ConfigMgr Reporting Services Point with complex SQL

No Gravatar

In a new ConfigMgr 2012 R2 SP1 environment the Reporting Services point was proving a bit challenging to install.  After setting all of the required permission it was finally happy. 

Required Permissions

On the SQL Server Reporting Services server, an account (in this case a domain user "functional" or "service" account) needed the following:

  • Membership in the server’s local Administrators group
  • SSRS Site Settings -> System Administrator, System User
  • SSRS Folder Settings on the root folder -> Browser, Content Manager, My Reports, Publisher, Report Builder

Scenario Details

This ConfigMgr environment has a complex configuration with 3 different SQL servers in play.

  • Server1: ConfigMgr Primary Site server
  • Server2: server running SQL Server Database Engine role and configured as the ConfigMgr Site Database server
  • Server3: server running SQL Server Reporting Services role
  • Server4: server running SQL Server Database Engine role with only the ReportServer database

With Server1 (ConfigMgr) and Server2 (SQL DB) configured and most functionality working (software deployment, software update deployment, OS deployment, inventory, etc.) it was time to install Reporting Services point.  We created a new ConfigMgr Site Server for Server3 using a domain user account.  However, when attempting to install the Reporting Services point the following error was encountered:

image

  • Unable to locate any configured SRS instances on the server.  Verify SRS is installed, accessible, and correctly configured.
  • The "Reporting Services server instance" is blank.

 

We knew that SSRS was installed, configured, and working as there were two other applications already using the SRS instance in a production capacity.

We verified the domain user account could actually access the SSRS website from Server1 (the ConfigMgr server) and discovered

  • the account was a member of the local Administrators group
  • the account had System Administrator rights to the SSRS Site
  • the account could not see any existing reports or report folders and the following message displayed: "User ‘<domain>\<userID>’ does not have required permissions.  Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed."

As the screen shot shows, UAC was actually disabled already.

image

Once the domain user account was given rights to the root folder, the Reporting Services point role could see the Reporting Services server instance the the role installed without issue.

image

After the role installed, ConfigMgr reset its own permissions to give the domain user account only "ConfigMgr Report Users, ConfigMgr report Administrators" roles.

image

Also, the logs for the Reporting Services point are on the SSRS server (Server3 in this case), and located at C:\SMS\logs

August 27, 2015

Posted In: Uncategorized

Error installing Windows ADK

No Gravatar

When preparing a new Windows Server 2012 R2 system for a new ConfigMgr 2012 R2 site, I ran into an error installing the Windows ADK.  In this case it is version 10; however, I believe the same scenario would apply to 8.1 Update, 8.1, 8, etc.

The installation appears to be working, then performs a rollback with the following error:

image

Image path is [\??\C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimmount.sys

Could not acquire privileges; GLE=0x514

Returning status 0x514

 

Additionally, after installation was successful, it was not possible to mount a WIM or create boot media in ConfigMgr.

Crating ConfigMgr or MDT Task Sequence Media fails with the error:

Error: 1313  A required privilege is not held by the client.  Refer to CreateTsMedia.log file to find more details.

image

CreateTSMedia.log file…

using CreateMedia.exe /K: boot … fails

 image

The PowerShell cmdlet New-CMTaskSequenceMedia -BootableMedia … fails

Mounting a WIM with DISM fails

image

DISM.exe /Mount-Image /ImageFile: …

Error: 1313  A required privilege is not held by the client.

Solution

In my case the root cause was that a default permission was removed for the local Administrators group by a domain policy.  

image

By default, the User Right Assignment for "Back up files and directories" and "Restore files and directories" is held by the "Administrators, Backup Operators".  But in this case the "Administrators" group had been removed and replaced by the "Domain Admins". 

Since my account isn’t and shouldn’t be a domain admin, I simply added it to the local "Backup Operators" group, logged off, logged back on, and presto!  Success.

Workaround

If the User Right Assignment isn’t you issue, another solution, or rather workaround, is to run the installation as the SYSTEM account.

image

Getting to the workaround

Multiple other solutions were attempted before resorting to the SYSTEM account for installation including

  • Run as Administrator
  • Run a Command Prompt as Administrator then run ‘ADKsetup.exe
  • multiple system reboots
  • manually creating the folder structure and file
  • manually running the ‘Windows Deployment Tools-x86_en-us.msi‘.  Strangely this succeeded; however, when re-running the ADKsetup.exe, the same failure occurred.
  • manually running the ‘Windows System Image Manager on amd64-x86_en-us.msi‘.  Strangely this succeeded; however, when re-running the ADKsetup.exe, the same failure occurred.
  • both the system drive (Drive C:) and a data drive (E:) were attempted
  • disabling the antivirus / antimalware software (Sophos)

None of these made any difference.

