Author: Wesley

SQL Server 2016 Configuration Manager

Another issue we came across, cannot use the SQL Server Configuration Manager from a machine where SQL Server isn’t installed.
This is kind of sad knowing that MS is pushing administrators to connect remotely on servers and make use of remote tools.

In order to use the SQL Server Configuration Manager snap-in integrated in the Computer Management MMC, you need at least the “SQL Server 20xx Common files” component which is installed when you install the Database Engine feature. You can check this by verifying directly in the uninstall section of the registry for MSI installations.

Get-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*” | Sort-Object Displayname | Select-Object DisplayName, DisplayVersion

So, if you require the Configuration Manager, you need to install a local instance of the Database Engine because the standalone version of SQL Server Management Studio doesn’t give you this ability.

Diagnostic

I used Process Monitor from SysInternals to find out that when loading the compmgmt.msc window on a machine having SQL Server Database Enngine instance, it will load a specific DLL registered in the system. The ‘Computer Management’ snap-in will check if any extension has been registered for specific node types as defined here :
Computer Management Extensible Node Types
Here’s the flow :
First, it will read the extensions.
mRemoteNG_2017-03-15_15-19-24The MMC executable found an extension with the ID {EE7F2DDB-1319-4227-8FD4-4EB51615D34A} referenced as ‘SqlcmSnapin’.
The ID {476E6449-AAFF-11D0-B944-00C04FD8D5B0} is the unique ID for the Computer Management snap-in (CompMgmt.msc).
It will then check the unique ID of the snap-in in the dedicated registry path ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns’.
mRemoteNG_2017-03-15_15-20-46
This entry validates the snap-in and gives it a friendly name (SQL Server Configuration Manager). We also see a first reference to the file used by the snap-in (C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll).
The MMC now will check if the snap-in is correctly registered in the local machine’s classes using the UID (HKEY_CLASSES_ROOT\CLSID{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}).
mRemoteNG_2017-03-15_15-21-41
Again, the entry is found and we can see a second reference to the DLL.

Once the registry keys have been validated, it will try to load the files located in the SQL Server common installation path ‘C:\Program Files\Microsoft SQL Server\130\Tools\Binn\’.
First, the ‘SQLManager.dll’ file and then the different resources files.
mRemoteNG_2017-03-15_15-22-48
mRemoteNG_2017-03-15_15-23-45

Knowing this, it was just a question of registering the correct files on my machine to force the loading of the SQL Server Configuration Manager snap-in.
For the files themselves, you need to copy them from an existing SQL Server installation though.

Below is the Powershell script to automate this little configuration :

$myserver = ‘tst-s04’

$SQLInstallPath = ‘Program Files\Microsoft SQL Server\130\Tools\Binn’

# Copy the SQLmanager dll file
If ( -not (Test-Path -Path “C:\$SQLInstallPath\SqlManager.dll”) ) {
Copy-Item -Path “\\$myserver\c$\$SQLInstallPath\SqlManager.dll” -Destination “C:\$SQLInstallPath”
}
# Copy the Resources folder
If ( -not (Test-Path -Path “C:\$SQLInstallPath\Resources”) ) {
Copy-Item -Path “\\$myserver\c$\$SQLInstallPath\Resources” -Destination “C:\$SQLInstallPath” -Recurse
}

# Register the snap-in keys
#Extension
If ( -not ((Get-ItemProperty “HKLM:\SOFTWARE\Microsoft\MMC\NodeTypes\{476E6449-AAFF-11D0-B944-00C04FD8D5B0}\Extensions\NameSpace”).'{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’) -eq ‘SqlcmSnapin’ ) {
New-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\MMC\NodeTypes\{476E6449-AAFF-11D0-B944-00C04FD8D5B0}\Extensions\NameSpace” -Name ‘{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’ -Value ‘SqlcmSnapin’ -PropertyType String
}
# MMC
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’
If ( -not (Test-Path -Path $RegPath) ) {
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SqlcmSnapin’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘NameString’ -Value ‘SQL Server Configuration Manager’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘NameStringIndirect’ -Value ‘@C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll,-3’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘About’ -Value ‘{E84BEF4D-385C-4113-AE37-2795FE726A18}’
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes\{1D59FD70-D8B8-4425-B12B-72E32516A9E9}’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes\{B919722D-5ED6-44A2-A034-40C796E3E38E}’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\StandAlone’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
}

