SMBv1 Solutions

WannaCry
WannaCry

It’s been weeks since the #WannaCry #WannaCrypt exploited thousands of computers across the internet. If you have been regularly patching your systems you would have been covered by the March 2017 update. The vulnerability used the legacy protocol SMB version 1 to propagate across the network once a machine was infected. Security experts and even Microsoft have been calling for the disabling and or removal of the SMBv1 protocol from Windows environments for quite some time.

A Little History

Introduced with Windows XP, the SMBv1 protocol has been installed and enabled by default on all Windows operating systems for backwards compatibility. SMB version 2 was introduced with Windows Vista/Windows Server 2008 adding additional security and performance. SMB version 3 was introduced with Windows 8/Windows Server 2012 adding even more performance and availability options.

But First…

Disabling SMBv1 across an enterprise is no small feat. There’s a process to follow, and there’s research that needs to be done ahead of time. There are basically three hang-ups that can keep you from disabling SMBv1 across the board:

  • Windows XP and Windows Server 2003 boxes still hanging around the network. You REALLY need to get rid of them.
  • Linux servers, appliances, or devices that share or access data over SMBv1. Check with your vendors on supporting SMB 2.
  • Network scanners or multi-function printers that scan to file servers using SMBv1. See if they can be reconfigured or updated to support SMB 2.

Do the work to identify these gotchas so that you can know where you can and can’t proceed with disabling the legacy protocol.

Tip

Note that when disabling the SMBv1 protocol you need to disable both the server-side (I’m sharing files with you) and client-side (you’re sharing files with me) of the protocol.

Get It Done!

You route to disabling SMBv1 depends on the tools at your disposal.

1. Batch files and psexec

 

2. Group Policyhttps://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/

or

https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

3. SCCMhttps://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/

I wrote a PowerShell tool to gather the SMB protocols that are enable/disabled on a Windows computer called Get-SmbStatus. You can use this tool for discovery before and/or after you make your changes.

Example:

You can pick up the PowerShell function Get-SmbStatus at the Technet Script Repository.

DEV Intersection Conference

DEV Intersection
DEV Intersection Conference

Last month I had the privilege to attend the DEV Intersection conference in Orlando, FL. Being a infrastructure engineer I stuck to the IT Transformation track which was stocked with great speakers and sessions. The general focus of the sessions and keynotes was utilizing Microsoft (and others’) technologies to move towards devops oriented processes. I was additionally grateful for the workshops focusing on leveraging Visual Studio Team Services with Visual Studio Code to write PowerShell infrastructure as code taught by Jeffrey Snover, Don Jones, and Michael Greene. They convinced me to finally switch to using Code as my PowerShell editor.

Another highlight of the conference was Jeffrey Snover’s keynote on the impending release of Azure Stack. He presented the value proposition of businesses and service providers being able to provide a subset of Azure services in places where the Azure public cloud doesn’t yet make sense. I really think this is more game changing then most people realize and will put Microsoft in a unique position to help businesses transition to the “cloud” both in architecture and destination.

For years I have been listening to podcasts, reading blogs, and watching training videos, and it was a real treat to finally meet some of these people in person, shake their hand, and thank them for their influence on my career.

People I’m glad to have met:
Jeffrey Snover
Don Jones
Orin Thomas
Tim Warner
Michael Greene
John Savill
Steven Murawski
Rich Campbell

I would definitely go to the DEV Intersection conference again (if/when it comes back to the south east). The next conference is October 31-November 2, 2017 in Las Vegas.

Disk Inventory with PowerShell

Hard Drive
Hard Drive

Almost every time I write a PowerShell script, tool, or module it is to scratch an itch that I have. The Get-DiskInventory script is not new to me, but I have recently published because I saw others needed the same type of tool.

Get-DiskInventory gets a list of disk (really volumes) on a local or remote computer and displays their drive letter, name, free space, capacity, used space, and % free. While new operating systems have Get-Volume, sometimes you need a tool to work with those “legacy” operating systems such as Windows Server 2008 R2.

Get-DiskInventory leverages Get-WmiObject to gather the necessary information and is compatible across all versions of Windows client and server.

Examples:

Get your copy now from the TechNet Script repository.

Using PowerShell with SCCM Pending Updates

SCCM Pending Updates
SCCM Pending Updates

We’ve been deploying Microsoft updates with System Center Configuration Manager for a few months now. Each month we get a little better at the process and trust the system more. After approving each month’s patches, I kept finding myself logging into my servers to see if they had pending updates ready to be deployed at the next maintenance window. Logging into each server doesn’t scale, so I needed to find a way to automate the process using PowerShell.

