Wednesday, 18 June 2014

MDT 2013 Error "Language to install:" field blank during OSD with MDT 2013


You are attempting to perform a Lite Touch installation of Windows 8.1 using MDT 2013 and are halted on the Locale and Time page: the Language to install: field is blank with no drop-down options, which stops you from continuing with the deployment.

 

 
As a workaround to this issue I edited the CustomSettings.ini file to include statements that automate this part of the Deployment Wizard. I added the following statements to the CustomSettings.ini file:




; Skip the Locale and Time page by pre-setting the values the wizard would ask for
SkipLocaleSelection=YES
KeyboardLocale=0809:00000809
UserLocale=en-GB
UILanguage=en-GB
; Skip the Time Zone page as well
SkipTimeZone=YES
TimeZoneName=GMT Standard Time

Although there may be reasons you do not want to automate this step, this worked around the problem for me and allowed me to continue with the OS deployment.


Preparing Schema for Exchange 2013 Error: There was an error while running 'ldifde.exe' to import the schema file (Setup.exe /PrepareSchema)

You are attempting to prepare an environment for an Exchange 2013 SP1 deployment; the first stage is to run the following command:



setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

The setup.exe resides on the Exchange 2013 media. The following error is displayed by the Exchange setup.exe.
 
You open the LDIFDE log file from its default location, C:\Users\username\AppData\Local\Temp\ldif.log, and it states error 0x21a2: The FSMO role ownership could not be verified because its directory partition has not replicated...
 
This error relates to stale or non-existent domain controllers. Luckily this is only my lab environment, and it so happens I know an old DC was removed forcibly. The next stage is to find the old computer object of the DC in Active Directory and delete it; tick the box "Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard." and click Delete.



 
You should also remove any old DNS records associated with this DC; I also deleted it from Active Directory Sites and Services to complete the removal. If you now run the command again, it completes successfully.

 
In a production environment it is highly likely you will have tens of domain controllers, probably across multiple AD sites, so resolving this issue in production may be a large discovery exercise.
Tools such as DCDIAG.exe and Replmon.exe can prove useful when looking at these issues.
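As a discovery aid for the production case just described, here is an added PowerShell example (not from the original post) that lists every DC registered in the configuration partition and flags those that no longer resolve in DNS or answer on the network; it is read-only and assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: find candidate stale domain controllers. Removes nothing.
Import-Module ActiveDirectory

function Get-DcHealthReport {
    # Every DC registers an 'NTDS Settings' object under CN=Sites in the
    # configuration partition; a forcibly removed DC leaves its object behind.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNC"
    foreach ($n in $ntds) {
        # The parent of 'CN=NTDS Settings,...' is the server object holding dNSHostName
        $serverDn = $n.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
        $site     = (($serverDn -split ',')[2]) -replace '^CN=', ''
        $fqdn     = $server.dNSHostName
        $resolves = $false
        $pings    = $false
        if ($fqdn) {
            try {
                $null = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
                $resolves = $true
                # ICMP may be filtered in production; treat a failed ping as a hint, not proof
                $pings = Test-Connection -ComputerName $fqdn -Count 1 -Quiet
            } catch { }
        }
        $name = if ($fqdn) { $fqdn } else { $serverDn }
        [pscustomobject]@{
            Site      = $site
            Server    = $name
            InDNS     = $resolves
            Reachable = $pings
            Stale     = -not ($resolves -and $pings)   # candidate for the cleanup above
        }
    }
}

Get-DcHealthReport | Sort-Object Stale -Descending | Format-Table -AutoSize
```

Once a flagged DC has been deleted, repadmin /showrepl on the remaining DCs confirms the partition now replicates cleanly before you re-run setup.exe /PrepareSchema.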
 
 
 
 

Tuesday, 17 June 2014

Using VMware Workstation 10 to Run Hyper-V 2012 R2 Nested Instances

In order for this to work correctly a small hack must be put in place. Every Virtual Machine created under VMware Workstation has a (.vmx) file containing the guest's configuration settings; by default this file is stored alongside the virtual hard disk files.

You can open the (.vmx) file with Notepad and edit it freely provided the Virtual Machine is powered off. The following lines must be added to the (.vmx) file:
 
hypervisor.cpuid.v0 = "FALSE"
mce.enable = "True"



 

Save the changes to the (.vmx) file.

You must also edit the Processors setting on the VM: set the Preferred Mode to Automatic and ensure Virtualize Intel VT-x/EPT or AMD-V/RVI and Virtualize CPU performance counters are ticked.

 


 

Now start the machine and you will be able to run "nested" Virtual Machines inside Hyper-V. The hypervisor.cpuid.v0 = "FALSE" line tricks the guest operating system into thinking it's not running as a virtual instance.

 

DirectAccess: Configuring Network Location Server (NLS) SSL NLS Off-Box


Internet Information Services (IIS) must be installed on the server that is going to host the Network Location Server (NLS). Once IIS is configured a new certificate request must be made. The Certificates (Local Computer) MMC snap-in can be used to do this: expand Personal and Certificates, right-click the Certificates folder and select Request New Certificate...



Click Next at the initial Certificate Enrollment page.



From the list of available certificate templates choose Web Server. In your environment this list may be blank because the Certificate Templates are not being issued; you can duplicate the certificate template on your CA (remember to grant permissions to either Authenticated Users or Domain Computers) and then choose Certificate Template to Issue.

Select Web Server (this was provisioned by the Web Server Certificate Template), and click More information is required to enroll this certificate. Click here to configure settings.



From the Certificate Properties dialog box, under Subject Name: change the type to Common Name; the value should be set to the name used for the NLS server. In this example it's nls.company.pri. Click Add.


Click Enroll.



The Certificate being enrolled.


 

Click Finish to conclude the Certificate request.



You will now see on the IIS Server that the nls.company.pri certificate appears under Personal/Certificates.



Although by default the DirectAccess Getting Started Wizard installs NLS on the DA Server, if you are to host it on another server you should create a new website. Decide where on the local file system the website files will reside and create a new folder.

 

 

Change the permissions on the website folder to include Everyone with Full Control (in production you would not grant Everyone Full Control on any directory, but this is an example).



In case your environment has multiple administrators, create a very simple web page containing something like "Do Not Delete".



To save the Notepad document as .html, choose Save as type: All Files and name the file with the extension .html.



Open the Internet Information Services (IIS) console, expand the server name object and right click on Sites, then click Add Website.



In the Site Name: field enter NLS (or whatever you have chosen), click Select to change the Application Pool to DefaultAppPool, and click OK.



The physical path should point to the new folder you created containing the index.html file. Under Bindings the Type should be set to https, the IP Address should be the interface of this web server, and Port should be 443. Perhaps the most important part is the Host name: field; this must match the Common Name (nls.company.pri) configured during the Certificate Request in the earlier stage. From the SSL Certificate drop-down select nls.company.pri and click OK. Note that in this example I have an additional Network Adapter configured on this VM with the IP 192.168.1.20; this interface only listens for the DirectAccess traffic, and in my experience this works best for the NLS Server.



IIS should look something like this.



DNS must now be configured to support the NLS website. Start by right-clicking the Forward Lookup Zone for your domain, Company.pri, and selecting New Host (A or AAAA)...



The A record should use the name of nls and the IP address should be set to the IP address of the interface you bound to the SSL Certificate in IIS.




If you now open CMD and type ping nls it should resolve to the correct IP. If you too decide to configure a dedicated interface for NLS traffic, be careful to remove any duplicate DNS A record that is automatically created when the new interface is connected on an already domain-joined computer (Active Directory Integrated Zones with Dynamic Updates). If you fail to do this the server is effectively going to answer pings on multiple IPs.



Open the Remote Access Management console and, under Step 3 Infrastructure Servers, click Edit.



From the Network Location Server pane, click The network location server is deployed on a remote web server (recommended). In the URL field type https://nls.company.pri and click Validate.



Now return to the Dashboard; NLS will be reporting full health.
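As an added example (not part of the original post), the PowerShell below performs two checks on the configuration above: that the NLS name has exactly one A record in the zone (the duplicate-record problem mentioned earlier) and that the HTTPS endpoint returns 200 with a certificate whose subject matches the host name, which is roughly what the Validate button tests. nls.company.pri and company.pri are the post's example names; the DNS check assumes the DnsServer module (RSAT) is available.

```powershell
# Added example: verify an off-box NLS from PowerShell (DNS record count + HTTPS/cert).
param(
    [string]$NlsHost = 'nls.company.pri',   # names from the post; adjust to yours
    [string]$Zone    = 'company.pri'
)

function Test-NlsDns {
    param([string]$Name, [string]$ZoneName)
    # Strip the zone suffix: the record is stored by its short name inside the zone
    $short = $Name -replace "\.$([regex]::Escape($ZoneName))$", ''
    $records = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $short -RRType A -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Name      = $Name
        Addresses = ($records | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
        Ok        = ($records.Count -eq 1)   # more than one means a stray dynamic registration
    }
}

function Test-NlsHttps {
    param([string]$Name)
    $url = "https://$Name/"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'HEAD'
    $status = $null; $subject = $null
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        # The certificate the server presented during the TLS handshake
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
        $subject = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } catch {
        # Untrusted chain, unreachable CRL or a name mismatch all surface here
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Url         = $url
        Status      = $status
        CertSubject = $subject
        Ok          = ($status -eq 200 -and $subject -eq $Name)
    }
}

Test-NlsDns   -Name $NlsHost -ZoneName $Zone
Test-NlsHttps -Name $NlsHost
```

Run it from a domain-joined client on the internal network, since that is the vantage point from which DirectAccess clients decide whether they are inside the corporate network.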
 

MDT Error Litetouch Deployment Failed, Return Code 2147467259 0x80004005


You are trying to deploy Windows 8.1 via an MDT 2013 Task Sequence you have used on many occasions. After you boot from the LiteTouch deployment disk, select the Task Sequence and click Finish, the Task Sequence immediately fails with:
Litetouch Deployment Failed, Return Code 2147467259 0x80004005
 

Although there are a number of articles on the web relating to MDT share permissions, registry keys and multicasting (PXE boot was not being used) none of these worked for me in this instance.

Solution

The issue here was that MDT could not initiate the partitioning of the hard disks. An educated guess as to why this happens: MDT checks the destination disk for space to establish the Task Sequence cache, and if there is not sufficient space it fails. If this is incorrect and you know the exact reason please share it below.

Click Finish and break out of the Deployment Summary window to a Command Prompt. Type diskpart at the Command Prompt.

Type list disk to identify which hard disk contains the stale instance of Windows. Disks are numbered; to select a disk type select disk x.

Now type clean and this will remove all of the existing partitions from the hard disk.
 

Reboot the machine and try running the same Task Sequence again; this sorted the issue for me in this case.
 

The Task Sequence will now continue.


 

 

Monday, 16 June 2014

Emulating a Cisco ASA Firewall in GNS3 and QEMU





Download and install GNS3 (http://www.gns3.net/download/) and QEMU (http://www.gns3.net/qemu/); it is important you properly install GNS3 and not just run the .exe from the download location. The suggested location on x64 Windows 8.1 is C:\Program Files\GNS. In order for a Cisco ASA Firewall to work you must also extract and copy the QEMU files to a writable location (ideally C:\Program Files\GNS\QEMU, for consistency).

Open GNS3, and click Edit and Preferences...


Click Qemu and remain on the General Settings tab. You must now point GNS3 to the correct locations for the QEMU engine, if you have installed GNS3 and QEMU as suggested above your interface settings should look like mine below. This directs GNS3 to C:\Program Files\GNS\QEMU to run the qemu.exe.

I have found that if the QEMU paths are not set properly you will receive the following error when you try to launch an ASA instance:
ASA1: lost communication with server 127.0.0.1:10525

Therefore the first thing to check would be that GNS3 is pointing to a qemu.exe that actually exists.



Click on the ASA tab and select ASA 8.4(2) from the PreConfiguration drop-down; the Identifier Name should also be set to asa842. Although you can get away with less RAM (512MB), my recommendation is to give an ASA 8.4(2) at least 1GB. The number of NICs again depends on what you want to do with the ASA; 6 in this example. The NIC model e1000 is a fairly standard vNIC model.
Qemu Options: -vnc :2 none -vga none -m 1024 -icount auto -hdachs 980,16,32 (:2 allows you to run two instances simultaneously; this number can be increased. If you only require one instance, remove :2 completely).

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Click Save.
Now return to the GNS3 console and click the Cisco router icon in the left-hand menu; the option to drag an ASA should now be available. Drag an ASA instance onto the canvas. Right-click the ASA instance and select Start; if the device has started successfully the light in the bottom right-hand corner will turn green.

Now you may want to connect this virtual firewall to other VMs running on your computer or on your network; this can be done using a number of built-in GNS3 components and VirtualBox. In GNS3 create the topology as shown below; the switch is required as you cannot connect a firewall interface directly to the cloud in GNS3 for some reason.

Install VirtualBox on the device and assign a static IP to the VirtualBox Host-Only Network Adapter.


Now return to GNS3, right-click the cloud object and select Configure, then click on Cx and from the Generic Ethernet NIO (Administrator or root access required) drop-down select the host-only adapter installed by VirtualBox. Click Add and the adapter should appear in the list of network adapters. Click Apply and OK to continue.



Now open a console connection to the virtual ASA, and assign an IP address in the same subnet as the host only adapter to the interface of the ASA connected to the cloud (via the switch).

en
config t
int gi0
ip address 196.100.10.2 255.255.255.0
no shut
nameif mgmt


From the host device you should now be able to ping the virtual ASA on IP 196.100.10.2/24; click [link] for a tutorial on configuring the ASA to allow ASDM access.

Post Update 30/09/2014 - Creating a FLASH for Emulated Cisco ASA

When you try to TFTP an operating system image to the GNS3 ASA you receive the following error: "%Error Copying TFTP://10.20.1.2/asdm-649.bin (Not Enough Space on Device)". This is because the emulated ASA is not preconfigured with a FLASH disk.


You have to use qemu-img.exe to generate a FLASH file that can be associated with the ASA. To do this, change directory to C:\Program Files\GNS3\QEMU and use the following command to generate a FLASH file:

qemu-img.exe create FLASH 512M

This creates a 512MB flash file in the C:\Program Files\GNS3\QEMU directory.


The next step is to copy the FLASH file into the current ASA's saved directory.


Now if you reload the ASA and use the following command;

show flash

You will notice that the ASA now has 512MB of available space to save operating system images.

DirectAccess: Enabling the Teredo Interface

If you have deployed DirectAccess via the Getting Started Wizard you will probably find Teredo is disabled from the beginning. For Teredo to work (or even be enabled), the external interface on the DirectAccess server must have two consecutive public IPs.
Although DirectAccess is configured correctly, there is no Teredo interface.

If you open an Administrative PowerShell and run Get-DAServer you will notice that the TeredoState setting reports Teredo as Disabled.
                                        

Like the other connection protocols, when DirectAccess is installed an adapter is added in Device Manager (you must Show Hidden Devices). You will notice adapters for IP-HTTPS, ISATAP and 6to4, but no adapter for Teredo.

In order for Teredo to enable correctly, the external interface of the DirectAccess server must have two consecutive public IP addresses; you add the second IP using the Advanced TCP/IP Settings from the external adapter's properties.
When both external IPs are successfully configured you can use the PowerShell command Set-DAServer -TeredoState Enabled to force Teredo to be installed. The command outputs a warning regarding internal resources and ICMP; this is because Teredo uses ICMPv6 to determine what kind of NAT an incoming client is connecting over.
Once the command has completed successfully, you will notice that the Teredo Tunneling Pseudo-Interface now appears in Device Manager.


If you now return to the Operations Status you will see Teredo listed under Services.
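Added example, not from the original post: a PowerShell check that the external adapter carries two consecutive public (non-RFC 1918) IPv4 addresses before you run Set-DAServer -TeredoState Enabled. The interface alias 'External' is an assumption; pass your own with -InterfaceAlias.

```powershell
# Added example: verify the Teredo prerequisite on the DirectAccess external adapter.
param([string]$InterfaceAlias = 'External')   # assumed alias; change to match your server

function ConvertTo-UInt32 ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)                         # network byte order -> host order
    [BitConverter]::ToUInt32($b, 0)
}

function Test-PrivateIPv4 ([string]$ip) {
    # RFC 1918 ranges: Teredo needs globally routable addresses, not these
    $n = ConvertTo-UInt32 $ip
    ($n -ge (ConvertTo-UInt32 '10.0.0.0')    -and $n -le (ConvertTo-UInt32 '10.255.255.255')) -or
    ($n -ge (ConvertTo-UInt32 '172.16.0.0')  -and $n -le (ConvertTo-UInt32 '172.31.255.255')) -or
    ($n -ge (ConvertTo-UInt32 '192.168.0.0') -and $n -le (ConvertTo-UInt32 '192.168.255.255'))
}

function Test-TeredoPrerequisite ([string]$Alias) {
    $addrs = @(Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
               Sort-Object { ConvertTo-UInt32 $_.IPAddress })
    $problems = @()
    if ($addrs.Count -lt 2) { $problems += "only $($addrs.Count) IPv4 address(es) on $Alias; two are required" }
    foreach ($a in $addrs) {
        if (Test-PrivateIPv4 $a.IPAddress) { $problems += "$($a.IPAddress) is RFC 1918 private, not public" }
    }
    # Consecutive means two addresses whose numeric values differ by exactly one
    $nums = @($addrs | ForEach-Object { [int64](ConvertTo-UInt32 $_.IPAddress) })
    $consecutive = $false
    for ($i = 1; $i -lt $nums.Count; $i++) { if ($nums[$i] - $nums[$i - 1] -eq 1) { $consecutive = $true } }
    if ($addrs.Count -ge 2 -and -not $consecutive) { $problems += 'addresses are not consecutive' }
    [pscustomobject]@{
        Interface = $Alias
        Addresses = ($addrs.IPAddress -join ', ')
        Ready     = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

$check = Test-TeredoPrerequisite $InterfaceAlias
$check
if ($check.Ready) {
    Write-Host 'Prerequisites met; you can now run: Set-DAServer -TeredoState Enabled'
} else {
    Write-Warning 'Teredo will stay Disabled until these are fixed (see Get-DAServer TeredoState)'
}
```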