That… Could Be A Problem…

15Aug/140

PoSh – Add File Share Permissions to Existing Share

Found myself in the position of having to add some permissions to an existing file share... Unfortunately none of these systems were 2012R2, which can take advantage of the SMBShare cmdlets, so this ended up being a bigger task than I would've thought. I found tons of help and posts on creating shares, but found a surprising lack of information on a task of this nature, which I would've thought fairly basic.

Couple things to note:

  • This only changes the actual file share permissions and does not touch the NTFS permissions.
  • There are 5 variables that need to be addressed prior to running the script.
  • One of those variables will require the Active Directory module imported to search specific OUs.
    The AD module isn't mandatory; computer names can certainly be fed in one at a time or by way of an array.

Note: this was a script that worked in my environment. There is no warranty or support with this script, please use at your own risk.

11Nov/134

PoSh – HP Scripting Tools for Windows PowerShell

HP has released their Scripting Tools for Windows PowerShell: http://www.hp.com/go/PowerShell

After taking a while to figure out where to download it (HP Download Link), the rest was easy. Once downloaded, just unzip the file wherever you like (note: it isn't unzipping into an install directory) and then run the included executable. Now open up a PowerShell session and you're good to go...

The first thing I did was try to figure out what commands are now available by running the following command, and I was greeted by 112 new cmdlets:

Get-Command *HP*

Get Command View

Lots of cool stuff in there that should make life a whole lot easier. I started off by checking out and testing the things I would use most often, like host power info, boot order, UID light changes, etc.

First up, let's get comfortable with how it works by finding some HP iLO systems:

Find-HPiLO

Find HP iLO

Couple things to note: this is by IP address only, there's no DNS resolution; IP ranges work, but require patience.

Find HP iLO Name Error

Now that I've established that I can find the iLOs and I can find them from versions 2, 3, and 4, let's do something cool like turn a host's power on. Start off by establishing a host to test with by the find-hpilo command and storing it into a variable to save typing the IP every time. For my convenience, I also stored the username and password into separate variables as there's no Credential parameter. To check the current status, which I was verifying by connecting to the iLO via web browser, I run the following command:

Get-HPiLOHostPower -Server $servervariable -Username $username -Password $password

HP iLO Host Power Status

We can verify that the host's power is off. Then run the following command to power the system on:

Set-HPiLOHostPower -Server $servervariable -Username $username -Password $password -HostPower "Yes"

HP iLO Host Power On

As you can guess, running the same command with the HostPower parameter set to "No" powers the host off. It appears to attempt a graceful shutdown via ACPI.

Set-HPiLOHostPower -Server $servervariable -Username $username -Password $password -HostPower "No"

HP iLO Host Power Off

Next up, turning the UID light off and on. This is especially helpful to locate servers while in the datacenter. The UID follows the same, semi-awkward use of "Yes" and "No" as the HostPower cmdlet does.
Get UID status:

Get-HPiLOUIDStatus -Server $servervariable -Username $username -Password $password

Turn UID on:

Set-HPiLOUIDStatus -Server $servervariable -Username $username -Password $password -UIDControl "Yes"

Turn UID off:

Set-HPiLOUIDStatus -Server $servervariable -Username $username -Password $password -UIDControl "No"

HP UID Status

Last but not least, let's change the boot order.
Showing the current boot order:

Get-HPiLOOneTimeBootOrder -Server $servervariable -Username $username -Password $password

Change the boot order over to CDROM:

Set-HPiLOOneTimeBootOrder -Server $servervariable -Username $username -Password $password -Device "CDROM"

HP Boot Order Status

Review time: It's a solid start by HP to get into the realm of PowerShell administration of their servers. The big pieces are there and functional and I plan to add this tool into my arsenal immediately. With that said, there are some oddities, such as yes/no answers instead of on/off and gathering the event logs into an array instead of a table format. There's some other stuff that I'm sure will come as the product starts to evolve, hopefully items like piping a find-hpilo into a get-hpilo cmdlet and adding in a credential parameter instead of forcing a username/password with each use of the cmdlet. Overall, if you have HP servers in your environment and use PowerShell at all, this is definitely something you should be checking out.
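Until the cmdlets accept a credential object, a small wrapper can provide one. This is an added example, not part of the original post or of HP's module: the function name and the 192.0.2.x addresses are made up, and it assumes the HP cmdlets raise normal PowerShell errors on failure.

```powershell
# Added example: wraps the post's Get-HPiLOHostPower call so the password is
# typed once at a prompt instead of being stored in a script or profile.
function Get-ILOHostPowerReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string[]]$Server,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential
    )
    # The HP cmdlets only take plain strings, so unwrap the credential
    # inside this function and nowhere else.
    $net  = $Credential.GetNetworkCredential()
    $user = $net.UserName
    $pass = $net.Password
    $ErrorActionPreference = 'Stop'   # local to the function: turn failures into catchable errors
    foreach ($s in $Server) {
        try {
            $power = Get-HPiLOHostPower -Server $s -Username $user -Password $pass
            New-Object PSObject -Property @{ Server = $s; Result = $power; Error = $null }
        } catch {
            # One unreachable or misconfigured iLO should not stop the whole run.
            New-Object PSObject -Property @{ Server = $s; Result = $null; Error = $_.Exception.Message }
        }
    }
}

$cred   = Get-Credential                      # prompts; nothing is written to disk
$report = Get-ILOHostPowerReport -Server '192.0.2.10', '192.0.2.11' -Credential $cred
$report | Select-Object Server, Result, Error | Format-List
Remove-Variable cred                          # drop the credential when finished
```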

12Feb/121

Windows Firewall just keeps fighting me…

I'm just trying to get some stuff to pass traffic, that's all. However Windows Firewall on Server 2008R2 has decided that it's too much to ask and is going out of its way to block the traffic.

Case in Point #1: I create a firewall rule to allow 443 in from a couple other subnets, everything works just fine. I turn on another system which resides in one of those subnets and it fails. I get a "Windows Filtering Platform has blocked a packet".

Very weird, but maybe there's something I'm missing. I turn on logging to see where we're getting the failure. Here's the funny part, the pfirewall.log file shows that it is allowing the traffic!
*NOTE: I highlighted the wrong one, so the arrow is pointing out the correct one.*
Firewall Allow, Filtering block

Probably a problem with the firewall policy right? Nope.
Firewall Policy

Some of the other things I've done to attempt to resolve the issue:

  • "netsh advfirewall reset" followed by recreating the rule via admin templates
  • "netsh advfirewall reset" followed by recreating the rule via Security Settings
  • "netsh advfirewall reset" followed by recreating the rule locally
  • Block Policy Inheritance, and retry all the above
  • Set the scope to any and the port to 443
  • Set the scope to any and the port to any

Everything else on the subnet is allowed in, so why would it be isolated to just this one system? I'm petitioning for a Microsoft Support Case to be made, hopefully they can get to the bottom of it.

Case in Point #2: Windows Firewall sees outgoing traffic and allows it. However, I get a "Windows Filtering Platform has blocked a packet" error again. The real head scratcher is that WFP sees the direction as being "Inbound".
Send but Inbound is blocked

I've gone through and created the proper firewall rules to allow a source port exception of 5989, and even a rule to allow all traffic from the offending system. Still no luck. So I'm hoping to add that to the case and finally get to the bottom of these problems.

Any thoughts or insight is much appreciated...
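For comparing what pfirewall.log recorded against the Windows Filtering Platform messages in both cases, the log can be turned into objects and filtered by port and direction. This is an added example, not part of the original post: the function name is made up and the log lines are constructed with placeholder addresses.

```powershell
# Constructed sample in pfirewall.log layout; every address is a placeholder.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-02-12 09:14:02 ALLOW TCP 192.0.2.25 198.51.100.10 51234 443 0 - 0 0 0 - - - RECEIVE
2012-02-12 09:14:05 DROP TCP 192.0.2.77 198.51.100.10 51300 443 48 S 1234567 0 8192 - - - RECEIVE
2012-02-12 09:15:41 ALLOW TCP 198.51.100.10 192.0.2.25 49160 5989 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {   # hypothetical helper name
    param([string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        # The '#Fields:' header names the columns; read it rather than hard-coding positions.
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if (-not $fields -or $l -match '^\s*(#|$)') { continue }   # other comments, blank lines
        $values = $l.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }          # truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

$entries = ConvertFrom-FirewallLog -Line ($sampleLog -split "`r?`n")

# Everything logged for the ports in the two cases, with the log's own
# direction column (path: SEND or RECEIVE) next to the action.
$entries |
    Where-Object { @($_.'src-port', $_.'dst-port') -contains '443' -or
                   @($_.'src-port', $_.'dst-port') -contains '5989' } |
    Select-Object date, time, action, 'src-ip', 'src-port', 'dst-ip', 'dst-port', path |
    Format-Table -AutoSize
```

On a live system, pass `Get-Content` of the log file set in the firewall profile's logging options (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log) as `-Line`.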

29Nov/110

Generating RSA Key & CSR for use with VMware Solutions…

Ever received a Security Warning while logging into either your ESX/i host and/or vCenter?
That's due to the SSL certificate not being trusted by your machine. You can always click the "Ignore" button or check the "Install this certificate..." box and then "Ignore" and move on. However, you can improve the security by replacing the certificates with certificates signed by a commercial certificate authority (CA).
Certificate Warning

To generate an RSA Key and certificate signing request (CSR), we'll start by downloading the OpenSSL-Light application on the system where you'll be installing, or have already installed, a VMware application. The application is available from the following site: http://www.slproweb.com/products/Win32OpenSSL.html

Download the "Win32 OpenSSL v1.0.0e Light" application along with the "Visual C++ 2008 Redistributables". Once downloaded, run the Visual C++ file (in this case, "vcredist_x86.exe"). Click "Next", check the "I have read and accept the license terms." box and click "Install", wait a couple seconds and click "Finish".
Downloaded Files
Setup
Accept Terms
Configuration
Finish

Now it's time to install OpenSSL by running the "Win32OpenSSL_Light-1_0_0e.exe" and installing it to your desired location. Click "Next", accept the agreement and click "Next", choose an install location (default is the root of C:, but I don't like cluttering up the root of C:) and click "Next", click "Next", change the option so that the OpenSSL DLLs are copied to the OpenSSL binaries (/bin) directory and click "Next", then click "Install". Once the installer is finished, click "Finish".
Setup
Accept Terms
Destination
Start Menu Folder
OpenSSL DLLs
Confirmation

From this point, open up a command prompt and navigate to the bin folder within the location of the installation of OpenSSL. To generate the key, run the following command:

openssl genrsa 1024 > rui.key

Once that is complete, generate the CSR by running this command:

openssl req -new -key rui.key > rui.csr

After running the command, you'll be asked to populate some information regarding your country name, state, city, organization name and unit, common name and email address.
Command Line Work

If you happen to receive the error: "WARNING: can’t open config file: /usr/local/ssl/openssl.cnf" this is due to OpenSSL being unable to find the openssl.cnf file. To correct this error, run the following command:

set OPENSSL_CONF=c:\[PATH TO OPENSSL DIRECTORY]\bin\openssl.cfg

After creating the CSR, submit it to either the admin of your Microsoft Certificate Services CA or to whomever handles the certificates from a commercial CA.
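The key and CSR steps can also be scripted and the CSR read back before it is submitted. This is an added example, not part of the original post: it assumes openssl.exe is on PATH and OPENSSL_CONF is set as described above, uses a 2048-bit key (this example's choice; the post's command uses 1024), and the subject string and function name are made up.

```powershell
# Added example. Assumes openssl.exe resolves via PATH and OPENSSL_CONF is set.
$keyBits = 2048   # this example's choice of key size
$subject = '/C=US/ST=ExampleState/L=ExampleCity/O=ExampleOrg/OU=IT/CN=vcenter01.example.com'  # hypothetical

# Let openssl write the files itself with -out. In Windows PowerShell, '>'
# re-encodes redirected output as UTF-16, which leaves an unreadable PEM file.
& openssl genrsa -out rui.key $keyBits
if ($LASTEXITCODE -ne 0) { throw 'openssl genrsa failed' }

# -subj supplies the answers to the interactive prompts in one string.
& openssl req -new -key rui.key -out rui.csr -subj $subject
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

function Test-CsrFile {   # hypothetical helper name
    param([string]$Path, [int]$MinimumBits)
    # -verify checks the CSR's self-signature; -text prints the subject and key details.
    $dump = & openssl req -in $Path -noout -text -verify 2>&1 | Out-String
    $bits = if ($dump -match 'Public.Key: \((\d+) bit\)') { [int]$Matches[1] } else { 0 }
    $subjectLine = $dump -split "`r?`n" |
        Where-Object { $_ -match '^\s*Subject:' } | Select-Object -First 1
    New-Object PSObject -Property @{
        SignatureOk = ($dump -match 'verify OK')
        KeyBits     = $bits
        KeySizeOk   = ($bits -ge $MinimumBits)
        Subject     = "$subjectLine".Trim()
    }
}

Test-CsrFile -Path rui.csr -MinimumBits $keyBits | Format-List
```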

7Jul/111

VSS & 08R2 – Showing more than 64 Snaps

We ran into a HUGE problem with the migration of our file servers to Server 2008 R2 from Server 2003: our techs noticed that the Previous Versions tab was only populating 64 of the oldest snapshots. This is a huge problem.

So I did some digging and ended up figuring out that if I opened up the Previous Versions tab in an older OS (I used Server 2003 as well as XP Pro), I could see all of the snapshots perfectly. So this now became a 2008/Win7 problem.

For those that don't know, the default maximum snapshot value is 64. This can be modified by going into the registry of the system that VSS is running on and going to: HKLM\SYSTEM\CurrentControlSet\services\VSS\Settings and adding the DWORD value of "MaxShadowCopies" and setting it to a decimal value of 512. 512 is the maximum number of snaps that can be done. More information can be found here: http://technet.microsoft.com/en-us/library/ee923636%28WS.10%29.aspx
Registry Modification

On the left is a Server 2003 mapping of a 2008 R2 file share, on the right is the same file share mapped on a Windows 7 box. Big difference there.
VSS Comparison

We ended up creating a case with Microsoft. Turns out that it happens to be a known bug with no resolution in sight. However, there did happen to be a workaround. To correct the problem, SMB2 has to be turned off. This is generally not something you want to do, however it worked in this particular instance. For information: http://en.wikipedia.org/wiki/Server_Message_Block#SMB2

So to turn off SMB2 and give yourself the ability to see all of the created snapshots in an OS newer than Server 2003 and/or XP, you have to dive back into the registry. Go to: HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters and create a new DWORD value of "SMB2" and ensure that the decimal value is 0. After that change has been made, reboot the system.
Note: Microsoft highly recommends turning SMB2 off at the desktop level rather than the server level.
SMB2 Off In Registry

After the reboot, here's what pulled up:
Success

Success! Our techs can now help people out with the VSS snaps.

6Jul/110

Initializing an Equallogic – the GUI way

Personally, I rather enjoy getting on the serial cable and setting it up that way. However, a recent experience forced me to have to set up an Equallogic PS6000E sight-unseen. Someone else had already done the dirty work of racking and networking it all together. So we are assuming that the Windows system we're using has at least one NIC on the same switch and/or VLAN as the EQL was plugged in to.

Start off by installing the HIT kit for Windows

Run the "Remote Setup Wizard"
Remote Setup Wizard

Choose to initialize the PS Series array, click "Next" and wait for the system to find the array
Initialize
Find the array

With a bit of good luck, it should show up
Discovered Array

Give the newly found array a name, IP, subnet, and gateway. If this is the first one, create a new group or you can even join an existing group. In this case, this is the first one.
Setup

Since this is the first one for the group, create a new group with the necessary information
Create New Group

Once everything is entered, allow the array some time to initialize
Initialize the Array

Upon completion, click "Finish" to exit from the program. The array has been successfully created.
Success

9May/110

Server 2008 R2 Throughput Testing

Background:
SAN Back end: 2 Equallogic 6510Es combined in a single storage pool
1 Windows Server 2008R2, base install, not joined to the domain on an ESXi 4.1 host
1 Windows Server 2008R2, base install, not joined to the domain on another ESXi 4.1 host
Connected via VMXNET3 NICs on our Dell PowerConnect 8024F 10G network on a separate VLAN, no other network connections
Test Procedure: Moving an ~8GB zip via UNC path
Changes made to local policy followed by running gpupdate

Default Policy: 69MB/second
Default Policy

Disable: Digitally sign secure communications (always): 96.7MB/second
Negotiate Policy

Disable: Digitally sign secure communications (always) & (if server/client agrees): 345MB/second
No Policy