PowerShell – Getting Server IP Address Information

KB ID 0001404

Problem

I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is, ‘make sure you know what all the network cards are doing before you flatten it!’

The same is true of storage as well but here I’m just concentrating on networking.

List Network Cards and MAC Addresses

If you have these documented you can rename the network cards correctly after the rebuild, and the MAC addresses ensure you have the right names assigned to the right NICs (without having to go and check all the cabling afterwards!)

[box]Get-NetAdapter | Select Name, MACAddress, vlanID[/box]

List Network Teams and Members

From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are members of each team with the following command;

[box]Get-NetLbfoTeam[/box]

List NICs and IP addresses

To see what IP addresses are in use on which NICs, (physical or virtual) use the following;

[box]Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 | Select InterfaceAlias, IPAddress, PrefixLength[/box]

Hyper-V: Get vSwitch and Virtual NIC info

As stated above, I’m rebuilding Hyper-V hosts; the following lists all the management vSwitch(es) and vNICs (and their names).

[box]Get-VMNetworkAdapter -ManagementOS[/box]

Hyper-V: Get vSwitch and Virtual NIC VLAN info

In addition to the above, I also need to know which VLANs the vNICs are on.

[box]Get-VMNetworkAdapterVLAN -ManagementOS[/box]
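Rather than copying five screenshots, the following added example (not from the original article) writes the output of the commands above to one JSON file before the rebuild, then matches the rebuilt host’s NICs to the saved ones by MAC address. It assumes Windows Server with the NetAdapter, NetLbfo and NetTCPIP modules; the Hyper-V sections are skipped where that module is absent.

```powershell
# Added example, not from the original article.
function Export-HostNetworkInventory {
    param([string]$OutputPath = "$env:USERPROFILE\Desktop\NetInventory-$($env:COMPUTERNAME).json")
    $inv = [ordered]@{
        Host     = $env:COMPUTERNAME
        Captured = (Get-Date).ToString('o')
        Adapters = @(Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, VlanID, Status, LinkSpeed)
        Teams    = @()
        IPv4     = @(Get-NetIPAddress -AddressFamily IPv4 -AddressState Preferred |
                     Select-Object InterfaceAlias, IPAddress, PrefixLength)
        VMNetAdapters     = @()
        VMNetAdapterVlans = @()
    }
    if (Get-Command Get-NetLbfoTeam -ErrorAction SilentlyContinue) {
        # Members is a string array of NIC names, so the team-to-NIC mapping survives in the JSON
        $inv.Teams = @(Get-NetLbfoTeam | Select-Object Name,
            @{n='TeamingMode';            e={ "$($_.TeamingMode)" }},
            @{n='LoadBalancingAlgorithm'; e={ "$($_.LoadBalancingAlgorithm)" }},
            @{n='Members';                e={ @($_.Members) }})
    }
    if (Get-Command Get-VMNetworkAdapter -ErrorAction SilentlyContinue) {
        $inv.VMNetAdapters = @(Get-VMNetworkAdapter -ManagementOS |
            Select-Object Name, SwitchName, MacAddress, @{n='IPAddresses'; e={ @($_.IPAddresses) }})
        $inv.VMNetAdapterVlans = @(Get-VMNetworkAdapterVlan -ManagementOS |
            Select-Object @{n='Adapter'; e={ $_.ParentAdapter.Name }},
                          @{n='Mode';    e={ "$($_.OperationMode)" }}, AccessVlanId)
    }
    $inv | ConvertTo-Json -Depth 5 | Set-Content -Path $OutputPath -Encoding UTF8
    return $OutputPath
}

# After the rebuild: match current NICs to the saved ones by MAC address and
# report any that have been given a different name, or that are missing.
function Compare-HostNetworkInventory {
    param([Parameter(Mandatory)][string]$InventoryPath)
    $saved   = Get-Content -Path $InventoryPath -Raw | ConvertFrom-Json
    $current = Get-NetAdapter
    foreach ($old in $saved.Adapters) {
        $match = $current | Where-Object { $_.MacAddress -eq $old.MacAddress }
        [pscustomobject]@{
            MacAddress   = $old.MacAddress
            ExpectedName = $old.Name
            CurrentName  = $(if ($match) { $match.Name } else { '<missing>' })
            Ok           = [bool]($match -and $match.Name -eq $old.Name)
        }
    }
}
```

Run Export-HostNetworkInventory before flattening the host and Compare-HostNetworkInventory -InventoryPath <saved file> afterwards; anything with Ok = False still needs renaming.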

Related Articles, References, Credits, or External Links

NA

Exchange: PowerShell Commands

KB ID 0001405

Problem

This might seem like an odd title for an article here at PNL, but I’m going to use this page as a place to put all the commands I’m sick of Googling for, and/or working out, every time I do an Exchange job.

So as with all the posts here, it’s here for my benefit, and if anyone else gets something from it, great!

Exchange General

Change Exchange Licence Code

[box]Set-ExchangeServer -Identity Server-Name -ProductKey 12345-12345-12345-12345-12345[/box]

Exchange Mailboxes

How Many Mailboxes Per Database?

[box]Get-Mailbox | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object Name | Format-Table -Auto[/box]


Exchange Mailbox Migrations

Migrate a Single Mailbox

[box]New-MoveRequest -Identity "Fred Bloggs" -TargetDatabase "Destination-DB" -BatchName "Fred Bloggs" -BadItemLimit 200 -AcceptLargeDataLoss[/box]

Migrate ALL Mailboxes in one Database to Another

[box]Get-Mailbox -Database "Source-DB" -ResultSize Unlimited | New-MoveRequest -TargetDatabase "Destination-DB"[/box]

Display Mailbox Migration Progress

[box]Get-MoveRequest | Get-MoveRequestStatistics

OR

Get-MoveRequest -MoveStatus InProgress
Get-MoveRequest -MoveStatus Failed
Get-MoveRequest -MoveStatus Queued[/box]

Remove Mailbox Move Requests

[box]Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest[/box]
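Putting the migration commands above together, the following added example (not from the original article) moves every mailbox in one database to another, polls the batch until nothing is still moving, and lists the failures. It assumes an Exchange Management Shell; database and batch names are placeholders. A BadItemLimit above 50 needs -AcceptLargeDataLoss, which is you agreeing to leave corrupt items behind.

```powershell
# Added example, not from the original article.
function Start-DatabaseMigration {
    param(
        [Parameter(Mandatory)][string]$SourceDatabase,
        [Parameter(Mandatory)][string]$TargetDatabase,
        [string]$BatchName = "Migrate-$SourceDatabase-$(Get-Date -Format yyyyMMdd)",
        [int]$BadItemLimit = 10,
        [switch]$AcceptLargeDataLoss,
        [int]$PollSeconds = 60
    )
    if ($BadItemLimit -gt 50 -and -not $AcceptLargeDataLoss) {
        throw "BadItemLimit $BadItemLimit requires -AcceptLargeDataLoss"
    }
    $moveParams = @{ TargetDatabase = $TargetDatabase; BatchName = $BatchName; BadItemLimit = $BadItemLimit }
    if ($AcceptLargeDataLoss) { $moveParams.AcceptLargeDataLoss = $true }

    foreach ($mbx in (Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited)) {
        # Leave alone any mailbox that already has a move request outstanding
        if (Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue) { continue }
        New-MoveRequest -Identity $mbx.Identity @moveParams | Out-Null
    }

    # States in which a request will not progress on its own; Suspended ones
    # need a Resume-MoveRequest, so they are reported rather than waited on.
    $stopStates = 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended'
    do {
        $stats = @(Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics)
        $stats | Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered |
            Format-Table -AutoSize | Out-Host
        $active = @($stats | Where-Object { $stopStates -notcontains "$($_.Status)" })
        if ($active.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    } while ($active.Count -gt 0)

    # Failed/suspended moves stay as requests so they can be investigated; only
    # the completed ones should be cleared with Remove-MoveRequest as shown above.
    $stats | Where-Object { "$($_.Status)" -ne 'Completed' } |
        Select-Object DisplayName, Status, FailureType, Message
}
```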

Exchange Databases

List All Mailboxes in a Database

[box]Get-Mailbox -Database "Database Name"[/box]

Create a Mailbox Database 

[box]New-MailboxDatabase -Name Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb -LogFolderPath X:\Folder\Log-Folder\[/box]

Show Database (and Log File) Locations

[box]Get-MailboxDatabase -Status | select EdbFilePath
Get-MailboxDatabase -Status | select LogFolderPath[/box]

Move a Database (and Log Files)

[box]Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb
Move-DatabasePath -Identity Database-Name -LogFolderPath X:\Folder\Log-Folder\[/box]

Show Mailbox Database ‘Whitespace’

[box]Get-MailboxDatabase -Status | select Name,DatabaseSize,AvailableNewMailboxSpace[/box]

Users and Groups

Exchange Create a Distribution Group

[box]New-DistributionGroup -Name "DG-All-Users" -Type "Security"[/box]

Exchange Add All Users (In an OU) to a Distribution Group

[box]Get-Mailbox -OrganizationalUnit "cn=users,dc=petenetlive,dc=com" -ResultSize Unlimited | ForEach-Object { Add-DistributionGroupMember -Identity "DG-All-Users" -Member $_ }[/box]
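Note that -Type Security above creates a mail-enabled universal security group, so it can carry permissions as well as mail. The one-liner also fails noisily on a second run because Add-DistributionGroupMember rejects members that are already present; the following added example (not from the original article) is the same operation made repeatable. It assumes an Exchange Management Shell; the group and OU are placeholders.

```powershell
# Added example, not from the original article: add every mailbox in an OU to
# a group, skipping those already in it, and report how many were added.
function Sync-DistributionGroupFromOU {
    param(
        [Parameter(Mandatory)][string]$Group,                # e.g. 'DG-All-Users' (placeholder)
        [Parameter(Mandatory)][string]$OrganizationalUnit    # e.g. 'cn=users,dc=example,dc=com' (placeholder)
    )
    # Compare on DistinguishedName, which is unique, rather than on display names
    $existing = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
                  Select-Object -ExpandProperty DistinguishedName)
    $added = 0
    Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited | ForEach-Object {
        if ($existing -notcontains $_.DistinguishedName) {
            Add-DistributionGroupMember -Identity $Group -Member $_.DistinguishedName
            $added++
        }
    }
    [pscustomobject]@{
        Group         = $Group
        AlreadyMember = $existing.Count
        Added         = $added
        TotalNow      = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited).Count
    }
}
```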


Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One, we set up the AD (groups) and the Certificate Services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, and a RAS server that our remote clients will connect to.

Step1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence, I’ve seen some documentation where there is a firewall in front of and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan; I prefer to have an un-authenticated and an authenticated DMZ, neither of them connected to the LAN, so that I can control what can and cannot flow between the DMZs and the LAN.

My way means I have to allow more ports for domain membership etc., but if you have a Cisco ASA I’ve covered that in the following article,

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs of RADIUS ports I’m unsure, I’ve not scanned or packet captured the traffic, but I’m willing to bet it really only needs 1812/1813 or 1645/1646.

Step2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

Even though it’s not set up yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected > Configure VPN or Dial-Up.

Select ‘Virtual Private Network (NPS) Connections’ > Next > Ensure the RADIUS client you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication Protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure you have ONLY added the group you created back in part one > Next > Next.

Next > Next > Finish.

Your connection request policies should look like this.

Your network policies should look like this.
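The RADIUS client step above can also be scripted; the following added example (not from the original article) registers the RAS server as a RADIUS client on the NPS box with a shared secret drawn from the Windows CSPRNG and puts the secret on the clipboard ready for the RRAS Security tab in Step 3. It assumes the NPS PowerShell module (Server 2012 or later), PowerShell 5.1 for Set-Clipboard, and that it runs on the NPS server; the client name and address are placeholders.

```powershell
# Added example, not from the original article.
function New-RasRadiusClient {
    param(
        [Parameter(Mandatory)][string]$Name,      # e.g. 'RAS-01' (placeholder)
        [Parameter(Mandatory)][string]$Address,   # the RAS server's LAN-side IP (placeholder)
        [int]$SecretLength = 48                   # NPS accepts shared secrets up to 64 characters
    )
    # 64 symbols, so each random byte maps to a symbol without modulo bias, and
    # none of them need escaping when pasted into the RRAS dialog.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $SecretLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

    $existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
    if ($existing) {
        # Same name already registered: treat this as a secret rotation
        Set-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret | Out-Null
    }
    # The secret goes to the clipboard only; it is never echoed or logged
    Set-Clipboard -Value $secret
    Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
}
```

After pasting the secret into RRAS, clear the clipboard (Set-Clipboard -Value '') so it does not linger.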

Step 3: Setup RAS

Server Manager > Manage > Add Roles and Features > Next > Next > Next > Remote Access > Next.

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

Open the Getting Started Wizard > Select VPN Only.

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

VPN Access > Next > Finish > Start service.

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS server’s internal/LAN interface is selected > Apply.

Security Tab: Authentication provider = RADIUS Authentication > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied (above) > OK > OK.

Repeat the same procedure for Accounting provider, (below).

Drill down to ‘Ports’ > Right Click > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only)’ > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2 (so when finished, only IKEv2 is set to accept incoming requests).

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine* launch ‘Change virtual private networks’.

*Note: Your logged-on user must have a certificate issued to them, and be a member of the AD group we created earlier.

Add a VPN Connector.

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Change Adapter options.

Right click the VPN connection > Properties.

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server, (I know that does not make sense trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

Connect your VPN to test it.

Make sure everything works.

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1. You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, a PowerShell script and an XML file.
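To see what is actually being captured from the reference connection, the following added example (not from the original article, and not MakeProfile.ps1) reads the IKEv2/EAP settings from the template built in Step 4 and reproduces them on another machine with Add-VpnConnection. It does not add the Always On auto-trigger; that is what the MakeProfile.ps1/VPN_Profile.ps1 workflow does. Connection names and paths are placeholders.

```powershell
# Added example, not from the original article.
function Export-VpnTemplate {
    param(
        [string]$Name = 'Connection-Template',
        [string]$Path = "$env:USERPROFILE\Desktop\$Name-eap.xml"
    )
    $template = Get-VpnConnection -Name $Name
    # Guard against exporting a connection that was not set up as in Step 4
    if ($template.TunnelType -ne 'Ikev2' -or @($template.AuthenticationMethod) -notcontains 'Eap') {
        throw "'$Name' is not an IKEv2 + EAP connection; check its Security tab"
    }
    # EapConfigXmlStream is an XmlDocument holding the PEAP/certificate settings,
    # including the server name and root CA thumbprint chosen in the GUI.
    $template.EapConfigXmlStream.Save($Path)
    [pscustomobject]@{ ServerAddress = $template.ServerAddress; EapXmlPath = $Path }
}

function Import-VpnTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,   # public name on the RAS certificate
        [Parameter(Mandatory)][string]$EapXmlPath
    )
    $eap = New-Object System.Xml.XmlDocument
    $eap.Load($EapXmlPath)
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    # Mirrors the Security tab: IKEv2, maximum encryption, EAP with the captured XML
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
        -EncryptionLevel Maximum -AuthenticationMethod Eap -EapConfigXmlStream $eap -PassThru
}
```

Export on the reference machine, copy the XML to the target, then run Import-VpnTemplate there and test with rasdial before moving on to the profile script.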

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods: PowerShell script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell script; there are a few restrictions though: you have to be logged on as the particular user, and they need administrative rights to run the script, which is a bit of a pain. You can use restricted groups and set the PowerShell to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Now once the user logs in (and has a valid remote internet connection), the remote client will auto-connect.

That covers USER tunnels; you can also (post-1709 Windows 10 builds) have DEVICE tunnels, which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out and I will revisit it at some point in the future.

Related Articles, References, Credits, or External Links

NA

Remotely Log Users Off From CLI / PowerShell

KB ID 0001401

Problem

I’ve not had to do this since the days we got “The terminal server has exceeded the maximum number of allowed connections” errors. Now thankfully Windows Server tells us who is logged on so we can ‘ask politely’ before we boot them off!

Today though, my user session got all messed up, and I needed to kick ‘myself’ off remotely, (and have a fresh session.)

Solution

From a remote machine run the following command to see who is logged on and (more importantly) get the session number for that user;

[box]QUser /SERVER:{Hostname}[/box]

Above, the ID of ‘1’ denotes the session number; select the one that corresponds to the user you want to log off, then issue the following command;

[box]Logoff {Session} /SERVER:{Hostname} /V[/box]

Job done, that was easy!
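If you do this often enough to want it scripted, the following added example (not from the original article) parses the QUser output above into objects and logs off only the sessions belonging to a named user, with -WhatIf support so you can see which session ID it picked before it acts. It assumes quser.exe and logoff.exe are reachable on the remote host as in the article.

```powershell
# Added example, not from the original article.
function Get-RemoteUserSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $lines = & quser "/SERVER:$ComputerName" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "quser failed against ${ComputerName}: $lines" }
    $lines | Select-Object -Skip 1 | ForEach-Object {
        # Columns are space-padded and a disconnected session has a blank SESSIONNAME,
        # so split on runs of two or more spaces and pad the missing column back in.
        $f = ($_ -replace '^\s*>', '').Trim() -split '\s{2,}'
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        [pscustomobject]@{
            UserName    = $f[0]
            SessionName = $f[1]
            Id          = [int]$f[2]
            State       = $f[3]
            IdleTime    = $f[4]
            LogonTime   = $f[5]
        }
    }
}

function Disconnect-RemoteUserSession {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName
    )
    $sessions = @(Get-RemoteUserSession -ComputerName $ComputerName |
                  Where-Object { $_.UserName -eq $UserName })
    if ($sessions.Count -eq 0) { Write-Warning "No session for $UserName on $ComputerName"; return }
    foreach ($s in $sessions) {
        # The session ID, not the user name, is what logoff needs
        if ($PSCmdlet.ShouldProcess("$ComputerName session $($s.Id) ($UserName, $($s.State))", 'logoff')) {
            & logoff $s.Id "/SERVER:$ComputerName" /V
        }
    }
}
```

Disconnect-RemoteUserSession -ComputerName SERVER01 -UserName pete -WhatIf shows the target session; drop -WhatIf to log it off.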

Related Articles, References, Credits, or External Links

NA

PowerShell: Creating Domains and Domain Controllers

KB ID 0001400

Problem

I needed to spin up some Windows 2016 Servers, and a domain to do some testing. I have promoted hundreds maybe thousands of domain controllers, so I wondered if this time I could do it with PowerShell. It’s actually easier than using the GUI!

Solution

If you were doing this in Server Manager, you would have to add the role first, and PowerShell is no different;

[box]Install-WindowsFeature AD-Domain-Services -IncludeManagementTools[/box]

Then promote the server to a new DC in a new forest;

[box]Install-ADDSForest[/box]

Supply the new domain name and the recovery password. Select ‘Y’ to reboot, go and have a coffee, and when finished you will have a new DC in a new domain, ready to log into.
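The same two steps can run unattended, which is handy for a test lab; the following added example (not from the original article) runs the AD DS prerequisite check first so a host that would fail is caught before anything is changed. Domain names and the functional level are placeholders; the DSRM password is read as a SecureString rather than typed into the script.

```powershell
# Added example, not from the original article.
function New-TestForest {
    param(
        [Parameter(Mandatory)][string]$DomainName,        # e.g. 'corp.test' (placeholder)
        [Parameter(Mandatory)][string]$NetbiosName,       # e.g. 'CORP' (placeholder)
        [Parameter(Mandatory)][securestring]$SafeModePassword,
        [string]$FunctionalLevel = 'WinThreshold',        # Windows Server 2016 level
        [switch]$Reboot
    )
    # Same as the article: add the role before promoting
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

    $settings = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        SafeModeAdministratorPassword = $SafeModePassword
        InstallDns                    = $true
        CreateDnsDelegation           = $false
        ForestMode                    = $FunctionalLevel
        DomainMode                    = $FunctionalLevel
    }
    # Dry run: validates names, passwords, DNS and disk without changing the box
    $check = Test-ADDSForestInstallation @settings
    if ("$($check.Status)" -ne 'Success') {
        throw "AD DS prerequisite check failed: $($check.Message)"
    }
    # -Force suppresses the confirmation prompts; reboot is opt-in here
    Install-ADDSForest @settings -Force -NoRebootOnCompletion:(-not $Reboot)
}
```

Call it as New-TestForest -DomainName corp.test -NetbiosName CORP -SafeModePassword (Read-Host -AsSecureString 'DSRM password') -Reboot.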

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 1 (Domain and PKI)

KB ID 0001399

Problem

Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘Direct Access’ it didn’t have the capacity to ‘Manage Out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’ (more on that later).

The solution uses RAS, NAP (NPS), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server setup just for ‘testing’ access to domain resources.

Note: The VPN setup, (on everything, apart from the Windows 10 clients), is just the same as it ever was. This technology is for copying VPN settings from a Windows 10 client, and then being able to put those settings on other Windows 10 clients, so that when a user logs on, the VPN connects (User Tunnels), or when a machine gets a network connection it connects (Device tunnels).

Step 1: Active Directory Work

You will need to set up some security groups in AD; I’m going to use;

  • VPN-NPS-Servers
  • VPN-RAS-Servers
  • VPN-Users

Note: You can of course use ‘domain users’ if you are rolling this out domain wide.

Add your NAP/NPS server(s) to the VPN-NPS-Servers group (remember you need to add computers to the search criteria, or you won’t find them).

Add your RAS server(s) to the VPN-RAS-Servers group.

Add your domain user(s) to the VPN-Users group.
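The Step 1 group work as a script, as an added example (not from the original article): it creates the three groups if they are missing and adds the listed members, resolving the servers as computer objects (the PowerShell equivalent of adding ‘Computers’ to the object types in the GUI). It assumes the ActiveDirectory module; server names, user names and the optional OU path are placeholders.

```powershell
# Added example, not from the original article.
function Initialize-AlwaysOnVpnGroups {
    param(
        [string[]]$NpsServers = @(),
        [string[]]$RasServers = @(),
        [string[]]$Users = @(),
        [string]$GroupPath   # e.g. 'OU=Groups,DC=example,DC=com' (placeholder); default container if omitted
    )
    $plan = @(
        @{ Group = 'VPN-NPS-Servers'; Names = $NpsServers; Resolver = { Get-ADComputer -Identity $args[0] } },
        @{ Group = 'VPN-RAS-Servers'; Names = $RasServers; Resolver = { Get-ADComputer -Identity $args[0] } },
        @{ Group = 'VPN-Users';       Names = $Users;      Resolver = { Get-ADUser     -Identity $args[0] } }
    )
    foreach ($p in $plan) {
        if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
            $new = @{ Name = $p.Group; GroupScope = 'Global'; GroupCategory = 'Security' }
            if ($GroupPath) { $new.Path = $GroupPath }
            New-ADGroup @new
        }
        # Add-ADGroupMember errors on members that are already present, so filter them out first
        $existing = @(Get-ADGroupMember -Identity $p.Group | Select-Object -ExpandProperty DistinguishedName)
        $toAdd = foreach ($n in $p.Names) {
            $obj = & $p.Resolver $n
            if ($existing -notcontains $obj.DistinguishedName) { $obj }
        }
        if (@($toAdd).Count -gt 0) { Add-ADGroupMember -Identity $p.Group -Members $toAdd }
    }
    # Show the result so the membership can be checked before moving on to the PKI
    foreach ($p in $plan) {
        [pscustomobject]@{
            Group   = $p.Group
            Members = @(Get-ADGroupMember -Identity $p.Group | Select-Object -ExpandProperty SamAccountName)
        }
    }
}
```

Computer accounts show up with a trailing $ in SamAccountName, which is a quick way to confirm a server rather than a user landed in the server groups.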

Step 2: PKI (Certificate Services)

PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to work on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design; consider things like offline root CAs, multi-tier sub CAs, CRLs, and OCSP.

Luckily, I’ve spent a ton of time already on Certificate Services; look through the following article;

Microsoft PKI Planning and Deploying Certificate Services

If you are simply setting this up on the test bench, or for a POC (in a non-production domain), then add the role from Server Manager.

These are the roles I deploy, but for this solution you only really need the Certification Authority role.

Note: If you are interested what the other roles do, then search for them above, (I’ve blogged about NDES, and the Enrollment Web Services before).

Step 3: Certificate Templates

You will need to create and publish three certificate templates;

  • VPN-User (Based on the User Template)
  • NPS-Servers (Based on the RAS and IAS Template)
  • VPN-Servers (Based on the RAS and IAS Template)

VPN-User Certificate: Open the Certificate Services management console > Certificate Templates > Manage > User > Duplicate Template.

General Tab

  • Template Display Name: VPN-User
  • Publish certificate in Active Directory: UNTICK.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work)

Request Handling Tab:

Allow private key to be exported: UNTICK

Cryptography Tab:

  • Provider Category: Key Storage Provider
  • Providers: First: Microsoft Platform Crypto Provider, Second: Microsoft Software Key Storage Provider.

Note: There are two because the first one requires a TPM chip; if the client machine does not have one the procedure fails. By allowing ‘Microsoft Software Key Storage Provider’ it will ‘fall back’ to that option if there is no TPM chip.

Security Tab:

  • ADD: VPN-Users: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: Domain Users

Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name’ on the Subject Name tab, or you may see this problem.

Issue the certificate template.

Repeat the procedure but this time make a duplicate of the RAS and IAS template.

General Tab:

  • Template Display Name: NPS-Servers.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Security Tab:

  • ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: RAS and IAS Servers.

Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.

General Tab:

  • Template Display Name: VPN-Servers.

Extensions Tab:

  • Edit > Add > IP Security IKE Intermediate > OK > OK.

Security Tab:

  • ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
  • DELETE: RAS and IAS Servers.

Subject Name Tab:

Supply In the Request: TICK (Accept the warning).

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

Issue Both of the server certificate templates.

Step 4: Group Policies Auto-Enrolment

Again, I’ve written about this before, so for some extra reading on the subject, see the following article;

Deploying Certificates via ‘Auto Enrollment’

In the ‘Group Policy Management Console’ create a new GPO. I’m simply linking it to the root of the domain; you can of course link it to the OUs that your RAS and NPS servers live in.

Edit the policy.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Close and exit the policy editor.

Now I’m creating another policy for my USER auto-enrolment (I could have used the same policy above, that’s linked to the root of the domain, but I like to keep them separate; it’s your choice). Anyway, just ensure the policy is linked to your USERS.

Edit the policy.

Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Step 5: Testing Certificate Deployment

Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will get their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy, see the following article;

Windows – Forcing Domain Group Policy

NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Servers template.

VPN-Server Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.

Note: You are doing this one manually, because this certificate does not auto-enrol, that’s because the certificate will need a different common name on it, (the public DNS name of the RAS server).

Next > Click the ‘More information…’ link > In the Subject Name section, set the Common name to the private DNS name of the RAS server. In the Alternative name section set the DNS value to the public name of the server > Apply > OK.


Enroll > Finish.

You now have a certificate based on the VPN-Server template.


VPN-User Certificate: Just a quick note, on the Windows 10 client, run certlm.msc again but this time ensure you have your domain CA server certificate listed in the ‘Trusted Root Certification Authorities’ folder.

Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an mmc console > and add a snap-in.

And add ‘Certificates’ (Note: If I were an administrator I would be prompted to choose computer or user certificates; as I’m just a user, current user is selected by default) > OK.

And there’s my certificate based on the VPN-User template.

If you’re struggling, and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrollment to fail). For troubleshooting, look in the Event logs and in the ‘Failed Requests’ section on your CA server. For all certificates, if something isn’t working then either something’s in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.
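The Step 5 checks can be done from PowerShell instead of three MMC consoles; the following added example (not from the original article) finds certificates by the template name recorded in their Certificate Template Information extension, confirms the domain root CA is trusted, and reports whether the VPN-User key landed in the TPM (Microsoft Platform Crypto Provider) or fell back to the software KSP, as described in the Cryptography tab note above. It assumes PowerShell 5.1 on a domain-joined machine; the CA subject pattern is a placeholder, and on a server you would only expect the server templates to match.

```powershell
# Added example, not from the original article.
function Get-TemplateCertificate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'LocalMachine'
    )
    $templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
    Get-ChildItem "Cert:\$StoreLocation\My" | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        # Format() renders as 'Template=VPN-User(1.3.6.1.4.1.311.21.8...), Major Version Number=...';
        # if the name cannot be resolved from AD the OID appears in its place.
        if ($ext -and $ext.Format($false) -match 'Template=(?<name>[^(,]+)') {
            if ($Matches.name.Trim() -eq $TemplateName) { $_ }
        }
    }
}

function Get-CertKeyProvider {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($key -is [System.Security.Cryptography.RSACng]) { return $key.Key.Provider.Provider }   # KSP (TPM or software)
    if ($key) { return $key.CspKeyContainerInfo.ProviderName }                                 # legacy CSP key
    return $null
}

function Test-AlwaysOnVpnCertificates {
    param([string]$CaSubjectPattern = 'PLACEHOLDER-CA')   # fragment of your root CA's subject name
    $vpnUser = @(Get-TemplateCertificate -TemplateName 'VPN-User' -StoreLocation CurrentUser)
    $vpnSrv  = @(Get-TemplateCertificate -TemplateName 'VPN-Servers')
    [pscustomobject]@{
        RootCaTrusted      = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $CaSubjectPattern })
        NpsServerCert      = @(Get-TemplateCertificate -TemplateName 'NPS-Servers') | ForEach-Object Subject
        VpnServerCert      = $vpnSrv | ForEach-Object Subject
        # SAN must carry the public DNS name of the RAS server (see the manual request above)
        VpnServerSan       = $vpnSrv | ForEach-Object { ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false) }
        VpnUserCert        = $vpnUser | ForEach-Object Subject
        VpnUserKeyProvider = $vpnUser | ForEach-Object { Get-CertKeyProvider -Certificate $_ }
    }
}
```

A VpnUserKeyProvider of ‘Microsoft Platform Crypto Provider’ means the key is TPM-backed; ‘Microsoft Software Key Storage Provider’ means the fallback was used.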

That’s it for Part One; in Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsoft’s continuing policy of trying to bypass my firewall.

Related Articles, References, Credits, or External Links

A massive thank you to Joseph Moody and Kevin Kaminski, fellow MVPs who took the time to reply to my Always On VPN queries.

VMware vCenter: Can’t Remove ‘Orphaned’ VMs

KB ID 0001398

Problem

I noticed I had a VM that was ‘Orphaned’ in my vCenter web console. It was not a production server or anything, I just wanted to delete it. However the option to Delete or Remove from Inventory was not available.

Solution

It turns out you just need to ‘dig a little deeper’: All Virtual Infrastructure Action > More Uncategorized Actions > Remove from inventory.

Related Articles, References, Credits, or External Links

vSphere – Guest VM is shown as (Orphaned)

VMware – Cannot Delete an ‘Orphaned’ Replica

Exchange 2016 Setup Error “Server-Gui-Mgmt-Infra” Isn’t Installed

KB ID 0001397

Problem

During the Exchange 2016 Setup Readiness Checks;

The Windows component Server-Gui-Mgmt-Infra isn’t installed on this computer and needs to be installed before Exchange Setup can begin

Solution

This is a known problem when installing Exchange 2016 on Server 2016, and it was fixed in Exchange 2016 Cumulative Update 4. You are probably installing Exchange 2016 from the RTM media (downloaded from Microsoft).

You need to download a newer version of the Exchange 2016 install media, CU4 or newer. Use the following link;

Updates for Exchange 2016

Note: The update, is the full install media, (It might just look smaller, because it does not have every language pack in it!)

Related Articles, References, Credits, or External Links

NA

Deleting Folders With ‘Long Filenames’ (Source Path Too Long)

KB ID 0001396

Problem

Source Path Too Long
The source file name(s) are larger than is supported by the file system. Try moving to a location which has a shorter path name, or try renaming to shorter name(s) before attempting this operation.

“Have you come across a problem deleting folders with long filenames?” I got asked this question twice in the first week at a new job. In a former role my colleague did a lot of work in schools and was forever coming across this problem when doing file migrations.

As it transpired this was a problem at, yes you’ve guessed it, a school that was a client. The little darlings had got hold of a script that recursively created nested folders, and as obviously this is hilarious it had happened multiple times.

I didn’t have a solution off the top of my head, but I thought I’d try and recreate the problem, and see if there was a simple solution.

Solution

The most difficult part was replicating the script; Windows is pretty good at protecting itself. But thanks to the good folk at Experts-Exchange’s assistance, I was good to go: attempting to move or delete the folders generated the error you see above.

Method One: Use Robocopy

Robocopy has been built into Windows for a while; you can use it with the /MIR flag to remove all your subfolders by mirroring an empty folder over the top of them.

[box]MD C:\DELETE-ME
robocopy C:\DELETE-ME C:\{path}\{The Top Level Folder To Delete} /s /mir[/box]

Then you can simply delete the two remaining empty folders;

[box]rd C:\DELETE-ME
rd C:\{path}\{The Top Level Folder To Delete}[/box]
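Because /MIR deletes everything under the destination with no undo, it is worth wrapping Method One in a guard; the following added example (not from the original article) refuses drive roots and system locations, asks for confirmation, checks the robocopy exit code, and cleans up both folders. Paths are placeholders.

```powershell
# Added example, not from the original article.
function Remove-LongPathFolder {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Path,          # the top-level folder to delete
        [string]$EmptySource = 'C:\DELETE-ME'         # empty folder mirrored over the target
    )
    $target = [System.IO.Path]::GetFullPath($Path)
    # /MIR has no undo: refuse anything that looks like a root or a system tree
    if ($target -match '^[A-Za-z]:\\?$' -or
        $target -like "$env:SystemRoot*" -or $target -like "$env:ProgramFiles*") {
        throw "Refusing to mirror an empty folder over '$target'"
    }
    if (-not (Test-Path -LiteralPath $target)) { throw "'$target' does not exist" }
    if (-not $PSCmdlet.ShouldProcess($target, 'delete entire tree via robocopy /MIR')) { return }

    New-Item -ItemType Directory -Path $EmptySource -Force | Out-Null
    if (Get-ChildItem -LiteralPath $EmptySource -Force) { throw "'$EmptySource' must be empty" }

    # Quiet output, one retry with a one-second wait so locked files do not stall it
    & robocopy $EmptySource $target /MIR /NJH /NJS /NFL /NDL /R:1 /W:1 | Out-Null
    # Robocopy exit codes 0-7 are status bits (e.g. 2 = extra files deleted); 8 and above mean failures
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

    # Same as the two rd commands above
    Remove-Item -LiteralPath $EmptySource, $target -Force
    return (-not (Test-Path -LiteralPath $target))
}
```

Remove-LongPathFolder -Path 'C:\Data\NestedMess' -WhatIf shows what would be removed; without -WhatIf it prompts before mirroring.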

Method Two: Use a GUI Tool

I’m always suspicious of third party tools, and if you Google this problem two pieces of software will jump out: one’s brilliant and does not have any spamware or malware in it, the other one’s, well, not free and annoying.

The Good

DeleteLongPath by BackupChain is simple and does exactly what you expect. Take some time to look at their backup software as well!

The Bad

Message boards are spammed with people saying how great this piece of software is, probably by the clowns who make it! Long Path Tool: they just want your money, don’t bother.

Update: I’ve had about 15 to 20 chancers trying to post favourable comments for this piece of junk; don’t bother, I won’t approve them!


Related Articles, References, Credits, or External Links

NA