Updating SCVMM DHCP Server Agent for Update Rollup 3 with Powershell

I’ve been to a couple of customers in the past month who has applied Update Rollup 3 for System Center 2012 R2 Virtual Machine Manager, through WSUS, but didn’t read the fine print.

ur3

So I wrote a quick script to locate all Hyper-V Hosts with the old/incorrect version.

And the next step was obviously, how to update the agent on all the Hyper-V hosts remotely and automatically!
There are a couple of different ways to do this, let me go through a couple of them.

One of the easiest ways is to use Sysinternals PSExec, just run psexec against those servers and execute uninstall of the old and installation of the new agent. In my humble opinion, it’s too much manual work to do it this way with a lot of hosts. So I rather use Powershell.

Looking at the above Powershell example, you almost have a full script for doing the rest.
Have a look at this;

Word of warning, the above script should be considered a “proof of concept” or give you a rough idea of how to do it. I’ve run it once, and it did work so it will hopefully work for you too.

There is a minor problem with the above solution. That script will do something called a “double hop”. It’s when you run something on Computer A, which gets executed on Computer B which in turn tries to connect to Computer C and use the credentials provided in A. Two hops, aka double hop.
In the above script, it’s when it’s accessing the install files from a remote share.
And to solve that problem you have to enable something you might have heard about, called Kerberos Constraint Delegation on all Hyper-V hosts (or other servers you want to double hop via).
In most environments KCD is not enabled, so the above script would not work to 100%. In fact, the uninstall would work, but not the installation so would will end up with a server that’s missing the DHCP Agent.
In case you ran the script without reading this part or before adding KCD, I added a small safeguard against that by doing a Test-Path before uninstalling the agent which probably told you it failed.

My good friend and college Mikael Nyström wrote a great blog post here recently on how to rather utilize CredSSP instead of using KCD for tasks like this.

And here is a slightly modified script using CredSSP instead of KCD.

Word of warning, the above script should be considered a “proof of concept” or give you a rough idea of how to do it. I’ve run it once, and it did break anything in that environment, so it might work for you too.

Basically, the script will enable CredSSP on the computer you run it on, and allow the credentials to be used on all remote servers that’s part of your domain. It will then connect to all Hyper-V hosts known by SCVMM and enable those as Credential Receivers.
Following that part, it will once again connect to those servers and check if the SCVMM DHCP Agent is outdated and if it’s able to connect to the install location (SCVMM Servers C$ Share).
I made sure it verifies that it can connect to the install location before uninstalling the Agent. Because in case it can’t connect to SCVMM Server, I would rather have an old DHCP Agent, than no agent at all.
And finally, it’s uninstalling the old agent and installing the new one.
Done!

It’s also possible to use SCVMM’s Job function to schedule a job to be executed on all Hosts. But I’ll cover that in some future post.

Azure Pack: SMA Script to set a Static MAC Address for New Virtual NICs

When a user is using AzurePack to add additional Virtual Network Adapters to a Virtual Machine, they end up with a Dynamic MAC Address. This is regardless of what the settings are in the VM Template that were used to create the VM. The NIC(s) created at deployment of the VM, will honor the setting in the Template. It’s just when additional NICs are added this happens.

vmnic1

We have had some issues with VM’s using Dynamic MAC Addresses, where they got a new MAC Address after migrating to another host, resulting in Linux machines being unhappy and som other servers getting new DHCP Addresses.

I figured that this could be an excellent task to get more familiar with SMA and use that cool feature of Azure Pack. So I made a script which will execute when a new Network Adapter is added to a VM through AzurePack, and will set the MAC Address to a Static entry and let SCVMM pick one from the pool.

You will need to create a new Runbook called New-NetworkAdapter with tag SPF, and paste the above code into that runbook.

sma1And also add a SMA Connection Asset, with credentials for connecting to SCVMM.
Name the connection VmmConnection. The script will look for a connection object called VmmConnection, use that Username + Password to connect to the SCVMM Server specified in the same connection object.
vmm1

And finally, create an Automated Task of this information. sma2

Please let me know if you find this useful, if you have any issues or suggestions on how to improve my script.

List all VM’s with a Dynamic MAC Address

Short, simple script to list all VM’s which has NIC’s with a Dynamic MAC Address set.

It will give a list of all VM’s and the number of VM’s in that list.
Small, simple and efficient.

List and Remove Corrupted files reported by Data Deduplication with Powershell

I’ve been copying 7TB of data in about 100.000 files from an old fileserver to the new one, but I just noticed that some of the files are corrupted! Gahhh…

Chkdsk found some issues, but didn’t solve the problem. As this server is running Windows Server 2012 R2 with Data Deduplication I decided to have a look at that. Data Deduplication Errors

Yeah, unfortunately a lot of corrupted files with EventID 12800

So Data Deduplication is reporting a lot of corrupted files, and this error message didn’t really make me any happier.

