Installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot

Posted on by
192

Introduction

This blog will be all about installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot. I’m running Windows Server 2016 as my main OS for lab, testing, Hyper-V with nested virtualization etc. I like it that way because I have all the options of the server OS at my disposal. Especially with the nested virtualization an NVME disk comes in handy. I also boot from NVMe so I need UEFI and use secure boot. That’s OK as it’s way better than the old BIOS and enables more scenario.

Windows Server 2016 doesn’t have any drivers for the I211, I217V, I218V and the I219V NICs.

clip_image001

The Intel driver for them are only for Windows 10 and won’t install on a server OS. As you can see in the screenshot above that’s a system where I have the I211 driver already installed actually. We’ll work on the I218V as an example here.

clip_image002

That’s nothing new and we’ve dealt with this before by editing the .inf file for the driver. What might be new to some people as EUFI & NVME become a bit more popular is how to get a driver with an edited .inf file installed on your Windows Server OS.

Don’t worry even with an OS booting from EUFI with secure boot you can still disable driver signing / integrity checking when needed. We’ll walk you through an approach for installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot.

Installing Intel I211, I217V, I218V and I219V drivers on Windows Server 2016 with EUFI boot

Google for the Intel drivers of your NIC. Mine is a I218V. The instructions will work for a I217V or and i219V as well. Just adapt accordingly.

clip_image004

clip_image006

After downloading the most recent Windows 10 (x64 bit, we’ll use them with a server OS so there is no 32 bit here) Intel drivers form the Intel site we rename the exe to identify what package it is. We then extract the content to our work space. A free tool like 7zip will do the job just fine.

clip_image007

Prepping the .INF file

For the I211 we need to edit the .inf file and for the I217V, 218V and 219V we’ll edit the e1d65x64.inf file in note pad or your editor of choice. You’ll find it in the NDIS65 folder: C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65. The 65 in the folder and file names identifies our OS version (Windows 10 / Windows Server 2016).

But how do we know what .inf file to edit? We grab the hardware ID’s from the properties of our NIC or NICS.

clip_image008

Below you see the Hardware IDs for mu I218V. The I211 has PCI\VEN_8086&DEV_1539&SUBSYS_85F01043&REV_03 and my Iv218V has PCI\VEN_8086&DEV_15A1&SUBSYS_85C41043&REV_05.

Drop the PCI\ from the beginning of the string and everything from the “&” on at the end. So for the I211 we’ll use VEN_8086&DEV_1539 and for the I218V we’ll use VEN_8086&DEV_15A1. We throw these ID strings into some PowerShell we run in our C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65 folder.

Get-ChildItem -Path “C:\SysAdmin\IntelWindows10Drivers21.1\PRO1000\Winx64\NDIS65” `

-recurse | Select-String -pattern “ven_8086&dev_1539” | group path | select name

Get-ChildItem -Path “C:\SysAdmin\IntelWindows10Drivers21.1\PRO1000\Winx64\NDIS65” `

-recurse | Select-String -pattern “ven_8086&dev_15A1” | group path | select name

clip_image010

So for my I218V I open op the e1d65x64.inf file in notepad++

clip_image012

I search for [ControlFlags] section and I edit the content of that section by deleting everything in it.

clip_image014

So it looks likes

clip_image016

Then I search for section [Intel.NTamd64.10.0.1] and I copy everything in there (I don’t bother to only copy the entries for my particular NIC or so.

Copy everything under that heading

clip_image018

I then search for section [Intel.NTamd64.10.0] and I paste what I just copied from section [Intel.NTamd64.10.0.1] nicely underneath what’s already in there.

clip_image020

Save the file. Basically, you’re done here.

Installing the driver

We now need to alter the standard startup setting of Windows Server 2016 temporarily because we will not be able to install a driver that’s been tampered with. If you don’t lower the security settings, you’ll get an error just like this one:

clip_image021

What I did is run the following in an elevated command prompt:

bcdedit /set LOADOPTIONS DISABLE_INTEGRITY_CHECKS

Note: as I’m using UEFI & secure boot the following won’t work as if you were using an older BIOS without secure boot.

bcdedit /set TESTSIGNING ON

bcdedit /set nointegritychecks OFF

clip_image022

But that’s OK. What we need to do is turn it of in another way. That last command bcdedit /set nointegritychecks OFF iIs not needed anyway. So, forget about that one. As a replacement for bcdedit /set TESTSIGNING ON you can use and advanced start option (requires reboot). You can also disable secure boot in EUFI, start again and then run bcdedit /set TESTSIGNING ON. I prefer the first as fixes itself the next boot and I don’t have to turn secure boot on again afterwards.

