Browsing Posts published by Huw

Below is a list of key notes I made whilst studying for the 70-417 exam. They are as brief as I could make them for last minute cramming.

Direct Access

  • Aka Unified Remote Access. A VPN-like technology that can be used to connect clients automatically.
  • Requires Windows 7 and above
  • When using split brain DNS there may be a difference between the public and internal IP for server on your network. If you want a direct access client to access the public IP (rather than internal IP) then you must specify an exemption. This is achieved by not specifying a DNS server for a name suffix.
    • To setup access to intranet servers in the above example you should specify the name of the server with a leading dot (e.g. .intranet.al.net) in the name resolution policy
  • Use the prefer local names allowed option in a group policy to allow remote users to connect to a locally named server (e.g. server1) if the name conflicts with a server in head office.
  • You can specify the “force tunnelling” option to have all traffic routed through the direct access connection.

File Resource Manager

  • To setup Access Denied Assistance –
    • Install file server resource manager on the file server(s).
    • You may need to setup an email address for this
    • You must then edit a GPO to enable this.

  • Folder “classifications” are a feature of file server resource manager

Failover Cluster

  • Failover cluster servers must have
    • 1 NIC for network communication and another for cluster communication.
    • Shared storage
    • Both servers in the cluster must be identical
  • Before creating a cluster it must be “validated”. If validation doesn’t pass you won’t be able to create a cluster
  • As a general rule when you configure a quorum, the voting elements in the cluster should be an odd number. Therefore, if the cluster contains an even number of voting nodes, you should configure a disk witness or a file share witness. The cluster will be able to sustain one additional node down. In addition, adding a witness vote enables the cluster to continue running if half the cluster nodes simultaneously go down or are disconnected.
    • A disk witness is usually recommended if all nodes can see the disk. A file share witness is recommended when you need to consider multisite disaster recovery with replicated storage. Configuring a disk witness with replicated storage is possible only if the storage vendor supports read-write access from all sites to the replicated storage.
  • The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.
    • Node Majority (recommended for clusters with an odd number of nodes) – Can sustain failures of half the nodes (rounding up) minus one. For example, a seven node cluster can sustain three node failures.
    • Node and Disk Majority (recommended for clusters with an even number of nodes) – Can sustain failures of half the nodes (rounding up) if the disk witness remains online. For example, a six node cluster in which the disk witness is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the disk witness goes offline or fails. For example, a six node cluster with a failed disk witness could sustain two (3-1=2) node failures.
    • Node and File Share Majority (for clusters with special configurations) – Works in a similar way to Node and Disk Majority, but instead of a disk witness, this cluster uses a file share witness.
    • No Majority: Disk Only (not recommended) – Can sustain failures of all nodes except one (if the disk is online). However, this configuration is not recommended because the disk might be a single point of failure.
  • If you use a network for iSCSI (storage), do not use it for network communication in the cluster.
  • Scale-Out File Server (SOFS). The SOFS is a special active/active clustered file server role that runs on every node in the file server cluster.
    • It requires shared storage either SAN or storage space
  • The Add-ClusterGenericApplicationRole cmdlet – Configure high availability for an application that was not originally designed to run in a failover cluster.
  • Witness disks must be basic (not dynamic) and formatted with NTFS
  • To specify which server should process client requests in a failover cluster set it as the preferred owner.

  • To move cluster resources to another cluster use “migrate roles”.
  • To move cluster resources between nodes use “move core cluster resources”

 

Clustered File servers

  • Scale Out File Server
    • Doesn’t support DFS
    • All file shares are online on all nodes simultaneously (active-active)
    • Can be used to store HyperV VMs
  • File server for general use
    • Does support DFS
    • Online one node online at a time (active-passive)

IP Address Management (IPAM)

  • IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on a corporate network. IPAM provides for administration and monitoring of servers running DHCP and DNS. There are a number of cmdlets you may need to use with IPAM:-
    • The Add-DhcpServerInDC cmdlet – Adds the computer running the DHCP server service to the list of authorized DHCP server services in AD.
    • Add-IpamServerInventory – Adds an infrastructure server to an IPAM database.
  • The IPAM server must be added to the “event log readers” group
  • If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  • The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies. The GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM provisioning wizard.
    • The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value
    • Example use :- invoke-IpamGPOProvisioning -domain contoso.com -gpoprefixname IPAM
  • The IPAM installation process

  • To set the manageability status of the ipam change the below

Publishing Apps on the Internet

  • Web Application Proxy – A feature on win2012 that lets you configure a server to act as a reverse proxy
  • Constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. A common example of constrained delegation is the web-browser-to-IIS-to-SQL-Server scenario.
  • Relaying Party Trust – allow a server to request AD information from ADFS

Read Only Domain Controller

You can add local administrators who do not have full access to the domain administration. This gives them the abiltiy to manage the server but not add or change active directory objects. Adding this type of user is done using the dsmdmt.exe utility at the command prompt. The following graphic shows a few commands including:

  • adding local roles
  • showing local roles

Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.

