What’s new in the Windows 10 Fall Creators Update (2017)

With the Windows 10 Fall Creators Update, Microsoft are introducing some fun, new ways to get creative – from bringing mixed reality and 3D to the masses, to faster broadcasting for gaming, to turning photos and videos into real memories, and a few things more. The Fall Creators Update can be experienced on a wide variety of Windows 10 PCs (Except Intel Clover Trail systems) and on a few of Windows Mixed Reality headsets listed here.

Continue reading What’s new in the Windows 10 Fall Creators Update (2017)

Advertisements

Network Quality of Service (QoS) on Windows

The goal of Quality of Service (QoS) is to provide preferential treatment to certain subsets of data, enabling that data to traverse the traditionally best-effort Internet or intranet with higher quality transmission.

By using QoS you can:

  • Specify or request bandwidth requirements particular to their application, such as latency requirements for streaming audio.
  • Give applications their required bandwidth — provided bandwidth availability exist.
  • Control network device resources based on user policy and/or application usage.
  • Reserve portions of a given bandwidth for applications or users that require such availability for core business activities.
  • Shape and smooth the traffic that clients submit to the network, thereby avoiding the overburdening of switches and routers suffered with traditional burst transmissions.

 

QoS History in Windows

Windows 2000 introduced the Generic QOS (GQOS) application programming interface (API) as a framework for QOS. The GQOS API provided access to QOS mechanisms that were available as part of the networking stack. Windows 2000 also provided tools, such as Subnet Bandwidth Manager (SBM) and QOS policy control.

In Windows XP, the focus was on prioritization and traffic shaping mechanisms. Although GQOS continued to be the application interface for accessing prioritized QOS, the reservation mechanisms had been removed. The kernel component that implemented prioritization and traffic shaping was the QOS Packet Scheduler, called the Traffic Control (TC) API. The TC API provided control of QOS mechanisms (such as prioritization and shaping) at the host level rather than at the application level, but it required administrative privileges to be invoked. The QOS mechanisms provided in Windows XP supported enterprise QOS needs for wired networks. In Windows XP Service Pack 2 (SP2), the GQOS mechanisms allowed the application to set Layer 3 priorities only. Applications that set Layer 2 priorities for their traffic had to implement an independent service with administrative privileges to set Layer 2 priorities using TC APIs.

In Windows Vista, two features were introduced: Quality Windows Audio Video Experience (qWAVE) and policy-based QOS. qWAVE is designed to estimate the network bandwidth, intelligently mark the application packets (with proper DSCP values), and interact with the application in the event of network congestion or bandwidth fluctuations (informing the application to take appropriate actions). Policy-based QOS allows IT administrators to apply QOS to applications (which do not need to have native support for QOS), computers, and users in their enterprise network.

In Windows 7, enhancements were made to allow policies to be created based on the URL of an HTTP server (rather than just on an application name), source and/or destination IP addresses, source and/or destination ports, and protocol).

 

Using PowerShell to manage QoS

With the following cmdlets you can manage your QoS.

Get-NetQosPolicy      Retrieves network Quality of Service (QoS) policies.
New-NetQosPolicy      Creates a new network QoS policy.
Set-NetQosPolicy      Updates the QoS policy settings.
Remove-NetQosPolicy   Removes a network Quality of Service (QoS) policy.

Lets get started:

Step 1

As usual step 1 is to know from where you are starting. So we are going to check if some NetQosPolicy is already defined. Open PowerShell with administrative priviledges.

The Get-NetQosPolicy cmdlet allows you to retrieve Quality of Service (QoS) policies from a computer.

QoS policies can originate from many sources, such as from the administrator of a local computer, from a domain controller, or from applications that use the QoS Windows Management Instrumentation (WMI) APIs. Therefore, the QoS policies are stored in different locations. If the location as provided by the PolicyStore parameter is not specified, then this cmdlet retrieves all the policies stored on the local computer (localhost).