After using a search engine I was able to find the correct WMI class that I could use to query for SCCM client software updates.

Once I had the proper namespace and class, I wrapped a function around it to get the information I need along with a simplified summary output.

Full Output (Default)

Summary Output

If I find that the computer I’m working on still doesn’t have the updates that I approved, I give it a good kick with the following three client actions from the same CMClient module :

Try it out for yourself.

 

Test-ADUser

Have you ever wanted to know if a user was valid, disabled, or expired? I created a tool to validate a username against Active Directory called Test-ADUser.

Example 1: Valid User Output

Example 2: An Expired User

Example 3:
Test-ADUser -username disableduser

Example 4:
Test-ADUser -username invaliduser

Get your copy today at the PowerShell gallery (Install-Module MrAADAdministration).

PowerShell and SCCM Client Actions

SCCM Client Actions
SCCM Client Actions

If you work with System Center Configuration Manager (SCCM) you will be familiar with the number client actions that you can execute. Some of these actions are used more often than others, and learning what each of them do is for another blog post.

In our quest to roll out automated patching with SCCM we found that we often needed to run these various actions to get the SCCM client to check back in for new policy and check for pending updates. After logging into a handful of computers to open the Configuration Manger client applet from Control Panel to perform a Machine Policy Retrieval and Evaluation Cycle, I had to stop myself and find a faster way.

“What if I could use PowerShell to do this for me?”

I started like I normally do trying to find a SCCM client module with built-in cmdlets, but that path led to futility. Thankfully I found @adbertram wrote a PowerShell module that could execute the proper WMI method for the client actions. I immediately downloaded the code and started to try it out. I found one problem: the functions only accepted a single computer name at a time. I asked Adam about it. He told me to go ahead and update the code, and do a pull request on Git. I said I’d be glad to, pretending I knew how to do any of that Git stuff. After updating the code and performing my first Git pull request, we now have a SCCM client module for invoking client actions on multiple computers.

Let me show you a few examples:

Check out the CMClient module on Github and the PowerShell gallery (Install-Module CMClient).

Send your positive feedback to me and your bugs and complaints to Adam.

Get-WindowsUpdatePolicy

 

Windows UpdateI’ve been working on a project to roll out automated patching to the servers in our environment. We have been using a combination of group policy and WSUS, which is a great solution, but it doesn’t allow for multiple maintenance windows. Since we are primarily a Windows shop we chose to use System Center Configuration Manger (SCCM) as our solution. If you’ve worked with SCCM you know that “it’s a full time job.” So over the last few months we’ve been carving off some servers from our WSUS and moving them to SCCM for patching. During the changeover we needed to verify if the server was  actually talking to SCCM instead of our existing WSUS infrastructure. For the first few servers I logged on and launched regedit.exe to look at the policy key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. After doing this two (too many) times I realized this wasn’t going to scale. I put together a PowerShell script to read the registry keys we needed from one or more remote servers.

Introducing Get-WindowsUpdatePolicy

Now with a quick command I can see what WSUS server a computer is configured to use. Try it out, and let me know if you find it to be useful.

Azure IaaS Disk Add Error

Today I saw that one of our Azure IaaS VM’s was getting low in disk space. The VM was configured with a number of data disks in a storage pool so adding a disk to expand space would not be a problem. In fact we have done this quite a few times for this specific VM, so the process is all too familiar. However this time I ran into a problem. I stepped through the process to add a new disk using the Azure Portal and received the following error:

Azure Disk Add Error
Failed to attach new disk ‘disk13’ to the virtual machine ‘server01’. Error: CannotAddOrRemoveNetworkInterfacesFromARunningVirtualMachine: Secondary network interfaces cannot be added or removed from a running virtual machine.

Wait….what? I can’t add a disk because I can’t add a NIC when the machine is running? But I’m trying to add a disk not a network adapter! I attempted to stop the VM to see if I could add this disk while the VM was offline. “No soup for you!

Failed to stop the virtual machine ‘server01’. Error: Secondary network interfaces cannot be added or removed from a running virtual machine.

What? Now what do I do? I restarted the guest OS and attempted a redeploy of the VM, but nothing worked. I opened a ticket with Azure support. After walking the support technician through my issue he was also stumped. However after a few hours of research he came back with the solution which was to force the first (and only) network adapter to be primary through PowerShell.

