Markus Lassfolk – Page 7

Azure Pack: SMA Script to set a Static MAC Address for New Virtual NICs

When a user is using AzurePack to add additional Virtual Network Adapters to a Virtual Machine, they end up with a Dynamic MAC Address. This is regardless of what the settings are in the VM Template that were used to create the VM. The NIC(s) created at deployment of the VM, will honor the setting in the Template. It’s just when additional NICs are added this happens.

We have had some issues with VM’s using Dynamic MAC Addresses, where they got a new MAC Address after migrating to another host, resulting in Linux machines being unhappy and som other servers getting new DHCP Addresses.

I figured that this could be an excellent task to get more familiar with SMA and use that cool feature of Azure Pack. So I made a script which will execute when a new Network Adapter is added to a VM through AzurePack, and will set the MAC Address to a Static entry and let SCVMM pick one from the pool.

# SMA Runbook script to change VM NIC to Static MAC Address. 

workflow New-NetworkAdapter
{

# Import information in Parameters passed to script.  
param([object]$params) 


# Connection Credentials. Need to exist in SMA Assets as VMMConnection. 
$con = Get-AutomationConnection -Name 'VmmConnection'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force
$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on SCVMM Server. Connect with VMMConnection Credentials 
InlineScript {

    $con=$USING:Con
    $ruSMAcreds=$USING:ruSMAcreds
    $params=$USING:params
    
Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($params.VMId),$con -ScriptBlock {

 param(
    $VMID,
    $con
    )

# Check if VM is already running, then first try a Shutdown, and else do a power off. 
# The user could have been quick and started the VM before the SMA Job starts. 
$restart = $false
if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {
    $restart = $true
    Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -Shutdown 
    }
if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {
    $restart = $true
    Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -force
    }

# Change to a Static MAC Address for all NICs on that VM. 
Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Get-SCVirtualNetworkAdapter | where {$_.MACAddressType -EQ "Dynamic"} | Set-SCVirtualNetworkAdapter -MACAddressType "Static" 

# Start VM if it was previously running. 
if ($restart -eq "$true") {Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Start-SCVirtualMachine } 

  }
 }
}

# SMA Runbook script to change VM NIC to Static MAC Address.

workflow New-NetworkAdapter

{

# Import information in Parameters passed to script.

param([object]$params)

# Connection Credentials. Need to exist in SMA Assets as VMMConnection.

$con = Get-AutomationConnection -Name 'VmmConnection'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force

$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on SCVMM Server. Connect with VMMConnection Credentials

InlineScript {

$con=$USING:Con

$ruSMAcreds=$USING:ruSMAcreds

$params=$USING:params

Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($params.VMId),$con -ScriptBlock {

param(

$VMID,

$con

)

# Check if VM is already running, then first try a Shutdown, and else do a power off.

# The user could have been quick and started the VM before the SMA Job starts.

$restart = $false

if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {

$restart = $true

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -Shutdown

}

if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {

$restart = $true

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -force

}

# Change to a Static MAC Address for all NICs on that VM.

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Get-SCVirtualNetworkAdapter | where {$_.MACAddressType -EQ "Dynamic"} | Set-SCVirtualNetworkAdapter -MACAddressType "Static"

# Start VM if it was previously running.

if ($restart -eq "$true") {Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Start-SCVirtualMachine }

}

You will need to create a new Runbook called New-NetworkAdapter with tag SPF, and paste the above code into that runbook.

And also add a SMA Connection Asset, with credentials for connecting to SCVMM.
Name the connection VmmConnection. The script will look for a connection object called VmmConnection, use that Username + Password to connect to the SCVMM Server specified in the same connection object.

And finally, create an Automated Task of this information.

Please let me know if you find this useful, if you have any issues or suggestions on how to improve my script.

List all VM’s with a Dynamic MAC Address

Short, simple script to list all VM’s which has NIC’s with a Dynamic MAC Address set.

