
Converting Fixed Size VHDs to Dynamic Sized VHDs

I was called in to help a company recently with a small Hyper-V environment.  They created a 2TB VHD file (they had good reasons for not using .vhdx files, but the steps in this article will work for both versions). 

They realized that they had unnecessarily created the drive as a 2TB Fixed Size disk rather than a Dynamically Expanding disk.  While there are no real performance differences between the two in Server 2012 R2, when it comes to portability, the dynamically expanding drives have a huge advantage.  When they realized that they were planning for a SAN upgrade, the IT Administrator decided to take the preemptive step of converting the disk.

It’s actually pretty easy… In the Hyper-V menu you click on Edit Disk…, and when the Edit Virtual Hard Disk Wizard comes up you go through the steps of selecting the appropriate file, and on the Choose Action screen select the radio button Convert.  On the next screen you specify the destination file, which eventually is where the problem is going to lie.  But for now you enter the filename, click Next, then click Finish to begin the process.

For those of you who are PowerShell fans, you can accomplish the same task by running the following cmdlet:

Convert-VHD -Path D:\Hyper-V\HardDisk.vhdx -DestinationPath D:\Hyper-V\NewHardDisk.vhdx -VHDType Dynamic

Great.  Now you go into the settings of your virtual machine, point it to the new file, and boot it up.

Microsoft Emulated IDE Controller (Instance ID
{83F8638B-8DCA-4152-9EDA-2CA8B33039B4}): Failed to Power on with Error ‘General access denied error’
IDE/ATAPI Account does not have sufficient privilege to open attachment
‘D:\Hyper-V\NewHardDisk.vhd. Error: ‘General access denied error’
Account does not have sufficient privilege to open attachment
‘D:\Hyper-V\NewHardDisk.vhd. Error: ‘General access denied error’

Uh-oh.  That doesn’t look good.  I click on the option to see the details, and it expands to the following:

‘VMName’ failed to start. (Virtual machine ID
1DC704C1-6075-4F6C-B364-AFE4947304F3)
‘VMName’ Microsoft Emulated IDE Controller (Instance ID
{83F8638B-8DCA-4152-9EDA-2CA8B33039B4}): Failed to Power on with Error ‘General access denied error’ (0x80070005). (Virtual machine ID
1DC704C1-6075-4F6C-B364-AFE4947304F3)
‘VMName’: IDE/ATAPI Account does not have sufficient privilege to open attachment D:\Hyper-V\NewHardDisk.vhd. Error: ‘General access denied error’ (0x80070005). (Virtual Machine ID 1DC704C1-6075-4F6C-B364-AFE4947304F3)
‘VMName’: Account does not have sufficient privilege to open attachment
D:\Hyper-V\NewHardDisk.vhd. Error: ‘General access denied error’ (0x80070005). (Virtual Machine ID 1DC704C1-6075-4F6C-B364-AFE4947304F3)

Alright, it looks like I have a file permission error.  When I look at the Security tab on the Properties window of the source VHD file I see the following:

[screenshot: Security tab of the source VHD file’s Properties window]

Great… all I have to do is add that user (group?) to the permissions of the new VHD file, and I’ll be set.  The problem is… how the heck do I do that?  I certainly can’t do it from the GUI… No problem.

  1. Open a Command Prompt with Administrator credentials.
  2. Type the following command: icacls "D:\Hyper-V\NewHardDisk.vhd" /grant "NT Virtual Machine\1DC704C1-6075-4F6C-B364-AFE4947304F3":F
  3. The response should read:

processed file: D:\Hyper-V\NewHardDisk.vhd
Successfully processed 1 files; Failed processing 0 files

If this is what you got, then you are ready.  You should now be able to start up your virtual machine without error.
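The same fix, scripted end to end, as an added example that is not from the original post: it converts the disk, looks up the VM’s ID with Get-VM instead of copying it out of the error dialog, grants the VM’s virtual account access exactly as the icacls line above does, verifies the ACE landed, and only then re-points the VM at the new file. The VM name, paths and the IDE controller slot are placeholders; the VM must be turned off while the disk is swapped.

```powershell
# Added example (not the original post's code). Assumes the Hyper-V PowerShell
# module; VM name, paths and controller slot below are placeholders to adjust.
param(
    [string]$VMName          = 'VMName',                      # placeholder
    [string]$SourcePath      = 'D:\Hyper-V\HardDisk.vhd',     # placeholder
    [string]$DestinationPath = 'D:\Hyper-V\NewHardDisk.vhd'   # placeholder
)

# 1. Convert fixed -> dynamic. Convert-VHD always writes a new file; the source is left intact,
#    so nothing is lost if a later step fails.
Convert-VHD -Path $SourcePath -DestinationPath $DestinationPath -VHDType Dynamic

# 2. Hyper-V runs each VM's worker process under a virtual account named
#    "NT Virtual Machine\<VM ID>". That account, not your admin account, must be able to open
#    the VHD, which is why the GUI edit above produced "General access denied".
$vm        = Get-VM -Name $VMName
$vmAccount = "NT Virtual Machine\$($vm.Id)"

# 3. Grant the account access. :F (full control) matches the icacls line in the post.
icacls $DestinationPath /grant "${vmAccount}:F"

# 4. Verify the ACE is actually on the file before touching the VM configuration
#    (-eq on strings is case-insensitive in PowerShell, so GUID casing does not matter).
$ace = (Get-Acl -Path $DestinationPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $vmAccount }
if (-not $ace) { throw "No ACE for $vmAccount found on $DestinationPath" }

# 5. Point the VM at the new file (first IDE slot here; adjust for your VM) and start it.
Set-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber 0 `
    -ControllerLocation 0 -Path $DestinationPath
Start-VM -Name $VMName
```

Reading the ID from Get-VM rather than from the error text avoids granting access to the wrong VM’s account when you have scores of machines on the host, and the Get-Acl check means a typo in the account name fails the script instead of failing the VM at power-on.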

Good luck… now go forth and virtualize!

End Of Days 2003: The End is Nigh!

In a couple of days we will be saying goodbye to 2014 and ringing in the New Year 2015.  Simple math should show you that if you are still running Windows Server 2003, it is long since time to upgrade.  However here’s more:

When I was a Microsoft MVP, and then when I was a Virtual Technical Evangelist with Microsoft Canada, you might remember my tweeting the countdown to #EndOfDaysXP.  While we had some pushback from people who were not going to migrate, I think we were all thrilled by the positive response and the overwhelming success we had in getting people migrated onto either Windows 8, or at least Windows 7.  We did this not only by tweeting, but also with blog articles and in-person events (including a number of national tours) helping people understand a) the benefits of the modern operating system, and b) how to plan for and implement a deployment solution that would facilitate the transition.  All of us who were on the team during those days – Pierre, Anthony, Damir, Ruth, and I – were thrilled by your response.

Shortly after I left Microsoft Canada, I started hearing from people that I should begin a countdown to #EndOfDaysW2K3.  Of course, Windows Server 2003 was over a decade old, and while it would outlast Windows XP, support for that hugely popular platform would end on July 14th, 2015 (I have long wondered if it was a coincidence that it would end on Bastille Day).  Depending on when you read this article it might be different, but as of right now the countdown is around 197 days.  You can keep track yourself by checking out the website here

It should be said that with Windows 7 there was an #EndOfDaysXP Countdown Gadget for the desktop, and when I migrated to Windows 8 I used a third party app that sat in my Start Menu.  One friend suggested I create a PowerShell script, but that was not necessary.  I don’t remember exactly which countdown timer I used, but it would work just as well for Windows Server 2003 – just enter the date you are counting down to, and it tells you every day how much time is left.

The point is, while I think that migrating off of Server 2003 is important, it was not at that point (nor is it now) an endeavour that I wanted to take on.  To put things in perspective, I was nearing the end of a 1,400 day countdown during which I tweeted almost every day.  I was no longer an Evangelist, and I was burnt out.

Despite what you may have heard, I am still happy to help the Evangelism Team at Microsoft Canada (although I think they go by a different name now).  So when I got an e-mail on the subject from Pierre Roman, I felt it important enough to share with you.  As such, here is the gist of that e-mail:

1) On July 14, 2015 support for Windows Server 2003 will come to an end.  It is vital that companies be aware of this, as there are serious dangers inherent in running unsupported platforms in the datacenter, especially in production.  As of that date there will be no more support and no more security updates.

2) The CanITPro team has written (or re-posted) several articles that will help you understand how to migrate off your legacy servers onto a modern Server OS platform, including:

3) The Microsoft Virtual Academy (www.microsoftvirtualacademy.com) also has great educational resources to help you modernize your infrastructure and prepare for Windows Server 2003 End of Support, including:

4) Independent researchers have come to the same conclusion (IDC Whitepaper: Why You Should Get Current).

5) Even though time is running out, the Evangelism team is there to help you. You can e-mail them at cdn-itpro-feedback@microsoft.com if you have any questions or concerns surrounding Windows Server 2003 End of Support.

Of course, these are all from them.  If you want my help, just reach out to me and if I can, I will be glad to help!  (Of course, as I am no longer with Microsoft or a Microsoft MVP, there might be a cost associated with engaging me.)

Good luck, and all the best in 2015!

Sharing Passwords

This is NOT an article about my mother.  She just happens to be the person at the other end of this conversation, but it could have been any house guest.

My mother has been staying with me for the past few days.  It is the first time she has stayed with me, and it has been a learning experience for both of us.

One of the things that she had to get used to was that my TV is not set up in any usable way for anyone but me.  I know, it’s a pain in the ass, but I live alone, and under normal circumstances the only person (other than me) who would ever use the TV is my son… and he is just as happy to let me log in for him.

I promise, someday I will get around to making the system more usable, but it’s just not a priority.

So this morning I had one foot out the door when my mother asked me ‘Oh… if I want to watch TV, how do I do it?’  The simple answer is… You don’t.  Okay, you have an iPad, you can watch Netflix.

‘But why can’t you just show me how to use your TV?’

Well there are a couple of reasons for that, but the one I opted to go with was that I would have had to give her my password, which was my primary password for everything on my network.  I could have gone with ‘I don’t have the time,’ or ‘I’m sorry, but the media device is very finicky and you would be calling me all day to ask questions,’ or ‘I don’t want you surfing my porn collection.’  No, I went with the password.

‘Oh, really… like I would use your password for anything other than watching TV.  Really, I don’t even know how to use your computer!’

There are a lot of arguments that people could make in favour of sharing passwords… and they are all wrong.  There is in my mind no legitimate reason why two people should share their passwords with each other… not when information security is an issue.

What do I mean by ‘Information security?’ Let’s look into this.  If I were to give someone my password, what could they possibly do on my computer?

1. My banking credentials and information may be cached.

2. I have letters and documents that are extremely confidential.  Some are personal, some are business, none are anyone’s business other than the people I share them with.

3. On my desktop there is a link that connects my personal PC to my corporate VPN.  While I do not have my credentials cached, the extra layer of security provides Defense-in-Depth, which is eliminated by sharing my password.

4. My e-mail… In other words, anyone with my password could very easily send an e-mail in my name… to anyone.

5. My blogs are set up so that anyone authenticating to my PC can post to any of them… and that is not acceptable.

6. Oh come on… do I really need to go further?

So if I trust someone 100% should I be willing to trust them with my password?  Well, I don’t trust anyone 100%, but that is not the question.  In this case, even if I trust her 100%, we have to assume that my boss (who has never met her) doesn’t… and since some of the information that my password is protecting is my company’s, the answer is no, I should not trust them with my password.

Do I believe my mother would use my password for any reason other than watching TV?  Frankly I do not.  Do I think she is capable of getting into anything that she shouldn’t? Well, she does know how to use e-mail, so that is a possibility, but I do not think that she would.

The problem is not what I think she would do.  The problem is this: What happens if I get back to my computer tonight, and something is amiss?  What happens if something is missing, or changed, or whatever?  Well, the reality is that chances are it is from something that I did, but my first reaction would not be that.  So why take the chance?  Why risk losing the ability to trust my mother because of something that may or may not have been her fault?  Simple… don’t put yourself into that position.

I connected my mother’s iPad to my wireless network, and she should be able to do anything she needs on that device… if she had the wherewithal to hack into my systems via wifi then I would be a sitting duck, but she doesn’t… in fact not only does she not have the ability, she also does not have the desire or malicious intent.

On the first page of the book The Sum of All Fears there is a quote that I have always liked.  I thought it was a Winston Churchill quote, but as I looked it up on the Internet it looks like it is attributed to Benjamin Franklin.  It is:

Three can keep a secret, if two of them are dead

Is that true?  Maybe yes and maybe no, but the only true way you can know for certain that nobody will share your secrets is by not sharing them with anyone else.  Passwords are the same way.

I have been asked before if I have a password store in case I get hit by a truck.  The answer is that I do not.  Why not?  There is nothing that I need people to access if I am dead.  They can reformat my computer and all of my hard drives and use them to their hearts’ content… but the information is mine.  I don’t need anyone logging into my Facebook or LinkedIn after I am gone, and with regard to my banking, well the executor of my estate will have the legal means to deal with the banks.  Some information can die with me, and I am quite at peace with that knowledge.  My blogs?  Once I am dead the last post will have been posted, and they will remain there until WordPress decides to take them down.  E-mail?  Nobody needs to be notified of my death who cannot be notified by other means.

Passwords are private, and should remain so.  The integrity of your data and systems and reputation relies on that.  Sharing them with anyone is a bad idea, and if you disagree?  Well don’t tell me I didn’t warn you!

A VMware Gripe

[screenshot: vCenter error dialog refusing to delete the ISO file]

Okay, I can’t delete a file.  Any Level 1 systems administrator would look at this message and say: ‘Okay, VMware is not allowing me to delete an ISO file.  Very likely the ISO file is connected to a virtual machine.’

Ummm… but WHICH virtual machine is it?  Gee thanks, vCenter, I have scores of VMs… would it have been that tough to put into the DETAILS section (see the empty space next to the STATUS section) exactly which virtual machine or virtual machines this ISO is connected to?  Would that really have been a difficult thing to program into your system?

I didn’t think so.

Fortunately, I have RVTools, which lets me know what’s what… it made my life slightly easier this week as I prepare to redeploy my SAN.

2014: No growth, but no shrinkage.

I want to thank you all, the great readers of The World According to Mitch.

2013 was a year of huge growth for my blog.  I spent the first few months with Microsoft, and so I was cross-posting all of my blogs from there to here (and vice-versa).  The last four months of the year were spent in Japan and Australia, with a lot of travel-related blogging that grabbed your attention.  Because of that, my readership ballooned to just over 181,000 views.

2014 was my annus horribilis.  It was simply a terrible year from the very outset.  Marital separation, unemployment, and depression are the three major themes from the first nine months of the year, and it is reflected in my blogging – my contributions to the site dropped to near zero for a few months.

Fortunately I am back on track; my marriage is not salvageable, but I am no longer unemployed and am much less depressed – or at least my depression is under control and I am managing it.  I have resumed my blogging with a passion, and am even ready to launch my new blog in early 2015.

I want to thank my readers for sticking with me.  As of today, December 24th, the stats are on track to just barely surpass those of 2013… although statistically I would consider it a tie with last year, and knowing what I went through I am more than happy to take it and run.

Thanks to you, I was once again listed on the 50 Must-Read IT Blogs as compiled by BitTech Magazine (see article).  I did my best to play catch-up, and hope that if this year’s appearance on the list was charitable, next year I will once again fully deserve your votes.

In the next few weeks I will have some big changes to announce, and I am looking forward to them.  I will be enjoying new challenges, and will be talking about a lot of technologies that I have not spent a lot of time on this year.  In the meantime I want to close the year by thanking you all, and sharing with you all, on Christmas Eve, a throwback to last year, my poem, A Modern Christmas Carol by Mitch.  Re-reading it reminded me of how much fun I had composing it, and how much I enjoyed my time in Japan.

Merry Christmas to all of you.

Mitch

Offline File Cache Nightmares Resolved

Offline Files are a wonderful thing.  The fact that my users can synchronize the files from a central server (where they are backed up) to their laptop is great.  But what happens when things get out of hand?  In theory, users can save a lot more onto a file server than they can onto their local machine.  In practice, when a folder is set to synchronize in full to the local hard drive, it can cause headaches… like waking up one day and realizing that they have 0 KB free on their C drive.

Okay, you go to the server and move the offending files to another location.  You log into the affected computer… and nothing doing, still zeroed out. 

The problem is that there is a folder called the Client Side Cache (or Offline Files Cache).  It is stored under the SystemRoot – i.e., it is (by default) c:\Windows\CSC.  Now, this folder can be moved, but it is not a simple process, and I will cover it in a later article.  The issue is that the CSC directory sits on the C Drive, and is completely secured against reasonable attempts to modify it manually… which is good, because trying to do so will cause some pretty serious issues.

So we have fixed the problem on the back-end, and now we have to fix it on the front-end, which means cleaning out the Client-Side Cache.  We can’t simply do this manually; we have to actually clean out the CSC database.  Here is how:

VERY IMPORTANT NOTE:

The Windows Registry is not meant to be touched by anyone who does not have a very thorough understanding of how it works, and can cause serious and irrecoverable damage to your Windows installation if handled improperly.  I strongly recommend that you do not do this if you are not extremely comfortable with it.

1. Open the Registry Editor (regedit.exe)

2. Navigate to HKLM\System\CurrentControlSet\Services\Csc\Parameters

3. If there is no Parameters key under Csc then you have to create it.

4. Under Parameters create a new DWORD (32-bit) Value called FormatDatabase.

[screenshot: new DWORD value FormatDatabase under the Parameters key]

5. Set the value of FormatDatabase to 1.

[screenshot: FormatDatabase with its value data set to 1]

6. Close the registry editor and reboot your computer.

Okay, that is the long way around, but it is also the ‘fewer chances for error’ way.  If you are not afraid of typos, you can do the following:

1. Open a command prompt with elevated privileges.

2. Type: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f

(Where /v is the value, /t is the data type, /d is the data, and /f is force overwrite.)

3. Close the command prompt and reboot your computer.

Once your computer reboots you should be alright.  You shouldn’t even have to empty your Recycle Bin; the disk space should just be there.
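Both procedures above make one registry change; the following is an added example, not the original post’s code, that makes the same change from an elevated PowerShell session, creating the Parameters key if it is missing, writing FormatDatabase as a DWORD, and reading it back so you can see what was actually written before you reboot. It also records free space on the system drive first, so the before/after difference is visible once the cache has been rebuilt.

```powershell
# Added example (not the original post's code). Requires an elevated session (HKLM write).
$cscKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Csc\Parameters'

function Get-SystemDriveFreeGB {
    # Free space on the drive that holds %SystemRoot%\CSC, rounded to 2 decimals.
    $drive = (Get-Item $env:SystemRoot).PSDrive.Name
    [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 2)
}

function Request-CscDatabaseFormat {
    # Step 3: the Parameters key does not exist by default, so create it when absent.
    if (-not (Test-Path $cscKey)) {
        New-Item -Path $cscKey -Force | Out-Null
    }
    # Steps 4-5: FormatDatabase = 1 (REG_DWORD) tells the CSC driver to rebuild its
    # database at the next boot. -Force overwrites an existing value, like reg add /f.
    New-ItemProperty -Path $cscKey -Name 'FormatDatabase' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    # Read back what is in the registry rather than trusting the write succeeded.
    (Get-ItemProperty -Path $cscKey -Name 'FormatDatabase').FormatDatabase
}

"Free space on the system drive before reboot: $(Get-SystemDriveFreeGB) GB"
if ((Request-CscDatabaseFormat) -eq 1) {
    "FormatDatabase is set. Reboot (Restart-Computer) to rebuild the Offline Files cache."
} else {
    throw "FormatDatabase was not written; check that the session is elevated."
}
```

Run Get-SystemDriveFreeGB again after the reboot to confirm the space came back; if it did not, the cache was not the consumer and the problem lies elsewhere on the C drive.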

Good luck, and remember to back it up before you hork it up!

Folder Redirection: Where’d these warnings come from?

Congratulations.  You have decided to implement a Folder Redirection policy on your domain.  There are real advantages to this, not the least of which is that all of your users’ profile folders will get backed up centrally… and that when they change computers their files and settings are just there.

You have created a Group Policy Object (GPO) in Active Directory that you have called Folder Redirection, and you have applied it to the Organizational Unit (OU) that your user account is in, and as is so often the case with Desktop Administrators, you have made yourself the guinea pig.  From Windows you run the command gpupdate /force, and are informed that in order for the Folder Redirection policy to be applied, you will have to log off and then log on again.  You do.

It must have worked!  Why do I say that?  Because unlike most of the time, when logging on takes a few seconds, it took a full ten minutes this time.  As a seasoned Desktop Admin you understand that this is because all of the folders that you set to redirect – Documents, Pictures, Videos, Favorites, Downloads – are being copied to the server before you are actually allowed onto your desktop.  However, a few minutes later, once you are logged on, you open Windows Explorer, and in the navigation pane you right-click on Documents, and see that the My Documents folder is no longer at c:\Users\Mitch, but at \\Sharename\Mitch.

Unfortunately, you are now saying to yourself, ‘Mitch, you missed one thing!’  Because when you clicked on Windows Explorer in the task bar, you got a warning message that looked like this:

[screenshot: Windows security warning shown when opening the redirected folder]

As a seasoned IT Pro you know that security warnings are a way of life, and it wouldn’t bother you if you had to accept this every time… but you know your end users are going to go ape, so you need a solution.  No problem.

I should mention that while these steps will work for all versions of Windows since Windows Vista, the way you access the screens may be a little different.

1) Open Control Panel. Don’t be alarmed, you are going to get the same security warning when opening the CP.

2) In the Search window type Internet Options.  When it comes up, click on it.

3) In the Internet Properties window select the Security tab.

4) On the Security tab click on Local Intranet.  Then click on Sites.  Note that the Sites button will be greyed out until you select Local Intranet.

5) In the Local Intranet window click the Advanced button.

6) In the Local Intranet (Advanced) window type the location of your folder redirection share into the box marked Add this website to the zone.  Uncheck the box marked Require server verification (https://) for all sites in this zone.  Click Add.  Then click Close.

7) Close the Internet Properties window.

Now try opening Windows Explorer again.  It should open without the security warning.
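For one machine, the Internet Options steps above write a single entry to the current user’s zone map, and the following added example (not the original post’s code) makes that entry directly and reads it back. It assumes the per-host layout Windows uses under ZoneMap\Domains, where the value name is the URL scheme (file for UNC access) and the data is the zone number; the share name is a placeholder. Only the file server in the share path is mapped, so the relaxation is scoped to that one host rather than to every intranet site.

```powershell
# Added example (not the original post's code). Current-user scope only; no elevation needed.
$ZoneLocalIntranet = 1   # 0=My Computer, 1=Local intranet, 2=Trusted sites, 3=Internet, 4=Restricted
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-UncHostToLocalIntranet {
    param([Parameter(Mandatory)][string]$ServerName)   # e.g. 'fileserver' from \\fileserver\share
    # One subkey per host; the 'file' DWORD covers UNC / file: access to that host.
    $hostKey = Join-Path $domainsKey $ServerName
    if (-not (Test-Path $hostKey)) { New-Item -Path $hostKey -Force | Out-Null }
    New-ItemProperty -Path $hostKey -Name 'file' -PropertyType DWord `
        -Value $ZoneLocalIntranet -Force | Out-Null
}

function Get-UncHostZone {
    # Returns the zone number mapped for file: access to the host, or $null if unmapped.
    param([Parameter(Mandatory)][string]$ServerName)
    $hostKey = Join-Path $domainsKey $ServerName
    if (Test-Path $hostKey) { (Get-ItemProperty -Path $hostKey).file } else { $null }
}

# Usage: pull the server name out of the redirection share and map just that host.
$share  = '\\fileserver\RedirectedFolders'   # placeholder for your share
$server = ($share -replace '^\\\\', '') -split '\\' | Select-Object -First 1
Add-UncHostToLocalIntranet -ServerName $server
"Zone for file access to \\$server is now: $(Get-UncHostZone -ServerName $server)"
```

Get-UncHostZone is also a quick way to check, on a machine where the warning still appears, whether the mapping exists for the user at all, or whether it was written for a different host name than the one in the redirection path (short name versus FQDN, for example).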

If You’re Gonna Do IT Then Do IT Right…

Okay, so you know how to configure this setting for your individual desktop… but you don’t really want to have to go to every desktop/laptop/tablet in the organization and do this, do you?  Of course not, that is what Group Policy is for!

We are going to make one change to your Folder Redirection policy.

1) Open Group Policy Management Console.

2) Right-click on your Folder Redirection policy and click Edit…

3) Navigate to: User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.

4) Right-click on Site to Zone Assignment List.

5) Enable the policy.

6) In the Options box click on Show…

7) In the Value name cell enter the UNC path of your file share.

8) In the Value cell next to the UNC path you just entered, enter the value 1 (where 1 = Intranet/Local Zone, 2 = Trusted Sites, 3 = Internet/Public Zone, and 4 = Restricted Sites).  Click OK, then click OK in the Site to Zone Assignment List dialogue box.

9) Close Group Policy Management Editor.

That should be it… remember you will have to re-run your gpupdate /force on your machine, but even if you don’t it will apply in the next few logoffs, right?
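The same policy edit can be made from the GroupPolicy module rather than the GPMC GUI, and the added example below (not the original post’s code) does that for the Folder Redirection GPO named in the post. It assumes the RSAT GroupPolicy module is installed, that the Site to Zone Assignment List policy is stored as the ADMX defines it (ListBox_Support_ZoneMapKey = 1 to enable the policy, plus one REG_SZ per site under ZoneMapKey whose name is the site and whose data is the zone number), and uses a placeholder share. It reads the mapping back from the GPO afterwards so you can confirm the entry before clients pick it up.

```powershell
# Added example (not the original post's code). Run on a machine with RSAT GroupPolicy,
# as an account that can edit the GPO.
Import-Module GroupPolicy

$gpoName           = 'Folder Redirection'             # GPO name from the post
$share             = '\\fileserver\RedirectedFolders' # placeholder for your share
$ZoneLocalIntranet = '1'   # 1=Intranet/Local, 2=Trusted Sites, 3=Internet/Public, 4=Restricted

# Registry locations written by the "Site to Zone Assignment List" policy (assumed ADMX layout).
$ieSettingsKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapKey    = "$ieSettingsKey\ZoneMapKey"

function Set-FolderRedirectionZoneMapping {
    # Step 5 (Enable the policy): the enabling flag is a DWORD of 1.
    Set-GPRegistryValue -Name $gpoName -Key $ieSettingsKey `
        -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
    # Steps 7-8 (one row in the list): value name = the UNC path, data = the zone number.
    Set-GPRegistryValue -Name $gpoName -Key $zoneMapKey `
        -ValueName $share -Type String -Value $ZoneLocalIntranet | Out-Null
}

function Get-FolderRedirectionZoneMapping {
    # Read back the zone the GPO now assigns to the share (null if no row exists).
    $setting = Get-GPRegistryValue -Name $gpoName -Key $zoneMapKey -ValueName $share -ErrorAction SilentlyContinue
    if ($setting) { $setting.Value } else { $null }
}

Set-FolderRedirectionZoneMapping
"GPO '$gpoName' assigns $share to zone $(Get-FolderRedirectionZoneMapping)"
# On a client: gpupdate /force, log off and on, then check
# Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
```

Keeping the row to the exact share path, rather than a wildcard covering the whole domain, limits the Local Intranet treatment to the server that actually hosts the redirected folders, which is the least that needs to be trusted to make the warning go away.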

Thanks to Joseph Moody for the list of settings for the Zone Value list!
