Monthly Archive

Categories

Windows Server 2016

Heterogeneous environments

When we talk about heterogeneous environments the assumption is that we mean a mixture of Windows and Linux machines. Windows and Linux can be viewed as providing the end points of a spectrum of management issues. In reality there is another spectrum – that spectrum exists between Windows machines.

Thinking ONLY of server administration you could easily have Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2 and Windows 2016 servers in your environment. And that’s only the supported operating systems. From experience I’d expect that many organisations still have Windows 2003 servers and I suspect there are still some Windows 2000 servers in quite a few organisations. I wouldn’t be shocked to find a few Windows NT machines still in use!

The five supported Windows Server OSs are bad enough. Windows 2016 is moving to twice yearly updates starting this autumn (that’s fall for non-English readers). Windows 2008 & 2008 R2 go out of mainstream support in  2020 so giving the option for 5 versions of 2016 to be released before it vanishes. The Server 2012 family is supported until October  2023!

The point is that you need to think how you’re going to support a potentially large number of operating system editions going forward. I seriously doubt that anyone will be updating their whole server estate on a twice yearly basis.

Multiple small releases enable updates to particular areas of Windows being released quickly. So one  release may update Hyper-V while another updates containers or storage.

Working out which Windows builds – and you will have to start thinking at the build level – will support particular versions of Exchange, SQL Server, SharePoint or any of the other Microsoft products. Expect other vendors of software that runs on top of windows server to panic when you ask them about supporting particular builds – they’re usually so slow at supporting new versions that the next is in beta. That behaviour is going to cause issues.

You could avoid some of this by saying you’ll skip builds – 1, 2, 3 or X years worth – but what happens when a new feature fixes a problem you’ve got now!

Heterogeneity is going to become more widespread. On the plus side it may kill the option of whole sale upgrades and massive server migration projects. You’ll just be permanently upgrading!

At the moment its not too big an issue but I expect over time that  you’ll need to think about build number

PS> Get-CimInstance -ClassName win32_operatingsystem | select -ExpandProperty BuildNumber
15063

as much as version

PS> Get-CimInstance -ClassName win32_operatingsystem | select -ExpandProperty Version
10.0.15063

And that’s before we get to Linux.

If you’re writing scripts that do different things based on Windows version think about dropping down to build number as well. You can always use a –gt <build number> approach.

You’re going to be living in interesting times.

Nano server changes

Nano server is the small, really small, footprint install version of Windows Server that was introduced with Server 2016.

It has a limited number of roles available to to install – much like the original version of  Server core.

Recent announcements - https://blogs.technet.microsoft.com/hybridcloud/2017/06/15/delivering-continuous-innovation-with-windows-server/

https://docs.microsoft.com/en-us/windows-server/get-started/nano-in-semi-annual-channel

indicates that Nano server is going to become even smaller (by more than 50%) and dedicated to delivering Containers. The infrastructure related roles will be removed. Nano Server will ONLY be available as a container base OS image

In addition, starting this Autumn, Nano server and  Server Core  will getting 2 feature updates per year.

PowerShell Direct failure

PowerShell Direct is introduced with Server 2016/Windows 10. it enables you to create a remoting session from the Hyper-V host to a VM using the VM name or ID. I recent discovered a PowerShell Direct failure that I couldn’t explain until now.

Normally you do this:

PS> New-PSSession -VMName w16cn01 -Credential (Get-Credential w16cn01\administrator)

Id Name    ComputerName  ComputerType  State  ConfigurationName  Availability
-- ----     ------------  ------------    -----  -----------------  ------------
1 Session1       W16CN01  VirtualMachine  Opened                       Available

But on one particular machine I was getting this

PS> New-PSSession -VMName w16as01 -Credential (Get-Credential w16as01\administrator)
New-PSSession : [W16AS01] An error has occurred which Windows PowerShell cannot handle. A remote session might have ended.
At line:1 char:1
+ New-PSSession -VMName w16as01 -Credential (Get-Credential w16as01\adm ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gDataStructureException
+ FullyQualifiedErrorId : PSSessionOpenFailed

I couldn’t find an explanation for this particular PowerShell Direct failure

I’ve been working with PowerShell v6 and OpenSSH the last few days and I noticed that the PowerShell directory had been removed from the system path by the installation of one of these pieces of software.