Server Core Edition

  • There are a number of ways to manage a Windows core server
    • The Server Configuration tool (Sconfig.cmd) can be used to configure and manage several common aspects of Server Core installations

  • You can use server manager installed by default on 2012. For windows 8 you need to download the remote server administration tools
  • To open the firewall to allow MMC remote management use the command Enable-NetFirewallRule -DisplayGroup “Remote Administration”
  • To enable RDP run the command cscript C:\Windows\System32\Scregedit.wsf /ar 0 on the core server
  • To join a domain you can use either:-
    • Powershell – Add-computer (you will be prompted for further info)
    • Cmd line – netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
  • To make a core server a domain controller in an existing domain enter the below in the cmd prompt
    • Powershell
    • Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    • Install-ADDSDomainController
  • To convert to the GUI version of windows you can use either dism or powershell:-
    • DISM –
      • Dism /online /enable-feature /featurename:Server-Gui-Mgmt /featurename:Server-Gui-Shell /featurename:ServerCore-FullServer
    • Power shell
      • Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra, or
      • Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

Workplace Join

  • Allows BYOD devices to get active directory access without being explicitly added to the domain.
  • The setup process is:-
    • SSL cert – install a public trusted certificate
    • install ADFS – In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication
    • Setup device registration service (powershell cmds are Initialize-ADDeviceRegistration & Enable-AdfsDeviceRegistration) to configure a server in an AD FS farm to host the Device Registration Service.
    • Register device registration service endpoint in DNS – create enterpriseregistration record
  • The Workplace Join process creates a new device object in AD and also installs a certificate on the device. You can then create conditional access policies to permit access to only authorized network applications and services.
  • The SSL certificate on the ADFS server MUST have the below settings:-
    • Subject Name (CN): adfs1.contoso.com
    • Subject Alternative Name (DNS): adfs1.contoso.com
    • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

     

Hyper-V

  • With Hyper-V Replica, one can replicate a virtual machine from one location to another simple utilizing Hyper-V and a network connection.
    • To replicate a VM you must setup the destination hyperV server as a “replica server” and you must edit the settings of the VM to enable replication.
    • You will also need to have certificate services setup on the domain if you want to encrypt the replication
  • Live Migration – almost instantaneous moving of a VM between hosts. A live migration can be used for planned maintenance but not for an unplanned failover. You cannot move multiple VMs simultaneously.
  • Quick Migration – slower than live migration. You can move multiple VMs with a quick migration
  • Port mirroring – can be used to capture all network traffic to another port
  • You can use the Resource Control settings to balance resources:-

  • Virtual Machine Reserve (percentage) – this value says how much CPU is kept aside for the running Virtual Machine.
  • Percent of total system resources – this is a percent of a Virtual Machine processor time, that is measured by how many processors are assigned to the virtual machine
  • Virtual Machine Limit (percentage) – this is a percent of CPU that the running Virtual Machine is not allowed to go over the top of
  • Percent of total system resources – this is percent of a VM processor time, that is measured by how many processors are assigned to the physical computer
  • Relative Weight – this is used to decide how CPU is distributed. (Basically a virtual machine with the higher weight (say 500) will get twice the CPU time as a virtual machine with a weight lower weight (say 400).
  • You can use resource metering to gather stats on a VM.
  • Use import-vm powershell command to import a VM into Hyper-V from a file.
  • Single root I/O virtualisation capable network adaptors can be assigned diretly to a VM. This is useful for VMs that generate a lot of network traffic.
  • You can test the failover of a HyperV replicated VM by right clicking on it and selecting “test failover”

Network Access Protection

  • Restricts client PC access to your network. NAP can test “health” of clients by checking status of; AV, patching, firewall. If fails status check it can provide access to a “remediation” network that could contain an AV server
  • There are 4 components
    • Network Policy Server (NPS) – used to manage network access through the VPN server, RADIUS servers and other points of access to the network. Can be a RADIUS server, a RADIUS proxy or a NAP policy server. The NPS works in conjunction with other components, including the System Health Agents (SHAs) and System Health Validators (SHVs).
    • Health Registration Authority (HRA) – validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. HRA requests a special type of certificate from the CA called a health certificate. The health certificate is used by NAP client computers to communicate on an IPsec-protected network.
      • Requirements for HRA automatic discovery
        • Client computers must be running Windows Vista® with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
        • The HRA server must be configured with a Secure Sockets Layer (SSL) certificate.
        • The EnableDiscovery registry key must be configured on NAP client computers.
        • DNS SRV records must be configured.
        • The trusted server group configuration in either local policy or Group Policy must be cleared.
    • Host Credential Authorization Protocol (HCAP)
    • RADIUS server and proxy
  • You can configure the NAP server with three different types of policies:
  1. Connection Request Policies that use connections and settings to authenticate client requests to access the network. These policies also control where the authentication will be performed. You must have a connection request policy for each NAP enforcement method.
  2. Network Policies that use conditions, settings and constraints to determine the level of access that will be authorized for a client that attempts to connect to the network. You need at least two network policies to deploy NAP: one for client computers that are found to be compliant with your health policies and one for those clients that are out of compliance.
  3. Health Policies that specify which System Health Validators (SHVs) are to be evaluated and how they’re to be used to evaluate health status. You have to enable at least one SHV for each health policy.
  • NAP Policies can be IPsec, VPN, 802.1x, RD Gateway and DHCP.

