ESXi Update Network Config Failed
Set ESXi IP via CLI

Real quick post here. I was moving my ESXi hosts and vCenter to a new dedicated subnet. I did the usual; had a temp Windows System in the new subnet, create VMK with temp IP in new subnet, connect to ESXi Web UI via new Temp IP in new Subnet via temp Windows machine. Reconfigure default TCP/IP stack default gateway, change VMK0 IP address (and edit management port group VLAN id if applicable). and Away I’d go.

However on this one host for some unknown stupid reason it would simply fail “Failed – An Error occurred during host configuration”, and the detailed log was just as vague “operation failed diagnostics report unable to set network unreachable” OK… whatever, that shouldn’t matter do as I tell you! Here’s a snippet of the error, and the CLI command that simply worked without bitching.

I just figured let’s try the CLI way and see if it worked, and it turns out it did. The source I used to figure out the command syntax.

The commands I used:

Get IPs:

esxcli network ip interface ipv4 get

Set new IP:

esxcli network ip interface ipv4 set -i vmk1 -I 1.1.1.1 -N 255.255.255.0 -t static

Hope this helps someone.

FreeNAS Single SSD as ZIL and L2ARC

Quick Story I remember I set this up on my FreeNAS server in hopes to get better performance, in reality, I don’t think it helped anything cause of my FreeNAS servers setup. Which was an old desktop with 3 Gigs of memory and a couple SATA drives, 2 spindle and 1 SSD.

Took me a while but I finally found the original source I followed.

Main Parts (assume SSD is ada0):

root@freenas1:~ % gpart create -s gpt ada0
ada0 created
root@freenas1:~ % gpart add -a 4k -b 128 -t freebsd-zfs -s 10G ada0
ada0p1 added
root@freenas1:~ % gpart add -a 4k -t freebsd-zfs ada0
ada0p2 added

List Disk to get GUIDs

root@freenas1:~ % gpart list

Add partitions as Zil and L2ARC on a logical disk (volume0)

root@freenas1:~ % zpool add volume0 log gptid/94a4bd28-aeb7-11e5-99ac-bc5ff42c6cb2
root@freenas1:~ % zpool add volume0 cache gptid/9a79622f-aeb7-11e5-99ac-bc5ff42c6cb2

Nice you can use the zpool command to verify their used as such:

If you are paying attention you’ll noticed the guid are different. Anyway you can use the GUI to see the results as well, if you click the main volume under Storage -> Volume, Then click the Show details button.

If you pick any of the partitions in this list, at the bottom you get a button labeled “Remove”. To undo the previous additions made via the back end SSH.

After this I removed the old Volume completely, including the old File based extent I was using on it.

I then created all new Volumes, one volume on each drive, then created 1 zVol on each volume, then used those zVols as Device based Extents on the iSCSI service…. and I couldn’t believe the performance increase, I couldn’t saturate the 1gbps link before with storage vMotions. Now every single Datastore maxes out the NIC and I hot 100 MB/s plus on every storage vMotion and I increased my storage capacity. W00t (of course I never had storage redundancy to begin with so nothing lost, all gains.

Summary

Don’t bother using a SSD to try and gain speeds on simple homelab FreeNAS servers. It’s useless… “Some more specifics: as a rule of thumb L2ARC is only really useful if you have lots of RAM (64GB+) and a ZIL is only useful if you’re performing lots of synchronous writes.” – anodos

Upgrade and Migrate a vCenter Server

Intro

Hello everyone! Today I’ll be doing a test in my home lab where I will be upgrading, not to be confused with updating, a vCenter server. If you are interested in staying on the version your vCenter is currently on but just patch to the latest version, see my other blog post: VMware vCenter Updates using VAMI – Zewwy’s Info Tech Talks

Before I get into it, there are a couple thing expected from you:

  1. An existing instance of vCenter deployed (for me yup, 6.7)
  2. A backup of the config or whole server via a backup product
  3. A Copy of the latest vCenter ISO (either from VMware directly or for me from VMUG)

Side Story

*Interesting Side Note* VM Creation dates property is only a thing since vCenter 6.7. Before that it was in the events table that gets rotated out from retention policies. 🙂

*Side Note 2* I was doing some vmotions of VMs to prepare rebooting a storage device hosting some datastores before the vCenter update, and oddly even though the Task didn’t complete it would disappear from the recent task view. Clicking all Tasks showed the task in progress but @ 0% so no indication of the progress. The only trick that worked for me was to log off and back in.

A quick little side story, it was a little while since I had logged into VMUG for anything, and I have to admit the site setup is unbelievably bad designed. It’s so unintuitive I had to Google, again, how to get the ISO’s I need from VMUG.

