The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

Posts Tagged ‘Datacenter’

Working in the Datacenter – Deploying the DPM agent using PowerShell

Posted by Mikael Nystrom on March 10, 2016

Last night I was deploying a DPM server for a customer and we needed to deploy the DPM agent on a few machines. It is well known that DPM can do push agent install, but the requirement is to open high ports on every client. Well, let’s state that it is not something any customer likes to do, so that means that we will use the Attach Agent function in DPM, and that requires the agent to be installed first.

The tricky part is not the installation itself but running the SetDpmServer command, which makes a connection to the DPM server from inside the remote session and therefore runs into the double-hop issue in Windows. The real solution is to use the existing software deployment solution to push the agent or to install the agent when the server is deployed, but in this case we needed a quick-and-dirty method to get it out to a few servers.

So the script will copy the installers to the target, install the agent, configure the agent and add the agent to the DPM server. It works with multiple servers at the same time. It uses CredSSP to fix the double-hop issue, which was ok for this customer.

The Script


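# $Servers, $DMPServerName, $UserName and $Password must be set before this runs (for example as script parameters)
$SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force
$User = "$env:USERDOMAIN\$UserName"
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword

Foreach($Server in $Servers){
    # Allow this machine to delegate credentials to the target (CredSSP client role)
    Enable-WSManCredSSP -Role Client -Force -DelegateComputer $Server
    # Stage the agent installer on the target over the admin share
    New-Item -Path "\\$Server\c$\DPMinstall" -ItemType Directory -Force
    Copy-Item -Path 'C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\ProtectionAgents\RA\4.2.1205.0\amd64' -Destination "\\$Server\c$\DPMinstall" -Container -Force -Recurse
    # The CredSSP server role has to be enabled before a CredSSP session can be opened,
    # so it is switched on first over a normal session
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Enable-WSManCredSSP -Role Server -Force
    }
    Invoke-Command -ComputerName $Server -ScriptBlock {
        cmd.exe /c C:\DPMInstall\amd64\DPMAgentInstaller_x64.exe /q /IAcceptEula
        # $using: passes the local variable into the remote session
        & 'C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe' -dpmServerName $using:DMPServerName
    } -EnableNetworkAccess -Credential $Credentials -Authentication Credssp
    # Attach the freshly installed agent on the DPM server
    & 'C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin\Attach-ProductionServer.ps1' -DPMServerName "$DMPServerName.$env:USERDNSDOMAIN" -UserName $UserName -Password $Password -Domain $env:USERDOMAIN -PSName $Server
}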
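
Because CredSSP hands the supplied credentials to each target server, it is worth switching it off again once the agents are attached. The following is an added example, not part of the original script; the server names are placeholders and it assumes CredSSP was not already in use on these machines before the deployment:

```powershell
# Added example: roll back the CredSSP settings and the staging folder
# that the deployment script leaves behind.
$Servers = 'SRV01', 'SRV02'   # placeholder names, use the same list as the deployment

$Report = foreach ($Server in $Servers) {
    # Default (Kerberos) authentication is enough here, no second hop is needed
    Invoke-Command -ComputerName $Server -ScriptBlock {
        # Stop this server from accepting delegated credentials
        Disable-WSManCredSSP -Role Server

        # Remove the copied installer files
        Remove-Item -Path 'C:\DPMinstall' -Recurse -Force -ErrorAction SilentlyContinue

        # Report what is left so the rollback can be confirmed
        [PSCustomObject]@{
            CredSSPServerEnabled = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value
            StagingFolderPresent = Test-Path -Path 'C:\DPMinstall'
        }
    }
}
$Report | Select-Object PSComputerName, CredSSPServerEnabled, StagingFolderPresent

# Remove the client-side delegation that Enable-WSManCredSSP -Role Client configured,
# then show the resulting local CredSSP configuration
Disable-WSManCredSSP -Role Client
Get-WSManCredSSP
```

Every row in the report should show CredSSPServerEnabled as false and StagingFolderPresent as False.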


Posted in Data Protection Manager, Datacenter, System Center 2012 R2

Working in the Datacenter – Keeping WSUS Happy using PowerShell

Posted by Mikael Nystrom on February 3, 2016

We use WSUS in our own datacenter as well as at customer sites. For many client-based scenarios this is done using WSUS and ConfigMgr, but in the fabric it is either WSUS or WSUS and SCVMM. When WSUS is used for content and distribution (natively or with SCVMM) it needs a helping hand…

  • Someone needs to deny all patches that are superseded, this does not happen automatically.
  • Someone needs to cleanup old content, computers, patches and such, this does not happen automatically.
  • Someone needs to care for the database, this does not happen automatically.

So, over the years people around the globe have been providing scripts for this, and here is what we are currently using.

The script will do the following


Connect to a database

You might need to change this in the script.

#For Windows Internal Database, use $WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'
#For SQL Express, use $WSUSDB = '\\.\pipe\MSSQL$SQLEXPRESS\sql\query'

Get the Superseded Updates

Here is the Posh that fixes that:

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value 'None' -Verbose
$SuperSeededUpdates | Deny-WsusUpdate -Verbose

Cleanup WSUS

We run each step separately, however, you can change that and run everything in one line…
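
The cleanup can be run one step at a time with the built-in Invoke-WsusServerCleanup cmdlet. This is an added example, not the script from the original post; it assumes an elevated session on the WSUS server itself:

```powershell
# Added example: run every WSUS cleanup step on its own, so that a timeout
# or error in one step does not stop the remaining steps.
$CleanupSteps = @(
    'DeclineSupersededUpdates',
    'DeclineExpiredUpdates',
    'CleanupObsoleteUpdates',
    'CompressUpdates',
    'CleanupObsoleteComputers',
    'CleanupUnneededContentFiles'
)

$Results = foreach ($Step in $CleanupSteps) {
    # Build the switch for this step, e.g. -CleanupObsoleteUpdates
    $Switch = @{ $Step = $true }
    $Timer  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $Output = Invoke-WsusServerCleanup @Switch -ErrorAction Stop
        $Status = 'OK'
    }
    catch {
        # Keep going: large WSUS databases often time out on a single step
        $Output = $_.Exception.Message
        $Status = 'Failed'
    }
    [PSCustomObject]@{
        Step    = $Step
        Status  = $Status
        Seconds = [math]::Round($Timer.Elapsed.TotalSeconds, 1)
        Output  = ($Output -join '; ')
    }
}

# One line per step: what ran, how long it took and what WSUS reported
$Results | Format-Table -AutoSize -Wrap
```

A step that shows Failed can simply be run again on its own; repeated runs usually get further each time on a database that has not been maintained for a while.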

Cleanup the DB

The last part runs sqlcmd using a .SQL file from the MSFT Gallery, and yes, you can download and install the PowerShell tools for SQL and use that instead. Most of your customers don’t have those tools installed, so sqlcmd.exe it is.

Posted in Datacenter, Patching, PowerShell, WSUS

Working in the Datacenter – Add-DVDDrive does not work correctly in Windows Server 2016 TP4 (or in Windows 10)

Posted by Mikael Nystrom on December 17, 2015

Update 2015-12-17 : This is now a confirmed bug, and as soon as I know more I will update this post.

It seems to be a bug, hopefully it will be fixed soon. The issue is very simple. If you try to run Add-VMDvdDrive, the -Path must be specified; in previous versions that could be left out. This problem is more common when you create a Gen 2 VM, since it does not have a DVD by default, and yes, when we build VMs they usually have an empty DVD for various reasons. According to the help for the cmdlet, there are no differences in the cmdlet between 1.1 and 2.0, but in reality there are.

The Issue

The problem is that when using the command Add-VMDvdDrive -VMName $VMName it fails with Add-VMDvdDrive : Exception of type ‘System.ArgumentException’ was thrown because it does not have a path. I have seen workarounds where you create a small ISO, mount that and then remove it, but that sucks. There are some other issues as well.

The Workaround

Luckily there are two different PowerShell modules, 1.1 for older OS versions and 2.0 for Windows 10/Windows Server 2016 TP4, so the only thing you need to do is unload the new PowerShell module for Hyper-V and load the old one, and when you are done, you can load the new module again.

(if you would like to know why there is 2 versions, here you go:

We run this in the beginning of the script to replace the module.

We run this in the end of the script to restore the module.
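
A sketch of that module swap, added here as an example and not the code from the original post; it assumes version 1.1 of the Hyper-V module is installed next to 2.0, and the VM name TEST100 is a placeholder:

```powershell
$VMName = 'TEST100'   # placeholder VM name

# Beginning of the script: unload the 2.0 module and load 1.1 instead
Remove-Module -Name Hyper-V -ErrorAction SilentlyContinue
Import-Module -Name Hyper-V -RequiredVersion 1.1

try {
    # Confirm which version is actually loaded before relying on the old behaviour
    $Loaded = Get-Module -Name Hyper-V
    if ($Loaded.Version -ne [version]'1.1') {
        throw "Expected Hyper-V module 1.1 but $($Loaded.Version) is loaded."
    }

    # With 1.1 loaded, an empty DVD drive can be added without -Path
    Add-VMDvdDrive -VMName $VMName
}
finally {
    # End of the script: restore the default module, even if the step above failed
    Remove-Module -Name Hyper-V -ErrorAction SilentlyContinue
    Import-Module -Name Hyper-V
}
```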


Here is the code on GitHub

Posted in Datacenter, Hyper-V, PowerShell, Windows 10, Windows Server 2016

Working in the Datacenter – Creating a Reference Image of Windows Server 2016 TP4

Posted by Mikael Nystrom on December 2, 2015

Yes, you really need a reference Image, if not today, you will need it later. If you just deploy VM’s in an isolated environment, well in that case you might not, but for me testing is all about “Non Contoso” testing. What I mean is that I really need to play/test/learn how to run Windows Server 2016 in VM’s, as Hyper-V, with vendors software (like software from Dell, HP and such), so here it is, some kind of step by step guide to create a reference image for Windows Server 2016 TP4. There is a detailed description on how to create a reference image for Windows 10 on TechNet

MDT 2013 Update is not installed:

Download and Install the following:

ADK 10 –

MDT 2013 Update 1 –

I usually have a dedicated “image factory” server/machine, but you can do this on basically any Windows computer running Windows 7 or above. If you are looking for an image factory, here is the story:

MDT 2013 Update 1 is already installed:

Download the following:

Windows Server 2016 Technical Preview 4 –

Visual C++ –

Configure MDT

Mount the ISO and import the Operating System.

Import the VC++ runtimes as applications –

Create a new Task Sequence for Windows Server 2016 Technical Preview 4 and perform the following modifications:

Add the product key


The product key is located on the media in the folder \Sources\pid.txt (It works with the Datacenter Edition, NOT the standard, don’t use standard for TP4)

Disable the Maps Broker


This step is actually an application that basically runs a PowerShell script that disables the service. The reason for having a script is that it is easy to open the script, modify it, set conditions and similar things; that way I don’t need to modify the task sequence when a change is needed. You can download the script here:

You then need to create an application in the workbench with the following settings:

Quiet install command: PowerShell.exe -ExecutionPolicy Bypass -File Configure-DisableServicesforWindowsServer.ps1


The service currently makes no sense to have on a UI server and it does not start at all, so instead of having an error in Server Manager I would rather disable the service. Of course you can disable the service in any other way, but I don’t like to have a long list of disable commands in the task sequence.

Add .NET framework 3.5.1 (includes 2.0)


A massive number of server applications, toolkits and drivers require .NET Framework

Add VC++ runtimes


In the beginning of the post I explained how to download all VC++ runtimes and how to import an application that installs all of them.

Basically every agent invented is written in C++ (it seems that way)

Cleanup before SysPrep


Currently the savings are not that great, but as a best practice I always try to make the image as small as possible to make it fast to deploy.

The story is here:

Add Updates


You can add updates by downloading the from, this works when the number of updates is small and the update is a .CAB file, but you should configure MDT to use a WSUS server in CustomSettings.ini, like this:



Posted in Datacenter, Deployment, OS Deployment, OSD, Windows Server 2016

Working in a Datacenter – Nested Hyper-V or Running Hyper-V in Hyper-V

Posted by Mikael Nystrom on November 21, 2015


There are many reasons why it makes sense to run Hyper-V in Hyper-V, one of them being to enable Credential Guard (VSM) in Windows Server 2016 TP 4 and later. For training, demos, test and R&D it is great. For Windows Server 2016 TP4 it needs to be enabled and configured to work, and that means PowerShell. Currently there are also some limitations.

On the Host:

Device Guard: Disabled
Credential Guard: Disabled
Hyper-V: Enabled
Hardware: Intel VT-x
Windows Version: Build 10565 or greater


In the VM:

Dynamic Memory: No
Change memory while VM is running: No
Using any kind of Checkpoint: No
Live Migration: No
Save/Resume: No


You can read the fine print here:

The PowerShell Function/Script:

# This script will enable Nested Hyper-V on a VM
Invoke-WebRequest "" -OutFile ~/EnableNestedHyperV.ps1
Import-Module ~/EnableNestedHyperV.ps1
Enable-NestedHyperV -VMname TEST100

# This script (provided by Microsoft) will verify the configuration
Invoke-WebRequest "" -OutFile ~/Get-NestedVirtStatus.ps1


Posted in Datacenter, Hyper-V, Windows 10, Windows Server, Windows Server 2016, Windows Server vNext

Working in the Datacenter – Deploying Update Rollups for System Center 2012 R2

Posted by Mikael Nystrom on November 14, 2015

You really need to understand this: An Update Rollup should NEVER, EVER be deployed using WSUS!!! (or any other automated way, unless you know exactly what needs to be done before and after to make it work)


Microsoft provides all the Update Rollups through Windows Update, so far so good, that makes it easy to deploy, so what is the big “nono” here? Well, the short story is that it does not work the way most people assume. Deploying the Update Rollup could also require you to perform actions like this:

  • Update the SQL database using script
  • Add or modify Registry Keys
  • Manually update Agents
  • Troubleshoot issues

So, based on the history, please, just don’t do this, it does not work. You need to deploy an Update Rollup pretty much like a Service Pack, since that is what it really is. It contains both bug fixes and new features; some of the features will change behavior, and some of the new features need to be enabled.

Ok, so how?

You need to follow the blogs from each product team so you know when they are released and then you need to follow the step-by-step instructions from the team. If you do have a test system (you can use a hydration kit to build one fast and use for testing, check or for more information

Ok, so When?

You have two options here: you either know someone who has tested and verified it, or you wait 30 days and “listen” on the Internet. If you see 1.000.000 hits in a search engine, maybe you should wait until everyone else has fixed it.

Plan it ahead

Ok, so this is what I tell all the customers I work with. Since Microsoft is releasing Update Rollups 4 times per year, create a schedule and set aside a couple of days (or more) every year to do this. It does not need to match the dates Microsoft will release it, just have a Maintenance Window 4 times every year to update/maintain your System Center platform.

Deploying Update Rollup 8 for System Center 2012 R2 – All Systems

Deploying Update Rollup 8 for System Center 2012 R2 – App Controller (No updates)

The last update for App Controller was System Center 2012 SP1 –

Deploying Update Rollup 8 for System Center 2012 R2 – Data Protection Manager

Note: Could require a restart of all protected servers after deploying agent.

3086084 Update Rollup 8 for System Center 2012 R2 Data Protection Manager

Download the Data Protection Manager update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Operations Manager

Note: Do not install this update rollup package immediately after you install the System Center 2012 R2 server. Otherwise, the Health Service state may not be initialized.

Note: Could require manually editing webpages

Note: Could require you to manually adding Registry Keys and Values

Note: Could require you to manually run SQL scripts to update the database

3096382 Update Rollup 8 for System Center 2012 R2 Operations Manager

Download the Operations Manager update package now

Deploying Update Rollup 8 for System Center 2012 R2 –  Orchestrator

3096381 Update Rollup 8 for System Center 2012 R2 Orchestrator

Download the Orchestrator update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Service Provider Foundation

3096384 Update Rollup 8 for System Center 2012 R2 Service Provider Foundation

Download the Service Provider Foundation update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Virtual Machine Manager

Note: Bare metal provisioning has changed

Note: Could require you to manually run SQL scripts

Note: Many new features, read and understand (and test them)

3096389 Update Rollup 8 for System Center 2012 R2 Virtual Machine Manager

Download the Server update package now

Download the Administrator Console update package now

Download the Guest Agent update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Windows Azure Pack

3096392 Update Rollup 8 for System Center 2012 R2 Windows Azure Pack

Download the Windows Azure Pack update package now

Posted in Data Protection Manager, Datacenter, Operations Manager, Orchestrator, Service Provider Foundation, System Center 2012 R2, Virtual Machine Manager, Windows Azure Pack

Working in the Datacenter – Protect Remote Desktop Connection Manager using Self Signed Certificates

Posted by Mikael Nystrom on November 13, 2015

Note: Script has been updated to include $YEARS, the suggestion came from, Thanks!

Even if IT is changing into more “Pets” and “Cattle”, we still have a massive number of systems that will be managed using Remote Desktop for a long time. Using Remote Desktop Connection Manager makes that process easier, you can basically work with all machines in a single window.

The mini view of 3 computers in RDCMan 2.7

Security is important

One really great feature is that you can save the password for each and every connection, and if you read the help file, it states:

RDCMan can encrypt the passwords stored in files either with the local user’s credentials via CryptProtectData or an X509 certificate

Hmm, ok, the first one is kind of bad. If I move the RDCMan file to another computer then all the passwords are lost; on the other hand, that is also safer. But I really have that situation. I need to be able to use the configuration files on more than one computer and they need to be protected. So let’s use a certificate instead, but how do you create a certificate that can be moved around easily and at the same time is secure and protects itself?

According to the help file, we shall of course use the one utility on the planet that I hate most. I don’t like the fact that you need to spend hours downloading an SDK just to run an app to create a file that takes 1 second. There just has to be a replacement for makecert.exe…

PowerShell to the Rescue!

So, let us first create the certificate, export it, then remove it and finally import it. This way we know we can import it even on other computers. You need to protect the certificate with a password; that way it will be protected from being imported by anyone other than you.

Create and export a self signed Certificate for Remote Desktop Connection Manager

#Create and Export Certificate
$PlainPassword = "P@ssw0rd"
$ExportFolder = "C:\Test"
$Subject = "RDCMan"
$YEARS = 1
$CertificateFileName = "RDCManCertificate.pfx"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-date).AddYears($YEARS)
Export-PfxCertificate -Cert $RDCManCertificate -FilePath "$ExportFolder\$CertificateFileName" -Password $SecurePassword
$RDCManCertificate | Remove-Item


Import the Self Signed Certificate for Remote Desktop Connection Manager

#Import Certificate
$PlainPassword = "P@ssw0rd"
$ImportFolder = "C:\Test"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$CertificateFileName = "RDCManCertificate.pfx"
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $SecurePassword -FilePath "$ImportFolder\$CertificateFileName"
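
The PFX password is the only thing protecting the private key while the file travels between computers, so it should not sit in a script file. The variant below is an added example, not the author's script: it prompts for the password, checks that the exported PFX really opens before the original is deleted, and removes the private key together with the certificate. Folder, subject and file name are the ones used above.

```powershell
# Added example: same create/export/import flow without a password in the script.

# --- On the computer that creates the certificate ---
$ExportFolder        = 'C:\Test'
$Subject             = 'RDCMan'
$YEARS               = 1
$CertificateFileName = 'RDCManCertificate.pfx'
$PfxPath             = Join-Path -Path $ExportFolder -ChildPath $CertificateFileName

# Ask twice, so a typo does not lock you out of the only copy of the key
$SecurePassword       = Read-Host -Prompt 'PFX password' -AsSecureString
$SecurePasswordRepeat = Read-Host -Prompt 'Repeat PFX password' -AsSecureString
$First  = (New-Object System.Net.NetworkCredential('', $SecurePassword)).Password
$Second = (New-Object System.Net.NetworkCredential('', $SecurePasswordRepeat)).Password
if ($First -cne $Second) { throw 'The two passwords do not match.' }
Remove-Variable -Name First, Second

$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject `
    -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter (Get-Date).AddYears($YEARS)
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $SecurePassword | Out-Null

# Open the PFX again and compare thumbprints before deleting the original
$PfxData = Get-PfxData -FilePath $PfxPath -Password $SecurePassword
if ($PfxData.EndEntityCertificates[0].Thumbprint -ne $Cert.Thumbprint) {
    throw 'The exported PFX does not contain the certificate that was just created.'
}

# -DeleteKey removes the private key as well, not only the certificate entry
Remove-Item -Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)" -DeleteKey

# --- On every computer that should open the .rdg file ---
# Without -Exportable the imported private key cannot be exported from that computer again
$ImportPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $ImportPassword -FilePath $PfxPath
```

Anyone who has both the .pfx file and its password can decrypt the passwords saved in the .rdg files, so store the two separately.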


Use the Certificate in Remote Desktop Connection Manager

In the setting for each .rdg file you can configure encryption, like this.


Hey, almost missed, my friend and co-worker Markus Lassfolk has a really cool script that dumps all servers from AD and creates the .RDG file for you, go grab that here:

Posted in Datacenter, PowerShell

Working in the Datacenter – Wake on LAN using PowerShell

Posted by Mikael Nystrom on November 2, 2015

I have to admit, I’m lazy. So when working with computers, datacenters, at home or basically anywhere I don’t like to get up and push a button. My hands need to be close to my keyboard. BTW, Wake on LAN is not something new, it is actually pretty old.

The first section in this post is about how it works, and the second part is how to use it.

How does this work?

The Wake On LAN Function

I don’t like to download utilities or applications when I don’t really need to; if I can solve this with a simple PowerShell cmdlet or a simple function, I’ll use that instead. So browsing around the Internet led me to this site where the basic functionality to create a magic packet exists. So by using the fundamentals from Kris Powell I created a function of this:


Getting the MacAddress

But to be able to send a Magic Packet I do need a MacAddress, so I need a function for that too and here it is. I do need multiple functions here.

The first function is to grab the MAC from a “live” IP address, but then I need to know the IP.


So the second function is to get the IP from name.


And combining them leads me into the last function.


There are of course a bunch of other ways to get the MAC address, you can of course grab the MAC address from within the OS using basically any command line, but it’s so handy to not log on to all the machines (Yes I know there are ways, but I have a massive amount of lab machines, not members of the domain and other strange machines).

Storing the MacAddress in a XML data file

Well, getting the MAC address is easy when the machine is turned on, but hey, that’s not going to be the case here. So while the machines are “live” I can get the MAC, IP and computer name and store that in an XML file, then I can later use that information to wake my machines up when I need them, so I do need to store that information somehow.


Get information from the XML data file

Now, let’s see what’s in the data file by using this function


Using this

Load them up and let’s get started!

#Import Module
Import-Module C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\WakeOnLan.psm1 -Force -Verbose

#Set Vars
$XMLfile = "C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\Computers.xml"
$Computers = "FABUILD01","DFLAB01"

With all functions loaded you can now run through a couple of steps to create your XML file and have functions ready for Wake-On-LAN

Function is loaded and basic variables are set

Create the XML file and get the content

#Generate  New XML File
New-ComputerDataFile -Computers $Computers -XMLDatafile $XMLfile

#Get Content of XML File
Get-ComputerDataFile -XMLDatafile $XMLfile


Wake it up!

#Send Magic Packet to Computer
Send-MagicPacket -Mac $(Get-MacFromXML -ComputerName DFLAB01 -XMLDatafile $XMLfile)


Here is the PowerShell Module and a Sample Script on how to use it



For Ref:

WakeOnLan.psm1 – Listing:

Function Get-MacFromIP{
    Param($IP)
    # Ping first so the address ends up in the neighbor (ARP) cache
    $Ping = (New-Object System.Net.NetworkInformation.Ping).Send($IP)
    if($Ping.Status -eq "Success"){
        RETURN (Get-NetNeighbor -IPAddress $IP).LinkLayerAddress
    }
    else{
        Write-Host "NA"
    }
}

Function Get-IPFromName{
    Param($ComputerName)
    Return (Test-Connection -ComputerName $ComputerName -Count 1 -BufferSize 32).IPV4Address.IPAddressToString
}

Function Get-MacFromName{
    Param($ComputerName)
    $IP = (Test-Connection -ComputerName $ComputerName -Count 1 -BufferSize 32).IPV4Address.IPAddressToString
    $Ping = (New-Object System.Net.NetworkInformation.Ping).Send($IP)
    if($Ping.Status -eq "Success"){
        RETURN (Get-NetNeighbor -IPAddress $IP).LinkLayerAddress
    }
    else{
        Write-Host "NA"
    }
}

Function Get-MacFromXML{
    Param($ComputerName, $XMLDatafile)
    [XML]$XMLData = Get-Content -Path $XMLDatafile
    RETURN $(($XMLData.Computers.Computer | Where-Object -Property Name -EQ -Value $ComputerName).Mac)
}

Function New-ComputerDataFile{
    Param($Computers, $XMLDatafile)
    $XMLData = New-Item -Path $XMLDatafile -ItemType File -Force
    $ComputerID = 100

    Set-Content $XMLData '<?xml version="1.0" encoding="utf-8"?>'
    Add-Content $XMLData '<Computers>'

    foreach($ComputerName in $Computers){
        $ComputerID = $ComputerID + 1
        Add-Content $XMLData " <Computer id=""$ComputerID"">"
        Add-Content $XMLData "  <Name>$ComputerName</Name>"
        Add-Content $XMLData "  <IP>$(Get-IPFromName -ComputerName $ComputerName)</IP>"
        Add-Content $XMLData "  <Mac>$(Get-MacFromName -ComputerName $ComputerName)</Mac>"
        Add-Content $XMLData ' </Computer>'
    }
    Add-Content $XMLData '</Computers>'
}

Function Get-ComputerDataFile{
    Param($XMLDatafile)
    [XML]$XMLData = Get-Content -Path $XMLDatafile
    RETURN $XMLData.Computers.Computer
}

Function Send-MagicPacket{
    Param($Mac)
    Write-Host "Sending MagicPacket to $Mac"

    # Magic packet = 6 bytes of 0xFF followed by the MAC address repeated 16 times
    $MacByteArray = $Mac -split "[:-]" | ForEach-Object { [Byte] "0x$_"}
    [Byte[]] $MagicPacket = (,0xFF * 6) + ($MacByteArray * 16)
    $UdpClient = New-Object System.Net.Sockets.UdpClient
    # The listing is cut off here; the send below is the usual completion (UDP broadcast, port 7 is an assumption)
    $UdpClient.Connect(([System.Net.IPAddress]::Broadcast), 7)
    $UdpClient.Send($MagicPacket, $MagicPacket.Length) | Out-Null
    $UdpClient.Close()
}

Proj-WakeOnLan.ps1 – Listing:

#Import Module
Import-Module C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\WakeOnLan.psm1 -Force -Verbose

#Set Vars
$XMLfile = "C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\Computers.xml"
$Computers = "FABUILD01","DFLAB01"

#Generate  New XML File
New-ComputerDataFile -Computers $Computers -XMLDatafile $XMLfile

#Get Content of XML File
Get-ComputerDataFile -XMLDatafile $XMLfile

#Send Magic Packet to Computer
Send-MagicPacket -Mac $(Get-MacFromXML -ComputerName DFLAB01 -XMLDatafile $XMLfile)


Computers.xml – Listing:

<?xml version="1.0" encoding="utf-8"?>
<Computer id="101">
<Computer id="102">

Posted in Datacenter, PowerShell

Building Next Gen Datacenter – Portable Datacenter in a Pelican Case

Posted by Mikael Nystrom on September 28, 2014

The cloud is great, but sometimes you really need to have a portable solution and here it is. I call it the Pelicase Datacenter (someone used that name in a twitter feed and I think it’s kind of cool.)

Before you dig into the list, a couple of questions that pop up all the time:

Question: What about heat issues?

Answer: The only hot item is the LED lamp, the router is getting warm but the rest of the stuff keeps cool forever. I have been using the Pelicase for book writing the entire summer, the longest “uptime” is more than 40 hours. Just to give you some numbers:

After 8 hours of operation in a room with 25 degrees Celsius / 77 degrees Fahrenheit:

  • The NUC’s are 30 degrees Celsius / 86 degrees Fahrenheit
  • The power supply is 41 degrees Celsius / 105.8 degrees Fahrenheit
  • The switch is 41 degrees Celsius / 105.8 degrees Fahrenheit
  • The router is 42 degrees Celsius / 107.6 degrees Fahrenheit

Question: What’s the price for all of it?

Answer: I have no idea and the reason is very simple. I have friends working at some of these companies.

The Pictures

The complete setup with my Laptop on the right side and the Pelicase Datacenter on the left. They are connected using a 1GB network cable.

A closer look at the Pelicase Datacenter.

In the front you can see the LED USB light used to light up the keyboard that is in front of the case.

The TINY Router, configured for routing using cable or 3/4G and support for Wireless access to the Datacenter.

The 6 PSU’s needed for the 6 Intel NUC’s.

The GB Switch.


The 6 Intel NUC’s, 5 of them are running Hyper-V and the last one is running Windows 8.1

The Shopping list

The Case:


The Router/Wireless/Firewall:


The Screen:


The Switch (current):


The Switch (previous):


The USB LED Lamp:


The Intel NUC’s:


Supported Memory:


Memory I use:


Disk drives:


The keyboard and mouse:



All NUC’s run Windows Server 2012 R2 as Hyper-V hosts, but there is a whole lot more around the software and configuration, so this last part will be updated later this week(end)

Setup & Configuration:



Posted in LAB, Pelicase