Friday, June 23, 2017

Attempting to expand a Windows 2012 R2 ReFS drive fails with the error message: “There is not enough space available on the disk(s) to complete this operation.”

Problem

You have a Windows 2012 R2 server virtual machine with multiple disks formatted with the ReFS file system. You have just expanded one of the disks at the hypervisor level and then proceed to extend it within Disk Management:

Attempting to complete the Extend Volume Wizard throws the following error:

Disk Management

There is not enough space available on the disk(s) to complete this operation.

The expansion of the disk fails.  You attempt to use diskpart but receive the same error:

Virtual Disk Service error:

There is not enough usable space for this operation.

You attempt to expand the disk by 1MB but the results are the same:

Solution

I’m not sure whether this is a bug in the earlier versions of Windows 2012 R2 and ReFS but expanding the disk by 1000MB completes successfully:

10000MB also works:

Same goes for 100000MB:

With 52.60GB of Unallocated space left, leaving the Select the amount of space in MB as the default (maximum) completes successfully:

Friday, June 16, 2017

Configuring a Citrix NetScaler Responder Policy and Action to redirect traffic to another URL based on source IP

I’ve been asked several times in the past about how to configure a NetScaler virtual load balancing server to redirect traffic to another URL based on the incoming source IP address so this post serves to demonstrate the process.

Step #1 – Create the Responder Action

Begin by navigating to AppExpert > Responder > Actions and click the Add button to create the responder action to execute when a policy is met:

In the Create Responder Action window, fill in the following fields as required:

Name: A name that represents the redirect – Redirect_USA_Subnets_Action

Type: Redirect

Expression: Enter the URL you would like to redirect requests to with quotes – "https://www.someURL.com"

Response Status Code: 302

Step #2 – Create the Responder Policy

Navigate to AppExpert > Responder > Policies and click the Add button to create the responder policy that will execute the action that was previously created when a requirement is met:

In the Create Responder Policy window, fill in the following fields as required:

Name: A name that represents the redirect – Redirect_USA_Subnets_Action

Action: The previous action created – Redirect_USA_Subnets_Action

Expression: Enter the required IP address or subnet with the expressions:

CLIENT.IP.SRC.EQ(x.x.x.x) || CLIENT.IP.SRC.IN_SUBNET(x.x.x.0/24)

An example would be:

CLIENT.IP.SRC.EQ(10.43.3.136) || CLIENT.IP.SRC.IN_SUBNET(162.221.215.0/24) || CLIENT.IP.SRC.IN_SUBNET(195.130.217.0/24) || CLIENT.IP.SRC.IN_SUBNET(91.220.42.0/24) || CLIENT.IP.SRC.IN_SUBNET(185.58.84.0/22)

Step #3 – Assign Responder Policy to Virtual Server

Navigate to Traffic Management > Load Balancing > Virtual Servers and edit the properties of the virtual server you would like to redirect traffic based on incoming source IP address:

If there are already policies assigned, scroll down to the Policies section and click on the + button or if there are no policies applied then click on the Policies button listed on the right side of the page to add a new policy:

Configure the following and click Continue:

Choose Policy: Responder

Choose Type: Request

In the Choose Type options window, click on Click to select under Select Policy:

Select the Responder Policy that was created earlier:

Click on the Bind button to bind the policy to the virtual server:

Save the configuration by clicking on the Done button:

The NetScaler will now redirect any traffic coming in from the specified source IPs to the alternate URL.

Monday, June 12, 2017

Non domain joined Windows 10 client unable to connect to wireless network with 802.1X authentication

Problem

You have a Cisco Wireless Controller set up to use a Microsoft Network Policy (RADIUS) server to authenticate wireless clients via 802.1X and while Android devices and all Windows clients that are joined to the domain have no issues connecting to the network, non-domain joined Windows 10 workstations are unable to.

Attempting to join the network with a non-domain joined Windows 10 device shows the following Audit Failure log written in the Security logs of the NPS server:

Log Name: Security

Source: Microsoft Windows security

Event ID: 6273

Level: Information

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:            CONTOSO\tluk
     Account Name:            CONTOSO\tluk
     Account Domain:            CONTOSO
     Fully Qualified Account Name:    CONTOSO\tluk

Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-17-df-a8-e0-50:CONTOSO_Corp
     Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
     NAS IPv4 Address:        192.168.220.254
     NAS IPv6 Address:        -
     NAS Identifier:            Cisco_7d:fe:e4
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            13

RADIUS Client:
     Client Friendly Name:        CONTOSO Test
     Client IP Address:            192.168.220.254

Authentication Details:
     Connection Request Policy Name:    CONTOSO
     Network Policy Name:        Secure Wireless Connections 3
     Authentication Provider:        Windows
     Authentication Server:        CONTOSODC01.Contoso.com
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        35393361643862372F36303A35373A31383A61373A65613A31382F3739383139
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            16
     Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The error presented in Windows 10 during the login is shown in the following screenshots:

Verifying and connecting

Can’t connect to this network

Solution

One of the reasons why this error would be presented to a non-domain joined Windows 10 client is if the NPS / RADIUS server is configured with a certificate issued by an internal Microsoft CA that is not trusted by the Windows 10 device since it is not joined to the domain.  The way around this is to either install the issuing Root CA certificate on the Windows 10 device or configure the SSID network manually and not validate the certificate.  The following outlines these steps:

Begin by opening the Network and Sharing Center then click on Set up a new connection or network:

Select Manually connect to a wireless network:

Fill in the appropriate configuration:

Once the new SSID network has been created, proceed by clicking on Change connection settings:

Click on the Security tab:

Click on the Settings button:

Uncheck the Verify the server’s identity by validating the certificate option:

Configuring the above usually does the trick so that the following prompt is displayed the next time an attempt is made to connect:

However, if you continue to encounter the same error then proceed by clicking on the Advanced settings button:

Enable the Specify authentication mode: option:

Change the configuration to User authentication then click on Save credentials:

Enter the appropriate credentials:

The SSID should now no longer prompt for credentials and will automatically connect to the SSID network with the saved credentials.
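
The other option named in the solution, installing the issuing Root CA certificate on the non-domain joined client, lets the Verify the server's identity by validating the certificate option stay checked. The following is an added example, not part of the original post; the function name Install-WirelessRootCa is hypothetical, and the file path and thumbprint in the usage comment are placeholders to be replaced with values obtained directly from the internal CA.

```powershell
function Install-WirelessRootCa {
    [CmdletBinding()]
    param(
        # Path to the root CA certificate exported from the internal CA (.cer)
        [Parameter(Mandatory)] [string]$Path,
        # Thumbprint read from the CA itself, not from the copied file
        [Parameter(Mandatory)] [string]$ExpectedThumbprint
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # A root CA certificate is self-signed: subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate: issued by '$($cert.Issuer)'."
    }

    # Refuse a certificate that has already expired.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)."
    }

    # Compare against the out-of-band thumbprint before trusting the file.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
    }

    # Add the certificate to the machine-wide Trusted Root store (requires elevation).
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage from an elevated prompt (both values are placeholders):
# Install-WirelessRootCa -Path 'C:\Temp\<root-ca-file>.cer' -ExpectedThumbprint '<thumbprint-from-CA>'
```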

Thursday, June 8, 2017

Setting up Get-ExchangeEnvironmentReport.ps1 PowerShell script in Task Scheduler to automatically run daily

One of the scripts I've often used when trying to gather information about a current Exchange environment prior to performing a migration is the Get-ExchangeEnvironmentReport.ps1 PowerShell script written by Steve Goodman.  The information provided by the report provides great information that would allow me to get a good understanding of the current Exchange topology as well as the mailbox databases.  If you are unfamiliar with this script, further details about the script can be found in the following links:

Generate Exchange Environment Reports using Powershell
https://gallery.technet.microsoft.com/office/Generate-Exchange-2388e7c9

Generate Exchange Environment Reports using Powershell
http://www.stevieg.org/2011/06/exchange-environment-report/

This script could be scheduled to automatically run via the Task Scheduler and this post serves to provide the configuration for the action which sometimes can be difficult to find.  Note that I won’t go into the details of creating the scheduled task as that could be found in one of my previous posts here:

Setting up vCheck PowerShell health check script in Task Scheduler to automatically run daily
http://terenceluk.blogspot.com/2017/03/setting-up-vcheck-powershell-health.html

The following is the syntax required to configure the action:

Program/script: powershell.exe

Add arguments (optional): -command ". 'E:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; . 'C:\PS-Scripts\Get-ExchangeEnvironmentReportModified.ps1'"

Wednesday, June 7, 2017

Attempting to call a Lync Server 2013 Enterprise Voice user fails with a fast busy

Problem

You have a user who is enabled for Enterprise Voice in a Lync Server 2013 environment that had no issues placing and receiving calls but recently noticed that users attempting to call them are now receiving a fast busy with the error message:

Cannot contact <userName>

Running a trace with Snooper on the server shows that a SIP/2.0 485 Ambiguous error is logged during the failed call:

TL_INFO(TF_PROTOCOL) [0]2160.20F4::06/06/2017-13:36:28.621.00008520 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[4058195155] $$begin_record
Trace-Correlation-Id: 4058195155
Instance-Id: 495426
Direction: outgoing;source="local"
Peer: CONTles03.CONT.com:58390
Message-Type: response
Start-Line: SIP/2.0 485 Ambiguous
From: <sip:tluk@contoso.com>;tag=244c2c0e70;epid=98eec5ee8d
To: <sip:+44xxxxx9578@contoso.com;user=phone>;tag=872B83A7584D65996E00DA963EC419D0
Call-ID: 1c27d3fe51e6418892fe4e79cb4f564b
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.131.2:58390;branch=z9hG4bK323649EF.04A161E3BE17588C;branched=FALSE;ms-received-port=58390;ms-received-cid=36CFC00
Via: SIP/2.0/TLS 172.16.1.121:50637;received=216.249.42.188;ms-received-port=50637;ms-received-cid=AE8300
Content-Length: 0
ms-diagnostics: 4199;reason="Multiple users associated with the target phone number";HRESULT="0x8004C3CD";processing-cluster="CONTlse03.CONT.com";processing-frontend="CONTLSE03.CONT.COM";source="CONTLSE03.CONT.COM"
$$end_record

Solution

One of the reasons why this user would experience issues with inbound calls is if someone had recently created an account that uses the same number but with a different extension for their Line URI field.  To troubleshoot this, launch the Lync Server 2013 Control Panel and search for users with the problematic user’s number but without the extension.

For this example, the problematic user’s Line URI field is configured as such:

tel:+44xxxxxx9578;ext=9578

With the above information, add a Line URI filter configured to contain the string:

tel:+44xxxxxx9578

image

As shown in the screenshot above, two users have been returned.

Open the properties of the user accounts to compare the Line URI field and in the case of this example, the problem is caused by a typo in the Line URI field where:

User A: tel:+44xxxxxx9578;ext=9578

User B: tel:+44xxxxxx9578;ext=9579

User B’s Line URI was meant to be:

User A: tel:+44xxxxxx9579;ext=9578

… and because of the slight typo shown above, the Control Panel allowed the configuration to be made since the strings were unique but a call could not be routed properly because there were 2 matches to the number even though the extensions were different.
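
The same check can be run across every user instead of one number at a time. The following is an added example, not part of the original post: it groups users by the number portion of the Line URI (everything before ;ext=) and reports any number held by more than one account. The function name Get-SharedLineUriNumber and the sample objects are constructed for illustration; Get-CsUser is the Lync Server Management Shell cmdlet.

```powershell
function Get-SharedLineUriNumber {
    [CmdletBinding()]
    param(
        # Objects exposing SipAddress and LineURI, e.g. the output of Get-CsUser
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User
    )
    begin   { $all = @() }
    process { $all += $User }
    end {
        $all |
            Where-Object { $_.LineURI } |
            # Key on the number only, so differing ;ext= values still collide
            Group-Object { ($_.LineURI -split ';')[0].ToLowerInvariant() } |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Number   = $_.Name
                    Users    = @($_.Group | ForEach-Object { $_.SipAddress })
                    LineURIs = @($_.Group | ForEach-Object { $_.LineURI })
                }
            }
    }
}

# Constructed sample mirroring the User A / User B case above
$sample = @(
    [pscustomobject]@{ SipAddress = 'sip:usera@contoso.com'; LineURI = 'tel:+44xxxxxx9578;ext=9578' }
    [pscustomobject]@{ SipAddress = 'sip:userb@contoso.com'; LineURI = 'tel:+44xxxxxx9578;ext=9579' }
    [pscustomobject]@{ SipAddress = 'sip:userc@contoso.com'; LineURI = 'tel:+44xxxxxx9580;ext=9580' }
)
$sample | Get-SharedLineUriNumber

# Against a live deployment, from the Lync Server Management Shell:
# Get-CsUser -Filter {LineURI -ne $null} | Get-SharedLineUriNumber
```

Running it after any Line URI change catches the conflict before callers start receiving the 485 Ambiguous response.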
