Setting up the lab environment – Hyper-V: Virtual Machines

Now to the good stuff

Usually when working with Hyper-V I use reference disks, mainly to save space on rather expensive disks. But is there much to gain when using deduplication? I was on sure, so asked in Tech Konnect

The response from Tech Konnect confirmed, when using deduplication, it out wages the other issues with reference disks, rather than saving disk space.

Since it’s not possible to create folders or groups within the Hyper-V Management Console, I will be using a naming standard: <Group> – <Generation> – <OS> – <hostname>

The first Virtual Machine will be a Domain Controller, what better way to start?

Virtual Machine Configuration:
Generation: 2
Startup memory: 4096
Dynamic Memory: Enabled
Network Connection: External
Disk size: 60 GB
Boot from the ISO File – Windows Server 2016 Standard (Desktop Experience)

The quick wins for a Generation 2 Virtual Machine

  • PXE Boot by using a standard network adapter
  • Boot from a SCSI virtual hard disk
  • Boot from SCSI virtual DVD
  • Secure Boot (enabled by default
  • UEFI firmware support
  • Shielded Virtual Machines
  • Storage spaces direct
  • Hot add/removal of virtual network adapters

Note: IDE drives and legacy network adapter support has been removed.
For more info: Generation 2 Virtual Machine Overview and Hyper-V feature compatibility by Generation and Guest

The memory assigned might be a bit overkill, but for now it will be OK.
When configuring the second DC i will only assign: 2048.
The complete installation time to logon was 3 minutes and 9 seconds

Both DCs can actually live with 2048 mb ram, so it can always be cut down, but keep in mind we are using Dynamic Memory allocation.

I will of course be setting up MDT and ConfigMgr at a later point, to streamline and gain a bit of speed.

 

Setting up the lab environment – Deduplication

The next step for the lab or so-called home data center: Installing and Configuring Deduplication

I was going to use a USB stick for the Windows Server 2016 OS.
The main reason for this: DEDUPLICATION.

I did start out with a USB stick, but due to performance issues this was changed – read the follow-up post (https://blog.thomasmarcussen.com/follow-up-on-the-home-datacenter-hardware/)

The reason for having the OS on a separate volume: Deduplication is not supported on system or boot volumes. Read more about Deduplication here: About Data Deduplication

Let’s get started

Installing and Configuring Deduplication

  1. Open an elevated PowerShell prompt
  2. Execute: Import-Module ServerManager
  3. Execute: Add-WindowsFeature -Name FS-Data-Deduplication
  4. Execute: Import-Module Deduplication

Installing Deduplication

Now we installed data Deduplication and it’s ready for configuration.

My Raid 0 volume is D:
The volume will primarily hold Virtual Machines (Hyper-V)
I’m going to execute the following command: Enable-DedupVolume D: -UsageType HyperV

Enable Deduplication for volume

You can read more about the different usage types here: Understanding Data Deduplication

Some quick info for the usage type Hyper-V:

  • Background optimization
  • Default optimization policy:
    • Minimum file age = 3 days
    • Optimize in-use files = Yes
    • Optimize partial files = Yes
  • “Under-the-hood” tweaks for Hyper-V interop

You can start the optimization job and limited (if needed) the amount of consumed memory for the process: Start-DedupJob -Volume “D:” -Type Optimization -Memory 50

 

 

 

You can get the deduplication status with the command: Get-DedupStatus

 

 

 

 

The currently saved space on my volume is 46.17 GB
That is for a 2 ISO files and a reference machine for Windows Server 2016 and the reference disks copied to separate folder.

More usefull powershell cmdlets here: Deduplication Cmdlets in Windows PowerShell

I do love deduplication especially for virtual machines, hence most of the basic data is the same.
The disks are also rather expensive so getting the most out of them is preferred.

 

Follow up on the home datacenter hardware

It’s time for a small update – the previous post is available here: https://blog.thomasmarcussen.com/new-lab-home-datacenter/

The datacenter has been running for about a week now – quite good…. but…..

I’ve been using the Samsung USB as OS drive – Samsung USB 3.0 Flash Drive FIT 32GB
It does have fast read, and a not that slow write, according to Samsung: Up to 130 MB/s

The week passed with setting up and installing VMs – using the actual VMs etc.
But when installing Windows Updates on the Hyper-V host, installing Features/Roles or anykind of configuration, it seems to slow down to useless/freeze.

