Upgrading AD FS to Windows Server 2016 FBL

This article will describe how to install new ADFS 2016 farm or upgrade existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016.

Prerequisites:

  • ADFS Role in Windows Server 2016
  • Administrative privilege in both ADFS 2012 R2 and ADFS 2016 Server
  • Local Admin rights in both ADFS 2012 R2 and ADFS 2016 Server
  • WAP role in Windows Server 2016
  • Generate new certificate and signed by public certificate authority for new installation
  •   To use existing certificate, export the certificate from ADFS 2012 R2 with private key and import into ADFS 2016 server.

Mixed Mode Farm: A Windows Server 2016 AD FS server can be added to a Windows Server 2012 R2 farm and it will operate at the same FBL as a Windows Server 2012 R2. When you have a Windows Server 2016 AD FS server operating in this fashion, your farm is said to be “mixed”. However, you will not be able to take advantage of the new Windows Server 2016 features until the FBL is raised to Windows Server 2016.

Installation of ADFS Role

  1. Open the Windows Server 2016, Add Roles and Features Wizard and add the Active Directory Federation Services server role
  2. Proceed through the wizard. Click Configure the federation service on this server.
  3. On the Welcome page in the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next
  4. Proceed through the wizard. To join to existing farm, specify the farm name and import the certificate or to create a new farm, click create new farm and provide the details. On the Specify Service Properties page, select your TLS/SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name
  5. Proceed through and complete the Active Directory Federation Services Configuration Wizard. Close the Add Roles and Features Wizard
  6. If you have not created a host record in DNS for the federation server name you specified in Step 4 previously, do so now.

Upgrade ADFS 2016

To Upgrade to ADFS 2016, Once you have joined the new ADFS server to existing farm, on the Windows Server 2016 server, open PowerShell and run the following cmdlt:

Set-AdfsSyncProperties -Role PrimaryComputer

On the original AD FS Windows Server 2012 R2 server, open PowerShell and run the following cmdlt:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName Server2012R2.domain.com

To use ADFS 2016 functionality, you have prepare AD with ADFS 2016 Schema. Mount Windows Server 2016 installation media on a domain controller, open a command prompt and navigate to support\adprep directory. Run the following:

adprep /forestprep

adprep/domainprep

Now Raise farm behavior level to ADFS 2016, Invoke-AdfsFarmBehaviorLevelRaise  PowerShell Cmdlet on the ADFS 2016 primary server.

To test ADFS 2016 signin page, Enable IdP initiated Sign On and RP initiated Sign on using the following cmdlets to ADFS 2016 Server.

Set-ADFSProperties -EnableIdpInitiatedSignonPage $True

Set-ADFSProperties -RelaystateForIdpInitiatedSignonEnabled $True

Open a browser and type https://sts.domain.com/adfs/ls/idpinitiatedsignon

Removing Legacy ADFS and WAP

  • Remote into the servers and uninstall ADFS and Remote Access Role

Installing Federation Proxy

  • Install Windows Server 2016
  • Rename the server
  • Setup IPv4 on the WAP server
  • Install WAP Role using the below PowerShell Cmdlets.
  • Add a host a record of STS in the C:\Windows\systems32\drivers\etc\hosts file of WAP server

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy –CertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’ -FederationServiceName sts.domain.com

Firewall Rules for WAP Servers

Add firewall rules for WAP servers if WAP servers are placed behind firewall. You must allow inbound and outbound rules on port 443 from WAP servers to internet.

Firewall Rules for ADFS servers

ADFS servers are domain joined and placed in internal network but WAP servers are place in different VLANS or DMZ  to secure ADFS servers. You must allow port 443 between ADFS and WAP in both direction.

Firewall Rules for ADFS 2016 with MFA

If your ADFS 2016 servers are behind firewall specially going via Azure Express Route , add the below firewall rules in Azure Network Security Group (NSG) for ADFS 2016 MFA.

10.xx.0.0/24 23.99.10.4 HTTPS (TCP/443) Allow
10.xx.0.0/24 23.99.10.4 HTTPS (TCP/443) Allow
10.xx.0.0/24 168.63.89.78 HTTPS (TCP/443) Allow
10.xx.0.0/24 168.63.89.78 HTTPS (TCP/443) Allow
10.xx.0.0/24 40.77.21.104 Custom (TCP/Any) Allow
10.xx.0.0/24 104.42.126.253 Custom (TCP/Any) Allow
10.xx.0.0/24 40.84.187.178 Custom (TCP/Any) Allow
10.xx.0.0/24 52.161.23.17 Custom (TCP/Any) Allow
10.xx.0.0/24 40.87.57.9 Custom (TCP/Any) Allow
10.xx.0.0/24 134.170.116.0/25 Custom (TCP/Any) Allow
10.xx.0.0/24 134.170.165.0/25 Custom (TCP/Any) Allow
10.xx.0.0/24 70.37.154.128/25 Custom (TCP/Any) Allow

Microsoft Software Defined Storage AKA Scale-out File Server (SOFS)

Business Challenges:

  • $/IOPS and $/TB
  • Continuous Availability
  • Fault Tolerance
  • Storage Performance
  • Segregation of production, development and disaster recovery storage
  • De-duplication of unstructured data
  • Segregation of data between production site and disaster recovery site
  • Continuous break fix of Distributed File Systems (DFS) & File Server
  • Continuously extending storage on the DFS servers
  • Single point of failure
  • File systems is not available always
  • Security of file systems is constant concern
  • Propitiatory non-scalable storage
  • Management of physical storage
  • Vendor lock-in contract for physical storage
  • Migration path from single vendor to multi vendor storage provider
  • Management overhead of unstructured data
  • Comprehensive management of storage platform

Solutions:

Microsoft Software Defined Storage AKA Scale-Out File Server is a feature that is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-out file shares provides the ability to share the same folder from multiple nodes of the same cluster.Microsoft Software Defined Storage offerings compared with third party offering:

Storage feature Third-party NAS/SAN Microsoft Software-Defined Storage
Fabric Block protocol

 

File protocol Network

 

Network Low latency network with FC

 

Low latency with SMB3Direct Management

 

Management Management of LUNs

 

Management of file shares Data de-duplication

 

Data De-duplication Data de-duplication

 

Data de-duplication Resiliency

 

Resiliency RAID resiliency groups

 

Flexible resiliency options Pooling

 

Pooling Pooling of disks

 

Pooling of disks Availability

 

Availability High

 

Continuous (via redundancy) Copy offload, Snapshots

 

Copy Offloads, Snapshots Copy offload, Snapshots

 

SMB copy offload, Snapshots Tiering

 

Tiering Storage tiering

 

Performance with tiering Persistent write-back cache

 

Persistent Write-back cache Persistent write-back cache

 

Persistent write-back cache Scale up

 

Scale up Scale up

 

Automatic scale-out rebalancing Storage Quality of Service (QoS)

 

Storage Quality of Service (QoS) Storage QoS

 

Storage QoS (Windows Server 2016) Replication

 

Replication Replication

 

Storage Replica (Windows Server 2016) Updates

 

Updates Firmware updates

 

Rolling cluster upgrades (Windows Server 2016)

 

    Storage Spaces Direct (Windows Server 2016)

 

    Azure-consistent storage (Windows Server 2016)

 

 Functional use of Microsoft Scale-Out File Servers:

1. Application Workloads

  • Microsoft Hyper-v Cluster
  • Microsoft SQL Server Cluster
  • Microsoft SharePoint
  • Microsoft Exchange Server
  • Microsoft Dynamics
  • Microsoft System Center DPM Storage Target
  • Veeam Backup Repository

2. Disaster Recovery Solution

  • Backup Target
  • Object storage
  • Encrypted storage target
  • Hyper-v Replica
  • System Center DPM

3. Unstructured Data

  • Continuously Available File Shares
  • DFS Namespace folder target server
  • Microsoft Data de-duplication
  • Roaming user Profiles
  • Home Directories
  • Citrix User Profiles
  • Outlook Cached location for Citrix XenApp Session Server

4. Management

  • Single Management Point for all Scale-out File Servers
  • Provide wizard driven tools for storage related tasks
  • Integrated with Microsoft System Center

Business Values:

  • Scalability
  • Load balancing
  • Fault tolerance
  • Ease of installation
  • Ease of management/operations
  • Flexibility
  • Security
  • High performance
  • Compliance & Certification

SOFS Architecture:

Microsoft Scale-out File Server (SOFS) is  considered as a Storage Defined Storage (SDS).  Microsoft SOFS is independent of hardware vendor as long as the compute and storage is certified by Microsoft Corporation. The following figure shows Microsoft Hyper-v cluster, SQL Cluster and Object Storage on the SOFS.

image

                 Figure: Microsoft Software Defined Storage (SDS) Architecture

image

                     Figure: Microsoft Scale-out File Server (SOFS) Architecture

image

                                      Figure: Microsoft SDS Components

image

                        Figure: Unified Storage Management (See Reference)

Microsoft Software Defined Storage AKA Scale-out File Server Benefits:

SOFS:

  • Continuous availability file stores for Hyper-V and SQL Server
  • Load-balanced IO across all nodes
  • Distributed access across all nodes
  • VSS support
  • Transparent failover and client redirection
  • Continuous availability at a share level versus a server level

De-duplication:

  • Identifies duplicate chunks of data and only stores one copy
  • Provides up to 90% reduction in storage required for OS VHD files
  • Reduces CPU and Memory pressure
  • Offers excellent reliability and integrity
  • Outperforms Single Instance Storage (SIS) or NTFS compression.

SMB Multichannel

  • Automatic detection of SMB Multi-Path networks
  • Resilience against path failures
  • Transparent failover with recovery
  • Improved throughput
  • Automatic configuration with little administrative overhead

SMB Direct:

  • The Microsoft implementation of RDMA.
  • The ability to direct data transfers from a storage location to an application.
  • Higher performance and lower latency through CPU offloading
  • High-speed network utilization (including InfiniBand and iWARP)
  • Remote storage at the speed of local storage
  • A transfer rate of approximately 50Gbps on a single NIC port
  • Compatibility with SMB Multichannel for load balancing and failover

VHDX Virtual Disk:

  • Online VHDX Resize
  • Storage QoS (Quality of Service)

Live Migration

  • Easy migration of virtual machine into a cluster while the virtual machine is running
  • Improved virtual machine mobility
  • Flexible placement of virtual machine storage based on demand
  • Migration of virtual machine storage to shared storage without downtime