Go to setting and select Update & security.

clip_image024

Navigate to Recovery and click Restart Now

clip_image026

It will reboot to the following screen.Click Troubleshoot.

clip_image027

Select and click Advanced options.

clip_image029

Click Startup Settings.

clip_image031

We click restart on the next screen

clip_image033

It will restart Advanced boot options. Select to disable driver signature enforcement. Hit ENTER.

clip_image035

When your server has restarted, you’ll be able to install the driver you tampered with. To do so, in device manager select your NIC and click Update Driver Software.

clip_image037

Select to Browse my computer for driver software

clip_image039

Point to the C:\SysAdmin\PROWinx64\PRO1000\Winx64\NDIS65 folder with your edited .inf files.

clip_image041

You’ll get a warning that the publisher of this driver can’t be verified. But as you’re the one doing the tampering here, you’ll be fine.

clip_image043

The result is successful install of the driver with a functional NIC for your system.

clip_image045

Cool, you’re in business!

No please reverse the setting you made to the integrity checks to make your system more secure again. From an elevated command prompt run:

bcdedit /set LOADOPTIONS ENABLE_INTEGRITY_CHECKS

Now reboot and you’re all secure again. That’s it, you’re done. I had both an I211 and an I218V NIC on my motherboard so I had to do this for both. Happy testing!

You cannot connect multiple NICs to a single Hyper-V vSwitch without teaming on the host

Posted on by
Reply

Can you connect multiple NICs to a single Hyper-V vSwitch without teaming on the host

Recently I got a question on whether a Hyper-V virtual switch can be connected to multiple NICs without teaming. The answer is no. You cannot connect multiple NICs to a single Hyper-V vSwitch without teaming on the host.

This question makes sense as many people are interested in the ease of use and the great results of SMB Multichannel when it comes to aggregation and redundancy. But the answer lies in the name “SMB”. It’s only available for SMB traffic. Believe it or not but there is still a massive amount of network traffic that is not SMB and all that traffic has to pass through the Hyper-v vSwitch.

What can we do?

Which means that any redundant scenario that requires other traffic to be supported than SMB 3 will need to use a different solution than SMB Multichannel. Basically, this means using NIC teaming on a server. In the pre Windows Server 2012 era that meant 3rd party products. Since Windows Server 2012 it means native LBFO (switch independent, static or LACP). In Windows Server 2016 Switch Embedded Teaming (SET) was added to your choice op options. SET only supports switch independent teaming (for now?).

If redundancy on the vSwitch is not an option you can use multiple vSwitches connected to separate NIC and physical switches with Windows native LBFO inside the guests. That works but it’s a lot of extra work and overhead so you only do this when it makes sense. One such an example is SR-IOV which isn’t exposed on top of  a LBFO team.

Unable to correctly configure Time Service on non PDC Domain Controller

Posted on by
Reply

Introduction

Around new year, between the 31st 2016 and the 1st of January 2017 some ISP had issues with the time service. It jumped 24 hours ahead. This cause all kinds of on line services issues ranging from non working digital TV to problems with the time service within companies. That caused some intervention time and temporarily switching the external reliable NTP time server sources to another provider that didn’t show this behavior. Some services required a server reboot to sort things out but things were operational again. But it became clear we still had a lingering issue afterwards as we were unable to correctly configure Time Service on non PDC Domain Controller.

Unable to correctly configure Time Service on non PDC Domain Controller

A few days later we still had one domain, which happend to be 100% virtualized, with issues. As turned out the second domain controller, which did not hold the PDC role, wasn’t syncing with the PDC. No matter what we tried to get it to do so. If you want to find out how to do this properly for virtualized environment I refer you to a blog post by Ben Armstrong Time Synchronization in Hyper-V and fellow MVP Kevin Green Hyper V Time Synchronization on a Windows Based Network.

