Hyper-V integration components 6.3.9600.18692

Posted on by
6

After the July 2017 round of patching we got a new version of the Hyper-V integration components on Windows Server 2012 R2. Yes, something that you no longer need to deal with manually since Windows Server 2016. But hey, my guess is that many of you are still taking care of Windows Server 2012 R2 Hyper-V deployments. I’m still taking care of a couple of Windows Server 2012 R2 Clusters, so don’t be shy now.

The newest version (at the time of writing) is 6.3.9600.18692 and 1st appeared in the June 27, 2017—KB4022720 (Preview of Monthly Rollup) update. It has since  been release in the July 11, 2017—KB4025336 (Monthly Rollup) update. You can follow up on the versions of the IC via this link Hyper-V Integration Services: List of Build Numbers

image

That means that you’ll need to upgrade the integration components for the VMs running on your Hyper-V (cluster) nodes after patching those.

image

And yes despite some issues we have seen with QA on updates in the past we still keep our environment very well up to date as when doing balanced risk management the benefits of a modern, well patched environment are very much there. Both for fixing bugs and mitigating security risks. Remember WannaCry ?

So my automation script has run against my Windows Server 2012 R2  Clusters. have you taken care of yours? I did adapt it to deal with the ever growing number of Windows Server 2016 VMs we see running, yes even on Windows Server 2012 R2 Hyper-V hosts.

image

Vast Experience in NoSQL design

Posted on by
Reply

Staff with a vast experience in NoSQL design?

Some days you come across implementations that make you doubt the sanity of the IT industry. That and our collective ability to learn and make progress.

Note: No fungi, plants, animals or humans were hurt due to the below. It did hurt the psychological well being of one DBA. He’s recovering well en doing fine. thank you for asking.

Some time back I came across this “beauty” at a company that spends many millions per year on developer staff and consultants. It makes uses of modern tools, technologies, frame works. They have coaches for anything you can imagine etc. From a budget and resource perspective they checks all the right boxes. They have analysts, project managers and ITIL with change board and all. Apparently they’re also very deeply invested in and have a staff with a vast experience in NoSQL design. Pun intended.

So on a Windows Server 2016 virtual machine, running SQL Server 2016 there was a request to implement a change to a table: add a ‘MonthNumber’ column to a table. That’s when you find these gems of table design:

image

It’s in Dutch but most of you will notice what’s the issue here.  The optimists call this “NOSQL” I’m sure, and they’re welcome to it Smile.

You don’t have to fight all fights

The good news is they don’t design mission critical systems, don’t do civil engineering or develop software for life or death surgery with robotics. Normally when it’s something that matters this sets off all the alarms and we have to intervene. But they’re quite happy with it and it’s all ITIL approved and compliant with the DevOps  &  agile principles they adhere to. That’s quite a challenge for any organization, to combine these successfully.

I have no skin in this game, so I quietly walked away and when the column was added they were happy and at peace. This fight is not mine, not today.

The Federation Service was unable to create the federation metadata document as a result of an error.Document Path: /FederationMetadata/2007-06/FederationMetadata.xml

Posted on by
2

While working on upgrading a Windows 2012 R2 ADFS Farm to Window Server 2016 I noticed the worried looks of the systems administrators while looking at a warning in the ADFS event log, which they wanted to trouble shoot. I knew they had a hardware load balancer in place which made me 99.999% sure it wasn’t a real issue. You see, early documentation on configuring load balancing for and ADFS farm was often configured with a health check for the following url: /FederationMetadata/2007-06/FederationMetadata.xml. This leads you to an XML file that should be available on a working ADFS node.

This works fine. The Kemp Loadmaster knows the ADFS nodes are functional or not and can do it’s job. There’s a nagging issue however. The ADFS log on the ADFS farm node keep logging every health check with a warning

Event ID 143 AD FS

The Federation Service was unable to create the federation metadata document as a result of an error.Document Path: /FederationMetadata/2007-06/FederationMetadata.xml

Additional Data
Exception details:
System.Net.HttpListenerException (0x80004005): The specified network name is no longer available at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result)

As you cans see it just fills the logs every 9 seconds (the frequency of the health check).

image

This leads to hunting for a “ghost” issue that’s actually only an artefact of checking for .

Kemp has updated their documentation with 2 other values for the health check url to use. The good news is these don’t cause the above artefact of logging warning to the ADFS event log. These 2 options are:

  • /adfs/services/trust/mex

image

This leads to an XML file as well but it doesn’t cause the warning to be logged.

image

  • /adfs/ls/idpInitiatedSignon.aspx.

This leads to the ADFS login page which also doesn’t cause a warning to be logged.

So by changing your health check to any of the  above you get a functional health check for your nodes and you don’t have the phantom warning entries in the ADFS event log. That’s a lot better and at least doesn’t cause any unneeded concerns by the initiated accidental ADFS administrator.

Installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot

Posted on by
185

Introduction

This blog will be all about installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot. I’m running Windows Server 2016 as my main OS for lab, testing, Hyper-V with nested virtualization etc. I like it that way because I have all the options of the server OS at my disposal. Especially with the nested virtualization an NVME disk comes in handy. I also boot from NVMe so I need UEFI and use secure boot. That’s OK as it’s way better than the old BIOS and enables more scenario.

