Tuesday, November 13, 2018

Cloud Witness option is disabled in Failover Cluster

I had my SQL Server Cluster AG up and running and using the local File Witness Sharing, but later on I decided to move witness to the Azure cloud as I need to expand my cluster to a DR Site.
When I try to change the cluster quorum setting to I got this
There is no indication why, nothing in the windows event log, or cluster log.
I tried to use Powershell to change the setting using the command in the following URL

Set-ClusterQuorum -CloudWitness -AccountName -AccessKey
But I got the following error message

Set-ClusterQuorum : The current cluster functional level does not support cloud witness. Please update your cluster
nodes to Windows Server 2016.
At line:1 char:1
+ Set-ClusterQuorum -CloudWitness -AccountName -AccessKey 

In Windows 2016, its possible to have multiple OS in the same cluster like Windows 2012 and 2016, this will force the cluster to operate in a lower function level for the compatibility reasons.
To address this issue we need to raise the Cluster Function Level using the following command 
Update-ClusterFunctionalLevel and press enter
after running this command and confirm the changes to the function level, I was able to configure the cloud witness via the GUI :)

Sunday, June 24, 2018

Powershell: Test RPC Connection and the RPC higher ports

I had an issue in troubleshooting the RPC connection between two networks.
Services that use RPC will connect to the destination server on port 135 and obtain the list of higher random RPC ports.

The script will connect if used with no parameter to localhost, or can be called using the -Servername parameter and set the computer you want to scan.
You will need to download a tool named PortQry The script will use this tool in the discovery after the script gets the list of services, it will run a test-netconnection on the port and return a True if it was reachable
NOTE: Please make sure that the Portqry.exe is in the following path "C:\PortQryV2\


if (Test-Path "C:\PortQryV2\"){

        $RPCPorts=  C:\PortQryV2\PortQry.exe -e 135 -n $Servername  | findstr "ncacn_ip" | Select-Object -Unique
            if ($RPCPorts.length -eq 0){
                Write-Host "No output, maybe incorrect server name" -ForegroundColor Red
        ForEach ($SinglePort in $RPCPorts){
        $porttocheck=$porttocheck.Remove($porttocheck.Length -1)
        $Result=Test-NetConnection -ComputerName $Servername -Port $porttocheck
        Write-Host "Port health for $Servername on port $porttocheck is " -NoNewline
        Write-Host $Result.TcpTestSucceeded -ForegroundColor Green

        Write-Host $_.Exception.Message -ForegroundColor Red


    Write-Host "PortQry is not found"

The output should look similar to this

Thursday, July 13, 2017

Get All Windows Services account that are configured to use a domain account in the trusted network

This small script will get all the services that are configured with a RunAs account
The service will be using several possible accounts like LocalSystem , Network Services.. and also a domain account.
The common thing is the service that will be using a domain account should have the UPN (FQDN) or SamAccountName (NetBIOS)

$Netbios=(Get-ADDomain).NetBIOSName #Get the Domain NetBIOS Name
$fqdn=(Get-ADDomain).dnsroot #Get the Domain FQDN Name

#The WMI Query that will be used
$WMIQuery="select * from Win32_Service where startname like '$Netbios%' or startname like '%$fqdn'"

#Getting computer list from AD, you can use the filter that fit your criteria, in my case, I have used a computer name as my filter criteria, you can use the search base.
Then I am executing the gwmi Get-WMIObject on the computer I got from the pipeline 
Get-ADComputer -Filter {name -like "*MyServers*"} | foreach {gwmi -ea SilentlyContinue -ComputerName $_.DNSHostName -Query$WMIQuery}  |ft -AutoSize SystemName,caption,startname 

The result should be something like this.

SystemName                       caption                                         startname        
----------                               -------                                             ---------        

HQ-SRV-N1       SQL Server Reporting Services                  Domain\report

Friday, January 13, 2017

Microsoft Direct Access Failed After Migration, V2V,P2V or changing nic adapter

To make long story short.
This happense because the Network Adapter (NIC) GUID in the GPO is not exist in the server.
Backup the DirectAccess Server GPO.
Edit the registry.pol (using 3rd party software)
Import it again to the server.
Enjoy your weekend

Full Story.
You are using MS DA (Microsoft Direct Access) and users are happy (as well as you hopefully).
But in some cases were you have to perform V2V or P2V or what ever kind of migration from one server to another, or from one hypervisor to anohter.
After the a successful VM migration, you start with the hypervisor tools install/upgrade.
Add the IP address to the nics and the server seems to be OK.
But DA failed and client are stucked in Connecting... state. 

