Failover Cluster Generic Script Resource Failed 0x80070009

Hi All,

I have found interesting behavior of Failover Clustering feature in Windows 2012 R2. Message from console and logs in this situation is quite Add to dictionary.
When you have done Generic Script Resource configuration, as described in this Microsoft Product Team Blog , you can find your resource down and following status message:

1
The storage control block is invalid.

I have shown that on this screenshot:
Status zasobu klastrowego
When we display the extended error message, we find out, that error code is

1
0x80070009

Rozszerzona informacja o błędzie
Similar Entry we can find in Cluster Event Log:
Log systemowy klastra

In this situation we should verify if our script is not returning 0x9 value from any entry point function. When we assured that, this error tells us we have made syntax error in Visual Basic script and in the result cluster resources manager was unable to compile and execute that script.

That is why checking script (every, not only Visual Basic!) is general good practise. We can verify Visual Basic Script Behawior by running the script from command line. This can be done with following command:

1
cscript.exe C:\pełna\ścieżka\do\pliku.vbs

Correctly written script should write to console completelly nothing except VB host banner because Generic Script Resource should contain only function definition and no calls to them (this is property of all CallBacks).
In case of any syntax error command execution should return with similar error:
Błąd walidacji skryptu

Have a nice Scripting Time!

Certificate Request generation for Microsoft Enterprise CA by openssl

Long time ago I have written about generating Certificate Signing Requests from non-Windows machines. The main goal was to sign such request by Microsoft Enterprise CA. I have mentioned vSphere infrastructure as an example.
I have been recently asked a similar question. New vSphere versions require Alternative Name Extension to exist in the certificate. The question was how to configure openssl to implement both functionalities.
Reaching the goal was quite simple, but not trivial. We can define several sections containing settings for request extensions, however only one can be used for a specific certificate request generation.
It is a good practice to reorganize an openssl configuration file designed for generating a single server certificate. In this way, we obtain templates for each server instance.
An Example configuration file may look as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
openssl_conf = openssl_init

[ openssl_init ]
oid_section = new_oids

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ new_oids ]
MsCaCertificateTemplate = 1.3.6.1.4.1.311.20.2

[ v3_req ]
basicContraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server01, DNS:server01.domena.test
MsCaCertificateTemplate = ASN1:PRINTABLESTRING:VMwareCertificate

[ req_distinguished_name ]
countrName = PL
stateOrProvinceName = Malopolskie
localityName = Krakow
0.organizationName = Firma
organizationalUnitName = Oddzial
commonName = server01.domena.test

Most important parts of the config file are:

  • Line 1. Identifies the global configuration section.
  • Line 4. Identifies the OIDs definitione section. This line is singleton in this section.
  • Line 13. Identifies the Extension definition section. Those extensions will be added to certificate request body.
  • Line 15. Defines OIDs section.
  • Line 16. Defines OID registered and used by Microsoft for marking certificate template extension.
  • Line 22. Defines alternative names of the server. Of course, we can use other than DNS prefixes.
  • Line 23. Defines the name of certificate Template, what is designed to use during signing the certificate. It is important to remember that we need to specify “Certificate Template Name”, as oposite to “Certificate Template Display Name”.

Rest of the file is standard body similar to every single config file designed for generation of requests.

Orchestrator 2012 R2 REST OIP Error: HTTP Version should be either 1.0 or 1.1

Today quick diagnosis of Tilte mentioned issue.
Let consider following scenario:

  1. Orchestrator 2012 R2 installed on Windows 2012 R2 server
  2. Imported Integration Pack for REST
  3. Regional Settings configured in way, where decimal separator is other then period (‘.’)
  4. “Invoke Rest Service” action parameters are configured according to the documentation with string value “1.0” or “1.1”

This is really common scenario in Poland, where traditional decimal separator is comma sign (‘,’).
That is exactly the cause of issue. We need to double check last point of scenario is correctly configured for the first time.
Now we should confirm the diagosis with following code snippet, what is powershell substitute of code within integration pack.

1
2
3
4
5
6
7
$result = 0;
$HTTPVersion = "1.1"
$status = [float]::TryDecode($HTTPVersion, [ref]$result);
if(($status -ne $true) -or ($HTTPVersion -ne "1.0") -or ($HTTPVersion -ne "1.1"))
{
"Return Error: HTTP Version should be either 1.0 or 1.1";
}

When decimal separator is not set to '.' in regional settings for service’s user account, then in line no. 3, there will be following true: $status == $false.
The solution is to set two registry values HKU\SID\Control Panel\International\sDecimal
and HKU\SID\Control Panel\International\sMonDecimalSep for the service account with exact SID to value

1
'.'

.
At the end, Orchestrator Runbook service should be restarted.

Originally I have described the case in russian technet forum reply.

