Monday, March 23, 2015

PowerShell - check if exists

Taken from various forums... can't remember where from.

# Poll every 10 seconds until the UNC path becomes reachable
do {
    $testpath = Test-Path -Path \\dns2\d$\test
    Start-Sleep -Seconds 10
} until ($testpath -eq $true)

# Poll every second until the mailbox has been provisioned. Get-MailboxPermission
# returns nothing until then; cast the result to [bool] instead of piping it through
# Format-Wide (fw), whose output is formatting objects rather than the IsValid value.
do {
    Start-Sleep -Seconds 1
    $mailboxExists = [bool](Get-MailboxPermission -Identity "CN=$displayName,$DN" -User "NT AUTHORITY\SELF" -ErrorAction SilentlyContinue)
    Write-Host "." -NoNewline
} while (-not $mailboxExists)


Import-Module ActiveDirectory
# Import the CSV (expected columns: GroupName, GroupType, GroupLocation)
$csv = Import-Csv -Path "C:\Temp\bulk_input.csv"

# Get the domain base DN
$searchbase = (Get-ADDomain).DistinguishedName

# Loop through all items in the CSV
ForEach ($item In $csv)
{
  # Check that the target OU exists (GroupLocation is relative to the domain DN, e.g. "OU=Groups")
  $check = [ADSI]::Exists("LDAP://$($item.GroupLocation),$searchbase")

  If ($check -eq $True)
  {
    Try
    {
      # Check whether the group already exists; -ErrorAction Stop turns a missing group
      # into a terminating error so the Catch block below is actually reached
      $exists = Get-ADGroup -Identity $item.GroupName -ErrorAction Stop
      Write-Host "Group $($item.GroupName) already exists! Group creation skipped!"
    }
    Catch
    {
      # Create the group if it doesn't exist
      $create = New-ADGroup -Name $item.GroupName -GroupScope $item.GroupType -Path "$($item.GroupLocation),$searchbase"
      Write-Host "Group $($item.GroupName) created!"
    }
  }
  Else
  {
    Write-Host "Target OU $($item.GroupLocation) can't be found! Group creation skipped!"
  }
}
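The loops above never give up: if the share never appears or the mailbox never gets provisioned, the script hangs forever, and the group script relies on Get-ADGroup throwing. The following is an added example (not code from the forums the snippets came from) that wraps the same "wait until it exists" idea in a helper with a timeout and checks AD group existence by exact identity, treating "not found" differently from "the DC is unreachable". The share path, OU and group name are placeholders.

```powershell
# Added example: polling with a timeout plus an AD group existence check.
# Assumptions: the ActiveDirectory module is installed; \\dns2\d$\test,
# OU=Groups and SecAdmins are placeholder names.

function Wait-Until {
    # Evaluates $Condition every $IntervalSeconds until it returns $true or
    # $TimeoutSeconds elapse. Returns $true on success, $false on timeout,
    # so a caller never blocks forever the way an unbounded do/until does.
    param(
        [Parameter(Mandatory)][scriptblock]$Condition,
        [int]$IntervalSeconds = 10,
        [int]$TimeoutSeconds  = 600
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if (& $Condition) { return $true }
        Write-Host "." -NoNewline
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Test-ADGroupExists {
    # -Identity is an exact lookup, so a name taken from a CSV is never spliced
    # into an LDAP filter string. Only "object not found" maps to $false; any
    # other failure (LDAP down, access denied) is re-thrown so it is not
    # mistaken for "the group does not exist yet".
    param([Parameter(Mandatory)][string]$Name)
    try {
        $null = Get-ADGroup -Identity $Name -ErrorAction Stop
        return $true
    }
    catch {
        if ($_.CategoryInfo.Category -eq 'ObjectNotFound') { return $false }
        throw
    }
}

Import-Module ActiveDirectory

# Wait up to 5 minutes for the share to appear (placeholder path)
if (-not (Wait-Until -Condition { Test-Path -Path '\\dns2\d$\test' } -IntervalSeconds 10 -TimeoutSeconds 300)) {
    Write-Warning 'Timed out waiting for \\dns2\d$\test'
}

# Create the group only if it does not exist yet (placeholder OU and group name)
$ou = "OU=Groups,$((Get-ADDomain).DistinguishedName)"
if (-not (Test-ADGroupExists -Name 'SecAdmins')) {
    New-ADGroup -Name 'SecAdmins' -GroupScope Global -Path $ou
}

# The same helper can wait for the group to replicate to the local DC before it is used
$null = Wait-Until -Condition { Test-ADGroupExists -Name 'SecAdmins' } -IntervalSeconds 5 -TimeoutSeconds 120
```

The ObjectNotFound check is deliberate: catching every exception as "does not exist" would make a script create duplicates, or skip groups, whenever the DC is briefly unreachable.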

Friday, March 6, 2015

How to install SmokePing - the only way it works :)

What is SmokePing? It is a powerful network latency monitoring tool that works mainly with ICMP pings, but it also has built-in probes for TCP and UDP port connection tests. You can check your statistics on web-based graphs.

How to install it? There are blogs that discuss the process, but I strongly recommend not following them word for word, because they suffer from serious errors that keep you from succeeding. Happily you are here, at the perfect place for the perfect tutorial!

What is a master and slave configuration?
The master is your central SmokePing server. It periodically checks the hosts you configured it to monitor. Nothing surprising, hm? Let's look at the slave(s) then. They fetch their configuration from the master, run their own probes (typically BACK to the master, or to any other configured host) and POST their results BACK to the master, which stores their data and displays the results together with its own monitoring data.

OK, let's install my master Debian/Ubuntu node first. I'm going to create two logical units inside my monitoring tree. I'll call the first "External hosts" and the second (guess what) "Internal hosts".

MASTER node
------
apt-get update
apt-get install smokeping
Check that /etc/default/smokeping has only ONE active line: "MODE=master"
cd /etc/smokeping/
touch slave-secrets
Here you define the individual passwords of your SLAVE servers. In my case I will have two slave servers (which also do active checking) in my "External hosts" group, see later.
cat /etc/smokeping/slave-secrets
mywebserver:topsecr3t
myftpserver:topsecr3t
echo "topsecr3t" > slavesecrets.conf
chmod 660 slave-secrets
chmod 600 slavesecrets.conf
chown smokeping:www-data slave-secrets slavesecrets.conf
cd config.d/
cat Alerts
*** Alerts ***
to = me.admin@mydomain.com
from = smokeping@mydomain.com

[...the others keep their defaults...]
cat Database
*** Database ***

step     = 200
pings    = 100

[...the others keep their defaults...]
These two variables are changed because I want to check my hosts every 200 seconds with 100 ping packets.
cat General
*** General ***

owner    = Me.Da.Admin
contact  = me.admin@mydomain.com
mailhost = localhost
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
cgiurl   = http://localhost/cgi-bin/smokeping.cgi
[...the others keep their defaults...]
cat Probes
*** Probes ***

+ FPing

binary = /usr/bin/fping
packetsize = 500
pings = 100
step = 200
timeout = 1.5
[...the others keep their defaults...]
Several other parameters can be used, see later.
cat Slaves
*** Slaves ***
secrets=/etc/smokeping/slave-secrets

+mywebserver
display_name=My Great webserver
color=ff0000

+myftpserver
display_name=My Super FTP server
color=00b7e2

I've defined my slave servers here, NOT the hosts I want to check. Don't be confused: these are two completely different categories!
cat Targets
*** Targets ***
probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to my little SmokePing website.

+ External
menu = External hosts
title = Ext

++ mywebserver
menu = My Superb Webserver
host = 10.243.43.6

++ myftpserver
menu = My gorgeous ftpserver
host = 172.16.29.253

++ mysmokeping
menu = this.server
host = 195.95.95.95
slaves = mywebserver myftpserver

+Internal
menu = Internal hosts
title = Gateways

++ MyGateway
menu = My Little Cisco Switch
host = 172.16.21.254

I've set the most important things here: my monitored hosts. The probe type is plain fping. There are two groups: External and Internal. Their friendly names will be shown in the web menu as "External hosts" and "Internal hosts". External has three hosts in it: two external servers and the monitoring server itself. mywebserver and myftpserver HAVE to be exactly the same strings the slaves identify themselves with (what they answer to the "hostname" shell command). The ++mysmokeping section MUST HAVE the "slaves = mywebserver myftpserver" line. If it is missing, the slaves will reply with the unpleasant message
"ERROR: we did not get config from the master. Maybe we are not configured as a slave for any of the targets on the master ?"
/etc/init.d/smokeping restart
If that doesn't give you any useful answer :) you may find this command profitable: journalctl -xn

Wait some minutes and point your browser to http://195.95.95.95/smokeping/smokeping.cgi

And here is the crucial point for slaves: set your file rights as follows:
/var/lib/smokeping# ls -sal
[...]
4 drwxrwx---  2 smokeping www-data  4096 Mar  6 13:05 External
cd smokeping/
chown smokeping:www-data *
chmod 755 *
This is a MUST to let the slaves POST their data to the Apache running on your SmokePing master: the CGI runs as www-data and has to be able to write the RRD files of the slave-probed targets.

SLAVE nodes
-----
apt-get install smokeping
cat /etc/default/smokeping
MODE=slave
MASTER_URL=http://195.95.95.95/cgi-bin/smokeping.cgi
SHARED_SECRET=/etc/smokeping/slavesecrets.conf

Note that this is a considerably insecure configuration: the slave data travels over plain HTTP and the CGI is reachable by anyone who can reach the web server. Use VPN connections, firewalls or some other kind of HTTP authentication (in .htaccess, for example). The above 3 lines you have to have, no more, no less.
The secret has to be exactly the string you put next to this slave's name in the master's /etc/smokeping/slave-secrets (topsecr3t above), otherwise the master rejects the slave's posts:
echo "topsecr3t" > /etc/smokeping/slavesecrets.conf
ls -sal /etc/smokeping/slavesecrets.conf
Set file rights as:
-r--r-----  1 smokeping root   13 Mar  6 07:41 slavesecrets.conf

All the other files are unnecessary here. You can safely delete the whole config.d/ directory, for example. Nice, huh?
/etc/init.d/smokeping restart
Wait a few minutes and watch your slave-driven data flow in under the "External" section on your master's web page.
In case anything goes wrong (or nothing happens at all), check the Apache error log on the master (apache2 on Debian/Ubuntu):
cat /var/log/apache2/error.log

Check the online manual for further reference.

Tuesday, March 3, 2015

Incremental backup of the VHDX files of Hyper-V virtual machines hosted on Cluster Shared Volumes to a network share

It's 2015, so why would anyone still use Windows Server 2008 R2? Windows Server Backup (WSB) in Windows Server 2012 includes decent (but limited, see below) support for CSV backup. Some notes and warnings:
  •     Virtual machines hosted on CSVs cannot be added as part of the normal system backup configuration
  •     Windows Server Backup has to be configured on all nodes to ensure that backup and recovery will be available in the event of a failure on one of the nodes in the cluster.
  •     Volume recovery is not supported (but can be worked around)
  •     Security access control lists are not applicable on the CSV file service root. Therefore, file recovery to the root of a CSV volume is not supported.
Say you have two Hyper-V hosts, one SAN hosting your VMs' files via Cluster Shared Volumes, and four VMs, two on each host. You have already set up OS-level backup jobs (e.g. Windows Backup) inside your host OSs and VM OSs, and they have been backing up your data to the SAN onto dedicated backup LUNs on physically separate, fault-tolerant arrays. Looks sufficient, doesn't it?
Actually, it isn't that good. What if your SAN blows up? You lose all your VMs and all your VMs' backups at the same time. You also need a fool-proof off-site backup, and it must be easy to handle. Luckily, there is a simple solution that doesn't need third-party tools like HVbackup (which is, by the way, a good one).
Let's say that your first Hyper-V host is called HOST1 and the VMs it runs are named VM1 and VM2.
So you have a file system on HOST1 like this:

as C:\ClusterStorage\Volume4\VM1\ ....

To back up your first virtual guest (together with its entire CSV, to be on the safe side) to a share on your external backup server, just execute:

wbadmin start backup -include:C:\ClusterStorage\volume4\ -backuptarget:\\backupserver\vmbackup\vm1

It takes some time:

You can easily restore single files from your VM's virtual disk if you find it in the backup:
just mount the backup image in Disk Management (Attach VHD), assign a drive letter to it, open the new disk in File Explorer and find the real virtual disk of the VM (its .vhdx) inside it. Then repeat the process by attaching that real virtual disk in Disk Management as well.

In case you need to restore your whole VM (whole meaning: disaster recovery including all its Hyper-V settings),
first find your backup versions (if you are lucky enough to have more than a single one):

wbadmin get versions -backuptarget:\\backupserver\vmbackup\vm1

Restoring: (be careful)

wbadmin start recovery -version:02/11/2015-08:25 -backuptarget:\\backupserver\vmbackup\vm1 -itemtype:file -items:C:\ClusterStorage\Volume4\ -recursive -recoverytarget:Z:\recover -machine:HOST1

What did I mean when I said backup versions? Have you ever been frustrated that Windows Backup can't maintain multiple versions on a network share? So have I. I've tried to cheat WSB with a local directory symbolic link (mklink /D) pointing to the network share.
mklink /D M:\MyNetwork \\mybackupserver\vmbackup
and
wbadmin start backup -include:C:\ClusterStorage\volume4\ -backuptarget:\\localhost\d$\MyNetwork\vm1 -quiet
Tadaamm! So far so good.

Unfortunately,
wbadmin get versions -backupTarget:M:\MyNetwork
matter-of-factly answers that it can't be fooled in such a simple way.

wbadmin 1.0 - Backup command-line tool
(C) Copyright 2013 Microsoft Corporation. All rights reserved.
The backup cannot be completed because the backup storage destination is a shared folder mapped to a drive letter. Use the Universal Naming Convention (UNC) path (\\servername\sharename\) of the backup storage destination instead. 
In short, sadly it won't do versioning; it just keeps one full version as usual. Bad luck. Folks say I should use iSCSI-based network drives, because that's the only way to get WSB versioning. I don't want to bother with this because I already have lots of iSCSI drives from the SAN, and I would be a bit afraid of messing these drives up from different sources.
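Since WSB keeps exactly one version per share folder, the cheap way to get retention on a plain SMB share is to give every run its own folder. The following is an added example, not part of the original post, of a scheduled-task script that does that with the same wbadmin command as above and prunes the oldest folders; \\backupserver\vmbackup\vm1, C:\ClusterStorage\Volume4\ and the four-version retention are placeholders.

```powershell
# Added example: dated subfolders on the share give WSB versioning it does not
# provide on its own. Assumptions: the share and CSV path are placeholders and
# the account running the task can create and delete folders on the share.
param(
    [string]$Source    = 'C:\ClusterStorage\Volume4\',
    [string]$ShareRoot = '\\backupserver\vmbackup\vm1',
    [int]   $KeepCount = 4
)

# One subfolder per run; WSB overwrites whatever already sits in a share folder,
# so the folder name is what provides the versioning.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $ShareRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# -quiet suppresses the confirmation prompt so this can run unattended
& wbadmin.exe start backup "-include:$Source" "-backuptarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    # Leave the older versions alone when the new one failed
    Remove-Item -Path $target -Recurse -Force -ErrorAction SilentlyContinue
    throw "wbadmin failed with exit code $LASTEXITCODE; nothing pruned"
}

# Prune: keep the newest $KeepCount dated folders, delete the rest. Only folders
# matching the stamp pattern are touched, so anything else on the share is safe.
Get-ChildItem -Path $ShareRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepCount |
    ForEach-Object {
        Write-Host "Removing old backup $($_.FullName)"
        Remove-Item -Path $_.FullName -Recurse -Force
    }

# What is left: each folder is one complete, independently restorable version
Get-ChildItem -Path $ShareRoot -Directory | Select-Object Name, LastWriteTime
```

The price is space: every folder is a full copy, since the incremental tracking WSB does on a fixed target cannot span folders. To restore from an older version, point -backuptarget at that dated folder exactly as in the wbadmin get versions / start recovery commands above.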

Meanwhile, here are some useful facts from TechNet topics to consider about WSB:
You can also set the -vssFull parameter in backup jobs, but there's not much use in doing so. According to the manual: "If specified, performs a full backup using the Volume Shadow Copy Service (VSS). Each file's history is updated to reflect that it was backed up. If this parameter is not used, wbadmin start backup makes a copy backup, but the history of files being backed up is not updated." In short: "vssfull is only meaningful if there is another 3rd party backup application being simultaneously used on the same machine along with server backup application and you have an application like Exchange running on the machine which has VSS writers. If that is not the case, it can be ignored and the defaults will work fine."
And: "All backups after the first backup automatically take incremental storage space on the backup location since changes are tracked using volume shadow copy on the backup location. This incremental storage space is proportional to the changes from the last backup."

Friday, January 9, 2015

How to flush / empty / purge / resize your System Volume Information folder

vssadmin list shadowstorage
[....]
Shadow Copy Storage association                                                         
For volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\                    
Shadow Copy Storage volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\    
Used Shadow Copy Storage space: 249 GB (41%)                                         
Allocated Shadow Copy Storage space: 251 GB (41%)                                    
Maximum Shadow Copy Storage space: UNBOUNDED (2863325530%)
[...]
                        
vssadmin resize shadowstorage /on=F: /For=F: /Maxsize=40GB 
Successfully resized the shadow copy storage association  
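An UNBOUNDED maximum like the one above is how a volume silently fills up with shadow copies. The following is an added example, not from the original post, that parses the output of vssadmin list shadowstorage into objects so the unbounded or oversized associations can be reported across servers; the sample text is constructed from the listing above, and the 50 GB threshold is an arbitrary placeholder.

```powershell
# Added example: parse "vssadmin list shadowstorage" output into objects.
# Assumes the English vssadmin output format shown above (with "." as the
# decimal separator) and that vssadmin is run from an elevated prompt.

function ConvertTo-GB {
    param([double]$Value, [string]$Unit)
    switch ($Unit.ToUpper()) {
        'TB'    { return $Value * 1024 }
        'GB'    { return $Value }
        'MB'    { return [math]::Round($Value / 1024, 3) }
        'KB'    { return [math]::Round($Value / 1048576, 6) }
        default { return $Value }
    }
}

function ConvertFrom-VssShadowStorage {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = @()
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line.Trim()) {
            '^Shadow Copy Storage association' {
                if ($current) { $result += [pscustomobject]$current }
                $current = [ordered]@{ ForVolume = $null; OnVolume = $null; UsedGB = $null
                                       AllocatedGB = $null; MaxGB = $null; Unbounded = $false }
            }
            '^For volume: \((\w:)\)'                                   { $current.ForVolume   = $Matches[1] }
            '^Shadow Copy Storage volume: \((\w:)\)'                   { $current.OnVolume    = $Matches[1] }
            '^Used Shadow Copy Storage space: ([\d.]+) (\w+)'          { $current.UsedGB      = ConvertTo-GB $Matches[1] $Matches[2] }
            '^Allocated Shadow Copy Storage space: ([\d.]+) (\w+)'     { $current.AllocatedGB = ConvertTo-GB $Matches[1] $Matches[2] }
            '^Maximum Shadow Copy Storage space: UNBOUNDED'            { $current.Unbounded   = $true }
            '^Maximum Shadow Copy Storage space: ([\d.]+) (\w+)'       { $current.MaxGB       = ConvertTo-GB $Matches[1] $Matches[2] }
        }
    }
    if ($current) { $result += [pscustomobject]$current }
    return $result
}

# Constructed sample, taken from the listing above
$sample = @'
Shadow Copy Storage association
   For volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\
   Shadow Copy Storage volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\
   Used Shadow Copy Storage space: 249 GB (41%)
   Allocated Shadow Copy Storage space: 251 GB (41%)
   Maximum Shadow Copy Storage space: UNBOUNDED (2863325530%)
'@ -split "`r?`n"

# Flag associations that are unbounded or allowed to exceed the placeholder 50 GB limit
ConvertFrom-VssShadowStorage -Lines $sample |
    Where-Object { $_.Unbounded -or $_.MaxGB -gt 50 } |
    Format-Table -AutoSize

# Live use on the local machine (elevated):
# ConvertFrom-VssShadowStorage -Lines (vssadmin list shadowstorage)
```

Run against the sample, the F: association comes back with Unbounded = True, which is exactly the case the vssadmin resize command above fixes.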

If you want to delete the shadow storage and run into the infamous error message:

C:\Users\administrator> vssadmin delete shadowstorage /on=F: /For=F:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Error: The specified shadow copy storage association is in use.

then use your superpower, diskshadow (delete the individual shadow copies first, then the storage association will no longer be in use):
cmd> vssadmin list shadows
cmd> diskshadow
diskshadow>list shadows all

diskshadow>delete shadows oldest F:
diskshadow>delete shadows volume F:
diskshadow>delete shadows all
diskshadow>list shadows all
diskshadow>exit

How to remote control your domain Windows 7 computers via remote PowerShell and remote registry from a Windows 2012 domain controller

From briantist.com

If you are lucky enough to have no machines in your environment below Windows 7 / 2008 R2 (where do you work?!) then this is the only one you need. All of the settings we are using will be in Computer Configuration so if you want to disable User Configuration as I have go ahead.
  1. Create your GPO, name it what you want, place it where you want, etc.
  2. Edit your policy.

Enabling WinRM

  1. Browse to:
    Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
    1. Open the “Allow Remote Server management through WinRM” policy setting (Server 2008 R2 and later).
    2. Open the “Allow automatic configuration of listeners” policy setting (Server 2008 and earlier).
  2. Set the Policy to Enabled.
  3. Set the IPv4 and IPv6 filters to * unless you need something specific there (check out the help on the right).

Setting the Firewall Rules

You can use the new Windows Firewall with Advanced Security policy to configure the rule instead, but this will only work on Vista and above. Additionally, you should configure this from a Windows 7 / 2008 R2 machine because of a difference in the pre-defined rule.

  1. Browse to:
    Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules
  2. Right click and choose “New Rule…”
  3. Choose the “Windows Remote Management” pre-defined rule.
  4. When you click next you should see the two rules that will be added.
  5. Click next, choose to Allow the connection, and then Finish.

Service Configuration

At this point we have enough in place to get this working, but I like to do a few more things to ensure that the WinRM service is configured to start automatically and to restart on failure.
  1. Browse to:
    Policies > Windows Settings > Security Settings > System Services
  2. Find the “Windows Remote Management (WS-Management)” service.
  3. Define the policy and give it a startup mode of Automatic.
  4. Browse to:
    Preferences > Control Panel Settings > Services
  5. Create a new Service preference item with the following parameters:
    1. General Tab
      1. Startup: No Change (the policy we set above will take precedence over this anyway)
      2. Service name: WinRM
      3. Service action (optional): Start service
    2. Recovery Tab
      1. First, Second, and Subsequent Failures: Restart the Service
The whole article is here.

Set the PowerShell execution policy

Go to Computer Configuration / Policies / Administrative Templates: Policy definitions (ADMX files) / Windows Components / Windows PowerShell. Set "Turn on Script Execution" to "Allow all scripts". This policy setting exists under both "Computer Configuration" and "User Configuration" in the Group Policy editor; "Computer Configuration" has precedence over "User Configuration". If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed"! Note that "Allow all scripts" corresponds to the Unrestricted policy; if you only need to run your own signed or locally written scripts, "Allow local scripts and remote signed scripts" (RemoteSigned) is the tighter choice. Either way, the execution policy is a safety net against accidentally running scripts, not a security boundary.


Remote registry access enable

1. On a domain controller, Start > Administrative Tools > Group Policy Management > either edit an existing policy or create a new one (remember it's a computer policy: you need to link it to something with computers in it; if you link it to a users OU nothing will happen).
2. Navigate to, Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
3. In the right hand pane locate "Remote Registry".
4. Define the policy, and set the startup type to automatic.
Article is from petenetlive.
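Once the GPO has applied on the clients (gpupdate /force, or just wait), it pays to verify from the DC that all three pieces (the WinRM listener and firewall rule, the execution policy and the Remote Registry service) actually ended up the way the policies intended. The following is an added example, not from the articles quoted above; the OU distinguished name is a placeholder, and it has to run under an account that is a local administrator on the workstations.

```powershell
# Added example: verify the three GPO settings on every Windows 7 workstation.
# Assumptions: ActiveDirectory module on the DC, placeholder OU path, and an
# account that is local admin on the clients (needed for Invoke-Command and WMI).

Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter { OperatingSystem -like 'Windows 7*' } `
                            -SearchBase 'OU=Workstations,DC=example,DC=com' |
             Select-Object -ExpandProperty Name

foreach ($c in $computers) {
    $row = [ordered]@{ Computer = $c; WinRM = $false; ExecPolicy = $null; RemoteRegistry = $null }

    # Test-WSMan talks to the WinRM listener on TCP 5985, the port the
    # "Windows Remote Management" firewall rule opens; it needs no credentials
    try {
        $null = Test-WSMan -ComputerName $c -ErrorAction Stop
        $row.WinRM = $true
    } catch { }

    if ($row.WinRM) {
        # MachinePolicy is the scope the Computer Configuration GPO writes to;
        # LocalMachine would show whatever someone set with Set-ExecutionPolicy
        $row.ExecPolicy = Invoke-Command -ComputerName $c -ScriptBlock {
            Get-ExecutionPolicy -Scope MachinePolicy
        }
    }

    # Remote Registry is checked over classic RPC/WMI, independent of WinRM, so a
    # broken WinRM does not hide the service state. Win32_Service exposes
    # StartMode on PowerShell 3/4 where ServiceController lacks StartType.
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c `
                             -Filter "Name='RemoteRegistry'" -ErrorAction Stop
        $row.RemoteRegistry = "$($svc.State)/$($svc.StartMode)"
    } catch {
        $row.RemoteRegistry = 'unreachable'
    }

    [pscustomobject]$row
}
```

A healthy row reads WinRM = True, ExecPolicy = Unrestricted (or RemoteSigned if you chose that), RemoteRegistry = Running/Auto. A machine that shows WinRM = False but a reachable Remote Registry usually means the firewall rule was not applied, not the listener policy.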

Monday, December 22, 2014

Windows 2012 DHCP failover relationship has been split - check your time servers

This is the icon you definitely don't want to see on your DHCP console:

First, check your network connectivity with the partner server. If it went down previously, the partner relationship should be restored automatically when it comes back.
Second, you likely have a time difference issue: DHCP failover requires the partners' clocks to be within one minute of each other. Standardize your time setup on ALL your physical Windows servers (NOT just on your PDC emulator. No doubt. Trust me.) (and, therefore, time gets fixed on the domain clients too) with the following commands (note that /syncfromflags:manual takes the server out of the domain time hierarchy and pins it to the listed NTP peers):

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,time-b.nist.gov"
w32tm /config /reliable:yes
net start w32time


No need to run w32tm /resync after this; the time should be corrected immediately.
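Before (and after) reconfiguring w32time, it is worth measuring how far apart the partners actually are, since the one-minute limit is what decides whether the failover relationship comes back. The following is an added example, not part of the original post: it compares the UTC clock of each listed server against the local one over WinRM and flags anything outside the tolerance. The server names are placeholders and WinRM must be enabled on them.

```powershell
# Added example: measure clock skew between this server and its peers.
# Assumptions: placeholder server names; WinRM enabled on the remote servers;
# the caller has the rights to run Invoke-Command against them.

function Get-ClockSkew {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$ToleranceSeconds = 60   # DHCP failover's one-minute limit
    )
    foreach ($c in $ComputerName) {
        try {
            $before = [DateTime]::UtcNow
            $remote = Invoke-Command -ComputerName $c -ScriptBlock { [DateTime]::UtcNow } -ErrorAction Stop
            $after  = [DateTime]::UtcNow
            # Compare against the midpoint of the round trip so network latency
            # is not mistaken for clock drift
            $local  = $before.AddTicks([long](($after - $before).Ticks / 2))
            $skew   = ($remote - $local).TotalSeconds
            [pscustomobject]@{
                Computer        = $c
                SkewSeconds     = [math]::Round($skew, 3)
                WithinTolerance = ([math]::Abs($skew) -le $ToleranceSeconds)
                Error           = $null
            }
        } catch {
            [pscustomobject]@{
                Computer        = $c
                SkewSeconds     = $null
                WithinTolerance = $false
                Error           = $_.Exception.Message
            }
        }
    }
}

# Placeholder names: the two DHCP failover partners and a DC
Get-ClockSkew -ComputerName 'DHCP1', 'DHCP2', 'DC1' | Format-Table -AutoSize

# Then confirm which peers w32time is really using and whether it believes it is synchronized
w32tm /query /peers
w32tm /query /status
```

A positive SkewSeconds means the remote clock is ahead of this server. If w32tm /query /status reports a source of "Local CMOS Clock" on a server that should be following the NTP peers, the configuration above did not take, regardless of what the skew numbers say at that moment.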

Monday, December 8, 2014

Create a new virtual disk / disk group on a Dell PowerVault MD3220i

I've recently added two 1TB disks to a PowerVault MD3220i to be used as backup storage in a RAID 1 mirror. Without further ado, here are my steps.

No pools; my setup here requires a new disk group.

Let's begin. Since I have two new hot-added disks, the software is intelligent enough to recognize the situation.

Name the disk group and choose manual mode, just to be on the safe side.

RAID 1, choose the disks and don't forget to click Calculate Capacity. Then Finish.

YES we want to do it.

Capacity, name... and I map it to my host group right here and now.

We're done here. I don't want to create another virtual disk since I've used up all my available disk space.
Wait approximately an hour until the new 1TB virtual disk gets ready (see the green bar at the bottom?).