Monday, March 26, 2018

Attempting to generate a new CSR with OpenSSL fails with: “13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:”

Problem

You’ve downloaded OpenSSL and have begun the process of generating a new CSR to submit to a certificate authority but notice that executing the following command:

req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

… generates the following error:

C:\OpenSSL-Win64\bin>openssl.exe

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

Can't open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory

13536:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('C:\Program Files\Common Files\SSL/openssl.cnf','r')

13536:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:

Generating a 2048 bit RSA private key

........+++

............................................+++

writing new private key to 'mykey.pem'

-----

unable to find 'distinguished_name' in config

problems making Certificate Request

13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:

error in req

OpenSSL>


Solution

One of the reasons why the error above would be thrown is if the OPENSSL_CONF environment variable has not been set to point to the openssl.cfg file.  To set it, execute the following command (change the path as required):

set openssl_conf=c:\OpenSSL-Win64\bin\openssl.cfg

The CSR generation will proceed as expected once the configuration file is specified:

C:\OpenSSL-Win64\bin>openssl.exe

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

Generating a 2048 bit RSA private key

...................................................+++

.....................+++

writing new private key to 'mykey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:
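The same fix from a PowerShell session, as an added example that is not part of the original post. It assumes the C:\OpenSSL-Win64\bin install path shown above, and the subject string is a placeholder. It also verifies the CSR and restricts access to the key, because -nodes writes the private key to disk unencrypted.

```powershell
# Added example, not part of the original post.
# Assumptions: OpenSSL lives in C:\OpenSSL-Win64\bin as in the post;
# the subject below is a placeholder to replace with your own values.
$opensslDir = 'C:\OpenSSL-Win64\bin'
$openssl    = Join-Path $opensslDir 'openssl.exe'
$conf       = Join-Path $opensslDir 'openssl.cfg'

# Fail early with a clear message instead of the NCONF_get_string error.
if (-not (Test-Path -LiteralPath $conf -PathType Leaf)) {
    throw "OpenSSL configuration file not found: $conf"
}

# In PowerShell, 'set' is an alias for Set-Variable and does not create an
# environment variable, so use the env: drive. This lasts for the session only.
$env:OPENSSL_CONF = $conf

# Same request as in the post, with the DN supplied on the command line.
& $openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem `
    -subj '/C=CA/O=Example/CN=www.example.com'
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Check the CSR's self-signature and print its subject before sending it to the CA.
& $openssl req -in myreq.pem -noout -verify -subject
if ($LASTEXITCODE -ne 0) { throw 'CSR verification failed' }

# -nodes leaves the private key unencrypted, so drop inherited permissions
# and grant access to the current user only.
& icacls.exe mykey.pem /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" | Out-Null
```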


Please refer to one of my older posts if you’re using OpenSSL to generate a certificate for a Cisco Wireless Controller:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html

Friday, March 16, 2018

Configuring Azure Active Directory integration with Atlassian Cloud using SAML

I recently had to configure Azure Active Directory integration with Atlassian Cloud using SAML and was a bit lost as I went through the instructions from the Microsoft Azure documentation:

Tutorial: Azure Active Directory integration with Atlassian Cloud

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-atlassian-cloud-tutorial

Microsoft typically writes great documentation and judging by the slightly different screenshots between what I see on the Atlassian portal and the documentation, the instructions are most likely a bit out-of-date.

Not really sure how to proceed, I reached out to Atlassian support and quickly received the following reply indicating what I really should be doing is:

  1. Start at step #11 to set up the organization in the Atlassian site
  2. Stop at step #19
  3. Log into the Azure portal to set up the Atlassian Cloud application via step #1 under Add Atlassian Cloud from the gallery
  4. Navigate into the Single sign-on section of the Atlassian Cloud application
  5. Navigate down the window to the Configure Atlassian Cloud section and click on it as shown in step #9 under Configure Azure AD single sign-on
  6. Obtain the Azure AD SAML Entity ID
  7. Obtain the Azure AD Single Sign-On Service URL
  8. Download the Metadata Certificate (Base64 encoded)
  9. Then navigate to the SAML single sign-on in the Atlassian administration portal and click on Add SAML configuration
  10. Fill in the fields as directed in step #19 then save the configuration
  11. Copy the SP Entity ID and SP Assertion Consumer Service URL from the portal
  12. Then navigate back to the Azure Active Directory admin center console and continue step #20 then to step #1 through #7 under Configure Azure AD single sign-on
  13. Once the configuration has been saved, use the Test SAML Settings button to test launching the dashboard and ensure authentication works

The above can get confusing quite fast so here are the steps along with the screenshots:

1. Start at step #11 to set up the organization in the Atlassian site
2. Stop at step #19 which will bring you to this screen allowing you to launch the Add SAML configuration
3. Log into the Azure portal to set up the Atlassian Cloud application via step #1 under Add Atlassian Cloud from the gallery
4. Navigate into the Single sign-on section of the Atlassian Cloud application
5. Navigate down the window to the Configure Atlassian Cloud section and click on it as shown in step #9 under Configure Azure AD single sign-on
6. Obtain the Azure AD SAML Entity ID
7. Obtain the Azure AD Single Sign-On Service URL
8. Download the Metadata Certificate (Base64 encoded)
9. Then navigate to the SAML single sign-on in the Atlassian administration portal and click on Add SAML configuration
10. Fill in the fields as directed in step #19 then save the configuration
11. Copy the SP Entity ID and SP Assertion Consumer Service URL from the portal
12. Then navigate back to the Azure Active Directory admin center console and continue step #20 then to step #1 through #7 under Configure Azure AD single sign-on
13. Once the configuration has been saved, use the Test SAML Settings button to test launching the dashboard and ensure authentication works

Hope this helps anyone who may be a bit confused with the instructions provided by Microsoft.

Wednesday, March 14, 2018

Monitoring Exchange 2013 and 2016 message queues with PowerShell

I’ve been asked several times in the past by colleagues how they would go about monitoring Exchange message queues so that they would be notified if a threshold is exceeded. While I usually recommend looking for this feature in their existing monitoring solution, an alternative and free method of achieving this is to use a PowerShell script in conjunction with the Task Scheduler.

What I’ve done in the past is modify a script found here at the Microsoft Office TechCenter:

Powershell - Check Exchange 2010 Queue and mail alert on queue threshold
https://gallery.technet.microsoft.com/office/e0bb250e-e699-4c6c-a5be-f1af245a2219

As this script was written for Exchange 2010, the line:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

… needs to be changed to:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;

The script would look as follows for Exchange 2013 or 2016 (the variables you’ll need to or may want to change are highlighted in red):

# Open a remote Exchange session with Kerberos and import its cmdlets
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://yourExchangeServer/PowerShell/ -Authentication Kerberos
Import-PSSession $s

# Load the Exchange snap-in and connect to an Exchange server automatically
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
. $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto

# File that receives the queue listing and is attached to the alert
$filename = "c:\Scripts\ExchangeQueues.txt"
Start-Sleep -s 10

# Alert when any queue on a Hub Transport server holds more than 30 messages
if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 })
{
    # Write the offending queues to the log file
    Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 } | Format-Table -Wrap -AutoSize | out-file -filepath c:\Scripts\ExchangeQueues.txt
    Start-Sleep -s 10

    # Build the alert and send it with the log file attached
    $smtpServer = "yourSMTPserver"
    $msg = new-object Net.Mail.MailMessage
    $att = new-object Net.Mail.Attachment($filename)
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $msg.From = "Monitor@contoso.com"
    $msg.To.Add("admin1@mycompany.com")
    #$msg.To.Add("admin2@mycompany.com")
    #$msg.To.Add("admin3@mycompany.com")
    #$msg.To.Add("admin4@mycompany.com")
    $msg.Subject = "Exchange queue threshold of 30 reached."
    $msg.Body = "Please see attached queue log file for queue information"
    $msg.Attachments.Add($att)
    $smtp.Send($msg)
}

Note that the cmdlet used to check the queues can be modified to omit queues such as the Shadow Redundancy by adjusting:

if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 })

… into this:

if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 -and $_.DeliveryType -notlike "ShadowRedundancy"})

Adding the notlike operator will exclude the Shadow Redundancy queues when evaluating whether the threshold has been exceeded.

Once the script has been tested and verified to be in working order, you can then schedule it as a task to run every, say, 15 minutes as such:


Program/script: powershell.exe

Add arguments (optional): -command "& 'C:\Scripts\CheckExchangeQueues.ps1'"


Sunday, March 11, 2018

Monitoring Microsoft Exchange Server 2010, 2013 and 2016 services with PowerShell script and task scheduler

Most enterprise environments have solutions that provide monitoring services to ensure Microsoft Exchange Server services are running and, if they are not, restart the service and send an email notification to administrators. However, I have constantly come across smaller businesses that may not be able to afford such applications and have therefore implemented scripts run as scheduled tasks to provide some form of service monitoring. The Exchange Health Check Report by Paul Cunningham (https://practical365.com/exchange-server/powershell-script-exchange-server-health-check-report/) is great for daily reports but it is not practical to constantly use it for monitoring, so what I’ve typically done is implement the service_check.ps1 script written by Kevin Olson:

Check for hung or stopped services
https://gallery.technet.microsoft.com/scriptcenter/Check-for-hung-or-stopped-67bc718d

The small adjustment I’ve made to the script is to move the Send-Mailmessage cmdlet to execute after the Start-Service because if you do not have another SMTP relay setup and need to rely on the Exchange server this script is monitoring, the email will not be sent out if the service that is hung or stopped is the transport service. The following are the scripts along with the Exchange services added into the script for each version:

Microsoft Exchange 2010

#NAME: service_check.ps1
#AUTHOR: Kevin Olson
#DATE: 4/29/2011

#Machine to be monitored
$Computer = "brcl-exchange"

#Create an array of all services running
$GetService = get-service -ComputerName $Computer

#Create a subset of the previous array for services you want to monitor
$ServiceArray = "MSExchangeADTopology","MSExchangeAB","MSExchangeAntispamUpdate","MSExchangeEdgeSync","MSExchangeFDS","MSExchangeIS","MSExchangeMailSubmission","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeProtectedServiceHost","MSExchangeRepl","MSExchangeRPC","MSExchangeSearch","MSExchangeServiceHost","MSExchangeSA","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeFBA","W3SVC";

#Find any iWFM service that is stopped
foreach ($Service in $GetService)
{
    foreach ($srv in $ServiceArray)
    {
        if ($Service.name -eq $srv)
        {
            #check if a service is hung
            if ($Service.status -eq "StopPending")
            {
            $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
            Stop-Process $ServicePID
            Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
            #email to notify if a service is down
            Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
            }
            # check if a service is stopped
            elseif ($Service.status -eq "Stopped")
            {
            #automatically restart the service.
            Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
            #email to notify if a service is down
            Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
            }
        }
    }
}

The services I included in the script are all of the ones listed as Automatic as well as Automatic (Delayed Start):


Microsoft Exchange 2013

#NAME: service_check.ps1 
#AUTHOR: Kevin Olson
#DATE: 4/29/2011
 
#Machine to be monitored
$Computer = "bm1-azim-40-001"
 
#Create an array of all services running
$GetService = get-service -ComputerName $Computer
 
#Create a subset of the previous array for services you want to monitor
$ServiceArray = "HostControllerService","MSExchangeADTopology","MSExchangeAntispamUpdate","MSExchangeDagMgmt","MSExchangeDelivery","MSExchangeDiagnostics","MSExchangeEdgeSync","MSExchangeFastSearch","MSExchangeFrontEndTransport","MSExchangeHM","MSExchangeIS","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeRepl","MSExchangeRPC","MSExchangeServiceHost","MSExchangeSubmission","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeUM","MSExchangeUMCR","W3SVC";
 
#Find any iWFM service that is stopped
foreach ($Service in $GetService)
{
     foreach ($srv in $ServiceArray)
     {
         if ($Service.name -eq $srv)
         {
             #check if a service is hung
             if ($Service.status -eq "StopPending")
             {
             $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
             Stop-Process $ServicePID
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
             }
             # check if a service is stopped
             elseif ($Service.status -eq "Stopped")
             {
             #automatically restart the service.
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
         #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
             }
         }
     }
}

The services I included in the script are all of the ones listed as Automatic as well as Automatic (Delayed Start):

World Wide Web Publishing Service is also included.

Microsoft Exchange 2016

#NAME: service_check.ps1 
#AUTHOR: Kevin Olson
#DATE: 4/29/2011
 
#Machine to be monitored
$Computer = "prpmbx16-02"
 
#Create an array of all services running
$GetService = get-service -ComputerName $Computer
 
#Create a subset of the previous array for services you want to monitor
$ServiceArray = "HostControllerService","MSComplianceAudit","MSExchangeADTopology","MSExchangeAntispamUpdate","MSExchangeCompliance","MSExchangeDagMgmt","MSExchangeDelivery","MSExchangeDiagnostics","MSExchangeEdgeSync","MSExchangeFastSearch","MSExchangeFrontEndTransport","MSExchangeHM","MSExchangeHMRecovery","MSExchangeIS","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeRepl","MSExchangeRPC","MSExchangeServiceHost","MSExchangeSubmission","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeUM","MSExchangeUMCR","W3SVC";
 
#Find any iWFM service that is stopped
foreach ($Service in $GetService)
{
     foreach ($srv in $ServiceArray)
     {
         if ($Service.name -eq $srv)
         {
             #check if a service is hung
             if ($Service.status -eq "StopPending")
             {
             $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
             Stop-Process $ServicePID
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
             }
             # check if a service is stopped
             elseif ($Service.status -eq "Stopped")
             {
             #automatically restart the service.
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
         #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
             }
         }
     }
}

The services I included in the script are all of the ones listed as Automatic (Microsoft Exchange Notifications Broker is excluded) as well as Automatic (Delayed Start):

World Wide Web Publishing Service is also included.

Task Scheduler Configuration

One of the methods to execute the script repeatedly on the server is to create a task in the Task Scheduler as such:

Create a trigger and set Repeat task every to however frequently you like:

Then create an action with powershell.exe as the Program/script and the following as the Add arguments (optional) field:

-command "& 'C:\Scripts\service_check.ps1'"


Extra Setup Information

This script can be used for other services as well and an easy way of obtaining the service names to monitor is to use a cmdlet such as the one below to list all the services whose display name contains, say, Microsoft Exchange:

Get-Service | Where {$_.DisplayName -like "Microsoft Exchange*"} | format-table -autosize

Status  Name                          DisplayName
------  ----                          -----------
Running HostControllerService         Microsoft Exchange Search Host Controller
Running MSComplianceAudit             Microsoft Exchange Compliance Audit
Running MSExchangeADTopology          Microsoft Exchange Active Directory Topology
Running MSExchangeAntispamUpdate      Microsoft Exchange Anti-spam Update
Running MSExchangeCompliance          Microsoft Exchange Compliance Service
Running MSExchangeDagMgmt             Microsoft Exchange DAG Management
Running MSExchangeDelivery            Microsoft Exchange Mailbox Transport Delivery
Running MSExchangeDiagnostics         Microsoft Exchange Diagnostics
Running MSExchangeEdgeSync            Microsoft Exchange EdgeSync
Running MSExchangeFastSearch          Microsoft Exchange Search
Running MSExchangeFrontEndTransport   Microsoft Exchange Frontend Transport
Running MSExchangeHM                  Microsoft Exchange Health Manager
Running MSExchangeHMRecovery          Microsoft Exchange Health Manager Recovery
Stopped MSExchangeImap4               Microsoft Exchange IMAP4
Stopped MSExchangeIMAP4BE             Microsoft Exchange IMAP4 Backend
Running MSExchangeIS                  Microsoft Exchange Information Store
Running MSExchangeMailboxAssistants   Microsoft Exchange Mailbox Assistants
Running MSExchangeMailboxReplication  Microsoft Exchange Mailbox Replication
Stopped MSExchangeNotificationsBroker Microsoft Exchange Notifications Broker
Stopped MSExchangePop3                Microsoft Exchange POP3
Stopped MSExchangePOP3BE              Microsoft Exchange POP3 Backend
Running MSExchangeRepl                Microsoft Exchange Replication
Running MSExchangeRPC                 Microsoft Exchange RPC Client Access
Running MSExchangeServiceHost         Microsoft Exchange Service Host
Running MSExchangeSubmission          Microsoft Exchange Mailbox Transport Submission
Running MSExchangeThrottling          Microsoft Exchange Throttling
Running MSExchangeTransport           Microsoft Exchange Transport
Running MSExchangeTransportLogSearch  Microsoft Exchange Transport Log Search
Running MSExchangeUM                  Microsoft Exchange Unified Messaging
Running MSExchangeUMCR                Microsoft Exchange Unified Messaging Call Router
Stopped wsbexchange                   Microsoft Exchange Server Extension for Windows Server Backup

Copy the output to a text file and extract the services as such:

HostControllerService
MSComplianceAudit
MSExchangeADTopology
MSExchangeAntispamUpdate
MSExchangeCompliance
MSExchangeDagMgmt
MSExchangeDelivery
MSExchangeDiagnostics
MSExchangeEdgeSync
MSExchangeFastSearch
MSExchangeFrontEndTransport
MSExchangeHM
MSExchangeHMRecovery
MSExchangeIS
MSExchangeMailboxAssistants
MSExchangeMailboxReplication
MSExchangeRepl
MSExchangeRPC
MSExchangeServiceHost
MSExchangeSubmission
MSExchangeThrottling
MSExchangeTransport
MSExchangeTransportLogSearch
MSExchangeUM
MSExchangeUMCR

Saturday, March 10, 2018

Logging into Windows displays the system tray message: “You’ve been signed in with a temporary profile.”

One of my biggest pet peeves when asking fellow colleagues to delete a user’s profile on a desktop or server is when they do so by launching Windows Explorer, navigating to the C:\Users folder and then deleting the folder, because that almost always causes the following message to be displayed for the deleted user:

You've been signed in with a temporary profile.

You can’t access your files, and files created in this profile will be deleted when you sign out. To fix this, sign out and try signing in later. Please see the event log for details or contact your system administrator.


This also happens to be one of the reasons profiles do not work with VMware Horizon View Virtual Desktop profile disks, because the deleted profile isn’t cleanly removed from the Windows OS and thus a new profile cannot be created properly.

To delete a user’s profile correctly, navigate to the User Profiles menu by clicking on Advanced system settings within the System window:

Then the Settings… button under the User Profiles section in the System Properties:

Remove the profile by selecting it from the list and clicking on the Delete button:

To correct the issue when a profile was deleted incorrectly causing the message shown above to be displayed every time the user logs in, simply launch the registry editor on the server and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Then locate the folder that represents the deleted user by finding one with the corresponding ProfileImagePath directory:

Make a note of the Guid and remove the corresponding key located in the path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid.

With the key identified by the Guid removed, proceed to remove the key of the deleted user in the path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
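To find these leftover entries without browsing the registry by hand, here is an added example that is not part of the original post. The function names are hypothetical. The audit function is read-only and reports ProfileList keys whose profile folder no longer exists, together with their Guid; the second function deletes a profile through the Win32_UserProfile WMI class so the folder and registry entries are removed together.

```powershell
# Added example, not part of the original post. Function names are hypothetical.

# Read-only audit: list ProfileList keys whose ProfileImagePath folder is gone,
# or that Windows has renamed with a .bak suffix after failing to load them.
function Get-OrphanedProfileEntry {
    [CmdletBinding()]
    param(
        [string]$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
        [string]$ProfileGuidPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid'
    )
    foreach ($key in Get-ChildItem -LiteralPath $ProfileListPath) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        if (-not $props.ProfileImagePath) { continue }

        $folder       = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)
        $folderExists = Test-Path -LiteralPath $folder -PathType Container
        $isBak        = $key.PSChildName -like '*.bak'
        if ($folderExists -and -not $isBak) { continue }   # healthy entry

        # The Guid value (not present for every account) names the matching
        # key under ProfileGuid that the post says to remove first.
        $guid    = $props.Guid
        $guidKey = if ($guid) { Join-Path $ProfileGuidPath $guid } else { $null }

        [pscustomobject]@{
            Sid                  = $key.PSChildName
            ProfileImagePath     = $folder
            FolderExists         = $folderExists
            Guid                 = $guid
            ProfileGuidKeyExists = [bool]($guidKey -and (Test-Path -LiteralPath $guidKey))
        }
    }
}

# Clean deletion: removing the Win32_UserProfile instance deletes the folder
# and the registry entries together. Loaded and special (system) profiles are skipped.
function Remove-UserProfileCleanly {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$LocalPath)

    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.LocalPath -eq $LocalPath } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.LocalPath, 'Delete user profile')) {
                Remove-CimInstance -InputObject $_
            }
        }
}

# Report leftovers from profiles that were deleted in Windows Explorer.
Get-OrphanedProfileEntry | Format-Table -AutoSize

# Preview a clean deletion (constructed path); drop -WhatIf to perform it.
# Remove-UserProfileCleanly -LocalPath 'C:\Users\jsmith' -WhatIf
```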

Thursday, March 8, 2018

Skype for Business Server 2015 logs the error: “GetAndPublish web service failed due to an internal error. This may impact user sign-in.”

Problem

You’ve received reports that users have experienced issues with logging into an audio conference as the leader with their PIN and notice that your Skype for Business Server 2015 front-end server has the following error written in the Lync Server logs:

Log Name: Lync Server

Source: LS UserPin Service

47055

Level: Error

GetAndPublish web service failed due to an internal error. This may impact user sign-in.

Request Details - Entity: [agrant@contoso.com], Device Id: [6EFEFC0B-234D-55CA-A44F-061007CDAC2F], Authenticated User: [sip:agrant@contoso.com].

Additional Context: [CA_Failure: InternalError]

Cause: This is an unexpected failure

Resolution:

Re-start the web server. If you see this error continuously, examine the server traces and contact product support.


Solution

One of the reasons why this error would be thrown causing audio conferencing PIN login issues is if the front-end server is assigned a certificate that is configured with an unsupported Signature Algorithm such as the following example:

Signature algorithm: RSASSA-PSS


To correct the issue, either change the issuing certificate authority’s signature algorithm to a supported algorithm such as sha256RSA or obtain a certificate from an authority with a supported signature algorithm.

The above event log error will no longer be written and PIN sign-in services will operate as expected once a certificate issued by a certificate authority with a supported signature algorithm is assigned.
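To check the signature algorithm without opening each certificate in the GUI, here is an added example that is not part of the original post. Get-CertSignatureAlgorithm is a hypothetical helper name. It lists the certificates in the front-end server's computer store, flags RSASSA-PSS, and, when the Skype for Business Management Shell is available, shows which use each certificate is assigned to.

```powershell
# Added example, not part of the original post. The helper name is hypothetical.
$RsaPssOid = '1.2.840.113549.1.1.10'   # OID of the RSASSA-PSS signature algorithm

function Get-CertSignatureAlgorithm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Optional map of thumbprint -> assigned uses (filled from Get-CsCertificate below)
        [hashtable]$UseByThumbprint = @{}
    )
    process {
        $oid = $Certificate.SignatureAlgorithm
        [pscustomobject]@{
            Use        = ($UseByThumbprint[$Certificate.Thumbprint] -join ',')
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            Algorithm  = $oid.FriendlyName          # e.g. sha256RSA or RSASSA-PSS
            IsRsaPss   = ($oid.Value -eq $RsaPssOid)
            Thumbprint = $Certificate.Thumbprint
        }
    }
}

# Map each assigned certificate to its use when the Skype for Business
# cmdlets are loaded; otherwise the Use column is left empty.
$useByThumbprint = @{}
if (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue) {
    foreach ($assigned in Get-CsCertificate) {
        if (-not $useByThumbprint.ContainsKey($assigned.Thumbprint)) {
            $useByThumbprint[$assigned.Thumbprint] = @()
        }
        $useByThumbprint[$assigned.Thumbprint] += [string]$assigned.Use
    }
}

# Certificates signed with RSASSA-PSS sort to the top of the report.
Get-ChildItem Cert:\LocalMachine\My |
    Get-CertSignatureAlgorithm -UseByThumbprint $useByThumbprint |
    Sort-Object IsRsaPss -Descending |
    Format-Table Use, Subject, Algorithm, IsRsaPss, Thumbprint -AutoSize
```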

Wednesday, March 7, 2018

On-prem Skype for Business Server 2015 federation with Skype for Business Online logs the event: "Unable to resolve DNS SRV record";domain="fabrikam.com";dns-srv-result="NegativeResult";dns-source="WireQuery";source="sip.contoso.com"

Problem

You’ve configured your Skype for Business Server 2015 SIP FEDERATED PROVIDERS to federate with Skype for Business Online domains:

… but notice that one of the domains you are trying to reach is listing the presence information of the contact as Presence unknown.

Attempting to manually configure their domain in the SIP FEDERATED DOMAINS with the Edge Server configured as sipdir.online.lync.com allows you to view their presence and trade messages but they are unable to view yours.

Using the Skype for Business Server 2015 Logging Tool to capture the IMAndPresence scenario shows the following SIP/2.0 404 Not Found log entries:

TL_INFO(TF_PROTOCOL) [bmlyncedge01\bmlyncedge01]0608.10A4::03/02/2018-20:08:58.210.00002EA8 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [1193230895] Trace-Correlation-Id: 1193230895

Instance-Id: 9BD4F

Direction: outgoing;source="local";destination="internal edge"

Peer: bmlyncstd01.contoso.com:65371

Message-Type: response

Start-Line: SIP/2.0 404 Not Found

From: "Terence Luk"<sip:tluk@contoso.com>;tag=b57c0d9a53;epid=de538b165f

To: <sip:kseidl@fabrikam.com>;tag=61AAA34DF2202DB35CF394AA3FF1E420

Call-ID: ed355df33e6e40e8afe98664b3abe01b

CSeq: 1 SUBSCRIBE

Via: SIP/2.0/TLS 10.21.1.106:65371;branch=z9hG4bKBD5B17D0.7277A46B0013221F;branched=FALSE;ms-received-port=65371;ms-received-cid=9BD600

Via: SIP/2.0/TLS 10.23.0.28:58599;ms-received-port=58599;ms-received-cid=817000

Content-Length: 0

ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="fabrikam.com";dns-srv-result="NegativeResult";dns-source="WireQuery";source="sip.contoso.com"

ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=bmlyncedge01.contoso.com;ms-source-verified-user=verified

$$end_record


Solution

One of the common causes of the symptoms described above is if the domain hosted in Skype for Business Online does not have the appropriate SRV record set up to allow the on-prem SfB to discover the company’s SfB. To ensure that the appropriate SRV record is configured, simply attempt to look up the record with the following commands:

nslookup

set q=srv

_sipfederationtls._tcp.<domainFQDN>

A domain properly configured with the required DNS record should look like the output circled in green while a domain with the missing record should look like the output circled in red.

Creating the missing record will correct the issue.
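The same lookup can be scripted, as in this added example that is not part of the original post. The function names are hypothetical and the sample trace is constructed from the ms-diagnostics header shown above. It pulls the failing domains out of a captured trace and queries the _sipfederationtls._tcp SRV record for each, optionally against a specific DNS server.

```powershell
# Added example, not part of the original post. Function names are hypothetical.
# Constructed sample: two lines taken from the trace shown in the post.
$sampleTrace = @'
Start-Line: SIP/2.0 404 Not Found
ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="fabrikam.com";dns-srv-result="NegativeResult";dns-source="WireQuery";source="sip.contoso.com"
'@ -split "`r?`n"

# Extract the domains that the Edge Server could not resolve.
function Get-UnresolvedFederationDomain {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$TraceLine)

    $pattern = 'ms-diagnostics:\s*1008;reason="Unable to resolve DNS SRV record";domain="(?<Domain>[^"]+)"'
    $TraceLine |
        ForEach-Object { if ($_ -match $pattern) { $Matches.Domain.ToLowerInvariant() } } |
        Sort-Object -Unique
}

# Query the federation SRV record for each domain and report what was found.
function Test-SipFederationSrv {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$Server   # optional: DNS server to query instead of the default resolver
    )
    foreach ($d in $Domain) {
        $name  = "_sipfederationtls._tcp.$d"
        $query = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }

        $detail = $null
        try {
            $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        } catch {
            # A missing record and an unreachable DNS server both land here;
            # keep the message so the two can be told apart.
            $records = @()
            $detail  = $_.Exception.Message
        }

        if ($records.Count -eq 0) {
            [pscustomobject]@{ Domain = $d; Record = $name; Found = $false
                               Target = $null; Port = $null; Detail = $detail }
            continue
        }
        foreach ($r in $records) {
            [pscustomobject]@{ Domain = $d; Record = $name; Found = $true
                               Target = $r.NameTarget; Port = $r.Port; Detail = $null }
        }
    }
}

# Check every domain named in the trace (requires DNS access when run).
Get-UnresolvedFederationDomain -TraceLine $sampleTrace |
    ForEach-Object { Test-SipFederationSrv -Domain $_ } |
    Format-Table -AutoSize
```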

Extra Troubleshooting Step

I went through numerous troubleshooting steps prior to looking at the obvious issue as outlined above because the problematic company had insisted that they did not have any issues with other partners so my assumption was that the domain I was working with wasn’t configured properly. The following may not have been the solution for this problem but I feel is worth checking as well.

One of the other possible causes to the issue above is if your domain is also configured for Office 365 services and you had inadvertently configured the domain to provide Skype for Business Online services. If this was the case then you would either have to configure interoperability between your on-premises deployment and Skype for Business Online as outlined in the following TechNet article:

Configure federation with Skype for Business Online

https://technet.microsoft.com/en-us/library/jj205126.aspx

If there is no intention of having Skype for Business Online accounts in Office 365 then ensure that the service is turned off. To check, simply launch the Azure Active Directory Module for Windows PowerShell and connect to the domain’s Office 365 account:

Use commands such as:

Get-MsolDomain -DomainName <domain>.com | FL

… or:

Get-MSolDomain | Select Name,Capabilities

… to determine whether Skype for Business Online is enabled for the domain:


Tuesday, March 6, 2018

vSphere Replication replicated virtual machines in SRM protected groups have the “Protection Status” as “Replication Error”

I’ve been working with VMware Site Recovery Manager (SRM) sparsely over the past few years and had thought I’d seen most of the error messages but came across one today that I had not seen before so I thought it would be worthwhile to write a quick post for it.

Problem

Logging into the SRM section of a vSphere Web Client shows all of the Protection Groups listed as Not Configured:

Navigating into the list of Virtual Machines shows the Protection Status as Replication Error.

Solution

One of the possible causes of this status being displayed in SRM is if the VMware vCenter Site Recovery Manager service on the target site is not started.  Starting the service will correct the issue.


Sunday, March 4, 2018

Add features to an existing VMware Horizon View 7.x Agent install

Those who are familiar with the VMware Horizon View agent install may have noticed that there does not appear to be an easy way to add features to an existing agent because attempting to use Programs and Features or re-running the installation file only presents the option of removing the agent.

This may not be an issue if you only had to update a master image but it is certainly not practical if you had to repeat the process multiple times for a full-clone deployment.  I’ve come across this multiple times in the past and thought it would be worthwhile to write this blog post to demonstrate the process for anyone who may be looking for this information.

Determining Installed Horizon View Agent Components

To begin, the way to determine what components are installed currently can be found in the agent install logs located in the folder:

C:\ProgramData\VMware\logs


The log named vmmsi.log_<date>.log with the latest timestamp is the file with this information.  Opening the logs and navigating down to the section beginning with:

Action start 21:20:57: InstallValidate.

MSI (s) (8C:C4) [21:20:57:927]: Feature: URLRedirection; Installed: Absent; Request: Null; Action: Null


… is where you will find all the features of the agent listed and whether they were installed.

Feature: this is the feature of the agent

Installed: this is the installation status of the feature during the install
The values are Absent and Local

Request: this is whether a request to install it was made
The values are Null, Local and Reinstall

Action: this is the action taken for the feature
The values are Null, Local and Reinstall

Adding Horizon View Agent Components (non agent upgrade)

The only way to add Horizon View agent components to an existing installation is to use the command line and features matrix as described in the following documentation:

Silent Installation Properties for Horizon Agent
https://docs.vmware.com/en/VMware-Horizon-7/7.4/horizon-virtual-desktops/GUID-3096DA8B-034B-435B-877E-5D2B18672A95.html

The command would look like this:

VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn VDM_VC_MANAGED_AGENT=1 ADDLOCAL=<featureToAdd>

To demonstrate the process, let’s begin by performing a fresh install of the View agent with only the Core, USB Redirection and Real-Time Audio-Video components.

Note the agent install log indicating the RTAV (Real-Time Audio-Video) component is installed (along with USB and other core components):

MSI (s) (D0:B0) [19:11:50:601]: Feature: RTAV; Installed: Absent; Request: Local; Action: Local

To add a component such as Client Drive Redirection, simply run the silent install command with the following switch:

VMware-viewagent-x86_64-7.0.2-4368292.exe /s /v"/qn VDM_VC_MANAGED_AGENT=1 ADDLOCAL=ClientDriveRedirection

**Note that if you’re only specifying one feature with the ADDLOCAL switch then there is no quote at the end, but if you specify more than one then there is.

Browsing the agent install log once the process has completed will show the following output for the feature indicating it was absent but now installed:

MSI (s) (28:D4) [20:28:45:916]: Feature: ClientDriveRedirection; Installed: Absent; Request: Local; Action: Local

Note that the RTAV component, being already installed, has different output than when it was first being installed:

MSI (s) (28:D4) [20:28:45:916]: Feature: RTAV; Installed: Local; Request: Null; Action: Null

Upgrading Horizon View Agent and Adding Components

One of the common mistakes I’ve seen administrators make in the past is upgrading the Horizon View Agent with the silent install and specifying only the additional component they want to add to the agent.  This will actually install the newer agent with only the single or multiple components specified in the ADDLOCAL switch, because an upgrade of the agent removes the previous agent and reinstalls the new one, and thus does not take the previously installed components into consideration.  If you are upgrading the agent silently then you’ll need to specify ADDLOCAL=ALL for all components, or ADDLOCAL=<features>, to ensure the features that are required are installed.
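The log reading from the "Determining Installed Horizon View Agent Components" section and the upgrade pitfall above can be combined in a small script. This is an added example, not part of the original post or any VMware tooling: it parses the Feature lines of an InstallValidate section, works out which features are present once that run finished, and builds an ADDLOCAL value that carries them through an upgrade. The function names are hypothetical, the sample log is constructed, and it assumes the feature names in the log are the names ADDLOCAL accepts, as they are for ClientDriveRedirection in this post.

```python
import re

# Matches one "Feature:" line of the InstallValidate section in vmmsi.log_<date>.log.
FEATURE_RE = re.compile(
    r"Feature:\s*(?P<name>[^;]+);\s*Installed:\s*(?P<installed>\w+);"
    r"\s*Request:\s*(?P<request>\w+);\s*Action:\s*(?P<action>\w+)"
)

# Constructed sample: the ClientDriveRedirection and RTAV lines are the ones shown
# in this post; the other lines are made up in the same format for illustration.
SAMPLE_LOG = """\
Action start 20:28:45: InstallValidate.
MSI (s) (28:D4) [20:28:45:916]: Feature: URLRedirection; Installed: Absent; Request: Null; Action: Null
MSI (s) (28:D4) [20:28:45:916]: Feature: USB; Installed: Local; Request: Null; Action: Null
MSI (s) (28:D4) [20:28:45:916]: Feature: Core; Installed: Local; Request: Null; Action: Null
MSI (s) (28:D4) [20:28:45:916]: Feature: ClientDriveRedirection; Installed: Absent; Request: Local; Action: Local
MSI (s) (28:D4) [20:28:45:916]: Feature: RTAV; Installed: Local; Request: Null; Action: Null
MSI (s) (28:D4) [20:28:45:916]: Component: _arp.ico; Installed: Local; Request: Null; Action: Null
"""


def parse_features(log_text):
    """Return {feature: (installed, request, action)}; Component lines are skipped."""
    features = {}
    for line in log_text.splitlines():
        m = FEATURE_RE.search(line)
        if m:
            features[m.group("name").strip()] = (
                m.group("installed"), m.group("request"), m.group("action"))
    return features


def present_after_run(installed, action):
    """State once the logged run finished: a non-Null Action overrides the prior state."""
    if action in ("Local", "Reinstall"):
        return True
    if action == "Absent":
        return False
    return installed == "Local"  # Action: Null leaves the feature as it was


def installed_features(log_text):
    """Sorted names of the features that are installed after the logged run."""
    return sorted(name for name, (inst, _req, act) in parse_features(log_text).items()
                  if present_after_run(inst, act))


def addlocal_for_upgrade(log_text, extra=()):
    """ADDLOCAL value that keeps the current feature set and adds `extra`."""
    return "ADDLOCAL=" + ",".join(sorted(set(installed_features(log_text)) | set(extra)))
```

Feed it the text of the vmmsi log with the latest timestamp, then paste the returned value into the silent upgrade command in place of a single-feature ADDLOCAL.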

Extra Information

The following is for those who may want to reference what a default installation of the Horizon View Agent 7.4.0 components looks like.

The log output would be as such:

Action start 21:20:57: InstallValidate.

MSI (s) (8C:C4) [21:20:57:927]: Feature: URLRedirection; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: PSG; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: VmVideo; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: VmwVdisplay; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: FlashURLRedirection; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: RDSH3D; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: SVIAgent; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: NGVC; Installed: Absent; Request: Absent; Action: Absent

MSI (s) (8C:C4) [21:20:57:927]: Feature: ScannerRedirection; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: SerialPortRedirection; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: SmartCard; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: TSMMR; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: ThinPrint; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: USB; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: V4V; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: VPA; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: VmwVaudio; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: DeviceBridgeBAS; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: CIT; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: RDP; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: BlastUDP; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: Core; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: VMWMediaProviderProxy; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: ClientDriveRedirection; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: RTAV; Installed: Absent; Request: Local; Action: Local

MSI (s) (8C:C4) [21:20:57:927]: Feature: FLASHMMR; Installed: Absent; Request: Null; Action: Null

MSI (s) (8C:C4) [21:20:57:927]: Feature: HTML5MMR; Installed: Absent; Request: Null; Action: Null


Now if you were to add the VMware Virtualization Pack for Skype for Business feature by executing:

VMware-viewagent-x86_64-7.4.0-7400533.exe /s /v"/qn VDM_VC_MANAGED_AGENT=1 ADDLOCAL=VMWMediaProviderProxy

**Note: make sure the Skype for Business client is closed or it won’t install!

… then you’ll see the following output in the logs:

MSI (s) (CC:04) [14:02:09:034]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.

MSI (s) (CC:04) [14:02:09:034]: PROPERTY CHANGE: Adding VDM_VC_MANAGED_AGENT property. Its value is '1'.

MSI (s) (CC:04) [14:02:09:035]: PROPERTY CHANGE: Adding ADDLOCAL property. Its value is 'VMWMediaProviderProxy'.

MSI (s) (CC:04) [14:02:09:035]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\a-tluk\AppData\Local\Temp\{0159A3BB-1690-4203-9383-4900B9E34B0B}~setup'.

MSI (s) (CC:04) [14:02:09:035]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.

MSI (s) (CC:04) [14:02:09:035]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '6732'.

MSI (s) (CC:04) [14:02:09:035]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0

MSI (s) (68:EC) [13:38:11:820]: Feature: VMWMediaProviderProxy; Installed: Absent; Request: Local; Action: Local
