SCOM 2012 secondary server installation failed

Hi,

I came up with another article for the issue of Microsoft System Center Operation Manager 2012 secondary server installation issue. So sharing my experience here how I dealt with this situation.

OS - Microsoft Windows 2008 R2
Apps - Microsoft System Center Operation Manager 2012

Issue - While try to install SCOM 2012 secondary server into existing Management Group by selecting custom port for Data-Ware house, installation gets failed.

Here I have analyzed the set up log and found below error.

Error:  :StackTrace:   at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)

at System.Net.Dns.GetHostEntry(String hostNameOrAddress)

at Microsoft.EnterpriseManagement.OperationsManager.SetupCommon.SetupUtils.CheckIsRemoteSqlServer(String sqlInstanceName)

at Microsoft.EnterpriseManagement.OperationsManager.Setup.Common.SetupHelpers.GetAccountForDB(Account dasAccount, String sqlServerInstance, String& dasAccountForDB)

   at Microsoft.SystemCenter.Essentials.SetupFramework.InstallItemsDelegates.OMDataWarehouseProcessor.SetDataWarehouseSecurity()

[16:17:36]:     Error:  :FATAL ACTION: SetDataWarehouseSecurity

[16:17:36]:     Error:  :FATAL ACTION: DWInstallActionsPostProcessor

[16:17:36]:     Error:  :ProcessInstalls: Running the PostProcessDelegate returned false.

Cause:

The setup failed because we use 1443 as the SQL service port for data warehouse server, there’s a known issue that when GUI passed the port number to the setup, the format is not correct and causing exception.

The work around is to install the management server with command line, however the SDK and data write account have special characters in the password and could not be used in CMD prompt.

Resolution:

We change the port back to default 1433 port from SQL server configuration manager and use following steps to update the databases.

1.     On the server hosting the operational database, update the OperationsManager database table.

a.   Open SQL Server Management Studio.

b.   Expand Databases, OperationsManager, and Tables.

c.   Right-click dbo. MT_Microsoft$SystemCenter$DataWarehouse, and then click Edit Top 200 Rows.

d.   Change the value in the MainDatabaseServerName_2C77AA48_DB0A_5D69_F8FF_20E48F3AED0F column from server name,1433 to server name.

e.   Close SQL Server Management Studio.

2.     On the data warehouse server, update the member database.

a.   Open SQL Server Management Studio.

b.   Expand Databases, OperationsManagerDW, and Tables.

c.   Right-click dbo. MemberDatabase, and then click Edit Top 200 Rows.

d.   Change the value in the ServerName column from server name,1433 to server name

e.   Close SQL Server Management Studio.

After the changes had been made, we rerun the setup and the management server was successfully installed. So using another port will not work by design and treated as a Bug,

Reference-

Installing Operations Manager by Using the Command Prompt Window - See Here

How to install Operations Manager 2012 single server configuration from the command prompt - See Here

How to Install Additional Management Servers - See Here

Microsoft System Center Configuration Manager 2007 R3 - unable to download patches - 2. Failed to find updates with error code 800B0001

Hi Guys,

I recently worked upon SCCM case for failing downloading windows updates with below error therefore sharing it here in my blog with solution implemented so that it will help to whoever facing same issue.

Failed to find updates with error code 800B0001

OS- Microsoft Windows 2008 R2
Application - Microsoft SCCM 2007 R3

As Microsoft does not support with SP1 - See Here 

Check Windowsupdate.log & Patchdownloader.log file for error details.

Windowsupdate.log Finding:

2012-07-17          15:46:38:808       816        2168       Misc       WARNING: Error: 0x800b0001 when verifying trust for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab

2012-07-17          15:46:38:808       816        2168       Misc       WARNING: Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab are not trusted: Error 0x800b0001

2012-07-17          15:46:38:808       816        2168       Setup    WARNING: Self Update check failed to download package information, error = 0x800B0001

2012-07-17          15:46:38:809       816        2168       Setup    FATAL: Self Update check failed, err = 0x800B0001

2012-07-17          15:46:38:867       816        2168       Agent      * WARNING: Skipping scan, self-update check returned 0x800B0001

2012-07-17          15:46:38:922       816        2168       Agent      * WARNING: Exit code = 0x800B0001

2012-07-17          15:46:38:922       816        2168       Agent    WARNING: WU client failed Searching for update with error 0x800b0001

2012-07-17          15:46:38:938       816        11e4      AU          >>##  RESUMED  ## AU: Search for updates [CallId = {C4B3D200-5463-4446-9432-EB74507F131E}]

