showing all posts
by lunarg on December 9th 2020, at 11:02
I had an issue where a forwarder service would not work even though all settings were correctly configured (firewall/LM/real server). When troubleshooting using on the LM itself (using tcpdump), I noticed that forwarded requests (from the LB to the real server) were been sent out using the right interface but with the wrong source IP, causing return traffic not to work. As it was a migration from an older Kemp LM, I established the configuration was indeed correct but there was another reason why it was not working.

After some more troubleshooting and comparing against the backup from the original LM (backup files are in fact TGZ-archives and can be unpacked), and found these settings to be  ...
by lunarg on December 9th 2020, at 10:27
To backup Microsoft SQL Server, the account used for VM-side processing (application aware processing) requires certain permissions. Veeam recommends assigning the sysadmin role on the SQL Server but it is also possible to assign minimal permissions on the databases it needs to backup, which is the preferred method for security hardening.

The User Guide for VMware vSphere outlines the required permissions as well but for convenience, I've listed them here as well.

Instance-level roles:

Assign these roles:public


Database-level roles:

Assign these roles:

System databases master and model:db_backupoperator



System database msdb:db_backupoperator

db_dat  ...
by lunarg on December 8th 2020, at 11:52
If the SSL-certificate on your VMware Horizon View Composer server is about to expire, it will have to be replaced. The process is pretty straight forward.

Import the new certificate (in PFX-format) in the Computer certificate store. You can use the MMC snap-in or certutil to accomplish the task. If it's not a publicly signed certificate, you will also need to make sure the intermediate and trusted root CA is imported.

Open an elevated command prompt.

Stop the VMware Horizon Composer service:net stop svid

Navigate to the install location of View Composer. The default location is C:\Program Files (x86)\VMware\VMware View Composer. On a 32-bit machine, leave out "(x86)".

Run t  ...
by lunarg on December 3rd 2020, at 21:21
When downloading files from the internet or copying them from a (foreign) server, these files will be marked as blocked by default.

Each file can be unblocked by right-clicking the file and manually selecting unblock, but what if you have a whole bunch of files to unblock? In that case you can use Powershell:

Get-Item -Path "$env:windir\Fonts\*" -Stream "Zone.Identifier" -ErrorAction SilentlyContinue | % { Unblock-File -Path $_.FileName }

The oneliner above consists of two parts:

The flag that says whether or not a file is blocked is stored in a hidden NTFS-stream called Zone.Identifier, which is stored for each individual file. By looking for those hidden streams,   ...
by lunarg on November 30th 2020, at 16:45
A long standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, there was a certain update introducing something called UNC hardening which caused this behaviour. Although it was expected that this has since been resolved in another Cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to succesfully log on using a domain account you'  ...
by lunarg on November 25th 2020, at 10:12

There are many ways to verify the syntax of a Powershell script (other than running it of course), but the most simple and useful is this one:

Get-Command -Syntax 'path\to\script.ps1'

If the syntax is valid, it will simply return the name of the script. If there are errors, it will provide a detailed syntax error report.

by lunarg on November 16th 2020, at 15:31

Using Powershell, you can quickly verify the status of the replication between domain controllers in Active Directory. This can be used in monitoring to verify a healthy AD replication. This can be run on any domain controller or on another system with RSAT or ActiveDirectory Powershell module.

Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | FT -Auto Server,LastReplication*

To see forest-wide replication, replace -Scope Domain with -Scope Forest.

by lunarg on November 13th 2020, at 16:52
By default, Adobe Reader DC pummels you with all kinds of offers for trial versions and cloud accounts, which can be annoying for yourself and your users. Luckily, it can be turned off through a few well-placed registry keys, as described in the Enterprise Toolkit.

Create the following key(s):HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM (for 32-bit app on 64-bit Windows)

Create these DWORD-values and set them to zero:bDontShowMsgWhenViewingDoc (DWORD) = 0

bShowMsgAtLaunch (DWORD) = 0

bAllowUserToChangeMsgPrefs (DWORD) = 0

Note that the value for bDontSh  ...
by lunarg on November 13th 2020, at 13:30
While heavily deprecated and frowned upon, sometimes you'd still need to use the SMB1 protocol in Windows 10. You can effortless enable this through the GUI (Control Panel → Add/Remove Programs), it may be necessary to install it through scripting (e.g. for automated install). One of the methods is through Powershell.

Enabling the SMB1 client but not the server (or vice versa) is a multi-step process, as it's not possible to "only" enable the SMB1 client. First, you need to enable everything of SMB1, then disable the unneeded sub-features. An important item to disable is the SMB1 Deprecation option, as leaving this enabling could result in the automatic removal of all SMB1 fe  ...
by lunarg on November 11th 2020, at 14:40
I ran into an issue where a local group policy had settings that were not accessible or editable using the conventional Local Group Policy editor (gpedit.msc), causing unwanted settings to be re-applied each time the group policy was refreshed. After a bit of searching around on the internet, I found a Powershell module with the ability to add, edit and remove individual items directly from Registry.pol policy files.

The module PolicyFileEditor can be downloaded and installed easily through Powershell:

Install-Module -Name PolicyFileEditor

As with everything from PSGallery, you need to have NuGet installed and updated.

The module comes with examples on how to use it. It can also be viewe  ...
by lunarg on November 9th 2020, at 16:43
If you are using multi-factor authentication, it is not possible to use the old method of connecting to Exchange Online. You will have to install the Exchange Online PowerShell Module, and use the Connect-ExchangeOnline cmdlet to connect.