# Get all VM's from Localhost (change to SCVMM Server if running remote) 
$AllVMS = Get-SCVirtualMachine -VMMServer localhost
$DynamicVMs = @()

# For each VM, check Virtual Network Adapters if Mac = Dynamic. 
foreach ($vm in $AllVMS ) {
   $vmnics = $vm | Get-SCVirtualNetworkAdapter
     if ($vmnics.MACAddressType -eq "Dynamic") {     
     $DynamicVMs += $vm.Name
     }
   }

# List all VM's with a Dynamic Mac address. 
$DynamicVMs | Sort-Object
Write-Output "--------"
$DynamicVMs.Count

# Get all VM's from Localhost (change to SCVMM Server if running remote)

$AllVMS = Get-SCVirtualMachine -VMMServer localhost

$DynamicVMs = @()

# For each VM, check Virtual Network Adapters if Mac = Dynamic.

foreach ($vm in $AllVMS ) {

$vmnics = $vm | Get-SCVirtualNetworkAdapter

if ($vmnics.MACAddressType -eq "Dynamic") {

$DynamicVMs += $vm.Name

}

# List all VM's with a Dynamic Mac address.

$DynamicVMs | Sort-Object

Write-Output "--------"

$DynamicVMs.Count

It will give a list of all VM’s and the number of VM’s in that list.
Small, simple and efficient.

Controlling my intrusion detection system (alarm) via Powershell!

I’ve recently invested in a alarm for my house, after quite a lot of research i finally went for Siemens SPC 5320 for all the cool features, it feels like one of the most modern alarms out there. As it can be controlled from the web, smartphone applications for iphone and android, usb, ethernet (ip) etc etc.

It’s more of a high-risk enterprise alarm, than a residence alarm as it got Grade 3 (and can have up to Grade 5) classification, making it usable for Banks and other high-risk objects, or to protect my geek lair (man-cave), son’s hideout, my wife’s gym, bedroom, the kitchen and other areas, also known as our home.

Another reason I bought that specific alarm is that a Swedish company called Lundix has recently released a Gateway that can talk with the Alarm and connect it to other systems. Or just execute things when specific triggers happen in the alarm. Like send a mail (to specific persons) when the Alarm goes off, or maybe notice the parents when a specific person arms or unarms the alarm, ie leaves and gets home from school.
It’s even possible to get noticed if that’s done outside the normal hours. For example if personnel in the store is late unarming the alarm, or arms it too early…

Summary: The SPC Web Gateway is providing a generic open web interface to Siemens SPC panels. The interface will simplify SPC integration with third party applications and products such as Home and Building Automation Systems, Smartphone Apps and Web applications. The Web API is using HTTP and REST principles (RESTful) for requests to SPC panel and WebSocket to reporting events from the SPC panel

And as the Gateway talks REST and WebSocket, it makes it possible to use Powershell! Looks how easy, cool, and smoth it is;

Next step is to add it to the new-user-creation workflow. So when a new user is created in AD, it will also create a user in the Alarm, generate a random PIN code and include that information in the Welcome Mail and SMS sent to new users.

Or possibly initiate a company wide erase of confidential data, in case of a Alarm. Anyone who can see that going wrong and causing problems? Especially as I saw some figures stating that more than 90% of all Alarms are false due to user error or indicator faults.

Well, I’ve just started playing around with it and if there is interest I’ll keep you posted on my progress and different automation scenarios i setup.

Recommended hotfixes for Windows Server

A great article listing all known issues and available hotfixes for Windows Server 2012 R2 Hyper-V Network Virtualization;

KB:2974503 – Recommended hotfixes, updates and known solutions for Windows Server 2012 and Windows Server 2012 R2 Hyper-V Network Virtualization (HNV) Environments
http://support.microsoft.com/kb/2974503/

Another fantastic source of information is Hyper-V.nu that always keeps a list to the latest updates for Windows Server (Cluster and Virtualization) here; http://www.hyper-v.nu/hotfixes/

List and Remove Corrupted files reported by Data Deduplication with Powershell

I’ve been copying 7TB of data in about 100.000 files from an old fileserver to the new one, but I just noticed that some of the files are corrupted! Gahhh…

Chkdsk found some issues, but didn’t solve the problem. As this server is running Windows Server 2012 R2 with Data Deduplication I decided to have a look at that.

