Last updated by at .

  • Microsoft Azure
  • Virtual Machine Manager

Tag: Virtual Machine Manager

PowerShell NetAdpater Advanced Property

Hyper-V Network Virtualization NVGRE: No connection between VMs on different Hyper-V Hosts

I have worked on some project with Hyper-V Network Virtualization and NVGRE, and today I have seen an issue with Encapsulated Task Offloading on some HP Broadcom Network adapters.

 

Issue

I have Hyper-V Hosts running with 10GbE Broadcom Network Adapters (HP Ethernet 10Gb 2-port 530FLR-SFP+ Adapter) with driver version 7.8.52.0 (released in 2014). I have created a new VM Network based on Hyper-V Network Virtualization using NVGRE. VM1 is running on Host1 and VM2 is running on Host2. You can ping VM2 from VM1 but there is no other connection possible like SMB, RDP, HTTP or DNS. If you are using a NVGRE Gateway you can no even resolve DNS inside those VMs. If VM1 and VM2 are running on the same Hyper-V host everything between those VMs works fine.

Advanced Driver Settings

If you are using Server Core, which you should by the way, you can use the following command to check for those settings:

PowerShell NetAdpater Advanced Property

 

Resolution

The Broadcom Network adapters have a feature called Encapsulated Task Offloading which is enabled by default. If you disable Encapsulated Task Offloading everything works fine. You can disable it by using the following PowerShell cmdlet.

After that connection inside the VMs started to work immediately, no reboot needed.



Savision Cloud Advisor VMM Tuning Tips

Cloud Advisor for System Center Virtual Machine Manager

As you may know I do a lot of work around Hyper-V, System Center and Windows Azure Pack. One of the most critical parts of the Microsoft Cloud is System Center Virtual Machine Manager. VMM is the component where mostly everything comes together in some way. From the Fabric resource such as Storage, Compute and Networking up to the Virtual Machines and Services running on top of the Fabric layer. Virtual Machine Manager basically allows you to pool resources and offer them to tenants which can than deploy services and virtual machines to the pools.

This means VMM manages not only your Virtual Machines, Virtual Machine Manager also manages your network environment, your storage and a lot more. So wouldn’t it be great to use the data Virtual Machine Manager collects to review your environment and get some tips you can optimize it? This is exactly what Savision did with their Virtual Machine Manager Add-in called Cloud Advisor which includes tuning and optimization recommendations.

Savision’s Cloud Advisor looks for problems like:

  • “Virtual Machine Appears to be Unused”
  • “Prediction: All Available Memory Will Be Consumed By…”
  • “Virtual Guest Services Are Not Installed”
  • “Starting Memory Is Too High”
  • “Low Disk Space On Cluster Shared Volume”
  • “Dynamic Memory is not enabled”
  • and a lot more…

Most of you will think okay, this sounds great but how much will this thing cost. Well that’s the great part, the Savision Cloud Advisor for System Center Virtual Machine Manager is absolutely free. So there is absolutely no reason why you shouldn’t deploy the Savision Cloud Advisor in your Virtual Machine Manager environment.

Simply go the Savision homepage, download the Cloud Advisor and import it to VMM.

Import Cloud Advisor Addin into VMM

After that you will have to connect to the VMM database and to let the Savision Cloud Advisor his job, showing you tips and recommendations for your environment.

Savision Cloud Advisor VMM Tuning Tips

By the way there are other cool VMM Add-in from Cisco for their UCS Bladecenter and 5Nine for the Virtual Firewall Appliance.



Hyper-V Gernal Access dinied error

Hyper-V over SMB: Set SMB Constrained Delegation via PowerShell

When you are having configured a Hyper-V over SMB configuration, which means the virtual machines are running on Hyper-V host and are stored on a SMB file share, and you try to manage the virtual machine remotely from Hyper-V Manager or Failover Cluster Manager, you will run into access denied errors. The same error can also happen if you try live migrate the virtual machine. This error is caused because you are using the credentials from the machine which Hyper-V or Failover Cluster Manager is running on to access the file share via the Hyper-V host. This “double-hop” scenario is not by default not allowed because of security reasons. You can find more about Kerberos Authentication on TechNet.

To avoid this error you have to configure the SMB Constrained Delegation in Active Directory to allow this scenario for specific “double-hops”. In Windows Server 2012 Microsoft made setting up Kerberos constrained delegation much easier by introducing resource-based Kerberos Constrained Delegation. This it wasn’t that easy to deploy and required some step. In Windows Server 2012 R2 Microsoft introduced new Windows PowerShell cmdlets to configure SMB Constrained Delegation directly from PowerShell. These cmdlets are offered by the Active Directory PowerShell module.

On your management box or where ever you want to configure SMB Constrained Delegation you have to install the Active Directory PowerShell module. (You don’t need the module on the Hyper-V host or SMB file servers)

Now you can use the following cmdlets.

