Are there any scripts or reports that would give me information on VMware VM’s with snapshots?
I was pretty sure this was a straightforward one, so I jumped on the test network.
Solution: Get Snapshot Information
Connect to your vCenter and use the following commands.
[box]
Connect-VIServer vCenter-Name
(authenticate when prompted)
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created
[/box]
That was easy!
Get Snapshot Information: With RVTools
You can also get the same information from RVTools, which, if you don’t already use it, you should!
Solution: PowerShell Delete Snapshots
You can delete all snapshots by simply piping the command above to Remove-Snapshot, but you will probably want to do that on a VM-by-VM basis. Use the following command;
[box]
Get-VM VM-Name | Get-Snapshot | Remove-Snapshot
[/box]
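As an added example (not code from the original post), here is a PowerCLI script that builds on the two commands above: it reports only snapshots older than a chosen age, sorted by size, and then removes them one VM at a time. The vCenter name, the seven-day threshold and the -WhatIf switch are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI is
# installed; 'vCenter-Name' and $maxAgeDays are placeholders/assumptions.
Connect-VIServer -Server 'vCenter-Name'      # prompts for credentials

$maxAgeDays = 7                              # assumption: older than a week = stale
$now        = Get-Date

# Collect the snapshot objects once; filtering on the object (rather than on
# a Select-Object projection) keeps the VM/snapshot link for the removal step.
$stale = Get-VM | Get-Snapshot |
    Where-Object { ($now - $_.Created).TotalDays -gt $maxAgeDays } |
    Sort-Object SizeGB -Descending

# Same columns as the report in the post, plus the age in days.
$stale |
    Select-Object VM, Name, SizeGB, Created,
        @{ Name = 'AgeDays'; Expression = { [int]($now - $_.Created).TotalDays } } |
    Format-Table -AutoSize

# Remove VM by VM, as the post recommends. -WhatIf only shows what would be
# consolidated; drop it once the list looks right. -Confirm:$false suppresses
# the per-snapshot prompt so the loop can run unattended.
foreach ($group in ($stale | Group-Object { $_.VM.Name })) {
    Write-Host "Cleaning up $($group.Count) snapshot(s) on $($group.Name)"
    $group.Group | Remove-Snapshot -Confirm:$false -WhatIf
}

Disconnect-VIServer -Server 'vCenter-Name' -Confirm:$false
```

Sorting largest-first matters in practice: consolidating a big snapshot on a busy datastore can take a long time and stun the VM, so you want to see those before you take -WhatIf off.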
Related Articles, References, Credits, or External Links
There are lots of reasons you might want to know your PC’s or server’s uptime: to make sure a client has rebooted a server (like you asked them to), or to see if a server has had a BSOD and rebooted overnight, etc.
Check Uptime with Task Manager
You can get your uptime from the Task Manager’s “Performance” tab.
To launch Task Manager: Start > Run > Taskmgr.exe {enter}, or press CTRL+SHIFT+ESC, or right-click the Task bar > Select Task Manager.
Option 2 – Use Systeminfo to find Uptime
From the command line execute the following command;
[box]
systeminfo | find /I "boot"
[/box]
Option 3 -Use Net Statistics to find Uptime
You can get uptime information by querying either the workstation service or the server service; issue one of the following commands;
[box]
net statistics workstation
[/box]
Or the following command;
[box]
net statistics server
[/box]
Option 4 – Use Uptime.exe to find Uptime
Download uptime.exe and put a copy in your “System32” directory; you can then use the uptime command.
Option 5 – Use WMI (Windows Management Instrumentation) to find Uptime
Issue the following command;
[box]
wmic os get lastbootuptime
[/box]
As you can see the result is not pretty; it is presented in the WMI date-time format (yyyymmddhhmmss.microseconds, followed by the offset from UTC in minutes).
20120109081112.925800+000 = Year 2012, Month 01, Day 09, Time 08:11:12 (UTC)
Option 6 – Check the Event Log to find Uptime
Launch the Event Viewer (eventvwr.msc) > Windows Logs > System Log > Find > Search for Event ID 6005. (Note: this event gets logged each time the server boots, as the event log service starts.) Event ID 6006 will be labelled “The event log service was stopped.” This is synonymous with system shutdown.
Note: Event ID 6013 is logged periodically; it shows the machine’s uptime at that point.
Note: In the event of an abnormal shutdown, look for Event ID 6009, which records the processor information detected at boot time, and Event ID 6008, which tells you that the system started after it was not shut down properly.
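The WMI option and the event log option above both leave you with something to decode by hand. As an added example (not from the original post), the script below converts the raw WMI string into a readable boot time, works out the current uptime, and lists the boot/shutdown events the post describes with a plain-English label. The sample WMI string is the one quoted above; the event ID meanings are taken from the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# window on the machine whose uptime you want.

# 1. Decode the raw string that 'wmic os get lastbootuptime' prints.
#    Constructed sample, copied from the post. Format is
#    yyyyMMddHHmmss.ffffff followed by the UTC offset in minutes.
$rawWmi   = '20120109081112.925800+000'
$bootTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($rawWmi)
"Decoded boot time (local): $bootTime"

# 2. Live value and current uptime. Get-CimInstance already returns a
#    DateTime, so no conversion is needed here.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
"Last boot: $($os.LastBootUpTime)  Uptime: {0}d {1}h {2}m" -f $uptime.Days, $uptime.Hours, $uptime.Minutes

# 3. The System-log events the post lists, newest first, with their meaning.
$meaning = @{
    6005 = 'Event log service started (boot)'
    6006 = 'Event log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected'
    6009 = 'Processor/OS information recorded at boot'
    6013 = 'Periodic uptime report'
}
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = [int[]]$meaning.Keys } -MaxEvents 25 |
    Select-Object TimeCreated, Id, @{ Name = 'Meaning'; Expression = { $meaning[$_.Id] } }
```

Reading the events in order is the quickest way to spot the BSOD case from the introduction: a 6008 with no 6006 before it means the box came back from something other than a clean shutdown.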
Option 1 – Use Uptime.exe to get a Remote Machines Uptime
As already mentioned above, download uptime.exe and extract it to your System32 directory. Then, to get a remote machine’s uptime, use the following command;
For everyone who does not simply disable the Windows firewall, you need to be able to manage which ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
7. As this is a new policy the list will be empty (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053 over TCP; the asterisk means ‘from anywhere’; I’ve enabled the rule and called it McAfee Move.
<Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’, or ‘*’ for everywhere. You can enter multiple values separated by commas.
<Name>: A simple text entry to define what the exception is.
8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)
10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.
11. If you open the rule you can see it’s been applied by group policy, and check the correct port has been defined.
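Steps 10 and 11 check the result by hand in WF.msc. As an added example (not from the original post), the script below does the same check from PowerShell: it pulls the rules actually in effect on the machine, finds the one for the port, and confirms it came from Group Policy rather than a local edit. The port number follows the example rule above and the test host name is a placeholder.

```powershell
# Added example, not from the original post. $port matches the GPO rule in
# the post (change it to suit); the host name at the bottom is a placeholder.
$port = 9053

function Get-EffectivePortRule {
    param([int]$Port)
    # ActiveStore = the merged result of local rules and Group Policy rules,
    # i.e. what the firewall is really enforcing right now.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
        ForEach-Object {
            $rule = $_
            $pf   = $rule | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -eq "$Port") {
                [pscustomobject]@{
                    DisplayName = $rule.DisplayName
                    Action      = $rule.Action
                    Profile     = $rule.Profile
                    FromGPO     = ($rule.PolicyStoreSourceType -eq 'GroupPolicy')
                    Source      = $rule.PolicyStoreSource   # the GPO name when FromGPO is true
                }
            }
        }
}

Get-EffectivePortRule -Port $port | Format-Table -AutoSize

# Belt and braces: confirm the GPO was applied to the computer at all, and
# that the port now answers from another host on the network.
gpresult /r /scope computer
Test-NetConnection -ComputerName 'move-offload-01' -Port $port   # placeholder host
```

If FromGPO comes back false, the rule you are looking at is a local one and the policy has not landed yet; run gpupdate /force as in step 9 and check again.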
Related Articles, References, Credits, or External Links
Back in Part One we set up our migration admin account and installed ADMT. Now, as I’m going to migrate the users’ passwords, I need a ‘Password Export Server’, but first I need to tackle the subject of user SIDs.
Solution
Domain Migrations and SID Filtering
Every user has a SID (Security Identifier); it’s the thing AD uses to refer to and apply security to users (and other objects). This is why you can rename a user and their security does not change (because the SID always remains the same). Why is this important for domain migrations? Well, if you’re doing a migration that takes place over a period of time, users in the NEW domain may still need access to things IN the OLD domain (like file shares, printers, applications etc).
This is a problem because when you set up a domain trust it enables SID filtering (back in part one it told you this, here). So if a user in newdomain.com tries to access a folder in olddomain.com that they could access before the migration, they won’t be able to, because their SID has changed to a new SID in the new domain. Even if you migrated their old SID, it gets filtered out as the user comes back over the trust.
How do we fix that? We need to do two things,
Migrate the user’s old SID to newdomain.com (this then becomes their sIDHistory attribute)
Disable SID filtering in olddomain.com (To allow the sIDHistory attributes to come back over the trust)
This lets users in the new domain have their NEW SID, and their OLD SID.
Migrating the users’ SIDs is simple (it’s just a box you tick when running a migration; you will see that later). Disabling SID filtering can be a little confusing: where do you do it, and which way round do you execute the command? I’ve solved the first one for you above: you disable SID filtering on the OLD domain. The following diagram will explain why;
Usually users DON’T have a sIDHistory attribute (unless they’ve been migrated before!). They only have a SID (the objectSID attribute). To demonstrate, let’s jump forward in time and look at a migrated user (ABarksdale).
Click to enlarge the above image, and inspect the user’s SID (objectSID) and old SID (sIDHistory) attributes.
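The screenshot shows the two attributes in ADSI Edit. As an added example (not from the original post), the script below reads the same objectSID and sIDHistory values with the ActiveDirectory module, lists every account in the new domain that already carries a history SID, and shows whether SID filtering is still on for the trust. The user name and domain names are the ones used in the post; it assumes RSAT is installed on the machine you run it from.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT). 'ABarksdale', newdomain.com and olddomain.com are the
# post's own example names.
Import-Module ActiveDirectory

# Current SID versus the SID carried over from olddomain.com.
Get-ADUser -Identity 'ABarksdale' -Server 'newdomain.com' -Properties sIDHistory |
    Select-Object SamAccountName,
        @{ Name = 'objectSID';  Expression = { $_.SID.Value } },
        @{ Name = 'sIDHistory'; Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', ' } }

# Every account in the new domain that already has a history SID. Handy for
# tracking migration progress, and for the audit afterwards: sIDHistory grants
# access in the old domain and should be cleared once that domain is retired.
Get-ADUser -Server 'newdomain.com' -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    Select-Object SamAccountName, @{ Name = 'HistoryCount'; Expression = { @($_.sIDHistory).Count } }

# Is SID filtering ("quarantine") on for the trust? Query the OLD domain,
# which is where the post says it must be disabled for sIDHistory to be honoured.
Get-ADTrust -Server 'olddomain.com' -Filter * |
    Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware
```

SIDFilteringQuarantined is the setting the post's netdom /quarantine command flips; re-run the last query after you change it to confirm it took.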
As the name implies, this is a piece of software that runs on the source domain, (on a domain controller,) that ADMT uses to migrate user passwords. Before you can do this, you need to create a ‘key’ in the NEW domain, (where ADMT is running). Then, you use that key to setup the password export server in the OLD domain.
password: can be anything you want, but you will need it to setup the password export server, so don’t forget it.
If it runs OK, find your keyfile, then copy this to the domain controller in the old domain you are going to install the password export server service on.
There are two versions of the password export server software (a 32-bit and a 64-bit version). Download and install the version applicable to your source domain controller.
Note: The install requires a reboot of the server, you might want to do this at the end of the day.
The install is pretty simple, Accept the EULA, browse to the keyfile, and enter the password you used above.
Specify a user account to run the service as, (I just use the ADMTAdmin account we’ve already created).
Finish the install, and let it reboot.
After a reboot, if you look in the services (Start > Run > services.msc). You will see the ‘Password Export Server Service’.
Note: You will also notice the startup type for the service is ‘Manual’. ONLY start this service when you are actually migrating passwords.
ADMT: Granting Local Rights to ADMT user in the Source Domain.
To migrate machines, the ADMTAdmin user needs “Local” administrative access on all the source machines. The easiest way to do this is via group policy, using ‘Restricted Groups’. This allows you to take a group (or user) and put them in the local groups (including Administrators) of the targeted machines.
In the OLD domain, create a group and put the ADMTAdmin from the target domain in it. (I put the domain admin from the target domain in it as well, to be on the safe side, but that’s up to you).
Note: You may see this a few times while doing migrations. Notice above the user icon there’s a small red curved arrow (below); that logo denotes a ‘Foreign Security Principal’. It’s not really our user at all; it’s a special object that AD creates in a hidden OU (turn on advanced mode in AD Users and Computers and you can see them).
Create a new GPO that will apply to the computers/servers you are going to migrate.
To test it has applied, on a client run ‘gpresult -R’ at an administrative command prompt.
You can of course, simply check the local administrators group to make sure the new group is in there.
ADMT: Additional GPO Note
To perform computer migrations (and security translations), ADMT needs to deploy an ‘agent’ to the machines in the OLD domain. The local firewall (if enabled) can stop this, so I simply disable the local firewall. (If someone wants to send me a list of ports to add to make it work, I’ll publish them.) But even the Microsoft documentation on TechNet says to disable the firewall.
Create a new GPO linked to where your source computers are, (here I’m just linking to the root of the domain).
In addition I have also seen the agent fail to deploy if the ‘Remote Registry Service’ is not running on the target machines, (it’s disabled by default). So I use this policy to turn that on as well.
In the same GPO navigate to;
[box]Computer Configuration > Polices > Windows Settings > Security Settings > System Services[/box]
Locate the ‘Remote Registry’ service, and set its startup to Automatic.
If you want to do this, and you do a quick internet search, all results come back as either suggesting using psshutdown or writing a script then scheduling that. I suppose a script is a good idea if you want to reboot at 01:00 every day for example. But what if you want to reboot a client server once at 17:00 and it’s 10:00 in the morning? Chances are, if you’re like me, you will be working on something different at 17:00 and forget!
Solution
1. Painfully simple: open a command window (Windows Key+R > cmd {Enter}).
2. Execute the command below. Obviously change the time accordingly;
[box]
at 10:15:00 shutdown /r /f
[/box]
3. Then the machine will reboot at the specified time.
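The at command does the job on older servers, but it is deprecated on newer Windows versions, where the Task Scheduler cmdlets are the supported way to do the same thing. As an added example (not from the original post), the script below registers a one-off reboot at 17:00 that runs as SYSTEM and deletes itself afterwards, then shows how to confirm or cancel it. The task name and the time are assumptions.

```powershell
# Added example, not from the original post. Task name and the 17:00 time are
# assumptions. Run from an elevated PowerShell window on the machine to reboot.
$rebootAt = (Get-Date).Date.AddHours(17)                              # today at 17:00
if ($rebootAt -lt (Get-Date)) { $rebootAt = $rebootAt.AddDays(1) }    # already past? tomorrow

# Same shutdown switches as the post, plus a 60 s grace period and a message
# so anyone logged on knows why the box is going down.
$action  = New-ScheduledTaskAction -Execute 'shutdown.exe' `
               -Argument '/r /f /t 60 /c "Scheduled one-off reboot"'
$trigger = New-ScheduledTaskTrigger -Once -At $rebootAt
# An end boundary is required for the scheduler to delete the task after it fires.
$trigger.EndBoundary = $rebootAt.AddHours(2).ToString('s')
$settings  = New-ScheduledTaskSettingsSet -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 5)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'OneOffReboot' -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# Verify when it will fire...
Get-ScheduledTask -TaskName 'OneOffReboot' | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime

# ...and how to cancel if the client changes their mind.
# Unregister-ScheduledTask -TaskName 'OneOffReboot' -Confirm:$false
```

Running as SYSTEM means the reboot does not depend on your admin account still being logged on, which is the usual reason an at job silently fails to fire.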
Related Articles, References, Credits, or External Links
I have a portable drive that I carry in my laptop bag that has all the service packs and ISO images that I might need. The problem is, when I install service packs and updates on clients’ servers and PCs, they have a habit of creating folders on my portable drive that are a pain to delete. While tidying up the drive today, it was telling me I did not have the rights to do so. When I tried to take ownership of the folder this happened;
An error occurred while applying security information to
{Foldername}
Failed to enumerate objects in the container. Access is denied.
I hadn’t seen this myself but it was asked in a forum the other day so I replicated it on the test bench.
You were not connected because a duplicate name exists on the network. Go to System in Control Panel to change the computer name and try again.
or
You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup choose another workgroup name.
Solution
Those ‘recommendations’ are NOT what you should be doing to fix this problem!
This is happening because a resource you are trying to connect to (another PC or server) is addressable by two different names. As you can see below, if I ping the server name ‘dc1b’ and ‘files’, the same IP address responds.
In my case that’s because I’ve got a CNAME entry in my DNS for files, that points to the server name dc1b.
Note: If you have two Host A records, I would recommend deleting the additional one and using a CNAME entry instead.
Note2: If the client exhibiting the problem has multiple entries in its ‘hosts’ file that point to the same IP you can also see this problem.
Fix
1. On the server/computer you are connecting TO > Windows Key+R > regedit {Enter}.
2. Create a new DWORD Value (or 32-bit DWORD if you are on a newer OS).
3. Call the value DisableStrictNameChecking and set its value to decimal 1 (one).
4. Then either reboot the server, or Windows Key+R > services.msc {Enter} > Locate the Server service > Restart.
5. At this point your client should be able to connect via either name.
It’s Still Not Working
In some cases you need to set an alias SPN (Service Principal Name). If you are still running Server 2003, download and install this update first (or it won’t know what setspn.exe is).
Syntax
[box]
setspn -A host/<Alias Name> <Host Name>
setspn -A host/<Alias FQDN> <Host Name>
e.g.
setspn -A host/files dc1b
setspn -A host/files.domainb.com dc1b
[/box]
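As an added example (not from the original post), here is the whole fix above as a PowerShell script run on the server being connected to: it shows the two names resolving to the same address, sets DisableStrictNameChecking, restarts the Server service, and then registers the alias SPNs. The alias and server names are the post's (files, dc1b, files.domainb.com). The registry key path is the standard Server service parameters key, which the post itself does not spell out.

```powershell
# Added example, not from the original post. Names are the post's examples;
# the registry key is the standard LanmanServer parameters key (the post
# names the value but not the key).
$alias  = 'files'
$fqdn   = 'files.domainb.com'
$server = 'dc1b'
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Show the symptom: alias and real name resolve to the same address.
$alias, $server | ForEach-Object { Resolve-DnsName -Name $_ } |
    Select-Object Name, Type, IPAddress, NameHost

# Steps 1-4 of the fix. -Force overwrites the value if it already exists.
New-ItemProperty -Path $key -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null
Restart-Service -Name LanmanServer -Force          # the 'Server' service
Get-ItemProperty -Path $key -Name 'DisableStrictNameChecking' |
    Select-Object DisableStrictNameChecking

# "It's Still Not Working": the alias SPNs. -X first reports duplicate SPNs
# forest-wide, which breaks Kerberos just as surely as a missing one.
setspn -X
setspn -L $server                                  # what the server already has
setspn -A "host/$alias" $server
setspn -A "host/$fqdn"  $server
setspn -L $server                                  # confirm both were added
```

On Server 2008 and later, setspn -S does the same as -A but refuses to create a duplicate, so it is the safer switch once you know the update from the post is in place.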
Related Articles, References, Credits, or External Links
After a large AnyConnect 4 roll-out, I had the following conversation with a client;
Client: Can we change the way the clients authenticate?
Me: Yes, no problem, what do you need?
Client: Well, instead of user-based certificate authentication, we want to use computer certificates only.
Me: Really, why?
Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and get a user certificate before they can be deployed.
Me: If we can, and a user exports the cert onto another device, that device will be able to connect as well.
I then pondered on just how difficult this would be to do. I had a fully working (certificate based) VPN solution running on the bench that I’d used to ‘proof of concept’ the clients requirements. Why don’t I attempt to compromise that for educational purposes 🙂
Disclaimer: As stated, this post is for educational purposes only, not so you can get a free VPN or Wireless connections.
Solution
1. By default, computer certs issued by Microsoft Certificate Services have their private key marked as ‘non-exportable’ to stop people doing things like this. But just because Windows won’t let you do this does not mean you can’t do it. Here I’m using Mimikatz 2.0 to handle that.
2. All being well you should see something like this.
3. All your computer certs (in this case I only have one, so I don’t have to hunt through them) will be in the Mimikatz directory.
4. Import the certificate on a machine that does not have one. (Or an iPad, phone, tablet, MAC, Linux box etc.)
5. Connect without error on the new machine.
The moral of the story is, where possible don’t rely on computer certificates on their own, couple them with user-names/passwords or two factor authentication.
Related Articles, References, Credits, or External Links
The only info you need from that is the GUID of the source domain controller; in the example above that’s 9160d4ef-7d65-45fd-aa8e-624acff91688. Also take note of the domain “DC=domaina,DC=com”.
2. At the top of the event error it will give you the server name (hint: it’s the name of the server the event log is on).
IMPORTANT: If either server is Windows Server 2000 this won’t work! You need to do this instead.
Option 2
1. Disable strict replication on your domain controllers. Start > Run > regedit {Enter}.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters > In the right-hand pane either create or modify the DWORD value “Strict Replication Consistency”.
3. Set it as follows,
Value: 1 (0 to disable)
Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.
Data type: REG_DWORD
Related Articles, References, Credits, or External Links
One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.
What is PowerShell Web Access?
It’s a web service that runs on a Server 2012 IIS web server. It lets you remotely connect to that host (via HTTPS) and then launch a secure PowerShell connection to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell; you don’t even need to have PowerShell on your remote machine (as demonstrated below, that machine does not even have to be Windows). It just needs a browser that can run JavaScript and accept cookies.
You Expect Me to Open All My Servers To Remote Management?
In a word, yes. In fact if you have Server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management service on your legacy machines, DO SO! If not, all the modern domain management tools will gradually stop working. As far as Microsoft is concerned, PowerShell is the tool that all the management tools will be built on.
In fact, if you are a security-conscious type, you probably already have domain services in your DMZ; think of this as a secure ‘reverse proxy’ whose traffic is secured by SSL and Kerberos.
Solution
Setting Up PowerShell Remote Access
1. PowerShell Web Access is a ‘Windows feature’; add it with the following command;
[box]
Add-WindowsFeature WindowsPowerShellWebAccess
[/box]
2. Now it’s available you can install it like so;
[box]
Install-PswaWebApplication
[/box]
Note: My target server is already running IIS and has a certificate binding for https; yours probably does not. If so, generate a self-signed certificate and assign it like so;
[box]
Install-PswaWebApplication -UseTestCertificate
[/box]
Obviously in production replace this certificate with either a publicly signed one, or one from your own PKI environment.
3. Now you need to allow access. The following allows all users to all machines to do everything (Note: I would not recommend this for a production environment; see next step).
[box]Add-PswaAuthorizationRule * * *[/box]
4. As I said above, let’s be a little more secure. I’ve created a computer group for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do; you could give granular remote access to different levels of administrative groups using this. If that’s a requirement, see this article.
5. Now connect to the server over https (it creates a virtual directory called pswa), so we will need to go to https://{ip address or hostname}/pswa.
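Step 4 is shown as a screenshot in the post. As an added example (not the post's own commands), the script below does the same from the PSWA cmdlets: it removes the wide-open rule from step 3, adds a rule scoped to a user group and a computer group, and then dry-runs the authorization decision for a couple of accounts before anyone is given the URL. The group, user and host names are assumptions.

```powershell
# Added example, not from the original post. Group, user and host names are
# assumptions; run on the PSWA gateway server.

# 1. Get rid of the '* * *' rule from step 3 if it is still there.
Get-PswaAuthorizationRule |
    Where-Object { $_.User -eq '*' -and $_.Destination -eq '*' } |
    ForEach-Object { Remove-PswaAuthorizationRule -Id $_.Id -Force }

# 2. One rule: this AD user group may reach this AD computer group, using the
#    default (unrestricted) endpoint. Point -ConfigurationName at a constrained
#    session configuration instead if you want to limit what they can run.
Add-PswaAuthorizationRule -RuleName 'PS admins to managed servers' `
    -UserGroupName     'CONTOSO\PswaAdmins' `
    -ComputerGroupName 'CONTOSO\PswaManagedServers' `
    -ConfigurationName 'Microsoft.PowerShell'

Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# 3. Test the decision the gateway will make, without logging in through the
#    browser. A match returns the rule; no output means access is denied.
Test-PswaAuthorizationRule -UserName 'CONTOSO\alice' -ComputerName 'srv01.contoso.com'   # in PswaAdmins: allowed
Test-PswaAuthorizationRule -UserName 'CONTOSO\bob'   -ComputerName 'dc01.contoso.com'    # not in either group: nothing
```

Test-PswaAuthorizationRule is worth keeping in your notes: when a user reports they "can log in but get an error", it tells you in one line whether the rules or the target host's WinRM setup is at fault.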
PowerShell Web Access – It Doesn’t Work!
If at this point there’s a problem, ensure the server and the client you are trying to connect to have comms (can they ping each other by name and IP?). Most importantly, the machine you need to connect to needs to have WinRM running and its firewall configured properly.
Configure Windows Remote Management for a Single Host
From an elevated command prompt execute the following command and follow the on-screen prompts;
[box]WinRM QuickConfig[/box]
Configure Windows Remote Management via Group Policy
A better approach would be to configure your hosts via GPO. You can find the correct GPO at;
[box]
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called ‘Allow automatic configuration of listeners’
[/box]
Enable the policy and select which networks you want to allow remote connections from, above I’ve simply used asterisks to denote ‘all addresses’.
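Whether you used WinRM QuickConfig or the GPO, the "It Doesn't Work" checks above come down to three questions: does the name resolve, is the port open, and does the WinRM service answer. As an added example (not from the original post), the function below answers all three for a target host from the gateway, and the commands after it show the listener and firewall state on the target itself. The host name is a placeholder.

```powershell
# Added example, not from the original post. $target is a placeholder.
$target = 'srv01.contoso.com'

function Test-WinRmReachable {
    param([string]$ComputerName)
    # Port 5985 is the default WinRM HTTP listener (5986 for HTTPS).
    $tcp   = Test-NetConnection -ComputerName $ComputerName -Port 5985 -WarningAction SilentlyContinue
    $wsman = $null
    try   { $wsman = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
    catch { }   # no answer: the service is off, or the firewall dropped us
    [pscustomobject]@{
        Computer     = $ComputerName
        ResolvesTo   = $tcp.RemoteAddress
        Port5985Open = $tcp.TcpTestSucceeded
        WinRmAnswers = [bool]$wsman
        StackVersion = $(if ($wsman) { $wsman.ProductVersion } else { $null })
    }
}

Test-WinRmReachable -ComputerName $target

# If all three are true, an actual remote session should work:
Invoke-Command -ComputerName $target -ScriptBlock { hostname }

# On the target itself: service state, listeners, and whether the firewall
# rules (local or from the GPO above) are enabled for the right profile.
Get-Service -Name WinRM | Select-Object Status, StartType
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, PolicyStoreSourceType
```

The usual culprit when Port5985Open is false but the service is running is the Profile column: the WinRM rules are often enabled only for the Domain profile, and a server whose NIC has landed on the Public profile will drop the connection.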
Providing all is well, you should have PowerShell access.
PowerShell from an Apple IOS Device (iPad shown)
PowerShell from an Android Device (Samsung Note shown)
Related Articles, References, Credits, or External Links