# SQL Manager Class
If (-not (Get-PSDrive -Name ‘HKCR’ -ErrorAction SilentlyContinue) ) { New-PSDrive -Name ‘HKCR’ -PSProvider Registry -Root ‘HKEY_CLASSES_ROOT’ | Out-Null }

$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’
If ( -not (Test-Path -Path $RegPath) ) {
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SqlcmSnapin Class’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\InprocServer32’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘ThreadingModel’ -Value ‘Apartment’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\ProgID’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SQLManager.SqlcmSnapin.5’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\VersionIndependentProgID’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SQLManager.SqlcmSnapin’
}

PowerPlan, WMI, GUI and Windows Server 2012

Howdy !

If you try to configure the power plan settings of your servers using DSC, you might come into the below issue if you are using one of the following resource : xPowerPlan or cPowerPlan. They both call WMI classname.

The WMI class ‘Win32_PowerPlan‘ of the namespace ‘root/cimv2/power’ is only available when using a FULL GUI Windows Server 2012 (R2). If you switch to CORE flavor, the classname becomes inaccessible.

At the moment you are using a Core only OS, this classname doesn’t works anymore under Windows 2012 and 2012 R2 except for Windows 2016 Core.

You can quickly check the falvor of your OS with the following cmdlets :

$Computer = ‘yourMachine’
$sb = {
Get-ItemProperty ‘HKLM:\Software\Microsoft\Windows NT\CurrentVersion’ -Name Productname | Select -expa ProductName
Get-Item ‘HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels’ | ft -AutoSize
}

icm -ScriptBlock $sb -ComputerName $Computer

Cheers,
MW

PowerShell DSC Encryption issue

Context

While working on a new setup, we had to deploy some binaries on a server using DSC.

To make the process scale for many machines, we created a network share to host the binaries in order to centralize the access. In the DSC world, this meant we had 2 options :

1- Add the computer account of each machine accessing the share in the permissions of the share.

2- Use the encryption feature in DSC (define an account in the MOF in order to access the share)

During the testing phase, everything went well. The configuration was as is :
Authoring machine : Windows 10, Powershell 5.1.14393.693
Target machine : Server 2016, Powershell 5.1.14393.0

Issue

We then deployed the configuration on a Windows Server 2012 R2 and the LCM kept getting in error, throwing the message “Decryption failed. LCM failed to start desired state configuration manually.”
powershell_2017-01-19_10-00-07

Digging a little deeper in the ‘Microsoft-Windows-Desired State Configuration/Operational’ event log, just before the “Decryption failed” error, another error was caught :
“Message Invalid provider type specified.”mremoteng_2017-01-19_10-23-16

With the help of the Internet and some querying, I was able to “decrypt” our issue. I began by reading this nice article :
https://hyper-v.nu/archives/bgelens/2015/02/integrating-vm-role-with-desired-state-configuration-part-7-creating-a-configuration-document-with-encrypted-content/
Which led me to review the certificate we used for the DSC encryption.

The initial setup was using a CA issued custom certificate we created following Microsoft’s recommendation stated here :
https://msdn.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements
firefox_2017-01-19_10-31-36
And since we wanted to follow the MS’ Best practices, we configured our certificate template using the provider ‘Microsoft RSA SChannel Cryptographic Provider’.

Solution

The caveat with this configuration is that Windows Server 2012 R2 doesn’t know how to decrypt anything using the ‘Microsoft RSA SChannel Cryptographic Provider‘. Even if you deploy WMF 5.1 Preview, it won’t help.
If you use the Self-Signed certificate generator script, it will work flawlessly because it actually uses the legacy provider named ‘Legacy Cryptographic Service Provider‘.

Either you create a certificate template using the Provider category ‘Legacy Cryptographic Service Provider’ thus not following Microsoft’s certificate requirements or you use only self-signed certificate using the custom script or you upgrade your OS to Windows 2016.

