Thursday, December 10, 2015

Migrating local users from one windows computer to another (2003 to 2008 32 bit)

This is for local users. I think you can do some domain things as well with these tools, but it's not my particular case today. Also, there are newer ways of doing this with PowerShell, but I've used this method to move from Windows 2000 to 2003 before, and today from 2003 to 2008 32 bit. We can't use a newer version because of incompatibility of CopyPWD with 64 bit.

Also, the official version of CopyPWD works for 2003 and older, but for 2008 32 bit, use the v1.1 named copypwd2 that is available in the links on this forum post . Again, I have not been able to get this to work on 64 bit, not even with the service method, which to me seems flawed, but I tried to fix and also couldn't get it to work. Please tell me in comments if you do.

Get information from original server:

Addusers copies the user information, but does not copy passwords. Check options here . Run from an elevated prompt.

/d is dump

Addusers.exe /d users.txt

Open the file and you will users under [User], [Global] which I believe is not used, and Local Groups in [Local]

I delete everything except [User] for my purposes. Also, I open this in excel, and fill in a temporary password, otherwise I will get errors when creating the users, and save as a csv. Copy to the new server with the same executable.


CopyPWD copies the password hash - note you have to run this from a console session, not regular RDP. Either use a real console or establish a console RDP session, and an elevated prompt (note, if using TS with /admin , only the old version worked for me).

CopyPwd DUMP > copypwd.txt

This creates a file with all local users and a hash - sensitive information, by the way. Copy to the new server with the same executable and dll. Please note this has to be the file name, as the SET command doesn't take arguments as far as I saw from the instructions.


Apply information on new server:

Copy the output files and from an elevated prompt, first create the users:

/c is create
/p:e is passwords never expire, and implies l which is users do not have to change passwords. This is my particular case, you will have to figure out what switch to use in yours.

Addusers.exe /c Users.csv /p:e

You should see a lot of messages creating users, and your users, with their comments should be on the server now. Alas, they all have the temp passwords you set in the CSV. To set the password use the CopyPWD command again:

For CopyPWD the command is 

CopyPWD SET

Please note the copypwd.txt with the password hashes has to be in the same directory. If the user existed on the server, this process set the old password. You can now try the local accounts. Also - I had to use the new version of CopyPWD at http://www.systemtools.com/download/copypwd2.zip for this to work on Windows 2008 32 bit.

Hit me up on twitter if you have other problems @arielsanchezmor

Wednesday, December 9, 2015

Testing SSD-enabled VMware products in the nested home lab

So here's a little project for December.

I use 3 solutions at work that rely on SSDs, or offer them as an option. The solutions are:

PernixData FVP
Stormagic SVSAN
VMware Virtual SAN (VSAN)

I want to run them on my home lab. However, my home lab is one 32gb desktop. I do have a 500GB SSD and normal spinning disk on it, so at least there is SSD performance available, but I may need to get creative.

So, my little experiment will be to created two or three "SSD enabled" hosts and test if the products will install and run. I leave here the links for requesting the product trials:

https://get.pernixdata.com/FVPTrial
http://www.stormagic.com/60-day-free-trial/
https://www.vmware.com/products/virtual-san/vsan-hol.html

I will blog my experience with each one, including any tricks I had to use to make the nested hosts work properly. I obviously can't really run any production on these; this basically is a lab for me to test installation, upgrades and what happens if I switch from vsphere 5.x to v6. I obviously will google and tweet questions as needed.

Friday, November 6, 2015

Checking SSL/TLS versions for audit purposes

SSL and TLS have long been thought as secure, but several problems have exposed SSL to be insecure. The PCI standard will begin flagging all versions of SSL and TLS 1.0 as insecure in June 2016 (link here). It makes sense as TLS 1.0 was released in 1999.

Many have found the hard way that securing servers will break some things. I learned about Windows server OS support for each cipher by looking at the table in this MSDN article. You can see that when securing servers, the client portion is very important - it's what's holding back many websites from removing old version support. If your legacy application still has legacy clients and you can't modernize both, you will not be able to pass industry certifications, and you will have to fix both.

You can easily check TLS version in most browsers by clicking on the lock icon and fishing a bit - I use Chrome and Mozilla and found the TLS version very easily. 



However my good friend @edmsanchez13 pointed out that McAfee has a free tool called SSLSmart that checks SSL and TLS 1.0 ciphers. This tool is very useful, since these are the problematic versions, and because this is free and can be run by you against internal servers, while testing several ciphers in batch mode. I recommend it for when you are in need of verifying how your internal servers are acting.

It is curious to see how certain websites handle the issue. For example, Google.com uses a HTTP 301 message - moved permanently for some of the older ciphers. The included PDF with SSL Smart tool also explains why sometimes scanning solutions give false positives. For example, https://www.ssllabs.com/ssltest/index.html which is a public and free SSL analyzer, ranks Google with a B in several options, but the problems it finds correspond to the responses that give a HTTP 301 message. It's also interesting to see the Recent Best and Recent Worst list to see good and bad examples for your testing and learning.

