Repairing the DirectAccess Group Policy WMI Filters

When you configure your first DirectAccess server in an Active Directory domain, the wizard will automatically create for you two Group Policy Objects. One of these policies applies to the DirectAccess servers and the other to the DirectAccess clients. I’m in the process of setting this up on my Windows Server 2012 R2 Essentials server so my server is latest and greatest as far as operating system version goes and even to date, it appears that the WMI Filter created for the Group Policy Object has not been updated.

Here is the WMI Filter in it’s default state:

SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2
SELECT * FROM Win32_OperatingSystem WHERE (ProductType = 3) OR (Version LIKE ‘6.2%’ AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE ‘6.1%’ AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

As you can see, that’s a pretty long filter, one which is going to take some time to enumerate on a client. Secondly, the filter only calls out Version 6.1 and 6.2 which like a previous post I wrote about the problems with the WMI Filter in the Windows Server 2012 Essentials Client GPO WMI Filter, it excludes Windows 8.1 (Version 6.3).

These aren’t the only problems though. ProductType = 3 means server (per MSDN WMI Win32_OperatingSystem guidance at http://msdn.microsoft.com/en-us/library/aa394239(v=vs.85).aspx) which means that the policy will never apply to a client machine as intended. The OperatingSystemSKU filter section means that this policy is valid for all sorts of crazy product SKUs that we just aren’t interested in (a full list of SKUs can be found at http://techontip.wordpress.com/tag/operatingsystemsku/).

I’ve modified this query down so that it will apply to Windows 7 and upwards instead of explicit versions and also simplified it so that it only applies to the SKUs that we might actually be interested in.

Simply clear out the current filter and replace it with the following:

SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = “2”
SELECT * FROM Win32_OperatingSystem WHERE (ProductType = “1” AND Version >= “6.1%”) AND (OperatingSystemSKU = “4” OR OperatingSystemSKU = “27”)

Now, the policy will apply to computers of class PCSystemType 2 which defines a mobile computer, ProductType 1 which defines a workstation device, Version 6.1 or higher covering Windows 7 and onwards and lastly, defines OperatingSystemSKU as 4 or 27 which singles out Enterprise and Enterprise N editions of Windows client operating systems.

The Case of Remote Desktop Services Random Disconnections

If you are running Windows Server 2008 R2 servers and you find yourself randomly being disconnected from RDS (Remote Desktop Services) sessions on your servers, or sometimes find your servers completely inaccessible you could be impacted by an issue as a result of servicing order (AKA, the order in which you install Windows Updates). The issue effects servers running Windows Server 2008 R2 with Service Pack 1 and with KB2667402 (Update for Terminal Service Denial of Service Vulnerability).

This is something I thought I had written about already as it effected us in a big way at work due to the way in which our virtual machine images were compiled but it seems actually, I hadn’t.

In Windows Server 2008 R2 RTM, the file version of the rdpcorekmts.dll file in Windows Server 2008 R2 RTM is 6.1.7600.16952. In Windows Server 2008 R2 with Service Pack 1, the file version of the rdpcorekmts.dll file is 6.1.7601.17767 and the file version of the rdpcorekmts.dll file after installing KB2667402 is 6.1.7601.17828.

If as a result of servicing order, you installed the KB2667402 update prior to installing Windows Server 2008 R2 Service Pack 1, the file version of rdpcorekmts.dll is downgraded from the KB2667402 version number to the SP1 version number and the hotfix is in essence removed. This causes the Remote Desktop Services service to fail and terminate itself repeatedly as the service believes that there is an attempt to modify it’s files occurring and as a failsafe, shuts down remote access.

In order to resolve the issue, Microsoft re-released KB2667402 as KB2667402v2 which allows you to re-install the update after an installation of Service Pack 1 to bring the file version back up to 6.1.7601.17828 and to allow the Remote Desktop Services service to work again as normal. Trying to re-install the original release of KB2667402 will result in a message that the update is already installed and does not apply to this computer.

You can download the version 2 release of the update from the Microsoft Download Center at http://www.microsoft.com/en-us/download/details.aspx?id=29169. The update is 327KB and requests a reboot, however you can install the update and delay the restart by simply manually restarting the Remote Desktop Services service. You should still restart the server at some point in time though as the pending reboot will block operations such as installation of roles and features.

