PowerCLI: Get Snapshot Information

Get Snapshot Information KB ID 0001829

Problem

The question was asked on Experts Exchange today.

Are there any scripts or reports that would give me information on VMware VM’s with snapshots?

I was pretty sure this was a straightforward one, so I jumped on the test network.

Solution: Get Snapshot Information

Connect to your vCenter and use the following commands.

[box]

Connect-VIServer vCenter-Name
(authenticate when prompted)
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created

[/box]

That was easy!

Get Snapshot Information : With RV Tools

You can also get the same information from RVTools, which if you don’t already use, do so!

Solution: PowerShell Delete Snapshots

You can delete all snapshots by simply piping the command above to Remove-Snapshot, but you will probably want to do that on a VM by VM basis, and check what is about to go first (Remove-Snapshot prompts for confirmation by default, and -WhatIf shows what it would remove without doing it). Use the following command;

[box]

Get-VM VM-Name | Get-Snapshot | Remove-Snapshot

[/box]
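The same two jobs as a reusable report and a guarded per-VM clean-up, as an added example that is not part of the original article. The vCenter name, the VM name and the 7-day threshold are assumptions; the PowerCLI cmdlets and properties (Get-Snapshot, Remove-Snapshot, Created, SizeGB) are the ones used above.

```powershell
# Added example (not from the article): a snapshot age/size report and a per-VM
# clean-up that removes only snapshots older than a threshold. The vCenter name,
# the VM name and the 7-day threshold are assumptions.
function Get-StaleSnapshot {
    param([int]$OlderThanDays = 7)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-VM | Get-Snapshot | Where-Object { $_.Created -lt $cutoff } |
        Select-Object @{ n = 'VM'; e = { $_.VM.Name } }, Name, Description,
            @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.Created).TotalDays } },
            @{ n = 'SizeGB';  e = { [math]::Round($_.SizeGB, 2) } },
            IsCurrent, PowerState
}

function Remove-StaleSnapshot {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$OlderThanDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # Newest first: child snapshots are always newer than their parents, so removing in
    # this order never deletes a parent out from under a child (no -RemoveChildren needed).
    $snaps = Get-VM -Name $VMName | Get-Snapshot |
        Where-Object { $_.Created -lt $cutoff } | Sort-Object Created -Descending
    foreach ($snap in $snaps) {
        $target = "$VMName : '$($snap.Name)' ($([math]::Round($snap.SizeGB, 2)) GB, created $($snap.Created))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove snapshot')) {
            # Synchronous, so consolidation of one delta finishes before the next starts;
            # -Confirm:$false because ShouldProcess above has already asked.
            Remove-Snapshot -Snapshot $snap -Confirm:$false
        }
    }
}

# Usage (assumed names):
# Connect-VIServer vcenter.example.local
# Get-StaleSnapshot -OlderThanDays 14 | Export-Csv .\snapshots.csv -NoTypeInformation
# Remove-StaleSnapshot -VMName 'WEB01' -OlderThanDays 14 -WhatIf   # dry run first
# Remove-StaleSnapshot -VMName 'WEB01' -OlderThanDays 14
```

Because the function declares ConfirmImpact = 'High', a plain call prompts for each snapshot; pass -Confirm:$false only once you have looked at the -WhatIf output.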

Related Articles, References, Credits, or External Links

NA

Windows – Find your ‘Uptime’

KB ID 0000552 

Problem

There are lots of reasons you might want to know a PC's or server's uptime: to make sure a client has rebooted a server (like you asked them to), or to see if a server has had a BSOD and rebooted overnight, etc.

Check Uptime with Task Manager

You can get your uptime from the Task Manager’s “Performance” tab.

To launch Task Manager:

Start > Run > taskmgr.exe {Enter}, or press CTRL+SHIFT+ESC, or right click the Task bar > Select Task Manager. (On Windows 8 and newer click 'More details' if the Performance tab is not shown.)

 

Use PowerShell to find Server Boot time

From PowerShell use the following syntax;

[box]

[Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem).LastBootUpTime)

[/box]

Use PowerShell to find Uptime

From PowerShell use the following syntax;

[box]

(Get-Date) - [Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem).LastBootUpTime)

[/box]

Use Systeminfo to find Uptime

From the command line execute the systeminfo | find /i "boot" command;

 

Use Net Statistics to find Uptime

You can get uptime information by querying either the Workstation service or the Server service; the 'Statistics since' line is the time that service started, which on most machines is the boot time. Issue either of the following commands;

[box]

net statistics workstation

[/box]

Or the following command;

[box]

net statistics server

[/box]

Use Uptime.exe to find Uptime

Download Microsoft's uptime.exe and put a copy in your "System32" directory; you can then use the uptime command.

Use WMI (Windows Management Instrumentation) to find Uptime

Issue the following command;

[box]

wmic os get lastbootuptime

[/box]

As you can see the result is not pretty; it is a WMI (CIM) datetime string, yyyymmddHHMMSS.microseconds followed by the offset from UTC in minutes, so:

20120109081112.925800+000 = Year 2012, Month 01, Day 09, Time 08:11:12, UTC+0

Check the Event Log to find Uptime

Launch the Event Viewer (eventvwr.msc) > Windows Logs > System > Find > Search for Event ID 6005. (Note: This event is logged each time the server boots, as the event log service starts.) Event ID 6006 is labelled "The Event log service was stopped", which is synonymous with a clean system shutdown.

 

Note: Event 6013 is logged periodically (once a day) and shows the machine's uptime at that point.

Note: Event ID 6009 records the processor and OS information detected at boot time. In the event of an abnormal shutdown look for Event ID 6008, which tells you the system started after it was not shut down properly.

Use Uptime.exe to get a Remote Machine's Uptime

As mentioned above, download uptime.exe and extract it to your System32 directory. Then to get a remote machine's uptime, use the following command;

[box]

uptime {Name of Remote PC}

[/box]

Use PowerShell to get a Remote Machine's Uptime

Use the following syntax;

[box]

[Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem -ComputerName RemoteMachine).LastBootUpTime)

[/box]
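The PowerShell options above (local boot time, local uptime and the remote variant) and the Event Log option, pulled together as one added example that is not part of the original article. It uses Get-CimInstance instead of Get-WmiObject, because Get-WmiObject only exists in Windows PowerShell (it is not in PowerShell 7) and because CIM hands you LastBootUpTime already converted to a [datetime], so the ManagementDateTimeConverter step goes away. The server names and the credential are assumptions.

```powershell
# Added example (not from the article): boot time and uptime via CIM, locally or remotely,
# plus the boot/shutdown events described in the Event Log option. Server names and the
# credential are assumptions.
function Get-BootInfo {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $p = @{ ComputerName = $computer; ErrorAction = 'Stop' }
            if ($Credential) { $p.Credential = $Credential }
            $session = New-CimSession @p
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $session
            # CIM already converts the DMTF datetime strings to [datetime]; subtracting the
            # target's own clock (LocalDateTime) avoids skew between it and the querying host.
            $uptime = $os.LocalDateTime - $os.LastBootUpTime
            [pscustomobject]@{
                ComputerName   = $computer
                LastBootUpTime = $os.LastBootUpTime
                Uptime         = $uptime
                UptimeDays     = [math]::Round($uptime.TotalDays, 2)
            }
        }
        catch { Write-Warning "$computer : $($_.Exception.Message)" }
        finally { if ($session) { Remove-CimSession -CimSession $session } }
    }
}

function Get-BootEvents {
    # 6005/6006 = event log service started/stopped (boot/clean shutdown), 6008 = unexpected shutdown
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 20)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006, 6008
    } | Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { @{ 6005 = 'Boot'; 6006 = 'Clean shutdown'; 6008 = 'UNEXPECTED shutdown' }[$_.Id] } }
}

# Usage:
# Get-BootInfo
# Get-BootInfo -ComputerName SERVER01, SERVER02 -Credential (Get-Credential) | Format-Table
# Get-BootEvents -ComputerName SERVER01
```

Remote CIM sessions use WinRM (TCP 5985/5986) rather than the DCOM path Get-WmiObject takes, so the target needs WinRM enabled, which is the default on Server 2012 and newer.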

Related Articles, References, Credits, or External Links

NA

Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

If, like most people, you don't simply disable the Windows firewall, then you need to be able to manage which ports are open on your machines. The simplest way to do this is via Group Policy. This week I had to open TCP port 9503 on the local firewall of my McAfee MOVE Offload Servers. Below I will open that port on all my machines, but in production I would only apply the GPO to the OU containing the MOVE Offload servers: an inbound port exception is an attack-surface decision, so scope it to the machines that actually run the service and, where you can, to the source addresses that need to reach it.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer configuration > Policies >Administrative Templates > Network > Network Connections >Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty (you can return and add multiple entries to this policy later if you need further ports opening). In the example below I've opened port 9053 over TCP; the asterisk means 'from anywhere', I've enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Name>

  • <Port>: Number in decimal from 0 to 65,535
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply 'localsubnet' or '*' for everywhere. You can enter multiple values separated with a comma.
  • <Name>: A simple text entry to define what the exception is.

8. OK > Apply > OK > Close the Group Policy Management Editor. If your domain controllers run Windows Server 2012 or newer you can force a policy refresh on a particular OU from the Group Policy Management Console (right click the OU > Group Policy Update), like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see it's been applied by Group Policy, and check the correct port has been defined.
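A scripted version of steps 10 and 11 for the target machine, as an added example that is not part of the original article. It reads the firewall's ActiveStore (the merged local-plus-GPO rule set that is actually being enforced) and reports whether the rule that covers the port came from Group Policy; port 9503 and the machine names are assumptions, and the NetSecurity cmdlets it uses exist on Windows 8 / Server 2012 and newer.

```powershell
# Added example (not from the article): confirm which inbound rule actually opens a given
# port on a target machine and whether it came from Group Policy. Port 9503 is an assumption.
function Get-InboundPortRule {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    # Start from the port filters: far fewer objects than walking every rule.
    # LocalPort is a string (or array of strings); a range such as '9500-9510' is not expanded here.
    $filters = Get-NetFirewallPortFilter -PolicyStore ActiveStore | Where-Object {
        $_.Protocol -eq $Protocol -and (@($_.LocalPort) -contains "$Port" -or @($_.LocalPort) -contains 'Any')
    }
    foreach ($pf in $filters) {
        $rule = $pf | Get-NetFirewallRule
        if ($rule.Direction -ne 'Inbound') { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Enabled       = $rule.Enabled
            Action        = $rule.Action
            Profile       = $rule.Profile
            LocalPort     = (@($pf.LocalPort) -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')   # 'Any' = the '*' scope in the GPO
            SourceType    = $rule.PolicyStoreSourceType         # GroupPolicy vs Local
            SourceGPO     = $rule.PolicyStoreSource
        }
    }
}

function Test-InboundPortOpen {
    # $true only if an enabled Allow rule covers the port and no enabled Block rule does
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')
    $rules = @(Get-InboundPortRule -Port $Port -Protocol $Protocol | Where-Object Enabled -eq 'True')
    ($rules.Action -contains 'Allow') -and ($rules.Action -notcontains 'Block')
}

# Usage, on the target machine after gpupdate /force:
# Get-InboundPortRule -Port 9503 | Format-Table -AutoSize
# Test-InboundPortOpen -Port 9503
```

The 'Define inbound port exceptions' policy used here is the older firewall policy format and can only express port, protocol and scope; if you need program, service or authentication conditions, the same GPO can carry full rules under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, and this script reports those too.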

 

Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

ADMT (Active Directory Migration Tool) Domain Migration – Part 2

KB ID 0001306

Problem

Back in Part One we set up our migration admin account and installed ADMT. Now, as I'm going to migrate the users' passwords, I need a 'Password Export Server', but first I need to tackle the subject of user SIDs.

 

Solution

Domain Migrations and SID Filtering

Every user has a SID (Security Identifier); it's the thing AD uses to refer to users (and other objects) and to apply security to them. This is why you can rename a user and their security does not change (because the SID always remains the same). Why is this important for domain migrations? Well, if you're doing a migration that takes place over a period of time, users in the NEW domain may still need access to things IN the OLD domain (like file shares, printers, applications etc.).

This is a problem because when you set up a domain trust it enables SID filtering (back in Part One it told you this, here). So if a user in newdomain.com tries to access a folder in olddomain.com that they could access before the migration, they won't be able to, because their SID has changed to a new SID in the new domain. Even if you migrated their old SID, it gets filtered out as the user comes back over the trust.

How do we fix that? We need to do two things, 

  • Migrate the user's old SID to newdomain.com (this then becomes their sIDHistory attribute)
  • Disable SID filtering in  olddomain.com (To allow the sIDHistory attributes to come back over the trust)

This lets users in the new domain have their NEW SID, and their OLD SID.

Migrating the user's SID is simple (it's just a box you tick when running a migration; you will see that later). Disabling SID filtering can be a little confusing: where do you do it, and which way round do you execute the command? Above I've solved the first one for you, you disable SID filtering on the OLD domain (the domain whose resources are being accessed is the one that applies the filter). The following diagram will explain why;

Usually users DON'T have a sIDHistory attribute (unless they've been migrated before!), they only have a SID (the objectSID attribute). To demonstrate let's jump forward in time, and look at a migrated user (ABarksdale).

Click to enlarge the above image, and inspect the user's SID (objectSID) and old SID (sIDHistory) attributes.

In the olddomain.com;

objectSID: S-1-5-21-227018303-3265311450-382577

sIDHistory: {None}

In the newdomain.com;

objectSID: S-1-5-21-3846632479-19853633304-4016520

sIDHistory: S-1-5-21-227018303-3265311450-382577 (Note: objectSID migrated from olddomain.com)

Disabling SID Filtering

Now we know where to do it, we just need to construct the command to disable it. Run the following command;

[box]netdom trust {source-domain} /domain:{target-domain} /quarantine:No /userO:{username} /passwordO:{password}[/box]

Or for a Forest Trust

[box]netdom trust {source-domain} /domain:{target-domain} /enablesidhistory:Yes /userD:{username} /passwordD:{password}[/box]

So in my example;

  • source-domain: olddomain.com
  • target-domain: newdomain.com
  • username: (Domain administrator in olddomain.com)
  • password: Password for user above.
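Both halves of the fix can be checked from PowerShell before you rely on them: that the migrated user really carries the old SID in sIDHistory, and that the trust in the old domain really has filtering relaxed. This is an added example, not part of the original article; it needs the ActiveDirectory module, and the domain and user names are the article's examples.

```powershell
# Added example (not from the article): verify sIDHistory on a migrated user and the SID
# filtering state on the trust. Domain and user names are the article's examples.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Domain       # DNS name; -Server locates a DC in it
    )
    $u = Get-ADUser -Identity $SamAccountName -Server $Domain -Properties sIDHistory
    [pscustomobject]@{
        User       = $u.SamAccountName
        Domain     = $Domain
        ObjectSID  = $u.SID.Value
        # sIDHistory is multi-valued: a user migrated twice carries two old SIDs
        SIDHistory = (@($u.sIDHistory | ForEach-Object { $_.Value }) -join ', ')
    }
}

function Get-TrustSidFilteringReport {
    # Run against the domain that applies the filtering (the OLD/trusting domain in the article).
    # External trust: SIDFilteringQuarantined must read False after /quarantine:No.
    # Forest trust:   SIDFilteringForestAware should read True after /enablesidhistory:Yes.
    param([Parameter(Mandatory)][string]$Domain)
    Get-ADTrust -Filter * -Server $Domain |
        Select-Object Name, Direction, TrustType, ForestTransitive,
            SIDFilteringQuarantined, SIDFilteringForestAware
}

# Usage:
# Get-SidHistoryReport -SamAccountName ABarksdale -Domain newdomain.com
# Get-TrustSidFilteringReport -Domain olddomain.com | Format-Table -AutoSize
```

Remember that relaxing SID filtering is a deliberate weakening of the trust boundary: anyone who can write sIDHistory in the new domain can impersonate any SID from the old one, so re-enable it (/quarantine:Yes) once the migration is complete.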

ADMT: Setting up a Password Export Server

As the name implies, this is a piece of software that runs on the source domain, (on a domain controller,) that ADMT uses to migrate user passwords. Before you can do this, you need to create a ‘key’ in the NEW domain, (where ADMT is running). Then, you use that key to setup the password export server in the OLD domain.

On the ADMT Server open an administrative command window and issue the following command;

[box]admt key /option:create /sourcedomain:{source-domain} /keyfile:"C:\PES.pes" /keypassword:{password}[/box]

So in my example;

  • source-domain: olddomain.com
  • keyfile: Where you want to save the keyfile.
  • password: can be anything you want, but you will need it to setup the password export server, so don’t forget it.

If it runs OK, find your keyfile, then copy this to the domain controller in the old domain you are going to install the password export server service on.

There are two versions of the Password Export Server software (a 32 bit and a 64 bit version). Download and install the version applicable to your source domain controller.

Password Export Server 64 bit version

Password Export Server 32 bit version

Note: The install requires a reboot of the server, you might want to do this at the end of the day.

The install is pretty simple, Accept the EULA, browse to the keyfile, and enter the password you used above.

 

Specify a user account to run the service as, (I just use the ADMTAdmin account we’ve already created).

Finish the install, and let it reboot.

After a reboot, if you look in the services (Start > Run > services.msc). You will see the ‘Password Export Server Service’.

Note: You will also notice the startup type for the service is ‘Manual’. ONLY start this service, when you are actually migrating passwords.

ADMT: Granting Local Rights to ADMT user in the Source Domain.

To migrate machines, the ADMTAdmin user needs "local" administrative access on all the source machines. The easiest way to do this is via Group Policy, using 'Restricted Groups'. This allows you to take a group (or user) and put them in the local groups (including Administrators) of the targeted machines.

In the OLD domain, create a group and put the ADMTAdmin from the target domain in it. (I put the domain admin from the target domain in it as well, to be on the safe side, but that’s up to you).

Note: You may see this a few times while doing migrations. Notice above the user icon there's a small red curved arrow (below); that logo denotes a 'Foreign Security Principal'. It's not really our user at all, it's a placeholder object that AD creates in the ForeignSecurityPrincipals container (turn on Advanced Features in AD Users and Computers and you can see them).

Create a new GPO that will apply to the computers/servers you are going to migrate. 

Edit it.

Navigate to;

[box]Computer Configuration > Policies  >Windows Settings > Security Settings > Restricted Groups[/box]

Add a new one, select the group you have just created > and add it to ‘Administrators’.

It should look like this when you are finished.

Windows – Forcing Domain Group Policy

To test it has applied, on a client run 'gpresult /r' at an administrative command prompt.

You can of course, simply check the local administrators group to  make sure the new group is in there.

ADMT: Additional GPO Note

To perform computer migrations (and security translations), ADMT needs to deploy an 'agent' to the machines in the OLD domain. The local firewall (if enabled) can stop this; I simply disable the local firewall, and even the Microsoft documentation on TechNet says to disable the firewall. (If someone wants to send me a list of ports to add to make it work, I'll publish them.) Don't leave this in place any longer than you have to: link the GPO only to the OU containing the batch of machines being migrated, and unlink it when that batch is done.

Create a new GPO linked to where your source computers are, (here I’m just linking to the root of the domain).

Edit the GPO.

Navigate to;

[box]Computer Configuration >Policies  > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile[/box]

Locate 'Windows Firewall: Protect all network connections' and set it to Disabled.

Windows Group Policy – Disable The Local Windows Firewall

In addition I have also seen the agent fail to deploy if the 'Remote Registry' service is not running on the target machines (it's disabled by default on client operating systems). So I use this policy to turn that on as well.

In the same GPO navigate to;

[box]Computer Configuration > Polices > Windows Settings > Security Settings > System Services[/box]

Locate the ‘Remote Registry’ service, and set it’s startup to automatic.

This may take a while to permeate down to all the machines, see: Windows – Forcing Domain Group Policy
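A pre-flight check that covers the three things above which stop the agent deploying (SMB/RPC blocked by the firewall, Remote Registry not running, and the migration account not in the local Administrators group), as an added example that is not part of the original article. It assumes the Restricted Groups GPO added a group called OLDDOMAIN\ADMT-LocalAdmins; change that to your own. Get-Service -ComputerName needs Windows PowerShell 5.1 (it is not in PowerShell 7), and the WinNT provider call works over SMB/RPC, so it does not need WinRM on the old machines.

```powershell
# Added example (not from the article): pre-flight check for ADMT source computers.
# OLDDOMAIN\ADMT-LocalAdmins is an assumed group name; PC01/PC02 are assumed hosts.
function Test-AdmtSourceComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [string]$ExpectedAdminMember = 'OLDDOMAIN\ADMT-LocalAdmins'
    )
    process {
        $r = [ordered]@{ ComputerName = $ComputerName }
        # The agent is copied to ADMIN$ over SMB (445) and started through the service
        # control manager over RPC (135 + a dynamic port), so both must be reachable.
        foreach ($port in 135, 445) {
            $r["Tcp$port"] = (Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $r.AdminShare = Test-Path -Path "\\$ComputerName\ADMIN`$"
        try {
            $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
            $r.RemoteRegistry = "$($svc.Status) / $($svc.StartType)"
        }
        catch { $r.RemoteRegistry = "error: $($_.Exception.Message)" }
        try {
            # WinNT provider: member paths come back as WinNT://DOMAIN/Name
            $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
            })
            $r.LocalAdmins = ($members -join '; ')
            $r.HasMigrationAdmin = ($members -contains $ExpectedAdminMember)
        }
        catch { $r.LocalAdmins = "error: $($_.Exception.Message)"; $r.HasMigrationAdmin = $false }
        $r.ReadyForAgent = $r.Tcp135 -and $r.Tcp445 -and $r.AdminShare -and
                           ($r.RemoteRegistry -like 'Running*') -and $r.HasMigrationAdmin
        [pscustomobject]$r
    }
}

# Usage:
# 'PC01', 'PC02' | Test-AdmtSourceComputer | Format-Table -AutoSize
# Get-ADComputer -Filter * -SearchBase 'OU=Migrate,DC=olddomain,DC=com' |
#     Select-Object -ExpandProperty Name | Test-AdmtSourceComputer
```

Run it as the ADMTAdmin account from the ADMT server, so the ADMIN$ and local-group checks exercise exactly the credentials the agent push will use.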

 

In Part Three we will start migrating objects.

Related Articles, References, Credits, or External Links

NA

Windows – Schedule a Reboot For a Specific Time

KB ID 0000866 

Problem

If you want to do this, and you do a quick internet search, all results come back as either suggesting using psshutdown or writing a script then scheduling that. I suppose a script is a good idea if you want to reboot at 01:00 every day for example. But what if you want to reboot a client server once at 17:00 and it’s 10:00 in the morning? Chances are, if you’re like me, you will be working on something different at 17:00 and forget!

Solution

1. Painfully simple, open a command window (Windows Key+R > cmd {Enter}).

2. Execute the command below. Obviously change the time accordingly;

[box]

at 10:15:00 shutdown /r /f

[/box]

3. The machine will then reboot at the specified time. Note: on Windows 8 / Server 2012 and newer the at command no longer works (it just tells you to use schtasks.exe instead); on those, use shutdown /r /f /t {seconds} or schtasks.
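A one-off reboot timer that does not depend on at.exe, as an added example that is not part of the original article. It works out the number of seconds until the time you give and hands that to shutdown /t, so it behaves the same on old and new Windows; 17:00 and the comment text are assumptions.

```powershell
# Added example (not from the article): schedule a single reboot without at.exe.
# The time and the comment are assumptions.
function Start-ScheduledReboot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][datetime]$At,                # e.g. '17:00' = today at 17:00
        [string]$Comment = 'Planned reboot, save your work'
    )
    $delay = [int][math]::Ceiling(($At - (Get-Date)).TotalSeconds)
    # shutdown /t cannot go backwards; refuse rather than reboot the box right now
    if ($delay -le 0) { throw "$At is in the past; shutdown.exe would reboot immediately" }
    if ($delay -gt 315360000) { throw 'shutdown.exe accepts at most 315360000 seconds (10 years)' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "reboot at $At (in $delay seconds)")) {
        # /f is implied once /t is greater than 0; /c is shown to logged-on users
        & shutdown.exe /r /f /t $delay /c $Comment
    }
    $delay
}

# Usage:
# Start-ScheduledReboot -At '17:00' -WhatIf     # shows the delay it would set
# Start-ScheduledReboot -At '17:00'
# Cancel before it fires:  shutdown /a
```

The pending shutdown lives in memory, so if the machine is rebooted for another reason in between, the timer is gone; for something that must survive that, create a one-off task instead (schtasks /create /sc once /st 17:00 /tn "Reboot" /tr "shutdown /r /f").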

Related Articles, References, Credits, or External Links

NA

Can’t Delete a File or Folder or Take Ownership

KB ID 0000887 

Problem

I have a portable drive that I carry in my laptop bag that has all the service packs and ISO images that I might need. The problem is when I install service packs and updates on clients' servers and PCs, they have a habit of creating folders on my portable drive that are a pain to delete. While tidying up the drive today, it was telling me I did not have the rights to do so. When I tried to take ownership of the folder this happened;

An error occurred while applying security information to
{Foldername}
Failed to enumerate objects in the container. Access is denied.

Solution

1. Open a command window (Note: Ensure you select ‘Run As Administrator‘).

2. Issue the following commands, replacing the path to the folder with your own. (The /d y switch answers "yes" to the prompt takeown raises for subfolders you have no permission to list; on a non-English Windows the letter is the localised one, e.g. /d j on German systems.)

[box]

takeown /f F:\foldername /r /d y
icacls F:\foldername /grant administrators:F /T
rmdir F:\foldername /S /Q

[/box]

Related Articles, References, Credits, or External Links

NA

Windows Accessing a Share Error – “You were not connected because a duplicate name exists on the network”

KB ID 0000991 

Problem

I hadn’t seen this myself but it was asked in a forum the other day so I replicated it on the test bench.

You were not connected because a duplicate name exists on the network. Go to System in Control Panel to change the computer name and try again.

or

You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup choose another workgroup name.

Solution

Those ‘recommendations’ are NOT what you should be doing to fix this problem!

This is happening because a resource you are trying to connect to (another PC or server) is addressable by two different names. As you can see below, if I ping the server name 'dc1b' and 'files', the same IP address responds.

In my case that’s because I’ve got a CNAME entry in my DNS for files, that points to the server name dc1b.

Note: If you have two Host A records, I would recommend deleting the additional one and using a CNAME entry instead.

Note2: If the client exhibiting the problem has multiple entries in its ‘hosts’ file that point to the same IP you can also see this problem.

Fix

1. On the server/computer you are connecting TO > Windows Key +R > regedit {Enter}.

2. Navigate to:

[box]HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanServer > Parameters[/box]

Create a new DWORD Value (or 32 bit DWORD if you are on a newer OS).

3. Call the value DisableStrictNameChecking and set its value to decimal 1 (one).

4. Then either reboot the server or Windows Key +R > services.msc {enter} > Locate the Server service > Restart.

5. At this point your client should be able to connect via either name.

It’s Still Not Working

In some cases you need to set an alias SPN (Service Principal Name), otherwise Kerberos authentication to the alias name fails. If you are still running Server 2003, download and install this update first (or it won't know what setspn.exe is).

Syntax

[box]

setspn -A host/<Alias Name> <Host Name>
setspn -A host/<Alias FQDN> <Host Name>

e.g.

setspn -A host/files dc1b
setspn -A host/files.domainb.com dc1b

Note: on Server 2008 and newer use setspn -S instead of -A; it checks the forest for a duplicate SPN before adding, and a duplicate breaks Kerberos for both hosts.

[/box]
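The registry change, Server service restart and SPN registration as one idempotent function with -WhatIf support and a read-back check, as an added example that is not part of the original article. The host and alias names are the article's examples; run it elevated on the server you are connecting TO.

```powershell
# Added example (not from the article): DisableStrictNameChecking + alias SPNs in one step.
# Host and alias names are the article's examples.
function Enable-ServerAlias {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$HostName,    # real computer name, e.g. dc1b
        [Parameter(Mandatory)][string]$Alias,       # short alias, e.g. files
        [Parameter(Mandatory)][string]$AliasFqdn    # e.g. files.domainb.com
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -Name DisableStrictNameChecking -ErrorAction SilentlyContinue).DisableStrictNameChecking
    if ($current -ne 1 -and $PSCmdlet.ShouldProcess($key, 'Set DisableStrictNameChecking = 1 and restart the Server service')) {
        New-ItemProperty -Path $key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null
        Restart-Service -Name LanmanServer -Force    # -Force also bounces the services that depend on it
    }
    $existing = (& setspn.exe -L $HostName) -join "`n"
    foreach ($spn in "host/$Alias", "host/$AliasFqdn") {
        # whole-line match so host/files does not count as already present because host/files.domainb.com is
        if ($existing -match ('(?m)^\s*' + [regex]::Escape($spn) + '\s*$')) { continue }
        if ($PSCmdlet.ShouldProcess($HostName, "setspn -S $spn")) {
            # -S (not -A) first checks the forest for a duplicate; a duplicate SPN breaks
            # Kerberos for BOTH computers, which is worse than the problem being fixed
            & setspn.exe -S $spn $HostName
        }
    }
}

function Get-ServerAliasState {
    param([Parameter(Mandatory)][string]$HostName)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        DisableStrictNameChecking = (Get-ItemProperty -Path $key -Name DisableStrictNameChecking -ErrorAction SilentlyContinue).DisableStrictNameChecking
        HostSPNs = @((& setspn.exe -L $HostName) | Where-Object { $_ -match '^\s*host/' } | ForEach-Object { $_.Trim() })
    }
}

# Usage (run elevated on the server being connected TO):
# Enable-ServerAlias -HostName dc1b -Alias files -AliasFqdn files.domainb.com -WhatIf
# Enable-ServerAlias -HostName dc1b -Alias files -AliasFqdn files.domainb.com
# Get-ServerAliasState -HostName dc1b
```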

 

Related Articles, References, Credits, or External Links

NA

Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea

KB ID 0001055 

Problem

After a large AnyConnect 4 roll-out, I had the following conversation with a client;

Client: Can we change the way the clients authenticate?
Me: Yes, no problem what do you need?
Client: Well instead of user based certificate authentication, we want to use computer certificates only.
Me: Really why?
Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and get a user certificate before they can be deployed.
Me: If we do, and a user exports the cert onto another device, that device will be able to connect as well.

I then pondered on just how difficult this would be to do. I had a fully working (certificate based) VPN solution running on the bench that I’d used to ‘proof of concept’ the clients requirements. Why don’t I attempt to compromise that for educational purposes 🙂

Disclaimer: As stated, this post is for educational purposes only, not so you can get a free VPN or Wireless connections.

Solution

1. By default, computer certs issued by Microsoft Certificate Services have their private key marked as 'non exportable', to stop people doing things like this. But just because Windows won't let you do this does not mean you can't do it: the flag is enforced by the software key store, and anyone with administrator rights on the box can patch their way round it. Here I'm using Mimikatz 2.0 to handle that.

[box]

privilege::debug
crypto::cng
crypto::capi
crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:MY /export

[/box]

2. All being well you should see something like this.

3. All your computer certs (in this case I only have one so I don’t have to hunt though them) will be in the Mimikatz directory.

4. Import the certificate on a machine that does not have one (or an iPad, phone, tablet, Mac, Linux box etc.).

5. Connect without error on the new machine.

The moral of the story is, where possible don't rely on computer certificates on their own; couple them with usernames/passwords or two-factor authentication. The 'non-exportable' flag is not a security boundary against anyone with local administrator rights on the machine. If you do need to authenticate the machine itself, put the key somewhere Mimikatz can't reach it: issue the certificate against a TPM-backed key (the Microsoft Platform Crypto Provider), so the private key never exists in software in the first place.
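To find out how exposed your own estate is to the technique above, as an added example that is not part of the original article: an inventory of where each computer certificate's private key actually lives. A key in the software KSP/CSP can be lifted as shown whatever its 'exportable' flag says; a key held by the TPM provider cannot leave the chip. It covers RSA keys only, and needs to run elevated to read machine keys.

```powershell
# Added example (not from the article): report the key provider and export flag for every
# certificate with a private key in LocalMachine\My. RSA keys only; run elevated.
function Get-MachineCertKeyReport {
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
        $provider = $null; $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the KSP name tells you whether it is software or TPM backed
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) -ne 0
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # legacy CAPI key (the crypto::capi case above)
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch { $provider = "error: $($_.Exception.Message)" }
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            Provider           = $provider
            TpmBacked          = ($provider -eq 'Microsoft Platform Crypto Provider')
            SoftwareExportable = $exportable
        }
    }
}

# Usage:
# Get-MachineCertKeyReport | Format-Table Subject, Provider, TpmBacked, SoftwareExportable -AutoSize
```

Treat every row where TpmBacked is False as extractable by a local administrator, regardless of what SoftwareExportable says; that column only tells you whether the export is a one-click operation or needs the patching shown above.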

 

Related Articles, References, Credits, or External Links

NA

Event ID 1988

KB ID 0000261 

Problem

Event ID 1988

Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local….

in other domains in the forest are known as “lingering objects”.

Domain controllers running with "strict replication consistency" refuse to replicate in an object they have already deleted and garbage-collected, so an item that is still "hanging about" on another DC (a lingering object) needs deleting.

Solution

Option 1

1. In the event text you will see the following information…

Source DC (Transport-specific network address): 9160d4ef-7d65-45fd-aa8e-624acff91688._msdcs.domaina.com Object: CN=926e60b0-13d9-447d-bff6-70334e598823\0ADEL:dc784939-66f9-4433-9830-28fd0f965736,CN=Deleted Objects,CN=Configuration,DC=domaina,DC=com Object GUID: dc784939-66f9-4433-9830-28fd0f965737

The two things you need from that are the GUID of the source domain controller (in the example above that's 9160d4ef-7d65-45fd-aa8e-624acff91688) and the partition the object lives in, which is the tail of the Object DN: here that's CN=Configuration,DC=domaina,DC=com (for an object in the domain partition it would be just DC=domaina,DC=com). Note which way round this is: the source DC is the one that still HAS the lingering object; the domain controller that logged the event is the one that (correctly) refused it, so it is your clean reference copy.

2. At the top of the event it will give you the server name (hint: it's the server the event log is on).

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1988
Date: 26/05/2010
Time: 09:34:59
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER01

3. So in this example the reference DC is SERVER01. You also need its DSA object GUID (repadmin /showrepl SERVER01 prints "DSA object GUID" near the top of its output), and the host name of the source DC, which you get by resolving its GUID: nslookup 9160d4ef-7d65-45fd-aa8e-624acff91688._msdcs.domaina.com.

4. Start > Run > cmd {Enter}.

5. Issue the following command; the first argument is the DC to clean (the source DC from the event), the second is the GUID of the reference DC, the third is the partition;

[box]repadmin /removelingeringobjects {Source-DC-Name} {DSA-GUID-of-SERVER01} CN=Configuration,DC=domaina,DC=com /advisory_mode[/box]

/advisory_mode only reports what it would delete (check the Directory Service log on the DC being cleaned: event 1946 per object found, 1942 as the summary). When you are happy with the list, run it again without /advisory_mode to actually remove the objects, then run it once per partition on every other DC as well, since lingering objects are rarely confined to one.

IMPORTANT: If either server is Windows Server 2000 this won't work! You need to do this instead.
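Reading the GUID and the partition off the event by eye is where this goes wrong in practice, so here is the extraction scripted, as an added example that is not part of the original article. It parses an Event 1988 message, derives the naming context from the object DN, resolves the source DC's GUID to a host name via its _msdcs CNAME, pulls the reference DC's DSA GUID from repadmin /showrepl, and assembles the advisory-mode command. The sample message is constructed from the values shown above; Resolve-DnsName and repadmin only succeed on a domain-joined machine, and the command is returned, not executed.

```powershell
# Added example (not from the article): turn an Event 1988 message into the repadmin command.
# The sample message below is constructed from the article's example values.
function ConvertFrom-LingeringObjectEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Message,
        [Parameter(Mandatory)][string]$LoggingDC      # the DC that logged 1988 = clean reference copy
    )
    process {
        if ($Message -notmatch 'Source DC[^:]*:\s*(?<guid>[0-9a-f-]{36})\._msdcs\.(?<forest>[\w.-]+)') {
            throw 'No source DC GUID in message'
        }
        $sourceGuid = $Matches.guid; $forest = $Matches.forest
        if ($Message -notmatch 'Object:\s*(?<dn>.+?)\s+Object GUID:') { throw 'No object DN in message' }
        $dn = $Matches.dn
        # The partition is the tail of the DN: DC=... for the domain NC (or an application
        # partition such as DC=DomainDnsZones,...), CN=Configuration,DC=... or CN=Schema,CN=Configuration,DC=...
        if ($dn -notmatch '(?<nc>(?:CN=Schema,)?(?:CN=Configuration,)?DC=.+)$') { throw "Cannot derive NC from $dn" }
        $nc = $Matches.nc
        # The GUID._msdcs CNAME maps the source DC's GUID back to its host name
        $sourceDc = $null
        try {
            $sourceDc = (Resolve-DnsName -Name "$sourceGuid._msdcs.$forest" -Type CNAME -ErrorAction Stop |
                Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
        } catch { }
        # DSA object GUID of the clean DC, from repadmin /showrepl
        $refGuid = $null
        try {
            $out = (& repadmin.exe /showrepl $LoggingDC 2>$null) -join "`n"
            if ($out -match 'DSA object GUID:\s*(?<g>[0-9a-f-]{36})') { $refGuid = $Matches.g }
        } catch { }
        $target = if ($sourceDc) { $sourceDc } else { "<host of $sourceGuid>" }
        $ref    = if ($refGuid)  { $refGuid }  else { "<DSA GUID of $LoggingDC>" }
        [pscustomobject]@{
            SourceDCGuid  = $sourceGuid
            SourceDC      = $sourceDc
            ReferenceDC   = $LoggingDC
            NamingContext = $nc
            AdvisoryCmd   = "repadmin /removelingeringobjects $target $ref $nc /advisory_mode"
        }
    }
}

# Constructed sample, built from the values in the event shown above
$sample = 'Source DC (Transport-specific network address): 9160d4ef-7d65-45fd-aa8e-624acff91688._msdcs.domaina.com ' +
          'Object: CN=926e60b0-13d9-447d-bff6-70334e598823\0ADEL:dc784939-66f9-4433-9830-28fd0f965736,CN=Deleted Objects,CN=Configuration,DC=domaina,DC=com ' +
          'Object GUID: dc784939-66f9-4433-9830-28fd0f965737'
$sample | ConvertFrom-LingeringObjectEvent -LoggingDC SERVER01 | Format-List

# Live use: feed it the real events from the Directory Service log on the DC that logged them
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1988 } -MaxEvents 5 |
#     ForEach-Object { $_.Message | ConvertFrom-LingeringObjectEvent -LoggingDC $env:COMPUTERNAME }
```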

Option 2

1. Disable strict replication consistency on the domain controller that is refusing replication. Be aware of what this does: it puts the DC back into "loose" mode, so the lingering object will simply replicate back in rather than being removed. Prefer Option 1 where you can, and set the value back to 1 as soon as you have cleaned up. Start > Run > regedit {Enter}.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters > In the right hand pane either create or modify the DWORD value "Strict Replication Consistency".

3. Set it as follows,

  • Value: 1 (0 to disable)
  • Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.
  • Data type: REG_DWORD

Related Articles, References, Credits, or External Links

NA

PowerShell Web Access

KB ID 0001036

Problem

One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.

What is PowerShell Web Access?

It's a web service that runs on a Server 2012 (or newer) IIS web server. It lets you connect to that host remotely (via HTTPS) and then launch a PowerShell remoting session to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell; you don't even need to have PowerShell on the remote machine (as demonstrated below), that machine does not even have to be Windows. It just needs a browser that can run JavaScript and accept cookies.

You Expect Me to Open All My Servers To Remote Management?

In a word, yes. In fact if you have Server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management service on your legacy machines, DO SO! If not, all the modern domain management tools will gradually stop working. As far as Microsoft is concerned PowerShell is the tool that all the management tools will be built on.

In fact if you are a security conscious type, you probably already have domain services in your DMZ; think of this as a secure 'reverse proxy' for management, whose traffic is secured by TLS on the way in and by WinRM (Kerberos) on the way to the target. It is still a privileged entry point into everything it can reach, so keep the authorization rules tight and put it behind the same controls (MFA, source address restrictions, logging) as any other remote administration gateway.

Solution

Setting Up PowerShell Remote Access

1. PowerShell web access is a ‘windows feature’ add it with the following command;

[box]

Add-WindowsFeature WindowsPowerShellWebAccess
[/box]

 

2. Now it’s available you can install it like so;

[box]

Install-PswaWebApplication

Note: My target server is already running IIS and has a certificate binding for https; yours probably does not, if so generate a self-signed certificate and assign it like so;

Install-PswaWebApplication -UseTestCertificate

Obviously in production replace this certificate with either a publicly signed one, or one from your own PKI environment; the test certificate only lasts 90 days and browsers will not trust it.

[/box]

3. Now you need to allow access, the following allows all users to all machines to do everything (Note: I would not recommend this for a production environment, see next step).

[box]Add-PswaAuthorizationRule * * *[/box]

4. As I said above, lets be a little more secure, I’ve created a computer group, for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do, you could give granular remote access to different levels of administrative groups using this, if that’s a requirement see this article.

[box]

Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigurationName *

[/box]

5. So now if you connect to the server over https (it creates a virtual directory called pswa), you will need to go to https://{ip address or hostname}/pswa.

PowerShell Web Access – It Doesn’t Work!

If at this point there's a problem, ensure the server and the client you are trying to connect to have comms (can they ping each other by name and IP). Most importantly, the machine you need to connect to needs to have WinRM running and its firewall configured properly.

Configure Windows Remote Management for a Single Host

From an elevated command prompt execute the following command and follow the on-screen prompts;

[box]winrm quickconfig[/box]

Configure Windows Remote Management via Group Policy

A better approach would be to configure your hosts via GPO. You can find the correct GPO at;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'

[/box]

Enable the policy and select which networks you want to allow remote connections from; above I've simply used asterisks to denote 'all addresses' (in production restrict this to your management subnet). Note this policy only configures the listener: the WinRM service also needs to be running (on workstations it is Manual by default, so set it to Automatic under System Services in the same GPO), and the inbound 'Windows Remote Management (HTTP-In)' firewall rule needs to be allowed.

Providing all is well, you should have PowerShell access.
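Two checks to run on the gateway once it is up, as an added example that is not part of the original article: an audit of the authorization rules for the '* * *' any-user-to-any-host pattern from step 3, and a test that a given user/computer pair both passes the rules and has a reachable WinRM listener, which covers the two causes of "it doesn't work" above before anyone tries it in a browser. The group and machine names are the article's examples.

```powershell
# Added example (not from the article): audit PSWA authorization rules and pre-check a target.
# User and computer names are assumptions.
Import-Module PowerShellWebAccess

function Get-PswaRuleAudit {
    foreach ($rule in Get-PswaAuthorizationRule) {
        $wild = @()
        if ($rule.User -eq '*')              { $wild += 'User' }
        if ($rule.Destination -eq '*')       { $wild += 'Destination' }
        if ($rule.ConfigurationName -eq '*') { $wild += 'ConfigurationName' }
        $risk = 'scoped'
        if ($wild -contains 'User' -or $wild -contains 'Destination') { $risk = 'broad' }
        if ($wild.Count -eq 3) { $risk = 'any user to any host: remove' }
        [pscustomobject]@{
            Id            = $rule.Id
            RuleName      = $rule.RuleName
            User          = $rule.User
            Destination   = $rule.Destination
            Configuration = $rule.ConfigurationName
            Wildcards     = ($wild -join ',')
            Risk          = $risk
        }
    }
}

function Test-PswaTarget {
    param(
        [Parameter(Mandatory)][string]$UserName,      # DOMAIN\user
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ConfigurationName = 'Microsoft.PowerShell'   # PSWA's default session configuration
    )
    # Returns the rule(s) that would admit this pair, or nothing if none does
    $allowed = Test-PswaAuthorizationRule -UserName $UserName -ComputerName $ComputerName `
        -ConfigurationName $ConfigurationName -ErrorAction SilentlyContinue
    # The gateway still needs to reach WinRM on the target, whatever the rules say
    $winrm = $false
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $winrm = $true } catch { }
    [pscustomobject]@{
        UserName       = $UserName
        ComputerName   = $ComputerName
        RuleAllows     = [bool]$allowed
        WinRmReachable = $winrm
        MatchingRules  = (@($allowed | ForEach-Object { $_.RuleName }) -join ', ')
    }
}

# Usage, on the PSWA gateway:
# Get-PswaRuleAudit | Format-Table -AutoSize
# Test-PswaTarget -UserName 'PETENETLIVE\pete' -ComputerName 'DC01'
```

Remove any rule the audit flags as 'any user to any host' with Remove-PswaAuthorizationRule -Id {Id}; the group-scoped rule from step 4 should be the only thing left.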

 

PowerShell from an Apple IOS Device (iPad shown)

PowerShell from an Android Device (Samsung Note shown)

Related Articles, References, Credits, or External Links

NA