How I automate windows updates/reboots on my home lab

As my home lab has grown, so has the amount of time that I spend manually patching/rebooting each server, no fun!

So last weekend, I came up with a means to automate the process with active directory groups, group policy and powershell. 

The goals

  1. Automate patching / rebooting of all vmware/hyper-v guest operating systems in my home lab
  2. As I’ve got about 20 VM’s across 4 physical hypervisors, separating the guests into two reboot windows was ideal
  3. Dynamically update the reboot windows as I add/remove servers
  1. Created AD group called “Sat AM patching servers”
  2. Created AD group called “Sun AM patching servers”
  3. Created GPO called “Sat AM Patching” at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates – Sat @ 5 am

  4. Within the “DELEGATION” tab, I set “Sat AM patching servers” to have read/apply group policy rights on the GPO
  5. To stop the “Sat AM patching” GPO from applying to servers in the Sun group, I then set the “Sun AM patching” servers group to DENY for read and “apply this GPO”
  6. Created GPO called “Sun AM patching” at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates – Sun @ 5 am

  7. Within the “DELEGATION” tab, and set “Sun AM patching servers” to have read/apply group policy rights on the GPO
  8. To stop the “Sun AM patching” GPO from applying to servers in the SAT group, I then set the “Sat AM patching” servers group to DENY for read and “apply this GPO”

     Additional info on the above GPO settings is available here
  9. Steps 1-8 address goals 1 & 2 , which left goal 3 ; to automate the process by which servers would be added/removed from the SAT and SUN global groups ; powershell to the rescue! 
  10. Step 10 was the creation of a new Powershell script, full details are below:

For years, I’ve been naming any virtual servers created on my esxi/hyperv hosts to include either a “1” or “2” in their name. The servers are spread out across multiple OU’s. For instance, my Citrix OU has VDA1, VDA2, my SQL servers are in another OU, and called SQL1, SQL2, my AD controllers are in another OU, and called ADDC1, ADDC2, etc, you get the idea

The actual Powershell code to achieve this was less than 40 lines, here its:

### Filter out servers that we don’t want to regularly patch
$Servers = Get-ADComputer -Filter * | Sort DNSHostname `
| Where {$_.DNShostName -notlike “*GOL*”} `
| Where {$_.DNShostName -notlike “*ESX*”}

### Filter $Servers to include servers with the # 1 in their name
$Servers2AddtoGrp1 = $Servers | Where {$_ -like “*1*”}

### Filter $Servers to include servers with the # 2 in their name
$Servers2AddtoGrp2 = $Servers | Where {$_ -like “*2*”}

### Create object for patching group 1
$ADGrp1 = Get-ADGroup -Filter * | Where {$ -eq “SAT AM Patching”}

### Create object for patching group 2
$ADGrp2 = Get-ADGroup -Filter * | Where {$ -eq “SUN AM Patching”}

### Reset Patching Group 1 members
Get-ADGroupMember $ADGrp1 | ForEach {

    Remove-ADGroupMember $ADGrp1 -members $_ -Confirm:$False


### Reset Patching Group 2 members
Get-ADGroupMember $ADGrp2 | ForEach {

    Remove-ADGroupMember $ADGrp2 -members $_ -Confirm:$False


### Add all entries from $Servers2AddtoGrp1
Add-ADGroupMember $ADGrp1 -Members $Servers2AddtoGrp1

### Add all entries from $Servers2AddtoGrp2

Add-ADGroupMember $ADGrp2 -Members $Servers2AddtoGrp2

The script resides on GitHub, HERE
So, we have a script that reads ALL computer accounts in my home lab domain, filters out those with names I don’t want to patch (like esx*), resets their respective AD groups, then adds the servers
The above covers step 10

Step 11, was just to create a scheduled task on my ADDC1 and ADDC2 to run the Powershell script 1 hour before Sat/Sun patch window kicks in!

Hopefully you found the above useful, it wasn’t TOO much work. I was done in the time I took my to consume about 2 servings of Jameson Irish Whiskey/ Dr Pepper (2 hours?) Whiskey purists will scoff @ me, but I won’t see said scoffs, as this is the internet :p


Export-STFConfiguration / Import-STFConfiguration fails

On a few new Win 2012 / Win 2016 systems I’ve setup on my home lab over the past week , I’ve noted various error messages on attempting the following simple Powershell cmdlet based process which you would use to export the config of a working StoreFront server to a new StoreFront server.

