Tuesday, November 26, 2013

Hyper V Server 2012 remote management from Windows 8

Now that we have looked at the installation and initial configuration of Hyper-V Server 2012 in my previous blog post, let's start on the management part.

In this blog, I will explain how to manage your Hyper-V installation from a Windows 8 machine.

Remote management:

Since Hyper-V Server 2012 is a Server Core machine, you may want to manage it remotely using the familiar GUIs and MMC consoles. Before you can do that, you need to set the firewall rules on the server to allow it. In the command prompt window of the server, get a PowerShell prompt by typing "powershell". Now you can execute the following PowerShell command:

Enable-NetFirewallRule -DisplayGroup *

Note: I used this command since it is my test network; you may want to lock down the firewall rules a bit in the case of a production network.

In order to connect to the Hyper-V server using MMC from my PC, I had to run the following command in the PC command prompt:

cmdkey /add:<ServerName> /user:<UserName> /pass:<password>


ServerName: I used the IP address of the Hyper-V server
UserName, password: I provided the credentials of the Hyper-V server

Ref: http://technet.microsoft.com/en-us/library/ddb147c1-621c-4b89-9003-81c93ba050d7#BKMK_1.4

In this scenario, the Hyper-V server was not a member of the domain, but my PC was. Hence, by default, when we try connecting to the Hyper-V server through MMC, it will try to connect using your domain credentials and you will get an error.

Managing from Windows 8 PC:

1) The Hyper-V management tools are available as a feature in Windows 8. You can install them from the "Turn Windows features on or off" window.















PS: You can also manage Hyper-V from your Windows 7 PC by installing the Remote Administration Tools pack. Somehow the installation was taking ages on my Windows 7 machine, and hence I opted for Windows 8.

2) Now you need to set the Windows Firewall rules in Windows 8 to allow access to the Hyper-V server. In an elevated PowerShell window, run the following command:
Enable-NetFirewallRule -DisplayGroup *

3) In my test scenario, both the Hyper-V server and the Windows 8 PC (hereafter referred to as the client machine) were not members of the domain. So if you want to manage the hypervisor from the client machine, you need to create a local admin account on the Hyper-V server that matches your client admin credentials. You can do so by using option 3 in the sconfig.cmd window.











4) Now if you try connecting to the Hyper-V server from Hyper-V Manager, you might get the error "Access denied. Unable to establish communication between Client and Server". You will have to tweak the COM security permissions on your client to sort this out. This can be done from the DCOMCNFG MMC.

Open the console, go to Component Services > Computers > My Computer
Right click, select properties of "My Computer" -> COM Security Tab
Select "Edit Limits" on the Access permissions area













Scroll down to find the "Anonymous Logon" group and ensure that "Remote Access" is allowed
















5) You can set the server name of the Hyper-V Server 2012 machine using the 2nd option in the sconfig.cmd window, and use this server name in Hyper-V Manager to connect to the hypervisor.











Note: If your client machine is not in a domain, you will need to add a host entry in the client hosts file to ensure that name resolution works.

After this, you should be able to connect to the Hyper-V server from the management console and create VMs!
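The note about locking down the firewall on a production network applies to both places where "Enable-NetFirewallRule -DisplayGroup *" is used above (the server and step 2 on the client). One way to do that, shown as an added example that is not from the original post: enable only an allow-list of rule groups, restrict them to a management subnet, and list whatever the wildcard left open. The group names in $AllowedGroups, the 'Core Networking' exception and the 192.168.10.0/24 subnet are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.

# Assumption: rule groups commonly needed for remote MMC / Hyper-V Manager access.
$AllowedGroups = @(
    'Windows Remote Management',
    'Remote Event Log Management',
    'Remote Volume Management',
    'Windows Management Instrumentation (WMI)'
)

# Assumption: constructed management subnet; only these hosts may reach the rules.
$ManagementSubnet = '192.168.10.0/24'

function Get-EnabledInboundGroup {
    # Names of rule groups that have at least one enabled inbound rule.
    # Ungrouped rules have an empty DisplayGroup and are skipped.
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayGroup } |
        Select-Object -ExpandProperty DisplayGroup -Unique |
        Sort-Object
}

function Set-ManagementFirewallBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Groups,
        [string]$RemoteAddress
    )
    foreach ($group in $Groups) {
        # A group name that does not exist on this machine is skipped, not fatal.
        $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' }
        if (-not $rules) {
            Write-Warning "Rule group '$group' not found on this machine; skipped."
            continue
        }
        if ($PSCmdlet.ShouldProcess($group, "Enable inbound rules for $RemoteAddress only")) {
            # Scope first, then enable, so the rule is never open to every address.
            $rules | Set-NetFirewallRule -RemoteAddress $RemoteAddress
            $rules | Enable-NetFirewallRule
        }
    }
}

function Get-UnexpectedInboundGroup {
    param(
        [string[]]$Allowed,
        # Assumption: 'Core Networking' stays enabled as in the default profile.
        [string[]]$AlwaysKeep = @('Core Networking')
    )
    Get-EnabledInboundGroup | Where-Object { ($Allowed + $AlwaysKeep) -notcontains $_ }
}

# 1. Enable and scope only the groups on the allow-list.
Set-ManagementFirewallBaseline -Groups $AllowedGroups -RemoteAddress $ManagementSubnet

# 2. Show groups that are still enabled but not on the allow-list.
$unexpected = Get-UnexpectedInboundGroup -Allowed $AllowedGroups
$unexpected

# 3. Preview the clean-up; remove -WhatIf once the list has been reviewed.
foreach ($group in $unexpected) {
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Disable-NetFirewallRule -WhatIf
}
```

Review the output of step 2 before removing -WhatIf, since it can include groups you rely on for other access, such as Remote Desktop.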

Hyper V Server 2012 installation on VMware Workstation 8

Having heard a lot about the latest free virtualization offering from Microsoft, Hyper-V Server 2012, I couldn't resist giving it a whirl. After all, it is not daily that Microsoft comes out with "free" offerings ;)

Let us admit it: ever since the advent of virtualization, we have few physical servers lying around. All of them have joined the virtualization bandwagon. My case was no different, so I decided to try out Hyper-V Server 2012 as a virtual machine in VMware Workstation 8 installed on my PC.

Installation preparation:

A few things need to be taken care of before you start the actual installation:

1) Download the Hyper-V Server 2012 ISO from the Microsoft site:

http://technet.microsoft.com/en-US/evalcenter/dn205299.aspx

2) VMware Workstation 8 does not have Server 2012 in the Windows OS list. Hence you need to select the option "Windows Server 2008 R2 x64" when you create the virtual machine.











3) There is a small tweak to the processor settings that should be done before starting the installation. Edit the virtual machine settings -> Processors and select the option "Virtualize Intel VT-x/EPT or AMD-V/RVI".
















4) The last step is to tweak the vmx file of the VM and add the following setting
hypervisor.cpuid.v0="FALSE"

PS: The vmx file can be found in the installation directory of the VM. Go to VM settings -> Options -> General and refer to the Working directory setting in the right pane.

All done now!! You can connect the downloaded ISO and start the installation..

Installation procedure:

It is pretty straight forward, screenshots below

1) Select the language, time & keyboard format













2) Accept the License agreement

3) Now the installation will start














4) Once completed, you will get a prompt saying that the administrator password needs to be changed.












5) Set the administrator password and log in!












Now that you have logged in, you will be welcomed by two windows: one command prompt in a normal shade of black and another command prompt in a pretty shade of blue, called sconfig.cmd.













As you guessed correctly, this is a stripped down server core edition of Windows Server 2012 with Hyper-V and hence there will not be any GUI. You need to do the initial configurations from the sconfig.cmd prompt

Initial Configuration:

First things first, let's get the network configured.

1) Select option 8. It will show the current network connection settings.

 

2) If you already have a DHCP server in your network, you will automatically get the IP from it. However, it is always good to set a static IP from a management perspective. In order to set a static IP, select the index number of the adapter. You will get options to set the IP address and DNS server, as well as to clear the DNS settings.











3) Once everything was set up, I realized that I was unable to ping the Hyper-V server from any of the other machines in the network. However, the server was able to ping other machines. It turned out that ping is not enabled by default; we need to enable it through the Remote Management option in sconfig. Select option 4 to do this.











4) You need to select option number 3 in the above menu, i.e. "Configure Server response to Ping", to enable ping to the machine.











In my next blog post, I will explain how to manage your Hyper V server remotely..

Reference for Installation prep: This nice blog from Veeam
http://www.veeam.com/blog/nesting-hyper-v-with-vmware-workstation-8-and-esxi-5.html

Wednesday, November 20, 2013

Windows server 2012: where is my start button??

If you have been using Windows Server OS for a while, the one thing that will strike you most when you log in to a Windows Server 2012 machine is that there is no start button! What? How am I going to manage it?
Microsoft feels that you really don't need a start button, since you can do almost everything from your Server Manager or even remotely from your desktop. After all the initial configurations are done, you could also do away with the GUI and go back to the server core option. (In Server 2012, there is an option to add and remove the GUI.)

So does that mean you need to learn to live without a start button? Actually no, the start button is very much there. Let's start looking for it.

Option 1:

There is a "charms" bar on the side of your desktop, where you will find a "start" option. You can use the "Windows + C" shortcut to pop out the charms bar.


















Option 2:

There is a hidden "start area" in the bottom left corner of your desktop, in the blank space next to your Server Manager icon (PS: the desktop is also called the start screen in Server 2012 jargon). Just hover your mouse over there and the start button will pop out.








You can click on the start option and then start typing your shortcuts; the search option will come up and dutifully find your application for you.







You can then right click them and add them as icons on your desktop, pin them to your task bar, etc.


















Option 3:

If you press the Windows key on your keyboard, it will take you to the start menu and you can type your shortcuts there.








Hope that helps!!

Windows Server 2012 Editions & hardware requirements.

This article gives a brief overview of the various editions of Windows Server 2012 available:

If you are purchasing or downloading the ISO, there are only two editions of Windows Server 2012 available. They are:

  •  Windows Server 2012 Standard Edition 
  •  Windows Server 2012 Datacenter Edition

As opposed to Windows Server 2008, there is functionally no difference between the two editions, i.e. clustering, Hyper-V etc. are possible in both. Also, there are no hardware limitations that differ between the editions. The only difference is in the virtualization rights. While Standard edition licenses up to 2 virtual instances, Datacenter provides a license for unlimited virtual instances.

There are other flavors of the OS that are available through OEM. Given below are the details :

  • Windows Server 2012 Foundation server 
  • Windows Server 2012 Essentials 
  • Windows storage Server 2012 workgroup
  • Windows storage Server 2012 standard
  • Windows Multipoint Server 2012 Standard
  • Windows Multipoint Server 2012 Premium
  • Microsoft Hyper-V Server 2012

Among the above, Foundation server has a limit of 15 users, which cannot be expanded. Also, it doesn't support virtualization. Essentials server can support up to 25 users and provides some basic backup/restore functionality, but again no virtualization functionality.

Hyper-V Server 2012 is free to download, but doesn't come with any free virtual machine licenses. That means the hosted virtual machines should be individually licensed.

Minimum hardware requirements:

Processor - x86-64
Processor speed - 1.4 GHz
Memory - 512 MB
HDD space - 32 GB



Monday, November 18, 2013

DNS Round Robin

DNS Round Robin and NLB are two configurations that can be used to ensure application availability in scenarios where no shared storage is in use. They are useful for applications which handle one-time requests that need not be handled by a single server throughout the session. This article aims at explaining the basics of the DNS Round Robin technique.

DNS Round Robin:

Here the load balancing happens at the name resolution stage. There will be multiple entries in the DNS server for a host name, pointing to the application server IPs across which the load should be balanced. For example, there will be n IP addresses associated with a host name. When the first client requests a name resolution, the first IP from the list is returned. When a second client requests a name resolution, the next IP is returned. Thus we can ensure that the incoming requests for a particular application are equally distributed among the available application servers.

An additional option named netmask ordering can be used if you want to take into consideration the subnet of the querying client. If this option is enabled, the host IP address that is in the same subnet as the querying client is returned. For example, the host entry app.testme.com has two records created with IP addresses 192.168.10.1 and 192.168.20.2, and the netmask ordering option is enabled. When a client from the subnet 192.168.10.x/24 makes a query, the IP 192.168.10.1 is returned. When a client from the subnet 192.168.20.x/24 makes a query, the IP 192.168.20.2 is returned.

Both the DNS round robin and netmask ordering options are available in the properties of your DNS server, i.e. from DNS Manager console -> DNS server name -> Properties -> Advanced. Select the options "Enable round robin" and "Enable netmask ordering" to enable them.
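The two ordering rules described above, simulated together as an added example (this is not Windows DNS Server code). The records are the ones from the text; the client addresses and the /24 comparison default are assumptions. It shows how the options combine: a client in a record's subnet always gets that record first, while a client in neither subnet sees the list rotate.

```powershell
# Added example: a simulation of the answer ordering, not Windows DNS Server code.
$Records = @('192.168.10.1', '192.168.20.2')   # A records for app.testme.com (from the text)
$script:Rotation = 0                           # round-robin position, shared by all queries

function Test-SameSubnet {
    param([string]$Left, [string]$Right, [int]$PrefixLength = 24)
    $a = [System.Net.IPAddress]::Parse($Left).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($Right).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # Number of mask bits that fall in this octet (0..8).
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
    }
    return $true
}

function Resolve-SimulatedName {
    param(
        [string]$ClientAddress,
        [bool]$RoundRobin = $true,
        [bool]$NetmaskOrdering = $true
    )
    $count = $Records.Count
    $start = if ($RoundRobin) { $script:Rotation % $count } else { 0 }

    # Round robin: each query starts the list one record later than the previous one.
    $ordered = @(for ($i = 0; $i -lt $count; $i++) { $Records[($start + $i) % $count] })
    if ($RoundRobin) { $script:Rotation++ }

    if ($NetmaskOrdering) {
        # Netmask ordering: addresses in the client's subnet move to the front;
        # the rotated order is kept inside each group.
        $local  = @($ordered | Where-Object { Test-SameSubnet $_ $ClientAddress })
        $remote = @($ordered | Where-Object { -not (Test-SameSubnet $_ $ClientAddress) })
        $ordered = $local + $remote
    }
    return $ordered
}

# Constructed clients: one per record subnet, then two queries from an unrelated subnet.
foreach ($client in '192.168.10.50', '192.168.20.50', '172.16.0.5', '172.16.0.5') {
    $answer = Resolve-SimulatedName -ClientAddress $client
    '{0,-15} -> {1}' -f $client, ($answer -join ', ')
}
```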

Saturday, November 16, 2013

Windows server 2003 to 2008: upgrade considerations

If you are planning to upgrade from Windows Server 2003 to 2008, here are some guidelines:
  • The normal boot-from-CD procedure doesn't work for the upgrade. You will have to start the upgrade process from within Windows Server 2003.
  • You can upgrade to an equivalent or higher edition of Windows Server 2008, i.e. you can upgrade from Windows Server 2003 Standard Edition to Server 2008 Standard or Enterprise Edition, but you cannot upgrade from 2003 Enterprise Edition to 2008 Standard Edition.
  • However, the upgrade options are slightly different in the case of Web or Datacenter Edition. You can only upgrade from Windows Server 2003 Web Edition to Windows Server 2008 Web Edition. The same applies to Datacenter Edition.
  • The final condition is that Windows Server 2003 Service Pack 1 should be installed if you want to upgrade to Server 2008. This means that if you have Windows Server 2003 R2, the upgrade is possible without any further service pack installation.
The following upgrade paths are possible:

Windows Server 2003 Standard Edition -> Windows Server 2008 Standard Edition & Enterprise Edition

Windows Server 2003 Enterprise Edition -> Windows Server 2008 Enterprise Edition

Windows Server 2003 Datacenter Edition -> Windows Server 2008 Datacenter Edition

Windows Server 2003 Web Edition -> Windows Web Server 2008

Windows Server 2003 for Itanium Enterprise Edition -> Windows Server 2008 for Itanium-based systems

Note: You cannot upgrade to a different processor architecture, ie you cannot
upgrade from Windows server 2003 x86 Standard edition to Windows server 2008 x64
Edition even if the processor is 64 bit and will support the OS

Friday, November 15, 2013

Understanding different editions of Windows server 2008

It is important to understand the various 'flavors' or Editions of Windows server 2008 before you start planning the deployment of same in your infrastructure. Given below is a brief description of the various versions and scenarios

Standard Edition:

This edition is ideally suited for the role of DC, file and print server, DNS, DHCP & application server in small to medium sized businesses. Basically all your infrastructure network requirements can be met by this edition. It also supports Network Load Balancing clusters.

Processing Power maximums: 

  • 4 GB RAM, & 4 Processors in SMP configuration(32-bit(x86) version)
  • 32 GB RAM & 4 processors in SMP configuration(64-bit(x64)version)


Limitation: Cannot be used in failover clustering or for installation of Enterprise edition features like AD Federation Services. Though it supports Hyper-V, it bundles a Windows license for only one VM. Hence it is not an ideal choice for large scale virtualization.

Enterprise Edition:

This edition is more suitable for large businesses. You can use this edition if you plan to install SQL Server Enterprise edition, Exchange Server 2007 or Active Directory Federation Services, or to set up failover clustering. The said products would need the extra processing power that Enterprise edition supports.

Processing Power maximums:

  • 64 GB RAM, & 8 Processors in SMP configuration(32-bit(x86) version)
  • 2 TB RAM & 8 processors in SMP configuration(64-bit(x64)version)


Limitation: One limitation that I can think about is again in Virtualization area. Though it bundles more licenses(ie for 4 VMs) than standard edition, again not very useful for large scale virtualization

Datacenter Edition:

This edition is directly targeted at large businesses. The main advantage is that it offers unlimited virtual image rights. This will be the first choice for organizations going for large scale virtualization. It also supports Enterprise edition features like failover clustering and ADFS. Datacenter edition is only available through OEM manufacturers and implies a significant capital investment.

Processing Power maximums:

  • 64 GB RAM, & 32 Processors in SMP configuration(32-bit(x86) version)
  • 2 TB RAM & 64 processors in SMP configuration(64-bit(x64)version)



Web server Edition:

This is a stripped down version of Windows Server 2008, which is specifically targeted at web applications. It doesn't support high end hardware configurations like other editions of the server. However, it does support Network Load Balancing clusters.

Processing Power maximums:

  • 4 GB RAM, & 4 Processors in SMP configuration(32-bit(x86) version)
  • 32 GB RAM & 4 processors in SMP configuration(64-bit(x64)version)


Windows server 2008 for Itanium based systems:

The Intel Itanium 64-bit architecture is significantly different from the usual x64 based architecture in Intel Core 2 Duo or AMD Turion processors. You will need the Windows Server 2008 Itanium edition if you are using an Itanium 2 processor. It provides both application and web server capabilities, but lacks other roles like virtualization & Windows Deployment Services.

Processing Power maximums:

  • 2 TB RAM & 64 processors in SMP configuration

Tuesday, November 12, 2013

Azure SQL administration: useful commands

Command to create a new DB as a backup/clone of an existing DB:

Connect to the master DB and execute the following command:

CREATE DATABASE <newDBname> AS COPY OF <name of DB to be backed up>;

Eg: CREATE DATABASE DB2 AS COPY OF DB1

One important thing to note is that the actual DB copy may not be complete even if the command completes successfully. In order to check the status of the copy, you can use the following command:

SELECT name, state, state_desc FROM sys.databases WHERE name = 'Databasenew'

The value of the state_desc column in the output will be 'online' when the copying is completed and the DB is ready for use. The status will be shown as 'copying' while the DB copy is in progress.

Rename database:

Again you need to connect to the master DB and execute the following query:

USE master;
GO
ALTER DATABASE <DB name>
Modify Name = <new DB name> ;
GO

Rename Table:

If you need to rename a table in a DB, use the following command after connecting to the DB

sp_rename '<tablename>', '<tablename-new>'



Securing Windows Azure SQL using service accounts

When you create an SQL server in Windows Azure, you need to create an administrator username and password. This will be the super user account for that server, using which you can carry out any operation in any of the databases. That means you can also delete or rename databases using this account. Hence you need to be very careful if you are planning to use these credentials in your application to access the Azure SQL database.

Creating service accounts for SQL is a safe option to restrict access to your database, and also to avoid use of the super admin account. You could create service accounts and add them to appropriate SQL roles which have the required permissions in the database, say read, write, execute etc. Let's see how to achieve this:



  • First create an SQL login after connecting to the master DB. Note that you would need your super admin account for connecting to the master DB.




          CREATE LOGIN <ServiceAccountname> WITH password='<password>'

          For eg: CREATE LOGIN testuser1 WITH password='Password'

  • Service accounts are intended to connect to a specific database. As the next step connect to your target database and create a new user from the login you created above
              



            CREATE USER <ServiceAccountname> FROM LOGIN <ServiceAccountname>;
         
            For eg: CREATE USER testuser1 FROM LOGIN testuser1

  • Now that you have created the service account in the database, you will need to assign the required level of permissions for the user in the database. We will accomplish this using SQL roles with the correct permission levels. Connect to the target DB and execute the following to create what we can call a service account role

       CREATE ROLE <rolename>
       GO  

      For eg:
      CREATE ROLE rolserviceaccount
      GO 

  • Now assign the required rights for the service accounts role (again to be executed on the target DB)
      EXEC sp_addrolemember N'db_datawriter', N'<rolename>'
      EXEC sp_addrolemember N'db_datareader', N'<rolename>'
      EXEC sp_addrolemember N'db_ddladmin', N'<rolename>'

     For eg:
     EXEC sp_addrolemember N'db_datawriter', N'rolserviceaccount'
     EXEC sp_addrolemember N'db_datareader', N'rolserviceaccount'
     EXEC sp_addrolemember N'db_ddladmin', N'rolserviceaccount'

Please note that the roles used above are built-in SQL roles, which have read, write and ddladmin rights as the names indicate. You are adding the role that you created as a member of those built-in roles to get the required permissions.

  • If you need to provide execute permission, you could first create a db_execute role and grant it execute permissions, and then make your service account role a member of db_execute
      CREATE ROLE [db_execute] AUTHORIZATION [dbo]
      GO
      GRANT EXECUTE TO [db_execute]
      GO

     EXEC sp_addrolemember N'db_execute', N'<rolename>'

  • The last step is to make your service account a member of the corresponding service account role
        For eg:
         EXEC sp_addrolemember N'rolServiceaccount', N'testuser1'  


  • You can verify that the permissions are all set correctly using the following sql query    

select m.name as Member, r.name as Role
from sys.database_role_members
inner join sys.database_principals m on sys.database_role_members.member_principal_id = m.principal_id
inner join sys.database_principals r on sys.database_role_members.role_principal_id = r.principal_id


Monday, November 11, 2013

Windows Azure architecture and workflow

So, you just need your .cspkg and .cscfg files to do a deployment to Azure. When the deployment is complete, the instances are spun up, the application is up and running, and during the whole process you didn't have to lift a finger! That is what we call PaaS magic. But what actually happens in the background? Let's find out.

Red Dog Front End (RDFE): When you interact with the Azure platform through the management portal or Visual Studio, you are actually talking to the API called RDFE. The requests are passed on by the RDFE to the Fabric Front End (FFE) layer.

Fabric Front End (FFE): It receives the requests from RDFE and converts them to Azure fabric commands, which are then passed on to what we call the Azure Fabric Controller. FFE decides on the location of the VM based on inputs such as affinity group and geo location, and also based on fabric inputs such as machine availability.

Azure Fabric Controller: This is considered to be the kernel of the cloud OS, simply because it manages all the resources in the datacenter. The Fabric Controller is responsible for provisioning and managing the VMs and their underlying hosts, deploying applications, monitoring the health of the services and redeploying them if required.

As we all know, Azure uses Hyper-V based virtualization. The architecture of Hyper-V uses the concept of a root partition (aka host machine) and child partitions (aka guest VMs). When the Fabric Controller builds a root partition, i.e. a host in the data center, it installs an agent called 'Host Agent' in these root partitions. Each of the guest VMs will have a guest agent installed in it, known as 'WindowsAzureGuestAgent'. Another agent, "WaAppAgent", is actually responsible for the installation, configuration and update of the WindowsAzureGuestAgent. This means that your guest agent update is decoupled from the guest OS upgrades. The "HostAgent" communicates with the WaAppAgent to do guest OS heartbeat checks and also gives instructions to bring a role to its goal state. If the heartbeat is not received for 10 minutes, the guest OS will be restarted.

 In a role instance, WaAppAgent is listed as "RdAgent" in windows service list

 WindowsAzureGuestAgent:

 WindowsAzureGuestAgent has the following functions:

 - Guest OS level configurations, such as firewalls, ACLs, certificates, configuring as per the service package file etc
 - Communicates the role status to the Fabric controller
 - Set up SID for the user which the role will be using
 - Starts the waHostBootStrapper application

 If you login to a role instance, you can see this listed as a service "Windows Azure Guest Agent"

 WaHostBootstrapper:

 - It is responsible for starting all appropriate tasks and processes in the role as per the role configuration file
 - This service also monitors the child processes and raises the StatusCheck event on the role host process
 - Executes the simple startup tasks
 - Depending on the role type, it will start the host processes, i.e. WaWorkerHost.exe in the case of a worker role, WaIISHost.exe in the case of a full IIS web role or WaWebhost.exe in the case of an SDK 1.2 HWC web role
 - In the case of a full IIS web role, WaHostBootstrapper starts the IISConfigurator.exe process and configures the IIS app pools; the site is pointed to E:\siteroot\<index>, where <index> is a 0 based website index.

 WaHostBootStrapper is listed as a process in the task manager with the description "Microsoft Windows Azure Runtime Bootstrapper". It doesn't have a Windows service associated with it. WaWorkerHost.exe, WaIISHost.exe, WaWebhost.exe, IISConfigurator.exe etc. are also listed as processes inside the role instance.


Reference: http://blogs.msdn.com/b/kwill/archive/2011/05/05/windows-azure-role-architecture.aspx



Wednesday, November 6, 2013

SSL cert considerations in Windows Azure

If your Windows Azure application is using an SSL certificate, you need to configure it in both your service definition file and .cscfg file. The whole process is explained clearly in the following Microsoft article:

http://www.windowsazure.com/en-us/develop/net/common-tasks/enable-ssl/

Here, I am going to discuss a few considerations while configuring SSL. As you can see from the above link, the certificate should be defined in the csdef file:

    <Certificates>
        <Certificate name="SampleCertificate" 
                     storeLocation="LocalMachine" 
                     storeName="CA" />
    </Certificates>


The store location can be either 'LocalMachine' or 'CurrentUser'. The store name can be one of the following: My, Root, CA, Trust, Disallowed, TrustedPeople, TrustedPublisher, AuthRoot, and AddressBook.
You can also specify a custom store name, in which case the store will be created.

Interestingly, Microsoft by default does not allow direct import to the trusted root store. Even if you give the store name as "CA", the cert will be downloaded only to the intermediate cert store. You will have to write a startup task with elevated permissions to move the cert to the root store. However, you need to do this only if your SSL cert is issued by a provider who is not included in the Microsoft root certificate program. If a provider is part of the root certificate program, the root certificate corresponding to your SSL certificate will automatically be downloaded to your Azure instance when you deploy it.

The comprehensive list of cert providers included in the root certificate program can be found in this link

Note: Azure had an issue with OS version 2.19_201309-01, where the root certs of providers from the MS root certificate program were not getting downloaded automatically. They have corrected it now and re-released the OS. It is sorted in OS versions 2.19_201309-03 and later.

Tuesday, November 5, 2013

Net use: System error 67 has occurred

While trying to map a SharePoint location using the net use command, the following error was thrown.


System error 67 has occurred.

The network name cannot be found.

Command used was : net use m: https://<sharepointurl>  /user:domain\user  <password>

Solution: This can happen if the "Desktop Experience" feature is not installed in Windows Server 2008 R2. Install the feature from Server Manager and restart the server, and it will sort the issue.