Wednesday, December 18, 2013

Exchange SSL renewal - "pending certificate signing request"

After getting a renewed certificate for the Exchange server and running "Complete Pending Request", the certificate still shows in the EMC as "This is a pending certificate signing request (CSR)."  This is after the request completed successfully with the .crt downloaded from the certificate authority.

Opening the Certificates MMC and looking at the cert shows that it is missing its private key; in my case the friendly name also didn't carry over.

http://www.petri.co.il/forums/showthread.php?t=52766
Open the certificate from the CA and on the Details tab find the Thumbprint field and copy it to your clipboard.
Now run the following command from a command prompt, pasting the thumbprint between the quotes:
certutil -repairstore My "<thumbprint>"

In addition, in the MMC you can right click your cert and go to properties to assign the friendly name.
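The same check and repair in PowerShell, as an added example that is not part of the original post: it lists certificates in the machine's Personal store that have no private key attached (the EMC "pending CSR" symptom) and wraps the certutil repair with a verification afterwards. Assumes an elevated PowerShell on the Exchange server; the thumbprint and friendly name at the end are placeholders.

```powershell
function Get-CertsMissingPrivateKey {
    # A certificate whose key was never re-linked after "Complete Pending
    # Request" reports HasPrivateKey = $false; that is the EMC symptom.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, NotAfter, Thumbprint, FriendlyName
}

function Repair-CertPrivateKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$FriendlyName
    )
    # certutil -repairstore re-associates the certificate with the private
    # key that the original CSR left behind in the machine key store.
    $output = & certutil.exe -repairstore My $Thumbprint 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $Thumbprint`: $output" }

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        # The repair only works on the server that generated the CSR, because
        # that is where the key pair lives.
        throw "Private key still missing for $Thumbprint; complete the request on the server that created the CSR."
    }
    # The friendly name that did not carry over (the MMC "Properties" step);
    # assigning it through the Cert: provider persists it in the store.
    if ($FriendlyName) { $cert.FriendlyName = $FriendlyName }
    return $cert
}

# Report first: CA and intermediate certificates that landed in this store
# legitimately have no private key, so pick the renewed server certificate
# by its thumbprint rather than repairing everything that is listed.
Get-CertsMissingPrivateKey | Format-Table -AutoSize
# Repair-CertPrivateKey -Thumbprint '<thumbprint from the CA certificate>' -FriendlyName '<friendly name>'   # placeholders
```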

Tuesday, December 10, 2013

Fiberlink Maas360 MDM - Warning! Stay away

I don't usually post things like this, but this has been one of the worst experiences I've had with a company.

I'll keep it short and sweet.  If you're looking into an MDM and you're looking at Fiberlink Maas360 (now IBM), move along, nothing (good) to see here.

The product itself worked okay, that's not entirely the issue (although I did have some issues with the product).

More importantly!  Sales / Billing at Fiberlink and their business policies are terrible.  They are not very consumer friendly.   Read that contract very carefully!!  They have an "auto-renew" section in there and they WILL NOT warn you in advance.  They were completely unwilling to work with us.



HINT: take a look at XenMobile...
https://www.citrix.com/products/xenmobile/overview.html?ntref=hp_hero_xenmobileMDM

Tuesday, November 12, 2013

Citrix XenMobile - Bulk assign corporate device

After moving away from Fiberlink Maas360 (soooo glad we did) I found that I needed to mark over 100 devices in XenMobile as corporate owned.  This would allow us to mark the devices as either corporate or employee owned so that we could push deployments based on ownership.

This can be done manually one at a time... or

Citrix put together this how to which works great!


Looks like the URL changed: http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-devices-tagging-auto-tsk.html







Monday, November 4, 2013

Convert XenServer to Hyper V 2012

Built a new Windows Server 2012 Hyper-V environment for my test and non-critical machines.  Below are the steps that I used to move some of my machines out of XenServer and into Hyper-V.

This was using XenServer 6.0.

  1. Export VM as OVF
    1. Shutdown the machine
    2. Right click and Export
    3. Choose the OVF format, location, and name
    4. Next through the rest of the screens
  2. This leaves you with a VHD that we can attach to and use.
  3. In Hyper-V create a new diskless VM in your cluster share
  4. Copy the VHD to the subfolder for the VM
  5. In the settings of the VM under the IDE Controller 0 add a new hard drive
    1. Browse to the VHD and OK
  6. Convert the VHD to VHDX
    1. In Hyper-V Manager select the VM and click "edit disk".
    2. Select the VHD, Next
    3. Click Convert, Next
    4. Select VHDX, Next
    5. Leave at Dynamically Expanding, Next
    6. Browse to the VM folder (where it will create the VHDX), typically the same location as where the VHD is currently.
    7. Name it (can be the same name since extension will be different)
    8. Finish and wait for it to create.
  7. Change the VM to point to the VHDX.
    1. Edit the VM and change the virtual hard disk path to point to the vhdx instead of the vhd.
  8. Ensure it boots properly
  9. Log in and remove the XenServer tools (note it will be very slow at this point), then reboot
  10. Ensure Integration Services is the latest version by inserting the Integration Services disk and running the update.
  11. Remove integrated services disk
  12. Change IP address as needed
  13. After saving the IP, go back in and make sure the default gateway is listed properly.
  14. Remove the old VHD file.
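The Hyper-V side of the procedure (steps 3 to 8) as one script, added here as an example and not part of the original post. It uses the Hyper-V PowerShell module on Windows Server 2012 and attaches the disk straight as a VHDX, so the post's steps 5 and 7 collapse into one. Assumes the VM name, cluster share path and exported VHD path are placeholders, and that adding the VM to a cluster role is done separately.

```powershell
# Run on a Server 2012 Hyper-V host (elevated). All three paths are placeholders.
param(
    [string]$VMName      = 'TestVM01',
    [string]$ClusterPath = 'C:\ClusterStorage\Volume1',
    [string]$ExportedVhd = 'D:\XenExport\TestVM01.vhd',   # the VHD the OVF export left behind
    [int64] $MemoryBytes = 2GB
)

Import-Module Hyper-V

$vmFolder = Join-Path $ClusterPath $VMName
$vhdPath  = Join-Path $vmFolder (Split-Path -Path $ExportedVhd -Leaf)
$vhdxPath = [System.IO.Path]::ChangeExtension($vhdPath, '.vhdx')

# Step 3: diskless VM in the cluster share (New-VM creates <Path>\<Name>)
New-VM -Name $VMName -Path $ClusterPath -MemoryStartupBytes $MemoryBytes -NoVHD | Out-Null

# Step 4: copy the exported VHD into the VM's own folder
New-Item -ItemType Directory -Path $vmFolder -Force | Out-Null
Copy-Item -Path $ExportedVhd -Destination $vhdPath

# Step 6: the "Edit Disk" wizard: convert to a dynamically expanding VHDX
# with the same base name next to the source VHD
Convert-VHD -Path $vhdPath -DestinationPath $vhdxPath -VHDType Dynamic

# Steps 5 and 7 in one go: attach the VHDX at IDE controller 0, location 0
Add-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path $vhdxPath

# Step 8: boot and show which file the VM is actually using
Start-VM -Name $VMName
Get-VMHardDiskDrive -VMName $VMName |
    Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path

# Step 14 (only after the guest has booted, tools are swapped and IP is set):
# Remove-Item -Path $vhdPath
```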

Wednesday, August 14, 2013

Create preconfigured AppCenter / Delivery Services Console

In the past I've always just had the other IT staff configure the Delivery Services Console on first run themselves.  With AppCenter I found that each time they launched it through their Citrix Profile it wouldn't save the server discovery.

Found the following that worked perfectly.  This allowed me to configure their server discovery and add in the idle times and reorder the columns as desired for everyone.

http://support.citrix.com/article/CTX126752

Tuesday, July 30, 2013

Windows 2008 R2 Password Notification causes more issues than helps

With Windows 7 / 2008 R2 Microsoft changed the way password notifications look. 

After upgrading from PS 4.5 to XenApp 6.5 we fairly quickly found that the default password expiration notification changes from 14 days down to only 5 days.  This doesn't work well in an environment where part time workers may be off a week at a time.  No problem, set the GPO and mark it for 14 days right...  One would think.

Unfortunately, MS changed the popup.








This presents 2 issues in my environment:
  • The popup doesn't display for long enough  (this can be corrected via GPO)
    • Users tend to miss it
    • Or ignore it
  • CTRL+ALT+END doesn't work for our Citrix sessions. 
    • When connected through the web interface it just doesn't do anything
    • When connected from a thin client (Wyse and HP clients) it disconnects the session  ACK!

In our case when connecting from:
  • Thin Client - CTRL+ALT+DEL works fine...
  • Web Interface - CTRL+F1 works


After messing around with several options I ended up opting for the following:
http://serverfault.com/questions/140816/with-no-password-expire-notification-at-logon-in-windows-7-how-are-you-configur

With a slight amount of modification to the message you can make it fit your scenario.
I then added it to the GPO as a user configuration logon script.  For this I enabled GPO loopback processing in "Merge" mode and applied the policy to the machines that needed it (Citrix, RDS / Terminal Services, others).




Who would have thought that something as simple as "changing your password" would be such a nuisance and so poorly implemented by Microsoft.
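A logon-script version of the warning in PowerShell, added here as an example; it is not the VBScript from the ServerFault thread linked above. It reads the computed expiry time from AD, so the threshold is whatever you set (14 days here) regardless of the balloon setting. Assumes a domain account, 2008 or later domain controllers (for msDS-UserPasswordExpiryTimeComputed) and an interactive session where a message box can be shown.

```powershell
# Deploy as a GPO user logon script; the warning window is the user's cue.
param([int]$WarnDays = 14)

function Get-PasswordExpiry {
    param([string]$SamAccountName = $env:USERNAME)
    # Ask a DC for the expiry time that already accounts for fine-grained
    # password policy; the user can read this attribute for their own account.
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    $fileTime = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
    # Int64.MaxValue means "password never expires"; 0 means it must change now
    if ($fileTime -eq [int64]::MaxValue) { return $null }
    if ($fileTime -eq 0) { return (Get-Date) }
    return [datetime]::FromFileTime($fileTime)
}

function Get-ExpiryMessage {
    param([datetime]$Expiry, [int]$WarnDays)
    $daysLeft = [math]::Ceiling(($Expiry - (Get-Date)).TotalDays)
    if ($daysLeft -gt $WarnDays) { return $null }
    # Key combinations that work in our sessions (from the post): CTRL+ALT+DEL
    # on the thin clients, CTRL+F1 through the web interface.
    $how = 'Press CTRL+ALT+DEL (thin client) or CTRL+F1 (web interface) and choose Change a password.'
    if ($daysLeft -le 0) { return "Your password has expired. $how" }
    return "Your password expires in $daysLeft day(s), on $($Expiry.ToShortDateString()). $how"
}

$expiry = Get-PasswordExpiry
if ($expiry) {
    $message = Get-ExpiryMessage -Expiry $expiry -WarnDays $WarnDays
    if ($message) {
        Add-Type -AssemblyName System.Windows.Forms
        # A modal box does not time out like the balloon, so it is not missed
        [System.Windows.Forms.MessageBox]::Show($message, 'Password expiration notice', 'OK', 'Warning') | Out-Null
    }
}
```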

Thursday, July 25, 2013

Fixing the Outlook Address Cache / Autofill after recreating email address in Exchange

Recently I had a scenario where we wanted to convert a distribution group to a user mailbox. This was an email address that everyone uses. Of course this can't be done without deleting the distribution group and creating it as a user mailbox. Unfortunately when you delete the distribution group and recreate it as a user, the Outlook autocomplete / autofill will break because the value that Outlook looks at is different for the new object.

This will result in an NDR like the following: (for dist group test@mydomain.org)

Delivery has failed to these recipients or groups:
'Test' <mailto:IMCEAEX-_O%3DHERE_OU%3DEXCHANGE%2B20ADMINISTRATIVE%2B20GROUP%2B20%2B28FYDIBOHF23SPDLT%2B29_CN%3DRECIPIENTS_CN%3DTesta56@mydomain.com>
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server: Server.mydomain.com
IMCEAEX-_O=HERE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Testa56@mydomain.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##



As Ben points out this can easily be fixed: https://www.simple-talk.com/sysadmin/exchange/exchange-e-mail-addresses-and-the-outlook-address-cache/

This helps keep our 200+ users from having to fix it on their own or, more likely, calling the help desk to have us fix it.


And to help convert the IMCEAEX string
http://support.microsoft.com/kb/2807779
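The IMCEAEX conversion from the KB above, worked on the address in the NDR, as an added example that is not from the post or the KB. It applies the substitutions generally rather than one by one: every "_" becomes "/" and every "+HH" is a hex-encoded character, so "+20", "+28", "+29", "+2E" and friends all decode. The mailbox identity in the final Set-Mailbox call is a placeholder, and that call assumes Exchange 2010 SP2 or later for the @{Add=...} syntax.

```powershell
function ConvertTo-X500Address {
    param([Parameter(Mandatory)][string]$ImceaexAddress)
    $s = $ImceaexAddress.Trim()
    if ($s -notmatch '^IMCEAEX-') { throw "Not an IMCEAEX address: $s" }
    $s = $s.Substring('IMCEAEX-'.Length)

    # Drop the routing domain that Exchange appended after the last "@"
    $at = $s.LastIndexOf('@')
    if ($at -ge 0) { $s = $s.Substring(0, $at) }

    # "_" separates the legacyExchangeDN components. Do this before decoding
    # so that an encoded "+5F" (a literal underscore in a CN) stays an underscore.
    $s = $s.Replace('_', '/')

    # "+HH" is the character with hex code HH: +20 space, +28 "(", +29 ")", ...
    $s = [regex]::Replace($s, '\+([0-9A-Fa-f]{2})', {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
    return "X500:$s"
}

# The address from the NDR in the post
$imceaex = 'IMCEAEX-_O=HERE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Testa56@mydomain.com'
$x500 = ConvertTo-X500Address -ImceaexAddress $imceaex
$x500

# From the Exchange Management Shell, add it to the recreated mailbox so the
# cached autocomplete entry resolves again (identity is a placeholder):
# Set-Mailbox -Identity 'test@mydomain.org' -EmailAddresses @{Add = $x500}
```

For the NDR address above the function returns X500:/O=HERE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=Testa56, which is the proxy address to add.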

Monday, July 8, 2013

\Windows\System32\config\system Status: 0xc000014c missing, or corrupt

On a Lenovo E520 running Windows 7 x64 user ran out of power and system crashed.  When it came back up the user was presented with:
File: \Windows\system32\config\system
Status: 0xc000014c
Info: Windows failed to load because the system registry file is missing, or corrupt.

I tried using the Lenovo recovery media without success.

I then plugged in a Dell recovery disc and just went into the Windows recovery cmd prompt.  At that point I found that the hard disk was mapped to the D drive.

sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


After it finished running I rebooted the computer and gave it back to the user (after tucking away my handy Dell disc).

IIS7 - Cannot find the certificate request that is associated with this certificate file

Seems like once a year (or longer) when I renew our SSL cert this causes me some headache.  The worst part about the error is that it's false and the cert was created just fine!

In this case I create the CSR and get the new cert, which is delivered in PKCS #7 (.p7b) format.  When you click "Complete Certificate Request" and point it to the .p7b file (note that you have to change the file type filter to *.* to see it) you get the error "Cannot find the certificate request that is associated with this certificate file".

At that point I usually start troubleshooting whether I created the p7b incorrectly (I hadn't done anything wrong).


Instead you just need to click OK and then hit refresh (F5) on the IIS7 certificates screen.  Your new cert appears :)

At this point you can export it as pfx and convert to pem if needed.

Tuesday, May 21, 2013

Script - detect users SID and make registry changes based on it

Deploying some laptops I needed to add registry changes to the user account.  Unfortunately the accounts were not domain accounts, making it slightly harder.

To complicate matters, registry editing on these particular machines is disabled by GPO and we didn't want to enable it.  Thus the user can't run the reg add themselves, AND on each computer the user's SID is different.

The solution was to use psgetsid to find the user's SID and then add the registry keys with it, from an account that has access to regedit on the machine.

Example:
rem the last line psgetsid prints is the SID, so %usersid% ends up holding it
For /f "delims=" %%i in ('c:\admin\psgetsid.exe usernameofaccounttochange') DO set usersid=%%i

rem DefaultConnectionSettings is a REG_BINARY value; it must be written as REG_BINARY, not REG_SZ
reg add "HKU\%usersid%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /t REG_BINARY /d 460000001e00000001000000000000000000000000000000010000000000000018dc31de5756ce0100000000000000000000000000000000 /f
reg add "HKU\%usersid%\Software\Microsoft\Windows\CurrentVersion\Explorer" /v EnableAutoTray /t REG_DWORD /d 0 /f



Note:  You can also use %username% to detect the currently logged on user and retrieve the SID for the script, BUT if you do this note that if UAC is enabled or prompts, the username that is returned will be that of the admin account you entered for UAC.  Which is likely not what you're after.

Internet Explorer slow on first open

Configuring new laptops we found that Internet Explorer was very slow loading the first time when connecting to a new network (in our case wireless networks).  This was with IE8, IE9, IE10 on a Windows 7 x64 machine using both the 64 and 32 bit versions of IE. 

After many hours of cursing I found that this was due to the following setting:
Internet Options, Connections, LAN settings, Automatically detect settings.

Unchecking this option fixed the issue.


In the registry this is found here:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /t REG_BINARY /d 460000001e00000001000000000000000000000000000000010000000000000018dc31de5756ce0100000000000000000000000000000000 /f

In particular, the third group of four bytes (01000000, the flags DWORD at offset 8) is what disables it: 01 means a direct connection only, while 09 means "Automatically detect settings" is enabled.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cb6abb30-4360-4d3d-93fc-61823b2a5c20

Note: in our case this only affected WLAN connections.  Broadband and LAN did not display the issue (unless WLAN was also connected at the same time).
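One script for both of the posts above (the per-user SID change and the auto-detect flag), added as an example and not part of the original posts. It resolves a local account's SID instead of calling psgetsid, loads that user's hive if they are not logged on, and clears only the 0x08 auto-detect bit in the existing DefaultConnectionSettings blob rather than overwriting the whole value, so proxy or bypass settings already in the blob survive. Assumes an elevated session and that the profile path in ProfileList is correct; the account name at the bottom is the placeholder from the post.

```powershell
function Get-LocalAccountSid {
    param([Parameter(Mandatory)][string]$UserName)
    # Same result as psgetsid for a local account, without the banner parsing
    $account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$UserName")
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Disable-IEAutoDetect {
    param([Parameter(Mandatory)][string]$Sid)
    $hive   = "Registry::HKEY_USERS\$Sid"
    $key    = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    $loaded = $false
    if (-not (Test-Path $hive)) {
        # User is not logged on: mount NTUSER.DAT under HKU\<SID> like regedit's "Load Hive"
        $profilePath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid").ProfileImagePath
        & reg.exe load "HKU\$Sid" (Join-Path $profilePath 'NTUSER.DAT') | Out-Null
        $loaded = $true
    }
    try {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $bytes = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
        if (-not $bytes -or $bytes -isnot [byte[]] -or $bytes.Length -lt 12) {
            # Missing (or written as REG_SZ by mistake): start from the blob in the post,
            # whose flags byte is already 0x01
            $hex   = '460000001e00000001000000000000000000000000000000010000000000000018dc31de5756ce0100000000000000000000000000000000'
            $bytes = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
        }
        # Layout: bytes 0-3 version (0x46), 4-7 change counter, 8-11 flags.
        # Flags: 0x01 direct, 0x02 use proxy, 0x04 auto-config script, 0x08 auto-detect.
        $bytes[8] = $bytes[8] -band (-bnot 0x08)
        # Bump the counter so IE treats the blob as changed
        $counter = [BitConverter]::ToUInt32($bytes, 4) + 1
        [BitConverter]::GetBytes([uint32]$counter).CopyTo($bytes, 4)
        Set-ItemProperty -Path $key -Name DefaultConnectionSettings -Value $bytes -Type Binary
        # The second value from the SID post
        Set-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name EnableAutoTray -Value 0 -Type DWord
        return [int]$bytes[8]   # the resulting flags byte, e.g. 1 when it was 9
    } finally {
        if ($loaded) { [GC]::Collect(); & reg.exe unload "HKU\$Sid" | Out-Null }
    }
}

$sid = Get-LocalAccountSid -UserName 'usernameofaccounttochange'   # placeholder name from the post
Disable-IEAutoDetect -Sid $sid
```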

Friday, May 17, 2013

Prevent domain users from logging into computer

We have a number of laptops that are in common areas (i.e. conference rooms, shared amongst staff) as well as out in the field, where they are used more as a "thin client" to connect back to a Citrix environment.  On these laptops we don't want users logging in with their domain account and having the ability to copy sensitive files to the local disk.  We also don't want a specific domain user logging into a laptop and then walking off without logging off, effectively preventing the next user from accessing the computer (unless they hard power the system, which isn't what we want).

In the past with Windows XP I was able to quickly remove this access for domain users, while not affecting domain admins, by removing the following groups from the local "Users" group via a script during setup.
Net localgroup users "domainname\Domain Users" /delete
Net localgroup users "NT Authority\Interactive" /delete
Net localgroup users "NT Authority\Authenticated Users" /delete



If you attempt this in Windows Vista and above it results in slow logon, logoff, blank desktop, etc.  I.e., it doesn't work.
http://support.microsoft.com/kb/970879



The easy way around this (and the proper fix anyways) is to simply limit the "allow logon to this computer" setting in GPO.

If you open gpedit.msc on the local machine you can see the normal settings for this key:


So we can see that we can easily remove the "users" group from the list.  This will prevent anyone that falls in the "users group" from logging in. 

Now you need to add any of the specific usernames that you do want to allow to login.
This for example could be a specific local account or specific domain user accounts.

I highly recommend that rather than doing this with the local GPO you do it in the domain GPO, with an OU-specific GPO that contains the computers you want it to affect.  Ensure you don't link the GPO at the wrong OU or you'll cause havoc across your environment.



Note: depending on your environment setup this could have unexpected results.  Specifically if you have certain users accounts that are non-admin that have to access the system for certain tasks (backups, services, scanning, etc).
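A check for the note above, added as an example and not part of the original post: it exports the machine's effective user rights with secedit and lists who currently holds "Allow log on locally" (SeInteractiveLogonRight), translating the *SID entries to names, so you can confirm the GPO landed and that the backup, service or scanning accounts you still need are listed. Assumes an elevated session on the target computer.

```powershell
function Get-AllowLogonLocally {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    # secedit exports the local security database, which reflects the
    # user rights after domain GPOs have been applied
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated)' }
    try {
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # right assigned to nobody
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Well-known and domain principals are written as *S-1-5-...
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }   # deleted account or no DC reachable: keep the raw SID
            } else {
                $entry             # local names are written as-is
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$allowed = @(Get-AllowLogonLocally)
$allowed
if ($allowed -contains 'BUILTIN\Users') {
    Write-Warning 'BUILTIN\Users still has "Allow log on locally"; the GPO has not applied here yet (try gpupdate /force).'
}
```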

Wednesday, May 8, 2013

XenApp 6.5 Get-XAPrinterDriver shows removed drivers

When attempting to replicate drivers to a new farm with PowerShell I found that running Get-XAPrinterDriver -ServerName CtxTest01 would return a list of drivers that included old drivers that had been removed (and didn't include new drivers that had been installed).

Rebooting did not help.  Looking back at the scenario, recreating the local host cache (LHC) may have worked.

Update-XAPrinterDriver -ServerName CtxTest01

After running the above drivers showed as expected.


Replicate drivers:
http://support.citrix.com/article/CTX126125

printer driver is not installed error on 2008 Print Server

This is nothing new, been around for years, but every year or so I have to spend another 10 minutes having to search out the answer again.

On a Windows 2008 R2 print server I switched a printer's driver to another driver and was greeted with "printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the driver now?".

Installing the driver again (was already installed) doesn't help.


http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/5101195b-3aca-4699-9a06-db4578614e2d/


This affects out-of-the-box HP printer drivers.  In my case the HP 4100 series PCL drivers.

Navigate to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\(printers name)\PrinterDriverData
Change the HPTrayCount value to 12.

Do this for each printer (and repeat anytime you change the driver).

Wednesday, May 1, 2013

Server 2008 R2 - Remove Libraries, Network, and Favorites from Explorer

During the deployment of XA65 I quickly found that I didn't want the Libraries, Network displaying.  Also, I wanted to remove certain content from Favorites, but leave the desktop (since we redirect our desktops to a central store).



 
Microsoft didn't provide a great way of removing this functionality.  Fortunately there are many in the community that are sharp and figured this out on their own.
 
Thanks to Marco Sues from this Citrix thread for the solutions: http://forums.citrix.com/thread.jspa?threadID=266828
 
From this we're able to quickly add the necessary keys into GPO for all our Citrix servers to remove the undesired libraries for both x64 and x32.  In addition to adding the keys you also need to give SYSTEM full control over the shellfolder.  This can be done if you use Computer Config/Policies/ Windows Settings/Security Settings/Registry to change the permissions. Use GPO preferences to update the attributes keys.
 
Favorites:
x64 = HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
for both
Attributes = a9400100
dword / hex
 
 
Libraries:
x64 = HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
for both
Attributes = b090010d
dword / hex
 
 
Network:
x64 = HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
x32 = HKEY_LOCAL_MACHINE\Software\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
for both
Attributes = b0940064
dword / hex
 
Once this is set in your GPO do gpupdate /target:computer and then logoff and back on. (explorer needs to reinitialize)
 
 
In my case I decided I didn't want to remove Favorites since it gives quick and easy access to the desktop.  Instead I redirected it to a central location for all users.  This implies that end users won't be able to add their own "favorites" to the folder.  This can be done with folder redirection, then placing the desktop shortcut in the folder.
You could also easily redirect it to their own personal stash and then script the removal of the unwanted "links" (located in the user's Links folder).
 
 


Tuesday, April 16, 2013

Netlogon 5719 at startup

This issue was a real booger and I almost threw in the flag and called in the big guns.

This error has been around for awhile.  There is a lot of information out there on it and a LOT of reasons it can occur.

I've actually run across this now twice.  Once in my server VM environment and also on new desktops.  It is possible / likely they are related due to the switches used being similar / the same.


In this post I'm focusing on the Virtual Environment issue.

I first discovered the issue when building an Exchange 2010 server and finding that the services were not starting automatically on boot.  This led me to find the Netlogon 5719.  After a review of the events it was obvious that this service was attempting and failing to start before the network was connected.

After finding this: http://support.microsoft.com/kb/938449 I tried some of the suggestions with no help. Note this setup was with ESXi 5.1 going back to HP ProCurve switches (2810's).  STP was off on the switches.  Also connected to the same switches is a XenServer environment and a few physical servers which do not see the issue.

Some of the posts and KBs I found suggested that this isn't an issue and can safely be ignored as long as you can reach the DC to log in, since Group Policy will apply after the set retry period.  Unfortunately this is NOT a solution nor a good workaround (for desktops, servers, anything).  It causes lots of issues in a domain environment, especially where folder redirection, logon scripts, etc. are in use.  The proper fix is to get the NIC to initialize before Netlogon, OR for MS to provide a method for admins to reliably force Netlogon to wait for the NIC.

After messing around for awhile I discovered that this only occurs if the NIC is set to static IP.  When set to DHCP all works as expected.

So, at this point we could do DHCP reservations to make it work, BUT this isn't a solution for DC's or DHCP servers, and sometimes a static address is necessary or easier.

After finding a thread on VMWare communities that was exactly my issue it was suggested to try changing the ArpRetryCount.
http://communities.vmware.com/thread/316237?start=15&tstart=0

Bingo!

This could indicate a deeper network issue or possibly a flaw in logic as to when netlogon service should attempt to start.


Note: I also commonly see an issue very similar to this on workstations with SSDs (some differences: it occurs when set to DHCP but not static, etc.).  In these cases changing the ArpRetryCount does not help, although I did find that it is heavily dependent on the type of switch that the workstation is plugged into.  For instance, the issue occurs when plugged into HP ProCurve switches, but does not occur when plugged into cheapo Linksys / Cisco switches.  This likely indicates a configuration issue with HP ProCurve (although many report the same or similar issues with enterprise Cisco switches).  It may also be caused by the type of NIC / driver on the system (i.e. a Realtek driver issue).  I have not been able to dig into this issue in great detail yet.
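Detection for the symptom described above, added as an example and not part of the original post: it pulls Netlogon 5719 events from the System log, works out how many seconds after each boot they fired (a failure within the first couple of minutes is the "started before the NIC was up" pattern), reports whether ArpRetryCount is currently set, and lists the adapters with static addressing, since the post only saw the problem with static IPs. Assumes an elevated session on Windows 2008 R2 or later.

```powershell
function Get-NetlogonStartupFailures {
    param([int]$WithinSecondsOfBoot = 120, [int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'NETLOGON' }
    if (-not $events) { return }
    # Event 6005 (event log service started) marks each boot
    $boots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005 } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'eventlog' }
    foreach ($ev in $events) {
        $boot = $boots | Where-Object { $_.TimeCreated -le $ev.TimeCreated } |
            Sort-Object TimeCreated -Descending | Select-Object -First 1
        if (-not $boot) { continue }
        $delta = ($ev.TimeCreated - $boot.TimeCreated).TotalSeconds
        if ($delta -le $WithinSecondsOfBoot) {
            [pscustomobject]@{
                Time             = $ev.TimeCreated
                SecondsAfterBoot = [int]$delta
                Message          = ($ev.Message -split "`n")[0]
            }
        }
    }
}

function Get-ArpRetryCountSetting {
    # The value the VMware thread above suggests changing; report it, whatever it is
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $path -Name ArpRetryCount -ErrorAction SilentlyContinue).ArpRetryCount
    if ($null -eq $value) { 'ArpRetryCount not set (Windows default applies)' } else { "ArpRetryCount = $value" }
}

function Get-StaticIPAdapters {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { -not $_.DHCPEnabled } |
        Select-Object Description, @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } }
}

Get-NetlogonStartupFailures | Format-Table -AutoSize
Get-ArpRetryCountSetting
Get-StaticIPAdapters | Format-Table -AutoSize
```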

Citrix print management service crashing

A while back I posted about cleaning up print drivers in XA4.5. Recently I started to have issues again with printers not being auto-created, with what appeared to be the same issue of the spooler crashing and taking the Citrix service with it. Oddly it wasn't logging the crash though.

(see this post: http://didyourestart.blogspot.com/2009/04/terminal-server-citrix-printing-errors.html)

It then occurred to me that it's not the same issue! Duh

On a pool of 8 XenApp 5.0 (Windows 2003) servers with R07 installed I've found that occasionally the Citrix Print Management Service will crash.  Note that in this instance the Print Spooler is NOT crashing, only the Citrix service.  I determined this by using the script in my other printing issue post so that it would log when the print spooler crashed.  In this case no log was ever generated on the servers after a failure.

I then added a new short script and set it to run on failure of the Citrix Print Management Service.  On the next failure sure enough I had my log showing the failure time.

Batch File contents
net start "Citrix Print Manager Service"
SET logfile=C:\AdminTools\CitrixCrashLogs.log
ECHO Citrix print management service crashed on %date% at %time% on %computername% >> %Logfile%

I then set the Citrix Print Management Service to run this program on failure.

This tells me that it's a different issue causing the failure of the Citrix service since print spooler isn't actually crashing.  I believe this is an issue that was introduced sometime post R05 as I never had the issue (that I'm aware of) until updating to R07.  Note that I had skipped installing R06.  I also tested this on a fresh Citrix build with the same results.

I now implement the above batch file as part of my build on all XenApp servers.  This has reduced the help desk calls for this issue down to 1 or less a quarter.

Friday, March 1, 2013

Convert XenServer XVA to VMDK for VMWare ESXi 5.1

During our conversion from XenServer to VMWare I had one machine that had a woopsy and would no longer boot in XenServer without BSOD.  Of course, this is the ONE machine I didn't snapshot first HA.

Environment:
XenServer 5.6 SP2
ESXi 5.1


Cause:
During the conversion, I uninstalled the XenServer tools.  When I went to use VMConverter on the machine it couldn't find the disk due to the drivers on the SCSI controller.  So, I went to select a generic driver for the controller and, lo and behold, I selected the wrong one and rebooted.  ACK  Of course I was greeted by the BSOD.


Solution:
I could have just rebuilt the machine, but it was one of those pain machines (i.e., reconfiguring it would be more painful than spending an hour seeing if I could fix it).

  1. Export from XenServer to XVA format
    1. I tried to export to OVF, but it would fail, and after some quick looking on the Citrix forums it looked like it would likely be easier to export to XVA and then convert to OVF
  2. XenConvert v2.3.1  (version 2.5 doesn't have the options necessary to do this)
    1. From = Xen Virtual Appliance
    2. To OVF
    3. This converts to OVF format which gives you 2 files, an OVF and a VHD
  3. WinImage v8.5 (http://www.winimage.com/download.htm)
    1. Disk dropdown
    2. Convert virtual hard disk image
    3. Select the OVF (vhd file)
    4. OK
    5. Type name and change save as type to vmdk
    6. When you click save the conversion starts
    7. At the end you don't need to mount it with winimage
  4. Create a new virtual machine using the datastore that you want.
    1. Edit the VM and delete the Hard Disk
    2. Browse the datastore and delete the vmdk file
  5. Veeam FastSCP (I used the older version)
    1. Copy the 2 files that WinImage created to the datastore VM Folder
      1. both are vmdk files.  One will be large the other small.  Both are required for this to work (otherwise when you add a hard disk in the next step it won't see it)
  6. Back in VMWare now
    1. Add hard disk
    2. Browse to the VMDK and select it
    3. Boot
    4. Login and install tools
    5. Restart
  7. Change the disk from IDE to SCSI
    1. In VMWare edit the VM and add a new hard disk of 1GB using SCSI (this pulls the controller into the image)
    2. Delete the disk you just created
    3. shutdown the VM
    4. Now we have to edit the vmdk, this can be done using vi, but I'm a windows guy so I used notepad++ on my workstation
      1. pull a copy of the small vmdk down to your local drive using Veeam FastSCP
      2. edit with notepad++
      3. modify the line ddb.adapterType = "ide" to ddb.adapterType = "lsilogic"
      4. save and push the file back up to the datastore overwriting
      5. Delete the primary IDE hard disk
      6. Browse the datastore and delete the 1GB vmdk that we created earlier (for getting the LSI controller installed)
      7. Add new hard disk and point to the vmdk
      8. It will find it as SCSI / LSI Logic
      9. Note: if you have a CDROM, it will be IDE 0:1, so you'll want to delete it and re-add it so that it picks up IDE 0:0
      10. Boot
That wasn't so bad...


Your results may vary :)







Thursday, February 28, 2013

Convert from XenServer 5.6SP2 to VMWare ESXi 5.1

Recently we converted our main environment from XenServer 5.6 SP2 (Lefthand Networks SAN/iQ) to VMWare ESXi 5.1 (Nimble Storage CS240).

First off, we looked very hard at XenServer 6, Hyper-V 2012, and ESX.  After getting hands on with each solution, VMWare imo was hands down easier to use and gave better results.

Next, Nimble Storage is awesome!  If you're looking at storage give them a good look.



The conversion is pretty easy really, but if you get the steps wrong you can end up with BSOD and other ickyness.  This worked for me, your experience may be different.  I took snapshots at the Lefthand level and XenServer level before touching anything.  Results may vary.

There may be an easier way, doesn't really matter to me. This worked consistently for me so I'm stickin to it.

It's best practice to rebuild rather than convert.  I only converted machines that couldn't be rebuilt, were being replaced soon (but not ready to replace just yet), or when I was short on time and had to move it immediately.

Server 2008 / 2008 R2
  1. Download and install VMWare Converter 4.3, yes, the older version
  2. Disable any services necessary (ie, IIS, etc)
  3. Ensure you're logged in through the default (console) view, not RDP.
  4. Uninstall XenTools and reboot
  5. Go into Device Manager
  6. You'll see that the SCSI Controller doesn't have a driver.
    1. VMWare converter won't see the disks because of this
  7. Right click the SCSI Controller
  8. Update Driver Software
  9. Browse my computer for driver software
  10. Let me pick from a list of device drivers on my computer
  11. (Standard IDE ATA/ATAPI controller)
    1. IDE Channel
    2. If you get the wrong one you'll likely see a BSOD upon reboot
  12. Reboot
  13. Open VM Converter
  14. Convert Machine
  15. Select "This local Machine"
  16. Note that "View source details..." lights up. Click it
  17. Ensure that a Source disk is listed (if you didn't change the controller driver then none will be listed and it will error when you attempt to convert)
  18. Type in the info for one of your VMWare hosts
  19. Select your datastore target
  20. Change RAM, CPU, etc as fit
  21. Finish and wait
  22. Once it's completed shutdown the VM in XenServer
  23. In the VMWare console edit the VM.
  24. Delete the CDROM and Hard Disk
  25. Add a new Hard Disk as the SCSI 0:0 and point to the VMDK
  26. Add new CDROM with basic settings
  27. Start the machine and install tools
  28. Note that the VM Version is listed as 4
    1. Shutdown the VM
    2. Right click the VM and choose the option for "Upgrade Virtual Hardware"
    3. It should now show as a vmx-09
  29. Change the nic to vmxnet3 if desired
  30. Boot and change IP address if needed
  31. Uninstall VMWare converter

Since typing the Windows 2008 section, I tried something new that worked amazingly well with little downtime.  I did this with Windows 2008 RTM x32 and Windows 2008 R2 successfully.
  1. Download and install VMWare Converter 4.3.  New version may work better.
  2. Open VM Converter
  3. Convert Machine
  4. Select "This local Machine"
  5. Type in the info for one of your VMWare hosts
  6. Select your datastore target
  7. I had to edit the devices and change the controller to IDE
  8. Finish and wait
  9. At this point it's extremely important to remember that we don't want both VMs on at the same time.  BUT I wanted to ensure that my new VMWare VM would boot...
  10. Change Settings
    1. Change network to an isolated network off production.
  11. Delete the CDROM and Hard Disk
  12. Add a new Hard Disk as the SCSI 0:0 and point to VMDK
  13. Add new CDROM with basic settings
  14. Start the machine
  15. Uninstall XenServer Tools
  16. Reboot
  17. Install VMWare Tools
  18. Shutdown
  19. Note that the VM Version is listed as 4
    1. Shutdown the VM
    2. Right click the VM and choose the option for "Upgrade Virtual Hardware"
    3. It should now show as a vmx-09
  20. Boot the server and ensure it boots
  21. Shutdown VMWare VM
  22. Shutdown XenServer VM
  23. Edit VMWare VM and change NIC to production network
  24. Boot and change IP address if needed
  25. Uninstall VMWare converter
I was amazed how well this worked.  NOTE: I did this on fairly unimportant systems.  Not sure I'd do it with systems that are critical (besides, I rebuilt anything critical, converting is never my first choice)

Windows 2008 RTM: I also had to delete the NIC (which was listed as Flexible) and add a new one for VMXNET3.

One final strange thing I noticed is that the InitialKeyboardIndicators key would get messed up.
This is found under HKEY_USERS\.Default\Control Panel\Keyboard
It would be set to 21474836648 after conversion
Changing this back to 0 made it work as expected.

Pagefile on XenApp

Building out a new environment and I got to the point of setting the pagefile...

I've always been told 1.5 x RAM or other numbers; I didn't know any better and just did it.

So, building the XA65 server and I look around to see what recommendations are for XenApp 6.5 and found this:
http://blogs.citrix.com/2011/12/23/the-pagefile-done-right/

What a concept, pagefile should be set depending on what the server load is.  All these years and I only just now learned this.

Thursday, February 21, 2013

DHCP Migrate from Split Scope to Windows 2012 DHCP with Failover

There are already several excellent posts out there about how to migrate to Windows 2012 DHCP.
Microsoft's own blog is an excellent reference.
http://blogs.technet.com/b/teamdhcp/archive/2012/09/11/migrating-existing-dhcp-server-deployment-to-windows-server-2012-dhcp-failover.aspx

I'm writing this because I didn't find much about migrating from multiple DHCP servers with split scopes to a single 2012 server with failover while bringing the leases along.  It is a very easy process and requires minimal work.  (Note: you can also just enable conflict detection, unauthorize the old servers and let it all sort itself out.)  I decided not to rely on conflict detection this time, because the last time I did that some users got a popup about their IP expiring, which caused a call to IT to be told to restart.  Not a big deal, but this approach is easy and causes one less call to IT; I'm all for fewer calls.


In my case I migrated off 2 Windows 2008 R2 servers with split scopes.  I wanted to pull the leases off both servers and combine them and then make the DHCP servers failover with hot standby.
I'll refer to the old servers as DC01 and DC02
The new servers will be DC03 and DC04

  • Add the DHCP role to both of your new servers.
  • On DC03, right-click PowerShell and choose Run as administrator.
  • Export-DhcpServer -ComputerName DC01 -Leases -File C:\export\dhcpDC01.xml -Verbose
  • Export-DhcpServer -ComputerName DC02 -Leases -File C:\export\dhcpDC02.xml -Verbose
  • Open both xml files with notepad (I prefer Notepad++)
    • These XML files contain the full DHCP config for the old server.  We need to combine the leases from both files so that a single import brings all of the leases across.
    • Do a search for the Leases tag.
    • This is the beginning of the section that holds all your leases.
    • In the DC02 XML file, copy from the first Lease tag (note that I dropped the "s") down to the last Lease section.  Make sure you get both the opening and closing tags for each active lease.
    • Remove any leases that belong to reservations, if you have any; otherwise they will be duplicates.
    • In the DC01 XML file, paste these leases into the Leases section.  I pasted mine after the last DC01 lease, just before the closing Leases tag.
  • On DC03 run: Import-DhcpServer -ComputerName DC03 -Leases -File C:\export\dhcpDC01.xml -Verbose
  • Ensure that DC03 is authorized
  • In the DHCP mmc "unauthorize" the server for DC01 and DC02
  • You may get a parameter error when unauthorizing servers.  I found that it still worked if I closed the mmc and reopened it.  In one case I did the unauthorize from the server directly, or simply waited a couple of minutes, then closed / reopened and tried again.  Don't forget to refresh.
    • In a pinch you can also shutdown the DHCP Server service.
  • Close DHCP mmc and reopen.  Right click DHCP and Manage Authorized Servers and check that the list is correct.
  • Go into your scopes and "merge" your scope exclusions.  I had the exclusions for my new single scope already written down so that I could delete all the old exclusions and re-enter the new ones.  EDIT: You can also modify the XML file the same way you did for the leases to include the new exclusion ranges; look for the exclusion range tags.
  • I always like having conflict detection, so ensure this is on.  It's under IPv4, Properties, Advanced.  (if you had it set on your old DHCP then it will have migrated with the import)
  • I like to use a tool like Microsoft's dhcploc.exe or SoftPerfect's netscan to check that I don't have rogue DHCP servers.  At this point, check that only your new server is handing out addresses. http://www.softperfect.com/products/networkscanner/
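The lease-merging step above is done by hand in Notepad.  The following is an added example, not code from the original post, that does the same merge in PowerShell and also refuses to add an address twice.  It assumes the export XML lays out scopes as Scope/ScopeId with the leases in a Leases/Lease list (each Lease carrying IPAddress and ScopeId elements) and reservations as Reservation/IPAddress entries; check those names against your own export before trusting the result.

```powershell
function Merge-DhcpLeaseExport {
    param(
        [Parameter(Mandatory)][string]$PrimaryPath,    # export that will be imported, e.g. C:\export\dhcpDC01.xml
        [Parameter(Mandatory)][string]$SecondaryPath,  # export whose leases are merged in, e.g. C:\export\dhcpDC02.xml
        [Parameter(Mandatory)][string]$OutputPath      # merged file to pass to Import-DhcpServer -Leases
    )
    # Assumption: Export-DhcpServer output has no XML namespace, so plain XPath names work.
    [xml]$primary   = Get-Content -Path $PrimaryPath -Raw
    [xml]$secondary = Get-Content -Path $SecondaryPath -Raw

    # Addresses that must not be added twice: every lease already in the primary file,
    # plus every reservation in either file (the reservations are recreated by the
    # config import, so a lease for one of them would be a duplicate, as the post notes).
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    $primary.SelectNodes('//Lease/IPAddress')         | ForEach-Object { [void]$known.Add($_.InnerText) }
    $primary.SelectNodes('//Reservation/IPAddress')   | ForEach-Object { [void]$known.Add($_.InnerText) }
    $secondary.SelectNodes('//Reservation/IPAddress') | ForEach-Object { [void]$known.Add($_.InnerText) }

    $added = 0; $skipped = 0
    foreach ($lease in $secondary.SelectNodes('//Lease')) {
        $ip = $lease.IPAddress
        if ($known.Contains($ip)) { $skipped++; continue }
        # A split scope has the same ScopeId on both servers, so the lease goes
        # into the Leases element of the matching scope in the primary file.
        $target = $primary.SelectSingleNode("//Scope[ScopeId='$($lease.ScopeId)']/Leases")
        if (-not $target) {
            Write-Warning "Lease ${ip}: scope $($lease.ScopeId) not found in $PrimaryPath, skipped"
            $skipped++; continue
        }
        [void]$target.AppendChild($primary.ImportNode($lease, $true))
        [void]$known.Add($ip); $added++
    }
    $primary.Save($OutputPath)
    [pscustomobject]@{ Added = $added; Skipped = $skipped; Output = $OutputPath }
}

# Usage on DC03, with the paths used in the post; import the merged file instead of dhcpDC01.xml
Merge-DhcpLeaseExport -PrimaryPath 'C:\export\dhcpDC01.xml' -SecondaryPath 'C:\export\dhcpDC02.xml' -OutputPath 'C:\export\dhcpMerged.xml'
```

Diff the merged file against the originals before importing; a Skipped count higher than your reservation count means the two servers held overlapping leases, which is worth understanding before the old servers are unauthorized.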
Okay, so at this point we have:
  • 1 server 2012 handing out DHCP for the entire environment (DC03)
  • 1 server 2012 with DHCP installed, but not configured  (DC04)
  • 2 old servers that have been unauthorized (DC01 and DC02)
Now we just need to configure DC04.
  • From DC03 powershell (run as administrator)
  • Export-DhcpServer -ComputerName DC03 -File C:\export\dhcpexp2012.xml -Verbose
    • Note, we don't want the leases
  • Move the export file over to DC04 locally.  The next steps can be done from DC03, but I found that it ran much faster locally than remotely.
  • From DC04:
  • DHCP role should already be installed, if not install it.
  • Open powershell with run as administrator
  • Import-DhcpServer -ComputerName DC04 -File C:\export\dhcpexp2012.xml -ServerConfigOnly -Verbose -BackupPath C:\export\backup
    • This imports the server config only. No leases or scopes
  • Refresh screen
  • Right click DC04 and authorize the server

Now let's set up failover / replication
  • These next steps are done from DC03; it will be our active server while DC04 will be the standby server.
  • Right click on IPv4
  • Configure Failover
  • Select the network - Next
  • Change name if desired
  • Change the mode to "Hot Standby"
  • Enter a shared secret
  • Next
  • Close
  • Refresh DHCP mmc

That's it.  Now if you right click on a scope and go to properties you will find a failover tab.  This will tell you if it's in failover and what the role of that particular server is.

At this point I would run netscan again and check which servers it sees handing out DHCP as well as which servers it shows as AD-authorized.  In my case it shows DC03 as handing out DHCP and it shows AD authorized as DC03 and DC04.
http://www.softperfect.com/products/networkscanner/


Note: dhcploc.exe is included with the Microsoft tools on the Windows 2003 CD (I believe it's also on the 2008+ CDs).  To run it I typed "dhcploc.exe mymachinesIPaddress".  It took a while to start displaying.


Friday, January 4, 2013

Installing / Upgrading Windows Server 2012 KMS Host

This guide is to install Volume Activation Services on Windows Server 2012 and then point clients to the new host.  I used KMS and have not looked into Active Directory-Based Activation (which requires Windows Server 2012 AD DS schema).

First, you should read this to better understand how the process works:
http://technet.microsoft.com/en-us/library/hh831612.aspx

  1. Once you have your new Windows Server 2012 set up you'll need to install the new role and its required features for Volume Activation Services.
  2. Once this is installed you'll find a new "VA Services" option in Server Manager.
  3. Right-click on the server in the Servers field and select "Volume Activation Tools".
  4. Click Next
  5. Ensure KMS is selected and the proper server is listed.  You will need to be logged in as an Enterprise Administrator.  Click Next
  6. Retrieve your KMS key from the Microsoft VLSC login; you can find it under the relationship summary, or under Downloads and then clicking Keys next to Windows Server 2012.  Make sure you get the one listed as KMS (not MAK) and from the proper agreement.
  7. Input your KMS key
  8. Click Yes, this uninstalls the GVLK
  9. Activate the product.  Can be done Online or by phone.
  10. Click Yes to confirm
  11. This will return with your configuration options.  Notice Licensing Status returned "Licensed"
  12. You are now presented with the options for firewall exceptions and DNS (SRV record).
  13. Click Yes to confirm
  14. Click Close
  15. You should now see in the servers window that it shows Windows Activation as "Activated"
  16. Right click the server again and choose the option "start performance counters"

Confirming settings and DNS

To start with, I checked my DNS to see what my VLMCS records were pointing at and found that nothing had changed yet (I had created them statically with my 2008 R2 KMS host).
This can be found under Forward Lookup Zones\your domain\_tcp; it's the _VLMCS record (you may not have one, depending on your past setup).
Open command prompt and navigate to C:\Windows\System32
cscript slmgr.vbs /dlv

From here we can see:
  • It's licensed and activated
  • The partial license key
  • Current count of clients (zero at the moment)


Let's add the new VLMCS record so that we can activate another 2012 server.
In the _tcp location:
  1. Other New Record
  2. Service Location (SRV)
  3. Service = _VLMCS
  4. Protocol = _tcp
  5. Port Number = 1688
  6. Host = fqdn of server


I then deleted the old _VLMCS record and waited for replication.
From there, on another 2012 server, I issued cscript slmgr.vbs /ato, which errored.
Looking in the event viewer I could see that it was still attempting to hit the old KMS server (event ID 12288; the server name is in the details).
After an ipconfig /flushdns (plus I had gone to get coffee, so the wait may have been sufficient) I ran cscript slmgr.vbs /ato again.  Now I could see it hitting the new server properly.
Now the server responds with:
Error: 0xC004F038 The software licensing service reported that the computer could not be activated. The count reported by your Key Management Service (KMS) is insufficient.
Once the KMS server hits its count of 5 servers you'll be all set and it will begin giving out licenses.



Note:  I found that even though the KMS server showed activated, the majority of my servers were 2008 R2 and only 2 servers were 2012.  The 2012 servers were giving the following:

Error: 0xC004F038 The software Licensing Service reported that the computer could not be activated. The count reported by your Key Management Service (KMS) is insufficient. Please contact your system administrator

This indicates that the KMS server hasn't hit the count of 5 and activated.

2008 R2 servers were activating against it without issue.

It would appear that the activation counts for 2008 R2 and Windows 2012 are separate when hosted on Server 2012.  After I brought up another 3 Windows 2012 servers the KMS no longer reported the count as insufficient for 2012, and the 2012 servers no longer reported the 0xC004F038 error but activated as expected.
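The three things this section checks by hand (the _VLMCS SRV record, whether a client reaches the new host on 1688, and the count slmgr reports) can be scripted.  This is an added example, not code from the original post; it assumes the DnsServer module on the DNS server for Add-DnsServerResourceRecord, Resolve-DnsName on the client (Windows 8 / Server 2012 and later) and the slmgr.vbs path used above.

```powershell
function Add-KmsSrvRecord {
    # Run on a DNS server / DC; creates the record the post adds through the GUI
    # (_VLMCS, _tcp, port 1688, host = FQDN of the KMS server).
    param([Parameter(Mandatory)][string]$ZoneName, [Parameter(Mandatory)][string]$KmsFqdn)
    Add-DnsServerResourceRecord -ZoneName $ZoneName -Name '_vlmcs._tcp' -Srv `
        -DomainName $KmsFqdn -Port 1688 -Priority 0 -Weight 0
}

function Test-KmsDiscovery {
    # Run on a client: which host does _VLMCS point at, and is TCP 1688 open there?
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: the client's AD DNS domain
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        return [pscustomobject]@{ Domain = $Domain; KmsHost = $null; Port = $null; TcpOpen = $false }
    }
    foreach ($rec in $records) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try     { $tcp.Connect($rec.NameTarget, $rec.Port); $open = $tcp.Connected }
        catch   { $open = $false }
        finally { $tcp.Close() }
        # More than one record, or a host you did not expect, means the old _VLMCS entry is
        # still being served; the post saw clients try the old host (event ID 12288 names it)
        # until replication and ipconfig /flushdns caught up.
        [pscustomobject]@{ Domain = $Domain; KmsHost = $rec.NameTarget; Port = $rec.Port; TcpOpen = $open }
    }
}

function Get-KmsCurrentCount {
    # Run on the KMS host itself; parses the "Current count" line from slmgr /dlv.
    $output = cscript //nologo C:\Windows\System32\slmgr.vbs /dlv
    foreach ($line in $output) {
        if ($line -match 'Current count:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # not a KMS host, or the line was not present
}

Test-KmsDiscovery | Format-Table -AutoSize
$count = Get-KmsCurrentCount
if ($null -ne $count -and $count -lt 5) {
    # Server clients get 0xC004F038 until the count the post describes is reached
    Write-Warning "KMS count is $count; server clients will report 0xC004F038 until it reaches 5"
}
```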