Storage Protocol:

  • SAN discovery (FCP, SAS, iSCSI i.e. EMC VNX, EMC VMAX)
  • NAS discovery (Self-contained NAS, NAS Head i.e. NetApp OnTap)
  • File Server Discovery (Microsoft Scale-Out File Server, Unified Storage)

Unified Management:

  • A new architecture provides ~10x faster disk/partition enumeration operations
  • Remote and cluster-awareness capabilities
  • SM-API exposes new Windows Server 2012 R2 features (Tiering, Write-back cache, and so on)
  • SM-API features added to System Center VMM
  • End-to-end storage high availability space provisioning in minutes in VMM console
  • More Windows PowerShell

ReFS:

  • More resilience to power failures
  • Highest levels of system availability
  • Larger volumes with better durability
  • Scalable to petabyte size volumes

Storage Replica:

  • Hardware agnostic storage configuration
  • Provide a DR solution for planned and unplanned outages of mission critical workloads.
  • Use SMB3 transport with proven reliability, scalability, and performance.
  • Stretched failover clusters within metropolitan distances.
  • Manage end to end storage and clustering for Hyper-V, Storage Replica, Storage Spaces, Scale-Out File Server, SMB3, Deduplication, and ReFS/NTFS using Microsoft software
  • Reduce downtime, and increase reliability and productivity intrinsic to Windows.

Cloud Integration:

  • Cloud-based storage service for online backups
  • Windows PowerShell instrumented
  • Simple, reliable Disaster Recovery solution for applications and data
  • Supports System Center 2012 R2 DPM

Implementing Scale-out File Server

Scale-out File Server Recommended Configuration:

  1. Gather all virtual servers IOPS requirements*
  2. Gather Applications IOPS requirements
  3. Total IOPS of all applications & Virtual machines must be less than available IOPS of physical storage 
  4. Keep latency below 3 ms at all time for high performance
  5. Gather required capacity + potential growth + best practice
  6. N+1 Compute, Network and Storage Hardware
  7. Use low latency, high throughput networks
  8. Segregate storage network from data network using logical network (VLAN) or fibre channel
  9. Tools to be used

*Not all virtual servers are same, DHCP server generate few IOPS, SQL server and Exchange can generate thousands of IOPS.

*Do not place SQL Server on the same logical volume (LUN) with Exchange Server or Microsoft Dynamics or Backup Server.

*Isolate high IO workloads to separate logical volume or even separate storage pool if possible.

Prerequisites for Scale-Out File Server

  1. Install File and Storage Services server role, and the Failover Clustering feature on the cluster nodes
  2. Configure Microsoft failover Clusters using this article Windows Server 2012: Failover Clustering Deep Dive Part II
  3. Add Cluster Share Volume
  • Log on to the server as a member of the local Administrators group.
  • Open Server Manager> Click Tools, and then click Failover Cluster Manager.
  • Click Storage, right-click the disk that you want to add to the cluster shared volume, and then click Add to Cluster Shared Volumes> Add Storage Presented to this cluster.

Configure Scale-out File Server

  1. Open Failover Cluster Manager> Right-click the name of the cluster, and then click Configure Role.
  2. On the Before You Begin page, click Next.
  3. On the Select Role page, click File Server, and then click Next.
  4. On the File Server Type page, select the Scale-Out File Server for application data option, and then click Next.
  5. On the Client Access Point page, in the Name box, type a NETBIOS of Scale-Out File Server, and then click Next.
  6. On the Confirmation page, confirm your settings, and then click Next.
  7. On the Summary page, click Finish.

Create Continuously Available File Share

  1. Open Failover Cluster Manager>Expand the cluster, and then click Roles.
  2. Right-click the file server role, and then click Add File Share.
  3. On the Select the profile for this share page, click SMB Share – Applications, and then click Next.
  4. On the Select the server and path for this share page, click the name of the cluster shared volume, and then click Next.
  5. On the Specify share name page, in the Share name box, type a name for the file share, and then click Next.
  6. On the Configure share settings page, ensure that the Continuously Available check box is selected, and then click Next.
  7. On the Specify permissions to control access page, click Customize permissions, grant the following permissions, and then click Next:
  • To use Scale-Out File Server file share for Hyper-V: All Hyper-V computer accounts, the SYSTEM account, cluster computer account for any Hyper-V clusters, and all Hyper-V administrators must be granted full control on the share and the file system.
  • To use Scale-Out File Server on Microsoft SQL Server: The SQL Server service account must be granted full control on the share and the file system

      8. On the Confirm selections page, click Create. On the View results page, click Close.

Use SOFS for Hyper-v Server VHDX Store:

  1. Open Hyper-V Manager. Click Start, and then click Hyper-V Manager.
  2. Open Hyper-v Settings> Virtual Hard Disks> Specify Location of Store as \\SOFS\VHDShare\ and Specify location of Virtual Machine Configuration \\SOFS\VHDCShare
  3. Click Ok.

