Monday, November 30, 2015

Issue with SCOM agent in forest trust domain(0x80090311)

Issue with SCOM agent in a forest-trust domain.

Event ID: 20057
Failed to initialize security context for target MSOMHSvc/rms_fqdn The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.

And also this one, less frequently:

Event ID: 21016
OpsMgr was unable to set up a communications channel to rms_fqdn and there are no failover hosts. Communication will resume when rms_fqdn is available and communication from this computer is allowed.

If you see these events with error code 0x80090311, the trust path between the agent's domain and the management server's domain is broken: Kerberos cannot contact a KDC for the management server's domain, so the agent cannot authenticate to the management server (MS).
The most common reason is a firewall issue.
TCP/UDP 88 (Kerberos) and TCP/UDP 389 (LDAP) must be open from the agent to the domain controllers of the management server's domain.
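The following script is an added example, not part of the original post. Run on the agent, it performs the same lookup Kerberos does (the _kerberos SRV record of the management server's domain), tests TCP 88 and 389 to every DC it finds, and pulls the two OpsMgr events above. The domain name ms.contoso.com, and the event log name "Operations Manager", are assumptions; UDP is not covered because Test-NetConnection only tests TCP.

```powershell
# Added example: check the Kerberos/LDAP path from a SCOM agent to the DCs of the
# management server's (trusted) domain, then show the matching agent events.
# Assumptions: $MsDomain is the management server's domain; agent log is 'Operations Manager'.
param(
    [string]$MsDomain = "ms.contoso.com",   # assumed name of the management server's domain
    [int[]]$Ports = @(88, 389)               # Kerberos and LDAP; TCP only (Test-NetConnection cannot probe UDP)
)

# 1. Locate the trusted domain's DCs through DNS SRV records, exactly as Kerberos does.
#    If this fails, the problem is DNS resolution across the trust, not the firewall.
$dcs = Resolve-DnsName -Name "_kerberos._tcp.$MsDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No SRV records for _kerberos._tcp.$MsDomain; DNS across the trust is broken." }

# 2. Probe each DC on each port from this agent.
$results = foreach ($dc in $dcs) {
    foreach ($port in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this agent: $list (open TCP/UDP 88 and 389 on the firewall)"
} else {
    Write-Host "All DCs of $MsDomain reachable on TCP $($Ports -join ',')"
}

# 3. Show recent 20057 events carrying 0x80090311, plus any 21016, from the agent's log.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20057, 21016 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 21016 -or $_.Message -match '0x80090311' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
```

If the SRV lookup succeeds but a port shows as blocked on every DC, the firewall is the cause; if it is blocked only on some DCs, the agent may still work intermittently depending on which DC Kerberos picks, which matches the "less frequent" 21016 pattern.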

Wednesday, November 18, 2015

0x109_7_1a0_40000 Research into hyper-v cases

0x109_7_1a0_40000
Research into Hyper-V cases and looking at the VMware workaround.
For example, VMware has a known issue that modifies this MSR.
Kernel Patch Protection, the internal security mechanism that raises bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION), is detecting a change or misalignment in a Model-Specific Register (MSR).
What content was changed in the MSR we cannot find out from a dump, since this information is not included in the dump.

Since we have seen similar issues in the past, we assume that this happens because the hardware/BIOS is not synchronizing the register correctly once the security feature TXT (Intel Trusted Execution Technology) is enabled.

Solution
=======
To enable Processor Compatibility Mode on existing VMs, shut down the VM and change its Processor setting, selecting the Migrate To A Physical Computer With A Different Processor Version check box, which you will find in the Settings dialog box of Hyper-V Manager.
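The same change from PowerShell on the Hyper-V host, as an added example that is not part of the original post. It assumes the Hyper-V PowerShell module is installed and uses hypothetical VM names; the setting can only be changed while the VM is off, so the script shuts each VM down first.

```powershell
# Added example: enable Processor Compatibility Mode ("Migrate to a physical computer
# with a different processor version") on existing VMs. Assumed VM names.
param([string[]]$VMName = @('SQL01', 'APP01'))

foreach ($name in $VMName) {
    $vm   = Get-VM -Name $name -ErrorAction Stop
    $proc = Get-VMProcessor -VMName $name
    if ($proc.CompatibilityForMigrationEnabled) {
        Write-Host "$name already has processor compatibility mode enabled."
        continue
    }
    if ($vm.State -ne 'Off') {
        # Clean guest shutdown through integration services; Stop-VM waits until the VM is Off.
        Write-Host "Shutting down $name (current state: $($vm.State))..."
        Stop-VM -Name $name -Force
    }
    # The checkbox in Hyper-V Manager maps to this single processor setting.
    Set-VMProcessor -VMName $name -CompatibilityForMigrationEnabled $true
    Write-Host "Enabled processor compatibility mode on $name; starting it again."
    Start-VM -Name $name
}

# Verify the result for all VMs in one table.
Get-VMProcessor -VMName $VMName | Select-Object VMName, CompatibilityForMigrationEnabled
```

Compatibility mode hides newer CPU features from the guest, so check that the workload inside the VM does not depend on instructions that disappear (for example AES-NI or AVX) before rolling it out broadly.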

Tuesday, November 3, 2015

Windows updates roll back after reboot and update installation fails. Error: Windows failed to install the following update with error 0x800F0922

Cause
=======
CBS Corruption

Resolution
=========
Ran DISM to remove the package Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14:

dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14

dism /online /cleanup-image /startcomponentcleanup

dism /online /cleanup-image /restorehealth

Checked for the App Readiness service and started it.

Installed the rest of the updates except KB2919355 and rebooted the server.

Ran an SFC scan (sfc /scannow) and then installed KB2919355 successfully.
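The resolution above as one elevated PowerShell script, added here as an example and not part of the original post. It runs the same DISM and SFC steps with exit-code checks, makes sure the App Readiness service (service name AppReadiness) is running, and reports the last 0x800F0922 entries from the CBS log. The package name is the one from the post; the log path is the default.

```powershell
# Added example: scripted version of the CBS repair sequence for error 0x800F0922.
# Run from an elevated PowerShell prompt; reboot between steps 4 and 5 as the post did.
param(
    [string]$Package = 'Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14',
    [string]$CbsLog  = "$env:windir\Logs\CBS\CBS.log"
)

function Invoke-Dism([string[]]$DismArgs) {
    # dism.exe reports failure through its exit code, not through exceptions.
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism $($DismArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

# 0. Evidence: the most recent 0x800F0922 lines from the servicing log.
Select-String -Path $CbsLog -Pattern '0x800f0922' | Select-Object -Last 5 | ForEach-Object { $_.Line }

# 1. Remove the half-installed package if it is still present.
$installed = Get-WindowsPackage -Online | Where-Object { $_.PackageName -eq $Package }
if ($installed) {
    Write-Host "Removing $Package (state: $($installed.PackageState))"
    Invoke-Dism @('/online', '/remove-package', "/packagename:$Package")
} else {
    Write-Host "$Package not present; skipping removal."
}

# 2. Component store cleanup, then repair from Windows Update / the configured source.
Invoke-Dism @('/online', '/cleanup-image', '/startcomponentcleanup')
Invoke-Dism @('/online', '/cleanup-image', '/restorehealth')

# 3. App Readiness must be running for the update to complete.
$svc = Get-Service -Name AppReadiness
if ($svc.StartType -eq 'Disabled') { Set-Service -Name AppReadiness -StartupType Manual }
if ($svc.Status -ne 'Running') { Start-Service -Name AppReadiness }
Write-Host "AppReadiness: $((Get-Service AppReadiness).Status)"

# 4. Install the remaining updates and reboot (outside this script), then:
# 5. System file check before retrying KB2919355.
& sfc.exe /scannow
if ($LASTEXITCODE -ne 0) { Write-Warning "sfc returned $LASTEXITCODE; inspect $CbsLog before installing KB2919355." }
```

Keep the CBS.log excerpt from step 0: if the same error returns after the reinstall, the component it names tells you which package is actually corrupt, which a plain "0x800F0922" in Windows Update does not.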

Sunday, November 1, 2015

How to Rejoin a Computer to the Domain Without Losing Its SID

There are a couple of ways to do this:
  1. In AD, right-click the computer and select Reset Account. Then re-join without un-joining the computer from the domain. Reboot required.
  2. In an elevated command prompt type: dsmod computer "Computer DN" -reset. Then re-join without un-joining the computer from the domain. Reboot required.
  3. In an elevated command prompt type: netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}. The account whose credentials you provide must be a member of the local Administrators group. No rejoin. No reboot.
  4. In an elevated command prompt type: nltest /Server:ServerName /SC_Reset:Domain\DomainController. No rejoin. No reboot.
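Options 3 and 4 have a PowerShell equivalent, Test-ComputerSecureChannel -Repair, which resets the computer account password and re-establishes the secure channel in place; because the computer object in AD is never deleted, its SID is preserved. The script below is an added example, not part of the original post; the optional $Server parameter (a DC to target) is an assumption.

```powershell
# Added example: repair a broken secure channel without unjoining (no SID change).
# Run elevated on the affected member. Assumes PowerShell 3.0 or later.
param(
    [string]$Server = ''   # assumed: optional DC to reset against; empty = let Netlogon pick one
)

# Healthy channel: nothing to do. The cmdlet returns $true/$false rather than throwing.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to $env:USERDNSDOMAIN is healthy; no reset needed."
    return
}

# Account allowed to reset the computer's password in AD (Domain Admins, or an account
# delegated 'Reset Password' on the computer object). Local Administrators membership on
# this machine is needed to run the repair at all, as with netdom reset.
$cred = Get-Credential -Message "Account allowed to reset this computer's AD password"

$splat = @{ Repair = $true; Credential = $cred }
if ($Server) { $splat['Server'] = $Server }

if (Test-ComputerSecureChannel @splat) {
    # The computer object was reused, so its objectSid (and local SID) is unchanged.
    $sid = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:COMPUTERNAME$").Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Secure channel repaired; computer account SID is $sid"
} else {
    throw "Repair failed: check DC reachability and that the computer object still exists in AD."
}

# Second opinion from Netlogon itself (same check option 4 relies on).
& nltest.exe /sc_verify:$env:USERDNSDOMAIN
```

Use this before any unjoin/rejoin: re-creating the computer object gives it a new SID, which silently breaks anything that referenced the old one (ACLs on shares, group memberships, SCOM/SCCM records).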

Wednesday, October 21, 2015

Windows 10 on WSUS Shows as Windows Vista

Please see the comment below from Michael regarding Hotfix 3095113, which resolves this issue.

The changes you need to add to the SQL cmd file are:

UPDATE [SUSDB].[dbo].[tbComputerTargetDetail]
SET [OSDescription] = 'Windows 10'
WHERE [OSMajorVersion] = '10'
AND [OSMinorVersion] = '0'
AND [OldProductType] = '1'
AND ([OSDescription] <> 'Windows 10' or [OSDescription] IS NULL)
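Running that statement blind against SUSDB is risky on a large WSUS, so here is an added example (not part of the original post or Michael's comment) that previews the affected rows first and applies the same UPDATE inside a transaction. It assumes WSUS on the Windows Internal Database: the named pipe below is the WID instance on Windows Server 2012/2012 R2; for a full SQL Server instance set $Instance to that server name.

```powershell
# Added example: preview, then apply, the OSDescription fix for Windows 10 clients in SUSDB.
# Assumed: WID named pipe (2012/2012 R2); run as a local administrator on the WSUS server.
param(
    [string]$Instance = 'np:\\.\pipe\MICROSOFT##WID\tsql\query',
    [switch]$Apply
)

# Same predicate as the UPDATE from the comment, reused for preview and apply.
$where = @"
WHERE [OSMajorVersion] = '10' AND [OSMinorVersion] = '0' AND [OldProductType] = '1'
  AND ([OSDescription] <> 'Windows 10' OR [OSDescription] IS NULL)
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Database=SUSDB;Integrated Security=True"
$conn.Open()
try {
    # 1. Preview: how many computers carry each wrong label.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT [OSDescription], COUNT(*) AS Computers FROM [dbo].[tbComputerTargetDetail] $where GROUP BY [OSDescription]"
    $rdr = $cmd.ExecuteReader()
    $expected = 0
    while ($rdr.Read()) {
        "{0,-30} {1,6}" -f $rdr['OSDescription'], $rdr['Computers']
        $expected += [int]$rdr['Computers']
    }
    $rdr.Close()
    if ($expected -eq 0) { Write-Host "Nothing to fix."; return }
    if (-not $Apply)     { Write-Host "$expected computers would be relabelled; re-run with -Apply."; return }

    # 2. Apply in a transaction; roll back if the row count differs from the preview.
    $tx  = $conn.BeginTransaction()
    $upd = $conn.CreateCommand()
    $upd.Transaction = $tx
    $upd.CommandText = "UPDATE [dbo].[tbComputerTargetDetail] SET [OSDescription] = 'Windows 10' $where"
    $n = $upd.ExecuteNonQuery()
    if ($n -eq $expected) {
        $tx.Commit()
        Write-Host "Updated $n rows."
    } else {
        $tx.Rollback()
        throw "Expected $expected rows but the UPDATE touched $n; rolled back."
    }
}
finally { $conn.Close() }
```

The label is purely cosmetic in the console; approvals and targeting are driven by the version columns, which is why the hotfix (and this query) only touch OSDescription.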


Tuesday, October 20, 2015

Delegate Moving User, Group and Computer Accounts Between Organizational Units in Active Directory

http://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx

Object   | Organizational Unit             | Permission Tab | Apply to                               | Permission
---------|---------------------------------|----------------|----------------------------------------|--------------------------
User     | Source Organizational Unit      | Object         | This object and all descendant objects | Delete User objects
         |                                 | Properties     | Descendant User objects                | Write Distinguished Name
         |                                 | Properties     | Descendant User objects                | Write name
         |                                 | Properties     | Descendant User objects                | Write Name
         | Destination Organizational Unit | Object         | This object and all descendant objects | Create User objects
Group    | Source Organizational Unit      | Object         | This object and all descendant objects | Delete Group objects
         |                                 | Properties     | Descendant Group objects               | Write Distinguished Name
         |                                 | Properties     | Descendant Group objects               | Write name
         |                                 | Properties     | Descendant Group objects               | Write Name
         | Destination Organizational Unit | Object         | This object and all descendant objects | Create Group objects
Computer | Source Organizational Unit      | Object         | This object and all descendant objects | Delete Computer objects
         |                                 | Properties     | Descendant Computer objects            | Write Distinguished Name
         |                                 | Properties     | Descendant Computer objects            | Write name
         |                                 | Properties     | Descendant Computer objects            | Write Name
         | Destination Organizational Unit | Object         | This object and all descendant objects | Create Computer objects
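Clicking through the ACL editor for three object classes and two OUs is error-prone, so the following added example (not part of the original post or the TechNet article) writes exactly the ACEs in the table with the ActiveDirectory module. The OU distinguished names and the group CORP\OU-Movers are assumed. "Write name" and "Write Name" in the editor correspond to the name (RDN) and cn attributes; that mapping follows the default display specifiers and is an assumption, so check it against your forest.

```powershell
# Added example: delegate "move between OUs" for user, group and computer objects.
# Assumed names: the two OUs and the delegated group.
Import-Module ActiveDirectory
$Group    = 'CORP\OU-Movers'
$SourceOU = 'OU=Staging,DC=corp,DC=example'
$DestOU   = 'OU=Workstations,DC=corp,DC=example'

# Schema GUIDs for the classes and attributes named in the table.
# ACL editor labels: "Write Distinguished Name" = distinguishedName, "Write name" = name, "Write Name" = cn (assumed).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guid = @{}
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, schemaIDGUID -LDAPFilter `
    '(|(lDAPDisplayName=user)(lDAPDisplayName=group)(lDAPDisplayName=computer)(lDAPDisplayName=distinguishedName)(lDAPDisplayName=name)(lDAPDisplayName=cn))' |
    ForEach-Object { $guid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
$ADS = [System.DirectoryServices.ActiveDirectoryRights]
$INH = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

function Add-OuAce([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

foreach ($class in 'user', 'group', 'computer') {
    # Source OU, Object tab: Delete <class> objects, this object and all descendant objects.
    $srcRules = @(New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $sid, $ADS::DeleteChild, 'Allow', $guid[$class], $INH::All))
    # Source OU, Properties tab: Write distinguishedName / name / cn on descendant <class> objects only.
    foreach ($attr in 'distinguishedName', 'name', 'cn') {
        $srcRules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                        $sid, $ADS::WriteProperty, 'Allow', $guid[$attr], $INH::Descendents, $guid[$class])
    }
    Add-OuAce -Dn $SourceOU -Rules $srcRules

    # Destination OU, Object tab: Create <class> objects, this object and all descendant objects.
    Add-OuAce -Dn $DestOU -Rules @(New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $sid, $ADS::CreateChild, 'Allow', $guid[$class], $INH::All))
}

# Review what was written for the delegated group.
foreach ($ou in $SourceOU, $DestOU) {
    "`n$ou"
    (Get-Acl "AD:\$ou").Access | Where-Object { $_.IdentityReference -eq $Group } |
        Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
}
```

Note what this deliberately does not grant: no generic Write or Delete on the OUs themselves, and no rights on attributes other than the three naming attributes, so the group can relocate objects but cannot modify them or create objects in the source OU.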

Thursday, October 15, 2015

RunbookTester.config

To start the Runbook Designer as another user, click Start > All Programs > Microsoft System Center 2012 > Orchestrator, then hold down the SHIFT key and right-click Runbook Designer. Select Run as different user. Enter the other user's credentials and Runbook Designer launches. You can then go to the runbook you want to test and click Runbook Tester.
Note: the alternate user must have rights in the Runbook Designer to see the runbook and must be a member of the Orchestrator Users group in order for the runbook to load in the Runbook Tester.
You can verify that this account is being used to open and test the runbook by going to the following directory:
C:\Users\<ACCOUNT_NAME>\AppData\Local\Microsoft System Center 2012\Orchestrator
There you should see an XML file that represents the runbook being edited, and a file named RunbookTester.config, which shows that Runbook Tester is being opened in that user context.
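The same procedure driven from PowerShell, as an added example that is not part of the original post: it checks the group-membership precondition, launches Runbook Designer under the alternate account, and then lists the runbook XML and RunbookTester.config under that account's profile. The install path and the local group name OrchestratorUsersGroup are assumptions; adjust them to your installation.

```powershell
# Added example: run Runbook Designer as another user and verify the user context
# through the files it writes under that user's profile.
# Assumed: default install path and the default local group name.
$Designer = 'C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator\Runbook Designer\RunbookDesigner.exe'
$GroupName = 'OrchestratorUsersGroup'

$cred = Get-Credential -Message 'Account to open and test the runbook as'
$user = $cred.UserName.Split('\')[-1]      # strip DOMAIN\ for the profile folder name

# Precondition from the post: without membership the runbook will not load in Runbook Tester.
$members = & net.exe localgroup $GroupName 2>$null
if (-not ($members -match [regex]::Escape($user))) {
    Write-Warning "$($cred.UserName) is not listed in local group $GroupName (direct membership); the runbook may not load in Runbook Tester."
}

if (-not (Test-Path $Designer)) { throw "Runbook Designer not found at $Designer" }
Start-Process -FilePath $Designer -Credential $cred
Write-Host "Open the runbook and click Runbook Tester, then press Enter to verify the user context."
[void](Read-Host)

# Evidence that the alternate account, not the logged-on user, is driving the test.
$dir = "C:\Users\$user\AppData\Local\Microsoft System Center 2012\Orchestrator"
if (-not (Test-Path $dir)) { throw "$dir does not exist; Designer did not run as $user" }
Get-ChildItem -Path $dir |
    Where-Object { $_.Name -eq 'RunbookTester.config' -or $_.Extension -eq '.xml' } |
    Select-Object Name, LastWriteTime, Length
```

A missing RunbookTester.config in that profile, with a fresh one under your own profile, means the Tester is still running as you, which is the mistake this check is meant to catch.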