2012-07-17          15:46:38:938       816        11e4      AU            # WARNING: Search callback failed, result = 0x800B0001

2012-07-17          15:46:38:939       816        11e4      AU            # WARNING: Failed to find updates with error code 800B0001

Patchdownloader.log finding

Contentsource = http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab . Software Updates Patch Downloader 7/25/2012 5:55:17 AM 10344 (0x2868)
Downloading content for ContentID = 9349,  FileName = windows6.1-kb2698365-x64.cab. Software Updates Patch Downloader 7/25/2012 5:55:17 AM 10344 (0x2868)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 10 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 61 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 81 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab in progress: 91 percent complete Software Updates Patch Downloader 7/25/2012 5:55:18 AM 9484 (0x250C)
Download http://download.windowsupdate.com/msdownload/update/software/secu/2012/06/windows6.1-kb2698365-x64_bf20bb36fc73c0d1f53ea1e635b8aa46c71d7b1f.cab to C:\Users\svc_sccm\AppData\Local\Temp\CAB1D33.tmp returns 0 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Checking machine config Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Cert revocation check is disabled so cert revocation list will not be checked. Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
To enable cert revocation check use: UpdDwnldCfg.exe /checkrevocation Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
Authentication of file C:\Users\svc_sccm\AppData\Local\Temp\CAB1D33.tmp failed, error 0x800b0004 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 9484 (0x250C)
ERROR: DownloadContentFiles() failed with hr=0x80073633 Software Updates Patch Downloader 7/25/2012 5:55:19 AM 10344 (0x2868)
it was happening for all patches and not to specific.

I was getting the same error message in windows update log file as stated above and as Microsoft strengthened the WSUS communication channels in the last month or so, which may explain why older patches worked but newer ones, are not working hence see here.

Additionally you can refer this article as well - See Here

However in my case, issue was still exist. I searched for KB 272011 but they havn't instaled it. So suggested to

install 2718704 and then 2720211

Also during my remote session, I noticed that any of Microsoft update link like http://gva1swparis.hq.intra.who.int:8530/SelfUpdate/wuident.cab downloading sucesfully However, the Digital Signature tab is missing from the file (go to properties, next to general TAB, it should show TAB for 'Digital Signature'. So Looks like there's a problem with the server itself. Since we move the same file to a different machine, we're able to see the Digital signature tab.

Also tried by changing security authentication mode but no sucess.

So, finally I resolved the issue. I have specified details below.

Cause:-

This problem may occur if one or more of the following conditions are true:

• Log file or database corruption exists in the %Systemroot%\System32\Catroot2 folder.
• Cryptographic Services is set to disabled.
• Other Windows files are corrupted or missing.
• The timestamp signature or certificate could not be verified or is malformed.
• The hidden attribute is set for the %Windir% folder or one of its subfolders.
• The Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) is set to Do not allow installation or Warn but allow installation, or the Policy binary value is not set to 0 in the following registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing
• The Enable trusted publisher lockdown Group Policy setting is turned on, and you do not have the appropriate certificate in your Trusted Publishers certificate store. This Group Policy setting is located under User Configuration, under Windows Settings, under Internet Explorer Maintenance, under Security, under Authenticode Settings in the Group Policy MMC snap-in.

Resolution:-

1. Set Cryptographic Services to automatic, it was set to Manual earlier

2. Rename catroot2 folder by stopping cryptsvc service, rename to oldcatroot2, start service again & then removed tmp *.cat files from
%systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

Note - If no files that start with tmp exist in this folder, do not remove any other files. The .cat files in this folder are necessary for installing hotfixes and service packs.

3. Reregister the DLL files that are associated with Cryptographic Services

Go to command prompt by 'Run as Administrator'

regsvr32 /u softpub.dll
regsvr32 /u wintrust.dll
regsvr32 /u initpki.dll
regsvr32 /u dssenh.dll
regsvr32 /u rsaenh.dll
regsvr32 /u gpkcsp.dll
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll
regsvr32 /u mssip32.dll
regsvr32 /u cryptdlg.dll
 if some files failed, ignore it for next try and restart the server

Once done, again do same excercise and re-register following

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 mssip32.dll
regsvr32 cryptdlg.dll
then restart box again.

