Apply Updates on Windows Nano Server 2016

In my previous post, List Updates on Windows Nano Server 2016, I talked about reporting the updates which are installed or missing from your Nano Servers. With that information in hand, you can now move to the more powerful aspect of actually patching them.

In my environment, I don’t want my hosts going out to Microsoft Update on their own, nor do I want to run an entire WSUS server just for a couple of Nano Servers, so I patch them manually. This manual patching effort is something which will possibly resonate with others, so I thought I would share it.

As it stands, the script requires you to fetch the updates yourself. I am going to work on something using Invoke-WebRequest in PowerShell to automate that step too, but until then it is a small price to pay given the minimal number of updates Nano Server requires. Use the Microsoft Update Catalog at https://catalog.update.microsoft.com to obtain any updates you need. As Thomas Maurer pointed out in his Nano Server updates post at http://www.thomasmaurer.ch/2016/10/how-to-install-updates-on-nano-server/, there is one update for your Nano Servers which the scan does not actually list: the Servicing Stack Update for Windows 10 Version 1607, KB3176936, which you can download from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3176936. This update is designed to be installed first, on its own, and it improves the reliability and stability of the servicing stack in Windows which the update process itself depends on.
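The manual install step described above, as an added example that is not the post’s own script. It assumes the .cab files have already been downloaded from the Catalog into a folder on the Nano Server (C:\Updates here), that the DISM cmdlets (Add-WindowsPackage, Get-WindowsPackage) are available on the host, and that the Servicing Stack Update can be recognised by its KB number in the file name. It installs the SSU first, then everything else, and confirms each package is present before you reboot.

```powershell
# Added example, not the post's script. Assumptions: updates are .cab files in
# $UpdatePath on the Nano Server, DISM cmdlets are available there, and the SSU
# file name contains $ServicingStackKB.
function Install-NanoServerUpdates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UpdatePath,
        [string] $ServicingStackKB = 'KB3176936'   # Servicing Stack Update for Windows 10 1607 / Server 2016
    )

    $cabs = @(Get-ChildItem -Path $UpdatePath -Filter '*.cab' -File)
    if ($cabs.Count -eq 0) { throw "No .cab files found in $UpdatePath" }

    # The servicing stack update must go on first and on its own.
    $ssu    = @($cabs | Where-Object { $_.Name -match $ServicingStackKB })
    $others = @($cabs | Where-Object { $_.Name -notmatch $ServicingStackKB })
    if ($ssu.Count -eq 0) { Write-Warning "No $ServicingStackKB package found; the SSU should be installed before anything else" }

    foreach ($cab in ($ssu + $others)) {
        Write-Verbose "Installing $($cab.Name)"
        # -NoRestart: reboot once at the end rather than once per package.
        Add-WindowsPackage -Online -PackagePath $cab.FullName -NoRestart | Out-Null
    }

    # Cross-check: every KB we pushed should now show as an installed package.
    $installed = Get-WindowsPackage -Online | Where-Object { $_.PackageState -eq 'Installed' }
    foreach ($cab in ($ssu + $others)) {
        $kb = if ($cab.Name -match 'KB\d+') { $Matches[0] } else { $cab.BaseName }
        [pscustomobject]@{
            Package   = $cab.Name
            KB        = $kb
            Installed = [bool]($installed | Where-Object { $_.PackageName -match $kb })
        }
    }
}

# Usage from a management host (session name and paths assumed):
# $s = New-PSSession -ComputerName NANO1
# Copy-Item -Path 'C:\Downloads\NanoUpdates\*.cab' -Destination 'C:\Updates' -ToSession $s
# Invoke-Command -Session $s -ScriptBlock ${function:Install-NanoServerUpdates} -ArgumentList 'C:\Updates'
# Restart-Computer -ComputerName NANO1 -Wait
```

The function returns one object per package with an Installed flag, so you can stop and look before rebooting if anything reports False rather than discovering it after the restart.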

Read the Full Post

List Updates on Windows Nano Server 2016

Windows Server 2016 introduced a new SKU, Nano Server. Nano Server is an extremely low footprint operating system designed for microservices and rapid deployment and provisioning, and it currently supports roles including Failover Clustering, Hyper-V, File Server, Web Server and DNS Server.

With Nano Server being completely headless and, at this moment in time, not supporting a Configuration Manager agent for managing operating system patches, there needs to be a way for you to track and manage patching on them. At home I run two Nano Server hosts using Hyper-V to host some virtual machines and a third running inside a VM for some testing workloads. I decided I wanted to script a way of at least going some way to automating the patching.

The first script below lists the updates that your Nano Server has installed already for reporting purposes. The second lists the updates which are available and require installation. It’s worth noting that for this to work, your Nano Server machines will need access to an update service to find out what updates are available, be it Microsoft Update or WSUS. If you are reading this thinking that you didn’t know Nano Server could use WSUS, well sure it can, you just need to populate the same registry keys you would on a normal Windows machine.

The code for returning the list of updates comes direct from the Microsoft Blog at https://blogs.technet.microsoft.com/nanoserver/2016/10/07/updating-nano-server/ however this assumes a manual process so I have wrapped this up to provide a level of automation.
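An added example, not the post’s script and not the Microsoft blog’s code verbatim, covering both points above: pointing a Nano Server at WSUS by writing the same policy registry values a GPO would set on a full Windows machine, and then listing installed or missing updates. It assumes the CIM class the Microsoft post uses (MSFT_WUOperationsSession in root/Microsoft/Windows/WindowsUpdate) is present on the build you are running, that the update objects it returns carry a Title containing the KB number, and that the WSUS URL is yours.

```powershell
# Added example, not the post's script. Assumptions: the WSUS URL below is
# yours, and the MSFT_WUOperationsSession CIM class exists on this Nano build.

# Point the host at WSUS instead of Microsoft Update. These are the same policy
# values Group Policy writes on a full Windows machine; NoAutoUpdate keeps the
# host from installing on its own since we patch by hand.
function Set-WsusSource {
    param([Parameter(Mandatory)][string] $WsusUrl)   # e.g. 'http://wsus.corp.example:8530' (assumed)
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    foreach ($key in $policy, $au) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $policy -Name WUServer       -Value $WsusUrl
    Set-ItemProperty -Path $policy -Name WUStatusServer -Value $WsusUrl
    Set-ItemProperty -Path $au     -Name UseWUServer    -Value 1 -Type DWord
    Set-ItemProperty -Path $au     -Name NoAutoUpdate   -Value 1 -Type DWord
    Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer
}

# Scan via the Windows Update CIM provider and return a report object per update.
function Get-NanoUpdateReport {
    param([ValidateSet('Installed', 'Missing')][string] $State = 'Missing')

    $criteria = if ($State -eq 'Installed') { 'IsInstalled=1' } else { 'IsInstalled=0' }
    $sess = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
    $scan = Invoke-CimMethod -InputObject $sess -MethodName ScanForUpdates `
                -Arguments @{ SearchCriteria = $criteria; OnlineScan = $true }

    foreach ($u in @($scan.Updates)) {
        [pscustomobject]@{
            Host  = $env:COMPUTERNAME
            State = $State
            KB    = if ($u.Title -match 'KB\d+') { $Matches[0] } else { $null }   # KB is parsed from the title (assumption)
            Title = $u.Title
        }
    }
}

# Usage (run inside a PSSession to the Nano Server; names assumed):
# Set-WsusSource -WsusUrl 'http://wsus.corp.example:8530'
# Get-NanoUpdateReport -State Installed | Format-Table KB, Title
# Get-NanoUpdateReport -State Missing   | Export-Csv "C:\Reports\$env:COMPUTERNAME-missing.csv" -NoTypeInformation
```

Running the report from a loop over several hosts and exporting to CSV gives you the installed/missing view the post describes without needing anything on the Nano Servers beyond WinRM.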

Read the Full Post

RDS and the Case of the Mistaken PKI OID

Earlier this morning, I was working with our support team to work out an issue they were having in an environment where Remote Desktop Services had stopped working. Trying to connect to a server via RDS simply failed with a Network Level Authentication warning, which was strange given that it was a domain environment and everything should have been trusted and all good. The issue started life as support seeing Event ID 1058 and Event ID 36870 errors in the event log, and they had been looking at https://blogs.technet.microsoft.com/askperf/2014/10/22/rdp-fails-with-event-id-1058-event-36870-with-remote-desktop-session-host-certificate-ssl-communication/ for guidance up to this point with no success.

I quickly discovered that a GPO had recently been implemented that enforced NLA for RDS and also assigned a certificate template to use for Remote Desktop instead of the default self-signed version. I hopped onto the certificate authority to check out the certificate template that had been configured and compared it to the recommendations of the Microsoft article for assigning certificates to RDS sessions at https://blogs.technet.microsoft.com/enterprisemobility/2010/04/09/configuring-remote-desktop-certificates/ as this is an article I have referred to before and know it works.
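A check I would run on the affected server before digging into the template, added here as an example rather than anything from the post: it reads which certificate the RDP-Tcp listener is actually bound to, whether NLA is required, and whether the certificate carries an Enhanced Key Usage that a Remote Desktop listener can use. The two OIDs treated as acceptable are the well-known Server Authentication (1.3.6.1.5.5.7.3.1) and Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2) EKUs; treating those as the acceptable set is my assumption, not the post’s finding.

```powershell
# Added example, not from the post. Run locally on the RDS host (or via
# Enter-PSSession). Acceptable EKU OIDs are an assumption on my part.
function Test-RdpListenerCertificate {
    $acceptableEku = @{
        '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
        '1.3.6.1.4.1.311.54.1.2' = 'Remote Desktop Authentication'
    }

    # Listener settings: NLA flag and the thumbprint of the bound certificate.
    $rdp = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"

    # The self-signed default lives in 'Remote Desktop'; a template-issued one normally lands in 'My'.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $rdp.SSLCertificateSHA1Hash } |
                Select-Object -First 1
    if (-not $cert) { throw "Listener thumbprint $($rdp.SSLCertificateSHA1Hash) not found in the machine stores" }

    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        NlaRequired   = [bool]$rdp.UserAuthenticationRequired
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        Expired       = ($cert.NotAfter -lt (Get-Date))
        Ekus          = $ekus | ForEach-Object { if ($acceptableEku[$_]) { "$_ ($($acceptableEku[$_]))" } else { $_ } }
        UsableForRdp  = [bool]($ekus | Where-Object { $acceptableEku.ContainsKey($_) })
    }
}

# Usage:
# Test-RdpListenerCertificate | Format-List
```

If UsableForRdp comes back False for a certificate the GPO assigned, the template is the first place to look; if the certificate is missing from the stores entirely, the GPO has not yet applied and the listener is still pointing at a thumbprint that no longer exists.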

Read the Full Post

Hunting and Decrypting EFS Encrypted Files

At home last week, I started doing some preparations for upgrading my home server from Windows Server 2012 R2 to Windows Server 2016. This server was originally installed using Windows Server 2012 R2 Essentials and since then I have performed an edition upgrade to Standard on the machine, which means that the host has ADDS, ADCS, NPS and some other roles installed as part of the original Essentials server installation. We all know that unbinding ADDS and ADCS can be a bit of a bore, which is why nobody in the age of virtualization should be installing ADDS and ADCS together on a single server, but that’s by the by.

When I started looking at decommissioning the ADCS role, I noticed that an EFS certificate had been issued to my domain user account. I’ve never knowingly used EFS, but the presence of a certificate for that purpose led me to believe there may be some files out there, so I started looking.

EFS is a technology that first appeared in Windows 2000 to allow users to encrypt files, long before BitLocker was a thing. It was a nice idea but it was troubled and flawed in that it was enabled by default and users could self-encrypt files without IT having implemented the proper tools (a Data Recovery Agent and key backup) to allow them to recover the files when disaster struck.
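The hunt-and-decrypt part, as an added example that is not the post’s own script. The first function walks one or more paths and returns every file carrying the Encrypted attribute; the second decrypts the files it is given, in place, using the .NET FileInfo.Decrypt method, which only succeeds when it runs as a user holding the EFS certificate and private key for that file (or as a Data Recovery Agent). The paths are assumptions.

```powershell
# Added example, not the post's script. Paths are assumptions. Run as the user
# whose EFS certificate was issued (or a DRA), on the machine holding the key.
function Find-EfsEncryptedFile {
    param([Parameter(Mandatory)][string[]] $Path)
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

function Unprotect-EfsFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string] $FullName)
    process {
        $file = Get-Item -LiteralPath $FullName -Force
        if (-not ($file.Attributes -band [System.IO.FileAttributes]::Encrypted)) { return }
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Decrypt (EFS)')) { return }
        try {
            $file.Decrypt()      # fails with an access-denied style error if this account has no key for the file
            $file.Refresh()
            [pscustomobject]@{
                File      = $file.FullName
                Decrypted = -not ($file.Attributes -band [System.IO.FileAttributes]::Encrypted)
                Error     = $null
            }
        } catch {
            [pscustomobject]@{ File = $file.FullName; Decrypted = $false; Error = $_.Exception.Message }
        }
    }
}

# Usage (paths assumed): find first, dry-run the decrypt, then do it for real.
# $hits = Find-EfsEncryptedFile -Path 'D:\Users', 'D:\Shares'
# $hits | Unprotect-EfsFile -WhatIf
# $hits | Unprotect-EfsFile | Where-Object { -not $_.Decrypted }   # anything left here needs a different key or the DRA
```

The built-in equivalent for the hunting half is cipher.exe /u /n /h, which lists encrypted files on local drives without touching them; the point of doing it in PowerShell is that the same objects feed straight into the decrypt step and you get a per-file result you can act on before removing the CA.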

Read the Full Post

Hyper-V Replication Firewall Rules on Nano Server

Nano Server is the newest edition in the Windows Server family and, because of its ultra-low footprint and reduced patching requirement, it makes an ideal Hyper-V host for running your private cloud infrastructure.

One of the resiliency features in Hyper-V, Hyper-V Replica, allows you to replicate a VM on a timed interval of as low as 30 seconds. This isn’t a new feature but it is a great one nonetheless and is ideally suited to organisations with multiple data centres wanting to protect their VMs across two or more sites without the need for expensive SAN replication technologies.

Nano Server ships by default with the Windows Firewall enabled and there are two rules for Hyper-V Replica which are both disabled by default: one for the HTTP listener, used when the replication server is configured for Kerberos authentication, and one for the HTTPS listener, used for certificate-based authentication. Even once you’ve configured everything you need via the Hyper-V Manager console or via PowerShell, such as virtual networks and enabling the Hyper-V Replica feature, you will still need to enable the rule that matches the authentication type you chose, and only that one.
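An added example, not from the post, that enables only the listener rule matching the authentication type already configured on the host and scopes it to the replica partner addresses rather than leaving it open to any source. The rule display names (“Hyper-V Replica HTTP Listener (TCP-In)” and “Hyper-V Replica HTTPS Listener (TCP-In)”) and the partner address are assumptions; confirm the names on your own hosts with Get-NetFirewallRule -DisplayName 'Hyper-V Replica*' first.

```powershell
# Added example, not the post's commands. Rule display names and the partner
# address are assumptions; run Get-NetFirewallRule -DisplayName 'Hyper-V Replica*'
# on the host to confirm them. Run on the replica (receiving) Nano Server.
function Enable-HvReplicaListenerRule {
    param(
        [Parameter(Mandatory)][string[]] $PartnerAddress,   # primary server / broker addresses, e.g. '10.0.2.20'
        [ValidateSet('Kerberos', 'Certificate', 'KerberosAndCertificate')][string] $AuthType
    )

    if (-not $AuthType) {
        # Read what Set-VMReplicationServer configured rather than guessing.
        $AuthType = [string](Get-VMReplicationServer).AllowedAuthenticationType
    }

    $ruleForAuth = @{
        Kerberos    = 'Hyper-V Replica HTTP Listener (TCP-In)'    # TCP 80 by default
        Certificate = 'Hyper-V Replica HTTPS Listener (TCP-In)'   # TCP 443 by default
    }
    $wanted = @()
    if ($AuthType -match 'Kerberos')    { $wanted += $ruleForAuth.Kerberos }
    if ($AuthType -match 'Certificate') { $wanted += $ruleForAuth.Certificate }

    $rules = Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP*'
    if (-not $rules) { throw 'No Hyper-V Replica listener rules found; is the Hyper-V role installed?' }

    foreach ($rule in $rules) {
        if ($wanted -contains $rule.DisplayName) {
            # Enable and restrict to the partners; the default scope is "Any".
            $rule | Set-NetFirewallRule -Enabled True -RemoteAddress $PartnerAddress
        } else {
            # Keep the listener for the authentication type we are not using closed.
            $rule | Set-NetFirewallRule -Enabled False
        }
    }

    # Report what is now open, so the change can be verified in the same session.
    Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP*' | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
        }
    }
}

# Usage (addresses assumed):
# Enable-HvReplicaListenerRule -PartnerAddress '10.0.2.20', '10.0.2.21'
```

Scoping RemoteAddress matters more on Nano Server than it might look: the host is typically reachable only over WinRM and these listeners, so an HTTP listener open to the whole network is one of the few inbound paths you have just added.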

Read the Full Post

Setting PowerShell as the Default Shell in Server Core

As part of a little weekend project I’ve embarked on this week, I’ve built myself a pair of new Domain Controllers for my home AD environment running on Server Core. Not only does using Server Core for Domain Controllers make great sense because they take up fewer resources (CPU, memory and storage), but they also need less patching, which means we can keep them up more often. Sure, it would be nice to be able to use Nano Server for Domain Controllers, but at least in Technical Preview 5 at the time of writing, this isn’t a role that’s available. DNS is but AD isn’t, and hopefully it will come.

Living in the present though, with Windows Server 2012 R2 and Server Core being the best we can do for Active Directory, there is a problem that most people will notice when they start using Server Core, and that is that it uses Command Prompt as its default shell. This means that if you want to use any PowerShell Cmdlets, you need to start PowerShell first. I know this doesn’t seem like a hardship, but if you do it enough it gets tiresome, especially when you consider that the Active Directory Cmdlets all live in PowerShell.

Luckily, we can fix this and make PowerShell the default shell in Server Core. If you’ve only got one server to do this against then the easiest thing is to do it manually, but if you’ve got a larger estate of Server Core machines, you can do it with Group Policy Preferences too.

Setting PowerShell as the Default Shell Manually

If you’ve only got one server or a couple of servers, or maybe your Server Core machines are workgroup members so you can’t use Group Policy, then the manual method is for you. It’s a simple PowerShell one-liner; the -NoExit switch matters, because without it the shell would exit as soon as it started and you would be left with no shell at all:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -Value 'PowerShell.exe -NoExit'

Setting PowerShell as the Default Shell via Group Policy

As I mentioned, we can use a Group Policy Object to ensure that all of our Server Core machines get PowerShell as their default shell.

The first step is to set up a WMI Filter in Active Directory to detect Server Core machines and the second is to create and link the GPO itself. In the Group Policy Management Console, create a new WMI Filter. Name it whatever you choose, but I called mine Windows Server 2012 R2 Server Core Only. For the query itself, use the following WMI Query:

SELECT InstallState FROM Win32_OptionalFeature WHERE (Name = "Server-Gui-Shell") AND (InstallState = "2")

To break it down, this queries the Win32_OptionalFeature class in WMI and grabs the InstallState property. It then checks whether InstallState is equal to 2 for the Server-Gui-Shell feature. In Windows Server 2008 and 2008 R2 this was a little easier, as Server with a GUI and Server Core identified themselves as different SKUs of the operating system; however, because Windows Server 2012 R2 allows us to install and uninstall the GUI as a feature, there is no difference in the SKU, so the way to tell the two apart is the installation state of the Server-Gui-Shell feature. On a server with a GUI this will equal 1 (Enabled) and on a server without the GUI this will equal 2 (Disabled). One caveat: Win32_OptionalFeature reports 3 (Absent) when a feature’s payload has been removed from the image entirely, so if you have used Remove-WindowsFeature with the -Remove switch on some hosts, check what they actually report before relying on the filter.

With the WMI Filter now created, we can create the GPO itself. Create a new GPO and configure it to use the WMI Filter we just created. Once created and filtered, open up the GPO Editor so that we can add our setting.

In the GPO Editor, expand Computer Configuration > Preferences > Windows Settings > Registry. Right-click the Registry node on the left, select New > Registry Item and configure the registry item as follows:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value Name: Shell
Value Type: REG_SZ
Value Data: PowerShell.exe -NoExit

Once you set this, hit OK and you’re done. Link the GPO to an OU in your Active Directory hierarchy that contains your servers and once it has applied, you’ll start to get PowerShell as your default prompt when you log on. Because the WMI Filter only applies to Server Core machines, it’s safe to link this GPO to a root OU that contains all of your servers so that when any Server Core machines get dropped in, they will automatically pick this GPO up.
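Two checks worth having alongside the GPO, as an added example rather than anything from the post: the first runs the same WMI query the filter uses against a host so you can see what it reports before linking the GPO, and the second reads back Winlogon\Shell and flags any value outside a short allow-list. That second check is there for a reason beyond confirming the GPO worked: Winlogon\Shell runs whatever it names at every interactive logon, which makes it a well-known persistence location, so a value you did not set deserves a look. The allow-list is an assumption; explorer.exe and cmd.exe are the stock defaults for GUI and Core.

```powershell
# Added example, not the post's commands. The allow-list in Test-WinlogonShell
# is an assumption; adjust it to what you actually deploy.
function Test-ServerCoreWmiFilter {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Same query the GPO WMI filter evaluates (minus the InstallState clause, so we see the raw value).
    $query = 'SELECT InstallState FROM Win32_OptionalFeature WHERE Name = "Server-Gui-Shell"'
    $feature = Get-CimInstance -ComputerName $ComputerName -Query $query
    [pscustomobject]@{
        ComputerName = $ComputerName
        InstallState = $feature.InstallState           # 1 = Enabled, 2 = Disabled, 3 = Absent
        FilterMatch  = ($feature.InstallState -eq 2)   # what the GPO filter would decide for this host
    }
}

function Test-WinlogonShell {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [string[]] $Expected     = @('explorer.exe', 'cmd.exe', 'PowerShell.exe -NoExit')
    )
    $shell = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell).Shell
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Shell        = $shell
        AsExpected   = ($Expected -contains $shell)   # -contains is case-insensitive; anything else here runs at every logon
    }
}

# Usage (host names assumed):
# 'DC1', 'DC2', 'FS1' | ForEach-Object { Test-ServerCoreWmiFilter -ComputerName $_ }
# 'DC1', 'DC2', 'FS1' | ForEach-Object { Test-WinlogonShell -ComputerName $_ } | Where-Object { -not $_.AsExpected }
```

Run the first function before linking the GPO to catch hosts that report 3 rather than 2; run the second after the policy refresh, and keep it around as a periodic check across all servers, not just the Core ones.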

Cleaning Up Active Directory and Cluster Computer Accounts

Recently at work, I’ve been looking at doing a clean up of our Active Directory domain, namely removing stale user and computer accounts. To do this, I wrote a short but sweet PowerShell script which gets all of the computer objects from the domain and includes the LastLogonTimestamp and pwdLastSet attributes to show when the computer account was last active; however, I came across an interesting problem with cluster computer objects.

Import-Module ActiveDirectory
Get-ADComputer -Filter * -SearchBase "DC=domain,DC=com" -Properties Name, LastLogonTimestamp, pwdLastSet -ResultPageSize 0 | Select Name, @{n='LastLogonTimestamp';e={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, @{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}, DistinguishedName

When reviewing the results, it seemed as though Network Names for Cluster Resource Groups weren’t updating their LastLogonTimestamp or pwdLastSet attributes even though those Network Names are still in use.

After a bit of a search online, I found a TechNet Blog post at http://blogs.technet.com/b/askds/archive/2011/08/23/cluster-and-stale-computer-accounts.aspx which describes exactly that situation. The LastLogonTimestamp attribute is only updated when the Network Name is brought online, so if you’ve got a rock solid environment and your clusters don’t fail over or come crashing down too often, this object will appear as though it’s stale. Bear in mind too that LastLogonTimestamp is a lazily replicated attribute on every computer object, refreshed only when the existing value is older than the msDS-LogonTimeSyncInterval (14 days by default, minus a random offset), so it is only ever accurate to within a couple of weeks.

To save you reading the article, I’ve produced two updated versions of the script. This first amendment simply adds the servicePrincipalName column to the result set so that you can verify them for yourself.

Import-Module ActiveDirectory
Get-ADComputer -Filter * -SearchBase "DC=domain,DC=com" -Properties Name, LastLogonTimestamp, pwdLastSet, servicePrincipalName -ResultPageSize 0 | Select Name, @{n='LastLogonTimestamp';e={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, @{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}, servicePrincipalName, DistinguishedName

This second amended version uses the -Filter parameter of the Get-ADComputer Cmdlet to filter out any results whose servicePrincipalName includes MSClusterVirtualServer, the SPN which designates the object as a cluster computer account.

Import-Module ActiveDirectory
Get-ADComputer -Filter 'servicePrincipalName -NotLike "*MSClusterVirtualServer*"' -SearchBase "DC=domain,DC=com" -Properties Name, LastLogonTimestamp, pwdLastSet, servicePrincipalName -ResultPageSize 0 | Select Name, @{n='LastLogonTimestamp';e={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, @{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}, DistinguishedName

The result set generated by this second amendment of the script will produce exactly the same output as the original script, with the notable exception that the cluster objects are automatically filtered out of the results. This just leaves you to ensure that when you retire clusters from your environment you perform the relevant clean up afterwards to delete the account. Alternatively, you could use an automation tool like Orchestrator to manage the decommissioning of your clusters and include this as an action.
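A variation on the script above, added here as an example and not part of the post: rather than dropping the cluster objects from the results, it tags them so they can be reviewed separately, applies a staleness threshold to everything else, and copes with objects that have never logged on (where both attributes are empty and FromFileTime would otherwise report 1601). The search base and the 90-day threshold are assumptions.

```powershell
# Added example, not the post's script. Search base and threshold are assumptions.
function Get-StaleComputerReport {
    param(
        [string] $SearchBase = 'DC=domain,DC=com',
        [int]    $StaleDays  = 90
    )
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties LastLogonTimestamp, pwdLastSet, servicePrincipalName, Enabled |
    ForEach-Object {
        # Empty attributes stay $null instead of becoming 01/01/1601.
        $lastLogon = if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }

        # Cluster name objects (CNO/VCO) carry an MSClusterVirtualServer SPN.
        $isCluster = [bool]($_.servicePrincipalName -match 'MSClusterVirtualServer')

        # Most recent activity we have evidence of, from either attribute.
        $latest = @($lastLogon, $pwdSet) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        [pscustomobject]@{
            Name               = $_.Name
            Enabled            = $_.Enabled
            LastLogonTimestamp = $lastLogon
            pwdLastSet         = $pwdSet
            ClusterObject      = $isCluster
            # Cluster names only refresh these when the resource comes online, so they are
            # never marked stale here; review the ClusterObject rows by hand.
            Stale              = (-not $isCluster) -and (($null -eq $latest) -or ($latest -lt $cutoff))
            DistinguishedName  = $_.DistinguishedName
        }
    }
}

# Usage (search base assumed):
# $report = Get-StaleComputerReport -SearchBase 'OU=Servers,DC=corp,DC=example' -StaleDays 90
# $report | Where-Object Stale         | Format-Table Name, Enabled, LastLogonTimestamp, pwdLastSet
# $report | Where-Object ClusterObject | Format-Table Name, LastLogonTimestamp, pwdLastSet
```

Keeping the cluster rows in the output, tagged, is the safer choice for a clean-up: a cluster name object that really has been retired still needs deleting, and a filter that hides every cluster object hides those too.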

MDOP and EMET for Windows 10

It’s been a while since I’ve posted anything here now which is in part down to me being busy at home and in part due to work being full-on at the moment trying to juggle a handful of internal systems projects as well as dropping in customer engagements but you won’t hear me complaining as it’s all great work.

In the time between I last wrote anything and now, Windows 10 is full swing and we are already looking at the Threshold 2 (or November 2015 Update) for Windows 10 shipping which will see the Skype Messaging experience rolled out to the public as well as the Cortana text messaging and missed call notifications on the desktop, both of which have been available to people running the Windows 10 Insider Preview builds for a few weeks’ now.

With people looking more closely at Windows 10, there’s good news for people who rely on the slew of Microsoft tools in the enterprise as many of them are either now already updated to support Windows 10 or are working their way to support. MDOP 2015 was released back in August 2015 and this included updated service packs for Application Virtualization (App-V) 5.0 SP3, User Experience Virtualization (UE-V) 2.1 SP1 and Microsoft BitLocker Administration and Management (MBAM) 2.5 SP1 to add support for Windows 10. App-V and MBAM are simply service packs to add support whilst UE-V not only gains support for Windows 10 but also gets native support for Office 2013 via the ADMX files which means you no longer need to manually import the Office 2013 .xml templates into your Template Store.

Sadly, UE-V 2.1 SP1 shipped before the release of Office 2016, which means there is no native support for it. This seems to be a common theme for UE-V: the product ships ready for a new Windows version but misses the matching Office version. If you want to use UE-V for Office 2016, you can head over to the TechNet Gallery and download the official Microsoft .xml templates for it from https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8.

Aside from MDOP, Microsoft EMET is being updated to version 5.5 which includes support for Windows 10 along with claiming to include much improved Group Policy based management of the clients. I haven’t tried this for myself yet as the product is still in beta but I will be giving it a try soon and I will be sure to post anything I find that can help improve the management position of it.

As a throw-in note, if you are using System Center Endpoint Protection for anti-virus then you might want to have a read of this post by System Center Dudes at http://www.systemcenterdudes.com/sccm-2012-windows-10-endpoint-protection/, which explains the behaviour of Endpoint Protection in Windows 10.

Xbox One Streaming with Windows 10

This week, I decided to give Xbox One Streaming for Windows 10 a try and thought I would just briefly post up my experiences.

First off, I cannot speak highly enough of how well it works. Due to not getting around to installing extra Ethernet ports in my living room, I have only one port which gets used by the Plex Home Theatre PC so the Xbox One right now is wireless on my 802.11n network. I tested the streaming in a number of different scenarios including laptop and Xbox One both wireless connected to the same access point, laptop and Xbox One both wireless but with the laptop in a different part of the house on a different access point and also the Xbox One wireless with the laptop connected to a switch port.

In all scenarios, it worked flawlessly, and using the little menu button in the toolbar on the app you can bring up a bandwidth meter which appears in the bottom left corner of the stream. Over wireless I’ve seen it streaming up to about 6Mbps, although I haven’t been watching this extensively so it could be going even higher. Right now I’m playing Assassin’s Creed IV Black Flag, which was free on Games with Gold this month in July, and even with a fast-paced, high-motion game like Assassin’s Creed I’m not seeing any negative effects compared to being locally on the console in terms of input controls.

[Image: Streaming Assassin’s Creed IV Black Flag]

Currently, the only way to use the Xbox One controller is via a Micro USB cable. Microsoft do have an adapter in the works but there is no news on when this is going to ship right now. When the adapter does ship it means you will be able to connect your controller wirelessly to your Windows 10 PC however I personally don’t like the physical look of this adapter based on the images released thus far as it looks pretty darn big and I would have much preferred to see something a bit more sleek and minimalist like the nano receivers we see for mice and keyboards.

The problem with the current scenario and the future one though is that it all hinges on having a USB port available. One of the great potentials with the Xbox One streaming in Windows 10 was the ability to use a low-end specification, cheap and cheerful Windows 10 tablet like a HP Stream (for example) and play your Xbox anywhere in the house however the requirement for a USB port means that actually a lot of tablets are out of favour because they are too thin to incorporate a USB port into their design. I’m really hoping that Microsoft come up with a solution to this – perhaps a Bluetooth to Xbox One controller bridge as most of these small tablets have Bluetooth so it’s an ideal protocol to use and has no physical port requirements on the tablet then.

I have found one flaw with the experience I should point out. It’s only a minor thing and, truth be told, I’m not even sure this is a console-related issue rather than a game-specific one, which is why I didn’t mention it above. If I am playing the game on the console locally and then I later come back to it with my USB-connected controller and streaming, the controller operates the console, the start screen and the menus with no problems; however the game, Assassin’s Creed IV Black Flag, doesn’t acknowledge that a controller is connected and sticks at the reconnect a controller page. This is obviously something to do with switching between a local controller and a streaming-attached controller mid-session.

To work around the problem, hit the Xbox button on the controller to return to the home screen. With the large game tile selected, press the menu button on the controller, the button with the hamburger menu three lines just above the right thumb stick and select the Quit option from the menu. This completely closes the game or app that is active. After doing this, I can re-launch the game and the controller is detected no problems.


Pin a File or VHD to a Storage Space Tier

In Windows Server 2012 R2, Microsoft added the ability to tier Storage Spaces such that hard disks and solid state drives were in separate tiers, allowing the Storage Pool and the Storage Spaces in the pool to operate like a SAN that offers hot block technology, automatically moving frequently accessed data up to the faster disks and less frequently accessed data down to the slower tiers.

In some circumstances, you may find that you want to pin a particular file, or in the case of Hyper-V a VHD file accessed over an SMB file share, to a particular tier. For example, you may want to pin the VHD file that hosts your virtual SQL Server TempDB files onto the SSD tier of your Storage Pool so that they are nice and fast. Conversely, you may want to pin data to the slow tier so that even if the Storage Pool detects the data as frequently accessed, it will never take up valuable space in your SSD tier.

In my lab, I am using Data Protection Manager (DPM) to back up my SQL databases among other things. The DPM server is a Hyper-V VM with the VHDs for the DPM server stored on a Windows Server 2012 R2 Storage Space which is accessed over SMB 3.0. As my Storage Pool consists of two tiers using SSD and spinning HDD disk, I don’t want the backup volumes to ever be able to exist on the SSD tier, as storing backup data on fast disk is a waste of that space (there is one caveat, and that is that you may want to force the backup data onto the SSD tier in the event of a major failure in the datacentre when you are going to be doing a lot of restores over a short period of time).

To achieve pinning of files to a particular tier in the Storage Pool, we need to use the PowerShell Cmdlets for managing Storage Spaces, run either via PowerShell Remoting or directly on the SMB File Server hosting the files. They will not work from the Hyper-V host that merely accesses the files over SMB.

Setting the Desired Storage Tier

First, we need to get the name of the Storage Space, otherwise referred to as the Virtual Disk.

Get-VirtualDisk

Once we execute the Get-VirtualDisk Cmdlet, we will see a list of all of the Storage Spaces. You may have multiple, in which case you need to determine which one you are interested in; in my lab there is only one. Next, we need to capture our Virtual Disk in a variable.

$VD = Get-VirtualDisk -FriendlyName "VMs"

Using the Cmdlet above, we repeat Get-VirtualDisk however this time, we are setting the output for a specific Virtual Disk named VMs to the $VD variable so that we can re-use it later on.

Set-FileStorageTier -FilePath "V:\VMs\RJGDPM1\RJGDPM1 DPM Pool 1.vhdx" -DesiredStorageTier ($VD | Get-StorageTier -MediaType HDD)

With our Virtual Disk in a variable, we can now set the desired storage tier for a file using the Set-FileStorageTier Cmdlet above. In my example, I am setting the DPM Pool disk VHDX file such that it will exist only on the slower HDD tier. If you wanted to achieve the opposite and bind a file to the SSD tier, you would simply change the HDD value of the -MediaType parameter to SSD.

Optimize Files to the Desired Tier

Once you have run the Cmdlets above, your Storage Space is set to pin the file to the tier that you specified; however, this does not move the file on its own. The file is not moved until the next time a Tier Optimize job runs, but we can force this if you want to move the file in a hurry or if you want to move it to the appropriate tier before you start loading it with data (such as a new blank VHD file).

Optimize-Volume -DriveLetter V -TierOptimize

With the above, we use the Optimize-Volume Cmdlet against the drive letter on which the Storage Space and the files exist. This will start the process of evaluating file tier placement against the heat of a file and move files up and down through the tiers as required. This will also execute any placement rules which have been hard set as we did above. If you happened to be physically looking at your server at this point, you would likely see a flurry of disk activity as files get moved up and down through the drive tiers.

Once the optimization has finished, we can verify that the files are in the appropriate places using the following Cmdlet.

Get-FileStorageTier -VolumeDriveLetter V | FL

This Cmdlet will report any files which have been manually pinned to a particular Storage Space disk tier and will report their placement status. In my example, I have only the one DPM Storage Pool disk pinned to the HDD tier and this file is reporting as “Completely on tier” after the successful completion of the Tier Optimize job.
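The whole procedure above wrapped into one function with the checks I would want before touching a production file server, added as an example and not the post’s own commands: it verifies the virtual disk actually has a tier of the requested media type, that the file lives on a volume carved from that virtual disk (otherwise Set-FileStorageTier has nothing to pin it to), then pins, optimizes and polls Get-FileStorageTier until the placement status reads “Completely on tier” or a timeout passes. The virtual disk name, drive letter and file path are the post’s examples, kept here as assumptions.

```powershell
# Added example, not the post's commands. Run on the file server hosting the
# Storage Space. Names and paths are assumptions taken from the post's example.
function Set-FileTierPin {
    param(
        [Parameter(Mandatory)][string] $VirtualDiskName,
        [Parameter(Mandatory)][string] $FilePath,
        [Parameter(Mandatory)][ValidateSet('SSD', 'HDD')][string] $MediaType,
        [int] $TimeoutMinutes = 30
    )

    $vd   = Get-VirtualDisk -FriendlyName $VirtualDiskName -ErrorAction Stop
    $tier = $vd | Get-StorageTier -MediaType $MediaType
    if (-not $tier) { throw "Virtual disk '$VirtualDiskName' has no $MediaType tier; is it actually a tiered space?" }
    if (-not (Test-Path -LiteralPath $FilePath)) { throw "File not found: $FilePath" }

    # The file has to sit on a volume that belongs to this virtual disk.
    $driveLetter = (Split-Path -Qualifier $FilePath).TrimEnd(':')
    $volume = $vd | Get-Disk | Get-Partition | Get-Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
    if (-not $volume) { throw "Volume ${driveLetter}: is not carved from virtual disk '$VirtualDiskName'" }

    # Pin, then run the tier optimization now rather than waiting for the scheduled job.
    Set-FileStorageTier -FilePath $FilePath -DesiredStorageTier $tier
    Optimize-Volume -DriveLetter $driveLetter -TierOptimize

    # Poll placement until the file reports fully on the desired tier, or give up.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Get-FileStorageTier -VolumeDriveLetter $driveLetter |
                     Where-Object { $_.FilePath -eq $FilePath }
        if ($state.PlacementStatus -eq 'Completely on tier') { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    $state | Select-Object FilePath, DesiredStorageTierName, PlacementStatus
}

# Usage (post's example names, assumed):
# Set-FileTierPin -VirtualDiskName 'VMs' -FilePath 'V:\VMs\RJGDPM1\RJGDPM1 DPM Pool 1.vhdx' -MediaType HDD
```

If the function times out with the file still “Partially on tier”, the usual reason is that the destination tier is simply full; check the tier’s size with Get-StorageTier before pinning anything large.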