Also for some reason, I don’t know why, when I went to log in it stated my username and password is wrong. Considering I use a password manager, I was very confident it was something wrong on their end. Attempting to do a password reset, provided no email to my email address.

Distort I decided to make a another account with the same email, which oddly enough when created brought me right back to my old account on first log in. Super weird. According to Reddit I was not the only one to experience oddities with VMUG site.

Also on the note of VMware certification, I totally forgot you have to take one of the mandatory classes before you can challenge, or take any of the VMware exams.

“Without the mandatory training? Yes, they represent a reasonable value proposition. With mandatory training? No, they do not. Requiring someone who’s been using your products for a decade to attend a class which covers how to spell ESXi is patronizing if not downright condescending. I only carry VMware certifications because I was able to attain them without going through the nonsense mandatory training.”

“The exam might as well cost $3500 and “include” the class for “free”.”

Don’t fully agree with that last one cause you can take any one class (AFAIK) and take all the exams. I get the annoyance of the barrier to entry, gotta keep the poor out. 😛

Simple Summary about VMUG.

  1. Create account and Sign up for Advantage from the main site.
  2. Download Files from their dedicated Repo Site.

Final gripes about VMUG:

  1. You can’t get Offline Bundles to create custom ESXi images.
  2. You can’t seem to get older versions of the software from there.
  3. The community response is poor.
  4. The site is unintuitive and buggy.

So now that we finally got the vCenter 7 ISO

For a more technical coverage of updating vCenter see VMware’s guide.

For shits.. moving esxi hosts, and vcenter to new subnet.

1) Build Subnet, and firewall rules and vlans
2) Configure all hosts with new VMPG for new vlan
3) Move each host one at a time to new subent, ensure again that network will be allowed to the vCenter server after migration
4) Can’t change VMK for mgmt to use VLAN from the vCenter GUI, have to do it at host level.
i) Place host into maintenance mode, remove from inventory (if host were added by IP, otherwise just disconnect)
ii) Update hosts IP address via the hosts console, and update DNS records
iii) Re-add the host to the cluster via new DNS hostname

Changing vCenter Server IP address

Source: How to change vCenter and vSphere IP Address ( embedded PSC ) – Virtualblog.nl

changed IP address in the VAMI, it even changed the vpxa config serverIP address to the new IP automatically. it worked. :O

Upgrading vCenter

Using the vCenter ISO

The ISO is not a bootable one, so for me I mount it on to a Windows machine that has access to the vCenter server.

Run the installer exe file…

Click Upgrade

I didn’t enter the source ESXi host IP.. lets see

nope wants all the info, fill all fields including source esxi host info.

Yes.

Target ESXi Host for new VCSA deployment. Next

Target VCSA VM info. Next

Would you like, large or eXtra large?

pick VMs datastore location, next.

VM temp info, again insure network connections are open between subnets if working with segregated networks.

Ready to deploy.

Deploying VM to target ESXi host. Once this was done got a message to move on to Stage 2, which can be done later, I clicked next.

 

Uhhh, ok….

 

Ok dokie?

I didn’t care too much about old metrics.

nope.

Let’s go!

After some time…

Nice! and it appears to have worked. 🙂

Another Side Trail

I was excited cause I deployed this new VCSA off the FreeNAS Datastore I wanted to bring and reboot. but low and behold some new random VMs are on the Datastore…

doing some research I found this simple explanation of them however it wasn’t till I found this VMware article with the info I was more after.

Datastore selection for vCLS VMs

The datastore for vCLS VMs is automatically selected based on ranking all the datastores connected to the hosts inside the cluster. A datastore is more likely to be selected if there are hosts in the cluster with free reserved DRS slots connected to the datastore. The algorithm tries to place vCLS VMs in a shared datastore if possible before selecting a local datastore. A datastore with more free space is preferred and the algorithm tries not to place more than one vCLS VM on the same datastore. You can only change the datastore of vCLS VMs after they are deployed and powered on.

If you want to move the VMDKs for vCLS VMs to a different datastore or attach a different storage policy, you can reconfigure vCLS VMs. A warning message is displayed when you perform this operation.

You can perform a storage vMotion to migrate vCLS VMs to a different datastore. You can tag vCLS VMs or attach custom attributes if you want to group them separately from workload VMs, for instance if you have a specific meta-data strategy for all VMs that run in a datacenter.

In vSphere 7.0 U2, new anti-affinity rules are applied automatically. Every three minutes a check is performed, if multiple vCLS VMs are located on a single host they will be automatically redistributed to different hosts.

Note:When a datastore is placed in maintenance mode, if the datastore hosts vCLS VMs, you must manually apply storage vMotion to the vCLS VMs to move them to a new location or put the cluster in retreat mode. A warning message is displayed.