W16AS01 had been the first machine I experimented with PowerShell v6/OpenSSH and it was the first to experience this PowerShell direct failure.

I checked W16AS01 and sure enough the PowerShell folder was missing from the system path. Adding the Powershell folder back onto the path (and restarting the machine for luck) then retrying PowerShell Direct gives:

PS> New-PSSession -VMName W16AS01 -Credential (Get-Credential W16AS01\Administrator)

Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
-- ----            ------------    ------------    -----         -----------------     ------------
1 Session1        W16AS01         VirtualMachine  Opened                                 Available

Looks like I’ve found a solution for this particular PowerShell direct failure

Updating built in modules

Windows 10 and Server 2016 automatically install a module called Pester which is used for testing code. Its the foundation of Test Driven Development or Behaviour Driven Development using PowerShell.

The version  installed by default is 3.4.0.

Pester is originally an open source module that has been incorporated into Windows. The latest version from the PowerShell Gallery is 4.0.2

Normally you’d use Update-Module to install the new version BUT you didn’t install pester from the gallery using Install-Module so you’ll get a big fat error message.

The answer is to use

Install-Module pester –Force

You might still get an error message about the Pester module not being catalog signed. if you do and still want the latest version then use

Install-Module pester -Force -SkipPublisherCheck

Applying updates through WSUS

I like to keep the virtual machines in my test lab up to date so have a WSUS server to download and manage updates. The difficulty is applying the updates. With Windows 2012 R2 I used a module that would contact the WSUS server and apply the updates – the was especially useful on server core installations.

I found with Windows 2016 that this COM based module wasn’t reliable so after a bit of investigation discovered that there are some CIM classes that you can use to discover and apply available updates and see what updates have been applied.

 

All I need is a simple set of code so wrote a bare bones module that offers three functions:

#Scan for available updates
function Get-AvailableUpdate {
[CmdletBinding()]
param()
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=0";OnlineScan=$true}
$result.Updates
}

#Install all available updates
function Install-AvailableUpdate {
[CmdletBinding()]
param()
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
Invoke-CimMethod -InputObject $ci -MethodName ApplyApplicableUpdates
}

#list installed updates
function Get-InstalledUpdate {
[CmdletBinding()]
param()
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=1";OnlineScan=$true}
$result.Updates
}

 

Testing so far seems to be good. As this is just for me I’m bothering with adding error testing or other production ready stuff. This works and I’ll fix problems as they occur

New PowerShell console on Server Core

Server Core is great for reducing the footprint of your VMs – Nano server is smaller but it can’t be a domain controller

 

One draw back to server core is that you only get a single console. If you hang that for any reason you have to either try and open another one (Hyper-V console greys out CTRL-DEL-ALT) or open a few when you logon to the machine.

 

You still get a cmd.exe console instead of PowerShell – that should be changed. Its 10 years since PowerShell came along! So run Powershell to open  Powershell in the default console.

 

"Start-Process -FilePath powershell.exe -Verb RunAS" > new-powershell.ps1

Will create a simple script to open a new elevated Powershell console .

 

Run it as many times as you want. Perform your work in the new Powershell console and if it hangs – just shut it down. Keep the default console for just opening new PowerShell consoles and then you’ll always be able to keep working.

Creating a new AD forest

As I’ve completely rebuilt my demo/lab machine I need to re-create the Active Directory

This is now so simple even on a server core machine

 

First install the roles and features needed

Add-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server, DHCP, RSAT-DHCP

 

This adds AD, DNS, DHCP and the appropriate admin tools – as its server core we’re really talking about the relevant PowerShell modules

Installing AD just gets you ready – it doesn’t create the forest

 

You get the ADDSDeployment module

PS C:\Scripts> Get-Command -Module ADDSDeployment

Name
----
Add-ADDSReadOnlyDomainControllerAccount
Install-ADDSDomain   
Install-ADDSDomainController 
Install-ADDSForest
Test-ADDSDomainControllerInstallation
Test-ADDSDomainControllerUninstallation
Test-ADDSDomainInstallation 
Test-ADDSForestInstallation 
Test-ADDSReadOnlyDomainControllerAccountCreation
Uninstall-ADDSDomainController

