Categories
Information Technology

Change Service Provider Foundation (SPF) port after installation without reinstall

One of my biggest pet peeves when installing software is when the installer outright says to you “you cannot change these values after otherwise you’ll need to reinstall”. It’s like the developer is speaking to their grandfather assisting them reset their WIFI – “unplug it and plug it back in”.

With SPF, you’re prompted during install to change the default port from 8090 to something else. Most people would want to flip it to HTTPS on 443 and you would assume you would just change the binding in IIS to do that. Well, that’s just one step, because they bury the port value in a web.config file and the registry. Why don’t they just store it in a single location, like say… the SPF SQL database? Who knows. But here are the steps to get your environment working without a full rebuild.

1 – IIS Website Port Bindings

This one is fairly obvious if you have ever administered IIS before. There’s only a single SPF website that you need to change here. This is also where you would assign your SSL certificate and possibly bind an IP address and host header name. Those steps are not necessary, but if you do decide to change the host name, you’ll need to change it somewhere else (more on that later).

 

2 – Registry

This one is easy. Pop open regedit and browse to HKLM\SOFTWARE\Microsoft\Service Provider Foundation and change the PortNumber key’s value.

 

 

3 – Web.Config

The last change is buried obnoxiously deep in one of the web application’s web.config file. I presume the key is set during installation – something even Microsoft Premier Support couldn’t find documented anywhere. Five days after a SevB ticket was opened and Premier Support was engaged the SCVMM Product Group without answers, I grew annoyed and started searching for the port’s value as a string everywhere. And I found it.

Browse to the directory where your SPF website’s Provider folder is located – by default, it should be C:\inetpub\SPF\Provider

Open up the web.config file and edit the highlighted lines below. If you bound your website to a specific host header name in Step 1, this is where you would change “localhost” to match that FQDN.

Categories
Information Technology

Rooting an Amazon Fire 7 to Vanilla Android

Dumping ground link OMFG: https://www.thepolyglotdeveloper.com/2016/05/install-better-custom-rom-amazon-kindle-fire/

And it works!

Categories
Information Technology

A romp through installing SCVMM 2016 Tech Preview

Another “brain-purge” blog post. Please please please do these things in this order or you will want to kill yourself. SCVMM’s pre-requisite check does a decent job at identifying certain things missing on the server, but it fails miserably at checking the things you can potentially waste a lot of time on. So here is a quick recap:

  1. If you’re installing this onto a VM, you should probably give it a good amount of RAM and at least 2 cores.
  2. Install .NET 3.5 first. You probably need to mount the server ISO and install from D:\Sources\sxs
  3. Restart the server. Just do it. Trust me.
  4. Install a version of SQL Server that isn’t Express. SCVMM won’t tell you this until halfway thru the install, so again, save yourself the time.
  5. Create an AD service account. I believe it has to be an actual User object, not one of those new-fangled “Managed Service Accounts” that debuted in Windows 7 + 2008 R2. Add it as a local admin to the SCVMM machine.
  6. Install SCVMM.
  7. Wait awhile.

More info here: https://blogs.technet.microsoft.com/kevinholman/2013/10/18/scvmm-2012-r2-quickstart-deployment-guide/

Categories
Information Technology

Office 365 + Importing PST Files

I have yet to try this myself, but I figured a single, documented location for this process should be somewhere on the interwebs:

  • PST Capture – Microsoft-developed tool for scanning your network and computers for PST files: https://technet.microsoft.com/en-us/library/hh781034(v=exchg.141).aspx
  • AzCopy – Import PST files directly into Azure Storage Explorer and run PowerShell script against mailboxes to import: https://www.reddit.com/r/sysadmin/comments/45ga6y/microsoft_utility_pst_capture_will_scan_your/czxuxeo
Categories
Information Technology

Cryptolocker FSRM Template Scripts

Nothing fancy… but I decided to whip together some scripts to make my FSRM file screen templates easier to install.