The enter maintenance mode task will start but cannot finish because there is 1 virtual machine residing on the datastore. You can always cancel the task in your Recent Tasks if you decide to continue.
The selected datastore might be storing vSphere Cluster Services VMs which cannot be powered off. To ensure the health of vSphere Cluster Services, these VMs have to be manually vMotioned to a different datastore within the cluster prior to taking this datastore down for maintenance. Refer to this KB article: KB 79892.

Select the checkbox Let me migrate storage for all virtual machines and continue entering maintenance mode after migration. to proceed.

huh, the checkbox is greyed out and I can’t click it.
vmotioned them and the process kept moving up.

How a Small Mistake Became a Big Problem

Background

This story is about implantation of compliance requirements, and the technical changes made that caused some heartburn. In particular Exchange server and retention policies.

Very simple; Compliance, and regulatory practices.

Retention Policy was becoming enforced. As such on Exchange no less, see here for more information on how to configure retention policies on Exchange.

You might notice you have to create tags of time frames. In this case there wasn’t one already pre-populated with my needs. So you have to create those. You may have also noticed that the only name time frame is all defined with number of days.

Human Error

So long story short, I  wrongly defined the number of days for the length of period I wanted to defined. Simply due to bad arithmetic, I swear I was an ace at math in school. Anyway, after this small mistake on the tag definition, and it was deployed to all Mailboxes. (Yeap there was steps of approval, and wasn’t caught even during pilot users).

Once it was discovered, there were 2 options. 1) Wait till specific people notice and  recover as required, or  2) do it all in one swoop.

Recover deleted messages in a user’s mailbox in Exchange Server | Microsoft Docs

After following this, it was determined that we couldn’t find just the emails from the time frame we needed to restore. This turns out cause all the emails “whenChanged” timestamp all became the same time the retention policy came into effect. So filtering by Date was completely useless.

Digging a Hole

At this point we figured we’d just restore all email, and let the retention policy rerun with the proper time frame tag applied. While this did work, there was a technique or property that was recently added that would have restored the emails into the sub folders in which they were removed from. Instead, all the emails were placed back into users Inbox.

This was a rough burn.  Overall it did work, it just wasn’t very clean and there was some fallout from the whole ordeal.

Hope this story helps someone prevent the same mistakes.

Palo Alto Networks Protocols Defined

I have to often do validation on rules set created on a Palo Alto firewall, now if you’ve done this you’ll know there’s  a specific requirement to define which protocol to test against. Generally you’ll use UDP or TCP, and ICMP if needing to validate ping rules.

However PAN uses numbers and the provided direct KB from them does not define them all (1-255). So googling I found a nice simplified post by Kerry Cordero on his site here. Where he got this info from I’m not certain, he did not reference any PAN KB’s or anything. For prosperity of the internet I have quotes his list as it was on his site.

Many Thanks to Kerry for this work on this.

Protocol Options:
When it comes to the protocol #, you have several options to choose from like:

TCP = 6
UDP = 17
ICMP = 1
ESP = 50

Below is a full list of options you can use.

