The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

  • about.me

    Mikael Nystrom

    OS Deployment Geek, Virtualization and System Center

    Mikael Nystrom is a Microsoft MVP and Principal Architect at TrueSec


Nice to Know – Adding a second federated domain in ADFS fails if -SupportMultipleDomain was not used in the first place

Posted by Mikael Nystrom on February 7, 2015

Today I was trying to fix an issue with ADFS and Office 365.

The Issue:

A very simple error: when you try to add the second domain it fails, and in this case it was because the first federated domain was not set up using -SupportMultipleDomain.

The solution:

After some digging and searching I found this post:

https://exitcodezero.wordpress.com/2013/03/05/supportmultipledomain-is-not-supported-here/

The issue was not exactly the same but close enough, a bit further down in the post it seems that he had the same issue a while back.

Delete the object in the ADFS console

Open up the ADFS mmc snap-in

and delete it

Switch from Managed to Federated

Open the elevated PowerShell prompt with the Msol CMDLets, connect and authenticate and run this command to fix it:

Convert-MsolDomainToFederated -SupportMultipleDomain -DomainName viamonstra.com

From this point on, you can now switch from Managed to Federated on all the other domains as well

Last thing you do is to verify by running:

Get-MsolDomain

/mike
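The Get-MsolDomain check above only shows Managed or Federated. The following added example (not part of the original post) also reads each federated domain's issuer URI. It assumes that a domain converted with -SupportMultipleDomain gets an issuer URI of the form http://<domain>/adfs/services/trust/; the function name Get-FederatedDomainIssuer is hypothetical.

```powershell
# Added example, not from the original post. Requires the MSOnline module
# and a session opened with Connect-MsolService.
function Get-FederatedDomainIssuer {
    $Federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

    foreach ($Domain in $Federated) {
        # Child domains can inherit settings from the parent and return nothing here
        $Settings = Get-MsolDomainFederationSettings -DomainName $Domain.Name -ErrorAction SilentlyContinue
        if (-not $Settings) { continue }

        # Assumption: with -SupportMultipleDomain the issuer URI host is the
        # domain itself; without it, it is the ADFS federation service name.
        $IssuerHost = ([Uri]$Settings.IssuerUri).Host

        New-Object PSObject -Property @{
            Domain          = $Domain.Name
            IssuerUri       = $Settings.IssuerUri
            PerDomainIssuer = ($IssuerHost -eq $Domain.Name)
        }
    }
}

Get-FederatedDomainIssuer |
    Sort-Object Domain |
    Format-Table Domain, PerDomainIssuer, IssuerUri -AutoSize
```

A row with PerDomainIssuer set to False points at a domain that was federated without the switch, which is the state that blocks adding the next domain.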

Posted in ADFS, Office 365

Nice to Know – HP FlexFabric 10GB 2-port 534FLB Adapter can cause network issues using NVGRE

Posted by Mikael Nystrom on February 5, 2015

Today I was working at a customer site, setting up an NVGRE Gateway in a Fabric domain. Install, configuration, all went nice and smooth until we should test and verify that the VMs could access the network, found a misconfiguration and then, hey it was working, well TCP was working but NOT UDP, wtf??? Some troubleshooting (Google and Bing and some cursing) and it seems to be some various obscure things, some hotfixes but then we found something that actually worked…

The issue: Encapsulated Task Offloading

I’m pretty sure that the idea behind it is all good, but of course as all “great” things, it does not work in this combination.

imageimage
Here you can see the setting that needs to be disabled and you can also see the driver version and date that was in place.

The Solution: Disable it!

But, if you disable it on every Hyper-V host (not only the hosts running the NVGRE gateway), it starts working. At the time we could not find any other solution than to disable it.

In this case the customer (and you know who you are) was kind enough to let me post the script that was used to disable this “amazing” technology.

image

or here in plain text form


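# Find every adapter that exposes the "Encapsulated Task Offload" advanced property
$Nics = Get-NetAdapterAdvancedProperty -DisplayName "Encapsulated Task Offload"

foreach ($Nic in $Nics)
{
    # Disable the offload on this adapter ($Nic, not the whole $Nics collection)
    Set-NetAdapterEncapsulatedPacketTaskOffload -Name $Nic.Name -EncapsulatedPacketTaskOffloadEnabled:$false
}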


/Mike

Posted in Fabric, Hyper-V, SCVMM, System Center Configuration Manager 2012 R2

Nice to Know – Clean up the ISO name mess in SCVMM so that Windows Azure Pack looks nice

Posted by Mikael Nystrom on February 5, 2015

In System Center Virtual Machine Manager there is a library. The library stores resources used in the environment and one kind of resource is ISO images. The problem is that the names of those ISO images are slightly “technical” and not so user-friendly. So who cares?

The Issue:

When you start using Windows Azure Pack to provide self-service, that is a very good reason to have nice names. Here are two samples:

imageimage
In the first picture, all the names look OK, in the second picture, it looks different…

The names of these files come from System Center Virtual Machine Manager and they are easy to change, just go in to the library, open each and every one and change the name…

image
How to modify the name of the ISO resource in the SCVMMLibrary using the UI.

However, doing that for one or two files is OK, more than that, it kind of gets boring after a while.

The Solution:

So, you can export all the information in to a CSV file, modify the CSV file to suit your organization and then import it again.

Export CD/DVD metadata from SCVMM using PowerShell

Get-SCISO -All -VMMServer "clscvm01.cloud.truesec.com" | where HostType -EQ LibraryServer | Select LibraryServer,SharePath,Name,Description | ConvertTo-Csv -NoTypeInformation > "$env:TEMP\ISOInSCVMMLib.csv"

and that will give something like this:

image
A few of the ISO’s in the SCVMMLibrary.

So, open the file, modify name and description and run this


function Update-ISOForSCVMLib
{
    [CmdletBinding()]
    Param
    (
        # Library server that hosts the ISO (CSV column LibraryServer)
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        $LibraryServer,

        # Share path of the ISO file; together with the server it identifies the object
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=1)]
        $SharePath,

        # New display name for the ISO
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=2)]
        $Name,

        # New description for the ISO
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=3)]
        $Description
    )

    # Find the ISO object by library server and share path, then update name and description
    $ISOToUpdate = Get-SCISO -All | Where LibraryServer -EQ $LibraryServer | Where SharePath -EQ $SharePath
    $ISOToUpdate | Set-SCISO -Description $Description -Name $Name
}


This will give you a new function and that new function can be used in the following way.

Import-Csv .\ISOInSCVMMLib.csv | foreach {Update-ISOForSCVMLib $_.LibraryServer -SharePath $_.SharePath -Name $_.Name -Description $_.Description}

For each row in the CSV file, the function searches for the file, finds the object and finally changes the display name of the object.

/mike

Posted in SCVMM, System Center 2012 R2, Virtual Machine Manager

Beyond Supported – Azure Site-2-Site VPN (with physical router) behind a NAT device

Posted by Mikael Nystrom on February 2, 2015

Last week at TechXAzure I did 3 sessions, during one of them we did some demos around Azure Site-2-Site VPN which is the fundamental connection to create a Hybrid solution. In production that is not really a complex task since the firewall that is used is directly connected to the Internet with a static IP, but that is usually not the case when you play around at home or in the LAB. Running behind a NAT:ed device is not supported, neither is running the solution on a dynamically assigned IP, but it works…

So, the idea behind this guide is to give a fairly simple step-by-step guide to build a site-2-site VPN connection to the Azure IaaS service for you to play with at home or in a LAB, just remember, there is NO support for this at all!

The design

Looking at the picture you can see that we basically have two networks, one for the normal traffic and one more that is behind a second router. Behind that network we have access to Azure directly. For me this is perfect when playing around. The “normal” network acts as the workload network, that is where all normal traffic exists. The network behind the second router acts as the fabric network, here is where my Private Cloud is running. Note, this is just for LAB, Testing, Playing and such things. You should not use this for production since it is unsupported.

Hardware:

The Internet facing router is a Linksys EA6900

The Internal router between the normal network and internal Azure Site-2-Site router is a NETGEAR FVS318N

image

Create Networks in Azure

Log on to your Azure Account and create the Local network

image
Select Local Network.

image
Give it a name and type in your Internet facing IP.

image
Type in the IP address range you are going to use behind the second router.

Log on to your Azure Account and create the Virtual network

image
Select to create a Custom network

image
Give the network a name and assign it to an Azure location.

image
Type in the DNS servers you are going to have locally on your network and select Site-2-Site VPN. Note: If you also select Point-2-Site you cannot create a Virtual Router in Azure that supports IKEv1, the router I’m using does not support it, it only supports IKEv1 and therefore I cannot have Point-2-Site VPN.

image
Add the IP address range and gateway range for your virtual network in Azure.

Create the Router

When the network has been created you need to create the Virtual Router

image
In the Azure portal, click on the Virtual Network “FabricAzure”. You can either create a Static or a Dynamic router and you need to select the version based on the router/firewall you have locally. In my case I use a NetGear FVS318N and the features in that router require me to configure the virtual router as a static router.

image

This takes time, have lunch or something

image
Finally it's done.

Configure the Internet facing Router

imageimage
To allow traffic from the Virtual Router in Azure to correctly receive data you need to redirect traffic, the easy way to do this is to use the DMZ function in the Internet facing router. This way, all traffic from that IP will be redirected to the second router.

Configure the second router on your network (not the Internet facing)

image

In this case it is a NETGEAR FVS318N and the easy thing is to run the Wizard for VPN and then modify the settings, but before you do that, we need the PreShared Key and you can get that in the Azure Portal.

image
Modify the IKE Policy in the Second router.

image
Modify the VPN Policy in the second router

image

Wait, check logs, wait, check logs and…

image

/Happy Routing…

Posted in Azure, Fabric, IaaS, Site-2-Site, VPN

Nice To Know – Generate the -JobGroup ID in SCVMM Scripts

Posted by Mikael Nystrom on January 28, 2015

When working with SCVMM it is common to perform administrative tasks using PowerShell. One very nice thing in SCVMM is that when using the UI it will create a script in the end and the idea is that you should be able to use that script and you can, one time…why?

…because you need to generate a new ID every time you run the script, so how do you do that?

Generate a GUID using PowerShell:

$JobGroupID1 = [Guid]::NewGuid().ToString()

image
The result when generating a GUID.

Using the generated GUID in a SCVMM PowerShell script

Here is a list of cmdlets that use -JobGroup:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/ab1e7054-69c7-44ee-a475-229f9557b653/jobgroup-what-cmdlets?forum=virtualmachinemanager

/mike
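How a fresh ID is threaded through a script of the kind the VMM console generates, as an added example that is not part of the original post. The function name New-LabHardwareProfile, the server name, the profile name and the CPU and memory values are assumptions.

```powershell
# Added example, not from the original post. Needs the VMM PowerShell
# module and a reachable VMM server.
function New-LabHardwareProfile {
    param(
        [string]$VMMServer   = 'localhost',    # assumed server name
        [string]$ProfileName = 'LabProfile'    # hypothetical profile name
    )

    # A new ID on every invocation: this is what makes the script re-runnable
    $JobGroupID = [Guid]::NewGuid().ToString()

    # Cmdlets called with -JobGroup are queued under that ID, not run immediately
    New-SCVirtualScsiAdapter -VMMServer $VMMServer -JobGroup $JobGroupID -AdapterID 7 -ShareVirtualScsiAdapter $false -ScsiControllerType DefaultTypeNoType
    New-SCVirtualDVDDrive -VMMServer $VMMServer -JobGroup $JobGroupID -Bus 1 -LUN 0

    # The final cmdlet carrying the same ID runs the queued commands as one set
    New-SCHardwareProfile -VMMServer $VMMServer -Name $ProfileName -CPUCount 1 -MemoryMB 1024 -JobGroup $JobGroupID
}
```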

Posted in PowerShell, SCVMM, System Center 2012 R2

Nice to Know – Azure Operational Insights – “Data aggregation in progress”

Posted by Mikael Nystrom on January 27, 2015

I was troubleshooting Capacity planning Intelligence Pack stuck in “Data aggregation in progress” and found a blog post from the team, one of the best step-by-step’s for troubleshooting this problem I have seen. If you do have issues with this, just follow the guide.

If this is your issue:

image

Follow this guide:

image

In this guide check out these procedures:

  • Validate if the right Management Packs get downloaded to your OpsMgr Environment
  • Validate if the right Intelligence Packs get downloaded to your Direct Agent
  • Validate if data is being sent up to the Advisor service (or at least attempted)
  • Check for Errors on the Management Server or Direct Agent Event Logs
  • Look for your agents to send their data and have it indexed in the Portal

Posted in OpsMgr, SCVMM, System Center 2012 R2

OSD – Install IE 11 in the ref image like a pro using a PowerShell wrapper

Posted by Mikael Nystrom on January 27, 2015

One of the best ways to get ready for Windows 10 is to deploy Internet Explorer 11 in your current environment, if you can make IE 11 work there is a huge chance that you will have no or just a few issues when Windows 10 is about to be deployed.

The best way to do that is to add IE 11 to the reference image when you are replacing, refreshing or performing a bare-metal deployment and the next best thing is to deploy it using any software distribution engine, like WSUS, ConfigMgr, Intune or something like that.

Even if you distribute it as a software, you should still update your reference image and here it is.

Step No:1 – Download IEAK

The best way to deal with IE11 is to create a configuration only package for all Windows versions that already have IE11 installed (Like Windows 8.1 or Windows Server 2012 R2) and create a full install package for all the other versions of Windows you are using in your organization and that is done by Internet Explorer Administration Kit (IEAK), just download it from https://technet.microsoft.com/en-us/ie/bb219517.aspx and install on a computer WITH IE11 already installed.

Step No:2 – Create all packages

Start IEAK and create all your packages for each version and each language of IE you would like to have

  • Windows 7 SP1 x86/x64
  • Windows 8.1 x86/x64

(Create both full install packages as well as configuration packages)

Step No:3 – Download the PowerShell script

After creating all the packages, with the customized settings you will have a folder structure with full packages as well as configuration only for one or more language and instead of creating one application for each of these packages you can create one application in the deployment workbench that will figure out which package that should be installed.

  1. Download the PowerShell script from http://1drv.ms/15EELL8
  2. Unzip it and browse to the folder “Install – Internet Explorer 11\Source”
  3. Copy the content of your “build” folder that was created when using IEAK into the folder named “Source”, it should contain folder names like “BrndOnly”, “FLAT” and “Ins”

image
This is the tree structure after copying the files.

Step No:4 – Create the Application in the Deployment Workbench

Now you need to create the application, follow these steps and you are done.

  1. Open Deployment Workbench and browse to the Application node
  2. Create a new application named “Install Internet Explorer 11” with the Command Line “PowerShell.exe -ExecutionPolicy ByPass -File Install-InternetExplorer11.ps1”

image
The properties of the “Install – Internet Explorer 11” application in the Deployment Workbench.

Step No:5 – Add the application to the Task Sequence

Open your task sequence and add the application to the task sequence.

image
Install Internet Explorer 11 is added to the Task Sequence.

Happy OSD
/mike

 

Posted in Internet Explorer, MDT, OS Deployment, OSD

PowerShell is King – Working with Passwords, Secure Strings and Credentials

Posted by Mikael Nystrom on December 6, 2014

No, not something new at all, more of an answer to a lot of questions I got from folks. At TechNet Wiki there is a page that describes how to deal with passwords, secure strings and such.

Working with Passwords, Secure Strings and Credentials in Windows PowerShell

Here are the most common ones I use:

Create SecureString

Type the password in an interactive prompt:

$SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString

Convert from existing plaintext variable

$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force

Create PSCredentials

Assuming that you have password in SecureString form in $SecurePassword variable:

$UserName = "Domain\User"
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $SecurePassword

Read the rest of the Wiki here: http://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

/mike
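The plaintext conversion above leaves the password readable in the script file. For unattended scripts, the following added example (not from the original post or the TechNet wiki page) prompts once and stores the credential protected by DPAPI instead. The file path and the function names Save-DeployCredential and Get-DeployCredential are hypothetical.

```powershell
# Added example, not from the original post or the TechNet wiki page.
# $CredFile is a hypothetical path; choose one only the script's user can read.
$CredFile = Join-Path $env:LOCALAPPDATA 'deploy-account.cred.xml'

function Save-DeployCredential {
    param([string]$Path = $CredFile)

    # Prompting keeps the password out of the script file and any transcript,
    # unlike ConvertTo-SecureString -AsPlainText with a literal string.
    $Credentials = Get-Credential -Message 'Account used by the deployment script'

    # On Windows, Export-Clixml writes the SecureString encrypted with DPAPI:
    # only the same user on the same computer can decrypt it.
    $Credentials | Export-Clixml -Path $Path
}

function Get-DeployCredential {
    param([string]$Path = $CredFile)

    if (-not (Test-Path -Path $Path)) {
        throw "No stored credential at $Path. Run Save-DeployCredential first."
    }

    $Credentials = Import-Clixml -Path $Path
    if ($Credentials -isnot [System.Management.Automation.PSCredential]) {
        throw "$Path does not contain a PSCredential."
    }
    $Credentials
}

# Usage: store once interactively, then reuse unattended as the same user.
#   Save-DeployCredential
#   $Credentials = Get-DeployCredential
# Pass $Credentials to cmdlets that take -Credential. Only when an API insists
# on plaintext, decrypt at the point of use:
#   $Credentials.GetNetworkCredential().Password
```

Import-Clixml fails to decrypt the password when the file is read by another user or on another computer, so create the file under the account that runs the script.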

Posted in PowerShell

Connecting VMM and Operations Manager

Posted by Mikael Nystrom on December 5, 2014

Originally posted on System Center Ramblings:

When building a fabric domain most want to connect Virtual Machine Manager and Operations Manager to get alerts and information. However many seem to fail with this due to not using the correct credentials.

First off you need to download and import the SQL MP for OpsMgr. They have been removed from the catalog and can now be found here: http://www.microsoft.com/en-us/download/details.aspx?id=10631 Download, extract and import them into OpsMgr.

Next we need a service account with Admin privileges in OpsMgr. Create the account and add the account to an AD group and add the AD group to the OpsMgr Admins. While you are in the process of creating accounts we will need another account that OpsMgr will use to connect to VMM. This account does NOT need any privileges at all.

Now go to the VMM console on the VMM server. Go to Settings and then System Center Settings and click…

View original 157 more words

Posted in Uncategorized

PowerShell is King – Using OneGet Package Manager on Windows Server Technical Preview build 9841

Posted by Mikael Nystrom on December 5, 2014

PowerShell is great and with the “new” OneGet it gets awesome. OneGet is a part of PowerShell v5 and it is a generic package manager. OneGet can get items from a repository, for example from Chocolatey (https://chocolatey.org/). Instead of spending a massive amount of time to explain how it works inside, let's just start playing with it. There are a couple of things you need to do to make OneGet work with Chocolatey in build 9841.

Let's install Zoomit, WinRAR and Notepad++!

Step 1 – Install the Chocolatey provider

Execute the following in an elevated PowerShell prompt:

#Setup the Webclient
$webclient = New-Object System.Net.WebClient

#DL and install Chocolatey
Invoke-Expression (($webclient).DownloadString('https://chocolatey.org/install.ps1'))

 

Step 2 – Download the updated and modified OneGet PowerShell Module

Execute the following in an elevated PowerShell prompt:

#DL and unzip the latest OneGet
$ZipFile = 'C:\OneGet.Zip'
$webclient.DownloadFile('http://oneget.org/oneget.zip',$ZipFile)

After download, unzip the zip folder and execute the RunToUnBlock.CMD inside the folder.

Step 3 – Import the updated OneGet module

Execute the following in an elevated PowerShell prompt:

Import-Module C:\Oneget.New\OneGet.psd1 -Force -Verbose

Step 4 – Get the Package Provider to verify that you have the correct version

(Currently that is 2.8.3.6)

Execute the following in an elevated PowerShell prompt:

Get-PackageProvider -Name Chocolatey -ForceBootstrap -Force

Step 5 – Find the fun stuff

Execute the following in an elevated PowerShell prompt:

Find-Package -Name WinRar,Zoomit,notepadplusplus -Provider Chocolatey

Step 6 – Install your package

Execute the following in an elevated PowerShell prompt:

Find-Package -Name WinRar,Zoomit,notepadplusplus -Provider Chocolatey | Install-Package -Force

/mike
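Step 1 runs whatever the server returns, elevated, without looking at it first. The following added example (not part of the original post) downloads the same script to disk and runs it only if it matches a copy you have reviewed. $ExpectedSha256 is a placeholder and the function name Test-DownloadedFile is hypothetical. The same check fits the zip file in Step 2.

```powershell
# Added example, not from the original post.
# $ExpectedSha256 is a placeholder: set it to the hash of the copy you reviewed.
$Url            = 'https://chocolatey.org/install.ps1'
$ScriptPath     = Join-Path $env:TEMP 'chocolatey-install.ps1'
$ExpectedSha256 = '<SHA-256 OF THE REVIEWED install.ps1>'

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Sha256
    )

    # -ne on strings is case-insensitive, so the casing of the hash does not matter
    $Actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($Actual -ne $Sha256) {
        Write-Warning "Hash mismatch for ${Path}: got $Actual"
        return $false
    }
    return $true
}

# Download to disk instead of feeding the response straight into Invoke-Expression
(New-Object System.Net.WebClient).DownloadFile($Url, $ScriptPath)

# Informational: show whether the script is signed, and by whom
Get-AuthenticodeSignature -FilePath $ScriptPath | Select-Object Status, SignerCertificate

if (Test-DownloadedFile -Path $ScriptPath -Sha256 $ExpectedSha256) {
    & $ScriptPath
}
else {
    Remove-Item -Path $ScriptPath
    throw 'install.ps1 does not match the reviewed copy; not running it.'
}
```

The pinned hash stops matching whenever the publisher updates the script, which is the prompt to review the new version before updating the pin.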

Posted in PowerShell

 