Regards,
MW

SharePoint 2013, AlwaysOn, Availability group and SQL alias

Bonjour,

I had a story at my company where I had to migrate the SharePoint databases to a fresh AlwaysOn Availability Group (AOAG) SQL Instance. This move wasn’t an issue until we found out that our backup script (which is performing a “Backup-SPFarm” cmdlet) failed to re-provision the User Profile Synchronization (UPS) Service.

Context

The issue all came down from the fact that the UPS database was now configured with the AlwaysOn feature, therefore, any operations to the DB couldn’t occur anymore.

The error message in the ULS was :

SqlError: ‘The operation cannot be performed on database “UserProfile-Sync-DB” because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group.’    Source: ‘.Net SqlClient Data Provider’ Number: 1468 State: 1 Class: 16 Procedure: ” LineNumber: 5 Server: ‘AG Listener Name’

When the move to the new AlwaysOn SQL server happened, the operation went pretty smoothly since we are using SQL alias. We only updated our current alias name to redirect to the new SQL instance.

Updated configuration :
SQLAlias-AG-01

After some research, we found out that this is a “internet” known issue and can also occur on the Usage and Health database when performing patching of SharePoint farms.

Hence, we decided to modify the configuration and implement a better integration between SharePoint and AlwaysOn by using the SharePoint Database Availability Group cmdets. It will give us the flexibility to manage the databases in the AOAG directly from SharePoint.

In this initial setup, SharePoint isn’t aware of the AlwaysOn service running beneath it. It only sees the SQL Alias and has no way to know which SQL server is running behind the SQL Alias ; it is a regular connection string.

By explicitly declaring to SharePoint that the databases are hosted by a HADR system, SharePoint Admins keep some visibility and control over the AOAG.

Availability Group Listener (AGL) and port attribution

When your AGL is configured to use the default port (1433) and you don’t use SQL alias, you will surely have no issue when configuring your environment.
The troubles arises when you use SQL alias or have a custom port defined for the AGL, let’s say 25066 for the example.

  • When using a SQL alias (redirecting to the AGL), SharePoint will fail retrieving the “Availability Group listeners”.
    SQLAlias-AG-02
  • When using a custom port for the AGL, SharePoint will check the database server by using a trimmed version of the data source.
    SQLAlias-AG-03
SQL Alias

You can use SQL Alias with Availability Group Listener as long as the SQL alias uses the same DNS entry as the AGL.

Availability Group Custom Port

You must use a SQL Alias to bypass the SharePoint port validation.

Solution (for both scenarios)

In both cases, you must use a SQL alias that mirrors the AGL dns name. For example, if your AGL is “AGListener” on port 25066.
SQLAlias-AG-05

Some in-depth details :

I was able to pinpoint this issue by decompiling the SharePoint assembly and verify the logic behind the powershell cmdlets. I found the root issue in the “UpdateDataSource” method of the Database object.
SQLAlias-AG-04
When trimming the datasource from its port, it then sends the port-less server string to the method “ChangeDatabaseInstance” which itself calls “ValidateDatabaseServer”.
At this point, it won’t be able to validate the connection to the SQL server because of the modified server string.

Cheers !
MW

PS: I wasn’t able to find anything on the web regarding this particular issue except 1 slide that confirmed my troubleshooting.
Ref: http://blogs.technet.com/b/fromthefield/archive/2015/04/23/sharepoint-2013-amp-sql-alwayson-sharepoint-evolution-conference-2015.aspx – Slide 30

Quickly reset Firefox’s certificate store and exceptions

Hey there,

A quick PowerShell function to reset the certificate store and certificate exceptions for all firefox profiles. Can be handy in organisations when performing tests with certificate configuration and firefox.

shack/Reset-MAKFirefoxCertificateSettings.ps1


Function Reset-MAKFirefoxCertificateSettings{
# Certificate DB and exceptions reset
If(Get-Process -Name "firefox" -ErrorAction SilentlyContinue){Stop-Process -Name "firefox"}
Get-ChildItem -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "cert8.db","cert_override.txt" | ForEach-Object {
If(Get-ChildItem -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "$($_.Name).old" -ErrorAction SilentlyContinue){
Remove-Item -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "$($_.Name).old"
}
Rename-Item -Path $_ -NewName "$($_.Name).old"
}
}

Read-Host -Prompt "Press a key to continue and reset the Firefox settings."
Reset-MAKFirefoxCertificateSettings

