Scripting – Page 3 – A Geeks World

Update SCVMM Agent with Powershell

I just updated our System Center Virtual Machine Manager 2012 R2 Environment to Update Release 7. SCVMM would then report that the SCVMM Managed Computers has an Out-of-Date Agent which need to be upgraded.

It’s possible to do it manually by right clicking on each server and choose “Update Agent” or use this short powershell script to do it on all machines at the same time.

# Change name to the RunAs Admin Account specified in SCVMM
$SCVMMADMIN = 'SCVMM_Admin'
$credential = Get-SCRunAsAccount -Name "$SCVMMADMIN" 
Get-SCVMMManagedComputer | where VersionState -ne UpToDate | Update-SCVMMManagedComputer -Credential $credential -RunAsynchronously

# Change name to the RunAs Admin Account specified in SCVMM

$SCVMMADMIN = 'SCVMM_Admin'

$credential = Get-SCRunAsAccount -Name "$SCVMMADMIN"

Get-SCVMMManagedComputer | where VersionState -ne UpToDate | Update-SCVMMManagedComputer -Credential $credential -RunAsynchronously

It will Update the Agent on all Managed Servers for you (no restart needed in my case).

Set or change Owner on a VMM for SCVMM and Azure Pack

Here is a updated script for modifying the owner of a VM, and/or to make it show up in Azure Pack. For a VM that’s been created in VMM to show up in AzurePack, it has to be assigned to a (not part of these scripts) Cloud and a subscription has to be added as owner to the VM (this is done by the scripts below).

Here is the original post: http://www.isolation.se/script-for-importing-existing-vms-into-azure-pack/

And here are the updated scripts:

#####
#
# Set Owner for one specific VM. 
#
$SCVMMSERVER = Get-SCVMMServer -ComputerName $ENV:COMPUTERNAME -ForOnBehalfOf 

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | where Name -notlike "*Tenants*" | Out-GridView -Title "Select Cloud" -PassThru).Name
$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name  | Out-GridView -PassThru -Title "Select User" 
$SCAdmin = Get-SCUserRole -Name Administrator
$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser* 
$SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name, Owner, UserRole | Out-GridView -Title "Select VM" -PassThru).Name)

Set-SCVirtualMachine -VM $SCVM –UserRole $vmselfserviceuserrole –Owner $SCAdmin

#####

# Set Owner for one specific VM.

$SCVMMSERVER = Get-SCVMMServer -ComputerName $ENV:COMPUTERNAME -ForOnBehalfOf

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | where Name -notlike "*Tenants*" | Out-GridView -Title "Select Cloud" -PassThru).Name

$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name | Out-GridView -PassThru -Title "Select User"

$SCAdmin = Get-SCUserRole -Name Administrator

$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser*

$SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name, Owner, UserRole | Out-GridView -Title "Select VM" -PassThru).Name)

Set-SCVirtualMachine -VM $SCVM –UserRole $vmselfserviceuserrole –Owner $SCAdmin

The script will ask you for a Cloud and list the subscriptions you can choose from, and then ask which VM to set the Owner on.

The difference here is that it will also set the VMM Administrators as an Owner so you can do maintenance tasks on the VM from VMM without modifying ownership back and forth.

And then a second script that will just set the same Owner on all VMs in a cloud. It’s nice when you have a lot of existing VM’s in an environment and would like to assign them to one specific user/subscription in one go.

#####
#
# Set same Owner for all VMs in a specific Cloud. 
#
$SCVMMSERVER = Get-SCVMMServer -ComputerName $ENV:COMPUTERNAME -ForOnBehalfOf 

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | where Name -notlike "*Tenants*" | Out-GridView -Title "Select Cloud" -PassThru).Name
$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name | Out-GridView -PassThru -Title "Select User" 
$SCAdmin = Get-SCUserRole -Name Administrator
$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser* 
# $SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name, Owner, UserRole | Out-GridView -Title "Select VM" -PassThru).Name)

Get-SCCloud $SCCloud | Get-SCVirtualMachine | Set-SCVirtualMachine –UserRole $vmselfserviceuserrole –Owner $SCAdmin

#####

# Set same Owner for all VMs in a specific Cloud.

$SCVMMSERVER = Get-SCVMMServer -ComputerName $ENV:COMPUTERNAME -ForOnBehalfOf

$SCCloud = Get-SCCloud -Name (Get-SCCloud | select Name | where Name -notlike "*Tenants*" | Out-GridView -Title "Select Cloud" -PassThru).Name

$SCUser = (Get-SCUserRole | Where-Object Cloud -Match $SCCloud).Name | Out-GridView -PassThru -Title "Select User"

$SCAdmin = Get-SCUserRole -Name Administrator

$vmselfserviceuserrole = Get-SCUserRole | Where-Object Cloud -Match $SCCloud | Where-Object Name -Like $SCUser*

# $SCVM = (get-scvirtualmachine ($SCCloud | Get-SCVirtualMachine | select Name, Owner, UserRole | Out-GridView -Title "Select VM" -PassThru).Name)

Get-SCCloud $SCCloud | Get-SCVirtualMachine | Set-SCVirtualMachine –UserRole $vmselfserviceuserrole –Owner $SCAdmin

Both of the script are written to be executed on the VMM Server, though you can probably change the $ENV:COMPUTERNAME to point to your VMM Server and then execute the script remotely.

