SCCM WSUS Configuration Manager Could Not Establish Trust Relationship for the SSL/TLS secure channel

I have two SCCM SUP points, one is the top and the other is downstream. The SCCM infrastructure is operating in Native Mode and all WSUS synchronizations and configurations happen over HTTPS.

The internal SUP (SKN01) is the site server and has a site system in the DMZ (DMZ01) which it uses as a SUP for external IBCM clients. I had a look at the system status a couple of days ago only to see the SMS_WSUS_CONFIGURATION_MANAGER component had gone critical with this message all over the place:

SMS_WSUS_CONFIGURATION_MANAGER Message ID: 6600

WSUS Configuration Manager failed to configure upstream server settings on WSUS Server "Internal".   
Possible cause: WSUS Server version 3.0 SP1 and above is not installed or cannot be contacted. 
Solution: Verify that the WSUS Server version 3.0 SP1 or greater is installed. Verify that the IIS ports configured in SMS are same as those configured on the WSUS IIS website.

I looked at WCM.log to see exactly which server it is failing to configure. To reproduce the error I started and stopped the SMS_WSUS_CONFIGURATION_MANAGER component using the ConfigMgr Service Manager tool.

WCM.log showed the initial connection to the primary SKN01 SUP as successful with a fairly odd .NET exception following:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~  
         at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)~~  
         at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)~~  
         at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)~~   at
...

Basically, this meant that whatever WSUS server the primary was attempting to connect to (it wasn’t exactly specific…) was failing to negotiate SSL and aborting. FYI, I used ProcMon.exe to figure out which WSUS server it was connecting to during the failure. It turns out it was DMZ01.

This was odd because WSUS synchronization and configuration had worked for a while and seemingly overnight the certificate became invalid? Not likely. I checked the machine certificates and their trust chain and it all seemed in order on both servers.

I remembered that recently I was troubleshooting an issue with the Management Point and I had removed the Intranet FQDN from the site system in the DMZ (the IBCM SUP server, DMZ01).

It turns out all I had to do was enter the Intranet FQDN in the DMZ site system’s properties (DMZ01) and all was well. If you’re still experiencing issues after entering the FQDN, remove the SUP from the DMZ site and re-add it.

Who knew that removing this FQDN would cause the WSUS configuration to fail. I guess the internal SUP uses the intranet FQDN supplied in the DMZ site system’s properties to validate the web server certificate presented by WSUS.

So yeah.. make sure you configure both the Intranet and Internet FQDNs in the DMZ site system’s properties, and make sure they match the web server certificate’s SAN (Subject Alternative Name).
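As an added check (this is not code from the original post), the PowerShell script below connects to a site system’s WSUS HTTPS port, keeps whatever certificate it presents and reports whether the FQDN you typed into the site system properties is actually in that certificate’s SAN. The FQDN and port values are assumptions; save it as a .ps1 and pass your own.

```powershell
# Added check, not from the original post: connect to the site system's WSUS HTTPS port,
# keep the certificate it presents, and verify that the FQDN configured in ConfigMgr
# appears in its Subject Alternative Name. The default $Fqdn and $Port are assumptions.
param(
    [string]$Fqdn = "dmz01.corp.example",  # hypothetical intranet FQDN of DMZ01
    [int]$Port    = 8531                   # WSUS SSL port; use 443 if WSUS runs on the Default Web Site
)
$ErrorActionPreference = "Stop"

# Accept the certificate whatever its chain status, but record the policy errors so
# the certificate can be inspected even when .NET would have rejected it.
$script:policyErrors = $null
$validation = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validation)
try {
    # The target host name is what the certificate is checked against, just as WCM
    # checks against the FQDN taken from the site system properties.
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Extract the DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$sanNames = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) {
    $sanNames = [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)") | ForEach-Object { $_.Groups[1].Value }
}

Write-Host "Subject      : $($cert.Subject)"
Write-Host "Expires      : $($cert.NotAfter)"
Write-Host "Thumbprint   : $($cert.Thumbprint)"
Write-Host "SAN DNS names: $($sanNames -join ', ')"
Write-Host "Policy errors: $($script:policyErrors)"   # 'None' means .NET trusts this cert for $Fqdn

if ($sanNames -contains $Fqdn) {
    Write-Host "OK: '$Fqdn' is present in the certificate's SAN" -ForegroundColor Green
} else {
    Write-Host "MISMATCH: '$Fqdn' is not in the SAN; fix the site system FQDN or reissue the certificate" -ForegroundColor Red
}
```

Run it once with the Intranet FQDN and once with the Internet FQDN of the DMZ site system; both names need to show up in the SAN list.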

BUG: Task Sequence editor fails to find the MDT Toolkit package if parent group is disabled

I’ve recently encountered an issue with an MDT integrated System Center Configuration Manager 2007 SP2 R3 installation. In a non-MDT task sequence, if you disable the parent group of the Use Toolkit Package step, the SCCM task sequence editor reports an error in locating the package:

SCCM Task Sequence MDT Package Not Found Error (BUG)

You can re-select the package from your list and the (X) goes away until you click Apply or re-open the TS editor.

Workaround: If you disable the ‘Use Toolkit Package’ step itself, the package is found and there is no error reported by the editor:

SCCM Task Sequence MDT Package Not Found Error (Workaround)

This is not exactly a blocker and there is a quick and dirty workaround, but it may prove tedious on more complex task sequences.

I’ve experienced this issue on two separate System Center Configuration Manager 2007 SP2 R3 installations, both MDT 2010 Update1 integrated:

  • Windows Server 2008 x86
  • Windows Server 2008 R2 x64

Hope this helps…

Quickly rename a large number of files with PowerShell and Regular Expressions

There have been a few times in the past where I’ve had to rename a large number of files for various reasons (ie: remove a common piece of text from the name) and I’ve always resorted to PowerShell.

Piping dir into a where and matching the files I wanted to rename was effective but tedious. Cue the mass_rename.ps1 script:

# mass_rename.ps1 - rename every file under <dir> whose name ends with <ext>
# and matches the regular expression <what>, replacing the match with <with>.
$ext = $args[0];
$dir = $args[1];

$what = $args[2];   # regular expression (escape literal periods, e.g. 'version 1\.1')
$with = $args[3];   # replacement text

$whatif = $args[4]; # optional: "-whatif" only reports what would be renamed

$count = 0;

if ($args.length -lt 4) {
    write-host "Invalid parameters" -fore red;
    ""
    write-host "   .\mass_rename.ps1 <ext> <dir> <what> <with> [-whatif]";
    ""
    write-host " Example (don't do any replacing, -whatif):";
    write-host "   .\mass_rename.ps1 .docx c:\Documents 'version 1\.1' 'version 1.2' -whatif";
    ""
    exit 1;
}

# Only files (not directories) whose name carries the extension and matches the regex.
ls -recurse -path $dir | ?{ (-not $_.psiscontainer) -and ($_.name.endswith($ext)) -and ($_.name -imatch $what) } | %{
    if ($whatif -eq "-whatif") {
        write-host("whatif: '" + $_.fullname + "' -> '" + ($_.name -ireplace $what,$with) + "'");
    }
    else {
        $from = $_.fullname;
        $to = ($_.name -ireplace $what,$with);
        # -literalpath so brackets or wildcard characters in the file name are not interpreted
        mv -literalpath $from -destination ($_.directoryname + "\" + $to) -force;
        write-host "Renamed '$from' -> '$to'" -fore yellow;
        $count++;
    }
}

write-host "Done. Processed $count files." -fore green

The script accepts 4 parameters with an optional -whatif as the 5th. It is fairly self-explanatory, with one thing worth mentioning: the <what> parameter is a regular expression. Keep this in mind when, for example, you are trying to match a period (.), as you would have to escape it (as in the example usage).

The -whatif parameter only outputs the before and after file names without modifying the files themselves.

That’s it, set the execution policy and enjoy.

Exchange 2007 SMTP Send Connector on a port other than 25

I’ve set up an Exchange 2007 SP1 server recently to sync with a few remote Exim POP/IMAP accounts, in order to provide push email to my new Windows Phone 7. After battling with certificate issues, I managed to sync the phone to the Exchange server with all of the accounts I wanted. Email was being pushed, all was well. The only issue was.. sending email using the ActiveSync accounts on WP7.

By default Exchange 2007 does not relay messages to remote domains (@gmail.com, etc). You have to create an SMTP Send Connector for all domains (*, or specific domains if you wish) on the Hub Transport Role server. This is all well and good, however, my ISP blocks all outgoing connections to port 25. If you’re using the GUI to create this connector you won’t have the option to modify this port number.

Say my connector name was “All Email”; I would type this in the Exchange Management Shell:

Set-SendConnector -id "All Email" -port 2525

And that’s that. Exchange can talk to my Exim server and relay messages to the outside world.

To see the current port assigned to the “All Email” connector type in the Exchange Management Shell:

(Get-SendConnector -id "All Email").Port

Drive Backup over SSH Compressed with Gzip

If you’ve worked hard to configure your Linux machine and can’t afford to lose it due to drive failure, try creating an image of it using dd periodically.

It wouldn’t make much sense to store the image of the drive on the drive itself, but luckily dd writes to standard output, so you can combine it with ssh and gzip to store your stuff off-site.

# dd if=/dev/sda | ssh user@backup.remotehost.com dd of=/backup/drive.img.gz

At this point the drive.img.gz file is quite large. If you’re going over the internet this will take a really long time and kill your bandwidth.

Try this:

# dd if=/dev/sda | gzip | ssh user@backup.remotehost.com dd of=/backup/drive.img.gz

Notice the gzip pipe right before the ssh command compressing the stream before it gets sent to backup.remotehost.com.

You can also tell dd to create an image of a specific partition only (specify /dev/sda2 as the input stream)

To restore a drive image, log into backup.remotehost.com and type:

# dd if=/backup/drive.img.gz | gzip -d | ssh root@livecd.host dd of=/dev/sda

You should only restore to a drive that is not in use (possibly an OS running off of a Live CD?).

Warning: These commands are not idiot-proof and it’s all too easy to wipe the wrong drive!

I was able to reduce my drive.img.gz by almost 75% using gzip! You may find other compression tools to be better or worse depending on the data you are imaging.

Recently I was working on a project where we configured secure MySQL replication between Fedora host A and Fedora host B. There was no RAID or any kind of redundancy and me being paranoid I quickly imaged drive B to drive A and vice-versa.

Warning: keep in mind that creating an image of an OS that uses logical volumes (LVM) may not restore to a new drive properly.

SSD TRIM in Windows 7

If you’ve recently purchased an SSD you should probably be aware of performance issues that arise over time when it comes to writing data. TRIM technology was designed to make sure your drive’s write performance is consistent throughout the life of the drive. What is TRIM?

Windows 7 supports TRIM natively and you probably won’t need to mess around with it. However, if you want to check whether TRIM is turned on or off, use the following command:

C:>fsutil behavior query disabledeletenotify
DisableDeleteNotify = 0

0 – TRIM is enabled
1 – TRIM is disabled

Windows 7, for example, will query the drive’s RPM and if it responds with 0, it assumes the drive is an SSD. It then turns on TRIM and disables disk defrags as they are no longer needed.

If your system reports TRIM as disabled you can enable it by setting the property to 0:

C:>fsutil behavior set disabledeletenotify 0
DisableDeleteNotify = 0

… or if you want to showcase TRIM vs. No-TRIM, disable it by setting the property to 1:

C:>fsutil behavior set disabledeletenotify 1
DisableDeleteNotify = 1

If you’re in the market for an SSD, remember you get what you pay for, so if that drive is relatively cheap make sure it supports TRIM. Also keep in mind that not all operating systems support TRIM, some may need patches and some may not support it at all for the time being.

Performance improvement is significant when deploying or capturing on an SSD, I highly recommend this upgrade to your lab environment.

SMS Trace64 and Trace32 for WinPE

SMS Trace is a great tool for troubleshooting deployment issues from within WinPE, no doubt about that. It makes errors and warnings clearly visible in log files that run to thousands of lines.

Trace64 has been removed from the MDT Healthcare package, because “it is a System Center tool” and they don’t have permission to release it (See Dan’s blog).

Adding Trace32 and Trace64 to your winpe.wim is easy:

imagex /mountrw c:\winpe_x86.wim 1 c:\mount
copy /y c:\sms_trace\trace32.exe c:\mount\windows\
imagex /unmount /commit c:\mount

imagex /mountrw c:\winpe_x64.wim 1 c:\mount
copy /y c:\sms_trace\trace64.exe c:\mount\windows\
imagex /unmount /commit c:\mount

You should also create a package that copies these files to the %SystemRoot%. If your task sequence fails outside of WinPE you won’t have access to SMS Trace.

Remember to update your Distribution Points before creating the ISOs.

Download SMS Trace32 and Trace64