ActiveStore

ActiveStore is a special location. If ActiveStore is specified as the location, the user will see all the effective QoS policies, regardless of where the QoS policies are stored.

This command gets a list of QoS policies currently effective on the computer:

Get-NetQosPolicy -PolicyStore "ActiveStore"

This command gets all of the properties of a specific QoS policy.

Get-NetQosPolicy -Name "YOUR POLICY HERE" | Format-List -Property *

 

Step 2

The New-NetQosPolicy cmdlet creates a new network Quality of Service (QoS) policy. A QoS policy consists of two main parts: match conditions also known as filters, and actions. If the PolicyStore parameter is not specified, then the new policy is added to local computer (localhost). If a policy is stored in ActiveStore, then the policy will not persist after reboot.

This command creates a QoS policy named FTP that matches an application path at ftp.exe and throttles the traffic at 1,000,000 bits per second.

New-NetQosPolicy -Name "FTP" -AppPathNameMatchCondition "ftp.exe" -ThrottleRateActionBitsPerSecond 1MB -PolicyStore ActiveStore

 

This command creates a QoS policy named SMB Policy that classifies SMB traffic and tags it with 802.1p priority value of 1. The SMB parameter is a built-in filter

New-NetQosPolicy -Name "SMB Policy" -SMB -PriorityValue8021Action 1

This command creates a QoS policy named Backup that matches traffic sent to 10.1.1.176/28 subnet and tags it with DSCP value of 40. This policy is effective only on traffic sent on a domain-joined network adapter.

New-NetQosPolicy -Name "Backup" -IPDstPrefixMatchCondition "192.168.1.170/28" -NetworkProfile Domain -DSCPAction 40

You can also use a single IP as a IPDstPrefixMatchCondition and the NetworkProfile can be: Domain, Public, Private, or All.

Option 3

The Set-NetQosPolicy cmdlet modifies an existing Quality of Service (QoS) policy. You need to specify the existing name to change values in this policy.

This command updates the QoS policy named SMB Policy so that it only applies to traffic that is outgoing from a domain-joined network adapter.

Set-NetQosPolicy -Name "SMB Policy" -NetworkProfile Domain

Step 4

The Remove-NetQosPolicy cmdlet removes the network Quality of Service (QoS) policies. All the policies, in a policy store, are removed unless a specific policy is named.

This example removes a policy named as Backup.

Remove-NetQosPolicy -Name "Backup"

This example removes all the policies from the ActiveStore.

Remove-NetQosPolicy -PolicyStore ActiveStore

 

With this information you can get into shape… 😉

 

Extra Info:

Differentiated Services and DSCP

Diffserv (Differentiated Services) is a protocol that defines traffic prioritization at Layer 3 of the OSI model. Layer 3 network devices, such as routers, that support this protocol use Diffserv markings to identify the forwarding treatment, or per-hop behavior (PHB), that marked traffic is to receive. Diffserv markings for a packet are placed in the IP header.
RFC 2475 defines the architecture for Diffserv. RFC 2474 defines the bits in the Diffserv field.
RFC 2474 redefines the IPv4 TOS octet as 6 bits for the Diffserv value, also known as Diffserv code point or DSCP, followed by 2 unused bits.

DSCP values are backward-compatible with IP precedence values, which means that legacy routers that support only IP precedence can interpret DSCP values. Valid values are 0-63.

Common values sorted from low to high are: 0,8,16,24,32,40,48,56

IEEE 802.1p Priority Levels

IEEE 802.1p defines a 3-bit field called the Priority Code Point (PCP) within an IEEE 802.1Q tag. The PCP value defines 8 priority levels, with 7 the highest priority and 1 the lowest priority. The priority level of 0 is the default. Each priority level defines a class of service that identifies separate traffic classes of transmitted packets.