Yeah, unfortunately a lot of corrupted files with EventID 12800

Log Name:      Microsoft-Windows-Deduplication/Scrubbing
Source:        Microsoft-Windows-Deduplication
Date:          5/16/2014 11:11:10 AM
Event ID:      12800
Task Category: Data Deduplication Scrubbing Task
Level:         Error
Keywords:      Reporting
User:          SYSTEM
Description:
Data Deduplication service detected corruption in "Drive:\PATH\FILE.Name". The corruption cannot be repaired.

Log Name: Microsoft-Windows-Deduplication/Scrubbing

Source: Microsoft-Windows-Deduplication

Date: 5/16/2014 11:11:10 AM

Event ID: 12800

Task Category: Data Deduplication Scrubbing Task

Level: Error

Keywords: Reporting

User: SYSTEM

Description:

Data Deduplication service detected corruption in "Drive:\PATH\FILE.Name". The corruption cannot be repaired.

So Data Deduplication is reporting a lot of corrupted files, and this error message didn’t really make me any happier.

Log Name:      Microsoft-Windows-Deduplication/Operational
Source:        Microsoft-Windows-Deduplication
Date:          5/21/2014 8:00:16 PM
Event ID:      4105
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Description:
Data Deduplication error: Unexpected error.


Operation:
   Add a merged target chunk store container.
   Reconciling duplicate chunks in the chunk store.
   Running the deduplication job.

Context:
   File name: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream\002b0000.00000002.ccc
   File name: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream\002b0000.00000001.ccc
   Chunk store: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream
   Volume name: E: (\\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\)

Log Name: Microsoft-Windows-Deduplication/Operational

Source: Microsoft-Windows-Deduplication

Date: 5/21/2014 8:00:16 PM

Event ID: 4105

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Description:

Data Deduplication error: Unexpected error.

Operation:

Add a merged target chunk store container.

Reconciling duplicate chunks in the chunk store.

Running the deduplication job.

Context:

File name: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream\002b0000.00000002.ccc

File name: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream\002b0000.00000001.ccc

Chunk store: \\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\System Volume Information\Dedup\ChunkStore\{D2110CC9-B0D2-4F6A-B391-0680AE13C77B}.ddp\Stream

Volume name: E: (\\?\Volume{d44b1e9d-922f-46b7-965b-05d184cc6b74}\)

Hopefully this quick and dirty powershell script that I just wrote can help you too.
As I still had the working fileserver with working files available, I decided to just delete all corrupted files with this script.

$corrupted = Get-WinEvent -LogName Microsoft-Windows-Deduplication/Scrubbing | where ID -EQ "12800" 

$msg = $corrupted | select Message 
$file = $msg -replace ". The corruption cannot be repaired.}",""
$files = $file -replace "@{Message=Data Deduplication service detected corruption in ",""

foreach ($file in $files) {
  Get-Item ($file.Remove(0,1) -replace ".$") | Remove-Item
}

$corrupted = Get-WinEvent -LogName Microsoft-Windows-Deduplication/Scrubbing | where ID -EQ "12800"

$msg = $corrupted | select Message

$file = $msg -replace ". The corruption cannot be repaired.}",""

$files = $file -replace "@{Message=Data Deduplication service detected corruption in ",""

foreach ($file in $files) {

Get-Item ($file.Remove(0,1) -replace ".$") | Remove-Item

}

And then ran a robocopy script to recopy everything (it will skip any files that already exists making it a quite fast process).
robocopy /mir /copyall /r:1 /w:1 \\source\path \\destination\path

