Friday, November 30, 2012

Hyper-V 3.0 with SOFS

I've tested Hyper-V clusters on WS2012 using Scale-Out File Server (SOFS) as a SAN alternative for application server clusters such as Hyper-V. My setup is as follows:
New VMs are created using Failover Cluster manager and attached to the SMB share on the SOFS cluster. I've also tested Quick and Live Migration over SMB3.0.

Here is the link for all the necessary step-by-step. Please take note that SOFS is not suitable for all situations, especially for workloads with frequent small metadata changes to files, e.g. end-user file sharing (see "When to use Scale-Out File Server").

You might just ask why I don't attach the iSCSI LUN directly to the Hyper-V cluster, i.e. 2 nodes instead of 4. Yes, I could also do that. I am trying to learn more about using SOFS. In future, I could just buy cheaper non-RAID SAS disk arrays, e.g. Dell MD12xx, and attach them directly to the SOFS nodes using simple PCIe (i.e. non-RAID) SAS HBAs to replace SAN storage for virtualization. See the TechNet Dell-Windows Server 2012 slide below:
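As an added example (not part of the original post), this is how the two halves of the setup above can be scripted: the continuously available SMB 3.0 share on the SOFS cluster, restricted to the Hyper-V hosts' computer accounts, and a VM created on that share from a Hyper-V node. The SOFS role name SOFS01, the CSV path, the domain CONTOSO, the host accounts HV1$/HV2$, the cluster account HVCLUSTER$ and the admin group are all placeholders.

```powershell
# Added example, not from the original post.
# Part 1 runs on a node of the SOFS cluster; Part 2 runs on a node of the Hyper-V cluster.
# All names and paths below are placeholders for the reader's own environment.

# ---- Part 1: on an SOFS cluster node ----
$sharePath  = 'C:\ClusterStorage\Volume1\VMs'          # CSV-backed folder that will hold the VMs
$principals = 'CONTOSO\HV1$', 'CONTOSO\HV2$',           # Hyper-V host computer accounts
              'CONTOSO\HVCLUSTER$',                     # Hyper-V cluster name object
              'CONTOSO\Hyper-V Admins'                  # admins who create/manage VMs

New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# ContinuouslyAvailable turns on SMB Transparent Failover, which is what lets a running VM
# survive an SOFS node failure; ScopeName publishes the share under the SOFS role name.
# Only host accounts and admins get access: this share holds whole VHDX files.
New-SmbShare -Name 'VMs' -Path $sharePath -ScopeName 'SOFS01' `
    -FullAccess $principals -ContinuouslyAvailable $true

# NTFS permissions must match the share permissions, otherwise the VM will fail to start.
Set-SmbPathAcl -ShareName 'VMs'

# Quick check that nothing broader than the intended principals has access.
Get-SmbShareAccess -Name 'VMs' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# ---- Part 2: on a Hyper-V cluster node ----
$vmPath = '\\SOFS01\VMs'
New-VM -Name 'VM01' -Path $vmPath -MemoryStartupBytes 2GB `
    -NewVHDPath "$vmPath\VM01\VM01.vhdx" -NewVHDSizeBytes 60GB

# Register the VM as a clustered role so Failover Cluster Manager owns it and can
# Quick/Live Migrate it between nodes over SMB 3.0.
Add-ClusterVirtualMachineRole -VMName 'VM01'
```

The share ACL is the security boundary here: every Hyper-V node's computer account needs Full Control, but nothing else should, since anyone who can read the share can copy a complete VM disk.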

Thursday, November 29, 2012

EFS Recovery

There are 2 types of recovery for Encrypting File System (EFS): Key Recovery and Data Recovery. When there is a designated Key Recovery Agent (KRA) on a CA server, the KRA is authorized to retrieve the user's certificate and private key from the CA database. The user can then use the recovered key to decrypt EFS files. "Archive subject's encryption private key" on the template's "Request Handling" tab must be enabled for archival. In addition, the CA server must be prepared for key archival before any rollout, as the archived keys are encrypted with the KRA key. Because the KRA can retrieve any archived key, the CA administrator and the KRA should be at least 2 different persons. See "Understanding User Key Recovery".

The recovery of a private key is a manual process that requires the user(s) to contact an administrative authority to perform the necessary steps. It should be a best practice of any organization to separate the roles of CA Officer and KRA across a minimum of two physical persons.

On the other hand, the Data Recovery Agent (DRA) is authorized to recover and decrypt all encrypted files. The DRA must be enrolled and added to the AD Group Policy to allow the DRA to decrypt files. Furthermore, the DRA can be updated subsequently using Group Policy if there are any changes.

For further comparison (pros and cons) and the details on both recovery methods, refer to "Key Recovery vs Data Recovery Differences".
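The practical question behind both methods is "can this file still be recovered if the owner's key is gone?". The added example below (mine, not from the post) answers it from two sides: on a domain member it finds EFS-encrypted files and uses cipher /c to see whether a Data Recovery Agent certificate is attached to each; on the CA it reads the KRA registry settings through certutil to show whether key archival is possible at all. The audit path is a placeholder, and the match on cipher's "No recovery certificate" wording is an assumption about its output text.

```powershell
# Added example, not from the original post.
# Part A: run on any domain member as an administrator (cipher.exe is built in).
# Part B: run on the CA as a CA administrator (certutil.exe is built in).

function Get-EfsRecoveryStatus {
    param([Parameter(Mandatory)][string]$Path)

    # The Encrypted file attribute marks EFS-protected files.
    $files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

    foreach ($f in $files) {
        # 'cipher /c' lists the users and recovery certificates that hold a wrapped copy
        # of the file's encryption key, i.e. everyone who can decrypt the file.
        $info = (& "$env:SystemRoot\System32\cipher.exe" /c $f.FullName) -join "`n"
        [pscustomobject]@{
            File   = $f.FullName
            # Assumption: cipher prints a "Recovery Certificates:" section when a DRA
            # is present and "No recovery certificate" wording when it is not.
            HasDRA = ($info -match 'Recovery Certificates:') -and ($info -notmatch 'No recovery certificate')
            Detail = $info
        }
    }
}

# ---- Part A ----
# A file with HasDRA = $false depends entirely on the owner's private key, so it is only
# recoverable if that key was archived on the CA (Part B) and a KRA retrieves it.
$audit = Get-EfsRecoveryStatus -Path 'C:\Users\Public\Documents'   # placeholder path
$audit | Where-Object { -not $_.HasDRA } | ForEach-Object {
    Write-Warning "No Data Recovery Agent attached to $($_.File)"
}
$audit | Format-Table File, HasDRA -AutoSize

# ---- Part B ----
# Key archival only works when at least one KRA certificate is registered on the CA.
# KRACertCount and KRAFlags are CA registry values readable through certutil -getreg.
$kraCount = (& certutil.exe -getreg ca\KRACertCount) -join "`n"
$kraFlags = (& certutil.exe -getreg ca\KRAFlags)     -join "`n"
if ($kraCount -match 'KRACertCount\s+REG_DWORD\s*=\s*(\S+)') {
    $n = [int]$Matches[1]
    if ($n -eq 0) { Write-Warning 'No KRA certificate registered: archived keys cannot be created or recovered.' }
    else          { Write-Host "KRA certificates registered on this CA: $n" }
}
$kraFlags
```

Run Part A before enabling EFS broadly: files encrypted before the DRA was pushed out by Group Policy will show HasDRA = $false until they are touched again (for example by cipher /u), which is exactly the gap the DRA policy is meant to close.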

Wednesday, November 14, 2012

WSUS Installation on Windows Server 2012 Failed

I was trying to install Windows Server Update Services (WSUS) on a fresh Windows Server 2012. I wasn't expecting any errors, as it was built on a fresh installation. To my surprise, the error "Fatal Error: Failed to start and configure the WSUS service" popped up when the installation was supposed to be completing. So far, it hasn't been a pleasant experience deploying the new WS8, as there are minor annoying bugs around. When a service isn't running properly, you'll probably do better to uninstall and install the same service again, especially after an in-place OS upgrade.

I did the same trick again but the problem still persisted. When I opened the temp log file, I saw:

2012-11-14 11:25:12  StartServer encountered errors. Exception=The request failed with HTTP status 503: Service Unavailable.
2012-11-14 11:25:12  Microsoft.UpdateServices.Administration.CommandException: Failed to start and configure the WSUS service
   at Microsoft.UpdateServices.Administration.PostInstall.Run()
   at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)
Fatal Error: Failed to start and configure the WSUS service

It must have had to do with the IIS service. I checked the service and it was running fine. Restarting the IIS service didn't help either. In the IIS Manager console, I stopped and deleted the "WSUS Administration" site, then re-started the WSUS installation process. Finally, the installation completed!

Tips: In Windows Server 2008, WSUS uses TCP port 80 by default. In Windows Server 2012, TCP 8530 is used for HTTP and TCP 8531 for HTTPS. Be sure to open the necessary firewall ports and point WSUS clients to the correct port, e.g. http://wsus-server:8530 for HTTP updates.
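The port change is the usual reason clients silently stop reporting after a WSUS move to WS2012. The added example below (mine, not from the post) checks the three candidate ports from a client, opens only the two WSUS ports on the server firewall, and writes the same policy registry values that the "Specify intranet Microsoft update service location" GPO sets. "wsus-server" is the placeholder name used in the post; the TCP check uses System.Net.Sockets directly because Test-NetConnection does not exist on WS2012.

```powershell
# Added example, not from the original post. Sections are marked for where they run.

function Test-WsusPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; returns $true when something is listening.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# ---- On a client: which of the old (80) and new (8530/8531) ports actually answer? ----
$server = 'wsus-server'   # placeholder from the post
foreach ($p in 8530, 8531, 80) {
    $state = if (Test-WsusPort -Server $server -Port $p) { 'open' } else { 'closed' }
    '{0}:{1} {2}' -f $server, $p, $state
}

# ---- On the WSUS server: allow only the two WSUS ports inbound (8531 is the TLS port). ----
New-NetFirewallRule -DisplayName 'WSUS HTTP 8530'  -Direction Inbound -Protocol TCP -LocalPort 8530 -Action Allow
New-NetFirewallRule -DisplayName 'WSUS HTTPS 8531' -Direction Inbound -Protocol TCP -LocalPort 8531 -Action Allow

# ---- On a client (normally done by GPO): the port must be part of the URL. ----
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$wu\AU" -Force | Out-Null
Set-ItemProperty -Path $wu       -Name WUServer       -Value "http://${server}:8530"
Set-ItemProperty -Path $wu       -Name WUStatusServer -Value "http://${server}:8530"
Set-ItemProperty -Path "$wu\AU"  -Name UseWUServer    -Value 1 -Type DWord

# Make the client discard its cached target and re-detect against the new location.
& wuauclt.exe /resetauthorization /detectnow
```

If 8531 reports open and the server has a certificate bound to it, the two URLs should use https://wsus-server:8531 instead, so that update metadata is not accepted over plain HTTP.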

Tuesday, November 13, 2012

Activating Windows 8 and Windows Server 2012 on an existing AD environment

As we put new Windows 8 and Windows Server 2012 machines into an existing AD environment, there are 2 things that need to be done. First, if you're still using Windows Server 2008 as the KMS host, download and install update 2757817. Otherwise, you'll see the following error when you activate KMS with the new key:

Error: 0xC004F050 The Software Licensing Service reported that the product key is invalid

Next, upgrade the existing key on the KMS host by running:
  1. "slmgr /upk" to uninstall the existing key,
  2. "slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx" to install the new KMS key,
  3. "slmgr /ato" to activate the new key, and
  4. "slmgr /dlv" to verify the key has been successfully upgraded to support the new Windows 8. You should see "VOLUME_KMS_2012_C_channel" in the description.
For a detailed step-by-step, check out this blog post.
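The four steps above are easy to run out of order or to leave half-done (a KMS host with its key removed and nothing installed activates no one). The added example below (mine, not from the post) runs them as one checked procedure: it refuses to start on a pre-2012 host that lacks the update, stops at the first slmgr error, and only reports success when /dlv shows the 2012 KMS channel. The product key is the placeholder from the post; KB2757817 is the update number given in the post; the check for the word "Error:" in slmgr's output is an assumption about its wording.

```powershell
# Added example, not from the original post. Run elevated on the KMS host.

function Invoke-Slmgr {
    param([string[]]$Arguments)
    # slmgr is a VBScript, so it has to be driven through cscript; capture its text output.
    $out  = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" @Arguments 2>&1
    $text = ($out | Out-String).Trim()
    # Assumption: slmgr reports failures with a line starting "Error:".
    if ($text -match '(?m)^Error:') { throw "slmgr $($Arguments -join ' ') failed:`n$text" }
    return $text
}

function Update-KmsHostKey {
    param([Parameter(Mandatory)][string]$NewKmsKey)

    # Step 0: on Windows Server 2008 / 2008 R2 (kernel < 6.2) the update must be present,
    # otherwise step 2 fails with 0xC004F050 (invalid product key).
    $os = [System.Environment]::OSVersion.Version
    if ($os -lt [version]'6.2' -and -not (Get-HotFix -Id 'KB2757817' -ErrorAction SilentlyContinue)) {
        throw 'Install update KB2757817 on this KMS host before installing the new KMS key.'
    }

    Invoke-Slmgr -Arguments '/upk'             | Out-Null   # 1. uninstall the existing key
    Invoke-Slmgr -Arguments '/ipk', $NewKmsKey | Out-Null   # 2. install the new KMS key
    Invoke-Slmgr -Arguments '/ato'             | Out-Null   # 3. activate it
    $dlv = Invoke-Slmgr -Arguments '/dlv'                   # 4. read back the licence details

    # The description should now name the 2012 KMS channel (the post shows
    # "VOLUME_KMS_2012_C_channel"); matching on the prefix tolerates spacing differences.
    if ($dlv -notmatch 'VOLUME_KMS_2012_C') {
        throw "KMS host still reports an older channel:`n$dlv"
    }
    return $dlv
}

# Placeholder key from the post; replace with the real KMS host key.
Update-KmsHostKey -NewKmsKey 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
```

Because /upk runs before /ipk, keep the new key at hand before starting; the function throws rather than continuing if any step fails, so a failure in step 2 leaves the host without a key and the message tells you exactly which step to repeat.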

Thursday, November 8, 2012

Hyper-V Network Virtualization

In one of my earlier posts, I talked about the software-based network virtualization called "Nicira NVP". Its key feature is multi-tenant Data Center Interconnect (DCI): creating multiple layer 2 virtual networks (or pseudo-wires) across an IP network. Layer 2 networks are essential for many Data Center applications, especially for the "free" movement of Virtual Machines (VMs) across sites and IP topology.

In the new Windows Server 2012, Hyper-V offers similar network virtualization capability using NVGRE, which is another standard L2-over-L3 tunnel. In short, Hyper-V in WS8 includes a "Nicira"-like software component for network virtualization that allows the same virtual subnet addressing across sites and IP topology. For the full long-winded story and presentation, please visit this TechEd 2012 site.

Here, I would just extract a single slide that tells all:

As for joining the network-virtualized environment to the non-network-virtualized environment, Hyper-V Network Virtualization gateways are required to bridge the two. See "Hyper-V Network Virtualization Gateway Architectural Guide".

Gateways can come in different form factors. They can be built upon Windows Server 2012, incorporated into a Top of Rack (TOR) switch, put into an existing network appliance, or can be a stand-alone network appliance. F5 has announced one such network appliance (F5 To Deliver Microsoft Network Virtualization Gateway).

If you are looking for the TechNet reference, click on "Network Virtualization technical details".
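What "same virtual subnet addressing across sites" looks like on one host is easier to see in PowerShell than on a slide. The added example below (mine, not from the post) configures Hyper-V Network Virtualization on a single WS2012 host so that two tenants, Blue and Red, both use customer address 10.0.0.5 and still cannot reach each other, because every NVGRE packet carries the tenant's Virtual Subnet ID (VSID) and the host only delivers a packet into the VSID it was tagged with. The cmdlet names and parameters are those of the WS2012 NetWNV module as I know them and should be confirmed with Get-Command -Module NetWNV; the NIC name, addresses, routing-domain GUIDs, MAC addresses and VM names are placeholders.

```powershell
# Added example, not from the original post. Run elevated on a WS2012 Hyper-V host.

$nic = 'Ethernet'        # physical NIC carrying the provider (PA) network; placeholder
$pa  = '192.168.4.22'    # this host's provider address; placeholder

# 1. Bind the WNV filter driver to the physical NIC. Without it the lookup records below
#    are never consulted and tenant traffic would leave the host unencapsulated.
Enable-NetAdapterBinding -Name $nic -ComponentID ms_netwnv

# 2. Register the provider address used in the outer IP header of NVGRE packets.
$ifIndex = (Get-NetAdapter -Name $nic).ifIndex
New-NetVirtualizationProviderAddress -ProviderAddress $pa -InterfaceIndex $ifIndex -PrefixLength 24

# 3. Two tenants: same customer address, different routing domain (RDID) and VSID.
$tenants = @(
    @{ Name = 'Blue'; VM = 'Blue1'; Rdid = '{11111111-2222-3333-4444-000000000000}'; Vsid = 5001; Mac = '101010101105' },
    @{ Name = 'Red';  VM = 'Red1';  Rdid = '{22222222-2222-3333-4444-000000000000}'; Vsid = 6001; Mac = '202020202105' }
)
foreach ($t in $tenants) {
    # Lookup record: CA 10.0.0.5 inside this VSID is reachable behind PA $pa (this host).
    New-NetVirtualizationLookupRecord -CustomerAddress '10.0.0.5' -ProviderAddress $pa `
        -VirtualSubnetID $t.Vsid -MACAddress $t.Mac -Rule TranslationMethodEncap `
        -VMName $t.VM -CustomerID $t.Rdid

    # Customer route: 10.0.0.0/24 is on-link inside the tenant's own routing domain only.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.Rdid -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255

    # Tag the VM's vNIC with the VSID; this is the isolation boundary the VM cannot change.
    Get-VMNetworkAdapter -VMName $t.VM | Set-VMNetworkAdapter -VirtualSubnetId $t.Vsid
}

# 4. Verification: the same CA is listed twice, once per VSID.
Get-NetVirtualizationLookupRecord |
    Where-Object { $_.CustomerAddress -eq '10.0.0.5' } |
    Format-Table CustomerAddress, VirtualSubnetID, ProviderAddress, VMName -AutoSize
```

Every other host that should carry Blue1 or Red1 after a live migration needs the same lookup records with its own provider address; a host with no record for a CA/VSID pair simply drops that traffic, which is the failure mode to check first when a migrated VM loses connectivity.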