Some steps you can try if you encounter issues:

• Delete all VM snapshots and check if they are fully merged (so that no .avhd file exists)
• Check free disk space on all affected drives
• Check if the VM has set any special CPU settings
• Turn off the VM before moving (seems to help especially when moving from Windows Server 2019 to 2022)
• Do not write destination server name manually (use the dialog/assistant instead)

To get the shutdown feature running, you need to prepare some simple steps on the Windows client.

Issues

Trying the first time you might encounter one of these error messages:

Could not initialise pipe winreg. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND

WERR_CALL_NOT_IMPLEMENTED

Solution

• Create a separate local Windows user which is used only for this purpose (shutting down the machine), like “remoteShutdown” with the same password (not your usual one, as this might be stored on the calling system).
• (Optional) Assign user to the local Administrators group
• Run “secpol.msc” and assign the user to the object which allows Remote Shutdown
  • Note that even if the user Administrator is already listed there, it might not work with it. This is why we created the new user.
• Configure Windows Firewall to allow Remote Shutdown and WMI, you find both properties in “Allowed apps”.
• Make sure “Remote Registry” service is enabled (automatic) and running.

[:]

Scenario

USB server devices, e.g. used for virtual appliances, can be error-prone when it comes to auto-reconnect USB client devices on startup. In addition, if you have to redirect USB license dongles to some virtual server, some devices might get “lost” from time to time for whatever reason.

Solution / Help

Using the following PowerShell script you can add some checks to your NSClient / Nagios or similar monitoring.

#2021-08 www.dxsdata.com
#Checking existence of certain USB devices
#To get the IDs, execute this script with -Debug option, or execute below Get-... command

param(
[switch] $Debug
)

#adjust to your needs
$neededUsbDevices = @(
    [pscustomobject]@{NameFriendly='Dongle1';Id='USB\HASP\2&1234'}
    [pscustomobject]@{NameFriendly='Dongle2'; Id='USB\HASP\2&2345'}
    [pscustomobject]@{NameFriendly='Dongle3'; Id='USB\VID_0529&PID_0001\1&3456'}
    [pscustomobject]@{NameFriendly='Dongle4'; Id='USB\VID_0529&PID_0001\1&4567'}
)


#$existingUsbDevices = Get-WmiObject Win32_USBControllerDevice | ForEach-Object { [wmi]$_.dependent } | select-Object description,deviceid
$existingUsbDevices = Get-PnpDevice -PresentOnly -Class "USB" | Select-Object FriendlyName,DeviceID

if ($Debug) 
{
    "Debug output enabled. "
    "These devices will be checked: "
    $neededUsbDevices | fl
    "These devices are connected: "
    $existingUsbDevices
    ""
    ""
    "Comparing:"
}

$err = $False;

$output = "";
foreach($device in $neededUsbDevices)
{
    $result = $existingUsbDevices.Where({$_.DeviceID -eq $device.Id})
    $exists = $result.Count -gt 0
    $existsFriendly = If ($exists) {"OK"} Else {"MISSING"}
    $output += $device.NameFriendly + " " + $existsFriendly + ". " #cosmetics for nagios

    if (!$exists) { $err = $True; }
}
$output

$exitcode = if ($err) { 1 } Else { 0 }

if ($Debug) { "Exit code (Nagios Warning = 1, OK = 0) -> " + $exitcode }

exit($exitcode);

Save it into your NSClient’s scripts folder.

Modify nsclient.ini:

; Below [/settings/external scripts/scripts]
check_usb = cmd /c echo scripts\check_usb.ps1; exit($lastexitcode) | powershell.exe -command -

I assume you have several options already enabled, like CheckExternalScripts = 1, allow arguments etc.

Don’t forget to restart your NSClient service.