Updated 2014-05-22 16:22: Added a full delete and copy script, which is a bit better written;

$corrupted = Get-WinEvent -LogName Microsoft-Windows-Deduplication/Scrubbing | where ID -EQ "12800" | Sort-Object -Property Message

$sourcedir="\\server\share$\"

foreach ($entry in $corrupted) {
#  Write-Output $entry
   $file = "$((($entry | select -ExpandProperty Properties)[4]).value)$((($entry | select -ExpandProperty Properties)[5]).value)$((($entry | select -ExpandProperty Properties)[6]).value)" 
   write-output "Deleting file: $file" 
   Get-Item $file -ErrorAction SilentlyContinue | Remove-Item -Force
   write-output "Copying file: $file" 
   Copy-Item "$($sourcedir)$((($entry | select -ExpandProperty Properties)[5]).value)$((($entry | select -ExpandProperty Properties)[6]).value)" -Destination $file -Force 
}

$corrupted = Get-WinEvent -LogName Microsoft-Windows-Deduplication/Scrubbing | where ID -EQ "12800" | Sort-Object -Property Message

$sourcedir="\\server\share$\"

foreach ($entry in $corrupted) {

# Write-Output $entry

$file = "$((($entry | select -ExpandProperty Properties)[4]).value)$((($entry | select -ExpandProperty Properties)[5]).value)$((($entry | select -ExpandProperty Properties)[6]).value)"

write-output "Deleting file: $file"

Get-Item $file -ErrorAction SilentlyContinue | Remove-Item -Force

write-output "Copying file: $file"

Copy-Item "$($sourcedir)$((($entry | select -ExpandProperty Properties)[5]).value)$((($entry | select -ExpandProperty Properties)[6]).value)" -Destination $file -Force

}

Azure Pack: Failed to load virtual machine templates for subscription …

Problem: When a user login to Azure Pack, they sometimes get the error message: “Failed to load virtual machine templates for subscription <subscription ID>”.
And if the user tries to deploy a a Virtual Machine, there is no templates to choose from.

Cause: I’m not sure what the real cause is, but it seems to be a bug where Azure Pack forgets that information. The template information is there, it’s just Azure Pack that does not read it.

Workaround: Until this is solved by Microsoft in a hotfix or next updated you will have to handle this by yourself.
You can as an Administrator touch the Plans so they are re-synced and it will immediately start working again. Or you can schedule a powershell script to run regularly, touching the plans.

Here is the powershell command I’ve setup for our environment.

# Fill in values
# Address to your ADFS Server 
$adfsAddress = 'https://adfs.server.com'

# Address to Admin Sites AdminAPI
$adminUri = 'https://admin.server.com:30004'

# Username to connect to the server 
$username = 'domain\username'

# Use this command once to generate the passwords file
# read-host -assecurestring | convertfrom-securestring | out-file C:\path\to\passwords\file\password.txt 
$password = get-content C:\path\to\passwords\file\password.txt | convertto-securestring

$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$password

$token = Get-AdfsToken -adfsAddress $adfsAddress -credential $credentials 
$plans = Get-MgmtSvcPlan -AdminUri $adminUri -Token $token -DisableCertificateValidation:$true 

# Loop though all plans and sync them 
foreach ($id in $plans) { 
  write-host Syncing $id.DisplayName
  Sync-MgmtSvcPlan -AdminUri $adminUri -Token $token -DisableCertificateValidation:$true -PlanId $id.id
  }

# Fill in values

# Address to your ADFS Server

$adfsAddress = 'https://adfs.server.com'

# Address to Admin Sites AdminAPI

$adminUri = 'https://admin.server.com:30004'

# Username to connect to the server

$username = 'domain\username'

# Use this command once to generate the passwords file

# read-host -assecurestring | convertfrom-securestring | out-file C:\path\to\passwords\file\password.txt

$password = get-content C:\path\to\passwords\file\password.txt | convertto-securestring