Use SOFS in System Center VMM: 

  1. Add Windows File Server in VMM
  2. Assign SOFS Share to Fabric & Hosts

Use SOFS for SQL Database Store:

1. Assign SQL Service Account Full permission to SOFS Share

  • Open Windows Explorer and navigate to the scale-out file share.
  • Right-click the folder, and then click Properties.
  • Click the Sharing tab, click Advanced Sharing, and then click Permissions.
  • Ensure that the SQL Server service account has full-control permissions.
  • Click OK twice.
  • Click the Security tab. Ensure that the SQL Server service account has full-control permissions.

2. In SQL Server 2012, you can choose to store all database files in a scale-out file share during installation.  

3. On the step 20 of SQL Setup Wizard , provide a location of Scale-out File Server which is \\SOFS\SQLData and \\SOFS\SQLLogs

4. Create a Database on SOFS Share but on the existing SQL Server using SQL Script

CREATE DATABASE [TestDB]
ON  PRIMARY
( NAME = N’TestDB’, FILENAME = N’\\SOFS\SQLDB\TestDB.mdf’ )
LOG ON
( NAME = N’TestDBLog’, FILENAME = N’\\SOFS\SQLDBLog\TestDBLogs.ldf’)
GO

Use Backup & Recovery:

System Center Data Protection Manager 2012 R2

Configure and add a dedupe storage target into DPM 2012 R2. DPM 2012 R2 will not backup SOFS itself but it will backup VHDX files stored on SOFS. Follow Deduplicate DPM storage and protection for virtual machines with SMB storage  guide to backup virtual machines.

Veeam Availability Suite

  1. Log on to Veeam Availability Console>Click Backup Repository> Right Click New backup Repository
  2. Select Shared Folder on the Type Tab
  3. Add SMB Backup Target \\SOFS\Repository
  4. Follow the Wizard. Make Sure Service Account of Veeam has full access permission to \\SOFS\Repository  Share.
  5. Click Scale-out Repositories>Right Click Add Scale-out backup repository> Type the Name
  6. Select the backup repository you created in previous>Follow the Wizard to complete tasks.

References:

Microsoft Storage Architecture

Storage Spaces Physical Disk Validation Script

Validate Hardware

Deploy Clustered Storage Spaces

Storage Spaces Tiering in Windows Server 2012 R2

SMB Transparent Failover

Cluster Shared Volume (CSV) Inside Out

Storage Spaces – Designing for Performance

Related Articles:

Scale-Out File Server Cluster using Azure VMs

Microsoft Multi-Site Failover Cluster for DR & Business Continuity

Understanding Network Virtualization in SCVMM 2012 R2

Networking in SCVMM is a communication mechanism to and from SCVMM Server, Hyper-v Hosts, Hyper-v Cluster, virtual machines, application, services, physical switches, load balancer and third party hypervisor. Functionality includes:

SCVMM Network

Logical Networking of almost “Anything” hosted in SCVMM- Logical network is a concept of complete identification, transportation and forwarding of Ethernet traffic in virtualized environment.

  • Provision and manage logical networks resources of private and public cloud
  • Management of Logical networks, subnets, VLAN, Trunk or Uplinks, PVLAN, Mac address pool, Templates, profiles, static IP address pool, DHCP address pool, IP Address Management (IPAM)
  • Integrate and manage third party hardware load balancer and Cisco virtual switch 1000v
  • Provide functionality of Virtual IP Addresses (VIPs), quality of service (QoS), monitor network traffic and virtual switch extensions
  • Creation of virtual switches and virtual network gateways

Network Virtualization – Network virtualization is a parallel concept to a server virtualization, where it allows you to abstract and run multiple virtual networks on a single physical network

  • Connects virtual machines to other virtual machines, hosts, or applications running on the same logical network.
  • Provides an independent migration of virtual machine which means when a VM moved to a different host from original host, SCVMM will automatically migrate that virtual network with the VM so that it remains connected to the rest of the infrastructure.
  • Allows multiple tenants to have their own isolated networks for security and privacy reason.
  • Allows unique IP address ranges for a tenant for management flexibility.
  • Communicate using a gateway of a site or a different site if permitted by firewall
  • Connect a VM running on a virtual network to any physical network in the same site or a different location.
  • Connect cross-network using an inbox NVGRE gateway that can be deployed as a VM to provide this cross-network interoperability.

Network Virtualization is defined in Fabric>Networking Tab of SCVMM 2012 R2 management console. Virtual Machine networking is defined in VMs and Services>VM Networks Tab of SCVMM 2012 R2 management console.

Host Config

Network virtualization terminology in SCVMM 2012 R2:

Fabric.networking

Logical networks: A logical network in VMM which contains the information of VLAN, PVLAN and subnets of a site in a Hyper-v host or a Hyper-v clusters. An IP address pool and a VM network can be associated with a logical network. A logical network can connect to another network or many network or vice-versa. Cloud function of each logical network is:

Logical network Purpose Tenant Cloud
External ·Site-to-site endpoint IP addresses

·Load balancer virtual IP addresses (VIPs)

·Network address translation (NAT) IP addresses for virtual networks

·Tenant VMs that need direct connectivity to the external network with full inbound access

Yes
Infrastructure Used for service provider infrastructure, including host management, live migration, failover clustering, and remote storage. It cannot be accessed directly by tenants. No
Load Balancer ·Uses static IP addresses

·Has outbound access to the external network via the load balancer

·Has inbound access that is restricted to only the ports that are exposed through the VIPs on the load balancer

Yes
Network Virtualization · This network is automatically used for allocating provider addresses when a VM that is connected to a virtual network is placed onto a host.