  • Network Policy Server (NPS) – The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy is automatically installed when you install HRA. You can configure NPS on your HRA server as either a NAP health policy server or NPS proxy.
  • System Health Validators – When you install an SHV, it is added to the list of SHVs in the Network Policy Server (NPS) console and becomes available for use in health policies. The Windows Security Health Validator (WSHV) is available by default.

Group Policy

  • WMI filtering allows you to filter the application of group policies based on hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
  • When a group policy is enforced it means it cannot be overruled by another GPO underneath it in AD. Enforced policies are applied last with policies “higher” in the AD tree being applied after “lower” policies.
  • By default settings in Group Policy Objects (GPOs) get applied in the following order:
    • Local system policies
    • Site
    • Domain level
    • OUs (starting at the root of the domain).
  • In Win2012 you can now force a group policy update from the management console

Backups

  • You cannot use Azure backups to backup a USB flash drive
  • Azure Powershell commands
    • Set-OBMachineSetting – used to specify proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase
    • Start-OBRegistration – Registers the current computer with Windows Azure Backup using the credentials (username and password) created during enrolment.
    • Get-OBPolicy | Start-OBBackup – start backup job using a policy
  • When using server backup to a network share it will only store one backup. Subsequent backups overwrite the previous

Installation

  • Files used in the installation of roles is held in the winsxs folder
  • Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows image – e.g. to add drivers. An example command to mount an image = dism.exe /mount /wimfile c:\yourserverimage.wim /index:4 /mountdir:c:\mount
    • For example to install the server migration tools into this image run the cmd Dism /image:C:\mount /Enable-Feature /FeatureName:migration /All
  • You cannot upgrade and “core” installation of windows server and switch to a GUI in one step. If you want to upgrade 2008r2 core to 2012 GUI you should upgrade to 2012 as the first step and then add the Server Graphical Shell feature
  • You can upgrade standard versions of win2012r2 to datacentre by using the dism tool (dism /online /set-edition:ServerDatacenter /productkey:<Datacenter key, e.g. AAAAA-BBBBB-CCCCC-DDDDD-EEEEE> /AcceptEula)
  • Powershell – You can use the below commands
    • Install-ADDSDomainController – Creates a new domain controller in an existing domain.
    • Install-ADDSDomain – Creates a new domain in an existing forest.
    • Install-ADDSForest – Creates a new forest. Note you will need to run this one first when first setting up AD
  • The Active Directory installation wizard gives options to install DNS and setup as a GC

Powershell Web Access Gateway

  • Windows PowerShell Web Access provides a web-based Windows PowerShell console. It enables IT Pros to run Windows PowerShell commands and scripts from a Windows PowerShell console in a web browser, with no Windows PowerShell, remote management software, or browser plug-in installation necessary on the client device.
  • Install-PswaWebApplication – Configures the Windows PowerShell Web Access web application in IIS.
  • Add-PswaAuthorizationRule – Adds a new authorization rule to the Windows PowerShell Web Access authorization rule set.

Remote Management

  • On Win2012 remote management is enabled by default
  • LocalAccountTokenFilterPolicy – registry setting that must be enabled to allow remote management in non-domain environment. It disables remote UAC
  • You can enable server manager remote management via the powershell commands:-
    • Set-Execution-Policy -ExecutionPolicyRemote signed
    • Configure-SMRemoting.exe –enable – this will enable all firewall rule exceptions needed
  • The cmd winrs -r:SERVERNAME ipconfig can be used to remotely retrieve the ip details of a server
  • To manage 2008r2 servers from 2012 you must (on the 2008r2 server):-
    • Install .net 4 and windows management framework 3
    • Run the powershell commands:-
      • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
      • Configure-SMRemoting.ps1 -force -enable
  • To enable remote management via powershell you can use enable-pssessionconfiguration although enable-psremoting is the preferred option

