Cursor is lagging on External 4K Monitor

I bought a new 4K monitor recently. It’s connected with HDMI to my laptop. The cursor is lagging when moving on the external 4K monitor. This is the second time that I noticed cursors moving slowly on an external 4K monitor.

The solution is on the internet. Change the screen refresh rate to match the primary screen’s. It’s 60 hertz in my case.

Screen refresh rate setting

I also noticed that the screen refresh rate can cause other issues, such as crashes in screenshot software, games, or other applications.

Failed to register Azure Migrate appliance

Azure provides a lot of pre-configured images for customers, but they do not always satisfy the needs. People may want to migrate on-premises virtual machines to Azure. There are several ways to migrate VMware virtual machines to Azure. The easiest way is to leverage Azure Migrate. This article explains how to fix the “failed to register Azure Migrate appliance” error.

There are two ways to deploy Azure Migrate appliance:

  1. Deploy the appliance by importing the OVA file.
  2. Install the application with scripts on an existing virtual machine.

There is an issue if you installed it with option 2 above. As a result, you may see the “failed to register Azure Migrate” error below.

An error occurred as the scenario type (VMware/Hyper/Physical) of the appliance ‘xxx’ – does not match the one in the Azure Migrate project key.

It looks like this is a bug in the installation scripts, so you have to run the installer with the following parameters:

./AzureMigrateInstaller.ps1 -Scenario VMware -Cloud Public

Password is incorrect when accessing admin$ or c$ on Windows

There are default shares for administration purposes on Windows. You can access them at \\computer name\admin$ or \\computer name\c$.

You may see the “password is incorrect” error when accessing the network shares, even if you entered the correct password for the machine.

The problem is that the Windows local group policy is using guest only mode for sharing, but the guest account is disabled on the target machine.

You need to run gpedit.msc to open Local Group Policy Editor and change the option “Sharing and security model for local accounts” to Classic.

The network access option in Windows Local Group Policy

Quick Notes: Windows lost network every 20 minutes

You may see a Windows machine lose network connectivity every 20 minutes, or lose the network while you are connected to it via Remote Desktop Protocol (RDP). I wrote an article discussing a virtual machine network connectivity loss problem on Emulex-powered ESXi hosts. You may want to check it out if you are running legacy ESXi and HPE hardware.

You may see the following error if you check the Application event log:

Source: Dot3Svc
Event ID: 15506
Description: Network authentication attempts have been temporarily suspended on this network adapter.

Or the following error:

Source: Dot3Svc
Event ID: 15514
Description: Wired 802.1X Authentication failed.

There is a Reason Code in the event logs above. The code could be 327685, 327682, or 327626.

The reason is that the Windows machine cannot authenticate on a network that requires authentication. The cause could be an expired certificate on the machine or on the server side, or a problem between them.

You can work around this issue by disabling the “Enable IEEE 802.1x authentication for this network” option on the Authentication tab of the network adapter Properties.

disable "Enable IEEE 802.1x authentication for this network" option

Please refer to the official Microsoft document “advanced troubleshooting 802 authentication” if you want to go deeper.

Quick Note: Modify PowerShell Execution Policy in Registry

I think maintaining a solid security policy is mandatory in an enterprise network. An information leak is not only a threat to IT but also impacts the firm’s profits and stock performance. Firms usually leverage Active Directory Group Policy to control security settings on Windows. The PowerShell execution policy is one that most company IT departments restrict.

IT Pros may need to do some testing in scripting. I have posted how to change PowerShell execution policy by PowerShell command.

The following steps remove the restriction. This is just for temporary use. You should revert it immediately after testing!!!

  1. Open Registry Editor.
regedit
  2. Go to HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.
  3. Change the ExecutionPolicy registry value to RemoteSigned.
  4. Open a new PowerShell prompt and run your script.

If you don’t want to change the registry, you can paste the script into Windows PowerShell ISE and run all of the lines. Please note that this option may throw errors if the script contains relative paths, because the temporary script runs from the directory of the Windows PowerShell ISE application.

How to run selection in Windows PowerShell ISE

Please refer to the Microsoft documentation if you want to learn more about the PowerShell execution policy.

How to Manage Windows Servers With Ansible on CentOS 8

Ansible is a popular automation tool for infrastructure configuration. It runs on Linux. CentOS is an ideal distribution to run Ansible for lab purposes. It is similar to Red Hat Linux but free. The latest major release is CentOS 8. It contains Python 3 by default, so the Ansible configuration is different from CentOS 7. I will focus on the configuration in the lab environment. The goal is to create a simple environment to manage Windows servers with Ansible.

Ansible Installation on CentOS 8

I used the CentOS 8 minimal installation. It has no extra software installed. The procedure below may be a bit different in your environment if you installed other roles on the OS.

Ansible is a standalone application that does not rely on databases. It mainly needs two files in a quick lab environment: a Playbook and a host file. You can install multiple Ansible servers. They can run independently to control the same group of Windows servers.

I would suggest you take a snapshot before moving forward if your Ansible will be running on a virtual machine.

  1. Enable Extra Packages for Enterprise Linux for yum.
yum install epel-release
  2. Install Ansible.
yum install ansible
  3. (Optional) Install pip for Python 3. This step is for Red Hat 8.
yum install python3-pip
  4. Install pywinrm. pywinrm is used to communicate with Windows servers via WinRM.
pip3 install pywinrm
  5. Install the dependencies pywinrm needs to use Kerberos to authenticate to Active Directory.
yum install gcc python3-devel krb5-devel krb5-libs krb5-workstation
pip3 install pywinrm[kerberos]

Ansible installation is completed. The procedure is elementary level but I spent some time figuring it out. Especially the Kerberos and pywinrm parts. 🙂

Please go to pywinrm GitHub if you want to dig into it.

Ansible Configuration on CentOS 8

Configure Ansible

As I mentioned in the previous section, there are two main files: Playbook and host. A Playbook is a file consisting of multiple tasks that will run on the target Windows servers. It’s not covered by this article. The host file stores variables and the target servers’ FQDNs or IP addresses. Ansible gets the target servers’ information from the host file when you run a playbook.

The host file location is /etc/ansible/hosts. There are two sections in the file for lab purposes.

  1. Server group. You can have multiple groups. Group name is in [ ]. You can give FQDN or IP addresses of the target Windows servers. I recommend using FQDNs if your targets are domain member servers. My example uses server win2019test1.zhengwu.org.
[windows]
win2019test1.zhengwu.org
  2. Variables of the target server group. Since this is for lab purposes, I’ll just list the required variables in the /etc/ansible/hosts file. For production, you need to use standalone variable files and avoid entering the password here. The following is a sample of the variable set for the windows group.
    • Variables are linked to a group by the variable name in the first line: [group name:vars].
    • The domain name should be uppercase in ansible_user. The reason is that krb5 requires the uppercase domain name in its configuration file, and the name here should match it. The domain name is not required if you use a local account.
    • ansible_winrm_server_cert_validation is optional. It is only useful when ansible_winrm_scheme is ‘https’.
    • ansible_port is ‘5985’ when ansible_winrm_scheme is ‘http’, or ‘5986’ when ansible_winrm_scheme is ‘https’.
    • ansible_winrm_transport is ‘kerberos’ in this example since the target Windows servers are domain members. It can be ‘ntlm’ if you want to authenticate with a local account. There are 5 authentication methods on Windows. Kerberos and NTLM are enabled by default. Please refer to Windows Remote Management for details.
[windows:vars]
ansible_user='administrator@ZHENGWU.ORG'
ansible_password='123321'
ansible_connection='winrm'
ansible_winrm_scheme='http'
ansible_port='5985'
ansible_winrm_transport='kerberos'
ansible_winrm_server_cert_validation='ignore'

Configure Kerberos

Apart from the Ansible configuration, we should configure Kerberos for domain authentication if the target Windows servers are joined to a domain. My lab servers are joined to the domain ‘zhengwu.org’. We installed the Kerberos components in the Ansible Installation on CentOS 8 section, so we just need to configure them. Edit the Kerberos configuration file: /etc/krb5.conf.

  1. Change the default domain name. Make sure to remove # to uncomment the line. The domain name should be uppercase.
default_realm = ZHENGWU.ORG
  2. Uncomment all lines in the realms section. Please note that the domain name should be uppercase. The parameters kdc and admin_server are the same for the lab environment. The following is an example:

[realms]
ZHENGWU.ORG = {
     kdc = DC.ZHENGWU.ORG
     admin_server = DC.ZHENGWU.ORG
 }

Please refer to MIT Kerberos Documentation for the explanation.

Now Kerberos is configured. We have configured domain credentials in the Ansible configuration file, specified Kerberos as the authentication method, and configured Kerberos for Active Directory. We just need to run the Windows ping module in Ansible to test the connection to the target Windows servers. You should complete the section Manage Windows servers with Ansible if the test fails.

ansible windows -m win_ping

You should see the following output if authentication is successful.

win2019test1.zhengwu.org | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
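
The rules stated in the two configuration sections above (avoid a password in the host file, port paired with scheme, certificate validation only meaningful for https, uppercase realm, uncommented default_realm and realms entries) can be checked before running win_ping. The following is an added example, not part of the original article or of Ansible; the function names and finding IDs are invented here, and the sample inputs are constructed copies of the lab files above.

```python
import configparser
import re

# Constructed samples that mirror the lab files shown in this article.
SAMPLE_INVENTORY = """\
[windows]
win2019test1.zhengwu.org
[windows:vars]
ansible_user='administrator@ZHENGWU.ORG'
ansible_password='123321'
ansible_connection='winrm'
ansible_winrm_scheme='http'
ansible_port='5985'
ansible_winrm_transport='kerberos'
ansible_winrm_server_cert_validation='ignore'
"""
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = ZHENGWU.ORG
[realms]
ZHENGWU.ORG = {
     kdc = DC.ZHENGWU.ORG
     admin_server = DC.ZHENGWU.ORG
 }
"""
WINRM_PORTS = {"http": "5985", "https": "5986"}  # pairing stated in the article

def load_group_vars(inventory_text, group):
    """Return the [group:vars] section of an INI inventory as a dict."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.read_string(inventory_text)
    section = f"{group}:vars"
    if not cp.has_section(section):
        return {}
    return {k: (v or "").strip().strip("'\"") for k, v in cp.items(section)}

def parse_krb5(krb5_text):
    """Return (default_realm, {realm: has_kdc}); commented lines are skipped."""
    m = re.search(r"^[ \t]*default_realm[ \t]*=[ \t]*(\S+)", krb5_text, re.M)
    blocks = re.findall(r"^[ \t]*([^\s#={]+)[ \t]*=[ \t]*\{([^}]*)\}", krb5_text, re.M)
    realms = {name: bool(re.search(r"^[ \t]*kdc[ \t]*=", body, re.M))
              for name, body in blocks}
    return (m.group(1) if m else None), realms

def audit(inventory_text, krb5_text, group="windows"):
    """Return finding IDs (names invented for this example) for one group."""
    v = load_group_vars(inventory_text, group)
    default_realm, realms = parse_krb5(krb5_text)
    findings = []
    if v.get("ansible_password"):
        findings.append("plaintext-password-in-inventory")
    scheme, port = v.get("ansible_winrm_scheme"), v.get("ansible_port")
    if port and scheme in WINRM_PORTS and port != WINRM_PORTS[scheme]:
        findings.append("port-does-not-match-scheme")
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-ignored" if scheme == "https"
                        else "cert-validation-setting-unused")
    if v.get("ansible_winrm_transport") == "kerberos":
        realm = v.get("ansible_user", "").partition("@")[2]
        if realm != realm.upper():
            findings.append("user-realm-not-uppercase")
        if default_realm is None:
            findings.append("krb5-default-realm-not-set")
        if not realms.get(realm.upper()):
            findings.append("krb5-no-kdc-for-user-realm")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, SAMPLE_KRB5))
```

Run against the lab files as written, it reports the password stored in the host file and the certificate validation setting that has no effect over http.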

Kerberos troubleshooting

You may see authentication problems when validating the target Windows server connection with the Ansible win_ping module. Here are simple steps for troubleshooting Kerberos authentication.

  1. Try to authenticate to the domain with a domain account on the Ansible server. It can be any domain account.
kinit administrator@ZHENGWU.ORG
  2. List the cached authentication data with klist. You should see something similar to the output below.
Ticket cache: KCM:0
Default principal: administrator@ZHENGWU.ORG
Valid starting       Expires              Service principal
06/26/2020 03:56:12  06/26/2020 13:56:12  krbtgt/ZHENGWU.ORG@ZHENGWU.ORG
        renew until 07/03/2020 03:56:09

Manage Windows servers with Ansible

The target Windows servers should be configured to accept WinRM connections. Ansible provides a PowerShell script to configure target Windows servers automatically. According to the Ansible documentation, the script should not be used in a production environment.

The configuration is super easy for production. Open a command prompt with administrator permission and then run the following command:

winrm quickconfig

Conclusion

Managing Windows servers with Ansible is not so hard as long as the authentication is configured correctly. Ansible is not the only tool for automation. I’m a super fan of PowerShell. I have posted some articles on automation that you may want to check. PowerShell and Ansible are both automation tools.

I think managing Windows servers with Ansible is like outsourcing PowerShell scripting work to communities. You give inputs to the tasks, then Ansible modules execute pre-defined PowerShell scripts and feed back the output. Ansible reduces the development time of Windows automation, but it still has some disadvantages. For example, you have to run multiple tasks to enable Remote Desktop on target Windows servers, which is just a single task in PowerShell DSC. So I think automation of infrastructure is a combination of tools, like Swiss Army Multi-Tools, where each one has an advantage. We have to use them together to achieve the final goal of automation.

Quick Note: Mouse Jumps Around in VMware Workstation

I just upgraded a testing machine to Windows 10 1909 and installed the latest version of VMware Workstation 15 on it. Somehow the mouse jumps around in VMware Workstation when the mouse pointer is grabbed by a VM. This is very annoying. I only observed this issue when running VMware Workstation in a remote desktop session. I didn’t see the same issue when I ran a VM on a local computer.

The reason is that the testing machine has the WDDM graphics driver installed. You can disable the WDDM graphics driver in remote desktop sessions by modifying group policy.

  1. Open the group policy editor with the following command:
gpedit.msc
  2. Go to Computer Configuration -> Administrative Templates -> All Settings.
  3. Disable the setting: Use WDDM graphics display driver for Remote Desktop Connections.
Disable WDDM graphics display driver.
  4. Reconnect the remote desktop session.

Please refer to the following VMware KB to understand more about WDDM.

WDDM and XPDM graphics driver support with ESX, ESXi, Workstation and Fusion (1016770)

It’s not clear why the WDDM driver caused the problem. I think the reason is probably that WDDM gives the benefit of using both software and hardware acceleration. Maybe my testing VM’s physical host doesn’t have hardware acceleration capability. But the mouse jumps around in VMware Workstation due to the driver switching between the acceleration capabilities.

I also posted a few articles regarding mouse issues in virtualization environments for your reference.

Mouse Cursor Disappeared in Remote Desktop in mRemoteNG

VMware Remote Console Freeze or Black Screen

OneDrive Can’t Add Your Folder Right Now!

This post has nothing to do with servers. I am posting it since I couldn’t find anything on the internet about this issue. This “OneDrive Can’t Add Your Folder” error took me quite a while to figure out. I only found an article that talks about IRM after I figured the issue out. So I think it may be valuable to document it. I re-installed the testing machine with different OS versions several times. It just happened suddenly. My OneDrive could not sync any files. I upgraded the client to the latest version but no luck.

The error message I got initially was:

We can’t sync your OneDrive – xxx

Follow these steps to fix the problem:

1. Go to portal.microsoft.com/OneDrive, click the Settings icon in the top-right, then click “Site settings”.

2. Under “Site Administration”, click “Site libraries and lists”.

3. Click “Customise Documents”.

4. Click “Information Rights Management” and clear the checkbox.

Then I upgraded the OneDrive client, re-installed Office, re-installed the OS, and enabled full permission for my O365 account on the OneDrive folders. I also tracked my OneDrive posting data with a nice free tool, Fiddler. There were error keywords related to “IRM” not being supported in Fiddler when I connected OneDrive to my O365 account. Then I uninstalled OneDrive and installed the latest version of it. Now I got the following error message when signing in to my O365 account in OneDrive.

Sorry, OneDrive can’t add your folder right now

Please contact support.

I eventually figured it out when I was troubleshooting other software issues. The reason is that the “Information Rights Management” (IRM) feature was enabled on my O365 account. It restricts file synchronization on unauthorized computers when I log in to a computer with my domain account (it’s also the O365 account). I checked my computer domain account in “Active Directory Users and Computers”. I noticed that the “Managed By” of the computer was blank. The OneDrive issue was resolved as soon as I set it to my domain account.

Here is a good article that explains what IRM is and how it affects OneDrive.

[Quick Note] Failed to install pywinrm on CentOS 8

You may see the error message “Running setup.py install for pykerberos … error” when installing pywinrm on CentOS 8. The additional errors are “unable to execute 'gcc': No such file or directory” and “command 'gcc' failed with exit status 1”.

The reason is that the gcc dependency is missing on the machine. You need to run the following command to install gcc, then try installing pywinrm again.

# yum install gcc

Balanced Memory Configuration for ESXi Servers

Background

ESXi servers are fundamental infrastructure. The underlying hardware performance has a butterfly effect on the upper layer virtual machines and applications. Since there is less than 10% performance overhead on the virtualization layer, it’s valuable to get full performance on the hardware layer. Memory is a big player in hardware performance tuning. Balanced memory configuration is very important. I wrote an article “LRDIMM or RDIMM on ESXi hosts?” a long time ago. It was the understanding in 2016. I did some research recently. I hope the following study helps with your hardware decisions. This study is based on Intel Xeon 2nd Generation Scalable Processors.

1. Basic Concepts

Before we talk about balanced memory and optimized memory, let’s take a look at some basic concepts which will be used in the article.

1.1 Memory Channel

The memory channels control read and write bandwidth between the CPU and the memory modules. Think of them as the lanes on a highway connecting the CPU and memory. There are 6 memory channels on Intel Xeon 2nd generation Scalable processors. This is different from Intel Xeon E7, which only has 4 memory channels. If you are an E7 user moving to Scalable, you should note that a memory size that was balanced on E7 is not balanced on Scalable processors.

1.2 DIMM

The full name of DIMM is Dual In-line Memory Module. It’s the small chip-set mounted on a printed circuit board. There are multiple DIMMs on the board. We usually call the whole thing a DIMM in practice. A DIMM is installed in a DIMM slot on the server’s motherboard. Each memory channel has two DIMM slots on Intel Xeon 2nd Generation Scalable Processors.

1.3 DIMM Type

The two major types are RDIMM and LRDIMM. The main difference between the two types is that LRDIMM has a buffer in the DIMM. That means LRDIMM is slower than RDIMM. LRDIMM supports a larger size per DIMM, such as 128 GB or higher. RDIMM is usually 16 GB, 32 GB, or 64 GB.

1.4 Rank

A rank is one set of memory chips that is accessed while writing to or reading from the memory. A small DIMM may need only a single rank. Larger DIMM sizes need more ranks. Refer to this article to learn more about rank. Dual-rank performs better than quad-rank according to hardware vendors.

1.5 Interleave

Memory interleaving allows a CPU to efficiently spread memory accesses across multiple DIMMs. All DIMMs should be in one interleaved set creating a single uniform memory region that is spread across as many DIMMs as possible. If there are different types of DIMM or size of DIMM, the memory subsystem interleaves multiple times to access data.

2. Balanced Memory

Memory balance refers to memory population rules on physical servers. There are 6 memory channels on an Intel Xeon 2nd Generation Scalable Processor. Each channel handles two DIMM slots. Enterprise users usually use dual processors for ESXi servers, so there are 24 DIMM slots in total in the server. Each processor handles 12 DIMM slots. The DIMM population should be in pairs and even numbers. For example, if you have 12 DIMMs, 6 of the 12 should be assigned to the first processor and the other 6 to the second processor’s DIMM slots. And the 6 DIMMs should be populated in the same slots on each processor. This is called a “balanced memory” population. The memory balance is also related to the NUMA balance for ESXi. An imbalanced memory population causes imbalanced NUMA nodes. This is very important in virtualization performance tuning.

DIMM size and type in the population also impact memory balance. The DIMM type and size on both processors should be the same. Some customers may want to upgrade existing balanced memory to a higher capacity. The suggestion is to use the same type and size of DIMMs for the upgrade.

3. Memory Optimization

Balanced memory is easy. Hardware vendors’ pre-sales teams usually give a balanced memory configuration. But the trick is that balanced doesn’t mean optimized. The performance of a balanced but non-optimized server can be only 35% of that of a balanced and optimized server, according to Lenovo.

Fully populating the DIMM slots is the first rule. Each interleave grabs data from all DIMM slots. Think of it as a 24-lane highway again. You can load more goods if you dispatch 24 trucks at the same time. One benefit of virtualization is hardware consolidation. We usually see high memory utilization on ESXi. So this is an important point for optimizing ESXi performance.

Use the same type and size of DIMM. Do not mix different types or sizes of DIMM in the server, since different types or sizes of DIMM mean multiple interleaves. To use the same example, the trucks can only load one type of goods each time. If there are two types of goods, the trucks have to go twice even if they are half loaded.

Rank is another heavy impact on performance. Dual-rank DIMMs give the best performance. Quad-rank is usually found in large DIMMs. Its performance is lower than dual-rank.

DIMM type also impacts performance. RDIMM performs better than LRDIMM. The reason is that LRDIMM has a cache on the DIMM to handle data I/O between processor and memory. It slows down the I/O.

The other things that impact ESXi performance are BIOS settings and power settings. These are out of the scope of this post. Basically, you need to set BIOS and power to high performance to achieve the best memory performance.
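
The population rules from sections 2 and 3 can be applied to a DIMM inventory before ordering or upgrading memory. The following is an added example, not from the original article or any vendor tool; the Dimm record, the function names, and the sample populations are assumptions made for illustration, and the rules encoded are only the ones stated above.

```python
from collections import namedtuple

# Hypothetical record for one installed DIMM (not taken from any vendor tool).
Dimm = namedtuple("Dimm", "cpu channel slot kind size_gb ranks")

CHANNELS_PER_CPU = 6    # 2nd Generation Xeon Scalable, per the article
SLOTS_PER_CHANNEL = 2   # two DIMM slots per memory channel, per the article


def check_population(dimms, cpus=2):
    """Apply the article's balance and optimization rules to a DIMM inventory."""
    layout = {cpu: set() for cpu in range(cpus)}
    for d in dimms:
        layout[d.cpu].add((d.channel, d.slot))

    # Balance: same slots populated on every processor, one DIMM type and size.
    problems = []
    if len({frozenset(slots) for slots in layout.values()}) > 1:
        problems.append("processors do not populate the same slots")
    if len({(d.kind, d.size_gb) for d in dimms}) > 1:
        problems.append("mixed DIMM type or size")

    # Optimization: factors the article lists as lowering performance.
    notes = []
    if len(dimms) < cpus * CHANNELS_PER_CPU * SLOTS_PER_CHANNEL:
        notes.append("not fully populated")
    if any(d.ranks != 2 for d in dimms):
        notes.append("not all DIMMs are dual-rank")
    if any(d.kind == "LRDIMM" for d in dimms):
        notes.append("LRDIMM in use")

    return {"balanced": not problems,
            "optimized": not problems and not notes,
            "problems": problems, "notes": notes}


def populate(cpus, channels, slots, kind, size_gb, ranks):
    """Build a constructed inventory that uses the same slots on every CPU."""
    return [Dimm(c, ch, s, kind, size_gb, ranks)
            for c in range(cpus) for ch in channels for s in slots]


if __name__ == "__main__":
    # Constructed case: the article's 12-DIMM example, 6 per processor.
    twelve = populate(2, range(6), [0], "RDIMM", 32, 2)
    print(check_population(twelve))
```

The 12-DIMM case from section 2 comes back balanced but not optimized, because half of the 24 slots are empty.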

4. Reference

Lenovo: Balanced Memory Configurations with Second-Generation Intel Xeon Scalable Processors

Dell: How to Balance Memory on 2nd Generation Intel® Xeon™ Scalable Processors
Dell: Balanced Memory is Best: 2nd Generation AMD EPYC Processors for PowerEdge Servers

Cisco: Intel Xeon Scalable 2nd Generation Processor Recommendations for Cisco UCS M5 Servers (Login required)

HPE: Server Memory and Persistent Memory Population Rules for HPE Gen10 Servers With Intel Xeon Scalable Processors

VMware: A Performance Comparison of Hypervisors