PolicyStore

Specifies the location of the policy that is stored. The acceptable values for this parameter are:

  • ActiveStore
  • COMPUTERNAME
  • GPO:COMPUTERNAME
  • GPO:DOMAIN\GPONAME
  • LDAP://LDAP-URL

Samba – SMB browsing elections wars

I while ago I posted a page about Kodi and SMB. Read about it here. My goal than was to disable SMBv1 and ban it from my network.

Today I did a new installation of my Chromebook (with Chromebook Unix on the side). I noticed I couldn’t browse with the file manager from my distro and after editing the samba configuration file to bumb the client max protocol to level 3 it still wouldn’t work.

Having multiple looks at my smb.conf file and restarting the service multiple times after uncommenting some settings I had no clou what was going on. Samba can be a handfull but has an overwhelming documentation library. Reading Chapter 7. Name Resolution and Browsing pointed my in the right direction to solve this.

Continue reading Samba – SMB browsing elections wars

Features that will be removed in the next Windows 10 Update

When Microsoft talked about Windows 10 before releasing it they said it will be around for a long time and will be getting updates in a different way than we were used to.

Looking back at this it looks like we already got a sneak preview at this concept with Windows 8 and Windows 8.1 (and remember the Windows XP Media Center disc 2?).

Continue reading Features that will be removed in the next Windows 10 Update

Hyper-V Server 2016 for a workgroup environment – Part 1

Pop quiz: Which Operating System edition from Microsoft has been free for use throughout it’s almost 10 year long lifespan?

Microsoft Hyper-V Server.

What is it?

Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and are a more efficient way to use hardware than just running one operating system on physical hardware.+

Hyper-V runs each virtual machine in its own isolated space, which means you can run more than one virtual machine on the same hardware at the same time. You might want to do this to avoid problems such as a crash affecting the other workloads, or to give different people, groups or services access to different systems.

Virtualization

VMware

There are 3 big players in the virtualization scene. VMware is probably the most well-known player and has been around for a long time. I have worked with ESX from their 2.5 days somewhere in 2004. While many things have changed, the basics are still the same.

You start with the Hardware > Installation of Hypervisor > Management through web interface. This is basically it. ESX has become picky with web browsers but in theory all you need is your web browser to do all the things on your server.

Hyper-V

Microsoft began with Hyper-V as a direct competitor against VMware with the introduction of Windows Server 2008 (aka the Vista edition). Yes it was a 1.0 product for them but it worked. One advantage and probably a disadvantage at the same time was that it could be a dedicated role on your server but it also allowed you to use your server as a regular server with the role Hyper-V on the side. Management throughout the GUI was done by a MSC (Microsoft Management Console snap-in). If you had a full server installed with GUI it was easy to manage on the server itself otherwise you almost had to have the server joined in a domain to manage it. It was possible to manage it from a workgroup but you would have to ‘break’ security on the server-side and perform some DCOM (Distributed Component Object Model) actions on the managing computer that resemble working with a crowbar.

XenServer

Xen backed by Citrix is the third player in the Hypervisor scene. Began as open-source project, was bought by Citrix and given back to the community. In comparison to VMware and Hyper-V it looks more like VMware. I have never worked with the pre-Citrix area of this product but from version 5.6 on you could manage your server through the XenCenter application, a Windows only program. There were alternatives for Linux like OpenXenManager but they were not officially supported by Citrix. The XenCenter application allows to connect to your server over the network with a username and password.

The Interfaces

vSphere 6.5 webclient, navigation bar on the left, menu bar on the top, content in the large screen. It’s okay for regular use. In previous versions you could ‘hack’ the performance monitoring tab to extend the only one hour limit of the free version to 3 days but this doesn’t seem to be possible anymore which is a shame and kind of negative point if you don’t have another system monitoring performance (which is kind of unusual in homelab setups)

Vsphere 6.5 interface

Hyper-V Manager, traditional MMC layout. List on the left, middle part has the content, right side covers the action bar. The Hyper-V Manager has has the basics of what you could do with a VM. Performance monitoring is real-time and will show only live CPU usage and Memory demand/usage.