·Only the gateway VMs connect to this directly.

· Tenant VMs connect to their own VM network. Each tenant’s VM network is connected to the Network Virtualization logical network.

·A tenant VM will never connect to this directly.

·Static IP addresses are automatically assigned.

Yes
Gateway Associated with forwarding gateways, which require one logical network per gateway. For each forwarding gateway, a logical network is associated with its respective scale unit and forwarding gateway. No
Services · The Services network is used for connectivity between services in the stamp by public-facing Windows Azure Pack features, and for SQL Server and MySQL Database DBaaS deployments.

·All deployments on the Services network are behind the load balancer and accessed through a virtual IP (VIP) on the load balancer.

·This logical network is also designed to provide support for any service provider-owned service and is likely to be used by high-density web servers initially, but potentially many other services over time.

No

IP Address Pool: An IP address pool is a range of IP addresses assigned to a logical network in a site which provides IP address, subnets, gateway, DNS, WINS related information to virtual machines and applications.

Mac Address Pool: Mac Address Pool contains default mac address ranges of virtual network adapter of virtual machine. You can also create customised mac address pool and assign that pool to virtual machines.

Pool Name Vendor Mac Address
Default MAC address pool Hyper-V and Citrix XenServer 00:1D:D8:B7:1C:00 – 00:1D:D8:F4:1F:FF
Default VMware MAC address pool VMware ESX 00:50:56:00:00:00 – 00:50:56:3F:FF:FF

Hardware Load Balancer: Hardware load balancer is a functionality within SCVMM networking to provide third party loading balancing of application and services. A virtual IP or IP address Pool can be associated with hardware load balancer.

VIP Templates: VIP templates is a standard template used to define virtual addresses associated with hardware load balancer. VIP is allocated to application, services and virtual machines hosted in SCVMM 2012 R2. A template that specifies the load-balancing behaviour for HTTPS traffic on a specific load balancer by manufacturer and model.

Logical Switch: logical switches act as containers for the properties or capabilities that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify the capabilities in port profiles and logical switches, which you can then apply to the appropriate adapters. Logical switches act as an extension of physical switch with a major difference that you don’t have to drive to data center, take a patch lead and connect to computer, then configure switch ports and assign VLAN tag to that port.  Logical switch where you define uplinks or physical adapter of Hyper-v hosts, associate uplinks with logical networks and sites.

Port Profiles: Port profiles act as containers for the security and privacy that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify these capabilities in port profiles, which you can then apply to the appropriate adapters. Port profiles are associated with an uplinks in logical switch.

Port Classification: Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple logical switches while the settings for the port classification remain specific to each logical switch. For example, you might create one port classification named FAST to identify ports that are configured to have more bandwidth, and another port classification named SLOW to identify ports that are configured to have less bandwidth.

Network Service: Network service is container whether you can add Windows and non-Windows network gateway and IP address management and monitoring information. An IP Address Management (IPAM) server that runs on Windows Server 2012 R2 to provide resources in VMM. You can use the IPAM server in network resource tab of SCVMM to configure and monitor logical networks and their associated network sites and IP address pools. You can also use the IPAM server to monitor the usage of VM networks that you have configured or changed in VMM.

Virtual switch extension: A virtual switch extension manager in a SCVMM allows you to use a software based vendor network-management console and the VMM management server together. For example you can install Cisco 1000v extension software in a VMM server and add the functionality of Cisco switches into the VMM console.

VM Network: A VM network in a logical network is the endpoint of network virtualization which directly connect a virtual machine to allow public or private communication among VMs or other network and services. A VM network is associated with a logical network for direct access to other VMs.

VM Networks

Related Articles:

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

Understanding Dynamic Quorum in a Microsoft Failover Cluster

Windows Server 2012: Failover Clustering Deep Dive

Microsoft introduced an advanced quorum configuration option in Windows Server 2012/R2. You can choose to enable dynamic quorum management by cluster. There are major benefits of having dynamic quorum in any Microsoft cluster whether for Exchange DAG, SQL cluster, Hyper-v cluster or file server cluster. When you configure dynamic quorum, the cluster dynamically manages the vote assignment to nodes, based on the state of each node. Votes are automatically removed from nodes that leave active cluster membership, and a vote is automatically assigned when a node re-joins the cluster. Dynamic quorum remove dependencies of a quorum disk in Hyper-v and also enable multi-site cluster in a diverse geographic location without sharing common disk.

Pros:

  • With dynamic quorum management, it is also possible for a cluster to run on the last surviving cluster node.
  • By dynamically adjusting the quorum majority requirement, the cluster can sustain sequential node shutdowns to a single node.
  • The cluster software automatically configures the quorum for a new cluster, based on the number of nodes configured and the availability of shared storage.

Cons:

  • Dynamic quorum management does not allow the cluster to sustain a simultaneous failure of a majority of voting members. To continue running, the cluster must always have a quorum majority at the time of a node shutdown or failure.
  • If you have explicitly removed the vote of a node, the cluster cannot dynamically add or remove that vote.

How to configure a dynamic quorum?

Configure a standard cluster as you do in a Microsoft environment. Then use Quorum Configuration Wizard in Cluster Manager to configure advanced quorum.

