If you want to upgrade VMware Tools and suppress the reboot (because rebooting production servers is always a touchy subject, ‘maintenance windows‘ and ‘CAB procedures‘ aside): when you deploy a new version of VMware Tools from vSphere by right-clicking the VM and selecting Automatic Upgrade, it will reboot the server. How do you stop that happening?
Solution: Upgrade VMware Tools and Suppress the Reboot
Let’s start by saying that the full upgrade process requires a reboot; you will still have to do one, but it’s pretty easy to schedule that. Follow the same procedure as normal and select Automatic Upgrade, but in the Advanced Options enter the following text;
[box]
/s /v "/qn REBOOT=ReallySuppress"
[/box]
You can actually jump on the machine and keep an eye on Task Manager; you will see the VMware Tools service stop and restart, and if you look at the installed software you will see something like the following;
Don’t forget to Schedule a reboot to properly complete the procedure.
Related Articles, References, Credits, or External Links
I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.
So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking that the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event (in my case, a request sent to the Microsoft Authenticator application on my Android phone).
Azure MFA With Microsoft NPS Pre-Requisites
The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license.
“But I can use the Authenticator App with my Office 365 subscription?”
Well yes you can, but we are not authenticating to Office 365, are we?
Below you can see the licence is allocated in Office 365
And the same in Azure AD.
Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application, the USER chooses that method of authentication when you enable MFA for them (the first time they log in). You can re-force that from the following screen if you wish.
Now, for some reason, installing NPS does not open the correct ports on the Windows Firewall, so issue the following command;
[box]
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any
[/box]
Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)
You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.
Below you can see I’ve got my domain user, their remote access (Dial-in tab) is set to control access through policy, and I’ve placed them in a security group called SG-Azure-MFA.
Configure NPS for RADIUS Access
Note: You may already have this configured, if so please skip to the next section.
The first task is to define the RADIUS CLIENT; in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password; you will need to add this to the RADIUS client’s config) > OK
Policies > Network Policies > New > Give it a sensible name > Next.
Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.
Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.
Accept all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’ > Click Yes if you want to read the warning > Next > Accept all the defaults from this point forward.
Remember to RAISE the RADIUS timeout; by default it’s 10 seconds, I raised it to 30 seconds.
And on my phone I get prompted to allow the sign-in
Authentication successful!
Troubleshooting (NPS Azure MFA Not Working)
Event ID 6274: The Request Was Discarded by a third-party extension DLL file.
This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 16:42:58
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: PNL\tanya.long
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: pnl.com/PNL/Users/Tanya Long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 6
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: NP-Azure-MFA
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
[/box]
Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection
In my case I had to re-install the NPS Azure extension.
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 17:24:39
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: PNL\tanya.long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 10
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
[/box]
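As an added example (not from the original post), here is a small Python script that parses event bodies like the two above and maps the reason codes (9 and 21) to the causes described, so a batch of exported events can be triaged quickly; the reason-code hints and the trimmed sample events are constructed from this page, not taken from a Microsoft reference.

```python
"""Triage NPS audit events 6273/6274 raised when the Azure MFA NPS extension fails."""
# Reason codes and the fixes described above (assumed mapping from this page's two events).
REASON_HINTS = {
    9: "Discarded by the extension: check the user's Azure AD P1 / M365 licence (or wait for it to propagate).",
    21: "Extension DLL rejected the request: reinstall/repair the Azure MFA NPS extension.",
}

def parse_nps_event(text: str) -> dict:
    """Flatten an NPS audit event body into a dict. Keys repeat across sections
    (User, Client Machine, NAS...), so a key with an empty value becomes a section
    header that prefixes later keys; the first occurrence is also stored bare."""
    fields, section = {}, ""
    for raw in text.splitlines():
        if ":" not in raw:
            continue                      # free-text lines such as the description
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                     # e.g. "User:" or "NAS:"
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
        fields.setdefault(key, value)     # bare key: first section wins
    return fields

def triage(text: str) -> dict:
    """Pull out what an admin needs to chase an MFA failure and attach a hint."""
    f = parse_nps_event(text)
    code = int(f.get("Reason Code", -1))
    return {
        "event_id": int(f.get("Event ID", 0)),
        "account": f.get("Account Name", "-"),          # User section comes first
        "nas_ip": f.get("NAS IPv4 Address", "-"),
        "policy": f.get("Network Policy Name", "-"),
        "reason_code": code,
        "hint": REASON_HINTS.get(code, "Unknown reason code; check the extension's own logs."),
    }

# Constructed samples, trimmed from the two events shown above.
SAMPLE_6274 = r"""Event ID: 6274
User:
Account Name: tanya.long
NAS:
NAS IPv4 Address: 192.168.254.254
Authentication Details:
Network Policy Name: NP-Azure-MFA
Reason Code: 9"""
SAMPLE_6273 = r"""Event ID: 6273
User:
Account Name: tanya.long
NAS:
NAS IPv4 Address: 192.168.254.254
Authentication Details:
Network Policy Name: -
Reason Code: 21"""
```

Note that in the 6273 case the Network Policy Name is empty: the extension rejected the request before it ever reached your network policy.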
People are always ‘a bit twitchy‘ about upgrading their backup software. Mine’s on my test network, so I’m a little more cavalier about diving in and clicking Next. So when you want to upgrade Veeam 10 to Veeam 11, people’s main concerns are;
Will I lose my backup / replication jobs?
Will I need to rescan backup repositories?
Remember Veeam keeps all its data in a database, so your configs should remain unaffected, but just to prove it;
Can I Upgrade Veeam 10 to Veeam 11 – Yes
Obviously close any Veeam management windows (in all logged in profiles) before starting.
‘Backup the Free Version of ESX?’ This was asked on Experts Exchange this week, I responded with the usual answer of “No the VAPI is not exposed in the free version, so it cannot be backed up by a third party backup application.”
The poster responded with, “That’s what I thought, but I’ve got a Technical Consultant here who says it can be done with version 7“
This should be easy to test, I simply need to spin up an ESX7 VM put a free licence on it and see if I can back it up right?
Backup the Free Version of ESX ?
Off on a Tangent: Things always go wrong the most when you are doing someone a favour! First, my test machines (in a corporate data centre) didn’t have CPUs compatible with ESX7. No problem, I’ll spin one up on my MacBook in VMware Fusion and attempt a backup from the DC (I have a site-to-site VPN to the DC). Then none of my Fusion machines could get network access; then, when I fixed that, the VPN was down and needed fixing. Then I was in the middle of a Veeam upgrade anyway, which took about 12 hours!
Back to the answer: Whoever started this rumour needs a percussive adjustment to the face; free ESX still cannot be backed up. Here’s what happens when you try with Veeam, for example;
Veeam Error:
Error: Current vSphere license or ESXi version prohibits execution of the required operations
So I Can’t Backup the Free Version of ESX?
Well, not using a VMware-aware backup solution, but there’s nothing to stop you installing backup agents into your VMs and backing them up that way (treat them as if they are physical machines).
Alternative Backup Solution: I’ve seen people suggesting ghettoVCB, which might fit your requirements, but you need to install it into the ESX server as a VIB, then create a folder in your storage. Finally you can script it to take snapshots of your VMs and copy the backups into that folder, but it requires some CLI skills and it leaves your backups on the same box as your production VMs. If you’re an enthusiastic tech type (with no budget) you might want to take a look at it.
You may see the “A Reboot From a Previous Installation is Pending” error when either attempting to install Microsoft Exchange or apply a cumulative update, (which is basically a reinstall anyway!) You may also see this if you are only installing the management tools.
At the command line;
A reboot from a previous installation is pending. Please restart the system and then rerun Setup.
Or if you are running the install upgrade from the GUI;
A Reboot From a Previous Installation is Pending : FIX
Before we go any further, I’m assuming you have rebooted the server in question, this post is for the good folk who have already done the obvious, and are still getting prompted with the above error!
This happens because the setup procedure checks TWO registry keys, though to be fair the first one is for older versions of the OS, so don’t be surprised if you look for it and the key does NOT exist; there’s nothing wrong!
This is a multi-string value, which means it can contain multiple entries; as you will probably see, most of them will be stale links to things. Many sites will tell you to delete the entire value (PendingFileRenameOperations), but you don’t need to; simply empty out all the entries, like so. Before;
After
Then retry.
I’ve had to contend with Outlook Search Broken on Windows clients many times, but not being able to search my ‘sent‘ and ‘deleted‘ items has a detrimental effect on my productivity.
Outlook Search Broken Fix
This can happen if the folder/drive that your Outlook profile is in is blocked from being indexed by ‘Spotlight’, but in my case that wasn’t the problem.
Close Outlook > Open ‘Finder’ > Go > Go to folder > Paste in the following;
Locate the file called Outlook.sqlite and MOVE it somewhere safe (like your desktop).
Open Outlook and you should see this > Click ‘Repair’.
This can take a while (mine took about an hour, be patient). Eventually Outlook will open and your folders should all ‘resend’ then you can search again.
Alternative Outlook Search Broken Fix
You may also need to ‘bounce‘ the Spotlight service; issue the following commands;
[box]
sudo mdutil -a -i off
sudo mdutil -a -i on
[/box]
This is a horrible subject to find any decent information on. Microsoft are typically ‘vague’ and most people are stuck with using trial and error, or massively overestimating hardware to be on the safe side. I get asked this occasionally and, just like Microsoft, it’s a question I don’t like to answer!
People are reluctant to tell you that you need ‘x’ amount of CPU and ‘y’ amount of RAM, simply because ‘it depends’. For example, a dozen users just doing some file and print and working on Office documents will be much less of a requirement than a dozen users making MS Teams calls and doing 3D AutoCAD modelling.
I’m going to Assume: That we are deploying RDS in a virtual environment, so I’ll be talking about vCPU requirements. BE AWARE: Running a VM with a LOT of vCPUs can be counterproductive for performance (Google CPU Ready).
RDS Sizing Requirements
RDS Dependencies
Most of these will be common sense;
Domain Authentication: Usually via Active Directory or Azure AD credentials.
DNS Resolution: Not just for the RDS server roles deployed, for resolving the names on Certificates, and for third party hosted applications.
Third Party (Line of Business) Applications: Not all apps support RDS deployment, and many that do, require different licensing (Check!)
File and Print: Thankfully these days most file storage is moving into the cloud, but users still need user profiles. How are you going to present them? FSLogix, redirected folders, shared folders etc.
Access: These days having RDP open to the outside world is a thing of the past; if you want to connect to RDS you either come in via an RDS Web Gateway or, even better, by connecting to a VPN and then accessing the RDS deployment.
Licensing: Obviously the RDS servers themselves require licensing, but so does RDS itself, and that depends on which licence model you buy (user CALs or device CALs). Typically most people buy user CALs (device CALs are good for things like call centres, e.g. where 3 shift workers use the same PC in a 24 hour period, so you can buy 1 device CAL rather than 3 user CALs).*
*Note: What’s a SAL then? A Subscriber Access Licence is used if your servers are SPLA licensed from a service provider. These are usually on a monthly rental basis.
RDS Sizing: Roles
You can, (and I think it’s still the default) put all the RDS roles on one server, obviously this is not ideal for anything other than a tiny deployment (5-10 users doing very low impact roles for example). But the individual roles required are;
RD Session Host: This is what does all the heavy lifting; it hosts the remote user sessions. Typically these will be the server(s) in your deployment that suffer from resource constraints if you get something wrong. As I’ve mentioned above, if you’re running 3rd party Line of Business applications on here, MAKE sure they are designed and optimised for RDS. Finally, based on what your users are doing, is it worth having better/faster/local storage on these servers?
RD Connection Broker: This role has two primary jobs: 1) connect remote users to the least utilised session host, and 2) reconnect users to the correct session host if they’ve dropped a connection or have an existing open RDS session.
RD Web Server: This provides a web logon portal for RDS so that RDS desktops and applications can be accessed over HTTPS. Remember, just because traffic is on HTTPS (TCP port 443) do not assume it’s trusted and non-malicious; nearly every exploit and attack these days uses HTTPS or SSH to get traffic in and out of your network. Unless you are inspecting HTTPS, it’s no more secure than HTTP! Typically the RD Web server is deployed in a DMZ. In some small deployments it can also be on the RD Connection Broker.
RD Licence Server: Typically this gets put on ‘another‘ server in the environment; the drawback of this is people forget where it is, don’t check before decommissioning a server, then find out a few days later their licence server has disappeared. You install this role, then register it with Microsoft, then finally add your licences to it.
RDS Sizing Calculations
For all RDS roles apart from the RD Session Host(s), the footprint is relatively small.
RD Session Host(s) CPU: This depends on the number of users; typically no more than 4 users per vCPU, and up to a maximum of 8 vCPUs per host (this should tell you that you need an RD Session Host for every 24 (approx) users). Remember to factor in additional hosts in case you suffer the loss of a server/hypervisor. For that reason it’s also good practice to deploy your session hosts with anti-affinity rules so that they are not all on the same hypervisor host!
RD Session Host(s) RAM: Again, this depends on the users and what they will be doing; as a rule of thumb, allow between 2 and 8 GB per user, but do not allocate more than 128 GB per RD Session Host.
RD Connection Broker: (2 x vCPU, 8 GB RAM, 70 GB HDD) Note: can scale up to (8 vCPU, 16 GB RAM, 70 GB HDD) for larger deployments.
RD Web Server: (2 x vCPU, 4 GB RAM, 70 GB HDD) Note: can scale up to (8 vCPU, 16 GB RAM, 70 GB HDD) for larger deployments. Once you get larger than this you need to look at load balancing multiple RD Web servers.
RD Licensing: (1 x vCPU, 4 GB RAM, 70 GB HDD) Assuming there are no additional compute requirements on the same host.
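To turn the rules of thumb above into numbers, here is an added Python sizing helper (not from the original post) that applies the CPU rule, the RAM rule and a spare host for hypervisor failure; its defaults of 3 users per vCPU (within the ‘no more than 4’ above, and matching roughly 24 users per host) and 4 GB per user are assumptions you should adjust for your own workload.

```python
"""Rule-of-thumb RD Session Host sizing, using the limits given above (added example)."""
import math


def size_session_hosts(users: int, users_per_vcpu: int = 3, max_vcpu_per_host: int = 8,
                       ram_gb_per_user: int = 4, max_ram_gb_per_host: int = 128,
                       spare_hosts: int = 1) -> dict:
    """Work out how many session hosts a user population needs.

    Hosts are capped by both the CPU rule (users_per_vcpu x max_vcpu_per_host)
    and the RAM rule (max_ram_gb_per_host / ram_gb_per_user); whichever allows
    fewer users per host wins, then spare_hosts are added so a hypervisor
    failure (with anti-affinity rules keeping hosts apart) does not take the
    farm down. The defaults are assumptions chosen within the page's ranges.
    """
    if users <= 0:
        raise ValueError("users must be positive")
    if not 2 <= ram_gb_per_user <= 8:
        raise ValueError("page guidance is 2-8 GB per user")
    if users_per_vcpu > 4 or max_vcpu_per_host > 8:
        raise ValueError("page guidance is at most 4 users per vCPU and 8 vCPU per host")
    cap_cpu = users_per_vcpu * max_vcpu_per_host          # users/host by the CPU rule
    cap_ram = max_ram_gb_per_host // ram_gb_per_user      # users/host by the RAM rule
    users_per_host = min(cap_cpu, cap_ram)
    active = math.ceil(users / users_per_host)
    users_each = math.ceil(users / active)                # spread users evenly
    return {
        "active_hosts": active,
        "total_hosts": active + spare_hosts,
        "users_per_host": users_each,
        "vcpu_per_host": math.ceil(users_each / users_per_vcpu),
        "ram_gb_per_host": users_each * ram_gb_per_user,
        "limiting_factor": "cpu" if cap_cpu <= cap_ram else "ram",
    }


if __name__ == "__main__":
    # Constructed scenarios: light office users, a mid-sized farm, and heavy users.
    for users, ram in ((20, 2), (100, 4), (100, 8)):
        print(users, "users at", ram, "GB each ->", size_session_hosts(users, ram_gb_per_user=ram))
```

Note how the 8 GB per user case flips the limiting factor from CPU to RAM: the 128 GB ceiling, not the vCPU count, decides the host count for heavy users.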
I welcome any feedback and recommendations below.