Hyper-V 2016 interface

XenCenter, navigation bar on the left, toolbar with operations on the top, works with tabs for each different feature. Works great and I love the performance graphs. In previous releases Citrix sometimes used to change the feature level of the free edition and in the 6.x era you could enable enterprise features by using an older client but there is no need for these tricks anymore for regular users.

XenServer 7.2 interface

And XenCenter has one small benefit over the other 2 products with small and simple console allow you to start or shutdown VM’s on the console.

And XenServer has a simple interface on the server for basic operation.

 

Part 1 Finished

I won’t be going into much details which product is better for what reason but I chose Hyper-V Server for 1 reason as my ‘home‘ server. While VMware and Xen are pure virtualization hosts, Hyper-V allows me to use my server also as a file server.

Sure you can run a guest VM on VMware or Xen with multiple terabytes storage but my files are more important that a virtual machine and keeping my files on my harddisk on a VMFS formatted datastore in a VMDK or a XenServer Storage Repository running LVM and ext3 could be hell is something goes wrong with the hypervisor. I prefer to have my files on a harddisk and in case of a server failure I can remove the disk out of my server and plug it into a USB dock. Couldn’t be more simple than that.

Next time

Part 2 will cover the commands to make the most kickass home server setup for file sharing and running some VM’s.

 

Windows Home Server 2011 End of Mainstream Support – Users left abandoned

Windows Server logo

Windows Home Server 2011 mainstream support has ended in the second quarter of 2017

What does this mean for you?

This means that Microsoft will no longer issue security updates for the Home Server-specific components that make up Windows Home Server 2011. If you are still running Windows Home Server 2008 or Windows Home Server 2011, Microsoft recommends bringing in a new device running Windows Server Standard or Windows Server Essentials and migrating your roles, features and data to the new appliance. Today’s new hardware is significantly faster and cheaper and can better handle the latest Windows security infrastructure, roles and features. Customers moving to a modern operating system will benefit from dramatically enhanced security, broad device support, higher user productivity, and a lower total cost of ownership through improved management capabilities.

Why migrate from Windows Home Server to Windows Server Essentials?

The latest versions of Windows Server Essentials support improvements in security, scalability, and manageability, and it contains device driver support for new hardware and silicon.
Simplified setup. There is no easier way to set up a server than using the Windows Server Essentials Out-of-Box experience. Windows Server Essentials configures AD, certificate services, and DNS. It helps get a public domain name set up, and it generates and installs SSL certificates and everything you need to get started with your own hybrid cloud setup.
Data redundancy and single pool of storage. Windows Server Essentials includes a feature called Storage Spaces that provides data redundancy and storage pooling functionality like that provided by Drive Extender in WHS. Windows Server Essentials has a much more reliable and resilient storage subsystem.
Centralized PC backup and restore. Windows Server Essentials includes the next generation version of the centralized PC backup and restore functionality from Windows Home Server 2011 as well as centralized File History storage for all your PCs. Windows Server Essentials supports up to 75 PC backups vs. Windows Home Server’s 25 PC backup limitation. Windows Server Essentials 2016 also supports backing up volumes to Azure and backing up VMs to Azure Site Recovery (ASR).
Centralized PC and server health monitoring. Windows Server Essentials includes health monitoring, both for the server itself as well as for all the connected PCs.
Document and media sharing. Windows Server Essentials can share content using SMB, iSCSI or NFS. Windows Server Essentials 2016 no longer includes the media streaming codecs, however, we found that people were not actually using that feature and they prefer to decode in the respective media applications.
Remote access. Windows Server Essentials has the remote access gateway feature that automatically generates SSL certificates for your server from GoDaddy. Essentials includes a web-based client for accessing home documents and media, and you can also remote desktop into the server if needed for administration purposes.