  1. In Failover Cluster Manager, select the cluster that you want to change.
  2. With the cluster selected>under Actions>click More Actions> and then click Configure Cluster Quorum Settings> Click Next.
  3. On the Select Quorum Configuration Option page>click Advanced quorum configuration and witness selection
  4. On the Select Voting Configuration page>select an option to assign votes to nodes. By default, all nodes are assigned a vote.
  5. On the Configure Quorum Management page> enable the Allow cluster to dynamically manage the assignment of node votes
  6. On the Select Quorum Witness page>select Do not configure a quorum witness, and then complete the wizard
  7. Click Next>then click Next.

Once quorum is reconfigured then you run the Validate Quorum Configuration test to verify the updated quorum settings. Follow the steps to validate quorum.

  1. In Failover Cluster Manager, select the cluster> run the Validate Quorum Configuration test to verify the updated quorum settings.

Design and Build Microsoft Distributed File System (DFS)

Supported:

  • Windows and DFS Replication support folder paths with up to 32 thousand characters.
  • DFS Replication is not limited to folder paths of 260 characters.
  • Replication groups can span across domains within a single forest
  • VSS with DFS is supported.

Scalability on Windows Server 2012 R2

  • Size of all replicated files on a server: 100 terabytes.
  • Number of replicated files on a volume: 70 million.
  • Maximum file size: 250 gigabytes.
  • File can be staged ranging 16KB to 1MB. Default is 64KB when RDC is enabled. When RDC is disabled 256KB from sending member.
  • Up to 5000 folders with target. Maximum 50000 folders with targets.

Scalability on Windows Server 2008 R2

  • Size of all replicated files on a server: 10 terabytes.
  • Number of replicated files on a volume: 11 million.
  • Maximum file size: 64 gigabytes.

Unsupported:

  • Cross forests replication is unsupported
  • NTBackup for remotely backup DFS folder.
  • DFS in a workgroup environment

Determining Time Zone in DFS

Universal Coordinated Time (UTC). This option causes the receiving member to treat the schedule as an absolute clock. For example, a schedule that begins at 0800 UTC is the same for any location, regardless of time zone or whether daylight savings time is in effect for a receiving member. For example, assume that you set replication to begin at 0800 UTC. A receiving member in Eastern Standard Time would begin replicating at 3:00 A.M. local time (UTC – 5), and a receiving member in Rome would begin replicating at 9:00 A.M. local time (UTC + 1). Note that the UTC offset shifts when daylight savings time is in effect for a particular location.

Local time of receiving member. This option causes the receiving member to use its local time to start and stop replication. Local time is determined by the time zone and daylight savings time status of the receiving member. For example, a schedule that begins at 8:00 A.M. will cause every receiving member to begin replicating when the local time is 8:00 A.M. Note that daylight savings time does not cause the schedule to shift. If replication starts at 9 A.M. before daylight savings time, replication will still start at 9 A.M. when daylight savings time is in effect.

Determine AD Forest

  • The forest uses the Windows Server 2003 or higher forest functional level.
  • The domain uses the Windows Server 2008 or higher domain functional level.
  • All namespace servers are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

Using RDC:

Remote differential compression (RDC) is a client-server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFS Replication to replicate only the changes when files are updated. RDC is used only for files that are 64 KB or larger by default. RDC can use an older version of a file with the same name in the replicated folder or in the DfsrPrivate\ConflictandDeleted folder (located under the local path of the replicated folder).

RDC is used when the file exceeds a minimum size threshold. This size threshold is 64 KB by default. After a file exceeding that threshold has been replicated, updated versions of the file always use RDC, unless a large portion of the file is changed or RDC is disabled.

  • RDC is available Windows Server 2008 R2 Enterrprise and Datacenter Edition.
  • RDC is available Windows Server 2012/R2 Standard and Datacenter Edition.

DFS Namespaces Settings and Features

A referral is an ordered list of targets, transparent to the user that a client receives from a domain controller or namespace server when the user accesses the namespace root or a folder with targets in the namespace. The client caches the referral for a configurable period of time.

Targets in the client’s Active Directory site are listed first in a referral. (Targets given the target priority “first among all targets” will be listed before targets in the client’s site.) The order in which targets outside of the client’s site appear in a referral is determined by one of the following referral ordering methods:

Lowest cost, Random order, Exclude targets outside of the client’s site

Design the Replication Topology

To publish data, you will likely use a hub-and-spoke topology, where one or more hub servers are located in data centers, and servers in branch offices will connect to one or more hub servers. To prevent the hub servers from becoming overloaded, we recommend that fewer than 100 spoke members replicate with the hub server at any given time. If you need more than 100 spoke members to replicate with a hub server, set up a staggered replication schedule to balance the replication load of the hub server.

The lowest cost ordering method works properly for all targets only if the Bridge all site links option in Active Directory is enabled. (This option, as well as site link costs, are available in the Active Directory Sites and Services snap-in.) An Inter-site Topology Generator that is running Windows Server 2003 relies on the Bridge all site links option being enabled to generate the inter-site cost matrix that the Distributed File System service requires for its site-costing functionality. If the Bridge all site links option is enabled, the servers in a referral are listed in the following order:

  1. The server in the branch site.
  2. The server in regional data center site 1. (Cost = 10)
  3. The server in regional data center site 2. (Cost = 30)
  4. The server in regional data center site 3. (Cost = 50)

A domain-based namespace can be hosted by multiple namespace servers to increase the availability of the namespace. Putting a namespace server in remote or branch offices also allows clients to contact a namespace server and receive referrals without having to cross expensive WAN connections.