How to remotelly trigger run advertisement on SCCM 2012 Client

Hello Everybody,

there is many questions on the web about remote invoking SCCM actions on the client via scripting.
Within official SCCM 2012 SDK, there is absolutelly nothing about such client actions. Within the 2007 version it is demonstrated, but with local script and invoking the CPAppletMgr in conjuction with UIResourceMgr COM object class. But configuration of DCOM for accepting remote request for this objects is at least tricky and useless because it is dummy to beleve this classes will not change in the future.
Most natural way for SCCM to do this is create apropriative WMI calls.
And here Microsoft makes new troubles for all of us, scripting guys – in new SCCM 2012 SDK is dry description of classes witin CCM namespace. But also absolutelly nothing as notes for using this.
Finally I have found brilliant tool: SMSCLICTR, what encapsulates all of settings within simple to use .NET assemblies. This can also be used within Powershell, but sometimes usage such external modules is prohibited.
So I have made own piece of code in Powershell for doing this manually.

  1. First of all I had to enforce current Machine policy refresh. I is done by following function:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    function ForceMachinePolicyRefresh
    {
    param($clientname, $username, $userpass, $PolicyID)
    $ms = new-object system.management.managementscope
    $ms.Path = "\\$clientname\root\CCM"
    $ms.options.username = $username
    $ms.options.password = $userpass
    $mc = new-object system.management.managementclass($ms, 'SMS_Client', $null)
    $mc.invokeMethod("TriggerSchedule", $PolicyID)
    return $mc
    }

    There are several things to explain within this code:

    • It connects to namespace with explicity manner, without any casting, because of credentials passing. This code can be invoked only remotelly, because setting $ms.options.username is supported only with remote connection.
    • It is general function for enforcing any scheduled action. So it can be used not only for Machine policy refresh, but also applying changes within localconfig, as you can see later.
    • Last thing connected with this small piece of code is fact it can be used as a base for manipulating any of published method within SMS_Client WMI class. Now the MS refrence from SDK can be helpfull.
  2. So, when we have this defined we can go further. Now the function for invoking exact advertisement of specified Package. Function takes all necessary arguments:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    function InvokeOptionalAdvertisement
    {
    Param($clientname, $username, $userpass, $advertID, $packID)
    $mc = ForceMachinePolicyRefresh -clientname $clientname -username $username -userpass $userpass -PolicyID "{00000000-0000-0000-0000-000000000021}"
    $ms = new-object system.management.managementscope
    $ms.path = "\\$clientname\root\ccm\policy\Machine\ActualConfig"
    $ms.options.username = $username
    $ms.options.userpass = $userpass
    $query =new-object System.Management.ObjectQuery
    $query.QueryString = "Select * From CCM_SoftwareDistribution where ADV_AdvertisementID = '$advertID' and PKG_PackageID = '$packID'"
    $searcher = new-object system.management.managementobjectsearcher($query)
    $searcher.Scope = $ms
    $advs = $searcher.Get
    $enum = $advs.GetEnumerator()
    $enum.MoveNext()
    $adv = $enum.Current
    $adv.SetPropertyValue("ADV_RepeatRunBehavior", "RerunAlways")
    $adv.SetPropertyValue("ADV_MandatoryAssignments", "True")
    $adv.Put()
    $query1 = new-object System.Management.ObjectQuery
    $query1.QueryString = "Select ScheduledMessageID FROM CCM_Scheduler_ScheduledMessageID like '" + $adv.ADV_AdvertisementID + "-" + $adv.PKG_PackageID + "%'"
    $searcher1 = new-object System.management.managementobjectsearcher($query1)
    $searcher1.scope = $ms
    $scheds = $searcher1.Get()
    $scheds | Foreach-Object { $mc[1].invokeMethod("TriggerSchedule", $_.ScheduledMessageID) }
    return $adv
    }

    So now a word of comment for this function:

    • On the beginning we invoke machine policy refresh with our previously defined function
    • Next we define new management scope with namespace of actual config, what is used by CCM.
    • After that we need the ObjectQuery instance for encapsulating correct WMI Query. This query select all CCM_SoftwareDistribution objects, what matches our conditions
    • by usage of searcher object we obtain all required object to $advs variable
    • trick with enumerator and him Current property gives us only one object, instead of containing it collection
    • now we do main Job. We modify two properties, what ensures that optional assigment is now mandatory and will run on next schedule of this Advertisement
    • last part of the script gets proper objects of schedulers for our Advertisement and Package.
    • finally we trigger the schedules and task sequence runs properly.

