Category Archives: Expert advice on Windows based systems and hardware

Server Core management remains a challenge for some

Server Core introduced a number of benefits to IT, but certain hurdles have stymied its progress in the enterprise.

Microsoft unveiled Server Core with Windows Server 2008. It wasn’t a new operating system, but a slimmed-down version of the full server OS. Server Core removed the GUI, but kept its infrastructure functionality. This reduced the codebase and brought several advantages: a smaller attack surface, fewer patches, quicker installs and more reliability.

But the lack of a GUI also made Server Core management a challenge. The absence of a traditional Windows interface took away the comfort level for the admin when it came to deployments and overall use of the operating system.

Administrators missed the interface because, while the command line was not a complete mystery to them, using it to manage every aspect of the OS was new. The strong emphasis on PowerShell for controlling this OS added to the discomfort: a new language arrived at the same time as Server Core, and many admins felt unwelcome in this new world.

Server Core management with PowerShell and the command prompt are two very different things. Beyond the syntax, batch scripting in cmd.exe is linear text processing, while PowerShell is an object-oriented shell: cmdlets pass typed .NET objects down the pipeline rather than strings. The cmd.exe prompt (still widely called the MS-DOS prompt) has been around far longer, but has not kept up with the features and functionality of newer Windows operating systems. Microsoft extended scripting after cmd.exe with Visual Basic Script (VBS), but that brought security problems in the form of VBS-based viruses. Microsoft developed PowerShell to provide extensive functionality with fewer of those liabilities, with cmdlets tightly integrated into its newest operating systems for both basic and advanced tasks, something cmd.exe and VBS lacked. One caveat a practitioner should keep in mind: PowerShell's execution policy is a convenience feature, not a security boundary, so a hardened Server Core host still needs tightly controlled administrative access and script block logging rather than reliance on the policy setting.

Microsoft aids learning efforts

PowerShell is the predominant command-line language for Windows. The cmd.exe prompt still exists but has seen few updates to its core. Microsoft set this course in later versions of Windows Server: many of the traditional server configuration wizards can show the PowerShell code for the actions the administrator carries out in the GUI. This capability changed the game for administrators with limited programming experience or little time to learn PowerShell scripting. Rather than write scripts from scratch, IT pros can take the generated code and adapt it to other servers, a step up from copying examples from the Internet that only work under very specific conditions or environments.

Microsoft also spurred Server Core adoption by improving remote management in later server OS versions through the Server Manager console. Windows Server always offered some remote management, but from Windows Server 2012 onward the much stronger focus meant an admin could use a single GUI-based server to handle Server Core management for dozens, or even hundreds, of installations of the minimal operating system over the network. This kept the GUI admins were familiar with while letting the enterprise take advantage of more Server Core deployments. They did not get the full benefit of what PowerShell and other automation tools can do, but this move helped admins get started with Server Core.
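The remote-management model described above works just as well from a PowerShell prompt as from Server Manager. The following is an added example, not code from the original article: it inventories a set of Server Core hosts over PowerShell remoting from one management workstation, reporting installation type, build, installed roles and patch age, and flags hosts that are not actually Server Core or have gone unpatched. It assumes WinRM is enabled on the targets (the default on Windows Server), that the hosts are domain-joined and that the caller is a local administrator on them; the host names are placeholders.

```powershell
# Added example: inventory Server Core hosts over PowerShell remoting.
# Assumptions: WinRM listeners are up, hosts are domain-joined, caller is local admin.
$servers = 'core01', 'core02', 'core03'    # constructed placeholder host list

# Only talk to hosts whose WinRM listener answers; Test-WSMan errors otherwise.
$reachable = foreach ($s in $servers) {
    try   { Test-WSMan -ComputerName $s -ErrorAction Stop | Out-Null; $s }
    catch { Write-Warning "WinRM not reachable on ${s}: $($_.Exception.Message)" }
}
if (-not $reachable) { throw 'No hosts reachable over WinRM.' }

# One round trip per host; everything inside the script block runs on the target.
$report = Invoke-Command -ComputerName $reachable -ScriptBlock {
    # InstallationType is 'Server Core' on a Core install and 'Server' on Desktop Experience.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $roles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        InstallType    = $nt.InstallationType
        Build          = $nt.CurrentBuild
        RolesInstalled = ($roles.Name -join ',')
        LastHotfix     = $lastFix.HotFixID
        LastHotfixDate = $lastFix.InstalledOn
        # Component Based Servicing leaves this key behind when a reboot is pending.
        PendingReboot  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    }
}

$report | Sort-Object LastHotfixDate | Format-Table Host, InstallType, Build, LastHotfix, LastHotfixDate, PendingReboot, RolesInstalled -AutoSize

# Flag anything that is not really Server Core, or has not taken a hotfix in 45 days.
$cutoff = (Get-Date).AddDays(-45)
$report | Where-Object { $_.InstallType -ne 'Server Core' -or -not $_.LastHotfixDate -or $_.LastHotfixDate -lt $cutoff } |
    ForEach-Object { Write-Warning "$($_.Host): InstallType=$($_.InstallType) LastHotfixDate=$($_.LastHotfixDate)" }
```

Because the work happens inside `Invoke-Command`, the script block is serialized once and the results come back as deserialized objects, so adding another property (a service state, a certificate expiry) is a one-line change rather than a new tool.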

When administrators start with Server Core, it helps to take the long-term view. How far do you want to go with it? Some companies that implement Server Core will be content with remote management, but PowerShell unlocks the full potential of this server OS deployment.

Admins new to PowerShell have a learning curve to overcome, but a few things help. Editors such as Notepad++ make PowerShell code easier to work with through syntax highlighting. Another tool is Microsoft's PowerShell Integrated Scripting Environment (ISE), which can run individual code blocks and commands and step through them in a debugger, which makes tracking down problems considerably easier.

Server Core should only grow in popularity. Microsoft runs workloads on its new Azure Stack on Server Core. Administrators should consider its use just for the reduced patching workload.

In Windows Server 2016, the default installation is Server Core, and administrators need to manually select a different option to get the full server GUI setup. Also removed from Windows Server 2016 is the ability to install a desktop onto Server Core after deployment.

With the enhancements to remote management, the future is clear for the Microsoft server OS — and it’s without a GUI.

 

How does Data Protection Manager 2016 save and restore data?

on the DPM server. But administrators have flexibility to put those backups on storage that is located — and partitioned — elsewhere.

To get started, IT administrators install a DPM agent on every computer to protect, then add that machine to a protection group in DPM. A protection group is a collection of computers that all share the same protection settings or configurations, such as the group name, protection policy, disk target and replica method.

After the agent installation and configuration process, DPM produces a replica for every protection group member, which can include volumes, shares, folders, Exchange storage groups and SQL Server databases. System Center Data Protection Manager 2016 builds replicas in a provisioned storage pool.

After DPM generates the initial replicas, its agents track changes to the protected data and send that information to the DPM server. DPM will then use the change journal to update the file data replicas at the intervals specified by the configuration. During synchronization, any changes are sent to the DPM server, which applies them to the replica.

DPM also periodically checks the replica for consistency with block-level verification and corrects any problems in the replica. Administrators can set recovery points for a protection group member to create multiple recoverable versions for each backup.

Application data backups require additional planning

Application data protection can vary based on the application and the selected backup type. Administrators need to be aware that certain applications do not support every DPM backup type. For example, Microsoft Virtual Server and some SQL Server databases do not support incremental backups.

For a synchronization job, System Center Data Protection Manager 2016 tracks application data changes and moves them to the DPM server, similar to an incremental backup. Updates are combined with the base replica to form the complete backup.

For an express full backup job, System Center Data Protection Manager 2016 uses a complete Volume Shadow Copy Service snapshot, but transfers only changed blocks to the DPM server. Each full backup creates a recovery point for the application’s data.

Generally, incremental synchronizations are faster to back up but can take longer to restore, because a restore has to replay the collected changes onto the base replica. To balance the time needed to restore content, DPM periodically creates express full backups that fold in the collected changes, which speeds up recovery. DPM supports up to 64 recovery points for each file member of a protection group; for application data it supports up to 448 express full backups and up to 96 incremental backups for each express full backup.

The DPM recovery process is straightforward regardless of the backup type or target. Administrators select the desired recovery point with the Recovery Wizard in the DPM Administrator Console, and DPM restores the data from that point to the chosen target or destination. The Recovery Wizard shows the location and availability of the backup media. If the backup media, such as a tape, is not available, the restore fails, so media availability is worth checking before a restore is needed rather than during one.
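The replica, recovery point and media checks described in this section can be scripted from the DPM Management Shell. The following is an added example and is not code from the article or from Microsoft: it lists the newest recovery point for every protected data source, flags data sources that are stale or whose copies exist only on tape (where a restore depends on the cartridge being in the library), and optionally forces an express full backup for the stale ones. It assumes a DPM 2016 server, that the caller runs in the DPM Management Shell, and that the recovery point objects expose the properties `RepresentedPointInTime` and `DataLocation` under those names (assumed here; confirm with `Get-Member` on your server). The server name is a placeholder.

```powershell
# Added example: audit DPM recovery points per data source and optionally create fresh ones.
# Assumes DPM 2016 Management Shell; property names RepresentedPointInTime / DataLocation are assumed.
param([switch]$Fix)    # run with -Fix to create recovery points for stale data sources

$dpm = 'dpm01.corp.example'             # placeholder DPM server name
Connect-DPMServer -DPMServerName $dpm | Out-Null
$staleBefore = (Get-Date).AddHours(-26) # older than a daily cycle plus slack counts as stale

$rows = foreach ($pg in Get-DPMProtectionGroup -DPMServerName $dpm) {
    foreach ($ds in Get-DPMDatasource -ProtectionGroup $pg) {
        $rps    = @(Get-DPMRecoveryPoint -Datasource $ds)
        $latest = $rps | Sort-Object RepresentedPointInTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Group      = $pg.FriendlyName
            Server     = $ds.Computer
            Datasource = $ds.Name
            Points     = $rps.Count
            Latest     = $latest.RepresentedPointInTime
            Location   = $latest.DataLocation      # Disk, Tape or Online (assumed values)
            Stale      = (-not $latest) -or ($latest.RepresentedPointInTime -lt $staleBefore)
            # True when there is at least one point and none of them is on anything but tape.
            OnlyTape   = ($rps.Count -gt 0) -and -not ($rps | Where-Object DataLocation -ne 'Tape')
            Object     = $ds
        }
    }
}

$rows | Format-Table Group, Server, Datasource, Points, Latest, Location, Stale, OnlyTape -AutoSize

# A restore from tape fails if the cartridge is not in the library, so call these out.
$rows | Where-Object OnlyTape |
    ForEach-Object { Write-Warning "$($_.Server)\$($_.Datasource): no disk copy, restore depends on tape" }

if ($Fix) {
    foreach ($r in ($rows | Where-Object Stale)) {
        Write-Host "Creating recovery point for $($r.Server)\$($r.Datasource)"
        # Application data sources take -BackupType ExpressFull; file data sources take
        # -DiskRecoveryPointOption WithSynchronize instead, so fall back when the first form is rejected.
        try   { New-DPMRecoveryPoint -Datasource $r.Object -Disk -BackupType ExpressFull -ErrorAction Stop | Out-Null }
        catch { New-DPMRecoveryPoint -Datasource $r.Object -Disk -DiskRecoveryPointOption WithSynchronize | Out-Null }
    }
}

Disconnect-DPMServer -DPMServerName $dpm
```

Run it without `-Fix` on a schedule to catch protection groups that silently stopped producing recovery points; the `OnlyTape` warning is the scripted version of the "media not available" failure the Recovery Wizard would otherwise surface only at restore time.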

Windows Server hardening still weighs heavily on admins

In these heady times of software-defined technologies and container virtualization, many IT professionals continue to grapple with an issue that has persisted since the advent of the server: security.

Ever since businesses discovered the advantages of sharing resources in a client-server arrangement, there have also been intruders attempting to bypass the protections at the perimeter of the network. These attackers angle for any weak point — outdated protocols, known vulnerabilities in unpatched systems — or go the direct route and deliver a phishing email in the hopes that a user will click on a link to unleash a malicious payload onto the network.

Windows Server hardening remains top of mind for most admins. Just as there are many ways to infiltrate a system, there are multiple ways to blunt those attacks. The following compilation highlights the most-viewed tutorials on SearchWindowsServer in 2017, several of which addressed the ways IT can reduce exposure to a server-based attack.

5. Manage Linux servers with a Windows admin’s toolkit

While not every Windows administrator is comfortable away from the familiarity of point-and-click GUI management tools, more in IT are taking cues from the world of DevOps to implement automation routines.

It took a while, but Microsoft eventually realized that spurning Linux also steered away potential customers. About 40% of the workloads on the Azure platform run some variation of Linux, Microsoft is a Platinum member of the Linux Foundation, and the company released SQL Server for Linux in September.

Many Windows shops now have a sprinkling of servers that use the open source operating system, and those administrators must figure out the best way to manage and monitor those Linux workloads. The cross-platform PowerShell Core management and automation tool promises to address this need, but until the offering reaches full maturity, this tip provides several options to help address the heterogeneous nature of many environments.

4. Disable SMB v1 for further Windows Server hardening

Unpatched Windows systems are tempting targets for ransomware and the latest malware du jour, Bitcoin miners.

A layered security approach helps, but it’s even better to pull out threat enablers by the roots to blunt future attacks. Long before the 2017 ransomware outbreaks that hinged on an exploit against Server Message Block (SMB) v1 and locked up thousands of Windows machines around the world, administrators had been warned to disable the outdated protocol. Disabling SMB v1 removes the attack surface those exploits need, but it is not a substitute for installing the SMB security updates; do both. This tip details the techniques to search for signs of SMB v1 and how to extinguish it from the data center.
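The search-and-remove procedure above, as an added example that is not code from the tip itself: it reports the SMB v1 state on a set of file servers, turns on SMB v1 access auditing so you can see which clients still depend on it before cutting them off, reads the audit events back, and finally disables the protocol, removes the feature binaries and detaches the SMB v1 redirector on the client side (the `sc.exe` commands are the ones Microsoft documents for that purpose). It assumes Windows Server 2012 R2 or 2016 targets reachable over PowerShell remoting; host names are placeholders, and the `AuditSmb1Access` setting and the audit event log exist only on Windows Server 2016 and later.

```powershell
# Added example: find, audit and remove SMB v1 on a set of Windows Server hosts.
# Assumptions: targets reachable over WinRM, caller is local admin, 2012 R2 / 2016 targets.
$servers = 'fs01', 'fs02'    # constructed placeholder host list

# Step 1: where does SMB v1 still exist?
Invoke-Command -ComputerName $servers -ScriptBlock {
    $cfg  = Get-SmbServerConfiguration
    $feat = Get-WindowsFeature -Name FS-SMB1     # the feature binary, separate from the protocol switch
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Smb1Server  = $cfg.EnableSMB1Protocol
        Smb1Feature = $feat.Installed
        Smb1Audit   = $cfg.AuditSmb1Access         # $null on 2012 R2, which has no audit switch
    }
} | Format-Table -AutoSize

# Step 2 (Server 2016+): audit SMB v1 connections for a week before disabling anything.
Invoke-Command -ComputerName $servers -ScriptBlock {
    try { Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction Stop }
    catch { Write-Warning "$env:COMPUTERNAME cannot audit SMB1 access: $($_.Exception.Message)" }
}

# Step 3: list the clients the audit caught. Event 3000 in the SMBServer/Audit log
# carries the client address in its message text; the regex below assumes that format.
$smb1Clients = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $client = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{ Host = $env:COMPUTERNAME; Time = $_.TimeCreated; Client = $client }
        }
}
$smb1Clients | Group-Object Host, Client | Select-Object Count, Name | Format-Table -AutoSize

# Step 4: once the audit is clean, disable the protocol and remove the bits.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # immediate, no reboot
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null               # removes the server binaries; reboot at next window
    # Client side: stop the workstation service depending on the SMB v1 redirector.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}
```

Keep step 4 separate from steps 1 to 3: an old printer, scanner or backup appliance that only speaks SMB v1 will show up in the audit log, and it is far cheaper to find it there than in a helpdesk ticket after the protocol is gone.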

3. Microsoft LAPS puts a lock on local admin passwords

For the sake of convenience, many Windows shops use the same local administrator password on every machine. While this practice helps administrators with troubleshooting and configuration, it’s also tremendously insecure: if that credential falls into the wrong hands, an intruder can roam through the network from machine to machine until they obtain ultimate system access, domain administrator privileges. Microsoft introduced its Local Administrator Password Solution (LAPS) in 2015 to help Windows Server hardening efforts by giving every machine a unique, regularly rotated password. Note that the 2015 version stores each password in an Active Directory attribute in cleartext, readable by any principal granted that right, so controlling and auditing who can read that attribute becomes the control that matters. This explainer details the underpinnings of LAPS and how to tune it for your organization’s needs.
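As an added example (not code from the explainer, nor from the LAPS product itself), the script below audits who can read LAPS-managed passwords in each OU, grants the machines the right to write their own password and expiry attributes, delegates read access to a designated group, and shows a break-glass retrieval followed by a forced rotation. It uses the `AdmPwd.PS` module that ships with the 2015 LAPS installer (the newer Windows LAPS built into Windows uses a different module and cmdlets). It assumes the LAPS schema extension has been applied and the caller has the AD rights to read ACLs and delegate permissions; OU paths, group names and the computer name are placeholders.

```powershell
# Added example: audit and delegate LAPS read rights with the AdmPwd.PS module.
# Assumptions: legacy LAPS schema in place; caller can read OU ACLs and delegate rights.
Import-Module AdmPwd.PS

$ouList   = 'OU=Servers,DC=corp,DC=example', 'OU=Workstations,DC=corp,DC=example'   # placeholders
$expected = 'CORP\Domain Admins', 'CORP\LAPS-Readers'   # principals allowed to read ms-Mcs-AdmPwd

# Find-AdmPwdExtendedRights lists every principal holding "All extended rights" on the OU,
# which includes the right to read the cleartext password attribute.
foreach ($ou in $ouList) {
    Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers | ForEach-Object {
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($expected -notcontains $holder) {
                Write-Warning "$($_.ObjectDN): unexpected read-password holder '$holder'"
            }
        }
    }
}

# Delegation, idempotent so it is safe to re-run from a build pipeline:
# machines may write their own password/expiry, the reader group may read it.
foreach ($ou in $ouList) {
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\LAPS-Readers' | Out-Null
}

# Break-glass use: read one password, use it, then expire it so the next GPO refresh rotates it.
$pw = Get-AdmPwdPassword -ComputerName 'srv01'
"{0}: password expires {1}" -f $pw.ComputerName, $pw.ExpirationTimestamp
# $pw.Password holds the cleartext value; avoid writing it to logs or transcripts.
Reset-AdmPwdPassword -ComputerName 'srv01' -WhenEffective (Get-Date)
```

The audit loop is the part worth scheduling: delegation drifts as OUs are reorganised, and a helpdesk group that was granted "All extended rights" for some unrelated reason silently becomes a LAPS password reader.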

2. Chocolatey sweetens software installations on servers

Microsoft offers a number of tools to install applications, but a package manager streamlines the process through automated routines that pull in the right version of the software and make upgrades less of a chore. This tip walks administrators through the features of the Chocolatey package manager, ways to automate software installations and how an enterprise with special requirements, such as verifying package sources and checksums before anything is installed, can develop a more secure deployment method.

1. Reduce risks through managed service accounts

Most organizations employ service accounts for enterprise-grade applications such as Exchange Server or SQL Server. These accounts provide the elevated authorizations needed to run the program’s services. To avoid downtime, administrators quite often either never set the service account password to expire or reuse the same password across every service account. Needless to say, this makes less work for an industrious intruder: one captured service credential opens several systems and never goes stale. A managed service account hands the password over to Active Directory, which generates a long random value and rotates it automatically (every 30 days by default) without administrative intervention, so no person ever needs to know or type it. This tip explains how to use this feature to lock down these accounts as part of IT’s overall Windows Server hardening efforts.
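The following is an added example (not code from the tip) of the two halves of that work: first find the conventional service accounts that never rotate, then replace one with a group managed service account (gMSA) whose password Active Directory generates and rotates on its own. It assumes the `ActiveDirectory` module, a domain at Windows Server 2012 functional level or higher and Domain Admin rights for the one-time KDS root key step; account, host and group names are placeholders.

```powershell
# Added example: inventory stale service accounts and create a gMSA to replace one.
# Assumptions: ActiveDirectory module, 2012+ domain functional level, Domain Admin for Add-KdsRootKey.
Import-Module ActiveDirectory

# 1. Inventory: user accounts with an SPN (so they are used as service identities)
#    whose password never expires or has not changed in over a year.
$stale = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
            -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt (Get-Date).AddYears(-1) } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
$stale | Format-Table -AutoSize

# 2. One-time per forest: the KDS root key from which gMSA passwords are derived.
#    -EffectiveImmediately is for labs; in production allow ~10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 3. Create the gMSA. Only members of the named group can retrieve its password,
#    and the interval is fixed at creation time.
$hostsGroup = 'gMSA-SQLHosts'    # placeholder AD group containing the SQL Server computer accounts
New-ADServiceAccount -Name 'svc-sql01' -DNSHostName 'svc-sql01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup `
    -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example:1433' `
    -ManagedPasswordIntervalInDays 30

# 4. On the SQL host itself (after a reboot so the new group membership is in its token):
#    Install-ADServiceAccount -Identity svc-sql01
#    Test-ADServiceAccount -Identity svc-sql01   # returns True when the host can fetch the password
#    then configure the service to log on as CORP\svc-sql01$ with an empty password.
```

Step 1 is deliberately conservative: an SPN-bearing account with `PasswordNeverExpires` set is exactly the target the tip describes, and the list it produces is the migration backlog for steps 2 to 4.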

What are the key System Center DPM 2016 features?

There are many commercial data protection tools, but Microsoft updated System Center Data Protection Manager 2016 with a number of enterprise-grade features to aid IT pros in their backup and recovery efforts.

System Center DPM 2016 protects and restores data resources deployed in multiple ways — at the system, file, application and VM levels — across the organization to give IT enormous flexibility and granularity in data protection policies and practices.

At the system level, System Center DPM 2016 creates bare-metal backups for 32- and 64-bit client systems that run Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10. System Center DPM 2016 protects 32- and 64-bit server systems on Windows Storage Server 2008, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 with SP1, Windows Server 2012 R2 and Windows Server 2016.

But backups are not an all-or-nothing proposition. DPM also protects at the file level to back up system volumes, folders and individual files on Windows systems.

At the application level, DPM provides native backup and restoration services for major enterprise applications. DPM covers SQL Server, including SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, SQL Server 2012 with SP1, SQL Server 2012 with SP2, SQL Server 2014 and SQL Server 2016. DPM also protects Exchange Server, including Exchange 2007, Exchange 2010, Exchange 2013 and Exchange 2016. DPM supports backups for SharePoint, including SharePoint 2007, SharePoint 2010, SharePoint 2013 and SharePoint 2016. DPM 2016 also protects System Center Virtual Machine Manager (VMM), specifically VMM 2012 and VMM 2016 — along with the SP1 and R2 versions.

DPM 2016 supports backup and restoration of VMs in Windows environments. Administrators deploy DPM protection agents in Hyper-V host servers, Hyper-V clusters and individual VMs. DPM safeguards VMs that run Windows Server 2008, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. DPM also protects Linux that runs as a Hyper-V guest operating system.

DPM 2016 supports three principal backup targets: disk, cloud and tape. Disk is the most common and traditional target. The administrator can enlist pools of low-cost, high-volume disks, such as Serial Advanced Technology Attachment (SATA) or Serial-Attached SCSI (SAS), for backup tasks. For additional resilience, the IT admin can replicate this disk storage to an off-site location, such as a secondary data center, so that a loss of the primary site does not also take the backups with it.

DPM 2016 hooks into the public cloud — specifically through the Azure Backup service — as a backup target. This feature gives the enterprise flexibility and satisfies the need for off-premises storage. While the traditional disadvantages of tape storage mean many organizations have moved on to other options, DPM 2016 works with local and remote tape storage.

A key feature of DPM 2016 is its restoration flexibility. Admins can restore data to its original location. However, if that is not possible or desirable, DPM gives the option to rebuild data to alternate destinations or targets.

In System Center DPM 2016, Microsoft introduced what it calls Modern Backup Storage on machines that run Windows Server 2016. The company says this storage model, which uses Resilient File System (ReFS) block cloning and VHDX files, cuts storage needs by 50 percent and makes backups three times faster. Microsoft also added support for Hyper-V resilient change tracking (RCT), which backs up only changed blocks and removes the need for consistency checks in scenarios such as VM migration.

Azure Backup service adds layer of data protection

more important to have a solid backup strategy for company data and workloads. Microsoft’s Azure Backup service has matured into a product worth considering due to its centralized management and ease of use.

Whether it’s ransomware or other kinds of malware, the potential for data corruption is always lurking. That means that IT admins need a way to streamline backup procedures with the added protection and high availability made possible by the cloud.

Azure Backup protects on-premises workloads, such as SharePoint, SQL Server, Exchange, file servers, client machines and VMs, and cloud resources such as infrastructure-as-a-service VMs, into one Recovery Services vault with solid data protection and restore capabilities. Administrators can monitor and start backup and recovery activities from a single Azure-based portal. After the initial setup, this arrangement lightens the burden on IT because off-site backups require minimal time and effort to maintain.

How Azure Backup works

The Azure Backup service stores data in what Microsoft calls a Recovery Services vault, the central storage locker for the service whether the backup sources are in Azure or on premises.

The administrator needs to create the recovery vault before the Azure Backup service can be used. From the Azure console, select All services, type in Recovery Services and select Recovery Services vaults from the menu. Click Add, give it a name, associate it with an Azure subscription, choose a resource group and location, and click Create.

From there, to back up on-premises Windows Server machines, open the vault and click the Backup button. Azure will prompt for certain information: whether the workload is on premises or in the cloud and what to back up — files and folders, VMs, SQL Server, Exchange, SharePoint instances, system state information, and data to kick off a bare-metal recovery. When this is complete, click the Prepare Infrastructure link.

Configure backup for a Windows machine

The Microsoft Azure Recovery Services Agent (MARS) handles on-premises backups. Administrators download the MARS agent from the Prepare Infrastructure link, which also supplies the vault credentials file, and install it on the machines to protect. During registration the agent uses that credentials file to link the on-premises machine to the Azure subscription and its Recovery Services vault. Registration also asks for an encryption passphrase: backups are encrypted with it before they leave the machine, Microsoft never holds a copy, and a lost passphrase means unrecoverable backups, so store it somewhere other than the server it protects.
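The vault creation and MARS registration steps above, as an added example rather than code from the article: it creates the Recovery Services vault with the current `Az.RecoveryServices` module (the portal steps above predate the Az module name), sets the storage redundancy before anything is protected, turns on soft delete, downloads the vault credentials, and then, on the on-premises server, registers the MARS agent and defines a files-and-folders backup policy with the `MSOnlineBackup` module the agent installs. Resource names, the path and the passphrase are placeholders; soft delete is a vault feature added after the article was written.

```powershell
# Added example: create a Recovery Services vault and register a server with MARS.
# Placeholders: resource group, region, vault name, backup path, passphrase.

# ---- Part 1: run where the Az modules are installed ----
Import-Module Az.RecoveryServices
Connect-AzAccount | Out-Null

$rg = 'rg-backup'; $location = 'westeurope'; $vaultName = 'rsv-corp'
$vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -Location $location

# Redundancy can only be changed while the vault is empty: geo-redundant costs more
# but survives a regional outage, locally redundant does not.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Soft delete keeps deleted backup data for a further 14 days, so a stolen admin
# credential cannot destroy the history outright.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable | Out-Null

# The credentials file is a registration secret valid for 48 hours: protect it, then delete it.
$cred = Get-AzRecoveryServicesVaultSettingsFile -Vault $vault -Path 'C:\Temp' -Backup
"Vault credentials written to $($cred.FilePath)"

# ---- Part 2: run on the on-premises server after installing the MARS agent ----
Import-Module MSOnlineBackup
Start-OBRegistration -VaultCredentials $cred.FilePath -Confirm:$false

# The passphrase is the encryption key for everything this agent uploads.
$passphrase = ConvertTo-SecureString -String 'replace-with-a-long-random-passphrase' -AsPlainText -Force
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Files-and-folders policy: D:\Data nightly at 22:00, kept for 30 days.
$policy = New-OBPolicy
$spec   = New-OBFileSpec -FileSpec 'D:\Data'
Add-OBFileSpec -Policy $policy -FileSpec $spec | Out-Null
$sched  = New-OBSchedule -DaysOfWeek Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday -TimesOfDay 22:00
Set-OBSchedule -Policy $policy -Schedule $sched | Out-Null
$ret    = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $ret | Out-Null
Set-OBPolicy -Policy $policy -Confirm:$false

Start-OBBackup -Policy $policy   # initial seed; later runs follow the schedule
Remove-Item $cred.FilePath -Force   # the registration secret is no longer needed
```

The two decisions that cannot be undone cheaply, redundancy and the passphrase, are the ones made before the first byte is uploaded, which is why they sit at the top of each part rather than being left to defaults.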

Azure Backup pricing

Microsoft determines Azure Backup pricing based on two components: the number of protected VMs or other instances — Microsoft charges for each discrete item to back up — and the amount of backup data stored within the service. The monthly pricing is:

  • for instances up to 50 GB, each instance is $5 per month, plus storage consumed;
  • for instances more than 50 GB, but under 500 GB, each instance is $10, plus storage consumed; and
  • for instances more than 500 GB, each instance is $10 per nearest 500 GB increment, plus storage consumed.

Microsoft bases its storage prices on block blob storage rates, which vary based on the Azure region. While it’s less expensive to use locally redundant blobs than geo-redundant blobs, local blobs are less fault-tolerant. Restore operations are free; Azure does not charge for outbound traffic from Azure to the local network.

Pros and cons of the Azure Backup service

The service has several features that are beneficial to the enterprise:

  • There is support to back up on-premises VMware VMs. Even though Azure is a Microsoft cloud service, the Azure Backup product will take VMware VMs as they are and back them up; this path goes through Microsoft Azure Backup Server rather than the MARS agent. It’s possible to install the agent inside the VM on the Windows Server workload, but it’s neater and cleaner to just back up the VM.
  • Administrators manage all backups from one console regardless of the target location. Microsoft continually refines the management features in the portal, which is very simple to use.
  • Azure manages storage needs and automatically adjusts as required. This avoids the challenges and capacity limits associated with on-premises backup tapes and hard drives.

The Azure Backup service isn’t perfect, however.

  • It requires some effort to understand pricing. Organizations must factor in what it protects and how much storage those instances will consume.
  • The Azure Backup service supports Linux, but it requires the use of a customized copy of System Center Data Protection Manager (DPM), shipped as Microsoft Azure Backup Server, which is more laborious compared to the simplicity and ease of MARS.
  • Backing up Exchange, SharePoint and SQL workloads requires the DPM version that supports those products. Microsoft includes it with the service costs, so there’s no separate licensing fee, but it still requires more work to deploy and understand.

The Azure Backup service is one of the more compelling administrative offerings from Microsoft. I would not recommend it as a company’s sole backup product — local backups are still very important, and even more so if time to restore is a crucial metric for the enterprise — but Azure Backup is a worthy addition to a layered backup strategy.

Use SCVMM to diagram VM network connectivity

host were commonly all connected to a single virtual switch, which was tied to a physical network interface card or network interface card team.

Over time, however, virtualized networks have become far more complex. No longer is it the norm for VMs to share a single, common virtual network. Instead, a virtualized infrastructure might contain any number of physical, virtual, logical or software-defined networks.

Of course, this increased complexity can sometimes make life difficult, especially when troubleshooting is required. Thankfully, System Center Virtual Machine Manager (SCVMM) contains native tools to help administrators make sense of the often complex VM network web. Better still, these tools are really easy to use — if you know where to find them.

Create a VM network diagram

The easiest way to view VM network connectivity is to open the SCVMM console and go to the VMs and Services workspace. From there, right-click the VM you wish to examine, and then choose the Connect or View > View Networking commands from the resulting shortcut menus. You can see what this looks like in Figure A.

Figure A. Choose the Connect or View > View Networking commands from the shortcut menu.

At this point, you’ll be taken to a screen that is similar to the one in Figure B, below. As you can see, this screen shows the VM name and the name of the virtual switch to which the VM is connected. At first, this screen might seem minimally helpful. After all, you can easily get this information from the VM’s settings screen or PowerShell. However, there’s more going on here than meets the eye.

Figure B. This is a simple network diagram.

If you look at the figure above, you’ll notice that the toolbar contains several different icons, and that, currently, the VM Networks icon is selected. Clicking the Host Networks icon causes System Center to display a completely different view of the networking resources.

As you can see in Figure C, the Host Networks view displays the virtual switches that exist on a host and the physical network interface controllers (NICs) to which the virtual switches are attached. The diagram also shows the relationship between VM networks and logical networks.

Figure C. The Host Networks view displays virtual switches and physical NIC connections.

The Network Topology view, which you can access by clicking on the Network Topology icon, displays a higher level view of the relationship between VM networks and logical networks. You can see an example of this in Figure D.

Figure D. The Network Topology view shows a higher level view of this relationship.

Of course, my lab environment is really simple, but in the case of a more complex environment, these diagrams can become somewhat cluttered. If necessary, you can reduce some of the clutter — and customize the look of your diagram — by using the plus and minus signs to expand or collapse various parts of the diagram.

Oh, and in case you are wondering, even though I’ve created these diagrams using a VM as a starting point, you aren’t limited to creating diagrams in this way. You can use the SCVMM console to create network diagrams from other levels of the infrastructure. For example, when I create a diagram from a host server, the diagram displays all of the VMs that are connected to the host’s virtual switch, as shown in Figure E.

Figure E. This diagram was created at the VM host level.

Export the VM network diagram to Visio

As helpful as it might be to have a graphical diagram of your VM network, SCVMM has one more feature that’s worth mentioning.

If you look back at Figure B, you’ll notice that the upper left corner of the screen capture contains an icon that looks like a down arrow — the icon is located just above the Select Objects icon. Clicking on this icon reveals an option to export the diagram to Microsoft Visio. From there, you can print, edit or modify the diagram as needed.
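The diagrams above are built from objects the SCVMM cmdlets expose, so the same VM > VM network > logical network > virtual switch > physical NIC map can be produced as a table you can filter or export, which scales better than a Visio drawing once the environment is no longer a simple lab. The following is an added example, not code from the article or from SCVMM itself. It uses the `VirtualMachineManager` module installed with the SCVMM console; the server name is a placeholder, and the property names (`VMNetwork`, `LogicalNetwork`, `VirtualNetwork`, `VLanEnabled`, `VLanID`, `VMHostNetworkAdapters`, `ConnectionName`) are the ones the SCVMM object model exposes.

```powershell
# Added example: build the VM-to-physical-NIC network map as objects instead of a diagram.
# Assumptions: SCVMM console (VirtualMachineManager module) installed; placeholder server name.
Import-Module VirtualMachineManager
Get-SCVMMServer -ComputerName 'vmm01.corp.example' | Out-Null

$map = foreach ($vm in Get-SCVirtualMachine) {
    foreach ($nic in Get-SCVirtualNetworkAdapter -VM $vm) {
        # The vNIC knows its host-side virtual switch; resolve that switch on the host
        # to find the physical adapters underneath it.
        $vswitch = $nic.VirtualNetwork
        $pnics = if ($vswitch) {
            (Get-SCVirtualNetwork -VMHost $vm.VMHost | Where-Object Name -eq $vswitch.Name).VMHostNetworkAdapters.ConnectionName
        }
        [pscustomobject]@{
            VM             = $vm.Name
            Host           = $vm.VMHost.Name
            MAC            = $nic.MACAddress
            VMNetwork      = $nic.VMNetwork.Name
            LogicalNetwork = $nic.LogicalNetwork.Name
            VirtualSwitch  = $vswitch.Name
            VLAN           = if ($nic.VLanEnabled) { $nic.VLanID } else { 'none' }
            PhysicalNICs   = (@($pnics) -join ',')
        }
    }
}

$map | Sort-Object Host, VM | Format-Table -AutoSize

# The anomalies the diagram shows at a glance, as queries:
$map | Where-Object { -not $_.VirtualSwitch } |
    ForEach-Object { Write-Warning "$($_.VM): vNIC $($_.MAC) is not connected to any virtual switch" }
$map | Where-Object { $_.VirtualSwitch -and -not $_.VMNetwork } |
    ForEach-Object { Write-Warning "$($_.VM): vNIC on $($_.VirtualSwitch) has no VM network (migration leftover?)" }
$map | Where-Object { $_.VirtualSwitch -and -not $_.PhysicalNICs } |
    ForEach-Object { Write-Warning "$($_.VM): switch $($_.VirtualSwitch) on $($_.Host) has no physical uplink (internal/private switch?)" }

$map | Export-Csv -NoTypeInformation -Path 'vm-network-map.csv'
```

The three warnings correspond to the gaps you would otherwise spot only by reading each diagram: a dangling vNIC, a vNIC on a switch but outside any VM network, and a VM that believes it has connectivity through a switch with no uplink.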

Troubleshoot System Center Orchestrator RunBook issues

Repeated tasks are the bane of IT pros’ existence. System Center Orchestrator alleviates some of that burden by automating several key runbook management and troubleshooting activities while preserving event history for review as needed.

A System Center Orchestrator runbook chains a series of activities into a single workflow that executes against a target. You can add links and conditions to control the sequence of activities in a runbook, create as many runbooks as you need and run one or all of them at the same time. When troubleshooting runbook issues, start with the logs in which runbook-related activity is recorded. From them you can learn the status of each runbook, collect real-time log events for runbooks that are executing and check the runbook audit history. In Runbook Designer, you can view real-time log events, historic events and runbook auditing history.

Real-Time Log: The Real-Time Log shows activities related to running instances of runbooks and the time a runbook was started.

Historic Log: The Historic Log includes the start and end times of each runbook instance, which tells you whether a runbook executed all of its activities. If a runbook terminated unexpectedly, you won’t see an end time. To see which activity failed, double-click the instance to see details about each activity.

Runbook Audit History: If a runbook ran successfully before but fails now, check the Runbook Audit History page. Runbook Designer tracks changes to each activity in the runbook and the user who made them, including the date and time of the change. Runbook Audit History also records the previous values, so it is easy to revert to them.

When troubleshooting runbook failures, enable the Activity-specific Published Data option for the runbook. By default, published data is not stored for each activity. Enable it from the Logging tab of the runbook’s properties, as shown in Figure A. Keep in mind that stored published data lands in the Orchestrator database, grows it with every run and can persist sensitive values that activities pass between each other, so turn the option on while troubleshooting and off again afterwards.

Figure A. Enable published data for runbooks from the Logging tab of the runbook properties.

While System Center Orchestrator RunBook logs might help you troubleshoot issues, a freeware utility called Orchestrator Health Checker helps you understand active runbooks and performs other runbook-related actions.
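The "no end time" symptom from the Historic Log can also be checked on a schedule instead of by opening Runbook Designer. The following is an added example and is not code from the article or from Orchestrator: it queries the Orchestrator web service (OData, listening on port 81 by default) for recent runbook instances and reports those that failed or that have been "running" with no completion time for longer than a threshold. It assumes Windows-integrated authentication on the web service and the 2012-era entity and property names `Runbooks`/`Name`/`Id`, `RunbookInstances`/`Status`/`CreationTime`/`CompletionTime`/`RunbookId`; verify them against `$svc/$metadata` on your server. The server name is a placeholder.

```powershell
# Added example: find failed or hung runbook instances via the Orchestrator web service.
# Assumptions: Windows auth on the service; entity/property names as in the 2012 OData feed.
$svc  = 'http://orch01.corp.example:81/Orchestrator2012/Orchestrator.svc'   # placeholder
$json = @{ Accept = 'application/json' }

function Get-OrchEntity {
    param([string]$Set, [string]$Filter)
    $uri = "$svc/$Set"
    if ($Filter) { $uri += '?$filter=' + [uri]::EscapeDataString($Filter) }
    # OData v2 "verbose" JSON wraps rows in d.results
    (Invoke-RestMethod -Uri $uri -Headers $json -UseDefaultCredentials).d.results
}

function ConvertTo-OrchDate {
    param($Value)
    if ($null -eq $Value -or $Value -eq '') { return $null }
    if ($Value -is [datetime]) { return $Value }
    # OData v2 JSON serialises dates as "/Date(<milliseconds since epoch>)/"
    if ($Value -match '^/Date\((-?\d+)\)/$') {
        return [DateTimeOffset]::FromUnixTimeMilliseconds([long]$Matches[1]).LocalDateTime
    }
    return [datetime]$Value
}

# Resolve runbook IDs to names once.
$names = @{}
foreach ($rb in Get-OrchEntity -Set 'Runbooks') { $names[$rb.Id] = $rb.Name }

$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
$hungMin = 120   # a non-monitor runbook still "running" after this many minutes is suspect

$instances = Get-OrchEntity -Set 'RunbookInstances' -Filter "CreationTime gt datetime'$since'"
$problems = foreach ($i in $instances) {
    $started = ConvertTo-OrchDate $i.CreationTime
    $ended   = ConvertTo-OrchDate $i.CompletionTime
    $ageMin  = [int]((Get-Date) - $started).TotalMinutes
    if ($i.Status -eq 'Failed' -or (-not $ended -and $ageMin -gt $hungMin)) {
        [pscustomobject]@{
            Runbook = $names[$i.RunbookId]
            Status  = $i.Status
            Started = $started
            Ended   = $ended         # $null is the "no end time" case from the Historic Log
            AgeMin  = $ageMin
        }
    }
}

$problems | Sort-Object Started | Format-Table -AutoSize
```

Monitor runbooks legitimately run for days, so either exclude them by name or raise `$hungMin` for them; otherwise every monitor shows up as hung on every run of this check.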
