Categories
Uncategorized

HP BL460c G6 NC532i drivers blue-screen crash

We saw repeated blue screens in our 2012 R2 Hyper-V environment during periods of high network activity (Live Migrations) or when inspecting the properties of, or disabling, our Network Connections.

Reference: https://community.hpe.com/t5/HPE-BladeSystem-Server-Blades/Proliant-bl460c-G6-BSOD-when-configure-nc532i-NIC/td-p/6927531

[Update] http://h20566.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=3958220&docLocale=en_US&docId=emr_na-c05389904

  • Our scenario involved Windows 2012 R2, but this also applies to Windows 2008, 2008 R2, 2012, and 2016
  • Hardware: HP C7000 enclosure, BL460c G6 blade.
  • If you mess up at any point during these instructions, you may have to start over from the beginning, especially when it comes to disabling the NIC in the BIOS and removing drivers.
  • Per the HP advisory/alert, this problem is caused by the October 2016 HP SPP, so if you haven’t installed that SPP and you would like to, you should probably install cp31808.exe beforehand so that you will already be running a newer version of the NIC driver and that particular part of the upgrade will be skipped.
  • Our NICs were previously teamed, and were un-teamed as part of the work below because teaming may have been part of the problem. Un-teaming also simplified matters.
  • Get cp31808.exe from HP onto your server (e.g. copy to C: drive)
    • Run cp31808 and extract contents into a folder
    • Retain cp31808.exe
  • Boot into BIOS (optional, use “One Time Boot from: RBSU” in OA)
  • Disable NIC(s)
    • PCI Device Enable/Disable
    • Disable any/all HP NC532i adapters
  • Boot server
  • Launch Device Manager
    • Select Show Hidden Devices
    • Uninstall offending NC532i/Broadcom devices under Network Adapters (select delete driver option if present)
    • Uninstall offending NC532i/Broadcom devices under System Devices (select delete driver option if present)
    • Optional: There’s an option in recent versions of HP’s Virtual Connect to Hide Unused FlexNICs which will reveal in Windows/your OS only the NICs you need; this may make your job easier and may benefit you in other ways
  • Prevent drivers from auto-installing using GPO
    • gpedit.msc
    • Expand Computer Configuration, expand Administrative Templates, expand System, expand Device Installation, and then click Device Installation Restrictions
    • In the right window, double-click Prevent installation of devices not described by other policy settings
    • Click to select Enabled, and then click OK
    • https://support.microsoft.com/en-us/help/2500967/how-to-stop-windows-7-automatically-installing-drivers
  • Reboot into BIOS (optional, use “One Time Boot from: RBSU” in OA)
  • Enable NIC(s)
    • PCI Device Enable/Disable
    • Enable previously-disabled HP NC532i adapters
  • Reboot
  • Use gpedit to set driver auto-install GPO setting above back to “Not Configured”
    • If re-enabling this now causes problems, then delay this step until the end
  • Launch Device Manager; devices will have repopulated
  • Under System Devices ONLY, “manually” update Broadcom drivers (do NOT update the drivers under Network Adapters at this point)
    • Right-click on Broadcom NIC and Update Driver Software
    • Browse my computer (do not let Windows search for the drivers automatically)
    • Go to folder where you extracted cp31808
    • Broadcom drivers will change to “NC532i”
    • You may only have to do this once and it will take effect for all similar devices, or you may have to do it for each System Device, one at a time
    • Now update the drivers under Network Adapters just as you did with the System Devices, one at a time if necessary
  • Reboot
  • Optional: Launch cp31808.exe and see if it reports as up-to-date and optionally install if not
Categories
Uncategorized

Find the top-level manager for any Active Directory user

I was recently asked to report on who the vice president is for a list of users. The PowerShell function below does that for the users who have a manager designated on their Active Directory account. It excludes the President and Provost, so essentially reports to the level just below their positions.


function Get-TopLevel
{
    param ($userID)
    $subject = Get-ADUser $userID -Properties manager, displayName

    if ($null -eq $subject.manager) {
        Write-Host "No manager data available."
    }
    else {
        # Walk up the manager chain, stopping at the level just below the President and Provost.
        $userObj = $subject
        while (($null -ne $userObj.manager) -and
               ($userObj.manager -ne 'CN=President,OU=Employee,OU=People,DC=university,DC=edu') -and
               ($userObj.manager -ne 'CN=Provost,OU=Employee,OU=People,DC=university,DC=edu'))
        {
            $userObj = Get-ADUser $userObj.manager -Properties manager, displayName
            # $userObj.displayName
        }
        Write-Host $userObj.displayName
    }
}

Categories
PowerShell

Compare the Exchange Alias to the Primary SMTP Address

Here’s a data quality report for an Exchange environment. This command looks for Alias values that do not match the “username” portion of the PrimarySMTPAddress values. Any discrepancies are returned.

Get-Mailbox -ResultSize unlimited | where {$_.PrimarySmtpAddress.ToString() -notlike $_.Alias.ToString()+"@*"} | ft name, Alias, PrimarySmtpAddress

Categories
PowerShell

Search Active Directory for a list of email addresses

I’m occasionally asked to provide a list of account names based on a list of email addresses. This is pretty straightforward when the list of addresses contains only primary email addresses.

Get-Content C:\scripts\users.txt | %{Get-ADUser -Filter {mail -like $_} -Properties *} | ft name, displayName, eduPersonPrimaryAffiliation, PasswordLastSet -AutoSize

However, it’s very important to point out that the previous command will only match on the primary email address. Most of the time our list of addresses does not contain only primary email addresses – it may contain one of several secondary addresses the user has, which Active Directory refers to as proxyAddresses.

To make sure we search through all accounts for all their email addresses, we have to modify the input file and also modify our command a bit.

  1. Prefix the string smtp: to the beginning of each address in your file.
    1. For example, if you have the address address@domain.edu in your file, modify that line to smtp:address@domain.edu
  2. Run the following PowerShell command – it’s all one line.
    1. Get-Content C:\scripts\users.txt | %{Get-ADUser -Filter {proxyAddresses -like $_} -Properties *} | ft name, displayName, mail, eduPersonPrimaryAffiliation, PasswordLastSet -Autosize

That output will include the primary email address for each account, so you can validate the results against your input file.

Categories
Office 365 PowerShell

Connecting to Office 365 with automation

In order to automate management activities for Office 365, it’s imperative to connect to the remote environments without human interaction. Typically this type of automated job will be run with Task Scheduler. However, due to differences between Windows authentication and Office 365 authentication, this is not quite as straightforward as running a Task Scheduler job with a service account in a pure Windows Server environment.

Fortunately there is a method of creating a file-based credential that securely associates an Office 365 user account with a local or Active Directory user account. We can then provide that credential file to the Office 365 connection string in our scripts. This allows us to schedule our scripts in Task Scheduler, run them as the local or Active Directory user account, and gain access to Office 365 resources.

  1. First, it’s important to log on to the server where the Task Scheduler will run, and to log on there as the user account that will be running the Task Scheduler job (i.e., domain\userA). This can be either a local user account or an Active Directory user account.
  2. Now we create the credential file using the Export-Clixml cmdlet. We must specify the Office 365 user account we plan to use in our scripts (i.e., cloudUser@tenant.onmicrosoft.com), and we’ll be prompted for the password on that cloud account when we execute the following command. An XML credential file will be produced in the path we specify in the Export-Clixml cmdlet.
    Get-Credential "cloudUser@tenant.onmicrosoft.com" | Export-Clixml C:\credentials\office365_credential.xml

    1. Note that the credential file we create here is tied to this account on this machine, and can only be used on this machine.
  3. Now that the credential file has been created, we can log out of the server and log back in with our standard administrative account if desired.

Now that we have the credential file, we can use it in our scripts to gain access to any Office 365 resource where this Office 365 user account (i.e., cloudUser@tenant.onmicrosoft.com) has permissions as long as we run those scripts as the associated user account (i.e., domain\userA). Keep in mind that the credential file will be unusable if it is copied to another computer, or even if it is used by any other user account on the computer where it was created!

Here is a sample connection string to connect to Exchange Online using our credential file as long as it’s run by the domain\userA account.

$credential = Import-Clixml C:\credentials\office365_credential.xml
$Session = New-PSSession `
-ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/PowerShell-LiveID?PSVersion=4.0 `
-Credential $credential `
-Authentication Basic `
-AllowRedirection
Import-PSSession $Session

Here is a sample connection string to connect to Microsoft Online using our credential file.

Import-Module MSOnline
$credential = Import-Clixml C:\credentials\office365_credential.xml
Connect-MsolService -Credential $credential
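
The load step can also check what the post describes before a scheduled job relies on it. The following is an added example, not code from the original post: Import-ProtectedCredential is a hypothetical helper name, the broad-group names assume an English-language Windows install, and the path and account names are the post's own samples.

```powershell
# Added example: load the credential file defensively inside a scheduled script.
function Import-ProtectedCredential {      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedUserName
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Credential file not found: $Path"
    }

    # Flag Allow entries for broad groups. Other accounts cannot decrypt the
    # password, but write access would let them replace or delete the file.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $loose = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    }
    if ($loose) {
        $names = ($loose.IdentityReference.Value | Sort-Object -Unique) -join ', '
        Write-Warning "$Path is accessible to: $names"
    }

    # Decryption fails when the job runs as a different account or on a
    # different machine than the one that created the file.
    try {
        $credential = Import-Clixml -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        throw "Could not decrypt $Path as $me on $env:COMPUTERNAME. $($_.Exception.Message)"
    }

    # Make sure the file holds the cloud account this script expects.
    if ($credential -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential object."
    }
    if ($credential.UserName -ne $ExpectedUserName) {
        throw "Credential is for '$($credential.UserName)', expected '$ExpectedUserName'."
    }
    return $credential
}

$credential = Import-ProtectedCredential `
    -Path 'C:\credentials\office365_credential.xml' `
    -ExpectedUserName 'cloudUser@tenant.onmicrosoft.com'
```

Export-Clixml protects the password with the Windows Data Protection API (DPAPI), which is why the file decrypts only for the creating account on the creating machine.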

Categories
PowerShell

compare two lists with PowerShell

I am asked occasionally to compare a list of employee ID numbers to find the differences or the matches. Notepad++ does not do a great job of this, so I put together a quick PowerShell solution.

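$dupes = @()
# @() keeps a single-line file from being read as a bare string.
[System.Collections.ArrayList]$arrA = @(Get-Content U:\listA.txt)
[System.Collections.ArrayList]$arrB = @(Get-Content U:\listB.txt)
foreach ($itemA in $arrA) {
    # -contains compares whole values; -match would treat the ID as a regex
    # and also hit IDs that merely contain it (123 inside 1234).
    if ($arrB -contains $itemA) {
        $arrB.Remove($itemA)
        $dupes += $itemA
    }
}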

Now $arrB contains only items from listB.txt that do not also appear on listA.txt. Also $dupes contains the items that exist in both files.

Categories
Uncategorized

Intel Smart Response can’t be enabled with Windows 8.1 / 2012 R2

Scenario: Single 500GB HDD and single 240GB SSD.  I wanted to use SSD cache feature to accelerate hard disk access.  Both HDD and SSD are initialized as GPT, with the “system” disk containing a Recovery Partition, an EFI System Partition, and the C: drive (Boot Partition), with the entire disk allocated.  The SSD is shown as Unallocated.  Intel’s Rapid Storage Technology would not let me enable their Smart Response Technology (SSD caching), however.  The only performance accelerator in the Rapid Storage Technology UI was for Dynamic Storage Accelerator.

On my HP EliteDesk 800 G1 SFF, I had to change the disk access mode in the UEFI/BIOS from AHCI to RAID.  Windows then failed to boot (no surprise there).  After switching back to AHCI, I followed the advice from the following post to reboot in Safe Mode to enable RAID access, and that worked.  If I recall correctly, in Windows’ Device Manager, there was no obvious Intel-provided driver under Storage Controllers until after I enabled RAID mode – only a “Microsoft Storage Spaces Controller.”  I obtained the most recent version of the driver from Intel, but was still unable to enable SSD caching.
http://www.eightforums.com/installation-setup/24141-convert-ahci-mode-raid-mode-without-re-installing.html

After following advice from Tom_GPT on the following thread, I shrunk my C: drive by 1GB (that size was arbitrary).  This resulted in 1GB of unallocated space at the end of the 500GB hard disk.  I was then able to launch Intel’s RST and enable Smart Response Technology.  Using Intel’s latest versions of both their RST and storage drivers is probably advisable.
https://communities.intel.com/thread/45540?start=15&tstart=0

Categories
Office 365

Office 365: removing Litigation Hold mailboxes in an Exchange Hybrid environment

In our hybrid Exchange 2010 / Exchange Online environment, we occasionally need to place an Exchange 2010 mailbox on Litigation Hold. In some cases, that user’s mailbox will need to be removed but the Active Directory account will need to be retained. Exchange 2010 will not allow a mailbox on Litigation Hold to be removed, so our practice has been to simply export the mailbox to PST for retention, manually remove the Litigation Hold, and then remove the mailbox. However, we’ve learned that Exchange Online requires a slight change to that procedure.

Exchange Online was reporting an error regarding a few such users.
Exchange: An unknown error has occurred. Refer to correlation ID:

Referencing this article to help determine the problem, I ran some code against MSOL to look at a more detailed error report.
http://support2.microsoft.com/kb/2741233

$errors = (Get-MsolUser -UserPrincipalName user@domain.edu).Errors
$errors | ForEach-Object {"`nService: " + $_.ErrorDetail.Name.split("/")[0]; "Error Message: " + $_.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription}

The output provided the details needed to understand the problem.

Service: exchange
Error Message: Exchange can't disable the mail user "NAMPRXXXXXX.prod.outlook.com/Microsoft Exchange Hosted Organizations/tenant.onmicrosoft.com/user" because it is on litigation hold.

First I tried to simply remove the MsolUser using this command.
Remove-MailUser -Identity name@domain.com -IgnoreLegalHold

However, that returned an error.

The following error occurred during validation in agent 'Windows LiveId Agent': 'Unable to perform the save operation. 'user' is not within a valid server write scope.'

After engaging Microsoft on the problem, we determined there are two options to address the error:

  1. If the MSOL account is not actually required in Azure Active Directory (AAD), we can simply delete it and purge it from the AAD recycle bin. At the next DirSync cycle, a new MsolUser will be created and the error will be resolved. (See the important NOTE below.)
  2. An Exchange Online license could be assigned temporarily to the MsolUser to create a new Exchange Online mailbox. After allowing time for the mailbox to be created plus additional time for a DirSync cycle, remove the Exchange Online license again, and the mailbox will be deleted. This should allow the backend processing to occur and resolve the error.

In most cases, Option 1 is probably most palatable. I issued these two commands, and after the regular DirSync scheduled sync, the error has been resolved. Of course you can add the -Force parameter to quickly execute the commands without having to confirm.

NOTE: If the AAD account is removed, this will also remove the user’s access to other Office 365 data such as OneDrive for Business.

Remove-MsolUser -UserPrincipalName user@domain.edu
Remove-MsolUser -UserPrincipalName user@domain.edu -RemoveFromRecycleBin

In summary, the way to avoid the problem is to remove the Litigation Hold from the Exchange 2010 mailbox, then wait for a DirSync cycle, and then remove the Exchange 2010 mailbox. If both actions are taken quickly together and an error is reported in the Office 365 Admin Center, just purge the AAD account as described above to resolve the error.

Categories
Uncategorized

NetScaler Login exceeds maximum allowed users after 10.1 upgrade

Shortly after our recent NetScaler upgrade from 9.3 -> 10.1, users reported getting the error “Login exceeds maximum allowed users” in their browsers when attempting to log in to the Access Gateway (NetScaler Gateway).  A remote session with a Citrix technician revealed that we had indeed hit our license limit as seen under NetScaler Gateway / Active User Sessions. We did see that some users were logged in two or more times, and it’s possible that the way licenses are consumed under 10.1 is different from 9.3, which might be why we never hit the licensing limit before.  The options presented by the Citrix tech were:

  1. Ask users to deliberately log out of the Access Gateway when they are done (vs. just allowing their sessions to time out) in order to free up their license.  This would, of course, require user education.
  2. Switch our Access Gateway Virtual Server from SmartAccess Mode (includes VPN access) to Basic Mode (ICA proxy-only).  Without taking additional steps such as allowing VPN for just a subset of our users, this option would remove VPN ability for all users from the gateway but allow unlimited connections through the gateway to our apps.
  3. Lower the timeout value for our Access Gateway, forcing users to re-authenticate to the gateway during the workday.

If memory serves, the technician also mentioned that the 10.5 version of NetScaler would allow a user who logged into the Access Gateway more than once to “assume” the license from his/her previous session.  An immediate upgrade to 10.5 was not an option in our case.

After a quick review of our environment, the technician suggested we switch to Basic Mode on our Virtual Server under NetScaler Gateway / Virtual Servers as no VPN was required in our environment.

Categories
Uncategorized

NetScaler Integrated Caching behavior after 9.3 -> 10.1 upgrade

After a recent NetScaler upgrade from 9.3 to 10.1, we noticed a change in the behavior of the Integrated Caching feature.  Integrated Caching had been enabled for the previous two years, but with the Memory Usage Limit set to zero, caching had been effectively disabled.  After the upgrade, our PeopleSoft application began displaying incorrect content after users logged in.

We were able to tell that Integrated Caching was delivering cached content by visiting Optimization / Integrated Caching / Content Groups and seeing both “non-304 Hits” and “304 Hits” for the DEFAULT Content Group, along with a non-zero value under Memory Usage.


Since we run in HA mode, we could consult our not-yet-upgraded, 9.3 NetScaler node.  Visiting Integrated Caching / Content Groups / DEFAULT revealed the expected values of zero for Memory Usage, Non-304 Hits, and 304 Hits.


Our solution was to disable Integrated Caching in System / Settings / Configure Basic Features as it wasn’t needed.  As soon as we did this, the undesired content stopped displaying within our PeopleSoft application.