Active Directory

  • The Active Directory Recycle bin needs to be manually enabled
  • Dcpromo is not available in the GUI version of 2012 but is available in the core edition. You will need to use server manager or powershell
    • The powershell commands are Import-Module ADDSDeployment and Install-ADDSForest
  • The Active Directory Database Mounting Tool, Dsamain.exe, allows an ntds.dit file to be mounted and exposed as an LDAP server, which means you can use such tools as ADSIEdit, LDP.exe, and Active Directory Users and Computers to interact with the data.
    • Obviously because you’re mounting on a DC, you can’t mount the AD database on the standard LDAP port of 389 – you must choose another port.
  • The overall function of the Federation Service in Active Directory Federation Services (AD FS) is to issue a token that contains a set of claims. The decision regarding what claims AD FS accepts and then issues is governed by claim rules.
    • AD FS includes a predefined set of claim rule templates that are designed to help you easily select and create the most appropriate claim rules for your particular business need.
      • Acceptance Transform Rule Set – A set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization and the outgoing claims that will be sent to the relying party trust.
      • Issuance Transform Rule Set – A set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.
      • Issuance Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to receive a token for the relying party.
      • Delegation Authorisation Rule Set – A set of claim rules that you use on a relying party trust to specify the users that will be permitted to act as delegates for other users to the relying party.
      • Impersonation authorization Rule Set – A set of claim rules that you configure using Windows PowerShell to determine whether a user can fully impersonate another user to the relying party.
  • The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings. It needs to be scripted to apply to remote computers
  • If having problems with ADFS and 3rd party applications you can disable extended protection for authentication by running the command Set-ADFSProperties –ExtendedProtectionTokenCheck “None”. This is not recommended as it lowers security.
  • Use NTDSUTIL to mount an AD snapshot. You can then use DSAMAIN to make this data available via ldap.
  • After a migration you may need to rebuild sysvol and netlogon shares. You can so this forcing an authoritative (D4) and non-authoritative (D2)
    synchronization. The steps are:-
    • Stop FRS service
    • Edit registry – Set “burflags” key to either D2 or D4
    • Start FRS service
  • A non-authoritative SYSVOL restore will re-deploys SYSVOL data from working Domain Controller using DFS-R (DFS Replication). The process to do this is:-
    • adsiedit – to set the DFSR-Enabled value to “false”
      • repadmin /syncall /AdP – initiate AD replication
      • dfsrdiag PollAD – to synchronize with the global information store
    • adsiedit – to set the DFSR-Enabled value to “true”
      • repadmin /syncall /AdP – again start AD replication
      • dfsrdiag PollAD – sync with global information store (again)

Troubleshooting

  • The cmd-line Logman tool can create and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.

  • Use subscription managers to automatically send event log data to another server

  • Source-initiated subscriptions allow you to define a subscription on an event collector computer without specifying the event source computers.
  • Collector initiated subscriptions must define all the event sources in the event subscription.

Performance Counter Thresholds

If any of the below counters are giving reading above the threshold, you have an issue

Performance Counter

Threshold

Memory\Available MBytes     

<10%

Memory\Pages/sec

>1000

Processor Interrupt Time

>30%

System\Processor Queue Length

> 2 per processor

Processor\%Processor Time

> 90%

 

FSMO Roles

Forest Wide Roles

  • Schema Master – The schema master controls all updates and modifications to the schema.
  • Domain Naming
    Master – responsible for making changes to the forest-wide domain name space of the directory in the Partitions container.

Domain Wide Roles:

  • Relative ID (RID) Master – Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique to the Domain. When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
  • PDC Emulator – acts as a Windows NT PDC for backwards compatibility, it can process updates to a BDC. Responsible for time synchronising. Is ultimately responsible for passwords with all password changes being replicated to the PDC emulator as soon as possible.
  • Infrastructure Master – The infrastructure master is responsible for updating references from objects in its domain to objects in other domains.

Storage Spaces

  • When adding a new disk to a win2012 server it will go into the primordial storage space.
  • You require 2 disks for a “mirrored” storage space
  • A “parity” storage space requires 3 disks.

Dynamic Access Control

You can use dynamic access control to limit access to files based on AD attributes and folder properties. For example allow all Canadian users to access a file share with the vale “Canada” setup on it.

To setup dynamic access control you must:-

  • “Enable KDC support for claims, compound authentication, and Kerberos armouring” in GPO
  • Create a claim type – e.g. if users home country is set to Canada

  • Configure Resource properties for files – Select the relevant information from the file share (e.g. country, department)


  • Create Resource property lists – every resource property needs to be added to a list. Once done you can now classify the files\folders via this property.
  • Create New Central Access Rule – i.e. Canadian users can access file shares with the “Canadian” field setup
  • Create Central Access Policy – Create a policy to use the above rule
  • Apply in GPO

 

Computer Management

You can create a VHD from computer management

Djoin

  • Can be used with win7 and 2008r2 and above
  • Allows a computer to join a domain without connectivity to a DC

Misc

  • The Netlogon.dns file can be used to locate SRV records
  • The cmdlet set-executionpolicy specifies the security restrictions:-
    • Restricted: Does not load configuration files or run scripts. “Restricted” is the default execution policy.
    • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
    • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
    • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
    • Bypass: Nothing is blocked and there are no warnings or prompts.
    • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
  • Use the new-virtualdisk cmdlet to create a vhd.
  • Managed Service Accounts can be used for services to run under.
    • They can be created via powershell New-ADServiceAccount
    • Use sc.exe to change the log on credentials of a service

  • Use NTDSUTIL to manage active directory application partitions
  • To prepare a domain controller for cloning, place the customdccloneallowlist.xml file in the same directory as the AD database (ntdis.dit)
  • To export a custom Data Collector Set from one computer to another right click on it and select save template.

This article explains how to create an SMTP relay on windows server. We have found that after migrating businesses to Office365 there are certain applications that need to send emails. By creating a local SMTP relay you bypass the need to relay the emails through Office365.

