Wednesday 29 August 2018

Legacy Windows XP for Industrial Machine Access and Management and Accounting Apps

There are quite a few systems out there that still use Windows XP or an earlier operating system to run the equipment.

So, what do we do when we need to get access to one of these kinds of machines?

Well for one, we make sure they are completely isolated and not accessible from anywhere except perhaps one secure jump point.

For another, when we do need to access the legacy system here's one method that allows for maintaining the legacy system's isolation:

  1. Enable RDP Inbound on the legacy system (Windows)
  2. Set up a vanilla Windows 7 Service Pack 1 VM that is set to not update
    • This would be our jump point
    • The Win7 VM would be left off except when needed
    • If need be, set this VM up on a laptop that can be plugged in to the legacy system's network
  3. Set up any needed tools on the Win7 VM
    • RMM, Remote Desktop Shadow/Sharing tools, Firefox (leave the base level IE in place), any needed tools
  4. Log on to the legacy Windows XP via RDP
    • Make sure Drive Redirection is enabled
    • Use Drive Redirection to transfer any files that won't go via Copy & Paste (Clipboard)
  5. Use the Win7 VM as the default work-from desktop
  6. When done, shut the Win7VM down
    • Unplug from the legacy network when done if using a laptop with the Win7VM

For legacy systems require some form of *NIX the above process can be used for a vanilla install of the needed distro and kept offline until needed.

The principle at work here is to keep the legacy systems isolated from everywhere especially the Internet. And, to keep any jump points running an intermediary operating system that is too far back to keep safe and secure offline until needed.

As an FYI, we keep one or two legacy Windows 7 and Windows XP VMs in an offline state with legacy accounting applications installed as a just-in-case. There are times where a firm may need to go way back for a client file.

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service

Wednesday 15 August 2018

PowerShell Paradise: Installing and Configuring Visual Studio Code (VS Code) and Git

It was Ben Thomas that gave me the prodding to look into Visual Studio Code (VS Code) for PowerShell coding and troubleshooting. I had an error in a PowerShell step that puzzled me. It turned out to be the auto-replaced hyphens that got introduced into that PowerShell step somewhere along the lines since I keep (kept) everything in OneNote.

There are several reasons why coding in any form are difficult for me, suffice it to say it took a few days to get over the, "Oh no, yet something else to learn" initial reaction to that prodding.

With a little downtime late last week, the opportunity presented itself to at least do a cursory search and skim of info on VS Code and PowerShell.

What I saw amazed me so much so that the time to learn became a non-starter.

First, download VS Code but don't install it right away.

Next, download GIT for Windows (there's other versions).

Now, there's a bit of a Catch-22 in this process as Git looks for VS Code and VS Code looks for Git.

Install VS Code and Git

Install order to make things simple:

  1. Install VS Code
    • image
  2. Run VS Code and ignore the Git prompt
    • image
  3. Install Git and choose VS Code
    • image
    • This is where things can get weird. If VS Code does not get started first, the Next button will not light up!
    • If not, leave this window, start VS Code, ignore the prompt, and close it.
    • Hit the Back button and then the Next button again and the Next button on this window should now be lit up.
  4. We chose Use Git from the Windows Command Prompt
    • image
  5. On the next window Use the OpenSSL Library
  6. Checkout Windows-style, commit Unix-style line endings
    • image
  7. Use MinTTY (the default terminal of MSYS2)
    • image
  8. We left the defaults for Configuring extra options
    • Enable file system caching
    • Enable Git Credential Manager

Once Git has been installed the next thing to do is to start VS Code and it should find Git:


Initialize the Git Repository

A few more steps and we'll be ready to code a new PowerShell script, or transfer in from whatever method we've been using prior.

  1. Create a new folder to store everything in
    • We're using OneDrive Consumer as a location for ours to make it easily accessible
  2. CTRL+SHFT+E --> Open Folder --> Folder created above
    • VS Code will reload when the folder has been chosen
  3. CTRL+SHFT+G --> Click the Initialize Repository button
    • image
  4. Click the Initialize Repository button with the folder we opened being the default location
  5. Git should be happy
    • image

Now, we're almost there!

VS Code Extension Installation

The last steps are to get the PowerShell Extension installed and tweak the setup to use it.

  2. Type PowerShell in the Marketplace search
  3. Click the little green Install button then after the install the little blue Reload button
    • image
  4. Additional VS Code Extensions we install by default
    1. Better Comments
      • Allows for colour coded # ! PowerShell Comments
    2. Git History
      • Allows us to look at what's happening in Git
    3. VSCode-Icons
      • Custom icons in VS Code

VS Code Quick Navigation

Once done, the following key strokes are the first few needed to get around and then there's one more step:

  • Source Control: Git: CTRL+SHFT+G
  • Extensions: CTRL+SHFT+X
  • Folder/File Explorer: CTRL+SHFT+E
  • User/Workspace Settings: CTRL+,

Create the Workspace

And finally, the last step is to:

  1. File
  2. Save Workspace As
  3. Navigate to the above created folder
  4. Name the Workspace accordingly
  5. Click the Save button

Then, it's Ready, Set, Code! :)

Note that the PowerShell .PS1 files should be saved in the Workspace folder and/or subfolders to work with them.

