SCCMNAP BLOGS

Supporting System Center & Forefront Security and Identity Management

I’ve worked in the field of Systems Management since 1990, performing integration and automation through the use of Microsoft technologies such as System Center Configuration Manager 2007, Operations Manager, Service Manager, SQL Server 2008 & Reporting Services, Visual Studio, and SharePoint with InfoPath Integration. I am proficient on SCCM, Microsoft's Hyper-V Virtualization technology, and Failover Clustering & Network Load Balancer Services. I have also worked extensively with SCCM Network Access Protection and enjoy learning new technologies. I am also a Microsoft Partner. I started work at Microsoft in 2005 in the SMS/SCCM team of MSIT, which later became the Management Platforms & Services Delivery group in the Management Services division. In MPSD I managed our Lab, Preproduction & Production environments using Microsoft's Hyper-V technology. These environments support several SCCM infrastructures which include the management of 200,000 managed desktops across Microsoft. Prior to working at Microsoft I worked for Warner Bros/AOL Time Warner, NBC Studios, AT&T WorldNet Service, 24 Hour Fitness, State of California Health Department, Northrop Grumman, NOS Communications, GE Capital, KLA Tencor, Wells Fargo Mortgage Bank, Dudeworks, TeleTech, and TekSystems. Specialties: System Center Configuration Manager 2007, Service Manager, Virtual Machine Manager 2007 R2, Operations Manager 2007 R2, Hyper-V, SQL Server, Scripting, Visual Studio, SharePoint Services and InfoPath Integrations and Systems Center Essentials.

Richard Got NAPd

The title “Richard Got NAPd” was born back in 2005 when I first joined Microsoft and participated in Microsoft’s 1st deployment rollout of System Center Configuration Manager 2007 Network Access Protection (NAP), which was a 3 year project. As a member of MSIT during this deployment, it gave me a lot of insight into network intrusion protection and security compliance. So the title implies that I was intrigued by the integrated technology of Network Access Protection, systems management and compliance monitoring, which consumed the first 3 years of my time at Microsoft.

January 2009 - Posts

  • The Most Secure Way to Provision SCUP Certificates for Client Machines and the WSUS/SCUP Server

    Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.

    Supporting Article: http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853

    Notice which certificate SCUP uses or will accept: when you configure the certificate in SCUP (in the Settings location within the console), SCUP will only accept .PFX Personal Information Exchange certificates. This means that .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS, as the above article mentions, you have to export it to a .PFX certificate before SCUP will accept and use it.

    Since this isn't mentioned in the documentation (or I can't find it), members of my team, and I'm sure others, were exporting the .CER type certificate, which does not work and is not accepted by the SCUP product.

    So what should be known and what I've discovered is the following:

    You must use a .PFX Personal Information Exchange certificate when importing a cert into SCUP under the Settings option. Since a .PFX cert holds both the public and private key, you do not want to deploy this type of certificate to client machines. This would be like giving out your login ID and password to everyone who gets the certificate.

    What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.

    So I would see the steps as follows:

    On the WSUS/SCUP Server

    Step 1. Click Start -> Run -> MMC

    Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

    Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

    Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates

    Step 5. Find the certificate you created for use with WSUS/SCUP, or find the self-signed certificate automatically created by SCUP, right-click it -> All Tasks -> Export. This must be a .PFX certificate.

    Note and remember: A .PFX Personal Information Exchange certificate holds the public and private key. So 1. you don't want to deploy this type of certificate to client desktop computers, and 2. you do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities stores. The .CER type certificate will work just fine and does not have the private key associated with it.

    Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.

    Note: Base-64 encoded X.509 (.CER) is the highest encryption method that you can export to a (.CER) certificate.

    For provisioning the certificate on the WSUS/SCUP server:

    Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certificate Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Now you have only the public key in the "Trusted Root Certificate Authorities" and "Trusted Publishers" stores.

    Note: Whether you import your own .PFX cert or use the self-signed cert SCUP creates in the WSUS\Certificates store, the full certificate (public and private key) now exists in only one location on the WSUS/SCUP server; every other store holds only the public key. This is the most secure way of configuring the SCUP certificate.

    Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines, or use Group Policy to deploy cert.cer to client machines.
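    As an added example (not code from the original post), here are Steps 5 through 8 as one elevated PowerShell script run on the WSUS/SCUP server: it exports only the public portion of the certificate from the Local Computer WSUS store as Base-64 encoded X.509 (.CER), checks that the file about to be handed to clients carries no private key, and imports it into the Trusted Publishers and Trusted Root Certification Authorities stores. The subject filter and output path are placeholders you set yourself; the store names WSUS, TrustedPublisher and Root are the Local Computer stores the steps above walk through in the MMC.

```powershell
# Added example, not from the original post: export the public key of the WSUS/SCUP
# signing certificate as a Base-64 .CER and trust it locally. Run elevated on the
# WSUS/SCUP server. $SubjectMatch is a placeholder for the subject of the cert you
# created for WSUS/SCUP (or the self-signed cert SCUP generated).
param(
    [string]$SubjectMatch = 'CN=YOUR-SCUP-CERT-SUBJECT',   # placeholder, set to your cert
    [string]$CerPath      = 'C:\Temp\scup-public.cer'       # placeholder output path
)

# Steps 4/5: locate the certificate (public + private key) in Local Computer\WSUS.
$src = Get-ChildItem Cert:\LocalMachine\WSUS |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1
if (-not $src) { throw "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\WSUS" }

# Step 6: X509ContentType::Cert exports the certificate only, never the private key.
# Wrap the DER bytes as Base-64 encoded X.509 (.CER).
$der = $src.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $CerPath -Encoding ASCII -Value @"
-----BEGIN CERTIFICATE-----
$b64
-----END CERTIFICATE-----
"@

# Check before distribution: re-read the file and confirm it is the same cert with no private key.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($pub.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key; do not distribute it' }
if ($pub.Thumbprint -ne $src.Thumbprint) { throw 'Exported certificate does not match the source certificate' }

# Steps 7/8: import the public-key-only cert into Trusted Publishers and Trusted Root CAs.
foreach ($storeName in 'TrustedPublisher', 'Root') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($pub)
    $store.Close()
    Write-Host "Imported $($pub.Thumbprint) into LocalMachine\$storeName (public key only)"
}
Write-Host "Public certificate written to $CerPath; deploy this file (not the .PFX) to clients."
```

    The same .CER file is what Step 9 deploys to clients through Group Policy; the .PFX never leaves the WSUS store.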

  • Resolution: Workaround to Error: 2912 No more thread can be create in the system (0x800700A4) in SCVMM

    I'm posting a workaround for an issue I found and noticed that other people are running into. So far I have not seen or found a root cause or a fix, but this workaround is the best I have discovered and is better than rebooting the Hyper-V host to resolve the issue.

    Link to the Article on Tech Net:
    URL: http://social.technet.microsoft.com/forums/en-US/virtualmachinemanager/thread/ac48fd59-3de9-4191-8466-25bedee3f5b1

    Workaround:
    Though I have not found the root cause, I did find something of a workaround that quickly brings the Hyper-V host back to a functional state.

    When I see this error:

    Error (2912)
    An internal error has occurred trying to contact an agent on the servername.domain.com server.
    (No more threads can be created in the system (0x800700A4))
    Recommended Action
    Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent.

    I go to Services and restart the "Windows Management Instrumentation" service. Restarting this service also restarts the following services (if they are on your server):

    • Hyper V Virtual Machine Management
    • Virtual Machine Manager Agent
    • Hyper-V Image Management Service
    • Hyper-V Networking Management Service
    • IP Helper
    • EMC PowerPath Service 5.1.2
    • SMS Agent Host

    Because of the type of services that are also restarted, if the Hyper-V host is in production I would suggest doing this with caution and sending a user awareness notification for the temporary outage. The outage is short, depending on how long certain services take to start.

    Because the Hyper-V Image Management Service is restarted, users will not be able to remote control a virtual machine, or may be kicked off their VM remote control session. And if you are doing this while in a TS session to the Hyper-V host server, you may lose TS connectivity momentarily.
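    As an added example (not from the original post), the workaround from an elevated PowerShell prompt on the affected Hyper-V host: it first lists every running service that depends on WMI, so the outage is known and can be announced before it happens, then restarts winmgmt and brings the dependents back. It assumes Windows PowerShell on the host; the list you see will be your host's own, not the one in the post.

```powershell
# Added example, not from the original post: restart WMI (winmgmt) on a Hyper-V host
# with the blast radius shown first. Assumes an elevated Windows PowerShell prompt.
$wmi = Get-Service -Name winmgmt

# DependentServices lists the services that cannot run without winmgmt;
# all of them stop when winmgmt stops.
$dependents = $wmi.DependentServices |
    Where-Object { $_.Status -eq 'Running' } |
    Sort-Object DisplayName

Write-Host "Restarting '$($wmi.DisplayName)' will also restart these running services:"
$dependents | ForEach-Object { Write-Host "  - $($_.DisplayName) [$($_.Name)]" }

# Send the user awareness notice the post recommends before going past this point.
$answer = Read-Host 'Type RESTART to continue, anything else to abort'
if ($answer -ne 'RESTART') { return }

# -Force is required because the dependents have to be stopped first.
Stop-Service -Name winmgmt -Force
Start-Service -Name winmgmt

# Bring back every dependent that was running; starting a service also starts the
# services it depends on, so the order does not matter here.
foreach ($svc in $dependents) {
    Start-Service -Name $svc.Name -ErrorAction Continue
}

# Report anything that did not come back so it can be started by hand.
$dependents | ForEach-Object { Get-Service -Name $_.Name } |
    Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.DisplayName) is $($_.Status)" }
```

    Run it from a console session rather than over TS where you can, since the post notes the TS connection may drop while the services cycle.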

  • Solution to: HyperV unstable vmms service crashes periodically


    Problem Statement:

    I am getting an error that is causing Hyper-V to be unstable. I have 3 Hyper-V servers in my test env, running about 45 clients. All 3 are reporting this error at some point through the day. This often means that I need to restart the Hyper-V Virtual Machine Management service, and obviously during that time the SCVMM server (which is a VM client within these 3) loses contact until the service is restarted.

    Article and Solution: http://social.technet.microsoft.com/Forums/en-US/virtualmachingmgrhyperv/thread/02adb29a-c3b8-41c5-80fc-99e6a67d39fc

    Answer:

    The problem is a known bug and is fixed in Windows 2008 SP2.
    The problem is due to having a virtual machine configured with a SCSI adapter that does not have a drive attached to it. I had virtual machines with this configuration. Since removing the unused SCSI adapter, my Hyper-V service does not stop and restart.
    So go through each VM and remove any SCSI adapters that do not have a drive associated with them.
    Hope this helps you guys.
    Thanks
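    As an added example (not from the original post or the TechNet thread), a script that finds the configuration the answer blames, a SCSI controller with no drive attached, on every VM on the host, and optionally removes it. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later); the Windows 2008 hosts in the thread have no such module and would need the WMI root\virtualization classes instead.

```powershell
# Added example, not from the original post: report (and with -Remove, delete) SCSI
# controllers that have no drive attached. Assumes the Hyper-V PowerShell module.
param([switch]$Remove)   # without -Remove the script only reports

$empty = foreach ($vm in Get-VM) {
    Get-VMScsiController -VM $vm |
        Where-Object { $_.Drives.Count -eq 0 } |
        ForEach-Object {
            [pscustomobject]@{
                VM         = $vm.Name
                Controller = $_.ControllerNumber
                State      = $vm.State
                Object     = $_
            }
        }
}

if (-not $empty) { Write-Host 'No SCSI controllers without drives found.'; return }
$empty | Format-Table VM, Controller, State -AutoSize

if ($Remove) {
    foreach ($e in $empty) {
        # Controller changes need the VM off; skip running VMs rather than fail on them.
        if ($e.State -ne 'Off') {
            Write-Warning "$($e.VM) is $($e.State); power it off before removing controller $($e.Controller)"
            continue
        }
        $e.Object | Remove-VMScsiController
        Write-Host "Removed empty SCSI controller $($e.Controller) from $($e.VM)"
    }
}
```

    Run it without -Remove first and review the table; then rerun with -Remove once the affected VMs are powered off.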


  • How to enable log trace for System Center Virtual Machine Manager

    In order to diagnose a failure scenario, it is normally required to reproduce the issue and collect traces at the same time.

    Here are the instructions on how to collect the traces:

    From what computer should I collect the trace?

    • If it’s a console crash issue,

      • please collect the traces from both the computer where you run admin console, and your VMM Server.

    • If it’s an “Add Hosts” issue,

      • please collect the traces from the VMM server;

    • If it’s a host status (Needs Attention) or VM issue,

      • please collect the traces from both the VMM server and the host in question.

    • If it's self-service portal issue,

      • please collect the traces from the Web server and the VMM server

    What are the steps to collect traces?

    • Save the following code into a text file and name it as "odsflags.cmd":

    @echo off
    rem Sets ODSFLAGS under the Carmine tracing key; only trace categories whose flag is set go to ODS.
    echo ODS control flags - only trace with set flags will go to ODS

    rem No argument, -? or /? prints the flag list.
    if (%1)==() goto :HELP
    if (%1)==(-?) goto :HELP
    if (%1)==(/?) goto :HELP

    echo Setting flag to %1...
    reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Carmine" /v ODSFLAGS /t REG_DWORD /d %1 /f
    echo Done.
    goto :EXIT

    :HELP
    echo Usage: odsflags [flag], where flag is
    echo TRACE_ERROR = 0x2,
    echo TRACE_DBG_NORMAL = 0x4,
    echo TRACE_DBG_VERBOSE = 0x8,
    echo TRACE_PERF = 0x10,
    echo TRACE_TEST_INFO = 0x20,
    echo TRACE_TEST_WARNING = 0x40,
    echo TRACE_TEST_ERROR = 0x80,

    :EXIT

    • Save the following code into a text file and name it as "odson.reg":

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Carmine]
    "ODS"=dword:00000001

    • Save the following code into a text file and name it as "odsoff.reg":

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Carmine]
    "ODS"=dword:00000000

    • Copy the above three files onto your VMM server, your host in question and your Web server (if it's a self-service portal issue).

    • In a command window on the machine that you want to capture VMM tracing, run “odson.reg” and “odsflags.cmd 255”. (If you need to collect traces for both VMM Server and the host or the Web server, make sure to run these commands on all computers.)

    • Open DebugView and run it as administrator, make sure that in its Capture menu, you have both "Capture Win32" and "Capture Global Win32" checked. You should be able to see tracing from the VMM components showing up in the DebugView. (If you need to collect traces for both VMM Server and the host, make sure to do these steps on all computers.)

    • Restart vmmservice on VMM server with “net stop vmmservice” and “net start vmmservice”.

    • Restart the agent service on the host with “net stop vmmagent” and “net start vmmagent”.

    • Restart the IIS service on the Web server with "iisreset".

    • Reproduce the issue that you found.

    • Save the output from the DebugView to a text file and email it to the people who can help you diagnose the issue.

    • Don't forget to turn off the tracing after you are done collecting by running "odsoff.reg" on each machine.

    Compliments to Cheng: http://blogs.technet.com/chengw/archive/2008/05/08/how-to-collect-scvmm-traces.aspx
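    As an added example (not from the original post or Cheng's article), the three files above, odsflags.cmd, odson.reg and odsoff.reg, combined into one elevated PowerShell script with a guaranteed off switch: it decodes which TRACE_* categories a flag value enables, turns tracing on, restarts the service, waits while you capture in DebugView, and sets ODS back to 0 in a finally block so a forgotten odsoff.reg cannot leave verbose tracing running on a production server. The registry path and flag values are the ones from the post; the service name defaults to vmmservice and is a parameter so the same script serves the host (vmmagent). It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: VMM ODS tracing on/off with a decoded flag
# summary and a finally block that always turns tracing off. Run elevated.
param(
    [int]$Flags = 255,               # 0xFF = every TRACE_* flag listed in odsflags.cmd
    [string]$Service = 'vmmservice'  # use 'vmmagent' on a host
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Carmine'

# Flag values as documented in odsflags.cmd.
$flagNames = [ordered]@{
    0x2  = 'TRACE_ERROR'
    0x4  = 'TRACE_DBG_NORMAL'
    0x8  = 'TRACE_DBG_VERBOSE'
    0x10 = 'TRACE_PERF'
    0x20 = 'TRACE_TEST_INFO'
    0x40 = 'TRACE_TEST_WARNING'
    0x80 = 'TRACE_TEST_ERROR'
}
$enabled = $flagNames.Keys | Where-Object { $Flags -band $_ } | ForEach-Object { $flagNames[$_] }
Write-Host ("ODSFLAGS=0x{0:X} enables: {1}" -f $Flags, ($enabled -join ', '))

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

try {
    # odsflags.cmd <flags> + odson.reg
    Set-ItemProperty -Path $key -Name ODSFLAGS -Value $Flags -Type DWord
    Set-ItemProperty -Path $key -Name ODS      -Value 1      -Type DWord
    Restart-Service -Name $Service
    Write-Host "Tracing on. In DebugView (run as administrator) check 'Capture Win32' and"
    Write-Host "'Capture Global Win32', reproduce the issue, save the output, then press Enter."
    [void](Read-Host)
}
finally {
    # odsoff.reg: runs when the script ends, normally or early, so tracing is not left on.
    Set-ItemProperty -Path $key -Name ODS -Value 0 -Type DWord
    Write-Host 'Tracing off (ODS=0).'
}
```

    Run it on each machine the "From what computer should I collect the trace?" list names for your scenario, with -Service vmmagent on the host.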
