Category: Computing

Windows 10 Roll-out: WSUS, Group Policy and Installation

As a software development company we need to be a little ahead of the curve when it comes to adopting new releases of Windows Server and desktop environments, as we need to ensure that our software will continue to function when our clients decide to upgrade to the latest technologies. However, until recently, because our customers are large enterprises, which are traditionally slow to adopt new technology, we didn’t need to jump in immediately when a new OS was released. That has changed since we started to gain clients in emerging markets, Kenya and Nigeria specifically, who appear to be quicker to adopt the latest OS as they are experiencing rapid expansion and growth of their infrastructure.

So just over two months since the release of Windows 10 I undertook a pilot program to roll it out to a limited number of developers and create a small number of virtual machines for testing.

Edit: Since first writing this up the number of people that I have rolled Windows 10 out to now encompasses almost a third of the company.

But prior to the actual roll-out there are a couple of tasks that need to be done to ensure that the infrastructure for managing Windows 10 is in place, namely WSUS (Windows Server Update Services) and Group Policy.

WSUS was pretty simple as the product list it uses is updated automatically with new entries so it is just a matter of ticking the boxes to receive updates for those products. Open up the WSUS console, click on Options and then Products and Classifications. Tick all the relevant boxes to receive the Windows 10 updates.


Installing the Group Policy Administrative Templates (ADMX files) was more involved but again was pretty straightforward. I downloaded the ADMX files (Microsoft Administrative Templates for Windows 10). I also downloaded the ones for Windows 8.1 and Windows Server 2012 R2, as I’d realized that I’d somehow overlooked these previously.

Logged into one of the Domain Controllers and found the path to the SYSVOL folder’s location in the Central Store. Please note that if you’re following these instructions and do not have a central store in your domain, the SYSVOL location will have a different path.

Then opened the MSI installer to start the installation of the Administrative Templates. At the Select Installation Folder window I changed the folder from the default to the SYSVOL folder in the central store that I found previously.


If you have a Central Store for ADMX files, the location should be the same as or similar to the path below; just replace domain.com with your domain name.

C:\Windows\SYSVOL\sysvol\domain.com\Policies\PolicyDefinitions

Installed both sets of templates and then took a quick look at the Group Policy Settings reference spreadsheet to see what new settings have been added. The total number of settings is now over 3700!

The actual installs of Windows 10 have all gone very smoothly so far. As well as the relatively new developer PCs (1-2 years old) I have carried out Windows 10 upgrades on a variety of different older systems including a 5 year old desktop PC and a 4 year old laptop.



Microsoft’s Windows 10 hardware event in 9 minutes


The Verge have produced a video highlighting the best bits of Microsoft’s hardware presentation.



Unitrends DRaaS: Disaster Recovery as a Service

I use Unitrends Enterprise Backup as part of our disaster recovery system and I’m impressed with it.

Apparently Unitrends also provide a full DRaaS: Disaster Recovery as a Service and currently have a Limited time offer of free 500GB of Forever Cloud for all new customers!



How to shrink a VMDK: Shrinking a virtual disk in VMware ESXi

First open up Disk Management in Computer Management in your guest Windows environment.

Right click the volume on the disk you want to shrink.

Windows will inform you of the maximum amount it can shrink the disk by. Choose the amount that you actually wish to shrink it by and click Shrink.


Windows will start the shrinking process. It might take some time and appear to be hanging, as Windows will actually be defragmenting the disk in order to consolidate the free space towards the end of the disk before resizing the volume.

Once it is done and you are satisfied that the volume on the disk is the size you want, you need to shut down the VM.

SSH into the host and copy the VMDK file to make a backup of it. Copy just the descriptor file, not the flat file.

cp vmname.vmdk vmname-original.vmdk

Open up the VMDK file in a text editor and find the line that describes the size of the flat file. It will look similar to the following:

# Extent description

RW 209715200 VMFS "vmname-flat.vmdk"

The number is the size of the virtual disk in terms of disk sectors, where each sector is 512 bytes. So a 100GB virtual disk is 209715200 sectors.

You will need to change this number to correspond to the new disk size, where x = size in GB:

vmdk_size = [x * (1024*1024*1024)] / 512

I have chosen to shrink my disk to 60GB, so my new Extent description now reads as follows:

# Extent description

RW 125829120 VMFS "vmname-flat.vmdk"

You now need to clone the drive to get it to the new size:

vmkfstools -i vmname.vmdk vmname-new.vmdk

The bit we are interested in is the newly created vmname-new-flat.vmdk file.

Rename the old flat file from vmname-flat.vmdk to vmname-flat-old.vmdk

and rename the vmname-new-flat.vmdk file to vmname-flat.vmdk

Start the VM up and it should show the new smaller disk. When you are satisfied that everything is working you can now delete the old unneeded files from your datastore.



How to download the Windows 10 ISO

It is July 29th 2015 and Windows 10 has been released. If you have reserved your copy it will probably have downloaded by now and is ready for you to install it.

However

  • If you reserved your copy and it hasn’t downloaded yet.
  • You didn’t reserve your copy and you’ve found that you can’t download and install it yet due to Microsoft’s staggered roll-out.
  • You wish to do a fresh install.
  • You have multiple machines to upgrade and you don’t want to download the installation files many times.

Then what are your options?

You can jump the queue and do an in place install or download an ISO file of Windows 10 via a handy little tool that Microsoft has published called the Media creation tool.

The Media creation tool is a small EXE file that you just need to download and run to start the process. It comes in 32-bit and 64-bit versions and both will allow you to create 32-bit and 64-bit ISO files.

When you run it you’ll be given the option to either perform an upgrade of the PC you run it on or to create installation media for another PC. Choose the latter option, click Next, then choose the language, Windows version, and whether you want 32- or 64-bit architecture, or both.

You will then get the option to either download and create a bootable USB medium or to download and create an ISO file. Select the ISO file radio button, click Next yet again and choose a location to save it to.

The tool will download the files, verify them and then create the ISO file.



Moving TempDB to a new location.

We had a process running on a particular SQL server virtual machine which was causing the TempDB file to grow exponentially and as a result caused the C: drive to run out of space. In this case the best solution was to move the location of the TempDB from the default location to a new location on the very large second Virtual drive.

The process is pretty straightforward.
[via]

Firstly locate the current file path of TempDB.
SELECT name, physical_name AS CurrentLocation
FROM sys.master_files
WHERE database_id = DB_ID(N'tempdb');
GO

Secondly perform the actual move with the following code. Modify it to choose new locations appropriate to your system.
USE master;
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = tempdev, FILENAME = 'E:\TempDB\tempdb.mdf');
GO
ALTER DATABASE tempdb
MODIFY FILE (NAME = templog, FILENAME = 'E:\TempDB\templog.ldf');
GO



Cannot RDP to a Windows Server 2008 R2 virtual machine

A quite mystifying issue with one of the Citrix test machines was escalated to me this morning. The member of staff whose role it is to configure new test environments on the Citrix servers Skyped me to say that he couldn’t RDP to the machine but could access it via the vSphere client, and could I please take a look at it and see if I could work out what was going on.

It was in a hell of a state and I suspect that he’d had a good go at fixing things himself but had made matters much worse. The Remote Desktop Services role had been uninstalled for a start! Not that that would have actually made much of a difference, as RDP for Administration would still be available without that role installed.

From the command line I ran the following two commands.

netstat -a -o | findstr 3389
and
qwinsta

The first displays all the active TCP and UDP ports on which the computer is listening and then finds the string 3389, which is the default RDP port number. The second displays information about Remote Desktop sessions on a server. Neither returned any result.

I then restarted the Remote Desktop Services service.

Checked Remote Desktop Session Host and then at that point realised that RDS was no longer there. Reinstalled RDS and configured it to point at the license server again. A redundant step in terms of resolving the issue, but an important one in restoring the server back to full functionality.

Disabled the Windows Firewall completely.

From elevated command prompt I ran the following two commands.
sfc /scannow
regsvr32 remotepg.dll

I thought about checking Group Policy to ensure that nothing silly had been configured that would have denied RDP connections.

To do so would involve opening up the Group Policy Editor locally and then expanding the following.
Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections.
Allow users to connect remotely using Remote Desktop Services (enable or disable)

But the issue was more fundamental than that as I could see that the port itself wasn’t open.

Then decided to check whether the correct port number was assigned to the Remote Desktop Services and using information from this knowledge base article http://support.microsoft.com/kb/2477176 I checked the port number associated with RDP in the registry.

  • Ran regedit and opened the following registry subkey:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Desktop server\WinStations
  • Located the PortNumber registry entry.
  • Saw that the port number 3390 had been assigned.
  • Changed the port back from 3390 to 3389.
  • Saved the change, and then closed Registry Editor.

Tested RDP from my laptop and it worked.

Job done.

This strikes me as being a deliberate change. There is security advice out there that suggests changing the default port to something else, but I don’t believe that it offers a great deal of security and in this case it was a massive pain. Also I can’t think who would have made this change.
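The two checks from this post (is anything listening, and which port is RDP configured for) combined into one script. This is an added example, not code from the original post. It reads PortNumber from the Terminal Server\WinStations\RDP-Tcp key, which is where Windows keeps the RDP listener port, and it avoids newer cmdlets so that it runs on the PowerShell 2.0 shipped with Server 2008 R2.

```powershell
# Added example: why "netstat | findstr 3389" can come back empty.
# Uses only netstat and the registry provider so it runs on PowerShell 2.0.
$key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$defaultPort = 3389

# Port the RDP listener is configured to use.
$configured = [int](Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# Every local TCP port in LISTENING state, with the owning process id.
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Port      = [int]$Matches[1]
            ProcessId = [int]$Matches[2]
        }
    }
}
$onConfigured = @($listeners | Where-Object { $_.Port -eq $configured })

# TermService is the service name of Remote Desktop Services.
$service = Get-Service -Name TermService

# Summary object: one row that answers "what port, and is it open?"
New-Object PSObject -Property @{
    ConfiguredPort  = $configured
    IsDefaultPort   = ($configured -eq $defaultPort)
    ServiceStatus   = $service.Status
    ListenerPresent = ($onConfigured.Count -gt 0)
    ListenerPids    = ($onConfigured | ForEach-Object { $_.ProcessId } | Select-Object -Unique)
}

if ($configured -ne $defaultPort) {
    Write-Warning "RDP is configured for TCP $configured, not $defaultPort; clients using the default port will fail to connect."
}
if ($onConfigured.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP $configured; check that the TermService service is running."
}
```

Run it from an elevated prompt on the affected server. A non-default ConfiguredPort is also worth alerting on in monitoring, since it is a change that is easy to make and hard to spot.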



ESXi 5: Suppressing the local/remote shell warning

Using the SSH shell is a pretty efficient way to get things done on ESXi 5.x, but annoyingly it is disabled by default. Enabling the ESXi shell is simple enough to do.

But having enabled it means vSphere will show a warning message ESXi shell for the host has been enabled and in the host view the host is shown with a yellow warning exclamation mark. If you’re like me you’ll want to enable the shell but not have the warning always showing.

Suppressing the warning is pretty straightforward. In the vSphere client select the affected host and then click the configuration tab. Open up Advanced Settings and click UserVars from the menu tree and scroll all the way down to the UserVars.SuppressShellWarning setting. Change the value from 0 to 1.

[via]



Find large vmware.log files

Since upgrading to ESXi 5.1 some time ago I’ve seen the logfiles for some of our virtual machines grow truly massive, like over a gigabyte in size massive.

Removing the logs isn’t too difficult: simply either vMotion the VM or shut it down entirely and then power it up again. Both methods result in a new log being created, allowing the old log to then be deleted.

The difficulty is in finding which VMs have generated huge log files, especially when you have well over a hundred virtual machines.

The following is a simple one-line command to show the 10 biggest logfiles. It can be amended to show a greater number.

cd /vmfs/volumes/; ls -lhdS [A-Z]*/*/vmware.log | head -10

To prevent datastores from being shown twice, once by name and once by ID, the command is limited to datastores starting with a capital letter. All our datastores start with an upper-case letter; you may have to adjust the command to fit your particular environment.

[Via]


POODLE Attack – Disabling SSLv3 in Internet Explorer via Group Policy

The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0. Further details on the nature of the attack can be found here.

SSL 3.0 will be disabled in the next releases of all the major web browsers, but until then the following steps can be taken to protect clients in your company through disabling SSL 3.0 and enabling TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy.

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.

  • Open Group Policy Management.
  • Select the group policy object to modify, right click and select Edit.
  • In the Group Policy Management Editor, browse to the following setting:
    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  • Double-click the Turn off Encryption Support setting to edit the setting.
  • Click Enabled.
  • In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
  • Click OK.

Note: Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.

Achieving the same in Mozilla Firefox is not possible centrally via Group Policy, but it can be done on an individual basis by installing the SSL Version Control plugin.
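A check that the policy has actually reached a client, as an added example that is not part of the original post. It assumes the Turn off encryption support setting is stored as the SecureProtocols DWORD under the Internet Settings policy key shown in the code, and it decodes that value with the standard WinINet protocol bit flags; "Use TLS 1.0, TLS 1.1, and TLS 1.2" corresponds to 0xA80.

```powershell
# Added example: confirm the "Turn off encryption support" policy removed SSL 3.0.
# Assumption: the policy value lives under this key as the DWORD SecureProtocols.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# WinINet protocol bit flags used by SecureProtocols.
$flags = @{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$expected = 0xA80   # TLS 1.0 + TLS 1.1 + TLS 1.2

$item = Get-ItemProperty -Path $policyKey -Name SecureProtocols -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Warning 'SecureProtocols policy value not found: the GPO is not applied to this computer.'
    return
}

$value = [int]$item.SecureProtocols

# Names of every protocol whose bit is set, lowest bit first.
$enabled = $flags.GetEnumerator() |
    Where-Object { $value -band $_.Value } |
    Sort-Object Value |
    ForEach-Object { $_.Key }

New-Object PSObject -Property @{
    RawValue       = ('0x{0:X}' -f $value)
    Enabled        = ($enabled -join ', ')
    MatchesPolicy  = ($value -eq $expected)
    LegacySslIsOff = (($value -band 0x28) -eq 0)   # neither SSL 2.0 nor SSL 3.0
}

if ($value -band 0x28) {
    Write-Warning 'SSL 2.0 or SSL 3.0 is still enabled by policy on this computer.'
}
```

Run it on a client after the next policy refresh; a missing value usually means the GPO is not linked to the OU that contains the computer.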