I don’t deploy large numbers of servers at once, so Windows Server sysprep is not as important to me as it is with the client operating systems I deploy. I do need to create virtual machine templates (mostly for testing), and some clients like to have server templates. I prefer to manually sysprep and shut down a server, then either convert or clone it to a template.
Thankfully sysprep is in the same place as it was with Server 2008 R2.
Solution
As before, you can either run sysprep from the command line by navigating to its location and running it with the correct switches, or simply browse to it with Windows Explorer and double click it.
Related Articles, References, Credits, or External Links
Exchange 2013 has changed the way Offline Address Books are handled. With previous versions only one server (the first server holding the mailbox role) was responsible for generating the OAB. With 2013, however, multiple servers generate the OAB: in fact every server that has a special arbitration mailbox, called an organization mailbox, will create a copy. This is better for fault tolerance and resilience, and you will find the OAB files located at %ExchangeInstallPath%ClientAccess\OAB. Another change is the way the OAB is distributed; now it can only be distributed via the web (no public folder distribution any more).
With the new Exchange Admin Center (https://localhost/ecp) there are no options to manage the OAB, so you will need to do that via PowerShell.
Solution
Pre-Requisites
If your AD environment contains more than one forest, you need to change the parameters that the management shell is going to use first, (or you will get no results). To do that execute the following command;
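An added example, not from the original post, of checking where Exchange 2013 generates and serves the OAB from the Management Shell; the cmdlets are standard Exchange ones, and the forest-wide scope line at the top is my assumption about the multi-forest pre-requisite, not the post's own command.

```powershell
# Added example, not from the original post: where the OAB is generated and served
# in Exchange 2013. Run in the Exchange Management Shell; cmdlet and property names
# are the standard Exchange ones, everything about your org is assumed.

# Multi-forest AD: widen the scope first or the queries below return nothing
# (assumed to be the setting the pre-requisite refers to).
Set-AdServerSettings -ViewEntireForest $true

# Every arbitration mailbox carrying the OABGen capability is an "organization
# mailbox" and builds its own copy of the OAB on the server hosting it.
$oabGenMailboxes = Get-Mailbox -Arbitration |
    Where-Object { $_.PersistedCapabilities -match 'OrganizationCapabilityOABGen' }
$oabGenMailboxes | Format-Table Name, ServerName, Database -AutoSize

# The OABs themselves, each with the organization mailbox that generates it.
Get-OfflineAddressBook | Format-Table Name, GeneratingMailbox, IsDefault -AutoSize

# Distribution is web-only now, so the OAB virtual directory URLs are what clients use.
Get-OabVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize

# On the server you are logged on to, the generated files live under
# %ExchangeInstallPath%ClientAccess\OAB, one GUID-named folder per OAB.
$oabPath = Join-Path $env:ExchangeInstallPath 'ClientAccess\OAB'
Get-ChildItem -Path $oabPath -Directory |
    Select-Object Name, LastWriteTime, @{n='Files'; e={ (Get-ChildItem $_.FullName -File).Count }}
```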
System logs on host {host-name} are stored on non-persistent storage.
Syslog Error Seen on ESXi 5.1
Error Configuration Issues System logs on host {host-name} are stored on non-persistent storage.
Syslog Error Seen on ESXi 5
Error Configuration Issues System logging is not configured on host {host-name}.
Syslog Error Seen on ESXi 4
Error Configuration Issues Issue detected on {host-name}: Warning: Syslog not configured. Please check Syslog options under Configuration.Software.Advanced Settings.
Solution
Seen on ESXi hosts that boot from an internal SD card (or USB drive). ESXi wants some persistent storage to keep its logs on.
To stop this error you need to give it a location for the logs. That location is set up as follows;
ESXi (Post Version 6) Setting a Syslog Location
First, create a folder on some shared storage to save your logs into. Below you can see my datastore name is [iSCSI-RAID5-SAS], and I’ve created a folder called ‘Logs’.
Select the host with the error > Configure > Advanced System Settings > Type ‘Global’ in the search criteria > Locate Syslog.Global.LogDir > Select it > Edit.
Once again, search for Global and change the location to [DATASTORE-NAME]Logs\HOST-NAME > OK.
The error should cease immediately, without the need to restart anything.
ESXi (Pre Version 6) Setting a Syslog Location
With an ESXi host selected, Configuration > Advanced Settings > Syslog > Syslog.global.logDir.
Here you have two options,
Option 1 Store the Syslogs on the SD Card
Note: If you have built the ESXi Server from a manufacturers ESXi DVD (the HP build for example) there may not be enough room on the SD card for the logs.
In the example below, I’ve got an ESXi host, that’s running ESXi from an SD card (4GB) and I’ve put the syslog on there by using the default entry of;
[box][]/scratch/log[/box]
Click OK > After a couple of seconds the alert will disappear (without the need to reboot).
Option 2 Store the Syslogs on Local or Shared Storage.
ESXi 5 Putting the syslog onto a DataStore
With an ESXi host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder LOGS > OK.
Note: In this example I’m storing the syslog on local storage (on the ESXi host). If you have shared storage, i.e. a SAN or NAS, I suggest you create a sub-folder for each ESXi host within the LOGS directory and set the path on each host accordingly. This will take effect without a reboot and the error should cease.
ESXi 4 Putting the syslog onto a DataStore
In this case I created a syslog area on one of the shared data stores.
With an ESX host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder syslog > OK.
Then select Advanced Settings > Syslog > Enter a value in the following format:
[datastore]/syslog/hostname.log
i.e. [Volume 3]/syslog/esx2.log
Click OK. You should not need to reboot; the error should cease straight away.
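An added example (not from the original post) that does the ESXi 5/6 procedure above for every host at once with PowerCLI, using the per-host sub-folder layout the note recommends for shared storage. It assumes PowerCLI, a vCenter name you supply, the datastore name from the article, and that the value format is the "[datastore] path" form ESXi expects.

```powershell
# Added example, not from the original post: point Syslog.global.logDir on every
# host at its own folder on a shared datastore. Assumes VMware PowerCLI and a
# vCenter; $VCenter is a placeholder, $Datastore is the one from the article.
param(
    [string]$VCenter   = 'vcenter.example.com',   # placeholder
    [string]$Datastore = 'iSCSI-RAID5-SAS',
    [string]$Folder    = 'Logs'
)
Connect-VIServer -Server $VCenter | Out-Null
$ds = Get-Datastore -Name $Datastore

# Map the datastore as a PowerShell drive so the per-host folders can be created.
New-PSDrive -Name ds -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null

foreach ($vmhost in Get-VMHost) {
    $hostName   = $vmhost.Name.Split('.')[0]
    $folderPath = "ds:\$Folder\$hostName"
    if (-not (Test-Path $folderPath)) {
        New-Item -ItemType Directory -Path $folderPath | Out-Null
    }

    # Same setting the GUI edits under Advanced System Settings > Syslog.global.logDir.
    # Value format assumed: "[datastore] /folder/host".
    $setting  = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDir'
    $newValue = "[$Datastore] /$Folder/$hostName"
    if ($setting.Value -ne $newValue) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $newValue -Confirm:$false | Out-Null
    }
}

# Report: a host still on /scratch/log or blank is one that will keep raising the alarm.
Get-VMHost | Get-AdvancedSetting -Name 'Syslog.global.logDir' |
    Select-Object @{n='Host'; e={ $_.Entity.Name }}, Value
Remove-PSDrive -Name ds
```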
Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls, set them up and walk away, so it’s easier (and a LOT quicker) to simply image the module to the latest version and then set it up.
This week I had an existing customer who has an ASA5508-X but wasn’t using his FirePOWER. I’d installed the controller licence when I set it up originally (as a safeguard in case the licence got lost, which nearly always happens!). The firewall was pretty much up to date but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it. This takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.
Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).
Solution
The first task is to find out what the latest version is; at time of writing that’s 6.2.2. Open the release notes for that version and locate the upgrade path, it looks like this;
Well that’s a lot of upgrades! You may notice that there are some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated. In the example above one of my steps is the 6.0.1 pre-installation package; this was nowhere to be found, so I actually used 6.0.1-29.
The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T Email me asking for updates you need a valid Cisco support agreement tied to your Cisco CCO login.)
Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.
Upload your update, (this can take a while).
When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).
Note: This is a reboot of the FirePOWER module, NOT the Firewall.
You can follow progress (to a point) from the task information popup. Once the SFR module goes down you won’t see anything apart from an error, unless your version is 6.1.0 or newer (which shows a nice progress bar). So;
Don’t panic: it looks like it’s crashed for hours – it’s fine.
There are other things you can look at if you’re nervous.
Monitoring FirePOWER upgrades
What I like to do is SSH into the firewall and issue the following command;
[box]debug module-boot[/box]
Then you can (after a long pause of nothing appearing to happen!) see what is going on.
You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.
If you are currently running 6.1.0 or above you get this which is a little better.
Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.
Back at the firewall, if you issue a ‘show module‘ command during the upgrade it looks like the module is broken! This will be the same for a few hours!
[box]
PETES-FW# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD2008761R
sfr FirePOWER Services Software Module ASA5508 JAD2008761R
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00c8.8ba0.9b71 to 00c8.8ba0.9b90 1.0 1.1.8 9.7(1)
sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Not Applicable 6.0.0-1005
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Unresponsive Not Applicable
MANY HOURS LATER
PETES-FW# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508 JAD2008761R
sfr FirePOWER Services Software Module ASA5508 JAD2008761R
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00c8.8ba0.9b71 to 00c8.8ba0.9b79 1.0 1.1.8 9.7(1)
sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70 N/A N/A 6.0.1-29
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.0.1-29
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines.
Note: ADMT 3.2 only supports the migration of operating systems up to Windows 7 (that doesn’t mean Windows 8 and Windows 10 won’t work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors, because of the way it treats ‘Apps’, so I’d recommend you do a LOT of testing before carrying out a live migration.
Solution
ADMT Computer Security Translation
Migrating computers is a two-step procedure: you do a security translation on a machine, then you migrate the machine. The security translation adds the security for the user(s) in newdomain.com to all the objects (files, folders, user profiles, registry hives, etc.) that their user account in olddomain.com had. Like the service account migration (above), the plan is to get everything ready to ‘work’ before the machine is migrated.
Real World Note: This can take a while, (up to an hour for some machines,) and it’s best done without anyone being logged in (to prevent any profiles, or registry hives being locked). So take time to plan when this is done – rush it and you will have problems, and the very users who are too busy to be interrupted, are the very ones that shout the loudest if there’s a problem post migration. I would (if possible) have a stock of prebuilt machines on the new domain in case there’s any migration dramas, at least then you can get people working quickly.
This should be getting familiar by now, accept the defaults.
Select your computer(s) > Select all the options > SELECT ADD > Finish.
Agent Note: You are about to deploy the ADMT agent, so make sure you have followed part one and part two. This process will be familiar if you carried out the service translation wizard earlier.
Run the pre check, and agent deploy.
What you will find after translation is all the profiles, and files etc will have the new domain users added alongside the old one with the same rights.
ADMT Computer Migration
Now finally to migrate the machines, ADMT > Computer Migration Wizard.
Select the computers.
Select the Target OU > Tick everything > Add > Select the amount of time to wait before rebooting the machine into the new domain.
Hang About Haven’t we done some of this? Yes, but because you have done the security translation already it can see the ACLs exist as it goes through and skips creating them.
As usual I’m not filtering any attributes > I’ll quit if there’s a conflict > Migration should then complete.
Can I migrate Servers With ADMT?
Yes, but you need to have a good think about doing so first. For simple file and print servers that should be OK (obviously back them up first etc.). DON’T try and do this with an Exchange server, or any other server that relies on Active Directory for its very existence! And wherever possible, if you can create clean new servers and migrate your data into them, do so!
What about Microsoft Exchange and User Mailboxes?
I mentioned Exchange briefly in the user migration. Exchange migrations between domains are possible; depending on your setup it may be easier to export all the mail from the old system and import it into the new one (use the search bar above, I’ve already written a load of stuff about doing this). In the not too distant future I’ll cover Exchange inter-organisation mail migrations.
Readers Note:
As with all the articles here, please provide feedback below, if one thing you have found can save another reader sweat and toil, then that’s the very reason for this site! If you have been with this since part one thanks for staying till the end (PL).
I wanted to give a copy of a VM to a colleague, so I removed all the snapshots, and cloned one of my test VM’s. When I went to power on the original this happened;
The virtual machine appears to be in use.
If this virtual machine is not in use press the “Take Ownership” button to obtain ownership of it. Otherwise press the “Cancel” button to avoid damaging it.
Configuration file: {path-to-vmx-file}
And when I attempted to ‘Take Ownership’ of the machine, that failed also;
Could not open virtual machine: {path-to-vmx-file}
Taking ownership of this virtual machine failed.
The virtual machine is in use by an application on your host computer.
Configuration file: {path-to-vmx-file}
Solution
I knew it was not in use, as there was only me using my laptop. So I figured VMware had some files ‘locked’. Navigate to the folder that holds the VM’s files, (Note: The path is on the error message above).
Locate any folders that have a .lck extension appended to their name (as above), and move them to another folder. Then attempt to power on your VM.
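An added example, not from the original post, that does the same lock-folder move from PowerShell but refuses to touch anything while a VMware VM process is still running, since a live lock means another instance genuinely has the VM open. It assumes VMware Workstation on Windows and the .vmx path from the error message.

```powershell
# Added example, not from the original post: move stale *.lck folders for one VM
# aside after checking no vmware-vmx process is running. $VmxPath is the
# "Configuration file:" path from the error; the backup folder name is my choice.
param(
    [Parameter(Mandatory)][string]$VmxPath
)
if (-not (Test-Path $VmxPath)) { throw "No .vmx file at $VmxPath" }
$vmDir = Split-Path -Parent $VmxPath

# Safety check: if any VM is actually running, a lock may be legitimate.
$running = Get-Process -Name 'vmware-vmx' -ErrorAction SilentlyContinue
if ($running) {
    throw "vmware-vmx is running (PIDs: $($running.Id -join ', ')); a VM may genuinely own these locks."
}

# The locks are folders named *.lck beside the .vmx and .vmdk files.
$locks = Get-ChildItem -Path $vmDir -Directory -Filter '*.lck'
if (-not $locks) { Write-Host "No .lck folders found in $vmDir"; return }

# Move rather than delete, so they can be put back if the VM still complains.
$backup = Join-Path $vmDir ('lck-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($lock in $locks) {
    Write-Host "Moving $($lock.Name) -> $backup"
    Move-Item -Path $lock.FullName -Destination $backup
}
Write-Host 'Done; try powering the VM on again.'
```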
For newer servers I don’t really use templates anymore, but if you are deploying a lot of 2003 Windows servers in vSphere, then they can save you some time. Back in the days of vCenter 2.5 you just uploaded those sysprep files to the relevant folder in,
[box]C:\Documents and Settings\All Users\Application Data\Vmware\Vmware Virtual Center\sysprep[/box]
But that location no longer exists (since Server 2008).
Trend Worry Free is a nice product, though to deploy the client software out to your machines you need them to be switched on, have the firewalls off, and have the remote registry service running. You can of course connect the clients to the web portal and install the client on a machine by machine basis (default https://servername:4343), but if you are rolling out a lot of machines this can get tedious.
So you can either script the install or use Group Policy.
Solution
1. Firstly you need to create the install file, on the server that Worry Free is installed navigate to;
2. We want a setup package, select your platform, I want it to install silently and NOT to do a prescan. Save the output file somewhere you can find it and click “Create”.
3. Note: If you have x64 clients that you are also going to deploy software to, you will need to repeat the process and create another package for x64 installations as well.
4. After a while it should say it was successful, close down the client packager.
5. Create a network share and allow the “Everyone Group” read access to it, then copy the setup file you created above into this share.
6. On a domain controller, Start > Administrative tools > Group Policy Editor > Either edit an existing policy or create a new one. (Remember it’s a computer policy you need to link it to something with computers in it, if you link it to a users OU nothing will happen).
7. Browse to the UNC path of the setup file DO NOT browse to the local drive letter!
8. Set as “Assigned” > OK.
9. Make Sure: That if you have x64 bit clients, you open the advanced properties of this package, and remove the option to deploy this software to x64 bit clients.
10. Repeat the process for the x64 bit client if you also have x64 bit machines.
11. Close the policy and group policy editor window.
12. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.
I was called to a 2003 Server yesterday, that was riddled with malware, whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.
That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?
Solution
WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!). In my case, once the machine is clean I’ll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I’m using the latest database.
1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).
2. Find out what version of Malwarebytes you are running (on the about tab).
3. Navigate to the following location, and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.
Can you make a tutorial for me for sharing a Home Folder or Profile Path folder for every user?
It’s hard to get one.
Thanks in advance.
Sincerely,
Matthew Wittenberg
Well, it’s taken me a while (sorry!), but here you go.
Solution
Creating and Allocating Home Folders to Users
1. Create a folder that is on a drive or volume with plenty of room.
2. I’ve simply used ‘Home’ as the folder name, open the folder’s properties.
3. Sharing Tab > Advanced Sharing.
4. Tick to share > put a dollar ‘$’ symbol onto the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.
5. Grant Everyone ‘Full Control’, Don’t worry we will lock it down with NTFS permissions (Remember permissions are cumulative, and most restrictive apply) > Apply > OK.
9. Select CREATOR OWNER > Edit > Permissions should apply to ‘Subfolders and files only’ > Full control.
10. Select SYSTEM > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.
11. Select DOMAINNAME\Administrators > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.
12. Remove the Users (the one with Read & Execute).
13. Remove the Users (the one with Special).
14. Add.
15. Everyone > Check Name (make sure it underlines Everyone) > OK.
16. Set Apply to = This folder only > Allow the following.
Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data
Allocate the Home Folder to the Domain Users
1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).
2. Open their properties.
3. Profile tab > You can connect a drive letter (I usually use H:) and connect that to the users home drive. Set the path like so;
[box]
\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Home$\%username%
[/box]
4. This is what the users will see.
5. On the server the folders are all created straight away.
Creating and Allocating Roaming Profile Folders to Users
The process for setting up the folder is identical to the one above for the home folders.
1. Create a folder that is on a drive or volume with plenty of room.
2. I’ve simply used ‘Profile’ as the folder name, open the folder’s properties > Sharing Tab > Advanced Sharing > Tick to share > put a dollar ‘$’ symbol onto the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.
3. Grant Everyone ‘Full Control’, Don’t worry we will lock it down with NTFS permissions (Remember permissions are cumulative, and most restrictive apply) > Apply > OK.
6. Remove the Users (the one with Read & Execute).
7. Remove the Users (the one with Special).
8. Add.
9. Everyone > check Name (make sure it underlines Everyone) > OK.
10. Set Apply to = This folder only > Allow the following.
Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data
Allocate the Roaming Profile Folder to the Domain Users
1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).
2. Open their properties > Profile Tab > Tick ‘Profile path’ > Set the path as follows;
[box]
\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Profiles$\%username%
[/box]
3. Unlike home folders, profile folders are only created when the users log onto the network, here you can see this profile has a V2 on the end of it (a version 2 profile means it has come from a Windows Vista or newer machine). For this reason if your users use Windows XP (or older) clients, AND Windows Vista (or newer) clients they will get TWO DIFFERENT profiles.
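An added example, not from the original post, that builds the share and the NTFS ACL listed in both procedures above (home folders and roaming profile folders) with PowerShell and then sets each user’s path. It assumes Server 2012 or later (SmbShare module), the RSAT ActiveDirectory module, and placeholder values for the local path, domain name and OU; switch to the profile variant with -RoamingProfile.

```powershell
# Added example, not from the original post: Home$/Profiles$ share, the NTFS ACL
# from the steps above, and the per-user AD attribute. Paths, domain and OU are
# placeholders; adjust them for your environment.
param(
    [string]$Root        = 'D:\Home',                      # placeholder local path
    [string]$ShareName   = 'Home$',                        # trailing $ hides the share
    [string]$Domain      = 'DOMAINNAME',                   # placeholder NetBIOS domain
    [string]$SearchBase  = 'OU=Staff,DC=example,DC=com',   # placeholder OU
    [string]$DriveLetter = 'H:',
    [switch]$RoamingProfile    # e.g. -Root D:\Profile -ShareName 'Profiles$' -RoamingProfile
)
Import-Module ActiveDirectory
Import-Module SmbShare

New-Item -ItemType Directory -Path $Root -Force | Out-Null
# Share permission: Everyone Full Control; NTFS does the real locking down.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
}

# Helper: an access rule with the GUI's "Apply to" choice expressed as flags.
function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}
$acl = Get-Acl -Path $Root
# Stop inheriting from the volume root (this drops the inherited Users entries).
$acl.SetAccessRuleProtection($true, $false)
# CREATOR OWNER: Full control, "Subfolders and files only".
$acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# SYSTEM and Administrators: Full control, "This folder, subfolders and files".
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Rule "$Domain\Administrators" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Everyone: just enough to reach the share and create their own folder, "This folder only".
$acl.AddAccessRule((New-Rule 'Everyone' 'Traverse,ListDirectory,ReadAttributes,CreateDirectories' 'None' 'None'))
Set-Acl -Path $Root -AclObject $acl

# ADUC expands %username% when it saves; Set-ADUser writes the string literally,
# so build the path per user. Profile folders are created at first logon, but
# home folders must be created here (ADUC would have created them for you).
$server = $env:COMPUTERNAME
Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    $sam  = $_.SamAccountName
    $path = "\\$server\$ShareName\$sam"
    if ($RoamingProfile) {
        Set-ADUser -Identity $_ -ProfilePath $path
        return
    }
    Set-ADUser -Identity $_ -HomeDrive $DriveLetter -HomeDirectory $path
    $dir = New-Item -ItemType Directory -Path (Join-Path $Root $sam) -Force
    # This script, not the user, created the folder, so CREATOR OWNER would grant
    # the admin; give the user an explicit Full Control entry instead.
    $userAcl = Get-Acl -Path $dir.FullName
    $userAcl.AddAccessRule((New-Rule "$Domain\$sam" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
    Set-Acl -Path $dir.FullName -AclObject $userAcl
}
```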