WSFC – Validate Configuration wizard error


This is a short post talking about Windows Server Failover Clustering (WSFC) and a problem I found when adding the nodes from your cluster using the “Validate a Configuration” wizard.

It is recommended to run this wizard after configuring your nodes and before creating the cluster, in order to spot any misconfigurations.

So now, let’s go into the problem.

 

The issue

In the wizard, trying to add the second node (in my example) shows an error:

Failed to access remote registry on <FQDNoftheserver>. Ensure the remote registry service is running, and have remote administration enabled.

 

Possible solutions

  • Execute in Powershell (PS): winrm quickconfig

This will set up “winrm” (Windows Remote Management), more information in this link.

  • Review the NIC settings on the affected node:

Check that the options “File and Print Sharing for Microsoft Networks” and “Client for Microsoft Networks” are enabled on the NIC that you are using to add the node (based on what’s registered in DNS):

  • Verify that the “Remote Registry” service is set to “Automatic (Trigger Start)”.
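The three items above can be checked from PowerShell before re-running the wizard. This is an added example, not part of the original post; the function name Test-ClusterNodePrereq is hypothetical, and it assumes Windows Server 2012 or later (for the NetAdapter cmdlets).

```powershell
# Added example (not from the original post): read-only checks, nothing is changed.
# Run in an elevated PowerShell session on the node the wizard cannot add.
function Test-ClusterNodePrereq {
    [CmdletBinding()]
    param()

    # 1. WinRM: service running and a listener answering (what "winrm quickconfig" sets up)
    $winrm    = Get-Service -Name WinRM
    $listener = [bool](Test-WSMan -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'WinRM'
        Detail = "service=$($winrm.Status); listener=$listener"
        Passed = ($winrm.Status -eq 'Running') -and $listener
    }

    # 2. Remote Registry: start mode Automatic with a start trigger registered
    $svc     = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $trigger = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry\TriggerInfo'
    [pscustomobject]@{
        Check  = 'Remote Registry'
        Detail = "startmode=$($svc.StartMode); trigger=$trigger; state=$($svc.State)"
        Passed = ($svc.StartMode -eq 'Auto') -and $trigger
    }

    # 3. NIC bindings on connected adapters:
    #    ms_server   = File and Printer Sharing for Microsoft Networks
    #    ms_msclient = Client for Microsoft Networks
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_server, ms_msclient |
            ForEach-Object {
                [pscustomobject]@{
                    Check  = "Binding on '$($_.Name)'"
                    Detail = "$($_.DisplayName) ($($_.ComponentID))"
                    Passed = $_.Enabled
                }
            }
    }
}

Test-ClusterNodePrereq | Format-Table -AutoSize -Wrap
```

Any row with Passed = False points at the item to fix; compare the adapter name with the address registered in DNS for the node.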

 

After that, you shouldn’t have problems adding your nodes to the cluster from the wizard:

Now, you could continue with the testing options and so on but this post is only to explain the error and how to solve it.

 

That will conclude this quick post about Windows Server Failover Cluster and an issue you can find while trying to validate the configuration of your cluster from the wizard.

 

 

 

Troubleshooting tips for beginners in Windows Server


I was thinking these days about what I wish I had known when I started working with Windows servers: some basic (and some not) commands that can help me to troubleshoot servers without requiring additional software.

 

That’s why this post is dedicated to people who have just started administering servers with Windows Server 20xx-2019 (I expect at least 2008, although it reaches end of support next month), or maybe you’re curious and want to know more about Windows Server administration.

We will exclude networking problems as that is another huge topic so, we assume that the server is reachable by using ping (ICMP protocol).

 

RDP isn’t everything

First thing I notice when someone tells me: “I can’t access the server via RDP, it must be overloaded, unresponsive, etc. because I can ping it”.

As you may know (or not), RDP is the Remote Desktop Protocol, which usually runs on port 3389. There can be tons of reasons why you can’t access a server via RDP at the moment an alert is raised (port blocked, server out of resources, user not allowed to RDP, etc.).

Therefore, I will list some points about how to troubleshoot a server when you can’t access using RDP. In this way, you’ll be able to manage a server (Windows) without accessing it.

 

MMC (Microsoft Management Console)

MMC is everywhere: when you open the Event Viewer, it is in fact an MMC with the “Event Viewer” snap-in loaded. Here is how you would do it manually instead of opening the Event Viewer “console”:

You should try to master the MMC as it provides you the best way to manage different aspects and features from a Windows server (remote or local).

 

By typing “mmc” in Run and pressing Enter, an empty console (MMC) will open.

And then, you can add a “snap-in” about any particular feature, service, etc. from Windows. Meaning that with the MMC you have at your disposal a tool to troubleshoot a remote or local server.

Just go to File > Add/Remove snap-in and choose what you want! For this example, I will add the Certificates snap-in in order to check which certificates are installed on my server:

Once you press Add, it will ask you which account to manage. Usually you want to use the computer account, because services and features are related to the computer, not to a user account.

Choose if you want to manage a local or remote server:

And finally, here is the final screenshot after adding the Certificates snap-in from my computer:

 

Now, imagine if you do the same with the Services snap-in and select Another Computer, you will be able to manage the services from a remote computer by just doing that and without connecting to the server using RDP!

 

Check memory resources (RAM)

CMD (command prompt)

Our “old” friend CMD, the command prompt interpreter, works on all versions of Windows Server. No matter which problem you have on your server, you can always run it, and it is available on any Windows installation without any requirement.

There are some useful commands to manage a remote Windows server. The first command I want to show you is the “tasklist” command, which is the equivalent of the “Task Manager” that you probably know.

It can become very handy to check which processes are consuming more memory resources:

tasklist /s <server> | sort /R /+58


The previous command is just for Memory usage (RAM) but it won’t work for CPU so, how can I check which process is consuming more CPU resources?

Check the next section!

 

Check CPU resources (CPU)

WMIC (Windows Management Interface Console)

In order to check the CPU remotely, there isn’t a simple command like “tasklist” with parameters as it is harder to get the stats from the CPU perspective.

Anyway,  this is another command that can be used within CMD, the command is wmic, here you have some examples:

To get the CPU usage of the server:

 wmic cpu get loadpercentage 

Or the processes that are consuming a particular percentage (70% in this example):

 wmic path win32_perfformatteddata_perfproc_process where (PercentProcessorTime ^> 70) get Name, Caption, PercentProcessorTime, IDProcess /format:list 

As you can see in this output, it says “PercentProcessorTime=100”, which means that a process (mcshield) consumed 100% of its time when we asked for the processes above 50% of the server.

So in this case, the process “mcshield” (which is related to McAfee) is consuming more than 50% of the CPU.

Obviously the “_Total” process mustn’t be taken into account; it’s in the output because I didn’t want to make it larger (although it is a bit large).

There is another command (typeperf) which, although it can be more powerful (it uses performance counters), produces output that is a mess (lots of data). I won’t show it here but I wanted to let you know.
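The memory and CPU checks from the two sections above can also be done with one PowerShell function that reads the same performance class as the wmic example and drops the “_Total” and “Idle” rows. This is an added example, not from the original post; the function name Get-RemoteTopProcess and the server name SERVER01 are placeholders, and it assumes WinRM is reachable on the remote server. It is also useful on systems where wmic, which Microsoft has deprecated, is not available.

```powershell
# Added example (not from the original post). Queries a remote server over
# WinRM/CIM; -ComputerName is whatever server you are troubleshooting.
function Get-RemoteTopProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateSet('Cpu', 'Memory')][string]$SortBy = 'Cpu',
        [int]$Top = 10
    )

    # Same performance class that the wmic example reads
    $procs = Get-CimInstance -ComputerName $ComputerName `
        -ClassName Win32_PerfFormattedData_PerfProc_Process -ErrorAction Stop |
        # _Total is the sum of all rows and Idle is unused CPU: neither is a real process
        Where-Object { $_.Name -notin '_Total', 'Idle' }

    # Sort numerically on the raw counter instead of on text columns
    $sortProperty = if ($SortBy -eq 'Cpu') { 'PercentProcessorTime' } else { 'WorkingSetPrivate' }

    $procs |
        Sort-Object -Property $sortProperty -Descending |
        Select-Object -First $Top -Property Name, IDProcess, PercentProcessorTime,
            @{ Name = 'PrivateWorkingSetMB'
               Expression = { [math]::Round($_.WorkingSetPrivate / 1MB, 1) } }
}

# Top CPU consumers, then top memory consumers (SERVER01 is a placeholder)
Get-RemoteTopProcess -ComputerName 'SERVER01' -SortBy Cpu    | Format-Table -AutoSize
Get-RemoteTopProcess -ComputerName 'SERVER01' -SortBy Memory | Format-Table -AutoSize
```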

Alternate access to RDP

A server can be physical or virtual. If it is virtual, you can probably access the virtual machine using Hyper-V Manager (if you use Hyper-V) or the vSphere Web Client (vSphere) in order to gain access to the virtual server.

If the server is physical, you probably have access to some remote console (iLO, iDRAC, etc.) to access the server and finally be able to log in if you need to.

 

 

I hope these tips helped you or at least make you remember how to do it, see you next time.

Migrating ADFS from 2012 R2 (3.0 v) to 2016 (4.0 v.)


I will explain today how to migrate ADFS from 2012 R2 (3.0 v) to 2016 (4.0) with almost no downtime. The overall process consists of adding the new ADFS server to the farm, assigning the primary role to the new ADFS server, making some changes, and then we’re done.

 

The current environment is:

  • 1 x WAP Server (W2012 R2)
  • 1 x ADFS Server (W2012 R2)

No applications published, just an Office 365 Relying party trust.

A DNS A record that points sts.teselia.com to the ADFS IP address.

 

And the future environment will be:

  • 1 x WAP Server (W2016) -> Not in this post
  • 1 x ADFS Server (W2016) -> In this post

Planning for your ADFS Migration

  1. Active Directory schema update using ‘ADPrep’ with the Windows Server 2016 additions (not necessary in my case)
  2. Build a Windows Server 2016 server with ADFS and join into an existing farm.
  3. Promote one of the ADFS 2016 servers as “primary” of the farm, and point all other secondary servers to the new “primary”.
  4. Change DNS records to the new server’s IP address.
  5. Raise the Farm Behavior Level feature (FBL) to ‘2016’
  6. Test that the setup works correctly.
  7. Remove the old ADFS server (W2012 R2) from the farm.

Upgrading Schema

Now, time to upgrade the schema of the AD:

Put the installation media from W2016 Datacenter:

Adprep /forestprep

In my case, it was already updated (my domain is in W2012 R2 so it seems that I don’t need it).

 

Installing and configuring ADFS

Once we deployed a new Windows Server 2016 and it’s joined to our domain…

Install the role of ADFS in your target server and then continue with the post-deployment config:

 

Provide an account with Domain Administrator permissions:

 

Provide your federation service name. You can review it in the current ADFS primary server and click Properties in the root folder of the ADFS console:

 

In our case “sts.teselia.com”:

 

Specify your SSL certificate (usually your wildcard):

 

Then, I will use an account (Managed service account recommended):

 

Review your configuration and after the pre-requisite checks proceed with the “Configure” button:

 

After the server is installed you will have some warnings that will be fixed later by rebooting the server and making this new server the primary ADFS server in the farm:

Then, we will proceed to reboot our server (ADFS01.teselia.com).

 

Configuring as a “PrimaryComputer” in the ADFS farm

Once the machine has restarted, open the ADFS Management Console, and you’ll notice it’s not the primary federation server in the farm.

Open a PS console and execute:

Set-AdfsSyncProperties -Role PrimaryComputer

 

After that, I can access the ADFS console from our new ADFS server without the warning:

 

Execute this on the other ADFS servers (we will point the new ADFS server as the PRIMARY):

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName sts.teselia.com

Then, we will check that in our old ADFS server it’s correct:
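The role and sync state can be read back on each node from PowerShell, together with the farm information that step 5 of the plan (raising the FBL) depends on. This is an added example, not from the original post; the function name Get-AdfsMigrationState is hypothetical, and everything in it is read-only.

```powershell
# Added example (not from the original post): read-only view of the farm state.
# Run in an elevated PowerShell session on each ADFS node (old and new).
function Get-AdfsMigrationState {
    [CmdletBinding()]
    param()

    $sync  = Get-AdfsSyncProperties
    $state = [ordered]@{
        Node = $env:COMPUTERNAME
        Role = $sync.Role              # PrimaryComputer or SecondaryComputer
    }

    if ("$($sync.Role)" -eq 'SecondaryComputer') {
        # A secondary should name the new primary and report a recent, successful sync
        $state.PrimaryComputerName = $sync.PrimaryComputerName
        $state.LastSyncStatus      = $sync.LastSyncStatus   # 0 after a successful sync
        $state.LastSyncTime        = $sync.LastSyncTime
    }

    # Get-AdfsFarmInformation only exists on ADFS 2016 and later nodes
    if (Get-Command -Name Get-AdfsFarmInformation -ErrorAction SilentlyContinue) {
        $farm = Get-AdfsFarmInformation
        $state.CurrentFarmBehavior = $farm.CurrentFarmBehavior   # 1 = 2012 R2, 3 = 2016
        $state.FarmNodes           = $farm.FarmNodes
    }

    [pscustomobject]$state
}

Get-AdfsMigrationState | Format-List

# On the new primary only: dry run that reports whether the farm behavior
# level can be raised, without changing anything.
if (Get-Command -Name Test-AdfsFarmBehaviorLevelRaise -ErrorAction SilentlyContinue) {
    Test-AdfsFarmBehaviorLevelRaise
}
```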

Details to bear in mind

So, in my case, I have a DNS A record that points sts.teselia.com to an IP address (the ADFS server)

After pointing to the new server, I had to modify the hosts file on the WAP server in the DMZ to point to the new server!

Also, I modified the DNS record in the internal DNS with the new server’s IP address.

 

 

Error with O365 relying party trust

After migrating the service from ADFS 3.0 (W2012 R2) to ADFS 4.0 (W2016), I faced a problem when updating the O365 relying party trust.

The solution was to apply a fix described by Microsoft:

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358

Basically, what you have to do is add a couple of registry values on this new ADFS server, because it’s Windows Server 2016 and is running ADFS version 4.0.

Once you have applied the fix, reboot the server and it works flawlessly!

 

Testing the new setup

To check that it’s really working, try to log into your Office 365 portal and it must show you the portal from your federation service.

As the WAP service isn’t migrated yet, it should respond correctly but if the configuration is not correct, it won’t be able to gather the configuration from the ADFS service.

Removing the old ADFS server

Once you tested that it works correctly, as both ADFS servers will have the configuration replicated, you can remove the role from the old one (that now holds the secondary role) and then remove it from the domain.

With that done, you will have a fresh new Windows Server 2016 ADFS server and no “old” ADFS servers.

 

 

And that’s all. In the future I will do another post about the WAP service migration, which is easier than this one. I hope that this can help someone.

Exam 70-743, Upgrading MCSA Windows Server 2016 experience


I will explain quickly my experience regarding the Exam 70-743, Upgrading Your Skills to MCSA: Windows Server 2016 exam from Microsoft I took last April.

It’s been a while since I took an exam from Microsoft (the latest was in 2013 I think), and as you probably know, these kinds of exams are multiple-choice or single-choice.

Through my career, I saw a lot of people cheating with these exams by memorizing the questions you can find on the internet and finishing it in just 20 minutes.

Although I envied these people because they weren’t putting in the same effort as I did, in the end this translated into almost no knowledge of what they practiced and no familiarity with all the features that Windows Server offers.

So, I encourage you to study the materials and practice in order to learn and bring value to yourself if you want to use these technologies from Microsoft.

The blueprint and webpage for this exam is the following one: https://www.microsoft.com/en-us/learning/exam-70-743.aspx

 

About the exam

In my case, although I am experienced with Windows Server, this kind of upgrade exam, which is a 3-in-1 exam, can be scary for someone who’s new or hasn’t touched many of the roles that Windows Server has.

Even though I have installed almost all roles from Windows Server 2016, there are some that aren’t so common, and you should practice them in a homelab (the best way to make them stick in your mind).

There are around 60 questions (the quantity may differ) chosen from the following exams:

Regarding the questions there is a mix of Drag and Drop, Radio buttons, Checkboxes, …you know, the usual ones in this kind of exams.

Important: Be aware that the feature “Nano Server” was removed/deprecated in Windows Server 2016 some time ago. Here is the official post from Microsoft: https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features

Also read about the changes this exam has undergone in the official change document that Microsoft provides (it is in the blueprint): https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IoQP

So, even if you see a lot of information about Nano Server in guides or courses in my case I didn’t find any question in the exam related to it (as it was deprecated years ago).

 

Resources and suggestions

As a resource, I mainly used this course from Pluralsight (not free): https://app.pluralsight.com/paths/certificate/upgrading-your-skills-to-mcsa-windows-server-2016-70-743

There are a lot of videos there; I checked the ones on topics I felt more insecure about and practiced in the lab. Also, I do recommend that you use PowerShell to install and configure everything you can, and in this way you will get used to it.

As this is a 3-in-1 exam, the range of features and roles to know is huge. Knowing a bit of everything will help you to pass but, without practice, you won’t get anywhere…

Having experience helps a lot, but if that’s not your case, focus on the roles and features you have never used or are not used to using (ADFS, NPS, RRAS, Hyper-V, etc.).

 

So…

To conclude, I can say it’s a fair exam and a bit challenging maybe but if you practice a lot with all the roles that Windows Server 2016 offers and know the differences from Windows Server 2012 R2.

Also, the most important thing, I think… practice with PowerShell. It won’t only help you with the exam but also in your future!

 

 

 

 

 

Azure – Backup and restore SQL DB using SSMS


A quick post about how to back up and restore a SQL database on Azure using SQL Server Management Studio (SSMS).

First, you will need to install SSMS. You can download it here: https://go.microsoft.com/fwlink/?linkid=875802

Once installed, in order to access the database, you will need the name of the server where it is hosted. So, you will have to check the Server name in the Azure Portal (you can also do it with PowerShell, of course):

Now, open SSMS and access the server name (you gathered the information before):

Export/Backup Database

Once you logged in, select the database you want to export -> Export Data-tier Application

In the new window > Next > select where you want to save the DB (you can do it locally or in a Storage Account), in our case Local Disk:

In the Advanced tab you can choose which tables you want to export, we will Select All:

Finally, we have a Summary of the process before exporting the database:

Then it will start to export the database; depending on the size of your DB, the export will take more or less time:

Finally, we will have a file with .bacpac extension.

Import/Restore database

The process is almost the same but now we select Import Data-tier Application:

Continue selecting the file with .bacpac extension we exported before:

Then, with Database settings, here you can choose different options as you can do on the Azure portal:

Summary of the imported database:

Finally, it was imported successfully (it took a while for a 10 MB DB):

As a result of the restore, the restored database (Restore_DB) will appear in SSMS:

 

Therefore, I posted a quick way to export and import a SQL database by using SSMS. You could use it as a backup (please, not in local) or for example, to overwrite changes from UAT to PROD.