Exchange 2010 Update Rollups Fail


Update: This has been fixed in Exchange 2010 SP1 Rollup 3

We recently ran into an issue when trying to apply the latest rollups for Exchange 2010 SP1. We never had this problem with the rollups on Exchange 2007.

When the update fails, it rolls back, but it leaves all dependent services in a “Disabled” state (the rollback does not restore the services to their previous start types, which is very bad). To find out which services it changed, the easiest way is to look in the System Event Log and see which services were modified.

This issue occurs when you have the “PowerShell Execution Policy” defined in group policy. You can find this policy in the Group Policy Management Editor under: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution.

The only workaround I could find is to temporarily disable your GPO that configures this policy on your Exchange server (or exclude your Exchange servers from the policy). After the patch has completed successfully, the policy can (should) be re-applied. Hopefully Microsoft will fix this for future rollups.
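As an added example (not part of the original post), the following PowerShell does the two checks described above: it shows whether the execution policy is being enforced through Group Policy, and it pulls the Service Control Manager's start-type change events (Event ID 7040) from the System log to list the services the failed rollup left Disabled. The two-hour look-back window is an assumption; widen it to cover the time the rollup ran.

```powershell
# Added example, not part of the original post.
# 1. Is the execution policy being forced by Group Policy? Anything other than
#    'Undefined' in the MachinePolicy scope means the GPO described above applies.
$machinePolicy = Get-ExecutionPolicy -List |
    Where-Object { $_.Scope -eq 'MachinePolicy' } |
    ForEach-Object { $_.ExecutionPolicy }
"Execution policy from GPO (MachinePolicy scope): $machinePolicy"

# 2. Service Control Manager writes Event ID 7040 to the System log every time a
#    service start type changes, e.g. "The start type of the X service was changed
#    from auto start to disabled." Look back over the window the rollup ran in
#    (assumed here: the last 2 hours).
$since  = (Get-Date).AddHours(-2)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Keep only changes that ended in 'disabled' and extract the service display name.
$disabledByUpdate = foreach ($e in $events) {
    if ($e.Message -match 'start type of the (?<svc>.+?) service was changed from (?<from>.+?) to disabled') {
        New-Object PSObject -Property @{
            Time              = $e.TimeCreated
            Service           = $Matches['svc']
            PreviousStartType = $Matches['from']
        }
    }
}

# 3. Cross-check with WMI so only services that are *still* Disabled are reported;
#    Win32_Service.StartMode is available on every Windows version the rollups target.
foreach ($d in ($disabledByUpdate | Sort-Object Time)) {
    $name = $d.Service.Replace("'", "\'")          # WQL escaping for display names with apostrophes
    $svc  = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        "{0:u}  {1,-45} still Disabled (was '{2}')" -f $d.Time, $svc.Name, $d.PreviousStartType
    }
}
```

The PreviousStartType column tells you what to set each service back to (Set-Service -StartupType) once the rollup has been applied successfully.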

Endpoint Protection February 2015 Update Problem (4.7.205)


Update 3/2: Today Microsoft has released an update to resolve this problem (KB3041687). The update brings the client version to 4.7.209. You can find more about the update here: http://support2.microsoft.com/kb/3041687

This last Tuesday (February 12, 2015) Microsoft released a platform update to Endpoint Protection (4.7.205). This update appears to have a major issue with Windows 8.1/Windows Server 2012 R2. I have not seen these issues in Windows 7. In my environment, I saw two problems with the update.

First, the update failed to install when installed alongside other updates. This also caused all other updates that were being run to fail, and they would not complete until the system was rebooted. Secondly, once I got the update installed (by installing it standalone), downloads began to fail in Internet Explorer, stating that the file has been deleted. It has also been reported that this affects Chrome as well, but not Firefox.

The only solution is to uninstall and reinstall without the update. Even disabling scanning of downloads does not help. Currently waiting to hear something

High CPU on IIS Server 2016 from MsMpEng.exe


If you are running production load on an IIS server that is also running Windows Server 2016, and you are running Windows Defender/Endpoint Protection with Real-Time Protection enabled on this server, you may find that MsMpEng.exe (Windows Antimalware service) is taking a lot of CPU and causing IIS performance issues.

Fortunately the solution is relatively simple. After some trial and error, I was able to find that the Real-Time Protection setting: “Scan all downloaded files and enable exploit protection for Internet Explorer” was the culprit. Simply changing this setting to “No” immediately solved the problem.

I have found this setting does not appear to cause issues in Windows Server 2008 R2, 2012 or 2012 R2, only 2016. Also, in Server 2016, this setting is not exposed via the UI on the server and must be managed via System Center Configuration Manager (or manually edit the registry).

I did not notice an issue on IIS servers with low load (as Windows Defender could keep up), but once the server started handling hundreds or thousands of connections, MsMpEng.exe (the Windows Antimalware service) would immediately peg the CPU at 100%.

Azure RMS Connector Installation Issue


When trying to set up the Azure Active Directory Rights Management Server Connector, I ran into some problems when trying to install the Connector in relation to the credentials to connect to Azure RMS.

I followed the Microsoft steps at https://technet.microsoft.com/en-us/library/dn375964.aspx to create a new account and grant this account “ConnectorAdministrator” permissions. Note: If you are using an account that does not have an email address, you must use the ObjectID parameter in order to add the account to the ConnectorAdministrator role. You can get this information by using the Azure Active Directory cmdlet Get-MSOLUser.

Once I had my account created and permissions granted, I tried to use this account in the Microsoft Rights Management Connector setup wizard. Here, I kept getting an Invalid Username and Password error. I tested my new user account via the Office 365 portal and it worked fine. I also double and triple checked the password and confirmed it was correct. I then tried using some new passwords and found that a different password worked. This implies that there must be a bug in the setup wizard. In my case, the character that was causing the failure was a “&” symbol. If the password for the account contains a “&” symbol, the wizard will fail the login. Apparently there is an issue with the password field handling certain symbols. I didn’t try every symbol combination, but I found other characters that worked fine.

So, if you have problems running this setup wizard, check your passwords and consider trying passwords that contain different characters.

How to Retrieve BitLocker Recovery Password


To locate and retrieve the BitLocker Recovery Password for a computer in Active Directory, follow these steps:

Start > Run > adsiedit.msc
Expand the tree and select the computer name:
DC=,DC=
OU=
CN=
Double-click (or right-click > Properties) the entry in the right pane (i.e. CN=T-)
Scroll down and locate “msFVE-RecoveryPassword”
Double-click (or left-click > Edit) the attribute to see the Recovery Password
Use the Recovery Password to unlock the computer
If the Recovery Password is required due to the replacement of the motherboard or other core hardware, you will need to decrypt and re-encrypt the hard drive in order to avoid needing the Recovery Password at every boot.
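The same lookup the ADSI Edit steps above perform, done with the ActiveDirectory PowerShell module (RSAT). This is an added example, not from the original post; it assumes the account running it has read access to msFVE-RecoveryPassword on the computer objects, and 'WKS-001' is a placeholder computer name.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Recovery information lives in msFVE-RecoveryInformation objects that are
    # children of the computer account (what you browse to under CN=<computer> in ADSI Edit).
    $computer = Get-ADComputer -Identity $ComputerName

    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
      Sort-Object whenCreated -Descending |
      ForEach-Object {
          # msFVE-RecoveryGuid is stored as an octet string; turn the bytes back into a GUID.
          $guid = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
          New-Object PSObject -Property @{
              Computer         = $ComputerName
              Created          = $_.whenCreated
              # The BitLocker recovery screen shows the first 8 characters of this ID,
              # so it tells you which entry matches when several keys have been escrowed.
              PasswordId       = $guid.ToString().ToUpper()
              RecoveryPassword = $_.'msFVE-RecoveryPassword'
          }
      }
}

# Placeholder computer name; the newest key is listed first.
Get-BitLockerRecoveryInfo -ComputerName 'WKS-001' | Format-List Computer, Created, PasswordId, RecoveryPassword
```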

ADFS: Raise Farm Behavior Level Issue


After upgrading our ADFS servers to Windows Server 2016, the last step was to raise the Farm Behavior Level using the Invoke-AdfsFarmBehaviorLevelRaise PowerShell cmdlet. In my case, when I ran this command, I received the following error:

Invoke-AdfsFarmBehaviorLevelRaise : Database upgrade could not be performed on localhost. Error: Unable to connect to
the database. You may not have permission to create the AD FS configuration database in the specified SQL server. You
can do one of the following: (1) have the SQL administrator grant permissions to you to create the AD FS configuration
database in the specified SQL server or (2) have the SQL administrator create the AD FS configuration database by
running SQL scripts. Use the Export-ADFSDeploymentSQLScript to create the SQL scripts. After the SQL administrator
runs the scripts, try the command again specifying that the database is to be overwritten.
.
At line:1 char:1
+ Invoke-AdfsFarmBehaviorLevelRaise
+ ~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-AdfsFarmBehaviorLevelRaise], RemoteException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.InvokeUpgradeFarmBehaviorCommand

Message
-------
Unable to create a newer version of the configuration database. Database upgrade could not be performed on localhost…
In my case, I have a few advanced configurations that may have triggered this error. First, my ADFS databases are hosted on a remote SQL Server with HA redundancy using SQL AlwaysOn. Also, my ADFS service runs under a gMSA (group Managed Service Account).

As of the time of this article, there is only limited documentation on the Invoke-AdfsFarmBehaviorLevelRaise cmdlet. I discovered I could solve this issue by supplying admin credentials with the -Credential parameter and specifying my gMSA with the -GroupServiceAccountIdentifier parameter, both of which are optional parameters of the Invoke-AdfsFarmBehaviorLevelRaise cmdlet.

In the end, my cmdlet looked like this:

$cred = Get-Credential
Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred -GroupServiceAccountIdentifier \mygMSA$

If you are running a similar ADFS configuration and run into this issue, try adding some of the optional parameters to solve it.

Windows Sysprepped Machine Fails to Automatically Register with Azure


Beginning with Windows 10 1511, Windows based computers will attempt to automatically register with Azure Active Directory. For this to succeed some configuration is required (I won’t go into this detail, but you can find official steps here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup).

VMworld: vSphere Stretched Clusters, DR & Mobility (BCO2479)

Premise:
– lots of confusion between disaster recovery (DR) and disaster avoidance (DA)

Part 1: Disaster Avoidance vs. Disaster Recovery

Disaster Avoidance
– you know a host will go down
– Host: vMotion
– Site: vMotion

Disaster Recovery
– unplanned host outage
– Host: VMware HA
– Site: SRM

*** More content forthcoming (to fill in the blanks) ***

VMworld: vSphere PowerCLI Best Practice (VSP1883)


Speakers: Luc Dekens (Eurocontrol), Alan Renouf (VMware)

Luc – blog: http://lucd.info
Alan – blog: http://www.virtu-al.net

BP1: Get-View returns full copy of the server-side object
– otherwise the get- commands only return a subset of the properties

BP2: Finding Properties
– what you see is not what is there
– – can edit the .ps1xml files to change returned properties
– use Get-Member to return all of the properties
– ex. Get-VMHost | Get-Member
– complex (nested) objects
– – Select-Object -ExpandProperty
– – Get-Member in a loop
– – Format-Custom -Depth

BP3: Make Your Own Properties
– use the New-VIProperty cmdlet
– adds a CodeProperty to the object
– valid until Remove-VIProperty or end of session
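An added example (not from the session) that walks through BP1 to BP3 against a single ESXi host with PowerCLI; the vCenter name (vcenter.example.com), host name (esx01) and the BIOS version property chosen for New-VIProperty are illustrative placeholders.

```powershell
# Added example, not from the session notes. Placeholders: vcenter.example.com, esx01.
Connect-VIServer -Server vcenter.example.com | Out-Null

# BP1: Get-VMHost returns a trimmed wrapper object; Get-View (or .ExtensionData)
#      returns the full server-side HostSystem object with every property.
$vmhost = Get-VMHost -Name esx01
$view   = $vmhost | Get-View
$view.Hardware.BiosInfo                      # not present on $vmhost at all

# BP2: find out what is really there. Get-Member lists the wrapper's properties;
#      nested objects need -ExpandProperty / -Depth to look inside.
$vmhost | Get-Member -MemberType Property
$vmhost | Select-Object -ExpandProperty ExtensionData | Format-Custom Hardware -Depth 2
# Get-Member in a loop, one nesting level at a time:
foreach ($level in @($view.Hardware, $view.Hardware.BiosInfo)) {
    $level | Get-Member -MemberType Property
}

# BP3: surface the nested value as a first-class property on every VMHost object.
#      It is a CodeProperty, so it exists until Remove-VIProperty or the session ends.
New-VIProperty -Name BiosVersion -ObjectType VMHost `
    -ValueFromExtensionProperty 'Hardware.BiosInfo.BiosVersion' -Force | Out-Null
Get-VMHost | Select-Object Name, Version, BiosVersion | Format-Table -AutoSize
Remove-VIProperty -Name BiosVersion -ObjectType VMHost
```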

VMworld: VMware View Performance & Best Practices (EUC3163)


PCoIP server offload card for improved graphical performance & consolidation

View 5
– WAN bandwidth optimizations: ~75% reduction
– CPU optimizations: idle VMs, algorithms, libraries
– Better session resilience: session recovery during loss of network of up to 30 seconds
– PCoIP performance counters
– Provisioning: faster and more parallelism