itramblings

Ramblings from an IT manager and long time developer.


Configure the NTP Server on Windows Server 2016

Copied from https://www.ceos3c.com/2017/07/06/configure-ntp-server-windows-server-2016/

We will use PowerShell to change the NTP server and then validate that the change worked.

Configure the NTP Server on Windows Server 2016

On your Windows Server 2016 press the Windows key, type PowerShell, right-click the result and select Run as Administrator.

Type the following commands

  • w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
  • Stop-Service w32time
  • Start-Service w32time

Of course, you can use any NTP server you want.

Now verify that the time server was set correctly on your Server 2016 by typing:

  • w32tm /query /status

The Source line of the output should name the peer you configured (pool.ntp.org here) and the Stratum should no longer be 0. If Source still reads "Local CMOS Clock", w32time has not synchronised with the peer yet.

Now we will go ahead and verify that our clients sync properly.

Verifying if the Time Server was correctly set on our Clients

On a client computer open PowerShell with right-click and Run as Administrator.

Type:

  • w32tm /query /status

Note the Source shown, then force a resync and query the status again:

  • w32tm /resync
  • w32tm /query /status

The Source shown by the second query should now be the time server you configured.

And that’s it! Easy, right?

Always make sure that every machine in your network ultimately follows the same time source. In an Active Directory domain that means configuring the manual peer list only on the PDC emulator (add /reliable:YES to mark it as an authoritative source) and leaving domain members on the default domain hierarchy (w32tm /config /syncfromflags:DOMHIER), so that w32tm /query /source on a member returns a domain controller rather than an external server. Kerberos tolerates at most five minutes of clock skew by default, so time differences inside the domain quickly turn into authentication failures.
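The procedure above as a script, added here as an example and not part of the original post. It configures the peers, restarts the service, parses w32tm /query /status so the result can be checked rather than eyeballed, and measures the real offset against the peer. Assumptions: it runs in an elevated PowerShell on the machine that should sync externally (the PDC emulator in a domain), the peer list is yours to choose (the post uses pool.ntp.org), and the ",0x8" flag asks w32time to poll the peer in client mode.

```powershell
# Added example; not from the original post. Run elevated on the server that syncs externally.
$PeerList = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # assumption: your chosen peers

function Set-NtpPeers {
    param([Parameter(Mandatory)][string]$Peers, [switch]$Reliable)
    # /syncfromflags:MANUAL -> use only the listed peers (a domain member would use DOMHIER).
    # /update notifies w32time of the change; /reliable:YES is only for the PDC emulator and
    # advertises this host as a reliable time source to the rest of the domain hierarchy.
    $cfgArgs = @('/config', "/manualpeerlist:$Peers", '/syncfromflags:MANUAL', '/update')
    if ($Reliable) { $cfgArgs += '/reliable:YES' }
    & w32tm.exe @cfgArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }
    Restart-Service w32time          # same effect as the Stop-Service / Start-Service pair above
    & w32tm.exe /resync /nowait | Out-Null
}

function Get-NtpStatus {
    # Turn the text of 'w32tm /query /status' into a hashtable so a script can check it
    $status = @{}
    foreach ($line in (& w32tm.exe /query /status)) {
        if ($line -match '^(Leap Indicator|Stratum|Source|Last Successful Sync Time|Phase Offset):\s*(.+)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-NtpOffsetSeconds {
    param([Parameter(Mandatory)][string]$Peer, [int]$Samples = 3)
    # Query the peer directly and return the measured offsets in seconds. A value far from
    # zero means the clock is not really following the source, whatever /query /status says.
    $lines = & w32tm.exe /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly
    foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
}

Set-NtpPeers -Peers $PeerList -Reliable
Start-Sleep -Seconds 15                  # give w32time a moment to complete the first exchange
$status = Get-NtpStatus
"Source: $($status['Source'])  Stratum: $($status['Stratum'])  Last sync: $($status['Last Successful Sync Time'])"
if ($status['Stratum'] -like '0*' -or $status['Source'] -like 'Local CMOS Clock*') {
    Write-Warning 'w32time has not synchronised with the configured peer yet (still on the local clock).'
}

$firstPeer = (($PeerList -split ' ')[0] -split ',')[0]
$offsets = Get-NtpOffsetSeconds -Peer $firstPeer
if ($offsets | Where-Object { [math]::Abs($_) -gt 1 }) {
    Write-Warning "Offset to $firstPeer exceeds 1 s: $($offsets -join ', ')"
}
```

On a domain member, do not run Set-NtpPeers; instead check that w32tm /query /source names a domain controller, and use Get-NtpOffsetSeconds against that DC to confirm the member is actually within Kerberos skew tolerance.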


Troubleshooting 502 Errors in ARR

Taken from here: https://docs.microsoft.com/en-us/iis/extensions/troubleshooting-application-request-routing/troubleshooting-502-errors-in-arr


by Richard Marr

Tools Used in this Troubleshooter:

  • IIS Failed Request Tracing
  • Network Monitor
  • Winhttp Tracing

This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.

HTTP 502 – Overview

When working with IIS Application Request Routing (ARR) deployments, one of the errors that you may see is “HTTP 502 – Bad Gateway”. The 502.3 error means that – while acting as a proxy – ARR was unable to complete the request to the upstream server and send a response back to the client. This can happen for multiple reasons – for example: failure to connect to the server, no response from the server, or the server took too long to respond (time out). If you are able to reproduce the error by browsing the web farm from the controller, and detailed errors are enabled on the server, you may see an error similar to the following:

Figure 1: ARR detailed error page for HTTP 502.3 (image not reproduced here)

The root cause of the error will determine the actions you should take to resolve the issue.

502.3 Timeout Errors

The error code in the screenshot above is significant because it contains the return code from WinHTTP, which is what ARR uses to proxy the request and identifies the reason for the failure.

You can decode the error code with a tool like err.exe. In this example, the error code maps to ERROR_WINHTTP_TIMEOUT. You can also find this information in the IIS logs for the associated website on the ARR controller. The following is an excerpt from the IIS log entry for the 502.3 error, with most of the fields trimmed for readability:

sc-status sc-substatus sc-win32-status time-taken
502 3 12002 29889

The win32 status 12002 maps to the same ERROR_WINHTTP_TIMEOUT error reported in the error page.

What exactly timed-out?

We investigate this a bit further by enabling Failed Request Tracing on the IIS server. The first thing we can see in the failed request trace log is where the request was sent to in the ARR_SERVER_ROUTED event. The second item I have highlighted is what you can use to track the request on the target server, the X-ARR-LOG-ID. This will help if you are tracing the target or destination of the HTTP request:

77. ARR_SERVER_ROUTED RoutingReason="LoadBalancing", Server="192.168.0.216", State="Active", TotalRequests="3", FailedRequests="2", CurrentRequests="1", BytesSent="648", BytesReceived="0", ResponseTime="15225" 16:50:21.033
78. GENERAL_SET_REQUEST_HEADER HeaderName="Max-Forwards", HeaderValue="10", Replace="true" 16:50:21.033
79. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="192.168.0.204:49247", Replace="true" 16:50:21.033
80. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-SSL", HeaderValue="", Replace="true" 16:50:21.033
81. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-ClientCert", HeaderValue="", Replace="true" 16:50:21.033
82. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-LOG-ID", HeaderValue="dbf06c50-adb0-4141-8c04-20bc2f193a61", Replace="true" 16:50:21.033
83. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 16:50:21.033

The following example shows how this might look in the target server's Failed Request Tracing logs; you can validate that you have found the correct request by matching up the X-ARR-LOG-ID values in both traces.

185. GENERAL_REQUEST_HEADERS Headers="Connection: Keep-Alive Content-Length: 0 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Host: test Max-Forwards: 10 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) X-Original-URL: /time/ X-Forwarded-For: 192.168.0.204:49247 X-ARR-LOG-ID: dbf06c50-adb0-4141-8c04-20bc2f193a61"
345. GENERAL_FLUSH_RESPONSE_END BytesSent="0", ErrorCode="An operation was attempted on a nonexistent network connection. (0x800704cd)" 16:51:06.240

In the above example, we can see that the ARR server disconnected before the HTTP response was sent. The timestamp for GENERAL_FLUSH_RESPONSE_END can be used as a rough guide to find the corresponding entry in the IIS logs on the destination server.

date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status sc-substatus sc-win32-status time-taken
2011-07-18 16:51:06 192.168.0.216 GET /time/ - 80 - 200 0 64 45208

Note that IIS on the destination server logged an HTTP 200 status code, indicating that the request completed successfully from its point of view. Also note that the win32 status is 64, which maps to ERROR_NETNAME_DELETED. This generally indicates that the client (ARR being the 'client' in this case) disconnected before the response was fully sent.

What happened?

Only the ARR server is reporting a timeout, so that is where we should look first.

In the IIS log entry from the ARR server, we can see that the time-taken is very close to 30 seconds, but the member server log shows that it took 45 seconds (45208 ms) to send the response. This suggests that ARR is timing the request out, and if we check the proxy timeout in the server farm's proxy settings, we will see that it is set to 30 seconds by default.

So in this case we can clearly see that the ARR timeout was shorter than the execution of the request. Therefore, you would want to investigate whether this execution time was normal or whether you would need to look at why the request was taking longer than expected. If this execution time was expected and normal, increasing the ARR timeout should resolve the error.

Other possible reasons for ERROR_WINHTTP_TIMEOUT include:

  • ResolveTimeout: This occurs if name resolution takes longer than the specified timeout period.
  • ConnectTimeout: This occurs if it takes longer than the specified timeout period to connect to the server after the name resolved.
  • SendTimeout: If sending a request takes longer than this time-out value, the send operation is canceled.
  • ReceiveTimeout: If a response takes longer than this time-out value, the request is canceled.

For the first two, ResolveTimeout and ConnectTimeout, the troubleshooting methodology outlined above would not work, because the request never reaches the target server: there is no traffic there to trace and no error code to read. In the case of ResolveTimeout or ConnectTimeout you would want to capture a WinHTTP trace on the ARR server for additional insight; see the WinHTTP/WebIO Tracing section of this troubleshooter.
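The triage described in this section as a script, added here as an example and not part of the Microsoft troubleshooter. It parses IIS W3C log lines from the ARR controller, decodes sc-win32-status (WinHTTP codes from a small table, everything else through the system message table), flags 502.3 entries whose time-taken sits at the farm timeout, and shows how to raise that timeout once backend execution time has been confirmed as legitimate. The log lines are constructed sample data and the farm name "myFarm" is an assumption.

```powershell
# Added example; not part of the original troubleshooter. Log lines below are constructed.
$WinHttpErrors = @{
    12002 = 'ERROR_WINHTTP_TIMEOUT'                  # 0x80072ee2 on the ARR error page
    12007 = 'ERROR_WINHTTP_NAME_NOT_RESOLVED'        # ResolveTimeout / bad DNS
    12029 = 'ERROR_WINHTTP_CANNOT_CONNECT'           # ConnectTimeout / port closed
    12030 = 'ERROR_WINHTTP_CONNECTION_ERROR'         # 0x80072efe, connection dropped mid-stream
    12152 = 'ERROR_WINHTTP_INVALID_SERVER_RESPONSE'  # 0x80072f78, truncated/invalid response
}

function Convert-Win32Status {
    param([Parameter(Mandatory)][int]$Code)
    if ($WinHttpErrors.ContainsKey($Code)) { return $WinHttpErrors[$Code] }
    # Codes outside the WinHTTP range (e.g. 64 = ERROR_NETNAME_DELETED) are in the system table
    return ([System.ComponentModel.Win32Exception]$Code).Message
}

# Constructed sample of an ARR controller's IIS log (W3C format with a #Fields header)
$SampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status time-taken
2011-07-18 16:50:21 192.168.0.10 GET /time/ - 80 - 192.168.0.204 502 3 12002 29889
2011-07-18 16:55:02 192.168.0.10 GET /time/ - 80 - 192.168.0.204 502 3 12030 120
2011-07-18 16:56:10 192.168.0.10 GET /index.html - 80 - 192.168.0.204 200 0 0 15
'@ -split "`r?`n"

function Get-Arr502 {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Column order comes from the #Fields line, so the parser survives a changed log layout
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '502') { continue }
        $win32 = [int]$row['sc-win32-status']
        [pscustomobject]@{
            Time        = "$($row['date']) $($row['time'])"
            Uri         = $row['cs-uri-stem']
            SubStatus   = [int]$row['sc-substatus']
            Win32       = $win32
            Reason      = Convert-Win32Status -Code $win32
            TimeTakenMs = [int]$row['time-taken']
        }
    }
}

$farmTimeoutMs = 30000   # ARR farm proxy timeout, 00:00:30 by default
Get-Arr502 -Lines $SampleLog | ForEach-Object {
    $hint = ''
    if ($_.Reason -eq 'ERROR_WINHTTP_TIMEOUT' -and $_.TimeTakenMs -ge ($farmTimeoutMs - 500)) {
        $hint = '<- hit the farm proxy timeout; check backend execution time before raising it'
    }
    '{0} {1} 502.{2} win32={3} ({4}) {5} ms {6}' -f $_.Time, $_.Uri, $_.SubStatus, $_.Win32, $_.Reason, $_.TimeTakenMs, $hint
}

# Only once the backend's execution time is known to be legitimately long: raise the timeout.
# Farm name 'myFarm' is an assumption; the setting lives in applicationHost.config.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "webFarms/webFarm[@name='myFarm']/applicationRequestRouting/protocol" `
    -Name timeout -Value ([TimeSpan]::FromSeconds(90))
```

The first constructed entry decodes to ERROR_WINHTTP_TIMEOUT at 29889 ms and is flagged; the second decodes to ERROR_WINHTTP_CONNECTION_ERROR after 120 ms, which points at the connection-termination case in the next section rather than at the timeout. Raising the timeout blindly hides slow backends and makes the controller hold more concurrent connections open, so treat it as the last step, not the first.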

502.3 Connection Termination Errors

502.3 errors are also returned when the connection between ARR and the member server is disconnected mid-stream. To test this type of problem, create a simple .aspx page that calls Response.Close(). In the following example there is a directory called “time” which is configured with a simple aspx page as the default document of that directory. When browsing to the directory, ARR will display this error:

Figure 2: ARR error page for a connection dropped by the member server (image not reproduced here)

The error 0x80072efe (win32 status 12030) corresponds to ERROR_INTERNET_CONNECTION_ABORTED. The request can be traced to the server that actually processed it using the same steps used earlier in this troubleshooter, with one exception: while Failed Request Tracing on the destination server shows the request was processed, the associated entry does not appear in the IIS logs. Instead, this request is logged in the HTTPERR log as follows:

HTTP/1.1 GET /time/ - 1 Connection_Dropped DefaultAppPool

The built-in logs on the destination server do not provide any additional information about the problem, so the next step would be to gather a network trace from the ARR server. In the example above, the .aspx page called Response.Close() without returning any data. Viewing this in a network trace would show that a Connection: close HTTP header was coming from the destination server. With this information you could now start an investigation into why the Connection: close header was sent.

The error below is another example of an invalid response from the member server:

Figure 3: ARR error page for an invalid response from the member server (image not reproduced here)

In this example, ARR started to receive the response from the member server, but the connection was cut before ARR had read the whole response, so WinHTTP returned 0x80072f78 (ERROR_WINHTTP_INVALID_SERVER_RESPONSE, win32 status 12152). To investigate further, use Network Monitor on the member server to get a network trace of the problem. This particular example was created by calling Response.Close() in the ASP.NET page after sending part of the response and then calling Response.Flush(). If the traffic between the ARR server and the member servers is over SSL, then WinHTTP tracing on Windows Server 2008 or WebIO tracing on Windows Server 2008 R2 may provide additional information. WebIO tracing is described later in this troubleshooter.

502.4 No appropriate server could be found to route the request

The HTTP 502.4 error with an associated error code of 0x00000000 generally indicates that all the members of the farm are either offline, or otherwise unreachable.

Figure 4: HTTP 502.4 error page (image not reproduced here)

The first step is to verify that the member servers are actually online. To check this, go to the “servers” node under the farm in the IIS Manager.

Figure 5: the Servers node of the farm in IIS Manager (image not reproduced here)

Servers that are offline can be brought back online by right-clicking on the server name and choosing "Add to Load Balancing". If you cannot bring the servers back online, verify that the member servers are reachable from the ARR server on the port the farm uses. The "Trace Messages" pane on the Servers page may also provide some clues about the problem. If you are using Web Farm Framework (WFF) 2.0, you may receive this error after the application pool restarts; restart the Web Farm Service to recover.

WinHTTP/WebIO Tracing

Usually, Network Monitor will provide you with the information you need to identify exactly what is timing out, however there are times (such as when the traffic is SSL encrypted) that you will need to try a different approach. On Windows 7 and Windows Server 2008R2 you can enable WinHTTP tracing using the netsh tool by running the following command from an administrative command prompt:

netsh trace start scenario=internetclient capture=yes persistent=no level=verbose tracefile=c:\temp\net.etl

Then, reproduce the problem. Once the problem is reproduced, stop the tracing by running the following command from the command prompt:

netsh trace stop

The stop command will take a few seconds to finish. When it is done, you will find a net.etl file and a net.cab file in C:\temp. The .cab file contains event logs and additional data that may prove helpful in analyzing the .etl file.

To analyze the log, open it in Netmon 3.4 or later. Make sure you have set up your parser profile as described here. Scroll through the trace until you find the w3wp.exe instance where ARR is running by correlating with the “UT process name” column. Right click on w3wp and choose “Add UT Process name to display filter”. This will set the display filter similar to:

UTProcessName == "w3wp.exe (1432)"

You can further filter the results by changing it to the following:

UTProcessName == "w3wp.exe (1432)" AND ProtocolName == "WINHTTP_MicrosoftWindowsWinHttp"

You will need to scroll through the output until you find the timeout error. In the example below, a request timed out because it took more than 30 seconds (ARR's default timeout) to run.

336 2:32:22 PM 7/22/2011 32.6380453 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver starts in _INIT state
337 2:32:22 PM 7/22/2011 32.6380489 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::current thread is not impersonating
340 2:32:22 PM 7/22/2011 32.6380584 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = ? (0x5b4), overlapped = 003728F0))
341 2:32:22 PM 7/22/2011 32.6380606 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver failed to receive headers; error = ? (1460)
342 2:32:22 PM 7/22/2011 32.6380800 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::ERROR_WINHTTP_FROM_WIN32 mapped (?) 1460 to (ERROR_WINHTTP_TIMEOUT) 12002
343 2:32:22 PM 7/22/2011 32.6380829 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse()
344 2:32:22 PM 7/22/2011 32.6380862 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-req completes recv-headers inline (sync); error = ERROR_WINHTTP_TIMEOUT (12002)

In this next example, the content server was completely offline:

42 2:26:39 PM 7/22/2011 18.9279133 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::WinHttpReceiveResponse(0x11d23d0, 0x0) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
43 2:26:39 PM 7/22/2011 18.9279633 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver starts in _INIT state {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
44 2:26:39 PM 7/22/2011 18.9280469 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::current thread is not impersonating {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
45 2:26:39 PM 7/22/2011 18.9280776 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = WSAETIMEDOUT (0x274c), overlapped = 003728F0)) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
46 2:26:39 PM 7/22/2011 18.9280802 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver failed to receive headers; error = WSAETIMEDOUT (10060) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
47 2:26:39 PM 7/22/2011 18.9280926 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::ERROR_WINHTTP_FROM_WIN32 mapped (WSAETIMEDOUT) 10060 to (ERROR_WINHTTP_TIMEOUT) 12002 {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
48 2:26:39 PM 7/22/2011 18.9280955 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}


Cisco AnyConnect

Cisco AnyConnect is an SSL VPN client that provides reliable and easy-to-deploy encrypted (SSL) network connectivity for Windows.

Typically, the Cisco AnyConnect client would be downloaded from the VPN site, but the version currently available from that location is not compatible with current versions of Windows 7 and Windows 8 and will not function properly due to Microsoft Windows security updates.

Note: Remember to verify that you are running the most recent version of Java (java.com).

Download Link

AnyConnect-3.1.02026


Manually enable Appear Offline in Lync 2013 (or Skype for Business 2016) via Registry

Lync 2013, just as with previous releases, allows the ability to Appear Offline. And just as with previous releases, you can enable this functionality in the Lync Client Policies. For information on how Lync Client Policies work, see my post here. To enable Appear Offline through Client Policy against the Global Policy, use the following command:

Get-CSClientPolicy | Set-CSClientPolicy -EnableAppearOffline $true

This will require a Lync 2013 client restart.

As an Administrator, you may not want to make this change to a Client Policy as the goal of Lync is to promote collaboration, not inhibit it by having users Appear Offline and hide from other users. At the same time, you may want to enable it for a user or two at request and won’t want to have to bother providing this small group of users their own Client Policy. Lync 2010 provided the ability to do that via registry key. Mike Pfeiffer provides a great article on Lync 2010 for setting the Lync 2010 registry key to manually enable Appear Offline in Lync 2010. You can see his article here.

The goal of this article is to show how to do the same in Lync 2013. Because Lync 2013 is now a part of Office 2013, Lync 2013 registry items are now under the Office 2013 registry section (Office 15.0). There are two ways to set this registry:

  1. Cmd.exe
  2. Regedit.exe

Using Cmd.exe

Open an elevated command prompt and type the following command for your Office version:

Office 2013

Reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\15.0\Lync" /V "EnableAppearOffline" /D 1 /T REG_DWORD /F

Office 2016

Reg Add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Lync" /V "EnableAppearOffline" /D 1 /T REG_DWORD /F

Using Regedit.exe

  1. Start regedit.exe
  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand Software, expand Policies, expand Microsoft, expand Office, expand 15.0 (16.0 for Office 2016), expand Lync
  3. Right-click the Lync registry key, point to New, and then click DWORD (32-bit) Value
  4. After the new value is created, type EnableAppearOffline to rename the value.
  5. Double-click the new EnableAppearOffline registry value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 1 in the Value data box, and then click OK.


Fix: Unable to write files to USB with Windows 7 USB/DVD Download tool

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/unable-to-copy-files-using-windows-7-usbdvd/bd21e76d-5174-4f76-8db5-36df105a12c5


Force Windows 8 to show all user accounts on the sign on screen.

Taken from here: http://www.techrepublic.com/blog/windows-and-office/force-windows-8-to-show-all-user-accounts-on-the-sign-on-screen/


Don't rejoin to fix "the trust relationship between this workstation and the primary domain failed"

Copied from here: http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx

If you Google "the trust relationship between this workstation and the primary domain failed", you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That's not always possible.


The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined. The machine's private secret is no longer the same value as the one stored on the domain controller. That secret is the computer account password: it is kept locally as an LSA secret, and the Kerberos keys for the computer account are derived from it. When you try to access this machine using a domain account, it fails to decrypt and verify the Kerberos service ticket you receive from Active Directory, because that ticket was encrypted with a key derived from the password the domain controller holds, not the stale one the machine holds. I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller. This solution also fixes that problem.

This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.



Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.

Microsoft support article on the topic: http://support.microsoft.com/kb/162797

I’m not a fan of any of these options.  This seems heavy handed and sometimes they aren’t even possible.

Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.


Just change your computer password using netdom.exe!

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = a user in DOMAIN\User format with rights to change the computer password

Here are the full steps:

  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing ".\Administrator" in the logon window. I hope you remember the password. If you're creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with a domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user's cached credential has the same problem as the machine's private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you're running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link: http://technet.microsoft.com/en-us/library/ee649281(WS.10).aspx
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven’t done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17657
    3. Post change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center Service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select “run as Administrator”.
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.

Here is more information on netdom.exe: http://support.microsoft.com/kb/325850
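The same repair with the built-in cmdlets that cover this job on Windows PowerShell 3.0 and later (Windows 8 / Server 2012 onward), added here as an example and not part of the original post; on older systems the netdom.exe command above is the way to go. Assumptions: "DC1" is a writable domain controller of the joined domain, the credential supplied can reset computer account passwords (a Domain Admin, for example), and you are logged on with a local account exactly as in step 1.

```powershell
# Added example; not from the original post. Run elevated while logged on as .\Administrator.
function Repair-MachineTrust {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # A skewed clock breaks Kerberos (default tolerance is 5 minutes) and presents like a
    # broken trust, so measure it against the DC before touching the computer account.
    $sample = (& w32tm.exe /stripchart "/computer:$DomainController" /samples:1 /dataonly) -join ' '
    if ($sample -match '([+-]\d+\.\d+)s' -and [math]::Abs([double]$Matches[1]) -gt 300) {
        throw "Clock differs from $DomainController by $($Matches[1]) s; fix time sync first"
    }

    if (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue) {
        return 'Secure channel already healthy; nothing to do'
    }

    # Same operation as 'netdom resetpwd': a new computer account password is set on the DC
    # and written to the local LSA secret in one step. No domain leave/rejoin, no new SID.
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential

    if (-not (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue)) {
        # Fallback that re-establishes the channel in place if the reset alone was not enough
        Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $Credential -ErrorAction SilentlyContinue | Out-Null
    }

    if (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue) {
        return 'Secure channel repaired; reboot the machine so cached tickets are discarded'
    }
    throw 'Secure channel still broken; confirm the computer account exists and is enabled in AD'
}

Repair-MachineTrust -DomainController 'DC1' -Credential (Get-Credential -Message 'Domain account allowed to reset computer passwords')
```

If the broken machine is itself a domain controller, the extra steps in 3 above (stopping the KDC first, replication afterwards) still apply; the cmdlets do not do that for you.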


I hope this is helpful.  This problem comes up every few months for me, so I wanted to document it for my own use.  It is difficult to find when you just search for the error you get in the login window.


Nesting Hyper-V with VMware Workstation 8 and ESXi 5

Original Source Post: http://www.veeam.com/blog/nesting-hyper-v-with-vmware-workstation-8-and-esxi-5.html

As Veeam moves forward and starts to become focused on two virtualization platforms, I thought to myself now is the time to work out how I'm going to introduce Microsoft Hyper-V in my lab environment. I wanted to know if it could be virtualized running inside a VMware virtual machine of some sort. Veeam has been very successful in presenting its solutions through the use of portable labs running, for example, on laptops nested under VMware Workstation. We would often have a nested ESX server, vCenter, DC and Veeam apps running on a single laptop and I wanted to know if Hyper-V could be thrown into the mix.

This post will function as a how-to guide and provide a step-by-step process to run Hyper-V virtual machines on either VMware Workstation 8 or ESXi 5.

For a long time, I was told it was impossible, and a few months ago, I heard a passing rumour that it would be possible when ESXi 5 came out. I’d also heard that ESXi 5 running on Intel Nehalem or Intel Core i7 was going to allow nested hypervisors to also contain running, nested 64bit virtual machines. So firstly, I went about making sure that when I was due for a new laptop, I would have this Intel architecture, or equivalent AMD, in my system. I also managed to build a lab with the same architecture that I plan to use on the road for events.

Through Twitter, someone sent me a link to a few blogs that helped me start my quest:

http://www.vcritical.com/2011/07/vmware-vsphere-can-virtualize-itself/#comment-12442

http://www.virtuallyghetto.com/2011/07/how-to-enable-support-for-nested-64bit.html

By the time I’d gotten a chance to give it a whirl, ESXi had gone GA. What I found from the blogs posted above was there were some great pointers, but when I followed either post’s instructions, all I got was a blank Black Screen like a few other people were reporting. No matter what additional information I gave, it just would not work. Undeterred, I decided to try something different. I installed VMware Workstation 8 instead of ESXi 5 and managed to get a nested Hyper-VM working. At this point, I knew my hardware was going to be compatible with nesting Hyper-V. The blog posts above stated the key to making it work is a feature found in your CPU/BIOS called Intel EPT. Now, I read that if you have Nehalem/Core i7, you should have Intel EPT; the blog posts suggested that it should be enabled through the BIOS. However, I didn’t find this option in either of my system BIOS.

While testing what would work, I decided to use Windows 2008 R2 Standard and enable Hyper-V as a Role rather than install the standalone Hyper-V product. I only did this to make my life easier, but the standalone Hyper-V product is a fine option as well.

Nesting a Hyper-VM on VMware Workstation 8

So, following are the steps to create a Microsoft Hyper-V VM running in VMware Workstation 8, but later I’ll show you how to do it in ESXi 5 as well:

1. Create a New VM with version 8 hardware

clip_image002

2. Give it 4 GB RAM and 2 x vCPUs with about 80-100 GB disk space, depending upon how many VMs you wanted nested underneath Hyper-V.

3. The instructions lead you to believe that you should pick a VMware ESX option as the guest OS… STOP! DON’T! Select Windows 2008 R2 x64.

clip_image004

4. When you are finished, make sure you add another NIC to the VM to be used as the Hyper-V virtual network.

5. Under the settings of the VM > CPU, make sure you have the option to pass-through the Intel VT-x/EPT feature.

clip_image006

6. Make sure you have set the VM to boot from Windows 2008 R2 x64 media ISO.

7. Before booting, you should edit the config file .vmx and add the parameter: hypervisor.cpuid.v0 = "FALSE"

clip_image008

8. Now Boot and Install Windows 2008 R2 x64.

9. Once finished, open up Server Manager and click “Add Role”.

clip_image010

10. Select and install the Hyper-V option. At this point, you will know if your system is working correctly and passing the Intel EPT feature, because if it doesn’t, you won’t be able to go past this point.

clip_image012

11. You’ll also have to select the network adapter used for the virtual network.

clip_image014

12. Now install Hyper-V, which will need a reboot.

13. After it is completed, open Server Manager drill down to Hyper-V and connect to the local server.

clip_image016

14. Now create and install a virtual machine.

clip_image018

Once done, you should be able to use it as normal, albeit slow.

Nesting Hyper-VM running ESXi 5

Now, doing the same thing on ESXi 5 is a little trickier although some of the steps are the same.

1. Before anything you need to place an entry in the /etc/vmware/config file found in the tech support mode on your ESXi 5. I enabled SSH through the security profile in the vSphere Client. Then used putty SSH into the ESXi system.

2. From there I executed the following command which is needed to allow nested hypervisors :

# echo 'vhv.allow = "TRUE" ' >> /etc/vmware/config

Notice the use of single and double quotes in the command-line

3. Now create a virtual machine using version 8 hardware, 4GB (or as much as you can spare), 2 x vCPUs, 2 or more vNICs and a 100GB virtual disk.

4. Before booting up the VM and installing Hyper-V we need to add two lines to the virtual machine's .vmx config file.

You can try this through the vSphere Client in the settings of the virtual machine > Configuration Parameters; I had better luck doing it from the command line.

clip_image020

clip_image022

To add them using the command line, go back to the SSH session and change into the directory where your Hyper-V VM is stored.

In my example the config file is called Hyper-V.vmx. Type the following commands:

# echo 'monitor.virtual_exec = "hardware" ' >> Hyper-V.vmx
# echo 'hypervisor.cpuid.v0 = "FALSE" ' >> Hyper-V.vmx

5. Now back in the VM settings > Options > CPU/MMU Virtualization make sure you have the option to pass the Intel EPT feature.

clip_image024

6. Now in the Options area > CPUID Mask click on Advanced

clip_image026

7. Add the following CPU mask: Level ECX: ---- ---- ---- ---- ---- ---- --H- ----

clip_image028

8. Now Install Hyper-V or Windows 2008 R2 and enable the Hyper-V role.

9. You are ready to roll.

Gotchas/Tips

Here are a few tips from Ricky to avoid any of the stopping points along the way:

  • On my system part way through install of Microsoft Hyper-V the OS requires a reboot. When you do this after Hyper-V has been installed it blue screens…DON’T PANIC because it doesn’t blue screen while actually using Hyper-V
  • With both my server and laptop I had no way of telling if my systems had Intel EPT; it was a case of seeing if VMware passed Intel EPT without complaining and if Hyper-V spotted it. The giveaway for me was when I'd tried VMware Workstation first and it worked straight off. I've read a million and one things about this subject, but my gut feeling is that if you look for Nehalem or Core i7 and a motherboard that supports Intel VT, that is a safe bet. I read you need Intel VT-x2, which I don't have (I don't think), so that was misleading. If I can narrow the field of information I will update this post.
  • Remember nesting a hypervisor means it’s going to run very, very slow…however installing the nested hypervisor in a datastore that is on SSD disks helps big time.
  • The 2 blogs linked above presented 2 methods for creating the VM using version 4/7 hardware or version 8 hardware. I first went with version 8 hardware and no joy at all. All I got was a blank black screen. I actually tried a combination of the tweaks in both methods and that is what worked for me.
  • The port group that the nested Hyper-V machine resides on should be set to Promiscuous Mode: Accept
  • In one of the blogs there was a note suggesting making the entries manually in the config files (instead of using the GUI) was more stable. I found this too, so hence why I changed the config files in a shell session using putty.

By

Cisco VPN Client and Windows 8 Developer Build

Just to update, the legacy Cisco VPN client (5.0.07.0440 for x64, 5.0.07.0410 for x86) is working for some people. You need to apply the small workaround explained below:

  • Open the Registry Editor by typing regedit in the Run prompt
  • Browse to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • Select the DisplayName value to modify, and remove the leading characters from the value data up to and including the last "%;", i.e.
      ◦ For x86, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter" to "Cisco Systems VPN Adapter"
      ◦ For x64, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows"
  • Try connecting again

Please do revert back if this solution does not work.
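The same DisplayName edit done with PowerShell instead of by hand, as an added example that is not part of the original post: it removes everything up to and including the last "%;" from the value data and only writes the value back if something actually changed, so running it twice is harmless. The key path is the one given in the steps above; the helper name Get-CleanDisplayName is my own. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Strips the "@oemN.inf,%CVirtA_Desc%;" prefix from the CVirtA service DisplayName,
# which is exactly the manual registry edit described in the steps above.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'

function Get-CleanDisplayName {
    # Helper name is my own. Returns the value data with everything up to and
    # including the last "%;" removed; a value without that marker is returned unchanged.
    param([Parameter(Mandatory)][string]$Value)
    $idx = $Value.LastIndexOf('%;')
    if ($idx -lt 0) { return $Value }
    return $Value.Substring($idx + 2)
}

if (-not (Test-Path $keyPath)) {
    throw "Key $keyPath not found: is the Cisco VPN client installed?"
}

$current = (Get-ItemProperty -Path $keyPath -Name DisplayName).DisplayName
$clean   = Get-CleanDisplayName -Value $current

if ($clean -eq $current) {
    Write-Output "DisplayName is already clean: '$current'"
} else {
    # Only touch the registry when the prefix was actually present.
    Set-ItemProperty -Path $keyPath -Name DisplayName -Value $clean
    Write-Output "DisplayName changed from '$current' to '$clean'"
}
```

Using LastIndexOf rather than a fixed-length cut means the script copes with a different oemN.inf number or a longer localized prefix, as long as the "%;" separator is where the post says it is.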

By

IIS7: Moving the INETPUB directory to a different drive

Great article on what is involved in moving the IIS root folder in Server 2008 and newer OSs.

Having your content on a different partition than your Operating System is a good security practice. In previous IIS versions it was possible to do this at setup time via an unattend file. Due to changes in Vista and Windows Server 2008 setup, that is no longer possible: after setup the IIS7 INETPUB directory will be on the same partition as Windows, so moving it to a different drive has to be done after setup completes. Here is a table of configuration entries that use the INETPUB directory on a default install. The example for each entry shows how to move the setting to a different drive using the APPCMD command-line tool. Once all the settings are moved, the only step left is to copy the INETPUB directory via XCOPY. Here is a link to a batch file (packaged up in MOVEIIS7ROOT.ZIP) that moves the INETPUB directory to a drive of your choice.

Each entry below gives the directory, the configuration setting that references it, and an example of how to move the setting to a different drive (the examples use the F: drive).

LOGS\FREBLOGS
Failed Request Event Buffering (FREB) is a new IIS7 feature that logs failed requests. The default path for FREB logs is %systemdrive%\inetpub\logs\FailedReqLogFiles.
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.traceFailedRequestsLogging.directory:"F:\inetpub\logs\FailedReqLogFiles"

LOGS\LOGFILES
The default path for IIS7 log files is %systemdrive%\inetpub\logs\logfiles.
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"F:\inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"F:\inetpub\logs\logfiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"F:\inetpub\logs\logfiles"

TEMP\APPPOOLS
AppPool isolation is a new feature in IIS7. A dedicated AppPool configuration file gets automatically created before a new Application Pool is started. The default location of these files is %systemdrive%\inetpub\temp\appPools.
reg add HKLM\System\CurrentControlSet\Services\WAS\Parameters /v ConfigIsolationPath /t REG_SZ /d f:\inetpub\temp\appPools

HISTORY
Configuration history ensures that changes can be rolled back. The default location for configuration history is %systemdrive%\inetpub\history.
%windir%\system32\inetsrv\appcmd set config -section:system.applicationhost/configHistory -path:f:\inetpub\history

TEMP\ASP COMPILED TEMPLATES
Classic ASP stores compiled ASP code on disk if more than 250 compiled templates are in memory. The default disk cache location is "%systemdrive%\inetpub\temp\ASP Compiled Templates".
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/asp -cache.disktemplateCacheDirectory:"f:\inetpub\temp\ASP Compiled Templates"

TEMP\IIS TEMPORARY COMPRESSED FILES
IIS7 will cache compressed responses on disk if necessary. The default location for the compression cache is "%systemdrive%\inetpub\temp\IIS Temporary Compressed Files".
%windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"f:\inetpub\temp\IIS Temporary Compressed Files"

WWWROOT
IIS7 comes with a Default Web Site which points to %systemdrive%\inetpub\wwwroot.
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:f:\inetpub\wwwroot

CUSTERR
IIS7 stores Custom Error Pages in %systemdrive%\inetpub\custerr.
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='401'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='403'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='404'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='405'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='406'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='412'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='500'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='501'].prefixLanguageFilePath:f:\inetpub\custerr
%windir%\system32\inetsrv\appcmd set config -section:httpErrors /[statusCode='502'].prefixLanguageFilePath:f:\inetpub\custerr

WWWROOT and FTPROOT locations
Service Packs and other installers need to know where your WWWROOT and FTPROOT directory is. That's why the location is also specified in the registry.
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d f:\inetpub\wwwroot
reg add HKLM\Software\Microsoft\inetstp /v PathFTPRoot /t REG_SZ /d f:\inetpub\ftproot


MOVING THE CONTENT:

Once the configuration is changed you have to copy all content from your root drive to your new drive including ACLs and empty directories:

Example:

    xcopy c:\inetpub f:\inetpub /E /O /I

/E copies all directories even if they are empty
/O copies all security settings, i.e. Access Control Lists on files and directories
/I assumes the destination is a directory

PLEASE BE AWARE OF THE FOLLOWING:
WINDOWS SERVICING EVENTS (I.E. HOTFIXES AND SERVICE PACKS) WOULD STILL REPLACE FILES IN THE ORIGINAL DIRECTORIES. THE LIKELIHOOD THAT FILES IN THE INETPUB DIRECTORIES HAVE TO BE REPLACED BY SERVICING IS LOW, BUT FOR THIS REASON DELETING THE ORIGINAL DIRECTORIES IS NOT POSSIBLE.
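The table entries and the xcopy step above as one PowerShell script, added here as an example; it is not the MOVEIIS7ROOT batch file linked from the article, and the function name Invoke-AppCmd and the -TargetDrive parameter are my own. It runs the same appcmd and registry settings parameterised on the target drive, but copies the content before re-pointing the configuration so IIS is never configured against a directory that does not exist yet, and stops IIS for the duration so no open log file is copied half-written; the iisreset stop/start around the move is my addition, not something the article states. It assumes an elevated session on an IIS7 or later server with appcmd.exe in %windir%\system32\inetsrv and an NTFS-formatted target drive (xcopy /O can only carry ACLs to NTFS).

```powershell
# Added example (not the article's batch file). Moves the IIS7 INETPUB tree and every
# configuration entry from the table above to another drive. Run elevated.
param(
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$TargetDrive = 'F:'    # drive letter that will hold the new inetpub tree (assumed NTFS)
)

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$source = Join-Path $env:SystemDrive 'inetpub'   # default location on a fresh install
$root   = "$TargetDrive\inetpub"
$logs   = "$root\logs"

if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found at $appcmd" }
if (-not (Test-Path "$TargetDrive\")) { throw "Target drive $TargetDrive is not available" }

# Helper (my own): stop on the first failing appcmd call rather than leaving a
# half-moved configuration with some paths on C: and some on the new drive.
function Invoke-AppCmd {
    param([string[]]$Arguments)
    & $appcmd @Arguments
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed ($LASTEXITCODE): $($Arguments -join ' ')" }
}

# 1. Stop IIS so no log or cache file is open while it is copied (my addition).
iisreset /stop | Out-Null

# 2. Copy the content first, including ACLs (/O) and empty directories (/E), so every
#    path the configuration is about to reference already exists. The originals stay in
#    place: Windows servicing may still write to them (see the warning above).
xcopy $source $root /E /O /I /Y
if ($LASTEXITCODE -gt 1) { throw "xcopy failed with exit code $LASTEXITCODE" }

# 3. Re-point every configuration entry from the table.
Invoke-AppCmd @('set','config','-section:system.applicationHost/sites',
    "-siteDefaults.traceFailedRequestsLogging.directory:$logs\FailedReqLogFiles")
Invoke-AppCmd @('set','config','-section:system.applicationHost/sites',
    "-siteDefaults.logfile.directory:$logs\logfiles")
Invoke-AppCmd @('set','config','-section:system.applicationHost/log',
    "-centralBinaryLogFile.directory:$logs\logfiles")
Invoke-AppCmd @('set','config','-section:system.applicationHost/log',
    "-centralW3CLogFile.directory:$logs\logfiles")
Invoke-AppCmd @('set','config','-section:system.applicationhost/configHistory',
    "-path:$root\history")
Invoke-AppCmd @('set','config','-section:system.webServer/asp',
    "-cache.disktemplateCacheDirectory:$root\temp\ASP Compiled Templates")
Invoke-AppCmd @('set','config','-section:system.webServer/httpCompression',
    "-directory:$root\temp\IIS Temporary Compressed Files")
Invoke-AppCmd @('set','vdir','Default Web Site/',"-physicalPath:$root\wwwroot")
foreach ($code in 401,403,404,405,406,412,500,501,502) {
    Invoke-AppCmd @('set','config','-section:httpErrors',
        "/[statusCode='$code'].prefixLanguageFilePath:$root\custerr")
}

# 4. Registry entries: the AppPool isolation path used by WAS, and the root locations
#    that service packs and installers read.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WAS\Parameters' `
    -Name ConfigIsolationPath -Value "$root\temp\appPools" -Type String
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\inetstp' -Name PathWWWRoot -Value "$root\wwwroot" -Type String
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\inetstp' -Name PathFTPRoot -Value "$root\ftproot" -Type String

# 5. Bring IIS back up on the new paths.
iisreset /start | Out-Null
```

Because every appcmd call goes through Invoke-AppCmd, a typo in a section name or a missing path aborts the run before the later settings are changed, which keeps the server in a state you can diagnose with the commands from the table one at a time.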

Local copy of download

moveiis7root.zip (1.66 kb)