So whats going on.
- DA Store its configuration as a GPO and link it with the top level domain, and use Security Filter to apply the settings to the DA Server.
All DA settings are stored in the GPO and so the IP Addresses and GUID for the network interface used.
As new drivers are presented to the server DA Server, a new Network Drivers are also presented with new GUID, which simply dont match the one in the GPO.
The Server will try to apply the GPO setting and will find a mismatch and will failed to apply the policy.
So if you open DA console > Operations Status

Click on DirectAccess and VPN

Click on Remote Access Server
You may find the configuration mismatching with the correct configuration and also you cannot change any option, its all grayed out.

Continuing the wizard and trying to apply the policy will failed.

How to Fix
As I mention earlier, the Network GUID stored in the GPO are for the old NIC which are no longer exist.
Open the DA GPO > Settings > Policies > Administrative Templates > Extra Registry Settings.
and write down the following 

This is the GUID for the old NIC and we need to update these value with GUID for the new NIC 
To Get the Current GUID that are assigned with each network interface, use the following powershell command

Get-WmiObject -Query "select * from win32_networkadapter" | select GUID,NetConnectionID | where {$_.GUID -notlike $null} | ft -AutoSize

The return result are something like:
GUID                                   NetConnectionID
----                                           ---------------
{3DD2D838-35A2-4E05-8A4A-364F8801FCA5} External (The External Interface)
{5D946A6A-63A5-4FFA-951D-A7421EA2068D} Internal (The Internal Interface)

These GUID should be updated in the GPO, and as I did not find a way to directly edit (Extra Registry Settings), I backup DA GPO, and save it some where.
To update these value we need to download and install the following application Registry Workshop
Run the application and open the location you stored the backup GUID\ Domainsysvol\GPO\Machine\Registry.pol
Expand the tree to the following directory

double click on InternalInterface and replace it with the new GUID you get from the powershell script, and same for the InternetInterface, save the file and close the application.
make sure that the replication is finished.
Run Gpupdate /force /target:computer
Open again Remote Access Management (DA Console) > DirectAccess and VPN > Remote Access Server and you will see the configuration are now correct
Click next and update with the correct values

happy working Direct Access
You may get a DNS Warning, just simple remove the DNS Servers from the Infrastructure Server and re-add them.

Wednesday, October 26, 2016

A File I/O error occurred while accessing ". VMWare Converter

I like VMWare converter as it save a lot of time when it come to P2V or V2V.
Recently I faced a strange error
I checked that I ran the application as Administrator and have full permission on the machine and on the vCenter.
To make long story short.
It was a DNS Settings on the nic interface Issue
even I used vCenter IP address insted of name, but it seems that the converter is doing a reverse lookup for a reason, maybe some certificate validation.
once I updated the DNS settings on the nic, the converter continue normal and was sucess

Monday, October 24, 2016

Enter Maintenance Move For ESXi Standard using PowerCLI

I dont know why ESXi Standard Edition had some dummy limitation.
Like when i wana place a server in maintenance mode, I have to manually move all the VM to another server and then it can go to maintenance mode.
its really something silly, as its a very basic feature. anyway
I made a quick script that can migrate all VMHost to another and place the server in maintenance mode.
the script also will do basic check to see if the destination server can handle the load


    if ($global:DefaultVIServer.count -eq 0){
        write-host "Please Connect to vCenter using Connect-VIServer first" -ForegroundColor Green

    write-host "Performing Server Basic Readiness"
    [int]$FreeRAMOnDestServer=(Get-VMHost -Name $ToVMHostName -ErrorAction Stop).MemoryTotalGB - (Get-VMHost -Name $ToVMHostName -ErrorAction Stop).MemoryUsageGB
    [int]$UsedRAMOnSourceServer=(Get-VMHost -Name $FromVMHostName -ErrorAction Stop).MemoryUsageGB
    if ($FreeRAMOnDestServer -le $UsedRAMOnSourceServer){
    Write-Host "No enough memory on the destination server for migration to complete" -ForegroundColor Red