IO

Yeah, so this means the product line Home Server is dead and users are forced to migrate an domain, certificates and data. Well data migration isn’t that hard, a basic copy can do the job, but before they can do this they need to setup Storage Spaces which is a new concept for them.

Storage Pools

Do you know how to setup a storage pool with existing data? Well you don’t because it’s not possible…

Migrate Domain

Migrating a domain controller and removing the first existing domain controller used to be a lot of work if done properly. Good thing Microsoft made it easier with 2016. Basically all you need to do is delete the Computer Account from Active Directory Sites and Services (dsa.msc) and after this open a elevated Command Prompt or Powershell and

type ntdsutil and enter. 
Then metadata cleanup
Next type remove selected server <yourservername>

There is still one little issue with this. Server 2016 Essentials is designed to be a domain controller. If you are following the wizard pages after you login you will end up with another domain and joining the first domain will be a hard job. You have to cancel the wizard and join your new 2016 Essentials server manually to the existing domain.

Certificates

You will also have to import the EFS (Encrypted File System) and CA (Certification Authority) from one server to another.

EFS migratation contains files and certificates. The File is located in

%APPDATA%\Microsoft\Crypto\RSA

And you will need to export a certificate under the Administrator account Certificates\Personal\ of the File Recovery type. Export with private key or else you can’t use it.

For the CA feature there are more guides around on the interwebs.

Microsoft hasn’t made a guide for the 2016 edition yet, but the 2012 doesn’t seem that off.

 

So does this sound easy peasy for you? Well go ahead then with your new server (with new harddisks) if you have the funds and are willing to pay for it. It’s just $559 at the Microsoft Store 🙂 Not really a home product isn’t it….

Kodi and SMBv1 – how to jump into the 21st century

Kodi logo

What is it?

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Using the SMB protocol, an application or the user can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

What versions are out there?

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

WannaCry

Almost everyone has heard of WannaCry in the recent weeks, an exploit that propagates EternalBlue, made by the NSA and lost by the NSA, an exploit of Windows’ Server Message Block (SMB) protocol.

WannaCry is made less harmful by patching Microsoft’s Operating Systems, disabling SMBv1 and blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

 

How to enable or disable SMB protocols on the Windows SMB server

If you are running Windows Server you can use the Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false
Notes
  • You must run these commands at an elevated command prompt.
  • You do not have to restart the computer after you make these changes.

 

To enable or disable SMB protocols on an SMB Server that is running a Windows Desktop OS use Windows PowerShell or Registry Editor.

To disable SMBv1 on the SMB server-side, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to enable or disable SMB protocols on the Windows SMB client

Note

You might think a Windows Server has nothing to do with the client side of SMB but it uses the client to connect to other servers. So if you want to completely disable SMBv1 you also need to do the following on the Server OS.

To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi 
sc.exe config mrxsmb10 start= disabled
Notes
  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

 

How to gracefully remove SMBv1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016

If you are sure you do not need SMBv1 and will never need it you can also remove it from the OS.

If you are using Windows Server run the following cmdlet:

Remove-WindowsFeature FS-SMB1

If you are using a Windows Client IS run the following cmdlet:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Note
  • You must run these commands at an elevated command prompt.

 

 

When does Kodi come into play?

You might have read this so far and asked yourself what has this to do with Kodi? Well after I disabled SMBv1 on my free Microsoft Hyper-V Server 2016 (Blog Post coming soon) I noticed my OSMC Kodi client couldn’t access the libraries anymore.

That’s weird, OSMC is running a fairly new Linux kernel and is normally shipped with up to date packages. Samba 3.6 was the first version that made SMBv2 possible. Released at the end of 2011 this should have worked.

After a lot of time on the Kodi and OSMC forum it turns out that Kodi has some sort of its own smb configuration.

