Month: January 2014

Update adds BPA rules for DirectAccess in Windows Server 2012

There is a update that adds new Best Practices Analyzer (BPA) rules. The rules are for DirectAccess on the servers that are running Windows Server 2012.
The following rules are added:

  • Checks whether the Domain Name System (DNS) address that is used for internal network resources is correct. If the internal interface of the DirectAccess server has only an IPv4 address, the DNS server that is configured in the Name Resolution Policy Table (NRPT) must be the DNS64 address.
  • Gives a warning if the option that enables DirectAccess for Windows 7 clients is not selected. 
  • Returns an error if the DirectAccess server is also a domain controller.
  • Returns an error if both force tunneling and Kerberos authorization are configured on the DirectAccess server.
  • Returns an error if the AcceptInterface parameter for DNS64 does not use the same IP address as the one that is used for DNS64.
  • If DirectAccess is configured by using the Remote Access Management user interface, checks whether DirectAccess policies are configured on the server.
  • Gives a warning if any certificate that can be used on the DirectAccess server has subject alternative names (SANs) but no subject name.
  • Provides information if the order of the Internal network interface is below the Internet network interface in Adapters and Bindings.
  • Gives a warning if the private key of the IP-HTTPS certificate does not exist on the server when the certificate is used.
  • Gives a warning if the DirectAccess client security group includes desktop computers.
  • Sends an HTTP request to test whether the certificate revocation list (CRL) field in the IP-HTTPS certificate that is configured on the DirectAccess server is valid. If the request fails, a warning is displayed. This test is only required when Windows 7 clients are configured for DirectAccess.
  • Sends an HTTP request to test whether the CRL field in the network location server certificate that is configured on the DirectAccess server is valid. If the request fails, a warning is displayed. This test is only required when Windows 7 clients are configured for DirectAccess, and when NLS is deployed on the DirectAccess server.
  • Checks whether an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router or load balancing is configured on the network. If this is the case, checks the DNS records for ISATAP. The DNS server should have the records for the internal dynamic IP (DIP) of the server and for the internal virtual IP of the load balancer.
  • Checks whether the email address field is configured for Network Connectivity Assistant.
  • Checks whether the default gateway is configured on the Internet interface instead of on the Internal interface. If the check fails, a warning is displayed.
  • Gives a warning if NRPT exemptions are configured when force tunneling is deployed. 
  • Makes sure that probes other than Internet Control Message Protocol (ICMP) probes are configured in NCA.

Download the update here: HERE

Incompatibility between Windows 8 roaming user profiles and roaming profiles in other versions of Windows

Roaming user profiles on Windows 8-based or Windows Server 2012-based computers are incompatible with roaming user profiles in other versions of Windows.
Profiles are compatible only between the following client and server operating system pairs: 

  • Windows 8.1 and Windows Server 2012 R2
  • Windows 8 and Windows Server 2012 
  • Windows 7 and Windows Server 2008 R2
  • Windows Vista and Windows Server 2008 

Note In this article, when the client operating system is referenced, the same issue applies to its corollary server operating system.
For example, if you try to deploy Windows 8 in an environment that uses roaming, mandatory, super-mandatory, or domain default profiles in Windows 7, you experience the following:

  • After you use a user account that has an existing Windows 7 profile to log on to a Windows 8-based computer for the first time, the components from Windows 8 read and modify the profile state.
  • Certain Windows 8.1 features may not work as expected because the expected profile state is not present.
  • When you try to use the same user account to log on to a Windows 7-based computer, the user profile modification that was performed in Windows 8 may not work as expected in Windows 7.

The issues occur because the profile will contain values that are used differently between the versions of Windows. The user profile will be missing default profile configuration information that is expected by the operating system, and could contain unexpected values that are set by a different operating system version. Therefore, the operating system will not behave as expected. Additionally, profile corruption may occur.

