Akzium_Blog - Akzium

Multiple DHCP Scopes in Windows Server DHCP

2/5/2026

If you're using a Windows server as a DHCP server, you can configure multiple DCHP scopes for different VLANs. There are two main concepts to understand for this setup: 1) Each scope needs a route to reach the intended VLAN via the route setting in the scope; 2) Your core switch that controls your VLAN settings needs to have a "helper IP" set to know where to route DHCP requests on each VLAN. In addition to these settings, the DCHP server's assigned VLAN and static IP address must have the ability to reach each VLAN segment that it is serving via inter-VLAN routing if the DCHP server only has a single network interface.

So, don't put your DCHP server on a VLAN with other servers or devices that should not be reachable by endpoint devices that it is servicing for DCHP requests. For example, don't put your DCHP server on your servers VLAN and have it serve up DCHP requests for your Guest Wifi VLAN.

Also, just a quick note about the Filters setting. Filters are applied to the entire DHCP server instance, not on a per-scope basis. If you enable ALLOW filtering, only those MAC addresses listed in the Allow filter list will get an IP address via DCHP. All other DHCP requests will be denied. If you enable DENY filtering, any MAC address in the Deny filter list will be denied an IP address while all other devices will be assigned an IP.

Installing Uptime Kuma on Ubuntu 24.04

5/5/2025

These instructions assume the installation of Ubuntu 24.04 has already been done. The example USERID for the Ubuntu login will be UbuntuUser. The example USERID for the Uptime Kuma admin screen will be KumaAdmin. Adjust instructions accordingly.

Log in to the Ubuntu instance and launch a terminal window.
In our example, this will put us in the /home/UbuntuUser folder.
Verify your folder ID by typing pwd at the terminal command promt

sudo apt-get update -y

sudo apt-get upgrade -y

sudo apt-get install nodejs -y

sudo node -v to check the nodejs installed version

sudo apt-get install git -y

sudo git clone https://github.com/louislam/uptime-kuma.git

You can verify the git clone process by typing ls -l at the prompt which should now show an uptime-kuma folder

sudo apt-get install npm --no-install-recommends

at the /home/InsertUserIDHere prompt type: cd uptime-kuma

sudo npm run setup
*this will install uptime-kuma

sudo npm install pm2 -g

**PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime, and to facilitate common system admin tasks.

sudo pm2 install pm2-logrotate

*You should see output similar to the image below:

Verify your location is still /home/InsertUserIDhere

cd uptime-kuma
*type pwd to verify location is /home/InsertUserIDHere/uptime-kuma

sudo pm2 start server/server.js --name uptime-kuma

*You should see output similar to the image below:

If you do not see this output, then type:

sudo pm2 status

Now, type:

sudo pm2 startup

sudo pm2 save

cd /etc/systemd/system

sudo nano pm2-root.service

find the line labeled Environment=PATH=....

go to the end of the line

add the following: :/home/InsertUserIDHere/uptime-kuma/server
*note: be sure to include the : and do not put a space after the end of the previous entry on the line

Ctrl+O to write file edits to disk. Ctrl+X to exit nano editor

Now, we'll install the Nginx web server:

sudo apt-get install nginx -y

sudo nano /etc/nginx/conf.d/kuma.conf

Add the following lines:

server {
listen 80;
servername kuma.example.com;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}

Ctrl+O to write file to disk. Ctrl+X to exit nano editor.

Now, copy the kuma.conf file to /etc/nginx/sites-available folder by typing:

sudo cp /etc/nginx/conf.d/kuma.conf /etc/nginx/sites-available/kuma
*note: leave the .conf off of the target filename

Now, create a symbolic link in the /etc/nginx/sites-enabled folder to the kuma file in the /etc/nginx/sites-available folder

sudo ln -s /etc/nginx/sites-available/kuma /etc/sites-enabled/kuma

Verify the link by:
cd /etc/nginx/sites-enabled
sudo ls -la
There should be a kuma symbolic link file in the /etc/nginx/sites-enabled folder

Remove the Nginx default website link
cd /etc/nginx/sites-enabled
sudo rm /etc/nginx/sites-enabled/default
sudo ls -la

Reboot the host:
sudo reboot

Now, you should be able to navigate within the Kuma host linux system using a browser to:
http://localhost:3001

This will bring up the initial setup Kuma administrator login screen.

