Somebody has stolen an IP address belonging to one of your vSphere guests, and the Windows Event Log reports an IP conflict? Just note the suspicious MAC address from the event and execute the following statement in vSphere PowerCLI:
Get-VM | Get-NetworkAdapter | ? {$_.MacAddress -match '00:50:56:AF:00:61'} | % {get-vm -Id (($_.Id).split('/')[0])}
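The same lookup as an added function (not from the original post). It normalizes the MAC first, because the Windows conflict event (Tcpip event 4199) reports it as 00-50-56-AF-00-61 while PowerCLI stores it colon-separated, and it returns the VM, host and port group so the offending guest can be traced. It assumes an existing PowerCLI session (Connect-VIServer already done); the MAC in the usage line is the one from the post.

```powershell
# Added example: find the vSphere VM that owns a MAC address reported in a
# Windows IP-conflict event. Assumes Connect-VIServer has already been run.
function Find-VMByMac {
    param(
        [Parameter(Mandatory = $true)]
        [string]$MacAddress
    )

    # Accept "00-50-56-AF-00-61", "00:50:56:af:00:61" or "005056AF0061"
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) {
        throw "'$MacAddress' is not a 48-bit MAC address"
    }
    $pairs = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    $normalized = $pairs -join ':'          # -> 00:50:56:AF:00:61

    # -eq is case-insensitive, so PowerCLI's lowercase MACs match as well
    Get-VM | Get-NetworkAdapter |
        Where-Object { $_.MacAddress -eq $normalized } |
        ForEach-Object {
            $vm = $_.Parent                 # the VM that owns this adapter
            New-Object PSObject -Property @{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                VMHost     = $vm.VMHost.Name
                Adapter    = $_.Name
                PortGroup  = $_.NetworkName
                MacAddress = $_.MacAddress
            }
        }
}

# Usage: the MAC taken from the event log entry
Find-VMByMac -MacAddress '00-50-56-AF-00-61' |
    Format-Table VM, PowerState, VMHost, Adapter, PortGroup, MacAddress -AutoSize
```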
Issue description
While fighting with the Citrix Single Sign On Service (SSONSVR.exe) on Windows 7 using smart card based logon, I had a deeper look at the architecture of the SSONSVR service. For those who are not familiar with this component of the Receiver / Online Plugin: it's basically a Citrix client component which caches the current logon credentials on a Windows based endpoint to enable the pass-through logon feature of XenApp. If a user logs on with username / password, SSONSVR caches the credentials and passes them on to the XenApp server or to the WI / WI service site, respectively.
Now, if a user logs on to his Windows 7 client using smart card interactive logon with PIN, SSONSVR.exe is not invoked and therefore PIN pass-through to a XenApp host does not work. Users receive an RDS logon screen where they have to click on their user account and enter the PIN, which is of course very annoying.
SSONSVR is implemented as a "Network Provider" and is called by Winlogon via the NPLogonNotify function. Upon a smart card logon, NPLogonNotify is simply not invoked by Winlogon.exe anymore, due to an architecture change of Winlogon in Vista / Windows 7 / 2008 R2.
For more info about that see: http://msdn.microsoft.com/en-us/library/bb905527.aspx and http://support.citrix.com/article/CTX131223
Resolution
Add the following Registry key to your Windows 7 clients:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Value Name: SmartCardLogonNotify
Value Type: REG_DWORD
Value Data: 0x1
Log off and log on using your smart card / PIN, and voilà, the ssonsvr.exe (or ssonsvr.exe *32) process is running.
To generally enable SSON and smart card PIN pass-through, a few more steps are required.
- Configure the Receiver ADM policy
- Enable local user name and password
- Allow Smart Card Authentication
- Enable pass-through authentication for PIN
- Enable local user name and password
- Enable Smart Card or Smart Card with pass-through authentication on your WI site
- Enable “Trust XML Service requests” on the XenApp policy
- Install required Smart Card drivers and middleware components on the XenApp hosts if using a third party one.
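The registry part of the resolution as an added script (not from the original post): it writes the SmartCardLogonNotify value exactly as given above, verifies it, and offers a check that the ssonsvr.exe process is present after the next smart card logon. It must run elevated; key path and value are the ones stated in the post.

```powershell
# Added example: apply and verify the SmartCardLogonNotify setting from the post,
# then check whether ssonsvr.exe is running. Run in an elevated PowerShell.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$valueName = 'SmartCardLogonNotify'

function Enable-SmartCardLogonNotify {
    if (-not (Test-Path $keyPath)) {
        # The Notify key is not necessarily present on Windows 7, so create it
        New-Item -Path $keyPath -Force | Out-Null
    }
    # REG_DWORD 0x1, as stated in the post
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord

    # Read it back instead of trusting the write
    $actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($actual -ne 1) {
        throw "$valueName was not written correctly (found '$actual')"
    }
    Write-Host ("{0} = 0x{1:X} set under {2}" -f $valueName, $actual, $keyPath)
    return $true
}

function Test-SsonSvrRunning {
    # Returns $true if the Single Sign On service process exists (32- or 64-bit build)
    $p = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue
    if ($p) {
        Write-Host ("ssonsvr.exe running (PID {0})" -f (($p | ForEach-Object { $_.Id }) -join ', '))
        return $true
    }
    Write-Host 'ssonsvr.exe is not running: log off and log on with smart card / PIN, then re-check'
    return $false
}

Enable-SmartCardLogonNotify | Out-Null
Test-SsonSvrRunning
```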
Notice about PIN caching on Windows 7
The Microsoft provided CSP does not support global PIN caching, only "per process" PIN caching. This means that when Receiver starts up, and each time Receiver or PNAgent launches a published resource, the CSP asks for the PIN. This behavior is by design; to get rid of it, you have to use a third-party CSP / middleware like ActivIdentity, which supports global PIN caching.
- Create a responder action and a responder policy to always redirect requests to /internalWI if the request is coming from AGEE.
- Bind the policy to the virtual server which load balances your WI servers
add responder action "redirect_to_internal_wi" redirect "\"https://wi.corp.com/internalWI\"" -bypassSafetyCheck YES
add responder policy pol-redirect-wi "HTTP.REQ.URL.CONTAINS(\"/adminWI\") && CLIENT.IP.SRC.EQ(10.10.1.95)" "redirect_to_internal_wi"
bind lb vserver wi_vserver -policyName pol-redirect-wi -priority 100 -gotoPriorityExpression END
FIM resources in a nutshell
If you are new to FIM (Forefront Identity Manager), this blog article might help you a lot.
http://www.jonoble.com/blog/month/november-2011
If you are familiar with PowerShell, the possibilities together with FIM are huge!
This week I decided to dive into a Hyper-V installation running on Server 2008 R2 SP1 Core. To share my experience and to conserve my own knowledge, I'd like to write down my personal experiences in this blog post.
The start over
For those of you who haven't seen a core server after the initial image deployment, I've captured the screen after changing the admin password.

Configuring Networking
List interfaces and note down the IDX numbers
Netsh interface ipv4 show interfaces
Set the IP address for the management interface
Netsh interface ipv4 set address name="21" address=10.2.1.140 mask=255.255.255.0 gateway=10.2.1.1
Set the DNS servers
Netsh interface ipv4 add dnsserver name="21" address=10.2.1.160 index=1
Netsh interface ipv4 add dnsserver name="21" address=10.2.1.161 index=2
Rename the host
Netdom renamecomputer localhost /NewName:SHYPVC01
Join the host to a domain
Netdom join localhost /domain:miru.lab /userD:<username> /passwordD:<password>
Enable remote management
Cscript \windows\system32\scregedit.wsf /ar 0
Netsh advfirewall set currentprofile settings remotemanagement enable
Install Powershell
start /w ocsetup NetFx2-ServerCore
start /w ocsetup MicrosoftWindowsPowerShell
Enable Powershell Remoting
Start powershell from C:\windows\system32\windowspowershell\v1.0\
Enable-PSRemoting
Install Hyper-V Role
start /w ocsetup Microsoft-Hyper-V
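An added check (not from the original post) to run from an admin workstation once Enable-PSRemoting has completed on the core host: it confirms that WinRM is reachable and that the name, domain membership, management IP, DNS servers and Hyper-V service on the host match what the steps above were supposed to produce. Host name, domain and IP default to the values used in the post.

```powershell
# Added example: verify the outcome of the Server Core configuration above from a
# management workstation via PowerShell remoting. Defaults are the post's values.
function Test-CoreHyperVHost {
    param(
        [string]$ComputerName = 'SHYPVC01',
        [string]$Domain       = 'miru.lab',
        [string]$ExpectedIP   = '10.2.1.140'
    )

    # 1. Is the WinRM listener (created by Enable-PSRemoting) reachable at all?
    try { Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null }
    catch { throw "WinRM not reachable on ${ComputerName}: $_" }

    # 2. Collect the facts on the host itself
    $facts = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cs  = Get-WmiObject -Class Win32_ComputerSystem
        $nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
               Where-Object { $_.IPEnabled }
        New-Object PSObject -Property @{
            Name         = $cs.Name
            Domain       = $cs.Domain
            PartOfDomain = $cs.PartOfDomain
            IPAddresses  = @($nic | ForEach-Object { $_.IPAddress })
            DnsServers   = @($nic | ForEach-Object { $_.DNSServerSearchOrder })
            # vmms = Hyper-V Virtual Machine Management service (present once the role is installed)
            HyperVSvc    = (Get-Service -Name vmms -ErrorAction SilentlyContinue).Status
        }
    }

    # 3. Compare against what the procedure should have produced
    $checks = @(
        @{ Check = 'Hostname';        Ok = ($facts.Name -eq $ComputerName) },
        @{ Check = 'Domain joined';   Ok = ($facts.PartOfDomain -and $facts.Domain -eq $Domain) },
        @{ Check = 'Management IP';   Ok = ($facts.IPAddresses -contains $ExpectedIP) },
        @{ Check = 'DNS configured';  Ok = ($facts.DnsServers.Count -ge 1) },
        @{ Check = 'Hyper-V (vmms)';  Ok = ($facts.HyperVSvc -eq 'Running') }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Check  = $c.Check
            Result = $(if ($c.Ok) { 'OK' } else { 'FAIL' })
        }
    }
}

Test-CoreHyperVHost | Format-Table Check, Result -AutoSize
```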
So from now on you'll be much more comfortable using SCVMM and all the RSAT tools to remotely manage your core host. Server Core requires less patching and gives you the possibility of getting rid of curious Windows admins thinking "ehh, let's have a look what that server does" and logging in just for fun to click around fancy GUIs. Personally, I think the core installation will become more important with Server 8, because there are dozens of new modules and thousands of new cmdlets making it way easier to manage a core instance via PowerShell.
More details about how to manage a Server core instance in a later article.
Since the end of Synergy Barcelona last week, Cloud Gateway Express has been available for download as a CTP version. (www.citrix.com/techpreview)
It contains the following components:
- Receiver Store Front CTP (currently Windows based portal services for Receiver)
- Receiver 3.1 CTP (same look and feel on any device)
Receiver Store Front claims to replace Web Interface completely; Citrix talks about Web Interface 5.4 as a "legacy technology". It acts as a single portal solution for Receiver and Web Receiver to deliver XenApp / XenDesktop and Citrix Online apps like GoToMeeting. It does not integrate SaaS apps; for this, Cloud Gateway Enterprise is required, which is not available yet.
For those who know the Delivery Services Server 1.0 it's kind of straightforward to install and configure the Receiver Store Front. It requires an SQL 2008 R2 database prior to the configuration of the Store Front.
Receiver Store Front installs on any Windows 2008 R2 box and introduces the following components:
- Server Groups (Combine multiple Store Front Servers to a high available portal solution)
- Authentication Service (Token Validation Service). This service handles authentication requests from Receiver or Web Receiver
- Stores (That’s where you want to configure your XenApp / XenDesktop Farms)
- Receiver for Web (where you configure web sites for browser based Receiver access. Stores and Receiver For Web configurations replace the Web Interface parts)
- Gateways (you can configure multiple access gateways here)
- Beacons (http probes to tell your Receiver if it’s currently connected to your corporate network or to a public one)
The management console looks a bit like the XenDesktop Studio, and it acts similar too. Behind the scenes are dozens of Powershell CMDLETS executed as you click around the GUI.
You can list the Store Front cmdlets by opening a PowerShell console and typing:
Import-Module Citrix.Delivery*
Get-Command -Module Citrix.Delivery*
To configure the Store Front you can follow the eDoc here
Before configuration you have to manually setup the SQL Database on your SQL 2008 R2 box. To create the logins and the database follow the steps here.
There are some pain points I'm currently dealing with:
- Missing Smart Card Support on Token Authentication Service component
- Receiver 3.1 does not properly recognize when to connect via gateway and when not, even if beacons are configured properly and reachable. (maybe I have still some misunderstandings here)
- Little documentation available, but that will hopefully change
And this is how it looks when you connect via Web Receiver and Access Gateway Enterprise.
I’ll cover Cloud Gateway Enterprise in more detail in an upcoming post as soon as I receive the binaries.
I'm sure almost everyone dealing with upgrading an existing Exchange org to MS Exchange 2010 has wondered about the name of the administrative group that is created automatically under the configuration container.
Its name (FYDIBOHF23SPDLT) looks interesting and, according to MS, you shouldn't change it in any way. But where does that name come from? If you look back a couple of years, there was a cool movie called "2001: A Space Odyssey". A smart but foolish computer named HAL had full control over the spaceship. HAL is a cryptic name too, and if you count each letter always -1 in the alphabet you'll receive, guess what? I B M
So what about the name of the E2K10 admin group? Starting with Exchange 2007, they had to find a name which would be really unique and which nobody had already chosen, because in fact E2K7 and E2K10 don't use the administrative group concept any more, but you need one if you upgrade from E2K3 for coexistence purposes. The MS Exchange team had a couple of ideas; one was creating a unique GUID. But would that be good to read and to administer? Probably not.
So if we take the name and proceed the same way as with the old school HAL...
FYDIBOHF23SPDLT
means..
EXCHANGE12ROCKS
For me personally, it rocks too
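The letter shift used above, as an added example (not from the original post). Shifting every character by -1 turns FYDIBOHF23SPDLT into EXCHANGE12ROCKS (the digits shift too, so 2 becomes 1 and 3 becomes 2); for HAL the shift runs the other way, +1 giving IBM, which is the same relation read in the opposite direction.

```powershell
# Added example: shift letters and digits by a fixed offset, wrapping within
# A-Z, a-z and 0-9 and leaving all other characters untouched.
function Invoke-CharShift {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [int]$Shift = -1
    )
    $out = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.ToCharArray()) {
        if ($ch -cmatch '[A-Z]') {
            $base = [int][char]'A'; $size = 26
        } elseif ($ch -cmatch '[a-z]') {
            $base = [int][char]'a'; $size = 26
        } elseif ($ch -cmatch '[0-9]') {
            $base = [int][char]'0'; $size = 10
        } else {
            [void]$out.Append($ch)      # punctuation, spaces etc. pass through
            continue
        }
        # Modulo that stays positive for negative shifts
        $idx = ((([int]$ch - $base) + $Shift) % $size + $size) % $size
        [void]$out.Append([char]($base + $idx))
    }
    $out.ToString()
}

Invoke-CharShift -Text 'FYDIBOHF23SPDLT' -Shift -1   # EXCHANGE12ROCKS
Invoke-CharShift -Text 'HAL' -Shift 1                 # IBM
Invoke-CharShift -Text 'EXCHANGE12ROCKS' -Shift 1     # back to FYDIBOHF23SPDLT
```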
There are several ways to create a new default user profile on a Windows 7 client.
The most popular one is the official way from Microsoft, documented here: http://support.microsoft.com/kb/973289/en-us
Personally I think that's a bit too complex; we just want to copy another user's profile over the default one, don't we? Here is another way which has worked several times for me.
- Create a local user, log on with this user and make your changes to the profile as required
- Log off and log on with an administrator account (you may need to reboot first, as sometimes the user's hive is not completely unloaded at logoff)
- Open the registry editor and change the following value to match your model user's profile:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
(change %SystemDrive%\Users\Default to %SystemDrive%\Users\yourlocaluser)
- Open Computer Advanced Properties and navigate to "User Profiles". Select the Default profile and choose "Copy to". Select %SystemDrive%\Users\Default as the destination and select "Everyone" as the user permitted to use the profile
- Change the registry value back to %SystemDrive%\Users\Default
I'm not sure whether this is supported by MS in any way, but it works perfectly.
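The registry part of this procedure as an added script (not from the original post). It repoints ProfileList\Default at the model user's folder and back again, and refuses to do so while that user's hive is still loaded under HKEY_USERS, which is exactly the situation the second step warns about. Run elevated; the user name 'modeluser' is an assumed example.

```powershell
# Added example: switch the ProfileList\Default pointer to a model user's profile
# (and restore it), checking first that the model user's hive is unloaded.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-UserHiveLoaded {
    param([Parameter(Mandatory = $true)][string]$UserName)
    # A loaded user profile shows up as HKEY_USERS\<SID>
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Test-Path "Registry::HKEY_USERS\$sid"
}

function Set-DefaultProfileSource {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,  # model user, e.g. 'modeluser'
        [switch]$Restore                                  # point back to %SystemDrive%\Users\Default
    )
    if ($Restore) {
        $target = '%SystemDrive%\Users\Default'
    } else {
        if (Test-UserHiveLoaded -UserName $UserName) {
            throw "Hive of '$UserName' is still loaded; log that user off (or reboot) first"
        }
        $target   = "%SystemDrive%\Users\$UserName"
        $resolved = [Environment]::ExpandEnvironmentVariables($target)
        if (-not (Test-Path $resolved)) {
            throw "Profile folder '$resolved' does not exist"
        }
    }
    $previous = (Get-ItemProperty -Path $profileListKey -Name Default).Default
    # The stock value is REG_EXPAND_SZ; keep that type so %SystemDrive% still expands
    Set-ItemProperty -Path $profileListKey -Name Default -Value $target -Type ExpandString
    Write-Host "Default profile source: '$previous' -> '$target'"
}

# Before the "Copy to" step:
Set-DefaultProfileSource -UserName 'modeluser'
# After the profile has been copied to %SystemDrive%\Users\Default:
# Set-DefaultProfileSource -UserName 'modeluser' -Restore
```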
Imagine this:
You have a 2008 R2 RDS host or a Win7 client machine and a logon script which wants to copy some files (templates, in my case) to C:\ProgramData, a UAC protected folder. UAC will prompt you (if UAC is enabled, of course) even if you are a member of the local Administrators group. Well, there are solutions, but assigning Domain Admin permissions to the executing account is not acceptable IMHO. I found some badly documented hacks around the AppCompat Tool. The easiest way to get rid of this is to set the "__COMPAT_LAYER" environment variable (yes, these are TWO underscore characters).
So just set this variable to "RunAsInvoker" before you start something that tries to execute a UAC protected executable or tries to write to a UAC protected folder.
Example:
set __COMPAT_LAYER=RunAsInvoker
rem %logonserver% already contains the leading \\
robocopy %logonserver%\netlogon\templates %ProgramData%\CompanyTemplates /S /E
This also works for AppSense EM actions, where you specify the executing user (which has to be a local admin, of course, or has to have appropriate access rights).
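The same robocopy call from a PowerShell logon script, as an added example (not from the original post). __COMPAT_LAYER is set only for the child process and restored afterwards, so the shim does not leak into everything else the script starts, and robocopy's exit code is interpreted instead of ignored (values of 8 and above contain failures). The share and destination folder names are the ones used in the post.

```powershell
# Added example: run one process under the RunAsInvoker compatibility layer without
# leaving __COMPAT_LAYER set for the rest of the logon script.
function Invoke-WithCompatLayer {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList = @(),
        [string]$Layer = 'RunAsInvoker'
    )
    $saved = $env:__COMPAT_LAYER
    try {
        # The child inherits the environment, so set the variable right before starting it
        $env:__COMPAT_LAYER = $Layer
        $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList `
                           -NoNewWindow -Wait -PassThru
        return $p.ExitCode
    } finally {
        # Put the environment back (or remove the variable if it was not set before)
        if ($null -eq $saved) {
            Remove-Item -Path Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue
        } else {
            $env:__COMPAT_LAYER = $saved
        }
    }
}

# $env:LOGONSERVER already starts with "\\", so just append the share path
$source = "$env:LOGONSERVER\netlogon\templates"
$dest   = Join-Path $env:ProgramData 'CompanyTemplates'

$rc = Invoke-WithCompatLayer -FilePath 'robocopy.exe' -ArgumentList @($source, $dest, '/S', '/E')

# robocopy exit codes: 0-7 are success variants (bits for copied/extra/mismatched),
# 8 and above mean at least one file or directory could not be copied
if ($rc -ge 8) { Write-Warning "robocopy reported errors (exit code $rc)" }
else           { Write-Host    "templates copied (robocopy exit code $rc)" }
```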
Attending the vSphere 5 upgrade class gave me a pretty good overview of vSphere 5's new features and enhanced functionality. VMware has again made a step forward to provide a (please forgive me) "cloud proven" virtualization solution.
And this is the content:
- ESXi in a nutshell
- vCenter 5 in a nutshell
- Virtual machines (V8)
- Networking (Distributed vSwitches)
- Storage
- Scalability / High Availability
- Alternative deployment methods
- vSphere PowerCLI 5
- vCenter Server appliance
ESXi in a nutshell
- ESX classic is gone, which means only ESXi is available, so you'd better get familiar with vSphere PowerCLI and vSphere CLI if you haven't already done so
- Installation creates 4GB scratch partition
- 2098 MB Memory required
- Scripted installation still possible, some kickstart commands deprecated
- Upgrade via Update Manager requires a 350MB /boot partition!!! (so in most cases you won't be able to upgrade an ESX 4.x host, because nobody created a 350MB boot partition :)). IMHO it's also better to create a clean and fresh installation.
- Image Builder (PowerCLI) allows the creation of custom images containing 3rd party agents and additional drivers, and of Auto Deploy images
- The DCUI (direct console user interface) now provides the same commands as the remote CLI via the built-in busybox toolset, so local console debugging becomes easier again
vCenter 5 in a nutshell
- Requires x64 OS (2003 R2 / 2008 R2), min. 4GB Memory
- vCenter also available as a Linux based appliance
- No longer requires dbo rights for database upgrades
- Now uses 64-bit DSN
- No Converter on install media (will VMware deliver a version 5 enterprise converter soon ?)
- Data migration tool helps to transfer vCenter settings to a new box
- Update Manager now supports simultaneous host patching and ESX to ESXi migrations (if you'd really want to do that...)
- Update Manager does not support guest OS patching any more
- The vSphere Web Client is not really a full replacement for the classic vSphere client, but it's a nice alternative for basic operational tasks as it also supports Firefox and Linux based browsers. The web client has an SDK for customizations. Currently it does not support connecting directly to an ESXi host, only via the vCenter web service.
- vCenter Solutions Manager (currently there are no integrations, but the basic idea is to provide an API framework for 3rd party vendors to integrate with vCenter, e.g. NetApp SnapManager, Veeam Backup & Replication). VMware's own existing solutions like Chargeback, Capacity IQ, etc. should also be integrated there in future versions.
Virtual machines (V8)
- 32vCpus per VM
- 1TB RAM per VM
- USB 3.0 devices
- Smart Card readers (can now be used to authenticate against virtual machines using vSphere client)
- E1000e network adapter
- VMDirectPath I/O version 2
- UI for multicore vCPUs (define what VMs see: physical / virtual cores)
- Snapshot consolidation (commit / cleanup snapshot chains where snapshot descriptor file and effective delta files are out of sync). This solves orphaned deltas, where all changes still go to the delta, but no snapshot can be found.
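An added PowerCLI example (not from the original post) for the snapshot consolidation feature: vSphere 5 flags a VM whose descriptor and delta files are out of sync through Runtime.ConsolidationNeeded, and the new ConsolidateVMDisks API call is what the GUI's "Consolidate" action runs. The script reports such VMs (a VM with zero snapshots but the flag set is the orphaned-delta case described above) and only consolidates when explicitly told to. It assumes an existing PowerCLI session against a vSphere 5 vCenter.

```powershell
# Added example: report VMs that need snapshot consolidation and optionally
# consolidate them. Assumes Connect-VIServer against a vSphere 5 vCenter.
function Get-VMNeedingConsolidation {
    Get-VM | Where-Object { $_.ExtensionData.Runtime.ConsolidationNeeded } |
        ForEach-Object {
            New-Object PSObject -Property @{
                VM         = $_.Name
                PowerState = $_.PowerState
                # 0 snapshots with the flag set = delta files with no snapshot in the chain
                Snapshots  = @(Get-Snapshot -VM $_).Count
                VmxPath    = $_.ExtensionData.Config.Files.VmPathName   # "[datastore] folder/vm.vmx"
            }
        }
}

function Invoke-VMDiskConsolidation {
    param(
        [Parameter(Mandatory = $true)][string]$VMName,
        [switch]$Commit    # without -Commit nothing is changed
    )
    $vm = Get-VM -Name $VMName
    if (-not $vm.ExtensionData.Runtime.ConsolidationNeeded) {
        Write-Host "$VMName does not need consolidation"
        return $false
    }
    if (-not $Commit) {
        Write-Host "$VMName needs consolidation; re-run with -Commit to merge the chain"
        return $false
    }
    # Synchronous form of the vSphere 5.0 ConsolidateVMDisks_Task API call
    $vm.ExtensionData.ConsolidateVMDisks()
    $vm.ExtensionData.UpdateViewData('Runtime.ConsolidationNeeded')
    return (-not $vm.ExtensionData.Runtime.ConsolidationNeeded)
}

Get-VMNeedingConsolidation | Format-Table VM, PowerState, Snapshots, VmxPath -AutoSize
```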
Networking (Distributed vSwitches)
- NetFlow delivery of physical / virtualized network traffic to a NetFlow collector
- Port mirroring on distributed virtual switches (dramatically enhances troubleshooting of network traffic between virtual machines). Who hasn't waited for this feature? Unfortunately it's only available with the Enterprise Plus license because it relies on the distributed vSwitch architecture
- Network I/O control with predefined / user defined network resource pools
- VMware Fault Tolerance traffic
- iSCSI traffic
- Management traffic
- NFS traffic
- Virtual machine traffic
- Vmotion traffic
- vSphere replication traffic
- Enhanced ESXi stateless firewall with granular access control. Custom services can be added via xml file (eg. Veeam backup or other services)
Storage
- VMFS version 5
- GUID Partition Table (GPT) replaces the master boot record to support partitions greater than 2TB
- Max datastore size increased to 64TB
- Max RDM size increased to 64TB
- Max file size on a datastore remains at 2 TB
- Newly created VMFS 5 datastores have a fixed 1MB block size
- File system subblock size has decreased from 64K to 8K
- Storage VMotion supports migration of VMs having snapshots or using linked clones
- Storage VMotion has a new mirroring architecture. If a VM is moved to another datastore, the VM monitor loads an I/O mirroring driver which enables constant writes to both sides (source and destination) based on a block level bitmap. Here is how that works exactly:
- The VM directory is copied from the source to the destination datastore
- The mirror driver does a single pass copying the virtual disk files from the source to the destination.
- During the copy process the mirror driver tracks all changes in a block level bitmap to recognize changed blocks. All changes are written simultaneously to both the source and the destination disk files. And here's one part of the magic, because this procedure eliminates the iterative process of vSphere 4, where VMs with high IOPS characteristics were hard to Storage VMotion.
- An additional virtual machine is started by the VM monitor in the background using the copied files on the destination datastore
- After the single-pass copy process has finished, Storage VMotion transfers control to the machine on the destination datastore (you can follow this other part of the magic using the esxtop utility)
- The virtual machine directory and the virtual machine's disk files are deleted from the source datastore
This enhances the reliability of Storage VMotion, which is required for Storage DRS.
- Storage DRS
- SSD cache (auto detection of local or shared SSD disk) -> faster storage VMotion or VM swapfile location
- vSphere 5 now has a software FCoE adapter (requires partial FCoE offload capabilities on the physical NIC)
- VAAI enhancements (NAS support, monitoring of thin provisioned storage arrays)
- VSA (virtual storage appliance)
The VSA is a virtual appliance running on an ESXi host. It provides HA / DRS / VMotion functionality between ESXi hosts with local storage. Multiple VSA instances on multiple ESXi hosts can be combined into a VSA cluster (max. 3 nodes). The VSA cluster replicates datastores to provide automatic failover on HW/SW failures. It's a kind of distributed or grid storage architecture, if you like. The drawbacks are the relatively high price and the limited list of supported server types (currently some DELL / HP models).
- Profile-driven storage (enables tags on datastores to create storage categories for virtual machine placement. Virtual machines and datastores can then be mapped to a profile, which simplifies the placement of new virtual machines by a simple categorization. The ESX admin can see whether a machine is compliant regarding its placement on the actual storage category)
Scalability / High Availability
VMotion
- Multi-NIC support of up to four 10Gbps NICs or up to sixteen 1Gbps NICs
- Support for “higher” latency links of up to 10ms
- Improved error reporting
- Reduced application overhead (not sure if this is really a benefit)
HA
- Datastore heartbeats ensure HA reliability if the management network has an outage (requires at least two shared VMFS datastores within the cluster accessible by all cluster nodes). NFS is also supported as heartbeat datastore. HA is no longer available if the cluster does not have at least two heartbeat datastores!
- Master / Slave concept
- The master agent ensures protection of protected VMs and maintains the current state of protected VMs and slave agents
- Slave agents monitor their own protected VMs and the health state of the master agent. If the master fails, all slaves participate in a new master election
- Management network partition support
- DNS dependency has been removed
Resource Pools
- Resource pools are now maintained in vCenter rather than on the ESX hosts. vCenter has complete control over a resource pool regardless of where the pool is created
Fault Tolerance
- Not much :)
- Support for Westmere-EX, Sandy Bridge and AMD Bulldozer processors
- Broader guest OS support
- Still, SMP is not supported
EVC
- Support for future processor generations
- Ability to change EVC mode for disconnected hosts
- EVC validation check on reboot (helps in case somebody changed BIOS settings)
Alternative deployment methods
- Auto deployment (provisioning of stateless ESXi hosts)
This technology uses a combination of DHCP / TFTP and PXE services to deliver stateless ESXi hosts. The ESXi host loads the hypervisor, a host profile and optionally an answer file containing additional settings into memory. The host keeps its state and configuration entirely in memory; deployments to disk are not supported. The Auto Deploy server can be installed separately on a server but communicates with the vCenter server. If vCenter becomes unavailable, host deployment continues to work, but if the deployment server or one of its dependencies like DHCP or TFTP is unavailable, hosts are completely down once they are restarted. Installing patches via Update Manager is of course limited to those which don't require a reboot. To implement additional software packages or patches which require a reboot, the ESXi deployment image has to be updated using the Image Builder tool.
vSphere PowerCLI 5
The new version of this powerful scripting, automation and development framework has new cmdlets and bug fixes which I personally have been waiting for for a long time. See here for the release notes. Image Builder and Auto Deploy both rely completely on PowerCLI cmdlets.
vCenter Server Appliance
- vCenter Server is now available as a SLES based virtual appliance.
- Supports either the built-in IBM DB2 or a remote Oracle or DB2 instance as the database. The built-in database should only be used for small environments of up to 5 ESXi hosts and 50 VMs, says VMware.
- Installed and ready to use within a few minutes
- Provides the same API capabilities and functionality to vSphere Client, vSphere Web Client and vSphere PowerCLI as the Windows based product.
- Current limitations:
- No support for vCenter Heartbeat
- No support for MSSQL databases
- No Support for vCenter Linked Mode
- No IPv6 Support
Some personal thoughts…
The appliance requires an external Oracle or DB2 database for mid-size or large environments, so the license savings for a Windows Server and SQL license could be lost if you have to pay for an Oracle database instance. As vCenter availability becomes more and more important, it's not too bad IMHO to have a preconfigured Linux appliance, because you probably won't have Windows admins "playing around" with the heart of your vSphere infrastructure. Also, I'm pretty sure that VMware will continue to push this variant, and perhaps we'll see the Windows-based vCenter disappearing within the next few versions...
