Home lab upgrade log April 11, 2019

Last year, I bought a few new used HP computers via eBay to build-out my VMware lab setup

-A EliteDesk 800 G3 SFF – which has a Intel core i5 6500 CPU, non-hyper threaded!
-A HP Prodesk 400 G3 mini – which has a Intel core i5 6500T CPU, non-hyper threaded! This is the 2nd of these models I’ve bought

I had chosen the HP EliteDesk 800 G3 as it featured the right combination of PCIe, drive slots to support use as a replacement for my existing full-size ATX file server.

The unit itself came with no RAM/HDD, or add-in cards, which suited me fine, as it kept the price low on eBay

I added the following:
-Seagate 12 TB EXOS 3.5 7200 RPM HDD
-32 GB (2 x 16) DDR4 RAM
-Intel Server Adapter I350-T4 V2 Quad- Port gigabit card
-HP 1 TB NVM SSD

The HP ProDesk 400 G3 Mini got a Samsung 256 GB NVM SD and 32 GB RAM, for the OS, I installed ESXi 6.5, ESXi 6.7 is not possible with this particular model of HP , as it’s got the dreaded Realtek NIC, which has been blacklisted in recent ESXi 6.7 builds. I didn’t actually know this when I purchased the unit, so I will eventually be selling it, as i’m keen to level-set my vSphere setup on 6.7

With OS installs completed on the 2 new HP units, physical keyboard/mouse/video connections were removed.

Low-level remote mgmt (aka lights out/IPMI) on my remote lab has always been a challenge for me, as I never had “server grade” systems / motherboards. However, as luck would have it, the HP EliteDesk 800 G3 was vPro enabled, which means Intel AMT ! I’ve seen the vPro sticker on a 1000 Dell/Lenovo/HP desktops I’ve worked on over the years, but never considered it suitable for “lights out” mgmt, as everywhere i’ve worked has used another facility – or none at all – for lights-out mgmt of desktops.

Anyway, I enabled AMT on my HP EliteDesk 800 G3, and it’s been working great for remote mgmt I need to do that can’t be done over RDP, OS re-install, BIOS changes, force reboots, etc

I’m so happy with it, that i’ve already started building the replacement for my HP Prodesk 400 G3 mini around a vPro enabled motherboard!

This one, here: https://www.gigabyte.com/Motherboard/Q370M-D3H-GSM-PLUS-rev-10#kf

Which features a Q370 chipset. Q? Q? No, not that “Q”

Q series chipsets go into PC’s destined for use in business, so feature vPro / AMT for remote management

As such, they are much less common than the Z series: Z390 for instance, each of the “big 4” mobo makers (Asus, Asrock, Gigabye, MSI) have dozens of iterations for ITX/MATX/ATX

Where as, for the Q370 line, you’ve just got 3 models (1 each from Asus, Asrock, Gigabyte)
Asrock Q370M
Asus Prime Q370M
Gigabyte Q370M (which I bought)

Sourcing the Gigabyte Q370M here in Canada was a chore! I ended up buying it from a store/drop-shipper I’ve never used before called SoftwareCity. They’ve let me know the item is on back order, with 3-4 weeks typical processing time. Fingers crossed it arrives, as i’m keen to buy the other pieces, which are as follows

-Intel Core i7 8700 (6 core / 12 threads)
-32 GB DDR4 RAM (2x 16) – I will more than likely expand this to 64 at a late date
-Intel Server Adapter I350-T4 V2 Quad- Port gigabit card (on it’s way from Chinese eBay seller)
-Jonsbo UMX3 case
-TBD Modular ATX PSU
-TBD CPU cooler
-TBD 1TB NVM
-TBD 10 GBe NIC (either SFP or RJ45 based)

New year’s resolutions don’t work

As per the title of this post, I don’t believe in new year’s resolutions. Any date you can put a “magic” start time on, is a date you can prepare a dozen excuses not to make once the date comes up.

That’s why I like to make changes all year around: this week, it was cycling out old hardware. 

This picture represents the past and the present, not the future!

The items in green are older Intel NUC units that I retired over the Christmas break. One is a 2nd gen Core i3 NUC, the other is an original 1st gen Intel nuc ATOM! Both saw active duty on my home network, but were tool old to keep paying the power bill for

The items in blue are units i’ll keep for the moment. All of the items in green/blue are sat upon two larger Antec cases. These large Antec cases are the core lab servers:

The first is a Win 2016 / Hyper-V host is a 3rd gen Core i5-based system with 24 GB RAM The 2nd is an ESXi 6.5 host with is a 2nd gen Core i5-based system 24 GB RAM (ancient!)

Both will be retired in Q1 of 2019. both are still running fine, but i’m keen to reduce the number of larger tower units i’ve got running at home, so am in the process of switching over to smaller / faster units.

Owen


How I automate windows updates/reboots on my home lab



As my home lab has grown, so has the amount of time that I spend manually patching/rebooting each server, no fun!