4. Remove the hidden attribute from %Windir% and from its subfolders

Launch command prompt again with Administrator access and type following

attrib -s -h %windir%
attrib -s -h %windir%\system32
attrib -s -h %windir%\system32\catroot2
exit

5. Rename EDB.Log file by launching command prompt

ren %systemroot%\system32\catroot2\Edb.log *.tst

6. Temporarily turn off Trusted Publishers Lockdown and install the appropriate certificates to your trusted publishers certificate storeYou can continue to use the Enable trusted publisher lockdown Group Policy setting, but you must first add the appropriate certificates to your Trusted Publishers certificate store. To do this, turn off the Enable trusted publisher lockdown Group Policy setting, install the appropriate certificates in your Trusted Publishers certificate store, and then turn the Enable trusted publisher lockdown Group Policy setting back on. To install the appropriate certificate for Microsoft Windows and Microsoft Internet Explorer product updates, follow these steps:
1. Download the Microsoft product update that you want to install from the Microsoft Download Center, from the Windows Update Catalog, or from the Microsoft Update Catalog. For more information about how to download product updates from the Microsoft Download Center, click the following article number to view the article in the Microsoft Knowledge Base:
   119591

   (http://support.microsoft.com/kb/119591/ )

   How to obtain Microsoft support files from Online Services
   For more information about how to download product updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
   323166

   (http://support.microsoft.com/kb/323166/ )

   How to download updates that include drivers and hotfixes from the Windows Update Catalog
2. Extract the product update package to a temporary folder. The command-line command that you use to do this depends on the update that you are trying to install. View the Microsoft Knowledge Base article that is associated with the update to determine the appropriate command-line switches that you will use to extract the package. For example, to extract the 824146 security update for Windows XP to the C:\824146 folder, run Windowsxp-kb824146-x86-enu -x:c:\824146. To extract the 828750 security update for Windows XP to the C:\828750 folder, run q828750.exe /c /t:c:\828750.
3. Right-click the KBNumber.cat file from the product update package in the temporary folder you created in step 2, and then click Properties.
   
   Note The KBNumber.cat file may be in a subfolder. For example, the file may be in the C:\824146\sp1\update folder or in the C:\824146\sp2\update folder.
4. On the Digital Signatures tab, click the digital signature and then click Details.
5. Click View Certificate, and then click Install Certificate.
6. Click Next to start the Certificate Import Wizard.
7. Click Place all certificates in the following store, and then click Browse.
8. Click Trusted Publishers, and then click OK.
9. Click Next, click Finish, and then click OK.

7. Verify the status of all certificates in the certification path and import missing or damaged certificates from another computerTo verify certificates in the certificate path for a Windows or Internet Explorer product update, follow these steps:

Step 1: Verify Microsoft certificates

1. In Internet Explorer, click Tools, and then click Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, double-click Microsoft Root Authority. If this certificate is missing, go on to step 2.
4. On the General tab, make sure that the Valid from dates are 1/10/1997 to 12/31/2020.
5. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.
6. Click OK, and then double-click the NO LIABILITY ACCEPTED certificate.
7. On the General tab, make sure that the Valid from dates are 5/11/1997 to 1/7/2004.
8. On the Certification Path tab, verify that either This certificate has expired or is not yet valid or This certificate is OK appears under Certificate Status.
   
   Note Although this certificate is expired, the certificate will continue to work. The operating system may not work correctly if the certificate is missing or revoked.
9. Click OK, and then double-click the GTE CyberTrust Root certificate. You may have more than one of these certificates with the same name. Check the certificate that has an expiration date of 2/23/2006.
10. On the General tab, make sure that the Valid from dates are "2/23/1996 to 2/23/2006."
11. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.
    Click OK, and then double-click Thawte Timestamping CA.
12. On the General tab, make sure that the Valid from dates are "12/31/1996 to 12/31/2020."
13. On the Certification Path tab, verify that This certificate is OK appears under Certificate Status.

Step 2: Import missing or damaged certificates

If one or more of these certificates are missing or corrupted, export the missing or corrupted certificates to another computer, and then install the certificates on your computer. To export certificates on another computer, follow these steps:
1. In Internet Explorer, click Tools, and then click Internet Options.
2. On the Content tab, click Certificates.
3. On the Trusted Root Certification Authorities tab, click the certificate that you want to export.
4. Click Export, and then follow the instructions to export the certificate as a DER encoded Binary x.509(.CER) file.
5. After the certificate file has been exported, copy it to the computer where you want to import it.
6. On the computer where you want to import the certificate, double-click the certificate.
7. Click Install certificate, and then click Next.
8. Click Finish, and then click OK.

