SCOM 2012 SP1, error 500 Internal Server Error when using Web Console

March 1, 2013

With a fresh install of SCOM 2012 SP1, the Web Console gave me this error.
I was able to log on to the website and see the list of reports on the left, but when I selected one of the reports (Active Alerts, for instance) I got this error 500.
On the server itself I got a more precise error:
HTTP error 500.19 – Internal Server Error
HRESULT: 0x800700b7
The requested page cannot be accessed because the related configuration data for the page is invalid.
There is a duplicate ‘uri’ section defined in file Web.Config

So this pointed me to the file Web.Config, which had a single record of uri, but also this sentence:

“Note, the URI config section is not declared in machine.config for .NET 2.x-3.x, so declaring it explicitly here”

But in IIS 7.5, the Application Pools were all configured to use .NET 4.
So this could very well be the cause of the duplicate uri section.

In IIS, I changed the Application Pools for OperationsManagerMonitoringView to use .NET 2 instead of 4.
After that, a recycle of the application pool, and presto, the OperationsManager Web Console was working again.
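
A way to check for the condition suspected above before changing anything, as an added example that is not part of the original post: it reads the pool's runtime version and looks for an explicit 'uri' section declaration in Web.Config. The function name and the Web.Config path are assumptions (the post does not give the path); the pool name is the one from the post.

```powershell
# Added example, not from the original post. Requires the WebAdministration module (IIS 7.5).
Import-Module WebAdministration

function Test-UriSectionConflict {
    param(
        [Parameter(Mandatory = $true)][string]$AppPoolName,
        [Parameter(Mandatory = $true)][string]$WebConfigPath   # path is an assumption, supply your own
    )

    # Runtime version the pool loads, e.g. 'v2.0' or 'v4.0'
    $runtime = (Get-Item "IIS:\AppPools\$AppPoolName").managedRuntimeVersion

    # Explicit declarations of the 'uri' section in the application's own Web.Config
    [xml]$config = Get-Content -Path $WebConfigPath
    $declared = @($config.SelectNodes("/configuration/configSections//section[@name='uri']"))

    New-Object PSObject -Property @{
        AppPool                = $AppPoolName
        Runtime                = $runtime
        UriDeclaredInWebConfig = ($declared.Count -gt 0)
        # An explicit declaration plus a v4 pool is the combination the post points to
        Conflict               = (($runtime -like 'v4*') -and ($declared.Count -gt 0))
    }
}

# Placeholder path: replace with the real location of the Web Console's Web.Config
$check = Test-UriSectionConflict -AppPoolName 'OperationsManagerMonitoringView' `
                                 -WebConfigPath 'C:\path\to\MonitoringView\Web.config'
$check | Format-List

if ($check.Conflict) {
    # Same change as made through the IIS console in the post, followed by a recycle
    Set-ItemProperty "IIS:\AppPools\$($check.AppPool)" -Name managedRuntimeVersion -Value 'v2.0'
    Restart-WebAppPool -Name $check.AppPool
}
```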


Deleting or Purging disconnected mailboxes in Exchange 2010 SP1/ SP2 or 2013

February 19, 2013

After moving around a lot of mailboxes from one database to another in Exchange 2010 SP1, I noticed that the mailboxes were not really deleted from their source database after the move.
Instead, they are marked as Disconnected Mailboxes, with a disconnected reason of “Soft-Deleted”.
This is apparently by design, according to this link

Soft-deleted mailboxes   When a mailbox is moved to a different mailbox database, Exchange doesn’t fully delete the mailbox from the source mailbox database when the move is complete. Instead, the mailbox in the source mailbox database is switched to a soft-deleted state. Like disabled mailboxes, soft-deleted mailboxes are retained in the source database either until the deleted mailbox retention period expires or until the Remove-StoreMailbox cmdlet is used to purge the mailbox.

To purge a mailbox, you can use this PowerShell command: Remove-StoreMailbox
Read all about it here
Problem is that when you want to delete a whole lot of boxes, you want to first get them all and then pipe the output to the Remove cmdlet.
The documentation says that to remove all SoftDeleted mailboxes from database MBD01, you run:

Get-MailboxStatistics -Database MBD01 | where {$_.DisconnectReason -eq "SoftDeleted"} | ForEach {Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState SoftDeleted}

Unfortunately, this command doesn’t work. 😦
You get the following error:
Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.

This is explained on this page where it says you cannot pipe the output of one Cmdlet to another Cmdlet with the ForEach argument.

A workaround is to declare variables. In the above command, this would be:
$Statistics = Get-MailboxStatistics -Database "MBD01" | where {$_.DisconnectReason -eq "SoftDeleted"}
$Statistics | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

Only thing is that you will be prompted for each deletion… and no, typing A for Yes to All doesn’t work.
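
Because a purge cannot be undone, a bulk run is easier to defend with a preview pass and a record of what was removed. The following is an added example, not part of the original post or the Microsoft documentation: it wraps the workaround above in a function that writes the list of soft-deleted mailboxes to a CSV and supports -WhatIf, and it passes -Confirm:$false to Remove-StoreMailbox to suppress the per-mailbox prompt. The function name and the CSV path are assumptions; MBD01 is the database name used above.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function Remove-SoftDeletedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][string]$AuditCsv   # hypothetical path for the audit record
    )

    # Collect the full result set first, so the Get-MailboxStatistics pipeline
    # has finished before Remove-StoreMailbox is called (the workaround above).
    $softDeleted = @(Get-MailboxStatistics -Database $Database |
        Where-Object { $_.DisconnectReason -eq 'SoftDeleted' })

    if ($softDeleted.Count -eq 0) {
        Write-Verbose "No soft-deleted mailboxes found in $Database."
        return
    }

    # Keep a record of what is about to be purged; written even during a -WhatIf run.
    $softDeleted |
        Select-Object DisplayName, MailboxGuid, Database, DisconnectDate, ItemCount, TotalItemSize |
        Export-Csv -Path $AuditCsv -NoTypeInformation -WhatIf:$false

    foreach ($mbx in $softDeleted) {
        $target = "$($mbx.DisplayName) [$($mbx.MailboxGuid)] in $Database"
        if ($PSCmdlet.ShouldProcess($target, 'Purge soft-deleted mailbox')) {
            try {
                # The decision was already taken by ShouldProcess, so suppress the cmdlet's own prompt.
                Remove-StoreMailbox -Database $Database -Identity $mbx.MailboxGuid `
                    -MailboxState SoftDeleted -Confirm:$false -ErrorAction Stop
            }
            catch {
                Write-Warning "Failed to purge ${target}: $($_.Exception.Message)"
            }
        }
    }
}

# Preview: lists what would be purged and writes the CSV, removes nothing.
Remove-SoftDeletedMailbox -Database 'MBD01' -AuditCsv 'C:\Temp\MBD01-softdeleted.csv' -WhatIf

# Purge without prompts, after reviewing the CSV:
# Remove-SoftDeletedMailbox -Database 'MBD01' -AuditCsv 'C:\Temp\MBD01-softdeleted.csv' -Confirm:$false
```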

Deploying Windows 8? Not with ConfigMgr 2007…

September 21, 2012

Windows 8 and SCCM 2007 / 2012
I just read this post from the ConfigMgr team about support for Windows 8 and Server 2012 in ConfigMgr versions.
Although Windows 8 and Server 2012 will be fully supported as ConfigMgr clients for ConfigMgr 2012 SP1 and ConfigMgr 2007 SP2, the deployment of Windows 8 or Server 2012 through the ConfigMgr Operating System Deployment (OSD) feature will NOT be supported with ConfigMgr 2007 SP2.
So, if you want to do a large-scale deployment of Windows 8 and/or Server 2012 in your environment, you will have to upgrade your ConfigMgr 2007 environment to ConfigMgr 2012 SP1.
Oh, and with “upgrade”, I mean “replace”.

That’s right, there is no option to in-place-upgrade your ConfigMgr 2007 environment to ConfigMgr 2012.
You can do a side-by-side migration, meaning you install ConfigMgr 2012, migrate all your packages to the new environment, and then migrate your clients.

This is not a problem however,  because ConfigMgr 2012 simply ROCKS!

So, let’s all get those ConfigMgr 2007 environments upgraded to 2012!

ESXi 5 installation to SDcard fails; “Could not rebuild bootbank database”

July 23, 2012

Setting: trying to install ESXi 5 on a HP Proliant DL360p Gen8 server, on a 4 GB SDcard installed in the internal SD slot.

During installation, when choosing the disk to install ESXi to, the SD card is shown as HP ILO SD card. Weird. The server doesn’t have the Advanced ILO license, but maybe if it did, this SD card could also be used for ILO storage? Confusing.
After double-checking that this is the only internal SD slot, we chose to install to this one.

By the way, for the installation we used the latest HP-provided ESXi-5 ISO, currently 5.0 U1 Jun 2012 ESXi HD-USB-SDImgeInstlr (Z7550-00779.iso)

Updated all firmware/bios/drivers to latest version, using HP Smart Update Firmware DVD v 10.10

The problem

After choosing the SDcard as target, the installation process would fail at 51% with the following error:


You understand why I’m not typing out the error code, right 🙂

When researching this error, it seemed to have something to do with not finding a proxy server.

No problem, just yanked all network cables out of the server and restarted the installation.

Now the installation failed again at 51%, but with a different error:

“Could not rebuild bootbank database”

Right…. now what.

Another try then. First took out the SD card and formatted it, then tried again.

Now the following error:

Failed to check for existing filesystem on device

Error: unable to access device, please check your connection to the device


Right, that’s enough. Has to be the disk (SD card) then.

The solution

We took out the SD card, and tried to access it in another computer. No dice.

We then inserted a new SD card in the server, and voila, no more errors.

The installation finished flawlessly within minutes.


—> Props go to my colleague B-Sting, for his patience in getting to the bottom of this. Pics are his too 🙂  <—

Set Pagefile to other drive fails – Hyper-V

May 29, 2012


Pagefiles in Hyper-V VMs can only be placed on Virtual IDE disks, not on Virtual SCSI disks.


A not-so-well-known “feature” within Hyper-V VMs is the fact that the disk with the boot/OS partition in a Hyper-V VM always needs to be connected to a Virtual IDE controller.

This has to do with the fact that the IDE Controller is natively supported in Windows, so no special drivers need to be loaded first.

The virtual SCSI controller however, requires a driver which is provided by the Hyper-V Integration Services. This driver is loaded later in the boot sequence, so the OS partition cannot boot from a SCSI virtual disk.


Another thing that is very hard to find, is that the Pagefile (swapfile) in a Windows VM can ONLY be located on a (virtual)  IDE disk.

Or, to be more precise, the Virtual Disk on which the pagefile is located, needs to be attached to a virtual IDE Controller in the properties of the VM.

Usually, this is not a problem, because by default Windows manages the Pagefile size and location by itself, thereby locating it on the system drive, which in Hyper-V will always be attached to an IDE controller.

The Problem

The problem however, comes when you manually want to configure the pagefile to move it to a different partition/disk.

This might be the case when your systemdrive has filled up to a point where you’re in need of more space on it.

If the partition/disk where you want to move your pagefile to is attached to a Virtual SCSI controller, things get messy.

The Windows OS in the VM will not give you any warnings about this, and just tell you to reboot the VM for the changes to take effect.

However, when you reboot the machine, you will find that the pagefile simply has not been created on the SCSI drive.

If you have also set the pagefile to a very small size on the systemdrive, you might get warnings about an incorrectly set pagefile-size.


So, what can you do to move the pagefile to another disk/partition in a Hyper-V VM?

Option 1: Add a new IDE disk for the Pagefile

Shut down the VM.

Create a new virtual disk, attached to a virtual IDE Controller.

Size the disk according to your pagefile needs (e.g. for an 8 GB pagefile, create a 10 GB disk). I would advise to use a fixed size disk, not an expanding one.

Boot the VM. Initialize the new disk in Disk Management, and create a partition on it.

Now change the pagefile settings, creating a fixed size pagefile on this new disk. Set the pagefile on your system drive to a small one, like 256 MB.

Option 2: Change the SCSI disk to an IDE disk

Another option is to simply modify your Virtual SCSI disk, to connect it to a Virtual IDE Controller.

With this, you basically turn your virtual SCSI disk into a virtual IDE disk.

For this, a reboot is also required.


But wait, doesn’t a Virtual SCSI disk offer MUCH better performance than a virtual IDE disk?

When you use the Integration Components (like every sane Hyper-V user would) then the answer is No, no and no.

Or, as Technet states:

Although the I/O performance of physical SCSI and IDE devices can differ significantly, this is not true for the virtualized SCSI and IDE devices in Hyper-V. Hyper-V IDE and SCSI devices both offer equally fast I/O performance when integration services are installed in the guest operating system.

Further Reading:

Technet: Planning for Disks and Storage in Hyper-V

Ben Armstrong: Why Hyper-V cannot boot off SCSI disks (and why you should not care)

SMS Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server . The IIS ASP.NET is not registered correctly

May 10, 2012

When installing ConfigMgr 2012 on a site, I was looking at the Site Status node to check if all components were doing good.
This is located in the ConfigMgr Console under \Monitoring\Overview\System Status\Site Status
One component had a red X, specifically the Application Catalog Website Point Role.

Specific error messages were:

Site Component Manager failed to install component SMS_PORTALWEB_CONTROL_MANAGER on server .

The IIS ASP.NET is not registered correctly.
Solution: Review Microsoft Technet article located at: to resolve the issue.

Wow, now that’s a pretty clear error message, even including a link how to fix it.
Let’s see some more info about this though.
There is a specific logfile for this component, called SMSPORTALWEBsetup.log, which in a default installation is located under C:\Program Files\Microsoft Configuration Manager\Logs.

In this file, the following was shown

So, ASP.NET isn’t properly registered in IIS. And we know how to fix it.
Just run

%windir%\Microsoft.NET\Framework\version\aspnet_regiis.exe -i

Ehm, but what about the \version\ bit then?
There are no less than SIX versions of .NET present on this system:

Now which one to register?
It would make sense if it was the 4.0 version, since that is a new requirement in ConfigMgr 2012.
So, let’s do that one:

Hey waddayaknow? It worked.
The installation of the role finished nicely:

Thanks to Markus Baker, whose blog posting confirmed my findings. Was hard to find though, in German 🙂

“Shared-Nothing” migration in Server 2012 Beta. The Logon attempt failed (0x8009030C)

May 4, 2012

Virtual Machine Live Migration in Server 8 Beta has been enhanced with some nice features, one of them being the so-called “Shared Nothing Live Migration”.

Basically this means that the datafiles of the VM you want to migrate no longer need to reside on shared storage.

Also, the Hyper-V hosts you want to move the VM between, do not have to be in the same cluster.

Beware though, that the Hyper-V Hosts DO have to be in the same Active Directory domain. This will NOT work in a workgroup scenario!

I am NOT going to show you how to do this, there are enough nice blogposts about this already (1 and 2)

I got a nice error today I want to share with you, because I couldn’t find anything about it.

When trying to kick off a LiveMigration from one Server 8 Beta host to another I (sometimes) got the following error:

The Virtual Machine Service failed to authenticate the connection for a Virtual Machine migration at the source host: The Logon attempt failed (0x8009030C)

So, first question; did I set up the authentication correctly then?

Nothing special here, using Kerberos for authentication, and of course configured the Hyper-V hosts in AD for Constrained Delegation


Both Hyper-V hosts were able to properly reach the Domain Controller, and each other.

Weird thing is, sometimes it WOULD work. By the way, changing to CredSSP didn’t help either.



After some testing it turned out that the problem only occurred when I start a Live Migration on another host than the one I am running the Hyper-V Management console on.

Wait, whut?

– On Host 1, I log on locally and start the Hyper-V Management Console.

– I select a VM running on the local host and am able to properly move this to Host 2.

The VM is now running on Host 2.

– Then, in the Hyper-V Management Console, I add Host 2 to the console. (still running on Host 1)

– I then try to migrate the VM back to Host 1. This fails, with the error about logon.


So, when trying to move a VM to another Server 8 Beta host, execute this action on the Local Hyper-V Host.

As we already read here, it is also not a good plan at this time to start a live migration from your workstation. For now, just use the local server.

Mobile Device Management in SCCM 2012 – Hands on (Part 2)

April 29, 2012

So, after connecting the SCCM 2012 server to Exchange and getting some info about devices through EAS, now it’s time to really get busy with Mobile Device Management.

In this posting I will show you how I set up the Mobile Device Enrollment, and actually got my old Windows Mobile 6.5 phone enrolled. W00t!

Starting point in this is this 10-step program to get your mobile devices managed in SCCM 2012.

The basic steps are:

  • Set up a working Microsoft PKI infrastructure
  • Install and configure certificates to SCCM servers
  • Install Enrollment Point Roles
  • Publish the Enrollment point so devices can contact it
  • Allow users to enroll their device

The first step is a tricky one already. Setting up a single issuing Root CA in a test environment is no big deal. But setting up a PROPER PKI Infrastructure is a whole different ballgame.

Since this is way out of scope for this post, I’ll just assume you’ve got a working PKI Infrastructure already. (hehe)

So, onto configuring the required certificates then.

I created a couple of new certificate templates:

Important note when creating these certificate templates and enabling them, is to use the “Windows Server 2003, Enterprise Edition” version.  That is the only supported version in ConfigMgr.

Oh, and don’t forget to configure a GPO for auto-enrollment of workstation certificates.

Well, after you get all the certificates created, enabled and installed, it’s time to configure them in ConfigMgr.

Yes, that’s step 5 of the 10 step program already 🙂

This involves first configuring the MP and DP to manage Mobile Devices, which basically means enabling https, allowing internet-based client access, and selecting certificates. And don’t forget to first configure the Site System on which these roles run, with an external FQDN.

Then the Distribution Point:

and finally the MP:

Then, onto step 6, installing the Enrollment Point Role, and the Enrollment Proxy Point Roles.

When adding these roles it is important to keep in mind that you must use the external FQDN that you will use for Device Enrollment.

After this, you can already access the website containing the Device Enrollment Agents:

This very basic page (what, not even a nice System Center logo??)  contains two links, to the Client Agent installers for Windows Mobile (.cab format) and for Nokia Symbian Belle (.sisx format)

Now, we fly to step 9, to configure the device settings for Mobile Devices

Here you can set things like which usergroup you want to allow to enroll their devices.

This is done in the Mobile Device Enrollment Policy:

Now, that’s it. Now to get the old Windows Mobile device charged up, and see what we can do with it.

In the next posting that is.

Mobile Device Management in SCCM 2012 – Hands on (part 1)

April 28, 2012

In SCCM 2012 there is a completely revised version of the Mobile Device Management part.

Sure, this was already there in SCCM 2007, but hey, would YOU want to “manage” ancient Windows CE or Windows Mobile 5.0 devices? I didn’t think so either. Also, in the SCCM 2007 era, Bring Your Own Device (BYOD) wasn’t as hot as it is today, with everyone wanting to bring in and use their own Tablets, Smartphones and laptops.

Now with SCCM 2012, there is proper support for BYOD. Yeah! For a nice overview of this, see this video of Principal Program manager Jeffrey Sutherland, talking about Mobile Device Management in SCCM 2012.


Light and Depth Management

We can define two types of device management in SCCM 2012:

-> Light Management <-

Working through Exchange ActiveSync, we leverage the existing Exchange Device Policies to do light management of the device (remote wipe, lockdown etc.)

Why do we want this? It’s already in Exchange right?

Well, the Exchange admins might not be as concerned with specific end-user devices as they are with handling the mailflow, so this task may better fit with the desktop/enduser/device management team in your organization. They are the ones working with SCCM 2012, and they are the ones most interested in gathering information about, and managing the devices. Also, SCCM provides some very nice Reporting on these devices.

-> In-Depth Management <-

The other type is the In-Depth Management of Mobile Devices

This does not work through EAS, but through two new SCCM Roles that have been introduced in SCCM 2012; the Enrollment Point and the Enrollment Proxy point.

In-depth management can be done in two ways;

– Enroll the mobile devices into SCCM by installing the Mobile Device Client on them. Only on supported mobile OS’s (currently WinMobile 6.1, 6.5 and Nokia Symbian Belle). Offers most features.

– Enroll the mobile devices into SCCM by installing the Legacy Mobile Device Client on them. Only on supported mobile OS’s, which currently are ancient WinCE 5, 6 and 7, and WinMo 6.0. Fewer features, but still way more options than with EAS.

For a good comparison of all features on all three scenarios (EAS, Mobile Device Client on device, and Legacy Mobile device client), see this page on Technet.

Note that both in-depth solutions require a PKI Infrastructure, because of the Certificates that are used on the devices!

So, more on the In-Depth part later, let’s first get the EAS connected. (Yes, you can also choose hybrid solutions, ie. managing with both EAS and through the Enrollment)


Configuration of Mobile Device Management through Exchange

So, how do we set this up?

First the prereqs: an Exchange 2010 SP1 server (or Exchange Online (Office 365)), a working SCCM 2012 server (duh) and a network connection between them.

Then we have to establish a connection between the SCCM server and the Exchange (CAS) server.

We click Add exchange server and get the wizard:

Specify the name of the Exchange CAS server…

Hey, look at this screen. A precise listing of the Exchange permissions that the connector account requires. I’d say this calls for a new RBAC Role in Exchange!

So, let’s first create a service account for this connection and assign the proper Exchange permissions to it.

Now I am going to be assigning Read-Only rights to this service account, ’cause I just want to get data from EAS about the devices, and not do any remote wiping. Which is by the way also how Microsoft IT did this (read here)


Then continue through the wizard:

I just set this to Weekly Full discovery, and Delta discovery twice a day.

So, after this wizard, the connection has been established with the CAS server.


As you can see, the path /powershell has been added to the targetpath of the Exchange server. Which makes sense, because all it really does is fire up PowerShell cmdlets against the CAS, to get information from it.

So, do we see any devices now?

First let’s kick off a discovery cycle:

And behold:


Well that device has my name written all over it (tee-hee)

So, what can we do with it then?

Well, not an awful lot:

Wipe, Block, and.. hmm. well.

Let’s have a look at those Reports then:

Wow. That’s a lot of Reports Built-in. Very cool!


So much for this, then.

Time to get really busy, and fire up an old Windows Mobile 6.5 phone, and start doing some real managing.

In the Next post that is.


SCVMM 2012 error – You cannot access Virtual Machine Manager server localhost. Ensure that your account is a member of a valid user role, and then try the operation again. ID: 1604

April 27, 2012

When opening the SCVMM Console and trying to log on to it, I got the following error:

You cannot access Virtual Machine Manager server localhost.

Ensure that your account is a member of a valid user role, and then try the operation again.

ID: 1604

Weird. Last time I ran it, it worked fine.

Into the Eventlogs of the SCVMM server then. There i found this entry:

“Unable to connect to the VMM database because of a general database failure.
Ensure that the SQL Server is running and configured correctly, then try the operation again.”

Event ID 2605, Virtual Machine Manager

So, no connection to the SQL Server that holds the database? Onto the SQL Server then. There, in the Eventlog was this error:

Login failed for user ‘CONTOSO\sa_scvmm’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <ip-address of SCVMM server>]


Hey, that’s weird. After some googling, this error turns up related to UAC (User Account Control) issues on servers.

So I right-clicked the SCVMM Console and ran it with “Run as Administrator”.

And behold, it worked!

Wait, wut? Does that mean I have to start the SCVMM Console as Administrator every time from now on?

So I closed the console, and re-opened it, now without “Run as Administrator”.

Still worked fine. Hmmkay…. Some weird one-time error?