Migrate VMs to another Hostgroup via SCVMM and Powershell

Earlier this week I had a need to move a lot of VM’s from a couple of Hosts to another cluster. And instead of doing it one by one in VMM (Virtual Machine Manager), I wrote a small quick and dirty script that I had not really planned on publishing. Though a customer had a need for that script today, so I figured more people might need it.

Enter the name of the current Host where the VM’s are running.
Enter the name of the destination Hostgroup (seen in VMM). Start script.

$VMHost = "FAHOST11"   #Name of current Host where VMs are running 
$HostGroup = "Workload"  #Name Hostgroup of Destination Servers 
$SleepTime = "10"  #Seconds to wait between each move. To give the Move time to complete before next start. Else all server might end up on the same Host. 
 
################
$SCHostGroup = Get-SCVMHostGroup -Name $HostGroup
$VMs = Get-SCVirtualMachine -VMHost $VMHost
 
foreach ($vm in $VMs) {
 
  $BestHost = Get-SCVMHostRating -HighlyAvailable $true -VMHostGroup $SCHostGroup -VM $VM | where VMHost -notlike $VMHost | Sort-Object Rating -Descending | select -first 1 
  Write-Host $vm $BestHost
  Move-SCVirtualMachine -VM $vm -VMHost $BestHost.VMHost -HighlyAvailable $true -RunAsynchronously 
  sleep -Seconds $SleepTime   
}

$VMHost = "FAHOST11" #Name of current Host where VMs are running

$HostGroup = "Workload" #Name Hostgroup of Destination Servers

$SleepTime = "10" #Seconds to wait between each move. To give the Move time to complete before next start. Else all server might end up on the same Host.

################

$SCHostGroup = Get-SCVMHostGroup -Name $HostGroup

$VMs = Get-SCVirtualMachine -VMHost $VMHost

foreach ($vm in $VMs) {

$BestHost = Get-SCVMHostRating -HighlyAvailable $true -VMHostGroup $SCHostGroup -VM $VM | where VMHost -notlike $VMHost | Sort-Object Rating -Descending | select -first 1

Write-Host $vm $BestHost

Move-SCVirtualMachine -VM $vm -VMHost $BestHost.VMHost -HighlyAvailable $true -RunAsynchronously

sleep -Seconds $SleepTime

}

The script will calculate the best possible host to move the VM too and then move it there and make it HighAvailable.

I didn’t initially have the sleep line in my script, though I did notice while it was executing that it tried to move too many at the same time (I think the default limit is 2) so some failed. And another issue is that the HostRating may get wrong if its doing a lot of calculations while there are no VMs on the destination host, and then suddenly lots of VMs end up there at the same time. So a sleep should hopefully take care of both those problems at the same time.

Automatically generate RDCMan connection files with a script

RDCMan has to be my favorite tool. It’s a free program from Microsoft, where you can store all RemoteDesktop connections to your own servers and to your customers servers. I’m using each day, and I’m probably spending more time in that program than even Web Browsing and Outlook combined.

When I’m building new Private Clouds (datacenters) for customers, we deploy 20+ servers in a short time, and it’s quite a lot of work to add each server manually to RDCMan even though I’m of course using inherit on most settings, so all that needs to be done is add the servername and displayname. Though repetetive! So, lets use powershell!

RDCman is using a XML file for all the information, which it’s possible to create via powershell. I was lucky and found an almost perfect script done by powershell guru and MVP Jan Egil Ring.

I’ve modified that script a bit to be more in line with what I need, and updated it for RDCman 2.7 (no big deal, the old file worked in 2.7 too).

Version 2.0 of the script released 15/07/2015:

Updated for RDCMan 2.7
Only including ComputerObjects (no ClusterNames, Cluster Resources etc)
Only including Enabled Computer objects
Adds Computer Description as Comment
Not using a Group. I felt no need for that as there is just one environment in each RDG File
Support for Providing a RDGateway Address
Changed file name to reflect FQDN of Domain (we have several customers with the same Netbios name)
Sort servers alphabetically in the list.

Just run the script on a server with powershell and AD module installed, and it will create a brand new RDG file for you in your profile.
Note that it’s possible to provide a RDGateway Address and if it’s should be enabled by default.

The script gets scrambled when I’m publishing it on my blog, so please download the script from TechNet Gallery here: https://gallery.technet.microsoft.com/scriptcenter/Automatically-generate-da1d502b

Please let me know if you have any issues or suggestions for making the script even better.
Thanks!

Set MPIO Policy via PowerShell for Storage Spaces

Here is a small script to set the MPIO Policy via Powershell according to Microsofts Best Practices for Storage Spaces as seen here https://technet.microsoft.com/library/0923b851-eb0a-48ee-bfcb-d584363be668

It will set the Global MPIO policy to Least Block and then change the MPIO Policy for all SSD’s to Round Robin. Though, it’s possible that mpclaim.exe will use a different DiskID from what Powershell/Device Manager is using.
So the script has a built-in feature to adjust the DiskId if needed, though you have to verify and set the value manually before running the script!

