another GURU blog…

PowerShell interactive session with LAPS credentials

May 9, 2020June 25, 2020 matej Leave a comment

I have created a new PowerShell Module for LAPS, this time for interactive sessions with remote computers. The Connect-PS cmdlet gets local administrator password from Active Directory and creates an interactive session with a single remote computer.

You can download the module from GitHub here:

https://github.com/matejklemencic/LAPS

How to Install?

– Install LAPS PowerShell module AdmPwd.PS on your management computer.

– Copy the PSviaLAPS folder to C:\Program Files\WindowsPowerShell\Modules.

– Run PowerShell with a domain user account that has LAPS read password permissions.

Example 1

Connect-PS -ComputerName Server01

1	Connect-PS -ComputerName Server01

This command gets local administrator password from Active Directory and creates an interactive session with default username Administrator.

Example 2

Connect-PS -ComputerName Server01 -UserName Hulk

1	Connect-PS -ComputerName Server01 -UserName Hulk

This command gets local administrator password from Active Directory and creates an interactive session with username Hulk.

Create custom local administrator account when deploying LAPS

April 27, 2020June 25, 2020 matej Leave a comment

When deploying LAPS in your environment you might want to disable the build in local administrator account and create a custom one. You can do that with CUSTOMADMINNAME parameter, for example:

msiexec /q /i LAPS.x64.msi CUSTOMADMINNAME=Hercules

1	msiexec /q /i LAPS.x64.msi CUSTOMADMINNAME=Hercules

This will create a new local account named Hercules added as a member of the local Administrators group.

PowerShell – Create Remote Desktop session with LAPS credentials

June 10, 2019June 25, 2020 matej Leave a comment

If you are managing your servers and computers with LAPS you might want a simple solution to connect via RDP with your LAPS credentials, without checking the password in LAPS UI or PowerShell.

That is why I’ve created a simple PowerShell Module that you can install on your management machine.

You can download the module from GitHub here:

https://github.com/matejklemencic/LAPS

How to Install?

– Install LAPS PowerShell module AdmPwd.PS on your management computer.

– Copy the RDPviaLAPS folder to C:\Program Files\WindowsPowerShell\Modules.

– Run PowerShell with a domain user account that has LAPS read password permissions.

Example 1

Connect-RDP -ComputerName Server01

1	Connect-RDP -ComputerName Server01

This command gets local administrator password from Active Directory and creates a RDP connection with default username Administrator on port 3389.

Example 2

Connect-RDP -ComputerName Server01 -UserName Hulk -Port 43389

1	Connect-RDP -ComputerName Server01 -UserName Hulk -Port 43389

This command gets local administrator password from Active Directory and creates a RDP connection with username Hulk on port 43389.

DPM 2019: Where is 2012/R2 support?

April 7, 2019April 10, 2019 matej Leave a comment

Almost a month ago System Center 2019 with Datacenter Protection Manager 2019 was released. Many of us quickly realised that there is no support for Windows Server 2012/R2, Exchange 2013, SharePoint 2013, etc.

I’m shocked! Is that true?

Unfortunately, at the time of writing this post it is. If you check the updated document on What can DPM back up? you will see that older workloads are not listed.

Ok, but does that mean that it won’t work?

Not necessary, It’s a very high probability that everything will work as expected. That is why I have decided to test some scenarios:

Windows Server 2012 and 2012 R2 volumes and folders backup,
Windows Server 2012 bare-metal backup,
Windows Server 2012 R2 Virtual Machine (on 2016 Hyper-V Host),
Exchange Server 2013 (CU22) backup.

As expected all backup/restore process went well. I had no issues installing DPM agent on Windows Server 2012/R2 servers, but if you experience issues with the new DPM agent, try installing an older agent (for example DPM 2016).

So is it safe to use it anyway?

This is enterally up to you. If you are already deploying Windows Server 2019 then you will need to use DPM 2019, as DPM 2016 cannot backup Windows Server 2019. But if you also have some workloads running on Windows Server 2012/R2 you will need to decide if you want to take the “risk” and use DPM 2019. The other option is to simple use two different DPM Servers for now (2016 and 2019).

Do you think the support for Windows Server 2012/R2 will be added later?

Hope so! If I remember correctly the same “problem” was with DPM 2016 release, so I’m quite sure the support for older workloads will be added later (maybe next update rollup).

