PowerShell: Issue with Connect-SPOService

Assuming the SharePoint Online Management Shell is installed.

The first step in managing a SharePoint Online tenant is connecting to it. However, the following error commonly occurs while connecting to the tenant (SPO connection) with the “Connect-SPOService” PowerShell command. I encountered this error in the early days of the SharePoint Online Management Shell. Surprisingly, it still persists with the latest version, so I wanted to summarize the findings.

Symptoms:

PS C:\WINDOWS\system32> Connect-SPOService -Url "https://organizationname-admin.sharepoint.com" -Credential $creds
Connect-SPOService : For security reasons DTD is prohibited in this XML document. To enable DTD processing set the
DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
At line:1 char:1
+ Connect-SPOService -Url "https://organizationname-admin.sharepoint.com" -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Connect-SPOService], XmlException
+ FullyQualifiedErrorId : System.Xml.XmlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService

Observations from Fiddler Trace:

  • A GET request sent to https://msoid.organizationname.onmicrosoft.com/FPUrl.xml was answered with content of type “text/html” instead of valid XML. The role of “FPUrl.xml” is unknown.
  • The returned HTML (from the step above) is from my ISP, saying that the specified URL was not found.
  • I got a similar response when I tried the URL directly in the browser.
  • Another interesting thing here is msoid, a CNAME record required in the external DNS. Its purpose is to direct the user to the best server for the auth process, to facilitate a faster authentication response. This is not going to solve my issue, as I don’t have any custom domain. Moreover, MS’s documentation states this as a requirement only for O365 operated by “21Vianet”, which, again, is not my case.

Error Message:

  • DtdProcessing of XmlReaderSettings: there is nothing to do with this setting, as we do not explicitly handle the XML in our script.

Solution (1): A straightforward option is to go with web login. This is said to be the only way when MFA is enabled; however, it comes to the rescue with this issue too.
Execute the command without passing the credentials:

PS C:\WINDOWS\system32> Connect-SPOService -Url "https://organizationname-admin.sharepoint.com"

This will pop up a web form prompting for credentials. Once we log in, it works without any issue.

Solution (2): Configure Google’s public DNS server for IPv4. This will resolve the issue. This solution is also suitable when the error originates from CSOM code.

Note: For IPv6, the corresponding IPv6 address of Google’s DNS should work.
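
A way to confirm the cause before changing DNS settings, as an added example that is not part of the original post: it compares what the default resolver and Google's resolver return for the msoid host name from the Fiddler trace, then reports the content type served for FPUrl.xml. The tenant name is the page's placeholder, and the interface alias in the last line is an assumption.

```powershell
# Added diagnostic example, not part of the original post.
# 'organizationname' is the page's placeholder tenant name.
$hostName       = 'msoid.organizationname.onmicrosoft.com'
$publicResolver = '8.8.8.8'   # Google public DNS (IPv4)

function Get-ARecord {
    param([Parameter(Mandatory)][string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    # NXDOMAIN yields no output here; keep only A records from any CNAME chain.
    @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

$viaDefault = Get-ARecord -Name $hostName
$viaPublic  = Get-ARecord -Name $hostName -Server $publicResolver

"Default resolver : $(if ($viaDefault) { $viaDefault -join ', ' } else { 'no A record' })"
"Public resolver  : $(if ($viaPublic)  { $viaPublic  -join ', ' } else { 'no A record' })"

if ($viaDefault -and -not $viaPublic) {
    'The default resolver answers for a name the public resolver reports as missing:'
    'it is rewriting NXDOMAIN responses, which matches the HTML page seen in the trace.'
}

# Look at what actually comes back for the file the cmdlet requests.
try {
    $resp = Invoke-WebRequest -Uri "https://$hostName/FPUrl.xml" -UseBasicParsing -TimeoutSec 10
    "FPUrl.xml Content-Type: $($resp.Headers['Content-Type'])"
} catch {
    "FPUrl.xml request failed: $($_.Exception.Message)"
}

# Solution (2) from an elevated prompt; 'Ethernet' is an assumed interface alias.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '8.8.8.8','8.8.4.4'
```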

Full Farm Backup fails – Causes and Solutions

Requirements to check before moving on to the Errors section:

  1. A shared folder needs to be created, and full control on it has to be granted to the timer job account, the SQL Server service accounts and CA’s app pool account
  2. The SQL Server VSS Writer service, which facilitates backup/restore, should be running
  3. The SharePoint Administration Service should be running on all servers of the farm

Error 1: Here WSS_XXXX is any database.

Object WSS_XXXX failed in event OnBackup. For more information, see the spbackup.log or sprestore.log file located in the backup directory.
SqlException: Cannot open backup device ‘\\Backup\spbr0000\0000015d.bak’. Operating system error 3(The system cannot find the path specified.).
BACKUP DATABASE is terminating abnormally.

Possible reasons and solutions:

  • Possible reason: The path given for the backup is wrong.
    Solution: Check the path and correct it. It must be a shared folder.
  • Possible reason: Insufficient privileges, i.e. the Windows SharePoint Services Timer V4 (SPTimerV4) and the SQL Server service account perform backup/restore operations on behalf of the requesting user. Hence these accounts should have full control on the backup locations.
    Solution: While sharing the folder, granting ‘Full Control’ to ‘Everyone’ will not work. The domain account (ideally) under which the Timer Service and the SQL Server service execute should be explicitly granted ‘Full Control’ on the shared folder.

Find the SQL Server accounts that carry out backup/restore by checking the services below…

Sharing the folder:
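
The two steps above (finding the service accounts, then granting them explicit access on the share), as an added PowerShell example that is not from the original post. The server names, share name and folder path are assumptions, and the service names other than SPTimerV4 are the usual defaults rather than values taken from the page.

```powershell
# Added example, not from the original post. Assumed names: servers 'SP01' and
# 'SQL01', share 'SPBackup' at 'D:\SPBackup'. Run on the server hosting the share.
$servers   = 'SP01', 'SQL01'
$shareName = 'SPBackup'
$sharePath = 'D:\SPBackup'

# Services from the checklist and Error 1: timer, administration, VSS writer, SQL engine.
$wanted = 'SPTimerV4', 'SPAdminV4', 'SQLWriter', 'MSSQLSERVER'
$services = Get-CimInstance -ClassName Win32_Service -ComputerName $servers |
    Where-Object { $_.Name -in $wanted -or $_.Name -like 'MSSQL$*' }
$services | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, State, StartName -AutoSize

# Only the timer and SQL engine accounts write the backup files.
$accounts = $services |
    Where-Object { $_.Name -eq 'SPTimerV4' -or $_.Name -like 'MSSQL*' } |
    Select-Object -ExpandProperty StartName | Sort-Object -Unique

foreach ($account in $accounts) {
    # Built-in identities reach the share as the computer account, not as themselves;
    # the page recommends a domain account for these services.
    if ($account -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)') {
        Write-Warning "$account is a built-in identity; run the service under a domain account."
        continue
    }
    # Share-level permission, then the matching NTFS permission on the folder.
    Grant-SmbShareAccess -Name $shareName -AccountName $account -AccessRight Full -Force | Out-Null
    icacls $sharePath /grant "${account}:(OI)(CI)F" | Out-Null
}

Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessControlType, AccessRight
```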

Error 2: The User Profile Synchronization service instance causes this issue.

FatalError: Object UPS failed in event OnBackup. For more information, see the spbackup.log or sprestore.log file located in the backup directory.
SPDuplicateObjectException: An object of the type Microsoft.Office.Server.Administration.ProfileSynchronizationUnprovisionJob named “ProfileSynchronizationUnprovisionJob” already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named “SPTimerV4”. Rename your object or delete the existing object.

Possible reasons and solutions:

  • Possible reason: The ‘User Profile Synchronization service’ instance (CA -> Manage Services on server) is in the ‘Stopping’ state.
    Solution: Let the service instance settle into a Started or Stopped state, not an ‘-ing’ state.

Note: Usually this error is thrown when we try to unprovision a service instance that is already in the ‘Stopping’ state. Here the timer job may not be trying to unprovision the instance; however, it checks the job queue to ensure that no jobs are executing, so that the system gets stored/backed up in a stable state.

Error 3: The Search Service Application causes this issue.

FatalError: Object Search Service Application failed in event OnBackup …

Possible reasons and solutions:

  • Possible reason: The timer job service account doesn’t have permission on the Search Service Application.
    Solution: Grant Full Control permission to the timer job service account on the Search Service Application.
  • Possible reason: The Search Service account doesn’t have permission to the shared folder.
    Solution: Share the folder with the search service account with full control.

Note: Try narrowing down the permissions as much as possible. It’s not advisable to grant Full Control unless it’s really needed.