# As you can see in the ForEach section I had to subtract -1 from the DiskID to make the DiskIDs right. 
# It's because mpclaim can only see MPIO Disks, and will not see the OS Disk (that Powershell lists) 
# You need to verify this manually before running the script like this: 
#
# 1. Open DeviceManager 
# 2. Locate one random SSD 
# 3. Manually change MPIO Policy to Round Robin 
#    Select Details Tab
#    Select "Physical Device Object Name" in the dropdrown list. 
#    Take note of the DiskId 
#    Click OK
# 4. Run this command line: 
#    mpclaim -s -d | findstr /i /c:RR
#    Take note of the DiskId 
# 5. Compare the Numbers from #3 and #4. How much do they differ? 
# 
# When I wrote this script, the numbers in this environment differed -1 (mpclaim was 24 and DeviceManger was 25). 
# So I adjusted the script below to reduce the number by -1. 
# 
# While in another environment the Numbers between DeviceManager and mpclaim matched. So no need to subract. 
# Adjust $subtract below accordingly to the test above. 

#################
# 
# Set Global MPIO Policy to Least Blocks according to Microsoft Best Practices 
Set-MSDSMGlobalDefaultLoadBalancePolicy –policy LB 

# Get all SSD Drives 
$ssds = Get-PhysicalDisk | where MediaType -EQ SSD

foreach ($ssd in $ssds) { 
 
 $subtract = "1"    # set to 0 if numbers match in the test above. 
 $id = (($ssd.DeviceId) -$subtract).ToString()
 # Set Policy to Round Robin = 2 
 start-process "c:\windows\system32\mpclaim.exe" -ArgumentList "-l -d $id 2" -Wait  
 }

Write-Output "Show all Drives with Round Robin MPIO Policy"
c:\windows\system32\mpclaim.exe -s -d | findstr /i /c:RR

# As you can see in the ForEach section I had to subtract -1 from the DiskID to make the DiskIDs right.

# It's because mpclaim can only see MPIO Disks, and will not see the OS Disk (that Powershell lists)

# You need to verify this manually before running the script like this:

# 1. Open DeviceManager

# 2. Locate one random SSD

# 3. Manually change MPIO Policy to Round Robin

# Select Details Tab

# Select "Physical Device Object Name" in the dropdrown list.

# Take note of the DiskId

# Click OK

# 4. Run this command line:

# mpclaim -s -d | findstr /i /c:RR

# Take note of the DiskId

# 5. Compare the Numbers from #3 and #4. How much do they differ?

# When I wrote this script, the numbers in this environment differed -1 (mpclaim was 24 and DeviceManger was 25).

# So I adjusted the script below to reduce the number by -1.

# While in another environment the Numbers between DeviceManager and mpclaim matched. So no need to subract.

# Adjust $subtract below accordingly to the test above.

#################

# Set Global MPIO Policy to Least Blocks according to Microsoft Best Practices

Set-MSDSMGlobalDefaultLoadBalancePolicy –policy LB

# Get all SSD Drives

$ssds = Get-PhysicalDisk | where MediaType -EQ SSD

foreach ($ssd in $ssds) {

$subtract = "1" # set to 0 if numbers match in the test above.

$id = (($ssd.DeviceId) -$subtract).ToString()

# Set Policy to Round Robin = 2

start-process "c:\windows\system32\mpclaim.exe" -ArgumentList "-l -d $id 2" -Wait

}

Write-Output "Show all Drives with Round Robin MPIO Policy"

c:\windows\system32\mpclaim.exe -s -d | findstr /i /c:RR

Update VMM Agent via PowerShell

PowerShell script to update VMM Agent on all VMM Managed Computers after Update Rollup is installed on VMM Server.

You can find the AgentVersion here: http://social.technet.microsoft.com/wiki/contents/articles/15361.list-of-build-numbers-for-system-center-virtual-machine-manager-vmm.aspx

$credential = Get-SCRunAsAccount -Name "VMMAdminAccount" 
$managedComputer = Get-SCVMMManagedComputer | where -Property VersionState -eq "UpgradeAvailable" 
foreach ($server in $managedComputer) { 
Update-SCVMMManagedComputer -Credential $credential -RunAsynchronously -VMMManagedComputer $server 
 }

$credential = Get-SCRunAsAccount -Name "VMMAdminAccount"

$managedComputer = Get-SCVMMManagedComputer | where -Property VersionState -eq "UpgradeAvailable"

foreach ($server in $managedComputer) {

Update-SCVMMManagedComputer -Credential $credential -RunAsynchronously -VMMManagedComputer $server

}

Update AD-Users with new Phone-number and Pager via Powershell

Had a quick question from a customer about how one can automatically update the phone number and pager of a lot of AD users. The customer was changing switchboard and had to add 1 number in front of the current number. Adding it in the middle of the string is also possible, but slightly more complicated as you have to split the string.

This is possible to do in a few different ways, but I chose the quickest way for me, via Powershell.