Decimal Keyword Protocol IPv6 Extension Header Reference
0 HOPOPT IPv6 Hop-by-Hop Option Y [RFC8200]
1 ICMP Internet Control Message [RFC792]
2 IGMP Internet Group Management [RFC1112]
3 GGP Gateway-to-Gateway [RFC823]
4 IPv4 IPv4 encapsulation [RFC2003]
5 ST Stream [RFC1190][RFC1819]
6 TCP Transmission Control [RFC793]
7 CBT CBT [Tony_Ballardie]
8 EGP Exterior Gateway Protocol [RFC888][David_Mills]
9 IGP any private interior gateway
(used by Cisco for their IGRP)
[Internet_Assigned_Numbers_Authority]
10 BBN-RCC-MON BBN RCC Monitoring [Steve_Chipman]
11 NVP-II Network Voice Protocol [RFC741][Steve_Casner]
12 PUP PUP [Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, “PUP: An
Internetwork Architecture”, XEROX Palo Alto Research Center,
CSL-79-10, July 1979; also in IEEE Transactions on
Communication, Volume COM-28, Number 4, April 1980.][[XEROX]]
13 ARGUS (deprecated) ARGUS [Robert_W_Scheifler]
14 EMCON EMCON [<mystery contact>]
15 XNET Cross Net Debugger [Haverty, J., “XNET Formats for Internet Protocol Version 4”,
IEN 158, October 1980.][Jack_Haverty]
16 CHAOS Chaos [J_Noel_Chiappa]
17 UDP User Datagram [RFC768][Jon_Postel]
18 MUX Multiplexing [Cohen, D. and J. Postel, “Multiplexing Protocol”, IEN 90,
USC/Information Sciences Institute, May 1979.][Jon_Postel]
19 DCN-MEAS DCN Measurement Subsystems [David_Mills]
20 HMP Host Monitoring [RFC869][Bob_Hinden]
21 PRM Packet Radio Measurement [Zaw_Sing_Su]
22 XNS-IDP XEROX NS IDP [“The Ethernet, A Local Area Network: Data Link Layer and
Physical Layer Specification”, AA-K759B-TK, Digital
Equipment Corporation, Maynard, MA.  Also as: “The
Ethernet – A Local Area Network”, Version 1.0, Digital
Equipment Corporation, Intel Corporation, Xerox
Corporation, September 1980.  And: “The Ethernet, A Local
Area Network: Data Link Layer and Physical Layer
Specifications”, Digital, Intel and Xerox, November 1982.
And: XEROX, “The Ethernet, A Local Area Network: Data Link
Layer and Physical Layer Specification”, X3T51/80-50,
Xerox Corporation, Stamford, CT., October 1980.][[XEROX]]
23 TRUNK-1 Trunk-1 [Barry_Boehm]
24 TRUNK-2 Trunk-2 [Barry_Boehm]
25 LEAF-1 Leaf-1 [Barry_Boehm]
26 LEAF-2 Leaf-2 [Barry_Boehm]
27 RDP Reliable Data Protocol [RFC908][Bob_Hinden]
28 IRTP Internet Reliable Transaction [RFC938][Trudy_Miller]
29 ISO-TP4 ISO Transport Protocol Class 4 [RFC905][<mystery contact>]
30 NETBLT Bulk Data Transfer Protocol [RFC969][David_Clark]
31 MFE-NSP MFE Network Services Protocol [Shuttleworth, B., “A Documentary of MFENet, a National
Computer Network”, UCRL-52317, Lawrence Livermore Labs,
Livermore, California, June 1977.][Barry_Howard]
32 MERIT-INP MERIT Internodal Protocol [Hans_Werner_Braun]
33 DCCP Datagram Congestion Control Protocol [RFC4340]
34 3PC Third Party Connect Protocol [Stuart_A_Friedberg]
35 IDPR Inter-Domain Policy Routing Protocol [Martha_Steenstrup]
36 XTP XTP [Greg_Chesson]
37 DDP Datagram Delivery Protocol [Wesley_Craig]
38 IDPR-CMTP IDPR Control Message Transport Proto [Martha_Steenstrup]
39 TP++ TP++ Transport Protocol [Dirk_Fromhein]
40 IL IL Transport Protocol [Dave_Presotto]
41 IPv6 IPv6 encapsulation [RFC2473]
42 SDRP Source Demand Routing Protocol [Deborah_Estrin]
43 IPv6-Route Routing Header for IPv6 Y [Steve_Deering]
44 IPv6-Frag Fragment Header for IPv6 Y [Steve_Deering]
45 IDRP Inter-Domain Routing Protocol [Sue_Hares]
46 RSVP Reservation Protocol [RFC2205][RFC3209][Bob_Braden]
47 GRE Generic Routing Encapsulation [RFC2784][Tony_Li]
48 DSR Dynamic Source Routing Protocol [RFC4728]
49 BNA BNA [Gary Salamon]
50 ESP Encap Security Payload Y [RFC4303]
51 AH Authentication Header Y [RFC4302]
52 I-NLSP Integrated Net Layer Security  TUBA [K_Robert_Glenn]
53 SWIPE (deprecated) IP with Encryption [John_Ioannidis]
54 NARP NBMA Address Resolution Protocol [RFC1735]
55 MOBILE IP Mobility [Charlie_Perkins]
56 TLSP Transport Layer Security Protocol
using Kryptonet key management
[Christer_Oberg]
57 SKIP SKIP [Tom_Markson]
58 IPv6-ICMP ICMP for IPv6 [RFC8200]
59 IPv6-NoNxt No Next Header for IPv6 [RFC8200]
60 IPv6-Opts Destination Options for IPv6 Y [RFC8200]
61 any host internal protocol [Internet_Assigned_Numbers_Authority]
62 CFTP CFTP [Forsdick, H., “CFTP”, Network Message, Bolt Beranek and
Newman, January 1982.][Harry_Forsdick]
63 any local network [Internet_Assigned_Numbers_Authority]
