Using PowerShell and Excel to compare Microsoft Hotfixes on Servers and Virtual Machines.

Hello All,

 

Two Types of Comparisons Devised

I have been working several Clustering and Hyper-V cases recently. I have come to a point where I notice the virtual machines rarely have the same level of Microsoft updates that the cluster node does. I finally had a few minutes to look at this issue, and I even made an Excel spreadsheet to compare updates to other machines.

Fortunately, when I got serious about making a spreadsheet script, I noticed there was some pretty good work already available. In fact, I found one that will likely serve to compare updates on all the nodes, all the VMs and more. I am sure I can do cross-checks using a host as the standard and a bunch of VMs as the comparisons.

So we are basically showing off two different ways of doing the same thing: the Gallery script vs. MyExcelHotfixCompare. These are different things for different reasons, but it's good to have them in the same place, because they both have their own purpose.

 

 

The first thing you want to have is a copy of the spreadsheet, MYexcelHotfixCompare, and a copy of the Gallery script.

 

Why Two Comparisons

So I made one up, and I found the other by accident! That is true. However, I discovered these both served different purposes.

The first method came from Stane Monsik. What this count does is aggregate the KBs for every server in the survey. So your final report answers the question: "When you updated Server Group X with KB Group Summation(A-Z), did you do that same thing to all the other servers?" This is what I started out to have answered! If the answer to this is no, then I always tell my customer to finish his updates right away.

However, another question I was often asking was not being answered by this script. The question was: when we know that there are X update packages for Technology Y, how many of those updates did you apply to your server? Then question #2: for X and Y, did you apply these updates to just the server which had problems? The answer to this question should be that you updated all the servers which contained Technology Y with every update package X. I found this question was often met with guesstimates more than actual proof; this was an easy question to get a good guess on. It's also an easy question to just accept the guess and move on. In today's complex world, that is no longer acceptable. So I set out to easily answer this kind of question.

 

Method 1 Script

This script will take "a list of machines" and show you what updates the entire list has and does not have. Every KB gets added to the list, no matter what server it was found on.

The script, located at Gallery.Tech.net.Microsoft.Com, goes to every server and pulls the list of hotfixes. Then it goes through the hotfix list and checks every computer to see if the hotfix has been applied to that computer.

To make GetHotfixCompare_Gallery work, all you have to do is open the .PS1 file with Notepad and add your list of computer names. You can add as many computers as you like, but realize it takes longer and longer to complete. The text you are editing looks like this in the file (see Figure 1):

# ------------------------------------------------------------

$computers = "ComputerName1", "ComputerName2", "ComputerName3", "ComputerName4", "ComputerName5"

# ------------------------------------------------------------

The result is a very nice HTML report:

Figure 1.

Once you populate the script with the names of your computers, you run the PS1 file by right-clicking the file and choosing Run with PowerShell. The script runs (longer the more computers you select), then generates an HTML file of your KBs. There is an orderly chart of stars telling you which KBs have stars for each machine and which do not.

 

All in all, a very good method. But in order for me to answer the technology-related questions, I needed to use something different.

 

Method 2 Spread Sheet comparison (MY_excel_GetHotfixCompare)

From the Excel Help article called "Compare two lists and highlight matches and differences", I use Example 4 of that section. Example 4 runs a comparison of column one (the update list of a server, from Get-HotFix) against column two (the list of updates for the specific technology). The comparison colorizes the two list columns to highlight where the updates match or are unique.

MY_ExcelGetHotfixCompare is the name of the spreadsheet; you just need to right-click and choose Save As to save the file as an XLSX file.

This method will always work, as long as you can find a list of key updates that Microsoft says are relevant. The list below is not complete; these are just the areas where I work most often. Below are some example technology patch lists that will power column two of your spreadsheets.

Server 2012 and Exchange make you dig a little bit to get the actual KB list, but you get the idea. The point is to get the list of "important hotfixes" and be able to use them to "audit" your current situation. So let's get to the formulas and make a spreadsheet!

 

Get Hot-fix Compare Spread Sheet

The Compare column colorizes numbers in column A that are also in column B, and vice versa. There is only one caveat to this method: if a KB shows up twice in the same column, the cell becomes colored, denoting that the patch has a match. But this is an impossibility with the Get-HotFix command. As long as you are pasting in Get-HotFix results from only one machine per column, you will get a valid result. So the limitation of this, or any tool reviewing hotfixes: don't try to do two machines in one spreadsheet.

Steps to create:

  1. Open Excel and put your values from Get-HotFix (just the KB) into column 1.
  2. Copy the hotfix numbers for the relevant Microsoft KBs, from articles like those above, into column 2.
  3. With Excel on the Home tab, choose "Conditional Formatting" and then Manage Rules. You will see a pop-up window, New Formatting Rule (figure below).
  4. Choose New Rule and "Format only unique or duplicate values".
  5. There is a little drop-down that says Duplicate or Unique. You will make that choice here.
  6. Then you see where it says "No Format Set"? (above) This is where you choose your color.
  7. Hit the Format button, then choose the Fill tab.
  8. On the Fill tab (below), choose your color and hit OK.
  9. Then choose OK (below).
  10. Now comes the important part. You simply highlight all values in both columns, and there is a wizard that will form the formula for you based on how many rows each column has in it. I am showing the screenshot below after I clicked into the "Applies to" field and held down the left mouse button while I selected both columns and went down enough rows to cover all values in both columns. I also found that if you pre-select both columns before clicking Conditional Formatting, then these values will be there automatically.
  11. The only thing you can't see in the picture above is the dashed line that is now hovering over both columns. Once I hit OK or Apply, it all goes away and my formula is:

=$A$3:$B$13

Pre-Select your columns before you start with Conditional formatting

Now I found out some weirdness about the formula. If you have to go back and change the length of the column, you have to make the formula a little differently. You click into the "Applies to" field and highlight column one, then you type a comma, and then you highlight column two. So the formula looks like this:

=$A$3:$A$13,$B$3:$B$13

The more general solution is coming up below:

=$A:$A,$B:$B

I like the second formula better, because you can see the start and finish of each column. But the more general one covers all KBs in both columns. Can't beat that. I am editing this sentence after the fact, and I found that if you select the columns by highlighting the columns entirely, you don't have to deal with touching any formula aspect at all.

Here is the download again for My Excel HotfixCompare. You can also watch the video at the top and make your own spreadsheet.

Believe it or not, that is it! When you hit OK, your values immediately calculate out:


The next issue I tried to solve was the length of the column. It looks to me that this is the master formula, no matter how many KBs you have (=$A:$A,$B:$B). This is for columns A and B.

I do believe you could replace these values with columns A and C, or B and E, or whatever. This can help you move columns for your ease of use, and your list can be as long or short as you want.

So use this in your Duplicate Values formula:

=$A:$A,$B:$B

Again, I am coming back after the fact, and just saying to highlight the columns you want to use before you start, and you don't have to deal with the formulas at all. I have a second Excel method for comparing up to 6 servers, but I will let you just download the Excel file and see how it works!!! Watch the video; I performed that in about 1 minute in the video.

 

How do I get my Hot-fix list = Get-Hotfix

So this is all we have left to cover. Below are the steps I use to get the list of KB numbers isolated from the rest of the information you find when you run the Get-HotFix command.

1. Open PowerShell as Administrator
2. Run Get-Hotfix > c:\myhotfix.txt
3. Open Notepad++ and open myhotfix.txt
4. Hold the Control and Alt keys on your keyboard at the same time
5. While holding the keys from step 4, use the mouse to select just the KB column
6. Once the KBs are highlighted, right-click and choose Copy.
7. Paste your KBs into Notepad for transport to your workstation.
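
The Method 2 comparison and the KB-isolation steps above can also be scripted. This is an added example, not part of the Gallery script or the spreadsheet; the function names, the host name NODE1 and every KB number are constructed for illustration. It also reports a KB repeated inside one list, which is the case the Excel duplicate rule would colour as a false match.

```powershell
# Added example. All KB numbers and the host name NODE1 are constructed.

function ConvertTo-KbId {
    # Pull every KB token out of free text (Get-HotFix table rows, article
    # text, bare IDs) and normalise it to the form "KB1234567".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, '(?i)\bKB\s?(\d{6,7})\b')) {
            'KB' + $m.Groups[1].Value
        }
    }
}

function Compare-HotfixList {
    param(
        [string[]]$Installed,  # "column A": Get-HotFix output from ONE machine
        [string[]]$Required    # "column B": KB list for the technology
    )
    $colA = @(ConvertTo-KbId $Installed)
    $colB = @(ConvertTo-KbId $Required)

    # A KB repeated inside one column would be coloured as a "match" by the
    # Excel duplicate rule, so surface repeats instead of trusting them.
    $repeated = @($colA | Group-Object | Where-Object { $_.Count -gt 1 } |
                  ForEach-Object { "installed list: $($_.Name)" }) +
                @($colB | Group-Object | Where-Object { $_.Count -gt 1 } |
                  ForEach-Object { "required list: $($_.Name)" })

    $setA = @($colA | Sort-Object -Unique)
    $setB = @($colB | Sort-Object -Unique)

    [pscustomobject]@{
        Matched  = @($setB | Where-Object { $setA -contains $_ })
        Missing  = @($setB | Where-Object { $setA -notcontains $_ })  # required, not installed
        Extra    = @($setA | Where-Object { $setB -notcontains $_ })  # installed, not on the list
        Repeated = $repeated
    }
}

# Constructed sample: text as saved by "Get-Hotfix > c:\myhotfix.txt".
$installedSample = @'
Source  Description      HotFixID   InstalledBy          InstalledOn
------  -----------      --------   -----------          -----------
NODE1   Update           KB1000001  NT AUTHORITY\SYSTEM  1/10/2017 12:00:00 AM
NODE1   Security Update  KB1000002  NT AUTHORITY\SYSTEM  1/10/2017 12:00:00 AM
NODE1   Hotfix           KB1000004  NT AUTHORITY\SYSTEM  2/14/2017 12:00:00 AM
'@ -split "`r?`n"

# Constructed "technology" list, pasted with inconsistent case and spacing
# and with one KB entered twice.
$requiredSample = 'KB1000001', 'kb1000003', 'KB 1000004', 'KB1000004'

$result = Compare-HotfixList -Installed $installedSample -Required $requiredSample
$result | Format-List

# Live use (assumes remote WMI access to the named host):
#   Compare-HotfixList -Installed (Get-HotFix -ComputerName NODE1).HotFixID -Required $requiredSample
```

The Missing property is the audit answer: required KBs that the machine does not have.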

That’s It! I hope you have enjoyed this article. In closing I have the original link for the script in the initial discussion. I also have a method to update your Hyper-V Cluster automatically with a script. That can be pretty handy.

 


Jetstress – Too Many IOPS? Andrew Higginbotham

Hello all,

This is a shout-out to my friend Andrew Higginbotham. This man is a multi-MVP and MCM in Exchange Server. He penned an article about Jetstress, which is very useful.

The issue is Page Fault Stalls/sec and the subject is SSD solid-state drives.

I admit to not spending my time in Jetstress, as I don't work on design elements as much as I do Skype. Andrew has come to my rescue on a few design issues and Jetstress on more than one occasion.

It turns out you should read this if you are using SSD flash drives and Jetstress: Here

This quick reference in my blog is to support Andrew's blog and recommend you read everything he writes. He is truly one of the best Exchange persons around the US neighborhood.

Andrew, thanks for your time on this case. I hate not being the expert, but I am proud to work on a team with such strengths. I am just glad to be part of a team of individuals whose strengths complement each other.

https://exchangemaster.wordpress.com/2017/07/12/jetstress-too-many-iops/

 

Louis

Some tips on fixing Warning – Reverse DNS does not match the SMTP Banner

 

 

I have a pretty common error that I get asked about pretty frequently. I wanted to take a moment to hopefully share some information on what the error is, what to focus on, and what tools you need to fix and monitor.

First of all, please understand this paper covers the simplest of scenarios. Multiple sites, smart hosts, bridgeheads and multiple accepted domains will quickly muddy the waters, but for a basic Exchange Server, this article applies directly.

 

The Error

Exchange Server 2013 SMTP banner does not match reverse lookup. or

Warning – Reverse DNS does not match the SMTP Banner

 

Disclaimer

First, be aware that there is a lot of misinformation out there. Stop, read and understand before you decide which articles are telling you the truth. This error is likely to pop up in a few situations. I wanted to take a minute to clarify this message and what is needed to clear it up.

First, you must understand that this error is directional and relative to a point in mail flow. So you really have to nail down your situation before you set out to solve the problem; otherwise you risk getting yourself more confused. Speaking of that, let me try to explain in a simple way.

First, let me say the SMTP banner is more generally a problem for outbound mail. You may still get an error for inbound connectors, but mail will not usually fail. Internal mail uses the internal banner (host) and DNS, and external mail uses the external banner and DNS. An error generally comes about where mail is received across the public internet and a reference is made to an internal FQDN in the SMTP header.

Inbound Banner

So if you think you have an inbound banner issue, just go into your inbound mail connector and then try to save it without making changes. If there is a problem, you should get a pop-up message similar to Figure A.

Figure A. Inbound Banner issues are identifiable

Exchange will promptly give you an error when your inbound connector has a banner issue. Why, you ask? Because the banner is checked by Exchange against the security settings. Think of it like a security guard. They always check you coming in, but once you have cleared security, it is not as difficult to leave.

So I won't go into the explanation of inbound banners, except to say that by the time your mail hits this server, the lookup is internal, so the banner should always be internal. In addition, you have a server with a certificate matching this FQDN, so it should make sense that these should all be the same name. Do what the error says and set the banner to the internal FQDN.

Outbound Banner

Outbound is really the same sort of thing for any outbound internal connectors: internal connector, internal FQDN. The change comes when you have an outbound Internet connector. This connector will supply the banner for reverse lookups by external recipients. That is, unless you have a third-party device doing store and forward for you, in which case you should be able to set the SMTP banner there as well. Assuming you don't use a smart host, your Send connector header would look like this:

 

Figure B. Send Connector Scoping Tab.

 

This should make sense. You see this is the external facing send connector. Once mail leaves this connector, the mail will be called External Mail. From this point mail will have to rely on MX, DNS or a Smart host to propagate.

So, what do you think gets queried for the reverse lookup? The mail server at the destination is going to query the public records it finds against the header and other information it has received when it looks your mail domain up. The checks done include the reverse lookup, public MX record, A record, TXT record and SPF record. So all you need to do is make sure these records contain the correct public IP address for your Exchange server and the correct resolution of the banner to an IP address, and verify the other records contain the same name and/or IP addresses.

A light conversation

So now we get to brass tacks. I want to focus you on the main things you would need to set correctly. These are:

  1. Public MX record: Domain.com resolves to target mail.domain.com at the PUBLIC IP address
  2. An "A record" that is the value of the banner, "Mail.domain.com"
  3. An "A record" for values for your setup, like "auto-discover.domain.com"
  4. TXT or (PTR) record for your reverse lookup DNS record. One domain should be assigned to one PTR record; this is what should match the "send" banner
  5. SPF record: a special record with a special format for domain verification by anti-spam. An SPF record tool will help generate your record

Tools you can use to make sure your records are correct:

  1. Install Dig on your Windows client machine: Dig -x Public IP (will find your PTR record)
  2. Dig domain.com will give you your "A" record.
  3. Dig mail.domain.com txt will show your SPF record.
  4. Dig mx domain.com to query the MX record, or Dig @nameserver.domain.com yourdomain.com

So with this Dig tool, you can check and cross-check. If you have an IP address in this mix that you are not aware of, or are not using, then you will need to fix this.

I am not going into too much detail here, but if you have all these records in place, and make sure they point to the public IP address which sends the Exchange server its mail, then you should be happy. Use the web site IPCHICKEN.COM on your Exchange Server. It will tell you your public IP, normally used for setting public DNS records. For non-smart-host or bridgehead customers, the value from IPCHICKEN should be your public IP value for these records.
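
The cross-check described above, as an added example that is not from the original post: it takes the greeting line a connector presents, the PTR answer for the public IP and the public A records, and reports where they disagree. The function names, example.com, contoso.local and the 203.0.113.25 address are constructed; DNS answers are passed in as parameters so the sample runs offline.

```powershell
# Added example. Names and addresses are constructed (example.com,
# contoso.local, documentation range 203.0.113.0/24).

function Get-BannerFqdn {
    # SMTP greeting: "220 <fqdn> <text>"; multi-line greetings use "220-".
    param([string]$BannerLine)
    if ($BannerLine -match '^220[ -](\S+)') {
        return $Matches[1].TrimEnd('.').ToLowerInvariant()
    }
    return $null
}

function Test-SmtpBannerDns {
    param(
        [string]$BannerLine,          # first line the sending host presents
        [string]$PublicIp,            # address the outbound mail leaves from
        [string[]]$PtrNames = @(),    # answer(s) to the reverse lookup of $PublicIp
        [hashtable]$ARecords = @{}    # FQDN -> IPv4 address(es) from public DNS
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $banner = Get-BannerFqdn $BannerLine
    $ptr = @($PtrNames | Where-Object { $_ } |
             ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })

    if (-not $banner) {
        $findings.Add('Banner line is not a 220 greeting')
    } else {
        if ($ptr.Count -eq 0) {
            $findings.Add("No PTR record returned for $PublicIp")
        } elseif ($ptr -notcontains $banner) {
            $findings.Add("Banner '$banner' does not match PTR '$($ptr -join ', ')'")
        }
        # Forward-confirm: the banner name must resolve back to the public IP.
        $bannerIps = @($ARecords[$banner] | Where-Object { $_ })
        if ($bannerIps.Count -eq 0) {
            $findings.Add("No public A record for banner '$banner'")
        } elseif ($bannerIps -notcontains $PublicIp) {
            $findings.Add("A record for '$banner' is $($bannerIps -join ', '), not $PublicIp")
        }
    }
    [pscustomobject]@{
        Banner   = $banner
        Ptr      = $ptr
        Ok       = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed public DNS data.
$dns = @{ 'mail.example.com' = @('203.0.113.25') }

# Case 1: the send connector still announces the internal FQDN.
$bad = Test-SmtpBannerDns -BannerLine '220 EXCH01.contoso.local Microsoft ESMTP MAIL Service ready' `
    -PublicIp '203.0.113.25' -PtrNames 'mail.example.com.' -ARecords $dns

# Case 2: connector FQDN set to the public name that PTR and A agree on.
$good = Test-SmtpBannerDns -BannerLine '220 mail.example.com Microsoft ESMTP MAIL Service ready' `
    -PublicIp '203.0.113.25' -PtrNames 'mail.example.com.' -ARecords $dns

$bad, $good | Format-List

# Live values (DnsClient module, Windows 8 / Server 2012 and later):
#   (Resolve-DnsName -Name 203.0.113.25 -Type PTR).NameHost
#   (Resolve-DnsName -Name mail.example.com -Type A).IPAddress
```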

In Closing

You have the public information you need to set the records above. Set them correctly. Second, go to Exchange Server and set the FQDN correctly, and you should no longer have the SMTP banner failing to match the reverse lookup:

  • Send Connector: Mail Flow -> Send Connector -> Scoping -> FQDN
  • Receive Connector: Mail Flow -> Send Connector -> Scoping -> FQDN

Make sure each FQDN matches its function. The internal connector uses the internal FQDN. The Send connector uses the public FQDN. Then make the records match the correct public values and this issue will be resolved.

In closing, here are some tools you can use to troubleshoot:

Exchange Connectivity.

Dig Bind Tool

MX Tool Box

I hope this is helpful and explains what you are seeing, and how you can fix your SMTP banner issue.

Thank you,

 

Louis

 

 

 

Move-CsUser Fails from command line when Migrating User to New Pool. It succeeds from Graphical Interface

 

Hello All,

I am hoping to make some videos about SFB, but I am still low on time. In the meantime, I hope these articles are helpful to some. My friend called me with an interesting problem. His Move-CsUser command failed from the command line. The GUI move succeeded. I provide below a few things to check and set to repair the issue.

Figure 1. Roman Numerals of Lync Issues

 

There are a couple reasons for the failure you are having. I will list below, along with the most plausible solutions:

I. The difference between the command line and the GUI is permissions-related. When you open the command line, you need to be a member of the following groups:

  • 1. RTCUniversalUserAdmins (not CSUserAdministrators)
  • 2. CsAdministrator
  • 3. I know you think you have proper permissions, but please check. This is often gotten wrong.
      • a. You will check and see you have two permissions: CSAdministrator and RTCUniversalServerAdmins
      • b. You also need to add to that: you need to be a member of CsAdministrator and RTCUniversalUserAdmins

II. The other side of this issue is the user. The user may have been one of many users who had their default user created without inheritable permissions. The Lync move command will fail!! Fix it before running the move command!

Move command fails due to user permissions

III. Is the user a legacy OCS user? Your error contains the text OCSADUser. Without the full text of the error, there is some guesswork here, but perhaps try this out:

Lync fails to move between pools

    • a. Port 135 is blocked between pools. (Not sure how the GUI gets around that.)
    • b. Run Get-CsManagementStoreReplicationStatus on all servers. Correct failures.
    • c. Check any SBAs; they need the right ports, etc.
    • d. Did you try -Force yet? Try it out. If it succeeds, then we likely have a data issue.
    • e. Run Get-CsPoolFabricState and Get-CsBackupServiceStatus. If either fails, then we know this needs to be fixed first.
    • f. Move-CsLegacyUser -Identity "sip:kate@domain.net" -Target "lync-se.domain.net"

IV. Are the users potentially legacy OCS users? They could be. Try Move-CsLegacyUser.

V. Whether legacy or not, the database may have a problem. Try checking the database as described below:

  • a. The error in this link may not match, but it contains how to check for database corruption with DBANALYZE
  • b. If the user database is not right and you can't repair it, then you may have to homogenize the data by completing the CMS move or moving the CMS to another machine.
  • c. Or you may want to export and import the user data after running a -Force on the move command; see Roman numeral VIII below

VI. User or pool Attributes are wrong or corrupt, or not changeable in AD. Note the following attributes. You can even change manually if you know the values for the desired state. For the Pool:

  • a. msRTCSIP-PoolDomainFQDN
  • b. msRTCSIP-PoolDisplayName
  • c. msRTCSIP-BackEndServer

For the User:

  • a. msRTCSIP-UserRoutingGroupId
  • b. msRTCSIP-UserEnabled
  • c. msRTCSIP-PrimaryHomeServer

VII. The Lync Server Move-CsUser and Move-CsLegacyUser commands fail with an error like "SetMoveResourceData failed because the user is not provisioned."

VIII. This is a perfect little process if Force works. So the commands are restated below. Thanks FlinchBot:

  • a. Export-CsUserData -UserFilter "user@flinchbot.com" -PoolFqdn pool.flinchbot.com -FileName "e:\tempuser.zip"
  • b. Move-CsUser "user@flinchbot.com" -Target pool.flinchbot.com -Force
  • c. Update-CsUserData -UserFilter "user@flinchbot.com" -FileName "e:\tempuser.zip" -Verbose

IX. If you move back in version, it will automatically fail without a force. Here is a long-time disclaimer:

"WARNING: Moving a user from the current version to an earlier version (or to a service version) can cause data loss"

X. I just had to get to 10. Now I know my Roman numerals. OK, I am leaving you with a more complex example, which includes two of my fixes from above in combination. I think I have captured a good number of the reasons why Move-CsUser may fail.

Bonus #11 – Issue with Move command and AD Connect

 

I hope this has been fun and informative. This is a summary article about the many reasons you may not be able to run move-CsUser in the command line. I will leave you with a couple last articles which have to do with getting all the user objects that may be causing things to fail. You can manually parse the list to see if there are any that show up with a problem.

 

 

Louis

Testing Skype for Business with Test Cmdlets Script


Happy Holidays to Everyone, I am trying to put together a little Skype Training class for some New Lync Students. I have found that some of my Scripts had gotten moldy and didn’t work anymore. The Test Skype Script is an important one for a new person to have, So they have some automated tools, […]

Collecting Sip Stack from Exchange Unified Messaging Server

 


Hello everyone. Welcome to more things Exchange and Lync or Skype. That sounds like a good title for an article. Maybe some day. For today, I would like to just make a call-out for a logging process I have used many times in complex Unified Communications call issues, normally involving Lync.

I spent a lot of time trying to use the event logs of UM to find the problem. The fact is the SIP communication is not happening in Exchange, as many of you know. So then what?

What is UCMA? UCMA takes care of the processing of the SIP stack. Therefore, it would make sense that a Skype engineer would be more interested in seeing the output from its logs.

Maybe I could have read about IIS to find this out, or maybe I just don't deal with it enough. So I relied on my friends in the Netherlands to help with the syntax. Please see their original article here.

The bottom line is you need to know what is happening in UCMA. Check out this TechNet video. It may give you a start on the path you are about to go down:

Things to know: UCMA uses UCWA. UCMA is only for voice. UCMA takes the SIP messages and turns them into C sharp. This is as close to the SIP message as I have seen. Logs can be viewed in Skype with Snooper.

Now that you have watched the video, please keep this information handy to begin to log UCMA for SIP messaging. Did you know the following all rely on UCWA and UCMA? Wow!

  • Mobile App
  • Web Client
  • Outlook Web App
  • Exchange UM
  • REST API

Here are the steps to get your logs.

  • 1. Open a command window
  • 2. Go to: cd C:\Program Files\Microsoft UCMA 4.0\Core Runtime\Tracing
  • 3. Type: OCSTracer.exe Start /Component:Collaboration,TL_noise,tf_component,tf_diag,tf_protocol,tf_connection /Component:S4,TL_VERBOSE,tf_component,tf_protocol /LogFileMode:NewFile,20
  • 4. Reproduce the problem
  • 5. Type: OCSTracer.exe Stop /Component:Collaboration /Component:S4 /OutputFile:traces.txt /View

 

I hope this is a helpful read and I hope you fix your Voice issues on UM or Lync or Skype, or Exchange or UCWA or UCMA or wherever they may reside!

 

Louis

How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! It's called Multi-Perf!

 


Figure 1. Perfmon

Hello Everyone,

Well, Multi-Perf sounds like it will do a lot! I don't want to mislead anyone, so I will say up front: yes, it will troubleshoot all those products, one at a time. It is an industry standard that you only work on one problem at a time. Therefore, this tool will collect performance information related to one of the topics of concern. Once the log is collected, you can then review it for specific problems related to your installation.

Figure 2. Set-ExecutionPolicy

The benefit of this tool is that I have been fortunate enough to partner with one of my best friends, Tommy Paulk. He is a Master Engineer for Exchange Server. My title is Skype Architect. See where I am going with this? Tommy created the Exchange counter set. I created the Skype counter set. Each counter set has been created by a professional in their field of study. The bottom line is you get a script that gives you choices on what set of performance information you need.

So Multi-Perf is run simply as "Multi-Perf counter", where the counters are Basic, Active, SQL, EXCH and Skype.

Figure 3. Multi-Perf and Readme

Let's go ahead and get started on explaining what you get for your money here. See Figure 1 at the top of this read? That is the result of any counter set: a sort of mix-up of settings that you have to get into, dance with, and somehow survive victoriously. The particulars are beyond the scope of this article, but begin here. No, I take that back; I always make the first link one I would never read myself. OK, read this one: Windows Perfmon. It's pretty good.

Now that you're up to speed, let's get you some instructions! Figure 2 is Set-ExecutionPolicy. You should open PowerShell as admin and run this command: Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Next you just have to know the syntax of the command:

.\Multi-Perf.ps1 testname -computer mycomputer -instance myinstance

Notice the red lines in Figure 4? They represent the 3 data points you are responsible for.

Figure 4. Multi-Perf Syntax

If you are not using SQL, then you only have 2 items to put in! If you are running on the local computer, you only have to put the test name in! If you forget the test name, you automatically get the Basic counter pack.

So this means this tool will work regardless of input. You won't get the detail you want, but you get a basic counter log at a minimum. Let me now give you some examples of running syntax.

Figure 5. Run Active test on computer 2

See above; you use the form: .\Program testname -computer computername

If you forget the computer name, it will automatically select the local computer:

Figure 6. Run as Program .\Multi-Perf.ps1 only

In this case you will have no difference in result, because you are giving the most important test variable, the test type.

Figure 7. With SQL: if you forget to specify the instance, you will get another chance to put it in.

If you put the instance in, then that is fine. But if you did not, there is no penalty. This makes the log tool infallible and easy to use.

As the last example, I will take you over the case where a person starts the SQL trace and does not input the instance:

Figure A. No instance specified.

Instead of failing, the script looks up the SQL instances and presents them to the customer. It also says the user must type the instance name themselves, so there is no accident.

Figure B

Once the user types in the instance in Figure B, we move to Figure C, where we just ask how many seconds between snapshots. 1-60 is best.

Figure C

Finally, with Figure D, we are just asking for an Enter to go ahead and create the counter object. Upon hitting Enter, you get the confirmation that the perfmon counter is started.

Figure D

Finally, with Figure E, you see the performance counter is started. As long as that is the end result, the intervening steps were all successful. You can see the fruits of your labor in Figure F, which is the running Performance Monitor!!

Figure E

Figure F is Start -> Run -> Perfmon

Figure F. Perfmon running. Always called Perf.

The counter that is created is always called Perf. It will always delete the old one before another one is created. If you want to keep the old one, just rename it.

 

Ok if you made it this far, you must want your copy. Please have it and go in Peace!

Download Me Here

 

L

 

 