Several forum posts were found with a resolution pointing to a blog that has since been taken down.  That solution required removing the computer from the domain.  This solution was not attempted.

Executing the workaround

There are a few ways to gain SYSTEM account access; however, I took the interactive route and used PSEXEC from Sysinternals.

From an elevated Command Prompt (Run as Administrator), run ‘PSEXEC.exe -s -d -i cmd.exe

A new Command Prompt will be generated.  run ‘whoami‘ to ensure you are running as SYSTEM, then run ‘adksetup.exe

 

Thanks to Adam for working through the issue with me.

 

Other instances and workarounds

There are a few instances of the same error documented in a few blogs and forum posts.  The options basically include ensuring you are running as an administrator (and with the administrator token), running as SYSTEM (as described in my workaround), or dis-joining the computer from the domain and running as admin.

August 21, 2015

Posted In: Uncategorized

Tags: , , ,

Error installing Windows ADK

No Gravatar

When preparing a new Windows Server 2012 R2 system for a new ConfigMgr 2012 R2 site, I ran into an error installing the Windows ADK.  In this case it is version 10; however, I believe the same scenario would apply to 8.1 Update, 8.1, 8, etc. 

The installation appears to be working, then performs a rollback with the following error:

image

Image path is [\??\C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimmount.sys

Could not acquire privileges; GLE=0x514

Returning status 0x514

Solution / Workaround

What eventually worked around the problem was to run the installation as the SYSTEM account.

image

Getting to the workaround

Multiple other solutions were attempted before resorting to the SYSTEM account for installation including

  • Run as Administrator
  • Run a Command Prompt as Administrator then run ‘ADKsetup.exe
  • multiple system reboots
  • manually creating the folder structure and file
  • manually running the ‘Windows Deployment Tools-x86_en-us.msi‘.  Strangely this succeeded; however, when re-running the ADKsetup.exe, the same failure occurred.
  • manually running the ‘Windows System Image Manager on amd64-x86_en-us.msi‘.  Strangely this succeeded; however, when re-running the ADKsetup.exe, the same failure occurred.
  • both the system drive (Drive C:) and a data drive (E:) were attempted
  • disabling the antivirus / antimalware software (Sophos)

None of these made any difference.

Several forum posts were found with a resolution pointing to a blog that has since been taken down.  That solution required removing the computer from the domain.  This solution was not attempted.

Executing the workaround

There are a few ways to gain SYSTEM account access; however, I took the interactive route and used PSEXEC from Sysinternals.

From an elevated Command Prompt (Run as Administrator), run ‘PSEXEC.exe -s -d -i cmd.exe

A new Command Prompt will be generated.  run ‘whoami‘ to ensure you are running as SYSTEM, then run ‘adksetup.exe

 

Thanks to Adam for working through the issue with me.

August 17, 2015

Posted In: Uncategorized

Upgrade Windows 10/8.1/8 Pro to Enterprise edition

No Gravatar

The synopsis: Using Windows 10/8.1 Enterprise media, Windows Pro can be upgraded to Enterprise edition while keeping installed apps, personal files, and settings.

 

The story: I ran into an interesting scenario where I needed to run Windows 8.1 Enterprise.  Pro just wouldn’t cut it because of the lack of support for BranchCache, DirectAccess, etc.  Keep in mind that I’m specifically referring to a technical solution and NOT a licensing solution to this challenge.  A valid license is still required.  After digging around the web I found 3 primary resources for the conversion or upgrade.

Change Windows 8 Pro to Enterprise

The TechNet forum thread (https://social.technet.microsoft.com/Forums/windows/en-US/305ac35b-9a14-4244-8e95-dd0b0c23b70a/change-windows-8-pro-to-enterprise?forum=w8itprogeneral) goes though a transformation part way down as new information became available.  There is also confusion by focusing on by licensing and technical aspects.  For the moment, ignore the thread.  After reading this post to the end, come back to the forum thread and re-read it with more/updated facts in mind.

Change the Windows Image to a Higher Edition Using DISM

The TechNet article (https://technet.microsoft.com/en-us/library/hh825049.aspx) applies to Windows 8/8.1 and Windows Server 2012/2012 R2. 

Using the command below you can see what Editions of Windows the running computer can upgrade to.  You can then, theoretically, use another command to change the Edition.

DISM /online /Get-TargetEditions

DISM /online /Set-TargetEdition:<edition name>

This sounds great and may actually work in some scenarios, but not the one I needed.

