Setting up IPsec with Kerberos on Server 2012 R2

Ok, so not strictly an SCCM related post but it might be helpful to many people struggling to setup IPsec.

We have recently been asked to ensure that all our SCCM 2012 servers communicate with each other using IPsec. Now, anyone who has tried to do this, having never done it before, will know there isn’t that much online on how to do this. At first glance it seems quite complex but actually it’s pretty easy to do.

I have only ever done this on Server 2012 R2, so I’ve no idea if this same process will work on earlier versions (give it a go and let me know!). Also, this is using Kerberos as the authentication method only (so obviously this can only be done in a domain environment) and requesting IPsec, rather than requiring it (meaning non-IPsec computers can still communicate with the servers, albeit without encryption). Here is how we implemented it:

  1. Log in with an admin account, open up Services and ensure the IKE and AuthIP IPsec Keying Modules service is running and set to start automatically.
  2. Open Windows Firewall with Advanced Security, right-click the Connection Security Rules node and select New Rule….
  3. In the New Connection Security Rule Wizard, on the Rule Type page, select the Isolation radio button and click Next.
  4. On the Requirements page, select the Request authentication for inbound and outbound connections radio button and click Next.
  5. On the Authentication Method page, select the Computer (Kerberos V5) radio button and click Next.
  6. On the Profile page, leave as default and click Next.
  7. On the Name page, give the rule a sensible name and click Finish.

That’s it! Now obviously you’ll want to test it’s working and I’m sure you can use some sort of network monitor to do this but the easiest way is to use the tools in the firewall itself.

Simply set this up on 2 servers, have them ping each other (this is important as it starts the IPsec connection) and then go into Windows Firewall with Advanced Security again, expand the Monitoring node, then expand the Security Associations node and click on the Main Mode node (you may need to hit F5 to refresh the node). In the right window you should see any IPsec connections, along with the authentication method and encryption type.

IPsec away!


Inventorying App-V in SCCM 2012

I recently had to start inventorying virtual apps in SCCM 2012 and although it’s very easy to do, I noticed there isn’t much out there explaining the process.

How you do this will depend on whether you use App-V 4.6 or App-V 5.

Inventory App-V 4.6
WMI Class is located \root\Microsoft\appvirt\client

Once you have deployed an App-V 4.6 app to a machine the above WMI namespace should get populated. Then it’s just a simple case of going to Client Settings, Hardware Inventory, choosing Set Classes and turning on the correct classes for App-V 4.6, which are Virtual Application Packages (Package) and Virtual Applications (Application), selecting whichever values you need reporting back.

Inventory App-V 5.0
WMI Class is located \root\appv

Once you have deployed an App-V 5.0 app to a machine the above WMI namespace should get populated. Then it’s just a simple case of going to Client Settings, Hardware Inventory, choosing Set Classes and turning on the correct classes for App-V 5.0, which are AppV Client Application (AppvClientApplication) and AppV Client Package (AppvClientPackage), selecting whichever values you need reporting back.

Once the clients have updated their policy and run a Hardware Inventory you can go to Resource Explorer > Hardware and you should see nodes for AppV Client Application, AppV Client Package, Virtual Application Packages and Virtual Applications, all showing virtual application data.
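A quick client-side check, as an added example (not from the original post), that the WMI classes named above for App-V 4.6 and App-V 5.0 actually contain instances before you enable them in Hardware Inventory; it assumes an App-V client is installed on the machine you run it on.

```powershell
# Added example: confirm the App-V WMI classes the post lists are populated on this client.
# A missing namespace or class simply means that App-V client version is not installed here.

function Get-AppVInventoryClasses {
    # Namespace / class pairs exactly as the post gives them
    $targets = @(
        @{ Version = 'App-V 4.6'; Namespace = 'root\Microsoft\appvirt\client'; Classes = 'Package', 'Application' },
        @{ Version = 'App-V 5.0'; Namespace = 'root\appv';                     Classes = 'AppvClientPackage', 'AppvClientApplication' }
    )
    foreach ($t in $targets) {
        foreach ($class in $t.Classes) {
            try {
                $rows = @(Get-CimInstance -Namespace $t.Namespace -ClassName $class -ErrorAction Stop)
                [pscustomobject]@{ Version = $t.Version; Class = $class; Present = $true;  Instances = $rows.Count }
            } catch {
                [pscustomobject]@{ Version = $t.Version; Class = $class; Present = $false; Instances = 0 }
            }
        }
    }
}

Get-AppVInventoryClasses | Format-Table -AutoSize

# For App-V 5.0 the package rows carry the values you would pick in Set Classes;
# Name, Version and PackageId are standard AppvClientPackage properties
Get-CimInstance -Namespace root\appv -ClassName AppvClientPackage -ErrorAction SilentlyContinue |
    Select-Object Name, Version, PackageId | Format-Table -AutoSize
```

Zero instances with Present = True means the client is installed but nothing has been published yet, so the hardware inventory would come back empty even with the classes enabled.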

There are also a few default reports that are available to use:


SCCM 2012 Data Replication Service (DRS)

I’ve been troubleshooting a number of SQL replication issues recently and found a couple of great blogs to help. I’ll continuously update this post to list great articles that will help you understand and troubleshoot DRS problems.

Troubleshooting Initial DRS Synchronisation – http://blogs.technet.com/b/sudheesn/archive/2012/10/21/drs-initialization-in-configuration-manager-2012.aspx

Troubleshooting DRS – http://blogs.msdn.com/b/minfangl/archive/2012/05/16/tips-for-troubleshooting-sc-2012-configuration-manager-data-replication-service-drs.aspx

More DRS Troubleshooting – http://blogs.technet.com/b/umairkhan/archive/2014/03/25/configmgr-2012-drs-troubleshooting-faqs.aspx


2013 in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 26,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 10 sold-out performances for that many people to see it.

Click here to see the complete report.

Hardware Inventory not being received by the Management Point

A colleague and I have been working on an issue today where the Hinv from a client was being generated and sent but never seemed to be received by the MP.

When we checked the Last Hardware Scan value for the machine in Resource Explorer > Hardware > Workstation Status, we could see that SCCM stated the last scan was from over a month ago but looking at the InventoryAgent.log on the client, it clearly showed it successfully sent the report yesterday.

There were no errors (or even mentions) for this machine in either of the inventory components in Component Status in the console or in the MP_Hinv.log on the MP. Something was blocking the report between it being sent by the client and it being received on the MP.

The obvious answer for this was IIS, so we turned on IIS logging for the MP server and sent the Hinv again. Within a few seconds we saw:

170.60.210.69 BITS_POST /CCM_Incoming/{25F04BBF-0626-4989-921D-0B3EDA3B2A1C} (bits_error:{5FB9E647-D1DC-4211-8A68-2310B81E4E0C},403,0x80070005) 80 - 10.133.44.170 Microsoft+BITS/7.5 403 0 0 0

Obviously the bits_error part of this message immediately made us think there might be a problem with BITS on the client. As an initial troubleshooting step, we decided to try and clear the BITS queue of current jobs, using the below method:

  1. Stop the BITS service on the client (use services.msc or “net stop BITS”)
  2. For Windows 7 or Windows 8 go to C:\ProgramData\Microsoft\Network\Downloader. For Windows Vista and below go to C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader.
  3. Delete qmgr0.dat and qmgr1.dat
  4. Start the BITS service on the client (use services.msc or “net start BITS”)
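The four steps above as a script, plus the re-run of the Hinv that follows them, as an added example (not from the original post); it uses the two queue paths the post gives and is meant to be run elevated on the affected client.

```powershell
# Added example: clear the BITS job queue as the post describes, then trigger a new Hinv.
# Run elevated on the client. Both queue paths from the post are tried; whichever exists is used.

function Clear-BitsQueue {
    # Snapshot the queue first so you know which jobs are being dropped
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object DisplayName, JobState, TransferType | Format-Table -AutoSize

    # Step 1: stop BITS (same as "net stop BITS")
    Stop-Service -Name BITS -Force

    # Step 2: queue directory for Windows 7/8 and for older releases, as given in the post
    $queueDirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Network\Downloader'),
        'C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader'
    ) | Where-Object { Test-Path $_ }

    # Step 3: delete qmgr0.dat and qmgr1.dat
    foreach ($dir in $queueDirs) {
        foreach ($name in 'qmgr0.dat', 'qmgr1.dat') {
            $file = Join-Path $dir $name
            if (Test-Path $file) { Remove-Item -Path $file -Force; "Removed $file" }
        }
    }

    # Step 4: start BITS again (same as "net start BITS")
    Start-Service -Name BITS
}

Clear-BitsQueue

# Re-run the Hardware Inventory cycle so the client resends its report; this schedule ID
# is the SCCM client's Hardware Inventory Cycle trigger
Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000001}' } | Out-Null
# Then watch InventoryAgent.log on the client, and MP_Hinv.log plus the IIS log on the MP
```

A 403 with the same bits_error after the reset points away from the client queue and towards the MP itself (IIS permissions on CCM_Incoming or the BITS server extension), so check there next rather than clearing the queue again.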

Once the BITS queue had been cleared we ran another Hinv and the information was sent by the client and received by the MP successfully. The client also no longer created any errors in the IIS logs.

Problem solved.

Force an SCCM Client to use a particular AD Site

Did you know it was possible to make SCCM think that a computer is in a particular AD site, even though based on its IP address, it is in a completely different one?

You may want to use this for many scenarios such as a test environment, where you want to force a client to download from a particular DP.

It is very easy to do by simply going to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Create a new String Value called SiteName with a value of the AD Site you want to use.

Once it has been added, open up the SCCM Client on the machine and you will see that the AD Site Name has now been changed:

All software downloads initiated from this client will now take place from the DP that has the boundary for this AD site.
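Setting, checking and reverting that registry override from PowerShell, as an added example (not from the original post). The site name Lab-Site is a placeholder; the nltest check is an assumption that the OS reports the overridden site straight away (restart the Netlogon service if it still shows the old one).

```powershell
# Added example: manage the Netlogon SiteName override the post describes. Run elevated.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = 'Lab-Site'   # placeholder: the AD site whose boundary/DP the client should use

function Set-ForcedAdSite([string]$SiteName) {
    # String Value (REG_SZ) named SiteName, exactly as in the post
    New-ItemProperty -Path $key -Name SiteName -PropertyType String -Value $SiteName -Force | Out-Null
}

function Get-ForcedAdSite {
    # $null means no override: the site is worked out from the IP subnet as normal
    (Get-ItemProperty -Path $key -Name SiteName -ErrorAction SilentlyContinue).SiteName
}

function Remove-ForcedAdSite {
    # Revert once testing is done, otherwise the machine stays pinned to that site's DP
    Remove-ItemProperty -Path $key -Name SiteName -ErrorAction SilentlyContinue
}

"Before: $(Get-ForcedAdSite)"
Set-ForcedAdSite -SiteName $site
"After:  $(Get-ForcedAdSite)"

# Assumption: what the OS now reports as its site (the SCCM client picks up the same value)
nltest /dsgetsite

# Undo when finished with the test:
# Remove-ForcedAdSite
```

Because this single string changes which DP every client on the box downloads from, treat it as a lab setting and audit for it on production machines where it should never be present.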

Collection query based on a machine being a member of another collection

Earlier today I was trying to create a collection that showed all machines that were in another collection.

This has to be done using a sub select query and the first one I used brought back all machines that were in a collection, based on that collection ID:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where ResourceID in
(select ResourceID
from SMS_FullCollectionMembership
where CollectionID = "NOV00062")

Unfortunately this only partly solved the client’s problem, as he wanted to bring back all machines that were part of a collection where the collection name started with “Lab:”. This meant adding a join to the query, as the SMS_FullCollectionMembership class doesn’t include the collection name, only the collection ID:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select ResourceID
from SMS_FullCollectionMembership
JOIN SMS_Collection on SMS_FullCollectionMembership.CollectionID = SMS_Collection.CollectionID
where SMS_Collection.Name LIKE "Lab:%")

Problem solved 🙂