You are browsing the archive for 2014 January.

OSD Capture fails on a HP Gen8 Hyper-V cluster

12:12 pm in 2012R2, capture, CM12, CM12 R2, CM12 SP1, hyper-V, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]

 

I’ve seen lots of people saying to use VMs to create images, and my customer decided to do it using Hyper-V, as they see Hyper-V as a possible replacement for VMware. We did it on Hyper-V 2012 R2.

However, I had a problem capturing the image with the Build & Capture task sequence. The VM (running Windows 7 x64 Enterprise) ran through Sysprep and rebooted into WinPE, but then the problem started. I checked the Captures folder to see if it had started creating the WIM file: it had written only 1 KB and then failed with “Exiting with return code 0x80004005”. That’s right, 1 freaky KB.

I do have the Legacy Network Adapter installed so I can PXE boot the VMs that I have created.

This was the first time I’d worked with Hyper-V 2012 R2, so I wasn’t sure what to expect, although I had experience with Hyper-V 2008 R2 and 2012. I looked at all the threads that mention “Hyper-V”, but none of them reported this problem.

I tried a few things to see what happened and to figure out what was wrong. Finally we found the issue:

We immediately suspected a networking issue rather than a share or permission issue, since we could write a 1 KB file to the share.

1. When the VM booted into WinPE to start capturing the image, we checked its IP address (F8 command prompt). We saw the correct IP, but about 5 seconds later it changed back to an auto-assigned APIPA (Automatic Private IP Addressing, 169.254.x.x) address. That was weird, and we blamed the networking team :-) (for once we thought we had a reason, as the DHCP server was a Linux box).

2. After ruling out the network (fixed IP, MAC address reservation), we started to dig a little deeper. Maybe it was the Hyper-V cluster or the virtual switch?

3. To rule out any virtual switch issue, we created a VM on a Hyper-V host outside the cluster and BINGO! The creation of the WIM file succeeded.

4. To make sure it was the Hyper-V cluster, we created a VM on the cluster and tried it again. Same problem: the VM ran through Sysprep and rebooted into WinPE, the WIM file in the Captures folder stopped at 1 KB and the capture failed with “Exiting with return code 0x80004005”. That’s right, 1 freaky KB.

The solution:

OK, the problem is related to the Hyper-V cluster. After a little investigation, we discovered that people had reported VMs randomly losing network connectivity on HP Generation 8 hardware running Windows Server 2012 R2. That explained our connectivity issue: a network drop while the WIM is being written to the capture share leaves exactly such a truncated file and the generic 0x80004005 (E_FAIL) return code.

Our case is the same as described on the Hyper-V.nu blog:

http://www.hyper-v.nu/archives/marcve/2013/11/vnics-and-vms-loose-connectivity-at-random-on-windows-server-2012-r2/

http://www.hyper-v.nu/archives/pnoorderijk/2013/11/the-story-continues-vnics-and-vms-loose-connectivity-at-random-on-windows-server-2012-r2/

As a workaround, disabling VMQ (Virtual Machine Queue) works. More info on what VMQ does: http://blogs.technet.com/b/networking/archive/2013/09/10/vmq-deep-dive-1-of-3.aspx

The issue has been reported to HP support and we are awaiting feedback. In the meantime we are trying this hotfix: http://support.microsoft.com/kb/2913659. After patching our cluster nodes with the hotfix, we haven’t had a VM guest lose network connectivity for over 24 hours; before that it was happening quite regularly with several VMs that send/receive lots of network traffic. If you haven’t applied this hotfix and you are experiencing this issue and/or others with your virtual switches, apply it before opening a case with HP.
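The check and the workaround described above, as an added PowerShell example that is not part of the original post: it shows where VMQ is enabled on a cluster node, disables it on the physical adapters, and checks whether the KB2913659 hotfix is present. The cmdlets are the built-in NetAdapter, Hyper-V and Get-HotFix ones; the VM name 'BC-Win7x64' is an assumption. Run it on each cluster node.

```powershell
# Added example, not from the original post. Run elevated on every Hyper-V cluster node.
# VM name 'BC-Win7x64' is an assumption; cmdlets are the built-in Windows Server 2012 R2 ones.

# 1. Where is VMQ enabled? These are the physical uplinks / team members behind the virtual switch.
Get-NetAdapterVmq |
    Format-Table Name, InterfaceDescription, Enabled, BaseVmqProcessor, MaxProcessors -AutoSize

# Per-VM view: a VmqWeight of 0 means that vNIC will never be given a hardware queue.
Get-VMNetworkAdapter -VMName 'BC-Win7x64' |
    Format-Table VMName, SwitchName, VmqWeight, Status -AutoSize

# 2. Workaround from the post: disable VMQ on the physical adapters that have it on.
#    Reversible later with Enable-NetAdapterVmq once the hotfix / firmware is in place.
Get-NetAdapterVmq | Where-Object Enabled | Disable-NetAdapterVmq -Confirm:$false

# 3. Is the hotfix from KB2913659 installed on this node?
$fix = Get-HotFix -Id 'KB2913659' -ErrorAction SilentlyContinue
if ($fix) {
    "KB2913659 installed on {0} ({1})" -f $env:COMPUTERNAME, $fix.InstalledOn
} else {
    "KB2913659 NOT installed on {0}" -f $env:COMPUTERNAME
}
```

Disabling VMQ trades some receive-side scaling for stability, so treat it as the temporary measure the post describes and re-enable it per adapter once the node is patched and the connectivity drops no longer reproduce.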

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ADFS 2.1 in combo with Windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0x5’

12:17 pm in ADFS, ADFS 2.1, CM12, CM12 R2, CM12 SP1, intune, sso by Kenny Buntinx [MVP]

 

One day my ADFS authentication for ConfigMgr 2012 R2 and Windows Intune suddenly stopped working. I came across the following on the Active Directory Federation Services farm, which uses WID (Windows Internal Database) to store its configuration.

[Screenshot of the error message.]

In words: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘<Domain>\ADFS_srvc’, error code 0x5.

Error 15404 is raised by the SQL Server engine underneath the WID, and error code 0x5 is ERROR_ACCESS_DENIED: the database engine was denied access when it tried to look up the ADFS service account in Active Directory.

The solution is to give “Authenticated Users” Read permission on the ADFS service account object in Active Directory. Read is all the lookup needs, so do not grant anything broader than that.
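One way to apply and verify that permission from PowerShell, as an added example that is not part of the original post: it grants Authenticated Users GenericRead on the service account object only if the ACE is missing, shows the resulting ACEs and restarts the federation service. The sAMAccountName 'ADFS_srvc' comes from the error text; the object's OU is whatever Get-ADUser returns for it.

```powershell
# Added example, not from the original post. Run with rights to modify the account's ACL.
# 'ADFS_srvc' is the account name from the error text; its DN is looked up, not assumed.
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used below

$acct = Get-ADUser -Identity 'ADFS_srvc'
$path = "AD:\$($acct.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Well-known SID for Authenticated Users (S-1-5-11) avoids locale-dependent group names.
$authUsers = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-11'
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Is there already an Allow ACE for Authenticated Users that covers GenericRead?
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    (($_.ActiveDirectoryRights -band $readRight) -eq $readRight)
}

if (-not $hasRead) {
    # Read only: the WID just needs to look the account up, nothing more.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $authUsers, $readRight, ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "Granted Authenticated Users Read on {0}" -f $acct.DistinguishedName
} else {
    "Authenticated Users already has Read on {0}" -f $acct.DistinguishedName
}

# Show what Authenticated Users now holds on the object, then restart AD FS (service name adfssrv).
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited -AutoSize
Restart-Service -Name adfssrv
```

If the output shows the Read ACE as inherited, the account was getting it from its OU before and something removed inheritance or the ACE; in that case find out what changed the ACL rather than only re-adding the permission.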

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

XenApp 6.5 Connector Now Supports System Center 2012 R2 Configuration Manager

7:12 am in citrix, CM12 R2, connector, sccm 2012 R2, SCCM 2012 R2, Xenapp, Xendestop by Kenny Buntinx [MVP]

 

Citrix understood the importance of supporting the new System Center 2012 R2 Configuration Manager for XenApp 6.5 and has announced the availability of its second Service Pack for the Citrix XenApp 6.5 Connector, which enables you to deploy the connector in a System Center 2012 R2 Configuration Manager environment.

This release also enables support for StoreFront 2.1 aggregated resources that allow applications from multiple farms to be published in a single store.

Advice for customers upgrading from the original or SP1 versions of the connector.

If you are upgrading your original connector and System Center installation, we recommend the following procedure to ensure the upgrade goes as planned:

  • Upgrade all instances of the connector service
  • Upgrade the ConfigMgr consoles extension(s)
  • Upgrade Connector Agent on XenApp workers
  • Upgrade the DT handler & agent on all Managed PCs (if these were previously installed)
  • Test that deployments and publishing function as expected
  • Upgrade System Center Configuration Manager & Clients (as per Microsoft guidance)
  • Test that deployments and publishing function as expected

DO NOT uninstall older versions of the agent on any XenApp servers as this will prevent System Center from deploying any software until you have installed the new agent manually or in the base image.

To learn more about the connector please check out this video. You can download the Service Pack 2 update here.

NOTE: This Service Pack replaces the previous download, which is no longer available. We recommend that customers using or evaluating the original 6.5 connector upgrade to this release as soon as possible. Customers using or evaluating the SP1 connector only need to upgrade to SP2 if they need the features listed at the top of this article.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes your domain controller unusable after reboot

8:48 pm in ADFS, ADFS 3.0, Global Managed Service Account, gmsa, intune, MDM, UDM, Windows Server 2012 R2, Windws Intune by Kenny Buntinx [MVP]

 

Background :

With the arrival of ADFS 3.0 in Windows Server 2012 R2, the use of IIS with AD FS has been dropped in favour of hosting directly on the kernel-mode HTTP listener (HTTP.SYS). The motive is to improve performance, provide more sign-in customization options and make it possible to co-locate ADFS and AD Domain Services on the same server (running IIS on a domain controller is, from a security perspective, a big no-no).

As the use of federation services goes more mainstream in everyday use with Windows 8.1, Office 365, Intune, Azure and whatever cloud service comes next, this shift is understandable and an important design consideration. With the new kernel-mode approach, support for running on Server Core also appears as an option in the new release.

Problem :

In my lab, I installed and configured ADFS 3.0 on my domain controller with a group Managed Service Account (gMSA), a feature introduced with AD DS in Windows Server 2012. After a server reboot, the ADFS service cannot start any more and stays in the “Starting” state, making the DC unusable.

This issue appears to be gMSA related: when you install ADFS 3.0 on a Windows Server 2012 R2 machine that also runs AD DS, then after a reboot (not always) the logon of the ADFS service as its gMSA fails. This is consistent with a start-order problem: to log a service on as a gMSA, the machine has to obtain the managed password from the Microsoft Key Distribution Service (kdssvc), which on a DC is the same box and is a manual, trigger-started service by default, so the ADFS service can come up before the KDS it depends on.

Solution:

After investigation, I found a workaround, unsatisfying as it is:

1. Reboot the ADDS/ADFS 3.0 server, log on and immediately set the ADFS service (adfssrv) from Automatic (Delayed Start) to Manual.

2. Change the Microsoft Key Distribution Service (kdssvc) from Manual (Trigger Start) to Automatic and restart the DC.

3. Log on and start the ADFS service (it now starts successfully).

4. Set the ADFS service from Manual back to Automatic (Delayed Start).

5. Done.
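The same four steps scripted, as an added example that is not part of the original post: it sets the startup types in the order given above and then verifies which account AD FS runs as and whether this host can retrieve the gMSA password. The service names adfssrv and KdsSvc are the real ones; the gMSA name 'gmsa-adfs' is an assumption for the final check. Run it elevated on the DC that also hosts AD FS 3.0.

```powershell
# Added example, not from the original post. Run elevated on the ADDS/ADFS 3.0 server.
# adfssrv and KdsSvc are the real service names; 'gmsa-adfs' is an assumed gMSA name.
Import-Module ActiveDirectory

# Step 1: stop AD FS from auto-starting until KDS has been made to start with the OS.
Set-Service -Name adfssrv -StartupType Manual

# Step 2: KDS is "Manual (Trigger Start)" by default on a DC; make it Automatic.
Set-Service -Name KdsSvc -StartupType Automatic
# The post restarts the DC at this point (Restart-Computer). Continue after logon:

# Step 3: KDS must be running before AD FS can log on as the gMSA, then start AD FS.
if ((Get-Service -Name KdsSvc).Status -ne 'Running') { Start-Service -Name KdsSvc }
Start-Service -Name adfssrv
(Get-Service -Name adfssrv).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Step 4: back to Automatic (Delayed Start). Set-Service on PS 4/5 cannot set "delayed",
# so use sc.exe (note the space after "start=").
sc.exe config adfssrv start= delayed-auto

# Verify: startup modes, the account AD FS runs as (StartName), and whether this host
# can retrieve the gMSA password (Test-ADServiceAccount returns True when it can).
Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv' OR Name='KdsSvc'" |
    Format-Table Name, StartName, StartMode, State -AutoSize
Test-ADServiceAccount -Identity 'gmsa-adfs'
```

If Test-ADServiceAccount returns False while KDS is running, the problem is not start order but the gMSA's PrincipalsAllowedToRetrieveManagedPassword not including this DC's computer account, which is a different fix.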

Keep it coming. We’re all learning ADFS 3.0 for Windows Intune  :-)

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Conquering BYOD by implementing ConfigMgr 2012 R2 and Windows Intune, “ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I

3:55 pm in ADFS, ADFS 2.1, ADFS 3.0, BYOD, WAP, Work Folders, Workplace Join by Kenny Buntinx [MVP]

 

In the next few posts, I want to take a look at the changes in Windows Server 2012 R2 with respect to Active Directory Federation Services (AD FS), which is mainly used for products and features such as Windows Intune, Workplace Join and Work Folders, the latter two introduced with Windows 8.1.

Through the new Workplace Join feature in R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component of the Microsoft Bring Your Own Device (BYOD) vision. Workplace Join allows unmanaged/untrusted operating systems such as Windows RT, Windows 8.1 and iOS to be moved into a more controlled access context by registering and affiliating them with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is Workplace Joined, DRS provisions a device object in Active Directory and installs a certificate on the consumer device that represents the device identity. DRS is meant to be both internal and external facing: companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet-connected location. To further secure this process, additional factors can also be used with Windows Azure Active Authentication (PhoneFactor).

Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Dropbox and SkyDrive Pro, but without the web and sharing features. Like most Microsoft OS features, Work Folders is tied to a specific release of Windows; however, according to this Channel 9 video, Microsoft will release Work Folders for Windows 7, iOS and “other devices” soon.

To make all that technology work, you need to implement ADFS 3.0, which is only available in Windows Server 2012 R2. The different ADFS versions are hard to find listed anywhere, so I will list them once more:

  • ADFS 2.0 – Windows Server 2008/2008 R2, separate download (supported only for SSO in Windows Intune)
  • ADFS 2.1 – Windows Server 2012, built-in role (supported only for SSO in Windows Intune)
  • ADFS 3.0 – Windows Server 2012 R2, built-in role (supports SSO in Windows Intune, Workplace Join and Work Folders)

To be able to support ADFS 3.0, you need the prerequisites I list below:

  • Forest functional level = Windows Server 2003 or higher

To check the forest functional level –> (Get-ADForest).ForestMode

To check the schema version (69 = Windows Server 2012 R2, 56 = 2012, 47 = 2008 R2) –> Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=vnextdemo,dc=be" -Properties objectVersion | Select objectVersion

  • Domain controller OS = Windows Server 2012 or higher

    • If you have no 2012 R2 DC, upgrade the schema with adprep /forestprep. The new Device class (used by the Device Registration Service) requires a schema change to Active Directory. For those upgrading an existing Windows setup, the appropriate files can be found on the R2 installation media under D:\Support\ADPrep.

    • If upgrading a DC to 2012 R2:

            • First check where the FSMO roles are: PS C:\> netdom query FSMO
            • Then use the Move-ADDirectoryServerOperationMasterRole cmdlet to move them. You can do this with a simple one-liner: Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole 0,1,2,3,4 (0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster)

  • ADFS 3.0 and the Web Application Proxy must be installed on Windows Server 2012 R2
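A read-only pre-flight check of the prerequisites listed above, as an added PowerShell example that is not part of the original post: it reports the functional levels, the schema version (and whether the msDS-Device class for DRS is present), and every DC's OS level and FSMO roles in one pass. The schema-version table and role names are fixed Windows values; everything else is read from your own forest. Run it from any machine with the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Read-only; run where the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# 1. Functional levels: AD FS needs 2003 or higher; gMSA needs at least one 2012 DC in the domain.
"Forest functional level : {0}" -f $forest.ForestMode
"Domain functional level : {0}" -f $domain.DomainMode

# 2. Schema version: has adprep /forestprep for 2012 R2 (objectVersion 69) already run?
$schemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2' }
$objectVersion  = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
$label = if ($schemaVersions.ContainsKey($objectVersion)) { $schemaVersions[$objectVersion] } else { 'unknown' }
"Schema version          : {0} (Windows Server {1})" -f $objectVersion, $label

# The Device Registration Service needs the msDS-Device class that the 2012 R2 schema adds.
$deviceClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(lDAPDisplayName=msDS-Device)'
"msDS-Device class       : {0}" -f $(if ($deviceClass) { 'present' } else { 'MISSING - run adprep /forestprep' })

# 3. Domain controllers: OS level and FSMO role holders (what netdom query fsmo shows, per DC).
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ', ' } } |
    Sort-Object HostName |
    Format-Table -AutoSize
```

Any DC in the last table still on Windows Server 2008 R2 that holds a role is the one you would target first with the Move-ADDirectoryServerOperationMasterRole one-liner above before retiring it.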

 

In the next blog post, I will continue with how to set up ADFS 3.0 to support “Windows Intune”, “Workplace Join” and “Work Folders”. So stay tuned for Part II.

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP