PLA Blog Entries

Over the past eight months or so, I’ve posted some articles over at the Project Leadership Associates (PLA) blog. This post is a listing of them, with direct links to each post.

Microsoft Windows General

Fixing Windows Remote Management on Domain Controllers
Windows 8.1: Disable SkyDrive (now known as Microsoft OneDrive)
Lync 2013 Client: Missing DLL

System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Reporting Problem
Microsoft System Center 2012: Testing Configuration Manager Endpoint Protection
Configuration Manager 2012 SP1 & PowerShell Remoting
System Center 2012 Configuration Manager Global Conditions
Adventures in ConfigMgr 2012 Application Uninstallation
Using WinPE 5.0 with Configuration Manager 2012
System Center 2012: Configuration Manager Global Condition for Group Membership

ConfigMgr: A Couple of Client Tweaks via PowerShell

Disable WINS Lookup via PowerShell & WMI

If you’re running Microsoft System Center Configuration Manager, you probably don’t need to be using the WINS lookup for Server Locator Points. Normally, you’d have to de-install the ConfigMgr client, and then re-install it with the SMSDIRECTORYLOOKUP=NOWINS MSI property. If you don’t want to do that, and want to disable the WINS lookup feature on your existing client base, you can use PowerShell to achieve this.

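# Read the client's directory-lookup policy instance from the ConfigMgr client WMI namespace
$DirectoryLookup = Get-WmiObject -Namespace root\ccm\policy\machine\actualconfig -Class CCM_DirectoryLookup_Configuration;
# Per this post, LookupFlags = 1 disables the WINS lookup; Put() writes the change back to WMI
$DirectoryLookup.LookupFlags = 1;
$DirectoryLookup.Put();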

Verification

After configuring this setting, you can restart the SMS Agent Host service by running the following command:

Restart-Service -Name ccmexec;

Open up the LocationServices.log client log file, and search for the text: Policy disallows failing over to WINS..

If you see that message showing up in the logs, then you should be all set!

Enabling Verbose Logging via PowerShell & WMI

Another post-installation trick you can do for Microsoft System Center Configuration Manager clients is enable verbose logging via the Windows Management Instrumentation (WMI) service. Check out this quick PowerShell script to achieve this:

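# Read the client's global logging configuration from the ConfigMgr client WMI namespace
$Logging = Get-WmiObject -Namespace root\ccm\policy\machine\actualconfig -Class CCM_Logging_GlobalConfiguration;
# Per this post, LogLevel = 0 enables verbose logging; Put() writes the change back to WMI
$Logging.LogLevel = 0;
$Logging.Put();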

Important: You may need to restart the ConfigMgr client service (short name: ccmexec, display name: SMS Agent Host) in order for this change to take effect.

ConfigMgr 2012 SP1: Remote SQL Connectivity Problem

Recently I had some issues with a ConfigMgr 2012 SP1 Primary Site communicating with a remote SQL Server 2008 R2 named instance. This was in my lab environment. I decided to upgrade the database instance from SQL Server 2008 R2 to SQL Server 2012 SP1.

Missing SQL Server Services in Configuration Manager

The first problem I encountered, right after the upgrade, was that I could not view the SQL Server 2012 SP1 instance from the SQL Server Configuration Manager tool. I posted about this problem on the Microsoft TechNet forums, and quickly got the help I needed to resolve it. Although I did not have a new shortcut in the Start Menu for the SQL Server 2012 Configuration Manager tool, it has indeed been installed. I used Windows PowerShell to locate the file (sqlconfigurationmanager11.msc) that was mentioned in response to my inquiry, and it turned out to be in the %WinDir%\System32 folder. After launching this tool, I could successfully “see” the SQL Server services that had been previously “missing” from the SQL Server Configuration Manager.

Database Engine Certificate Issue

I had been having a problem for a little while, on SQL Server 2008 R2, and then SQL Server 2012 after the upgrade, where something with the SQL Server database engine configuration got screwed up. Basically, the SSL certificate that was auto-generated by SQL Server was “broken.” I tried to clear the certificate on the database engine instance, using SQL Server Configuration Manager, but that only caused more problems. I generated a new Computer certificate from my internal Certificate Authority (which the ConfigMgr Primary Site trusts), and set that as the SSL certificate for the SQL Server database engine. After doing this, I started getting some errors in the Application event log.

EventID 26014

Unable to load user-specified certificate [Cert Hash(sha1) "0D1E36686557FDB0A86E9E60DCE80E2820C3D1C1"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.

EventID 26014

TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.

EventID 17120

SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

As it turns out, I found out that the service account did not have access to the private key of the SSL certificate that I had enrolled onto the SQL Server. In order to resolve this, I used the MMC snap-in for Local Computer Certificates, right-clicked on the SSL certificate with the corresponding thumbprint in the error message, selected All Tasks –> Manage Private Keys, and added the Read permission for the SQL Server domain service account. After doing this, I was able to successfully start the SQL Server service.
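
The Manage Private Keys step described above can also be scripted and audited. The following PowerShell is an added example, not code from the original post; it assumes an elevated Windows PowerShell session and a CryptoAPI (CSP) RSA key in the LocalMachine\My store, and the function names and the account CONTOSO\svc-sql are hypothetical.

```powershell
# Added example (not from the original post). Assumes: Windows PowerShell, elevated session,
# certificate in LocalMachine\My with a CryptoAPI (CSP) RSA key. Function names are hypothetical.

function Get-MachineKeyFile {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine." }
    $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    if (-not $csp) { throw "Key is not CSP-backed (for example CNG); not covered by this example." }
    # Machine CSP keys are stored as files named after the unique key container
    Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
}

function Test-KeyReadAccess {
    # True only if the account itself has an explicit or inherited Allow ACE that includes Read;
    # access granted through group membership is not evaluated here.
    param([Parameter(Mandatory=$true)][string]$KeyFile, [Parameter(Mandatory=$true)][string]$Account)
    $sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -Path $KeyFile).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $sid.Value -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

function Grant-KeyReadAccess {
    # Adds a Read-only Allow ACE; the service account needs nothing more to load the key.
    param([Parameter(Mandatory=$true)][string]$KeyFile, [Parameter(Mandatory=$true)][string]$Account)
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

$thumb   = '0D1E36686557FDB0A86E9E60DCE80E2820C3D1C1'  # thumbprint quoted in the certificate error above
$account = 'CONTOSO\svc-sql'                           # hypothetical SQL Server service account

if (Test-Path -Path "Cert:\LocalMachine\My\$thumb") {
    $keyFile = Get-MachineKeyFile -Thumbprint $thumb
    if (Test-KeyReadAccess -KeyFile $keyFile -Account $account) {
        "$account already has Read on $keyFile"
    } else {
        Grant-KeyReadAccess -KeyFile $keyFile -Account $account
        "Granted Read on $keyFile to $account"
    }
}
```

Restart the SQL Server service afterwards so the database engine reloads the certificate.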

ConfigMgr 2012 SP1 Database Connectivity

This is just some brief documentation of the errors I was getting while I was encountering SQL database engine issues.

Since the first problem I had was the SQL Server database being unavailable, I was getting the following errors in the smsexec.log. The “actively refused” message makes a lot of sense, since there was no database engine service listening on the port that the SMS_Executive service was attempting to connect to.

*** [08001][10061][Microsoft][SQL Server Native Client 11.0]TCP Provider: No connection could be made because the target machine actively refused it.
*** [HYT00][0][Microsoft][SQL Server Native Client 11.0]Login timeout expired
*** [08001][10061][Microsoft][SQL Server Native Client 11.0]A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.
*** Failed to connect to the SQL Server, connection type: SMS ACCESS.
CSiteControlEx::GetCurrentSiteInfo: Failed to get SQL connection
CSiteControlEx::GetMasterSCF:Failed to read site information from database, retry in 5 seconds ...

After getting the SQL Server instance back up and running, I started seeing these messages in the smsexec.log. I’m pretty sure that the root cause of this was that the SQL Server database engine could not access the private key of the configured SSL certificate. Given this, I have no idea which certificate it was ultimately using, but obviously it was not the one that I had explicitly told it to use.

*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection
*** Failed to connect to the SQL Server, connection type: SMS ACCESS.
CSiteControlEx::GetCurrentSiteInfo: Failed to get SQL connection
CSiteControlEx::GetMasterSCF:Failed to read site information from database, retry in 5 seconds ...

In order to resolve this, check out the previous section Database Engine Certificate Issue.

PowerShell Summit 2013 Videos

Don Jones (@concentrateddon) recently posted about some videos that Aaron Hoover recorded at PowerShell Summit 2013. Don is short on time and bandwidth, and didn’t have time to post click-able links, so I’m just reposting them here for convenience. All credit goes to Don and Aaron for the content below!

http://youtu.be/0NeEU3FHp8I Device Management With PowerShell – Ricardo Mendes – PowerShell Summit 2013
http://youtu.be/XsnE_OQGvdo Creating a Complex and Reusable HTML Reporting Structure – Alan Renouf – PowerShell Summit 2013
http://youtu.be/iV6cYsQDL0Y How Secure Can You Be – Jeff Hicks – PowerShell Summit 2013
http://youtu.be/qSE06GkQWV4 Standards Based Hardware Management – Steve Lee – PowerShell Summit 2013
http://youtu.be/7C53pawPw3Y Workshop – Automating for DevOps – Kenneth Hansen and Hemant Mahawar – PowerShell Summit 2013
http://youtu.be/KFA-zSojxqw CIM Sessions – Richard Siddaway – PowerShell Summit 2013
http://youtu.be/EloMKpvfES8 PowerShell Web Access – Richard Siddaway – PowerShell Summit 2013
http://youtu.be/3deY6e6Npzo Sapien PowerShell Products – David Corrales – PowerShell Summit 2013
http://youtu.be/xZtapxf1ytI What I learned Judging 5000 Scripts – Ed Wilson – PowerShell Summit 2013
http://youtu.be/Ahvs1rGPk1s PowerShell Events – Richard Siddaway – PowerShell Summit 2013
http://youtu.be/U_niW85TtJE Write Modules, Not Scripts – Ed Wilson – PowerShell Summit 2013
http://youtu.be/Y8IbadEHoPg PoshMon – PowerShell Does Performance Counters – Ed Wilson – PowerShell Summit 2013
http://youtu.be/1XuB71tLNvg Configuring Your PowerShell Workflow Environment – Aleksandar Nikolic – PowerShell Summit 2013
http://youtu.be/msHGx-mxWJA Practical PowerShell Integration from Bare Metal to the Cloud – Alan Renouf – PowerShell Summit 2013
http://youtu.be/eAZ-agh182g Source Control for IT Pros – Andy Schneider – PowerShell Summit 2013
http://youtu.be/pL_Ry5LzX3w Creating HTML Reports with Style – Jeff Hicks – PowerShell Summit 2013
http://youtu.be/-ERyfmOmyoI Remoting Configuration Deep Dive – Don Jones – PowerShell Summit 2013
http://youtu.be/jMVBN5V0G4Y Advanced Network Scripting with PowerShell – Lee Holmes – PowerShell Summit 2013
http://youtu.be/GXkLtEOM-DM Build Your Demo Environment with Windows PowerShell – Aleksandar Nikolic – PowerShell Summit 2013

System Center 2012 SP1 Orchestrator: Getting Started with Configuration Manager 2012 Integration

Introduction

System Center 2012 SP1 Orchestrator is a tool to help automate enterprise processes. It stresses the reduction of code writing, which has its benefits, but also has its drawbacks. In my personal opinion, everyone should learn how to write code. These days, if you’re focused on the Microsoft platform, there is nothing better to learn than PowerShell. Knowing how to write code will help you to fill in gaps in the integration of two or more software products.

Given the wide array of functionality offered by System Center 2012 SP1 Configuration Manager, it would seem highly desirable to use Orchestrator to automate some of that functionality. You can perform functions such as:

  • Create or delete Collections
  • Invoke Collection membership evaluations
  • Add or remove Collection Membership Rules
  • Enumerate Collection members
  • Deploy Applications or Configuration Baselines
  • Invoke ConfigMgr client actions

In the next section, we’ll explore how to set up integration between Orchestrator and Configuration Manager.

SQL 2012 SP1: Errors on starting database server named instance

I recently got some weird SQL Server error messages in the Application event log after rebooting my SQL 2012 SP1 server, running on Windows Server 2012:

Event ID 26014: Unable to load user-specified certificate [Cert Hash(sha1) "D3D88810B87C9533AA30CE9B2C3BDCEE3C674B97"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See “Configuring Certificate for Use by SSL” in Books Online.

Event ID 17182: TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.

Event ID 17182: TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.

Event ID 17826: Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.

Event ID 17120: SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

These errors confused me, because as far as I know, I’m not using SSL for my SQL Server instance. To solve the issue, I opened the SQL Server Configuration Manager –> SQL Server Network Configuration –> right-click “Protocols for CM12” –> Properties –> Certificate tab. Click the “Clear” button and restart the service. Hopefully this clears up the error.

 

PowerShell: A first-timer’s perspective of PowerCLI

This blog post is a description of my first experience playing around with PowerCLI, which is VMware’s PowerShell module for managing vSphere servers. I haven’t really dealt with VMware much in my past, other than VMware Workstation, so I thought it was exciting to get the chance to play around with PowerShell & VMware together!

I won’t bore you with the installation details, and I’ll get right to firing it up. There’s a shortcut to launch PowerCLI in the Start Menu, and it’s got a custom icon on it, which makes it easily recognizable on the Windows Taskbar.


PowerShell: Update-Help via Scheduled Task in Group Policy Preferences

Introduction

If you’re like me, you probably like to ensure that all your computers have PowerShell updatable help updated on a regular basis. You can achieve this using a variety of methods, but since Group Policy Preferences are available out of the box using Windows 7 and later, I figured it would be the perfect tool to keep PowerShell help up-to-date! The following guide will show you how to implement a Windows Scheduled Task to update PowerShell version 3.0 help on a regular basis.

The following operating systems include Group Policy Preferences Client Side Extensions (GPP-CSE) out of the box:

  • Windows 7
  • Windows 8
  • Windows Server 2008 R2
  • Windows Server 2012

You can also deploy the Windows Management Framework Core 3.0, and Group Policy Preferences Client Side Extensions to Windows Server 2008 non-R2 systems, however the equivalent client operating system, Windows Vista, does not support WMF 3.0.


PowerShell Twitter Update [2013-02-24]

So it’s getting close to the end of February, and it’s been several months since I’ve blogged anything new! For today’s post, let’s take a look at what’s going on, on Twitter in the PowerShell universe!

#ConEmu

@tphakala says that he’s discovered a project called #ConEmu. #ConEmu is a project hosted on Google Code and offers a PowerShell console replacement for Windows. Some of the features that #ConEmu includes are: tabbed console support, smooth / friendly window resizing, support for Windows 7 jump lists (cool!), and a lot more!

4Sysops by Jeff Hicks

@JeffHicks is working on Part 8 of his 4Sysops series for Microsoft Certified Professional (MCP) Magazine, which covers changing Windows service account credentials through WMI. This series covers several other topics within WMI that will certainly be of interest to a variety of Windows desktop and server administrators.

Infosec PowerShell Module

@nikhil_mitt is an information security expert, and mentioned on Twitter that he has a security toolkit known as Nishang. This project is hosted on Google Code similar to the #ConEmu project mentioned above. Nikhil was even kind enough to mention that he had used some of my code in this project, which I had no idea about before today (February 24th, 2013)! I’m quite honored to hear that he made good use of some code that I had written a while back. The code we’re talking about here is in the Remove-Update function, which removes Windows software updates from a particular system.

Using Get-Content like Cat

@proxb (Boe Prox) tweeted about an article written by @ScriptingGuys (Ed Wilson) that talks about how to use the Get-Content cmdlet in PowerShell v3 to track changes to text files in realtime. This command is similar to the “cat” command in *nix operating systems.

ConfigMgr 2012: Ccmeval.exe causing client corruption

I’ve discovered, on more than one occasion, that the ConfigMgr 2012 client’s ccmeval.exe, which is intended to resolve client health related issues, actually breaks the ConfigMgr client. This has happened on a Windows 8 RTM client, and I’m fairly certain that it affects Windows Server 2012 as well. You might be aware that Windows 8 and Windows Server 2012 are unsupported client operating systems with ConfigMgr 2012 RTM, but will be officially supported in Configuration Manager 2012 Service Pack 1 (SP1).

Issue


By default, when the ConfigMgr 2012 client is installed, a Scheduled Task called “Configuration Manager Health Evaluation” is registered under the \Microsoft\Configuration Manager folder. The command line that is called is simply ccmeval.exe, with no command line arguments. The task runs around midnight (12:19 AM on my test client) every night.