Deploying Windows Server 2012 Primary Computer Setting

For companies (or homes) using roaming profiles and folder redirection, Microsoft gave you are great new feature in Windows Server 2012 called Primary Computer. This feature hasn’t been talked about that much although it really should have been. The Primary Computer feature allows you to define the primary computer for a user in Active Directory on a user object. Once applied to a user account it prevents the distribution of their roaming profile on non-primary devices and for folder redirection, disables the ability to sync the folders with Offline Files for non-primary devices.

So What is the Benefit

This is ideal for several reasons. Firstly, it helps to reduce profile corruption for roaming profile users when roaming between machines which may be running different versions of Windows or different architectures. Also for roaming profile users, it greatly improves logon and logoff times for non-primary devices. If a user is logging on to a kiosk computer for example, they don’t need their roaming profile and they probably just want to access a service or application quickly so why wait for it? For users of folder redirection, this means that the user is able to access their files when the computer is on the network and can access the file share resource which hosts those redirected folders, but they are non cached using Offline Files. For the business, this is a great security benefit as it means that somebody logging on to a temporary machine isn’t going to be caching all of those files, files which they could potentially leave on the train or in an aeroplane overhead locker. For laptops which typically have small hard disk capacities this is useful for both roaming profile and folder redirection scenarios as it means that you aren’t pulling down potentially gigabytes of data to the local machine clogging up the disk.

Implementing Primary Devices Using Active Directory Administration Center

First, launch the Active Directory Administrative Center and navigate your OU structure to find the computer object for the computer that you want to make primary for a given user, or if you already know the machine name, use the search feature to locate it.

Primary Computer Finding Distinguished Name

From the computer account object, scroll down to the bottom of the view and select the Attribute Editor tab. Scroll through the list of attributes to find the distinguishedName attribute and select the View button to show the full DN.

Primary Computer Copy Distinguished Name

On the String Attribute Editor, right click the pre-highlighted text and select the Copy option from the context menu. Cancel out of the Attribute Editor and cancel out of the computer object view.

With the DN of the computer now in the clipboard, find the user that you want to make this the primary computer for either by searching or again, navigating your OU structure.

Primary Computer Set User msDS-PrimaryComputer

On the user account, do as we did with the computer account a moment ago, scroll down and select the Attribute Editor tab. Scroll through the list of attributes until you locate the msDS-PrimaryComputer attribute then click the Edit button. Right-click in Value to Add box and select Paste from the context menu to paste in the DN of the computer then select the Add button.

Click OK to close the Multi-Valued String Editor dialog then click OK to exit out of the user account properties. Your work here is done.

Implementing Primary Devices Using PowerShell

Out of the box, there is actually no neat way of implementing Primary Devices using PowerShell. To do it, we have to plug a few Cmdlets together. Firstly, get the attributes for the computer and store them in an object. $Computer = Get-ADComputer Computer1 (where Computer1 is the name of the computer). Next, we map the computer that we just stored in the $Computer object to the user. Set-ADUser User1 -Add @{‘msDS-PrimaryComputer’ = “$Computer”} (where User1 is the name of the user). With those two Cmdlets out of the way, the partnership between the user and the computer should now be done, but we can verify this with the following Cmdlet. Get-ADUser User1 -Properties msDS-PrimaryComputer

Configuring Folder Redirection and Roaming Profiles

Now that we’ve setup Primary Computer attributes for some users, it would probably be a good idea if our Group Policy settings for Roaming Profile and Folder Redirection actually honoured these settings and only transferred out the data to the users’ primary computers. The setting for Folder Redirection is available as both a User Setting and a Computer Setting in Group Policy whereas the Roaming Profile setting is only available as a Computer Setting. Because of the fact you can’t apply both of these policy settings from a single policy if you decide to use user targeting, my advice is to apply this as a computer policy. It makes good sense to keep these two settings together as it means you can see that you are applying the Primary Computer setting to both roaming profiles and folder redirection in one view and it means you can give your Group Policy Object a meaningful name like Primary Computer Roaming Settings or the like.

