Saturday, October 25, 2014

Attempting to use PowerShell’s Add-WindowsFeature cmdlet to install .NET Framework 4.5 fails on a Windows Server 2012 R2 server

Problem

You have a new server installed with Windows Server 2012 R2 and need to install .NET Framework 4.5 with other roles and features so you mount the Windows Server 2012 R2 media, launch Windows PowerShell then execute the following cmdlet:

Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source D:\sources\sxs

The installer executes and begins the install but quickly fails with the following message:

Windows PowerShell

Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source D:\sources\sxs

Add-WindowsFeature : The request to add or remove features on the specified server failed.

Installation of one or more roles, role services, or features failed.

The source files could not be downloaded.

Use the "source" option to specify the location of the files that are required to restore the feature. For more

information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f0906

At line:1 char:1

+ Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Wi ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature],

Exception

+ FullyQualifiedErrorId : DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsF

eatureCommand

Success Restart Needed Exit Code Feature Result

------- -------------- --------- --------------

False No Failed {}

PS C:\Windows\system32>

Solution

This issue actually had me scratching my head for quite a bit of time because the error appeared to suggest that there was something wrong with the source files.  Executing this cmdlet or using the Add Roles and Features Wizard did not allow me to successfully install the components I needed for a Lync Server 2013 install I was doing, and copying the source files from the Windows Server 2012 R2 media directly onto the server did not work either.  A bit of searching suggested getting the install.wim index number with a command such as:

dism /get-wiminfo /wimfile:d:\sources\install.wim

… then passing the index of the Windows Server 2012 R2 edition to the Add-WindowsFeature cmdlet's -Source parameter:

PS D:\sources\sxs> Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source win:d:\sources\install.wim:2

Add-WindowsFeature : The request to add or remove features on the specified server failed.

Installation of one or more roles, role services, or features failed.

The source files could not be downloaded.

Use the "source" option to specify the location of the files that are required to restore the feature. For more

information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f0906

At line:1 char:1

+ Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Wi ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature],

Exception

+ FullyQualifiedErrorId : DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsF

eatureCommand

Success Restart Needed Exit Code Feature Result

------- -------------- --------- --------------

False No Failed {}

PS D:\sources\sxs> Dism /get-wiminfo /wimfile:d:\sources\install.wim

… but this did not work either.  After a bit of searching, I finally realized that the reason why I was getting this error was because of the following installed security update:

Security Update for Microsoft Windows (KB2966828)

The same cmdlet that continuously failed completed successfully once I removed this security update:

PS D:\sources\sxs> Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Windows-Identity-Foundation, Telnet-Client, BITS -Source d:\sources\sxs

Success Restart Needed Exit Code Feature Result

------- -------------- --------- --------------

True Yes SuccessRest... {Background Intelligent Transfer Service (...

WARNING: You must restart this server to finish the installation process.

WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is

automatically updated, turn on Windows Update.

PS D:\sources\sxs>

I haven’t actually encountered the issue on a Windows Server 2012 R1 server but the following TechNet blog indicates that Security Update For Microsoft Windows 2966827 can cause the same issue as well.

Attempting to Install .NET Framework 3.5 on Windows Server 2012 R2 Fails with Error Code 0x800F0906 or “the source files could not be downloaded”, even when supplying source
http://blogs.technet.com/b/askpfeplat/archive/2014/09/29/attempting-to-install-net-framework-3-5-on-windows-server-2012-r2-fails-with-error-code-0x800f0906-or-the-source-files-could-not-be-downloaded-even-when-supplying-source.aspx
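
A pre-flight check for the situation above, as an added example that is not from the original post: it looks for the two updates named here (KB2966828 and KB2966827) before attempting the install and ties the download failure back to them. The shortened feature list and the `-RemoveUpdate` switch are assumptions of this example; because both are security updates, the removed one should be reinstalled once the features are in place.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
param(
    [string]   $Source   = 'D:\sources\sxs',   # source path used in the post
    [string[]] $Features = @('NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45'),
    [switch]   $RemoveUpdate                   # opt in to uninstalling the update first
)

# The two security updates this post associates with error 0x800f0906.
$suspectKbs = 'KB2966828', 'KB2966827'

# Get-HotFix -Id errors on an update that is absent, so filter the full list instead.
$found = @(Get-HotFix | Where-Object { $suspectKbs -contains $_.HotFixID })
$restartPending = $false

foreach ($kb in $found) {
    Write-Warning "$($kb.HotFixID) is installed."
    if (-not $RemoveUpdate) { continue }
    $number = $kb.HotFixID -replace '^KB', ''
    $proc = Start-Process -FilePath wusa.exe -Wait -PassThru `
        -ArgumentList "/uninstall /kb:$number /quiet /norestart"
    # 0 = success, 3010 = success but a restart is required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "wusa.exe could not remove $($kb.HotFixID) (exit code $($proc.ExitCode))."
    }
    if ($proc.ExitCode -eq 3010) { $restartPending = $true }
}

if ($restartPending) {
    Write-Warning 'Restart the server to finish removing the update, then run this script again.'
    return
}

try {
    Install-WindowsFeature -Name $Features -Source $Source -ErrorAction Stop
}
catch {
    # Same FullyQualifiedErrorId prefix as in the failing output shown in the post.
    if ($_.FullyQualifiedErrorId -like 'DISMAPI_Error__Cbs_Download_Failure*' -and $found) {
        Write-Warning "Source download failure with $($found.HotFixID -join ', ') present; rerun with -RemoveUpdate."
    }
    throw
}

if ($RemoveUpdate -and $found) {
    Write-Warning "Removed $($found.HotFixID -join ', '): reinstall it through your normal patching process."
}
```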

Thursday, October 23, 2014

Lync Server Management Shell 2013 does not load and hangs with a black screen on a Windows Server 2012 R2 server

Problem

You’ve just completed deploying Lync Server 2013 on a Windows Server 2012 R2 server but notice that the Lync Server Management Shell does not load and hangs with a black screen regardless of whether you run it as an administrator or not:

Solution

This only appears to affect Windows Server 2012 R2 deployments as the application shortcut appears to be created with a missing quote:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "cd $env:UserProfile; Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

Simply adding a quote back into the shortcut will correct the issue:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "cd $env:UserProfile; Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'"

Wednesday, October 22, 2014

How to export message tracking log results as a CSV file in Exchange Server 2010

I recently had to troubleshoot an issue for a client where their log drive filled up and they wanted to identify whether there was a device that was generating excessive logs on the Exchange server or whether they genuinely received that much mail between the last backup and the time when the drive filled up.  To determine whether the Exchange Organization did indeed receive enough mail to fill up the log drive, I directed my attention to the Tracking Log Explorer.  Those who are familiar with Exchange Server 2010’s Tracking Log Explorer feature, located in Microsoft Exchange –> Microsoft Exchange On-Premises –> Toolbox –> Tracking Log Explorer, have probably come across the situation where you would like to export the returned table results but noticed that there does not appear to be a way to do so via the GUI.

The GUI does not provide a way to export these logs to a text or CSV file, and therefore there wasn’t a way for me to easily add up the TotalBytes column to get an idea as to how much mail was sent and received.

I recall asking a Microsoft support engineer years ago about this for Exchange 2007 and the answer was that there was no way but seeing how it has been such a long time, I went ahead and did a quick Google search which returned this Exchange Team Blog post:

How to Easily Export Message Tracking Results in Exchange Server 2007
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

This was exactly what I wanted because I could sum the TotalBytes column, but the command was a screenshot, which meant I had to type it out.  It was a bit annoying to have to type all that out when I was in a rush to get the results to the client at 1 a.m., so to avoid having to do this again in the future, I’m going to paste the command here for reference if I ever need it again:

get-messagetrackinglog -Server "<replaceWithServerName>" -Start "10/20/2014 10:15:00 PM" -End "10/21/2014 12:35:00 PM" -resultsize unlimited | select timestamp, eventid, source, sourcecontext, messageid, messagesubject, sender, {$_.recipients}, internalmessageid, clientip, clienthostname, serverip, serverhostname, connectorid, {$_.recipientstatus}, totalbytes, recipientcount, relatedrecipientaddress, reference, returnpath, messageinfo | export-csv c:\results.csv

Note that I added the “-resultsize unlimited” switch at the end of get-messagetrackinglog to allow unlimited results to be returned.
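
To answer the original question (one noisy device versus genuinely heavy mail flow) from the exported file, the rows can be grouped and TotalBytes summed per sender or per client host. The following is an added example, not part of the original post: the function name `Get-TrackingVolume`, the default filter on RECEIVE events (so each message is counted once rather than once per tracking event) and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the original post.
function Get-TrackingVolume {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string] $GroupBy = 'Sender',     # any exported column, e.g. ClientHostname
        [string] $EventId = 'RECEIVE',    # assumption: count each message once, on receipt
        [int]    $Top     = 10
    )
    $Rows |
        Where-Object { $_.EventId -eq $EventId } |
        Group-Object -Property $GroupBy |
        ForEach-Object {
            # CSV values are strings; Measure-Object converts them to numbers for the sum.
            $bytes = ($_.Group | Measure-Object -Property TotalBytes -Sum).Sum
            [pscustomobject]@{
                $GroupBy = $_.Name
                Messages = $_.Count
                TotalMB  = [math]::Round($bytes / 1MB, 2)
            }
        } |
        Sort-Object -Property TotalMB -Descending |
        Select-Object -First $Top
}

# Constructed sample rows standing in for C:\results.csv (not real tracking data).
$sample = @'
"Timestamp","EventId","Sender","ClientHostname","TotalBytes"
"10/20/2014 10:16:02 PM","RECEIVE","scanner@example.com","MFP01","10485760"
"10/20/2014 10:16:03 PM","DELIVER","scanner@example.com","MFP01","10485760"
"10/20/2014 10:17:40 PM","RECEIVE","scanner@example.com","MFP01","20971520"
"10/20/2014 10:21:11 PM","RECEIVE","alice@example.com","PC-ALICE","52428"
"10/20/2014 10:25:59 PM","RECEIVE","bob@example.com","PC-BOB","1048576"
'@ | ConvertFrom-Csv

# scanner@example.com comes out on top with 2 messages and 30 MB.
Get-TrackingVolume -Rows $sample -GroupBy Sender | Format-Table -AutoSize

# Against the real export produced by the command above:
# Get-TrackingVolume -Rows (Import-Csv C:\results.csv) -GroupBy ClientHostname
```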

In addition to using this export to total up each message size to get an idea of how much log data should be generated, another useful tool for troubleshooting this issue is the:

Microsoft Exchange Server User Monitor
http://www.microsoft.com/en-us/download/details.aspx?id=11461

This tool allows you to monitor individual users’ utilization of the Exchange server, including the amount of Bytes In and Bytes Out.

Monday, October 20, 2014

Securing traffic between NetScaler and StoreFront with HTTPS rather than HTTP

I’ve been asked several times since publishing my previous blog post:

Configuring a NetScaler VPX appliance to publish load balanced XenDesktop 7.x StoreFront servers
http://terenceluk.blogspot.com/2014/07/configuring-netscaler-vpx-appliance-to.html

… how the HTTP traffic between the NetScaler and StoreFront can be secured, since the NetScaler effectively authenticates with the StoreFront server(s) and the StoreFront server makes a callback to the NetScaler during the process.  The answer is simple: use HTTPS instead.  Not all of the customers I work with use HTTPS because their justification is that their server VLANs are secured, but I usually recommend using HTTPS when possible.  To do so, a certificate will be required for the URL that the NetScaler will be using to reach the StoreFront servers.  Before I begin demonstrating the configuration, I would like to note the following points:

  1. Do not use the same URL that users on the internet or internal VLAN use to access the NetScaler for the StoreFront server(s). This means that if you’re using https://citrix.domain.com for your NetScaler’s VIP, do not use https://citrix.domain.com for your StoreFront servers because Citrix does not support this.
  2. Make sure that the CallBack URL that you configure on your StoreFront’s NetScaler Gateway configuration matches the name you are using for your NetScaler VIP. Any changes to the URL will not work.

Step #1 – Bind SSL Certificate to StoreFront’s IIS Server

Begin by binding an SSL certificate to the StoreFront’s IIS server.  This can be done either by generating a certificate signing request (CSR), sending it to a public CA and completing the certificate request so the server has the private key, or by simply exporting a certificate from a source as a PFX and importing it into the StoreFront server’s Local Computer store.  The certificate used in this example will be exported from the NetScaler appliance because it is a wildcard certificate.

Note that the Web Interface Address URL currently configured on the NetScaler points to http://storefront.ad.domain.com because the communication between the NetScaler and StoreFront currently uses HTTP:

Testing the URL http://storefrontServerName.FQDN will display the default IIS page:

Notice that without a certificate bound to the IIS server, navigating to https://storeFrontServerName.FQDN will display the message “This page can’t be displayed”.

With the certificate imported into the Local Computer store, launch the Internet Information Services (IIS) Manager, navigate to ServerName –> Sites –> Default Web Site, then click on Bindings… under Edit Site:

Click on the Add… button in the Site Bindings:

Change the Type from http to https:

Click on the Close button after the new https binding has been added:

There isn’t a need to perform an iisreset but you are free to do so if you like.

With the new https binding created, you should now be able to browse the StoreFront website via https:
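
The same binding done from PowerShell, followed by a check that IIS really serves the intended certificate for the name the NetScaler will use. This is an added example, not part of the original post: the `-Thumbprint` and `-HostName` values are supplied by you, and port 443 on all IP addresses of the Default Web Site is assumed.

```powershell
# Added example, not from the original post. Run elevated on the StoreFront server.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # thumbprint of the imported certificate
    [Parameter(Mandatory)] [string] $HostName     # FQDN the NetScaler will use for StoreFront
)
Import-Module WebAdministration

# The certificate must be in the Local Computer store, usable and not expired.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'No private key: import the PFX, not only the public certificate.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Add the https binding to the site only if it is not already present.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding.
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Verify: open a TLS connection and let .NET validate the chain and the host name.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($HostName)   # throws if the chain or the name does not validate
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served: $($served.Subject), thumbprint $($served.Thumbprint), expires $($served.NotAfter)"
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'IIS is serving a different certificate than the one requested.'
    }
}
finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}
```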

Step #2 – Update Session Profile on NetScaler to use https URL

Now that the StoreFront server can respond to https requests, proceed with modifying the Session Profile on the NetScaler:

Update the http URL to https:

Step #3 – Recreate Virtual Server with https

You cannot actually change a Virtual Server’s configured Protocol from HTTP to HTTPS, which basically means that you’ll have to delete and recreate the Virtual Server if you already have one created, as is the case in this example.  Create a new LB Virtual Server with the Add button:

Fill in the required fields and change the Protocol to SSL:

You will immediately notice that the Load Balancing Virtual Server’s State is listed as being down, and this is because a new Service will need to be created and added to this Load Balancing Virtual Server.  The reason why we performed this step first is because we would not be able to delete the existing HTTP service before deleting the existing HTTP Virtual Server since it is bound to a Virtual Server.  Now that we’ve deleted and recreated the Load Balancing Virtual Server, we can remove the old HTTP service.

Step #4 – Recreate Virtual Server Service

Navigate to Traffic Management –> Load Balancing –> Services:

Since you can’t have two Services bound to the same IP where one is HTTP and another is SSL, we will delete the existing one and then create the SSL service:

The new Load Balancing SSL service should immediately have its State as being Up:

Navigate to the Virtual Servers and open the Load Balancing Virtual Server for the StoreFront:

Open the Service option:

Bind the SSL service that was created earlier:

Note that even with the service added, the service would still be labeled as being down because there is no certificate added:

Step #5 – Bind SSL Certificate to Load Balancing Server

The certificate that needs to be attached to this Load Balancing server is the same certificate that is used on the StoreFront servers, and since we’re using the same wildcard certificate as we’re using for the NetScaler VIP and the StoreFront HTTPS binding, the certificate should already be on the NetScaler.  Proceed by opening the Load Balancing Virtual Server and clicking on the SSL Certificate configuration:

Click on No Server Certificate:

Click on the Bind button:

Bind the certificate that will be used for the StoreFront servers:

Save the configuration:

Next, click on the Persistence configuration:

Change the Persistence configuration to SOURCEIP:

Click on the Done button to exit the configuration:

Notice that the Virtual Server State is now Up:

Step #6 – StoreFront Monitoring

For better StoreFront monitoring, it is best to create a service-specific monitor that the NetScaler provides.  The reason why I leave it as the last item to configure on the NetScaler is that a slight misconfiguration can cause the monitor to report the StoreFront as being down, so to avoid situations where I might be confused about whether I published the site correctly or not, I like to complete all of the configuration leading to the Load Balancing Virtual Server with an Up State before I configure the monitoring.

Navigate to Traffic Management –> Load Balancing –> Monitors and click on the Add button:

Fill in the following fields:

Name – Type in a name for the monitor
Type – Select STOREFRONT in the drop down menu

Leave the rest of the settings as default and scroll down to the bottom of the configuration page:

Ensure that the following checkboxes are checked:

  • Enabled
  • Secure

Scroll back to the top and click on the Special Parameters tab:

Fill in the Store Name with the StoreFront name, ensure Storefront Account Service is checked and then click Create:

A new StoreFront monitor should now be created:

Note how the configuration settings we left as default are now filled in:

Now navigate to Services and open the properties of the StoreFront service:

Click on the Monitors item:

Bind the monitor we created for the StoreFront server:

Save the settings:

Notice how there is only 1 item listed in the Monitors section and that’s because the tcp-default is removed:

Complete the configuration and click on the Done button for the Load Balancing service:

Step #7 – Update StoreFront Base URL

If you try to access the site now, you will receive the following error after logging in with your credentials:

So before attempting to test, log into your StoreFront server and update the Base URL from http:// to https://:

Once this last configuration has been made, you should now be able to log into the portal and launch applications.