Andy Dawson's Blog

The blog of Andy Dawson

Publishing ADFS using Web Application Proxy behind TMG

During a recent upgrade of ADFS from 2.0 to 3.0, we saw an interesting issue publishing the ADFS 3.0 proxy through TMG 2010.

The ADFS 2.0 proxy was published via TMG using a non-preauthenticating publishing web rule which had worked happily since ADFS was first used. When ADFS 3.0 was installed and configured, the firewall rule was modified to change the IP address that should be used to direct traffic to the ADFS 3.0 proxy instead of the old ADFS 2.0 proxy. When tested, this generated an error in the browser of the user attempting to access the ADFS proxy to sign into their organisation account:

“The page cannot be displayed. Error Code 64: Host not available”

In addition, the test of the firewall rule fails with the error “Connectivity error. Error details: 64 – The specified network name is no longer available.”

This obviously meant that users could not sign in to access services authenticated using ADFS.

The solution is to use a non-web server publishing rule on TMG to simply forward all traffic to the ADFS proxy/Web Application Proxy. However, this requires either that a dedicated external IP address is available on TMG, or that all applications are published using the Web Application Proxy instead of TMG.

Workflow Manager 1.0 doesn't successfully install on Windows Server 2012 R2 unless VC Redist 11.0 or 12.0 already present

There seems to be an issue installing Workflow Manager 1.0 refresh on Windows Server 2012 R2. Upon completion, when clicking through to configure Workflow Manager, you are informed that neither Service Bus 1.0, nor (obviously) CU1 for Service Bus 1.0 has been installed.

Digging into the event log on the machine in question, this shows that VC Redist 11.0 or greater is required, and this is not installed automatically by the WebPI.

On Windows Server 2012, VC redist 12.0 is installed automatically by WebPI and the installation of Workflow Manager 1.0 Refresh completes successfully.

Obviously the solution is to install VC redist 11.0 or 12.0 before attempting to install Workflow Manager 1.0 refresh on Windows Server 2012 R2.

Upgrading Data Protection Manager from 2012 SP1 to 2012 R2

Our recent upgrade of Data Protection Manager (DPM) from 2012 SP1 to 2012 R2 generated one issue which wasn’t mentioned by the documentation on Technet.

The documentation on Technet is good and the procedure for upgrading DPM was very quick and easy. Pay attention to the Upgrade Sequencing documentation as not following this can result in component failure for which no rollback procedure exists.

Once the upgrade is complete, the agents on each protected client need to be upgraded and a consistency check run against all protected sources. Depending upon the volume of data protected, this may take an extended period of time. Following this procedure I saw two errors, one on each of our DPM servers.

In each case, the DPM database that was being protected on the other DPM server would not show as consistent. Running a consistency check would change the status icon to green for a few seconds before the consistency check would again fail.

The error was occurring because during the DPM upgrade procedure, the DPM database names had been changed. Originally the DPM database names were of the form

DPMDB_ServerName

Following the upgrade, the DPM database names were of the form

DPMDB_ServerNameGUID

In each case it was a simple task to modify the protection group to include the new database name and once a backup had been taken, remove the protection on the original database name.

Edit: I've come across another issue that occurs during the upgrade - the notification settings had been reset to remove the e-mail addresses that I had entered. This means that we were no longer receiving e-mail notifications for DPM issues. Again this was quick and easy to resolve, but it would have been useful for the upgrade documentation to flag it.

Importing Hyper-V Virtual Machines Used With SCVMM into Hyper-V Manager

I recently ran into an issue importing some virtual machines that had been used with SCVMM into Hyper-V. I needed to export the virtual machines for use with a development environment while still leaving the originals where they were in SCVMM. The procedure I was using was:

  1. Shut down the virtual machines to be exported
  2. Export the virtual machines using Hyper-V on the virtual host
  3. Copy the exported virtual machines to another host not connected to SCVMM
  4. Attempt to import the virtual machines (copy, create a new ID)

This failed with the following error message:

Hyper-V did not find virtual machines to import from location c:\virtualisation\server212\

This is because SCVMM adds a security section into the virtual machine xml file which stops the Hyper-V import process. An example from one of the virtual machines I was attempting to import is:

<security>
  <sd type="string">O:S-1-0-0D:(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-16695)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-16726)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-18157)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-18645)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;DA)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;SY)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-500)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-1703)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-1110)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-15767)(OA;;CC;5cf72d6e-61d5-4fbe-a05c-1e3c28d742fa;;S-1-5-21-583907252-842925246-1060284298-1694)</sd>
</security>

Manually removing the security section from the virtual machine xml file allowed Hyper-V Manager to successfully complete the import process.
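
One way to script the manual edit described above, as an added example rather than code from the original post: it lists the ACE trustees held in the security section, keeps a backup of the file, then removes the section. The function name, the sample file and its SIDs are constructed for illustration, and the `//security` XPath assumes the element name shown in the excerpt.

```powershell
# Added example (not from the original post). The function name, sample file
# and SIDs below are constructed for illustration.
function Remove-VmSecuritySection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # leave the rest of the file untouched
    $doc.Load($fullPath)                 # honours the file's declared encoding

    # Assumption: the element is named <security>, as in the excerpt above.
    $nodes = @($doc.SelectNodes('//security'))
    if ($nodes.Count -eq 0) {
        Write-Verbose "No <security> section found in $fullPath"
        return
    }

    # Record each ACE "(type;flags;rights;object;inherit;trustee)" being dropped.
    $removed = foreach ($node in $nodes) {
        foreach ($m in [regex]::Matches($node.InnerText, '\(([^)]*)\)')) {
            $f = $m.Groups[1].Value -split ';'
            [pscustomobject]@{
                AceType = $f[0]; Rights = $f[2]; ObjectGuid = $f[3]; Trustee = $f[5]
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($fullPath, 'Remove <security> section')) {
        $backup = "$fullPath.bak"
        if (Test-Path -LiteralPath $backup) {
            throw "Backup $backup already exists; refusing to overwrite it."
        }
        Copy-Item -LiteralPath $fullPath -Destination $backup -ErrorAction Stop
        foreach ($node in $nodes) { [void]$node.ParentNode.RemoveChild($node) }
        $doc.Save($fullPath)
    }
    $removed    # returned either way, so -WhatIf gives a preview of the ACEs
}

# Constructed sample file (UTF-16; the structure and SIDs are made up).
$sample = Join-Path $env:TEMP 'sample-vm-config.xml'
@'
<?xml version="1.0" encoding="UTF-16" standalone="yes"?>
<configuration>
  <properties><name type="string">server212</name></properties>
  <security>
    <sd type="string">O:S-1-0-0D:(OA;;CC;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1001)(OA;;CC;00000000-0000-0000-0000-000000000001;;SY)</sd>
  </security>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding Unicode
Remove-Item -LiteralPath "$sample.bak" -ErrorAction SilentlyContinue

# List what was removed, then confirm the section is gone from the file.
Remove-VmSecuritySection -Path $sample | Format-Table -AutoSize
@(Select-Xml -LiteralPath $sample -XPath '//security').Count
```

Running it with -WhatIf first lists the ACEs without changing the file.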

Cross Flashing a Dell PERC H200 BIOS to Support Larger SATA Disks

The latest firmware for the Dell PERC H200 still doesn’t support SATA disks of greater than 2.2TB. In fact the card cannot even detect SATA drives that are larger than this. However, as the PERC H200 is essentially a rebadged LSI 9211-8i card, the firmware and BIOS from that card can be flashed onto the PERC H200 to provide support for larger SATA hard drives.

The procedure is as follows:

  1. Download the latest 9211-8i firmware package from LSI. I got my copy from http://www.lsi.com/products/storagecomponents/Pages/LSISAS9211-8i.aspx (click on the ‘Support & Downloads’ tab, then expand the firmware section). I downloaded the ‘9211_8i_Package_P16_IR_IT_Firmware_BIOS_for_MSDOS_Windows’ package and extracted the contents.
  2. Copy the required files from the extracted archive onto bootable media. I created a Windows 98SE boot USB stick and copied the files onto it. The required files are: 
    sas2flsh.exe – this is the flash application. Copy the version from the sas2flash_dos_rel folder if using a DOS boot disk.
    2118ir.bin – this is the firmware for the 9211-8i.
    mptsas2.rom – this is the card’s BIOS.
  3. Boot the server containing the PERC H200 from the bootable media. I’d recommend disconnecting any drives from the RAID card before flashing the firmware and BIOS.
  4. Once booted, change to the folder containing the files copied to the media, above, and issue the following commands:
    sas2flsh -o -f 2118ir.bin
    sas2flsh -o -b mptsas2.rom
    sas2flsh -o -reset
    Each command should report success before you move on to the next one. If any indicate a failure, double check that you copied the correct files onto the bootable media.
  5. Reboot the server and test the card.

The above procedure allowed the H200 I was using to detect and use two 3TB disks.

SharePoint 2013 on Windows Server 2012 R2 Preview and SQL Server 2014 CTP1

Following the recent release of Windows Server 2012 R2 Preview and SQL Server 2014 CTP1, I thought it would be an interesting experiment to see if I could get SharePoint 2013 running on the combination of these two previews. Most of the issues I encountered were around the product installers for SharePoint and the SharePoint pre-requisites:

  1. The SharePoint 2013 prereqinstaller.exe installer would not run and gave the error “This tool does not support the current operating system”.
  2. The SharePoint binary installer would insist that not all of the server features required by SharePoint had been installed.
  3. The SharePoint binary installer failed when installing the oserver.msi file.
    Examination of the setup logs (located at C:\Users\<username>\AppData\Temp\SharePoint Server Setup(<date-time>).log) showed the following error:
    “Error: Failed to install product: C:\MediaLocation\SharePoint2013InstallationMedia\global\oserver.MSI ErrorCode: 1603(0x643).”

SQL Server 2014 CTP1 seemed to install and work fine, although I did experience a couple of crashes during the installation procedure.

The following are workarounds for the issues seen above:

Preparing the server manually instead of using the prereqinstaller.exe involves adding the required server features and then manually installing the SharePoint pre-req files.

To add the required server features, use the following PowerShell commands in an elevated PowerShell prompt:

Import-Module ServerManager

Add-WindowsFeature Net-Framework-Features,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Application-Server,AS-Web-Support,AS-TCP-Port-Sharing,AS-WAS-Support, AS-HTTP-Activation,AS-TCP-Activation,AS-Named-Pipes,AS-Net-Framework,WAS,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer

If the server is not connected to the internet, the following PowerShell commands can be used (assuming that the installation media is available on D:\):

Import-Module ServerManager

Add-WindowsFeature Net-Framework-Features,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Application-Server,AS-Web-Support,AS-TCP-Port-Sharing,AS-WAS-Support,AS-HTTP-Activation,AS-TCP-Activation,AS-Named-Pipes,AS-Net-Framework,WAS,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -Source D:\sources\sxs

Scripts are available to download the SharePoint pre-reqs; the one I used is located at http://gallery.technet.microsoft.com/office/Script-to-SharePoint-2013-702e07df

I chose to install each of the pre-reqs manually, however the Windows Server App Fabric installer should be installed using the command line rather than the GUI as I couldn’t successfully get it installed with the options required using the GUI. To install Windows Server App Fabric, open an admin PowerShell console and use the following commands (assuming the installation file is located at c:\downloads):

$file = "c:\downloads\WindowsServerAppFabricSetup_x64.exe"

& $file /i CacheClient","CachingService","CacheAdmin /gac

Note the locations of the " marks in the second command line; these should be around the commas.

Once this is installed, the Windows Server AppFabric update (AppFabric1.1-RTM-KB2671763-x64-ENU.exe) can also be installed. For reference, the other pre-reqs that I manually installed were:

  • MicrosoftIdentityExtensions-64.msi
  • setup_msipc_x64.msi
  • sqlncli.msi
  • Synchronization.msi
  • WcfDataServices.msi

In each of the above cases, I accepted the default installation options.

Following the installation of the SharePoint 2013 pre-reqs, the SharePoint 2013 binary installer insisted that not all of the required server features were installed. Shutting the server down and restarting it (sometimes twice) seemed to solve this issue.

To solve the issue experienced during the binary installation of SharePoint 2013, a modification of the oserver.msi file is required. This can be achieved using ‘Orca’. Orca is available as part of the Windows Software Development Kit (SDK) for Windows 8, which can be downloaded from http://msdn.microsoft.com/en-us/library/windows/desktop/hh852363.aspx

Once the SDK is installed, start Orca, then use it to open the oserver.msi file located in the ‘global’ folder of the SharePoint 2013 installation media (taking a backup of the original file first, of course…), then navigate to the ‘InstallExecuteSequence’ table and drop the ‘ArpWrite’ line.

Save the file over the original, then start the binary installation in the usual way.

[Screenshot: SharePoint 2013 working on Windows Server R2 Preview with SQL Server 2014 CTP1]

Please note, all of the above is done entirely at your own risk and is for testing purposes only. Don’t even think of using it in production…

Changing from Incandescent to LED Lighting

Posts on this blog are usually IT related so I thought it might make a change to write about something that, while still technology related, is a little different…

As some of my colleagues will attest to, I firmly believe in a well insulated house and buying products for the home that are as efficient as possible. My Home Server, for example, runs on a low power CPU in an effort to reduce the day-to-day running costs.

Many of our lights at home have already been converted to use CFL bulbs, replacing the original incandescent bulbs. I’m not a great fan of CFL bulbs however for a couple of reasons:

  • The start-up time of some bulbs still seems to be long (not that that is necessarily an issue on a winter morning when I don’t want to be immediately blinded when switching the lights on)
  • The bulbs contain mercury (albeit in small amounts); if you break a bulb, both the bulb and the items you use to clean up should be treated as hazardous waste (see http://archive.defra.gov.uk/environment/business/products/roadmaps/lightbulbs.htm for details)

On the plus side however, exchanging the incandescent bulbs for CFL ones has significantly reduced the number of bulbs I have to change. Our living room light, for example, used to need a bulb changing on average once per month as opposed to about once every 2-3 years for CFL bulbs. In addition, my (albeit approximate) calculations suggest that we save about £5-7 per bulb per year in energy costs, so in general the CFL bulbs pay for themselves within a few months.

Many of our new lights however use GU10 incandescent bulbs and while GU10 CFL bulbs are available, they are typically longer than the original incandescent bulbs and so will not fit in many of the housings (e.g. in spotlights etc.)

LED bulbs are however available and with recent improvements to LED technology, can now match the light output of the incandescent bulbs they replace. Even better, many of the GU10 LED replacements are exactly the same size as the original bulbs and are therefore direct replacements. I like LED bulbs for the following reasons:

  • Fast start – LED lights are at full output almost immediately. In fact they beat an incandescent bulb, one of the reasons that they are used in brake lights on many cars these days
  • ‘Warm white’ bulbs are now available. White LEDs always used to be ‘cold white’, i.e. showed a significant blue cast, making them a very harsh light. Great for some specific applications, but not so nice for everyday use. Dimmable bulbs are also available.

The bulbs I favour are as follows:

These have 20 SMD LEDs and produce a light output equivalent to a 50W incandescent. Hopefully if there are failures of the individual LEDs within the bulb, the failure will be gradual rather than suddenly stopping working completely, giving us time to source replacements.

I have, however, found an issue when replacing a set of incandescent GU10 bulbs with their LED equivalents. We replaced a set of 4 bulbs in a kitchen fitting with LED bulbs and found that when the lights were switched off, the bulbs still glowed gently. With a single incandescent bulb and 3 LED bulbs in the fitting, the issue didn’t occur. Following a little research, it became obvious that even with a properly earthed system, the capacitively coupled power from live to switched live is enough to cause an LED bulb to glow gently. With an incandescent bulb in the fitting, the resistance of this bulb was low enough to effectively absorb the leakage current and stop the LEDs from glowing.

There is a solution to the issue, which is to fit a resistor-capacitor combination (a contact suppressant; not designed for this purpose, but works perfectly well) across the terminals of the light fitting. This can be a DIY solution, but I have found a product recommended for this purpose, which is a combination 0.1uF capacitor and a 100 ohm resistor in a package suitable for use with 240V AC.

The link goes to a Farnell page, but I am sure that these are also available from other quality electronics resellers. There is also a 0.22uF version for longer circuits, should that be required. I’d strongly recommend using a bit of heat-shrink tubing on each lead of the package to ensure that the supply will not come in contact with the light casing.

Adding one of these devices to our kitchen light has completely solved the issue of the bulbs glowing even when switched off. The LED bulbs are saving something like 90% of the energy (and therefore the running costs) that would be consumed by incandescent bulbs and hopefully they will have a very long life span.

More UK TechDays on Windows 8 and System Center 2012

Rik, Andrew and I will be at some of the upcoming UK TechDays that are being held.

I can’t recommend these days highly enough and every attendee that I have spoken to at previous events has found them both thoroughly enjoyable and useful.

Rik, Andrew and I will be at the System Center 2012 SP1 IT Pro camp tomorrow (19th February) – we hope to see you there!

Further information on the IT camps can be found at:

| Date | Event | Location |
|---|---|---|
| 19th February 2013 | System Center 2012 | Manchester |
| 21st February 2013 | System Center 2013 | Birmingham |
| 5th March 2013 | Windows Server 2012 – Virtualising Servers | York |
| 6th March 2013 | System Center 2012 | York |
| 17th April 2013 | Windows 8 | Southampton |
| 24th April 2013 | TechDays Online 2013 | |

If you want to know more about forthcoming TechDays keep an eye on the main events page.

Setting SharePoint 2013 User Profile Service Application Permissions Using PowerShell

My last post about the SharePoint 2013 MySite Newsfeed and required additional permissions on the User Profile Service Application dealt with adding the required permissions to the UPSA using the SharePoint 2013 GUI. Alternatively, you can add the required permissions using PowerShell:

    #Grab a reference to the User Profile Service Application
    $serviceapp = Get-SPServiceApplication | where {$_.DisplayName -eq "User Profile Service Application"}

    #Return the SPObjectSecurity object for the Service Application
    $security = Get-SPServiceApplication $serviceapp | Get-SPServiceApplicationSecurity

    #Setup our claim provider
    $claimprovider = (Get-SPClaimProvider System).ClaimProvider

    #Specify the required principal
    $principal = New-SPClaimsPrincipal "Domain\UPSAppAccount" -IdentityType WindowsSamAccountName

    #Grant the required permissions on the Service Application
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
    Set-SPServiceApplicationSecurity $serviceapp -ObjectSecurity $security

Using PowerShell allows us to add this part of the configuration to a script rather than having a manual step to perform once the PowerShell has completed (as we all know, these additional manual steps tend to get forgotten).

SharePoint 2013 MySite Newsfeed displays "There was a problem retrieving the latest activity. Please try again later"

This is an issue that we've been bumping up against, and we have seen a number of other users with the same problem in SharePoint 2013 implementations.

When looking at the 'Everyone' tab on a user's MySite, the following message is displayed:

There was a problem retrieving the latest activity. Please try again later.

and the following entries appear in the SharePoint logs:

Failure retrieving application ID for User Profile Application Proxy 'User Profile Service Proxy': Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have c2d5c86f-e928-4abf-b353-a8ab7809766c     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_AppID()           0e49dc9b-d278-1089-b021-6e2138766eae

SPMicrofeedFeedCacheService.GetUserProfile() - UserProfileApplicationProxy not available     0e49dc9b-d278-1089-b021-6e2138766eae

To correct this issue, complete the following steps:

  1. Log onto the SharePoint 2013 Central Administration site as a farm administrator
  2. Navigate to 'Manage Service Applications'
  3. Highlight the User Profile Service Application
  4. Click the 'Permissions' ribbon toolbar button
  5. Add the account that is used to run the User Profile Service Application and give it full control
  6. Click OK

At this point it is usual to see the following displayed in the 'Everyone' tab of the user's MySite:

We're still collecting the latest news. You may see more if you try again a little later.

It's worth checking the SharePoint logs at this point to see what additional errors may be reported (note that you will see 'We're still collecting the latest news' if no users have posted anything, so create a post to ensure that you have something waiting in the queue). In my case, I saw the following:

System.Data.SqlClient.SqlException (0x80131904): Cannot open database "SP_Content_MySite" requested by the login. The login failed.  Login failed for user 'Domain\UPSApp'.

This can be solved by completing the following steps:

  1. Open the SharePoint 2013 Management Shell by right-clicking and choosing 'run as administrator'
  2. Issue the following PowerShell commands
    $wa = Get-SPWebApplication http://<MySiteURL>
    $wa.GrantAccessToProcessIdentity("domain\UPSApp")

At this point, the newsfeed should be up and running successfully.