23 May 2012

Enable or Disable IPv6 with a script or registry entry

I recently found something interesting while troubleshooting DirectAccess. DirectAccess requires IPv6 to work. On a stock standard Dell-built machine I found that, despite the check box for IPv6 being enabled, there was no IPv6 active.

You can see that only IPv4 is visible when running ipconfig

What you should be seeing is the following that contains IPv6 addresses

The reason for this is that the IPv6 components are disabled via the registry. For more info on this you can check http://support.microsoft.com/kb/929852

Below are two scripts, one to enable IPv6 and the other to disable it.

To Enable

' 0 = all IPv6 components enabled (the Windows default); restart for the change to take effect
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents", "0", "REG_DWORD"

To Disable

' 255 (0xFF) = all IPv6 components disabled except loopback; restart for the change to take effect
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents", "255", "REG_DWORD"

The thing I do find very interesting is that it is being disabled by Dell where the default is to have it enabled.
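To check what a given DisabledComponents value actually switches off before changing it, the following added example (not part of the original scripts) decodes the value using the bit flags documented in KB929852. The function name ConvertFrom-DisabledComponents is hypothetical; the sample values 0 and 255 are the ones written by the two scripts above.

```powershell
# Added example: decode DisabledComponents with the bit flags from KB929852.
function ConvertFrom-DisabledComponents {
    param($Value)

    $bits = @(
        @{ Mask = 0x01; Text = 'IPv6 disabled on all tunnel interfaces' },
        @{ Mask = 0x02; Text = '6to4 disabled' },
        @{ Mask = 0x04; Text = 'ISATAP disabled' },
        @{ Mask = 0x08; Text = 'Teredo disabled' },
        @{ Mask = 0x10; Text = 'IPv6 disabled on non-tunnel interfaces' },
        @{ Mask = 0x20; Text = 'IPv4 preferred over IPv6' }
    )

    # Collect the description of every bit that is set in the value.
    $set = @()
    foreach ($b in $bits) {
        if ($Value -band $b.Mask) { $set += $b.Text }
    }
    if ($set.Count -eq 0) { $set = @('All IPv6 components enabled') }

    New-Object PSObject -Property @{
        Value = ('0x{0:X}' -f $Value)
        Flags = $set
    }
}

# Constructed samples: the two values written by the scripts above.
0, 255 | ForEach-Object { ConvertFrom-DisabledComponents $_ } | Format-List

# Live value on this machine; a missing entry means the Windows default of 0.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
$live = 0
if ($item) { $live = $item.DisabledComponents }
ConvertFrom-DisabledComponents $live | Format-List
```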

21 May 2012

DirectAccess UAG Array in 10 steps - expanded

Documentation for building DirectAccess with UAG is at best a little clumsy. Jason Jones has an excellent 10 step guide and Dr Tom Shinder has excellent lab guides. While following the combination of these two in my latest build I figured I would just write down the steps that needed expanding. These are essentially my rough notes.

Original Sources:

Step 1: Configure Supporting Infrastructure
  • Create ISATAP, NLS and IP-HTTPS DNS records
On every authoritative DNS server in the domain
Remove the ISATAP and WPAD entries from the DNS Block list
dnscmd /config /globalqueryblocklist
To confirm that the entries are removed, check that they do not show up in the result of
dnscmd /info /globalqueryblocklist

Create ISATAP DNS Entry
On the DNS console 
Create a new Host A record ISATAP - the IP should be the internal IP of the UAG server
Create a new Host A record ISATAP - the IP should be the internal IP of the second UAG server
Create a new Host A record NLS - the IP should be that of your NLS server

Confirm that you can resolve the DNS name with nslookup ISATAP

  • Create DirectAccess client and server security groups
From Active Directory Users and Computers create a new group - "Direct Access Computers"
  • Create DirectAccess certificate templates
On the PKI server open 
MMC - Certificate Templates
Select the Web server Template - Duplicate - 2008 Enterprise
General Tab
Name : UAG NLS Webserver
Server Tab 
Check "Do not include revocation information in issued certificates"
Security Tab 
Authenticated users - Allow Enroll
Add Domain Computers - Allow Enroll
Request Handling Tab
Check Enable private key to be exported
certutil -ping  -- To force an update of the available certificate templates

Open MMC - Certification Authority
Select the CA Server
Select Certificate Templates - New - Certificate to issue
Select the UAG NLS Webserver template created earlier

Request and install a Computer certificate on each node
  • Create service account for UAG array management
From Active Directory users and Computers create a new account - add as a member of a group that has administrative access on all the Direct Access servers (UAG and NLS)

*** Create ICMP4 and ICMP6 Echo request firewall rules in Group Policy ***

Create or select a suitable Group Policy that can be applied to the DA clients and other DA associated servers.
Open the Group Policy Management console
Expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with advanced Security\

Inbound Rules add
Inbound ICMPv4 Echo
Inbound ICMPv6 Echo

Outbound Rules add
Outbound ICMPv4 Echo
Outbound ICMPv6 Echo

Specify – Protocol ICMPv4 or v6 - Customize – Check “Echo Requests” only
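The DNS part of Step 1 (block list entries and the ISATAP and NLS host records) can be verified in one pass. This is an added example, not part of the original guides; it assumes it is run on an authoritative DNS server where dnscmd is available, that the records live in the logon domain ($env:USERDNSDOMAIN), and the function name Resolve-DaRecord is hypothetical.

```powershell
# Added example (not from the original guides). Run on an authoritative DNS
# server, where dnscmd is available.
$domain  = $env:USERDNSDOMAIN     # assumption: records live in the logon domain
$records = 'ISATAP', 'NLS'        # Host A records created in Step 1

# 1. A name still on the global query block list is never answered by the
#    DNS server, even when a Host A record for it exists.
$blockList = (& dnscmd /info /globalqueryblocklist 2>&1 | Out-String)
foreach ($name in 'isatap', 'wpad') {
    $state = 'removed from block list'
    if ($blockList -match "\b$name\b") { $state = 'STILL BLOCKED' }
    Write-Host ("{0,-8} {1}" -f $name, $state)
}

# 2. Resolve each record by its fully qualified name and list every address.
function Resolve-DaRecord {
    param([string]$Fqdn)
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
                 ForEach-Object { $_.IPAddressToString })
    } catch {
        $ips = @()   # the name did not resolve
    }
    New-Object PSObject -Property @{
        Name      = $Fqdn
        Resolved  = ($ips.Count -gt 0)
        Addresses = ($ips -join ', ')
    }
}

$records |
    ForEach-Object { Resolve-DaRecord ("{0}.{1}" -f $_, $domain) } |
    Format-Table Name, Resolved, Addresses -AutoSize
```

For a two-node array the ISATAP row should list the internal IP of both UAG servers.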

Step 2: Configure Network Location Servers
  • Create website and enrol/bind NLS certificate
  • Repeat for additional NLS servers and potentially implement NLB
Step 3: Prepare and Install UAG Servers
  • Install OS, activate, run Windows Update, join AD domain
  • Configure static routes – see here
By default the machines would be built with the default gateway as the internal network.  To enable you to remotely build the servers via RDP you need to ensure the routes are always configured to get to the internal

route add MASK -P

configure the external NIC with default gateway
remove the default gateway from the internal NIC

route print  

check that mask point to the externals default gateway.  If there is a duplicate route for the 

route delete

Re-set the external with the correct default gateway

  • Configure network interfaces and amend bind order – see here
Change the Binding order so that the internal binds first

Default Gateway should not be defined 
DNS Servers should be defined 
Register this connection’s address in DNS – Enabled 
File and Printer Sharing for Microsoft Networks – Enabled 
Client for Microsoft Networks – Enabled 
NetBIOS over TCP/IP – Default or Enabled

Default Gateway should be defined 
DNS Servers should not be defined 
Register this connection’s address in DNS – Disabled 
File and Printer Sharing for Microsoft Networks – Disabled 
Client for Microsoft Networks – Disabled 
NetBIOS over TCP/IP – Disabled
  • Enrol IP-HTTPS and IPsec certificates
On UAG01 - Request certificate
Import to UAG02
  • Install UAG + UAG and TMG updates
UAG SP1 - http://www.microsoft.com/en-us/download/details.aspx?id=13885 (includes TMG SP1 and SP1U1, and includes UAG Update 1 and 2)

  • Repeat for additional UAG servers
Step 4: Configure UAG Array
  • Configure first UAG server as the array manager
Start UAG management
Complete Step 1 - Configure Network Settings
Step 2 Define Server Topology
Select Array Member
Select Set this server as the array manager
Specify the user account created earlier

Step 3 complete it and select yes or no to participate

Activate the changes
  • Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
Open the TMG console
Select the Firewall Policy
From the Tool box - Network Object - Managed Server Computers

  • Join additional UAG servers to the array
Start UAG management
Complete Step 1 - Configure Network Settings
Step 2 Define Server Topology
Select Array Member
Select Add this server to an array
Specify the FQDN of the array manager
Specify the service account created earlier

Step 5: Configure UAG NLB
  • Define internal NLB virtual IP address with unicast mode
  • Define external NLB virtual IP addresses (at least two consecutive) with unicast mode
On the array manager open the UAG management console
From the Admin Menu select Network Load balancing
Add- External – Specify the first external VIP and additional ones
ADD – Internal – Specify a VIP
Apply the changes – Use the Activation Monitors to see that the changes are applied to both nodes.
  • Start NLB on each array member
Start the UAG Web Monitor console
Select Array Monitor
Check the Servers – from the drop down box select Start click apply

Step 6: Configure UAG DirectAccess
  • Enable NAT64/DNS64
From the UAG Management console select Direct Access
Step 1 – Configure
Select “Allow DirectAccess client......”
Select your domain
Modify the Policies and give them appropriate names – UAG DirectAccess - <Role>
Select Client group or OU

Step 2 – Configure
Select Windows Network Load Balancing
Proceed past the warning if you have installed 2008R2 SP1
Select the First external VIP
Select the Internal VIP
Take note of the IP addresses that need to be configured for ISATAP
Select the certificate created and installed earlier
For IPSec certificate authentication select the Intermediary from which you requested your computer certificate

  • Define appropriate NRPT entries (Name Resolution Policy table)

Step 3 - Configure
Specify the URL for the network location server (NLS) and validate
Accept Default DNS entries
Add an exclusion for your WPAD specified proxy servers and wpad name
Management servers are servers that provide services such as Antivirus updates WSUS etc
When done – Apply Policy
Check the review and – Apply Now
If you get an error creating the GPO, it might be because replication has not yet occurred. In this case give it a few minutes and try again.
When activating the changes you might also get an error relating to the GPO not being present. For this, also just wait a few minutes and try again.

Step 7: Configure DirectAccess Clients
  • Enrol IPsec certificates
Manually request or autoenroll the computer with a “Computer Certificate”
  • Add clients to DirectAccess security group and reboot
Add the computer account of the client machine to the “Direct Access Computers” group created earlier. This is the one referenced in the Direct Access Wizard.
  • Install DCA client
Part 1  - Configure Group Policy
Download the DCA zip file and extract the files
To be able to use the Direct Access components you need to add the ADMX and ADML files to your group policy central store.
On a domain controller copy the admx file to:
And copy the adml file to:
C:\Windows\SYSVOL\sysvol\yourdomain.com\Policies\PolicyDefinitions\en-us
Allow a few minutes for replication to the Central Stores
Open the Group Policy Management console
Locate and edit the UAG DirectAccess Clients group policy (created by the UAG DA Wizard)
Expand the policy to Computer Configuration/Policies/Administrative Templates/DirectAccess Connectivity Assistant/
Corporate Resources - This will affect whether the DCA shows active or broken connection
Here specify resources that are normally accessible to DirectAccess clients. In my case I specified a ping to two domain controllers configured with IPv6
Read the description and specify values for Corporate Portal Site, Portal Name and Support Email
LocalNamesOn – Setting allows the client to manually switch between using domain and public DNS (useful for troubleshooting)

Part 2  - Deploy the MSI
Use whatever your preferred automation method is, or install manually.

Step 8: Configure Active Directory and DNS
  • Add IPv6 prefixes and assign to AD sites
  • Add DNS reverse lookup zones for IPv6 prefixes

Step 9: Test DirectAccess
  • Test internal ISATAP
Open a command prompt and Ping the UAG internal IP address
The reply should come back with an ISATAP address in the form hex:hex:hex:hex:hex:hex: and should look something like 2002:a504:b1f:8000:0:5efe:
  • Test external Teredo, 6to4 and IP-HTTPS
Disconnect the machine from the internal network and connect to a direct internet link
IPconfig /all
Look for Tunnel Adapter IPHTTPSInterface
There should be a few IPv6 addresses listed there
Ping a host on the internal  network with IPv6 enabled
You should get an IPv6 ISATAP reply

Step 10: Complete Post-Installation Tasks
  • Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
  • Apply UAG SCW hardening template using Group Policy
  • Install and run UAG BPA

04 May 2012

Add domain group to local group script

I found and used this little script and know I will probably try to find it again in the future...

To use, just change the group names and the "mywindowsdomain"

'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain/Domain Admins,group" )

Speed up Hyper-V P2V and deployment from template

One of the best parts of using System Center Virtual Machine Manager (VMM) is that it becomes very easy to move machines around. You gain the ability to convert a physical server, and once you have it you can migrate it from host to host, store it in a library or turn it into a template.
The one key thing here is that the VM files are moved around from machine to machine. These files also tend to be pretty big. To ensure reliable and proper bandwidth usage without hogging the line, VMM uses the Background Intelligent Transfer Service (BITS).

By default all BITS transfers are done over HTTPS. This generally does not cause an issue, but if you are doing loads of migrations or importing older, slower physical servers you can speed things up. BITS supports transfer over both HTTPS and HTTP. The latter has the advantage of not being encrypted, which speeds up the transfers because the crypto overhead is not required on either side. The disadvantage is that your transfers are no longer encrypted. This is mostly mitigated if you are using this in an enclosed network.

There are two places where you can set the HTTPS requirement.

Disable HTTPS for  HOST to HOST and P2V

  • From the VMM console select the relevant host group
  • Right Click - Properties
  • On the General tab you will see a check box for "Allow unencrypted file transfer"

This will now disable HTTPS when doing P2V or when migrating storage for a VM. If you want the same for moving files to and from a library, or you are deploying from the library, you also need to change the following.

Disable HTTPS for library

  • Select the Library server
  • Right Click Properties
  • Check the box for "Allow unencrypted file transfer"

You would need to do this for every library server.

The result is that deploying or moving VMs around will now be noticeably faster.

I only found this by seeking desperately to speed up virtualising older laptops.  Up to this point I had never had a need to improve this as it has always worked very well with the defaults.  Just nice to know there is something you can do about it.

Thanks to Jeff Wouters

I have also noticed that antivirus, if configured incorrectly, will impact the performance of the deploy, P2V and migration processes.

The basic exclusions should be:

  • Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)
  • Custom virtual machine configuration directories
  • Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
  • Custom virtual hard disk drive directories
  • Snapshot directories
  • Vmms.exe 
  • Vmwp.exe 

And if you are Using CSV - Cluster Shared Volumes

But also check out


02 May 2012

Hyper-V PowerShell script to change all VMs to Dynamic Memory

If you have a very standardized Hyper-V environment such as VDI implementations you may want to automate setting all the hosts to use dynamic memory.

This heavily modified script changes all the VMs on a host to use the predefined RAM values and settings

The original can be found here http://thelazyadmin.com/2012/04/xendesktop-vdi-and-dynamic-memory

# PowerShell script for changing RAM settings for all VMs on the hosts specified

Write-Host("This script configures all the VMs on the hosts with dynamic memory.")
Write-Host("Ensure that all VMs are turned off on all the hosts") -ForegroundColor Red
$tmp = Read-Host("Press Enter to continue")

$ServerNames = "hyperv10","hyperv11","hyperv12","hyperv13"  # Enter the list of server names here
foreach ($ServerName in $ServerNames) {

    $Reservation = "512"  # Enter minimum RAM
    $Limit = "2048"       # Enter maximum RAM
    $Buffer = "20"        # Enter buffer % (default is 20%); defined but not applied below
    $Weight = "5000"      # Enter weight (default is 5000); defined but not applied below

    $VMMS = Get-WmiObject -ComputerName $ServerName -Namespace root\virtualization -Class Msvm_VirtualSystemManagementService
    $VMs = Get-WmiObject -ComputerName $ServerName -Namespace root\virtualization -Class MSVM_ComputerSystem

    # List everything MSVM_ComputerSystem returned for this host
    Write-Host("Hyper-V Server Name: ", $ServerName) -ForegroundColor Yellow
    foreach ($VM in $VMs) {
        Write-Host("    ", $VM.ElementName)
    }

    $waitstart = 200
    $waitshutdown = 120
    $selection = "y"
    if ($selection -eq "y") {
        Write-Host("Setting Dynamic Memory.")
        foreach ($VM in $VMs) {
            # Skip the entry whose name matches the host itself
            if ($VM.ElementName -eq $ServerName) { continue }

            # Walk from the VM to its settings object and on to its memory settings
            $VMSettings = Get-WmiObject -ComputerName $ServerName -Namespace root\virtualization -Query "Associators of {$VM} where ResultClass=Msvm_VirtualSystemSettingData"
            $MemorySettings = Get-WmiObject -ComputerName $ServerName -Namespace root\virtualization -Query "Associators of {$VMSettings} where ResultClass=Msvm_MemorySettingData"
            $MemorySettings.DynamicMemoryEnabled = 1
            $MemorySettings.Reservation = $Reservation
            $MemorySettings.VirtualQuantity = $Reservation
            $MemorySettings.Limit = $Limit
            Write-Host("Changing memory configuration for ", $VM.ElementName) -ForegroundColor Green
            $result = $VMMS.ModifyVirtualSystemResources($VM.__PATH, $MemorySettings.psbase.GetText(1))
        }
    }
}

Write-Host("Script Completed") -ForegroundColor Yellow

This is my first Hyper-V PowerShell script so any feedback would be great!!