kierankenny.com

Using PowerShell to enable AutoFailback on clustered roles (or VMs in this case) was a procedure I couldn’t find online recently, so I figured I’d fiddle with it until I got it working myself.

First define the names of the roles you want to adjust. In my case, I wanted to configure this for all VMFleet VMs that I’d created for stress-testing, but I wanted to ensure they failed back if or when I rebooted a node, otherwise I’d have to initiate the moves manually should I want to run another post-tweak test.

$vms = Get-ClusterGroup | ? Name -match "vm-base"

1	$vms = Get-ClusterGroup \| ? Name -match "vm-base"

For each cluster group in that list, set the autofailbacktype to 1

$vms | % {$_.autofailbacktype = 1}

1	$vms \| % {$_.autofailbacktype = 1}

That’s it. You can check that it worked by running:

Get-ClusterGroup | select Name,AutoFailbackType

1	Get-ClusterGroup \| select Name,AutoFailbackType

or by opening the role properties in Failover Cluster Manager and looking at the Failover tab:

26Sep

Disable NLA for RDP remotely

26 Sep 2018 Kieran Kenny Leave a comment

Useful when RDP won’t connect because NLA is an issue, or domain trust issues are present. If the remote OS is still accessible via PowerShell and your current user is also an administrator on the remote OS, try:

$ComputerName = "remotehostname"
(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

1 2	$ComputerName = "remotehostname" (Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Change the 0 to a 1 to re-enable.

25Sep

Using DPM to backup data on a Cluster Shared Volme

25 Sep 2018 Kieran Kenny Leave a comment

I was having difficulty recently backing up data stored on a shared VHD, presented to two load balanced web-servers as a CSV (VMs configured as a guest fail-over cluster atop a standard failover cluster). DPM couldn’t expand the 'C:\Cluster Storage\Volume1' directory to back up the data therein. Selecting the parent folder in DPM resulted in an empty backup set, so clearly DPM wasn’t able to recursively enumerate the files and folders I needed. Information for this scenario online was severely lacking. Questions were asked on usual forums but no workable answers were given. So what were my options?

I could change the way the web servers are clustered, from a load-balanced active/active arrangement, to a clustered VM maybe. This wasn’t ideal and effectively involved a complete redesign as to how the web services were presented on the network layer, i.e. removing the load balancer and instead hosting it as a single HA VM, not the intended design and not 100% ideal.

I attempted to create a symlink between 'C:\datadir' and 'C:\Clustered Storage\Volume1\datadir' , and while Windows could use this path without issue, and I could browse and select the sub-folders when configuring the backup in the DPM management console, I discovered that this specific backup set was still empty, despite a lovely green tick appearing in DPM. Notably, the allocated storage figure didn’t reflect the content selected either.

So I spent some time looking for ways around this. After all, this was sensitive data that needed to be backed up. I didn’t want to cluster the VMs just to achieve this. They were also intentionally deployed with a numeric affiliation with their respective hosts, e.g. web1 was on hv1, web2 was on hv2, etc. I know I could have configured anti-affinity rules, but that was just too much of a headache for something that should be simple.

Eventually, I discovered that if I selected one (or more) child-folder of the symlinked folder, it would backup correctly; some good news at last. However, selecting the parent folder broke the backup again. That was key. I needed to be able to select the parent folder so that newly created sub-folders would be backed up without manually adding them to DPM. So I tried creating a second symlink this time between 'C:\datadir2' and 'C:\Clustered Storage\Volume1' . Now in DPM if I added 'C:\datadir2\datadir' to the protection group it would backup recursively.

16Apr

Adding non-privileged users as Hyper-V Administrators

16 Apr 2018 Kieran Kenny

These three commands will allow you to grant Hyper-V VM management permissions to non-privileged or quasi-privileged users, i.e. users who won’t inherit these particular rights automatically.

This is useful for Hyper-V Server where you wont have a GUI to perform user/group changes, and if you can’t use Group Policy to achieve the same results. This will allow the specified users to connect from a remote Hyper-V Manager console.

On the HV to be managed, run:

net localgroup "Hyper-V Administrators" /add DOMAIN\UserGroup
net localgroup "Remote Management Users" /add DOMAIN\UserGroup
net localgroup "Remote Desktop Users" /add DOMAIN\UserGroup

net localgroup "Hyper-V Administrators" /add DOMAIN\UserGroup

net localgroup "Remote Management Users" /add DOMAIN\UserGroup

net localgroup "Remote Desktop Users" /add DOMAIN\UserGroup

11Dec

Scheduling a task from command line

11 Dec 2017 Kieran Kenny

Very useful one-liner. Run from CMD, rather than PS:

Schedule once:

schtasks /create /tn "reboot" /sc once /sd dd/MM/yyyy /st HH:mm /rl&nbsp;&nbsp;highest /ru username /tr "shutdown -r -t 0" /f

1	schtasks /create /tn "reboot" /sc once /sd dd/MM/yyyy /st HH:mm /rl  highest /ru username /tr "shutdown -r -t 0" /f

Schedule daily:

schtasks /create /tn "reboot" /sc daily /sd dd/MM/yyyy /st HH:mm /rl&nbsp;highest /ru username /tr 'powershell C:\folder\script.ps1' /f

1	schtasks /create /tn "reboot" /sc daily /sd dd/MM/yyyy /st HH:mm /rl highest /ru username /tr 'powershell C:\folder\script.ps1' /f

18Aug

Enable/Disable Duo for console sessions

18 Aug 2017 Kieran Kenny

To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value in

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value	Type	Description
RdpOnly	DWORD	Set to 1 to protect RDP logons only or 0 to protect both RDP and local console logons.

When modifying the RdpOnly registry value on a Windows 2003 or XP system a reboot may be required to make the change effective.

3Feb

List users with UPN’s that don’t match their email address.

3 Feb 2017 Kieran Kenny

List users with UPN’s that don’t match their email address.

Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=domain,DC=local' -Properties EmailAddress | where { ($_.UserPrincipalName -ne $_.EmailAddress) -and ($_.Enabled -ne $false) } | FT Name,SamAccountName,UserPrincipalName,EmailAddress

1 2	Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=domain,DC=local' -Properties EmailAddress \| where { ($_.UserPrincipalName -ne $_.EmailAddress) -and ($_.Enabled -ne $false) } \| FT Name,SamAccountName,UserPrincipalName,EmailAddress

Consistency saves confusion when performing migrations, ADFS password resets, logging in to O365, etc.