Category Archives: MS Windows server
Import and set TSGateway / RDGateway certificate with Powershell
As I noted in my previous article, Let’s Encrypt started to issue wildcard certificates – and now for me it is the right time to automate the whole process of renewal and binding – I also use Let’s Encrypt certificates for my RD Gateway servers (some of them stand-alone, without other TS/RD roles).
So how do we get from a PFX certificate “package” (previously retrieved from Let’s Encrypt) to a fully functional RDGateway?
Be careful with providing the password for the certificate import – inserting passwords into scripts is not a good idea! – here I have inserted it this way just as an example:
$pass = "passw0rdforimport" | ConvertTo-SecureString -AsPlainText -Force
Then we need to import the certificate into the LocalMachine certificate store and save its thumbprint into a variable $Thumbprint that we will use later to bind it to the TS/RDGateway:
$Thumbprint = Import-PfxCertificate -FilePath C:\lets\certificate_combined.pfx -Password $pass -CertStoreLocation Cert:\LocalMachine\My | select -ExpandProperty Thumbprint
Next we need to create the CertHash that will be inserted into the RDGateway settings:
$Cert = Get-Item -Path Cert:\LocalMachine\My\$Thumbprint
$CertHash = $Cert.GetCertHash()
As we have our CertHash, we can set it for the TS/RDGateway:
Get-CimInstance -Namespace root/CIMV2/TerminalServices -ClassName Win32_TSGatewayServerSettings | Invoke-CimMethod -MethodName SetCertificate -Arguments @{CertHash = $CertHash}
To apply the new settings we need to restart the TS/RDGateway service:
Restart-Service -Name TSGateway -Force
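The same procedure as one script, as an added example that is not code from the original post: the import password is prompted for at run time rather than stored in the script, the certificate is checked before it is bound, and the method's return code and the service state are verified. The PFX path and the gateway's public name are assumed sample values.

```powershell
# Added example, not code from the original post: import a renewed PFX and bind it to
# the RD Gateway without keeping the import password in the script. The PFX path and
# the gateway's public name are assumed sample values.
param(
    [string]$PfxPath = 'C:\lets\certificate_combined.pfx',   # assumed path
    [string]$GatewayFqdn = 'gateway.example.com'               # assumed public name
)

# Prompt for the password at run time instead of storing it in clear text.
$pass = Read-Host -Prompt 'PFX import password' -AsSecureString

# Import into the machine store; the cmdlet returns the X509Certificate2 object.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pass `
            -CertStoreLocation Cert:\LocalMachine\My

# Refuse to bind a certificate that cannot work: no private key, already expired,
# or not issued for the name clients connect to. DnsNameList is a property PowerShell
# adds to X509Certificate2; -like lets a wildcard SAN (*.example.com) match.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
$covers = $cert.DnsNameList | Where-Object { $GatewayFqdn -like $_.Unicode }
if (-not $covers) { throw "Certificate does not cover $GatewayFqdn." }

# Bind by certificate hash, exactly as in the post, but check the method's return code.
$settings = Get-CimInstance -Namespace root/CIMV2/TerminalServices `
                -ClassName Win32_TSGatewayServerSettings
$result = $settings | Invoke-CimMethod -MethodName SetCertificate `
                -Arguments @{ CertHash = $cert.GetCertHash() }
if ($result.ReturnValue -ne 0) {
    throw "SetCertificate failed with return code $($result.ReturnValue)."
}

Restart-Service -Name TSGateway -Force
if ((Get-Service -Name TSGateway).Status -ne 'Running') {
    throw 'TSGateway did not come back after the restart.'
}
"Bound certificate $($cert.Thumbprint) (valid until $($cert.NotAfter)) to the RD Gateway."
```

The previous certificate stays in Cert:\LocalMachine\My after this runs; remove it separately once you have confirmed clients connect with the new one.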
How to change a TXT record value on a Microsoft DNS server using PowerShell
As Let’s Encrypt announced wildcard certificates, I just wanted to make my life easier by automating the process of renewal and inserting values into TXT records to prove domain identity.
I am running all my DNS zones on Microsoft Windows Server 2016 with the DNS role installed, where I will need to modify the TXT record value every (little less than) three months to renew my *.domain.xyz certificate. So how can we do it in PowerShell just by modifying the existing value?
The first time you will probably need to create the record by using Add-DnsServerResourceRecord:
Add-DnsServerResourceRecord -Txt -Name _acme-challenge -DescriptiveText "SomeTextThatYouReceiveFromLetsEncryptACME2Process" -ZoneName mydomain.xyz -TimeToLive 00:00:10
* I keep the TTL very low here (10 seconds) so that the old value expires quickly in case you need to repeat the process.
Later on you will only need to modify the value of the TXT record _acme-challenge.
We have a new cmdlet to the rescue here: Set-DnsServerResourceRecord, but it cannot simply be used to modify the value – you need to fill two parameters called -OldInputObject (the old record values) and -NewInputObject (the new, modified values).
Let’s take a look at the example:
$oldvalue = Get-DnsServerResourceRecord -ZoneName mydomain.xyz -RRType Txt -Name _acme-challenge
$newvalue = Get-DnsServerResourceRecord -ZoneName mydomain.xyz -RRType Txt -Name _acme-challenge
$newvalue.RecordData.DescriptiveText = "SomeNEWTextThatYouReceiveFromLetsEncryptACME2Process"
Set-DnsServerResourceRecord -ZoneName mydomain.xyz -OldInputObject $oldvalue -NewInputObject $newvalue
What we did here is declare two variables holding the current values of the record – $oldvalue and $newvalue.
Then I modified the $newvalue element called “DescriptiveText”, which holds the text string of the TXT record, to the new data I receive from the ACME2 process when requesting the Let’s Encrypt wildcard certificate.
Finally I applied this new value to the record by using the Set-DnsServerResourceRecord cmdlet and its parameters.
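The create-or-update logic above wrapped in one function, as an added example that is not code from the original post: it creates the record on the first run, otherwise replaces the value with the Old/New object pair, refuses the ambiguous case of several TXT records under the same name, and confirms the change by querying the DNS server. Zone name and token are constructed sample values.

```powershell
# Added example, not code from the original post: create the _acme-challenge TXT record
# when it does not exist yet, otherwise replace its value the way the post does (two
# Get calls, then Set-DnsServerResourceRecord), and confirm by querying the server.
# Zone name and token are constructed sample values.
function Set-AcmeChallengeTxt {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Token,       # value handed out by the ACME server
        [string]$Name = '_acme-challenge',
        [TimeSpan]$Ttl = [TimeSpan]::FromSeconds(10)
    )

    $old = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Txt -Name $Name `
                -ErrorAction SilentlyContinue)

    if ($old.Count -eq 0) {
        # First run: nothing to modify yet, so create the record.
        Add-DnsServerResourceRecord -Txt -ZoneName $ZoneName -Name $Name `
            -DescriptiveText $Token -TimeToLive $Ttl
    }
    elseif ($old.Count -gt 1) {
        # Several TXT records under the same name (for example one per pending
        # challenge): the Old/New object pair would be ambiguous, so stop here.
        throw "$Name.$ZoneName has $($old.Count) TXT records; remove the stale ones first."
    }
    elseif ($old[0].RecordData.DescriptiveText -ne $Token) {
        # A second Get call gives an independent object to edit; Set needs the
        # untouched original as -OldInputObject and the edited copy as -NewInputObject.
        $new = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Txt -Name $Name
        $new.RecordData.DescriptiveText = $Token
        Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old[0] -NewInputObject $new
    }

    # Ask the DNS server directly and report whether it now serves the token.
    $answer = Resolve-DnsName -Name "$Name.$ZoneName" -Type TXT -Server localhost -DnsOnly
    return [bool]($answer.Strings -contains $Token)
}

# Sample call with constructed values; returns $true when the server serves the token.
Set-AcmeChallengeTxt -ZoneName 'mydomain.xyz' -Token 'SomeNEWTextFromTheACME2Process'
```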
How to monitor storage replication after a Storage Spaces Direct node reboot (e.g. after updates)
Hi!
I have a two-node Storage Spaces Direct scenario, and after updating and rebooting one of the nodes in the cluster I need to wait for the storage operations to complete (yes, I am updating this scenario manually :)).
If you want to check the progress of this synchronization / repair of Storage Spaces, just drop this into PowerShell on one of the nodes:
Get-StorageJob | Select Name,IsBackgroundTask,ElapsedTime,JobState,PercentComplete,@{label="BytesProcessed (GB)";expression={$_.BytesProcessed/1GB}},@{label="Total Size (GB)";expression={$_.BytesTotal/1GB}} | ft
You should get something like this…

Remember – if you have Storage Spaces Direct in a two-node scenario you SHOULD WAIT for this job to complete – if you reboot the second node too soon your CSV will go offline! So keep calm and PowerShell! 🙂
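A wait loop built on the same Get-StorageJob query, as an added example that is not code from the original post: it polls until no repair or regeneration job is still running, then checks that the virtual disks are healthy again before you touch the second node. The timeout and poll interval are assumed values.

```powershell
# Added example, not code from the original post: block until no Storage Spaces job is
# still running, then report virtual disk health. Run on a cluster node before
# rebooting the next one. Timeout and poll interval are assumed values.
function Wait-StorageRepair {
    param(
        [int]$TimeoutMinutes = 240,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    while ($true) {
        # Repair/regeneration work shows up as running or suspended jobs.
        $jobs = Get-StorageJob | Where-Object { $_.JobState -in 'Running', 'Suspended' }
        if (-not $jobs) { break }

        foreach ($j in $jobs) {
            '{0,-28} {1,5}% {2,9:N1} / {3,9:N1} GB  elapsed {4}' -f $j.Name, $j.PercentComplete,
                ($j.BytesProcessed / 1GB), ($j.BytesTotal / 1GB), $j.ElapsedTime | Write-Host
        }
        if ((Get-Date) -gt $deadline) {
            throw "Storage jobs still running after $TimeoutMinutes minutes; do not reboot the next node."
        }
        Start-Sleep -Seconds $PollSeconds
    }

    # No jobs left: confirm the virtual disks are actually healthy, not just idle.
    $unhealthy = Get-VirtualDisk | Where-Object { $_.HealthStatus -ne 'Healthy' }
    if ($unhealthy) {
        $unhealthy | Format-Table FriendlyName, HealthStatus, OperationalStatus -AutoSize |
            Out-String | Write-Warning
        return $false
    }
    Write-Host 'All storage jobs complete and virtual disks healthy; safe to continue.'
    return $true
}

# Returns $true only when it is safe to move on to the second node.
Wait-StorageRepair
```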
IPv6 in Windows environment for beginners
Currently I am working on implementing dual-stack (so all servers and computers will run IPv4 and IPv6 at the same time) in a Windows environment with Active Directory domain controllers, other member servers (file server, DFS, SharePoint services…), Exchange Server 2013, Lync/Skype for Business…
The purpose of this post is to walk you through the obstacles and difficulties of implementing both protocols to work together…
So basically we need to know the following:
We have one (or more) public IPv4 addresses which we NAT to our private networks where our servers live…
Our provider gives us an IPv6 prefix for the “wan” interface of our router, and on top of that a routed prefix which we will use internally (you need to know that there are public – globally routed – IPv6 addresses inside your network – SO TAKE CARE of your firewall rules (we will cover that later)).
The simple steps to implement dual stack are:
a. Get IPv6 from your provider
b. Have a router that understands IPv6 🙂
c. Configure router advertisement on the internal network with the M flag (managed: this forces clients to use DHCPv6 instead of autoconfiguring IPv6 addresses (SLAAC)) and the O flag (other configuration: this points clients to the DHCPv6 server to get DNS servers (your domain controllers’ IPv6 addresses))
d. Configure the DHCP server on your Windows server with DHCPv6 parameters (prefix, exclusions, DNS servers (option 00023 DNS Recursive Name Server IPv6 Address))
e. Disable the DHCP client on servers that use static IPv4/IPv6 addresses (if you do not, your servers will autoconfigure additional IPv6 addresses as told by the RA…). You can use PowerShell: Set-NetIPInterface -InterfaceIndex <number> -Dhcp Disabled
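Steps d and e in PowerShell, as an added example that is not code from the original post: a DHCPv6 scope with an exclusion range and option 23, then a check that lists IPv6 addresses a server did not get by hand (the extra RA/SLAAC addresses step e warns about) and the interface setting that stops it from acquiring more. Prefix, address ranges, DNS addresses and the interface alias are constructed sample values.

```powershell
# Added example, not code from the original post, covering steps d and e above.
# Prefix, exclusion range, DNS addresses and interface alias are constructed samples.

# Step d: DHCPv6 scope on the Windows DHCP server, with option 23 (DNS servers).
$prefix = [ipaddress]'2001:db8:1234:1::'                      # sample routed /64
$dnsV6  = @('2001:db8:1234:1::10', '2001:db8:1234:1::11')    # domain controllers (sample)
Add-DhcpServerv6Scope -Prefix $prefix -Name 'LAN v6' -State Active
# Keep the low end of the range for statically addressed servers.
Add-DhcpServerv6ExclusionRange -Prefix $prefix -StartRange '2001:db8:1234:1::1' `
    -EndRange '2001:db8:1234:1::ff'
Set-DhcpServerv6OptionValue -Prefix $prefix -DnsServer $dnsV6

# Step e, check: IPv6 addresses that were NOT configured by hand. PrefixOrigin is
# RouterAdvertisement for SLAAC and Dhcp for DHCPv6; WellKnown covers link-local.
function Get-AutoconfiguredIPv6 {
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.PrefixOrigin -notin 'Manual', 'WellKnown' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin
}

# Step e, fix: stop the interface from acquiring addresses from DHCPv6 and from the RA.
# With RouterDiscovery disabled the default IPv6 route must be set statically too.
function Disable-IPv6Autoconfig {
    param([Parameter(Mandatory)][string]$InterfaceAlias)   # e.g. 'Ethernet' (sample)
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 `
        -Dhcp Disabled -RouterDiscovery Disabled
}

Get-AutoconfiguredIPv6 | Format-Table -AutoSize
Disable-IPv6Autoconfig -InterfaceAlias 'Ethernet'
```

Run Get-AutoconfiguredIPv6 again after a reboot: the list should then contain only link-local addresses on a server that is meant to be static.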
Windows server 2012 R2 – A port on the virtual switch has the same MAC as one of the underlying team members on Team Nic Microsoft Network Adapter Multiplexor Driver
If you have two or more NICs joined in a team using the Windows Server teaming solution, then use this team as the base for a virtual switch in Hyper-V and enable “Allow management operating system to share this network adapter”,
you will find warnings in the System event log:
A port on the virtual switch has the same MAC as one of the underlying team members on Team Nic Microsoft Network Adapter Multiplexor Driver
Check your NICs with the PowerShell cmdlet: get-netadapter | ft Name,MacAddress
You need to change the MAC address of your virtual switch management interface (vEthernet (xxx)) with the PowerShell cmdlet: set-netadapter -name "vEthernet (XXX)" -macaddress xx:xx:xx:xx:xx:xx
and the MAC addresses of your network cards (in my case 4 NICs); you can leave the team interface MAC address alone…
There will be no errors in Event log any more 🙂
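A check that surfaces the duplicate before the event log does, as an added example that is not code from the original post: it groups all adapters by MAC address and prints the ones that share one. Note that the team interface itself legitimately shares a member's MAC; the one to act on is the vEthernet management port. The sample MAC in the comment is a constructed locally administered address.

```powershell
# Added example, not code from the original post: list adapters that share a MAC
# address so the clash between the vEthernet management port and a team member is
# visible. The team interface (Multiplexor Driver) sharing a member's MAC is expected.
function Find-DuplicateMacAddress {
    Get-NetAdapter |
        Where-Object { $_.MacAddress } |
        Group-Object -Property MacAddress |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MacAddress = $_.Name
                Adapters   = ($_.Group.Name -join ', ')
                Drivers    = ($_.Group.InterfaceDescription -join ' | ')
            }
        }
}

$dupes = Find-DuplicateMacAddress
if ($dupes) {
    $dupes | Format-Table -AutoSize
    # Resolution used in the post: give the vEthernet management port its own MAC.
    # '02-11-22-33-44-55' is a constructed locally administered sample; pick an unused one.
    # Set-NetAdapter -Name 'vEthernet (XXX)' -MacAddress '02-11-22-33-44-55' -Confirm:$false
} else {
    'No duplicate MAC addresses found.'
}
```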
HP DL380 G8 – Windows server 2012 R2 NIC Teaming (HP Ethernet 1Gb 4-port 331FLR Adapter) – stops working after some time…
I have two HP DL380 G8 servers with Windows Server 2012 R2. I have formed NIC teams using the Windows built-in NIC teaming.
It works perfectly, but after a week or two the teams stop working – the only way to get the server online again is to disable and re-enable the physical network cards.
The server uses an HP Ethernet 1Gb 4-port 331FLR Adapter – I have upgraded the firmware to the latest version (available on 1.2.2015) and also updated the drivers – but the problem persists.
As a current workaround I have written a PowerShell script that checks connectivity and cycles the network adapters:
# Log file and the physical team members to cycle when connectivity is lost
$logFile  = "C:\watchdog\result.txt"
$adapters = "Ethernet", "Ethernet 2", "Ethernet 3", "Ethernet 4"

if (Test-Connection 8.8.8.8 -Count 1 -Quiet -ErrorAction SilentlyContinue)
{
    # Add-Content appends its own line break, so no extra "`n" is needed
    Add-Content -Path $logFile -Value "UP"
}
else
{
    # Disable and re-enable every physical NIC in the team to bring it back
    foreach ($adapter in $adapters)
    {
        Disable-NetAdapter -Name $adapter -Confirm:$false
        Enable-NetAdapter -Name $adapter
    }
    $datenow    = Get-Date
    $dateresult = "$datenow Repaired"
    Add-Content -Path $logFile -Value $dateresult
}
Save it as script.ps1
and create a Task Scheduler task with these parameters:
Security options:
Run whether user is logged on or not
Run with highest privileges
Trigger:
Daily
Repeat every 5 minutes for 1 day
Action:
Start a program: powershell
Add arguments: -ExecutionPolicy bypass -file "C:\watchdog\net.ps1"
Your txt file should have entries like these – UP if the network is working, and Repaired with date and time if the team failed and was repaired by the script:
UP
UP
UP
02/01/2015 12:25:49 Repaired
UP
UP
Windows server 2012 R2 Hyper-V Extended replica
In Windows Server 2012 R2 we can find a new DR functionality – extended Hyper-V replica. Hyper-V replica was introduced in Windows Server 2012, but some parameters were not as flexible as they are in the 2012 R2 preview. There was also only the possibility to make a Hyper-V replica to one location – so a virtual machine running on one host was replicated only to one additional Hyper-V host. Now you are able to do so-called extended replication. It means that you can replicate from location 1 to location 2 and from location 2 to location 3. So it is not possible to send replicas directly from the first Hyper-V host to two others, but from the first to the second and from the second to the third.
To see how it works you can check this video: http://screencast.com/t/8ZdQwdh3CM
Shared nothing live migration from Windows server 2012 to Windows server 2012 R2
While we are waiting for Windows Server 2012 R2, I played with a feature that will come in very useful when upgrading Hyper-V hosts to the new version (R2). Microsoft did a great job with the possibility to live migrate (using the shared nothing live migration feature that was already available in Windows Server 2012) from old Windows Server 2012 Hyper-V hosts to new Windows Server 2012 R2 Hyper-V hosts. So you will have zero downtime while upgrading your virtualization platform. This goes one way only – so only from the older version (Windows Server 2012) to Windows Server 2012 R2 and NOT vice versa.
Here is a video of how it works – at the end I also demonstrate that it does not work in the opposite direction.
http://screencast.com/t/yz0ggCbFki
Update: It will fail if the virtual switch has a different name – if you have a new name for the virtual switch on the new server, I suggest that you create a “fictive” private virtual switch with the same name on the original (old) Hyper-V host. You are not able to choose the virtual switch on the destination.
“Demystifying” – Windows server 2012 Hyper-V 3.0 network virtualization – part III – (two hosts / two subnets)
In this part III I would like to show you how network virtualization works between two Hyper-V hosts in different subnets (in my example connected HV01 – Router (IPsec VPN) – WAN – WAN – Router (IPsec VPN) – HV02).
You can see how to do it by clicking the link to the video tutorial:
http://www.screencast.com/t/pRDC7Z4UKrg – Hyper-V 3.0 – Network virtualization Part 4
* at 1:48 – I had already copy-pasted that before – you should do it on both hosts
* at 2:04 – there is a mistake, as those parameters were already there, so I removed them and resumed the video recording
* at 2:43 – I did not paste the second part on HV02 (I had already done that in the previous demo)
* at 3:59 – you will not see GRE traffic until you add the Ethernet card to the monitoring
In my environment I have two Hyper-V hosts called HV01 (10.17.217.177 with gw 10.17.217.1 (the router that makes the IPsec VPN)) and HV02 (10.17.218.177 with gw 10.17.218.1 (the router that makes the IPsec VPN)).
So the Hyper-V hosts only “see” each other over the VPN (two different subnets).
I have used the following PowerShell cmdlets:
First we need to enable the ms_netwnv component on the !PHYSICAL! NIC – not on the virtual switch NIC!
Run it on HV01 and HV02:
Enable-NetAdapterBinding "Ethernet" -ComponentID ms_netwnv
Now we create the lookup records and the customer route (we use the IP addresses of our virtual machines, their MAC addresses and the IP address of the Hyper-V host). This is explained in my previous post.
Run it on HV01 and HV02:
New-NetVirtualizationLookupRecord -CustomerAddress "10.10.10.11" -ProviderAddress "10.17.217.177" -VirtualSubnetID "5001" -MACAddress "AAAAAAAAAA01" -Rule "TranslationMethodEncap"
New-NetVirtualizationLookupRecord -CustomerAddress "10.10.10.12" -ProviderAddress "10.17.218.177" -VirtualSubnetID "5001" -MACAddress "AAAAAAAAAA02" -Rule "TranslationMethodEncap"
New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000000000}" -VirtualSubnetID "5001" -DestinationPrefix "10.10.10.0/24" -NextHop "0.0.0.0" -Metric 255
Now, only on HV01, configure the provider address and provider route (this is how the hosts get connectivity to each other…):
New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress "10.17.217.177" -PrefixLength 24
New-NetVirtualizationProviderRoute -InterfaceIndex 12 -DestinationPrefix "0.0.0.0/0" -NextHop "10.17.217.1"
The same thing on HV02:
New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress "10.17.218.177" -PrefixLength 24
New-NetVirtualizationProviderRoute -InterfaceIndex 12 -DestinationPrefix "0.0.0.0/0" -NextHop "10.17.218.1"
At the end we need to add the VirtualSubnetID parameter to our VMs sitting on HV01 and on HV02.
HV01 (where the Blue01 VM sits):
Get-VMNetworkAdapter -VMName Blue01 | where {$_.MacAddress -eq "AAAAAAAAAA01"} | Set-VMNetworkAdapter -VirtualSubnetID 5001
HV02 (where the Blue02 VM sits):
Get-VMNetworkAdapter -VMName Blue02 | where {$_.MacAddress -eq "AAAAAAAAAA02"} | Set-VMNetworkAdapter -VirtualSubnetID 5001