64 SAT-EXPAK SATNET and Backroom EXPAK [Steven_Blumenthal]
65 KRYPTOLAN Kryptolan [Paul Liu]
66 RVD MIT Remote Virtual Disk Protocol [Michael_Greenwald]
67 IPPC Internet Pluribus Packet Core [Steven_Blumenthal]
68 any distributed file system [Internet_Assigned_Numbers_Authority]
69 SAT-MON SATNET Monitoring [Steven_Blumenthal]
70 VISA VISA Protocol [Gene_Tsudik]
71 IPCV Internet Packet Core Utility [Steven_Blumenthal]
72 CPNX Computer Protocol Network Executive [David Mittnacht]
73 CPHB Computer Protocol Heart Beat [David Mittnacht]
74 WSN Wang Span Network [Victor Dafoulas]
75 PVP Packet Video Protocol [Steve_Casner]
76 BR-SAT-MON Backroom SATNET Monitoring [Steven_Blumenthal]
77 SUN-ND SUN ND PROTOCOL-Temporary [William_Melohn]
78 WB-MON WIDEBAND Monitoring [Steven_Blumenthal]
79 WB-EXPAK WIDEBAND EXPAK [Steven_Blumenthal]
80 ISO-IP ISO Internet Protocol [Marshall_T_Rose]
81 VMTP VMTP [Dave_Cheriton]
82 SECURE-VMTP SECURE-VMTP [Dave_Cheriton]
83 VINES VINES [Brian Horn]
84 TTP Transaction Transport Protocol [Jim_Stevens]
84 IPTM Internet Protocol Traffic Manager [Jim_Stevens]
85 NSFNET-IGP NSFNET-IGP [Hans_Werner_Braun]
86 DGP Dissimilar Gateway Protocol [M/A-COM Government Systems, “Dissimilar Gateway Protocol
Specification, Draft Version”, Contract no. CS901145,
November 16, 1987.][Mike_Little]
87 TCF TCF [Guillermo_A_Loyola]
88 EIGRP EIGRP [RFC7868]
89 OSPFIGP OSPFIGP [RFC1583][RFC2328][RFC5340][John_Moy]
90 Sprite-RPC Sprite RPC Protocol [Welch, B., “The Sprite Remote Procedure Call System”,
Technical Report, UCB/Computer Science Dept., 86/302,
University of California at Berkeley, June 1986.][Bruce Willins]
91 LARP Locus Address Resolution Protocol [Brian Horn]
92 MTP Multicast Transport Protocol [Susie_Armstrong]
93 AX.25 AX.25 Frames [Brian_Kantor]
94 IPIP IP-within-IP Encapsulation Protocol [John_Ioannidis]
95 MICP (deprecated) Mobile Internetworking Control Pro. [John_Ioannidis]
96 SCC-SP Semaphore Communications Sec. Pro. [Howard_Hart]
97 ETHERIP Ethernet-within-IP Encapsulation [RFC3378]
98 ENCAP Encapsulation Header [RFC1241][Robert_Woodburn]
99 any private encryption scheme [Internet_Assigned_Numbers_Authority]
100 GMTP GMTP [[RXB5]]
101 IFMP Ipsilon Flow Management Protocol [Bob_Hinden][November 1995, 1997.]
102 PNNI PNNI over IP [Ross_Callon]
103 PIM Protocol Independent Multicast [RFC7761][Dino_Farinacci]
104 ARIS ARIS [Nancy_Feldman]
105 SCPS SCPS [Robert_Durst]
106 QNX QNX [Michael_Hunter]
107 A/N Active Networks [Bob_Braden]
108 IPComp IP Payload Compression Protocol [RFC2393]
109 SNP Sitara Networks Protocol [Manickam_R_Sridhar]
110 Compaq-Peer Compaq Peer Protocol [Victor_Volpe]
111 IPX-in-IP IPX in IP [CJ_Lee]
112 VRRP Virtual Router Redundancy Protocol [RFC5798]
113 PGM PGM Reliable Transport Protocol [Tony_Speakman]
114 any 0-hop protocol [Internet_Assigned_Numbers_Authority]
115 L2TP Layer Two Tunneling Protocol [RFC3931][Bernard_Aboba]
116 DDX D-II Data Exchange (DDX) [John_Worley]
117 IATP Interactive Agent Transfer Protocol [John_Murphy]
118 STP Schedule Transfer Protocol [Jean_Michel_Pittet]
119 SRP SpectraLink Radio Protocol [Mark_Hamilton]
120 UTI UTI [Peter_Lothberg]
121 SMP Simple Message Protocol [Leif_Ekblad]
122 SM (deprecated) Simple Multicast Protocol [Jon_Crowcroft][draft-perlman-simple-multicast]
123 PTP Performance Transparency Protocol [Michael_Welzl]
124 ISIS over IPv4 [Tony_Przygienda]
125 FIRE [Criag_Partridge]
126 CRTP Combat Radio Transport Protocol [Robert_Sautter]
127 CRUDP Combat Radio User Datagram [Robert_Sautter]
128 SSCOPMCE [Kurt_Waber]
129 IPLT [[Hollbach]]
130 SPS Secure Packet Shield [Bill_McIntosh]
131 PIPE Private IP Encapsulation within IP [Bernhard_Petri]
132 SCTP Stream Control Transmission Protocol [Randall_R_Stewart]
133 FC Fibre Channel [Murali_Rajagopal][RFC6172]
134 RSVP-E2E-IGNORE [RFC3175]
135 Mobility Header Y [RFC6275]
136 UDPLite [RFC3828]
137 MPLS-in-IP [RFC4023]
138 manet MANET Protocols [RFC5498]
139 HIP Host Identity Protocol Y [RFC7401]
140 Shim6 Shim6 Protocol Y [RFC5533]
141 WESP Wrapped Encapsulating Security Payload [RFC5840]
142 ROHC Robust Header Compression [RFC5858]
143 Ethernet Ethernet [RFC8986]
144-252 Unassigned [Internet_Assigned_Numbers_Authority]
253 Use for experimentation and testing Y [RFC3692]
254 Use for experimentation and testing Y [RFC3692]
255 Reserved [Internet_Assigned_Numbers_Authority]