So last weekend, I came up with a means to automate the process with active directory groups, group policy and powershell. 

The goals

  1. Automate patching / rebooting of all vmware/hyper-v guest operating systems in my home lab
  2. As I’ve got about 20 VM’s across 4 physical hypervisors, separating the guests into two reboot windows was ideal
  3. Dynamically update the reboot windows as I add/remove servers
Implementation
  1. Created AD group called “Sat AM patching servers”
  2. Created AD group called “Sun AM patching servers”
  3. Created GPO called “Sat AM Patching” at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates – Sat @ 5 am

  4. Within the “DELEGATION” tab, I set “Sat AM patching servers” to have read/apply group policy rights on the GPO
  5. To stop the “Sat AM patching” GPO from applying to servers in the Sun group, I then set the “Sun AM patching” servers group to DENY for read and “apply this GPO”
  6. Created GPO called “Sun AM patching” at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates – Sun @ 5 am

  7. Within the “DELEGATION” tab, and set “Sun AM patching servers” to have read/apply group policy rights on the GPO
  8. To stop the “Sun AM patching” GPO from applying to servers in the SAT group, I then set the “Sat AM patching” servers group to DENY for read and “apply this GPO”

    Note:
     Additional info on the above GPO settings is available here
  9. Steps 1-8 address goals 1 & 2 , which left goal 3 ; to automate the process by which servers would be added/removed from the SAT and SUN global groups ; powershell to the rescue! 
  10. Step 10 was the creation of a new Powershell script, full details are below:

For years, I’ve been naming any virtual servers created on my esxi/hyperv hosts to include either a “1” or “2” in their name. The servers are spread out across multiple OU’s. For instance, my Citrix OU has VDA1, VDA2, my SQL servers are in another OU, and called SQL1, SQL2, my AD controllers are in another OU, and called ADDC1, ADDC2, etc, you get the idea

The actual Powershell code to achieve this was less than 40 lines, here its:

### Filter out servers that we don’t want to regularly patch
$Servers = Get-ADComputer -Filter * | Sort DNSHostname `
| Where {$_.DNShostName -notlike “*GOL*”} `
| Where {$_.DNShostName -notlike “*ESX*”}

### Filter $Servers to include servers with the # 1 in their name
$Servers2AddtoGrp1 = $Servers | Where {$_ -like “*1*”}

### Filter $Servers to include servers with the # 2 in their name
$Servers2AddtoGrp2 = $Servers | Where {$_ -like “*2*”}

### Create object for patching group 1
$ADGrp1 = Get-ADGroup -Filter * | Where {$_.name -eq “SAT AM Patching”}

### Create object for patching group 2
$ADGrp2 = Get-ADGroup -Filter * | Where {$_.name -eq “SUN AM Patching”}

### Reset Patching Group 1 members
Get-ADGroupMember $ADGrp1 | ForEach {

    Remove-ADGroupMember $ADGrp1 -members $_ -Confirm:$False

}

### Reset Patching Group 2 members
Get-ADGroupMember $ADGrp2 | ForEach {

    Remove-ADGroupMember $ADGrp2 -members $_ -Confirm:$False

}

### Add all entries from $Servers2AddtoGrp1
Add-ADGroupMember $ADGrp1 -Members $Servers2AddtoGrp1

### Add all entries from $Servers2AddtoGrp2

Add-ADGroupMember $ADGrp2 -Members $Servers2AddtoGrp2

The script resides on GitHub, HERE
So, we have a script that reads ALL computer accounts in my home lab domain, filters out those with names I don’t want to patch (like esx*), resets their respective AD groups, then adds the servers
The above covers step 10

Step 11, was just to create a scheduled task on my ADDC1 and ADDC2 to run the Powershell script 1 hour before Sat/Sun patch window kicks in!

Hopefully you found the above useful, it wasn’t TOO much work. I was done in the time I took my to consume about 2 servings of Jameson Irish Whiskey/ Dr Pepper (2 hours?) Whiskey purists will scoff @ me, but I won’t see said scoffs, as this is the internet :p

Owen


Export-STFConfiguration / Import-STFConfiguration fails

On a few new Win 2012 / Win 2016 systems I’ve setup on my home lab over the past week , I’ve noted various error messages on attempting the following simple Powershell cmdlet based process which you would use to export the config of a working StoreFront server to a new StoreFront server.