# Verify how it looks like before executing the script. 
# It's easy to add a Export-CSV at the end of this line to have a backup. 
Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties *| select Name, telephoneNumber, Pager 

# Add a "2" infront of Pager 
# Add a "8" infront of TelephoneNumber 
Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties * |            
 ForEach-Object {
 Set-ADObject -Identity $_.DistinguishedName -Replace @{Pager="2$($_.Pager)"}
 Set-ADObject -Identity $_.DistinguishedName -Replace @{telephoneNumber="8$($_.telephoneNumber)"}
 }     

# And Verify it went well. 
 Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties *| select Name, telephoneNumber, Pager

# Verify how it looks like before executing the script.

# It's easy to add a Export-CSV at the end of this line to have a backup.

Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties *| select Name, telephoneNumber, Pager

# Add a "2" infront of Pager

# Add a "8" infront of TelephoneNumber

Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties * |

ForEach-Object {

Set-ADObject -Identity $_.DistinguishedName -Replace @{Pager="2$($_.Pager)"}

Set-ADObject -Identity $_.DistinguishedName -Replace @{telephoneNumber="8$($_.telephoneNumber)"}

}

# And Verify it went well.

Get-ADUser -SearchBase "OU=Test,DC=dreamhouse,DC=local" -Filter * -properties *| select Name, telephoneNumber, Pager

End Result:

Updating SCVMM DHCP Server Agent for Update Rollup 3 with Powershell

I’ve been to a couple of customers in the past month who has applied Update Rollup 3 for System Center 2012 R2 Virtual Machine Manager, through WSUS, but didn’t read the fine print.

So I wrote a quick script to locate all Hyper-V Hosts with the old/incorrect version.

# List all VM-Hosts with an old version of SCVMM DHCP Extension 
# Currently, the latest version is 3.2.7672.0

# Specify your VMM Server Name
$VMMServer = "VMMServerName"

Invoke-Command -ComputerName (get-scvmhost -VMMServer $VMMServer).Name -Command { 
  (Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -ne 3.2.7672.0} ) 
  }

# List all VM-Hosts with an old version of SCVMM DHCP Extension

# Currently, the latest version is 3.2.7672.0

# Specify your VMM Server Name

$VMMServer = "VMMServerName"

Invoke-Command -ComputerName (get-scvmhost -VMMServer $VMMServer).Name -Command {

(Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -ne 3.2.7672.0} )

}

And the next step was obviously, how to update the agent on all the Hyper-V hosts remotely and automatically!
There are a couple of different ways to do this, let me go through a couple of them.

One of the easiest ways is to use Sysinternals PSExec, just run psexec against those servers and execute uninstall of the old and installation of the new agent. In my humble opinion, it’s too much manual work to do it this way with a lot of hosts. So I rather use Powershell.

Looking at the above Powershell example, you almost have a full script for doing the rest.
Have a look at this;

# Check for old SCVMM DHCP Server Agent, uninstall old version, install new version. 
# Specify your VMM Server Name
$VMMServer = "VMMServerName"

Invoke-Command -ComputerName (get-scvmhost -VMMServer $VMMServer).Name -ArgumentList $VMMServer -ScriptBlock { 
    Param ($VMMServer) 
    $old = (Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})
    $setup = ("\\"+ $VMMServer +"\c$\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\SwExtn\DHCPExtn.msi")
 
    if(Test-Path -PathType Container ("\\" + $VMMServer + "\c$") -Verbose){ 
        Write-Output "$env:ComputerName sucessfully connected to $Setup"

        if (($old.Version).Count -eq 1) {
            $version = $old.version
            $name = $old.Name
             Write-Output "Found old version of $Name $version. Uninstalling it." 
        ((Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})).Uninstall()

        Write-Output "Done Uninstalling"
        Write-Output "Installing newest version of $Name from SCVMM Server" 
        Start-Process "$setup" /qn -Wait
        }
    else { Write-Output "Couldn't connect to install share, aborting"} 
}
}

# Check for old SCVMM DHCP Server Agent, uninstall old version, install new version.

# Specify your VMM Server Name

$VMMServer = "VMMServerName"

Invoke-Command -ComputerName (get-scvmhost -VMMServer $VMMServer).Name -ArgumentList $VMMServer -ScriptBlock {

Param ($VMMServer)

$old = (Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})

$setup = ("\\"+ $VMMServer +"\c$\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\SwExtn\DHCPExtn.msi")

if(Test-Path -PathType Container ("\\" + $VMMServer + "\c$") -Verbose){

Write-Output "$env:ComputerName sucessfully connected to $Setup"

if (($old.Version).Count -eq 1) {

$version = $old.version

$name = $old.Name

Write-Output "Found old version of $Name $version. Uninstalling it."

((Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})).Uninstall()

Write-Output "Done Uninstalling"

Write-Output "Installing newest version of $Name from SCVMM Server"

Start-Process "$setup" /qn -Wait

}

else { Write-Output "Couldn't connect to install share, aborting"}

}

Word of warning, the above script should be considered a “proof of concept” or give you a rough idea of how to do it. I’ve run it once, and it did work so it will hopefully work for you too.