SharePoint Site Has Not Been Shared With You

SharePoint Site Not Accessible

Overview Story

Created brand new SharePoint Teams site.

Enabled Publishing Feature.

Created Access groups, Nest User in Group.

 

Troubleshooting

First Source Disable Access request feature. This feature was enabled, disable it, Result….

Second Source far more thing to try.

  1. Cache, not the case same issue from any browser and client machine.
  2. *PROCEED WITH CAUTION* Stop and Start “Microsoft SharePoint Foundation Web Application” service from Central Admin >>Application Management >>Manage services on server. In case, you face issues, use STSADM command line.cd “c:\program files\common files\microsoft shared\Web Server Extentions\16\BIN”Stop:
    stsadm -o provisionservice -action stop -servicetype spwebservice
    [Time taken ~30min not sure went for a break since it was taking so long]
    iisreset /noforce [!1min]
    Start:
    stsadm -o provisionservice -action start -servicetype spwebservice
    [Roughly 15 min]
    iisreset /noforce

Result, SharePoint completely broken, Central Admin is accessible, but all sites are in a non working state. I cannot recommend to try this fix, but if you have to ensure you are doing so either in a test environment or have a backup plan.

I managed to resolve the issue in my test environment, as it turned out the sites were all defined to be HTTPS, however the binding was done manually on IIS to certs created, and then the AAMs updated on CA. Sources one and two

Running these commands SharePoint is not aware to recreate the HTTPS bindings so this has to be done manually.

Result:

Ughhhhhhhhhhhh!

3.If are migrated from SharePoint 2010, or backup-restore/import-exported: If your source site collection is in classic windows authentication mode and the target is in claims authentication

Not the case, but tried it anayway, and results…

This is really starting to bug me…

4.If you have a custom master page verify it’s published! Checked-out master pages could cause this issue.

We did make changes to the master page to resolve some UI issues, but this had to be published to even have those changes show, so YES, no change in result.

5.If you have this feature enabled: “Limited-access user permission lockdown mode” at site collection level – Deactivate it. – Because, this prevents limited access users from getting Form pages!

Found this, deactivated it and….

Ughhhhh….

6.On publishing sites: Make sure you set the cache accounts: Super User & Reader to a domain account for the SharePoint 2013 Web Application with appropriate rights.

I’ve read this from a different source as well however none of my other sites that are teams sites with publishing enabled have these extra properties defined and they are working without issue, I decided to try anyway,

Result:

7. If you didn’t run the product and configuration wizard after installation/patch, you may get this error even if you are a site collection administrator. Run it once and get rid of this issue.

Let’s give it a whirl… Now I pushed this down from #2 as it’s pretty rough like the suggestion I put as #2, which I should probably shift down for the same risk reasons, but I did try this before the other ones and it like the stsadm commands it broke my ShaerPoint Sites, it stated errors about features defined in the content database of attached sites that the features were not installed on the front end server.

In this case I tried to run my scripts I had written to fix these types of issues (publishing of script pending), but it wouldn’t accept the site URL stating it was not a site collection, it was at this point running get-spsite returned an error…

and sure enough…

AHHHHHHHHHHHH!!!!!!!!!

