
Setting Up IIS 8 FTP Server Lessons Learned

To test the vCSA 6.5 built-in backup, I need an FTP server. Since I already have a Windows Server 2012 R2 running IIS 8 with the web service, adding the FTP server feature is just a few clicks.

Even though I have not used the Microsoft FTP server since IIS 6, and there are a lot of changes between IIS 6 and IIS 8, I thought setting up the FTP server would be a piece of cake. I was wrong! The following is what I learned while setting up the FTP server in IIS 8.

Lesson #1: Windows Firewall

After installing the FTP service and creating a new FTP site in IIS Manager, I can’t connect to the FTP site from a remote computer; FTP from the server to itself is okay. It must be a Windows Firewall issue.

  • I check the Windows Firewall’s Inbound Rules: three FTP rules are created and enabled. Under Outbound Rules, two FTP rules are created and enabled. I guess they are created automatically by the FTP service installation. These rules look right, but I still can’t connect from a remote computer.

Windows.Firewall.Inbound.Rule.FTP

Windows.Firewall.Outbound.Rule.FTP

  • After disabling the Windows Firewall on the server, I can connect. This confirms the Windows Firewall is causing the issue, but what is the problem? I don’t want to disable the Windows Firewall.
  • The default FTP rules allow the program “%windir%\system32\svchost.exe”. I’m not sure which executable runs the FTP service. (Later, I find it via Microsoft FTP Service, General, Path to executable: “C:\Windows\system32\svchost.exe -k ftpsvc”.)
  • I create the FTP rules required in my case - two inbound rules and one outbound rule (highlighted in the pictures above) with the same protocol and port numbers, except that I allow any program. This works! I can connect to the FTP site from a remote computer. (Actually, see Lesson #2 below - it’s not fully working yet. I get another error after entering the login name.)
  • I think the default FTP rules don’t work, until I find this post.
  • I delete the FTP rules I created and restart the “Microsoft FTP Service”. The FTP connection still works.

Summary:

  • When troubleshooting issues related to the Windows Firewall, restart the application service or the server after adding or changing rules.
  • Restarting the FTP site in IIS Manager does not work; disabling and re-enabling the firewall or the rule does not work. Restarting the FTP service is required.

Lesson #2: FTP site virtual host name

After the connection problem is resolved (see Lesson #1), I move on to the FTP login. However, after entering the user name, I get the error message “530 Valid hostname is expected. Login failed”.

FTP.Valid.Hostname.Is.Expected

After searching for the error message, I learn about the FTP virtual host name.

In the past I had used the IIS web site virtual host name to handle multiple web sites on a single IP address and port number, but I don’t recall whether the FTP service in IIS 6 has the host name option. When creating the FTP site, I entered the DNS name of the FTP site as the host name.

FTP.Host.Name

Summary:

  • Use <ftp virtual hostname>|<ftp username> as the login name when the FTP server uses a virtual host name
  • FTP.Virtual.Hostname.Login
  • If you are not going to run multiple FTP sites on the same IP address and port number, leave the host name blank.

One More Reason Not to Disable IPv6

Almost every current operating system supports IPv6 and enables it by default. Some system admins still like to disable IPv6 because they think they will not deploy IPv6 in the near future. However, disabling IPv6 can go against the software vendor’s recommendation or trigger unexpected bugs.

For example, Microsoft does not recommend disabling IPv6 in Windows. See “IPv6 for Microsoft Windows FAQ” and “How to disable IPv6 or its components in Windows”.

Recently, VMware ESXi 6.0.x has a known issue when IPv6 is disabled. See “Provisioning the TCP/IP stack does not work when IPv6 support is disabled on the host (2146023)”.

To avoid unexpected issues, we should leave IPv6 enabled (the default).

Change Windows Server 2008 or 2012 Network Profile

Sometimes a Windows server is assigned the incorrect network profile, which can cause the wrong Windows Firewall rules to be applied. Here is how to change its network profile.

For standalone server

  • The profile can be changed to Public or Private, but cannot be set to Domain
  • For Windows Server 2012
    • Open PowerShell as administrator
    • Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory [Private | Public]
  • For Windows Server 2008 or 2012
    • gpedit.msc, Computer Configuration, Windows Settings, Security Settings, Network List Manager Profiles
    • Select the network name, Properties, Network Location
    • Under Location Type, select Private or Public

For domain joined server

Extend Microsoft Cluster Shared Disk in VMware

A VM shared disk on Microsoft Cluster Service (MSCS) is running out of disk space. The VMs are on a single host (aka cluster in a box, CIB). I can think of two ways to expand the disk storage:

  • Create a new, bigger shared disk for the cluster, migrate the data, then assign the new disk the same drive letter as the original disk
  • Extend the size of the existing shared disk

Obviously the latter seems simpler, but it requires special attention. The shared disks of MSCS VMs must be in eager zeroed thick format. However, when extending an eagerzeroedthick VMDK, the extended chunk is in lazy zeroed thick format by default (reference: “Extending an EagerZeroedThick Disk”; in my test, vSphere 6 has the same behavior).

Here is how I extend the MSCS shared disk:

  • Power off both servers in the cluster
  • Increase the VMDK disk size. There are two ways:
    • GUI: edit the VM settings, increase the shared disk size
    • CLI: use vmkfstools -X <newsize> -d eagerzeroedthick <vmdkfile>
  • Using the GUI, the extended chunk will be in lazy zeroed thick format. The VM will fail to power on with the error “VMware ESX cannot open the virtual disk for clustering…”

cluster.vm.power.on.error

  • There are two ways to convert the extended chunk to eagerzeroedthick format
    • Migrate the VM to another datastore, and specify the eager zeroed thick format for the disk
    • Use vmkfstools -k <vmdkfile>
      vmkfstools.convert.eagerzeroedthick
  • Once the entire shared disk is in the eager zeroed thick format, the VM will be able to power on.
  • Extend the Windows partition as described in KB304736

Brocade FC Switch FOS v7.2.0a WebTools Access in Windows Server 2012 R2 with IE 11

I got some errors (see the end of the post) when setting up a brand new Brocade Fibre Channel switch running FOS v7.2.0a from a Windows Server 2012 R2 server with IE 11. The following instructions fixed the errors.

  • Install Oracle JRE 1.7.0 update 25 Windows x86 version
    • According to its release notes, FOS v7.2 is qualified and supported only with Oracle JRE 1.7.0 update 25.
    • Install the JRE Windows x86 version (32-bit), instead of the Windows x64 version (64-bit), even though Windows Server 2012 R2 is a 64-bit OS
  • Launch “Java (32-bit)” in Control Panel
    • Security tab, lower Security Level to Medium
    • java.security
    • (optional) Advanced tab, set “Perform certificate revocation checks on” to “Do not check”. This speeds up the “Verifying application” process if the server does not have Internet access.
    • java.advanced
  • Launch Internet Explorer
    • Click Tools, “Compatibility View settings” to add the Brocade switch IP address to the compatibility view list
    • ie.compatibility.setting.01
    • ie.compatibility.setting.02
  • Enter the IP address of the Brocade switch in Internet Explorer
    • brocade.fc.webtool.01
    • brocade.fc.webtool.02
    • brocade.fc.webtool.03

The error messages I experienced and possible solutions:

  • “The version of Java plugin needed to run the application is not installed. The page from where the plugin can be downloaded will be opened in a new window.”
    • Install the supported JRE version. See the FOS release notes for the supported JRE version
    • Install the 32-bit version of the JRE, instead of the 64-bit version
    • Verify Java Plug-In is enabled in IE
    • Add the FC switch IP to IE’s compatibility list
  • “Unable to launch the application” or “Unable to load resource: http://<switch-ip>/loc_res.jar”
    • Install the supported JRE version. See the FOS release notes for the supported JRE version
  • “Application Blocked by Security Settings”
    • Lower the Java security level to Medium in Java 1.7 Update 25. For newer versions of Java, add the FC switch URL to the Java Security Exception Site List.

Backup Consistency Types

This post summarizes the various backup consistency types:

  • Inconsistent Backup
    • If any file changes after it was backed up but before the job completes, the result is an inconsistent backup
    • e.g. with files A and B: file A is backed up, then files A and B are changed, then file B is backed up. The backup of files A and B is now inconsistent
    • The content in memory or pending I/O is not backed up
  • Crash-Consistent Backup
    • All data is backed up at exactly the same point in time via techniques like the Volume Shadow Copy Service (VSS), which takes a block-level snapshot; the backup software then pulls its backup from that snapshot
    • The backed-up data is in the same state it would have been in if the system had crashed
    • The content in memory or pending I/O is not backed up
    • Many applications, like Active Directory, have an automated recovery mechanism and will attempt to handle the inconsistency without administrator intervention. If these automated mechanisms aren’t successful, a manual process is needed. For Microsoft SQL Server, you may need to know how to replay logs into a database file.
  • Application-Consistent Backup
    • For Windows applications, the application vendor provides a VSS writer. When the VSS service is triggered, it notifies these writers that a backup is occurring. Then it’s up to the VSS writer how to handle it.
    • A proper VSS writer makes the application flush all of its memory and I/O operations to disk, as it would if the application were properly closed
    • When the VSS snapshot is complete, it signals the VSS writers, the application resumes normal operation, and the backup software pulls its backup from that snapshot
    • If an application does not provide or properly register a VSS provider but its data resides on a volume with VSS enabled, the data is backed up in a crash-consistent state
  • Image-Level Backup
    • The other backup types run while a machine is actively running
    • An image-level backup is taken while the machine is shut down

Source: VSS Crash-Consistent vs Application-Consistent VSS Backups

Add Fonts to Windows Command Prompt

By default, the Windows 10 Command Prompt offers only two font choices - Consolas and Lucida Console - even when other fonts are installed. To add another font to the selection, add a String Value under the registry key

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

In the following screenshot, I added Bitstream Vera Sans Mono to my command prompt.

regedit_2016-02-25_14-18-08

conhost_2016-02-25_14-20-18

Source: http://www.watchingthenet.com/how-to-add-and-change-fonts-in-windows-command-prompt.html

Use Dig to Troubleshoot DNS Issue on Windows

Get dig.exe on Windows

  • Download the BIND binary zip file from ISC and extract it to a folder.
  • Open a command prompt and navigate to the folder
  • Enter dig; no installation is required.

Basic syntax

  • dig @dns-server name type
  • dig @dns-server -q name -t type

Simplify the output

  • dig +nocmd +noall +answer @dns-server name
  • dig +nocmd +noall +answer +multiline @dns-server name any

Windows Page File Purposes and Sizing

Consider the following for page file sizing

  • System crash dump: the page file must exist and be larger than the physical memory (RAM)
  • Peak system committed memory:
    • system committed memory = physical memory + all page files combined size
    • page.file.01 page.file.02
    • A system with 8GB RAM + 1.3GB page file = 9.2GB of system committed memory
  • Infrequently accessed pages: Infrequently accessed modified pages are removed from physical memory and stored in the page files. The “\Memory\Modified Page List Bytes” performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk.

Extend or add a page file if all the following performance counters are true:

  • \Memory\Available MBytes is low (more physical memory is in use): less than 4 MB
  • \Memory\Modified Page List Bytes is high
  • \Paging Files(_Total)\%Usage is high: more than 70%

General recommendation

  • Windows Server DCs, DFS Replication, Certificate Services and LDS servers are not supported without a configured page file
  • Exchange Server requires a page file
  • Set a static page file size rather than letting Windows manage it dynamically
  • For Windows Server 2012 or R2 Hyper-V, the page file of the management OS (the host OS) should be left at the default setting of “System Managed”
  • For 64-bit SQL Server, enable “Lock Page in Memory” for the SQL Server service account
  • For 64-bit SQL Server, set Page File to be a static 6 GB

Source:

Use \\?\UNC\ on A UNC Name to Work Around Windows 260 Characters File Name Limit

Prefixing the file name with “\\?\” works around the Windows 260-character file name limit (allowing up to 32,000 characters) in some command line utilities. For example, for a local file: dir \\?\c:\longfilename.txt.

However, the syntax is different for a UNC name: it needs to be \\?\UNC\servername\share\longfilename.txt. For example, dir \\?\UNC\fileserver\dept\it\longfilename.txt.

Not all the command line utilities support this syntax.

  • Icacls - supported
  • PowerShell (Get-Acl) - not supported, because of .NET

For more info see

Long Paths in .NET, Part 1 of 3

Extend a Logical Drive in Windows Server 2008 R2

I recently P2V’d a Windows Server 2008 R2 physical server to a vSphere VM successfully. The server has two drives (C and D), and both drives were originally on one RAID 5 LUN. I didn’t know how the drives were originally created on the physical server, e.g. whether drive D is a primary partition or a logical drive on an extended partition.

When drive D started running low on free disk space, I thought it would be very simple to extend the drive since the server is running Windows Server 2008.

  • I increase the size of hard disk 1 on the VM (both drives C and D are on that hard disk) while the server is on
  • In Windows Disk Management, rescan the disks; the extra unallocated disk space is then shown
  • At this point, I notice drive D is a logical drive on an extended partition. I normally create the drive on a primary partition.
  • When right-clicking the logical drive, the “Extend Volume” option is grayed out.
  • I had extended a non-OS drive in Windows Server 2008 via the GUI before; for Windows Server 2003, I had to use the diskpart utility.
  • Why can’t I extend this drive? Is it because it’s a logical drive on an extended partition? I’m not sure.
  • I know there are some third-party utilities that can resize the partition, but I don’t have them handy.
  • Finally, I decide to try the diskpart utility.
    • First, I tried extending the extended partition. It didn’t work. (see the yellow highlight)
    • Next, I tried extending the logical partition directly. It worked. (see the green highlight)

    C:\Windows\system32>diskpart

    Microsoft DiskPart version 6.1.7601
    Copyright (C) 1999-2008 Microsoft Corporation.
    On computer: AVLDB

    DISKPART> list disk

      Disk ###  Status         Size     Free     Dyn  Gpt
      --------  -------------  -------  -------  ---  ---
      Disk 0    Online          360 GB  1024 KB

    DISKPART> select disk 0

    Disk 0 is now the selected disk.
     
    DISKPART> list partition

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    OEM                 40 MB  1024 KB
      Partition 2    Primary           3072 MB    41 MB
      Partition 3    Primary             60 GB  3113 MB
      Partition 0    Extended           200 GB    63 GB
      Partition 4    Logical            200 GB    63 GB

    DISKPART> select partition 0

    Partition 0 is now the selected partition.

    DISKPART> extend

    There is no volume selected.
    Please select a volume and try again.

    DISKPART> list partition

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    OEM                 40 MB  1024 KB
      Partition 2    Primary           3072 MB    41 MB
      Partition 3    Primary             60 GB  3113 MB
    * Partition 0    Extended           200 GB    63 GB
      Partition 4    Logical            200 GB    63 GB

    DISKPART> select partition 4

    Partition 4 is now the selected partition.

    DISKPART> extend

    DiskPart successfully extended the volume.

Robocopy Command Examples

In my previous post, I summarized some key information about Robocopy. In this post, I will share some Robocopy command examples that I have used in file migration projects. Even though these examples have been used successfully in production environments, please verify them yourself before use. That is why I add the /L option to all the examples. Save the following to a batch file and pick a command by removing the rem at the beginning of its line.

@echo off

set LOG_FILE="C:\Temp\ROBOCOPY_LOG.TXT"
set SOURCE="Source Path"
set DEST="Destination Path"

rem Remove rem on the command line you want to run
rem Only one Robocopy command line is used at a time
rem Remove /L to apply the change after confirming the outcome in the log file

rem *************************************************
rem /PURGE option
rem Mirror the source to the destination - the newer file in the destination will be overwritten, the extra file in the destination will be purged
rem robocopy %SOURCE% %DEST% /E /COPYALL /PURGE /MT /R:1 /W:1 /V /NP /TEE /LOG+:%LOG_FILE% /L

rem /ZB option
rem Use /ZB option when file cannot be copied
rem robocopy %SOURCE% %DEST% /E /ZB /COPYALL /PURGE /MT /R:1 /W:1 /V /NP /TEE /LOG+:%LOG_FILE% /L

rem *************************************************
rem default option - changed, newer, and older file is copied; extra file is not impacted
rem Copy the source to the destination - the newer file in the destination will be overwritten, but keep the extra file in the destination
rem robocopy %SOURCE% %DEST% /E /COPYALL /MT /R:1 /W:1 /V /NP /TEE /LOG+:%LOG_FILE% /L

rem *************************************************
rem /XO option
rem Copy the source to the destination - keep the newer file and extra file in the destination
rem robocopy %SOURCE% %DEST% /E /COPYALL /MT /R:1 /W:1 /V /NP /TEE /LOG+:%LOG_FILE% /XO /L

rem *************************************************
rem /FFT option
rem Copy the source to the destination - when the third-party storage system is used
rem robocopy %SOURCE% %DEST% /E /COPYALL /MT /R:1 /W:1 /V /NP /TEE /LOG+:%LOG_FILE% /FFT /L

Robocopy Usage Summary

Robocopy is a feature-rich and powerful file migration tool in Windows. The built-in help system (robocopy /?) provides the basic usage of each option, but it doesn’t thoroughly explain why and how to use these options.

Recently I discovered the best Robocopy guide (robocopy.doc) in the Windows Server 2003 Resource Kit Tools. To access this document without installing the kit, use 7-Zip to extract the rktools.exe file, then extract the rktools.msi file. Even though this document is for version XP010, it still applies to the version built into Windows 10.

I summarize some key information from this Robocopy document along with my usage experience below. It is highly recommended to read the full document if you have time.

What does Newer, Older or Extra mean?

File Class   In Source   In Destination   Source/Dest File Time   Source/Dest File Size   Source/Dest Attribute
-----------  ----------  ---------------  ----------------------  ----------------------  ---------------------
Lonely       Yes         No               n/a                     n/a                     n/a
Tweaked      Yes         Yes              Equal                   Equal                   Different
Same         Yes         Yes              Equal                   Equal                   Equal
Changed      Yes         Yes              Equal                   Different               n/a
Newer        Yes         Yes              Source > Dest           n/a                     n/a
Older        Yes         Yes              Source < Dest           n/a                     n/a
Extra        No          Yes              n/a                     n/a                     n/a
Mismatched   Yes (file)  Yes (Directory)  n/a                     n/a                     n/a

  • By default, Changed, Newer, and Older files are candidates for copying (subject to further filtering, as described later)
  • Same files are not copied
  • Extra and Mismatched files and directories are only reported in the output log
  • Tweaked files are neither identified nor copied by default - they are usually identified as Same files. Only when /IT is used are Tweaked files copied

Use /L option to test Robocopy command

After building a Robocopy command with the options I want, I append /L option at the end of the command.

The /L option lists files without copying, deleting, or applying a time stamp to any files.

Running the Robocopy command with the /L option, I can analyze the output to confirm the outcome before the real execution.

Should I use /Z, /B, or /ZB option?

  • /B – copy all files in Backup Mode. Enables you to copy some files as a Backup Operator that you would not be able to copy as a normal user. Backup mode copies are not restartable.
  • /ZB – try to copy files in Restartable Mode (for greater resiliency), and automatically switch to Backup Mode if the Restartable copy fails with an “Access Denied” error.
  • /Z, /B, or /ZB restart from close to the point of failure rather than from the beginning of the file. This can decrease Robocopy performance and throughput significantly, as these options involve extra overhead. These options are only recommended when experience indicates you really need them.

My comment: do not use them unless you are not able to copy a file or the network connection is unstable.

Robocopy reports that the file timestamps are different, even though they look the same in Windows Explorer.

This usually happens when copying files between a Windows NTFS volume and a third-party storage system.

The FAT file system stores file timestamps (modified date, etc.) with 2-second granularity.

The NTFS file system stores file timestamps with 100-nanosecond granularity.

File-time granularity is 100 nanoseconds on NTFS, and two seconds on FAT. So copying a file from NTFS to FAT causes file times to be rounded to a value that the FAT file system can manage. When both the source and destination volumes are NTFS, file times are compared exactly. When either the source or destination volume is not an NTFS volume, Robocopy considers file times to be identical if they are within two seconds of each other.

Some third-party operating systems declare that their volumes are NTFS, but only implement FAT-style file times with a 2-second granularity. When copying to such a destination from a true NTFS volume, file time rounding may occur, along with unnecessary copying of file data in subsequent jobs. In this situation, use /FFT (FAT File Time) to tell Robocopy to consider file times to be identical if they are within 2 seconds of each other, even though both source and destination appear to be NTFS. This eliminates unnecessary copying in this scenario.

/FFT is useful for copying to third-party storage systems (when copying from Windows-to-Windows NTFS storage, this option is not needed) that declare a volume to be NTFS but only implement file time with a 2-second granularity.

/FFT forces Robocopy to use FAT file-time granularity so that the utility uses a 2-second standard for comparing files. As long as files are time-stamped within a 2-second interval, Robocopy considers them identical and doesn’t copy them. (Source: WindowsITPro Robocopy FAQ)

Two-way file change synchronization

/XO excludes “Older” files.

To synchronize two directory trees so that they can be updated simultaneously in separate areas (ensuring that the latest files are present in both directory trees), first copy with /XO in one direction, and then in the other.
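To make the file classes, the 2-second /FFT tolerance, /XO and /IT concrete, here is an added Python model (my own code, not Robocopy’s) that classifies a source/destination pair the way the File Class table above describes and plans the two-way /XO synchronization just mentioned. The FileInfo fields and the sample trees are constructed for illustration; /PURGE handling of Extra files is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FAT_GRANULARITY_SECONDS = 2.0  # FAT-style file times; NTFS times compare exactly


@dataclass(frozen=True)
class FileInfo:
    """Constructed stand-in for a directory entry: mtime in seconds, size, attribute bits."""
    mtime: float
    size: int
    attrs: int = 0x20        # 0x20 = ARCHIVE, the usual attribute of a plain file
    is_dir: bool = False


def times_equal(src_time: float, dst_time: float, fft: bool) -> bool:
    """NTFS-to-NTFS compares exactly; /FFT (or a non-NTFS side) allows 2 seconds of slack."""
    if fft:
        return abs(src_time - dst_time) <= FAT_GRANULARITY_SECONDS
    return src_time == dst_time


def classify(src: Optional[FileInfo], dst: Optional[FileInfo], fft: bool = False) -> str:
    """Return the Robocopy file class for one relative path, per the File Class table."""
    if src is None and dst is None:
        raise ValueError("the path must exist on at least one side")
    if dst is None:
        return "Lonely"                      # only in source
    if src is None:
        return "Extra"                       # only in destination
    if src.is_dir != dst.is_dir:
        return "Mismatched"                  # file on one side, directory on the other
    if src.is_dir:
        return "Same"                        # directories are not compared by time/size here
    if not times_equal(src.mtime, dst.mtime, fft):
        return "Newer" if src.mtime > dst.mtime else "Older"
    if src.size != dst.size:
        return "Changed"                     # equal times, different sizes (the /CREATE case)
    if src.attrs != dst.attrs:
        return "Tweaked"                     # equal times and sizes, attributes differ
    return "Same"


def will_copy(file_class: str, xo: bool = False, it: bool = False) -> bool:
    """Default candidates: Lonely, Changed, Newer, Older. /XO drops Older; /IT adds Tweaked."""
    if file_class == "Older":
        return not xo
    if file_class == "Tweaked":
        return it
    return file_class in {"Lonely", "Changed", "Newer"}


Tree = Dict[str, FileInfo]   # relative path -> entry


def plan_copies(src: Tree, dst: Tree, xo=False, it=False, fft=False) -> List[Tuple[str, str]]:
    """(path, class) pairs Robocopy would copy from src into dst; Extra entries are only reported."""
    plan = []
    for path in sorted(set(src) | set(dst)):
        cls = classify(src.get(path), dst.get(path), fft=fft)
        if will_copy(cls, xo=xo, it=it):
            plan.append((path, cls))
    return plan


def two_way_sync_plan(tree_a: Tree, tree_b: Tree, fft=False):
    """The post's two-way synchronization: /XO from A to B, then /XO from B to A."""
    a_to_b = plan_copies(tree_a, tree_b, xo=True, fft=fft)
    after_first_pass = dict(tree_b)
    for path, _ in a_to_b:
        after_first_pass[path] = tree_a[path]     # simulate the first pass landing in B
    b_to_a = plan_copies(after_first_pass, tree_a, xo=True, fft=fft)
    return a_to_b, b_to_a


# Constructed sample trees: A has a newer x.txt, B has a newer y.txt and an extra z.txt.
TREE_A = {"x.txt": FileInfo(200.0, 5), "y.txt": FileInfo(100.0, 5)}
TREE_B = {"x.txt": FileInfo(100.0, 5), "y.txt": FileInfo(300.0, 7), "z.txt": FileInfo(50.0, 1)}

if __name__ == "__main__":
    a_to_b, b_to_a = two_way_sync_plan(TREE_A, TREE_B)
    print("A -> B:", a_to_b)   # [('x.txt', 'Newer')]
    print("B -> A:", b_to_a)   # [('y.txt', 'Newer'), ('z.txt', 'Lonely')]
```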

Exclude File or Directory by name

  • /XF file [file] excludes Files matching given names/paths/wildcards
  • /XD dirs [dirs] excludes Directories matching given names/paths
    • My comment: to exclude multiple directories, simply list them with spaces in between. If the path contains spaces, wrap it in double-quotes (“ ”). The most important thing is DO NOT EVER include a trailing “\” in the excluded paths.
  • /XF and /XD exclude files and directories before all other processing

Refresh security information without copying file data

  • /IS /COPY:SOU refreshes all security information for all selected files, without copying any file data

Directory fragmentation for large directories

/CREATE – Robocopy creates only the directory tree and zero-length files as placeholders for the actual files. No file data is copied.

By default (without /CREATE), for the first time copy, the directory entry for each file is created first, and then the file data is copied. If the directory tree contains large directories, however, this sequence can cause fragmentation of the directory structure.

Minimize directory fragmentation for large directories

Run Robocopy with /CREATE (along with whatever other options you intend to use) first, then run the same command again without /CREATE to copy the file data to the destination.

When using this technique, the zero-length files created by the initial /CREATE command are tagged as “Changed” files on the second run.

My comment: The Robocopy version XP010 document states the files are tagged as “Older” files on the second run. When I tested on Windows 7 Pro, it shows “Changed” instead. The “Changed” matches the description in the File Classes for Changed - Source & Destination file times are equal, but file sizes are different.

Install hotfix for Windows 7 and Server 2008 R2 built-in Robocopy

Install the hotfix in KB2639043 to fix the Discretionary Access Control Lists (DACLs) for files issue.

Using nmap to Test DNS Server Recursion

  1. Download the nmap binaries. For Windows, downloading the command-line zip file is sufficient.
  2. Unzip the zip file, and run the WinPcap and Visual C++ Redistributable Package installers included in the zip file
  3. Open a command prompt
  4. Run “nmap -sU -p 53 --script=dns-recursion <DNS_Server_IP>”
  5. If the server allows recursion, it shows “Recursion appears to be enabled”

To prevent the DNS server from being abused for DNS amplification attacks, disable DNS recursion on the public-facing DNS server. DNS recursion should stay enabled on the DNS server serving internal clients.

On a Windows DNS server, this can be done under the DNS server properties, Advanced tab, Server options, check the checkbox “Disable recursion (also disable forwarders)”

WinDNS.Disable.Recursion
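The dns-recursion check boils down to one protocol detail: send a query with the RD (recursion desired) bit set and see whether the reply carries the RA (recursion available) bit. The Python below is an added example (my own code, not nmap’s script) that builds such a query, decodes the reply header and, via check_server(), queries a server you administer; the SAMPLE_* packets and www.example.com are constructed values.

```python
import secrets
import socket
import struct

DNS_PORT = 53
RCODE_REFUSED = 5


def build_query(name: str, qtype: int = 1, recursion_desired: bool = True) -> bytes:
    """Build a minimal RFC 1035 query for `name` (class IN, type A by default).

    RD=1 asks the server to recurse on our behalf; whether it will is reported
    back in the RA bit of the reply header, which is what the check looks at."""
    txid = secrets.randbits(16)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the recursion check needs."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "rd": bool(flags & 0x0100),      # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),      # recursion available: the bit we test for
        "rcode": flags & 0x000F,
        "answers": an,
    }


def recursion_offered(query: bytes, response: bytes) -> bool:
    """True when the server answered *our* query with RA set and did not refuse it."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a response to this query")
    return r["ra"] and r["rcode"] != RCODE_REFUSED


def check_server(server_ip: str, name: str = "www.example.com", timeout: float = 3.0):
    """Send one recursive query to a server you administer and report the result:
    True = recursion offered, False = not offered, None = no reply within timeout."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, DNS_PORT))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return recursion_offered(query, response)


# Constructed sample headers (transaction id 0x1234) for an offline demonstration.
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
# QR=1 RD=1 RA=1 RCODE=0, one answer: the server recursed for us
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# QR=1 RD=1 RA=0 RCODE=5 (REFUSED): recursion disabled on the server
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    verdicts = {True: "Recursion appears to be enabled",
                False: "Recursion is not offered",
                None: "No reply (timed out)"}
    print(verdicts[check_server(sys.argv[1])])
```

A server with recursion disabled answers with RA=0 (some also return REFUSED), so the function reports False for both styles of refusal.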

Windows Server Message Block (SMB) Protocol

Versions

There are several different versions of SMB used by Windows operating systems:

SMB Version          Operating System                               Note
-------------------  ---------------------------------------------  -------------------------------------------------
CIFS                 Windows NT                                     superseded by SMB1
SMB 1.0 (or SMB1)    Windows 2000, XP, Server 2003, Server 2003 R2
SMB 2.0 (or SMB2)    Windows Vista (SP1 or later), Server 2008
SMB 2.1 (or SMB2.1)  Windows 7, Server 2008 R2
SMB 3.0 (or SMB3)    Windows 8, Server 2012
SMB 3.02 (or SMB3)   Windows 8.1, Server 2012 R2                    In Windows 8.1 and Server 2012 R2, the option to completely disable CIFS/SMB1 support is introduced. It is not the default configuration.
SMB 3.1.1            Windows 10, Server 2016

Negotiated Versions

Here’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:

OS                         Windows 8.1   Windows 8   Windows 7    Windows Vista   Previous
                           WS 2012 R2    WS 2012     WS 2008 R2   WS 2008         Version
-------------------------  ------------  ----------  -----------  --------------  --------
Windows 8.1 / WS 2012 R2   SMB 3.02      SMB 3.0     SMB 2.1      SMB 2.0         SMB 1.0
Windows 8 / WS 2012        SMB 3.0       SMB 3.0     SMB 2.1      SMB 2.0         SMB 1.0
Windows 7 / WS 2008 R2     SMB 2.1       SMB 2.1     SMB 2.1      SMB 2.0         SMB 1.0
Windows Vista / WS 2008    SMB 2.0       SMB 2.0     SMB 2.0      SMB 2.0         SMB 1.0
Previous Version           SMB 1.0       SMB 1.0     SMB 1.0      SMB 1.0         SMB 1.0

* WS = Windows Server

Check SMB Version

In Windows 8 or Windows Server 2012 or later, a new PowerShell cmdlet can easily tell what version of SMB the client has negotiated with the file server. For Windows versions prior to Windows 8, there is no easy way: you need to use Network Monitor, Message Analyzer (recommended) or Wireshark to capture and inspect the packets.

To check the negotiated SMB version between the client and file server

  1. Access a remote file server (or create a new mapping to it)
  2. Use Get-SmbConnection

To check the SMB version on the local computer

  1. dir \\localhost\c$
  2. Get-SmbConnection –ServerName localhost
    • run the Get-SmbConnection cmdlet within 10 seconds after the dir command
    • the SMB client will tear down the connections if there is no activity

ps_getsmbconnection

Recommendation

Microsoft strongly encourages updating to the latest version of SMB. However, be aware of compatibility with older Windows operating systems and third-party application implementations.

  • VMware
    • vCenter Server Appliance 5.5.x / 6.0.x and vRealize Automation 6.2.x support SMB1 only (KB2134063)

Source

Microsoft Jose Barreto’s Blog

Windows Server 2016 Licensing Change

Here is a short summary of the changes in Windows Server 2016 licensing compared with Windows Server 2012.

  • Windows Server 2016 licensing is based on CPU cores, not CPU sockets. One license pack covers 2 CPU cores.
  • Windows Server 2016 licensing has a minimum of 8 cores (4 packs) per processor, and a minimum of 16 cores (8 packs) per system. If a server has a single CPU with 4 cores, it still requires a 16-core (8-pack) license to run Windows Server 2016.
  • Windows Server 2016 Standard and Datacenter editions differ functionally. For example, the following are only available in the Datacenter edition
    • Storage Space Direct (S2D)
    • Storage Replica
    • Shielded Virtual Machines / Host Guardian Service
    • Network Controller
  • Windows Server 2016 licensing with Software Assurance allows the license to be moved to Azure

Windows 8 Tools

Troubleshoot PEAP Authentication

Environment:

Wireless PEAP with Windows Active Directory domain authentication is configured. (see http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-peap-authentication/6148543 for the setup detail).

Windows Server 2003 with a self-signed digital certificate as the RADIUS server.

Wireless access managed by the Active Directory “WiFi Users” security group.

Access Point: Cisco WAP4410N with firmware 2.0.5.3

Access Point Configuration:

  • Discovery (By Bonjour): Enabled
  • Wireless Security Mode: WPA2-Enterprise Mixed (WPA Algorithm: TKIP or AES)
  • Primary RADIUS Server: Windows Server 2003 RADIUS server IP address
  • Primary RADIUS Server Port: 1812
  • Wireless Connection Control (MAC address filter): Disabled

Problem:

The users in the Active Directory “WiFi Users” security group were able to authenticate and access the wireless network with wireless devices (iPhone, iPad, Windows Phone 7.5, Windows XP with SP3, Windows 7, Mac OS X, etc.) configured for PEAP authentication. One day in August 2012, the Windows Server 2003 RADIUS server was updated with the latest Microsoft security updates. After that, only iOS devices (maybe Mac OS X too) could authenticate and access the wireless network; all Windows-based devices kept getting connection failures even though the configuration and authentication settings were correct.

Troubleshoot:

The RADIUS server System log shows a warning from source IAS, event ID 2. The user was denied access; Reason-Code = 266; Reason = The message received was unexpected or badly formatted.

Solution:

Scenario 2 in the KB article (http://support.microsoft.com/kb/933430) matches this issue. Using method 3 in the KB article resolved the problem.

Delete “Account Unknown” Local User Profiles

Issue:

On Windows XP or Server 2003, under Control Panel / System / Advanced / User Profiles / Settings, there are some “Account Unknown” user profiles, but the Delete button is grayed out. And when trying to delete the profile from the “c:\documents and settings” folder, the error message is “Cannot delete NTUSER.DAT: It is being used by another person or program. Close any programs that might be using the file and try again.”

Solution:

  1. Install “User Profile Hive Cleanup Service” (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6676)
  2. Run uphclean.exe
  3. Then the “Delete” button becomes available


Note: the User Profile Deletion Utility (delprof.exe) (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5405) cannot delete the “Account Unknown” profile, but it is useful for cleaning up normal user profiles while their accounts are still active. (delprof.exe /p /c:\\servername)

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “ Use WinSCP to Transfer Files in vCSA 6.5 ”. When I try the same SFTP server setting in vCSA 6.7...