Quickly generate PFX files for the Central Certificate Store from a SAN certificate

  • Define location of the certificate.
     $CertPath = 'C:\MyDisks\Certificates\MyCDN.mydomain.org.pfx' 
  • Load the certificate
     $Cert = Get-PfxCertificate -FilePath $CertPath

    [Enter the password in the credential prompt]
    OR

     $Pass = ConvertTo-SecureString -String 'TheSecurePasswordOfCertificate' -AsPlainText -Force
    [System.Security.Cryptography.X509Certificates.X509Certificate]::new($CertPath,$Pass) 
  • Generate the files using the DNS Names of the certificate
     $Cert.DnsNameList | %{Copy-Item -Path $CertPath -Destination C:\MyDisks\TMP\$($_.unicode).pfx} 

ULS Viewer crashes when viewing SharePoint 2013 logs

Hello there,

A quick tip for those who encountered the ULS viewer crash with SharePoint 2013 as my colleagues and me.

Scenario

  • SharePoint 2013
  • ULS viewer

Issue

When opening a SharePoint log containing “verbose” logging with ULS viewer, this one crashes after processing all the data. This makes the tool unusable at some extent.
This issue doesn’t appear if you don’t set the logging level to at least “Verbose“.

Fix

Although I don’t know what is going on in the background, the quick fix for this is to disable in the option the feature “correlation tree”.

  1. Open Uls Viewer
  2. Go in menu “Tools/Options…”
  3. Uncheck the option “Enable correlation tree”
    ULSViewer-crashes

 

 

 

 

 

 

 

 

Happy troubleshooting !

Office Web Apps Server unhealthy status

Hi,

While deploying OWAS in our environment, we came across the “unhealthy” status of the machines in the farm issue. While we reviewed all the possible configuration options and search the Internet for an unknown factor that could explain this behavior, we remained clueless.
Although you can find very good article regarding the configuration and common issues with OWAS, this specific one isn’t documented anywhere.

Scenario

  • Windows Server 2012 MSI
  • Office Web Apps Server 2013
  • 2 different URLs for the internal and external  OWAS access
  • Dedicated CNAME records for the URLs (Server’s FQDN isn’t used as the main OWAS URL)

Quick note for the configuration, I highly recommend you check out Wictor Wilén’s blog for very interesting explanation of OWAS mechanics. I also underline his blog for the reason that we initially had the issue of the certificate not including the server’s FQDN which created the static unhealthy report (see Machine are always reported as Unhealthy).

The culprit

S0, even with a correctly configured OWAS farm, the machines will kept being flagged as “Unhealthy”. What I found out is that I modified one setting from its original state : Log Verbosity. By our standard, we usually set them at “unexpected” (for SharePoint and OWAS) in order to save disk space and mitigate disk IOPS. If you check attentively a default OWAS farm, this setting will be set at … nothing. The value is actually empty.
Get-OfficeWebAppsFarm
OWAS-LogVerbosity

 

After some testing, I found out that the least level of verbosity to get Healthy machines must be Medium.

With the culprit found and knowing how to fix it, I digged a little more to understand.
By looking in the OWAS folder installation located in drive:\Program Files\Microsoft Office Web Apps, a file named “uls.config.dynamic.xml” is stored in the subfolder AgentManager. From my understanding, this file is the template used by OWAS each time it starts to configure the current logging setting and save a copy of the configuration in drive:\ProgramData\Microsoft\OfficeWebApps\Data\local\ULSConfig.
You can easily validate this fact by changing the log verbosity (E.g.:Set-OfficeWebAppsFarm -LogVerbosity 'Unexpected') of the farm and review the changes within the template file.

The workaround

First of all, keep in mind this is not an official fix and am not responsible of any issues it could create.

2 possible workarounds :
1/Reset the log verbosity of the farm to either “Medium” or nothing
2/ In order to have the machines in a healthy state while having “Unexpected” log verbosity, you must change the log configuration template file.