Definitions:

Namespace server . A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

Namespace root . The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folder . Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

Folder targets . A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\domain.com\Public\Software\Tools is transparently redirected to the shared folder \\server1\Tools or \\server2\Tools, depending on which site the user is currently located in.

By default, DFS replication between two members is bidirectional. Bidirectional connections occur in both directions and include two one-way connections. If you desire only a one-way connection, you can disable one of the connections or use share permissions to prevent the replication process from updating files on certain member servers.

Step1: Organise Folder Structure in multiple servers in geographically diverse location

Example:

Server1 in Perth

D:\Marketing

D:\HR

D:\IT

Server2 in Melbourne

D:\Marketing

D:\HR

D:\IT

Step2: Install DFS on Server

Before setting up replication between servers, the DFS Replication roles need to be installed on each server that is going to participate in the replication group. Open Server Manger by clicking on the Server Manager icon on the task bar

  1. On the Welcome Tile, under Quick Start, click on Add roles and features to start the Add Roles and Features Wizard. If there’s no Welcome Tile, it might be hidden. Click View on the menu bar and click Show Welcome Tile.
  2. Click Next.
  3. Select Roll-based or feature-based installation and click Next.
  4. Select a server from the server pool and select the server on which you want to install DFS Replication. Click Next.
  5. Under Roles, expand File and Storage Services, expand File and iSCSI Services, select DFS Replication and click Next.
  6. If you have not already installed the features required for DFS Replication, the following box will pop up explaining which features and roles will be installed along with DFS Replication.
  7. Click Add Features.
  8. Back to the Select server roles dialog. It should now show DFS Replication as checked along with the other roles required for DFS Replication.
  9. Click Next.
  10. The Select features dialog shows the features that will be added along with the DFS Replication role.
  11. Click Next.
  12. Click Install.
  13. Click Close when the installation completes.
  14. You will notice a new DFS management icon.

Step3: Create New Namespace

  1. Double click on this icon to open the DFS Management MMC.
  2. In the DFS Management console, right click on Namespaces and select new namespace. In the New Namespace Wizard, select the server that will host the namespace (the DFS server) and click next to continue.
  3. Give your DFS and easy to understand namespace and click next.
  4. The next step asks whether you want to use a domain based namespace or a stand alone namespace. Select domain-name based DFS namespace and click next, then create.
  5. Once finished, you will see the newly created namespace in the namespace section of the DFS Manager along with its UNC path. This is the path you will use to access the DFS share.
  6. Now that we have create the namespace, it’s time to add some folders. In DFS, you can access multiple shared folders using a single drive letter. Add the required folders to the DFS namespace.
  7. Right click on the DFS namespace and select new folder.
  8. In the new folder window, create a folder named X, then click on the add button and locate the folder on the required server. When finished, click OK.
  9. Repeat the process to add the other shared folders.
  10. To test – Open a browser and type the UNC path of your DFS namespace. All folders appear in a single share.

Step5: Replicate Folders

  1. In the DFS Management console, double click on the folder to view its path.
  2. Log in to server 2 and create a folder named admin as well.
  3. Right click on the folder and select add folder target.
  4. Enter the UNC path of the folder located on the second server and click OK.
  5. You will be prompted to create a replication group. Click yes.
  6. Follow the wizard to configure the replication parameters.
  • Primary Member: This is the server that has the initial copy of the files you want to replicate.
  • Topology: This dictates in what fashion the replication will occur.
  • Bandwidth and Schedule: How much bandwidth to allocate and when to synchronize.
  1. Once you have finished, click create. Any file that you create, modify or delete when using the namespace UNC path will be almost immediately copied to both replicating folders.

Step6: Manually creating replication group if you didn’t create in step1

  1. In the console tree of the DFS Management snap-in, right-click the Replication node, and then click New Replication Group.
  2. Follow the steps in the New Replication Group Wizard and supply the information in the following table.
  3. Select Multipurpose replication group>Type the name of the replication group> Click Add to select at least two servers that will participate in replication. The servers must have the DFS Replication Service installed.
  4. Select Full Mesh> Select Replicate continuously using the specified bandwidth.> Select the member that has the most up-to-date content that you want to replicate to the other member.
  5. Click Add to enter the local path of the Data folder you created earlier on the first server. Use the name Data for the replicated folder name.
  6. On this page, you specify the location of the Data folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Data folder.
  7. On this page, you specify the location of the Antivirus Signatures folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Antivirus Signatures folder.
  8. Click Create to create the replication group.
  9. Click Close to close the wizard. Click OK to close the dialog box that warns you about the delay in initial replication.

Migrate WSUS Server from Server 2008/R2 to Server 2012/R2

The following procedure apply if you have an existing WSUS server installed on a Windows 2008 R2 OS with SQL Express and you wish to migrate to Windows Server 2012 R2 WSUS server and a separate backend database server.