 

Hotfix: Download

HV Backup A free Hyper-V backup Tool

HVbackup is a very easy and powerful free tool to backup and restore Hyper-V virtual machines, in standalone and clustered (CSV) environments, overcoming all the limitations that a generic tool like Diskshadow provides.
This tool targets Windows 2008 (R2) and Windows Server 2012 (R2). All the corresponding core and free Hyper-V editions are also supported!
HVBackup supports app consistent and crash consistent backups through the Hyper V VSS writer component integrated in the operating system.
There are quite a few expensive commercial solutions on the market supporting this scenario, but this is the first open source one, based on the research we did before publishing the project.
We integrated this tool in our datacenter’s production environment management infrastructure, which means that it undergoes continuous testing in a real world environment 🙂
HVBackup can be invoked from the command line, scripted with Powershell or integrated in any .Net program through it’s class library.
The backup process generates a separate zip file for each virtual machine in the specified output directory, containing all the files owned by the VM and identified for backup by the VSS Hyper-V provider.
Requirements:
.Net Framework 3.5, which can be easily enabled on the command line.

Samples:

HVBackup -a -o c:\backup
Performs a full VSS backup (using the HyperV VSS writer) of all VMs on the host.
HVBackup -l VM1,VM2 -o \\yourserver\backup
Performs a full VSS backup of the provided list of VMs (use quotes if the names contain spaces).
In this sample the output directory is on a remote server.
HVBackup -f list.txt -o c:\backup
Performs a full VSS backup of the VMs names provided in “list.txt”, one per line.

How to perform a scheduled backup

backup.cmd :

set BCKPATH=\\yourserver\yourpath
net use %BCKPATH% /user:<user> <password>
pushd %BCKPATH% && forfiles.exe -m *.zip -d -7 -c “cmd /c del @path”
popd
HVBackup.exe -a -o %BCKPATH% 1> lastlog_out.txt 2> lastlog_err.txt

Note: This script will delete every zip file older than 7 days in the target directory before performing a backup of all the VMs on the host. Change it accordingly to your needs.

Now, as we don’t have a scheduled task UI on hyper-v or server core, in order to schedule the previous script every night at 01 AM, just run:

schtasks.exe /create /tn HVBackup /tr c:\hvbackup\backup.cmd /sc DAILY /ru <username> /rp /st 01:00:00

Tool: http://hypervbackup.codeplex.com/

Download: HVBackup_1_0_beta1_20120330.zip Windows 2008 (R2) and Windows Server 2012

Download: HVBackup_1_0_1_Beta.zip Windows Server 2012 R2

Adding GPO Pack support in MDT 2013 for Windows 8.1 & 2012 R2

If you ever tried to use GPO Packs in MDT 2013 or ConfigMgr 012 R2, you quickly find out they will fail for Windows 8.1 or 2012 R2. The reason?  Microsoft forgot to add support for Windows 8.1 in the ZTIApplyGPOPack.wsf script.
Luckily it’s easy to fix, and while you’re at it, why not also add support for Windows Server 2012 R2.

Fix the bug

Find the following section in ZTIApplyGPOPack.wsf (line 86 – 92):

sOSVersion = oEnvironment.Item(“OSCurrentVersion”)
If (Left(sOSVersion,3) = “6.2”) and oEnvironment.Item(“IsServerOS”) then
    sOS = “WS2012RTM”
    oLogging.CreateEntry “Using Default Windows Server 2012 RTM GPO Pack”, LogTypeInfo
ElseIf (Left(sOSVersion,3) = “6.2”) and Not(oEnvironment.Item(“IsServerOS”)) then
    sOS = “Win8RTM”
    oLogging.CreateEntry “Using Default Windows 8 RTM GPO Pack”, LogTypeInfoAnd change to:

If (Left(sOSVersion,3) = “6.3”) and oEnvironment.Item(“IsServerOS”) then
    sOS = “WS2012R2”
    oLogging.CreateEntry “Using Windows Server 2012 SP1 PO Pack”, LogTypeInfo
ElseIf (Left(sOSVersion,3) = “6.3”) and Not(oEnvironment.Item(“IsServerOS”)) then
    sOS = “Win81”
    oLogging.CreateEntry “Using Windows 8.1 GPO Pack”, LogTypeInfo
ElseIf (Left(sOSVersion,3) = “6.2”) and oEnvironment.Item(“IsServerOS”) then
    sOS = “WS2012RTM”
    oLogging.CreateEntry “Using Default Windows Server 2012 RTM GPO Pack”, LogTypeInfo
ElseIf (Left(sOSVersion,3) = “6.2”) and Not(oEnvironment.Item(“IsServerOS”)) then
    sOS = “Win8RTM”
    oLogging.CreateEntry “Using Default Windows 8 RTM GPO Pack”, LogTypeInfo

Or download the file Winking smile

ZTIApplyGPOPack.7z

Translate »