$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$password

$token = Get-AdfsToken -adfsAddress $adfsAddress -credential $credentials

$plans = Get-MgmtSvcPlan -AdminUri $adminUri -Token $token -DisableCertificateValidation:$true

# Loop though all plans and sync them

foreach ($id in $plans) {

write-host Syncing $id.DisplayName

Sync-MgmtSvcPlan -AdminUri $adminUri -Token $token -DisableCertificateValidation:$true -PlanId $id.id

}

First of all, notice that it’s using a file for the password, to make this automatic.
Use this command once to creat the password.txt file

read-host -assecurestring | convertfrom-securestring | out-file C:\path\to\passwords\file\password.txt

1	read-host -assecurestring \| convertfrom-securestring \| out-file C:\path\to\passwords\file\password.txt

And it’s using the Get-AdfsToken function to get the a ADFS Token from our ADFS Server (more info: Get-AdfsToken Function), but you can modify the above script to use a normal Windows Token too if you rather want to use the Windows Authentication site than ADFS. Then use this command (replace line 17 in the script above with this line):

$Token = Get-MgmtSvcToken –Type Windows –AuthenticationSite https://yourauthenticationsite:30072 – ClientRealm http://azureservices/AdminSite -User $Credentials -DisableCertificateValidation

1	$Token = Get-MgmtSvcToken –Type Windows –AuthenticationSite https://yourauthenticationsite:30072 – ClientRealm http://azureservices/AdminSite -User $Credentials -DisableCertificateValidation

Get-MgmtSvcToken to get a ADFS Token is broken

Last week, I spent hours trying to get Get-MgmtSvcToken to get a Admin Token from our ADFS server without succeeding.

Get-MgmtSvcToken

Creates an identity token.

Syntax
Parameter Set: Default
Get-MgmtSvcToken [-Type] TokenType {Adfs | Membership | MembershipAdfs | Windows | WindowsAdfs} [-AuthenticationSite] Uri [-ClientRealm] Uri [-AdfsAddress Uri ] [-AdfsRealm Uri ] [-DisableCertificateValidation] [-User PSCredential ] [ CommonParameters ]

				1
2

						Parameter Set: Default
Get-MgmtSvcToken [-Type] TokenType {Adfs | Membership | MembershipAdfs | Windows | WindowsAdfs} [-AuthenticationSite] Uri [-ClientRealm] Uri [-AdfsAddress Uri ] [-AdfsRealm Uri ] [-DisableCertificateValidation] [-User PSCredential ] [ CommonParameters ]

I tried every possible combination with both “-type WindowsADFS” and “-type ADFS” in combination with various URL’s that should have worked, but didn’t.

With the help of @vNiklas and @_marcvaneijk on Twitter, I was pointed to TechNet where there is a documented bug/error/problem with the Get-mgmtSvcToken command.
By writing this blog, I hope someone will find it through a search and save themselves some time as that TechNet article never showed up when I was searching.

Technet Article: Why can’t I get a token with the Get-MgmtSvcToken cmdlet?

And the solution is to use your own function instead like this;

function Get-AdfsToken([string]$adfsAddress, [PSCredential]$credential)
{
    $clientRealm = 'http://azureservices/AdminSite'
    $allowSelfSignCertificates = $true

    Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

    $identityProviderEndpoint = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ($adfsAddress + '/adfs/services/trust/13/usernamemixed')
    $identityProviderBinding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode]::TransportWithMessageCredential)
    $identityProviderBinding.Security.Message.EstablishSecurityContext = $false
    $identityProviderBinding.Security.Message.ClientCredentialType = 'UserName'
    $identityProviderBinding.Security.Transport.ClientCredentialType = 'None'

    $trustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $identityProviderBinding, $identityProviderEndpoint
    $trustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrust13

    if ($allowSelfSignCertificates)
    {
        $certificateAuthentication = New-Object -TypeName System.ServiceModel.Security.X509ServiceCertificateAuthentication
        $certificateAuthentication.CertificateValidationMode = 'None'
        $trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = $certificateAuthentication
    }