Running a full Windows Update took about 2 days to reach fully patched level.
During that time it was useless as in no respondig.

I ran a WinSat drive test on the Samsung USB Flash Drive:

Random 16.0 Read: 8.87 MB/s
Random 16.0 Write: 5.45 MB/S

Random reads and writes seems pretty low.

The sequential seems a bit better:

Sequential 64.0 Read: 76.89 MB/s
Sequential 64.0 Write: 86.95 MB/s

The Commands used with winsat:
Winsat disk -drive C: -ran -write (Random 16.0 Write)
Winsat disk -drive C: -ran -read (Random 16.0 Read)
Winsat disk -drive C: -seq -write (Sequential 64.0 Read)
Winsat disk -drive C: -seq -read (Sequential 64.0 Write)

So I decided to replace to Samsung USB 3.0 Flash Drive FIT as a OS Drive.

The new hardware choosen ended up being:

1 x StarTech.com USB 3.0 to M.2 SATA External SSD Enclosure with UASP
1 x Samsung 850 EVO M.2 2280 SSD – 250GB

SM2NGFFMBU33 - StarTech.com USB 3.0 to M.2 SATA External SSD Enclosure with UASPMZ-N5E250BW - Samsung 850 EVO M.2 2280 SSD - 250GB
NOTE: the StarTech.com enclosure does not support NVMe, so did choose a m.2 SSD.

I know that StarTech also have USB 3.1, but i really do want to keep the USB 3.1 port free for an additional RAID enclosure when/if needed. Properly a StarTech enscloure but not sure yet.. (USB 3.1 (10Gbps) External Enclosure for Dual 2.5″ SATA Drives) still looking for a nice USB 3.1 enclosure that supports m.2 NVMe…

Samsung states the specs for the new disk as:

  • Up to 500MB/s Sequential Write
  • Up to 540/s Sequential Read

The actual performance test on the Samsung 850 EVO M.2 2280 SSD:

Random 16.0 Read: 276.51 MB/s
Random 16.0 Write: 271.37 MB/S

Sequential 64.0 Read: 388.85 MB/s
Sequential 64.0 Write: 383.71 MB/s

So in any case it’s quite a performance boost for the OS disk.

 

Disable SMB1 on Windows

Disable SMB1 on Windows

To defend yourself against WannaCrypt and other ransomware it is imperative that you disable SMB1 as well as install the patches released by Microsoft.

Open Control Panel > Programs & Features > Turn Windows features on or off.

In the list of options, one option would be SMB 1.0/CIFS File Sharing Support. Uncheck the checkbox associated with it and press OK.

You can also use powershell

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 –Force

On Windows servers you can use the Powershell command: Remove-WindowsFeature FS-SMB1

Windows 10 hangs after patches May/17 (Windows Defender & Trend Micro)

There seems to be an issue with Trend Micro and Windows Defender after Windows/ Defender patches has been applied.

The quick workaround is to deploy are registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
The dword value should be 1: DisableAntiSpyware


In case it does not exist, go ahead and create it.
Restart and you should see things start working again.

If you have the issue, you should be able to deploy it using Group Policy Preferences.

NOTE: You can also enter safe mode and create the needed key.

Reference links:

https://technet.microsoft.com/en-us/library/cc749126(v=ws.10).aspx

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus

https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode

 

Unable to create REFS file system on storage space with 3 drives

So it was time for a reinstallation, time to cleanup and maybe rethink a few things.          I installed Windows 10 1607 Enterprise x64.

I had my old storage space running, but wanted to add an additional disk.

I had to move some disks around, hence the disks was required to have the same block-size. When running the storage space wizard, I marked the disks to add and create the new pool from 

I wanted to go for ReFS this time (some comparison here: http://thesolving.com/storage/refs-vs-ntfs-comparison/)

 

When trying to format the storage spage, it would switch to deleting storage space and show the following error: The parameter is incorrect: (0x00000057)


 

I recall having seen a similar error in Windows 8, the solution was then to create a registry key, to allow for formatning over non mirrored volumes, specifically for ReFS.

Funny think, it was still needed.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT]
“AllowRefsFormatOverNonmirrorVolume”=dword:00000001

Download RegFile


 

Add the key, reboot and retry.

