Windows Server 2016 RTM in Azure

Despite the fact that there are no Windows Server 2016 RTM images up in Azure yet, after a bit of experimentation I've managed to get an RTM build (14393.206) installed and activated just fine. It seems that Microsoft enabled KMS activation around the same time as Ignite began. It's been awfully handy having the RTM up and running ahead of the official release.

Windows Update doesn't mind servicing these machines as normal. I've got no idea if Microsoft approve of this behaviour though, so use caution.

If you've managed to obtain any of the RTM ISOs, simply install the Datacenter SKU in a local Hyper-V VM, Sysprep and generalize, copy your image up to your Azure storage account, and create a VM with it. You can read the Microsoftian on how to do that here.

Once your VM is up and running in Azure, install a 2016 VL product key by running this from an elevated PowerShell:

iex “$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /ipk CB7KF-BWN84-R7R2Y-793K2-8XDDG”

The final step is activation, and it's dead simple. Deliver this sweet one liner to point your box at the friendly Azure KMS:

iex “$env:windir\system32\cscript.exe $env:windir\system32\slmgr.vbs /skms kms.core.windows.net:1688”

Winning

2016rtm-azure

 

Mikrotik CHR in Azure: Part Two

A lot has changed since I first wrote about CHR in Microsoft Azure. The latest RouterOS is 6.37 and our routers are working better than ever.

To update my earlier observations:

  • CHR VMs will now gracefully Start and Stop without the risk of them ending up in an inconsistent state.
  • Recent RouterOS upgrades we've performed have completed without issue.
  • You still need to convert the Mikrotik supplied VHDX to VHD before uploading.
  • Redeploying/resizing a CHR will result in the software ID changing.
  • We get much better performance by using Standard VM SKUs as opposed to Basic

As promised, here are the basic steps to get one up and running. I'm time poor so I'm assuming you already know your way around the ARM portal and can connect to your Azure account with the PowerShell module.

Firstly, to save you the time of converting the Mikrotik VHDX, here's a VHD of 6.37.1 I prepared earlier.

You'll need a resource group, NIC, and storage account if you don't already have these. It's also a good idea to attach a public IP address to the NIC, and set up a security group allowing winbox access, if you don't have VPN access to your Azure environment, or a pre-existing jump host. Note that your new CHR will have a blank password, so be conscious of exposing it to the internet in this configuration.

Upload the VHD to your storage account using PowerShell, or the Azure Storage Explorer. This VHD will be attached to your CHR, so name it accordingly.

You can then modify the following PowerShell for VM creation:

$SubscriptionId = "12345678-1234-1234-a123-1a23b4cde56f"
$VMName = "vm-chr-test"
$ResourceGroupName = "rg-test-env"
$StorageAccountName = "sa-pebkac-test"
$LocationName = "US West"
$VMSize = "Standard F1"
$InterfaceName = "nic-chr-test"
$SourceImageUri = "https://$StorageAccountName.blob.core.windows.net/vhds/vm-chr-disk1.vhd"

$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$Interface = Get-AzureRmNetworkInterface -Name $InterfaceName -ResourceGroupName $ResourceGroupName
$VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $Interface.Id
$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -Name $VMName -VhdUri $SourceImageUri -Caching "ReadWrite" -CreateOption "Attach" -Linux
New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose

After this, your VM will take a few minutes to create, and you'll be able to login and continue configuration.

Here's one of our busy VPN routers cruising along:

azure_chr

Mikrotik CHR in Microsoft Azure (ARM)

At the time of writing, Mikrotik's current CHR build is 6.35rc49.

While purported to work in a Hyper-V VM, there are no instructions I could find to get one up and running in Microsoft Azure (with ARM).

Knowing that it should be theoretically possible, given Azure utilises a hypervisor with the same origins as Hyper-V, I went down the rabbit hole.

The salient points are as follows:

  • It works! We have stable CHRs in ARM VMs supporting production workloads.
  • You must convert the Mikrotik supplied VHDX to a VHD before uploading to Azure's blob storage, as Azure doesn't support the newer format. (I installed the Hyper-V role on my Windows box, which includes a utility to do the conversion)
  • You must use the -CreateOption Attach parameter with the Set-AzureRmVMOSDisk cmdlet, otherwise you'll end up with an Azure VM object stuck in a "Provisioning" or "Creating" state. You can just use the URL for the VHD you upload to blob storage for the -VhdUri parameter.
  • The CHR VM doesn't respond to Stop or Restart requests from the Resource Manager Portal or PowerShell cmdlets. Attempting these actions can put the CHR VM into an inconsistent state.
  • You can safely delete CHR VMs and the disks are left intact in blob storage and can be re-attached to a new VM. (Would need to re-license)
  • You can restart the router from within Winbox / CLI as well as perform upgrades. (Back up your config first, sometimes the upgrades fail)
  • A lot of scenarios will require IP forwarding to be enabled on your CHR NIC. This can only be done with PowerShell, set the EnableIPForwarding property to true on a NIC object and then update with Set-AzureRmNetworkInterface. Update: IP Forwarding can now be enabled from the Azure Portal in the NIC IP Properties.