To start all new files in the PowerShell language by default add the following to User Settings

  1. CTRL+,
  2.     "files.defaultLanguage": "powershell"

One of the beauties of this setup is the ability to look at various versions of the files, much like we can with SharePoint and Office files, to compare the changes made over the history of the PowerShell Code.

Another is the ability to see in glorious colour!


Thanks to Ben Thomas' challenge PowerShell is already so much easier to work with!

2018-08-15 EDIT: Oops, missed one important step.

  1. Open Git GUI
  2. Click Open Existing Repository
  3. Navigate to the Workspace folder with the .git hidden folder
  4. Open
  5. Set the User's name and E-mail address for both settings
    • image
  6. Click Save

Git should be happy to Commit after that! :)

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book !
Our Web Site
Our Cloud Service

Friday 10 August 2018

Intel/LSI/Avago StorCli Error: syntax error, unexpected $end FIX

We're working with an Intel setup and needed to verify the setup on an Intel RAID Controller.

After downloading the command line utilities, since we're in Server Core, we hit this:

C:\Temp\Windows>storcli /cx show

syntax error, unexpected $end

     Storage Command Line Tool  Ver 007.0415.0000.0000 Feb 13, 2018

     (c)Copyright 2018, AVAGO Technologies, All Rights Reserved.

help - lists all the commands with their usage. E.g. storcli help
<command> help - gives details about a particular command. E.g. storcli add help

List of commands:

Commands   Description
add        Adds/creates a new element to controller like VD,Spare..etc
delete     Deletes an element like VD,Spare
show       Displays information about an element
set        Set a particular value to a property
get        Get a particular value to a property
compare    Compares particular value to a property
start      Start background operation
stop       Stop background operation
pause      Pause background operation
resume     Resume background operation
download   Downloads file to given device
expand     expands size of given drive
insert     inserts new drive for missing
transform  downgrades the controller
/cx        Controller specific commands
/ex        Enclosure specific commands
/sx        Slot/PD specific commands
/vx        Virtual drive specific commands
/dx        Disk group specific commands
/fall      Foreign configuration specific commands
/px        Phy specific commands
/[bbu|cv]  Battery Backup Unit, Cachevault commands
/jbodx      JBOD drive specific commands

Other aliases : cachecade, freespace, sysinfo

Use a combination of commands to filter the output of help further.
E.g. 'storcli cx show help' displays all the show operations on cx.
Use verbose for detailed description E.g. 'storcli add  verbose help'
Use 'page=[x]' as the last option in all the commands to set the page break.
X=lines per page. E.g. 'storcli help page=10'
Use J as the last option to print the command output in JSON format
Command options must be entered in the same order as displayed in the help of
the respective commands.

What the Help does not make clear, and what our stumbling block was, is what exactly we're missing.

It turns out, that the correct command is:

C:\Temp\Windows>storcli /c0 show jbod
CLI Version = 007.0415.0000.0000 Feb 13, 2018
Operating system = Windows Server 2016
Controller = 0
Status = Success
Description = None

Controller Properties :

Ctrl_Prop Value
JBOD      ON

CFShld-Configured shielded|Cpybck-CopyBack|CBShld-Copyback Shielded

The /cx switch needed a number for the controller ID.

A quick search turned up the following:

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service

Thursday 9 August 2018

PowerShell: Add-Computer Error when Specifying OUPath: The parameter is incorrect FIX

We're in the process of setting up a second 2-node Kepler-64 cluster when we hit this when running the Add-Computer PowerShell to domain join a node:

Add-Computer : Computer 'S2D-Node03' failed to join domain 'Corp.Domain.Com from its current
workgroup 'WORKGROUP' with following error message: The parameter is incorrect.
At line:1 char:1
+ Add-Computer -Domain Corp.Domain.Com -Credential Corp\DomainAdmin -OUPath  …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : OperationStopped: (S2D-Node03:String) [Add-Computer], InvalidOperation
     + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComp

The PowerShell line it's complaining about is this one:

Add-Computer -Domain Corp.Domain.Com -Credential Corp\DomainAdmin -OUPath "OU=S2D-OpenNodes,OU=S2D-Clusters,DC=Corp,DC=Domain,DC-Com" -Restart

Do you see it ? ;)

The correct PoSh for this step is actually:

Add-Computer -Domain Corp.Domain.Com -Credential Corp\DomainAdmin -OUPath "OU=S2D-OpenNodes,OU=S2D-Clusters,DC=Corp,DC=Domain,DC=Com" -Restart

When specifying the OUPath option if there is any typo in that setting the nondescript error is "The parameter is incorrect."

