June 24, 2015

Exchange 2013 - Test-OutlookConnectivity error

# Started from SCOM alert and Exchange server application log:
SERVER_NAME - Outlook.Protocol - Critical alert
Dummy verification. step of OutlookRpcSelfTestProbe has failed
Microsoft-Exchange-ManagedAvailability/Monitoring - event id 4

# Checked Exchange 2013 server health and status:
Get-ServerHealth -Identity 'SERVER_NAME' -HealthSet 'Outlook.Protocol' | where {$_.AlertValue -like "Unhealthy"}

Output shows OutlookRpcSelfTestProbe in Unhealthy state

# Test "RPC over HTTP (Outlook Anywhere)":
Test-OutlookConnectivity -ProbeIdentity "OutlookRpcSelfTestProbe"
Got some errors:
- TaskFinished
- Exception = Microsoft.Exchange.Rpc.RpcException: Error 0x5 (Access is denied) from ClientAsyncCallState.CheckCompletion: RpcAsyncCompleteCall


# Change LmCompatibilityLevel to force the server to use NTLM (or NTLMv2). This fixes the issue:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa - LmCompatibilityLevel - Value 2 (or higher)

More about LmCompatibilityLevel
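
The registry change above as a check-then-set script. This is an added example, not code from the original post; the `$MinimumLevel` variable and the raise-only behaviour are assumptions of the example, and the level descriptions are the documented meanings of each value.

```powershell
# Added example: inspect LmCompatibilityLevel and raise it only if it is too low.
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MinimumLevel = 2   # value from the post; assumption: never lower an existing higher level

# Documented meaning of each level
$Meaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, DC refuses LM'
    5 = 'Send NTLMv2 response only, DC refuses LM and NTLM'
}

$Current = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel

if ($null -eq $Current) {
    # No explicit value: leave it alone and report
    Write-Output 'LmCompatibilityLevel is not set; the operating system default applies.'
}
elseif ([int]$Current -lt $MinimumLevel) {
    Write-Output ("Current level {0}: {1}" -f $Current, $Meaning[[int]$Current])
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $MinimumLevel -Type DWord
    Write-Output ("Raised to {0}: {1}" -f $MinimumLevel, $Meaning[$MinimumLevel])
}
else {
    Write-Output ("Current level {0}: {1} (no change needed)" -f $Current, $Meaning[[int]$Current])
}
```

If the value is delivered by the "Network security: LAN Manager authentication level" Group Policy setting, change it in the GPO instead, because a local registry edit is overwritten at the next policy refresh.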

One note about testing OutlookRpcCTPProbe. Make sure that the credentials variable is entered in the following format - DOMAIN\UserName (not username@domain). It will save some time :)

June 23, 2015

QEMU-Img for Windows

In addition to "It is conversion time" and "WIM2VHD - convert ISO to VHDX", I have found a very useful tool for conversion. CloudBase IT has ported qemu-img to Windows and it looks very nice.

QEMU disk image utility for Windows. It is used for converting, creating and checking for consistency various virtual disk formats. It’s compatible with Hyper-V, KVM, VMware, VirtualBox and Xen hypervisors and virtualization solutions.

June 17, 2015

SCVMM 2012 R2 - Offline VM templates management

Keeping your VM templates up to date is very important in your virtual environment. The latest Windows Updates should be installed on a VM template before the template is used for deployment, to avoid unnecessary activity (downloading and installing the same updates over and over). For small deployments it is reasonable to update a VM template manually by running the VM, installing updates, sysprepping the system and then replacing the original image with the new one. The question is how to deal with multiple templates or how to automate this process?

There are two ways to get it resolved:
1. Mount the VM template and install Windows Updates with the DISM tool or the Add-WindowsPackage cmdlet. This is done in offline mode and can be automated, but the *.cab or *.msu files must be downloaded beforehand to a specified local folder.
2. The second way requires deploying a VM from the template (this can actually be automated) and installing Windows Updates by using the PSWindowsUpdate module. This way is the most complicated, but it doesn't require maintaining Windows Update files locally. It checks, downloads and installs updates directly from Windows Update.
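
A sketch of the first (offline) approach using the DISM PowerShell cmdlets. This is an added example, not code from the original post or from the linked scripts; all paths are placeholders, and the signature check and the discard-on-failure behaviour are choices of the example.

```powershell
# Added example: offline-service a template VHDX with locally stored updates.
# All paths below are placeholders (assumptions), not values from the post.
$TemplateVhdx = 'D:\Templates\TEMPLATE_NAME.vhdx'
$MountDir     = 'D:\Mount\Template'
$UpdatesDir   = 'D:\Updates'     # pre-downloaded *.msu / *.cab files

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $TemplateVhdx -Index 1 -Path $MountDir | Out-Null

$Failed = @()
$Commit = $false
try {
    $Packages = Get-ChildItem -Path $UpdatesDir -File |
        Where-Object { $_.Extension -in '.msu', '.cab' } | Sort-Object Name

    foreach ($Package in $Packages) {
        # Skip anything that does not carry a valid Authenticode signature
        $Signature = Get-AuthenticodeSignature -FilePath $Package.FullName
        if ($Signature.Status -ne 'Valid') { $Failed += $Package.Name; continue }
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $Package.FullName `
                -ErrorAction Stop | Out-Null
        }
        catch { $Failed += $Package.Name }
    }
    # Commit only when every package was verified and applied
    $Commit = ($Failed.Count -eq 0)
}
finally {
    if ($Commit) {
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    else {
        Write-Warning ("Discarding changes; failed packages: {0}" -f ($Failed -join ', '))
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}
```

Run it against a copy of the template disk that no VM or running job is using, and replace the library copy only after the serviced image has been tested.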

Links for this topic:
Script: Image Factory for Hyper-V
Windows Update PowerShell Module
Step-by-Step: Offline VM Template Servicing with Windows Server 2012 R2 Hyper-V and PowerShell
Microsoft Updates Downloader PowerShell Module

June 12, 2015

SCVMM 2012 R2 - Remove logical network definition

Tried to remove a logical network and got error 25100. All dependencies were removed except the logical network definition.

$LogicalNetworkName = Get-SCLogicalNetwork "Logical_Network_Name"
$LogicalNetworkName | Remove-SCLogicalNetwork

Error (25100)
VMM is unable to delete the logical network (Logical_Network_Name) because other objects, such as network sites, virtual network adapters, host network adapters, host network adapter profiles, load balancers, load balancer templates or VM networks still depend on it.

Tried to remove the logical network definition but got error 25222.

$LogicalNetworkName = Get-SCLogicalNetwork "Logical_Network_Name"
$LogicalNetworkDefinition = Get-SCLogicalNetworkDefinition | ? {$_.LogicalNetwork -eq $LogicalNetworkName}
$LogicalNetworkDefinition | Remove-SCLogicalNetworkDefinition

Error (25222)
The external network entity (Logical_Network_Definition_Name) imported from a virtual switch extension manager cannot be deleted.

The Remove button in the network site of the logical network configuration is not active, so I am not even able to change the VLAN or subnet. I also noticed NetworkEntityAccessType - VmmManagedMarkedForDeletion in the output of Get-SCLogicalNetworkDefinition.
The fix is to change the SubnetVLans property of the network definition (by setting a new subnet/VLAN on it) so that the NetworkEntityAccessType property is set to VmmManaged; as a result the Remove button becomes available, allowing me to remove the logical network.

$LogicalNetworkName = Get-SCLogicalNetwork "Logical_Network_Name"
$LogicalNetworkDefinition = Get-SCLogicalNetworkDefinition | ? {$_.LogicalNetwork -eq $LogicalNetworkName}
# As example I took subnet with 192 vlan
$NewSubnetVlan = New-SCSubnetVLan -Subnet "" -VLanID "192"
Set-SCLogicalNetworkDefinition -LogicalNetworkDefinition $LogicalNetworkDefinition -SubnetVLan $NewSubnetVlan

June 11, 2015

Microsoft Azure - Move VM to another Subnet

# Check if there is any static IP assigned
Get-AzureVM "NAME_OF_VM" | Get-AzureStaticVNetIP

# If so remove this assignment and update VM
Get-AzureVM "NAME_OF_VM" | Remove-AzureStaticVNetIP | Update-AzureVM

# Move VM to Subnet2
Get-AzureVM "NAME_OF_VM" | Set-AzureSubnet -SubnetNames "Subnet2" | Update-AzureVM

Note: VM should be in running state.

# After updating VM you can verify if subnet was changed
Get-AzureVM "NAME_OF_VM" | Get-AzureSubnet

Useful article: How to move a VM or role instance to a different subnet

WIM2VHD - convert ISO to VHDX

Convert your install media ISO into sysprepped VHDX. Supported operating systems: Windows 7/8/8.1, Windows Server 2008R2/2012/2012R2. Works very nice. 

June 9, 2015

Microsoft Azure - copy blob between subscriptions

# Specify storage accounts, containers and blobs.
$SourceStorageAccount = "SOURCE_STORAGE_ACCOUNT_NAME"
$SourceContainer = "SOURCE_CONTAINER_NAME"
$SourceBlob = "SOURCE_BLOB_NAME"
$DestStorageAccount = "DEST_STORAGE_ACCOUNT_NAME"
$DestContainer = "DEST_CONTAINER_NAME"
$DestBlob = "DEST_BLOB_NAME"

# Get Context for source
Select-AzureSubscription "SOURCE_SUBSCRIPTION_NAME"
$SourceStorageAccountKey = (Get-AzureStorageKey -StorageAccountName $SourceStorageAccount).Primary
$SourceContext = New-AzureStorageContext -StorageAccountName $SourceStorageAccount -StorageAccountKey $SourceStorageAccountKey

# Get Context for destination (switch to the destination subscription first)
Select-AzureSubscription "DEST_SUBSCRIPTION_NAME"
$DestStorageAccountKey = (Get-AzureStorageKey -StorageAccountName $DestStorageAccount).Primary
$DestContext = New-AzureStorageContext -StorageAccountName $DestStorageAccount -StorageAccountKey $DestStorageAccountKey

# Start blob copy from one subscription to another
Start-AzureStorageBlobCopy -SrcBlob $SourceBlob -SrcContainer $SourceContainer -SrcContext $SourceContext -DestContainer $DestContainer -DestBlob $DestBlob -DestContext $DestContext

# Check status of copy
Get-AzureStorageBlobCopyState -Blob $DestBlob -Container $DestContainer -Context $DestContext

Very useful script: Copy a Virtual Machine Between Subscriptions

AD vs. AAD

Feature | AD | AAD
--- | --- | ---
Support for Users | |
Support for Groups | |
Support for Computers to join Active Directory | | Not at this time
Support for Group Policy | | Not at this time
Primary Interaction | NetLogon API, LDAP, Directory Service API |
Authentication Protocol | NTLM and Kerberos | WS-Fed, SAML, OAuth, OpenID Connect
Administration Tools | Active Directory Administrative tools and PowerShell | PowerShell, Portal

Source: Identity in Hybrid Clouds

June 8, 2015

Local Administrator Password Solution (LAPS)

Local passwords are a headache of a system administrator's life. Especially when you are new in the position. You sleep and think about the decency of the previous system administrator. You think about how he left the company. Was it good or not. You do not know what to expect. Then you understand that you have an Excel file with all system passwords stored in a cloud (sarcasm /:). You also notice that the local admin password is the same for all systems. Are you going to change the local password on all systems? Using PowerShell/WMI or some third-party software? Log on locally and change it? Not a good idea, and a waste of time.

Here is a solution from Microsoft called Local Administrator Password Solution. It checks password expiration, generates a new password and forces it to workstations. It stores data in Active Directory and protects it with ACLs.

BTW do not store passwords in Excel. Do not store any security information in Dropbox, OneDrive, iCloud etc. At least use KeePass or something like that.

June 5, 2015

Azure Pack - Error 500 on Admin/Tenant portal

I have a test deployment of Azure Pack in my lab. The signing certificates (WindowsAuthSite and AuthSite) expired after the default 1 year period. As a result I get error 500 when trying to authenticate via the portals (Admin and Tenant). There is also integration with ADFS that was done by following a guide. I found some blog posts about this issue. I put links here and here. All of them are based on running the site configuration wizard again so that a new self-signed certificate is generated. I found a simpler way to achieve this. You can generate a new certificate, assign it to the IIS site through the bindings settings and then run Set-MgmtSvcRelyingPartySettings again for the Admin and Tenant targets. Restart IIS and everything works.

BTW if you apply an Update Rollup you will have your self-signed certificates updated. Here is information from Azure Pack UR 6. "If you are using the original self-signed certificates installed by WAP, the update operation will replace them".

June 2, 2015

It is conversion time

Do you want to convert a VMware VM to a Hyper-V one? 5nine V2V Easy Converter is a free tool to get it done. Here is a link. It has a very useful feature that allows shutting down the source VM after the conversion completes.

Another great tool that I found on Windows Dev Center is the Hyper-V generation 2 VM conversion utility. For obvious reasons it doesn't convert VMs in a running state. All other features look pretty good.