I asked my colleague for help since he seems to be good at solving issue when I feel I’ve tried everything. He noted the master pages and layouts area had unique permissions, setting it to inherit from parent made the pages finally load. But is this normal? I found someone asking about the permissions here, apparently it shouldn’t be inherited and they list the default permission sets:

Yes, Master Page Gallery use unique permissions by default.
Here is the default permissions for your information:
Approvers SharePoint Group Approvers Read
Designers SharePoint Group Designers Design
Hierarchy Managers SharePoint Group Hierarchy Managers Read
Restricted Readers SharePoint Group Restricted Readers Restricted Read
Style Resource Readers SharePoint Group Style Resource Readers Read
System Account User SHAREPOINT\system Full Control

Setting there defaults I still got the page was not shared problem, for some reason it works when I set the library to inherit permissions from the parent site.

When checking other sites I was intrigued when there was only the Style Resource Readers defined. I found this blog on a similar issue when sub site inheritance is broken which interesting enough directly mentions this group.

“It occurs when the built-in SharePoint group “Style Resource Readers” has been messed with in some way.”

Will check this out.

So I went through his entire validation process for that group, it all checked out, however as soon as I broke inheritance on the master page library, made it the “known defaults” and verified all Style Resources users were correct and all permission for it on all listed libraries and lists all match,  I continued to receive Site not shared with you error.

I don’t feel the fix I found is correct, but I can’t find any other cause, or solution at this time. I hope this blog post helps someone, but I’m sad to say I wasn’t able to determine the root cause nor the proper solution.

 

Renew Certificate with same Key via CMD

certutil -store my

The command above can be used to get the required serial number for the cert needing to be renewed. This should show the machine store, if you need certs displayed for the user store remove the “my” keyword.

certreq -enroll -machine -q -PolicyServer * -cert <serial#> renew reusekeys

If you get the following error:

Ensure the machine account has enroll permission on the published certificate template. For step by step guidance follow this blog post by itexperince.

afterwards it should succeed.

*NOTE* this option archives the old certificate, and generates a new one with a new expiration date, with the same key, with a new serial number. How services that are bound to the certificate update themselves, I’m not sure for this test I did not have the certificate bound to any particular services. Verifying this actually the web server using the cert did automatically bind to the new cert, I’d still recommend you verify where the certificate is being used and ensure those services are update/restarted accordingly to apply the changes.

Fixing SharePoint Search

Broken SharePoint Crawl

Issue: SharePoint Search

First Issue: Crawl ends in 1 min 20 seconds.

Solution: Check to see if the Page Loads when queried from the front end server. If you get a credential prompt 3 times.  Then you have to disable loop back checking.

How to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Add a new DWORD value named DisableLoopbackCheck and give it a value of 1. After setting the value reboot your server.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /t REG_DWORD /d 1

Second Issue: Crawl appears to complete but Errors in Log

Log Details of “the content processing pipeline failed to process the item ExpandSegments”

You may find lots of sources stating to watch out for multi valued attributes or property names such as this nicely detailed blog post however, watch for the details in the log message and it’s a bit different. However I feel this TechNet was answered incorrectly.

I tried some of the basics, such as clearing the index and adding the search account as site admin, did not help. On that note I learnt that separate search content sources within a search application do not have their own indexes. You have to create dedicated search applications for each SharePoint site if you wish them to have their own index (“Database/Tables”).

After a bit more scouring I found many instances of the same problem with the solution always being you have to create a new search application, such as this TechNet post and this TechNet Post.

Solution:

Remove the content source from the existing Search Service Application.

Create an entirely new Search Service Application.

Reboot the Front End.

Add Crawl Content on new SSA. Crawl should work.

Third Issue: Red X on Search Service Application Services

*NOTE* After creating the new Search Application, a front end reboot is required to remove the red X’s on some of the application services statuses.

Fourth Issue: Search results not working

This from my testing appeared to have resolved the crawl issue at hand. However I wasn’t able to get results returned when entering data in to search. I did a bit of searching and testing and I found the solution. Turns out you have to associate the web application with the new search service application (In my testing I created a new uniquely defined search application to have a separate index then the other SharePoint Sites).

Solution:

Navigate to Central Admin > Application Management > Manage web applications >Highlight the web application > Select Service Connections from top ribbon > Make sure your Search service application is selected.

This was it for me, however if you still experience issues I have also read updating the front end servers can resolve issues as well, as blogged about by Stefan Goßner.

Fifth Issue: Runaway Crawl

For some unknown reason, when I went to check out the SharePoint front end after the weekend, I noticed it was using near 100% CPU usage, very similar to a Front End that is actively doing a crawl, I knew this wasn’t a normal time for a crawl and it generally never happens during this time.

To my amazement 3 crawls were on going for over 70+ hours. Attempting to stop them from the front end option “Stop all crawl” resulted in them being stuck in a stopping state.

Googling this I found stop and starting the SharePoint Search Service under services.msc did help to bring them back to “idle”.

Now I believe this next step is what caused my next issue, but it is uncertain.