    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.Password)
    $password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)

    $trustChannelFactory.Credentials.SupportInteractive = $false
    $trustChannelFactory.Credentials.UserName.UserName = $credential.UserName
    $trustChannelFactory.Credentials.UserName.Password = $password #$credential.Password

    $rst = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -ArgumentList ([System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue)
    $rst.AppliesTo = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.EndpointReference -ArgumentList $clientRealm
    $rst.TokenType = 'urn:ietf:params:oauth:token-type:jwt'
    $rst.KeyType = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer

    $rstr = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

    $channel = $trustChannelFactory.CreateChannel()
    $token = $channel.Issue($rst, [ref] $rstr)

    $tokenString = ([System.IdentityModel.Tokens.GenericXmlSecurityToken]$token).TokenXml.InnerText;
    $result = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenString))
    return $result
}

# Fill in values
$adfsAddress = 'https://adfshost'
$username = 'domain\username'
$password = 'password'
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$securePassword

$token = Get-AdfsToken -adfsAddress $adfsAddress -credential $credential 
$token

function Get-AdfsToken([string]$adfsAddress, [PSCredential]$credential)

{

$clientRealm = 'http://azureservices/AdminSite'

$allowSelfSignCertificates = $true

Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

$identityProviderEndpoint = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ($adfsAddress + '/adfs/services/trust/13/usernamemixed')

$identityProviderBinding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode]::TransportWithMessageCredential)

$identityProviderBinding.Security.Message.EstablishSecurityContext = $false

$identityProviderBinding.Security.Message.ClientCredentialType = 'UserName'

$identityProviderBinding.Security.Transport.ClientCredentialType = 'None'

$trustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $identityProviderBinding, $identityProviderEndpoint

$trustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrust13

if ($allowSelfSignCertificates)

{

$certificateAuthentication = New-Object -TypeName System.ServiceModel.Security.X509ServiceCertificateAuthentication

$certificateAuthentication.CertificateValidationMode = 'None'

$trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = $certificateAuthentication

}

$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.Password)

$password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)

[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)

$trustChannelFactory.Credentials.SupportInteractive = $false

$trustChannelFactory.Credentials.UserName.UserName = $credential.UserName

$trustChannelFactory.Credentials.UserName.Password = $password #$credential.Password

$rst = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -ArgumentList ([System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue)

$rst.AppliesTo = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.EndpointReference -ArgumentList $clientRealm

$rst.TokenType = 'urn:ietf:params:oauth:token-type:jwt'

$rst.KeyType = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer

$rstr = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

$channel = $trustChannelFactory.CreateChannel()

$token = $channel.Issue($rst, [ref] $rstr)

$tokenString = ([System.IdentityModel.Tokens.GenericXmlSecurityToken]$token).TokenXml.InnerText;

$result = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenString))

return $result

}

# Fill in values

$adfsAddress = 'https://adfshost'

$username = 'domain\username'

$password = 'password'

$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$securePassword

$token = Get-AdfsToken -adfsAddress $adfsAddress -credential $credential

$token

Moving your WordPress site running in Microsoft Azure to Azure Pack

Drum Roll please ….

I’ve now moved my blog from Microsoft Azure to our own Private Cloud running on Windows Azure Pack! Hurray!

It was a really smooth transition, involving a couple of very easy steps to maintain all blogposts, media and comments.

Provision a new WordPress Blog in Azure Pack.
Login to WordPress to finish the installation.
Upgrade WordPress (to the same version as your old wordpress site).
Add the same Themes as on your old site.
Install WP Clone plugin (free) on both the old and the new wordpress site.
On the old blog, use the WP Clone plugin to make a Backup. When it’s done, you will get a URL, save that.
On the new blog, use the WP Clone plugin to import the Backup from the URL you got in the previous step.
In the new site, update your sites URL’s. In my case, I chanced isolation.labcenteronline.com to www.isolation.se.
Update your DNS points, to point to your private cloud url (in my case, isolation.labcenteronline.com).
Done!