I leave here other two good links i found while testing and making this post


  • A Mozilla security engineer named Julien Vehent made an analysis of the web's top million websites - his findings here
  • https://www.howsmyssl.com/ tests the client (browser in my case)

Thursday, November 5, 2015

Digging deeper into vRealize Operations

I've been attending vRealize Operations webinars that go deeper into a feature. Anybody that has deployed or played around with vRealize Ops knows it's a huge product that takes some time to fully understand - plus every release brings new features.

Thanksfully, I received this link by email today where all past webinars have been posted. This is a great resource to learn more about vRealize Ops!

http://www.vmware.com/go/getmore

Apart from the official courses, I find Iwan Rahabok blog and Packt book plus Sunny Dua's blog to be great sources of info. Follow them, read them, and if needed, ask them - they are incredible guys - both are office of CTO members :)

Thursday, October 15, 2015

Upgrading Intel SSD firmware on Dell servers

I have retail Intel DC S3710 SSDs installed on Dell servers and and I wanted to do firmware upgrades on them. I went to the product page and found there is an Intel SSD Data Center Tool.

Links as of 10/15/2015 are

download: https://downloadcenter.intel.com/download/23931/Intel-Solid-State-Drive-Data-Center-Tool
manual: https://downloadmirror.intel.com/23931/eng/Intel_SSD_Data_Center_Tool_2_3_x_User_Guide_331961-005.pdf

This is a command line tool. Install the x64 or x32 version. Then run a command prompt as administrator and navigate to c:\isdct

Normally you would run this and expect to get information

C:\isdct>isdct.exe show -intelssd
No results

You will not get information when running it from a Dell server. Dell servers normally have a PERC RAID HBA card between the OS and the drives; PERC is based on the LSI MegaRAID cards.

In the manual, there is this disclaimer:

The Intel SSD DCT does not support SSD Data Center SATA drives behind HBAs (exception: LSI Mega RAID adapters).

So i'm thinking this might work.

The command to enable the LSI adapter is

c:\isdct>isdct.exe set -system EnableLSIAdapter = true
Set EnableLSIAdapter successful.

Results:
1. Dell R610 with a 6/i card

I ran this on a Dell R610 with a 6/i card and then ran the isdct show -intelssd command. After 2 or so minutes, it crashed the server. This can be found in the event logs after rebooting:

Controller event log: Fatal firmware error: Driver detected possible FW hang, halting FW. 

:  Controller 0 (PERC 6/i Integrated)


I couldn't get any further, and had to upgrade the drives on another server and bring them back to this.


2. R710 with a H700 card

I ran it on a R710 with a H700 card and it did complete (although I did get errors in the Wndows System log with any operation)

C:\isdct>isdct show -intelssd
- IntelSSD BTHV503605A9400NGN -
DeviceStatus: Healthy
Firmware: G2010110
FirmwareUpdateAvailable: G2010140
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV503605A9400NGN
Index: 0
DevicePath: LSI4
Bootloader: Property does not exist.

- IntelSSD BTHV50360580400NGN -
DeviceStatus: Healthy
Firmware: G2010110
FirmwareUpdateAvailable: G2010140
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV50360580400NGN
Index: 1
DevicePath: LSI5
Bootloader: Property does not exist.


To run the firmware upgrade you use load and use the index number that it had reported.

C:\isdct>isdct load -intelssd 0
WARNING! You have selected to update the drives firmware!
Proceed with the update? (Y|N): Y
Updating firmware...
Firmware update successful. Please reboot the system.


C:\isdct>

Please note that I lost access to the server after the firmware had completed!

I power cycled the server (server off, wait 5 seconds, turn on) and did the next SSD (after which the server again failed and had to be power cycled). After the reboot I got a good status:

C:\isdct>isdct.exe show -intelssd
- IntelSSD BTHV503605A9400NGN -
DeviceStatus: Healthy
Firmware: G2010140
FirmwareUpdateAvailable: The selected Intel SSD contains current firmware as of
this tool release.
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV503605A9400NGN
Index: 0
DevicePath: LSI4
Bootloader: Property does not exist.

- IntelSSD BTHV50360580400NGN -
DeviceStatus: Healthy
Firmware: G2010140
FirmwareUpdateAvailable: The selected Intel SSD contains current firmware as of
this tool release.
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV50360580400NGN
Index: 1
DevicePath: LSI5

Bootloader: Property does not exist.

Running any isdct operation still showed several Sense and drive not certified errors on the Windows System log though, but they stopped after that.


3. R620 with a PERC H710P Mini

I ran it o a R620 with a PERC H710P Mini

C:\isdct>isdct.exe show -intelssd
- IntelSSD BTHV503605AM400NGN -
DeviceStatus: Healthy
Firmware: G2010110
FirmwareUpdateAvailable: G2010140
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV503605AM400NGN
Index: 0
DevicePath: LSI6
Bootloader: Property does not exist.

