Azure Pack: Web Sites MBCA 2.0 Model preventing Feature Pack for Windows Azure Pack Web Sites v2 (KB2927682) from installing.

Windows Update is failing to install “Feature Pack for Windows Azure Pack Web Sites v2 (KB2927682)” on one of my Azure Pack servers, and the only error message it gives is 0x80070643.

The event log shows a slightly better error message; “Product: Web Sites Local Feed — A newer version of Web Sites Local Feed was found on this machine.”

After further investigation, the MSI log file reveals some great information and clues:

It lists a program with GUID {BE2AD1F0-C5FF-4F62-95BD-44C829150573} that prevents the installation from completing.
And that GUID turned out, after a quick Registry search, to be “Web Sites MBCA 2.0 Model”.

And after uninstalling “Web Sites MBCA 2.0 Model” from Add/Remove Programs, my Windows Update installation went through at once!

Success!
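The registry lookup described above can be scripted. This is an added example, not code from the original post; it uses the product code quoted from the MSI log and removes the product with msiexec instead of Add/Remove Programs.

```powershell
# Product code taken from the MSI log quoted in this post.
$productCode = '{BE2AD1F0-C5FF-4F62-95BD-44C829150573}'

# MSI products register under Uninstall\<ProductCode>; check the 64-bit and 32-bit views.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-BlockingProduct {
    param([string]$Code, [string[]]$Roots)
    foreach ($root in $Roots) {
        $key = Join-Path $root $Code
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                ProductCode = $Code
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                InstallDate = $p.InstallDate
                RegistryKey = $key
            }
        }
    }
}

$found = Get-BlockingProduct -Code $productCode -Roots $roots
if (-not $found) {
    Write-Warning "No installed product is registered under $productCode"
    return
}
$found | Format-List

# Remove the blocking product silently and keep a verbose log for the change record.
$log  = Join-Path $env:TEMP "uninstall-$($productCode.Trim('{}')).log"
$proc = Start-Process msiexec.exe -Wait -PassThru `
            -ArgumentList "/x $productCode /qn /norestart /l*v `"$log`""
"msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = reboot required); log: $log"
```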

AzurePack: Components for Website Feature failed to install

I had to install a new Frontend and Publishing server for my Web Sites components inside Azure Pack. Unfortunately the installation failed, so I had to find out what was wrong.

The first check on the step-by-step troubleshooting list is the firewall, which also revealed the problem:

The automatically created firewall rule for the “WebFarmAgentService”, which is used to install the rest of the components, is only enabled for “Public” interfaces. So the interface that was actually being used, which is connected to the Domain, obviously did not allow that traffic.

Enabling “Domain” in the Firewall Rule solved the problem, and the installation went through! I can’t see any reason for the devs to make that decision to only enable the rule for Public… But maybe there is some strange reason that you guys can come up with?
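The mismatch between a rule's profile and the profile of the active connection can be checked before an installation fails. This is an added example, not from the original post; the display-name pattern `*WebFarmAgent*` is an assumption, and the fix is only applied when `$apply` is set.

```powershell
# Assumption: the auto-created rule's display name contains "WebFarmAgent".
$pattern = '*WebFarmAgent*'
$apply   = $false   # set to $true to add the Domain profile to rules that do not apply

# Map each connection's network category to the matching firewall profile name.
$map = @{ DomainAuthenticated = 'Domain'; Private = 'Private'; Public = 'Public' }
$activeProfiles = @(Get-NetConnectionProfile |
    ForEach-Object { $map["$($_.NetworkCategory)"] } | Sort-Object -Unique)

$rules = Get-NetFirewallRule -DisplayName $pattern -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

$report = foreach ($rule in $rules) {
    # Profile is a flags value such as "Public" or "Domain, Private".
    $ruleProfiles = "$($rule.Profile)" -split ',\s*'
    $applies = ($ruleProfiles -contains 'Any') -or
               (@($activeProfiles | Where-Object { $ruleProfiles -contains $_ }).Count -gt 0)
    [pscustomobject]@{
        Name           = $rule.Name
        DisplayName    = $rule.DisplayName
        RuleProfiles   = $ruleProfiles -join ','
        ActiveProfiles = $activeProfiles -join ','
        AppliesNow     = $applies
    }
}
$report | Format-Table -AutoSize

if ($apply) {
    foreach ($r in $report | Where-Object { -not $_.AppliesNow }) {
        # Keep the profiles the rule already had and add Domain, as done in the post.
        $newProfiles = (@($r.RuleProfiles -split ',') + 'Domain' | Sort-Object -Unique) -join ','
        Set-NetFirewallRule -Name $r.Name -Profile $newProfiles
        "Updated '$($r.DisplayName)': $($r.RuleProfiles) -> $newProfiles"
    }
}
```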

 

SCVMM : Automatic Baseline update script

SCVMM (System Center: Virtual Machine Manager) 2012 and 2012R2 can manage the patch compliance on your servers. That’s a great feature but normally involves some manual work as you have to add each update to the Baselines manually.

My colleague Mikael Nyström (MVP) made a script to handle this automatically, which I’ve developed a bit further.

The script has a few Pre-Requisites;

  • A WSUS Server defined in SCVMM
  • Approved patches for “Windows Server 2012” and “Windows Server 2012 R2” in WSUS
  • Pre-Defined Baselines (you can use Add-Baseline to create them) with these names;
    • Security Updates
    • Critical Updates
    • Updates
    • Update Rollups

That’s it! You can now run the script and automatically import all matching updates.

The following actions will be performed;

  • Synchronize updates with WSUS
  • Check if there are any updates in the Baseline already
    • If the baseline is empty, import ALL matching updates
    • If the baseline is NOT empty, check the Newest 500 updates and import all matching updates
  • Remove inactive updates
  • Repeat for all Baselines
  • Start a compliance scan

The script will not initiate any remediation. And as the script normally only checks the newest 500 updates, it has to be run fairly regularly. In my environment, 500 updates is about 1 month of updates. Though to be safe, run it once a week.
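The steps listed above could be implemented as follows. This is an added example, not the script by the author or Mikael Nyström; it assumes the `virtualmachinemanager` module on the VMM server and that update objects expose `UpdateClassification`, `Products`, `IsApproved`, `IsDeclined`, `IsExpired` and `IsSuperseded`.

```powershell
# Added example; property names on the update objects are assumptions (see lead-in).
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName localhost | Out-Null

$baselineNames = 'Security Updates', 'Critical Updates', 'Updates', 'Update Rollups'
$products      = 'Windows Server 2012', 'Windows Server 2012 R2'

# 1. Synchronize the update catalog with WSUS.
foreach ($wsus in Get-SCUpdateServer) {
    Start-SCUpdateServerSynchronization -UpdateServer $wsus | Out-Null
}

foreach ($name in $baselineNames) {
    $baseline = Get-SCBaseline -Name $name
    if (-not $baseline) { Write-Warning "Baseline '$name' not found, skipping"; continue }

    # 2. Empty baseline: consider every update. Otherwise only the newest 500.
    $existing   = @($baseline.Updates | ForEach-Object { $_.ID })
    $candidates = if ($existing.Count -eq 0) { Get-SCUpdate } else { Get-SCUpdate -Newest 500 }

    $toAdd = @($candidates | Where-Object {
        $u = $_
        $u.UpdateClassification -eq $name -and $u.IsApproved -and
        -not ($u.IsDeclined -or $u.IsExpired -or $u.IsSuperseded) -and
        @($products | Where-Object { $u.Products -contains $_ }).Count -gt 0 -and
        $existing -notcontains $u.ID
    })

    # 3. Updates already in the baseline that are no longer active.
    $toRemove = @($baseline.Updates |
        Where-Object { $_.IsDeclined -or $_.IsExpired -or $_.IsSuperseded })

    if ($toAdd.Count)    { Set-SCBaseline -Baseline $baseline -AddUpdates $toAdd | Out-Null }
    if ($toRemove.Count) { Set-SCBaseline -Baseline $baseline -RemoveUpdates $toRemove | Out-Null }
    '{0}: added {1}, removed {2}' -f $name, $toAdd.Count, $toRemove.Count
}

# 4. Compliance scan only; no remediation is started.
Get-SCVMMManagedComputer | ForEach-Object {
    Start-SCComplianceScan -VMMManagedComputer $_ -RunAsynchronously | Out-Null
}
```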

Azure Pack : Database creation failed with internal server error

If you experience problems creating MS SQL Databases as an Azure Pack tenant, with the very descriptive error message “Database creation failed” and details “internal server error” you may have run into the same problem I had today.

Azure Pack states that the user needs to have an 8-character complex password, but in truth it’s using the settings from the Local Security Policy on the MS SQL Server, which in my case required 12 characters. So any attempt to create a database with a username and a password shorter than 12 characters gave that error message.

Quick solution: set a new Local Security Policy with a length of at least 8 characters. Problem solved!

 

Azure Pack : Tenant Site automatic installation

If you want to install Azure Pack : Tenant Site in a distributed installation, meaning not an Express installation on just one server, it’s possible to do it manually, OR … of course in a scripted way, so it’s automatic and unattended. Same result each time and the smallest amount of time wasted on installations. Here is a small PowerShell script that will take care of all the dependencies and install all the packages for the Public Tenant Site.

 

Bugcheck: DRIVER_POWER_STATE_FAILURE (9f)

I experienced a Bluescreen of Death (BSOD) on my Windows 8 Laptop (HP EliteBook 8560w) this morning when it resumed from Hibernate.
I quickly launched WinDBG and opened the crashdump.

WinDBG managed to find the driver that caused this problem by itself this time. But IF WinDBG had not been able to show me the faulty driver, the next step would have been to use the Bugcheck info (0x0000009f) to dig further into this;

The last argument is the interesting one, and the one we should look into further with the !irp command.

It will show something similar to this. And it’s the e1c63x64.sys driver that was active at the time of the bluescreen. Same info as !analyze -v managed to figure out by itself.

Hmm, so what driver is that?

Too bad that it was unable to provide more detailed information. But some old-school properties of the \SystemRoot\system32\DRIVERS\e1c63x64.sys file gave this;

And a quick search on Intel’s Support sites showed that there was a newer version available for my NIC;
Intel(R) 82579LM Gigabit Network Connection here.

Driver updated, and hopefully no more bluescreens due to this driver bug.

 

Can’t access a computer remotely without password?

I got a question the other day, “how can I access a computer remotely without a password?”

The reason that it’s not possible by default to access a computer remotely with an account that does not have a password is that there is a new security policy/feature which states:

You can change that behavior by modifying the “Local Security Policy” here:


 

Just a thought. One could argue that it’s actually safer to have no password on the Local Admin account and leave this policy Enabled than to have a weak password on the Admin account.

Because if there is no password, no malicious person or software could ever remotely access the computer as a local admin. While if you have a weak password, it would be possible for someone to brute force (try all possible combinations until you get in) the password.
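That argument only holds while the policy is actually enabled, which can be audited. This is an added example, not from the original post; it assumes the policy in question is “Accounts: Limit local account use of blank passwords to console logon only”, stored as the `LimitBlankPasswordUse` registry value.

```powershell
# Registry value behind "Accounts: Limit local account use of blank passwords
# to console logon only" (1 = enabled). Assumed to be the policy the post refers to.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyEnabled = ($lsa.LimitBlankPasswordUse -eq 1)

# Enabled local accounts that are permitted to have an empty password.
# PasswordRequired = False means a blank password is allowed, not that one is set.
$accounts = @(Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { -not $_.Disabled -and -not $_.PasswordRequired })

$accounts | ForEach-Object {
    [pscustomobject]@{
        Account             = $_.Name
        BuiltinAdmin        = ($_.SID -like 'S-1-5-21-*-500')
        BlankPasswordOK     = $true
        NetworkLogonBlocked = $policyEnabled
    }
} | Format-Table -AutoSize

if ($policyEnabled) {
    'Policy enabled: accounts with a blank password can only log on at the console.'
} elseif ($accounts.Count -gt 0) {
    Write-Warning ("Policy disabled and {0} enabled local account(s) may have a blank password; " +
                   "these are reachable over the network." -f $accounts.Count)
} else {
    Write-Warning 'Policy disabled; no enabled local account currently allows a blank password.'
}
```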

 

 

How to get NAP with Server and Domain Isolation to play together

If you are trying to get NAP (Network Access Protection) and SDI (Server & Domain Isolation) to play nice, you might not get the results you are expecting. I’m going to explain how to get NAP with Server and Domain Isolation to play together.

There are plenty of Blogs and Guides out there, explaining how to get either NAP or Server and/or Domain Isolation to work. And that’s basically no problem so I won’t cover that here today.
But I’ve so far not found anyone who’s tried to combine both technologies.

Background

First of all, some background for my environment. I’m working on a project where we want to implement NAP to get the health check, but also Server and Domain Isolation to make sure that only trusted clients and users can talk to the systems they have access to. There was no doubt that we would use Certificates to validate the client health state.

Two Windows Server 2008 R2 Servers with HRA/NAP Roles and the Stand-Alone CA Role were installed for redundancy. Clients are getting the Health Certificates and all is good. The SA (Security Associations) policy on the servers and clients is configured to “Require Inbound and Request Outbound Authentication”, with a requirement for a Health Certificate from the organization’s CA Servers. So far, so good.

The clients can now access the server when they have a valid health state, and are unable to access the server if they don’t. Yay! NAP works.

And the nice thing is that the HRA only serves Domain Joined clients. As the servers won’t talk to any client without a Health Certificate, and only Domain Joined clients can get one, we have also got “Domain Isolation”. Ok, two out of three check boxes done.

Now, try to use Server Isolation and configure a Firewall Rule to only allow ClientA to connect to ServerX via RDP. That does not work. Well, it does work to create the rule, but it will never allow the traffic.
The reason is that when you use a NAP Certificate to authenticate the connection, there is no mapping to the computer account, which makes it impossible to use a Computer Based rule.

NAP with Server and Domain Isolation - Security Associations

Notice “No Authentication”.

Okay, so what if you use the check box “Enable certificate to account mapping”?

Sorry, that doesn’t work either. When you use the Health Certificate feature, no certificate mapping is done in the Windows Firewall. This has been verified in the Windows source code.

This blog post does state that it should be possible to use that check box and then use a Policy “Access this computer from the network” where you can specify which computers are able to access the server over the network. But it’s still “All or nothing”. You can’t specify that ClientA should be able to access the SQL Server but nothing else.

Solution for NAP with Server and Domain Isolation

Luckily, there is a kind of workaround. To be honest, it’s not that common that you want to restrict so only ClientA, ClientB and ClientC can access the SQL Service on ServerX. I would dare to say it’s more common that you want to restrict which Users can access the service. Right?

I want to control so UserD, UserE and UserF can access the RDP (Remote Desktop) Service, from any Healthy Domain Joined Client. It doesn’t really matter which client they connect from as long as it’s healthy and domain joined. Or I could control which clients they are able to log on to.

So the workaround is to use a “Secondary Authentication” option, where we Authenticate the User, like this.
The options for the Computer Authentication stay the same. Just add a Secondary Authentication on the SA for User (Kerberos v5). It’s then possible to restrict which users are able to connect to a specific service.

In your firewall RDP Rule, configure it to Require a secure connection, and specify which users should be able to access the service. Now try to connect with two different users via RDP. You should see how the rule is applied and works.

I decided to create a Firewall Rule for RDP that only allowed “TestUser” to connect to the service.
In the screenshot below, the upper RDP is started with the TestUser Account, while the bottom RDP Client is started with “Runas Domain\Administrator” which according to the rule, should not be allowed to connect. And as you see, it’s not able to connect, which is expected.

NAP with Server and Domain Isolation - Proof that it works

Summary

To get NAP to work with Server Isolation, you have to enable “Second Authentication” for the User with Kerberos Authentication, so that authentication is done when the connection is established. That in turn makes it possible to create Firewall Rules that can be applied to user objects, but unfortunately not to computer objects.
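The same configuration can be expressed with netsh on Windows Server 2008 R2, here wrapped in PowerShell. This is an added example, not from the original post; the account `CONTOSO\TestUser`, the CA name and the rule names are placeholders, and the helper `Invoke-Netsh` is hypothetical.

```powershell
# Added example. Placeholders: account, CA name and rule names.
$user   = 'CONTOSO\TestUser'
$caName = '<distinguished name of the CA that issues the health certificates>'

# The firewall stores authorized users as an SDDL string, so resolve the account to its SID.
$sid  = ([System.Security.Principal.NTAccount]$user).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$sid)"

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}

# Connection security rule: first authentication with the computer health certificate,
# second authentication with the user's Kerberos identity.
Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule', 'name=NAP-SDI-Health-UserKerb',
    'endpoint1=any', 'endpoint2=any', 'action=requireinrequestout',
    'auth1=computercert', "auth1ca=$caName", 'auth1healthcert=yes',
    'auth2=userkerb')

# Inbound RDP rule that requires an authenticated connection and authorizes one user.
# Any other enabled inbound allow rule for TCP 3389 would still admit other users,
# so the built-in Remote Desktop rules must not remain enabled alongside this one.
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', 'name=RDP-TestUser-Only',
    'dir=in', 'action=allow', 'protocol=TCP', 'localport=3389',
    'security=authenticate', "rmtusrgrp=$sddl")

# After a test connection, confirm that the main mode SA lists a second
# (user Kerberos) authentication rather than "No Authentication".
Invoke-Netsh @('advfirewall', 'monitor', 'show', 'mmsa')
```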