Advanced Windows PowerShell Scripting Video Training


Wednesday, August 31, 2011

Installing the Virtual Machine Servicing Tool 3.0

The Virtual Machine Servicing Tool 3.0 is the upgrade to the Offline Virtual Machine Servicing Tool.  VMST allows you to keep VMs stored in your System Center Virtual Machine Manager library up to date when they are not in use.  You can download the VMST from Microsoft.

 

Once downloaded, extract and open the folder on your VMM server.

 

image

 

Select the correct processor platform for your environment.

image

Click Run

image

Click Next

 

image

Accept the license agreement and click Next

Click Next and then Install.

Click Yes or enter your local/domain administrative credentials if you receive a UAC prompt.

Click Finish when the installation is completed.

The installation is now complete.

Tuesday, August 30, 2011

How to make a Windows VPN connection FIPS compliant

FIPS stands for Federal Information Processing Standards.  FIPS defines how federal computer systems will be secured and how they will talk to each other.  Windows XP and later can be configured for FIPS compliance.  In my 6416C class in New York, this question came from a room full of government employees.  They had an obvious interest in making sure what they had just learned on Network Policy Server could be considered for usage in their organizations.  The two TechNet articles below outline how to do this and some considerations to follow.

Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication

The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows

Monday, August 29, 2011

Virtual Hardware Choices for adding VHD files.

You have 2 choices when it comes to configuring your VHD files. You can connect them via IDE or SCSI controllers in your virtual machines.

 

IDE:

Each IDE controller allows you to connect 2 drives. You are allowed 2 IDE controllers, which allows for up to 4 drives. You must have the boot drive for the VM on the IDE controller. You will be limited to 2,048 GB per IDE hard disk. Pass-through, fixed-disk, and dynamic VHD types are all allowed on the IDE controller.

 

SCSI:

You are allowed to have 4 SCSI controllers on your virtual machine. Each SCSI controller can host 64 VHD files, which gives you a total of 256 disks. There is no limit to the size of the SCSI drives other than the hardware that is actually hosting the VHD file. You can also add and remove SCSI disks from the VM while the VM is running if the host is running Windows Server 2008 R2.

Friday, August 26, 2011

How to use the System Center Virtual Machine Module cmdlets in your scripts.

This took a little research.  You need to use the Add-PSSnapin cmdlet.

 

Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

 

This snapin is available on a client that has the VMM Administrator Console installed on it.  Once you execute the above command, the VMM cmdlets should be available to you.

Thursday, August 25, 2011

Forcing a Windows 7 client to create a Shadow Copy

Windows 7 has the ability to support Previous Versions just like Windows XP and Vista did on a share hosted on a 2003 or 2008 server.  The difference is that the shadow copy can now be a local drive.  Thanks to a little help from Thomas Lee and a posting on the Win32_ShadowCopy from MSDN, you can force a Windows 7 client to create a shadow copy.  The actual lines of PowerShell code are below.

# get static method
$class=[WMICLASS]"root\cimv2:win32_shadowcopy"
# create a new shadow copy
"Creating a new shadow copy"
$class.create("C:\", "ClientAccessible")

You can attempt to run this remotely by using the PowerShell V2 remoting capability.
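
The snippet above discards the result of Create, so a failed request (for example, from a non-elevated session) goes unnoticed. The following is an added example, not code from the original post: it checks the return code documented for the Win32_ShadowCopy Create method, reports the new shadow copy, and optionally runs on another machine through PowerShell remoting. The function name New-ClientShadowCopy and its parameters are made up for this illustration.

```powershell
# Added example (not from the original post). Run from an elevated session.
# New-ClientShadowCopy, -Volume and -ComputerName are illustrative names.
function New-ClientShadowCopy {
    param(
        [string]$Volume = 'C:\',
        [string]$ComputerName   # optional; PowerShell remoting is used when set
    )

    $work = {
        param($vol)

        # Return codes documented for the Win32_ShadowCopy Create method
        $codes = @{
            0  = 'Success'
            1  = 'Access denied'
            2  = 'Invalid argument'
            3  = 'Specified volume not found'
            4  = 'Specified volume not supported'
            5  = 'Unsupported shadow copy context'
            6  = 'Insufficient storage'
            7  = 'Volume is in use'
            8  = 'Maximum number of shadow copies reached'
            9  = 'Another shadow copy operation is already in progress'
            10 = 'Shadow copy provider vetoed the operation'
            11 = 'Shadow copy provider not registered'
            12 = 'Shadow copy provider failure'
            13 = 'Unknown error'
        }

        $class  = [WMICLASS]'root\cimv2:Win32_ShadowCopy'
        $result = $class.Create($vol, 'ClientAccessible')
        $code   = [int]$result.ReturnValue

        if ($code -ne 0) {
            throw "Shadow copy of $vol failed: $($codes[$code]) (code $code)"
        }

        # Create returns the GUID of the new shadow copy in ShadowID
        Get-WmiObject -Class Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'" |
            Select-Object ID, VolumeName, InstallDate, ClientAccessible
    }

    if ($ComputerName) {
        # Requires PowerShell remoting to be enabled on the target
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $Volume
    }
    else {
        & $work $Volume
    }
}

# Local use; add -ComputerName <name> to run through remoting instead
New-ClientShadowCopy -Volume 'C:\'
```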

Wednesday, August 24, 2011

Configuring VM Storage in Hyper-V

The Default location for storing Hyper-V Virtual Machine files is:

 

.vhd: C:\Users\Public\Public Documents\Hyper-V\virtual hard disks

 

Configuration files: C:\Program Files\Microsoft\Windows\Hyper-V

 

It is OK to leave them there in a test environment, but in practice, you will want to move them to different physical drives simply for the sake of better performance. Here are a few considerations.

 

  • Move them off the partition that holds the host’s operating system
  • Move them off the disk that is used by the parent for paging.
  • If using multiple VMs on the same server, distribute the VM files across as many disks as possible.
  • If stored on a SAN, ensure reliability and performance will meet expectations.
  • Make sure the location will not only have enough space for data, but also snapshots.
  • Restrict access to the storage locations to only those who need to copy and paste files in that location.
  • If on a failover cluster, store the files on the shared disk.

 

To change the default location of the stored files, open Hyper-V Manager:

 

Click Hyper-V Settings in the Actions pane.

 

The first two columns on the left are the default storage locations. Changing these will change the storage location of all future VM files.

 

clip_image002

 

You can also specify the location of the data files when you create a new VM.

Tuesday, August 23, 2011

Migrating virtual machines between Hyper-V hosts using the Export/Import feature in Hyper-V

One of the benefits of virtualization is your ability to migrate a VM to another host. Whereas with a physical server, you would have to install the OS, applications, drivers, and then migrate the data, you can simply migrate the VM in the virtual world.

 

To begin the migration, shut down the virtual machine.

 

Access the Hyper-V Manager that controls the VM.

 

Right click the VM that you want to export and click Export.

 

Provide a path to save the VM. Remember, if this VM has snapshots, all that data will be exported as well. Make sure you have sufficient disk space.

 

Click Export.

 

While the VM is exporting, you will see the Cancel Exporting option in the Actions pane of the VM.

 

clip_image001

 

You will also see the Cancel Exporting option if you right click the VM.

 

clip_image002

 

Once Exporting is complete, these options will go away.

 

Transfer the exported files to their new home.

 

In Hyper-V Manager, in the Actions pane, click Import Virtual Machine.

 

Browse to the location where you stored the VM. Click on the parent folder of the exported VM. Do not open it. Click Select Folder.

 

Click Import.

 

If all goes well, your virtual machine will import into Hyper-V and be ready to start. Of course, you may want to adjust the settings if needed since it is on a new host.

Monday, August 22, 2011

Configuring Hyper-V Virtual Networks

 

The Virtual Network Manager in Hyper-V allows you to create several types of virtual networks inside your virtual environment. This allows you to create isolated networks inside the same server. Click Virtual Network Manager in the Actions pane to access the Virtual Network Manager.

 

clip_image002

 

In the left hand pane is a listing of all the virtual networks currently configured on this Hyper-V server. By default, New virtual network is selected. Clicking on any of the other already configured networks allows us to make changes to each profile.

 

Types of virtual networks.

 

In the Create virtual network area, we see three types of networks that we can create.

External:

 

An External network creates a virtual network that you bind to a physical network adapter. This allows the VMs in that virtual network to access your physical network. They will be able to talk with each other, get DHCP addresses, and access the internet if those services are provided.

 

clip_image003

 

Provide a Name for this virtual network.

 

It is a good idea to add some notes as to what this virtual network is going to be used for.

 

From the drop down list, select the physical NIC that this virtual network will bind to. You can only bind a virtual network to 1 NIC. Also, uncheck the Allow management operating system to share this network adapter. In practice, you want to have a separate NIC for the host and each virtual network hosted on that server.

Internal Only

 

In this configuration, the VMs will be able to talk with each other, and the host operating system. You will have to provide for IP addressing and name resolution services in this scenario.

Private

 

With this setting the physical host cannot talk to the VMs and vice versa. It completely isolates network communications to only the VMs inside the virtual network.

Friday, August 19, 2011

How to reserve resources for a VMM host

 

To prevent virtual machines from being placed on a server that the VM will overwhelm, you can use the Reserves feature of VMM. 

 

Open up System Center Virtual Machine Manager

 

Browse to the host that you want to manage the reserves on.

 

Right click it and select Properties

 

clip_image001

 

Click the Reserves tab.

 

Here you can set the minimum resources that host can run on.  A VM cannot take these resources away from the host.

 

clip_image002

Thursday, August 18, 2011

What's the difference between Microsoft Security Essentials and Windows Defender?

Below is the official word from Microsoft.

Security Essentials is antimalware software, which means that it's designed to detect and help protect your computer against a wide range of malicious software, including viruses, spyware, and other potentially unwanted software. Windows Defender, which is automatically installed with your Windows operating system, is software that detects and stops spyware. To learn more about Windows Defender, visit the Windows Defender Web site.

Wednesday, August 17, 2011

Hardware Requirements for Hyper-V 2008 R2

Below is a list of the hardware requirements for Hyper-V 2008 R2. You can find the original information from Microsoft here.

 

· Supported Operating Systems: A list of supported guest operating systems can be found here.

 

· Processor: x64 compatible processor with Intel VT or AMD-V technology enabled.
Hardware Data Execution Prevention (DEP), specifically Intel XD bit (execute disable bit) or AMD NX bit (no execute bit), must be available and enabled.

 

· Minimum CPU speed: 1.4 GHz; Recommended: 2 GHz or faster.

 

· RAM: Minimum: 1 GB RAM; Recommended: 2 GB RAM or greater (additional RAM is required for each running guest operating system); Maximum 1 TB.

 

· Available disk space: Minimum: 8 GB; Recommended: 20 GB or greater (additional disk space needed for each guest operating system).

 

· DVD ROM drive

 

· Display: Super VGA (800 × 600) or higher resolution monitor.

 

· Other: Keyboard and Microsoft Mouse or compatible pointing device.

Note: The actual system requirements will vary based on your system configuration and hosted guest operating systems.

Tuesday, August 16, 2011

Does a Computer Object SID do anything?

This one threw me for a loop in class.  While talking about what SYSPREP does to a client, one of the members of the class pointed me to a very interesting article.  I have always been taught that the SID of the computer account is what Windows looks at for assigning security access.  Well, take a minute to read this blog post from Mark Russinovich at Microsoft.

 

OK, let’s put this to the test.  I took a VM from class and created an image of it.  I then deployed this non-sysprepped image to another VM and started it up in the same environment as the original.  The original was logged off and I had no trouble logging in.  After taking snapshots of the new VM and the DC, I went ahead and renamed the VM to LON-CL3.  In AD Users and Computers, the account associated with the original was renamed.

 

OK, I reapplied the snapshots and brought both identical VMs online.  I was able to log in on both.  On the original, I renamed the client and allowed it to reboot.

image

 

In the image below, you can see a client named LON-CL5.  This is my renamed original.  I was also able to successfully log in using the clone that is still named LON-CL1.  At this point, security is obviously looking at the SID.

 

Group Policy Updates

I was able to update group policy on the client that was renamed, but the clone with the original name could not update its policy.

image

This points to something other than the SID being used.

 

Resetting the computer account still allowed both clones to log in.

 

I’m out on this one as to what the computer account SID is used for.  Keep an eye on Mark’s blog.  It has so far generated 18 pages of comments.

Monday, August 15, 2011

Configuring settings for Hyper-V R2

Once the Hyper-V server has been installed, you can configure it. Open the Hyper-V Manager console.

 

Click Hyper-V Settings from the Actions pane.

 

There are two sections to the Hyper-V Settings, Server and User. The Server settings control the default locations for the VM files.

Keyboard Settings

 

clip_image002

 

This is where you decide when the “Window” key will be used on the host, and on the child. The default setting is to use it on the host, unless the VM is running in full-screen mode.

Mouse Release Key

 

clip_image004

 

For older operating systems, you may not be able to click in and outside the VM window as easily as you can for Windows 2008 and Windows 7 virtual machines. In that case, the mouse is captured and you will not be able to click on the host desktop. The Mouse Release Key is the key combination that you will use to release the mouse back to the parent operating system.

User Credentials

 

Click this if you want to use your login credentials to give you access to the desktops that are running in Hyper-V. This does not give you log in capability to the VMs. You still need to authenticate to use them. This just determines if you can even access them. If you are using Smart Cards for login, you will need to disable this feature and log in manually to Hyper-V.

Delete Saved Credentials

 

clip_image006

 

This option allows for any saved credentials to be removed from Hyper-V. This will help to increase security.

Reset Check Boxes

 

This will reset Hyper-V confirmation and wizard pages back to their defaults.

You can also further configure the Hyper-V Manager by determining which elements are displayed. Click View \ Customize.

 

clip_image007

 

Checking and unchecking the boxes shows you live, in the Hyper-V Manager window, what is removed or added.

Friday, August 12, 2011

Cloning virtual machines using Virtual Machine Manager

Cloning allows you to take a virtual machine and make a copy of it. This is a good way to test a new configuration or software installation on a VM without risking taking the VM down. When you create your clone of a VM, it is not generalized. That means it holds the same SID, and all other settings, as the original. For this reason, you will not be able to run this VM in the same network while the original is running. You can transfer the cloned VM to an isolated virtual network for testing. In the isolated network, it will not have contact with the original.

 

To clone a virtual machine, open Virtual Machine Manager.

 

Make sure the VM is turned off. The cloning option will not be available if the VM is turned on.

 

Click Virtual Machines in the lower left hand menu.

 

Right click the VM that you want to clone and click Clone.

 

clip_image002

 

In the Virtual Machine Identity window, you can change the name, description, and owner of this cloned VM.

 

Click Next

 

In the Configure Hardware window, you can keep the hardware profile from the original VM, or make changes such as increasing the RAM, adding processors, or changing BIOS settings. You can also assign the VM a stored hardware profile from the Hardware Profile drop down box.

 

clip_image003

 

Click Next

 

On the Select Destination window, you can place this clone on a host, or place it in a virtual machine library. For this demonstration, I’ve selected Place the virtual machine on a host. Click Next.

 

In the Select Host window, click the host that you want to store the VM on. Click Next.

 

On the Select Path window, select the path to store the VM and click Next.

 

On the Select Networks window, select the virtual networks that each NIC in the VM will connect to. Click Next

 

clip_image005

 

On the Summary page, click Create.

 

The window below will pop up to help you monitor the process.

 

clip_image006

 

Depending on the hardware and speed of your network, this process can take some time.

Thursday, August 11, 2011

Managing Snapshots in Hyper-V

Taking snapshots

Taking a snapshot is a very easy process. Just remember a few considerations first.

1. Make sure the disk that is holding the virtual machine (VM) folder has the disk space for a snapshot.

2. Make sure the VM is either running or shut down. You cannot take a snapshot while the VM is paused.

3. Snapshots are not supported in a production environment. Snapshots are good for lab or test environments.

4. Snapshots are not a replacement for regular backups.

You can take a snapshot in one of two ways; you can right click a VM in Hyper-V Manager and select Snapshot. Your other option is to click on the VM in Hyper-V Manager and click Snapshot from the VM specific menu in the lower left hand corner of the Hyper-V Manager.

clip_image001

It will take several seconds for the snapshot to appear in the Snapshots window.

 
 
Reverting snapshots

Snapshots make it very easy to go back to a point-in-time. You can easily reset a VM back to its current snapshot by doing a Revert. To Revert a VM, right click the VM in Hyper-V Manager. Click Revert.

clip_image002

This will make the VM fall back to the last Snapshot taken or the last snapshot applied, whichever is the case.

 
 
Merging snapshots

Merging a snapshot is the result of deleting a snapshot from Hyper-V. To merge a snapshot into its parent, right click the snapshot to delete and select Delete Snapshot Subtree. Click Delete when prompted.

clip_image003

A word of caution on this procedure. Take a look at the example below:

clip_image004

If I were to merge the snapshot labeled VTEC1 with its parent Network Base 1, the results would be catastrophic for the snapshots 6416C – AD Recycle Bin and 6420 No DHCP. That is because differencing disks are used for snapshots. All three snapshots in question are children of Network Base 1. By merging VTEC1 into Network Base 1, I make the other two snapshots unusable.

Perform this procedure with caution.

 
 
Deleting snapshots

From time to time it is good practice to remove snapshots that you no longer need. This will help to conserve disk space and make the VM more portable.

In Hyper-V Manager, right click the snapshot you want to delete and click Delete Snapshot.

clip_image005

Then click Delete when prompted.

The Snapshot will be removed from the list and the disk.
 
 
Applying snapshots

Applying a snapshot is very easy to do. You can apply a snapshot with the VM running or turned off. In Hyper-V Manager, you apply a snapshot in one of two ways. Right click the snapshot and Click Apply or click the Snapshot and click Apply from the VM menu on the lower left.

clip_image007

Hyper-V will ask you if you want to just apply the snapshot or if you want to take a snapshot of the current machine state before applying the snapshot you selected.

clip_image008

The VM will now be configured to that snapshot.

Wednesday, August 10, 2011

Install Hyper-V on Server Core

Server Core is an excellent platform for running Hyper-V. Because of its minimal installed code, you will have greatly reduced maintenance and a reduced attack footprint on the host system. Since Server Core is a minimal installation of Windows Server 2008, you will be working with a text based environment similar to Unix. Also, with the minimal code, more of the server's resources can be dedicated to the VMs, and less to the parent OS.

 

Log into your Server Core with an account that has local administrative rights.

 

Let’s get a listing of what roles and features have been installed on this server

 

Type Dism /online /get-features /Format:table and press Enter.

 

We will see a nicely formatted table of what is installed, and what is not.

 

clip_image002

 

If you scroll down the list you will see Microsoft-Hyper-V is disabled. Let’s enable it.

 

Type Dism /online /enable-feature /featurename:Microsoft-Hyper-V and press Enter. This command is case sensitive.

 

clip_image004

 

Once it has completed, press Y to restart the server.

 

The Hyper-V role has now been installed.

Tuesday, August 9, 2011

list wmi namespace

Last week I published an article about how to set your host reserves in VMM Manager.  I deliberately left off with a manual task.  Changing the host reserves only affects new hosts added to your VMM environment. What about the ones that are already there?  You had to manually change them.

Using PowerShell on a client that has VMM Manager installed on it, you can change the Host Reserves of all Hosts that are already on the system.

Open PowerShell (You must do this on a client that has VMM Manager installed on it)
Type Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager and press Enter.
This adds in cmdlets that are specific to Virtual Machine Manager.
Now type Get-VMHost | Select-Object ComputerName, CPUPercentageReserve, NetworkPercentageReserve, DiskSpaceReserveMB, MaxDiskIOReservation, MemoryReservationMB and press Enter.
This will show you the current Host Reserves on each host.
image
We can use the 5 reservation properties to change the host reservations.  For simplicity, we are only going to change the CPU and Network percentage reserves.
Get-VMHost | Set-VMHost -CPUPercentageReserve 25 -NetworkPercentageReserve 35

If we re-execute our first command, we get the following:
image

Friday, August 5, 2011

Verify DEP BIOS setting without rebooting your server

If you find that you need to verify your DEP (Data Execution Prevention) BIOS settings, here is a simpler way to do it without rebooting your server. Type this command in a DOS command window.

WMIC OS Get DataExecutionPrevention_SupportPolicy

It will return back one of the following:

0 - DEP is disabled for all processes.
1 - DEP is enabled for all processes.
2 - DEP is enabled for only Windows system components and services. (Default)
3 - DEP is enabled for all processes.
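
The same value can be read from several servers at once through the Win32_OperatingSystem WMI class, which also reports whether hardware DEP is available (the Hyper-V requirement listed elsewhere on this page). The following is an added example, not code from the original post; the function name Get-DepStatus and the host names HV01 and HV02 are placeholders made up for this illustration. It uses Microsoft's names for the four values: AlwaysOff (0), AlwaysOn (1), OptIn (2) and OptOut (3); OptOut differs from AlwaysOn in that an administrator can exclude individual applications.

```powershell
# Added example (not from the original post).
# Get-DepStatus and the host names below are illustrative placeholders.
function Get-DepStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Microsoft's names for the DataExecutionPrevention_SupportPolicy values
    $policy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem `
                                -ComputerName $computer -ErrorAction Stop
        }
        catch {
            Write-Warning "${computer}: WMI query failed: $($_.Exception.Message)"
            continue
        }

        $code = [int]$os.DataExecutionPrevention_SupportPolicy

        New-Object PSObject -Property @{
            ComputerName     = $computer
            # True when the processor feature (Intel XD / AMD NX) is usable
            HardwareDEP      = $os.DataExecutionPrevention_Available
            DriversProtected = $os.DataExecutionPrevention_Drivers
            PolicyCode       = $code
            Policy           = $policy[$code]
            # Flag hosts with no hardware DEP or with DEP switched off
            NeedsReview      = (-not $os.DataExecutionPrevention_Available) -or ($code -eq 0)
        }
    }
}

# Report every host, listing the ones that need attention first
Get-DepStatus -ComputerName 'HV01', 'HV02' |
    Sort-Object NeedsReview -Descending |
    Select-Object ComputerName, HardwareDEP, DriversProtected, PolicyCode, Policy, NeedsReview
```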

Thursday, August 4, 2011

Can you exclude certain files from UAC?

User Account Control (UAC) is an all or nothing feature. It is either on or off. I personally like to keep it on. On my servers, I have UAC prompt for consent for administrators. I know when I’m going to set off UAC. This keeps it in place and still helps to provide protection. For my clients, it keeps technical support costs down by helping to prevent users from damaging the clients they use.
Some applications do not like to use UAC. To date, you cannot exclude certain applications or OS functionality from UAC. I found a possible workaround on Martin Zugec’s blog. Give it thorough testing prior to use.

Wednesday, August 3, 2011

Do you have to use the free VM license with Server 2008 on the same physical host that you installed 2008 on?

Yes, you do.  If you buy a copy of Windows Server 2008 R2 Enterprise, you must use those virtual licenses on the machine that you assigned the physical license to. I’m not a licensing expert, so I’m going to direct you to a blog article by Matt McSpirit to explain the details.

Tuesday, August 2, 2011

How to Cascade Host Group Reserve Settings in VMM Manager.

Configuring resource reserves for a Host in VMM is a good idea.  This prevents the VMs running on the host from consuming all the resources of that host and rendering it unusable.  There are two ways of setting up host reserves, manually and through inheritance.

 

Let’s first look at the inheritance method.  Below is a screen shot of my VMM host groups.

image

 

Currently, I have the default host reserves set on them. The image below is from the All Hosts properties.

image

 

I’m going to change the CPU percentage from 20 to 25 and then click OK. When I did this, I received the options below.

image

I’m going to select Apply changes to this host group and its children and click OK

Once completed, the host reserves for the hosts currently in that host group did not change.  This is for new hosts added to VMM.  This is not the true inheritance that we use with technologies such as NTFS.  The Host Reserves in the Host Groups should be considered more as templates for new hosts as opposed to an inheritable property.

 

The Manual method is how you change the host reserves for VMM hosts that are already managed by the VMM server.  You simply right click the host and select Properties.  Then click the Reserves tab and make your changes.

Monday, August 1, 2011

How to prevent USB memory devices from being used through Group Policy

USB devices have made transporting data extremely fast and easy.  The downside is that they also have the potential of spreading computer viruses just as fast and easily.  For this reason, you may want to restrict a computer's ability to read data and execute programs from a USB drive.  Also potentially damaging is the ability for a user to remove large amounts of data from your network.  You may also want to restrict the writing of data to these drives.  Group Policy provides you with options to help manage USB memory device usage.

 

This first option is for users of Vista.  You can scope this one to either a computer or to a user.  In your GPO, expand Policies \ Administrative Templates \ System \ Removable Storage Access.  There you will find 4 GPO settings to help you deny read, write, and execution from USB devices.

image

 

For Windows 7 clients, you can also set a condition based on Windows BitLocker.  In your Group Policy, expand Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives.  Two GPO settings will help you out here.  First, disable Control use of BitLocker removable drives.  This will prevent users from BitLocker protecting their USB devices to get around the next setting we are going to enable. Second, enable Deny write access to removable drives not protected by BitLocker.  Also check Do not allow write access to devices configured in another organization.  This will not completely block the USB device, but it will only allow USB BitLocker devices created previously by the client to be used.

 

For Windows XP clients, check this blog post from Daniel Petri on a possible method to help with XP clients.