Monday, October 22, 2012

Powershell/Veeam Mixed Post

My retention periods are as follows:
Daily VMs: These VMs are servers that have data that changes often. Examples include File servers, SQL Servers, and Mail Servers. I keep four restore points, and these jobs run on M, T, W, and Th. The jobs are daisy-chained using a Powershell script like this:

Add-PsSnapIn VeeamPSSnapIn
get-vbrjob -name "Daily-Web" | start-vbrjob

Upon completion of the last job, the files that compose the Veeam backup job are copied over a WAN link using robocopy to a NAS that I recently acquired. I'm very happy with the NAS! It's an Iomega StorCenter px6-300d that I bought with no drives for $900. Then I bought 6 3TB SATA disks for another $900 or so and arranged them in RAID5. I have around 14TB in usable space for less than 2 grand!!!

Weekly VMs: These are application servers that very rarely change, like terminal servers and print servers. The weekly job also includes all VMs in my "Daily-VM" jobs, so I can save one copy of them every week. This allows me to have grandfather-father-son retention. I save 4 restore points for all of these VMs, and after the job runs I copy the files offsite to the NAS. The challenging part I ran into was working out a way for my script to detect that it was the last Friday of the month, and then start the Backup Exec job to also write the Veeam backup files to tape. My first search turned up this Powershell function created by PoSH Pete called LastXofMonth. I whittled the script down, because I only need to find the last Friday, and came up with this:

#Get the date of the last Friday of this month
$DayName = "Friday"
$LastDayOfMonth = (Get-Date -Year (Get-Date).Year -Month (Get-Date).Month -Day 1).AddMonths(1).AddDays(-1)
If ($LastDayOfMonth.DayOfWeek -eq $DayName)
{
    $Answer = $LastDayOfMonth
} #End If
Else
{
    #Step backwards one day at a time until we land on the requested weekday
    While ($Answer -eq $Null)
    {
        $LastDayOfMonth = $LastDayOfMonth.AddDays(-1)
        If ($LastDayOfMonth.DayOfWeek -eq $DayName)
        {
            $Answer = $LastDayOfMonth
        } #End If
    } #End While
} #End Else

#Get Today's date as a [datetime] with the time stripped, so the comparison below compares dates
#(ToShortDateString() would give a string, and a string on the left of -ge makes PowerShell compare text)
$Date = (Get-Date).Date
$LastFriday = $Answer.Date

#If Today's date is past or equal to the date of the last Friday, start the BE job that writes monthly Veeam backups to tape
If ($Date -ge $LastFriday)
{
    #The job name contains spaces, so it is quoted for bemcmd.exe
    Start-Process "C:\Program Files\Symantec\Backup Exec\bemcmd.exe" -ArgumentList '-o1 -j"CITYBU01 - Veeam to Tape"'
} #End If

Something I have forced myself to do with my scripts is to put comments at the end of any command blocks, like If, Else, While, etc. Anywhere that there's code within a set of curly braces that spans more than one line gets a comment. It makes nested conditional statements much better to trace out and troubleshoot.
One nice thing I discovered when working with datetime datatypes in this script is that if you take two dates you can compare them. Well, I didn't discover it; it makes sense. I had never done it before and was pleasantly surprised that it worked like I thought it should.

[datetime]$date1 = "11/1/2012"
$date2 = ((get-date).ToShortDateString())
$date1 -gt $date2

This evaluates as true, because November 1 is "greater than" today, which is 10/22/2012.
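As an added example (not code from the original post), here is the same last-Friday lookup wrapped in a reusable function for any weekday, followed by the tape-job check done on [datetime] values, plus the string-versus-date comparison pitfall the paragraph above touches on. The bemcmd path and job name are the ones from the script above; the function name is my own.

```powershell
# Added example, not part of the original post. Reusable "last <weekday> of
# the month" lookup, and the comparison done on [datetime] values so that
# PowerShell compares dates rather than strings.
function Get-LastWeekdayOfMonth {
    param(
        [Parameter(Mandatory)][System.DayOfWeek]$DayOfWeek,
        [datetime]$Date = (Get-Date)
    )
    # Last calendar day of the month that $Date falls in, time of day stripped.
    $last = (Get-Date -Year $Date.Year -Month $Date.Month -Day 1).AddMonths(1).AddDays(-1).Date
    # Step back at most six days until the weekday matches.
    while ($last.DayOfWeek -ne $DayOfWeek) {
        $last = $last.AddDays(-1)
    }
    return $last
}

# For the post's date (October 2012) this returns Friday, 26 October 2012.
Get-LastWeekdayOfMonth -DayOfWeek Friday -Date (Get-Date '2012-10-22')

$today      = (Get-Date).Date      # [datetime] with the time stripped
$lastFriday = Get-LastWeekdayOfMonth -DayOfWeek Friday -Date $today

# Both sides are [datetime], so -ge is a chronological comparison.
if ($today -ge $lastFriday) {
    # The job name contains spaces, so it is quoted for bemcmd.exe.
    Start-Process "C:\Program Files\Symantec\Backup Exec\bemcmd.exe" `
        -ArgumentList '-o1', '-j"CITYBU01 - Veeam to Tape"'
}

# Pitfall: if the LEFT operand is a string (e.g. from ToShortDateString()),
# PowerShell converts the right operand to a string and compares text.
'9/30/2012' -ge '10/26/2012'                        # True  (text: "9" sorts after "1")
[datetime]'9/30/2012' -ge [datetime]'10/26/2012'    # False (real dates)
```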



Sunday, October 21, 2012

I Rooted my Phone and Found Some Great New Apps

So if you read my post from Saturday, I watched the guy next to me use an app called DroidSheep to hijack someone's Facebook connection. So far, I've avoided rooting my phone because it just works. BUT, this app got me to wondering what other apps were out there that would make things work better if only my phone was rooted. So, I rooted my phone. Besides the aforementioned DroidSheep app, I also downloaded and installed:

  • ShootMe (take screenshots just by shaking your phone)
  • Titanium Backup Root w/ Pro key (it backs up to DropBox, holy crap!). There's a how-to on Lifehacker for setting up Titanium to properly protect your phone here. It's a little dated now, but a little adaptation seems to have done the trick.
  • AdFree (redirects app requests for a curated list of ad-serving hosts to 127.0.0.1)

I also bought and installed Tasker and Locale, which will make my life MUCH easier by automating things (too bad this thing doesn't run Powershell amiright?). I've missed too many calls because my phone was left on the silent setting, and I can set it to put my phone in airplane mode when I go to the movies. Locale deals with these issues. Tasker looks dead useful, and there's a whole list of things from their wiki that I want to try.

Some more amazing apps I stumbled upon are:
  • SwipePad (gesture-driven pop-up menus. Just try it; I've been looking for something like this for a looooong time)
  • Multicon (lets you put four icons in a widget in the space of one icon)

Aaaand I'm also on LauncherPro, having moved from Holo Launcher. To make my home screens less busy, I've removed text labels from all of the icons on my home screen, which is taking some getting used to.


Saturday, October 20, 2012

SUMIT 2012 - Security at U of M IT

Yesterday was a lot of fun: I attended the SUMIT security conference at the University of Michigan. This is an annual conference, and every year I'm reinvigorated to learn more about security. The guy next to me was showing me Droidsheep on his Galaxy Tab, and successfully intercepted another attendee's Facebook connection over the open wireless. We made an innocuous post on his wall touting the conference.

Some interesting things I learned:

  • I NEED to start playing with the Backtrack Linux distro.
  • I now have zero faith in the security of unencrypted files stored on computers that are connected to the internet. The hackers are too good, and too numerous. I wonder what will happen when no one can rely on proof of identity anymore? When everyone's identity is out there, how can any agreements be trusted that aren't made in person? I asked the group I was with that question, and they immediately said biometric devices, but that's just another digital system that can and will be manipulated.
  • On your network, you should block any outgoing UDP traffic where the sender's address is not within your network (in other words, spoofed). Evidently, this act is considered just being a good netizen. This prevents many different kinds of attacks that use spoofed UDP packets from being perpetrated from your network.
  • I never thought about it before, but I wonder what Google thinks of all of the insecure Android devices out in the public? Think about it: If you own an Android device (and you're not rooted) you don't get updates for Google's OS until your carrier releases them. I'm on Sprint and I've only had Ice Cream Sandwich for 2 months! I've now found a very wonderful reason to root my phone: security! Isn't that ironic?
  • There was a presenter from the ACLU speaking about how easy and pervasive wiretapping is now. Cellphone companies track your every movement, sure. We all know this. But do you know how long the different companies keep your data? AT&T is the worst offender at 3 years. How many requests from law enforcement were made last year? Something like 1.5 million!

Thursday, October 18, 2012

Nice Stopwatch Tool (online or off)

I've been doing a lot of real-time based testing lately for some odd reason. How fast does this file open? How long does it take to transfer a gigabyte file to that server across this WAN link? I was using my phone at first, but I wanted a desktop option and found a great site called online-stopwatch.com. You can use their many different timers right through the webpage, or download them and run them locally.

Yeah I'm reaching (not to detract from the utility of the online-stopwatch!). I've been pretty much building virtual machines and scoping out performance requirements for a new SAN we'll hopefully be ordering in Q1 2013. Pretty boring stuff.

Monday, October 15, 2012

How to Tell Windows to Ignore One of Your NICs

My testing computer runs VMware Workstation and has two network cards. One of the NICs is connected to my production network cards and is my main NIC. The other NIC is used to connect any virtual networks within my VMware Workstation environment to the internet if I need to. I didn't want the computer to send any traffic out to this testing NIC. Of course, disabling that NIC in Windows would have rendered it unusable to my VMware environment. Here's how I got around that:

  1. Opened the properties of my test NIC.
  2. Opened the Internet Protocol Version 4 (TCP/IPv4) properties.
  3. Clicked "Advanced".
  4. Unchecked the box that says "Automatic Metric" and entered a high number. I used 500.
  5. Hit OK multiple times to close the dialog boxes and apply the setting.
Now, when Windows needs a path, it will see the high metric and use the production NIC. My production VMs will only see the NIC I assign to them (the test NIC with the high metric) and won't have any choice but to use the test interface for outgoing traffic.
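The same change made from the command line, as an added example that is not from the original post. The interface name "Test NIC" is an assumption, and the verification step shows why the trick works: Windows ranks each route by its own metric plus the interface metric, so the NIC with the lower total wins the default route.

```powershell
# Added example, not from the original post. "Test NIC" is an assumed interface name.
$testNic = "Test NIC"

# Equivalent of unchecking "Automatic Metric" and entering 500 in the IPv4 Advanced dialog.
# Setting an explicit metric turns automatic metric off for that interface.
netsh interface ipv4 set interface name="$testNic" metric=500

# Verify: both NICs have a 0.0.0.0 default route, and Windows uses the one whose
# (route metric + interface metric) is lowest. With 500 added, the test NIC loses.
route -4 print

# Windows 8 / Server 2012 and later expose the same setting and check as cmdlets:
# Set-NetIPInterface -InterfaceAlias $testNic -AutomaticMetric Disabled -InterfaceMetric 500
# Get-NetRoute -DestinationPrefix 0.0.0.0/0 |
#     Select-Object InterfaceAlias, RouteMetric, InterfaceMetric | Sort-Object InterfaceMetric
```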


Sunday, October 14, 2012

A New Remote Desktop Services Server! (Terminal Server)

Preface: I use the term Terminal Server and RDS Server pretty interchangeably. RDS Server is the new terminology, but using the old "Terminal Server" is a difficult habit to break.

A couple of weeks ago we had a request for six new workstations to be created for outside contractors to remote into. They already had 3 Windows 7 VMs for this purpose, and this was just too much. I had been advocating against Terminal Servers because I was in charge of them at my last job and hated (HATED) them, but I'm not running 9 Windows 7 VMs just to meet this goal; management simplicity, space, and all that, you know. After I built the new RDS Server I discovered that my loathing was really just targeted at roaming profiles, and not terminal servers, so I feel better about that. Thankfully, this RDS Server will be used by outside contractors, and I don't have to worry about redirecting folders or roaming folders.

I did run into a few frustrating problems, but I found the solutions scattered about the internet. First, I found a pretty good guide to locking down an RDS Server on Technet. One good thing about the article is that it talks about removing libraries, whereas other RDS lockdown articles I found were written for Windows Server 2003.

Issue number two was that I was having a hard time figuring out how to remove the Administrative Tools from my users' start menu. There wasn't a group policy that affected this, but I DID find a group policy preference!
  1. In your group policy, go to User Configuration > Preferences > Control Panel Settings > Start Menu.
  2. Right-click > New > Start menu (Windows Vista), then browse to Administrative Tools and choose "Do not show this item".
Another issue (and the most infuriating here) was that none of my icons were showing up on my users' desktops. Icons that you create in C:\Users\Public\Desktop (Windows Server 2008/R2/Vista/7) or C:\Documents and Settings\All Users\Desktop (Windows Server 2003/XP) should show up for everyone, and mine weren't because of a group policy that I had set called "Remove common program groups from Start Menu". This can be found in "User Configuration > Policies > Administrative Templates > Start Menu and Taskbar", and has the unintended consequence of hiding icons on the All Users/Public desktop. So, I set the policy to "Not Configured" and then removed the "Everyone" and "Domain Users" groups from the C:\ProgramData\Microsoft\Windows\Start Menu (Windows Server 2008) or C:\Documents and Settings\All Users\Start Menu (Windows Server 2003) folder permissions. You will need to remove inheritance to make this happen.
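The permission change just described, done with icacls so it can be scripted and rolled back; this is an added example, not the post's own commands. It uses the Server 2008 path from the post, and "DOMAIN" is a placeholder for your domain's NetBIOS name.

```powershell
# Added example, not from the original post. Removes the Everyone and Domain Users
# grants from the common Start Menu folder so its program groups are hidden from
# ordinary RDS users. "DOMAIN" is a placeholder for the domain's NetBIOS name.
$startMenu = "C:\ProgramData\Microsoft\Windows\Start Menu"

# Save the current ACLs first so the change can be undone with "icacls <dir> /restore <file>".
icacls $startMenu /save "$env:TEMP\startmenu-acl.txt" /t /c

# /inheritance:d copies the inherited entries onto the folder and then disables
# inheritance; without this step the parent's Everyone/Users grants would come
# straight back and the removal below would be rejected.
icacls $startMenu /inheritance:d

# Remove the grant entries. Items below the folder inherit from it, so the change
# propagates without touching each child.
icacls $startMenu /remove:g "Everyone"
icacls $startMenu /remove:g "DOMAIN\Domain Users"

# Verify: only the entries you meant to keep (e.g. SYSTEM and Administrators) remain.
icacls $startMenu
```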

Friday, October 12, 2012

Great (GREAT) Powershell cheat sheet

A cohort over on the Ars Technica forums (seriously great site and community, if you aren't a member already you should change that post-haste) created a great Powershell cheat sheet. I printed it out and hung it in my cubicle, and it's saved me a ton of time so far. I seemed to spend an inordinate amount of time using get-command because I didn't remember exactly what I was about, and this has cut that down quite a bit.

You can find Cookie Monster's Powershell cheat sheet here.

Wednesday, October 10, 2012

VMware Workstation - Can't take ownership/Windows 8 rant

I'm currently working on creating a standard image for my company's desktops, and I'm playing with a neat Linux-based imaging application called FOG. It really is a nice piece of software to use, after flailing my arms trying to make the Microsoft Deployment Toolkit to do what I wanted. Seriously, I just want to make an image and deploy it. Is there some reason Microsoft can't make a more streamlined approach for an IT shop that doesn't have someone completely dedicated to this project?

So I built a domain controller and configured my FOG server, then built a VM that I wanted to be a base image. I installed Windows 7, all of the updates and the service pack, then more updates (jeesh there's a lot of updates) and a few static pieces of software that our employees use. I got everything just so, and shut down the VM. I made a copy of the VM's folder so I could go back if I found there were things I forgot to do while in testing. Makes sense, right? I didn't want to go through the entire process again; the updates were brutal! I made another copy after I had sysprepped the Windows install. I recommend doing this because I needed to PXE boot the machine, and trying to boot to something other than the hard disk in a VM on an SSD is nearly impossible. Especially since you can't get focus on the VM inside of Workstation until it starts booting, and you have 2 seconds before "Starting Windows" comes up. On this point, please VMware, give us somewhere to adjust the BIOS screen delay before boot!!!

Sure enough, I didn't get everything quite right the first time through. So I powered the VM down, copied the backup I'd made back over, and went to open the VM only to see a strange message stating that it looked like the VM was in use. The actual error states "This virtual machine appears to be in use. If this virtual machine is already in use, press the Cancel button to avoid damaging it. If this virtual machine is not in use, press the take ownership button to obtain ownership." Taking ownership fails. Pressing cancel doesn't help you in your quandary either. The fix is to look in the folder and delete any .LCK files you see. Then you can use the VM again.

Also in my virtual machine playground, I've been toying with Windows 8. Not a big fan. I can adapt and overcome, but I can just picture my users' eyes glaze over as I tell them that to shut down the computer, they have to open up the charms bar. The fact that Microsoft is FORCING this UI change on everyone is ridiculous. Admins know how to manipulate just about everything via group policy, and the fact that they're not giving us control over whether our users boot into the Metro screen or to the desktop is maddening. Actually, the fact that they're forcing everyone to make this transition is, but especially those of us who have help desks to run and need to manage (dictate, whatever) as much as we can. Also, the windows look blocky. Remember when Vista came out everyone hated the GUI and called it the Playschool GUI? Well, this actually looks like a Playschool GUI. The sleek edges are gone, and everything looks blocky. Like.... Legos. I hereby dub this the Lego interface.

On the other side of this coin, I'm really excited about Windows Server 2012 (what little I've used of it). Yeah, the Metro interface rears its ugly head there as well, but there are actually features in it that make the annoyance worthwhile. Personally, I can't wait to have the time to play with IPAM, which is supposed to track all of my IP address space for me, instead of me fumbling around with spreadsheets (and trusting others to accurately note changes when they make them). Also, we've finally got DHCP failover, which is at least a decade overdue, in my opinion. I'm a VMware guy right now, but if Microsoft keeps on like they are I could be a Hyper-V convert. ESPECIALLY if VMware keeps ticking off its customer base like they did last year with that offensive vRam Entitlement cash grab (which they've relented on, to be fair). Microsoft is making some serious inroads, and VMware will need to step up its game if it wants to keep ahead.

If you need a good overview of what's new in Server 2012, there's a really good series of articles over at 4sysops.com that delves into it.

Tuesday, October 2, 2012

vCMA - VMware vCenter Mobile Access Deployment

So today we got all of our Android apps together, opened up some ports in the firewall, and configured our phones so we can manage things from our phones while we're driving. Kidding. So we've got Paessler PRTG monitoring our servers and applications, HP's IMC monitoring our network infrastructure, Spiceworks doing helpdesk and our "IT Knowledge Base", and now VMware vCenter Mobile Access (vCMA) so that we can access vCenter remotely.

Setting up the virtual appliance, which can be found here, was fairly easy; I followed a couple of very nice sets of instructions here and here. I did get a little lost in a couple of places.

  • First, when you download the vCMA, make sure you go with the OVF download. There's a zip file download there that includes some VMDK files and a VMX file, but I couldn't get it to start.
  • I actually had to break out my mad vi skills (of which mine are scant) to edit some config files in the vCMA appliance, which is based on CentOS. I needed to change the port that vCMA was listening on from 443 to something else, so I cracked open vi and edited the /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml file and did a search and replace. To do a search and replace with vi, use this: :%s/foo/bar/gc. This command replaces all instances of 'foo' with 'bar' after prompting you each time. When you're done editing, :wq will write your changes to the file and quit vi, by the way. Using vi makes me thank the FSM for nano and gedit, which are included in modern and "fuller" Linux distros.
  • There is no "app" for Android to make use of this that I could find, although from some of the pictures there seems to be a nice iPad app (boooooo). You just point your mobile browser at https://vcmaserver:port and that's it. The instructions I was following were a little hazy on this. Port 5480 is the management port, but you need to go to the SSL port for the app, which is just browser based. I could complain about it being browser-based, but to be fair, I'm not going to be doing "work" from my phone. I just want the ability to reboot some server from the park if I need to, and this achieves that.

Realistically, I've no reason to complain at all. I really like that VMware has made this capability available, and this is what's called a "fling", meaning that it's unsupported and just for fun. Like hell, that's a handy capability! Thank you VMware!

P.S. Could you please make an app like the iPad has for Android?