    $VmOnHost=Get-VM -ErrorAction Stop| where{$_.host -like $FromVMHostName}
        foreach ($sVM in $VmOnHost){
        Write-Progress -Activity "Migrating VM... Please Wait" -Status "Moving $sVM To $ToVMHostName" -PercentComplete ($I/$VmOnHost.Count*100
        Move-VM -VM $sVM.Name -Destination $ToVMHostName


    Catch [exception]{
        Write-Host $_.Exception.message


if ((Get-VM | where{$_.host -like $FromVMHostName}).count -eq 0){Set-VMHost $FromVMHostName -State Maintenance}


If you have any comment or update for this. let me know in the comment
also give a thumb up if you like :)

Monday, May 2, 2016

VMWare PowerCLI - Connecting to Esxi Server and get ESXi hosts Part 2

In part 1 Getting command and remote connection, I write about how to import PowerCLI modules to be able to execute commands.
Now I will write about how to connect, and where.
Depend on the requirement, you may want to connect to ESXi host or vCenter in order to perform an operation.
Most of the operation can be executed direct after connecting to vCenter, but incase and for a reason vCenter is not available you might connect direct with ESXi Host insted of connecting to vCenter.
Lets assume that we want connect to vCenter and get all the host in all the clusters.
We can use the following commands

#Import Vmware Module
Add-PSSnapin VMware.VimAutomation.Core
#We Will ask the user to write the username and password for vSphere, you can comment this line if your
#vCetner is joined to the domain and you are connected to a domain joined computer
$viCredential = Get-Credential -Message "Please Write your vCenter username and password"
#This command will be used to connect to Esxi Server or vCenter
#You can remote the -Credential $viCredential, if your using domain joined computer and your vCenter is
#Joined to the domain
Connect-VIServer MyvCenterServer -Credential $viCredential
#Get all the Servers in the vCenter in all clustered
Get-VMHost | Format-Table -AutoSize name, NumCpu, ConnectionState
#Close the remote connection
Disconnect-VIServer * 

As you can see the main steps are
1- Make sure that you have the module or import then as I explained in part 1
2- Connect-VIServer is used to connect with ESXi host or with the vCenter, in my case I will connect with vCenter
you can remove the -Credential $viCredential if your Esxi hosts and vCenter are joined to the domain and the computer you are using is domain joined computer.
Get-VMHost can be used to get Esxi hosts piping this command to Format-Table it mean that we want to have custom properties in the returned table.
-Autosize will make the columns close to each other.
name, NumCpu, ConnectionState, are properties we want show in the table.
The output will be something like this

Name              NumCpu ConnectionState
----              ------ ---------------
esxi01.lab.local     32       Connected
esxi02.lab.local     32       Connected
esxi03.lab.local     32       Connected
esxi04.lab.local     32       Connected
esxi05.lab.local     32       Connected
esxi06.lab.local     32       Connected
esxi07.lab.local     32       Connected
esxi08.lab.local     32       Connected
esxi09.lab.local     32       Connected
esxi10.lab.local     32       Connected
esxi11.lab.local     32       Connected
esxi12.lab.local     32       Connected
esxi13.lab.local     32       Connected
esxi14.lab.local     32       Connected
esxi15.lab.local     32       Connected
esxi16.lab.local     32       Connected

Disconnect-viserver * will disconnect all the open session to all VI Servers (ESXi host or vCenter).

If you want to show different properties in the table, you can Pipe Get-VMHost to get-member
so the command will be like Get-VMHost | get-member
Just Run the command above after you connect to vCetner, the result will be like the following

Name                  MemberType
----                  ----------
ConvertToVersion          Method
Equals                    Method
GetHashCode               Method
GetType                   Method
IsConvertableTo           Method
LockUpdates               Method
ToString                  Method
UnlockUpdates             Method
ApiVersion              Property
Build                   Property
Client                  Property
ConnectionState         Property
CpuTotalMhz             Property
CpuUsageMhz             Property
CustomFields            Property
DatastoreIdList         Property
DiagnosticPartition     Property
ExtensionData           Property
FirewallDefaultPolicy   Property
HyperthreadingActive    Property
Id                      Property
IsStandalone            Property
LicenseKey              Property
Manufacturer            Property
MaxEVCMode              Property
MemoryTotalGB           Property
MemoryTotalMB           Property
MemoryUsageGB           Property
MemoryUsageMB           Property
Model                   Property
Name                    Property
NetworkInfo             Property
NumCpu                  Property
Parent                  Property
ParentId                Property
PowerState              Property
ProcessorType           Property
State                   Property
StorageInfo             Property
TimeZone                Property
Uid                     Property
Version                 Property
VMSwapfileDatastore     Property
VMSwapfileDatastoreId   Property
VMSwapfilePolicy      Property