From the Group Policy Management Console, navigate to the Computer Configuration > Administrative Templates > System. From the System node, you will find the Folder Redirection and User Profiles nodes.

Inside the Folder Redirection node, enable the Redirect folders on primary computers only policy setting. Inside the User Profiles node, enable the Download roaming profiles on primary computers only setting.

Storage Spaces Inaccessible After Windows Server 2012 R2 Upgrade

Windows Server 2012 R2 has some nice new features and improvements on existing features for users of Storage Spaces so there is a definite appeal for users of Windows Server 2012 to want to upgrade to Windows Server 2012 R2.  If you opt to do an in-place upgrade to preserve your existing Storage Spaces so that you can get your service up and running with the hope of being able to use them straight off the bat in Windows Server 2012 R2, you may encounter an error Read-only by user action and you need to perform some corrective steps to use them again.

Storage Space Read-Only User Action

This is what your Storage Spaces may look like if you open the Storage Spaces control panel item after the upgrade. As you can see, the spaces are in-tact and will report all of the space names and capacity from prior to the upgrade but instead of being online as you are used to seeing, you instead have this information icon and a message alongside the pool capacity indicator Read-only by user action. This is a built in protection feature of Windows Server 2012 R2 which takes your Storage Spaces offline by default after an upgrade. We just simply need to bring them online to use them. This is very similar to how in Windows Server 2003, a disk connected from an external system from a software RAID set could be marked as Foreign and the configuration of the disk needs to be imported first.

Changing the Storage Pool Status to Read/Write

To do this, open an administrative PowerShell prompt. At PowerShell, enter the two Cmdlets as follows:

Get-StoragePool | Where-Object {$_.IsReadOnly -eq $True} | Set-StoragePool -IsReadOnly $False
Get-VirtualDisk | Where-Object {$_.IsManualAttach -eq $True} | Set-VirtualDisk -IsManualAttach $False

If you forget to elevate the PowerShell prompt by running it as an administrator you will get access denied responses to the two Cmdlets as you aren’t running the Cmdlets with your administrative rights. Simply close PowerShell and re-open it by right-clicking and using the Run as Administrator option.

Bring the Storage Spaces Online

Once you’ve entered the Cmdlets above, returning to the Storage Spaces control panel applet now, you will see the information shown has updated.

Storage Space Offline by Policy

As you can see, the Storage Spaces are now reporting their status as OK but they are marked as Offline by Policy. To change this and to bring the Storage Spaces online, simply click the Bring Online option next to each Storage Space and it will be brought online and granted a drive letter.

Check, Verify and Reminder

It’s important to note here that the drive letter assigned will be the next free letter and not perhaps, the drive letter that you used on the previous installation of Windows Server 2012. If you have a requirement for the Storage Space to be on a particular letter then you will need to go into the Properties of the individual spaces after it has been brought online and change the letter.

It’s also good to remember that any file shares you had on these Storage Spaces may be un-shared through the upgrade process so you should check the existence of your shares either by using the Properties on the drive or folder which you needed to be shared or by using the Share and Storage Management administrative console.

Once you’ve got your Storage Spaces all brought online after the actions above, you should be looking like normality again as shown below.

Storage Space Online Normal

Hopefully someone out there finds this useful and it saves at least a few hair extractions from taking place after a Windows Server 2012 to Windows Server 2012 R2 in-place upgrade. Now it’s time to go and enjoy those new features.

KMS Activating Windows 8.1 and Server 2012 R2

With each new release of Windows client and server operating systems nowadays, comes an update required to allow your on premise KMS host to activate those new operating system servers and clients using volume license activation.

After the general availability on Windows 8.1 Enterprise client and Windows Server 2012 R2, Microsoft released the update for KMS host for Windows Server 2008, 2008 R2 and 2012 to allow these down level operating systems to activate the latest and greatest.

You can get the download for the update from http://support.microsoft.com/kb/2885698. Installation of the update requires a KMS Host restart and you will need to obtain a new KMS Host key from your Microsoft Volume License Center account. Instructions for applying the new key with slmgr.vbs is given on the link above.

