VMware Converter ‘Unable to Connect to the Network Share’

KB ID 0001583

Problem

I don’t think I’ve ever run the VMware Standalone Converter without at least one error message or popup complaining about something! Today I was trying to convert a client’s old Windows Server 2003 document management server; when trying to deploy the agent, this happened;

Unable to connect to the network share ‘{Server-name-or-IP}\ADMIN$’.

Solution

It’s a pretty descriptive error, can you map a drive to this machine and open a network share manually? Is the ‘server service’ running? In my case the problem was easily diagnosed;

As I wasn’t about to start enabling SMBv1 on the client’s Windows 2019 server! So I simply installed the VMware Standalone Converter on one of their existing 2008 member servers instead, and ran it from there.

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

VMware Converter – Unable to Deploy Agent

Microsoft LAPS – Deployment and Configuration

KB ID 0001059 

Problem

Microsoft have released the Local Administrator Password Solution (LAPS). What it does is automatically change the local administrator password on workstations (and servers if required) periodically. It then keeps those passwords securely in AD. Microsoft tried to mitigate attacks from the local admin account back in the days of Windows Vista by shipping with this account disabled, which is fine, but on most large deployments I’ve worked on, I’ve been specifically asked to enable the local administrator account and set its password on deployment.

Some organisations create a different account and leave the local administrator account disabled, but they still suffer from the same problem (all the machines have the same local admin password), and it gets known; if you have a disgruntled ex-employee, they may know this password. Yes, you can change them all periodically, but it’s a bit of a faff. Note: LAPS can manage local accounts that are admin accounts but not necessarily the ‘administrator’ account.

The LAPS solution works by creating some new attributes on the computer object: ms-MCS-AdmPwd, which actually stores the password, and ms-MCS-AdmPwdExpirationTime, which is the time stamp for the password expiration. What LAPS sets out to do is provide a random complex password for the local administrator account, and protect that password in AD by use of an AD ACL. In doing so it will protect your machines from a ‘Pass the Hash’ attack, which can use common local administrator passwords to compromise a network.

Solution

 

Microsoft LAPS – Step 1 Setup a Management Machine

1. On a management machine download and install the LAPS software. Things will be easier if this machine is also running RSAT tools for Active Directory, and the Group Policy Management Console as well.

2. Be aware you get the documentation from the download page as well. Make sure you get the appropriate x86 or x64 version (LAPS supports Server 2003 SP1 and above).

3. Install the software and install ALL the options. (If you apply the defaults it will only install the GPO Extensions, which is what you would want on the ‘controlled machines’, but you want everything on the ‘controlling machine’.)

Microsoft LAPS – Step 2 Deploy the software to the machines to be controlled.

1. To be honest this could not be simpler, I just sent the software out as a standard software package via GPO, (watch the video above if you don’t know how to do that). You can script the install and it will also manually install with a /quiet switch to avoid any user interaction. But if you have any amount of machines, GPO is the way to go.

To manually install quietly;

[box]

msiexec /i \\Server\Share\laps.x64.msi /quiet

or simply

msiexec /i c:\laps.x64.msi /quiet

[/box]

2. To check if the client has received the LAPS software, look in Add/Remove programs and you should see it listed (Run > appwiz.cpl {Enter}).

Microsoft LAPS – Step 3 Extend Active Directory Schema

1. It goes without saying that to do this you need to be a member of ‘Schema Admins’. On the management machine run the following two PowerShell commands, to add the two new attributes mentioned above;

[box]

Import-Module AdmPwd.PS
Update-AdmPwdADSchema 

[/box]

Microsoft LAPS – Step 4 Check/Set Permissions to Read Local Admin Passwords

1. On my test network below you can see I’ve got a couple of test Windows 8 machines in an OU called ‘Domain Computers’, this is the OU that I will be working with.

2. The first thing I need to do is grant the rights to the computers themselves to be able to update the password in Active Directory. (If you have nested OUs, simply apply on the top level OU). Change the OU name (‘Domain Computers’ here) to suit your own OU/OUs.

[box]Set-AdmPwdComputerSelfPermission -OrgUnit 'Domain Computers'[/box]

3. To see who has rights to view the passwords in AD (for a given OU), use the following command. Below you can see the default of SYSTEM and Domain Admins is displayed.

[box]Find-AdmPwdExtendedRights -Identity 'Domain Computers'[/box]

4. To grant read password permissions to a particular group, use the following syntax. Below I have an AD group called HelpDesk set up, and I’m adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.

[box]Set-AdmPwdReadPasswordPermission -OrgUnit 'Domain Computers' -AllowedPrincipals PeteNetLive\HelpDesk[/box]

Note: If you have multiple groups you can separate/delimit them with a comma.
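One way to turn the check in step 3 into a repeatable audit, as an added example that is not part of the original article: it compares the principals reported by Find-AdmPwdExtendedRights against an approved list and reports anything extra. The function name Test-LapsReaderAcl, the EXAMPLE domain and the approved list are assumptions; ObjectDN and ExtendedRightHolders are the property names that cmdlet's output displays.

```powershell
# Added example. Test-LapsReaderAcl is a hypothetical helper, not part of AdmPwd.PS.
function Test-LapsReaderAcl {
    param(
        # One object as returned by Find-AdmPwdExtendedRights
        [Parameter(Mandatory, ValueFromPipeline)] $RightsInfo,
        # Principals that are expected to be able to read the stored password
        [Parameter(Mandatory)] [string[]] $Approved
    )
    process {
        foreach ($holder in $RightsInfo.ExtendedRightHolders) {
            # -notcontains compares case-insensitively, which suits DOMAIN\Name strings
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    OrgUnit   = $RightsInfo.ObjectDN
                    Principal = $holder
                    Finding   = 'Holds extended rights on the OU but is not on the approved list'
                }
            }
        }
    }
}

# Constructed approved list: the two defaults plus the HelpDesk group granted in step 4.
$approved = 'NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', 'EXAMPLE\HelpDesk'

# Constructed sample shaped like the cmdlet's output, so the logic runs without a domain.
$sample = [pscustomobject]@{
    ObjectDN             = 'OU=Domain Computers,DC=example,DC=local'
    ExtendedRightHolders = @(
        'NT AUTHORITY\SYSTEM'
        'EXAMPLE\Domain Admins'
        'EXAMPLE\HelpDesk'
        'EXAMPLE\Desktop Installers'   # constructed: a leftover delegation
    )
}
$sample | Test-LapsReaderAcl -Approved $approved

# On the management machine, audit the real OU instead of the sample:
# Import-Module AdmPwd.PS
# Find-AdmPwdExtendedRights -Identity 'Domain Computers' |
#     Test-LapsReaderAcl -Approved $approved
```

Run it again after any change to delegation on the OU, since every principal it lists can read the local administrator passwords stored there.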

Microsoft LAPS – Step 5 – Deploy the GPO Extensions to ‘Controlled’ Machines.

1. On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.

2. Edit the GPO.

3. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > LAPS[/box]

4. The policy that turns LAPS on is the last one ‘Enable local admin password management’ > Enable it.

5. The actual complexity and age of the password is set in the ‘Password Settings’ policy, > Enable it and accept the defaults.

Note: the other two policies are;

Name of the administrator account to manage: Use if you have manually created another common admin account on all your machines, NOT if you have renamed the local administrator account.

Do not allow password expiration time longer than required by policy: Set to Enabled.

Microsoft LAPS – Step 6 – View the Local Admin Passwords for Controlled Machines.

1. You can do this from PowerShell with the following command;

[box]Get-AdmPwdPassword -ComputerName hostname[/box]

2. Or if you have installed the Fat client, you can launch that from; [box]C:\Program Files\LAPS\AdmPwdUI.exe[/box]

3. Or as it’s an AD object attribute, you can view it on the computer’s AD object.
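To confirm that the controlled machines are actually storing passwords, the expiry attribute can be checked across the whole OU without reading any password. This is an added example, not from the original article; Get-LapsCoverage, the machine names and the example.local DN are assumptions, and the live query needs the RSAT ActiveDirectory module.

```powershell
# Added example. Get-LapsCoverage is a hypothetical helper; it reads only the
# expiry timestamp (ms-MCS-AdmPwdExpirationTime), never ms-MCS-AdmPwd itself.
function Get-LapsCoverage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $raw = $Computer.'ms-MCS-AdmPwdExpirationTime'
        if (-not $raw) {
            # Attribute empty: the machine has never written a LAPS password
            $state   = 'NoPassword'
            $expires = $null
        }
        else {
            # The attribute is a Windows FILETIME (100 ns ticks since 1601, UTC)
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $Now) { 'Overdue' } else { 'Managed' }
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            State      = $state
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample records, so the classification can be run without a domain.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WIN8-01'; 'ms-MCS-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WIN8-02'; 'ms-MCS-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WIN8-03'; 'ms-MCS-AdmPwdExpirationTime' = $null }
)
$sample | Get-LapsCoverage -Now $now | Where-Object State -ne 'Managed'

# Against the live OU (the DN is a placeholder):
# Import-Module ActiveDirectory
# Get-ADComputer -Filter * -SearchBase 'OU=Domain Computers,DC=example,DC=local' `
#     -Properties 'ms-MCS-AdmPwdExpirationTime' |
#     Get-LapsCoverage | Where-Object State -ne 'Managed'
```

A machine reported as NoPassword has usually not received the software from step 2 or the GPO from step 5; one reported as Overdue has stopped rotating its password.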


Setup and Configure HP Wireless E-MSM720 Wireless Controller with HP E-MSM430 Access Points

KB ID 0000692 

Problem

We got some ‘demo stock’ in the office this week. I don’t do a lot of wireless, so I thought I would get it set up and have a look to see how easy/difficult it was.

Hardware used

HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)

The switch and controller are ‘tiny’, so if you want to put them in a cabinet you will need some ‘big brackets’ (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the Access Point didn’t come with a network cable (seriously, these things are pennies – and if a client buys hundreds of these things, someone will forget they also need an equal amount of network cables). In addition they are PoE, so you don’t get a power cable (or power injector) – so you can’t even power them on without the network cable. That said, all the gear is typical good quality HP stuff. The documentation consists of a “quick setup sheet” for each piece of hardware and all the manuals are online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors: too long, too complicated and too difficult to find what I’m looking for – I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same amount of pictures!)

Also See: Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Solution

Initial Setup E-MSM720 Wireless Controller

1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).

2. The controller sets itself up on 192.168.1.1, so put yourself on the same network range (see below).

3. Connect to https://192.168.1.1.

4. The MSM720 Default username and password are both admin.

5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.

6. Configure Initial Controller Settings > Start.

7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.

8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.

These are allocated as follows, (out of the box!)

And are controlled by these two settings,

9. Set the time and timezone > Next > Apply.

Configure a Corporate WLAN with the E-MSM720 Wireless Controller

10. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.

11. Create an SSID > Next > Set the WPA Key > Next.

12. Choose what access points to apply these settings to > Next > Apply.

Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.

Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller

I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.

1. Automated Workflows > Create a wireless network for guests > Start.

2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.

3. Select APs to apply to > Next > Apply.

Setup the HP E-MSM 430 Wireless N Dual Radio Access Point

Well you have already done all the work! Simply connect the AP to a POE capable network outlet.

By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller’s web interface when it’s pulled its configuration down.

Updating Firmware MSM720 and MSM430

Very slick! Update the firmware package on the controller, and it will update all the access points for you.

Final thoughts

This is good quality gear, it has built in support for IPSEC, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate, (ask someone who has never used it before to delete a wireless network! – over 90 minutes it took me to locate the VSC bindings section to remove that!) I’ve already mentioned the documentation, I appreciate that it needs to be comprehensive but come on!

Related Articles, References, Credits, or External Links

HP E Series Wireless – Cannot Access Local LAN

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

 

Install and Configure an HP UPS Network Module

KB ID 0000813

Problem

I installed one of these a couple of weeks ago, and there’s some good documentation with the module itself, so installing it into the UPS and giving it an IP address was easy; getting the right client software to talk to it was a pain.

Solution

Configure the Network Module

1. Physically install the module in the UPS, it’s fixed with two screws and you can install it with the UPS powered on.

2. It takes a while for the card to boot. Pop in the console cable that came with it (into the Settings/AUX socket – see above), fire up PuTTY and connect via serial.

Note: Standard Serial Settings,

Bits per second—9600
Data bits—8
Parity—None
Stop bits—1
Flow control—None

3. The default password is ‘admin’

4. Use the menus presented to change the IP details. You MUST restart the module when you are finished or the IP address WON’T change.

5. Once it’s rebooted (again this takes a while) you can log in with a web browser (username admin, password admin).

Configure the Client Machines.

1. Download HP Power Protector, (Note: there is no client and administrator software any more, this software will do BOTH. The network module has the administration software built in).

2. Install the software on your machine, and login (again username admin password admin).

3. Select client > Save.

4. Select the Device Discovery tab. The software usually detects the network module on its own quite quickly; if it does not, you can use the options on the right to do a scan.

Ports Required for HP UPS Network Module

If you are connecting through a firewall (or your machine has a software firewall), make sure the following six ports are open.

TCP 5000
TCP 5001
TCP and UDP 4680
TCP and UDP 4679

5. When it’s fully detected, select the network module and select ‘Configure power source’, supply the login credentials for the network module, and the load segment the machine is plugged into (see below) > Save.

6. Back in the web console of the network module > Open ‘Notified Applications’ and in about 5-10 minutes your server should appear.
