Hello everyone, my name is John Clyburn, and I am a Sr. consultant in MCS. I recently ran into a problem changing a Software Defined Networks (SDN) self-signed cert to an enterprise CA cert. My environment is configured with a single-node SDN Network Controller for testing purposes. I have been primarily working with Windows Server 2019 and VMM 2019, deploying the solution using VMM SDN Express from the GitHub site. To learn more about this solution, see the following link: SDNExpress.
I ran into a problem that I would like to share with everyone in hopes that this will save you some time if you ever run into it.
PROBLEM:
Although the problem below has to do with the state of the network controller (NC), it was discovered while attempting to change an SDN self-signed certificate to an enterprise Certificate Authority certificate.
I will not cover all the steps required to switch an SDN self-signed certificate to one published by an Enterprise Certificate Authority. For details on changing an SDN self-signed cert to an enterprise CA cert, see the following link: Update the network controller server certificate. I will use this link to reference steps below to explain where I encountered the errors.
When you attempt to run Step 3. Update the server certificate by executing the following PowerShell command on one of the NC nodes:
$certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -eq "ac45ff3a3b1c86daf9cc108708fc81597b154653"}
Set-NetworkController -ServerCertificate $certificate
It fails with the following:
Set-NetworkController : Network Controller update is pending, please run Update-NetworkController. All operations are blocked
till update ...
Note: this message could mean that there are network controller updates that have not been applied.
I noticed there were Operating System updates available on the Network Controller, so I installed them and rebooted the server. The Update-NetworkController cmdlet updates the Network Controller binaries after a software update is installed or after the operating system is upgraded. Network Controller automatically updates binaries after no longer than one hour. If you want the binaries to be updated immediately, run this cmdlet.
I then ran Update-NetworkController and it gave the following message:
Update-NetworkController : Network Controller update is in progress. All operations are blocked at the moment
SOLUTION:
There are several reasons why you may get the “Network Controller is in progress” error. My issue had to do with a single node SDN NC configuration. It was resolved by a Microsoft senior SDN Software Engineer running several commands based on my Network Controller environment queries. There are too many variables at play to write one document that covers everyone’s specific case or environment.
Therefore, if you receive this error, contact the SDN_Feedback distribution list for help.
Once you have resolved the issue and can run the Update-NetworkController command without receiving the above error, you are ready to continue with the Update the Network Controller Server Certificate article:
Step 4. Update the certificate used for encrypting the credentials stored in the NC by executing the following command on one of the NC nodes.
$certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Thumbprint -eq "Thumbprint of new certificate"}
Set-NetworkControllerCluster -CredentialEncryptionCertificate $certificate
And that is it. The steps above were successful in resolving the issue I had with the "Network Controller update is in progress. All operations are blocked at the moment" error. I hope this post saves you time if you ever encounter these errors.
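The thumbprint lookup in Steps 3 and 4 hands whatever the filter returns straight to Set-NetworkController or Set-NetworkControllerCluster. The following pre-flight check is an added example, not part of the original post or the Microsoft article: the helper name Resolve-NcCertificate is hypothetical, and the Server Authentication EKU check is an assumption about what a server certificate should carry.

```powershell
# Added example. Resolve-NcCertificate is a hypothetical helper, not a built-in cmdlet.
function Resolve-NcCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    # Thumbprints pasted from the certificate UI often carry spaces or
    # invisible characters, so keep hex digits only before comparing.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    # Same lookup as in the post, but the result count is checked.
    $found = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate $clean in $StorePath, found $($found.Count)."
    }
    $cert = $found[0]

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $clean is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $clean has no private key in $StorePath."
    }

    # Assumption: a server certificate should allow Server Authentication.
    # A certificate with no EKU extension is unrestricted, so an empty list passes.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
        throw "Certificate $clean lacks the Server Authentication EKU ($serverAuthOid)."
    }
    return $cert
}

# Usage on an NC node, with the thumbprint from Step 3 of the post:
#   $certificate = Resolve-NcCertificate -Thumbprint 'ac45ff3a3b1c86daf9cc108708fc81597b154653'
#   Set-NetworkController -ServerCertificate $certificate
```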