You might also want to check the result on your Nagios server like:

./check_nrpe -H myserver -c check_usb

References

https://docs.microsoft.com/en-us/powershell/module/pnpdevice/get-pnpdevice?view=windowsserver2019-ps

https://docs.nsclient.org/howto/external_scripts/[:]

Scenario

Local printers are deployed via central GPP to your domain’s workstations.

Some printers should not be used by certain users, but users should be able to switch workstations quickly,

Solution

Open Windows Print Management on a local workstation where the certain printer is installed.

Modify the permissions according to your needs.

The both special permissions should stay there. E.g. only delete the “everyone” permission and replace it with a stricter one.

Open RegEdit with administrative permissions and open this key item:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<PRINTER NAME>\Security

The “security” item contains binary information about the printer’s permission.

You can either export it via RegEdit into a .reg file which you can distribute manually, or you import it into your central GPO, e.g. via the registry item assistant to avoid issues with the binary data (the wizard allows to import the item from your remote station).

Reference[:]

Get it via GitHub.

[github-commits username=”DXSdata” repository=”explorerFilePreview” limit=”10″][:]

Because I use the R340 in a quiet office and did not get useful support regarding this topic, I decided to replace the fans which quieter ones.

My recommendation: Replace all 8 fans with model Noctua NF-A4x20 PWM.

Dell’s 6-Pin fan connector is a proprietary solution. You can either use modified breadboard wires to create an adaption, or you cut off the connector of the Noctua fans, and solder breadboard female connectors. Remove the plastics of the connectors and replace it with shrinking tubes, as you see on the photos below, otherwise it won’t fit into the mainboard’s connector.

I used a combination of breadboard wire connectors and direct soldering, because especially for the CPU fans you would experience space problems.

Dell 6-pin fan wire colors (for 2 fans each):

• Black: GND
  • 2 pins are black and as you see on the original fans, these 2 pins have also to be connected to each other. Otherwise, the fan won’t spin up.
• Red: +12V
• Blue: PWM signal from mainboard
• Yellow: PWM sensor signal from fan (one for each fan)

Noctua / default PWM pins:

• Black and Blue: Like above
• Yellow: +12V
• Green: PWM sensor signal from fan

So you have to connect black/black, red/yellow, blue/blue, yellow/green.

Use e.g. double-sided tape to fix the fans in the server chassis.

Finally, you can try again to use Dell’s recommended thermal profiles.

In my case however, the fans spin too high, so at the moment I use a manual setting of 32 % RPM which is about 1900 RPM with the Noctua model. The temperature outlet sensor stays at about 33 °C, and the fans are as silent as other 120mm fans spinning with ~500 RPM.

You may have to experiment with the default fan RPMs for your needs.

 [:]

However, in silent office environments, the fan noise can be annoying, especially the ones in 1U cases.

Even if you do not need the server’s full power all the time, the fans run way too fast in my opinion.

Possible Solutions

Replacing or even removing the OEM fan hardware is not recommended. The current fans, e.g. in an R430, must have 6 pins, so cannot be replaced by other fans in a simple way, and the server logs and dashboards would be full of critical errors. In many cases you would also lose warranty etc.

A safer way would be to optimize the fans via software.

The official recommended steps would be to connect to your iDRAC controller’s web interface and set a temperature profile which reduces the fan’s RPM.

Unfortunately, the minimum % RPM via web interface is limited to 11 % upwards, which might still be too high.

“Raw” solution

We want to set the fan RPM to 1 %, which can only be done via IPMI.

The setting is not saved permanently and has to be re-set after restarting iDRAC.

1. Download Dell OM BMC Utility (Windows) which contains IPMITool.
2. Extract it to e.g. c:\OpenManage, then run BMC setup from there. Note: You do not have to install it on your server, you can also use any server which is connected to your LAN (same LAN where your server’s LAN port and iDRAC port reside)
3. Open an Admin CMD window and change to ipmitool.exe folder, e.g. c:\program files (x86)\dell\sysmgmt.
4. First, activate manual fan control:

   1. ipmitool -I lanplus -H yourIdracIp -U root -P yourIdracPw raw 0x30 0x30 0x01 0x00

       

5. Then reduce the fan’s RPM value to e.g. 1 %:

   1. ipmitool -I lanplus -H yourIdracIp -U root -P yourIdracPw raw 0x30 0x30 0x02 0xff 0x01

      The last value is a hexadecimal value for the RPM in percent. E.g. if you use 0x0f, you will hear the fan noise increase.

