<h1>ADdict</h1>
<p>Things related to Active Directory. Author: Thomas.</p>
<h2>Domain controller: LDAP server signing requirements and Simple Binds</h2>
<p>Published 2016-09-22, updated 2016-09-23.</p>
<p>Lately I’ve been wondering about the impact of the following setting: <strong>Domain controller: LDAP server signing requirements</strong>. The documentation (<a href="https://technet.microsoft.com/en-us/library/jj852234(v=ws.11).aspx">TechNet #1</a> and <a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/domain-controller-ldap-server-signing-requirements">TechNet #2</a>) spells it out pretty well: <em>This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.</em> You can set it to either None or Required. None is the default and allows signing if the client asks for it.</p>
<p>Sometimes when I read information I read too fast and draw my conclusion. Shame on me. My wrong conclusion: configuring this setting to <strong>Required</strong> forces all connections to use LDAPS (TCP 636). Nope. It says <u>data signing</u>! Signing can be done perfectly well with traffic targeted at either LDAP (TCP 389) or LDAPS (TCP 636).</p>
<p>From <a href="https://blogs.technet.microsoft.com/askds/2009/09/21/understanding-ldap-security-processing/">AskDS: Understanding LDAP Security Processing</a> I learned various things about simple binds. Simple binds send your username and password in clear text. Needless to say, in combination with plain LDAP you’re at risk. On the other hand, if the communication uses LDAPS, sending passwords in clear text could be acceptable.</p>
<p>Now the documentation I referenced earlier is a bit conflicting on this topic:</p>
<ul>
<li><em>This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.</em></li>
<li><em>If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.</em></li>
<li><em>Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.</em></li>
</ul>
<p>Now it might be just me, but I would phrase that differently. Both articles suffer from the same wording. So, as with any other uncertainty, we just test it. Once you see and experience it you’ll never forget!</p>
<p>This is part of the Default Domain Controller Policy on Windows Server 2012 R2:</p>
<p><a href="https://lh3.googleusercontent.com/-dS-JHfgSPsU/V-RI6Z8UCDI/AAAAAAAADPY/6YcnQTPI3wA/s1600-h/image%25255B3%25255D.png"><img alt="Default Domain Controller Policy: LDAP server signing requirements" src="https://lh3.googleusercontent.com/-9LCLUPjHo5g/V-RI7Dwt_XI/AAAAAAAADPc/BEKDloU38Xk/image_thumb%25255B1%25255D.png?imgmax=800" width="454" height="42" /></a></p>
<p>I changed it to:</p>
<p><a href="https://lh3.googleusercontent.com/-dxjeM_icf6c/V-RI7pNx9vI/AAAAAAAADPg/alyQMgytwXk/s1600-h/image%25255B7%25255D.png"><img alt="LDAP server signing requirements changed to Require signing" src="https://lh3.googleusercontent.com/-oEn9m2e9l7w/V-RI8HyEnDI/AAAAAAAADPk/hhTgJ-K0TkM/image_thumb%25255B3%25255D.png?imgmax=800" width="454" height="42" /></a></p>
<p>Now using LDP.exe we can do some tests.</p>
<p>Connecting over LDAPS:</p>
<p><a href="https://lh3.googleusercontent.com/-ib1mCXyFhx0/V-RI8_WJIgI/AAAAAAAADPo/QTcfQxOqiOo/s1600-h/image%25255B10%25255D.png"><img alt="LDP.exe: connecting over LDAPS" src="https://lh3.googleusercontent.com/--uH1pLTTLOs/V-RI9Xid1TI/AAAAAAAADPs/_vTQ_47Pe78/image_thumb%25255B4%25255D.png?imgmax=800" width="244" height="130" /></a></p>
<p>Performing a simple bind:</p>
<p><a href="https://lh3.googleusercontent.com/-SWGy312DNh4/V-RI94KojZI/AAAAAAAADPw/MtZWQ60y1iM/s1600-h/image%25255B13%25255D.png"><img alt="LDP.exe: simple bind" src="https://lh3.googleusercontent.com/-olabGaZz7t0/V-RI-QvqpWI/AAAAAAAADP0/-wV9vW5Jqcc/image_thumb%25255B5%25255D.png?imgmax=800" width="244" height="222" /></a></p>
<p>And the result:</p>
<p><a href="https://lh3.googleusercontent.com/-UlSetBC7mTY/V-RI-w8idsI/AAAAAAAADP4/kCEXGhamQvM/s1600-h/image%25255B17%25255D.png"><img alt="LDP.exe: simple bind result over LDAPS" src="https://lh3.googleusercontent.com/-QnJaQyZa9_Q/V-RI_UcCGuI/AAAAAAAADP8/iLgm6RU4lfo/image_thumb%25255B7%25255D.png?imgmax=800" width="454" height="40" /></a></p>
<p>Now if we try to connect over LDAP:</p>
<p><a href="https://lh3.googleusercontent.com/-UBnfgJ7twGQ/V-RI_xO8uXI/AAAAAAAADQA/hk7XfImIwB0/s1600-h/image%25255B23%25255D.png"><img alt="LDP.exe: connecting over LDAP" src="https://lh3.googleusercontent.com/-IQ2YmKICm98/V-RJAe5jhSI/AAAAAAAADQE/4TGgcObEdb8/image_thumb%25255B9%25255D.png?imgmax=800" width="244" height="133" /></a></p>
<p>Bind like before. But now we get:</p>
<p><a href="https://lh3.googleusercontent.com/-WHvCDeF8wKQ/V-RJA-Fq2XI/AAAAAAAADQI/NFKD_Z43AVM/s1600-h/image%25255B27%25255D.png"><img alt="LDP.exe: simple bind error over LDAP" src="https://lh3.googleusercontent.com/-01UDnxrp_7Q/V-RJBrPhYRI/AAAAAAAADQM/cSlQ5IOpgU8/image_thumb%25255B11%25255D.png?imgmax=800" width="454" height="45" /></a></p>
<p>In words: <em>Error &lt;8&gt;: ldap_simple_bind_s() failed: Strong Authentication Required<br />Server error: 00002028: LdapErr: DSID-0C090202, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580<br />Error 0x2028 A more secure authentication method is required for this server.</em></p>
<p><u><strong>Conclusion:</strong></u></p>
<p>All of this is definitely not new. But writing about it helps me never forget it. Setting the LDAP server signing requirement to Required will probably require some planning and testing. But it doesn’t mean you can’t use simple binds, as long as you can configure your application to use LDAPS. Your domain controller should be logging a warning event every once in a while when simple binds or unsigned LDAP traffic is seen.
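</p>
<p>For the planning and testing step, here is an added PowerShell example (not code from the original post): it performs a simple bind over 389 and over 636 against one domain controller with System.DirectoryServices.Protocols and then lists the Event ID 2887 warnings from that DC's Directory Service log. The DC name and the test account are placeholders, and the LDAPS bind only succeeds when the client trusts the DC's certificate.</p>

```powershell
# Added example, not code from the original post. Names below are lab placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcFqdn = 'srvdc01.setspn.local'   # placeholder: the domain controller to test against

function Test-LdapSimpleBind {
    <# Attempts an LDAP simple bind (AuthType Basic) on the given port and reports
       the LDAP result code instead of throwing. With "Require signing" the expected
       outcome is: 389 -> result code 8 (strongAuthRequired, 0x2028), 636 -> bind
       accepted, because TLS already protects the session. #>
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int] $Port,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # LDAPS: TLS from the first byte
    $connection.Credential = $Credential.GetNetworkCredential()
    try {
        $connection.Bind()
        [pscustomobject]@{ Port = $Port; ResultCode = 0; Detail = 'simple bind accepted' }
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to the LdapException when it does
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        $code   = -1
        $detail = $ex.Message
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            $code = $ex.ErrorCode                      # 8 = strongAuthRequired (0x2028)
            if ($ex.ServerErrorMessage) { $detail = $ex.ServerErrorMessage }
        }
        [pscustomobject]@{ Port = $Port; ResultCode = $code; Detail = $detail }
    } finally {
        $connection.Dispose()
    }
}

function Get-LdapSigningWarnings {
    <# Event 2887 is written to the Directory Service log at most once every 24 hours
       and counts the simple binds without TLS and the SASL binds without signing the
       DC accepted in that window. Use it to size the migration before the policy changes.
       Reading a remote log needs the event log firewall rule and rights on the DC. #>
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Days = 30
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Summary'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

# Usage: the credential is the (non-privileged) account the simple bind is made with.
$cred = Get-Credential -Message 'Account for the simple-bind test'
389, 636 | ForEach-Object { Test-LdapSimpleBind -Server $DcFqdn -Port $_ -Credential $cred } | Format-Table -AutoSize
Get-LdapSigningWarnings -DomainController $DcFqdn | Format-Table -Wrap
```

<p>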
Here’s some more info on this event: <a href="https://technet.microsoft.com/en-us/library/dd941856(v=ws.10).aspx">Event ID 2887 — LDAP signing</a>.</p>
<p>If you want to read more on LDAP signing, please check <a href="https://support.microsoft.com/en-us/kb/935834">KB935834: How to enable LDAP signing in Windows Server 2008</a>.</p>
<h2>IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null</h2>
<p>Published 2016-06-14.</p>
<p>I’ve been educating myself on the capabilities of OpenID Connect/OAuth in Server 2016. The version I’m currently playing with is based on TP5. I created a small application which consists of a web application and an API, just for educational purposes. The actual application can be found here: <a href="https://github.com/tvuylsteke/TodoListWeb">https://github.com/tvuylsteke/TodoListWeb</a></p>
<p>When I started testing my application I ran into an issue. I would visit my application, hit the sign in button and be redirected to AD FS. I would either enter my credentials or be authenticated transparently and then be redirected to my application. That’s where things went wrong.
I always seemed to get this error:</p>
<p><a href="https://lh3.googleusercontent.com/-W96U2mP7LJ8/V2ACNIgLScI/AAAAAAAADLo/G4uHWvsd4eU/s1600-h/error%25255B3%25255D.png"><img alt="AD FS sign-in error" src="https://lh3.googleusercontent.com/-AR91YeF8EJU/V2ACNU6uDbI/AAAAAAAADLw/5SEMDckV3CU/error_thumb%25255B1%25255D.png?imgmax=800" width="454" height="72" /></a></p>
<p>In words: <em>We're having trouble signing you in.</em></p>
<p><em>IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.;</em></p>
<p>Some online searching led me to some threads but no really good suggestions. I also found a session from Build 2015: <a href="https://channel9.msdn.com/Events/Build/2015/2-740">Cloud Authentication Troubleshooting and Recipes for Developers</a>. They mention that IDX10311 typically happens when you don’t receive an expected cookie from the browser. Likely cause: your reply URL is sending the browser somewhere different from where you started. I double-checked everything, but that didn’t seem to be the cause.</p>
<p>Then I found out that with Chrome everything was working as expected. Still I had no real clue. I posted my issue to an internal DL and one of my colleagues quickly spotted my issue using the Fiddler traces I provided. He told me that the OpenIdConnect.nonce.OpenIdConnect cookie was not being set correctly for the todolistweb.contoso.com application in IE. And when I took my traces I could indeed see this:</p>
<p>A trace from Internet Explorer. You can see the response from AD FS and then the browser going back to the application without any cookies:</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBWVWN2CJaSZDmdj1xfmYWdvG6RrkSt3Rb8TedZUrjgavS4V4jyThyphenhyphenvC4hNALgt-YiYC0-rHje-s_CP1-tPvvXr6UuwDLKGA0usfaX0ea8AE67VMz1FGOcAU3Nu5Qu3IA6GgTu5lg-cg/s1600-h/IE1%25255B3%25255D.png"><img alt="IE1" src="https://lh3.googleusercontent.com/-hprdRV8hQMs/V2ACNzKOQSI/AAAAAAAADMA/U7tZfcvz6-A/IE1_thumb%25255B1%25255D.png?imgmax=800" width="404" height="67" /></a></p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTQzVRLx4ULJurrM1fZAzFsnMx7VOp8PKtZ2NTCYmrMaAH29sVwYNUSTkns-p2qK6rLH_jaBff4ff-D96odXa41PXQmaEhb8TC8pJfT_u0i1bJmLSx74NZI97lyuGnNVojnLofqJAr6A/s1600-h/IE2%25255B3%25255D.png"><img alt="IE2" src="https://lh3.googleusercontent.com/-h0WUyNaqVqI/V2ACOfFG1EI/AAAAAAAADMQ/Op4qCDvuDjk/IE2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="102" /></a></p>
<p>Now if we compare that to a session from within Chrome:</p>
<p><a href="https://lh3.googleusercontent.com/-WEgp_i3wC2A/V2ACOrwc-HI/AAAAAAAADMY/ktFF1aXk2wM/s1600-h/Chrome1%25255B3%25255D.png"><img alt="Chrome1" 
src="https://lh3.googleusercontent.com/-2VidnP-eOy8/V2ACO3ogmNI/AAAAAAAADMg/QaaSAHz-yv0/Chrome1_thumb%25255B1%25255D.png?imgmax=800" width="404" height="74" /></a></p>
<p>You can clearly see the OpenIdConnect.nonce cookie:</p>
<p><a href="https://lh3.googleusercontent.com/-AJsngP2LJEU/V2ACPHVrbDI/AAAAAAAADMo/Z74rgZkDwwk/s1600-h/Chrome2%25255B3%25255D.png"><img alt="Chrome2" src="https://lh3.googleusercontent.com/-KX81xEVYhCA/V2ACPI0eHgI/AAAAAAAADMw/YH5par23X_Q/Chrome2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="104" /></a></p>
<p>As a solution to this issue I added my application to the Local Intranet Zone in IE and that resulted in the cookie being sent to the application. Mystery solved!</p>
<h2>Protected Users Group</h2>
<p>Published 2016-02-27.</p>
<p>Earlier this week I’ve been talking to a customer about the “Protected Users” group. You might have seen it appearing when introducing the first 2012 R2 domain controller. Here’s a good explanation of its purpose:</p>
<p><em>Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices and Windows Server 2012 R2 hosts have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.
Source: <a href="https://technet.microsoft.com/en-us/library/dn518179.aspx">TechNet: How to Configure Protected Accounts</a></em></p>
<p>The above is actually a bit misleading. The functionality was backported to Windows 2008 R2/Windows 2012 in hotfix KB2871997. See <a href="http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx">blogs.technet.com: An Overview of KB2871997</a> for an explanation.</p>
<p>This group might be part of your organization’s strategy to reduce the attack surface for pass-the-hash. A great white paper on this can be found here: <a href="https://www.microsoft.com/en-us/download/details.aspx?id=36036">Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2</a></p>
<p>One of the things the Protected Users group ensures is that no NTLM hashes are available to be used <em>or</em> stolen. Now I wanted to see this for myself. There are various tools out there that are capable of listing the various secrets. I tried Windows Credential Editor (WCE) but that one didn’t work on (my) Windows 2012 R2. So I used Mimikatz. My setup: a 2012 R2 domain controller and a 2012 R2 member server. I’ve got 3 domain admins: one that has the remote desktop session open to the member server and two that have a PowerShell running through runas. Of the latter, one is a member of the Protected Users group:</p>
<p>Run as different user: SETSPN\john</p>
<p><a href="https://lh3.googleusercontent.com/-AiJaw2jSQoY/VtGXzWAYiII/AAAAAAAADKo/0TaHUWO-ry8/s1600-h/image%25255B8%25255D.png"><img alt="Group membership of SETSPN\john" src="https://lh3.googleusercontent.com/-QaLLgaEeUaI/VtGXzquUgNI/AAAAAAAADKs/1loYkmwi23E/image_thumb%25255B4%25255D.png?imgmax=800" width="454" height="107" /></a></p>
<p>Run as different user: SETSPN\thomas</p>
<p><a href="https://lh3.googleusercontent.com/-VEjeLEFftjI/VtGX0JAp6lI/AAAAAAAADKw/hUiQIaPkctI/s1600-h/image%25255B7%25255D.png"><img alt="Group membership of SETSPN\thomas" src="https://lh3.googleusercontent.com/-RgoBxhmhTVs/VtGX0WYxLwI/AAAAAAAADK0/WpBzAzm96fU/image_thumb%25255B3%25255D.png?imgmax=800" width="454" height="107" /></a></p>
<p>As you can see, John is an old-school Domain Admin whereas Thomas has read the Mitigating PtH whitepaper and is a proud member of the Protected Users group. This is the PowerShell one-liner I used to dump the groups I care about: <code>WHOAMI /GROUPS /FO CSV | ConvertFrom-Csv | where {$_."group name" -like "Setspn\*"}</code></p>
<p>Here you can see the Protected Users admin has no NTLM available:</p>
<p><a href="https://lh3.googleusercontent.com/-Rk4LiFVP0LU/VtGX0jn6TsI/AAAAAAAADK4/TIJo3CgqsKg/s1600-h/image%25255B19%25255D.png"><img alt="Mimikatz output for the Protected Users admin: no NTLM hash" src="https://lh3.googleusercontent.com/-t_SVGkaWe1A/VtGX04QCXxI/AAAAAAAADK8/ti-1EQ_z4qY/image_thumb%25255B9%25255D.png?imgmax=800" width="454" height="186" /></a></p>
<p>Where the regular admin has NTLM available:</p>
<p><a href="https://lh3.googleusercontent.com/-uiOhxYCwEZU/VtGX1YvE06I/AAAAAAAADLA/_dqNTnA55Sk/s1600-h/image%25255B20%25255D.png"><img alt="Mimikatz output for the regular admin: NTLM hash present" src="https://lh3.googleusercontent.com/-gBnszBY8eH8/VtGX1tzbKJI/AAAAAAAADLE/54RR5yA3fuI/image_thumb%25255B10%25255D.png?imgmax=800" width="454" height="156" /></a></p>
<p>Here’s the difference from an attacker’s point of view:</p>
<p>Start Mimikatz –> <code>Privilege::debug</code> –> <code>sekurlsa::logonpasswords</code>. And here are the goodies:</p>
<p><strong><u>John:</u></strong></p>
<pre>Authentication Id : 0 ; 3529276 (00000000:0035da3c)
Session           : Interactive from 0
User Name         : john
Domain            : SETSPN
Logon Server      : SRVDC01
Logon Time        : 2/24/2016 6:59:54 PM
SID               : S-1-5-21-4274776166-1111691548-620639307-5603
        msv :
         [00000003] Primary
         * Username : john
         * Domain   : SETSPN
         * NTLM     : <strong>59884edfb057d0fec8cb7e0d571dc200</strong>
         * SHA1     : 7e655db2b3a7e88fb0c50ca56416ae655469f09e
         [00010000] CredentialKeys
         * NTLM     : <strong>59884edfb057d0fec8cb7e0d571dc200</strong>
         * SHA1     : 7e655db2b3a7e88fb0c50ca56416ae655469f09e
        tspkg :
        wdigest :
         * Username : john
         * Domain   : SETSPN
         * Password : (null)
        kerberos :
         * Username : john
         * Domain   : SETSPN.LOCAL
         * Password : (null)
        ssp :
        credman :
</pre>
<p><u><strong>Thomas:</strong></u></p>
<pre>Authentication Id : 0 ; 3493146 (00000000:00354d1a)
Session           : Interactive from 0
User Name         : thomas
Domain            : SETSPN
Logon Server      : SRVDC01
Logon Time        : 2/24/2016 6:59:36 PM
SID               : S-1-5-21-4274776166-1111691548-620639307-5602
        msv :
         [00010000] CredentialKeys
         * RootKey  : db1c2347608db0c4e2d89bbd6c328bf6f42671b7d88653cd4cc9af2713e958f0
         * DPAPI    : 63adfe49948fca81c885933b3aa23eba
        tspkg :
        wdigest :
         * Username : thomas
         * Domain   : SETSPN
         * Password : (null)
        kerberos :
         * Username : thomas
         * Domain   : SETSPN.LOCAL
         * Password : (null)
        ssp :
        credman :
</pre>
<p>As you can see, the admin that’s a member of the Protected Users group does NOT have the NTLM hashes dumped. Wooptiedoo! Now think and test before you start adding the Domain Admins group to the Protected Users group! By no means should you do that!
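</p>
<p>One way to do that think-and-test step up front, as an added PowerShell example that is not part of the original post: it lists the current Protected Users members, checks each account for the things membership breaks according to the TechNet guidance linked in this post (NTLM, DES/RC4 Kerberos, delegation, service accounts), and checks whether a member server allows the Restricted Admin RDP mode discussed further down via the DisableRestrictedAdmin value under the Lsa key. It assumes the RSAT ActiveDirectory module and PowerShell remoting; the server name is a placeholder.</p>

```powershell
# Added example, not code from the original post. Lab names are placeholders.
Import-Module ActiveDirectory

function Test-ProtectedUserCandidate {
    <# Returns the account with the reasons why Protected Users membership would
       break it. Members cannot use NTLM, DES or RC4 Kerberos, cannot be delegated
       (constrained or unconstrained) and get a 4-hour TGT lifetime; service
       accounts and computers should never be members. #>
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $props = @('TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'UseDESKeyOnly',
               'msDS-SupportedEncryptionTypes', 'ServicePrincipalName', 'PasswordLastSet')
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $issues = New-Object System.Collections.Generic.List[string]
    if ($u.ServicePrincipalName.Count -gt 0) { $issues.Add('has SPNs: looks like a service account') }
    if ($u.TrustedForDelegation)             { $issues.Add('unconstrained delegation is enabled') }
    if ($u.'msDS-AllowedToDelegateTo')       { $issues.Add('constrained delegation is configured') }
    if ($u.UseDESKeyOnly)                    { $issues.Add('DES-only Kerberos keys') }
    # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256. When the attribute
    # is set but carries neither AES bit, Kerberos pre-authentication fails for a member.
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    if ($etypes -and (($etypes -band 0x18) -eq 0)) { $issues.Add('no AES encryption types allowed') }
    $summary = 'none found'
    if ($issues.Count -gt 0) { $summary = $issues -join '; ' }
    [pscustomobject]@{
        Account         = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet   # AES keys only exist for passwords set at 2008+ domain level
        Issues          = $summary
    }
}

function Get-ProtectedUsersReport {
    <# Audits the existing membership: nested groups or computers are flagged
       outright, user accounts go through the candidate test. #>
    foreach ($m in Get-ADGroupMember -Identity 'Protected Users') {
        if ($m.objectClass -ne 'user') {
            [pscustomobject]@{
                Account         = $m.SamAccountName
                PasswordLastSet = $null
                Issues          = "is a $($m.objectClass), not a user account"
            }
            continue
        }
        Test-ProtectedUserCandidate -SamAccountName $m.SamAccountName
    }
}

function Test-RestrictedAdminRdp {
    <# Restricted Admin mode is controlled by the DisableRestrictedAdmin DWORD under
       HKLM\SYSTEM\CurrentControlSet\Control\Lsa: 0 allows it; 1 or a missing value
       means it is off, which matches the logon failure the post shows. #>
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer               = $env:COMPUTERNAME
            RestrictedAdminAllowed = ($null -ne $key -and $key.DisableRestrictedAdmin -eq 0)
        }
    }
}

# Usage: audit today's members, dry-run the Domain Admins before adding anyone,
# and verify the member server you RDP to (placeholder name in the post's lab domain).
Get-ProtectedUsersReport | Format-Table -AutoSize
Get-ADGroupMember -Identity 'Domain Admins' | Where-Object objectClass -eq 'user' |
    ForEach-Object { Test-ProtectedUserCandidate -SamAccountName $_.SamAccountName } | Format-Table -AutoSize
Test-RestrictedAdminRdp -ComputerName 'srvmember01.setspn.local'
```

<p>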
Here’s some good information on how to start with the Protected Users group and some additional caveats: <a href="https://technet.microsoft.com/en-us/library/dn518179.aspx">How to Configure Protected Accounts</a></p>
<p>Here’s one from my side: after adding my admin user to the Protected Users group he was no longer able to RDP to a 2012 R2 member server:</p>
<p><a href="https://lh3.googleusercontent.com/-49AUE_Y9ykc/VtGX12Tu3tI/AAAAAAAADLI/zyC5FJeypFA/s1600-h/image%25255B12%25255D.png"><img alt="Remote Desktop logon error" src="https://lh3.googleusercontent.com/-hwPpNTM-Wvc/VtGX2YrPOuI/AAAAAAAADLM/l9ME3dyJp3c/image_thumb%25255B6%25255D.png?imgmax=800" width="454" height="111" /></a></p>
<p>In words: <em>A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.</em></p>
<p>Remote desktop to a Windows 2008 R2 worked fine with that account. It seems that for my Protected User admin to be able to log on to a Windows 2012 R2 server, it actually had to use <code>mstsc.exe /restrictedadmin</code> and I had to enable Restricted Admin mode on the member server:</p>
<p><a href="https://lh3.googleusercontent.com/-h_2-DKlht5g/VtGX2kySzrI/AAAAAAAADLQ/klDfQjfWvd4/s1600-h/image%25255B24%25255D.png"><img alt="Restricted Admin registry value under the Lsa key" src="https://lh3.googleusercontent.com/-P-6oLxFTht8/VtGX21UYGGI/AAAAAAAADLU/O9JQ_WYwVqk/image_thumb%25255B12%25255D.png?imgmax=800" width="454" height="51" /></a></p>
<p>You can find that value below <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa</code></p>
<p>If you want to know more about the Protected Users group and the Restricted Admin feature, read up on both of them here: <a href="https://technet.microsoft.com/en-us/library/dn408190.aspx">TechNet: Credentials Protection and Management</a> or <a href="https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users">digital-forensics.sans.org: Protecting Privileged Domain Accounts: Restricted Admin and Protected Users</a></p>
<p>Some additional reading on Restricted Admin mode: <a href="http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx">Restricted Admin mode for RDP in Windows 8.1 / 2012 
R2</a></p>
<h2>Direct Access: Windows Internal Database (SQL) High CPU Usage</h2>
<p>Published 2015-10-14, updated 2016-03-15.</p>
<p>[<strong>Update 2016/03/15</strong>] An <u>official</u> article has been released with proper guidance and no need for any SQL management tools at all. It’s available here: <a href="https://technet.microsoft.com/en-us/library/mt693376.aspx">https://technet.microsoft.com/en-us/library/mt693376.aspx</a></p>
<p>I’ve got a customer who deployed Direct Access quite a while ago. Something we have observed for a while now is that the CPU usage of the servers is rather high. Some details about our setup: we have 2 Direct Access servers which are load balanced using Windows NLB. They are running Windows 2012 R2 and have 4 vCPUs and 8 GB of RAM. When troubleshooting this issue, we were seeing 400 active users, roughly 200 for each server. Here’s what the CPU usage looked like:</p>
<p><a href="http://lh3.googleusercontent.com/-zEZW1xxvXI8/Vh6j-gvf_hI/AAAAAAAADGk/X8HPAHdHy9A/s1600-h/image001%25255B3%25255D.png"><img alt="Task Manager: sqlservr.exe CPU usage" src="http://lh3.googleusercontent.com/-jlerqrI4uFc/Vh6j_FfyKQI/AAAAAAAADGs/e_tRlMT-pmA/image001_thumb%25255B1%25255D.png?imgmax=800" width="404" height="152" /></a></p>
<p>As you can see sqlservr.exe is using 67% CPU. Now that’s quite a lot… I would hope a DA server had other things to do with its CPU instead of running an SQL instance. Now I know where this instance comes from.
We configured inbox accounting on the Direct Access servers. This allows an administrator to pull up reports about who connected when to which resources. You can choose between RADIUS and Windows Internal Database (WID) as the target for the accounting data. We chose the WID approach and configured our accounting to hold data for 3 months. So I started wondering: is the SQL database instance having trouble with the amount of data? Or is there an issue with fragmented indexes, or… In order to investigate this, we had to do some SQL talking to this instance. As it’s a WID instance, we can only talk to it from the box itself. So we can either install the SQL command-line tools or SQL Management Studio. I’m not an SQL guru, so I prefer to do my troubleshooting using SQL Management Studio. To determine which version you can use, check the location of the sqlservr.exe binary:</p>
<p><a href="http://lh3.googleusercontent.com/-6wzfeItD62E/Vh6j_Q4vAXI/AAAAAAAADGw/5iainoC3s8E/s1600-h/image003%25255B3%25255D.png"><img alt="sqlservr.exe file location" src="http://lh3.googleusercontent.com/-lzWLIeWRSMU/Vh6j_5VW24I/AAAAAAAADG4/qoNCzU-dPlY/image003_thumb%25255B1%25255D.png?imgmax=800" width="404" height="212" /></a></p>
<p>And from the details you can see that the WID on Windows 2012 R2 is actually build 11.0.2100.60 which, if Bing is correct, is a SQL 2012 edition.</p>
<p><a href="http://lh3.googleusercontent.com/-rpjZi2Yie-c/Vh6kAOT3OyI/AAAAAAAADHA/3H2nJkA6ngA/s1600-h/image005%25255B3%25255D.png"><img alt="sqlservr.exe file details: build 11.0.2100.60" src="http://lh3.googleusercontent.com/-Bf39NnxNvtU/Vh6kAnaY0FI/AAAAAAAADHI/15fbdoXU04s/image005_thumb%25255B1%25255D.png?imgmax=800" width="404" height="332" /></a></p>
<p>So I took the SQL 2012 ISO and installed SQL Management Studio on the DA servers. Watch out when going through the setup: we don’t want to install another SQL instance, just the management tools. Here’s the string we can use to connect to the instance: <strong>\\.\pipe\MICROSOFT##WID\tsql\query</strong></p>
<p><a href="http://lh3.googleusercontent.com/-g5nMvWAD99c/Vh6kA4FTxhI/AAAAAAAADHQ/Wf77VLF4_cI/s1600-h/image007%25255B7%25255D.png"><img alt="SQL Management Studio connected to the WID instance" src="http://lh3.googleusercontent.com/-hrwjXVkvJ2Y/Vh6kBSXn4aI/AAAAAAAADHY/I_uxIApCqhI/image007_thumb%25255B3%25255D.png?imgmax=800" width="404" height="311" /></a></p>
<p>After connecting to the instance we see that there’s only one database (RaAcctDb) which has 4 tables. I found this query here: <a href="https://gallery.technet.microsoft.com/scriptcenter/Check-SQL-Server-a-a5758043">TechNet Gallery</a>; it also resembles the query presented in <a href="https://support.microsoft.com/en-us/kb/2755960">KB2755960</a>. To check all indexes for fragmentation issues, execute the following query:</p>
<pre>SELECT OBJECT_NAME(ind.OBJECT_ID) AS TableName,
       ind.name AS IndexName,
       indexstats.index_type_desc AS IndexType,
       indexstats.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL,  NULL, NULL, NULL) indexstats
INNER JOIN sys.indexes ind
    ON ind.object_id = indexstats.object_id
   AND ind.index_id = indexstats.index_id
</pre>
"><font color="#808080">.</font></span><span style="color: "><font color="#008080">index_id</font></span> <span style="color: "><font color="#808080">=</font></span> <span style="color: "><font color="#008080">indexstats</font></span><span style="color: "><font color="#808080">.</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#008080">index_id</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHERE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">indexstats</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">avg_fragmentation_in_percent</font></span> <span style="color: "><font color="#808080">></font></span> 30</font></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">ORDER</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">BY</font></span> <span style="color: "><font color="#008080">indexstats</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">avg_fragmentation_in_percent</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#0000ff">DESC</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font color="#0000ff" face="Consolas"><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><span style="color: 
"></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: ">No indexes were returned. Another thing which I hear from time to time is rebuild “statistics”. So I checked them and I saw they were two weeks old. I figured rebuilding them couldn’t hurt:</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "> </p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">use</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">RaAcctDb</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">;</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff"><font style="font-size: 9.5pt">UPDATE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">STATISTICS</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">connectionTable</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WITH</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> </font><span style="color: "><font style="font-size: 9.5pt" color="#0000ff">FULLSCAN</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; 
mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">GO</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt"> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">use</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">RaAcctDb</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">;</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff"><font style="font-size: 9.5pt">UPDATE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">STATISTICS</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">EndpointsAccessedTable</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WITH</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> </font><span style="color: "><font style="font-size: 9.5pt" color="#0000ff">FULLSCAN</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: 
"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">GO</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt"> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">use</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">RaAcctDb</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">;</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff"><font style="font-size: 9.5pt">UPDATE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">STATISTICS</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">ServerEndpointTable</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WITH</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> </font><span style="color: "><font style="font-size: 9.5pt" color="#0000ff">FULLSCAN</font></span></span></font></p> <p 
class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">GO</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt"> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">use</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">RaAcctDb</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">;</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff"><font style="font-size: 9.5pt">UPDATE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">STATISTICS</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">SessionTable</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WITH</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> </font><span style="color: "><font style="font-size: 9.5pt" 
color="#0000ff">FULLSCAN</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">GO</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff" face="Consolas"></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: " align="justify">Again no real change in CPU usage… Ok, back to the drawing board.  I googled a bit for “high cpu usage SQL” and I found the following blog: <a href="http://mssqlfun.com/2013/04/01/dmv-3-what-is-currently-going-on-sys-dm_exec_requests-2/">http://mssqlfun.com/2013/04/01/dmv-3-what-is-currently-going-on-sys-dm_exec_requests-2/</a> One of the queries there is this one:</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: " align="justify"> </p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">SELECT</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">SESSION_ID</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" 
color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">REQUEST_ID</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">SESSION_REQUEST_ID</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff">STATUS</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">S</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" 
style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff">HOST_NAME</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">C</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">CLIENT_NET_ADDRESS</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">CASE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">WHEN</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">LOGIN_NAME</font></span> <span style="color: "><font color="#808080">=</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font 
color="#008080">ORIGINAL_LOGIN_NAME</font></span> <span style="color: "><font color="#0000ff">THEN</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">LOGIN_NAME</font></span> <span style="color: "><font color="#0000ff">ELSE</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">LOGIN_NAME</font></span> <span style="color: "><font color="#808080">+</font></span> <span style="color: "><font color="#ff0000">'('</font></span> <span style="color: "><font color="#808080">+</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">ORIGINAL_LOGIN_NAME</font></span> <span style="color: "><font color="#808080">+</font></span> <span style="color: "><font color="#ff0000">')'</font></span> <span style="color: "><font color="#0000ff">END</font></span> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">LOGIN_NAME</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">S</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff">PROGRAM_NAME</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" 
color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff"><font style="font-size: 9.5pt">DB_NAME</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">(</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">R</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">DATABASE_ID</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">)</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">DATABASE_NAME</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">COMMAND</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" 
style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">ST</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff">TEXT</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">QUERY_TEXT</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">QP</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">QUERY_PLAN</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">XML_QUERY_PLAN</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 
9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">WAIT_TYPE</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#008080">CURRENT_WAIT_TYPE</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">,</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">LAST_WAIT_TYPE</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">BLOCKING_SESSION_ID</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font 
style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">ROW_COUNT</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">GRANTED_QUERY_MEMORY</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font 
color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">OPEN_TRANSACTION_COUNT</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#ff00ff">USER_ID</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080">PERCENT_COMPLETE</font></span></font><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt" color="#808080">,</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" 
style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">CASE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#008080">TRANSACTION_ISOLATION_LEVEL</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 0 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#ff0000">'UNSPECIFIED'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 1 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#ff0000">'READUNCOMITTED'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 2 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font 
style="font-size: 9.5pt" color="#ff0000">'READCOMMITTED'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 3 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#ff0000">'REPEATABLE'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 4 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#ff0000">'SERIALIZABLE'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">WHEN</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> 5 <span style="color: "><font color="#0000ff">THEN</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#ff0000">'SNAPSHOT'</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">ELSE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font 
style="font-size: 9.5pt"> <span style="color: "><font color="#ff00ff">CAST</font></span><span style="color: "><font color="#808080">(</font></span><span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">TRANSACTION_ISOLATION_LEVEL</font></span> <span style="color: "><font color="#0000ff">AS</font></span> <span style="color: "><font color="#0000ff">VARCHAR</font></span><span style="color: "><font color="#808080">(</font></span>32</font><span style="color: "><font style="font-size: 9.5pt" color="#808080">))</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff"><font style="font-size: 9.5pt">END</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#0000ff">AS</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">TRANSACTION_ISOLATION_LEVEL_NAME</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">FROM</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008000"><font style="font-size: 9.5pt">SYS</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font 
color="#008000">DM_EXEC_REQUESTS</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">R</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080"><font style="font-size: 9.5pt">LEFT</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#808080">OUTER</font></span> <span style="color: "><font color="#808080">JOIN</font></span> <span style="color: "><font color="#008000">SYS</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008000">DM_EXEC_SESSIONS</font></span> <span style="color: "><font color="#008080">S</font></span> <span style="color: "><font color="#0000ff">ON</font></span> <span style="color: "><font color="#008080">S</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">SESSION_ID</font></span> <span style="color: "><font color="#808080">=</font></span> <span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#008080">SESSION_ID</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080"><font style="font-size: 9.5pt">LEFT</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#808080">OUTER</font></span> <span style="color: "><font color="#808080">JOIN</font></span> 
<span style="color: "><font color="#008000">SYS</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008000">DM_EXEC_CONNECTIONS</font></span> <span style="color: "><font color="#008080">C</font></span> <span style="color: "><font color="#0000ff">ON</font></span> <span style="color: "><font color="#008080">C</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">CONNECTION_ID</font></span> <span style="color: "><font color="#808080">=</font></span> <span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#008080">CONNECTION_ID</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080"><font style="font-size: 9.5pt">CROSS</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#808080">APPLY</font></span> <span style="color: "><font color="#008000">SYS</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008000">DM_EXEC_SQL_TEXT</font></span><span style="color: "><font color="#808080">(</font></span><span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#0000ff">SQL_HANDLE</font></span><span style="color: "><font color="#808080">)</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">ST</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font 
color="#808080"><font style="font-size: 9.5pt">CROSS</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#808080">APPLY</font></span> <span style="color: "><font color="#008000">SYS</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008000">DM_EXEC_QUERY_PLAN</font></span><span style="color: "><font color="#808080">(</font></span><span style="color: "><font color="#008080">R</font></span><span style="color: "><font color="#808080">.</font></span><span style="color: "><font color="#008080">PLAN_HANDLE</font></span><span style="color: "><font color="#808080">)</font></span> </font><span style="color: "><font style="font-size: 9.5pt" color="#008080">QP</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font face="Consolas"><font style="font-size: 9.5pt" color="#0000ff">WHERE</font></font></span><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Consolas"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#008080"><font style="font-size: 9.5pt">R</font></font></span><font style="font-size: 9.5pt"><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#808080">.</font></span><span lang="EN-GB" style="font-family: ; color: ; mso-ansi-language: en-gb"><font color="#0000ff">STATUS</font></span></font><span lang="EN-GB" style="font-family: ; mso-ansi-language: en-gb"><font style="font-size: 9.5pt"> <span style="color: "><font color="#808080">NOT</font></span> <span style="color: "><font color="#808080">IN</font></span><span style="color: "><font color="#0000ff"> </font></span><span style="color: "><font 
color="#808080">(</font></span><span style="color: "><font color="#ff0000">'BACKGROUND'</font></span><span style="color: "><font color="#808080">,</font></span><span style="color: "><font color="#ff0000">'SLEEPING'</font></span></font><span style="color: "><font style="font-size: 9.5pt" color="#808080">)</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: ">The result:</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhygE6ow1-A_CYhoVBO2PRiBqvzQNV0m9PP_LrhxdVkBJ60C4w6wmhh5zHv3uBfzTaVJ3NU7BOdqUU3yWlVUwAYdH4-eWVZmgykdRPsIDIZMsV4bqW9fi7PvdcDMOLvSJMdabgUzoNrhg/s1600-h/image009%25255B7%25255D.png"><img title="image009" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image009" src="http://lh3.googleusercontent.com/-bHZHz6Y8f5U/Vh6kCN3nvkI/AAAAAAAADHo/AAjnD8tVMoU/image009_thumb%25255B3%25255D.png?imgmax=800" width="454" height="51" /></a></p> <p>It returns one or more queries the SQL instance is currently working on. It’s actually pretty easy and very powerful. The first record is the sample entry we care about. The others are me interacting with SQL Server Management Studio. Scroll to the right and you’ll see both the execution plan and the actual query.</p> <p>
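As an added example (my query, not the author's and not part of the original post), here is the same DMV join narrowed to what you usually want while chasing one request: who runs it, what it is waiting on, and the single statement executing inside the batch rather than the whole batch text. The OUTER APPLY, the statement_start_offset/statement_end_offset arithmetic and the @@SPID filter are my additions; every column used is a standard sys.dm_exec_* column, and the commented database filter is a placeholder you fill in yourself.

```sql
-- Added example, not the original post's query.
-- Currently executing requests with the exact statement in flight.
SELECT
    R.session_id,
    S.login_name,
    S.host_name,
    S.program_name,
    C.client_net_address,
    DB_NAME(R.database_id)                 AS database_name,
    R.status,
    R.command,
    R.start_time,
    R.total_elapsed_time / 1000.0          AS elapsed_seconds,
    R.blocking_session_id,                 -- 0 when the request is not blocked
    R.wait_type,
    R.wait_time,                           -- milliseconds in the current wait
    ST.text                                AS batch_text,
    -- Offsets are byte positions into NVARCHAR text, hence the /2;
    -- an end offset of -1 means "up to the end of the batch".
    SUBSTRING(ST.text,
              (R.statement_start_offset / 2) + 1,
              ((CASE R.statement_end_offset
                    WHEN -1 THEN DATALENGTH(ST.text)
                    ELSE R.statement_end_offset
                END - R.statement_start_offset) / 2) + 1) AS current_statement,
    QP.query_plan
FROM sys.dm_exec_requests AS R
INNER JOIN sys.dm_exec_sessions AS S
    ON S.session_id = R.session_id
LEFT OUTER JOIN sys.dm_exec_connections AS C
    ON C.connection_id = R.connection_id
CROSS APPLY sys.dm_exec_sql_text(R.sql_handle) AS ST
-- OUTER APPLY keeps the row even when no plan can be returned for the handle.
OUTER APPLY sys.dm_exec_query_plan(R.plan_handle) AS QP
WHERE S.is_user_process = 1                -- drop SQL Server's internal tasks
  AND R.session_id <> @@SPID               -- drop this monitoring query itself
  AND R.status NOT IN ('background', 'sleeping')
  -- Placeholder: restrict to the database you are investigating.
  -- AND DB_NAME(R.database_id) = N'<database to watch>'
ORDER BY R.total_elapsed_time DESC;
```

Run it from a second query window while the request you care about is in flight. Because the monitoring session excludes itself and the engine's internal tasks, the result set is normally just the requests under investigation; a non-zero blocking_session_id tells you a request is waiting on another session rather than doing work, and current_statement shows which line of a long stored procedure it is stuck on.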
Now how cool is that?!</p> <p><a href="http://lh3.googleusercontent.com/-4vyewtW8DSU/Vh6kCWM-AzI/AAAAAAAADHw/2tQVBr4msqM/s1600-h/image011%25255B3%25255D.png"><img title="image011" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image011" src="http://lh3.googleusercontent.com/-ONjo_vYbVVc/Vh6kC24qOWI/AAAAAAAADH4/bpy2vK3Vtiw/image011_thumb%25255B1%25255D.png?imgmax=800" width="454" height="55" /></a></p> <p>There we can read the query being executed (QUERY_TEXT):</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Courier New"><span style="font-family: ; color: "><font color="#0000ff"><font style="font-size: 10pt">CREATE</font></font></span><span style="font-family: "><font style="font-size: 10pt"> <span style="color: "><font color="#0000ff">PROCEDURE</font></span> raacct_InsertSession<span style="color: "><font color="#0000ff"> </font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">(</font></span></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @Hostname <span style="color: "><font color="#0000ff">NVARCHAR</font></span><span style="color: "><font color="#808080">(</font></span>256</font><span style="color: "><font style="font-size: 10pt" color="#808080">),</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientIPv4Address <span style="color: "><font color="#0000ff">BINARY</font></span><span style="color: "><font color="#808080">(</font></span>4</font><span style="color: "><font style="font-size: 10pt" color="#808080">),</font></span></font></span></p> <p 
class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientIPv6Address <span style="color: "><font color="#0000ff">BINARY</font></span><span style="color: "><font color="#808080">(</font></span>16</font><span style="color: "><font style="font-size: 10pt" color="#808080">),</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientISPAddressType <span style="color: "><font color="#0000ff">SMALLINT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientISPAddress <span style="color: "><font color="#0000ff">VARBINARY</font></span><span style="color: "><font color="#808080">(</font></span>16</font><span style="color: "><font style="font-size: 10pt" color="#808080">),</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ConnectionType <span style="color: "><font color="#0000ff">TINYINT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @TransitionTechnology <span style="color: "><font color="#0000ff">INT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font 
face="Courier New"><font style="font-size: 10pt">            @TunnelType <span style="color: "><font color="#0000ff">INT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @SessionHandle <span style="color: "><font color="#0000ff">BIGINT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @Username <span style="color: "><font color="#0000ff">NVARCHAR</font></span><span style="color: "><font color="#808080">(</font></span>256</font><span style="color: "><font style="font-size: 10pt" color="#808080">),</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @SessionStartTime <span style="color: "><font color="#0000ff">BIGINT</font></span><span style="color: "><font color="#808080">,</font></span> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @AuthMethod <span style="color: "><font color="#0000ff">INT</font></span></font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @HealthStatus <span style="color: "><font color="#0000ff">INT</font></span><span style="color: "><font color="#808080">)</font></span> </font><span 
style="color: "><font style="font-size: 10pt" color="#0000ff">AS</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: ; color: "><font face="Courier New"><font style="font-size: 10pt" color="#0000ff">BEGIN</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">DECLARE</font></span> @SessionId </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BIGINT</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">DECLARE</font></span> @ConnectionId </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BIGINT</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">DECLARE</font></span> @NumActiveSessions </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">SMALLINT</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">IF </font></span><span style="color: "><font color="#808080">(</font></span>@SessionHandle <span style="color: "><font color="#808080">IS</font></span> <span style="color: "><font color="#808080">NULL</font></span> <span style="color: "><font color="#808080">OR</font></span> @SessionHandle <span style="color: "><font color="#808080">=</font></span> 0</font><span style="color: "><font style="font-size: 10pt" 
color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#008000">-- error (BAD PARAMETER)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">RETURN </font></span><span style="color: "><font color="#808080">(</font></span>1</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">IF </font></span><span style="color: "><font color="#808080">(</font></span>@SessionStartTime <span style="color: "><font color="#808080">IS</font></span> <span style="color: "><font color="#808080">NULL</font></span> <span style="color: "><font color="#808080">OR</font></span> @SessionStartTime <span style="color: "><font color="#808080">=</font></span> 0</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: 
"><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#008000">-- error (BAD PARAMETER)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">RETURN </font></span><span style="color: "><font color="#808080">(</font></span>1</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">SELECT</font></span> @SessionId <span style="color: "><font color="#808080">=</font></span> 0</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">BEGIN</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">TRANSACTION</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font 
color="#0000ff">SELECT</font></span> @SessionId <span style="color: "><font color="#808080">=</font></span> [SessionId]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">FROM</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">WHERE</font></span>    @SessionHandle <span style="color: "><font color="#808080">=</font></span> [SessionHandle]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#808080">AND</font></span> @SessionStartTime <span style="color: "><font color="#808080">=</font></span> [SessionStartTime]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt"> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">IF </font></span><span style="color: "><font color="#808080">(</font></span><span style="color: "><font color="#ff00ff">@@ROWCOUNT</font></span> <span style="color: "><font color="#808080">></font></span> 0</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    
</font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#008000">-- error (session already exists)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">ROLLBACK</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">TRANSACTION</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">RETURN </font></span><span style="color: "><font color="#808080">(</font></span>2</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#008000">-- check if connection exists</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">SELECT</font></span> @ConnectionId <span style="color: "><font color="#808080">=</font></span> 
connTbl<span style="color: "><font color="#808080">.</font></span>[ConnectionId]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">FROM</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[ConnectionTable] <span style="color: "><font color="#0000ff">AS</font></span> connTbl<span style="color: "><font color="#808080">,</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable] <span style="color: "><font color="#0000ff">AS</font></span> sessTbl</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">WHERE</font></span> sessTbl<span style="color: "><font color="#808080">.</font></span>SessionState <span style="color: "><font color="#808080">=</font></span> 1</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ConnectionId <span style="color: "><font color="#808080">=</font></span> sessTbl<span style="color: "><font color="#808080">.</font></span>ConnectionId</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>Hostname <span style="color: "><font color="#808080">=</font></span> @Hostname</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; 
text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientIPv4Address <span style="color: "><font color="#808080">=</font></span> @ClientIPv4Address</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientIPv6Address <span style="color: "><font color="#808080">=</font></span> @ClientIPv6Address</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientISPAddressType <span style="color: "><font color="#808080">=</font></span> @ClientISPAddressType</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientISPAddress <span style="color: "><font color="#808080">=</font></span> @ClientISPAddress</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ConnectionType <span style="color: "><font color="#808080">=</font></span> @ConnectionType</font></font></span></p> <p class="MsoNormal" 
style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>TransitionTechnology <span style="color: "><font color="#808080">=</font></span> @TransitionTechnology</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>TunnelType <span style="color: "><font color="#808080">=</font></span> @TunnelType</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">IF</font></span> <span style="color: "><font color="#ff00ff">@@ROWCOUNT</font></span> <span style="color: "><font color="#808080">=</font></span> 0</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#008000">-- create connection record</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">INSERT</font></span> <span style="color: "><font color="#0000ff">INTO</font></span> 
[dbo]<span style="color: "><font color="#808080">.</font></span>[ConnectionTable]<span style="color: "><font color="#0000ff"> </font></span><span style="color: "><font color="#808080">(</font></span>[Hostname]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [ClientIPv4Address]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [ClientIPv6Address]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [ClientISPAddressType]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [ClientISPAddress]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [ConnectionType]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [TransitionTechnology]</font><span 
style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [TunnelType]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                </font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            <span style="color: "><font color="#0000ff">VALUES </font></span><span style="color: "><font color="#808080">(</font></span>@Hostname</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientIPv4Address</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientIPv6Address</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ClientISPAddressType</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt"> 
           @ClientISPAddress</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @ConnectionType</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @TransitionTechnology</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @TunnelType</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            </font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">IF</font></span> <span style="color: "><font color="#ff00ff">@@ERROR</font></span> <span style="color: "><font color="#808080"><></font></span> 0</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            
</font><span style="color: "><font style="font-size: 10pt" color="#008000">-- error (failed to create connection), return from here</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            <span style="color: "><font color="#0000ff">ROLLBACK</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">TRANSACTION</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            <span style="color: "><font color="#0000ff">RETURN </font></span><span style="color: "><font color="#808080">(</font></span>99</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">SET</font></span> @ConnectionId <span style="color: "><font color="#808080">=</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#ff00ff">@@IDENTITY</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 
10pt">    <span style="color: "><font color="#0000ff">SELECT</font></span> @NumActiveSessions <span style="color: "><font color="#808080">=</font></span> <span style="color: "><font color="#ff00ff">COUNT</font></span><span style="color: "><font color="#808080">(</font></span>SessionHandle</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">FROM</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">WHERE</font></span>   [SessionState] <span style="color: "><font color="#808080">=</font></span> 1</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">SET</font></span> @NumActiveSessions <span style="color: "><font color="#808080">=</font></span> @NumActiveSessions <span style="color: "><font color="#808080">+</font></span> 1</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">INSERT</font></span> <span style="color: "><font color="#0000ff">INTO</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable]<span style="color: "><font color="#0000ff"> </font></span><span style="color: "><font color="#808080">(</font></span>[ConnectionId]</font><span style="color: "><font style="font-size: 10pt" 
color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [SessionHandle]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [Username]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [SessionStartTime]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [AuthMethod]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                [HealthStatus]</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                        [NumConcurrentConnections]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                </font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p 
class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">VALUES </font></span><span style="color: "><font color="#808080">(</font></span>@ConnectionId</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @SessionHandle</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @Username</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">                  @SessionStartTime</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @AuthMethod</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            @HealthStatus</font><span style="color: "><font style="font-size: 10pt" color="#808080">,</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">            
@NumActiveSessions</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        </font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">IF</font></span> <span style="color: "><font color="#ff00ff">@@ERROR</font></span> <span style="color: "><font color="#808080"><></font></span> 0</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">BEGIN</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">ROLLBACK</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">TRANSACTION</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#0000ff">RETURN </font></span><span style="color: "><font color="#808080">(</font></span>4</font><span style="color: "><font style="font-size: 10pt" color="#808080">)</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">END</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; 
text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">COMMIT</font></span> </font><span style="color: "><font style="font-size: 10pt" color="#0000ff">TRANSACTION</font></span></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: ; color: "><font face="Courier New"><font style="font-size: 10pt" color="#0000ff">END</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: ; color: "><font face="Courier New"><font style="font-size: 10pt" color="#0000ff"> </font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt">The only thing I can see, with my limited SQL knowledge, is that performance hits might <b>potentially</b> occur on the WHERE clauses:</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Courier New"><span style="font-family: ; color: "><font color="#0000ff"><font style="font-size: 10pt">FROM</font></font></span><span style="font-family: "><font style="font-size: 10pt"> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable]</font></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">WHERE</font></span>    @SessionHandle <span style="color: "><font color="#808080">=</font></span> [SessionHandle]</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">        <span style="color: "><font color="#808080">AND</font></span> @SessionStartTime <span style="color: "><font color="#808080">=</font></span> [SessionStartTime]</font></font></span></p> <p>And</p> 
<p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><font face="Courier New"><span style="font-family: ; color: "><font color="#0000ff"><font style="font-size: 10pt">FROM</font></font></span><span style="font-family: "><font style="font-size: 10pt"> [dbo]<span style="color: "><font color="#808080">.</font></span>[ConnectionTable] <span style="color: "><font color="#0000ff">AS</font></span> connTbl<span style="color: "><font color="#808080">,</font></span> [dbo]<span style="color: "><font color="#808080">.</font></span>[SessionTable] <span style="color: "><font color="#0000ff">AS</font></span> sessTbl</font></span></font></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">    <span style="color: "><font color="#0000ff">WHERE</font></span> sessTbl<span style="color: "><font color="#808080">.</font></span>SessionState <span style="color: "><font color="#808080">=</font></span> 1</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ConnectionId <span style="color: "><font color="#808080">=</font></span> sessTbl<span style="color: "><font color="#808080">.</font></span>ConnectionId</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>Hostname <span style="color: "><font color="#808080">=</font></span> @Hostname</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier 
New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientIPv4Address <span style="color: "><font color="#808080">=</font></span> @ClientIPv4Address</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientIPv6Address <span style="color: "><font color="#808080">=</font></span> @ClientIPv6Address</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientISPAddressType <span style="color: "><font color="#808080">=</font></span> @ClientISPAddressType</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ClientISPAddress <span style="color: "><font color="#808080">=</font></span> @ClientISPAddress</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>ConnectionType <span style="color: "><font color="#808080">=</font></span> @ConnectionType</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span 
style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>TransitionTechnology <span style="color: "><font color="#808080">=</font></span> @TransitionTechnology</font></font></span></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: "><span style="font-family: "><font face="Courier New"><font style="font-size: 10pt">      <span style="color: "><font color="#808080">AND</font></span> connTbl<span style="color: "><font color="#808080">.</font></span>TunnelType <span style="color: "><font color="#808080">=</font></span> @TunnelType</font></font></span></p> <p align="justify">The WHERE clauses act as filters, and the columns they use are often indexed. Without an index, SQL Server has to scan the complete table looking for the matching records. On smaller tables that’s not an issue, but the SessionTable table contains 14.482.972 records!</p> <p><a href="http://lh3.googleusercontent.com/-lcPVGIXcTGw/Vh6kDCs-TUI/AAAAAAAADIA/QlCIb9TH7Yw/s1600-h/image013%25255B6%25255D.png"><img title="image013" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image013" src="http://lh3.googleusercontent.com/-v9x9mo_Ffkw/Vh6kDXV1MMI/AAAAAAAADII/qFSqrDm22jo/image013_thumb%25255B2%25255D.png?imgmax=800" width="324" height="200" /></a></p> <p>So if we check the indexes for that table, one would hope to find SessionHandle, SessionStartTime and SessionState among them:</p> <p><a href="http://lh3.googleusercontent.com/-bpMnLUWOhOM/Vh6kD73vijI/AAAAAAAADIQ/0I-IMrZSC_I/s1600-h/image015%25255B4%25255D.png"><img title="image015" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; 
display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image015" src="http://lh3.googleusercontent.com/-ZRYQNUeW-i4/Vh6kEFFrccI/AAAAAAAADIY/d1tDM0PwlHk/image015_thumb%25255B2%25255D.png?imgmax=800" width="404" height="177" /></a></p> <p align="justify">The last one, UQ_SessionT…, seems to have both SessionHandle and SessionStartTime in it, so I guess that should satisfy the first WHERE clause:</p> <p><a href="http://lh3.googleusercontent.com/-BEandH3i4yc/Vh6kEdCsAkI/AAAAAAAADIg/uBDGzvWLXLI/s1600-h/image017%25255B3%25255D.png"><img title="image017" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image017" src="http://lh3.googleusercontent.com/-PvW3Y8oJbP4/Vh6kE08di3I/AAAAAAAADIo/idEPGCj_XDg/image017_thumb%25255B1%25255D.png?imgmax=800" width="404" height="97" /></a></p> <p align="justify">Now what about SessionState? I can’t seem to find that one… Back to the query that showed us the statement being executed: it also returns an XML_QUERY_PLAN column, which is clickable in Management Studio:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-zouHlTBsD9o/Vh6kFN5zsvI/AAAAAAAADIw/lEnXVgelYZw/s1600-h/image019%25255B3%25255D.png"><img title="image019" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image019" src="http://lh3.googleusercontent.com/-iKkPyCSzFow/Vh6kFbI0PtI/AAAAAAAADI4/SqKMbNLvXRs/image019_thumb%25255B1%25255D.png?imgmax=800" width="404" height="101" /></a></p> <p align="justify">See how this query’s cost shows 50%? Further down there’s another query that shows the other 50%. 
Both show “missing index”:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-CoroDwv-E1Q/Vh6kFzP403I/AAAAAAAADJA/aT4_gmtaYIU/s1600-h/image021%25255B3%25255D.png"><img title="image021" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image021" src="http://lh3.googleusercontent.com/-6nfWfCdSnzc/Vh6kGWnD6SI/AAAAAAAADJI/hJGCugfaQz8/image021_thumb%25255B1%25255D.png?imgmax=800" width="404" height="66" /></a></p> <p align="justify">As previously stated, I’m not an experienced SQL engineer/DBA. I try to cross-check stuff I find online before applying it. Also, I wouldn’t do this kind of thing on a FIM Service or SCCM database; those are pretty complex databases. But I made a personal assessment, and the DirectAccess auditing database seems simple enough to tinker with. So I decided to give it a try and create the index. Undoing this is pretty straightforward, so I guess there’s no real harm in going forward. Right-click one of the existing indexes and choose Script Index as > CREATE To > New Query Editor Window.</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt" align="justify"><a href="http://lh3.googleusercontent.com/-KyEXoxxt35o/Vh6kG-U4fTI/AAAAAAAADJQ/wN4_5wWNQ3A/s1600-h/image023%25255B10%25255D.png"><img title="image023" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image023" src="http://lh3.googleusercontent.com/-immb8NL7ANg/Vh6kHMXVAPI/AAAAAAAADJY/HtPd2YDyklE/image023_thumb%25255B4%25255D.png?imgmax=800" width="404" height="97" /></a></p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt; text-autospace: " align="justify">Simply change both the index name and the column to “SessionState”, and execute the query. 
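The same steps as a T-SQL script, added here as an example; it is not code from the original post or from the DirectAccess product. It reads the optimizer's own missing-index data (the source of the "missing index" hint in the plan), lists the existing indexes with their key columns, and only then creates the SessionState index; the database name is a placeholder and the index name IX_SessionTable_SessionState is my choice, while the table and column names are the ones shown above.

```sql
-- Added example, not from the original post or the DirectAccess product.
-- Assumptions: the database name is a placeholder, the index name
-- IX_SessionTable_SessionState is my choice; [dbo].[SessionTable] and the
-- columns SessionState, SessionHandle, SessionStartTime come from the post.
USE [DirectAccessAuditingDb_PLACEHOLDER];   -- substitute the real database name
GO

-- 1. The optimizer's recorded missing-index suggestions for this table. The
--    "missing index" hint in the XML query plan comes from the same feature,
--    so SessionState is expected to show up under equality_columns here.
SELECT  mid.equality_columns,
        mid.inequality_columns,
        mid.included_columns,
        migs.user_seeks,
        migs.avg_user_impact
FROM    sys.dm_db_missing_index_details     AS mid
JOIN    sys.dm_db_missing_index_groups      AS mig  ON mig.index_handle  = mid.index_handle
JOIN    sys.dm_db_missing_index_group_stats AS migs ON migs.group_handle = mig.index_group_handle
WHERE   mid.database_id = DB_ID()
  AND   mid.object_id   = OBJECT_ID(N'[dbo].[SessionTable]');

-- 2. Existing indexes and their key columns: the UQ_SessionT... index should
--    list SessionHandle and SessionStartTime, and nothing should list
--    SessionState yet.
SELECT  i.name      AS index_name,
        i.type_desc,
        i.is_unique,
        STUFF((SELECT ', ' + c.name
               FROM   sys.index_columns AS ic
               JOIN   sys.columns       AS c ON c.object_id = ic.object_id
                                            AND c.column_id = ic.column_id
               WHERE  ic.object_id = i.object_id
                 AND  ic.index_id  = i.index_id
                 AND  ic.is_included_column = 0
               ORDER BY ic.key_ordinal
               FOR XML PATH('')), 1, 2, '') AS key_columns
FROM    sys.indexes AS i
WHERE   i.object_id = OBJECT_ID(N'[dbo].[SessionTable]')
  AND   i.type <> 0;                          -- skip the heap entry

-- 3. Create the index, guarded so re-running the script is harmless. An
--    offline build on a 14-million-row table takes a while and blocks writes
--    to the table until it finishes, so run it in a maintenance window.
IF NOT EXISTS (SELECT 1
               FROM   sys.indexes
               WHERE  object_id = OBJECT_ID(N'[dbo].[SessionTable]')
                 AND  name      = N'IX_SessionTable_SessionState')
BEGIN
    CREATE NONCLUSTERED INDEX [IX_SessionTable_SessionState]
        ON [dbo].[SessionTable] ([SessionState] ASC);
END;
GO

-- 4. Undo, should it be needed:
-- DROP INDEX [IX_SessionTable_SessionState] ON [dbo].[SessionTable];
```

Re-run query 1 after the index exists: the SessionState entry should disappear from the missing-index DMV, which is a quicker check than waiting for the CPU graph.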
After refreshing the UI you can see the index:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-JlP0VOZdHa0/Vh6kHRGoiOI/AAAAAAAADJg/V0AyP_k3UnA/s1600-h/image025%25255B3%25255D.png"><img title="image025" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image025" src="http://lh3.googleusercontent.com/--JV2E3Wg9qA/Vh6kIAPGbtI/AAAAAAAADJo/UtHA3r8g2Jw/image025_thumb%25255B1%25255D.png?imgmax=800" width="404" height="212" /></a></p> <p align="justify">And there goes the CPU usage:</p> <p class="MsoNormal" style="margin: 0cm 0cm 0pt" align="justify"><a href="http://lh3.googleusercontent.com/-qyw4tdTQmgY/Vh6kIjCVaFI/AAAAAAAADJw/QiPzO3RXH2s/s1600-h/image027%25255B3%25255D.png"><img title="image027" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image027" src="http://lh3.googleusercontent.com/-bm_vA5bXyhU/Vh6kI-B0qYI/AAAAAAAADJ4/ANCCFQHmpPg/image027_thumb%25255B1%25255D.png?imgmax=800" width="404" height="122" /></a></p> <p align="justify"><strong>Conclusion: </strong>to me it looks like the DA team just forgot this particular index. From the other indexes you can tell they did put thought into those. I’m not really sure why we didn’t just log a case with Microsoft. Partially, I guess, because we were afraid (or guessing) we’d get the answer: by design, given that amount of auditing data. But after this troubleshooting session we can clearly see there’s a shortcoming in the SQL database setup. As with most stuff you read on the internet: be careful when applying it in your environment. 
If you do not know what commands/queries you’re executing, look them up and do some background reading.</p>Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com6tag:blogger.com,1999:blog-62687483129304921.post-64600618414544449252015-09-04T07:23:00.001+02:002015-09-04T07:23:05.885+02:00Azure VPN Gateway Sizes<p align="justify">One of the things I’ve been finding very confusing is the VPN Gateway sizing, especially the mismatch between the pricing table and what the systems show you. Here’s the technical information:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-QSxnuFSv_uM/Vekqo3Mum1I/AAAAAAAADFY/0hcN5qkjmaE/s1600-h/image%25255B3%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-Ge6l3YA2_QM/Vekqrabt8aI/AAAAAAAADFg/x1Fh4POTIHs/image_thumb%25255B1%25255D.png?imgmax=800" width="454" height="107" /></a></p> <p align="justify">Source: <a href="https://azure.microsoft.com/nl-nl/documentation/articles/vpn-gateway-about-vpngateways/">Azure.com: About VPN Gateways</a>. The same table is more or less available on the pricing page as well, where you can clearly see that the price difference is real. Pricing goes from 0,0304€ via 0,1603€ to 0,4133€ per gateway hour. As a VPN Gateway runs 24/7 this might have an impact on your bill (<a href="http://azure.microsoft.com/en-us/pricing/details/vpn-gateway/">Pricing Source</a>). From a technical point of view both Basic and Standard offer the same features and performance for non-ExpressRoute VPNs.</p> <p align="justify"><strong>Conclusion #1: </strong>If you don’t need ExpressRoute, there’s no difference between Standard and Basic.</p> <p align="justify">Now what was bothering me: in many blogs and documentation people explain how to change the Gateway SKU. 
They always mention <strong>Default</strong> or <strong>HighPerformance</strong>. When you create a Gateway from the “old” portal this is how the resulting Gateway looks in PowerShell:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-kY6lI1vtcCU/VekqsVIiNvI/AAAAAAAADFo/mG6eSSB0-fE/s1600-h/2015-09-03_9-31-57%25255B3%25255D.png"><img title="2015-09-03_9-31-57" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="2015-09-03_9-31-57" src="http://lh3.googleusercontent.com/-dBkfznWEiv4/VekqtWQyAMI/AAAAAAAADFw/-l2qOU_wR8s/2015-09-03_9-31-57_thumb%25255B1%25255D.png?imgmax=800" width="454" height="141" /></a></p> <p align="justify">As you can see the GatewaySKU is <strong>Default</strong>. Now it might be just me, but how on earth are we supposed to know what value Default is? Luckily there’s a place like Azure Advisors on Yammer where you get to ask questions like this. The Microsoft PMs do a great job of helping us out and gathering feedback on various topics. The answer I got there is: <strong>Default is the same as Basic.</strong> Which does make sense in a way, as we initially had either Basic or HighPerformance. But it does suck a bit that instead of using a default value they are setting Default as a value. If you catch my drift…</p> <p align="justify">Here’s the PowerShell cmdlet reference for the <a title="https://msdn.microsoft.com/en-us/library/azure/mt270346.aspx" href="https://msdn.microsoft.com/en-us/library/azure/mt270346.aspx">New-AzureVNetGateway cmdlet</a>. There you can see that the cmdlet takes Basic, Standard and HighPerformance as values for the GatewaySKU parameter.</p> <p align="justify"><strong>Conclusion #2: Default SKU == Basic SKU</strong></p> <p align="justify">Another area that might confuse you is how the new Portal displays the Gateway sizes. 
For all types (basic, standard and high performance) a size of Small is shown. Lucian also mentions this on his blog: <a title="http://blog.kloud.com.au/2015/07/23/azure-vnet-gateway-basic-standard-and-high-performance/" href="http://blog.kloud.com.au/2015/07/23/azure-vnet-gateway-basic-standard-and-high-performance/">blog.kloud.com: Azure VNET gateway: basic, standard and high performance</a> But I must admit that I haven’t looked into this. I primarily cared about sku vs pricing.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com0tag:blogger.com,1999:blog-62687483129304921.post-32585760180105375632015-09-03T08:55:00.001+02:002015-09-03T08:55:55.312+02:00MIM 2016: Failed to Connect to the Specified Database<p align="justify">I ran into another issue after upgrading a FIM 2010 deployment to MIM2016. As part of the OS/Infrastructure refresh I moved the database to a more recent SQL server platform. One of the things I initially forgot but found out pretty quickly is that obviously I also needed to update the FIM Management Agent parameters so that it points to the new database location. However when I clicked OK, I got the following error:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-1zLKqv9ML6U/Vefu5vvhkmI/AAAAAAAADD8/T5W528cGMVQ/s1600-h/bError1%25255B3%25255D.png"><img title="bError1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="bError1" src="http://lh3.googleusercontent.com/-N4cuGyyJD0I/Vefu6Ow1DiI/AAAAAAAADEA/MQqHaP4aIwc/bError1_thumb%25255B1%25255D.png?imgmax=800" width="354" height="137" /></a></p> <p align="justify">In words: <em>Failed to connect to specified database. 
Failed to connect to the specified database with the given credentials.</em></p> <p align="justify">And in the Forefront Identity Manager Management Agent event log (on the FIM Sync server):</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-J494fWpOyB0/Vefu6qm86AI/AAAAAAAADEI/b_AB5MYOEaA/s1600-h/bError3%25255B7%25255D.png"><img title="bError3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="bError3" src="http://lh3.googleusercontent.com/-QxmI8cQ_BTg/Vefu7F0v37I/AAAAAAAADEQ/5i8eORr1pTs/bError3_thumb%25255B2%25255D.png?imgmax=800" width="354" height="26" /></a></p> <p align="justify">In words: <em>mmsmafim: MIIS.ManagementAgent.ManagedMACredentialFailureException: Failed to connect to the specified database with the given credentials. <br />   at MIIS.ManagementAgent.RavenMA.UIValidateCredentials(String pszCredentials, Int32& pfValid, String& ppszResult)</em></p> <p align="justify">Upon looking a bit deeper I found the following error in the SQL Server logs:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-ydWcNgMxsho/Vefu7iXJHXI/AAAAAAAADEY/0E7y21xyx1U/s1600-h/bError2%25255B4%25255D.png"><img title="bError2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="bError2" src="http://lh3.googleusercontent.com/-zb5VlTxShME/Vefu8Dp_obI/AAAAAAAADEg/QvzlEGBom_U/bError2_thumb%25255B2%25255D.png?imgmax=800" width="354" height="56" /></a></p> <p align="justify"></p> <p align="justify">In words: <em>Login failed for user 'CONTOSO\FIMSYNC'. Reason: Failed to open the explicitly specified database 'fimservice'. [CLIENT: 10.x.y.z] <br />Error: 18456, Severity: 14, State: 38. 
<br /></em>This was a bit odd: it was complaining that the FIM Synchronization Service account had no access to the FIMService database. I’d expect the FIM MA Account to be used for this connection…</p> <p align="justify">I checked the old database/SQL and I could confirm the FIM Sync service has no access to that database… As I didn’t want to start handing out permissions on a wild guess, I started googling a bit. I came up with this TechNet thread: <a title="https://social.technet.microsoft.com/Forums/en-US/d4f8b29e-030a-4160-8f2c-49079d4bdea1/fim-2010-update-rollup-2-problem?forum=ilm2" href="https://social.technet.microsoft.com/Forums/en-US/d4f8b29e-030a-4160-8f2c-49079d4bdea1/fim-2010-update-rollup-2-problem?forum=ilm2">TechNet Forum: FIM 2010 Update Rollup 2 Problem</a> which suggests granting the FIM Sync service account the FIM_SynchronizationService role within the FIMService database:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-zwrHcV9N3ZY/Vefu8i1cW5I/AAAAAAAADEo/zrp5eIvvM8c/s1600-h/bFix%25255B3%25255D.png"><img title="bFix" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="bFix" src="http://lh3.googleusercontent.com/-QnlkaAAtG-E/Vefu9PSLxnI/AAAAAAAADEw/yMRpT0HNPcI/bFix_thumb%25255B1%25255D.png?imgmax=800" width="354" height="318" /></a></p> <p align="justify">Off to the FIM MA configuration again. 
Attempt #2:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-nO5buE-vko4/Vefu9iX8WqI/AAAAAAAADE4/Q8BqAys0pyw/s1600-h/cError1%25255B3%25255D.png"><img title="cError1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="cError1" src="http://lh3.googleusercontent.com/-2_xgGHR9Guw/Vefu-SIbKJI/AAAAAAAADFA/ZxYdSM11wd4/cError1_thumb%25255B1%25255D.png?imgmax=800" width="354" height="145" /></a></p> <p align="justify">In words: <em>Unable to update the management agent. The object explorer specified was not found. (Exception from HRESULT: 0x80070776)</em></p> <p align="justify">Back to Google, which gave me this thread: <a title="https://social.technet.microsoft.com/Forums/en-US/f15209af-a7e4-469c-86fe-6f59d1c2ff1b/strange-stoppedextensiondllfilenotfound-error?forum=ilm2" href="https://social.technet.microsoft.com/Forums/en-US/f15209af-a7e4-469c-86fe-6f59d1c2ff1b/strange-stoppedextensiondllfilenotfound-error?forum=ilm2">Technet Forum: Strange stopped-extension-dll-file-not-found error</a> where <a href="http://www.integrationtrench.com">Craig</a> suggests rebooting the FIM server. I rebooted the server and <strong>undid the SQL changes</strong>. And tada! It seems all the Synchronization Service needed was a good old restart. Perhaps restarting the sync service would have been enough, but I rebooted the server anyhow.</p> <p align="justify"><u><strong>Conclusion</strong></u></p> <p align="justify">I was having trouble reconfiguring the FIM MA and I was able to resolve it by just rebooting the sync server. 
Configuration changes on SQL were not required.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com0tag:blogger.com,1999:blog-62687483129304921.post-85483875608000284512015-09-02T17:58:00.001+02:002015-09-02T17:58:25.275+02:00MIM 2016: no-start-ma when Exporting to Active Directory<p align="justify">Recently I did an upgrade of FIM 2010 to MIM2016 for a customer of mine. I’ve described that process <a href="http://setspn.blogspot.be/2015/08/fim-2010-not-r2-upgrade-to-mim-2016.html">here</a>. We’ve only upgraded our lab environment and are now testing whether everything works as expected. Today I was testing the flow that is triggered by adding a new user to the HR source. One of the things that MIM is supposed to do is create an AD account and an Exchange mailbox. However when the export run profile was executed on the AD MA we saw the following error:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-54f6RIZi7ws/VecckTjkFTI/AAAAAAAADC0/hM1lAkWRTCk/s1600-h/error1%25255B2%25255D.png"><img title="error1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="error1" src="http://lh3.googleusercontent.com/-grGY39kUBbA/VecckxvmEKI/AAAAAAAADC4/ohhZ7RKhmLE/error1_thumb.png?imgmax=800" width="244" height="71" /></a></p> <p align="justify">Status: <em>no-start-ma</em></p> <p align="justify">In the Application event log:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-wBmbrIaxkGg/VecclLSdjtI/AAAAAAAADDA/-G0l0F22p1Q/s1600-h/error2%25255B3%25255D.png"><img title="error2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="error2" 
src="http://lh3.googleusercontent.com/-xkzNu7gIx74/VecclmfwOCI/AAAAAAAADDI/Hp7Gr-xD1CU/error2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="116" /></a></p> <p align="justify">In words: <em>The management agent controller encountered an unexpected error. <br />  <br /> "ERR_: MMS(8228): ..\libutils.cpp(10186): Failed to start run because of undiagnosed MA error <br />Forefront Identity Manager 4.3.1935.0"</em></p> <p align="justify">When troubleshooting an issue like this it’s important to narrow down the possible causes. Is there a connectivity issue with AD? Is there an issue with a rules extension? Is there an issue with the Exchange Provisioning component? The latter is quite easy to check. On the Configure Extensions page we can simply set <em>Provision for</em> to <em>No Provisioning</em>. <br /><a href="http://lh3.googleusercontent.com/-1MdmfZ7TaSs/VeccmO52SyI/AAAAAAAADDQ/0YvX6kze6R4/s1600-h/workaround1%25255B3%25255D.png"><img title="workaround1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="workaround1" src="http://lh3.googleusercontent.com/-izDBiovAvwU/VeccmsXXT0I/AAAAAAAADDY/0jz6w5BIGZU/workaround1_thumb%25255B1%25255D.png?imgmax=800" width="404" height="304" /></a></p> <p align="justify">After disabling Exchange provisioning the MA was able to export just fine. So something was up with the Exchange provisioning. To be sure nothing was wrong with the remote PowerShell endpoint I tested the URL by opening a remote PowerShell connection to Exchange [<a href="https://technet.microsoft.com/en-us/library/dd297932(v=exchg.141).aspx">technet</a>]. That seemed to go fine. 
After looking some more in the Application event log I also noticed several Application Crash (event 1000) events whenever I was trying to run an export profile. The faulting application was mmsscrpt.exe. I’m guessing that’s the utility being used to set up the remote PowerShell session and call the Update-Recipient cmdlet.</p> <p align="justify">I found an older article (<a href="http://social.technet.microsoft.com/wiki/contents/articles/16776.troubleshooting-fim-receiving-event-id-1000-with-faulting-application-mmsscrpt-exe.aspx">link</a>) stating errors like this might occur whenever .NET 4.0 is missing. But in my case I was running on a Server 2012 R2 with .NET 4.5.2 installed on it. Either way, that article pushed me into suspecting .NET. We had installed .NET 4.5.2 using the Add-WindowsFeature cmdlet. This is the exact .NET version we had:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-YiyjG-8vmB0/VeccnJNCZQI/AAAAAAAADDg/6UZrNyl-s_Q/s1600-h/netBefore%25255B3%25255D.png"><img title="netBefore" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="netBefore" src="http://lh3.googleusercontent.com/-wC5hZtepwnA/Veccn-qrW8I/AAAAAAAADDo/60C8UOd-hw8/netBefore_thumb%25255B1%25255D.png?imgmax=800" width="404" height="134" /></a></p> <p align="justify">As you can see we were running 4.5.51650, which matches .NET 4.5.2 (May 2014 Update), if I may believe <a title="http://deletionpedia.org/en/List_of_.NET_Framework_versions" href="http://deletionpedia.org/en/List_of_.NET_Framework_versions">http://deletionpedia.org/en/List_of_.NET_Framework_versions</a>. I binged a bit to find out whether there were any updates available for .NET 4.5.2 but I couldn’t find any. Then a colleague of mine (Thanks Kevin!) reminded me that very recently .NET 4.6 became RTM. 
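</p> <p align="justify">The Version string read from the registry above (4.5.51650 for 4.5.2, 4.6.00081 after the upgrade) lives under the NDP\v4\Full key next to a Release DWORD, which is the value Microsoft documents for telling 4.x builds apart. Here is a pre-flight check for a Sync Service host built on that, as an added example and not code from this post; the Release thresholds come from Microsoft’s published version table and the 4.6 minimum is this post’s conclusion.</p>

```powershell
# Added example (not from the post): pre-flight check for a server that will host
# the FIM/MIM Synchronization Service. .NET 4.x registers itself under NDP\v4\Full
# with a "Version" string (the 4.5.51650 / 4.6.00081 values seen in the post) and
# a "Release" DWORD; Release is what Microsoft documents for distinguishing 4.x
# builds, so that is what is compared here.
function Get-DotNet4Install {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path -LiteralPath $key)) {
        return $null   # no .NET 4.x installed at all
    }
    $props = Get-ItemProperty -LiteralPath $key

    # Lowest Release value shipped for each product, highest product first.
    # Values from Microsoft's "How to determine which .NET Framework versions
    # are installed" table (4.6 reports 393295 on Windows 10, 393297 elsewhere).
    $releaseTable = @(
        @{ Release = 393295; Product = '4.6' },
        @{ Release = 379893; Product = '4.5.2' },
        @{ Release = 378675; Product = '4.5.1' },
        @{ Release = 378389; Product = '4.5' }
    )
    # A plain 4.0 install has no Release value at all.
    $product = '4.0 (no Release value)'
    foreach ($entry in $releaseTable) {
        if ($props.Release -ge $entry.Release) { $product = $entry.Product; break }
    }

    New-Object PSObject -Property @{
        Product = $product
        Version = $props.Version
        Release = $props.Release
    }
}

function Test-SyncServiceDotNetPrerequisite {
    # .NET 4.6 RTM is the minimum this post arrived at for exports with
    # Exchange provisioning (mmsscrpt.exe) to work on Server 2012 R2.
    param([int]$MinimumRelease = 393295)

    $net = Get-DotNet4Install
    if ($net -eq $null) {
        Write-Warning 'No .NET Framework 4.x installation found.'
        return $false
    }
    Write-Host ('Installed: .NET {0} (Version {1}, Release {2})' -f $net.Product, $net.Version, $net.Release)

    if (-not $net.Release -or $net.Release -lt $MinimumRelease) {
        Write-Warning 'Older than .NET 4.6: install the 4.6 package (KB3045560) before running export profiles.'
        return $false
    }
    return $true
}

# Non-zero exit code makes this usable as a pre-check task in a deployment script.
if (-not (Test-SyncServiceDotNetPrerequisite)) { exit 1 }
```

<p align="justify">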
So I went ahead and downloaded it from here:</p> <ul> <li> <div align="justify">All links: <a title="https://support.microsoft.com/en-us/kb/3045560" href="https://support.microsoft.com/en-us/kb/3045560">https://support.microsoft.com/en-us/kb/3045560</a></div> </li> <li> <div align="justify">Offline installer: <a title="http://www.microsoft.com/en-us/download/confirmation.aspx?id=48137" href="http://www.microsoft.com/en-us/download/confirmation.aspx?id=48137">http://www.microsoft.com/en-us/download/confirmation.aspx?id=48137</a></div> </li> </ul> <p align="justify">After installing the 4.6 package the .NET version showed as 4.6.00081 in the registry. After a reboot I performed the test again and now I could export to AD again while provisioning mailboxes on Exchange!</p> <p align="justify"><strong><u>Conclusion</u>:</strong></p> <p align="justify">Whenever you are preparing a Server 2012 R2 to host the FIM Synchronization Service, do not forget to download and install .NET 4.6, as the .NET 4.5.2 that comes out of the box is not sufficient.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com9tag:blogger.com,1999:blog-62687483129304921.post-89055209312012024262015-08-26T07:53:00.001+02:002015-08-26T07:54:51.941+02:00Azure Management Portal: Properly Remove Co-Administrators Permissions<p align="justify">Something I’ve noticed for a while now: whenever I perform an Add-AzureAccount I see more subscriptions being returned than I’d expect. The list I have to choose from in the old portal (manage.windowsazure.com) is definitely not showing that many subscriptions. The new portal (portal.azure.com) also displays more subscriptions than I’d expect. The problem with sorting those out is that many of them belong to subscriptions I once had access to but no longer do. Either from customers or test subscriptions from colleagues. 
</p> <p align="justify">For test purpose subscriptions I don’t really care whether people take my permissions away or not. But for production subscriptions I feel more at ease when I don’t have any permissions I don’t need anyway. Lately a customer mentioned my permissions were taken away, but I still saw their entry in the new Portal. Hmm, odd! Here’s how that’s possible:</p> <p align="justify">First off, initially I was granted access on my Microsoft Account (<a href="invisibal_at_gmail.com">invisibal_at_gmail.com</a>) through the old Portal:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-r0y9nSZtg5c/Vd1UC9wJgzI/AAAAAAAAC9o/CZM6b6BEZCg/s1600-h/image%25255B60%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-AQCN3pQEl5U/Vd1UDgS6ymI/AAAAAAAAC9s/nb8xNyuMPhE/image_thumb%25255B22%25255D.png?imgmax=800" width="454" height="137" /></a></p> <p align="justify">Now I could manage that subscription through both the old and the new Portal. 
</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-BNpsHvKREro/Vd1UD47wCdI/AAAAAAAAC90/CtXRtV-lDA4/s1600-h/image%25255B64%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-AebRJavSWyw/Vd1UEoc65QI/AAAAAAAAC98/takpTOXjpbI/image_thumb%25255B24%25255D.png?imgmax=800" width="454" height="130" /></a></p> <p align="justify">And as I also worked for another “customer”, I had multiple subscriptions to manage, Setspn and RealDolmen Azure POC:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-_ercJVG5GtQ/Vd1UFnypVDI/AAAAAAAADB0/VM4mjLNRZWo/s1600-h/image%25255B104%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-OX7LOizvSGE/Vd1UGDsUPtI/AAAAAAAADB8/3r5iaso_GAU/image_thumb%25255B45%25255D.png?imgmax=800" width="204" height="207" /></a></p> <p align="justify">After my work was done, the customer removed me from the list of Administrators of the Setspn subscription.</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-0sD7RnbUokw/Vd1UGs6inuI/AAAAAAAAC-U/YR6O5sQsvhs/s1600-h/subvs%25255B3%25255D.png"><img title="subvs" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="subvs" src="http://lh3.googleusercontent.com/-g719Tip6gWI/Vd1UHFpWdtI/AAAAAAAAC-c/Fmk0Hrf8iuo/subvs_thumb%25255B1%25255D.png?imgmax=800" width="454" height="51" /></a></p> <p align="justify"><a 
href="http://lh3.googleusercontent.com/-bNIOIciHvRw/Vd1UHplq9KI/AAAAAAAAC-k/ZsLw6xO3PRM/s1600-h/su2%25255B4%25255D.png"><img title="su2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="su2" src="http://lh3.googleusercontent.com/-Vnq4ij4qwMY/Vd1UIHDOQ0I/AAAAAAAAC-s/SUTQa9B18ek/su2_thumb%25255B2%25255D.png?imgmax=800" width="454" height="51" /></a></p> <p align="justify">Now when I log in to the old Portal (manage.windowsazure.com) I’ll only see the other subscription.</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-RnZI49HGF0A/Vd1UI3d9BoI/AAAAAAAAC-0/mwXmft7Qlq8/s1600-h/image%25255B84%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-9ZGFQSQLd3I/Vd1UJf7dvvI/AAAAAAAAC-8/471bVJXjuS8/image_thumb%25255B34%25255D.png?imgmax=800" width="454" height="73" /></a></p> <p align="justify">However, when I log on to the new Portal, it’s still there!</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-l7h_rCOJVuI/Vd1UKK1OD0I/AAAAAAAADCI/Uy28aJM7XoA/s1600-h/image%25255B103%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-jc1vV9DpOfk/Vd1UKkEfrMI/AAAAAAAADCU/lZcU9knmx8c/image_thumb%25255B44%25255D.png?imgmax=800" width="204" height="207" /></a></p> <p align="justify">Trying to show “all resources” of the Setspn subscription shows nothing. 
As expected.</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-z-lxcqk5Ufw/Vd1ULTnAiZI/AAAAAAAAC_U/iB0pjv4p_nA/s1600-h/image%25255B72%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-v0KwYQ4xKmg/Vd1UL8ez1ZI/AAAAAAAAC_c/kA1j4ElExrI/image_thumb%25255B28%25255D.png?imgmax=800" width="454" height="163" /></a></p> <p align="justify">The same is observed through PowerShell:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-52ebflToB90/Vd1UMbu1izI/AAAAAAAAC_k/Gf7nSCZUNTc/s1600-h/image%25255B96%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-GTza4y4ncJA/Vd1UNEDqcSI/AAAAAAAAC_s/fq81Uw-Sm6Y/image_thumb%25255B39%25255D.png?imgmax=800" width="454" height="94" /></a></p> <p align="justify">Now the only solution I could think of is to also remove the Live ID from the Azure Active Directory the subscription is linked to.</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-f2BNujsfhIQ/Vd1UNindifI/AAAAAAAAC_0/fc72kQ0Ezws/s1600-h/Capture3%25255B3%25255D.png"><img title="Capture3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="Capture3" src="http://lh3.googleusercontent.com/-H1G4tqCEji4/Vd1UOFiIPsI/AAAAAAAAC_8/FrFiTMBlqaQ/Capture3_thumb%25255B1%25255D.png?imgmax=800" width="454" height="58" /></a></p> <p align="justify"><a href="http://lh3.googleusercontent.com/-qwG6cCxQubI/Vd1UO29o7nI/AAAAAAAADAE/Yro90w6I1NQ/s1600-h/Captur4e%25255B3%25255D.png"><img 
title="Captur4e" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="Captur4e" src="http://lh3.googleusercontent.com/-gs4d3ylMwSo/Vd1UPluHBjI/AAAAAAAADAM/X7njz3MSycg/Captur4e_thumb%25255B1%25255D.png?imgmax=800" width="454" height="72" /></a></p> <p align="justify">After removing the user from the Azure AD, you’ll no longer see the subscription in the new Portal:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-QG6NlFwB8RU/Vd1UQdlVxPI/AAAAAAAADBY/XLnaznx71M0/s1600-h/image%25255B102%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-8oKlIXJJvBQ/Vd1UQ9Bf3bI/AAAAAAAADBk/Nt9tF3Fb7zY/image_thumb%25255B43%25255D.png?imgmax=800" width="204" height="184" /></a></p> <p align="justify">Well, as you can see, not exactly… Typically when you try to reproduce things for screenshots, it doesn’t happen or it goes wrong. This is a case of “it goes wrong”. I tried a few times, but the GUID (belonging to the Azure AD I was part of) kept appearing… All I can say is that when the customer actually removed me from their Azure AD, it got properly removed from my Azure Portal UI and PowerShell experience….</p> <p align="justify"><strong>Conclusion</strong>:</p> <p align="justify">I’m pretty sure the only reason you keep seeing the entry in the new Portal is because you still have the User role assigned in the Azure Active Directory instance. So in a way you’re not really seeing the subscription, but rather the Azure Active Directory instance. But the issue remains the same: it clutters your PowerShell (Get-AzureSubscription) and Portal UI experience. 
So whenever someone takes your co-administrator permissions away, ask them to also remove you from the Azure AD instance.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com0tag:blogger.com,1999:blog-62687483129304921.post-15642843605299871842015-08-21T08:08:00.001+02:002015-08-21T08:10:07.274+02:00MIM 2016: PowerShell Workflow and PowerShell v3<p align="justify">One of the issues of running FIM 2010 R2 on Windows Server 2012 is calling PowerShell scripts from within FIM Portal Workflows (.NET). It seems the workflow code is running on .NET 3.5 but uses PowerShell 2.0. When we started migrating our FIM 2010 to MIM 2016 (on Server 2012 R2) we ran into the same issues. This is the .NET code that has been running fine on Windows 2008 R2 for years without any issues:</p> <p align="justify">RunspaceConfiguration config = RunspaceConfiguration.Create(); <br />Runspace runspace = RunspaceFactory.CreateRunspace(config); <br />runspace.Open(); <br />psh = PowerShell.Create(); <br />psh.Runspace = runspace; <br />psh.AddCommand(this.PSCmdlet) <br />… <br />psh.Invoke();</p> <p align="justify">And one of the scripts that was executed contained code like this:</p> <div style="overflow: auto; border-top: black 1px solid; font-family: ; border-right: black 1px solid; width: 450px; border-bottom: black 1px solid; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; border-left: black 1px solid; padding-right: 5px"> <table cellspacing="0" cellpadding="5" border="0"><tbody> <tr> <td valign="top"> <div style="font-family: ; background: #cecece; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; padding-right: 5px"><font face="Consolas"><font style="font-size: 10pt">001 <br />002 <br />003 <br />004 <br />005 <br />006 <br />007 <br />008</font></font> <br /></div> </td> <td valign="top" nowrap="nowrap"> <div style="font-family: ; background: #fcfcfc; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; padding-right: 5px"><font 
face="Consolas"><span style="color: "><font color="#0000ff"><font style="font-size: 10pt">doSomething.ps1</font></font></span><font style="font-size: 10pt"> <br /> <br /><span style="color: "><font color="#006400">#region Parameters</font></span> <br /><span style="color: "><font color="#0000ff">Param</font></span><span style="color: ">(</span><span style="color: "><font color="#008080">[string]</font></span><span style="color: "><font color="#ff4500">$UserName</font></span><span style="color: "><font color="#a9a9a9">,</font></span><span style="color: "><font color="#008080">[string]</font></span><span style="color: "><font color="#ff4500">$Department</font></span><span style="color: ">)</span> <br /><span style="color: "><font color="#006400">#endregion Parameters</font></span> <br /><span style="color: "><font color="#0000ff">Import-Module</font></span><span style="color: "> </span><span style="color: "><font color="#8a2be2">ActiveDirectory</font></span> <br /><span style="color: "><font color="#0000ff">Get-Aduser</font></span><span style="color: "> </span></font><span style="color: "><font style="font-size: 10pt" color="#8a2be2">...</font></span></font> <br /></div> </td> </tr> </tbody></table> </div> <p align="justify">Now when porting that same logic to our MIM 2016 running on Windows Server 2016 we saw that our get-AD* cmdlets returned nothing. After some investigation we found the following error was triggered when running import-module Active Directory: <em>The 'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1' module cannot be imported because its manifest contains one or more members that are not valid. 
The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Description', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExport', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('HelpInfoUri'), then try to import the module again.</em></p> <p align="justify">There are various topics online that cover this exact issue.</p> <ul> <li> <div align="justify"><a href="https://idmgnt.wordpress.com/2014/04/25/fim-powershell-wf-does-not-load-module-active-directory-on-windows-server-2012/">IDMGMT Blog: FIM powershell wf does not load module active directory on windows server 2012</a> </div> </li> <li> <div align="justify"><a href="https://social.technet.microsoft.com/Forums/en-US/4638a6ca-74f2-4b11-afa5-bf988b70734f/using-fim-powershell-activity-on-windows-2012?forum=ilm2">FIM TechNet Forums: Using FIM Powershell Activity on Windows 2012</a> </div> </li> </ul> <p align="justify">It seems some PowerShell modules are hardwired to require PowerShell v3 (the HelpInfoUri manifest member the error complains about is one that the PowerShell 2.0 engine does not know). I came across the following suggestion a few times, but it scares me a bit as with my (limited?) knowledge of .NET it’s hard to estimate what impact this might have on FIM. 
The suggestion was to add the following to the Microsoft.ResourceManagement.Service.exe.config file.</p> <div style="overflow: auto; border-top: black 1px solid; font-family: ; border-right: black 1px solid; width: 450px; border-bottom: black 1px solid; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; border-left: black 1px solid; padding-right: 5px"> <table cellspacing="0" cellpadding="5" border="0"><tbody> <tr> <td valign="top"> <div style="font-family: ; background: #cecece; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; padding-right: 5px"><font face="Consolas"><font style="font-size: 10pt">001 <br />002 <br />003 <br />004</font></font> <br /></div> </td> <td valign="top" nowrap="nowrap"> <div style="font-family: ; background: #fcfcfc; padding-bottom: 5px; padding-top: 5px; padding-left: 5px; padding-right: 5px"><font face="Consolas"><span style="color: "><font color="#a9a9a9"><font style="font-size: 10pt"><</font></font></span><font style="font-size: 10pt"><span style="color: "><font color="#8a2be2">startup></font></span> <br /><span style="color: "> </span><span style="color: "><font color="#a9a9a9"><</font></span><span style="color: "><font color="#8a2be2">supportedRuntime</font></span><span style="color: "> </span><span style="color: "><font color="#8a2be2">version="v4.0"/></font></span> <br /><span style="color: "> </span><span style="color: "><font color="#a9a9a9"><</font></span><span style="color: "><font color="#8a2be2">supportedRuntime</font></span><span style="color: "> </span><span style="color: "><font color="#8a2be2">version="v2.0.50727"/></font></span> <br /><span style="color: "><font color="#a9a9a9"><</font></span><span style="color: "><font color="#8a2be2">/startup></font></span> </font></font></div> </td> </tr> </tbody></table> </div> <p align="justify">I found some approaches using a script that calls another script, but I wanted to avoid this. 
So I came up with the following approach to update the workflow itself:</p> <p align="justify">PowerShellProcessInstance instance = new PowerShellProcessInstance(new Version(3, 0), null, null, false); <br />Runspace runspace = RunspaceFactory.CreateOutOfProcessRunspace(new TypeTable(new string[0]), instance); </p> <p align="justify">Source: <a href="http://stackoverflow.com/questions/22383915/how-to-powershell-2-or-3-when-creating-runspace">http://stackoverflow.com/questions/22383915/how-to-powershell-2-or-3-when-creating-runspace</a></p> <p align="justify">The PowerShellProcessInstance is a class that is available in System.Management.Automation. And that’s part of PowerShell itself. I tried various DLLs, but either they didn’t know the class or they resulted in the following error when building my .NET project:</p> <p align="justify"><em>The primary reference "System.Management.Automation" could not be resolved because it has an indirect dependency on the .NET Framework assembly "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" which has a higher version "4.0.0.0" than the version "2.0.0.0" in the current target framework.    FODJ.FIM.Workflow.ActivityLibrary</em></p> <p align="justify">My project is configured to build for .NET 3.5, but if I’m not mistaken .NET 3.5 uses CLR 2.0, whilst .NET 4/4.5 uses CLR 4.0 (see <a href="https://msdn.microsoft.com/en-us/library/bb822049(v=vs.110).aspx">.NET Framework Versions and Dependencies</a>). So I guess this route isn’t going to work after all. Back to the drawing board. 
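</p> <p align="justify">Because a .NET 3.5 (CLR 2.0) project cannot take the CLR 4.0 System.Management.Automation dependency, the remaining option is to keep the workflow’s in-process PowerShell 2.0 runspace calling a small wrapper that delegates the real work to a separate powershell.exe process; a fresh process loads the newest installed engine on CLR 4.0 and can therefore import the ActiveDirectory module. Here is such a wrapper as an added example, not the post’s own doSomething.ps1 (which follows below); the script location, argument list and exit-code handling are my assumptions.</p>

```powershell
# doSomething.ps1 (added example, not the post's wrapper): PowerShell 2.0 compatible
# wrapper that the FIM/MIM workflow activity invokes in its in-process runspace.
# The real work lives in doSomething.script.ps1 next to this file (assumed layout)
# and runs in a child powershell.exe, which starts the newest installed engine on
# CLR 4.0 and can therefore import modules that insist on PowerShell 3.0.
Param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [Parameter(Mandatory = $true)][string]$Department
)

# $PSScriptRoot is only defined inside modules on PowerShell 2.0, so locate the
# worker script relative to this file via $MyInvocation instead.
$wrapperDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$worker = Join-Path $wrapperDir 'doSomething.script.ps1'
if (-not (Test-Path -LiteralPath $worker)) {
    throw "Worker script not found: $worker"
}

# Use the explicit path rather than relying on PATH inside the service process.
# The FIM Service is a 64-bit process, so this resolves to the 64-bit engine,
# which is where the RSAT ActiveDirectory module is registered (assumption).
$psExe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

# Passing an array to a native executable makes PowerShell emit one argument per
# element and quote values containing spaces itself. -File must be the last
# switch; everything after it is handed to the worker as named parameters.
$psArgs = @(
    '-NoProfile', '-NonInteractive', '-NoLogo',
    '-ExecutionPolicy', 'Bypass',
    '-File', $worker,
    '-UserName', $UserName,
    '-Department', $Department
)

# Merge the child's stderr into the captured output so any error text ends up
# in the exception message below.
$output = & $psExe $psArgs 2>&1
$exitCode = $LASTEXITCODE

# The original symptom was Get-AD* quietly returning nothing. Turn a failed child
# into a terminating error so the workflow activity sees a failure instead of an
# empty result. For this to be meaningful the worker should fail hard as well,
# e.g. 'Import-Module ActiveDirectory -ErrorAction Stop', which ends the child
# process with exit code 1.
if ($exitCode -ne 0) {
    $detail = ($output | Out-String).Trim()
    throw ("doSomething.script.ps1 failed with exit code {0}: {1}" -f $exitCode, $detail)
}

# Hand the worker's output back to the calling runspace; psh.Invoke() in the
# workflow collects it as the activity's result.
$output
```

<p align="justify">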
As I only have a limited number of scripts to call like this, I decided to go back to the wrapper script approach:</p> <p align="justify">The script containing the logic to be executed:</p> <pre># doSomething.script.ps1

#region Parameters
Param([string]$UserName,[string]$Department)
#endregion Parameters
Import-Module ActiveDirectory
Get-Aduser ...</pre> <p align="justify">As you can see I prepended .script to the .ps1 extension. And here’s my wrapper script. This is the one that is called from the FIM/MIM Workflow:</p> <pre># doSomething.ps1

Param([string]$UserName,[string]$Department)
# Derive the name of the base script from the name this wrapper was invoked with
$script = $myinvocation.invocationName.replace(".ps1",".script.ps1")
# Re-run the base script in a separate PowerShell 3.0 process and hand the parameters over
powershell -version 3.0 -file $script -UserName $username -Department $Department</pre> <p align="justify">There are some things to note: the Param line is just a copy-paste from the base script, and I specify the same parameters again when calling the base script. I had been looking for a way to use unbound parameters, e.g. the calling workflow says –username … –department … and the wrapper script just passes them through. That would have allowed me to have a generic wrapper script. I got pretty close to getting it to work, but I kept running into issues. 
In the end I just decided to go for KISS.</p> <p align="justify"><strong>Note:</strong> if you want to capture errors like the one I showed from “Import-Module ActiveDirectory”, just use the $error variable. You can use it like this. Saving it to disk is just one example; typically you would integrate this with your logging function.</p> <pre># Clear() needs the parentheses: without them PowerShell only returns the method reference and the old errors stay in $error
$error.Clear()
Import-Module ActiveDirectory
$error | out-file c:\users\public\error.txt</pre> 
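<p align="justify">The generic wrapper described above, with the unbound parameters passed straight through, as an added example (not the post’s own code). It assumes the same doSomething.ps1 / doSomething.script.ps1 naming, that the FIM/MIM workflow calls the wrapper with named arguments such as -UserName and -Department, and that a PowerShell 3.0 engine is installed on the server.</p>

```powershell
# doSomething.ps1 : generic wrapper (constructed example, not the post's own code).
# Deliberately no Param() block and no [CmdletBinding()]: a plain script then
# collects every token it is called with, named switches included, in the
# automatic $args array, e.g.  -UserName jdoe -Department IT
# becomes @('-UserName','jdoe','-Department','IT'). That is what lets one
# wrapper serve any worker script without repeating its parameter list.

# Derive the worker script from this file's own path instead of
# $MyInvocation.InvocationName, so the wrapper also works when it is started
# through a relative path or from a different working directory.
$script = $MyInvocation.MyCommand.Path -replace '\.ps1$', '.script.ps1'

if (-not (Test-Path -LiteralPath $script)) {
    throw "Worker script not found: $script"
}

# Re-launch the worker in a separate PowerShell 3.0 process. Array splatting
# (@args) hands every element to powershell.exe as its own argument, so the
# "-UserName jdoe" pairs arrive at the worker as ordinary named parameters.
# -File must stay the last powershell.exe option; everything after it belongs
# to the worker script.
& powershell.exe -NoProfile -NonInteractive -Version 3.0 -File $script @args

# Propagate the worker's outcome to the workflow instead of reporting success
# whenever the wrapper itself ran to completion.
if ($LASTEXITCODE -ne 0) {
    throw "$script failed with exit code $LASTEXITCODE"
}
```

<p align="justify">Because the wrapper never declares parameters, it cannot validate them; validation stays in the worker script, which is the same place the author keeps it.</p>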
<p>Thomas, published 2015-08-18: <strong>Azure Quick Tip: Block or Allow ICMP using Network Security Groups</strong></p> <p align="justify">For a while now Azure has allowed administrators to restrict network communications between virtual machines in Azure. Restrictions can be configured through the use of Network Security Groups (NSGs). Those can be linked to either subnets or virtual machines. Check the following link if you want some more background information: <a title="https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/" href="https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/">https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/</a></p> <p align="justify">An NSG always contains some default rules. By default all outbound traffic is allowed, and inbound traffic from other subnets (not the internet) is also allowed. Typically if you ping between VMs on different subnets (same VNET) you’ll see that the machines respond as expected.</p> <p align="justify">Now what if you want to restrict traffic between subnets but still allow ICMP? ICMP is great for troubleshooting connectivity. <em>Set-AzureNetworkSecurityRule</em> allows you to provide the <em>protocol</em> parameter. 
In a typical firewall scenario this value would be TCP, UDP, ICMP and so on. Ping uses ICMP, which is neither TCP nor UDP, yet Azure only seems to allow TCP, UDP and * for the protocol:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-GxGBMB-OITw/VdNJ1Equ_gI/AAAAAAAAC9Q/EyrQa4qwJeI/s1600-h/image3.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-UfyN8isMK0I/VdNJ2IfvPYI/AAAAAAAAC9Y/gzGteexmouE/image_thumb1.png?imgmax=800" width="454" height="86" /></a></p> <p align="justify">Now how can we block all traffic but allow ICMP? Simple: by explicitly denying UDP and TCP but allowing *. In this example I included the allow rule, but it should be covered by the default rules anyhow.</p> <pre>#allow ping, block UDP/TCP
# Rules are evaluated in ascending priority order: TCP and UDP hit the deny rules first,
# ICMP matches neither of them and only reaches the '*' rule, so it is allowed
Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockTCP -Type Inbound -Priority 40000 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockUDP -Type Inbound -Priority 40001 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowPing -Type Inbound -Priority 40002 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"</pre> <p align="justify">If we want to work the other way round, allowing UDP/TCP but blocking ICMP, we can turn the logic around:</p> <pre>#block ping, allow UDP/TCP
# Same ordering trick: TCP and UDP are matched by the allow rules first,
# everything else (including ICMP) falls through to the '*' deny rule
Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowTCP -Type Inbound -Priority 40000 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "TCP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name AllowUDP -Type Inbound -Priority 40001 -Action Allow -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "UDP"

Get-AzureNetworkSecurityGroup -name "NSG-1" | Set-AzureNetworkSecurityRule -Name BlockPing -Type Inbound -Priority 40002 -Action Deny -SourceAddressPrefix "*" -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol "*"</pre> <p align="justify">The source/destination information is pretty open as I use * for those, but that’s just an example here. It’s up to you to decide which ranges to apply this to. And you’ll probably want to open up some additional ports for the actual traffic that has to be allowed. The above logic is also mentioned in the information I linked at the beginning of the article:</p> <p align="justify"><em>The current NSG rules only allow for protocols ‘TCP’ or ‘UDP’. There is not a specific tag for ‘ICMP’. However, ICMP traffic is allowed within a Virtual Network by default through the Inbound VNet rules that allow traffic from/to any port and protocol ‘*’ within the VNet.</em></p> <p align="justify">Kudos to my colleague Nichola (<a href="http://www.vnic.be">http://www.vnic.be</a>) for taking the time to verify this.</p> <p>Thomas, published 2015-08-11: <strong>FIM 2010 (NOT R2!) Upgrade to MIM 2016</strong></p> <p>This blog post will assist you in upgrading a FIM 2010 environment to MIM 2016. To be clear: FIM 2010, not FIM 2010 R2. <strong>Disclaimer</strong>: if you “play” around like I do below, make sure you use one, or more, of the following. 
</p> <ul> <li> <div>A test environment</div> </li> <li> <div>SQL Backups</div> </li> <li> <div>VM Snapshots</div> </li> <li> <div>…</div> </li> </ul> <p>Trust me, sooner or later they’ll save your life, or at least your day. After each attempt I did an SQL restore to be absolutely sure my upgrade path was OK. The installer “touches” the databases pretty quickly, even if it fails at the beginning of the process.</p> <p>The upgrade process is explained on <a href="https://technet.microsoft.com/en-US/library/mt219041.aspx">TechNet: Upgrading Forefront Identity Manager 2010 R2 to Microsoft Identity Manager 2016</a> as well, but the guide is only partially applicable to the scenario I have in mind:</p> <ul> <li> <div>No information on upgrading from FIM 2010, only FIM 2010 R2 is mentioned</div> </li> <li> <div>No information on transitioning to a more recent Operating System</div> </li> <li> <div>No information on transitioning to a more recent database platform</div> </li> </ul> <p>In order to clarify I’ll show a topology diagram of our current setup:</p> <p><a href="http://lh3.googleusercontent.com/-pPQAqSdvJXo/VcnTe5fyv6I/AAAAAAAAC6U/mtALp55lfAE/s1600-h/visio%25255B3%25255D.png"><img title="visio" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="visio" src="http://lh3.googleusercontent.com/-X9mQqJx-1C4/VcnTfTpt_EI/AAAAAAAAC6Y/CpCdwDXXF8U/visio_thumb%25255B1%25255D.png?imgmax=800" width="454" height="552" /></a></p> <p>Current versions:</p> <ul> <li> <div>Operating System: <strong>Windows 2008 R2</strong></div> </li> <li> <div>SQL: <strong>SQL Server 2008</strong></div> </li> <li> <div>FIM: <strong>FIM 2010 (build 4.0.3576.2)</strong></div> </li> </ul> <p>Target versions:</p> <ul> <li> <div>Operating System: <strong>Windows 2012 R2</strong></div> </li> <li> 
<div>SQL: <strong>SQL Server 2012 SP1</strong></div> </li> <li> <div>FIM: <strong>MIM 2016 (RTM)</strong></div> </li> </ul> <p>I won’t post a target diagram as in our case we decided not to change anything. We intend to upgrade FIM 2010 to MIM 2016. However, we would also like to upgrade the various supporting components such as the underlying operating system and the SQL Server edition. The TechNet guide shows you what has to be done to perform an in-place upgrade of FIM 2010 R2 to MIM 2016. If I were to do an in-place upgrade I would end up with MIM 2016 on Server 2008 R2. I’d rather not do an in-place upgrade of 2008 R2 to 2012 R2. That means I would have to migrate MIM 2016 to another box. Another disadvantage of upgrading in place is that you’ll have downtime during the upgrade. Well, eventually you’ll have some downtime, but if you can leave the current environment intact, you can avoid the lengthy restore process if something goes wrong. And what about the database upgrade processes? Depending on your environment that can take quite some time. If you want to plan your window for the upgrade, you could follow my approach as a “dry run” with the production data without impacting your current (running) environment! If you’re curious how, read on!</p> <p>I wanted to determine the required steps to get from current to target with the least amount of hassle. 
I’ll describe the steps I followed and the issues I encountered:</p> <p><strong><u>Upgrading/Transitioning the FIM Synchronization Service: Attempt #1</u></strong></p> <ol> <li> <div>Stop and disable all scheduled tasks that execute run profiles</div> </li> <li> <div>Stop and disable all FIM 2010 services (both Sync and Service)</div> </li> <li> <div>Backup the FIMSynchronization database on the SQL 2008 platform (see note at bottom)</div> </li> <li> <div>Restore the FIMSynchronization database on the SQL 2012 platform</div> </li> <li> <div>Enable SQL Server Service Broker for the FIMSynchronization database (see note at bottom)</div> </li> <li> <div>Transfer the logins used by the database from SQL 2008 to SQL 2012</div> </li> <li> <div>Copy the FIM Synchronization service encryption keys to the Windows 2012 R2 Server</div> </li> <li> <div>Run the MIM 2016 Synchronization Service MSI on the Windows 2012 R2 server</div> </li> </ol> <p>However, that resulted in the following events and concluded with an MSI installation failure:</p> <p><a href="http://lh3.googleusercontent.com/-hFHjdj0oFF8/VcnTf2rYBiI/AAAAAAAAC6g/Y8axNjyfOw4/s1600-h/Error1%25255B3%25255D.png"><img title="Error1" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="Error1" src="http://lh3.googleusercontent.com/-HT89fX_EYCM/VcnTgfQivVI/AAAAAAAAC6o/0dao9Nxbzow/Error1_thumb%25255B1%25255D.png?imgmax=800" width="354" height="154" /></a></p> <p>In words: Error 25009.The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. 
&lt;hr=0x80230406&gt;</p> <p>And in the Application Event log:</p> <p><a href="http://lh3.googleusercontent.com/-ap0KlgvFlys/VcnTg0cCSeI/AAAAAAAAC6w/olMbNJ5kL-g/s1600-h/sync1%25255B4%25255D.png"><img title="sync1" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="sync1" src="http://lh3.googleusercontent.com/-AeTc1LBirHg/VcnThb2tfuI/AAAAAAAAC64/0fVWKpCLRlY/sync1_thumb%25255B2%25255D.png?imgmax=800" width="454" height="58" /></a></p> <p>In words: <em>Conversion of reference attributes started.</em></p> <p><a href="http://lh3.googleusercontent.com/-Lpvq8MODBpQ/VcnTh1H4MpI/AAAAAAAAC7A/ZQklOA0KID0/s1600-h/sync2%25255B4%25255D.png"><img title="sync2" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="sync2" src="http://lh3.googleusercontent.com/-nZQmuDVYhBs/VcnTicenkwI/AAAAAAAAC7I/savSOFCLwvM/sync2_thumb%25255B2%25255D.png?imgmax=800" width="454" height="60" /></a></p> <p>In words: <em>Conversion of reference attributes failed.</em></p> <p><a href="http://lh3.googleusercontent.com/-_QoUi9uEaw4/VcnTi4GuftI/AAAAAAAAC7Q/YFFyrALPoyA/s1600-h/Sync3%25255B4%25255D.png"><img title="Sync3" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="Sync3" src="http://lh3.googleusercontent.com/-BBmm6_wbT9c/VcnTjaeaalI/AAAAAAAAC7Y/KwV77AY-fGs/Sync3_thumb%25255B2%25255D.png?imgmax=800" width="454" height="60" /></a></p> <p>In words: <em>Product: Microsoft Identity Manager Synchronization Service -- Error 25009.The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the 
specified database. Invalid object name 'mms_management_agent'. &lt;hr=0x80230406&gt;</em></p> <p>The same information was also found in the MSI verbose log. Some googling led me to fixes regarding SQL access rights or the SQL compatibility level, none of which worked for me.</p> <p><strong><u>Upgrading/Transitioning the FIM Synchronization Service: Attempt #2</u></strong></p> <p>This attempt is mostly the same as the previous one. However, now I’ll be running the MIM 2016 installer directly on the FIM 2010 Synchronization Server. I’ll save you the trouble: it fails with the exact same error. As a bonus the setup rolls back and leaves you with a server with NO FIM installed.</p> <p><strong><u>Upgrading/Transitioning the FIM Synchronization Service: Attempt #3</u></strong></p> <p>I’ll provide an overview of the steps again:</p> <ol> <li> <div>Stop and disable all scheduled tasks that execute run profiles</div> </li> <li> <div>Stop and disable all FIM 2010 services (both Sync and Service)</div> </li> <li> <div>Backup the FIMSynchronization database on the SQL 2008 platform (see note at bottom)</div> </li> <li> <div>Restore the FIMSynchronization database on the SQL 2012 platform</div> </li> <li> <div>Enable SQL Server Service Broker for the FIMSynchronization database (see note at bottom)</div> </li> <li> <div>Transfer the logins used by the database from SQL 2008 to SQL 2012</div> </li> <li> <div>Install a new (temporary) Windows 2012 Server</div> </li> <li> <div>Copy the FIM Synchronization service encryption keys to the Windows 2012 Server</div> </li> <li> <div>Run the <u>FIM 2010 <strong>R2</strong></u> (4.1.2273.0) Synchronization Service MSI on the <u>Windows 2012 server</u> –> Success</div> </li> <li> <div>Stop and disable the FIM Synchronization Service on the Windows 2012 server</div> </li> <li> <div>Copy the FIM Synchronization service encryption keys to the Windows 2012 R2 Server</div> </li> <li> <div>Run the MIM 2016 Synchronization Service MSI on the Windows 2012 
R2 server</div> </li> </ol> <p>Again, that resulted in several events and concluded with an MSI installation failure:</p> <p><a href="http://lh3.googleusercontent.com/-Yl9UIMY9wcI/VcnTjiyMgmI/AAAAAAAAC7g/86t0jkD8Jd8/s1600-h/SyncErrorBis%25255B4%25255D.png"><img title="SyncErrorBis" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="SyncErrorBis" src="http://lh3.googleusercontent.com/-3B-BH1tLqTc/VcnTkKjjLdI/AAAAAAAAC7o/FaAsnpb5KpU/SyncErrorBis_thumb%25255B2%25255D.png?imgmax=800" width="454" height="102" /></a></p> <p>In words: <em>Product: Microsoft Identity Manager Synchronization Service -- Error 25009.The Microsoft Identity Manager Synchronization Service setup wizard cannot configure the specified database. Incorrect syntax near 'MERGE'. You may need to set the compatibility level of the current database to a higher value to enable this feature. See help for the SET COMPATIBILITY_LEVEL option of ALTER DATABASE.</em> </p> <p>Now that’s an error that doesn’t seem too scary. It’s clearly suggesting to raise the database compatibility level so that the MERGE feature is available. 
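Both SQL prerequisites this post runs into, the compatibility level needed for MERGE and the Service Broker setting covered in the note at the bottom, can be checked (and optionally fixed) for the restored FIM databases in one go before the MIM installer is run. This is an added PowerShell example, not the post’s own code; it assumes the instance and database names used in the post and Windows authentication to SQL Server with ALTER DATABASE permission.

```powershell
# Added example (not from the original post): pre-flight check of the restored
# FIM databases before running the MIM 2016 installers. Reports and optionally
# fixes the two things the post trips over: the database compatibility level
# (MERGE needs 100 / SQL Server 2008) and SQL Server Service Broker.
# Instance and database names are the ones used in the post; adjust as needed.
param(
    [string]$SqlInstance = 'sqlcluster.contoso.com\fimsql',
    [string[]]$Databases = @('FIMSynchronization', 'FIMService'),
    [int]$MinCompatibilityLevel = 100,
    [switch]$Fix   # without -Fix the script only reports, it changes nothing
)

function Invoke-FimSql {
    param([string]$Instance, [string]$Query, [hashtable]$Parameters = @{}, [switch]$NonQuery)
    # Integrated security only: no SQL password ends up in a script, command line or log.
    $cs   = "Data Source=$Instance;Initial Catalog=master;Integrated Security=SSPI;Connection Timeout=30"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue("@$name", $Parameters[$name])
        }
        if ($NonQuery) { [void]$cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally {
        $conn.Dispose()
    }
}

function Test-FimDatabasePrereq {
    param([string]$Instance, [string]$Database, [int]$MinLevel, [switch]$Apply)
    # ALTER DATABASE cannot take the name as a parameter, so only a plain
    # identifier is accepted before it is spliced into the DDL below.
    if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Refusing unexpected database name '$Database'" }

    $t = Invoke-FimSql -Instance $Instance -Parameters @{ name = $Database } `
        -Query 'SELECT compatibility_level, is_broker_enabled FROM sys.databases WHERE name = @name'
    if ($t.Rows.Count -eq 0) { throw "Database '$Database' not found on $Instance; restore it first" }

    $level   = [int]$t.Rows[0].compatibility_level
    $broker  = [bool]$t.Rows[0].is_broker_enabled
    $actions = @()

    if ($level -lt $MinLevel) {
        $actions += "raise compatibility level $level -> $MinLevel"
        if ($Apply) {
            Invoke-FimSql -Instance $Instance -NonQuery `
                -Query "ALTER DATABASE [$Database] SET COMPATIBILITY_LEVEL = $MinLevel"
        }
    }
    if (-not $broker) {
        $actions += 'enable Service Broker'
        if ($Apply) {
            # ROLLBACK IMMEDIATE drops other sessions on the database: the FIM
            # services must already be stopped, as in step 2 of the procedure.
            Invoke-FimSql -Instance $Instance -NonQuery `
                -Query "ALTER DATABASE [$Database] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE"
        }
    }

    $summary = if ($actions.Count -gt 0) { $actions -join '; ' } else { 'none needed' }
    [pscustomobject]@{
        Database           = $Database
        CompatibilityLevel = $level
        BrokerEnabled      = $broker
        Actions            = $summary
        Applied            = [bool]($Apply -and $actions.Count -gt 0)
    }
}

foreach ($db in $Databases) {
    Test-FimDatabasePrereq -Instance $SqlInstance -Database $db -MinLevel $MinCompatibilityLevel -Apply:$Fix
}
```

Run it once without -Fix to see what the restore left behind, then with -Fix; the MIM Service setup raises the FIMService level itself, so that database will usually only report Service Broker.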
</p> <p><strong><u>Upgrading/Transitioning the FIM Synchronization Service: Attempt #4 –> Success!</u></strong></p> <p>I’ll provide an overview of the steps again:</p> <ol> <li> <div>Stop and disable all scheduled tasks that execute run profiles</div> </li> <li> <div>Stop and disable all FIM 2010 services (both Sync and Service)</div> </li> <li> <div>Backup the FIMSynchronization database on the SQL 2008 platform (see note at bottom)</div> </li> <li> <div>Restore the FIMSynchronization database on the SQL 2012 platform</div> </li> <li> <div>Enable SQL Server Service Broker for the FIMSynchronization database (see note at bottom)</div> </li> <li> <div>Transfer the logins used by the database from SQL 2008 to SQL 2012</div> </li> <li> <div>Don’t worry about the SQL Agent Jobs, the MIM Service setup will recreate those</div> </li> <li> <div>Install a new (temporary) Windows 2012 Server</div> </li> <li> <div>Copy the FIM Synchronization service encryption keys to the Windows 2012 Server</div> </li> <li> <div>Run the <u>FIM 2010 <strong>R2</strong></u> (4.1.2273.0) Synchronization Service MSI on the <u>Windows 2012</u> server</div> </li> <li> <div>Stop and disable the FIM Synchronization Service on the Windows 2012 server</div> </li> <li> <div>Change the SQL compatibility level to 2008 (100) on the database</div> </li> <li> <div>Copy the FIM Synchronization service encryption keys to the Windows 2012 R2 Server</div> </li> <li> <div>Run the MIM 2016 Synchronization Service MSI on the <u>Windows 2012 R2</u> server –> Success!</div> </li> </ol> <p>Changing the compatibility level can easily be done using SQL Server Management Studio:</p> <p><a href="http://lh3.googleusercontent.com/-JOd2aKnEdiQ/VcnTkd9KSNI/AAAAAAAAC7w/j0aHITO3F7w/s1600-h/sqlCompatLevel%25255B3%25255D.png"><img title="sqlCompatLevel" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; 
padding-right: 0px; border-top-width: 0px" border="0" alt="sqlCompatLevel" src="http://lh3.googleusercontent.com/-m3aZLNjyXhI/VcnTlF8q32I/AAAAAAAAC74/5Qvz2_pHufg/sqlCompatLevel_thumb%25255B1%25255D.png?imgmax=800" width="354" height="318" /></a></p> <p>In my case it was on SQL Server 2005 (90) and I changed it to SQL Server 2008 (100). If you prefer doing this through an SQL query:</p> <pre>USE [master]
GO
ALTER DATABASE [FIMSynchronization] SET COMPATIBILITY_LEVEL = 100
GO</pre> <p><strong><u>Bonus information:</u></strong></p> <p>This is the command I ran to install both the FIM 2010 R2 and MIM 2016 Synchronization instances:</p> <p>Msiexec /i "Synchronization Service.msi" /qb! STORESERVER=sqlcluster.contoso.com SQLINSTANCE=fimsql SQLDB=FIMSynchronization SERVICEACCOUNT=svcsync SERVICEDOMAIN=CONTOSO SERVICEPASSWORD=PASSWORD GROUPADMINS=CONTOSO\GGFIMSyncSvcAdmins GROUPOPERATORS=CONTOSO\GGFIMSyncSvcOps GROUPACCOUNTJOINERS=CONTOSO\GGFIMSyncSvcJoiners GROUPBROWSE=CONTOSO\GGFIMSyncSvcBrowse GROUPPASSWORDSET=CONTOSO\GGFIMSyncSvcPWReset FIREWALL_CONF=1 ACCEPT_EULA="1" SQMOPTINSETTING="0" /l*v C:\MIM\LOGS\FIMSynchronizationServiceInstallUpgrade.log</p> <p>No real rocket science here. However, make sure not to run /q but use /qb!, as the latter allows popups to be thrown and answered by you, for instance when prompted to provide the encryption keys.</p> <p><strong><u>Upgrading/Transitioning the FIM Service: Attempt #1 –> Success!</u></strong></p> <p>Now to be honest, the upgrade I feared the most proved to be the easiest. From past FIM experiences I know the FIM Service comes with a DB upgrade utility. The setup runs this for you. I figured: why on earth would they throw away the information to upgrade from FIM 2010 to FIM 2010 R2 and cripple the tool so that it can only upgrade FIM 2010 R2 to MIM 2016?! And indeed, they did not! 
Here are the steps I took to upgrade my FIM Portal & Service:</p> <ol> <li> <div>Stop and disable all scheduled tasks that execute run profiles => this was already the case</div> </li> <li> <div>Stop and disable all FIM 2010 services (both Sync and Service) => this was already the case</div> </li> <li> <div>Backup the FIMService database on the SQL 2008 platform (see note at bottom)</div> </li> <li> <div>Restore the FIMService database on the SQL 2012 platform</div> </li> <li> <div>Enable SQL Server Service Broker for the FIMService database (see note at bottom)</div> </li> <li> <div>Transfer the logins used by the database from SQL 2008 to SQL 2012</div> </li> <li> <div>Install a standalone SharePoint 2013 Foundation SP2</div> </li> <li> <div>Run the MIM 2016 Service and Portal MSI on the Windows 2012 R2 server –> Success!</div> </li> <li> <div>Note: the compatibility level was raised to 2008 (100) by the setup</div> </li> </ol> <p>One thing that assured me the FIM Service database was upgraded successfully was the database upgrade log. The following event indicates where you can find it:</p> <p><a href="http://lh3.googleusercontent.com/-rzNgaLxmoN4/VcnTlZ3j44I/AAAAAAAAC8A/pPiXTd1fh8w/s1600-h/dbupgrade%25255B3%25255D.png"><img title="dbupgrade" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="dbupgrade" src="http://lh3.googleusercontent.com/-lWKqkYUC2ek/VcnTlliKNeI/AAAAAAAAC8I/GqpFIDVmn6U/dbupgrade_thumb%25255B1%25255D.png?imgmax=800" width="454" height="64" /></a></p> <p>The path: c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.IdentityManagement.DatabaseUpgrade_tracelog.txt. An extract:</p> <p>Database upgrade : Started. <br />Database upgrade : Starting command line parsing. <br />Database upgrade : Completed commandline parsing. 
<br />Database upgrade : Connection string is : Data Source=sqlcluster.contoso.com\fimsql;Initial Catalog=FIMService;Integrated Security=SSPI;Pooling=true;Connection Timeout=225. <br />Database upgrade : Trying to connect to database server. <br />Database upgrade : Succesfully connected to database server. <br />Database upgrade : Setting the database version to -1. <br />Database upgrade : Starting database schema upgrade. <br />Schema upgrade: Starting schema upgrade <br /><font style="background-color: #ffff00">Schema upgrade : Upgrading FIM database from version: 20 to the latest version.</font> <br />Schema upgrade : Starting schema upgrade from version 20 to 21. <br />... <br />Database upgrade : Out-of-box object upgrade completed. <br /><font style="background-color: #ffff00">Database ugrade : Completed successfully.</font> <br />Database upgrade : Database version upgraded from: 20 to: 2004 <br />The AppDomain's parent process is exiting.</p> <p>You can clearly see that the database upgrade utility intelligently detects the current (FIM 2010) schema and upgrades all the way to the MIM 2016 database schema.</p> <p><strong><u>Bonus information</u></strong></p> <p>This is the command I ran to install the MIM 2016 Portal and Service. The password reset/registration portals, reporting and PIM components are not deployed. If you just want to test your FIM Service database upgrade, you can even get away with only installing the CommonServices component.</p> <p>Msiexec /i "Service and Portal.msi" /qb! 
ADDLOCAL=<font style="background-color: #ffff00">CommonServices,WebPortals</font> SQLSERVER_SERVER=sqlcluster.contoso.com\fimsql SQLSERVER_DATABASE=FIMService <font style="background-color: #ffff00">EXISTINGDATABASE=1</font> SERVICE_ACCOUNT_NAME=svcfim SERVICE_ACCOUNT_DOMAIN=CONTOSO SERVICE_ACCOUNT_PASSWORD=PASSWORD SERVICE_ACCOUNT_EMAIL=svcfim@contoso.com MAIL_SERVER=mail.contoso.com MAIL_SERVER_USE_SSL=1 MAIL_SERVER_IS_EXCHANGE=1 POLL_EXCHANGE_ENABLED=1 SYNCHRONIZATION_SERVER=fimsync.contoso.com SYNCHRONIZATION_SERVER_ACCOUNT=CONTOSO\svcfimma SERVICEADDRESS=fimsvc.contoso.com FIREWALL_CONF=1 SHAREPOINT_URL=<a href="http://idm.contoso.com">http://idm.contoso.com</a> SHAREPOINTUSERS_CONF=1 ACCEPT_EULA=1 FIREWALL_CONF=1 SQMOPTINSETTING=0 /l*v c:\MIM\LOGS\FIMServiceAndPortalsInstall.log</p> <p><u><strong>Note: SQL Management Studio Database Backup</strong></u></p> <p>Something I learned in the past year or so: whenever taking an “ad hoc” SQL backup, make sure to check the “<strong>Copy-only backup</strong>” box. That way you won’t interfere with the regular backups that have been configured by your DBA/Backup Admin.</p> <p><a href="http://lh3.googleusercontent.com/-h-PNM8Cnn7o/VcnTmO33REI/AAAAAAAAC8Q/sL_COYfy9ic/s1600-h/SQL%252520Backup%25255B4%25255D.png"><img title="SQL Backup" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="SQL Backup" src="http://lh3.googleusercontent.com/-1ibRaPrzcGQ/VcnTm8ey2PI/AAAAAAAAC8Y/AEW3AIe1VxU/SQL%252520Backup_thumb%25255B2%25255D.png?imgmax=800" width="404" height="364" /></a></p> <p><u><strong>Note: SQL Server Service Broker</strong></u></p> <p>Lately I’ve seen cases where applications are unhappy because SQL Server Service Broker is disabled for their database. In my case it was an ADFS setup. 
But here’s an (older) example for FIM: <a href="http://justanothertechguy.blogspot.be/2012/11/fim-2010-unable-to-start-fim-service.html">http://justanothertechguy.blogspot.be/2012/11/fim-2010-unable-to-start-fim-service.html</a>. Typically a database that is restored from an SQL backup has this feature disabled. I checked Service Broker for the FIM databases on the SQL 2008 platform and it was enabled. I checked on my SQL 2012 where I did the restore and I could see it was off. Here are some relevant commands:</p> <p>Checking whether it’s on for your database:</p> <pre>SELECT is_broker_enabled FROM sys.databases WHERE name = 'FIMSynchronization';</pre> <p><a href="http://lh3.googleusercontent.com/-DjRkWn3Yy1E/VcnTnY5GPoI/AAAAAAAAC8g/DsLqRVIejIA/s1600-h/brokerOff%25255B3%25255D.png"><img title="brokerOff" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; 
border-top-width: 0px" border="0" alt="brokerOff" src="http://lh3.googleusercontent.com/-MLUlvMOBGao/VcnTnvCz6WI/AAAAAAAAC8o/2zWnAqvMk3w/brokerOff_thumb%25255B1%25255D.png?imgmax=800" width="254" height="136" /></a></p> <p>Enable:</p> <pre>ALTER DATABASE FIMSynchronization SET ENABLE_BROKER WITH NO_WAIT</pre> <p>If issues arise you can try this one. I’m not an SQL guy; all I can guess is that it handles things less gracefully:</p> <pre>ALTER DATABASE FIMSynchronization SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;</pre> <p>And now it’s on:</p> <p><a href="http://lh3.googleusercontent.com/-VIek87CPdDU/VcnToG4XGRI/AAAAAAAAC8w/5jp_UKRV8Nk/s1600-h/BrokerOn%25255B3%25255D.png"><img title="BrokerOn" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="BrokerOn" src="http://lh3.googleusercontent.com/-nPvPY45Ni3Q/VcnTorNGPVI/AAAAAAAAC84/3x2dBcW7-8c/BrokerOn_thumb%25255B1%25255D.png?imgmax=800" width="254" height="112" /></a></p> <p><u><strong>Remark</strong></u></p> <p>I didn’t go too deep into certain details; if you feel something is unclear, post a comment and I’ll see if I can add information where needed. 
The above doesn’t describe how to install the second FIM Portal/Service server or the standby MIM Synchronization Server. I expect the instructions to be fairly simple as the database is already on the correct level. If I encounter issues you can expect a post on that as well. To conclude: there’s more to do than just running the MIM installers and being done with it. You’ll have to transfer your customizations (like custom workflow DLLs) as well. FIM/MIM Synchronization extensions are transferred for you, but be sure to test everything! Don’t assume! Happy upgrading!</p> <p><u><strong>Conclusion</strong></u></p> <p>The FIM 2010 Portal and Service can be upgraded to MIM 2016 without the need for a FIM 2010 R2 intermediate upgrade. The FIM 2010 Synchronization Service could not be upgraded directly to MIM 2016. This could be tied to something specific in our environment, or it could be common…</p> <p><strong><u>Update #1 (12/08/2015)</u></strong></p> <p>Someone asked me whether FIM can be upgraded without providing the FIM/MIM Synchronization service encryption keys. Obviously it cannot. That part has not changed. Whenever you install FIM/MIM on a new box and you point it to an existing database, it will prompt for the key file. I’ve added some “copy keys” steps to my process so that you have them ready when the MSI prompts for them.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com8tag:blogger.com,1999:blog-62687483129304921.post-67184436528922776092015-08-05T18:24:00.001+02:002015-08-05T18:25:17.595+02:00ADFS Alternate Login ID: Some or all identity references could not be translated<p align="justify">First day back at work I already had the chance to get my hands dirty with an ADFS issue at a customer. The customer had an INTERNAL.contoso.com domain and an EXTERNAL.contoso.com domain. Both were connected with a two-way forest trust. The INTERNAL domain also had an ADFS farm. 
Now they wanted users from both INTERNAL and EXTERNAL to be authenticated by that ADFS. Technically this is possible through the AD trust. Nothing special there; the catch was that they wanted both INTERNAL and EXTERNAL users to authenticate using @contoso.com usernames. Active Directory has no problem authenticating users whose UPN suffix differs from the domain’s DNS name. You can even share the UPN suffix namespace in more than one domain, but… you cannot route shared suffixes across the forest trust! In our case that would mean the ADFS instance would be able to authenticate <a href="mailto:user.internal@contoso.com">user.internal@contoso.com</a> but not <a href="mailto:user.external@contoso.com">user.external@contoso.com</a>, as there would be no way to locate that user in the <em>other</em> domain.</p> <p align="justify">Alternate Login ID to the rescue! Alternate Login ID is a feature of ADFS that allows you to specify an <strong>additional </strong>attribute to be used for user lookups. Most commonly “mail” is used for this. This allows people to leave the UPN, commonly a non-public domain (e.g. contoso.local), untouched, although I mostly advise changing the UPN to something public (e.g. contoso.com). The cool thing about Alternate Login ID is that you can specify one <strong>or more</strong> LookupForests! 
In our case the command looked like:</p> <pre>Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests internal.contoso.com,external.contoso.com</pre> <p align="justify">Some more information about Alternate Login ID: <a href="https://technet.microsoft.com/en-us/library/dn659436.aspx">TechNet: Configuring Alternate Login ID</a></p> <p align="justify">Remark: <em>When 
alternate login ID feature is enabled, AD FS will try to authenticate the end user with alternate login ID first and then fall back to use UPN if it cannot find an account that can be identified by the alternate login ID. You should make sure there are no clashes between the alternate login ID and the UPN if you want to still support the UPN login. For example, setting one’s mail attribute with the other’s UPN will block the other user from signing in with his UPN.</em></p> <p align="justify">Now where’s the issue? We could authenticate INTERNAL users just fine, but EXTERNAL users were getting an error:</p> <p><a href="http://lh3.googleusercontent.com/-pBRaoqb8PKI/VcI4g42k9-I/AAAAAAAAC4c/DskRA60XZuY/s1600-h/3%25255B3%25255D.png"><img title="3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="3" src="http://lh3.googleusercontent.com/-3iBOQ2dlYLE/VcI4haRSHRI/AAAAAAAAC4g/nUPfTjS7-DM/3_thumb%25255B1%25255D.png?imgmax=800" width="454" height="184" /></a></p> <p>In words:</p> <p><em><font size="1">The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request. </font></em></p> <p><em><font size="1">Activity ID: 00000000-0000-0000-5e95-0080000000f1 </font></em></p> <p><em><font size="1">Request type: </font></em><a href="http://schemas.microsoft.com/idfx/requesttype/issue"><em><font size="1">http://schemas.microsoft.com/idfx/requesttype/issue</font></em></a><em><font size="1"> </font></em></p> <p><em><font size="1">Additional Data <br />Exception details: <br />System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated. 
<br />   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) <br />   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType) <br />   at System.Security.Principal.WindowsIdentity.GetName() <br />   at System.Security.Principal.WindowsIdentity.get_Name() <br />   at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.InitializeName() <br />   at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.get_Claims() <br />   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.AddClaimsInWindowsIdentity(UserNameSecurityToken usernameToken, WindowsClaimsIdentity windowsIdentity, DateTime PasswordMustChange) <br />   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) <br />   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) <br />   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) <br />   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection) <br />   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)</font></em></p> <p align="justify">Now the weird part: just before the error I was seeing a successful login for that particular user:</p> <p><a href="http://lh3.googleusercontent.com/-inrwQN_ukKQ/VcI4iF_2uBI/AAAAAAAAC4s/I2PbrSRZCq0/s1600-h/2%25255B5%25255D.png"><img title="2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="2" 
src="http://lh3.googleusercontent.com/-wK0AbNaVr2M/VcI4i_mSsQI/AAAAAAAAC4w/xpPnLk51ixs/2_thumb%25255B3%25255D.png?imgmax=800" width="454" height="349" /></a></p> <p align="justify">I decided to start my search with this part: <em>System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.</em> That led me to all kinds of blogs/posts where people were having issues with typos in scripts or with users that didn’t exist in AD. But that wasn’t the case with me; after all, I had just had a successful authentication! Using the first line of the stack trace, <em>at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)</em>, I took an educated guess at what the ADFS service was trying to do, and I was able to do the same using PowerShell:</p> <pre>$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-3655502699-1342072961-xxxxxxxxxx-1136")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value</pre> <p>And yes, I got the same error:</p> <p><a href="http://lh3.googleusercontent.com/-3e30JGXjozs/VcI4jVSMk4I/AAAAAAAAC44/7uX_6Iqj00M/s1600-h/psError%25255B3%25255D.png"><img title="psError" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="psError" src="http://lh3.googleusercontent.com/-t_GW7D-T5PE/VcI4kI2HAGI/AAAAAAAAC5E/E5grObggU2U/psError_thumb%25255B1%25255D.png?imgmax=800" width="454" height="135" /></a></p> <p align="justify">At first sight this gave me nothing. But this was actually quite powerful: I was now able to reproduce the issue as many times as I liked, with no need to go through the logon pages, and most importantly: I could now take this PowerShell code and execute it on other servers! 
This way I could determine whether it was OS related, AD related, trust related,… I found out the following:</p> <ul> <li> <div align="justify">Command fails on ADFS-SRV-01</div> </li> <li> <div align="justify">Command fails on ADFS-SRV-02</div> </li> <li> <div align="justify">Command fails on WEB-SRV-01</div> </li> <li> <div align="justify">Command runs on HyperV-SRV-01</div> </li> <li> <div align="justify">Command runs on DC-INTERNAL-01</div> </li> </ul> <p align="justify">Now what did this teach me:</p> <ul> <li> <div align="justify">The command is fine and should work</div> </li> <li> <div align="justify">The command runs fine on other 2012 R2 servers</div> </li> <li> <div align="justify">The command runs fine on a member server (the Hyper-V server)</div> </li> </ul> <p align="justify">As I was getting nowhere with this I decided to take a network trace on the ADFS server while executing the PowerShell command. I expected one of the typical SID translation methods (<a title="https://technet.microsoft.com/en-us/library/ff428139(v=ws.10).aspx" href="https://technet.microsoft.com/en-us/library/ff428139(v=ws.10).aspx">TechNet: How SIDs and Account Names Can Be Mapped in Windows</a>) to appear. However, absolutely nothing appeared?! No outgoing traffic related to this code. Now wtf? I had found this article: <a title="http://blogs.technet.com/b/askds/archive/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious.aspx" href="http://blogs.technet.com/b/askds/archive/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious.aspx">ASKDS: Troubleshooting SID translation failures from the obvious to the not so obvious</a>, but that wouldn’t help me if there was no traffic to begin with.</p> <p align="justify">Suddenly an idea popped up in my head. What if the network traffic wasn’t showing any SID resolution because the machine was looking locally? And why would the machine look locally? 
Perhaps if the domain portion of the machine’s SID is the same as that of the user we were looking up? But they’re in different domains… However, there’s also the machine’s local SID! The one that is typically never encountered or seen! Here’s some info on it: <a title="http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx" href="http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx">Mark Russinovich: The Machine SID Duplication Myth (and Why Sysprep Matters)</a></p> <p align="justify">I didn’t take the time to find out whether I could retrieve its value with PowerShell, so I just took PsGetsid.exe from Sysinternals. This is what the command showed me for the ADFS server:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-zAD37pS9lqg/VcI4kjPNB7I/AAAAAAAAC5M/VpnAG4JnmzM/s1600-h/2015-08-03_14-43-07%25255B3%25255D.png"><img title="2015-08-03_14-43-07" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="2015-08-03_14-43-07" src="http://lh3.googleusercontent.com/-00abyn6iQsY/VcI4l6NBhDI/AAAAAAAAC5Q/kScSbeZpNtM/2015-08-03_14-43-07_thumb%25255B1%25255D.png?imgmax=800" width="404" height="94" /></a></p> <p align="justify">Bazinga! It seemed the local SID of all the machines that were failing the command was the same as the domain portion of the EXTERNAL domain SIDs! Now I asked the customer whether he could deploy a new test server so I could reproduce the issue one more time. Indeed, the issue appeared again. The local SID was again identical. 
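As an added check (example code written for this edit, not part of the original post), the following PowerShell does in one go what the post works out by hand: it runs the same SecurityIdentifier.Translate call as ADFS and compares the domain portion of the SID being translated with the local machine SID, which it reads through WMI instead of PsGetsid.exe. The function names Get-LocalMachineSid and Test-SidTranslation and the sample SID at the bottom are assumptions of this example; it expects Windows PowerShell 3.0 or later on a domain-joined server.

```powershell
# Added example, not code from the original post. It reproduces the
# SecurityIdentifier.Translate call seen in the ADFS stack trace and checks
# whether the domain portion of the SID being translated is identical to the
# local machine SID, the condition this post ends up diagnosing.
# Assumptions: Windows PowerShell 3.0 or later on a domain-joined server;
# the SID passed at the bottom is a constructed placeholder.

function Get-LocalMachineSid {
    # The built-in local Administrator account always carries RID 500 under the
    # machine's own SID authority, so stripping that RID yields the machine SID.
    # This is a WMI-based alternative to PsGetsid.exe.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -like '*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'Could not find the local RID-500 account.' }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid
}

function Test-SidTranslation {
    param([Parameter(Mandatory)][string]$Sid)

    $objSid     = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $domainPart = $objSid.AccountDomainSid   # $null for SIDs without a domain part, e.g. S-1-5-32-544
    $localSid   = Get-LocalMachineSid

    $result = [ordered]@{
        Sid               = $Sid
        DomainPortion     = $(if ($domainPart) { $domainPart.Value } else { $null })
        LocalMachineSid   = $localSid.Value
        CollidesWithLocal = (($null -ne $domainPart) -and ($domainPart.Value -eq $localSid.Value))
        ResolvedName      = $null
        Error             = $null
    }

    try {
        # The same lookup ADFS performs when it builds claims for the Windows identity.
        $result.ResolvedName = $objSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # "Some or all identity references could not be translated"
        $result.Error = $_.Exception.Message
    } catch {
        $result.Error = $_.Exception.Message
    }

    if ($result.CollidesWithLocal) {
        # When the domain part equals the machine SID, LSA resolves the SID as a
        # local account and never asks a domain controller, which is why the
        # network trace stays empty. Sysprep (generalize) is the fix.
        $result.Error = "Domain SID matches the local machine SID (unsysprepped image?). $($result.Error)"
    }

    return [pscustomobject]$result
}

# Constructed placeholder SID; substitute the SID that fails in your environment.
Test-SidTranslation -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1136' | Format-List
```

Run it on a server where the translation fails and on one where it works: a CollidesWithLocal of True on the failing servers only, with identical LocalMachineSid values across them, is the duplicate-image signature described in this post, and the check can be dropped into a build pipeline to catch unsysprepped templates before a domain is ever promoted on one.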
Running sysprep on the server changed the local SID, and after re-joining the server to the domain we were able to successfully execute the PowerShell commands!</p> <p align="justify"><strong><u>Resolution:</u></strong></p> <p align="justify">The customer had been copying the same VHD over and over again without actually running sysprep on it… As the EXTERNAL domain was also created on a VM from that image, the domain controller promotion process chose that local SID as the base for the EXTERNAL domain SID. My customer chose to resolve this issue by destroying the EXTERNAL domain and setting it up again. Obviously this does not solve the fact that several servers were not sysprepped, and in the future this might cause other issues…</p> <p align="justify">Sysprep location:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-lCJ-Buvjijc/VcI4mnS0_2I/AAAAAAAAC5c/MorWJBf65jU/s1600-h/image%25255B3%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-BgfXaW0SA5k/VcI4ntGC6PI/AAAAAAAAC5k/05UE9JyrV-Q/image_thumb%25255B1%25255D.png?imgmax=800" width="304" height="129" /></a></p> <p align="justify">For a template you can run sysprep with the generalize and shutdown options:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-XAWhClfiFvg/VcI4oIU615I/AAAAAAAAC5s/5Cx44H_46N8/s1600-h/image%25255B7%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-9c1w9tvz3JU/VcI4pO4D9II/AAAAAAAAC50/-aOt8B4xvfw/image_thumb%25255B3%25255D.png?imgmax=800" width="304" height="234" /></a></p> <p align="justify">Each time you boot a copy of your 
template it will run the sysprep process at first boot.</p> <p align="justify">P.S. Don’t run sysprep on a machine with software/services installed. It might have a nasty outcome…</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com1tag:blogger.com,1999:blog-62687483129304921.post-11281787827731202262015-07-03T07:40:00.001+02:002015-07-03T07:42:41.819+02:00Quick Tips: Azure: Where did my Public IP go?<p align="justify">Over the past few months I’ve been working more and more on Azure, and here is a small tip I’d like to share. I’ve seen various customers that are not aware of the following:</p> <p align="justify">Whenever you start the first VM in a cloud service, the cloud service gets a public IP from the Azure infrastructure. Suppose you have an IIS server in it that you want to expose to the internet; you might create a 443/80 endpoint for it. In order to point users to it you’ll probably prefer <a href="http://web.contoso.com">http://web.contoso.com</a> over <a href="http://contosoweb.cloudapp.net">http://contosoweb.cloudapp.net</a>, so chances are you’ll start fiddling around in your public DNS zone. If you want to achieve this, there are some options for you:</p> <ul> <li> <div align="justify">Create a CNAME (alias) record web.contoso.com –> contosoweb.cloudapp.net</div> </li> <li> <div align="justify">Create an A record web.contoso.com –> public IP of the cloud service</div> </li> </ul> <p align="justify">Which option you prefer is up to you, but watch out with the last option! By default cloud services get a dynamic public IP. Once all VMs in the cloud service are stopped (deallocated), the cloud service stops as well and the public IP is released. Whenever you start your VMs again, they’ll no longer be reachable on that old public IP! There’s an option to reserve your IP though; you can even reserve 5 for free with each subscription. 
For pricing details: <a href="http://azure.microsoft.com/en-us/pricing/details/ip-addresses/">http://azure.microsoft.com/en-us/pricing/details/ip-addresses/</a></p> <p align="justify">Some relevant screenshots:</p> <p align="justify">Before: “Virtual IP-Address” > Dynamic</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-iDKYTfjk4ec/VZYgNCfarVI/AAAAAAAAC2w/VEuGxhLMGYU/s1600-h/Dyn%25255B4%25255D.png"><img title="Dyn" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="Dyn" src="http://lh3.googleusercontent.com/-aJFNcO4q914/VZYgN1Ks9bI/AAAAAAAAC24/SWhffjUyuEA/Dyn_thumb%25255B2%25255D.png?imgmax=800" width="404" height="399" /></a></p> <p align="justify">After: “Virtual IP-Address” > Reserved</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-CVV1Z349EBk/VZYgOm5ApMI/AAAAAAAAC3A/RcJcZJ1VFPI/s1600-h/dyn2%25255B3%25255D.png"><img title="dyn2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="dyn2" src="http://lh3.googleusercontent.com/-Jsu5OxmVp2s/VZYgPXTv3YI/AAAAAAAAC3E/qTcVBvvD00M/dyn2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="413" /></a></p> <p align="justify">Assigning an IP is pretty straightforward; first we create one:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-xUjUC8HoqAo/VZYgPzGl9qI/AAAAAAAAC3Q/2mh8D1bzTY0/s1600-h/2%25255B3%25255D.png"><img title="2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="2" src="http://lh3.googleusercontent.com/-Nja8mldwPA8/VZYgRHkus-I/AAAAAAAAC3Y/leABj-G_Hdk/2_thumb%25255B1%25255D.png?imgmax=800" width="454" height="103" /></a></p> <p 
align="justify">Then we reserve it:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-wVUHU3dRM0M/VZYgRn80Z4I/AAAAAAAAC3g/3JR5Hz2VL-A/s1600-h/3%25255B3%25255D.png"><img title="3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="3" src="http://lh3.googleusercontent.com/-BaBrGWzODAM/VZYgSUW56UI/AAAAAAAAC3o/U_AY6Ujfs8g/3_thumb%25255B1%25255D.png?imgmax=800" width="454" height="92" /></a></p> <p align="justify"><strong>Note:</strong> the reserved IP will not be the same as the IP currently in use, so make sure to coordinate this with your DNS record update!</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com0tag:blogger.com,1999:blog-62687483129304921.post-16768993286621053502015-06-29T07:15:00.001+02:002015-06-29T07:15:27.767+02:00Azure DSC and Configuration Archive Case Sensitiveness<p align="justify">Lately I’ve been working on my Azure Automation skills. More precisely, I want a script that creates a virtual machine and sets up a new Active Directory domain controller on it. There are several ways of doing this. One way is to create a PowerShell script that is executed through the Azure script extension. Another way is through the Desired State Configuration (DSC) extension. In my opinion the latter is the best option. DSC is really great at getting your server configured with minimal scripting. If you’re unfamiliar with DSC you might run into quite some issues in the beginning. Having a working DSC configuration is one thing, but getting it to work through the Azure DSC extension has its own challenges. 
Most of these so-called issues probably have to do with me being at the bottom of the DSC learning curve…</p> <p align="justify">A while back I wrote a simple DSC configuration to get the time zone right (<a href="http://setspn.blogspot.be/2015/06/working-with-powershell-dsc-and-azure.html">Working with PowerShell DSC and Azure VM’s based on Windows 2012</a>). That simple example went pretty well. Now I wasn’t even getting my DSC script to download properly to the target system. How on earth could something that simple be that hard? Here’s the error I was having:</p> <p align="justify">Log file location: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\1.10.1.0\DscExtensionHandler.3.20150627-211133</p> <p align="justify"><font size="1">VERBOSE: [2015-06-27T21:11:42] File lock does not exist: begin processing <br />VERBOSE: [2015-06-27T21:11:42] File <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\DSCWork\2-Completed.Install.dsc exists; invoking extension <br />handler... 
<br />VERBOSE: [2015-06-27T21:11:43] Reading handler environment from <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\HandlerEnvironment.json <br />VERBOSE: [2015-06-27T21:11:44] Reading handler settings from <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\RuntimeSettings\3.settings <br />VERBOSE: [2015-06-27T21:11:47] Applying DSC configuration: <br />VERBOSE: [2015-06-27T21:11:47]     Sequence Number:              3 <br />VERBOSE: [2015-06-27T21:11:47]     Configuration Package URL:    <br /></font><a href="https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip"><font size="1">https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip</font></a> <br /><font size="1">VERBOSE: [2015-06-27T21:11:47]     ModuleSource:                 <br />VERBOSE: [2015-06-27T21:11:47]     Configuration Module Version: <br />VERBOSE: [2015-06-27T21:11:47]     Configuration Container:      MyDC.ps1 <br />VERBOSE: [2015-06-27T21:11:47]     Configuration Function:       MyDC (2 arguments) <br />VERBOSE: [2015-06-27T21:11:47]     Configuration Data URL:       <br /></font><a href="https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC-69d57a1f-2522-41d7-b5ac-3b635c63ba93.psd1"><font size="1">https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC-69d57a1f-2522-41d7-b5ac-3b635c63ba93.psd1</font></a> <br /><font size="1">VERBOSE: [2015-06-27T21:11:47]     Certificate Thumbprint:       FC89BDBF395EFC39EA3633BBDEAE9BB7AA7C475E <br />VERBOSE: [2015-06-27T21:11:47] Creating Working directory: <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\DSCWork\MyDC.ps1.3 <br />VERBOSE: [2015-06-27T21:11:48] Downloading configuration package <br />VERBOSE: [2015-06-27T21:11:48] Downloading <br /></font><a href="https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip?sv=2014-02-14&sr=b&sig=k38XoVn5%2Bn5P1UIMM8q"><font 
size="1">https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip?sv=2014-02-14&sr=b&sig=k38XoVn5%2Bn5P1UIMM8q</font></a> <br /><font size="1">mh9bc7YBD7Q5ZNV%2B5aqvP2xs%3D&se=2015-06-27T20%3A10%3A16Z&sp=rd to <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\DSCWork\MyDC.ps1.3\MyDC.ps1.zip <br />VERBOSE: [2015-06-27T21:11:48] An error occurred processing the configuration package; removing <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\DSCWork\MyDC.ps1.3 <br />VERBOSE: [2015-06-27T21:11:48] [ERROR] An error occurred downloading the Azure Blob: Exception calling "DownloadFile" with "2" <br />argument(s): "The remote server returned an error: (404) Not Found." <br />The Set-AzureVMDscExtension cmdlet grants access to the blobs only for 1 hour; have you exceeded that interval? <br />VERBOSE: [2015-06-27T21:11:49] Writing handler status to C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\Status\3.status <br />VERBOSE: [2015-06-27T21:11:49] Removing file lock</font> <br /> <br />The most interesting part:</p> <p align="justify">VERBOSE: [2015-06-27T21:11:48] [ERROR] <strong>An error occurred downloading the Azure Blob: Exception calling "DownloadFile" with "2" <br />argument(s): "The remote server returned an error: (404) Not Found." 
<br />The Set-AzureVMDscExtension cmdlet grants access to the blobs only for 1 hour; have you exceeded that interval?</strong></p> <p align="justify">I took the following URL from the log file: <a title="https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip?sv=2014-02-14&sr=b&sig=k38XoVn5%2Bn5P1UIMM8qmh9bc7YBD7Q5ZNV%2B5aqvP2xs%3D&se=2015-06-27T20%3A10%3A16Z&sp=rd" href="https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip?sv=2014-02-14&sr=b&sig=k38XoVn5%2Bn5P1UIMM8qmh9bc7YBD7Q5ZNV%2B5aqvP2xs%3D&se=2015-06-27T20%3A10%3A16Z&sp=rd">https://thvuystoragetest.blob.core.windows.net/windows-powershell-dsc/MyDC.ps1.zip?sv=2014-02-14&sr=b&sig=k38XoVn5%2Bn5P1UIMM8qmh9bc7YBD7Q5ZNV%2B5aqvP2xs%3D&se=2015-06-27T20%3A10%3A16Z&sp=rd</a></p> <p align="justify">Some googling turned up some results, but nothing relevant. I took the URL and copy-pasted it into a browser:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-61gi_h2x-OY/VZDUW_v8Z9I/AAAAAAAAC10/n2ElzIl5cVI/s1600-h/StorageContainerXMLChrome%25255B3%25255D.png"><img title="StorageContainerXMLChrome" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="StorageContainerXMLChrome" src="http://lh3.googleusercontent.com/--lerp-AIJpM/VZDUX4fZYhI/AAAAAAAAC18/p3F1FXa99Fc/StorageContainerXMLChrome_thumb%25255B1%25255D.png?imgmax=800" width="454" height="120" /></a></p> <p align="justify">It showed me an XML response stating: <em>BlobNotFound: The specified blob does not exist.</em> By accident I used an open Chrome instance, as I typically use IE. If I visited this URL using IE I simply got a page not found error. That’s probably something that can be tweaked in the IE settings, but still good to know. 
After seeing that error page I went to the Azure management portal:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-cHfxMEsxcH4/VZDUY6t5gyI/AAAAAAAAC2E/5UWJn6dQnVc/s1600-h/StorageContainer%25255B3%25255D.png"><img title="StorageContainer" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="StorageContainer" src="http://lh3.googleusercontent.com/-vT4PSLA-BJw/VZDUZ0Ay2eI/AAAAAAAAC2M/zARKGMHOAG0/StorageContainer_thumb%25255B1%25255D.png?imgmax=800" width="454" height="158" /></a></p> <p align="justify">I drilled down until I found my .ps1.zip file and copy-pasted its URL into a Notepad++ window:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-9BEh-NeJ9Mw/VZDUaozz6SI/AAAAAAAAC2U/FP6BF3puhxo/s1600-h/image%25255B6%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-YTzowpFWHS4/VZDUbdjD5OI/AAAAAAAAC2c/AqTC1IilupI/image_thumb%25255B2%25255D.png?imgmax=800" width="454" height="49" /></a></p> <p align="justify">As you can see, the only difference is the casing of “MyDC.ps1”… The URL in the log file is constructed by the Azure DSC extension. 
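Before looking at how the extension builds that URL, here is an added pre-flight check (example code written for this edit, not from the original post or from the Azure DSC extension): it compares the archive name you intend to pass to Set-AzureVMDscExtension with the blob names present in the container and tells a genuinely missing blob apart from a casing-only mismatch. The function name Test-BlobNameCasing and the sample blob listing are assumptions of this example; in a live check you would fill the list from Get-AzureStorageBlob.

```powershell
# Added example, not code from the original post. Azure Blob names are
# case-sensitive on the service side, while PowerShell's -eq operator is
# case-insensitive, which is how a casing mismatch hides in a script until the
# extension reports a 404. This check makes the mismatch visible up front.
# Assumption: $BlobNames comes from a container listing (e.g. Get-AzureStorageBlob);
# the list used at the bottom is constructed sample data mirroring the names in this post.

function Test-BlobNameCasing {
    param(
        [Parameter(Mandatory)][string]$ConfigurationArchive,
        [Parameter(Mandatory)][string[]]$BlobNames
    )

    # -ceq matches the way the blob service compares names; -eq does not, so it
    # finds the near misses that would produce BlobNotFound.
    $exact = @($BlobNames | Where-Object { $_ -ceq $ConfigurationArchive })
    $loose = @($BlobNames | Where-Object { $_ -eq  $ConfigurationArchive })

    if ($exact.Count -gt 0) {
        $status = 'Exact'
    } elseif ($loose.Count -gt 0) {
        $status = 'CaseMismatch'
    } else {
        $status = 'Missing'
    }

    [pscustomobject]@{
        Requested  = $ConfigurationArchive
        Status     = $status
        # Blob names that differ from the requested name only in casing.
        Candidates = @($loose | Where-Object { $_ -cne $ConfigurationArchive })
    }
}

# Constructed listing of the windows-powershell-dsc container (sample data).
$sampleBlobs = @(
    'myDC.ps1.zip',
    'MyDC-69d57a1f-2522-41d7-b5ac-3b635c63ba93.psd1',
    'DSC_SetTimeZone.ps1.zip'
)

# The casing used in the post's script versus the casing of the blob itself.
Test-BlobNameCasing -ConfigurationArchive 'MyDC.ps1.zip' -BlobNames $sampleBlobs
Test-BlobNameCasing -ConfigurationArchive 'myDC.ps1.zip' -BlobNames $sampleBlobs
```

Anything other than Status Exact should stop the deployment script before it calls Set-AzureVMDscExtension; the Candidates column then points straight at the name to correct, which saves the detour through the handler log and the browser.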
The extension builds that URL from the following PowerShell lines:</p> <div align="justify"> <pre style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px; font-family: Consolas; font-size: 10pt"># Archive name as I passed it to the extension; the blob in the container is actually named myDC.ps1.zip
$configurationArchive = "MyDC.ps1.zip"
$configurationName    = "MyDC"
$configurationData    = "C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\Final\myDC.psd1"

# $svcname, $vmname and $configurationArguments are set earlier in the script (not shown here)
$vm = Get-AzureVM -ServiceName $svcname -Name $vmname
$vm = Set-AzureVMDscExtension -VM $vm `
    -ConfigurationArchive $configurationArchive `
    -ConfigurationName $configurationName `
    -ConfigurationArgument $configurationArguments `
    -ConfigurationDataPath $configurationData

$vm | Update-AzureVM</pre> </div> <p align="justify">Updating my $configurationArchive to myDC.ps1.zip was all I needed to do to get this baby running.</p> <p align="justify"><strong><u>Summary</u></strong></p> <p align="justify"><strong>Whenever you create storage accounts, containers or blobs, make sure to watch out for case sensitivity. In my opinion an all-lower-case approach might be the best way forward.</strong></p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com0tag:blogger.com,1999:blog-62687483129304921.post-63026060417158741052015-06-26T07:53:00.001+02:002015-06-26T07:53:18.017+02:00Azure Billing Changes<p align="justify">A bit less technical for once, but a few days ago I noticed several announcements for billing-related changes that I thought were worth mentioning. And besides that, my personal test subscription got disabled once more because I ran out of credit… So what else is there to do? ; )</p> <p align="justify"><strong><u>Azure Billing Detailed Usage Change</u></strong></p> <p align="justify">Every time I talk to a customer who is new to Azure and is starting to get into IaaS, I explain how virtual machines are billed. Roughly there are 4 things to take into account:</p> <ul> <li> <div align="justify">Compute hours: depends on the uptime/tier </div> </li> <li> <div align="justify">Storage space consumed: the bigger the VM,…. </div> </li> <li> <div align="justify">Storage transactions: the more disk IO the VM performs, …. 
</div> </li> <li> <div align="justify">Network IO: “upload”/”download” where download is free </div> </li> </ul> <p align="justify">Now a lot of customers want, or foresee that they will want, to split the bill by the responsible department, project or another factor. Before the recent changes there were 2 ways to do this:</p> <ul> <li> <div align="justify">Separate subscriptions </div> </li> <li> <div align="justify">Creating your VMs on separate storage accounts/in separate cloud services </div> </li> </ul> <p align="justify">Personally I’m not too fond of the separate subscriptions idea. It will bring you overhead in terms of network connectivity, and the overall picture might become more difficult to see. I’m aware that there are definitely cases where you clearly want to give a group of people “full control” over “their” stuff and you want to be able to just send them the bill for everything they use. But in many cases I feel having many subscriptions will become a PITA to manage. What if your billing scheme changes and, instead of per department, you need a picture per application? Do you really want to tie your subscriptions to that?</p> <p align="justify">Now I’m more in favor of creating VMs in separate storage accounts and cloud services. Still not ideal if you have to restructure, but the impact should be less. 
Here’s how the detailed usage looked before June:</p> <table cellspacing="0" cellpadding="2" width="450" border="1"><tbody> <tr> <td valign="top" width="159"><strong>Type</strong></td> <td valign="top" width="149"><strong>Unit</strong></td> <td valign="top" width="140"><strong>Granularity</strong></td> </tr> <tr> <td valign="top" width="159">Networking</td> <td valign="top" width="149">Data Transfer In (GB)</td> <td valign="top" width="140">Cloud Service</td> </tr> <tr> <td valign="top" width="159">Networking</td> <td valign="top" width="149">Data Transfer Out (GB)</td> <td valign="top" width="140">Cloud Service</td> </tr> <tr> <td valign="top" width="159">Storage</td> <td valign="top" width="149">Standard IO – Page Blob/DISK (GB)</td> <td valign="top" width="140">Storage Account</td> </tr> <tr> <td valign="top" width="159">Virtual Machines</td> <td valign="top" width="149">Compute Hours</td> <td valign="top" width="140">Cloud Service\Tier</td> </tr> <tr> <td valign="top" width="159">Data Management</td> <td valign="top" width="149">Storage Transactions (in 10,000s)</td> <td valign="top" width="140">Storage Account</td> </tr> </tbody></table> <p align="justify">As you can see, Cloud Service and Storage Account are really important if you want to separate your resources. 
Now things have changed: both Networking and Compute now include the VM name (next to the Cloud Service):</p> <table cellspacing="0" cellpadding="2" width="450" border="1"><tbody> <tr> <td valign="top" width="150"><strong>Type</strong></td> <td valign="top" width="150"><strong>Unit</strong></td> <td valign="top" width="150"><strong>Granularity</strong></td> </tr> <tr> <td valign="top" width="150">Networking</td> <td valign="top" width="150">Data Transfer In (GB)</td> <td valign="top" width="150">Cloud Service (VM Name)</td> </tr> <tr> <td valign="top" width="150">Networking</td> <td valign="top" width="150">Data Transfer Out (GB)</td> <td valign="top" width="150">Cloud Service (VM Name)</td> </tr> <tr> <td valign="top" width="150">Storage</td> <td valign="top" width="150">Standard IO – Page Blob/DISK (GB)</td> <td valign="top" width="150">Storage Account</td> </tr> <tr> <td valign="top" width="150">Virtual Machines</td> <td valign="top" width="150">Compute Hours</td> <td valign="top" width="150">Cloud Service (VM Name)</td> </tr> <tr> <td valign="top" width="150">Data Management</td> <td valign="top" width="150">Storage Transactions (in 10,000s)</td> <td valign="top" width="150">Storage Account</td> </tr> </tbody></table> <p align="justify">So assigning VMs to cloud services is no longer an absolute requirement for building detailed bills. Other than that, there are two more new fields:</p> <ul> <li> <div align="justify">Resource Group</div> </li> <li> <div align="justify">Tags</div> </li> </ul> <p align="justify">Tags, as far as I know, are a V2 (Azure Resource Manager) feature. Resource groups are also available for V1 VMs. On my detailed usage overview the Resource Group column was empty, so it might be that this is only filled in for V2 resources. Once V2 resources are commonly used we’ll be able to add one or more tags to resources like VMs. This will greatly benefit Azure Automation and Azure Billing! 
You’ll be able to specify information that helps identify the VM, e.g. Environment: Dev/Test/Acceptance/Production or Department: HR/IT/Sales or …</p> <p align="justify"><u><strong>Enterprise Agreement: MSDN subscriptions</strong></u></p> <p align="justify">Something that has been available for a while: MSDN subscriptions under an Enterprise Agreement. If your company has an Azure agreement and your developers/IT Pros have an MSDN subscription, they are allowed to run machines at MSDN rates. These machines <u><strong>cannot</strong></u> belong to production! The advantage is pricing: Windows VMs run at the price of the equivalent Linux VM, and software available in the MSDN library is free (e.g. SQL). You can configure this on the EA portal: <a href="https://ea.azure.com">https://ea.azure.com</a></p> <p><a href="http://lh3.googleusercontent.com/-ZWpNaFWC5aA/VYzoye44xGI/AAAAAAAAC1Y/Ejy0Qt-kI-A/s1600-h/image%25255B3%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-y-sfhVTSxXY/VYzozJNNGjI/AAAAAAAAC1c/7yIibe4eva4/image_thumb%25255B1%25255D.png?imgmax=800" width="454" height="195" /></a></p> <p align="justify"><u><strong>Azure Billing API</strong></u></p> <p align="justify"><font style="style">In the past there was an API available for EA customers only. Luckily the new <strong>Azure Usage API (<a href="https://msdn.microsoft.com/en-us/library/azure/mt219001">MSDN</a>)</strong> and <strong>Azure RateCard API (<a href="https://msdn.microsoft.com/en-us/library/azure/mt219004">MSDN</a>)</strong> are available for all subscriptions! 
You can read more on these here: <a title="https://weblogs.asp.net/scottgu/new-azure-billing-apis-available" href="https://weblogs.asp.net/scottgu/new-azure-billing-apis-available">ScottGu: New Azure Billing APIs Available</a></font></p> <p align="justify"><strong><u>Side note</u></strong></p> <p align="justify">It’s a common practice to shut down VMs that are not being used in order to save Azure credits. The fewer hours a VM runs, the better. One thing I overlooked this month is the cost of the Azure VNET Gateway. I had been playing with a site-to-site VPN (between two Azure VNets) and this resulted in two Gateways burning quite some credit. So I’d say: keep an eye on those gateways! They can cost quite a lot.</p> <p><strong>Working with PowerShell DSC and Azure VM’s based on Windows 2012</strong> (Thomas, published 2015-06-17T17:37:00+02:00)</p><p align="justify">Mostly when I work with Azure VMs I do the actual VM creation using Azure PowerShell cmdlets. I like how you can have some template scripts that create VMs from beginning to end. Typically I create a static IP reservation, I join them to an AD domain, I add one or more additional disks, I add the Microsoft Antimalware extension… When the VM is provisioned I log on and I’m pretty much ready to go. One of the things I noticed is that the Time Zone was set to UTC where I like it to be GMT+1. Obviously this only requires two clicks, but I wanted this to be done for me. Now there are various approaches: either use traditional tooling like SCCM or GPO (is there a setting or registry key?), or do it the Azure way. As far as Azure is concerned I could create a custom VM image or use PowerShell DSC (Desired State Configuration).</p> <p align="justify">I prefer DSC over a custom image. 
The main reason is that I can apply these DSC customizations to whatever gallery image I feel like applying them to. If the SharePoint team wants to take the latest SharePoint image from the gallery, I can just apply my DSC over it. If there’s a more recent Windows 2012 R2 image, I can just throw my DSC against it and I’m ready to go.</p> <p align="justify">The following example shows how to apply a given DSC configuration to a VM.</p> <div style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px"><pre style="font-family: Consolas; font-size: 10pt">
# Name of the configuration archive published to the storage account, and of the
# Configuration inside it
$configurationArchive = "DSC_SetTimeZone.ps1.zip"
$configurationName = "SetTimeZone"
# Fetch the VM, add the DSC extension to its definition and push the updated definition
$VM = Get-AzureVM -ServiceName "contoso-svc" -Name "CONTOSO-SRV"
$VM = Set-AzureVMDSCExtension -VM $VM -ConfigurationArchive $configurationArchive -ConfigurationName $configurationName
$VM | Update-AzureVM
</pre></div> <p align="justify">Now I won’t go into all of the details, but here are some things I personally ran into.</p> <p align="justify"><u>Creating and Uploading the DSC configuration archive</u></p> <p align="justify">Initially I had some trouble 
wrapping my head around how to get my script to run on a target machine. I had this cool DSC script I found on the internet and tweaked it a bit:</p> <div style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px"><pre style="font-family: Consolas; font-size: 10pt">
001 #Requires -version 4.0
002 Configuration SetTimeZone
003 {
004     Param
005     (
006         #Target nodes to apply the configuration
007         [Parameter(Mandatory = $false)]
008         [ValidateNotNullorEmpty()]
009         [String]$SystemTimeZone="Romance Standard Time"
010     )
011 
012     Import-DSCResource -ModuleName xTimeZone
013 
014     Node localhost
015     {
016         xTimeZone TimeZoneExample
017         {
018             TimeZone = $SystemTimeZone
019         }
020     }
021 }
</pre></div> <p align="justify">This script depends on the xTimeZone DSC resource. As I already knew, those DSC resources, like xTimeZone, come in waves. Would my server have the latest version? Did I have to install that out of band? It seems not. All you need to do is create a configuration archive, a ZIP file, which contains both your script and the resource it depends on. The Azure cmdlets are an easy way to do this. They’ll also make sure all the dependent DSC resources are added to the package.</p> <p align="justify">We’ve got our script in c:\users\thomas\onedrive\documenten\work\blog\DSC. 
A few steps further on I’ll tell you where to store the DSC resources.</p> <p><a href="http://lh3.googleusercontent.com/-N7B_nhSMdc4/VYGUDo4z8WI/AAAAAAAACy8/UPBPP_O24Gk/s1600-h/DSC_1%25255B3%25255D.png"><img title="DSC_1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_1" src="http://lh3.googleusercontent.com/--hKu_u6UgUw/VYGUEgTJchI/AAAAAAAACzE/MFhRmQHJeqs/DSC_1_thumb%25255B1%25255D.png?imgmax=800" width="404" height="106" /></a></p> <p align="justify">By using the following command we can create and upload the package to the “setspn” storage account:</p> <div style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px"><pre style="font-family: Consolas; font-size: 10pt">
# Point the current subscription at the storage account that will hold the package
$subscriptionID = "af2f6ce8-e4f3-abcd-abcd-34ab4ce9c7d3"
$storageAccountName = "setspn"
Set-AzureSubscription -SubscriptionId $subscriptionID -CurrentStorageAccount $storageAccountName
# Zip the configuration script together with the DSC resources it imports and upload it
Publish-AzureVMDscConfiguration -ConfigurationPath C:\Users\Thomas\OneDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1
</pre></div> <p align="justify">We need to execute this from an Azure PowerShell prompt. I executed this command from a Windows 8.1 machine that is running PowerShell v4.</p> <p><a href="http://lh3.googleusercontent.com/-xlnM3ttCqhw/VYGUFcei4cI/AAAAAAAACzM/ZwaIMqSJVHo/s1600-h/DSC_2%25255B3%25255D.png"><img title="DSC_2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_2" src="http://lh3.googleusercontent.com/-K3oY5iw_oXE/VYGUGYg3ynI/AAAAAAAACzU/oYoL5KD3BRU/DSC_2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="142" /></a></p> <p align="justify">It seems to be complaining that we are running this from an x86 prompt instead of an x64 prompt. 
But the Azure PowerShell prompt is an x86 prompt… The error in words:</p> <p align="justify"><font size="1">Publish-AzureVMDscConfiguration : Configuration script 'C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZo <br />ne.ps1' contained parse errors: <br />At C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1:2 char:1 <br />+ Configuration SetTimeZone <br />+ ~~~~~~~~~~~~~ <br />Configuration is not supported in a Windows PowerShell x86-based console. Open a Windows PowerShell x64-based console, <br />and then try again. <br />At C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1:3 char:1 <br />+ { <br />+ ~ <br />Unexpected token '{' in expression or statement. <br />At C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1:21 char:1 <br />+ } <br />+ ~ <br />Unexpected token '}' in expression or statement. <br />At line:1 char:1</font> <br />The error is quite misleading. I tried the various “DSC” cmdlets, like Get-DSCResource, and they all failed saying that the cmdlet could not be found. So it seems I needed the WMF (Windows Management Framework) to be installed. Shame on me. 
Here’s some explanation of the prerequisites: <a title="https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d" href="https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d">TechNet Gallery: DSC Resource Kit (All Modules)</a> Using the WMF 5.0 installer got me further.</p> <p><a href="http://lh3.googleusercontent.com/-RRFJDbynUOU/VYGUG7JXxNI/AAAAAAAACzc/Nbip08T7WIk/s1600-h/DSC_2b%25255B3%25255D.png"><img title="DSC_2b" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_2b" src="http://lh3.googleusercontent.com/-47Yg_PdrKMM/VYGUH5-LhuI/AAAAAAAACzk/pOIfcVKOAgI/DSC_2b_thumb%25255B1%25255D.png?imgmax=800" width="404" height="44" /></a></p> <p>Now, on to creating the package again. Again an error…</p> <p><a href="http://lh3.googleusercontent.com/-6wO7g3ywIqs/VYGUI92ed7I/AAAAAAAACzs/jyNgyyvKPcw/s1600-h/DSC_3%25255B3%25255D.png"><img title="DSC_3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_3" src="http://lh3.googleusercontent.com/-BUta9wZDYp4/VYGUJVdbDJI/AAAAAAAACzw/adcYKCmE04Y/DSC_3_thumb%25255B1%25255D.png?imgmax=800" width="404" height="131" /></a></p> <p align="justify">Now it seems to complain that it can’t find the DSC resources… But I installed them?! The error in words:</p> <p align="justify"><font size="1">VERBOSE: Parsing configuration script: C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1 <br />VERBOSE: Loading module from path 'C:\Program Files <br />(x86)\WindowsPowerShell\Modules\xTimeZoneSource\DSCResources\xTimeZone\xTimeZone.psm1'. 
<br />Publish-AzureVMDscConfiguration : Configuration script 'C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZo <br />ne.ps1' contained parse errors: <br />At C:\Users\Thomas\SkyDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1:16 char:9 <br />+         xTimeZone TimeZoneExample <br />+         ~~~~~~~~~ <br />Undefined DSC resource 'xTimeZone'. Use Import-DSCResource to import the resource. <br />At line:1 char:1</font> <br />After some googling I found out that the PowerShell prompt imports the modules it finds via its PATH variable. As we are running from an x86 prompt, the folder that was loaded was a different one. Typically all DSC guides tell you to install DSC resources below C:\Program Files\WindowsPowerShell\Modules, but in fact for the Azure PowerShell prompt you need to put them in C:\Program Files (x86)\WindowsPowerShell\Modules, or you have to modify your PATH variable to include the x64 location…. I chose to copy the module to the x86 location:</p> <p><a href="http://lh3.googleusercontent.com/-6VVVoxOkkgU/VYGUJqyzCOI/AAAAAAAACz4/4nJv7_qyXWk/s1600-h/DSC_3c%25255B3%25255D.png"><img title="DSC_3c" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_3c" src="http://lh3.googleusercontent.com/-C149UeNYZBc/VYGUKSXqubI/AAAAAAAAC0E/4SboFbN7Rzc/DSC_3c_thumb%25255B1%25255D.png?imgmax=800" width="404" height="172" /></a></p> <p align="justify">And all seems fine now:</p> <p><a href="http://lh3.googleusercontent.com/-dQrvVp4Fv3o/VYGULAYSw5I/AAAAAAAAC0M/_i6l1av312c/s1600-h/DSC_4%25255B3%25255D.png"><img title="DSC_4" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="DSC_4" 
src="http://lh3.googleusercontent.com/-XtWkwZ0XOs8/VYGULzHLmDI/AAAAAAAAC0Q/Il8SLF4iPYk/DSC_4_thumb%25255B1%25255D.png?imgmax=800" width="404" height="79" /></a></p> <p><u>Applying the DSC to a Windows 2012 VM</u></p> <p>The DSC script I created worked fine on a newly installed Windows 2012 R2 VM, but on a Windows 2012 VM the extension seemed to have trouble. Now that wasn’t supposed to happen… The good thing about the Azure DSC extension is that the logging is quite decent. Inside the VM you can find some log files in the following location: C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\1.10.1.0</p> <p>The following extract comes from the DscExtensionHandler log file:</p> <p>VERBOSE: [2015-05-28T21:43:17] Applying DSC configuration: <br />VERBOSE: [2015-05-28T21:43:17]     Sequence Number:              0 <br />VERBOSE: [2015-05-28T21:43:17]     Configuration Package URL:    <br /><a href="https://setspn.blob.core.windows.net/windows-powershell-dsc/DSC_SetTimeZone.ps1.zip">https://setspn.blob.core.windows.net/windows-powershell-dsc/DSC_SetTimeZone.ps1.zip</a> <br />VERBOSE: [2015-05-28T21:43:17]     ModuleSource:                 <br />VERBOSE: [2015-05-28T21:43:17]     Configuration Module Version: <br />VERBOSE: [2015-05-28T21:43:17]     Configuration Container:      DSC_SetTimeZone.ps1 <br />... <br />VERBOSE: [2015-05-28T21:44:27] [ERROR] Importing module xTimeZone failed with error - File C:\Program <br />Files\WindowsPowerShell\Modules\xTimeZone\DscResources\xTimeZone\xTimeZone.psm1 cannot be loaded because running scripts is <br />disabled on this system. For more information, see about_Execution_Policies at <a href="http://go.microsoft.com/fwlink/?LinkID=135170">http://go.microsoft.com/fwlink/?LinkID=135170</a>.</p> <p align="justify">Now that’s a pretty well-known message… Bummer. It seems the execution policy on the Windows 2012 machine is set to <strong>restricted</strong>. Now there’s a way around that. 
Scripts could be executed with the option “-executionpolicy bypass”, but we can’t control that, as the DSC extension is responsible for launching them. Kind of a bummer. The Windows 2012 R2 image seems to have RemoteSigned as its default execution policy…</p> <p align="justify">Now this got me curious. Would the <em>run PowerShell script</em> extension also suffer from this? If it doesn’t, I could have a small PowerShell script execute first that alters the execution policy!</p> <div style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px"><pre style="font-family: Consolas; font-size: 10pt">
# One-liner run inside the VM: RemoteSigned lets locally stored (unsigned) DSC resource modules load
Set-ExecutionPolicy remotesigned
</pre></div> <p align="justify">I created a PowerShell script with this line in it, saved it to disk and then used <a href="https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/">AzCopy</a> to copy it to a container in a storage account. 
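</p> <p align="justify">The whole procedure from this post scripted end to end, as an added example that is not the post’s own code: pre-flight checks for the three pitfalls above (x86 prompt, missing WMF, DSC resource not on this console’s module path), publishing the archive, and, for a Windows 2012 VM, running the execution policy script through the Custom Script Extension before the DSC extension. It assumes the classic (service management) Azure PowerShell cmdlets used in the post and the names from the post; the container name “scripts”, the blob name “Set-ExecPolicy.ps1”, the hashtable form of -ConfigurationArgument and the ResourceExtensionStatusList property names are assumptions.</p>

```powershell
#Requires -Version 4.0
<#
  Added example, not the post's own code. Run from the Azure PowerShell console on
  the admin workstation. Drives the full flow of the post: pre-flight checks,
  Publish-AzureVMDscConfiguration, Custom Script Extension (execution policy),
  DSC extension. Assumptions are marked in comments.
#>
param(
    [string]$SubscriptionId     = "af2f6ce8-e4f3-abcd-abcd-34ab4ce9c7d3",   # from the post
    [string]$StorageAccountName = "setspn",                                 # from the post
    [string]$ServiceName        = "contoso-svc",                            # from the post
    [string]$VMName             = "CONTOSO-SRV",                            # from the post
    [string]$ConfigurationPath  = "C:\Users\Thomas\OneDrive\Documenten\Work\Blog\DSC\DSC_SetTimeZone.ps1",
    [string]$ScriptContainer    = "scripts",                                # assumption
    [string]$TimeZone           = "Romance Standard Time"
)

function Test-DscPublishPrerequisites {
    # Pitfall 1 (x86 vs x64): the console architecture decides which Modules folder
    # is on the module path, so report it before anything else.
    $arch = if ([Environment]::Is64BitProcess) { "x64" } else { "x86" }
    Write-Host "Console: $arch, PowerShell $($PSVersionTable.PSVersion)"
    # Pitfall 2 (WMF missing): the DSC cmdlets only exist once WMF 4.0+ is installed;
    # without them the 'Configuration' keyword fails with the misleading x86 error.
    if (-not (Get-Command Get-DscResource -ErrorAction SilentlyContinue)) {
        throw "Get-DscResource not found: install the Windows Management Framework first."
    }
    # Pitfall 3 (resource not found): an x86 console looks in 'Program Files (x86)',
    # an x64 console in 'Program Files'. Mirror the post's fix: copy xTimeZone over.
    if (-not (Get-DscResource -Name xTimeZone -ErrorAction SilentlyContinue)) {
        $x64Module  = Join-Path $env:ProgramW6432 "WindowsPowerShell\Modules\xTimeZone"
        $x86Modules = Join-Path ${env:ProgramFiles(x86)} "WindowsPowerShell\Modules"
        if ($arch -eq "x86" -and (Test-Path $x64Module)) {
            Write-Host "xTimeZone only present in the x64 module folder, copying it to $x86Modules"
            Copy-Item -Path $x64Module -Destination $x86Modules -Recurse -Force   # needs admin rights
        }
        if (-not (Get-DscResource -Name xTimeZone -ErrorAction SilentlyContinue)) {
            throw ("xTimeZone still not found. Module folders searched:`n" + ($env:PSModulePath -replace ";", "`n"))
        }
    }
}

function Publish-TimeZoneConfiguration {
    Set-AzureSubscription -SubscriptionId $SubscriptionId -CurrentStorageAccount $StorageAccountName
    # Zips the script plus every module it imports and uploads it to the
    # 'windows-powershell-dsc' container of the current storage account (as in the post).
    Publish-AzureVMDscConfiguration -ConfigurationPath $ConfigurationPath -Force -Verbose
}

function Wait-AzureVMExtension {
    # Update-AzureVM returns once the role update is accepted, not when the guest has
    # finished running the extension. Poll the status list (property names as exposed by
    # Get-AzureVM in the classic cmdlets: assumption) until the handler reports Ready.
    param([string]$HandlerName, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $vm  = Get-AzureVM -ServiceName $ServiceName -Name $VMName
        $ext = $vm.ResourceExtensionStatusList | Where-Object { $_.HandlerName -eq $HandlerName }
        Write-Host "$HandlerName status: $($ext.Status)"
    } until ($ext.Status -eq "Ready" -or (Get-Date) -gt $deadline)
    if ($ext.Status -ne "Ready") { throw "$HandlerName did not reach Ready within $TimeoutMinutes minutes." }
}

function Set-VMExecutionPolicyViaExtension {
    param($VM)
    # The Custom Script Extension launches "powershell -ExecutionPolicy Unrestricted -file <script>"
    # (see the post's log), so it runs even where a Restricted policy blocks the DSC extension.
    # RemoteSigned, not Unrestricted: the least permissive policy that still loads the local modules.
    $scriptName = "Set-ExecPolicy.ps1"                                      # assumption
    $localPath  = Join-Path $env:TEMP $scriptName
    "Set-ExecutionPolicy RemoteSigned -Force" | Set-Content -Path $localPath
    if (-not (Get-AzureStorageContainer -Name $ScriptContainer -ErrorAction SilentlyContinue)) {
        New-AzureStorageContainer -Name $ScriptContainer -Permission Off | Out-Null
    }
    # Upload with the storage cmdlets (the post used AzCopy for this step)
    Set-AzureStorageBlobContent -File $localPath -Container $ScriptContainer -Blob $scriptName -Force | Out-Null
    $VM = Set-AzureVMCustomScriptExtension -VM $VM -ContainerName $ScriptContainer -FileName $scriptName -Run $scriptName
    $VM | Update-AzureVM | Out-Null
    Wait-AzureVMExtension -HandlerName "Microsoft.Compute.CustomScriptExtension"
}

function Set-VMTimeZoneViaDsc {
    param($VM)
    $VM = Set-AzureVMDSCExtension -VM $VM -ConfigurationArchive "DSC_SetTimeZone.ps1.zip" `
            -ConfigurationName "SetTimeZone" `
            -ConfigurationArgument @{ SystemTimeZone = $TimeZone }          # hashtable form: assumption
    $VM | Update-AzureVM | Out-Null
    Wait-AzureVMExtension -HandlerName "Microsoft.Powershell.DSC"
}

# --- main flow ---
Test-DscPublishPrerequisites
Publish-TimeZoneConfiguration
$vm = Get-AzureVM -ServiceName $ServiceName -Name $VMName
if (-not $vm) { throw "VM '$VMName' not found in cloud service '$ServiceName'." }
Set-VMExecutionPolicyViaExtension -VM $vm
# Re-read the VM so the DSC extension is added to the current role definition
Set-VMTimeZoneViaDsc -VM (Get-AzureVM -ServiceName $ServiceName -Name $VMName)
Write-Host "Done. On the VM, check C:\WindowsAzure\Logs\Plugins\Microsoft.Powershell.DSC\<version> for the DSC log."
```

<p align="justify">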
Executing the script:</p> <p><a href="http://lh3.googleusercontent.com/-rXdtFrDKcbg/VYGUMUhdMBI/AAAAAAAAC0c/YYgkFQcR_O0/s1600-h/DSC_ExecScript3.png"><img title="DSC_ExecScript" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="DSC_ExecScript" src="http://lh3.googleusercontent.com/-Wx5wRcgFwaU/VYGUM8bgiyI/AAAAAAAAC0k/gWG3JFtveJA/DSC_ExecScript_thumb1.png?imgmax=800" width="404" height="102" /></a></p> <p align="justify">After executing it I can confirm that the execution policy has changed:</p> <p><a href="http://lh3.googleusercontent.com/-ZeQbZ_q2LbM/VYGUN-YHcsI/AAAAAAAAC0s/SXuIZDqulcw/s1600-h/ExecPol3.png"><img title="ExecPol" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="ExecPol" src="http://lh3.googleusercontent.com/-TIKbJUOV15g/VYGUOeZiBeI/AAAAAAAAC00/_6203qy0mIY/ExecPol_thumb1.png?imgmax=800" width="404" height="92" /></a></p> <p align="justify">The logging for this extension can be found here: C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.4. From the log file we can see that the PowerShell script extension runs scripts in a more robust way:</p> <p>2015-05-28T21:36:58.7646763Z    [Info]:    HandlerSettings = ProtectedSettingsCertThumbprint: , ProtectedSettings: {}, PublicSettings: {FileUris: [<a href="https://storaccount.blob.core.windows.net/windows-powershell-dsc/test.ps1?sv=2014-02-14&sr=b&sig=eijcTn9I2kWuOPU1CK%2F9zQ3tAO1NIUrs8wT2gUE8z0o%3D&se=2015-05-29T21%3A07%3A00Z&sp=r]">https://storaccount.blob.core.windows.net/windows-powershell-dsc/test.ps1?sv=2014-02-14&sr=b&sig=eijcTn9I2kWuOPU1CK%2F9zQ3tAO1NIUrs8wT2gUE8z0o%3D&se=2015-05-29T21%3A07%3A00Z&sp=r]</a>, CommandToExecute: powershell -ExecutionPolicy 
Unrestricted -file test.ps1 }</p> <p align="justify">As you can see, this script is called with the execution policy specified explicitly. Now we’ll be able to apply our DSC extension.</p> <p><a href="http://lh3.googleusercontent.com/-axxWpEl2IJE/VYGUOzuMKSI/AAAAAAAAC08/Q_A32qUKz08/s1600-h/DSC_ExecDSC4.png"><img title="DSC_ExecDSC" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="DSC_ExecDSC" src="http://lh3.googleusercontent.com/-1jz42y3YYD0/VYGUQAffXGI/AAAAAAAAC1E/bUd2avbFoak/DSC_ExecDSC_thumb2.png?imgmax=800" width="404" height="132" /></a></p> <p>And the log file contents:</p> <p>VERBOSE: [2015-05-29T00:00:00] Import script as new module: <br />C:\Packages\Plugins\Microsoft.Powershell.DSC\1.10.1.0\bin\..\DSCWork\DSC_SetTimeZone.ps1.1\DSC_SetTimeZone.ps1 <br />... <br />VERBOSE: [2015-05-29T00:00:12] Executing Start-DscConfiguration... <br />... <br />VERBOSE: [2015-05-29T00:00:20] [SRV2012]: LCM:  [ Start  Set      ] <br />VERBOSE: [2015-05-29T00:00:22] [SRV2012]: LCM:  [ Start  Resource ]  [[xTimeZone]TimeZoneExample] <br />VERBOSE: [2015-05-29T00:00:22] [SRV2012]: LCM:  [ Start  Test     ]  [[xTimeZone]TimeZoneExample] <br />VERBOSE: [2015-05-29T00:00:22] [SRV2012]: LCM:  [ End    Test     ]  [[xTimeZone]TimeZoneExample]  in 0.1100 seconds. <br />...</p> <p align="justify"><u>Conclusion</u></p> <p align="justify">Configuring the time zone using DSC might be a bit overkill. But it’s an excellent exercise to get the hang of this DSC stuff. For a good resource on DSC check this <a href="https://twitter.com/tvuylsteke/status/606349117128908800">tweet</a> from me. I myself plan to create more DSC scripts in the near future. I tear VMs up and down all the time. 
I would love to have a DSC configuration that creates a Windows AD domain for me, a Microsoft Identity Manager installation, a ….</p> <p><strong>Federating ADFS with the Belnet Federation</strong> (Thomas, published 2015-06-08T22:46:00+02:00)</p><p align="justify"><img style="float: left; display: inline" alt="logo_federation" src="http://federation.belnet.be/themes/belnet/images/style/logo_belnet_fed_and_base.png" width="127" align="left" height="149" />The <a href="http://federation.belnet.be/node/8">Belnet federation</a> is a federation that a lot of Belgian educational or education-related institutions have joined. I’m currently involved in a POC at one of these institutions. Here’s the situation we started from: they have an Active Directory domain for their employees, and are part of the Belnet federation through a Shibboleth server which is configured as an IDP with their AD. Basically this means that for certain services hosted on the Belnet federation, they can choose to log in using their AD credentials through the Shibboleth server.</p> <p align="justify">Now they want to host a service themselves. They would like to provide users outside of their organization access to that service, a SharePoint farm. These users will have an account at one of the institutions federated with Belnet. After some research it became clear to us that we would need an ADFS instance to act as a protocol bridge between SAML and WS-FED, since SharePoint does not natively speak SAML. Now the next question: how do we get Belnet to trust our ADFS instance, and how do we get our ADFS instance to trust the IDPs that are part of the Belnet federation?</p> <p align="justify">These are two different problems and both need to be addressed in order for authentication to succeed. We need to find out how we can let Belnet trust our ADFS instance. 
But first we zoom in on the part where we try to trust the IDPs in the Belnet federation. This federation has over 20 IDPs in it and its metadata is available at the following URL: <a title="Metadata XML file - Official Belnet federation" href="https://federation.belnet.be/federation-metadata.xml">Metadata XML file - Official Belnet federation</a> From my first contacts with the people responsible for this federation I heard that it would be hard to get ADFS to “talk” to this federation. They mentioned that ADFS does speak SAML, but not all SAML specifications are supported. One of the things that ADFS cannot handle is creating a claims provider trust based upon a metadata file which contains multiple IDPs. And guess what this Belnet metadata file contains…</p> <p align="justify">Some research led me to the concept of federation trust topologies. Suppose you have two partners who want to expose their Identity Provider so that their users can authenticate at services hosted by either partner. In the Microsoft world one typically configures the partner’s ADFS instance as a claims provider trust, and on the partner’s side the other way round: your ADFS instance as a relying party trust. And that’s it. But what happens if you want to federate with 3 parties? Now each party has to add two claims provider trusts. And what happens when a new organization joins the federation? Each organization that is already active in the federation has to exchange metadata and add the new organization. As the number of partners in the federation grows you can see that the Microsoft approach scales badly for this…</p> <p align="justify">Now after reading up a bit on this subject I learned that there are two types of topologies: full mesh and proxy based. 
In the proxy approach each party federates with the proxy and the proxy remains in the middle for authentication requests. In the full mesh topology each party federates with every other party. As I explained above, a full mesh approach scales badly. The Belnet setup is mostly based upon Shibboleth and each Shibboleth server gets updated automatically whenever an additional IDP or SP is added to the federation. So Belnet is only responsible for distributing the federation partner information to each member. So I came up with the following idea: <strong>If I were to take the Belnet XML file and chop it into multiple IDP XML files, I could add those one by one to the ADFS configuration</strong>. I got this idea here: <a title="https://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx" href="https://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx">Technet (Incommon Federation): Use FEMMA to import IDPs</a></p> <p align="justify">Here’s a schematic view of the Federation Metadata exchanges. It might make things a bit clearer. 
On the schema you’ll see the Shibboleth server, but in fact, for the SharePoint/ADFS instance it’s irrelevant.</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-EUtyj0YTFFE/VXX_w3g9_AI/AAAAAAAACyg/dvZM0CuyQWU/s1600-h/belnet%25255B7%25255D.png"><img title="belnet" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="belnet" src="http://lh3.googleusercontent.com/-lvEBgWslNU8/VXX_xV9EVmI/AAAAAAAACyk/Co6-VFXe2SA/belnet_thumb%25255B3%25255D.png?imgmax=800" width="454" height="409" /></a></p> <p><u><strong>Adding Belnet IDPs to ADFS</strong></u></p> <p align="justify">Search the Belnet federation XML file for something recognizable, like part of the DNS domain (vub.ac.be) or (part of) the name of the IDP (Brussel). Once you have found the right entry, we need everything belonging to this IDP that sits between its <b>EntityDescriptor</b> tags. So you should have something like this:</p> <pre style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px; font-family: Consolas; font-size: 10pt"><EntityDescriptor entityID="https://idp.vub.ac.be/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    …
    <GivenName>Technical Support</GivenName>
    <SurName>Technical Support</SurName>
    <EmailAddress>support@vub.ac.be</EmailAddress>
    </ContactPerson>
</EntityDescriptor></pre> <p align="justify">Copy this to a separate file and save it as FederationMetadata_VUB.xml</p> <p align="justify">Now go to the ADFS management console and add a claims provider trust.</p> <p><a href="http://lh3.googleusercontent.com/-WtO3pT0ydUw/VXX_CEIp-DI/AAAAAAAACxc/hwYaI9aSm40/s1600-h/image19.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-TkEeymZ6TTg/VXX_CRYNtII/AAAAAAAACxk/OIeCpAhb2Wk/image_thumb7.png?imgmax=800" width="454" height="115" /></a></p> <p>When asked, provide the XML file we just created. When you’re done, change the Signature hash algorithm. You can find this on the Advanced tab of the trust’s properties. 
This might differ from trust to trust and you can try without changing it, but if your authentication results in an error, check your ADFS event logs and if necessary change this setting.</p> <p><a href="http://lh3.googleusercontent.com/-NJKQgIPPoCw/VXX_CytbUTI/AAAAAAAACxs/L7z1-QZNrPk/s1600-h/image23.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-tMTAxIKBa7U/VXX_DcpMVqI/AAAAAAAACx0/3IooMpEIlLc/image_thumb9.png?imgmax=800" width="354" height="404" /></a></p> <p>The error:</p> <p><a href="http://lh3.googleusercontent.com/-EiZC7zl-hR8/VXX_DgZFBII/AAAAAAAACyA/nys2lF6DWfo/s1600-h/image27.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-nDqc_rA6vPI/VXX_EVuQtMI/AAAAAAAACyE/Sls7mfxzG8g/image_thumb11.png?imgmax=800" width="454" height="124" /></a></p> <p align="justify">In words:</p> <p align="justify"><em>Authentication Failed. The token used to authenticate the user is signed using a weaker signature algorithm than expected.</em></p> <p align="justify">And that’s it. Repeat for any other IDPs you care about. Depending on the number of IDPs this is a task you may or may not want to script. The <a href="https://technet.microsoft.com/en-us/library/gg317734(v=ws.10).aspx">InCommon federation guide</a> contains a script written in Python which provides similar functionality.</p> <p align="justify"><u><strong>Adding your ADFS as SP to the Belnet Federation</strong></u></p> <p align="justify">Now the first part seemed easy. 
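</p>
<p align="justify">The cutting and pasting of the previous section can be scripted. The block below is an added example, not the author’s procedure, not the InCommon FEMMA script and not ADFS code: it reads an aggregate federation metadata file, keeps only the EntityDescriptor elements that carry an IDPSSODescriptor and hands each one back as a standalone document that the claims provider trust wizard can take. The aggregate it runs on is constructed inline with placeholder entity IDs and placeholder certificate blobs; only the SAML namespace URIs are real. It also records a SHA-256 fingerprint of each IDP’s signing certificate, because the copies you import never refresh themselves and diffing fingerprints against a fresh download is the cheapest way to notice that an IDP rolled its key.</p>

```python
"""Split an aggregate SAML federation metadata file into one file per IDP.

Added example: not the blog's manual procedure, not the InCommon FEMMA script
and not ADFS code. It cuts every EntityDescriptor that carries an
IDPSSODescriptor out of the aggregate EntitiesDescriptor. Standard library only;
the aggregate below is constructed with placeholder entity IDs and placeholder
certificate blobs, only the namespace URIs are real.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from pathlib import Path

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Keep the conventional prefixes in the output instead of ET's generated ns0/ns1.
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Placeholder blobs standing in for DER certificates (constructed, not real keys).
CERT_ALPHA = base64.b64encode(b"placeholder-cert-alpha").decode()
CERT_BETA = base64.b64encode(b"placeholder-cert-beta").decode()

# Constructed aggregate: two IDPs and one SP in the layout of a federation feed.
SAMPLE_AGGREGATE = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}" Name="urn:mace:example-federation">
  <EntityDescriptor entityID="https://idp.alpha.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{CERT_ALPHA}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://idp.alpha.example/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.gamma.example/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://sp.gamma.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.beta.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{CERT_BETA}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def split_idps(aggregate_xml, match=""):
    """Return {entityID: standalone XML text} for every IDP in the aggregate.

    Entities without an IDPSSODescriptor (the SPs) are skipped; `match` narrows
    the result to entityIDs containing that substring ("search for vub.ac.be").
    """
    root = ET.fromstring(aggregate_xml)
    idps = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID", "")
        if entity.find(f"{{{MD}}}IDPSSODescriptor") is None:
            continue
        if match and match not in entity_id:
            continue
        # tostring() re-declares the namespaces the subtree uses, so the fragment
        # is a complete document of its own, which is what the ADFS wizard needs.
        idps[entity_id] = ET.tostring(entity, encoding="unicode")
    return idps


def signing_cert_fingerprints(entity_xml):
    """SHA-256 hex fingerprints of the X509Certificate blobs in one entity.

    Store these with the imported copy; when a fresh download yields a different
    value, that IDP rolled its certificate and its trust in ADFS needs updating.
    """
    entity = ET.fromstring(entity_xml)
    fingerprints = []
    for cert in entity.iter(f"{{{DS}}}X509Certificate"):
        der = base64.b64decode("".join((cert.text or "").split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def file_name_for(entity_id):
    """FederationMetadata_<entityID>.xml with unsafe characters replaced by '_'."""
    safe = re.sub(r"[^A-Za-z0-9.-]+", "_", entity_id).strip("_")
    return f"FederationMetadata_{safe}.xml"


def write_idp_files(aggregate_xml, out_dir, match=""):
    """Write one file per IDP into out_dir; returns the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for entity_id, xml_text in split_idps(aggregate_xml, match).items():
        path = out / file_name_for(entity_id)
        path.write_text(xml_text, encoding="utf-8")
        written.append(str(path))
    return written


if __name__ == "__main__":
    for entity_id, xml_text in split_idps(SAMPLE_AGGREGATE).items():
        print(file_name_for(entity_id), signing_cert_fingerprints(xml_text))
```

<p align="justify">Chopping the file also discards any signature the federation puts over the aggregate: a per-IDP fragment cannot be verified against it. So fetch the aggregate over TLS, verify it first if it is signed, and keep the original next to the fragments you import.</p>
<p align="justify">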
We had to do some cutting and pasting, but for a smaller number of IDPs this seems doable. Now we have to ensure all involved IDPs trust our ADFS server. In the worst case we have to contact them one by one and exchange information. But that would mean we’re not benefiting from the Belnet federation. Our goal is to have our ADFS trusted by Belnet, which will ensure all Belnet partners trust our ADFS instance. This way we only have to exchange information with one party, which simplifies the process a lot!</p> <p align="justify">First we need the Federation Metadata from the ADFS instance: <a href="https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml">https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml</a></p> <p align="justify">Then we need to edit it a bit so that the Belnet application that manages the metadata is capable of parsing the file we give it. Therefore we’ll remove the blocks we don’t need or that the tooling at Belnet is not compatible with:</p> <ul> <li>Signature block: <Signature>…</Signature> </li> <li>WS-FED stuff: <RoleDescriptor xsi:type="fed:ApplicationServiceType" …> … </RoleDescriptor> </li> <li>Some more WS-FED stuff: <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" …> … </RoleDescriptor> </li> <li>SAML IDP stuff, not necessary as we’re playing SP: <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> … </IDPSSODescriptor> </li> </ul> <p>We also need to add some contact information:</p> <p>There should be a block present that looks like this: <ContactPerson contactType="support"/></p> <p>Replace it with:</p> <pre style="overflow: auto; border: black 1px solid; width: 450px; padding: 5px; font-family: Consolas; font-size: 10pt"><Organization>
    <OrganizationName xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">Contoso</OrganizationName>
    <OrganizationDisplayName xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">Contoso Corp</OrganizationDisplayName>
    <OrganizationURL xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">http://www.contoso.com</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
    <GivenName>Thomas</GivenName>
    <SurName>Vuylsteke</SurName>
    <EmailAddress>adfs.admin@contoso.com</EmailAddress>
</ContactPerson></pre> <p align="justify">Now you’re ready to upload your modified metadata at Belnet: <a href="https://idpcustomer.belnet.be/idp/Authn/UserPassword">https://idpcustomer.belnet.be/idp/Authn/UserPassword</a></p> <p align="justify">After some time you’ll be able to log on using the IDPs you configured. Pretty cool eh! Authentication will rely on the trusts shown below:</p> <p align="justify"><a href="http://lh3.googleusercontent.com/-rT60xnbN3iE/VXX_E4ywfII/AAAAAAAACyM/ncg0nF_uPJw/s1600-h/belnetAu%25255B3%25255D.png"><img title="belnetAu" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="belnetAu" src="http://lh3.googleusercontent.com/-s9bUlok4zxg/VXX_FpUltrI/AAAAAAAACyU/zeyER86buT0/belnetAu_thumb%25255B1%25255D.png?imgmax=800" width="454" height="336" /></a></p> <p align="justify">Some remarks:</p> <p align="justify"><strong>Scoping:</strong> once you trust several IDPs like this, you might be interested in a way to limit the users to the ones your organization works with. The customer I implemented this for has an overview of all users in their Active Directory. So we allow the user to log on at their IDP, but we have ADFS authorization rules that only issue a permit claim when we find the user as an enabled AD user in the customer AD. These users are there for legacy reasons and can now be seen as some form of ghost accounts.</p> <p align="justify"><strong>Certificates:</strong> the manual nature of the above procedure also means you have to keep the certificates up to date manually! If the IDP starts using another certificate you have to update that IDP-specific information. If you change your certificates on the ADFS instance you have to contact Belnet again and have your metadata updated. Luckily most IDPs in the Belnet federation have expiration dates far away in the future. But not all of them. 
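</p>
<p align="justify">The edits to the ADFS metadata listed above (drop the Signature, both WS-Federation RoleDescriptors and the IDPSSODescriptor, then replace the empty support contact with an Organization block and a technical contact) are mechanical, and since the file has to be redone after every certificate change on the ADFS side they are worth scripting. The block below is an added example, not Belnet’s tooling and not ADFS code; it runs on a constructed stand-in for FederationMetadata.xml that has the same element layout as the real file but placeholder contents. The organization and contact values are the ones from the snippet above.</p>

```python
"""Trim ADFS FederationMetadata.xml to what a SAML-only federation registrar accepts.

Added example, not Belnet's tooling and not ADFS code: it applies the edits listed
above (drop the Signature, both WS-Federation RoleDescriptors and the
IDPSSODescriptor, then swap the empty support ContactPerson for an Organization
block and a technical contact). Standard library only; the input below is a
constructed stand-in for the real file with the same element layout.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XML_NS = "http://www.w3.org/XML/1998/namespace"

for prefix, uri in (("md", MD), ("ds", DS), ("xsi", XSI), ("fed", FED)):
    ET.register_namespace(prefix, uri)

# Elements the registrar's tooling does not accept.
DROP = (f"{{{DS}}}Signature", f"{{{MD}}}RoleDescriptor", f"{{{MD}}}IDPSSODescriptor")

# Constructed stand-in for https://sts.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
SAMPLE_ADFS_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" xmlns:xsi="{XSI}" xmlns:fed="{FED}"
    ID="_placeholder-id" entityID="http://sts.contoso.com/adfs/services/trust">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <fed:TokenTypesOffered/>
  </RoleDescriptor>
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://sts.contoso.com/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sts.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
  <ContactPerson contactType="support"/>
</EntityDescriptor>
"""


def _lang_elem(tag, text):
    """<md:tag xml:lang="en">text</md:tag>; ET emits the xml prefix without declaring it."""
    el = ET.Element(f"{{{MD}}}{tag}", {f"{{{XML_NS}}}lang": "en"})
    el.text = text
    return el


def prepare_sp_metadata(adfs_xml, org_name, org_display, org_url, given, surname, email):
    """Return the trimmed metadata as text, ready for upload to the registrar."""
    root = ET.fromstring(adfs_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("input is not a SAML EntityDescriptor")
    # 1) remove the blocks the registrar cannot parse (copy the list: we mutate root)
    for child in list(root):
        if child.tag in DROP:
            root.remove(child)
    # 2) the empty support contact goes; Organization must precede ContactPerson in
    #    the metadata schema, so both are appended in that order at the end
    for child in [c for c in root if c.tag == f"{{{MD}}}ContactPerson"]:
        root.remove(child)
    org = ET.SubElement(root, f"{{{MD}}}Organization")
    org.append(_lang_elem("OrganizationName", org_name))
    org.append(_lang_elem("OrganizationDisplayName", org_display))
    org.append(_lang_elem("OrganizationURL", org_url))
    contact = ET.SubElement(root, f"{{{MD}}}ContactPerson", {"contactType": "technical"})
    for tag, text in (("GivenName", given), ("SurName", surname), ("EmailAddress", email)):
        ET.SubElement(contact, f"{{{MD}}}{tag}").text = text
    # 3) what is left must still describe exactly one SP, or the upload is useless
    if len(root.findall(f"{{{MD}}}SPSSODescriptor")) != 1:
        raise ValueError("expected exactly one SPSSODescriptor to survive")
    if hasattr(ET, "indent"):          # Python 3.9+, cosmetic only
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(prepare_sp_metadata(SAMPLE_ADFS_METADATA, "Contoso", "Contoso Corp",
                              "http://www.contoso.com", "Thomas", "Vuylsteke",
                              "adfs.admin@contoso.com"))
```

<p align="justify">Removing the Signature means nothing inside the file proves where it came from any more: its integrity rests on the authenticated upload at Belnet, and on you re-running this and re-uploading after any certificate rollover on the ADFS side.</p>
<p align="justify">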
Definitely a point of attention.</p> <p align="justify">Just drop a comment if you want more information or if you have some feedback.</p> <p>Thomas, 2015-06-05T16:55:00.001+02:00</p> <p><u><strong>Synchronizing Time on Azure Virtual Machines</strong></u></p> <p align="justify">I’m currently setting up a small Identity infrastructure on some Azure Virtual Machines for a customer. The components we’re installing consist of some domain controllers, a FIM server, a FIM GAL Sync server and a SQL server to support the FIM services. All of those are part of the CONTOSO domain. Besides the Azure virtual machines we also have two on-premises machines, also members of the CONTOSO domain. They communicate with the other CONTOSO servers across a site-to-site VPN with Azure.</p> <p align="justify">Eventually I came to the task of verifying my time synchronization setup. Throughout the years there have been small variations in the recommendations. Initially I had configured time synchronization like I always do: configure a GPO that specifically targets the PDC domain controller. 
This GPO configures the PDC domain controller to use an NTP server for its time.</p> <p align="justify">Administrative Templates > System > Windows Time Service > Global Configuration Settings:</p> <p><a href="http://lh3.googleusercontent.com/-C4NEQTNr6oE/VXG4FNdMULI/AAAAAAAACtk/4NW4V_d8LaU/s1600-h/image%25255B18%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-_oi29nCcjEQ/VXG4FxJRXkI/AAAAAAAACto/kmxFh6vQQDY/image_thumb%25255B6%25255D.png?imgmax=800" width="454" height="420" /></a></p> <p align="justify">Set AnnounceFlags to 5 so this domain controller advertises itself as a reliable time source. Besides that we also need to give the PDC domain controller a good source:</p> <p align="justify">Administrative Templates > System > Windows Time Service > Global Configuration Settings > Time Providers</p> <p><a href="http://lh3.googleusercontent.com/--26G6doPhoE/VXG4GAjWfkI/AAAAAAAACtw/6F8c7Xgtj7Q/s1600-h/image%25255B19%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-cWSAV9WQ-t0/VXG4G0WiN_I/AAAAAAAACt4/7GtF1uIB8RA/image_thumb%25255B7%25255D.png?imgmax=800" width="454" height="416" /></a></p> <p align="justify">In the above example I’m just using time.windows.com as a source and the type is set to NTP. 
Just for reference, the WMI filter that tells this GPO to only apply to the PDC domain controller:</p> <p><a href="http://lh3.googleusercontent.com/-3-t1W6t5IUQ/VXG4HLvICiI/AAAAAAAACuA/GVhC_s9S2VY/s1600-h/image%25255B20%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-V-7QX1bdeZQ/VXG4H52wT_I/AAAAAAAACuI/MlDhtXi8GY8/image_thumb%25255B8%25255D.png?imgmax=800" width="454" height="336" /></a></p> <p align="justify">Typically that’s all that’s needed. Keep in mind, the above was done on a 2012 R2 based domain controller/GPMC. If you use older versions you might have other values for certain settings; on 2012 R2 they are supposed to be as per current recommendations. But that’s not the point of this post. For the above to work, you should make sure that the NTP client on ALL clients, servers and domain controllers OTHER than the PDC is set to NT5DS:</p> <p align="justify">w32tm /query /configuration</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf7MC3kiAVClvYJ2sA0YI1LuzyQWJWt7cBhex9Cabdi_Vhrx3w2pKmQh0AuqhkHNYd5-OaOGvkMFZItA1AAUsezgkZa4xdz6tLEsURZxCZmOMxpuK6i6lUuOLyzUpW8aOaPfATgH1A3A/s1600-h/image%25255B21%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-_ZGXc_UIPcM/VXG4IrjkhxI/AAAAAAAACuY/WFz-pPubsao/image_thumb%25255B9%25255D.png?imgmax=800" width="304" height="69" /></a></p> <p align="justify">Once the above is all set the following logic should be active:</p> <p><img src="https://i-technet.sec.s-msft.com/dynimg/IC195579.gif" width="450" height="481" /></p> <p align="justify">Put simply: if you have a 
single domain, single forest topology:</p> <ul> <li> <div align="justify">The PDC domain controller syncs from an internet/external source</div> </li> <li> <div align="justify">The other domain controllers sync from the PDC domain controller</div> </li> <li> <div align="justify">The clients/member servers sync from A domain controller</div> </li> </ul> <p align="justify">You can verify this by executing w32tm /query /source:</p> <p align="justify">On my PDC (DC001), on a DC (DC002) and on a member server (hosted in Azure):</p> <p><a href="http://lh3.googleusercontent.com/-w53Dgoo5rZM/VXG4JCuLRCI/AAAAAAAACug/g3AuZHLuCaQ/s1600-h/time1%25255B3%25255D.png"><img title="time1" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time1" src="http://lh3.googleusercontent.com/-QHPFXhfeI7I/VXG4JknLX2I/AAAAAAAACuo/6dI1xGPT2I8/time1_thumb%25255B1%25255D.png?imgmax=800" width="304" height="46" /></a></p> <p align="justify">=> VM IC Time Synchronization Provider</p> <p align="justify">On my DC (DC003) (hosted on premises on VMware):</p> <p><a href="http://lh3.googleusercontent.com/-k2yammC-Z8w/VXG4KIyiErI/AAAAAAAACuw/ntAP_hPTkhU/s1600-h/time2%25255B3%25255D.png"><img title="time2" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time2" src="http://lh3.googleusercontent.com/-swjobAfK_2w/VXG4KyCXmcI/AAAAAAAACu4/jeBgbXATgg0/time2_thumb%25255B1%25255D.png?imgmax=800" width="304" height="54" /></a></p> <p align="justify">=> The PDC domain controller</p> <p align="justify">On my member server (hosted on premises on VMware):</p> <p><a href="http://lh3.googleusercontent.com/-1LxuGnqPE-I/VXG4LBG-vMI/AAAAAAAACvA/_BSqG2PQ03A/s1600-h/time3%25255B3%25255D.png"><img title="time3" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time3" src="http://lh3.googleusercontent.com/-nTgYArn4toI/VXG4Lk9BZcI/AAAAAAAACvI/hDLOf0z-TEs/time3_thumb%25255B1%25255D.png?imgmax=800" width="304" height="53" /></a></p> <p align="justify">=> A domain controller</p> <p align="justify">As you can see, that’s a bit weird. What is that VM IC Time Synchronization Provider? If I’m not mistaken, it’s a component that gets installed with Windows and is capable of interacting with the hypervisor (e.g. on-premises Hyper-V or Azure <em>Hyper-V</em>). As far as I can tell, VMware guests ignore it. Basically it’s a component that helps the guest sync its time with the physical host it runs on. Now you can imagine that if guests run on different hosts, time might slowly start to drift. In order to mitigate this, we need to ensure the time is properly synchronized using the domain hierarchy.</p> <p align="justify">Luckily it seems we can easily disable this functionality. We can simply set the Enabled registry value to 0 for this provider. <strong>The good news: setting it from 0 –> 1 seems to require a Windows Time Service restart, but I did some tests and setting it from 1 –> 0 seems to become effective after a small period of time. 
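</strong></p>
<p align="justify">Reading w32tm output from screenshots does not scale to a fleet, so here is the same check as a script. It is an added example, not part of the post: given the text of <em>w32tm /query /configuration</em> and the machine’s role, it lists what departs from the setup described above (PDC: NtpClient Type NTP, AnnounceFlags 5 and an NtpServer peer; every other DC and member: Type NT5DS; any VM: VMICTimeProvider disabled). The two samples are constructed after the command’s layout, one Azure member server with the provider still enabled and one PDC configured as above; they are not captured output, and the “(Policy)” suffix on GPO-delivered values is an assumption about the format rather than something the post shows.</p>

```python
"""Audit `w32tm /query /configuration` output against the intended time hierarchy.

Added example, not part of the post. The samples are constructed after the
command's layout ("Key: value (Local|Policy)" lines under [Configuration] and
per-provider blocks under [TimeProviders]); they are not captured from a server.
"""
import re

LINE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*?)\s*\((Local|Policy)\)$")
PROVIDER = re.compile(r"^([A-Za-z0-9_]+)\s*\((Local|Policy)\)$")

# Constructed: an Azure-hosted member server with the VM IC provider still enabled.
SAMPLE_MEMBER_OUTPUT = r"""[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
"""

# Constructed: the PDC after the GPO above applied and the provider disabled.
SAMPLE_PDC_OUTPUT = r"""[Configuration]

AnnounceFlags: 5 (Policy)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Policy)
NtpServer: time.windows.com,0x9 (Policy)
Type: NTP (Policy)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
"""


def parse_w32tm(text):
    """{"Configuration": {key: (value, source)}, "TimeProviders": {name: {key: (value, source)}}}"""
    result = {"Configuration": {}, "TimeProviders": {}}
    section, provider = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, provider = line[1:-1], None
            continue
        m = LINE.match(line)               # "Key: value (Local)"
        if m:
            entry = (m.group(2), m.group(3))
            if section == "TimeProviders" and provider:
                result["TimeProviders"][provider][m.group(1)] = entry
            elif section:
                result.setdefault(section, {})[m.group(1)] = entry
            continue
        m = PROVIDER.match(line)           # "NtpClient (Local)" starts a provider block
        if m and section == "TimeProviders":
            provider = m.group(1)
            result["TimeProviders"][provider] = {}
    return result


def audit(config, role, virtual=True):
    """Findings for a machine of role 'pdc', 'dc' or 'member'; [] means it matches."""
    if role not in ("pdc", "dc", "member"):
        raise ValueError("role must be pdc, dc or member")
    findings = []
    providers = config["TimeProviders"]
    client = providers.get("NtpClient", {})
    want = "NTP" if role == "pdc" else "NT5DS"
    got = client.get("Type", ("<missing>",))[0]
    if got != want:
        findings.append(f"NtpClient Type is {got}, expected {want} for role {role}")
    if role == "pdc":
        flags = config["Configuration"].get("AnnounceFlags", ("<missing>",))[0]
        if flags != "5":
            findings.append(f"AnnounceFlags is {flags}, expected 5 (reliable time source)")
        if not client.get("NtpServer", ("",))[0]:
            findings.append("NtpClient has no NtpServer peer; the PDC needs an external source")
    if virtual:
        vmic = providers.get("VMICTimeProvider", {}).get("Enabled", ("0",))[0]
        if vmic != "0":
            findings.append("VMICTimeProvider is enabled; the guest follows its host, not the domain hierarchy")
    return findings


if __name__ == "__main__":
    print("member:", audit(parse_w32tm(SAMPLE_MEMBER_OUTPUT), "member") or "OK")
    print("pdc:", audit(parse_w32tm(SAMPLE_PDC_OUTPUT), "pdc") or "OK")
```

<p align="justify">Run it with the real output piped in from each machine; a non-empty finding list is the signal to look at the GPO scope or the provider registry value before the clock drift turns into Kerberos failures.</p>
<p align="justify"><strong>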
The good news part 2: setting it to 0 doesn’t seem to have a side effect for on-premises VMs either.</strong></p> <p align="justify">In my case I opted to use group policy preferences for this:</p> <p><strong><a href="http://lh3.googleusercontent.com/-HXWoZ6S2i2w/VXG4MEybwmI/AAAAAAAACvQ/f7uHLBQ-E5U/s1600-h/time4%25255B3%25255D.png"><img title="time4" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time4" src="http://lh3.googleusercontent.com/-H8tRW_ZbjN4/VXG4M0Pc9cI/AAAAAAAACvY/muMizKlFkE0/time4_thumb%25255B1%25255D.png?imgmax=800" width="304" height="337" /></a></strong></p> <p align="justify">The registry path (under HKLM) is SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider; set the value Enabled to 0.</p> <p align="justify">And now we can repeat our tests:</p> <p align="justify">On my PDC (hosted in Azure):</p> <p><a href="http://lh3.googleusercontent.com/-1tb0IBAqiBU/VXG4NbEizOI/AAAAAAAACvg/sTHq91eZ8Wg/s1600-h/time5%25255B3%25255D.png"><img title="time5" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time5" src="http://lh3.googleusercontent.com/-ddOcYcrR744/VXG4Ny_GGfI/AAAAAAAACvo/Wrp_K3GWclg/time5_thumb%25255B1%25255D.png?imgmax=800" width="304" height="52" /></a></p> <p align="justify">On my DC (hosted in Azure):</p> <p><a href="http://lh3.googleusercontent.com/-tcyU4JnFz3g/VXG4Om4c-CI/AAAAAAAACvw/vWtQiT6E084/s1600-h/time6%25255B3%25255D.png"><img title="time6" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time6" src="http://lh3.googleusercontent.com/-4FZX14u9VRw/VXG4POA9DtI/AAAAAAAACv4/5EoXFTFtybQ/time6_thumb%25255B1%25255D.png?imgmax=800" width="304" height="62" /></a></p> <p align="justify">On a member server (hosted in Azure):</p> <p><a href="http://lh3.googleusercontent.com/-Qk7CoUVH0RE/VXG4PrQs9GI/AAAAAAAACwA/K7xTUzs0tKk/s1600-h/time7%25255B3%25255D.png"><img title="time7" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="time7" src="http://lh3.googleusercontent.com/-EGd5qIFfe4Q/VXG4P2kPnhI/AAAAAAAACwM/9IdHzbD0Tpo/time7_thumb%25255B1%25255D.png?imgmax=800" width="304" height="63" /></a></p> <p align="justify"><strong><u>Summary</u></strong></p> <p align="justify">I’ll try to validate this with some people, and I’ll definitely update this post if I’m proven wrong, but as far as I can tell: <strong>whenever you host virtual machines in Azure that are part of a Windows Active Directory domain, make sure to disable the VM IC Time Provider component.</strong></p> <p align="justify">Imho this kind of information is definitely something that should be added to <a href="https://msdn.microsoft.com/en-us/library/azure/jj156090.aspx">MSDN: Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines</a> or <a href="https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/">Azure.microsoft.com: Install a replica Active Directory domain controller in an Azure virtual network</a></p> <p align="justify"><strong><u>References:</u></strong></p> <ul> <li> <div align="justify"><a title="https://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx" href="https://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx">TechNet: How the Windows Time Service Works</a></div> </li> <li> <div align="justify"><a href="http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx">Blogs.msdn.com: Time Synchronization in Hyper-V [2010]</a></div> </li> <li> <div align="justify"><a href="http://blogs.technet.com/b/askds/archive/2007/11/01/configuring-your-pdce-with-alternate-time-sources.aspx">Blogs.technet.com: Configuring your PDCE with Alternate Time Sources [2007]</a></div> </li> <li> <div align="justify"><a href="http://blogs.msdn.com/b/robertvi/archive/2011/05/11/time-synchronization-and-domain-controller-vm-s.aspx">Blogs.msdn.com: Time Synchronization and Domain Controller VM's [2011]</a></div> </li> <li> <div align="justify"><a href="https://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations/">Jorge: https://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations/ [Great Reference!]</a></div> </li> </ul> <p>Thomas, 2015-06-03T12:56:00.001+02:00</p> <p><u><strong>Protecting a Domain Controller in Azure with Microsoft Antimalware</strong></u></p> <p align="justify">I’m getting more and more involved with customers using Azure to host some VMs in an IaaS scenario. In some cases they like to have a Domain Controller from their corporate domain on Azure. I think it’s a best practice to have some form of malware protection installed. Some customers opt to use their on-premises solution, others opt to use the free Microsoft Antimalware solution. The latter comes as an extension which you can add when creating a virtual machine, or just add afterwards. One of the drawbacks is that there’s no central management. 
You push it out to each machine and that’s it.</p> <p align="justify">Both the old and the new portal allow you to specify this during machine creation:</p> <p align="justify">Old portal wizard:</p> <p><a href="http://lh3.googleusercontent.com/-XC0AV0bn7Lo/VW7dQgLLJLI/AAAAAAAACrs/ai3oamEizwg/s1600-h/image1.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-1ncyg3BBDdY/VW7dRFaYm0I/AAAAAAAACrw/dEVaG1wMCUg/image_thumb1.png?imgmax=800" width="304" height="150" /></a></p> <p>New portal wizard:</p> <p><a href="http://lh3.googleusercontent.com/-8sLfi06MWDQ/VW7dRnnNTII/AAAAAAAACr4/kAg-gzWmKXs/s1600-h/image3%25255B1%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-u5qZJ4RhYYU/VW7dSSa0PGI/AAAAAAAACsA/2szDn01FKjA/image_thumb3.png?imgmax=800" width="304" height="146" /></a></p> <p>However, the new portal allows you to specify additional parameters:</p> <p><a href="http://lh3.googleusercontent.com/-VzwXZKnS6rw/VW7dTD_N8nI/AAAAAAAACsI/ybqR-Zm4-jc/s1600-h/image5.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/--VA7oGHPywo/VW7dT1mi6EI/AAAAAAAACsQ/0xOO5q27v14/image_thumb5.png?imgmax=800" width="204" height="337" /></a></p> <p align="justify">As you can see you can also specify the exclusions. 
For certain workloads (like SQL) this is pretty important. From past experience I know that getting the exclusions for a given application right is pretty tedious work. You have to go through various articles and compose your list. I took a look at the software installed on an Azure VM and I noticed it was called System Center Endpoint Protection.</p> <p><a href="http://lh3.googleusercontent.com/-9KouSxtGN58/VW7dUR2JnrI/AAAAAAAACsY/Nm6ZTKWhw-w/s1600-h/image10.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-3TUUxoEDp1U/VW7dUwZCaqI/AAAAAAAACsg/SLGza-rv0qY/image_thumb2.png?imgmax=800" width="244" height="95" /></a></p> <p>Second, I went ahead and looked in the registry:</p> <p><a href="http://lh3.googleusercontent.com/-yn1y_et6i98/VW7dVmUo80I/AAAAAAAACso/WkdmHOlAJfI/s1600-h/image811.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.googleusercontent.com/-qBAecO14h7Y/VW7dWHgePHI/AAAAAAAACsw/NYnwgg69tgw/image81_thumb.png?imgmax=800" width="404" height="122" /></a></p> <p align="justify">The easiest way to configure those exclusion settings is through PowerShell. The <em>Set-AzureVMMicrosoftAntimalwareExtension</em> cmdlet has a parameter called <em>AntimalwareConfigFile</em> that accepts either an XML or a JSON file. Initially I thought I’d just take the XML files from a System Center Endpoint Protection implementation and be done with it. I quickly found out that the format of this XML file was different from the templates SCEP uses. So I thought I’d do some quick find and replace. 
But no matter what I tried, issues kept popping up inside the guest and the XML file failed to be parsed successfully. This guide explains it pretty well, but I still failed to get it right: <a title="Microsoft Antimalware for Azure cloud services and virtual" href="http://download.microsoft.com/download/F/A/E/FAE6F5D7-051D-49EF-A46D-1FAFAEFBB3F3/Microsoft%20Antimalware%20For%20Azure%20Cloud%20Services%20and%20Virtual%20Machines%20-%2005102014.docx">Microsoft Antimalware for Azure Cloud Services and Virtual Machines</a></p> <p align="justify">I would have preferred XML, as that format allows comment tags, which makes it easy to document certain exclusions. Now I had to resort to JSON, which is just a bunch of text in brackets and colons. Here are some sample config files based on the files from SCEP:</p> <p><strong><u>A Regular Server</u></strong></p> <p><font size="1">{ <br />"AntimalwareEnabled": true, <br />"RealtimeProtectionEnabled": true, <br />"ScheduledScanSettings": { <br />"isEnabled": false, <br />"day": 1, <br />"time": 180, <br />"scanType": "Full" <br />}, <br />"Exclusions": { <br />"Extensions": "", <br />"Paths": "%allusersprofile%\\NTUser.pol;%systemroot%\\system32\\GroupPolicy\\Machine\\registry.pol;%windir%\\Security\\database\\*.chk;%windir%\\Security\\database\\*.edb;%windir%\\Security\\database\\*.jrs;%windir%\\Security\\database\\*.log;%windir%\\Security\\database\\*.sdb;%windir%\\SoftwareDistribution\\Datastore\\Datastore.edb;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb.chk;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb*.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00001.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00002.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res1.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res2.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\tmp.edb", <br />"Processes": "" <br />} <br />}</font></p> <p><strong><u>A SQL Server</u></strong></p> <p><font size="1">{ <br
/>"AntimalwareEnabled": true, <br />"RealtimeProtectionEnabled": true, <br />"ScheduledScanSettings": { <br />"isEnabled": false, <br />"day": 1, <br />"time": 180, <br />"scanType": "Full" <br />}, <br />"Exclusions": { <br />"Extensions": "", <br />"Paths": "%allusersprofile%\\NTUser.pol;%systemroot%\\system32\\GroupPolicy\\Machine\\registry.pol;%windir%\\Security\\database\\*.chk;%windir%\\Security\\database\\*.edb;%windir%\\Security\\database\\*.jrs;%windir%\\Security\\database\\*.log;%windir%\\Security\\database\\*.sdb;%windir%\\SoftwareDistribution\\Datastore\\Datastore.edb;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb.chk;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb*.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00001.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00002.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res1.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res2.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\tmp.edb", <br />"Processes": "<strong>%ProgramFiles%\\Microsoft SQL Server\\MSSQL10.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe</strong>" <br />} <br />}</font></p> <p align="justify">This one is almost identical to the server one, but here we exclude the SQLServr.exe process. 
<strong>The path to this executable might be different in your environment!</strong> <br /><strong><u>A Domain Controller</u></strong></p> <p><font size="1">{ <br />"AntimalwareEnabled": true, <br />"RealtimeProtectionEnabled": true, <br />"ScheduledScanSettings": { <br />"isEnabled": false, <br />"day": 1, <br />"time": 180, <br />"scanType": "Full" <br />}, <br />"Exclusions": { <br />"Extensions": "", <br />"Paths": "%allusersprofile%\\NTUser.pol;%systemroot%\\system32\\GroupPolicy\\Machine\\registry.pol;%windir%\\Security\\database\\*.chk;%windir%\\Security\\database\\*.edb;%windir%\\Security\\database\\*.jrs;%windir%\\Security\\database\\*.log;%windir%\\Security\\database\\*.sdb;%windir%\\SoftwareDistribution\\Datastore\\Datastore.edb;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb.chk;%windir%\\SoftwareDistribution\\Datastore\\Logs\\edb*.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00001.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Edbres00002.jrs;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res1.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\Res2.log;%windir%\\SoftwareDistribution\\Datastore\\Logs\\tmp.edb;E:\\Windows\\ntds\\ntds.dit;E:\\Windows\\ntds\\EDB*.log;E:\\Windows\\ntds\\Edbres*.jrs;E:\\Windows\\ntds\\EDB.chk;E:\\Windows\\ntds\\TEMP.edb;E:\\Windows\\ntds\\*.pat;E:\\Windows\\SYSVOL\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory;E:\\Windows\\SYSVOL\\staging;E:\\Windows\\SYSVOL\\staging areas;E:\\Windows\\SYSVOL\\sysvol;%systemroot%\\System32\\Dns\\*.log;%systemroot%\\System32\\Dns\\*.dns;%systemroot%\\System32\\Dns\\boot", <br />"Processes": "%systemroot%\\System32\\ntfrs.exe;%systemroot%\\System32\\dfsr.exe;%systemroot%\\System32\\dfsrs.exe" <br />} <br />}</font> <br /></p> <p align="justify">Again a lot of the familiar exclusions from the server template, but also specific exclusions for NTDS-related and DNS-related files.
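Rather than hand-editing that long Paths string, the same JSON can be assembled in PowerShell. The following is an added example, not the post's own code: it builds the file from a SCEP-style exclusion list and applies the two corrections the remarks below describe (relocated NTDS/SYSVOL paths and the Machine\registry.pol entry). The relocated root E:\Windows, the sample exclusion list and the output path are assumptions.

```powershell
# Added example (not the post's own code): assemble the Microsoft Antimalware
# exclusion JSON from a SCEP-style list instead of hand-editing the Paths string.
# Assumptions: AD database/logs and SYSVOL were relocated under E:\Windows
# (as in the DC template above) and the output path below; adjust both.

function New-AntimalwareConfig {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string[]]$Processes = @(),
        [string]$RelocatedAdRoot          # e.g. 'E:\Windows'; empty keeps %systemroot%
    )
    $fixedPaths = foreach ($p in $Paths) {
        # SCEP template bug: the local GPO file lives under GroupPolicy\Machine\
        $p = $p -replace '(?i)\\GroupPolicy\\Registry\.pol$', '\GroupPolicy\Machine\registry.pol'
        # Relocated NTDS / SYSVOL: swap %systemroot% for the new root on those entries only
        if ($RelocatedAdRoot -and $p -match '(?i)\\(ntds|sysvol)\\') {
            $p = $p -replace '(?i)^%systemroot%', $RelocatedAdRoot
        }
        $p
    }
    $config = [ordered]@{
        AntimalwareEnabled        = $true
        RealtimeProtectionEnabled = $true
        ScheduledScanSettings     = [ordered]@{ isEnabled = $false; day = 1; time = 180; scanType = 'Full' }
        Exclusions                = [ordered]@{
            Extensions = ''
            Paths      = ($fixedPaths | Select-Object -Unique) -join ';'   # ';' separated like the templates
            Processes  = $Processes -join ';'
        }
    }
    # ConvertTo-Json escapes backslashes as \\ exactly like the templates in the post
    ConvertTo-Json -InputObject $config -Depth 4
}

# Constructed sample input: a few entries the way a SCEP template lists them
$scepPaths = @(
    '%allusersprofile%\NTUser.pol',
    '%systemroot%\system32\GroupPolicy\Registry.pol',      # the wrong SCEP entry
    '%systemroot%\ntds\ntds.dit',
    '%systemroot%\ntds\EDB*.log',
    '%systemroot%\SYSVOL\sysvol',
    '%systemroot%\System32\Dns\*.dns'
)
$dcProcesses = '%systemroot%\System32\ntfrs.exe', '%systemroot%\System32\dfsr.exe', '%systemroot%\System32\dfsrs.exe'

$json = New-AntimalwareConfig -Paths $scepPaths -Processes $dcProcesses -RelocatedAdRoot 'E:\Windows'

# Round trip before pushing: a file the extension cannot parse fails inside the guest
$check = $json | ConvertFrom-Json
if ($check.Exclusions.Paths -notmatch '\\GroupPolicy\\Machine\\registry\.pol') { throw 'registry.pol exclusion not corrected' }
if ($check.Exclusions.Paths -match '%systemroot%\\ntds') { throw 'NTDS paths still point at %systemroot%' }

# Assumed output path; feed it to Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile as in the post
Set-Content -Path 'C:\Work\MicrosoftAntiMalware_DC.json' -Value $json -Encoding Ascii
```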
<strong>Remark: One of the best practices for installing domain controllers in Azure is to relocate the AD database/log files and SYSVOL to another disk with caching set to none. So the above exclusions might be wrong! Replace %systemroot% with the drive letter containing your AD files!</strong></p> <p align="justify">Special remark: the SCEP templates have a bug where they add %systemroot%\\system32\\GroupPolicy\\Registry.pol, which in fact should be %systemroot%\\system32\\GroupPolicy\\<strong>Machine</strong>\\registry.pol. I’ve described an example of the resulting issue here: <a href="http://setspn.blogspot.be/2015/05/corrupt-local-gpo-files.html">Setspn.blogspot.com: Corrupt Local GPO Files</a></p> <p align="justify">The templates above are in JSON format. I save the domain controller one as MicrosoftAntiMalware_DC.json and apply it like this:</p> <pre># Classic (service management) Azure PowerShell: look up the VM, attach the antimalware config, push the change
$vm = Get-AzureVM -ServiceName "CoreInfra" -Name "SRVDC01"
$vm | Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile C:\Users\Thomas\Documenten\Work\MicrosoftAntiMalware_DC.json | Update-AzureVM</pre> <p>Now in the registry on the VM we can verify our extension is applied:</p> <p><a href="http://lh3.googleusercontent.com/-ppa9vqzxSrQ/VW7dWh02Q2I/AAAAAAAACs4/VKgH9stDUX8/s1600-h/reg34.png"><img title="reg3" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="reg3" src="http://lh3.googleusercontent.com/-ydvm_49441Q/VW7dXEWGJaI/AAAAAAAACtA/nSYrcceOTuU/reg3_thumb2.png?imgmax=800" width="404" height="207" /></a></p> <p>Some good references:</p> <ul> <li><a href="https://www.petri.com/installing-microsoft-anti-malware-azure-vms">Petri (Aidan Finn): Installing Microsoft Anti-Malware in Azure VMs</a> </li> <li><a title="New Antimalware Options for Protecting Azure Virtual
Machines Microsoft Azure Blog" href="http://azure.microsoft.com/blog/2014/12/01/new-antimalware-options-for-protecting-azure-virtual-machines/">azure.microsoft.com: New Antimalware Options for Protecting Azure Virtual Machines (Microsoft Azure Blog)</a> </li> <li><a title="Deploying Antimalware Solutions on Azure Virtual Machines" href="http://azure.microsoft.com/blog/2014/05/13/deploying-antimalware-solutions-on-azure-virtual-machines/">azure.microsoft.com: Deploying Antimalware Solutions on Azure Virtual Machines</a> </li> <li><a href="https://support.microsoft.com/en-us/kb/822158">Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows</a> </li> </ul> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com1tag:blogger.com,1999:blog-62687483129304921.post-69646514516328928782015-05-08T20:26:00.001+02:002015-05-08T20:26:53.326+02:00Corrupt Local GPO Files<p align="justify">A while ago I looked into a laptop that was not able to access anything on the network. As this customer has Direct Access deployed, I knew I had to start my troubleshooting with the following command: <strong>netsh dns show state</strong></p> <p><a href="http://lh3.googleusercontent.com/-ete0R8R9MQo/VUz_1anxgoI/AAAAAAAACqE/1EIHXtHrsSM/s1600-h/13.png"><img title="1" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="1" src="http://lh3.googleusercontent.com/-AMxA_K8CTU0/VUz_2MIR4mI/AAAAAAAACqI/lMBwdrkX7_g/1_thumb1.png?imgmax=800" width="454" height="253" /></a></p> <p align="justify">As you can tell from the screenshot above, the laptop thinks it’s <strong>outside the corporate network</strong> and has Direct Access <strong>configured and enabled</strong>. I tried pinging various resources (on the domain) but they all failed.
That would make sense, as the client is trying to build a Direct Access tunnel but fails to do so. Besides that, the name resolution policy also kicks in. The result is that neither remote nor local connectivity is working. In such a situation one should suspect an issue with the Network Location Server that is deployed on the network. However, this was an isolated case, as no other clients were showing similar issues…</p> <p align="justify">The reason name resolution, and thereby all other domain-related tasks, is failing is the fact that the Direct Access <strong>name resolution policies</strong> are in place and force all DNS requests for the domain zone to be resolved by the Direct Access DNS service. That one is not reachable as we don’t have a valid Direct Access connection… In order to mitigate this I thought I’d kill the name resolution policies locally and see if I’d be able to get it talking to the domain again.</p> <p><a href="http://lh3.googleusercontent.com/-A1pCMyuxFAU/VUz_2vj-xEI/AAAAAAAACqM/BudPfrzqwrs/s1600-h/33.png"><img title="3" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="3" src="http://lh3.googleusercontent.com/-rC3H5QbeXqg/VUz_3FnLTDI/AAAAAAAACqU/BeN5X3l6Gcs/3_thumb1.png?imgmax=800" width="454" height="150" /></a></p> <p align="justify">Delete both DA-…. keys. They can be found below HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig. Reboot the client afterwards. In my case I could see connectivity (and name resolution) was now working again.
But processing GPOs still failed:</p> <p><a href="http://lh3.googleusercontent.com/-5c7DXVq1i4A/VUz_3o2AnPI/AAAAAAAACqg/ZFsogr5f63w/s1600-h/43.png"><img title="4" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="4" src="http://lh3.googleusercontent.com/-odnFLx5XS74/VUz_4oL_EXI/AAAAAAAACqo/-Uud4aSzjK0/4_thumb1.png?imgmax=800" width="454" height="298" /></a></p> <p>In the event log:</p> <p><a href="http://lh3.googleusercontent.com/-Cv6JRuZfkLI/VUz_5AezwwI/AAAAAAAACqw/cHGIqXBbHzU/s1600-h/53.png"><img title="5" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="5" src="http://lh3.googleusercontent.com/-LacUYOIU544/VUz_58BGqnI/AAAAAAAACq4/SGUz_GEr8ks/5_thumb1.png?imgmax=800" width="454" height="90" /></a></p> <p align="justify"><em>Event 1096: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved.
View the event details for more information on the file name and path that caused the failure.</em></p> <p align="justify">Some googling led me to the following information:</p> <ul> <li> <div align="justify"><a href="https://technet.microsoft.com/en-us/library/cc978247.aspx">https://technet.microsoft.com/en-us/library/cc978247.aspx</a></div> </li> <li> <div align="justify"><a href="http://itcalls.blogspot.be/2014/09/event-1096-processing-of-group-policy.html">http://itcalls.blogspot.be/2014/09/event-1096-processing-of-group-policy.html</a></div> </li> <li> <div align="justify"><a href="http://blogs.technet.com/b/jlosey/archive/2013/01/08/the-cobbler-s-children-have-now-shoes.aspx">http://blogs.technet.com/b/jlosey/archive/2013/01/08/the-cobbler-s-children-have-now-shoes.aspx</a></div> </li> </ul> <p align="justify">The instructions to fix this:</p> <ul> <li> <div align="justify">Rename (or delete) C:\Windows\System32\GroupPolicy\Machine\Registry.pol</div> </li> <li> <div align="justify">Start > run > cmd (as admin)</div> </li> <li> <div align="justify">Gpedit.msc</div> </li> <li> <div align="justify">Below Administrative Templates, change a setting (no matter which) and then revert it.
This will trigger the creation of a new registry.pol file</div> </li> <li> <div align="justify">gpupdate /force</div> </li> <li> <div align="justify">GPOs should process correctly now.</div> </li> </ul> <p><a href="http://lh3.googleusercontent.com/-HdtaByRZziw/VUz_6UBzm7I/AAAAAAAACrA/yzUrUdIIJ7Q/s1600-h/63.png"><img title="6" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="6" src="http://lh3.googleusercontent.com/-ecgyyRyIogE/VUz_69tnIoI/AAAAAAAACrI/gRsJOurS3sw/6_thumb1.png?imgmax=800" width="454" height="145" /></a></p> <p align="justify">Now you might wonder how this registry.pol gets into such a condition that Group Policy processing starts to fail. I stumbled across the following post: </p> <p align="justify"><a href="http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx?pi47623=2">http://blogs.technet.com/b/systemcenterpfe/archive/2013/01/11/updated-system-center-2012-configuration-manager-antivirus-exclusions-with-more-details.aspx?pi47623=2</a></p> <p align="justify">In the comments section there’s a comment from <strong>Mike Niccum</strong> which seems to be very interesting. We checked the exclusions on our Endpoint Protection and, as Mike explains, we’re also seeing the missing antivirus exclusion. We added it and in the coming weeks we’ll see whether new issues pop up or not.</p> <ul> <li> <div align="justify">Present (Wrong?)
exclusion: C:\Windows\System32\GroupPolicy\Registry.pol</div> </li> <li> <div align="justify">Missing exclusion: C:\Windows\System32\GroupPolicy\Machine\Registry.pol</div> </li> </ul> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com9tag:blogger.com,1999:blog-62687483129304921.post-31807257229518876392015-04-26T14:14:00.001+02:002015-05-08T20:29:23.785+02:00Commvault REST API using PowerShell<p align="justify">A while ago I wrote a blog post about <a href="http://setspn.blogspot.be/2014/11/3par-connect-to-webapi-using-powershell.html">Connecting to the 3PAR WebAPI using PowerShell</a>. Today I’m doing the same, but now with the Commvault REST API. Connecting to that API is even easier! Commvault has a nice sandbox to get familiar with the REST API; this one is definitely worth a look. It can be accessed at <a href="http://commvaultwebconsoleserver.contoso.com/webconsole/sandbox/">http://commvaultwebconsoleserver.contoso.com/webconsole/sandbox/</a>. It looks like this:</p> <p><a href="http://lh3.googleusercontent.com/-UwYqzELQwRw/VTzWkgPI7jI/AAAAAAAACpk/olBuCxIZ84g/s1600-h/2015-02-27_10-29-35_CommvaultRestAPI.png"><img title="2015-02-27_10-29-35_CommvaultRestAPI" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="2015-02-27_10-29-35_CommvaultRestAPI" src="http://lh3.googleusercontent.com/-nNNXZbt3cAg/VTzWmHGKuZI/AAAAAAAACps/JseBt8HYrh4/2015-02-27_10-29-35_CommvaultRestAPI%25255B1%25255D.png?imgmax=800" width="454" height="185" /></a></p> <p align="justify">Working with the API is similar to the 3PAR approach: first we authenticate and get a token. Then we use that token to call other services.
In order to get this working I just looked at the C# sample code Commvault provides: <a href="http://documentation.commvault.com/hds/v10/article?p=features/rest_api/rest_api_getting_started_csharp.htm">Commvault Documentation: REST API - Getting Started Using C#</a>. Here’s how you can authenticate using PowerShell:</p> <pre># Credentials
$username = "Contoso\s_apiuser"
$password = 'P@$$w0rd'   # single quotes: inside double quotes $$ would expand to the process id
# Commvault web console server
$SERVER = "srdccvws0001.rddcmgmt.local"
# API URL
$APIURL = "http://$($SERVER):81/SearchSvc/CVWebService.svc"

$APIURLaction = "$APIURL/login"
# The service expects the password base64 encoded (encoding, not encryption)
$passwordB64byte = [System.Text.Encoding]::UTF8.GetBytes($password)
$encodedPassword = [System.Convert]::ToBase64String($passwordB64byte)
$loginReq = "<DM2ContentIndexing_CheckCredentialReq mode=""Webconsole"" username=""$username"" password=""$encodedPassword"" />"
$result = Invoke-WebRequest -Uri $APIURLaction -Method POST -Body $loginReq -UseBasicParsing
# The response is XML; only the token attribute is needed for the calls that follow
$token = (([xml]$result.content).SelectSingleNode("/DM2ContentIndexing_CheckCredentialResp/@token")).value</pre> <p align="justify">The code might seem cryptic but is actually pretty straightforward: we need to call the /login service and pass it some parameters. The service requires the password to be base64 encoded. As you might guess, this information goes across the wire, and base64 is trivially decoded, so it offers no protection… So I would definitely advise using an account that only has permissions to the items it needs to access. Ideally we’d approach the service over SSL, but I’m not sure whether Commvault allows SSL to be configured for the services.</p> <p align="justify">The username and encoded password have to be passed in a specific XML string that becomes the body of the web request. The result is an XML string that contains a token value. We don’t need the whole string, only the part representing the token. Now that we managed to get a token we can start calling specific services.
If I'm not mistaken this token will remain valid until there’s a period of inactivity (30 minutes).</p> <p align="justify">Here’s how you can get all clients:</p> <pre>$service = "/client"
$action = "GET"
$APIURLaction = "$APIURL$service"
$headers = @{}
# The default response format is XML; ask for JSON instead
$headers["Accept"] = "application/json"
# The token from the login call goes in the Authtoken header
$headers["Authtoken"] = $token
$result = Invoke-WebRequest -Uri $APIURLaction -Headers $headers -Method $action -UseBasicParsing
$clientInfo = ($result.content | ConvertFrom-Json).App_GetClientPropertiesResponse.clientProperties</pre> <p align="justify">If you go through the REST API documentation you’ll notice that some services are GET based and others are POST based. The /client service is GET based, the /JobDetails service is POST based.
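Since the snippets in this post carry no error handling, here is the same login plus a generic call helper with error handling, as an added example (not the post's code nor Commvault's sample); the credential comes from Get-Credential instead of a plaintext literal, the server name is a placeholder and the endpoint layout is assumed to match the post.

```powershell
# Added example (not the post's code nor Commvault's sample): the /login, /client and
# /JobDetails calls from this post wrapped in functions with error handling.
# Assumptions: endpoint layout http://<server>:81/SearchSvc/CVWebService.svc as in the
# post; the server name below is a placeholder.

function Connect-Commvault {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 81,
        [switch]$UseSsl                      # only if the web console is reachable over HTTPS
    )
    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $apiUrl = '{0}://{1}:{2}/SearchSvc/CVWebService.svc' -f $scheme, $Server, $Port

    # Same encoding the post uses: base64 of the UTF-8 bytes of the password (not encryption)
    $plain = $Credential.GetNetworkCredential().Password
    $encodedPassword = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))
    $user = [System.Security.SecurityElement]::Escape($Credential.UserName)
    $loginReq = "<DM2ContentIndexing_CheckCredentialReq mode=""Webconsole"" username=""$user"" password=""$encodedPassword"" />"

    try {
        $result = Invoke-WebRequest -Uri "$apiUrl/login" -Method POST -Body $loginReq -UseBasicParsing -ErrorAction Stop
    } catch {
        # bad server name, closed port, HTTP error: stop here instead of carrying on with an empty token
        throw "Login request to $apiUrl failed: $($_.Exception.Message)"
    }
    $token = ([xml]$result.Content).SelectSingleNode('/DM2ContentIndexing_CheckCredentialResp/@token')
    if (-not $token -or [string]::IsNullOrEmpty($token.Value)) {
        throw "No token returned for $($Credential.UserName); check the credentials"
    }
    # Session object: everything later calls need, token included
    [pscustomobject]@{
        ApiUrl  = $apiUrl
        Headers = @{ Accept = 'application/json'; Authtoken = $token.Value }
    }
}

function Invoke-Commvault {
    param(
        [Parameter(Mandatory)]$Session,
        [Parameter(Mandatory)][string]$Service,   # e.g. '/client' or '/JobDetails'
        [string]$Method = 'GET',
        [string]$Body                             # XML request for POST based services
    )
    $request = @{
        Uri = "$($Session.ApiUrl)$Service"; Headers = $Session.Headers; Method = $Method
        UseBasicParsing = $true; ErrorAction = 'Stop'
    }
    if ($Body) { $request.Body = $Body }
    try {
        (Invoke-WebRequest @request).Content | ConvertFrom-Json
    } catch {
        Write-Warning "$Method $Service failed: $($_.Exception.Message)"   # log, then rethrow
        throw
    }
}

# Usage (interactive prompt, so no password ends up in the script or the shell history)
$session = Connect-Commvault -Server 'commvaultwebconsoleserver.contoso.com' -Credential (Get-Credential 'Contoso\s_apiuser')
$clients = (Invoke-Commvault -Session $session -Service '/client').App_GetClientPropertiesResponse.clientProperties
$job = (Invoke-Commvault -Session $session -Service '/JobDetails' -Method POST -Body '<JobManager_JobDetailRequest jobId="3040"/>').JobManager_JobDetailResponse.job.jobDetail
```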
You’ll also notice that we pass an XML string as the body for the request.</p> <pre>$jobID = "3040"
$body = "<JobManager_JobDetailRequest jobId=""$jobID""/>"
$service = "/JobDetails"
$action = "POST"
$APIURLaction = "$APIURL$service"   # rebuild the URL; otherwise it still points at /client
$result = Invoke-WebRequest -Uri $APIURLaction -Headers $headers -Method $action -UseBasicParsing -Body $body
$jobDetails = ($result.content | ConvertFrom-Json).JobManager_JobDetailResponse.job.jobDetail</pre> <p align="justify">I hope that with these basic examples you can now successfully connect yourself. As you can see, the above code contains no error handling. Depending on how you will use scripts like this, I would advise adding some logging and error handling. Try providing wrong credentials or entering a bad server name and see what happens.</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com6tag:blogger.com,1999:blog-62687483129304921.post-71545867545165749732015-03-04T20:33:00.001+01:002015-03-04T20:35:24.343+01:00Azure Virtual Machines: Event 257: Defrag: Slab Consolidation/ Slab Analysis<p align="justify">I’ve got a customer running some virtual machines on the Azure IaaS platform, and when doing a quick checkup I found the following recurring events in the event log:</p> <ul> <li> <div align="justify"><em>The volume (C:) was not optimized because an error was encountered: Neither Slab Consolidation nor Slab Analysis will run if slabs are less than 8 MB. (0x8900002D)</em></div> </li> <li> <div align="justify"><em>The volume Temporary Storage (D:) was not optimized because an error was encountered: Neither Slab Consolidation nor Slab Analysis will run if slabs are less than 8 MB. (0x8900002D)</em></div> </li> <li> <div align="justify"><em>The volume Data (F:) was not optimized because an error was encountered: Neither Slab Consolidation nor Slab Analysis will run if slabs are less than 8 MB.
(0x8900002D)</em></div> </li> </ul> <p align="justify">Sample event:</p> <p align="justify"><a href="http://lh3.ggpht.com/-Owph21zLC68/VPdd8PXbGmI/AAAAAAAACnQ/Sr0oYJT19zM/s1600-h/image%25255B22%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh5.ggpht.com/-285XI-MRrC4/VPdd8ji_xOI/AAAAAAAACnY/TtMyyOJxwVs/image_thumb%25255B11%25255D.png?imgmax=800" width="454" height="83" /></a></p> <p align="justify">I’m aware that Windows does maintenance on a regular basis all by itself. One of these tasks is a scheduled defrag:</p> <p align="justify"><a href="http://lh5.ggpht.com/-XJAhmXRFSpc/VPdd9dXE8sI/AAAAAAAACng/6XRTV0dMEhM/s1600-h/image%25255B23%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-TFZDZSyt_1Y/VPdd99OfNYI/AAAAAAAACno/u0-tA_UEAV4/image_thumb%25255B12%25255D.png?imgmax=800" width="454" height="33" /></a></p> <p align="justify">You’ll probably see that there’s no trigger for this particular task, yet it runs regularly! That’s because there’s another scheduled task called “Regular Maintenance” which calls this specific task. An excellent writeup can be found here: <a title="https://datatothepeople.wordpress.com/2013/12/19/maintenance-at-3am-in-the-morning/" href="https://datatothepeople.wordpress.com/2013/12/19/maintenance-at-3am-in-the-morning/">DataToHelpThePeople: Maintenance at 3AM in the Morning</a></p> <p align="justify">I did some googling and quickly came across this: <a title="http://support2.microsoft.com/kb/2964429/en-us" href="http://support2.microsoft.com/kb/2964429/en-us">KB2964429: Storage Optimizer memory use increases when it runs on thin provisioned LUNs</a></p> <p align="justify">From that article: <em>There's no need to run Storage Optimizer on thin provisioned LUNs that use an allocation size (also known as slab size) of less than 8 MB. Thin provisioned LUNs that have a smaller slab size manage space more efficiently, and the benefits of defragmenting them are not as great.</em></p> <p align="justify">So that got me curious: how big is the allocation size on these volumes? We can find this information using diskpart:</p> <p align="justify"><a href="http://lh5.ggpht.com/-gz2bxE_pf2c/VPdd-tcPjdI/AAAAAAAACnw/HBMmNkOpikw/s1600-h/image%25255B24%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.ggpht.com/-kGkcilfTHZA/VPdd_P7DPxI/AAAAAAAACn0/R50lH0blSwg/image_thumb%25255B13%25255D.png?imgmax=800" width="454" height="172" /></a></p> <p align="justify">After selecting a given volume, execute “filesystem”. In our example we have 4 MB which is, as the error states, less than 8 MB. Both the OS disk and the Temporary Disk have 4 MB, which I guess is the default. My custom disk (F:) also has this value.</p> <p align="justify"><a href="http://lh5.ggpht.com/-1fT3yEEqwk0/VPdd_jFLV6I/AAAAAAAACoA/r1JLfLEu1do/s1600-h/image%25255B25%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh4.ggpht.com/-_9-88bHdIyg/VPdeAPeUkaI/AAAAAAAACoE/dLo1MzvnWHg/image_thumb%25255B14%25255D.png?imgmax=800" width="454" height="176" /></a></p> <p align="justify">If we check the action of the scheduled task we can see that this is the command being executed: %windir%\system32\defrag.exe -c -h -k -g -$ If we execute that command manually, the same events are logged.</p> <p align="justify"><a href="http://lh6.ggpht.com/-LlcSy4dE_ag/VPdeAlcAG7I/AAAAAAAACoQ/Y-0eDWFvdrQ/s1600-h/image%25255B38%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhURvQR5N0CnH2b62Bj9mu4B-W2ZH6lRo8c5zHPvjE6l2kA1PDO4puWG8z3nauODLJRXz_SMs7-Keyt35DdnfSy91JbhIs45ph0dYwbMIE_3b8Gnnts2DHR-6cXrHkIbvrHexzR3LjC3Q/?imgmax=800" width="454" height="355" /></a></p> <p align="justify">From defrag.exe /? I can tell that we could omit -k in order to avoid slab analysis and consolidation. However, upon executing the command I’m not really sure much happens in the background.</p> <p align="justify"><a href="http://lh6.ggpht.com/-Xnm1MG93tbM/VPdeCQ6B50I/AAAAAAAACoc/6kios1ksCJQ/s1600-h/image%25255B39%25255D.png"><img title="image" style="border-left-width: 0px; border-right-width: 0px; background-image: none; border-bottom-width: 0px; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-top-width: 0px" border="0" alt="image" src="http://lh3.ggpht.com/-twnCmRHwceQ/VPdeCwUMjDI/AAAAAAAACok/vyIHb6rlWG4/image_thumb%25255B20%25255D.png?imgmax=800" width="454" height="105" /></a></p> <p align="justify">In the following screenshot you can clearly see that for each volume an event with ID 258 is logged: <em>The storage optimizer successfully completed retrim on XYZ</em>. These events are NOT logged when I run the defrag command without the -k switch.</p> <p align="justify"><a href="http://lh4.ggpht.com/-hdwnE2-TeaM/VPdeDQNfTLI/AAAAAAAACpA/jqNYAU9qlLk/s1600-h/image%25255B42%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; background-image: none; border-bottom: 0px; padding-top: 0px; padding-left: 0px; border-left: 0px; display: inline; padding-right: 0px" border="0" alt="image" src="http://lh6.ggpht.com/-pavhHLphmaQ/VPdeFhScwhI/AAAAAAAACpI/VHVe8zTdGEE/image_thumb%25255B23%25255D.png?imgmax=800" width="454" height="193" /></a></p> <p align="justify">Your first reaction might be to disable this scheduled task altogether. You might not care about fragmentation. But you might care about your billing statement… If you care, check: <a title="http://fabriccontroller.net/blog/posts/releasing-unused-space-from-your-windows-azure-virtual-hard-disk-reduce-billable-size/" href="http://fabriccontroller.net/blog/posts/releasing-unused-space-from-your-windows-azure-virtual-hard-disk-reduce-billable-size/">fabriccontroller: Release unused space from your Windows Azure Virtual Hard Disks to reduce their billable size</a> Bottom line: whenever this maintenance task finds unused storage it reclaims it and lowers the overall VHD size. Which means you pay less for your storage account!</p> <p align="justify">I’m not really sure how to move forward. On the one hand I really detest recurring, safe-to-ignore errors in event logs. But I don’t like changing system stuff like this without some official guidance. So if you have something to add, feel free to comment!</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com9tag:blogger.com,1999:blog-62687483129304921.post-42791964378831353782014-11-13T08:02:00.001+01:002014-11-19T17:55:59.223+01:00MaxTokenSize Implications for HTTP.SYS<p align="justify">One of my customers had problems with certain users being members of a lot of Active Directory groups. This resulted in several client-side issues. There’s an easy and well-known “fix” for that: raise the MaxTokenSize registry key on all Windows operating systems in your domain. On Windows 8(.1) / 2012 (R2) the MaxTokenSize is already at its maximum (advised) value out of the box. That value is 48,000 bytes. In order to mitigate these users’ access problems we raised the MaxTokenSize to 48,000 bytes on all clients and servers that are running Windows 7 / Windows 2008 R2. After this change the typical issues were gone. 
However, new ones came up:</p> <p align="justify">From time to time, when HTTP is involved, issues were encountered:</p> <ul> <li> <div align="justify">Opening the Direct Access management console (depends on WinRM)</div> </li> <li> <div align="justify">Opening the FIM Portal</div> </li> <li> <div align="justify">Streaming App-V packages over HTTP</div> </li> <li> <div align="justify">…</div> </li> </ul> <p align="justify">Typically the user would receive several authentication prompts, and even after specifying valid credentials another prompt would reappear. Example browser-based issue:</p> <p align="justify"><a href="http://lh4.ggpht.com/-3vPHXVTef6s/VGzLmhWFzjI/AAAAAAAACmY/VvXlJ6ab06A/s1600-h/image%25255B4%25255D.png"><img title="image" style="border-top: 0px; border-right: 0px; border-bottom: 0px; border-left: 0px; display: inline" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyOccOI_xIg1ndzRSMhxTezupjgOb2cB9LP-xBa8aFwBc_QdhGmmsgLownTOqEALR6PEKnwrQ0rLqQlAZXcF-Go7dWO_FUJnmUYEix2vL4xMneOFQbexCUbveO4GAYizOXMKId8cNAug/?imgmax=800" width="404" height="393" /></a> </p> <p align="justify">As you can see the browser gives an HTTP 400 Bad Request error. Using a network trace we can easily see why it’s considered bad:</p> <p align="justify"><a href="http://lh3.ggpht.com/-5ACgSsu4otc/VGRXa0ibhuI/AAAAAAAACk4/eJgD-pbgyl4/s1600-h/trace01%25255B5%25255D.png"><img title="trace01" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="trace01" src="http://lh5.ggpht.com/-su2uLtHhfz0/VGRXbeh75CI/AAAAAAAAClA/f-ZIaJeAWz8/trace01_thumb%25255B3%25255D.png?imgmax=800" width="454" height="20" /></a> </p> <p align="justify">And the packet details:</p> <p align="justify"><a href="http://lh6.ggpht.com/-j8GiSRhrHEc/VGRXbxqqTUI/AAAAAAAAClI/ZBtz5__NU6M/s1600-h/trace02%25255B5%25255D.png"><img title="trace02" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="trace02" src="http://lh3.ggpht.com/-_aHCgATeqw4/VGRXceKZpJI/AAAAAAAAClQ/jO_MVQjFe8o/trace02_thumb%25255B3%25255D.png?imgmax=800" width="454" height="77" /></a> </p> <p align="justify">The details clearly state that <strong>The size of the request headers is too long.</strong></p> <p align="justify">The problem here is that the token is now allowed to be up to 48,000 bytes where it used to be 12,000 bytes. The HTTP subsystem of a Windows server has several parameters that are supposed to protect the server from oversized requests. However, as the token can now be a lot larger, the maximum request size has to be tuned as well:</p> <p align="justify">From: <a href="http://support2.microsoft.com/kb/820129">KB820129</a></p> <p align="justify">Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters there are two interesting values:</p> <p align="justify"><a href="http://lh4.ggpht.com/-SGuKggYnQ40/VGRXcmVRsWI/AAAAAAAAClY/nQE4jS0Vyic/s1600-h/InfoIIS%25255B5%25255D.png"><img title="InfoIIS" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="InfoIIS" src="http://lh5.ggpht.com/-Z8luOXqXIj4/VGRXdPAkVRI/AAAAAAAAClk/VJXUq7XlEd0/InfoIIS_thumb%25255B3%25255D.png?imgmax=800" width="454" height="98" /></a> </p> <p align="justify">And from <a href="http://support.microsoft.com/kb/2020943">KB2020943</a> we can take a formula to calculate the MaxFieldLength to set based on the MaxTokenSize.</p> <p align="justify">If <strong>MaxTokenSize</strong> is 48,000 bytes (the default in Windows 2012 and configured by GPO for 2008 R2 / Win7):</p> <ul> <li> <div align="justify">(4/3 * 48000) + 200 = 64200</div> </li> </ul> <p align="justify">We’ll use the maximum allowed value for MaxFieldLength, 65534 (just above the 64200 computed here), to allow tokens up to 48000 bytes. 
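</p> <p align="justify">Putting the numbers above into a reusable form, as an added example that is not code from the original post: the functions below apply the KB2020943 formula quoted here (4/3 of MaxTokenSize plus 200 bytes, capped at 65534, the largest value HTTP.sys accepts for MaxFieldLength), show what is currently configured under the HTTP\Parameters key, and write MaxFieldLength and MaxRequestBytes as REG_DWORD values with -WhatIf support so the change can be reviewed before it is pushed out. The function names are mine; the registry path, the formula and the 48000-byte token size are the ones given in this post.</p>

```powershell
# Added example, not from the original post: size the HTTP.sys header limits for a given MaxTokenSize.
# Formula as quoted from KB2020943 in the post: MaxFieldLength = (4/3 * MaxTokenSize) + 200, capped
# at 65534, the largest value HTTP.sys accepts. Function names are mine; the registry path is the post's.

$HttpParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$HttpSysMaximum = 65534

function Get-HttpSysHeaderLimit {
    # MaxFieldLength needed for a token of $MaxTokenSize bytes. The 4/3 factor is the Base64 growth
    # of the Kerberos ticket inside the Authorization header; 200 bytes cover the rest of the line.
    param([Parameter(Mandatory=$true)][int]$MaxTokenSize)

    $needed = [int][math]::Ceiling((4 * $MaxTokenSize) / 3) + 200   # integer maths, no rounding surprises
    if ($needed -gt $HttpSysMaximum) {
        Write-Warning "A $MaxTokenSize-byte token needs a $needed-byte header limit; capping at $HttpSysMaximum"
        $needed = $HttpSysMaximum
    }
    return $needed
}

function Get-HttpSysCurrentSettings {
    # What is configured now; a missing value means HTTP.sys runs with its built-in default.
    $props = Get-ItemProperty -Path $HttpParamsPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxFieldLength  = if ($props -and $null -ne $props.MaxFieldLength)  { $props.MaxFieldLength }  else { 'default' }
        MaxRequestBytes = if ($props -and $null -ne $props.MaxRequestBytes) { $props.MaxRequestBytes } else { 'default' }
    }
}

function Set-HttpSysHeaderLimits {
    # Writes both values as REG_DWORD. -WhatIf shows the planned change without touching the registry.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [int]$MaxTokenSize = 48000,
        # must be at least MaxFieldLength; the post deliberately uses 65534 rather than the far larger
        # maximum this value allows
        [int]$MaxRequestBytes = $HttpSysMaximum
    )

    $fieldLength = Get-HttpSysHeaderLimit -MaxTokenSize $MaxTokenSize
    if ($MaxRequestBytes -lt $fieldLength) {
        throw "MaxRequestBytes ($MaxRequestBytes) must not be smaller than MaxFieldLength ($fieldLength)"
    }
    if (-not (Test-Path $HttpParamsPath)) { New-Item -Path $HttpParamsPath -Force | Out-Null }

    if ($PSCmdlet.ShouldProcess($HttpParamsPath, "Set MaxFieldLength=$fieldLength and MaxRequestBytes=$MaxRequestBytes")) {
        Set-ItemProperty -Path $HttpParamsPath -Name 'MaxFieldLength'  -Value $fieldLength     -Type DWord
        Set-ItemProperty -Path $HttpParamsPath -Name 'MaxRequestBytes' -Value $MaxRequestBytes -Type DWord
        Write-Host "Values written; HTTP.sys picks them up when the HTTP service is restarted (in practice: reboot)."
    }
}

# Usage: report the current state, then preview the change for the 48000-byte token size from the post.
Get-HttpSysCurrentSettings
Set-HttpSysHeaderLimits -MaxTokenSize 48000 -WhatIf
```

<p align="justify">Run it elevated. With -WhatIf it only prints the planned change; without it the values are written and take effect once the HTTP service is restarted, which in practice means a reboot because so many services depend on it. The cap is worth noticing: a token size above about 49000 bytes would need more than 65534 bytes of header, which HTTP.sys cannot be configured to accept, so the token size itself is the only remaining knob at that point.</p> <p align="justify">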
We’ll also use this value for MaxRequestBytes.</p> <p align="justify"><a href="http://lh3.ggpht.com/-n1f1MwcL2MM/VGRXdobIOnI/AAAAAAAAClo/S70usu2VjTQ/s1600-h/col%25255B3%25255D.png"><img title="col" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="col" src="http://lh6.ggpht.com/-GKyNLe0B5aE/VGRXeM8ZhQI/AAAAAAAACl0/Bqca-b-zEiY/col_thumb%25255B1%25255D.png?imgmax=800" width="313" height="66" /></a></p> <ul> <li> <div align="justify"><strong>MaxFieldLength</strong>: we can take the maximum allowed value: 65534</div> </li> <li> <div align="justify"><strong>MaxRequestBytes</strong>: 65534</div> </li> </ul> <p align="justify">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters</p> <p align="justify"><a href="http://lh6.ggpht.com/-41dgNQeRCmE/VGRXex4q_wI/AAAAAAAACl8/bj9ZyrEm6ks/s1600-h/reg%25255B4%25255D.png"><img title="reg" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="reg" src="http://lh3.ggpht.com/-oqnhc2DU9Ho/VGRXfWnZruI/AAAAAAAACmE/UN2N1Ok1LHY/reg_thumb%25255B2%25255D.png?imgmax=800" width="404" height="138" /></a> </p> <p align="justify">Other useful information:</p> <ul> <li> <div align="justify"><a href="http://blogs.msdn.com/b/ashishsingh/archive/2010/04/03/windows-authentication-for-accounts-with-large-kerberos-tickets-may-not-work-despite-having-maxtokensize-in-place.aspx">http://blogs.msdn.com/b/ashishsingh/archive/2010/04/03/windows-authentication-for-accounts-with-large-kerberos-tickets-may-not-work-despite-having-maxtokensize-in-place.aspx</a></div> </li> <li> <div align="justify"><a href="http://www.grouppolicy.biz/2013/06/how-to-configure-iis-to-support-large-ad-token-with-group-policy/">http://www.grouppolicy.biz/2013/06/how-to-configure-iis-to-support-large-ad-token-with-group-policy/</a></div> </li> </ul> <p align="justify">I 
specifically wanted to post this information because in many other online articles/posts I see people just using the maximum allowed value for MaxRequestBytes, and I don’t feel 100% comfortable with that. Second, in my opinion it’s advisable to push these values out to all your server systems, especially now that Windows 2012 and up have a MaxTokenSize of 48,000 by default. If you don’t push these HTTP.sys parameters, you’ll end up troubleshooting the same phenomenon multiple times from different angles. Why waste time?</p> Thomashttp://www.blogger.com/profile/12651864373303201993noreply@blogger.com1tag:blogger.com,1999:blog-62687483129304921.post-42791964378831353782014-11-05T20:37:00.001+01:002014-11-05T20:43:27.677+01:003PAR: Connect to WebAPI using PowerShell<p align="justify">I’m currently involved in a CloudCruiser implementation. CloudCruiser is not one of my usual technologies, but as it’s something new to me it’s refreshing to do. CloudCruiser allows you to collect information from your infrastructure and then generate billing information. You could generate bills for virtual machine instances or storage usage. My customer has 3PAR storage and I had to write a script which runs frequently and collects volume information.</p> <p align="justify">As far as I can tell there are two approaches:</p> <ul> <li> <div align="justify">Use the 3PAR CLI utilities</div> </li> <li> <div align="justify">Use the 3PAR Web API</div> </li> </ul> <p align="justify">I wanted to avoid the CLI utilities. They need to be installed (or copied) to the server where you want to run the script, and integrating these tools and their data with PowerShell is less intuitive. I loved the idea of a Web API. This goes hand in hand with the Invoke-WebRequest cmdlet in PowerShell. This cmdlet does much of the heavy lifting and makes it really easy to talk to a given Web API. Here’s how I connected to the 3PAR device and how I got the volume information. 
</p> <p align="justify">Calling a method of the 3PAR Web API is a two-part job: first you have to call the /credentials method using an HTTP POST and provide a valid username and password. The result of that call will be a session key that you can use in subsequent calls to the Web API. </p> <p align="justify"><u><strong>Getting the session key:</strong></u></p> <pre style="font-size: 10pt; font-family: consolas,lucida console; border: black 1px solid; padding: 5px; overflow: auto">#Credentials of the account used for the Web API
$username = "3PAR user"
$password = "3PAR user password"

#IP of the 3PAR device
$IP = "10.0.0.1"
#API URL
$APIurl = "https://$($IP):8080/api/v1"

#POST the credentials as a JSON document and ask for a JSON answer
$postParams = @{user=$username;password=$password} | ConvertTo-Json
$headers = @{}
$headers["Accept"] = "application/json"
$credentialdata = Invoke-WebRequest -Uri "$APIurl/credentials" -Body $postParams -ContentType "application/json" -Headers $headers -Method POST -UseBasicParsing
#the session key that every subsequent call has to carry
$key = ($credentialdata.Content | ConvertFrom-Json).key</pre> <p align="justify">And that’s it! After this you should get a string in the $key variable which can be used in calls further down the script. But I have to take a step back. To be honest, the above code didn’t work. The problem in my case was that I was accessing the API over HTTPS but the certificate couldn’t be validated. 
I was using the IP to access the device and it was a self-signed certificate. So, reasons enough for the Invoke-WebRequest cmdlet to be sad… I found the following workaround, which you can place somewhere before your first Invoke-WebRequest cmdlet:</p> <pre style="font-size: 10pt; font-family: consolas,lucida console; border: black 1px solid; padding: 5px; overflow: auto">#avoid issues with an invalid (self-signed) certificate; try to avoid tabs/spaces before the closing "@ as this might mess up the string block
#http://stackoverflow.com/questions/11696944/powershell-v3-invoke-webrequest-https-error
Add-Type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
#from here on every HTTPS call made by this process accepts any certificate
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy</pre> <p align="justify"><u><strong>Calling the method:</strong></u></p> <p align="justify">And now on to the actual magic. Here we’ll do a GET to the /volumes method.</p> <pre style="font-size: 10pt; font-family: consolas,lucida console; border: black 1px solid; padding: 5px; overflow: auto">$headers = @{}
$headers["Accept"] = "application/json"
#the session key from the /credentials call travels in this header
$headers["X-HP3PAR-WSAPI-SessionKey"] = $key
$volumedata = Invoke-WebRequest -Uri "$APIurl/volumes" -ContentType "application/json" -Headers $headers -Method GET -UseBasicParsing
$volumedataPS = ($volumedata.content | ConvertFrom-Json).members
#also works (Invoke-RestMethod returns the parsed object, so read .members from it directly):
#$volumedata = Invoke-RestMethod -Uri "$APIurl/volumes" -ContentType "application/json" -Headers $headers -Method GET</pre> <p align="justify">And that’s all there is to it! $volumedataPS now contains an array with objects you can iterate through. No need to work with intermediate CSV files or other tricks.</p> <p align="justify">Some additional information:</p> <p align="justify">The <strong>UseBasicParsing</strong> parameter. When running the PowerShell script as the user I was logged in as, I didn’t have any trouble. Once I started running it as SYSTEM (for a scheduled task), it gave the following error: <em>Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.</em> UseBasicParsing seems to avoid using the IE engine altogether, and thus the script runs fine under SYSTEM.</p> <p align="justify"><strong>Invoke-WebRequest</strong> versus <strong>Invoke-RestMethod:</strong> It’s my understanding that they both work for calling the Web API, but Invoke-WebRequest seems to return more information regarding the actual call whereas Invoke-RestMethod simply returns the requested data. I figured this might help when adding additional logging.</p> <p align="justify">The Web API might not be enabled by default. 
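</p> <p align="justify">Putting the pieces of this post together, as an added example that is not the post’s own code: the TrustAllCertsPolicy workaround above makes every HTTPS call in the process accept any certificate, so anyone positioned between the script and the device would see the credentials and the session key. The function below keeps the same /credentials and /volumes calls and the X-HP3PAR-WSAPI-SessionKey header, but pins the check to the device’s own certificate thumbprint, takes the account from Get-Credential instead of a literal in the script, wraps the calls in try/catch with the HTTP status logged (the error handling the CommVault post above also recommends), and closes the session afterwards. Assumptions not on the page: the thumbprint value is a placeholder you replace with the SHA-1 thumbprint shown on the 3PAR certificate; the DELETE /credentials/{key} call and the name and sizeMiB volume fields come from the HPE 3PAR WSAPI reference; the function and variable names are mine.</p>

```powershell
# Added example, not the post's own code: the /credentials -> /volumes sequence with certificate
# pinning, a credential prompt, error handling and session cleanup.
# Assumptions (not on the page): the thumbprint is a placeholder for the SHA-1 thumbprint of the
# 3PAR certificate; DELETE /api/v1/credentials/<key> ends a session and volume objects carry
# 'name' and 'sizeMiB', both taken from the HPE 3PAR WSAPI reference.

# Trust exactly one certificate instead of all of them. A certificate that validates normally
# passes; anything else passes only when its thumbprint equals the pinned value. Written in C#
# because the callback runs on a thread without a PowerShell runspace, where a script block fails.
if (-not ('PinnedCertValidator' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertValidator {
    public static string ExpectedThumbprint = "";
    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) {
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null || string.IsNullOrEmpty(ExpectedThumbprint)) { return false; }
        return string.Equals(cert.GetCertHashString(), ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
    public static void Install() {
        ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(Validate);
    }
}
"@
}

function Get-3ParVolumes {
    param(
        [Parameter(Mandatory=$true)][string]$DeviceIP,
        [Parameter(Mandatory=$true)][string]$DeviceThumbprint,   # placeholder: SHA-1 thumbprint of the 3PAR certificate
        [Parameter(Mandatory=$true)][pscredential]$Credential    # from Get-Credential, never a literal in the script
    )
    $apiUrl = "https://$($DeviceIP):8080/api/v1"
    [PinnedCertValidator]::ExpectedThumbprint = $DeviceThumbprint -replace '[:\s]', ''
    [PinnedCertValidator]::Install()

    $headers = @{ Accept = 'application/json' }
    $key = $null
    try {
        # Session key: the same POST as in the post, but the password only exists for the request body.
        $body = @{ user = $Credential.UserName; password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json
        $resp = Invoke-WebRequest -Uri "$apiUrl/credentials" -Method POST -Body $body -ContentType 'application/json' -Headers $headers -UseBasicParsing -ErrorAction Stop
        $key = ($resp.Content | ConvertFrom-Json).key
        if (-not $key) { throw "Login answered HTTP $($resp.StatusCode) but returned no session key" }

        # Authenticated call: the key travels in the X-HP3PAR-WSAPI-SessionKey header.
        $headers['X-HP3PAR-WSAPI-SessionKey'] = $key
        $resp = Invoke-WebRequest -Uri "$apiUrl/volumes" -Method GET -Headers $headers -UseBasicParsing -ErrorAction Stop
        return ($resp.Content | ConvertFrom-Json).members
    }
    catch [System.Net.WebException] {
        # Invoke-WebRequest throws on 4xx/5xx and on a failed certificate check; log the status
        # (a wrong password shows up as a 4xx here) instead of letting a scheduled task die silently.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        Write-Error "3PAR WSAPI call to $DeviceIP failed (HTTP $status): $($_.Exception.Message)"
        return @()
    }
    catch {
        Write-Error "3PAR WSAPI call to $DeviceIP failed: $($_.Exception.Message)"
        return @()
    }
    finally {
        # Release the session so abandoned keys do not pile up on the device (assumed endpoint, see above).
        if ($key) {
            try { Invoke-WebRequest -Uri "$apiUrl/credentials/$key" -Method DELETE -Headers $headers -UseBasicParsing -ErrorAction Stop | Out-Null }
            catch { Write-Warning "Could not close the 3PAR session: $($_.Exception.Message)" }
        }
    }
}

# Usage (interactive): prompt for the 3PAR account, then list volume names and sizes (assumed field names).
# $cred = Get-Credential -Message '3PAR WSAPI account'
# Get-3ParVolumes -DeviceIP '10.0.0.1' -DeviceThumbprint 'REPLACE-WITH-DEVICE-THUMBPRINT' -Credential $cred |
#     Select-Object name, sizeMiB
```

<p align="justify">Pinning means the thumbprint has to be updated when the device certificate is renewed; the alternative that avoids that chore is to import the device certificate into the machine’s Trusted Root store and address the device by the name on the certificate, after which the default validation succeeds and the Validate method returns early. The credential prompt suits interactive use; for the SYSTEM scheduled task mentioned in this post, store the PSCredential once with Export-Clixml under that account (the password is then protected with DPAPI for that account) and read it back with Import-Clixml in the task.</p> <p align="justify">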
You could provide the following instructions to your 3PAR admin: <a title="http://helpcenter.veeam.com/backup/70/free/add_3par_enable_web.html" href="http://helpcenter.veeam.com/backup/70/free/add_3par_enable_web.html">Veeam: Enabling the HP 3PAR Web Services API Server</a>. They are from Veeam, but I found them to be accurate.</p>
Thomas http://www.blogger.com/profile/12651864373303201993 noreply@blogger.com 6
tag:blogger.com,1999:blog-62687483129304921.post-6720349615991771202 2014-10-27T23:21:00.001+01:00 2014-10-27T23:21:27.048+01:00
Windows Technical Preview: Cannot Update the System Reserved Partition
<p align="justify">Last week a new build for Windows Technical Preview (“Windows 10”) was available. You can easily find out by going to PC settings: Windows + C > Settings > Change PC Settings > Update and Recovery > Preview Builds</p> <p align="justify"><a href="http://lh5.ggpht.com/-yMA1TM3ldV8/VE7FL_cPikI/AAAAAAAACgw/LqwJO6Wc4Zk/s1600-h/1.UpdateAv%25255B3%25255D.png"><img title="1.UpdateAv" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="1.UpdateAv" src="http://lh4.ggpht.com/-xBfUUGAKTbw/VE7FMUXAyJI/AAAAAAAACg4/GhLQkD8A8lE/1.UpdateAv_thumb%25255B1%25255D.png?imgmax=800" width="304" height="138" /></a> </p> <p align="justify">My current version (build 9841):</p> <p align="justify"><a href="http://lh5.ggpht.com/-OjYyWeediWY/VE7FNL5O5lI/AAAAAAAACg8/iBsHwc--atw/s1600-h/beforeVersion%25255B3%25255D.png"><img title="beforeVersion" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="beforeVersion" src="http://lh5.ggpht.com/-7oJ2cp1qcoI/VE7FNf-5zQI/AAAAAAAAChE/SnvhjQvuGSQ/beforeVersion_thumb%25255B1%25255D.png?imgmax=800" width="304" height="93" /></a> </p> <p align="justify">Upon clicking Install now I got the following error:</p> <p align="justify"><a 
href="http://lh6.ggpht.com/-OT-Epk_aYOY/VE7FN09cIaI/AAAAAAAAChQ/soOLYMg85qE/s1600-h/2.error%25255B4%25255D.png"><img title="2.error" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="2.error" src="http://lh6.ggpht.com/-Id2GQwlXm7s/VE7FOdVCEsI/AAAAAAAAChY/ggdCcYnvpDE/2.error_thumb%25255B2%25255D.png?imgmax=800" width="454" height="227" /></a> </p> <p align="justify">In words: <em>Failed to install the new preview build, please try again later. 0x80246007</em></p> <p align="justify">After rebooting and trying again:</p> <p align="justify"><a href="http://lh6.ggpht.com/-d-dvuH_Jywo/VE7FPEZLDXI/AAAAAAAAChc/dvyLtKY-8pc/s1600-h/Error%25255B5%25255D.png"><img title="Error" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="Error" src="http://lh3.ggpht.com/-dw9qeORY1Mw/VE7FPst-sVI/AAAAAAAACho/dgIX4bIVurQ/Error_thumb%25255B3%25255D.png?imgmax=800" width="454" height="257" /></a> </p> <p align="justify">In words: <em>Couldn’t install Windows Technical Preview. We couldn’t update the system reserved partition.</em></p> <p align="justify"><a href="http://lh3.ggpht.com/-CHKXcnKPnfo/VE7FQBCMFHI/AAAAAAAAChs/jIjdQJu8YWs/s1600-h/4.ERROR%25255B3%25255D.png"><img title="4.ERROR" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="4.ERROR" src="http://lh4.ggpht.com/-fgQ_cw8Ji-Y/VE7FQuTDT4I/AAAAAAAACh4/uwoTB9kieno/4.ERROR_thumb%25255B1%25255D.png?imgmax=800" width="454" height="188" /></a> </p> <p align="justify">In words: <em>Failed to install the new preview build, please try again later. 
0xC1900200</em></p> <p align="justify">I opened up diskmgmt.msc to find out what was wrong with my system reserved partition:</p> <p align="justify"><a href="http://lh4.ggpht.com/-JSHcEdwKQXs/VE7FRFhBrGI/AAAAAAAACh8/49FufvoGqis/s1600-h/5.Disk%25255B3%25255D.png"><img title="5.Disk" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="5.Disk" src="http://lh5.ggpht.com/-S2rXGOHoTrw/VE7FRm6og6I/AAAAAAAACiI/1HRjO3UHagM/5.Disk_thumb%25255B1%25255D.png?imgmax=800" width="454" height="109" /></a> </p> <p align="justify">As you can see, the first partition (system reserved) was quite full. I assigned a drive letter and started looking around. The easiest way to do this is to use PsExec (<a title="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" href="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx">http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx</a>) and start a command prompt as System (psexec -s cmd). If you use a regular command prompt you’ll get some access denied errors here and there, as your local administrator user might not have access to some system-managed files/folders. Using dir /a you’ll be able to drill down through the structure. 
Eventually I ended up at H:\Recovery\WindowsRE\, which contained a 309 MB file, WinRE.wim.</p> <p align="justify"><a href="http://lh6.ggpht.com/-fF9oVjsFj9g/VE7FSOv3SXI/AAAAAAAACiM/0nV_dFsUC3s/s1600-h/WinRE%25255B4%25255D.png"><img title="WinRE" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="WinRE" src="http://lh3.ggpht.com/-_3UyCs0qU3M/VE7FSWQPiyI/AAAAAAAACiU/8EhzgCjAfLw/WinRE_thumb%25255B2%25255D.png?imgmax=800" width="454" height="170" /></a> </p> <p align="justify">This WinRE.wim contains a Windows Recovery Environment which you can boot when your system is having issues. It’s not vital that this is stored in the system reserved partition, so I thought I’d move it. Using “reagentc.exe /info” or “bcdedit /enum all” you can also see this configuration:</p> <p align="justify"><a href="http://lh3.ggpht.com/-RhzCdjDJyXg/VE7FS0Rd24I/AAAAAAAACic/psCSxvnqS10/s1600-h/Reagentc%25255B3%25255D.png"><img title="Reagentc" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="Reagentc" src="http://lh5.ggpht.com/-2CmWGlGqlBo/VE7FTcbNnMI/AAAAAAAACik/s_3-iEKycN4/Reagentc_thumb%25255B1%25255D.png?imgmax=800" width="454" height="190" /></a> </p> <p align="justify">I then started messing around with takeown, and eventually I just used Windows Explorer and moved the Recovery folder to my second internal HDD (D:\), which I use as a data volume. After moving the files I could see that the WinRE configuration was disabled. I googled around a bit to find out how I could update the information to reflect the new location. There seemed to be a reagentc command available, but although it stated success, my configuration wasn’t updated to reflect the new path. 
So I used Visual BCD (<a title="http://www.boyans.net/" href="http://www.boyans.net/">http://www.boyans.net/</a>) to change the BCD parameters directly:</p> <p align="justify">I updated both Windows Recovery Device options (edit SdiDevice and choose D: as the partition)</p> <p align="justify"><a href="http://lh5.ggpht.com/-3P15hK-Tybw/VE7FT98bajI/AAAAAAAACis/IClOdkBjY8Q/s1600-h/visualBcd1%25255B3%25255D.png"><img title="visualBcd1" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="visualBcd1" src="http://lh3.ggpht.com/-GyPzU0T3h7A/VE7FUkNq56I/AAAAAAAACi0/_TURN6evf8Q/visualBcd1_thumb%25255B1%25255D.png?imgmax=800" width="454" height="293" /></a></p> <p align="justify">The same for the Windows Recovery Environment loaders (edit ApplicationDevice and OSDevice)</p> <p align="justify"><a href="http://lh3.ggpht.com/-9IU0F_TFqK0/VE7FU79x7wI/AAAAAAAACi8/1ikXfzxZc14/s1600-h/visualBcd2%25255B3%25255D.png"><img title="visualBcd2" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="visualBcd2" src="http://lh3.ggpht.com/-ukIqaiO9UMs/VE7FVjZiJXI/AAAAAAAACjI/_Y5_ibKo2c4/visualBcd2_thumb%25255B1%25255D.png?imgmax=800" width="454" height="291" /></a> </p> <p align="justify">Now my configuration showed as enabled again:</p> <p align="justify"><a href="http://lh5.ggpht.com/-SuohMR5pg5I/VE7FWAIu_9I/AAAAAAAACjM/tgVsP8x_hlo/s1600-h/reagentcafter%25255B3%25255D.png"><img title="reagentcafter" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="reagentcafter" src="http://lh4.ggpht.com/-B2Lq9oucSWo/VE7FWuizAlI/AAAAAAAACjU/1lPhri0dNbA/reagentcafter_thumb%25255B1%25255D.png?imgmax=800" width="454" height="132" /></a> </p> <p align="justify">After making some free room I could now successfully install the latest build:</p> <p 
align="justify"><a href="http://lh3.ggpht.com/-J8aCHz4DoGw/VE7FXOlMAVI/AAAAAAAACjc/HOClOOXUA-k/s1600-h/AfterVersion%25255B3%25255D.png"><img title="AfterVersion" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="AfterVersion" src="http://lh6.ggpht.com/-PfxY2PVYdJw/VE7FXkfdweI/AAAAAAAACjk/rb7d2eobR50/AfterVersion_thumb%25255B1%25255D.png?imgmax=800" width="304" height="88" /></a> </p> <p align="justify">Eventually it seemed that the update process also moved (or recreated?) the WinRE environment on my C:\ drive. The Recovery folder I moved was empty (apart from the logs folder). Using reagentc /info I could also see that the WinRE.wim was now coming from the C:\ partition. So I guess this worked out fine for me.</p> <p align="justify">On a final note: there’s a new option available to set your preference as to how fast you want to receive new builds:</p> <p align="justify"><a href="http://lh5.ggpht.com/-QeCXFmqf0ks/VE7FX6-70FI/AAAAAAAACjs/oPKyE0Z3ZI0/s1600-h/PreviewSpeed%25255B3%25255D.png"><img title="PreviewSpeed" style="border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; display: inline; border-top-width: 0px" border="0" alt="PreviewSpeed" src="http://lh4.ggpht.com/-bbTBakG4PrY/VE7FYtw32sI/AAAAAAAACj0/-heqSDU_aYY/PreviewSpeed_thumb%25255B1%25255D.png?imgmax=800" width="454" height="105" /></a> </p> <p align="justify">This is also explained on an official Microsoft blog: <a title="http://blogs.windows.com/bloggingwindows/2014/10/21/were-rolling-out-our-first-new-build-to-the-windows-insider-program/" href="http://blogs.windows.com/bloggingwindows/2014/10/21/were-rolling-out-our-first-new-build-to-the-windows-insider-program/">blogs.windows.com: We’re rolling out our first new build to the Windows Insider Program</a></p> <p align="justify"><a href="http://lh3.ggpht.com/-5pPZAk9gX-4/VE7FY4zB1oI/AAAAAAAACj8/8K9B7is3qdQ/s1600-h/Ring2%25255B3%25255D.png"><img 
title="Ring2" style="border-top: 0px; border-right: 0px; border-bottom: 0px; border-left: 0px; display: inline" border="0" alt="Ring2" src="http://lh6.ggpht.com/-kAmZ_60dxZ8/VE7FZRFS4yI/AAAAAAAACkE/GnjFVQZ91sY/Ring2_thumb%25255B1%25255D.png?imgmax=800" width="404" height="139" /></a></p>
Thomas http://www.blogger.com/profile/12651864373303201993 noreply@blogger.com 8
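<p align="justify">The checks the post performs by hand (diskmgmt.msc for the partition’s free space, reagentc /info for the WinRE location, dir /a under a temporary drive letter to find what is eating the space) can be scripted so the state of the System Reserved partition is known before an upgrade is attempted. The PowerShell below is an added example and not code from the post. It assumes an elevated PowerShell on Windows 8.1/10 with the built-in Storage module cmdlets (Get-Partition, Get-Volume, Add-PartitionAccessPath, Remove-PartitionAccessPath), assumes that reagentc /info prints its usual “Windows RE status:” and “Windows RE location:” lines, and the function names and the 15 MB warning threshold are the example’s own. It only reads: it does not move WinRE or edit the BCD.</p>

```powershell
# Added example (not from the original post): read-only diagnostics for the
# System Reserved partition and the WinRE configuration, so a full partition is
# spotted before an upgrade fails with 0xC1900200. Run from an elevated PowerShell.
# Assumptions: Windows 8.1/10 Storage module (Get-Partition, Get-Volume,
# Add-/Remove-PartitionAccessPath) and that "reagentc /info" prints
# "Windows RE status:" and "Windows RE location:" lines. Function names are ours.

function Get-SystemReservedPartition {
    # On a BIOS/MBR install the partition flagged IsSystem holds the boot files (BCD),
    # i.e. the "System Reserved" partition shown in diskmgmt.msc.
    $part = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    if (-not $part) { throw 'No partition with IsSystem=True was found.' }
    $part
}

function Get-SystemReservedUsage {
    $part = Get-SystemReservedPartition
    $vol  = Get-Volume -Partition $part
    [pscustomobject]@{
        DiskNumber      = $part.DiskNumber
        PartitionNumber = $part.PartitionNumber
        SizeMB          = [math]::Round($part.Size / 1MB, 1)
        FreeMB          = [math]::Round($vol.SizeRemaining / 1MB, 1)
        PercentFree     = [math]::Round(100 * $vol.SizeRemaining / $vol.Size, 1)
    }
}

function Get-WinReInfo {
    # Same information the post read from "reagentc.exe /info", parsed into an object.
    $info = @{ Status = $null; Location = $null }
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ("$line" -match '^\s*Windows RE status:\s*(.+?)\s*$')   { $info.Status   = $Matches[1] }
        if ("$line" -match '^\s*Windows RE location:\s*(.+?)\s*$') { $info.Location = $Matches[1] }
    }
    [pscustomobject]$info
}

function Get-LargestFilesOnSystemReserved {
    param([int]$Top = 10)
    # Mount the partition under a temporary drive letter if it has none (the post did
    # this in diskmgmt.msc), list the biggest files the way "dir /a" would, then unmount.
    $part = Get-SystemReservedPartition
    $hasLetter = ($null -ne $part.DriveLetter) -and ([int][char]$part.DriveLetter -ne 0)
    if (-not $hasLetter) {
        Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AssignDriveLetter
        $part = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
    }
    $root = "$($part.DriveLetter):\"
    try {
        # -Force includes hidden/system entries; entries the admin token cannot read are
        # skipped instead of aborting (the post sidestepped those by running cmd as SYSTEM).
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Sort-Object Length -Descending |
            Select-Object -First $Top FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }
    }
    finally {
        if (-not $hasLetter) {
            Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
        }
    }
}

# Usage: print the report, and list the space hogs only when the partition is nearly full
# (15 MB is an illustrative threshold, not a Microsoft figure).
$usage = Get-SystemReservedUsage
$usage | Format-List
Get-WinReInfo | Format-List
if ($usage.FreeMB -lt 15) {
    Write-Warning "System Reserved has $($usage.FreeMB) MB free; the upgrade may fail with 0xC1900200."
    Get-LargestFilesOnSystemReserved -Top 10 | Format-Table -AutoSize
}
```

<p align="justify">Two caveats when using this. On a UEFI/GPT install, IsSystem marks the EFI System Partition rather than an MBR “System Reserved” partition, and WinRE normally lives in a separate recovery partition, so the lookup above matches the BIOS/MBR layout the post shows. And an elevated administrator token is still not SYSTEM: directories ACL’d to SYSTEM only are skipped silently by the listing, which is exactly the situation the post handled with psexec -s cmd.</p>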