**NOTE: Be careful in choosing your admin USERID here as there is not a simple process for changing this ID once it is created and written into the SQLlite database.

Remove Ghost Network Adapters in Windows

4/19/2025

Ghost adapters left behind by physical-to-virtual conversions have been an issue since the early days of virtualization. The Great VMWare Exodus has brought this issue back into the limelight as Broadcom customers begin to abandon VMware in favor of more customer-friendly Type 1 Hypervisor companies.

If you're preparing to migrate a VMware virtual machine over to, let's say a KVM-based Type-1 Hypervisor environment, there are several preparation steps that should be undertaken, the first of which will be to change the network adapter from a static IP addresss to a DHCP address, and to remove the VMware Tools. If you forget to remove VMware tools prior to conversion, the converted VM may not boot. If you forget to manipulate the network LAN adapter settings, you could end up with a "ghost" adapter, one that has entries in the Windows registry, but that does not show up in device manager. If you also forgot to change the static IP address to a DHCP address, the static IP could be "trapped" by the ghosted adapter and Windows will give you error messages saying another adapter already has that IP address.

Here's how to "reveal" those ghosted adapters so you can clean up the mess left behind by a hypervisor platform migration.

1. Launch a command prompt as administrator in the VM.
2. Run: set devmgr_show_nonpresent_devices=1 (press enter)
3. Launch Device Manager (devmgr.msc)
4. In Device Manager -> View select "Show Hidden Devices"
5. Scroll down to Network Devices and expand
6. Ghost adapters will be greyed out - right click and Uninstall
7. Select Action -> Scan for Hardware Changes to refresh device list
8. Repeat as necessary until all ghost adapters are removed

Windows OS Hub has a write-up on this process here: https://woshub.com/remove-hidden-ghost-network-adapter-windows/

Interworks has a blog post about the topic here:
https://interworks.com/blog/ijahanshahi/2014/08/21/removing-hidden-device-device-manager/

The official VMware-to-Proxmox conversion instructions are here:
https://pve.proxmox.com/wiki/Migrate_to_Proxmox_VE

Scale Computing has their own SC//Migrate toolkit to make VMware to Scale migrations easy:
https://www.scalecomputing.com/resources/sc-migrate-data-sheet

Windows Server Change Time Commandline

4/15/2025

Ever join a server to the domain and forgot to change the time zone beforehand, then the Time Zone GUI change options are greyed out? There's a way around that using either a command line option or via PowerShell.

Option1: Invoke CMD as administrator
tzutil /g (displays current time zone)
tzutil /l (displays all time zone options)
tzutil /s "Central Standard Time" (sets time zone)
tzutil /g (to verify change)

Option2: Invoke Powershell as administrator
Get-TimeZone
Get-Timezone -ListAvailable
Set-Timezone -Id "Central Standard Time"
Get-TimeZone

Add email aliases to personal Gmail accounts

4/14/2025

Creating email aliases for work emails is common, but did you know you can also create emails aliases for your (at)gmail(.)com email address using Gmail+ email aliases? Example: if your email is bobsmith(at)gmail you can create an alias email such as bobsmith+myamazonorders(at)gmail, use that alias for receiving emails and they will come to the inbox for your primary email account.

Here are the steps:
1. Log in to your personal gmail account in a browser
2. Go to the Settings gear icon at the top right
3. See all settings
4. Go to the Accounts and Import tab
5. Navigate down to Send Email As section
6. Click on Add another email address
7. The the email address box type your email addres and a + sign and whatever you want to add to it (ex: bobsmith+myamazonorders(at)gmail, but use the actual at sign. LinkedIn keeps trying to link when I attempt to use it in a post.
8. Make sure the "Treat as an alias" box is checked

Now you can use this alias email as a filter or in some cases to sign into a website that is having problems directing you do different sign-in functions using the same email address.

MailMeteor has a good write-up outlining the steps here: https://mailmeteor.com/blog/gmail-alias

Streak has a blog post about the process here: https://www.streak.com/post/gmail-plus-addressing-trick

*kudos to Streak for the cool graphic below this post.