There is a minor problem with the above solution. That script will do something called a “double hop”. It’s when you run something on Computer A, which gets executed on Computer B which in turn tries to connect to Computer C and use the credentials provided in A. Two hops, aka double hop.
In the above script, it’s when it’s accessing the install files from a remote share.
And to solve that problem you have to enable something you might have heard about, called Kerberos Constraint Delegation on all Hyper-V hosts (or other servers you want to double hop via).
In most environments KCD is not enabled, so the above script would not work to 100%. In fact, the uninstall would work, but not the installation so would will end up with a server that’s missing the DHCP Agent.
In case you ran the script without reading this part or before adding KCD, I added a small safeguard against that by doing a Test-Path before uninstalling the agent which probably told you it failed.

My good friend and college Mikael Nyström wrote a great blog post here recently on how to rather utilize CredSSP instead of using KCD for tasks like this.

And here is a slightly modified script using CredSSP instead of KCD.

#Set default values

# Specify your VMM Server Name
$VMMServer = "VMMServerName"


$Servers = (get-scvmhost -VMMServer $VMMServer).Name
$InstallPath = "\\" + "$VMMServer" + "\c$"
$FQDN = "$env:USERDNSDOMAIN"
$Cred = Get-Credential -Message "Type your Admin credentials used to connecting to other servers" 


#Set Config for client (where you execute the script) 
Disable-WSManCredSSP -Role Client
Enable-PSRemoting -Force
Enable-WSManCredSSP -Role Client -DelegateComputer ("*."+$FQDN) -Force
Get-WSManCredSSP

#Configure the Servers to accept CredSSP Credentials 
foreach ($Server in $Servers)
{
    Invoke-Command -ComputerName $Server -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
    Get-WSManCredSSP
    }
}

#Upgrade old version of agent. 
foreach ($Server in $Servers) {
    $ServerFQDN = $Server
    Invoke-Command -ComputerName $ServerFQDN -Authentication Credssp -EnableNetworkAccess -Credential $Cred -ArgumentList $Server,$InstallPath -ScriptBlock {
    Param ($Server,$InstallPath)
    $old = (Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})

    if (($old.Version).Count -eq 1) {

       # Verify that we can access C$ on SCVMM Server for installing the agent. 
       if(Test-Path -PathType Container $InstallPath -Verbose){ 
             Write-Output "$Server sucessfully connected to $InstallPath"
             $version = $old.version
             $name = $old.Name
             Write-Output "Found old version of $Name $version. Uninstalling it." 
             ((Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})).Uninstall() 
             Write-Output "Done Uninstalling"

             Write-Output "Installing newest version of $Name from SCVMM Server" 
             $setup = ($InstallPath +"\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\SwExtn\DHCPExtn.msi")
             Start-Process "$setup" /qn -Wait 
        } 
                
        else {
              Write-Output "Unable to connect to Installation Location at $InstallPath" 
              Write-Output "Found old version of $Name $version. But did not uninstall it."         
              }
    }
}
}

#Set default values

# Specify your VMM Server Name

$VMMServer = "VMMServerName"

$Servers = (get-scvmhost -VMMServer $VMMServer).Name

$InstallPath = "\\" + "$VMMServer" + "\c$"

$FQDN = "$env:USERDNSDOMAIN"

$Cred = Get-Credential -Message "Type your Admin credentials used to connecting to other servers"

#Set Config for client (where you execute the script)

Disable-WSManCredSSP -Role Client

Enable-PSRemoting -Force

Enable-WSManCredSSP -Role Client -DelegateComputer ("*."+$FQDN) -Force

Get-WSManCredSSP

#Configure the Servers to accept CredSSP Credentials

foreach ($Server in $Servers)

{

Invoke-Command -ComputerName $Server -ScriptBlock {

Enable-WSManCredSSP -Role Server -Force

Get-WSManCredSSP

}

#Upgrade old version of agent.

foreach ($Server in $Servers) {

$ServerFQDN = $Server

Invoke-Command -ComputerName $ServerFQDN -Authentication Credssp -EnableNetworkAccess -Credential $Cred -ArgumentList $Server,$InstallPath -ScriptBlock {

Param ($Server,$InstallPath)

$old = (Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})

if (($old.Version).Count -eq 1) {

# Verify that we can access C$ on SCVMM Server for installing the agent.

if(Test-Path -PathType Container $InstallPath -Verbose){

Write-Output "$Server sucessfully connected to $InstallPath"

$version = $old.version

$name = $old.Name

Write-Output "Found old version of $Name $version. Uninstalling it."

((Get-WmiObject -Class win32_product | where {$_.Name -like "Microsoft System Center Virtual Machine Manager DHCP Server*" -and $_.Version -lt "3.2.7672.0"})).Uninstall()

Write-Output "Done Uninstalling"

Write-Output "Installing newest version of $Name from SCVMM Server"

$setup = ($InstallPath +"\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\SwExtn\DHCPExtn.msi")

Start-Process "$setup" /qn -Wait

}

else {

Write-Output "Unable to connect to Installation Location at $InstallPath"

Write-Output "Found old version of $Name $version. But did not uninstall it."

}

Word of warning, the above script should be considered a “proof of concept” or give you a rough idea of how to do it. I’ve run it once, and it did break anything in that environment, so it might work for you too.

