Showing posts with label Windows Server 2012. Show all posts

Tuesday, April 11, 2017

Certlm.msc on Windows Server 2012 / Windows 8 or later

Starting with Windows Server 2012 and Windows 8, a new msc file, Certlm.msc, was added to Windows. Certlm.msc opens the computer certificate store directly. Previously, we needed to open Microsoft Management Console and add the computer certificate store to the console. Now it's easy for an administrator to check computer certificates via the GUI.


This posting is provided “AS IS” with no warranties, and confers no rights!

Friday, February 26, 2016

Enable disk performance monitor on task manager for Windows Server 2012 and later

On Windows 8 and later, you can find the disk performance item on task manager.


However, the disk monitor is disabled on server operating systems like Windows Server 2012 and later. To enable disk performance monitor on task manager, we can launch "Command Prompt" as administrator. Then, perform diskperf -y to enable it.


As a result, disk performance monitor item has been enabled on task manager.


To disable it, we can perform diskperf -n on "Command Prompt" as administrator.



Thursday, February 25, 2016

Using robocopy for file servers migration

"Robocopy" is a robust and powerful command on Windows to copy files and directories. Why do we use "robocopy" for file server migration?

There are some reasons.
1. It preserves the NTFS permissions of files and directories when copying to a new file server within the same domain.
2. It provides a verification function to check the differences between source and destination.
3. "Robocopy" supports multi-threaded copies, which improves efficiency.
4. The backup mode of "robocopy" can copy files or directories to the destination even when you aren't granted permission to access them.

In my case, I performed "robocopy" with the following parameters to copy files and directories from source to destination.

Assume that I have logged in to the new file server, running Windows Server 2012 R2, and mapped a network drive to the old file server.

The first time, I performed Robocopy <source directory or drive> <Destination directory or drive> /ZB /e /sec /copyall /TEE /MT:128 /r:0 /log:C:\copylog.txt

/ZB: use restartable mode first. If we aren't granted permission to copy the file or directory, use backup mode to copy it.
/e: copy subdirectories, including empty ones.
/sec: copy files and directories with security.
/copyall: copy all file and directory info, such as auditing info.
/TEE: an optional parameter that displays the copying status in "Command Prompt".
/MT:128: use 128 threads to copy files and directories. However, it uses a lot of CPU resources.
/r:0: I don't want to retry at this time.
/log: save a log file to the given location.

The second time, I prefer to copy the delta of files and directories. I added 4 parameters to copy from source to destination again.

Robocopy <source directory or drive> <Destination directory or drive> /ZB /e /sec /copyall /TEE /MT:128 /r:1 /XD /XF /XO /purge /log:C:\copylog.txt

/XD: eXclude Directories matching given names/paths but it can still add new or extra directories
/XF: eXclude Files matching given names/paths/wildcards but it still can add new or extra files
/XO: exclude older files or directories
/purge: delete dest files/dirs that no longer exist in source. 
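
To use the verification function mentioned in reason 2, the following added example (not part of the original post) repeats the delta run with robocopy's list-only switch /L, decodes the exit code, and spot-checks security on a sample of files. The paths and log file name are placeholders chosen for illustration.

```powershell
# Added example: dry-run verification of a robocopy migration.
# $Source, $Destination and $Log are placeholder values (assumptions).
$Source      = '\\OLDFS\Data'      # hypothetical share on the old file server
$Destination = 'D:\Data'           # hypothetical folder on the new file server
$Log         = 'C:\verifylog.txt'

# /L only lists what would be copied or purged; nothing is changed.
# The remaining switches match the delta run so both passes see the same set of files.
robocopy $Source $Destination /L /E /COPYALL /ZB /XO /PURGE /R:0 /NP /LOG:$Log | Out-Null
$code = $LASTEXITCODE

# The exit code is a bitmask, so test each bit instead of comparing with zero.
$bits = @(
    @{ Bit = 1;  Text = 'files in the source are new or changed' },
    @{ Bit = 2;  Text = 'extra files or directories exist only in the destination' },
    @{ Bit = 4;  Text = 'mismatched files or directories were found' },
    @{ Bit = 8;  Text = 'some files or directories could not be copied' },
    @{ Bit = 16; Text = 'fatal error (usage error or insufficient access)' }
)
if ($code -eq 0) { Write-Output 'Source and destination are in sync.' }
foreach ($b in $bits) {
    if ($code -band $b.Bit) { Write-Output ("Exit bit {0}: {1}" -f $b.Bit, $b.Text) }
}

# Robocopy decides what to copy from size and timestamp, so compare security separately:
# spot-check owner and DACL on a random sample by comparing SDDL strings.
Get-ChildItem -LiteralPath $Source -Recurse -Force -ErrorAction SilentlyContinue |
    Get-Random -Count 20 |
    ForEach-Object {
        $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        if (-not (Test-Path -LiteralPath $target)) { return }   # already reported by the /L pass
        $srcSddl = (Get-Acl -LiteralPath $_.FullName).Sddl
        $dstSddl = (Get-Acl -LiteralPath $target).Sddl
        if ($srcSddl -ne $dstSddl) { Write-Warning "Security differs: $relative" }
    }
```

Run it from an elevated console on the new file server; any warning is a file to review before the old share is retired.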

After that, we can migrate the share permissions of the shared folders. To migrate share permissions, please read Migrating File Servers in the same domain. Then, we can stop sharing from the old server and change the network drive mapping to the new file server.


Sunday, February 21, 2016

Change network connection profile by PowerShell on Windows 8 or later

Starting with Windows 8, there are 2 PowerShell cmdlets for administrators to get and set network connection profiles: Get-NetConnectionProfile and Set-NetConnectionProfile.

Get-NetConnectionProfile shows the current network connection profile for all NICs.

The current network profile of this NIC is "Private"

To change the network connection profile to public, we can perform Set-NetConnectionProfile -InterfaceAlias <NIC Name> -NetworkCategory Public.

The network connection profile has been changed to "Public"

Make sure the PowerShell console is "run as administrator". If not, you get the following error message.

Set-NetConnectionProfile : Unable to set the NetworkCategory ...

From Windows 10 PowerShell console

Another reason for this error message is that you performed Set-NetConnectionProfile to set the profile to "DomainAuthenticated".

From Windows 8.1 PowerShell console

The "DomainAuthenticated" network connection profile should be assigned automatically when a computer is joined to a domain. It cannot be changed by the Set-NetConnectionProfile cmdlet because it is controlled by "Network List Manager" of Group Policy. However, we can change the profile of the other NICs of domain computers.


This posting is provided “AS IS” with no warranties, and confers no rights!
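
For the network connection profile post above, here is an added example (not part of the original post) that avoids both causes of the error: it stops when the console is not elevated and leaves "DomainAuthenticated" connections alone while moving every "Private" connection to "Public".

```powershell
# Added example: switch all Private connections to Public, handling both error causes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start the PowerShell console with "Run as administrator" first.'
}

foreach ($nic in Get-NetConnectionProfile) {
    switch ([string]$nic.NetworkCategory) {
        'DomainAuthenticated' {
            # Assigned automatically on domain networks; the cmdlet cannot change it.
            Write-Output "$($nic.InterfaceAlias): DomainAuthenticated, left unchanged"
        }
        'Private' {
            Set-NetConnectionProfile -InterfaceIndex $nic.InterfaceIndex -NetworkCategory Public
            Write-Output "$($nic.InterfaceAlias): Private -> Public"
        }
        default {
            Write-Output "$($nic.InterfaceAlias): already $($nic.NetworkCategory)"
        }
    }
}

# Show the result for every NIC.
Get-NetConnectionProfile | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
```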

Wednesday, November 25, 2015

Install or uninstall multiple Windows Updates by WUSA and PowerShell

WUSA is a Windows command to install or uninstall Windows updates. In this post, I'd like to use WUSA together with PowerShell to install or uninstall Windows Updates on a computer.

Install
To silently install a Windows update and postpone restarting the computer, we can perform (Get-ChildItem <Windows Update Package path>).FullName | %{Start-Process wusa "$_ /quiet /norestart" -wait} on PowerShell console


Uninstall
To silently uninstall a Windows update and postpone restarting the computer, we can perform wusa /uninstall /kb:<the number of the KB> /quiet /norestart


Remark: Some Windows Updates require a computer restart to take effect.

To combine with PowerShell to uninstall some Windows Updates, we can perform (Get-Hotfix).hotfixid.substring(2) | Select -last 3 | %{Start-Process wusa "/uninstall /kb:$_ /quiet /norestart" -wait} on PowerShell console to uninstall last 3 Windows Updates. 


Here is another example. Depending on the search criteria, we can change it like this: Get-Content <File Name> | %{Start-Process wusa "/uninstall /kb:$_ /quiet /norestart" -wait}
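
Because /quiet hides the result of each package, the following added example (not part of the original post) installs every .msu in a folder and reports what wusa returned, including the restart-required case from the remark above. The folder path is a placeholder.

```powershell
# Added example: install every .msu in a folder and interpret wusa's exit code.
$PackagePath = 'C:\Updates'   # hypothetical folder holding the .msu packages (assumption)

$results = foreach ($msu in Get-ChildItem -Path $PackagePath -Filter *.msu) {
    # Quote the path so packages stored under folders with spaces still install.
    $arguments = "`"$($msu.FullName)`" /quiet /norestart"
    $process   = Start-Process -FilePath wusa.exe -ArgumentList $arguments -Wait -PassThru

    $status = switch ($process.ExitCode) {
        0           { 'Installed' }
        3010        { 'Installed, restart required' }        # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302     { 'Already installed' }                  # 0x00240006
        -2145124329 { 'Not applicable to this computer' }    # 0x80240017
        default     { 'Failed' }
    }
    [pscustomobject]@{ Package = $msu.Name; ExitCode = $process.ExitCode; Status = $status }
}

$results | Format-Table -AutoSize
if ($results.ExitCode -contains 3010) {
    Write-Warning 'At least one update needs a restart to take effect.'
}
```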



Monday, October 26, 2015

Check a unique ID of LUN by PowerShell

Each LUN has a Unique ID so we can perform Get-Disk | Select UniqueId on PowerShell to check this ID.


Based on the Unique ID, we can perform Get-Disk | Where UniqueId -eq <UniqueId> | Get-Partition | Select AccessPaths to check which CSV this LUN is mapped to.



Sunday, October 25, 2015

Check allocation unit size of formatted NTFS volume

To easily check the current allocation unit size of a formatted NTFS volume, we can use the fsutil command.

1. Launch Command Prompt as administrator.
2. Perform fsutil fsinfo ntfsinfo <Drive letter or CSV path> to check the "Bytes Per Cluster".

This volume was formatted as 4K

This volume was formatted as 64K

Or, we can perform Get-CimInstance Win32_Volume | FT Name,BlockSize -AutoSize to check it.



Tuesday, October 13, 2015

Convert an existing virtual machine to a high availability virtual machine on Failover Cluster Manager

After configuring a Hyper-V cluster on Windows Server 2012 or Windows Server 2012 R2, we should use Failover Cluster Manager to create a high availability virtual machine. If we use Hyper-V Manager on one of the cluster nodes, the virtual machine doesn't appear in Failover Cluster Manager because it isn't a high availability virtual machine.



Before converting an existing machine, make sure it is stored on a shared path of the cluster.

1. To convert an existing virtual machine to a high availability virtual machine, Right-click Roles > Configure Role on Failover Cluster Manager.


2. On "Select Role" window, select Virtual Machine and then click Next.


3. In "Select Virtual Machine" window, check the virtual machine name and then click Next.


4. On "Confirmation" window, click Next.


5. On "Summary" window, click Finish.


As a result, the virtual machine has been converted to a high availability virtual machine within the cluster.


We can also perform Get-VM <VMName> | Add-ClusterVirtualMachineRole on the same cluster node to complete the above task.



Sunday, August 30, 2015

Setup Nano Server of Windows Server 2016 TP3 version on Hyper-V virtual machines

In one of the Microsoft Ignite 2015 sessions, Jeffrey Snover introduced a new Windows Server installation option, Nano Server, in Windows Server 2016 Technical Preview 2. In Windows Server 2016 Technical Preview 3, Microsoft included 2 PowerShell scripts on the installation media to let administrators create a new Nano Server VHD easily. At this moment, Nano Server supports the following features:
  • Hyper-V Compute
  • Windows Containers
  • Storage Server (SOFS)
  • Failover Clustering


For more information about what Nano Server supports, please read Getting Started with Nano Server.

In this post, I will try to create a Nano Server VHD by the scripts which are provided by Microsoft. Then, boot the Nano Server VHD and VHDX on a Hyper-V Server.
Lab environment
  • 1 x Windows Server 2012 R2 Hyper-V Server

1. Log in to a Hyper-V server as administrator.
2. Launch PowerShell as administrator.
3. Navigate to installation DVD path \NanoServer.


4. Perform . .\new-nanoserverimage.ps1 to load the PowerShell function.


5. Perform New-NanoServerImage -MediaPath <Source path of installation DVD of folder> -BasePath <Temporary folder path for conversion> -TargetPath <Target folder path> -<Feature Name> -EnableIPDisplayOnBoot to create a Nano Server vhd.


The script prompts you to enter the local administrator password for the Nano Server.


Eventually, the Nano Server VHD was created in the destination folder.


Then, you can create a Generation 1 virtual machine and then attach the virtual hard disk.

Remark: The current script, New-NanoServerImage, creates the VHD with an MBR boot partition, so we need to use a generation 1 virtual machine to mount it. To use a generation 2 virtual machine for Nano Server, we can update this script manually to create a vhdx with a GPT boot partition. Based on my testing, I updated the following line numbers of this script.

Line 611, 701, 707, 925






As a result, we can set up Nano Server on virtual machines. To manage Nano Servers, we can use the PowerShell cmdlet Enter-PSSession to connect to and manage them.




Sunday, May 17, 2015

Top Support Solutions for Windows Server 2012 and Windows Server 2012 R2 by TechNet Blogs post

I'd like to share a useful TechNet Blogs post, Top Support Solutions for Windows Server 2012 and Windows Server 2012 R2. This post lists a lot of web sites for troubleshooting the following Windows features: DirectAccess, Active Directory related, unexpected errors and restarts, Remote Desktop Services, Windows updates related, Failover Clustering, DNS and Access to file shares (SMB).

We may find some hints from the web sites for troubleshooting the above Windows Features. Don't forget to bookmark this web site.


Saturday, March 14, 2015

Setup Point-To-Site VPN to Microsoft Azure

Microsoft Azure supports Point-To-Site VPN to connect to a Microsoft Azure Virtual Network from a workstation or server. To configure Point-To-Site VPN to a Microsoft Azure Virtual Network, you don't need any VPN device. All configurations are software based and can be done on a Windows 7 or later workstation. I'm going to configure Point-To-Site VPN for testing.

These are the high level configuration tasks for Point-To-Site VPN.

1. Create a virtual network with point-to-site connectivity or modify existing virtual network with point-to-site connectivity.
2. Create a dynamic routing gateway for the virtual network.
3. Generate a root certificate and a computer certificate for VPN authentication with Microsoft Visual Studio Express 2013 for Windows Desktop.
4. Download the VPN client configuration package for a computer which will be connected to the virtual network.

Goal
Configure a VPN connection from a workstation to Microsoft Azure virtual network.

Prerequisites
Lab environment
  • 1 x Windows 10 64 bit workstation with Microsoft Visual Studio Express 2013 for Windows Desktop installed. This workstation is on the 172.16.x.x network. I will use this workstation to set up the VPN and then connect to the Microsoft Azure virtual network.
Lab
Create a new virtual network with Point-to-Site Connectivity

1. On Azure management portal, click "New > Network Services > Virtual Network > Custom Create".


2. On "Virtual Network Details" window, enter a name and select location. Then, click "Next" button.


In my lab environment, I entered VPNNetwork for the virtual network name.

3. On "DNS Servers and VPN Connectivity" window, check the "Configure a point-to-site VPN" option.


I will use an IP address to connect to a virtual machine on this virtual network, so I don't enter any DNS server information.

4. Click "Next" button.
5. On "Point-to-Site Connectivity" window, you can only select a private network range because these IP addresses will be assigned to VPN clients.



At this time, I select the 192.168.0.0 IP address range for VPN clients.



The maximum IP address range for VPN clients is 24 bit, which gives a total of 254 IP addresses.

6. Click "Next" button.
7. On "Virtual Network Address Spaces" window, I choose the 10.0.0.0/8 address space. Then, I create a subnet, 10.0.1.0/24, for virtual machines, and I also add 10.0.0.0/29 to this virtual network as the gateway subnet.


According to Microsoft, gateway service that we run to enable cross-premises connectivity. We need 2 IP addresses from your routing domain for us to enable routing between your premises and the cloud. We require you to specify at least a /29 subnet from which we can pick IP addresses for setting up routes.

Please note that you must not deploy virtual machines or role instances in the gateway subnet.

8. Click "Finish" button.


Create a dynamic routing gateway in VPNNetwork

1. On "VPNNetwork" page, click "Create Gateway" button.


2. Click "Yes" to create.


Then, we can see the notification about creating a gateway on Microsoft Azure Portal. It takes about 20 minutes to create a gateway for this virtual network.


Additional information: One of my virtual networks stopped at this screen on Microsoft Azure portal. I cannot remove that network at this moment by Portal or PowerShell. Make sure you don't make any changes while the gateway is being created.


Then, the gateway IP address is ready.

Generate a root certificate and upload certificate to the virtual network
If Microsoft Visual Studio Express 2013 for Windows Desktop has been installed on the workstation, makecert.exe is located at the following paths.



1. On the Command Prompt, navigate to the "C:\Program Files (x86)\Windows Kits\8.1\bin\x64".
2. Perform makecert -sky exchange -r -n "CN=<Root Cert CN Name>" -pe -a sha256 -len 4096 -ss My "<File path to save the root certificate>" to create a root certificate that uses the sha256 algorithm with a 4096-bit key length, and save the file to C:\VPNNetworkRoot.cer


Make sure to run makecert from an administrator Command Prompt. If not, you get the following error message.

Error: WriteFile failed => 0x5 (5)
Failed


Now, we can upload the root certificate to the virtual network.

3. On "VPNNetwork" page, select "Certificates".
4. Click "Upload a Root Certificate".



5. On "Upload Certificate" window, click folder icon to browse the root certificate on the computer.



6. Click "Tick" button.



The root certificate has been uploaded to this virtual network.


Generate a client certificate to connect the Microsoft Azure Virtual network
We're going to use the same workstation to generate the client certificate for the VPN connection. Actually, you don't need to install Microsoft Visual Studio Express 2013 for Windows Desktop on all VPN clients. Microsoft Visual Studio Express 2013 for Windows Desktop is only used to generate the root and client certificates. It's okay to assign 1 workstation for generating certificates. In my lab environment, I used the workstation to do both tasks.

To generate a client certificate, make sure you have installed the root certificate on the same computer.

  
1. On the Windows 10 workstation, perform makecert.exe -n "CN=<VPN client CN name>" -pe -sky exchange -m 96 -ss My -in "<Root cert name>" -is my -a sha256 to generate a client certificate that uses the sha256 algorithm.


Then, you can find this client certificate in certificate console.


We can export this client certificate and then import it into another computer which will connect to Microsoft Azure Network. In my lab, I don't need to export this certificate.

Download and install VPN client configuration package 
On the network page of Azure portal, we can download the VPN client configuration package.


1. Run the package.


2. Click "Yes" to install.


Then, you can find the VPN connection on your network setting of the computer.


Verify the result
1. Click the VPNNetwork, select Connect.


2. On VPNNetwork dialog box, click "Connect".


3. Perform ipconfig in the command prompt to verify the result


As a result, the workstation got the IP address 192.168.0.2. Now, it can connect to VPNNetwork, which is located in Microsoft Azure Virtual Network.

Remark: If there is no certificate on the computer, you get this message when you click Connect on the dialog box.

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)
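
To check for this condition before connecting, the following added example (not part of the original post) looks in the current user's Personal store, where the makecert commands above place their output, for a client certificate issued by the root. The root subject shown is a placeholder for the CN you chose.

```powershell
# Added example: look for a usable client certificate before connecting.
$RootSubject = 'CN=VPNNetworkRoot'   # placeholder for "CN=<Root Cert CN Name>" (assumption)
$now = Get-Date

# makecert -ss My without -sr writes to the current user's Personal store.
# The self-signed root lives in the same store, so skip certificates that issued themselves.
$clients = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $RootSubject -and $_.Subject -ne $_.Issuer }

if (-not $clients) {
    Write-Warning "No client certificate issued by '$RootSubject' in CurrentUser\My."
}
foreach ($cert in $clients) {
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
    if ($cert.NotBefore -gt $now)  { $problems += "not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter  -lt $now)  { $problems += "expired on $($cert.NotAfter)" }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}
```

A certificate imported on another computer without its private key shows up here as not usable, which is worth checking after an export and import.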


Additional information
Keith Mayer, Senior Technical Architect at Microsoft, wrote a post about how to revoke the point to site VPN certificate. You can read the following blog post for your information.

