Query Terminal Services Profile Path of AD Users through PowerShell

9 Apr

If you like to query Terminal Services or Remote Desktop Server Profile Path with PowerShell you cannot use the Get-ADUser Cmdlet. Instead you have to go through ADSI. The Scripting Guy has explained this in detail on his blog: http://blogs.technet.com/b/heyscriptingguy/archive/2008/10/23/how-can-i-edit-terminal-server-profiles-for-users-in-active-directory.aspx

This works basically very well for all user object where the path for the Terminal Services Profile is set or was set sometime in the past and is now empty. But if you have a user object for which the Terminal Services settings in AD were never touched you get a funky error message:
Exception calling “InvokeGet” with “1” argument(s): “The directory property cannot be found in the cache.

If you do an ad hoc query then this is not really a problem. But if you want to export the settings for all ad users into a CSV file the error will probably bother you.
So what we can do? If you have a look at the properties of the ADUser object, which the Get-ADUser Cmdlet returns, you can see that there is a property with the name “userProperties” with a cryptic value. That’s where the Terminal Services Profile Path is actually stored.

userparamaduser

But it the User Object had never set a Terminal Service Profile Path this property does simply not exist:
nouserparamaduser

Now, as workaround, you can first check for the existence of “userProperties” property before you query the Terminal Services Profile Path with ADSI. This could look like this:

 

Beware of SCVMM UR5 if you have Hyper-V Clusters with Storage Spaces

23 Mar

The latest Update Rollup (UR5) for SCVMM 2012 R2 seems to have some issues with Live Migration in environments where the Hyper-V hosts have Cluster Shared Volumes (CSV) directly stored on clustered Storage Spaces. So basically this is the case if you are using one of the following configuration for your Hyper-V clusters:

  • Two Hyper-V host directly connected to a SAS JBOD.
  • Cluster in a Box Systems like these from DataON.

Note: The here described issue does not occur if the VMs are stored on a Scale-Out File Server or on a traditional Fiber Channel SAN

The Error:
Anyway the issue I have noticed in UR5 with one of the above listed configuration, is that when you try to live migrate a VM in SCVMM the Live Migration fails with the following Error:
Error20404

This only happens in SCVMM. Live Migration through Failover Cluser Manager still works fine.
After some troubleshooting I found also that the Live Migration works sometimes from e.g. Host 1 to Host 2 but not the other way. So this brings me to the conclusion that it must has something to do which host is the owner node of the CSV Volume. And some further tests has confirmed my assumption. If you change the owner node of a CSV which is stored on clustered Storage Spaces the whole disk is moved from on node to the other and this seems to confuse SCVMM.
As a result SCVMM inserts an invalid value (00000000-0000-0000-0000-000000000000) for “HostDiskID”, for one of the hosts, in the “tbl_ADHC_HostDisk” table in the SCVMM DB.
tbl_ADHC_HostDisk

During the Live Migration pre checks, SCVMM runs a query to find a disk with the ID “00000000-0000-0000-0000-000000000000” in the DB which obviously does not exists. So the pre checks and Live Migration Job fails immediately with error 20404

Solution / Conclusion:

Update April 29, 2015: UR6 for SCMM 2012 R2 is now released and includes a fix for this issue. Yeah! 🙂

After opening a Microsoft Support case and posting the issue on connect.microsot.com I got the confirmation from Microsoft that this behavior is a bug in UR5. It will probably fixed in UR6 which is expect for April.
So my advice for everyone, which is using one of the above configuration together with SCVMM, is to stay on UR4 and wait for UR6. If it’s not already too late. 😉

 

SMB Direct connectivity options with HP servers

22 Feb

Are there any 10GBE network cards from HP which you can use for SMB Direct?
Recently I was doing some research about the options of 10GBE/RDMA NICs for HP ProLiant rack servers (DL380/DL360) and I found some interesting new option for the relatively new Gen9 servers:

The 556FLR und 544FLR are FlexFabric adapters. These are special option of ProLiant rack server to extend the onboard connectivity with additional network ports together with the four builtin 1Gbit/s onboard NICs. The CN1200E is a regular PCI-E for installation in normal PCI-E slot.

So the answer is yes, there are now some NICs available from HP which you can use for SMB Direct (and with the NVGRE offload abilities even for efficient VM connectivity with NVGRE).

Why are the HP branded adapters interesting?
Sure you could use any RDMA capable NIC without the HP branding in a HP server but the benefit with HP branded adapter is that you get firmware and driver upgrades included with HP SUM like for any other components of the HP severs. So you can update all drivers and firmwares with one Tool/Setup at once.
Furthermore you have not to debate with HP that its not the network adapter which is responsible for the issue if you have a hardware support case for something else at HP. You know what I mean… 😉

But no iWARP with HP?
It looks like HP has no love for iWARP. There are no HP branded NIC which supports iWARP or at least I couldn’t found it. This meaning if you want to use HP Adapters for SMB Direct you have to go the RoCE path which need some more investments in the networking part (DCB/PFC). MVP Didier Van Hoye has some great blog posts about this topic.