But no matter what I did, the DC kept  getting the wrong date. I could configure it to refer to the PDC as much as I wanted, nothing helped. It also kept saying the source for the time was the local CMOS (w32tm /query /source). I kept getting an error, we’re normally able to fix by configuring the time service correctly.

image

Another trouble shooting path

The IT universe was not aligned to let me succeed. So that’s when you quit … for a coffee break. You relax a bit, look out of the window whilst sipping from your coffee. After that you dive back in.

I dove into the registry settings for the Windows time service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time of a functional DC in my lab and the one of the problematic DC in the production domain.  I started comparing the settings and it all seemed to be in order. But for one serious issue with the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security key on the problematic DC.

Trying to open that key greeted me with the following error:

Error Opening key

Security cannot be opened. An error is preventing this key from being opened. Details: The system cannot find the file specified.

image

That key was empty. Not good!

image

I exported the entire W32Time registry key and the Security key as a backup for good measure on the problematic DC and I grabbed an export of the security key from the working DC (any functional domain joined server will do) and imported that into the problematic DC. The next step was to restart the time service but that wasn’t enough or I was to inpatient. So finally I restarted the DC and after 10 minutes I got the result I needed …

image

Problem solved Smile

Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

Posted on by
31

Introduction

I was in the process of setting up a new jump server a management station server virtual machine on Windows Server 2016 Hyper-V. The guest was also Windows Server 2016 (desktop install). That station needed to be used to manage some aging Brocade fibre channel switches. With the default setting and links this will give you some headaches and some solution require you to keep older and insecure browser or java versions installed. We’ll show you how to get GUI access to your FC switches without needing to do that so you can manage your Brocade Fibre channel switch with recent Java & browser versions. Well not all of them, but it can be done with IE 11 and Firefox 52.0.1 (at the time of writing).

Another solution is to use the CLI naturally.

Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

It’s OK to use the most recent Java version available. At the moment that I wrote this blog post that was Java 1.8.0.121. I can’t give guarantees other than that, but for now that does work.

Instead of navigating to http or https to just the IP address which will send you to https://x.x..x.x/switchexplorer you need to create a shortcut link to the following: https://10.30.2.2/switchexplorer_installed.html (or http://10.30.2.2/switchexplorer_installed.html if you have not enabled https on your switch).

Like this:

clip_image001

I normally change the icon to the shortcut to indicate it’s pointing to a network device. I actually created some ico files based on an image of brocades Fibre Channel switches that I use for this. I just place then under C:\Programdata\BrocadeFC for safe keeping together with a cop of the short cuts. On the management station, I add them to the desktop for easy access. Below is a screenshot of my Windows 10 or Windows Server 2016 (Desktop Experience) management station.

clip_image002

But we’re not there yet. You need to go to Java configuration and select the Security Tab. Make sure Enable Java Content in the browser is enabled. Leave the security at high but don’t forget to add the IP addresses of your Brocade switch to the Exception Site List.

clip_image004

You’ll need to add http or https or both depending on your situation. I think we can all agree we should go for https in this day and age.

In Firefox when you launch the shortcut you’ll get asked what app to use for opening this file.

clip_image005

Make sure you point it to javaws.exe (in C:\Program Files (x86)\Java\jre1.8.0_121\bin) if that’s not the case.

clip_image007Also, check to “Do this automatically for files like this from now on” for faster access during normal operations.

In Internet Explorer allow the add-on “Java SE Runtime Environment 8 Update 121 from Oracle America Inc.” to run.

clip_image009

When it comes to Chrome, this doesn’t’ work anymore. See https://www.java.com/en/download/faq/chrome.xml

When the application is launched, depending on the age of the fibre channel switch and the version of the firmware you’ll be greeted by a more or less harsh security warning.

clip_image010

clip_image011

Check the “I accept the risk and want to run this application” or “Do not show this again for this app from the publisher above” depending on the case. This also allows for easy access the next time you launch the shortcut. The app will launch and you’ll be greeted by the login screen.

clip_image012

Juts log in and there’s nothing more to it. You can now manage your FC switches from Firefox again.

image

Hope this helps some of you out there that come across this issue.