2019 Storage Spaces Write Performance Guide

This guide was posted on the Microsoft forums.

The RS5 (Build 17763, Windows 10 1809) update brings improved parity write performance to Storage Spaces. The improvement comes from being able to bypass the parity space write cache for full stripe writes. Previously created storage spaces will also benefit from these improvements (once the storage pool is upgraded with Update-StoragePool). For best results, you will need to create a new storage space with a specific interleave size.

Step 1

Upgrade your storage pool to the latest version.

Get-StoragePool <NameOfPool> | Update-StoragePool

Confirm

Are you sure you want to perform this action?

This will upgrade the StoragePool “TestPool” to the latest version. This is an irreversible action.

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is “Y”):  

Verify that your pool is at the “Server 2019” version or later:

Get-StoragePool | ? IsPrimordial -eq $false | ft FriendlyName,Version

FriendlyName Version
------------ -------
NameOfPool   Windows Server 2019

Step 2

Create a new parity virtual disk, with an interleave size of 32KB, 3 columns. This maximizes your flexibility in adding capacity to your space, and ensures that the data stripe size is 64KB, which will match the NTFS allocation unit (cluster) size of 64KB that you will use in the next step. (If you use the Storage Spaces Control Panel UI to create the space, it will typically have an interleave size of 256KB and an NTFS cluster size of 4KB, which doesn’t guarantee that all writes will be aligned to data stripe boundaries.)

New-VirtualDisk -StoragePoolFriendlyName <NameOfPool> -ProvisioningType Thin -Interleave 32KB -FriendlyName FastParity -Size 1TB -ResiliencySettingName Parity -NumberOfColumns 3

Step 3

Go to Disk Management, initialize the disk corresponding to the newly created virtual disk, and format it with the NTFS (or REFS) filesystem with an allocation unit (cluster) size of 64KB.

Step 4

Verify that copying large files to this volume is fast. Provided you are copying from a source that is *different* from any of the virtual disks in the storage pool, you should be able to achieve a write performance that is close to 2x the write performance of the slowest physical disk in your storage pool. With typical consumer SATA hard disks, if your source is sufficiently fast (e.g. internal SSD), you should be able to hit 200MB/sec for copying large files.

You can use the performance monitor (perfmon.exe) to verify that your new virtual disk has a high “Write Bypass %”. When correctly configured, you should expect this value to be >99%. The counter set name is “Storage Spaces Write Cache”.

Parity (Single disk failure resilient) recommended configurations for Archival workloads

| Storage Spaces Interleave Size | Number of Columns | Data Stripe Size | FileSystem | Allocation Unit Size (Cluster Size) | Expected Write Performance (Multiples of single disk performance) |
|---|---|---|---|---|---|
| 32KB | 3 | 64KB | NTFS | 64KB | 2x |
| 32KB | 3 | 64KB | REFS | 64KB | 2x |
| 16KB | 5 | 64KB | NTFS | 64KB | 4x |
| 16KB | 5 | 64KB | REFS | 64KB | 4x |

Dual Parity (Two disk failure resilient) recommended configurations for Archival workloads

| Storage Spaces Interleave Size | Number of Columns | Data Stripe Size | FileSystem | Allocation Unit Size (Cluster Size) | Expected Write Performance (Multiples of single disk performance) |
|---|---|---|---|---|---|
| 16KB | 7 | 64KB | NTFS | 64KB | 4x |
| 16KB | 7 | 64KB | REFS | 64KB | 4x |

Sharing error OSE204 from OneDrive

If you’ve tried sharing a file outside of your organisation team share in OneDrive to anonymous parties, you might run into a problem with sharing settings.

This is not easily solvable at first. There are a number of settings in Office 365 which can affect this, from:

  • Office Active users page: you can select individual users, select OneDrive and see the sharing access they have
  • OneDrive Admin: on the sharing page, there are a number of options
  • SharePoint Admin: again, there are a number of options here

Make sure you check the sections above to ensure the correct settings are set. If you still cannot share the files, you will need to connect to SharePoint Online via PowerShell.

  1. Make sure the PowerShell module is installed:
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell
  2. Connect to your instance
    $adminUPN="<the full email address of a SharePoint administrator account, example: jdoe@contoso.onmicrosoft.com>"
    $orgName="<name of your Office 365 organization, example: contosotoycompany>"
    $userCredential = Get-Credential -UserName $adminUPN -Message "Type the password."
    Connect-SPOService -Url https://$orgName-admin.sharepoint.com -Credential $userCredential
  3. Set the permissions on your site
    Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Sales' -SharingCapability ExternalUserAndGuestSharing

The above should do the trick. Just note that it does take some time to take effect.

See: Sharing Errors

Teams – new features for April 2020

Microsoft is about to roll out new features for Teams.

You likely saw last week that Microsoft introduced new backgrounds for meetings, likely to combat Zoom’s popularity. Microsoft really needs to add more than 4 people on screen at one time, but we hear this is coming soon.

New features coming this April:

  • Raise hands in meetings – I hope this extends to live events so we can have more than one person on screen able to grab control
  • Multi-chat window
  • End meeting for all participants – this has just been released
  • More settings for organizers once a meeting is in progress
  • Downloading of a participant report once a meeting has finished
  • New policy to enforce lobby settings for external users
  • New policies around creating and joining meetings. You will be able to stop everyone being able to create meetings. If the user does not have the create meeting option, when they join meetings the meeting will not start until someone with this privilege joins

And finally coming for May 2020 we have more than 4 people on video within a Teams meeting.

Full details:

We are increasing the number of participants who can be viewed simultaneously on the Teams meeting stage from 4 to 9. This new experience optimizes for attendees who have enabled video and places the remaining audio-only participants below the meeting stage. To provide a high audio and video quality experience, the layout logic will consider user bandwidth and alter the number of videos shown to provide the best meeting experience. We’ll be gradually rolling this out to customers near the end of April and expect the rollout to be completed in early May.

Your pc has a driver or service that isn’t ready – Windows 10 – 1903

I was attempting to update my home computer to 1903 to test the new Sandbox feature. When I ran the Windows 10 Upgrade Adviser, I hit the following error.

It would be great if this error message showed you what the actual issue was.

Luckily, there is a method to find this out.

  1. Open File explorer and click the View tab. Make sure the check box for Hidden items is selected.
  2. Select This PC, and type *_APPRAISER_HumanReadable.xml in the search box and search the PC for file names that end with this term.  
  3. Right click the file that ends with _APPRAISER_HumanReadable.xml and open the file with Notepad.
  4. Press CTRL + F and search for DT_ANY_FMC_BlockingApplication. Look for the value, it should be True.
  5. Press CTRL + F and search for LowerCaseLongPathUnexpanded. The value contains the file path of the program that should be removed or transferred to another drive.  (It should be located approximately 28 lines under the DT_ANY_FMC_BlockingApplication).
  6. Make note of the file path listed in the value for LowerCaseLongPathUnexpanded.  You can select the file path and copy it to the Notepad by pressing CTRL + C.
  7. Navigate to the file path’s location in File Explorer.  (Click in File Explorer’s address bar and press CTRL + V to paste the file path you copied earlier.)
  8. Once you’ve located the blocking.exe file, transfer the file to another drive or Delete the file.
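
Steps 4 to 6 can also be scripted. The following is an added example, not part of the original post and not Microsoft's batch file; the function name Find-UpgradeBlocker, the 60-line search window and the one-property-per-line Name/Value layout are assumptions, and the sample report is constructed.

```powershell
# Added example: scans one report the same way steps 4-6 do by hand.
# Assumption: each property sits on its own line as Name="..." Value="...".
function Find-UpgradeBlocker {
    param(
        [Parameter(Mandatory)] [string] $ReportPath,
        [int] $Window = 60   # the path is expected roughly 28 lines below the flag
    )
    $lines = @(Get-Content -LiteralPath $ReportPath)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        # Step 4: the blocking flag must be present and set to True
        if ($lines[$i] -notmatch 'DT_ANY_FMC_BlockingApplication') { continue }
        if ($lines[$i] -notmatch 'Value="True"') { continue }
        # Step 5: the next LowerCaseLongPathUnexpanded below it holds the file path
        $end = [Math]::Min($i + $Window, $lines.Count - 1)
        for ($j = $i + 1; $j -le $end; $j++) {
            if ($lines[$j] -match 'LowerCaseLongPathUnexpanded"\s+Value="([^"]*)"') {
                [pscustomobject]@{
                    Report       = $ReportPath
                    FlagLine     = $i + 1
                    BlockingPath = $Matches[1]
                }
                break
            }
        }
    }
}

# Constructed sample report (not real Appraiser output) to show the result shape
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample_APPRAISER_HumanReadable.xml'
@'
<Property Name="DT_ANY_FMC_BlockingApplication" Value="FALSE" />
<Property Name="LowerCaseLongPathUnexpanded" Value="c:\windows\notepad.exe" />
<Property Name="DT_ANY_FMC_BlockingApplication" Value="TRUE" />
<Property Name="SomeOtherProperty" Value="x" />
<Property Name="LowerCaseLongPathUnexpanded" Value="c:\example\blocking.exe" />
'@ | Set-Content -LiteralPath $sample

Find-UpgradeBlocker -ReportPath $sample

# Real use: search a drive for reports, including hidden folders (steps 1-2)
# Get-ChildItem C:\ -Recurse -Force -Filter '*_APPRAISER_HumanReadable.xml' -ErrorAction SilentlyContinue |
#     ForEach-Object { Find-UpgradeBlocker -ReportPath $_.FullName }
```

Review each reported path before moving or deleting anything; the script only reads the report.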

You may also download and run this batch file to automatically perform the steps above: https://aka.ms/AppRPS (You should be prompted to download a zip file named AppRPS.zip)

The zip file method is the fastest.

From the output, you can see the problem service. In my case, it’s BattlEye, an anti-cheat system for games.

From here you will be able to remove the problem applications or update the required drivers.

The information for my BattlEye issue can be found here. In my case, I removed BattlEye with the tool here, and reinstalled it again after the upgrade by running the game.

Hope this helps!

Permanently Delete Office 365 Groups

If you have created teams or channels in Microsoft Teams, you likely know this creates Office 365 groups. Many other Microsoft products in the 365/Azure space create Office 365 groups. This is Microsoft’s new group which allows great flexibility across services.

However, if you have ever decided to delete a SharePoint site or Microsoft Team, you will find you cannot create another team or site in its place. You will receive an error saying this group still exists.

This is because the group was deleted as a ‘soft delete’, meaning it sits in a recycle bin for a number of days until it’s permanently deleted.

You can speed up this process. The easiest way to do this is to connect via PowerShell and run the following commands:

  1. Launch PowerShell
  2. Run the following command if you don’t have AzureAD installed
    Install-Module -Name AzureAD
  3. Connect to AzureAD
    Connect-AzureAD
  4. Remove deleted groups
    Get-AzureADMSDeletedGroup | Remove-AzureADMSDeletedDirectoryObject

If you don’t feel safe running the above command, run Get-AzureADMSDeletedGroup on its own first to see what will be removed.

This will take some time to sync.

Removing an Office 365 Tenancy

There may be a reason you wish to totally remove an Office 365 tenancy. In our case, it was that the company we looked after was sold. They wanted the data removed – and quickly.

It is possible now to totally remove a tenancy following these steps:

  1. Remove any licensing from the Office 365 tenancy
  2. Open PowerShell
  3. Connect to Azure AD by typing
    Connect-AzureAD

    If this doesn’t work, you may need to install AzureAD. Do this by typing

    Install-Module -Name AzureAD
  4. Once connected, you need to connect to the MSOnline (msol) service. To do this type
    Connect-MsolService

    If this does not work, you may need to install msol. Do this by typing

    Install-Module -Name MSOnline
  5. Disable dirsync with the following command, if enabled
    Set-MsolDirSyncEnabled -EnableDirSync $false

    After this command, it takes around 30 minutes for all users to become in-cloud users

  6. You now need to remove all users and remove them from the recycle bin. Type
    Get-MsolUser | Remove-MsolUser -Force

    Then after waiting 30 minutes or so, type the following

    Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

    This command removes the deleted users from the AD recycle bin

  7. The next script will remove all of the enterprise applications in AD. This needs to be done.
    $ObjectIds = (Get-AzureADServicePrincipal).ObjectId
    for ($i = 0; $i -lt $ObjectIds.Length; $i++) {
        Remove-AzureADServicePrincipal -ObjectId $ObjectIds[$i]
    }
  8. Once these commands are completed, you can check Azure Active Directory by going to https://aad.portal.azure.com. Select Azure Active Directory and try to delete it. You will get something like the following. In this case, once the licenses have expired (these were removed 12 hours ago) you will be able to delete the tenancy.

For more information check out the following links:

RemoteApp Slow after Windows 10 1803 update on Server 2012 R2

As the title suggests, after updating Windows 10 computers to 1803, users have reported slow RemoteApp sessions.

You can try disabling Remote FX, but user reports suggest this causes further issues.

The easiest fix is to copy mstsc.exe and mstscax.dll from a 1709 build and replace the files on 1803. We have confirmed this works.

KB4103727 Breaks RDP/Remote Desktop Gateway

This morning we awoke to screams from users not being able to log in to our remote desktop servers.

KB4103727 has been released which switches a flag to protect against the CredSSP attack.

The quickest way to get your users working again is to patch your domain controller with the May updates and use group policy to push out a change.

You can manually add this to the registry for desktop clients

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

or via command line

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

To fix this problem, the May updates need to be installed on all servers and workstations.
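
Because the workaround is only meant to last until the May updates are everywhere, it helps to track which machines still carry it. The following is an added example, not part of the original post: it reads the value set above and names the state it selects, using Microsoft's documented names for the Encryption Oracle Remediation policy (0, 1, 2). The function name Get-CredSspOracleSetting is an assumption.

```powershell
# Added example: report the CredSSP AllowEncryptionOracle override on this machine.
function Get-CredSspOracleSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    # Policy names for each value of AllowEncryptionOracle
    $meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    $prop = Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No override present: the installed update level decides the behaviour
        return [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Value        = $null
            Setting      = 'Not configured'
            RevertNeeded = $false
        }
    }

    $value = [int]$prop.AllowEncryptionOracle
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Value        = $value
        Setting      = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unknown' }
        RevertNeeded = ($value -eq 2)   # 2 re-allows connections to unpatched peers
    }
}

$result = Get-CredSspOracleSetting
$result
if ($result.RevertNeeded) {
    Write-Warning 'AllowEncryptionOracle=2 is still set. Remove the override once both ends have the May updates.'
}

# To check several machines over PowerShell remoting:
# Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-CredSspOracleSetting}
```

Once a machine and the servers it connects to are patched, deleting the AllowEncryptionOracle value (or setting the group policy back to Not Configured) returns it to the patched default.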

More information:

 

Patch Tuesday: CVE-2017-11826 Microsoft Office

There is an in-the-wild exploit for Microsoft Office. A patch has been released. This exploit has turned up on VirusTotal today.

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.