Migrating File Server from Windows Server 2003 to Windows Server 2012 R2

To follow up on my previous blog post about migrating RADIUS from Windows Server 2003 to Windows Server 2012, prompted by the end of life of Windows Server 2003 on July 14th 2015, I will continue down this track and provide a simple guide to migrating a file server from a source server running Windows Server 2003 to a target server running Windows Server 2012 R2.

– (On the Target Server) Run the command below to start the initial copy of the data. /e copies all subdirectories including empty ones, /zb uses restartable mode and falls back to backup mode if access is denied, and /copyall copies data, attributes, timestamps, NTFS permissions, owner and auditing information. Backup mode and /copyall need the backup and restore privileges, so run the command as an account that is a member of the local Administrators (or Backup Operators) group on both servers. Note that /log: takes the file name directly, without a space.

robocopy \\source_server\source_folder <Drive letter>:\target_folder /e /zb /copyall /log:<Drive letter>:\initial_copy.log

– (On the Source Server): Export the registry key below (with reg export or from Registry Editor). It holds each share's name, path and comment and, in its Security subkey, the share-level permissions. The paths are stored as absolute local paths, so the data has to end up at the same drive letter and folder on the target, or the Path= entries in the exported file have to be edited before it is imported.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

– (On the Source Server) Stop sharing the shares in “Computer Management > Shared Folders > Shares”, so that nobody can change the data while the final copy runs.

– (On the Target Server) Run the command below to start the incremental/final copy of the data. The shares no longer exist, so the source is addressed through the administrative share (D$). /mir mirrors the tree (it implies /e) and also deletes files on the target that no longer exist on the source. Keep /copyall on this pass too; without it, files changed since the initial copy are written with the default /copy:DAT and lose their NTFS permissions and owner.

robocopy \\source_server\D$\source_folder <Drive letter>:\target_folder /zb /mir /copyall /log:<Drive letter>:\mirror_copy.log

– (On the Target Server): Import the registry key that you exported in step 2, then restart the Server service (Restart-Service LanmanServer -Force, or net stop server followed by net start server) so that it reads the share definitions. Afterwards, check in Computer Management that every share points at an existing folder and that the share permissions came across.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
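Two checks I would run on the target before importing the Shares key, as an added example that is not part of the original post. The first lists the disk shares on the source and confirms their paths exist on the target (run it after the initial copy, while the shares still exist); the second compares the NTFS security descriptor of every file and folder so that anything copied without /copyall shows up. The server name FS01, the share root D:\Shares and the .reg file location are hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the target server.
# Assumed, hypothetical names: source server FS01 with the data under D:\Shares, reached via
# the administrative share, and the mirrored copy at D:\Shares on the target (the Shares key
# stores absolute paths, so the path must match or the .reg file must be edited first).
param(
    [ValidateSet('AfterInitialCopy', 'AfterFinalCopy')]
    [string]$Phase        = 'AfterFinalCopy',
    [string]$SourceServer = 'FS01',
    [string]$SourceRoot   = '\\FS01\D$\Shares',
    [string]$TargetRoot   = 'D:\Shares'
)

# List the disk shares still defined on the source (Type 0 = disk drive share; C$ and D$ have
# another type) and check that each path exists on the target. Win32_Share is read over DCOM,
# which Windows Server 2003 supports without PowerShell remoting. Run before the shares are
# stopped in step 3, because stopping them removes the entries.
function Test-SharePathsOnTarget {
    param([Parameter(Mandatory)][string]$SourceServer)
    Get-WmiObject -Class Win32_Share -ComputerName $SourceServer |
        Where-Object { $_.Type -eq 0 } |
        ForEach-Object {
            [pscustomobject]@{
                ShareName      = $_.Name
                Path           = $_.Path
                ExistsOnTarget = Test-Path -LiteralPath $_.Path
            }
        }
}

# Compare the NTFS security descriptor (DACL, owner and SACL) of every item. robocopy /COPYALL
# preserves all three; a difference means the item was copied without /COPYALL (for example a
# final pass with the default /COPY:DAT) or was not copied at all.
function Compare-MigratedAcl {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$TargetRoot
    )
    $mismatches = New-Object System.Collections.Generic.List[object]
    foreach ($item in Get-ChildItem -LiteralPath $SourceRoot -Recurse -Force) {
        $relative   = $item.FullName.Substring($SourceRoot.Length).TrimStart('\')
        $targetItem = Join-Path -Path $TargetRoot -ChildPath $relative
        if (-not (Test-Path -LiteralPath $targetItem)) {
            $mismatches.Add([pscustomobject]@{ Path = $relative; Reason = 'missing on target' })
            continue
        }
        # -Audit includes the SACL; reading it needs the SeSecurityPrivilege an administrator has
        $srcSddl = (Get-Acl -LiteralPath $item.FullName -Audit).Sddl
        $dstSddl = (Get-Acl -LiteralPath $targetItem -Audit).Sddl
        if ($srcSddl -ne $dstSddl) {
            $mismatches.Add([pscustomobject]@{
                Path = $relative; Reason = 'ACL differs'; Source = $srcSddl; Target = $dstSddl
            })
        }
    }
    return ,$mismatches
}

switch ($Phase) {
    'AfterInitialCopy' {
        Test-SharePathsOnTarget -SourceServer $SourceServer | Format-Table -AutoSize
    }
    'AfterFinalCopy' {
        $problems = Compare-MigratedAcl -SourceRoot $SourceRoot -TargetRoot $TargetRoot
        if ($problems.Count -eq 0) {
            Write-Host 'All ACLs match. Import the exported Shares key with reg import, then run:'
            Write-Host '    Restart-Service LanmanServer -Force'
        }
        else {
            Write-Warning 'Do not import the Shares key yet; fix these first:'
            $problems | Format-Table -AutoSize
        }
    }
}
```

Run it as `.\Check-Migration.ps1 -Phase AfterInitialCopy` between steps 1 and 3, and again with the default phase after the final robocopy pass. A share whose path does not exist on the target would be imported as a dead share definition; an ACL mismatch is the kind of thing users only report weeks later, when someone can suddenly read a folder they could not before.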

Link (Robocopy – Command-Line)
Link (Saving and restoring existing Windows shares)


What about Single Sign-On?

Is Single Sign-On (SSO) and Identity and Access Management (IAM) the same? How do password resets differ when using SSO? What is best: a specialised SSO solution combined with a specialised IAM solution, or a “one-size-fits-all” solution?

SSO vs IAM

SSO and IAM are two different ingredients for managing identities and system access in general. SSO provides a single login so that users only need to sign in once for access to multiple resources, while IAM provides a unified way to control access to individual resources, both working across all connected systems and software. You can easily have SSO without IAM, and IAM without SSO; the responsible IT department will have both. SSO and IAM provide the greatest protection when they work together.

Password Resets

A major concern when it comes to identities is how to deal with passwords, especially when they need to be provided, replaced, or reset. When resetting a password, a randomized password or login key will be supplied. The password policy on the individual system will then decide if the new password or key can be kept, or if the user needs to change it directly upon their first login after the reset.

When resetting a password via an SSO solution, the SSO platform (1) handles passwords according to the local security or password policy (2) synchronizes the new password with all available platforms and (3) ensures that once you’re logged in, no further login is required even when you change from system to system. In addition to the three basic tasks, a specialised SSO platform will conform exactly to your specific security requirements and be able to handle things like two-factor authentication, biometrics, chip cards, SMS codes, picture puzzles, etc. The greater capabilities of a specialised solution built by specialists in the field help to ensure the highest level of security from any device on your infrastructure!

The Best Solution

Which is best: an all-in-one solution, or separate, specialized solutions? Well, it all depends.  [:-)]  But you knew that, right?

Personally, I find that I get the highest quality and standard of service by going to the specialists and utilizing specialized tools where available. I really like the freedom of being able to, at any given time, replace a part of my infrastructure with the “modern standard” for the future, or to flexibly comply with new legislation, new compliance demands, or new customer demands without changing out a whole suite with one that suits the new functionality. And, when it comes to SSO, it is such a crucial and fundamental part of my basic infrastructure that I want the best; then I want an IAM solution that both integrates seamlessly with my infrastructure and can match the quality level and security that I have decided on.

What does that all mean? It means that choosing an SSO tool will not solve your challenges with regards to Identity and Access Management. It means that choosing an IAM tool will not fully cover your password security policy. (At least I hope not… If so, I suggest you aim higher.) But together they provide you the best possible control over your users, their access rights, passwords, support, self-service, and much more.

So, choose an SSO solution that fits your security standards (and then some), and make sure they provide a useful API so that there is a means of integrating with it. And, choose an IAM / IDM tool that integrates with any SSO vendor you can think of (including your vendor of choice)—one that smoothly enables your colleagues to handle self-service tasks regarding access rights management, password resets, and so on.

SOURCE: IDM365


Exchange 2010/2013 CU stuck at Languages install

This simple solution can save you a lot of time.

This issue can happen when you apply a Cumulative Update (CU) to Exchange 2010 or Exchange 2013: the upgrade gets stuck at step 9, ‘Languages’, forever.

It turns out that the cause is simple. System Center 2012 Endpoint Protection had been installed on the server automatically by SCCM, and while it is present the Languages step never finishes (according to the original post, the two use the “same engines” for the language components).

(Screenshot, 2015-06-17: the CU setup stuck at step 9, Languages)

Solution:

Uninstall Endpoint Protection on the server. Once it is gone, the Exchange update continues. When the CU upgrade has finished, restart the server and install Endpoint Protection again (or let SCCM redeploy it). The server runs without antimalware protection in between, so keep that window short and do not leave the box in that state.

Hope this saves you some time!


How to remove clients automatically, from operating system deployment collections in SCCM

It is a common scenario that the Windows deployment collections fill up with clients that have already completed the OSD. If you use mandatory deployments, this is not an issue, but if you are using available deployments, you might have users who accidentally reinstall their computers.

There is nothing built into Configuration Manager to do this, but luckily it can be done with a PowerShell script and a status filter rule.

There are a couple of prerequisites

  • The ConfigMgr PowerShell module must be trusted.
  • The ConfigMgr server needs permissions in SCCM and DCOM.
  • This version of the PowerShell script requires SCCM 2012 R2.

PowerShell Module

To trust the PowerShell module, run PowerShell from the Configuration Manager console. Answer “A” when it asks, “Do you want to run software from this untrusted publisher?”

SCCM permissions

Your ConfigMgr server needs “full administrator” rights in SCCM. To do this, go to \Administration\Overview\Security\Administrative Users in the SCCM console and “add user or group”. Find your server under browse and add it to “Full Administrator”.

DCOM permissions

To grant your ConfigMgr server the appropriate rights in DCOM, start Component Services and expand Computers and rightclick ‘My Computer’. Go to the tab “COM Security” and click “Edit Default” under “Access Permissions”. Ensure the System has ‘Allow’ in Remote Access.

Now that the prerequisites are in place, we can move on to the actual function. This consists of a PowerShell script that does the actual legwork and a status filter rule that decides when to run the script.

The PowerShell script

# Call example:
# C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass <Path to Script>\RemoveFromCollection_1.0.ps1 %msgsc %msgsys
# %msgsc  = Site-Code
# %msgsys = ComputerName

# Set required input parameters
Param(
    [string]$SiteCode,
    [string]$ComputerName
)

#--------------------
# User defined variables here

$CollectionIDs  = "CEN000B3;CEN000B4;CEN000B5"   # OSD collections to clean up, separated by ";"
$bEventlogEntry = 1                              # 1 = write an Application log entry for each removal
$bClearPXE      = 0                              # 1 = also clear the PXE flag for the device

# End user defined variables
#--------------------
If (-not ($SiteCode -and $ComputerName)) {
    Write-Host "Required input is missing! Supply SiteCode and ComputerName."
    exit 1
}

# Import the SCCM module from the console installation and switch to the site drive
$ModuleName = (Get-Item $env:SMS_ADMIN_UI_PATH).Parent.FullName + "\ConfigurationManager.psd1"
Import-Module $ModuleName
Set-Location ($SiteCode + ":")

# Remove client from collections
# Get collection id array
$aCollections = $CollectionIDs.Split(";")

# For each collection, check whether a direct membership rule exists for the computer and remove it
foreach ($Collection in $aCollections) {
    $TrytoRemove = 1
    # Check that the collection still exists; if not, write an event log error
    # (the "SMS Client" event source exists on the site server because the client is installed there)
    If ((Get-CMDeviceCollection -CollectionId $Collection).Count -eq 0) {
        Write-EventLog -LogName Application -Source "SMS Client" -EventId 3001 -EntryType Error -Message "Collection $Collection does not exist any longer, please remove it from the SCCM script!" -Category 1 -RawData 10,20
        $TrytoRemove = 0
    }
    else {
        If ((Get-CMDeviceCollectionDirectMembershipRule -CollectionId $Collection -ResourceName $ComputerName).Count -eq 0) {
            # No direct membership rule for this computer, nothing to delete
            $TrytoRemove = 0
        }
    }

    If ($TrytoRemove -eq 1) {
        # Write event log entry
        If ($bEventlogEntry -eq 1) {
            Write-EventLog -LogName Application -Source "SMS Client" -EventId 3001 -EntryType Information -Message "Computer $ComputerName will be removed from Collection $Collection" -Category 1 -RawData 10,20
        }

        # Remove client from collection
        Remove-CMDeviceCollectionDirectMembershipRule -CollectionId $Collection -ResourceName $ComputerName -Force

        # Clear PXE flag
        If ($bClearPXE -eq 1) {
            Clear-CMPxeDeployment -DeviceName $ComputerName
        }
    }
}

All you have to edit in this script are the collection ID’s.

Status Filter Rule

To create the rule that runs the script, when a client has successfully finished OSD, do the following. In the Configuration Manager console, navigate to \Administration\Overview\Site Configuration\Sites, select your site and click status filter rules, either by right clicking or by selecting it on the ribbon.

Create a new rule as follows:

General tab.

  • Component: Task Sequence Manager (this can’t be selected from the drop down menu, you need to write it).
  • Message ID: 11171 (the task sequence completed successfully message in SCCM)

 

Actions tab.

  • Check “report to the event log” if you want this.
  • Check “replicate to the parent site”.
  • Check “run a program” and put this in the program box (the 32-bit PowerShell under SysWOW64 is used because the ConfigMgr console module is 32-bit):
“C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe” -ExecutionPolicy ByPass \\LocationOfTheScript\ScriptName.ps1 %msgsc %msgsys

 

Click next and finish, and your new status filter rule is in place and ready for testing. One thing to keep in mind: the program runs under the site server's account, which you just gave Full Administrator rights in SCCM, with the execution policy bypassed. Anyone who can modify \\LocationOfTheScript\ScriptName.ps1 can therefore run code with those rights, so put the script on a share or folder that only Configuration Manager administrators can write to.


SCCM 2012 – Who created/modified/deleted the collection?

Ever stumbled on a collection that you did not know where came from? Or wondered who deleted a collection that you were using? It has happened to me a few times.

One way to find out who created, modified, or deleted a collection, is to use the SCCM built in report “All messages for a specific message ID”.

  • Click Monitoring.
  • Click on Reports.
  • Right click on “All messages for a specific message ID” and click Run. The report Viewer opens and requires you to input a value in the “Message ID” Box.


  • Click on Values.


  • Write the Value (Go to the end of this page to find the Value you need) in the Filter box, click on the Value in the Message ID box and then click OK.


  • Click “View Report” and now the information is located at the bottom of the GUI window.


Depending on how your system is set up, there could be a lot of messages in this report, and you might need to use the report viewer's search function to find the collection you need information about.

Message IDs:

(Table of message IDs; the image is not available here.)


SQL Server error when using Named Instance

I encountered this problem a while ago, when I was installing a test lab with Configuration Manager 2012 R2 in my own environment. I installed all prerequisites and was about to do the SQL database setup in the SCCM setup wizard, so I typed in all the correct information, including the “Named Instance” that I had chosen during the installation of the SQL Server database, and had added the exceptions to the firewall.

At this point I knew it was all running and working: I could connect to the database and open SQL Server Management Studio, and only the SCCM Setup Wizard remained. But when I pressed “Next” I got the following error message.

(Screenshot of the setup wizard error)

  • The instance name was created and typed in correctly
  • At this point I assumed the port for the SQL database would be set to 1433 (1433 is our default)
  • The exceptions in the firewall were made (I also tried turning it off completely)
  • The account I used for this was the default admin account, configured by the SQL server

Having verified the above several times, I could not figure out why I got this error, so I kept trying to get it to work until I remembered that I had not used the default instance name (MSSQLSERVER) but had created my own. This is the reason for the error: a named instance listens on a dynamic TCP port by default (assigned when the service starts, and it can change), whereas the default instance listens on the static port 1433, and ConfigMgr does not support dynamic ports. The named instance therefore has to be given a static port. NOTE: It is not wrong to use named instances; they give you better isolation between instances in your environment than the default name does, so do what you prefer in your own environment.

You need to make the following changes to make it work with a named instance:

  1. Open “SQL Server Configuration Manager” (search for it if you can't locate it).
  2. In “SQL Server Configuration Manager”, expand “SQL Server Network Configuration” -> click “Protocols for xxx” (xxx = the named instance) -> right-click “TCP/IP” in the right-hand pane -> click “Properties”.
  3. You will see two tabs. Click “IP Addresses” -> scroll down and locate the “IPAll” settings (this is what the instance uses for all addresses) -> clear the “TCP Dynamic Ports” field so that it is blank -> type the port you want in the “TCP Port” field. 1433 is the default TCP port of a default instance and is what I used here; any other free static port works, as long as the firewall exception and the SCCM setup use the same port.
  4. You could also make these changes for the individual IP entries (IP1, IP2, IP3 etc.) if you want to be sure, but it is not required; the change to “IPAll” in step 3 is enough.
  5. To apply the changes you need to restart the SQL Server service for your named instance: click “SQL Server Services” -> select “SQL Server (xxx)” -> right-click and choose “Restart”.
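The same change done from PowerShell, as an added example that is not part of the original post, with a check afterwards that the instance really listens on the static port and that an enabled firewall rule covers it. The registry locations are the ones SQL Server Configuration Manager writes to; the instance name CMSQL and the port are hypothetical defaults, and the script must be run elevated on the SQL Server itself.

```powershell
# Added example, not from the original post: steps 1-5 above from PowerShell, plus verification.
# Run elevated on the SQL Server. Instance name and port are hypothetical defaults.
param(
    [string]$InstanceName = 'CMSQL',
    [int]$StaticPort      = 1433
)

# Map the instance name to its instance ID (e.g. MSSQL12.CMSQL for SQL Server 2014)
$instanceIds = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId  = $instanceIds.$InstanceName
if (-not $instanceId) { throw "No SQL Server instance named '$InstanceName' is installed here." }

# IPAll is the entry shown at the bottom of the "IP Addresses" tab in Configuration Manager
$ipAllKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"

function Get-SqlTcpPortConfig {
    param([Parameter(Mandatory)][string]$Key)
    $p = Get-ItemProperty -Path $Key
    [pscustomobject]@{ TcpPort = $p.TcpPort; TcpDynamicPorts = $p.TcpDynamicPorts }
}

Write-Host "Before:"; Get-SqlTcpPortConfig -Key $ipAllKey | Format-List

# Step 3: blank the dynamic port and set the static one (both values are REG_SZ)
Set-ItemProperty -Path $ipAllKey -Name TcpDynamicPorts -Value ''
Set-ItemProperty -Path $ipAllKey -Name TcpPort         -Value "$StaticPort"

# Step 5: restart the instance. The service is MSSQLSERVER for the default instance
# and MSSQL$<name> for a named one.
$service = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
Restart-Service -Name $service -Force
Write-Host "After:"; Get-SqlTcpPortConfig -Key $ipAllKey | Format-List

# Verify: the instance must listen on the port, and an enabled inbound rule must allow it.
# A static port that no firewall rule covers fails in exactly the same way as a dynamic one.
Start-Sleep -Seconds 10
if (Get-NetTCPConnection -State Listen -LocalPort $StaticPort -ErrorAction SilentlyContinue) {
    Write-Host "Instance $InstanceName is listening on TCP $StaticPort"
}
else {
    Write-Warning "Nothing is listening on TCP $StaticPort; check the SQL Server error log"
}
$covered = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$StaticPort" -or $_.LocalPort -eq 'Any') }
if (-not $covered) { Write-Warning "No enabled inbound firewall rule allows TCP $StaticPort" }
```

SQL Server Configuration Manager remains the supported way to make the change; the script edits the same values and is mostly useful for checking, after the fact, that a dynamic port did not sneak back in.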

Windows 8 / 8.1 sysprep fails during capture

Problem case:

Creating a Windows 8 or Windows 8.1 reference image with Microsoft Deployment Toolkit or System Center Configuration Manager fails, either when running sysprep manually or during the Prepare OS (sysprep) task sequence step.

When running sysprep manually within Windows you will see this error box:

(Screenshot of the sysprep error box)

Running sysprep through Microsoft Deployment Toolkit or System Center Configuration Manager, you will see the following error entries in SetupErr.log:

<Date> <Time>, Error SYSPRP Package <PackageFullName> was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
<Date> <Time>, Error SYSPRP Failed to remove apps for the current user: 0x80073cf2.
<Date> <Time>, Error SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.

Cause:

Sysprep has an additional provider that is added in Windows 8 / 8.1 to clean Appx packages and generalise the image. The provider will only work if the Appx package is a per-user package or an all-user provisioned package.

Per-user package means that the Appx package is installed for a particular user account and is not available for the other users of the machine.
All-user package means that the Appx has been provisioned into the image so that all users who use this image will get the App.

If an All-user package provisioned into the image was un-provisioned manually from the image, but not removed for a particular user, then during sysprep, the provider will run into an error cleaning out this package. The provider will also fail, if an All-user package provisioned into the image was updated by one of the users on the reference machine.

Additional information: When a Windows 8 / 8.1 machine has been online for 60 minutes, it automatically starts to download (stage) Appx packages and updates. This is useful because, when a user manually updates an app through the Windows Store app, the update files are already on the machine and don't have to be downloaded. Some of these packages are installed per user and not provisioned for all users. In practice this means that if you capture the reference machine within 60 minutes, sysprep will succeed.

Solution:

IMPORTANT: Remove all per-user Appx packages that are not provisioned for all users before running sysprep on the reference machine. Otherwise you might have to start all over, building your reference image from scratch.

Before starting the sysprep procedure, make sure to remove all additional users (except Administrator) that have logged on to the computer, along with their profiles. Remove-AppxPackage only acts on the user running it, so apps installed for another user can only be cleaned up by deleting that user's profile.

Deleting all provisioned Appx packages:

Run the command “Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online” at an elevated PowerShell prompt. Get-AppxProvisionedPackage lists every package provisioned in the image (the default Store apps, which are installed for each user at first logon), and because the output is piped to Remove-AppxProvisionedPackage, they are all removed from the provisioning store.


Note: You will get RED errors – this is expected due to dependencies.

Deleting specific staged Appx packages:

To get a list of the provisioned packages, run the following command:

Get-AppXProvisionedPackage -online | select PackageName

To remove a particular provisioned app, run the following command:

Remove-AppXProvisionedPackage -Online -PackageName <PackageName>
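Rather than removing every provisioned app, you can look for exactly the condition the SetupErr.log entries describe: a package installed for a user but not provisioned for all users. The script below is an added example, not part of the original post. It takes its input from the reference machine itself and assumes nothing beyond being run in an elevated PowerShell there; the assumption that framework packages (shared dependencies) can be skipped is marked in the code.

```powershell
# Added example, not from the original post: find and remove packages that are installed for
# a user but not provisioned for all users, which is what sysprep's Appx provider rejects.
# Run in an elevated PowerShell on the reference machine before sysprep /generalize.

# Packages provisioned in the image (installed for every new user at first logon)
function Get-ProvisionedPackageNames {
    @(Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty PackageName)
}

# Packages present in some user profile whose full name is not in the provisioned list.
# Assumption: framework packages (shared dependencies such as the VC runtime) are not what
# the error is about, so they are skipped; drop the IsFramework test to see them as well.
function Get-UnprovisionedUserPackages {
    $provisioned = Get-ProvisionedPackageNames
    Get-AppxPackage -AllUsers |
        Where-Object { -not $_.IsFramework -and ($provisioned -notcontains $_.PackageFullName) } |
        ForEach-Object {
            [pscustomobject]@{
                PackageFullName = $_.PackageFullName
                # PackageUserInformation lists the SID and user name of every profile holding the package
                Users           = @($_.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '
            }
        }
}

# Remove-AppxPackage only removes the package for the user running it. Anything still listed
# afterwards for another user belongs to a profile that has to be deleted, as the post says.
# Supports -WhatIf so the list can be reviewed first.
function Remove-UnprovisionedUserPackages {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($pkg in Get-UnprovisionedUserPackages) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, "Remove for the current user")) {
            Remove-AppxPackage -Package $pkg.PackageFullName
        }
    }
}

Get-UnprovisionedUserPackages | Format-Table -AutoSize   # what sysprep would complain about
Remove-UnprovisionedUserPackages -WhatIf                  # review, then run without -WhatIf
```

Once `Get-UnprovisionedUserPackages` returns nothing, the per-user versus provisioned mismatch that produces the 0x80073cf2 entries is gone and the machine can be captured. A package that was provisioned and then updated by a user shows up here too, because the updated full name (with the new version) is not the one in the provisioned list.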

Now, capture your reference image and enjoy your Windows 8 / 8.1 deployment.