I clicked on Remove Index, for the primary search service application. It was stuck at “This shouldn’t take long” for a really long time, and I believe it was my impatience here that caused the next problem, as I restarted the search service again after this fact.

Sixth Issue: Paused by System

All solutions I found for this issue resulted in no success. Even rebooting the server the primary search service content crawl states were “paused by system. Regardless of:

    1. Pausing and Resuming the Search Services
    2. Restarting the Search Services
    3. Rebooting the server

I was only able to resolve this issue the same way I fixed the initial issue with the crawl, rebuild the search service application.

I hope this blogs helps anyone experiencing issues with SharePoint Search functionality. Cheers!

Verifying Web connections to SharePoint Sites

Simple as:

Get-Counter -Counter '\web service(_total)\current connections'

You can also use performance Monitor utilizing the same filter/”counter”.

To view all filter/”counter” types: (*note a lot of output, may want to pipe to file)

typeperf -qx

This is useful info if you plan on making Site Changes and need to know how many people might be affected. At the time of this writing I haven’t been able to figure out WHO these connections belong to, however I believe with more knowledge this might be possible. I’ll leave this open for the time being, and come back to it when time permits.

Rename Lync/Skype Server

Overview

Short Answer, Don’t start fresh.

If in a clustered topology with a dedicated CMS. Remove from topology,  add new server with new name to topology and redeploy fresh.

My Expereince:

Step 1) Restore LyncVM created on resource domain, change hostname.
Step 2) Stop All Lync Services
Step 3) Create SRV record for _sipinteraltls, and 3 a records (admin, meet, dialin)
Step 4) Remove old CSM, else topogly deployment will fail. (Remove-CSconfigurationStorelocation)
Step 4.1) Extend Storage to 80Gig, else publishing will fail. (https://docs.microsoft.com/en-us/skypeforbusiness/troubleshoot/server-install-or-uninstall/error-when-install-lync-server#:~:text=This%20issue%20occurs%20because%20the,16%20GB%20of%20free%20space.)
Step 5) Open Topology Builder, if host name same, open file, if new host create new topology. Publish
FAIL

Step 1) Cloned Server
Step 2) Removed from Domain (disconnected)
Step 3) changed Hostname, and joined Domain
Step 4) Run Deployment Wizard -> Prep First Standard eidtion server
Step 5) Run Deployment Wizard -> Setup or Remove Lync Components -> Step 2
FAIL

Step 1) Cloned Server
Step 2) Removed from Domain (disconnected)
Step 3) remove all local SQL instances
Step 4) Delete C:\CSData
Step 5) Rename, Join Domain
Step 6) Run Deployment Wizard, Prepare First standard edition server
Step 7) Adjust DNS (_sipinternaltls, admin, dialin, meet)
Step 8) Remove-CSConfigurationStoreLocation
Step 9) Create and Publish Topology
SUCCESS
However Install CMS: failed:
https://social.technet.microsoft.com/Forums/en-US/88fc3dc6-cf74-474e-baf7-08609211ac1b/cannot-open-database-quotxdsquot-requested-by-the-login-the-login-failed-login-failed-for-user?forum=lyncdeploy

Long Answer (Source): This info has been shared on many blogs, not sure who’s the originator of the list

  1. Remove Skype for Business server from topology
  2. Publish topology.
  3. Run Skype for Business Server Deployment Wizard local setup on server to remove Lync components (or run the bootstrapper)
  4. Uninstall SQL Server. Front-ends have LyncLocal and RTCLocal instances. Remove both, rebooting between instance removal.  Edge only has RTCLocal instance.
  5. Remove SQL Server 2012 Management Objects (x64)
  6. Remove SQL Server 2012 Native Client (x64)
  7. Remove Microsoft System CLR Types for SQL Server 2012 (x64)
  8. Remove Microsoft Skype for Business Server 2015, Front End Server
  9. Remove Microsoft Skype for Business Server 2015, Core Components
  10. Delete leftover data:
    Delete C:Program FilesMicrosoft SQL Server
    Delete C:Program FilesMicrosoft Skype for Business Server 2015
    Delete C:CSData
  11. Rename server and restart
  12. Wait until AD replication completes with new server name.
  13. Open Topology Builder, add a new server to existing pool and publish. (If this is a SBA or Standard Edition Server, the pool and the server FQDN is identical.)
  14. Reinstall Skype for Business Server 2015components and all cumulative updates
  15. Generate new certificate with updated server name and assign to appropriate services using Skype for Business Server 2015 Deployment Wizard.
  16. Restart all servers in pool at same time (only relevant for front-end servers in an Enterprise pool).

Summary

Don’t do it. It’s so much easier to start fresh then deal with this garbage.