Easy File Server Migrations

4/7/2025

The registry key that contains all of the shares and share permissions on a Windows file server is located: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
and the Security subkey. You can export this key set from your current file server, mount the shares data drive to a new server with an updated OS and import this registry key to restore all of the shares and their associated permissions. Since you've moved the data drive to the new server, all files retained their NTFS permissions. Also, this detach/re-attach process assumes you're not using DFS.

So, step by step (assuming you're doing this in a virtual environment):
1) Create new VM with virtual HDD for OS
2) Install new OS, patch, update, etc. (Do not join to domain yet)
3) Export registry key from old file server
4) Copy registry key file to new file server
4) Unjoin old file server from domain
5) Change server name and IP address of old file server and shut down
6) Detach data volume virtual disk from old file server
7) Change server name and IP address of new file server to match old server and reboot sever
8) Join new file server to domain
9) Attach data drive virtual disk to new file server and mount with same drive letter as it had on the old file server
10) Import registry key from old file server
11) Reboot new file server

Instructions for Exporting Registry Key from old server:
Navigate to:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Right click on Shares in the left-side view window
Select Export
Name file. Example: filesharesexport.reg
copy this file to the new server

Instructions for Importing Registry Key to New Server:
Open Registry Editor on the new server.
Go to File > Import
Navigate to the location where you copied the .reg file.
Double-click the .reg file to start the import process.
You may be prompted to confirm the import, click "Yes" to proceed.
The registry key will be added to the registry on the new server.

At this point your new file server has the data volume mounted from the old file server and the shares permissions have been imported. I'll make a separate post on some ways to consolidate the new VM data files with the old server data virtual disk into a single folder.

*edit: One problem we have become aware of in using this process is the shared folder OWNER permissions. If the shared folder on the source system is OWNED by a LOCAL administrator user, the NTFS and share permissions of the sub-folders WILL NOT be applied on the target system. Local user \\Server1\Administrator is NOT the same as local user \\Server2\Administrator, even though the names are the same. To "fix" the issue, we changed the OWNER of the root folders on the source system to a DOMAIN admin user with local admin rights on the source and target servers. After that change, the sub-folder permissions were applied properly on the target system after the .reg key import. This is also a problem if sub-folder permissions were granted using local users instead of domain users on the source host.

If you are migrating a physical file server to a virtual machine, or possibly migrating a VM-based file server to an new VM on a different platform, you can create a root shared folder on the target system, map a drive to the shared folder from the existing file server, and use a robocopy job to copy the data to the new server.

Example1: robocopy e:\rootshare r:\remoteshare /e /copy:datso /z /MT:128

Example 2: robocoy e:\rootshare r:\remoteshare /mir /z /MT:128 /LOG+:logfilename.log

After the copy job finishes and is validated, export the registry key that stores the share permissions data from the existing file server and then import the exported .reg file into the new file server's registry.

I recently had a customer's file server boot drive MBR record get irreparably corrupted. We mounted the boot volume to the new file server as a data disk, used the remote registry mount utility to mount the \Windows\System32\Config\SYSTEM registry file and export the shares registry key. When you use the remote mount utility you have to give it a temporary name. Thus, when you export the key the registry file header data has the temporary name in the (2) header paths instead of the correct header path names. We had to correct those using notepad to edit the .reg file two header data paths as follows before attempting to import the shares key into the new file server.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security]

Don't forget to change the notepad save settings to *.* to preserve the .reg file extension.

Link to all Robocopy Commands: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy

Windows 11 24H2 Bypass Microsoft Account Requirement

4/1/2025

Microsoft is removing the OOBE\BYPASSNRO.cmd command from the Windows 11 installer in yet another attempt at forcing every Windows 11 PC to have a Microsoft online account. The good news is that NeoWin is reporting that there's another workaround available.

1. Start Windows 11 Setup
Begin the Windows 11 Setup Process.
Select your region and keyboard layout.

2. Stop at the Secondary Keyboard Layout Screen
When you reach the Secondary Keyboard Layout screen, DO NOT click Skip.

3. Open the Developer Console
Press Ctrl + Shift + J to open the Developer Console.
Your screen will go dark and will appear with a prompt (indicated by a > symbol) at the top left of the screen.

