Prerequisites

  • You need the Hyper-V role installed on the server if you want to convert VHDX -> VHD; Azure only supports VHD
  • You need a storage account in Azure: $storageaccount
  • You need a container in that storage account: $containername
  • Azure resource group: $resourceGroup
  • The VHD or VHDX should be stored at $localPath, e.g. C:\Temp\VHD.VHD; this should be the C drive of the computer, including the System Reserved partition

  1. Connect to Azure

Connect-AzAccount

  2. Select the Azure subscription

# The original used the legacy Select-AzureSubscription cmdlet, which does not set the Az module context
# that Add-AzVhd uses; Set-AzContext is the Az equivalent
Set-AzContext -SubscriptionName $AzureSubscriptionName

  3. Upload the VHD

# Blob name to create in the container; the original did not define $vhdName, so derive it from the local file name
$vhdName = Split-Path -Path $localPath -Leaf
# Double quotes are required so the variables are expanded; single quotes would try to upload to a literal "$storageaccount" host
$urlOfUploadedImageVhd = "https://$storageaccount.blob.core.windows.net/$containername/$vhdName"
Add-AzVhd -ResourceGroupName $resourceGroup -Destination $urlOfUploadedImageVhd -LocalFilePath $localPath

This will try and convert the VHDX file to VHD

To be compatible with Azure, Add-AzVhd will automatically try to convert VHDX files to VHD, and resize VHD files to N * Mib using Hyper-V Platform, a Windows naitive virtualization product.
For more information visit https://aka.ms/usingAdd-AzVhd

MD5 hash is being calculated for the file \\XXXX\f$\TEMP\XXXX.VHD.
MD5 hash calculation is completed.
Elapsed time for the operation: 00:16:32
Creating new page blob of size 68719477248…
Detecting the empty data blocks in the local file.
Detecting the empty data blocks completed.
Elapsed time for upload: 00:32:37

LocalFilePath             DestinationUri
-------------             --------------
\\vbr01\f$\TEMP\XXXX.VHD  https://$storageaccount.blob.core.windows.net/$containername/XXXX.VHD

You will have the new Blob URL for the VHD, now you need to make a managed disk from it – https://aidanfinn.com/?p=20441

Once you have a managed disk you can then create a VM from that Managed Disk
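Before spending the half hour on Add-AzVhd it is worth checking locally that the file is what Azure expects: a fixed-size VHD whose virtual size is a whole number of MiB (the page blob above is exactly 64 GiB plus the 512-byte VHD footer). The following Python checker is an added example, not part of the original post or of the Az module; it parses the trailing VHD footer and builds a constructed sample footer to run against.

```python
import struct
# VHD footer (512 bytes, big-endian): cookie, features, format version, data offset, timestamp,
# creator app, creator version, creator OS, original size, current size, geometry, disk type,
# checksum, unique id, saved state, 427 reserved bytes.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427x"
CHECKSUM_OFFSET, FIXED_DISK, MIB = 64, 2, 1 << 20

def vhd_checksum(footer):
    """One's complement of the byte sum, with the checksum field itself counted as zero."""
    total = sum(footer) - sum(footer[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4])
    return (~total) & 0xFFFFFFFF

def check_azure_vhd_footer(footer):
    """Return the reasons this footer is not an Azure-ready fixed VHD (empty list = OK)."""
    if len(footer) != 512:
        return ["footer must be exactly 512 bytes"]
    f = struct.unpack(FOOTER_FMT, footer)
    cookie, current_size, disk_type, checksum = f[0], f[9], f[11], f[12]
    problems = []
    if cookie != b"conectix":
        problems.append("missing 'conectix' cookie: not a VHD footer")
    if checksum != vhd_checksum(footer):
        problems.append("footer checksum mismatch")
    if disk_type != FIXED_DISK:
        problems.append("disk type %d is not fixed (2); convert before uploading" % disk_type)
    if current_size % MIB:
        problems.append("virtual size %d is not a whole number of MiB" % current_size)
    return problems

def azure_page_blob_size(footer):
    """Size Add-AzVhd reports for the page blob: virtual size plus the 512-byte footer."""
    return struct.unpack(FOOTER_FMT, footer)[9] + 512

def read_footer(path):
    """Read the trailing 512-byte footer from a .vhd file on disk."""
    with open(path, "rb") as fh:
        fh.seek(-512, 2)
        return fh.read(512)

def build_fixed_footer(size_bytes):
    """CONSTRUCTED sample footer for a fixed VHD of the given virtual size (not from a real disk)."""
    fields = [b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"test", 0x00010000,
              b"Wi2k", size_bytes, size_bytes, 0, FIXED_DISK, 0, bytes(16), 0]
    raw = bytearray(struct.pack(FOOTER_FMT, *fields))
    struct.pack_into(">I", raw, CHECKSUM_OFFSET, vhd_checksum(raw))
    return bytes(raw)

if __name__ == "__main__":
    sample = build_fixed_footer(64 << 30)  # a 64 GiB disk, like the upload shown above
    print(check_azure_vhd_footer(sample) or "OK", azure_page_blob_size(sample))
```

For a real file, pass `read_footer(r"C:\Temp\VHD.VHD")` to `check_azure_vhd_footer`; a VHDX has no trailing VHD footer and fails the cookie check.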


1. Set up the user in Access Control (local or AD)

2. Make sure "Auth with Cert" is ticked

3. Set up a Virtual Folder and set it to home

4. Get the end user to create a new public and private key pair (RSA):

https://www.ssh.com/academy/ssh/putty/windows/puttygen

5. Get the end user to share the public key with you (they keep the private key)

6. Copy their public key to C:\Program Files\VanDyke Software\VShell\PublicKey\%username%, named Identity.pub

The top line should be:

---- BEGIN SSH2 PUBLIC KEY ----

7. The user should then authenticate to the server with the .ppk file using an SFTP client like FileZilla
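The Identity.pub that VShell reads is the SSH2 public key file format PuTTYgen writes with "Save public key" (RFC 4716), not the single-line OpenSSH format many clients display, which is why the first line matters. The Python below is an added example, not VShell's or the original post's code: it writes and parses that format and decodes the ssh-rsa blob so you can confirm key type and size before dropping the file into the PublicKey folder; the key material is constructed, not a real key.

```python
import base64
import struct
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH 'mpint': minimal big-endian bytes, with a leading zero when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_ssh_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def to_rfc4716(blob, comment):
    """Write a key blob in the SSH2 public key file format (RFC 4716), 70-char base64 lines."""
    b64 = base64.b64encode(blob).decode()
    lines = [BEGIN, 'Comment: "%s"' % comment] + [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(lines + [END]) + "\n"

def parse_rfc4716(text):
    """Return (headers, key blob); rejects anything not in SSH2 public key format."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file (expected %r as the first line)" % BEGIN)
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line:  # header line such as Comment:; base64 never contains ':'
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        else:
            body.append(line)
    return headers, base64.b64decode("".join(body), validate=True)

def rsa_key_info(blob):
    """Decode an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n) and report the key size."""
    key_type, off = read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("expected an ssh-rsa key, got %r" % key_type)
    e_raw, off = read_ssh_string(blob, off)
    n_raw, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the key blob")
    return {"e": int.from_bytes(e_raw, "big"), "bits": int.from_bytes(n_raw, "big").bit_length()}

def constructed_sample_blob():
    """CONSTRUCTED test data: a 2048-bit odd number stands in for the modulus; not a real key."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0x10001)

if __name__ == "__main__":
    pub = to_rfc4716(constructed_sample_blob(), "constructed test key")
    print(rsa_key_info(parse_rfc4716(pub)[1]))
```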


Recently I was trying to set up access to an SSH server over the internet for a third party.

The third party could see the SSH headers in telnet, however opening PuTTY did not bring up the login screen.

Sounds a lot like the IPS not allowing SSH through, however I had to prove it!

Finding an open SSH server they could use was tough, but I found example.dreamhosters.com

  1. HPE Insight Management Agent needs upgrading; latest here: Software Details – HPE Insight Management Agents for Microsoft Windows Server x64 Editions | HPE Support. It does not support 2019, so you have to extract and install the MSI manually
  2. Breaks AD Connect
  3. Breaks NPS Azure RADIUS (needs a repair run on the installer)
  4. Document the firewall status before the upgrade (what's enabled on which profile)
  5. TS upgrades (works with 2019 as well) -> Upgrading your Remote Desktop Services deployments to Windows Server 2016 | Microsoft Docs
  6. Your SMTP virtual server configuration will be wiped out during an in-place upgrade.
  7. When upgrading a file server with DFS, I had to manually start the DFS service
  8. Need to fix the WDS service
  9. WSUS setup needs to be rerun after the upgrade (settings are kept)
  10. Rerun the Veeam Agent config if you have it installed
  11. If stuck on "91%", just wait!

Recently I had a plugin that installed by default to the user's profile location. This is how to manually change it to a directory so it can be used by all users on a computer, such as a terminal server.

1. Run the installer as Administrator
2. Accept all the default prompts EXCEPT for the install location.
3. Update the highlighted portion to "C:\Program Files\"


Add the CalibreFT add-in for a user on the RDS server
1. Launch Excel
2. File > Options > Add-Ins
3. Change the drop-down to COM Add-Ins > Go
4. Click Add…
5. Navigate to "C:\Program Files\CalibreFT\CalibreFT CRMS Office Add-in 2021.9.1"
6. Select using the following rules:
   a. If Office is 64-bit: "adxloader64.CalibreFT.CRMS_OfficeAddin.dll"
   b. If Office is 32-bit: "adxloader.CalibreFT.CRMS_OfficeAddin.dll"
7. The Add-In list should now show the new entry
8. Click OK
9. Go back to File > Options > Add-Ins
10. Make sure the drop-down is set to Excel Add-ins and click Go
11. Click Browse…
12. Navigate to "C:\Program Files\CalibreFT\CalibreFT CRMS Office Add-in 2021.9.1"
13. Change the filter to "All Files"
14. Select using the same rules as step 6:
   a. If Office is 64-bit: "adxloader64.CalibreFT.CRMS_OfficeAddin.dll"
   b. If Office is 32-bit: "adxloader.CalibreFT.CRMS_OfficeAddin.dll"
15. You should now see the entry listed
16. Restart Excel
17. CalibreFT should be in the ribbon


  1. Activate the subnets in Azure if you use split tunnelling in your VPN portal settings (to make sure there's a local route)
  2. Make sure your VPN client subnet is in the Phase 2 selectors on the IPsec tunnel if you route specific subnets (instead of 0.0.0.0)
  3. Enable the IPv4 policies SSL.root -> Azure IPsec VPN (no NAT)
  4. Enable the SSL.root subnet in Azure per below (10.212.134.0/24)



Recently I migrated from SafeWord to the Azure RADIUS NPS Extension for Citrix NetScaler.

Web authentication worked fine, however whenever you tried to activate the .cr file for Receiver the error below showed:

Error: "Cannot retrieve discovery document" when the Provisioning File is Run

I needed to change the authentication setting on StoreFront and NetScaler Gateway from "Domain and Security Token" to just "Domain".

Get-ADSyncConnector
Get-ADSyncConnector : Retrieving the COM class factory for remote component with CLSID
{835BEE60-8731-4159-8BFF-941301D76D05} from machine XXXXX failed due to the following error: 80040154 XXXXX
At line:1 char:1
+ Get-ADSyncConnector
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (Microsoft.Ident…ConnectorCmdlet:GetADSyncConnectorCmdlet) [Get-ADSyncConne
ctor], SynchronizationConfigurationValidationException
+ FullyQualifiedErrorId : Retrieving the COM class factory for remote component with CLSID {835BEE60-8731-4159-8BF
F-941301D76D05} from machine IDP-ADDC02 failed due to the following error: 80040154 IDP-ADDC02.,Microsoft.Identity
Management.PowerShell.Cmdlet.GetADSyncConnectorCmdlet

The registry keys for ADSync get removed during the upgrade; you need to restore them and restart the server (save the text below as a .reg file and import it).

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{835BEE60-8731-4159-8BFF-941301D76D05}]
"AppID"="{835BEE60-8731-4159-8BFF-941301D76D05}"
@="Microsoft Azure AD Sync"

[HKEY_CLASSES_ROOT\CLSID\{835BEE60-8731-4159-8BFF-941301D76D05}\InprocHandler32]
@="ole32.dll"

[HKEY_CLASSES_ROOT\CLSID\{835BEE60-8731-4159-8BFF-941301D76D05}\ProgID]
@="Microsoft.Metadirectory.Server.1"

[HKEY_CLASSES_ROOT\CLSID\{835BEE60-8731-4159-8BFF-941301D76D05}\VersionIndependentProgID]
@="Microsoft.Metadirectory.Server"

[HKEY_CLASSES_ROOT\AppID\{835BEE60-8731-4159-8BFF-941301D76D05}]
"LocalService"="ADSync"
@="Microsoft Azure AD Sync"
"LaunchPermission"=hex:01,00,04,80,e8,00,00,00,04,01,00,00,00,00,00,00,14,00,\
  00,00,02,00,d4,00,06,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,\
  15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,a8,44,00,00,00,00,24,00,0b,\
  00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,\
  45,00,a9,44,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
  00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,aa,44,00,00,00,00,24,00,1f,00,00,00,\
  01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,f8,\
  48,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,\
  2d,49,15,53,3f,2a,03,63,45,00,ab,44,00,00,01,05,00,00,00,00,00,05,15,00,00,\
  00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,f4,01,00,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00
"AccessPermission"=hex:01,00,04,80,fc,00,00,00,18,01,00,00,00,00,00,00,14,00,\
  00,00,02,00,e8,00,07,00,00,00,00,00,18,00,07,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,24,00,03,00,00,00,01,05,00,00,00,00,00,05,\
  15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,a8,44,00,00,00,00,24,00,03,\
  00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,\
  45,00,a9,44,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,00,00,24,00,07,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,\
  15,53,3f,2a,03,63,45,00,f8,48,00,00,00,00,24,00,03,00,00,00,01,05,00,00,00,\
  00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,aa,44,00,00,00,00,\
  24,00,03,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,\
  2a,03,63,45,00,ab,44,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,\
  15,53,3f,2a,03,63,45,00,f4,01,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00
"AuthenticationLevel"=dword:00000006
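The LaunchPermission and AccessPermission values in that .reg file are binary self-relative security descriptors, and the S-1-5-21-… SIDs inside them belong to the original server's domain or machine, so importing the file verbatim elsewhere grants DCOM launch rights to principals that will not resolve there. The Python decoder below is an added example, not part of the original post or of Azure AD Connect; it parses the LaunchPermission value exactly as quoted above so you can see who is granted what before importing, and fix the DCOM permissions afterwards if needed.

```python
import struct
# LaunchPermission value as it appears in the .reg text above: a self-relative
# SECURITY_DESCRIPTOR whose DACL carries the original author's SIDs, not yours.
LAUNCH_PERMISSION_REG = r"""
01,00,04,80,e8,00,00,00,04,01,00,00,00,00,00,00,14,00,\
00,00,02,00,d4,00,06,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,\
15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,a8,44,00,00,00,00,24,00,0b,\
00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,\
45,00,a9,44,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,aa,44,00,00,00,00,24,00,1f,00,00,00,\
01,05,00,00,00,00,00,05,15,00,00,00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,f8,\
48,00,00,00,00,24,00,0b,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,37,2f,\
2d,49,15,53,3f,2a,03,63,45,00,ab,44,00,00,01,05,00,00,00,00,00,05,15,00,00,\
00,37,2f,2d,49,15,53,3f,2a,03,63,45,00,f4,01,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"""
# Access-mask bits used by DCOM Launch and Activation permissions
COM_RIGHTS = {0x1: "EXECUTE", 0x2: "LOCAL_LAUNCH", 0x4: "REMOTE_LAUNCH",
              0x8: "LOCAL_ACTIVATION", 0x10: "REMOTE_ACTIVATION"}

def reg_hex_to_bytes(text):
    """Decode .reg hex: syntax (comma-separated bytes; a trailing '\\' continues the line)."""
    return bytes(int(b, 16) for b in "".join(text.split()).replace("\\", "").split(","))

def parse_sid(buf, off):
    count, authority = buf[off + 1], int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (buf[off], authority, "-".join(map(str, subs)))

def parse_acl(buf, off):
    ace_count = struct.unpack_from("<H", buf, off + 4)[0]
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": {0: "ALLOW", 1: "DENY"}.get(ace_type, ace_type),
                     "sid": parse_sid(buf, pos + 8), "mask": mask,
                     "rights": [n for bit, n in COM_RIGHTS.items() if mask & bit]})
        pos += size
    return aces

def parse_security_descriptor(buf):
    rev, _sbz, control, own, grp, _sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:
        raise ValueError("not a self-relative security descriptor")
    return {"owner": parse_sid(buf, own), "group": parse_sid(buf, grp),
            "dacl": parse_acl(buf, dacl) if control & 0x4 else []}

if __name__ == "__main__":
    sd = parse_security_descriptor(reg_hex_to_bytes(LAUNCH_PERMISSION_REG))
    for ace in sd["dacl"]:
        print(ace["type"], ace["sid"], "|".join(ace["rights"]))
```

Only BUILTIN\Administrators (S-1-5-32-544) is granted unconditionally; the five S-1-5-21-… entries are principals from the author's own domain or machine and need replacing with the equivalent accounts on your server.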

An app trying to send emails out to an SMTP server over TLS was receiving the following Java error:

javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: java.net.SocketException: Connection reset

The issue was due to a FortiGate firewall block; make sure the destination is allowed and the policy is in the correct order (above the main outbound rule).


The preference is to install patches prior to our automated patching. If this isn’t possible, remove the above servers from the current automated patching schedule, and re-add the next day.

The Update Process

OS        Bad KB           Fixed KB
2022      KB5009555        KB5010796
2019      KB5009557        KB5010791
2016      KB5009546        KB5010790
2012 R2   KB5009624 (CU)   KB5010794
2012      KB5009586 (CU)   KB5010797
2008 R2   KB5009610 (CU)   KB5010798
2008      KB5009627 (CU)   KB5010799


Do not use the Windows Update GUI. This will install the bad patch and force a reboot, likely leaving you with a boot loop. If you forget and get stuck in a boot loop, there is a recovery process below. The other reason not to use the Windows Update UI is that the fixed KBs are only downloaded if you have 'download updates for other Microsoft products' ticked.

I highly recommend downloading these prior to the outage window as they're circa 1.5GB and will take up to 3 hours to install.

  1. If the server you are patching is 2016 or newer, skip the dodgy KB and jump straight to downloading and installing the fixed KB. These patches are cumulative and will save you a patching cycle.
  2. If the server you are patching is 2012 R2 or below, download both the dodgy KB and the fixed KB. Install the dodgy KB and then the fixed KB. Do not reboot when the dodgy KB prompts to; ignore it and install the second update.
  3. Confirm in the Windows Update history that the server reports the fixed patch installed.
  4. Perform a normal scan/install for updates to capture anything outside of this patch, such as PowerShell updates etc.

So I used the GUI to install the update or rebooted between patches and the server is in a boot loop – what now?

  1. Try to log in straight after the server reboots and stop the Netlogon service. This will sometimes prevent the LSASS service from crashing and give you time to install the fixed KB.
  2. Boot a Windows ISO, load the recovery command prompt under Advanced options and enter the following commands:

diskpart
list volume
exit

dism /image:D:\ /Remove-Package /PackageName:XXXXXXX

Use the Ltr column from "list volume" to find the drive letter of the Windows volume (D: above), and in place of XXXXXXX use the package name of the bad KB from the table above (dism /image:D:\ /Get-Packages lists the installed package names if you need to find it).

  3. If the above fails or you are uncomfortable running the dism commands, call the TSO

Lastly, if N-able has been on the server at some point it'll have disabled the Windows Update GUI. Check that patch management isn't enabled in N-able; if it isn't, use the PowerShell script below to clean up the relevant registry keys. If there is a GPO in place and we rip something out we shouldn't, it will reapply in <15 minutes.

# Keep going if a value is already missing (Remove-ItemProperty errors on absent names)
$ErrorActionPreference = 'Continue'
$wuPolicy = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

# Drop the WSUS/RMM server pointers so the client talks to Microsoft Update again
Remove-ItemProperty $wuPolicy -Force -Name WUServer
Remove-ItemProperty $wuPolicy -Force -Name TargetGroup
Remove-ItemProperty $wuPolicy -Force -Name WUStatusServer
Remove-ItemProperty $wuPolicy -Force -Name TargetGroupEnable

# Stop using the (now removed) WSUS server and re-enable automatic updates and the GUI
Set-ItemProperty "$wuPolicy\AU" -Value 0 -Force -Name UseWUServer
Set-ItemProperty "$wuPolicy\AU" -Value 0 -Force -Name NoAutoUpdate
Set-ItemProperty $wuPolicy -Value 0 -Force -Name DisableWindowsUpdateAccess

# Restart the Windows Update service so the new policy values are picked up
Restart-Service -Name wuauserv
