How to Configure Microsoft ADFS with Azure MFA as Primary Authentication


In order to set up Azure MFA as primary authentication with AD FS, you must move to Azure MFA (the cloud-based version). I have not deployed Azure Multi-Factor Authentication Server (the on-prem/hybrid version) in a few years for anyone as …

Upgrading AD FS to Windows Server 2016 FBL


This article describes how to install a new AD FS 2016 farm or upgrade an existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016. Prerequisites: the AD FS role in Windows Server 2016, administrative privilege in both AD FS …

Microsoft Software Defined Storage AKA Scale-out File Server (SOFS)

Business Challenges:

  • $/IOPS and $/TB
  • Continuous Availability
  • Fault Tolerance
  • Storage Performance
  • Segregation of production, development and disaster recovery storage
  • De-duplication of unstructured data
  • Segregation of data between production site and disaster recovery site
  • Continuous break fix of Distributed File Systems (DFS) & File Server
  • Continuously extending storage on the DFS servers
  • Single point of failure
  • File systems are not always available
  • Security of file systems is a constant concern
  • Proprietary, non-scalable storage
  • Management of physical storage
  • Vendor lock-in contract for physical storage
  • Migration path from single vendor to multi vendor storage provider
  • Management overhead of unstructured data
  • Comprehensive management of storage platform

Solutions:

Microsoft Software Defined Storage, AKA Scale-Out File Server, is a feature designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provide the ability to share the same folder from multiple nodes of the same cluster. Microsoft Software Defined Storage offerings compared with third-party offerings:

Storage feature                Third-party NAS/SAN            Microsoft Software-Defined Storage
Fabric                         Block protocol                 File protocol
Network                        Low latency network with FC    Low latency with SMB3 Direct
Management                     Management of LUNs             Management of file shares
Data de-duplication            Data de-duplication            Data de-duplication
Resiliency                     RAID resiliency groups         Flexible resiliency options
Pooling                        Pooling of disks               Pooling of disks
Availability                   High                           Continuous (via redundancy)
Copy offload, Snapshots        Copy offloads, Snapshots       SMB copy offload, Snapshots
Tiering                        Storage tiering                Performance with tiering
Persistent write-back cache    Persistent write-back cache    Persistent write-back cache
Scale up                       Scale up                       Automatic scale-out rebalancing
Storage Quality of Service     Storage QoS                    Storage QoS (Windows Server 2016)
Replication                    Replication                    Storage Replica (Windows Server 2016)
Updates                        Firmware updates               Rolling cluster upgrades (Windows Server 2016)
                                                              Storage Spaces Direct (Windows Server 2016)
                                                              Azure-consistent storage (Windows Server 2016)

 

Functional use of Microsoft Scale-Out File Servers:

1. Application Workloads

  • Microsoft Hyper-v Cluster
  • Microsoft SQL Server Cluster
  • Microsoft SharePoint
  • Microsoft Exchange Server
  • Microsoft Dynamics
  • Microsoft System Center DPM Storage Target
  • Veeam Backup Repository

2. Disaster Recovery Solution

  • Backup Target
  • Object storage
  • Encrypted storage target
  • Hyper-v Replica
  • System Center DPM

3. Unstructured Data

  • Continuously Available File Shares
  • DFS Namespace folder target server
  • Microsoft Data de-duplication
  • Roaming user Profiles
  • Home Directories
  • Citrix User Profiles
  • Outlook Cached location for Citrix XenApp Session Server

4. Management

  • Single Management Point for all Scale-out File Servers
  • Provide wizard driven tools for storage related tasks
  • Integrated with Microsoft System Center

Business Values:

  • Scalability
  • Load balancing
  • Fault tolerance
  • Ease of installation
  • Ease of management/operations
  • Flexibility
  • Security
  • High performance
  • Compliance & Certification

SOFS Architecture:

Microsoft Scale-out File Server (SOFS) is considered a Software Defined Storage (SDS) solution. Microsoft SOFS is independent of the hardware vendor as long as the compute and storage are certified by Microsoft Corporation. The following figures show a Microsoft Hyper-V cluster, SQL cluster and object storage on the SOFS.

Figure: Microsoft Software Defined Storage (SDS) Architecture

Figure: Microsoft Scale-out File Server (SOFS) Architecture

Figure: Microsoft SDS Components

Figure: Unified Storage Management (See Reference)

Microsoft Software Defined Storage AKA Scale-out File Server Benefits:

SOFS:

  • Continuous availability file stores for Hyper-V and SQL Server
  • Load-balanced IO across all nodes
  • Distributed access across all nodes
  • VSS support
  • Transparent failover and client redirection
  • Continuous availability at a share level versus a server level

De-duplication:

  • Identifies duplicate chunks of data and only stores one copy
  • Provides up to 90% reduction in storage required for OS VHD files
  • Reduces CPU and Memory pressure
  • Offers excellent reliability and integrity
  • Outperforms Single Instance Storage (SIS) or NTFS compression.

SMB Multichannel

  • Automatic detection of SMB Multi-Path networks
  • Resilience against path failures
  • Transparent failover with recovery
  • Improved throughput
  • Automatic configuration with little administrative overhead

SMB Direct:

  • The Microsoft implementation of RDMA.
  • The ability to direct data transfers from a storage location to an application.
  • Higher performance and lower latency through CPU offloading
  • High-speed network utilization (including InfiniBand and iWARP)
  • Remote storage at the speed of local storage
  • A transfer rate of approximately 50Gbps on a single NIC port
  • Compatibility with SMB Multichannel for load balancing and failover

VHDX Virtual Disk:

  • Online VHDX Resize
  • Storage QoS (Quality of Service)

Live Migration

  • Easy migration of virtual machine into a cluster while the virtual machine is running
  • Improved virtual machine mobility
  • Flexible placement of virtual machine storage based on demand
  • Migration of virtual machine storage to shared storage without downtime

Storage Protocol:

  • SAN discovery (FCP, SAS, iSCSI i.e. EMC VNX, EMC VMAX)
  • NAS discovery (Self-contained NAS, NAS Head i.e. NetApp OnTap)
  • File Server Discovery (Microsoft Scale-Out File Server, Unified Storage)

Unified Management:

  • A new architecture provides ~10x faster disk/partition enumeration operations
  • Remote and cluster-awareness capabilities
  • SM-API exposes new Windows Server 2012 R2 features (Tiering, Write-back cache, and so on)
  • SM-API features added to System Center VMM
  • End-to-end storage high availability space provisioning in minutes in VMM console
  • More Windows PowerShell

ReFS:

  • More resilience to power failures
  • Highest levels of system availability
  • Larger volumes with better durability
  • Scalable to petabyte size volumes

Storage Replica:

  • Hardware agnostic storage configuration
  • Provide a DR solution for planned and unplanned outages of mission critical workloads.
  • Use SMB3 transport with proven reliability, scalability, and performance.
  • Stretched failover clusters within metropolitan distances.
  • Manage end to end storage and clustering for Hyper-V, Storage Replica, Storage Spaces, Scale-Out File Server, SMB3, Deduplication, and ReFS/NTFS using Microsoft software
  • Reduce downtime, and increase reliability and productivity intrinsic to Windows.

Cloud Integration:

  • Cloud-based storage service for online backups
  • Windows PowerShell instrumented
  • Simple, reliable Disaster Recovery solution for applications and data
  • Supports System Center 2012 R2 DPM

Implementing Scale-out File Server

Scale-out File Server Recommended Configuration:

  1. Gather all virtual servers IOPS requirements*
  2. Gather Applications IOPS requirements
  3. Total IOPS of all applications & Virtual machines must be less than available IOPS of physical storage 
  4. Keep latency below 3 ms at all time for high performance
  5. Gather required capacity + potential growth + best practice
  6. N+1 Compute, Network and Storage Hardware
  7. Use low latency, high throughput networks
  8. Segregate storage network from data network using logical network (VLAN) or fibre channel
  9. Tools to be used

*Not all virtual servers are the same: a DHCP server generates few IOPS, while SQL Server and Exchange can generate thousands of IOPS.

*Do not place SQL Server on the same logical volume (LUN) with Exchange Server or Microsoft Dynamics or Backup Server.

*Isolate high IO workloads to separate logical volume or even separate storage pool if possible.

Prerequisites for Scale-Out File Server

  1. Install File and Storage Services server role, and the Failover Clustering feature on the cluster nodes
  2. Configure Microsoft failover Clusters using this article Windows Server 2012: Failover Clustering Deep Dive Part II
  3. Add Cluster Share Volume
  • Log on to the server as a member of the local Administrators group.
  • Open Server Manager> Click Tools, and then click Failover Cluster Manager.
  • Click Storage, right-click the disk that you want to add to the cluster shared volume, and then click Add to Cluster Shared Volumes> Add Storage Presented to this cluster.

Configure Scale-out File Server

  1. Open Failover Cluster Manager> Right-click the name of the cluster, and then click Configure Role.
  2. On the Before You Begin page, click Next.
  3. On the Select Role page, click File Server, and then click Next.
  4. On the File Server Type page, select the Scale-Out File Server for application data option, and then click Next.
  5. On the Client Access Point page, in the Name box, type a NETBIOS of Scale-Out File Server, and then click Next.
  6. On the Confirmation page, confirm your settings, and then click Next.
  7. On the Summary page, click Finish.

Create Continuously Available File Share

  1. Open Failover Cluster Manager>Expand the cluster, and then click Roles.
  2. Right-click the file server role, and then click Add File Share.
  3. On the Select the profile for this share page, click SMB Share – Applications, and then click Next.
  4. On the Select the server and path for this share page, click the name of the cluster shared volume, and then click Next.
  5. On the Specify share name page, in the Share name box, type a name for the file share, and then click Next.
  6. On the Configure share settings page, ensure that the Continuously Available check box is selected, and then click Next.
  7. On the Specify permissions to control access page, click Customize permissions, grant the following permissions, and then click Next:
  • To use Scale-Out File Server file share for Hyper-V: All Hyper-V computer accounts, the SYSTEM account, cluster computer account for any Hyper-V clusters, and all Hyper-V administrators must be granted full control on the share and the file system.
  • To use Scale-Out File Server on Microsoft SQL Server: The SQL Server service account must be granted full control on the share and the file system

  8. On the Confirm selections page, click Create. On the View results page, click Close.

Use SOFS for Hyper-v Server VHDX Store:

  1. Open Hyper-V Manager. Click Start, and then click Hyper-V Manager.
  2. Open Hyper-v Settings> Virtual Hard Disks> Specify Location of Store as \\SOFS\VHDShare\ and Specify location of Virtual Machine Configuration \\SOFS\VHDCShare
  3. Click Ok.

Use SOFS in System Center VMM: 

  1. Add Windows File Server in VMM
  2. Assign SOFS Share to Fabric & Hosts

Use SOFS for SQL Database Store:

1. Assign SQL Service Account Full permission to SOFS Share

  • Open Windows Explorer and navigate to the scale-out file share.
  • Right-click the folder, and then click Properties.
  • Click the Sharing tab, click Advanced Sharing, and then click Permissions.
  • Ensure that the SQL Server service account has full-control permissions.
  • Click OK twice.
  • Click the Security tab. Ensure that the SQL Server service account has full-control permissions.

2. In SQL Server 2012, you can choose to store all database files in a scale-out file share during installation.  

3. On step 20 of the SQL Setup Wizard, provide the location of the Scale-out File Server shares, which are \\SOFS\SQLData and \\SOFS\SQLLogs

4. Create a Database on SOFS Share but on the existing SQL Server using SQL Script

-- Data file and log file on separate SOFS shares (use straight quotes; curly quotes are a syntax error)
CREATE DATABASE [TestDB]
ON PRIMARY
( NAME = N'TestDB', FILENAME = N'\\SOFS\SQLDB\TestDB.mdf' )
LOG ON
( NAME = N'TestDBLog', FILENAME = N'\\SOFS\SQLDBLog\TestDBLogs.ldf' )
GO
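The share and NTFS permissions described under "Create Continuously Available File Share", "Use SOFS for Hyper-v Server VHDX Store" and "Use SOFS for SQL Database Store" can be scripted instead of clicked through. The following is an added example, not code from the original post; it uses the FailoverClusters and SmbShare modules and assumes a SOFS role named SOFS, a CSV at C:\ClusterStorage\Volume1, the CONTOSO domain, Hyper-V hosts HV01/HV02 with a cluster account HVCLUSTER, an admin group "Hyper-V Admins" and a SQL service account svc-sql, all of which are placeholder names.

```powershell
# Added example (not from the original post). Creates the SOFS role and continuously
# available shares with share-level and NTFS permissions limited to the accounts the
# post lists. All server, group and account names below are assumed placeholders.
Import-Module FailoverClusters, SmbShare

$sofsName = 'SOFS'
if (-not (Get-ClusterGroup -Name $sofsName -ErrorAction SilentlyContinue)) {
    # Equivalent of "Configure Role > File Server > Scale-Out File Server for application data"
    Add-ClusterScaleOutFileServerRole -Name $sofsName | Out-Null
}

function New-SofsShare {
    param(
        [string]   $Name,
        [string]   $Path,
        [string[]] $FullControl   # the only principals that get access at either layer
    )
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # Share-level ACL: explicit full control for the listed accounts, nothing for Everyone.
    # -ScopeName ties the share to the SOFS client access point (\\SOFS\<Name>).
    New-SmbShare -Name $Name -Path $Path -ScopeName $sofsName `
        -ContinuouslyAvailable $true -FullAccess $FullControl | Out-Null

    # NTFS ACL: stop inheriting from the CSV root, then grant the same principals only.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs
    foreach ($p in $FullControl) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Hyper-V: host computer accounts, the Hyper-V cluster account, SYSTEM and the Hyper-V admins
$hvPrincipals = 'CONTOSO\HV01$', 'CONTOSO\HV02$', 'CONTOSO\HVCLUSTER$',
                'NT AUTHORITY\SYSTEM', 'CONTOSO\Hyper-V Admins'
New-SofsShare -Name 'VHDShare'  -Path 'C:\ClusterStorage\Volume1\VHDShare'  -FullControl $hvPrincipals
New-SofsShare -Name 'VHDCShare' -Path 'C:\ClusterStorage\Volume1\VHDCShare' -FullControl $hvPrincipals

# SQL Server: the service account only, matching the share names used in the CREATE DATABASE script
New-SofsShare -Name 'SQLDB'    -Path 'C:\ClusterStorage\Volume1\SQLDB'    -FullControl 'CONTOSO\svc-sql'
New-SofsShare -Name 'SQLDBLog' -Path 'C:\ClusterStorage\Volume1\SQLDBLog' -FullControl 'CONTOSO\svc-sql'

# Verify: CA flag set on every share, and no Everyone/Authenticated Users ACE at either layer
Get-SmbShare -ScopeName $sofsName | Select-Object Name, ContinuouslyAvailable, Path
Get-SmbShareAccess -Name 'SQLDB' -ScopeName $sofsName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl 'C:\ClusterStorage\Volume1\SQLDB').Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

Run it on one cluster node after the CSV has been added; a share that is missing the ContinuouslyAvailable flag or still carries inherited ACEs from the volume root shows up in the final three commands.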

Use Backup & Recovery:

System Center Data Protection Manager 2012 R2

Configure and add a dedupe storage target in DPM 2012 R2. DPM 2012 R2 will not back up SOFS itself, but it will back up VHDX files stored on SOFS. Follow the Deduplicate DPM storage and protection for virtual machines with SMB storage guide to back up virtual machines.

Veeam Availability Suite

  1. Log on to Veeam Availability Console>Click Backup Repository> Right Click New backup Repository
  2. Select Shared Folder on the Type Tab
  3. Add SMB Backup Target \\SOFS\Repository
  4. Follow the Wizard. Make Sure Service Account of Veeam has full access permission to \\SOFS\Repository  Share.
  5. Click Scale-out Repositories>Right Click Add Scale-out backup repository> Type the Name
  6. Select the backup repository you created in previous>Follow the Wizard to complete tasks.

References:

Microsoft Storage Architecture

Storage Spaces Physical Disk Validation Script

Validate Hardware

Deploy Clustered Storage Spaces

Storage Spaces Tiering in Windows Server 2012 R2

SMB Transparent Failover

Cluster Shared Volume (CSV) Inside Out

Storage Spaces – Designing for Performance

Related Articles:

Scale-Out File Server Cluster using Azure VMs

Microsoft Multi-Site Failover Cluster for DR & Business Continuity

Understanding Network Virtualization in SCVMM 2012 R2

Networking in SCVMM is the communication mechanism to and from the SCVMM server, Hyper-V hosts, Hyper-V clusters, virtual machines, applications, services, physical switches, load balancers and third-party hypervisors. Functionality includes: logical networking of almost "anything" hosted in SCVMM; logical network …

Understanding Dynamic Quorum in a Microsoft Failover Cluster

Windows Server 2012: Failover Clustering Deep Dive

Microsoft introduced an advanced quorum configuration option in Windows Server 2012/R2. You can choose to enable dynamic quorum management by the cluster. There are major benefits to having dynamic quorum in any Microsoft cluster, whether for an Exchange DAG, SQL cluster, Hyper-V cluster or file server cluster. When you configure dynamic quorum, the cluster dynamically manages the vote assignment to nodes based on the state of each node. Votes are automatically removed from nodes that leave active cluster membership, and a vote is automatically assigned when a node re-joins the cluster. Dynamic quorum removes the dependency on a quorum disk in Hyper-V and also enables a multi-site cluster across diverse geographic locations without sharing a common disk.

Pros:

  • With dynamic quorum management, it is also possible for a cluster to run on the last surviving cluster node.
  • By dynamically adjusting the quorum majority requirement, the cluster can sustain sequential node shutdowns to a single node.
  • The cluster software automatically configures the quorum for a new cluster, based on the number of nodes configured and the availability of shared storage.

Cons:

  • Dynamic quorum management does not allow the cluster to sustain a simultaneous failure of a majority of voting members. To continue running, the cluster must always have a quorum majority at the time of a node shutdown or failure.
  • If you have explicitly removed the vote of a node, the cluster cannot dynamically add or remove that vote.

How to configure a dynamic quorum?

Configure a standard cluster as you do in a Microsoft environment. Then use Quorum Configuration Wizard in Cluster Manager to configure advanced quorum.

  1. In Failover Cluster Manager, select the cluster that you want to change.
  2. With the cluster selected>under Actions>click More Actions> and then click Configure Cluster Quorum Settings> Click Next.
  3. On the Select Quorum Configuration Option page>click Advanced quorum configuration and witness selection
  4. On the Select Voting Configuration page>select an option to assign votes to nodes. By default, all nodes are assigned a vote.
  5. On the Configure Quorum Management page> enable the Allow cluster to dynamically manage the assignment of node votes
  6. On the Select Quorum Witness page>select Do not configure a quorum witness, and then complete the wizard
  7. Click Next>then click Next.

Once quorum is reconfigured, run the Validate Quorum Configuration test to verify the updated quorum settings. Follow these steps to validate quorum.

  1. In Failover Cluster Manager, select the cluster> run the Validate Quorum Configuration test to verify the updated quorum settings.
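The same wizard steps can be driven from the FailoverClusters module, which also makes the resulting vote state easy to inspect. This is an added example, not code from the original post; it assumes a cluster named CLUSTER01, and that Test-Cluster accepts the individual test name "Validate Quorum Configuration" via -Include (an assumption; -Include also accepts category names).

```powershell
# Added example (not from the original post). Performs the quorum wizard steps with the
# FailoverClusters module and then reports the static and dynamic votes. Assumes a cluster
# named CLUSTER01 (placeholder).
Import-Module FailoverClusters
$clusterName = 'CLUSTER01'

# "Allow cluster to dynamically manage the assignment of node votes" (1 = enabled)
$cluster = Get-Cluster -Name $clusterName
$cluster.DynamicQuorum = 1

# "Do not configure a quorum witness", as in step 6 of the wizard walk-through
Set-ClusterQuorum -Cluster $clusterName -NoWitness | Out-Null

# Give every node a static vote. A node whose vote was removed by hand (NodeWeight = 0)
# is exactly the case dynamic quorum cannot manage, per the Cons list above.
Get-ClusterNode -Cluster $clusterName | ForEach-Object { $_.NodeWeight = 1 }

function Get-QuorumReport {
    param([string] $Cluster)
    # NodeWeight = configured vote; DynamicWeight = vote the cluster is currently counting
    $nodes = Get-ClusterNode -Cluster $Cluster |
        Select-Object Name, State, NodeWeight, DynamicWeight
    $votes = ($nodes | Where-Object DynamicWeight -eq 1 | Measure-Object).Count
    [pscustomobject]@{
        DynamicQuorum = (Get-Cluster -Name $Cluster).DynamicQuorum
        Witness       = (Get-ClusterQuorum -Cluster $Cluster).QuorumResource
        CurrentVotes  = $votes
        Nodes         = $nodes
    }
}

$report = Get-QuorumReport -Cluster $clusterName
$report | Format-List DynamicQuorum, Witness, CurrentVotes
$report.Nodes | Format-Table Name, State, NodeWeight, DynamicWeight

# Re-run only the quorum validation test, as the post recommends after reconfiguring
# (assumption: -Include accepts this individual test name)
Test-Cluster -Cluster $clusterName -Include 'Validate Quorum Configuration'
```

Run Get-QuorumReport again after stopping a node: its DynamicWeight should drop to 0 while NodeWeight stays 1, which is the behaviour the Pros list describes.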

Design and Build Microsoft Distributed File System (DFS)

Supported:

  • Windows and DFS Replication support folder paths with up to 32 thousand characters.
  • DFS Replication is not limited to folder paths of 260 characters.
  • Replication groups can span across domains within a single forest
  • VSS with DFS is supported.

Scalability on Windows Server 2012 R2

  • Size of all replicated files on a server: 100 terabytes.
  • Number of replicated files on a volume: 70 million.
  • Maximum file size: 250 gigabytes.
  • Files can be staged at sizes ranging from 16 KB to 1 MB. The default is 64 KB when RDC is enabled; when RDC is disabled, it is 256 KB on the sending member.
  • Up to 5000 folders with target. Maximum 50000 folders with targets.

Scalability on Windows Server 2008 R2

  • Size of all replicated files on a server: 10 terabytes.
  • Number of replicated files on a volume: 11 million.
  • Maximum file size: 64 gigabytes.

Unsupported:

  • Cross-forest replication is unsupported
  • NTBackup for remote backup of DFS folders
  • DFS in a workgroup environment

Determining Time Zone in DFS

Coordinated Universal Time (UTC). This option causes the receiving member to treat the schedule as an absolute clock. For example, a schedule that begins at 0800 UTC is the same for any location, regardless of time zone or whether daylight saving time is in effect for a receiving member. Assume that you set replication to begin at 0800 UTC: a receiving member in Eastern Standard Time would begin replicating at 3:00 A.M. local time (UTC – 5), and a receiving member in Rome would begin replicating at 9:00 A.M. local time (UTC + 1). Note that the UTC offset shifts when daylight saving time is in effect for a particular location.

Local time of receiving member. This option causes the receiving member to use its local time to start and stop replication. Local time is determined by the time zone and daylight savings time status of the receiving member. For example, a schedule that begins at 8:00 A.M. will cause every receiving member to begin replicating when the local time is 8:00 A.M. Note that daylight savings time does not cause the schedule to shift. If replication starts at 9 A.M. before daylight savings time, replication will still start at 9 A.M. when daylight savings time is in effect.

Determine AD Forest

  • The forest uses the Windows Server 2003 or higher forest functional level.
  • The domain uses the Windows Server 2008 or higher domain functional level.
  • All namespace servers are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

Using RDC:

Remote differential compression (RDC) is a client-server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFS Replication to replicate only the changes when files are updated. RDC is used only for files that are 64 KB or larger by default. RDC can use an older version of a file with the same name in the replicated folder or in the DfsrPrivate\ConflictandDeleted folder (located under the local path of the replicated folder).

RDC is used when the file exceeds a minimum size threshold. This size threshold is 64 KB by default. After a file exceeding that threshold has been replicated, updated versions of the file always use RDC, unless a large portion of the file is changed or RDC is disabled.

  • RDC is available in Windows Server 2008 R2 Enterprise and Datacenter Edition.
  • RDC is available in Windows Server 2012/R2 Standard and Datacenter Edition.

DFS Namespaces Settings and Features

A referral is an ordered list of targets, transparent to the user that a client receives from a domain controller or namespace server when the user accesses the namespace root or a folder with targets in the namespace. The client caches the referral for a configurable period of time.

Targets in the client’s Active Directory site are listed first in a referral. (Targets given the target priority “first among all targets” will be listed before targets in the client’s site.) The order in which targets outside of the client’s site appear in a referral is determined by one of the following referral ordering methods:

  • Lowest cost
  • Random order
  • Exclude targets outside of the client's site

Design the Replication Topology

To publish data, you will likely use a hub-and-spoke topology, where one or more hub servers are located in data centers, and servers in branch offices will connect to one or more hub servers. To prevent the hub servers from becoming overloaded, we recommend that fewer than 100 spoke members replicate with the hub server at any given time. If you need more than 100 spoke members to replicate with a hub server, set up a staggered replication schedule to balance the replication load of the hub server.

The lowest cost ordering method works properly for all targets only if the Bridge all site links option in Active Directory is enabled. (This option, as well as site link costs, are available in the Active Directory Sites and Services snap-in.) An Inter-site Topology Generator that is running Windows Server 2003 relies on the Bridge all site links option being enabled to generate the inter-site cost matrix that the Distributed File System service requires for its site-costing functionality. If the Bridge all site links option is enabled, the servers in a referral are listed in the following order:

  1. The server in the branch site.
  2. The server in regional data center site 1. (Cost = 10)
  3. The server in regional data center site 2. (Cost = 30)
  4. The server in regional data center site 3. (Cost = 50)

A domain-based namespace can be hosted by multiple namespace servers to increase the availability of the namespace. Putting a namespace server in remote or branch offices also allows clients to contact a namespace server and receive referrals without having to cross expensive WAN connections.

Definitions:

Namespace server. A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

Namespace root. The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folder. Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

Folder targets. A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\domain.com\Public\Software\Tools is transparently redirected to the shared folder \\server1\Tools or \\server2\Tools, depending on which site the user is currently located in.

By default, DFS replication between two members is bidirectional. Bidirectional connections occur in both directions and include two one-way connections. If you desire only a one-way connection, you can disable one of the connections or use share permissions to prevent the replication process from updating files on certain member servers.

Step1: Organise the folder structure on multiple servers in geographically diverse locations

Example:

  • Server1 in Perth: D:\Marketing, D:\HR, D:\IT
  • Server2 in Melbourne: D:\Marketing, D:\HR, D:\IT

Step2: Install DFS on Server

Before setting up replication between servers, the DFS Replication role needs to be installed on each server that is going to participate in the replication group. Open Server Manager by clicking on the Server Manager icon on the task bar.

  1. On the Welcome Tile, under Quick Start, click on Add roles and features to start the Add Roles and Features Wizard. If there’s no Welcome Tile, it might be hidden. Click View on the menu bar and click Show Welcome Tile.
  2. Click Next.
  3. Select Role-based or feature-based installation and click Next.
  4. Select a server from the server pool and select the server on which you want to install DFS Replication. Click Next.
  5. Under Roles, expand File and Storage Services, expand File and iSCSI Services, select DFS Replication and click Next.
  6. If you have not already installed the features required for DFS Replication, the following box will pop up explaining which features and roles will be installed along with DFS Replication.
  7. Click Add Features.
  8. Back to the Select server roles dialog. It should now show DFS Replication as checked along with the other roles required for DFS Replication.
  9. Click Next.
  10. The Select features dialog shows the features that will be added along with the DFS Replication role.
  11. Click Next.
  12. Click Install.
  13. Click Close when the installation completes.
  14. You will notice a new DFS management icon.

Step3: Create New Namespace

  1. Double click on this icon to open the DFS Management MMC.
  2. In the DFS Management console, right click on Namespaces and select new namespace. In the New Namespace Wizard, select the server that will host the namespace (the DFS server) and click next to continue.
  3. Give your DFS namespace an easy-to-understand name and click Next.
  4. The next step asks whether you want to use a domain-based namespace or a stand-alone namespace. Select domain-based DFS namespace and click Next, then Create.
  5. Once finished, you will see the newly created namespace in the Namespaces section of DFS Management along with its UNC path. This is the path you will use to access the DFS share.
  6. Now that we have created the namespace, it's time to add some folders. In DFS, you can access multiple shared folders using a single drive letter. Add the required folders to the DFS namespace.
  7. Right click on the DFS namespace and select new folder.
  8. In the new folder window, create a folder named X, then click on the add button and locate the folder on the required server. When finished, click OK.
  9. Repeat the process to add the other shared folders.
  10. To test – Open a browser and type the UNC path of your DFS namespace. All folders appear in a single share.

Step5: Replicate Folders

  1. In the DFS Management console, double click on the folder to view its path.
  2. Log in to server 2 and create a folder named admin as well.
  3. Right click on the folder and select add folder target.
  4. Enter the UNC path of the folder located on the second server and click OK.
  5. You will be prompted to create a replication group. Click yes.
  6. Follow the wizard to configure the replication parameters.
  • Primary Member: This is the server that has the initial copy of the files you want to replicate.
  • Topology: This dictates in what fashion the replication will occur.
  • Bandwidth and Schedule: How much bandwidth to allocate and when to synchronize.
  7. Once you have finished, click Create. Any file that you create, modify or delete when using the namespace UNC path will be almost immediately copied to both replicating folders.

Step6: Manually create a replication group if you did not create one in the previous step

  1. In the console tree of the DFS Management snap-in, right-click the Replication node, and then click New Replication Group.
  2. Follow the steps in the New Replication Group Wizard and supply the information in the following table.
  3. Select Multipurpose replication group>Type the name of the replication group> Click Add to select at least two servers that will participate in replication. The servers must have the DFS Replication Service installed.
  4. Select Full Mesh> Select Replicate continuously using the specified bandwidth.> Select the member that has the most up-to-date content that you want to replicate to the other member.
  5. Click Add to enter the local path of the Data folder you created earlier on the first server. Use the name Data for the replicated folder name.
  6. On this page, you specify the location of the Data folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Data folder.
  7. On this page, you specify the location of the Antivirus Signatures folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Antivirus Signatures folder.
  8. Click Create to create the replication group.
  9. Click Close to close the wizard. Click OK to close the dialog box that warns you about the delay in initial replication.
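The namespace and replication group built in Step3, Step5 and Step6 can also be created with the DFSN and DFSR PowerShell modules, which is easier to repeat across the Perth/Melbourne example above. This is an added example, not code from the original post; it assumes the domain contoso.com, Server1 (Perth) holding the authoritative copy, Server2 (Melbourne), existing SMB shares on each server named after the D:\ folders, a namespace \\contoso.com\Public, and a 4 GB staging quota, all placeholders.

```powershell
# Added example (not from the original post). Creates a domain-based namespace with a
# folder target on each server, one replication group covering the three department
# folders, and the RDC threshold discussed under "Using RDC". Names are placeholders.
Import-Module DFSN, DFSR

$domain  = 'contoso.com'
$hub     = 'Server1'      # Perth: has the initial copy, so it is the primary member
$spoke   = 'Server2'      # Melbourne
$folders = 'Marketing', 'HR', 'IT'
$nsRoot  = "\\$domain\Public"
$group   = 'RG-Public'

# Step3: domain-based namespace (2008 mode). Site costing makes referrals list the
# target in the client's own site first, which is what "Lowest cost" ordering relies on.
if (-not (Get-DfsnRoot -Path $nsRoot -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $nsRoot -TargetPath "\\$hub\Public" -Type DomainV2 `
        -EnableSiteCosting $true | Out-Null
}

# Step6: replication group with both members and a bidirectional connection
# (Add-DfsrConnection creates the two one-way connections the post mentions)
if (-not (Get-DfsReplicationGroup -GroupName $group -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-DfsReplicationGroup -GroupName $group -DomainName $domain | Out-Null
    Add-DfsrMember -GroupName $group -ComputerName $hub, $spoke -DomainName $domain | Out-Null
    Add-DfsrConnection -GroupName $group -SourceComputerName $hub `
        -DestinationComputerName $spoke -DomainName $domain | Out-Null
}

foreach ($f in $folders) {
    # Step5: namespace folder with a target on each server; clients get a referral to one of them
    New-DfsnFolder -Path "$nsRoot\$f" -TargetPath "\\$hub\$f" -ErrorAction SilentlyContinue | Out-Null
    New-DfsnFolderTarget -Path "$nsRoot\$f" -TargetPath "\\$spoke\$f" -ErrorAction SilentlyContinue | Out-Null

    # Replicated folder plus the local content path on each member; only the hub is primary,
    # so its content wins during the initial sync (the spoke's conflicting files go to ConflictAndDeleted)
    New-DfsReplicatedFolder -GroupName $group -FolderName $f -DomainName $domain | Out-Null
    Set-DfsrMembership -GroupName $group -FolderName $f -ComputerName $hub -ContentPath "D:\$f" `
        -PrimaryMember $true -StagingPathQuotaInMB 4096 -DomainName $domain -Force | Out-Null
    Set-DfsrMembership -GroupName $group -FolderName $f -ComputerName $spoke -ContentPath "D:\$f" `
        -PrimaryMember $false -StagingPathQuotaInMB 4096 -DomainName $domain -Force | Out-Null
}

# RDC is applied to files at or above this size; 64 KB is the default described above
Set-DfsrConnection -GroupName $group -SourceComputerName $hub -DestinationComputerName $spoke `
    -MinimumRDCFileSizeInKB 64 -DomainName $domain | Out-Null

# Make both members read the new configuration from AD now instead of at the next poll
Update-DfsrConfigurationFromAD -ComputerName $hub, $spoke

# Check: memberships and the initial backlog from hub to spoke
Get-DfsrMembership -GroupName $group -DomainName $domain |
    Format-Table ComputerName, FolderName, ContentPath, PrimaryMember, ReadOnly
Get-DfsrBacklog -GroupName $group -SourceComputerName $hub -DestinationComputerName $spoke -DomainName $domain
```

If a spoke should never push changes back to the hub, set -ReadOnly $true on that member's Set-DfsrMembership call instead of relying on share permissions.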

Migrate WSUS Server from Server 2008/R2 to Server 2012/R2

The following procedure applies if you have an existing WSUS server installed on Windows Server 2008 R2 with SQL Express and you wish to migrate to a Windows Server 2012 R2 WSUS server with a separate backend database server.

Step1: Backup SQL DB of Old WSUS Server

Log on to existing WSUS server. Open SQL Management Studio>Connect to DB>Right Click SUSDB>backup full database.


Step2: Export metadata from old WSUS Server

The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and WSUS Administrator Group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself and during the import or export process, the Update Service is shut down.

Open a command prompt as an administrator>go to C:\Program Files\Update Services\Tools

Issue the command wsusutil.exe export c:\export.cab c:\export.log

Move the export package you just created to the new Microsoft WSUS Server.

If .NET Framework v2 or v4 is installed but the WSUS application pool in IIS is not configured to use it, the command above will most likely fail and give you some grief. Here is a solution for this.

Verify that WSUS is configured to use the .NET4 libraries in IIS>Application Pool


Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools

Edit the file and add the following:

<configuration><startup><supportedRuntime version="v4.0.30319" /></startup></configuration>

If issue persists, please try to unapprove KB3020369 in WSUS Console then try again.

Re-run the wsusutil command, but produce a .xml.gz file instead of a CAB file, and all should be well.


Step3: Build New WSUS Server

Virtualize a new Windows Server 2012 R2 server. Set up a static IP and join the server to the domain. Install .NET Framework 4 on the new server. Do not configure WSUS at this stage. Go to Step4.

Step4: Restore SQL DB in New SQL Server (Remote and/or Local )

Log on to the SQL Server. Open SQL Management Studio>Create a database named SUSDB.

Restore the old SUSDB backup to the new SUSDB with the Overwrite the existing database option.

Assign the sysadmin and setupadmin roles to the account that will install the WSUS role on the new WSUS server.


Step5: Install WSUS Role & Run Initial Configuration Wizard.

Installation of WSUS

  1. Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the local Administrators group.
  2. In Server Manager, click Manage, and then click Add Roles and Features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, confirm that the Role-based or feature-based installation option is selected and click Next.
  5. On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.
  6. On the Select server roles page, select Windows Server Update Services. The Add features that are required for Windows Server Update Services dialog opens. Click Add Features, and then click Next.
  7. On the Select features page, retain the default selections, and then click Next.
  8. On the Windows Server Update Services page, click Next.
  9. On the Select Role Services page, select Windows Server Update Services and Database, and then click Next.
  10. On the Content location selection page, type a valid location to store the updates. For example, type E:\WSUS as the location.
  11. Click Next. The Web Server Role (IIS) page opens. Review the information, and then click Next. In Select the role services to install for Web Server (IIS), retain the defaults, and then click Next.
  12. On the Confirm installation selections page, review the selected options, and then click Install. The WSUS installation wizard runs. This might take several minutes to complete.
  13. Once WSUS installation is complete, in the summary window on the Installation progress page, click Launch Post-Installation tasks. The text changes to: Please wait while your server is configured. When the task has finished, the text changes to: Configuration successfully completed. Click Close.
  14. In Server Manager, verify whether a notification appears to inform you that a restart is required. This can vary according to the installed server role. If a restart is required, restart the server to complete the installation.


Post Configuration

Open Server Manager>Add/Remove program. It will present the previous installation wizard. Launch the Post Configuration Wizard.

  1. On the Welcome page, click Next.
  2. On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.
  3. Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.
  4. On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates. Make your selection, and then click Next.
  5. On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance; in other words, type the remote or local SQL Server name, and then click Next.
  6. On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.
  7. On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.
  8. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish, the configuration wizard will be launched.


Step6: Match the Advanced Options on the old WSUS Server & the new WSUS Server

Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:

  1. In the WSUS console of the old WSUS server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  2. In the Advanced Synchronization Settings dialog box, check the status of the settings for Download express installation files and Languages options.
  3. In the WSUS console of the new server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the old server.

Step7: Copy Updates from File System of the old WSUS Server to the new WSUS server

To back up updates from file system of old WSUS server to a file, follow these steps:

  1. On your old WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
  4. In Backup media or file name, type a path and file name for the backup (.bkf) file.
  5. Click Start Backup. The Backup Job Information dialog box appears.
  6. Click Advanced. Under Backup Type, click Incremental.
  7. From the Backup Job Information dialog box, click Start Backup to start the backup operation.
  8. Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

  1. On your new WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
  4. In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.
  5. Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.
  6. Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the restore operation.

An alternative is to use the FastCopy tool: copy the WSUS content folder from the old server and paste it on the new server.

Step8: Copy Metadata from the Database on the old WSUS Server to the new WSUS Server

To import metadata into the database of the new Microsoft Windows Server Update Services server, follow these steps:

Copy export.xml.gz or export.cab file from old server to new server using copy/Paste or FastCopy software.

Note: It can take from 3 to 4 hours for the database to validate content that has just been imported.

At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe and type wsusutil.exe import packagename logfile (for example: wsusutil.exe import export.cab import.log, or wsusutil.exe import export.xml.gz export.log).

Step9: Point your Clients to the new WSUS Server

Next you need to change the Group Policy so that it points to the new server. To redirect Automatic Updates to a WSUS server, follow these steps:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. In the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box, enter the new server name and port. For example, type http(s)://newservername:Port in both boxes.

Step10: Invoke GPUpdate

Open a PowerShell prompt as an administrator on any computer. Run Invoke-GPUpdate Servername to refresh Group Policy on the server so that it synchronises with the new WSUS server.
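As an added example (not part of the original post), the following PowerShell checks Step9 and Step10 together: it reads the Windows Update policy values that the Specify Intranet Microsoft update service location setting writes on each client, compares them with the new server URL, and runs Invoke-GPUpdate only on computers that still point at the old server. The server URL and the computer list are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Placeholders: the new WSUS URL and the computer list.
$ExpectedWsus = 'https://newwsus.testdomain.com:8531'   # placeholder: your new server name and port
$Computers    = @('SRV01', 'SRV02')                      # placeholder: computers to verify

# The GPO setting from Step9 lands in this key on every client (WUServer / WUStatusServer).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

if ($ExpectedWsus -notlike 'https://*') {
    Write-Warning 'WSUS URL is plain HTTP: approval metadata travels unauthenticated; prefer HTTPS (8531).'
}

# Read the effective policy values remotely (requires WinRM, enabled by default on 2012 R2).
$results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    param($Key)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
    }
} -ArgumentList $PolicyKey

foreach ($r in $results) {
    $ok = ($r.WUServer -eq $ExpectedWsus) -and ($r.WUStatusServer -eq $ExpectedWsus)
    if ($ok) {
        Write-Output "$($r.Computer): points at $ExpectedWsus"
    }
    else {
        Write-Warning ("{0}: WUServer='{1}' WUStatusServer='{2}', expected {3}; refreshing policy" -f `
            $r.Computer, $r.WUServer, $r.WUStatusServer, $ExpectedWsus)
        # Computer-side refresh only; -Force reapplies settings even if the GPO version is unchanged
        Invoke-GPUpdate -Computer $r.Computer -Target Computer -Force
    }
}
```

A computer that still shows the old URL after the refresh usually has the setting coming from a different GPO or is outside the OU the policy is linked to; gpresult /r on that machine shows which GPO is winning.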

Bulk Migration of Printer from Windows Server 2008/R2 to Windows Server 2012/R2

The following steps are for those who would like to migrate a print server from legacy Windows Server 2008/R2 to Windows Server 2012/R2. These steps bring in new drivers and avoid carrying old, corrupt drivers and configuration into the new system. If you use the Print Migration wizard, you may bring legacy corrupt drivers into the new system. These steps are also helpful if you are using the Citrix Universal Print Driver.

Step1: Download the correct and latest generic/universal/global print driver. HP calls it Universal; other manufacturers may call it a global or generic driver. Help yourself from Bing.

Step2: Install Generic Driver.

Open Server manager>Print Management>print Servers>Server name>Drivers.

Right Click and add x64 & x86 drivers.

Step3: Extract Legacy print Configuration.

Open PowerShell as an administrator. Run the following command.

$printserver = "printservername.domain.com"

Get-WMIObject -Class Win32_Printer -ComputerName $printserver | Select-Object Name,DriverName,PortName,ShareName,Location,Comment | Export-Csv -Path 'C:\printers.csv'

Step4: Create a CSV file shown below from the CSV File extracted in step3.

Create a CSV file and store it as c:\printers.csv on the new Windows Server 2012 R2 server.

First row of CSV shown below. Add relevant rows to your CSV file.

PrintServer|Driver|PortName|IPAddress|Sharename|Location|Comment|Printername

Step5: Create a Powershell script as below (Extracted the script from http://poshcode.org/1462)

Open a notepad. Copy from below and paste into the notepad. Rename to CreatePrinter.PS1

function CreatePrinter {
    # Arguments: server, driver name, port name, share name, location, comment, printer name
    $server = $args[0]
    $print = ([WMICLASS]"\\$server\ROOT\cimv2:Win32_Printer").createInstance()
    $print.DriverName = $args[1]   # driver must already be installed on the server (Step2)
    $print.PortName   = $args[2]   # port created by CreatePrinterPort below
    $print.Shared     = $true
    $print.ShareName  = $args[3]
    $print.Location   = $args[4]
    $print.Comment    = $args[5]
    $print.DeviceID   = $args[6]   # the printer (queue) name
    $print.Put()
}

function CreatePrinterPort {
    # Arguments: server, port name, printer IP address
    $server = $args[0]
    $port = ([WMICLASS]"\\$server\ROOT\cimv2:Win32_TCPIPPrinterPort").createInstance()
    $port.Name        = $args[1]
    $port.SNMPEnabled = $false
    $port.Protocol    = 1          # 1 = RAW (port 9100), 2 = LPR
    $port.HostAddress = $args[2]
    $port.Put()
}

# Columns expected: PrintServer, Driver, PortName, IPAddress, Sharename, Location, Comment, Printername
# (add -Delimiter '|' if your file uses the '|' separator shown in Step4)
$printers = Import-Csv c:\printers.csv

foreach ($printer in $printers) {
    CreatePrinterPort $printer.PrintServer $printer.PortName $printer.IPAddress
    CreatePrinter $printer.PrintServer $printer.Driver $printer.PortName $printer.Sharename $printer.Location $printer.Comment $printer.Printername
}

Step6: Run the script

Log on to the new Server 2012/R2 print server. Open PowerShell as an administrator. Run the above script. You will have to tweak a little, such as adding additional drivers and amending print properties, but this is much less effort than building the entire print server manually.
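Win32_Printer.Put() fails for any row whose driver name is not already installed on the new server, and a port that already exists makes CreatePrinterPort fail, so it pays to check the CSV before creating anything. The following pre-flight and post-run check is an added example, not part of the original post or the poshcode script; it assumes the CSV from Step4 at C:\printers.csv (comma-separated) and uses the PrintManagement cmdlets that ship with Windows Server 2012 R2.

```powershell
# Added example, not from the original post. Assumes C:\printers.csv with the Step4 columns.
$CsvPath = 'C:\printers.csv'
$rows    = Import-Csv -Path $CsvPath     # add -Delimiter '|' if the file uses '|' separators

# What the new print server already has (PrintManagement module, Server 2012 and later)
$installedDrivers = (Get-PrinterDriver).Name | Sort-Object -Unique
$existingPorts    = (Get-PrinterPort).Name
$existingQueues   = (Get-Printer).Name

function Test-PrinterCsvRow {
    param($Row)
    [pscustomobject]@{
        Printer     = $Row.Printername
        Driver      = $Row.Driver
        DriverOK    = $installedDrivers -contains $Row.Driver      # Put() fails without this
        PortExists  = $existingPorts -contains $Row.PortName       # CreatePrinterPort would fail
        QueueExists = $existingQueues -contains $Row.Printername   # already migrated or name clash
        IPAddressOK = [bool]($Row.IPAddress -as [ipaddress])       # catches typos in the CSV
    }
}

$report = $rows | ForEach-Object { Test-PrinterCsvRow -Row $_ }
$report | Format-Table -AutoSize

# Drivers to install in Step2 before running CreatePrinter.ps1
$missing = $report | Where-Object { -not $_.DriverOK } | Select-Object -ExpandProperty Driver | Sort-Object -Unique
if ($missing) { Write-Warning ("Install these drivers first: " + ($missing -join ', ')) }

# Rows that would collide with existing objects; skip or rename them in the CSV
$report | Where-Object { $_.PortExists -or $_.QueueExists } |
    ForEach-Object { Write-Warning "Already present on this server: $($_.Printer)" }

# After running CreatePrinter.ps1, re-run this block: every CSV row should now show QueueExists = True,
# and each queue should be shared with the name from the CSV.
Get-Printer | Where-Object { $rows.Printername -contains $_.Name } |
    Select-Object Name, DriverName, PortName, Shared, ShareName | Format-Table -AutoSize
```

Run it once before Step6 and once after: the first pass tells you which drivers Step2 missed, the second confirms that every queue from the old server was recreated and shared.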

Further reading:

install unsigned drivers

Hyper-v Server 2016 What’s New

Changed and upgraded functionality of Hyper-v Server 2016.

  1. Hyper-V cluster with mixed Hyper-V versions
  • Join a Windows Server 2016 Hyper-V host to a Windows Server 2012 R2 Hyper-V cluster
  • The cluster functional level remains Windows Server 2012 R2
  • Manage the cluster, Hyper-V, and virtual machines from a node running Windows Server 2016 or Windows 10
  • Use Hyper-V features until all of the nodes are migrated to the Windows Server 2016 cluster functional level
  • The virtual machine configuration version of existing virtual machines isn't upgraded
  • Upgrade the configuration version after you upgrade the cluster functional level using the Update-VmConfigurationVersion vmname cmdlet
  • New virtual machines created in Windows Server 2016 will be backward compatible
  • When the Hyper-V role is enabled on a computer that uses the Always On/Always Connected (AOAC) power model, the Connected Standby power state is now available
  2. Production checkpoints
  • For production checkpoints, the Volume Snapshot Service (VSS) is used inside Windows virtual machines
  • Linux virtual machines flush their file system buffers to create a file-system-consistent checkpoint
  • Checkpoints no longer use saved-state technology
  3. Hot add and remove for network adapters, virtual hard drives and memory
  • Add or remove a network adapter while the virtual machine is running, for both Windows and Linux machines
  • Adjust the memory of a running virtual machine even if you haven't enabled dynamic memory
  4. Integration Services delivered through Windows Update
  • Windows Update will distribute integration services
  • The ISO image file vmguest.iso is no longer needed to update integration components
  5. Storage quality of service (QoS)
  • Create storage QoS policies on a Scale-Out File Server and assign them to one or more virtual disks
  • Hyper-V automatically updates its storage policies according to the storage QoS policies
  6. Virtual machine improvements
  • Import virtual machines with an older configuration version, update them later and live migrate across any host
  • After you upgrade the virtual machine configuration version, you can't move the virtual machine to a server that runs Windows Server 2012 R2.
  • You can't downgrade the virtual machine configuration version back from version 6 to version 5.
  • Turn off the virtual machine to upgrade the virtual machine configuration.
  • The Update-VmConfigurationVersion cmdlet is blocked on a Hyper-V cluster when the cluster functional level is Windows Server 2012 R2
  • After the upgrade, the virtual machine will use the new configuration file format.
  • The new configuration files use the .VMCX file extension for virtual machine configuration data and the .VMRS file extension for runtime state data.
  • Ubuntu 14.04 and later, and SUSE Linux Enterprise Server 12 support secure boot using the Set-VMFirmware vmname -SecureBootTemplate MicrosoftUEFICertificateAuthority cmdlet
  7. Hyper-V Manager improvements
  • Support for alternative credentials
  • Down-level management of Hyper-V running on Windows Server 2012, Windows 8, Windows Server 2012 R2 and Windows 8.1.
  • Connect to Hyper-V using the WS-MAN protocol, with Kerberos or NTLM authentication
  8. Guest OS support
  • Any server operating system from Windows Server 2008 to Windows Server 2016
  • Any desktop operating system from Vista SP2 to Windows 10
  • FreeBSD, Ubuntu, SUSE Enterprise, CentOS, Debian, Fedora and Red Hat
  9. ReFS Accelerated VHDX
  • Create a fixed size VHDX on a ReFS volume instantly.
  • Improved backup operations and checkpoints
  10. Nested virtualization
  • Run Hyper-V Server as a guest OS inside Hyper-V
  11. Shared VHDX format
  • Host-based backup of shared VHDX files
  • Online resize of shared VHDX
  • Some usability changes in the UI
  • Shared VHDX files are now a new type of VHD called .vhds files.
  12. Stretched Hyper-V cluster
  • A stretched cluster allows you to configure Hyper-V hosts and storage in a single stretch cluster, where two nodes share one set of storage and two nodes share another set of storage; synchronous replication then keeps both sets of storage mirrored in the cluster to allow immediate failover.
  • These nodes and their storage should be located in separate physical sites, although this is not required.
  • The stretch cluster will run a Hyper-V compute workload.

Unsupported:

Hyper-V on Windows 10 doesn’t support failover clustering
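The configuration-version rules in item 6 above are easy to get wrong during a rolling upgrade: the upgrade is blocked until the cluster functional level is raised, the VM has to be off, and the change cannot be reversed. The following inventory script is an added example (not from the original article) that shows which VMs still carry an older version and which are safe to upgrade now. It assumes a Windows Server 2016 host with the Hyper-V module and, if clustered, the FailoverClusters module; Windows Server 2016 ships the upgrade cmdlet as Update-VMVersion.

```powershell
# Added example, not from the original article. Assumes a Windows Server 2016 Hyper-V host.
Import-Module Hyper-V
Import-Module FailoverClusters -ErrorAction SilentlyContinue

# Highest configuration version this host creates by default (8.0 on Windows Server 2016;
# VMs from Windows Server 2012 R2 report 5.0)
$hostDefault = [version](Get-VMHostSupportedVersion -Default).Version

# Cluster functional level gates the upgrade: 8 = Windows Server 2012 R2, 9 = Windows Server 2016
$cluster = Get-Cluster -ErrorAction SilentlyContinue
if ($cluster) {
    "Cluster functional level: $($cluster.ClusterFunctionalLevel) (8 = 2012 R2, 9 = 2016)"
}

$inventory = Get-VM | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        State        = $_.State
        Version      = $_.Version
        NeedsUpgrade = ([version]$_.Version -lt $hostDefault)
    }
}
$inventory | Format-Table -AutoSize

# Report only; the upgrade itself is irreversible, so it is left as an explicit per-VM command.
$inventory | Where-Object { $_.NeedsUpgrade -and $_.State -eq 'Off' } | ForEach-Object {
    "Ready: Update-VMVersion -Name '$($_.Name)'  (after this the VM cannot run on a 2012 R2 host)"
}
$inventory | Where-Object { $_.NeedsUpgrade -and $_.State -ne 'Off' } | ForEach-Object {
    "Not ready: '$($_.Name)' must be turned off first"
}
```

Keep the old-version VMs listed here until every node in the cluster runs Windows Server 2016 and the functional level has been raised; until then they remain live-migratable to the remaining 2012 R2 nodes.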

How to deploy VDI using Microsoft RDS in Windows Server 2012 R2

Remote Desktop Services is a server role that consists of several role services. Remote Desktop Services (RDS) accelerates and securely extends desktops and applications to any device and any place for remote and roaming workers. Remote Desktop Services provides both a virtual desktop infrastructure (VDI) and session-based desktops.

In Windows Server 2012 R2, the following roles are available in Remote Desktop Services: 

Role service name and description:

  • RD Virtualization Host: integrates with Hyper-V to deploy pooled or personal virtual desktop collections.
  • RD Session Host: enables a server to host RemoteApp programs or session-based desktops.
  • RD Connection Broker: provides the following services:
      • Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops.
      • Enables you to evenly distribute the load among RD Session Host servers in a session collection or pooled virtual desktops in a pooled virtual desktop collection.
      • Provides access to virtual desktops in a virtual desktop collection.
  • RD Web Access: enables access to the following:
      • RemoteApp programs and session-based desktops through RemoteApp and Desktop Connection in the Start menu or through a web browser.
      • RemoteApp programs and virtual desktops in a virtual desktop collection.
  • RD Licensing: manages the licenses for RD Session Host and VDI.
  • RD Gateway: enables authorized users to connect to VDI and RemoteApp programs.

For a RDS lab, you will need following servers.

  • RDSVHSRV01- Remote Desktop Virtualization Host server. Hyper-v Server.
  • RDSWEBSRV01- Remote Desktop Web Access server
  • RDSCBSRV01- Remote Desktop Connection Broker server.
  • RDSSHSRV01- Remote Desktop Session Host Server
  • FileSRV01- File Server to Store User Profile

This test lab consists of a 192.168.1.1/24 subnet for the internal network and a DHCP client, Client1, running the Windows 8 operating system, in a test domain called testdomain.com. You need a shared folder hosted on a file server, or SAN storage presented to the Hyper-V cluster that acts as the Virtualization Host server. All RD Virtualization Host computer accounts must be granted Read/Write permission to the shared folder. I assume you have a functional domain controller, DNS, DHCP and a Hyper-V cluster. Now you can follow the steps below.

Step1: Create a Server Group

1. Open Server Manager from the taskbar. Click Dashboard, click View, click Show Welcome Tile, click Create a Server Group, and type RDS Servers as the name of the group.

2. Click Active Directory , In the Name (CN): box, type RDS, then click Find Now.

3. Select RDSWEBSRV01, RDSSHSRV01, RDSCBSRV01, RDSVHSRV01 and then click the right arrow.

4. Click OK.

Step2: Deploy the VDI standard deployment

1. Log on to the Windows server by using the testdomain\Administrator account.

2. Open Server Manager from Taskbar, Click Manage, click Add roles and features.

3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.

4. On the Select Installation Type page, click Remote Desktop Services scenario-based Installation, and then click Next.


5. On the Select deployment type page, click Standard deployment, and then click Next. A standard deployment allows you to deploy RDS on multiple servers splitting the roles and features among them. A quick start allows you to deploy RDS on to single servers and publish apps.


6. On the Select deployment scenario page, click Virtual Desktop Infrastructure, and then click Next.


7. On the role services page, review roles then click Next.


8. On the Specify RD Connection Broker server page, click RDSCBSRV01.Testdomain.com, click the right arrow, and then click Next.


9. On the Specify RD Web Access server page, click RDSWEBSRV01.Testdomain.com, click the right arrow, and then click Next.


10. On the Specify RD Virtualization Host server page, click RDSVHSRV01.Testdomain.com, click the right arrow, and then click Next. RDSVHSRV01 is a physical machine configured with Hyper-v. Check Create a New Virtual Switch on the selected server.


11. On the Confirm selections page, Check the Restart the destination server automatically if required check box, and then click Deploy.


12. After the installation is complete, click Close.


Step3: Test the VDI standard deployment connectivity

You can ensure that VDI standard deployment deployed successfully by using Server Manager to check the Remote Desktop Services deployment overview.

1. Log on to the DC1 server by using the testdomain\Administrator account.

2. Click Server Manager, click Remote Desktop Services, and then click Overview.

3. In the DEPLOYMENT OVERVIEW section, ensure that the RD Web Access, RD Connection Broker, and RD Virtualization Host role services are installed. If there is an icon and not a green plus sign (+) next to the role service name, the role service is installed and part of the deployment.

Step4: Configure FileSRV1

You must create a network share on a computer in the testdomain domain to store the user profile disks. Use the following procedures to connect to the virtual desktop collection:

  • Create the user profile disk network share
  • Adjust permissions on the network share

Create the user profile disk network share

1. Log on to the FileSRV1 computer by using the TESTDOMAIN\Administrator user account.

2. Open Windows Explorer.

3. Click Computer, and then double-click Local Disk (C:).

4. Click Home, click New Folder, type RDSUserProfile and then press ENTER.

5. Right-click the RDSUSERPROFILE folder, and then click Properties.

6. Click Sharing, and then click Advanced Sharing.

7. Select the Share this folder check box.

8. Click Permissions, and then grant Full Control permissions to the Everyone group.

9. Click OK twice, and then click Close.

Set up permissions on the network share

1. Right-click the RDSUSERPROFILE folder, and then click Properties.

2. Click Security, and then click Edit.

3. Click Add.

4. Click Object Types, select the Computers check box, and then click OK.

5. In the Enter the object names to select box, type RDSVHSRV01.Testdomain.com, and then click OK.

6. Click RDSVHSRV01, and then select the Allow check box next to Modify.

7. Click OK two times.
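The same share can be created with PowerShell, which also makes it easy to keep the share-level ACL narrower than the Everyone: Full Control used in the GUI steps above. The block below is an added example, not part of the original post: it creates the RDSUserProfile share on FileSRV01, grants share access only to the RD Virtualization Host computer account(s) and Domain Admins, and sets the NTFS Modify right the collection wizard checks for in Step6. The identities use the lab names from this article; add one entry per RDVH host in your own deployment.

```powershell
# Added example, not from the original post. Run on FileSRV01 as TESTDOMAIN\Administrator.
$Path     = 'C:\RDSUserProfile'
$Share    = 'RDSUserProfile'
$RdvHosts = @('TESTDOMAIN\RDSVHSRV01$')          # computer accounts of every RD Virtualization Host
$Admins   = 'TESTDOMAIN\Domain Admins'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share-level ACL: only the RDVH computer accounts and admins, instead of Everyone: Full Control.
# The hosts need Full here so they can create, rename and delete the user profile VHDX files.
New-SmbShare -Name $Share -Path $Path -FullAccess ($RdvHosts + $Admins) | Out-Null

# NTFS ACL: break inheritance, then grant Modify to each RDVH account and Full Control to SYSTEM/admins.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)      # protect from inheritance, drop inherited rules
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($id in ($RdvHosts + $Admins + 'NT AUTHORITY\SYSTEM')) {
    $rights = if ($RdvHosts -contains $id) {
        [System.Security.AccessControl.FileSystemRights]::Modify
    } else {
        [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Verify both layers; the RDVH account must appear with Full at the share and Modify on the folder.
Get-SmbShareAccess -Name $Share | Format-Table -AutoSize
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Because the profile disks hold users' registry hives and data, limiting the share to the hosts that mount them means a domain user who finds \\FileSRV01\RDSUserProfile cannot open or copy other users' disks even if an NTFS entry is later set too broadly.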

Step5: Configure RDSVHSRV01

You must add the virtual desktop template to Hyper-V so you can assign it to the pooled virtual desktop collection.

Create Virtual Desktop Template in RDSVHSRV01

1. Log on to the RDSVHSRV01 computer as a Testdomain\Administrator user account.

2. Click Start, and then click Hyper-V Manager.

3. Right-click RDSVHSRV01, point to New, and then click Virtual Machine.

4. On the Before You Begin page, click Next.

5. On the Specify Name and Location page, in the Name box, type Virtual Desktop Template, and then click Next.


6. On the Assign Memory page, in the Startup memory box, type 1024, and then click Next.


7. On the Configure Networking page, in the Connection box, click RDS Virtual, and then click Next.


8. On the Connect Virtual Hard Disk page, click the Use an existing virtual hard disk option.


9. Click Browse, navigate to the virtual hard disk that should be used as the virtual desktop template, and then click Open. Click Next.


10. On the Summary page, click Finish.

Step6: Create the managed pooled virtual desktop collection in RDSVHSRV01

Create the managed pooled virtual desktop collection so that users can connect to desktops in the collection.

1. Log on to the RDSCBSRV01 server as a TESTDOMAIN\Administrator user account.

2. Server Manager will start automatically. If it does not automatically start, click Start, type servermanager.exe, and then click Server Manager.

3. In the left pane, click Remote Desktop Services, and then click Collections.

4. Click Tasks, and then click Create Virtual Desktop Collection.


5. On the Before you begin page, click Next.

6. On the Name the collection page, in the Name box, type Testdomain Managed Pool, and then click Next.


7. On the Specify the collection type page, click the Pooled virtual desktop collection option, ensure that the Automatically create and manage virtual desktops check box is selected, and then click Next.


8. On the Specify the virtual desktop template page, click Virtual Desktop Template, and then click Next.


9. On the Specify the virtual desktop settings page, click Provide unattended settings, and then click Next. In this step of the wizard, you can also choose to provide an answer file. A Simple Answer File can be obtained from URL1 and URL2

10. On the Specify the unattended settings page, enter the following information and retain the default settings for the options that are not specified, and then click Next.

  • In the Local Administrator account password and Confirm password boxes, type the same strong password.
  • In the Time zone box, click the time zone that is appropriate for your location.

11. On the Specify users and collection size page, accept the default selections, and then click Next.

12. On the Specify virtual desktop allocation page, accept the default selections, and then click Next.

13. On the Specify virtual desktop storage page, accept the default selections, and then click Next.

14. On the Specify user profile disks page, in the Location user profile disks box, type \\FileSRV01\RDSUserProfile, and then click Next. Make sure that the RD Virtualization Host computer accounts have read and write access to this location.

15. On the Confirm selections page, click Create.

Step7: Test Remote Desktop Services connectivity

You can ensure the managed pooled virtual desktop collection was created successfully by connecting to the RD Web Access server and then connecting to the virtual desktop in the Testdomain Managed Pool collection.

1. Open Internet Explorer.

2. In the Internet Explorer address bar, type https://RDSWEBSRV01.Testdomain.com/RDWeb, and then press ENTER.

3. Click Continue to this website (not recommended).


4. In the Domain\user name box, type TESTDOMAIN\Administrator.

5. In the Password box, type the password for the TESTDOMAIN\Administrator user account, and then click Sign in.

6. Click Testdomain Managed Pool, and then click Connect.

Relevant Configuration

Remote Desktop Services with ADFS SSO

Remote Desktop Services with Windows Authentication

RDS With Windows Authentication

How to Connect and Configure Virtual Fibre Channel, FC Storage and FC Tape Library from within a Virtual Machine in Hyper-v Server 2012 R2

Windows Server 2012 R2 with Hyper-v Role provides Fibre Channel ports within the guest operating system, which allows you to connect to Fibre Channel directly from within virtual machines. This feature enables you to virtualize workloads that use direct FC storage and also allows you to cluster guest operating systems leveraging Fibre Channel, and provides an important new storage option for servers hosted in your virtual infrastructure.

Benefits:

  • Use existing Fibre Channel investments to support virtualized workloads.
  • Connect Fibre Channel Tape Library from within a guest operating systems.
  • Support for many related features, such as virtual SANs, live migration, and MPIO.
  • Create MSCS Cluster of guest operating systems in Hyper-v Cluster

Limitation:

  • Live Migration will not work if SAN zoning isn’t configured correctly.
  • Live Migration will not work if LUN mismatch detected by Hyper-v cluster.
  • Virtual workload is tied with a single Hyper-v Host making it a single point of failure if a single HBA is used.
  • Virtual Fibre Channel logical units cannot be used as boot media.

Prerequisites:

  • Windows Server 2012 or 2012 R2 with the Hyper-V role.
  • Hyper-V requires a computer with processor support for hardware virtualization. See details in BIOS setup of server hardware.
  • A computer with one or more Fibre Channel host bus adapters (HBAs) that have an updated HBA driver that supports virtual Fibre Channel.
  • An NPIV-enabled fabric, HBA and FC SAN. Almost all new-generation Brocade fabrics and storage support this feature. NPIV is disabled in the HBA by default.
  • Virtual machines configured to use a virtual Fibre Channel adapter, which must use Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 or Windows Server 2012 R2 as the guest operating system. Maximum 4 vFC ports are supported in guest OS.
  • Storage accessed through a virtual Fibre Channel supports devices that present logical units.
  • MPIO Feature installed in Windows Server.
  • Microsoft Hotfix KB2894032

Before I begin elaborating the steps involved in configuring virtual Fibre Channel, I assume you have physical connectivity and physical multipath configured and connected as per vendor best practice. In this example configuration, I will be presenting storage and an FC tape library to a virtualized backup server. I used the following hardware.

  • 2X Brocade 300 series Fabric
  • 1X FC SAN
  • 1X FC Tape Library
  • 2X Windows Server 2012 R2 with Hyper-v Role installed and configured as a cluster. Each host connected to two Fabric using dual HBA port.

Step1: Update Firmware of all Fabric.

Use this LINK to update firmware.

Step2: Update Firmware of FC SAN

See OEM or vendor installation guide. See this LINK for IBM guide.

Step3: Enable hardware virtualization in Server BIOS

See OEM or Vendor Guidelines

Step4: Update Firmware of Server

See OEM or Vendor Guidelines. See Example of Dell Firmware Upgrade

Step5: Install MPIO driver in Hyper-v Host

See OEM or Vendor Guidelines

Step6: Physically Connect FC Tape Library, FC Storage and Servers to correct FC Zone

Step7: Configure Correct Zone and NPIV in Fabric

SSH to Fabric and Type the following command to verify NPIV.

Fabric:root>portcfgshow 0

If NPIV is enabled, it will show NPIV ON.

To enable NPIV on a specific port, type portCfgNPIVPort 0 1 (where 0 is the port number and 1 is the mode: 1=enable, 0=disable).

Open the Brocade Fabric and configure aliases. The red-marked entries are the virtual HBA and the FC Tape as shown in the Fabric. Note that you must place the FC Tape, the Hyper-v host(s), the virtual machine and the FC SAN in the same zone, otherwise it will not work.


Configure correct Zone as shown below.


Configure correct Zone Config as shown below.


Once you have configured the correct zone in the Fabric, the FC Tape will show up in the Windows Server 2012 R2 host where the Hyper-v role is installed. Do not update the tape driver in the Hyper-v host, as the guest (virtual machine) will be the backup server where the correct tape driver is needed.


Step8: Configure Virtual Fibre Channel

Open Hyper-v Manager, click Virtual SAN Manager>Create new Fibre Channel.


Type the Name of the Fibre Channel>Apply>Ok.


Repeat the process to create multiple vFCs for MPIO and Live Migration purposes. Remember that the physical HBAs must be connected to both Brocade Fabrics.

In the vFC configuration, keep the naming convention identical on both hosts. If you have two physical HBAs, configure two vFCs in the Hyper-v host, for example VFC1 and VFC2. Create two vFCs on the other host with the identical names VFC1 and VFC2. Assign both vFCs to the virtual machines.

Step9: Attach Virtual Fibre Channel Adapter on to virtual Machine.

Open Failover Cluster Manager, select the virtual machine where the FC Tape will be visible>Shut down the virtual machine.

Go to Settings of the virtual machine>Add Fibre Channel Adapter>Apply>Ok.


Record the WWPNs from the virtual Fibre Channel adapter.


Power on the virtual machine.

Repeat the process to add the remaining vFCs (VFC1 and VFC2) to the virtual machine.
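Steps 8 and 9 above, carried out with the Hyper-V PowerShell module instead of the GUI, as an added example that is not part of the original post; the VM name and the virtual SAN names are assumptions.

```powershell
# Added example: create two virtual SANs (VFC1, VFC2) on a Hyper-V host, one per
# physical HBA port, attach both to a VM and record the WWPNs needed for zoning.
# Names are assumed for illustration. Run it on each host of the cluster with the
# same SAN names so the VM keeps its vFC adapters after a live migration.

$VMName   = 'BACKUP01'        # assumed name of the virtual backup server
$SanNames = 'VFC1', 'VFC2'    # one virtual SAN per physical HBA port

# Enumerate the physical Fibre Channel initiator ports on this host.
$hbaPorts = @(Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'Fibre Channel' })
if ($hbaPorts.Count -lt $SanNames.Count) {
    throw "Expected $($SanNames.Count) FC HBA ports, found $($hbaPorts.Count)."
}

# Create the virtual SANs, binding each one to a separate physical port.
for ($i = 0; $i -lt $SanNames.Count; $i++) {
    if (-not (Get-VMSan -Name $SanNames[$i] -ErrorAction SilentlyContinue)) {
        New-VMSan -Name $SanNames[$i] -HostBusAdapter $hbaPorts[$i] | Out-Null
    }
}

# The VM must be off while virtual Fibre Channel adapters are added.
if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName }

foreach ($san in $SanNames) {
    Add-VMFibreChannelHba -VMName $VMName -SanName $san
}

# Each vFC adapter carries two WWPN sets (A and B). Both must be zoned in the
# Fabric and registered on the storage array, because Hyper-V alternates
# between them during live migration.
Get-VMFibreChannelHba -VMName $VMName |
    Select-Object SanName, WorldWidePortNameSetA, WorldWidePortNameSetB |
    Format-Table -AutoSize

Start-VM -Name $VMName
```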

Step10: Present Storage

Log on to the FC storage>Add Host in the storage. The WWPN shown here must match the WWPN of the virtual Fibre Channel adapter.


Map the volume or LUN to the virtual server.


Step11: Install MPIO Driver in Guest Operating Systems

Open Server Manager>Add Role & Feature>Add MPIO Feature.


Download the manufacturer's MPIO driver for the storage. The MPIO driver must be the correct and latest version to function correctly.


Now you have the FC SAN in your virtual machine.


Step12: Install Correct FC Tape Library Driver in Guest Operating Systems.

Download the correct FC Tape driver and install it in the virtual backup server.

Now you have the correct FC Tape library in the virtual machine.


The backup software can now see the Tape Library and inventory tapes.


Further Readings:

Brocade Fabric with Virtual FC in Hyper-v

Hyper-V Virtual Fibre Channel Overview

Clustered virtual machine cannot access LUNs over a Synthetic Fibre Channel after you perform live migration on Windows Server 2012 or Windows Server 2012 R2-based Hyper-V hosts

Migrate Network Policy Server (NPS) From Windows Server 2008 R2 to Windows Server 2012 R2

Scenario:

  1. Migrate to a new server with new NetBIOS Name and New IP Address
  2. Migrate to a new server retaining NetBIOS Name and IP Address

Step1: Back up the NPS server, NPS policies and certificate

  1. Open NPS from Server Manager>Right-click on NPS(Local)>Export Configuration.
  2. Select "I am aware that I am exporting all shared secrets". Click Ok>Export as an XML file into a UNC path accessible to the new server.
  3. Right-click on Template Management>Export Templates to a File. Export as an XML file into a UNC path accessible to the new server.
  4. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificates>Export the certificate with its private key.
  5. Use Windows Backup to back up the NPS server. If the NPS server is virtualized, simply right-click the virtual machine in Hyper-v Manager and rename the machine. Now power off the VM.

Step2: Build a new Server.

  1. Build a new server. Activate Windows. Assign TCP/IP and join it to the domain.
  2. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificates>Import the certificate with its private key.
  3. From the Roles and Features Wizard>add Network Policy and Access Services>Select NPS, NAP and Health Registration services, click Next>Select Certificate Authority>Select Certificate>Finish Installation.

Step3: Register NPS.

  1. If you have retained the NetBIOS name and IP address as in scenario 2, you don't need to re-register; it is already registered.
  2. If you have a different NetBIOS name and IP address, right-click NPS(Local)>Register server in Active Directory.

Step4: Import NPS Policies

  1. Open NPS>Right-click on NPS(Local)>Import Configuration. Point to the XML file you exported in Step1 and import it.
  2. Right-click on Template Management>Import Templates from a File. Point to the XML file you exported in Step1 and import it.

Step5: Test Client

  1. Connect a client via Wi-Fi or VPN, whichever NPS has been configured for.
  2. Open Event Viewer on the NPS server and check the Security log. You will see that clients have connected successfully.
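Steps 1 to 5 above done from PowerShell, as an added example that is not part of the original post. The UNC path and the certificate thumbprint are placeholder assumptions; the first half runs on the old server and the second half on the new one, and the templates are still moved through the console as in Steps 1.3 and 4.2.

```powershell
# Added example (not from the original post): NPS export/import from PowerShell.
# $ExportShare and $thumb are assumed placeholders.

$ExportShare = '\\FILESERVER\NpsMigration'   # assumed UNC path reachable by both servers

# ---- On the old NPS server (Step 1) ---------------------------------------
# The export contains every RADIUS client shared secret in clear text, so the
# file is locked down to Administrators immediately after it is written.
Export-NpsConfiguration -Path "$ExportShare\nps-config.xml"
icacls "$ExportShare\nps-config.xml" /inheritance:r /grant:r 'Administrators:(R)' | Out-Null

# Server certificate with private key (used by PEAP / EAP-TLS), password protected.
$thumb = '0000000000000000000000000000000000000000'   # assumed thumbprint placeholder
$pfxPw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath "$ExportShare\nps-cert.pfx" -Password $pfxPw | Out-Null

# ---- On the new NPS server (Steps 2-4) ------------------------------------
Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools | Out-Null
$pfxPw = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath "$ExportShare\nps-cert.pfx" `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPw | Out-Null

# Scenario 1 (new NetBIOS name / IP) only: register the server in AD so NPS can
# read users' dial-in properties. Scenario 2 keeps the existing registration.
netsh ras add registeredserver

Import-NpsConfiguration -Path "$ExportShare\nps-config.xml"

# Confirm that the RADIUS clients arrived with the import.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# ---- Step 5: confirm authentications in the Security log ------------------
# 6272 = access granted, 6273 = access denied. A run of 6273 right after
# cut-over usually means a shared secret or a policy did not import.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```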

Relevant Articles:

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

With server virtualization you can run multiple server instances concurrently on a single physical host, yet the servers are isolated from each other and operate independently. Similarly, network virtualization lets multiple virtual network infrastructures run on the same physical network, with or without overlapping IP addresses. Each virtual network infrastructure operates as if it were the only virtual network running on the shared network infrastructure. Hyper-v Network Virtualization also decouples the physical network from the virtual network. Network virtualization can be achieved via System Center Virtual Machine Manager (SCVMM) managing multiple Hyper-v servers, a single Hyper-v server or clustered Hyper-v servers. Microsoft Hyper-v Network Virtualization provides multi-tenant aware, multi-VLAN aware and non-hierarchical IP address assignment to virtual machines in conventional on-premises and cloud-based data centers.

Hyper-v Virtual Network Type

  • Private Virtual Network Switch allows communication between virtual machines connected to the same virtual switch. Virtual machines connected to this type of virtual switch cannot communicate with the Hyper-V parent partition. You can create any number of private virtual switches.
  • Internal Virtual Network Switch allows communication between virtual machines connected to the same switch and also allows communication with the Hyper-V parent partition. You can create any number of internal virtual switches.
  • External Virtual Network Switch allows communication between virtual machines running on the same Hyper-V server, the Hyper-V parent partition and virtual machines running on remote Hyper-V servers. It requires a physical network adapter on the Hyper-V host that is not mapped to any other external virtual network switch. As a result, you can create as many external virtual switches as you have physical network adapters that are not mapped to other external virtual switches.

Follow these guidelines to configure virtual networking on Windows Server 2012 R2 with the Hyper-v role installed. A highly available clustered Hyper-v server should have the following configuration parameters.

Example VLAN

Network Type | VLAN ID | IP Addresses
Default | 1 | 10.10.10.1/24
Management | 2 | 10.10.20.1/24
Live Migration | 3 | 10.10.30.1/24
Prod Server | 4 | 10.10.40.1/24
Dev Server | 5 | 10.10.50.1/24
Test Server | 6 | 10.10.60.1/24
Storage | 7 | 10.10.70.1/24
DMZ | 99 | 192.168.1.1/24

Example NIC Configuration with 8 network cards (e.g. 2x quad-port NIC cards)

Virtual Network Name | Purpose | Connected Physical Switch Port | Virtual Switch Configuration
MGMT | Management Network | Port configured with VLAN 2 | Allow Management Network: ticked; Enable VLAN identification for management operating system: ticked
LiveMigration | Live Migration | Port configured with VLAN 3 | Allow Management Network: un-ticked; Enable VLAN identification for management operating system: ticked
iSCSI | Storage | Port configured with VLAN 7 | Allow Management Network: un-ticked; Enable VLAN identification for management operating system: ticked
VirtualMachines | Prod, Dev, Test, DMZ | Port configured with Trunk Mode | Allow Management Network: un-ticked; Enable VLAN identification for management operating system: un-ticked

Recommendation:

  • Do not assign the VLAN ID in the NIC Teaming Wizard; instead assign the VLAN ID in Virtual Switch Manager.
  • Configure the virtual switch network as an External Virtual Network.
  • Configure physical switch port aggregation using EtherChannel.
  • Configure logical network aggregation using the NIC Teaming Wizard.
  • Enable the VLAN ID in the Virtual Machine Settings.

Example Virtual Machine Network Configuration

Virtual Machine Type | VLAN ID Tagged in VM>Settings>Network Adapter | Enable VLAN identifier | Connected Virtual Network
Prod VM | 4 | Ticked | VirtualMachines
Dev VM | 5 | Ticked | VirtualMachines
Test VM | 6 | Ticked | VirtualMachines
DMZ VM with two NICs | 4, 99 | Ticked | VirtualMachines

 

NIC Teaming with Virtual Switch

Multiple network adapters on a computer can be placed into a team for the following purposes:

  • Bandwidth aggregation
  • Traffic failover to prevent connectivity loss in the event of a network component failure

There are two basic configurations for NIC Teaming.

  • Switch-independent teaming. This configuration does not require the switch to participate in the teaming. Because the switch does not know that the network adapter is part of a team in the host, the adapters may be connected to different switches. Switch-independent mode does not require that the team members connect to different switches; it merely makes that possible.
  • Switch-dependent teaming. This configuration requires the switch to participate in the teaming, and the participating NICs must be connected to the same physical switch. There are two modes of operation for switch-dependent teaming: generic or static teaming (IEEE 802.3ad draft v1), and Link Aggregation Control Protocol teaming (IEEE 802.1ax, LACP).

Load Balancing Algorithm

NIC teaming in Windows Server 2012 R2 supports the following traffic load distribution algorithms:

  • Hyper-V switch port. Since VMs have independent MAC addresses, the VM’s MAC address or the port it’s connected to on the Hyper-V switch can be the basis for dividing traffic.
  • Address Hashing. This algorithm creates a hash based on address components of the packet and then assigns packets that have that hash value to one of the available adapters. Usually this mechanism alone is sufficient to create a reasonable balance across the available adapters.
  • Dynamic. This algorithm takes the best aspects of each of the other two modes and combines them into a single mode. Outbound loads are distributed based on a hash of the TCP Ports and IP addresses. Dynamic mode also rebalances loads in real time so that a given outbound flow may move back and forth between team members. Inbound loads are distributed as though the Hyper-V port mode was in use.

NIC Teaming within Virtual Machine

NIC teaming in Windows Server 2012 R2 may also be deployed inside a VM. This allows a VM to have virtual NICs connected to more than one Hyper-V switch and still maintain connectivity even if the physical NIC under one switch gets disconnected.

To enable NIC Teaming in a virtual machine: in Hyper-V Manager, open the settings for the VM, select the VM's network adapter and then the Advanced Settings item, and enable the NIC Teaming checkbox.
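The VLAN plan, the switch configuration table and the teaming options above, put together with the NetLbfo and Hyper-V PowerShell modules, as an added example that is not from the original post. It uses one LACP team with one external switch and a host vNIC per VLAN, rather than one switch per physical NIC as in the table; the physical adapter names and VM names are assumptions.

```powershell
# Added example (not from the original post): converged Hyper-V host networking
# from the VLAN table above. Adapter and VM names are assumed; VLAN IDs come
# from the tables (MGMT 2, Live Migration 3, Storage 7, VMs 4/5/6/99).

# Team the physical NICs with LACP (switch-dependent) and Dynamic load balancing.
# Per the recommendation list, no VLAN ID is set on the team itself.
$team = New-NetLbfoTeam -Name 'Team-VMs' -TeamMembers 'NIC1', 'NIC2' `
            -TeamingMode Lacp -LoadBalancingAlgorithm Dynamic -Confirm:$false

# External switch on the team; the host gets dedicated vNICs instead of the
# default management adapter.
New-VMSwitch -Name 'VirtualMachines' -NetAdapterName $team.Name `
    -AllowManagementOS $false -MinimumBandwidthMode Weight | Out-Null

# Host-side vNICs, each tagged on the virtual switch port (not in the team).
$hostNics = @{ 'MGMT' = 2; 'LiveMigration' = 3; 'iSCSI' = 7 }
foreach ($n in $hostNics.GetEnumerator()) {
    Add-VMNetworkAdapter -ManagementOS -Name $n.Key -SwitchName 'VirtualMachines'
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $n.Key `
        -Access -VlanId $n.Value
}

# VM adapters as access ports in their VLAN, per the VM table.
$vmVlans = @{ 'PROD01' = 4; 'DEV01' = 5; 'TEST01' = 6 }
foreach ($v in $vmVlans.GetEnumerator()) {
    Set-VMNetworkAdapterVlan -VMName $v.Key -Access -VlanId $v.Value
}

# DMZ VM with two NICs: first adapter in VLAN 4, second in VLAN 99.
$dmz = @(Get-VMNetworkAdapter -VMName 'DMZ01')
Set-VMNetworkAdapterVlan -VMNetworkAdapter $dmz[0] -Access -VlanId 4
Set-VMNetworkAdapterVlan -VMNetworkAdapter $dmz[1] -Access -VlanId 99

# NIC teaming inside a guest only works if the host allows it on that adapter.
Set-VMNetworkAdapter -VMName 'PROD01' -AllowTeaming On

# Verification: every host vNIC and VM adapter should report Access mode with
# the expected VLAN. An adapter left in Untagged mode is a mis-tagged port and
# would land in the switch port's native VLAN.
Get-VMNetworkAdapterVlan -ManagementOS
Get-VMNetworkAdapterVlan -VMName *
```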

Physical Switch Configuration

  • In Trunk Mode, a virtual switch listens to all network traffic and forwards it to all of its ports; in other words, network packets are sent to all the virtual machines connected to it. By default, a virtual switch in Hyper-V is configured in Trunk Mode, so little configuration is needed for this mode.
  • In Access Mode, the virtual switch first checks the VLAN ID tagged in each incoming network packet. If the tag matches the VLAN ID configured on the virtual switch, the packet is accepted; any incoming packet that is not tagged with the same VLAN ID is discarded by the virtual switch.

Cisco EtherChannel

EtherChannel provides automatic recovery for the loss of a link by redistributing the load across the remaining links. If a link fails, EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention. EtherChannel Negotiation Protocols are:

  • PAgP (Cisco Proprietary)
  • LACP (IEEE 802.3ad)

EtherChannel with Switch Independent NIC Teaming

This example shows how to configure an EtherChannel on a Cisco switch. It assigns two ports as static-access ports in VLAN 10 to channel group 5 with PAgP mode desirable:

1. To configure specific VLAN for teamed NIC

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable non-silent
Switch(config-if-range)# end

2. To configure Trunk for teamed NIC

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode Trunk
Switch(config-if-range)# channel-group 5 mode desirable non-silent
Switch(config-if-range)# end

EtherChannel with Switch dependent NIC Teaming

This example shows how to configure an EtherChannel on a Cisco switch. It assigns two ports as static-access ports in VLAN 10 to channel group 5 with LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
Switch# show port lacp-channel

This example shows how to configure a cross-stack EtherChannel. It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static-access ports in VLAN 10 to channel 5:

Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# exit
Switch(config)# interface gigabitethernet3/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# channel-group 5 mode active
Switch(config-if)# exit

Set up dynamic load balancing with 802.3ad NIC teaming and the load balance method set to Automatic:

Switch#conf t
Switch(config)#int Gi2/0/23
Switch(config-if)#switchport
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 100
Switch(config-if)#spanning-tree portfast
Switch(config-if)#channel-group 1 mode active
Switch(config-if)#exit
Switch(config)#port-channel load-balance src-mac
Switch(config)#end
Switch#show etherchannel 1 summary
Switch#show spanning-tree interface port-channel 1
Switch#show etherchannel load-balance

HP Switch Configuration

LACP Config:

PROCURVE-Core1#conf ter
PROCURVE-Core1# trunk PORT1-PORT2 (e.g. C1/C2) Trk<ID> (e.g. Trk99) LACP
PROCURVE-Core1# vlan <VLANID>
PROCURVE-Core1# untagged Trk<ID> (e.g. Trk99)
PROCURVE-Core1# show lacp
PROCURVE-Core1# show log lacp

Trunk Config:

PROCURVE-Core1#conf ter
PROCURVE-Core1# trunk PORT1-PORT2 (e.g. C1/C2) Trk<ID> (e.g. Trk99) TRUNK
PROCURVE-Core1# vlan <VLANID>
PROCURVE-Core1# untagged Trk<ID> (e.g. Trk99)
PROCURVE-Core1# show Trunk
PROCURVE-Core1# show log trunk

Migrating VMs from Standalone Hyper-v Host to clustered Hyper-v Host

Scenario 1: In-place migration of two standalone Windows Servers (Hyper-v role installed) into clustered Windows Servers (Hyper-v role installed).

Steps involved in this scenario (there will be downtime):

  1. Delete all snapshots from VMs
  2. Update Windows Server to latest patches and hotfixes
  3. Reboot hosts
  4. Install Failover Clustering Windows Feature in both hosts
  5. Connect hosts with shared storage infrastructure either iSCSI or fibre channel
  6. Present shared storage (5GB for the Quorum disk and additional disks for the VM store) to the Hyper-v hosts.
  7. Run the Failover Cluster Wizard and create the cluster.
  8. From Failover Cluster Manager, click Disks, select the virtual machine storage and convert the disk to a Cluster Shared Volume.
  9. Open Hyper-v Manager from Server Manager, run Storage Migration and migrate all VM data to a single location on the shared storage.
  10. Now use the Configure Role Wizard from Failover Cluster Manager, select Virtual Machine from the drop-down list, select one or more VMs and migrate those VMs to the failover cluster.
  11. Test Live migration.
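Scenario 1 steps 1 and 4 to 11 above, carried out with the FailoverClusters and Hyper-V PowerShell modules, as an added example that is not part of the original post; host names, cluster name and IP, the quorum disk resource name and the CSV path are assumptions.

```powershell
# Added example (not from the original post): in-place conversion of two
# standalone Hyper-V hosts into a cluster. All names and addresses are assumed.
$Nodes       = 'HV01', 'HV02'
$ClusterName = 'HVCLUSTER01'
$ClusterIP   = '10.10.20.50'        # management VLAN 2 from the example table
$VMs         = @(Get-VM -ComputerName $Nodes)   # every VM on both hosts

# Step 1: refuse to continue while any VM still has checkpoints (snapshots);
# a VM with a checkpoint chain cannot be safely storage-migrated and clustered.
$snaps = $VMs | Get-VMSnapshot
if ($snaps) { throw "Delete these checkpoints first: $($snaps.VMName -join ', ')" }

# Step 4: Failover Clustering feature on both hosts.
foreach ($n in $Nodes) {
    Install-WindowsFeature -ComputerName $n -Name Failover-Clustering `
        -IncludeManagementTools | Out-Null
}

# Step 7: validate first, then create the cluster. A failed storage or network
# validation test is exactly what the wizard would have stopped on.
$report = Test-Cluster -Node $Nodes
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null

# Step 6/8: bring in the presented disks; the 5 GB disk becomes the quorum
# witness and the remaining disks become Cluster Shared Volumes for the VM store.
$disks   = Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk
$witness = 'Cluster Disk 1'   # assumed: verify which resource is the 5 GB disk with Get-ClusterResource
Set-ClusterQuorum -Cluster $ClusterName -NodeAndDiskMajority $witness | Out-Null
$disks | Where-Object { $_.Name -ne $witness } |
    Add-ClusterSharedVolume -Cluster $ClusterName | Out-Null

# Step 9: storage-migrate every VM (config, VHDs, checkpoints) onto the CSV.
$csvPath = 'C:\ClusterStorage\Volume1'   # assumed CSV mount point
foreach ($vm in $VMs) {
    Move-VMStorage -VM $vm -DestinationStoragePath "$csvPath\$($vm.Name)"
}

# Step 10: make each VM a clustered role.
foreach ($vm in $VMs) {
    Add-ClusterVirtualMachineRole -Cluster $ClusterName -VirtualMachine $vm.Name | Out-Null
}

# Step 11: live-migrate the first VM to the other node and show where every
# VM role now runs.
$first  = $VMs[0]
$target = $Nodes | Where-Object { $_ -ne $first.ComputerName } | Select-Object -First 1
Move-ClusterVirtualMachineRole -Cluster $ClusterName -Name $first.Name `
    -Node $target -MigrationType Live | Out-Null
Get-ClusterGroup -Cluster $ClusterName |
    Where-Object { $_.GroupType -eq 'VirtualMachine' } |
    Select-Object Name, OwnerNode, State
```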

Scenario 2: Migrating standalone Windows Servers (Hyper-v role installed) using local storage to different Windows Servers (Hyper-v role installed) cluster using shared storage.

In this scenario, the clustered Windows servers do not see the local storage in the old Hyper-v host, and the old Hyper-v host does not see the shared storage in the new clustered environment. There will be downtime when you migrate VMs. Delete any snapshots and back up all VMs before you proceed.

Option A: Download the Veeam Backup & Replication 8 trial version and configure a VM as the Veeam management server. Add the source host (the standalone Hyper-v host) and the target host (the Hyper-v cluster). Replicate all the VMs. Shut down the old VMs on the standalone Hyper-v hosts, then power on the VMs in the Hyper-v cluster. Delete the old VMs.

Option B: Copy the VHD and configuration files into the clustered shared storage. Log on to one of the clustered Hyper-v hosts, open Hyper-v Manager and use the Import Virtual Machine option to import the VM. Then use the Configure Role option in Failover Cluster Manager on the same host to move the VM into the cluster, and power on the VM in the cluster.

My recommendation: use Veeam B&R.

Scenario 3: Migrating standalone Windows Servers (Hyper-v role installed) using iSCSI storage to different Windows Servers (Hyper-v role installed) cluster using fibre channel or iSCSI storage.

Option A: Shut down the VMs. Present the same iSCSI storage that is connected to the standalone hosts to the clustered hosts. Use storage migration to migrate the VMs to the clustered hosts. Then use the Configure Role option in Failover Cluster Manager to migrate the VMs into the Hyper-v cluster.

Option B: Again, use Veeam to do the job.

There are many factors and challenges when migrating VMs from a standalone environment to a clustered environment.

  1. iSCSI storage to Fibre Channel storage, where the new cluster has host bus adapters (HBAs) and the old standalone host does not. You can use the Microsoft iSCSI Initiator to fulfil the initiator requirement on the new host.
  2. Fibre Channel storage to iSCSI storage. There will be significant downtime to fulfil this requirement because of the new architecture. Veeam can be part of the solution.
  3. Multi-site and geographically diverse clusters will depend on MPLS or IPVPN network latency and bandwidth.

In conclusion, there is no silver bullet for every situation. You have to consult a Microsoft partner to get the correct migration path that best fits your requirements.

How to install and run Hyper-v Server 2012 R2 on USB

Requirements:

Note: The following steps work for Hyper-v Server 2012 R2. You have to use the SConfig tool to configure basic Hyper-v settings such as remote administration and networking. When you boot the server from the USB stick containing the .vhdx file, Setup begins and you can then select your preferred option.

How to install Hyper-v Server 2012 R2 on USB

Step1: Install Windows WAIK on a Windows 8 PC

You will see DISM.exe in C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\amd64\DISM

Step2: Extract Windows Server 2012 R2 and copy install.wim file in C:\Win2012R2ISO location

Step3: Create VHDX file

Open an elevated command prompt and issue the following commands step by step

mkdir c:\Win2012R2

diskpart

create vdisk file=c:\Win2012R2\HYPV2012R2.vhdx maximum=81920 type=fixed

where 81920 (MB) is 80GB.

select vdisk file=c:\Win2012R2\HYPV2012R2.vhdx

attach vdisk

create partition primary

assign letter=r

format quick fs=ntfs label=HYPV2012R2

exit

Step4: Apply install.wim file

Open an elevated command prompt and issue the following commands step by step

cd /d "c:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\<architecture>\DISM" (where <architecture> is amd64 or x86)

dism.exe /apply-image /ImageFile:C:\Win2012R2ISO\install.wim /Index:1 /ApplyDir:R:\

Step5: Insert USB stick and create partition

Open an elevated command prompt and issue the following commands step by step

diskpart

list disk

select disk <USB stick number>

clean

create partition primary

select partition 1

active

format quick fs=ntfs

assign letter=v

exit

Step6: Remove PageFile from Bootable disk

Open an elevated command prompt and issue the following commands step by step

reg load HKLM\HyperVTemp r:\windows\system32\config\system

reg add "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v PagingFiles /t REG_MULTI_SZ /d "" /f

reg delete "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v ExistingPageFiles /f

If you receive an invalid key error, simply type regedit, go to this location and delete the PagingFiles value.

reg unload HKLM\HyperVTemp

Step7: Copy VHDX to USB stick

Say the USB stick is presented as the V: drive of your PC. Copy the VHDX file from c:\Win2012R2\HYPV2012R2.vhdx to the V: drive where the USB stick is attached. Open an elevated command prompt and issue the following commands step by step

diskpart

list disk

select vdisk file=V:\HYPV2012R2.vhdx

attach vdisk

exit

Step8: Make it bootable

Open an elevated command prompt and issue the following commands step by step

cd /d "c:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\<architecture>\BCDBoot"

bootsect /nt60 v: /force /mbr

Use the BCDBoot tool to copy the necessary boot files so that you can boot your USB stick.

bcdboot r:\windows /s v:

Step9: Detach V:\HYPV2012R2.vhdx

Open an elevated command prompt and issue the following commands step by step

diskpart

select vdisk file=V:\HYPV2012R2.vhdx

detach vdisk

exit

Step10: Test

Detach the USB stick from the PC and insert it into the server. Power on the server and go into the BIOS. Change the boot order to USB / built-in hypervisor. Save and exit the BIOS. Reboot the server.

Step11: Troubleshooting if required

  • Put the USB stick into your server.
  • Boot the server using a Hyper-v 2012 R2 DVD.
  • Select your language, click Next, then select 'Repair your computer'.
  • Select 'Command prompt'.
  • Run 'bcdedit /enum'; it's probably still pointing to your .vhdx file (check 'device' and 'osdevice').
  • Fix this by using bcdedit, I used;
    bcdedit.exe /set {default} device vhd=[C:]\HYPRV2012R2.vhd
    and
    bcdedit.exe /set {default} osdevice vhd=[C:]\HYPRV2012R2.vhd
  • Now remove the Windows DVD and boot from USB.

References: http://technet.microsoft.com/en-us/library/ee731893%28WS.10%29.aspx

Migrate Windows Server 2008/R2 Active Directory to Windows Server 2012/R2 Active Directory

Forest Functional Prerequisites

  1. Check that the Domain Functional Level is currently set to at least Windows Server 2003 mode.
  2. Open the Active Directory Users and Computers console and right-click the domain.
  3. Select Raise Domain Functional Level and review the current domain functional level reported; it must be at least Windows Server 2003.

RBAC Requirement

Your account must be a member of Domain Admins, Schema Admins and Enterprise Admins.

Systems Requirement

Processor | 1 vCPU
RAM | 4GB
Free disk space | 32 GB
Screen resolution | 800 x 600 or higher
Network | 1 Ethernet
DVD | 1

Prepare Windows Machine

  1. Download Windows Server 2012 R2.
  2. Build the Windows Server 2012 R2 server.
  3. Join the server to the domain with a static IP.

Prepare Forest and Domain

  1. Mount the Windows Server 2012 R2 ISO on the Windows Server 2008 R2 Domain Controller.
  2. Log on to the Windows 2008 R2 domain controller as an administrator.
  3. Open command prompt as an administrator, and type adprep /forestprep and press enter.
  4. Open command prompt as an administrator, and type adprep /domainprep and press enter.

Install AD DS Role

  1. Open the Server Manager console and click on Add roles and features
  2. Select Role-based or feature-based installation and click Next.
  3. Select the Active Directory Domain Services role.
  4. Accept the default features required by clicking the Add Features button.
  5. On the Features screen click the Next button.
  6. On the Confirm installation selections screen, click Install. Tick Restart the destination server automatically if required.
  7. Click the Close button once the installation has been completed.
  8. Once completed, a notification appears on the dashboard marked by an exclamation mark. Select it and from the drop-down menu select Promote this server to a domain controller.
  9. Select Add a domain controller to an existing domain.
  10. Ensure the target domain is specified. If it is not, either select the proper domain or enter it in the field provided.
  11. Click Change, provide the required Enterprise Administrator credentials and click the Next button.
  12. Define whether the server should be a Domain Name System (DNS) server and a Global Catalog (GC). Select the Site to which this DC belongs and define the Directory Services Restore Mode (DSRM) password for this DC.
  13. Click the Next button on the DNS options screen.
  14. Click the Next button once completed.
  15. Specify the location for the AD database and SYSVOL and click Next.
  16. Next up is the Schema and Domain preparation. Alternatively, one could run adprep prior to commencing these steps; if adprep has not been run, it will be completed automatically on your behalf.
  17. Finally, the Review Options screen provides a summary of all the selected options for server promotion. As an added bonus, clicking the View Script button gives you the PowerShell script to automate future installations. Click Next to continue.
  18. Should all the prerequisites pass, click the Install button to start the installation.
  19. After it completes the required tasks and the server restarts, the new Windows Server 2012 R2 Domain Controller setup is completed.

Check New Domain Controller in AD Sites and Services

  1. Open Active Directory Users and Computers, expand <Your Domain> and click the Domain Controllers OU to verify your server is listed.
  2. Open DNS Manager, right-click <Your Domain>, select Properties and then click the Name Servers tab. Verify that your server is listed in the Name Servers list.
  3. Open Active Directory Sites and Services and verify that your server is listed under Servers in Default-First-Site-Name.

Check New Domain Controller in DNS Manager

  1. Open DNS Manager on the new Domain Controller.
  2. Expand Forward Lookup Zones.
  3. Select the FQDN of the domain>Double-click Name Server (NS)>Properties>Check for the new server in the Name Servers tab.

Transfer FSMO Role

Now transfer all the FSMO roles from the Windows 2008 domain controller to the Windows 2012 R2 domain controller. Log on to the Windows 2008 domain controller as an enterprise admin, open a command prompt and type these commands in order:

ntdsutil

roles

connections

connect to server WIN2012R2SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master
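The same five transfers done with the ActiveDirectory module, with a before/after check that ntdsutil does not give you, as an added example that is not part of the original post; the new DC name is the placeholder used above.

```powershell
# Added example (not from the original post): transfer the FSMO roles and verify
# that every role now reports the new DC. Run as Enterprise Admin on any DC.
Import-Module ActiveDirectory
$NewDC = 'WIN2012R2SERVERNAME'   # placeholder for the new Windows Server 2012 R2 DC

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

"Role holders before the transfer:"
Get-FsmoHolders | Format-Table -AutoSize

# Transfer (not seize): the Windows 2008 DC must be online so the roles are
# handed over cleanly. Seizing is only for a DC that is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify against the new DC's FQDN, which is how the role holders are reported.
$fqdn     = (Get-ADDomainController -Identity $NewDC).HostName
$after    = Get-FsmoHolders
$notMoved = $after.GetEnumerator() | Where-Object { $_.Value -ne $fqdn }
if ($notMoved) {
    throw "Roles not held by ${fqdn}: $(($notMoved | ForEach-Object { $_.Key }) -join ', ')"
}
"All five FSMO roles are now held by $fqdn"
```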

Change DNS Properties of Servers and Workstations

Each server and workstation within the target domain requires a NIC properties update to point to the new Domain Controller. For DHCP clients, open the DHCP management console, select Option 006 (DNS Servers) under the server or scope options and add the IP address of your new Domain Controller as a DNS server.

Removing the Windows 2008 R2 domain controller

  1. On the Windows 2008 R2 server click Start, Click Run, type dcpromo, then click
  2. After the Welcome to the Active Directory Installation Wizard page, be sure to leave the Delete the domain because this server is the last domain controller in the domain
  3. On the Administrator Password Page, enter your password and click Next.
  4. On the Summary page, click Next, wait for the process to end, then click
  5. On the Completing the Active Directory Domain Services Installation Wizard, click
  6. On the Active Directory Domain Services Installation Wizard page, click Restart Now to Restart the server.
  7. After the reboot is complete, move the Windows Server 2008 R2 server from the domain to a workgroup and remove any unnecessary records from Active Directory Sites and Services.

Note: Wait for all schema objects to be cleaned up automatically. Do not rush to clean any schema object or DNS record on the new Domain Controller.

Windows Server 2012 R2 Gateway

Windows Server 2012 R2 can be configured as a Gateway VM in a two- or four-node cluster on a Hyper-v host. The Gateway VM, or router, enhances a data center by providing a secure router for a public or private cloud. A Gateway VM cluster can provide routing functionality for up to 200 tenants; each Gateway VM can provide routing functionality for up to 50 tenants.

Two different versions of the gateway router are available in Windows Server 2012 R2.

RRAS Multitenant Gateway: The RRAS Multitenant Gateway router can be used for multitenant or non-multitenant deployments, and is a full-featured BGP router. To deploy an RRAS Multitenant Gateway router, you must use Windows PowerShell commands.

RRAS Gateway configuration and options:

  • Configure the RRAS Multitenant Gateway for use with Hyper-V Network Virtualization
  • Configure the RRAS Multitenant Gateway for use with VLANs
  • Configure the RRAS Multitenant Gateway for Site-to-Site VPN Connections
  • Configure the RRAS Multitenant Gateway to Perform Network Address Translation for Tenant Computers
  • Configure the RRAS Multitenant Gateway for Dynamic Routing with BGP

Windows Server 2012 R2 Gateway: To deploy Windows Server Gateway, you must use System Center 2012 R2 Virtual Machine Manager (VMM). The Windows Server Gateway router is designed for use with multitenant deployments.

Multi-tenancy is the ability of a cloud infrastructure to support the virtual machine workloads of multiple tenants, but isolate them from each other, while all of the workloads run on the same infrastructure. The multiple workloads of an individual tenant can interconnect and be managed remotely, but these systems do not interconnect with the workloads of other tenants, nor can other tenants remotely manage them.

This feature allows a service provider to virtually isolate different subnets, VLANs and network traffic that reside in the same physical core or distribution switch. Hyper-v Network Virtualization uses Network Virtualization Generic Routing Encapsulation (NVGRE), which allows tenants to bring their own TCP/IP address space and name space into the cloud environment.

Systems requirements:

Option | Hyper-v Host | Gateway VM
CPU | 2 Socket NUMA Node | 8 vCPU for two VMs; 4 vCPU for four VMs
CPU Core | 8 | 1
Memory | 48GB | 8GB
Network Adapter | Two 10GB NICs connected to Cisco Trunk Port (1) | 4 virtual NICs: Operating Systems, Clustering heartbeat, External network, Internal network
Clustering | Active-Active | Active-Active or Active-Passive

(1) NIC Teaming in Hyper-V Host: You can configure NIC teaming in the Hyper-V host for the two 10GB NICs. The Windows Server 2012 R2 Gateway VM then has four vNICs connected to the Hyper-V Virtual Switch that is bound to the NIC team.

Deployment Guides:

Windows Server 2012 R2 RRAS Deployment Guide

Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM

Clustering Windows Server 2012 R2

How to configure SMB 3.0 Multichannel in Windows Server 2012 Step by Step

SMB Multichannel

The SMB protocol follows the client-server model; the protocol level is negotiated by the client request and server response when a new SMB connection is established. Windows Server 2012 introduces a feature called SMB 3.0 Multichannel. Multichannel provides link aggregation and fault tolerance.

SMB 3.0 introduces multipath I/O (MPIO), where multiple TCP connections can be established for a given SMB session. Benefits include increased bandwidth, transparent network interface failover and per-session load balancing.

SMB Encryption

Open following registry key

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

  • If the value of the EncryptData DWORD is set to 0, then communication between the SMB client and server is encrypted.
  • If the value of the RejectUnencryptedAccess DWORD is set to 1, then unencrypted communication between the SMB client and server is rejected.

SMB Multichannel Requirement:

  • At least two computers that run on Windows Server 2012 R2, Windows Server 2012, or Windows 8 operating systems. No additional features have to be installed—SMB Multichannel is enabled by default.
  • Multiple network adapters in all hosts
  • One or more network adapters that support Receive Side Scaling (RSS)
  • One or more network adapters that are configured by using NIC Teaming
  • One or more network adapters that support remote direct memory access (RDMA)
  • Both NICs must be in different subnets
  • Enable NICs for client access
  • Dedicated subnets for SMB storage
  • Dedicated Storage VLAN depending on if/how you do converged fabrics
  • VNX File OE version 7.1.65 and later or SMB 3.0 compliant storage
  • Port Channel Group configured in Cisco switch

TCP/IP session without Multichannel

  • No automatic failover (automatic failover only if the NICs are teamed)
  • No automatic failover if RDMA capability is not used
  • Only one NIC engaged
  • Only one CPU engaged
  • Cannot use combined NIC bandwidth

TCP/IP session with Multichannel

  • Automatic failover, or faster automatic failover if the NICs are teamed
  • Automatic failover if RDMA capability is used (multiple RDMA connections)
  • All NICs engaged
  • CPU workload shared across all CPU cores
  • Combined NIC bandwidth

Which one to use, RDMA or RSS?

If you are looking for fault tolerance and throughput, then the obvious choice is NIC teaming with RSS.

Adding a SMB Share in VNX Storage

  1. Create a network. Go to Settings -> Network -> Settings for File and set up your network information.
  2. Go to Storage -> Storage Configuration -> File Systems to create storage and set up your storage configuration.
  3. Go to CIFS Servers tab and create your Server configuration.
  4. Go back to your CIFS Share configuration and assign your CIFS Server as allowed and allow SMB protocol.
  5. Connect your CIFS Share with \\CIFSServer\CIFSShare and your new administrator password.

Adding a port channel group in Switch

Configuration of Cisco Switch with 2 network ports (If you have Cisco)

Switch#conf t
! First member port of the channel group (40 is an example channel-group number)
Switch(config)#interface PORT1 (e.g. Gi3/1)
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
Switch(config-if)#channel-group 40 mode active
Switch(config-if)#exit
! Second member port, same channel group
Switch(config)#interface PORT2 (e.g. Gi3/2)
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
Switch(config-if)#channel-group 40 mode active
Switch(config-if)#end

Configuration of HP Procurve with 2 network ports (If you have HP)

PROCURVE# config terminal
PROCURVE(config)# trunk PORT1-PORT2 trk<ID> lacp        (e.g. trunk C1-C2 trk99 lacp)
PROCURVE(config)# vlan <VLANID>
PROCURVE(vlan-<VLANID>)# untagged trk<ID>              (e.g. untagged trk99)
PROCURVE(vlan-<VLANID>)# exit
PROCURVE(config)# show lacp
PROCURVE(config)# show log lacp

Adding SMB 3.0 Share in Hyper-v

  1. From Server Manager, click Tools and then click Hyper-V Manager
  2. Click Hyper-v Settings, Click Virtual Hard Disk, Type UNC path of SMB 3.0. Click Virtual Machine, Type UNC path of SMB 3.0
  3. Click Ok.
  4. Open an elevated PowerShell prompt.
  5. Check the current SMB Multichannel setting on the client and server side:

     Get-SmbClientConfiguration | Select EnableMultichannel
     Get-SmbServerConfiguration | Select EnableMultichannel

  6. Enable Multichannel:

     Set-SmbServerConfiguration -EnableMultiChannel $true
     Set-SmbClientConfiguration -EnableMultiChannel $true

  7. Verify Multichannel:

     Get-SmbConnection
     Get-SmbMultichannelConnection
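To check the SMB Encryption registry settings and the Multichannel state above in one place, here is an added audit script (not from the original article). It uses the SmbShare cmdlets that ship with Windows Server 2012 R2 and reports EncryptData and RejectUnencryptedAccess as the booleans the cmdlets expose; the share names in the default parameter are assumptions for illustration.

```powershell
# Added example (not from the original article): audit SMB 3.0 encryption and
# Multichannel posture on a Windows Server 2012 R2 file server or Hyper-V host.
# Assumes the built-in SmbShare module and an elevated prompt. Share names are assumed.

function Get-SmbSecurityPosture {
    [CmdletBinding()]
    param(
        # Shares that must require encryption (hypothetical names; adjust to your environment)
        [string[]]$RequiredEncryptedShares = @('VMStore', 'Library')
    )

    $server   = Get-SmbServerConfiguration
    $client   = Get-SmbClientConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    # Server-wide encryption: EncryptData $true requires encryption on every share;
    # RejectUnencryptedAccess $true refuses clients that cannot negotiate SMB 3.0 encryption.
    if (-not $server.EncryptData) {
        $findings.Add('Server-wide EncryptData is off; traffic is only encrypted on shares that require it.')
    }
    if (-not $server.RejectUnencryptedAccess) {
        $findings.Add('RejectUnencryptedAccess is off; down-level clients may reach encrypted shares in clear text.')
    }
    if ($server.EnableSMB1Protocol) {
        $findings.Add('SMB1 is enabled; SMB1 clients cannot use encryption or Multichannel.')
    }

    # Per-share encryption flags (Get-SmbShare exposes EncryptData for each share)
    foreach ($name in $RequiredEncryptedShares) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $share) {
            $findings.Add("Share '$name' not found on this server.")
        } elseif (-not $share.EncryptData -and -not $server.EncryptData) {
            $findings.Add("Share '$name' does not require encryption.")
        }
    }

    # Multichannel must be enabled at both ends to get failover and link aggregation
    if (-not $server.EnableMultiChannel) { $findings.Add('Server Multichannel is disabled.') }
    if (-not $client.EnableMultiChannel) { $findings.Add('Client Multichannel is disabled.') }

    # Active sessions: how many local NICs actually carry SMB traffic to each server,
    # and whether those paths are RSS / RDMA capable
    $sessions = Get-SmbMultichannelConnection -ErrorAction SilentlyContinue |
        Group-Object -Property ServerName |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $_.Name
                NicsInUse   = ($_.Group | Select-Object -ExpandProperty ClientInterfaceIndex -Unique).Count
                RssCapable  = ($_.Group | Where-Object ClientRSSCapable).Count
                RdmaCapable = ($_.Group | Where-Object ClientRdmaCapable).Count
            }
        }

    [pscustomobject]@{
        EncryptData             = $server.EncryptData
        RejectUnencryptedAccess = $server.RejectUnencryptedAccess
        MultichannelServer      = $server.EnableMultiChannel
        MultichannelClient      = $client.EnableMultiChannel
        Sessions                = $sessions
        Findings                = $findings
    }
}

function Set-SmbSecurityBaseline {
    # Enforce the settings the article walks through: encryption required, unencrypted
    # access rejected, Multichannel on for both roles. -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -EnableMultiChannel $true -Force
    Set-SmbClientConfiguration -EnableMultiChannel $true -Force
}

# Usage: Get-SmbSecurityPosture | Format-List
```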

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Assumption:

I assume you have the following infrastructure ready.

  • Domain Controller: DC1PVDC01
  • Certificate Authority: DC1PVCA01
  • AD FS Server: DC1PVADFS01
  • Exchange Server: DC1PVEXCH01

Naming Convention:

  • DC1= Data Center 1 (location)
  • P=Production Systems
  • V=Virtual Server
  • DC=Domain Controller

And so on.

Proposed Web Application Proxy Server:

Option                        Description
Virtual Machine Name          DC1PVWAP01
Memory                        4GB
vCPU                          1
Hard Disk 1                   50GB
Network Adapter               2
Guest Operating System        Windows Server 2012 R2
Hyper-V Integration Service   Installed

Windows Server Role:

Role   Web Application Proxy

Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated WAP network name. The following binding order will be maintained within Windows operating systems:

  1. First in Order- WAP internal adapter connected to the trusted network.
  2. Second in Order- WAP external adapter connected to the un-trusted network.

The following is the network configuration for the WAP server.

Option             IP Address     Subnet          Default Gateway   DNS
Internal Network   10.10.10.2     255.255.255.0   Not required      10.10.10.1
External Network   192.168.1.1    255.255.255.0   192.168.1.254     Not required

Important! The External Network can be assigned a public IP if the WAP server is not placed behind a frontend router/firewall. In an edge configuration the WAP external network is configured with a public IP and the internal network is assigned an IP address from the internal range.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and WAP wizard/console names. For example:

  • WAP adapter connected to the trusted network: Internal Network
  • WAP adapter connected to the un-trusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your un-trusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding is left at its default setting of Enabled on the WAP Internal Network adapter. This allows the Internal Network adapter to be used for intra-array services when using a WAP cluster.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

  1. Internal Network (Highest)
  2. External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
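Configuration Steps 1 to 3 can also be scripted. The following is an added example (not from the original article) using the NetAdapter, NetTCPIP and DnsClient cmdlets that ship with Windows Server 2012 R2; the physical adapter names 'Ethernet' and 'Ethernet 2' are assumptions, the addresses are those from the table above, and the interface-metric step is a scriptable stand-in for the GUI binding order.

```powershell
# Added example (not from the original article): configure the two WAP adapters as in
# Steps 1-3. Run elevated. Adapter names before renaming are assumptions; IP values
# come from the article's network configuration table.

function Set-WapAdapters {
    param(
        [string]$InternalAdapter = 'Ethernet',     # physical name before renaming (assumed)
        [string]$ExternalAdapter = 'Ethernet 2',   # physical name before renaming (assumed)
        [string]$InternalIP      = '10.10.10.2',
        [string]$InternalDns     = '10.10.10.1',
        [string]$ExternalIP      = '192.168.1.1',
        [string]$ExternalGateway = '192.168.1.254',
        [int]$PrefixLength       = 24              # 255.255.255.0
    )

    # Step 1: descriptive names that match the WAP wizard
    Rename-NetAdapter -Name $InternalAdapter -NewName 'Internal Network'
    Rename-NetAdapter -Name $ExternalAdapter -NewName 'External Network'

    # Step 2a: Internal Network - DNS defined, no default gateway, Microsoft bindings on
    New-NetIPAddress -InterfaceAlias 'Internal Network' -IPAddress $InternalIP -PrefixLength $PrefixLength | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias 'Internal Network' -ServerAddresses $InternalDns
    Set-DnsClient -InterfaceAlias 'Internal Network' -RegisterThisConnectionsAddress $true
    Enable-NetAdapterBinding -Name 'Internal Network' -ComponentID ms_msclient, ms_server

    # Step 2b: External Network - default gateway defined, no DNS, no DNS registration,
    # Client for Microsoft Networks and File and Print Sharing disabled on the untrusted side
    New-NetIPAddress -InterfaceAlias 'External Network' -IPAddress $ExternalIP -PrefixLength $PrefixLength `
        -DefaultGateway $ExternalGateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias 'External Network' -ResetServerAddresses
    Set-DnsClient -InterfaceAlias 'External Network' -RegisterThisConnectionsAddress $false
    Disable-NetAdapterBinding -Name 'External Network' -ComponentID ms_msclient, ms_server

    # NetBIOS over TCP/IP off on the external adapter (TcpipNetbiosOptions 2 = disable)
    $ext = Get-NetAdapter -Name 'External Network'
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $($ext.InterfaceIndex)" |
        Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

    # LMHOSTS lookup is a machine-wide WINS setting (disabled on both adapters in the article)
    Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
        -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

    # Step 3: the GUI bind order is not directly scriptable; a lower interface metric gives
    # the Internal adapter precedence for routing and name resolution
    Set-NetIPInterface -InterfaceAlias 'Internal Network' -AddressFamily IPv4 -InterfaceMetric 10
    Set-NetIPInterface -InterfaceAlias 'External Network' -AddressFamily IPv4 -InterfaceMetric 20
}

function Test-WapAdapters {
    # $true only when the external adapter has no DNS servers and no Microsoft
    # client/server bindings, and the internal adapter has no default route
    $extDns  = (Get-DnsClientServerAddress -InterfaceAlias 'External Network' -AddressFamily IPv4).ServerAddresses
    $extBind = Get-NetAdapterBinding -Name 'External Network' -ComponentID ms_msclient, ms_server | Where-Object Enabled
    $intGw   = Get-NetRoute -InterfaceAlias 'Internal Network' -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    return ($extDns.Count -eq 0) -and ($null -eq $extBind) -and ($null -eq $intGw)
}
```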

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose      Public Host Name            Public IP Address
Exchange     webmail.yourdomain.com      203.17.x.x
SharePoint   sharepoint.yourdomain.com   203.17.x.x

External Firewall Rules

The following NAT rules will be added in the perimeter network to publish applications and services through WAP. These rules apply only if you place Web Application Proxy (WAP) behind a firewall or Cisco ASA; otherwise you do not need them.

Rule   Description   Source IP   Destination IP Address   Port   NAT Destination
1      Exchange      Any         203.17.x.x               443    192.168.1.2
2      SharePoint    Any         203.17.x.x               443    192.168.1.3

Building Web Application Proxy Server on Windows Server 2012 R2 Steps:

  1. Install Windows Server 2012 R2.
  2. Configure TCP/IP of Windows Server 2012 R2
  3. Join Web Application Proxy server to Domain
  4. Install Web Application Proxy Role
  5. Configure Kerberos Constraint Delegation
  6. Configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server
  7. Configure Firewall if WAP Server placed behind a Cisco ASA
  8. Install Public certificate into Web Application Proxy Server
  9. Publish Application

Configure Kerberos Constraint delegation

1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen.

2. Click Tools, and then click ADSI Edit.

3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

4. In the left pane, expand Default naming context, expand DC=yourdomain, DC=com, expand CN=Computers, right-click CN=DC1PVWAP01, and then click Properties.

5. On the CN=DC1PVWAP01 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/DC1PVWAP01.yourdomain.com and click Add. Then enter HTTP/DC1PVWAP01 and click Add. The Values list now contains two new entries; for example, HTTP/DC1PVWAP01.yourdomain.com and HTTP/DC1PVWAP01.

7. On the Multi-valued String Editor dialog box, click OK.

8. On the CN=DC1PVWAP01 Properties dialog box, click OK.

9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

10. In the navigation pane, under yourdomain.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.

11. On the DC1PVWAP01 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.

12. Click Add, and on the Add Services dialog box, click Users or Computers.

13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.

14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

15. On the DC1PVWAP01 Properties dialog box, click OK.
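The same SPN and delegation settings from steps 1 to 15 can be applied and verified with the ActiveDirectory module. This is an added example (not from the original article); it reuses the article's names DC1PVWAP01, yourdomain.com and WebServ1, and requires RSAT-AD-PowerShell plus domain admin rights.

```powershell
# Added example (not from the original article): script Kerberos constrained delegation
# for the WAP computer object. Names come from the article; run as a domain administrator.

function Set-WapConstrainedDelegation {
    param(
        [string]$WapComputer      = 'DC1PVWAP01',
        [string]$DnsDomain        = 'yourdomain.com',
        [string[]]$BackendServers = @('WebServ1')   # article's example backend
    )
    Import-Module ActiveDirectory
    $wap = Get-ADComputer -Identity $WapComputer

    # Steps 4-8: register the two HTTP SPNs on the WAP computer object
    $spns = @("HTTP/$WapComputer.$DnsDomain", "HTTP/$WapComputer")
    Set-ADComputer -Identity $wap -ServicePrincipalNames @{ Add = $spns }

    # Steps 11-14: delegate only to the http service on the listed backends.
    # 'Use any authentication protocol' is protocol transition (TrustedToAuthForDelegation),
    # so keep this target list minimal: it is the full set of services WAP may act towards.
    $targets = foreach ($s in $BackendServers) {
        $fqdn = (Get-ADComputer -Identity $s -Properties DNSHostName).DNSHostName
        "http/$fqdn"
        "http/$s"
    }
    Set-ADComputer -Identity $wap -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
    Set-ADAccountControl -Identity $wap -TrustedToAuthForDelegation $true
}

function Test-WapConstrainedDelegation {
    param([string]$WapComputer = 'DC1PVWAP01')
    $c = Get-ADComputer -Identity $WapComputer -Properties ServicePrincipalNames,
            'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation

    [pscustomobject]@{
        Spns                 = $c.ServicePrincipalNames
        AllowedToDelegateTo  = $c.'msDS-AllowedToDelegateTo'
        ProtocolTransition   = $c.TrustedToAuthForDelegation
        # Unconstrained delegation must stay off for a DMZ-facing host
        UnconstrainedEnabled = $c.TrustedForDelegation
        # Anything other than http/ targets means the delegation scope drifted
        NonHttpTargets       = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notmatch '^http/' })
    }
}

# Usage: Set-WapConstrainedDelegation; Test-WapConstrainedDelegation | Format-List
```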

Configure AD FS (Optional when using pass-through pre-authentication)

1. On the Start screen, type AD FS Management, and then press ENTER.

2. Under the AD FSTrust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

5. On the Specify Display Name page type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then click Next.

7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.

9. In the AD FS Management console, set the endpoint to Proxy Enabled.

Configure Certificate Template in CA

Note: This step applies only when using an Enterprise certificate authority.

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate, and then click Duplicate Template.

3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server 2008–based template.

4. On the General tab, enter the Template display name and the Template name, and then click OK.

5. Define any additional attributes such as mark “private key exportable” for the newly created certificate template.

Export & Import Certificates into Web Application Proxy Server

This is a very important step for published applications to work correctly. You must export the .pfx certificate from the application servers (Exchange, SharePoint or Lync Server) and import it into the Web Application Proxy server, so that Internet Explorer, the Web Application Proxy server and the application servers validate the same certificate.

Exporting a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click the Personal > Certificates folder and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
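The export and import above can be done with Export-PfxCertificate and Import-PfxCertificate (available on Windows Server 2012 and later) while checking by thumbprint that the WAP server ends up with exactly the certificate the application server uses. This is an added example, not from the original article; the subject name, file path and password handling are assumptions.

```powershell
# Added example (not from the original article): move the application certificate to the
# WAP server and verify by thumbprint. Subject, path and password are assumptions.

function Export-AppCertificate {
    param(
        [Parameter(Mandatory)][string]$Subject,        # e.g. 'CN=webmail.yourdomain.com'
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Newest unexpired certificate with a private key for that subject
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No exportable certificate found for $Subject" }

    # BuildChain includes the intermediate CA certificates (article step 7);
    # the private key is never deleted from the source store by this cmdlet
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    return $cert.Thumbprint
}

function Import-AppCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password

    # Confirm the store now holds the same leaf certificate the application server exported
    $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $ExpectedThumbprint
    if (-not $leaf) { throw "Imported PFX does not contain thumbprint $ExpectedThumbprint" }
    if (-not $leaf.HasPrivateKey) { throw 'Private key missing; re-export with "Yes, export the private key"' }
    return $leaf.Thumbprint   # use this value for -ExternalCertificateThumbprint when publishing
}

# Usage (first on the application server, then on the WAP server after copying the file):
# $pw = Read-Host -AsSecureString 'PFX password'
# $tp = Export-AppCertificate -Subject 'CN=webmail.yourdomain.com' -PfxPath 'C:\Temp\webmail.pfx' -Password $pw
# Import-AppCertificate -PfxPath 'C:\Temp\webmail.pfx' -Password $pw -ExpectedThumbprint $tp
```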

Install Web Application Proxy Role

1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3. On the Select server roles dialog, select Remote Access, and then click Next.

4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In the navigation pane, click Web Application Proxy.

3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

5. On the Federation Server dialog, do the following, and then click Next:

  • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.yourdomain.com.
  • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

7. The certificate you choose here should be the one whose subject is the Federation Service name, for example fs.yourdomain.com.

8. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

9. On the Results dialog, verify that the configuration was successful, and then click Close.

Publish Application using AD FS Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://sp.yourdomain.com/app1/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://sp/app1/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish an integrated Windows authenticated application

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.
  • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Client Certificate Pre-Authentication

You can publish an application using client certificate pre-authentication. This step can only be performed using Windows PowerShell. Open an elevated Windows PowerShell prompt on the WAP server, change the following command as required and run it.

Add-WebApplicationProxyApplication `
    -BackendServerURL 'https://app.yourdomain.com/' `
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' `
    -ExternalURL 'https://app.yourdomain.com/' `
    -Name 'Client certificate preauthentication application' `
    -ExternalPreAuthentication ClientCertificate `
    -ClientCertificatePreauthenticationThumbprint '123456abcdef123456abcdef123456abcdef12ab'

Publish Application using Pass-through Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://maps.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://maps/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

6. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Windows Store App or Oauth2

You can publish an application for a Windows Store app using OAuth2 pre-authentication. This step can only be performed using Windows PowerShell. Open an elevated Windows PowerShell prompt on the WAP server, change the following commands as required and run them.

Set-WebApplicationProxyConfiguration -OAuthAuthenticationURL 'https://fs.yourdomain.com/adfs/oauth2/'

Add-WebApplicationProxyApplication `
    -BackendServerURL 'https://storeapp.yourdomain.com/' `
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' `
    -ExternalURL 'https://storeapp.yourdomain.com/' `
    -Name 'Windows Store app Server' `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName 'Store_app_Relying_Party' `
    -UseOAuthAuthentication

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Web Application Proxy is a role in Windows Server 2012 R2. Web Application Proxy brings some, but not all, of the functionality of Microsoft Forefront TMG and Microsoft Forefront UAG, since Microsoft phased out the Forefront product line except FIM. Web Application Proxy provides a role in Windows Server 2012 R2 for customers who still want to use the Microsoft platform to publish applications such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization method using Active Directory Federation Services including multifactor authentication and access control. Deployment of ADFS is separate to Web Application Proxy which means you must have a separate server hosting ADFS role.

Benefits of Web Application Proxy

  • Pre-authentication—Only authenticated traffic can get into the corporate network.
  • Network Isolation—Incoming web traffic cannot directly access backend servers.
  • Selective Publishing—Only specific applications and paths within these applications are accessible.
  • DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.
  • Selective Ports- Apply deny ALL and allow selected ports. This policy will prevent SQL injection.
  • Extended validation– URL validation and verification using public certificate authority. Support strong security and encryption using SHA and 2048 bit certificate encryption.

Web Application Proxy Infrastructure

  • Active Directory Domain Services (AD DS)
  • Internal Domain Naming System (DNS)
  • External DNS Name Resolver or ISP
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Web Application Proxy Server(s)
  • Public Certificate Authority
  • Internal Enterprise Certificate Authority
  • Backend Application Server(s)

Web Application Proxy Network

Web Application Proxy can be deployed in several topologies. In all of these scenarios Web Application Proxy needs two network adapters.

Edge Firewall: Behind a frontend firewall like Cisco ASA to separate it from internet. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server.

DMZ: Behind a frontend firewall like Cisco ASA to separate it from internet and before corporate firewall like Cisco ASA to separate it from corporate network. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter directly connected to internet and another network adapter connected to corporate network. Web Application Proxy can be a member of an Active Directory Domain.

TCP/IP Configuration Examples

Scenario            Internal NIC              External NIC
Non-domain joined   IP: 10.10.10.20           IP: 192.168.0.10
                    Subnet: 255.255.255.0     Subnet: 255.255.255.0
                    Gateway: 10.10.10.254     Gateway: NIL
                    DNS: 10.10.10.21          DNS: NIL
Domain joined       IP: 10.10.10.20           IP: 203.17.x.x (public IP)
                    Subnet: 255.255.255.0     Subnet: 255.255.255.0
                    Gateway: NIL              Gateway: 203.17.x.254 (public gateway)
                    DNS: 10.10.10.21          DNS: 8.8.8.8 or public DNS

DNS Requirement

  • Internal DNS: Web Application Proxy must resolve the internal fully qualified domain name of the backend application server, such as the Exchange or SharePoint server. You must configure the correct DNS record and TCP/IP settings on the Web Application Proxy server, either using a DNS server or by editing the hosts file in the Windows\System32\Drivers\Etc location.
  • External DNS: External client must resolve fully qualified domain name of application. In this case, you must configure HOST (A) record in public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have in-built load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load-balancer to balance load between two or more Web Application Proxy Servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

  • AD FS pre-authentication
  • Integrated Windows authentication
  • Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. The NTP server can be your domain controller or a Cisco core switch. Timestamps must be identical between AD FS and the Web Application Proxy server.

Certificate Authority

There are two certificate requirements for a Web Application Proxy server: a certificate from a public CA and a certificate from the enterprise CA.

  • Public CA: For external clients to connect to published web applications over HTTPS, Web Application Proxy must present a certificate that the clients trust. Bind a publicly trusted certificate to the published application on the backend server and on the Web Application Proxy server.
  • Enterprise CA: The AD FS service communications certificate must match the federation service name, and AD FS itself can use an internal enterprise CA. For example, the Common Name (CN) of the certificate is adfs.superplaneteers.com. If AD FS is also published to the Internet through the proxy, the certificate the proxy presents for the federation service name must be trusted by external clients as well, so in practice it comes from the public CA.

Supported Certificate Template

Web Server Certificate with single common name, subject alternative name (SAN) certificates, or wildcard certificates.

Pass-Through Pre-Authentication

When you publish Exchange or SharePoint through Web Application Proxy, you can pass authentication through to the application itself instead of pre-authenticating at AD FS or at Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request to the backend server using either HTTP or HTTPS, and the backend application is the only component that authenticates the user. Pass-through still gives you network isolation, because the backend server is never directly reachable from the Internet and sits behind a reverse proxy that terminates TLS. It does not, however, pre-authenticate anything: every request from the Internet reaches the application, so do not rely on it to stop denial-of-service traffic or application-layer attacks such as SQL injection, which remain the application's own responsibility. Use pass-through only for endpoints whose clients cannot complete AD FS pre-authentication, such as Exchange ActiveSync devices.
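The two publishing modes described above, as an added example that is not part of the original post. It checks clock skew against the federation server first (the NTP requirement), then publishes one application behind AD FS pre-authentication and one as pass-through, and finally lists what is exposed. The application names, URLs, the relying party name and the certificate subject filter are assumptions for illustration; the relying party trust must already exist on the AD FS farm.

```powershell
# Added example (not from the original post). Run on the Web Application Proxy server,
# elevated, after Install-WebApplicationProxy has completed.
Import-Module WebApplicationProxy

$federationServer = 'adfs.superplaneteers.com'   # assumed federation service name

# Preflight: measure clock offset against the federation server. A few seconds is fine;
# minutes of drift will break the proxy trust and token validation.
w32tm /stripchart /computer:$federationServer /samples:3 /dataonly

# Pick the public certificate for the published names (assumed subject pattern).
$publicCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.superplaneteers.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $publicCert) { throw 'No public certificate with a private key found in LocalMachine\My' }

# SharePoint: AD FS pre-authenticates the user before any request reaches the backend.
Add-WebApplicationProxyApplication -Name 'SharePoint' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint Intranet' `
    -ExternalUrl 'https://portal.superplaneteers.com/' `
    -BackendServerUrl 'https://portal.superplaneteers.com/' `
    -ExternalCertificateThumbprint $publicCert.Thumbprint

# Exchange ActiveSync: pass-through. The proxy only reverse-proxies; Exchange authenticates.
# Publish the narrowest URL that works rather than the whole site.
Add-WebApplicationProxyApplication -Name 'Exchange ActiveSync' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://mail.superplaneteers.com/Microsoft-Server-ActiveSync/' `
    -BackendServerUrl 'https://mail.superplaneteers.com/Microsoft-Server-ActiveSync/' `
    -ExternalCertificateThumbprint $publicCert.Thumbprint

# Review: every PassThrough entry below is reachable by unauthenticated Internet clients,
# so this list is the exposed attack surface of the proxy.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Sort-Object ExternalPreauthentication |
    Format-Table -AutoSize
```

Keep the backend URL on HTTPS where the application supports it; the hop from the proxy to the backend crosses the perimeter boundary and is worth protecting even though it is internal.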

Migrate WSUS to Windows Server 2012 R2

Prerequisites

  • Collect the source and destination server names, IP addresses, database name, instance name, and the service account for the database instance.
  • Download Microsoft SQL Server Management Studio and install it on the source and destination SQL servers.
  • Make sure the destination server is joined to the domain and that its time is synced.
  • Do not run the initial configuration wizard on the destination server.
  • As a best practice, do not migrate WSUS onto a domain controller.
  • Obtain the appropriate permissions on the source server, the destination server and the SQL server to initiate and complete the migration tasks.

Migrate local users and groups

1. On the source server, open the Run dialog (Win+R), type lusrmgr.msc, and then press ENTER.

2. In the console tree of the Local Users and Groups MMC snap-in, double-click Users.

3. Manually create a list of the local users.

4. In the console tree of the Local Users and Groups MMC snap-in, double-click Groups, and record the members of the WSUS Administrators and WSUS Reporters groups.

5. On the destination server, open lusrmgr.msc the same way.

6. Manually add the users from the source server to the WSUS Administrators and WSUS Reporters groups.

Back up the WSUS database on the source server

1. After you connect to the appropriate instance of the database in Object Explorer, click the server name to expand the server tree.

2. Expand Databases, and select the SUSDB database.

3. Right-click the database, point to Tasks, and then click Back Up. The Back Up Database dialog box appears.

4. In the Database list, verify the database name.

5. In the Backup type list, select Full.

6. Select Copy-only backup. A copy-only backup is a SQL Server backup that is independent of the sequence of conventional SQL Server backups, so it does not disturb the existing backup chain.

7. For Backup component, click Database.

8. Accept the default backup set name that is suggested in the Name text box, or enter a different name for the backup set.

9. Follow the prompt to complete backup.

Restore the WSUS database backup on the destination server

1. After you connect to the appropriate instance of the database in Object Explorer, click the server name to expand the server tree.

2. Right-click Databases.

3. Click Restore Database. The Restore Database dialog box appears. (If a SUSDB database already exists on the destination instance, select it first; the restore will overwrite it.)

4. On the General page, use the Source section to specify the Source.

5. In the Destination section, the Database box is automatically populated with the name of the database to be restored.

6. In the Backup sets to restore grid, select the backups to restore. This grid displays the backups available for the specified location. By default, a recovery plan is suggested.

7. Follow the prompt to complete Restore. Click OK

Install WSUS Server on the destination server

Before you begin installing WSUS on the destination server you must install the Microsoft .NET Framework, Background Intelligent Transfer Service (BITS) 2.0 and Microsoft Internet Information Services (IIS) on the destination server. Follow the procedure below to install WSUS on the destination server and point it to the restored database.

1. Open Server Manager, Click Add Roles and Features, Select WSUS and install WSUS role.

2. On the Welcome page, click Next.

3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.

4. On the Select Update Source page, you can specify where client computers get updates. If you select Store updates locally, updates are stored on WSUS and you can select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

5. Make your selection, and then click Next.

6. On the Database Options page, click Use an existing database server, and select the instance name from the drop-down list.

7. Make your selection, and then click Next.

8. On the Web Site Selection page, you specify the Web site that WSUS will use. Note two important URLS: the URL to point client computers to WSUS and the URL for the WSUS console where you configure WSUS.

9. Make your selection, and then click Next.

10. On the Mirror Update Settings page, you specify the management role for this WSUS server. If you want a central management topology, enter the name of the upstream WSUS server. If this is the first WSUS server on your network or you want a distributed management topology, skip this screen.

11. Make your selection, and then click Next.

12. On the Ready to Install Windows Server Update Services page, click Next.

Change the WSUS server identity

Performing this step guarantees that WSUS-managed clients are not affected during the migration process. If the source server and the destination server run with the same identity, and a change is made to one of the servers, the communication between the client and server will fail.

1. On the destination server, open an elevated Windows PowerShell prompt and run the following script:

$updateServer = Get-WsusServer
$config = $updateServer.GetConfiguration()
$config.ServerId = [System.Guid]::NewGuid()
$config.Save()

2. As soon as the server identity is changed, run the following command to generate a new encryption key:

wsusutil.exe postinstall

Point the WSUS clients to the new destination server

1. Open the Local Group Policy Editor, and in Specify intranet Microsoft update service policy, change the URL to reflect the new WSUS server.

2. Update the Group Policy settings that are used to point WSUS clients to the WSUS server by entering the FQDN of the new WSUS server. After you have updated the Group Policy settings, WSUS clients will synchronize with the new WSUS server.

3. To force the clients to detect the new destination server, open a command prompt, and run wuauclt.exe /resetauthorization /detectnow and GPUpdate /Force.

Verify the destination server configuration

  1. In Server Manager, click Tools, and then click Windows Server Update Services.
  2. In the WSUS Administration Console, expand Computers, and verify that all the Computer Groups that existed on the source server are displayed.
  3. Expand Synchronizations. In the Actions pane, click Synchronize now. After the synchronization is complete, (this may take several minutes), confirm that Succeeded is displayed in the Results column.

Reconfigure Group Policy

Open WSUS Group Policy, Edit Group Policy and Change WSUS Server.

Verify client computer functionality

After the detection is finished, open %WinDir%\WindowsUpdate.log and verify that the forced detection was successful and that the client contacted the new server.
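The "Change the WSUS server identity" and "Point the WSUS clients to the new destination server" steps above, as an added example that is not part of the original post, with checks that each step actually took effect. It assumes the UpdateServices PowerShell module on the new WSUS server, an elevated prompt, and a new server URL on the SSL port (the hostname is an assumption).

```powershell
# Added example (not from the original post).
Import-Module UpdateServices

# --- On the destination WSUS server: give it a new identity and verify it changed ---
$updateServer = Get-WsusServer
$config       = $updateServer.GetConfiguration()
$oldId        = $config.ServerId

$config.ServerId = [System.Guid]::NewGuid()
$config.Save()

# Re-read from the server instead of trusting the cached object.
$newId = (Get-WsusServer).GetConfiguration().ServerId
if ($newId -eq $oldId) {
    throw 'ServerId was not changed; the migrated server would still answer with the source identity'
}
"ServerId changed from $oldId to $newId"

# Regenerate the encryption key. If postinstall complains that ContentDirectory is
# missing, add CONTENT_DIR=<content path> to the arguments.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# --- On a client: confirm policy points at the new server, then force re-detection ---
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected  = 'https://wsus2012r2.superplaneteers.com:8531'   # assumed new server URL

gpupdate /target:computer /force | Out-Null
$policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop

if ($policy.WUServer -ne $expected) {
    throw "WUServer is '$($policy.WUServer)', expected '$expected'; Group Policy has not reached this client"
}
if ($policy.WUServer -notmatch '^https://') {
    # Over plain HTTP the client trusts whatever answers on the path to the server.
    Write-Warning 'WUServer is plain HTTP; publish WSUS on the SSL port and point clients at https://'
}

# /resetauthorization drops the client cookie tied to the old ServerId so it re-registers.
wuauclt.exe /resetauthorization /detectnow

# The client records which server it contacted; show the most recent lines.
Select-String -Path "$env:windir\WindowsUpdate.log" -Pattern 'WSUS server:' |
    Select-Object -Last 3 | ForEach-Object Line
```

Run the server half once; the client half can be pushed to a pilot group of machines before you change the Group Policy object for the whole estate.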

Data Deduplication in Windows Storage Server 2012 R2

Deduplication in Windows Server: Data deduplication involves finding and removing duplication within data without compromising its fidelity or integrity. The goal is to store more data in less space by segmenting files into small variable-sized chunks (32–128 KB), identifying duplicate chunks, and maintaining a single copy of each chunk. Redundant copies of the chunk are replaced by a reference to the single copy. The chunks are compressed and then organized into special container files in the System Volume Information folder.

Enhanced Dedupe features in Windows Server 2012 R2

  • Data deduplication for remote storage of Virtual Desktop Infrastructure (VDI) workloads
  • Expand an optimized file on its original path.

When using the Data Deduplication feature for the first time or migrating from a previous version of Windows Server, be sure to consider the following related technologies and issues:

  • BranchCache
  • Failover Clusters
  • DFS Replication
  • FSRM quotas
  • Single Instance Storage or NAS Box

Install and Configure Data Deduplication using GUI

1. Open Server Manager, From the Add Roles and Features Wizard, under Server Roles, select File and Storage Services.

2. Select the File Services check box, and then select the Data Deduplication check box.

3. Click Next until the Install button is active, and then click Install.

4. From the Server Manager dashboard, right-click a data volume and choose Configure Data Deduplication. The Deduplication Settings page appears.

5. In the Data deduplication box, select the workload you want to host on the volume. Select General purpose file server for general data files or Virtual Desktop Infrastructure (VDI) server when configuring storage for running virtual machines.

6. Enter the number of days that should elapse from the date of file creation until files are deduplicated, enter the extensions of any file types that should not be deduplicated, and then click Add to browse to any folders with files that should not be deduplicated.

7. Click Apply to apply these settings and return to the Server Manager dashboard, or click the Set Deduplication Schedule button to continue to set up a schedule for deduplication.

Install and Configure Data Deduplication using Windows PowerShell

Start Windows PowerShell. Right-click the Windows PowerShell icon on the taskbar, and then click Run as Administrator.

Import-Module ServerManager
Add-WindowsFeature -Name FS-Data-Deduplication

Import-Module Deduplication

Choose one usage type per volume: HyperV for VDI/VHDX storage, Default for general file data.

Enable-DedupVolume E: -UsageType HyperV

Enable-DedupVolume E: -UsageType Default

Set-DedupVolume E: -MinimumFileAgeDays 20

Get-DedupVolume | Format-List

Start-DedupJob E: -Type Optimization -Wait
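The PowerShell procedure above, carried one step further as an added example that is not part of the original post: exclude folders and file types that should never enter the chunk store, run the optimization, then run the scrubbing job that validates the chunk store and report the savings. The volume letter, folder names and file types are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the file server.
Import-Module Deduplication

$volume = 'E:'

# Keep data under constant change, or data with its own integrity scheme, out of the
# chunk store. Folder and extension lists are hypothetical; adjust to the workload.
Set-DedupVolume -Volume $volume `
    -MinimumFileAgeDays 3 `
    -ExcludeFolder "$volume\Scratch", "$volume\SQLBackups" `
    -ExcludeFileType 'edb', 'ldf', 'mdf'

# Optimize now instead of waiting for the background schedule.
Start-DedupJob -Volume $volume -Type Optimization -Wait | Out-Null

# Scrubbing checks the chunk store for corruption and repairs it from the redundant
# copies that deduplication keeps for frequently referenced chunks. Run it before you
# trust the savings figure: a corrupt chunk can affect every file that references it.
Start-DedupJob -Volume $volume -Type Scrubbing -Wait | Out-Null

# Report savings and the outcome of the last scrub.
$status = Get-DedupStatus -Volume $volume
$vol    = Get-DedupVolume -Volume $volume
[pscustomobject]@{
    Volume         = $status.Volume
    SavedGB        = [math]::Round($status.SavedSpace / 1GB, 2)
    SavingsRate    = "$($vol.SavingsRate)%"
    OptimizedFiles = $status.OptimizedFilesCount
    LastScrub      = $status.LastScrubbingTime
    ScrubResult    = $status.LastScrubbingResult
}

# Scrubbing writes its findings to its own event log channel; show the latest entries.
Get-WinEvent -LogName 'Microsoft-Windows-Deduplication/Scrubbing' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A non-zero ScrubResult, or Scrubbing events reporting unrepairable corruption, means restoring the affected files from backup, not re-running optimization.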

References:

Windows Server 2012 R2 NAS Box with Deduplication Capacity

Introduction to Windows Deduplication

Windows PowerShell Cmdlet for Deduplication

VMware vs Hyper-v: Can Microsoft Make History Again?

In 1852 Karl Marx published "The Eighteenth Brumaire of Louis Napoleon". In that book Marx remarks that history repeats itself, "the first time as tragedy, the second time as farce", referring respectively to Napoleon I and to his nephew Louis Napoleon (Napoleon III).

I am not here to talk about Karl Marx; I am not a specialist on the subject. I am a computer geek. So why refer to Karl Marx? Because I believe the remark above fits the history between Microsoft and Novell.

In past blog posts I compared VMware and Hyper-V:

http://microsoftguru.com.au/2013/01/24/microsofts-hyper-v-server-2012-and-system-center-2012-unleash-ko-punch-to-vmware/

http://microsoftguru.com.au/2013/09/14/vsphere-5-5-is-catching-up-with-hyper-v-2012-r2/

http://microsoftguru.com.au/2013/04/07/is-vmwares-fate-heading-towards-novell/

I found similar arguments echoed by other commentators:

http://blogs.gartner.com/david_cappuccio/2009/06/30/just-a-thought-will-vmware-become-the-next-novell/

http://virtualizedgeek.com/2012/12/04/is-vmware-headed-the-slow-painful-death-of-novell/

Here is Gartner Inc.’s verdict:

http://www.gartner.com/technology/reprints.do?id=1-1GJA88J&ct=130628&st=sb

http://www.gartner.com/technology/reprints.do?id=1-1LV8IX1&ct=131016&st=sb

So the question is: can Microsoft defeat VMware? Can Microsoft make history again? Here is why I believe Microsoft will make history once again, regardless of what VMware fans think. Let's start.

What’s New in Windows Server 2012 R2 Hyper-V

Microsoft has traditionally put out point releases of its server operating system about every two years. Windows Server is no longer a traditional operating system; it is a cloud OS in every practical sense. Let's see what's new in Windows Server 2012 R2 in terms of virtualization.

· New Generation 2 Virtual Machines

· Automatic Server OS Activation inside VMs

· Upgrade and Live Migration Improvements in Windows Server 2012 R2

· Online VHDX Virtual Disk Resize

· Live VM Export and Clone

· Linux Guest VM Enhancements

· Storage Quality of Service ( QoS )

· Guest Clustering with Shared VHDXs

· Hyper-V Replica Site-to-Site Replication Enhancements

Generation 2 VMs

Hyper-V in Windows Server 2012 R2 supports the concept of a totally new architecture based on modern hardware with no emulated devices. This makes it possible to add a number of new features, such as secure boot for VMs and booting off of virtual SCSI or virtual network adapters.

VM Direct Connect

Windows Server 2012 R2 Hyper-V adds VM Direct Connect, which allows a direct remote desktop connection to any running VM over what is now called the VM bus, without needing network connectivity to the guest. It is also integrated into the Hyper-V management experience.

Extend replication to a third site

Hyper-V Replica in Windows Server 2012 is currently limited to a single replication target. This makes it difficult to support scenarios like a service provider wanting to act both as a target for a customer to replicate and a source to replicate to another offsite facility. Windows Server 2012 R2 and Hyper-V now provide a tertiary replication capability to support just such a scenario. By the same token, enterprises can now save one replica in-house and push a second replica off-site.

Compression for faster migration

Two new options in Windows Server 2012 R2 Hyper-V help improve the performance of live migrations. The first is the ability to enable compression of the data to reduce the total number of bytes transmitted over the wire. The obvious caveat is that tapping CPU resources for data compression could impact other operations, so take that into consideration. The second option, SMB Direct, requires network adapters that support RDMA. Microsoft's advice: if you have 10 GbE with RDMA available, use it (roughly 10x improvement); otherwise, use compression (roughly 2x improvement). Compression is the default choice and works for the large majority of use cases.

Online VM exporting and cloning

It’s now possible to export or clone a running VM from System Center Virtual Machine Manager 2012 R2 with a few mouse clicks. As with pretty much anything related to managing Windows Server 2012, you can accomplish the same task using Windows PowerShell.

Online VHDX resizing

In Windows Server 2012 Hyper-V, it is not possible to resize a virtual hard disk attached to a running VM. Windows Server 2012 R2 removes this restriction, making it possible to not only expand but even reduce the size of the virtual disk (VHDX format only) without stopping the running VM.

Storage QoS

Windows Server 2012 R2 includes the ability to limit individual VMs to a specific level of I/O throughput. The IOPS are measured by monitoring the actual disk rate to and from the attached virtual hard drives. If you have applications capable of consuming large amounts of I/O, you’ll want to consider this setting to ensure that a single I/O-hungry VM won’t starve neighbor VMs or take down the entire host.

Dynamic Memory support for Linux

In the Windows Server 2012 R2 release, Hyper-V extends Dynamic Memory to Linux guests, so the amount of memory available to a running Linux VM can grow and shrink on demand. This is especially handy for Linux workloads (notably web servers) where the memory needed by the VM changes over time. Windows Server 2012 R2 Hyper-V also brings Windows Server backup support to Linux guests.

Shared VHDX

With Windows Server 2012 R2 Hyper-V, Windows guest clusters (think traditional Windows Server failover clustering, but using a pair of VMs) no longer require an iSCSI or Fibre Channel SAN; they can be configured using commodity storage, namely a shared VHDX file stored on a Cluster Shared Volume. Note that while the clustered VMs can be live migrated as usual, a live storage migration of the shared VHDX file requires one of the cluster nodes to be taken offline.

Bigger Bang for the Buck: Licensing Windows Server 2012 R2

The Windows Server 2012 R2 product line is streamlined and simple, making it easy for customers to choose the edition that is right for their needs.

Datacenter edition: unlimited Windows Server 2012 R2 virtualization licenses per licensed host.

Standard edition: two virtualized server licenses, for lightly virtualized environments.

Essentials edition: for small businesses with up to 25 users, running on servers with up to two processors.

Foundation edition: for small businesses with up to 15 users, running on single-processor servers.

| Edition    | Feature comparison                          | Licensing model        | Server pricing* |
|------------|---------------------------------------------|------------------------|-----------------|
| Datacenter | Unlimited virtual OSEs; all features        | Processor + CAL        | $6,155          |
| Standard   | Two virtual OSEs; all features              | Processor + CAL        | $882            |
| Essentials | 2 processors; one OSE; limited features     | Server; 25 user limit  | $501            |
| Foundation | 1 processor; limited features               | Server; 15 user limit  | OEM only        |

Client Access Licenses (CALs) will continue to be required for access to Windows Server 2012 R2 servers and management access licenses continue to be required for endpoints being managed by System Center. You need Windows Server 2012 CAL to access Windows Server 2012. You also need CAL to access Remote Desktop Services (RDS) and Active Directory Rights Management Services (AD RMS).

What’s New SCVMM 2012 R2

· Public Cloud for Service Provider using Windows Azure 

· Private Cloud with System Center 2012 R2 VMM

· Any storage approach- Use any kind of Storage: DAS, SAN, NAS, Windows Server 2012 File Server, Scale-out File Server Cluster

· Networking – Management of physical network switches via OMI as well as virtual network infrastructure ( PVLANs, NV-GRE Virtualized Networks, NV-GRE Gateways )

· Virtualization host agnostic – Intel/AMD/OEM Hardware running Windows Server 2012/R2/2008 R2 Hyper-V, VMware or Citrix XenServer

· Cisco Nexus 1000V Switch

· Bootstrapping a repeatable architecture

· Bare-Metal Provisioning Scale-Out File Server Cluster and Storage Spaces

· Provisioning Synthetic Fibre Channel in Guest VMs using VMM

· Guest Clustering with Shared VHDXs

· VMM Integration with IP Address Management ( IPAM )

· Hybrid Networking with Windows Azure Pack and System Center 2012 R2 VMM

· Windows Azure Hyper-V Recovery Manager

· Delegating Access Per Private Cloud

· OM Dashboard for VMM Fabric Monitoring

Fire Power of System Center: Licensing System Center 2012 R2

System Center 2012 R2 comes in two editions, Datacenter and Standard. Both editions comprise the following components:

· Operations Manager

· Configuration Manager

· Data Protection Manager

· Service Manager

· Virtual Machine Manager

· Endpoint Protection

· Orchestrator

· App Controller

System Center is licensed per processor. System Center 2012 R2 Datacenter costs USD 3,607 and System Center 2012 R2 Standard costs USD 1,323. The System Center license includes a SQL Server Standard edition license, which can only be used for System Center. With the Datacenter edition you can manage an unlimited number of VMs per licensed host.

Comparing Server 2008 R2 and Server 2012 R2 in terms of virtualization.

Hyper-V is not what you knew in Windows Server 2008. To clear up any confusion about Hyper-V, the following table shows the improvements Microsoft has made over the years.

Comparing VMware with Windows Server 2012 R2

VMware is still number one in the hypervisor market, but the Redmond giant can leverage almost a billion Windows users globally, as well as its expertise in software and a broad range of services (including Azure, Bing, MSN, Office 365, Skype and more). The new battleground between Microsoft and VMware makes 2014 a pivotal hybrid cloud year. The hybrid cloud could give Microsoft the chance to prevail in ways that it couldn't with the original launch of Hyper-V; Hyper-V's market share has been increasing gradually since early 2011. According to Gartner, Microsoft gained 28% hypervisor market share last year.

Let’s dig deeper into comparison….

The following comparison is based on Windows Server 2012 R2 Data Center edition and System Center 2012 R2 Data Center edition Vs vSphere 5.5 Enterprise Plus and vCenter Server 5.5.

Licensing:

| Options | Microsoft | VMware |
|---------|-----------|--------|
| # of physical CPUs per license | 2 | 1 |
| # of managed OSEs per license | Unlimited | Unlimited |
| # of Windows Server VM licenses per host | Unlimited | 0 |
| Includes anti-virus / anti-malware protection | Yes | Yes |
| Includes full SQL Database Server licenses for management databases | Yes | No |
| Database, hosts and VMs | A single database license is enough for 1,000 hosts and 25,000 VMs per management server. | Purchase additional database server licenses to scale beyond 100 hosts and 3,000 VMs with the vCenter Server Appliance. |
| Includes licensing for enterprise operations monitoring and management of hosts, guest VMs and application workloads running within VMs | Yes | No |
| Includes licensing for private cloud management capabilities (pooled resources, self-service, delegation, automation, elasticity, chargeback) | Yes | No |
| Includes management tools for provisioning and managing VDI solutions for virtualized Windows desktops | Yes | No |
| Includes web-based management console | Yes | Yes |

Virtualization Scalability:

| Options | Microsoft | VMware |
|---------|-----------|--------|
| Maximum # of logical processors per host | 320 | 320 |
| Maximum physical RAM per host | 4 TB | 4 TB |
| Maximum active VMs per host | 1,024 | 512 |
| Maximum virtual CPUs per VM | 64 | 64 |
| Hot-adjust virtual CPU resources of a VM | Yes | Yes |
| Maximum virtual RAM per VM | 1 TB | 1 TB |
| Hot-add virtual RAM to a VM | Yes | Yes |
| Dynamic memory management | Yes | Yes |
| Guest NUMA support | Yes | Yes |
| Maximum # of physical hosts per cluster | 64 | 32 |
| Maximum # of VMs per cluster | 8,000 | 4,000 |
| Virtual machine snapshots | Yes | Yes |
| # of snapshots per VM | 50 | 32 |
| Integrated application load balancing for scaling out application tiers | Yes | No |
| Bare-metal deployment of new hypervisor hosts and clusters | Yes | Yes |
| Bare-metal deployment of new storage hosts and clusters | Yes | No |
| Manage GPU virtualization for advanced VDI graphics | Yes | Yes |
| Virtualization of USB devices | Yes | Yes |
| Virtualization of serial ports | Yes | Yes |
| Minimum disk footprint while still providing management of multiple virtualization hosts and guest VMs | ~800 KB micro-kernelized hypervisor (Ring -1); ~5 GB drivers + management (parent partition, Ring 0 + 3) | ~155 MB monolithic hypervisor with drivers (Ring -1 + 0); ~4 GB management (vCenter Server Appliance, Ring 3) |
| Boot from flash | Yes | Yes |
| Boot from SAN | Yes | Yes |

VM Portability, High Availability and Disaster Recovery:

| Features | Microsoft | VMware |
|----------|-----------|--------|
| Live migration of running VMs | Yes | Yes |
| Live migration of running VMs without shared storage between hosts | Yes | Yes |
| Live migration using compression of VM memory state | Yes | No |
| Live migration over RDMA-enabled network adapters | Yes | No |
| Live migration of VMs clustered with Windows Server Failover Clustering (MSCS guest cluster) | Yes | No |
| Highly available VMs | Yes | Yes |
| Failover prioritization of highly available VMs | Yes | Yes |
| Affinity rules for highly available VMs | Yes | Yes |
| Cluster-aware updating for orchestrated patch management of hosts | Yes | Yes |
| Guest OS application monitoring for highly available VMs | Yes | Yes |
| VM guest clustering via shared virtual hard disk files | Yes | Yes |
| Maximum # of nodes per VM guest cluster | 64 | 5 |
| Intelligent placement of new VM workloads | Yes | Yes |
| Automated load balancing of VM workloads across hosts | Yes | Yes |
| Power optimization of hosts when load-balancing VMs | Yes | Yes |
| Fault-tolerant VMs | No | Yes |
| Backup of VMs and applications | Yes | Yes |
| Site-to-site asynchronous VM replication | Yes | Yes |

Storage:

| Features | Microsoft | VMware |
|----------|-----------|--------|
| Maximum # of virtual SCSI hard disks per VM | 256 | 60 (PVSCSI), 120 (virtual SATA) |
| Maximum size per virtual hard disk | 64 TB | 62 TB |
| Native 4K disk support | Yes | No |
| Boot VM from virtual SCSI disks | Yes | Yes |
| Hot-add virtual SCSI storage to running VMs | Yes | Yes |
| Hot-expand virtual SCSI hard disks of running VMs | Yes | Yes |
| Hot-shrink virtual SCSI hard disks of running VMs | Yes | No |
| Storage Quality of Service | Yes | Yes |
| Virtual Fibre Channel to VMs | Yes | Yes |
| Live-migrate virtual storage of running VMs | Yes | Yes |
| Flash-based read cache | Yes | Yes |
| Flash-based write-back cache | Yes | No |
| SAN-like storage virtualization using commodity hard disks | Yes | No |
| Automated tiered storage between SSD and HDD using commodity hard disks | Yes | No |
| Can consume storage via iSCSI, NFS, Fibre Channel and SMB 3.0 | Yes | Yes |
| Can present storage via iSCSI, NFS and SMB 3.0 | Yes | No |
| Storage multipathing | Yes | Yes |
| SAN offload capability | Yes | Yes |
| Thin provisioning and TRIM | Yes | Yes |
| Storage encryption | Yes | No |
| Deduplication of storage used by running VMs | Yes | No |
| Provision VM storage based on storage classifications | Yes | Yes |
| Dynamically balance and re-balance storage load based on demand | Yes | Yes |
| Integrated provisioning and management of shared storage | Yes | No |

Networking:

| Features | Microsoft | VMware |
|----------|-----------|--------|
| Distributed switches across hosts | Yes | Yes |
| Extensible virtual switches | Yes | Replaceable, not extensible |
| NIC teaming | Yes | Yes |
| # of NICs | 32 | 32 |
| Private VLANs (PVLAN) | Yes | Yes |
| ARP spoofing protection | Yes | No |
| DHCP snooping protection | Yes | No |
| Router advertisement guard protection | Yes | No |
| Virtual port ACLs | Yes | Yes |
| Trunk mode to VMs | Yes | Yes |
| Port monitoring | Yes | Yes |
| Port mirroring | Yes | Yes |
| Dynamic Virtual Machine Queue | Yes | Yes |
| IPsec task offload | Yes | No |
| Single Root I/O Virtualization (SR-IOV) | Yes | Yes |
| Virtual Receive Side Scaling (vRSS) | Yes | Yes |
| Network Quality of Service | Yes | Yes |
| Network virtualization / software-defined networking (SDN) | Yes | No |
| Integrated network management of both virtual and physical network components | Yes | No |

Virtualized Operating Systems Support: 

| Operating system | Microsoft | VMware |
|------------------|-----------|--------|
| Windows Server 2012 R2 | Yes | Yes |
| Windows 8.1 | Yes | Yes |
| Windows Server 2012 | Yes | Yes |
| Windows 8 | Yes | Yes |
| Windows Server 2008 R2 SP1 | Yes | Yes |
| Windows Server 2008 R2 | Yes | Yes |
| Windows 7 with SP1 | Yes | Yes |
| Windows 7 | Yes | Yes |
| Windows Server 2008 SP2 | Yes | Yes |
| Windows Home Server 2011 | Yes | No |
| Windows Small Business Server 2011 | Yes | No |
| Windows Vista with SP2 | Yes | Yes |
| Windows Server 2003 R2 SP2 | Yes | Yes |
| Windows Server 2003 SP2 | Yes | Yes |
| Windows XP with SP3 | Yes | Yes |
| Windows XP x64 with SP2 | Yes | Yes |
| CentOS 5.7, 5.8, 6.0 - 6.4 | Yes | Yes |
| CentOS Desktop 5.7, 5.8, 6.0 - 6.4 | Yes | Yes |
| Red Hat Enterprise Linux 5.7, 5.8, 6.0 - 6.4 | Yes | Yes |
| Red Hat Enterprise Linux Desktop 5.7, 5.8, 6.0 - 6.4 | Yes | Yes |
| SUSE Linux Enterprise Server 11 SP2 and SP3 | Yes | Yes |
| SUSE Linux Enterprise Desktop 11 SP2 and SP3 | Yes | Yes |
| OpenSUSE 12.1 | Yes | Yes |
| Ubuntu 12.04, 12.10, 13.10 | Yes | Yes |
| Ubuntu Desktop 12.04, 12.10, 13.10 | Yes | Yes |
| Oracle Linux 6.4 | Yes | Yes |
| Mac OS X 10.7.x and 10.8.x | No | Yes |
| Sun Solaris 10 | No | Yes |

Windows Azure:

Here is a special factor that puts Microsoft ahead of VMware: Microsoft Azure for on-premises and service provider clouds.

Windows Azure Pack ships with Windows Server 2012 R2. The Azure code enables high-scale hosting and management of web sites and virtual machines.

Microsoft is leveraging its service provider expertise and footprint for Azure development while extending Azure into data centers running Windows Server. That gives Microsoft a path into most, if not all, of the world's data centers; it could become a powerhouse in months instead of years. Widespread adoption of the Azure platform gives Microsoft a winning edge against competitors like VMware.

On-premises customers install Windows Azure Pack to manage their System Center 2012 R2 environment and use the Azure-style self-service and administration portals for the IT department and for departments within the organization. To gain similar functionality from VMware you have to buy vCloud Director, Chargeback and vShield separately.

Conclusion:

This is a clash of titanic proportions between Microsoft and VMware. Ultimately end users and customers will be the winners. Both companies are striving for new innovation in the hypervisor and virtualization market; end users will enjoy new technology and businesses will gain from the price battle between Microsoft and VMware. These two forces could significantly increase the adoption of hybrid cloud operating models. Microsoft holds other trump cards for cloud service providers, namely Exchange 2013 and Lync 2013, which are already widely used for Software as a Service (SaaS). VMware has nothing to offer in messaging and collaboration. Microsoft could become for the cloud what it became for the PC: it could enforce consistency across clouds to an extent that perhaps no other player could. As the cloud shifts from infrastructure to applications, Microsoft could find itself in an increasingly powerful position and increase Hyper-V's share even further by adding SaaS to its product line. History will repeat once again if Microsoft defeats VMware as it defeated Novell eDirectory, Corel WordPerfect and IBM Notes.

References:

http://blogs.technet.com/b/keithmayer/archive/2013/10/15/vmware-or-microsoft-comparing-vsphere-5-5-and-windows-server-2012-r2-at-a-glance.aspx#.UxaKbYXazIV

http://www.datacentertcotool.com/

http://www.microsoft.com/en-us/server-cloud/solutions/virtualization.aspx#fbid=xrWmRt7RXCi

http://wikibon.org/wiki/v/VMware_vs_Microsoft:_It%27s_time_to_stop_the_madness

http://www.infoworld.com/d/microsoft-windows/7-ways-windows-server-2012-pays-itself-205092

http://www.trefis.com/stock/vmw/articles/221206/growing-competition-for-vmware-in-virtualization-market/2014-01-07

Supported Server and Client Guest Operating Systems on Hyper-V

Compatibility Guide for Guest Operating Systems Supported on VMware vSphere

Resolved: WSUS Post Deployment Failed on Windows Server 2012

Error:

2013-11-21 09:43:36  Config file did not contain a value “ContentDirectory”
2013-11-21 09:43:36  Microsoft.UpdateServices.Administration.CommandException: A required configuration value was not found in the system. This is usually caused by installing WSUS through PowerShell and not specifying a configuration file. Review the article Managing WSUS Using PowerShell at TechNet Library (http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using PowerShell.
   at Microsoft.UpdateServices.Administration.PostInstall.GetConfigValue(String filename, String item)

Issue: This is a known issue on Windows Server 2012 when the WSUS role is installed through PowerShell without a configuration file. The Microsoft WSUS team posted a workaround to resolve the issue.

Solution: On the WSUS server, open an elevated command prompt and run the following, depending on which database you have:

For WID
"%ProgramFiles%\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS

For SQL Server databases
"%ProgramFiles%\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS SQL_INSTANCE_NAME=<database server name>

Here CONTENT_DIR is the real directory where you want the WSUS content to live, the same one you pointed to during WSUS installation; the rest is self-explanatory. Once the command runs, you will see output like the following in the log written to C:\Users\thermomixadmin\AppData\Local\Temp (that is, the %TEMP% folder of the account running the command).

2013-11-21 09:56:46 Postinstall started
2013-11-21 09:56:46 Detected role services: Api, Database, UI, Services
2013-11-21 09:56:46 Start: LoadSettingsFromParameters
2013-11-21 09:56:46 Content local is: True
2013-11-21 09:56:46 Content directory is: E:\WSUS
2013-11-21 09:56:46 SQL instname is: SQL Server Name
2013-11-21 09:56:49 Value is E:\WSUS
2013-11-21 09:56:49 Fetching group SIDs…
2013-11-21 09:56:49 Fetching WsusAdministratorsSid from registry store
2013-11-21 09:56:49 Value is S-1-5-2
2013-11-21 10:17:41 Saving Subscription
2013-11-21 10:17:52 Creating default subscription succeeded.
2013-11-21 10:17:54 Populating Auto-Approval Rules.
2013-11-21 10:18:18 Populating Auto-Approval Rules Succeeded.
2013-11-21 10:18:23 StartServer completed successfully.
2013-11-21 10:18:23 Marking PostInstall done for UpdateServices-Services in the registry…
2013-11-21 10:18:23 Mark initialization done in database…
2013-11-21 10:18:25 End: Run
2013-11-21 10:18:25 Postinstall completed
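The same post-install step as a script, added here as an example that is not part of the original post. It runs wsusutil.exe with the content directory chosen at installation time (and a SQL instance name if you use SQL Server rather than WID), then confirms success by looking for the "Postinstall completed" line in the log that wsusutil writes under the caller's %TEMP%. The default paths are assumptions; run it from an elevated prompt as a member of WSUS Administrators.

```powershell
# Added example (not from the original post): run the WSUS post-install step
# non-interactively and confirm from the log that it completed.
param(
    [string]$ContentDir  = 'C:\Wsus',   # assumed; use the directory you pointed the installer at
    [string]$SqlInstance = ''           # '' for WID, or 'SQLHOST\INSTANCE' for SQL Server
)

$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
if (-not (Test-Path $wsusutil)) { throw "wsusutil.exe not found at $wsusutil" }

# wsusutil expects the content directory to exist; create it if it does not.
if (-not (Test-Path $ContentDir)) {
    New-Item -ItemType Directory -Path $ContentDir | Out-Null
}

# Build the argument list exactly as in the manual command above.
$utilArgs = @('postinstall', "CONTENT_DIR=$ContentDir")
if ($SqlInstance) { $utilArgs += "SQL_INSTANCE_NAME=$SqlInstance" }

$started = Get-Date
& $wsusutil @utilArgs
$exitCode = $LASTEXITCODE

# The log lands in the caller's %TEMP%; pick the file written by this run that
# contains the final line shown in the post.
$match = Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $started } |
    Select-String -Pattern 'Postinstall completed' -List -ErrorAction SilentlyContinue |
    Select-Object -First 1

if ($exitCode -eq 0 -and $match) {
    Write-Host "WSUS post-install completed; log: $($match.Path)"
} else {
    throw "wsusutil exited with code $exitCode; check the newest log in $env:TEMP for the failing step"
}
```

If the log stops at "Fetching group SIDs…" or a database step, the usual causes are running without elevation or a SQL instance name that the WSUS server cannot reach; the script surfaces that by the non-zero exit code rather than silently continuing.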

vSphere 5.5 is Catching Up with Hyper-v 2012 R2

Is VMware catching up with Microsoft? Yes, you heard correctly: VMware is catching up with Microsoft. VMware released its latest update, vSphere 5.5, to catch up with Microsoft Windows Server 2012 R2. Here is a short comparison of the VMware improvements made to catch up with Hyper-V 2012 R2.

Option | vSphere 5.5 | Hyper-V 2012 R2
Host CPU cores | 320 (previous version 160) | 320
vCPU/host | 2048 | 2,048
vCPU/guest | 64 (previous version 8) | 64
Host memory | 4TB (previous version 2TB) | 4TB
vRAM/VM | 1TB (previous version 32GB) | 1TB
VM/host | 2048 (previous version 512) | 2048
Maximum nodes | 32 | 64
Max VM/cluster | 4000 | 8,000
Networking | see list below | see list below
Storage | see list below | see list below
Local storage | 64TB (previous version 2TB) | 64TB
Dynamic memory | Yes | Yes
Resource metering | Yes (previous version No) | Yes
Hardware GPU | Yes (previous version No) | Yes
Unified VDI | No. Buy VMware View | Yes
Guest OS application monitoring | Yes (previous version No) | Yes
Incremental backups | Yes (previous version No) | Yes
VM replication | Yes (previous version No) | Yes
Guest clustering with dynamic memory | No | Yes
Multi-tenant | No (buy VMware vCloud) | Yes

Networking, vSphere 5.5:

  • Link Aggregation Control Protocol enhancements
  • Traffic filtering
  • Quality of Service tagging
  • SR-IOV enhancements
  • Enhanced host-level packet capture
  • 40GB NIC support
  • 10GigE simultaneous live migrations only for 8 VMs

Networking, Hyper-V 2012 R2:

  • Support for SR-IOV networking devices
  • Dynamic Virtual Machine Queue (D-VMQ)
  • Accelerating network I/O
  • IPsec Task Offload for virtual machines
  • Metering virtual machine use in a multitenant environment
  • IP Address Management (IPAM)
  • Hyper-V Network Virtualization
  • Hyper-V Extensible Switch
  • Quality of Service (QoS)
  • Remote Desktop Protocol (RDP) WAN optimizations
  • WebSocket Protocol
  • Server Name Indicator (SNI)
  • DirectAccess and VPN
  • Private VLANs (PVLANs)
  • Trunk mode to virtual machines
  • Unlimited 10GigE simultaneous live migrations
  • Site-to-site network connections using private IP addresses
  • Cisco NVGRE (Network Virtualization using Generic Routing Encapsulation)

Storage, vSphere 5.5:

  • Support for 62TB VMDK
  • MSCS updates
  • vSphere 5.1 feature updates
  • 16GB E2E support
  • PDL AutoRemove
  • vSphere Replication interoperability
  • vSphere Replication multi-point-in-time snapshot retention
  • vSphere Flash Read Cache
  • 64TB VMFS
  • 64TB RDM

Storage, Hyper-V 2012 R2:

  • 64TB VHDX
  • VHD de-duplication
  • High availability, performance, reliability, and scalability features on inexpensive commodity storage
  • Offloaded Data Transfer (ODX)
  • Resilient File System
  • Deploy large NTFS volumes
  • Thin provisioning and trim
  • Cluster Shared Volume version 2
  • iSCSI Software Target
  • Support for VMware virtual machines and NFS 4.1
  • High-performance, highly available storage with SMB
  • SMB Scale-Out
  • Virtual Fibre Channel
  • 256TB+ pass-through disk (RDM)

VMware goes after biz critical apps with vSphere 5.5

VMware what’s New

Windows Server 2012 R2 what’s New

Windows 8.1, Windows Server 2012 R2 and System Center 2012 R2 are coming on October 18

The new releases of Windows Server 2012 R2, System Center 2012 R2 and Windows 8.1 will be available on October 18, 2013. To find out more about the new releases, visit In the Cloud and Windows 8.1.

Windows Server 2012 R2—First Look

Visit What’s New in Windows Server 2012 R2 to find more about Windows Server 2012 R2.

Download Windows Server 2012 R2

[Screenshots of the Windows Server 2012 R2 installation and first logon]

[Screenshot: Changes in the Windows taskbar.]

[Screenshot: The Start window presents the necessary administrative tiles.]

What’s New in Windows Server 2012 R2

Technology | What's new

iSCSI

  • Prevent data corruption during power failure.
  • Sessions per target increased to 544, and logical units per target increased to 256.

SMB

  • Support for Hyper-V Live Migration over SMB
  • Support for using shared VHDX files as shared storage for guest clustering
  • Improved SMB bandwidth management
  • Support for multiple SMB instances on a Scale-Out File Server
  • Automatic rebalancing of Scale-Out File Server clients

WDS

  • PowerShell cmdlet scripting

Active Directory

  • Work-anywhere approach, access to protected data, multi-factor authentication

DFS

  • Windows PowerShell module for DFS Replication
  • DFS Replication WMI provider
  • Database cloning for initial sync
  • Cross-file RDC disable
  • Database corruption recovery
  • Preserved file restoration
  • File staging tuning

DHCP

  • DNS suffix based policies
  • DNS PTR registration options

MSCS Cluster

  • Virtual machine network health detection
  • Virtual machine drain on shutdown
  • Shared virtual hard disk (for guest clusters)
  • Deploy a cluster without network names in Active Directory Domain Services
  • Dynamic witness
  • Force quorum resiliency
  • Tie breaker for 50% node split
  • Configure the Global Update Manager mode
  • Turn off IPsec encryption for inter-node cluster communication
  • Cluster dashboard

GPO

  • Policy caching
  • Item-level targeting

Hyper-V

  • Shared virtual hard disk
  • Storage Quality of Service
  • Virtual machine generation
  • Enhanced session mode
  • Automatic Virtual Machine Activation

IP Address Management (IPAM)

  • Role based access control
  • Virtual address space management
  • External database support
  • Upgrade and migration support

Supported Upgrade Path

From | To
Windows Server 2008 R2 Web, Datacenter or Enterprise with SP1 | Windows Server 2012 R2 Datacenter or Standard
Windows Server 2012 Standard or Datacenter | Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter
Hyper-V Server 2012 | Hyper-V Server 2012 R2

In-place upgrade of the following is unsupported:

  • From 32-bit to 64-bit architectures
  • From one language to another
  • From one build type to another (fre to chk, for example)
  • Upgrades from pre-release versions of Windows Server 2012 R2 Preview are not supported. Perform a clean installation to Windows Server 2012.
  • Switching from a Server Core installation to the Server with a GUI mode

Features Removed or Deprecated in Windows Server 2012 R2

Removed feature | Alternative
File Backup and Restore | File History feature
System Image Backup | Reset your PC
Drivers for tape drives | Use manufacturer drivers
Creation of recovery disk on CD or DVD | Use the Recovery Disk to USB feature
Windows Authorization Manager (AzMan) | Use new management tools for virtual machines
Active Directory Rights Management Services (AD RMS) SDK | AD RMS SDK 2.0
The Application Server role | Use features and roles
IIS CertObj COM interface | None
GAA_FLAG_INCLUDE_TUNNEL_BINDINGORDER | None
Dfscmd.exe | Use PowerShell
Mount-IscsiVirtualDiskSnapshot, Dismount-IscsiVirtualDiskSnapshot | Use PowerShell
Nfsshare.exe | Use PowerShell
NFS 2 | NFS 3 or NFS 4
Network Access Protection (NAP) | Windows Web Application Proxy
Server for Network Information Services (NIS) Tools | Use native LDAP, Samba client, Kerberos
SMB 1.0 | SMB 2
Telnet server | Remote Desktop
Windows Identity Foundation (WIF) 3.5 | Use WIF 4.5 and .NET Framework 4.5
SQLite | SQL LocalDB
WMI version 1 | WMI version 2

References:

Release Notes: Important Issues in Windows Server 2012 R2 Preview

System Requirements

What’s New

How to create an external trust between two separate domains/forests

A trust is a relationship established between two different domains that enables users in one domain to be authenticated by a domain controller in the other domain. There are different types of trust in a Microsoft Active Directory domain, such as external, realm, forest and shortcut trusts. An external trust is necessary when users of two different domains belonging to two different business units want to use resources, such as printers and file servers, of the trusted domain. This article applies to Windows Server 2003, Windows Server 2008/R2, Windows Server 2012/R2 and Windows Server 2016 domains, using the same principles written below.

Authentication Consideration

Authentication setting | Inter-forest trust type | Description
Domain-wide authentication | External | Permits unrestricted access by any users. Default authentication setting for external trusts.
Forest-wide authentication | Forest | Permits unrestricted access by any users. Default authentication setting for forest trusts.
Selective authentication | External and Forest | Restricts access over an external. Authentication setting must be manually enabled.

Administrative Privilege

To create a trust you have to be a member of Domain Admins and Enterprise Admins in both domains.

Transitive trusts

  • Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
  • Forest trust. A transitive trust between one forest root domain and another forest root domain.
  • Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.

Non-transitive trusts

  • External trust. A non-transitive trust created between a Windows Server 2003 domain and Windows 2000 or Windows Server 2003 domain in another forest.
  • Realm trust. A non-transitive trust between an Active Directory domain and a Kerberos V5 realm.

You have to fulfil a few requirements before you can activate an external trust. For example: both domain controllers must be able to ping each other by IP address. If the domain controllers are placed in different subnets, proper routing is required. If there is a firewall between the domain controllers, firewall rules must be in place allowing the LDAP, DNS and resource ports to be reached from both sites. The forest and domain functional level must be Windows Server 2003 or later.

Example:

DC1.DomainA.com  IP address: 192.168.100.2

DC1.DomainB.com  IP address: 192.168.200.2

Step1: Port requirement

If you are using MPLS, IP VPN or another VPN, make sure inbound and outbound routing is configured correctly. If you have a firewall between the organisations, make sure the Active Directory ports are open on both sides. For further information on port requirements, visit Active Directory and Active Directory Domain Services Port Requirements.

Step2: Add DNS Record in TCP/IP Properties of Domain Controllers

Open TCP/IP Properties of DC1.DomainA.com and add IP address of DC1.DomainB.com in the secondary DNS record.

Open TCP/IP Properties of DC1.DomainB.com and add IP address of DC1.DomainA.com in the secondary DNS record.

Step3: Ping DomainA from DomainB and vice versa

Log on to each domain controller and ping the other by IP address. The name should resolve and the ping should succeed without delays or timeouts.

Step4: Test AD DS Ports

Telnet to ports 389, 636 and 53 from both sides of the domain to test whether you can reach Active Directory (LDAP and LDAPS) and DNS.

Step5: Health Check

Run a quick AD health check in both sides using this Link

Step6: Create PTR Record in both organisation

Add Reverse Lookup Zone of 192.168.200.2 into DC1.DomainA.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.200>Click Next>Finish.

Repeat the step to add 192.168.100.2 PTR into DC1.DomainB.com. To do this, Right Click on Reverse Lookup Zone>New Zone>Click Next>Primary Zone>Click Next>IPV4 reverse Lookup Zone>Type 192.168.100>Click Next>Finish.

Step7: Create Forward Lookup Zones in both organisation

In some DNS environments where DNS access is constrained (situation specific only), you may have to create a Forward Lookup Zone for DomainA.com in DomainB.com and a Forward Lookup Zone for DomainB.com in DomainA.com. There is no harm in creating a forward lookup zone on both sides, as both forests are going to trust each other once the trust is activated.

To do this, log on to DomainA.com >Open DNS Manager>Expand Forward Lookup Zone> Right click on Forward Lookup Zones>New Zones>primary Zones>Type FQDN of forest e.g. DomainB.com. >Select Default or select “To all domain controllers in this forest”> Type Zone Name DomainB.com>Allow Secure Dynamic Update>Follow the Wizard.

To do this, log on to DomainB.com >Open DNS Manager>Expand Forward Lookup Zone> Right click on Forward Lookup Zones>New Zones>primary Zones>Type FQDN of forest e.g. DomainA.com. >Select Default or select “To all domain controllers in this forest”> Type Zone Name DomainA.com>Allow Secure Dynamic Update>Follow the Wizard.

Step8: Create Host (A) record in both organisation

Create a Host (A) record for the Domain Controller of DomainA.com on the Domain Controller of DomainB.com, and a Host (A) record for the Domain Controller of DomainB.com on the Domain Controller of DomainA.com. To do this, log on to DC1.DomainA.com>Right click on the Forward Lookup Zone you created in step 7, which is DomainB.com>Click New Host (A)>Leave the Name blank>Type the IP address of DC1.DomainB.com and select Create associated PTR record>Click Add Host.

Repeat the steps in DomainB.com. To do this, log on to DC1.DomainB.com>Right click on the Forward Lookup Zone you created in step 7, which is DomainA.com>Click New Host (A)>Leave the Name blank>Type the IP address of DC1.DomainA.com and select Create associated PTR record>Click Add Host.

Step9: Add Name Server (NS) in both organisation

You must add Name Server of DC1.DomainA.com into the Name Servers Property of DC1.DomainB.com. Repeat the step to add Name Server of DC1.DomainB.com into the Name Servers Property of DC1.DomainA.com.

To do this log on to DC1.DomainA.com>Open DNS Manager>Right click on Forward Look Up Zone of DomainB.com>Click Properties>Click Name Servers Tab>Click Add>Type the IP Address of DC1.DomainB.com.

Repeat the Steps in DomainB.com. To do this log on to DC1.DomainB.com>Open DNS Manager>Right click on Forward Look Up Zone of DomainA.com>Click Properties>Click Name Servers Tab>Click Add>Type the IP address of DC1.DomainA.com.

Step10: Test DNS Record

Ping FQDN of DomainA.com from DomainB.com

Ping FQDN of DomainB.com from DomainA.com

Ping DC1.DomainA.com from DC1.DomainB.com

Ping DC1.DomainB.com from DC1.DomainA.com
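Steps 1 to 10 as one PowerShell script, added here as an example that is not part of the original article. Run on DC1.DomainA.com, it tests reachability and the ports of Steps 1, 3 and 4 against DC1.DomainB.com, then creates the reverse zone, the forward zone, the blank-name host record and the name server entry of Steps 6 to 9 with the DnsServer module, and finishes with the Step 10 resolution check. The domain names and addresses are the article's; the /24 mask is an assumption, and Test-NetConnection and the DnsServer cmdlets need Windows Server 2012 or later.

```powershell
# Added example (not from the original article): prerequisite checks and DNS
# set-up for the partner domain, run from DC1.DomainA.com towards DomainB.
#Requires -Modules DnsServer
param(
    [string]$RemoteDomain = 'DomainB.com',
    [string]$RemoteDc     = 'DC1.DomainB.com',
    [string]$RemoteIp     = '192.168.200.2',
    [string]$RemoteNet    = '192.168.200.0/24'   # assumed mask for the article's 192.168.200 zone
)

function Test-TrustPrerequisites {
    param([string]$Ip)
    # Ports the article tests (53, 389, 636) plus those the trust uses once it
    # exists: 88 Kerberos, 135 RPC endpoint mapper, 445 SMB/Netlogon.
    $ports = foreach ($p in 53, 88, 135, 389, 445, 636) {
        $t = Test-NetConnection -ComputerName $Ip -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
    }
    [pscustomobject]@{
        PingOk = Test-Connection -ComputerName $Ip -Count 2 -Quiet   # Step 3
        Ports  = $ports                                               # Steps 1 and 4
    }
}

function Add-PartnerDnsZones {
    param([string]$Domain, [string]$Dc, [string]$Ip, [string]$Net)
    # Step 6: reverse lookup zone for the partner DC's network.
    $o = $Ip.Split('.')
    $revZone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
    if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $Net -ReplicationScope Forest
    }
    # Step 7: primary forward zone named after the partner forest, secure dynamic updates only.
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope Forest -DynamicUpdate Secure
    }
    # Step 8: host record with a blank name ('@' is the zone apex) and its PTR.
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name '@' -IPv4Address $Ip -CreatePtr
    # Step 9: the partner DC as a name server of that zone. The GUI adds the glue
    # host record for the name server itself; here it is added explicitly.
    $hostLabel = $Dc.Split('.')[0]
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name $hostLabel -IPv4Address $Ip
    Add-DnsServerResourceRecord  -ZoneName $Domain -Name '@' -NS -NameServer $Dc
}

$check = Test-TrustPrerequisites -Ip $RemoteIp
$check.Ports | Format-Table -AutoSize
if (-not $check.PingOk -or ($check.Ports | Where-Object { -not $_.Open })) {
    throw "Routing or firewall to $RemoteIp is not ready (Step 1); fix it before creating DNS objects"
}
Add-PartnerDnsZones -Domain $RemoteDomain -Dc $RemoteDc -Ip $RemoteIp -Net $RemoteNet

# Step 10: the partner DC and the partner domain name must now resolve locally.
Resolve-DnsName -Name $RemoteDc     | Format-Table -AutoSize
Resolve-DnsName -Name $RemoteDomain | Format-Table -AutoSize
```

Run it again on DC1.DomainB.com with the DomainA values in the parameters. Step 2 (adding the other DC as a secondary DNS server in the NIC properties) is Set-DnsClientServerAddress on the interface, with the local DC listed first. Note that a primary zone for the partner's name, as in Step 7, is a local copy you have to keep in sync by hand; a conditional forwarder (Add-DnsServerConditionalForwarderZone -Name DomainB.com -MasterServers 192.168.200.2) delegates those lookups to the partner's DCs instead and is the more common choice when the partner's DNS is reachable.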

Step11: Create External Trust

Example: a one-way trust allows users from DC1.DomainB.com (outgoing) to get access to DC1.DomainA.com (incoming), but DC1.DomainA.com does not get access to DC1.DomainB.com.

Note: if you want both sides to have access to each other, change the configuration to a two-way trust and set incoming and outgoing on both sides.

Creating incoming trust in DC1.DomainA.com

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Trust Password page, type the trust password twice, and then click Next.

With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.

12. On the Completing the New Trust Wizard page, click Finish.

Creating outgoing trust in DC1.DomainB.com

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

7. On the Sides of Trust page, click This domain only, and then click Next.

8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:

  • Click Domain-wide authentication.
  • Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.

13. On the Completing the New Trust Wizard page, click Finish.

Step12: Test a Trust Relation

  1. Virtualize two Windows clients
  2. Join them to DomainA and DomainB
  3. Create two test folders in DomainA and DomainB
  4. Share and assign permission to users of DomainA and DomainB for both folders.
  5. Log on to a Windows client in DomainA using credential of DomainB>Access folder of DomainA
  6. Log on to a Windows client in DomainB using credential of DomainA>Access folder of DomainB
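Steps 11 and 12 without the wizard, added here as an example that is not part of the original article. It creates one side of the external trust with the .NET System.DirectoryServices.ActiveDirectory API (the other domain's administrator runs the same function on their DC with the opposite direction and the same password, which is the "This domain only" choice of the wizard), then verifies the secure channel with netdom and reads the trust attributes back with Get-ADTrust instead of logging on at a client. In that API, Outbound on a domain means that domain trusts the partner, so the partner's users can be authenticated for its resources; it corresponds to the wizard's "One-way: outgoing", and it is the side on which the authentication level of Step 8 and SID filtering are applied. The domain names are the article's; the password prompt stands in for the Trust Password page.

```powershell
# Added example (not from the original article): create and verify one side of
# a one-way external trust from PowerShell.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function New-LocalTrustSide {
    param(
        [Parameter(Mandatory)][string]$TargetDomain,
        # Outbound: this domain trusts $TargetDomain (wizard "One-way: outgoing").
        # Inbound:  $TargetDomain trusts this domain  (wizard "One-way: incoming").
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][securestring]$TrustPassword
    )
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # The API needs the clear-text password only for the duration of the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($TrustPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $local.CreateLocalSideOfTrustRelationship($TargetDomain, $Direction, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function Get-TrustReport {
    param([Parameter(Mandatory)][string]$TargetDomain)
    # Shows what the wizard configured plus the two hardening settings below.
    Get-ADTrust -Filter "Target -eq '$TargetDomain'" |
        Select-Object Name, Direction, TrustType, IntraForest,
                      SelectiveAuthentication, SIDFilteringQuarantined
}

# On DC1.DomainB.com, the side that runs the wizard's "One-way: outgoing":
$pw = Read-Host -AsSecureString 'Trust password agreed with the DomainA administrator'
New-LocalTrustSide -TargetDomain 'DomainA.com' -Direction Outbound -TrustPassword $pw
# On DC1.DomainA.com the matching call is:
#   New-LocalTrustSide -TargetDomain 'DomainB.com' -Direction Inbound -TrustPassword $pw

# Harden the trusting side: selective authentication (the Step 8 choice) and
# SID filtering, then confirm the secure channel as Step 12 does.
netdom trust DomainB.com /d:DomainA.com /SelectiveAuth:yes
netdom trust DomainB.com /d:DomainA.com /Quarantine:yes
netdom trust DomainB.com /d:DomainA.com /verify
Get-TrustReport -TargetDomain 'DomainA.com'
```

With selective authentication on, users from the trusted domain reach only those computers where they have been granted the Allowed to Authenticate permission, which is the least-privilege option in the table under Authentication Consideration; domain-wide authentication gives every user of the trusted domain the same standing as Authenticated Users in the trusting domain. SID filtering (quarantine) is already on by default for external trusts; setting it explicitly makes the intent visible in Get-TrustReport, and it stops SIDs from outside the trusted domain being honoured across the trust.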

How to create an external trust between two separate domains/forests