 

To create the forest and the first domain controller

PS C:\Scripts> Install-ADDSForest -DomainName 'Manticore.org' -ForestMode Default -DomainMode Default -InstallDns
SafeModeAdministratorPassword: ********

 

You’ll be asked to confirm the safe mode password

 

Default for forest and domain mode matches the Windows version

 

PS C:\Users\Administrator> Get-ADForest

ApplicationPartitions : {}
CrossForestReferences : {}
DomainNamingMaster    : W16DC01.Manticore.org
Domains               : {Manticore.org}
ForestMode            : Windows2016Forest
GlobalCatalogs        : {W16DC01.Manticore.org}
Name                  : Manticore.org
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=Manticore,DC=org
RootDomain            : Manticore.org
SchemaMaster          : W16DC01.Manticore.org
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}

 

PS C:\Users\Administrator> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=Manticore,DC=org
DeletedObjectsContainer            : CN=Deleted Objects,DC=Manticore,DC=org
DistinguishedName                  : DC=Manticore,DC=org
DNSRoot                            : Manticore.org
DomainControllersContainer         : OU=Domain Controllers,DC=Manticore,DC=org
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-759617655-3516038109-1479587680
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=Manticore,DC=org
Forest                             : Manticore.org
InfrastructureMaster               : W16DC01.Manticore.org
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Manticore,DC=o
                                     rg}
LostAndFoundContainer              : CN=LostAndFound,DC=Manticore,DC=org
ManagedBy                          :
Name                               : Manticore
NetBIOSName                        : MANTICORE
ObjectClass                        : domainDNS
ObjectGUID                         : 05d9aa61-d422-4728-9595-77754934b948
ParentDomain                       :
PDCEmulator                        : W16DC01.Manticore.org
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=Manticore,DC=org
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {W16DC01.Manticore.org}
RIDMaster                          : W16DC01.Manticore.org
SubordinateReferences              : {CN=Configuration,DC=Manticore,DC=org}
SystemsContainer                   : CN=System,DC=Manticore,DC=org
UsersContainer                     : CN=Users,DC=Manticore,DC=org

Don’t reinvent the wheel

Way back when I used to take Microsoft certification exams there were often questions of the form “Perform task X with the minimum of administrative effort” Most, if nor all, of the possible answers would be correct but the correct answer was the one that achieved the goal with the minimum amount of work.

 

Many, if not most, administrators don’t seem to follow that model.

 

This was brought home to me when I saw a forum discussion about collecting event log information from a bunch of remote servers on a regular basis.

 

You could set up a scheduled task/job that runs a script against the remote servers – collects the  log information and populates an Excel spreadsheet

OR

You could enable event log forwarding and just interrogate the combined logs as needed.

 

The second option is the easier to MAINTAIN and will cost you less effort in the long run.

 

When you start to solve a problem – stop and search for a bit to see if there is a solution already available in Windows server. Bet you’ll be surprised by what you find

Windows Server 2016 launches

The launch of Windows Server 2016 has been announced at Ignite - https://blogs.technet.microsoft.com/hybridcloud/2016/09/26/announcing-the-launch-of-windows-server-2016/

 

Evaluations can be downloaded from the link in the above post.

 

Soon be time to re-build the test lab

Does Microsoft hate wireless?

Not having a lot of success with Windows new builds and wireless adapters this year.

 

First off Windows 2016 TP5 didn’t work with wireless – needed to install a patch to get it working. It still drops the connection when machine is powered down but while a pain is easy to remedy.

 

Windows 10 preview build 14195 appeared yesterday. Installed it and my wireless adapter stopped working. Looks to be a similar issue to Windows 2016 – oops.  In this case just rolled back to the previous build

 

What’s really funny about the Windows 10 issue is that I’m using a Surface Pro 2 built by – wait for it – Microsoft. So a Microsoft OS kills Microsoft hardware. I’ve seen this in the past with OS/2 and IBM kit but thought we were past those sort of errors