- IntelSSD BTHV503602BZ400NGN -
DeviceStatus: Healthy
Firmware: G2010110
FirmwareUpdateAvailable: G2010140
ModelNumber: INTEL SSDSC2BA400G4
ProductFamily: Intel SSD DC S3710 Series
SerialNumber: BTHV503602BZ400NGN
Index: 1
DevicePath: LSI7
Bootloader: Property does not exist.

C:\isdct>isdct load -intelssd 0
WARNING! You have selected to update the drives firmware!
Proceed with the update? (Y|N): y
Updating firmware...
Firmware update successful. Please reboot the system.

C:\isdct>isdct load -intelssd 1
WARNING! You have selected to update the drives firmware!
Proceed with the update? (Y|N): y
Updating firmware...
Firmware update successful. Please reboot the system.

C:\isdct>

This one did not fail on me after the first disk - I was able to run the two firmware upgrades and shut down the server cleanly. I did do power cycle (server off, wait 5 seconds, then turn on) after the firmware upgrades.

4. R610 with a H700 card

I also did this on an R610 with a H700 and the OS failed as well once a SSD was flashed, so it seems to be a problem with the H700 card specifically.




Thursday, August 27, 2015

finding and breaking external excel links

Apart from the great tips all over the internet such as this one

http://tjshome.com/blog/249/guide/excel/accounting

I find very common when using conditional formatting and copy/pasting from one sheet to another that this link gets created with a reference to the original file. Break links doesn't really break them. Find them by clicking on

Home ribbon, Conditional Formatting, Manage Rules

change the "Show formatting rules for:" drop down to "This worksheet" and look for anything referencing a file instead of a rule, like in this case:



Change the formatting and you are set.

Thursday, August 13, 2015

Adding Dell's and HP's download source URLs to VUM to get updates automatically

This is a short and sweet one. By default VMware adds some URLs to VUM: 




Here is the URL to add Dell (very useful if you install the OMSA vib, for example):

http://vmwaredepot.dell.com/index.xml



Don't forget to click on Apply and Download Now if you are in a hurry :)

Check the patch repository, sort by vendor and you will see new vib packages. I do believe it only shows packages applicable to your hardware




HP's is http://vibsdepot.hp.com/index.xml



Monday, April 27, 2015

some gotchas with drac, java and firmware updates

RAC0218: The maximum number of user sessions is reached

this happens when several people have not logged out their sessions - or may have forgotten about them. The obvious answer is to do it from the OS and Open Manage Server Administrator (OMSA) - but what if that is somehow unavailable (esxi, for example). Two levels of solutions without resetting the drac settings:

1) if you are lucky, establishing a SSH session will allow you to login. issue the drac soft reset command to regain web access (racadm racreset soft, press enter, wait for pings to go away and come back)

2) if the SSH session tells you it's also out of sessions (in a message similar to " Server sent disconnect message type 11 " you can still reset the drac without power cycling the server, but need physical access to the server. Hold the i button on the back of the server approximately 20 seconds (until the drac stops pinging). This is a hardware initiated drac soft reset.

***

Upgrading drac firmware fails at 30% (seems more common on generation 11 dell servers (r710, r610) and early versions of firmware)

What solved it for me was finding a server that still ran internet explorer 6. You have to remember that new browsers were not supported until X moment of time and firmware revision, so always test with browsers available at the time the firmware was released, or different browsers. A friend of mine swears firefox always works.

***

Java, you pain in the butt.

The best version of java for accessing Dell stuff (compellent support actually told me this tip) is version 7 update 45, both x86 and x64 versions. It still prompts if you want to upgrade java or do it later, and still runs everything.

If you don't like this solution, and want to use the latest Java, you can do two things:

1) add the drac url to the java trusted sites (Control Panel, Java, Security tab). this is probably the best way to go.
2) lower Java security to the minimum from Control Panel, Java, Security tab

***

After upgrading the drac's firmware, you get

JAR resources in JNLP file are not signed by the same certificate

The solution to this is to open Java in Control Panel and delete the Temporary Internet files :p


I will add as I find from my own experience.

Saturday, March 21, 2015

Reset domain administrator password in directory services restore mode

Ran into this when I booted my lab DC, which I hadn't used often. It wouldn't take my domain administrator password! I remembered this was a brand new DC and I hadn't created any other domain admin passwords - and I just didn't want to spend the time rebuilding it.

Luckily, after rebooting the VM, pressing F8, and going into Directory Services Restore Mode  (DSRM), my pw did work there (do remember that it boots into a login screen where you now can use a local administrator, so change the user to .\administrator ). The only problem is I didn't know what to do next - how to reset the domain\administrator pw.

It took me a while to find it in Google, but here it is. Marc Weisel did an excellent post.

Head over there and read it all - but if you want the summary, here it is:

You basically create a service that will reset the pw on the next boot. The pw has to comply with your domain policy, and you must also change the user if you know you renamed it.

The commands are:

1) Create a service to reset the pw on next boot
2) reboot
3) delete the service


sc create ResetPW binPath= "%ComSpec% /k net user administrator PA$$w0rd94" start= auto
sc delete ResetPW