Windows 8.1 and Windows Server 2012 R2 use the KMS Client key by default after installation so you shouldn’t need to change anything to get your clients activated, but in case you need them, the KMS Client keys for all operating systems supporting KMS are available from http://technet.microsoft.com/en-us/library/jj612867.aspx.

Windows Server 2012 Essentials PPP RAS Adapter Registration in DNS

Today, I was looking at an issue where one of my clients at home was reporting that the server was unavailable yet other clients were working perfectly fine. The client in question was a Surface Pro tablet running Windows 8.1. This issue turned out to be the Routing and Remote Access PPP RAS Adapter registering in my Windows Server 2012 Essentials domains’ DNS in addition to my local network adapter. Here’s how to spot the issue and to resolve it.

My server is named BGWSE1 and lives on a static IP Address of 10.10.10.201 in a 255.255.255.0 /24 subnet.

On the client I pinged the server by IP address to verify that it was indeed online and was able to be returned by the client which it was. I then tried to ping the server by name which returned a response also, but it wasn’t on the first pass that I noticed that the IP Address was different. The IP Address returned was 10.10.10.30. Strange I thought to myself as this is an IP Address inside my DHCP scope which I run on the server using the start address of 10.10.10.10 and an end address of 10.10.10.50.

I logged on to the server and looked in the DNS Management Console and sure enough, there was a second DNS A record registered for the server with the IP Address of 10.10.10.30 but where had this come from as the timestamp on the record was static and not a date and time stamp as seen on most records. I deleted the record as I knew I didn’t want it there and I refreshed the console and no sooner as I had refreshed the console, the record re-appeared.

Running ipconfig from the server, I saw a second network adapter for the PPP RAS connection with, you guessed it, 10.10.10.30 as it’s IP Address.

I Bing search later and the problem now appears to be resolved thanks to a Microsoft Support KB Article which dated back to Windows Server 2003 entitled Name resolution and connectivity issues on a Routing and Remote Access Server that also runs DNS or WINS (http://support.microsoft.com/kb/292822). I have only actually followed step one which is to add the record to the DNS service parameters to instruct the DNS service to only publish a given IP Address for the server. I’ve restarted the DNS and Routing and Remote Access services multiple times since making the change and the secondary DNS A record for my server BGWSE1 has not re-appeared.

 

Windows Server 2012 Essentials Folder Redirection on Windows 8.1

As all good IT Pros have done, I’ve upgraded my home client computers from Windows 8 to Windows 8.1. You have upgraded your machines to Windows 8.1 right?

As I frequently proclaim and preach on here, I run Windows Server 2012 Essentials on my home network, acting as my DNS Server, DHCP Server in addition to the out of the box features that you can get from Windows Server 2012 Essentials like roaming profiles, folder redirection, automated computer backups and network file sharing (all of which I use).

When I was building out a test environment this week to practice how I might migrate from Windows Server 2012 Essentials to Windows Server 2012 R2 Essentials without the benefit of a second server with 19TB of available storage to hand (how many homes do have 19TB of storage let alone a spare 19TB) I was experiencing an issue.

As part of my testing, I built a Windows 8.1 Pro virtual machine to simulate a desktop or laptop client computer. I built a Windows Server 2012 Essentials server as a second virtual machine on which I recreated my group policy settings and a mock up of my Storage Pool and Storage Spaces on my production server. After installing the Windows Server 2012 Essentials Connector on the Windows 8.1 client and logging in for the first time as a user configured to use roaming profile and folder redirection, I noticed that the roaming profile was working but the folder redirection was not.

I spent a while pouring through event logs on the client wondering why folder redirection wasn’t working, looking at GPMC (Group Policy Management Console) wondering if I’d done something silly like moved a link on a GPO preventing it from working until the penny dropped. Windows Server 2012 Essentials applies a WMI Filter named SBS Group Policy WMI Filter to the SBS Group Policy Folder Redirection GPO which is created when you implement Group Policy via the Server Dashboard.