If you encounter error messages:

• Make sure you have enabled IPMI remote management within your iDRAC config.
• Make sure you can ping your iDRAC IP.
• Check your iDRAC login credentials, especially special characters can be error-prone.

Note: Always check the temperature behavior after manually controlling the fans!

There are also some scripts available to simplify this.

Update: Added a simple PowerShell script which can be run via Task Scheduler to check temperature and fans:

$sensorName="Exhaust Temp"
$tempThreshold="34"
$ipmiExe = 'C:\Program Files (x86)\Dell\SysMgt\bmc\ipmitool.exe'
$ipmiParams = @("-Ilanplus", "-H10.1.2.34", "-UfanControl", "-PpwFanControl")

$ipmiGet = @("sdr", "type", "temperature")

$ipmiSet = @("raw", "0x30", "0x30")
$ipmiSetManual = @("0x01", "0x00")
$ipmiSetLow = @("0x02", "0xff", "0x26"); 
$ipmiSetHigh = @("0x02", "0xff", "0x64");
#https://www.hexadecimaldictionary.com/
#20% = 0x14
#30% = 0x1e
#32% = 0x20
#37% = 0x25
#100% = 0x64

"Checking server temperature..."

$val = & $ipmiExe $ipmiParams $ipmiGet
$val =  $val | Select-String $sensorName
$val = "" + $val #tostring
$val = $val.Split('|')[4]
$val = $val.Trim().Split(' ')[0]
"Current degrees: " + $val

& $ipmiExe $ipmiParams $ipmiSet $ipmiSetManual

if ($val -gt $tempThreshold)
{
    "too high -> increasing fan rpm";
    & $ipmiExe $ipmiParams $ipmiSet $ipmiSetHigh
}
else
{
    "OK -> using low fan rpm"
    & $ipmiExe $ipmiParams $ipmiSet $ipmiSetLow
}

To create a scheduled Windows task for the script, use “powershell” as command and e.g. “-f c:\fans.ps1” as argument, and run it every 5 – 15 minutes.

Other matters

In my case, one of the ~6 server fans (FAN1 port) indeed had to be replaced, it just made a more annoying noise than the other fans like CPU/RAM fans, even with same RPM. For testing, you can simply swap the identically constructed fans within the unit to see which one is faulty.

Replacement

In my case, the fans still were too loud, so I replaced them.[:]

Solution

Open regedit and delete

HKLM\SOFTWARE\Classes\FirefoxURL\shell\open\ddeexec\topic

(or delete the default value of this key).

Background

Some Firefox setup procedures seem to set this key for whatever reason. E.g. v61 does not set it, v55 does set it.

Even if you upgrade to a newer version, this key is not removed automatically! (But at least it is not re-set in newer versions)[:]

Depending on your Windows domain network structure, the AppData folder might have been configured to be redirected to a central server using group policies and the folder redirection feature (and/or server-sided user profiles). So because of the permanent r/w network access to those directories, every Node.js processing becomes very slow and buggy.

In addition, you might run into troubles if the user works with default (non-admin) permissions. Global packages have to be installed with admin rights by default, which leads to several issues because of the different user names, profile directories etc.

Workaround

My basic suggestions for a working Node.js system in a multi-user domain environment:

• Do not ever install NPM packages as admin user!
• Instead, create a separate nodejs folder where the global packages can be installed with user permissions
• Move and redirect all Node.js’ user folders to a local directory.

