Adding standalone VM to Hyper-V Cluster

If you have already created a VM on a standalone Hyper-V host and it is running, but now you want to make it part of a Hyper-V Cluster so that it is highly available, the process is simple.  Before taking this action, make sure your storage is available on Cluster storage, because the VM will move from its current local storage on the standalone host to Cluster storage. Also, it’s best to have a good backup in case something goes wrong with the process. This was done on Microsoft Windows Server 2012 R2; the process is similar on Windows Server 2016. When you move the VM from Windows 2012 or 2012 R2, you may get an option to upgrade the VM version; don’t upgrade if you want to replicate to, or keep the option to run the VM on, Windows 2012 or 2012 R2.

Open up Failover Cluster Manager

Expand the tree and right click on Roles>Configure Role
You may or may not get the Wizard screen, depending on whether you selected “Do not show this page again” before

Select Virtual Machine from the list of roles

It’s going to find any VM that is not part of the Cluster; you just need to select that VM, then click Next

Confirm Virtual Machine, click Next

You will get a Summary with an option to view the report. Double check that everything went well; you may get some warnings about storage or networking, like I had here: The path VMname.vhdx where the virtual hard disk is stored is not a path to storage in the cluster or to storage that can be added to the cluster. You must ensure this storage is available to every node in the cluster to make this virtual machine highly available

How to change the Storage of a VM on a Hyper-V Cluster:

While in the Failover Cluster Manager

Right click on the VM whose storage you want to move to the cluster, then Move>Virtual Machine Storage

Change the storage to the new location on the Cluster storage and click Start to move the storage.

That’s it, you should now see your VM on the Hyper-V cluster

If you have any issues, check the logs, firewall, storage, version, etc. and try again.



How to secure your Ubuntu server

As you may already know, there are many ways to secure an Ubuntu server, depending on your environment and OS version. Double checking that you are secure does not hurt at all, but don’t go overboard and lock yourself out of your own server. I have been working with Ubuntu server since Ubuntu 5.04 back in 2007, but have not done any post about it and was not using it as much as I am now. The Ubuntu Linux system has come a long way for sure; now even power users are starting to use the desktop version. For the most part, the default security protects your server from any major attack. Many attacks come from within your own environment, helped by lazy admins or management who don’t want to pay for support or just keep postponing updates. Anyway, here is a list of tweaks I have been using, and I am learning more from other Linux admins on the internet.

Keep your server up to date:


sudo apt-get update          # refreshes the package lists so updates for your installed packages can be found
sudo apt-get upgrade         # installs the available updates for the installed packages
sudo apt-get dist-upgrade    # like upgrade, but also installs or removes packages when an update's dependencies change

Check supported Releases:
https://wiki.ubuntu.com/Releases

Remove unnecessary packages

sudo apt-get auto-remove
sudo apt-get purge NameOfPackage

Enable the built-in Uncomplicated Firewall (ufw), allowing only the service names or ports you need:

sudo ufw allow ssh
sudo ufw allow 80
sudo ufw allow ftp
sudo ufw enable

Disable telnet: very old, but I have seen people still using it
sudo apt-get remove telnet

Check for hidden open ports with:

sudo netstat -tulpn    # listening TCP/UDP ports with the owning process

Set a shorter timeout for root sessions

edit /etc/profile
[ "$UID" -eq 0 ] && TMOUT=600
The $UID -eq 0 part refers to the user with the ID of 0, which is always root.
The TMOUT=600 or 900 part sets the timeout limit to 10-15 minutes (600-900 seconds)

Change the default SSH port from 22 to something else and disable root login:

edit /etc/ssh/sshd_config:
Port 22 > Port 90xx or whatever port you want (don’t forget to add the new port to your firewall)
PermitRootLogin yes > PermitRootLogin no

Limiting which users are allowed to log in via SSH:

edit /etc/ssh/sshd_config to allow SSH login for specific users only
At the bottom of the file, add an AllowUsers line, where x = the IP of the device you are going to log in from; or just list the usernames: User1 User2, etc…
AllowUsers YourUserName@192.xxx.xxx.x
If you need to use a wildcard to allow any username from a network (x = network):
AllowUsers *@192.xxx.xxx.*

You could also add a Group:
Create group:
groupadd -r SSHGroupName

Add allowed group to /etc/ssh/sshd_config
AllowGroups SSHGroupName

Then add user to the group:
usermod -a -G SSHGroupName user1

service ssh restart


Add a login banner which is displayed before the user logs in:

edit /etc/issue.net
add your own warning message that anyone logging in will see

Then edit /etc/ssh/sshd_config and uncomment the line:
Banner /etc/issue.net
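
One way to check the sshd_config changes from the steps above (port, root login, allowed users and groups, banner) before restarting SSH, as an added example that is not part of the original post. The function names, port 9022, user admin1, group sshusers and the 192.0.2.* addresses are assumptions, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings discussed above.
# Simplification: only the first line for each keyword in the global section
# is read, and Include files are not followed.
sshd_value() {  # usage: sshd_value FILE KEYWORD (keyword match is case-insensitive)
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        NF < 2 || $1 ~ /^#/ { next }        # blanks, bare keywords, comments
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

warn() { echo "WARN: $*"; _found=1; }

audit_sshd() {  # prints one WARN line per finding; returns 1 if there are any
    _found=0
    _v=$(sshd_value "$1" Port)
    [ "${_v:-22}" != 22 ] || warn "Port is still the default 22"
    _v=$(sshd_value "$1" PermitRootLogin)
    [ "$_v" = no ] || warn "PermitRootLogin is '${_v:-unset}', expected 'no'"
    _v=$(sshd_value "$1" AllowUsers)
    [ -n "$_v$(sshd_value "$1" AllowGroups)" ] || warn "no AllowUsers or AllowGroups line"
    case " $_v" in
        *" @"*) warn "AllowUsers entry has no user part; use '*@host' for any user" ;;
    esac
    _v=$(sshd_value "$1" Banner)
    case "$_v" in
        ""|none) warn "Banner is not set" ;;
    esac
    return "$_found"
}

# Constructed sample: a config before the changes described above.
sample_before() {
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'AllowUsers @192.0.2.*' '#Banner none'
}
# Constructed sample: after the changes (port, user and group names are made up).
sample_after() {
    printf '%s\n' 'Port 9022' 'PermitRootLogin no' 'AllowUsers admin1@192.0.2.*' \
        'AllowGroups sshusers' 'Banner /etc/issue.net'
}

for s in sample_before sample_after; do
    cfg=$(mktemp) && "$s" > "$cfg"
    echo "== $s"; audit_sshd "$cfg" || true
    rm -f "$cfg"
done
```

On a live server, sudo sshd -t checks the file for syntax errors before service ssh restart, and sudo sshd -T prints the effective settings.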

Some more options to hide server info, by commenting out this line:

edit /etc/pam.d/sshd
session optional pam_motd.so motd=/run/motd.dynamic

Network messages to allow or disable (like ICMP, redirects, SYN, etc.):
edit /etc/sysctl.conf
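
Concrete settings for the ICMP, redirect and SYN messages mentioned above, as an added example that is not part of the original post: a shell check that lists which lines a sysctl.conf still needs. The baseline values, the function names and the sample file are assumptions (a common hardening choice, constructed input), so review them against what your server does.

```shell
#!/bin/sh
# Added example: compare a sysctl.conf with a baseline for the ICMP, redirect
# and SYN settings. The baseline values are an assumed common hardening choice.
baseline() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
EOF
}

# Print the value FILE sets for KEY; later lines override earlier ones.
# Commented-out lines never match because their key starts with '#'.
sysctl_conf_value() {  # usage: sysctl_conf_value FILE KEY
    awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# Print one line per baseline setting that FILE does not already have.
sysctl_todo() {  # usage: sysctl_todo FILE
    baseline | while IFS='=' read -r key want; do
        have=$(sysctl_conf_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key = $want    # currently ${have:-not set}"
    done
}

# Constructed sample: most lines still commented out, one redirect setting on.
sample_conf() {
    cat <<'EOF'
#net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
#net.ipv4.conf.all.send_redirects = 0
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
sysctl_todo "$conf"
rm -f "$conf"
```

Add the reported lines to /etc/sysctl.conf and load them with sudo sysctl -p.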

Blocking IP spoofing:


edit /etc/host.conf
change from “multi on” to “nospoof on”

To Turn off Server Signature:

edit /etc/apache2/apache2.conf and add these 2 lines at the end of the config file. In most cases, when a user types a wrong URL or browses by IP address, the error page displays your web server info by default.
ServerSignature Off
ServerTokens Prod

service apache2 restart

Hide PHP Version

edit /etc/php/7.0/apache2/php.ini (your version of PHP may be different)
expose_php = Off

You may have an older version of PHP:
/etc/php5/apache2/php.ini
expose_php = Off

Also, you could add to your .htaccess file:
# Disable server signature
ServerSignature Off

Will add more later on



Windows Admin Center to manage Local and Remote server

Microsoft announced Windows Admin Center (formerly Project Honolulu) back on April 12, 2018, and its use for managing local and remote servers has been increasing.  It’s used by many IT admins since it’s very lightweight and it can be installed on a Windows 10 client machine (you need admin rights to manage servers).  Microsoft has been adding many features with every new update; it also has Extensions support, so more products can be integrated, at the moment more in Preview.  If you are using Microsoft Azure, this would be a great tool to use going forward instead of 3rd party systems.  Once you have installed Windows Admin Center on your Windows 10 client machine or on Windows Server 2016, no agents are needed on the target system. It uses Microsoft Edge (Windows 10, version 1709 or later) or the Google Chrome browser.  It can manage Windows Server 2008 R2, 2012, 2012 R2, 2016, and hyper-converged clusters; the only requirement is Windows Management Framework 5.1

It’s similar to Remote Server Administration Tools (RSAT), Microsoft Management Console (MMC) and other tools.  It does not replace them, but it gives more options for central, modern management, and it’s free.

To get started first download the Windows Admin Center: http://aka.ms/WACDownload


1. Double click the setup to start the install, accept the terms and click Next

2. Click Next

3. Click Install (you can change the port here if you want or need to, and select the box if you want a desktop shortcut)

4. If everything goes well you should see the following screen, and it is ready to be used.

Go to URL:6516 or whatever port you set in step 3 and start adding servers.

You will see Tools based on your server or PC hardware/software capabilities; here is a comparison of the tools on Windows Server 2016 vs. Windows 10 Pro

That’s it, enjoy it


If you have issues as I did, here are some options to fix them

If you get an error: Microsoft.PowerShell.LocalAccounts

Run this in PowerShell with admin rights:
[Environment]::SetEnvironmentVariable("PSModulePath","%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules;" + ([Environment]::GetEnvironmentVariable("PSModulePath","User")),"User")


Also, you may need to re-run the install to uncheck the “Allow Windows Admin Center to modify this machine’s trusted hosts settings” option. Modifying TrustedHosts is required in a workgroup environment, or when using local administrator credentials in a domain. If you uncheck it, you need to configure TrustedHosts manually.


Common FAQs: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/troubleshooting

For more information: https://www.microsoft.com/en-us/cloud-platform/windows-admin-center



How to set accurate time for Windows Server

Having the right time on your network is critical for all your network devices to function correctly. It is also best for troubleshooting, when you need to see a pattern; otherwise you will have some devices reporting a few minutes or even hours off from real time. These days most if not all networks are in virtual environments (for some it’s called cloud). Windows Hyper-V’s recommendation is to turn off time sync for all VMs and let the PDC role holder go out to the internet and get time from a reliable source, then have your local devices sync to the PDC. The second option, for a smaller network, is to synchronize your Hyper-V hosts’ hardware clock to the NTP authority. This guide configures NTP (Network Time Protocol) on your Windows primary domain controller to point to a reliable source, so your local devices also get the correct time. Let’s get started

Log in to your Primary Domain Controller:
Open a CMD console with Admin rights:
First, check the current status:
w32tm /query /status

Or check the NTP server in use
net time

To see the current time server source:
w32tm /query /source

Then, check the current configuration:
w32tm /query /configuration

Once you have verified the status and configuration, stop the NTP service:
net stop w32time

Find the NTP servers for your time zone at https://www.ntppool.org/en/
Example for the North American time zone, setting a few servers:

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

Or you could use w32tm /config /syncfromflags:manual /manualpeerlist:pool.ntp.org and it will find the closest server automatically

To make your DC a reliable time source:

w32tm /config /reliable:yes
net start w32time

To verify, you can run the check current configuration command:
w32tm /query /configuration

Or check the registry; you should see the same:

That should be it; verify that your network firewalls allow the NTP protocol across the network.
Check more info from Microsoft for Windows server NTP

Common issues and solutions:

If you see the source as “Free-running System Clock”, it means your system does not have a time server set

You may get: Local CMOS Clock if it’s not updated yet

Once you have configured it correctly you should see something like this:

If you see this message in your VM: Integration Services “Time synchronization” is on



How to restore Remote Server Administration Tools on Windows 10

When you get a Microsoft Windows update, your Remote Server Administration Tools (RSAT) get removed; this happened to me 3 times already after Windows 10 updates.  Many system admins use these tools to manage their servers, so they don’t have to RDP to each server, even though many tasks can now be done via PowerShell commands.  Some of the GUI is not available on the server, so you need to know PowerShell to manage it and to add or remove features or services.  The removal does not happen with smaller updates, only major updates.  Also, you may see other settings get reset, like Suggested notifications, default apps and printers, so you may want to double check your settings to make sure they were not reset.

I had the server admin tools, and after the Windows 10 updates they got removed, as you can see in this screenshot:

Remote Server Administration Tools (RSAT) for Windows 10

You can download it from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=45520

Then just run the installer wizard

If everything went well, you should see whatever you had pinned to your Start menu show up again

I noticed this when I had the Windows updates for 1709 and 1803; hope this helps someone out there.  Learning PowerShell commands is the way to go for doing server management for many repetitive tasks.  Knowing PowerShell commands also helps with user device troubleshooting.