Basically, the script will enable CredSSP on the computer you run it on, and allow the credentials to be used on all remote servers that’s part of your domain. It will then connect to all Hyper-V hosts known by SCVMM and enable those as Credential Receivers.
Following that part, it will once again connect to those servers and check if the SCVMM DHCP Agent is outdated and if it’s able to connect to the install location (SCVMM Servers C$ Share).
I made sure it verifies that it can connect to the install location before uninstalling the Agent. Because in case it can’t connect to SCVMM Server, I would rather have an old DHCP Agent, than no agent at all.
And finally, it’s uninstalling the old agent and installing the new one.
Done!

It’s also possible to use SCVMM’s Job function to schedule a job to be executed on all Hosts. But I’ll cover that in some future post.

Azure Pack: Add a new user to a plan automatically

Update: It looks like SMA is not executing the script when a new Tenant is created, but rather when a subscription is added to the user.
Trying to get it confirmed from Microsoft if that is a bug that’s been introduced in one of the latest updates. See comments for more details.

Problem: When a new employee for TrueSec (our company) is logging into Azure Pack he has to be added to the “Tenants – TrueSec Employees” plan manually.

Solution: One way is to add a “signup code” to the plan and tell new employees to manually join the plan with that specific code. It could work, but does not feel like the most optimal solution.

The desired way would be if all new employees could be added to that plan automatically. Is that possible?
– Of course it is, with the help of SMA! Let me show one way to do this.

Pre-Requisits: Connection Asset, SMA Runbook, Link Runbook to a task.

In my case, I’m using the MgmtSvcAdmin asset which looks like this. But you can also create other types of Connections with working credentials. Just notice that you have to enter the name of the Admin Site server in the Asset, as the script will use that info. And the useraccount specified obviously need access to use the Admin site (to modify the subscriptions).

Add a new Runbook with the script below. In my case, I’m using ADFS to connect to the Admin site, so the script has to generate a ADFS token first.
if you are not using ADFS, you will have to modify the script to use a normal Windows authentication. It’s the most common way to authenticate, so there shouldn’t be any problems finding example code for.

Though, please note that the script is currently matching the new users e-mail address to (in our case) @truesec.com or @truesec.se. If you don’t use ADFS, it’s possible for a user to type any name they want during registration and then possibly get added to a plan they should not have access too.

And finally, add a new Automation Task, you do that under Clouds -> Automation.
Object: SPF Tenant
Action: Create
Runbook: New-Tenant

The script:

workflow New-Tenant {

param([object]$resourceObject) 
# write-output ($resourceObject.Name -split "_" | select -first 1)

# Get Connection Credentials. Change Name to your own Asset. 
$con = Get-AutomationConnection -Name 'CLAZAS01_RU_SMA'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force
$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on AzurePack Admin site. Connect with Asset Credentials 
InlineScript {
    $con=$USING:Con
    $ruSMAcreds=$USING:ruSMAcreds
    $resourceObject=$USING:resourceObject
    
Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($resourceObject.Name -split "_" | select -first 1),$con -ScriptBlock {

param(
    $NewUserEmail,
    $con
    )


# We use ADFS for our Azure Pack site, so have to generate a ADFS Token first. 
function Get-AdfsToken([string]$adfsAddress, [PSCredential]$credential)
{
    $clientRealm = 'http://azureservices/AdminSite'
    $allowSelfSignCertificates = $true

    Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

    $identityProviderEndpoint = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ($adfsAddress + '/adfs/services/trust/13/usernamemixed')
    $identityProviderBinding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode]::TransportWithMessageCredential)
    $identityProviderBinding.Security.Message.EstablishSecurityContext = $false
    $identityProviderBinding.Security.Message.ClientCredentialType = 'UserName'
    $identityProviderBinding.Security.Transport.ClientCredentialType = 'None'

    $trustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $identityProviderBinding, $identityProviderEndpoint
    $trustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrust13

    if ($allowSelfSignCertificates)
    {
        $certificateAuthentication = New-Object -TypeName System.ServiceModel.Security.X509ServiceCertificateAuthentication
        $certificateAuthentication.CertificateValidationMode = 'None'
        $trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = $certificateAuthentication
    }

    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.Password)
    $password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)

    $trustChannelFactory.Credentials.SupportInteractive = $false
    $trustChannelFactory.Credentials.UserName.UserName = $credential.UserName
    $trustChannelFactory.Credentials.UserName.Password = $password #$credential.Password

    $rst = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -ArgumentList ([System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue)
    $rst.AppliesTo = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.EndpointReference -ArgumentList $clientRealm
    $rst.TokenType = 'urn:ietf:params:oauth:token-type:jwt'
    $rst.KeyType = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer

    $rstr = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

    $channel = $trustChannelFactory.CreateChannel()
    $token = $channel.Issue($rst, [ref] $rstr)

    $tokenString = ([System.IdentityModel.Tokens.GenericXmlSecurityToken]$token).TokenXml.InnerText;
    $result = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenString))
    return $result
}

# Fill in values for your environment. 
# ADFS Server address 
$adfsAddress = 'https://adfs.labcenteronline.com'

$credentials=$ruSMAcred
# Name and port for the Admin Site. 
$adminUri = 'https://adminsite.labcenteronline.com:30004'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force
$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