4. Enter the Restart Command
Type the following command exactly as shown:
WinJS.Application.restart("ms-cxh://LOCALONLY")
Note: This command is case-sensitive. You can use Tab-completion to help:
After typing WinJS.A, press Tab to auto-complete Application.
After typing res, press Tab to auto-complete restart.

5. Exit the Developer Console
After entering the command, press Enter to execute it.
Press Escape to exit the Developer Console and return to the OOBE interface.
Note: If the Escape key doesn't close the Console, click anywhere on the screen to ensure the console is focused and then press the key again.

6. Local Account Setup
The Secondary Keyboard Layout screen will refresh, and a Windows 10-style local account setup screen will appear.
Enter your desired username, password, and security questions and click Next.

7. Complete the Setup
The Setup will go black and will then log you in to your newly created account. Allow Windows 11 a few moments to configure the user.
Continue with the remaining privacy setting prompts.
Once finished, you will have successfully created a local account in Windows 11.

Here's a link to the write-up on NeoWin: https://www.neowin.net/news/forget-bypassnro-a-new-internetaccount-bypass-during-windows-11-installs-already-exists/

Here's a fiery Reddit thread discussing the disappearance of the BypassNRO command from the Windows 11 installer ISO: https://www.reddit.com/r/pcmasterrace/comments/1jmgia4/microsoft_is_removing_the_bypassnro_command_which/

Use AWS EC2 VM and IIS to Share Files

3/27/2025

If you need to share large files over an internet connection, one easy way to do that is to spin up an Amazon AWS EC2 virtual server running Windows and the IIS Role and use the virtual directory feature in Microsoft IIS. The real key to ensuring that the files in the shared folder linked to the virtual directory default to "file -> download" when clicked on is to edit the MIME Types function. For each type of file in the virtual directory shared folder (e.g.: .ISO, .EXE, .MSI, .DOC, .PDF, .ZIP, .TGZ, etc.) change the MIME Type flag to file/download. Once you do this, when the user clicks on the file in the browser it will open the file download window. If you don't edit the MIME Type for each file extension that will be in your shared folder, when you click on the file you will get a 404 Error.

One note here is that if using Chrome or Edge and you do NOT install an SSL certificate on the IIS server, it will flag the download as unsecure. If the "Keep" option isn't working properly, you can click on the download icon in the browser toolbar to close the download window and then click it again to re-open the download option window, click on the > to expand the download item prompt, which should give you the option to "Download Insecure File".

One way to restrict access to this publicly-facing IIS file hosting server is to use the AWS EC2 Security Groups - Inbound Rules to only allow HTTP access to the EC2 VM from specific public IP addresses. Once in place, only those public IPs on the Inbound - Allow rules list will have HTTP (port 80) access to the EC2 VM. **NOTE: Be sure to give YOUR public IP address HTTP Allow access for testing. The default rule allows RDP access, which should be edited to restrict access from only YOUR public IP address.**

**EDIT**: I took this "easy" file sharing up a notch by creating a self-signed SSL certificate using Git Bash, importing the certificate into IIS and also into my personal certificates store on my local PC, and binding SSL in IIS using the new self-signed certificate. Now I can access the site using HTTPS and the browser doesn't prompt the download as "insecure".
Launch Git Bash for Windows
$ winpty openssl genrsa -out awsserver.key 4096
$ winpty openssl req -key awsserver.key -out awsserver.csr
*answer prompts*
$ winpty openssl x509 -req -days 3650 -in awsserver.csr -signkey awsserver.key -out awsserver.crt
$ winpty openssl x509 -in awsserver.crt -text -noout (*this verifies certificate)
$ winpty openssl pkcs12 -export -out awsserver.pfx -inkey awsserver.key -in awsserver.crt
*this creates PFX file to import into IIS
** Don't forget to add a DNS entry, either into your local DNS server or your PC's hosts file (Windows/system32/drivers/etc)

Moving Windows Server 2022 Recovery Partition

3/13/2025

When doing a scratch install of Windows Server 2022, some brainiac at Microsoft thought it was a good idea to place the recovery partition at the end of the Disk 0 Volume. So, when you need to extend your "C" drive, you end up with the recovery partition blocking the way. Here are the steps to resolve this issue (and I'm assuming you've already added space to the virtual disk).