Steps

You might want to start uninstalling Node.js in general and also remove existing folders manually:

• %programfiles%\nodejs
• %programfiles(x86)%\nodejs
• %appdata%\npm
• %appdata%\npm-cache

Then install the current LTS version of Node.js using the .exe or .msi package.

For Node’s global files which should be able to be installed with user permissions, I use a separate folder f:\nodejs in this example. Of course, you can also place this folder e.g. on c:\nodejs.

Open CMD window with elevated permissions and enter:

npm config set prefix f:\nodejs --global
npm config set cache f:\nodejs\npm-cache --global

Then do the same in a CMD window with default permissions.

To be safe, add some folder redirections (NPM’s config is not always considered for unknown reason):

mklink /d "c:\program files\npm\etc" f:\nodejs\etc
mklink /d "%appdata%\npm-cache" f:\nodejs\npm-cache

Edit the user’s PATH environment variable to also match the new nodejs directory:

Re-check if the paths really changed to f:\nodejs:

npm config list

You can also check Node’s config files, like %appdata%\npm\etc\npmrc and %programfiles%\nodejs\etc

Then try to install a test package using “npm install”. If you add the “-g” parameter, it should be installed in f:\nodejs\node_modules; otherwise in your project’s folder as usual.

Optional: If you use Visual Studio, you might want to change the setting to use the Node.js version you installed separately, and not the one included in VS, as it could maybe use other versions and config files. Open VS settings -> Web Package Management -> External Web Tools. It could look like this (German):

 [:]

But especially in small organizations the port 443 has already been used, in most cases for the various tools of MS Exchange Server.

Changing to alternative ports for certain services globally often is de facto not realizable, so one solution can be a webserver’s reverse proxy feature which I will explain here.

This tutorial is tested with and should work with Ubuntu/Apache2 as public webserver, Windows 2016 Server for Exchange Server 2016 and Outlook 2016, using SSL certificates from Let’s Encrypt.

Preparation

Basically, our webserver will be our new public port 443 access point. It will handle all HTTPS web requests and will also forward data to Exchange if necessary.

So in the end, we need to have valid SSL certificates on the webserver and on the Exchange server. For Exchange, we copy the certificate from the webserver and import it (creating it “live” on Exchange is hardly possible in this case due to the webserver’s needed proxy settings).

Router / Firewall

In your router config, create a new NAT rule which allows you to quickly switch incoming port 443 forwarding from mailserver to webserver. Do not enable it at this point, we will need that later.

DNS

If you use external DNS providers with automatic HTTP(S) proxies to speed up your website like Cloudflare, you might want to disable it (at least the proxy features) for the time of the configuration process, as it can produces some unpredictable behaviour in combination with the browser cache, tests etc.

Webserver / WordPress

You might also want to temporarily disable plugins for first tests like WP Super Cache, Minify etc. to get immediate results of the changes.

New configurations

Webserver

First we install Let’s Encrypt’s Certbot . Make a snapshot or backup before, then run it without any parameters. It shows a user friendly wizard which assists you in converting your existing Apache Virtual Hosts to SSL enabled websites. If everything runs fine, you have your websites easily prepared for HTTPS and Apache is configured automatically.

Note for Cloudflare

If you are using web cache/proxy services, certbot/letsencrypt might end with TLS handshake errors.

Workaround:

certbot –preferred-challenges http

Reverse Proxy for Exchange

Create a new Apache configuration file for Exchange’s new reverse proxy:

<VirtualHost *:443>

ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@example.com

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early

SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=mail.example.com"

ProxyRequests Off
ProxyPreserveHost On

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

#longer connection timeout to prevent activesync errors
ProxyPass / https://exchange2016.example.local/ connectiontimeout=600
ProxyPassReverse / https://exchange2016.example.local/

<Directory /Microsoft-Server-ActiveSync>
#attachment/activesync bugfix
SSLRenegBufferSize 31457280
</Directory>

#charset e.g. for german special chars
AddDefaultCharset ISO-8859-1

DocumentRoot /var/www/html

<Directory />
    Order deny,allow
    Deny from all
</Directory>

<Directory /var/www/html>
    DirectoryIndex index.php index.html
    Options -Indexes +FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

<Proxy *>
        SetEnv proxy-nokeepalive 1
        SetEnv force-proxy-request-1.0 1
        Order deny,allow
        Allow from all
</Proxy>

  SSLEngine on

    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

We only need this reverse proxy on port 443, not 80.