Windows Server 2012 Essentials Original WMI Filter

This WMI Filter is setup as SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE “6.1%” or Version LIKE “6.2%”) AND ProductType = “1”. For those who are now also dropping the penny or those who can’t make head nor tail of a WMI Filter, Windows 8.1 increments the operating system version number from 6.2 (Windows 8) to 6.3 (Windows 8.1), therefore the GPO isn’t applying to any of the Windows 8.1 machines on my network because this filter limits the scope of the Group Policy Object to explicitly Windows 7 and Windows 8 operating systems.

The solution to making this work is pretty simple in that we just need to update the WMI Filter so that it includes Windows 8.1 as we know that basic features like roaming profiles and folder redirection are going to work so I’m not worried about something breaking here.

I’ve decided to change my WMI Filter to include operating systems greater than or equal to Windows 7 rather than add another or statement to include Windows 8.1 For me, the WMI Filter now reads SELECT * FROM Win32_OperatingSystem WHERE (Version >= “6.1%”) AND ProductType = “1”.

Windows Server 2012 Essentials New WMI Filter

 

After making the changes and running a gpupdate command on a Windows 8.1 client computer, the group policy magically springs back into life and things start working. Firstly, I’m amazed that I haven’t noticed this being a problem on my home clients which I guess is a testament to my gigabit throughout home network pushing the files directly back to the server rather than caching them locally with Offline Folders first. Secondly, I’m surprised that this hasn’t been updated with a patch or update to Windows Server 2012 Essentials but perhaps this is a cattle prod for customers to upgrade to Windows Server 2012 R2 Essentials?

Windows Azure to Overtake Amazon as Cloud Computing Leader

My attention was brought to a greenbutton.com (http://www.greenbutton.com/blog/index.php/2013/10/30/why-windows-azure/) today when it was tweeted by @WindowsAzure (https://twitter.com/WindowsAzure/status/400669888823697408) in which the author, Dave Fellows speaks of how they believe Windows Azure is going to overtake Amazon as the leader in cloud computing within two to three years.

My personal feeling is that I agree with what Dave is saying. Windows Azure has been gaining steam and momentum significantly over the last year as Microsoft has increased the amount of work and effort it’s putting into virtualisation and cloud for the on premise private, mash-up hybrid and all out public cloud software architectures.

Microsoft are traditionally late to a party but when they arrive, they do it well and they do it big. As I’ve made public knowledge recently on my blog here, I worked on a Windows Azure project recently to deliver my companies public website on the Platform as a Service public cloud infrastructure using a CMS product called Sitecore. The experience was really good both when dealing with pre-sales to engage with Microsoft and discuss the opportunity of Windows Azure, and also with Premier Support Services who were really good at helping us get to where we needed to be on the couple of occasions we ran into issues. For clarity, we ran into issues because of soft limits imposed on Azure subscriptions to prevent customers from inflicting giant bills on themselves by provisioning lots of service without considering the ramifications, not because of any practical issues such as performance or loss of service.

As the integration with products and services like System Center Data Protection Manager, System Center Virtual Machine Manager and AppController all improve as I’m sure they will beyond the 2012 R2 releases, this story is only going to get better. The Azure VPN feature already allows customers to expand their on premise networks and private clouds into Azure and future services of this nature, allowing customers to adopt public cloud but in a private and secure manner will promote adoption for those customers who aren’t quite ready to take the leap of faith into public-public.

 

November 2013 Rollup Update for Windows 8.1 and Windows Server 2012 R2

Microsoft have today released KB2887595 which is a 199.7 MB rollup update for Windows 8.1, Windows 8.1 RT and Windows Server 2012 R2.

You can see the release notes for the update and the updates included within it at http://support.microsoft.com/kb/2887595. The update looks tasty including one update which sounds of interest for users of roaming profiles which addresses incompatibility issues between profiles initially created on earlier versions of Windows (KB 2890783 http://support.microsoft.com/kb/2890783).

Although not explicitly mentioned in the notes, it will be interesting to see if the hang issues some people (including myself) have been experiencing with Internet Explorer 11 are resolved?

Configuring the Windows Azure Alerts Preview Feature

As part of the project I’ve been working on for the last six months to deliver a new public website (hint www.primark.com) using Windows Azure we needed to be able to monitor the site performance and alert on warning and critical thresholds for certain counters. At the start of the project, our intention was to use SCOM (System Center Operations Manager) as the cleanest way to get data out of Windows Azure but by the time we went live two weeks’ ago, Microsoft had made available the Windows Azure Alerts feature preview.

