Friday, July 22, 2016

Unattended Installation Of KB3159706 Breaks WSUS Instance (SUP) For SCCM

Issue
A customer of mine has an SCCM 1511 environment which also has a Software Update Point (SUP) deployed. This SUP uses WSUS under the hood and worked fine for a long time. However, for a few weeks the SUP was broken and the underlying WSUS Console threw this error:
[Screenshot]

And:

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

System.IndexOutOfRangeException -- Index was outside the bounds of the array.

Source
Microsoft.UpdateServices.BaseApi

Cause
It took me some time to pinpoint the cause, but it turned out to be KB3159706, which enables ESD decryption provision in WSUS.

However, the update itself is harmless UNLESS one undertakes manual steps after the installation of the update, as stated in the same KB article:
[Screenshot]

If you don’t, WSUS will be broken…
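A pre-flight check for this situation, added here as an example and not part of the original post. The feature name `NET-WCF-HTTP-Activation45`, the `wsusutil.exe postinstall /servicing` step and the service name `WsusService` come from Microsoft's KB3159706 article and a default WSUS installation, not from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: flag a WSUS server where KB3159706 is installed but the
# follow-up work from the KB article has not (fully) been done.
Import-Module ServerManager

$kbId        = 'KB3159706'
# "HTTP Activation" under ".NET Framework 4.5 Features" in Server Manager
$featureName = 'NET-WCF-HTTP-Activation45'
# Default WSUS tools path (assumption: WSUS installed in the default location)
$wsusUtil    = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

$hotfix  = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue
$feature = Get-WindowsFeature -Name $featureName
$service = Get-Service -Name WsusService -ErrorAction SilentlyContinue

$state = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    KbInstalled    = [bool]$hotfix
    KbInstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    HttpActivation = [bool]$feature.Installed
    WsusService    = if ($service) { $service.Status } else { 'not found' }
}
$state | Format-List

if ($state.KbInstalled -and -not $state.HttpActivation) {
    Write-Warning "$kbId is installed but HTTP Activation is not. Manual steps from the KB article:"
    Write-Warning "  1. `"$wsusUtil`" postinstall /servicing"
    Write-Warning "  2. Install-WindowsFeature $featureName"
    Write-Warning "  3. Restart-Service WsusService"
}
elseif ($state.KbInstalled) {
    # Whether 'postinstall /servicing' has been run cannot be read from these
    # properties; confirm by opening the WSUS console.
    Write-Output "$kbId and HTTP Activation are both present; verify the WSUS console opens."
}
else {
    Write-Output "$kbId is not installed; review the KB article before approving it."
}
```

Run it on the WSUS server itself, before and after the update is approved for that server.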

Solution
In this case, the decision was made to uninstall this particular update. The server was rebooted and WSUS was fully functional again.

Within an hour the SUP for SCCM was fully functional again and runs now without a glitch.

Recap
Always be careful with the automated deployment of updates. Of course, Critical Updates and Security Updates are crucial, but require testing. When also pushing regular updates to your environment, they require testing as well. Never assume things won’t be hurt.

In this case the update itself was okay, but required manual actions afterwards in order to make it land properly. Because no one knew about this update being pushed, no one looked until it was too late.

So: Always test yourself before you wreck yourself.

Monday, July 18, 2016

SCOM Gateway Server Event ID 20077: ‘…no private key was included with the certificate…’

Issue
For a complex environment I had to create Certificate Signing Request files (CSRs) using this method, section Request OpsMgr Certificate. So far so good. The certificates created on those CSRs worked as expected, except for the SCOM Gateway Server.

Somehow, there was NO private key, and therefore SCOM didn’t load this certificate, throwing Event ID 20077:
[Screenshot]

And indeed, in the Certificate snap-in there was NO private key attached to this certificate:
[Screenshot]
(Please mind: the golden key is missing in the certificate icon, depicting the private key.)

And:
[Screenshot]
(Normally located at the yellow question mark there should be a line of text about the private key.)

Fix
One of the fixes is to create a NEW certificate, based on a new CSR. But before doing that one might try to repair the store first, based on this posting.

Results
So based on that posting I ran the RepairStore command using the thumbprint of the ‘broken’ certificate. The feedback I got was good:
[Screenshot]

Time to refresh the certificate MMC, and YES it worked:
[Screenshot]
(Please mind: the golden key is ‘back’ in the certificate icon, depicting the private key.)

And:
[Screenshot]
(Yes, the line of text about the private key is ‘back’.)

Let’s bounce the Health Service and see whether the certificate is REALLY okay now:
[Screenshot]

And YES we’re in business. After this the SCOM Gateway Server connected properly to the SCOM MS servers and all was okay again.
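The check-and-repair sequence described above, as an added example that is not part of the original post. The function name `Repair-CertificateKeyLink` is hypothetical and the thumbprint is a placeholder; `certutil -repairstore` can only re-link a private key that still exists on the machine, typically the one where the CSR was generated.

```powershell
#Requires -RunAsAdministrator
# Added example: find certificates without a private key in the computer's
# Personal store and re-link one of them with certutil -repairstore.

function Repair-CertificateKeyLink {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate MMC often carry spaces or an
    # invisible leading character; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

    $path = "Cert:\LocalMachine\My\$clean"
    $cert = Get-Item -Path $path -ErrorAction Stop
    if ($cert.HasPrivateKey) {
        Write-Verbose "Private key already linked for $($cert.Subject)"
        return $cert
    }

    # -repairstore only re-links a key that still exists on this machine
    $output = & certutil.exe -repairstore My $clean 2>&1
    $output | ForEach-Object { Write-Verbose "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed (exit code $LASTEXITCODE)"
    }

    # Re-read the certificate: a zero exit code alone does not prove the link
    $cert = Get-Item -Path $path
    if (-not $cert.HasPrivateKey) {
        throw "Key still missing; request a new certificate from a new CSR."
    }
    $cert
}

# 1. Inventory: every certificate in LocalMachine\My without a private key
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter

# 2. Repair the gateway certificate, then bounce the Health Service
# Repair-CertificateKeyLink -Thumbprint '<thumbprint-of-gateway-certificate>' -Verbose
# Restart-Service -Name HealthService
```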

Recap
Whenever SCOM can’t load the certificate because the private key is missing, try to fix it first before creating a new certificate. It saves you a lot of time.

A BIG thanks to…
SSL Support Desk for their posting which helped me to solve this issue. Awesome!

Ignite 2016 = Launch Date System Center 2016

As expected, System Center 2016 will be launched in Q3 2016. Now the date is really set: System Center 2016 will be launched at Ignite 2016, which takes place in September.

For now (based on TP5 for SCOM 2016) these are the fixes and new features:

  • Monitor a broad range of network devices without requiring Operations Manager certification
  • Monitor Nano Server deployments, including DNS and IIS roles
  • Realize more than 2X scale improvement in monitoring UNIX/Linux servers
  • Experience a more responsive application console, including the ability to navigate across different views and pivots without having to wait for the data to load
  • Seamlessly discover, install and update required management packs right from the administration console
  • Tune management packs, and alter the monitors and alerting rules – either at source level or group level – to reduce alert noise
  • Plan and schedule maintenance windows for workloads without generating spurious alerts in Operations Manager console
  • Utilize the Preferred Partner program to discover third-party management packs, authoring tools, dashboard utilities, etc., right from the Operations Manager console.

IMHO these fixes and new features aren’t that big compared to SCOM 2012 R2 UR#9, underlining Microsoft’s ‘Cloud-First, Mobile-First’ strategy.

Updated MP: SQL MPs, Version 6.7.2.0

The SQL MP line has been updated to version 6.7.2.0. This is a major update, containing many fixes and new features. For instance, the SQL Server MP for SQL 2005, 2008, 2008 R2 & 2012 contains these fixes and new features:

  • Added rules for alerting when an Availability Replica changed its role and/or a Database Replica changed its role
  • Created a group for WOW64 SQL Server instances and disabled launching some workflows for these instances
  • Added MP version line into MP's events generated by scripts
  • Fixed display strings and Knowledge Base articles
  • Fixed: some scripts do not return data when one of few installed instances is stopped
  • Fixed: SPN configuration monitor uses stale data
  • Fixed: Mirroring monitoring scripts fail when instance is stopped
  • Fixed Always On Database replica discovery incorrect behavior; fixed Always On policies discovery and monitoring
  • Fixed Database policies discovery and monitoring
  • Fixed and optimized CPU Usage monitoring scripts (the issue appeared when only one core was assigned)
  • Added support for more than 32 processors count in CPU Usage monitoring.
  • SQLPS module is now used for the tasks instead of deprecated SQLPS.EXE
  • Implemented FILESTREAM filegroup monitoring
  • Multiple Ports are now supported in SQL Server TCP/IP parameters
  • Fixed error occurring when no port is specified in SQL Server TCP/IP parameters
  • Fixed filegroup read-only state discovery
  • Fixed RunAs profiles mapping for some workflows
  • Implemented support for TLS 1.2 in connection logic
  • Implemented support for different client drivers in connection logic
  • Updated connection logic error logging
  • Added RunAs profiles for mirroring monitors, fixed mirroring discovery issues
  • Fixed issue: CPU usage monitor ignored SQL server limitations on CPU core count
  • Fixed display strings and Knowledge Base articles
  • Fixed error reporting in the scripts
  • Fixed intermittent "Cannot login to database" alert with some rules
  • Added support for SQL Express Instances
  • Updated Knowledge Base articles
  • Microsoft SQL Server 2012 x86 on Windows 2008 R2: fixed the issue when DB filegroups cannot be discovered
  • Win10 support: fixed "Cannot bind argument to parameter 'Path' because it is an empty string." issue
  • Fixed issue when SQL Configuration Manager starts snap-in of wrong version
  • Fixed invalid Always On non-readable replica detection

As ever, TEST these MPs BEFORE putting them into PRODUCTION. In the past there have been nasty issues with updated MPs, causing unexpected behavior, like DW bloat for instance.

So TEST yourself before you WRECK yourself.

Monday, July 4, 2016

ConfigMgr 1602 Hotfix (KB3155482) In-Console Installation FAQ

Since I do get a lot of questions from customers running ConfigMgr 1602 in relation to the new feature of in-console installation of updates or hotfixes, I’ve decided to write this posting hoping to answer most of those questions.

However, when you don’t find your particular question in this posting, don’t hesitate to reach out through a comment, and I’ll update the posting accordingly.

Also good to know, even though this posting is based on the last available hotfix for ConfigMgr 1602 (KB3155482), this FAQ can be used for ALL in-console updates/hotfixes.

  1. Q: Are there any resources out there, describing how to use this new feature, first introduced in ConfigMgr 1511?
    A: Yes, there are. Many are community based and easy to find on the internet, using a search engine like Google/Bing. Of course, Microsoft has a TechNet article as well about the same topic, titled Updates for System Center Configuration Manager. This TN article is updated every time a new branch for ConfigMgr is publicly released.

  2. Q: Is this new feature like ‘Set & Forget’. Like: I click it to install and I don’t have to do anything anymore?
    A: Even though this new feature is really cool and awesome, it still REQUIRES your ATTENTION. Seriously. Never ever trust ANYTHING to run smoothly, but CHECK and DOUBLE CHECK is the message here. Also, keep your environment in mind. For instance, Secondary Sites aren’t automatically updated. You must initiate this by yourself. And when the installation is finished, and as such neatly reported in the Console, check the file versions yourself to be 100% sure. Just like you would roll out any other update/hotfix when done manually.

  3. Q: Can I blindly update my Clients as well?
    A: This question is the same as asking me whether or not to eat peanuts. When not having an allergy, be my guest but when you do, don’t eat the peanuts!

    In other words, it depends on your situation. And your situation is based on too many factors I simply don’t know. So again, be careful here. It’s simply better to postpone the update of the Clients until you’re pretty sure it won’t hurt them. To that end, create a test Device Collection of Clients representing a cross section of all SCCM Clients and have them updated. When they’re okay, simply move ahead to the next batch and so on.

  4. Q: Why should I use this new feature at all? I don’t think it’s cool anyhow. Always updated my ConfigMgr environment by hand, so why should I change that now?
    A: Progress is default in our line of work. Of course, it doesn’t mean you must follow suit on everything, but it pays off to know what’s available and possible. Just denying a new way of working based solely on the reason ‘I always did it manually or by method A or B’ won’t get you far. When you simply want to TEST this new functionality however, before letting it loose in the ‘wild’, I hear you. Simply build a new test environment and test drive it. Document it. Discuss it with your team. And then decide.

    But when you simply dismiss it because it’s new, I personally think your next question could be: ‘Do you want French fries with your burger?’. Excuse me for being harsh, but running away from new developments in our line of industry won’t keep you ahead of the competition and sooner or later you’ll find yourself learning a new trade. Perhaps even serving a burger to your old colleagues who have time for it now since ConfigMgr is updating itself…

  5. Q: Should I run the Prerequisite Check or not?
    A: Yes please! Even when you try to skip it by hitting the Install Update Pack button in the Console, it will run that check. But none the less, it’s better to run the check separately before you hit that button. This way you’ll know whether there are issues or not. It will help you to prevent situations where you’ve planned time for the installation, only to bump into a ‘negative’ from the Prerequisite Checker. Better to catch them beforehand, fix them and then move ahead.

  6. Q: Do I still need to follow the RFC procedures?
    A: Seriously? Are you asking me to skip them? Why? Because the Console can update the ConfigMgr infrastructure? Most of the time when a hotfix is applied, the SQL database is hit as well, as is the Console. What are you going to tell your manager? It was the Console, not me? So YES please, follow the normal RFC procedures. Even better, run the Prerequisite Checker before filing the RFCs so you know whether additional work is required. Helps you to save face.

  7. Q: Okay. I’ve run the Prerequisite Checker. Nothing came out. All okay. So I hit the Install Update Pack button. And now I see the Prerequisite Checker came out fine (again). But it looks like NOTHING happens afterwards. Is this new ‘cool’ feature broken or what?
    A: Good question! No, all is just fine. It’s just that between the time the prerequisite check is finished and when the installation starts, there are about ten minutes. So simply wait and soon (or later, depending on your patience) the REAL installation will start.

  8. Q: Where can I find the progress of the installation?
    A: In the Console. Go to: \Administration\Overview\Cloud Services\Updates and Servicing. Select the update which is installing by highlighting it. Underneath in the right side of the same Console you’ll find the header Related Object with the link Show Status underneath it. Hit that link and you’ll find yourself in another section of the Console, \Monitoring\Overview\Site Servicing Status. Select the update you started, and select the button Show Status in the Console. The screen Update Pack Installation Status will be opened, showing you the installation progress of the update you selected. Per step the status will be shown.

  9. Q: When the update/hotfix hits the Console as well, can I still use the in-console update feature?
    A: Yes you can! Simply start the update/hotfix installation through the Console. And when the package is about to update the Console and you’ve got it still open, you’ll be asked to close it so it can be updated. Example of the screen you’ll be shown:
    [Screenshot]

  10. Q: What’s next waiting for us ConfigMgr administrators? A fully automated packaging line? Features like this will cost me my job eventually!
    A: Relax! I compare it to washing your car. Before the car wash industry came to be, it was normal to wash your car by hand. Nowadays almost everybody goes to the carwash. It saves you a lot of time to do tedious repetitive labor and enables you to spend your valuable time in a much better way.
     
    The same goes for the new features introduced in the new line of ConfigMgr branches. They help you to save time, and to ensure repetitive labor is always performed in the same manner. Now you find time to do other things. Like automating other daily jobs by using PowerShell and so on. Like an old colleague once said to me: ‘An administrator who DOESN’T automate his daily chores, isn’t an admin at all, but just a wannabe’.

Hopefully this posting has answered most of the questions out there about the in-console update feature. And again, when missing your question, don’t hesitate and reach out through a comment.

New License Model: Operations Management Suite (OMS) Subscription

As we all know there are two flavors of licenses for the System Center stack: System Center Standard and System Center Datacenter. For more information about this license model, I advise you to read my blog series about this topic.

Time to meet the new license model
However, a new ‘flavor’ was recently added to the mix, branded Operations Management Suite Subscription, and (as the name implies) it has OMS at its core. However, the whole System Center stack is added to it, making it a perfect fit for hybrid cloud environments. Also, it’s subscription based with the pricing structured per VM per month with an annual commitment.

So when you buy the OMS subscription you’re entitled to use these technologies:
(Screenshot taken from the Operations Management Suite Pricing and Licensing Datasheet.)

System Center already connected to the cloud in a technical way before. And now its licenses are moving to the cloud as well, where almost everything is subscription driven on a ‘pay-as-you-go’ basis.

As Microsoft states: ‘…With OMS, you can manage workloads on Windows Server and Linux across any on-premises and public cloud, including Azure and Amazon Web Services…’. Combined with the strength of the System Center stack and you’ve got all the tooling required to run, manage, automate and monitor your IT services, whether on-premise or in the cloud.

Hey wait! I am already using System Center!
When you’re currently using System Center with SA (Software Assurance), OMS is available as an add-on to your existing licenses. This add-on is also purchased as an annual commitment.
(Screenshot taken from the Operations Management Suite Pricing and Licensing Datasheet.)

Basically it means you’ve got to buy more licenses…

OMS & add-ons comparison
This brings us to the next question of this posting: How do the subscription and add-ons compare?

Again a screenshot will come to my aid here:

(Screenshot taken from the Operations Management Suite Pricing and Licensing Datasheet.)

All or nothing?
Suppose you only need a certain set of services, e.g. Backup and Log Analytics. Gladly you can purchase these services separately as well, allowing you to mix them as required. In this case the services are priced either per VM, per GB (of ingested data), or per minute.

Mind you, this is only valid for the services offered by OMS. When you want to use a certain set of the System Center stack, you can only purchase the System Center licenses mentioned at the beginning of this posting, or the newly introduced OMS Subscription.

How many $$$ or €€€?
Even though the same datasheet gives you an estimate about the retail prices, chances are they will be different for you, depending on your country, supplier and so on.

Resources
For this posting I used these resources:

Visio & PowerPoint: Microsoft Azure, Cloud and Enterprise Symbol / Icon Set

Thanks to James van den Berg this awesome symbol and icon set for Visio and PowerPoint was brought to my attention.

Whenever you’re making a slide deck or Visio drawing all about Microsoft Azure, this is the set to use.

You can download it from here.