You can add any Property value to the pipe, lets assume u wana get a list of VMHost in a table and view only PowerState,Name,ProcessorType        

#Import Vmware Module
Add-PSSnapin VMware.VimAutomation.Core
#We Will ask the user to write the username and password for vSphere, you can comment this line if your
#vCetner is joined to the domain and you are connected to a domain joined computer
$viCredential = Get-Credential -Message "Please Write your vCenter username and password"
#This command will be used to connect to Esxi Server or vCenter
#You can remote the -Credential $viCredential, if your using domain joined computer and your vCenter is
#Joined to the domain
Connect-VIServer MyvCenterServer -Credential $viCredential
#Get all the Servers in the vCenter in all clustered
Get-VMHost | Format-Table -AutoSize PowerState, Name, ProcessorType
#Close the remote connection
Disconnect-VIServer * 

VMWare PowerCLI - Getting command and remote connection Part 1

Recently we purchase VMware ESXi 6.0 Standard Edition, we did not go for Enterprise Plus edition which have the DRS and other nice feature due to budgets issue.
In my environment we have 16 ESXi host configured as 3 cluster
- Production
- MGMT (vCenter - SRM - vOps)
After installing ESXi, it come the boring part which is doing the configuration 16 time for each host as we dont have DRS
The Configuration include the following:
  • vSwitch
    • NIC Teaming Policy
    • VMKernel
    • Security Profiles
  • Virtual PortGroup
    • I have a lot.. 
  • NTP Configuration
  • Start and stop services
And other details, doing this on server by server is a real time wasting, luckily VMWare have PowerCLI which is a Powershell module for ESXi, you can download and read about it here
As any other module or new module I have to work with the first thing to do is to import the module and discover its commands.
Run the following command on the computer were you install PowerCLI

    Get-Module -ListAvailable -Name vmware* | select name

The result will return the following modules


The main module we will use it VMware.VimAutomation.Core, which include almost everything we need
you can import the module using PowerShell_ISE 

Once you import the module you will be able to see the module name in the module list, by selecting it all the command will appear in the list which will make your life easier.
Or if you want you can use the PowerCLI itself to access the ESXi Command and list them by using
get-command -Module VMware.VimAutomation.Core

Now you are ready to go :)

If you dont have PowerCLI installing in your computer and u wana import the command from remote server that have ESXi modules installed, you can use the following script

$RemoteCLI = New-PSSession -ComputerName PowerCLIServer
Invoke-Command -Session $RemoteCLI -ScriptBlock { Import-Module VMware.VimAutomation.Core }
Import-PSSession $RemoteCLI

Now you have ESXi Powershell modules and you can use then to execute and ESXi command

In My Next Post I will write about also basic understanding for PowerCLI and how to start using its commands

Hope this help

Like it, Share it, or comment on what you want
Hope this help as a start yet more interesting information are coming.

Friday, April 17, 2015

You need to type your username and password when browsing website directly from the IIS Server, but from another client computer it work normally

You are in your office, you login to Windows Server that host IIS, and browse a hosted website which is Windows Authentication Enabled using the configured host header "Lets say the website Host Header is CompanyProtal".
You are prompted to type your username and password.
You open your client computer and try to access the same site by using the configured host header, and the site work correctly without having to write your username and password.

In a close look to Windows Security Event Log you will see a failed login event recorded
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

If you try to bind the site with IP address (Not loopback address)it will work as expected.

So whats going on?
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

So do you need it?
The recommendation is yes, but for some reason you may need to turn it off, maybe some websites are communicating on the server using the some custom host header.

How to Disable it.
Like most of Microsoft tweaks, its a registry value that you change.

There are 2 type to workaround:
1- Recommended which to specify the host names
2- Totally disable the loopback check (Not recommended).

So Lets start
Method 1: Specify host names (Preferred method if NTLM authentication is desired)

  1. Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  2. Right-click MSV1_0 and select New->Multi-String Value.
  3. Type “BackConnectionHostNames” as the name and press Enter.
  4. Right-click the newly created entry and select Modify.
  5. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK
  6. Quit Registry Editor, and then restart the IISAdmin service.