   8. Clear the temporary file and restart the hotfix installation or the service pack installation
To clear the temporary file and restart the hotfix installation or the service pack installation, follow these steps:

1. Delete all the tmp*.cat files in the following folders:
   
   %systemroot%\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
   
   %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
2. Delete all the kb*.cat files in the following folders:
   %systemroot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
   %systemroot%\System32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
3. Delete all the oem*.* files from the %systemroot%\inf folder.
4. At the command prompt, type the following commands. Press ENTER after each command.
   net stop cryptsvc
   ren %systemroot%\System32\Catroot2 oldcatroot2
   net start cryptsvc
   exit
5. Restart the failed hotfix installation or service pack installation.

9. Empty the software distribution folder

1. Click Start, click Run, type services.msc, and then click OK.
   
   Note On a Windows Vista-based computer, click Start, type services.msc in the Start Search box, right-click services.msc, and then click Run as administrator.
2. In the Services (Local) pane, right-click Automatic Updates, and then click Stop.
3. Minimize the Services (local) window.
4. Select all the contents of the Windows distribution folder, and then delete them.
   
   Note By default, the Windows distribution folder is located in the drive:\Windows\SoftwareDistribution folder. In this location, drive is a placeholder for the drive where Windows is installed.
5. Make sure that the Windows distribution folder is empty, and then maximize the Services (local) window.
6. In the Services (Local) pane, right-click Automatic Updates, and then click Start.
7. Restart the computer, and then run Windows Update again.

By following all above step by step, it helped me to resolved my issue.

Microsoft System Center Operation Manager 2012 - Alert subscription doesn't work with custom parameter

I recently worked on SCOM 2012 case which was very intresting to work upon, after initial basic troubleshooting, collaborated with Microsoft and worked together, so I thought good to share here if anyone face this issue.

Issue-
Alert subscription doesn't work if select "with specific text in description" and specifying any parameter like - %test%.

OS - Microsoft Windows 2008 R2
Application - Microsoft SCOM 2012 (System Center Operation Manager)

But able to receive email if removing filter.

Information:-

By Design, if configure the criteria with the first word mentioned in the “Alert Description” the subscription works. If select any other word mentioned in the alert details, the subscription doesn’t work. So it meants, if the alert description field is not generated by custom fields it will work as expected. If the Alert description has any information which is generated by custom fields it will not work.

Here in the above example, in the Alert Description section, have certain details. And “Source”, “Path”, “Alert Rule” they are in different section. This is the default configuration. If don’t have anything with the targeted keyword in the “Alert Description” section the subscription will fail. If have the targeted keyword in any place other than “Alert Description” section and in “Subscription Criteria”  selected “With Specific text in description” the alert will never send a notification. So will have to edit the Alert properties to add some Alert Description with the desired keyword.
Cause: 

This is found to be the design of the product and is a BUG. This is only reproducible when the Criteria "With specific text in description" is set to a variable in the description. Any static text in the description will work as expected.    

For example, if create a rule that is triggered for Event ID 644, and assign the Alert description as "Event ID for NotificationRule: $Data/EventID$".   When the alert shows up, can see alert description as - "Event ID for NotificationRule: 644"     Under this condition: If criteria for description text is "%NotificationRule%" for example, the notification will be sent. If criteria for description text is "%644%" the notification will not be sent, because the 644 is a variable.
- When create a Notification Subscription with the option selected as - "With specific text in description", the following is being logged as a criteria in the Notification Internal Library:  -----------------------------------------------------  <Expression>                        <SimpleExpression>                          <ValueExpression>                            <Property>AlertDescription</Property>                          </ValueExpression>                          <Operator>Equal</Operator>                          <ValueExpression>                            <Value>Pradeep</Value>                          </ValueExpression>                        </SimpleExpression>                      </Expression>                    </And>  ----------------------------------------------------- 
Whereas if used any variable in the alert description (while creating the Rule or Monitor), the Alert description will look like:
"The threshold for the Memory \ % Used Memory counter on computer {0} has been exceeded. The value that exceeded the threshold is: {1} "  -- [Example for Memory threshold]    Inside the DB all these information’s will go to the 'Dbo.Alert' table, the static content will go to 'AlertDescription' column. Where-as the variable output will go to 'AlertParams' column in the dbo.alert  table. This is where it fails for sending the notification, as the query looks at 'AlertDescription' column but the entry itself is in different column ('AlertParams'). 

Resolution: 

So far no solution to this (it is a bug) but the following workaround. 
After creating the notification, can manually modify the Notification MP XML to search at the required location and reimport this MP. However, with every change in the notification (in console) then need have to modify the MP manually again. Export the MP>Modify the expression to reflect the 'AlertParams' column>save the changes>Import the MP into configuration.   Or not to use dynamic contents/variables for alert description generation.