The Remote Desktop Gateway mysterious case of Error 0

Let's face it, most Active Directory domains were created a long, long time ago. And while most of them have since been migrated to newer versions, their Group Policies were sometimes left exactly as they were. These Group Policy objects are what I like to call "Lingering GPO Settings" 🙂

This case was both simple and complicated. A client had a brand new installation of Windows Server 2012 R2 Remote Desktop Services with various clients connecting to it. Some of those clients were unable to connect to the gateway for no obvious reason. The only trace was a couple of warnings in the Microsoft-Windows-TerminalServices-RDPClient/Operational log:

  • RDPClient_Gateway: An error was encountered when transitioning from AAStateCreatingOutChannel to AAStateError in response to 3 (error code 0x800703E5).
  • RDPClient_Gateway: An error was encountered when transitioning from AAStateInitializingTunnel to AAStateError in response to 6 (error code 0x800703E5).

The problem lay in a Group Policy setting that had been configured quite some time ago. The policy forced the client to use "Send LM & NTLM responses" under Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> Network Security: LAN Manager authentication level (this is level 0 of the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Changing it to "Send NTLMv2 response only" (level 3) immediately let those clients connect. The error code itself is no help at all: 0x800703E5 wraps Win32 error 997 (ERROR_IO_PENDING), which says nothing about authentication.

So while an error may look Remote Desktop related, make sure you check all of the underlying technology to ensure security protocol compliance and proper operation. In this case the fix is also the right security outcome: LM and NTLMv1 responses are weak enough to be cracked offline from a captured exchange and should be refused everywhere, so for a domain with no legacy dependencies the target is level 5, "Send NTLMv2 response only. Refuse LM & NTLM", not merely level 3.
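Finding the lingering setting is the hard part, so here is an added example (my code, not from the original post) that reads the effective LAN Manager authentication level on the machine it runs on, decodes it into the GPO wording, and, when the GroupPolicy RSAT module is available, searches every GPO's XML report for the object that sets it. The regular expression over the report is an assumption about the report layout (the security option appears with its registry key name followed by a SettingNumber element); the level names and the OS default of 3 are the documented values.

```powershell
# Added example, not code from the original post. Reads the effective LAN
# Manager authentication level, decodes it to the GPO wording and looks for
# the GPO that defines it. Requires the GroupPolicy RSAT module for the search.

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: no policy applies and the OS default (3 since Vista/2008) is in effect.
        $level = 3; $source = 'OS default (value not set)'
    } else {
        $level = [int]$item.LmCompatibilityLevel; $source = 'registry / policy'
    }
    [pscustomobject]@{
        Level       = $level
        Name        = $LmLevelNames[$level]
        Source      = $source
        SendsLegacy = ($level -lt 3)   # levels 0-2 still emit LM and/or NTLMv1 responses
    }
}

function Find-LmLevelGpo {
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Assumed report layout: the key name is followed by the configured number.
        if ($report -match 'Lsa\\LmCompatibilityLevel[\s\S]*?<(?:\w+:)?SettingNumber>(\d+)</') {
            $n = [int]$Matches[1]
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Level = $n; Name = $LmLevelNames[$n] }
        }
    }
}

$state = Get-LmCompatibilityLevel
$state | Format-List
if ($state.SendsLegacy) {
    Write-Warning "Level $($state.Level) still sends LM/NTLMv1 responses; these GPOs define the setting:"
    Find-LmLevelGpo | Format-Table -AutoSize
}
```

Run it on one of the failing clients first; if the registry value is present but no GPO report matches, the value was set locally or by a script, which is exactly the kind of lingering configuration that is hardest to spot.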

Merging VHD

Last night I had to troubleshoot a low free space alert on a cluster. While everything looked normal and there were no checkpoints or backups of virtual machines on the Cluster Shared Volume, a problem with the backup software had flown under the radar and created a massive problem! One VM had been backed up normally and no checkpoints existed, but its VHD files were differencing disks: the backup takes a checkpoint for every run, and when the merge afterwards fails the .avhdx chain stays behind even though Hyper-V Manager shows nothing. A situation most IT Pros out there are familiar with.

So how do you rectify this? This VM had grown to a TB of data and, while no checkpoints existed, it had over 300 differencing VHD files. Restoring such a VM would take hours, so that's not a great option. I started by copying the XML configuration files of the virtual machine and importing the VM again with no VHD drives attached. So far so good: we have a working VM with the same GUID and the same network adapters, but no drives.

PowerShell to the rescue!

PowerShell is capable of amazing things, so I wrote this little script that gets each drive and merges all of its VHD files into the parent so that you can attach it to the virtual machine again. Enjoy!
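The following is an added example of the same procedure and is not the script from the original post. It finds the leaf of each differencing chain in a disk folder, walks the chain back to the base, refuses to continue if a parent is missing or the base is still attached, checks that the volume has room for the merge, folds the whole chain into the base with Merge-VHD and reattaches the result to the re-imported VM. The VM name 'FS01' and folder 'D:\VMs\FS01\Virtual Hard Disks' are assumed names.

```powershell
# Added example, not the script from the original post. Run on the Hyper-V
# host with the VM powered off and the chain not attached to any VM
# (Merge-VHD is an offline operation). Names below are assumptions.

function Find-VhdLeaf {
    # Leaves are disk files that no other file in the folder names as its parent;
    # expect one per original drive of the VM.
    param([Parameter(Mandatory)][string]$Folder)
    $disks   = Get-ChildItem -Path "$Folder\*" -Include *.vhd, *.vhdx, *.avhd, *.avhdx -File |
               ForEach-Object { Get-VHD -Path $_.FullName }
    $parents = $disks | Where-Object ParentPath | ForEach-Object { $_.ParentPath.ToLowerInvariant() }
    $disks | Where-Object { $parents -notcontains $_.Path.ToLowerInvariant() } |
             Select-Object -ExpandProperty Path
}

function Get-VhdChain {
    # Returns the chain leaf-first, base (Fixed or Dynamic) last.
    param([Parameter(Mandatory)][string]$LeafPath)
    $chain = @(); $current = Get-VHD -Path $LeafPath
    while ($true) {
        $chain += $current
        if ($current.VhdType -ne 'Differencing') { return $chain }
        if (-not $current.ParentPath -or -not (Test-Path $current.ParentPath)) {
            throw "Broken chain: parent of '$($current.Path)' is missing: '$($current.ParentPath)'"
        }
        $current = Get-VHD -Path $current.ParentPath
    }
}

function Merge-VhdChain {
    param(
        [Parameter(Mandatory)][string]$LeafPath,
        [Parameter(Mandatory)][string]$VMName,
        [ValidateSet('IDE', 'SCSI')][string]$ControllerType = 'SCSI'
    )
    if ((Get-VM -Name $VMName).State -ne 'Off') { throw "VM '$VMName' must be off before merging" }
    $chain = Get-VhdChain -LeafPath $LeafPath
    $base  = $chain[-1]
    if ($base.Attached) { throw "Base disk '$($base.Path)' is still attached to a VM" }
    if ($chain.Count -lt 2) {
        Write-Warning "'$LeafPath' is not a differencing disk; attaching it as is"
        Add-VMHardDiskDrive -VMName $VMName -ControllerType $ControllerType -Path $base.Path
        return
    }
    $children = $chain[0..($chain.Count - 2)]
    # The base can grow by at most the sum of the children; make sure the volume has room.
    $growth = ($children | Measure-Object -Property FileSize -Sum).Sum
    $free   = (Get-Volume -FilePath $base.Path).SizeRemaining
    if ($free -lt $growth) {
        throw ("Need {0:N0} MB free on the base volume, have {1:N0} MB" -f ($growth / 1MB), ($free / 1MB))
    }
    Write-Host ("Merging {0} differencing disks into {1}" -f $children.Count, $base.Path)
    # Merging the leaf straight into the base folds every intermediate disk in one pass.
    Merge-VHD -Path $LeafPath -DestinationPath $base.Path -Force
    Add-VMHardDiskDrive -VMName $VMName -ControllerType $ControllerType -Path $base.Path
    # Any child files still on disk are orphans now; delete them once the VM boots cleanly.
    $children | Where-Object { Test-Path $_.Path } | Select-Object -ExpandProperty Path
}

# Usage: one call per drive of the re-imported (driveless) VM
foreach ($leaf in Find-VhdLeaf -Folder 'D:\VMs\FS01\Virtual Hard Disks') {
    Merge-VhdChain -LeafPath $leaf -VMName 'FS01'
}
```

Merging into the base is irreversible, so the free-space and attachment checks matter more than they look: a merge that runs out of space on a 300-disk chain leaves you with a half-merged base and no checkpoint to fall back to.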

 

The Cloud Society is here!


The cloud is here and it will definitely be around for the next century! A new kind of IT Pro skill set is needed to manage resources successfully in this environment. Luckily, Microsoft tries its best to provide FREE training! Recently Microsoft launched a new site to help you get trained, called the Cloud Society Program, and you should enroll right now! Here is the official Microsoft statement on what it is about:

 

What is Microsoft Cloud Society Program all about?

Microsoft has introduced the Microsoft Cloud Society Program to identify and engage with passionate and influential cloud computing focused experts from the industry.

Microsoft Cloud Society is a program designed to support you in becoming a world-class expert in the space of cloud computing. It deepens your Microsoft Azure knowledge and builds the next generation of systems and solutions in the Cloud.

Microsoft Cloud Society is designed for experts who are on the ‘bleeding edge’ of technology know-how, and have an unstoppable urge to get their hands on future-oriented technologies.

Microsoft Cloud Society is your one-stop platform for all you need to become a Microsoft Azure Expert: free online trainings, certification learning paths, resources, events roadshow and more.

New Windows Insider build for Server 2016

Microsoft's promise about the upgrade cycle is becoming reality. In a very detailed blog post Dona Sarkar announces the new Server build, which you can download as a member of the Windows Insider Program or of Windows Insider for Business. Some of the new capabilities as listed in the article:

 

General Scenario Highlights

Developers and Containers:

  • New base container images (available on Windows Insider Docker Hub repo)
    • Optimized Nano Server base image (over 70% smaller)
      • The .NET team is providing a preview image based on Nano Server with .NET Core 2.0
      • The PowerShell team is providing a preview image based on PowerShell 6.0
    • Optimized Server Core base image (over 20% smaller)
  • Support for SMB volume mounting
  • Infrastructure for Orchestrators
    • Networking enhancements for ongoing Kubernetes work
    • Named pipe mapping support
  • Bug fixes, performance enhancements

Cloud Guest:

  • IIS
    • TLS info: administrators can make specific recommendations to default to HTTPS
  • Disaster Recovery
    • Storage Replica Test Failover
  • Guest + Host better together
    • vPMEM in Guest: Tenants can use and manage PMEM/SCM
    • Tenant-Aware VM Start Ordering: App Ready / OS Heartbeat for better load balancing
    • Guest RDMA
  • Improvement in time accuracy
  • Azure enlightened clusters – optimized to run on Azure IaaS

Cloud Host:

  • Software Defined Data Center (SDDC) host
    • Security
      • Shielded Linux VM
      • SDN: Encrypted virtual networks
      • Secure clusters
      • SMB 1 disabled by default
    • Resiliency and Availability
      • SDN: Reduced downtime for tenant connections through gateways
      • Spaces Direct: Scoped Spaces to mitigate impact of multi-node loss
      • Spaces Direct: Marginal drive handling for predictive detection of drive failures
    • Efficiency
      • Data Deduplication available for ReFS
      • New Data Deduplication DataPort API for optimized ingress/egress
      • Space efficiency with ReFS Compaction
      • Performant Spaces Direct Multi Resilient Volumes (MRV)
    • Hyper-converged Scale
      • Cluster Sets: Significantly increases hyper-converged SDDC cloud scale by grouping multiple clusters into a larger fabric
    • Hardware support
      • Support for Storage Class Memory (SCM) in Spaces Direct

RDS Modern Infrastructure

At the Inspire conference Microsoft made the first announcements about the RDS Modern Infrastructure. This is the biggest change to Remote Desktop in recent years, built on Azure App Services, together with new features such as the RD HTML5 client! You can also register to try the new features in preview when they become available!


Enterprise Security and Mobility videos

Check out some of the Enterprise Mobility + Security Suite functionality in the following videos!

Enterprise Mobility + Security Full Training Video

Access all of your apps: Enterprise Mobility + Security

User self-services: Enterprise Mobility + Security

Information Protection: Enterprise Mobility + Security

Conditional Access: Enterprise Mobility + Security

Microsoft Intelligent Security Graph: Enterprise Mobility + Security

Managed Mobile Productivity

Identity Driven Security

Comprehensive security solution: Enterprise Mobility + Security

Multi-factor authentication: Enterprise Mobility + Security

Identify and control cloud apps: Enterprise Mobility + Security

 

Wiki Ninja contest 2017!

Last December I wrote an article on installing Windows Server 201x using an unattend.xml file, a sysprepped VM and some PowerShell code. The story is about an IT guy who needs to get things up and running blazingly fast when deploying. He also has to make sure that the whole setup is consistent no matter how many times the VMs are deployed, plus the fact that you simply can't open a Hyper-V Manager console on Server Core.

So if you need to spin up a VM and have it deployed with a specified password and IP address and all of the configuration needed for remoting, you need a way to provide all of this during the installation and then simply start the VM. Sounds great, but wait a minute.

How do you configure all of these settings without console access? How do you do it if all you have is a Windows Server 2016 Core box and nothing else? Or if you do not want to use a whole bunch of consoles and mouse clicks?

The solution is easy: use unattend.xml files with a sysprepped VM. In the article I posted on the TechNet Wiki you will find a sample unattend.xml which you can customize, along with sample PowerShell code. The script creates a new VM, copies the sysprepped file into it, creates a new VHD holding the unattend.xml file and spins up the VM. In a few minutes... voilà! The VM is ready to accept PowerShell remoting connections, where you can continue with the workload setup. One caveat: the administrator password in an answer file is at best base64-encoded, never encrypted, so treat the unattend.xml as a secret, keep it off shared locations, and rotate the password once the VM is reachable.
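As an added example of the same workflow (my code, not the TechNet Wiki script the post points to), the block below builds an unattend.xml with computer name, static IPv4 settings and the local Administrator password, injects it into a copy of a sysprepped VHDX under \Windows\Panther\Unattend, one of the locations Windows Setup searches for an answer file, and starts the VM. This differs from the post, which keeps the answer file on a second VHD. Assumed: a Generation 2 template at C:\Templates\ws2016-sysprepped.vhdx, a VM switch named 'External', an interface named 'Ethernet' inside the guest, and the address values in the usage lines.

```powershell
# Added example, not the TechNet Wiki script from the post. Builds an answer
# file, injects it into a copy of a sysprepped VHDX and starts the VM.

function ConvertTo-UnattendPassword {
    # With <PlainText>false</PlainText> Setup expects base64(UTF-16LE(password + field name)).
    # This is encoding, not encryption: the answer file must be protected like a password.
    param([Parameter(Mandatory)][string]$Password, [string]$Field = 'AdministratorPassword')
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Password + $Field))
}

function New-UnattendXml {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$IPv4Cidr,    # e.g. 10.0.0.21/24 (assumed lab range)
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string]$DnsServer
    )
    $enc  = ConvertTo-UnattendPassword -Password $Password
    $attr = 'processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"'
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" $attr>
      <ComputerName>$ComputerName</ComputerName>
    </component>
    <component name="Microsoft-Windows-TCPIP" $attr>
      <Interfaces><Interface wcm:action="add">
        <Identifier>Ethernet</Identifier>
        <Ipv4Settings><DhcpEnabled>false</DhcpEnabled></Ipv4Settings>
        <UnicastIpAddresses><IpAddress wcm:action="add" wcm:keyValue="1">$IPv4Cidr</IpAddress></UnicastIpAddresses>
        <Routes><Route wcm:action="add"><Identifier>0</Identifier><Prefix>0.0.0.0/0</Prefix><NextHopAddress>$Gateway</NextHopAddress></Route></Routes>
      </Interface></Interfaces>
    </component>
    <component name="Microsoft-Windows-DNS-Client" $attr>
      <Interfaces><Interface wcm:action="add">
        <Identifier>Ethernet</Identifier>
        <DNSServerSearchOrder><IpAddress wcm:action="add" wcm:keyValue="1">$DnsServer</IpAddress></DNSServerSearchOrder>
      </Interface></Interfaces>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" $attr>
      <UserAccounts><AdministratorPassword><Value>$enc</Value><PlainText>false</PlainText></AdministratorPassword></UserAccounts>
      <OOBE><HideEULAPage>true</HideEULAPage><SkipMachineOOBE>true</SkipMachineOOBE><SkipUserOOBE>true</SkipUserOOBE></OOBE>
    </component>
  </settings>
</unattend>
"@
}

function New-LabVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$VmRoot,
        [Parameter(Mandatory)][string]$Switch,
        [Parameter(Mandatory)][string]$UnattendXml,
        [int]$Generation = 2
    )
    $vhd = Join-Path $VmRoot "$Name.vhdx"
    Copy-Item -Path $Template -Destination $vhd
    try {
        $disk = Mount-VHD -Path $vhd -Passthru | Get-Disk
        $win  = $disk | Get-Partition | Get-Volume |
                Where-Object { $_.DriveLetter -and (Test-Path "$($_.DriveLetter):\Windows") } |
                Select-Object -First 1
        if (-not $win) { throw "No Windows volume found in $Template" }
        $dir = "$($win.DriveLetter):\Windows\Panther\Unattend"
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        # UTF-8 without BOM, matching the XML declaration
        [IO.File]::WriteAllText((Join-Path $dir 'Unattend.xml'), $UnattendXml, [Text.UTF8Encoding]::new($false))
    } finally {
        Dismount-VHD -Path $vhd
    }
    New-VM -Name $Name -Generation $Generation -MemoryStartupBytes 2GB -VHDPath $vhd -SwitchName $Switch -Path $VmRoot | Out-Null
    Start-VM -Name $Name
}

# Usage (assumed values). After first boot: Enter-PSSession -ComputerName 10.0.0.21 -Credential (Get-Credential LAB01\Administrator)
$xml = New-UnattendXml -ComputerName 'LAB01' -Password 'Lab-0nly-Pa55' -IPv4Cidr '10.0.0.21/24' -Gateway '10.0.0.1' -DnsServer '10.0.0.10'
New-LabVM -Name 'LAB01' -Template 'C:\Templates\ws2016-sysprepped.vhdx' -VmRoot 'D:\VMs' -Switch 'External' -UnattendXml $xml
```

Windows Server 2012 and later enable WinRM out of the box, so once the specialize pass has applied the static address the VM answers to PowerShell remoting; for a workgroup VM the management host needs the VM's address in its TrustedHosts list (or HTTPS remoting) before Enter-PSSession will connect.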

Nano Server DNS

Nano Server is Microsoft's new implementation of Windows Server for cloud-born datacenters. Nano has a very small footprint, which allows for better security and easier management. One of the roles supported on Nano Server is the DNS Server role, and it makes perfect sense to have a Nano DNS server hosting your public DNS records: it is super lightweight and has a minimal attack surface. Here comes the tough part: you have to configure Nano with PowerShell. To add some extra difficulty, your primary DNS server should sit in a DMZ with the smallest possible attack surface, so the only thing allowed in would be remote management. Since I have a lot of labs going on, and building up and tearing down is trivial, here are the PowerShell commands to configure your Nano DNS server. This specific code is from an O365 lab where numerous resource records have to be created for the O365 suite to work, so you get a great example of configuring most of the record types required on a DNS server. It is built for a new DNS zone, but you can easily customize it and simply add records to your existing zone. Here it is:
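The block below is an added example of that configuration and is not the lab script from the post. It creates a file-backed primary zone on a remote DNS server over a CIM session (Nano has no console, so every DnsServer cmdlet is driven remotely), adds the A, CNAME, MX, TXT and SRV records a typical Office 365 tenant needs, and then locks the server down to an authoritative-only role, which is the part a DMZ placement really calls for. The server name NANODNS01, the zone contoso.example, the IP address and the record targets are placeholders; take the real targets from your tenant's DNS settings page.

```powershell
# Added example, not the lab script from the original post. All names, the
# address 203.0.113.10 and the record targets are placeholders.

$Server = 'NANODNS01'
$Zone   = 'contoso.example'
$Cred   = Get-Credential "$Server\Administrator"   # local admin on the Nano box
# A workgroup DMZ host must be in the management host's TrustedHosts
# (or use WinRM over HTTPS) before this session will open.
$cim    = New-CimSession -ComputerName $Server -Credential $Cred

# 1. File-backed primary zone (no AD in the DMZ), dynamic updates off
Add-DnsServerPrimaryZone -CimSession $cim -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None

# 2. The records Office 365 expects (targets are examples; use the tenant's own)
Add-DnsServerResourceRecordA     -CimSession $cim -ZoneName $Zone -Name '@' -IPv4Address 203.0.113.10 -TimeToLive 01:00:00
Add-DnsServerResourceRecordCName -CimSession $cim -ZoneName $Zone -Name 'autodiscover' -HostNameAlias 'autodiscover.outlook.com.'
Add-DnsServerResourceRecordMX    -CimSession $cim -ZoneName $Zone -Name '@' -MailExchange 'contoso-example.mail.protection.outlook.com.' -Preference 0
Add-DnsServerResourceRecord -CimSession $cim -ZoneName $Zone -Name '@' -Txt -DescriptiveText 'v=spf1 include:spf.protection.outlook.com -all'
Add-DnsServerResourceRecord -CimSession $cim -ZoneName $Zone -Name '_sip._tls' -Srv -DomainName 'sipdir.online.lync.com.' -Priority 100 -Weight 1 -Port 443
Add-DnsServerResourceRecord -CimSession $cim -ZoneName $Zone -Name '_sipfederationtls._tcp' -Srv -DomainName 'sipfed.online.lync.com.' -Priority 100 -Weight 1 -Port 5061

# 3. Hardening for an Internet-facing authoritative server
Set-DnsServerRecursion -CimSession $cim -Enable $false                          # never act as an open resolver
Set-DnsServerPrimaryZone -CimSession $cim -Name $Zone -SecureSecondaries NoTransfer  # or TransferToSecureServers with -SecondaryServers
Set-DnsServerResponseRateLimiting -CimSession $cim -Mode Enable                 # Server 2016+: blunts amplification abuse

# 4. Verify from the management host
Get-DnsServerResourceRecord -CimSession $cim -ZoneName $Zone |
    Format-Table HostName, RecordType, TimeToLive, RecordData -AutoSize
Resolve-DnsName -Server $Server -Name "_sip._tls.$Zone" -Type SRV
```

Disabling recursion is the single most important line: an authoritative server in a DMZ that still recurses is an open resolver and will be used for reflection attacks within days of going live.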

 

EMS Subscription on MSDN

Finally! A 12-month Enterprise Mobility + Security subscription is available on MSDN Subscriptions.

 

Together with Azure credit you can now test all of the features available on the cloud platform. I have three MSDN subscriptions: one as a Certified Trainer, one as a Microsoft Partner (from the company I work for) and one as an Enterprise Mobility MVP. The EMS offering is available on the MPN and NFR subscriptions but not on the MCT one. In any case, super exciting news!

 

New free ebook: Windows Server 2016 Ultimate Guide

A new free book is available for Windows Server 2016! You can download it from this link.

Drive innovation while reducing security risks and efficiency disruptions

With Windows Server 2016, organizations of all sizes can take advantage of the innovation powering the world’s largest cloud datacenter – Microsoft Azure – and bring new layers of security, datacenter efficiency and agility in application development to drive your organization forward.

Learn about the latest technology in Windows Server 2016 and what it means for your organization.

  • Better protect credentials, the operating system and VMs through just-in-time administration and shielded VMs.
  • Improve datacenter efficiency with enterprise-class virtualization and software-defined storage and networking.
  • Deliver application innovation through improved security, new modernization capabilities and cloud-native app development.

The Ultimate Guide to Windows Server includes an 18 page overview and 180 page deep-dive.

SDDC 2016 availability

With the start of Ignite, and exactly as Microsoft promised, the RTM builds of Windows Server 2016 / System Center 2016 are now available for evaluation and labs!

In a few days the regular ISOs will also be available on MSDN, and according to the executives they will be purchasable from early October!


AFF Performance Review

After the physical installation of the All Flash FAS was finished, it was time to move on to some typical tests. First, a few words about the setup.

The server we will run the test on has 2 Xeon E5 2650 CPUs and 512 GB of RAM. It also has 4 10GBit SFP+ NICs, of which we will use 2 for the iSCSI traffic. The storage has 24 800GB SSDs in RAID-DP (dual parity) with one spare, so we have 21 disks available; we expect roughly 60K random IOPS 🙂

Before running the tests we wanted to make sure there would be no NIC or CPU bottleneck, so we switched RSS to NUMA scaling mode so that, with 2 NUMA nodes, we would have at least 2 CPUs for network traffic. If the traffic could exceed what 2 CPUs can handle, Windows Server 2012 R2 would take care of assigning more so that it could serve the load. In none of the tests did this turn out to be necessary, as 2 CPUs were more than enough for 10GBit. We also enabled all of the offloads on the NIC to keep CPU usage as low as possible.

For the tests we created a 2.8TB LUN which we presented to one of the cluster nodes, without adding it to the CSV.

[Screenshot: RSS set to NUMA scaling mode on the NICs]

The very next step was to fill the 10G link using DISKSPD. To achieve that, and to verify that we really had maximum use of the bandwidth, we ran the command:

Diskspd.exe -b64K -d60 -h -L -o4 -t4 -r -w30 -c50M d:\io.dat

so that with 64K blocks, 4 outstanding I/Os per thread and 4 threads we could see the max IOPS the transport can deliver. The results were as follows:

[Screenshots: the diskspd run at 64K saturating the NIC, and its results]

15K random IOPS at 64K size with 1ms latency, using the network at 8.4 GBit per second. Not bad at all 🙂 If we also had Jumbo Frames enabled, those numbers would certainly be better by 7-9%.


New training course for EMS

The Enterprise Mobility Suite is certainly one of the hottest technologies in the IT world today, and experts in it are "wanted" by the big companies in the field. The Microsoft Virtual Academy has a new course on EMS that will help you fully understand how it works, Azure AD, Intune and RMS, all with detailed references!

You can watch the training and do the labs at this link:

Deploying Microsoft Enterprise Mobility Suite

New labs for the Enterprise Mobility Suite!

 

Mobile Device Management is perhaps one of the hottest technologies in today's Mobile First IT world. TechNet Virtual Labs recently added important labs that will help you get to know the capabilities of Microsoft's EMS Suite and Intune better.

The labs are the following:

1. Acquire Trial Accounts for Intune Enterprise Mobility Suite (EMS) Lab Series

What you’ll learn in this lab
This lab is the first in a series of 7 labs that explore the Enterprise Mobility Suite and the mobile device management (MDM) and mobile application management (MAM) capabilities of Microsoft Intune. In this lab, you will acquire and configure the pre-requisite accounts to enable you to perform subsequent labs in this series. In this lab, you create a dedicated Microsoft Account to create Azure, Enterprise Mobility (EMS), and Office 365 E3 trial accounts. You will sign up for free EMS trial account, acquire an Azure subscription using either a free trial account or an Azure pass promotional code, sign up for a free Office 365 E3 trial account, add lab user accounts to Azure Active Directory (AAD), and assign AAD premium, EMS, and E3 licenses to the lab user accounts. After you complete this lab, you will be able to proceed to the next lab in the series, Lab 2: Microsoft Intune – Configure Conditional Access to Exchange Online.

2. Configure Conditional Access to Exchange Online

What you’ll learn in this lab
This is the 2nd lab in a series of 7 labs that explore the Enterprise Mobility Suite and the mobile device management (MDM) and mobile application management (MAM) capabilities of Microsoft Intune. In this lab, you will learn how to configure Microsoft Intune to manage mobile devices, including Android, iOS and Mac OS X, and Windows Phone 8.0+ devices, and to configure conditional access to Exchange Online to block mobile devices from gaining access to email until the devices are enrolled and compliant with corporate policy. After you complete this lab, you may proceed to either Lab 3, Lab 4, or Lab 6. IMPORTANT: To complete this lab, you must have completed the first lab in the series: Lab 1: Acquire Trial Accounts for EMS Lab Series. Visit aka.ms/VLabsEMS for the complete lab series.