“The AD RMS installation could not determine the certificate hierarchy.” error during AD RMS Reinstall

There are rare situations, when you have to reinstall the RMS Cluster node. Most common case causing such need is unsuccessfull provisioning process. It usual fails because of really obvious things, such as already binded SSL certificate to Web Site in IIS. After unsuccessfull provisioning task, you have to uninstall whole AD RMS role and after the server restart you can try again with installation. Unfortunatelly sometimes there are the errors during uninstall too. This hidden errors causes subsequent issues during next attempt.
The error cited in post title has several different potential resons and solutions. Most of them is improper registry settings, which stayed after previous install. One thing, what you have to always remember, is that you have to check twice need of every registry change. Inproper registry edition can causes whole server operating system damage.
Namely described error can be caused by one of the following reasons:

  1. Wrong Service Connectin Point – it happens because of improper value in Active Directory container under following path CN=SCP, CN=RightManagementService, CN=Services, CN=Configuration, DC=domain, DC=lab, what point to nonexiting RMS Cluster service URL. More information about this cause you can obtain here. This reason is explicite mentioned in error message shown at the end of role installation wizard.
  2. Second possible issue is described in Application log entry with Log ID 204. This is because of lack of one value in the registry. The mentioned article provides procedure for recreation of missing registry values.
  3. If no of previous solutions helps, I found third one. You need to verify content of following registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS. If there is any value or key this can cause an error. You have to examine it and remove any value, which is pointing to non existing service URL. After this hive clean up, there should be only one value. This is the (default) one.

If your situation doesn’t follow any of described cases, please fell free to put me message in a comment.

Microsoft Enterprise CA doesn’t allow to publish templates V2 and V3

Under some circumstances after installation Windows Enterprise Operating System and configuration of AD Certification Services as Enterprise CA, the CA Services still doesn’t allow publication of certificate templates in versions higher than V1. This is because of misconfiguration of registry entries, which determines type of CA installation as Standard.
Okno Publikacji szablonu
The solution for this problem is proper setup of bit flag in the CA configuration. It can be done with following command:

1
certutil -setreg ca\setupstatus +512

After registry update, there is necessity of restart CA service.
More over, there is possibility of manual edition of the templates list, which is used by CA for certificates enrollment. It is possible by edition of attribute

1
certificateTemplates

in object

1
pKIEntrollmentService

. These objects are available under following path

1
CN=Internal Issuing CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contonso,DC=lab

Installing Service Pack 1 for Windows 2008 R2 by MDT 2010 U1 mechanizm

Today post is about why sometimes using manual can harm your things.
It is normal, that if you doesn’t know how invoke application in other way than simple double click on exe file, you call the command line
aplikacja.exe /? or aplikacja.exe /help
In the response we obtain in any form some information about command line switches handled by this program. Especially, we can obtain in this way information about advanced method of calling standalone windows operating system updates.
The Windows 2008 R2 Service Pack 1 installator responses with following:
Dialog window with help for Windows 2008 R2 Service Pack 1
For import process to Microsoft Deployment Toolkit, you have to unpack in any way the exe file to the Windows Standalone Update (msu or cab) files form. On the screen there is no such option.
But after several unsucessful tries I figured out that this command line:

1
 windows6.1-KB976932-X64.exe /extract

fires up exactly this extraction process without any error message. First simptom of right execution was dialog window with directory tree for choosing proper location for extracted files. There is also the cab file, what is necessary for update usage with MDT 2010 U1.

I am only curious, why Microsoft doesn’t add it to the help screen.

VMware ESX – failed to install Virtual Center Agent

The error, which this post is about, can have a variety of causes. I will focus on this, which I have encountered again only because i haven’t written about it before.
The error message usually suggests improper processing of the VC Agent RPM; however, it can also signify problems running the new vpx process. vCenter reports installation success only when it receives first heartbeat from the service. It is quite possible that the service fails to start, although

1
 service vmware-vpxa restart

is executed correctly. Similarly, causes suggested by

1
 /var/log/messages

can be wrong.
This time, the problem was incorrect certificate file format. Unfortunately, VMware doesn’t recognize standard and widely used PEM format, which is provided by most Certification Authorities. Instead, it uses its own version of PEM format. It is the so-called, text PEM representation. To create such, you need to issue the following command:

1
 openssl x509 -text -in /etc/vmware/ssl/rui.crt -out /etc/vmware/ssl/rui.crt

A chance for diagnosing this mistake is interpreting of a little known log file

1
 /var/log/vmware/vpxa.log

. After experiencing this situation, the vpx agent logs there a message about impossibility of certificate file interpretation.
I think that in this log file can be helpful in other problems with vpx agent, too.

Xcopy – “insufficient memory”

Popular copy commad do (for the first look) the same with one difference. It can’t handle copying recursive directories. For resolving this issue, microsoft has released newer version of this tool called Xcopy (eXtended Copy). The new one is present in Windows up to today and helps me in situation, which looks as hopeless (for example when the GUI copy methods fail). It has one serious issue. It raises error cited in post title. It is reported when copied file has absolute path (including the drive letter) longer than 254 characters. Because novadays file systems handles longer path, this factitiously small issue comes to really hard problem.
Solution is, of course, find an alternative tool what will have similar syntax. First shot was xxcopy what behaves similars, not exactly the same way. This one has failings too. Most important of them is fact that it requires license for some important features. Closer info can be obtained from program home site.

Tool what I suggest to all (happy 😉 ) Windows 7 Users and (not) happy users of Windows Vista is Robocopy. It is available for users of those systems as buildin one. Others can obtain it as part of resource kit. This tool, what name is derivied from “Robust File Copy”, is really powerfull during manipulation with huge number of files. Good description of it can be found in Wikipedia.