Remote Connect to macOS

KB ID 0001539

Problem

Remotely connecting to Windows is easy we’ve had RDP since Windows NT4, (yes I’m that old). But what if you want to remote connect to a mac? Well that has ‘Screen Sharing’ built in, (which it pretty much the same, but it uses VNC). 

If you’re unfamiliar with VNC, (Virtual Network Computing,) you can install it on both Windows and Linux. Normally you need a client, (to connect with) and a server, (to connect to). VNC server is built into your Mac, so you just need to switch it on. 

Note: To access though a firewall you will need to have TCP port 5900 open/forwarded to the mac.

Solution

Apple Symbol > System Prefernces > Sharing.

Tick: ‘Screen Sharing‘ > Computer Settings > Tick VNC viewers may control screen with password > Enter a password > OK.

On a remote machine download a VNC client (there are a lot to choose from!) > Point it to the IP address of your mac > Enter the password you set, (above).

And you are connected.

Related Articles, References, Credits, or External Links

NA

Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Meraki Block Page http://wired.meraki.com:8090 ‘Not Found’

KB ID 0001365

Problem

If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;

http://wired.meraki.com:8090

This is happening because your Corporate DNS is resolving ‘wired.meraki.com’ to 54.241.7.184, which you can also see if you look at the URL you are trying to connect to it on port 8090. A quick nmap of that IP will tell you port 8090 is not open,  (only port 80 and port 443 are).

This is happening because if you were to use your Meraki Device for DNS forward lookups, it would ‘DNS Doctor’ the return DSN packet and insert its own IP address in there instead. That’s fine but most corporate networks don’t want to use their Meraki devices for DNS forward lookups. 

The easiest way to resolve the problem, is with your own corporate DNS servers.

Solution

First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANS). If you browse to that IP, you should se something similar to below;

Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.

Next > Primary zone > Next > To all DNS Servers… > Next.

Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.

In the newly created zone, create a ‘New Host (A or AAAA) record.

Enter the Inside IP or your MX device (only) > Add Host > Repeat for each Meraki device, if you have more than one.

Now you will receive a slightly more friendly blocked page.

Related Articles, References, Credits, or External Links

NA

Set Up the VMware View 5 (and Horizon View) Event Database

KB ID 0000856

Problem

Below I’ll configure SQL 2008 R2, insofar as I will setup a new database for the View Events, create a user for that database, then finally connect the View 5 Horizon View Connection Server to that database.

Solution

1. Firstly, I’m assuming you have a SQL Server setup and ready to create database on, If you do not rather than reinvent the when follow my instructions in the article below.

Deploying VMware View 5 -Part 4 Installing and Configuring SQL 2008 R2

Note: Complete ONLY Steps 1 to 6 then return here.

2. Login to the SQL Management Studio > Databases > New Database.

3. Call it View5Events (Note: You can call it ‘Aunty Mary’s Canary’ if you want to).

4. Options section > change the recovery mode to ‘Simple’ > OK.

5. Expand Security > Logins > New Login.

6. Give the user a name i.e. view5events > Tick ‘SQL Authentication’ > Type and re-type a password > Untick ‘Enforce password policy’.

7. User Mapping tab > Tick the View5Events Database > Tick db_owner > OK > Close the SQL Management Studio.

8. Login to the Connection Server (Flash Required) > View Configuration > Event Configuration > Edit,

Database Server: The name of the Server Running SQL.
Port: 1433 (Standard SQL Port make sure it it NOT blocked by a firewall).
Database Name: View5Events
User name: view5events
Password: {You set above}
Table prefix: _vdi

9. To see if it is working > Monitoring > Events > (It may be empty for a while don’t panic).

 

Related Articles, References, Credits, or External Links

NA

vSphere 5 – Install and Configure the Web Client

KB ID 0000551 

Problem

The ability to administer vCenter via a web browser is nothing new, vCenter has had a web console in previous versions.

vCenter vSphere 4 Web Client (Web Access)

The version with vSphere 5 is much more feature rich. Like the VMware vSphere client it talks directly to the vCenter vSphere API, but unlike previous web access, the component needs to be installed and configured before you can use it.

What the Web Client Can Do

1. Connect to a vSphere vCenter server.

2. Can be used on non Windows machines (VI Client is Windows only).

3. Deploy Virtual Machines (Including deployment from Templates).

4. Configure Virtual Machines.

5. Provide basic monitoring.

What the Web Client Can’t Do

1. Manage Hosts

2. Manage Clusters

3. Manage Networks.

4. Manage Datastores or Datastore Clusters.

5. Connect to ESX or ESXi hosts.

Solution

Step 1 Install and Configure Web Access

Prerequisite: The vCenter server needs to have Adobe Flash installing on it to access the management console.