$token = Get-AdfsToken -adfsAddress https://adfs.labcenteronline.com -credential $ruSMAcreds 


$newuser = Get-MgmtSvcUser -Token $token -AdminUri $adminUri -DisableCertificateValidation -Name $NewUserEmail
$uname=$newuser.name

# Change the e-mail suffix to match your environment. 
    if (($uname -like "*@truesec.com") -or ($uname -like "*@truesec.se")) {
    #TrueSec Employees

# Replace DisplayName to match your Plan. 
        $plan = Get-MgmtSvcPlan -Token $token -AdminUri $adminUri -DisableCertificateValidation -DisplayName "*Tenan*Truesec*" | where State -notlike "Decommissioned" | select -first 1
        $planname=$plan.DisplayName

        # Get Current Subscriptions for user that matches the Plan to get added to.  
        $currentsubs = Get-MgmtSvcSubscription -Token $token -AdminUri $adminUri -DisableCertificateValidation | where AccountAdminLiveEmailId -like "$uname" | where OfferFriendlyName -like "$planname"

        if ($currentsubs.count -lt $plan.MaxSubscriptionsPerAccount){
            $newsubscription = Add-MgmtSvcSubscription -Token $token -AdminUri $adminUri -DisableCertificateValidation -AccountAdminLiveEmailId $uname -AccountAdminLivePuid $uname -PlanId $plan.id -FriendlyName $plan.DisplayName
            write-output "$uname has been added to $planname with subscriptionid $newsubscription"
        }
        else {
            Write-Output "User already has a subscriptions for $planname"
        }
    }
else {
    write-output "Not a Truesec Employee, did not add user to any plan."  
    }
  }
 }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

workflow New-Tenant {

param([object]$resourceObject)

# write-output ($resourceObject.Name -split "_" | select -first 1)

# Get Connection Credentials. Change Name to your own Asset.

$con = Get-AutomationConnection -Name 'CLAZAS01_RU_SMA'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force

$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on AzurePack Admin site. Connect with Asset Credentials

InlineScript {

$con=$USING:Con

$ruSMAcreds=$USING:ruSMAcreds

$resourceObject=$USING:resourceObject

Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($resourceObject.Name -split "_" | select -first 1),$con -ScriptBlock {

param(

$NewUserEmail,

$con

)

# We use ADFS for our Azure Pack site, so have to generate a ADFS Token first.

function Get-AdfsToken([string]$adfsAddress, [PSCredential]$credential)

{

$clientRealm = 'http://azureservices/AdminSite'

$allowSelfSignCertificates = $true

Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

$identityProviderEndpoint = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ($adfsAddress + '/adfs/services/trust/13/usernamemixed')

$identityProviderBinding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode]::TransportWithMessageCredential)

$identityProviderBinding.Security.Message.EstablishSecurityContext = $false

$identityProviderBinding.Security.Message.ClientCredentialType = 'UserName'

$identityProviderBinding.Security.Transport.ClientCredentialType = 'None'

$trustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $identityProviderBinding, $identityProviderEndpoint

$trustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrust13

if ($allowSelfSignCertificates)

{

$certificateAuthentication = New-Object -TypeName System.ServiceModel.Security.X509ServiceCertificateAuthentication

$certificateAuthentication.CertificateValidationMode = 'None'

$trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = $certificateAuthentication

}

$ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.Password)

$password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)

[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)

$trustChannelFactory.Credentials.SupportInteractive = $false

$trustChannelFactory.Credentials.UserName.UserName = $credential.UserName

$trustChannelFactory.Credentials.UserName.Password = $password #$credential.Password

$rst = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -ArgumentList ([System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue)

$rst.AppliesTo = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.EndpointReference -ArgumentList $clientRealm

$rst.TokenType = 'urn:ietf:params:oauth:token-type:jwt'

$rst.KeyType = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer

$rstr = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

$channel = $trustChannelFactory.CreateChannel()

$token = $channel.Issue($rst, [ref] $rstr)

$tokenString = ([System.IdentityModel.Tokens.GenericXmlSecurityToken]$token).TokenXml.InnerText;

$result = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenString))

return $result

}

# Fill in values for your environment.

# ADFS Server address

$adfsAddress = 'https://adfs.labcenteronline.com'

$credentials=$ruSMAcred

# Name and port for the Admin Site.

$adminUri = 'https://adminsite.labcenteronline.com:30004'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force

$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

$token = Get-AdfsToken -adfsAddress https://adfs.labcenteronline.com -credential $ruSMAcreds

$newuser = Get-MgmtSvcUser -Token $token -AdminUri $adminUri -DisableCertificateValidation -Name $NewUserEmail

$uname=$newuser.name

# Change the e-mail suffix to match your environment.

if (($uname -like "*@truesec.com") -or ($uname -like "*@truesec.se")) {

#TrueSec Employees

# Replace DisplayName to match your Plan.

$plan = Get-MgmtSvcPlan -Token $token -AdminUri $adminUri -DisableCertificateValidation -DisplayName "*Tenan*Truesec*" | where State -notlike "Decommissioned" | select -first 1