Server 2012 and Up:

New-FsrmFileGroup -Name "Cryptolocker 20160314" –IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT","DECRYPT_INSTRUCTIONS.HTML","DECRYPT_INSTRUCTION.TXT","DECRYPT_INSTRUCTION.HTML","HELP_DECRYPT.TXT","HELP_DECRYPT.HTML","DecryptAllFiles.txt","enc_files.txt","HowDecrypt.txt","How_Decrypt.txt","How_Decrypt.html","HELP_TO_DECRYPT_YOUR_FILES.txt","HELP_RESTORE_FILES.txt","HELP_TO_SAVE_FILES.txt","restore_files*.txt","restore_files.txt","RECOVERY_KEY.TXT","how to decrypt aes files.lnk","HELP_DECRYPT.PNG","HELP_DECRYPT.lnk","DecryptAllFiles*.txt","Decrypt.exe","ATTENTION!!!.txt","AllFilesAreLocked*.bmp","MESSAGE.txt","*.locky","*.ezz","*.ecc","*.exx","*.7z.encrypted","*.ctbl","*.encrypted","*.aaa","*.xtbl","*.abc","*.JUST","*.EnCiPhErEd","*.cryptolocker","*.micro","*.cryptotorlocker*","*.frtrss","*.vault","*want your files back.*","confirmation.key","cryptolocker.*","*decrypt_instruct*","*help_decrypt*","help_restore*.*","how to decrypt*.*","how_to_decrypt*","how_to_recover*","howtodecrypt*","install_tor*.*","last_chance.txt","recovery_file.txt","vault.hta","vault.key","vault.txt","HOW_TO_RECOVER_FILES.*","HELP_YOUR_FILES*","*.zzz","*.xyz","*.ccc","*.vvv","*.xxx","*.ttt","*.locked","*.crypto","_crypt","*.crinf","*.r5a","*.XRNT","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*.OMG!","*.RDM","*.RRK","*.encryptedRSA","*.crjoker","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.bleep","*.1999","*.HA3","*.toxcrypt","*.magic","*.SUPERCRYPT","*.CTB2","HELPDECRYPT.TXT","HELP_YOUR_FILES.TXT","HELP_RECOVER_FILES.txt","INSTRUCCIONES_DESCIFRADO.TXT","How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url","encryptor_raas_readme_liesmich.txt","HOW_TO_DECRYPT_FILES.TXT","ReadDecryptFilesHere.txt","Coin.Locker.txt","_secret_code.txt","About_Files.txt","Read.txt","ReadMe.txt","DECRYPT_ReadMe.TXT","FILESAREGONE.TXT","IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY","IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML","help_decrypt_your_files.html","RECOVERY_FILES.txt","RECOVERY_FILE*.txt","HowtoRESTORE_FILES.txt","howto_recover_file.txt","restorefiles.txt","howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","Howto_Restore_FILES.TXT","help_recover_instructions+*.txt")

Server 2008 and 2008 R2:

filescrn filegroup add /filegroup"CRYPTO2016" /members"_Locky_recover_instructions.txt|DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTIONS.HTML|DECRYPT_INSTRUCTION.TXT|DECRYPT_INSTRUCTION.HTML|HELP_DECRYPT.TXT|HELP_DECRYPT.HTML|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|restore_files.txt|RECOVERY_KEY.TXT|how to decrypt aes files.lnk|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.abc|*.JUST|*.EnCiPhErEd|*.cryptolocker|*.micro|*.cryptotorlocker*|*.frtrss|*.vault|*want your files back.*|confirmation.key|cryptolocker.*|*decrypt_instruct*|*help_decrypt*|help_restore*.*|how to decrypt*.*|how_to_decrypt*|how_to_recover*|howtodecrypt*|install_tor*.*|last_chance.txt|recovery_file.txt|vault.hta|vault.key|vault.txt|HOW_TO_RECOVER_FILES.*|HELP_YOUR_FILES*|*.zzz|*.xyz|*.ccc|*.vvv|*.xxx|*.ttt|*.locked|*.crypto|_crypt|*.crinf|*.r5a|*.XRNT|*.crypt|*.R16M01D05|*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTB2|HELPDECRYPT.TXT|HELP_YOUR_FILES.TXT|HELP_RECOVER_FILES.txt|INSTRUCCIONES_DESCIFRADO.TXT|How_To_Recover_Files.txt|YOUR_FILES.HTML|YOUR_FILES.url|encryptor_raas_readme_liesmich.txt|HOW_TO_DECRYPT_FILES.TXT|ReadDecryptFilesHere.txt|Coin.Locker.txt|_secret_code.txt|About_Files.txt|Read.txt|ReadMe.txt|DECRYPT_ReadMe.TXT|FILESAREGONE.TXT|IAMREADYTOPAY.TXT|HELLOTHERE.TXT|READTHISNOW!!!.TXT|SECRETIDHERE.KEY|IHAVEYOURSECRET.KEY|SECRET.KEY|HELPDECYPRT_YOUR_FILES.HTML|help_decrypt_your_files.html|RECOVERY_FILES.txt|RECOVERY_FILE*.txt|HowtoRESTORE_FILES.txt|howto_recover_file.txt|restorefiles.txt|howrecover+*.txt|_how_recover.txt|recoveryfile*.txt|recoverfile*.txt|Howto_Restore_FILES.TXT|help_recover_instructions+*.txt"
Categories
Information Technology