In this example we are installing and SMTP relay on Windows 2008r2

Pre-requisites

The server that will be acting as an SMTP relay must be allowed through the firewall for outbound port 25 connections.

Step 1 – Add SMTP server feature

Select SMTP server. It will ask you to install the pre-requisite roles which you will need to do.

 

Step 2 – Allow Relay

Open IIS Manager and go to the relay section of the SMTP virtual server (as shown below).

Enter the IP of the servers you would like to relay though this.

Step 3 – Configure Application

In the below example I have configured Veeam to use this server

 

Best Practise

As you have just created a non-registered SMTP server, there is a high chance that this email may be classed as spam. The below list will help ensure your email reaches its destination but are out of the scope of this article. You may want to

  1. Add the sending address to a whitelist (e.g. mimecast permitted senders)
  2. Add public IP used by the server to an allow list (such as the office365 allow list)
  3. Setup PTR record for the public IP used by this server
  4. Update SPF records to include the public IP used by this server

THE END

In this article I explain how to perform a simple P2V using vmware convertor. This guide is designed for IT professionals.

Pre-Requisite Checks

  • Are there any usual PCI cards e.g. SCSI cards. If there are you may not be able to virtualise
  • Are there any USB devices connected.
  • How big are the server drives will they fit on the destination ESXi server
  • Is there enough RAM on the destination ESXi server
  • Confirm both source and destination servers are on a GB port otherwise the p2v may take a long time.

Step 1 – Prepare the Machine for P2V

I recommend the following steps:-

  • Make a note of the IP settings. Go to the start menu, then choose run and enter “cmd”. This will bring up a cmd prompt. In the cmd prompt enter ipconfig /all > c:\ipconfig.txt. On windows 7 you will have to run the cmd prompt with administrative permissions or you may get an access denied error

This is because following the p2v a “new” network adaptor is installed and this will need to have the IP information entered into it.

  • Stop any services that will keep data files open for example the exchange information store or SQL services

This will ensure that the files are brought across in a consistent state.

Step 2 – Download and Install VMWare Convertor

  • Download and install. Although you can run vmware convertor remotely you will have a greater chance of success if you install it on the machine you want to p2v. Vmware convertor can be downloaded from here:-

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_0

  • Disable SSL (optional) – By default, VMware Converter uses SSL to transmit data. Switching off SSL will speed up the p2v. You can do this by editing an xml file on the machine running VMware converter. It is located in

    C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\converter-client.xml

    Look in the NFC section:

    <nfc>

    <useSsl>false</useSsl> –Change to false.

    </nfc>

 

Step 3 – Start the P2V

  1. Open VMware converterand select “convert machine”, then “This local machine” (assuming you installed the converter on the machine you want to p2v).

  1. Enter the details for the ESXi server you want to connect to and click next. Note that if you use a vCenter Server you may want to enter those details instead. Ignore any SSL errors.

  1. On the next screen enter the name of the VM and click next.
  2. On the next screen where you want to store the VM. Obviously make sure there is sufficient disk space!
  3. On the options section there are a few things you will wish to check. Firstly the disk layout if there machine has multiple drives you may wish to make sure they are all on separate virtualdisks. This will make resizing the drives in the future far easier.

  4. vCPUs – consider the number of CPUs needed for the virtual machine. If the VM is not running software that takes advantage of multiple CPUs (such as exchange, SQL etc) then there is little point having more than one CPU.
  5. Networks – Again if the VM only requires one network card there is little point having 2. I also recommend disabling the network card. This allows you to check the p2v has been successful before shutting down the original physical machine.

  1. Services – I recommend disabling any hardware specific services (such as Dell Openmanage) that will not be required once the machine is virtualised.

  1. I recommend choosing to install vmware tools following conversion (this saves doing it manually).

  1. Click next and start the p2v process.

 

Step 4 – Post P2V

  • Logon to the ESXi server (or vCenter) and check that the new virtual machine has started up successfully.
  • Assuming it has you can now power down the original host.
  • If you disabled the network card in step 7 above then you now need to enable it. You can do this by editing the properties of the VM.

  • Go to the control panel and remove any hardware specific software which is now not needed. For example Dell OpenManage software.
  • Again in the control panel go to the network section and put the IP addresses into the network card. You can get the IP information from the c:\ipconfig.txt file created in step 1.

  • Reboot the new VM and verify you can access it over the network.

THE END

 

In this article I am setting up a vCenter appliance and configuring it with Active Directory.

 

1 – Download and deploy appliance

Log onto vmware.com and browse to the download section.

Log onto one of your ESXi hosts and deploy via the VI client.

I would also check the time on the ESXi hosts is correct and matches the time on your Active Directory DCs.

Follow the wizard, once complete you should have a running appliance.

 

2- Setup Appliance

Log on to the appliance using the link specified above (e.g. 10.0.0.1:5480). Note that the default username is root with a password of vmware.

Run through the wizard using the default settings.

Enter IP information on below section. Enter the Active Directory DNS servers.

Make sure the time zone is correct

 

3 – Configure Active Directory Integration

Go to the below tab and enter your active directory details. You will need to reboot the appliance once entered.