If Mikrotik are not forthcoming with some proper Azure instructions, I'll try and expand on these notes with a full set of step by step instructions.

NB: If you're at the point where you're still choosing your cloud provider, CHR is presently much more mature in AWS on EC2 instances.

chr_azure_winbox

Converting an OpenSUSE 11 Guest from VMWare to Hyper-V

Tasked with a V2V of an OpenSUSE 11.3 web app server, I fired up Microsoft Virtual Machine Converter and expected to be met with little resistance. Unfortunately things didn't go smoothly.

I found a few places on the internet referring to a blog post at http://www.coretekservices.com/2014/apr/29/converting-vmware-linux-guest-hyper-v... but it looks as though the URL schema for their blog changed in a recent site redesign.

The updated URL is http://www.coretekservices.com/2014apr29converting-vmware-linux-guest-hyper-v/

Steps three and four of this post solved my problem in short order. Cheers Jeremy.

Win 10: Changing the default app association for PDF files

Microsoft have apparently modified the handling of file associations in Windows 10, adding additional layers of protection for some file types in an effort to prevent file association hijacking.

A number of clients I work with have encountered issues with Edge as the default PDF viewer, namely with printing. Unfortunately, existing GPOs to modify these default app associations appear to be broken by the additional protections. Some hasty troubleshooting revealed that when the registry changes are made, a desktop notification appears to the user informing them that "An app default was reset", and Edge is promptly reverted back to the the default app for PDF files.

It seems that Microsoft's official method to set app associations is by generating an "AppAssociations.xml" file on a reference computer, and then applying this by group policy or directly with dism.exe. This works fine for any new users created on the system, but those with existing profiles are not affected - making this pretty useless for devices already deployed.

After some searching, I managed to piece the following together from a few different articles, which is resolving the problem when applied to our 10586 clients. I have received feedback that this doesn't work on build 10240 though, probably because the ProgID for that build differs.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723]
"NoOpenWith"=""

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList]
"a"="Acrobat.exe"
"MRUList"="a"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids]
"Acrobat.Document.2015"=hex(0):

I found the ProgID for the current version of Edge here:
2016-02-16 17_39_06-Registry Editor

It is the first registry change above that appears to do the magic of preventing Edge from muscling back in when the other changes are made.

This is a frustrating limitation given the supposed design goals of Windows 10. File associations ought to be trivial to update by group policy, and I am sceptical of the rationale behind Microsoft's decision to cripple this functionality.

Installing the Novell Client from a SCCM Task Sequence

Last week I was asked to install the cancer that is the Novell Client (Version 2 SP4 IR1) as part of an SCCM task sequence for a Windows 10 deployment.

Assuming you've already got an install.ini and a novellclientproperties file, you will find that your install is mostly hands free, aside from a prompt asking you to install some Novell drivers, as they are not signed with a trusted cert.

Obviously I didn't want this prompt in the task sequence, so I needed to add Novell's certificate to the trusted certificates store on the machine prior to the client installation.

Microsoft distribute a utility called certmgr.exe inside the Windows SDK which can be given command line arguments to achieve this. I simply copied the utility into the installation directory of my Novell Client SCCM Package, along with the certificate file.

I then created a command line install script in the same directory, as follows:

@ECHO OFF
START "Cert Install" /WAIT "%~dp0certmgr.exe" -add -c %~dp0Novell.cer -s -r localMachine trustedpublisher
START "Client Install" /WAIT "%~dp0setup.exe"

Finally, I created a "Run Command Line" task sequence step, pointing it at my install script and Novell Client package.

task_sequence

Now, when deploying my task sequence, I see Novell's shitty installer open and obligingly install the client with no user input required. It's not elegant, but no environment still using Novell puts any emphasis on elegance anyway.

Suppressing download dialog with Awesomium.NET

Recently I wanted to automatically trigger and extract some backup files from a web application. Their smug support guy told me this wasn't possible, so I started to throw together a little scraper to prove them wrong.

This particular web app does some funky stuff with javascript when authenticating users, so I couldn't use the HttpWebRequest or WebClient classes. Given that the built-in Web Browser control is a pile of shit, I installed the Awesomium SDK which turned out to be very pleasant to work with. You can just inject your own JS which gives you a lot of flexibility.

I ran across an issue when triggering the actual download of my backup file. A download file dialog displays by default, which is less than ideal. The documentation doesn't do a great job of explaining how to override this behavior, so here's a quick overview of what I did in VB.NET:

Pop this in with your import statements:

Imports Awesomium.Core

Add an event handler:

AddHandler WebCore.Download, AddressOf SkipDLPath

And then put something like this in your handler method:

Private Sub SkipDLPath(sender As Object, e As DownloadEventArgs)
Dim DLPath as String = "C:\Backups\myBackup.zip"
e.Handled = True
e.SelectedFile = DLPath
End Sub

The file chooser prompt should be suppressed and Awesomium will happily start downloading the file. I monitored the progress and completion using the DownloadItem class.

Voilà!
scraper