Microsoft Qualification Pathways


This may prove helpful to those of you who are undertaking qualifications with Microsoft or upgrading qualifications.

Pathways

  • Client
  • Server
  • Database
  • Developer


Dynamic Access Control on Server 2012


What is Dynamic Access Control?

Controlling access and ensuring compliance are essential components of IT systems in today’s business environment. Windows Server 2012 includes enhancements that provide improved authorization for file servers to control and audit who is able to access data on them. These enhancements are described under the umbrella name of Dynamic Access Control and enable automatic and manual classification of files, central access policies for controlling access to files, central audit policies for identifying who accessed files, and the application of Rights Management Services (RMS) protection to safeguard sensitive information.

Dynamic Access Control is enabled in Windows Server 2012 through the following new features:

  • A new authorization and audit engine that supports central policies and can process conditional expressions.
  • A redesigned Advanced Security Settings Editor that simplifies configuration of auditing and determination of effective access.
  • Kerberos authentication support for user and device claims.
  • Enhancements to the File Classification Infrastructure (FCI) introduced previously in Windows Server 2008 R2.
  • RMS extensibility to allow partners to provide solutions for applying Windows Server-based RMS to non-Microsoft file types.

There is one good rule of thumb to remember when you’re deploying DAC into existing Windows networks: NTFS permissions won’t give more access than a claims-based rule allows, and a claims-based rule won’t give more permission than NTFS allows. Effective access is the intersection of the two, so a central access policy can only narrow what the existing ACL grants, never widen it.

Instructions

Step 1 – Open Active Directory Administrative Center

  • Click Server Manager.
  • Click Tools, and then click Active Directory Administrative Center.
  • NOTE: Active Directory Administrative Center provides functionality that is separate from, but overlapping with Active Directory Users and Computers.
  • Click the Tree View icon to simplify navigation.

Step 2 – Configure claim types for users

In this step, you will add two existing Active Directory attributes to the list of attributes which can be used when evaluating Dynamic Access Control. The user’s country value and department value will be part of the calculation that determines if they have access to specific files.

  • In Active Directory Administrative Center, expand Dynamic Access Control, and then click Claim Types.
  • Click New, and then click Claim Type.
  • In the Source Attribute list, click Department, and then click OK.
  • NOTE: This uses the existing Active Directory attribute.


  • Click New, and then click Claim Type.
  • In the Source Attribute list, click C, and then in Display name, type Country.
  • NOTE: This uses the existing Active Directory attribute.
  • Click OK.


Step 3 – Configure resource properties for files

In this step, you will configure the properties which will be downloaded by file servers and used to classify files. Future dynamic access control rules will compare user attribute values with resource properties. The list of resource properties is predefined by Microsoft as a starter set of properties that can be used by most organizations. You can enable existing properties or create new ones. You will add a resource property to match the country claim, and then enable the existing department property to match the department claim.

  • In Active Directory Administrative Center, click Resource Properties.
  • Click New, and then click Resource Property.
  • In Display name, type Country.


  • Click Add.
  • In Value and Display Name, type US, and then click OK.
  • Click Add.


  • In Value and Display Name, type JP, and then click OK.


  • Click OK.
  • NOTE: The Country property is now listed and is enabled.

  • In Resource Properties, under ID, locate the Department_MS property.
  • Click Department_MS, and then click Enable.


Step 4 – Add resource properties to the global list

Each resource property must be added to at least one resource property list before it is downloaded by file servers. The global resource property list is downloaded by all file servers; however, individual lists can be created and delivered to specific file servers using Group Policy.

  • In Active Directory Administrative Center, click Resource Property Lists.
  • Click Add resource properties.
  • Select Country and Department, and then click the Add button (>>).
  • Click OK.


Step 5 – Create a new central access rule

In this step, you will create a new central access rule. This is similar to an access control list (ACL) in that it describes which conditions must be met in order for file access to be granted. In this specific rule, you will require that the user account’s department and country attributes match the values of the file’s department and country attributes before access is granted.

  • In Active Directory Administrative Center, click Central Access Rules.
  • Click New, and then click Central Access Rule.
  • In Name, type Department-Country-Match-Required.
  • Under Target Resources, click Edit.
  • Click Add a condition.
  • Add the condition Resource-Country-Exists.
  • Click Add a condition.
  • Add the condition Resource-Department-Exists.
  • Click OK.


  • In Permissions, select Use the following permissions as current permissions.
  • NOTE: This setting enforces dynamic access control. The default setting will only create audit log entries and is used for impact analysis prior to implementation.
  • In Permissions, click Edit.
  • Click Add.
  • Click Select a principal, and then type Authenticated.
  • NOTE: This will automatically select Authenticated Users.


  • Click OK.
  • In Permissions, check the Full Control check box.
  • Click Add a condition.
  • Add the condition User-Country-Equals-Resource-Country.
  • Click Add a condition.
  • Add the condition User-Department-Equals-Resource-Department.


  • IMPORTANT: In creating this rule, the list of attributes for the user is generated by the list of attributes used for claim types. The list of attributes for the resource is generated by the list of enabled resource properties.
  • Click OK three times to return to Active Directory Administrative Center.

Step 6 – Create a central access policy

In this step, you will take the new rule and add it to a central access policy. A central access policy is a group of rules that are enforced as a unit. A file or folder can have only one central access policy applied to it.

  • In Active Directory Administrative Center, click Central Access Policies.
  • Click New, and then click Central Access Policy.
  • In Name, type Contoso File Server Policy, and then click Add.
  • Click Department-Country-Match-Required, and then click the Add button (>>).

  • Click OK.
  • Click OK.

Step 7 – Publish the central access policy with Group Policy

In this step, you will create a new Group Policy Object (GPO) to deliver the central access policy to your file servers. This will make the policy available, but will not enforce it on individual files or folders.

  • Open Server Manager.
  • On the Tools menu, click Group Policy Management.
  • Under Domains, click Contoso.com.
  • Click Action, and then click Create a GPO in this domain and link it here.
  • Type Dynamic Access Control Policy, and then click OK.
  • Expand Contoso.com, click Dynamic Access Control Policy, and then click OK.
  • In Security Filtering, click Authenticated Users, click Remove, and then click OK.
  • Click Add.
  • Click Object Types, check Computers, and then click OK.
  • Type Server1, and then click OK.
  • NOTE: We are limiting this GPO to be applied only on Server1.


  • Right-click Dynamic Access Control Policy, and then click Edit.
  • Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then click Central Access Policy.


  • On the Action menu, click Manage Central Access Policies.
  • Click Contoso File Server Policy, and then click Add.


Step 8 – Enable Kerberos armoring for domain controllers

In this step, you will enable Kerberos armoring for domain controllers, which ensures that Kerberos tickets contain the required claims information which can then be evaluated by file servers.

  • In Group Policy Management Console, navigate to Contoso.com, and then click Default Domain Policy.
  • Click OK.
  • On the Action menu, click Edit.
  • Navigate to Computer Configuration/Policies/Administrative Templates/System/KDC.
  • Click KDC Support for claims, compound authentication, and Kerberos armoring.
  • NOTE: This setting must be applied to all domain controllers in your organization to extend the Kerberos protocol to support Dynamic Access Control. You can do this in any manner which is appropriate for your organization.
  • Kerberos armoring addresses security concerns that dogged Kerberos authentication, such as vulnerability to brute force attacks and spoofing. With Kerberos armoring, a secured tunnel is created between a domain client and a domain controller.

  • On the Action menu, click Edit, and then select Enabled.
  • Click OK.
  • Navigate to Computer Configuration/Policies/Administrative Templates/System/Kerberos.
  • Click Kerberos client support for claims, compound authentication, and Kerberos armoring.
  • NOTE: This setting must be applied to all clients in your organization to extend the Kerberos protocol to support Dynamic Access Control. You can do this in any manner which is appropriate for your organization.
  • On the Action menu, click Edit, and then select Enabled.
  • Click OK.
  • Close Group Policy Management Editor.

Step 9 – Deploying a File Server with Dynamic Access Control

In this exercise, you will install the required components for Dynamic Access Control on a file server, and then configure the resource properties of a folder.

Install the file server roles and role features

In this step, you will install the file server role and the File Server Resource Manager role service.

  • Open Server Manager.
  • In Server Manager, click Add Roles and Features.
  • Click Next at each step of the wizard until you reach the Select server roles page.
  • Expand File and Storage Services (Installed).
  • Check File and iSCSI Services, and then expand File and iSCSI Services.
  • NOTE: File Server Resource Manager is required to manage DAC properties locally.

Step 10 – Add classification data to the file share

In this step, you will classify the files in the file share by adding and configuring the resource properties you defined in Step 3.

  • In Windows Explorer, navigate to C:\Shares on the file server.
  • Right-click CorpData, and then click Properties.
  • Click the Classification tab.
  • NOTE: The two defined resource properties are available.
  • IMPORTANT: If you do not see Country and Department, run the Windows PowerShell command Update-FSRMClassificationPropertyDefinition, as this will force the update to occur. You will need to reopen the properties box after this command.

  • In CorpData Properties, click Country, click JP, and then click Apply.
  • Click Department, and then click Finance.
  • NOTE: The department list is present because the resource property Department is predefined by Microsoft and contains this set of default department names.


  • Click Apply and leave the Properties window open.

Step 11 – Add the central access policy to the CorpData folder

In this step, you will configure the CorpData folder to use the central policy you created in Step 6 as part of the access control evaluation process.

  • Click Windows PowerShell.
  • Type GPUpdate /Force, and then press ENTER. Wait for Group Policy to refresh.
  • NOTE: This is required to ensure the central policy defined by the Dynamic Access Control Policy GPO is applied to this system. Under normal circumstances, the regular group policy refresh would perform this step.
  • Switch to the CorpData Properties window.
  • On the Security tab, click Advanced.
  • Click Central Policy, and then click Change.
  • Select Contoso File Server Policy, and then click Apply.


  • NOTE: You can use this screen to review the policy rules and the conditions when selecting the policy.
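Steps 2 to 6 can also be scripted. The block below is an added example, not part of the original walkthrough, using the ActiveDirectory module cmdlets on a Windows Server 2012 domain controller with the same names as above. The explicit claim type IDs, the Exists resource condition and the conditional-ACE SDDL are assumptions; open the rule in Active Directory Administrative Center afterwards and confirm the conditions it shows match Step 5.

```powershell
# Added example (not from the original walkthrough): Steps 2 to 6 with the
# ActiveDirectory module instead of Active Directory Administrative Center.
# Run as a Domain Admin on a Windows Server 2012 DC or a host with RSAT.
# Assumptions: the claim type IDs, the Exists resource condition and the
# conditional-ACE SDDL string.
Import-Module ActiveDirectory

# Step 2: claim types backed by the existing AD attributes department and c.
# The IDs are set explicitly so the SDDL below can reference them by name.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID 'ad://ext/Department'
New-ADClaimType -DisplayName 'Country'    -SourceAttribute 'c'          -ID 'ad://ext/Country'

# Step 3: a Country resource property with the suggested values US and JP,
# then enable the predefined Department_MS property.
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
$jp = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('JP', 'JP', 'Japan')
$country = New-ADResourceProperty -DisplayName 'Country' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $us, $jp -PassThru
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# Step 4: both properties go on the global list so every file server downloads them.
# $country.ID is the generated ID (the "ID" column in ADAC), not the display name.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members $country.ID, 'Department_MS'

# Step 5: the central access rule. Target resources: files that carry both
# properties. Permissions: Authenticated Users get Full Control only when their
# claims equal the file's classification (conditional ACE, type XA). The
# walkthrough chose "current permissions"; pass -ProposedAcl instead of
# -CurrentAcl to get the audit-only behaviour described in Step 5's NOTE.
$cid = $country.ID
$targetCondition = "(Exists @RESOURCE.$cid) && (Exists @RESOURCE.Department_MS)"
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       "(XA;;FA;;;AU;((@USER.ad://ext/Country == @RESOURCE.$cid) && " +
       '(@USER.ad://ext/Department == @RESOURCE.Department_MS)))'
New-ADCentralAccessRule -Name 'Department-Country-Match-Required' `
    -ResourceCondition $targetCondition -CurrentAcl $acl

# Step 6: group the rule into a policy; the GPO in Step 7 publishes it to Server1.
New-ADCentralAccessPolicy -Name 'Contoso File Server Policy'
Add-ADCentralAccessPolicyMember -Identity 'Contoso File Server Policy' `
    -Members 'Department-Country-Match-Required'

# Step 10 check, run on the file server: pull the definitions down now and
# confirm both properties are available before classifying C:\Shares\CorpData.
Update-FSRMClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition | Where-Object { $_.Name -in $cid, 'Department_MS' }
```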

 

Testing an install of Microsoft Virtual Machine Manager 2012 SP1 on Windows 2012


What is Microsoft Virtual Machine Manager?

Virtual Machine Manager (VMM) is a management solution for the virtualized datacenter, enabling you to configure and manage your virtualization host, networking, and storage resources in order to create and deploy virtual machines and services to private clouds that you have created.

A deployment of VMM consists of the following:

Pre-Requisites

Your servers may slightly differ as to how many roles you put on one server but you will generally need the following. I am going to presume you have a Domain Controller and a Hyper V Server.

  • 1 x Windows 2008 or Windows 2012 Domain Controller
  • 1 x Windows 2012 Server running Microsoft Virtual Machine Manager
  • 1 x Windows 2012 Server running Microsoft SQL Server 2008 or 2012
  • 1 x Windows 2012 Server running Hyper V 2012 Server for testing VMM. Note: You will need to add hypervisor.cpuid.v0 = “FALSE” and mce.enable = “TRUE” and vhv.enable = “True” to the .vmx file if this server is a VM running on VMware
  • For System Center 2012 – Virtual Machine Manager: Windows Automated Installation Kit (AIK) for Windows 7
  • For VMM in System Center 2012 SP1: Windows Assessment and Deployment Kit (ADK) for Windows 8. SCVMM Management Server only requires the Deployment Tools and Windows PE components.
  • For System Center 2012 – Virtual Machine Manager: At least Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • For VMM in System Center 2012 SP1: Microsoft .NET Framework 4, or Microsoft .NET Framework 4.
  • The computer on which you install the VMM management server must be a member of an Active Directory domain.
  • The name of the computer on which you install the VMM management server cannot exceed 15 characters.
  • The SCVMM machine name can’t include “-SCVMM-” (for example, My-SCVMM-Server) but can be called SCVMM.
  • If using Dynamic memory the start-up RAM must be at least 2048 MB.  This demo uses 4096 MB of RAM.
  • It is also recommended that the SQL Command Line Tools and Native Client Tools are installed on the SCVMM server. See links at the end of this article. We have used the SQL 2012 versions here.
  • Membership in the local Administrators group, or equivalent, on the computer that you are configuring is the minimum required to complete this procedure.

Extra Notes on SQL Server

In System Center 2012 Service Pack 1 (SP1) you can take advantage of the AlwaysOn feature in Microsoft SQL Server 2012 to ensure high availability of the VMM database. To configure SQL Server with the AlwaysOn feature, complete both procedures below. For more information about the AlwaysOn feature and AlwaysOn availability groups, see the following:

Before you begin the installation of the VMM management server, ensure that you have a computer with a supported version of Microsoft SQL Server installed and running. Unlike VMM 2008 R2, System Center 2012 – Virtual Machine Manager will not automatically install an Express edition of SQL Server.

Instructions

  • Firstly make sure you have Windows Server 2012 installed on your VMM Server.
  • Click Manage > Install Roles and Features on your VMM Server.
  • Select Installation type as Role based or Feature based installation.
  • Select Destination Server.
  • Go to Roles and select Web Server (IIS).
  • Click Add Features > Next.
  • Select Features.
  • Read the Information.
  • Add Windows Authentication.
  • Check Install Information and tick Restart if required.
  • Click Install.

  • Next install the Windows Assessment and Deployment Kit, which you should have downloaded and copied to your VMM Server ready to install.
  • Note: this seems to take a long time to install!
  • The Windows ADK is a collection of tools that you can use to customise, assess and deploy Windows operating systems to new computers. It is a pre-requisite for VMM 2012 SP1 and is used for bare metal deployment of Hyper-V servers.
  • Specify Location.
  • Join the Customer Improvement Program.
  • Accept the License Agreement.
  • Select the Features to Install. You generally need Deployment Tools and Windows Pre-Installation Environment (Windows PE).
  • Click Install.

  • On the SCVMM server, install the SQL 2012 Native Client, with the SQL 2012 Command Line Utilities to follow.
  • SQL Native Client contains runtime support for applications using native code APIs (ODBC, OLE DB and ADO) to connect to Microsoft SQL Server 2005, 2008, 2008 R2 and 2012. SQL Native Client is used to enhance applications that need to take advantage of new SQL Server 2012 features.
  • Accept the License Agreement.
  • Choose your Features in the Feature Selection Box.
  • Install.
  • Next install the SQL 2012 Command Line Utilities.
  • The SQLCMD utility allows users to connect to, send Transact-SQL batches from, and output row set information from SQL Server 2008, 2008 R2 and 2012. It is used to enhance applications that need to take advantage of new SQL Server 2012 features.
  • Accept the License Agreement.
  • Click Install.

  • Next go to your SQL Server 2012 Server.
  • Attach the SQL ISO.
  • Run the Installer > New SQL Server stand-alone installation.
  • Setup Support Rules will run > Click Next.
  • Choose Specify the free edition.
  • Accept the License Terms.
  • Select Next to Install Product Updates if connected to the internet.
  • You will see the status of the updating.
  • Check Setup Support Rules.
  • Choose SQL Server Feature Installation.
  • Select All on the Feature Installation and choose where you want to install the Shared Feature Directories.
  • Check Installation Rules.
  • Just keep the Default Instance for now – MSSQLSERVER.
  • Check Disk Space Requirements.
  • Check SQL Server Service Accounts and add your own as required.
  • Check Collation.
  • Database Engine Configuration > Choose Mixed Mode and add the Domain Admin.
  • Choose Data Directories.
  • Check Analysis Services Settings.
  • Reporting Services Configuration > Choose Install Only.
  • Distributed Replay Controller > Just add the current user.
  • Distributed Replay Client.
  • Check Error Reporting.
  • Installation Configuration Rules check.
  • Ready to Install.
  • Click Install.
  • Don’t forget to go into SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSSQLSERVER and enable Named Pipes and TCP/IP.
  • Restart SQL Services once this is done.

  • I also found I had to add my Domain Admin account to the Local Administrators group on the SCVMM and SQL Server, or I got a message saying “Setup cannot connect to the specified SQL Server Instance. Ensure the server name is correct etc”.
  • I also found that I had to adjust the hosts file in c:\Windows\System32\Drivers\etc on both the SCVMM Server and SQL Server and add in a mapping for the SQL Server.
  • Now you are ready to install Microsoft VMM.
  • Launch the Installer.
  • Click Install.
  • Choose Features.
  • Select VMM Server, VMM Administrator Console.
  • Put in Product Registration Information > Name, Organisation and Product Key if you have one. If not, it will enter Evaluation Mode.
  • Accept the License Agreement.
  • Choose an option for the Customer Service Program.
  • Turn on Microsoft Update.
  • Select Installation Location.
  • Pre-Requisite Checking will then run. You can see I need to put more memory in my VM.

  • Put in your Database configuration. In my case I am using a separate SQL 2012 Server called DACVSQL002
  • Change the Database Name if you want to and the port is usually 1433
  • If you find you experience connection errors, then you will need to adjust firewall ports
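The connection problems noted above (the hosts file entry, TCP/IP and the firewall on port 1433, and the account's rights on the SQL host) can be checked before setup is launched. The function below is an added example, not from the original post; DACVSQL002 is the post's server name, and the sysadmin check is an assumption about the rights setup needs to create its database.

```powershell
# Added example (not part of the original post): checks the three things the
# notes above blame for "Setup cannot connect to the specified SQL Server
# Instance": name resolution (hosts file), TCP/IP and the firewall on 1433,
# and the account's rights on the SQL host. DACVSQL002 is the post's server
# name; the sysadmin check is an assumption about what setup needs.
function Test-VmmSqlPrerequisites {
    param(
        [string]$SqlServer = 'DACVSQL002',
        [int]$Port = 1433,
        [string]$Database = 'master'
    )
    $result = [ordered]@{ NameResolves = $false; PortOpen = $false; LoginWorks = $false; Detail = '' }

    # 1. Name resolution. The post needed a hosts-file entry on both servers,
    #    so confirm the name resolves before blaming the firewall.
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($SqlServer) | Select-Object -First 1).IPAddressToString
        $result.NameResolves = $true
    } catch {
        $result.Detail = "Name resolution failed for $SqlServer"
        return [pscustomobject]$result
    }

    # 2. TCP port. The default instance MSSQLSERVER listens on 1433 once TCP/IP
    #    is enabled in SQL Server Configuration Manager and the service restarted;
    #    a firewall that drops 1433 shows up here as a connect failure.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ip, $Port)
        $result.PortOpen = $true
    } catch {
        $result.Detail = "TCP $Port on $SqlServer ($ip) is unreachable; check the TCP/IP protocol and the firewall"
        return [pscustomobject]$result
    } finally {
        $client.Close()
    }

    # 3. Windows-authenticated login as the account that will run setup, which
    #    is how setup itself connects, plus a check that it can create databases.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer,$Port;Database=$Database;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
        $isSysadmin = [int]$cmd.ExecuteScalar()
        $result.LoginWorks = $true
        $result.Detail = if ($isSysadmin -eq 1) {
            'Login works and has sysadmin; setup can create the VMM database'
        } else {
            'Login works but lacks sysadmin; grant it or pre-create the VMM database'
        }
    } catch {
        $result.Detail = "Login failed: $($_.Exception.Message)"
    } finally {
        $conn.Close()
    }
    [pscustomobject]$result
}

# Run from the SCVMM server as the account that will launch VMM setup.
Test-VmmSqlPrerequisites -SqlServer 'DACVSQL002' | Format-List
```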

  • Put in Service Account Information.
  • Ignore Distributed Key Management for now.
  • DKM is used to store VMM encryption keys in Active Directory Domain Services. By default, VMM uses the Windows Data Protection API (DPAPI) to encrypt some data in the VMM database (for example the Run As account credentials and passwords), and this data is tied to the VMM server and the service account used by VMM. With DKM, however, different machines can securely access the shared data: once an HA VMM node fails over to another node, it will start accessing the VMM database and use the encryption keys stored under a container in AD to decrypt the data in the VMM database.
  • Check Port Configuration Information.
  • Specify a Share for the Virtual Machine Manager Library.
  • Check the Installation Summary.
  • Install.
  • Once finished, setup reports that it completed successfully.
  • If there is a problem with setup completing successfully, consult the log files in the %SYSTEMDRIVE%\ProgramData\VMMLogs folder. ProgramData is a hidden folder.
  • Connect to VMM Console.
  • You will now see the VMM Console.
  • Next explore around VMM 2012.
  • Create a Run As account.
  • Practice adding a Host Group and a Hyper-V Host.
  • Right-click on All Hosts and select Create Host Group.
  • Right-click the new Host Group and select Add Hyper-V Hosts and Clusters.
  • Specify credentials to run for discovery. Use your previously created Run As account.
  • Choose the scope to search for the hosts you want, or add them manually.
  • Choose your Hyper-V Server.
  • Choose Host Group and Virtual Machine Placement.
  • Choose Migration Settings.
  • Check Summary and Confirm Details.
  • You will see the job start in the job window.
  • Check any warnings post addition.

  • See the articles below by Scott Lowe which walk you through VMM 2012

Links

Windows 2012 Domain Controller Command Line Tools


Once you install the Windows 2012 Domain Controller role, you will find you are able to right-click on the server in the console and a menu will appear showing that you are able to connect to several different command line tools. This looks like a very handy feature to have, so let’s have a deeper look at these tools.

You can run these commands in the Active Directory Module for Windows PowerShell or cmd.exe


What does Dcdiag.exe do?

This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health and DNS health.


What does Dsacls.exe do?

Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.


What does Dsdbutil.exe do?

Dsdbutil is a command-line tool that is built into Windows Server 2008. It is available if you have the AD LDS server role installed. To use dsdbutil, you must run the dsdbutil command from an elevated command prompt. It performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.


What does Dsmgmt.exe do?

Dsmgmt is a command-line tool which is available if you have the AD LDS server role installed. To use dsmgmt, you must run the dsmgmt command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. It facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)


What does Gpfixup.exe do?

This tool is used to fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation.


What does ldp.exe do?

This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata. LDP is a GUI-based, Windows Explorer–like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text displayed in the details pane can be selected with the mouse and “copied” to the Clipboard.

  • Connect through PowerShell to ldp.exe
  • Click Connection
  • Put in your DC Name
  • You are then connected and ready to use the tool

http://technet.microsoft.com/en-us/library/cc756988%28v=ws.10%29.aspx


What does Netdom.exe do?

This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust relationships from the command line. You can join a machine to a domain, manage computer accounts for domain member workstations and member servers, establish one-way or two-way trust relationships between domains, including certain kinds of trust relationships, verify and/or reset the secure channel for the following configurations, and manage trust relationships between domains.

http://technet.microsoft.com/en-us/library/cc781853%28v=ws.10%29.aspx

What does Nltest.exe do?

Nltest.exe is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). This tool can do the following:

  • Get a list of domain controllers
  • Force a remote shutdown
  • Query the status of trust
  • Test trust relationships and the state of domain controller replication in a Windows domain
  • Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

http://technet.microsoft.com/en-us/library/cc731935%28v=WS.10%29.aspx

What does Ntdsutil.exe do?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.


What does Repadmin do?

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

http://technet.microsoft.com/en-us/library/cc736571%28v=ws.10%29.aspx

What does W32tm.exe do?

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such.

http://technet.microsoft.com/en-us/library/cc773263%28v=WS.10%29.aspx
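Several of the tools above combine into a quick domain controller health pass. The script below is an added example, not from the original post: it parses the CSV output of repadmin /showrepl for links with failures, runs the dcdiag replication and DNS tests, reads the time source with w32tm, and lists trusts with nltest. It assumes it is run as a Domain Admin on a DC or an RSAT workstation.

```powershell
# Added example (not from the original post): a health pass built from the
# tools described above. Run as a Domain Admin on a DC or an RSAT workstation.
function Get-ReplicationFailures {
    # repadmin's CSV output has one row per replication link across all DCs (*),
    # with a "Number of Failures" column; anything above 0 is worth a look.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Get-DcHealthSummary {
    param([string]$DomainController = $env:COMPUTERNAME)

    # dcdiag /q prints only failures, so empty output means the test passed.
    $repl = dcdiag "/s:$DomainController" /test:Replications /q | Out-String
    $dns  = dcdiag "/s:$DomainController" /test:DNS /q | Out-String

    # Time: Kerberos tolerates 5 minutes of clock skew by default, and a DC whose
    # source is the local CMOS clock is not synchronising from anything.
    $timeSource = w32tm /query "/computer:$DomainController" /source | Out-String

    # Trusts as seen from this DC: nltest reports each trust's direction and type.
    $trusts = nltest "/server:$DomainController" /domain_trusts | Out-String

    [pscustomobject]@{
        DomainController    = $DomainController
        ReplicationFailures = @(Get-ReplicationFailures).Count
        DcdiagReplications  = if ($repl.Trim()) { $repl.Trim() } else { 'passed' }
        DcdiagDns           = if ($dns.Trim())  { $dns.Trim() }  else { 'passed' }
        TimeSource          = $timeSource.Trim()
        Trusts              = $trusts.Trim()
    }
}

Get-DcHealthSummary | Format-List
Get-ReplicationFailures | Format-Table -AutoSize
```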

Active Directory Lightweight Directory Services on VMware


What is AD LDS?

AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance.

AD DS provides directory services for both the Microsoft® Windows Server server operating system and for directory-enabled applications. For the server operating system, AD DS stores critical information about the network infrastructure, users and groups, network services, and so on. In this role, AD DS must adhere to a single schema throughout an entire forest.

The AD LDS server role, on the other hand, provides directory services specifically for directory-enabled applications. AD LDS does not require or rely on Active Directory domains or forests. However, in environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals.

How does AD LDS apply to applications?

AD LDS can store “private” directory data, which is relevant only to the application, in a local directory service—possibly on the same server as the application—without requiring any additional configuration to the server operating system directory. This data, which is relevant only to the application and which does not have to be widely replicated, is stored solely in the AD LDS directory that is associated with the application. This solution reduces replication traffic on the network between domain controllers that serve the server operating system directory. However, if necessary you can configure this data to be replicated between multiple AD LDS instances.

VMware Considerations

With the introduction of vSphere 4.x, vCenter 4.x started using

  • Active Directory Application Mode (ADAM) on Windows Server 2003
  • Active Directory Lightweight Directory Services (AD LDS) on Windows Server 2008

This Mode/Service accommodates information relating to

  • Linked Mode
  • Licensing
  • Roles
  • Permissions for vCenter
  • Inventory Service

The roles and permissions are stored in the ADAM or AD LDS database, which is called VMwareVCMSDS. In order to restore the roles and permissions, the ADAM or AD LDS database must be backed up. This data is regularly backed up every 5 minutes to the vCenter Server database in the VPX_BINARY_DATA table.

vCenter Visibility

  • Control Panel
  • VMwareVCMSDS Service

It is not recommended to uninstall this service unless you have a backup of the vCenter Server and the vCenter Server database server!

Installing a Windows Server 2012 Domain Controller and DNS

Installing a new DC

  • Install Windows Server 2012
  • Click Manage > Install Roles and Features
  • The Add Roles and Features Wizard will start
  • Click Next
  • Choose Role-based or feature-based installation
  • Select the server
  • Click Next and choose Active Directory Domain Services
  • A box will pop up asking to add the features AD DS requires; click Add Features
  • Select DNS Server as well
  • A box will pop up again; click Add Features
  • Click Next
  • Read the notes about AD DS
  • Read the notes about the DNS Server
  • Select the checkbox to restart the destination server automatically if required
  • You will get a confirmation message after selecting the checkbox for restarting
  • Click Install
  • The final screen will show the progress of the install
  • You can also click Export Configuration Settings, which saves your selections as PowerShell commands that you can use to install the same roles on another DC in the future
  • Once AD DS has been installed, you now need to promote this server to be a Domain Controller
  • In Server Manager, you will see a notification triangle in the top right. Click this and you will get a post-deployment configuration message
  • Click Promote this server to a Domain Controller
  • I am going to add this Domain Controller to my current domain dacmt.local
  • Click Next
  • Type in a Directory Services Restore Mode password
  • Click Next
  • Click Next on the DNS screen
  • Choose your replication option
  • Choose paths for the AD DS files
  • Note: best practice would advise you to separate these files onto different redundant drives, but this is just a demo so they all reside on the C drive
  • Check the preparation options
  • Review the options
  • Prerequisites check
  • Click Install
  • Reboot when the install is finished
  • Once back in Server Manager, select the AD DS role, scroll down and you will see a section called Best Practices Analyzer. Go to Tasks and choose to start the BPA scan. This BPA scan can also be run from Windows PowerShell
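As an added example (not the wizard's own exported script and not from the original post), the same role installation, prerequisite check, promotion and BPA scan driven from an elevated Windows PowerShell session on Windows Server 2012. It assumes the domain dacmt.local from the walkthrough, the wizard's default database, log and SYSVOL paths, and that the DSRM password and the domain admin credential are prompted for interactively; the BPA model ID is the one registered for the AD DS role.

```powershell
# Added example: install AD DS + DNS, promote this server as an additional
# domain controller of an existing domain, then run the AD DS Best Practices
# Analyzer. Run in an elevated Windows PowerShell on Windows Server 2012.
# Assumptions: domain dacmt.local (from the walkthrough); default paths;
# secrets are prompted for rather than stored in the script.

$domain = 'dacmt.local'

# 1. Roles and management tools (what the Add Roles and Features Wizard does)
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. Collect the secrets interactively. The DSRM password must be a SecureString.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$domainAdmin  = Get-Credential -Message "Account allowed to add a DC to $domain"

# 3. Prerequisites check (the wizard's last page) without changing anything.
#    The result object exposes Status and Message (assumed property names).
$check = Test-ADDSDomainControllerInstallation -DomainName $domain `
            -Credential $domainAdmin `
            -SafeModeAdministratorPassword $dsrmPassword `
            -InstallDns
$check.Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the issues above before promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompt; the server reboots
#    automatically when promotion completes unless -NoRebootOnCompletion is used.
Install-ADDSDomainController -DomainName $domain `
    -Credential $domainAdmin `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force

# 5. After the reboot: the same BPA scan Server Manager runs, from PowerShell.
#    Only warnings and errors are listed; informational results are dropped.
Invoke-BpaModel -ModelId 'Microsoft/Windows/DirectoryServices'
Get-BpaResult -ModelId 'Microsoft/Windows/DirectoryServices' |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-Table -Property Severity, Category, Title -AutoSize
```

Keeping the DSRM password and domain credential out of the script file matters because an exported configuration script is typically reused on the next server; the Read-Host and Get-Credential prompts give you the same reuse without a plaintext secret on disk.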

Microsoft Technet Further Information

http://technet.microsoft.com/library/hh472162.aspx

Changing between Windows Server 2012 Installation Types

As in Windows Server 2008 and Windows Server 2008 R2, Windows Setup in Windows Server 2012 allows you to choose one of two installation types:

  • Server Core Installation
  • Server with a GUI (also called a full installation)

One of the more interesting new features in Windows Server 2012 is the ability to convert a full installation to a Server Core installation and vice versa. You can switch between a Server Core installation and a full installation in Windows Server 2012 because the difference between these installation options is contained in two specific Windows features that can be added or removed.

Features

  • Server Core. None of the GUI features are selected; there is no GUI interface
  • Graphical Management Tools and Infrastructure (Server-Gui-Mgmt-Infra). This provides a minimal server interface and server management tools such as Server Manager and the Microsoft Management Console
  • Server Graphical Shell (Server-Gui-Shell). It depends on the first feature and provides the rest of the GUI experience, including Windows Explorer
  • Desktop Experience is a third available GUI feature. It builds on the Server Graphical Shell feature and is not installed by default in the Server with a GUI installation of Windows Server 2012. Desktop Experience makes available Windows 8 client features such as Windows Media Player, desktop themes, and photo management.

The Different Types of Setup

Windows Server 2012 offers three user interface levels: Server with a GUI, Server Core, and something in between called the Minimal Server Interface.

  • Server Core – always installed and enabled; the baseline for all Windows Server installations
  • Server Graphical Management Tools & Infrastructure – provides the Minimal Server Interface. No desktop, Start screen, Windows Explorer or Internet Explorer
  • Server Graphical Shell – equivalent to Server with a GUI

Using PowerShell to swap between different Installations

  • Making Server 2012 a Server Core installation
  • Making Server 2012 a Minimal Server Interface installation
  • Making Server 2012 a full GUI installation
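The three conversions above, as an added example (not the original post's screenshots): each one is a single Uninstall-WindowsFeature or Install-WindowsFeature call on the two GUI features named in the Features list. The -Source path and the image index 4 in the commented fallback are assumptions for a Datacenter install.wim on a D: drive; list the real index with Get-WindowsImage.

```powershell
# Added example: switching a Windows Server 2012 installation between the
# three interface levels using the two GUI features (Server-Gui-Mgmt-Infra and
# Server-Gui-Shell). Run from an elevated Windows PowerShell; each command
# reboots the server because -Restart is given.

# Show the current state of the GUI features before changing anything
Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell, Desktop-Experience |
    Format-Table -Property Name, InstallState -AutoSize

# Server with a GUI -> Server Core: remove both GUI features
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart

# Server with a GUI -> Minimal Server Interface: remove only the shell;
# Server-Gui-Mgmt-Infra stays so Server Manager and MMC still run
Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart

# Server Core or Minimal Server Interface -> Server with a GUI: add both
# (the shell depends on Server-Gui-Mgmt-Infra, so listing both is explicit)
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart

# A server installed as Server Core from setup may not have the GUI binaries
# staged locally. In that case point -Source at the install.wim on the media.
# The image index (assumed 4 here) depends on the edition; list it with:
#   Get-WindowsImage -ImagePath 'D:\sources\install.wim'
# Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart `
#     -Source 'wim:D:\sources\install.wim:4'
```

Checking InstallState first is worth the extra line: on a box that was converted to Server Core with the payload removed, Install-WindowsFeature fails without -Source, and the Get-WindowsFeature output shows that state as "Removed" rather than "Available".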

sconfig in a Server Core Installation

In Windows Server 2012, you can use the Server Configuration tool (Sconfig.cmd) to configure and manage several common aspects of Server Core installations. You must be a member of the Administrators group to use the tool.

Sconfig.cmd is also available in the Minimal Server Interface and in Server with a GUI mode.

Changing the queue depth for QLogic and Emulex HBAs in VMware 4

If the performance of your host bus adapters (HBAs) is unsatisfactory, or your SAN storage processors or heads are over-utilized, you can adjust your ESXi/ESX hosts’ maximum queue depth value. The maximum value refers to the queue depths reported for the various paths to the LUN. Lowering this value throttles the ESXi/ESX host’s throughput and alleviates SAN contention if multiple hosts are over-utilizing the storage and filling its command queue.

When only one virtual machine is active on a LUN, you only need to set the maximum queue depth. When multiple virtual machines are active on a LUN, the Disk.SchedNumReqOutstanding value is also relevant. The effective queue depth in this case is whichever of the two settings is lower: the adapter queue depth or Disk.SchedNumReqOutstanding.

Instructions

  • On vSphere 4, go to Hosts and Clusters > Configuration > Software > Advanced Settings
  • Highlight Disk and scroll down to Disk.SchedNumReqOutstanding
  • Change the value to 64
  • Open PuTTY or the local console
  • Verify which HBA module is currently loaded by entering one of these commands on the service console:
  • vmkload_mod -l | grep qla
  • vmkload_mod -l | grep lpfc
  • As you can see, the first command did not return anything but the second command returned information about the Emulex driver
  • To modify the QLogic driver, set its queue depth option with esxcfg-module -s (see the VMware KB linked below for the option name)
  • To modify the Emulex driver, set its queue depth option with esxcfg-module -s in the same way
  • For multiple instances of Emulex HBAs being presented to a system, set the option for each HBA instance in a single esxcfg-module -s call
  • Reboot your host
  • Run this command to confirm that your changes are applied:
  • esxcfg-module -g driver, where driver is your QLogic or Emulex adapter driver module, such as lpfc820 or qla2xxx

VMware Links

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1267

Configure VMware vMA as an ESXi 4 Syslog Server


A lot of people don’t know you can set up vMA as a Syslog Server in vSphere ESXi 4. vSphere 5 has the built-in SysLog Installation but what do you do if you’re running vSphere 4?

Prerequisites

  • VMware vMA

Instructions

Step 1 – Deploy a vMA Server

  • Deploy a vMA Server in vCenter. Follow this link for full instructions
  • Specify the Hostname, IP address, Subnet Mask, Default gateway and DNS information
  • Specify a Password for the vi-admin account

Step 2 – Configure Time

ESXi uses UTC for internal time stamping. To avoid timestamp issues, the vMA should also keep time in UTC. Otherwise, when vMA collects the logs from your ESXi hosts, some entries will carry the ESXi host timestamp and others the vMA local-time timestamp.

  • Remove the local time zone link
  • sudo rm /etc/localtime
  • Create a symbolic link to the UTC time zone
  • sudo ln -s /usr/share/zoneinfo/UTC /etc/localtime
  • Edit the NTP configuration file. Find the section "# Use public servers from the pool.ntp.org project" and replace the current entries with your preferred NTP servers
  • sudo nano /etc/ntp.conf
  • Configure the NTP daemon to start on reboot
  • sudo /sbin/chkconfig ntpd on
  • Restart the NTP daemon
  • sudo /sbin/service ntpd restart
  • Confirm the NTP server connections are up
  • sudo ntpq -np
  • Change the keyboard to English if required in the file below. Change KEYTABLES="us" to the keyboard you have, for example KEYTABLES="en"
  • sudo vi /etc/sysconfig/keyboard

Step 3 – Add additional Storage to the vMA

  • Shut down the vMA VM
  • Attach an additional disk to the VM. Choose how big you want it. A very rough estimate of the amount of log information captured would be 500MB per host, per day.
  • Power on the vMA
  • Log in using vi-admin
  • Partition the new disk with the following command
  • sudo fdisk /dev/sdb
  • Use the n command to create a new partition
  • Use the p command to make the new partition a primary partition
  • Press 1 to make it partition #1
  • Use the default for the first cylinder
  • Use the default for the last cylinder
  • Use the p command to verify the partition table
  • Use the w command to write the partition table to the disk
  • Press Enter a couple of times to confirm it has finished and return to the command prompt
  • Now format the partition using the following command
  • sudo mkfs -t ext3 /dev/sdb1

Step 4 – Mount the Disk

  • Edit /etc/fstab using the following command
  • sudo nano /etc/fstab
  • Enter the following line. Use Tab to line up the entries
  • /dev/sdb1  /var/log/syslog  ext3  defaults,auto  1 2
  • Use Ctrl+X then Y to save the file
  • Next, create the mount point: cd /var/log then sudo mkdir syslog
  • Change the owner of the /var/log/syslog directory
  • sudo chown vi-admin:root /var/log/syslog
  • Finally, mount the disk
  • sudo mount /var/log/syslog

Step 5 – Edit the vilogger application file so it knows where to store the log files. The default location is /var/log/vmware, which needs changing

  • Edit the vilogger config file
  • sudo nano /etc/vmware/vMA/vMA.conf
  • Change the location entries (there are three of them) to <location>/var/log/syslog</location>
  • Use Ctrl+X then Y to save the file
  • Start (or restart) the vilogger daemon
  • sudo service vmware-vilogd start
  • vilogger is now set to store the logs on your new disk

Step 6 – Configure vMA to collect your logs

  • Add the first host using fastpass authentication (esxihost below stands for your ESXi host name)
  • vifp addserver esxihost --authpolicy fpauth
  • Add the second host, then the third host and all hosts you need before proceeding to the next step
  • Enter the root password when prompted
  • Verify the servers have been added
  • vifp listservers
  • Enable vilogging for each host
  • vilogger enable --server esxihost --numrotation 20 --maxfilesize 10 --collectionperiod 300
  • To access the help, type vilogger --help

ESXi logging collects 3 logs per host (vpxa.log, hostd.log, and messages.log). Rough math: number of logs x number of hosts x numrotation x maxfilesize (in MB) = total MB for the logs. You’ll need slightly more than that for vilogger’s own logs (depending on where you placed those when you edited vMA.conf).

vilogger Options: the full list of options is shown by vilogger --help

Other Links

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1016621

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1024122

Memory Overcommitment and Java Applications

How can we monitor Java Applications on Virtualised Systems?

We can’t determine all we need to know about a Java workload from system tools such as System Monitor. We need to use specialized Java monitoring tools, such as the tools below, which let us see inside the Java heap, garbage collection, and other relevant Java metrics.

  • JConsole
  • vCenter Operations Suite

What is the Java Heap?

The Java Heap is used to store objects that the program is working on. For example, an object could be a customer record, a file or anything else the program has to manipulate. As objects are created, used and discarded by the program, you will see the Heap memory size change. Discarded objects (referred to as dead objects) are not immediately removed from the heap when the program is done with them. Instead, a special task called Garbage Collection, runs through the heap to detect dead objects. Once it detects a dead object, it deletes the object and frees up the memory.

The Java Heap is divided into pools of memory, referred to as generations. There are three generations, called:

  • Eden Space
  • Survivor Space
  • Tenured Gen

This helps the Garbage collection (GC) process become more efficient by reducing the amount of memory it has to scan each time a GC is run. GC is run on the ‘Eden Space’ more often as this is where new objects are stored. GC runs less often on the Survivor space and even less often on the Tenured Gen space. If an object survives one GC run in the Eden Space, it is moved to the Survivor Space. If an object exists in the Survivor Space for some time, it is moved to the Tenured Gen.

Memory Reclamation Techniques

When running Java workloads in an x86 virtual machine (i.e. a VM in the VMware sense of the word), it is recommended that you do not overcommit memory, because the JVM memory is an active space where objects are constantly being created and garbage collected. Such an active memory space requires its memory to be available all the time. If you overcommit memory, memory reclamation techniques such as compression, ballooning or swapping may occur and impede performance.

  • Memory compression involves compressing pages of memory (zipping) and storing them compressed instead of in native format. It has a performance impact because resources are used to compress and uncompress memory as it is being accessed. The host attempts to compress only inactive memory pages if at all possible. As GC runs through the Java heap, it accesses lots of memory that may have been marked as inactive. This causes any memory that has been compressed to be decompressed, using up further VM resources.
  • Ballooning employs the memory balloon driver (vmmemctl), which is part of the VMware Tools package. This is loaded into the guest operating system on boot. When memory resources on the host become scarce (contended), the host tells the balloon driver to request memory (inflate) up to a target size (balloon target). The target is based on the amount of inactive memory the host believes the guest is holding on to. The memory balloon driver starts to request memory from the guest OS to force the guest to clean up inactive memory. Once the balloon driver has been allocated memory by the guest OS, it releases this back to other VMs by telling the hypervisor that the memory is available. Once again, what appears to be inactive memory to the host may soon be subject to garbage collection and become active again. If the guest has no inactive memory to release, it starts paging memory to disk in response to the request for memory from the balloon driver. This has a very negative impact on Java performance.
  • Swapping. This is a last-resort memory reclamation technique that no application wants to be faced with. A serious decline in performance is likely with swapping.

Best Practices

  • Enterprise Java Applications on VMware Best Practice Guide, which says you should not exceed 80% CPU utilization on the ESX host.
  • Reserving memory at the VM level is in general not a good idea, but it is essential for Java workloads due to the highly active Java heap space. However, creating a memory reservation is a manual intervention step that we should try to avoid. Consider the situation in a large, dynamic, automated self-service environment (i.e. Cloud). Also, if we’re reserving memory for peak workloads within our Java applications, we’re wasting resources, as our applications don’t run at peak workload all the time. It would be good if the Java VM could just talk to the vSphere VM to let it know which memory is active and which is idle, so that vSphere could manage memory better and the administrator could consolidate Java workloads without the fear of memory contention or reserving memory for peak times.
  • Introducing VMware vFabric Elastic Memory for Java (EM4J). With EM4J, the traditional memory balloon driver is replaced with the EM4J balloon driver. The EM4J memory balloon sits directly in the Java heap and works with new memory reclamation capabilities introduced in ESXi 5.0. EM4J works with the hypervisor to communicate system-wide memory pressure directly into the Java heap, forcing Java to clean up proactively and return memory at the most appropriate times—when it is least active. You no longer have to be so conservative with your heap sizing because unused heap memory is no longer wasted on uncollected garbage objects. And you no longer have to give Java 100% of the memory that it needs; EM4J ensures that memory is used more efficiently, without risking sudden and unpredictable performance problems.

vFabric Elastic Memory for Java (EM4J)

vFabric Elastic Memory for Java (EM4J) is a set of technologies that helps optimize memory utilization for ESXi virtual machines running Java workloads.

EM4J provides vSphere administrators with the following tools:

  • The EM4J plug-in for the vSphere Web Client, together with the EM4J Console Guest Collector, provides a detailed, historical view of virtual machine and JVM memory usage, which helps vSphere administrators size the VM and Java heap memory optimally.
  • The EM4J agent establishes a memory balloon in the Java heap, which helps maintain predictable Java application performance when host memory becomes scarce. The balloon works with the ESXi hypervisor to reclaim memory from the Java heap when other VMs need memory.
  • The EM4J plug-in and the EM4J agent can be used together or independently.

For more information about EM4J, see vFabric Elastic Memory for Java Documentation at the link below

http://www.vmware.com/support/pubs/vfabric-em4j.html