SCCM console fails to launch or connect to site for the first time after migrating SQL database OR The Configuration Manager console cannot connect to the Configuration Manager site database.

Recently we came across an issue where the SCCM console on the server and client PCs fails to connect to the site for the first time. It gives the error below.

“The Configuration Manager console cannot connect to the Configuration Manager site database. Verify the following:

• This computer has network connectivity to the SMS Provider computer.

• Your user account has Remote Activation permission on the Configuration Manager site server and the SMS Provider computer.

• The Configuration Manager console version is supported by the site server.

• You are assigned to at least one role-based administration security role.

• You have the following WMI permissions to the Root\SMS and Root\SMS\site_<site code> namespaces: Execute Methods, Provider Write, Enable Account, and Remote Enable.”

To give a brief idea on what happened,

  • Prior to database migration the SMS provider was installed on the database server.
  • During migration MSSUPPORT moved the SMS provider to application/site server.
  • After successful migration, when we tried to launch the console, we could see that it was trying to connect to the old database and then it failed.

The steps below were done by MSSUPPORT to remove the old instance name from the SMS Provider list.

  • Checked the log file SMSAdminUI.log
  • No errors
  • Connected to the SCCM server
  • Clicked “Connect to Site”
  • Clicked on the SCCM primary site properties
  • Found that there were two SMS Providers; it looks like the Provider was reinstalled on the SCCM server and was previously on the old SQL server
  • Closed the open SCCM console
  • Opened Wbemtest
  • Checked WMI and connected to Root\SMS
  • Clicked on “Enum Classes”, then clicked “Recursive”
  • Double-clicked on SMS_ProviderLocation
  • Opened the instances
  • We could see two Providers
  • Selected the old provider and deleted it

Opened the SCCM console and it connected directly to the site.

WSUS console fails to launch after Windows updates/Event ID 7053/The WSUS administration console has encountered an unexpected error. This may be a transient error, try restarting the administration console.

I recently encountered an error on a WSUS server running on OS 2012 R2. KB3159706 was the culprit. There is some manual configuration to do after installing this update.

Run "c:\program files\update services\tools\wsusutil.exe" postinstall /servicing from a command prompt. Wait for a few minutes.

Restart the WSUS service.

Remove wsus from %appdata%\microsoft\mmc

The wsus console should now be working.

This solved the issue for me. Hope this helps someone. 

Installing & Configuring URLScan on windows servers

Download and install URLScan. Installation is straightforward. You do not need to consult any document.

The two main files needed for configuring URLScan (Urlscan.dll and Urlscan.ini) are located by default in the folder C:\Windows\System32\inetsrv\urlscan\

By default after installation, URLScan is configured as a global filter, i.e. at the top level in IIS, so the filter is applied to all sites created in IIS.

The other way is to apply the URLScan 3.1 filter at the individual site level. That way you can configure the URLScan filter separately for each site.

For example you have 2 sites, site1 and site2 under IIS.

Open IIS and on the right hand side, open feature “ISAPI Filters”. You will see URLScan 3.1. Remove the filter.

Copy URLScan.ini and URLScan.dll from c:\windows\system32\inetsrv\urlscan\

Now right-click site1, select “browse” and paste URLScan.ini and URLScan.dll. Edit URLScan.ini according to your hardening requirements.
Now open ISAPI Filters for site1 and add the URLScan filter. Name: URLScan, path: path-to-site1. Move it to the top of the list: select the ordered list view and use the up arrow to move URLScan to the top of the list.

Restart IIS. 

Similarly you can do it for site2.

You can edit URLScan.ini to point to a log directory, so that any failed URLs are logged.

Find all open connections with port number from your computer

Open a command prompt and use the command netstat -an.

To filter the output for a particular IP address, you may use the syntax below:

netstat -an | find " 192.168.100.1"

Or, to check for a specific port:

netstat -an | findstr "443"

Or, to get more details such as the process ID that is using the port:

netstat -bano | findstr "443"

Advanced audit policy in windows using auditpol.exe

It's preferred to set the advanced audit policy through the command prompt/PowerShell rather than the GUI. Note that even after you apply the settings through the command line, the GUI might not reflect them. But that is not an issue. That's as far as I know.

Open gpedit.msc/secpol.msc

  • Computer configuration-security settings-security options
  • Set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to “Enabled”.

To get full information of advanced audit policy on a server, use the command

  • Auditpol.exe /get /category:*

In the output you can see the categories and subcategories listed with their status: success/failure/not configured.

A few examples are below:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable /failure:enable

The command below will enable only success:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable

The command below will set credential validation to “no auditing”:

  • Auditpol.exe /set /subcategory:"credential validation" /success:disable /failure:disable

You can group all of them, save them as a PowerShell script or a batch file, and run it on the required machines.
Please refer to the microsoft link for detailed info : https://technet.microsoft.com/en-us/library//dd408940(v=ws.10).aspx
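
Since the GUI may not reflect what was applied, a check against the command's own report is more reliable. The script below is an added example, not part of the original post: it parses the CSV report from auditpol.exe /get /category:* /r, compares it with a baseline, and emits the Auditpol.exe /set command for each mismatch. The baseline values, the function name Get-AuditDrift and the sample report (with placeholder GUIDs) are constructed for illustration.

```powershell
# Desired state per subcategory (hypothetical baseline; adjust to your policy).
$Baseline = [ordered]@{
    'Credential Validation' = 'Success and Failure'
    'Logon'                 = 'Success and Failure'
    'Process Creation'      = 'Success'
}

# Constructed sample of "auditpol.exe /get /category:* /r" output (GUIDs are placeholders).
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Credential Validation,{sample-guid-1},Success,
SRV01,System,Logon,{sample-guid-2},Success and Failure,
SRV01,System,Process Creation,{sample-guid-3},No Auditing,
'@

function Get-AuditDrift {
    param([string[]]$CsvLines, [System.Collections.IDictionary]$Baseline)

    # Map each reported subcategory to its current setting, skipping blank lines.
    $current = @{}
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        ForEach-Object { $current[$_.Subcategory] = $_.'Inclusion Setting' }

    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $have = if ($current.ContainsKey($name)) { $current[$name] } else { 'missing' }
        if ($have -ne $want) {
            # Translate the desired setting into the /success and /failure switches.
            $s = if ($want -match 'Success') { 'enable' } else { 'disable' }
            $f = if ($want -match 'Failure') { 'enable' } else { 'disable' }
            [pscustomobject]@{
                Subcategory = $name
                Current     = $have
                Desired     = $want
                Fix         = "Auditpol.exe /set /subcategory:`"$name`" /success:$s /failure:$f"
            }
        }
    }
}

# Offline run against the sample. On a server, pass the live report instead:
#   Get-AuditDrift -CsvLines (Auditpol.exe /get /category:* /r) -Baseline $Baseline
Get-AuditDrift -CsvLines ($SampleCsv -split "`r?`n") -Baseline $Baseline | Format-List
```

Subcategory names and setting strings in auditpol output are localized, so the baseline keys must match the display language of the server being checked.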

Remotely log off a rdp session/log off user remotely

Open a command prompt as a user that has access to the remote server. If the local and remote servers are in a workgroup, it's easier if you have the same account with the same password on both servers. Either log in with that account on the local PC and open a command prompt, or use "run as different user" to open the command prompt.

Qwinsta /server:servername or ipaddress

It will list all the logged-on sessions on the remote server. Now, using the session ID, we can log off the user from the remote server. Qwinsta only lists sessions; the logoff command ends one:

Logoff sessionid /server:servername or ipaddress