Active Directory 2012, Group Policy Management Tips

Replication Status

Microsoft released a great feature here, especially for people working in an international infrastructure with unreliable, low-bandwidth links.

In this kind of context it often happens that you modify a GPO that has not yet been replicated between DCs.

You are now able to see the replication status and set a baseline DC.

To set your domain controller baseline, click Change:



Select your reference DC:



And generate the report:



You now see the GPO replication status between your domain controllers.



If you need to check the replication status of a single GPO, select it under the “Group Policy Objects” folder (not the linked GPO).

You see the replication status and where the GPO is not yet replicated.



Click on GPO Version to see the detailed status as below:



GPO Update

Who has never said to a user “Please open a command prompt and run GPUPDATE /force” or “Please log off and log on again”?

To avoid this awkward situation Microsoft finally gives us a tool.






It then creates two scheduled tasks to update the computer and the user policy. The triggers are spread over a 10 minute range.



If you don’t want to apply the Group Policy update to all users and computers under the OU, you’ll need to run a PowerShell script:



Invoke-GPUpdate documentation:

http://technet.microsoft.com/en-us/library/hh967455.aspx
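As an added example (not code from the original post), the two checks described above done from a management station with the GroupPolicy and ActiveDirectory modules: compare the AD and SYSVOL version numbers of one GPO on every DC, and refresh only a subset of the computers of an OU. The GPO name, the OU and the computer name filter are hypothetical, the domain myLab.local is taken from the later posts.

```powershell
# Added example: GPO consistency across DCs + targeted Invoke-GPUpdate.
# Assumes RSAT (GroupPolicy, ActiveDirectory modules) and the hypothetical
# GPO "Workstation Baseline" linked to OU=Workstations,DC=myLab,DC=local.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoVersionPerDC {
    param([Parameter(Mandatory)][string]$GpoName)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            # Query each DC directly instead of the PDC emulator
            $gpo = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                DC            = $dc.HostName
                UserADVersion = $gpo.User.DSVersion
                UserSysvol    = $gpo.User.SysvolVersion
                CompADVersion = $gpo.Computer.DSVersion
                CompSysvol    = $gpo.Computer.SysvolVersion
                # AD (DS) and SYSVOL versions must match on every DC before a refresh makes sense
                InSync        = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                                ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
            }
        } catch {
            # The GPO has not reached this DC yet, or the DC is unreachable
            [pscustomobject]@{
                DC = $dc.HostName; UserADVersion = $null; UserSysvol = $null
                CompADVersion = $null; CompSysvol = $null; InSync = $false
            }
        }
    }
}

$versions = Get-GpoVersionPerDC -GpoName 'Workstation Baseline'
$versions | Format-Table -AutoSize

if ($versions.InSync -contains $false) {
    Write-Warning 'GPO is not consistent on all DCs yet; wait for replication before forcing a refresh.'
} else {
    # Refresh only the finance workstations (constructed name filter), spreading the
    # refresh over up to 10 minutes exactly as the GPMC "Group Policy Update" does.
    Get-ADComputer -Filter "Name -like 'WKS-FIN*'" -SearchBase 'OU=Workstations,DC=myLab,DC=local' |
        ForEach-Object {
            Invoke-GPUpdate -Computer $_.DNSHostName -Target Computer -RandomDelayInMinutes 10 -Force
        }
}
```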

Different RSOP:



In the Resultant Set of Policy you have a different presentation, in particular the processing time and the event log of the different components:



See more here:

http://channel9.msdn.com/Shows/Edge/EdgeShow-46-Whats-up-with-GPOs-in-Windows-Server-2012?format=html5

Enjoy,

Julien

Hyper-v 2012 Replica: Configure and test scenarios

Introduction

In this article I’ll try to show you, in a very simple way, how to implement and test the new Replica feature included in Windows Server 2012 Hyper-V.
Replica allows you to build a Disaster Recovery strategy with a feature built into Hyper-V, with no additional license cost!

Configuration

My lab infrastructure is pretty basic:

  • Two Hyper-V hosts in a cluster, linked to a NAS via iSCSI and using a Cluster Shared Volume
  • One Hyper-V core server with local storage
  • For test purposes all Hyper-V hosts are running on the same network


The first step is to create a Replica Broker on the cluster:

Then the Replica Broker should start.

In my case I encountered the following error: “Cluster network name resource failed to create its associated computer object in domain …”

And the replica service couldn’t start.

The fact is that when you create a Replica Broker, the cluster tries to create the Replica computer object in its Active Directory container.
This error shows that the cluster object does not have enough rights to do it!
To correct the issue open “AD Users and Computers” with Advanced Features enabled and locate the OU where your cluster object is located.



Right click on your OU and view the advanced security settings.

Grant your cluster object the right to create and delete computer objects.

Apply the change and start the Replica Broker.

It should be better now:

Now we can configure the replication.
Select your replica server (here HYPERV03), open “Hyper-V Settings” and modify the replication configuration as shown below:

Authorize your Replica Broker to replicate with this server.

Now you also need to configure the Replica Broker. To do so open “Replication Settings”:

Modify as shown below:

Now our infrastructure is configured to run replication.

Select the desired virtual machine (here a test VM) and enable replication:

Select the replica server:

Configure the replication history and the snapshot recurrence:

The replication will begin and you can see the status on the VM summary:

Now that the initial replication is finished we can proceed with several tests.

1 – Test Failover (TFO)

A TFO allows you to test the whole replication mechanism in a controlled environment without any impact on the current replication or on production.

To do so go to your replica server (here HYPERV03), select the replica VM and select “Test Failover”.

Select the appropriate Recovery point:

After validating the Test Failover, a VM named “VM NAME - Test” will be created.
By default this VM has no virtual switch connected. Check this setting and configure it if you want to test with another VM.
Be careful: the master VM is still running in your production network, so isolate this test VM for your tests.

You can then start your VM and test that everything works as you need.

You can also configure a specific IP address for this replica VM. When the replica VM starts on the replica server the new IP configuration is applied, so that your VM fits your DR IP plan.

After your tests, shut down the VM and stop the test failover from the replica VM.

The test VM will be deleted.

2 – Planned Failover (PFO)

The planned failover allows you to move the master VM from your main site to the DR site. This can be very helpful in case of a planned outage, a natural disaster risk or anything that can cause a failure of your main site and which can be anticipated.

Open a console on your test machine and, on the desktop, create a text file named Replica.txt; write test01 in it to mark the initial demo step.

Then shut down the VM and select “Planned Failover”

From the replica VM:

Note: if you do the “Planned Failover” from Hyper-V Manager instead of Failover Cluster Manager you will not have to select the Failover operation on the replica VM.

Now your VM should be running on your replica server, located in your DR site. This VM is now the master VM and the VM still in your cluster is the replica VM: the replication direction has been reversed.
Connect to the VM and check the file. It should be present with “test01”.

To follow the next step write “test02” and save the file.

When your main site is safe again you’ll want to move your VM back from the replica site to the main site.

To do so, shut down the VM on HYPERV03.

Run a “Planned Failover”

The virtual machine starts on the master node (the cluster).
Connect to it and check the Replica file. You’ll see that the modifications you made while the VM was running in your DR site are present.

3 – Unplanned failover (UFO)

An unplanned failover is when your primary site goes down because of a power outage, a natural disaster or anything that could happen in your main site and could not have been planned.
To follow the demo steps open a console on your test VM (the same one used in the previous steps) and add “test03”:

In my demo I simulated an outage by disabling all networks on HYPERV01 and HYPERV02.
As you can see in the following screenshot both nodes are down and my cluster is down.
In the DR site you’ll have to connect to your replica server and use the Failover action on the virtual machine.

Select the appropriate recovery point.

The VM starts:

Connect to the VM and open the Replica file. As you can see, “test03” is not present: the last recovery point did not contain the modification. Thus we lost the data written between the last recovery point and the main site outage. As I configured the snapshot recurrence to 1 hour I lose at most 1 hour of production data, but this data loss depends on your replica configuration.

If the latest recovery point is not what you need you can revert to an older point (N-1, N-2, N-3, etc.) depending on how many recovery points you selected during the initial configuration. To do so select “Cancel Failover”, run “Failover” again and select another recovery point.

To continue our test process write test04 in the Replica file.

Use your VM as normal.

When the main site comes back both virtual machines will be running, so turn the main site VM off.
Merge all snapshots on your active VM (on the replica server).

To move the master VM back to the main site you first need to “Remove Replication” on the VM located in your main site.

Then run “Reverse Replication” from the replica VM (on HYPERV03).

Specify the Replica Broker and configure the replication:

The VM will begin to send replication data to the VM in the cluster:

Once the replication is over, to move the master role back to the VM located on the cluster, run a planned failover.

So shut down the VM on HYPERV03 and select “Planned Failover”:

The virtual machine located on the cluster boots.

You lost the data written between the last recovery point and the outage, but you retrieve the data created during the outage on the VM located in the DR site.

Check the replication health:
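As an added example (not code from the original article), the replica configuration, the test failover and the planned failover walked through above, done with the Hyper-V PowerShell module from a management station instead of the three consoles. The host names HYPERV01/HYPERV03 are the article's; the broker name, the VM name, the storage paths, the trust group and the failover IP are hypothetical.

```powershell
# Added example: Hyper-V Replica set-up and failover tests via PowerShell.
# Assumes Kerberos (HTTP/80) replication inside one domain, myLab.local.
$primary = 'HYPERV01'                  # cluster node currently owning the VM
$replica = 'HYPERV03'                  # stand-alone replica server (DR site)
$broker  = 'ReplicaBroker.myLab.local' # hypothetical Replica Broker client access point
$vm      = 'TESTVM'                    # hypothetical test VM

# 1. Replica server: accept replication only from the named broker, Kerberos only,
#    and open the listener rule that Hyper-V ships but leaves disabled.
Set-VMReplicationServer -ComputerName $replica -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $replica -AllowedPrimaryServer $broker `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'LabCluster'
Enable-NetFirewallRule -CimSession $replica -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# 2. Cluster side (settings are addressed through the broker name): allow the
#    replica server to replicate back after a failover, same trust group.
Set-VMReplicationServer -ComputerName $broker -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $broker -AllowedPrimaryServer "$replica.myLab.local" `
    -ReplicaStorageLocation 'C:\ClusterStorage\Volume1\Replica' -TrustGroup 'LabCluster'

# 3. Enable replication on the VM: keep 4 hourly recovery points (the "history"
#    setting of the wizard) and start the initial copy over the network.
Enable-VMReplication -VMName $vm -ComputerName $primary -ReplicaServerName $replica `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -CompressionEnabled $true -RecoveryHistory 4
Start-VMInitialReplication -VMName $vm -ComputerName $primary

# Optional: the DR-site IP plan applied when the replica copy boots (needs Integration Services)
Set-VMNetworkAdapterFailoverConfiguration -VMName $vm -ComputerName $replica `
    -IPv4Address 10.0.2.50 -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway 10.0.2.1

# 4. Test failover (TFO): boots an isolated "TESTVM - Test" copy on the replica
#    server, production and replication continue untouched; Stop-VMFailover deletes it.
Start-VMFailover -VMName $vm -ComputerName $replica -AsTest
Stop-VMFailover  -VMName $vm -ComputerName $replica

# 5. Planned failover (PFO): clean shutdown, last changes sent, roles reversed.
Stop-VM -Name $vm -ComputerName $primary
Start-VMFailover -VMName $vm -ComputerName $primary -Prepare   # send pending changes
Start-VMFailover -VMName $vm -ComputerName $replica            # bring replica copy up
Set-VMReplication -VMName $vm -ComputerName $replica -Reverse  # DR site is now primary
Start-VM -Name $vm -ComputerName $replica

# 6. Replication health, the same data as the "Replication Health" view.
Measure-VMReplication -VMName $vm -ComputerName $replica |
    Select-Object VMName, ReplicationHealth, ReplicationState, LastReplicationTime, PrimaryServer
```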

Comments

1 – Each time I run a TFO a new test VM is created, and when you stop the TFO the VM is deleted.
BUT when you look in your VMM 2012 console the VMs are still present:

You’ll have to delete them manually:

2 – I HIGHLY regret that one of the greatest and smartest features of Hyper-V 2012 is not included in the VMM console!!!

Conclusion

Hyper-V Replica is a great and easy to use feature. It allows you to build a disaster recovery solution at no additional cost. The TFO allows you to test your disaster recovery solution regularly without any impact on your infrastructure.
The PFO allows you to be proactive for any risky intervention or external event in your primary datacenter.
And in the most undesirable case, the UFO gives you the ability to restart your production infrastructure in your disaster recovery environment very quickly and with a small data loss.
However, I regret that the operations and the configuration take place in three different consoles: VMM, Failover Cluster Manager and Hyper-V Manager.

Sources

http://technet.microsoft.com/en-us/library/jj134172.aspxg
http://blogs.technet.com/b/virtualization/archive/2012/07/26/types-of-failover-operations-in-hyper-v-replica.aspx
http://amaugard.wordpress.com/2012/08/30/hyper-v-r3-et-la-replication/
http://flemmingriis.com/?p=854

What’s new in Active Directory 2012

More than a month after the official release of Windows Server 2012 I wanted to give an overview of the most asked question you will hear in the coming years: “What’s new in AD 2012?”

Recycle Bin GUI: remember this big improvement in AD 2008 R2? That was great! The only problem was that you had to activate it with a PowerShell command and use Ldp.exe to use it! WHY?
Years later Microsoft finally built a GUI!

To activate it go to the AD Administrative Center and:

Enable Recycle Bin

Create a user, delete it, then select the “Tree view”, go to Deleted Objects and see what’s in there!

Restore AD object

 

Fine Grained Password Policy GUI: another Windows 2008 R2 “revolution”! But once again it suffered from low adoption because you had to use a “not so familiar” tool called ADSI Edit!

So now, still in the AD Administrative Center, select the tree view, go to System / Password Settings Container, right click and create a new Password Settings object:

Password policy 1

Complete all required fields and, if needed, apply it to groups or users!

Password policy 2

Easy !

Dynamic Access Control: this brand new feature allows you to create access rules based on user and/or device claims.
For example: allow access to the shared folder named “Finance” only to people whose Department field in AD is set to Finance.
I’ll write an article on this!

But basically all is done here:

Dynamic Access Control 1

 

Windows PowerShell History Viewer: this great feature shows you which PowerShell command is generated when you do an action in the GUI.
Basically it can really help you learn the commands and build your own scripts.

Dynamic Access Control 2

 

Windows PowerShell Cmdlets for Active Directory Replication and Topology: this is a new set of cmdlets, all listed here:
http://technet.microsoft.com/en-us/library/jj574083.aspx

Active Directory-Based Activation (ADBA): this replaces the KMS server. All computers with a GVLK licence are automatically activated when they join the domain. This role is domain based and therefore hosted by every domain controller. But it only works with Windows 8 and Windows Server 2012.

Flexible Authentication Secure Tunneling (FAST): also named Kerberos Armoring and defined in RFC 6113. It provides a secure channel between the client and the KDC.
This is required if you want to use claims within Dynamic Access Control.

More: http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-11-kerberos-armoring-fast.aspx

Virtualization safe technology: Active Directory is now fully compatible with virtualization technology (at least Hyper-V). It allows you to clone and copy a DC to deploy it easily and quickly. You can also now safely create snapshots of your domain controllers. The technology that enables these features is VM Generation ID. Of course it’s implemented in Hyper-V, and Microsoft also provided the API to VMware and Citrix.

Easy deployment: Microsoft simply dropped ADPREP and Dcpromo! Everything is now integrated in a wizard. When you deploy a new Windows Server 2012 DC it prepares the forest or domain automatically. Awesome!

Off-premises domain join: using DirectAccess you can now join your computer to the domain over the Internet.

Kerberos Constrained Delegation across domains: KCD permits interaction between multi-tier servers using service accounts on behalf of users. It was previously limited to a single domain and is now extended across domains.

gMSAs, Group Managed Service Accounts: MSAs, introduced with Windows 2008 R2, allow admins to create service accounts whose password is reset automatically, like computer passwords. In Windows Server 2012 gMSAs extend these accounts to clustered or load-balanced services.

Other technical points:

Install From Media: defragmentation is still the default but no longer mandatory (to be specified on the command line)
Dcpromo retry bug fixed
RID improvements (from 1 to 2 billion, event warning on consumption)
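As an added example (not code from the original post), the Recycle Bin, the fine-grained password policy and the gMSA features listed above, done from the ActiveDirectory module instead of the AD Administrative Center, with a check of the result at the end. The forest myLab.local is the one used in the other posts; the policy name, the service account name and the WebServers group are hypothetical.

```powershell
# Added example: AD 2012 features from PowerShell (ActiveDirectory + Kds modules).
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Recycle Bin: forest-wide and irreversible once enabled (the GUI asks for the same
#    confirmation), so check first whether it is already on.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 2. Fine-grained password policy: stricter rules applied to the Domain Admins group only
#    (lower precedence number wins when several policies apply to one user).
New-ADFineGrainedPasswordPolicy -Name 'Admins-Strict' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MaxPasswordAge '42.00:00:00' -MinPasswordAge '1.00:00:00' -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-Strict' -Subjects 'Domain Admins'

# 3. gMSA: the KDS root key is created once per forest. -EffectiveImmediately skips the
#    10 hour replication safety delay and is only acceptable in a single-DC lab.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'svc-web01' -DNSHostName 'svc-web01.myLab.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `   # hypothetical computer group
    -ManagedPasswordIntervalInDays 30
# Then, on each member of WebServers (run locally on the host):
#   Install-ADServiceAccount -Identity svc-web01
#   Test-ADServiceAccount   -Identity svc-web01   # True when the host can retrieve the password

# 4. Verify: which policy an admin account actually gets, and what the Recycle Bin holds
Get-ADUserResultantPasswordPolicy -Identity Administrator |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects |
    Select-Object Name, LastKnownParent, whenChanged
```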

 

Source:

http://technet.microsoft.com/fr-fr/library/hh831477.aspx
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA312

 

Powershell commands to create Hyper-v 2012 VMs

In this post I wanted to point out some interesting ways to create VMs.

A VM can host several types of virtual disks.

First there are two file formats, VHD and the new VHDX. VHD can be up to 2 TB whereas VHDX can go up to 64 TB. VHDX is also more resilient to VM hard shutdowns but is only supported by Windows Server 2012 and, I think, Windows 8.

Then there are three types of disks:

  • Fixed: the complete volume of the disk is created at the beginning. This kind of disk is more efficient but uses the total allocated space.
  • Dynamic: this type of virtual disk creates a small file that contains the data hosted. Then, as you fill the disk in the VM, the host file grows.
  • Differencing: this type of disk is based on another disk called the parent disk. The child disk contains only the differences you made in the VM. Both disks (parent and child) can be fixed or dynamic but the format must be the same (VHD or VHDX). This kind of disk reduces disk space usage.

If you use the UI or the New-VM cmdlet the default dynamic type is used. If you want a fixed or differencing disk you’ll need to create the disk separately.

Of course you can use the UI to create VHDs and VMs; it’s fine to build a few VMs, but if you want to create several VMs and always use the same configuration you really should write some PowerShell scripts.

Here are the commands to create all sorts of disks:

Dynamic without source:

New-VHD -Path "C:\ClusterStorage\Volume1\BASE2012.VHDX" -Dynamic -SizeBytes 127GB -ComputerName hyperv01

Dynamic with source (an independent dynamic copy of an existing base disk; New-VHD -SourceDisk copies a physical disk by disk number, so copying a VHDX is done with Convert-VHD):

Convert-VHD -Path "C:\ClusterStorage\Volume1\BASE2012.VHDX" -DestinationPath "C:\ClusterStorage\Volume1\VM001.VHDX" -VHDType Dynamic -ComputerName hyperv01

Fixed without source:

New-VHD -Path "C:\ClusterStorage\Volume1\BASE2012.VHDX" -Fixed -SizeBytes 60GB -ComputerName hyperv01

Fixed with source (an independent fixed copy of an existing base disk, again with Convert-VHD):

Convert-VHD -Path "C:\ClusterStorage\Volume1\BASE2012.VHDX" -DestinationPath "C:\ClusterStorage\Volume1\VM001.VHDX" -VHDType Fixed -ComputerName hyperv01

Differencing disk:

New-VHD -Path "C:\ClusterStorage\Volume1\VM001.VHDX" -ParentPath "C:\ClusterStorage\Volume1\BASE2012.VHDX" -Differencing -SizeBytes 127GB -ComputerName hyperv01

(Here the source/parent is a base disk.)

To create a new VM you can:

Create a VM and a new VHD (dynamic):

New-VM -Name VM01 -NewVHDPath "C:\ClusterStorage\Volume1\VM01.VHDX" -NewVHDSizeBytes 60GB -ComputerName Hyperv01

Create a VM with no disk:

New-VM -Name VM01 -NoVHD -ComputerName Hyperv01

Create a VM and attach an existing VHD:

New-VM -Name VM01 -VHDPath "C:\ClusterStorage\Volume1\VM01.VHDX" -ComputerName Hyperv01

OK, now that we have all the basic commands let’s create a script to build 5 VMs with fixed-size disks (CreateVMFixedVhd):

$vhdpath = "C:\ClusterStorage\Volume1\VHD"   # folder holding the VHDX files
$vmnetworkName = "External01"
$memorySize = 1GB
$VmtoCreate = 5
$DiskSize = 60GB
$HyperVhost = "hyperv01"

1..$VmtoCreate | % {
    # one fixed-size disk per VM, then the VM attached to it, then start it
    New-VHD -Path "$vhdpath\VM00$_.VHDX" -Fixed -SizeBytes $DiskSize -ComputerName $HyperVhost
    New-VM -Name VM00$_ -VHDPath "$vhdpath\VM00$_.VHDX" -MemoryStartupBytes $memorySize -SwitchName $vmnetworkName -ComputerName $HyperVhost
    Start-VM VM00$_ -ComputerName $HyperVhost
}

The problem with this method is that you’ll have to install every OS. Thus we need a source disk. To do so we first create the base VM to build the base image:

New-VHD -Path "C:\ClusterStorage\Volume1\VHD\BASE2012.VHDX" -Fixed -SizeBytes 60GB -ComputerName hyperv01

New-VM -Name VMBase2012 -VHDPath "C:\ClusterStorage\Volume1\VHD\BASE2012.VHDX" -ComputerName Hyperv01

Set-VMDVDDrive -VMName VMBase2012 -Path "C:\ClusterStorage\Volume1\ISO\Win2012_RTM.iso" -ComputerName Hyperv01

Start-VM VMBase2012 -ComputerName Hyperv01

  • Install the OS
  • Install the Integration Services and make any changes you want
  • Sysprep it and shut it down:
  • c:\Windows\System32\sysprep\sysprep.exe /generalize /oobe /shutdown
  • Remove the VMBase2012 VM from Hyper-V Manager (command: Remove-VM VMBase2012 -ComputerName Hyperv01)
  • This command deletes the VM but not the VHD

Then we’ll be able to use this disk as the source for our new virtual machines.

I chose to build several VMs using differencing disks:

$vhdpath = "C:\ClusterStorage\Volume1\VHD"
$vmnetworkName = "External01"
$memorySize = 1GB
$VmtoCreate = 5
$DiskSize = 80GB
$HypervHost = "hyperv01"
1..$VmtoCreate | % {
    # each child disk only stores the differences from the sysprepped BASE2012.VHDX
    New-VHD -Path "$vhdpath\VM00$_.VHDX" -ParentPath "$vhdpath\BASE2012.VHDX" -Differencing -SizeBytes $DiskSize -ComputerName $HypervHost
    New-VM -Name VM00$_ -VHDPath "$vhdpath\VM00$_.VHDX" -MemoryStartupBytes $memorySize -SwitchName $vmnetworkName -ComputerName $HypervHost
    Start-VM VM00$_ -ComputerName $HypervHost
}

Then, if you want to add these virtual machines to your failover cluster:

$VmtoAdd = 5
$ClusterName = "Cluster01"
1..$VmtoAdd | % {
    Add-ClusterVirtualMachineRole -VirtualMachine VM00$_ -Name VM00$_ -Cluster $ClusterName
}

Enjoy

Source:

http://technet.microsoft.com/en-us/library/hh848559.aspx

http://technet.microsoft.com/library/hh847239.aspx

Create a two node HyperV Cluster

After trying the two node no-shared-storage “cluster” I decided to move to a more traditional cluster. Why? First because I am curious, and second because a cluster offers failover! Basically what we need in addition is shared storage, I mean SAS, Fibre Channel or iSCSI volumes.
Microsoft best practice: each host that you want to cluster must have access to the storage array.

  • The Multipath I/O (MPIO) feature must be added on each host that will access the Fibre Channel or iSCSI storage array. You can add the MPIO feature through Server Manager. If the MPIO feature is already enabled before you add a host to VMM management, VMM will automatically enable MPIO for supported storage arrays by using the Microsoft provided Device Specific Module (DSM). If you already installed vendor-specific DSMs for supported storage arrays, and then add the host to VMM management, the vendor-specific MPIO settings will be used to communicate with those arrays. If you add a host to VMM management before you add the MPIO feature, you must add the MPIO feature, and then manually configure MPIO to add the discovered device hardware IDs. Or, you can install vendor-specific DSMs.
  • If you are using a Fibre Channel storage array network (SAN), each host must have a host bus adapter (HBA) installed, and zoning must be correctly configured. For more information, see your storage array vendor’s documentation.
  • If you are using an iSCSI SAN, make sure that iSCSI portals have been added and that the iSCSI initiator is logged into the array. Additionally, make sure that the Microsoft iSCSI Initiator Service on each host is started and set to Automatic. For more information about how to create an iSCSI session on a host when storage is managed through VMM

Source: http://technet.microsoft.com/en-us/library/gg610630.aspx

For my test lab I’ll use iSCSI storage. Unfortunately I don’t have a physical NAS or SAN so I’ll use the new iSCSI Target Server of Windows Server 2012. To do so I’ll create a new server named INFRA02 with a normal config (1 CPU, 1 GB RAM, joined to the domain). In my previous post I had two 750 GB volumes mounted on each Hyper-V server; I just moved them to the new server INFRA02.

 

Storage pools: before doing anything let’s just explain the new Storage Pool service provided in Windows Server 2012. Usually, on a server with several disks you build a RAID unit using the physical RAID card. But if the server doesn’t have a RAID card, if you have a JBOD device connected to it, if you want to put NAS storage together (strange thing, but why not), if you have different disk types and sizes, or all of these, then you can use the Storage Pool service proposed by Microsoft. The storage pool allows you to put several storage units together in a logical pool. Then you can use this pool to create virtual disks.

So you can combine your 3 DAS disks on a server, maybe with your old JBODs and a NAS array, to create one or two pools and then create several virtual disks that will be presented as iSCSI volumes, such as:

In my case the two 750 GB volumes represent two physical Direct Attached Storage (DAS) disks. So the INFRA02 server will let us build a real iSCSI storage device for the Hyper-V cluster.

OK, I could create the iSCSI virtual disks directly on a physical disk, but I repeat, we are in a test environment.

First of all we need to add the iSCSI Target Server feature on INFRA02:

Add-WindowsFeature FS-iSCSITarget-Server

To build the cluster we’ll need :

  • 1 Volume for the cluster (witness disk)
  • Shared Storage for Virtual machines

So, to begin, and in order to be able to run our own scripts, we need to set the execution policy.

Set-ExecutionPolicy Unrestricted

Then we need to create a storage pool, add our disks to it and create the virtual disk.
To do so, create a script containing the following code (createStorage.ps1) and put it under c:\scripts:

# all physical disks that are not yet part of a pool
$disks = Get-PhysicalDisk -CanPool $true
$storagesub = Get-StorageSubsystem
New-StoragePool -FriendlyName StoragePool01 -StorageSubsystemFriendlyName $storagesub.FriendlyName -PhysicalDisks $disks
# one fixed 1.5 TB virtual disk, no resiliency (Simple), carved out of the pool
$newSpace = New-VirtualDisk -StoragePoolFriendlyName StoragePool01 -FriendlyName Storage01 -Size (1500GB) -ResiliencySettingName Simple -ProvisioningType Fixed

You’ll then have a new pool “StoragePool01” and a new disk named “Storage01”.

  • In the Server Manager disk view bring the disk online
  • Initialize it
  • Create a partition using the full disk space
  • Use the X: letter
  • (Script coming. One day … or not)

Then we are going to create the iSCSI target and assign the three disks to it:

New-IscsiServerTarget -TargetName FileCluster -InitiatorID IPAddress:10.0.0.10, IPAddress:10.0.0.11

#Witness Disk

New-IscsiVirtualDisk -DevicePath X:\iScsiVirtualDisks\witness.VHD -Size 5GB
Add-IscsiVirtualDiskTargetMapping -TargetName FileCluster -DevicePath X:\iScsiVirtualDisks\witness.VHD

#Storage disks

1..2 | % {
    New-IscsiVirtualDisk -DevicePath X:\iScsiVirtualDisks\LUN0$_.VHD -Size 700GB
    Add-IscsiVirtualDiskTargetMapping -TargetName FileCluster -DevicePath X:\iScsiVirtualDisks\LUN0$_.VHD
}

In the iSCSI target I also allow 10.0.0.10 and 10.0.0.11 to connect to the iSCSI server.

Create another script named “Connectiscsi.ps1” with:

Set-Service MSiSCSI -StartupType automatic

Start-Service MSiSCSI

New-iSCSITargetPortal -TargetPortalAddress 10.0.0.2

Get-iSCSITarget | Connect-iSCSITarget

Get-iSCSISession | Register-iSCSISession

Execute the script remotely on both servers with:

1..2 | % { Invoke-Command -ComputerName Hyperv0$_ -FilePath "C:\scripts\Connectiscsi.ps1" }

So far our storage is on the network and our two Hyper-V hosts can access it!

Now we can configure the cluster.
On our management server (INFRA01 for me) run the following command to install the Failover Clustering Remote Server Administration Tools:

Add-WindowsFeature RSAT-Clustering

Run the following command to install the Failover Clustering feature on each Hyper-V server:

1..2 | % { Invoke-Command -ComputerName Hyperv0$_ -ScriptBlock { Add-WindowsFeature Failover-Clustering } }

From one Hyper-V host open the Server Manager disk view and:

  • Bring the disk online
  • Initialize it
  • Create a partition using the full disk space
  • Do not assign a letter
  • (Script coming. One day … or not)

Add a new network adapter to each Hyper-V server and configure it as: Hyperv01: 10.0.1.1/24, Hyperv02: 10.0.1.2/24. This network directly links the two Hyper-V servers and will be used to simulate a redundant network.

Here we go! We now have two hosts linked by two networks and each host is connected to 3 iSCSI volumes (1 for the witness and 2 for storage). We now have all the prerequisites to build the cluster.

To check that everything is OK you can (should) run a cluster validation test.

If you don’t have errors and have dealt with the warnings then you can create your cluster:
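As an added example (not code from the original post), a pre-flight script run from INFRA01 that verifies on both nodes what the steps above prepared (iSCSI service, sessions, the three LUNs, the clustering feature) and only then launches the validation test with Test-Cluster. Node names and the LUN count come from the post; the report path is an assumption.

```powershell
# Added example: check both nodes, then run the cluster validation report.
$nodes = 'hyperv01', 'hyperv02'

function Test-NodeStorage {
    param([string[]]$Nodes, [int]$ExpectedLuns = 3)   # 1 witness + 2 CSV disks
    foreach ($node in $Nodes) {
        Invoke-Command -ComputerName $node -ArgumentList $ExpectedLuns -ScriptBlock {
            param($expected)
            # Win32_Service gives StartMode on PowerShell 3 (Get-Service does not)
            $svc  = Get-CimInstance Win32_Service -Filter "Name='MSiSCSI'"
            $sess = @(Get-IscsiSession | Where-Object IsConnected)
            $luns = @(Get-Disk | Where-Object BusType -eq 'iSCSI')
            [pscustomobject]@{
                Node           = $env:COMPUTERNAME
                IscsiService   = "$($svc.State)/$($svc.StartMode)"
                Sessions       = $sess.Count
                IscsiDisks     = $luns.Count
                OnlineDisks    = @($luns | Where-Object OperationalStatus -eq 'Online').Count
                ClusterFeature = (Get-WindowsFeature Failover-Clustering).Installed
                Ready          = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto') -and
                                 ($sess.Count -ge 1) -and ($luns.Count -eq $expected)
            }
        }
    }
}

$report = Test-NodeStorage -Nodes $nodes
$report | Format-Table Node, IscsiService, Sessions, IscsiDisks, OnlineDisks, ClusterFeature, Ready -AutoSize

if ($report.Ready -notcontains $false) {
    # Full validation report (HTML); warnings must be reviewed, errors fixed before New-Cluster.
    # Storage tests temporarily take the shared disks offline, so run this before any VM exists.
    Test-Cluster -Node $nodes -ReportName 'C:\scripts\ClusterValidation'
} else {
    Write-Warning 'At least one node is not ready; fix iSCSI/storage before validating.'
}
```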

New-Cluster -Name Cluster01 -Node hyperv01,hyperv02 -StaticAddress 10.0.1.3, 10.0.0.3 -NoStorage

Then we need to add all available storage to the cluster:

Get-ClusterAvailableStorage Cluster01 | Add-ClusterDisk

Configure the cluster quorum:

Set-ClusterQuorum -NodeAndDiskMajority "Cluster Disk 2" -Cluster Cluster01

Add the two other disks as Cluster Shared Volumes:

Add-ClusterSharedVolume "Cluster Disk 1","Cluster Disk 3" -Cluster Cluster01

These two shared volumes are now available on both Hyper-V servers under:

C:\ClusterStorage

We can therefore reconfigure Hyper-V to use C:\ClusterStorage\Volume1 as the default storage location:

1..2 | % { Invoke-Command -ComputerName Hyperv0$_ -ScriptBlock { Set-VMHost -VirtualHardDiskPath C:\ClusterStorage\Volume1\VHD -VirtualMachinePath C:\ClusterStorage\Volume1\VM } }

To test the failover cluster:

Create a test virtual machine:

New-VM VM01 -MemoryStartupBytes 1GB -ComputerName Hyperv01

Add-ClusterVirtualMachineRole -VirtualMachine VM01 -Name VM01 -Cluster Cluster01

Start-VM VM01 -ComputerName Hyperv01

Cut the network on Hyperv01 and see if the VM shuts down and restarts on Hyperv02!

In my next post I’ll come back with more VM creation options and PowerShell code.

Enjoy

Build a two node hyperv 2012 no share live migration “Cluster”

In this post I’ll describe the steps to build a two node “cluster”. Why is cluster in quotes? Simply because we will not use the Microsoft clustering features, and you won’t have fault tolerance with this infrastructure either, but you’ll be able to manually live migrate VMs between the two hosts.
To build this infrastructure I’ll use my lab environment, which is a normal computer (8 CPUs, 32 GB, 3 TB) under Windows 7 with VMware Workstation Tech Preview.

  • Infra01: 1.5 GB RAM, 2 CPUs, 40 GB disk
  • Hyperv01 and Hyperv02: 10 GB RAM, 4 CPUs, 40 GB disk

To install the VMs I’m using the unsupported Hyper-V OS type.

Then install Windows Server 2012. As I explained in a previous post I prefer to install my servers with the full GUI and then disable it after configuration. So:

Then it’s a normal install.
Install VMware Tools.
Rename your servers.

Set the network:

With cmd:

netsh interface ip set address name=Ethernet static 10.0.0.2 255.255.255.0
netsh interface ip set dns name=Ethernet static 10.0.0.1

Or with PowerShell:

Get-NetIPAddress
Set-NetIPInterface -InterfaceAlias Ethernet -DHCP Disabled
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.0.0.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 10.0.0.1

Disable the firewall:
Set-NetFirewallProfile -Enabled False

Install Hyper-V:


Install-WindowsFeature Hyper-V

and if you also want the management tools:

Install-WindowsFeature RSAT-Hyper-V-Tools

I asked myself a question. Can I build a standalone infrastructure, I mean not joined to an Active Directory domain, like I can do with ESX servers? Well, you can with … one server, but if you want to migrate VMs without joining Hyper-V to the domain you’ll get this kind of message:


So now join your Hyper-V server to your domain:

Add-Computer -DomainName myLab.local -Credential myLab\Administrator -Restart

Then we are going to configure the Hyper-V settings.
I think you don’t want to host VMs and VHDs on your C: drive, so:

Set-VMHost -VirtualHardDiskPath E:\HYPERV\VHD -VirtualMachinePath E:\HYPERV\VM

If you want to do it on HYPERV02 you can connect directly to it or do it remotely like this:

New-PSSession -ComputerName HYPERV02
Enter-PSSession -Id 1

# and then use the same configuration line. This avoids copy errors and different configurations.


Configure the virtual switch:

External

Then we need to configure the live migration settings. If you go to the settings in the UI you’ll see that there are two authentication options:


I’ll not go into detailed security matters here, but basically the difference is that with CredSSP you’ll have to do all your management tasks from a Hyper-V host, and that’s not really what I want here.

So choose Kerberos authentication.

Now if you try to move a virtual machine you will get this wonderful error:

To solve this we need to configure Kerberos delegation between our servers.

Open an Active Directory Users and Computers console, then in the Hyperv01 properties add the delegation as shown below:

Do the same for Hyperv02.

Now it’s time to move VMs. To do so, create an empty VM named VM01.

From INFRA01 open a PowerShell prompt and open a PSSession on Hyperv01 and Hyperv02.

From the host where the VM is located run the following command:

Move-VM VM01 Hyperv02 -IncludeStorage

And it should work … or not!

If like me you have the following error message: AccessDenied,Microsoft.HyperV.Powershell.Commands.MoveVMCommand

This is probably because you installed the Hyper-V role before joining the hosts to the domain.

To solve the problem simply add “Domain Admins” (or any group you want to use) to the Hyper-V Administrators local group on each Hyper-V host.
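As an added example (not code from the original post), the delegation set above in the GUI, the Kerberos migration setting and the local group fix, scripted from INFRA01 with the ActiveDirectory and Hyper-V modules. The delegation is constrained to the two services live migration needs (cifs and the Microsoft Virtual System Migration Service) and only towards the other host, which is the least privilege the scenario requires; the host names and the domain myLab.local are the post's.

```powershell
# Added example: constrained delegation + Kerberos live migration between two hosts.
Import-Module ActiveDirectory
$domain = 'myLab.local'
$hosts  = 'Hyperv01', 'Hyperv02'

# 1. Constrained delegation, "Use Kerberos only": each host may delegate only to the
#    two migration services of the other host (msDS-AllowedToDelegateTo), nothing else.
foreach ($h in $hosts) {
    $targets = $hosts | Where-Object { $_ -ne $h } | ForEach-Object {
        "cifs/$_.$domain"
        "Microsoft Virtual System Migration Service/$_.$domain"
    }
    $comp = Get-ADComputer -Identity $h
    Set-ADObject -Identity $comp.DistinguishedName -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$targets }
    # Kerberos only: protocol transition ("any authentication protocol") stays off
    Set-ADAccountControl -Identity $comp -TrustedToAuthForDelegation $false -TrustedForDelegation $false
}

# 2. Hyper-V side: live migration on, Kerberos instead of CredSSP, and the
#    Hyper-V Administrators local group so management works without local admin rights.
Invoke-Command -ComputerName $hosts -ScriptBlock {
    Set-VMHost -VirtualMachineMigrationEnabled $true `
               -VirtualMachineMigrationAuthenticationType Kerberos
    net localgroup 'Hyper-V Administrators' 'myLab\Domain Admins' /add
}

# 3. Check what was written: the delegation list per host and the migration settings
foreach ($h in $hosts) {
    Get-ADComputer -Identity $h -Properties msDS-AllowedToDelegateTo |
        Select-Object Name, @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}
Get-VMHost -ComputerName $hosts |
    Select-Object Name, VirtualMachineMigrationEnabled, VirtualMachineMigrationAuthenticationType
```

The Kerberos tickets of the hosts have to be refreshed before the new delegation is honoured; a reboot of both hosts, or waiting for the ticket lifetime, is the simplest way in a lab.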

 

Enjoy

Windows 2012 : Full or Core install ?

You may already have noticed that Microsoft changed the default install mode of Windows Server 2012 to the Core version! What a change!

Where all Unix-based servers are proud of their black and white screens, Microsoft ignored that from the beginning, trying to build the simplest, most fashionable and most powerful user interface. Moreover, MS folks sometimes laugh at Unix admins, considering them old-school guys using vi, Emacs or other light and powerful tools.

And today, in 2012, 19 years after the first Windows NT release, we should install and use the Core version! Why? What happened?

Well, I don’t really know what is driving Microsoft in this direction, but I just want to analyze the pros and cons and look at some figures.

First of all I installed two really default versions of WS 2012, a Full and a Core, and here are the basic results for CPU, memory and disk usage right after install, without any load.

(Screenshots: CPU, Memory and Disk usage, each for the FULL and the CORE installation.)

So if you install a Core version you will basically save:

  • 3 processes
  • 68 threads
  • 137 MB of RAM
  • 2.87 GB of disk

You’ll also of course have fewer files on disk and fewer I/Os.

OK! These are the default figures. Now let’s see what Microsoft tells us:

  • Greater stability. Because a Server Core installation has fewer running processes and services than a Full installation, the overall stability of Server Core is greater. Fewer things can go wrong, and fewer settings can be configured incorrectly.

My comment: That's right. But how many times did your Windows 2003 or 2008 R2 server crash because of a Microsoft process? The main process included in the Full version is of course explorer.exe. This process does sometimes crash, but on my PC, when I have 20 windows open, twelve applications and 5 VMs running!

  • Simplified management. Because there are fewer things to manage on a Server Core installation, it’s easier to configure and support a Server Core installation than a Full one—once you get the hang of it.

My comment: This is my main point. I think they forget something here: it's easier IF you are a PowerShell expert! How many of you are?

  • Reduced maintenance. Because Server Core has fewer binaries than a Full installation, there’s less to maintain. For example, fewer hot fixes and security updates need to be applied to a Server Core installation. Microsoft analyzed the binaries included in Server Core and the patches released for Windows Server 2000 and Windows Server 2003 and found that if a Server Core installation option had been available for Windows Server 2000, approximately 60 percent of the patches required would have been eliminated, while for Windows Server 2003, about 40 percent of them would have.

My comment: OK, that's true. Let's see: over the last 6 months, from February to July, we had 9, 6, 6, 7, 7 and 9 patches per month. What is your patching routine? How many patches really need a reboot? How many patches apply to both Full and Core? And what is the difference between downloading 35 patches, installing and rebooting, and downloading 5 patches, installing and rebooting? Especially every 6 months...

  • Reduced memory and disk requirements. A Server Core installation on x86 architecture, with no roles or optional components installed and running at idle, has a memory footprint of about 180 megabytes (MB), compared to about 310 MB for a similarly equipped Full installation of the same edition. Disk space needs differ even more—a base Server Core installation needs only about 1.6 gigabytes (GB) of disk space compared to 7.6 GB for an equivalent Full installation. Of course, that doesn’t account for the paging files and disk space needed to archive old versions of binaries when software updates are applied. See Chapter 2 for more information concerning the hardware requirements for installing Server Core.

My comment (these Microsoft figures are for Windows Server 2008): Right, we saw that. You'll save about 150 MB of RAM and 2.8 GB of disk. If you have a huge infrastructure you may care about it.

  • Reduced attack surface. Because Server Core has fewer system services running on it than a Full installation does, there’s less attack surface (that is, fewer possible vectors for malicious attacks on the server). This means that a Server Core installation is more secure than a similarly configured Full installation.

My comment: Have you ever been the victim of a virus or an attack because of a Windows GUI security vulnerability? Yes? Then review your network security. One caveat, though: the components Core drops (Internet Explorer, the Explorer shell and their file and media parsers) are client-side code, so the gain is mostly against an administrator browsing or opening files on the server console, and against the patching those components would otherwise require.

Source : http://technet.microsoft.com/en-us/library/dd184076.aspx

Two other important points made by the Microsoft article: Server Core does not improve performance, and (on Windows Server 2008, which that article describes; the list is broader on Windows Server 2012) Server Core only supports the following roles:

  • AD DS
  • AD LDS
  • DNS
  • DHCP
  • File Services
  • Print Services
  • Streaming Media Services
  • Web Server (IIS)
  • Hyper-V

OK, I seem to be a Server Core opponent, but I'm not. In fact I love it, but in a different way. Let me explain.

My advice is the following: don't install your WS 2012 in Core mode. Instead, install the Full version, configure your server, make sure you can manage it remotely, and then, once everything is tested, disable the GUI. You'll benefit from lower memory usage, fewer processes, lower security risk and so on, but not from the smaller disk footprint, because the GUI binaries stay on the disk (Windows Server 2012 can delete them as well if you add -Remove to the uninstall command, at the price of needing the installation media as -Source to bring the GUI back).

To remove the GUI, use the GUI (to remove the GUI) or the following PowerShell command (a restart is required afterwards; Remove-WindowsFeature is an alias of Uninstall-WindowsFeature on WS 2012):

Remove-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

That way, if one day you cannot do something remotely, lose connectivity to the server, or whatever, go to the server console and re-enable the GUI with the following PowerShell command:

Add-WindowsFeature Server-GUI-Shell, Server-Gui-Mgmt-Infra
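The "configure with the GUI, then drop it" approach as a small function, added here as an example and not part of the original post. It refuses to remove the shell unless WinRM and Server Manager remote management are in place, knows the three levels Windows Server 2012 offers (Full, Minimal Server Interface with Server Manager and MMC but no Explorer, and Core), and covers the way back, including the -Source needed when the binaries were deleted with -Remove. The installation media path D:\sources\install.wim and image index 4 in the usage note are assumptions; Get-WindowsImage lists the real indexes.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# server itself. Media path and image index in the comments are assumptions.
function Assert-RemoteManagement {
    # Refuse to drop the shell if the box could not be driven remotely afterwards.
    $winrm = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
    if ($winrm.State -ne 'Running' -or $winrm.StartMode -ne 'Auto') {
        Enable-PSRemoting -Force | Out-Null        # creates the HTTP listener and sets WinRM to automatic start
    }
    $listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTP' }
    $fwRules  = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Where-Object { $_.Enabled -eq 'True' }
    if (-not $listener -or -not $fwRules) {
        throw 'No usable WinRM HTTP listener or firewall rule; fix remote management before removing the GUI.'
    }
    # Server Manager remoting (DCOM/WMI/WinRM endpoints used by Server Manager and RSAT)
    & "$env:windir\System32\Configure-SMRemoting.exe" -Enable
}

function Set-ServerGuiLevel {
    param(
        [Parameter(Mandatory)][ValidateSet('Full', 'MinShell', 'Core')][string]$Level,
        [switch]$RemovePayload,   # also delete the binaries from disk (saves space, needs -Source later)
        [string]$Source           # e.g. wim:D:\sources\install.wim:4 when the payload was removed
    )
    $all    = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'
    $wanted = switch ($Level) {
        'Full'     { $all }
        'MinShell' { 'Server-Gui-Mgmt-Infra' }   # Server-Gui-Shell depends on Server-Gui-Mgmt-Infra
        'Core'     { @() }
    }
    $state    = Get-WindowsFeature $all
    $toRemove = @($state | Where-Object { $_.Installed -and $wanted -notcontains $_.Name })
    $toAdd    = @($state | Where-Object { -not $_.Installed -and $wanted -contains $_.Name })

    if ($toRemove.Count -gt 0) {
        Assert-RemoteManagement
        $p = @{ Name = $toRemove.Name; Restart = $true }
        if ($RemovePayload) { $p.Remove = $true }   # Features on Demand: payload leaves the disk too
        Uninstall-WindowsFeature @p
    }
    if ($toAdd.Count -gt 0) {
        $p = @{ Name = $toAdd.Name; Restart = $true }
        if ($Source) { $p.Source = $Source }        # required only if the payload was removed
        Install-WindowsFeature @p
    }
    if ($toRemove.Count -eq 0 -and $toAdd.Count -eq 0) { "Server is already at level $Level" }
}

# Usage (each call restarts the server when it changes something):
#   Set-ServerGuiLevel -Level Core                       # binaries stay on disk, no media needed to come back
#   Set-ServerGuiLevel -Level Core -RemovePayload        # also frees the disk space
#   Set-ServerGuiLevel -Level Full                       # way back when the payload is still there
#   Set-ServerGuiLevel -Level Full -Source 'wim:D:\sources\install.wim:4'   # assumed path/index after -RemovePayload
```

From a Core console the function is still reachable: type powershell.exe in the command prompt that Core opens at logon, dot-source the script, and run the restore call.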

Enjoy

Julien

Hyper-v Platform on Windows 8

Windows 8 includes a really nice feature that will surely help people getting started with Hyper-V Server 2012: a Hyper-V platform built into Windows 8 itself.

To try it, I installed a Windows 8 Consumer Preview (build 8250) on VMware Workstation 2012 Technology Preview.

Then I changed the guest OS version in the VM settings

and, still in the VM settings, enabled the processor option that exposes the virtualization extensions to the guest (Virtualize Intel VT-x/EPT or AMD-V/RVI), so that Hyper-V can run nested inside the VMware VM.

Then go to Control Panel / Programs / Turn Windows features on or off, turn on Hyper-V Platform and the Hyper-V management tools, and reboot.

If the option is greyed out and tells you that your processor does not have Second Level Address Translation (SLAT), just reboot the VM.

Then you can open the Hyper-V management console and enjoy
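The same prerequisites and the same feature switch from PowerShell, as an added example that is not part of the original post: it reads the virtualization flags Windows 8 exposes through Win32_Processor (the ones behind the greyed-out option and the SLAT message), refuses to continue while any of them is false, and enables the Hyper-V platform and tools with the DISM cmdlets. Run it in an elevated PowerShell inside the Windows 8 guest; the feature names are the real Windows 8 optional-feature names, nothing else is assumed.

```powershell
# Added example, not from the original post. Elevated PowerShell on the Windows 8 guest.
function Test-HyperVPrerequisites {
    # Win32_Processor gained these virtualization properties in Windows 8 / Server 2012
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Is64Bit                    = $os.OSArchitecture -eq '64-bit'
        DataExecutionPrevention    = $os.DataExecutionPrevention_Available
        VirtualizationInFirmware   = $cpu.VirtualizationFirmwareEnabled            # VT-x / AMD-V switched on
        VMMonitorModeExtensions    = $cpu.VMMonitorModeExtensions                  # VT-x / AMD-V present
        SecondLevelAddressTranslat = $cpu.SecondLevelAddressTranslationExtensions  # SLAT (EPT / RVI)
    }
}

function Enable-ClientHyperV {
    $req     = Test-HyperVPrerequisites
    $missing = @($req.PSObject.Properties | Where-Object { -not $_.Value } | Select-Object -ExpandProperty Name)
    if ($missing.Count -gt 0) {
        # Inside a nested VM a stale SLAT/VT reading right after changing the processor
        # settings usually clears after one reboot, as noted in the post above.
        throw "Hyper-V requirements not met: $($missing -join ', ')"
    }

    $features = 'Microsoft-Hyper-V',                       # hypervisor and VMM services
                'Microsoft-Hyper-V-Management-Clients',    # Hyper-V Manager MMC
                'Microsoft-Hyper-V-Management-PowerShell'  # Hyper-V PowerShell module
    $pending = @(foreach ($f in $features) {
        if ((Get-WindowsOptionalFeature -Online -FeatureName $f).State -ne 'Enabled') { $f }
    })
    if ($pending.Count -eq 0) { return 'Hyper-V is already enabled' }

    # -All pulls in parent features; -NoRestart lets the caller decide when to reboot
    Enable-WindowsOptionalFeature -Online -FeatureName $pending -All -NoRestart | Out-Null
    "Enabled: $($pending -join ', '). Reboot to finish."
}

Test-HyperVPrerequisites | Format-List
Enable-ClientHyperV
```

After the reboot, Get-VMHost in the Hyper-V module confirms the hypervisor is actually running; a host where it silently is not (because a requirement was missing at boot) still shows the console but fails when the first VM starts.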

Next we’ll see what we can do with it (replica, Vswitch, storage etc)

Julien