We always prefer to drop a server or desktop right into their respective OU containers as that allows our Group Policy settings to take giving us full access upon reboot and more.

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book !
Our Web Site
Our Cloud Service

Wednesday 8 August 2018

QuickBooks Desktop Freezes: Running Payroll, Downloading Online Transactions, and Closing Company File - Workaround

There seems to be an issue with the Canadian version of Intuit QuickBooks where the software freezes when doing a payroll run, downloading online transactions into QuickBooks, and when closing the Company file.

The workaround is to do the following:

  1. Close your company file.
  2. Open a sample file within QuickBooks
  3. From the No Company Open window, select Open a sample file
  4. Select a sample company file
  5. Click Ok to the warning You're opening a QuickBooks Desktop sample company file.
  6. In the sample company file, go to the Employees menu > Pay Employees > Scheduled Payroll
  7. Click Start Scheduled Payroll.
  8. Click Continue.
  9. Select one of the employees listed and click Continue.
  10. Click Ok to the warning message.
  11. Click Create Pay Cheques.
  12. Click Yes to the Past Transactions message.
  13. Click Close

We have a confirmation with one of our accounting firm clients that had the problem that this "fixes" it at least for now.

Intuit Help Article: QuickBooks Desktop freezes trying to create paycheques (CA only)

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service

Monday 6 August 2018

Cloud Hosting Architecture: Tenant Isolation

Cloud Vendors Compromised

Given the number of backchannels we are a part of we get to hear horror stories where Cloud Vendors are compromised in some way or get hit by an encryption event that takes their client/customer facing systems out.

When we architect a hosting system for a hosting company looking to deploy our solutions in their hosting setup, or to set up an entirely new hosting project, there are some very important elements to our configuration that would help to prevent the above from happening.

A lot of what we have put into our design is very much a result of our experiences on the frontlines with SMB and SME clients.

One blog post that provides some insight: Protecting a Backup Repository from Malware and Ransomware.

It is absolutely critical to isolate and off-site any and all backups. We've also seen a number of news items of late where a company is completely hosed as a result of an encryption event or other failure only to find out the backups were either wiped by the perps or no good in the first place.

Blog Post: Backups Should Be Bare Metal and/or Virtually Test Restored Right?

The full bare metal or virtual restore is virtually impossible at hyper-scale. Though, we've seen that the backups being done in some hyper-scale cloud vendor's environments have proven to be able to be restored while in others a complete failure!

However, that does not excuse the cloud customer or their cloud consultancy from making sure that any and all cloud based services are backed up _off the cloud_ and air-gapped as a just-in-case.

Now, to the specific point of this blog post.

Tenant Isolation Technique

When we set up a hosting solution we aim to provide maximum security for the tenant. That's the aim as they are the ones that are paying the bills.

To do that, the hosting company needs to provide a series of layered protections for tenant environments.

  1. Hosting Company Network
    • Hosting company AD
    • All hosting company day-to-day operations
    • All hosting company on-premises workloads specific to company operations and business
    • Dedicated hosting company edges (SonicWALL ETC)
  2. Tenant Infrastructure Network
    • Jump Point for managing via dedicated Tenant Infrastructure AD
    • High Availability (HA) throughout the solution stack
    • Dedicated Tenant Infrastructure HA edges
      • Risk versus Reward: Could use the above edges but …
    • Clusters, servers, and services providing the tenant environment
    • Dedicated infrastructure switches and edges
    • As mentioned, backups set up and isolated from all three!
  3. Tenant Environment
    • Shared Tenant AD is completely autonomous
    • Shared Tenant Resources such as Exchange, SQL, and more are appropriately isolated
    • Dedicated Tenant AD is completely autonomous
    • Dedicated Tenant Resources such as Exchange, SQL, and more are completely isolated to the tenant
    • Offer a built-in off-the-cloud backup solution

With the solution architected in this manner we protect the boundaries between the Hosting Company Network and the Tenant Environment. This makes it extremely difficult for a compromise/encryption event to make the boundary traversal without some sort of Zero Day involved.


We've seen a few encryption events in our own cloud services tenants. None of them have traversed the dedicated tenant environments they were a part of. None. Nada. Zippo.

Containment is key. It's not "if" but "when" an encryption event happens.

Thus, architecting a hosting solution with the various environment boundaries in mind is key to surviving an encryption event and looking like a hero when the tenant's data gets restored post clean-up.

Thanks for reading!

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Web Site
Our Cloud Service