Under normal circumstances, SCOM would’ve been a no brainer decision for us as our operational teams use and rely on SCOM already so they are familiar and comfortable using it however with the website, we had a challenge – the third-party.

Setting up SCOM 2007 R2 to monitor Windows Azure sounds really complicated when you read the TechNet article for it at http://technet.microsoft.com/en-us/library/gg276377.aspx however it’s actually pretty simple, something which I’ll cover in a later post on the subject, however as I mentioned, our project involved a third-party development partner who needed to receive the alerts also once we went live. In SCOM, you configure this using an SMTP Subscription to email the alerts raised by the management pack to those who need it, but this would result in our Exchange platform joining the critical path for the monitoring of the website, something which I didn’t want ideally as the architect for the project. Imagine the conversation explaining how you missed a website outage or performance degradation because Exchange was down 😮

Fortunately for me, Microsoft came up trumps with the Windows Azure Alerts preview feature just weeks before I was about to go live with the SCOM management pack configuration for production although I had already configured it for our staging environment by this point.

Windows Azure Alerts allows you to configure SCOM like thresholds and evaluation periods for usage counters and metrics from your Azure services and in turn, generate email alerts for them. This has allowed me to remove Exchange from our critical path for website monitoring because the email alerts are generated directly at source in Windows Azure.

To get started with Windows Azure Alerts, firstly, open your Cloud Service, Web Site, SQL Azure Database or whatever you’d like to monitor in the Windows Azure Management Portal. Once open, select the Monitor tab from the Windows Azure Dashboard.

Azure Cloud Service Monitor

Once you’re on the Monitor tab, select the monitor that you would like to generate alerts for. If the monitor you want to use is not listed then you need to update, amend or possibly even start the configuration of diagnostics. Look at the MSDN page, Collect Logging Data by Using Windows Azure Diagnostics to get started.

Azure Cloud Service Add Rule

With the monitor highlighted, the contextual bottom navigation now shows an option Add Rule. Click this to open the rule definition wizard.

Azure Alert Define Rule

In this rule, I’m configuring monitoring for high CPU utilization on a Cloud Service. Give the rule a name and a description. These are included in the email alert you are sent in the event that the rule is triggered so make sure that it’s something you or people receiving the alert can relate to. Once entered, click the arrow to go to page two.

Azure Alert Define Conditions

On page two as shown above, you configure the conditions for the rule. In the case of CPU usage, I’m going to monitor on CPU usage over 80%. Rules are evaluated over a time period before they breach. This is ideal for CPU and memory counters as it means that you won’t be alerted for momentary peaks in demand due to activity occurring in the service but will be alerted for sustained period of high draw. Here, I am setting the evaluation period to the default option of five minutes.

Under the sub-heading Actions, you define whether a single email address (which could be a distribution list) or all of your Azure administrators and co-administrators receive the email alert from the rule. As we have a number of people such as project deployment engineers and developers accessing Azure and the only people who need to receive the alerts are the operational teams, I elected to enter an email address for a distribution list and not all of the subscription administrators and co-administrators.

The last option is the tick box to enable the rule which is checked by default. Click the success tick button to complete the two step wizard and the rule will be created.

Azure Management Services View Alerts

Switching context to the Management Services pane in Azure allows you to see a list of all of the alerts configured for the subscription be they for Web Sites, Cloud Services, SQL Azure Databases or more. Here, I only have one configured but in our production subscription we currently have 10.

There is currently an imposed limit of 10 alert rules per subscription while the feature is in preview. I’ve been meaning to call Microsoft Azure PSS (Premier Support Services) for a week now to see if we can get this limit raised as we would like to create a few additional rules but I haven’t got round to it yet. If I manage to do this, I’ll be sure to let you all know.

So there you have it. How to create email alerts for performance thresholds as you would do with SCOM, directly in Windows Azure removing the need to configure an extra management pack in your SCOM environment and removing critical path dependencies from your internal systems to receive alerts for Windows Azure services. I’m looking forward to this feature coming out of preview and into production service hopefully with a few extra bells and whistles.