myITforum.com


Richard's myITforum Blog

“After working at Microsoft for 5 years, I became the go-to-guy on various technologies and felt my focus shifting from SCCM. In my new role at SCCM Expert, I get to solely focus on SCCM 2007,” said Richard Dixon, Sr. Solutions Architect, SCCM Expert.

January 2009 - Posts

  • The Most Secure Way to Provision SCUP Certificates for Client Machines and the WSUS/SCUP Server

    Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.

    Supporting Article: http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853

    Note which certificate type SCUP will accept: when you configure the certificate under Settings in the SCUP console, SCUP only accepts .PFX (Personal Information Exchange) certificates, so .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS, as the above article mentions, you have to export it to a .PFX file before SCUP will accept and use it.

    Since this wasn't mentioned in the documentation, or I can't find it, I, members of my team, and I'm sure others, were exporting the .CER type certificate, which does not work and is not accepted by the SCUP product.

    So what should be known and what I've discovered is the following:

    You must use a .PFX (Personal Information Exchange) certificate when importing a cert into SCUP under the Settings option. Because a .PFX cert holds both the Public and Private Key, you do not want to deploy this type of certificate on client machines. This would be like giving out your login ID and password to everyone who gets the certificate.

    What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.

    So I would see the steps as follows:

    On the WSUS/SCUP Server

    Step 1. Click Start -> Run -> MMC

    Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

    Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

    Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates

    Step 5. Find the certificate you created for use with WSUS/SCUP, or find the self-signing certificate automatically created by SCUP. Right-click it -> All Tasks -> Export. Must be a .PFX certificate.

    Note and remember: A .PFX Personal Information Exchange certificate holds the Public and Private Key. So 1. you don't want to deploy this type of certificate on client desktop computers, and 2. you do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities stores. The .CER type certificate will work just fine and does not have the Private Key associated with it.

    Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.

    Note: Base-64 encoded X.509 (.CER) is the highest encryption method that you can export to a (.CER) certificate.

    For Provisioning the Certificate on the WSUS/SCUP server.

    Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certification Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Now you have only the Public Key in the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.

    Note: Whether you import your own .PFX cert or use the self-signing cert SCUP creates in the WSUS\Certificate store, you now only have the Public Key for this cert in one location on the WSUS/SCUP server. This is the most secure way of configuring the SCUP certificate.

    Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines. Or you can use Group Policy to deploy the cert.cer to client machines.
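
    Steps 4 through 8 can also be scripted. The following is an added example, not part of the original post or of SCUP itself; the thumbprint parameter and the output path are placeholders you supply. It exports only the public certificate, refuses to continue if the exported file carries a private key, and lists what ended up in each trusted store.

```powershell
# Added example (not from the original post). Run elevated on the WSUS/SCUP server.
# $Thumbprint and $CerPath are placeholders: supply your own values.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$CerPath = 'C:\Temp\scup-signing.cer'
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# Steps 4-5: find the signing certificate in the Local Computer "WSUS" store.
$wsus = New-Object "$X509.X509Store" 'WSUS', 'LocalMachine'
$wsus.Open('ReadOnly')
$signing = $wsus.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$wsus.Close()
if (-not $signing) { throw "Thumbprint $Thumbprint not found in the WSUS store." }

# Step 6: export only the certificate (no private key) as Base-64 X.509.
# ContentType 'Cert' is the DER certificate; Base-64 is a text encoding of it.
$der = $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $CerPath -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Reload from the file so the object that gets imported cannot reference the key.
$public = New-Object "$X509.X509Certificate2" $CerPath
if ($public.HasPrivateKey) { throw "$CerPath carries a private key; do not deploy it." }

# Steps 7-8: import into Trusted Publishers and Trusted Root, then audit the result.
foreach ($name in 'TrustedPublisher', 'Root') {
    $store = New-Object "$X509.X509Store" $name, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($public)
    $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $name } }, Subject, HasPrivateKey
    $store.Close()
}
```

    HasPrivateKey should read False in both stores; the file at $CerPath is the one to hand to Group Policy for Step 9.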

  • Resolution: Workaround to Error: 2912 No more threads can be created in the system (0x800700A4) in SCVMM

    I am posting a workaround for an issue I found and noticed other people running into. So far I have not seen or found a root cause or a fix. But this workaround is the best I have discovered, and better than rebooting the Hyper V host to resolve the issue.

    Link to the Article on Tech Net:
    URL: http://social.technet.microsoft.com/forums/en-US/virtualmachinemanager/thread/ac48fd59-3de9-4191-8466-25bedee3f5b1

    Workaround:
    Though I have not found the root cause, I did find something of a workaround that quickly brings the Hyper V host back to a functional state.

    When I see this error:

    Error (2912)
    An internal error has occurred trying to contact an agent on the servername.domain.com server.
    (No more threads can be created in the system (0x800700A4))
    Recommended Action
    Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent.

    I go to Services and restart the "Windows Management Instrumentation" service. Restarting this service also restarts the following services (if they are on your server):

    • Hyper V Virtual Machine Management
    • Virtual Machine Manager Agent
    • Hyper-V Image Management Service
    • Hyper-V Networking Management Service
    • IP Helper
    • EMC PowerPath Service 5.1.2
    • SMS Agent Host

    Because of the type of services that are also restarted, if the Hyper V host is in production I would suggest doing this with caution and sending a user awareness notification for the temporary outage. The outage is small, though, depending on how long it takes for certain services to start.

    Because the Hyper-V Image Management Service is restarted, users will not be able to remote control a virtual machine, or may be kicked off their VM remote control session. And if you are doing this while connected to the Hyper V host server over TS, you may lose TS connectivity momentarily.
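
    To see exactly which services the restart will interrupt on a given host before doing it, and to confirm they all came back afterwards, the workaround can be scripted. This is an added example, not part of the original post; it uses only the built-in service cmdlets and the WMI service name Winmgmt.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
$ErrorActionPreference = 'Stop'
$wmi = Get-Service -Name Winmgmt

# Every service that depends on WMI and is running now will be stopped by the restart.
$affected = @($wmi.DependentServices | Where-Object { $_.Status -eq 'Running' })
"Restarting WMI will interrupt $($affected.Count) running service(s):"
$affected | Sort-Object DisplayName | Format-Table Name, DisplayName -AutoSize

# -Force is required because Winmgmt has running dependents; -Confirm asks before acting.
Restart-Service -Name Winmgmt -Force -Confirm

# Bring back anything that was running before and did not come back on its own.
foreach ($svc in $affected) {
    $svc.Refresh()
    if ($svc.Status -ne 'Running') {
        try { Start-Service -Name $svc.Name }
        catch { Write-Warning "Could not start $($svc.Name): $_" }
    }
}
$affected | ForEach-Object { $_.Refresh(); $_ } | Format-Table Name, Status -AutoSize
```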

     

     

  • Solution to: HyperV unstable vmms service crashes periodically

    Problem Statement:

    I am getting an error that is causing the hyperV to be unstable. I have 3 hyperV servers in my test env, running about 45 clients. All 3 are reporting this error at some point through the day. This often means that I need to restart the service hyperV Virtual Machine manager, and obviously during that time the SCVMM server (which is a VM client within these 3) loses contact until the service is restarted.

     

    Article and Solution: http://social.technet.microsoft.com/Forums/en-US/virtualmachingmgrhyperv/thread/02adb29a-c3b8-41c5-80fc-99e6a67d39fc 

     

    Answer:

    The problem is a known bug and is fixed in Windows 2008 SP2.
    The problem is due to having a virtual machine configured with a SCSI adapter that does not have a drive attached to it. I had virtual machines with this configuration. Since removing the unused SCSI adapter, my Hyper V service does not stop and restart.
    So go through each VM and remove any SCSI adapters that do not have a drive associated with them.
    Hope this helps you guys.
    Thanks

