Sunday, January 31, 2016

Attempting to install Skype for Business Server 2015 KB3061064 fails with: “There were errors during the installation process. For details, see the log file at C:\SfB KB3061064 Update\Skype_patchinstallerlog--[2016-01-31][16-22-02].txt”

Problem

You’ve downloaded the Skype for Business Server 2015 KB3061064 installer from:

https://support.microsoft.com/en-us/kb/3061064

… but noticed that the update installer successfully installs all the updates aside from:

3097645 Update for Skype for Business Server 2015 6.0.9319.102

The error presented reads:

Skype for Business Server 2015 Update Installer

There were errors during the installation process. For details, see the log file at C:\SfB KB3061064 Update\Skype_patchinstallerlog-<serverName>-[2016-01-31][16-22-02].txt

Opening the Skype_patchinstallerlog-<serverName>-[2016-01-31][16-22-02].txt displays the following error:

[1/31/2016 4:30:05 PM] ERROR 1603: Server.msp had errors installing.

Solution

As shown in the log file above, the error message doesn’t really provide much information as to why the item in the patch failed.  The next troubleshooting step in this case is to review the Skype for Business Server 2015 Deployment Log, which is usually an HTML file found in the following directory:

%userprofile%\AppData\Local\Temp

The log we are interested in is the HTML file that was last written:

image

Launching this log in this case revealed that my C drive had less than 32 GB free, which was the minimum requirement for patching the server:

Error: An error occurred: "Microsoft.Rtc.Management.Deployment.DeploymentException" "Install-CsDatabase was unable to find suitable drives for storing the database files. This is often due to insufficient disk space; typically you should have at least 32 GB of free space before attempting to create databases. However, there are other possible reasons why this command could have failed. For more information, see http://go.microsoft.com/fwlink/?LinkId=511023"

Simply increasing the size of the C drive so that it has 32 GB free will allow the patch to install.

Saturday, January 30, 2016

Unable to manage NetScaler administration console with Active Directory account

Problem

You’ve configured the requirements to allow Active Directory accounts to log into your NetScaler appliance and, while authentication appears to work and allows you to log into the administration console, you are presented with the following message:

2 error(s) encountered.
Not authorized to execute this command [show ns license]
Not authorized to execute this command [show ns features]

Clicking OK displays a page with no information populated and you are unable to administer the appliance.

Solution

I’ve received quite a few calls from colleagues and clients about this error and what I’ve noticed is that it is caused by missed configuration the majority of the time.  One of the commonly missed configurations is forgetting to fill in the following two settings under the Other Settings section:

  • Group Attribute
  • Sub Attribute Name

The correct settings are as follows:

Group Attribute – memberOf

Sub Attribute Name – cn

If these settings do not correct the issue, please refer to my previous post to double check whether something else was missed:

Configure NetScaler Appliance to allow administration with Active Directory accounts
http://terenceluk.blogspot.com/2015/06/configure-netscaler-appliance-to-allow.html

Friday, January 29, 2016

Attempting to migrate a mailbox from Exchange 2007 Server to 2013 throws the error: “Error: MigrationPermanentException: Active Directory property ‎'homeMDB‎' is not writeable on recipient”

Problem

You attempt to migrate a mailbox from Exchange 2007 Server to Exchange 2013 Server through the Exchange Server 2013 administrative console but the move fails with:

Data migrated:
Migration rate:
Error: MigrationPermanentException: Active Directory property ‎'homeMDB‎' is not writeable on recipient ‎'domain.com/Disabled Accounts/Rewan, Sheena‎'. --> Active Directory property ‎'homeMDB‎' is not writeable on recipient ‎'domain.com/Disabled Accounts/Rewan, Sheena‎'.
Report: srewan@domain.bm Download the report for this user
Last successful sync date:
Status: 
Queued duration:
In-progress duration:
Synced duration:
Stalled duration:

Solution

I find the most probable cause of this error when attempting to migrate a mailbox is Inheritance being turned off for the user object’s security permissions.  Proceed to open the user account’s security properties and ensure Inheritance is enabled:

image

image

image

Wednesday, January 27, 2016

Using a CSV list to create Active Directory contacts

I’ve recently been asked to convert a set of contacts exported from Outlook as a CSV file into Active Directory contacts. This was the first time I’ve had to do something like this and this exercise made me realize that Outlook contacts actually have many more fields available than Active Directory contacts, so if anyone is about to embark on this task, note that there are going to be many fields that you will not be able to bring into Active Directory.

The way I approached this was to begin by determining what fields were available for Active Directory contacts. This can be easily determined by reviewing the tabs and fields of an Active Directory contact in Active Directory Users and Computers:

image

From here, the next step is to determine which fields in the Contact object map to the ones that we will import via a CSV file. To do this, I executed the following csvde command to export existing contacts from AD to review the fields:

csvde -f exportContacts.csv -d OU=Contacts,DC=domain,DC=com

Opening up this CSV file will list the following available attributes:

  • DN
  • objectClass
  • ou
  • distinguishedName
  • instanceType
  • whenCreated
  • whenChanged
  • uSNCreated
  • uSNChanged
  • name
  • objectGUID
  • objectCategory
  • dSCorePropagationData
  • cn
  • sn
  • givenName
  • displayName
  • memberOf
  • proxyAddresses
  • targetAddress
  • mailNickname
  • internetEncoding
  • countryCode
  • legacyExchangeDN
  • textEncodedORAddress
  • mail
  • msExchHideFromAddressLists
  • msExchPoliciesIncluded
  • msExchRecipientDisplayType
  • msExchVersion
  • showInAddressBook
  • msExchUMDtmfMap
  • altRecipientBL
  • initials
  • company
  • mAPIRecipient
  • msExchALObjectVersion
  • telephoneNumber
  • homeMTA
  • extensionData
  • homeMDB
  • garbageCollPeriod
  • mDBUseDefaults
  • userAccountControl
  • codePage
  • pwdLastSet
  • primaryGroupID
  • objectSid
  • accountExpires
  • sAMAccountName
  • sAMAccountType
  • userPrincipalName
  • ipPhone
  • lastLogonTimestamp
  • msExchHomeServerName
  • msExchMailboxSecurityDescriptor
  • msExchUserAccountControl
  • msExchMailboxGuid
  • msExchPoliciesExcluded
  • msExchMDBRulesQuota
  • msExchUserCulture
  • msExchRecipientTypeDetails
  • altRecipient
  • badPwdCount
  • badPasswordTime
  • lastLogoff
  • lastLogon
  • logonCount
  • lockoutTime
  • deliverAndRedirect
  • msDS-SupportedEncryptionTypes

Opening up a CSV file that was created from exporting Outlook contacts will display the following attributes:

  • Title
  • First Name
  • Middle Name
  • Last Name
  • Suffix
  • Company
  • Department
  • Job Title
  • Business Street
  • Business Street 2
  • Business Street 3
  • Business City
  • Business State
  • Business Postal Code
  • Business Country/Region
  • Home Street
  • Home Street 2
  • Home Street 3
  • Home City
  • Home State
  • Home Postal Code
  • Home Country/Region
  • Other Street
  • Other Street 2
  • Other Street 3
  • Other City
  • Other State
  • Other Postal Code
  • Other Country/Region
  • Assistant's Phone
  • Business Fax
  • Business Phone
  • Business Phone 2
  • Callback
  • Car Phone
  • Company Main Phone
  • Home Fax
  • Home Phone
  • Home Phone 2
  • ISDN
  • Mobile Phone
  • Other Fax
  • Other Phone
  • Pager
  • Primary Phone
  • Radio Phone
  • TTY/TDD Phone
  • Telex
  • Account
  • Anniversary
  • Assistant's Name
  • Billing Information
  • Birthday
  • Business Address
  • PO Box
  • Categories
  • Children
  • Directory Server
  • E-mail Address
  • E-mail Type
  • E-mail Display Name
  • E-mail 2 Address
  • E-mail 2 Type
  • E-mail 2 Display Name
  • E-mail 3 Address
  • E-mail 3 Type
  • E-mail 3 Display Name
  • Gender
  • Government ID Number
  • Hobby
  • Home Address PO Box
  • Initials
  • Internet
  • Free Busy
  • Keywords
  • Language
  • Location
  • Manager's Name
  • Mileage
  • Notes
  • Office Location
  • Organizational ID Number
  • Other Address PO Box
  • Priority
  • Private Profession
  • Referred By
  • Sensitivity
  • Spouse
  • User 1
  • User 2
  • User 3
  • User 4
  • Web Page

**Notice how many more attributes are available for an Outlook contact, so if you are to convert these into AD contacts then you will need to determine where to put the additional information.

I’ve created the following table that shows which AD attribute maps to which field:

 

| AD Attribute | Value |
| --- | --- |
| DN | CN=First name Initia. Last name,OU=Test,OU=Contacts,DC=domain,DC=com |
| objectClass | contact |
| ou | |
| distinguishedName | CN=First name Initia. Last name,OU=Test,OU=Contacts,DC=domain,DC=com |
| instanceType | 4 |
| whenCreated | 20160110232419.0Z |
| whenChanged | 20160110232548.0Z |
| uSNCreated | 53027203 |
| uSNChanged | 53027234 |
| name | First name Initia. Last name |
| objectGUID | X'01709c730e93d24db092bac6744cda3c' |
| objectCategory | CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com |
| cn | First name Initia. Last name |
| sn | Last name |
| c | BM |
| l | City Address |
| st | State/province Address |
| title | Job Title |
| description | Description |
| postalCode | Zip/Postal Code Address |
| postOfficeBox | P.O. Box Address |
| physicalDeliveryOfficeName | Office |
| telephoneNumber | Telephone Number General |
| facsimileTelephoneNumber | Fax |
| givenName | First name |
| initials | Initia |
| displayName | Display name |
| info | Notes |
| co | Bermuda |
| department | Department |
| company | Company |
| streetAddress | Street |
| wWWHomePage | Web Page |
| countryCode | 60 |
| ipPhone | IP phone |
| mail | E-mail General |
| homePhone | Home |
| mobile | Mobile |
| pager | Pager |

With the above information, simply create a spreadsheet with the AD attribute as the column headings, fill in the appropriate values for the contacts, save it as a CSV file then use the csvde command below to import and create the AD contacts:

csvde -i -f c:\ContactsImport.csv
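
One way to script the spreadsheet step above, shown as an added example that is not part of the original post: it converts an Outlook CSV export into a file for the csvde import, escaping DN-special characters in names (such as the comma in "Doe, Jr.") and skipping rows that would produce an empty or duplicate DN. The pairing of Outlook columns with AD attributes, the target_ou parameter and the sample rows are assumptions of this example.

```python
import csv
import io

# Assumed pairing of Outlook export columns (left) with AD contact
# attributes (right); both sets of names are listed on this page.
OUTLOOK_TO_AD = {
    "First Name": "givenName", "Initials": "initials", "Last Name": "sn",
    "Company": "company", "Department": "department", "Job Title": "title",
    "Business Street": "streetAddress", "Business City": "l",
    "Business State": "st", "Business Postal Code": "postalCode",
    "Business Phone": "telephoneNumber",
    "Business Fax": "facsimileTelephoneNumber",
    "Home Phone": "homePhone", "Mobile Phone": "mobile", "Pager": "pager",
    "E-mail Address": "mail", "Web Page": "wWWHomePage", "Notes": "info",
}

# Constructed sample of an Outlook export (only a few of its columns).
SAMPLE_OUTLOOK_CSV = """First Name,Last Name,Company,E-mail Address,Business Phone
Alex,Example,Contoso,alex@example.com,555-0100
Sam,"Doe, Jr.",Fabrikam,sam@example.com,555-0101
,,Orphan Co,nobody@example.com,
Alex,Example,Contoso,alex2@example.com,555-0102
"""


def escape_rdn_value(value):
    """Escape a value for use inside a DN component (RFC 4514 rules)."""
    value = value.strip()
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped.startswith("#"):
        escaped = "\\" + escaped
    return escaped


def outlook_to_csvde(outlook_csv_text, target_ou):
    """Return (csvde_csv_text, skipped) where skipped lists (line, reason)."""
    reader = csv.DictReader(io.StringIO(outlook_csv_text))
    columns = ["DN", "objectClass", "displayName"] + list(OUTLOOK_TO_AD.values())
    rows, skipped, seen = [], [], set()
    for rec in reader:
        first = (rec.get("First Name") or "").strip()
        last = (rec.get("Last Name") or "").strip()
        cn = " ".join(part for part in (first, last) if part)
        if not cn:
            skipped.append((reader.line_num, "no name"))
            continue
        dn = "CN=%s,%s" % (escape_rdn_value(cn), target_ou)
        if dn.lower() in seen:  # DNs are compared case-insensitively here
            skipped.append((reader.line_num, "duplicate DN"))
            continue
        seen.add(dn.lower())
        row = {"DN": dn, "objectClass": "contact", "displayName": cn}
        for source_column, attribute in OUTLOOK_TO_AD.items():
            row[attribute] = (rec.get(source_column) or "").strip()
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), skipped


if __name__ == "__main__":
    text, skipped = outlook_to_csvde(
        SAMPLE_OUTLOOK_CSV, "OU=Test,OU=Contacts,DC=domain,DC=com")
    print(text)
    for line, reason in skipped:
        print("skipped input line %d: %s" % (line, reason))
```

Review the skipped rows before running the import, since they are the contacts that will not exist in AD afterwards.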

Saturday, January 23, 2016

Attempting to connect to a VMware Horizon View desktop via PCoIP displays a black screen and does not disconnect

Problem

You’ve deployed a new Windows desktop, created a manual desktop pool and then added the desktop to the pool. With the newly added desktop listed as Available in the Status column, you attempt to connect to the desktop via PCoIP with your VMware Horizon View client but all you see is a black screen:

image

The session does not cut off and navigating to the VMware Horizon 6 View Administrator shows that the session is in a Connected state:

image

You’ve confirmed that you’ve set the monitor resolution for the desktop pool to a high resolution:

image

Solution

This issue threw me off for a bit of time because I’ve come across this issue before as mentioned in one of my previous posts:

Connecting to VMware View 5.1.2 desktop via PCoIP displays a black screen when in full screen
http://terenceluk.blogspot.com/2013/11/connecting-to-vmware-view-512-desktop.html

I had a feeling it was the video memory but never bothered to check the actual virtual machine’s settings because I assumed they were adjusted and when I finally did, it was set to:

Number of displays: 1

Total video memory: 8 MB

These settings were lower than the minimum required for the lowest monitor resolution that VMware Horizon View provides:

Max number of monitors: 1

Max resolution of any one monitor: 1680x1050

When set to the lowest resolution indicated above, the virtual machine’s Video card settings are configured as:

Number of displays: 1

Total video memory: 13.5 MB

… which is still higher than the original virtual machine settings.  The cause of my issue was that I failed to remember that changing the resolution settings for the desktop pool does not get applied to the virtual desktops unless the desktop is completely Powered Off.  A restart of the desktop will not change the Video card settings and since this was a manual desktop pool with the Remote Machine Power Policy set to Ensure machines are always powered on, the desktop was never really powered off after being added to the pool.

To correct the issue, I simply changed the Remote Machine Power Policy setting to Take no power action:

image

… powered off the machine, let View reconfigure the virtual machine, powered it back on with the new Video card settings and the problem went away.

As a reference, setting the monitor resolution for the pool to:

Max number of monitors: 4

Max resolution of any one monitor: 2560x1600

Configures the virtual machine’s Video card settings as:

Number of displays: 4

Total video memory: 125 MB

Thursday, January 21, 2016

Viewing Adobe PDFs within Internet Explorer 11 throws the error: “There is a problem with Adobe Acrobat/Reader. If it is running, please exit and try again. (0:104)”

Problem

I was recently involved with an Internet Explorer upgrade for a client with VMware Horizon View virtual desktops accelerated with SanDisk’s ioVDI solution where we noticed that after upgrading from Internet Explorer 9 to 11, we were no longer able to open PDFs from within the browser as the following error is presented:

There is a problem with Adobe Acrobat/Reader. If it is running, please exit and try again. (0:104)

Solution

Through the week-long troubleshooting process, we were able to identify three possible solutions to the problem.

Solution #1 – Configure Internet Explorer to launch the Adobe PDF in a new separate window

This was one of the easiest solutions we found through the forums but it was not practical for the environment because we had web applications that required PDFs to be launched from within the Internet Explorer 11 window.

Solution #2 – Configure IE 11 Tab Process Growth to 1 and disable Adobe Protected Mode

The environment we worked in had an application that required the Tab Process Growth for IE 11 to be set to the value of 0. 

User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer

Set tab process growth

What we noticed was that if we set the value to 1 via the GPO:

image

… or via the registry:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

REG_DWORD named TabProcGrowth

------------------------------------------------------------------------------------------------------------------------------------------

**Note that if the above registry key does not work, try the following alternate location that also appears to work:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main

------------------------------------------------------------------------------------------------------------------------------------------

… and disable Protected Mode for Adobe Acrobat Reader DC 2015 as demonstrated in my previous post:

Disabling “Enable Protected Mode at startup” and “Enable Enhanced Security” for Adobe Acrobat Reader DC 2015
http://terenceluk.blogspot.com/2016/01/disabling-enable-protected-mode-at.html

… then the error will no longer be presented.

Solution #3 – Disable redirectusertemp for SanDisk ioVDI

The two solutions above would not have met our requirements for the organization and we were left wondering why our virtual desktops exhibited this problem but not our physical desktops.  Through further investigation and a bit of luck, we noticed errors being thrown in the Adobe Acrobat Reader DC 2015 referencing the directory:

C:\Windows\Temp\iotdx-disposable

As demonstrated in one of my previous posts:

VMware Horizon View virtual desktops experience temporary drive space issues with SanDisk Fusion-io ioVDI integration
http://terenceluk.blogspot.com/2015/08/vmware-horizon-view-virtual-desktops.html

I recently noticed that an environment with SanDisk ioVDI redirecting Windows files to a disposable disk could cause issues if the drive fills up.  In this situation, the drive did not fill up but Adobe appears to have problems writing to it.  What we noticed was that this issue could be fixed if we ran the iottool command on the VDI to disable the user temp folder from redirecting.

The command to execute would be as follows:

iottool redirectusertmp disable

Once executed, restart the system.

------------------------------------------------------------------------------------------------------------------------------------------

This issue took quite a bit of time and resources and I hope this post will help others who may come across this issue.

Wednesday, January 20, 2016

Licensing VMware App Volumes

I recently had to assist a client with licensing their VMware App Volumes software as the trial period was coming to an end and I noticed that the process was a bit confusing so I thought I’d write this short blog post in case someone runs into the same issue.

Problem

Logging into the My VMware portal after purchasing your VMware App Volumes licensing will display the following 15 character license key:

xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

What I thought I needed to do was simply copy the serial key and paste it into the console but when I launched the App Volumes Manager, clicked on the Licensing tab, then Edit:

image

I quickly noticed that I was asked to upload some sort of a license file with a .key extension:

image

Solution

While I’m not really sure what the serial key is for, the way to license the App Volumes Manager is to actually navigate back to My VMware and to the downloads section:

image

As shown in the screenshot above, an Unlimited Desktops key file is available for download under the App Volumes ISO item. Proceed to download the file to the server:

image

image

Then upload the file in the licensing section to license VMware App Volumes:

image

image

Thursday, January 14, 2016

Enabling TLS 1.0 for VMware Horizon View 6.2.1 to allow Horizon View 3.3 or older clients to connect

Problem

As a follow up to one of my previous posts:

Upgrading from VMware Horizon View 6.0.1 to 6.2.1 causes connections to throw the error: “Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.”
http://terenceluk.blogspot.com/2016/01/upgrading-from-vmware-horizon-view-601.html

I finally got a chance to take some time to test the following KB that outlines the steps required to enable TLS 1.0 for backward compatibility with VMware Horizon View 6.2.0 and earlier:

Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later (2130798)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2130798

To provide a bit of background for the issue, let me reference the release notes found at the following URL that describes the TLS changes to PCoIP connections:

Release Notes for VMware Horizon 6 version 6.2.1
https://pubs.vmware.com/Release_Notes/en/horizon-6-view/horizon-621-view-release-notes.html

What's New in This Release of Horizon 6

  • VMware Horizon View 6.2.1 is a maintenance release. Some known issues from previous releases are resolved. For more information, see Resolved Issues.
  • To improve security, SSLv3 is no longer supported. By default, TLS 1.1 and TLS 1.2 are enabled. TLS 1.0 is enabled for outgoing connections to support vSphere 5.x, but is disabled for incoming connections. If the vSphere version is 6.x, it is recommended that TLS 1.0 be disabled for outgoing connections.
  • For PCoIP connections, by default, TLS 1.1 and TLS 1.2 are enabled and TLS 1.0 is disabled. Horizon Client 3.3 and earlier versions use only TLS 1.0 for PCoIP. View Agent versions earlier than 6.2 also use only TLS 1.0. To support Horizon Client 3.3 and earlier versions, as well as View Agent 6.1.x and earlier versions, if you use the PCoIP Secure Gateway, you can enable TLS 1.0 for PCoIP connections by following the instructions in KB 2130798, Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later.
  • For Blast Secure Gateway and the HTML Access agent, by default, TLS 1.1 and TLS 1.2 are enabled and TLS 1.0 is disabled. You can configure the security protocols and cipher suites for both components. See Configuring Security Protocols and Cipher Suites for Blast Secure Gateway in the View Security document and Configure Security Protocols and Cipher Suites for HTML Access Agent in the Horizon Client and View Agent Security document.
  • Linux desktops now support clipboard redirection, single sign-on, and smart card redirection. The Setting Up Horizon 6 for Linux Desktops guide also documents additional bulk-deployment scripts.

The text highlighted in red describes the changes to TLS that could potentially cause connectivity issues with older VMware View or Horizon View clients due to TLS 1.0 being disabled.

Testing Environment

With the background of the issue described, let me begin by listing the details of the environment I used for testing:

Horizon View Connection Servers: 2 (1 for external connections and 1 for internal connections)
Horizon View Connection Server Version: 6.2.1-3284346
Horizon View Security Server Version: 6.2.1-3284346
Horizon View Agent: 6.2.1-3284346

Internal Connection Tests - Use PCoIP Secure Gateway for PCoIP connections to machine is Disabled

The View Connection server currently has the following settings configured:

Use secure Tunnel connection to machine: disabled

Use PCoIP Secure Gateway for PCoIP connections to machine: disabled

Use Blast Secure Gateway for HTML access to machine: disabled

Attempting to access this environment with one of the Wyse Windows Embedded thin clients with an unsupported Horizon Client 3.1.0 build-2085634:

image

… will display a black screen for a few seconds then disconnect with the following error:

The connection to the remote computer ended.

As per the KB article mentioned above:

Configure security protocols for PCoIP for Horizon 6 version 6.2 and later, and Horizon Client 3.5 and later (2130798)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2130798

I proceeded to add the following registry key to my virtual desktop with the 6.2.1 agent in a pool:

HKLM\Software\Teradici\PCoIP\pcoip_admin
Name: pcoip.ssl_protocol
Type: REG_SZ
Value: TLS1.0:TLS1.1:TLS1.2

The registry can either be manually added or the following command can be executed:

reg add "HKLM\Software\Teradici\PCoIP\pcoip_admin" /v "pcoip.ssl_protocol" /t REG_SZ /d TLS1.0:TLS1.1:TLS1.2 /f

From here, connections to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 complete successfully without any errors.

Internal Connection Tests - Use PCoIP Secure Gateway for PCoIP connections to machine is Enabled

Changing the View Connection server’s settings to:

Use secure Tunnel connection to machine: enabled

Use PCoIP Secure Gateway for PCoIP connections to machine: enabled

Use Blast Secure Gateway for HTML access to machine: disabled

… with the registry added and then attempting to connect to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 fails with the error:

The connection to the remote computer ended.

Proceeding to add the following registry key to the view connection server:

HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value: tls1.2:tls1.1:tls1.0

… either via:

reg add "HKLM\Software\Teradici\SecurityGateway" /v "SSLProtocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

… or manually via the registry editor:

image

Then attempting to connect to the virtual desktop with the unsupported Horizon Client 3.1.0 build-2085634 fails with the same error message.

Note that I tried multiple troubleshooting steps but was unable to get internal View Horizon Clients that were older than 3.3 to successfully connect.

External Connection Tests

Logging onto the VMware Horizon View Security server and adding the registry key:

HKLM\Software\Teradici\SecurityGateway
Name: SSLProtocol
Type: REG_SZ
Value: tls1.2:tls1.1:tls1.0

… either manually through the registry editor or via:

reg add "HKLM\Software\Teradici\SecurityGateway" /v "SSLProtocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

… allows me to successfully connect with an unsupported Horizon Client 3.1.0 build-2085634.  However, attempting to connect with an even older View Client 5.0.0 build-481677:

image

image

… will throw the following error:

The View Connection Server connection failed. A security error occurred.

It’s worth noting that I did not add the registry key to the View Connection server that was paired with the View Security server as it did not appear to matter.

Conclusion

The conclusion from my tests is as follows:

  1. I was able to use the registry entry to provide access to View Connection Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client if I am not using PCoIP Secure Gateway for PCoIP connections to the machine, meaning your View client is just being brokered directly to the virtual desktop
  2. I was unable to use the registry entry to provide access to View Connection Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client if I am using PCoIP Secure Gateway for PCoIP connections to the machine, meaning your View client actually traverses through the View Connection server in order to connect to the virtual desktop
  3. I was able to use the registry entry to provide external access through the View Security Server 6.2.1 and View Agent 6.2.1 from an unsupported TLS 1.0 client by adding the registry entry on the Security server and View agent

What had me stumped at the end of this test was why I could not get #2 to work, so comments on what I did incorrectly are welcome.

I hope this helps anyone who may come across this issue.
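
To keep track of where the TLS 1.0 overrides from these tests remain in place, the following added example (not from the original post or from VMware) parses reg query output collected per host and reports any protocol outside the TLS 1.1 and TLS 1.2 defaults quoted from the release notes above. The host names and sample output are constructed, and collecting the output with reg query "HKLM\Software\Teradici" /s is an assumption of this example.

```python
import re

# The two registry values set in this post: (lower-cased key, value name).
WATCHED = {
    (r"hkey_local_machine\software\teradici\pcoip\pcoip_admin",
     "pcoip.ssl_protocol"): "View Agent (PCoIP)",
    (r"hkey_local_machine\software\teradici\securitygateway",
     "sslprotocol"): "PCoIP Secure Gateway",
}
# Defaults for PCoIP according to the 6.2.1 release notes quoted above.
DEFAULT_PROTOCOLS = {"tls1.1", "tls1.2"}

# A value line in reg query output: indent, name, type, data.
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Constructed per-host output in the layout that reg query prints.
SAMPLE_OUTPUTS = {
    "vdi-desktop-01": r"""
HKEY_LOCAL_MACHINE\Software\Teradici\PCoIP\pcoip_admin
    pcoip.ssl_protocol    REG_SZ    TLS1.0:TLS1.1:TLS1.2
""",
    "view-sec-01": r"""
HKEY_LOCAL_MACHINE\Software\Teradici\SecurityGateway
    SSLProtocol    REG_SZ    tls1.2:tls1.1:tls1.0
""",
    "view-cs-02": r"""
HKEY_LOCAL_MACHINE\Software\Teradici\SecurityGateway
    SSLProtocol    REG_SZ    tls1.2:tls1.1
""",
}


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_RE.match(line)
        if match and key:
            yield key, match["name"], match["type"], match["data"].strip()


def audit_host(host, reg_output):
    """Return findings for watched values that enable non-default protocols."""
    findings = []
    for key, name, value_type, data in parse_reg_query(reg_output):
        component = WATCHED.get((key.lower(), name.lower()))
        if component is None or value_type != "REG_SZ":
            continue
        protocols = [p.strip().lower() for p in data.split(":") if p.strip()]
        non_default = [p for p in protocols if p not in DEFAULT_PROTOCOLS]
        if non_default:
            findings.append({"host": host, "component": component,
                             "value": name, "non_default": non_default})
    return findings


def audit_fleet(outputs):
    """Run audit_host over a {host: reg query output} mapping."""
    findings = []
    for host, reg_output in outputs.items():
        findings.extend(audit_host(host, reg_output))
    return findings


if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_OUTPUTS):
        print("%(host)s: %(component)s %(value)s enables %(non_default)s"
              % finding)
```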