Reduce DNS Client Cache in Windows Server 2012 R2

I’m often using Remote Desktop Gateways to connect to various environments, including our Private Cloud. One challenge arises when I change IP-address or network settings on a computer through SCVMM. As the RDGW has cached the DNS entry and IP Address, it takes a while until that information is cleared and I’m able to eastablish a connection. Or to be fair, what I usually do is RDP into the RDGW and does a “ipconfig /flushdns” and then reconnect the first server.
It does work, but wouldn’t it be better if that was kind of done automatically. Well, I guess you could schedule a “ipconfig /flushdns” every X minutes and get the desired result.

A better solution is to reduce the DNS Cache timeout on the RDGW server! I’ve modified mine to cache entries for just 10 seconds, and then do a new DNS query. 10 Seconds might be a bit too aggressive though it works fine for me.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters maxcacheTTL — HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
maxcacheTTL

Use this registry key to set the DNS Client Cache timeout;

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters 
Key: MaxCacheTtl
Type: REG_DWORD
Value: 10  (Decimal, in Seconds)
Default: 0x15180 (86,400 seconds = 1 day)

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

Key: MaxCacheTtl

Type: REG_DWORD

Value: 10 (Decimal, in Seconds)

Default: 0x15180 (86,400 seconds = 1 day)

Restart the “DNS Client” service to take effect. (net stop dnscache & net start dnscache).
I’ve only tried this on Windows Server 2012 R2, but I guess it should also work on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Personally, I’ve set this key through Group Policy Preferences to make sure it’s always done, even if the RDGW Server is reinstalled.

The other two values; MaxCacheEntryTtlLimit and MaxNegativeCacheTtl are leftovers from my testing, it seems those values worked for “Windows 2000” and are not used anymore.

Script for importing existing VMs into Azure Pack

As you start working with Azure Pack, you probably realize that you have a lot of existing VM’s that you would like to import into Azure Pack, and by that be able to use them just as you can handle all new ones?

All that’s needed for that, is to set the correct AzurePack user as the owner and SelfServicUuser on that Virtual Machine. And of course, have the machine in the correct “Cloud”.

Here is a small script which will help you out by;

Asking in a Grid View, which Cloud you would like to import a machine in.
Ask which user that should be the new owner of this VM.
Let you pick, which VM from the Cloud you would like to import.

As we have multiple clouds, and users can have multiple subscriptions, I chose to make the script use GridView, to minimize the risk for human errors (typos).

# You have to set your SCVMM server and use -ForOnBehalfOf to make use of SPF. 
$SCVMMSERVER = Get-SCVMMServer -ComputerName YOUR.SCVVM.SERVER.FQDN -ForOnBehalfOf 

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | Out-GridView -Title "Select Cloud" -PassThru).Name
$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name -Replace "_.+","" | Out-GridView -PassThru -Title "Select User" 
$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser* 
$SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name | Out-GridView -Title "Select VM" -PassThru).Name)

Set-SCVirtualMachine -VM $SCVM –UserRole $vmselfserviceuserrole –Owner $SCUser

# You have to set your SCVMM server and use -ForOnBehalfOf to make use of SPF.

$SCVMMSERVER = Get-SCVMMServer -ComputerName YOUR.SCVVM.SERVER.FQDN -ForOnBehalfOf

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | Out-GridView -Title "Select Cloud" -PassThru).Name

$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name -Replace "_.+","" | Out-GridView -PassThru -Title "Select User"

$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser*

$SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name | Out-GridView -Title "Select VM" -PassThru).Name)

Set-SCVirtualMachine -VM $SCVM –UserRole $vmselfserviceuserrole –Owner $SCUser