2014
04.02

Windows XP gets all the headlines, but some old Microsoft virtualization products are going end of life in the coming months too.

Virtual PC 2004 gave us a desktop-based virtualization product from Microsoft. VPC came from the Connectix acquisition. It was a paid product at first and then went free. I ordered 3 copies of it for my team on the day it was released! I doubt many are using VPC 2004 any more, but extended support is ending on 8th April, 2014, the same day that Windows XP goes bye-bye. Something tells me there’ll be a few shots of whiskey consumed in a certain quiet corner in Redmond.

Virtual Server 2005 was Microsoft’s first server-based virtualization product. VS2005 was also a paid-for product, and I also bought it on the first day of release to help the company I worked for at the time reduce the physical server count. VS2005 and VS2005R2 became free products, and were eventually replaced by Hyper-V, a true type 1 hypervisor. If you are still using Virtual Server (2005 or 2005 R2) then you need to plan for extended support ending on 13th January 2015.

In case you might be wondering, XP Mode is also going end of life. This Windows 7 “hack” for Windows XP compatibility runs Windows XP, and therefore it is also going EOL on April 8th 2014.

2014
04.01

How My New Azure VM Web Server Is Configured

Following yesterday’s “I’ve moved to Azure” post, I decided to write a bit more about what I’ve done. For obvious reasons, I will not get into deep specifics.

The first step was to create a cloud service. Each cloud service in Azure should be seen as an external point of contact … a public IP address if you want to think of it that way.

I then created a single subnet virtual network.

A storage blob was created in Azure to store the VHD files of the new virtual machine.

A small spec VM (single core, 1.7 GB RAM) was created. An endpoint was created for HTTP in the Azure portal to allow incoming web traffic. I don’t need HTTPS and I don’t use the FTP functionality of WordPress.

I then created a WS2012 R2 Datacenter virtual machine. I configured patching using GPEDIT.MSC, and a few other things. I added IIS and ran the Web Platform Installer to install MySQL, PHP and a few other WordPress prerequisites. I also installed MySQL Workbench … I can’t be bothered googling for MySQL commands.

Two websites were created in IIS and two databases/service accounts were created in MySQL. I have this blog and my photography website to host. I downloaded and extracted 2 copies of the WordPress files, and configured each blog.

I’ve only migrated this site so far – the photography site will be next (more complex because of galleries). I decided against exporting the database from the old server; this was an opportunity to go with whole new versions of everything. So I did WordPress export/import. The export file was bigger than the 2 MB max so I split the export file using a free tool called WXR File Splitter. 2 MB files were too large and caused the import to timeout, so I went with 512 KB. Apparently a hack of PHP would have been an alternative, but I want to avoid hacks.

I added all my WordPress plug-ins and configured them, making sure that my advertisers were OK. And then I tested a bit. And then came the next step: switching the A records for my domain to switch to the new server. That’s the REAL test – will this server work for you.

The last steps were to configure backup. I configured a MySQLDump job to export all databases using Task Scheduler and a batch file. That backs up to a folder called Backup. I then configured an Azure Recovery Services backup Vault for Azure Online Backup. I created a 3 year 2048 bit certificate using the CA in the lab, uploaded the public key to Azure Backup, and imported the private key into the My Computer – Personal Store in the guest OS of the VM. I downloaded the Azure backup agent and configured a daily backup job to backup the Inetpub and the Backup folders. That’s the data of the two WordPress sites saved.
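The MySQL export job described above, as an added example and not the author’s own batch file: a PowerShell script that dumps every database into the Backup folder with a timestamp, reads the MySQL credentials from an option file rather than the command line (so the password never lands in Task Scheduler history or process listings), and prunes dumps older than a retention window. The mysqldump path, the Backup folder, the option file name and the 14-day retention are assumptions.

```powershell
# Assumed paths; adjust to the MySQL version and folder layout on your server.
$mysqldump = 'C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqldump.exe'
$backupDir = 'C:\Backup'
$keepDays  = 14   # local dumps to keep; Azure Backup holds the longer history

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$out   = Join-Path $backupDir "all-databases-$stamp.sql"

# backup.cnf (readable only by the task account) contains:
#   [mysqldump]
#   user=backup
#   password=<secret>
# --defaults-extra-file must be the first argument to mysqldump.
& $mysqldump --defaults-extra-file="$backupDir\backup.cnf" `
    --all-databases --single-transaction --routines --events `
    --result-file="$out"
if ($LASTEXITCODE -ne 0) { throw "mysqldump failed with exit code $LASTEXITCODE" }

# Prune dumps that have fallen outside the retention window.
Get-ChildItem -Path $backupDir -Filter 'all-databases-*.sql' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item

# One-off registration of the nightly task (run once from an elevated prompt):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#              -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Backup\Backup-MySql.ps1'
# $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
# Register-ScheduledTask -TaskName 'MySQL dump' -Action $action -Trigger $trigger -User 'SYSTEM'
```

The `backup` MySQL account only needs SELECT, LOCK TABLES, SHOW VIEW, EVENT and TRIGGER on the databases being dumped; it should not be the WordPress service account, and it should not have write privileges.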

And that’s the lot!

There’s a new Basic VM configuration coming this week. I’ll consider migrating again to a higher spec one of those.

The one question I’ve gotten over and over is “how much does this cost?”. The answer: nothing. I’m using the benefits of my personal MSDN subscription (€75/month). The other one (which I answered in the previous post) was “Why not use an Azure web site?”. Simple: it does not offer enough disk capacity.

2014
04.01

Windows Intune was originally launched to the sound of silence. This was because it was too expensive and it didn’t really do what it needed to in the market that Microsoft was pushing it to.

How the market originally reacted to Windows Intune

The product gained features as a mobile device management (MDM) solution that is integrated into your on-premise network. The packaging and pricing were also restructured to make Intune much more attractive.

But one problem remained. Intune was sold only directly to customers, and not through the channel. This is a huge deal breaker for partners … the people who actually implement Microsoft solutions in the majority of cases for small, medium, and large customers.

Today is the first day that you can buy Windows Intune through volume licensing. That means a partner can buy the software/service from a distributor (at a reduced price) and sell it to their customer (at the regular price). Now the partner has a reason to care about Intune (cold reality: sales people sell toasters at a profit and don’t give a flying monkey’s you-know-what about solutions).

Will availability help Intune? In my opinion: yes. We have been getting calls from partners over the past few weeks about this. History (Office 365) tells us that availability through VL not only gave MSFT a new VL sales income, but it increased MOSPA (direct) sales – that’s because the partners were invested in the ecosystem and sometimes a direct sale is best for a customer scenario.

Learn about Windows Intune now:

BTW, this is another product I expect will be renamed to Microsoft Intune. It does cover Windows, Windows RT, Windows Phone, but also iOS (phone and tablet) and Android (phone and tablet). And long term, it would make sense if it merged or consumed System Center Configuration Manager with just proxy/auditing/distribution points placed on-site.


2014
03.31

EDIT: You might have seen this post and then it “disappeared”. It was the one post that was not exported when I migrated my blog to Microsoft Azure.

The Cloud OS online event presented by British and Irish MVPs has begun. The presentations are pre-recorded and shared on YouTube. You can follow events and ask questions using #UKMVPCLOUD on Twitter.


I have two sessions. It was originally supposed to be only one but I had to record a substitute at the last second.

Transforming the Data Centre – What’s New in Windows Server 2012 R2

Transforming the Data Centre – Storage Spaces

Keep following on Twitter and watching the YouTube MVP Rocks channel to see more sessions appearing tomorrow.

2014
03.31

Tonight I completed the migration of this WordPress blog to Windows Azure.


I was having performance and health issues with the VM that I was renting from a local hosting company. The admin portal was proving to be a nightmare. I had upgraded the VM but the VM wasn’t upgraded. The hard disk was filling frequently and killing MySQL, and therefore killing the WordPress blog.

Why was I on a VM? Because I needed more processor & bandwidth capacity.

A failure last week led me to look at my options. I’ve grown comfortable with Microsoft Azure so this was the place that I decided to move to. My free €75 credit per month thanks to my MSDN account doesn’t hurt either!

I looked at the website hosting options but they provide too little disk space. The VMs, even the smaller ones, give you loads of disk space. I decided to fire up a cloud service, blob, virtual network and a small VM instance just for my new web server VM. I installed IIS, added the sites, installed PHP, WordPress, MySQL, and a few other bits and bobs and started the laborious process of migrating from the old VM.

I could have cheated but I decided to do a fresh install. It was more time consuming, especially when I had to split the WordPress export file into 40 smaller export files (the import of 2MB files was timing out). I added and configured all the plugins. And then the final steps:

  • After some tests I configured the website to bind to aidanfinn.com and www.aidanfinn.com.
  • I changed the DNS A records for those two URLs to switch to the public IP of the Azure cloud service.

My next steps will be:

  • Configure MySQL automated export
  • Deploy Windows Azure Online Backup to backup the IIS Inetpub folder and the MySQL export

And maybe I’ll configure the endpoint monitoring option in the Azure portal.

2014
03.28

Some questions are flying around the net at the moment. Is Office for iPad free? How do I buy Microsoft Office for iPad? Which Office 365 plans include Office for iPad? Let’s answer them all here.


Is Office for iPad Free?

Yes, but …

This is what we would call Free-mium software. You can quite happily download Microsoft Office for iPad from iTunes without paying a penny. And the four products will allow you to view/present your documents … and nothing more.

To create or edit content you will need to pay for a suitable Office 365 plan, which you can buy online or in a retail store (basically a key code).

How do I buy Microsoft Office for iPad?

You will need to buy a suitable Office 365 plan. Right now, those plans allow for 5 installs on PCs & Macs, and 5 installs on tablets. A new Personal plan will allow for 1 install – I don’t know the precise details but I suspect one install on PC/Mac and one on tablet.

Which Office 365 plans include Office for iPad?

As stated by Microsoft, the plans are:

  • Office 365 Home
  • Office 365 Small Business Premium
  • Office 365 Midsize Business
  • Office 365 E3 (Enterprise and Government)
  • Office 365 E4 (Enterprise and Government)
  • Office 365 Education A3
  • Office 365 Education A4
  • Office 365 ProPlus
  • Office 365 University
  • Office 365 Personal – when it becomes available later this spring

Basically, if the Office 365 plan includes Office for install on PC/Mac, then it includes Office for iPad. Microsoft has been hinting this since Office 365 was launched. Most of the Microsoft media talked about the following text from the plans comparison site back then, suggesting that touch versions of Office for cross-platform devices were coming:

So my advice: if there’s any chance that your users/customers will require Office on cross-platform devices, then buy an M plan (medium biz) or an E3/E4 plan (larger biz or fully featured). Or choose the appropriate education plan or consumer plan for those markets.

BTW, the education plans are REALLY attractive to institutions now. Associate with and talk to a cloud distributor to learn more.

Note that if you did buy an E1 plan then you can upgrade to an E3 or E4 plan. If you bought Small Business then you have lots of options.

EDIT#1

I was talking with the Office 365 licensing guru of Ireland, Nicole Sheridan of MicroWarehouse, tonight about this topic and she corrected me on something. Customers can only upgrade their plan if they bought direct (MOSPA). Upgrades are not available via other channels.

EDIT#2

If you obtain your Office for iPad licensing via a non-commercial plan, i.e. Home or Personal, then you may not use that license for commercial work. Doing so is a breach of the terms of licensing (you need a license upgrade). BTW CIOs, this is impossible to audit.

2014
03.25


Our daring UK/IE MVP Lead, Claire Smyth, has organized an online event running on March 31st and April 1st to educate about the Microsoft Cloud OS. “What’s that?” you say … well that means you need to learn about how Windows Server 2012 R2, Hyper-V, System Center 2012 R2, Windows Azure, and more can be combined to make private, public, and hybrid cloud IaaS solutions, tailored to your specific needs.

Most of the presenters, such as myself, are MVPs, and we are (as I have to remind some people sometimes) independent experts:


This is an event presented by UK and Irish MVPs, but everyone is welcome. Note that the times are UK/Irish, so add 5 hours from US Eastern or subtract 1 hour from Central European.

The agenda for the two days is as follows:

31 March: Transform the datacentre

Time   MVP Speaker      Topic
9.30   Patrik Bihammar  Transform the Datacentre with Microsoft Cloud OS
10.15  Aidan Finn       What’s New in Windows Server 2012 R2?
11.00  Gordon McKenna   What’s New in System Center 2012 R2?
12.15  Richard Astbury  What’s New in Windows Azure?
13.00  Jonathan Noble   PowerShell – Desired State
14.15  Paul Keely       Windows Server 2003 Migration – App Migration
15.00  Patrick Lownds   The hot topic of the moment: Storage Spaces
16.15  Kevin Greene     Find out more about SCOM
17.00  Steve Beaumont   Understand how to use Service Manager
18.15  Damian Flynn     Understand more about Azure Pack

1 April: Empower People Centric IT

Time   MVP Speaker      Topic
9.30   Stuart Leddy     What is People Centric IT?
10.30  Mike Halsey      Why Windows 8.1 and Devices Overview
11.30  Mike Halsey      Windows XP End of Support – Why is this important to you?
12.30  Raphael Perez    Operating System Deployment in SCCM
13.30  Robert Marshall  Desktop and App Delivery with Virtual Desktop Infrastructure VDI/RDS
14.30  Gordon McKenna   Unified Device Management with SCCM + Windows Intune
15.30  Simon Skinner    Exploring Bring your own device (BYOD) vs. Choose your own device (CYOD)
16.30  David Nudelman   Access to corporate apps and data with work folders/dynamic access control/RMS/Direct Access/VPN
17.30  Simon Skinner    Identity Management with WS 2012 R2/AD/ADF

The sessions are pre-recorded – I just finished editing my one. They will be released on a YouTube channel for each time slot.

To view the MVP videos, please:

2014
03.24

Windows Azure (errr Microsoft Azure) has a weird system for assigning IP addresses to VMs in virtual networks. Like VMM, it uses a pool of IP addresses. And that’s where the similarities end. Azure’s method appears to be more like DHCP.

For example:

  • When you log into the guest OS, the VM is configured to use DHCP
  • The address is not reserved like with DHCP. It is possible that a VM could be offline, come back, and get a new IP address.

The latter bit is bad, especially for services such as Active Directory and DNS where a predictable IP address is required.

Note: The first step in configuring a valid network configuration is to set the DNS servers and subnet masks for your virtual network in the Azure portal.

There is no nice GUI method for reserving an IP address. There is a PowerShell method, which gives you a clue as to how this stuff works under the hood.

The first step is to get your VM:

$VM = Get-AzureVM -ServiceName "Demo-MWH-A" -Name "Azure-DC1"

As you can see above, I am configuring a static IP address for a domain controller. Next, I set the static IP. Note that we are configuring a static virtual network IP for the VM.

Set-AzureStaticVNetIP -VM $VM -IPAddress "10.0.2.40" | Update-AzureVM

Also note, that in my tests, most of the time that I run Update-AzureVM, the VM is restarted. It doesn’t happen all of the time with these two cmdlets, but it happens most of the time.

Armed with these two cmdlets, you could set up a CSV file with Service/VM names and IP addresses, and run a loop to configure lots of VMs at once.
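The CSV-driven loop suggested above, written out as an added example (not the author’s script). It uses the same Get-AzureVM, Set-AzureStaticVNetIP and Update-AzureVM cmdlets from the post, and adds Test-AzureStaticVNetIP from the same Azure Service Management module to confirm that an address is free in the virtual network before reserving it, and Get-AzureStaticVNetIP to read the reservation back afterwards. The CSV path and its rows are constructed for the example; the service and VM names reuse the post’s.

```powershell
# Constructed CSV for this example, saved as C:\Scripts\static-ips.csv:
# ServiceName,VMName,IPAddress
# Demo-MWH-A,Azure-DC1,10.0.2.40
# Demo-MWH-A,Azure-DC2,10.0.2.41
$targets = Import-Csv -Path 'C:\Scripts\static-ips.csv'

foreach ($t in $targets) {
    $vm = Get-AzureVM -ServiceName $t.ServiceName -Name $t.VMName
    if (-not $vm) {
        Write-Warning "VM $($t.VMName) not found in service $($t.ServiceName); skipping"
        continue
    }

    # Ask the virtual network whether the address is free before binding it,
    # so a typo in the CSV cannot collide with an address already handed out.
    $check = Test-AzureStaticVNetIP -VNetName $vm.VirtualNetworkName -IPAddress $t.IPAddress
    if (-not $check.IsAvailable) {
        $alt = $check.AvailableAddresses -join ', '
        Write-Warning "$($t.IPAddress) is taken in $($vm.VirtualNetworkName); free alternatives: $alt"
        continue
    }

    # Reserve the address on the vNIC. Update-AzureVM applies the change and,
    # as the post notes, usually restarts the VM.
    Set-AzureStaticVNetIP -VM $vm -IPAddress $t.IPAddress | Update-AzureVM
    Write-Output "Reserved $($t.IPAddress) for $($t.VMName)"
}

# Read every reservation back to confirm the virtual network now holds it.
foreach ($t in $targets) {
    Get-AzureVM -ServiceName $t.ServiceName -Name $t.VMName | Get-AzureStaticVNetIP
}
```

Because each Update-AzureVM can restart the VM, run the loop against domain controllers and DNS servers one at a time, outside the hours when clients depend on them.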

EDIT#1

To be clear, the above steps do not configure a static IP inside the guest OS – you should not do that. The above steps simply configure the virtual network to assign the same IP to your VM’s vNIC every time the VM starts up. You are manipulating the system to get the results you need.

2014
03.21

Deduplication was added in WS2012. Microsoft says that you might achieve 80-95% optimization by using dedupe on volumes that are used for virtualization libraries. The benefits could be huge in a real world deployment. Consider a cloud where you’ll have WS2008 R2, WS2012, and WS2012 VHDX images. Each might have the last 1-3 builds with varying patch levels. For each version you might have one that includes specializations for different purposes. That’s a lot of wasted space when you consider that it’s empty blocks (fixed VHDX) and redundant storage of the same core OS over and over and over and over. Deduplication of the file system could save you a lot of money.

Dedupe is easy to install in Server Manager:


I always place the VMM library on a non-OS drive such as the D: drive. I will enable deduplication on that volume in Server Manager:


Then during setup of SCVMM I will configure VMM to use that drive to store the library share:


Simples!
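The same Server Manager steps, as an added PowerShell example (not from the post): install the feature, enable deduplication on the library volume, run the first optimization job immediately instead of waiting for the background schedule, and read the savings back. D: as the library volume follows the post; the minimum file age and the excluded temp folder path are assumptions.

```powershell
# Install the Data Deduplication role service (WS2012 and later).
Install-WindowsFeature -Name FS-Data-Deduplication

# Enable dedupe on the library volume. -UsageType exists on WS2012 R2 and later;
# 'Default' is the general file-server profile, which suits a VMM library share.
Enable-DedupVolume -Volume 'D:' -UsageType Default

# Only touch files idle for 3 days, and leave the (assumed) VMM temp folder alone
# so in-flight library imports are never being rewritten while dedupe runs.
Set-DedupVolume -Volume 'D:' -MinimumFileAgeDays 3 -ExcludeFolder 'D:\MSSCVMMLibrary\Temp'

# Run the first optimization now and wait for it rather than relying on the schedule.
Start-DedupJob -Volume 'D:' -Type Optimization -Wait

# Check what was saved; SavingsRate is the percentage of the volume reclaimed.
Get-DedupStatus -Volume 'D:' |
    Select-Object Volume, InPolicyFilesCount, OptimizedFilesCount, SavedSpace, SavingsRate
```

Re-run Get-DedupStatus after the library has been populated; the first job on a near-empty volume reports little because there is nothing yet to deduplicate.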

EDIT:

MVP Stanislav Zhelyazkov (@StanZhelyazkov) reported that the above optimization will prevent you from leveraging ODX to speed up the copy of VHDX files from the library to hosts if they are on the same ODX enabled storage.


Another System Center MVP, Flemming Riis (@FlemmingRiis) also knows of other issues that VMM will have.


2014
03.21

If you are deploying lots of System Center products, then it’s not uncommon to use a single SQL server/cluster for one instance per component (Service Manager is a whole other ball of wax but I stay away from that game). This means setting up a remote SQL database for VMM. It’s no big deal, and it increases scalability for the truly large deployments. It also makes clustering VMM a realistic possibility – and that’s a must-do if you’re creating a cloud.


When at the above screen, the connection to the remote server to allow you to select an instance can freeze or fail if you have not configured the Windows Firewall of the remote SQL server. Configure the firewall, and away you go.

Note: the lazy and less secure method is to open the firewall completely. Don’t do that if you can help it.
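The firewall change the post describes, as an added example rather than anything from the post: the weak “open it completely” setting shown commented out beside a scoped rule that lets only the VMM management server reach the SQL listener on the Domain profile. The VMM server address, the default-instance port 1433 and the SQL Browser port are assumptions about the lab; run this on the remote SQL server.

```powershell
# Weak option: disable the firewall on every profile of the SQL server. Don't.
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Assumed lab values: VMM management server 172.16.1.50, default instance on TCP 1433.
$vmmServer = '172.16.1.50'

# Allow the SQL listener only from the VMM server, only on the domain profile.
New-NetFirewallRule -DisplayName 'SQL Server (VMM only)' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $vmmServer `
    -Profile Domain -Action Allow

# SQL Browser is needed when the VMM setup wizard enumerates named instances
# (instance\port resolution); scope it the same way.
New-NetFirewallRule -DisplayName 'SQL Browser (VMM only)' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -RemoteAddress $vmmServer `
    -Profile Domain -Action Allow

# Confirm the rule really is scoped to one remote address before moving on.
Get-NetFirewallRule -DisplayName 'SQL Server (VMM only)' | Get-NetFirewallAddressFilter

# From the VMM server (WS2012 R2 / PowerShell 4+), check the port is now reachable:
# Test-NetConnection -ComputerName sql01.lab.local -Port 1433
```

For a named instance on a dynamic port, replace the -LocalPort rule with one keyed on -Program pointing at that instance’s sqlservr.exe, so the rule follows the port wherever SQL Server moves it.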

2014
03.21

The setup routine for SCVMM asks you to enter the domain name (domain\username) and password of a service account for the SCVMM service to log in with. If you get the below error then you have missed a step:


Add the service account to the local Administrators group of the VMM management server. The wizard should complete once that is done. If you’re doing this via Group Policy Restricted groups then don’t forget to run GPUPDATE /FORCE to force the policy to run immediately.

2014
03.20

I am attempting to map out the infrastructure elements (not the app/dev elements) of the Microsoft hybrid cloud. This is a work in progress. If you spot any missing pieces then please comment and I will update.

You’ve heard terms like Cloud OS and hybrid cloud. What do they mean? I will attempt to map out the Microsoft hybrid cloud’s infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) elements in this post.

The Hybrid Cloud

A private cloud is a single-tenant (but many users) service that is typically run on-premise. Note that there is a concept of a hosted private cloud; this is where a hosting company runs your single tenant infrastructure. An example of a private cloud is Hyper-V with elements of System Center (VMM, App Controller, Windows Azure Pack, etc) running in your data centre.

A public cloud is a hosted multi-tenant service that you do not own, but you consume services from. The perfect examples of this are Amazon Web Services (AWS) and Microsoft Windows Azure. The hosting company runs and hides the infrastructure from you. You subscribe to services from this shared infrastructure and have no visibility of other tenants. Those offerings are IaaS. There is platform-as-a-service (PaaS) which Windows Azure also offers for developers to run their applications without worrying about VM guest operating systems. And there is software-as-a-service (SaaS) such as Office 365 and Windows Intune where you use some software that the hosting company runs and sells to you from the cloud.

A hybrid cloud is where you mix elements of private cloud with public cloud. Microsoft is in a very unique position because they operate/sell IaaS, PaaS, and SaaS in public and private cloud. This allows you to integrate the best elements (for you) of on-premise with the public cloud offerings of Microsoft to create a hybrid offering.

The Map

The Microsoft hybrid cloud map (image)

Windows Azure Site-Site VPN

You can deploy virtual machines in Windows Azure. They are very similar to Hyper-V VMs, because at this point, Windows Azure is running WS2012 Hyper-V (not WS2012 R2, as you can tell by digging around). You can deploy Software-Defined-Networking (SDN) within Windows Azure in the form of Virtual Networks; you define a network and then you define automatically routed subnets. You can configure a remote gateway to enable site-to-site VPN connectivity between your on-premise infrastructure and the network within Windows Azure. That creates intriguing possibilities where you run some services within Windows Azure to take advantage of elasticity and instant resource availability, and take advantage of on-premise where you can customise and specialise to your heart’s content.

An MPLS alternative has gone into beta with AT&T in the USA. Basically the Windows Azure network becomes another branch office on your WAN. That would be a much nicer and more fault tolerant option than single site-to-site VPN.

Note:

You will use SCVMM to manage your on-premise cloud(s) and use System Center App Controller to enable easy deployment of VMs/services in your hybrid cloud.

Active Directory

One of the biggest historical pains in IT for users is having multiple usernames and passwords. You can have single-sign-on (SSO) across your on-premise and Microsoft public cloud services by synchronising Active Directory with Windows Azure Active Directory (WAAD). WAAD is used in a couple of ways:

  • PaaS: Developers can use synchronised IDs for their custom applications.
  • SaaS: Office 365 (Midsize [M] plan and up) and Windows Intune can use the same user names for Exchange Online, SharePoint Online, Lync Online, etc, as are entered when users sign into their PC every day.

There are two ways to synchronise AD with WAAD:

  • DirSync: Is a simple-to-install and manage solution for smaller businesses.
  • ADFS: Active Directory Federation Services is used for larger installs. It requires HA because ADFS becomes a point of dependency to sign into services.

Another interesting option is to deploy VMs into Windows Azure, promote one or more to be domain controllers, and treat that as another site in your Active Directory forest. Your on-premise DCs will replicate with the DCs running in Windows Azure. This is used to enable traditional user & computer join/login to your AD forest.

Note: You must follow specific guidelines for creating DCs in Windows Azure. For example, all domain databases must be placed on an additional data drive that you attach to the VM. This is required to avoid corruption.

Office 365

I’ve already mentioned how users can sign into Office 365 (M plan and higher) using the same username and password as they use on their PC. You can also run hybrid Office services. For example, an Exchange organisation can span on-premise Exchange servers and the cloud.

Windows Intune & System Center Configuration Manager

System Center Configuration Manager (SCCM) is Microsoft’s corporate device deployment & management solution. I believe it is best used when limited to direct management of domain-joined Windows computers. Note that SCCM does allow you to deploy a distribution point (a content library that users/computers install from) in the cloud (hosted by Windows Azure).

You can also get Windows Intune, Microsoft’s cloud-based device management solution. Being cloud based makes it easy to deploy, and better for managing remote or widely distributed devices. Intune is less AD-centric, and that also makes it a great product for dealing with bring-your-own-device (BYOD). And Intune is also designed from the ground up to manage non-Windows OSs such as Android, iOS, and Windows Phone.

You can integrate Windows Intune into SCCM so admins have a single console to manage. I see Intune as the mechanism for dealing with widely distributed devices, roaming devices, mobile devices, and BYOD. SCCM is the solution for dealing with domain-joined corporate computers.

System Center Operations Manager

SCOM is Microsoft’s service-focused monitoring solution. You can get lots of Microsoft developed (free) management packs for monitoring on-premise stuff such as Windows Server, AD, SQL Server, and much more. There are also free third-party management packs (HP, Dell, Citrix, and more), and paid-for products from the likes of Veeam (which happens to have a limited free package for vSphere monitoring).

SCOM can also be used with the cloud in a few ways:

  • Global Service Monitor: GSM allows you to monitor the availability and quality of web services from Microsoft’s data centres around the world. This accounts for the fact that the Internet is complex and localised failures can affect international service availability in unpredictable ways. You configure GSM to monitor site(s) and the results appear in SCOM.
  • System Center Advisor: Think of this as a best practices analyzer from the cloud. SCOM can monitor the results of Advisor scans.
  • Windows Azure: You can monitor the services that you deploy in Azure in two ways. You can monitor the Azure service itself for failures. You can also install SCOM agents into the guest OS of your VMs to monitor the OS and services from within the VMs.

StorSimple

Many businesses struggle with retaining archive data. Microsoft acquired StorSimple to deal with that issue. This is an on-premise installed 1 GbE iSCSI storage appliance that offers local SSD and HDD tiers with a third colder tier residing within the storage services of Windows Azure.

The appliance is not suitable for all workloads. A key requirement is that your data must have a concept of a “working set”. In other words, there is hot data that you use frequently, and cold data that you do not look at very often. VM VHD/VHDX files are not examples of this. Think of a corporate file server, a CAD library, etc. Those are good examples.

StorSimple also has a built-in backup system that uses snapshot mechanisms to backup your hot/cold data.

Windows Azure Online Backup

There are many ways to use the storage mechanisms in Azure. Another one is to use Online Backup to automate the off-site storage of your backup data. A basic system for a single server would be to let Windows Server Backup send its data directly to the cloud. Larger customers might use something like System Center Data Protection Manager or Commvault Simpana to send their backup data to Windows Azure.

The data is encrypted using your private key. Microsoft never sees this key, and therefore you must keep the key safe; they cannot rescue you if you lose it.

I’ve been told that there is a beta in the USA to assist with getting that first big backup into the data center using secure out of band couriers. This will be a much more complex service to export due to the nature of international cross-border complexities.

Hyper-V Recovery Manager

HRM is not a solution that I am convinced about, due to pricing and the fact that it lives in Azure. I prefer micro-payment and placement in the secondary site.

However, HRM is an orchestration solution that lives in Windows Azure for coordinating Hyper-V Replica between two VMM-managed Hyper-V sites. Asynchronous replication data flows directly between the two sites, never to Azure. HRM purely manages replication and failover.

SQL Server 2014

SQL Server AlwaysOn availability groups can span on-premise and in-Azure VMs, enabling hybrid cloud HA of your relational data services.

2014
03.14

My job is weird. I basically get told to learn something and spend time promoting it, teaching it, assisting with it to a Microsoft partner audience in Ireland. Lately we’ve taken on some hardware products and I’ve also been given a target to promote Windows Azure. So I’ve been spending time in the lab at work and in Windows Azure.

The latest “mini project” that I set for myself was to create a hybrid cloud, merging my on-premise Hyper-V farm (with SMB 3.0 storage on DataOn Storage JBOD) with VMs running in Windows Azure. Traffic between the two “sites” would be via a secure site-site VPN tunnel. This is Microsoft’s strategy: hybrid cloud.

The On-Premise VPN Concentrator

The first step in that was to get a new firewall appliance operational. Although you can use an on-premise Windows Server to create a site-site VPN connection, I don’t like that option. I’d rather use an edge appliance so my routing can be simplified.

Note: I’m documenting my experience instead of the specific instructions. You’ll read why later.

My employers recently started distributing the XTM range of universal threat management (UTM) firewall appliances from WatchGuard to the Irish reseller market. I have an old 2 series appliance in my lab, equipping me with firewall, AV, URL management, wireless and VPN connectivity. While the hardware might be old, it’s running the latest software and management interface and gives me all the same functionality as the latest and largest 8 series appliances from WatchGuard (just with smaller scalability).

WatchGuard 2 series XTM

I placed the WatchGuard behind the Netgear ADSL router, and have enabled port passthrough from the router to the firewall:

  • L2TP port: UDP 1701
  • IPsec port: UDP 500
  • IKEv2 port: UDP 4500

My internal network is physical, operating on 172.16.1.0/24, with the XTM being the default gateway on 172.16.1.1.

Enabling Site-Site VPN in Windows Azure Virtual Networking

The next thing I did was sign into Windows Azure and create a virtual network. It’s not quite obvious, but what you are doing in the Azure portal is creating software-defined networks using Hyper-V Network Virtualization. I created a virtual network called 10.0.0.0/16 and then created 3 virtual subnets:

  • 10.0.0.0/24
  • 10.0.1.0/24
  • 10.0.2.0/24

Any virtual machines I created would reside in those subnets and be assigned IPs from those pools (they appear like DHCP addresses in the guest OS). Note that Azure uses a few of the IPs in each virtual subnet and that the subnets will route automatically to each other within the virtual network.

An additional gateway subnet was created on 10.0.255.0/24.


My virtual network and subnets in Windows Azure

Here’s the fun bit; you can assign IP address(es) for your desired DNS server(s) in the virtual network settings. I assigned 172.16.1.40, my on-premise DC/DNS VM, as the DNS server for this in-Azure virtual network. My plan: I would only run DCs on premise, and everything in Azure will be authenticated against my on-premise DCs via the VPN. Honestly, in the real world I think I would run some VMs as DCs in the same domain/forest within Azure for network fault tolerance. Old fashioned AD replication would be used, treating Azure’s virtual network as another AD site.

During the virtual network wizard, I also enabled site-site connectivity and afterwards I created a gateway. That creates the listener in Azure, on a public IP address, that allows a site-site VPN connection. A really long secret key is created. I documented all the required information and then returned to the lab.

Starting & Testing The Site-Site VPN

I logged into the console for the WatchGuard XTM and created a site-site VPN connection. The connection was initiated, and then there was suspense. In the Azure portal I could see an “attempting connection” status. That sat there for what felt like an eternity. And then … bingo! It connected.

Image: The connected site-site VPN, details obscured

I fired up a VM in Windows Azure on my 10.0.0.0/24 network. It was assigned the first address, 10.0.0.4, with its DNS setting pointing to my on-premise DC at 172.16.1.40. With the Windows Firewall configured to allow ICMPv4 echo requests, I was able to ping in both directions.

The end result? The virtual network in Windows Azure is effectively a remote data center in my “corporate network”. My on-premise 172.16.1.0/24 can route to the 10.0.0.0/16 network/subnets in Windows Azure and back again. I can deploy VMs to the most suitable networks: on-premise or in the public cloud. If I fire up System Center VMM and App Controller, I can delegate users and give them a single portal for deploying VMs on either part of the hybrid cloud.
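Before the tunnel is built, the thing most worth checking is the address plan itself: every Azure subnet (the gateway subnet included) must sit inside the virtual network, the subnets must not overlap each other, and the on-premise range must not overlap the Azure range, or the routes the VPN installs become ambiguous. The following PowerShell is an added example, not code from the original post: it checks the plan described above (10.0.0.0/16 with three subnets and a 10.0.255.0/24 gateway subnet against on-premise 172.16.1.0/24). The function names are this example’s own.

```powershell
# Added example, not code from the original post: validate a hybrid address plan
# before configuring the site-site VPN. Function names are this example's own.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 address -> 32-bit value carried in a signed 64-bit integer
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $Address" }
    [long]$n = 0
    foreach ($octet in $ip.GetAddressBytes()) { $n = ($n * 256) + $octet }
    return $n
}

function Get-Prefix {
    # Parse 'a.b.c.d/len' into the first and last address numbers it covers
    param([string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d+$') { throw "Not a CIDR prefix: $Cidr" }
    [int]$len = $parts[1]
    if ($len -gt 32) { throw "Bad prefix length in $Cidr" }
    [long]$allOnes  = 4294967295                  # 0xFFFFFFFF written in decimal: the hex literal is a signed -1 in PowerShell
    [long]$hostMask = $allOnes -shr $len          # ones in the host part
    [long]$netMask  = $allOnes - $hostMask        # ones in the network part
    [long]$first = (ConvertTo-AddressNumber $parts[0]) -band $netMask
    return [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = ($first -bor $hostMask) }
}

function Test-PrefixContains { param($Outer, $Inner) ($Inner.First -ge $Outer.First) -and ($Inner.Last -le $Outer.Last) }
function Test-PrefixOverlap  { param($A, $B) ($A.First -le $B.Last) -and ($B.First -le $A.Last) }

function Test-HybridAddressPlan {
    # Returns a list of problems; an empty list means the plan is consistent
    param([string]$VNet, [string[]]$Subnets, [string]$GatewaySubnet, [string[]]$OnPremises)
    $problems = New-Object System.Collections.Generic.List[string]
    $vnet = Get-Prefix $VNet
    # The gateway subnet is carved out of the VNet too, so it obeys the same rules
    $inside = @(foreach ($s in @($Subnets) + @($GatewaySubnet)) { Get-Prefix $s })
    foreach ($p in $inside) {
        if (-not (Test-PrefixContains $vnet $p)) { $problems.Add("$($p.Cidr) is outside $VNet") }
    }
    for ($i = 0; $i -lt $inside.Count; $i++) {
        for ($j = $i + 1; $j -lt $inside.Count; $j++) {
            if (Test-PrefixOverlap $inside[$i] $inside[$j]) {
                $problems.Add("$($inside[$i].Cidr) overlaps $($inside[$j].Cidr)")
            }
        }
    }
    foreach ($o in $OnPremises) {
        # An on-premise range inside the VNet's space cannot be routed over the VPN unambiguously
        if (Test-PrefixOverlap $vnet (Get-Prefix $o)) { $problems.Add("on-premise $o overlaps $VNet") }
    }
    return $problems
}

# The plan from the post: expected to come back clean
$issues = Test-HybridAddressPlan -VNet '10.0.0.0/16' `
    -Subnets '10.0.0.0/24', '10.0.1.0/24', '10.0.2.0/24' `
    -GatewaySubnet '10.0.255.0/24' -OnPremises '172.16.1.0/24'
if ($issues.Count -eq 0) { 'Address plan is consistent' } else { $issues }
```

Feeding it an on-premise range such as 10.0.1.0/24, or a gateway subnet outside 10.0.0.0/16, returns the corresponding problem line instead of the all-clear, which is cheaper to learn from a script than from an "attempting connection" status that never changes.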

Some Useful Info

I had two sources of information to implement this solution.

The first was the excellent blog post by Ryan Boud called Creating a VPN between a WatchGuard XTM 510 and Windows Azure Virtual Networks. The terminology for setting up the site-site VPN is confusing: What’s a local subnet? What’s a remote subnet? It’s all relative! Ryan has excellent clear screenshots that inform you what to type where in the Windows Azure portal to create your virtual network and get the gateway operational. He also goes step-by-step through the WatchGuard XTM configuration.

The second is a set of instructions by WatchGuard. Their documentation only covers the XTM side of things but it does give you a nice method for recording the required information from the Azure portal.

Microsoft has also shared links to instructions for creating site-site VPN connections using devices from lots of manufacturers, such as Cisco, Juniper, F5, Citrix, Fortinet and Openswan.

FYI, my lab is operating on an ADSL line. It has a single IP address. I am still able to do remote device VPN into my lab. In fact, I am able to VPN into the lab from home and communicate with the Windows Azure VMs by routing through the site-site VPN connection. The Windows Azure network is really acting like a remote data center for my lab.

Summary

I thought setting the site-site VPN up between my “private cloud” and Microsoft’s public cloud was going to be a nightmare. Instead, it was easy. In fact, following Ryan’s and WatchGuard’s instructions enabled me to get it working on my first attempt. The results: magic.

2014
03.12

This KB article was released in January 2014 and is not related to the commonly reported issues with Intel and Emulex 10 GbE NICs. This hotfix is for when a Windows Server 2012 R2-based Hyper-V server crashes when network traffic passes through a virtual switch.

Symptoms

Consider the following scenario:

  • You have the Hyper-V server role installed on a computer that is running Windows Server 2012 R2.
  • You create a switch team over a physical network adapter.
    Note: The virtual machine queue (VMQ) is enabled on the network adapter.
  • You create a virtual switch over the switch team.
    Note: There is no forward extension present.
  • Network traffic passes through the virtual switch.

In this scenario, the computer crashes, and data loss occurs.

A supported hotfix is available from Microsoft.

2014
03.12

There are two new KB articles that offer two different, but very similar, hotfixes for this situation.

The first is KB2929078, which deals with the scenario where you delete and then re-create a file on the live volume in Windows Server 2012, and the Cluster Shared Volumes (CSV) snapshot is corrupted.

A hotfix is available.

The second article is KB2929869:

Symptoms

Consider the following scenario:

  • You create some files on a Cluster Shared Volume (CSV) in Windows 8 or Windows Server 2012.
  • You take a snapshot of the CSV.
  • You delete the files.
  • You create some files and delete some older snapshots in parallel.

In this situation, the CSV snapshot file is corrupted.

A second hotfix is also available for this issue.

2014
03.12

Microsoft has released a hotfix for when CSV block cache causes poor performance of virtual machines on Windows Server 2012 Hyper-V.

Symptoms

Consider the following scenario:

  • You have Hyper-V virtual machines (VMs) that are configured on a Windows Server 2012 Hyper-V cluster by using Scale-Out File Server as the storage solution.
  • The virtual machine .vhdx files are held in Cluster Shared Volume (CSV).
  • CSV Block Cache is enabled on the volume.

In this scenario, virtual machines may experience slow performance.


A supported hotfix is available from Microsoft.

2014
03.06

Microsoft released a hotfix for WS2012 and WS2012 R2 to deal with a scenario where CSV failover time is longer than expected in a Windows failover cluster.

Symptoms

In a Windows failover-cluster that uses Cluster Shared Volumes (CSV), the diff area that is allocated by Volsnap is large and fragmented. In this situation, you encounter the following issues:

  • The failover time on the CSV is longer than expected.
  • The time that Volsnap takes to mount or unmount snapshots is several minutes.

More Information

When a NTFS or ReFS volume is mounted or dismounted, Volsnap iterates through the diff area to mount or unmount the snapshots that belong to that volume. When the diff area allocation becomes large and fragmented, the time that Volsnap takes to mount or unmount operations could be several minutes. Additionally, failover time can be longer than expected.

The resolution is … hmm … long. It is related to two updates:

Two new cluster Physical Disk resource private properties were added, and they can be manipulated to resolve the issue:

  • SnapshotDiffSize: This property controls the maximum diff area size that can be consumed by Volsnap for a Physical Disk resource configured for CSV. Units: MB (DWORD). Default value: 0. Maximum value: 1 TB. The Physical Disk resource must be taken offline/online for changes to take effect.
  • SnapshotAgeLimit: This property is a Resource Type private property of the Physical Disk that controls the maximum age of a snapshot. Long-lived snapshots are a significant contributor to diff area fragmentation. Units: days (DWORD). Default value: 7. Range: 1-60. This is a global property which affects all Physical Disk resources; you do not have to take the resource offline or online for it to take effect.

Get-ClusterSharedVolume <Cluster Disk Name> | Set-ClusterParameter snapshotdiffsize <Snapshot Diff Size in MB>

Get-ClusterResourceType "physical disk" | Set-ClusterParameter snapshotagelimit <Snapshot Age in Days>

My advice: leave well alone and only manipulate these settings under the advice of Microsoft support (not some local dude, but actual Premier support).

2014
02.28

Way back when Windows 7 was first announced, I got into a wee bit of trouble for criticising Microsoft’s bundling of the differentiating features of the new desktop OS into just the Enterprise edition. Why? That was because only those who licensed the Pro edition via Volume Licensing with Software Assurance would be entitled to the Enterprise edition. If you couldn’t buy all the cool features, then why would a business consider jumping from Windows XP to Windows 7? Sure, there was lots of good stuff in Windows 7 Pro, but all the cool business features were in the Enterprise edition.

Hmm, turns out that lots of businesses don’t actually buy SA. Large enterprises get SA with their Enterprise Agreements. Larger businesses with Select or Select Plus only get SA at extra cost – they choose this program to avoid annuity programs. In the SME world, those with OVS rather than pure Open do get SA. That leaves lots of businesses without SA, and without the benefits of the Enterprise edition that make an upgrade so appealing. And they just were not able to pay for the Enterprise edition because it was only available as a VL+SA benefit.

Well it seems that some backtracking is occurring. Mary Jo Foley reported overnight that Microsoft is to release the Enterprise edition of Windows 8.1 (and therefore lower editions via downgrade rights) as a standalone product via Select, Select Plus and Open – the two programs without SA. Going forward you will be able to buy the Enterprise + SA option through any VL program.

I think that’s a good news story to get March kicked off!

2014
02.21

The Irish government has appointed Michael McGrath as its interim chief information officer. McGrath replaces epic failure, Bill McCluggage. McCluggage’s big successes include ….

Nothing.

Less than nothing.

In fact, the Irish government just signed a €3,300,000.00 customer support contract with Microsoft for continued “support” of Windows XP after the April 8th deadline.

Let me put it this way. If you’re the CIO of a large organization, and you were not aware of the firm, not changing ever, deadline of April 8th, then you were beyond ineffective. If you did nothing to get off of Windows XP then you were, in my opinion, negligent, more so if your organisation was licensed for Software Assurance under a government enterprise agreement.

It’s worse than that. Like most governments (probably worse really) the Irish government is littered with redundant IT departments and installations. We have our wasteful projects that never end and are the delight (or should that be Deloitte?) of the consulting community. There should be a government cloud with redundant locations. That should have started building years ago.

What’s been done?

Bupkis.

The waste continues.

Let’s see how quickly McGrath gets that cloud project started and the Windows 7/8.1 migration started … or will he be yet-another-crony?

2014
02.20

Last year I wrote a script that would allow you to specify a virtual machine, and the script would:

  1. Shut down the VM if running
  2. Seek out any VHD files attached to any of the VM’s controllers
  3. Create VHDX files from those VHD files
  4. Replace the VHD files by attaching the VHDX files to the same controllers and locations in the VM settings
  5. Delete the VHD files

In my tests, the script had some issues. But that was nearly a year ago and it was on WS2012 in my lab. The script remained untouched until yesterday. I was chatting with my fellow Hyper-V MVP, Didier Van Hoye (aka @workinghardinit). He told me he was in the process of migrating VMs from an old W2008 R2 cluster to WS2012 and was going to be converting VHD files. Aha! This might be a time for a solution to speed up the process.

I sent the script over to Didier to have a look-see. Would it work? Well, Didier ran a series of tests this morning with guest OSes including W2003 R2 and WS2012. The tests ran flawlessly.

So … here is the script. FYI there are few things to note:

  • You might consider putting in a delay loop to test if the VM is actually shut down if you need to shut it down. Put a timeout of 3 minutes in that. The Stop-VM cmdlet is async so it shouldn’t cause an issue as it is below, but you might want to take the extra step, just in case.
  • You might want to comment out the line Remove-VMHardDiskDrive $VHD for your test or pilot runs.
  • I do not support this script :)
  • Run the script and specify the VM name as a parameter.

CREDIT: A big thank you to Didier Van Hoye (aka @workinghardinit) for checking my work.

#----

[CmdletBinding()]
Param (
        [Parameter(Mandatory=$True)]
        [string]$VMName
        )

#Disable error reporting - comment out the following line if you need to troubleshoot the script
$ErrorActionPreference = "SilentlyContinue"

Clear-Host

$VM = Get-VM $VMName
$VMStatus = $VM.State

if ($null -ne $VM)
{
    if ($VMStatus -eq "Running")
    {
        #Shut down the VM if it is running
        Write-Host "Shutting down" $VMName
        Stop-VM $VMName
    }

    #Get the disks in the VM
    $AllVHD = Get-VMHardDiskDrive $VMName

    if ($null -eq $AllVHD)
        {
        Write-Host "There are no virtual hard disks to convert"
        Exit
        }

    foreach ($VHD in $AllVHD)
    {
        #Get the path of the attached disk and derive the VHDX file path from it
        [string]$VHDFile = $VHD.Path
        $VHDFormat = (Get-VHD $VHDFile).VhdFormat
        if ($VHDFormat -eq "VHD")
            {
            [string]$VHDXFile = $VHDFile + "x"

            #Remember where the disk is attached so the VHDX goes back to the same place
            [string]$ControllerType = $VHD.ControllerType
            [string]$ControllerNumber = $VHD.ControllerNumber
            [string]$ControllerLocation = $VHD.ControllerLocation

            Write-Host "Converting: " $VHDFile "to" $VHDXFile
            Convert-VHD -Path $VHDFile -DestinationPath $VHDXFile
            Start-Sleep -Seconds 10

            #Errors are silenced above, so make sure the VHDX exists before the VM is touched
            if (Test-Path $VHDXFile)
                {
                #Reconfigure the Physical Sector Size of the VHDX file to 4 K
                Set-VHD -Path $VHDXFile -PhysicalSectorSizeBytes 4096
                Start-Sleep -Seconds 10

                #Remove the old VHD
                Write-Host "Removing $VHDFile from $VMName"
                Remove-VMHardDiskDrive $VHD
                Start-Sleep -Seconds 10
                #Replace the VHD with the VHDX
                Write-Host "Adding $VHDXFile to $VMName"
                Add-VMHardDiskDrive -VMName $VMName -Path $VHDXFile -ControllerType $ControllerType -ControllerNumber $ControllerNumber -ControllerLocation $ControllerLocation

                #Danger Will Robinson - we are going to delete the original VHD - we hope you have a tested VM backup!
                Write-Host "Deleting $VHDFile"
                Remove-Item $VHDFile -Force
                }
            else
                {
                Write-Host "Conversion of $VHDFile failed: leaving it attached to $VMName"
                }
            }
        else
            {
            Write-Host "$VHDFile is already a VHDX file: skipping"
            }
    }

    if ($VMStatus -eq "Running")
    {
        #Restart the VM if it was running before the conversion
        Write-Host "Starting" $VMName
        Start-VM $VMName
        #Wait for 10 seconds
        Write-Host "Waiting for 10 seconds to verify the virtual machine ..."
        Start-Sleep -Seconds 10
        #Query the VM again - the $VM object captured earlier does not refresh its State
        $VMStatus = (Get-VM $VMName).State
        if ($VMStatus -ne "Running")
        {
            #Something went wrong
            Write-Host "$VMName could not reboot - please restore the VM from backup"
        }
    }

}
else
{
    Write-Host $VMName "does not exist on this host"
    Exit
}

Write-Host "Processing of $VMName has completed"
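Two of the notes above suggest extra safety steps: a delay loop with a 3-minute timeout after Stop-VM, and caution around the line that deletes the original VHD. The following PowerShell is an added example and is not part of the script above or Didier’s tests: a polling wait for the Off state, and a check that the new VHDX exists, really is VHDX format and has the same virtual size as the source before the VHD is removed. The function names are this example’s own.

```powershell
# Added example, not part of the conversion script above. Function names are this example's own.

function Wait-VMOff {
    # Polls until the VM reports Off; returns $false if the timeout passes first
    param([string]$VMName, [int]$TimeoutSeconds = 180, [int]$PollSeconds = 5)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # Re-query each time: a VM object held in a variable does not refresh its State
    while ((Get-VM -Name $VMName -ErrorAction Stop).State -ne 'Off') {
        if ((Get-Date) -ge $deadline) { return $false }
        Start-Sleep -Seconds $PollSeconds
    }
    return $true
}

function Test-ConvertedVhd {
    # $true only when the VHDX exists, is really VHDX format and matches the source's virtual size
    param([string]$VhdPath, [string]$VhdxPath)
    if (-not (Test-Path -LiteralPath $VhdxPath)) { return $false }
    $source = Get-VHD -Path $VhdPath -ErrorAction Stop
    $target = Get-VHD -Path $VhdxPath -ErrorAction Stop
    return ($target.VhdFormat -eq 'VHDX') -and ($target.Size -eq $source.Size)
}

# Where the two would slot into the script:
#   Stop-VM $VMName
#   if (-not (Wait-VMOff -VMName $VMName)) { throw "$VMName did not shut down within 3 minutes" }
#   ...
#   if (Test-ConvertedVhd -VhdPath $VHDFile -VhdxPath $VHDXFile) { Remove-Item $VHDFile -Force }
#   else { Write-Warning "Keeping $VHDFile because the VHDX could not be verified" }
```

Both functions use -ErrorAction Stop deliberately: the script sets $ErrorActionPreference to SilentlyContinue, and a silent failure at either of these two points is exactly what would turn a conversion into data loss.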

2014
02.14

When enabling Hyper-V Replica for Windows VMs, it is recommended to move the guest OS paging file from the C: drive to another virtual hard disk. This allows you to deselect that paging file virtual hard disk from replication, thus saving needless bandwidth.

Microsoft has published a support article for when configuring a page file on a SCSI drive fails on a Generation 1 Hyper-V virtual machine.

Symptoms

Consider the following scenario:

  • You create a virtual machine that is running on Windows Server 2008 R2 or Windows Server 2012 Hyper-V.
  • You manually configure a page file on a non-system drive, which is a virtual hard disk (VHD) attached to an emulated SCSI adapter.
  • You restart the virtual machine.

In this scenario, no Pagefile.sys is created under the selected drive. Additionally, on Windows Server 2008 R2 Hyper-V, you receive the following error message:

Windows created a temporary paging file on your computer because of a problem that occurred with your paging file configuration when you started your computer. The total paging file size for all disk drives may be somewhat larger than the size you specified.

Status

This behavior is by design.

In generation 1 virtual machines, you should create a virtual hard disk on the VM’s IDE controller and move the paging file to that new disk. There are no issues with the paging file being on a SCSI controller in generation 2 virtual machines; they don’t have IDE controllers.
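Putting the two halves of this post together (a paging-file disk on the IDE controller of a Generation 1 VM, then excluding that disk from Hyper-V Replica), the following PowerShell is an added example and is not code from the post or from Microsoft’s KB article. It finds a free IDE slot, attaches a new dynamic VHDX there, and enables replication with that VHDX excluded. The function names, the VHDX path, the VM name SRV1 and the replica server name HV-REPLICA are this example’s assumptions; moving the page file onto the new drive is still done inside the guest OS.

```powershell
# Added example, not code from the post or the KB. Names and paths are this example's assumptions.

function Get-FreeIdeSlot {
    # A Generation 1 VM has IDE controllers 0 and 1 with locations 0 and 1 each;
    # hard disks and DVD drives both occupy those slots
    param([string]$VMName)
    $used = @()
    $used += Get-VMHardDiskDrive -VMName $VMName -ControllerType IDE |
        ForEach-Object { '{0}:{1}' -f $_.ControllerNumber, $_.ControllerLocation }
    $used += Get-VMDvdDrive -VMName $VMName |
        ForEach-Object { '{0}:{1}' -f $_.ControllerNumber, $_.ControllerLocation }
    foreach ($number in 0, 1) {
        foreach ($location in 0, 1) {
            if (('{0}:{1}' -f $number, $location) -notin $used) {
                return [pscustomobject]@{ Number = $number; Location = $location }
            }
        }
    }
    throw "No free IDE slot on $VMName"
}

function Add-PagingFileDisk {
    # Creates a dynamic VHDX and attaches it to the first free IDE slot (VM must be off)
    param([string]$VMName, [string]$VhdxPath, [long]$SizeBytes = 8GB)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.Generation -eq 2) { throw "$VMName is Generation 2: no IDE controller, and the KB restriction does not apply" }
    if ($vm.State -ne 'Off') { throw "$VMName must be off before an IDE disk can be attached" }
    $slot = Get-FreeIdeSlot -VMName $VMName
    New-VHD -Path $VhdxPath -SizeBytes $SizeBytes -Dynamic -ErrorAction Stop | Out-Null
    Add-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber $slot.Number `
        -ControllerLocation $slot.Location -Path $VhdxPath -ErrorAction Stop
    return $slot
}

function Enable-ReplicationExcludingDisk {
    # Kerberos over HTTP (port 80) is the simplest in-domain choice; certificate auth over 443 is the alternative
    param([string]$VMName, [string]$ReplicaServer, [string]$ExcludedVhdxPath)
    Enable-VMReplication -VMName $VMName -ReplicaServerName $ReplicaServer -ReplicaServerPort 80 `
        -AuthenticationType Kerberos -ExcludedVhdPath $ExcludedVhdxPath -ErrorAction Stop
    Start-VMInitialReplication -VMName $VMName
    # Report which disks Hyper-V Replica will skip, so the exclusion can be eyeballed
    return (Get-VMReplication -VMName $VMName).ExcludedDisks
}

# Phase 1 (VM off): attach the paging disk
$pagingVhdx = 'D:\VMs\SRV1\SRV1-Paging.vhdx'
$slot = Add-PagingFileDisk -VMName 'SRV1' -VhdxPath $pagingVhdx
'Paging disk attached to IDE {0}:{1}; start SRV1 and move the guest page file onto it' -f $slot.Number, $slot.Location

# Phase 2 (after the page file has been moved inside the guest): replicate everything except that disk
Enable-ReplicationExcludingDisk -VMName 'SRV1' -ReplicaServer 'HV-REPLICA' -ExcludedVhdxPath $pagingVhdx
```

The Generation check is there because, as the post says, the restriction only exists for Generation 1: on a Generation 2 VM the paging disk can simply go on the SCSI controller and be excluded in the same way.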

2014
02.13

Unfortunately, problems have arisen with WS2012 R2 Hyper-V networking where Emulex NICs are used. Hans Vredevoort (Hyper-V MVP) and Marc van Eijk (Azure MVP) have been experiencing this issue and blogged about it on Hyper-V.nu. It appears that lots of you have encountered the same problem with VMs and virtual NICs losing connectivity when a virtual switch is connected to an Emulex NIC – in the guys’ case in HP blades with FlexFabric.

The core issue seems to be related to Emulex 10 GbE NICs – as the guys report in their post, Kristian Nese (System Center MVP) also sees the problem on IBM servers with Emulex NICs.

There is no fix. Please watch the thread on Hyper-V.nu to keep up with updates.

2014
02.12

Another hotfix, KB2920193, has been released by Microsoft, this time to deal with a scenario where a virtual hard disk cannot be created on an SMB server without resiliency support from a Windows 8 or Windows Server 2012 computer.

Assume that you have a computer that has Windows 8 or Windows Server 2012 installed and you are connected to a server share across an SMB2 link that does not support resiliency. Resiliency is an optional feature beginning with SMB 2.1, and some SMB2 implementations do not support it. Then, you experience one of the following issues:

  • When you use Windows Server Backup, you receive the following error message: Backup failed to complete. There was a failure in preparing the backup image.
  • When you use Hyper-V Manager to create a VHD or VHDX, you receive the following error message: The filename \\<system>\<share>\New Virtual Hard Disk.vhdx is reserved for use by Windows.
  • When you try to mount an .ISO image by right-clicking on the .ISO file in Explorer and select mount from the right-click menu, you receive the following error message: sorry there was a problem mounting the file.
  • When you use the Win32 API, CreateVirtualDisk() fails.

Uhhh, SMB 2? Huh? Just use WS2012 on all ends to stick with SMB 3.0 and avoid this issue.

A hotfix is available from Microsoft

2014
02.12

A very useful update, KB2913766, was released by Microsoft to improve storage enclosure management for Storage Spaces in Windows 8.1 and Windows Server 2012 R2.

This article introduces a hotfix that extends platform support for Storage Spaces in Windows 8.1 and Windows Server 2012 R2. After you install this hotfix, storage enclosure management is improved. The improvement is achieved by adding Storage Management Application Programming Interface (SMAPI) support for enclosure awareness that enables managing and health monitoring of just-a-bunch-of-disks (JBOD) enclosures.

The hotfix is available from Microsoft.

There is no documentation to state what the exact improvements are. I know “some” stuff but I don’t know how clear I am to share it. A search based on that “stuff” revealed nothing public.

2014
02.12

Microsoft released KB2908243 to deal with a situation where a Windows Server 2012-based computer on which you configured NIC Teaming has no network connectivity.

Consider the following scenario:

  • You have a computer that is running Windows Server 2012.
  • You configure NIC Teaming, also known as load balancing and failover (LBFO), on the computer.
  • You restart the computer.

In this scenario, you may find that the computer has no network connectivity. However, when you restart the computer, network connectivity is restored.

A supported hotfix is available from Microsoft Support.