Method 2:
This method will totally disable the loopback back and its not recommended in your production, you may use it in development or testing environment 
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. Right-click Lsa, point to New, and then click DWORD Value.
  5. Type DisableLoopbackCheck, and then press ENTER.
  6. Right-click DisableLoopbackCheck, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Quit Registry Editor, and then restart your computer
Or use Powershell Command 

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword

Hope that help

Wednesday, February 4, 2015

Read and Export Folder ACL using Powershell

Good day
I have a small old file server with 2 TB of users data and I dont which users have which permission on the folder structure.
There are some tools but most of them are paid, but even in some paid tools I wont be able to do some filtering like exclude Inherided Folder or do not include some certain account like "System or Creator Owner...", so why to buy anything when there is PowerShell
I wrote a script that will read all the folder tree and then export it to csv file
This script have 4 Parameters

.PARAMETER $PathToScan Write the Folder Path you want to scan

.PARAMETER $PathToSaveResult
After Finish scanning the Script will save result to CSV, Please write the full path to store the result

.PARAMETER $IncludeInheritedFolder
Whether or not to include Inherited Objects, Accpted values $True or $False

.PARAMETER $SysBuiltin
Whether to include System account "NT Authority and Builtin" accounts, Accpted values $True or $False

To use the Script:

GetACL.ps1 -PathToScan C:\FolderToScan -PathToSaveResult C:\MyOutput.csv -IncludeInheritedFolder $TRUE or $FALSE -SysBuiltin $TRUE or $FALSE

Always make sure you are running the lastest version of PowerShell and .Net Framework

        [Parameter(Mandatory = $true,
             HelpMessage = 'Write the Folder Path you want to scan')]
        [Parameter(Mandatory = $true,
             HelpMessage = 'After Finish scanning the Script will save result to CSV, Please write the full path to store the result')]
        [Parameter(Mandatory = $true,
             HelpMessage = 'Whether or not to include Inherited Objects, Accpted values $True or $False ')]
        [Parameter(Mandatory = $true,
             HelpMessage = 'Whether to include System account "NT Authority and Builtin" accounts, Accpted values $True or $False')]
$Folderslist = Get-ChildItem $PathToScan -Recurse -Directory #Read all the folder details with the subtree
$Myobj = New-Object -TypeName PSObject #Create an object to save the returned result

Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Username -Value $null 
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name AccessType -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Righttype -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Path -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Inherited -Value $null

foreach ($singleFolder in $Folderslist) #To read Each Folder Details from $Folderslist
        $Access = Get-Acl -Path $singleFolder.PSPath | select $singleFolder.PSPath -ExpandProperty access #Read the Access property which hold the users ACL
        foreach ($single in $access) #As $Access are array, we need to read objects 1 by 1 and store them in $MyObj
            $Myobj.Path = Convert-Path $singleFolder.PSPath 
            If ($SysBuiltin -like "True") { $Myobj.Username = $single.IdentityReference } #If $SysBuiltin Param was $True then Include all the value in the $access.IdentityReference "IdentityReference is the user object"
            if (($SysBuiltin -like "False") -and (($single.IdentityReference -like "NT AUTHORITY*") -or ($single.IdentityReference -like "BUILTIN\*") -or ($single.IdentityReference -like "*CREATOR OWNER*"))) { continue } #if SysBuiltin Param was $False then do not include these users or group
            $Myobj.AccessType = $single.FileSystemRights #What Kind of Access IdentityReference "User / Group Have"
            $Myobj.Inherited = $single.IsInherited #Store the Inheritance value
            If ($IncludeInheritedFolder -like $true) { $Myobj.Inherited = $single.IsInherited } 
            if (($IncludeInheritedFolder -like $false) -and ($single.IsInherited -like $true)) { continue } #If $IncludeInheritedFolder was $False, Do not parse retured result with Inherited items
            $Myobj.Righttype = $single.AccessControlType
            $Myobj.Username = $single.IdentityReference
            Export-Csv -InputObject $Myobj -Append -Path $PathToSaveResult -NoTypeInformation -Encoding UTF8 #Save the result to the Path as in $PathToSaveResult
    Catch #Catch Any Error and write it
        Write-Host $Error[-1].Exception