Update

We are going to add support for 2012 / 2012 R2 officially soon.
— Nagaraj Venkatesh (@NagarajSalagame) April 7, 2019

Protection support matrix for DPM 2019 updated! Windows Server 2012 / R2 is now officially supported. https://t.co/EHf0hAJ4bj #SysCtr #WinServ pic.twitter.com/imEQsCU9lZ
— Matej Klemenčič (@MatejKlemencic) April 10, 2019

Restore failed node Storage Spaces Direct (S2D)

January 27, 2019March 21, 2020 matej 2 Comments

I’ve tested two different options on how to restore a failed node in a 2-node S2D Cluster with one Storage Pool. Here are the necessary steps on how to restore a failed node with existing physical server (OS re-install) and new physical server (hardware failure).

Existing Physical Server (OS re-install)

Let’s assume that one of the nodes failed and you need to re-install your Operating System.

Remove the failed Node from the S2D Cluster.

Remove-ClusterNode <Name>

1	Remove-ClusterNode <Name>

Re-install the failed node and update it (You can use the same computer name and IP address).

Don’t modify or remove any disks from your Storage Pool.

Install roles and features needed for the Cluster.

Install-WindowsFeature -Name "Hyper-V", "Failover-Clustering", "Data-Center-Bridging", "RSAT-Clustering-PowerShell", "Hyper-V-PowerShell", "FS-FileServer"

1	Install-WindowsFeature -Name "Hyper-V", "Failover-Clustering", "Data-Center-Bridging", "RSAT-Clustering-PowerShell", "Hyper-V-PowerShell", "FS-FileServer"

Add the node back to the cluster (it’s recommend to run cluster validation before adding your node back to the cluster).

Add-ClusterNode <Name>

1	Add-ClusterNode <Name>

Once done, monitor status of your Disks in the Storage Pool. The missing disks should become healthy in a short time.

When disks are healthy check the status of your Virtual Disks with Get-VirtualDisk cmdlet and wait until the status is changed to Healthy.

Get-VirtualDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus

1	Get-VirtualDisk \| Select-Object FriendlyName, HealthStatus, OperationalStatus

You should now have a healthy S2D Cluster.

New Physical Server (hardware failure)

In this example let’s assume that you need to replace your physical server (with new disks for Storage Pool) due the hardware failure.

Change the Usage of the failed disks to Retired.

$disk = Get-StoragePool *S2D* | Get-PhysicalDisk | ? OperationalStatus -NE "OK"
Set-PhysicalDisk -InputObject $disk -Usage Retired

1 2	$disk = Get-StoragePool S2D \| Get-PhysicalDisk \| ? OperationalStatus -NE "OK" Set-PhysicalDisk -InputObject $disk -Usage Retired

Remove the failed Node from the Cluster.

Remove-ClusterNode <Name>

1	Remove-ClusterNode <Name>

Install roles and features on your new node.

Install-WindowsFeature -Name "Hyper-V", "Failover-Clustering", "Data-Center-Bridging", "RSAT-Clustering-PowerShell", "Hyper-V-PowerShell", "FS-FileServer"

1	Install-WindowsFeature -Name "Hyper-V", "Failover-Clustering", "Data-Center-Bridging", "RSAT-Clustering-PowerShell", "Hyper-V-PowerShell", "FS-FileServer"

Add the new node to the Cluster (it’s recommend to run cluster validation before adding your node back to the cluster).

Add-ClusterNode <Name>

1	Add-ClusterNode <Name>

Monitor the health of Virtual Disks and wait until status is Healthy.

Get-VirtualDisk | Select-Object FriendlyName, HealthStatus, OperationalStatus

1	Get-VirtualDisk \| Select-Object FriendlyName, HealthStatus, OperationalStatus

Remove failed disks (with status Retired) from the Cluster.

$Pool = Get-StoragePool *S2D*
$RetiredDisk = Get-StoragePool *S2D* | Get-PhysicalDisk | ? Usage -EQ "Retired"
Remove-PhysicalDisk -StoragePool $Pool -PhysicalDisks $RetiredDisk

$Pool = Get-StoragePool *S2D*

$RetiredDisk = Get-StoragePool *S2D* | Get-PhysicalDisk | ? Usage -EQ "Retired"

Remove-PhysicalDisk -StoragePool $Pool -PhysicalDisks $RetiredDisk

Conclusion

Keep in mind that this was tested on 2-node S2D Cluster with only one Storage Pool. If you are using multiple Storage Pools you will need to customize cmdlet’s to remove or add the disks to correct Storage Pool.

