Wednesday, December 15, 2010

Grant Local Administrators MS SQL SysAdmin Rights while not a SysAdmin

I recently had a problem where a Microsoft SQL instance on a development server was inaccessible. The server was no longer bound to the domain and the local Windows Administrator accounts didn't have sysadmin access to SQL Server. I found a great post over at David Browne's, Batch File to Grant Local Administrators a Sysadmin Login in SQL Server, on the method by which you can give access to the administrative accounts.

The outcome is that if you have Administrator access to the machine you can always give yourself full access to the databases.

Thursday, December 9, 2010

Nexus 1000 Interface resetting when only member of Port-Channel

This should be the first of many posts on configuring VMware ESX hosts to use the Nexus 1000. This is a work in progress. First and foremost, I am not a networking guy and this is a very complicated configuration. The networking admin where I work, Chris Johnson, is very good and has been teaching me as we work out the problems. I'm learning this stuff with you, so please post any help you can. I'll try to do the same.

One of the thousand problems I've been working with actually came from the host we use to migrate machines on and off the Nexus switches. We have some hosts that use the regular VMware Distributed Virtual Switch (DVS) and we have test hosts that use the Nexus 1000V Distributed Virtual Switch.
  • All our VMware ESX hosts use dual-port 10 Gig FCoE Emulex cards set up as trunks.
  • All hosts also have two 100 MB NICs
    • One is for the lights-out management (Dell Remote Management Cards and a really crappy IBM knock-off).
    • One is for the service console, which is not on the distributed virtual switch but on the normal virtual switch. The service console isn't on the distributed virtual switch because we've had too many problems managing the hosts when the Emulex cards and/or Nexus fail.
One host has a single 10G NIC on the regular VMware Distributed Virtual Switch and its other 10G NIC on the Nexus 1000V Distributed Virtual Switch. This host is for migrating machines on and off the Nexus hosts. As a result, the Nexus 10G NIC interface was set up in a port-channel by itself. The result was that the interface kept resetting every minute. It would stay up for 30 seconds, then go offline for 30 seconds.

Here is how this looked in the logs.

Nexus 1000 Command: show logging last 100
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-SPEED: Interface port-channel4, operational speed changed to 10 Gbps
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-IF_DUPLEX: Interface port-channel4, operational duplex mode changed to Full
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel4, operational Receive Flow Contol state changed to on
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel4, operational Transmit Flow Contol state changed to on
2010 Dec 7 12:12:40 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:12:40 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk
2010 Dec 7 12:13:07 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:13:08 ac02-ns1-01 %ETHPORT-5-SPEED: Interface port-channel4, operational speed changed to 10 Gbps
2010 Dec 7 12:13:08 ac02-ns1-01 %ETHPORT-5-IF_DUPLEX: Interface port-channel4, operational duplex mode changed to Full
2010 Dec 7 12:13:08 ac02-ns1-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel4, operational Receive Flow Contol state changed to on
2010 Dec 7 12:13:08 ac02-ns1-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel4, operational Transmit Flow Contol state changed to on
2010 Dec 7 12:13:44 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:13:44 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-SPEED: Interface port-channel4, operational speed changed to 10 Gbps
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-IF_DUPLEX: Interface port-channel4, operational duplex mode changed to Full
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel4, operational Receive Flow Contol state changed to on
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel4, operational Transmit Flow Contol state changed to on
2010 Dec 7 12:14:41 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:14:41 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk

ESX Command: tail /var/log/vmkernel -n 30
Dec  7 11:43:02 nkuvmhost9 vmkernel:
Dec  7 11:43:30 nkuvmhost9 vmkernel: 3:21:34:09.172 cpu8:4531)Need to send MAC Move for Inband Port
Dec  7 11:43:30 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 60 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 70 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 200 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 268 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 274 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:02 nkuvmhost9 vmkernel: 3:21:34:41.376 cpu3:4319)Not removing sys vlan 275 from the ltl 18
Dec  7 11:44:02 nkuvmhost9 vmkernel:
Dec  7 11:44:31 nkuvmhost9 vmkernel: 3:21:35:10.172 cpu8:4104)Need to send MAC Move for Inband Port
Dec  7 11:44:31 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.376 cpu8:4319)Not removing sys vlan 60 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.376 cpu8:4319)Not removing sys vlan 70 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.376 cpu8:4319)Not removing sys vlan 200 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.376 cpu8:4319)Not removing sys vlan 268 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.377 cpu8:4319)Not removing sys vlan 274 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:02 nkuvmhost9 vmkernel: 3:21:35:41.377 cpu8:4319)Not removing sys vlan 275 from the ltl 18
Dec  7 11:45:02 nkuvmhost9 vmkernel:
Dec  7 11:45:32 nkuvmhost9 vmkernel: 3:21:36:11.172 cpu8:4531)Need to send MAC Move for Inband Port
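
The up/down cycle in the Nexus excerpt above is easy to miss by eye in a long show logging output. As an added example that is not part of the original post, here is a small Python parser for NX-OS syslog lines that reports, per interface, how often it went down, the period of the flaps, the outage length and how many times LACP reported the port "operationally individual"; the log text is a constructed sample in the same format as the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a trimmed copy of the "show logging" excerpt above, same format.
SAMPLE_LOG = """\
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:12:07 ac02-ns1-01 %ETHPORT-5-SPEED: Interface port-channel4, operational speed changed to 10 Gbps
2010 Dec 7 12:12:40 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:12:40 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk
2010 Dec 7 12:13:07 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:13:44 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:13:44 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk
2010 Dec 7 12:14:08 ac02-ns1-01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet6/3 is down (Initializing)
2010 Dec 7 12:14:41 ac02-ns1-01 %ETH_PORT_CHANNEL-4-PORT_INDIVIDUAL: port Ethernet6/3 is operationally individual
2010 Dec 7 12:14:41 ac02-ns1-01 %ETHPORT-5-IF_UP: Interface Ethernet6/3 is up in mode trunk
"""

# NX-OS syslog line: "<timestamp> <switch> %<FACILITY>-<severity>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
# The interface name follows "Interface " or "port " and ends at a space or comma.
IFACE_RE = re.compile(r"(?:Interface|port) ([^\s,]+)")


def parse_line(line):
    """Return a dict with ts/host/mnemonic/iface for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    im = IFACE_RE.search(m["msg"])
    return {"ts": ts, "host": m["host"], "mnemonic": m["mnemonic"],
            "iface": im.group(1) if im else None}


def flap_report(log_text, min_down_events=2):
    """Summarise interfaces that went down at least min_down_events times.

    For each such interface report how often it went down, the mean time
    between successive IF_DOWN events (the "every minute" in the post), the
    mean time from IF_DOWN to the next IF_UP (the ~30 s outage), and how many
    times LACP reported it "operationally individual", i.e. not bundled."""
    downs, ups, individual = defaultdict(list), defaultdict(list), defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or not ev["iface"]:
            continue
        if ev["mnemonic"].startswith("IF_DOWN"):
            downs[ev["iface"]].append(ev["ts"])
        elif ev["mnemonic"] == "IF_UP":
            ups[ev["iface"]].append(ev["ts"])
        elif ev["mnemonic"] == "PORT_INDIVIDUAL":
            individual[ev["iface"]] += 1

    report = {}
    for iface, down_ts in downs.items():
        if len(down_ts) < min_down_events:
            continue
        periods = [(b - a).total_seconds() for a, b in zip(down_ts, down_ts[1:])]
        outages = []
        for d in down_ts:
            later_ups = [u for u in ups[iface] if u > d]
            if later_ups:
                outages.append((min(later_ups) - d).total_seconds())
        report[iface] = {
            "down_events": len(down_ts),
            "mean_period_s": sum(periods) / len(periods) if periods else None,
            "mean_outage_s": sum(outages) / len(outages) if outages else None,
            "lacp_individual_events": individual[iface],
        }
    return report


if __name__ == "__main__":
    for iface, stats in flap_report(SAMPLE_LOG).items():
        print(iface, stats)
```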

It seems we can hide this issue if we remove the interface from the port-channel.

Warning: Before you can disable vPC (virtual port channel) you must remove all but one NIC from the distributed switch in ESX.

An example of how to remove an interface from a port-channel:
  • > conf
  • > interface ethernet 6/3
  • > no channel-group 21 mode active
But why does it fail in the first place when it's the single member of the port-channel?

Post a comment if you have any idea why, or over at my post at http://communities.vmware.com/message/1661219#1661219.


Tuesday, November 30, 2010

Create Image files from MS SQL Image Data Type with Powershell

Today my brother Patrick asked me to pull pictures from our ID badge system to be used for Active Directory. I found that the images were stored in a Microsoft SQL 2000 instance as the image data type. After some work with PowerShell I was able to recreate the image file from the SQL data. This example is of course a simplified version but should be easy enough to modify for your needs.

$picture_ID = 1
$file = "c:\image.jpeg"
$sqlserver = "DBServer"
#note image is an SQL Type "Image" (a binary blob)
#the ID is passed as a query parameter rather than pasted into the SQL text
$SQLCommand = "Select image 
  From ImageTable
  Where ID = @id"
$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = "Server=$sqlserver;Database=master;Integrated Security=True"
$SqlConnection.Open()
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $SQLCommand
$SqlCmd.Connection = $SqlConnection
[void]$SqlCmd.Parameters.AddWithValue("@id", $picture_ID)
#ExecuteScalar returns the first column of the first row: the image bytes
[byte[]]$imageBytes = $SqlCmd.ExecuteScalar()
$SqlConnection.Close()

#-Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead
Set-Content -path $file -Value $imageBytes -Encoding Byte
start $file #open the file to view if its correct.

In my case I didn't know the files were JPEG but used http://www.sqlimageviewer.com/ to first see what type of files they are, then changed the file extension accordingly. The trial was sufficient for this, no need to buy it.

Additionally I modified a function from Jason Fossen to demo the return array when it was returned as a string to create a byte array and

function Convert-HexStringToByteArray {
    Param ( [String] $String )

    #Clean out whitespaces and any other non-hex crud.
    $String = $String.ToLower() -replace '[^a-f0-9\\\,x\-\:]',''

    #Try to put into canonical colon-delimited format.
    $String = $String -replace '0x|\\x|\-|,',':'

    #Remove beginning and ending colons, and other detritus.
    $String = $String -replace '^:+|:+$|x|\\',''

    #Maybe there's nothing left over to convert...
    if ($String.Length -eq 0) { ,@() ; return }

    #Drop the remaining delimiters so only hex digit pairs are left; splitting
    #on pairs with a colon still present would hand ':' to ToByte and fail.
    $String = $String -replace ':',''
    if ($String.Length % 2 -ne 0) { throw "Odd number of hex digits in input" }

    #Split into two-character chunks and convert each one to a byte.
    $String -split '([a-f0-9]{2})' | foreach-object {
        if ($_) {
            [System.Convert]::ToByte($_,16)
        }
    }
}

$file = "c:\image.jpeg"
$img = "0xFFD8FFE000104A46......" #excluded the rest for size reasons
[byte[]]$ba = Convert-HexStringToByteArray $img
Set-Content -path $file -Value $ba -Encoding Byte
start $file #open the file to view if its correct.
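
As an added example that is not the post's own code, the same loose hex-string to bytes conversion done in Python, plus the file-type check the post did with SQL Image Viewer, done here by reading the blob's leading magic bytes rather than trusting an extension. The sample hex is a constructed JFIF header continuing the bytes the post shows; it is not a complete image.

```python
import re

# Leading bytes ("magic") of the image formats an ID-badge system is likely to store.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
]


def hex_string_to_bytes(text):
    """Accept the loose formats the PowerShell helper above accepts:
    '0xFFD8FF', 'ff:d8:ff', 'ff-d8-ff', 'ff,d8,ff', '\\xff\\xd8' or plain 'ffd8ff'.
    Stray characters or an odd digit count raise, so a truncated or mangled
    blob is noticed instead of being written out as an image."""
    cleaned = re.sub(r"0x|\\x|[\s:,\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]*", cleaned):
        raise ValueError("input contains non-hex characters")
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def detect_image_type(blob):
    """Return 'jpeg', 'png', 'gif', 'bmp' or 'unknown' from the leading bytes."""
    for magic, kind in SIGNATURES:
        if blob.startswith(magic):
            return kind
    return "unknown"


def save_blob_as_image(blob, base_path):
    """Write blob to base_path plus the extension its magic bytes indicate.
    Refuses unknown content so a non-image blob is never handed to a viewer."""
    kind = detect_image_type(blob)
    if kind == "unknown":
        raise ValueError("blob does not start with a known image signature")
    path = f"{base_path}.{kind}"
    with open(path, "wb") as fh:
        fh.write(blob)
    return path


# Constructed sample: the SOI + APP0 "JFIF" header the post's hex string begins
# with (FF D8 FF E0 00 10 4A 46 49 46 00 01 01), padded with zero bytes.
SAMPLE_HEX = "0xFFD8FFE000104A464946000101" + "00" * 8

if __name__ == "__main__":
    data = hex_string_to_bytes(SAMPLE_HEX)
    print(detect_image_type(data))                 # jpeg
    print(save_blob_as_image(data, "/tmp/badge_1"))  # /tmp/badge_1.jpeg
```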

Monday, November 29, 2010

Create LTO Barcode Labels

This post is more for my own memory than yours. A while back I needed to reuse some LTO cleaning cartridges. However, the IBM tape library we use needed LTO barcodes on the tapes and they didn't have any. I priced the labels and found them way overpriced for simple barcodes. Rather than spending the money I followed the post here on how to create the needed LTO barcodes.

The reason I'm posting this is because it happened again with new cleaning cartridges that got ordered without labels and I had to find out how to print them again. I did find a few products that would create and print the labels, however they weren't free and I only needed about 10 labels.

Site we followed: http://rogierg.blogspot.com - 80 bucks for LTO barcodes? WTF?
Create Barcodes Site: http://www.barcodesinc.com/generator/index.php

Settings for the LTO Barcode
LTO Barcode Creation

After you generate the barcode, right click the image, choose "Save image as" and save the JPEG. Print the label and carefully tape it to the LTO cartridge. Be careful that there is no way the barcode can come free or hang in any way.

Tuesday, November 23, 2010

VMware View 4.5 - Removing the linked clone references from the View Composer Database

In an earlier post I referenced Manually deleting linked clones or stale virtual desktop entries from VMware View Manager. While following that KB myself I found removing references from the View Composer database to be too much of a manual process, and doubly so when removing multiple machines in a pool. I went looking online and found nearly what I wanted from andga.

I made just a few changes to what andga wrote so that it would work with the BaseName and will remove the references from all tables based on the name. By using SQL 'like' and '%' it finds all the matching VMs and cleans them all up at once.

-- The LIKE pattern matches every VM whose name starts with the base name,
-- so make sure no other pool's names share that prefix before running it.
DECLARE @vmdelete varchar(20);
set @vmdelete = 'VM_BaseName%';

-- Preview which clones the pattern catches before deleting anything.
SELECT ID, VM_NAME FROM SVI_SIM_CLONE WHERE (VM_NAME like @vmdelete)

-- Run the deletes as one unit so a failure part way through does not
-- leave the Composer tables referring to rows that no longer exist.
BEGIN TRANSACTION
delete from SVI_VM_NAME where NAME like @vmdelete
delete from SVI_COMPUTER_NAME where NAME like @vmdelete
delete from SVI_TASK_STATE where SIM_CLONE_ID in (SELECT ID FROM SVI_SIM_CLONE WHERE (VM_NAME like @vmdelete))
delete from SVI_SC_BASE_DISK_KEYS where PARENT_ID in (SELECT ID FROM SVI_SIM_CLONE WHERE (VM_NAME like @vmdelete))
delete from SVI_SC_PDISK_INFO where PARENT_ID in (SELECT ID FROM SVI_SIM_CLONE WHERE (VM_NAME like @vmdelete))
delete FROM SVI_SIM_CLONE WHERE (VM_NAME like @vmdelete)
COMMIT TRANSACTION

After using this or manually editing the SQL in the View Composer DB be sure to restart the VMware View Composer Service.

VMware View 4.5: Specified AD container partial distinguished name is not valid

Update 9-1-2011 with View 4.6 - Ran into this problem again. It seems that if you change the creds in View they don't take effect very quickly. I made a change to the creds for vSphere one day and 2 days later recomposing started giving the "Specified AD container partial distinguished name is not valid" error again. Check the AD permissions on the OU you have the View VMs added to with this post by VMware. Also it was creating the AD objects and then failing; as cleanup I manually deleted those objects from AD.

Today I kept getting the following error in VMware View 4.5 when trying to provision VMs:
Specified AD container partial distinguished name is not valid.
I've run into this error before when provisioning VMware View pools, and last time I was in a hurry and created a new pool to get around the problem. However, I finally narrowed it down to several causes today.
  1. Follow the logs. For more detailed information check "\\VSphereServer\c$\ProgramData\VMware\View Composer\Logs\vmware-viewcomposer.log" for additional detail about the error.
  2. Is the value correct? If you're like me you used the GUI to set this value, so it seems unlikely it's incorrect.
  3. Does the account specified have access to add machines to that OU, and is the password correct? Both are easy to check, as the password might have changed or the like.
  4. Did the computer already exist in AD? If you're recomposing the machine you may need to delete the already existing AD object and then see if it can recreate it.
  5. Have you rebooted the View Composer server? I found that while the services were up I needed to reboot it once in a while. I don't know why this is and it shouldn't work, but I found that it did. Wish I could tell you more on why this works sometimes.
  6. Try removing it from the LDAP ADAM instance, the DB, and View before provisioning it. Manually deleting linked clones or stale virtual desktop entries from VMware View Manager
If unsure how to connect to the LDAP instance, look to my other post.

If you are seeing the following, also follow the Manually deleting linked clones or stale virtual desktop entries from VMware View Manager link. You may need this post if you're deleting references from the View Composer database, as it will automate the process for you.
Desktop Composer Fault: 'Virtual Machine with Input Specification already exists

Unprotect or Delete VMware View Replicas

7/20/2012 Update: The below post pertains to pre view Composer 3.0. See this document for more information.

Ever have a VMware View replica shown in the vSphere Client but been unable to move, edit, or delete it? I have. First, assume you really know what you're doing and you need to modify it. Normally VMware View attempts to protect you from yourself and protects your replicas, even from you. But sometimes you may need to modify them anyway, and to do so you'll need to remove the protection.

To do this you will need to use the SviConfig command on the View Composer server. The syntax of its usage isn't too hard, but the inventory path wasn't very clear. Thus the problem is figuring out the syntax in order to remove the protection. As a solution, this is a PowerShell script that will display the correct syntax to remove the VMware View protection from the replica. SviConfig usage for unprotectentity is as follows:
sviconfig -operation=unprotectentity
          -VcUrl=https://<VirtualCenter address>/sdk
          -Username=<VirtualCenter account name>
          -Password=<VirtualCenter account password>
          -InventoryPath=/<Datacenter name>/[vm|host]/<folder name>/<vm name>
          -Recursive=[true|false]

What I wrote is a PowerShell script that generates the unprotect commands. The script requires the VMware vSphere PowerCLI to be installed but doesn't have to be run from the View Composer server. This script only creates the commands; it does not execute sviconfig in any way. Instead it creates the commands, puts them in a text file and then shows you the text file.

Download UnprotectVmwareViewReplicas.ps1

Example Output
Output of Unprotect Replicas Commands 

Monday, November 22, 2010

How to Connect to VMware View's LDAP Instance with AdsiEdit

As part of my VMware View 4.5 setup I've needed to dig into the LDAP instance that VMware View uses. In case you didn't know, VMware View uses an LDAP instance (using Microsoft's ADAM) to allow additional Connection Servers to be used to provide high availability and load balancing. The connection is easy enough with adsiedit.msc if you know the naming context.

I warn you to manually edit this LDAP at your own risk.
  • From a server or desktop that has the AD tools installed, run adsiedit.msc from a console window or the Run prompt.
  • Right click ADSI Edit and then Connect to...
  • Change the Connection Point to DC=vdi,DC=vmware,DC=int
  • Select the Computer and enter the name of your VMware View host.
AdsiEdit Connection Settings for VMware View 4.5

Thursday, November 18, 2010

Emulex 10 Gb CNA Crash - VMware and Windows Update 1

Following up a previous post of mine on our Emulex 10 Gb CNA problems and crashes, I figured I'd take a minute and update the list of working driver builds we've used for VMware ESX hosts.

  • Version: be2net-2.102.486.0
    • VMware ESX Versions: 4.0 and 4.1
    • ISO: esx-4.0.0-GA-be2net-2.102.486.0.iso
    • Release: Beta
    • Verdict: STABLE
    • Obtained: Our Networking Admin got it emailed from an Emulex Systems Engineer
  • Version: be2net-2.102.474.1
    • VMware ESX Versions: 4.0 and 4.1
    • ISO: esx-4.0.0-GA-be2net-2.102.474.1.iso
    • Release: Beta
    • Verdict: STABLE
    • Obtained: Our Networking Admin got it emailed from an Emulex Systems Engineer
    • Obtained on: 9/20/2010

Wednesday, November 17, 2010

VMware View 4.5 - Configuring the Local Account on the Thin Client (Part 3)

This post is part of a Series of Posts
Configure ViewUser Account and the Shell Replacement
Now log in to the ViewUser account. We want to change the shell so that when this account is logged in, all they can see is the VMware View Client. But first some housekeeping. Run this command from PowerShell so that our unsigned script is allowed to execute for this account.

Set-ExecutionPolicy -scope Currentuser -executionPolicy Unrestricted

Now navigate to the folder we placed the script file in. Right click VMwareViewShell.ps1 and choose "Run with PowerShell". It should launch the VMware View Client and proceed to the username and password Screen.

You should be able to log in and view your VMware View desktop; test that and USB redirection. If the script is working correctly you should be able to close the VMware View Client and it should relaunch itself, clear the username and recenter itself on the screen. Continue testing until you're satisfied that the script works correctly. Once it does we can replace the Explorer shell with the script instead. To do this we need to make a registry change.

Friday, November 12, 2010

Dell Remote Access Controller 6 (iDRAC6) authentication with Microsoft Active Directory

Today I was trying to set up some new Dell R810 DRACs to use Active Directory for authentication. However, I kept getting the following errors.
Environment 
  • iDrac version 6
  • Schema Selection: Standard Schema 
  • Certificate Validation Enabled: No
The useful part of the error when testing the Directory Service Settings. 
user=(Username), host=(DCFN)
16:07:25 Connecting to ldaps://[(DCFN)]:636...
16:07:25 ERROR: Can't contact LDAP server, (null):
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate

16:07:25 Connecting to ldaps://[(DCFN)]:3269...
16:07:25 ERROR: Can't contact LDAP server, (null):
Please check the following things:
- the correct Certificate Authority (CA) certificate has been uploaded to iDRAC
- the iDRAC date is within the valid period of the directory server and CA certificates
- the LDAP server address configured in iDRAC matches the subject of the directory server certificate
user=(Username), host=(DCFN)
Solution
The issue stood out when reading the following Frequently Asked Questions.
Question: Does iDRAC6 always use LDAP over SSL?
Answer: Yes. All the transportation is over secure port 636 and/or 3269.
Our Domain Controllers didn't allow LDAP over SSL (LDAPS). The errors didn't come up in a Google search, so maybe this will help someone else.
See my other post on how to enable LDAP over SSL: Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain
Links
http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc7.htm#wp53492
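
The three items the iDRAC lists in its error can be checked from any workstation before touching the iDRAC again. As an added example that is not part of the post or of Dell's tooling, this Python script connects to a DC on 636, validates the chain against the CA certificate file you would upload to the iDRAC, and reports validity-date and name problems on the certificate the DC presents; the hostnames and the sample certificate are constructed placeholders.

```python
import socket
import ssl
import time

LDAPS_PORTS = (636, 3269)  # the two ports the iDRAC tries in the error output above


def _name_matches(pattern, hostname):
    """Exact, case-insensitive match, or a single leading '*.' wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def check_cert(cert, configured_host, now=None):
    """Apply the iDRAC checklist to a certificate in the dict form returned by
    ssl.SSLSocket.getpeercert(). Returns a list of problems; empty means OK.

    Item 1 (is the right CA certificate uploaded to the iDRAC) can only be
    verified on the iDRAC itself; items 2 and 3 are checked here."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid; compare the iDRAC and DC clocks")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired; renew it or fix the iDRAC clock")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    if not any(_name_matches(n, configured_host) for n in names):
        problems.append(
            f"configured LDAP server address {configured_host!r} matches none of "
            f"the certificate names {names}; use the DC's FQDN, not its IP")
    return problems


def probe_ldaps(host, ca_file, port=636, timeout=5.0):
    """Open a TLS session to host:port, validating the chain against ca_file
    (the CA certificate you would upload to the iDRAC), then run check_cert on
    the certificate the DC presented. A chain failure raises ssl.SSLError and
    a DC not listening on the port raises OSError: both correspond to the
    "Can't contact LDAP server" line in the post."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # name mismatch is reported by check_cert instead
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_cert(tls.getpeercert(), host)


# Constructed sample certificate (placeholder names) in getpeercert() form.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
    "notBefore": "Nov 18 00:00:00 2010 GMT",
    "notAfter": "Nov 18 00:00:00 2011 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2011 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "dc01.corp.example", SAMPLE_NOW))  # []
    print(check_cert(SAMPLE_CERT, "10.0.0.5", SAMPLE_NOW))           # name mismatch
    # Live check against a real DC (needs network and the CA file):
    # print(probe_ldaps("dc01.corp.example", "/path/to/ca.pem"))
```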

Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain

Today I did some work on getting our Dell Remote Access Cards (DRAC) to use Active Directory for authentication. The cards only supported LDAPS, so after looking into it I realized my Domain Controllers didn't do LDAP over SSL (LDAPS).

So after some work on it here's the solution to enable it. I found a few posts online but they didn't seem to be written very clearly for an environment with a Certificate Authority (CA) not on a Domain Controller (DC).

I found that all you really have to do is give the DC the correct type of certificate and it will automatically do LDAP over SSL. An important requirement here is that I didn’t want to force connections to use LDAP over SSL but rather just enable it to work if something wants to use it.

Environment
Microsoft Active Directory: Windows 2008
Certificate Authority: Windows 2008 Server that is not a Domain Controller

Solution

Enable The Domain Controller Authentication Certificate Template on the Certificate Authority
Starting with your Certificate Authority (CA), we need to make sure that the Domain Controllers (DCs) can enroll with the CA in order to obtain the correct certificates. There is a certificate template for this that exists by default. To configure this, log on to the CA, open Server Manager and then expand the roles till you get the view below.
  • Expand the tree till you see the Certificate Templates folder and look for Domain Controller Authentication, the default existing template.
  • Then expand the CA server and check if it's listed under its Certificate Templates folder as well. If Domain Controller Authentication is listed in both places then it exists and is enabled. If it isn't under the CA's folder then we need to enable the Domain Controller Authentication certificate template.
  • Right click Certificate Templates under the CA, click New, then click Certificate Template to Issue. Select Domain Controller Authentication and then click OK.

Thursday, November 11, 2010

VMware View 4.5 - Building the Windows 7 Thin Client (Part 2)

Note: this works with all View Client versions: View 4.5, 4.6 and 5.0.

Update 4-4-2011- Added the scripts and the fix windows size Powershell shell.

This post is part of a Series of Posts
This guide will walk you through building a Thin Client with the following details.
  • Running Windows 7
  • Using the PCoIP Protocol
  • User authentication based on AD
  • The Thin Client will have a replaced shell to limit the users to VMware View Client only.
  • The Client can be configured to use a particular Pool or offer the user any they have access
Thin Client OS Install
The Thin Client only needs to be protected and run VMware View. The OS is about the only software we need installed and I'll be deploying clones of this machine, so I only plan to build it once by hand. Starting with a formatted machine that's the same as the hardware it'll be running on in the lab, I run a fresh Windows 7 install from DVD with the normal options for your environment. After the install I make the following changes.
  • Updates service configured to auto update and download other microsoft updates
  • Install all possible Microsoft updates
  • Update any drivers
  • Disable UAC
  • Set for best performance
  • turn off system restore points
  • Enable remote desktop.
  • Stop and disable the Themes Service
  • Check that the newest version of  Powershell is installed
  • Change Power settings
    • Don't password protect awaking from sleep
    • Let Sleep monitor and/or machine
Creating a ViewUser and Changing its Shell

We need a local user that we will use to run VMware View Client from. We could have users log in as themselves but I didn't, for the following reason. If we make users log in to Windows, they would log in to the machine, a profile would be created, then View Client launched, authentication passed, and finally the user is prompted for what VM they would like to access. After they select it they have to wait for it to log in and create another profile. Very time consuming. We can skip all of the first profile copy issues by creating an already logged in local user. So instead let's create the local user.

Tuesday, November 9, 2010

Powershell.exe - Passing Command Arguments with Spaces

This isn't the first time I've run into this problem but it's the first good solution I've found. When executing a file with powershell.exe, spaces in the file path can be problematic, and the normal methods of passing arguments fail. I've tried ticks, double quotes, single quotes and backslashes, however nothing worked.

An example of what fails.
powershell.exe -Command "c:\path with space\script1.ps1 arg1"

However, by using the "&" call operator you can call it successfully.

This example works.
powershell.exe -Command "& 'c:\path with space\script1.ps1' arg1"

Note: When passing the command line argument "-WindowStyle" to powershell.exe you have to place it before the "-Command" argument. If "-Command" comes first, "-WindowStyle" doesn't work.

Here's an example
powershell.exe -WindowStyle Hidden -Command "& 'c:\path with space\script1.ps1' arg1"

Side note: After posting this my brother was like "Of course that's the way around it" and I swear I asked him the last time it came up.

Links
http://www.leeholmes.com/blog/2006/05/05/running-powershell-scripts-from-cmd-exe/

Tivoli Storage Manager Client Install Script using Powershell

Below is the Tivoli install script that I wrote to install, update, or configure Tivoli Storage Manager clients. It works great but in order to use it you have to set up a network share with a few things. All the files listed are necessary and are shown in the picture.

  • IBM TSM Client Install Folders - The name matters and is used in the scripts. 
  • TSM Client Install Script.ps1 - Its given below. Just save to txt file.
  • dsm.opt - set with your normal server settings, values can be set that the script will replace. Example given below.
  • tsmjbbd.ini - the journal service file. Must use or alter the one used below.

TSM Client Install Script Share
Be sure you edit the TSM Client Install Script.ps1 Configuration Parameters section for your environment. Also check that you either use your dsm.opt file or edit the example to match your environment.

Saturday, November 6, 2010

Password Manager Pro Commands for Trouble Shooting

A small post on the commands to launch Password Manager Pro from a console instead of as a service. Sounds simple enough, but most things are after you figure them out. Launching it this way gives you better error reporting than just the logs.

Commands to Start the DB and Website
REM open Install directory
cd "\Program Files (x86)\PMP\bin" 
Startdb.bat 2345
pmp start
WARNING!! This command will wipe the database and any passwords or resources! Be sure you have working backups.
pmp reinit

Friday, November 5, 2010

Sysprep 0x8007139f Error on Windows 7

For those of you keeping track the Sysprep issues continue.

While finishing up a Windows image, and after the previous Sysprep CopyProfile issues (also worth a read if unsure how to debug sysprep problems), I ran into another sysprep error in C:\Windows\Panther\UnattendGC\setupact.log: "Failure occured during online installation. Online installation cannot complete at this time.; hr = 0x8007139f". This was the format of the file.

[windeploy.exe] WinDeploy.exe exiting with code [0x0]
[windeploy.exe] ------------------------------------------------
[windeploy.exe] WinDeploy.exe launched with command-line []...
[windeploy.exe] Setup has not completed, adding pending reboot.
[windeploy.exe] SetupCl has pending operations; blocking deployment process until they've been completed.
[windeploy.exe] Failure occured during online installation.  Online installation cannot complete at this time.; hr = 0x8007139f
[windeploy.exe] Flushing registry to disk...
[windeploy.exe] Flush took 344 ms.
[windeploy.exe] WinDeploy.exe exiting with code [0x8007139f]
[windeploy.exe] ------------------------------------------------

Looking into the issue it appears to be a not so uncommon issue with Windows 7. However most people seem to oddly go about testing for the cause by testing every piece of software on the box one at a time.

The Problem
The issue is linked with registry keys that appear to cause problems for sysprep.
  • The System doesn't have full access to some registry key.
  • A registry key is larger than 8 Kb.
  • Registry is corrupted in some way.
The Solution
While the normal setupact.log is enough for most sysprep problems, for this one we have to read the file "C:\Windows\Panther\setup.etl". To do so, copy the file to a machine where you can open Windows Event Viewer and use Open Saved Log. We didn't use Notepad because the format of the file isn't very human readable. It can be done, but why.
setup.etl from machine with 0x8007137f error.
Once you have the log open, look for errors. Mine was 6 errors in a row. All containing and repeating with descendant registry paths:
SclRegProcessKeyRecursiveByHandle@330 : (80000005): Failed to process reg key or one of its descendants:

In my case they all were from [\REGISTRY\USER\.DEFAULT\] and its descendants.

The fix was to restore my machine to the state before sysprep was run (a VMware snapshot in my case), download the Windows 7 and Windows 2008 hotfix KB 981542 (http://support.microsoft.com/kb/981542/), then rerun sysprep with the same file, which ended successfully.

Others have reported that this hotfix didn't solve this problem for them. In those cases you should be able to narrow down the cause based on the Registry key listed in the "Failed to process reg key or one of its descendants" error.

Thursday, November 4, 2010

Using Sysprep with CopyProfile in Windows 7 and Windows Server 2008

First rule of testing a sysprep unattend file:

Thou shall test your unattend xml file on a newly unconfigured OS install before blaming the file.

The reason: Before becoming a server admin I made my way by developing new and better ways to deploy computers on campus. I moved to the server team before Vista came out, so my expertise was mostly with Windows XP. So recently, after 5 hours of trying to do the once simple task of copying the administrator profile to the default profile, I can say that things have changed. First let me set up what I'm working on, then share what I can so you can avoid the problems I had.

The Goal: To use the <CopyProfile> option with sysprep to copy the Administrator profile to the default profile on Windows 7.

The Problems: Things that can go wrong will.
  • If you're using a virtual machine that someone else built, you don't know what they did or didn't do. In my case my brother built a tweaked Windows 7 virtual machine stripped down for speed. At some point he upset the profile/registry gods and sysprep could no longer honor the <CopyProfile> option. See here for the fix.
  • You need to be able to read the local disk in case the box won't boot or, as in this case, gets stuck in an endless sysprep reboot loop. I can't overstate this: you cannot see what's wrong with sysprep without it. In my case I used a network PXE server with a WinPE that has the VMware drivers loaded. Note, however, that PXE doesn't yet work with VMXNET3 on ESX 4.1. See my other post.
  • Sysprep isn't your friend; it's more like the coworker you have to deal with. Learn to get along with it, because it's not going anywhere.
The Solution
The only truly supported way to copy a profile to the default profile in Windows 7 is to let sysprep do the copy. If you search the web you'll find other methods, but they shouldn't be used in real production environments and require manually editing the registry hives. And honestly you shouldn't need those shortcuts, as doing the copy via sysprep is easy enough if you follow this post.

First configure the Administrator profile the way you want it. Make sure you've opened most programs and everything works. I'm not going to go through the finer points of this; I may write a post on it later and link to it here.
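Added example, not from the original post: before handing an answer file to sysprep, check that CopyProfile is actually where sysprep will look for it. The element only takes effect in the specialize pass inside the Microsoft-Windows-Shell-Setup component; a CopyProfile placed in another pass or component is silently ignored, which looks exactly like "sysprep no longer listens to CopyProfile". The script below checks that with a namespace-aware XPath query and then, if asked, runs sysprep with the usual generalize/oobe/shutdown switches. The path in $Unattend and the -RunSysprep switch are my own choices; the pass, component and namespace names are the documented ones.

```powershell
# Added example, not from the original post: verify an unattend.xml has CopyProfile
# in the specialize pass of Microsoft-Windows-Shell-Setup, then optionally run sysprep.
# Assumption: the answer file is at $Unattend and you run this from the customized
# Administrator account, which is the profile sysprep copies.
param(
    [string]$Unattend = 'C:\Windows\System32\sysprep\unattend.xml',
    [switch]$RunSysprep
)

[xml]$xml = Get-Content -Path $Unattend -ErrorAction Stop
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

# CopyProfile is only honored here: specialize pass, Microsoft-Windows-Shell-Setup component.
$xpath = "/u:unattend/u:settings[@pass='specialize']" +
         "/u:component[@name='Microsoft-Windows-Shell-Setup']/u:CopyProfile"
$node = $xml.SelectSingleNode($xpath, $ns)

if (-not $node) {
    # Report where a misplaced CopyProfile ended up, if there is one at all.
    $stray = $xml.SelectNodes('//u:CopyProfile', $ns)
    foreach ($s in $stray) {
        $pass = $s.ParentNode.ParentNode.GetAttribute('pass')
        $comp = $s.ParentNode.GetAttribute('name')
        Write-Warning "CopyProfile found in pass '$pass', component '$comp' (ignored by sysprep)"
    }
    throw "No CopyProfile in the specialize pass of Microsoft-Windows-Shell-Setup in $Unattend"
}
if ($node.InnerText -ne 'true') {
    throw "CopyProfile is '$($node.InnerText)', expected 'true'"
}

$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"CopyProfile=true is in the right place; running as $who"

if ($RunSysprep) {
    # /generalize is what triggers the profile copy; /oobe /shutdown leaves the VM ready to clone.
    & "$env:SystemRoot\System32\sysprep\sysprep.exe" /generalize /oobe /shutdown /unattend:$Unattend
}
```

Run it once without -RunSysprep to validate the file, snapshot the VM, then run it with -RunSysprep; if sysprep still loops, the setupact.log and setup.etl files under C:\Windows\Panther are the next stop.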

VMware VMXNET3 Driver with WinPE

Today, working with View, I found out that the VMware VMXNET3 NIC type won't let you PXE boot into WinPE even if the driver has been added to the WinPE image. I read that this would be fixed in ESX 4.1 Update 1 but couldn't confirm it.

The moment the WinPE image starts to download, this error is given with the VMXNET3 NIC.

This picture was taken from our ESX 4.1.0 environment.

Instead, use the E1000 NIC type and behold: a working WinPE running on a VMware virtual machine. In case you were wondering why I was trying to run WinPE on a virtual machine, it's because I'm using it to troubleshoot the sysprep configuration problems I've been having building virtual machines for VMware View. The VM runs into an error in sysprep and goes into an endless reboot loop; by booting into WinPE I can mount the local drive and read the sysprep log.

I'll post more on the sysprep issues later.

Using the E1000 Nic Type WinPE loads perfectly.
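Added example, not from the original post: swapping the adapter type from PowerCLI rather than the vSphere Client, so the E1000 swap for a WinPE session (and the swap back to VMXNET3 afterwards) is one command. The vCenter name and VM name are placeholders. One caveat worth checking: changing the device type replaces the virtual NIC, so the generated MAC address can change, and a PXE or DHCP reservation keyed on the old MAC will stop matching.

```powershell
# Added example (PowerCLI), not from the original post: switch a powered-off VM's
# NICs to E1000 for a WinPE boot, or back to VMXNET3 when done.
# Assumptions: PowerCLI is loaded, and $VIServer / $VMName are your own values.
param(
    [string]$VIServer = 'vcenter.example.local',
    [string]$VMName   = 'view-template-01',
    [ValidateSet('e1000', 'Vmxnet3')]
    [string]$Type     = 'e1000'
)

Connect-VIServer -Server $VIServer | Out-Null
$vm = Get-VM -Name $VMName

if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before changing the adapter type."
}

# Record the MACs first so a changed MAC after the swap is obvious.
$before = Get-NetworkAdapter -VM $vm | Select-Object Name, Type, NetworkName, MacAddress
$before | Format-Table -AutoSize

foreach ($nic in Get-NetworkAdapter -VM $vm) {
    "Changing $($nic.Name) on $($nic.NetworkName) from $($nic.Type) to $Type"
    Set-NetworkAdapter -NetworkAdapter $nic -Type $Type -Confirm:$false | Out-Null
}

$after = Get-NetworkAdapter -VM $vm | Select-Object Name, Type, NetworkName, MacAddress
$after | Format-Table -AutoSize

# Flag any NIC whose MAC changed: PXE/DHCP reservations keyed on the old MAC will break.
foreach ($a in $after) {
    $b = $before | Where-Object { $_.Name -eq $a.Name }
    if ($b -and $b.MacAddress -ne $a.MacAddress) {
        Write-Warning "$($a.Name): MAC changed from $($b.MacAddress) to $($a.MacAddress)"
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Use `-Type Vmxnet3` to put the adapter back once the sysprep log has been read.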

Tuesday, November 2, 2010

Period Slash for Local Account Login

This helpful hint is just a little fact I had forgotten. On Vista, Windows 7 and Windows Server 2008, if the machine is bound to a domain the username is assumed to be a domain account. You can tell it to use a local account by entering "computername\username". What I'd forgotten is that ".\username" does the same thing and is much faster and easier than typing the full computer name.

Saturday, October 30, 2010

VMware View 4.5 - Thin Client with PCoIP using Windows 7 (Part 1)


Note: this works with all View Client versions: 4.5, 4.6 and 5.0.


Series of Posts
For what must be the fourth time at work we're looking into deploying a thin client environment. This time we're focusing on VMware View 4.5, which looks to have addressed many of the problems we had in the past. We've stood up VMware View and a few other systems before but weren't satisfied with them.

Our big use case, where View machines are offered to students over VPN and connected to from home on the student's own hardware, works perfectly. However, one of the use cases management wants VMware View to fill is as a replacement for actual student labs on campus, where a lab machine runs VMware View and offers students their choice of VMs. This also had to be accomplished under the following firm constraints.
  • VMware View 4.5
  • Reuse the existing PCs in the labs as the client hardware.
  • Use PCoIP as the protocol, for the enhanced multimedia experience.
  • Lock down the PC hardware.
  • Management of the hardware is required (for example SCCM and/or Forefront).
  • Ease of client deployment.
The issue became which OS to use and how to configure it on the current lab hardware. VMware doesn't really supply a good guide on this for View 4.5. What's even more surprising is the apparent lack of a good community-supplied setup guide, at least that I've found after looking. Sorry if I've just missed it.

And there appears to be no way of doing a bootable image (WinPE or Linux) that uses PCoIP. Further research leads me to believe that Windows Embedded or a full copy of Windows is the only option for PCoIP on re-purposed client hardware.

After running into this problem and the lack of a helpful walkthrough online, I hope this series will be just that for others interested in the same or a similar setup. I have worked out a method that meets all of these constraints, using Windows 7 as the client OS and PCoIP as the protocol, and am interested in what the online community thinks of it. I'll be posting the solution and the steps to create it over the next several posts, starting with this one, as the length of this guide proves necessary.

Special Thanks to Patrick Towles, Paul Ritter, and Matthew Campbell for their help on this subject..

Tuesday, October 26, 2010

Useful Tivoli Storage Manager (TSM) Commands

One thing that really gets old for me is trying to remember the endless number of TSM commands, best described as tricking TSM into giving me the information I'm looking for. In the past I've kept a useful list in Google Wave, but sadly with that going away I've decided to keep them here for all of us to use.


(All Commands were tested on TSM 5.5 as of 10/26/2010)

Nodes not associated with any schedule
select node_name from nodes where node_name NOT IN (select node_name from associations)

Number of nodes associated per schedule
Select domain_name, schedule_name, count(node_name ) FROM associations GROUP BY domain_name, schedule_name

Number of volumes per DRM state
Select state,count(*) as "Number of volumes" FROM drmedia GROUP BY state

Total client data stored (TB) - takes a while to run
Select CAST(FLOAT(SUM(logical_mb)) / 1024 / 1024 AS DEC(8,2)) FROM occupancy

Client schedules - the LIKE pattern can be used to filter
select * from associations where node_name like '%'

Number of schedules per node
select node_name, count(node_name) as "c2" from associations group by node_name order by "c2"

Fragmentation level of the DB
Select cast((100 - (cast( Max_Reduction_MB as float ) * 256 ) / (cast(Usable_Pages as float) - cast (Used_Pages as float) ) * 100) as decimal(4,2)) as Percent_Frag from DB


Also http://thobias.org/tsm/sql/index.html has some really great TSM SQL commands.

Install Steps for Microsoft Live@Edu SSO (Single Sign-On) on Windows 2008 and Windows 2008 R2

A while back I wrote some quick notes on the install steps to set up Microsoft Live@Edu SSO on Windows 2008 R2. Some of the details may differ for your environment, and the issues I point out later may have been resolved since, as I was working with version 4.1. I worked on this when I wrote http://liveatedussolinks.codeplex.com/, which allows SSO login to Outlook Live and Live@Edu from SharePoint 2010. (I really need to upload the newest version of the SharePoint web part to both sites, but email me if you want a copy.)
UPDATE 4-3-2012: Sorry I haven't been updating this project in a while. I've actually rewritten it and am looking at creating or selling this SSO login with support for a small fee, but honestly don't know a good way of going about it. Anyone have an idea? Is it wise to do it yourself, or sell it to someone and let them resell it?
I assume you've already registered your site to use SSO with Microsoft and they have sent you a certificate to use. I had to work with them as the cert they sent was invalid, but hopefully you have better luck than I did and it works on the first request. If you haven't already set up the Windows Live ID SSO Kit with Microsoft, go to the Live@edu service management portal (http://eduadmin.live.com/), select Single sign-on, then click Request SSO Support to request the SSO SDK and certificate.

Download the newest version of Microsoft Live@Edu SSO and extract the contents on the server we're going to be configuring; work from that same server for everything that follows.

Import the Microsoft Certificate
  • Open MMC
    • Add the Certificates snap-in
    • Choose Computer account, Local computer
    • Navigate to Personal certificates
    • Import the cert Microsoft sent you for SSO
      • Mark it as exportable; no password is needed
      • If the import worked, a sapipartner.com entry should be added
      • Right-click the sapipartner.com entry and choose All Tasks
        • Manage Private Keys
          • The quick fix is to give Everyone full control, which works but is far broader than needed. The only account that has to use this key is NT AUTHORITY\NetworkService (the identity RPS runs under, and the one the winhttpcertcfg step below grants), and Read on the key is enough for it to sign and decrypt.
Install Microsoft Passport RPS (Relying Party Suite)
  • From the extracted folder, install rps64.msi
    • Warning: you must launch the MSI in compatibility mode.
    • Choose Production
    • RPSServer.xml
    • Leave rpscomponent.xml blank
    • Leave the site name and everything else blank
    • Leave DEK and everything else blank
    • NT AUTHORITY\NetworkService
    • Navigate to C:\Program Files\Microsoft Passport RPS
      • Copy RPSNetwork.xml to C:\Program Files\Microsoft Passport RPS\config
  • Test Microsoft Passport RPS by running rpsDiag.exe
    • Click Run
    • All should be green; if not, use the errors to fix things until they are all successful
Install winhttpcertcfg.msi
  • Open an administrative command window in "C:\Program Files (x86)\Windows Resource Kits\Tools"
  • Run the following
  winhttpcertcfg.exe -g -a %ComputerName%\NetworkService -c LOCAL_MACHINE\My -s sapipartner.com

  • Check that granting private key access to the NT AUTHORITY\NetworkService account worked. This step is what gives RPS the key it needs, which is why the Everyone grant in the MMC step above isn't required.

Create Web Site

  • Install the Web Server (IIS) role
    • Enable the management features
  • Copy the SSOPortal folder from the extracted Microsoft Live@Edu SSO folder to C:\inetpub\wwwroot\
  • Edit web.config. This is very important; the notes that come in the extracted folder say what to change.
  • Open IIS Manager
    • Convert SSOPortal to an application.
    • Change the authentication to Windows
    • Disable anonymous authentication
Test the SSOPortal site at http://(servername)/SSOPortal/default.aspx

Warning: the following was only needed on Windows 2008 R2
  • Open MMC (fix only for 2008 R2)
    • Add the "Component Services" snap-in
    • Expand down to DCOM Config
    • Open the properties of RPSSvc
      • Under Security
      • Giving Everyone full access is what got it working, but it is more than the site needs. Grant Local Launch and Local Activation to the identity the SSOPortal application pool runs as (NetworkService, or the IIS AppPool\SSOPortal virtual account), since that is the caller that has to reach RPSSvc.
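Added example, not from the original post: the least-privilege version of the "Manage Private Keys" step, scripted. Instead of Everyone with full control, it grants only NT AUTHORITY\NETWORK SERVICE read access to the SSO certificate's private key file and then lists the resulting ACL so an over-broad grant is visible. It assumes the certificate was imported into LocalMachine\My with an exportable RSA (CSP) key, as the post describes, and that its subject contains sapipartner.com; the subject pattern and account are parameters so they can be changed.

```powershell
# Added example, not from the original post: grant NETWORK SERVICE read access to the
# SSO cert's private key instead of giving Everyone full control. Run elevated.
# Assumptions: the cert is in LocalMachine\My with a CSP (legacy RSA) key, whose file
# lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
param(
    [string]$SubjectMatch = '*sapipartner.com*',
    [string]$Account      = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectMatch -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching $SubjectMatch in LocalMachine\My" }

# For CSP keys the container name maps to a file; the ACL on that file controls key use.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyPath)) {
    throw "Key file not found at $keyPath (a CNG key is stored elsewhere and needs a different path)"
}

# Read is all a service needs to sign/decrypt with the key.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: show who can touch the key and flag a leftover Everyone entry.
$after = (Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
$after | Format-Table -AutoSize
if ($after | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    Write-Warning "Everyone still has rights on $keyPath; remove that entry in Manage Private Keys or with icacls."
}
"Thumbprint $($cert.Thumbprint): $Account granted Read on the private key"
```

If rpsDiag.exe still reports a key error after this, the account RPS actually runs as differs from $Account; check the service's Log On identity before widening the ACL.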

Friday, October 22, 2010

Passing Arguments in PowerShell to Start-Process

Recently, while automating a Tivoli Storage Manager client install with a PowerShell script, I ran into trouble passing arguments to the Start-Process cmdlet. In this case I was calling msiexec.exe and passing arguments through it to the installer, and the trouble was that most of the arguments contained quotes and spaces.

Later in the same project I was working with a command-line tool and wanted its output. I noticed that Start-Process didn't give me the output lines as a string array. Both problems were solved by writing a function that wraps Start-Process.

function StartProcess ($FileToExecute, $Arguments, $ClientDir, $printCommandtoConsole) {
    $Tempfile = "$Env:TEMP\tempfile.txt"
    # Out-Null keeps the FileInfo object New-Item emits out of the function's output.
    New-Item $Tempfile -ItemType file -Force | Out-Null

    # -ArgumentList joins the array with spaces and hands it to the process as-is,
    # so the embedded quotes around values with spaces reach the child intact.
    Start-Process $FileToExecute -ArgumentList $Arguments -Wait -WorkingDirectory $ClientDir -RedirectStandardOutput $Tempfile

    if ($printCommandtoConsole) {
        # $FileToExecute is already the full path. This echoes every argument, password included.
        Write-Host $FileToExecute $Arguments
    }

    # Each captured stdout line becomes one element of the returned string array.
    Get-Content $Tempfile
    Remove-Item $Tempfile -Force
}
    

Here's an example showing how the arguments are built and how the StartProcess function is called. Keep in mind that the /password: value travels on the command line, so it is visible to anyone who can list processes while dsmcutil.exe runs, and it is echoed to the console when $printCommands is on; leave that off anywhere the console is shared or logged.

function InstallTSMScheduler {
    # $NodePassword, $ClientDir, $OptFile and $printCommands are set earlier in the install script.
    $Arguments = @()
    $Arguments += "install"
    $Arguments += "scheduler"
    $Arguments += "/name:`"TSM Scheduler`""
    $Arguments += "/node:" + [Environment]::MachineName
    $Arguments += "/password:`"$NodePassword`""
    $Arguments += "/clientdir:`"$ClientDir`""
    $Arguments += "/optfile:`"$ClientDir\$OptFile`""
    $Arguments += "/autostart:no"
    $Arguments += "/startnow:no"

    StartProcess "$ClientDir\dsmcutil.exe" $Arguments $ClientDir $printCommands
}

$CommandLog = InstallTSMScheduler
$CommandLog

I'll post the rest of the Tivoli client install script at a later date if someone wants it.

Seems I wasn't the only one with the problem (link here).

Tuesday, October 19, 2010

Emulex 10 Gb CNA Crash - VMware and Windows

Update 1 - 04-08-2011 - VMware and Emulex now have a stable driver, so there's no longer any need for the beta driver.

We recently purchased Emulex 10 Gb CNA cards for our new and existing VMware ESX hosts and other high-bandwidth servers. However, we have seen nothing but problems with them crashing. After going round and round with VMware, Cisco and Emulex we seem to have a stable build using a beta driver build we received from Emulex. This driver is only for the Ethernet controller on the card, in other words the be2net driver.

The problem seems to be with any version of the driver that has TCP offload enabled. With the Windows drivers we were able to configure the driver to disable this "feature", which made the cards stable. On VMware the drivers at the time of writing only go up to the VMware ESX/ESXi 4.x Driver CD for ServerEngines BladeEngine 10Gb, version 2.102.440.0, released 2010/09/16. One problem you'll notice with this driver is that if you change the VLAN ID on a network the ESX host will crash with a purple screen. Other problems arise as well, like hosts intermittently losing the ability to talk to each other. Switching the VLAN ID is what we used to cause the crash on demand for testing.

Our network guy pushed and we were able to get a beta release of the be2net driver, build version be2net-2.102.474.1. From what we read in the notes we received, this build lets you enable and disable VLAN offloading, with the default being disabled. As with the Windows driver we worked with on Windows 2008 R2, that appears to be all that's needed to make the driver stable.

Below is a screenshot of an ESX host running the unsigned beta driver; it has been stable for the last 2 weeks and passed every test we could think of.


We also tested a QLogic 10 Gb CNA, since we considered switching to it, but it had the same crashing issue with TCP offload. We wonder if they both use the same chip.

No fix as yet allows us to enable this feature.

Update 1: Newer Beta Drivers Listed

Thursday, October 14, 2010

Windows GPOs Work Best on New Profiles

After the last 3 hours of reboots and gpupdate in vain, let's remember the following rule when working with Windows GPOs.

When you change a GPO that affects user settings, like folder redirection, do the following:
1. Delete the profile of the account you intend to test with
2. Run "gpupdate /force" on the client
3. Reboot the client (a logoff should work, but reboot just to be sure)
In my case I was creating a GPO to redirect student profiles to their network drives. I was doing 2 different redirects in the same GPO, but only 1 of them was applying. This odd behavior, with no error in the logs to speak of, was what really blinded me to the solution.

Also, a tip: if a GPO needs to be linked to an OU of computers but has to affect user settings instead of computer settings, the GPO has to enable User Group Policy loopback processing mode. This makes the user settings of a computer-linked GPO apply to whoever logs on.
The setting is under Computer Configuration, Policies, Administrative Templates, System, Group Policy.
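Added example, not from the original post: the three-step rule above as a script, run elevated on the test client. It deletes the test account's profile through Win32_UserProfile (which also removes the ProfileList registry entry, so no stale .bak profile is left behind as it would be by deleting C:\Users\name by hand), forces a policy refresh, reports whether loopback processing is in effect, and optionally reboots. The test account name is a placeholder. The registry value it reads for loopback, UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, is the value the loopback policy writes as I understand it; verify against gpedit on your build.

```powershell
# Added example, not from the original post: reset a test account's profile so a
# changed user-side GPO gets a clean first logon, then force a policy refresh.
# Assumptions: $TestUser is logged off, you are elevated, and UserPolicyMode is the
# registry value the loopback policy writes (1 = merge, 2 = replace).
param(
    [string]$TestUser = 'gpotest',
    [switch]$Reboot
)

# 1. Delete the profile properly: Win32_UserProfile.Delete removes the folder and the
#    ProfileList entry. Skip loaded profiles (user still logged on) and special ones.
$profiles = @(Get-WmiObject -Class Win32_UserProfile |
    Where-Object { $_.LocalPath -like "*\$TestUser" -and -not $_.Loaded -and -not $_.Special })
foreach ($p in $profiles) {
    "Deleting profile $($p.LocalPath)"
    $p.Delete()
}
if ($profiles.Count -eq 0) {
    "No unloaded profile for $TestUser found; make sure the user is logged off."
}

# 2. Force a refresh of both computer and user policy; /wait:0 returns without waiting on scripts.
& gpupdate.exe /force /wait:0

# 3. Show whether loopback processing is configured, since user settings in a
#    computer-linked GPO will not apply without it.
$gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode  = (Get-ItemProperty -Path $gpKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: merge' }
    2       { 'Loopback: replace' }
    default { 'Loopback: not configured (user settings in computer-linked GPOs will not apply)' }
}

# 4. Reboot so the user-side extensions run at the next logon with no cached profile state.
if ($Reboot) { Restart-Computer -Force }
```

After the reboot, log on as the test user and run `gpresult /r /scope:user` to confirm the GPO is listed under applied objects before touching the GPO again.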

Wednesday, October 13, 2010

ManageEngine's Password Manager Pro says Invalid License File

At work we use ManageEngine's Password Manager Pro to store server and application passwords. Without a doubt I would recommend it to anyone who needs a password manager for a team or teams of people.

We recently had an issue where our Password Manager Pro didn't correctly read a valid license file. It would read the company and a few other features but would fail to validate the rest of the file, saying it was an Invalid License File. After working with support they sent the following fix.

ManageEngine Password Manager Pro, Product Version 6.2.0

1. Stop the PMP server if it is running.
2. Go to the \lib folder and take a backup of AdventNetLicense.xml, petinfo.dat and product.dat, storing them outside the \lib folder.
3. Download the license_fix.zip file from the following URL and extract it under the \lib folder.

4. Ensure that the AdventNetLicense.xml file is not present in the \lib folder.
5. Start the PMP server and apply your license XML file again.

Tuesday, October 12, 2010

How to Encrypt a VMware VM running Windows 2008 R2 with Microsoft BitLocker

A piece of software at work has a HIPAA requirement that its drive be encrypted. No problem, right? We use Microsoft BitLocker on our Windows servers and PCs. So, in keeping with that, I worked out a way to do it with our VMware virtual machines; it should work with any other type of virtual machine as well.

The Goal: To encrypt Windows 2008 R2 using the built-in Microsoft BitLocker.

The Problem: Since we are working with a virtual machine there isn't a TPM (Trusted Platform Module) chip, which is normally where BitLocker keeps the key that unlocks the drive.

The Solution: BitLocker can use a USB or floppy drive to hold a startup key when the hardware doesn't have a TPM. That fact alone doesn't do a lot of good with a VM, because the USB drive would always have to be mounted to the VM. However, we can use that feature and instead point it at a disk volume we create to hold the startup key. Be clear about what this buys you: the startup key sits on a virtual disk in the same datastore as the encrypted system disk, so anyone who can copy the VM's files gets both. It meets an encrypted-at-rest requirement inside the guest, but it does not protect against someone with access to the datastore.

A few details about my environment:
  • VMware ESX 4.1 hosts
  • A VM with Windows 2008 R2 already running and ready to encrypt.
  • Our domain has already been extended to store BitLocker keys (see here for more).
  • Our domain GPO for BitLocker requires a TPM and backup to AD DS.
First, enable BitLocker on Windows 2008 / 2008 R2 Server. It's a server feature called "BitLocker Drive Encryption".

Next we need a volume to store the startup key, since our VM doesn't have a TPM chip. Add an additional hard drive to the VM, format it NTFS and mount it. I made mine 100 MB and labeled it "EncryptionKey". Another method would be to shrink the OS volume by 100 MB and create the volume in the freed space, but this shouldn't be done, as resizing the disk and extending the OS volume is then prevented. It's better to just create a new virtual hard drive.

After the drive is added, formatted and labeled, open the Run prompt and launch "gpedit.msc". We need to set the local Group Policy settings that let BitLocker store the key on a drive instead of in a TPM, and make sure it backs up the recovery key to AD.


Local Group Policy being used to edit BitLocker settings
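Added example, not from the original post: once the policy is set, the actual encryption step on 2008 R2 is done with manage-bde.exe (the Enable-BitLocker cmdlets don't exist until Windows 8/2012). The script checks that the "allow BitLocker without a compatible TPM" policy is in effect, confirms the key volume is mounted NTFS, then turns BitLocker on for the OS drive with a startup key written to that volume and a recovery password, and prints the protectors for verification. E: as the key volume is an assumption from the post's setup; the policy registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are my reading of what gpedit writes for those two BitLocker policies, so verify them against gpedit on your build.

```powershell
# Added example, not from the original post: enable BitLocker on the OS volume of a
# TPM-less 2008 R2 VM with the startup key on the "EncryptionKey" volume. Run elevated.
# Assumptions: $KeyDrive is the small NTFS volume from the post, and the FVE policy
# value names below match what gpedit writes (verify on your build).
param(
    [string]$OsDrive  = 'C:',
    [string]$KeyDrive = 'E:\'
)

# Policy check: "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" must be on, or manage-bde refuses -sk without a TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($pol.EnableBDEWithNoTPM -ne 1 -or $pol.UseAdvancedStartup -ne 1) {
    throw 'Set "Require additional authentication at startup" / "Allow BitLocker without a compatible TPM" first.'
}
if ($pol.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup of recovery information is not required by policy; the recovery password may not be escrowed.'
}

# The key volume must be a mounted NTFS volume; the .BEK file is written to its root.
$di = New-Object System.IO.DriveInfo($KeyDrive)
if (-not $di.IsReady -or $di.DriveFormat -ne 'NTFS') {
    throw "$KeyDrive is not a mounted NTFS volume"
}

# -StartupKey writes the external key to E:\ (the VM reads it at boot instead of a TPM);
# -RecoveryPassword adds the 48-digit recovery key that the AD backup policy escrows.
& manage-bde.exe -on $OsDrive -StartupKey $KeyDrive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Verify: expect both an External Key and a Numerical Password protector, then watch progress.
& manage-bde.exe -protectors -get $OsDrive
& manage-bde.exe -status $OsDrive
```

manage-bde runs a hardware test on the next restart before encryption starts, so reboot once the command returns; the recovery password shown by `-protectors -get` should also appear on the computer object in AD if the backup policy took effect.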

Friday, October 8, 2010

Hide the Blogger Nav Bar

While setting up this blog, one of the things I found useful for the design and feel was being able to hide the top navigation bar. Add the following to your HTML template to hide the Blogger navigation bar on your site.

/* Hides the Blogger Nav Bar  */
#navbar-iframe {   display: none !important; }