Citrix details the process here

1 – Open an elevated Powershell session on your existing StoreFront server that’s fully setup
2 – Add-PSSnapin Citrix*
3 – . “C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1” (note the “.” at the beginning”

4 – Export-STFConfiguration -TargetFolder “c:\StoreFrontConfigs” -ZipFileName Source -NoEncryption

Output of the various config pieces being written to the screen will be shown. With the above commands completed, you would then logon to your second server to import the newly created config where you would run through the following:

1 – Copy over the .zip created in step 4 to a local folder on the new server
2 – Open an elevated powershell session
3 – Add-PSSnapin Citrix*
4 – . “C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1”
5 – Run Import-STFConfiguration -ConfigurationZip “Path to .zip”

That SHOULD be it, right? NOPE! On my test servers at home Win 2012 R2/ Storefront 3.9 and Win 2016 / StoreFront running the import-STFConfiguration resulted in the following cryptic error:

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. The property ‘instance’ cannot be
found on this object. Verify that the property exists.
At line:1 char:1
+ Import-STFConfiguration -ConfigurationZip C:\StoreFrontConfigs\Source …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-STFConfiguration], Exception
    + FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException,Citrix.StoreFront.ImportConfiguration

Now, I can still setup the 2nd server by using the Studio method ; where I create a server group between the existing and new server, and sync the config. However, shouldn’t the Import-STFConfiguration cmdlet do the trick? Anyone else seen this and no of a fix? The Citrix forums have a few posts, but nothing definitive.


Current lab setup

My current lab environment supports a few goals:

  • Stay sharp with Microsoft active directory and group policy
  • Keep up to date with windows server versions: 2003, 2008, 2012R2, 2016 > beyond
  • Keep up to date with the windows desktop OS family
  • Keep my hardware skills sharp by continuing to build my own desktops and servers
  • Keep up to date with Citrix XenApp/Desktop suite releases: in 2017 alone, I ran 7.11, 7.12, 7.13, and 7.15 LTSR – a lot!
  • Use Powershell for automating routine tasks
  • Enable quick recovery from hardware/software failure through OS virtualization 
  • Prep for certification 
All of the above has been achievable using two full size ATX based towers, and one SFF – a Gigabyte Brix
  1. ATX Tower 1 runs server 2016 and Hyper-V – VMs run SQL , file a backup AD controller
  2. ATX Tower 2 runs ESXi – Citrix StoreFront, Citrix desktop controller, session hosts and MCS
  3. The Gigabyte brix is used for appliance functions – vCenter and active directory primary
DRP is covered by a multi-port UPS and USB 3 10 TB HDD
Each year, (and not always @ x-mas) I have the exact same hardware purchase temptations: 
  • A synology NAS unit for backup
  • An off-lease Dell R series or HP/Cisco equivalent 
However, I always defer to the next year, when I’ve got a newer apartment w. more room 😉

The 3 unit setup covers my needs for 2017 so far, but i’ve become interested in VMWARE VCP-DCV certification recently, in doing so, I would more than likely go to a 4-host setup to enable VSAN. So, purchasing a 4th ATX or MATX based tower will more than likely occur sometime i the next 4-6 months. I’m looking at an Intel Coffee lake based rig, as they traditionally feature better ESXi support.  

Chrome with folder redirection works with only one session

In my previous job, my exposure to Citrix imaging solutions was limited to PVS. So, over the past few days, I’ve been going through the process of setting up MCS in my home lab. 

To be honest, it’s a pretty great out-of-the-box experience. PVS is a lot of work to setup / maintain, man! 🙂

Anyway, I was able to create a nice simple master image for my MCS machine catalog, and tested out basic functionality today, however, I ran into a Google Chrome + Citrix gotcha!

I was logged into a long-build (non-MCS) server VDA session on my home lab hardware, then opened a new MCS VDA server session, all apps opened fine on the 2nd session, but chrome!

I had enabled Chrome folder redirection to cut down on Citrix UPM/roaming profile size, however, when you enable Chrome %AppData% redirection, you can only have one session per user opened at a time!

For reference, the *gotcha* is listed on the Google Chrome product forums, here:

The fix was simple, exit Chrome on session 1, I was then able to open it on Session 2. 

Disabling SMB v1 breaks Sonos home NAS support

I’ve had Sonos gear for about 5 years now. 4 units, great little speakers – when they work!

Case in point, I disabled SMB v1 on my win 2016 hyper-v based file server this weekend, only to discover that the default (as in only) SMB format that Sonos supports to enumerate/connect to windows shares is SMB v1. Yikes!

It’s noted here:

I found it while skimming through 100’s of posts over the past few years on the Sonos customer support forums. 

I was about to take to Twitter-bird to chide Sonos for this over-sight, when I noted MSFT Ned Pyle from Microsoft already had!

He’s got this post from last year on the topic

Regardless, I hope Sonos add SMB v2 or v3 support to their units soon. SMB v1 needs to die!

New lab bits have arrived

I’m going through a multi-stage upgrade to my aged home lab hardware, part 1 includes mostly storage items, 4 of those items arrived today!

1x WD Red 7200 RDP 10 TB HDD for file server
1x mATA  to M.2 HDD adapter for file server
1TB Samsung 960 Pro M.2 HDD
2x 8 GB DDR3l SODIMMS for Gigabyte Brix (ESXi host)

Pic below!

I’m working out a plan to get the new items installed with little to now down time. i’ll post my plan soon!

Create your website with
Get started