SCCM WSUS Sync errors/WSUS cleanup

As an SCCM administrator it is easy to install SCCM and forget that WSUS is an integral part of it, or that it’s even there. That is, until you start getting synchronization errors or other WSUS errors. To fix or prevent that, you should run the WSUS Server Cleanup Wizard, which can be found in the WSUS console under Options. But what do you do if you haven’t been running it and the WSUS Server Cleanup Wizard fails?

Well, to start you can rerun the WSUS Server Cleanup Wizard with all but the first option and then rerun it with only the first option, but that won’t always work, especially if you are really behind on WSUS cleanup. So your options are to reinstall the WSUS database or do a manual cleanup. In the past when I had seen issues with this occur I had reinstalled the WSUS database, but that isn’t really the right solution, so instead you can run the below on the WSUS DB.


-- Run against the WSUS database (SUSDB).
DECLARE @var1 INT
DECLARE @msg nvarchar(100)

-- Collect the IDs of the obsolete updates into a temp table
CREATE TABLE #results (Col1 INT)
INSERT INTO #results(Col1) EXEC spGetObsoleteUpdatesToCleanup

-- Walk the list and delete the updates one at a time
DECLARE WC CURSOR FOR
SELECT Col1 FROM #results

OPEN WC
FETCH NEXT FROM WC INTO @var1
WHILE (@@FETCH_STATUS > -1)
BEGIN
    SET @msg = 'Deleting ' + CONVERT(varchar(10), @var1)
    -- Severity 0 WITH NOWAIT prints progress immediately
    RAISERROR(@msg,0,1) WITH NOWAIT
    EXEC spDeleteUpdate @localUpdateID=@var1
    FETCH NEXT FROM WC INTO @var1
END

CLOSE WC
DEALLOCATE WC
DROP TABLE #results

This will find and delete all the obsolete updates for you, and then you can rerun server cleanup and it should finish successfully. Once that is done you should probably either run or schedule WSUS cleanup on a regular basis.

I can’t take credit for that SQL query though, and you can find more info at the below post, which I found after I had figured this all out myself. I was doing the same thing to clean up, but his script is a little better/easier to use than mine. Take a look at the below post, as it goes through setting WSUS cleanup and reindexing on a schedule in very great detail.

https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/


Alternate Names for File Servers

I had a server I had to quickly give an alternate name to so that the existing users could point to the new server, but I didn’t want to rename it the same as the old one. Traditionally you would simply add the following registry entry.

Registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DWORD name: DisableStrictNameChecking
DWORD value: 1

The problem is that this only works if you have SMB 1.0 enabled on both the server and client, and you know how insecure that is (think EternalBlue, exploited by WannaCry).

The proper way is to use netdom to add an alternate name by doing the below.


netdom computername "currentname" /add "myothername.mydomain.local"

This will add a new SPN in Active Directory for the current machine name.
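To see which of the two approaches a server is actually relying on, the following added example (not from the original post) reports the DisableStrictNameChecking value, the SMB protocol state, and whether the alias is registered. It assumes an elevated session on the file server with netdom and setspn available, and `$Alias` is the placeholder name from the command above.

```powershell
# Added example: audit how a file-server alias is set up.
# Assumption: run in an elevated PowerShell session on the file server itself.
$Alias = 'myothername.mydomain.local'   # placeholder alias from the netdom example
$aliasPattern = [regex]::Escape($Alias)

# 1. Is the legacy DisableStrictNameChecking workaround still present?
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$strict = (Get-ItemProperty -Path $key -Name DisableStrictNameChecking `
           -ErrorAction SilentlyContinue).DisableStrictNameChecking

# 2. Is the SMB1 server protocol still enabled?
$smb = Get-SmbServerConfiguration

# 3. Which names has netdom registered for this computer account?
$netdomNames = netdom computername $env:COMPUTERNAME /enumerate

# 4. Which SPNs on the computer account mention the alias?
$aliasSpns = setspn -L $env:COMPUTERNAME |
    Where-Object { $_ -match $aliasPattern } |
    ForEach-Object { $_.Trim() }

$report = [pscustomobject]@{
    Server                    = $env:COMPUTERNAME
    DisableStrictNameChecking = if ($null -eq $strict) { 'not set' } else { $strict }
    SMB1Enabled               = $smb.EnableSMB1Protocol
    SMB2Enabled               = $smb.EnableSMB2Protocol
    AliasKnownToNetdom        = [bool]($netdomNames -match $aliasPattern)
    AliasSPNs                 = $aliasSpns -join '; '
}
$report | Format-List

# Flag the combinations the post warns about.
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMB1 is enabled on this server; disable it once no client depends on it.'
}
if ($strict -eq 1) {
    Write-Warning 'DisableStrictNameChecking is set; the alias may depend on the registry workaround.'
}
if (-not $report.AliasKnownToNetdom) {
    Write-Warning "Alias $Alias is not registered via netdom on this computer account."
}
```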

Special thanks to Dimitri’s Wanderings which is in the first link below as that saved me a lot of time.

https://dimitri.janczak.net/2016/09/26/multiple-server-names-on-windows/

https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias

 

Removing unneeded software updates from SCCM

Happy Friday everyone. I can’t take any credit at all for this one, but someone (much better at PowerShell than me) has written this amazing script for removing updates that are not deployed or not required on any machines but are still in a deployment package. This has been something I’ve needed for a long time to save disk space on DPs.

See link below.

http://www.scconfigmgr.com/2017/08/17/clean-software-update-packages-in-configmgr-with-powershell

Critical Update Confusion

Happy Wednesday (well, as happy as a Wednesday can be, I guess…). I was prompted by a user that their machine was behind on updates, as were many others, since they tried updating from the web and got lots of updates. I did some checking, and all the updates looked to be fairly recent, within the last month, but were listed as Critical level updates. This confused me, as I have critical level updates deploying more often than once a month so as not to get behind on security vulnerabilities as Microsoft patches them. After some research I realized there is a difference between Critical severity and the Critical Updates update classification. Microsoft defines Critical Updates as “A widely released fix for a specific problem that addresses a critical, non-security-related bug.” So just because an update is in the Critical Updates classification, it may not have a severity level of Critical. In fact, updates in the Critical Updates classification have a severity of None, as they are not related to security. So: Critical severity updates are security only, the Critical Updates classification is non-security updates, and Critical severity updates fall into the Security Updates classification. So if you’re like me and push out Critical severity security updates more often than your other updates, don’t start thinking SCCM isn’t working because you confused update classifications with severity levels. I found my answer on the TechNet forums, as someone else was confused like I was. Happy updating.

Technet Forum post referenced https://social.technet.microsoft.com/Forums/en-US/e55aa1bc-648e-480d-91eb-828ca5b52f73/critical-updates-with-none-as-a-severity-do-not-get-pushed?forum=configmanagersecurity

Number of active ActiveSync devices connected to Exchange

Happy Monday everyone. I haven’t posted anything in a while, so I thought I would do a quick post of a short script I wrote the other day. I was curious how many connected ActiveSync devices were actively being used in our Exchange. So after scouring around and discovering the Get-MobileDeviceStatistics cmdlet for Exchange, I came up with the below.


Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity | Where-Object { $_.LastSuccessSync -gt [datetime]"06/01/2017" } | Select-Object Identity, LastSuccessSync }

This will give you the identity of the device and the last successful sync time. You could then pipe this into Export-Csv to get a copy of the report, or into Measure-Object to get a count of the objects. Make sure to change the LastSuccessSync date.

Have a great week everyone.

Dial in Conferencing with ShoreTel and Skype for Business 2015/Lync

Hi everyone, I haven’t posted anything in a couple of months and have been very busy on a project, which I thought I would go over. Recently the company I work for has been interested in adding dial-in conferencing to our Skype for Business 2015 environment to alleviate some of the costs associated with paying for a web conference service, especially since we were already using Skype4B for IM and ShoreTel for our phones. I already had an Edge server in place for external participants, so all I really needed to do was add the dial-in conferencing functionality so that PSTN callers could get in. Before I get started: I’m not intending to give a full tutorial here, as many others on the Skype for Business side have written articles, but the information is kind of lacking on how to make all these systems talk together, and I thought I would provide my notes on what I learned in this experience. My article is going to be geared at someone using ShoreTel, but a lot of this could be applied to anyone with an IP-PBX phone system (Cisco, ShoreTel etc.) that wants to hook it to Skype for Business.

This system takes three main parts: Skype for Business, a VoIP gateway such as the AudioCodes Mediant SBC, and a ShoreTel switch (or whatever has SIP trunks taking PSTN calls back to Skype).

The whole system goes like this: Skype for Business hosts the calls, the conference numbers and the auto attendant for entering your conference ID. AudioCodes is the interface between the two, as they can’t talk to each other directly: Skype uses TLS SIP and ShoreTel uses UDP SIP. It also does transcoding if needed between different audio codecs (Skype speaks G.711, whereas your phone system may or may not). Your ShoreTel switch hosts the SIP trunks, takes the PSTN calls from the outside and sends them to AudioCodes.

Now I am not going to do a full tutorial from here on out but instead notes of issues I ran into and documentation I have found useful.

ShoreTel

  • ShoreTel has provided documentation on how to set this and the AudioCodes box up so that they can talk to each other and talk to Skype for Business. AudioCodes provides similar documentation once you are a registered user on their site after you have purchased support.  https://www.shoretel.com/sites/default/files/SkypeForBusiness_AudioCodes_ST_14_2_AppNote_0.pdf
  • A note to anyone on ShoreTel Connect: this document could become irrelevant, as I have been told by ShoreTel that Skype can hook to ShoreTel directly without the need for AudioCodes via a plugin for Skype for Business. I’m not exactly sure how it works, but I am looking to find out more info from ShoreTel if their engineer ever gets back to me. If you are on ShoreTel version 14.2 or older, or you have a different phone system without Skype for Business support, a VoIP gateway from AudioCodes may be your only option.
  • You can install the ShoreTel virtual appliance hosted on VMware instead of a physical switch. VMware even has a free bare-metal version! My finding is this will save you money on SIP trunks, as the ShoreTel hardware is kind of expensive just to run SIP trunks, and you can add SIP trunks simply by buying licenses from ShoreTel instead of having to purchase more dedicated physical hardware and licenses. (Hint: make sure you buy virtual trunk licenses, as there are like three different kinds of ShoreTel SIP trunk licenses.)  https://www.drvoip.com/blog/shoretel-support-and-service/shoretel-virtual-trunk-switch-configuration-and-license-impact/
  • I have encountered issues using G.729 instead of G.711 with a ShoreTel virtual switch. I am not sure if it is some kind of bug in the ShoreTel software, but I found some others talking about it in the link below, so I simply changed AudioCodes to use G.711, which is probably better as that avoids transcoding. G.711 does use more bandwidth than G.729, so that is another consideration. https://forums.shoretel.com/viewthread.php?id=906C0000000H5nFIAS
  • Don’t forget to turn on caller ID on the ShoreTel side for your SIP trunk group unless you like all your callers coming in as anonymous. Also, Skype4B is supposed to use information in AD in combination with caller ID to figure out who is who, but I haven’t quite figured out how that all works and the documentation is lacking.

AudioCodes

  • Avoid transcoding if possible; for example, my 800b ESBC is limited to 100 sessions with transcoding and 250 without.
  • Make sure you buy the right AudioCodes hardware and licenses, as my vendor sold me the wrong one, and although I could have added the SBC application license, it was cheaper to buy the proper box with the SBC application already installed. So be sure it comes with the SBC application license.
  • When AudioCodes needs the ShoreTel IP to send traffic to, it is looking for your ShoreTel SIP trunk switch IP, not the headquarters server.

Skype for Business

 

Ok, for now, that is all I can think of and I hope some of this might be useful for someone struggling to figure this out on their own. I will add additional links and content if I find any more.  If anyone has additional questions please post them in the comments and I will try and answer them.

 

 

Reimaging with OEM licenses

I came across a TechNet blog post on Microsoft’s site the other day that taught me something new I thought I would pass along in case it would help someone out. If you don’t have Software Assurance with Microsoft but are a volume license customer, you can deploy volume license media, providing you have keys and the edition of the OEM OS and the Volume License match. This means you don’t have to be purchasing volume licenses to reimage, provided you do have at least a few volume licenses of the software you are trying to deploy. The below blog posts provide more info. Guess you learn something new every day.

https://blogs.technet.microsoft.com/volume-licensing/2014/02/13/licensing-how-to-reimaging-rights-top-5-questions/

http://www.aidanfinn.com/?p=14534