Windows 8 and Windows 8.1 Upgrade Paths

The TechNet article (https://technet.microsoft.com/en-us/library/jj203353.aspx) applies to Windows 8/8.1.

Using media (ISO, USB drive) Windows 8/8.1 Pro can be upgraded to Windows 8/8.1 Enterprise, but the language is misleading.

Windows 8 (non-pro) can be upgraded to Windows 8.1 and you can keep Windows settings, personal files, and applications.

Windows 8/8.1 (non-pro) and Windows 8 Pro/Pro with Media Center can be upgraded to Windows 8.1 Pro and you can keep Windows settings, personal files, and applications.

Interestingly, the Pro to Enterprise section does not mention anything about keeping any settings, files, or apps.  The next section makes a note about not keeping settings, files and apps during a cross-language installation, then a table follows that shows several scenarios and what you can/can not keep.  Pro to Enterprise is not listed in the table.  Thus the implication is that during a Pro to Enterprise upgrade, you can’t keep any existing data or customizations.

As it turns out, this is just a lack of specificity in the article.  Upgrading Windows 8.1 Pro to Windows 8.1 Enterprise does give the option to keep settings, files, and apps… and it works.

Do remember, that this is an OS upgrade… the existing installation of Windows is moved to the Windows.old folder and a new installation of Windows is created.  Ensure you have a good 5+ GB of free space on the system drive (Drive C).

 

Windows 8.1 Pro upgrade to Enterprise.

Windows 8.1 Pro installed using the sample GVLK KMS key.  DISM shows that the only Edition which can be upgraded to is Pro with Media Center.

image

 

I installed a Windows App (Adobe Photoshop Express), 7-zip, created a WordPad document, and set Bing.com as my home page.

image

Running Windows Setup from a Windows 8.1 Enterprise ISO.

image

I get to keep my settings, personal files, and apps! Smile

image

image

After a few reboots and logging in as my original admin account, we see that Windows is now Enterprise edition and there are no TargetEditions available.  The upgradation (yes, that is a real word) is complete!

image

We also see that the customizations I made were retained.

image

Lastly wee see the old Windows installation was backed up (renamed).

image

Success!

 

What about Windows 10

I haven’t duplicated the effort for Windows 10 yet, but I’m confident the same scenario is in play.

I can say that DISM will not change the edition of an online image (a running Windows computer).

image

However, the Windows Store can do that for at least some upgrade scenarios, although I’m 99.9% sure Enterprise edition will NOT work this way.

image

Happy upgrading!

July 31, 2015

Posted In: Windows 10

Tags:

NTFRS or DFS-R replication for SYSVOL

No Gravatar

For a recent customer I was going through all of the requirements to implement DirectAccess.  One that I stumbled on a bit was that DirectAccess requires DFS-R replication but I wasn’t certain how to verify what replication type was in use.  After some digging, some assumptions, and some great tips from fellow Catapult Systems consultants, here’s the scoop.

Determine if FRS is being utilized by the Domain Controllers

Note: FRS is the abbreviated acronym for NTFRS.

Method 1

From an administrator Command Prompt on a domain controller run DfsrMig /GetMigrationState and DfsrMig /GetGlobalState

  • A value of 0, 1, or 2 means the migration from FRS to DFS-R is in progress
  • A value of 3 means the migration from FRS to DFS-R is complete (FRS is ELIMINATED)
  • A return message of "DFSR migration has not yet initialized" means FRS is in use, not DFS-R

Method 2

From ADSI Edit or Active Directory Users and Computers with Advanced Features enabled,

navigate to <domain>\System

  • if a container named DFSR-GlobalSettings exists, then DFS-R should be in use
  • if a container named File Replication Service \ Domain System Volume (SYSVOL share) exists and contains Domain Controller objects, then FRS should be in use

navigate to <domain>\Domain Controllers\<Domain controller>\

  • if a container named NTFRS Subscriptions exists, then FRS should be in use

Method 3

From a domain controller

  • open Event Viewer \ Applications and Services Logs\ File Replication Service.  If there is recent activity then FRS should be in use.
  • if <SYSVOL>\SYSVOL_DFSR\SYSVOL exists, then DFS-R should be in use.

Note: to find the <SYSVOL> share

  • From a command prompt enter reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and note the SysVol location
  • From a command prompt enter dir %SystemRoot%\SYSVOL\SYSVOL and note the location of the <domain FQDN> directory junction which will be in [square brackets]
  • From ADSI Edit or Active Directory Users and Computers, check the fRSRootPath attribute of the <domain>\Domain Controllers\<domain controller>\NTFRS Subscriptions\Domain System Volume (SYSVOL share) object

References

July 27, 2015

Posted In: Uncategorized

Tags: