Wednesday, 20 November 2019

SOLVED! RADIUS Authentication Failed (MSCHAP error: "E=649" R=0 V=3)

Client setup: Sonicwall NSA 4600 and NPS on Server 2016.

Error: RADIUS Authentication Failed (MSCHAP error: E=649 R=0 V=3)

Tried just about everything to fix this one. Gradually unpicked every single bit of security right back to clear password and nothing seemed to work.  In the end I went into the user's account and under 'Dial in' changed the setting from 'Control access through NPS Network Policy' to 'Allow Access'.  Finally I've had a successful authentication attempt for my test user.  Now I need to start dialling back up the security setting by setting and try and get to the bottom of what is going on.

Tuesday, 22 October 2019

Powershell script to find scheduled tasks on all servers or computers in the domain.

 

First off lets get all the set up variables out of the way.  A lot of these are the same variables I use in every script and I just copy them in each time so you may not want to use them all.

 

 

$Transpath = $env:LOCALAPPDATA + "\Cloudwyse\Logs\scheduled_task_Report_" + $(get-date -Format ddMMyy_HHmmss) + ".log"

Start-Transcript -Path $TransPath -NoClobber

$DateTime = (Get-Date).ToString('ddMMyy_HHmmss')

$ResultsPath = "C:\Cloudwyse\Scripts\Output\Scheduled_Task_Test_Output_" + $DateTime + ".csv"

$Date = Get-Date -Format "dd-MM-yyyy"

$Pass = cat C:\mysecurestring.txt | convertto-securestring

$Cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "CONTOSO\rick.sanchez",$Pass

$DC = "DC01.contoso.com"

$TaskReport = @()

$TestedServers = 0

$OutputPath = "C:\Cloudwyse\Scripts\Output"

$SplitSeparator = "\"

$SplitOption = [System.StringSplitOptions]::RemoveEmptyEntries

  

I like to use Write-Output to add the actions to the logfile (transcript) started in the previous section.  I use this instead of comments as it does the same job but also makes reading the logs easier.  I also prefer it to Write-Host since the latter is considered bad practise.

 

First we’re just going to make sure that the folder required for the logs already exists, and create it if not.

 

 

 

Write-Output "Script started at $DateTime"

Write-Output "Checking whether report destination patch exists..."

 

if (!(Test-Path $OutputPath)) {

    Write-Output "$OutputPath does not exist, creating it now..."

    New-Item -ItemType Directory -Force -Path $OutputPath

    } else {

    Write-Output "$OutputPath already exists, continuing with script..."

    }

 

 

  

Next make a connection to the DC (I prefer doing this than running scripts on the DC itself.  Once this is done, run the LDAP query below to get all the servers in our environment.

 

 

Write-Output "Establishing powershell session with $DC"

$TargetSession = New-PSSession -ComputerName $DC -Credential $Cred

Invoke-Command $TargetSession -Scriptblock {Import-Module ActiveDirectory}

Import-PSSession $TargetSession -Module ActiveDirectory | out-null

 

$serverlist = (Get-ADComputer -LDAPFilter "(&(objectcategory=computer)(OperatingSystem=*server*))").Name

Write-Output "Server list is as follows: `r $serverlist"

Write-Output "Querying $($serverlist.count) servers that were found with the LDAP Query"

 

 

  

Then we get into our foreach loop that is going to check through every server in the list.  I’ve added a variable I’m calling $Skip.  This jut allows me to speed of the execution of the script by skipping any servers that I know are going to fail.  So I use Try Catch to test that I can access the path to my scheduled tasks.  I’ve already trapped the error I need for unauthorised access and have it in my catch statement.  If this error is triggered then the $Skip flag will be set to avoid wasting time on that record.

 

 

foreach ($server in $serverlist) {

    $Skip = $False

    $ServerFQDN = $Server + ".contoso.com"

    Write-Output "Checking server $serverFQDN"

    $serverpath = "\\" + $serverFQDN + "\c$\Windows\System32\Tasks"

    Try     {

        Write-Output "Testing $ServerPath"

        $PathTest = Test-Path $ServerPath -ErrorAction Stop

            }

    Catch [System.UnauthorizedAccessException]  {

        Write-Output "Access to $ServerPath was denied.  Setting skip flag for $ServerFQDN..."

        $Skip = $True

            }

    if (!$Skip) {

        if ($PathTest -match "False") {

            Write-Output "Server not found, setting skip flag for $ServerFQDN..."

            $Skip = $True

                }

            }

 

  

The next step will only run if the $Skip flag is not set.  A list of tasks will be pulled together from the scheduled tasks library.  

 

 

    if (!$Skip) {

        $tasks = Get-ChildItem -Path $serverpath -File

        Write-Output "Tasks for $serverFQDN as follows: `r $tasks"

        $TestedServers = $TestedServers +1

        if ($tasks) {

            $TestedTasks = 0

            Write-Output "Script has found $($tasks.count) scheduled tasks for $serverFQDN"

 

  

The script now works through each task in the variable and gets the content.  If the task is not a system task it will be added to the hash table I’m using to generate the final list which will be exported using export-csv.  I’ve recently changed the way I build these hash tables as I realised I was using an outdated method from Powershell V1 days previously.  There’s a great article on the subject here.  

 

            foreach ($task in $tasks) {

                $TaskPath = $serverpath + "\" + $task.Name

                $task = [xml] (Get-Content $TaskPath)

                [STRING]$check = $task.Task.Principals.Principal.UserId

                $SplitTaskPath = $TaskPath.split($SplitSeparator,$SplitOption)

 

                if ($task.Task.Principals.Principal.UserId) {

                    $hash = @{

                    Server      =   $ServerFQDN

                    TaskName    =   $SplitTaskPath[(($SplitTaskPath.count) - 1)]

                    Command     =   $Task.task.actions.exec.command

                    Owner       =   $task.Task.Principals.Principal.UserId

                    }

                    $Build = New-Object PSObject -Property $hash

                    

                    Write-Output "Adding a task to the list for $serverFQDN"

                    $TaskReport += $Build

                    $TestedTasks = $TestedTasks +1

                    }

                Write-Output "Added $TestedTasks of $($tasks.count) tasks to list for server $serverFQDN"

                }

        } else {

            Write-Output "No tasks found for server $serverFQDN"

               }

    Write-Output "All tests complete for server $server. $TestedServers out of $($serverlist.count) servers tested so far..."

    } else {

    $TestedServers = $TestedServers +1

    Write-Output "Skipping server $ServerFQDN. $TestedServers out of $($serverlist.count) servers tested so far..."

    }

}

 

  

Finally the script exports the results to the path created earlier and cleans up after itself.  

 

 

Write-Output "Script has tested $TestedServers servers..."

Write-Output "Writing results to $ResultsPath"

$TaskReport | Export-CSV $ResultsPath

Write-Output "Removing Powershell session for $DC"

Remove-PSSession $TargetSession

Write-Output "Script complete... Goodbye! :)"

Stop-Transcript

 

  

If you found the script helpful please leave a comment below or add a link to this article. Likewise if you notice any mistakes please share your experience.  The entire script is available below.  Good luck!  

 

 

Friday, 29 March 2019

Error 21201 SMBIOS GUID after installing SCVMM 2016 Update Release 6

 

 

I recently updated my SCVMM server to Update Release 6.  However once updated, I was getting error 21201  “Another machine with the same SMBIOS GUID is found. Recommended Action An SMBIOS GUID should uniquely identify the machine. Provide the correct value or contact the machine manufacturer to help update the hardware with correct information” as pictured below:

In my case, I think this was because I had removed a host from the cluster and then re-added it.

 

The fix was as follows:

 

Go to SQL Server Management Studio and connect to the VirtualManagerDB.  Then run the following query:

SELECT * FROM [VirtualManagerDB].[dbo].[tbl_ADHC_Host]

 

This should return a number of rows equal to the number of hosts in your environment.  Mine returned the following:

 

Next execute the query:

 

SELECT * FROM [VirtualManagerDB].[dbo].[tbl_PMM_PhysicalMachine]

 

In my case, this returned one more row than the number of hosts I had in the environment.

 

I exported this information to Excel (right click the grid and Save as) and matched them up getting the following:

You can see that the green and black rows match on SmBiosGuid.  By looking at the PhysicalMachineId I could see which was the redundant record (black).  Therefore I deleted this row from the PMM_PhysicalMachine table.  I did this by going to the table and choosing to edit top 200 rows (as pictured):

 

Then (once I had a full DB backup) I just right clicked the row I wanted to delete and deleted it.  This fixed the issue and SCVMM can now refresh the host successfully.

 

Friday, 8 February 2019

Powershell LDAP query to find Azure / O365 users synchronised with AD Sync

 

 

Recently I needed to create a quick report that would allow me to see at a glance which accounts in that domain had been synchronised with AD Sync into Azure AD.  It wasn’t possible using Get-ADuser and I knew an LDAP query would do the trick.  First I had to download a powershell module called System.DirectoryServices.Protocols.  Once the module is downloaded run:

 

 

Add-Type -AssemblyName System.DirectoryServices.Protocols

Import-Module C:\Cloudwyse\Tools\S.DS.P.psm1

 

Then to query the information I required I ran:

 

 

$MigratedUsers=Find-LdapObject -SearchFilter:"(msDS-ExternalDirectoryObjectId=*)" -SearchBase:"DC=contoso,DC=com" -LdapConnection:"server01.contoso.com" -PageSize 500

 

 

Conversely, if you wanted to find all users that HADN’T been synchronised you could run the following:

 

 

$MigratedUsers=Find-LdapObject -SearchFilter:"(!msDS-ExternalDirectoryObjectId=*)" -SearchBase:"DC=contoso,DC=com" -LdapConnection:"server01.contoso.com" -PageSize 500

 

 

I still had a few service accounts showing so I just filtered these in Excel based on the DN.  To export the fil just run…

 

 

Export-CSV C:\Cloudwyse\User_report.csv