Configure iSCSI Initiator on Windows Server Core

To configure the iSCSI Initiator to connect to an iSCSI drive on a Windows Server Core system, perform the below steps:

  1. Configure the Microsoft iSCSI Initiator service to start automatically and then start it. You can use the sc (service control) command line tool to set the service for automatic startup:
    sc \\<server_name> config msiSCSI start= auto
    Next, run net start msiSCSI to start the service.
  2. Set the advanced features of  the Windows firewall to allow for the iSCSI Initiator service. You can use the netsh command line tool or the Windows Firewall snap-in on a remote Windows Server 2008 system.
  3. Once the iSCSI service has started, you will need to add a target portal so that the server can be registered with the target server and LUNs assigned to it for storage. The below command will perform this:
    iSCSIcli QAddTargetPortal <Portal IP Address>
    Next, configure the LUN information on the target. When the command has completed, run the iSCSIcli ListTargets command to verify the target name. When the target has been identified, log in to the target using the below command:
    iSCSIcli QloginTarget <Targetname>
    To ensure the target persists after reboots, execute the below command:
    iSCSIcli PersistentLoginTarget <target_iqn> T * * * * * * * * * * * * * * * 0
  4. Verify that the target has been persisted and list the mappings on the target; the command for this is iSCSIcli ListPersistentTargets.
  5. Confirm connectivity to the storage and then prepare the storage by using diskpart.
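The five steps above, carried through as one script with a check after each step, as an added example that is not part of the original article. It assumes a Server Core 2008 R2 system with PowerShell installed; the portal address, target IQN and firewall rule name are placeholders you would replace with your own, and the firewall rule is scoped to the portal's address and the default iSCSI port rather than allowing iSCSI traffic to any host.

```powershell
# Added example (not from the original article): automate the iSCSI initiator
# steps on Server Core 2008 R2 with PowerShell available. The portal address,
# target IQN and firewall rule name below are assumed values.
$PortalIp  = '10.0.0.50'                    # assumed address of the iSCSI target portal
$TargetIqn = 'iqn.2009-01.example:target1'  # assumed target IQN (take it from ListTargets)
$RuleName  = 'iSCSI-Initiator-Portal'       # assumed name for the outbound firewall rule

# 1. Service: automatic start, then start it and confirm it is running.
Set-Service -Name msiSCSI -StartupType Automatic
Start-Service -Name msiSCSI
$svc = Get-Service -Name msiSCSI
if ($svc.Status -ne 'Running') { throw "msiSCSI is $($svc.Status), expected Running" }

# 2. Firewall: allow the initiator to reach the portal only (TCP 3260 is the
#    default iSCSI port) instead of opening iSCSI traffic to any host.
netsh advfirewall firewall add rule name=$RuleName dir=out action=allow protocol=TCP remoteport=3260 remoteip=$PortalIp | Out-Null

# 3. Portal, target discovery and login.
iscsicli QAddTargetPortal $PortalIp | Out-Null
$targets = iscsicli ListTargets
if (-not ($targets -match [regex]::Escape($TargetIqn))) {
    throw "Target $TargetIqn was not reported by ListTargets; check the LUN mapping on the target"
}
iscsicli QLoginTarget $TargetIqn | Out-Null
# Persist the login across reboots. The asterisks accept the defaults for the
# optional login parameters (including the CHAP credentials, so none are used here).
iscsicli PersistentLoginTarget $TargetIqn T * * * * * * * * * * * * * * * 0 | Out-Null

# 4. Verify persistence before handing the disk to diskpart (step 5).
$persistent = iscsicli ListPersistentTargets
if ($persistent -match [regex]::Escape($TargetIqn)) {
    Write-Output "Persistent login for $TargetIqn is configured."
} else {
    throw "Persistent login for $TargetIqn was not recorded"
}
```

Each native command is followed by a check of its effect (service state, target listed, persistent login recorded) rather than of its exit status alone, because iscsicli reports many failures as text while still exiting successfully.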

For more information on iSCSI on Windows Server please see http://blogs.technet.com/daven/archive/2008/06/19/iscsi.aspx

Configure Local Security Policy on Windows Server Core

To set the account policy and local security settings on a Windows Server Core system, you must first create a security template on a full Windows Server installation and subsequently apply those settings to the Windows Server Core system:

On the reference server (i.e. a full Windows Server installation)

  1. From the Start menu, enter secpol.msc in the Start Search box and hit Enter to launch the Local Security Policy snap-in.
  2. Configure the security policies according to your needs, then right-click Security Settings and click Export policy to save them as a security template.

On the Server Core server

  1. Copy the newly created security template from the reference server to the Server Core system.
  2. Run the below command to apply the security policy to the Server Core system:
    secedit /configure /cfg <Policy File Name> /db secedit.sdb
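What such a template looks like, and how to confirm it was applied, as an added example that is not part of the original article. The template content is a minimal, hand-written .inf in the same format secpol.msc exports; the password, lockout and audit values are assumed for illustration, as are the file paths.

```powershell
# Added example (not from the original article): write a minimal security
# template, apply it with secedit and then verify the result. The settings
# and paths below are assumed values chosen for illustration.
$Template = 'C:\Templates\corepolicy.inf'   # assumed path for the template
$Content = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
MaximumPasswordAge = 60
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
'@
# On the reference server: write the template (secedit expects Unicode text).
New-Item -ItemType Directory -Path (Split-Path $Template) -Force | Out-Null
Set-Content -Path $Template -Value $Content -Encoding Unicode

# On the Server Core system, after copying the template across: apply only the
# security policy area, logging what was changed.
secedit /configure /db C:\Templates\secedit.sdb /cfg $Template /areas SECURITYPOLICY /log C:\Templates\configure.log

# Verify that the effective settings now match the template; any mismatch is
# written to the analysis log, which is the check worth keeping after a change.
secedit /analyze /db C:\Templates\secedit.sdb /cfg $Template /log C:\Templates\analyze.log
```

The value 3 for the audit entries means "success and failure"; the [System Access] keys are the same ones that appear in a template exported from the Local Security Policy snap-in, so a template exported as described in the steps above can be compared against this one line by line.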

Add a DEP Exception for a Program on Windows Server Core

Data Execution Prevention (DEP) is a set of hardware and software checks that help prevent malicious code from running on a system. However, you may wish to turn off DEP for some applications and programs on a Server Core system; to do this, perform the below three steps:

1. Check The Current DEP level

Run the below command:

wmic OS Get DataExecutionPrevention_SupportPolicy

This will return an integer which corresponds to a DEP Support Policy:

DEP Support Policy   Policy Level      Description
2                    OptIn (default)   Turn on DEP for essential Windows programs and services only
3                    OptOut            Turn on DEP for all programs and services except those selected; an administrator can create a DEP exception list
1                    AlwaysOn          Enable DEP for all processes
0                    AlwaysOff         Disable DEP for all processes

2. Alter the DEP Policy Level

To add a program to the DEP exception list, change the Policy Level to “OptOut” (please refer to the above table). The below command will perform this action:

bcdedit.exe /set {current} nx OptOut

Then restart the system.

3. Create An Exception List

Add the application to the DEP exception list by altering the registry as below:

For each application you wish to disable DEP for, create a String Value under the registry key below, with the name of the value being the full path to the executable (such as C:\Program Files\Windows Live\WindowsLiveWriter.exe) and the value data being “DisableNXShowUI”:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Note that using Registry Editor improperly may result in serious issues that could require a reinstall of Windows. The Registry Editor should be used sparingly and with caution. For more information on the registry see http://support.microsoft.com/?id=256986
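The three steps above as one script, with an audit of the resulting exception list, as an added example that is not part of the original article. Each DEP exception weakens a mitigation for that executable, so the audit function lists every entry under the Layers key that carries a DisableNX flag and whether the executable still exists; the example assumes PowerShell is available on the system and uses the WindowsLiveWriter.exe path from the text as its sample entry.

```powershell
# Added example (not from the original article): read the DEP policy, add an
# exception for one executable, and audit the exception list. The example
# executable path is the one used in the article; it is assumed to exist.
$LayersKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (default)'; 3 = 'OptOut' }

function Get-DepPolicy {
    # Same value that 'wmic OS Get DataExecutionPrevention_SupportPolicy' prints (step 1).
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $level = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{ Level = $level; Policy = $PolicyNames[$level] }
}

function Add-DepException([string]$ExePath) {
    # Exceptions only take effect in OptOut mode (step 2), so refuse to add one otherwise.
    if ((Get-DepPolicy).Level -ne 3) {
        throw 'DEP policy is not OptOut; run "bcdedit /set {current} nx OptOut" and reboot first'
    }
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Executable not found: $ExePath" }
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    # Step 3: value name is the full path, value data is the DisableNXShowUI flag.
    New-ItemProperty -Path $LayersKey -Name $ExePath -Value 'DisableNXShowUI' -PropertyType String -Force | Out-Null
}

function Get-DepExceptions {
    # Every value under Layers whose data contains DisableNX is a DEP exception;
    # an entry you did not create, or one for a binary that no longer exists,
    # is worth investigating or removing.
    if (-not (Test-Path $LayersKey)) { return @() }
    $key = Get-Item -Path $LayersKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'DisableNX') {
            New-Object PSObject -Property @{
                Executable = $name
                Flags      = $data
                Exists     = Test-Path -LiteralPath $name
            }
        }
    }
}

Get-DepPolicy
Add-DepException 'C:\Program Files\Windows Live\WindowsLiveWriter.exe'
Get-DepExceptions | Select-Object Executable, Flags, Exists | Format-Table -AutoSize
```

Running Get-DepExceptions on its own, without adding anything, is a quick way to review a server's current exception list, since the Layers key is written by the Registry Editor steps above as well as by the script.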

Moving a Virtual Machine (VM) Between Hyper-V Servers

You can move Virtual Machines (VMs) between Hyper-V servers either by exporting the virtual machine from one Hyper-V server and subsequently importing it on another, or by using System Center Virtual Machine Manager. Note that you cannot move VMs by simply copying the VHD and XML files to a new Hyper-V server and attempting to use them there.

To use the first method above (i.e. exporting and importing the VM), follow the below steps:

On Hyper-V Source Server

  1. Open the Hyper-V Manager console, then right-click the VM to export and select Export.
  2. Specify the location to store the Export files (this can be a network share if you wish).
  3. Once the Export process has completed, copy the export files to the target Hyper-V server.

On the Hyper-V Target Server

  1. On the target Hyper-V server, open Hyper-V Manager console and then right-click the Hyper-V server node and click Import Virtual Machine.
  2. Browse to the root folder which contains the Export files and hit Select.

That's it! You have now migrated a virtual machine from one Hyper-V server to another.

Note that once the import process has completed, all snapshots and VHD files will be stored at the location where you placed the Export files, which can be an issue if you wish to keep the snapshots and VHD files in a different location.

For more info on Virtual Machine import/export, please see http://blogs.technet.com/tonyso/archive/2009/08/04/hyper-v-r2-how-to-move-a-vm-storage-snapshots.aspx

Manage Updates on a Windows Server Core System

Windows Server Core saves on system resources; however, some familiar features of the full Windows Server installation are not as obvious on Server Core. For performing and managing updates on a Server Core installation you have the below options:

  • To install a Windows update : At the command prompt enter wusa <update>.msu /quiet
  • To list the Windows updates already installed : At the command prompt enter systeminfo
  • To remove a Windows update :
    1.  At the command prompt enter expand /f:* <update>.msu c:\test
    2.  Go to c:\test\ and then open <update>.xml using a text editor
    3.  In <update>.xml, replace Install with Remove and then save the file
    4.  At the command prompt enter pkgmgr /n:<update>.xml
  • Configure automatic Windows updates :
    – To see the current Windows update setting, enter: cscript scregedit.wsf /AU /v
    – To enable automatic Windows updates, enter: cscript scregedit.wsf /AU /4
    – To disable automatic Windows updates, enter: cscript scregedit.wsf /AU /1

Install Disk Cleanup on Windows Server

Disk Cleanup is one of several features which are not installed by default on Windows Server 2008. To use Disk Cleanup (cleanmgr.exe) on Windows Server 2008, you will have to install the “Desktop Experience” feature on the machine. To install Desktop Experience, open Server Manager, select Add Features, then select Desktop Experience.

After Desktop Experience has been installed, you can find the Disk Cleanup tool under the System Tools subcategory:

Start > Programs > Accessories > System Tools > Disk Cleanup

TCP/IP Debugging Tools in Windows Server – Route, Nslookup and DCDiag

Completing our series on the Windows Server TCP/IP debugging tools, we look at the Route, Nslookup and DCDiag tools.

Route

The Route tool is especially useful for troubleshooting incorrect static routes and for adding a route to the routing table to temporarily bypass a problematic gateway. Static routes may be used instead of the implicit routes provided by a default gateway. Use the Route tool to add static routes that forward packets to a gateway other than the default one, for example to improve traffic time or avoid loops.
The main parameters for the Route tool are as below:

  • -add : Adds a route to the table; use in combination with -p to make the route persistent across subsequent sessions.
  • -delete : Deletes a route from the table.
  • -print : Prints the routing table.
  • -change : Modifies an existing route.
  • -destination : Specifies the host address.
  • -gateway : Specifies the address of the gateway for the route.
  • IF interface : Specifies the interface for the routing table to modify.
  • -mask Netmask : Uses the subnet mask specified by Netmask; if mask isn't used, it defaults to 255.255.255.255.
  • -METRIC Metric : Specifies the metric for the route using the value Metric.
  • -f : Clears the routing table of all gateway entries.
  • -p : Use with the -add parameter to create a persistent route.

Nslookup

The Nslookup tool queries DNS and can be thought of as a simple diagnostic client for DNS servers. Nslookup can operate in two modes: interactive and non-interactive. Non-interactive mode looks up a single piece of data, whereas interactive mode should be used to look up more than one piece of data. Interactive mode can be halted at any time by pressing Ctrl+B. To exit from the command, enter exit. If Nslookup is used with no parameters, it uses the default DNS server for the lookup.
The three parameters for Nslookup are as below:

  • -ComputerToFind : Looks up info for the defined ComputerToFind. By default this will use default DNS name server.
  • -Server : Specifies the DNS name server to query.
  • -SubCommand : Specifies one or several Nslookup subcommands as a command line option. Enter a question mark (?) to display a listing of available subcommands.

DCDiag

The DCDiag (Domain Controller Diagnostic) tool analyzes the state of the domain controllers and services in an Active Directory (AD) forest. It is installed when the AD DS (Active Directory Domain Services) role is added to a Windows Server 2008 installation. DCDiag is a very good general-purpose tool for checking the health of the AD infrastructure.
The available tests include replication errors, domain controller connectivity, permissions, proper roles, and other general AD health tests. DCDiag is even capable of running tests that are not specific to an existing domain controller, such as whether a server may be promoted to a domain controller (the dcpromo test) and whether it can register its records properly in DNS (the RegisterInDNS test).

DCDiag is run exclusively on domain controllers, the only exceptions being the dcpromo and RegisterInDNS tests. When DCDiag is run without any parameters, the main tests are run against the current domain controller; this is normally sufficient for most purposes.
The parameters for DCDiag are :

  • /s:DomainController : Specifies using the domain controller as the home server.
  • /n:NamingContext : Specifies using the specified naming context (FQDN, NetBIOS,  or distinguished name) to test.
  • /u:Domain\UserName /p:{*|Password|""} : Specifies using the supplied credentials for running the tool.
  • /a : Will test all the domain controllers in the site.
  • /e : Will test all the domain controllers in the enterprise.
  • /q : Shows quiet output (errors only).
  • /v : Shows verbose output.
  • /i : Ignores any minor error messages.
  • /fix : Fixes the minor problems.
  • /f:LogFile : Logs to a defined log file.
  • /ferr:ErrorLogFile : Logs any errors to the log file.
  • /c : Comprehensively runs all the tests.
  • /test:TestName : Runs only the specified tests.
  • /skip:TestName : Skips all the specified tests.

When you are specifying tests to run or to skip, note that all nonskippable tests will be run regardless.

DCDiag is automatically included on  Windows Server 2008  when the AD DS (Active Directory Domain Services) role is added. Alternatively, on non-domain controllers, the utility may be installed by adding the Remote Server Administration Tools feature from the Server Manager.

TCP/IP Debugging Tools in Windows Server – Ipconfig, Arp and Netstat

Continuing with our look at the Windows Server TCP/IP debugging tools we turn our attention to the Ipconfig, Arp and Netstat tools.

Ipconfig

The Ipconfig tool shows all the TCP/IP configuration values and is of particular use on systems running DHCP, where it can refresh the DHCP settings and determine the TCP/IP configuration values assigned by DHCP. If Ipconfig is used with no parameters, it shows the IP addresses, subnet masks and gateways for all adapters on a system. The adapters can be either physical network adapters or logical adapters such as dial-up connections.

Some  parameters for Ipconfig are as below:

  • /all : Shows all the TCP/IP configuration values.
  • /displaydns : Shows the contents of the DNS client resolver cache.
  • /flushdns : Resets and also flushes all the contents of the DNS client resolver cache. This also includes entries which have been  made dynamically.
  • /registerdns : Specifies the manual dynamic registration for DNS names and the IP addresses that are configured on a system. This can be especially useful when troubleshooting  DNS name registrations or any dynamic update issues between the  DNS server and client.
  • /release [Adapter] : Sends a DHCP release message to the DHCP server to discard the DHCP-configured settings for the adapters; this is only available for DHCP-enabled clients. If no adapter is specified, the IP address configuration is released for all adapters.
  • /renew [Adapter] : Renews the DHCP configuration for all adapters (if no adapter has been specified) or for a specific adapter if an Adapter parameter has been included. This is only available for DHCP-enabled clients.
  • /setclassid Adapter [classID] : Configures the DHCP class ID for a certain adapter, this can configure the DHCP class ID for all the adapters by including a wildcard (*) character in place of the Adapter.
  • /showclassid Adapter : Shows the DHCP class ID for a certain adapter.
  • /allcompartments : Shows info about all the compartments.
  • /allcompartments /all : Shows detailed info on all compartments.

Ipconfig shows the assigned configuration for the system such as the default gateway, local IP address, DNS servers, subnet mask, etc. When debugging network problems, you may use the Ipconfig tool to confirm that the correct TCP/IP settings are set for a system so that the server will communicate properly on the network.

Arp

The Arp (Address Resolution Protocol) tool enables the display and alteration of the ARP cache on the local system, which maps the IP addresses of systems to their corresponding physical (MAC) addresses. The ARP cache speeds up subsequent connections by removing the need to resolve the MAC address for an IP address again.
The most important parameters for the Arp tool are as below:

  • -a [InetAddr] [-N IfaceAddr] : Shows the ARP table for all the adapters on a system. Use arp -a with the InetAddr (IP address) parameter to show the ARP cache entry for a specific IP address.
  • -d InetAddr [IfaceAddr] : Deletes the entry for the specified IP address (InetAddr). Use the IfaceAddr parameter (the IP address assigned to the interface) to delete an entry from the table for a specific interface. The wildcard character (*) can be used instead of InetAddr to delete all entries.
  • -s InetAddr EtherAddr [IfaceAddr] : Adds a static entry to the ARP cache that resolves the IP address (InetAddr) to the physical address (EtherAddr). Add a static ARP cache entry to the table for a specific interface by supplying the IP address assigned to that interface (IfaceAddr).

Netstat

The Netstat (Network Statistics) tool can be used to monitor connections to a remote host, display protocol statistics for active connections, and monitor the IP addresses or domain names of hosts with established connections.
The main parameters for Netstat are as below:

  • -a : Shows all the connections and the listening ports by hostname.
  • -b : Shows the executable involved in creating each connection.
  • -e : Shows the Ethernet packets and bytes to and from the host.
  • -n : Shows addresses and port numbers numerically but does not resolve addresses to hostnames.
  • -o : Shows TCP connections and includes the owning process ID (PID). This can be used with -a, -n and -p. This is unavailable in Windows versions prior to 2008 R2.
  • -p protocol : Shows the statistics for the specified protocol. The protocols which can be specified are TCP, UDP, TCPv6 and UDPv6. This can be used with the -s parameter to show TCP, UDP, ICMP, IP, TCPv6, UDPv6, ICMPv6 or IPv6.
  • -s : Shows the statistics on a per-protocol basis. This can be used with the -p parameter to define a set of protocols.
  • -t : Shows the current connection offload state.
  • -r : Shows the route table, the information shown includes the network  destination, gateway, netmask, interface, and metric (ie number of hops).
  • [Parameter] Interval : Shows the info at every specified interval, the interval is in seconds. Hit Ctrl+C to stop the intervals.
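Netstat's -a, -n and -o switches together give the listening ports with their owning PIDs, which is the usual starting point when checking a server for a listener that should not be there. The script below, an added example that is not part of the original article, parses that output into objects and reports any listening port outside an expected baseline. The netstat output embedded in it is constructed for the example, and the baseline of expected ports is an assumption for a hypothetical server role.

```powershell
# Added example (not from the original article): parse 'netstat -ano' output
# into objects and compare the listening ports against an expected baseline.
# The sample output below is constructed; on a live system pass (netstat -ano).
$SampleNetstat = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1048
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2380
  TCP    10.0.0.5:3389          10.0.0.20:50112        ESTABLISHED     1048
  TCP    [::]:135               [::]:0                 LISTENING       712
  UDP    0.0.0.0:123            *:*                                    1004
'@

function ConvertFrom-Netstat([string[]]$Lines) {
    foreach ($line in $Lines) {
        # Columns: Proto, local, foreign, optional state (UDP has none), PID.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            # Split address and port on the LAST colon so that IPv6 forms
            # such as [::]:135 are handled correctly.
            $local = $matches[2]
            $idx   = $local.LastIndexOf(':')
            New-Object PSObject -Property @{
                Protocol  = $matches[1]
                LocalAddr = $local.Substring(0, $idx)
                LocalPort = [int]$local.Substring($idx + 1)
                Remote    = $matches[3]
                State     = $matches[4]
                PID       = [int]$matches[5]
            }
        }
    }
}

function Find-UnexpectedListeners([string[]]$Lines, [int[]]$ExpectedPorts) {
    # Anything in LISTENING state on a port outside the baseline is reported.
    ConvertFrom-Netstat $Lines |
        Where-Object { $_.State -eq 'LISTENING' -and $ExpectedPorts -notcontains $_.LocalPort } |
        Select-Object Protocol, LocalAddr, LocalPort, PID
}

$Expected = 135, 445, 3389    # assumed baseline for this server's role
Find-UnexpectedListeners -Lines ($SampleNetstat -split "`r?`n") -ExpectedPorts $Expected
# For the sample this reports TCP 0.0.0.0:4444 owned by PID 2380.
# Live use:  Find-UnexpectedListeners -Lines (netstat -ano) -ExpectedPorts $Expected
# Then identify the owner with:  Get-Process -Id <pid> | Select-Object Name, Path
```

The baseline is the thing to get right: build it from a known-good server of the same role, and treat any listener not in it as a question to answer (which process, which installed feature) rather than as proof of a problem.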

TCP/IP Debugging Tools in Windows Server – Ping, Tracert and Pathping

TCP/IP is the backbone for communication and transport in Windows Server, and it must be configured before machines can communicate with each other. TCP/IP is installed by default in Windows Server 2008 R2, and during operating system installation you can also add or remove TCP/IP. If a TCP/IP connection fails, you will need to identify the cause and point of failure. Windows Server ships with several useful tools for troubleshooting connections and verifying connectivity. In this series of articles we will look at Ping, Tracert, Pathping, Ipconfig, Arp, Netstat, Route, Nslookup and DCDiag. Most of the tools have been updated to include switches for both IPv4 and IPv6.

Ping

Ping stands for Packet Internet Groper and is used to send an ICMP (Internet Control Message Protocol) echo request and receive the echo reply, which verifies the availability of local or remote machines. Ping can be thought of as a utility that sends a message to another machine asking it to confirm that it is still there. By default, Ping sends four ICMP packets and waits one second for the responses. This default can be changed: the number of packets sent and the time to wait for responses can be altered through the options available for Ping.
As well as verifying the availability of remote machines, Ping can assist in determining name resolution issues. To use Ping, open a command prompt and enter Ping TargetName. Several parameters are available for Ping; to show them all, enter Ping /? or Ping (with no parameters). The parameters for the Ping command are as below:

  • -4 : Specifies that IPv4 should be used to ping; this is not required when the target machine is identified by an IPv4 address, only when it is identified by name.
  • -6 : Specifies that IPv6 should be used to ping; as with -4, this is not required when the target machine is identified by an IPv6 address, only when it is identified by name.
  • -a : Resolves the IP address to the hostname, which is displayed if this command is successful.
  • -f : Requests that the echo messages are sent with the Don't Fragment flag set in the packets (only available in IPv4).
  • -i ttl : Sets the TTL (Time to Live) value, which can increase the timeout when using slow connections; the maximum value is 255.
  • -j HostList : Routes the packets using the host list (this is a listing of IP addresses which are separated by spaces), hosts can be separated by intermediate gateways (ie loose source route).
  • -k HostList : Similar to –j but the hosts can’t be separated by intermediate gateways (ie strict source route).
  • -l size : Specifies the length (in bytes) of the packets – default is 32 and the max is 65,527.
  • -n count : Specifies the number of packets which are sent – default is 4.
  • -r count : Specifies the route for the outgoing and the incoming packets, you can specify a count which is equal to or higher than the number of hops between source and destination. The count must be between 1 to 9.
  • -R : Specifies that the round-trip path should be traced (this is only available on IPv6).
  • -s count : Sets a time stamp for the number of hops specified by count, this count needs to be between 1 and 4.
  • -S SrcAddr : Sets the source address  (this is only available on IPv6).
  • -t : Specifies that Ping should continue sending packets to the destination until interrupted. To stop and display statistics, press Ctrl+Break. To stop and quit PING, press Ctrl+C.
  • -v TOS : Sets the value of the type of service in the packet sent (default for this setting is zero). TOS is specified by a decimal between 0 and 255.
  • -w timeout : Sets the time in milliseconds for the packet timeout. If the reply isn’t received before a timeout, the Request Timed Out error message will be shown. The default timeout is four seconds.
  • TargetName : Sets the hostname or IP address of the destination to ping.

Sometimes remote hosts are configured to ignore all Ping traffic for security reasons, so that they do not acknowledge probes. Therefore, the inability to ping a server does not always mean the server is not working.

Tracert

Tracert is typically used to determine the path or route taken to a final destination by sending ICMP packets with varying TTL (Time to Live) values. Every router the packet encounters along the way decrements the TTL by at least one, so the TTL is effectively a hop count. The path is determined by examining the ICMP Time Exceeded messages returned by the intermediate routers. Not all routers return Time Exceeded messages for expired TTL values, so those routers are not captured by Tracert; in these cases asterisks are shown for that particular hop. To show the parameters available for Tracert, open the command prompt and enter tracert (with no parameters) to show the help, or type tracert /?.

The parameters associated with the Tracert tool  are as below:

  • -4 : Specifies that tracert.exe may only use IPv4 for the trace.
  • -6 : Specifies that tracert.exe may only use IPv6 for the trace.
  • -d : Prevents the resolution of router IP addresses to hostnames; this is typically used to speed up the Tracert results.
  • -h maximumHops : Sets the max number of hops taken before reaching the destination – default is 30 hops.
  • -j HostList : Specifies that packets must use the loose source route option, which allows successive intermediate destinations to be separated by one or more routers. The max number of addresses in the host list is 9. This is only useful when tracing IPv4 addresses.
  • -R : Sends the packets to the destination in IPv6, using the destination as an intermediate destination, and tests the reverse route.
  • -S : Specifies which source address to use, this is only useful when tracing IPv6 addresses.
  • -w timeout : Sets the time in milliseconds to wait for the replies.

Tracert is a good utility for determining the number of hops and the latency of communications between two end-points. Even on high-speed Internet connections, if the Internet is congested or the route a packet must follow requires forwarding between several routers along the way, the latency will cause noticeable delays in communication.

Pathping

The Pathping tool is a route tracing tool which combines features of both Ping and Tracert with additional information that neither of those commands provides. Pathping is most suited to a network with routers or multiple routes between the source and destination hosts. The Pathping command sends packets to every router on the way to a destination and collects the results returned by each router. Since Pathping calculates the packet loss at each hop, it is easy to determine which router is causing network issues.
To display the parameters for Pathping, open a command prompt and type pathping /?.
The parameters for the Pathping command are as follows:

  • -4 : Specifies that pathping.exe may only use IPv4 for the trace.
  • -6 : Specifies that pathping.exe may only use IPv6 for the trace.
  • -g Host-list : Allows for the hosts being separated by intermediate gateways.
  • -h maximumHops : Sets the max number of hops prior to reaching a target – default is 30 hops.
  • -i address : Uses a specified source address.
  • -n : Does not resolve addresses to hostnames.
  • -p period : Sets the number of seconds to wait between pings – default is 0.25 seconds.
  • -q num_queries : Sets the query number to each host along the route –  default is 3.
  • -w timeout : Sets the timeout for replies in milliseconds.
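Pathping's per-hop statistics are what make it more useful than Ping or Tracert for locating loss, but the output has to be read carefully: each hop line carries the cumulative loss from the source and the loss at that node, while the "|" line preceding it carries the loss on the link into that hop. The script below, an added example that is not part of the original article, parses the statistics section into objects and reports the first hop where either figure crosses a threshold. The pathping output embedded in it is constructed for the example.

```powershell
# Added example (not from the original article): parse the statistics section
# of a pathping run and find the first hop where packet loss appears. The
# output below is constructed; on a live system use (pathping -n <host>).
$SamplePathping = @'
Tracing route to 203.0.113.10 over a maximum of 30 hops

  0  10.0.0.5
  1  10.0.0.1
  2  198.51.100.1
  3  203.0.113.10

Computing statistics for 75 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           10.0.0.5
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  10.0.0.1
                                0/ 100 =  0%   |
  2   18ms     0/ 100 =  0%     0/ 100 =  0%  198.51.100.1
                               23/ 100 = 23%   |
  3   31ms    25/ 100 = 25%     2/ 100 =  2%  203.0.113.10

Trace complete.
'@

function ConvertFrom-PathpingStats([string[]]$Lines) {
    # A link line ("lost/sent = pct |") describes the link INTO the hop line
    # that follows it, so its value is held until that hop line is seen.
    $linkPattern = '^\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+\|'
    $hopPattern  = '^\s*(\d+)\s+(\d+)ms\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+(\d+)/\s*(\d+)\s*=\s*(\d+)%\s+(\S+)'
    $pendingLinkLoss = 0
    foreach ($line in $Lines) {
        if ($line -match $linkPattern) {
            $pendingLinkLoss = [int]$matches[3]
        } elseif ($line -match $hopPattern) {
            New-Object PSObject -Property @{
                Hop         = [int]$matches[1]
                Address     = $matches[9]
                RttMs       = [int]$matches[2]
                PathLossPct = [int]$matches[5]    # cumulative loss from the source to this hop
                NodeLossPct = [int]$matches[8]    # loss caused by this router itself
                LinkLossPct = $pendingLinkLoss    # loss on the link into this hop
            }
            $pendingLinkLoss = 0
        }
    }
}

function Find-FirstLossyHop([string[]]$Lines, [int]$Threshold = 5) {
    # The first hop whose inbound link, or the node itself, drops packets
    # above the threshold is where troubleshooting should start.
    ConvertFrom-PathpingStats $Lines |
        Where-Object { $_.LinkLossPct -ge $Threshold -or $_.NodeLossPct -ge $Threshold } |
        Sort-Object Hop |
        Select-Object -First 1
}

$lines = $SamplePathping -split "`r?`n"
ConvertFrom-PathpingStats $lines |
    Select-Object Hop, Address, RttMs, LinkLossPct, NodeLossPct, PathLossPct |
    Format-Table -AutoSize
Find-FirstLossyHop $lines    # for the sample: hop 3, with 23% loss on the link from hop 2
```

In the sample the cumulative figure at hop 3 (25%) is almost entirely explained by the link from hop 2 (23%), not by hop 3 itself (2%), which is the distinction the link lines exist to make; reading only the hop lines would point at the wrong device.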