1. From the vCenter Installer media select “VMware vSphere Web Client (Server) > Install > Follow the on screen prompts.

2. Accept all the defaults, note the secure port number we will be using that later (TCP Port 9443).

3. Once installed > On the vCenter server itself open a browser window > navigate to > https://{servername}:9443/admin-app > Select “Register vCenter Server”.

vSphere Web Client Supported Browsers: Internet Explorer (7 or newer) and Firefox (3.5 or newer), I’ve tried Chrome, it works, but some functionality is lost. (anything that requires the plug in i.e. console connections).

4. Enter the details for the vCenter server > Take note of the URL for your client to access (https://{servername}:9443/vsphere-client) > Register.

5. You will probably be using self signed certificates to tick the box and select “Ignore”.

6. That’s the server configured and ready to go.

Step 2 – Access the vCenter from web client

1. Open a browser window and navigate to https://{servername}:9443/vsphere-client> You may receive a warning about the certificate (because it’s self signed) click to continue > Enter your credentials > Login.

2. The first time you connect it launches the welcome splash screen > tick “Do not show..” and close the window. (Note you can launch it again from the help menu).

Note: If you see this error:

Connection Error
Unable to connect to vCenter Inventory Service –
https://{servername}:10443

Check on the vCenter server to make sure this service is running.

3. You should then be connected, and be able to browse your virtual infrastructure.

4. You can “console” onto your VM’s (Note: will need a plug in installing your browser will prompt you to accept/install).

 

Related Articles, References, Credits, or External Links

NA

VMware – Setting up ESX NTP Time Sync

KB ID 0000798

Problem

Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Servers BIOS, ie the internal clock is set correctly first. I’ve lost count of the amount of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests, suddenly your domain clocks are two years apart and carnage ensues!

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

1. Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.

Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.

130.88.212.143 = turnip.mc.man.ac.uk (Manchester University)
130.88.200.4 = dir.mcc.ac.uk (Manchester University)

2. When you see the following all is well.

Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.

Related Articles, References, Credits, or External Links

NA

vSphere – Adding a Serial Port to a VM

KB ID 0001039 

Problem

I wanted to perform command line access to a virtual firewall on my home ESXi server, (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.

Solution

1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.

2. Locate and enable ‘VM serial port connected over network’ > OK.

3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.

4. Connect via Network > Next.

5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.

Note: That’s the IP of the ESX server NOT the VM, here I’m using port 2001, but you can use 23 (standard telnet), or a random port above 1024.

6. Review the settings > Finish.

7. Now on a machine that has network connectivity to the ESX server > launch a telnet session to the VM (remember to use port 2001 as telnet defaults to 23!).

Here I’m using PuTTY but you can run ‘telnet {ip-address} {port}’ from a Windows client, (providing you have telnet enabled).

8. I’m in and working.

 

Related Articles, References, Credits, or External Links

NA

vSphere – Adding Domain Users/Groups to vCenter

KB ID 0001063

Problem

Note: This article is for vSphere 6, for vSphere 7 and vSphere 8 see the following article.

vCenter Domain Authentication

Despite my best efforts to keep working with the VMware VI client, my recent move to a MAC has finally forced me to start using the web client. So when I rebuilt my vCenter this week, I went out of my way to use that.

Note: If you have your vCenter and Platform Services Controller (PSC) separated, the use the following article instead;

vSphere: Setup Domain Authentication via PSC

Solution

I’m assuming you have a default install of vCenter and you have also installed the SSO options (this would be the default). You should also have taken note of the administrator@vsphere.local password you entered when you installed vCenter.

1. Log into the vCenter with the vSphere Web Client, as administrator@vsphere.local

URL will be https://{IP or Hostname}:9443

Navigate to Administration > Single Sign On > Configuration > Identity Sources > Select your domain and set it as the default domain.

2. Note: If your domain is not listed (you didn’t add it during the install of vCenter for example), then simply add it first.

3. Users and Groups > Groups > Administrators > Add > Change the domain to yours > Locate the user (or group) > Add > OK.

4. Now you need to grant rights, the simplest way is to grant rights at the vCenter level, and then those rights will cascade down to the Datacenter(s), Clusters, Hosts, and Virtual Machines.
Home > vCenter Servers > Select your vCenter > Manage > Permissions > Add.

5. Select the Administrator role > Add > Select your domain > Locate the users and groups you want to ad > Add > OK.

 

Related Articles, References, Credits, or External Links

Add Domain Authentication To The vCenter Server Appliance