Windows Server 2016 doesn’t have any drivers for the I211, I217V, I218V and the I219V NICs.

clip_image001

The Intel driver for them are only for Windows 10 and won’t install on a server OS. As you can see in the screenshot above that’s a system where I have the I211 driver already installed actually. We’ll work on the I218V as an example here.

clip_image002

That’s nothing new and we’ve dealt with this before by editing the .inf file for the driver. What might be new to some people as EUFI & NVME become a bit more popular is how to get a driver with an edited .inf file installed on your Windows Server OS.

Don’t worry even with an OS booting from EUFI with secure boot you can still disable driver signing / integrity checking when needed. We’ll walk you through an approach for installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot.

Installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot

Google for the Intel drivers of your NIC. Mine is a I218V. The instructions will work for a I217V or and i219V as well. Just adapt accordingly.

clip_image004

clip_image006

After downloading the most recent Windows 10 (x64 bit, we’ll use them with a server OS so there is no 32 bit here) Intel drivers form the Intel site we rename the exe to identify what package it is. We then extract the content to our work space. A free tool like 7zip will do the job just fine.

clip_image007

Prepping the .INF file

For the I211 we need to edit the .inf file and for the I217V, 218V and 219V we’ll edit the e1d65x64.inf file in note pad or your editor of choice. You’ll find it in the NDIS65 folder: C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65. The 65 in the folder and file names identifies our OS version (Windows 10 / Windows Server 2016).

But how do we know what .inf file to edit? We grab the hardware ID’s from the properties of our NIC or NICS.

clip_image008

Below you see the Hardware IDs for mu I218V. The I211 has PCI\VEN_8086&DEV_1539&SUBSYS_85F01043&REV_03 and my Iv218V has PCI\VEN_8086&DEV_15A1&SUBSYS_85C41043&REV_05.

Drop the PCI\ from the beginning of the string and everything from the “&” on at the end. So for the I211 we’ll use VEN_8086&DEV_1539 and for the I218V we’ll use VEN_8086&DEV_15A1. We throw these ID strings into some PowerShell we run in our C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65 folder.

Get-ChildItem -Path “C:\SysAdmin\IntelWindows10Drivers21.1\PRO1000\Winx64\NDIS65” `

-recurse | Select-String -pattern “ven_8086&dev_1539” | group path | select name

Get-ChildItem -Path “C:\SysAdmin\IntelWindows10Drivers21.1\PRO1000\Winx64\NDIS65” `

-recurse | Select-String -pattern “ven_8086&dev_15A1” | group path | select name

clip_image010

So for my I218V I open op the e1d65x64.inf file in notepad++

clip_image012

I search for [ControlFlags] section and I edit the content of that section by deleting everything in it.

clip_image014

So it looks likes

clip_image016

Then I search for section [Intel.NTamd64.10.0.1] and I copy everything in there (I don’t bother to only copy the entries for my particular NIC or so.

Copy everything under that heading

clip_image018

I then search for section [Intel.NTamd64.10.0] and I paste what I just copied from section [Intel.NTamd64.10.0.1] nicely underneath what’s already in there.

clip_image020

Save the file. Basically, you’re done here.

Installing the driver

We now need to alter the standard startup setting of Windows Server 2016 temporarily because we will not be able to install a driver that’s been tampered with. If you don’t lower the security settings, you’ll get an error just like this one:

clip_image021

What I did is run the following in an elevated command prompt:

bcdedit /set LOADOPTIONS DISABLE_INTEGRITY_CHECKS

Note: as I’m using UEFI & secure boot the following won’t work as if you were using an older BIOS without secure boot.

bcdedit /set TESTSIGNING ON

bcdedit /set nointegritychecks OFF

clip_image022

But that’s OK. What we need to do is turn it of in another way. That last command bcdedit /set nointegritychecks OFF iIs not needed anyway. So, forget about that one. As a replacement for bcdedit /set TESTSIGNING ON you can use and advanced start option (requires reboot). You can also disable secure boot in EUFI, start again and then run bcdedit /set TESTSIGNING ON. I prefer the first as fixes itself the next boot and I don’t have to turn secure boot on again afterwards.

Go to setting and select Update & security.

clip_image024

Navigate to Recovery and click Restart Now

clip_image026

It will reboot to the following screen.Click Troubleshoot.

clip_image027

Select and click Advanced options.

clip_image029

Click Startup Settings.

clip_image031

We click restart on the next screen

clip_image033

It will restart Advanced boot options. Select to disable driver signature enforcement. Hit ENTER.

clip_image035

When your server has restarted, you’ll be able to install the driver you tampered with. To do so, in device manager select your NIC and click Update Driver Software.

clip_image037

Select to Browse my computer for driver software

clip_image039

Point to the C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65 folder with your edited .inf files.

clip_image041

You’ll get a warning that the publisher of this driver can’t be verified. But as you’re the one doing the tampering here, you’ll be fine.

clip_image043

The result is successful install of the driver with a functional NIC for your system.

clip_image045

Cool, you’re in business!

No please reverse the setting you made to the integrity checks to make your system more secure again. From an elevated command prompt run:

bcdedit /set LOADOPTIONS ENABLE_INTEGRITY_CHECKS

Now reboot and you’re all secure again. That’s it, you’re done. I had both an I211 and an I218V NIC on my motherboard so I had to do this for both. Happy testing!