Tuesday, January 31, 2012

Running SSH commands from Powershell

There is a really simple way of running ssh commands on Unix/Linux boxes from a Powershell script. Although Powershell does not natively support ssh, it can rely on an external third-party tool to get the job done. The tool I am talking about today is Plink.

Plink (PuTTY Link) is the command-line connection tool of the PuTTY suite, similar to ssh, that you can download from the PuTTY site.

A Powershell script can call the plink.exe executable this way:

$sshcommand = & .\plink.exe unixhost -load unixhostsession "mkdir testfolder/testsubfolder;"

or:

$sshcommand = & .\plink.exe unixhost -load unixhostsession "chmod 2750 /testfolder/testsubfolder;"

or even:

$sshcommand = & .\plink.exe unixhost -load unixhostsession "useradd testuser -d /testuser/workshop/home"

As you can see, any command the remote shell accepts can be fired through Plink.

Of course you can use Powershell variables inside these commands: 

$unixhostname = "sysx.yourcompany.com"
$folder1 = "testfolder"
$folder2 = "testsubfolder"
$sshcommand = & .\plink.exe $unixhostname -load unixhostsession "mkdir $folder1/$folder2;"

In these examples we are using the handy -load switch, which makes Plink load a saved PuTTY session. The session named 'unixhostsession' supplies the host name, the user name and, for public-key authentication, the path to the private key. Note that PuTTY never stores a password in a session: a password login either needs the -pw switch (which leaves the password readable in the script and in the process list of the machine) or, better, a key. The session parameters are stored in the Windows Registry under the following registry key:

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\unixhostsession

Remark also the use of the Powershell call operator (the ampersand, &), which is used to launch any exe or script.

Last but not least, know that you can concatenate commands using a semi-colon. Just be sure to enclose everything in quotes, because the semi-colons must reach the remote shell rather than be interpreted by Powershell. Two more things to keep in mind: Plink expects the host key of the target to be already cached (under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys, which happens the first time you accept it interactively), otherwise it prompts and a scheduled script hangs; and whatever Powershell variable you interpolate into the command string is executed as-is by the remote shell, so never build that string from untrusted input without validating it.
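As an added example (not code from the original post), here is a small wrapper that puts the points above together: it runs Plink non-interactively, validates the values interpolated into the remote command and surfaces the remote exit code. It assumes plink.exe sits in the current directory, a saved session named 'unixhostsession' carries the user name and private key, and the host key has already been cached; the host and folder names are the placeholders used in the post.

```powershell
# Added example, not from the original post. Assumptions: plink.exe in the
# current directory, a PuTTY session 'unixhostsession' with user name and
# private key configured, host key already cached.

function Invoke-Plink {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [Parameter(Mandatory=$true)] [string] $Session,
        [Parameter(Mandatory=$true)] [string] $Command,
        [string] $PlinkPath = '.\plink.exe'
    )

    # -batch: never ask questions (unknown host key, missing key, password).
    # With an uncached host key plink aborts instead of prompting, which is
    # what you want in a script: a silent "accept" would defeat host checking.
    # The command is passed as one argument; its semicolons are interpreted
    # by the remote shell, not by Powershell.
    $output = & $PlinkPath -batch -load $Session $HostName $Command 2>&1
    $exit = $LASTEXITCODE    # plink returns the remote command's exit status

    New-Object PSObject -Property @{
        Host     = $HostName
        Command  = $Command
        ExitCode = $exit
        Output   = ($output | Out-String).TrimEnd()
    }
}

# Anything interpolated into the remote command line is handed to the remote
# shell as-is: "a; rm -rf /" is a valid folder name as far as Powershell knows.
function Test-SafeName {
    param([string] $Name)
    return ($Name -match '^[A-Za-z0-9._-]+$')
}

$unixhostname = 'sysx.yourcompany.com'   # placeholder from the post
$folder1 = 'testfolder'
$folder2 = 'testsubfolder'

foreach ($f in $folder1, $folder2) {
    if (-not (Test-SafeName $f)) { throw "Refusing to run with suspicious folder name '$f'" }
}

$result = Invoke-Plink -HostName $unixhostname -Session 'unixhostsession' `
                       -Command "mkdir -p $folder1/$folder2 && chmod 2750 $folder1/$folder2"

if ($result.ExitCode -ne 0) {
    Write-Error "Remote command failed on $($result.Host) (exit $($result.ExitCode)): $($result.Output)"
} else {
    Write-Host "OK: $($result.Output)"
}
```

The && between the two remote commands (instead of the post's semi-colon) makes the chmod run only if the mkdir succeeded; the non-zero exit code then tells the script which step failed.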

Monday, January 30, 2012

vMotion of MSCS cluster nodes running Windows 2008

Being able to vMotion MSCS cluster nodes is quite difficult to achieve and needs some fine tuning of the Windows cluster parameters. The modifications I am going to show you increase the cluster heartbeat timeout and so decrease the cluster's sensitivity to short network interruptions.

By default MSCS sends a heartbeat every second and declares a node failed, initiating a failover, when five consecutive heartbeats are missed.

Unfortunately 5 seconds is sometimes an insufficient time slot for VMware to complete the vMotion process: while the contents of the guest's memory are copied from one physical host to another, the guest is quiesced for a few seconds to allow the synchronization of the memory pages that changed during the copy. Typically you may lose up to 3 heartbeats.

You then need to raise the heartbeat values to their maximums. These are cluster-wide properties, so the commands below are issued on just one of your cluster nodes:

cluster /prop SameSubnetThreshold=10:DWORD
cluster /prop SameSubnetDelay=2000:DWORD

Here's the explanation of these parameters:
  • SameSubnetDelay: the interval, in milliseconds, between two heartbeats sent to nodes on the same subnet. By default this value is 1,000 milliseconds. The maximum possible value is 2000.
  • SameSubnetThreshold: the number of consecutive missed heartbeats that will be tolerated before a failover is initiated. The default value is 5. The maximum value is 10.
Setting these values to 2000 and 10 means that the cluster service will wait 20 seconds (2000 ms x 10) before initiating a failover. Keep in mind what you trade away: a genuine node crash now also takes up to 20 seconds to be detected, so size the change against the vMotion stun time you actually observe rather than always going to the maximum.

The commands above are a new feature of the cluster service under Windows 2008. There have in fact been many improvements to the Windows Server 2008 failover clustering service, and one of these improvements concerns exactly the cluster heartbeat mechanism.

If these modifications don't resolve your failover problem, then you might also adjust some more parameters:
  • check the health check policy of each cluster resource (the "Looks Alive" / "Is Alive" polling intervals)
  • increase the TimeOutValue of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk registry key, which is the time-out the disk class driver gives to storage I/O requests.
I hope this helps.
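As an added example (not from the original post), the same change made with the FailoverClusters Powershell module that ships with Windows Server 2008 R2, with the current values recorded first so the change can be reverted, and the new values read back from the cluster database. It assumes the Failover Clustering feature and its Powershell module are installed on the node where it runs; because the properties are cluster-wide, it runs once, on any node.

```powershell
# Added example, not from the original post. Run once, elevated, on any
# cluster node with the FailoverClusters module installed.

Import-Module FailoverClusters

$cluster = Get-Cluster

# Record the current values so the change can be reverted.
$before = @{
    SameSubnetDelay     = $cluster.SameSubnetDelay
    SameSubnetThreshold = $cluster.SameSubnetThreshold
}
$beforeOutage = $before.SameSubnetDelay * $before.SameSubnetThreshold / 1000
Write-Host ("Before: delay={0} ms, threshold={1}, tolerated outage={2} s" -f $before.SameSubnetDelay, $before.SameSubnetThreshold, $beforeOutage)

# The maximums on Windows Server 2008 / 2008 R2 (2000 ms, 10 heartbeats).
$cluster.SameSubnetDelay     = 2000
$cluster.SameSubnetThreshold = 10

# Re-read from the cluster database rather than trusting the local object.
$after  = Get-Cluster
$outage = $after.SameSubnetDelay * $after.SameSubnetThreshold / 1000
Write-Host ("After:  delay={0} ms, threshold={1}, tolerated outage={2} s" -f $after.SameSubnetDelay, $after.SameSubnetThreshold, $outage)

if ($after.SameSubnetDelay -ne 2000 -or $after.SameSubnetThreshold -ne 10) {
    throw "Heartbeat settings were not applied"
}

# A real node crash is now detected only after $outage seconds. If your
# vMotion stun time is 3 heartbeats, a threshold of 6 or 7 already covers it.
Write-Host "Failure detection now takes up to $outage seconds."
```

To revert, assign the two values saved in $before back to the cluster object; no reboot or cluster service restart is needed in either direction.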

Friday, December 16, 2011

Setting up an account for the antivirus agent on a NetApp

When you install an antivirus server like Trend Micro ServerProtect or McAfee VirusScan Enterprise for Storage, or a backup agent (such as HP Data Protector), and you want to point them at your NetApp filer, there is one action which is necessary to allow the Trend or ePO agent to communicate with the filer.

This action is to set up a user account which can bypass file security to scan or backup the shared files wherever they are stored on the NetApp qtrees.

So, the first step to accomplish this is to create an Active Directory user account named yourdomain\youravuser (if you don't have one already). Then you have to add yourdomain\youravuser to the filer's local Backup Operators group. Treat this account like any other with backup privileges: it can read every file on the filer regardless of ACLs, so give it a strong password, no interactive logon rights and no other group memberships.

The commands to use are shown below.

Tuesday, December 13, 2011

Celebrating 20 years of Linux

I'll be celebrating 20 years of Linux with
The Linux Foundation!

Understanding Windows Services Recovery features

As you probably know, Windows has the ability to automatically perform a predefined action in response to the failure of a Windows service. The Recovery tab in the service's property page lets you define the actions the system has to perform on first failure, second failure, and subsequent failures.

Valid options are "Take No Action", "Restart the Service", "Run a Program", and "Restart the Computer".

In my case I have configured my test Trend ServerProtect service to restart after the first and the second failure, then a system reboot is executed the next time this service fails.

To test this I have written a basic batch script which repeatedly kills the service. Doing so I discovered that, with the default setting of the "Reset fail count after" option, Windows always performs the action defined for the first failure (in my case my Trend ServerProtect test service is restarted) and never goes through the successive actions.

Furthermore I see that the event log reports all the time the same diagnostic message, even in case of recurring service failures:

Log Name:      System
Source:        Service Control Manager
Date:          07/12/2011 10:54:25
Event ID:      7031
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      servername
Description:
The Trend ServerProtect service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.


The "It has done this 1 time(s)" sentence looks problematic to me because I am repeatedly killing this service and the failure counter should increase.

If I double check the recovery parameters with sc.exe I am happy with the output:

sc qfailure spntsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: spntsvc
   RESET_PERIOD (in seconds)    : 0
   REBOOT_MESSAGE               :
   COMMAND_LINE                 :
   FAILURE_ACTIONS              : 
     RESTART -- Delay = 60000 milliseconds.
     RESTART -- Delay = 60000 milliseconds.
     REBOOT -- Delay = 60000 milliseconds.

So, why doesn't the failure counter increase? At first sight it looks like a bug in the way the Service Control Manager reads or understands the parameters I have set.

After deep investigation, and after many searches throughout technet.microsoft.com, I found that the "Reset fail count after:" option is the period of failure-free running after which the Service Control Manager resets the failure count to zero. Setting it to 0 (which is what the RESET_PERIOD line above shows) resets the count immediately, so every crash is counted as the first failure. I had completely misunderstood its meaning, and at first I was lost for words when I discovered that this parameter did not do what I expected from it.

Anyway, once you know that keeping this option set to 0 effectively disables both the "second failure" and "subsequent failures" actions, the solution is pretty simple: set its value to 1 (or whatever you like) and you'll get the desired behavior upon service failure (in my case the server will restart upon the third failure). One second is fine for a kill-loop test; in production choose a period longer than the time your service typically survives between crashes (a day, for instance), otherwise a service that crashes every few minutes will keep being restarted forever and never reach the later actions.

I hope this post will help you and, if so, do not hesitate to comment!
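As an added example (not code from the original post), the same recovery policy set and verified from the command line with sc.exe, which exists on every Windows version discussed here. The service name spntsvc is the Trend ServerProtect service from the post; substitute your own. The reset period of 86400 seconds (one day) is a choice made for this example, not a value the post recommends.

```powershell
# Added example, not from the original post. Run from an elevated prompt.

$svc = 'spntsvc'   # Trend ServerProtect service from the post

# reset=   seconds of failure-free running after which the failure count
#          returns to zero. 0 makes every crash "the first failure", which is
#          the behaviour the post ran into. 86400 (one day) is used here.
# actions= first/second/subsequent action, each followed by its delay in ms.
#          Valid actions: restart, run, reboot, "" (none).
$scArgs = @(
    'failure', $svc,
    'reset=', '86400',
    'actions=', 'restart/60000/restart/60000/reboot/60000'
)
& sc.exe @scArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc failure returned $LASTEXITCODE" }

# Failure actions fire when the process dies. A service that stops by itself
# with a non-zero exit code is only counted when this flag is set.
& sc.exe failureflag $svc 1 | Out-Null

# Read the configuration back and parse the bits that matter.
$q = & sc.exe qfailure $svc
$reset   = ($q | Select-String 'RESET_PERIOD').ToString().Split(':')[1].Trim()
$actions = @($q | Select-String '^\s+(RESTART|RUN PROCESS|REBOOT)')

"{0}: reset period {1} s, {2} action(s) configured" -f $svc, $reset, $actions.Count
if ([int]$reset -eq 0 -and $actions.Count -gt 1) {
    Write-Warning "Reset period is 0: only the first action will ever run"
}
```

The warning at the end is the check worth keeping in a build script: a non-zero reset period is what makes the second and third actions reachable at all.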

Friday, December 2, 2011

VMware vMotion and the CPU incompatibility problem

By default, vCenter (formerly VirtualCenter) only allows migrations with vMotion between compatible source and destination CPUs. So if you have been trying to move a VM from one host to another, and you got stuck with an error message telling you that the CPU of your destination host is incompatible with the CPU configuration of your virtual machine, then this usually means one of the following:

a) you did not mask the NX/XD bit in the settings of the VM, or...
b) you did not enable "No-Execute Memory Protection" on both your source host and destination host, or...
c) your cluster of ESX hosts is not configured for Enhanced VMotion Compatibility (EVC)

The complete error message you get is:

CPU of the host is incompatible with the CPU feature requirements of virtual machine;
Problem detected at CPUID level 0x80000001 register edx 

The edx register of CPUID leaf 0x80000001 is where the NX (No-Execute) bit lives (bit 20), which is why the first two items above are about NX/XD: the VM has been started with a CPU feature set that the destination host does not advertise.



There are different methods to get past this blocking point.
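As an added example (not from the original post), a PowerCLI check that shows, cluster by cluster, the things the error is usually about: whether EVC is enabled, the highest EVC baseline each host's CPU could join, and which VMs carry custom CPUID masks such as the NX/XD mask. It assumes the VMware PowerCLI snap-in is installed and a Connect-VIServer session is already open; cluster, host and VM names are whatever your inventory contains.

```powershell
# Added example, not from the original post. Requires PowerCLI and an
# existing Connect-VIServer session.

Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

foreach ($cluster in Get-Cluster) {
    $evc = if ($cluster.EVCMode) { $cluster.EVCMode } else { '(EVC disabled)' }
    Write-Host ("Cluster {0}: EVC mode {1}" -f $cluster.Name, $evc)

    # MaxEVCMode is the highest EVC baseline this host's CPU could join.
    # With EVC off, hosts of different CPU generations in the same cluster
    # produce exactly the CPUID 0x80000001 error from the post.
    Get-VMHost -Location $cluster | ForEach-Object {
        "{0,-30} CPU: {1,-40} MaxEVCMode: {2}" -f $_.Name, $_.ProcessorType, $_.MaxEVCMode
    }

    # Per-VM view: vCenter keeps the CPUID masks given to a VM (the NX/XD mask
    # among them) in Config.CpuFeatureMask; an empty list means host default.
    Get-VM -Location $cluster | ForEach-Object {
        $masks = @($_.ExtensionData.Config.CpuFeatureMask)
        "{0,-30} custom CPUID masks: {1}" -f $_.Name, $masks.Count
    }
}
```

A host whose MaxEVCMode is lower than the cluster's EVC mode cannot be added to that cluster; a VM with custom masks keeps them until it is powered off and reconfigured, which is why masking NX/XD only takes effect after a cold boot of the VM.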

Friday, November 18, 2011

Disabling Auto Restart After Windows 7 Update

I have recently chosen Windows 7 as the operating system for my home NAS. After testing FreeNAS, Ubuntu, Linux Mint, Windows XP and Windows 2003 Server, I must say that there are many reasons that pushed me to this difficult choice and there are a lot of advantages to using Windows 7 as a file server.

However I am not going to talk about this right now.

What I wanted to talk about is NAS availability: if there is one thing I expect from my NAS, it is it to be on and ready to serve all the time. Not a minute less.

Unfortunately this Microsoft OS is too often trying, and sometimes succeeding, in rebooting my home server in the middle of the night, when I least expect it. And this is something I don't like at all, not even to apply the critical security patches that the clever people at Big Brother Microsoft have crafted for me.

That's why I want to share a not-so-secret hint on how to stop Windows Update from restarting your system once and for all. It is an easy, painless method which, as usual under Windows, consists of adding a registry key. Be aware of the other side of the bargain: the updates still get installed, but a patch that needs a reboot is not fully applied until you restart the machine yourself, so schedule that restart rather than forgetting about it.
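As an added example (not from the original post, whose own registry key is not reproduced above), the Windows Update policy values that control this behaviour, set from Powershell. NoAutoRebootWithLoggedOnUsers is the documented policy "No auto-restart with logged on users for scheduled automatic updates installations"; it only holds while somebody is logged on, so for a headless NAS the example also shows AUOptions = 3 (download the updates, but only notify for the installation), which is what actually prevents unattended installs and their reboots. The post's own key may be a different one.

```powershell
# Added example, not from the original post. Run elevated.
# Documented Windows Update policy values; the post's own key is not shown.

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

# 1: never restart automatically while a user is logged on.
# Has no effect on a box where nobody is logged on (typical for a NAS).
New-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -PropertyType DWord -Force | Out-Null

# AUOptions: 2 = notify before download, 3 = auto download, notify before
# install, 4 = auto download and schedule the install (the default that
# reboots at night). 3 leaves the install, and therefore the reboot, to you.
New-ItemProperty -Path $au -Name AUOptions -Value 3 -PropertyType DWord -Force | Out-Null

# Read the values back.
$cfg = Get-ItemProperty -Path $au
"NoAutoRebootWithLoggedOnUsers = $($cfg.NoAutoRebootWithLoggedOnUsers)"
"AUOptions                     = $($cfg.AUOptions)"

# Keep the pending-reboot state visible so the patch does not stay half
# applied for weeks: this key exists while Windows Update waits for a restart.
$pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if ($pending) { Write-Warning 'A Windows Update restart is pending on this machine' }
```

Run the last check from a scheduled task that mails or logs the warning, so that "no automatic reboot" does not silently turn into "no reboot at all".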

Tuesday, November 15, 2011

Windows 2008 R2 folder security issue and UAC

It is incredible how many Windows system administrators have been impacted by User Account Control (UAC), introduced with Windows Vista and Windows Server 2008 and still present in Windows 2008 R2. These days I have been asked how to solve general folder security issues in 2008 R2. These issues weren't present in previous Windows versions such as Windows 2000/2003, which is why many of us were surprised by new, unknown behaviors.

In particular people were facing a situation in which on some folders or drives, when opening the Properties window as a member of the local Administrators group and selecting the Security tab, they had to click on 'Continue' before they could see the folder NTFS permissions.

The particular message shown was: 

"To continue, you must be an administrative user with permission to view this object's security properties. Do you want to continue?" 

and they were supposed to click the 'Continue' button.

If they explicitly granted the very same user account Full Control access to the folder, the NTFS permissions showed up without any further hassle.

In the same context, they got an 'Access Denied' error on the same folders even though they were members of the local Administrators group. Enabling auditing on these folders showed many 4656 (a handle to an object was requested) audit failure events telling that their access was not granted.

The cause is UAC's Admin Approval Mode: a member of the Administrators group logs on with a filtered token in which the Administrators group is present for deny-only purposes, so only ACLs that name the user explicitly (or Everyone, Users and so on) apply. Anything started with "Run as administrator" gets the full token and sees the folder without the 'Continue' prompt. If you prefer to have it gone for good, the solution is simple: lower UAC to 0, following the procedure I have posted here:

How to disable UAC

How to disable UAC for System Administrators only

UAC is a major change (or 'improvement' if you wish...) since Windows 2008, but it can be a real obstacle to everyday sysadmin tasks. So getting rid of it can sometimes be the only practical solution, keeping in mind that with EnableLUA set to 0 every process started by an administrator runs with full administrative rights, the browser and the mail client included.

Do not hesitate to comment if you find this post useful or if you wan to share your point of view on UAC.
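As an added example (not from the original post), a script that tells you whether the 'Access Denied' on a folder is the filtered admin token at work before you lower UAC machine-wide. Run it twice, once from a normal Powershell window and once from one started with "Run as administrator", and compare. The folder path is a placeholder.

```powershell
# Added example, not from the original post.

$folder = 'D:\Data\Shared'   # placeholder: the folder giving Access Denied

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators

# Group membership is about the account; IsInRole is about the token this
# process actually runs with. Under UAC the two differ for a non-elevated
# admin: the group SID is in the token, but marked deny-only.
$isAdminAccount = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })
$isElevated     = $principal.IsInRole($adminRole)

"Account in local Administrators : $isAdminAccount"
"Token is elevated               : $isElevated"

# The UAC knobs that "set UAC to 0" turns, read from the policy key.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA (Admin Approval Mode) : $($pol.EnableLUA)"
"ConsentPromptBehaviorAdmin      : $($pol.ConsentPromptBehaviorAdmin)"

# Can this token read the folder's ACL?
try {
    $acl = Get-Acl -Path $folder
    "ACL readable: yes ({0} ACEs)" -f $acl.Access.Count
} catch {
    "ACL readable: no ($($_.Exception.Message))"
    if ($isAdminAccount -and -not $isElevated) {
        Write-Warning 'This is the filtered token. Re-run elevated before changing UAC policy.'
    }
}
```

If the elevated run reads the ACL and the normal one does not, the folder is fine and only the way you open it needs changing; if both fail, the ACL really does exclude Administrators and lowering UAC would not help.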

Tuesday, November 8, 2011

Disabling automatic KMS to DNS publishing

If for some reason you want to stop your Windows 2008 R2 KMS server from publishing its SRV resource record (_vlmcs._tcp) to DNS every day, you have to use the built-in Software Licensing Management Tool (slmgr.vbs).

To do so, open  an elevated command prompt on the KMS server and run:

slmgr /cdns

A pop-up will appear telling you to restart the KMS service:



From the same elevated command prompt, run the following command to restart the KMS Service:

Net Stop sppsvc && Net Start sppsvc

If you are running your KMS service on an older Windows version (2008, not R2), run the following command instead: the Software Licensing service (slsvc) of Windows 2008 was replaced by the Software Protection service (sppsvc) in Windows 2008 R2.

Net stop slsvc && Net start slsvc

Now there are two ways to check that your KMS server has stopped trying to register its Resource Record in the DNS.

The first one is to open the Registry and check that the DisableDnsPublishing DWORD value has been added under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

The value of this key has also been set to 1.

The second way to check that KMS publishing to DNS is off is with the command:

slmgr /dlv

Remember that clients relying on auto-discovery will no longer find this host once the SRV record expires or is scavenged; point them at it explicitly with slmgr /skms kmshost:1688, or keep a static record in DNS.
 
 

I hope this solution helped you. If you have any question or any comment do not hesitate to post.
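As an added example (not from the original post), a Powershell check that reads both signals described above, the registry value and the slmgr /dlv report, and shows the SRV record clients would otherwise look up. Run it elevated on the KMS host; the DNS zone is taken from the machine's own domain, so adjust it if your KMS record lives elsewhere.

```powershell
# Added example, not from the original post. Run elevated on the KMS host.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
$reg    = Get-ItemProperty -Path $regPath -Name DisableDnsPublishing -ErrorAction SilentlyContinue
$regOff = ($reg -ne $null -and $reg.DisableDnsPublishing -eq 1)
"Registry DisableDnsPublishing = 1 : $regOff"

# slmgr.vbs shows its report in a message box when run through wscript;
# cscript writes it to the console so it can be parsed.
$dlv     = & cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /dlv
$dnsLine = $dlv | Select-String -Pattern 'DNS publishing' | Select-Object -First 1
"slmgr /dlv reports                : $dnsLine"

# The record the host stops maintaining: the _vlmcs._tcp SRV record.
# Clients that rely on auto-discovery stop finding this host once it is
# gone; point them at it with: slmgr /skms <kmshost>:1688
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$srv    = & nslookup.exe -type=SRV "_vlmcs._tcp.$domain" 2>&1
"Current SRV answer for _vlmcs._tcp.$domain :"
$srv | Where-Object { $_ -match 'svr hostname|port' }
```

If the registry value is set but slmgr /dlv still reports publishing as enabled, the service was not restarted after the /cdns command.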

Friday, November 4, 2011

Cluster Validation Error due to duplicate NIC GUIDs

If you are running a Windows 2008 R2 Failover Cluster, you may see the following error when running the Failover Cluster Validation tests:

 It tells:

Validate Windows Firewall Configuration
Validate that the Windows Firewall is properly configured to allow failover cluster network communication.
Validating that Windows Firewall is properly configured to allow failover cluster network communication.
An error occurred while executing the test.
There was an error verifying the firewall configuration.
An item with the same key has already been added.

The last line is telling us that two elements have the same key. These elements are the network adapters and the offending values are the adapter GUIDs. These GUIDs should be unique, but if you have cloned your servers, or if your cluster nodes are cloned VMware virtual machines, this error might occur.

To solve this issue, start a Powershell session, run the following command on every cluster node and compare the GUIDs of your network adapters:
 
Get-WmiObject Win32_NetworkAdapter | format-list Name,GUID

You should see that the Network adapters have the same GUID on different servers.

If this is your case, uninstall all of your Network adapters from Device Manager from all the Cluster members except one (but first note your IP address configuration!). Reboot them, re-run the Powershell command and you should find that your Network adapters are back with brand new GUIDs (thanks Plug and Play!).

Re-run the Cluster Validation Report and everything should be OK.

Please leave a comment if this post helped you!
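As an added example (not from the original post), the same WMI query run against every cluster node at once, reporting any adapter GUID that shows up on more than one node. The node names are placeholders; the account running it needs local admin rights on each node, and WMI over DCOM (TCP 135 plus the dynamic RPC range) must be allowed by the firewalls in between.

```powershell
# Added example, not from the original post. Node names are placeholders.

$nodes = 'clusternode1', 'clusternode2'

$adapters = foreach ($node in $nodes) {
    try {
        Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $node -ErrorAction Stop |
            Where-Object { $_.GUID } |     # pseudo adapters carry no GUID
            Select-Object @{n='Node';e={$node}}, Name, GUID, MACAddress
    } catch {
        Write-Warning "WMI query failed on ${node}: $($_.Exception.Message)"
    }
}

$adapters | Sort-Object GUID, Node | Format-Table -AutoSize

# A GUID may appear once per node. One seen on two different nodes is what
# makes the firewall validation test throw
# "An item with the same key has already been added".
$dupes = $adapters | Group-Object GUID | Where-Object {
    @($_.Group | ForEach-Object { $_.Node } | Sort-Object -Unique).Count -gt 1
}

if ($dupes) {
    foreach ($d in $dupes) {
        $where = ($d.Group | ForEach-Object { $_.Node } | Sort-Object -Unique) -join ', '
        Write-Warning ("GUID {0} is shared by: {1}" -f $d.Name, $where)
    }
} else {
    'No adapter GUID is shared between nodes.'
}
```

The MAC address column is there for the same reason: cloned VMs that were not given new virtual NICs can share those too, and the check is cheap to make at the same time.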

Wednesday, November 2, 2011

Setting DisableStrictNameChecking in Windows 2008 R2

I recently faced a problem whereby I had to install a Windows 2008 R2 Failover Cluster Server and make a CNAME alias point to it but I was unable to get to the CNAME network share from remote clients.

Fortunately this wasn't a difficult problem to solve as I was aware of the DisableStrictNameChecking registry value, which exists in previous Windows versions too. By default the Server service rejects SMB connections that are addressed to a name other than the server's own hostname (strict name checking); this is a protective feature, not a bug, and the value tells the server to accept inbound connections addressed to an alias as well.

So, to loosen security a bit and allow proper network access to a Windows server through a DNS alias, fire an elevated command prompt, type regedit and move to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters


Right-click Parameters, click New, and then click DWORD (32-bit) Value.

Type DisableStrictNameChecking and press ENTER.

Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK and close the Registry Editor.

This should solve your issue with accessing a Windows 2008 R2 server with a CNAME. The value is read when the Server service starts, so restart it (or reboot), and since it is a per-machine setting, on a failover cluster set it on every node that can own the file server role. Two more things worth knowing: clients reaching the share by the alias will authenticate with NTLM rather than Kerberos unless you also register HOST/alias and HOST/alias.fqdn service principal names (with setspn) for the computer object that answers to the alias; and a DNS A record for the alias, instead of a CNAME, does not need the registry change for Kerberos but still needs the SPNs.
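As an added example (not from the original post), the registry change applied idempotently from Powershell, followed by the SPN registration for the alias. It is written for a standalone file server (the SPNs go on the server's own computer account); for a clustered file server they belong to the cluster network name's computer object instead, and the registry part is repeated on every node. Alias and server names are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the server.
# Placeholders: the alias clients use and its FQDN.
$alias      = 'fileshare'
$aliasFqdn  = 'fileshare.yourcompany.com'
$serverName = $env:COMPUTERNAME

$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current = (Get-ItemProperty -Path $params -Name DisableStrictNameChecking -ErrorAction SilentlyContinue).DisableStrictNameChecking

if ($current -ne 1) {
    New-ItemProperty -Path $params -Name DisableStrictNameChecking -Value 1 -PropertyType DWord -Force | Out-Null
    # The Server service reads the value at start-up. Restarting it drops
    # every open SMB session on this server: do it in a maintenance window.
    Restart-Service -Name LanmanServer -Force
    'DisableStrictNameChecking set to 1 and Server service restarted'
} else {
    'DisableStrictNameChecking already 1'
}

# Without SPNs for the alias, clients using the alias fall back from Kerberos
# to NTLM. setspn -S checks for duplicates before adding.
foreach ($spn in "HOST/$alias", "HOST/$aliasFqdn") {
    & setspn.exe -S $spn $serverName
}
& setspn.exe -L $serverName
```

After this, a client session opened through the alias should show Kerberos in klist (a HOST/fileshare ticket) instead of silently using NTLM.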

Thursday, October 27, 2011

Windows 2003: extending the Schema to R2 for DFS-R

Recently I have been trying to install a DFS Replication Group on two brand new Windows 2008 R2 Enterprise boxes belonging to a pretty old Windows 2003 Active Directory Domain.

Nothing especially tricky in this activity, apart from the fact that the AD schema must be extended before we define a new replication group. This is because DFS-R stores its configuration in the domain partition, using attributes and classes that the Windows 2003 schema does not have. The aim of this blog post is to share my quick procedure to do it, in case somebody should face the same situation, as I am sure there are still many Windows 2003 domains around.

First thing is "Don't panic". The Schema extension is pretty straightforward and it doesn't need you to reboot any of your precious DCs. You can do it without actually upgrading the Operating System on your DCs.

Just keep in mind that some attributes will be added to your Active Directory schema for DFS-R to work. These are, for instance:
  1. msDFSR-DfsPath
  2. msDFSR-ReplicationGroupGuid

If you don't update the Schema, you won't be able to set-up any Replication Group and you will receive the following error when trying to create a Replication Group:

"domain.com: The Active Directory schema on domain controller DC1.domain.com cannot be read. This error might be caused by a schema that has not been extended, or was extended improperly. See Help and Support Center for information about extending the Active Directory schema. A class schema object cannot be found."
DFS-R R2 error when the Schema has not been updated
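As an added example (not from the original post), a check you can run from any domain member before opening the DFS Management console: it reads the forest schema version and looks up the two DFS-R attributes named above by their lDAPDisplayName. The objectVersion numbers in the table are the published schema versions for each Windows release; no RSAT or AD module is needed, only .NET.

```powershell
# Added example, not from the original post. Runs from any domain member.

$root     = [ADSI]'LDAP://RootDSE'
$schemaNC = $root.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNC"

# Published schema versions: 13 = 2000, 30 = 2003, 31 = 2003 R2,
# 44 = 2008, 47 = 2008 R2. DFS-R attributes arrive with 2003 R2 (31).
$version = [int]$schema.objectVersion.Value
$known   = @{ 13 = '2000'; 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2' }
$label   = if ($known.ContainsKey($version)) { $known[$version] } else { 'unknown' }
"Schema objectVersion = $version ($label)"

# Look the attributes up by lDAPDisplayName rather than guessing their CN.
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $schema
$searcher.PropertiesToLoad.Add('lDAPDisplayName') | Out-Null

$missing = @()
foreach ($attr in 'msDFSR-DfsPath', 'msDFSR-ReplicationGroupGuid') {
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    $found = ($searcher.FindOne() -ne $null)
    $state = if ($found) { 'present' } else { 'MISSING' }
    "{0,-32} {1}" -f $attr, $state
    if (-not $found) { $missing += $attr }
}

if ($missing.Count -gt 0) {
    Write-Warning ("Schema is not extended for DFS-R (missing: {0}). Extend it before creating a replication group." -f ($missing -join ', '))
}
```

The schema is replicated to every domain controller, so it does not matter which DC answers the query; if the attributes are present but the replication group wizard still fails, check that the DC it picked (named in the error message) has finished replicating the schema partition.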

Monday, July 11, 2011

Solid State Drives, some theory and a selection of videos

Today I have been looking for information about SSD disks because I am probably interested in using them for my future home-made NAS solution. Having found this SSD topic pretty interesting, I have decided to write a post about it.

Let's start from the acronym: SSD means Solid State Drive, a technology spreading very fast and finally reaching the end-user. In general terms, an SSD is a storage device which keeps your data (as well as your operating system, of course) in a semiconductor device known as flash memory, with no mechanical parts (no moving heads, no spinning platters).


Thanks to their construction, SSDs have rock solid advantages over standard mechanical hard disk drives. These advantages can be summarized as follows:
  • No spin-up time
  • Extremely low random access time (about 0.1ms)
  • Consistent read time throughout the SSD (while on a HDD if the data is written in a fragmented way, read ops will have varying response times)
  • No need for defragmentation
  • No noise (great for a home NAS)
  • Light and compact (consumer SSDs come in the 2.5" form factor with SATA connectors)
  • Lower power consumption (Excellent for the environment and for your monthly bill)
  • Unaffected by magnetic fields
  • Very robust
As you can see some of these advantages are exactly what can be found on everybody's wishlist for a consumer NAS, that is no noise, low power consumption (for instance only 2.5 watts for the Corsair Force GT 120GB, 0.6 watts in standby) and really high performance. As an example, let's have a look at some figures:
  • The Intel 510 Series 250 GB is by far the fastest SSD around with 476MB/s read throughput and 325MB/s for write operations. Such speed requires a SATA III interface of course, SATA II being limited to 300MB/s.
  • The Crucial RealSSD M4 256 GB is also a fast model, with 310MB/s for read ops and 273MB/s for write ops.
  • The Plextor PX-128M2S can read at 287MB/s and write at 195MB/s.
  • Other models are a little slower, with an average read throughput of 220MB/s and an average write throughput of 155MB/s. These figures are in any case much higher than those of mechanical hard drives, which have an average read throughput of 105MB/s and an average write throughput of 103MB/s, plus the extra spin-up time.
There are of course some disadvantages in this new technology that SSD designers and constructors are trying to workaround.

Thursday, June 30, 2011

Installing Linux Mint 11

If you are a beginner computer user wishing to learn something different from Windows 7, and don't want to wait for Windows 8 next year to improve your computer knowledge, then you could probably be interested in Linux. Yes, Linux, you heard right. Linux is a powerful operating system which Windows users sometimes hesitate to install because of its mystical aura of an OS for nerds and geeks. But this is not true today. No more. New Linux distributions are quite easily installed and run without ever touching their obscure features (the kernel, the terminal and so on).

Today many Linux distributions exist. Some are harder to use, some are definitely easier (maybe easier than Windows, I daresay). Some are for the IT expert wishing to have full control over the installation (like Slackware, Fedora or Debian, the grandpa of Ubuntu), some are oriented to please the common person using a personal computer for Internet browsing and listening to music.

Easy desktop distros are, for instance, Ubuntu (mainly for its wide hardware compatibility and its ease of installation) or Linux Mint (mainly due to its familiar GNOME interface).

If I were to define in a few lines the Linux distributions as I see them today, I would say:

  • Ubuntu 11.04, Mandriva and Linux Mint are for real beginners
  • Fedora 15 and Slackware 13.37 are for skilled geeks
  • Puppy Linux 5.2.5 or Xubuntu 11.04 (based on Xfce) are better for installation on older hardware
  • Linux Mint 11 or Ubuntu 11.04 are good for your home computer
  • Jolicloud 1.2 or MeeGo 1.2 are good for your brand new netbook
  • Debian 6.0.1 is for sysadmins
  • OpenSUSE 11.4 is the right one for office automation
  • CentOS 5.6 is good for enterprise servers and web servers
  • Ubuntu Studio 11.04 or PureDyne 9.11 are for your multimedia station and for creativity

None of these distros is perfect, but they fulfill various purposes, as you will learn by using them. Picking a first Linux distribution isn't always easy, so I have chosen for you: install Linux Mint 11. The reason for this choice is that Linux Mint is the Linux distribution of the moment, having just pushed Ubuntu (and its Unity interface) out of DistroWatch's No. 1 spot.

Monday, June 27, 2011

Unix joke

Having just published a joke about Windows Drag & Drop feature, I feel obliged, in fairness, to publish a funny joke about Unix/Linux OSes too:

Unix admin asking for a sandwich


I hope you like it! :-)

Drag and drop...

I really couldn't resist publishing this funny joke about Windows most known feature: drag and... drop!

A Windows admin troubleshooting Windows 2008

Windows sysadmin will surely understand! :o)))

Saturday, June 18, 2011

Clean up Winsxs on Windows 2008 R2 after SP1 install

Last year I wrote a post where I explained what the Winsxs folder was and which were the possible solutions to contain its bad habit of eating free space on your hard drive. Some days ago I have discovered that, starting from Service Pack 1, Windows 2008 R2 (... and Windows 7) finally has a built-in tool to reduce the size of the Windows Side-by-Side DLL repository and free up some GBs on your server storage. This tool is DISM.exe.

Cool news, isn't it? Personally I am happy to know that someone at Microsoft has finally decided to make it possible to reclaim a few GBs on the system partition and to partially solve this long-standing annoyance.

The procedure is the following:
  • Install Windows Service Pack 1 then ...
  • Start an elevated command prompt (run 'CMD' as administrator) and ...
  • Run the DISM command, which replaces the old VSP1CLN and COMPCLN we used on previous Windows versions: DISM.exe /online /Cleanup-Image /spsuperseded
  • Wait about 10 minutes for the task to complete (it ends with "Service Pack Cleanup operation completed. The operation completed successfully")
Normally you should have been able to reduce the Winsxs folder size by 1 or maybe 2 GBs, sometimes more. Saved space may vary a lot.

Just know that after using DISM you will not be able to uninstall the Service Pack 1 anymore.

Let's have a look at the used switches for DISM.exe:
  • The /online switch tells DISM to work on the running OS installation
  • The /spsuperseded option removes the backup files created during installation. 
Optionally you could use the /hidesp option which will remove SP1 (KB976932) from the “Installed Updates” section of Programs and Features, to ensure that users do not try to uninstall the Service Pack.

I hope this helps. Please let me know how much disk space you were able to free up using the given command.
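As an added example (not from the original post), the same clean-up driven from Powershell, with the before/after measurement taken as free space on the system volume rather than as the size of the Winsxs folder. Explorer counts every hard link under Winsxs as a full copy, so the folder figure is inflated and its change does not match what you actually reclaimed; the volume's free space is the number that matters. Run it elevated on Windows 2008 R2 SP1 or Windows 7 SP1.

```powershell
# Added example, not from the original post. Run elevated after SP1.

function Get-FreeGB([string]$Drive = 'C:') {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    [math]::Round($disk.FreeSpace / 1GB, 2)
}

$before = Get-FreeGB
"Free space before: $before GB"

# /online: service the running OS; /Cleanup-Image /spsuperseded: delete the
# files backed up when SP1 was installed. One-way: SP1 cannot be uninstalled
# afterwards. Add '/hidesp' to the list to also remove SP1 (KB976932) from
# Installed Updates.
$p = Start-Process -FilePath "$env:windir\System32\dism.exe" `
        -ArgumentList '/online', '/Cleanup-Image', '/spsuperseded' `
        -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) {
    throw "DISM failed with exit code $($p.ExitCode); see $env:windir\Logs\DISM\dism.log"
}

$after = Get-FreeGB
"Free space after:  $after GB (reclaimed {0} GB)" -f [math]::Round($after - $before, 2)
```

The DISM log named in the error is also where to look when the command "completes successfully" but frees nothing: it happens when the SP1 backup files were already removed, for instance on an image that was slipstreamed with SP1.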

Friday, June 10, 2011

Using Ethtool to configure your nic on CentOS

We are introducing a number of CentOS machines and I am often asked by regional IT people how they can check and change the configuration of their network cards to match the configuration of the attached network switches. That made me think of this post (my first one on CentOS) in which I will explain how you can determine the current Ethernet link speed and duplex of your CentOS system.

To do that you can take advantage of ethtool, an easy utility that can be used to display and, with its -s option, change the settings of your Ethernet network cards (this post only covers displaying them).

In the following example I will assume that you are willing to change the parameters for your first network card (usually eth0).

The syntax to show the NIC parameters is very simple, just enter:

ethtool eth0

and look for the Speed and Duplex lines:

Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Current message level: 0x000000ff (255)
Link detected: yes

Compare those two lines with the switch port. In the output above the card advertises gigabit full duplex but has settled on 100Mb/s half duplex: that is the usual sign of a switch port with speed and duplex forced to 100/full while the host is still auto-negotiating, and it produces exactly the late collisions and poor throughput that trigger these questions. Either let both sides auto-negotiate or force both sides to the same setting; never force just one.

Thursday, June 9, 2011

DFS Target refers to a location that is unavailable

Today I have encountered a strange problem with some of my stand-alone DFS targets. Many users on old Windows versions, such as Windows XP pre-SP2, were no longer able to browse DFS file shares after I had updated some referrals to reflect an infrastructure change (new folder targets) happening at my company.

The funny thing is that most of the end-users running Windows XP SP2 or Windows 7 had no problem at all in browsing the DFS links from their Windows Explorer.

This problem pushed me to dig into DFS behavior, design and architecture more than I ever had before.

After checking that no alerts were reported server-side, I went to one old XP box and tried to browse the DFS path \\dfsserver\root\link. The error I got was a generic "\\dfsserver\root\link refers to a location that is unavailable"...



I then tried to map the DFS link using the good old "net use", hoping for an error code a little bit more specific... but all I got was "System error 2 has occurred. The system cannot find the file specified".

Monday, June 6, 2011

Closing network files on a remote fileserver with PSFile

These days I am migrating some data from our old network file server to a new network storage. The plan is to migrate one folder at a time, and I have found that in such a situation it is useful to know how to close all the open files in a specific directory before migrating it, in order to avoid open file conflicts.

As I do not want to migrate all the data at once (this would be pretty impractical with so many gigabytes of data), I cannot simply adopt the solution of shutting down the file share or restricting access to it for everyone.

PSFile.Exe from SysInternals is our best friend in this case. Using this small utility, it is possible to retrieve all the open files in a given remote directory and close them altogether.

This is the way it should be used:

psfile \\fileserver.yourcompany.com "t:\folder\subfolder" -c
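As an added example (not from the original post), a short script that lists what psfile would close before closing anything, so that the migration window is not opened on a directory somebody is still writing to. It assumes psfile.exe is on the PATH, the account has administrative rights on the file server, and the path is the server's own local path (psfile matches the path the server sees, not the UNC path clients use). The parser assumes psfile's "[id] path" line layout for each open file. Server and path are the placeholders from the post.

```powershell
# Added example, not from the original post. psfile.exe on the PATH, admin
# rights on the remote server; path is the server-local path.

$server = '\\fileserver.yourcompany.com'
$path   = 't:\folder\subfolder'

# psfile prints one block per open file, starting with "[id] path" and
# followed by the user, lock and access lines. Pull the paths out.
$listing = & psfile.exe -accepteula $server 2>&1 | Out-String
$open = [regex]::Matches($listing, '(?m)^\[\d+\]\s+(?<file>.+)$') |
    ForEach-Object { $_.Groups['file'].Value.TrimEnd() } |
    Where-Object { $_ -like "$path*" }

if (-not $open) {
    "No open files under $path on $server"
    return
}

"{0} open file(s) under {1}:" -f @($open).Count, $path
$open | ForEach-Object { "  $_" }

# Closing a handle from the server side discards whatever the client had not
# yet flushed; make it a deliberate step rather than part of the copy loop.
$answer = Read-Host "Close them now? (y/N)"
if ($answer -eq 'y') {
    & psfile.exe -accepteula $server $path -c
    if ($LASTEXITCODE -ne 0) { Write-Warning "psfile returned $LASTEXITCODE" }
}
```

Run the listing part alone a few times during the day before the migration: if the same files keep showing up, they belong to an application that should be stopped first, not to a user who forgot a document open.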