With the deprecation of Internet Explorer, the old method below no longer works. Use the method described here to install: Installing Exchange Online Management Powershell cmdlets

Old instructions
Log on to Exchange admin center.

In the left menu, click on hybrid.

Click the configure button for the Exchange Online Remote PowerShell Module. This will start the installation.

In the Application Install that appears, click the Install button.

When using  ...
by lunarg on November 9th 2020, at 16:34

With the deprecation of Internet Explorer, it is currently no longer possible to install the Exchange Online Powershell module via ECP. But you can also install the Exchange Online Powershell module via Powershell itself:

First install the dependencies:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name PowerShellGet -Force

Next install the Exchange Online Management module:

Install-Module -Name ExchangeOnlineManagement
by lunarg on November 4th 2020, at 09:57
Using PowerCLI, you can easily retrieve the status of CPU/Memory hot-add/remove. After logging in (use Connect-ViServer), run this cmdlet:

(Get-VM | Select ExtensionData).ExtensionData.config | FT -Auto Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled

If you only want a list of VMs which have hot-add/remove enabled for either CPU or memory, you can use filters to filter on this:

(Get-VM | Select ExtensionData).ExtensionData.config | ? {$_.MemoryHotAddEnabled -eq $true -or $_.CpuHotAddEnabled -eq $true -or $_.CpuHotRemoveEnabled -eq $true} | Select Name, MemoryHotAddEnabled,CpuHotAddEnabled,CpuHotRemoveEnabled | FT -Auto

To export the result to CSV, replace the FT -Auto in t  ...
by lunarg on November 3rd 2020, at 16:16
It is well-known and well-documented that it's possible to create a bootable USB flash drive allowing you to create an installation media to install or re-install macOS on a Mac. Using the same and native tools, it is also possible to create a bootable ISO image. While you won't be using this very often, it could be handy in several cases (e.g. when running a specific version of macOS in VMware Fusion).

In short, instead of writing to an USB drive, you can create a disk image and write the installer to that image, and then convert it to an ISO image file (technically it's CDR, but in nowadays modern systems they are the same). Subsequently, it is possible to write the ISO to an image (but t  ...
by lunarg on November 2nd 2020, at 13:45
The Intune Certificate Connectors provides users and devices managed by Intune (joined in Azure AD) to (auto-)enroll certificates in an Active Directory Certificate Authority, either on-premise or in Azure. The connector is a piece of software which allows Intune to enroll and issue certificates on behalf of users/devices that aren't joined directly in the local AD but are joined in Azure AD instead, and needs to be installed on a server in the same AD domain as the Certificate Authority.

The installation is outlined here, but it isn't entirely complete as it omits a few requirements. After the installation, you are required to enter the credentials of an account with Azure Global administr  ...
by lunarg on October 30th 2020, at 16:30

In the past, whenever you needed to reset the machine (computer) account password for a computer joined to an Active Directory domain, you could use netdom.exe to perform the task. However, this no longer exists in Windows 10, but luckily, you can now perform the task through Powershell:

Reset-ComputerMachinePassword -Server dc.domain.local -Credential (Get-Credential)

Replace dc.domain.local with the FQDN of a domain controller. You will also be prompted to enter the credentials of a domain admin account (or another account which is delegated to reset computer account passwords).

by lunarg on October 29th 2020, at 09:19
When installing the Remote Desktop Session Host role on a Windows Server, you get a 120 days grace period where you do not need to specify a license server and/or have licenses installed. After the grace period, it is no longer possible to log in with even a single session through RDP, unless you use the admin console (/admin option). Luckily, you can reset this counter by getting rid of a specific key which gets created at the start of the grace period, effectively resetting the grace period counter. This can even be done if the grace period isn't completely over.

Log in directly on the server (or use the /admin option) and fire up regedit.

Navigate to the key: HKEY_LOCAL_MACHINE:\SYSTEM\  ...
by lunarg on October 22nd 2020, at 16:52

When troubleshooting VoIP, it is useful to know the most common responses in SIP messages. Similarly to HTTP, each response to a request contains a response code indicating the status/result of the request. A list of the most common response codes is found here:

by lunarg on October 22nd 2020, at 15:12

Black Manticore has recently been moved to a new webserver. The biggest change was the migration from PHP 5 to PHP 7, which, because of the code's age, broke quite a few things. Because of this, the website has been offline for a good while in September, for which we apologize. Most things have been patched since and we expect everything to operate as expected.

Another issue with the tags was discovered lately, causing tags to be absent from new posts. This has been fixed as of today and all affected posts have been updated. Because of the high amount of different tags, we're planning on performing a reorganization and cleanup of the tags in the very near future.

by lunarg on October 22nd 2020, at 14:39
When running the VMware OS Optimization Tool (OSOT), a lot of optimalization is performed to get the best possible performance out of your VDI environment. This also means certain items will be disabled of which you don't want them to be disabled, including some personalization aspects such as setting a wallpaper or a background color.

It is not possible to revert the change from outside the VDI-build: any settings applied through GPO or DEM do not get applied. This is because the local group policy takes precedence and OSOT sets several optimizations through the local group policy. By changing the local group policy in the golden image itself, you can get rid of some of the lockdowns.

To   ...
showing all posts
« January 2021»
« You only find out who is swimming naked when the tide goes out. »
Warren Buffett