After executing these commands the VM shutdown without warning or intervention after which I was able to add my additional data disk, power on the VM, and get back to work.

I’m glad to find a solution, but this is definitely a pain point. I don’t have access to the hypervisor to force stop or reset a VM to fix the configuration through Hyper-V Manager, Failover cluster manager, or System Center Virtual Machine Manager. I know that’s not going to happen ever with Azure, nor should it. This is just one of those edge cases where you have to reach out to support for help.

Nugget of Wisdom

Purchase your Azure support before you need it. When you’re in the thick of it you don’t want to be establishing a support contract which can take time before you can even open a ticket.

Launchy and UWP Apps

Hello. My name is [redacted], and I’m a performance junkie. It’s been five days since I wrote a PowerShell script to make me work faster.

Sometimes I feel like a NASCAR pit crew chief constantly trying to find ways to shave off seconds of inefficiencies in the way that I work. I’ve learned that the less I leave the keyboard to use the mouse the more I can get done, especially if I just need to start an app.

The Start Menu was introduced to the world with Windows 95 and has gone through many iterations since. Since Windows Vista, Microsoft built search into the Start Menu to help us “quickly” find the apps we wanted to use. Unfortunately it hasn’t been very fast, perhaps because the search is also accessing an index of files and email as well. In 2007 Launchy was created to be a single purpose application launcher to quickly start apps based upon keystrokes. Once I taught myself to use it, I have never looked back. I still use the Start Menu for various purposes, but to start my apps I just press Alt + Space, type a few letters and press Enter.

By default Launchy indexes shortcut (*.lnk) files in your user and system start menu.
By default Launchy indexes shortcut (*.lnk) files in your user and system start menu.

With Windows 8/8.1 and Windows 10 Microsoft is moving to a new style of app which has gone by many names, Metro, Modern, Windows Store, and now Universal Windows Platform (UWP). These apps are packaged into a Appx format and run in isolated ‘containers’.  These UWP apps are registered into the modern Start Menu, but not as shortcut files which means Launchy can’t index them. I set out on a journey to figure out a way to get Launchy to “see” these apps so that I can keep my hands on the keyboard.

My first thought was to find the exe that associated with the UWP app. UWP apps are installed in two locations.

However running those exe’s didn’t seem to do anything, or it popped up the SmartScreen warning.

launchy_uwp_10
“No soup for you.”

I did find the processes suspended in the task manager.

launchy_uwp_20
The suspense is killing me.

It seems like these exe’s have to be launched via the container or host process. I hit a dead end, or it was time for another approach.

I found some information on the Googles (actually Duckduckgo) on UWP apps registering protocols which can be used to launch the app. Now we were on to something. The blogs and documentation I found listed example apps and their protocols, but not how to retrieve them. I decided to look into the PowerShell Appx module.

I started with Get-AppxPackage to see what properties the cmdlet would output. The only properties I found that were useful were Name and InstallLocation.

Then I saw there was another cmdlet Get-AppxPackageManifest which returned an xml object.

From there I browsed the xml tree until I could find and isolate the protocol. Now that I had a found a way to get the protocol for UWP apps, I had to look up some code for creating shortcuts from PowerShell using the COMObject.

Instead of making one “big” script to do the whole process I decided to make one script per tool. One script’s job was to “get” the protocol of an UWP app and then another script to create the shortcuts.

launchy_uwp_30

Once I had these two scripts created I put together a module (MrAAppx) and published it on the PowerShell Gallery.

At the end of the day(s), I was able to reach my goal. I am now able to keep my hands on the keyboard and launch my UWP apps via Launchy, saving me precious seconds and keeping the momentum going.

 

Building Hyper-V Hosts: Converged Networking

Previously we looked at the networking basics for building Hyper-V hosts, specifically hosts in a failover cluster.  We saw that having dedicated high speed 10 GbE adapters for some or all networks could be costly and inefficient. In this article we will tackle the concept of converged networking.

With Hyper-V on Windows Server 2012 and newer you can collapse your networks into fewer high speed NIC’s using converged networking.  Traditionally you would have a team of 1 GbE NIC’s for each network (management, cluster, VM, etc.) requiring 6-8 physical 1 GbE NIC’s on the server. But with converged networking you are able to combine all the networks to go across a pair (or more) of 10 GbE NIC’s while ensuring each network gets their fair share of bandwidth using QoS. Converged networking is implemented through PowerShell only, and we will walk through an example script that you can use to get your converged networking up and running.