  • Make sure your farm’s logging level is set at its default value which is literally nothing.
    Set-OfficeWebAppsFarm -LogVerbosity ''
    
  • Restart the service so that changes are applied
    Restart-Service WACSM
    
  • Make a copy (for backup purpose) and then open the file located here : `drive:\Program Files\Microsoft Office Web Apps\AgentManager\uls.config.dynamic.xml`.
  • Find and replace all entities of “Medium” by “Unexpected”.
    This will change the ULS tracing level from the Out-Of-The-Box “Medium” to “Unexpected”
  • Find the category “**Uls Controller Watchdog**” under the “Services Infrastructure” area.
    Set the “**TraceThreshold**” option to “Medium”

    <Category Name="Uls Controller Watchdog" TraceThreshold="Medium" EventThreshold="Verbose" />
    
  • Restart the OWAS service
    Restart-Service WACSM
    
  • Be patient. The watchdog processes may take 5 to 10 minutes before changing the state. Here’s a quick one-liner :
    While((Get-OfficeWebAppsMachine)[0].healthStatus -eq 'Unhealthy'){write-host '.' -NoNewline;Start-Sleep -Seconds 30}
    

Ironically, the TechNet article states this about the log verbosity (under the LogVerbosity Parameter) :

 Leaving the LogVerbosity at a low level for a long time will adversely affect performance.

Knowing that, for healthy servers report,  the highest  level you can set is “Medium”, just one level above “Verbose” which is kind of awkward.

ULS Error message related to this bug

We're about to trace a string for category MsoSpUlsControllerWatchdog at level Info and we expect to find in the log later, but it appears that the category has been throttled. We will never be able to find the string and this watchdog will always fail.

Health report by UlsControllerWatchdog: Agent: UlsController, eventId: 1204, eventType: Error, categoryId: 1, eventMessage: &lt;?xml version="1.0" encoding="utf-16"?&gt;  &lt;HealthReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;    &lt;HealthMessage&gt;UlsControllerWatchdog reported status for UlsController in category 'Verify Trace Logging'. Reported status: Could not find trace string in ULS logs in C:\SPDisks\Logs\ULS.&lt;/HealthMessage&gt;    &lt;ComponentOwner&gt;ServicesInfrastructure&lt;/ComponentOwner&gt;  &lt;/HealthReport&gt;

PowerPivot thumbnails requires Windows Server 2012 GUI

Hello,

We found out a small issue with PowerPivot 2012 and SharePoint 2013 this week.

You may be aware that the PowerPivot for SharePoint is able to create snapshots/thumbnail previews of your document which is then used to display a nice little image in the carrousel view.
This fancy little feature is generated under the hood by an executable located in the bin folder of the SharePoint installation folder (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\bin).

While it works well under common context, it will fail in a particular scenario. I won’t give you all the different ways to troubleshoot this as Internet already as a ton of article around it but here’s one that is very useful :
http://blogs.technet.com/b/excel_services__powerpivot_for_sharepoint_support_blog/archive/2012/12/06/invoking-and-analyzing-the-getsnapshot-exe.aspx

Our scenario is as follow :

  • The server hosting SharePoint and Powerpivot is running Windows 2012
  • Windows Server 2012 is configured using MSI (Minimal Server Interface)

In this particular case, the “GallerySnapshot.exe” will crashes when processing the document.

 

 

 

 

If you look in the “info” file generated, you quickly find out that there is nothing relevant to help you. Here’s the content of the log file :
“<SnapshotCaptureLog serverUrl=”http://<webapp name>” workbookUrl=”http://<site url>/SharePoint/PpowerPivot/Book1.xlsx” fileNameBase=”thumbnail” snapshotCount=”26″ timeout=”600″ />”. That’s it ! Nothing else.

In the “GallerySnapshot.exe has stopped working” error window details, we can see a small hint of what’s going on : “Problem Signature 04: System.Windows.Forms”.

I performed the same exercise on a different server with the same result. I then intalled the windows feature Server Graphical Shell (Install-WindowsFeature Server-Gui-Shell) and restarted the server.

Once rebooted, running the GallerySnapshot.exe again with the same arguments went successfully.

To sum-up, if you require the file preview in a PowerPivot Gallery, you will necessarily have to configure your servers with at least the Graphical User Interface. Let’s hope Microsoft will remove this pre-requisite in a future cumulative update or service pack but until then, forget Windows Server 2012 MSI !

Sad, sad, sad.