Friday, December 23, 2016

Merry Christmas & Happy New Year

Finally the holiday season has started for me. Therefore this blog will be silent until the first week of January.

As such I wish you all a merry Christmas and a happy new year!

!!!NEW!!! !!!NEW!!! Active Directory Management Pack !!!NEW!!! !!!NEW!!!

Yikes! Seems like Microsoft has released a TOTALLY NEW AD MP! Which is quite awesome, since the previous MP had some serious issues. Most of them seem to be fixed in this MP.

The version of this MP is 10.0.1.0. What has changed? A LOT!!! Taken directly from the guide:

Version 10.0.0.0 of the Management Pack for ADDS is an initial release of a new Management Pack for Active Directory® (AD). It is based on the Active Directory Management Pack (AD MP) and includes many changes from the AD MP.

  • Removed Event Alert rules, all Error and Warning events from AD related event logs are now only collected in the Events collections. 
  • Informational events can be collected as well by turning on the Information Events rules.
  • Replication Monitoring replaced with the following monitors:
    • AD Replication Queue Monitor
    • AD Show Replication Check
    • Replication Partner Count Monitor
    • Replication Consistency Monitor
  • Removed Reliance on OOMADS.dll for Domain Controller monitoring removed oomads dependency from all MPs.
  • Removed dependency on down-level DC discovery MPs
  • Created well defined aggregate roll-ups for health monitors
  • New server health monitors
    • Strict replication
    • DNS service
    • Group Policy
    • Network adapters
    • Strict replication
  • New domain member monitors
    • Reliable time server
    • Secure channel
    • DC health
    • Group policy
  • Removed deprecated rules, alerts, and tools
  • Added additional information to alerts and monitors and updated knowledge base information
  • Added performance collection rules for DNS perf counters

As you can see, this is indeed a whole new MP. And on the outside it seems Microsoft has addressed many pain points of the previous version.

This MP works on DCs running Windows Server 2012, 2012 R2 and 2016. It runs on SCOM 2012 R2 or later.

Want to download this MP? Go here.

Kevin Holman has also written a posting about this new MP.

Wednesday, December 21, 2016

WS 2016 Server Core + SQL Server 2016 Installation. How To Enable Remote Management Of SQL


Update 21-12-2016: As it turned out, additional ports have to be opened as well. Therefore I’ve updated this posting accordingly. Please know that this posting came to be using different resources, so don’t think I invented the wheel myself. As such I’ve updated the section ‘Used resources’ as well.

Issue
Suppose you’ve rolled out a VM with Windows Server 2016 Core and deployed on that same VM SQL Server 2016 (with the command line setup.exe /UIMODE=EnableUIOnServerCore /Action=Install).

Another VM runs Windows Server 2016 with Desktop Experience and is used as a Stepping Stone server, hosting all kinds of Consoles in order to manage the products/services hosted by many other VMs running the Core installation option.

On that server you start SQL Server Management Studio and want to connect to the previously installed SQL instance. However, all you get is this error message: ‘…Cannot connect to [SQL instance]. A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 5)…’

Cause
Even when you’ve configured the SQL instance correctly during installation, so that the account you’re using has access permissions, SQL and the VM hosting it require additional configuration before the instance can be reached remotely from SQL Server Management Studio.

Without the additional configuration you can’t access the SQL instance remotely.

Solution
Follow these steps and when done correctly, you’ll be able to access the SQL instance remotely by using SQL Server Management Studio.

  1. Ascertain that the SQL Server Browser Service is running and set to start automatically
    Connect with Service Manager to the related VM and check out the SQL Server Browser Service. Correct when required so the service is running and set to start automatically.

  2. Enable remote connections on the instance of SQL Server
    Do this locally on the VM hosting the related SQL instance. Use SQLCMD.exe locally and execute the following statements against the Server Core instance:
    EXEC sys.sp_configure N'remote access', N'1'
    GO

    RECONFIGURE WITH OVERRIDE
    GO


  3. Enable TCP/IP on the Instance of SQL Server
    Do this locally on the VM hosting the related SQL instance. Start PowerShell when logged on.
    Import the SQL PS Module (Import-Module SQLPS) and run this PS script (copy & paste works):
    $smo = 'Microsoft.SqlServer.Management.Smo.' 
    $wmi = new-object ($smo + 'Wmi.ManagedComputer') 
    # Enable the TCP protocol on the default instance.  If the instance is named, replace MSSQLSERVER with the instance name in the following line. 
    $uri = "ManagedComputer[@Name='" + (get-item env:\computername).Value + "']/ServerInstance[@Name='MSSQLSERVER']/ServerProtocol[@Name='Tcp']" 
    $Tcp = $wmi.GetSmoObject($uri) 
    $Tcp.IsEnabled = $true 
    $Tcp.Alter() 
    $Tcp


  4. Create exceptions in Windows Firewall
    Do this locally on the VM hosting the related SQL instance. Start PowerShell when logged on.
    These two lines will allow remote access to the default SQL instance over TCP port 1433:
    netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT

    netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN


    These two lines will allow remote access from SQL Server Management Studio to the SQL instance over TCP Port 1434 (aka SQL Admin Connection):
    netsh firewall set portopening protocol = TCP port = 1434 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT

    netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1434 remoteip = localsubnet profile = DOMAIN

    These two lines will allow SQL Broker traffic over TCP Port 4022:
    New-NetFirewallRule -DisplayName "Allow inbound SQL Broker Traffic (TCP Port 4022)" -Direction inbound -LocalPort 4022 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound SQL Broker Traffic (TCP Port 4022)" -Direction outbound -LocalPort 4022 -Protocol TCP -Action Allow


    These two lines will allow SQL-Transact traffic over TCP Port 135:
    New-NetFirewallRule -DisplayName "Allow inbound SQL-Transact Traffic (TCP Port 135)" -Direction inbound -LocalPort 135 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound SQL-Transact Traffic (TCP Port 135)" -Direction outbound -LocalPort 135 -Protocol TCP -Action Allow

    These two lines will allow SQL Browser traffic over TCP Port 2382:
    New-NetFirewallRule -DisplayName "Allow inbound SQL Browser TCP Traffic (TCP Port 2382)" -Direction inbound -LocalPort 2382 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound SQL Browser TCP Traffic (TCP Port 2382)" -Direction outbound -LocalPort 2382 -Protocol TCP -Action Allow

    These two lines will allow SQL Browser traffic over UDP Port 1434:
    New-NetFirewallRule -DisplayName "Allow inbound SQL Browser UDP Traffic (UDP Port 1434)" -Direction inbound -LocalPort 1434 -Protocol UDP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound SQL Browser UDP Traffic (UDP Port 1434)" -Direction outbound -LocalPort 1434 -Protocol UDP -Action Allow

    !!!Only when required!!!
    These two lines will allow web traffic over TCP Port 80 (e.g. for SSRS instances):
    New-NetFirewallRule -DisplayName "Allow inbound HTTP Traffic (TCP Port 80)" -Direction inbound -LocalPort 80 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound HTTP Traffic (TCP Port 80)" -Direction outbound -LocalPort 80 -Protocol TCP -Action Allow

    !!!Only when required!!!
    These two lines will allow secure web traffic over TCP Port 443 (e.g. for SSRS instances):
    New-NetFirewallRule -DisplayName "Allow inbound HTTPS Traffic (TCP Port 443)" -Direction inbound -LocalPort 443 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound HTTPS Traffic (TCP Port 443)" -Direction outbound -LocalPort 443 -Protocol TCP -Action Allow

    !!!Only when required!!!
    These two lines will allow SQL Analysis traffic over TCP Port 2383:
    New-NetFirewallRule -DisplayName "Allow inbound SQL Analysis Traffic (TCP Port 2383)" -Direction inbound -LocalPort 2383 -Protocol TCP -Action Allow

    New-NetFirewallRule -DisplayName "Allow outbound SQL Analysis Traffic (TCP Port 2383)" -Direction outbound -LocalPort 2383 -Protocol TCP -Action Allow

  5. Allow WMI traffic
    When installing SCOM 2016 for instance, WMI traffic has to be allowed. By default the Windows Firewall on the SQL box blocks it, stopping the installation of SCOM 2016. With this netsh one-liner (it runs from PowerShell or cmd) WMI traffic is allowed:
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

No restart is required. Now all required SQL and WMI traffic to the SQL server is allowed.
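The five steps above gathered into one idempotent PowerShell script. This is an added example and not the post’s own code: it assumes the default instance MSSQLSERVER, a placeholder management subnet of 10.0.0.0/24 for the stepping-stone server, and that it runs elevated on the Server Core VM. Unlike the New-NetFirewallRule lines above, it scopes every rule to that subnet and the Domain profile, the way the netsh lines do with remoteip = localsubnet, and it creates inbound rules only: Windows Firewall permits outbound traffic by default, and an outbound rule keyed on -LocalPort would not match an outgoing connection anyway, because the local port of an outgoing connection is ephemeral (-RemotePort is the side to filter on).

```powershell
# Added example, not the post's own code. Run elevated on the Server Core VM hosting SQL.
# Assumptions: default instance MSSQLSERVER and a placeholder management subnet.
param(
    [string]$ManagementSubnet = '10.0.0.0/24',   # placeholder: subnet of the stepping-stone server
    [string]$InstanceName     = 'MSSQLSERVER'
)

# Step 1: SQL Server Browser must run and start automatically.
$browser = Get-Service -Name SQLBrowser
if ($browser.StartType -ne 'Automatic') { Set-Service -Name SQLBrowser -StartupType Automatic }
if ($browser.Status -ne 'Running')      { Start-Service -Name SQLBrowser }

# Step 2: the same sp_configure statements as in the post, via the SQLPS module.
Import-Module SQLPS -DisableNameChecking
$server = if ($InstanceName -eq 'MSSQLSERVER') { 'localhost' } else { "localhost\$InstanceName" }
Invoke-Sqlcmd -ServerInstance $server -Query "EXEC sys.sp_configure N'remote access', N'1'; RECONFIGURE WITH OVERRIDE;"

# Step 3: enable TCP/IP on the instance (SMO WMI, as in the post's script).
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $wmi.ServerInstances[$InstanceName].ServerProtocols['Tcp']
if (-not $tcp.IsEnabled) {
    $tcp.IsEnabled = $true
    $tcp.Alter()
    Write-Host "TCP/IP enabled on $InstanceName; the SQL Server service must be restarted before it listens."
}

# Step 4: inbound rules only, scoped to the management subnet and the Domain profile.
# Ports taken from the post; HTTP/HTTPS/Analysis Services are left out unless actually needed.
$rules = @(
    @{ Name = 'SQL-DB-Engine-TCP-1433'; Port = 1433; Protocol = 'TCP' },
    @{ Name = 'SQL-DAC-TCP-1434';       Port = 1434; Protocol = 'TCP' },
    @{ Name = 'SQL-Browser-UDP-1434';   Port = 1434; Protocol = 'UDP' },
    @{ Name = 'SQL-Broker-TCP-4022';    Port = 4022; Protocol = 'TCP' },
    @{ Name = 'SQL-RPC-TCP-135';        Port = 135;  Protocol = 'TCP' },
    @{ Name = 'SQL-Browser-TCP-2382';   Port = 2382; Protocol = 'TCP' }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.Name)' already exists; leaving it unchanged."
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
        -LocalPort $r.Port -RemoteAddress $ManagementSubnet -Profile Domain -Action Allow | Out-Null
    Write-Host "Created '$($r.Name)' ($($r.Protocol)/$($r.Port)) for $ManagementSubnet."
}

# Step 5: the built-in WMI rule group, equivalent to the netsh line in the post.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# Summary of what is now allowed.
Get-NetFirewallRule -DisplayName 'SQL-*' | Select-Object DisplayName, Enabled, Direction, Profile
```

From the stepping-stone server, Test-NetConnection -ComputerName <sql host> -Port 1433 confirms the firewall path before SSMS is tried; if that succeeds but SSMS still fails with the named-pipes error from the Issue section, the culprit is usually the protocol (step 3) or a SQL Server service that has not been restarted since TCP/IP was enabled.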

Used resources

Friday, December 16, 2016

Hyper-V 2016 ‘Bug’: WS 2016 Server LogonUI.exe Doesn’t Allow 2x [ESC] Key When Connected To VM In Enhanced Session Mode

Noticed this issue some time ago in my test lab but forgot to blog about it. Nonetheless it can be a nagging issue, while the solution is simple. So here it is.

Issue
A new VM is deployed, based on WS 2016 Std, no GUI. When this VM is added to the domain and restarted, it defaults to the old credentials AND the old system name. This doesn’t work since one has to use another (AD based) account.

For this the LogonUI.exe screen tells you to hit the Escape key twice in order to enter alternate credentials. However, when connected to the VM with Enhanced Session mode, only the first [Escape] key entry is processed.

I hit the [Escape] key the first time, and now I am told to hit that key a second time.

But now the second entry of the [Escape] key isn’t accepted.

Cause
Somehow when running an enhanced session with the related VM, the second hit of the [Escape] key isn’t passed to the VM.

Resolution
Change the session to Basic session.

You have to logon again and as such hit the [Escape] key two times. However, this time the second entry of the [Escape] key will be passed to the VM as well, allowing you to change to other user credentials.

Poor Man’s Test Lab: How To Get The Most Out Of It…

When running a test lab on a tight budget it’s a challenge to get the most out of the available CPU, RAM and storage. Over the last years I learned some nice tricks in order to run the maximum amount of VMs on my test lab, and still having an acceptable performance.

Please be reminded, this approach of combined ‘tricks’ is only viable in test labs and shouldn’t be used in any production environment at any times! And no, I am NOT responsible for your test labs in any kind of way…

Some ground rules first
Here are some basics in order to get the most of the available hardware of your testlab.

  1. Run the parent Windows Server OS hosting the Hyper-V role from a ‘classic’ disk (no SSD) which has good performance (10K and lots of cache);
  2. Enable BOTH write-caching policies on the classic drive (no SSD);
  3. Put the ISO and other software store on the classic disk;
  4. Run all the VMs from the available SSDs, never ever from the ‘classic’ disk!;
  5. Same goes for storing the meta data and memory of your VMs. Store them on the available SSDs, never ever on the classic disk.

Resource saver 01: Differencing Disks
When using differencing disks for ALL the VMs running on your test lab system, you save a LOT of storage. The parent disk contains the server OS and the differencing disk contains the deltas for that particular VM. For instance, the VM running SQL will have a differencing disk containing the SQL installation and DB files, but use the parent disk running the server OS, containing between 9 and 14 GB of data.

That parent disk will be used by all other VMs, resulting in MASSIVE disk cost savings per VM.

How to create a parent disk? That’s easy!

  1. Create a new VM
  2. Install Windows Server (2016 for instance)
  3. Configure it as required (time/date settings and so on)
  4. Install the latest updates
  5. Run SysPrep with this syntax: sysprep.exe /oobe /generalize /shutdown /mode:vm
  6. The VM will shutdown itself when done with sysprep
  7. Copy the related VHDX file to a new folder, like D:\_Differencing Disks
  8. Rename the VHDX file so you know exactly what this file is all about (eg: WS2016-DiffDisk-Std-GUI.vhdx for Windows Server 2016 Std with Desktop Experience and WS2016-DiffDisk-Std-CLI.vhdx for Windows Server 2016 Std without Desktop Experience);
  9. Set the VHDX file to be read-only.

Now you’ve got yourself a nice parent disk. Read this posting in order to roll out a VM using this parent disk.

Resource saver 02: No GUI!
Yes, I know. Many Windows users are used to clicking through windows. Hence the name of the OS! BUT when running Windows Server 2016 Std without a GUI as a parent disk, one saves 4.5 GB compared to a parent disk hosting Windows Server 2016 Std with a GUI (Desktop Experience).

When running MANY VMs and as much of them using the no GUI version, one quickly saves tens of GBs!

Besides that, one learns how to work with Windows Server 2016 without a GUI, which is a good thing as well. Ever heard of the utility sconfig? It’s powerful and helps one out with the basic configuration stuff.

Resource saver 03: Deduplication
Wow! This feature is totally awesome. And pretty easy to use on your Windows 2016 server hosting all the VMs. Simply add this Role (File Server > Data Deduplication) to your server:
image

And enable them ONLY for the SSD volumes hosting the VMs and related (meta) data:
image

Set Data deplucation to General purpose file server and files older than zero (0)days:
image

Once per week, shut down all VMs and run these PS cmdlets per SSD volume for which dedup is enabled and configured: Start-DedupJob -Volume "D:" -Type Optimization -Memory 50
image

Let it run as long as it takes. With PS cmdlet Get-DedupJob you’ll see the progress of the running dedup job(s).

With the PS cmdlet Get-DedupStatus you’ll see the actual dedup status of the dedup enabled volumes:
image

When dedup is ready, fire up the VMs and you’re back in business! And of course, all these steps can be scripted with PowerShell as well. And this PS script can be scheduled as required.
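The weekly dedup cycle as one script, added here as an example and not the post’s own code. It assumes dedup is already enabled on the volumes in $VmVolumes (placeholder drive letters) and that every VM on the host may be shut down for the duration of the job; it shuts down only the VMs that are actually running and starts exactly those again afterwards, and it uses -Wait on Start-DedupJob instead of polling Get-DedupJob.

```powershell
# Added example, not the post's own script: the weekly dedup cycle from resource saver 03.
# Assumptions: dedup is already enabled on $VmVolumes (placeholder letters) and every VM on
# this host may be shut down for the duration of the job.
param(
    [string[]]$VmVolumes = @('D:', 'E:'),   # placeholder: SSD volumes hosting the VMs
    [int]$MemoryPercent  = 50               # the -Memory value the post uses
)

# Shut down only the VMs that are running, and remember them so only those come back up.
$running = @(Get-VM | Where-Object State -eq 'Running')
foreach ($vm in $running) {
    Write-Host "Shutting down $($vm.Name)"
    Stop-VM -VM $vm        # clean guest shutdown via integration services; blocks until done
}

# Optimise every volume in turn; -Wait blocks until the job has finished.
foreach ($vol in $VmVolumes) {
    Write-Host "Starting optimization job on $vol"
    Start-DedupJob -Volume $vol -Type Optimization -Memory $MemoryPercent -Wait | Out-Null
}

# Same information as Get-DedupStatus in the post, trimmed to the columns that matter here.
Get-DedupStatus | Where-Object Volume -in $VmVolumes |
    Select-Object Volume, FreeSpace, SavedSpace, OptimizedFilesCount

# Bring the lab back.
foreach ($vm in $running) {
    Write-Host "Starting $($vm.Name)"
    Start-VM -VM $vm
}
```

Saved as a .ps1 it can be attached to a weekly trigger with Register-ScheduledTask; run it under an account that is a member of the Hyper-V Administrators group on the host, since both the VM and the dedup cmdlets need elevation.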

Resource saver 04: Dynamic Memory
With dynamic memory you can squeeze the maximum utilization of the available RAM. And even ‘more’ when using Windows Server 2016 WITHOUT a GUI. Since this OS edition has a far lesser footprint on the available resources.

As such you can run VMs hosting AD domain controllers and DNS with only consuming 675 MBs of RAM! And with the dynamic memory config you can set the limit to 1024 MB max.

This way you get the most of the available RAM of your Hyper-V server.
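Resource savers 01 and 04 together: rolling out a VM on a differencing disk that points at the sysprepped parent VHDX, with dynamic memory capped at the 1024 MB the post uses for a Core DC/DNS VM. This is an added example, not the post’s own script; the parent disk path follows the naming from the parent-disk procedure above, the VM root folder and the virtual switch name ‘LabSwitch’ are placeholders, and it assumes the parent VHDX was built in a Generation 2 VM.

```powershell
# Added example, not the post's own script: new VM on a differencing disk, with dynamic memory.
# Assumptions: the parent VHDX was built in a Generation 2 VM; paths and switch name are placeholders.
param(
    [Parameter(Mandatory)][string]$Name,
    [string]$ParentVhdx = 'D:\_Differencing Disks\WS2016-DiffDisk-Std-CLI.vhdx',
    [string]$VmRoot     = 'E:\VMs',        # placeholder: SSD volume for VM files and memory state
    [string]$Switch     = 'LabSwitch'      # assumed virtual switch name
)

# Guard: a writable parent disk can be modified and silently corrupt every child that depends on it.
$parent = Get-Item -Path $ParentVhdx
if (-not $parent.IsReadOnly) { throw "Parent disk $ParentVhdx must be read-only before it is used." }

$vmPath    = Join-Path $VmRoot $Name
$childVhdx = Join-Path $vmPath "$Name.vhdx"
New-Item -ItemType Directory -Path $vmPath -Force | Out-Null

# Child disk: only the deltas for this VM are written here; the OS comes from the parent.
New-VHD -Path $childVhdx -ParentPath $ParentVhdx -Differencing | Out-Null

# Generation 2 VM whose configuration, smart paging file and checkpoints all live on the SSD volume.
$vm = New-VM -Name $Name -Generation 2 -Path $VmRoot -VHDPath $childVhdx -SwitchName $Switch
Set-VM -VM $vm -SmartPagingFilePath $vmPath -SnapshotFileLocation $vmPath

# Dynamic memory: 512 MB at boot and as a floor, never more than the 1 GB ceiling from the post.
Set-VMMemory -VM $vm -DynamicMemoryEnabled $true -StartupBytes 512MB -MinimumBytes 512MB -MaximumBytes 1GB

Start-VM -VM $vm
Get-VM -Name $Name | Select-Object Name, State, MemoryAssigned, Path
```

After the first boot the sysprep OOBE runs inside the VM; MemoryAssigned in the last line shows how far below the 1 GB ceiling a Core VM actually settles once it is idle.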

Recap
Sure, everything can be put into the cloud. But guess what? Running 20+ VMs in Azure isn’t cheap. One saves a LOT of money when hosting those same VMs on an oversized desktop as a testlab.

When using it smart with all the resource savers I mentioned before, you’ll squeeze the max out of it, while still having a reasonable performance.

And when combined with Splashtop you can remotely wake up the testlab when required (some additional one time router configuration is needed here). As such this testlab doesn’t have to run 24/7 but is only fired up when required.

Poor Man’s Test Lab + Intel 82579 Gigabit NIC + Windows Server 2016. It Can Be Done!!!

Background information
Some years ago I bought myself a new system in order to function as my personal test lab. Since budget didn’t allow for a state of the art system, I had to puzzle a lot. Yes, I needed storage with high IO, a reasonable fast CPU and fast AND loads of RAM.

But again, budget was limited. So after a lot of research I spent every euro of the allocated budget and got myself maximum value for money. All based on PC (desktop) hardware and not a single piece of server hardware because that was way outside the budget. But still the system I finally got allowed me to build my own test lab, running 16 VMs and still delivering good performance!

Since the system allowed for growth, in the past years I added more RAM, additional SSDs for storage and upgraded the CPU as well. On the server OS side of things the lab ran Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and now Windows Server 2016.

The NIC ‘issue’
But I was always a bit hesitant to upgrade the parent Windows Server OS since the Intel desktop motherboard (DZ68DB series) in this system has some quirks. The integrated Intel 82579 Gigabit NIC won’t install by default on a Windows Server OS. It requires some additional steps in order to make it work. The reason here is that the driver BLOCKS the installation on any Windows Server OS by default!

On itself understandable, but quite frustrating after having spent all my available budget on my new-to-be test lab!

So with every new Windows Server OS upgrade I went through the same challenge. Of course, I could use another NIC instead. And believe me, I tried! But here another quirk came up: that other NIC (I tried different brands with different chipsets) never worked!

In my other systems the same NIC worked without a sweat, but in the would be server it was a no go. No matter what I tried. And believe me, I went deep! So I HAD to make the onboard Intel 82579 Gigabit NIC work, no matter what!

Intel 82579 Gigabit NIC vs ME: 0-1!!!!
When Windows Server 2016 went GA I decided to upgrade my whole lab to this new Server OS. So I had to face the challenge, making the Intel 82579 Gigabit NIC work with Windows Server 2016.

Last weekend it was show time! And to my surprise I finally found out myself how to address it rather quickly and within less than an hour, Windows Server 2016 installed the driver, resulting in a fully functional NIC!

I decided to share this, since the same approach can be used for making any Intel desktop NIC work on Windows Server 2016.

How the west was won
First Windows Server must be put into ‘test mode’. As such it accepts the installation of unsigned drivers. Follow this procedure:

  • Run the command bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
  • And afterwards the command bcdedit -set TESTSIGNING ON
  • Reboot the server

After the reboot the server is in test mode, as shown in the lower right corner of the desktop.

Now it’s time to get the hardware IDs of the Intel NIC. You’ll need those IDs later on.

  • Open Device Manager, select the Intel NIC > Properties > tab Details
  • Select as Property Hardware Ids and note them (or screenshot them) but PLEASE get them totally right! Also know that the first hardware ID won’t be used later on.
  • As such you only need the yellow highlighted entries. Three of them in total.

With this information it’s time to ‘hack’ the INF file so the driver will install just fine.

  1. Download the Intel 82579 Gigabit NIC drivers for Windows 8 x64
  2. Run the installer BUT DON’T go through the wizard, instead search for a folder with a name like RarSFX0. Most of the times it’s located in the temp folder of your user profile, like C:\Users\[USERNAME]\AppData\Local\Temp\[RANDOM NAME, MOSTLY A NUMBER]\RarSFX0. In my case it was: C:\Users\Administrator\AppData\Local\Temp\2\RarSFX0
  3. Copy the folder PRO1000 to another location, like C:\Temp\Intel NIC for instance
  4. Close the Intel NIC installer > Cancel > Yes > Finish
  5. Open the folder ~\PRO1000\Winx64\NDIS64
  6. Open the e1d64x64.inf file; I used the default Notepad application to edit the file
  7. In the [ControlFlags] section delete ALL 3 lines, since this section blocks the installation of the driver on Windows Server
  8. Select and copy the three E153B lines found under the header [Intel.NTamd64.6.3.1]
  9. Paste the 3 lines in the [Intel.NTamd64.6.3] section below the E15A0 lines
  10. Now alter the DeviceID of those copied lines so they match the three Hardware Ids found earlier
  11. The three lines now carry the Hardware Ids of your NIC instead of the original ones
  12. Save it
  13. Install the modified driver from Device Manager > select the NIC > Properties > Driver > Update Driver > choose Browse my computer for driver software > Browse > and select now the folder containing the modified file (in my case: C:\Temp\Intel NIC\PRO1000\Winx64\NDIS64) > Next
  14. You’ll get the warning about installing an unsigned driver, ignore it. Follow the wizard and soon the NIC is in working condition!
  15. As a last step, reenable the driver integrity checks and disable test signing again by using the following commands:
    • bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS
    • bcdedit -set TESTSIGNING OFF
    • Reboot the server
  16. And now all is ready!

And as stated before, this method can be used with any other Intel NIC. Just be sure to use the correct Hardware Ids.
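Two helpers around the procedure above, added here as an example and not part of the original post: one reads the NIC’s Hardware Ids from PnP so they don’t have to be copied from a screenshot (where a typo means the INF never matches), the other checks after the final reboot that test signing and integrity checks really are back on, because while the box is in test mode it accepts any unsigned driver, not just this one. The function names are my own; the filter assumes the NIC’s friendly name contains ‘82579’.

```powershell
# Added example, not from the post. Function names are my own; '82579' is the assumed NIC name filter.

function Get-NicHardwareIds {
    # Returns the PnP Hardware Ids of the matching network adapter(s), the same list shown
    # on the Details tab in Device Manager (first entry included; the INF edit skips that one).
    param([string]$NameFilter = '82579')
    Get-PnpDevice -Class Net | Where-Object FriendlyName -like "*$NameFilter*" |
        ForEach-Object {
            (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        }
}

function Test-DriverSigningEnforced {
    # bcdedit prints 'testsigning Yes' while test mode is on, and the loadoptions line carries
    # DISABLE_INTEGRITY_CHECKS while integrity checks are off. Both must be absent after step 15.
    $bcd          = bcdedit /enum '{current}' | Out-String
    $testSigning  = $bcd -match '(?im)^\s*testsigning\s+Yes'
    $integrityOff = $bcd -match 'DISABLE_INTEGRITY_CHECKS'
    [pscustomobject]@{
        TestSigningOn      = $testSigning
        IntegrityChecksOff = $integrityOff
        Enforced           = -not ($testSigning -or $integrityOff)
    }
}

# Before the INF edit: the ids to paste into the DeviceID fields.
Get-NicHardwareIds

# After the final reboot: Enforced must be True again.
Test-DriverSigningEnforced

# And the driver that ended up bound to the adapter.
Get-NetAdapter | Where-Object InterfaceDescription -like '*82579*' |
    Select-Object Name, InterfaceDescription, DriverProvider, DriverVersion, DriverFileName
```

If Enforced comes back False after the reboot, one of the two bcdedit commands in step 15 did not take; re-run them from an elevated prompt and reboot once more before putting the host back into service.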

Tuesday, December 13, 2016

Updated MP: Windows Server OS MP, Version 6.0.7323.0

A few days ago Microsoft released an update for their Windows Server OS MP, version 6.0.7323.0.

Unfortunately, the MP Guide for this updated MP is still in review mode.

Apparently the ‘author’ was a bit busy and forgot to finalize this important document…

But the changes in this MP are:

  • Added Storport Miniport monitor for monitoring Event ID 153 in Windows Server 2003, 2008 and 2012 platforms.
  • Fixed bugs:
    • Logical Disk MB Free Space and Percentage Free Space monitor issues: Operator can set the threshold values for Error state even within Warning state default thresholds. At that, the Error state will supersede the Warning state according to the set values. Error threshold is independent of the Warning threshold.
    • Fixed localization issue with root report folder in the Report Library.
    • Windows Server 2003/2008/2008 R2/2012/2012 R2 Computer discovery was causing repeated log events (EventID: 10000) due to improper discovery of non-2003/2008/2008 R2/2012/2012 R2 Windows Server computers.

As such the changes aren’t that big. This update is more aimed at aligning this MP with the other Windows Server OS MPs, which share the same library MPs.

MP For Windows Server 2016 Available

For a few weeks now the Windows Server 2016 MP (version 10.0.8.0) is available for download.

With the release of this MP Microsoft breaks with the tradition that a single Windows Server OS MP covers all versions covered by Mainstream Support, since this MP ‘only’ covers Windows Server 2016 installations, Nano server included.

The MP can be downloaded from here.

OMS Gateway With SCOM Support Is Now Generally Available (GA)

For some months the OMS Gateway with SCOM Support was in public preview.

Now it’s GA with these two significant updates:

  1. It’s available in 18 different languages;
  2. Microsoft Update supports this product.

You can either download the OMS Gateway from your OMS Workspace or the Azure Portal.

Want to know more? Go here.