But first let’s cover the basic concepts of building converged networks.

We take two or more high speed adapters (10 GbE or faster) and put them into a team. Next we create and attach a Hyper-V virtual switch to this team. This switch is then configured to use weighted bandwidth QoS mode (more on that later). Finally we create virtual network adapters that the host OS uses for the networks you need (i.e. Management, cluster, live migration, virtual machines, etc.).

So what is weighted bandwidth QoS?

Weighted bandwidth mode allows you to share the total bandwidth of the underlying physical NIC’s of a Hyper-V virtual switch between the networks you create. The total weight of all the networks plus the default (VM traffic) must equal 100. The QoS is only enforced when the bandwidth is in contention.  This means that a live migration could use nearly all the bandwidth of a 10 GbE physical adapter, and then bandwidth is available for the other networks to use when no live migrations are occurring.

Using the below table as an example, we will guarantee a percentage of bandwidth for each network. Adjust the weights and number of networks to match your environment.

Networks Weight
Management 15
Cluster 5
Live Migration 20
iSCSI A 20
iSCSI B 20
Default(VM) 20
Total 100

The Default(VM) “network”  is set to 20 (referenced as DefaultFlowMinimumBandwidthWeight in PowerShell). This is the reserved bandwidth for anything that doesn’t match the other networks specified. Since we are specifying bandwidth for management, cluster, live migration, and two iSCSI networks, what is “left over” is the virtual machine traffic. This means that 20% of the bandwidth will be reserved for virtual machine traffic.

Now that we have our networks and weights mapped out, it’s time to get into the PowerShell script.

First Things

You should copy this script to the Hyper-V host on which you wish to configure converged networks and modify the parameters to meet the names, IP addresses, VLAN’s, DNS servers, etc. that meet your environment. Note that running this script WILL disrupt your network access to the server, so you will need to run this script locally on the server from a OOB management (DRAC, iLO, CIMC).

Hyper-V Converged Networking PowerShell Script

Here’s a basic overview of what the script does.  Based upon the parameters you specify, the script will build a network team from two pre-defined NIC’s to which a Hyper-V virtual switch will be connected in weighted bandwidth mode. After which the individual virtual network interfaces are created with their appropriate VLAN, IP, subnet mask, weight, et cetera.

To use the script we need to edit the parameters. Although you can specify most of the parameters when you run the script, you may find it simpler to open the script in the ISE and modify the IP address information for each of the networks to match your environment .

If you are not using iSCSI Networks:

    Adjust the weight parameter of each network to what you need
    Comment out (or don’t run) the last two network sections where the iSCSI interfaces are created.

The script assumes you have two 10 GbE network adapters named 10GbE1 and 10 GbE2.  You can adjust this based upon the number and names of your network adapters. Find the line that begins New-NetLBFOTeam.

The script also enables Jumbo frames on all virtual network adapters that are created, but you will need to enable jumbo frames manually on the underlying physical network adapters. (Due to the various names of registry properties for jumbo frames for the multitude of NIC manufactures it is difficult to add that to the template script.) Comment out these lines to skip the jumbo frame configuration.

Once you have made all of the necessary parameter changes and given everything a thorough second look, you’re ready to run the script.

STOP!

Make sure the script is stored locally on the server, AND you’re connected via OOB management just in case something goes wrong. OK. Take a deep breath and run the script. Within a minute or two the script should finish and now you can validate your network connectivity. If something went wrong review the script output.

Troubleshooting Steps

  • Make sure the virtual network adapters have been created and have the correct IP addresses.
  • Verify the network adapters have the correct VLAN ID associated.
  • Verify the network team is healthy (lbfoadmin.exe)
  • Start over again by removing the virtual network adapters (Remove-VMNetworkAdapter), removing the virtual switch, and removing the team.

Once you’re satisfied that your first Hyper-V host is configured and working with converged networking, repeat this process for every node in your Hyper-V cluster, changing the IP addresses and such where appropriate. After each node has been configured with converged networking you should run the cluster validation wizard to verify network connectivity between each node.

TIP

Document your cluster networking and save your converged networking scripts should you need to rebuild or adjust your cluster networks.

Now that you have accomplished converged networking, your next step should be to configure VMQ to ensure the high IO networking bandwidth is spread out properly amongst the CPU cores on your hosts. We’ll save that for another blog post.