While normal Linux systems have the configuration file located in the /etc/samba/smb.conf file, it turns out that Kodi uses it own configuration file.

While bumping the system wide smb.conf file for Samba up to SMB2 or higher I was still unable to connect my Pi with OSMC to my Ubuntu Server running SMB3.

Using smbstatus you can get a report on current Samba connections

$ sudo smbstatus -b

Note

To get the Windows equivalent of smbstatus use the following PowerShell line:

Get-SmbSession | Select-Object -Property SessionId,ClientComputerName,ClientUserName,NumOpens,Dialect | Format-Table

 

The almost hidden .smb/smb.conf

Kodi has very poorly documented its own smb.conf file in the ~/.kodi/.smb/smb.conf location. This is the file that Kodi uses for its Samba configuration.

I started adding the option client min protocol = SMB2 to bypass SMB1. After this I still couldn’t make a connection with my files. Some people stated client max protocol = SMB3 should go along with the min setting. I also added client NTLMv2 auth = yes since this kinda is the default settings since Windows Server 2008.

After this I was able to connect with my Windows Server 2016 but still not with my Ubuntu Server. I downgraded the server protocol to SMB2 with server min protocol = SMB2 and things started to work.

$ sudo smbstatus -b

Samba version 4.3.11-Ubuntu
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
1741 nobody nogroup 172.16.1.195 (ipv4:172.16.1.195:50393) Unknown (0x0311)
1758 nobody nogroup 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00
1758 -1 -1 172.16.1.187 (ipv4:172.16.1.187:47632) SMB3_00

Nice to see the client is connecting with SMB3 while it wouldn’t connect while the server was on SMB3 level… interoperability… jeej! 😉

So after some time I ended with the following configuration file for my Linux computers:

smb.conf

[global]
 client min protocol = SMB2
 client max protocol = SMB3
 client NTLMv2 auth = yes
 server min protocol = SMB2

 

After-effects

Disabling SMBv1 in Kodi breaks the SMB browsing function. You will not be able to use the SMB browser to navigate through your network and shares. If you want to connect to a new source you will have to type smb://MyServer/MyShare/

Android Phones/Tables/Players will not be able to make use of the more secure servers. While the same mechanism is still there the Samba client shipped with Kodi is not able to connect to SMB2/3 shares. According a developer from Kodi their Samba version for Android is not compatible with it.

Android/data/org.xbmc.kodi/files/.smb/smb.conf

A bit snooping arround github shows they are probably using Samba 3.0 with a lot of patches. The good news is that three weeks ago they started some work with Samba 4.1.

Until that work is complete a workaround for Kodi on Android might be switching to NFS or going truly hardcore with mounting cifs on the Android system.

Windows Server 2016 docs are now on docs.microsoft.com

Windows Server logo

Microsoft announced the availability of the IT pro technical documentation for Windows Server 2016 and Windows 10 and Windows 10 Mobile on docs.microsoft.com.

docs.microsoft.com?

Docs is a crisp new design that should work better on your phone, tablet, and PC. You’ll see new ways to engage with Microsoft and contribute to the larger IT pro community on docs.

Performance Tuning Guidelines for Windows Server 2016

When you run a server system in your organization, you might have business needs not met using default server settings. For example, you might need the lowest possible energy consumption, or the lowest possible latency, or the maximum possible throughput on your server. This guide provides a set of guidelines that you can use to tune the server settings in Windows Server 2016 and obtain incremental performance or energy efficiency gains, especially when the nature of the workload varies little over time.

It is important that your tuning changes consider the hardware, the workload, the power budgets, and the performance goals of your server. This guide describes each setting and its potential effect to help you make an informed decision about its relevance to your system, workload, performance, and energy usage goals.

Warning

Registry settings and tuning parameters changed significantly 
between versions of Windows Server. Be sure to use the latest 
tuning guidelines to avoid unexpected results.

You can download the official document here.