Step1: Remove Existing Recovery Partition
Run CMD as Administrator and execute the following command: reagentc /disable
C:\>reagentc /disable
Next, run DiskPart and execute the following commands:
diskpart
list disk
select disk 0 (or whatever happens to be the disk ID with the recovery partition)
list partition
select partition 4 (again, select the appropriate partition listed as the Recovery Partition)
list partition (ensure the recovery partition has a * beside it)
delete partition override (this deletes the recovery partition)
list partition (the recovery partition should now be deleted)

Step #2: Go into Computer Management and navigate to Disk Management

Right click on the "C" partition and select "extend" and click Next

Reduce the size of the extension by 1GB (see image below as example) to reserve space for the new recovery partition.

Finish task. Now, the "C" partition should be larger and there should be at least 1GB left at the end.

Step #3: Create a New Recovery Volume
Right-click on unallocated space
Choose Simple Volume
NTFS
No Drive Letter
Leave Partition Name Blank
Finish task.
Step #5: Return to CMD as Administrator and DiskPart
Run the following commands:
List Disk
Select Disk 0 (or other as appropriate)
List Partition
Select Partition 4 (this should be the new partition you just created in disk manager)
set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001

Step #6: Exit DiskPart and Return to Administrative Command Prompt; Re-Enable Recovery Partition

C:\>reagentc /enable

Return to Computer Management->Disk Management

Partition should now show as Healthy (Recovery Partition)

Windows 11 Pro Sandbox

1/25/2025

Windows Sandbox is a lightweight virtual machine that allows users to run applications in isolation from the host operating system by creating a temporary, isolated instance of Windows that runs separately from the host machine. Sandbox was introduced in the Windows 10 update 1903 in May 2019. Since then Microsoft has (slowly) continued to enhance the feature set of the Sandbox environment. Recent updates to Windows 10/11 Sandbox include features like enhanced clipboard redirection, control over audio/video input, the ability to share folders with the host PC, and improved configuration options for managing the virtual hard disk (VHD) size and detachment, allowing for more flexibility in managing the Sandbox environment.

To script installations of apps when launching Windows Sandbox, you need to use the "LogonCommand" option in the Windows Sandbox configuration file, which allows you to specify a command or script that will run automatically when the Sandbox starts up; essentially, you create a script containing your installation commands and then point the LogonCommand to that script file which is mapped into the Sandbox as a shared folder.

Create a script:
Write a PowerShell or batch script that includes the installation commands for the software you want to automatically install in the Sandbox.

Map the script folder:
In your Windows Sandbox configuration file, use the "MappedFolders" option to specify the folder on your host machine where your installation script is located, allowing the Sandbox to access it.

Set the LogonCommand:
Within the configuration file, use the "LogonCommand" tag to point to the path of your installation script within the mapped folder.

"MappedFolders":
This section specifies that the "C:\Users\YourUser\Scripts" folder on the host machine will be accessible within the Sandbox.

"LogonCommand":
This line sets the command that will run when the Sandbox starts, which in this case is the "InstallApps.ps1" script located in the mapped folder.

Example (using PowerShell):
Script (named "InstallApps.ps1"):

Code

Start-Process -FilePath "C:\path\to\installer.exe" -ArgumentList "/silent", "/norestart"

# Add more installation commands for other applications as needed

*note: The sandbox runs with a limited user account ("WDAGUtilityAccount"), so ensure your scripts have appropriate permissions to install software.

Also, you cannot directly link an AD Group Policy Object (GPO) to the Sandbox itself because it is a temporary, isolated environment that does not join the domain; however, you can configure the Sandbox using a configuration file (.wsb) to apply specific settings that mimic certain group policy behaviors. There are also limited Local Group Policy settings available in: "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Windows Sandbox".

Here's the link to the Microsoft Learn article on Sandbox:https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file