Remote Symbolic Links – Redirecting fileserver data

So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.

So alternatives, I started to think – hey, let's create an “ISCSI drive” on a remote datacenter server, mount the ISCSI drive into the directory structure as a mountpoint named “Archive” or something.  Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀  A few issues crept up however, when creating an ISCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iscsi target.

My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for it.  But it turns out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.

So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but that's all) however it’s not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).

So the command to use is;

MKLINK /D <NAME> \\<SERVERNAME>\Sharename


eg,  MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus

HyperVisor5 is the name the directory will get locally, the /D indicates it is a directory junction, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER).


Ohh that was easy you say, yeah – well – it did not work 🙁

[Screenshot: error message]

When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the above error.

A bit of googling led to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

And the solution was simple enough, you need to execute this command on the workstation that has the problem;

[Screenshot: the commands]

(the command above the yellow one shows the state of your computer)

And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.
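The command is only visible in the screenshot, so the following is an added example and not the author's own command: `fsutil behavior query|set SymlinkEvaluation` is the Windows tool for inspecting and changing which symlink classes a client will follow. The script assumes English `fsutil` output and the O:\Archive layout described above, and it enables only the remote-to-remote class that this layout needs.

```powershell
# Added example: audit and adjust symlink evaluation on a workstation (run elevated).
# The four classes are L2L, L2R, R2L and R2R; Windows ships with R2L and R2R disabled.

function Get-SymlinkEvaluation {
    # Assumption: English fsutil output, e.g. "Remote to remote symbolic links are disabled."
    $state = [ordered]@{}
    foreach ($line in (fsutil behavior query SymlinkEvaluation)) {
        if ($line -match '^(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $class = '{0}2{1}' -f $Matches[1].Substring(0, 1).ToUpper(),
                                  $Matches[2].Substring(0, 1).ToUpper()
            $state[$class] = ($Matches[3] -eq 'enabled')
        }
    }
    $state
}

$before = Get-SymlinkEvaluation
if ($before.Count -ne 4) {
    throw 'Could not parse fsutil output.'
}

# O:\Archive lives on a mapped (remote) drive and points at another UNC share,
# so the client only needs the remote-to-remote class. R2L stays untouched.
if (-not $before['R2R']) {
    fsutil behavior set SymlinkEvaluation R2R:1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'fsutil set failed; run from an elevated prompt.' }
}

# Report the resulting state, one class per line.
$after = Get-SymlinkEvaluation
$after.GetEnumerator() | ForEach-Object {
    '{0}: {1}' -f $_.Key, $(if ($_.Value) { 'enabled' } else { 'disabled' })
}

# R2L lets a link stored on a remote share resolve to a path on the local machine;
# flag it so it is only left on when that is intended.
if ($after['R2L']) {
    Write-Warning 'R2L is enabled: links on remote shares may resolve to local paths on this machine.'
}
```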

This should also be controllable via Group Policy, however I have not had the chance to test it yet;

https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.

 

 

Wipe free space


Let’s imagine you need to turn over your old computer to friends or family, you for some reason do not wish to re-install Windows all over – well there is a middle ground that I imagine could be used in case it’s close friends or relatives.  Remove all your personal stuff, documents, mails etc. from the computer, remember to empty the recycle bin, clear all browser caches and clear restore points – if possible create a new user and from this delete your old user profile.  Final step is to run the command below, this will wipe all free space on the disk – the command is a built-in Windows command that was introduced back in WinXP, so no need for additional software etc.  Is it safe enough?  Well as I say, if it is close relatives or friends it may be ok as long as you are sure that all sensitive data is removed, but I would likely not advise this for a computer you sell etc.  Again, it all depends.

Command to issue;

Cipher /w:c:

(for the C: drive, replace C: with other drive letters as you need).

MS – Direct Access Debugging

Debugging Microsoft Direct Access can be a pain, Microsoft however did release a utility to make this a little easier.

Microsoft Windows DirectAccess Client Troubleshooting Tool
http://www.microsoft.com/en-us/download/details.aspx?id=41938

Be sure to click the “enable debug mode” before scanning to get all the juicy details.


USB Tree View

If you ever need to debug some USB driver or device, then this utility seems like a nice utility to have in your backpack.

It is not so much better than the Device Manager but still it seems a bit more accessible.

Download it here;

http://www.uwe-sieber.de/usbtreeview_e.html

Direct link;
http://www.uwe-sieber.de/files/UsbTreeView.zip

Stop Being Admin – the easy way :-D

Just a quick heads up on a cool new utility (free even) …

Working as an IT specialist within a large international corporate entity, we had the challenge regarding “Administrative/Non administrative” user rights on our corporate Windows machines.  We likely have all faced this question/challenge, we WANT to tighten the machines down to gain the added security and subsequently lower the support need, however the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if you like us have many people in the field.

See if we removed all administrative rights from users, then they would have to call the ServiceDesk whenever they needed administrative rights – this could be to install a printer, software, drivers etc. Now for some very “static” machines this would not be a real big problem, but for a large segment of our users, this would be very annoying and troublesome – especially for users in the field where the ServiceDesk may have problems connecting.

On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits, according to a podcast “Security Now” on the twit network you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.

Then again, perhaps not anymore – there now seems to be a way to both “have your cake and eat it” at the same time.

One of the very talented external consultants we use on a regular basis “Thomas Marcussen”, recently told me about a FREE cool utility they developed called “Access director for Windows”.  What this “Access Director” does is actually simple yet still quite clever, after you install the utility users will have the opportunity to grant themselves temporary administrative rights whenever needed. Therefore, the user account will normally have no administrative rights, however by right clicking the utility icon in your status bar, users can grant themselves a limited period (eg. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period then the local admin rights are automatically revoked and the machine is again secured against malware and exploits.

The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (eg. traveling sales persons, management etc.) where this utility is installed, on these machines users can elevate themselves as needed. Then have another base of “regular” machines (eg. production/office pc’s) where the administrative rights are removed, and the users will still need to contact the ServiceDesk in case administrative rights are required.

Oh yeah, did I remember to mention it is a free utility 😀

 

I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way like; Ability to customize settings via registry settings, Ability to control who can elevate (via groups) plus a manual.  He said that the reason for the lacking documentation was that the release was slightly rushed due to TechEd.  There is a little info on some registry settings here; http://sl.klogmand.dk/RZdo7J

Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂

Download site is (look for “Download Access Director”);
http://sl.klogmand.dk/1oj6KVi

YouTube Video here;
http://sl.klogmand.dk/1qXwECv

Thanks to Thomas Marcussen for this nice utility.

Get serial number for PC/Server

If you need to get the serial number of a workstation or a server, then this command may be of use to you (note: this will likely not work on home-built systems, but systems like Dell, HP, Lenovo, Acer etc. should work fine);

wmic bios get serialnumber

Type it in a command window like this;


WMIC csproduct get name

will get you the product name/model number of the pc (very useful when applying Driver Packs via SCCM with a WMI scope on it, this is the exact model number SCCM-WMI will also get).

Windows 8 – everything is different

So it looks like bad news for those of us still struggling with coming to terms with the new UI in Windows 7 / 2008R2, basically I still think that the Windows 2000 interface was among the better ones – all the new magic wizard and color stuff really does not impress me that much. But nevertheless it looks like Windows 8 might evolve into an oversized mobile OS 🙁 Although this may be fine for some home users I don’t see the practicality for the business side, and furthermore Windows 7 and Server 2008R2 are the same – aaaaaaaaargh imagine a server with a Windows 8 interface 😀

Anyway, have a look at this preview of Windows 8.

SCCM – PXE-E55 ProxyDHCP problem

A very strange problem with a very strange resolution.

So we are deploying a bunch of virtual servers and yesterday I found myself in a heap of trouble, I had a server that I needed to be ready but it kept failing the PXE boot.  Normally you would just delete the virtual server and create a new and the problem would likely be solved, however these servers are created by a script which creates a bunch of servers and a bunch of MDT settings and thus re-starting the process would require re-creating a bunch of servers.

The error I got was; PXE-E55: ProxyDHCP service did not reply to request on port 4011.

When I looked in the PXE log on the PXE server however I found;

MAC=02:00:AA:55:1E:02 SMBIOS GUID=4BDBDC9E-FD92-4BBB-BCA3-2D3A0752C049 > Device found in the database. MacCount=1 GuidCount=0 smspxe 01-06-2011 10:21:21 2364 (0x093C)

This appeared like everything was ok, so I tried logging on to the SCCM server and “Cleared last PXE advertisement” but still no luck, and following this I was unable to do so again as from now on SCCM stated that there was no PXE advertisement to clear (even though I tried PXE booting and got the “Device found in the database” in the pxe log).

Anyhow, I moved on to deleting the computer object on the SCCM server and then re-importing it manually (note; we use static ip on our virtual servers, these are created via the create script to avoid MAC conflicts) with the same MAC.  This made no difference, still the PXE log stated the same, Device found in database, but DHCP kept hanging.  I restarted both the SCCM, DHCP and PXE servers but no luck.

So after a bit of googling which did not really turn up anything I out of frustration tried to set the MAC address to dynamic and booted the server again, this time everything worked fine as an unknown system – thus the connectivity was obviously fine – I even noticed that the GUID stayed the same.  Anyhow more puzzled I set the MAC address back to the static address from before and voilà the PXE boot started and worked like a charm.

I have no idea why, my guess would be that the GUID somehow was cached in some stalled state and the change of MAC somehow jolted that state.

Anyway, changing the MAC address may be worth a try if you find yourself in a similar situation.

Advanced partition recovery

Just stumbled across a free util for advanced NTFS partition repair that I wanted to share, it may just come in handy someday 🙂

http://www.dtidata.com/resourcecenter/2008/01/25/free-ntfs-partition-repair-data-recovery-software/

Windows 2003 server – gone black

I have twice seen this issue, you try to log on to a Windows 2003 server remotely via RDP and get a black screen with black text – now you can still log on but you can’t read what you write on the logon screen.

The issue appears to be rather trivial to resolve, yet I am still puzzled as to what causes the issue in the first place.  A colleague of mine Anuphol Urailat actually found a MS article on this http://support.microsoft.com/kb/906510/en

The problem is that the “Color” section under “Control Panel” in “.Default user” in the registry is set to “0 0 0” (Black) for everything, you simply export a clean “Color” section from another Windows 2003 box and voilà everything is back to working condition.  You can even do the import via Remote Registry edit, so it is rather trivial to resolve.
