28 January 2013

PowerShell to "Allow management operating system to share this network adapter"

When you are configuring Hyper-V switches, always keep in mind that the host needs a communication network too. I was busy configuring network teams and virtual switches when I successfully managed to configure the following: three virtual switches, consuming all five network adapters, with not one of them set to "Allow management operating system to share this network adapter".

The net result of this configuration is that all the virtual machines are on the network and working perfectly, but the host itself is not! This effectively also cuts off all remote administration and any ability to fix it remotely. One more thing: I am using Hyper-V Server, so there are no GUI tools to help out.

There was nothing left to do but physically log onto the host and fix it with PowerShell.

First up, check that all the NICs are up and running:

Get-NetAdapter



Next, get a list of the virtual switches and pick the one to share with the host:

Get-VMSwitch


Now check the configuration of that switch. In my case it is "Corporate Team":

Get-VMSwitch -Name "Corporate Team" | Select-Object *

You will probably notice that the AllowManagementOS value is False. To change this and fix the problem, turn it on with the following command:

Set-VMSwitch -Name "Corporate Team" -AllowManagementOS $true



Once this has had a minute or so to readjust things (the host gets a new "vEthernet (Corporate Team)" adapter, which still needs to pick up an address), you should be able to remotely manage and connect to the host again.
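The same check-and-fix as one script, as an added example that is not part of the original post. It verifies whether any external switch is shared with the management OS, shares one if none is, and then confirms the host actually got its vEthernet adapter and an address. The switch name is the one from the post; everything else is standard Hyper-V and NetAdapter cmdlets.

```powershell
# Added example, not from the original post. Checks whether the host has a shared
# external switch, fixes it if not, and verifies the result.
# The switch name comes from the post; change it to the switch you want the host on.
$SwitchName = 'Corporate Team'

# 1. Physical adapters that are up (any "vEthernet (...)" entries are the host's virtual NICs)
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
    Select-Object Name, InterfaceDescription, Status, LinkSpeed | Format-Table -AutoSize

# 2. External switches, and whether each one gives the management OS an adapter
$external = Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' }
$external | Select-Object Name, AllowManagementOS, NetAdapterInterfaceDescription | Format-Table -AutoSize

if (-not ($external | Where-Object { $_.AllowManagementOS })) {
    Write-Warning 'No external switch is shared with the management OS: the host itself has no network.'
    Set-VMSwitch -Name $SwitchName -AllowManagementOS $true
}

# 3. Verify: the switch now reports True and the host owns a "vEthernet ($SwitchName)" adapter.
#    Give it a minute to get a DHCP address, or assign one with New-NetIPAddress.
Get-VMSwitch -Name $SwitchName | Select-Object Name, AllowManagementOS
Get-NetAdapter -Name "vEthernet ($SwitchName)" | Select-Object Name, Status, LinkSpeed
Get-NetIPAddress -InterfaceAlias "vEthernet ($SwitchName)" -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object IPAddress, PrefixLength
```

Run it on the console of the host. If step 3 shows the adapter Up but no IPv4 address after a minute, the switch is fine and the remaining problem is addressing (no DHCP on that segment), not the switch.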

25 January 2013

Windows 8 Hyper-V limitations

One of the coolest things about Windows 8 is that you now have Hyper-V available to you. No more do you need to run Windows Server on your desktop just to get Hyper-V. Having said that, there are a few differences or limitations in Windows 8 Hyper-V (client) compared to Windows Server Hyper-V (server).

First up, let's highlight one thing. Hyper-V on the Windows 8 desktop operating system is not intended as an alternative to Windows Server. It is intended to be, and does a great job of being, a full-featured personal virtualization platform.

System Requirements:
Windows 8 Pro or Enterprise x64
RAM: 4 GB
CPU: must support SLAT (Intel Core i3/i5/i7 or 3rd generation AMD Opteron) with virtualization enabled in the BIOS
Storage: 20 GB for the OS plus additional space per VM

Adding Hyper-V features
To install or enable Hyper-V you can use Windows Features (Turn Windows features on or off):

Check Hyper-V Management Tools to install all the tools, including the PowerShell cmdlets.
Check Hyper-V Platform to install the hypervisor itself.

Or you can run the following PowerShell command from an elevated prompt:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
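An added example, not part of the original post, that ties the system requirements and the install step together: it reads the Hyper-V requirements block that systeminfo prints on Windows 8 (VM monitor mode extensions, virtualization enabled in firmware, SLAT, DEP), refuses to continue if any of them says No, and only then enables the feature and reports its state. The pattern strings are the labels systeminfo uses; nothing else is assumed.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

# systeminfo prints a "Hyper-V Requirements" block with four Yes/No lines. When Hyper-V
# is already running it prints a single "A hypervisor has been detected" line instead.
$requirements = systeminfo | Select-String -Pattern 'VM Monitor Mode Extensions|Virtualization Enabled In Firmware|Second Level Address Translation|Data Execution Prevention Available|hypervisor has been detected'
$requirements | ForEach-Object { $_.Line.Trim() }

# Any requirement reported as "No" (typically virtualization switched off in the BIOS) is a stop.
$notMet = $requirements | Where-Object { $_.Line -match ':\s+No\s*$' }
if ($notMet) {
    Write-Warning "Prerequisite not met: $(($notMet | ForEach-Object { $_.Line.Trim() }) -join '; ')"
    return
}

# Current state of the feature: Disabled, Enabled or EnablePending (reboot outstanding)
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V | Select-Object FeatureName, State

# Enable the platform and the management tools. -All pulls in the parent features;
# -NoRestart lets you pick the reboot time yourself (the hypervisor does need one).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

# Confirm: all Hyper-V sub-features should now be Enabled or EnablePending
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
    Select-Object FeatureName, State | Format-Table -AutoSize
```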

Compare Windows 8 to Windows Server 2012 features

When you add your local machine to the Hyper-V management console and compare it to a server-based host, you will notice that Windows 8 lacks the following features:

Physical GPU
Live Migrations
Replication Configuration

There are also a few differences in the following:

Numa Spanning
Enabled by default on the server, not on the client.

Storage Migration
Limited to moving virtual drives on the local machine only. You cannot move or run a virtual machine from an SMB 3 file share.

Virtual Switch Extensions
Client does not support the Microsoft VMM DHCPv4 Server switch extension.

Virtual hardware
Client does not offer the RemoteFX 3D Video Adapter.

Management:
Both the client and the server version can be managed through the Hyper-V management console. Both are also fully supported in PowerShell. Here is one big limitation:

Client cannot be managed with System Centre Virtual Machine Manager (VMM)
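Since both editions expose the same PowerShell module, the differences above can be read straight off the hosts instead of eyeballed in the console. The following is an added example, not part of the original post: it gathers the host-level settings discussed here (NUMA spanning, live migration, enabled switch extensions) from a list of hosts and returns one object per host. The host names are placeholders.

```powershell
# Added example, not from the original post. Summarises the settings the post
# compares for one or more Hyper-V hosts (local machine by default).
function Get-HyperVHostSummary {
    param([string[]] $ComputerName = $env:COMPUTERNAME)

    foreach ($name in $ComputerName) {
        $vmHost = Get-VMHost -ComputerName $name

        # Switch extensions are per switch; collect the distinct enabled ones for the host
        $extensions = Get-VMSwitch -ComputerName $name |
            Get-VMSwitchExtension |
            Where-Object { $_.Enabled } |
            Select-Object -ExpandProperty Name -Unique

        [pscustomobject]@{
            Host                    = $name
            NumaSpanningEnabled     = $vmHost.NumaSpanningEnabled          # server: True by default, client: False
            LiveMigrationEnabled    = $vmHost.VirtualMachineMigrationEnabled # never True on the client
            EnabledSwitchExtensions = ($extensions -join ', ')
        }
    }
}

# Placeholder host names: a Windows 8 client and a Windows Server 2012 host
Get-HyperVHostSummary -ComputerName 'client-pc', 'hv-server01' | Format-Table -AutoSize
```

The Hyper-V cmdlets use WMI/WinRM under the hood, so the account running this needs to be a Hyper-V administrator on each remote host.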

Conclusion
Hyper-V in Windows 8 is a great local virtualization platform and supports almost all of the virtualization features. It is not geared for moving virtual machines across hosts or for being managed with VMM.

Side Note: If you want full Hyper-V functionality without having to pay for a Windows Server licence, check out Hyper-V Server 2012. It is free and supports the full server feature set.

23 January 2013

Convert VMDK and physical drives to VHD and VHDX

If you have ever wanted to move a virtual machine or virtual disk from VMware, or to create a virtual copy of a physical drive, this is a great little free tool for the job. I was in a bit of a bind, not being able to import a machine into VMM, and this one helped me out.

2Tware Convert VHD

Simply specify the VMDK file and a destination VHD file and click Convert. Easy.



The process to convert a physical disk is just as straightforward.

Once you have your VHD you can use it in your Hyper-V environment. If you want to further convert it to the new Hyper-V 3 VHDX format, you can do so in the Hyper-V console:


  • Open the Hyper-V management console
  • Select Edit Disk from the Action pane
  • Locate the VHD file
  • Choose to Convert
  • Select VHDX
  • Choose either Fixed or Dynamic depending on your need
  • Specify a new file name
  • Finish the wizard
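The same conversion can be scripted, which matters on Hyper-V Server where there is no console. This is an added example, not part of the original post: it inspects the VHD, refuses to convert a disk that is attached to a VM, converts with Convert-VHD, and then checks the result with Get-VHD and Test-VHD. The paths are placeholders.

```powershell
# Added example, not from the original post. VHD -> VHDX with the Hyper-V module
# instead of the Edit Disk wizard. Paths are placeholders.
$Source      = 'D:\VMs\imported.vhd'
$Destination = 'D:\VMs\imported.vhdx'
$Type        = 'Dynamic'   # or 'Fixed', matching the wizard's choice

# Look at the source first: format, virtual size, on-disk size, and whether a VM has it open
$src = Get-VHD -Path $Source
$src | Select-Object Path, VhdFormat, VhdType, Size, FileSize, Attached | Format-List
if ($src.Attached) {
    throw "$Source is attached to a virtual machine; shut it down or detach the disk first."
}

# Convert. -DeleteSource is deliberately not used so the original VHD remains as a fallback
# until the VHDX has been booted and checked.
Convert-VHD -Path $Source -DestinationPath $Destination -VHDType $Type

# Verify the new file and run the built-in consistency check (Test-VHD returns True/False)
Get-VHD -Path $Destination | Select-Object Path, VhdFormat, VhdType, Size, FileSize | Format-List
if (-not (Test-VHD -Path $Destination)) {
    throw "$Destination failed the VHD consistency check"
}
```

Attach the VHDX to the VM (Set-VMHardDiskDrive) and boot it before deleting the VHD.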



21 January 2013

Windows 8 Offline Installation of .Net 3.5

Windows 8 includes .NET 3.5 on the installation media. It is, however, not installed by default. To further complicate things, it attempts an online installation if you enable it through Windows Features.

To install directly from the installation media use the following command, specifying the source drive letter. In this case it was D:

Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess

The installation should complete without requiring a reboot.

Checking Windows Features, you should now see it listed as installed.
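The DISM module exposes the same switches from PowerShell, which makes it easy to find the media and confirm the outcome in one go. This is an added example, not part of the original post: it looks for a drive that carries sources\sxs (a mounted ISO or the DVD), enables NetFx3 from it with -Source and -LimitAccess, and reports the feature state before and after.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

# Find the first drive that has the install media's sources\sxs folder on it
$sources = Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root 'sources\sxs' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

if (-not $sources) {
    throw 'No installation media with a sources\sxs folder found; mount the Windows 8 ISO first.'
}

$before = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
"NetFx3 before: $($before.State) (source: $sources)"

if ($before.State -ne 'Enabled') {
    # -Source points at the media's side-by-side store; -LimitAccess stops DISM from
    # contacting Windows Update, which is exactly the online attempt the GUI makes.
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source $sources -LimitAccess
}

$after = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
"NetFx3 after:  $($after.State)"
```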

20 January 2013

Managing the Windows Firewall with PowerShell

Using PowerShell to manage Windows Firewall with Advanced Security is extremely handy when dealing with Server Core installations, and even more so when you are managing Hyper-V Server 2012.

In this article I will cover the following:
  • Checking the current firewall configuration
  • Changing the firewall configuration
  • Managing the firewall remotely
These are the basic things admins would be performing on machines whose firewalls are not configured with Group Policy.

Checking the Current Firewall Configuration
Before you make any changes to the firewall you should have a look at the current configuration. There are a few ways of doing this, each with its own benefits. Two functions can be used to get this information:
  • Get-NetFirewallRule
  • Show-NetFirewallRule
Since we will really only be looking at a subset of the properties, either of these will work fine. The various commands have different display options; hopefully this helps to show how everything fits together.

The properties we will be looking for are:
  • DisplayName
  • DisplayGroup
  • Enabled
  • Action

To see just this set of properties run the following command:


Get-NetFirewallRule | Select-Object DisplayName, DisplayGroup, Enabled, Action

To see all of the properties available run the following:

Get-NetFirewallRule | Select-Object *

To filter the output so you only see the rules that are enabled run the following:

Get-NetFirewallRule | Select-Object DisplayName, Enabled, Action | Where-Object { $_.Enabled -eq "True" } | Format-Table -AutoSize

This gives a nice concise list of the rules that are enabled and what they do.


Changing the firewall configuration

There are two functions that you would normally use for this:
  • Enable-NetFirewallRule
  • Disable-NetFirewallRule
To toggle a rule from Enabled to Disabled just switch the verb around. Since a lot of the system rules work in groups, it is very convenient to enable all the rules in a group in one go. The group property we will use is DisplayGroup. This is a "simple name" and much easier to work with.

To see the list of rules and display groups that are currently disabled run the following:

Get-NetFirewallRule | Select-Object DisplayName, DisplayGroup, Enabled | Where-Object { $_.Enabled -eq "False" } | Format-Table -AutoSize

We will use the output of this command to create the enabling command. Here you can see that the "Virtual Machine Monitoring" group contains 5 individual rules.


To turn all of these on run the following command:

Enable-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring"

The command does not output a result, so it is best to check again with the previous command. To disable the rules in the group again just switch the verb of the function as follows:

Disable-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring"

To Enable or Disable individual rules you can use the following commands:

Enable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"
Disable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"
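Because Enable-NetFirewallRule and Disable-NetFirewallRule return nothing, it is worth wrapping the change in a function that snapshots the group before, applies the change, and reports exactly which rules flipped and on which profiles. This is an added example, not part of the original post; the group name is the one used above.

```powershell
# Added example, not from the original post. Enables or disables a rule group and
# reports the before/after state of every rule in it.
function Set-FirewallGroupState {
    param(
        [Parameter(Mandatory)] [string] $DisplayGroup,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State
    )

    # Select-Object copies the values, so $before keeps the pre-change state
    $before = Get-NetFirewallRule -DisplayGroup $DisplayGroup |
        Select-Object Name, DisplayName, Enabled, Direction, Profile
    if (-not $before) { throw "No rules found in display group '$DisplayGroup'" }

    if ($State -eq 'Enabled') { Enable-NetFirewallRule  -DisplayGroup $DisplayGroup }
    else                       { Disable-NetFirewallRule -DisplayGroup $DisplayGroup }

    # Re-read and report the delta, since the Enable/Disable cmdlets print nothing
    $after = Get-NetFirewallRule -DisplayGroup $DisplayGroup
    foreach ($rule in $before) {
        $now = ($after | Where-Object Name -eq $rule.Name).Enabled
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Direction   = $rule.Direction
            Profile     = $rule.Profile      # Any = applies on Public networks too
            Was         = $rule.Enabled
            Now         = $now
            Changed     = ($rule.Enabled -ne $now)
        }
    }
}

Set-FirewallGroupState -DisplayGroup 'Virtual Machine Monitoring' -State Enabled | Format-Table -AutoSize
```

Look at the Profile column before enabling a group on a host with a Public network profile: a rule whose profile is Any opens the port on that network as well.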

Managing the Firewall Remotely
There are obvious advantages to running all of these commands from a remote computer as opposed to being logged onto the actual console. The two ways this can be done are:

  • PSSession - similar to Telnet / SSH
  • Invoking a command on a remote computer
To be able to work remotely the target machine needs to have PowerShell remoting enabled. To do this, execute the following in an elevated PowerShell on the target. It starts the WinRM service and adds the firewall exception for it; on a Windows 8 client it refuses to run while any network connection is on the Public profile unless you add -SkipNetworkProfileCheck:

Enable-PSRemoting

From your management machine you can now connect to a session on the server by using:

Enter-PSSession <server-name>

From here you can run all the commands shown above. I would, however, suggest using the second remote method as it gives you more flexibility and power.

From the management machine you will be invoking the command on the target machine. For the examples below the target machine is named et-lab-fv01.

In its simplest form it looks as follows:

Invoke-Command -ComputerName et-lab-fv01 {Get-NetFirewallRule | Select-Object DisplayName, DisplayGroup, Enabled, Action}

As you can see, the command in between the {} is the same as the first example. That is what is run on the remote computer.

One nice feature of doing this is that you can make use of Out-GridView to make things easier to keep track of and filter:

Invoke-Command -ComputerName et-lab-fv01 {Get-NetFirewallRule | Select-Object DisplayName, DisplayGroup, Enabled, Action} | Out-GridView

You can see just how useful the grid view is.

The grid view does not always show every column. For instance, if you retrieve all the properties as follows, you will see a lot more columns, but the DisplayGroup column is not listed anywhere.

Invoke-Command -ComputerName et-lab-fv01 {Get-NetFirewallRule | Select-Object *} | Out-GridView

To really get everything, and even more functionality, output the result to a CSV file and import it into Excel. The command to output to a file is as follows:

Invoke-Command -ComputerName et-lab-fv01 {Get-NetFirewallRule | Select-Object *} | Export-Csv C:\firewall.csv -NoTypeInformation

The import into Excel now gives you the complete picture.


Another advantage of invoking commands is that they can be performed on multiple machines at the same time, so you can enable or disable a firewall rule group on multiple machines with a single command. In this case the two machines are called et-lab-hv01 and et-lab-hv02:

Invoke-Command -ComputerName et-lab-hv01,et-lab-hv02 {Enable-NetFirewallRule -DisplayGroup "Virtual Machine Monitoring"}

If you would like to use the MMC console to get a better view of your remote server you will probably have to enable the Windows Firewall Remote Management rule group on it:

Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management"
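Putting the remote pieces together, the following is an added example, not part of the original post: it audits the enabled inbound rules on several hosts in one Invoke-Command, keeps the host name on every row (Invoke-Command stamps returned objects with PSComputerName), shows which inbound rules differ between two hosts, and exports everything to CSV. The host names are the placeholders used in this post.

```powershell
# Added example, not from the original post. Audits enabled inbound firewall rules
# across several hosts and highlights the differences between them.
$hosts = 'et-lab-hv01', 'et-lab-hv02'   # placeholders from the post

# Each target must already have had Enable-PSRemoting run on it (elevated).
$results = Invoke-Command -ComputerName $hosts -ScriptBlock {
    Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, DisplayGroup, Enabled, Action, Profile
}

# One row per rule per host, grouped by the host it came from
$results | Sort-Object PSComputerName, DisplayGroup, DisplayName |
    Select-Object PSComputerName, DisplayGroup, DisplayName, Action, Profile |
    Format-Table -AutoSize

# Inbound rules enabled on one host but not the other are the ones worth a second look
$perHost = $results | Group-Object PSComputerName
if ($perHost.Count -eq 2) {
    "Rules present on only one host (<= $($perHost[0].Name), => $($perHost[1].Name)):"
    Compare-Object -ReferenceObject $perHost[0].Group -DifferenceObject $perHost[1].Group -Property DisplayName, Action |
        Sort-Object SideIndicator, DisplayName |
        Format-Table DisplayName, Action, SideIndicator -AutoSize
}
else {
    Write-Warning "Expected results from 2 hosts, got $($perHost.Count); skipping the comparison."
}

$results | Export-Csv -Path C:\firewall-audit.csv -NoTypeInformation
```

Because the filtering happens inside the script block, only the enabled inbound rules cross the wire; filtering after Invoke-Command would pull every rule from every host first.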

07 January 2013

Use PowerShell to query multiple AD servers for account lockout events

Here is a quick tip on how to query a named list of domain controllers to find the lockout event for a particular user. This is always a problem, since users often have no idea where the failed authentication attempts that result in the lockout are coming from.

Invoke-Command -ComputerName ADSERVER1,ADSERVER2 -ScriptBlock {Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4740 -and $_.Message -like "*Username*" }} | Format-List

This returns a result that looks like the following; the Caller Computer Name field shows the computer from which the account lockout originated.


Simply add additional servers as a comma-separated list after the -ComputerName parameter to query more servers.

The Username can also contain wildcard characters, so you can specify "Joe*" or "*Bloggs".

The servers need to have PowerShell remoting enabled to run the query remotely. On the AD servers run PowerShell as administrator:

Enable-PSRemoting 

Answer Yes or Yes to All to confirm the changes.
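Reading the whole Security log with Get-EventLog and filtering afterwards gets slow on a busy domain controller. The following is an added example, not part of the original post: it uses Get-WinEvent with a filter hashtable (event ID and time window are applied by the log service itself) and pulls the locked account and the caller computer out of the event's XML instead of matching on the message text. In event 4740 the caller computer is carried in the TargetDomainName field, which is the reason for the odd-looking mapping below. Server and user names are placeholders. Lockouts are always recorded on the PDC emulator as well, so include it in the list; with the ActiveDirectory module loaded, (Get-ADDomain).PDCEmulator gives its name.

```powershell
# Added example, not from the original post. Finds 4740 lockout events for a user
# across a list of domain controllers and reports where each lockout came from.
function Find-AccountLockout {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [Parameter(Mandatory)] [string]   $UserName,     # wildcards allowed, e.g. 'Joe*'
        [int] $Days = 7
    )

    Invoke-Command -ComputerName $DomainController -ArgumentList $UserName, $Days -ScriptBlock {
        param($UserName, $Days)

        # Filter hashtable: ID and time window are evaluated by the event log service
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # 4740 stores "Caller Computer Name" in TargetDomainName, not in a field of its own
            $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'

            if ($target -like $UserName) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    LockedAccount  = $target
                    CallerComputer = $caller
                }
            }
        }
    } | Select-Object PSComputerName, Time, LockedAccount, CallerComputer | Sort-Object Time
}

# Placeholder DC names and user; PSComputerName shows which DC logged each event
Find-AccountLockout -DomainController 'ADSERVER1', 'ADSERVER2' -UserName 'Joe*' -Days 3 | Format-Table -AutoSize
```

-ErrorAction SilentlyContinue is there because Get-WinEvent throws a terminating error when a filter matches nothing; without it a quiet DC would abort the run for that host.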