Azure site Recovery on premise to on premise (offline initial replication) - azure

I have 2 sites. Each site has one SCVMM configured to do Azure Site Recovery.
ASR is configured to replicate the VM from one site to another.
Here is the issue: my VM size is big and I want to do the initial replication offline instead of over the network, and it is just not allowing me, saying permission issues.
Can anyone help me find what could be going wrong here?
ERROR MESSAGE
Permissions couldn't be set for one or more hosts on the initial replication folder path.
Provider error code: 31218
Provider error message:
The VMM service couldn't provide permissions for cs\nimblecs1$ on \\nimblecs1\f$. Error: Object reference not set to an instance of an object.. During cloud configuration, the VMM service provides permissions for Hyper-V service accounts on the import and export paths used for initial replication.
Provider error possible causes:
The VMM service doesn't have the required privileges to modify the permissions on the import and export paths.
Provider error recommended action:
Ensure that the VMM service account has the required privileges to perform this operation.
POSSIBLE CAUSES
Verify that the initial replication path exists and is accessible.

Related

Onboarding Azure Arc VM fails: can't install Azure Connected Machine Agent

I'd like to add an offsite Windows VM to Azure Arc for health monitoring. The VM is hosted by Vultr and runs Windows Server 2016 Standard Build 14393.
However, installing AzureConnectedMachineAgent.msi on the target VM fails with error code 1603. Installation log also contains this error:
Start-Service : Service 'Guest Configuration Extension service
WixQuietExec64: (ExtensionService)' cannot be started due to the following error: Cannot start
WixQuietExec64: service ExtensionService on computer '.'.
WixQuietExec64: At C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\Modules\Exte
WixQuietExec64: nsionService\ServiceHelper.psm1:367 char:5
Any suggestions on how to fix this?
You may check if the user with which you are logged into the VM has sufficient permissions to start a system service.
If you find the following in the %ProgramData%\AzureConnectedMachineAgent\Log\himds.log or in installation logs:
time="2021-02-11T08:39:38-08:00" level=error msg="Cannot open event source: Azure Hybrid Instance Metadata Service."
You can verify the permissions by collecting the following registry key from an impacted server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS
Mitigation can be to grant the permission to write to the SECURITY_SERVICE_RID S-1-5-6, which would grant the required permissions to the himds service account.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
If the registry key does NOT exist on the impacted VM, then this resolution will NOT apply, as there will be a separate root cause such as AV interference.
If the root cause is not found here, then a procmon trace needs to be taken to analyze the root cause for the MSI not being able to start a service.
(In case a procmon trace has to be analyzed, please open an MS Support ticket.)
To get support for Windows Agent and extensions in Azure, the Windows Agent on the Windows VM must be later than or equal to version 2.7.41491.911. However, the cause for the failure of agent installation is different in this case.
You may also want to check the %programdata%\ext_mgr_logs\gc_ext_telemetry.txt log, which must have had an entry something like this:
<GCLOG>........ Not starting Extension Service since machine is an Azure VM</GCLOG>
Cause:
This can happen while attempting to install the agent on an Azure VM. This is an unsupported production scenario. One should not be installing this agent on an Azure VM, as it conflicts with the Azure Guest Agent and interferes with Azure VM management.
If one wishes to use an Azure VM simply for testing purposes, then they can follow the below document for guidance:
https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine

Azure Storage Explorer : Unable to retrieve child resources

Getting error ONLY while accessing Blob storage.
No issues in Queues, File Share or table.
Any idea?
Unable to retrieve child resources.
Details:
["FetchError:request to https://fssaicessunsetsbxv1sa.blob.core.windows.net/?include=metadata&comp=list failed, reason: unable to get local issuer certificate"]
Error: Self-Signed Certificate in Certificate Chain, Unable to retrieve child resources.
Issue for me: I am connected through an office proxy server, but Azure Storage Explorer is not using that proxy.
Solution:
Azure Storage Explorer -> Edit -> Configure Proxy,
Source = "No proxy" changed to "Use system proxy (preview)"
After making these changes, I am able to access the resources.
Moreover, verify the permissions you have on the connection string.
You generate your connection string either through the Azure Portal or some apps. When you generate the connection string, you need to give "Allowed permissions". Besides Read/Write you also need the List permission so Storage Explorer can list the blobs. Here is a screenshot in Azure portal to check/uncheck the permissions:
Have you set any RBAC policies?
If you are connected to Azure through a proxy, verify that your proxy settings are correct. If you were granted access to a resource from the owner of the subscription or account, verify that you have read or list permissions for that resource.
If possible, can you try to uninstall and reinstall the latest version and check the status of the issue?
Azure Storage Explorer Troubleshooting: "Unable to retrieve child resources" or "The request action could not be completed".
If the issue still persists after trying the above-mentioned steps, I would like to work closer on this issue. Let me know the status.
Warning: For the noobs!
If you get lucky, you can also fix it by closing and re-opening Visual Studio.
Reason: Authorization is tightly coupled with Azure.
Motivation: To err is human! Even software devs working at Microsoft are human.

Dcpromo failed - Ownership of FSMO role is set to a server which is deleted or does not exist

I am attempting to use dcpromo on a Windows 2008 R2 server. The command produces a warning and an error in the event log. Below are the printouts of those entries:
-Warning-
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=XXX,DC=XXXX
FSMO Server DN: CN=NTDS Settings\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=XXX-PDC01\0ADEL:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=XXXX
User Action:
Determine which server should hold the role in question.
Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
-Error-
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
\XXX-AWSDC2.CSI.local
This is preventing removal of this directory server.
User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.
Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
Extended error value:
0
Internal ID:
52498782
The following roles have been successfully transferred to the XXX-awsdc2 server
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
How do I remove the CN=CSI-PDC01 object using ADSI? It looks like the XXX-PDC01 held the FSMO Server role at one point and then was removed from the domain without being demoted properly. I've been unable to find any reference to the XXX-PDC01 server anywhere in the DNS, AD or ADSI.
I've also attempted to delete all the AD metadata. As a last resort, I could always use the dcpromo /forceremoval command but I'd prefer to work through the error and demote this domain controller using the dcpromo command without the forceremoval flag.
Thanks!

Azure sql database export to storage blob failed

I tried to export a SQL Database in Azure to a storage blob but the operation failed. I have done this task daily for the last month and this issue is new. It shows as follows:
Error encountered during the service operation.Blob https://blob link/dbname-2019-1-16-14-24.bacpac is not writeable. The remote server returned an error: (403) Forbidden.The remote server returned an error: (403) Forbidden.
I had the same problem. I have contacted Azure support and this is their response.
We recently identified a regression in the import/export service that is generating incorrect SAS tokens to the storage accounts.
The engineering team has rolled out the fix, but it might take some time for the fix to get applied worldwide.
Please try the following link to access Azure portal and then perform the export operations:
https://portal.azure.com/?feature.canmodifystamps=true&microsoft_azure_storage=stage1
The portal shows an orange title bar if you open it via the above link; this is expected.
So, it should be already fixed by now.
If you're using SQL scripts for backup following this link, then I suspect that the expiry date of the SHARED ACCESS SIGNATURE has been reached.
Please re-generate the SHARED ACCESS SIGNATURE, and then use the new key for backup.
Please let me know if there are any more issues.
Make sure a firewall rule does not exist. Please go to the Azure portal: "Storage Accounts" → "YourStorageAccountName" → "Firewalls and Virtual Networks" (left vertical panel). Put it to "Allow access" from "All networks". You can also configure the storage account with exceptions for trusted Microsoft services as explained here.
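Two of the causes suggested on this page, a shared access signature past its expiry date and (in the Storage Explorer thread) a connection string generated without the List permission, can be checked locally by reading the SAS query string before retrying. The following is an added example, not code from any of the answers; the function names and the sample tokens are constructed for illustration, and the signatures are placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Permission letters that can appear in the `sp` field of an account SAS.
SAS_PERMS = {"r": "read", "w": "write", "d": "delete", "l": "list",
             "a": "add", "c": "create", "u": "update", "p": "process"}

def _parse_time(value):
    """Parse the UTC time forms a SAS uses (date only, or date and time ending in Z)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def check_sas(token, needed="rwl", now=None):
    """Return a list of problems found in a SAS query string (empty list = looks usable)."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    if "sig" not in fields:
        problems.append("no signature (sig) field")
    expiry = fields.get("se")
    if expiry is None:
        problems.append("no expiry (se) field")
    elif _parse_time(expiry) <= now:
        problems.append(f"expired at {expiry}")
    start = fields.get("st")
    if start and _parse_time(start) > now:
        problems.append(f"not valid until {start}")
    granted = fields.get("sp", "")
    for letter in needed:
        if letter not in granted:
            problems.append(f"missing {SAS_PERMS.get(letter, letter)} permission")
    return problems

# Constructed sample tokens; the signatures are placeholders, not real values.
EXPIRED = "?sv=2018-03-28&ss=b&srt=sco&sp=rwl&se=2019-01-15T00:00:00Z&sig=PLACEHOLDER"
NO_LIST = "?sv=2018-03-28&ss=b&srt=sco&sp=rw&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    when = datetime(2019, 1, 16, 14, 24, tzinfo=timezone.utc)
    for name, tok in (("EXPIRED", EXPIRED), ("NO_LIST", NO_LIST)):
        print(name, check_sas(tok, now=when))
```

A token that passes these checks can still be rejected with 403 if the storage account firewall blocks the caller, since that is enforced by the service and not encoded in the token.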

Kentico 9 site import error

I'm trying to import a site into a new VM. This VM only has the demo corporate site.
I get an error when I click Import Site or Object. The event log has two entries.
Both have the following statement: Message: Access to the path 'C:\inetpub\wwwroot\Kentico9\CMS\App_Data\Persistent\import_315c65f4-dc91-4175-a4e5-fdad1601727d_settings.dat' is denied.
I checked permissions on the Kentico9 VM and they match my DEV, which doesn't have this issue. I didn't set up DEV, but I can't see why my new QA VM, which seems to have the same folder permissions, doesn't work.
We have a service level account for connecting to the DB, all through the application pool. Could there be something on the account settings?
What kind of identity is the application pool using for this site? What about if you set it to ApplicationPoolIdentity and then grant permissions to IIS_IUSRS for your Kentico root folder?
Additionally you can try checking the disk permissions problems documentation page.