Then log onto the vCenter web client. This is on https://IP-OF-VCSA:9443

Note if you get an SSL error when trying to log into the web client you may need to regenerate the SSL certificate and reboot the appliance.

Once you have logged on go to the below section and add the active directory details. E.g.

Primary Server URL = ldap://FQDN-of-your-1st-DC

Secondary Server URL = ldap://FQDN-of-your-2nd-DC

Base DN for users = specify the active directory DN

Domain alias = your domain name

Base DN for groups = as above specify the active directory DN

Authentication type = Password

Username and password = enter the details of an active directory account

Click ok and then I would recommend rebooting the appliance.

Once rebooted you will need to log onto the appliance and manually add any active directory groups you want to give permissions to – see below.

THE END

 

This article explains how to upgrade the firmware on a Cisco SGE or SFE 2000 series switch. The firmware files are uploaded using TFTP so you will need to have this installed on whatever computer you are using to update from (i.e. your PC).

Download Firmware Update and Copy to TFTP

  • The current release for the SFE 2000 series switches (v3.0.2) can be found here
  • The current release for the SGE 2000 series switches (v3.0.2) can be found here
  • Once downloaded you should extract the firmware update file (.ros) and copy to the TFTP directory on your PC. I am using Solarwinds TFTP.

Note I have copied the .ros file into the TFTP directory

Upload to Switch

  • Log onto the switches web interface and navigate to the below screen.

  • Once you have filled out the appropriate info as shown above click on “apply”. This will initiate an upload of the file from your PC.
  • Once complete click “done” and navigate to the “active image” section

  • Change the active image after reboot. For example if the current active image is “Image 1″ change the after reset image to be “Image 2″. If the active image is “Image 2″ change the after reset image to “Image 1″.
  • Click Apply.

Reboot Switch

  • You must then reboot the switch. Go to the below screen and click on reset.

The switch will reboot and the firmware update should be complete.

THE END

This article explains how to install an SSL certificate on a Watchguard SSL100. I have purchased the certificate from godaddy.

If you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

 

Step1 – Download and Install OpenSSL

NB – The SSL100 requires the certificate to be PEM formatted with a separate private key.

I recommend using openssl to generate the certificate signing request (CSR). You can download this from www.openssl.org

I recommend downloading the version shown below.

Once downloaded please install this. If prompted to install any dependencies (e.g. Microsoft Visual C++ 2008 Redistributable Package) then please do so before installing openssl.

Step2 – Use OpenSSL to generate CSR

Open an elevated command prompt and change to the openssl-win32 directory (i.e. enter the commend cd \openssl-win32\bin). Then enter the below.

openssl genrsa -out wgnet.key 2048

openssl req -new -key wgnet.key -out wgnet.csr

Lastly you need to convert the private key into PKCS#8 format. Enter the command

openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8

You have now generated 3 files – wgnet.csr, wgnet.key and wgnet.pk8

Step3 – Use CSR to generate SSL certificate

In this example I am buying the certificate from godaddy (http://www.godaddy.com). I chose godaddy as their certificates are easy to rekey incase of any errors or lost certificates. They are also cheap.

If you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

You require a standard SSL certificate.

Once purchased go to manage your certificates and setup the certificate you have just bought.

Open the wgnet.csr file in notepad.

Copy the contents into the CSR window as shown below.

Follow the wizard through. You will need to run through domain validation before the certificate is issued.

Step 4 – Install Certificate

Once you have completed domain authentication you will get an email from godaddy with a link to download the certificate. Note below I have chosen the certificate type “other”.

Log onto the Watchguard SSL and go to manage system – certificates.

Click on add server certificate

Select the certificate you downloaded from godaddy and the key file you created in step 2. Use the password also created in step 2.

Then to make the certificate live go to “administration service” and select the server certificate you just added – as shown below.

Select “save” and then “publish”.

Then go to “device settings”. Select the new certificate here also. Note this will cause the device to reboot as shown below.

Once the device is back up select publish to make your changes live. You can then test this externally.

Again, if you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

THE END

This article explains how to restore a single file from a Windows server using Veeam Backup and Recovery v6.5

Open Veeam Backup and Recovery and click “restore”, then choose “Guest files (windows)”

Select the server

They select the backup you want to restore from.

Browse through to the file you want to restore. I recommend copying this to another location and then renaming the document – e.g. WordDoc1-RESTORED.docx

THE END

Installation:

Pre-Install

  • Check that “virtualization technology” is enabled in the BIOS

Load ESXi software

  • Where possible download the vendors version of ESXi. For example Dell provide their own customized ISO that contains Dell specific settings for SNMP etc.
  • (Alternatively you can use the Dell Uniform Server Configurator – you will still need the Dell ESXi ISO however.

  • After downloading the ISO from the Dell Website I have booted the server off it and install ESXi.

  • Choose keyboard layout and enter root password

  • After reboot press F2 to enter the configuration screen

  • Configure the IP address, subnet mask, default gateway, DNS servers, hostname and suffix.

Patching

It is far, far easier to patch using virtual center if one is available.

