Migrate a SQL Server database to Azure SQL Database

Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines.

 

Azure SQL Migration (Source Microsoft Corp)

 

Moving a SQL Server database to Microsoft Azure SQL Database with Data Migration Assistant is a three-part process:

  1. Prepare a database in a SQL Server for migration to Azure SQL Database using the Data Migration Assistant (DMA).
  2. Export the database to a BACPAC file.
  3. Import the BACPAC file into an Azure SQL Database.

Using Microsoft Data Migration Assistant

Step 1: Prepare for migration

Complete these prerequisites:

  • Install the newest version of Microsoft SQL Server Management Studio (SSMS). Installing SSMS also installs the newest version of SQLPackage, a command-line utility that can be used to automate a range of database development tasks.
  • Download and install the Microsoft Data Migration Assistant (DMA).
  • Identify and have access to a database to migrate.

Follow these steps to use Data Migration Assistant to assess the readiness of your database for migration to Azure SQL Database:

  1. Open the Microsoft Data Migration Assistant. You can run DMA on any computer with connectivity to the SQL Server instance containing the database that you plan to migrate; you do not need to install it on the computer hosting the SQL Server instance.
  2. In the left-hand menu, click New to create an Assessment project. Fill in the form with a Project name (all other values should be left at their default values), and then click Create.
  3. On the Options page, click Next.
  4. On the Select sources page, enter the name of the SQL Server instance containing the database you plan to migrate. Change the other values on this page if necessary, and then click Connect.
  5. In the Add sources portion of the Select sources page, select the checkboxes for the databases to be tested for compatibility, and then click Add.
  6. Click Start Assessment.
  7. When the assessment completes, look for the checkmark in the green circle to see if the database is sufficiently compatible to migrate.
  8. Review the SQL Server feature parity results. Specifically review the information about unsupported and partially supported features, and the recommended actions.
  9. Review the Compatibility issues by clicking that option in the upper left. Specifically review the information about migration blockers, behavior changes, and deprecated features for each compatibility level. For the AdventureWorks2008R2 database, review the changes to Full-Text Search since SQL Server 2008, and the changes to SERVERPROPERTY('LCID') since SQL Server 2000. For details about these changes, links for more information are provided. Many search options and settings for Full-Text Search have changed.
  10. Optionally, click Export report to save the report as a JSON file.
  11. Close the Data Migration Assistant.

Step 2: Export to BACPAC file

Follow these steps to use the SQLPackage command-line utility to export the AdventureWorks2008R2 database to local storage.

  1. Open a Windows command prompt and change your directory to a folder in which you have the 130 version of SQLPackage, such as C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.
  2. Execute the following SQLPackage command at the command prompt to export the AdventureWorks2008R2 database from localhost to AdventureWorks2008R2.bacpac. Change any of these values as appropriate to your environment.


sqlpackage.exe /Action:Export /ssn:localhost /sdn:AdventureWorks2008R2 /tf:AdventureWorks2008R2.bacpac

Once the execution is complete, the generated BACPAC file is stored in the directory where the sqlpackage executable is located; in this example, C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.
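The exported BACPAC is an unencrypted ZIP container holding the schema and the table data, so it is worth recording a digest at export time and checking the package again before it is imported. The following is an added example, not part of the original article or of Microsoft's tooling. It assumes the standard DAC package layout, in which Origin.xml records an uppercase SHA-256 of model.xml, and it uses a constructed, minimal BACPAC-shaped archive as sample input.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile


def _local(tag):
    """Drop the XML namespace so the check does not depend on the DAC schema version."""
    return tag.rsplit("}", 1)[-1]


def inspect_bacpac(blob):
    """Collect integrity facts about a BACPAC held in memory as bytes."""
    report = {
        "package_sha256": hashlib.sha256(blob).hexdigest(),
        "model_checksum_ok": False,
        "contains_exported_data": False,
        "data_files": 0,
        "errors": [],
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        report["errors"].append("not a ZIP container")
        return report
    with archive:
        names = archive.namelist()
        for required in ("model.xml", "Origin.xml"):
            if required not in names:
                report["errors"].append("missing " + required)
        if report["errors"]:
            return report
        report["data_files"] = sum(
            1 for n in names if n.startswith("Data/") and not n.endswith("/")
        )
        model_digest = hashlib.sha256(archive.read("model.xml")).hexdigest().upper()
        try:
            # Origin.xml comes from our own export; do not feed untrusted XML to ElementTree.
            origin = ET.fromstring(archive.read("Origin.xml"))
        except ET.ParseError:
            report["errors"].append("Origin.xml is not well-formed XML")
            return report
    recorded = None
    for element in origin.iter():
        name = _local(element.tag)
        text = (element.text or "").strip()
        if name == "Checksum" and element.get("Uri") == "/model.xml":
            recorded = text.upper()
        elif name == "ContainsExportedData":
            report["contains_exported_data"] = text.lower() == "true"
    if recorded is None:
        report["errors"].append("Origin.xml records no checksum for model.xml")
    else:
        report["model_checksum_ok"] = recorded == model_digest
    return report


def verify_before_import(blob, recorded_sha256):
    """Return a list of problems; an empty list means the package matches the export."""
    report = inspect_bacpac(blob)
    problems = list(report["errors"])
    if report["package_sha256"] != recorded_sha256.lower():
        problems.append("package digest differs from the one recorded at export")
    if not report["errors"] and not report["model_checksum_ok"]:
        problems.append("model.xml checksum mismatch")
    return problems


def build_sample_bacpac(tamper_model=False):
    """Constructed, minimal BACPAC-shaped archive for the demo (not a real export)."""
    model = b"<DataSchemaModel><Model/></DataSchemaModel>"
    checksum = hashlib.sha256(model).hexdigest().upper()
    origin = (
        '<DacOrigin xmlns="http://schemas.microsoft.com/sqlserver/dac/Serialization/2012/02">'
        "<PackageProperties><ContainsExportedData>true</ContainsExportedData></PackageProperties>"
        '<Checksums><Checksum Uri="/model.xml">' + checksum + "</Checksum></Checksums>"
        "</DacOrigin>"
    ).encode()
    if tamper_model:
        # Simulate a schema edit made after export without updating Origin.xml.
        model = model.replace(b"<Model/>", b"<Model><Element/></Model>")
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("model.xml", model)
        archive.writestr("Origin.xml", origin)
        archive.writestr("Data/Person.Person/TableData-000-00000.BCP", b"\x00\x01")
    return buffer.getvalue()


if __name__ == "__main__":
    exported = build_sample_bacpac()
    digest_at_export = inspect_bacpac(exported)["package_sha256"]
    print("clean package:", verify_before_import(exported, digest_at_export))
    print("edited package:", verify_before_import(build_sample_bacpac(True), digest_at_export))
```

The model.xml checksum covers the schema only, which is why the whole-file digest is compared as well.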

  1. Log in to the Azure portal.
  2. Create a SQL Server logical server

A SQL Server logical server acts as a central administrative point for multiple databases. Follow these steps to create a SQL server logical server to contain the migrated Adventure Works OLTP SQL Server database.

  1. Click the New button found on the upper left-hand corner of the Azure portal.
  2. Type sql server in the search window on the New page, and select SQL server (logical server) from the filtered list.
  3. Click Create, and enter the properties for the new SQL Server (logical server).
  4. Complete the SQL server (logical server) form with the values from the red box in this image.
  5. Click Create to provision the logical server. Provisioning takes a few minutes.

Create a server-level firewall rule

  1. Click All resources from the left-hand menu, and click the new server on the All resources page. The overview page for the server opens and provides options for further configuration.
  2. Click Firewall in the left-hand menu under Settings on the overview page.
  3. Click Add client IP on the toolbar to add the IP address of the computer you are currently using, and then click Save. This creates a server-level firewall rule for this IP address.
  4. Click OK.
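Add client IP creates a rule for one address, but the same server may already carry wider rules. The following added example (not from the original article) audits a server's rule list for ranges that are broader than a single workstation needs. It assumes the input is the JSON array printed by `az sql server firewall-rule list`, with `name`, `startIpAddress` and `endIpAddress` fields; the rule set shown is constructed sample data, and the 256-address threshold is an arbitrary choice for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list` output.
SAMPLE_RULES_JSON = """[
  {"name": "ClientIPAddress_2017-04-03", "startIpAddress": "203.0.113.25", "endIpAddress": "203.0.113.25"},
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "temp-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "wide", "startIpAddress": "198.51.100.0", "endIpAddress": "203.0.113.255"},
  {"name": "typo", "startIpAddress": "203.0.113.300", "endIpAddress": "203.0.113.1"}
]"""

ADVICE = {
    "azure-services": "0.0.0.0-0.0.0.0 admits traffic from any Azure service, in any subscription",
    "any-internet": "rule admits every IPv4 address",
    "broad-range": "range is larger than the allowed number of addresses",
    "inverted-range": "end address is lower than start address",
    "unparseable": "start or end address is missing or not valid IPv4",
}


def audit_rules(rules, max_addresses=256):
    """Return (rule name, finding) pairs for rules that deserve review."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        try:
            start = ipaddress.IPv4Address(rule["startIpAddress"])
            end = ipaddress.IPv4Address(rule["endIpAddress"])
        except (KeyError, ValueError):
            findings.append((name, "unparseable"))
            continue
        if int(start) == 0 and int(end) == 0:
            # Special rule the portal creates for "Allow access to Azure services".
            findings.append((name, "azure-services"))
        elif end < start:
            findings.append((name, "inverted-range"))
        elif int(start) == 0 and int(end) == 2**32 - 1:
            findings.append((name, "any-internet"))
        elif int(end) - int(start) + 1 > max_addresses:
            findings.append((name, "broad-range"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(json.loads(SAMPLE_RULES_JSON)):
        print(f"{rule_name}: {finding} ({ADVICE[finding]})")
```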

Step 3: Import a BACPAC file to Azure SQL Database

The SQLPackage command-line utility is the preferred method to import your BACPAC database to Azure SQL Database for most production environments.

SqlPackage.exe /a:import /tcs:"Data Source=<your_server_name>.database.windows.net;Initial Catalog=<your_new_database_name>;User Id=<change_to_your_admin_user_account>;Password=<change_to_your_password>" /sf:AdventureWorks2008R2.bacpac /p:DatabaseEdition=Premium /p:DatabaseServiceObjective=P6
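The import command above carries the admin password inline, where it ends up in scripts, shell history and logs. The following added example (not from the original article) builds the same command as an argument list, taking the password from an environment variable, quoting connection-string values so they cannot inject extra keywords, and producing a second copy that is safe to log. The variable name `AZURE_SQL_ADMIN_PASSWORD` and the `Encrypt=True;TrustServerCertificate=False` keywords are assumptions added for the example; the other switches are the ones used on this page.

```python
import os
import re
import subprocess

# Logical server short name: lowercase letters, digits and inner hyphens only.
_SERVER_NAME = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def quote_value(value):
    """Quote a connection-string value that contains ';', quotes or edge whitespace."""
    needs_quotes = value != value.strip() or any(c in value for c in ";'\"")
    if not needs_quotes:
        return value
    if '"' not in value:
        return '"' + value + '"'
    if "'" not in value:
        return "'" + value + "'"
    # Both quote characters present: wrap in double quotes and double the inner ones.
    return '"' + value.replace('"', '""') + '"'


def build_import_command(server, database, user, password, bacpac,
                         edition="Premium", objective="P6"):
    """Return (argv, loggable_argv) for the SqlPackage import shown on this page."""
    if not _SERVER_NAME.fullmatch(server):
        raise ValueError("unexpected logical server name: %r" % server)
    if not password:
        raise ValueError("empty password")
    fields = [
        ("Data Source", server + ".database.windows.net"),
        ("Initial Catalog", database),
        ("User Id", user),
        ("Encrypt", "True"),                  # assumption: added to the page's string
        ("TrustServerCertificate", "False"),  # assumption: added to the page's string
    ]
    base = ";".join(key + "=" + quote_value(val) for key, val in fields)

    def argv(secret):
        return [
            "SqlPackage.exe",
            "/a:Import",
            "/tcs:" + base + ";Password=" + secret,
            "/sf:" + bacpac,
            "/p:DatabaseEdition=" + edition,
            "/p:DatabaseServiceObjective=" + objective,
        ]

    return argv(quote_value(password)), argv("***")


def run_import(argv):
    """Run SqlPackage without a shell, so no shell parses or records the arguments.

    The password is still visible in the process argument list while SqlPackage runs.
    """
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Hypothetical variable name; falls back to a constructed value for the demo.
    secret = os.environ.get("AZURE_SQL_ADMIN_PASSWORD", 'constructed;demo"value')
    command, loggable = build_import_command(
        "mynewserver20170403", "myMigratedDatabase", "ServerAdmin",
        secret, "AdventureWorks2008R2.bacpac",
    )
    print(" ".join(loggable))  # log this copy, never `command`
```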

Connect using SQL Server Management Studio (SSMS)

  1. Open SQL Server Management Studio.
  2. In the Connect to Server dialog box, enter this information.
  • Server type: Specify Database engine
  • Server name: Enter your fully qualified server name, such as mynewserver20170403.database.windows.net
  • Authentication: Specify SQL Server Authentication
  • Login: Enter your server admin account
  • Password: Enter the password for your server admin account
  3. Click Connect.
  4. In Object Explorer, expand Databases, and then expand myMigratedDatabase to view the objects in the sample database.

Using Azure Database Migration Service

Azure Database Migration Service (ADMS), now in limited preview, can help you migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance, or SQL Server on an Azure Virtual Machine.

ADMS is designed to simplify the complex workflows you can encounter when migrating various database types to databases in Azure.

  1. In the Azure portal, select Data Migration Service, and then click New Migration Project.
  2. In New Migration Project, enter a unique project name, server source type and a target server type.
  3. Click Start.
  4. Provide all options under Migration target details, and then click Save.
  5. Provide all options under Migration source detail, and then click Save.
  6. In the Select source databases list, select each source database you want to migrate, and then click Save.
  7. Review the details summary, and then click Run Migration to start the migration. The amount of time the migration will run depends on a variety of factors including size and complexity of the database, source disk speed, and network speed.
  8. Once the migration is finished, a Completed status will be displayed in the SQL Migration dashboard.

Migrating VMware Virtual Workloads to Microsoft Azure Cloud

Overview

Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, they need deep visibility into their own environment and the tight interdependencies between applications, workloads, and data. Azure Migrate, Azure Database Migration Service, and Azure Cost Management provide a frictionless approach to moving VMware VMs to Azure.


Microsoft – Cloud Security Certification

Microsoft Azure has been certified by the Australian Signals Directorate (ASD), Department of Defence. Check your region to verify Azure certification by the regulator if you have regulatory compliance requirements.

  • Microsoft has undergone an Information Security Registered Assessors Program (IRAP) assessment of Australian Signals Directorate (ASD) and been certified on the Certified Cloud Services List (CCSL) by ASD for Azure, Dynamics 365, and Office 365
  • Microsoft Azure has been awarded PROTECTED classification level by the Australian Signals Directorate (ASD). Microsoft Azure is the first global cloud provider which has been awarded PROTECTED
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded certification after rigorous independent assessments of cloud providers by the Cloud Security Alliance (CSA)
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded ISO/IEC 27001 certification meeting criteria specified in the ISO certification

Licensing Cost & Azure Hybrid Benefit

  • customers with Software Assurance to run Windows Server VMs on Azure at a lower rate.
  • save up to 40 percent on Windows Server VMs
  • Use existing SQL Server licenses toward SQL Database managed instances
  • Azure Reserved Virtual Machine Instances to further reduce costs—up to 72% on PAYG prices per year or per three years terms on both Windows and Linux virtual machines.
  • pay only for the underlying compute and storage for SQL VM
  • 82% savings over PAYG rates on Azure and up to 67% compared to AWS RIs for Windows VMs.
  • 49% cost savings estimated using the Azure TCO calculator comparing on-premises VMware VMs. Actual savings may vary based on region, instance type and usage. Reference Nucleus Research
  • You can specify whether you’re enrolled in Software Assurance and can use the Azure Hybrid Use Benefit.


Migration Path

Microsoft offers an end-to-end solution to provide you with a proven framework and tools to migrate your first workload and give you a complete roadmap for discovery, migration, and continual optimization, including better insights and strategies for running your entire datacenter portfolio on Azure. Migrating to Azure is a simple three-stage process that focuses on how to identify virtual machines, applications, and data that can easily be moved to the cloud.


Supported Platform

  • VMware vCenter Server 5.5, 0 and later version managed virtual machines
  • Any On-premises Storage (vSAN, FC SAN, NFS or iSCSI)
  • Appliance-based, agentless, and non-intrusive discovery of on-premises virtual machines.
  • Currently Azure Migrate supports only Locally redundant storage (LRS). However, once you have migrated to Azure, you can use Geo-redundant storage.
  • Lift & Shift migration to Azure IaaS Cloud
  • Azure Migrate will recommend the use of Azure Database Migration Service
  • Use Azure Site Recovery Manager to migrate business critical and large VMs to Azure Cloud

Stage 1 – Assess Your VMware vSphere Environment

Use these four steps to discover and assess your on-premises workloads for migration to Azure.

  1. Prepare your environment.
  2. Discover virtual machines.
  3. Group virtual machines.
  4. Assess the groups of virtual machines.

Step 1: Prepare your environment

  1. To get started with Azure Migrate, you need a Microsoft Azure account or the free trial.
  2. Assess VMware Virtual machines located on vSphere ESXi hosts that are managed with a vCenter server running version 5.5 or 6.0.
  3. The ESXi host or cluster on which the Collector VM (version 8.0) runs must be running version 5.0 or later.
  4. To discover virtual machines, Azure Migrate needs an account with read-only administrator credentials for the vCenter server.
  5. Create a vCenter virtual machine in .ova format. Download an appliance and import it to the vCenter server to create the virtual machine. The virtual machine must be able to connect to the internet to send metadata to Azure.
  6. Set statistics settings for the vCenter server to statistics level 2. The default Level 1 will work, but Azure Migrate won’t be able to collect data for performance-based sizing for storage.

Tag your virtual machines in vCenter (optional)

Use these steps to tag your virtual machines in vCenter server.

  1. In the VMware vSphere Web Client, navigate to the vCenter server instance.
  2. To review current tags, click Tags.
  3. To tag a virtual machine, click Related Objects > Virtual Machines, and select the virtual machine.
  4. In Summary > Tags, click Assign.
  5. Click New Tag, and specify a tag name and description.
  6. To create a category for the tag, select New Category in the drop-down list.
  7. Specify a category name and description and the cardinality, and click OK.

Step 2: Discover virtual machines

Using Azure Migrate to discover on-premises workloads involves these steps.

  1. Create a Project.
  2. Download the Collector appliance.
  3. Create the Collector virtual machine.
  4. Run the Collector to discover virtual machines.
  5. Verify discovered virtual machines in the portal.

Create a Project

Azure Migrate projects hold the metadata of your on-premises machines and enable you to assess migration suitability. Use these steps to create a project.

  1. Log on to the Azure portal and click New.
  2. Search for Azure Migrate in the search box, and select the service Azure Migrate (preview) in the search results, and then click Create.
  3. Select the Azure Migrate service from the search results.
  4. Click Create.
  5. Specify a name for the new project.
  6. Select the subscription you want the project to be associated with.
  7. Create a new resource group, or select an existing one.
  8. Specify an Azure location.
  9. To quickly access the project from the Dashboard, select Pin to dashboard.
  10. Click Create. The new project appears on the Dashboard, under All resources, and in the Projects blade.

Download the Collector appliance

  1. Select the project, and click Discover & Assess on the Overview blade.
  2. Click Discover Machines, and then click Download.
  3. Copy the Project ID and project key values to use when you configure the Collector.

Deploy the Collector virtual machine

In the vCenter Server, import the Collector appliance as a virtual machine using the Deploy OVF Template wizard.

  1. In vSphere Client console, click File > Deploy OVF Template.
  2. In the Deploy OVF Template Wizard > Source, specify the location for the .ovf file.
  3. In Name and Location, specify a friendly name for the Collector virtual machine, the inventory object in which the virtual machine will be hosted.
  4. In Host/Cluster, specify the host or cluster on which the Collector virtual machine will run.
  5. In Storage, specify the storage destination for the Collector virtual machine.
  6. In Disk Format, specify the disk type and size.
  7. In Network Mapping, specify the network to which the Collector virtual machine will connect. The network must be connected to the internet to send metadata to Azure.
  8. Review and confirm the settings, and then click Finish.

Run the Collector to discover virtual machines

  1. In the vSphere Client console, right-click the virtual machine > Open Console.
  2. Provide the language, time zone, and password preferences for the appliance.
  3. In the Azure Migrate Collector, open Set Up Prerequisites, and then:

o Accept the license terms, and read the third-party information.

o The Collector checks that the virtual machine has internet access. If the virtual machine accesses the internet via a proxy, click Proxy settings, and specify the proxy address and listening port. Specify credentials if proxy access needs authentication.

o The Collector checks that the Windows profiler service is running. The service is installed by default on the Collector virtual machine.

o Select to download and install the VMware PowerCLI.

  4. In Discover Machines, do the following:

o Specify the name (FQDN) or IP address of the vCenter server and the read-only account the Collector will use to discover virtual machines on the vCenter server.

o Select a scope for virtual machine discovery. The Collector can only discover virtual machines within the specified scope. Scope can be set to a specific folder, datacenter, or cluster, but it shouldn’t contain more than 1000 virtual machines.

o If you’re using tagging on the vCenter server, select tag categories for virtual machine grouping. Azure Migrate automatically groups virtual machines based on tag values in the category. If you’re not using tagging, you can group virtual machines in the Azure portal.

  5. In Select Project, specify the Azure Migrate project ID and key you copied from the Azure portal. If you didn’t copy them, open Azure in a browser from the Collector virtual machine. In the project Overview page, click Discover Machines, and copy the values.
  6. In Complete Discovery, you can monitor the discovery status, and check that metadata is collected from the virtual machines in scope. The Collector provides an approximate discovery time.

Verify discovered virtual machines in the portal

  1. In the migration project, click Manage > Machines.
  2. Check that the virtual machines you want to discover appear in the portal.

Step 3: Group virtual machines

Enterprises typically migrate virtual machines with dependencies together at the same time to ensure their functionality after migration to Azure. Azure Migrate allows you to categorize the virtual machines by group so you can assess all the virtual machines in a group.

  • If you provided a tag category—which was an optional step while configuring the Collector—groups will be automatically created for the workloads based on the tag values.
  • If a tag category is not provided while configuring the Collector, you can create groups of virtual machines in the Azure Migrate portal.

Optional: Assess machine dependencies before adding them to a group

  1. In Manage > Machines, search for the machine whose dependencies you want to view.
  2. In the Dependencies column for the machine, click Install agent.
  3. To calculate dependencies, download and install these agents on the machine:

o Microsoft Monitoring agent

o Dependency agent

  4. Copy the workspace ID and key to use later when you install the Microsoft Monitoring agent on a machine.
  5. After you install the agents on the machine, return to the portal and click Machines. This time the Dependencies column for the machine should contain the text View dependencies. Click View dependencies.
  6. By default, the dependency time range is an hour. Click the time range to shorten it, specify start and end dates, or change the duration. Press Ctrl + Click to select multiple machines on the map, and then click Group machines.
  7. In Group machines, specify a group name. Verify the machines you added have the dependency agents installed and have been discovered by Azure Migrate. Machines must be discovered to assess them. We recommend that you install the dependency agents to complete dependency mapping.
  8. Click OK to save the group settings. Alternatively, you can add machines to an existing group.

Create a Group

You can create groups of virtual machines from the Machines blade or from the Groups blade, using a similar process.

Create a group from the Machines blade

  1. Navigate to the Dashboard of a project and click the Machines tile.
  2. Click Group Machines.
  3. Specify a name for the group in the Name box, and then select the machines that you want to add to the group.
  4. Click Create.

Add/Remove machines to/from an existing group if you require

  1. Navigate to the dashboard of a project and click the Groups tile.
  2. Select the Group you want to add/remove machines to/from.
  3. Click Add Machines or Remove Machines.
  4. Select the machines that you want to add/remove to/from the group.
  5. Click Add or Remove.

Step 4: Assess groups of virtual machines

Create an assessment

Follow these steps to generate an assessment for the group.

  1. Select the project you want under Project.
  2. On the project dashboard, click Groups.
  3. Create a new group or select an existing group to assess under Group.
  4. Click Create Assessment to create a new assessment for the group.

The assessment includes these details.

  • Summary of the number of machines suitable for Azure which is referred to as Azure Readiness.
  • Monthly estimate of the cost for running the machines in Azure after migration.
  • Storage monthly cost estimate.

Assessment calculation

Azure Migrate performs three checks on virtual machines in this order:

  1. Azure Suitability Analysis
  2. Performance-based sizing
  3. Monthly cost estimate

Stage 2: Migrate virtual machines using Azure Site Recovery

Before you start deployment, review the architecture and make sure you understand all the components you need to deploy.

Next, make sure you understand the prerequisites and limitations for a Microsoft Azure account, Azure networks, and storage accounts. You also need:

  • On-premises Site Recovery components
  • On-premises VMware prerequisites
  • Mobility service component installed on the virtual machine you want to replicate.

These are the general steps to migrate:

  1. Set up Azure services such as Virtual Networks, Availability Group, Network Load Balancer, Address Space, Subnets, Resource Group, Storage Accounts, Public IPs.
  2. Connect to VMware servers.
  3. Set up the target environment.
  4. Complete migration.

I assume you have completed step 1, so I am moving on to step 2.

Create a Recovery Services vault

  1. Sign in to the Azure portal > Recovery Services.
  2. Click New > Monitoring & Management > Backup and Site Recovery.
  3. In Name, specify a friendly name to identify the vault. If you have more than one subscription, select one of them.
  4. Create a resource group, or select an existing one. Specify an Azure region. To check supported regions, see geographic availability in Azure Site Recovery Pricing Details.
  5. If you want to quickly access the vault from the dashboard, click Pin to dashboard, and then click Create.
  6. The new vault will appear on Dashboard > All resources and on the main Recovery Services vaults blade.

Select a protection goal

In this task, select what you want to replicate, and where you want to replicate to.

  1. Click Recovery Services vaults > vault.
  2. In the Resource Menu, click Site Recovery > Prepare Infrastructure > Protection goal.
  3. In Protection goal, select To Azure > Yes, with VMware vSphere Hypervisor.

Set up the source environment

In this task, set up the configuration server, register it in the vault, and discover virtual machines.

  1. Click Site Recovery > Step 1: Prepare Infrastructure > Source.
  2. If you don’t have a configuration server, click Configuration server.
  3. In Add Server, check that Configuration Server appears in Server type.
  4. Download the Site Recovery Unified Setup installation file.
  5. Download the vault registration key. You need this when you run Unified Setup. The key is valid for five days after you generate it.

Register the configuration server in the vault

The next task requires you to run Unified Setup to install the configuration server, the process server, and the master target server. First however, do these three steps.

  1. On the configuration server virtual machine, make sure that the system clock is synchronized with a Time Server. It should match. If it’s 15 minutes in front or behind, setup might fail.
  2. Run setup as a Local Administrator on the configuration server virtual machine.
  3. Make sure TLS 1.0 is enabled on the virtual machine.

Now you are ready to run Setup.

  1. Run the Unified Setup installation file.
  2. In Before You Begin, select Install the configuration server and process server.
  3. From the Third-Party Software License screen, click I Accept to download and install MySQL.
  4. From the Registration screen, select the registration key you downloaded from the vault, and then click Next.
  5. From the Internet Settings screen, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet.
  6. If you want to connect with the proxy that’s currently set up on the machine, select Connect to Azure Site Recovery using a proxy server.
  7. If you want the Provider to connect directly, select Connect directly to Azure Site Recovery without a proxy server.
  8. If the existing proxy requires authentication, or if you want to use a custom proxy for the Provider connection, select Connect with custom proxy settings. If you use a custom proxy, you need to specify the address, port, and credentials.
  9. From the Prerequisites Check screen, run a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.
  10. In the MySQL Configuration screen, create credentials for logging on to the MySQL server instance that is installed.
  11. From the Environment Details screen, select whether to replicate VMware virtual machines. If you will, Setup checks that PowerCLI 6.0 is installed.
  12. From the Install Location screen, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of available space.
  13. From the Network Selection screen, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment’s requirements. In addition to the port 9443, we also open port 443, which is used by a web server to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.
  14. In the Summary screen, review the information and click Install. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location. After registration finishes, the server is displayed on the Settings > Servers in the vault.

Step 2: Connect to VMware servers

To allow Azure Site Recovery to discover virtual machines running in your on-premises environment, you need to connect your VMware vCenter Server or vSphere ESXi hosts with Site Recovery. Note the following before you start:

  • If you add the vCenter server or vSphere hosts to Site Recovery with an account without administrator privileges on the server, the account needs these privileges enabled:

o Datacenter, Datastore, Folder, Host, Network, Resource, Virtual machine, vSphere Distributed Switch.

o The vCenter server needs Storage views permissions.

  • When you add VMware servers to Site Recovery, it can take 15 minutes or longer for them to appear in the portal.

Step 3: Set up the target environment

Before you set up the target environment, make sure you have an Azure storage account and a virtual network set up.

  1. Click Prepare infrastructure > Target, and select the Azure subscription you want to use.
  2. Specify whether your target deployment model is Resource Manager-based, or classic.
  3. Site Recovery verifies that you have one or more compatible Azure storage accounts and networks.

Create replication policy

You need a replication policy to automate the replication to Azure.

  1. To create a new replication policy, click Site Recovery infrastructure > Replication Policies > Replication Policy.
  2. Under RPO threshold, specify the RPO limit. This value specifies how often data recovery points are created. An alert is generated if continuous replication exceeds this limit.
  3. Under Recovery point retention, specify (in hours) how long the retention window is for each recovery point. Replicated virtual machines can be recovered to any point in a window. Up to 24 hours retention is supported for machines replicated to premium storage, and 72 hours for standard storage.
  4. Under App-consistent snapshot frequency, specify how often (in minutes) recovery points containing application-consistent snapshots will be created.
  5. Click OK to create the policy.
  6. When you create a new policy it’s automatically associated with the configuration server. By default, a matching policy is automatically created for failback. For example, if the replication policy is rep-policy then the failback policy will be rep-policy-failback. The failback policy isn’t used until you initiate a failback from Azure.

Prepare for push installation of the Mobility service

The Mobility service must be installed on all virtual machines you want to replicate. There are several ways to install the service, including manual installation, push installation from the Site Recovery process server, and installation using methods such as System Center Configuration Manager. Here you can review prerequisites and installation methods for the Mobility Service.

If you want to use push installation from the Azure Site Recovery process server, you need to prepare an account that Azure Site Recovery can use to access the virtual machine.

The following describes the options:

  • You can use a domain or local account

For Windows, if you’re not using a domain account, you need to disable Remote User Access control on the local machine. To do this, in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy, with a value of 1.

  • If you want to add the registry entry for Windows from a CLI, type: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1.
  • For Linux, the account should be root on the source Linux server.

Install Mobility Service manually by using the GUI

  1. Copy the installer executable to the virtual machine that is being migrated to Azure, and then open the installer.
  2. On the Installation Option pane, select Install Mobility Service.
  3. Select the install location and click Install to begin the installation procedure.
  4. You can use the Installation Progress page to monitor the installer’s progress.
  5. Once installation is complete, click the Proceed to Configuration button to register the Mobility Service with your Configuration server.
  6. Click on the Register button to complete the registration.

Configure replication

After you have installed and configured both the Process Server and the Mobility Service agents, continue configuring replication in Azure.

  1. In the Azure portal, navigate to Site Recovery > Step1: Replicate Application > Enable Replication, and then click Step 1: Source Configure > Source.
  2. In Source, select On-Premises.
  3. In Source location, select your Configuration Server.
  4. In Machine type, select Virtual Machines.
  5. In vCenter/vSphere Hypervisor, select the vCenter server that manages the vSphere host, or select the host.
  6. Select the process server or the configuration server if you haven’t created any additional process servers, and then click OK.
  7. In Target, select the subscription and the resource group in which you want to create the migrated virtual machines. Choose the deployment model for the migrated virtual machines that you want to use in Azure (classic or resource manager).
  8. Select the Azure storage account you want to use for replicating data. If you don’t want to use an account you’ve already set up, you can create a new one.
  9. Select the Azure network and subnet to which Azure Virtual Machines will connect when they’re created after migration. Select Configure now for selected machines to apply the network setting to all machines you select for protection, or select Configure later to select the Azure network per virtual machine.
  10. Point to Virtual Machines > Select, select each enabled machine you want to replicate, and then click OK.
  11. In Properties > Configure properties, select the process server account that will automatically install the Mobility service on the machine.
  12. By default, all disks are replicated. Click All Disks and clear any disks you don’t want to replicate, and then click OK. You can set additional virtual machine disk properties later if needed.
  13. In Replication settings > Configure replication settings, verify that the correct replication policy is selected. If you modify a policy, changes will be applied to the replicating machine and to new machines.
  14. Enable Multi-VM consistency if you want to gather machines into a replication group, specify a name for the group, and then click OK.
  15. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs. After the Finalize Protection job runs, the machine is ready for failover.

Step 4: Complete migration

Because migration is different than failover, it is important to configure Site Recovery for a migration.

For migration, you don’t need to commit a failover or delete machines. Instead, select the Complete Migration option for each machine you want to migrate.

  1. In Replicated Items, right-click the virtual machine, and then click Complete Migration.
  2. Click OK to complete the migration.

You can track progress in the virtual machine properties by monitoring the Complete Migration job in Site Recovery jobs. The Complete Migration action completes the migration process, removes replication for the machine, and stops Site Recovery billing for the machine.

At this point, your virtual machine has been migrated to Azure and you can begin using the IP addresses you set up in Networking. If you must migrate a database, the next section outlines migrating SQL Server databases using Data Migration Assistant and Azure Database Migration Service. Otherwise, the migration process continues with

Stage 3: Optimize migrated workloads

Cloudyn helps ensure migrated virtual machines continue to deliver targeted resource utilization and best cost by recommending changes. Track costs against budget using spending reports that help identify which virtual machine types are consuming budget and support decisions on how to modify the Azure environment to maximize ROI. Cloudyn benefits include:

  • Visibility into resource costs
  • Visibility into application and departmental costs
  • Budgeting
  • Cost optimization with right-sizing guidance

As organizations move on-premises virtual machines to Azure, a best practice is to move workloads through three stages: discover, migrate, and optimize. Microsoft and its partners offer tools to help increase the efficiency and reduce the complexity of those stages.

Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using Notepad. Copy the following content, paste it into the text file, and save it as request.inf.

;copy from here

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=myserver.microsoftguru.com.au" ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE  ; TRUE = Private key is exportable
KeyLength = 2048    ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Win2k8, Win Vista, Win7
; SANs can be included in the Extensions section by using the following text format.
; Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=Exchange1.microsoftguru.com.au&"
_continue_ = "dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&"
_continue_ = "url=http://myserver.microsoftguru.com.au&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=test@microsoftguru.com.au&"
_continue_ = "upn=test@microsoftguru.com.au&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"

; Alternatively you create a SAN attribute using a script provided in KB
; use text format or base64-encoded format of SAN. 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]
; Multiple alternative names must be separated by an ampersand (&).
; In the example I have shown two different types of SAN. Use only one type of SAN.
; Asterisk *.yourdomainname.com.au is used for Wildcard certificates.
SAN="dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130"
SAN="dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au"

CertificateTemplate = WebServer
; change template name depending on your environment.

; remove ";" from request.inf file. file ends here.

Important Note: Some third-party certification authorities (for example, ISPs who sell SSL certificates) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject="E=test@microsoftguru.com.au, CN=<FQDN of server>, OU=My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU". Amend Request.inf as per your need. For a standard certificate request you can omit the SAN, [Extensions] and [EnhancedKeyUsageExtension] sections.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:\request.inf c:\certnew.req

At the command prompt, type the following command, and then press ENTER:

certreq -submit c:\certnew.req c:\certnew.cer

If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config "DC.microsoftguru.com.au\MYCA" c:\certnew.req c:\certnew.cer

Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:\certnew.cer

You can also use the -config switch here to retrieve the certificate request from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:\certnew.cer

This command imports the certificate into the appropriate store and then links the certificate to the private key that was created in the previous step.

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
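
With EDITF_ATTRIBUTESUBJECTALTNAME2 set, the CA accepts a SAN supplied by the requester as a request attribute (the SAN= line under [RequestAttributes]) regardless of how the certificate template builds the subject, so it is worth knowing exactly which CAs have it enabled. The following PowerShell check is an added example, not part of the original procedure; it assumes it is run elevated on the CA server with PowerShell 3.0 or later, and falls back to the default policy module name if none is recorded as active.

```powershell
# Added example (not from the original article).
# Reports, for each CA configured on this server, whether the policy module
# accepts a SAN passed as a request attribute.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-SanAttributeFlag {
    # True when the SAN-attribute bit is present in an EditFlags value.
    param([Parameter(Mandatory = $true)][int]$EditFlags)
    ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

function Get-CaSanAttributeStatus {
    foreach ($caKey in Get-ChildItem -Path $ConfigRoot) {
        $modulesKey = Join-Path $caKey.PSPath 'PolicyModules'
        if (-not (Test-Path $modulesKey)) { continue }

        # 'Active' names the policy module in use; assume the Microsoft
        # default module if the value is absent.
        $active = (Get-ItemProperty -Path $modulesKey).Active
        if (-not $active) { $active = 'CertificateAuthority_MicrosoftDefault.Policy' }

        $policyKey = Join-Path $modulesKey $active
        $flags = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).EditFlags
        if ($null -eq $flags) { continue }

        [pscustomobject]@{
            CA                   = $caKey.PSChildName
            PolicyModule         = $active
            EditFlags            = '0x{0:X8}' -f $flags
            SanAttributeAccepted = Test-SanAttributeFlag -EditFlags $flags
        }
    }
}

Get-CaSanAttributeStatus | Format-Table -AutoSize

# To clear the flag again, use the same certutil syntax with a minus sign,
# then restart the service:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc
#   net start certsvc
```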

To repair a certificate
  1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  4. Open a Command Prompt window, type certutil -repairstore My "{Serialnumber}" and then press ENTER.

How to enable secure certificate enrolment in certificate authority

Step 1: Create request.inf file using WebServer template

Step 2: Generate a web server certificate request.req file using the certreq.exe tool

certreq -new c:\request.inf c:\request.req

Step 3: Submit the request.req file using certreq.exe or CA Management Console. Save certificate.cer

Open CA MMC>Select CA server>Right click on CA Server>Click All Tasks>Submit a new request

Point to the location c:\request.req and submit. You will be prompted to save the certificate.

Step 4: Import the certificate into certificate authority

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right-click and import the certificate you saved in the previous steps.

Step 5: Open IIS Management Console>Select Default Web Site>Click Bindings from the Actions pane>Click Add>Select HTTPS>Select the certificate you just imported in the previous step. Click OK.

Step 6: Run iisreset /restart from command prompt

Step 7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer. In Internet Explorer, connect to https://MYCA/certsrv.
  2. Click Request a Certificate, and then click Advanced certificate request.
  3. Click Request a certificate.
  4. In the Certificate Template list, click Web Server. Note: The CA must be configured to issue Web Server certificates.
  5. Provide identifying information as required.
  6. In the Name box, type the fully qualified domain name (FQDN) of the server.
  7. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

san:dns=dns.name[&dns=dns.name]

Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the aliases are autodiscover.microsoftguru.com.au and webmail.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string appears as follows:

san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au

Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.

My preferred way to request a certificate is to create a .req file as shown in the previous steps. Open the .req file in Notepad and copy the contents. Click submit a certificate request by using base 64-encode.

Paste the contents into base 64-encode. Select the web server template. Click Submit.

To obtain the certificate, click Yes.

To download the certificate with root CA CRL, click Download certificate chain in p7b format.

To download only the certificate, click Download certificate and save.

How to configure Private Key in Certificate Authority and Export Private Key

1. Open CA MMC from Administrative Tools>Right Click on Certificate Template>Click Manage

2. Select WebServer Template>Right Click on WebServer Template>Click Duplicate Template>Select Win2k3 or Win2k8 OS Version>Type Template Name as WebServer With Private Key in General Tab

3. Click Request Handling Tab>Check Allow private key to be exported

4. Click Security Tab>Allow appropriate security for the person who will enroll and export the certificates

5. Click OK. Close CA MMC.

6. Create a WebServer Request.inf. Create Request.req file

7. Submit WebServer request to https://myca/certsrv. Download and install certificate.

To export a certificate with the private key

1. Open Certificate Manager by clicking the Start button>Search Box>Type certmgr.msc, and then pressing ENTER.

2. Go to Certificates - Current User\Personal\Certificates>Select the certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in request.inf file and you have access to the private key.

4. Under Export File Format, do one or all of the following, and then click Next.

  • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
  • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import Private Key

  1. Click Start Menu>Search Box>Click mmc.msc>Click Certificates>Add Computer Account>Click OK.

  2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

3. Browse to the location where you exported certificates>Select Certificate>Provide password to import the certificate.

4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell® cmdlets are used to administer the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server® “8” Beta.

  • Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
  • Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrollment Policy Web Service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
  • Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
  • Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
  • Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
  • Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or Migrate procedure of Active Directory Certificate Authority:

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer
  • Restoring the CA on the second computer

You must be a member of domain admins security group to perform the following operation. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

  3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

  4. Type a password for the CA private key backup file, and type it a second time to confirm the password. Then click Finish.

  5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

  6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

  7. Back up the CA logs from the D:\Winnt\System32\Certlog folder. You must restore the backup to the D:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database files to a different location.

  8. In addition to the above steps, back up CAPolicy.inf. If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:\Windows.

To back up a CA database and private key by using Certutil.exe
  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type Certutil.exe -backupdb <BackupDirectory> and press ENTER.

  4. Type Certutil.exe -backupkey <BackupDirectory> and press ENTER.

  5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

  6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

  7. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key
    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb
  8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.
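
The certutil backup steps above, collected into one script as an added example (not from the original article). It also exports the CertSvc registry configuration and CAPolicy.inf described in the wizard procedure, and writes a SHA-256 manifest so the copy on the destination server can be checked with -VerifyOnly before the restore. The folder D:\CABackup and the manifest file name are assumptions, and PowerShell 4.0 or later is assumed.

```powershell
# Added example, not from the original article. Run elevated on the source CA.
# Assumptions: PowerShell 4.0+ (Get-FileHash); D:\CABackup is a hypothetical,
# empty backup folder; backup-manifest.csv is a name made up for this example.
param(
    [string]$BackupDir = 'D:\CABackup',
    [switch]$VerifyOnly      # on the destination: only check files against the manifest
)
$ErrorActionPreference = 'Stop'
$manifest = Join-Path $BackupDir 'backup-manifest.csv'

function Invoke-Tool {
    # Run a native command and stop the script if it reports failure.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function New-BackupManifest {
    # One row per file: path relative to the backup root plus its SHA-256.
    param([string]$Dir, [string]$Exclude)
    $root = (Resolve-Path $Dir).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.Name -ne $Exclude } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Test-BackupManifest {
    # Returns the manifest rows whose file is missing or altered (none = good).
    param([string]$Dir, [string]$ManifestPath)
    $root = (Resolve-Path $Dir).Path
    Import-Csv -Path $ManifestPath | Where-Object {
        $file = Join-Path $root $_.RelativePath
        (-not (Test-Path $file)) -or
        ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $_.SHA256)
    }
}

if ($VerifyOnly) {
    $bad = @(Test-BackupManifest -Dir $BackupDir -ManifestPath $manifest)
    if ($bad.Count -gt 0) {
        $bad | Format-Table -AutoSize
        throw "$($bad.Count) backup file(s) missing or changed since the manifest was written"
    }
    'Backup files match the manifest.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Steps 3-5: database first, then the key (certutil prompts for the .p12 password).
Invoke-Tool certutil.exe @('-backupdb', $BackupDir)
Invoke-Tool certutil.exe @('-backupkey', $BackupDir)

# Registry configuration and CAPolicy.inf, as in the wizard-based procedure.
Invoke-Tool reg.exe @('export',
                      'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration',
                      (Join-Path $BackupDir 'CertSvc-Configuration.reg'), '/y')
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item -Path $caPolicy -Destination $BackupDir }

# Step 6: stop the CA so no further certificates are issued.
Stop-Service -Name CertSvc

# Step 7: confirm the expected files exist before anything is decommissioned.
if (-not (Get-ChildItem -Path $BackupDir -Filter *.p12)) {
    throw "No .p12 file (CA certificate and private key) found in $BackupDir"
}
if (-not (Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter *.edb)) {
    throw "No .edb database file found under $BackupDir\DataBase"
}

# Hash everything first, then write the manifest, so it never lists itself.
$rows = @(New-BackupManifest -Dir $BackupDir -Exclude (Split-Path $manifest -Leaf))
$rows | Export-Csv -Path $manifest -NoTypeInformation
"Backed up $($rows.Count) file(s) to $BackupDir"
```

The backup folder contains the CA private key, so keep it on media with access limited to the administrators performing the migration.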

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly recommended task: Staging a certificate restore is the most important part before you decommission the existing certificate server. Create an isolated environment similar to your Active Directory Domain Services. Add a new certificate authority and restore the database and private key. Test whether the certificates, templates, registry and private key match your production infrastructure. Once you are satisfied and the restoration tasks have completed successfully, you can decommission the certificate authority. If the source certificate authority is virtual, I would recommend that you take a snapshot before you remove the CA role.

  • To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
  • To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    Note: You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next. On the Confirm Installation Options page, review all of the configuration settings, click Install, and wait until the setup process has finished.

  10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

  11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

  12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

  13. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe
  1. Log on to the destination server by using an account that is a CA administrator.

  2. Open a Command Prompt window.

  3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To restore the certificate templates list

Log on with administrative credentials to the destination CA.

  1. Open a command prompt window.

  2. Type certutil -setcatemplates +<templatelist> and press ENTER.

Important: Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify the following registry locations and configuration parameters:

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory
  • DBSessionCount

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration\CAname

  • CACertPublicationURLs
  • CRLPublicationURLs

Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers
  1. Open Active Directory Sites and Services> In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

  6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  7. In the console tree, expand CDP, and then click the name of the source server.

  8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

  9. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  10. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  11. Repeat steps 8 through 10 for each cRLDistributionPoint item.

Additional procedures for failover clustering

  • CA Role must be installed on both nodes

  • Stop Active Directory Certificate Services from Services.msc

  • Ensure shared storage is online.

  • certificate store and logs must be placed in shared storage.

To verify shared storage is online

  1. Log on to the destination server. Start Server Manager.

  2. In the console tree, double-click Storage, and click Disk Management.

  3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow the Configure Microsoft Fail over Cluster article (listed under Additional references) to create and configure a cluster.

  1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

  2. In the list of services and applications, select Generic Service, and click Next.

  3. In the list of services, select Active Directory Certificate Services, and click Next.

  4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

  5. To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. Click Next twice.

  6. Click Finish to complete the failover configuration for AD CS.

  7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

  8. In the details pane, click Generic Service. On the Action menu, click Properties.

  9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service
  1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

  2. In the details pane, select the previously created name of the clustered service.

  3. On the Action menu, click Add a resource, and then click Generic Service.

  4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

  5. Under Services and Applications in the console tree, click the name of the clustered services.

  6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

  7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

  8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

  9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: If you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions on the following AD DS containers:
  • The AIA container
  • The Enrollment container
  • The KRA container
To grant permissions on public key containers in AD DS
  1. Open Active Directory Sites and Services. In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

  7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

  8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  9. In the console tree, click KRA.

10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS
  1. Log on to the active cluster node as a member of the Enterprise Admins group.

  2. Open ADSI Edit. On the Action menu, click Connect to. Click Configuration, and click OK.

  3. In the console tree, expand Configuration\Services\Public Key Services\Enrollment Services.

  4. Double-click the CN and check that dNSHostName is the same as the name shown under Failover Cluster Management in the Failover Cluster Manager snap-in. If it is not, enter the proper FQDN of the cluster. Click OK to save changes.

  5. Open dnsmgmt.msc from the Start menu>Run. Verify that a Host (A) DNS record has been added with the same name and IP address as the cluster.

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points
  1. Open the registry editor and locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

  3. In the second line, replace %2 with the service name specified in step 4 of the procedure “To configure AD CS as a cluster resource.” The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

  4. Open a command prompt, type certutil -CRL, and press ENTER.

  5. To create the CRL distribution point container in AD DS, at a command prompt, type cd %windir%\System32\CertSrv\CertEnroll, and press ENTER. The CRL file created by the certutil -CRL command should be located in this directory.

  6. To publish the CRL in AD DS, type certutil -f -dspublish "CRLFile.crl" and press ENTER.

To set up auditing on the CA: open the CA MMC > select the certificate server > right-click > click Properties.

Check the events you want to audit > click OK. Restart the CA service.

To deploy the enterprise root CRL using GPO: create a new Group Policy object or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Trusted Root Certificates > click Import > locate the root certificate and import it. Click Close.

To configure an automatic certificate request: create a new Group Policy object or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Automatic Certificate Request > click New > click Automatic Certificate Request > configure the certificate template and request. Note that Autoenroll must be allowed on the Security tab of the certificate template in the CA.

System Center Virtual Machine Manager 2012 Beta First Look

System Requirements:

  • Windows Server 2008 R2 x64 domain member
  • Windows Remote Management (WinRM) 2.0
  • Windows PowerShell 2.0
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • Windows AIK for Windows 7
  • SQL Server 2008 or SQL Server 2008 R2
  • WDS and WSUS roles installed 

Installation of System Center Virtual Machine Manager 2012:

System Center Virtual Machine Manager 2012 Beta – Evaluation (VHD)

SCVMM 2012 Beta Download

Remove initial configuration wizard on Windows Server 2008 using GPO

Open the Group Policy Management console with administrative privileges. Create a GPO and link it to the Enterprise Server OU. Right-click the Enterprise Server OU > click Properties.

In the GPO, expand Computer Configuration > Policies > Administrative Templates > System and select Server Manager.

Enable both options in this section.

Close the window. Run gpupdate on the servers to apply the GPO, or wait for the GPO to refresh at the configured Group Policy refresh interval.

Configure Microsoft Fail over Cluster for DHCP services—step by step

Microsoft Cluster Requirements: Servers, NICs and storage must meet the Microsoft cluster requirements before you configure MSCS using two or more independent computers. The objective of creating a cluster is to avoid a single point of failure, that is, to provide high availability for services or applications. Before you configure a cluster, keep in mind that your design must meet this primary condition.

To achieve redundancy, you can connect your cluster nodes with networks built from teamed network adapters, redundant switches and redundant routers, which removes single points of failure.

Serial Attached SCSI or Fibre Channel components must be identical and use the same firmware version. For iSCSI storage, you must use a dedicated HBA or gigabit network adapter for storage. This adapter cannot be used for network communication. To use the native disk support included in failover clustering, use basic disks, not dynamic disks. Microsoft recommends that you use NTFS for the quorum disk and shared storage. You can use either master boot record (MBR) or GUID partition table (GPT). A LUN used for one set of cluster servers should be isolated from all other servers through LUN masking or zoning. In a highly available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software or Microsoft Multipath I/O (MPIO). Use at least two HBAs per server, connected to two different fabric switches.

You can configure a Microsoft cluster using all versions of Windows Server 2008 Enterprise and Datacenter. You must configure both nodes with the same architecture, OS, patches and hotfixes. For example, if one node is x64, then all other nodes in the same cluster must be x64. To build MSCS, you must have a functional AD DS, an Active Directory domain controller, and administrative roles to manage MSCS.

Unsupported configuration:

  • NIC Teaming other than use of manufacturer teaming software
  • IP addresses assigned from a Dynamic Host Configuration Protocol (DHCP) server for the cluster administration address (which is associated with the cluster name) or any IP address resources.
  • NIC non-multiported
  • For iSCSI, you cannot use teamed network adapters, because they are not supported with iSCSI
  • Windows Server 2008 Standard
  • MSCS cannot be formed between two nodes that are members of two different Active Directory forests.

Configure Network: MSCS requires a minimum of two network adapters in each node of the cluster to be certified for the HCL: one for the heartbeat network and another for the public network, that is, data transmission on the internal network. All network cards on the public network need to be on the same logical network (same subnet) regardless of their physical location. It is recommended that you assign the private network adapter an address from the Class A, Class B or Class C IP ranges.

Microsoft does not recommend that you use network teaming on a cluster. However, if you do use manufacturer-specific network adapter teaming software (Dell advanced network management suite), it must be seamless to the cluster and must reside only on the public network. The NIC is connected with a separate crossover cable (or to a switch in the same VLAN).

Sample IP configuration of Internal NIC:

IP Address 10.10.10.20/24  DG: 10.10.10.1  DNS: 10.10.10.5

Sample IP configuration of Heartbeat:

IP Address 192.168.100.0/24 DG: Null DNS: Null

Open the Failover Cluster Management console > click Networks > right-click the heartbeat network > click Properties > select “Do not allow the cluster to use this network” > click Apply and OK. Note that this NIC is dedicated to the heartbeat network. Clients should use another network.

Configure Shared Storage: I used FreeNAS as the iSCSI target. To use FreeNAS as an iSCSI target, download the FreeNAS iSCSI target VMware VMDK file from SourceForge or freenas.org.

Add target disks for quorum and shared storage.

Start the FreeNAS VM. From the console setup, set the LAN IP and the WebGUI password. Open IE in Windows 7 and browse to the FreeNAS IP. Make sure scripts and ActiveX are allowed in IE. Click Services > iSCSI Target > click Portal > add the LAN IP address you configured as the portal IP address.

Click Settings > Enable iSCSI target. Do not change the default settings. Click Target > click Add Extent to mount the disk. Once finished, add a target and assign it to the disk you added in the previous steps. You can add as many disks and targets as you want from this window. Apply changes.

Log on to the cluster server. In Administrative Tools, click iSCSI Initiator > click the Discovery tab > click Add Portal. Type the IP address of the iSCSI target, leave the rest of the settings at their defaults, and add the target portal.

Click the Targets tab > click Refresh. You will be presented with the target disk. Select the target disk and click Log on. Check “Automatically restore this connection when the computer starts” and click OK.

Start Menu > Run > type diskmgmt.msc and click OK. Check that the disk is visible to the cluster server. Configure the disk as basic with the NTFS file system.

Note that for this article, I am using the software initiator as I don’t have an HBA in my test infrastructure. So don’t ask why I use the MS iSCSI initiator. You can use other means of connecting storage to your server; you are free to do so as long as it supports the Microsoft HAL.

Install Fail Over Cluster Feature: In Server Manager, click Add Features Wizard, click Failover Clustering, and then click Install. Follow the installation wizard.

Configure Cluster: To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. Right-click Failover Cluster Management > click Create a Cluster. Add the servers that will be part of this cluster, type the IP address, type the name of the cluster, and add the shared storage. Follow the wizard to finish creating the cluster.

Check Clustered Disk:

Open Failover Cluster Management, click Storage and view the available storage. You may label your quorum disk “quorum” and assign “Q” as its drive letter to quickly identify the quorum disk.

Configure Quorum Disk:

The quorum algorithm is a mathematical method for determining whether a majority of cluster members exists so that resources can be shared across a cluster system. Quorum is the number of votes that must be present for the cluster to function. A cluster system can designate a disk as the quorum disk. The quorum disk acts as a virtual cluster member whose purpose is to add one vote to the total cluster votes. For example, if you have a thirteen-node cluster and your seventh node fails, then the cluster will be inoperative. By establishing a quorum disk, you can increase the availability of a two-node cluster; such configurations can maintain quorum in the event of failure of either the quorum disk or one node, and continue operating. There are four quorum modes: Node Majority, Node and Disk Majority, Node and File Share Majority, and No Majority: Disk Only.

Right-click Storage > click Add disk > select the cluster disk > click OK. You can create a 2 GB quorum disk for your cluster. Don’t worry about this screenshot. This is just for this article.

Right-click Failover Cluster Management > click Validate Cluster > select disk validation and perform the validation. You will see that you passed validation.

Right-click the FQDN of the failover cluster, click More Actions, and then click Configure Cluster Quorum Settings. MSCS will recommend a cluster mode for your settings; select the recommended one. Click Next.

Select the witness storage disk and click Next. Click Finish and view the report.

Configure Services or Application: Once you finish configuring MSCS, you are ready to create a service or application in this cluster. For this article, I am going to create a DHCP cluster. Please note that to create a clustered service or server role, you must have the specific server role installed on both nodes of the cluster.

Right-click Services and Applications > click Configure a Service or Application > select DHCP Server > click Next > type the clustered DHCP IP address > select the shared storage. Follow the wizard and finish.

Now right-click testDHCP > click Manage.

Now add the DHCP scope or superscope. Note that the IP helper address on your Cisco L3 switch or core switch will be the virtual cluster IP of the DHCP cluster.

Command Line: Open an elevated command prompt. Type Cluster /help to see all cluster commands. Type Net Start CLUSSVC /FQ and press ENTER to start cluster quorum. Type CLUSTER [cluster-name] NODE node-name /STATUS and press ENTER to see the status of a cluster node. For more help on cluster groups and nodes, type CLUSTER GROUP /? and CLUSTER NODE /? and press ENTER.