How to get your Chromecast to work with Popcorn Time again

Yes, I use Popcorn Time, specifically whatever the latest “clean” Community build is from /r/PopCornTime. It works great for TV shows I missed and other things…

When I recently moved, setup my new WIFI SSID, and reconfigured my Chromecasts, I decided to rename them based on what room they were in. We decided on using the first initials of our first names and then the room it was in (ex: E&S Bedroom). Everything continued to work just fine when I casted to them: YouTube from my iPhone, Chrome tabs from my Macbook or Windows laptops, Spotify…

…except Popcorn Time

Why? I literally tried every build possible (old and new) with no hope. Did Chrome block the AppID or something? The Chromecast devices show up in the little drop-down menu! No errors were being spit out by app or the Chromecast. Doing some Googlein’g didn’t help either. No one had this specific problem… but one person did have an issue with his Android phone, his Android build of Popcorn Time, and his Chromecast with an “apostrophe” in its name.

Oh my god. Are you kidding me?! Popcorn Time isn’t parsing the string name correctly and I guess wasn’t escaping out the & in the E&S name.

Removed the & and boom… working again.

Categories
Information Technology

Intel NUC NUC5CPYH: An Adventure with WDS, USB 3.0, and Windows 7

Another day, another hiccup in the usually amazing procedure of using WDS for quick mass deployments of OS images. Today’s annoyance comes courtesy of using an Intel NUC that only has USB 3.0 ports and no way to force them into USB 2.0 mode. Why is this an issue? Because after deploying a Windows 7 image via WDS and PXE, you’re left with the Setup Windows screen uncontrollable via keyboard or mouse.

Erm……

This is a documented and well-known issue with the Intel NUC NUC5CPYH. As a matter of fact, for fresh installs of Windows 7 (via USB), there’s an official Intel tool that will modify the setup files to alleviate your pain. Very nice. If you want to go the manual route, there’s also tutorials to do that as well.

But what about us Sysadmins who want to use WDS? I’ve had wonky results with using the WDS console to add USB 3.0 drivers for PnP install at setup. I finally decided to just mount the specific image with DISM and inject the drivers myself to force the issue. There’s actually 2 sets of drivers to install: one for a virtual hub and one for the actual USB 3.0 ports itself. But beware! You can’t just grab the smaller .WIM file you think you would want to modify. You first must export from WDS to generate a catalog and resource file to get an injectable .WIM

  1. In the WDS console, find the install image you want to inject the drivers into and export it somewhere. Right-click and export… In this example, I’m going to call it “biz-usb3.wim
  2. Download the USB 3.0 drivers from Intel’s site
  3. Extract the drivers, specifically HCSwitch and Win7, to a folder called usb3. Move the usb3 folder into the same place your biz-usb3.wim is located.
  4. Create a temporary mount location for your .wim image to be manipulated in. Make a folder and call it mount.
  5. Open an admin CMD console and CD into the directory where your biz-usb3.wim, mount, and usb3 folder are located.
  6. Mount the biz-usb3.wim image using DISM: dism /mount-wim /wimfile:"biz-usb3.wim" /index:1 /mountdir:"mount"
  7. After the mounting is complete, inject the drivers: dism /image:"mount" /add-driver /driver:"usb3" /recurse
  8. Save changes to the image: dism /unmount-wim /mountdir:"mount" /commit
  9. Import the .wim back into WDS and name it whatever you want. Now would be a good time to disable the old image to make sure you don’t confuse them during deployment. You can delete if you want, but I find disabling prevents any accidental screw-ups from happening. Plus, the delta should only be a few megabytes, so no need to stress about storage (more on this below).

If all was done correctly, you should be able to PXE boot or whatever into your WDS server and deploy the Windows 7 image to the NUC with USB 3.0 drivers enabled. For what it’s worth, there isn’t much of a difference going on here from the original tutorial; I’m just using similar steps to edit a WDS image instead of a raw Windows 7 install image. The only extra step is exporting the .WIM from WDS to generate a resource catalog.

