CM issues with MS13-052 KB2840628

Update from Microsoft on this issue: http://blogs.technet.com/b/configmgrteam/archive/2013/07/17/issues-reported-with-ms13-052-kb2840628-and-configmgr.aspx

Ah, the importance of testing patches! I was up with John Nelson until 4:30 on Wednesday night trying to figure out why the CM07 clients couldn't get content. Evidently, one of the .NET patches this month causes issues.


CM07 only:

We found that this update was causing errors in the MP_Location.log - clients couldn't get location data to find DPs.

CMPDBConnection::ExecuteSQL(): ICommandText::Execute() failed with 0x80040E14
CHandleLocationRequest::CreateReply failed with error (80040e14).

Uninstalling the patch from our Server 2008 R2 MPs and rebooting them cleared the issue up. And actually, if you stop SQL before uninstalling the patch, you won't have to reboot (just remember to start it again). Also, this may affect only MP replicas since I have not heard of other people having the issue.

We also found it to kill the ability to generate a snapshot on the primary sites and removed it from them as well.

For CM12:

Microsoft is hearing reports about this patch too. Here is what they had to say about it so far.

Issue 1:
Database replication between sites (CAS/Primary/Secondary) with SQL 2012 will fail.
The rcmctrl.log file on the failing site(s) will contain entries similar to the following:
//
Launching 2 sprocs on queue ConfigMgrDRSQueue and 0 sprocs on queue ConfigMgrDRSSiteQueue. SMS_REPLICATION_CONFIGURATION_MONITOR
The asynchronous command finished with return message: [A .NET Framework error occurred during execution of user-defined routine or aggregate "spDRSActivation": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed... [truncated for readability]
//

Temporary workarounds
While investigation continues into the best long term solution, the following short term changes can be made to unblock customers in this state:
In SQL Management Studio on the affected server, change the Permission set to Unrestricted for the MessageHandlerService Assembly. This is done in the Assembly properties via:
SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> MessageHandlerService
Once the change is made, replication between sites should automatically recover within 5-10 minutes.

Issue 2:
Software Update Point synchronization may fail at the end of the sync process. The WSyncMgr.log will have entries similar to the following:
//
error 14: SQL Error Message Failed to generate documents:A .NET Framework error occurred during execution of user-defined routine or aggregate "fnGenerateLanternDocumentsTable": ~~System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ---> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ---> System.MethodAccessException: Attempt by method 'System.Configuration.TypeUtil.CreateInstanceRestricted(System.Type, System.Type)' to access method 'System.Diagnostics.SwitchElementsCollection..ctor()' failed. ---> System.Security.SecurityException: Request failed... [truncated for readability]
//

Temporary Workarounds
Similar to Issue 1, the SMSSQLCLR assembly Permission Set can be changed to Unrestricted. From SQL Management Studio:
SQL Server -> Databases -> (Site Database) -> Programmability -> Assemblies -> SMSSQLCLR
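The permission-set change Microsoft describes for Issue 1 (MessageHandlerService) and Issue 2 (SMSSQLCLR) is the same operation on two assemblies; here it is as T-SQL, with an audit query to see what trust level each CLR assembly is already running at. This is an added example, not code from the original post or from Microsoft; the site database name CM_P01 is a placeholder.

```sql
-- Added example (not from the original post or from Microsoft).
-- Assumes the site database is named CM_P01 (placeholder); substitute yours.
USE CM_P01;
GO

-- 1. Audit: which CLR assemblies exist in the site database, and at what
--    trust level? SAFE_ACCESS is SQL Server's sandbox; EXTERNAL_ACCESS and
--    UNSAFE_ACCESS (shown in SSMS as "Unrestricted") run managed code with
--    the SQL service account's full rights, outside that sandbox.
SELECT a.name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
ORDER BY a.name;

-- 2. Temporary workaround for Issue 1 and Issue 2: this is what the SSMS
--    Assembly Properties dialog issues when the permission set is switched
--    to Unrestricted. Note the current permission_set_desc from the query
--    above first so the change can be reverted once a fix is available.
--    (Like the SSMS change, this needs the database to be TRUSTWORTHY or the
--    assembly to be signed with a key granted UNSAFE ASSEMBLY.)
ALTER ASSEMBLY MessageHandlerService WITH PERMISSION_SET = UNSAFE;
ALTER ASSEMBLY SMSSQLCLR             WITH PERMISSION_SET = UNSAFE;

-- 3. Follow-up check: any assembly still at UNSAFE_ACCESS after the patch
--    problem is resolved is what a later review should flag and revert.
SELECT name, permission_set_desc
FROM sys.assemblies
WHERE permission_set_desc = 'UNSAFE_ACCESS';
```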


Patch Uninstall

Uninstalling KB2840628 has been reported to resolve all issues.
However, removal of a security patch should not be a blanket recommendation; instead anyone that wishes to uninstall until a permanent solution is found should assess the risk of exposure in their own environment. Details on the security vulnerability can be found here:
https://technet.microsoft.com/en-us/security/bulletin/MS13-052


SCORCH - Don't Get Burned!

Remember last year when Microsoft changed its licensing model for System Center as a whole? Evidently, things are still not quite as clear as we thought. I know our user group had Microsoft folks tell us that if you had CM07 with SA, that you would now own the System Center Suite. And the suite included CM, SCOM, SCORCH, etc.

But it's not as simple as that.

Microsoft put out some pretty detailed information like this link:

http://download.microsoft.com/download/8/7/0/870B5D9B-ACF1-4192-BD0A-543AF551B7AE/System_Center_2012_Licensing_FAQ.pdf

Key to this document was that it really made clear how much easier it was to license servers managed by CM. It's what they call Server Management License (ML). And it entitles you to run SCOM to monitor your CM servers, for example (no licenses are needed beyond the one for the server SCOM would run on.)

What is rather gray here is how you can use SCOM to monitor your CM servers without issue, but you cannot use SCORCH so easily. I'm now being told that a license for SCORCH (via the SC Client Management Suite or the Enterprise CAL) is required for any desktop being managed indirectly via SCORCH's orchestration.


To be precise, SCORCH cannot be used to directly touch a PC - this makes sense, just like SCOM licensing does (you'd expect to have to pay to use SCOM to directly manage PC services, for example). But Microsoft is making a new point that I've never heard of before regarding an indirect touch of desktops. They're now saying that because CM manages desktops, we're indirectly talking to clients and are still responsible to pony up for a license for all desktops in the CM database.

Examples of SCORCH use and licensing:

  • Optimize some SQL tables in CM, or to pull back a list of machines (even workstations) for reporting. This would be considered distant enough of a use of SCORCH to not require additional licensing.
  • Approve software in CM (recall the Application Approval Workflow?) or use SCORCH to add workstations to a collection. This would require additional licensing.
I know this new wrinkle could suddenly make any SCORCH work you've done so far put you on the hook for a lot of money.

If it helps, there will be a licensing session at MMS this year.

http://www.2013mms.com/topic/details/MMS105

If you have any doubts about where you stand on this, I highly recommend you make this session.


The MP Replica Doc

I love MP Replicas and have mentioned them before:

Well here is a document fellow CM MVP Kent Agerlund has written. It's in the lab format from the CM12 course he teaches (which I highly recommend). This document also shows how to configure the BGB service - recently renamed to Client Notification in SP1. While the MS online documentation is pretty good for setting this up, it still reads a bit muddy as they don't make it totally clear that in 99.999% of cases, the replica should go on the MP itself for the benefit of resiliency, not to yet another server in the mix that could go down and end client communications. This document shows how to put that replica on the MP itself.

Thanks to Kent for letting this document go public. Our hope is that it gets more people to start using replicas.

cm12replica.zip


Server 2012 OSD Issues in CM12 SP1

I just tried a CM12 SP1 TS to deploy Server 2012 (using MDT 2012 U1). I got the same error as listed here:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2468097

Failed to load class properties and qualifiers for class BDD_UsePackage in task sequence

The same fix listed in the KB worked (wording is a tad different).

Unrelated, but also worth noting, last night while making my image, I tried to use the offline servicing to inject software updates into my Server 2012 image by clicking on Schedule Updates in the console. No updates show at all.

The provider log shows that CM is looking for Windows 8 Server instead of Windows Server 2012:

ExecQueryAsync: COMPLETE select * from SMS_UpdateCategoryInstance where LocalizedCategoryInstanceName like '%Windows 8 Server%'

Evidently, the fix should come in CU1 (no promises). Until then, just keep using the install updates step in a TS, I guess.


Replacing server with CM07 running SQL12

We upgraded our CM07 production environment to SQL12 last year. We like SQL12 and I think I've mentioned before that we saw about a 10% improvement in performance. So yay!

But there is a downside we didn't consider.

This weekend, we replaced our old CM07 central site with a new server. To do that, you simply install CM on a new box and run the repair wizard. But we forgot that you cannot install old CM07 on top of SQL12, so we had to uninstall SQL12, install SQLR2 with SP1, install CM, stop\disable CM, uninstall SQLR2 (actually MS wants you to upgrade, but that's ugly), install SQL12, enable\start CM, then run the repair wizard.

What a pain.

Then the recovery failed because we didn't have our SQL files parked on the exact same drive letters. Part of the point of the new server was to get more drives, so we had to redo our SQL layout, then run repair to restore from backup, then stop CM and move files around again as we wanted them.

More pain.

Anyway, it should be worth the effort, but it would have saved us time had we known about these 2 issues in advance. So now you do - just in case.


PS - I Love You

I'm no scripter by any means, but I sure know when they're nice to use vs. the CM console. Here are some PowerShell scripts I'll demo at the AZ User Group. One is for flipping all of my deployments from an empty collection (which my ADRs are set to target) to pilot, one from pilot to production, and one to flip back to empty. Because I need lots of ADRs to download all the updates each month (blasted ADR filters!), I have lots of deployments created and they take forever to flip in the console and I could easily miss one. So the scripts do it and work fast. Note that there is probably some cooler way to write these, but who cares so long as it works. The key to PowerShell is to get the job done. I'm sure I'll get better with time. Greg Ramsey got me going with these.

The other scripts I'm going to show were written by my teammate, Jeff Carreon. He took my build doc for CM12 RTM on Server R2\SQL R2 and turned it all into PS. Edit as needed for your own use.

http://mnscug.org/images/brian/cm12sp1-s12prereqqa-1-8.zip

http://mnscug.org/images/brian/flipdeployments.zip

Copyright © 2018 - The Minnesota System Center User Group