Remove Symantec Agent with Group Policy.

I had a project where I had to deploy Sophos on 500 PCs, but Symantec had to be uninstalled as a first step. There are a few ways to uninstall Symantec: via SCCM, or via Group Policy configured to push out a scheduled task that runs a PowerShell command. I chose Group Policy as it was the quickest method for me. The Symantec licenses were coming to an end and all the remote agents had to be removed.

As a first step, create a new Group Policy object and call it Uninstall SEP.

Go to Scheduled Tasks, right-click and create a new task.

Follow the exact steps and make sure to use the account NT AUTHORITY\SYSTEM, which basically has god permissions on every computer. When the Group Policy is pushed to the computer, the scheduled task runs with administrative permissions and does not prompt the user to enter an account.

You can define the triggers; I set mine to run daily at 12pm, as users will be at lunch. The Actions tab is configured to start a program, which is PowerShell, as detailed below.

The program is C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe and the arguments are -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoLogo -NoProfile -File "\\ci-pdc\SYSVOL\yourcompany.local\scripts\Script.ps1". The script runs in the background: the user gets no popup window and there is no interaction whatsoever. I needed this to run as quietly as possible. As you can see, I put the script in SYSVOL on one of my DCs.

The Script.ps1 contains one simple command: (Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'" -ComputerName .).Uninstall(). This runs in PowerShell and removes SEP and all the data that belongs to the installed agent. Sophos does not like it when another anti-virus program is running, so all the files and data associated with Symantec have to be deleted.
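As an added example (not the post’s own Script.ps1), here is a version of the uninstall script that reads the MSI product code from the Uninstall registry keys and runs msiexec directly, logging what happened on each PC. It avoids Win32_Product, which triggers a Windows Installer consistency check of every installed package each time it is queried and is slow on a fleet of 500 machines. The display name, the log location under C:\Windows\Temp and the assumption that SEP registers an MSI product code are all mine; the script is meant to run as SYSTEM from the GPO scheduled task described above.

```powershell
# Added example: uninstall Symantec Endpoint Protection by MSI product code.
# Assumptions (ours): display name 'Symantec Endpoint Protection', logs under
# C:\Windows\Temp, SEP registered under a GUID-named Uninstall key.

$DisplayName = 'Symantec Endpoint Protection'
$LogDir      = 'C:\Windows\Temp'                      # assumed log location
$LogFile     = Join-Path $LogDir 'Uninstall-SEP.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Check both the 64-bit and the 32-bit (WOW6432Node) uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Sep = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -eq $DisplayName } |
       Select-Object -First 1

if (-not $Sep) {
    Write-Log "$DisplayName not found; nothing to do."
    exit 0
}

# For MSI-installed products the key name is the ProductCode GUID.
$ProductCode = $Sep.PSChildName
if ($ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
    Write-Log "Unexpected uninstall key '$ProductCode'; not guessing. UninstallString: $($Sep.UninstallString)"
    exit 1
}

Write-Log "Uninstalling $DisplayName $($Sep.DisplayVersion) ($ProductCode)"
$MsiArgs = "/x $ProductCode /qn /norestart /l*v `"$LogDir\SEP-msi.log`""
$Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required, 1605 = product not installed.
switch ($Proc.ExitCode) {
    0       { Write-Log 'Uninstall successful.' }
    3010    { Write-Log 'Uninstall successful; reboot pending.' }
    1605    { Write-Log 'msiexec reports the product is not installed.' }
    default { Write-Log "msiexec failed with exit code $($Proc.ExitCode)." }
}
exit $Proc.ExitCode
```

The per-machine log plus the verbose msiexec log give you something to check against the Deployment status shown in the Symantec Endpoint Protection Manager when a PC does not report Uninstall successful.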

The script does not reboot the PCs, and I found that a reboot is not necessary before pushing out Sophos, even though it is recommended. You can decide what works for you on the Settings and Common tabs; I left everything at the defaults.

Assign the Group Policy to the OU that contains the computers, with security filtering configured for Authenticated Users and Domain Computers. You can either let Group Policy update the PCs on whatever schedule your Group Policy refresh runs on, or force the update by right-clicking the OU in Group Policy Management and clicking Group Policy Update...

Let Group Policy apply to the PCs, then check one of them: open Task Scheduler and see whether the new task you created shows up there. Once Group Policy has been pushed and the task has run on the PC, you can go to the Symantec Endpoint Protection Manager and check the status of the PC the agent was installed on. Go to Clients, find your PC, right-click it and select Edit Properties. Check the Deployment status; it should say Uninstall successful. This indicates the script ran on the PC and uninstalled the SEP agent. You can then delete the PC from the Symantec Endpoint Protection Manager to free up the license.

Once all this was done, I used SCCM 2016 to push Sophos as an application. I will include more details on that later on….



Reload invalid VMs with PowerCLI on ESXi 6.5

Sometimes you might have an issue with storage, or with a Veeam backup where the Veeam proxy locks files and prevents VM consolidation from occurring. I had an issue where one of my VeeamProxy VM servers went into an invalid state and I wasn’t able to power it up. Since it crashed, it locked the files of the VMs that were being backed up and I wasn’t able to consolidate them. One way around this was to use PowerCLI with the command:

(Get-View -ViewType VirtualMachine) | ?{ $_.Runtime.ConnectionState -eq "invalid" -or $_.Runtime.ConnectionState -eq "inaccessible" } | %{ $_.Reload() }

Essentially, the Reload method in PowerCLI forces the VM inventory to reload the VM without the manual process of unregistering and re-registering it. The VM was reloaded, but I still had to reboot my ESXi host, since I wasn’t able to unregister and re-register the VM and couldn’t delete it from the inventory.

How do I change Office 365 from First Release for Deferred Channel to Current Channel with the Office Deployment Tool?

You can do this using the Office 365 Deployment Tool (Office 2016 Deployment Tool).

TechNet has detailed instructions for how to use that tool (Overview: Office Deployment Tool), but the basics for this situation are:

  • Extract setup.exe and the configuration.xml file from the Microsoft download.
  • Edit the XML file to reflect the new settings that you want (in this case, specifying the Current release channel). A great interactive tool for building a custom configuration.xml is the Office Click-To-Run Configuration XML Editor.
  • Open a command line and run: setup.exe /configure configuration.xml (you must have local admin rights to do this, and you must run it from the folder where the files are).
  • The Office Click-to-Run installer will make the changes and notify you when complete. This reinstalls Office and keeps the existing settings in place.
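The steps above as one script, as an added example that is not part of the original answer: it writes a configuration.xml that moves an existing install to the Current channel, parses it back to make sure it is well-formed, and then runs the Office Deployment Tool in /configure mode. The extraction folder C:\ODT, the 64-bit edition and the en-us language are my assumptions; the attribute and element names (Channel, Updates, Display, FORCEAPPSHUTDOWN) follow the current Office Deployment Tool documentation, so check them against the ODT version you downloaded, since older releases used a Branch attribute instead.

```powershell
# Added example (ours, not Microsoft's): switch Office to the Current channel
# with the Office Deployment Tool. Assumes setup.exe was extracted to C:\ODT.

$OdtDir     = 'C:\ODT'                                    # assumed ODT folder
$ConfigPath = Join-Path $OdtDir 'configuration.xml'

$ConfigXml = @'
<Configuration>
  <!-- Channel="Current" moves the install off the Deferred / First Release channel -->
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!-- Keep future updates on the same channel -->
  <Updates Enabled="TRUE" Channel="Current" />
  <!-- Silent run: no UI, EULA accepted, running Office apps closed -->
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration>
'@

# The answer notes local admin rights are required; fail early if we lack them.
$Principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Parse first so a typo in the XML is caught here rather than by setup.exe,
# then save the parsed document to disk.
$Doc = [xml]$ConfigXml
if ($Doc.Configuration.Add.Channel -ne 'Current') {
    throw "Expected Channel='Current' but found '$($Doc.Configuration.Add.Channel)'"
}
$Doc.Save($ConfigPath)

$Setup = Join-Path $OdtDir 'setup.exe'
if (-not (Test-Path $Setup)) { throw "setup.exe not found in $OdtDir" }

$Proc = Start-Process -FilePath $Setup -ArgumentList "/configure `"$ConfigPath`"" `
                      -WorkingDirectory $OdtDir -Wait -PassThru
"setup.exe exited with code $($Proc.ExitCode)"
```

Because the Click-to-Run installer reinstalls Office, run this at a time when users can be without Office for a while, and leave FORCEAPPSHUTDOWN out if you would rather have setup.exe wait for open documents to be closed.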

Another method, which makes this process easier without needing the Deployment Tool, is to use Microsoft’s script.

How should I end my SPF record? ~all? -all? +all?

What does the standard say?

SPF records let the world know who is authorized to send email on your behalf. Specifically, they are a technical method to prevent sender address forgery: they allow the owner of a domain to specify the mail servers it uses to send mail. Get this record right, and you’re in good shape with the ISPs. Mess it up, and you’ll likely end up in the spam folder.

The all mechanism tells mail servers what to do with everything that isn’t sent from a mail server listed earlier in your SPF record.

The options and their interpretations are:

  • -all (Fail): All mail servers not listed in the SPF record are explicitly not authorized to send mail using the sender’s domain.
  • ~all (SoftFail): All mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
  • ?all (Neutral): The domain owner cannot or does not want to assert whether or not mail servers not listed in the SPF record are authorized to send mail using the sender’s domain.
  • +all (Pass): All mail servers are authorized to send mail on behalf of the sender’s domain.

For example, v=spf1 include:sendgrid.net -all means that email from SendGrid will pass SPF validation, but all other email servers are explicitly not authorized.

Everything past the all is ignored. If you don’t end with one of those options, then ?all is assumed.

What do people actually do?

We looked at the SPF records for the top 500,000 sites, as rated by Alexa. Of those, 205,043 had the phrase v=spf1 in their TXT or SPF (Type 99) records, meaning they had an SPF record (though many were not valid). 97% of the SPF records ended with some variation of all. Here is a breakdown of the results:

[Table: breakdown of the all variants found, with counts]

Only the first five are valid (all maps to +all, according to the standard).

In fact, probably only the first three should be considered valid SPF records, as +all means that anyone is authorized to send email from your domain. This is much worse than having no SPF record at all! The folks who wrote the standard have this to say about using +all: “The domain owner thinks that SPF is useless and/or doesn’t care.”

What is the worst mistake I can make?

If you just use all, then +all is assumed, meaning that everybody is authorized to send email from your domain!

We saw hundreds of domains that had ~ all rather than ~all. Those show as all in the table. This accidental space between the tilde and the all changes the meaning from the intended “soft fail all email from domains or IPs not listed in the SPF record” to “pass all email”. Oops.
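The rules above (a bare all means +all, anything after all is ignored, no all at all means ?all) and the “~ all” trap can be checked mechanically before a record is published. The following is an added example, not part of the original article: a PowerShell function that parses an SPF record string, reports the effective all qualifier and warns about the two mistakes described. The sample records are constructed for the demonstration and are not real domains’ records.

```powershell
# Added example: work out what the 'all' mechanism of an SPF record really says.
# Sample records below are constructed, not looked up from DNS.

function Get-SpfAllVerdict {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=spf1(\s|$)') {
        return [pscustomobject]@{ Record = $Record; Qualifier = $null
                                  Verdict = 'not an SPF record'
                                  Warnings = @('missing v=spf1 version tag') }
    }

    $Meaning = @{ '+' = 'Pass: anyone may send as this domain'
                  '-' = 'Fail: unlisted senders are not authorised'
                  '~' = 'SoftFail: unlisted senders are suspect but not rejected'
                  '?' = 'Neutral: no assertion is made' }

    # Terms after the version tag; @() keeps a single term from becoming a bare string
    $Terms     = @($Record -split '\s+' | Select-Object -Skip 1)
    $Warnings  = New-Object System.Collections.Generic.List[string]
    $Qualifier = $null

    for ($i = 0; $i -lt $Terms.Count; $i++) {
        $Term = $Terms[$i]
        if ($Term -match '^([+\-~?]?)all$') {
            # An absent qualifier is '+' per the standard: bare 'all' == +all
            $Qualifier = if ($Matches[1]) { $Matches[1] } else { '+' }
            if (-not $Matches[1]) { $Warnings.Add("bare 'all' is interpreted as +all") }
            $Rest = $Terms.Count - $i - 1
            if ($Rest -gt 0) { $Warnings.Add("$Rest term(s) after 'all' are ignored") }
            break
        }
        # A lone qualifier character is the tell-tale sign of '~ all' or '- all'
        if ($Term -match '^[+\-~?]$') {
            $Warnings.Add("stray qualifier '$Term' separated from the next term by a space")
        }
    }

    if (-not $Qualifier) {
        $Qualifier = '?'
        $Warnings.Add("record does not end with 'all'; ?all is assumed")
    }

    [pscustomobject]@{
        Record    = $Record
        Qualifier = "${Qualifier}all"
        Verdict   = $Meaning[$Qualifier]
        Warnings  = $Warnings.ToArray()
    }
}

# Constructed sample records covering the cases discussed in the article
$Samples = @(
    'v=spf1 include:sendgrid.net -all',
    'v=spf1 ip4:192.0.2.0/24 ~all',
    'v=spf1 ip4:192.0.2.0/24 ~ all',     # accidental space: ends up as +all
    'v=spf1 mx all',                     # bare all: +all
    'v=spf1 include:_spf.example.net'    # no all at all: ?all assumed
)
$Samples | ForEach-Object { Get-SpfAllVerdict -Record $_ } |
    Format-List Record, Qualifier, Verdict, Warnings
```

Feed it the output of Resolve-DnsName -Type TXT for your own domain and anything other than -all or ~all with no warnings deserves a second look before the record goes live.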

How can I check my record?

Fill out the automated SPF record check form, and we will make sure your SPF record is correct and that the email you sent passes the validation check.

What is a UPN and why use it?

A UPN, or User Principal Name, is a logon format in which you enter the credentials as username@domainname.com instead of the classic Windows format domainname\username. So a UPN is basically a suffix appended to a username, which can be used in place of the sAMAccountName to authenticate a user. Let’s say your company is called ABC: instead of ABC\Username you can use username@ABC.com at the authentication prompt.

An additional UPN suffix can simplify the logon information for users in domains with long names. Example: instead of “username@this.is.my.long.domain.name.in.atlanta.com”, users can type “username@atlanta” if you create a UPN suffix called atlanta.

Adding a UPN suffix to Active Directory (via AD Domains and Trusts) is very simple (a Global Catalog server is required; see the note at the end of this post). See here, or follow the steps below to add a UPN suffix to a forest:

“Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
Click Add, and then click OK.

Now when you add users to the forest, you can select the new UPN suffix to complete

the user’s logon name.”
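The same change from PowerShell, as an added example that is not from the post or from the quoted Microsoft article: add the suffix to the forest with the ActiveDirectory module and then rewrite the UPNs of the users in one OU to the shorter form. The suffix atlanta, the OU distinguished name and the assumption that the caller holds Enterprise Admin rights (needed for Set-ADForest) are mine.

```powershell
# Added example (ours): add a UPN suffix and apply it to users in one OU.
# Assumes the ActiveDirectory RSAT module and Enterprise Admin rights.
Import-Module ActiveDirectory

$Suffix = 'atlanta'                                               # assumed suffix
$OU     = 'OU=Atlanta,DC=this,DC=is,DC=my,DC=long,DC=domain,DC=name,DC=in,DC=atlanta,DC=com'  # assumed OU

$Forest = Get-ADForest
if ($Forest.UPNSuffixes -notcontains $Suffix) {
    # -UPNSuffixes takes a hashtable with Add / Remove / Replace keys
    Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $Suffix }
    "Added UPN suffix '$Suffix' to forest $($Forest.Name)"
} else {
    "UPN suffix '$Suffix' already present"
}

# Rewrite each user's UPN to sAMAccountName@suffix, skipping users already done.
# UPNs must be unique across the forest, so Set-ADUser errors are worth reading.
Get-ADUser -Filter * -SearchBase $OU -Properties UserPrincipalName |
    ForEach-Object {
        $NewUpn = "$($_.SamAccountName)@$Suffix"
        if ($_.UserPrincipalName -ne $NewUpn) {
            Set-ADUser -Identity $_ -UserPrincipalName $NewUpn
            '{0,-20} {1} -> {2}' -f $_.SamAccountName, $_.UserPrincipalName, $NewUpn
        }
    }
```

Run it once with -WhatIf added to Set-ADUser to see which accounts would change; in a multi-domain forest remember the note at the end of this post about needing a Global Catalog server for UPN logons.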

Terminology:
ADSI – This is an acronym for Active Directory Service Interface. A library of routines that provide an interface to various directories, such as the Windows NT user account database and Active Directory. ADSI can be used in VBScript, Visual Basic, Visual Basic for Applications, and other environments. Besides NT and Active Directory, ADSI also supports Novell bindery, Novell NDS, Internet Information Server (IIS), and other LDAP compliant directories.

LDAP – This stands for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active directory. However, the Windows NT user account database (the SAM account database on local computers) is not LDAP compliant.

WinNT – Windows NT namespace provider, supporting the Windows NT user account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.

PowerShell – Microsoft’s new scripting language and command line shell, based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with .ps1 extension.

Directory Service – Repository of network operating system information to manage users and resources in a network.

Active Directory – Microsoft’s directory service database for Windows 2000, 2003, and 2008 networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently, this has been called Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Directory Services, or AD LDS (formerly called Active Directory Application Mode, or ADAM).

AD DS – Acronym for Active Directory Domain Services.

AD LDS – Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM.

ADO – Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Searches using ADO are only allowed in the LDAP namespace. For more information, see ADO Search Tips.

WMI – Acronym for Windows Management Instrumentation. WMI is a new management technology allowing scripts to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups. WMI is built into clients with Windows 2000 or above, and can be installed on any other 32-bit Windows client.

ADsPath – A string that specifies an object in Active Directory or the NT SAM account database. In Active Directory, the ADsPath includes the provider (either “LDAP://” or “WinNT://”) and the path to the object in Active Directory. Using the LDAP provider, this path includes the Distinguished Name of the object.

Distinguished Name – A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. The Distinguished Name, sometimes abbreviated DN, specifies the name of the object (the Relative Distinguished Name) and the location of the object in the hierarchical structure of Active Directory. The DN of any object is a string of Relative Distinguished Names separated by commas.

Relative Distinguished Name – The name of an object in Active Directory relative to its location in the hierarchical structure of AD. The Relative Distinguished Name, sometimes abbreviated RDN, is the lowest-level component of the Distinguished Name. The RDN must be unique in the container (or OU), while the DN is unique in the forest.
Also

cn = Common Name
Active Directory Attribute = SAM-Account-Name
LDAP property = sAMAccountName

source: Names for Objects in Active Directory:

Well written article on name attributes

More on UPN

Good information on UPN with screenshots

NOTE:
When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.

Installation, Storage and Compute with Windows Server 2016

These are my personal study notes for the book https://www.amazon.com/70-740-Installation-Storage-Compute-Windows/dp/0735698821 and the exam https://www.microsoft.com/en-us/learning/exam-70-740.aspx. This is a supplementary book that should be used with other materials to prepare for the exam.

Chapter 1 Key Notes:

Install Windows Servers in host and compute environments.

Skills in this Chapter:

  • Install, upgrade, and migrate servers and workloads
  • Install and configure Nano Server
  • Create, manage, and maintain images for deployment

Skill 1.1: Install, upgrade, and migrate servers and workloads

  • Which Windows server should you install?
  • Which installation option should you use?
  • Which roles and features does the server need?
  • What virtualization strategy should you use?

Minimum hardware requirements for installing Windows Server 2016:

  • Processor: 1.4 GHz 64-bit
  • RAM: 512 MB ECC for Server Core, 2 GB ECC for Server with Desktop Experience
  • Disk space: 32 GB bare minimum on a SATA or comparable drive
  • Network adapter: Ethernet, with gigabit throughput
  • Monitor: Super VGA (1024 x 768) or higher
  • Keyboard and mouse
  • Internet (activation, Windows updates)

Windows Server 2016 does not support the use of ATA, PATA, IDE, or EIDE interfaces for boot, page, or data drives. Additional space is needed when installing Desktop Experience or additional roles, or when the computer has 16 GB or more of RAM. The additional disk space is required for paging, hibernation, and dump files.

Maximum hardware and Virtualization limits:

Processor maximums were at one time measured in the number of sockets; they are now measured in numbers of cores and logical processors.

The maximum hardware configurations for Windows Server 2016 are as follows:

  • Processor: A server host supports up to 512 logical processors (LPs) if Hyper-V is installed.
  • Memory: Up to 24 terabytes per host server and up to 12 terabytes per virtual machine.
  • VHDX size: Up to 64 terabytes.
  • Virtual machines: Up to 1,024 per host machine.
  • Virtual machine processors: Up to 240 per virtual machine.

* Intel processors have a feature called Hyper-Threading, which enables a single core to process two threads simultaneously. Intel processors count as two LPs per core when Hyper-V is running and one LP per core when Hyper-V is not running. AMD processors have one LP per core.

Determining the appropriate Windows Server 2016 edition per workload:

Questions to ask:

  • What roles and features will you need to run on the server?
  • How will you obtain a license for the server?
  • Will you be running Windows Server 2016 on a virtual or a physical machine?

Windows Server 2016 Editions:

  • Windows Server 2016 Datacenter: Intended for large and powerful servers in highly virtualized environments. It allows an unlimited number of operating system environments (OSEs) or Hyper-V containers. (OSE describes a Windows instance running on a computer; an OSE can be a physical or a virtual machine. For example, a server running Hyper-V plus one virtual machine counts as two instances.) Datacenter features include Storage Spaces Direct, Storage Replica, Shielded VMs and a new networking stack with additional virtualization options.
  • Windows Server 2016 Standard: Can run two OSEs and has the same core set of features as Datacenter, but lacks the storage and networking features.
  • Windows Server 2016 Essentials: Same features as Datacenter and Standard, but it does not include the Server Core installation option. It supports only one OSE and a maximum of 25 users and 50 devices.
  • Windows Server 2016 MultiPoint Premium Server: Used for academic licensing; enables multiple users to access a single server installation.
  • Windows Storage Server 2016: The Storage Server edition is bundled as part of dedicated storage hardware solutions.
  • Windows Hyper-V Server 2016: Available at no cost; it is only a hypervisor, without a GUI.

Storage Spaces Direct: Lets you use inexpensive drive arrays to create high-availability storage solutions without expensive arrays or controllers with built-in storage management intelligence. The intelligence is incorporated into the OS, enabling the use of JBOD (just a bunch of disks) arrays.

Storage Replica: Provides storage-agnostic, synchronous or asynchronous volume replication between local or remote servers using the SMB version 3 protocol.

Shielded Virtual Machine: Protects VMs from compromised administrators who have access to the Hyper-V host computer, by encrypting the VM’s state and its virtual disks.

Network controller: Provides a central automation point for network infrastructure configuration, monitoring, and troubleshooting.

Performing a mass deployment:

For a mass operating system deployment, you can use a server-based technology, such as Windows Deployment Services (WDS), to deploy image files automatically. WDS enables you to create boot images; one way of deploying the WDS boot image is to use the Preboot Execution Environment (PXE) feature included with most network interface adapters. PXE is built into the adapter’s firmware and enables a computer with no operating system to discover a Dynamic Host Configuration Protocol (DHCP) server on the network and request a configuration from it. The DHCP server supplies the client with the IP address of a WDS server, which the client then uses to connect to the server and download a boot image. The client system can then boot from that image and run a WDS client program that initiates the operating system installation.

Using PowerShell to install roles:

The basic syntax of the cmdlet is as follows: Install-WindowsFeature -Name featurename [-IncludeAllSubFeature] [-IncludeManagementTools]. To install a role or feature, you must use a PowerShell session with administrative privileges. Then, you must determine the correct name to use for the role or feature you want to install. To do this, you can list all of the roles and features available in Windows by running the Get-WindowsFeature cmdlet, the first part of which is shown in Figure 1-11.

You can also add the IncludeAllSubFeature parameter to install all of the subordinate components for a role. Unlike Server Manager, which automatically includes the management tools associated with a role when you install it, the Install-WindowsFeature cmdlet does not. If you want to install the Microsoft Management Console snap-in or other tools used to manage a role or feature, you must add the IncludeManagementTools parameter on the command line.

* In Windows Server 2016, you can no longer add or remove the GUI elements after the operating system installation. In addition, there is no Minimal Server Interface option, as there was in Windows Server 2012 R2. This means that, at installation time, you must choose between a full graphical interface, similar to that of Windows 10, and a command line only.

When you select the Windows Server Core installation option, you get a stripped-down version of the operating system. There is no Taskbar, no Explorer shell, no Server Manager, no Microsoft Management Console, and virtually no other graphical applications. However, running servers with the Server Core option has several advantages, including the following:

  • Hardware resource conservation: Server Core eliminates some of the most memory- and processor-intensive elements of the Windows Server 2016 operating system, thus devoting more of the system resources to running applications and essential services.
  • Reduced disk space: Server Core requires less disk space for the installed operating system elements, as well as less storage space devoted to memory swapping, which maximizes the utilization of the server’s storage resources.
  • Fewer updates: The graphical elements of Windows Server 2016 are among the most frequently updated features, so running Server Core reduces the number of updates that administrators must apply. Fewer updates also means fewer server restarts and less downtime.
  • Reduced attack surface: The less software there is running on the computer, the fewer entrances there are available for attackers to exploit. Server Core reduces the potential openings presented by the operating system, increasing its overall security.

Configuring Server Core:

Immediately after the installation, however, you might have to perform some basic post-installation tasks interactively, such as configuring the network adapter, renaming the computer, and joining the server to a domain.

With this information, you can select the interface of the adapter you want to configure and use a command like the following to configure it: New-NetIPAddress -InterfaceIndex 6 -IPAddress 192.168.0.200 -PrefixLength 24 -DefaultGateway 192.168.0.1

The functions of the command line parameters are as follows:

interfaceindex Identifies the adapter in the computer to be configured, using index numbers displayed by the Get-NetAdapter cmdlet.

ipaddress Specifies the IP address to be assigned to the adapter.

prefixlength Specifies the subnet mask value to be associated with the IP address. The numeral specifies the number of network bits in the IP address. For example, a prefixlength value of 24 is the equivalent of a subnet mask value of 255.255.255.0.

defaultgateway Specifies the IP address of a local router that the computer should use to access other networks.

To configure the DNS server addresses for the adapter, you use the Set-DnsClientServerAddress cmdlet, as in the following example: Set-DnsClientServerAddress -InterfaceIndex 6 -ServerAddresses ("192.168.0.1","192.168.0.2")

To rename the computer and join it to a domain, you can use the Add-Computer cmdlet, as in the following example: Add-Computer -DomainName adatum.com -NewName ServerB -Credential adatum\administrator

The functions of the command line parameters are as follows:

domainname Specifies the name of the domain that you want the computer to join

newname Specifies a computer name that you want to assign to the computer

credential Specifies the domain and account names for a domain user with domain join privileges
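The three post-installation steps above (address, DNS, rename and join) as one script, as an added example of my own rather than the book’s: it selects the adapter by name instead of a hard-coded interface index, clears any DHCP-assigned address first so the static one is not added alongside it, verifies the result before touching domain membership, and prompts for the join credential rather than embedding a password. The adapter name Ethernet is my assumption; the addresses, domain and computer name follow the book’s examples.

```powershell
# Added example (ours): Server Core post-install network configuration and
# domain join. Assumes an adapter named 'Ethernet'; other values follow the
# book's examples (192.168.0.x, adatum.com, ServerB).

$AdapterName = 'Ethernet'                 # assumed adapter name
$IPAddress   = '192.168.0.200'
$Prefix      = 24                         # equivalent to 255.255.255.0
$Gateway     = '192.168.0.1'
$DnsServers  = '192.168.0.1', '192.168.0.2'
$Domain      = 'adatum.com'
$NewName     = 'ServerB'

# Resolve the ifIndex from the name so the script survives index changes
$Adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$Index   = $Adapter.ifIndex

# Turn DHCP off and drop any address/default route it left behind
Set-NetIPInterface -InterfaceIndex $Index -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $Index -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $Index -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $Index -IPAddress $IPAddress `
                 -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $Index -ServerAddresses $DnsServers

# Verify before changing domain membership
$Assigned = (Get-NetIPAddress -InterfaceIndex $Index -AddressFamily IPv4).IPAddress
if ($Assigned -notcontains $IPAddress) {
    throw "Expected $IPAddress on $AdapterName but found: $($Assigned -join ', ')"
}
if (-not (Test-Connection -ComputerName $Gateway -Count 1 -Quiet)) {
    throw "Gateway $Gateway is not reachable; not attempting the domain join"
}

# Prompt for the password instead of storing it in the script
$Cred = Get-Credential -Message "Account with rights to join $Domain" -UserName "$Domain\administrator"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $Cred -Restart
```

On Server Core this is typed into the PowerShell prompt that sconfig or cmd gives you; once the computer restarts and is in the domain, the rest of the configuration can be done remotely with New-PSSession as described further down.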

Manage Windows Server Core installations using Windows PowerShell, the command line, and remote management capabilities

As an alternative to the Add-Computer PowerShell cmdlet, you can use the Netdom.exe tool from the command prompt to rename a computer and join it to a domain. To rename a computer, you use the following command: netdom renamecomputer %computername% /newname:newcomputername. To restart the computer after changing its name, you use the Shutdown.exe tool, as follows: shutdown /r. To join a computer to a domain using Netdom.exe, use the following command: netdom join %computername% /domain:domainname /userd:username /passwordd:*. In this command, the asterisk (*) in the /passwordd parameter causes the program to prompt you for the password of the user account you specified.

In Windows Server 2016, the Windows Remote Management (WinRM) service is enabled by default, so you can create a remote PowerShell session using the New-PSSession cmdlet, as in the following example: New-PSSession -ComputerName rtmsvrd

In this example, rtmsvrd is the remote Server Core computer you want to manage. Running this command creates a connection to the remote computer and assigns it an ID number, as shown in the figure:


STACKING CISCO SWITCHES

Each switch in the stack is referred to as a member of the stack. Members work together as a unified system, appearing administratively as a single switch. A switch stack of 3650s or 3850s (note you can’t mix these in a stack) can have up to nine stacking-capable switches connected through their StackWise ports.

The alternative way of interconnecting the switches would be to daisy-chain them using the ports on the front of the switch. Cosmetics aside, using StackWise is the better option for a number of reasons:

  • Doesn’t use up existing switchports
  • StackWise maximises bandwidth between switches in the stack (160G)
  • All switches in the stack appear as a single switch on the CLI
  • Hot pluggable/swappable

What’s the most efficient way to configure these switches into a stack?

We’ll cover three areas.

  1. Configuring a stack of new switches
  2. Adding or replacing a switch in an existing stack
  3. Upgrading IOS

CONFIGURE A NEW STACK


First, physically connect the switches using StackWise cables. Here’s Cisco’s recommendation:

[Figure: Cisco’s recommended StackWise cabling]

Note: The switch to be added to the stack must be powered off. Otherwise, the whole stack will reload.

1. Add the new switch to the stack by connecting the stack cables to the switch (every cable has a Cisco logo on the connector; it must be in the upright position) as shown in the picture below:

[Figure: stack cable connector with the Cisco logo upright]

Each switch has two stack ports to which StackWise cables are connected. Viewed from the rear as above, the stack port on the left is Port 1 and the one on the right is Port 2. This is true of all switches in the stack.

These two stack ports on each switch are connected to their neighbor, defined as physically located above and below. The top and bottom switches in the stack are neighbors for the purpose of this connectivity.

It doesn’t matter which ports we use to arrive at this connectivity (stack port 1 or 2), but without what is effectively a ring topology between all switches in the stack we won’t have redundancy should one of the StackWise connections fail. We then run the risk of the stack being “split” (into two stacks, due to lack of connectivity between switches) should only one link fail, resulting in connectivity issues for attached end devices as their shared network now exists in two different places. Another reason to stack the switches in a ring is that the StackWise cables are similar in function to a backplane in a chassis switch. Therefore, if a member only has connectivity to one neighbour we’ve halved its bandwidth (see note 1 below).

On to our lab. We have a stack of 3 x 3650s connected as per the above.

Switch#show switch stack-ports
Switch# Port1 Port2 
----------------------------
1 OK OK 
2 OK OK 
3 OK OK 

Switch#

OK. We’ve verified connectivity on each of the stack ports.

https://supportforums.cisco.com/document/12575126/how-form-catalyst-3850-data-stack-and-power-stack

CONCEPT: SWITCH STACK ROLES

  • Active – aka master. Operates the stack. Holds the running and startup configs for the stack. Only one active switch in the stack.
  • Standby – the “backup active” if there’s a problem. Only one standby switch in the stack.
  • Member – a switch in the stack that isn’t an active or standby switch. All other switches in the stack have this role.

Just as with OSPF DR election, the stack master is non-preemptive. This means that, to engineer the desired stack roles, the order in which switches are powered on can affect which switch in the stack becomes the active aka the master switch (although if we did use this method it’s a pretty poor way of doing it – see note 2 below). In view of the above output, in our lab the switches are physically stacked as follows:

[Figure: physical stack order with each switch’s MAC address]

In our lab the switches were taken out of sealed boxes, connected with StackWise cables in the recommended way and powered on simultaneously.

Switch#show switch 
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                          H/W   Current
Switch#  Role    Mac Address   Priority Version  State 
------------------------------------------------------------
*1      Active   74a0.2f45.2380    1      V01    Ready 
 2      Standby  74a0.2f58.7180    1      V01    Ready 
 3      Member   a0ec.f936.4d00    1      V01    Ready 

Switch#

Why have the switch roles resulted as per the above show switch output?

The answer is that, should all switch priorities be equal, the switch with the LOWEST MAC address wins and takes the active role. The next lowest MAC in the stack takes the standby role, that is, it will take over as active should the current active fail (in which case a re-election is avoided and there is no interruption to service). Other switches in the stack assume the member role, up to the maximum total stack size of 9 switches.

The switch stack will operate fine in this configuration with one bugbear…

CONCEPT: SWITCH # (MEMBER NUMBER)

Note the first column in the show switch output above. Out of the box a switch has a default member number of 1 (see note 1 below). Observe that the member numbers have been derived from the switch role, with the active role taking member number 1. It’s the member number that determines the interface numbering for a switch in the stack.

A member number of 1 means the interfaces on that individual switch will be Gi1/0/1-48. However, in our lab this switch is physically the second switch in the stack! Similarly, Gi2/0/1-48 are on the standby switch, physically the first switch in the stack. To make administration of the switches less confusing, let’s reconfigure the member numbers on the stack to align with how the switches are physically stacked.

Switch#switch 1 renumber 2
WARNING: Changing the switch number may result in a configuration change for that 
switch. The interface configuration associated with the old switch number will 
remain as a provisioned configuration. Do you want to continue?[y/n]y
Switch#switch 2 renumber 1
WARNING: Changing the switch number may result in a configuration change for that 
switch. The interface configuration associated with the old switch number will 
remain as a provisioned configuration. Do you want to continue?[y/n]y
Switch#show switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                           H/W   Current
Switch#   Role   Mac Address    Priority Version  State 
------------------------------------------------------------
*1       Active  74a0.2f45.2380    1      V01     Ready 
 2       Standby 74a0.2f58.7180    1      V01     Ready 
 3       Member  a0ec.f936.4d00    1      V01     Ready

Switch#wr
Building configuration...
Compressed configuration from 6558 bytes to 2242 bytes[OK]

Switch#show switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                           H/W   Current
Switch#   Role   Mac Address    Priority Version  State 
------------------------------------------------------------
*1       Active  74a0.2f45.2380    1      V01     Ready 
 2       Standby 74a0.2f58.7180    1      V01     Ready 
 3       Member  a0ec.f936.4d00    1      V01     Ready
Switch#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]y
<snip>
Press RETURN to get started!


Switch>en
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                            H/W   Current
Switch#   Role   Mac Address     Priority Version  State 
------------------------------------------------------------
 1      Standby  74a0.2f58.7180     1       V01    Ready 
*2      Active   74a0.2f45.2380     1       V01    Ready 
 3      Member   a0ec.f936.4d00     1       V01    Ready 

Switch#

Note that whilst our original member numbers were derived from switch role, reconfiguring member numbers has no influence on election of active/standby. In this case the Active and Standby roles are still elected using mac address, all priority values being equal.

With our interface numbering fixed by changing the member number, aligning the logical switch numbering with the physical, it’s worth noting that technically it doesn’t really matter which switch is active and standby. Convention is to configure these roles as physical switch 1 and switch 2 in the stack respectively.

CONCEPT: SWITCH PRIORITY

Each switch in the stack has a priority value between 1 and 15, default 1 out of the box. Rather than relying on the mac address tie breaker during election of the active and standby switches, we can manually engineer which switch we want to assume these roles by changing the priority value. Higher is better. Let’s change the priority of physical switch 1 at the top of our stack to 15 to ensure it takes on the active role.

Switch#switch 1 priority 15
WARNING: Changing the switchpriority may result in a configuration change for that
switch. Do you want to continue?[y/n]y
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                            H/W   Current
Switch#   Role   Mac Address     Priority Version  State 
------------------------------------------------------------
 1      Standby  74a0.2f58.7180     15      V01    Ready 
*2      Active   74a0.2f45.2380     1       V01    Ready 
 3      Member   a0ec.f936.4d00     1       V01    Ready 

Switch#

Note that whilst the priority value has changed the role has not, election being non-preemptive. A reboot will cause a re-election using the revised priority values. For brevity, let’s also change the priority values of physical switches 2 and 3, then reload the whole stack.

Switch#switch 2 priority 14
WARNING: Changing the switchpriority may result in a configuration change for that
switch. Do you want to continue?[y/n]y
Switch#switch 3 priority 13
WARNING: Changing the switchpriority may result in a configuration change for that
switch. Do you want to continue?[y/n]y
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                            H/W   Current
Switch#   Role   Mac Address     Priority Version  State 
------------------------------------------------------------
 1      Standby  74a0.2f58.7180     15      V01    Ready 
*2      Active   74a0.2f45.2380     14      V01    Ready 
 3      Member   a0ec.f936.4d00     13      V01    Ready 

Switch#reload
<snip>
Press RETURN to get started.

Switch>sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                            H/W   Current
Switch#   Role   Mac Address     Priority Version  State 
------------------------------------------------------------
*1      Active   74a0.2f58.7180     15      V01    Ready 
 2      Standby  74a0.2f45.2380     14      V01    Ready 
 3      Member   a0ec.f936.4d00     13      V01    Ready
Switch>

Note that by setting the priority value of physical switch 1 to 15, physical switch 2 to 14 etc. we also influence the logical switch member number to align with the physical switches. This results in our interface numbering being correct. So, if we want a quick and easy way to set up a switch stack, priority is the single value to change (see the quickstart guide to provisioning a stack using only priority here).

Better understanding switch roles and member numbers however will assist with any troubleshooting when provisioning or making changes to existing switch stacks.

Quickstart: Provisioning a new stack

Step 1 Rack em and stack em. Physically install all switches to be stacked in a powered off state. Connect all stackwise cables. Did I mention don’t power on the switches?

Step 2 Power on physical switch 1 (top of stack). Insert a usb stick containing your preferred IOS into the usb slot on the front of the switch and copy the image to flash.

Switch#copy usbflash0:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin]? 
Copy in progress...
322991728 bytes copied in 52.370 secs (6167495 bytes/sec)

Switch#verify /md5 flash:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin
...Done!
verify /md5 (flash:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin) 
= 71d48b44bb5ec13d4b4d47d8c3dc9dd7

You can find the md5 of the file on Cisco.com or grab it from the file using md5 checker software, e.g. WinMd5 (other md5 checkers are available).

Step 3  Enable auto-upgrade of IOS. This will be used by other switch members joining the stack. This is off by default.

Switch(config)#software auto-upgrade enable

Step 4  Change the switch priority of physical switch 1 to priority 15, save. Now initiate the software upgrade which will also reload the switch.

Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                   H/W    Current
Switch#   Role    Mac Address    Priority Version State 
------------------------------------------------------------
*1       Active   74a0.2f45.2380     1      V01   Ready 

Switch#switch 1 priority 15
WARNING: Changing the switchpriority may result in a configuration change for that
switch. Do you want to continue?[y/n]y
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                   H/W    Current
Switch#   Role    Mac Address    Priority Version State 
------------------------------------------------------------
*1       Active   74a0.2f45.2380     15     V01   Ready 

Switch#
Switch#wr 
Switch#software install file flash:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin 
Preparing install operation ... 
[1]: Starting install operation 
[1]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin 
[1]: Copying package files 
[1]: Package files copied 
[1]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.07.03.E.152-3.E3.bin 
[1]: Verifying and copying expanded package files to flash: 
[1]: Verified and copied expanded package files to flash: 
[1]: Starting compatibility checks 
[1]: Finished compatibility checks 
[1]: Starting application pre-installation processing 
[1]: Finished application pre-installation processing 
[1]: Old files list: Removed cat3k_caa-base.SPA.03.06.00E.pkg Removed cat3k_caa-drivers.SPA.03.06.00E.pkg Removed cat3k_caa-infra.SPA.03.06.00E.pkg Removed cat3k_caa-iosd-universalk9.SPA.152-2.E.pkg Removed cat3k_caa-platform.SPA.03.06.00E.pkg Removed cat3k_caa-wcm.SPA.10.2.102.0.pkg 
[1]: New files list: Added cat3k_caa-base.SPA.03.07.03E.pkg Added cat3k_caa-drivers.SPA.03.07.03E.pkg Added cat3k_caa-infra.SPA.03.07.03E.pkg Added cat3k_caa-iosd-universalk9.SPA.152-3.E3.pkg Added cat3k_caa-platform.SPA.03.07.03E.pkg Added cat3k_caa-wcm.SPA.10.3.130.0.pkg 
[1]: Creating pending provisioning file 
[1]: Finished installing software. New software will load on reboot. 
[1]: Committing provisioning file 
[1]: Do you want to proceed with reload? [yes/no]: yes 
[1]: Reloading Switch#

Step 5  Power on physical switch 2 (next one down). This will be the standby switch for the stack. The switch will reload twice, the second time due to auto-upgrade of the IOS before it joins the stack.

Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                   H/W    Current
Switch#   Role    Mac Address    Priority Version State 
------------------------------------------------------------
*1       Active   74a0.2f45.2380     15     V01   Ready 
 2       Standby  74a0.2f58.7180     1      V01   Ready

Now change the priority of the second physical switch to 14.

Switch#switch 2 priority 14 
WARNING: Changing the switchpriority may result in a configuration change for that
switch. Do you want to continue?[y/n]y
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Mac persistency wait time: Indefinite
                                   H/W    Current
Switch#   Role    Mac Address    Priority Version State 
------------------------------------------------------------
*1       Active   74a0.2f45.2380     15     V01   Ready 
 2       Standby  74a0.2f58.7180     14     V01   Ready

Step 6  Continue working down the stack powering on each additional member switch, one at a time. There’s no need to wait for each switch to fully boot before powering on the next, as a switch joining the stack will take the lowest available member number. To ensure this order remains after a reboot, continue to decrement the switch priority, i.e. physical switch 3 priority 13, switch 4 priority 12 etc. as you onboard each switch. Once you have configured all the member switches, save and reload the entire stack. Verify.

CHANGING AN EXISTING STACK

SWAPPING OR ADDING A SWITCH IN AN EXISTING STACK

Pitfall 1: Adding a switch that’s already powered on to the stack (i.e. before you connect the stack cables to it) will cause the entire stack to reload and potentially re-elect roles (see note 3). For uninterrupted service, ensure the switch being added or removed is powered down/off before connecting or disconnecting stack cables to/from it. This also minimises the risk of accidentally splitting the stack as you disconnect stackwise cables, depending on how they are connected up.

If swapping a switch, provided that the replacement is the exact same model it will automatically take up the relevant config and operate as per the one removed.

ADDING MULTIPLE SWITCHES TO AN EXISTING STACK

Just as with provisioning a new stack, power on each switch you’re adding to an existing stack top down in the order they are physically stacked. A switch is automatically assigned the next lowest available stack member number when it enters the stack. You can then fix its place in the stack topology by changing the priority value. Use the

Switch#reload slot [switch member number]

command to reload each newly provisioned switch individually to verify the stack member numbers are stable on reboot.

REMOVING STACK CONFIGURATION FROM A SWITCH

Have you ever powered on a switch that has been taken out of production only to find that it has old stack configuration on and the interface numbers start with gi3/0/1? Annoying. Have you ever carried on working with it in this state regardless because you couldn’t remember the commands to reset the stack configuration? Don’t be that guy.

There are two ways to tackle this.

Option 1: Go nuclear. Factory reset the switch

Note: This is an option listed in the Cisco documentation, however in my testing this didn’t reset the stack priority to 1, i.e. the pre-factory-reset value was retained.

Step 1 No need to cycle power. Erase the startup-config if it exists (see note 4 below). Whilst the switch is powered press and hold the Mode button. The switch LEDs begin blinking after about 3 seconds.

Step 2 Continue holding down the Mode button. The LEDs stop blinking after 7 more seconds, and then the switch restarts.

Option 2: Reconfigure the existing stack configuration

There’s no way to turn off or reset the stack feature on 3650/3850s. Even a standalone switch runs in a stack, albeit on its own. The following command is present in a switch that has just been factory defaulted and powered up standalone.

switch 1 provision ws-c3650-48pd

Verification

Switch#show switch
Switch/Stack Mac Address : 74a0.2fc4.4600 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W  Current
Switch#  Role      Mac Address    Priority Version State 
------------------------------------------------------------
*1      Active     74a0.2fc4.4600    1       V01   Ready

Switch#

Here’s a switch that’s been removed from a stack of two.

Switch#show run | in provision
switch 1 provision ws-c3650-48pd 
switch 2 provision ws-c3650-48pd
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f59.dd80 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W  Current
Switch#  Role      Mac Address    Priority Version State 
------------------------------------------------------------
*1      Active     74a0.2f59.dd80    14      V01   Ready 
 2      Member     0000.0000.0000    0       0     Provisioned

Provisioned means there was a switch there but it’s not there any more. We can Unprovision this redundant switch and upon the next reload it won’t be there any more.

Switch(config)#no switch 2 provision ws-c3650-48pd
Switch(config)#end
Switch#sh switch
*Jun 22 23:29:14.255: %SYS-5-CONFIG_I: Configured from console by consolewitch
Switch/Stack Mac Address : 74a0.2f59.dd80 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W  Current
Switch#  Role      Mac Address    Priority Version State 
------------------------------------------------------------
*1      Active     74a0.2f59.dd80    14      V01   Ready 
 2      Member     0000.0000.0000    0       0     Unprovisioned

Switch#

removes the old stack config.

Switch#switch 1 priority 1

restores the default priority. Neither of our changes will take effect until after a reload.

Switch#reload
<snip>
Press RETURN to get started.
Switch#sh switch
Switch/Stack Mac Address : 74a0.2f59.dd80 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W  Current
Switch#  Role      Mac Address    Priority Version State 
------------------------------------------------------------
*1      Active     74a0.2f59.dd80    14      V01   Ready
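Tying the election rules and the Provisioned state together, here is an added example (not code from the original post) that audits a show switch table: it applies the election order described above (highest priority, then lowest mac address) to say who will be active after the next reload, checks the convention that active and standby sit on members 1 and 2, and flags Provisioned rows left behind by a removed switch. The sample tables and mac addresses are constructed, and the row pattern assumes the column layout seen in this post’s outputs.

```python
import re

# Constructed sample in the post's 'show switch' format, mirroring the state
# after 'switch 1 priority 15' but before the reload (MACs are constructed).
SAMPLE = """\
Switch/Stack Mac Address : 74a0.2f45.2380 - Local Mac Address
Switch#   Role   Mac Address     Priority Version  State
------------------------------------------------------------
 1      Standby  74a0.2f58.7180     15      V01    Ready
*2      Active   74a0.2f45.2380     1       V01    Ready
 3      Member   0000.0000.0000     0       0      Provisioned
"""

# Constructed: all priorities equal, so the lowest MAC should hold Active.
SAMPLE_EQUAL = """\
*1       Active  74a0.2f45.2380    1      V01     Ready
 2       Standby 74a0.2f58.7180    1      V01     Ready
 3       Member  a0ec.f936.4d00    1      V01     Ready
"""

ROW = re.compile(
    r"^(?P<active>\*?)\s*(?P<num>\d+)\s+(?P<role>\w+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<prio>\d+)\s+"
    r"(?P<hw>\S+)\s+(?P<state>\w+)\s*$")

def parse_show_switch(text):
    """One dict per member row; header, separator and MAC lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["num"], d["prio"] = int(d["num"]), int(d["prio"])
            d["active"] = d["active"] == "*"   # leading '*' marks current Active
            rows.append(d)
    return rows

def expected_order(members):
    """Election order from the post: highest priority first, lowest MAC breaks
    ties. Only Ready members take part; index 0 is the expected Active."""
    live = [m for m in members if m["state"] == "Ready"]
    return sorted(live, key=lambda m: (-m["prio"], m["mac"]))

def audit(text):
    """Return findings; an empty list means the stack matches the rules."""
    members = parse_show_switch(text)
    order = expected_order(members)
    findings = []
    # Election is non-preemptive: a live stack keeps its roles until a
    # reload, so a mismatch here means the next reload will re-elect.
    if order and not order[0]["active"]:
        findings.append(f"switch {order[0]['num']} (priority {order[0]['prio']})"
                        " will take the Active role on the next reload")
    # Post's convention: Active on member 1, Standby on member 2 (Gi1/0/x, Gi2/0/x).
    for want, role, m in zip((1, 2), ("Active", "Standby"), order):
        if m["num"] != want:
            findings.append(f"expected {role} switch {m['num']} is not member "
                            f"{want}; interface numbering breaks convention")
    # A Provisioned row is a switch that was removed but never unprovisioned.
    for m in members:
        if m["state"] == "Provisioned":
            findings.append(f"switch {m['num']} is Provisioned but absent; "
                            f"'no switch {m['num']} provision <model>' then reload")
    return findings
```

Running audit() on the first sample reports that switch 1 will take over as active on reload and that switch 3 is a stale Provisioned entry; the equal-priority sample produces no findings.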

SUMMARY

For simple stack setup change the switch priority value.

Be aware of all stack configuration options (i.e not just priority) that can affect the stack topology.

Take note of the order of operation when making changes to switch stacks to minimise disruption.

NOTES

1. The mode button on the front of the switch is not only useful for checking the stack priority. Look at the port LEDs on the last two ports on the switch (10 gig or SFP ports). If both are lit, this visual indicator shows the switch is operating at full stack bandwidth. We can also verify this on the CLI.

Switch#show switch stack-ring speed

Stack Ring Speed : 160G
Stack Ring Configuration: Down
Stack Ring Protocol : StackWise

2. Power up the switch you wish to be active first, on its own. It’s a one horse race. Any switches powered up 2 mins after this will not participate in the election. Note this approach wouldn’t guarantee a stable stack topology on reload. A final note on non-preemptive behaviour: if the active switch is removed from the stack the standby switch becomes active. Any switch subsequently re-inserted into the stack with a higher priority (even if it is the original active switch) will not cause the active switch to release its role or an election to be triggered.

3. Result of connecting two powered standalone switches together using a single stackwise cable. Despite having different priorities, each calls a stack merge and both reload.

Switch#
*Jun 22 21:13:59.869: %STACKMGR-1-STACK_LINK_CHANGE: 1 stack-mgr: Stack port 2 on switch 1 is up 
*Jun 22 21:14:00.252: %IOSXE-3-PLATFORM: 1 process stack-mgr: : -Traceback=1#87f75377a54ddceb043862d594ac8de7 :54DA2000+9B564 :54DA2000+1F854 :54DA2000+67B54 :54DA2000+5E5D4 :54DA2000+60914 ngwcutils:2B263000+BE84 ngwcutils:2B263000+DA3C pthread:2AD53000+5DC8 
*Jun 22 21:14:00.262: %IOSXE-3-PLATFORM: 1 process stack-mgr: : -Traceback=1#87f75377a54ddceb043862d594ac8de7 :54DA2000+1F854 :54DA2000+67B54 :show 
<Wed Jun 22 21:14:00 2016> Message from sysmgr: Reason Code:[4] Reset Reason:Reset/Reload requested by [stack-manager]. [stack merge]

Unmounting ng3k filesystems...
Unmounted /dev/sda3...
Warning! - some ng3k filesystems may not have unmounted cleanly...
Please stand by while rebooting the system...
Restarting system.

Booting...

4. Output of pressing the mode button before and after erasing the startup-config:

Switch#
*Jun 22 20:37:36.950: %EXPRESS_SETUP-6-MODE_BUTTON_RESET_IGNORED: mode button pressed for more than 10Sec and startup config is present hence not reloading
Switch#erase startup-config 
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#
*Jun 22 20:38:06.795: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#
consoleless_setup_process: Entering Setup Mode
*Jun 22 20:38:15.625: %EXPRESS_SETUP-6-MODE_ENTERED: 
*Jun 22 20:38:40.953: %EXPRESS_SETUP-5-CONFIG_IS_RESET: The configuration is reset and the system will now reboot
*Jun 22 20:38:46.209: %SYS-5-RELOAD: Reload requested by NGWC led process. Reload Reason: Reload due to Express Setup.