Patching via command line

If the server connects to virtual center then I recommend using the “update” plugin to patch the host. Otherwise you will need to manually install the patches from the command line (either via the VMA or the vSphere CLI). Below are the commands to patch from the command line (warning it is likely that further patches will be released in addition to the below):

Please replace XXXX with the host ip address of your ESX server

Please replace YYYY with the root password

vihostupdate.pl –server XXXX –username root –password YYYY -i -b ESXi410-201010001.zip
vihostupdate.pl –server XXXX –username root –password YYYY -i -b ESXi410-201011001.zip
vihostupdate.pl –server XXXX –username root –password YYYY -i -b ESXi410-201104001.zip
vihostupdate.pl –server XXXX –username root –password YYYY -i -b ESXi410-201107001.zip
vihostupdate.pl –server XXXX –username root –password YYYY -i -b update-from-esxi4.1-4.1_update01.zip
vihostupdate.pl –server XXXX –username root –password YYYY -i -b OM-SrvAdmin-Dell-Web-6.5.0-2247.VIB-ESX41i_A01.zip

Patching Using VC

You will need to have the update manager plugin install on the VC.

Then use the update manager tab to patch the servers.

Install Custom Updates

If using a Dell server download and install the Equallogic Openmanage VIB.

Import the patch into the repository

Create a baseline for the patch

Configure

If you haven’t got the Vmware VI client installed on your PC already you will then want to download the VI client to enable you to manage this server. You can get this by opening a web browser and entering in the IP of the ESXi server (as shown in the diagram above).

Although I have configured the below settings via vi client you can also set these on the console of the ESXi server.

  • Click on the link highlighted above and install the VI client. Note that this downloads the client from the web and not from this server. It may take a few minutes.
  • Once installed open the vi client and connect to the ESXi server IP as shown below. Note the default username is root with no password.

You may now want to customise your install.

Add other NICs to vSwitch:

This will improve performance and add a degree of fault tolerance with the network cards.

Setup NTP:

Note that VMs will likely pickup the time from the ESXi server so it is important the time is correct

I recommend using the NTP servers:-

  • 0.pool.ntp.org
  • 1.pool.ntp.org
  • Tick.usno.navy.mil
  • Tock.usno.navy.mil

License VMware:

You will need to Register with Vmware and they will email you a license. Once you have this you can enter this on the below screen.

Setup iSCSI

If connecting to an iSCSI SAN you will need to setup iSCSI.

Create VMkernal ports

As below. Note the iSCSI heartbeat port must have the lowest vmk number.

Enable jumbo frames (if used on iSCSI network).

Change the MTU for the vSwitch

For each port group change the MTU to 9000

Change each of the iSCSI port groups to use an active and standby adapter. Each (iSCSI) port group should use a different active and unused adapter. i.e. the active adapter on iSCSI 1 is the unused adapter on iSCSI 2 and vice versa.

Add and Enable iSCSI adaptor

An iSCSI software adaptor should appear. Go into the properties of this and bind with VMkernel adapters.

Setup CHAP (If used)

Bind VMkernel ports

Connect to SAN

In the below example I have entered the Group IP of the iSCSI SAN

You should then rescan the adaptor

You should now be able to see LUNs from the SAN

Setup vMotion

In a multiple server environment with shared storage (e.g. SAN) you will want to setup vMotion to enable live migration of VMs.

Add a new (VMkernel) vSwitch and select the VMNIC you have setup for vMotion

Allocate a range on the vMotion subnet, click next and finish.

 

Health Monitoring (If using Virtual Center)

You can configure virtual center to send email alerts for specific events. You will need to setup your email server to allow smtp relay from the virtual center server. This is setup at the VC level so may already be enabled.

Configure Virtual Center Server settings

Configure the alert you want to be emailed about

Setup Scratch Location (if installed on SD or USB card)

VMWare recommend a persistant scratch location for temporary data such as logs, diagnostics, system swap etc. If you have install ESXi on an SD or USB card there may be no space for this. In this instance I have created a LUN specifically for scratch data.

Create a folder on the LUN for the new server

Go to “advanced settings” then “ScratchConfig” and specify the location you have just created (i.e. /vmfs/volumes/DatastoreName/foldername)

You will need to reboot for these changes to take effect.

 

Add other NICs to vSwitch0

It is recommended to add multiple NICs to vSwitch0 (to enable VMs to communicate over multiple NICs).

 

In this example I am installing the VMWare Storage Appliance onto ESXi servers that have existing running VMs. This is known as a brownfield installation.

Basics

  • The VSA Manager must be installed on a 64-bit Windows vCenter machine that runs vCenter Server version 5.0 or later.
  • vCenter does not need to be on the same subnet as the cluster
  • The VSA cluster service must be installed on a machine in the same subnet as the cluster
  • Once installed you cannot add another ESXi host to a running vCenter cluster
  • You can resize the size of the VSA storage after installation
  • You will need at least 2GB free space on the machine where you are installing the VSA cluster service.
  • The VSA Cluster Service is only necessary in two node configurations

Scenario

  • 2x ESXi servers in head office
  • 1x ESXI server in branch office

Pre-requisites

  • You must have a vcenter server, with a data center created and the ESXi hosts added

Heap Size

  • I recommend changing the heap size on each ESXi server in the cluster to 256 (see below).