Make sure you really use local server names (e.g. for ProxyPass) which are always resolved to the server’s local IP (not the firewall ot public IP)! If not sure, you can also use IP addresses, SSL certs are not checked at this point. Otherwise you might experience senseless loopbacks.

Enable the necessary Apache modules:

a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl

Enable the new virtual host (a2ensite exchange).

Re-run certbot, it should append lines to the file, e.g. “SSLCertificateFile”, keyfile, chainfile etc.

Run “service apache2 reload” and check for errors.

WordPress

Change your site’s URLs to https://www.example.com within the admin area.

Mailserver

In Exchange’s virtual directories, make sure you have basic authentification enabled (for OWA, EWS, …). Apache is not able to use NTLM mechanism, so we need this workaround. You can enable it either via Exchange Administrative Center -> Server -> Virtual Directories, or IIS, or Exchange Management Shell.

Firewall

Activate the new rule you created before, so port 443 is forwarded to your webserver instead of Exchange directly.

Tests

Use Microsoft’s Analyzer to test Exchange connectivity features you need, e.g. Autodiscover, ActiveSync (e.g. mobile phones), Exchange Web Services (EWS) etc.

Check your Apache logfiles for connection errors (500, timeouts, …).

Check if your websites are loading fine via HTTPS URL in every browser. Parts of your sites might still contain HTTP links to scripts or graphics; in this case change the link to the more generic “//” to avoid browser warnings.

Refreshing certificates

Webserver

Create a cronjob similar to this one:

0 0 1 * * /usr/bin/certbot renew --preferred-challenges http >> /var/log/letsencrypt-renew.log
#(HTTP option only for e.g. Cloudflare)

Because your Exchange Server also needs the certificate, but cannot request it itself any more, publish it on your webserver. Exchange will it download later for further processing.

#!/bin/bash

PW=mypw
SHARE=/var/www/html/other
CERTPATH=/etc/letsencrypt/live
MAINDOMAIN=example.com #the first domain name letsencrypt uses (main CN)

#conversion for exchange
openssl pkcs12 -export -in $CERTPATH/$MAINDOMAIN/cert.pem -inkey $CERTPATH/$MAINDOMAIN/privkey.pem -out  $SHARE/exch.p12 -password pass:$PW

Also create a cronjob for it, which runs a few minutes after certbot.

Mailserver

Create a PowerShell script which downloads the certificate from your webserver and imports it into Exchange Server:

$CertPath="c:\letsencrypt\exch.p12"
$ImportPassword="mypw"

Add-PSSnapin *exchange* -ea 0

wget http://www/other/exch.p12 -OutFile $CertPath

$ImportPassword = ConvertTo-SecureString $ImportPassword -AsPlainText -Force

Import-ExchangeCertificate -FileName $CertPath -FriendlyName "example.com" -Password $ImportPassword -PrivateKeyExportable:$true | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS" –force

Also create a scheduled task for it to make it run e.g. twice a week.

Finally, you should have all your websites accessible via HTTP and HTTPS, and Exchange Server including OWA, ActiveSync etc. should work besides.

References

https://serverfault.com/questions/113026/apache-2-2-disable-reverse-proxy-on-location

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_inklusive_Outlook_Anywhere_RPC_over_http

https://testconnectivity.microsoft.com

https://www.msxfaq.de/internet/apache.htm

https://stackoverflow.com/questions/14814419/how-do-i-make-urls-case-insensitive-in-linux-server

https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf[:]