Channel: Microsoft System Center Virtual Machine Manager

HOTFIX: Localized VMM Administrator console fails to connect after you install VMM 2012 R2 Update Rollup 6

After you install VMM 2012 R2 Update Rollup 6, a localized version of the Virtual Machine Manager administrator console fails to connect. A hotfix is now available that resolves this issue.

For more details regarding this problem as well as a download link to a hotfix that resolves it, please see the following:

KB3065235 - Localized Virtual Machine Manager Administrator Console fails to connect after you install VMM 2012 R2 Update Rollup 6 (https://support.microsoft.com/en-us/kb/3065235)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/


How to update untrusted hosts in System Center 2012 R2 Virtual Machine Manager

~ Somaning Turwale | Support Escalation Engineer

This post covers managing untrusted hosts in System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2). Adding Hyper-V hosts or Hyper-V host clusters in an untrusted Active Directory domain as managed Hyper-V hosts in Virtual Machine Manager (VMM) is documented here: https://technet.microsoft.com/en-in/library/gg610609.aspx.

NOTE Be aware that during the agent installation, VMM generates a certificate that is used to secure communications with the host. When VMM adds the host, the certificate is automatically imported into the VMM server’s trusted certificate store.

How to update the Untrusted VMM agents

When an Update Rollup (UR) is installed on the VMM server, all managed hosts show a Needs Attention status. However, when you try to update the agent on an untrusted host, the following error message is displayed:

Error (10436)
Virtual Machine Manager does not support updating or re-associating an agent on a host that is in a non-trusted domain or on a perimeter network.

Recommended Action
If the host is in a non-trusted domain, remove the host (RINKU.Contoso.com) from VMM in the VMs and Hosts workspace of the VMM console. Then, use the Add Hosts Wizard to add the host and automatically install a new agent.
If the host is on a perimeter network, after you remove the host from VMM, you must manually uninstall the VMM agent from the host computer, install a new agent locally on the host, and then add the host to VMM.

As stated in the error message, the host or cluster can be removed and re-added. However, this approach will cause an issue if service templates are deployed on these untrusted hosts.

The following procedure should be used when updating the VMM agent on untrusted hosts:

1. Take a full backup of the System Center 2012 R2 Virtual Machine Manager database.

2. Log in to the untrusted host and uninstall the VMM agent using Add/Remove Programs.

3. Copy the latest VMM agent installation files from C:\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\agents\amd64 on the VMM server to a temporary location on the host. In my case I am upgrading to Update Rollup 6, so I copied the 3.2.8002.0 version to the host.

4. Open an elevated Command Prompt (Run as Administrator) on the host.

5. From the Command Prompt, change the path to the location where you copied the installation files (e.g. CD C:\temp\3.2.8002.0).

6. From the Command Prompt, run the command below:

VMMagent.msi NONTRUSTEDMACHINE=1 ENCRYPTIONKEY=********** CREDENTIALEXPORTDIRECTORY=\\localhost\admin$ WSMANPORT=5986 BITSPORT=443 REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Windows\system32 CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=6836

Note that the command above is one line and may wrap on your display.

7. The VMM Agent installation wizard will open. Click Next to continue.

8. The wizard will prompt for the encryption key. Retype the encryption key and confirm the information.

9. Follow the wizard to install the agent.

10. Once the agent is installed successfully, go to Computer Management\Local users and Groups\Users.

11. You will see the local user created by the VMM agent installation with a name similar to SCVMM as shown in the screen shot below:

12. Go to the Properties of the local user and on the Member of tab add the user to the “Virtual Machine Manager Servers” group.

13. Click Start, then Run, then run certlm.msc

14. Expand the Personal store.

15. Locate the certificate with a friendly name starting with SCVMM_CERTIFICATE_KEY_CONTAINER.

16. Right-click on that certificate and select All Tasks and then choose Export… Follow the wizard's prompts and choose the default options.

17. Copy the exported certificate to the VMM server.

18. On the VMM server, repeat steps 13 through 16.

19. Expand Trusted People.

20. Delete the existing certificate for the untrusted host.

21. Right-click on Trusted People, select All Tasks and then Import.

22. Browse to the path where you copied the certificate on step 21.

23. Once the import is successful, open the VMM console and refresh the host.

24. The host should now show a status of OK.
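
The certificate hand-off in the procedure above (export from the host's Personal store, replace the entry in Trusted People on the VMM server) can also be scripted. The PowerShell below is an added example, not part of the original post or of VMM itself; the function names, the file path, and the rule that the old Trusted People entry carries the host's FQDN in its subject are assumptions. It exports the public certificate only and checks the thumbprint on the VMM server before the certificate is trusted.

```powershell
# Added example: scripted form of the certificate export/import steps above.
# Function names, paths and the subject-matching rule are assumptions.

function Export-VmmAgentCertificate {
    # Run on the untrusted host after the new agent has been installed.
    param([string]$OutFile = 'C:\temp\vmm-agent.cer')   # placeholder path

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -like 'SCVMM_CERTIFICATE_KEY_CONTAINER*' })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one VMM agent certificate, found $($certs.Count)."
    }

    # -Type CERT writes the public certificate only; the private key never leaves the host.
    Export-Certificate -Cert $certs[0] -FilePath $OutFile -Type CERT | Out-Null

    # Return the thumbprint so it can be given to the VMM administrator
    # separately from the file and compared before import.
    [pscustomobject]@{
        Path       = $OutFile
        Thumbprint = $certs[0].Thumbprint
        NotAfter   = $certs[0].NotAfter
    }
}

function Import-VmmAgentCertificate {
    # Run on the VMM server once the .cer file has been copied over.
    param(
        [Parameter(Mandatory=$true)][string]$CerPath,
        [Parameter(Mandatory=$true)][string]$ExpectedThumbprint,
        [Parameter(Mandatory=$true)][string]$HostFqdn
    )

    # Load the file without installing it and confirm it is the certificate
    # the host actually generated.
    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($new.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: file has $($new.Thumbprint). Certificate not imported."
    }

    $store = 'Cert:\LocalMachine\TrustedPeople'

    # Assumption: the stale entry for this host has the host FQDN in its subject.
    $stale = @(Get-ChildItem $store | Where-Object {
        $_.Subject -like "*$HostFqdn*" -and $_.Thumbprint -ne $new.Thumbprint
    })
    foreach ($old in $stale) {
        Write-Host "Removing old certificate $($old.Thumbprint) ($($old.Subject))"
        Remove-Item -Path $old.PSPath
    }

    Import-Certificate -FilePath $CerPath -CertStoreLocation $store
}

# On the untrusted host:
#   Export-VmmAgentCertificate
# On the VMM server (values below are placeholders):
#   Import-VmmAgentCertificate -CerPath 'C:\temp\vmm-agent.cer' `
#       -ExpectedThumbprint '<thumbprint reported by the host>' `
#       -HostFqdn '<host FQDN>'
```

After the import, refresh the host in the VMM console as described in the final steps.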

Somaning Turwale | Support Escalation Engineer | Microsoft GBS Management and Security Division

Summary of Virtual Machine Manager news and sessions from Microsoft Ignite 2015

Ignite was a busy week for the VMM team! If you weren’t able to catch everything we did on-site, you can see a summary of our news and sessions below.

Platform Vision & Strategy (6 of 7): What’s New in System Center for Management

http://channel9.msdn.com/Events/Ignite/2015/BRK2459

  • Great for an all up view across System Center
  • VMM content starts at 26:40

Microsoft System Center Virtual Machine Manager: Technical Overview and Roadmap

https://channel9.msdn.com/Events/Ignite/2015/BRK2473

  • Overview of features recently available through URs and the Operations Management Suite as well as roadmap and announcements about vNext.

Announcements:

  • Initial management of VMware 5.5 in 2012 UR6

vNext announcements:

  • Bare metal ease of use improvements
  • Rolling upgrade support
  • Improved Diff Disk management
  • Simplified logical switch creation and deployment
  • Guarded host and shielded VM support
  • Storage replication automation with ASR
  • Improved Storage Monitoring with SCOM
  • Software load balancer and network controller support
  • CDN support for guests
  • SOFS with Storage Spaces Direct and with SAN storage automation
  • Storage QoS policy management

Demos:

  • User voice
  • Azure view in UR6
  • Capacity management with the Microsoft Operations Management Suite
  • Disaster Recovery using Azure Site Recovery
  • Rolling upgrade
  • Spaces Direct

Managing and Securing the Fabric

http://channel9.msdn.com/events/Ignite/2015/BRK3502

Announcements:

  • Shielded VM support in VMM
  • Mixed mode cluster support in VMM
  • Cluster rolling upgrade orchestration through VMM

Demos:

  • Creating a shielded VM
  • Creating a shielded VM template
  • Configuring a guarded host
  • Cluster rolling upgrade orchestration through VMM

Managing Storage with Microsoft System Center Virtual Machine Manager: A Deep Dive

http://channel9.msdn.com/events/Ignite/2015/BRK3498

Demos:

  • Hyperconverged block storage management
  • Managing Scale-out File Server backed by SAN
  • Deployment and management of Storage Spaces Direct
  • Site to Site Disaster Recovery with Azure Site Recovery
  • Site to Azure Disaster Recovery with Azure Site Recovery and NetApp NPS

Deploying Hyper-V Network Virtualization

http://channel9.msdn.com/events/Ignite/2015/BRK3492

  • Great overview of HNV Networking
  • Why deploy network virtualization?  Value proposition behind deploying network virtualization in the datacenter.
  • How to prepare your infrastructure for network virtualization.
  • Isolating network traffic and configuring QoS.
  • Detailed explanation of the various HNV Gateway roles
  • Configuration of Multi-tenancy in the Gateways and Firewall requirements
  • Integrating HNV Gateways with your infrastructure
  • Insider tips and tricks for making network virtualization really perform

Demos:

  • Step-by-step deployment of HNV Networks including NVGRE Gateways!
  • Setup Logical Networks
  • Setup Static IP Pools
  • Create and configure Logical Switches and Port Profiles
  • Logical Switch Deployment
  • Deployment and configuration of Windows Server 2012 R2 NVGRE NAT Gateway.
  • Hidden tips and gotchas with HNV Network Deployments
  • HNV Diagnostics PowerShell script for validating HNV Gateway deployments and troubleshooting configuration and connectivity issues included in the presentation deck!

Enjoy!

Jonobie Ford | Senior Program Manager | Microsoft

Support Tip: Microsoft Windows Azure Pack Usage data stops being collected

~ Brian McDermott | Escalation Engineer

If you use Microsoft Windows Azure Pack and WAP Usage used to work but has now mysteriously stopped working then this post is for you. If it has never been working then you need to first set it up and configure it correctly, and you need to read this instead. However, if it still isn’t working after you have done all of that, read on for some tips on how to get it going again.

Be aware that while WAP Usage may not be working for the reason I list below, this is not the only possible reason. I promise more articles will follow covering some of those other reasons but I have to start somewhere.

What needs to be working for WAP Usage to work

1. Virtual Machine Manager.
2. The VMM to Operations Manager connection.
3. Operations Manager.
4. The OperationsManager DB to OperationsManagerDW DB synchronization workflows.
5. The OperationsManagerDW data aggregation workflows.
6. Service Provider Foundation (SPF).
7. The SCSPFDB.
8. The Usage service.
9. The UsageDB.

If WAP usage has stopped working then it has stopped working somewhere in the middle of this, somewhere at the edges, or somewhere in the detail between the bits I have listed.

This article will only cover one very particular way it can stop, and I will follow up with additional blogs on the others.

VM display names and SQL DB tables

When designing your application, one of the things you need to think about is how your application will store its data. A very popular way to do this is to use a SQL database as your store. In fact, it is so popular that the Usage service uses no fewer than seven databases, and once you include the end-user billing systems, it is often many more. If you are using a SQL DB then when you are creating your tables you need to specify for each column how big the entries are going to be.

When it comes to WAP Usage we defined the maximum size of certain property tables to be 64 characters, as that is the maximum size of a VM name when you are creating it from VMM (which is what WAP does). When you are creating VMs this way, it cannot be any longer. Unfortunately, as the data is arriving in the Usage DB via the OperationsManagerDW DB, it is possible that some VMs that have their data in the OperationsManagerDW have been created outside of WAP and are managed outside of WAP, and that the VM names have been changed to contain more than 64 characters outside of WAP.

It should be noted that the VM display name is not the same thing as the computer name of the VM, but is rather how VMM displays the name of the VM in its console.

When VM names contain more than 64 characters

So what happens when a VM display name is changed to contain more than 64 characters? Put simply, WAP Usage breaks.

The data will have been gathered into the OperationsManager DB and the OperationsManagerDW DB, and it will have been correctly aggregated, however when the SPF service attempts to pull this data into the SPF Usage tables it will fail.

If you enable SPF debug logging then you will find entries logged similar to this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-ServiceProviderFoundation" Guid="{1111d4e2-0e8e-1b8b-af11-faa11ad42a01}" />
  <EventID>11</EventID>
  <Version>0</Version>
  <Level>2</Level>
  <Task>65523</Task>
  <Opcode>0</Opcode>
  <Keywords>0x0</Keywords>
  <TimeCreated SystemTime="2015-04-27T14:53:47.925530600Z" />
  <EventRecordID>14718</EventRecordID>
  <Correlation />
  <Execution ProcessID="2592" ThreadID="3056" ProcessorID="4" KernelTime="39" UserTime="3359" />
  <Channel>Microsoft-ServiceProviderFoundation/Analytic</Channel>
  <Computer>computer.contoso.com</Computer>
  <Security UserID="S-1-5-21-123456789-123456789-123456789-1234567" />
 </System>
 <EventData>
  <Data Name="component">7</Data>
  <Data Name="context">{ABCDEF12-3456-7890-ABCD-EF1234567890}</Data>
  <Data Name="elapsedMilliseconds">0</Data>
  <Data Name="activityName">WebAuthentication Call</Data>
  <Data Name="activityId">{ABCDEF12-3456-7890-ABCD-EF1234567890}</Data>
  <Data Name="parentActivityName">none</Data>
  <Data Name="parentActivityId">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="message">The SPF Usage Metering Retriever encountered an error while attempting to retrieve usage data.  All SCSPFDB database changes have been rolled back.  Failure information: The given value of type String from the data source cannot be converted to type nvarchar of the specified target column..</Data>
 </EventData>
</Event>

How to tell if this is the problem

Run the following SQL against the Operations Manager DB:

 

USE OperationsManager
SELECT DisplayName, LEN(DisplayName) AS [No. of Chars]
FROM BaseManagedEntity
WHERE FullName LIKE 'Microsoft.SystemCenter.VirtualMachineManager.2012.VirtualMachine:%'
  AND LEN(DisplayName) > 64

This will list the names of all VMs that have been given a display name that can break the Usage service.

Please note that if none are listed then this isn’t your problem.

The fix

The easiest way to fix this is to rename the listed VM names so that they are less than or equal to 64 characters, using the console where it was changed in the first place (Hyper-V or VMM). Once done, wait for the data flow to move through and Usage will commence once again.

As I mentioned above, it is possible there are other causes of a breakage in the WAP usage service and I will be adding to this post with some more in the very near future. If this isn’t your problem then keep watching.

Brian McDermott | Escalation Engineer | Microsoft GBS Management and Security Division

KB: How to install, remove, or verify update rollups for Virtual Machine Manager 2012 R2

We have a new Knowledge Base article available with information on how to complete the following in System Center 2012 R2 Virtual Machine Manager:

- How to back up the Virtual Machine Manager database
- How to install a Virtual Machine Manager update rollup
- How to check whether an update rollup installed successfully
- How to remove an update rollup
- How to check whether an update rollup was removed successfully
- How to restore a database backup in Virtual Machine Manager

For all the details please see the following:

KB3066343 - How to install, remove, or verify update rollups for Virtual Machine Manager 2012 R2 (https://support.microsoft.com/en-us/kb/3066343)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Microsoft Virtual Machine Manager Network Object Fundamentals

System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2) is an essential tool used to deploy Microsoft private and public clouds, but before you begin building clouds it is important to understand the fundamental networking objects in VMM. These networking objects form the network infrastructure of your cloud, including the virtual networks that you or your tenants create.

All of the new terms and concepts can be a little confusing at first, so we’ve created an article that covers the basics that you need to understand before you move on to more complex topics such as advanced VMM features and functions or planning and designing private and public clouds. These topics include:

You can check out these topics and more here.

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Update Rollup 7 for System Center 2012 R2 Virtual Machine Manager is now available

We are happy to announce that Update Rollup 7 (UR7) for Microsoft System Center 2012 R2 Virtual Machine Manager is now available for download. Please see the following Knowledge Base article for details about the fixes and installation instructions for VMM 2012 R2:

3066340 Update Rollup 7 for System Center 2012 R2 Virtual Machine Manager

Please note that Microsoft recommends that all of the System Center 2012 R2 subcomponents be upgraded to the same Update Rollup version. You can upgrade different System Center subcomponents in any desired sequence. Be aware that using subcomponents that are at different Update Rollup versions could lead to compatibility issues and is not a Microsoft supported scenario. For all the latest information regarding Update Rollup 7 for System Center 2012 R2 please see the following:

3069110 Description of Update Rollup 7 for System Center 2012 R2

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Update Rollup 10 for System Center 2012 Virtual Machine Manager Service Pack 1 is now available

 We are happy to announce that Update Rollup 10 for System Center 2012 Virtual Machine Manager Service Pack 1 (VMM 2012 SP1) is now available for download. There are three updates available for System Center 2012 Virtual Machine Manager SP1: One for servers, one for the administrator console and one for the guest console.

Please see the following Knowledge Base article for details about the fixes and installation instructions for VMM 2012 SP1:

3076889 Update Rollup 10 for System Center 2012 Virtual Machine Manager Service Pack 1

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

KB: How to reassociate orphaned VMs with a service instance or VM role in VMM 2012 R2 Update Rollup 7

When you have Microsoft System Center 2012 R2 Virtual Machine Manager with Update Rollup 7 (VMM 2012 R2 UR7) or a later version in your VMM environment, you can now reassociate an orphaned virtual machine with its Service or VM role after the host server is recommissioned with VMM. This is helpful if Service or VM role VMs are orphaned during the host add or remove cycle. It is also helpful for implementing Recovery and Backup scenarios for Services and VM roles.

For complete details and instructions on how to reassociate a VM, please see the following:

KB3083085 - How to reassociate orphaned virtual machines with a service instance or VM role in System Center 2012 R2 with Update Rollup 7 (http://support.microsoft.com/kb/3083085)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

How to Deploy Host Guardian Service using Service Templates in VMM Tech Preview 3

~ Maha Ibrahim | Senior Software Engineer

Host Guardian Service (HGS) is a main component for configuring guarded hosts and running shielded VMs in Windows Server and System Center Virtual Machine Manager Technical Preview 3.

In this post we will demonstrate how to automate the deployment of Host Guardian Service using VMM service templates. The resulting Host Guardian Service instance can be used for your test or demo environments.

First, we will cover the relevant VMM service template configuration details, then show the steps needed to import and deploy the Host Guardian service template that can get you a virtualized HGS instance in just a few clicks.

This post assumes you have some background about using VMM service templates, however if you’re interested in more details about HGS outside of the scope of this article you can refer to Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or http://aka.ms/shieldedvms

Requirements

  1. Microsoft System Center Virtual Machine Manager – Technical Preview 3 – Download link
  2. Windows Server Technical Preview 3 Virtual Hard Disk Image – Download link

Host Guardian Service VMM Service Template

Now let’s start with details about how we’re configuring the Host Guardian Service using VMM service template.

There are 2 key configurations for the template:

1. Enable the Windows Server role for “Host Guardian Service” in the operating system configuration of the service template.


2. Run application configuration scripts to install and configure the Host Guardian service. For this purpose we are using two scripts: Install-HostGuardianService.ps1 and Configure-HostGuardianService.ps1. To make it simple, both of the scripts are placed in a single custom resource folder named HostGuardianServiceScripts.cr.

Now let’s take a deeper look at the contents of the two scripts:

Install-HostGuardianService.ps1

 
# Purpose: Install Host Guardian Service (HGS)
# Arguments: <HGS Domain Name> <Safe Mode Admin Password>
# Example: ./Install-HostGuardianService.ps1 Relecloud.com Pass@word1

param(
    [Parameter(Mandatory=$true)]
    [string]$HgsDomainName,

    [Parameter(Mandatory=$true)]
    [string]$HgsSafeModeAdminPassword
    )

Set-ExecutionPolicy RemoteSigned -Force

# The password arrives as plain text from the VMM service setting; convert it for the HGS cmdlets.
$adminPassword = ConvertTo-SecureString $HgsSafeModeAdminPassword -AsPlainText -Force

Write-Host "Test HGS Pre-requisites.`n"
Test-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword;

Write-Host "Install HGS Server.`n"
Install-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword;

Write-Host "Exit and Reboot.`n"

# Exit code 3011 lets VMM orchestrate the reboot per the restart policy of the application script.
[Environment]::Exit(3011)

In a nutshell, the script tests the prerequisites of the machine, installs the Host Guardian Service, then exits with an exit code that allows VMM to orchestrate the machine reboot per the restart policy of the application script.

In the service template, the parameters are passed to the script through VMM service settings.

Configure-HostGuardianService.ps1

 
# Purpose: Configure Host Guardian Service (HGS)
# Arguments: <HGS Server Name> <HGS Domain Name> [AD Mode] [Fabric AD Group SID] [Fabric DNS IP Address] [Fabric Domain Name] [Fabric Domain User] [Fabric Domain Password]
# Example1: AD Mode Partial Configuration:  ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com
# Example2: TPM Mode Full Configuration:    ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 0
# Example3: AD Mode Full Configuration:     ./Configure-HostGuardianService.ps1 MyHgsService Relecloud.com 1 S-1-5-21-3623811015-3361044348-30300820-1013 1.2.3.4 Fabric.com FabricAdmin pass@word1

param(
    [Parameter(Mandatory=$true)]
    [string]$HgsServiceName,

    [Parameter(Mandatory=$true)]
    [string]$HgsDomainName,

    [Parameter(Mandatory=$false)]
    [bool]$AdMode=$true,

    [Parameter(Mandatory=$false)]
    [string]$FabricAdGroupSid,

    [Parameter(Mandatory=$false)]
    [string]$FabricDnsIpAddress,

    [Parameter(Mandatory=$false)]
    [string]$FabricDomainName,

    [Parameter(Mandatory=$false)]
    [string]$FabricDomainUser,

    [Parameter(Mandatory=$false)]
    [string]$FabricDomainPassword

    )

Write-Host "Wait some time to give ADWS a chance to be ready before proceeding.`n"
Start-Sleep -Seconds 300

# Self-signed certificates for HGS communication, signing and encryption (test or demo environments).
$communicationCert = New-SelfSignedCertificate -DnsName "$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

$signingCert = New-SelfSignedCertificate -DnsName "Signing-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

$encryptionCert = New-SelfSignedCertificate -DnsName "Encryption-$env:computername.$env:userdnsdomain" -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable

# Trust the self-signed communication certificate on the HGS machine itself.
Export-Certificate -Cert $communicationCert -FilePath 'c:\communication.cer'

Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath 'C:\communication.cer'

Write-Host "Initialize HGS Server.`n"

$params = @{
            HgsServiceName = $HgsServiceName
            EncryptionCertificateThumbprint = $encryptionCert.Thumbprint
            SigningCertificateThumbprint = $signingCert.Thumbprint
            CommunicationsCertificateThumbprint = $communicationCert.Thumbprint}

if ($AdMode -eq $true)
{
    $params.TrustActiveDirectory = $true
}

Initialize-HgsServer @params -Force -Confirm:$false

if ($AdMode -eq $true)
{
    Write-Host "Configure AD Based Attestation.`n"

    if ($FabricDnsIpAddress)
    {
        Write-Host "Add DNS Server forwarder to fabric domain.`n"
        Add-DnsServerForwarder -IPAddress $FabricDnsIpAddress
    }

    if ($FabricDomainName -and $FabricDomainUser -and $FabricDomainPassword)
    {
        Write-Host "Set domain trust"
        netdom trust $HgsDomainName /domain:$FabricDomainName /userd:$FabricDomainName\$FabricDomainUser /passwordd:$FabricDomainPassword /add
    }

    if ($FabricAdGroupSid)
    {
        Write-Host "Add Host Group Policy to HGS Server.`n"
        $GroupPolicyName = "HostGroup_" + $FabricAdGroupSid
        Add-HgsAttestationHostGroup -Name $GroupPolicyName -Identifier $FabricAdGroupSid
    }
}

else
{
    Write-Host "Configure TPM Based Attestation.`n"
    # Each subfolder is optional; its files are registered only if the folder exists.
    if (Test-Path .\TpmHosts)
    {
        Write-Host "Add TPM Hosts.`n"
        Get-ChildItem -Path .\TpmHosts | ForEach-Object { Add-HgsAttestationTpmHost -Name $_.BaseName -Path $_.FullName }
    }

    if (Test-Path .\TpmPolicies)
    {
        Write-Host "Add TPM Policies.`n"
        Get-ChildItem -Path .\TpmPolicies | ForEach-Object { Add-HgsAttestationTpmPolicy -Name $_.BaseName -Path $_.FullName }
    }

    if (Test-Path .\CIPolicies)
    {
        Write-Host "Add CI Policies.`n"
        Get-ChildItem -Path .\CIPolicies | ForEach-Object { Add-HgsAttestationCIPolicy -Name $_.BaseName -Path $_.FullName -ConvertToHash }
    }
}

This script has a number of input parameters that enable customizations which in turn will result in the desired configuration for your HGS server, whether using AD or TPM based attestation.

For AD trust mode, the values for the parameters will control whether to configure the domain trust and DNS forwarder to the fabric domain, and whether to add the SID of the fabric AD group. Fabric hosts that are joined to this AD group are deemed guarded by HGS.

For Trusted Hardware TPM Mode, the content of the HostGuardianServiceScripts.cr subfolders determines whether, and which, TPM hosts and/or policies are added to the HGS server. If you want to add Code Integrity Policies, TPM hosts and TPM policies, include the necessary files in the respective subfolders in your library before deploying the service configuration.

The HostGuardianServiceScripts.cr custom resource holds the two scripts together with the subfolders that Configure-HostGuardianService.ps1 checks for: TpmHosts, TpmPolicies and CIPolicies.

For details about how to create the files for TPM hosts, Code Integrity Policy or TPM policy, refer to the Windows Server TechNet articles about Guarded Fabric and Shielded VMs or http://aka.ms/shieldedvms

In the service template, the parameters are passed to the script through VMM service settings.

The full parameters field is shown below for reference.

-file .\Configure-HostGuardianService.ps1 @HgsServiceName@ @HgsDomainName@ @AdMode@ @FabricAdGroupSid@ @FabricDnsIpAddress@ @FabricDomainName@ @FabricDomainUser@ @FabricDomainPassword@

Note that the order of the service settings must match the script parameters.

Now we should have a good understanding of the configuration required to orchestrate the deployment of the virtualized Host Guardian Service using VMM service template. The next section will cover how to download the service template, import it and deploy the Host Guardian Service.

Install Steps

1. Download the compressed file from this download link.

2. Extract the custom resource folder HostGuardianServiceScripts.cr and copy it to your VMM library, then refresh the library share.

3. Create a Run As Account to be used for the Local Administrator of the HGS machine.

4. Verify that the Windows Server Technical Preview 3 VHD is imported in the VMM library.

5. Import the XML file as a VMM service template and map the resources according to resources included in the library.

6. If needed, open the computer tier properties and update the product key in the operating system configuration.

7. Save and configure deployment.

8. Specify the VM Network to be used.

9. Specify the service settings per the configuration of the desired deployment, for example for a full-fledged AD mode HGS server or for a TPM mode HGS server.

For a TPM mode HGS server, host, code integrity and CI policies will be added to the HGS server only if the respective files are included in the subfolders as referred to earlier. If the files do not exist at the time of deployment, extra configuration steps will be needed before the HGS server can be used for host guarding.

Now that the service configuration is ready to be deployed, click Deploy Service and wait for the job to complete. Once complete, you’ll have a Host Guardian Service instance up and running!

Troubleshooting Tips

- When specifying the values for the service settings, choose different names for the HgsServiceName and the ComputerName of the VM.

- If for any reason the service deployment failed, retrying the failed service deployment job may not work since the virtual machine would have joined a different domain than what VMM expects. Investigate the cause of the failure and remediate in a new service deployment job.

- For failure analysis, the script output and error logs will be located inside the guest operating system under the C:\ drive (e.g. C:\hgs_install.* & C:\hgs_configure.*).

After the service deployment completes, before you can use the resulting instance for host guarding, extra configurations may be needed:

- For both TPM and AD setup: Configure name resolution between the existing fabric domain and the new HGS domain.

- For AD setup: Verify that the hosts where guarding is desired are added to the AD group whose SID is added to the HGS.

Here’s an example of the Attestation and Key Protection server URLs per the service setting example values used in this article:

AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation

KeyProtectionServerUrl: http://MyHgsService.ReleCloud.com/KeyProtection
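The post-deployment checks listed above can be scripted as read-only tests. This is an added example, not part of the original post or its service template: the function names are hypothetical, and the cmdlets and property names are assumed to be those of the released Windows Server 2016 HgsAttestation, HgsClient, DnsClient and ActiveDirectory modules, which may differ in Technical Preview 3.

```powershell
# Added example, not part of the original post or its service template.
# Function names are hypothetical. Cmdlets are assumed to be those of the
# released Windows Server 2016 HgsAttestation, HgsClient, DnsClient and
# ActiveDirectory modules; Technical Preview 3 builds may differ.

# Run on the HGS server: is the fabric AD group SID registered for attestation?
function Test-HgsHostGroupRegistered {
    param([Parameter(Mandatory = $true)][string]$FabricAdGroupSid)

    $group = Get-HgsAttestationHostGroup |
        Where-Object { $_.Identifier -eq $FabricAdGroupSid }

    [pscustomobject]@{
        FabricAdGroupSid = $FabricAdGroupSid
        Registered       = [bool]$group
        PolicyName       = if ($group) { $group.Name } else { $null }
    }
}

# Run on a Hyper-V host in the fabric domain that should be guarded.
function Test-GuardedHostReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$HgsFqdn,   # e.g. MyHgsService.ReleCloud.com
        [Parameter(Mandatory = $true)][string]$FabricAdGroupSid
    )

    # Name resolution from the fabric domain into the HGS domain.
    $dns = Resolve-DnsName -Name $HgsFqdn -ErrorAction SilentlyContinue

    # Membership of this host's computer account, nested groups included.
    $account = "$env:COMPUTERNAME`$"
    $member = Get-ADGroupMember -Identity $FabricAdGroupSid -Recursive |
        Where-Object { $_.SamAccountName -eq $account }

    # Compare the host's HGS client settings with the URLs built from the service name.
    $expectedAttestation   = "http://$HgsFqdn/Attestation"
    $expectedKeyProtection = "http://$HgsFqdn/KeyProtection"
    $client = Get-HgsClientConfiguration

    [pscustomobject]@{
        HgsNameResolves    = [bool]$dns
        HostInFabricGroup  = [bool]$member
        AttestationUrlOk   = ("$($client.AttestationServerUrl)".TrimEnd('/') -eq $expectedAttestation)
        KeyProtectionUrlOk = ("$($client.KeyProtectionServerUrl)".TrimEnd('/') -eq $expectedKeyProtection)
        IsHostGuarded      = $client.IsHostGuarded
        AttestationStatus  = "$($client.AttestationStatus)"
    }
}

# On the HGS server (SID taken from Example3 in the script header):
#   Test-HgsHostGroupRegistered -FabricAdGroupSid 'S-1-5-21-3623811015-3361044348-30300820-1013'
# On a fabric host:
#   Test-GuardedHostReadiness -HgsFqdn 'MyHgsService.ReleCloud.com' `
#       -FabricAdGroupSid 'S-1-5-21-3623811015-3361044348-30300820-1013'
```

If the URL checks fail, Set-HgsClientConfiguration with -AttestationServerUrl and -KeyProtectionServerUrl sets them on the host.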

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Senior Software Engineer | Microsoft


KB: A VM that Azure Site Recovery helps protect goes into a resynchronization state


A virtual machine (VM) that Microsoft Azure Site Recovery (ASR) helps protect in a Hyper-V to Azure scenario may repeatedly go into a resynchronization state. You cannot manually resynchronize, and you may receive the following error message for the replication health of the VM:

Replication State: Resynchronization required
Replication Mode: Primary
Current Replica Server: Microsoft Azure
Replication Health: Critical
Resynchronization is required for the machine X. Resume replication to start resynchronization.
Successful replication cycles: 0 out of Y (0%). More than 20% of replication cycles have been missed for virtual machine X.

You may also see events logged that resemble the following:

Log Name: MicrosoftAzureRecoveryServices-Replication
Source: MicrosoftAzureRecoveryServices
Event ID: 67
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
Resynchronization for virtual machine 'VMName' was marked corrupted by the service. (Virtual Machine ID 11201f14-2111-4a79-97d3-c312d9bcab00, Data Source ID <Number>, Task ID cbb6cfa2-cbbc-4f54-9c21-3fecbb84fe44)

and

Log Name: MicrosoftAzureRecoveryServices-Replication
Source: MicrosoftAzureRecoveryServices
Event ID: 32
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
Resynchronization failed for virtual hard disk 'V:\VMName\Virtual Hard Disks\VMName.vhd', of virtual machine VMName'. (Virtual Machine ID 11201f14-2111-4a79-97d3-c312d9bcab00, Data Source ID <Number>, Task ID cbb6cfa2-cbbc-4f54-9c21-3fecbb84fe44)

For complete details as well as a resolution, please see the following:

KB3094171 - A VM that Azure Site Recovery helps protect goes into a resynchronization state (https://support.microsoft.com/en-us/kb/3094171)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


2nd Edition of Microsoft System Center: Building a Virtualized Network Solution now available and free to download


The second edition of Microsoft System Center: Building a Virtualized Network Solution has been completely updated and rewritten for the VMM 2012 R2 release. It also contains approximately 90 pages of new content covering the Hyper-V gateway, troubleshooting, and details of the network architecture in Microsoft Cloud Platform System (CPS). The main chapter content is outlined below with a summary from the original announcement on MSPRESS which is available here.

Topics included in this book

The vast majority of the book is focused on architecture and design, highlighting key design decisions and providing best practice advice and guidance relating to each major feature of the solution.

Chapter 1: Key concepts
A virtualized network solution built on Windows Server and System Center depends on a number of different features. This chapter outlines the role each of these features plays in the overall solution and how they are interconnected.

Chapter 2: Logical networks
This chapter provides an overview of the key considerations, outlines some best practice guidance, and describes a process for identifying the set of logical networks that are needed in your environment.

Chapter 3: Hyper-V port profiles
This chapter discusses the different types of port profiles that are used in Virtual Machine Manager, outlines why you need them and what they are used for, and provides detailed guidance on how and when to create them.

Chapter 4: Logical switches
This chapter describes the function and purpose of logical switches, which are essentially templates that allow you to consistently apply the same settings and configuration across multiple hosts.

Chapter 5: Network Virtualization gateway
This chapter outlines key design choices and considerations for providing cross-premises connectivity from networks at tenant sites to virtual networks dedicated (per tenant) in a service provider network.

Chapter 6: Deployment
This chapter builds on the material discussed in previous chapters and walks through common deployment scenarios, highlighting known issues (and workarounds) relating to the deployment and use of logical switches in your environment.

Chapter 7: Operations
Even after having carefully planned a virtual network solution, things outside of your immediate control might force changes to your virtualized network solution. This chapter walks you through some relatively common scenarios and provides recommendations, advice, and guidance for how best to deal with them.

Chapter 8: Diagnosing Connectivity Issues
This chapter looks at how to approach a connectivity problem with a virtualized network solution, the process you should follow to troubleshoot the problem, and some actions you can take to remediate the issue and restore service.

Chapter 9: Cloud Platform System network architecture
This chapter reviews the design and key decision points for the network architecture and virtualized network solution within the Microsoft Cloud Platform System.

To recap, this book is mainly focused on architecture and design (what is needed to design a virtualized network solution) rather than on the actual steps required to deploy it in your environment. Other than in a few select chapters, you will find few examples of code. This is by design. The focus here is not to provide details on how you achieve a specific goal, but rather on what you need to do to build out a solution that meets the needs of your business and provides a platform for the future.

You can get more details including a download link here.

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


How to deploy software defined networks using VMM 2016 Tech Preview 3


Microsoft’s Windows Server IX networking team just added a new topic to the TechNet Library that you’ll want to check out. It’s titled Deploy Software Defined Networks using Virtual Machine Manager and it helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 3. In particular, this topic is focused on scenarios that incorporate VMM with Network Controller, a new feature in the Windows Server 2016 Technical Preview.

In this topic you'll find information on the recommended test topology, including the number of Hyper-V hosts and virtual machines that you need to deploy SDN in a test lab. There are instructions on how to deploy your compute and network infrastructure, Active Directory and DNS, and how to deploy the Management logical network. VM service templates, Software Load Balancing, and other technologies are also covered in detail. For all the details see the following:

Use System Center VMM to Deploy Software Defined Networks

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


Update Rollup 8 for System Center 2012 R2 Virtual Machine Manager is now available


Update Rollup 8 for System Center 2012 R2 Virtual Machine Manager has been released and is now available to download. The KB article below describes the issues that are fixed in Update Rollup 8 (UR8) for Microsoft System Center 2012 R2 Virtual Machine Manager.

There are two updates available for System Center 2012 R2 Virtual Machine Manager: One for servers and one for the Administrator Console. The KB article also contains the installation instructions for Update Rollup 8 for System Center 2012 R2 Virtual Machine Manager.

For complete details as well as a download link, please see the following:

KB3096378 - Description of Update Rollup 8 for System Center 2012 R2 (https://support.microsoft.com/en-us/kb/3096378)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


Ensuring your GCE scripts that use Run As accounts continue to execute in Microsoft Virtual Machine Manager


~ Jeff Towarnicki | Software Engineer


Beginning with the February security patch for Windows (MS15-011) and Update Rollup 6 for System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2), you may need to modify the way your GCE scripts are executed in order to ensure that those scripts continue to work after these security patches are applied.

The guest agent in VMM was updated in UR6 and later versions to accommodate the Windows security update and now uses a BATCH logon instead of an INTERACTIVE logon in order to successfully create processes. Because of this change, your Run As user account must be added to the local admin group, or be granted the Log on as a batch job privilege in the local group policy of the guest VM. If this is not done, your GCEs that use a Run As account will fail after VMM is updated to UR6 or later. Note that this applies to the Virtual Machine Manager Tech Previews as well.

If your Run As account does not have Administrator privileges in the guest VM, here are some options for making sure your GCE scripts continue to run:

Option 1: Manually give administrative privileges to the user account

If the Run As user account is not already a member of the local admin group on the guest VM, simply add the user account to the local admin group. To do this, open an administrative command prompt (Run as Administrator) on the guest VM and run lusrmgr.msc to open Local Users and Groups. From there, add the user that maps to your Run As account to the local admin group. In the example below I add the user mydomain\user which maps to my Run As account.


Option 2: Grant admin privileges to the user account using a service template script

Within your service template, create a Pre-Install script that runs before any scripts that require a Run As account, then use that script to add the users of those Run As accounts to the local admin group on the VM. In the example below I run the following command in my pre-install script:

cmd.exe /q /c net localgroup administrators mydomain\myuser /add

When this command runs as part of the Pre-Install script, the specified user (mydomain\myuser) is added to the local admin group and thus automatically has privileges to login as BATCH.


Option 3: Manually grant “Log on as a batch job” privileges to the user account in the local group policy of the guest VM

If you need finer granularity of the permissions for your users, you can simply grant the Run As user account Log on as a batch job privileges in the local group policy of the guest VM. This way you don’t have to add user accounts unnecessarily to the admin group. Here are the steps:

1. Open Local Security Policy from Windows Administrative Tools.

2. Under User Windows Settings/Security Settings/User Rights Assignment, right-click on Log on as a batch job and then add the Run As user (mydomain\myuser in this example) to the group.

That’s it. After these steps, the user in your Run As account will have the necessary privileges to run a GCE after the latest Windows and VMM updates are installed.
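Option 3 can also be applied from an elevated script inside the guest VM, so the Run As user receives only the batch logon right instead of local administrator membership. This is an added example, not code from the original post: the function name is hypothetical, it uses the built-in secedit.exe export and configure operations, and it assumes the account name resolves to a SID on the guest.

```powershell
# Added example, not from the original post. Grants "Log on as a batch job"
# (SeBatchLogonRight) to one account in the guest VM's local security policy.
# The function name is hypothetical. Run from an elevated session.

function Grant-BatchLogonRight {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Account   # e.g. 'mydomain\myuser'
    )

    # Resolve the account to a SID; security templates list SIDs as *S-1-...
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $entry = "*$sid"

    $work = Join-Path $env:TEMP ("batchright_" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    $exportInf = Join-Path $work 'current.inf'
    $applyInf  = Join-Path $work 'apply.inf'
    $db        = Join-Path $work 'apply.sdb'

    try {
        # Export only the user-rights area of the current local policy.
        secedit.exe /export /cfg $exportInf /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

        # Current holders of the right; the line is absent when nobody holds it.
        $line = Get-Content -Path $exportInf |
            Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
            Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }

        if ($holders -contains $entry) { return 'AlreadyGranted' }
        $holders += $entry

        # Minimal template: only SeBatchLogonRight is defined, so no other
        # user right is touched. Existing holders are kept, the new SID appended.
        $template = @(
            '[Unicode]', 'Unicode=yes',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
            '[Privilege Rights]',
            ('SeBatchLogonRight = ' + ($holders -join ','))
        )
        Set-Content -Path $applyInf -Value $template -Encoding Unicode

        if ($PSCmdlet.ShouldProcess($Account, 'Grant SeBatchLogonRight')) {
            secedit.exe /configure /db $db /cfg $applyInf /areas USER_RIGHTS /quiet
            if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
            return 'Granted'
        }
        return 'Skipped'
    }
    finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Preview, then apply (account name as used in this post):
#   Grant-BatchLogonRight -Account 'mydomain\myuser' -WhatIf
#   Grant-BatchLogonRight -Account 'mydomain\myuser'
```

A domain Group Policy that defines Log on as a batch job takes precedence over this local setting, so in that case the account has to be added in the domain policy instead.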

Jeff Towarnicki | Software Engineer | Microsoft



The new checkpoint options in Microsoft Virtual Machine Manager


~ Dipti Goyal | Software Engineer II

Hello, my name is Dipti Goyal and I’m an engineer on the System Center Virtual Machine Manager Team. System Center 2016 Virtual Machine Manager has the capability to create Production or Standard checkpoints, and now that Tech Preview 4 is released I wanted to take a minute and go through the process and explain how this works.

A little about Hyper-V Production Checkpoints

Production checkpoints allow you to easily create “point in time” images of a virtual machine which can then be restored later on in a way that is completely supported for all production workloads. This is achieved by using backup technology inside the guest to create the checkpoint instead of using saved state technology. For production checkpoints, the Volume Snapshot Service (VSS) is used inside Windows virtual machines, whereas Linux virtual machines flush their file system buffers to create a file system consistent checkpoint. If you want to create checkpoints using saved state technology you can still choose to use standard checkpoints for your virtual machine.

For any new virtual machines, the default is to create production checkpoints with a fallback to standard checkpoints. More details on this can be found here.

What’s new in VMM Checkpoint options:

Hyper-V has added 4 types for checkpoints:

  1. Disabled
  2. Production
  3. ProductionOnly
  4. Standard

We have implemented these types in VMM so let’s look at each of them in detail.

1. Disabled: This option disables the check-pointing ability on the VM. Once Checkpoint Type is set to Disabled, a checkpoint cannot be taken on that VM until it’s set to some other value.

Example: Set-SCVirtualMachine -CheckpointType Disabled

This sets the CheckpointType property on the VM to Disabled.

2. Production: Production checkpoints are application consistent snapshots of a virtual machine. Hyper-V leverages the guest VSS provider to create an image of the virtual machine where all of its applications are in a consistent state. The production snapshot does not involve the autorecovery phase during creation. Applying a production checkpoint requires the restored virtual machine to boot from an offline state just like with a restored backup. This is always more suitable for production environments.

Example: Set-SCVirtualMachine -CheckpointType Production

This sets the CheckpointType property on the VM to Production. With this option, if a production checkpoint fails for any reason, a standard checkpoint will be taken.

3. ProductionOnly: This option is the same as Production with one key difference: With ProductionOnly, if a production checkpoint fails then no checkpoint will be taken. This is different from Production where if a production checkpoint fails, a standard checkpoint will be taken instead.

Example: Set-SCVirtualMachine -CheckpointType ProductionOnly

This sets the CheckpointType property on the VM to ProductionOnly.

4. Standard: With a Standard checkpoint, all of the memory state of running applications gets stored so that when you apply the checkpoint it’s back in the same state. For a production environment with a SQL server or Exchange server, this obviously would not serve the right purpose, therefore this type of checkpoint is typically more suitable for development and test environments.

Example: Set-SCVirtualMachine -CheckpointType Standard

This sets the CheckpointType property on the VM to Standard.

The examples above are for Set-SCVirtualMachine, however in VMM, CheckpointType can also be set during the following operations:

  • New-SCVirtualMachine -CheckpointType
  • New-SCHardwareProfile -CheckpointType
  • Set-SCHardwareProfile -CheckpointType
  • New-SCVMTemplate -CheckpointType
  • Set-SCVMTemplate -CheckpointType
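The difference between Production and ProductionOnly matters most when it goes unnoticed: a VM left on Production can end up with a standard checkpoint after a failed production checkpoint. The following is an added example, not code from the original post, that lists VMs whose CheckpointType deviates from a chosen policy and optionally corrects them. The `PROD-*` naming convention, the allowed-type list, the sample inventory and the function name are assumptions.

```powershell
# Added example (not from the original post).
# Assumptions: production VMs are named 'PROD-*', and the policy for them is
# ProductionOnly (or Disabled). The sample inventory below is constructed.

function Get-CheckpointTypeDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $VirtualMachine,
        [string]   $NamePattern = 'PROD-*',
        [string[]] $AllowedType = @('ProductionOnly', 'Disabled')
    )
    foreach ($vm in $VirtualMachine) {
        if ($vm.Name -notlike $NamePattern) { continue }

        # CheckpointType is the VM property that -CheckpointType sets.
        $current = [string]$vm.CheckpointType
        if ($current -in $AllowedType) { continue }

        $finding = switch ($current) {
            'Production' { 'Falls back to a standard checkpoint if the production checkpoint fails' }
            'Standard'   { 'Stores the memory state of running applications (dev/test use)' }
            default      { "Unexpected checkpoint type '$current'" }
        }
        [pscustomobject]@{
            Name           = $vm.Name
            CheckpointType = $current
            Finding        = $finding
            VM             = $vm      # kept so the object can be passed to Set-SCVirtualMachine
        }
    }
}

# Use the live VMM inventory when the VMM cmdlets are loaded and a server
# connection already exists; otherwise fall back to constructed sample data.
$liveVmm = [bool](Get-Command Get-SCVirtualMachine -ErrorAction SilentlyContinue)
if ($liveVmm) {
    $inventory = Get-SCVirtualMachine
} else {
    $inventory = @(
        [pscustomobject]@{ Name = 'PROD-SQL01';  CheckpointType = 'Production' }
        [pscustomobject]@{ Name = 'PROD-EXCH01'; CheckpointType = 'Standard' }
        [pscustomobject]@{ Name = 'PROD-DC01';   CheckpointType = 'ProductionOnly' }
        [pscustomobject]@{ Name = 'DEV-WEB01';   CheckpointType = 'Standard' }
    )
}

$drift = @(Get-CheckpointTypeDrift -VirtualMachine $inventory)
$drift | Format-Table Name, CheckpointType, Finding -AutoSize

# Set to $true to correct the drift. Only runs against real VMM objects.
$Enforce = $false
if ($Enforce -and $liveVmm) {
    foreach ($item in $drift) {
        Set-SCVirtualMachine -VM $item.VM -CheckpointType ProductionOnly | Out-Null
    }
}
```

With the constructed inventory, PROD-SQL01 and PROD-EXCH01 are reported; PROD-DC01 already meets the policy and DEV-WEB01 is outside the name pattern.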

You can also change the checkpoint type from within the VMM UI.

This gives VMM users the flexibility to change the checkpoints based on their requirements.

I hope this is helpful and thanks for reading!

Dipti Goyal | Software Engineer II | Fabric Management


KB: VM cloud fails to load when admin portal is accessed on a Microsoft Windows Azure Pack server


Consider the following scenario:

- Windows Azure Pack (WAP) is installed on two servers using express installation (WAP 1 and WAP 2). The two WAP servers are load balanced.

- Service Provider Foundation (SPF) is installed on two servers (SPF1 and SPF2). The two SPF servers are load balanced.

- A VM cloud is successfully registered.

In this scenario, the virtual machine cloud fails to load when the admin portal is accessed on the WAP2 server. However, the VM cloud loads successfully without errors when accessed via the admin portal on the WAP1 server. You may also see the following exception on either SPF computer:

Log Name:      Microsoft-ServiceProviderFoundation/Analytic
Source:        Microsoft-ServiceProviderFoundation
Date:
Event ID:      11
Task Category: (65523)
Level:         Error
Keywords:      None
User:          S-1-5-21-3138815620-4253048750-3916773603-117721
Computer:
Description:
Component: VMMActivity [Powershell::Invoke, id {21C04886-019D-49EA-989B-916B44B6D9AB}]
Parent activity [Get, id {1EFAC67B-981A-4764-9BE6-0D2FCD887E43}]Elapsed: 169ms
Context: {70BAB268-8316-4FC7-B28B-821C9192BC4C} Error when aggregating resources. Cannot query resources on stamp VMMServerName.Contoso.com Reason: The connection to the VMM management server VMMserverName.Contoso.com was lost. (Error ID: 1610)
Ensure that VMMServerName.Contoso.com is online and that you can access the server remotely from your computer. Then connect to VMMServerName.Contoso.com and try the command again using the new connection. Or, you can ensure that the Virtual Machine Manager service is started on VMMServerName.Contoso.com . Then connect to VMMServerName.Contoso.com and try the command again using the new connection. If the command fails again because of a connection failure, restart the Virtual Manager service and then try the operation again.

For complete details regarding this problem as well as a resolution, please see the following:

KB3110311 - VM cloud fails to load when admin portal is accessed on a Windows Azure Pack server (https://support.microsoft.com/en-us/kb/3110311)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


Deploying Highly Available Host Guardian Service using VMM Service Templates in Microsoft System Center Tech Preview 4


~ Maha Ibrahim | Senior Software Engineer


In an earlier post we discussed how to deploy HGS using VMM service templates in the Technical Preview 3 release. With Technical Preview 4, a few changes are required. The Host Guardian Service supports high availability, so changes were made to the service template and the associated application scripts to support installing and configuring an additional HGS node. Also in this release, VMM supports generation 2 service templates, so we will deploy generation 2 virtual machines using a GPT partition disk image.

In this post, I’ll cover the relevant updates applicable to the Technical Preview 4 release for deploying the highly available Host Guardian Service using generation 2 virtual machines which can be used for test or demo environments.

For more details about HGS setup outside the scope of this article, you can refer to Windows Server TechNet articles about Guarded Fabric and Shielded VMs, or http://aka.ms/shieldedvms.

Requirements

1. Microsoft System Center Virtual Machine Manager – Technical Preview 4 – Download link

2. Windows Server 2016 Technical Preview 4 – Download link

3. Windows Server 2016 Technical Preview 4 Virtual Hard Disk Image using GPT partition (for generation 2 VMs) which can be created using Wim2VHD - Download link

Installation Steps

1. Download the compressed file from this download link.

2. Extract the custom resource folder named HostGuardianServiceScripts.cr and copy it to your VMM library, then refresh the library share.

3. Create a Run As Account to be used for the Local Administrator of the HGS machine.

4. Verify the Windows Server Technical Preview 4 VHDX (GPT partition image) is imported in the VMM library.

5. Import the XML file as a VMM service template and map the resources according to the resources included in the library.

6. If needed, open the computer tier properties and update the product key in the operating system configuration.

7. Save and configure deployment.

8. Specify the VM Network to be used.

9. Specify the service settings per the configuration of the desired deployment.

[Screenshot: example settings to deploy an AD mode HGS server]

[Screenshot: example settings to deploy a TPM Mode HGS server]

10. For TPM Mode, if you want to add Code Integrity Policies, TPM Hosts and TPM policies, add the necessary files to your library before deploying the service configuration, following the folder structure below. If this step is skipped, extra configuration is needed before the HGS instance can be used. Refer to this link for more details on how to create these files: http://aka.ms/shieldedvms.

[Screenshot: library folder structure for the TPM Mode files]

Now the service configuration is ready to be deployed. Click Deploy Service and wait for the job to complete. Once completed you’ll have a highly available Host Guardian Service instance up and running!

Notes

After the service deployment completes, and before you can use the resulting instance for host guarding, extra configurations may be needed:

  • For both TPM and AD setup: Configure name resolution between the existing fabric domain and the new HGS domain.
  • For AD Setup: verify that the hosts where guarding is desired are added to the AD group whose SID is added to the HGS.

Here’s an example for the Attestation and Key Protection server URLs per the service setting example values used here:

  • AttestationServerUrl: http://MyHgsService.ReleCloud.com/Attestation
  • KeyProtectionServerUrl: http://MyHgsService.ReleCloud.com/KeyProtection

Happy host guarding and virtual machine shielding!

Maha Ibrahim | Senior Software Engineer | Microsoft


KB: How to enable event-based refresher mode for Microsoft Virtual Machine Manager hosts


System Center 2012 Virtual Machine Manager SP1 and above (VMM 2012 SP1+, VMM 2012 R2+) enable a new, event-based triggering system for host refresh. This replaces previous push-based models that were based on intervals specified in the Registry. In general, this model is recommended as it ensures faster consistency and less data to notify the Virtual Machine Manager server of changes.

In some cases the refresher model may not be automatically set on VMM hosts. To update host machines, see the information in the following KB article:

KB3001854 - How to enable event-based refresher mode for Virtual Machine Manager hosts (https://support.microsoft.com/en-us/kb/3001854)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


KB: Recommended antivirus exclusions for System Center Virtual Machine Manager and managed hosts


If antivirus software is running on your Microsoft System Center 2012 Virtual Machine Manager server (VMM 2012 or VMM 2012 R2) or the managed hosts, antivirus exclusions should be set. This new Knowledge Base article below describes the antivirus exclusions as they pertain to the SCVMM 2012 server itself and to the hosts that are managed by SCVMM.

KB3119208 - Recommended antivirus exclusions for System Center Virtual Machine Manager and managed hosts (https://support.microsoft.com/en-us/kb/3119208)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division


Deploying Network Controller using Microsoft Virtual Machine Manager 2016 Technical Preview 4


Introduction

This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview 4. In particular, it focuses on using System Center Virtual Machine Manager (VMM) 2016 Technical Preview 4 for deploying Network Controller, a new feature in Windows Server 2016. Network Controller is a scalable and highly available server role that enables you to automate the configuration of network infrastructure instead of performing manual configuration of network devices.

Prerequisites

Before proceeding to deploy Network Controller, make sure that you have performed the following steps:

Create an Active Directory security group for Network Controller management

You need to create an Active Directory security group for Network Controller management. The group should be a Domain Local group. Members of this group will be able to create, delete, and update the deployed Network Controller configuration. You need to create at least one user account that is a member of this group and have access to its credentials.

Create an Active Directory security group for Network Controller clients

You need to create an Active Directory security group for Network Controller clients. The group should be a Domain Local group. Once the Network Controller is deployed, any members of this group will have permissions to communicate with the controller via REST interface. You need to create at least one user account that is a member of this group. After the Network Controller is deployed, VMM can be configured to use this user account’s credentials to establish communication with the Network Controller.

Prepare an SSL Certificate

You need an SSL certificate that will be used to establish secure communication (https) between VMM and Network Controller. There are two methods you can use to generate an SSL certificate: generate a self-signed certificate or use a Certificate Authority (CA).

1. Use a self-signed certificate

The following example creates a new self-signed certificate, and can be run from a PowerShell command window on any computer running Windows Server 2016 Technical Preview. Make note of the names you use to create the certificate and use the same names when you deploy the Network Controller.

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<YourNCFQDN>")

You can use the Certificates snap-in to manage your certificate. Click Start, type manage computer certificates and press Enter. A Certificates - Local Computer console starts, where you can find your Network Controller certificate under Personal, Certificates.

2. Use a Certificate Authority

For Windows-based enterprise CA, follow the steps available here to request a CA-signed certificate. The certificate must include the serverAuth EKU, specified by the OID 1.3.6.1.5.5.7.3.1. In addition, the certificate Subject Name must match the DNS name of the Network Controller.

After requesting the certificate, use the Certificates snap-in to export it and its private key into a .pfx file. When exporting, choose Personal Information Exchange - PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible. The export wizard requires that you protect the private key by either a security or a password. Be sure to assign a password, as you will need it later during Network Controller deployment.
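Both requirements stated above (the serverAuth EKU, and a Subject Name that matches the Network Controller DNS name) can be checked before the certificate is exported and handed to the service template. The following is an added example, not part of the original article; the function name is hypothetical, and `<YourNCComputerName>` and `<YourNCFQDN>` are the same placeholders used in the New-SelfSignedCertificate command and must be replaced with your own values.

```powershell
# Added example (not from the original article). Checks a candidate Network
# Controller certificate against the requirements stated in the text.
# Test-NCServerCertificate is a hypothetical helper name.

function Test-NCServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $NetworkControllerFqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # serverAuth EKU required by the article
    $problems = @()

    # 1. The certificate must carry the serverAuth EKU.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekuOids -notcontains $serverAuthOid) {
        $problems += "serverAuth EKU ($serverAuthOid) is missing"
    }

    # 2. The subject name must match the Network Controller DNS name.
    #    SimpleName yields the subject CN; DnsName yields the DNS name from the
    #    SAN extension when present. The comparison is case-insensitive.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $names = @(
        $Certificate.GetNameInfo($nameType::SimpleName, $false)
        $Certificate.GetNameInfo($nameType::DnsName, $false)
    ) | Where-Object { $_ } | Select-Object -Unique
    if ($names -notcontains $NetworkControllerFqdn) {
        $problems += "No subject name matches '$NetworkControllerFqdn' (found: $($names -join ', '))"
    }

    # 3. The export to .pfx needs the private key, and the certificate must be
    #    inside its validity period.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'Private key is not available, so the certificate cannot be exported to .pfx'
    }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Check every certificate in the local computer's Personal store that has the
# friendly name used when the certificate was created.
$friendlyName = '<YourNCComputerName>'   # placeholder from the article
$ncFqdn       = '<YourNCFQDN>'           # placeholder from the article

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    ForEach-Object { Test-NCServerCertificate -Certificate $_ -NetworkControllerFqdn $ncFqdn } |
    Format-List Subject, Thumbprint, Passed, Problems
```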

Prepare a file share for keeping diagnostic logs (optional)

This share will be accessed by the Network Controller to store diagnostics information throughout its lifetime. Create a file share that can be accessed by the Network Controller. You may also optionally assign access permissions for the share to a specific domain user account. Store the username and password for this account which will be used later during Network Controller deployment.

Setup

This section covers the setup required for deploying the Network Controller.

Topology

The following test topology is designed to allow you to evaluate the SDN features on a small hardware footprint without requiring a large test bed. You can deploy this topology if you want but it’s not required. It is just a guide to help you understand the pieces that are required to deploy an SDN fabric and how they fit together. We assume that you already have VMM 2016 Technical Preview 4 installed with a few hosts under management.

Important

As you plan to deploy an SDN fabric to an existing environment that may also have hosts that do not use the Network Controller, you need to do the following:

1. Create a separate Host Group for hosts that will be managed by the Network Controller. The Network Controller supports Windows Server 2016 Technical Preview hosts only.

2. Ensure that you have a dedicated subnet for Logical Networks that will be managed by the Network Controller. You cannot share a subnet or Logical Network that is managed by the Network Controller with non-managed hosts running Windows Server 2016 Technical Preview or with hosts running previous versions of operating system.

The topology to deploy Network Controller consists of three physical hosts, one virtual machine for Network Controller, and two tenant virtual machines that will be used for Network Controller deployment validation.

Hosts

| Host | Hardware Requirements | Software Requirements |
|---|---|---|
| Host 1 (Infrastructure Host) | 2 x 1Gb physical network adapter | Windows Server 2016 Technical Preview |
| Host 2 (Virtual Machine Host) | 2 x 1Gb physical network adapter | Windows Server 2016 Technical Preview |
| Host 3 (Virtual Machine Host) | 2 x 1Gb physical network adapter | Windows Server 2016 Technical Preview |

Virtual Machines

| Virtual Machine | Software Requirements |
|---|---|
| Network Controller Virtual Machine | Windows Server 2016 Technical Preview 4 (VHD) |
| Tenant VM 1 | Windows Server 2016 Technical Preview 4 (VHD) |
| Tenant VM 2 | Windows Server 2016 Technical Preview 4 (VHD) |

The physical network must be configured so that the following networks are available. Subnets and VLAN IDs are examples and can be customized for your environment:

| Network Name | Subnet | Mask | VLAN ID on trunk | Gateway |
|---|---|---|---|---|
| Management: The subnet that connects VMM with NC Host and VM Hosts. | 10.60.34.0 | 24 | NA | 10.60.34.1 |
| Backend: The subnet for the Provider Addresses. You will need this network to validate the Network Controller deployment. | 10.60.33.128 | 25 | 11 | 10.60.33.129 |

Active Directory and DNS must be reachable from these subnets.

Management Logical Network

The Management logical network models the Management network connectivity for the VMM host, NC host, and VM hosts.

To create the Management logical network:

1. Open the Fabric workspace in the VMM Console, expand Networking and select the Logical Networks node.

2. Right-click the Logical Network node and select Create Logical Network.

3. Specify a Name and optional Description for this network. For example, you can call it MGMT. Click Next.

4. On the Settings page, be sure to select One Connected Network, since all Management networks need to have routing and connectivity between all hosts in that network. Check the Create a VM Network with the same name… to automatically create a VM Network for your Management network. Click Next.

5. In the Network Site panel, click Add to add a new network site. Select the host group for the hosts that will be managed by the Network Controller. Insert your management network IP subnet information. This network should already exist and be configured in your physical switch. Click Next when you’re ready to proceed.

6. Review the Summary information and click Finish to complete.

Management Logical Switch

The Management logical switch needs to be deployed on the NC host and provides the Management network connectivity to the NC VM. To create Management logical switch:

1. Click Create Logical Switch on the ribbon in the VMM Console.

2. Review the Getting Started information and click Next.

3. Provide a Name and optional Description. For the Uplink mode, be sure to select No Uplink Team. Click Next to proceed.

4. For Minimum Bandwidth mode, choose Absolute. Click Next.

5. Accept the default switch extension and click Next to proceed.

6. You can add a Virtual Port Profile and choose a Port Classification for Host Management on this page if you want but it is not required. Click Next when you’re finished.

7. Create a new Uplink Port Profile directly from the Logical Switch wizard. Click Add and select New Uplink Port Profile from the drop down menu.

8. Provide a name and optional description for your uplink port profile.

a. Use the defaults for Load Balancing algorithm and Teaming Mode.

b. Be sure to select all the network sites that are part of the Management logical network you created.

c. Select the Uplink Port Profile you created and click New virtual network adapter. This adds a host virtual network adapter (vNIC) to your logical switch and uplink port profile, so when you add the logical switch to your hosts, the vNICs get added automatically.

d. Provide a name for the vNIC. Verify that the management VM network is listed under the Connectivity section.

e. Check the Inherit connection settings from the host adapter box. This allows you to take the vNIC adapter settings from the adapter that already exists on the host.

f. If you created a port classification and virtual port profile earlier, you can select it now.

g. Click Next.

h. Review the Summary information and click Finish to complete the wizard.

To deploy the Management logical switch on the NC host, follow the steps available at this page.

Deployment

Prepare VHD for the Network Controller virtual machine

The service template requires one virtual hard disk that must be prepared prior to importing the service template. This virtual disk must contain an operating system running Windows Server 2016 Technical Preview and should be in VHD format. Download and use the Windows Server 2016 Technical Preview 4 ISO image from here. Please note that with TP4, the VMM service template for Network Controller only supports single node deployment on a generation 1 virtual machine.

Note

You cannot use a VHDX as VMM doesn’t support deploying Network Controller Service template on a Generation 2 Virtual Machine.

Import the service template

This section tells you how to import Network Controller service template into your VMM library. Before proceeding to import Network Controller Service template, download the template to your machine from our download center here.

To import the service template into the VMM library

1. In VMM, navigate to Library.

2. In the top of the left pane, in the Templates section, select Service Templates.

3. In the ribbon at the top, click Import Template.

4. Browse to your service template folder, select the Network Controller Standalone.xml file and follow the prompts to import it.

The service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration for your environment as you import the service template.

| Resource Type | Resource name and description |
|---|---|
| Library Resources | Resource Name: WinServer.vhd. Description: Windows Server Virtual Hard Disk. Format should be VHD. Select the base VHD image that you prepared earlier and imported into your VMM library. |
| Library Resources | NCSetup.cr. A library resource that contains scripts to be utilized to set up the Network Controller. Map to the NCSetup.cr library resource in your VMM library. |
| Library Resources | ServerCertificate.cr. A library resource that contains an SSL Certificate in .PFX format. Select the ServerCertificate.cr library resource that you prepared earlier and imported into your VMM library. |
| Library Resources | TrustedRootCertificate.cr. A library resource that contains a certificate public key (.CER) to be imported as a trusted root certificate to validate the SSL Certificate. The trusted root certificate is optional. If a trusted root certificate is not needed, this resource will still need to be mapped to a CR folder, however the folder should be left empty. Map to the TrustedRootCertificate.cr in your VMM library. |

Configure and deploy the service

Use the following process to deploy a network controller service instance.

1. Select the Network Controller service template and click Configure Deployment to begin. You will have to select a name and destination for the service instance. The destination must map to a Host Group that contains the hosts configured in an earlier step in this topic.

2. In the Network Settings section, you must map to the management VM network that you set up previously.

3. Once you are done with mapping the destination and network settings, the Deploy Service dialog will appear. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to have the deployment service automatically find suitable hosts (from the destination you mapped earlier) for the virtual machines to be created. This can be done manually if needed.

4. In the map diagram, click the virtual machine element and change the VM name and computer name to match the computer name you used when you created the computer certificates.

5. On the left side of the configure deployment window there are a number of settings that you must configure. The table below summarizes each field's values.

| Setting | Requirement | Description |
|---|---|---|
| ClientSecurityGroup | Required | Name of the security group containing Network Controller client accounts. This is the group you created previously. Example: contoso\Network Controller Clients |
| DiagnosticLogShare | Optional | File share location where the diagnostic logs will be periodically uploaded. If this is not provided, the logs are stored locally on each node. Example: \\fileserver.contoso.com\nc_logs\ |
| DiagnosticLogShareUsername | Optional | Full username (including domain name) for an account that has access permissions to the diagnostic log share. Must be in the form [domain]\[username]. Example: contoso\Username |
| DiagnosticLogSharePassword | Optional | The password for the account specified in the DiagnosticLogShareUsername parameter. |
| EnableApplicationLogging | Required | Indicates whether to enable network controller application logging. These logs are intended to be used to debug issues. Leaving this option set to True will consume disk space. Options are “False” and “True”. Recommended setting is “False”. |
| LocalAdmin | Required | Select a Run as account in your environment which will be used as the local Administrator on the NC virtual machines. User name should be .\Administrator |
| MgmtDomainAccount | Required | Select a Run as account in your environment which will be used to prepare the Network Controller. This user must be a member of the management security group, specified below, which has privileges to manage the network controller. |
| MgmtDomainAccountName | Required | This must be the full username (including domain name) of the Run as account mapped to MgmtDomainAccount. Example: contoso\Username. Note: The domain username will be added to the Administrators group during deployment. |
| MgmtDomainAccountPassword | Required | Password for the management Run as account mapped to MgmtDomainAccount. |
| MgmtDomainFQDN | Required | Fully qualified domain name for the Active directory domain that the network controller virtual machines will join. Example: Contoso.com |
| MgmtSecurityGroup | Required | Name of the security group containing network controller management accounts. This is the group you created previously. Example: contoso\Network Controller Management |
| ServerCertificatePassword | Required | Password needed to import the SSL Certificate into the machine store. |

6. After you configure these settings, click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.

Add and configure Network Controller service to VMM

After the network controller service is successfully deployed, the next step is to add it to VMM as a network service. This works just like adding other network services in VMM; you begin this process with the Add Network Service wizard.

To run the Add Network Service wizard

1. Navigate to the Fabric node in the VMM console.

2. Right-click the Network Service icon under Networking and click Add Network Service.

3. The Add Network Service Wizard starts. Click Next.

4. Provide a name for your Network Controller Network Service and an optional description. Click Next.

5. Select Microsoft for the manufacturer and for model select Microsoft Network Controller. Click Next.

6. On the Credentials tab, provide the RunAs account you want to use to configure the Network Service. This should be the same account that you included in the Network Controller Clients group. Click Next.

7. For the Connection String, use the FQDN you registered in DNS for the network service you deployed previously. Your connection string should look similar to this:

serverurl=https://<NCName.DomainName>/;SouthBoundIPAddress=<IP address>

 Note

One way to verify the IP address of the network controller is to ping the network controller computer name.

9. On the Review Certificates page, a connection is made to the network controller virtual machine to retrieve the certificate. Verify that the certificate shown is the one you expect. Ensure you select the These certificates have been reviewed and can be imported to the trusted certificate store check box. Click Next.

10. On the next screen, click Scan Provider to connect to your service and list the properties and their status. This is also a good test of whether the service was created correctly and whether you’re using the right connection string to connect to it. Examine the results, and when it completes successfully, click Next.

 Note

The Name and Manufacturer fields will be empty. This is to be expected.

11. Configure the Host Group in VMM that your Network Controller will manage. If all your hosts in your VMM deployment will be managed by the Network Controller (for example, if you’re using the minimum deployment topology), then you can choose All Hosts. Otherwise, you will want to choose only the Host Group with Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Click the appropriate check box and then click Next.

12. Click Finish to complete the Add Network Service wizard. When the service has been added to VMM, you should see it appear in the Network Services list in the VMM Console, and it should look similar to the following:

13. You can right-click the Network Controller object and select Properties to view the properties of your newly created Network Controller.

14. Click OK to finish.
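An added example (not from the original article) of checking the step 7 connection string and the step 9 certificate out-of-band, before selecting the review check box. The function names, nc.contoso.com, 10.0.0.10 and the in-memory self-signed certificate are constructed for illustration; it assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example. Host name, IP address and certificate below are constructed.

function ConvertFrom-NCConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Split "key=value;key=value" into a table (PowerShell hashtable keys are case-insensitive).
    $pairs = @{}
    foreach ($segment in ($ConnectionString -split ';')) {
        if ([string]::IsNullOrWhiteSpace($segment)) { continue }
        $key, $value = $segment -split '=', 2
        if ($null -eq $value) { throw "Segment without '=': '$segment'" }
        $pairs[$key.Trim()] = $value.Trim()
    }

    # serverurl must be an absolute https URL whose host is an FQDN, not an IP or short name.
    $uri = $null
    if (-not ([uri]::TryCreate($pairs['serverurl'], [System.UriKind]::Absolute, [ref]$uri))) {
        throw 'serverurl is missing or is not an absolute URL'
    }
    if ($uri.Scheme -ne 'https') { throw "serverurl must use https, got '$($uri.Scheme)'" }
    if (($uri.HostNameType -ne [System.UriHostNameType]::Dns) -or ($uri.Host -notmatch '\.')) {
        throw "serverurl host '$($uri.Host)' is not a fully qualified DNS name"
    }

    # SouthBoundIPAddress must be a literal IP address; the round trip rejects forms like "10".
    $ip = $null
    $southbound = $pairs['SouthBoundIPAddress']
    $parsed = [System.Net.IPAddress]::TryParse($southbound, [ref]$ip)
    if ((-not $parsed) -or ($ip.ToString() -ne $southbound)) {
        throw "SouthBoundIPAddress '$southbound' is missing or is not a literal IP address"
    }

    [pscustomobject]@{ ServerUrl = $uri.AbsoluteUri; HostName = $uri.Host; SouthBoundIPAddress = $southbound }
}

function Test-NCCertificate {
    param(
        # Certificate loaded from the .CER you exported yourself (the trusted copy).
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Thumbprint as displayed on the Review Certificates page.
        [Parameter(Mandatory)][string]$ShownThumbprint,
        [Parameter(Mandatory)][string]$HostName,
        [datetime]$Now = (Get-Date)
    )
    # Thumbprints copied from a dialog often carry spaces or invisible characters; keep hex only.
    $shown = ($ShownThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    # First DNS name in the subject alternative name, or the CN when there is no SAN.
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        ThumbprintMatches = ($Certificate.Thumbprint -eq $shown)
        NameMatchesHost   = ($dnsName -eq $HostName)
        WithinValidity    = (($Now -ge $Certificate.NotBefore) -and ($Now -le $Certificate.NotAfter))
        SelfSigned        = ($Certificate.Subject -eq $Certificate.Issuer)
    }
}

$conn = ConvertFrom-NCConnectionString 'serverurl=https://nc.contoso.com/;SouthBoundIPAddress=10.0.0.10'

# Constructed stand-in for the exported certificate. With a real file, load it instead:
#   [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path to your .CER>')
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=nc.contoso.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $request.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

# Thumbprint as someone might retype it from the wizard: lower case, space separated.
$shownInWizard = ($cert.Thumbprint.ToLowerInvariant() -replace '(..)', '$1 ').Trim()

$conn
Test-NCCertificate -Certificate $cert -ShownThumbprint $shownInWizard -HostName $conn.HostName
$rsa.Dispose()
```

Any False in ThumbprintMatches, NameMatchesHost or WithinValidity is a reason to stop before importing the certificate into the trusted store.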

Validation

This section, although not required for Network Controller deployment itself, lets you validate that Network Controller was deployed successfully. We will create an NC-managed ‘Back End’ network and configure a tenant VM network on top of it. We will also test connectivity between two tenant VMs deployed across different hosts to ensure NC is deployed correctly.

Create Back End network for tenant VM connectivity

The network controller is connected to the Management network, which is the network that is used to deploy and manage the network controller through VMM. Next, you need to create a "Back End" network that will be managed by the network controller in your SDN fabric. This network will be used to validate that the Network Controller has been deployed successfully and that tenant virtual machines within the same Virtual Network are able to ping each other.

To create the Back End (HNV PA) network

1. Start the Create Logical Network Wizard.

2. Type a name and optional description for this network. The example shown here is Back End Network. Click Next.

3. On the Settings page, be sure to select One Connected Network since all HNV PA networks need to have routing and connectivity between all hosts in that network. Ensure you check Allow new VM networks created on this logical network to use network virtualization. You will also see a new setting: Managed by the Network Controller. Ensure you check this box and then click Next.

4. On the Network Site panel, add the network site information for your HNV PA network. This should include the Host Group, Subnet and VLAN information for your Back End Network. Remember, this network should already exist in your physical network devices (switch) and all your SDN fabric hosts should have physical connectivity to it.

5. Review the Summary information and complete the wizard.

Create IP address pools that will be managed by the network controller

The Back End Network is the HNV Provider Address (PA) network, so it must have a static IP address pool managed by VMM for address assignment, even if DHCP is available on this network. Thus, you need to create a static IP address pool that is associated with this logical network.

To create an IP address pool for the Back End Network

1. Right-click the back end network logical network in VMM and select Create IP Pool from the drop down menu.

2. Provide a name and optional description for the IP Pool and ensure that the back end network is selected for the logical network. Click Next.

3. On the Network Site panel, you need to select the subnet that this IP address pool will service. If you have more than one subnet as part of your HNV PA network, you need to create a static IP address pool for each subnet. If you have only one site (for example, like the sample topology) then you can just click Next.

4. On the IP Address range panel, specify the starting and ending IP address. It is recommended that you start with the second address in your IP address range so that the network controller does not assign the default gateway address for the subnet. Click Next.

5. Now configure the default gateway address. Click Insert next to the Default gateways box, type the address and use the default metric. Click Next.

6. Optionally you can configure DNS information but this is generally not required.

7. Optionally you can also configure WINS server information but this is generally not required. Click Next.

8. Review the summary information and click Finish to complete the wizard.

Configure Back End network

1. In Network Service, right-click the network controller object and select Properties.

2. Click on the Logical Network Affinity tab in the left menu.

3. Select the Back End (HNV PA) network that you created earlier to be your Back-End network.

4. Click OK.

Create an SDN logical switch and deploy to hosts

Now that you have created the logical networks, VM networks, and IP pools for your SDN fabric, you need to create a logical switch that you can deploy to your Windows Server 2016 Technical Preview hosts. This will make the networks that you created available to your hosts via VMM and will enable the Virtual Filtering Platform (VFP) switch extension, which will make your hosts available to the network controller. This is also referred to as an SDN switch, as it will enable creation and configuration of network objects via the network controller.

To create the SDN logical switch

1. Click Create Logical Switch from the ribbon, or right-click the Logical Switches node in the left hand tree navigation in the VMM console.

2. Review the Getting Started information and click Next.

3. Provide a name (SDN Switch or whatever you want) and optional description. For the uplink mode, ensure you select No Uplink Team.

 Important

Switch Embedded Teaming (SET) together with network virtualization are NOT supported in TP4, so be sure that you do not select an Uplink Team for your SDN switch. SET is supported with VLANs in TP4, so if you are testing converged networking with dedicated infrastructure adapters (that will not use networking virtualization) then you may team one or more adapters in this configuration.

4. Click the Managed by Microsoft Network Controller check box and you will notice that the Extensions page disappears. This happens because the network controller requires the VFP extension, so it is selected by default. If your network adapters support SR-IOV and you want to use it, you can enable it here as well and then click Next to proceed.

5. You can optionally select one or more Virtual Port Profiles if you want. This functionality is the same as it was in Windows Server 2012 R2. When you’re ready to proceed, click Next.

6. Add a new Uplink Port Profile directly from the wizard. Click Add and select New Uplink Port Profile from the drop down menu.

7. Provide a name (SDN port profile or whatever you want) and optional description for your Uplink Port Profile.

It is recommended that you use the defaults for Load Balancing algorithm and Teaming Mode.

Ensure you select all the Network Sites you created for your SDN fabric that are managed by the Network Controller as you want to be sure that they are included in this switch.

You do not need to check the Enable Hyper-V Network Virtualization box as you cannot have hosts that do not support this as part of an SDN fabric by definition. The SDN switch is supported on Windows Server 2016 Technical Preview hosts only.

Click Next to proceed.

8. Review the Summary information and click Finish.

To deploy the logical switch to hosts

You can now deploy the SDN logical switch to hosts that will be used to provision tenant virtual machines.

1. Navigate to the Host Group that contains your Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Right-click a host and select Properties from the drop-down menu.

2. Select Virtual Switches from the left menu.

3. Click New Virtual Switch and select New Logical Switch from the menu. The SDN logical switch that you created previously should appear selected in the logical switch combo box. If it isn't, select it now.

4. Ensure you bind the SDN Logical Switch to the correct physical adapter on the host. It should be a different adapter from the one that the Management logical switch is connected to.

5. Click OK on the Host Properties dialog to complete the operation.

6. Repeat this for each host in your SDN fabric. The Infrastructure host does not need this logical switch.

Create tenant VM networks and IP pools

Next, you will create a VM network and IP pool for a tenant in your SDN infrastructure.

To configure a VM network

Follow the steps mentioned here to create a VM network and here to create an IP address pool.

Tip

You MUST use a value for Starting IP Address that is at least 4 IP addresses into the Address range for the IP Subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is 192.168.0.0/24, you should use 192.168.0.4 as your starting IP address.

Click Next.
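An added example (not part of the original article) that checks a planned pool range against the two rules given above: the tenant pool must start at least 4 addresses into the subnet, and the Back End (PA) pool must not hand out the default gateway. The function names and the 10.10.56.0/24 Back End subnet are constructed for illustration; the 192.168.0.0/24 case is the one from the tip.

```powershell
# Added example. Function names and the 10.10.56.0/24 subnet are constructed.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    $ok = [System.Net.IPAddress]::TryParse($Address, [ref]$ip)
    if ((-not $ok) -or ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork)) {
        throw "Not an IPv4 address: '$Address'"
    }
    # Fold the four octets (network byte order) into one number.
    [uint64]$number = 0
    foreach ($octet in $ip.GetAddressBytes()) { $number = $number * 256 + $octet }
    return $number
}

function ConvertFrom-IPv4Number {
    param([Parameter(Mandatory)][uint64]$Number)
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) {
        [math]::Floor($Number / $divisor) % 256
    }
    return ($octets -join '.')
}

function Test-SdnIPPoolRange {
    param(
        [Parameter(Mandatory)][string]$Subnet,          # CIDR form, e.g. 192.168.0.0/24
        [Parameter(Mandatory)][string]$FirstAddress,    # planned starting IP address
        [Parameter(Mandatory)][string]$LastAddress,     # planned ending IP address
        [int]$ReservedByController = 0,                 # 3 for tenant VM networks, per the tip
        [string]$Gateway                                # set for the Back End (PA) pool
    )
    $networkText, $prefixText = $Subnet -split '/', 2
    $prefix = 0
    if ((-not ([int]::TryParse($prefixText, [ref]$prefix))) -or ($prefix -lt 8) -or ($prefix -gt 30)) {
        throw "Subnet '$Subnet' needs a prefix length between 8 and 30"
    }

    [uint64]$size       = [math]::Pow(2, 32 - $prefix)
    [uint64]$base       = ConvertTo-IPv4Number $networkText
    [uint64]$network    = $base - ($base % $size)          # network address of the subnet
    [uint64]$lastUsable = $network + $size - 2             # address just below broadcast
    [uint64]$minStart   = $network + 1 + $ReservedByController
    [uint64]$first      = ConvertTo-IPv4Number $FirstAddress
    [uint64]$last       = ConvertTo-IPv4Number $LastAddress

    $problems = @()
    if ($first -gt $last)       { $problems += 'starting address is above ending address' }
    if ($first -lt $minStart)   { $problems += "starting address is below $(ConvertFrom-IPv4Number $minStart)" }
    if ($last -gt $lastUsable)  { $problems += "ending address is above $(ConvertFrom-IPv4Number $lastUsable)" }
    if ($Gateway) {
        [uint64]$gw = ConvertTo-IPv4Number $Gateway
        if (($gw -ge $first) -and ($gw -le $last)) { $problems += "range contains the default gateway $Gateway" }
    }

    [pscustomobject]@{
        Subnet       = $Subnet
        MinimumStart = (ConvertFrom-IPv4Number $minStart)
        IsValid      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Tenant pool from the tip: the first three addresses belong to the Network Controller.
Test-SdnIPPoolRange -Subnet '192.168.0.0/24' -FirstAddress '192.168.0.4' -LastAddress '192.168.0.254' -ReservedByController 3
# Same subnet, pool started too early: flagged, MinimumStart is 192.168.0.4.
Test-SdnIPPoolRange -Subnet '192.168.0.0/24' -FirstAddress '192.168.0.2' -LastAddress '192.168.0.254' -ReservedByController 3
# Back End (PA) pool on a constructed subnet: starting at the gateway address is flagged.
Test-SdnIPPoolRange -Subnet '10.10.56.0/24' -FirstAddress '10.10.56.1' -LastAddress '10.10.56.200' -Gateway '10.10.56.1'
```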

Create tenant virtual machines

Now you can create tenant virtual machines connected to the tenant virtual network.

To create a virtual machine from an existing virtual hard disk

Follow these steps to create a VM from an existing virtual hard disk.

Note

During VM creation, on the Configure Hardware page, connect Network Adapter 1 of the VM to the tenant VM network that you created earlier in this document.

 Tip

To prevent placement from choosing a different value for these settings, click the pin icon next to the setting. Note that self-service users do not see this option.

Once you have deployed at least two virtual machines in your VM Network, ping one tenant virtual machine from the other. A successful ping validates that the Network Controller has been deployed successfully and that it can manage the Back End network, allowing tenant virtual machines to ping each other.

Manish Jha| Program Manager II | Microsoft

How to deploy Software Load Balancer using Microsoft Virtual Machine Manager Tech Preview 4

Introduction

This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic is focused on scenarios that incorporate Microsoft Software Load Balancer (SLB) with System Center Virtual Machine Manager (VMM).

Once you deploy Software Load Balancer along with Network Controller in your VMM set up, you can also leverage multiplexing and NAT capabilities in your datacenter.

Prerequisites

Before we get into details of Software Load Balancer deployment, make sure you have performed the following steps:

1. Deploy Network Controller

This document assumes that you already have Network Controller onboarded into VMM management. If you have Network Controller deployed in your setup, you will have the basic compute and network infrastructure in place to proceed with SLB deployment.

For more details on the requirements for the different hosts, virtual machines, logical networks, subnets, IP pools, and switches, please refer to the Network Controller deployment guide here.

If you haven’t deployed Network Controller yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.

2. Prepare an SSL Certificate

The SLB service template requires that an SSL certificate be prepared prior to importing the service template. You should already have these certificates ready as part of Network Controller deployment. To revisit steps on how to prepare SSL certificates click here.

3. An available Windows Server host

In addition to hosts that you already have in your Network Controller set up, you will require one additional host (also referred to as ‘Edge host’) to deploy Software Load Balancer, according to the shown diagram. Optionally, you can choose one of the existing hosts in your set up to deploy SLB.

Set up

This section covers the setup required for deploying the Software Load Balancer and optionally the BGP router.

Topology overview

The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Software Load Balancer MUX virtual machine, and optionally one Router – BGP Peer virtual machine. Most of these hosts and virtual machines would already be configured as part of Network Controller deployment.

You will need to deploy one additional host (the ‘Edge Host’) and two additional virtual machines for Software Load Balancer deployment. All of the virtual machines require an operating system VHD and you can download the Windows Server 2016 Technical Preview 4 ISO image here.

Logical Networks

In addition to the Management and the Backend logical networks that you already have configured during Network Controller deployment, you will need the following networks to deploy SLB.

Network Name | Subnet | Mask | VLAN ID on trunk | Gateway
--- | --- | --- | --- | ---
Front End (or Transit). Used as SLB Front end networks. | 10.60.35.0 | 24 | 10 | 10.60.35.1
Public IP Network (used to assign IP address of SLBM) | 10.128.134.116 | 27 | NA | 10.128.134.117

Note

  • The Management, Backend, and Front end subnets must be routable to each other.
  • Active Directory and DNS must be available and reachable from these subnets. You must have Domain Admin credentials and the ability to create DNS entries in the domain if you choose to use an existing Active Directory domain.

Create the Front End logical network

The Front End network is used for northbound connections in SLB MUX virtual machines and BGP peer virtual machine. To create the Front End logical network, complete the following:

1. Start the Create Logical Network Wizard.

2. Type a name and optional description for this network, then click Next.

3. On the Settings page, ensure you select One Connected Network. You can also check the Create a VM network with the same name to allow virtual machines to access this logical network directly box and the Managed by the Network Controller box, then click Next.

4. On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.

5. Review the Summary information and complete the Logical Network wizard.

Create the Public IP logical network

You need an IP address pool for public IPs and to assign an IP address to SLBM. Public IPs are also used for tenant services that need an internet-identifiable public IP address. We will create a Public logical network in order to specify an IP address pool for the Public network. To create the Public logical network, complete the following:

1. Start the Create Logical Network Wizard.

2. Type a name and optional description for this network. Click Next.

3. On the Settings page, be sure to select One Connected Network. You will also see a new setting: Managed by the Network Controller. Ensure that you check this box as well as the Public IP address network box and then click Next.

4. On the Network Site panel, add the network site information for your Public Network. This should include the Host Group and Subnet information.

5. Review the Summary information and complete the wizard.

Create IP address pools required for SLB deployment

Create an IP pool for Front End addresses

This is an IP pool from where DIPs will be assigned to the SLB MUX virtual machines and BGP Peer virtual machine.

Create the IP pool for the Front End network by following the same procedure and steps as the back end network. Be sure to use the IP address range that corresponds to your Front End network IP address space. To create the IP pool for Public IP addresses, complete the following:

1. Right-click the Public logical network in VMM and select Create IP Pool from the drop down menu.

2. Provide a name and optional description for the IP Pool and ensure that the Public Logical network is selected for the logical network. Click Next.

3. Accept the default network site as shown in the screenshot below and click Next.

4. Choose a starting and ending IP address for your range that contains the entire address range of your Public VIP subnet.

5. In the IP addresses reserved for load balancer VIPs box, type the entire IP address range in the subnet. This should match the range you used for starting and ending IP addresses.

You do not need to provide gateway, DNS or WINS information as this pool is used to allocate IP addresses for VIPs only via the Network Controller, so skip these screens by clicking Next.

6. Review the summary information and complete the wizard.

 Note

After you have created all the required logical networks and IP pools, make sure you associate the newly created Front End logical network with the SDN uplink port profile you created during Network Controller deployment.

Deploy the Management and SDN logical switch to the Edge host

You should already have an SDN logical switch and a management logical switch available in your setup as part of Network Controller deployment.

If the SDN Switch with Front end and Back end port profiles is not deployed already to the edge host where SLB MUX VMs are going to be deployed, deploy the SDN switch to the host now. Similarly, if the Management logical switch is not deployed on the Edge Host yet, deploy the Management logical switch on the host.

Please refer to Network Controller deployment guide here to learn about deploying SDN and Management logical switches to a host.

Deployment

Now you can deploy the Software Load Balancer MUX into your SDN infrastructure.

Download the service template to a local computer

First, you need to download the SLB MUX service template from here and save it to a folder on your VMM server or a file share that your VMM server has access to.

Add template resources to the VMM Library

Before you import the SLB MUX service template you need to do the following:

Add the custom resources to the VMM library

Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder. This is the same .CER certificate you added to the TrustedRootCertificate.CR folder for the Network Controller Service Template.

Add the NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library.

Import the service template

Now you can import the SLB MUX service template to the VMM library. To import the service template into the VMM library, complete the following:

1. In VMM, navigate to Library.

2. In the top of the left pane, in the Templates section, select Service Templates.

3. In the ribbon at the top, click Import Template.

4. Browse to your service template directory, then select the SLBMuxServiceTemplate.2.0.xml file that you downloaded and follow the prompts to import it.

5. The service template uses the following virtual machine configuration parameters, so update the parameters to reflect the configuration of your environment as you import the service template.

Configuration parameters:

Resource type

Resource name and description

Library Resources

Resource name: WinServer.vhd

Description: Windows Server Virtual Hard Disk. Format should be VHD.

Select the base VHD image that you prepared earlier and imported into your VMM library.

Resource name: NCCertificate.cr

Description: A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This will be used for secure communications between the Network Controller and the SLB MUX instances.

Map to the NCCertificate.cr library resource in your VMM library.

Resource Name: EdgeDeployment.cr

Description: A custom library resource that contains an SSL Certificate in .PFX format.

Select the EdgeDeployment.cr library resource that you prepared earlier and imported into your VMM library.

Configure the deployment

Follow these steps to deploy an SLB MUX service instance.

To configure the deployment

1. Select the SlbMuxServiceTemplate service template and click Configure Deployment to begin. Type a name and optionally a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously.

2. In the Network Settings section, you must map the networks as follows:

Network setting | Value
--- | ---
DatacenterNetwork | Map this to your Front End or transit VM network.
ManagementNetwork | Map this to your Management VM network.

After you are done with mapping the destination and network settings, the Deploy Service dialog appears. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can be done manually if needed.

3. On the left side of the Configure Deployment window there are a number of settings that you must configure. The table below summarizes each field:

Setting | Requirement | Description
--- | --- | ---
Datacenter Network | Required | Your External or transit VM network
Management Network | Required | Choose the Management VM Network that you created for host management.
LocalAdmin | Required | Select a Run as account in your environment which will be used as the local Administrator on the virtual machines. User name should be .\Administrator
SelfSignedConfiguration | Required | If you are using a self-signed certificate you created yourself, set this value to True. If you are using a certificate that has been assigned by an Enterprise CA or external Root CA, set this value to False.

Deploy the SLB MUX service

After you configure these settings, you can click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.

When the service deployment job has completed, verify that your service appears in the VMM console:

1. Open the VMs and Services workspace.

2. Click Services in the ribbon.

3. Verify that your SLB MUX service instance appears in the VM Network Information for Services window.

4. Right-click the SLB MUX service and select Properties from the menu.

5. Verify that the state is Deployed.

Configure the SLB role and SLB MUX Instance Properties

Now that the service is deployed you can configure its properties. This involves associating the VM instance that we deployed using the SLB MUX service template, and then configuring BGP peering between the SLB MUX instance and a router.

Associate the SLB Service Role with the SLB MUX Instance

1. Open the Fabric workspace.

2. Click Network Service to display the list of network services installed.

3. Right-click the FabricNetworkManagerNetworkController service and select Properties.

4. Find the Associated Service field under Service information and click Browse. Select the SLB MUX service instance you created earlier and click OK.

The Service instances that you deployed are now associated with the Load Balancer role, and you should see the SLB MUX virtual machine instance listed under the Load Balancer role.

Validation

Once you have deployed SLB MUX in your setup, you can validate the deployment by configuring peering of the SLB MUX instance and a BGP router (or RRAS VM), assigning a public IP to a tenant VM or Service, and accessing the tenant VM\service from outside the network.

Configure BGP Peering between the SLB MUX instance and a router

In order to publish the VIP network and addresses to networks outside of your private cloud, you will need to configure Border Gateway Protocol (BGP) peering between the SLB MUX and your external router.

1. First you will need to obtain the IP address and the Autonomous System Number (ASN) of the router that you want to peer with, so start by opening the Fabric workspace.

2. Right-click the FabricNetworkManagerNetworkController service and select Properties.

3. Click the Services tab and select the Load Balancer Role in the list of services.

4. Click the SLB MUX virtual machine instance and you will see the MUX instance BGP settings. For the BGP port, type the value 8560 and for Local ASN, type the ASN number you want to use for BGP peering for the MUX. VMM will accept any value you pick here but if you are peering it with a router in your infrastructure it should match the numbering scheme in your lab or datacenter. In the example below we used a value of 2 for the ASN.

5. To configure the information for the BGP router you want to peer with, click Add and then enter the name, IP address and ASN number of the router you want to peer with. In the screen shot above, you can see that we have peered with the ADVWRKS-ROUTER router using an IP address of 172.27.0.1 and an ASN of 1.

Click OK to complete the SLB MUX service instance configuration.

6. Check the Jobs window to verify that the Update Fabric Role with required configuration and Associate service instance with fabric role jobs have completed successfully.

7. In order to complete the BGP peering operation, you will need to configure BGP to peer with your SLB MUX instance on the router. If you are using a hardware router device, you will need to consult your vendor’s documentation on how to setup BGP peering for that device. You will also need to know the IP address of the SLB MUX instance that you deployed earlier. To do this, you can either log on to the SLB MUX VM instance and obtain the IP address by running IPCONFIG /ALL from a Command Prompt, or from the VMM console.

Provisioning VIPs for tenant virtual machines

You can provision VIPs for tenant virtual machines either individually for each virtual machine or via service templates. Provisioning a VIP for a single virtual machine is not a typical scenario, but for Tech Preview 4 it may be the easiest way to evaluate this functionality. Provisioning a VIP for a single virtual machine must be done via PowerShell.

Provision VIPs for an individual virtual machine

To provision a VIP for an individual VM or set of VMs that were deployed using a VM template, you will need to deploy the VM instances using a VM template, create a VIP template in the VMM console, then create a VIP and assign it to the VMs using PowerShell.

Create a VIP Template

The process for creating a VIP template is as follows:

1. Navigate to the Fabric Workspace in the VMM console.

2. Right-click on the VIP Templates node and select Create VIP Template. Alternately, you can click on the Create VIP Template in the Ribbon toolbar.

3. Provide a name in the Template Name field and an optional description in the Description field.

4. In the Virtual IP Port field, provide a value for the port you wish to test. For our example we used port 5001, but you can choose another port you want to test with if desired.

5. For the Backend Port, provide a value for the port from which you wish to map traffic on the back end. In our example we simply used the same port as the front end virtual IP port: 5001. Once you have provided the port, click the Next button.

6. On the Specify a Template Type screen, click the Specific radio button and select Microsoft for the Manufacturer, then for the Model, select Microsoft Network Controller. Click Next.

7. On the Specify Protocol Options screen, select the protocol you wish to create a VIP mapping for. The HTTP and HTTPS options are commonly used, but for our simple example we selected the Custom option and chose TCP in the Protocol Name field. If TCP does not appear as an option in the drop-down menu you can type it in manually. This is a known issue in TP4. Click Next.

8. You can optionally select enable persistence if you wish to have the load balancer make the connection from the client “sticky”. Click Next.

9. For the Load Balancing method, select Round Robin from the drop down list. Click Next.

10. Health Monitors are not implemented in TP4 so click Next to move past this screen.

11. Confirm your settings and then click Finish when you are ready to create the VIP Template.

Create the VIP using PowerShell

Windows PowerShell for creating a VIP for an individual VM

The following is a sample Windows PowerShell script that will create a VIP for an individual VM. In the script parameters section, be sure to substitute the actual values that match your test environment for the samples that are used in this script. The script should be run on the VMM server, or on a machine with the VMM Admin Console.

param(
    [Parameter(Mandatory=$false)]
    # Name of the Network Controller Network Service
    # This value should be the name you gave the Network Controller service when you on-boarded the Network Controller to VMM
    $LBServiceName = "NC",

    [Parameter(Mandatory=$false)]
    # Name of the VM instance to which you want to assign the VIP
    $VipMemberVMNames = @("WGB-001"),

    [Parameter(Mandatory=$false)]
    # VIP address you want to assign from the VIP pool.
    # Pick any VIP that falls within your VIP IP Pool range.
    $VipAddress = "172.27.1.5",

    [Parameter(Mandatory=$false)]
    # Name of the VIP VM Network
    $VipNetworkName = "vip",

    [Parameter(Mandatory=$false)]
    # The name of the VIP template you created via the VMM Console.
    $VipTemplateName = "ADVWRKS-VIP",

    [Parameter(Mandatory=$false)]
    # Arbitrary but good to match the VIP you're using.
    $VipName = "scvmm_172_27_1_5_5001"
)

Import-Module virtualmachinemanager

$lb = Get-SCLoadBalancer | where { $_.Service.Name -like $LBServiceName };
$vipNetwork = Get-SCVMNetwork -Name $VipNetworkName;

$vipMemberNics = @();
foreach ($vmName in $VipMemberVMNames)
{
    $vm = Get-SCVirtualMachine -Name $vmName;
#    if ($vm.VirtualNetworkAdapters[0].VMNetwork.ID -ne $vipNetwork.ID)
#    {
#        $vm.VirtualNetworkAdapters[0] | Set-SCVirtualNetworkAdapter -VMNetwork $vipNetwork;
#    }

    $vipMemberNics += $vm.VirtualNetworkAdapters[0];
}

$existingVip = Get-SCLoadBalancerVIP -Name $VipName
if ($existingVip -ne $null)
{
#    foreach ($mem in $existingVip.VipMembers)
#    {
#        $mem | Remove-SCLoadBalancerVIPMember;
#    }
    $existingVip | Remove-SCLoadBalancerVIP;
}

$vipt = Get-SCLoadBalancerVIPTemplate -Name $VipTemplateName;

$vip = New-SCLoadBalancerVIP -Name $VipName -LoadBalancer $lb -IPAddress $VipAddress -LoadBalancerVIPTemplate $vipt -FrontEndVMNetwork $vipNetwork -BackEndVirtualNetworkAdapters $vipMemberNics;
Write-Output "Created VIP " $vip;
#foreach ($memberNic in $vipMemberNics)
#{
#    $address = $memberNic.IPv4Addresses[0];
#    Write-Output "Creating vip member with address " $address;
#    New-SCLoadBalancerVIPMember -LoadBalancerVIP $vip -IPAddress $address -Port 82 -VirtualNetworkAdapter $memberNic;
#}

$vip = Get-SCLoadBalancerVIP -Name $VipName;
Write-Output "VIP with members " $vip;

After running the script, you should see output with details for the VIP you have just created. Once the script is executed successfully and the VIP is assigned to the tenant VM, you should be able to access the tenant VM from outside your datacenter network.

Manish Jha | Program Manager II | Microsoft



KB: How to retain the database when you reinstall Microsoft Virtual Machine Manager


When you have Microsoft System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2) installed, you may find yourself in a situation where you need to remove and then reinstall VMM but still retain all of the database information from the current installation. We show you how to do this and provide a SQL stored procedure to make it all work in the following Knowledge Base article:

3132774 - How to retain the database when you reinstall Virtual Machine Manager (https://support.microsoft.com/en-us/kb/3132774)

J.C. Hornbeck | Solution Asset PM | Microsoft


Deploying Gateway using Microsoft Virtual Machine Manager Tech Preview 4


Introduction

This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic is focused on scenarios that incorporate Gateway with the Virtual Machine Manager (VMM) in Tech Preview 4.

Gateway is a data path element in SDN that enables GRE-based site-to-site (S2S) connectivity between two autonomous systems. In this scenario specifically, Gateway enables site-to-site VPN connectivity between remote tenant networks and your datacenter using Generic Routing Encapsulation (GRE).

In combination with Software Load Balancing (SLB), Gateway can also be used for point-to-site VPN gateway connectivity so that your tenants’ administrators can access their resources on your datacenter from anywhere.

Prerequisites

Make sure you have performed the following steps before deploying Gateway.

Deploy Network Controller

This document assumes that you already have Network Controller onboarded into VMM management. If you have Network Controller deployed in your setup, you will have the basic compute and network infrastructure in place to proceed with Gateway deployment.

For more details on requirements related to different hosts, virtual machines, logical networks, subnets, IP pools, and switches, please refer to the Network Controller deployment guide here.

If you haven’t deployed Network Controller yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.

Deploy Software Load Balancer

Although it’s not required that you deploy Software Load Balancer before proceeding to deploy Gateway, for the purpose of simplicity and preview validation, we recommend that you deploy and onboard SLB before proceeding further in this document. Having SLB deployed along with Gateway will enable you to validate the IPSec connection types.

For more details on requirements related to different hosts, virtual machines, logical networks, subnets, IP pools and switches, please refer to the SLB deployment guide here.

If you haven’t deployed Software Load Balancer yet, please refer to the SLB deployment guide above and come back to this section after deploying Network Controller.

Prepare an SSL Certificate

The Gateway service template requires that an SSL certificate is prepared prior to import. You should already have these certificates ready as part of Network Controller deployment. To revisit steps on how to prepare SSL certificates click here.

Setting it up

This section covers the setup required for deploying the Gateway virtual machine.

Topology overview


The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Gateway virtual machine, one SLB MUX virtual machine and optionally one Router – BGP peer virtual machine. Most of these hosts and virtual machines would already be configured as part of Network Controller deployment.

You will need to deploy one additional VM for Gateway.

All the virtual machines require an operating system VHD. You can download the Windows Server 2016 Technical Preview ISO image from here.

Logical Networks

In addition to the Management, Back End, Front End and Public IP network that you already have configured, you will need the following network to deploy Gateway:

| Network Name | Subnet | Mask | VLAN ID on trunk | Gateway | Reservations (examples) |
|---|---|---|---|---|---|
| VIP: The subnet for the GRE VIPs. | 10.127.134.128 | 27 | NA | 10.127.134.129 | 10.127.134.158 |

Active Directory and DNS must also be available and reachable from this subnet.

Creating the GRE VIP logical network required for Gateway Deployment

You need an IP address pool for private VIPs and for assigning virtual IP addresses to GRE endpoints. We will create a GRE VIP logical network in order to specify an IP address pool for GRE endpoints.

Create a GRE VIP Logical network

The GRE VIP network is a subnet that exists solely for defining VIPs that will be assigned to Gateway virtual machines running on your SDN fabric. This network does not need to be preconfigured in your physical switches or router and need not have a VLAN assigned.

  1. Start the Create Logical Network Wizard.
  2. Type a name and optional description for this network and click Next.
  3. On the Settings page, ensure you select One Connected Network. Optionally, you can also check the Create a VM network with the same name box, to allow virtual machines to access this logical network directly, and the Managed by the Network Controller box. Then click Next.
  4. On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.
  5. Review the Summary information and complete the Logical Network wizard.

Create an IP pool for GRE VIP addresses

  1. Right-click the GRE VIP logical network in VMM and select Create IP Pool from the drop down menu.
  2. Provide a name and optional description for the IP Pool and ensure that the VIP network is selected for the logical network. Click Next.
  3. Accept the default network site and click Next.
  4. Choose a starting and ending IP address for your range that contains the entire address range of your GRE VIP subnet.
  5. In the IP addresses reserved for load balancer VIPs box, type the entire IP address range in the subnet. This should match the range you used for starting and ending IP addresses.
  6. You do not need to provide gateway, DNS or WINS information as this pool is used to allocate IP addresses for VIPs only via the Network Controller, so skip these screens by clicking Next.
  7. Review the summary information and complete the wizard.

To deploy the logical switch to Edge host

You will already have an SDN logical switch available in your set up as part of Network Controller and SLB deployment.

Deployment

Now you can proceed to deploy Gateway using VMM Service Template.

Download the service template

First, you need to download the Gateway service template from here and extract the contents to a folder on a local computer. You need to copy the contents to a folder on your VMM server or a file share that your VMM server has access to.

Add template resources to the VMM library

Before you import the Gateway service template you need to do the following:

  1. Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder. This is the same .CER certificate you added to the TrustedRootCertificate.CR folder for the Network Controller Service Template.
  2. Add the NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library.

a. In VMM, navigate to Library.
b. In the top of the left pane, in the Templates section, select Service Templates.
c. In the ribbon at the top, click Import Physical Resource.
d. Click Add Custom Resource and navigate to the folder where you copied the Gateway Service Template files. Select the EdgeDeployment.cr and NCCertificate.cr folders and click OK.
e. Under Select Library server and destination for imported resources, navigate to your VMM library server and click OK.
f. Click Import to import the custom resources.

Import the service template

  1. In VMM, navigate to Library.
  2. In the top of the left pane, in the Templates section, select Service Templates.
  3. In the ribbon at the top, click Import Template.
  4. Browse to your service template directory, select the EdgeServiceTemplate.1.0.xml file and click Next.
  5. This service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration of your environment.

Configuration parameters:

Resource type: Library Resources

  - Resource name: win_server.vhd
    Description: Windows Server Virtual Hard Disk. Format can only be VHD.
    Prepare a VHD image from the earlier downloaded ISO image. You can use the same VHD which you have prepared for the Network Controller virtual machine.

  - Resource name: NCCertificate.cr
    Description: A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This will be used for secure communications between the Network Controller and the Gateway instances.
    Map to the NCCertificate.cr library resource in your VMM library.

  - Resource name: EdgeDeployment.cr
    Description: A custom library resource that contains an SSL Certificate in .PFX format and the scripts required to install and configure RRAS.
    Select the EdgeDeployment.cr library resource that you prepared earlier and imported into your VMM library.

6. Click Next.
7. On the Summary page, click Import.

Configure the deployment

To configure the deployment, complete the following:

1. Select the EdgeServiceTemplate service template and click Configure Deployment to begin. Type a name and choose a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously for Gateway deployment.

2. In the Network Settings section, you must map the networks as follows.

| Network setting | Value |
|---|---|
| Management Network | Map this to your Management VM network |

3. Click OK.

4. After you are done with mapping the destination and network settings, click OK.

5. The Deploy Service dialog appears. It is normal for the virtual machine instances to initially be red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can be done manually if needed.

6. On the left side of the Configure Deployment window, there are a number of settings that you must configure. The table below summarizes each field:

| Setting | Requirement | Description |
|---|---|---|
| AdminAccount | Required | Select a Run As account in your environment which will be used as the local Administrator on the Gateway virtual machines. User name should be .\Administrator |
| Management Network | Required | Choose the Management VM Network that you created for host management |
| SelfSignedConfiguration | Required | If you are using a self-signed certificate you created yourself, set this value to True. If you are using a certificate that has been assigned by an Enterprise CA or external Root CA, set this value to False. |
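To set SelfSignedConfiguration from the certificate itself, the following added example (not part of the original article or of the Gateway service template) reads a .CER file and reports whether issuer and subject match, whether it chains to a root trusted on the local machine, and whether it is within its validity period. The function name Get-CertificateTrustSummary and the path in the usage comment are assumptions made for illustration.

```powershell
# Added example, not part of the Gateway service template.
# Reads a .CER file and reports whether it is self-signed, so that the
# SelfSignedConfiguration value matches the certificate actually deployed.
function Get-CertificateTrustSummary {
    param(
        # Placeholder: path to the .CER copied into the NCCertificate.CR folder
        [Parameter(Mandatory = $true)]
        [string]$CerPath
    )

    $fullPath = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Self-signed is approximated here as "issuer name equals subject name".
    # Compare the DER-encoded names rather than the display strings.
    $subjectDer = [System.BitConverter]::ToString($cert.SubjectName.RawData)
    $issuerDer  = [System.BitConverter]::ToString($cert.IssuerName.RawData)
    $selfSigned = ($subjectDer -eq $issuerDer)

    # Build the chain against this machine's trust stores, without revocation
    # lookups, so the check also works on an isolated lab network.
    $noCheck = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $noCheck
    $chainTrusted = $chain.Build($cert)
    $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    [pscustomobject]@{
        Subject                 = $cert.Subject
        Issuer                  = $cert.Issuer
        Thumbprint              = $cert.Thumbprint
        NotBefore               = $cert.NotBefore
        NotAfter                = $cert.NotAfter
        WithinValidity          = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        SelfSigned              = $selfSigned
        ChainTrustedOnThisHost  = $chainTrusted
        ChainStatus             = $chainStatus
        SelfSignedConfiguration = $selfSigned   # value to enter in Configure Deployment
    }
}

# Usage (placeholder path):
# Get-CertificateTrustSummary -CerPath 'C:\Path\To\NCCertificate.CR\<your-certificate>.cer'
```

A result with SelfSigned False and ChainTrustedOnThisHost False means the issuing CA is not trusted on the machine where the check ran, which is worth resolving before the 30 to 60 minute service deployment starts.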

Deploy the Gateway service

After you configure these settings, you can click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes. When the service deployment job has completed, verify that your service appears in the VMM console by completing the following:

  1. Open the VMs and Services workspace.
  2. Click Services in the ribbon.
  3. Verify that your Gateway service instance appears in the VM Network Information for Services window.
  4. Right-click the Gateway service and select Properties from the menu.
  5. Verify that the state is Deployed.


Configure the Gateway Manager Role

Now that the service is deployed, you can configure its properties.

  1. Open the Fabric workspace.
  2. Click Network Service to display the list of network services installed.
  3. Right-click your network controller service and select Properties.
  4. Click the Services tab and select the Gateway Manager role in the services panel.
  5. Find the Associated Service field under Service information and click Browse.
  6. Select the Gateway service instance you created earlier and click OK.
  7. Select the Run As account that will be used by Network Controller to access Gateway VMs.
  8. In IPv4 frontend subnet, select the front end subnet that you have created (this is the Transit subnet).
  9. In GRE VIP subnet, select the VIP subnet that you created above.
  10. In Public IPv4 pool, select the Public IP Pool.
  11. For Public IPv4 address, provide an IP address from the above pool.
  12. Configure the Gateway capacity in the Gateway Capacity field.
  13. Configure the number of reserved nodes for back-up in the Nodes for reserved for failures field.
  14. Click OK.


You should see that the jobs below have passed successfully in VMM’s job space:


The Service instance that you deployed is now associated with the Gateway Manager role, and you should see the Gateway virtual machine instance listed under the Gateway Manager role:


Configure and validate Gateway connection types

Once you have deployed Gateway using the Virtual Machine Manager template, you can configure a GRE tunnel and validate Gateway deployment with this tunnel.

To validate GRE connection tunnel:

  1. Choose one of the tenant virtual machines that has GRE tunneling enabled.
  2. Ensure that this virtual machine can ping the edge router IP with the CA IP address.

Manish Jha | Program Manager II | Microsoft


Update Rollup 9 for Microsoft Windows Azure Pack is now available


Update Rollup 9 for Windows Azure Pack is now available to download. For complete details including issues fixed, installation instructions and a download link, please see the following:

3129786 - Update Rollup 9 for Windows Azure Pack (https://support.microsoft.com/en-us/kb/3129786)

J.C. Hornbeck | Solution Asset PM | Microsoft
