Wednesday, April 22, 2015

Install-MSAs.ps1 -- Automatically Create and Configure Managed Service Accounts with this PowerShell Script

I have brought up using Managed Service Accounts on this blog in the past (SQLync Cheatsheet, or The Quick Rundown on SQL Server and Lync Server 2013) and, for me, now is a great time to revisit the topic.

Due to unforeseen circumstances, I made the tough decision to blow my lab away and start from scratch. Well, honestly, I do this about 6 times a year, so it's more like I'm looking for an excuse. Anyway, I decided that I would do two very special things with this lab:

  • Configure everything almost entirely in PowerShell -- whenever possible
  • Follow recommended best practices (when it doesn't greatly slow down other work)

To a lot of IT folks, that probably sounds like a nightmare. To others, "impossible." (Honestly, it is technically impossible even with only using Microsoft products... there's a small number of things that just cannot be done). But hopefully you're like me and would enjoy the heck out of it. It's a constant puzzle and you're always finding new pieces. I just love when you execute a script that you're really not sure of and it runs without any of that dastardly red text.

When it came time to install SQL, I realized that the recommended best practice is to have an MSA for every service. That's a minimum of two per instance. With SCOM, SCCM, SCVMM, SC Orch, Lync, and SharePoint... that's a lot of services.

So of course I scripted it.

PowerShell Script: Install-MSAs.ps1

Using the Script



Assuming you put the script in C:\Scripts, you can just run

.\Install-MSAs.ps1 "SvcSqlR-SQL02"

and it will create the MSA and install it on the local computer. You can then configure it for a service, such as those needed for SQL to run, like so:
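Doing that configuration step from PowerShell instead of services.msc, as an added example that is not part of the original post or of Install-MSAs.ps1 ($ServiceName and $MSAName are assumed values):

```powershell
# Added example, not part of Install-MSAs.ps1: point an existing Windows service at an MSA
# the script created, then restart it. $ServiceName and $MSAName are assumed values.
param(
    [string]$ServiceName = "MyLabService",      # assumed: any Windows service on this host
    [string]$MSAName     = "SvcSqlR-SQL02",     # the MSA installed with Install-MSAs.ps1
    [string]$Domain      = $env:USERDOMAIN
)

Import-Module ActiveDirectory

# 1. Refuse to continue unless the MSA is actually installed and usable on this computer;
#    Test-ADServiceAccount returns $false if Install-ADServiceAccount never ran here.
if (-not (Test-ADServiceAccount -Identity $MSAName)) {
    throw "MSA '$MSAName' is not usable on $env:COMPUTERNAME. Run Install-MSAs.ps1 first."
}

# 2. An MSA logs on as DOMAIN\name$ with an empty password (Windows fetches the real one).
$account = "$Domain\$MSAName`$"

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) { throw "Service '$ServiceName' was not found." }

# 3. Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#    DesktopInteract, StartName, StartPassword); passing $null leaves a field unchanged.
$result = $svc.Change($null, $null, $null, $null, $null, $null, $account, "")
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed (Win32_Service.Change returned $($result.ReturnValue))."
}

# 4. Restart so the service picks up its new identity, then show what it runs as now.
#    If it fails to start, grant the MSA the "Log on as a service" right: unlike services.msc,
#    changing the account programmatically is not guaranteed to grant that right for you.
Restart-Service -Name $ServiceName -Force
Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

For the SQL Server services themselves, change the account in SQL Server Configuration Manager rather than this way, since it also updates the SQL-specific permissions the engine needs.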



You can also specify more than one MSA name. For example, you could do this:

$MSANames = "MSA1","MSA2"

and then put that variable after the script name. Or, if you want to get fancy, you can do this:


All I did was create a text file on my desktop that looks like this:


...and then I get to delete all those accounts that I made for your amusement. That's right... all of this is for YOU so you better appreciate it. Or whatever.

To delete or view the MSAs in Active Directory Users and Computers, see below. You must first enable "Advanced Settings" under the View drop-down menu.


Script Content


Overview:


I'm just going to paste the script here because it's not very long and you won't have to download anything.

Here is the high-level process:

  • Check if the AD PowerShell module is installed; install it, if needed
  • Check to see if a service account with the name you provided exists; skip creating that MSA if so
  • Create the MSA, associate it with the local computer, and install it
  • Display which MSAs were created and which failed to be provisioned

Code:



param([string[]]$MSANames)

# The MSAs are tied to, and installed on, the computer this script runs on
$hostname = hostname

# Make sure the Active Directory module (part of RSAT) is available
$InstallState = (Get-WindowsFeature -Name RSAT-AD-PowerShell).InstallState

if ($InstallState -ne "Installed") {
    Install-WindowsFeature -Name RSAT-AD-PowerShell -WarningAction SilentlyContinue | Out-Null
    Start-Sleep -Seconds 1
}

Import-Module ActiveDirectory
Start-Sleep -Seconds 1

$CreatedMSAs = @()
$NotCreatedMSAs = @()

foreach ($name in $MSANames) {

    # -ErrorAction Stop guarantees a terminating error, and therefore the catch branch,
    # when no account with this name exists
    Try {
        Get-ADServiceAccount -Identity $name -ErrorAction Stop | Out-Null
        Start-Sleep -Seconds 1
        Write-Host "An account with the name '$name' already exists! This account cannot be created.`n`n" -ForegroundColor Red
        $NotCreatedMSAs += $name
    } catch [System.Exception] {
        # No existing account: create the MSA, associate it with this computer, and install it.
        # A failure in any of the three steps is reported instead of being counted as a success.
        Try {
            New-ADServiceAccount -Name $name -Enabled $true -RestrictToSingleComputer -ErrorAction Stop
            Start-Sleep -Seconds 1
            Add-ADComputerServiceAccount -Identity $hostname -ServiceAccount $name -ErrorAction Stop
            Start-Sleep -Seconds 1
            Install-ADServiceAccount -Identity $name -ErrorAction Stop
            Start-Sleep -Seconds 1
            $CreatedMSAs += $name
        } catch [System.Exception] {
            Write-Host "Failed to provision '$name': $($_.Exception.Message)`n" -ForegroundColor Red
            $NotCreatedMSAs += $name
        }
    }
}

$count = 0
if ($CreatedMSAs.Count -gt 0) {
    Write-Host "Managed Service Accounts have been installed on this computer." -ForegroundColor Green
}
foreach ($name in $CreatedMSAs) {
    $count += 1
    Write-Host "MSA #$count :      $name" -ForegroundColor Cyan
}

if ($NotCreatedMSAs.Count -gt 0) {
    Write-Host "`nThe following MSAs were not able to be created, most likely because an account with that name already exists (see the messages above for any other reason)."
    foreach ($name in $NotCreatedMSAs) {
        Write-Host $name
    }
}

Friday, April 10, 2015

Where to Start with PowerShell -- It's not as scary as you think

I opened PowerShell. Now what?

Yes. I want to talk about the most basic elements of PowerShell... but I'm also not just writing this for the people who are just now seeing that little blue box for the first time.














Whoops. Wrong blue box.


There we go.

Beyond those who are just venturing out from the cmd prompt or looking to get into automation, I've come to realize there are a LOT of IT professionals who use PowerShell on a regular basis yet they have very little idea what it is they are actually doing. They paste the same commands in day after day, probably know which parameters do what, and it just becomes a tiny piece of the backdrop of their workday. Heck, maybe they even get an error once in a while... but this can be fixed by just "doing it manually" through the UI.

To these folks--and I know this because I was one of them not long ago--this is enough. It's enough to get the job done, and it's enough to put "Intermediate PowerShell" on a resume. Oh, then you're in a world of trouble. Because one day, you're going to have some new task, with a new set of variables, and a new set of cmdlets to run... and not all cmdlets have an equivalent in the GUI... and the error messages for that cmdlet may have been designed by a moron.


PowerShell: What is it? What's it for?

I don't ask that to be inane or condescending. I didn't start getting better with PowerShell until I knew how to answer that question. Sure, I can Google it and echo back that it's a command-line interface created to interact with the .NET architecture, but that means nothing to an infrastructure person.

Because think about it: there already is a command-line interface. Good old cmd.exe has been serving Windows operating systems well for much longer than it was even referred to as the "cmd prompt." It can even start reaching into the .NET universe and do its thing. It can add little bits here and remove little bits there until it gets the job done. 

If you were cleaning out your closet with the cmd prompt, you'd get it done by inspecting every dirty shirt or smelly sock and then moving it to wherever it needs to go, like a hamper or a bio-hazard containment facility. Well, if you were cleaning out your closet with PowerShell, it would be like having a team of specialized engineers whose sole purpose in life was to eradicate your dirty laundry.


But why is it so much better? Because it was designed for a different purpose and a lot went into it to get to that point. PowerShell is object-oriented, meaning that it can view things as a whole or even as collections of things. It can store that information as the object itself rather than storing it as a collection of characters and numbers. It's not just a logical arrangement of the data like in the cmd prompt. The information being stored is the data.

Going back to my horrible closet analogy, you could use PowerShell to clean up the whole closet at once. You could decide to magically repaint all your underwear purple. You could turn all those old magazines (that you never even read once) into boxes of Raisin Bran. 

Heck, the closet would be an object too, right? Just turn it into a new closet. Or a spaceship. Whichever is more exciting for you.

The Super Basics

The stuff in this section is what you gotta know if you want to be able to say, "Yes, I know at least a little of PowerShell beyond the fact that it is named PowerShell."

Use PowerShell ISE or be dumb


"What's that program you're running?" asked the person on our team who was brought on to write PS scripts.

"Oh, nothing..." I said, smugly. The joke's on him because it is not nothing.


ISE stands for Integrated Scripting Environment. It is the tool to use when you want to turn a string of commands into an actual script. I won't go too far into this in today's post, but it really is amazing. I mean, I've actually tried looking for something else out there, out of pure astonishment at ISE's functionality, but I don't think it exists. The team behind this really did stellar work.

Just because it is used for scripting does not mean you cannot just run commands out of it. This is the excuse I hear most often as to why they opted for "regular" PowerShell over ISE. You see that blue area of the screen in the picture above? They made it that color blue for a reason. It works just like the "regular" version.

Actually, I take that back. It works WAY better than the command-only window. Here's why:


As you start typing out the parameters of a cmdlet, a nifty thing called IntelliSense will kick in. It will provide a list of parameters that you can use and sometimes even suggest the value to input.

Just FYI, IntelliSense does have to process a lot of data, so it may occasionally "time out". Just hit backspace and retype the dash.

A command is what you run and a cmdlet is what makes it happen: 

When you hit Enter on your keyboard after typing stuff into PowerShell, you just ran a command. The terminology gets mixed up even by the most guru-y of the gurus, but it's an important distinction. A command is made up of 2 parts: the cmdlet and the parameters. Take a look at the command below:

Add-Computer -DomainName "hyperi2.net" -Credential "hyperi2\Administrator" -Restart

Sometimes there will be only one parameter. Sometimes the command will be so long that you don't remember how old you were when you started typing it. Sometimes you won't have any parameters and the cmdlet and the command are the same thing.

One tiny extra consideration: "cmdlet" may also refer to the syntax as well as to the first part of the command. For example, someone might say, "How do you run that cmdlet?" If you asked how to run a command, a pretentious annoying person might answer back, "Press Enter!" And then they'd do that annoying laugh that goes on for way too long.

Every cmdlet = Verb-Noun: 

Say what you're going to do (the "verb") and then which object (the "noun") to do it to. Let's use the same example as before:

Add-Computer -DomainName "hyperi2.net" -Credential "hyperi2\Administrator" -Restart

If someone was panicking and said, "What am I going to do? How do I fix this?!" the answer would be a cmdlet. The verb is what to do and "this" is the noun. So, in order to fix the problem, I am going to add the computer to the domain. This may seem incredibly obvious, but there's often a lot of context to sort through.

Also important to note: parameters can almost always be re-arranged in a command. What if it began "Add-Computer -Restart"? That's not as clear, but it will still work.*

I chose this example specifically because it leaves a lot of unanswered questions. I mean, we know that we are adding a computer to something. But to what? The domain? Which computer? Is DomainName specifying the domain that the machine is already a part of? That last one seems strange, but there are a lot of weirder cmdlets out there.

PowerShell and Windows are released at the same time, and versions matter:

Here's a helpful breakdown:

PowerShell 1.0 was released with Windows XP and Server 2003
PowerShell 2.0 was released with Windows 7 and Server 2008 R2
PowerShell 3.0 was released with Windows 8 and Server 2012
PowerShell 4.0 was released with Windows 8.1 and Server 2012 R2
...and I'm sure you could have guessed that 5.0 will be out with the next kernel

To be honest, I wasn't using PowerShell back in the XP days, so I can't really speak to that. However, the differences between version 2.0 and 3.0 are HUGE. Not only did they add a tremendous amount of cmdlets, they also loosened up the syntax and made alterations to already existing cmdlets. This doesn't matter much if you've stuck with 2.0, but it can be a real pain when you're used to 3.0 and find yourself in a situation where you have to use 2.0.

One of my favorite parameters in a cmdlet is -Recurse for Get-ChildItem. Well, I once structured the logic of a very important script around the fact that I could use it. When the script started failing and after I spent several anger-filled hours losing my mind, I realized that this parameter was released for 3.0.

One very important thing to note is that you can use the next versions up in some cases. For example, if you're on Windows 7 with Service Pack 1, you can skip all the way from 2.0 to 4.0. If you can upgrade, you should upgrade.

You can find your PowerShell version simply by typing $PSVersionTable and hitting enter.



Intermediate Basics

It's okay to ask for help

Given that we are using a shell, many people open PowerShell for the first time and type "help." You would assume that you'd get some helpful information about how to get started and perform your first simple tasks. Instead, what you get is a help file that describes the help system. That can be confusing, but it's honestly a huge freaking clue that you're going to be using it a LOT.

It also tells you right away that you're going to need to update your help files. And that doesn't mean just "regularly". What I mean is that you might open up a help file and see this:


So, let's do it. You do need an internet connection or at least a means to transfer the files over. Remembering that cmdlets are a combination of verbs and nouns, we can update help files simply by typing Update-Help. You should do this right away after installing a fresh instance of PowerShell, and then about every week after that. I know it's hard to remember to do that with our busy schedules. If only there were some way to do it automatically... (spoiler alert: use PowerShell)

After running Update-Help, you'll see lots and lots of help files being downloaded, like so:


Then, you might get some errors. That's okay.


Chances are that the home location for a module has been moved or about a million other possible problems can come up. Just be sure that the error doesn't say that it can't reach the internet at all.

Modules: A fancy word for "things"

Without any modules, PowerShell wouldn't do anything. Even the most basic cmdlets wouldn't exist. So to say that they rev .NET into overdrive is an understatement. 

I don't want to go too deeply into modules right now, because I'd rather focus on how to find and load them, but just know that modules are incredibly simple. Soon enough, you'll be writing your own scripts and functions and setting up how to use them. Well, string a few of those together with a similar purpose, add some help file documentation, and then package it for easy access and you have a module.

So, with how important modules are, don't be surprised when we run Get-Module, which returns the ones that are loaded, and see the screen just explode with text. I mean, it's going to be a massacre. See?


Wait, what?! 2 of them? Do we need to add them in or something? Do you have to do it every time?

The answer is technically yes to those last two questions, but Microsoft was a sport and made it incredibly easy. There are LOTS of modules installed but loading all of them at start-up would be really taxing. It does take time to process each one simply because the .NET library is so large. You will also notice that ISE is tremendously faster at this task.

Let's do an experiment. Those of you who have access to a computer with the Active Directory module installed can follow along.

1. First, open regular old PowerShell (not ISE). 
2. Once you are able to type, type Get-Module and hit enter. You'll notice that the system lags behind as it gets all the background gears and sprockets into place. It feels like it takes forever just to get going.
3. After a bit, the shell will be back to normal speed and you can try out some simple commands like "Set-Location C:\" and "Get-ChildItem". It should be responding much more quickly now.
4. Now we're going to run an AD command. Type out "get-adcom" and hit tab. We're trying to get it to complete a cmdlet for us that belongs to a module that isn't loaded. It searches through the loaded modules first, doesn't find "Get-ADComputer" inside those, so it starts searching through modules that are not loaded. There will be additional lag time as it goes looking, but then it will give you the full cmdlet.
5. You can finish the command by typing "Get-ADComputer -Filter *" and hitting enter. It will return every single computer in the domain. If you have a lot of computers, this will take a while and you won't even be able to read them all.
6. Type Get-Module again. You'll notice that the module "ActiveDirectory" has now appeared. Even if you were to delete the command without hitting the enter key, the module would still be loaded. This is because it automatically loads the module you need as soon as it's able to.

One last thing on modules: there are obviously countless modules available online, but there actually are a lot already installed and waiting to be loaded. To get a list of all the modules on your computer, type Get-Module -ListAvailable.

Finding the Right Cmdlets

I'll tell you right now: oftentimes, the best way to figure out how to do something in PowerShell is just to Google it. However, the best way to learn what is and isn't possible in PowerShell is to dig into it and try to find answers on your own.

In the shell, type "gcm". This is going to give you a LOT of output because it is showing you every cmdlet, function, and some aliases. By the way, "gcm" is an alias itself. It is an abbreviated way to type out Get-Command. To see more aliases, type Get-Alias. You can even create your own.

Earlier today, I was trying to figure out how to set the connection-specific DNS suffix for a network interface. It might seem really difficult to find the right combination of cmdlet and parameters, but not really. I just typed "gcm *dns*" to return every cmdlet that contains that letter combination. I knew that I would be using a set- cmdlet because I was actually making a modification. Here's what popped up:



By the way, you can use multiple wildcards (*) in a search, so I could have done "gcm set*dns*client*" to narrow down the search a bit more.

Then, I needed to poke around in that cmdlet to find the right parameters. And that leads me into our final section...

Advanced Basics: "shcm"

This will change your PowerShell life.

shcm is an alias for Show-Command.

When I was looking for the command to set a DNS suffix, I picked a cmdlet that sounded like it might work, Set-DnsClient, and then put "shcm" in front of the cmdlet. Here is the window that popped up along with the command I typed underneath it.


You'll notice that I entered information into the fields that it provided just like I would type out a command. Once I had it how I wanted it, I just hit "Copy" down at the bottom and pasted it into my script. This is how it came out:

Set-DnsClient -InterfaceAlias "Ethernet" -ConnectionSpecificSuffix hyperi2.net -PassThru -RegisterThisConnectionsAddress $True

You can also just hit "Run" if you will only be using it one time.

That is substantially easier than trying to build the command one parameter at a time. It even tells you what type of information to enter if you mouse over one of the fields. If you hit the blue "?" at the top right, it will give you a modifiable, scalable, and searchable version of the help file.

You'll eventually have commonly-used cmdlets and their parameters memorized, but this is an absolutely crucial tool for learning at any level of scripting.


I hope this has been informative for you, and I'd like to thank you for watching--err, reading. I think I've been watching too many CBT Nuggets videos...

Tuesday, January 27, 2015

Solving Just About Every Azure Login Problem That Exists

Oh. My. God. I recently rolled off of one project and onto another. Any other consultants out there know that this is no small walk in the park. You have to close up all your duties for one client, take care of all the interim stuff like feedback and resume updates and skills assessments, and then start gearing up for the next gig. In my case, I didn't just find myself in a war zone... I was smack dab in No Man's Land during trench warfare.

And yes, you continually update your resume as a consultant. It's a lot like your job is to keep finding new jobs. You make yourself as marketable as you can while trying to prove yourself when it counts so the right people later say the right things. The smart ones race against the learning curve so that they can one day catch up to it and then start defining it. Okay, maybe it's not that much different from any other job after all.

I came across something I just had to share. I was tearing my hair out trying to get Azure's PowerShell module to start working... again. It was working without any sort of problem. Then, while I still had the shell open, I started seeing this:

Text: Your Azure credentials have not been set up or have expired, please run Add-AzureAccount to set up your Azure credentials.
Okay. I'll run the cmdlet I ran to get started in the first place even though you could just grow some eyeballs and look about 10 lines above you to see that I already have an account! And so I do...


Microsoft Accounts Really, Really Suck at Being Completely Awesome

Microsoft came out with this brilliant idea that you could have one single account for all of your Windows devices where all your common settings are saved and shared automatically. It's honestly a fantastic idea. I'm not sure if Google Chrome's account sharing features came first or second, but Microsoft envisioned that it would be like that--which it is--and that it would be that great--which it isn't. 

The problem that they ran into is that they were also ramping up their cloud services platforms and wanted to roll those all into the MS Account as well. That wasn't all, either... they just started lumping any and all Microsoft-related accounts under the same credential umbrella. As it stands right now, I use the same email address to access my organizational account for Office 365 and whatnot, to log into my personal account which also happens to be attached to MSDN and Azure, and also for certifications.

Add to this the confusion that all your old accounts that you used to log into Microsoft environments with suddenly became Microsoft accounts. Gmail, Yahoo, Hotmail (which became Outlook.com and is actually quite awesome), and even random Exchange addresses all magically became unified. Not to each other, mind you, but in a confusing mish-mash of spiderwebs that remarkably never touch each other.

Russian Roulette with Your Sanity

Every once in a while, I'll boot up PowerShell ISE to work on my script that endlessly provisions new Azure virtual machines and configures them any which way I want. But then I discover that the game's over before it started.

After you get the error message I showed above, you'll try to add an Azure account to your Azure PowerShell configuration. But the problem is that you already have done that. In fact, chances are that you can run these two cmdlets and the output will be correct for both:

Get-AzureAccount

Get-AzureSubscription

If you decide to run Add-AzureAccount again, it might just work, honestly. I had it work 2 or 3 times before it went insane. It would pop up and say, "You're already logged in, dude. Why are you trying to log on again?" 

I'd click "Remain logged in with this account" and then it would prompt me for my password. When I put in my password, I would get a message on my Microsoft Account mobile app asking me to approve the request. This is the first machine I ever configured for access to the two-factor authentication and it's never had an issue otherwise. So, I approve the request, and then it tells me, "Dude. You again? I just told you, you're already logged in. Just remain logged in with..."

And you get the point. Eventually, it just started cycling between asking for email AND password and pinging my phone once a second to approve the requests. I had to just re-install the app because of how badly my PC was misbehaving. 

Man... I hope someone finds this post and I can save them some frustration. This one had me wanting to unlearn computers.

Enough of This -- Let's Fix Every Azure Login Issue


Just do this. Instead of logging in with an email address each time, it stores a very long hash. It's like it gives it a nickname. Just imagine that Azure is cozying up to your Microsoft Account.

You still have to log in the first time -- and I'm not promising that problems won't come up ever again -- but this is quick.

1. Get-AzureSubscription | Remove-AzureSubscription


If you have a whole bunch of accounts and they're all working for you, don't run this. It clears out all your Azure subscriptions from cache. It DOES NOT affect anything on your account:


You might want to clear all your subscriptions, honestly. This method of configuration was designed specifically for this purpose.

2. Get-AzureAccount

Just check to see what's still hanging around. It shouldn't display anything. You can pipe that cmdlet to, you guessed it, Remove-AzureAccount if you want to clear everything and start fresh.

3. Get-AzurePublishSettingsFile

This opens up a webpage which immediately prompts you to save a file. Put it anywhere you want, but do yourself a favor and copy the path while you're there. You'll be finding it within PowerShell. Or just put it somewhere like C:\PS so you don't have to type a lot. Wherever it lands, treat that file like a password: it is the credential Azure will trust after step 4, so keep it somewhere only you can read.

Don't bother reading the instructions on that page. They aren't really applicable right now.

4. Import-AzurePublishSettingsFile "<File location>"

Once you get that .publishsettings file imported, you'll see that your account is now much harder to remember than your email address. Mission accomplished!

But seriously, now run an Azure cmdlet like Get-AzureVM. Voilà.

If you ever run into this again, just do step 1 and step 4 again. You don't need to get a new file each time. Heck, you could just modify $PROFILE so that it clears it each time you open PowerShell. But that's probably not necessary.
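That $PROFILE idea, as an added example that is not from the original post: a function that repeats step 1 and step 4 (and optionally step 2), assuming the file was saved as C:\PS\my-subscription.publishsettings.

```powershell
# Added example, not from the original post: wrap steps 1 and 4 in a function you can
# drop into $PROFILE. The file path below is an assumption; point it at your own file.
function Reset-AzureLogin {
    param(
        [Parameter(Mandatory)]
        [string]$PublishSettingsFile,
        [switch]$ClearAccounts      # also run step 2's Remove-AzureAccount
    )

    if (-not (Test-Path -Path $PublishSettingsFile)) {
        throw "Publish settings file not found: $PublishSettingsFile (run Get-AzurePublishSettingsFile to download one)"
    }

    # Step 1: clear every cached subscription. This only touches the local cache,
    # not anything in your Azure account. -Force skips the confirmation prompt.
    Get-AzureSubscription | Remove-AzureSubscription -Force

    # Step 2 (optional): also forget the cached accounts so nothing stale is left behind
    if ($ClearAccounts) {
        Get-AzureAccount | ForEach-Object { Remove-AzureAccount -Name $_.Id -Force }
    }

    # Step 4: re-import the credential stored in the .publishsettings file
    Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettingsFile

    # Show what the module now knows about, so a broken import is obvious immediately
    Get-AzureSubscription | Select-Object SubscriptionName, SubscriptionId, IsDefault
}

# Assumed location of the file downloaded in step 3
Reset-AzureLogin -PublishSettingsFile "C:\PS\my-subscription.publishsettings"
```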

Tuesday, January 13, 2015

SQLync Cheatsheet, or The Quick Rundown on SQL Server and Lync Server 2013

SQL Server and Lync Server 2013. Back-end and front-end. The yin and the yang of Lync infrastructure functionality.

And yet... there is very little documentation out there for all the questions people might have about how these two systems work together. Well, it's out there... it's just spread out like not enough marmalade on far too much toast. Consequently, I'm going to throw together a little cheat sheet for people first diving into their Lync Server 2013 install.

The one thing I won't go into is SQL redundancy or high availability. This is just enough marmalade to get you going.

In typical fashion, this post turned into a behemoth. Seriously, there's so much juicy information right after the jump.


Which SQL Server Versions Should I Use?


You can use these:

  • SQL Server 2012
  • SQL Server 2008 R2
Note that "SQL Server 2008" is not listed there. It is not compatible with Lync Server 2013.

Just use whichever one you have access to. 2012 is going to be better overall for a lab and production, but there won't be any loss of functionality or power using 2008 R2 for Lync in a homelab.

How Many SQL Servers Do I Need?

You need 1 server for each Front End pool. If you have 3 FEs spread across 2 Front End pools, then you need 2 separate SQL servers. If you have 13 Standard Edition servers and 23 Enterprise Front End servers spread across 17 pools, then you need 17 SQL servers.

Can I virtualize SQL Server?

Yes. SQL Server 2012 is going to support the fancier virtualization technologies that sprouted up in Hyper-V version 3, but it won't necessarily run much faster than SQL Server 2008 R2.

Which Ports Need to Be Opened? What About Windows Firewall?


  • UDP
    • 1434
  • TCP
    • Any statically defined ports
    • 1433 if using default instance

If you're just using Windows Firewall or also using it on top of a more illustrious security solution, be sure to allow the SQL applications through. Create a new program-specific rule for each of the paths below and set it to "Allow This Connection."

  • C:\Program Files\Microsoft SQL Server\MSSQL<Version#>.<MyInstanceName>\MSSQL\Binn\sqlservr.exe
  • C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
The second one on that list I'm not 100% on. I've heard that leaving it as is can lead to very frustrating problems down the road. Yes, it is "x86" even though you installed a 64-bit program.
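The same rules built with the NetSecurity cmdlets (Windows Server 2012 and later), as an added example that is not from the original post; the instance name, the SQL version number in the path, and the restriction to the Domain profile are my assumptions:

```powershell
# Added example, not from the original post: the firewall rules described above, created
# with New-NetFirewallRule. $InstanceName and $SqlVersion are assumptions; limiting the
# rules to the Domain profile is my own tightening, not something the post requires.
$InstanceName = "RTC"
$SqlVersion   = "11"       # 11 = SQL Server 2012, 10_50 = SQL Server 2008 R2

$sqlservr   = "C:\Program Files\Microsoft SQL Server\MSSQL${SqlVersion}.${InstanceName}\MSSQL\Binn\sqlservr.exe"
$sqlbrowser = "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"

foreach ($exe in @($sqlservr, $sqlbrowser)) {
    if (-not (Test-Path -Path $exe)) {
        Write-Warning "Binary not found, so a program rule for it would match nothing: $exe"
    }
}

# Program rules: sqlservr.exe may listen on whatever port the instance ends up with
# (dynamic or static), so a named instance needs no separate port rule.
New-NetFirewallRule -DisplayName "SQL Server ($InstanceName) engine" -Direction Inbound `
    -Program $sqlservr -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName "SQL Server Browser" -Direction Inbound `
    -Program $sqlbrowser -Action Allow -Profile Domain | Out-Null

# UDP 1434: the Browser service tells the Lync front ends which port the instance is on
New-NetFirewallRule -DisplayName "SQL Server Browser (UDP 1434)" -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -Action Allow -Profile Domain | Out-Null

# TCP 1433 only matters for the default instance (see "Should I Use the Default Instance" below)
if ($InstanceName -eq "MSSQLSERVER") {
    New-NetFirewallRule -DisplayName "SQL Server (TCP 1433)" -Direction Inbound `
        -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain | Out-Null
}

# Review what was created
Get-NetFirewallRule -DisplayName "SQL Server*" | Select-Object DisplayName, Enabled, Profile, Action
```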

How Should I Handle Service Accounts?

3 options here, which can be summarily labeled the "easy way," the "slightly harder way," and the "awesome way."

Easy Way


Just click next when you see the permissions. It's really not much harder to do the other two ways, so I don't recommend this. If things start breaking, you're taking a lot of power out of your own hands. So, unless you want to screw over Future You, don't do this.

Slightly Harder Way


Manually create an account in Active Directory to use on the Service Accounts screen. It doesn't need any particular permissions. Make sure to remember the password! Also, don't let it expire! If you don't want to mess with all that, see the Awesome Way below.

Awesome Way


This creates an Active Directory Managed Service Account (MSA) that you can set and forget.

Use this way to never have to change a password, manage permissions, or basically remember anything. And it's way tighter security. You can use the same MSA for all your instances (1 account per server, though) or very easily use the first one as a template to create another.

From the SQL Server, run PowerShell as a Domain Admin. If the AD module is not yet installed (or if you're not sure), type:

Install-WindowsFeature RSAT-AD-PowerShell

Then type:

New-ADServiceAccount -Name <SQL MSA Name> -Enabled $true

Then:

Add-ADComputerServiceAccount -Identity <SQL Server Hostname> -ServiceAccount <SQL MSA Name>

Finally:

Install-ADServiceAccount <SQL MSA Name>

When you are specifying the Service Accounts during installation, here's what you put for the Account Name:


Leave the password blank. Make sure to put that dollar sign at the end! The MSA that I'm using looks like this:

hyperi2\SQLMSA01$

And that's it! MSAs are super fun! 

Should I Use the Default Insta--

No. Don't use the default instance. Create individual named instances.

If you messed up and used the default instance, it will still work. No need to reinstall. Just keep it in mind when things go wrong. The default instance works differently than named instances. Be sure to open TCP port 1433 in your firewall if you've set things up this way.

How Many Instances Do I Need?

1 as a "base", which most people call "RTC", that you point your Front End and mediation services at
1 for Persistent Chat, if deployed (CANNOT be colocated with another instance)
1 for Archiving, if deployed*
1 for Monitoring, if deployed*

* You can get away with colocating these. I have an ARCMON instance within my lab.

What Exactly Should I Install?

Boom. You need:

  • Instance Features
    • Database Engine Services
  • Shared Features
    • Management Tools - Basic
      • Management Tools - Complete
If you are setting up archiving and monitoring, also install "Reporting Services - Native" for that instance only.


Which Port Is My Instance Using?

You can find this by opening SQL Server Configuration Manager, then:

1. Expand "SQL Server Network Configuration"
2. Click "Protocols for <MyInstanceName>"
3. On the right side, double-click "TCP/IP".
4. Click the "IP Addresses" tab and scroll to the "IPAll" section at the bottom. If "TCP Dynamic Ports" holds a number other than 0, that is your port. If "TCP Port" holds a number instead, someone has pinned the instance to a static port and that is the one to use.

I should note that Lync Server 2013 normally finds this port on its own: its SQL client asks the SQL Browser service on UDP port 1434 which port the named instance is on, then connects there. So if the firewall allows UDP 1434 but not the instance's port, the lookup succeeds and the connection still fails. That's when you need to open this port up. A dynamic port can also change after a restart, which is a good argument for pinning it to a static one and opening only that.
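The same lookup without the GUI, for every instance on the box at once, plus a firewall rule scoped to that port and to the engine binary only. This is an added example, not code from the post; it reads the registry values that SQL Server Configuration Manager edits (the MSSQL11.* key names are SQL 2012's, other versions use the same layout). Run it elevated on the SQL Server.

```powershell
# Added example, not from the post. Enumerate SQL instances and their TCP ports
# from the registry, then open exactly that port for exactly that binary.
function Get-SqlInstancePort {
    $base  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $names = Get-ItemProperty "$base\Instance Names\SQL"   # e.g. RTC = MSSQL11.RTC

    foreach ($prop in $names.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        $id    = $prop.Value
        $ipAll = Get-ItemProperty "$base\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        $setup = Get-ItemProperty "$base\$id\Setup"

        [pscustomobject]@{
            Instance    = $prop.Name
            StaticPort  = $ipAll.TcpPort          # non-empty => pinned in Config Manager
            DynamicPort = $ipAll.TcpDynamicPorts  # '' or '0' => none assigned yet
            Binary      = Join-Path $setup.SQLBinRoot 'sqlservr.exe'
        }
    }
}

function Open-SqlInstancePort {
    # Allow only the port the instance is on, only for sqlservr.exe, only on the
    # domain profile. The rule carries the port in its name so that a rule left
    # over from an old dynamic port is obvious at a glance.
    foreach ($inst in Get-SqlInstancePort) {
        $port = if ($inst.StaticPort) { $inst.StaticPort } else { $inst.DynamicPort }
        if (-not $port -or $port -eq '0') {
            Write-Warning "$($inst.Instance): TCP disabled or no port assigned yet"
            continue
        }
        New-NetFirewallRule -DisplayName "SQL $($inst.Instance) TCP $port" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -Program $inst.Binary -Profile Domain -Action Allow | Out-Null
        "$($inst.Instance) -> TCP $port"
    }
}

Get-SqlInstancePort | Format-Table -AutoSize
Open-SqlInstancePort
```

If you keep dynamic ports, Lync also needs UDP 1434 to the SQL Browser (sqlbrowser.exe) to resolve them, and the rule above has to be refreshed whenever the port moves. Pinning each instance to a static port in Configuration Manager removes both problems.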

Monday, January 5, 2015

"Windows detected a hard disk problem" - Do I go into too much detail?

People have told me many times in my life that I am way too wordy when I write. That's not exactly how they say it. They'll say, "It's very detailed!" or "Can we maybe trim this section down?"

Well, I'm sorry. Actually, I'm sorry I'm not sorry. No, I was not trying to bore the external auditor to death. It is his job to read boring stuff all day. If I could actually bore a man like that to death, I would quit my job and be on C-SPAN within 6 months.

So, this will be a short post.


Windows detected a hard disk problem


Text: Windows detected a hard disk problem
Back up your files immediately to prevent information loss, and then contact the computer manufacturer to determine if you need to repair or replace the disk.
This means you need a new hard drive.

Tuesday, December 30, 2014

Getting pfSense Up and Routing in Hyper-V - Series, Part 3: The Synergy of Hyper-V and pfSense

I had a nice little break for Christmas, but we have work to do. Let's get this pfSense router working with Hyper-V and then we'll go into some extra bonus features. I say some because you could write an entire blog on pfSense features.

In part one, we focused on setting up Hyper-V so that it doesn't freak out when you slap pfSense inside of it. It took a lot of trial and error on my part to figure it out back in the day, so now you don't have to.

(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V


In part two, we installed and configured pfSense so that we could get connected through webConfigurator, the web GUI. However, that's all we did, so we need to turn it into an actual router.

(Part 2) The Synergy of Hyper-V and pfSense - Connecting to the webConfigurator


So, here's what we're looking at...


webConfigurator - Configuration Using the Web... even though it's not on the "web"



Username: admin
Password: pfsense

Log in, and you get this screen:


If you log in and do not get this screen and want to get this screen to follow along, go to System -> Setup Wizard from the landing page.


Normally, I skip this wizard and go straight to setting up firewall rules on all the interfaces, but we'll go through it this time. This wizard is honestly fantastic for such a powerful piece of technology.

1. Click Next.

2. pfSense Gold is definitely worth it and you should consider it at some point in the near future. However, because you're just getting started, just go ahead and click Next.

3. Fill out the fields for hostname, domain, and DNS server(s). See my router below.


You technically don't need to enter anything here. You could just hit next. But entering a hostname is just smart, putting the domain is helpful, and DNS servers are required to reach external update and patch servers. For DNS servers, you can use the ones I used above because they are publicly accessible and usable.

For "Override DNS", this means that if you connect the router directly to the internet and it receives a public IP address from your ISP, it will also receive a list of DNS servers. This also applies if your network has a DHCP server of its own on that subnet. If the router won't be directly connected to the web and your network won't ever have a DHCP server on this subnet, it doesn't matter what you put here. Just uncheck it if you are unsure.

Click Next.

4. Choose your timezone. The default NTP server will work just fine. More specific time servers can be found at http://www.pool.ntp.org/en/. Click Next.

5. We'll now configure our WAN interface first. Remember that WAN/LAN/OPT interface design plays a bigger role when using pfSense on physical hardware, but it's still important here. Let's take another look at the diagram for the router I'm configuring to determine how to set up this interface.


We'll go ahead and designate our interfaces based on this. I'm choosing these arbitrarily, but it needs to stay consistent so we don't get confused and misconfigure things. I'm also going to list the routes on these interfaces, which we'll come back to.

  • WAN interface: 10.123.123.6 /30      Routes: Default route through 10.123.123.5
  • LAN interface: 10.123.123.14 /30      Routes: 10.10.0.0 /24 through 10.123.123.13
  • OPT1 interface: 10.0.0.1 /25      Routes: none
  • OPT2 interface: 10.0.0.129 /25      Routes: none
So now we know what to enter on this screen. 

For "Selected Type" under "Configure WAN Interface", select Static.



For "IP Address" and "Upstream Gateway" under "Static IP Configuration", enter the correct information. Alternatively, you could enter the incorrect information. I'm using the info I listed above.


Remove the checkmarks for "RFC1918 Networks" (private addresses) and also for "Block bogon networks." We covered these types of addresses in part two of this series. You can only drop them here because this WAN faces another lab router on a private address (10.123.123.5). On a WAN that actually faces the Internet, leave both enabled, or you'll accept traffic with spoofed private source addresses.


Click Next.

6. For the LAN interface, to which we're currently connected, just click Next. We'll fix it after we know that we can connect through another interface.

7. Set your administrator password on the next screen and click Next. If you can't think of a good password, use PenguinsDoNotLikeFalafel23. (Don't, actually. The moment a password is on a blog it's in a wordlist. Make up your own.)

8. Click Reload on the next screen to reload the webConfigurator. This means that, up to this point, no changes have been made. Once you reload, all your settings are saved. Keep this in mind if you ever forget to complete the wizard.


It's normal for this to take a long time. For some reason, I occasionally need to manually reboot the router to be able to reconnect. This is option 5.

9. Log back in with your new password.

10. If you have any additional interfaces, go ahead and configure them now. You can do this by selecting Interfaces -> OPT1 or whichever number it is.


The configuration screen is the same as what we saw for the WAN interface in step 5, except you first have to enable the interface. You do not need to configure a IPv6 address.

Be sure to Apply Changes whenever you're done making them. Otherwise, they won't take effect.


11. Now we're going to open up the firewall temporarily so that traffic can pass through. The idea is that you open it up all the way so that you can do the other configuration first. That way, if you run into issues, you know that the firewall rules are not the cause. Later, when everything is working, you will go back to the inherent deny-all system that I described in the previous post. Treat that as a real to-do item: an any/any rule on an interface that faces anything you don't trust is a router with no firewall.

Go to Firewall -> Rules.


12. For the WAN interface, click the icon shown below to add a new rule.


13. The only thing you need to change is Protocol. Make it "any".


Click Save.

14. Click the icon for "add a new rule based on this one", shown below.


15. Change the interface to LAN. Click Save. Then repeat steps 14 and 15 for any additional interfaces. You can also make copies of your IPv4 rules and change them to IPv6 if you want; a rule applies to one address family, so doing that leaves you with two rules per interface. The LAN interface should automatically have some extra rules.

16. After you have all your rules set, Apply Changes.

17. Go to System -> Routing.


18. Delete the gateway associated with the LAN interface.

(I forgot to highlight the delete button. It's the one with the X on the right side.)

19. We're now going to connect through a different interface so that we can make changes to the LAN interface, which we've been using to get to the webConfigurator. We first need to make sure you're all set with routing so you can, you know, reach the router.

Important: Keep in mind that your other routers need to be aware that the new guy and the network behind him exist. There should be a route set up on each upstream* router to direct traffic downstream. The process for this will vary greatly depending on what brand of equipment is being used. Refer to this footnote** for a little more information.

You can just try connecting via the browser at one of the other interfaces. The problem with this is that it might take longer than expected to load. That might also be annoying if you sit there waiting for it to load for a solid minute and then it fails.

You can also use these methods which will conveniently give you a tour of other parts of the interface.

If the router will have access to the Internet
The fastest way to make sure all is well is to go to Status -> Dashboard.

FYI, this is the "start screen" after you log in.

Check the interfaces. They should all be green and configured correctly--with the exception of the one you're using for the webConfigurator.


Then, look at System Information on the left.


If it says "You are on the latest version" or "Update available", then you are gravy (that's good). Go ahead and connect through the browser to one of the other interfaces.

If it says that it could not connect to check for updates, then you are not gravy. First things first, just reboot. That is pretty likely to fix it, especially if you are using pfSense version 2.1.5.

If you are still having issues, scroll to the bottom of this article and check out the Troubleshooting section.

If the router will not have Internet access
Go to Diagnostics -> Ping.


You want to make sure that you can ping the below hosts. If one works, all the ones below it should as well unless ICMP has been configured to disallow pings.
  • The computer you will access the webConfigurator from, which may be the same one you're using
  • The router closest to that computer along the path to the pfSense router (starting with the far interface, then the nearer one)
  • The next closest router
  • Any host on the directly connected network
  • Itself using the specified address
  • Itself using loopback (example: 127.0.0.1)
You can also do a route trace, but I think squeezing out a few pings ends up being a little faster.

If you're having problems, do a reboot. If you're still having problems, refer to the troubleshooting section at the end of this article.

Go ahead and connect to the interface in your browser and log yourself back in. Remember that you changed your password in an earlier step.

20. Go to Interfaces -> LAN. Configure this interface correctly and apply your changes.

21. Go back to System -> Routing.

22. Make sure you have routes for any networks that:

  • Aren't already going to go out through the default gateway
  • Aren't directly connected (i.e. you don't need a route for 172.16.0.0 if the router interface's IP address is 172.16.0.1 /24)
I am going to add a gateway for 10.123.123.13 /30 because that is how traffic will get to network 10.10.0.0 /24 on the LAN interface. Make sure you do NOT select "default gateway" for this gateway. You should only have one default gateway.


23. Click on the Routes tab.


24. Add any static routes that you need to create. For example:


Apply changes.


Verification

That should be it. The easiest way to verify is to ping a host through the router using another router. Trace route also comes in handy here because you can see the response from our new router.

Also check out Diagnostics -> Routes to make sure nothing is missing. Both the Diagnostics and Status menus are chock full of helpful information and tools.


Extras

I'm just going to point you in the right direction for a few things.



  • Backup/Restore: Backup frequently! It's really easy!! Go to Diagnostics -> Backup/Restore.
  • NAT/Port Forwarding: Go to Firewall -> NAT for both of these.
  • High Availability: Here's a great article on CARP
  • Download add-on packages (I highly recommend using pfSense 2.1.5 for 3rd party stuff): Go to System -> Packages, then click the Available Packages tab
    • Snort: An Intrusion Detection System (IDS) that tells you when bad traffic is coming in, and it can block the offending hosts as well. The package is free; what costs money is the Snort VRT rule subscription (the Emerging Threats Open rules are free).
    • Squid ("Squid3"): Forward proxy, reverse proxy, and more. Totally free and totally great.
    • Squidguard: Added to Squid to do URL filtering. Free.
    • iperf: I haven't personally used this on pfSense, but it will tell you all kinds of network information including data transfer rates. Free.
    • HAVP: I honestly haven't used this one personally either, but I've heard great things. It helps prevent viruses from entering the network. Free.



Troubleshooting


If you're having problems, check the following in no particular order:

  • WAN interface (or the one with the default gateway route):
    • Subnet (it might have defaulted to 1 or 32)
    • IP address
    • Network/bogon filters at the bottom are empty
    • Gateway is correct and says it is a default gateway
    • IPv6 address is static or not enabled -- DHCP can be problematic during setup
  • Routes/Gateways:
    • If you've been following along, you should only have one gateway and it should be a default gateway
    • Make sure you only have one default gateway
    • Make sure the gateway is on the same subnet as your interface (it will yell at you if it isn't)
  • Firewall rules:
    • The interface that isn't working should have at least one rule allowing all traffic over IPv4
    • The rule allowing all traffic should be at the top of the list, although this likely isn't an issue yet (the rules are processed in order, from top to bottom, with the invisible implicit deny all hiding at the very bottom)
  • Go to Diagnostics at the top and choose Ping, then start pinging address close to the interface and then move farther away (you can also do Trace Route, but I find that you can throw out quick pings a little faster)
  • Make sure your other routers contain the right networks in their routing tables
  • Remember: rebooting is your friend
  • If all else fails, disable and re-enable the interface. If that doesn't work, uninstall the interface and reinstall. This is more likely to fix the problem if your other interfaces are working correctly.


Footnotes

* The terms upstream and downstream traffic refer to the directions to get out of or deeper into the network. Upstream traffic is heading outward to a WAN interface where it can reach the Internet or get directed to another site. Downstream traffic is heading farther into the network, meaning it will have to pass through another router when it heads upstream. Upstream/downstream can also be used when referring to servers. For example, an upstream Windows Server Update Services (WSUS) server can download Windows updates and pass them to a downstream WSUS server.
** For very basic systems, detailed (static) route information is needed. For example, you would have to use 10.20.30.64 /26 as the destination and it would reach IP addresses from 10.20.30.64 to 10.20.30.127. However, many systems, including pfSense, allow for route aggregation. This lets you specify a range of addresses to route to even if they are spread across multiple subnets. For example, you could just put 10.0.0.0 /8 to send all traffic with a destination IP address starting with "10" in that direction. The majority of hardware routing is managed with routing protocols and does not use static routes, but this is beyond our scope for today.

Monday, December 22, 2014

Connecting to the pfSense webConfigurator - Series, Part 2: The Synergy of Hyper-V and pfSense

Hey! Check out the new banner! I actually went to school originally for graphic design, but this was the first time I touched Photoshop in about 6 years. It was really weird that I still remembered a ton of hotkeys. There is just so much random information that we can store in our brains...

Oh, and I figured out AdSense finally. I've tried to make it as unobtrusive as possible while still being visible. I'm not going to type out some heartfelt paragraph about needing to use ads because I survive on their support. I'm doing this blog for the good of the people -- and if I am one of those people who gets some good sent their way, I won't complain. But the honest-to-god truth is that I'm here to write the best dang tech blog I can and I'd be doing that even without the few quarters they mail me every other month.

Back to Business: Installing pfSense

I haven't re-read the post I made yesterday, which accidentally turned itself into this series. For those of you who didn't get a chance to read it, we went over the different pfSense versions, I described some common problems when integrating it with Hyper-V, I was in a state of near delirium, and I almost broke a server. So, go on! Check it out:

(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V


If you were following along, our paths diverged at the end of the first part of the series. You were left with a whole lot of white text flying across the screen for about a minute as the system booted. Then it asked you if you want to set up VLANs now.

I, on the other hand, had to fight with permissions on two machines so that I could finally do a simple file transfer and get all the VM files in place. I am starting the machine up right........... now. I actually did type "now" and click Start at the same time. I'm such a loser.


Up and running, here's the prompt I was talking about:


1. Take note of those interface names. You will need them in a second and they're not always visible on screen when it asks.

Enter "no" or "n" to skip setting up VLANs.

2. It will ask you to label your interfaces. One thing you need to keep in mind while configuring pfSense is that it was created to run on hardware. The fact that it can run inside a virtual machine is just a really great feature. At this point with a hardware installation, you'd already have your cables connected to physical ports. That's why this matters. However, with a virtual machine, all your ports are whatever you want them to be. A WAN port can turn into a LAN port just by changing the IP. So it doesn't matter which interface is labeled what.

Just run down the interface list above to assign them. Don't just type what I'm typing here. Your interface labels may be completely different.

I have 4 virtual NICs installed, so I labeled 4 interfaces here. Once you've given names to all your interfaces, just hit enter one more time. Then enter "yes" or "y" at the confirmation.

3. It will do router-y and firewall-y things for a bit, then finally bring you to the main menu.


Remember that we downloaded the LiveCD for pfSense. This means that it can run straight off external media. You could go ahead and just move on in. You know, set up a cozy new home complete with love seat and firewall state tables, but you'd be really annoyed when your furniture got deleted on a reboot.

We had to choose the LiveCD because the other option is built as an IMG file, which Hyper-V does not recognize natively. This really doesn't add much time anyway.

Enter "99" to kick off the installation.

4. Choose "Accept these Settings"


5. At the next screen, you really shouldn't ever need to do a custom install unless you have multiple VHDX files connected and you need to install to a drive not in the first slot of IDE Controller 0. "Quick/Easy Install" formats that disk automatically (which will be explained in the shell) and installs pfSense there.

Select Quick/Easy Install.


6. Select OK on the next prompt. pfSense begins installing.

7. Choose to install the standard kernel. The embedded kernel is meant for appliance hardware that has a serial console instead of a VGA console, which is not what a Hyper-V VM gives you.

8. Once it asks you to reboot, don't. We want to turn the machine off. Keep in mind this is different than "Shut Down."

9. Once the machine has powered off, we need to remove the ISO from the drive. On the menu at the top of the VM window, go to Media --> DVD Drive --> Eject


We did this because FreeBSD will automatically boot from the DVD again each time it starts. If you try to remove the DVD at the moment the machine restarts, you will either get an error from Hyper-V or the system will present a mount error.

10. Start the machine back up.



Let's take a short break from doing stuff and learn some stuff

We now need to configure pfSense so that we can reach webConfigurator, which is the HTTP-/HTTPS-based web GUI. It's smooth sailing once we get to that point. This requires configuring IP addresses on specific interfaces. I can't very well tell you what addresses to use, so we're going to have a little sidebar here. I need to explain what's going on and then show you how it'll work with my network.

Speaking of my network, here is the diagram of our little slice of the lab:



Notice that there are IP addresses with a subnet mask of "/30", which is equivalent to 255.255.255.252. This subnet mask will look strange to someone who's just getting their feet wet in networking. You may be used to addresses with a subnet mask of 255.255.255.0 from having to configure or troubleshoot your network card. A lot of people are surprised, then, when they are told that /30 is the most common subnet mask in the world. The reason is that a /30 has exactly two usable addresses, which is all a point-to-point link between two routers needs.

There's a reason why I bring this up. With pfSense, you have to define the interfaces with labels and also with IP addresses. The labels aren't just for show with a virtualized installation, though. They also configure the default firewall rules on each port. There are always going to be two interfaces with pfSense*: the WAN interface and the LAN interface. Any additional interfaces get the designation OPT1, OPT2, and so on.

We need to know this because we have to use the right interface to get connected to the webConfigurator. If we picked OPT2, for example, we wouldn't be able to connect.

Here's a rundown of the default firewall rules for each interface:

  • WAN
    • Deny traffic from private networks
    • Deny traffic from bogons
    • Implicit "deny all" (there are no pass rules at all, so nothing, the webConfigurator included, is reachable from WAN until you add one)
  • LAN:
    • Anti-lockout rule: allow access to the webConfigurator (and SSH) on the LAN address
    • Allow traffic from the current subnet to anywhere
    • Implicit "deny all"
  • Any OPT interface:
    • Implicit "deny all"

Let me head the questions off at the pass...
  • The private networks are 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x. These have been specially set aside by the Internet Assigned Numbers Authority (IANA) to only be used locally and shouldn't be out on the open web.
  • Bogons are bogus IP addresses: space that IANA has not allocated to anyone yet, plus ranges reserved for special purposes. Once a block is allocated it drops off the bogon list (pfSense refreshes the list for you). If a packet arrives from a bogon, whoever sent it is using address space they can't legitimately own, and you don't need to find out why.
  • The implicit deny all** sits at the very end of firewall rule sets and Access Control Lists (ACLs), the latter of which appear in networking equipment as well as file system security, including Windows. In pfSense and some other networking technologies, it doesn't even appear in the list. So, when you first look at your rules for OPT interfaces, they are just empty. To allow traffic through, an administrator has to make rules for what can come in. It's kind of like a boy only allowing other boys into his tree house because he thinks girls are icky.

Looking at the interface list above, you might expect to connect over the WAN interface. You can't: WAN has no pass rules by default, so the GUI is unreachable from that side no matter what hypervisor you're on. That, not Hyper-V, is why it "just doesn't work."

The fact of the matter is that I have a sure-fire way of getting into the web GUI with the LAN interface. I recommend doing it this way so you don't get so frustrated that you throw a phone book at the mailman. I'm not saying I did that or anything...... that would make my defense attorney's job a lot harder.


Okay, let's stop learning and start doing stuff

11. Before I forget, let's enable SSH (Secure Shell) access to the router. This allows you to access the console easily with PuTTY or connect with WinSCP to modify the FreeBSD file system like you would in Windows Explorer. Remember that this is a root-equivalent shell on your router and the LAN anti-lockout rule exposes it to everyone on the LAN, so restrict it to your admin host with a firewall rule (or turn it back off) once you're done building.

Enter "14" at the main menu to enable SSH.


If the menu has disappeared from random status messages filling the screen, just hit Enter to refresh.

12. Back at the main menu, enter "2" to set interface IP addresses.

13. It will give you a list of your interfaces. Enter the number for the LAN interface, which is probably "2".


14. You now have to assign an IP address. We are NOT going to assign anything from our diagram yet. What you want to do is pick an address on the same subnet as the computer that you will access the webConfigurator from.

For example, if you're connecting from your PC and the IP address is 192.168.0.5 (with the /24 mask), then you can set it to 192.168.0.6 or 192.168.0.100 or 192.168.0.179. As long as there isn't another computer on the network with that address, you're gravy. If you want to see what addresses are floating around out there, run "arp -a" from the command prompt on your PC. That only prints the ARP cache, i.e. hosts your PC has talked to recently, so ping the candidates first to fill it in; a host whose firewall drops pings still answers ARP and still shows up.

For me, I can use 192.168.0.30, so I will:
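Here is that check scripted, as an added example rather than anything from the post: it pings a slice of the subnet purely to populate the neighbor cache, then reports the candidates that no MAC address ever answered for. The 192.168.0.0/24 prefix and the 20 to 40 range are assumptions; Get-NetNeighbor needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the post: find an unused address for pfSense's
# temporary LAN IP from the PC you will manage it from.
function Find-FreeLanAddress {
    param(
        [string]$Prefix = '192.168.0',   # the PC's /24 (assumption)
        [int]$First     = 20,
        [int]$Last      = 40
    )
    $candidates = $First..$Last | ForEach-Object { "$Prefix.$_" }

    # One ping each. The reply is irrelevant: the attempt forces Windows to ARP
    # for the address, and ARP is answered even by hosts whose firewall drops
    # ICMP (the Windows default), so the neighbor cache is the honest source.
    foreach ($ip in $candidates) {
        Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue |
            Out-Null
    }

    # This is the data 'arp -a' prints. Reachable/Stale/Delay/Probe/Permanent
    # mean a MAC answered at some point; Unreachable/Incomplete mean nobody did.
    $inUse = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable','Stale','Delay','Probe','Permanent' } |
        Select-Object -ExpandProperty IPAddress

    # Everything we tried that never got a MAC behind it.
    $candidates | Where-Object { $_ -notin $inUse }
}

# Pick the first free one (on my network that comes out as 192.168.0.30).
Find-FreeLanAddress | Select-Object -First 1
```

The result is only as current as the sweep: a machine that is powered off right now will still collide with you when it comes back, which is one more reason this address is temporary.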


15. It then asks you for your subnet mask.*** Enter it in as the bit count. It has some examples above.


16. Are you ready for my trick?! This is how I show both Hyper-V and pfSense who's boss. When it asks for the upstream gateway address, set it to whichever computer you want to access it from. Don't set it as your modem or other router. That's when I started running into issues.

I will access the webConfigurator from this address. 192.168.0.224 is a computer on my network.

17. For the IPv6 address, you can just hit Enter. Feel free to type one in if you'd like to use IPv6.

18. Do you want to enable the DHCP server on LAN? No.

19. Do you want to revert to HTTP as the webConfigurator protocol? No.

HTTPS works out of the box: pfSense generated a self-signed certificate on first boot, and the only cost is a browser warning you can click through (or fix later by issuing the GUI a certificate from a CA you trust). Reverting to HTTP sends the admin password across the wire in the clear every time you log in, which is a poor trade for skipping one warning page.

20. It does some processing and then gives a nice little message that you can access the webConfigurator at the listed address.

Great! Let's do just that! I'm super excited!!

On the computer at 192.168.0.224:


AHH what?? I literally spent like 100 hours writing this post and this is what happens?!

Okay, I knew that was going to happen. We need to do two things first.

(Keep in mind... it could have just worked for you. How pfSense determines your technological karma is mysterious and unknowable... at times just cruel.)

21. Pull up an elevated command prompt and enter the following:

route add -p <IP address of router> mask 255.255.255.255 <IP address of router again>

This adds a host route that says the router's address is reachable directly on the local link (the gateway is the address itself), so Windows stops looking for another way to get there. The -p makes it persistent across reboots, so remember to remove it with "route delete <IP address of router>" once the LAN interface has its real address.

22. Reboot the router. At the main menu, Enter 5 and then confirm it.

Now, it might take a little time for pfSense to get all its ducks in a row. Just to be clear, that is not a technical term... it's an idiom.

Come back to your browser in 5-10 minutes and try the router's IP address again. If you're still having issues, reboot the router once more.

Here it is, folks:

Smells like victory in here.


The username is admin
The password is pfsense               (all lowercase)


Pause button


I never cease to amaze myself with how many extra words I can fit into something without even trying. I could be the next Faulkner if I had any sort of, like, word goodness. But we'll go ahead and pause for part 3

In part 3 (which might turn into part 4 and then 5), we'll walk through the setup wizard--yes, a setup wizard on an amazing piece of networking technology and it rocks--and make sure we can connect from all the interfaces.

In conclusion, I understand the importance of properly selecting the correct words to make bold.











* You actually could configure pfSense with just one network card. You would need to configure two VLANs and assign them both to the same port, then configure routing between them. Traffic going through the port uses a subinterface for each VLAN on top of the interface itself. This setup is commonly called a "Router on a Stick": inter-VLAN routing over a single trunk port.
** There is an alternative model that uses a default allow with explicit denies. This means that everything can come in unless a rule has specifically denied it.
*** To find your subnet mask, run "ipconfig" from the command prompt on the computer you will access the webConfigurator from. It prints the mask in dotted form; convert it to a bit count by counting the 1 bits: 255.255.255.0 is /24, 255.255.0.0 is /16, 255.255.255.252 is /30. Use what ipconfig says rather than guessing from the first octet, because a 10.x or 172.x network can be carved up any way the administrator liked.