Archive for June 2014

Using the partedUtil command line utility on ESXi and ESX


What is the partedUtil Utility?

You can use the partedUtil command line utility to directly manipulate partition tables for local and remote SAN disks on ESX and ESXi. From ESXi 5.0 onwards, partedUtil is the only supported command line tool for disk partitioning; the fdisk utility does not work with ESXi 5.0.

Note: VMFS Datastores can be created and deleted using the vSphere Client connected to ESX/ESXi or to vCenter Server. It is not necessary to manually create partitions using the command line utility.

Caution: There is no facility to undo a partition table change other than creating a new partition table. Ensure that you have a backup before making any change. Ensure that there is no active I/O to a partition prior to modifying it.

We came across this tool when we had issues deleting a datastore. It was recommended we try deleting the partition on the datastore which allowed us to completely remove it from vCenter in the end.

What actions can partedUtil do?

  • Retrieve a list of disk devices:
  • ls /vmfs/devices/disks/

[Screenshot: partedUtilb (2)]

  • Print an existing partition table:
  • partedUtil getptbl "/vmfs/devices/disks/DeviceName"

[Screenshot: partedUtilb (1)]

  • Delete a partition from the partition table:
  • partedUtil delete "/vmfs/devices/disks/DeviceName" PartitionNumber

[Screenshot: partedUtil3]

  • Resize a partition:
  • partedUtil resize "/vmfs/devices/disks/DeviceName" PartitionNumber NewStartSector NewEndSector

[Screenshot: partedUtil4]

  • Create a new partition table:
  • partedUtil setptbl "/vmfs/devices/disks/DeviceName" DiskLabel ["partNum startSector endSector type/guid attribute"]*

[Screenshot: partedUtil6]

Links

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1036609

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008021


Setting up a Mandatory Roaming Profile on 2008 R2


What is a Mandatory Roaming Profile?

A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

Only system administrators can make changes to mandatory user profiles.

This has advantages and disadvantages:

Advantages

  • Since mandatory profiles are read-only, a single mandatory profile can be used for large groups of users. Storage requirements are minimal – a single mandatory profile is kept on the file servers instead of thousands of roaming profiles.
  • Users cannot interfere with a mandatory profile. As soon as they log off and back on, everything is reset to its original created state.
  • Because a mandatory profile can be used for large groups of users, very few mandatory profiles are needed. This makes manual customization possible. Adding a link here and changing a registry value there poses no problems at all. Compare this to thousands of roaming profiles – carefully fine tuning each profile is out of the question for the huge amount of work involved.
  • Mandatory profiles must not contain user-specific data. That makes them very small. As a result, logons are fast since the amount of data that needs to be copied over the network is negligible.

Disadvantages

  • Users like to customize their own work environment in some way or another. These customizations are stored in the user profile. With mandatory profiles, any changes are discarded upon logoff. This can annoy users who have saved work only to find it gone on their next logon, but with education this can become a business process that everyone adheres to.
  • Mandatory profiles are difficult to create. Although the process looks pretty straightforward at first, it is hard to get exactly right. Do not underestimate the amount of tuning required.

Instructions on setting up a Mandatory Roaming Profile

  1. Create a folder called Profiles on one of your servers
  2. Right click on the folder and select Properties
  3. Click Sharing > Advanced Sharing
  4. Put a tick in Share this folder

[Screenshot: Roaming1]

  • Select Permissions, remove the Everyone group, and add Authenticated Users with Read permissions and Administrators with Full Control

[Screenshot: Roaming2]

  • Click OK and click Security to set the NTFS Permissions on the folder
  • System should have Full Control
  • Administrators should have Full Control
  • Authenticated Users should have Read and Execute

[Screenshot: Roaming4]

  • Inside the Profiles folder you need to create a folder which will house your Mandatory Roaming Profile account. See below. It needs to have .v2 added on to the end of its name (for example mandatory.v2)

[Screenshot: Roaming5]

  • Create a new user account in Active Directory for the profile. I called mine Mandatory
  • Add the security groups you need for this account

[Screenshot: Roaming3]

  • Next you will need to log on to a server as your mandatory profile account and configure the necessary customisations. For example, put shortcuts on the desktop, pin applications to the Start menu, open applications and configure settings, etc.
  • When you have finished customising then you will need to log off
  • Next log on with a different Administrator account
  • Click Start > Right click on My Computer and select Properties. Select Advanced System Settings
  • Click Settings under User Profiles

[Screenshot: Roaming6]

  • You will then see your profiles. I have left my mandatory one highlighted for visibility.
  • Then I encountered a problem. It turns out that in Windows 2008 R2 and Windows 7, Microsoft has disabled the "Copy To" button on the User Profiles screen. See the link below for more information, but carry on for now. You can read this later as well.
  • http://support.microsoft.com/kb/973289

[Screenshot: Roaming7]

  • I have found a way to get round this by using a piece of software called Windows Enabler. You will need to download and extract this to the server where the profile is. It should look like the screenprint below

[Screenshot: Roaming8]

  • Right click on Windows Enabler and select Run as Administrator
  • Once you have started the Windows Enabler application you will notice a new icon in the system tray.
  • Make sure you click on it once to enable the application. You will see a small message appear on the icon when you have enabled it
  • Click Start > Run and type sysdm.cpl

[Screenshot: Roaming10]

  • Navigate to the Advanced tab | User profiles | Settings
  • Click on the desired profile and you will notice that the 'Copy To' button is disabled
  • Click on the Copy To button and you will notice it will become enabled
  • Click Copy To and the following box will pop up

[Screenshot: Roaming11]

  • Click Browse and browse or type the location where you set up the folder share \\server\profiles\mandatory.v2
  • Click on Permitted to use > Change and select Everyone

[Screenshot: Roaming12]

  • You will get a message come up as per below screenprint

[Screenshot: Roaming13]

  • If it errors after this message then the account you are trying to use to copy the profile does not have access to the \\server\profiles\mandatory.v2 folder
  • When it has copied, have a look at the share and check you have all your user profile folders there

[Screenshot: Roaming14]

  • Next you need to look for a file called NTUSER.DAT in the profile folder
  • You may need to open Folder Options and deselect Show Hidden folders, Files and Drives and possibly Hide Protected Operating System Files

[Screenshot: Roaming15]

  • You will then see it in the Profile folder

[Screenshot: Roaming16]

  • Leave this for now, go to Start > Run > regedit and highlight HKEY_LOCAL_MACHINE

[Screenshot: Roaming20]

  • Click File > Load Hive > Select ntuser.dat

[Screenshot: Roaming21]

  • In Load Hive, enter the key name for the hive; I used the username, mandatory

[Screenshot: Roaming22]

  • You will see the profile as per below screenprint

[Screenshot: Roaming23]

  • Right click on the mandatory key and select Permissions

[Screenshot: Roaming24]

  • Add Domain Admins with Full Control and tick "Replace all child object permissions with inheritable permissions from this object"
  • Add Authenticated Users with Full Control and replace all child object permissions in the same way
  • See the screenprint below

[Screenshot: Roaming26]

  • Now we need to unload the hive. Go to File > Unload Hive

[Screenshot: Roaming27]

  • Now go back to your mandatory profile folder and we need to rename ntuser.dat to ntuser.man. When you have renamed it, it should look like the below (ntuser.man)

[Screenshot: Roaming17]

  • Next, delete the Local and LocalLow folders from the AppData folder if they exist. They are local profile folders and are unneeded
  • Next we need to configure a Group Policy to enable the mandatory profile for Remote Desktop Services
  • Open up GPMC
  • Create a new GPO and attach it to your Terminal Server/RDS OU
  • Add the RDS Servers into the scope along with Authenticated Users
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles > Use Mandatory Profiles on the RD Session Host Server

[Screenshot: Roaming19]

  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles > Set Path for Remote Desktop Services Roaming User Profile > Enabled
  • In the same setting, set the path to \\servername\profiles\mandatory (do not include the .v2 on the end of the profile folder name)

[Screenshot: Roaming31]

  • You now need to run a gpupdate /force on the Domain Controller and on the Terminal/RDS Servers to refresh Group policy
  • Now test logging on to an RDS Server. You will be able to save a document, say into My Documents, but if you log off and log on again you will find it has gone
  • If you go to Start > Run > sysdm.cpl > Advanced > User Profiles > Settings and check the user profile you have logged on with (in my case Eskimo1), you should see that the type of profile is now mandatory

[Screenshot: Roaming29]

  • Congratulations. You have set up a Mandatory Roaming Profile 🙂
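Once the steps above are done, it is easy to end up with a profile that is not actually mandatory (the hive still named ntuser.dat, a writable share, or the GPO not applied). The following PowerShell script is an added check, not part of the original post; the share path, profile folder name and the registry value names written by the two RDS policies (UseMandatoryProfiles and WFProfilePath under the Terminal Services policy key) are assumptions to adjust for your environment.

```powershell
# Added verification script (not from the original post). Run on the file
# server for the share checks and on an RD Session Host for the policy check.
param(
    [string]$ProfileFolder = '\\server\profiles\mandatory.v2',   # assumed folder with .v2 suffix
    [string]$SharePath     = '\\server\profiles'                  # assumed share root
)

$findings = @()

# 1. The hive must be the read-only .man copy. If ntuser.dat is still there the
#    profile loads as an ordinary roaming profile and user changes are saved.
if (-not (Test-Path (Join-Path $ProfileFolder 'ntuser.man'))) { $findings += 'ntuser.man missing' }
if (Test-Path (Join-Path $ProfileFolder 'ntuser.dat'))        { $findings += 'ntuser.dat still present' }

# 2. Local and LocalLow hold machine-local data and should have been deleted.
foreach ($d in 'AppData\Local', 'AppData\LocalLow') {
    if (Test-Path (Join-Path $ProfileFolder $d)) { $findings += "$d should be removed" }
}

# 3. NTFS permissions on the share root: no Everyone entry, and Authenticated
#    Users must not have write rights. Write access here would let one user
#    alter the profile that every other user loads at logon.
$acl = Get-Acl $SharePath
foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($id -eq 'Everyone') { $findings += 'Everyone still has an ACE on the share folder' }
    if ($id -eq 'NT AUTHORITY\Authenticated Users' -and
        ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)) {
        $findings += 'Authenticated Users have write rights on the share folder'
    }
}

# 4. On an RD Session Host: the two GPO settings land under this policy key
#    (value names are assumed; verify against your ADMX if they differ).
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (Test-Path $tsKey) {
    $p = Get-ItemProperty $tsKey
    if ($p.UseMandatoryProfiles -ne 1)   { $findings += 'UseMandatoryProfiles policy not enabled' }
    if ($p.WFProfilePath -match '\.v2$') { $findings += 'WFProfilePath must not end in .v2' }
    if (-not $p.WFProfilePath)           { $findings += 'WFProfilePath (roaming profile path) not set' }
} else {
    $findings += "policy key $tsKey not present (GPO not linked or gpupdate /force not run)"
}

if ($findings.Count -eq 0) { 'Mandatory profile checks passed' } else { $findings }
```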

Using Windows Firewall to block Ports


What is Windows Firewall with Advanced Security in Windows?

Windows Firewall with Advanced Security in Windows® 7, Windows Vista®, Windows Server® 2008 R2, and Windows Server® 2008 is a stateful, host-based firewall that filters incoming and outgoing connections based on its configuration. While typical end-user configuration of Windows Firewall still takes place through the Windows Firewall Control Panel, advanced configuration now takes place in a Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and by using Group Policy. Firewall settings are now integrated with Internet Protocol security (IPsec) settings, allowing for some synergy: Windows Firewall can allow or block traffic based on some IPsec negotiation outcomes.

Windows Firewall with Advanced Security supports separate profiles (sets of firewall and connection security rules) for when computers are members of a domain, or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies. Windows Firewall with Advanced Security supports more detailed rules than previous versions of Windows Firewall, including filtering based on users and groups in Active Directory, source and destination Internet Protocol (IP) addresses, IP port number, ICMP settings, IPsec settings, specific types of interfaces, services, and more.

Windows Firewall with Advanced Security can be part of your defense in depth security policy. Defense in depth is the implementation of a security policy that uses multiple methods to protect computers and all components of the network from malicious attacks.

Protection must extend from the network perimeter to:

  • Internal networks
  • Computers in the internal network
  • Applications running on both servers and clients
  • Data stored on both servers and clients

Windows Firewall with Advanced Security provides a number of ways to implement settings on both local and remote computers. You can configure Windows Firewall with Advanced Security in the following ways:

  • Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the Netsh advfirewall command.
  • Configure Windows Firewall with Advanced Security Group Policy settings by using the Group Policy Management Console (GPMC) or by using the Netsh advfirewall command.

Rules

Firewall rules from different sources are first merged together. Rules can be stored on the local computer, or in a variety of Group Policy objects (GPOs).

Windows Firewall with Advanced Security uses a specific order in which firewall rule evaluation takes place.

This order is as follows:

[Figure: FirewallRules, the firewall rule evaluation order]

Example Firewall Tasks

One task we were asked to do was to block our TEST Terminal Servers from being able to connect to DFS Shares on a DEV DFS Server. Below is a list of points to bear in mind.

  • It is best to control Server Firewall Rules by Group Policy
  • The GPO needs to apply to a Computer OU containing the DEV Server
  • The DEV Server can be put in the scope of the GPO
  • We could have an option to turn the Firewall on and then block servers
  • We could have an option to turn the Firewall off and then allow servers
  • We could use inbound rules blocking the DFS ports: TCP 445 (SMB), TCP 135 (RPC), TCP 139 (NetBIOS Session Service), UDP 137 (NetBIOS Name Resolution) and UDP 138 (NetBIOS Datagram Service)
  • If you set up Inbound Rules, you then need to set the scope which includes setting the Local Server IP Address (The DEV DFS Server) and the Remote Servers IP Addresses (The servers you want to block)

Useful Link for showing what ports applications use

http://technet.microsoft.com/en-us/library/cc875824.aspx

Example 1 (Turn Firewall On and Allow connections but block TEST Servers)

  • Open Group Policy Management
  • Right click on the DEV DFS Server OU and select Create a GPO in this domain, and Link it here
  • Put in a name
  • Right click on new GPO and select Edit
  • Navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile and enable Windows Firewall: Protect all network connections

[Screenshot: firewallblock12]

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
  • Click on Windows Firewall Properties (see circled below)

[Screenshot: firewallblock]

  • Go through Domain Profile, Private Profile and Public Profile and set the following options for each one

[Screenshot: firewallblock2]

[Screenshot: firewallblock3]

[Screenshot: firewallblock4]

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
  • Right click on Inbound Rules > select New Inbound Rule > select Custom

[Screenshot: firewallblock5]

  • Choose All Programs

[Screenshot: firewallblock6]

  • Choose Any for Protocol Type

[Screenshot: firewallblock7]

  • In Scope, leave the Local IP Addresses as Any IP Address, and for the Remote IP Addresses put in the IP addresses of the servers you want to block

[Screenshot: firewallblock8]

  • Choose Block as your Action

[Screenshot: firewallblock9]

  • Apply the rule to all Profiles

[Screenshot: firewallblock10]

  • Put in a Rule Name and Description

[Screenshot: firewallblock11]

  • Click Finish
  • Test accessing a DFS Share from a blocked server. It should be blocked

[Screenshot: firewall20]

The second way of doing this

The second way is the reverse approach: turn the Windows Firewall on through Group Policy, which by default should look like the screenprint below on a DFS Server once the GPO is applied, so that incoming connections are blocked. Then modify the Group Policy so that only certain networks are allowed to use File and Printer Sharing.

[Screenshot: Capture]

  • Next log into Group Policy Management Console
  • Create a new GPO and attach it to your DFS Servers
  • Put the DFS Servers in the scope of the GPO
  • Now adjust the following settings
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections (Enable)
  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound file and printer sharing (You will need to enable this and then put in the network which is allowed to access this)

[Screenshot: fileandprint]

  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound Remote Desktop Connections
  • Then test this from a network you want to block from your DFS Servers
  • Voila 🙂
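Both methods above (Example 1's explicit block rule for the TEST servers, and this second, default-block-with-scoped-allow approach) can be expressed with the netsh advfirewall command the post mentions, which is handy for testing on one DFS server before committing the settings to a GPO. The script below is an added example, not the post's own; the addresses (10.10.1.5 for the DEV DFS server, 10.10.9.21/22 for the TEST terminal servers, 10.10.1.0/24 as the trusted subnet) are constructed and the rule names are mine.

```powershell
# Added example (not from the original post). Constructed addresses: adjust
# before use. To write into a GPO rather than the local store, first run
#   netsh advfirewall set store gpo=DOMAIN\GPOName
$DevDfsIp      = '10.10.1.5'             # local address of the DEV DFS server
$TestTsIps     = '10.10.9.21,10.10.9.22' # TEST terminal servers (comma list for netsh)
$TrustedSubnet = '10.10.1.0/24'          # only network allowed to reach file sharing
$DfsPorts      = 'TCP:445', 'TCP:135', 'TCP:139', 'UDP:137', 'UDP:138'

# Method 1: firewall on, leave the inbound default as configured, and add an
# explicit block for the TEST servers on the DFS ports. Block rules are
# evaluated before allow rules, so these win over the built-in File and
# Printer Sharing allow rules for everyone else.
function Block-TestServersFromDfs {
    netsh advfirewall set allprofiles state on
    foreach ($entry in $DfsPorts) {
        $proto, $port = $entry -split ':'
        $ruleArgs = 'advfirewall', 'firewall', 'add', 'rule',
                    "name=Block TEST TS to DFS $proto $port",
                    'dir=in', 'action=block', "protocol=$proto", "localport=$port",
                    "localip=$DevDfsIp", "remoteip=$TestTsIps", 'profile=any',
                    'description=DFS traffic from TEST terminal servers is blocked'
        & netsh $ruleArgs
    }
}

# Method 2: inbound default of block on every profile, then re-scope the
# built-in File and Printer Sharing group so only the trusted subnet matches.
# Anything else falls through to the block default.
function Enable-DfsAllowListOnly {
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes "remoteip=$TrustedSubnet"
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
}

# Check for method 1: returns the names of block rules that did not land as
# enabled Block rules (empty output means all five are in place).
function Test-DfsBlockRules {
    $missing = @()
    foreach ($entry in $DfsPorts) {
        $proto, $port = $entry -split ':'
        $name = "Block TEST TS to DFS $proto $port"
        $out = netsh advfirewall firewall show rule "name=$name"
        if (-not (($out -match 'Action:\s+Block') -and ($out -match 'Enabled:\s+Yes'))) {
            $missing += $name
        }
    }
    $missing
}
```

After either method, test from a TEST server that \\devdfs\share no longer opens while a host on the trusted subnet still connects; Test-DfsBlockRules covers only the rule set from method 1.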