Update April 1, 2015:
As stated in the HP Blog there are now two new Mellanox ConnectX-3 Pro based adapters for Gen9 servers:

Thanks to the Mellanox chip the new adapters support both RDMA (RoCE) and NVGRE offloading like the older 544FLR but at a much lower price.
Although the 544FLR adapter supports also 40GBE and infiniBand. The new 546 adapters support “only” 10GBE.

How to delete a specific Recovery Point in DPM

10 Feb

There is no possibility to delete a recovery point (backup) in DPM via GUI. But good old friend PowerShell helps. 🙂

Here is an example. We want to delete the Recovery Point from the evening of February 8 from the Backup of the file server FSSRV001 in the Protection Group “File Backup”. DPM Server name is “DPMSRV001”

  1. First get the Protection Group to which the recovery point belongs
  2. Then you need the Data Source from where the data in the recovery point comes from.
  3. And finally you need to select the Recovery Point which you want to delete. You can identify the Recovery Point by Date and Time.
  4. Now we have all of the needed information an we can delete the Recovery Point.

 

How to change the RDP certificate on a RD Session Host

30 Jan

In Windows Server 2012 R2 RD Deployment you will install a certificate for the RD Connection Broker, RD Web Access and RD Gateway in the Deployment Properties using Server Manager. But this does not change the certificate on sessions hosts in the RD Deployment and you will still get certificate warnings when conntection to the Session Hosts.

To change the certificate on the Session Hosts manually do the following:

  1. Install the Certificate and the Private Key in the computer certificate store.
  2. Set the thumbprint of the installed certificate with PowerShell and WMI:

     

The process ist also documented in detail at: http://blogs.technet.com/b/askperf/archive/2014/05/28/listener-certificate-configurations-in-windows-server-2012-2012-r2.aspx

Open high ports (over 49151) on a Windows Server Gateway

19 Jan

In a cloud infrastructure with System Center Virtual Machine Manager (SCVMM), Hyper-V and Azure Pack the Windows Server Gateway could provide the tenants with the possibility to connect their virtual network, provided by Hyper-V Network Virtualization (HNV, NVGRE), with the Internet via NAT. The tenant has then also the possibility to open and forward inbound ports to his VMs. For example he can open Port 80 to run a Webserver which is public reachable over the internet.
Basically this works very well. But lately I had a situation where I had to forward TCP Port 60000. So I was going the Azure Pack Tenant Portal and was trying to add a new Network Rule like I did it several times before:
image

 

 

 

 

 

 

 

 

 

 

But then it happens. The operation failed with a strange error:image

Then I had a look in SCVMM and found this, not very instructive, error:
image

So I digged in a little deeper and discovered on the gateway VM that SCVMM adds the external address for the tenants with the port range 1-49151. So that’s explains why you can not forward Port over 49152 on multitenant Windows Server NAT Gateway:
image

Probably the SCVMM defines this port range for the external address because all ports above 49151 where per RFC6335 actually destined for dynamic ports or private ports. In Windows the this range is also specified for the dynamic client port range for outgoing connections. (RPC Communication and so forth)

Bonus, Possible solutions

Option 1, manual intervention with
PowerShell :
But the RRAS Role in Windows which is also used for multitenant NAT Gateway has no restriction which would hinder you define external address with the whole port range from 1-65535 with PowerShell. In fact when you set an external address with PowerShell the default values for PortStart and PortEnd is 1024 and 65535.
This means you can remove the external address set by scvmm and add the address again with PowerShell with the whole port range. This can achieved by the following steps:

  • Get all external IP Address with Get-NetNatExternalAddress and note the values form the parameter “NatName” and “IPAddress” from the definition which you want to change.
  • Remove the existing external Address definition:

    image
  • Add a New external Address with the same value for NatName and IPAddress but with the new port range:


    image

Afterward you can head again to the tenant portal and now you can add a Network Rule with a port greater that 49151 without any problem. Smiley

Option 2, Registry setting for SCVMM:
After some further research I found that SCVMM has a undocumented Registry setting where you can specify the end port for the external address definition on the NAT Gateway. By creating the following Registry Key SCVMM configures automatically the whole port range (1 to 65535) if a tenant activates the NAT Gateway for his VNet in the Tenant Portal.

image
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings\NATPortRangeEnd, REG_DWORD, Value: 65535

Disclaimer: Use these settings at your own risk! These where NO official solutions from Microsoft and changing these settings will lead probably to a unsupported situation! So be careful! Zwinkerndes Smiley