EVC mode

You have 2 options:-

  • Power off all the virtual machines before installing the VSA, or
  • Change the dev.properties file to raise the EVC baseline

The dev.properties file is located on the system where the vCenter Server is installed, under the C:\Program Files\VMware\Infrastructure\tomcat\webapps\VSAManager\WEB-INF\classes. Change the line evc.config.baseline=lowest to evc.config.baseline=highest

Switch Configuration

The switching setup is very important, therefore I recommend writing out what NICs are used for what. I recommend using VLANs to isolate cluster traffic so you will need to know the physical switch port that each VMnic connects to.

ESXi1

VMnic

Switch

Port

Active Use

Standby Use

Vmnic0

1

1

VM Network

Management Network

VSA Front End

Vmnic1

1

2

VSA Front End

VM Network

Management Network

Vmnic2

1

13

VSA-Back End

VSA-VMotion

Vmnic3

1

5

VSA-VMotion

VSA-Back End

ESXi2

VMnic

Switch

Port

Active Use

Standby Use

Vmnic0

2

1

VM Network

Management Network

VSA Front End

Vmnic1

2

2

VSA Front End

VM Network

Management Network

Vmnic2

2

13

VSA-Back End

VSA-VMotion

Vmnic3

1

17

VSA-VMotion

VSA-Back End

I then created a VLAN on the switches for the VSA-Back End (and VSA-VMotion) NICs. This is to isolate the traffic from the main network.

vSwitch Configuration

  • On each ESXi server create the vSwitches as shown below. Note that the Port-group names are case sensitive.
  • You will need to enable vMotion on the VSA-VMotion port group and assign an IP address.

As per the table in the switch section you need to set one active and one standby adaptor for the port groups.

Vmnic

Active for

Standby for

Vmnic0

VM network

Management Network

VSA-Front End

Vmnic1

VSA-Front End

VM network

Management Network

Vmnic2

VSA-Back End

VSA-VMotion

Vmnic3

VSA-VMotion

VSA-Back End

You can set the active/standby adapters for a port group on the below tab.

Install VSA Cluster Service

In the example below I am installing the VSA cluster service on the VMWare Management assistant. You will need to connect to the vMA and have internet access from the vMA. Alternatively there are Windows and Linux versions that can be downloaded and installed on separate OSes. I am not sure if VMWare support installation of the cluster service on the VMA so I would recommend installing it on a separate Windows or Linux VM.

From the vMA enter the below commands (for more information about this install see the excellent guide here):-

  • sudo zypper –gpg-auto-import-keys ar http://download.opensuse.org/distribution/11.1/repo/oss/ vMA-SLES-11.1
  • sudo zypper refresh
  • sudo zypper se gettext
  • sudo zypper in gettext-tools

From the VMware website download the VSA cluster service for Linux (VMware-VSAClusterService-5.1.1.0-858549-linux.zip). Create a folder(tmp) under the /home/vi-admin folder and copy the zip file into that.

Once the copy has completed enter the below commands

  • cd /home/vi-admin/tmp
  • unzip *.*
  • cd V*
  • cd setup
  • sudo ./install.sh

Apparently the above errors are not important

Installation of VSA Manager

On the VC download “VSA Manager” from the VMWare website (in this instance I used VMware-vsamanager-all-5.1.0-859644.exe)

Once installed open the vi client on the virtual center and you should see a VSA manager tab.

Run through the installer and choose the appropriate data center. Then select the hosts to go into the cluster

Note I have entered the IP of the VMA for the cluster service IP address.

Fill out the necessary IP info

Note that the VSA size below is 1TB. This will actually create 2x 500GB VSA datastores. You may want to check if any of your VMs have drives larger than the size of the VSA datastores. The reason it creates 2x 500GB datastores is that each server must replicates the other server’s datastore.

If you choose to format the disks immediately it may take a while.

Note that I have not used dedicated VLANs for the cluster front-end and back-end portgroups. As mentioned about I have created port based VLANs on the switch to isolate the back-end traffic.

I was initially concerned by the below message but I can confirm that after installation it did not wipe the datastores on which the existing VMs resided.

After a short while the installation will complete.

The VSA manager tab should now be populated with information about the cluster and storage. Note the “change password” option. As mentioned above it is recommended to change your password.

The Cluster is now installed and you now have the option to migrate your running VMs onto the VSA storage (e.g. VSADs-0 and VSADs-1)

THE END

When installing vCenter 5.1 you may get the error message:

“Error 32010. Failed to create database users. There can be several reasons for this failure. For more information, see the vmMSSWLCmd.log file in the system temporary folder”

You can find the location of vmMSSQLCmd.log in

The reason for the error should be in this file. In my instance it was because the passwords chosen for the RSA_DBA and RSA_USER accounts did not meet windows complexity requirements. I changed the passwords to something more complex and the install completed successfully.

THE END