Monday, 23 January 2012

VMware Workstation and remote file system 2 GB limit

If you get the following error

"VMware Workstation cannot open one of the virtual disks needed by this VM because it is larger than the maximum file size supported by the host file system.  Some remote file systems do not support files larger than 2 GB, even though the file system on the server might.
Cannot open the disk ".....vmdk" or one of the snapshot disks it depends on.
Reason: The file is too large."

Then simply edit the .vmx file for the virtual machine in a text editor and add this line:

diskLib.sparseMaxFileSizeCheck = "false"

Now your machine will boot fine :)

Hope it helps!

Change the BitLocker cipher strength - SCCM task sequence

Here is a fantastic blog post that explains how to change the BitLocker cipher strength during your SCCM task sequence; very handy to know! :)

http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx

Monday, 16 January 2012

New PC Build

I just had to post this: my new build, purely for virtualising and learning the entire System Center 2012 suite.....
I bet it plays BF3 well XD

Saturday, 14 January 2012

Setting Up BitLocker Using SCCM & Group Policy (and optionally HP SSM)

This is a step-by-step of how I set up BitLocker in my TEST environment; please use it only as a reference if you get stuck, and as always, before beginning, RTFM! :)

Step 1 – Update the Schema / Verify you have the correct Schema

All of my DCs were running either 2008 R2 or something higher than the minimum of Server 2003 SP1.
If you have a mixture of DCs like me you will be fine, as Server 2008 DCs already have the schema extensions in place for BitLocker. If you have an all-Server 2003 environment then update the schema using the official documentation found here:
http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx

It's also worth noting that BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed-functional-level environments (or upgraded), because backed-up BitLocker and TPM information will not be protected on those domain controllers.

If you wish to verify that you have the correct schema extensions in place (as I did) then hop onto a DC as a domain admin/schema admin and open ADSI Edit.
Right-click the very root of ADSI Edit, select "Connect to", and under the naming context select the schema as below:



Browse through the schema and you should see six attributes (only five are in the screenshot below).




These are:
CN=ms-FVE-KeyPackage
CN=ms-FVE-RecoveryGuid
CN=ms-FVE-RecoveryInformation
CN=ms-FVE-RecoveryPassword
CN=ms-FVE-VolumeGuid
CN=ms-TPM-OwnerInformation

Step 2 – Run Add-TPMSelfWriteACE.vbs to allow recovery passwords to be stored in AD

For the next step, hop back onto a DC as domain admin, run the script Add-TPMSelfWriteACE.vbs and verify that you get a "success" message. The sample deployment scripts for BitLocker (including this one) can be found here:
http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205
If you are not sure how to run these scripts please seek help from a colleague.

Step 3 – Verify the ACE has been added

To do this I suggest using a domain admin account again, drilling down into your AD structure and finding a random computer object (this is just to prove that the ACE has been inherited).
Right-click the computer, choose Properties, and under Security click Effective Permissions and enter "SELF"; you should see these two permissions:
Create msFVE-RecoveryInformation Objects
Delete msFVE-RecoveryInformation Objects
This will allow computers to read and write their recovery passwords to and from AD.
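The two manual checks above (Step 1 in ADSI Edit, Step 3 in Effective Permissions) can be scripted so you can run them against every domain or a batch of computer objects. The PowerShell below is an added example and is not part of the original post or of Microsoft's sample scripts: it confirms the six schema objects exist, then reads the DACL of one computer object and reports which Allow entries are granted to SELF. It assumes the ActiveDirectory PowerShell module (RSAT) is available, that it is run as a domain admin, and that the computer name is passed in as a parameter; the GUIDs used to recognise the ACEs are read from your own schema rather than hard-coded.

```powershell
# Added example (not from the original post): automate the Step 1 schema check
# and the Step 3 SELF permission check. Assumes the ActiveDirectory module
# (RSAT) and a domain admin session; $ComputerName is supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName
)

Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Step 1: the six schema objects listed in the post should all be present.
$expected = @(
    'ms-FVE-KeyPackage', 'ms-FVE-RecoveryGuid', 'ms-FVE-RecoveryInformation',
    'ms-FVE-RecoveryPassword', 'ms-FVE-VolumeGuid', 'ms-TPM-OwnerInformation'
)
$found = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(cn=ms-FVE-*)(cn=ms-TPM-*))' `
                      -Properties cn, schemaIDGUID
foreach ($name in $expected) {
    if ($found | Where-Object { $_.cn -eq $name }) {
        "[OK]      schema object $name"
    } else {
        "[MISSING] schema object $name"
    }
}

# ACEs reference schema objects by schemaIDGUID, so resolve the two we care about.
$guidOf = @{}
foreach ($obj in $found) {
    $guidOf[$obj.cn] = New-Object System.Guid (,[byte[]]$obj.schemaIDGUID)
}
$recoveryClassGuid = $guidOf['ms-FVE-RecoveryInformation']
$tpmOwnerAttrGuid  = $guidOf['ms-TPM-OwnerInformation']

# Step 3: read the DACL of the computer object and keep only Allow ACEs for SELF.
$computer = Get-ADComputer -Identity $ComputerName
$acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
$selfAces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow'
})

# True if some SELF ACE for the given schema object carries the named right.
function Test-SelfRight {
    param($ObjectType, [string]$Right)
    $wanted = [int][System.DirectoryServices.ActiveDirectoryRights]$Right
    foreach ($ace in $selfAces) {
        if ($ace.ObjectType -eq $ObjectType -and
            (([int]$ace.ActiveDirectoryRights) -band $wanted) -ne 0) {
            return $true
        }
    }
    return $false
}

"SELF can create msFVE-RecoveryInformation objects: " + (Test-SelfRight $recoveryClassGuid 'CreateChild')
"SELF can delete msFVE-RecoveryInformation objects: " + (Test-SelfRight $recoveryClassGuid 'DeleteChild')
"SELF can write msTPM-OwnerInformation:             " + (Test-SelfRight $tpmOwnerAttrGuid 'WriteProperty')

# Full list, so an inherited vs. explicit ACE is easy to spot.
foreach ($ace in $selfAces) {
    "  inherited={0} rights={1} objectType={2}" -f $ace.IsInherited, $ace.ActiveDirectoryRights, $ace.ObjectType
}
```

Save it as a .ps1 and run it as `.\Check-BdeAdPrereqs.ps1 -ComputerName TESTPC01` (the script name and computer name are placeholders). Because the GUIDs come from the schema at run time, the same script works in a forest whose schema was extended by the 2003 SP1 update and in one that got the extensions with Server 2008.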


Step 4 – Configuring Group Policy To automate saving Recovery Passwords & TPM info To AD

Below is the Group Policy I set for our BitLocker test environment; set yours up the same (you can always come back later and tweak it, but for now let's just get it working ;) )


Now apply this to a test OU with a single computer in it, and let's start with SCCM.

Step 5 – Setting Your Disk In The SCCM Task Sequence

The first step is to partition the disk correctly. Copy or create a new task sequence and edit your "Partition Disk" step as follows, ensuring that BDE is the boot partition.

Ensure that BDE is the boot partition, that it is 1536 MB in size (or bigger if you wish) and that you set a variable called BDEPART.


Ensure that the OS partition has a variable set called OSPART; the partition can be whatever size you like (I just set mine to use 100% of the remaining space).


Now open your "Apply Operating System" step, set the destination to "Logical drive letter stored in a variable" and set the variable name to OSPART as below:


Step 6 – Setting up the Enable BitLocker step

Within your task sequence add the "Enable BitLocker" step and configure it as shown below:

Step 7 – Setup HP SSM (optional)

The machine I was testing on was an HP 2730p, so I decided to go down the route of using a utility from the HP SSM called "BiosConfigUtility.exe".
Download the HP SSM from here:
http://h20331.www2.hp.com/hpsub/cache/284133-0-0-225-121.html?jumpid=ex_R2845_vanityim/gossm/ka011106
I booted up my 2730p and ran the following:
BiosConfigUtility.exe /Advanced /GetConfig:GetConfig2730p.txt
This created a text file showing all of the current settings and, more importantly, what their names are. I then began to construct my task sequence; the finished article is below but I will go through each step:

Step 8 – The BiosConfigUtility Steps

I placed a restart between each step since we are editing BIOS settings (just to be on the safe side). During my testing I found (from the smsts.log file) that the "Enable BitLocker" step would not work unless I set the restart to boot into the full OS, as shown below:

So I set all of the restarts to do this and haven't yet changed any of them back, so they may or may not work from the boot image; when I get a chance I will test and edit this post.
Anyway, setting the BIOS password.
This step runs a batch file that contains the following:
REM Copy the package contents (the HP SSM files) to a local temp folder
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NUL
REM Set a new BIOS setup password
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /NewSetupPassword:MyBiosPassword
REM Remove the local copy
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
Obviously that's not my password, but you get the idea.

The next step, "HP 2730p – Full TPM Setup", was originally all of the TPM settings in "GetConfig.txt" set to enabled, but I found that the TPM wasn't enabling so I put it in a step of its own. Below is my batch file that applies this config:
REM Copy the package locally, apply the TPM config with the current setup password, then clean up
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NUL
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /CurSetupPassword:MyBiosPassword /Advanced /SetConfig:FullTPMConfig2730p.txt
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
And below are the contents of "FullTPMConfig2730p.txt" (option lines are indented by a tab; the asterisk marks the value to set):
English
Embedded Security Device
	*Device available
	Device hidden
Embedded Security Activation Policy
	F1 to Boot
	Allow user to reject
	*No prompts
OS Management of TPM
	*Enable
	Disable
OS management of Embedded Security Device
	*Enable
	Disable
Reset of TPM from OS
	*Enable
	Disable
Reset of Embedded Security Device through OS
	*Enable
	Disable
Always Prompt for HP SpareKey Enrollment
	*Disable
	Enable
HP SpareKey
	*Disable
	Enable

The next step is to take ownership of the TPM, which I did using the manage-bde.exe tool. Create a batch file as follows:
manage-bde -tpm -TakeOwnership MyTPMPassword
exit /b
Again, that's not my password, so put something better in there.

The final step is to enable the TPM. As I said, I tried this in the full setup step but it didn't work; perhaps if I take ownership of the TPM and then apply the settings it will work. Anyway, for now this is what I have, so to enable the TPM create a text file called "EnableTPM.txt" containing this:
English
Activate Embedded Security On Next Boot
	*Enable

And apply it using this batch file:
REM Copy the package locally, apply EnableTPM.txt with the current setup password, then clean up
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NUL
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /CurSetupPassword:MyBiosPassword /Advanced /SetConfig:EnableTPM.txt
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
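When a setting does not take (the "TPM wasn't enabling" problem above), the quickest way to see what actually changed is to compare a fresh /GetConfig dump against the file you pushed with /SetConfig, rather than reading two text files by eye. The PowerShell below is an added example, not part of the original post or of HP's tooling: it parses the BiosConfigUtility text format shown above (language on the first line, setting names unindented, options beneath them indented by a tab, the active one prefixed with "*") and reports every setting whose active value differs from the desired one. The two configs embedded in it are constructed sample input; with real files, pass `Get-Content GetConfig2730p.txt` and `Get-Content FullTPMConfig2730p.txt` instead.

```powershell
# Added example (not from the original post or HP): parse BiosConfigUtility
# config files and report settings whose active value differs from the desired one.
# Format assumed (as in the files in the post): first line = language, setting
# names unindented, options indented by a tab, active option prefixed with '*'.

function ConvertFrom-BcuConfig {
    param([string[]]$Lines)
    $result       = [ordered]@{}
    $current      = $null
    $seenLanguage = $false
    foreach ($raw in $Lines) {
        if ($raw -match '^\s*$') { continue }               # skip blank lines
        if ($raw -match '^(\s+|\*)') {                      # option line
            if ($null -eq $current) { continue }            # option with no setting: ignore
            $text   = $raw.Trim()
            $active = $text.StartsWith('*')
            if ($active) { $text = $text.Substring(1).Trim() }
            $result[$current].Options += $text
            if ($active) { $result[$current].Active += $text }
        } elseif (-not $seenLanguage -and $result.Count -eq 0) {
            $seenLanguage = $true                           # "English" on the first line
        } else {                                            # setting name line
            $current = $raw.Trim()
            if (-not $result.Contains($current)) {
                $result[$current] = [pscustomobject]@{ Options = @(); Active = @() }
            }
        }
    }
    return $result
}

# One row per desired setting: what we asked for vs. what the BIOS reports now.
function Compare-BcuConfig {
    param($Current, $Desired)
    foreach ($name in @($Desired.Keys)) {
        $want = ($Desired[$name].Active -join ', ')
        if (-not $Current.Contains($name)) {
            [pscustomobject]@{ Setting = $name; Desired = $want; Current = '<not reported>'; Match = $false }
            continue
        }
        $have = ($Current[$name].Active -join ', ')
        [pscustomobject]@{ Setting = $name; Desired = $want; Current = $have; Match = ($have -eq $want) }
    }
}

# Constructed sample: a /GetConfig dump taken after the first run (TPM still
# hidden, OS management disabled) against the desired TPM settings.
$currentDump = @(
    'English',
    'Embedded Security Device',
    "`tDevice available",
    "`t*Device hidden",
    'OS Management of TPM',
    "`t*Disable",
    "`tEnable",
    'Reset of TPM from OS',
    "`t*Disable",
    "`tEnable"
)
$desiredConfig = @(
    'English',
    'Embedded Security Device',
    "`t*Device available",
    "`tDevice hidden",
    'Embedded Security Activation Policy',
    "`tF1 to Boot",
    "`tAllow user to reject",
    "`t*No prompts",
    'OS Management of TPM',
    "`t*Enable",
    "`tDisable",
    'Reset of TPM from OS',
    "`t*Enable",
    "`tDisable"
)

$report = Compare-BcuConfig -Current (ConvertFrom-BcuConfig $currentDump) `
                            -Desired (ConvertFrom-BcuConfig $desiredConfig)
$report | Format-Table -AutoSize
$mismatches = @($report | Where-Object { -not $_.Match })
"Settings still not matching the desired config: $($mismatches.Count)"
```

Run after a /GetConfig step in the task sequence (or by hand after the reboot) and the table shows at a glance whether a value silently stayed at its old setting or whether the BIOS never reported the setting at all, which on this model is the difference between a config-file typo and a setting that needs its own step and reboot, as the post found for the TPM.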

That's it for those steps; now update your DPs and PXE boot your machine. Good luck!
P.S. I'm sure I could cut down those steps now, but this worked for me last thing on Friday so I'm blogging it over the weekend; I will update this once I have cleaned up a bit :)

Grab a cup of Coffee, wait for your image to apply and move onto the next step.....

Step 9 – Verifying your Recovery Password and TPM info have been stored in AD

If you skipped the HP SSM steps, carry on here.
Now that we have a machine with BitLocker installed, the first thing I did was to run
manage-bde.exe -status
from a command prompt as admin and check that the drive was indeed encrypting:

As you can see, that looks promising (apart from the AES 128, which I will be changing in Group Policy later).
So that's our machine encrypting; let's check AD.....
If you run the Active Directory Users and Computers snap-in as domain admin you should see the BitLocker Recovery tab with the current password stored in there, as below:

If you do not see this tab you will need to run:
regsvr32.exe BdeAducExt.dll
on your workstation and then re-open the Active Directory snap-in as domain admin.
The last step is to verify the TPM owner info is being stored in AD. I did this by opening the computer object in ADSI Edit and checking that the attribute msTPM-OwnerInformation had a hash of my password in there:

I also ran the script Get-TPMOwnerInfo.vbs from the machine in question and verified that I got back the hash as expected.
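The checks in this step can be scripted too. The PowerShell below is an added example (not part of the original post or of Microsoft's sample scripts): the first half reads the same volume state that manage-bde -status shows, through the Win32_EncryptableVolume WMI class that Windows 7 exposes (there is no Get-BitLockerVolume cmdlet on that OS), and the second half queries AD for the msFVE-RecoveryInformation child objects of the computer and its msTPM-OwnerInformation attribute. It assumes an elevated session on the client with the ActiveDirectory module (RSAT) installed and that the OS drive is C:, and it deliberately never retrieves msFVE-RecoveryPassword; it only reports that recovery objects exist and when they were written.

```powershell
# Added example (not from the original post): script the Step 9 verification.
# Assumes an elevated session on the BitLocker client with the ActiveDirectory
# module (RSAT) available. Defaults: this computer and drive C:.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Drive = 'C:'
)

# --- Part 1: local volume state (the same data manage-bde -status reports) ---
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { throw "No Win32_EncryptableVolume instance for $Drive" }

# Windows 7 method codes (hardware and XTS methods came with later releases).
$methodNames = @{ 0 = 'None'; 1 = 'AES-128 with Diffuser'; 2 = 'AES-256 with Diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$convNames   = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress';
                  3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }

$conv       = $vol.GetConversionStatus()
$method     = [int]$vol.GetEncryptionMethod().EncryptionMethod
$protection = switch ([int]$vol.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }

"Volume {0}: protection={1} state={2} ({3}% encrypted) method={4}" -f $Drive, $protection,
    $convNames[[int]$conv.ConversionStatus], $conv.EncryptionPercentage, $methodNames[$method]
if ($method -eq 1 -or $method -eq 3) {
    "  Note: 128-bit method in use. The method is fixed once a volume is encrypted; a Group Policy change only affects volumes encrypted after it applies."
}

# --- Part 2: what reached Active Directory ---
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'

# Recovery information lives in child objects of the computer object; the
# recovery password attribute itself is intentionally not requested here.
$recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                  -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                  -Properties whenCreated, 'msFVE-VolumeGuid')
"Recovery objects under {0}: {1}" -f $computer.DistinguishedName, $recovery.Count
foreach ($r in $recovery) {
    $volGuid = New-Object System.Guid (,[byte[]]$r.'msFVE-VolumeGuid')
    "  {0}  volume={1}  created={2}" -f $r.Name, $volGuid, $r.whenCreated
}
if ($recovery.Count -eq 0) {
    "  None found: check the Group Policy backup setting and the SELF ACE from Step 3."
}

$tpmInfo = $computer.'msTPM-OwnerInformation'
if ($tpmInfo) { "msTPM-OwnerInformation: present ({0} characters)" -f $tpmInfo.Length }
else          { "msTPM-OwnerInformation: empty (TPM owner info was not backed up)" }
```

Save it as a .ps1 and run it elevated on the freshly imaged machine; if the RSAT module is not installed on clients, run the first half there and the second half from an admin workstation with `-ComputerName` set to the client's name.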

That's pretty much it. One more thing to note is that you will now see this in Active Directory, to enable you to search for BitLocker recovery passwords:

And as always, test, test and test some more. This is only a very rough guide, but it works, which is the main thing; I still have lots of testing and tweaking to do myself before implementing, but I will be putting all of my findings up here for future reference.
Also, thanks to this guy:
http://weikingteh.wordpress.com/2011/02/23/enabling-bitlocker-with-configuration-manager-sccm-operating-system-deployment-osd
for getting me started with partitioning the disk correctly.
Cheers!

Friday, 13 January 2012

SCCM Task Sequence Backup and Versioning

Here is a great little script to automate backing up and versioning your SCCM task sequences; handy if you are tweaking a lot or have a lot of people editing your TSs:
http://mdtcustomizations.codeplex.com/releases/view/65824

Tuesday, 10 January 2012

List of Models & TPM Versions

I am going to maintain a list here of computer models and the TPM module they come with. We have so many models in our enterprise that I thought it might be useful to post my findings as a list for everyone's reference.
If you can add to this list please comment!
Thanks

HP Elitebook 2730p - TPM 1.2 - IFX
HP Elitebook 2740p - TPM 1.2
HP Elitebook 2760p - TPM 1.2
HP Probook 5330m - TBC
Toshiba Tecra A10 - TPM 1.2
Toshiba Tecra A11 - TBC

Monday, 2 January 2012

Configuring WinRAR to queue up files for extraction

Just another old KB I wrote, put on here for convenience more than anything:

How to queue up files for extraction in WinRAR:

Open the extraction dialog by selecting a file for extraction from Windows Explorer (right-click and choose Extract to).
Select the Advanced tab and check "Wait if other WinRAR copies are active".
Then select the General tab and press the "Save settings" button.
Voila, it will always queue up your file extractions.

Setting up Server Core

Here is an old KB I wrote on how to set up Server Core 2008 from scratch; might be useful to someone..

This document describes how to set up a Server Core installation from start to finish.
Guide to setting up Server Core 2008

1) Install Server Core as you would any version of Windows.

2) Now you must set your IP address and DNS server.

3) To set your IP address type the following (omit the outermost quotes):
"netsh interface ipv4 set address name="Local Area Connection" source=static address=x.x.x.x mask=x.x.x.x gateway=x.x.x.x"

4) To set your DNS server type the following:
netsh interface ipv4 add dnsserver name="local area connection" address=x.x.x.x index=1

5) You must now enter your product key by typing the following: "cscript c:\windows\system32\slmgr.vbs -ipk AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"

6) Once that key is entered you need to activate it by typing:
"cscript c:\windows\system32\slmgr.vbs -ato"

7) Next you have to rename the server; do this by typing the following:
"netdom renamecomputer "currentname" /newname:CORESERVER"
Press "Y" at the prompts and then reboot (shutdown.exe -r).

8) Now you must temporarily disable the firewall (so that you can drop a text file on the C$ share of the Server Core instance). Disable the firewall as follows:
"netsh firewall set opmode disable"

9) Now create a file called "unattend.txt" and drop it on the C drive of the Server Core box. Use the below as a template only; there is Microsoft documentation on this that is very in-depth. The text file should contain the following:

[DCINSTALL]
username=administrator
Password=PASSWORD
userdomain=YOURDOMAIN.LOCAL
SafeModeAdminPassword=PASSWORD
CriticalReplicationOnly=no
SiteName=SITENAME
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=yourdomain.LOCAL
ReplicationSourceDC=otherserver.yourdomain.LOCAL
RebootOnSuccess=Yes
NOTE: If you can't get on the C$ share, run "net user administrator password" (to reset the admin password), replacing "password" with your password.

10) With unattend.txt on the C drive of the server type the following:
"dcpromo /unattend:c:\unattend.txt"

11) After dcpromo has run you need to set up DNS and DHCP. To install DHCP type the following:
"start /w ocsetup DHCPServerCore"
"sc config dhcpserver start= auto"
"net start dhcpserver"

12) Now to install DNS type the following:
start /w ocsetup DNS-Server-Core-Role

13) Now all you need to do is manage these roles (AD, DNS and DHCP) using the MMC snap-ins from another computer.

14) Now to turn the firewall back on, type:
"netsh firewall set opmode enable"

15) And to set two DNS servers (the Server Core box as primary and another as secondary) type the following:
"netsh interface ipv4 add dnsserver name="local area connection" address=127.0.0.1 index=1"

"netsh interface ipv4 add dnsserver name="local area connection" address= index=2"

16) Now to set the correct time, open Date and Time by typing:
"timedate.cpl"
and set as you wish.

17) Now we need to schedule regular Windows Updates of our Server Core box. To do this type the following:
"Cscript c:\windows\system32\scregedit.wsf /au 4"
"Net stop wuauserv"
"Net start wuauserv"

To then detect updates type "wuauclt /detectnow"

18) Now to allow remote administration through the firewall, type:
Netsh advfirewall firewall set rule group="remote administration" new enable=yes

Hope it helps someone :)

Forcefully Seizing FSMO Roles

Just having a bit of a clear-out, I found my old personal knowledge base articles. I'm going to post a few up here, so here goes:

How to seize FSMO roles by force
I last had to do this when my DCs were out of sync and I was getting the error:
"The destination server is currently rejecting replication requests" whenever I tried to manually sync the DCs.

To seize all FSMO roles, log on to the server that will be the new role holder, open a command window and type:
ntdsutil
roles
connections
connect to server SERVERNAME
q
?
seize RID master
seize pdc
seize infrastructure master
seize naming master
seize schema master

To verify this has worked, type:
netdom query fsmo