Create Address Book Policy for Office 365

January 4, 2019January 4, 2019 matej Leave a comment

If you would like to segment users in your Office 365 subscription or on your Exchange On-Premise you will need to use Address Book Policy.

This set of cmdlets will create everything you need to start using Address Book Policy in Office 365 or Exchange On-Premise. Keep in mind that prior running this cmdlets you should already set the value of CustomAttribute1 on each mailbox (PowerShell or via Exchange Admin Center).

If you are not familiar with Address Book Policy, I would recommend checking Microsoft TechNet first – this script is just a Cheat Sheet so you don’t need to create your own.

#Connect to Exchange Online
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

#Set CustomAttribute1 value (modify this value as needed)
$CustomAttribute1 = "contoso.com"

#Create new Address Lists
New-AddressList -Name $CustomAttribute1 -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq $CustomAttribute1)}
New-AddressList -Name "$CustomAttribute1 Rooms" -RecipientFilter {(Alias -ne $null) -and (CustomAttribute1 -eq $CustomAttribute1) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))}
#Create Global Address List
New-GlobalAddressList -Name "$CustomAttribute1 GAL" -RecipientFilter {(CustomAttribute1 -eq $CustomAttribute1)}
#Create Offline Address Book
New-OfflineAddressBook -Name "$CustomAttribute1 OAB" -AddressLists "$CustomAttribute1 GAL"
#Create Address Book Policy
New-AddressBookPolicy -Name "$CustomAttribute1 ABP" -AddressLists $CustomAttribute1 -OfflineAddressBook "\$CustomAttribute1 OAB"  -GlobalAddressList "\$CustomAttribute1 GAL" -RoomList "\$CustomAttribute1 Rooms"
#Assign Address Book Policy to Mailboxe's with CustomAttribute1 value equal to variable $CustomAttribute1
Get-Mailbox -resultsize unlimited | where {$_.CustomAttribute1 -eq "$CustomAttribute1"} | Set-Mailbox -AddressBookPolicy "$CustomAttribute1 ABP"
#List all Mailboxe's
Get-Mailbox -ResultSize unlimited | select name,addressbookpolicy,customattribute1

#Exit Exchange Online Session
Remove-PSSession $Session

#Connect to Exchange Online

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

#Set CustomAttribute1 value (modify this value as needed)

$CustomAttribute1 = "contoso.com"

#Create new Address Lists

New-AddressList -Name $CustomAttribute1 -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup")) -and (CustomAttribute1 -eq $CustomAttribute1)}

New-AddressList -Name "$CustomAttribute1 Rooms" -RecipientFilter {(Alias -ne $null) -and (CustomAttribute1 -eq $CustomAttribute1) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))}

#Create Global Address List

New-GlobalAddressList -Name "$CustomAttribute1 GAL" -RecipientFilter {(CustomAttribute1 -eq $CustomAttribute1)}

#Create Offline Address Book

New-OfflineAddressBook -Name "$CustomAttribute1 OAB" -AddressLists "$CustomAttribute1 GAL"

#Create Address Book Policy

New-AddressBookPolicy -Name "$CustomAttribute1 ABP" -AddressLists $CustomAttribute1 -OfflineAddressBook "\$CustomAttribute1 OAB" -GlobalAddressList "\$CustomAttribute1 GAL" -RoomList "\$CustomAttribute1 Rooms"

#Assign Address Book Policy to Mailboxe's with CustomAttribute1 value equal to variable $CustomAttribute1

Get-Mailbox -resultsize unlimited | where {$_.CustomAttribute1 -eq "$CustomAttribute1"} | Set-Mailbox -AddressBookPolicy "$CustomAttribute1 ABP"

#List all Mailboxe's

Get-Mailbox -ResultSize unlimited | select name,addressbookpolicy,customattribute1

#Exit Exchange Online Session

Remove-PSSession $Session

This example will create an Address Book Policy linked to a dedicated Address Lists, Global Address List and Offline Address Book. ABP will be assigned to all Mailboxe’s with CustomAttribute1 equal to variable $CustomAttribute1 (in this example contoso.com). Modify the $CustomAttribute1 variable as needed with any value (I personally use domain names). Rerun the cmdlet’s multiple times to create different Address Book Policies.