Citrix details the process here

1 – Open an elevated Powershell session on your existing StoreFront server that’s fully setup
2 – Add-PSSnapin Citrix*
3 – . “C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1” (note the “.” at the beginning”

4 – Export-STFConfiguration -TargetFolder “c:\StoreFrontConfigs” -ZipFileName Source -NoEncryption

Output of the various config pieces being written to the screen will be shown. With the above commands completed, you would then logon to your second server to import the newly created config where you would run through the following:

1 – Copy over the .zip created in step 4 to a local folder on the new server
2 – Open an elevated powershell session
3 – Add-PSSnapin Citrix*
4 – . “C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1”
5 – Run Import-STFConfiguration -ConfigurationZip “Path to .zip”

That SHOULD be it, right? NOPE! On my test servers at home Win 2012 R2/ Storefront 3.9 and Win 2016 / StoreFront 3.14.0.27 running the import-STFConfiguration resulted in the following cryptic error:

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. The property ‘instance’ cannot be
found on this object. Verify that the property exists.
At line:1 char:1
+ Import-STFConfiguration -ConfigurationZip C:\StoreFrontConfigs\Source …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-STFConfiguration], Exception
    + FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException,Citrix.StoreFront.ImportConfiguration

Now, I can still setup the 2nd server by using the Studio method ; where I create a server group between the existing and new server, and sync the config. However, shouldn’t the Import-STFConfiguration cmdlet do the trick? Anyone else seen this and no of a fix? The Citrix forums have a few posts, but nothing definitive.

Owen

Current lab setup
















My current lab environment supports a few goals:

  • Stay sharp with Microsoft active directory and group policy
  • Keep up to date with windows server versions: 2003, 2008, 2012R2, 2016 > beyond
  • Keep up to date with the windows desktop OS family
  • Keep my hardware skills sharp by continuing to build my own desktops and servers
  • Keep up to date with Citrix XenApp/Desktop suite releases: in 2017 alone, I ran 7.11, 7.12, 7.13, and 7.15 LTSR – a lot!
  • Use Powershell for automating routine tasks
  • Enable quick recovery from hardware/software failure through OS virtualization 
  • Prep for certification 
All of the above has been achievable using two full size ATX based towers, and one SFF – a Gigabyte Brix
  1. ATX Tower 1 runs server 2016 and Hyper-V – VMs run SQL , file a backup AD controller
  2. ATX Tower 2 runs ESXi – Citrix StoreFront, Citrix desktop controller, session hosts and MCS
  3. The Gigabyte brix is used for appliance functions – vCenter and active directory primary
DRP is covered by a multi-port UPS and USB 3 10 TB HDD
Each year, (and not always @ x-mas) I have the exact same hardware purchase temptations: 
  • A synology NAS unit for backup
  • An off-lease Dell R series or HP/Cisco equivalent 
However, I always defer to the next year, when I’ve got a newer apartment w. more room 😉

The 3 unit setup covers my needs for 2017 so far, but i’ve become interested in VMWARE VCP-DCV certification recently, in doing so, I would more than likely go to a 4-host setup to enable VSAN. So, purchasing a 4th ATX or MATX based tower will more than likely occur sometime i the next 4-6 months. I’m looking at an Intel Coffee lake based rig, as they traditionally feature better ESXi support.  

Chrome with folder redirection works with only one session

In my previous job, my exposure to Citrix imaging solutions was limited to PVS. So, over the past few days, I’ve been going through the process of setting up MCS in my home lab. 

To be honest, it’s a pretty great out-of-the-box experience. PVS is a lot of work to setup / maintain, man! 🙂

Anyway, I was able to create a nice simple master image for my MCS machine catalog, and tested out basic functionality today, however, I ran into a Google Chrome + Citrix gotcha!

I was logged into a long-build (non-MCS) server VDA session on my home lab hardware, then opened a new MCS VDA server session, all apps opened fine on the 2nd session, but chrome!

I had enabled Chrome folder redirection to cut down on Citrix UPM/roaming profile size, however, when you enable Chrome %AppData% redirection, you can only have one session per user opened at a time!

For reference, the *gotcha* is listed on the Google Chrome product forums, here:


The fix was simple, exit Chrome on session 1, I was then able to open it on Session 2. 

Disabling SMB v1 breaks Sonos home NAS support

I’ve had Sonos gear for about 5 years now. 4 units, great little speakers – when they work!

Case in point, I disabled SMB v1 on my win 2016 hyper-v based file server this weekend, only to discover that the default (as in only) SMB format that Sonos supports to enumerate/connect to windows shares is SMB v1. Yikes!

It’s noted here:
https://sonos.custhelp.com/app/answers/detail/a_id/79/~/using-a-nas-drive-with-sonos

I found it while skimming through 100’s of posts over the past few years on the Sonos customer support forums. 

I was about to take to Twitter-bird to chide Sonos for this over-sight, when I noted MSFT Ned Pyle from Microsoft already had!

He’s got this post from last year on the topic

Regardless, I hope Sonos add SMB v2 or v3 support to their units soon. SMB v1 needs to die!

New lab bits have arrived

I’m going through a multi-stage upgrade to my aged home lab hardware, part 1 includes mostly storage items, 4 of those items arrived today!

1x WD Red 7200 RDP 10 TB HDD for file server
1x mATA  to M.2 HDD adapter for file server
1TB Samsung 960 Pro M.2 HDD
2x 8 GB DDR3l SODIMMS for Gigabyte Brix (ESXi host)

Pic below!

I’m working out a plan to get the new items installed with little to now down time. i’ll post my plan soon!


Create your website with WordPress.com
Get started