Windows Server – Sysprep

KB ID 0000729 

Problem

I don’t deploy large numbers of servers at once, so Windows Server sysprep is not as important to me as it is with the client operating systems I deploy. But I do need to create virtual machine templates (mostly for testing), and some clients like to have server templates. I prefer to manually sysprep and shut down a server, then either convert or clone it to a template.

Thankfully sysprep is in the same place as it was with Server 2008 R2.

Solution

As before, you can either run sysprep from the command line by navigating to its location and running it with the correct switches, or simply browse to it with Windows Explorer and double click it.

Related Articles, References, Credits, or External Links

Server 2008 R2 Where is Sysprep

Exchange 2013 – Working with and Managing the OAB

KB ID 0000745 

Problem

Exchange 2013 has changed the way Offline Address Books are handled. With previous versions only one server (the first server holding the mailbox role) was responsible for generating the OAB. With 2013, however, multiple servers generate the OAB; in fact every server that has a special arbitration mailbox called an organization mailbox will create a copy. This is better for fault tolerance and resilience, and you will find the OAB files located at %ExchangeInstallPath%ClientAccess\OAB. Another change is the way the OAB is distributed: now it can only be distributed via the web (no public folder distribution any more).

With the new Exchange Admin Center (https://localhost/ecp) there are no options to manage the OAB, so you will need to do that via PowerShell.

Solution

Pre-Requisites

If your AD environment contains more than one forest, you need to change the parameters that the management shell is going to use first (or you will get no results). To do that, execute the following command;

[box] Set-ADServerSettings -ViewEntireForest $true [/box]

Locate the OAB Generation Server(s)

[box]

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*oab*"} | ft name,servername

OR, if your server is a member of a DAG, first get the database name,

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*oab*"} | ft name,database

Then use that like so,

Get-MailboxDatabaseCopyStatus database-name

[/box]

Create a new OAB for Exchange 2013

[box] New-OfflineAddressBook -Name "PNL OAB" -AddressLists "Default Global Address List" -VirtualDirectories "EX1\OAB (Default Web Site)" [/box]

Force Exchange 2013 to Update the OAB

Simply restarting the Microsoft Exchange Mailbox Assistants service should do this; however, you can force the issue with the following command.

[box] Update-OfflineAddressBook "default offline address book" [/box]
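The following is an added example, not code from the original article. Run it in the Exchange 2013 Management Shell: it resolves where each OAB is really being generated (on a DAG that is wherever the organization mailbox's database is currently mounted, which the page's two manual commands work out by hand) and then forces a regeneration. The OAB name 'PNL OAB' is taken from the article; the function names are my own.

```powershell
# Added example, not code from the original article. Run in the Exchange 2013
# Management Shell. Locates the server(s) generating the OAB, DAG-aware, and
# forces a regeneration of the OAB created above ('PNL OAB' is the article's name).

function Get-OabGenerationServer {
    # Without this, in a multi-domain forest the arbitration mailboxes may not be returned.
    Set-ADServerSettings -ViewEntireForest $true

    # Organization mailboxes are the arbitration mailboxes carrying the OAB generation capability.
    Get-Mailbox -Arbitration |
        Where-Object { $_.PersistedCapabilities -like '*oab*' } |
        ForEach-Object {
            $mbx = $_
            # ServerName only says where the mailbox was created. On a DAG the database can be
            # active on any member, so look for the copy that is currently mounted instead.
            $mounted = Get-MailboxDatabaseCopyStatus -Identity $mbx.Database |
                Where-Object { $_.Status -eq 'Mounted' } |
                Select-Object -First 1
            $server = if ($mounted) { $mounted.MailboxServer } else { $mbx.ServerName }
            [pscustomobject]@{
                OrganizationMailbox = $mbx.Name
                Database            = $mbx.Database.Name
                GeneratingServer    = $server
                # Where the generated files live on that server (path from the article).
                OabPath             = '%ExchangeInstallPath%ClientAccess\OAB'
            }
        }
}

function Update-OabNow {
    param(
        [string]$Name = 'PNL OAB',
        # Also restart the Mailbox Assistants service on each generating server,
        # the other trigger the article mentions.
        [switch]$RestartAssistants
    )
    Update-OfflineAddressBook -Identity $Name
    if ($RestartAssistants) {
        Get-OabGenerationServer |
            Select-Object -ExpandProperty GeneratingServer -Unique |
            ForEach-Object {
                Get-Service -Name 'MSExchangeMailboxAssistants' -ComputerName $_ | Restart-Service
            }
    }
}

# Usage:
#   Get-OabGenerationServer | Format-Table -AutoSize
#   Update-OabNow -Name 'PNL OAB' -RestartAssistants
```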

Related Articles, References, Credits, or External Links

NA

VMware ESXi Syslog Errors – ‘System logs on host {host-name} are stored on non-persistent storage.’

KB ID 0000456 

Problem

Syslog Error Seen on ESXi 6.0 and 6.5

System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5.1

Error Configuration Issues System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5

Error Configuration Issues System logging is not configured on host {host-name}.

Syslog Error Seen on ESXi 4

Error Configuration Issues Issue detected on {host-name}: Warning: Syslog not configured. Please check Syslog options under Configuration.Software.Advanced Settings.

Solution

Seen on ESXi hosts that boot from an internal SD card (or USB drive). ESXi likes to have some persistent storage to keep its logs on.

To stop this error you need to give it a location for the logs. That location is set up as follows;

ESXi (Post Version 6) Setting a Syslog Location

First, create a folder on some shared storage to save your logs into. Below you can see my datastore name is [iSCSI-RAID5-SAS], and I’ve created a folder called ‘Logs’.

Select the host with the error > Configure > Advanced System Settings > Type ‘Global’ in the search criteria > Locate Syslog.Global.LogDir > Select it > Edit.

Once again, search for Global and change the location to [DATASTORE-NAME]Logs\HOST-NAME > OK.

The error should cease immediately, without the need to restart anything.

ESXi (Pre Version 6) Setting a Syslog Location

With an ESXi host selected, Configuration > Advanced Settings > Syslog > Syslog.global.logDir.

Here you have two options,

Option 1 Store the Syslogs on the SD Card

Note: If you have built the ESXi Server from a manufacturers ESXi DVD (the HP build for example) there may not be enough room on the SD card for the logs.

In the example below, I’ve got an ESXi host, that’s running ESXi from an SD card (4GB) and I’ve put the syslog on there by using the default entry of;

[box][]/scratch/log[/box]

Click OK > After a couple of seconds the alert will disappear (without the need to reboot).

Option 2 Store the Syslogs on Local or Shared Storage.

ESXi 5 Putting the syslog onto a DataStore

With an ESXi host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder LOGS > OK.

Note: In this example I’m storing the syslog on local storage (on the ESXi host). If you have shared storage, i.e. a SAN or NAS, I suggest you create a sub-folder for each ESXi host within the LOGS directory and set the path on each host accordingly. This will take effect without a reboot and the error should cease.

ESXi 4 Putting the syslog onto a DataStore

In this case I created a syslog area on one of the shared data stores.

With an ESX host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder syslog > OK.

Then select Advanced Settings > Syslog > Enter a value in the following format:

[datastore]/syslog/hostname.log

i.e. [Volume 3]/syslog/esx2.log

Click OK; you should not need to reboot, the error should cease straight away.
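The following is an added example, not code from the original article. It uses VMware PowerCLI (after Connect-VIServer) to do what the two procedures above do by hand for every host in a cluster: point Syslog.global.logDir at a per-host sub-folder on shared storage, then read the setting back so you can see which hosts still log to the default non-persistent location. Assumptions: the datastore name [iSCSI-RAID5-SAS] from the article, a Logs folder that already exists on it, the '[datastore] /path' value format, and function names of my own.

```powershell
# Added example, not code from the original article. Requires PowerCLI and an
# existing Connect-VIServer session. Datastore name and Logs folder follow the article.

function Set-ClusterSyslogDir {
    param(
        [Parameter(Mandatory)] [string]$Cluster,
        [string]$Datastore = 'iSCSI-RAID5-SAS',   # assumption: datastore from the article
        [string]$Folder    = 'Logs'               # assumption: folder already created on it
    )
    foreach ($vmhost in Get-Cluster -Name $Cluster | Get-VMHost) {
        # One sub-folder per host, otherwise every host writes into the same log files.
        $logDir = "[$Datastore] /$Folder/$($vmhost.Name)"
        Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDir' |
            Set-AdvancedSetting -Value $logDir -Confirm:$false | Out-Null
    }
}

function Get-ClusterSyslogDir {
    param([Parameter(Mandatory)] [string]$Cluster)
    foreach ($vmhost in Get-Cluster -Name $Cluster | Get-VMHost) {
        $value = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDir').Value
        [pscustomobject]@{
            Host        = $vmhost.Name
            LogDir      = $value
            # The default '[] /scratch/log' is what ends up on the SD card / ramdisk;
            # a value that names a datastore is treated here as persistent.
            OnDatastore = ($value -match '^\[[^\]]+\]')
        }
    }
}

# Usage:
#   Set-ClusterSyslogDir -Cluster 'Production'
#   Get-ClusterSyslogDir -Cluster 'Production' | Format-Table -AutoSize
```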

Related Articles, References, Credits, or External Links

Original Article Written 22/11/12

Updating FirePOWER Module (From ASDM)

KB ID 0001348 

Problem

Normally I don’t like upgrading the SFR this way, but then I tend to install new firewalls, set them up and walk away, so it’s easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer who has an ASA5508-X but wasn’t using his FirePOWER. I’d installed the controller licence when I set it up originally (as a safeguard in case the licence got lost, which nearly always happens!). The firewall was pretty much up to date but the SFR was running 5.4.0 (at the time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it. This takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).

Solution

The first task is to find out what the latest version is; at the time of writing that’s 6.2.2. Open the release notes for that version and locate the upgrade path, it looks like this;

Well, that’s a lot of upgrades! You may notice that there are some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated; in the example above one of my steps is the 6.0.1 pre-installation package, which was nowhere to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, e.g. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T email me asking for updates; you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

Upload your update, (this can take a while).

When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

You can follow progress (to a point) from the task information popup (once the SFR module goes down you won’t see anything apart from an error, unless your version is 6.1.0 or newer, which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

[box]debug module-boot[/box]

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

If you are currently running 6.1.0 or above you get this which is a little better.

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

Back at the firewall, if you issue a ‘show module’ command during the upgrade it looks like the module is broken! This will be the same for a few hours!

[box]

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Related Articles, References, Credits, or External Links

NA

ADMT (Active Directory Migration Tool) Domain Migration – Part 4

KB ID 0001308 

Problem

On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines.

Note: ADMT 3.2 only supports the migration of operating systems up to Windows 7 (that doesn’t mean Windows 8 and Windows 10 won’t work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors because of the way it treats ‘Apps’, so I’d recommend you do a LOT of testing before carrying out a live migration.

Solution

ADMT Computer Security Translation

Migrating computers is a two-step procedure: you do a security translation on a machine, then you migrate the machine. The security translation adds the security for the user(s) in newdomain.com to all the objects (files, folders, user profiles, registry hives, etc.) that their user account in olddomain.com had. Like the service account migration (above), the plan is to get everything ready to ‘work’ before the machine is migrated.

Real World Note: This can take a while (up to an hour for some machines), and it’s best done without anyone being logged in (to prevent any profiles or registry hives being locked). So take time to plan when this is done; rush it and you will have problems, and the very users who are too busy to be interrupted are the very ones that shout the loudest if there’s a problem post migration. I would (if possible) have a stock of prebuilt machines on the new domain in case there are any migration dramas; at least then you can get people working quickly.

This should be getting familiar by now, accept the defaults.

Select your computer(s) > Select all the options > SELECT ADD > Finish.

Agent Note: You are about to deploy the ADMT agent, make sure you have followed part one and part two. This process will be familiar if you carried out the service translation wizard earlier.

Run the pre check, and agent deploy.

What you will find after translation is all the profiles, and files etc will have the new domain users added alongside the old one with the same rights.

ADMT Computer Migration

Now finally to migrate the machines, ADMT > Computer Migration Wizard.

Select the computers.

Select the Target OU > Tick everything > Add > Select the amount of time to wait before rebooting the machine into the new domain.

Hang about, haven’t we done some of this? Yes, but because you have done the security translation already it can see the ACLs exist as it goes through and skips creating them.

As usual I’m not filtering any attributes > I’ll quit if there’s a conflict > Migration should then complete.

Can I migrate Servers With ADMT?

Yes, but you need to have a good think about doing so first. For simple file and print servers that should be OK (obviously back them up first etc.). DON’T try and do this with an Exchange server, or any other server that relies on Active Directory for its very existence! And wherever possible, if you can create clean new servers and migrate your data into them, do so!

What about Microsoft Exchange and User Mailboxes?

I mentioned Exchange briefly on the user migration. Exchange migrations between domains are possible; depending on your setup it may be easier to export all the mail from the old system and import it into the new one (use the search bar above, I’ve already written a load of stuff about doing this). In the not too distant future I’ll cover Exchange Inter Organisation Mail migrations.

Readers Note:

As with all the articles here, please provide feedback below; if one thing you have found can save another reader sweat and toil, then that’s the very reason for this site! If you have been with this since part one, thanks for staying till the end (PL).

Related Articles, References, Credits, or External Links

NA

VMware – This Virtual Machine Appears To Be In Use

KB ID 0000959 

Problem

I wanted to give a copy of a VM to a colleague, so I removed all the snapshots and cloned one of my test VMs. When I went to power on the original this happened;

The virtual machine appears to be in use.

If this virtual machine is not in use press the “Take Ownership” button to obtain ownership of it. Otherwise press the “Cancel” button to avoid damaging it.

Configuration file: {path-to-vmx-file}

And when I attempted to ‘Take Ownership’ of the machine, that failed also;

Could not open virtual machine: {path-to-vmx-file}
Taking ownership of this virtual machine failed.
The virtual machine is in use by an application on your host computer.
Configuration file: {path-to-vmx-file}

Solution

I knew it was not in use, as there was only me using my laptop, so I figured VMware had some files ‘locked’. Navigate to the folder that holds the VM’s files (note: the path is in the error message above).

Locate any folders that have a .lck extension appended to their name (as above), and move them to another folder. Then attempt to power on your VM.
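The following is an added example, not code from the original article. It does the same thing as the step above (moves the .lck folders next to the .vmx out of the way) but first checks that no vmware-vmx process is running, since in that case the lock is genuine and moving it risks two processes writing the same virtual disks. Assumes VMware Workstation on Windows; the .vmx path, holding folder and function name are my own.

```powershell
# Added example, not code from the original article. Moves stale .lck lock folders
# aside, refusing to do so while any vmware-vmx process (a running VM) exists.

function Move-StaleVmLocks {
    param(
        [Parameter(Mandatory)] [string]$VmxPath,
        [string]$HoldingFolder = (Join-Path $env:TEMP 'vmware-locks')   # assumption: holding location
    )
    if (-not (Test-Path -LiteralPath $VmxPath)) { throw "No such .vmx file: $VmxPath" }

    # Lock folders exist to stop two processes opening the same disks. Only move them
    # when nothing that could legitimately own them is running on this host.
    if (Get-Process -Name 'vmware-vmx' -ErrorAction SilentlyContinue) {
        throw 'vmware-vmx is still running; a VM on this machine really is in use. Power it off before moving any locks.'
    }

    $vmDir = Split-Path -Parent $VmxPath
    $locks = Get-ChildItem -LiteralPath $vmDir -Directory -Filter '*.lck'
    if (-not $locks) { Write-Host "No .lck folders found in $vmDir"; return }

    # Move rather than delete: the locks can be put back if the VM turns out to be in use.
    $dest = Join-Path $HoldingFolder (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    foreach ($lock in $locks) {
        Move-Item -LiteralPath $lock.FullName -Destination $dest
        Write-Host "Moved $($lock.Name) to $dest"
    }
    # Return what was moved so the caller can check before powering the VM on.
    Get-ChildItem -LiteralPath $dest -Directory | Select-Object -ExpandProperty Name
}

# Usage: Move-StaleVmLocks -VmxPath 'D:\VMs\TestVM\TestVM.vmx'
```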

Related Articles, References, Credits, or External Links

NA

VMware VIM (vCenter) Where to put the sysprep files in Server 2008?

KB ID 0000420 

Problem

For newer servers I don’t really use templates anymore, but if you are deploying a lot of Windows 2003 servers in vSphere then they can save you some time. Back in the days of vCenter 2.5 you just uploaded those sysprep files to the relevant folder in,

[box]C:\Documents and Settings\All Users\Application Data\Vmware\Vmware Virtual Center\sysprep[/box]

But that location no longer exists (since Server 2008).

Solution

The location for sysprep files is now,

[box]C:\ProgramData\VMware\VMware VirtualCenter\sysprep[/box]

Related Articles, References, Credits, or External Links

Download all the sys prep versions

Deploy the Trend Worry Free Business Client via Group Policy

KB ID 0000491

Problem

Trend Worry Free is a nice product, though to deploy the client software out to your machines you need them to be switched on, have their firewalls off, and the Remote Registry service running. You can of course connect the clients to the web portal and install the client on a machine-by-machine basis (default https://servername:4343), but if you are rolling out a lot of machines this can get tedious.

So you can either script the install or use Group Policies.

Solution

1. Firstly you need to create the install file. On the server that Worry Free is installed on, navigate to;

[box]

Worry Free Version 7

C:\Program Files (x86)\Trend Micro\Security Server\Admin Utility Client Packager

Worry Free Version 8

C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Admin Utility ClientPackager\

[/box]

Locate the ClnPack.exe file and run it.

2. We want a setup package; select your platform. I want it to install silently and NOT to do a prescan. Save the output file somewhere you can find it and click “Create”.

3. Note: If you have 64-bit clients that you are also going to deploy software to, you will need to repeat the process and create another package for 64-bit installations as well.

How to Tell if Windows is 32 or 64 bit

You can use a WMI filter to make sure the right policies apply to the right clients;

Using 32 and 64 Bit WMI Filters For Group Policy

4. After a while it should say it was successful, close down the client packager.

5. Create a network share and allow the “Everyone Group” read access to it, then copy the setup file you created above into this share.

6. On a domain controller, Start > Administrative Tools > Group Policy Editor > either edit an existing policy or create a new one. (Remember it’s a computer policy; you need to link it to something with computers in it, if you link it to a users OU nothing will happen).

Navigate to:

[box] Computer Configuration > Policies > Software installation [/box]

And create a new package.

7. Browse to the UNC path of the setup file. DO NOT browse to the local drive letter!

8. Set as “Assigned” > OK.

9. Make sure that if you have 64-bit clients, you open the advanced properties of this package and remove the option to deploy this software to 64-bit clients.

10. Repeat the process for the 64-bit client package if you also have 64-bit machines.

11. Close the policy and the Group Policy Editor window.

12. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

Related Articles, References, Credits, or External Links

Original article written 11/08/11

Malwarebytes – Manually Update Database/Definitions

KB ID 0000629

Problem

I was called to a 2003 Server yesterday that was riddled with malware. Whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.

That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?

Solution

WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!). In my case, once the machine is clean I’ll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I’m using the latest database.

1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).

2. Find out what version of Malwarebytes you are running (on the about tab).

3. Navigate to the following location and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.

Windows 7 / Vista / 2008 / 2008 R2

[box]C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware[/box]

Windows XP / 2000 / 2003 / 2003 R2

[box]C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware[/box]

4. If your version is 1.60 or newer you also need to take a copy of the database.conf file, which is in the Configuration sub-folder of the same location.

5. Copy the file(s) to the corresponding folder(s) on the affected machine, and paste them over the copies that exist there.

6. Then launch Malwarebytes on the affected machine, and scan with the updated database.

Related Articles, References, Credits, or External Links

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

Windows Server – Setup Home Folders and Profile Folders

KB ID 0000739 

Problem

A while back I got an email,

Message: Hallo Pete,

Can you make a tutorial for me for sharing a Home Folder or Profile Path folder for every user?
It’s hard to get one.

Thanks in advance.

Sincerely,
Matthew Wittenberg

Well, it’s taken me a while (sorry!) but here you go,

Solution

Creating and Allocating Home Folders to Users

1. Create a folder that is on a drive or volume with plenty of room.

2. I’ve simply used ‘Home’ as the folder name; open the folder’s properties.

3. Sharing Tab > Advanced Sharing.

4. Tick to share > put a dollar ‘$’ symbol on the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.

5. Grant Everyone ‘Full Control’. Don’t worry, we will lock it down with NTFS permissions (remember permissions are cumulative, and the most restrictive apply) > Apply > OK.

6. Security tab > Advanced.

7. Change Permissions.

8. Untick ‘Include inheritable permissions……’ > Add.

9. Select CREATOR OWNER > Edit > Permissions should apply to ‘Subfolders and files only’ > Full control.

10. Select SYSTEM > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.

11. Select DOMAINNAME\Administrators > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.

12. Remove the Users (the one with Read & Execute).

13. Remove the Users (the one with Special).

14. Add.

15. Everyone > check Name (make sure it underlines Everyone) > OK

16. Set Apply to = This folder only > Allow the following.

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Home Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).

2. Open their properties.

3. Profile tab > You can connect a drive letter (I usually use H:) and connect that to the users home drive. Set the path like so;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Home$\%username%

[/box]

4. This is what the users will see.

5. On the server the folders are all created straight away.

Creating and Allocating Roaming Profile Folders to Users

The process for setting up the folder is identical to the one above for the home folders.

1. Create a folder that is on a drive or volume with plenty of room.

2. I’ve simply used ‘Profile’ as the folder name; open the folder’s properties > Sharing Tab > Advanced Sharing > Tick to share > put a dollar ‘$’ symbol on the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.

3. Grant Everyone ‘Full Control’. Don’t worry, we will lock it down with NTFS permissions (remember permissions are cumulative, and the most restrictive apply) > Apply > OK.

4. Security tab > Advanced.

5. Change Permissions > Untick ‘Include inheritable permissions..’ > Add.

6. Remove the Users (the one with Read & Execute).

7. Remove the Users (the one with Special).

8. Add.

9. Everyone > check Name (make sure it underlines Everyone) > OK.

10. Set Apply to = This folder only > Allow the following.

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Roaming Profile Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).

2. Open their properties > Profile Tab > Tick ‘Profile path’ > Set the path as follows;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Profiles$\%username%

[/box]

3. Unlike home folders, profile folders are only created when the users log onto the network. Here you can see this profile has a V2 on the end of it (a version 2 profile means it has come from a Windows Vista or newer machine). For this reason, if your users use Windows XP (or older) clients AND Windows Vista (or newer) clients they will get TWO DIFFERENT profiles.
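The following is an added example, not code from the original article. It reproduces the share and NTFS permissions from both the home folder and the roaming profile procedures above using icacls (one function builds either share, since the ACL is identical), then sets each user's home folder and profile path as the two allocation sections do. Assumptions: run as an administrator on the file server (PNL-DC, the name used in the article) with the ActiveDirectory module available; the local paths, the OU distinguished name and the function names are placeholders of my own.

```powershell
# Added example, not code from the original article. Builds a hidden per-user
# share with the NTFS ACL described above, then points users at it.

Import-Module ActiveDirectory

function New-PerUserShare {
    param(
        [Parameter(Mandatory)] [string]$Path,       # local folder, e.g. D:\Home (placeholder)
        [Parameter(Mandatory)] [string]$ShareName,  # e.g. Home$ (the $ hides it from browsing)
        [string]$AdminGroup = "$env:USERDOMAIN\Administrators"   # DOMAINNAME\Administrators as in the article
    )
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Share permission: Everyone Full Control. The NTFS ACL does the real restricting;
    # the effective right is the more restrictive of the two.
    & net share "$ShareName=$Path" '/grant:Everyone,FULL' | Out-Null

    # NTFS: stop inheriting from the drive root (this drops the inherited Users entries).
    & icacls $Path /inheritance:r | Out-Null
    # CREATOR OWNER, Full Control, subfolders and files only: the user a folder is
    # created for ends up as the only user with rights inside it.
    & icacls $Path /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null
    # SYSTEM and the administrators group: Full Control on this folder and everything below.
    & icacls $Path /grant 'SYSTEM:(OI)(CI)F' | Out-Null
    & icacls $Path /grant "${AdminGroup}:(OI)(CI)F" | Out-Null
    # Everyone, this folder only: traverse, list, read attributes, create folders.
    # Enough to reach the share and have a folder created, not enough to read anyone else's.
    & icacls $Path /grant 'Everyone:(X,RD,RA,AD)' | Out-Null
}

function Set-UserFolderPaths {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,      # OU holding the users (placeholder DN)
        [Parameter(Mandatory)] [string]$HomeLocalPath,   # local path behind Home$, e.g. D:\Home
        [string]$Server       = 'PNL-DC',
        [string]$HomeShare    = 'Home$',
        [string]$ProfileShare = 'Profiles$'
    )
    $domain = $env:USERDOMAIN
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $sam = $_.SamAccountName
        # ADUC creates the home folder for you; Set-ADUser does not, so create it here and
        # give the user ownership plus Full Control, which is what ADUC would have done.
        $local = Join-Path $HomeLocalPath $sam
        if (-not (Test-Path -LiteralPath $local)) {
            New-Item -ItemType Directory -Path $local | Out-Null
            & icacls $local /setowner "$domain\$sam" | Out-Null
            & icacls $local /grant "${domain}\${sam}:(OI)(CI)F" | Out-Null
        }
        Set-ADUser -Identity $_ -HomeDrive 'H:' -HomeDirectory "\\$Server\$HomeShare\$sam"
        # The roaming profile folder (suffixed .V2 from Vista onwards) is created at first logon.
        Set-ADUser -Identity $_ -ProfilePath "\\$Server\$ProfileShare\$sam"
    }
}

# Usage (placeholders):
#   New-PerUserShare -Path 'D:\Home'     -ShareName 'Home$'
#   New-PerUserShare -Path 'D:\Profiles' -ShareName 'Profiles$'
#   Set-UserFolderPaths -SearchBase 'OU=Users,DC=example,DC=com' -HomeLocalPath 'D:\Home'
```

Run `icacls D:\Home` afterwards to confirm that only CREATOR OWNER, SYSTEM, the administrators group and the this-folder-only Everyone entry remain.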

Related Articles, References, Credits, or External Links

NA