$planname=$plan.DisplayName

# Get Current Subscriptions for user that matches the Plan to get added to.

$currentsubs = Get-MgmtSvcSubscription -Token $token -AdminUri $adminUri -DisableCertificateValidation | where AccountAdminLiveEmailId -like "$uname" | where OfferFriendlyName -like "$planname"

if ($currentsubs.count -lt $plan.MaxSubscriptionsPerAccount){

$newsubscription = Add-MgmtSvcSubscription -Token $token -AdminUri $adminUri -DisableCertificateValidation -AccountAdminLiveEmailId $uname -AccountAdminLivePuid $uname -PlanId $plan.id -FriendlyName $plan.DisplayName

write-output "$uname has been added to $planname with subscriptionid $newsubscription"

}

else {

Write-Output "User already has a subscriptions for $planname"

}

else {

write-output "Not a Truesec Employee, did not add user to any plan."

}

I hope this helps you automating things in your environment. If you can think of any other great usages for SMA or have need for automating something. Please make a comment, maybe I’ll be able to assist.

Azure Pack: SMA Script to set a Static MAC Address for New Virtual NICs

When a user is using AzurePack to add additional Virtual Network Adapters to a Virtual Machine, they end up with a Dynamic MAC Address. This is regardless of what the settings are in the VM Template that were used to create the VM. The NIC(s) created at deployment of the VM, will honor the setting in the Template. It’s just when additional NICs are added this happens.

We have had some issues with VM’s using Dynamic MAC Addresses, where they got a new MAC Address after migrating to another host, resulting in Linux machines being unhappy and som other servers getting new DHCP Addresses.

I figured that this could be an excellent task to get more familiar with SMA and use that cool feature of Azure Pack. So I made a script which will execute when a new Network Adapter is added to a VM through AzurePack, and will set the MAC Address to a Static entry and let SCVMM pick one from the pool.

# SMA Runbook script to change VM NIC to Static MAC Address. 

workflow New-NetworkAdapter
{

# Import information in Parameters passed to script.  
param([object]$params) 


# Connection Credentials. Need to exist in SMA Assets as VMMConnection. 
$con = Get-AutomationConnection -Name 'VmmConnection'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force
$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on SCVMM Server. Connect with VMMConnection Credentials 
InlineScript {

    $con=$USING:Con
    $ruSMAcreds=$USING:ruSMAcreds
    $params=$USING:params
    
Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($params.VMId),$con -ScriptBlock {

 param(
    $VMID,
    $con
    )

# Check if VM is already running, then first try a Shutdown, and else do a power off. 
# The user could have been quick and started the VM before the SMA Job starts. 
$restart = $false
if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {
    $restart = $true
    Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -Shutdown 
    }
if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {
    $restart = $true
    Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -force
    }

# Change to a Static MAC Address for all NICs on that VM. 
Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Get-SCVirtualNetworkAdapter | where {$_.MACAddressType -EQ "Dynamic"} | Set-SCVirtualNetworkAdapter -MACAddressType "Static" 

# Start VM if it was previously running. 
if ($restart -eq "$true") {Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Start-SCVirtualMachine } 

  }
 }
}

# SMA Runbook script to change VM NIC to Static MAC Address.

workflow New-NetworkAdapter

{

# Import information in Parameters passed to script.

param([object]$params)

# Connection Credentials. Need to exist in SMA Assets as VMMConnection.

$con = Get-AutomationConnection -Name 'VmmConnection'

$secpasswd = ConvertTo-SecureString $con.Password -AsPlainText -Force

$ruSMAcreds = New-Object System.Management.Automation.PSCredential ($con.username, $secpasswd)

# Execute commands on SCVMM Server. Connect with VMMConnection Credentials

InlineScript {

$con=$USING:Con

$ruSMAcreds=$USING:ruSMAcreds

$params=$USING:params

Invoke-Command -ComputerName $con.computername -Credential $ruSMAcreds -ArgumentList ($params.VMId),$con -ScriptBlock {

param(

$VMID,

$con

)

# Check if VM is already running, then first try a Shutdown, and else do a power off.

# The user could have been quick and started the VM before the SMA Job starts.

$restart = $false

if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {

$restart = $true

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -Shutdown

}

if ((Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID).VirtualMachineState -ne "PowerOff") {

$restart = $true

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Stop-SCVirtualMachine -force

}

# Change to a Static MAC Address for all NICs on that VM.

Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Get-SCVirtualNetworkAdapter | where {$_.MACAddressType -EQ "Dynamic"} | Set-SCVirtualNetworkAdapter -MACAddressType "Static"

# Start VM if it was previously running.

if ($restart -eq "$true") {Get-SCVirtualMachine -VMMServer $con.computername -ID $VMID | Start-SCVirtualMachine }

}

You will need to create a new Runbook called New-NetworkAdapter with tag SPF, and paste the above code into that runbook.

And also add a SMA Connection Asset, with credentials for connecting to SCVMM.
Name the connection VmmConnection. The script will look for a connection object called VmmConnection, use that Username + Password to connect to the SCVMM Server specified in the same connection object.

And finally, create an Automated Task of this information.

Please let me know if you find this useful, if you have any issues or suggestions on how to improve my script.