Step1: Backup SQL DB of Old WSUS Server

Log on to existing WSUS server. Open SQL Management Studio>Connect to DB>Right Click SUSDB>backup full database.

clip_image002

Step2: Export metadata from old WSUS Server

The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and WSUS Administrator Group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself and during the import or export process, the Update Service is shut down.

Open command prompt as an administrator>go to C:\program Files\Update Services\Tools

Issue wsusutil.exe export c:\export.cab c:\export.log command

Move the export package you just created to the new Microsoft WSUS Server.

 

If you have .netFramework v.2 or v.4 but not configured in IIS Application. Then most likely above command will fail giving you some grief. Here is a solution for this.

Verify that WSUS is configured to use the .NET4 libraries in IIS>Application Pool

clip_image004

Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools

Edit the file and add the following:

<configuration><startup><supportedRuntime version=”v4.0.30319″ /></startup></configuration>

If issue persists, please try to unapprove KB3020369 in WSUS Console then try again.

Re-run the wsusutil command but instead of making a CAB file make a .xml.gz file and all should be well.

clip_image006

clip_image008

Further reading 1

Further reading 2

 

Step3: Build New WSUS Server

Virtualize a new Windows Server 2012 R2 Server. Setup static IP, Join the server to domain. Install .NetFramework 4 in new server.Do not Configure WSUS at this stage. Go to Step4.

 

Step4: Restore SQL DB in New SQL Server (Remote and/or Local )

Log on to SQL Server. Open SQL Management Studio>Create a Database named SUSDB

Restore old SUSDB to new SUSDB with override option.

Assign sysadmin, setupadmin role to the person who will install WSUS role in new WSUS server.

clip_image013

image

clip_image018

clip_image020

Step5: Install WSUS Role & Run Initial Configuration Wizard.

Installation of WSUS

 Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the Local Administrators group.

 In Server Manager, click Manage, and then click Add Roles and Features.

 On the Before you begin page, click Next.

 In the Select installation type page, confirm that Role-based or feature-based installation option is selected and click Next.

 On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.

 On the Select server roles page, select Windows Server Update Services. Add features that are required for Windows Server Update Services opens. Click Add Features, and then click Next.

 On the Select features page. Retain the default selections, and then click Next.

 On the Windows Server Update Services page, click Next.

 On the Select Role Services page, Select Windows Server Update Services and Database, and then click Next.

 On the Content location selection page, type a valid location to store the updates. For example, type E:\WSUS as the valid location.

 Click Next. The Web Server Role (IIS) page opens. Review the information, and then click Next. In Select the role services to install for Web Server (IIS), retain the defaults, and then click Next.

 On the Confirm installation selections page, review the selected options, and then click Install. The WSUS installation wizard runs. This might take several minutes to complete.

 Once WSUS installation is complete, in the summary window on the Installation progress page, click Launch Post-Installation tasks. The text changes, requesting: Please wait while your server is configured. When the task has finished, the text changes to: Configuration successfully completed. Click Close.

 In Server Manager, verify if a notification appears to inform you that a restart is required. This can vary according to the installed server role. If it requires a restart make sure to restart the server to complete the installation.

 

Post Configuration

Open Server Manager>Add/Remove program. It will provide you with previous installation Wizard. Launch Post Configuration Wizard.

 On the Welcome page, click Next.

 On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

 Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

Make your selection, and then click Next.

On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance. Simply type remote or local SQL Server Name and then click Next.

On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.

 On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.

 The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish the configuration wizard will be launched.

 

Step6: Match the Advanced Options on the old WSUS Server & the new WSUS Server

Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:

  1. In the WSUS console of the old WSUS server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  2. In the Advanced Synchronization Settings dialog box, check the status of the settings for Download express installation files and Languages options.
  3. In the WSUS console of the new server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the old server.

Step7: Copy Updates from File System of the old WSUS Server to the new WSUS server

To back up updates from file system of old WSUS server to a file, follow these steps:

  1. On your old WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
  4. In Backup media or file name, type a path and file name for the backup (.bkf) file.
  5. Click Start Backup. The Backup Job Information dialog box appears.
  6. Click Advanced. Under Backup Type, click Incremental.
  7. From the Backup Job Information dialog box, click Start Backup to start the backup operation.
  8. Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

  1. On your new WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
  4. In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.
  5. Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.
  6. Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the restore operation.

Alternative option would be use FastCopy Software. Copy and paste WSUS content from old server to new server.

Step8: Copy Metadata from the Database on the old WSUS Server to the new WSUS Server

To import metadata into the database of the new Microsoft Windows Server Update Services Server, follow these steps:.

Copy export.xml.gz or export.cab file from old server to new server using copy/Paste or FastCopy software.

Note: It can take from 3 to 4 hours for the database to validate content that has just been imported.

At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe. Type the following: wsusutil.exe import packagename logfile (For example: wsusutil.exe import export.cab import.log or wsusutil.exe import export.xml.gz export.log)

Step9: Point your Clients to the new WSUS Server

Next you need to change the Group policy and make it point top the new server.  To redirect Automatic Updates to a WSUS server, follow these steps:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. With the new server details and port For example, type http(s)://newservername :Port in both boxes.

Step10: Invoke GPUpdate

Open PowerShell command prompt as an administrator in any computer. Run Invoke-GPUpdate Servername to synchronise server with new WSUS Server.