A few gotchas:

  • If upon PXE booting you see 2x the new image listed, don’t panic. You probably just did all your work in WDS’s image folder itself. This isn’t a bad thing, just kind of sloppy. I would recommend deleting the larger of the two .WIM files (in this example, biz-usb3.wim). The imported one automatically was diff’d and only the delta is stored. WDS is smart enough to not waste gigabytes of space when the base image already has 99% of the stuff you need.
Categories
Information Technology

Failover Cluster Validation Hiccups (Or: How to Be a Network Cable Detective)

I don’t get to spend a lot of time at my current company’s offsite DR location. I’m currently building the cluster stack from the ground up, mimicking our production environment almost 1:1. Other than a shittier SAN and one less server in the cluster, the specs are just about the same. The problem is getting it all up and running with what little time I have on location.

Yesterday, I spent a good portion of my time on-site cleaning up some wiring and getting my Hyper-V servers ready to be clustered remotely. Switches were on the correct management VLAN, iDRAC access was working smoothly, everything else should be able to be handled from my desk or laptop in a different ZIP code. Cool.

So today, I plop myself down at my desk, RDP into both Hyper-V nodes, and begin the Failover Cluster wizard. And so my troubles began:

NODE1 - iSCSI1 cannot communicate with NODE2 - iSCSI1

That’s weird. Why would only one set of my iSCSI NICs not see each other? (I have two Quad Port NICs on each server; Intel and Broadcom). After some PING’ing out of specific interfaces, the only conclusion I could come to was I crossed a patch cable somewhere (or worse yet, didn’t click it in all the way!). That would absolutely suck – I would have to drive back out there just to plug a stupid network cable in? Complete waste of a day. Unless….

I popped open the switch’s config and dumped out which ports had jumbo packets detected on their connection. “Spaced” out correctly were 4 ports, 2 for each server, showing 9216 byte frame sizes. Perfect! The cables are plugged in and now I know which ports they’re actually on. Could I really have been so foolish and forgotten to untag those ports for my iSCSI VLAN? No way…

Yup. That was it. Something so simple. Validation passed and I moved on with my life.

So, lessons learned:

  1. Always make sure your switches are manageable offsite.
  2. Always document your switchport usage somewhere (Wiki, JIRA ticket, whatever). I have a small environment where I could visualize what was what. Coupled with my jumbo frame detective work, I was able to figure this one out.
  3. Bonus Lesson: Always make sure you have your iDRAC / out-of-band management working before you leave. You cannot rely on RDP, especially when fixing wonky network settings on switches and clusters. Things will absolutely drop!
Categories
Information Technology

WDS + Windows 7 + Windows 10 Installer Files = Kill Me

I was having issues getting a desktop to install updates recently from my company’s WSUS server. Being that I was in a time crunch and needed these updates installed within the next 24 hours, I decided to take the desktop off the domain and grab the Windows Updates directly over the internet from Microsoft.

Spoiler Alert: This was a terrible idea.

Fast forward to the next day. Updates are downloaded, installed, and the machine is ready to be sysprep’d for WDS. I finish up a few last software tweaks and capture the image via PXE boot + WDS. Everything goes smoothly and the .WIM file is appearing on my WDS server. Hooray! Let’s start pushing this out to a few machines.

WDS: Windows cannot install required files. Make sure all files required for installation are available, and restart the installation.

What?

What does that even mean? I do a WDS service restart just to make sure I’m not losing my marbles, but I keep getting the same, nonsensical error. After Google was consulted, the only information I could find was from January concerning a WinPE image source sitting in a hidden folder on the C: drive.

Wait… C:\$WINDOWS.~BT … why does that sound familiar? Oh that’s right, it’s the directory Microsoft has been pushing Windows 10 install files to! When I walked away the night before after taking the machine off the domain, it had grabbed the update from Microsoft. Show Hidden Files was off by default, so I never even saw the directory!

OK, so easy-peasy fix. Pop open ImageX or DISM and let’s mount the .WIM and trash that directory.

The specified image file did not contain a resource section.

What?

Ugh… of course, I need to export the .WIM out of WDS first, then mount, make my changes, and commit.

dism /Mount-Image /ImageFile:"exported_image.wim" /index:1 /mountdir:"C:\mount_wim"

Trashed the C:\$WINDOWS.~BT directory and imported back into WDS. Full steam ahead!

Dism /Commit-Image /MountDir:"C:\mount_wim"

This is a real pain in the neck, though. There’s no clear way to block Windows 10 from installing its slimy files on your box. Some people have suggested blocking it at the firewall, but I’m sure Microsoft’s CDN will wreck havoc on that idea. I guess I should have never taken the machine off the domain!