
Friday, December 8, 2017

Ansible common errors and fixes


1)

Issue:

{
    "msg": "basic: the specified credentials were rejected by the server",
    "unreachable": true,
    "changed": false
}

Fix:

If the specified credentials are correct yet they are rejected by the server, check the following:


  1. Run the Ansible PowerShell script. If you face the following error while doing so, perform step 
  2. Go to Local Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> WinRM -> WinRM Service -> Allow Basic authentication --> Enabled
  3. If it still does not help, run winrm configSDDL default from cmd and give full permission to the account that has the access issue.



2)

Issue:

{
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true,
    "changed": false
}

Fix:


  1. Check that the full computer name of the client matches its DNS record.
  2. Check that the client is in the correct inventory group if you are using inventory groups to separate clients by domain.

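The two checks behind errors 1) and 2) can be scripted on the managed Windows host. The following is an added example, not code from the original post: run it in an elevated PowerShell session on the host Ansible connects to. The function names are the example's own; the WSMan: drive paths and the Win32_ComputerSystem class are standard Windows.

```powershell
# Added example (not part of the original post). Run on the Windows host that Ansible
# manages, in an elevated session. Function names are the example's own.

function Test-WinRmBasicAuth {
    # Error 1 fix: WinRM Service -> Allow Basic authentication. The WSMan: drive
    # exposes the same setting as WSMan:\localhost\Service\Auth\Basic.
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $rootSddl    = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
    $httpsListener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }

    [pscustomobject]@{
        BasicAuthEnabled = ($basic -eq 'true')
        # Basic auth only Base64-encodes the password, so it should ride on an
        # HTTPS listener and AllowUnencrypted should stay false.
        AllowUnencrypted = ($unencrypted -eq 'true')
        HttpsListener    = [bool]$httpsListener
        # The SDDL that 'winrm configSDDL default' (step 3) edits: a non-admin
        # account Ansible connects as has to be granted access here.
        RootSDDL         = $rootSddl
    }
}

function Test-KerberosHostName {
    # Error 2 fix: the full computer name must match DNS. A mismatch makes the
    # Ansible side request a ticket for host/<dns-name>; if no account holds that
    # SPN the KDC answers "Server not found in Kerberos database".
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn = if ($cs.PartOfDomain) { "$($cs.Name).$($cs.Domain)" } else { $cs.Name }

    $forward = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' })
    $reverse = @()
    if ($forward) {
        $reverse = @(Resolve-DnsName -Name $forward[0].IPAddress -Type PTR -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'PTR' })
    }
    $ptrName = if ($reverse) { $reverse[0].NameHost.TrimEnd('.') } else { $null }

    [pscustomobject]@{
        ComputerFqdn  = $fqdn
        ForwardRecord = ($forward.IPAddress -join ', ')
        ReverseName   = $ptrName
        # The inventory hostname Ansible uses for Kerberos should be this FQDN
        NamesMatch    = ($null -ne $ptrName -and $ptrName -ieq $fqdn)
    }
}

Test-WinRmBasicAuth   | Format-List
Test-KerberosHostName | Format-List
```

A host that reports BasicAuthEnabled true with AllowUnencrypted true and no HTTPS listener is accepting passwords over plain HTTP; the Kerberos transport avoids that and is the one the second check prepares for.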

3)

Issue: 

Cannot find python on the remote host

Fix:

Make sure at least Python 2.7 is installed on the remote host. This can be done even if an older version of Python is already installed there. Since changing the default Python version on the remote host may break the host's own tooling, it is advisable to set the path to the Python interpreter in the Ansible inventory file as follows:

[all]
remotehostnamewitholderpython    ansible_python_interpreter=/usr/local/bin/python2.7

(the interpreter path could be anywhere, depending on where the newer Python was installed)

Tuesday, October 24, 2017

How to add a domain group to the local Administrators group in one line


Run from PowerShell:


([ADSI]"WinNT://./Administrators").PSBase.Invoke("Add",([ADSI]"WinNT://my.domain.net/adc_win_defaultadmins").PSBase.Path)


or from CMD:

PowerShell -command "& {([ADSI]'WinNT://./Administrators').PSBase.Invoke('Add',([ADSI]'WinNT://my.domain.net/adc_win_defaultadmins').PSBase.Path)}"

Monday, October 23, 2017

Cannot connect to RDP "An authentication error has occurred. The Local Security Authority cannot be contacted"

We have three systems hosted in the cloud and recently we encountered this issue when connecting to them via RDP from within our premises.

To fix this:

Start Menu -> Computer -> right click -> Properties -> Remote settings -> under Remote, make sure "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" is not selected. The preferred setting is "Allow connections from computers running any version of Remote Desktop".
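The same setting can be read and changed through WMI, which is handier than the dialog when several hosts are affected. The following is an added example, not from the original post; the Win32_TSGeneralSetting class and its SetUserAuthenticationRequired method are standard Windows, the function names are the example's own.

```powershell
# Added example (not part of the original post): the NLA setting from the Remote tab, via WMI.
function Get-RdpNlaSetting {
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        # 1 = "Allow connections only from computers running Remote Desktop with
        #      Network Level Authentication"; 0 = "any version of Remote Desktop"
        NlaRequired   = [bool]$ts.UserAuthenticationRequired
        # 0 = RDP security layer, 1 = Negotiate, 2 = TLS
        SecurityLayer = $ts.SecurityLayer
    }
}

function Set-RdpNlaRequired {
    param([Parameter(Mandatory)][bool]$Required)
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $result = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]$Required }
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired returned $($result.ReturnValue)"
    }
    Get-RdpNlaSetting
}

Get-RdpNlaSetting
# The post's fix is:  Set-RdpNlaRequired -Required $false
```

With NLA off, the user is authenticated only after the full RDP session has been set up, which is why the dialog marks the NLA option as the more secure one; once the LSA error has been traced, `Set-RdpNlaRequired -Required $true` restores it.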

Unable to install Updates on server, Access Denied to everything on the machine


We had this weird issue installing an update on one of our servers. While troubleshooting it, things got even messier, as it turned out the server was throwing "Access Denied" for almost everything even though I had administrator privileges. We worked with Microsoft on this case and the issue was fixed by changing the DCOM configuration.

  1. "Default Authentication Level" was set to "None" --> changed it to "Connect"
  2. "Default Impersonation Level" was set to "Anonymous" --> changed it to "Identify"

And this is not the first time we have had trouble caused by DCOM. It seems DCOM is one of the most important configurations on the server.

The script below will help to make sure the correct DCOM configuration is in place.

 

$logfile = 'C:\Windows\Temp\DCOMenable.log'

function writetolog([string] $txt) {
    $Stamp = (Get-Date).ToString("yyyy/MM/dd HH:mm:ss")
    Add-Content $logfile -Value "${Stamp}:${txt}"
}

function checkregistrysubkeys {
    # LegacyImpersonationLevel under HKLM\SOFTWARE\Microsoft\Ole is the
    # "Default Impersonation Level" shown in dcomcnfg:
    # 1 = Anonymous, 2 = Identify, 3 = Impersonate, 4 = Delegate
    try {
        $checkImpersonationLevel = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" |
            Select-Object -ExpandProperty LegacyImpersonationLevel -ErrorAction Stop

        if ($checkImpersonationLevel -eq 2) {
            Write-Host "Impersonation level is correct : Identify"
            writetolog "Impersonation level is correct : Identify"
        } else {
            try {
                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name LegacyImpersonationLevel -Value 2 -ErrorAction Stop
                Write-Host "Impersonation level set to Identify"
                writetolog "Impersonation level set to Identify"
            } catch {
                Write-Host "ERROR: Unable to change ImpersonationLevel registry"
                writetolog "ERROR: Unable to change ImpersonationLevel registry"
                exit -1
            }
        }
    } catch {
        Write-Host "ERROR: Unable to check ImpersonationLevel registry"
        writetolog "ERROR: Unable to check ImpersonationLevel registry"
        exit -1
    }

    # LegacyAuthenticationLevel is the "Default Authentication Level":
    # 1 = None, 2 = Connect, 3 = Call, 4 = Packet, 5 = Packet Integrity, 6 = Packet Privacy
    try {
        $checkAuthenticationLevel = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" |
            Select-Object -ExpandProperty LegacyAuthenticationLevel -ErrorAction Stop

        if ($checkAuthenticationLevel -eq 2) {
            Write-Host "Authentication level is correct : Connect"
            writetolog "Authentication level is correct : Connect"
        } else {
            try {
                Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name LegacyAuthenticationLevel -Value 2 -ErrorAction Stop
                Write-Host "Authentication level set to Connect"
                writetolog "Authentication level set to Connect"
            } catch {
                Write-Host "ERROR: Unable to change AuthenticationLevel registry"
                writetolog "ERROR: Unable to change AuthenticationLevel registry"
                exit -1
            }
        }
    } catch {
        Write-Host "ERROR: Unable to check AuthenticationLevel registry"
        writetolog "ERROR: Unable to check AuthenticationLevel registry"
        exit -1
    }
}

# EnableDCOM is the string 'Y' or 'N'; the sub-key checks only matter once DCOM is on
try {
    $isEnabledDCOM = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" |
        Select-Object -ExpandProperty EnableDCOM -ErrorAction Stop

    if ($isEnabledDCOM -eq 'Y') {
        Write-Host "DCOM already enabled"
        writetolog "DCOM already enabled"
        checkregistrysubkeys
    }

    if ($isEnabledDCOM -eq 'N') {
        Write-Host "DCOM disabled"
        writetolog "DCOM disabled"
        Write-Host "Enabling DCOM..."
        writetolog "Enabling DCOM..."

        try {
            Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Ole" -Name EnableDCOM -Value 'Y' -ErrorAction Stop
            Write-Host "DCOM enabled"
            writetolog "DCOM enabled"
            checkregistrysubkeys
        } catch {
            Write-Host "ERROR: Unable to change registry"
            writetolog "ERROR: Unable to change registry"
            exit -1
        }
    }

    Write-Host "Task completed successfully"
    writetolog "Task completed successfully"
    exit 0
} catch {
    Write-Host "ERROR: Unable to check EnableDCOM registry"
    writetolog "ERROR: Unable to check EnableDCOM registry"
    exit -1
}

 



503 error after patching Windows web servers


In some cases the web application will return an HTTP 503 error. We have seen this a couple of times after monthly patching activities.

This is how to fix it:


1.      Open Application Pools -> <application name> -> right click -> Advanced Settings
2.      Scroll down to Process Model -> Identity -> click the button next to the value to change it
3.      In the Application Pool Identity window, select Built-in account and choose ApplicationPoolIdentity
             (the previous setting could have been Custom account --> appadmin)
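The following is an added example, not code from the original post: it lists every application pool's state and identity so the pool behind the 503 can be spotted, and applies the same change as the dialog steps above to a named pool. It assumes the inbox WebAdministration module and an elevated session; the function names are the example's own.

```powershell
# Added example (not part of the original post): app pool identity report and fix.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Identity = $_.processModel.identityType   # ApplicationPoolIdentity, NetworkService, SpecificUser, ...
            # Set only for SpecificUser (the "Custom account" in the dialog); a stored
            # password that changed or expired is one reason such a pool stops starting.
            UserName = $_.processModel.userName
        }
    }
}

function Set-AppPoolBuiltInIdentity {
    param([Parameter(Mandatory)][string]$Name)
    $path = "IIS:\AppPools\$Name"
    if (-not (Test-Path $path)) { throw "No application pool named '$Name'" }

    # Same change as the dialog: Built-in account -> ApplicationPoolIdentity. Clearing
    # userName/password removes the old custom credentials from applicationHost.config.
    Set-ItemProperty -Path $path -Name processModel `
        -Value @{ identityType = 'ApplicationPoolIdentity'; userName = ''; password = '' }

    if ((Get-WebAppPoolState -Name $Name).Value -ne 'Started') {
        Start-WebAppPool -Name $Name
    }
    Get-AppPoolIdentityReport | Where-Object { $_.Name -eq $Name }
}

Get-AppPoolIdentityReport | Format-Table -AutoSize
# Apply the fix to one pool (the name is a placeholder):
# Set-AppPoolBuiltInIdentity -Name '<application name>'
```

A pool whose State is Stopped and whose Identity is SpecificUser is the usual match for the symptom described above; the report makes that visible before anything is changed.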

SCCM 2007: Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and Policy NOT CONFIGURED

If you ever come across an issue installing software updates from SCCM, and WUAHandler.log shows errors similar to the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://SCCMMP.example.com:8899  and Policy ENABLED    WUAHandler     5/20/2017 7:34:04 PM    4592 (0x11F0)
Failed to Add Update Source for WUAgent of type (2) and id ({7E86093A-A9D4-4D0F-8B95-DD18478F0FEE}). Error = 0x80040692.       WUAHandler     5/22/2017 2:40:31 PM    1536 (0x0600)


Try this out:




  1. Rename the following file: c:\windows\system32\GroupPolicy\Machine\Registry.pol
  2. Stop and start the Windows Update service
  3. Run gpupdate /force
  4. Check whether the WSUS local policy 'Specify intranet Microsoft Update service location' is enabled and points to the correct MP; if the issue persists, disable it and enable it again
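Steps 1 to 3 above as a script, followed by a read-out of the registry values that the 'Specify intranet Microsoft Update service location' policy writes, which is what step 4 checks by hand. This is an added example, not code from the original post; it assumes an elevated session on the affected client, and the function names are the example's own.

```powershell
# Added example (not part of the original post): reset the local WU policy store and
# report the WSUS policy values. Paths are those from the post.
$policyFile = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'
$wuPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyState {
    $wu = Get-ItemProperty -Path $wuPolicy      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Should be the management point, e.g. http://SCCMMP.example.com:8899 from the log above
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        # 1 when the policy is Enabled; absent or 0 when Not Configured / Disabled
        UseWUServer    = $au.UseWUServer
    }
}

function Reset-LocalWuPolicy {
    # Step 1: rename Registry.pol (keeping a timestamped copy) so the local policy store is rebuilt
    if (Test-Path $policyFile) {
        $backupName = "Registry.pol.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Rename-Item -Path $policyFile -NewName $backupName
    }
    # Step 2: stop and start the Windows Update service
    Restart-Service -Name wuauserv -Force
    # Step 3: force a policy refresh
    gpupdate.exe /force | Out-Null
    # Step 4: show what the WSUS policy now points at
    Get-WsusPolicyState
}

Reset-LocalWuPolicy | Format-List
```

If WUServer comes back pointing at something other than the SCCM management point after the refresh, a domain GPO is still overriding the local setting, which is the "overwritten by a higher authority" message in the log.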

How to perform a complete removal of SCCM 2007 client from a system

  • Uninstall SCCM
    • C:\Windows\ccmsetup\ccmsetup.exe /uninstall
    • Monitor the log and wait for completion: C:\Windows\ccmsetup\logs\ccmsetup.log
  • Delete if they exist
    • Folder C:\Windows\ccm
    • File C:\Windows\SMSCFG.INI
    • Registry keys:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS
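The removal checklist above as a script, added here as an example and not taken from the original post. The paths and registry keys are the ones listed in the post; it assumes an elevated session on the client, and the function name is the example's own.

```powershell
# Added example (not part of the original post): complete SCCM 2007 client removal.
$ccmSetup  = 'C:\Windows\ccmsetup\ccmsetup.exe'
$setupLog  = 'C:\Windows\ccmsetup\logs\ccmsetup.log'
$leftovers = @('C:\Windows\ccm', 'C:\Windows\SMSCFG.INI')
$regKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\CCM',
    'HKLM:\SOFTWARE\Microsoft\CCMSetup',
    'HKLM:\SOFTWARE\Microsoft\SMS'
)

function Remove-SccmClient {
    param([int]$TimeoutMinutes = 30)

    if (Test-Path $ccmSetup) {
        # The first ccmsetup.exe process hands the work to a ccmsetup service and exits,
        # so wait until no ccmsetup process is left rather than only for the initial call.
        Start-Process -FilePath $ccmSetup -ArgumentList '/uninstall' -Wait
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 15
        }
        if (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) {
            throw "ccmsetup still running after $TimeoutMinutes minutes; check $setupLog"
        }
    }

    foreach ($path in $leftovers) {
        if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
    }
    foreach ($key in $regKeys) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }

    # Report what remains so the result can be verified per host
    [pscustomobject]@{
        RemainingFiles = @($leftovers | Where-Object { Test-Path $_ })
        RemainingKeys  = @($regKeys   | Where-Object { Test-Path $_ })
        CcmExecService = (Get-Service -Name CcmExec -ErrorAction SilentlyContinue).Status
        LogTail        = if (Test-Path $setupLog) { Get-Content $setupLog -Tail 3 } else { $null }
    }
}

Remove-SccmClient | Format-List
```

An empty RemainingFiles and RemainingKeys with no CcmExec service is the state the checklist is aiming for; anything still listed is what the manual steps would have had to clean up.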

Monday, July 31, 2017

SCCM 2007 - SQL views / sample reports / WQL queries


SQL views

Among the various views available in the SCCM 2007 database, there are two look-alike sets of views, HS and GS.
Here GS refers to current data and HS to historical data.
Knowing this comes in handy when choosing the correct view to query in a report.



SQL reports


Get update lists per software update KB (all variants)



select DisplayName, CI_ID
from fn_ListAuthListCIs(1033) AS sul
where sul.CI_ID in (
    select rel.FromCIID from v_CIRelation AS rel
    where rel.ToCIID IN (select CI_ID from fn_ListUpdateCIs(1033) AS su where su.ArticleID='4054522'))





Get domain of all clients



select Name0,Domain0 from v_GS_COMPUTER_SYSTEM




Last patched date for all servers



select * from (
select PS.LastStatusTime, PS.LastStateName, SYS.Name0, OS.LastBootUpTime0,
ROW_NUMBER() OVER(PARTITION BY SYS.Name0 ORDER BY PS.LastStatusTime DESC) rn
from v_gs_patchstatusEx PS
inner join v_R_System SYS ON PS.ResourceID = SYS.ResourceID
inner join v_GS_OPERATING_SYSTEM OS ON SYS.ResourceID = OS.ResourceID
where LastStateName = 'Install Verified' AND (PS.LastStatusTime < Getdate())
AND PS.isActive = '1') a where rn=1 ORDER BY LastBootUpTime0 DESC





Collection membership for certain client



select v_FullCollectionMembership.CollectionID As 'Collection ID', v_Collection.Name As 'Collection Name', v_R_System.Name0 As 'Machine Name' from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
Where v_R_System.Name0= '<hostname>'




Update lists applicable for a certain collection (ID)


select distinct UL.Title, case when ULL.Status='1' then 'Not Required'
when ULL.Status='2' then 'Required' when ULL.Status='3' then 'Installed'
end as 'Install Status'
FROM v_UpdateListStatus_Live ULL
INNER JOIN v_AuthListInfo UL ON ULL.CI_ID=UL.CI_ID
INNER JOIN v_R_System SYST ON SYST.ResourceID=ULL.ResourceID
INNER JOIN v_FullCollectionMembership CM on SYST.ResourceID=CM.ResourceID
where CM.CollectionID = '<collection ID>' AND UL.Title NOT LIKE '%SQL%'
AND UL.Title NOT LIKE '%CSA%' AND UL.Title LIKE '%(APPROVED)%'
AND ULL.Status = '2'



WQL queries

Client Systems installed within the last 48 hours

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceId = SMS_R_System.ResourceId
where (DateDiff(hh, SMS_G_System_OPERATING_SYSTEM.InstallDate, GetDate()) < 48)
and SMS_G_System_SYSTEM.SystemRole = "Server"
and SMS_G_System_OPERATING_SYSTEM.InstallDate <= GetDate()