Hopefully this quick and dirty powershell script that I just wrote can help you too.
As I still had the working fileserver with working files available, I decided to just delete all corrupted files with this script.

And then ran a robocopy script to recopy everything (it will skip any files that already exists making it a quite fast process).
robocopy /mir /copyall /r:1 /w:1 \\source\path \\destination\path

Updated 2014-05-22 16:22:  Added a full delete and copy script, which is a bit better written;

 

 

Azure Pack: Failed to load virtual machine templates for subscription …

Problem: When a user login to Azure Pack, they sometimes get the error message: “Failed to load virtual machine templates for subscription <subscription ID>”.
And if the user tries to deploy a a Virtual Machine, there is no templates to choose from.

Cause: I’m not sure what the real cause is, but it seems to be a bug where Azure Pack forgets that information. The template information is there, it’s just Azure Pack that does not read it.

Workaround: Until this is solved by Microsoft in a hotfix or next updated you will have to handle this by yourself.
You can as an Administrator touch the Plans so they are re-synced and it will immediately start working again. Or you can schedule a powershell script to run regularly, touching the plans.

Here is the powershell command I’ve setup for our environment.

First of all, notice that it’s using a file for the password, to make this automatic.
Use this command once to creat the password.txt file

And it’s using the Get-AdfsToken function to get the a ADFS Token from our ADFS Server (more info: Get-AdfsToken Function), but you can modify the above script to use a normal Windows Token too if you rather want to use the Windows Authentication site than ADFS. Then use this command (replace line 17 in the script above with this line):

 

SCVMM : Automatic Baseline update script

SCVMM (System Center: Virtual Machine Manager) 2012 and 2012R2 can manage the patch compliance on your servers. That’s a great feature but normally involves some manual work as you have to add each update to the Baselines manually.

My colleague Mikael Nyström (MVP)  made a script to handle this automatically, which I’ve developed a bit further.

The script has a few Pre-Requisites;

  • A WSUS Server defined in SCVMM
  • Approved patches for “Windows Server 2012” and “Windows Server 2012 R2” in WSUS
  • Pre-Defined Baselines (you can use Add-Baseline to create them) with these names;
    • Security Updates
    • Critical Updates
    • Updates
    • Update Rollups

That’s it! You can now run the script and automatically import all matching updates.

The following actions will be performed;

  • Synchronize updates with WSUS
  • Check if there are any updates in the Baseline already
    • If the baseline is empty, import ALL matching updates
    • If the baseline is NOT empty, check the Newest 500 updates and import all matching updates
  • Remove inactive updates
  • Repeat for all Baselines
  • Start a compliance scan

The script will not initiate any remediation. And as the script normally only checks the newest 500 updates, it has to be run fairly regular. In my environment, 500 updates is about 1 month of updates. Though to be safe, run it once a week.

Azure Pack : Tenant Site automatic installation

If you want to install Azure Pack : Tenant Site in a distributed installation meaning not an Express installation on just one server. It’s possible to do it manually, OR … of course in a scripted way, so it’s automatic, scripted and unattended. Same result each time and smallest amount of time wasted on installations.  Here is a small powershell script that will take care of all the dependencies and install all the packages for the Public Tenant Site.

 

List computer certificates that will expire with Powershell

Just a small simple script that will list all Computer Cerificates that will expire in 90 days, to give you a heads up and time to renew them.

To list computer certificates that will expire in 90 days:

Just change “-lt 90” to some other value to adjust the expiry period.

List all Unsigned Drivers with Powershell

I had a need for getting all Unsigned drivers in a Windows 8 system to help out with some debugging.

 

As I’m still learning Powershell there might be better and faster ways of solving this problem, but this seems to work good enough for me, and hopefully for you too.

It’s a quite straight forward and easy script to use and change if there is a need, such as instead of showing Unsigned drivers, list all Signed Drivers by using IsSigned -EQ “TRUE”.
Use driverquery.exe to list all Unsigned Drivers to CSV, then import that CSV into Powershell and display all Drivers that’s unsigned (-EQUAL “False”). You will actually just get the .INF file at this point which kind of sucks, not the driverfile which we need in this case.
So for each returned .INF file, we are then opening those files in c:\windows\INF (that’s where Windows stores all installed INF/diver files) and find all .SYS files (drivers) referenced in the INF files. And after some more filtering, it then outputs a list of the unsigned drivers ($UnSigned), like this.

PS C:> $UnSigned VClone.sys nvhda32.sys nvhda64.sys nvhda32v.sys nvhda64v.sys PS C:>
PS C:> $UnSigned
VClone.sys
nvhda32.sys
nvhda64.sys
nvhda32v.sys
nvhda64v.sys
PS C:>

I’ll then use that list and pass the unsigned drivers list to “Verifier.exe /standard /driver $UnSigned” to enable some Special driver Verification for finding the cause of some blue-screens.
I guess this script should work quite well also on Windows 7, but I’ve not tried it.