 

Activation tool to use Windows OEM Key from BIOS

A simple tool to extract and use the Windows activation key from BIOS.
The tool will extract the key Windows Management Instrumentation Command-line.
The key extracted will be install and activated using Windows Software Licensing Management Tool.

Tool is command-line based.

Can be used with your favorite client management tool

https://gallery.technet.microsoft.com/Activate-using-Windows-OEM-db93ca97

Unified Extensible Firmware Interface (UEFI)

Unified Extensible Firmware Interface

For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.

Introduction to UEFI

BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:

  • 16-bit code
  • 1 MB address space
  • Poor performance on ROM initialization
  • MBR maximum bootable disk size of 2.2 TB

As the replacement to BIOS, UEFI has many features that Windows can and will use.

With UEFI, you can benefit from:

  • Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
  • Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
  • Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
  • Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
  • CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
  • CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
  • Flexible pre-operating system environment. UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
  • Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.

Versions

UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

Hardware support for UEFI

In regard to UEFI, hardware is divided into four device classes:

  • Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
  • Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
  • Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
  • Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.

Windows support for UEFI

Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.

With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.

How UEFI is changing operating system deployment

There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:

  • Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
  • When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
  • When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
  • UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).

SUSDB Maintenance

So, you might be stuck with SUSDB maintenace issues – properly the maintence jobs won’t finish without getting timeouts? Something like this maybe?

Msg 1205, Level 13, State 54, Procedure spUpdateChangeTrackingNumber, Line 11

Transaction (Process ID 110) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
here is a script that will help you – you might have to run it multiple times

  1. Execute the next Query over then SUSDB database: exec spGetObsoleteUpdatesToCleanup
  2. Write down the number of Rows given by the output. 
  3. You can find the SQL script that executes the same StoredProcedures as the WSUS GUI, but directly over the database. We just need to change the parameter in SELECT TOP (XXXX) for the number of rows detected on the previous step, or higher.  Script download (the script can also be found at http://www.thomasmarcussen.com in the archive folder SUSDBClean.zip)      (Note: The process should be quite faster than the regular CleanUp on the GUI, but is possible that it can enter a DeadLock condition due to other operation from the WSUS Server. In this case, just re-run the Script)
  4. Once the Script finished successfully, try again the CleanUp from the WSUS GUI. Now it should finish very fast.
  5. For last, in order to keep the SUSDB healthy it is recommended to run the Maintenance script again in order to leave the database reindexed.

Should you install Office 2016 32-bit or 64-bit?

There seems to be some doubt about Office 2016 when to install 64-bit version of office vs 32-bit

Limitations of the 64-bit version of Office

The 64-bit version of Office may perform better in some cases, but there are limitations:

  • Solutions using ActiveX controls library, ComCtl controls won’t work.
  • Third-party ActiveX controls and add-ins won’t work.
  • Visual Basic for Applications (VBA) that contain Declare statements won’t work in the 64-bit version of Office without being updated.
  • Compiled Access databases, like .MDE and .ACCDE files, won’t work unless they’re specifically written for the 64-bit version of Office.
  • In SharePoint, the list view won’t be available.

If you have specific add-ins that you use in the 32-bit version of Office, they may not work in 64-bit Office, and vice versa. If you’re concerned, check your current version of Office before installing the new one. Considering testing the add-in with 64-bit Office, or finding out if a 64-bit version of the add-in is available from the developer.

The 64-bit version of Office has some limitations, but is the right choice when:

  • You work with extremely large data sets, like enterprise-scale Excel workbooks with complex calculations, many PivotTables, connections to external databases, PowerPivot, PowerMap, or PowerView. The 64-bit version of Office may perform better for you.
  • You work with extremely large pictures, videos, or animations in PowerPoint. The 64-bit version of Office may be better suited to handle these complex slide decks.
  • You work with extremely large Word documents. The 64-bit version of Office may be better suited to handle Word documents with large tables, graphics, or other objects.
  • You’re working with files over 2GB in Project, especially if the project has many subprojects.
  • You want to keep the 64-bit version of Office that you’re already using. The 32-bit and 64-bit versions of Office programs aren’t compatible, so you can’t install both on the same computer.
  • You’re developing in-house Office solutions, like add-ins or document-level customizations.
  • Your organization requires Hardware Data Execution Prevention (DEP) be enforced for Office applications. DEP is a set of hardware and software technologies that some organizations use to enhance security.