The cmdlets works also with Exchange On-Premise, just don’t use the #Connect to Exchange Online and #Exit Exchange Online Session section.

Assign custom Organization Unit to VM Template in VMM 2016

January 4, 2019January 4, 2019 matej Leave a comment

Domain joined Virtual Machines deployed via VM Templates in VMM 2016 are by default added to the Computers OU. You can set a custom OU for each VM Template with PowerShell. Here is an example:

$OU = "OU=Servers,DC=contoso,DC=local"
$VMTemplateName = "MyVMTemplateName"
Get-SCVMTemplateName -Name $VMTemplate | Set-SCVMTemplate -DomainJoinOrganizationalUnit $OU

$OU = "OU=Servers,DC=contoso,DC=local"

$VMTemplateName = "MyVMTemplateName"

Get-SCVMTemplateName -Name $VMTemplate | Set-SCVMTemplate -DomainJoinOrganizationalUnit $OU

Modify the $OU and $VMTemplate variable with your Organization Unit Path and VM Template Name.

Install VMM 2016 console on Workgroup/Non-Domain machine

December 11, 2018December 11, 2018 matej Leave a comment

If you trying to install a VMM console on a Workgroup/Non-Domain machine you will get a prerequisite error saying:

Fortunately there is a simple fix. Run Command Prompt as Administrator go to VMM installation media and run:

setup.exe /client /i /IACCEPTSCEULA

1	setup.exe /client /i /IACCEPTSCEULA

Done!

DPM 2016 – The storage involving the current operation could not be read from or written to. (ID 40003)

June 5, 2018July 19, 2018 matej 13 Comments

I had an issue with backing up some workloads with DPM 2016 with an error The storage involving the current operation could not be read from or written to. (ID 40003).

To fix the problem you need to remove the last recovery point of affected data source.

$PG = "ProtectionGroupName" #Protection Group name of affected data source.
$DS = "DataSourceName" #Data source name, for example Virtual Machine name or SQL Database name.
$DPM = "DPMServerName" #FQDN of your DPM Server.
 
$PGroup = Get-DPMProtectionGroup -DPMServerName $DPM | where {$_.Name -EQ $PG}; $PGroup
 
$PObject = Get-DPMDatasource -ProtectionGroup $PGroup | where {$_.Name -EQ $DS}; $PObject
 
$RPoint = Get-DPMRecoveryPoint -Datasource $PObject | select -Last 1; $RPoint
 
Remove-DPMRecoveryPoint -RecoveryPoint $RPoint

$PG = "ProtectionGroupName" #Protection Group name of affected data source.

$DS = "DataSourceName" #Data source name, for example Virtual Machine name or SQL Database name.

$DPM = "DPMServerName" #FQDN of your DPM Server.

$PGroup = Get-DPMProtectionGroup -DPMServerName $DPM | where {$_.Name -EQ $PG}; $PGroup

$PObject = Get-DPMDatasource -ProtectionGroup $PGroup | where {$_.Name -EQ $DS}; $PObject

$RPoint = Get-DPMRecoveryPoint -Datasource $PObject | select -Last 1; $RPoint

Remove-DPMRecoveryPoint -RecoveryPoint $RPoint

The first cmdlet will get the Protection Group specified in $PG variable. The second cmdlet will get the data source specified in $DS variable. The third cmdlet will get the last recovery point of the selected data source stored in $PObject, and the last cmdlet will remove the recovery point. You can run third cmdlet (Get-DPMRecoveryPoint) multiple times to see if the recovery point was removed from DPM Server.
After recovery point is removed, run the consistency check again.

Update

The issue may reappear after some time. Another solution is to move your backups to a new disk storage.

Windows Admin Center – New virtual machine failed

March 3, 2018July 18, 2018 matej Leave a comment

If you are getting a similar error while creating a Highly Available Virtual Machine with Windows Admin Center you are probably missing the Failover Cluster Module for Windows PowerShell on your Hyper-V Host.

Couldn’t create virtual machine ‘test2’. Error: RemoteException: The term ‘Add-ClusterVirtualMachineRole’ is not recognized as the name of a cmdlet, function, script file, or operable program.

Simply install the Failover Cluster Module for Windows PowerShell on all your Cluster Nodes and you should be able to create new Virtual Machines.

Install-WindowsFeature RSAT-Clustering-PowerShell

1	Install-WindowsFeature RSAT-Clustering-PowerShell