  • Get-SmbDelegation –SmbServer FileServer
  • Enable-SmbDelegation –SmbServer FileServer –SmbClient HyperVHost
  • Disable-SmbDelegation –SmbServer FileServer [–SmbClient HyperVHost] [-Force]

For example if you are running a two node Hyper-V cluster and you use a Scale-Out File Server cluster (SOFS01) as virtual machine storage, the configuration could look like this.

Because these cmdlets only work with the new resource-based delegation, the Active Directory forest must be in “Windows Server 2012” functional level. A functional level of Windows Server 2012 R2 is not required.

And as I mentioned before you can also use System Center Virtual Machine Manager (VMM) to manage your storage, which uses a different approach and does not need the configuration of Kerberos Constrained Delegation.

 



System Center Logo

Update Rollup 1 for System Center 2012 R2 available

Microsoft released Update Rollup 1 for System Center 2012 R2 with updates and fixes for Virtual Machine Manager, Data Protection Manager and Operations Manager.

Components that are fixed in this update rollup

  • Data Protection Manager (KB 2904687)
  • Operations Manager (KB 2904678)
  • Virtual Machine Manager (KB 2904712)

In Virtual Machine Manager Microsoft lists the following fixes:

System Center 2012 R2 Virtual Machine Manager cannot deploy a new or imported VMWare template.

  • A virtual machine with that uses VHDX cannot be refreshed correctly in System Center 2012 R2 Virtual Machine Manager, and you receive the following error message:
    Refresh job failed with error 2912: The requested operation cannot be performed on the virtual disk as it is currently used in shared mode (0xC05CFF0A)
  • Database operations sometimes fail with “FailedToAcquireLockException.”
  • A new virtual machine template from a template that specifies an operating system profile doesn’t use credentials from the operating system profile.
  • Virtual machines in VMWare that connect by the using Cisco N1000V dvSwitch are unavailable for management from Virtual Machine Manager.
  • System Center Virtual Machine Manager service crashes if you disable one of the teamed network adapters.
  • The Get-Scstoragearray -host command should return storage arrays that are visible to a host that is using zoning.
  • During the discovery of a network-attached storage (NAS) provider, the credentials that are used do not include a domain name.
  • Some localized strings are not displayed correctly in the UI.
  • A query to find the certificate should match both the subject name and the friendly name because FindBySubjectName is a wildcard search.
  • Template deployment fails, and you receive the following error message:
    Error (2904) VMM could not find the specified path on the <Server name> server. The system cannot find the path specified (0×80070003)
  • Virtual Hard Disk (VHD) cannot be mounted on a host because VHD conflicts with other disks because of a stale entry that was left in the dictionary of Virtual Machine Manager memory.
  • Differencing disk based deployment may fail because the parent disk is being refreshed as noncached.

 

Checkout the Blog from MVP Daniel Neumann for a German version.

 

 



Building Clouds

Windows Azure for your Datacenter

Some years back, when Microsoft launched Windows Azure and I was working for a Hosting company, I remember that we were thinking and talking about this and were hoping that Microsoft would make Windows Azure available for hosters. At the beginning of last year Microsoft made this step by releasing Windows Azure Services for Windows Server and together with Windows Server, Hyper-V and System Center you could build your own Windows Azure. With the R2 wave of System Center and Windows Server, Microsoft also renamed Windows Azure Services for Windows Server to Windows Azure Pack (wow what a great idea ;-)) and added some great new functionality to the product it self.

Windows Azure Pack Archtiecture Overview

Windows Azure Pack is a collection of Windows Azure technologies, available to Microsoft customers at no additional cost for installation into your data center. It runs on top of Windows Server 2012 R2 and System Center 2012 R2 and, through the use of the Windows Azure technologies, enables you to offer a rich, self-service, multi-tenant cloud, consistent with the public Windows Azure experience.

The Windows Azure Pack is basically a framework which offers you to build several offerings for customers.

  • VM Cloud – This is an infrastructure-as-a-service (IaaS) offering which allows customer to deploy and manage Windows and Linux Virtual Machines including VM Template, scaling and Virtual Networking options.
  • Web Sites – a service that helps provide a high-density, scalable shared web hosting platform for ASP.NET, PHP, and Node.js web applications. The Web Sites service includes a customizable web application gallery of open source web applications and integration with source control systems for custom-developed web sites and applications.
  • Service Bus – a service that provides reliable messaging services between distributed applications. The Service Bus service includes queued and topic-based publish/subscribe capabilities.
  • SQL and MySQL – services that provide database instances. These databases can be used in conjunction with the Web Sites service.
  • Automation and Extensibility – the capability to automate and integrate additional custom services into the services framework, including a runbook editor and execution environment.

Source: TechNet

On top of this Windows Azure Pack offers two management portals, one for tenants and one for administrators which are build on top of the Service Management API. The Service Management API is a RESTful API which allows you build some custom scenarios such as custom portals or billing integrations on top of the Azure Pack framework.

Windows Azure Pack IaaS

In the last months I had time to work within several different project with the integration of Windows Azure Pack, mainly with the VM Cloud and automation integration and also some work with the Service Management API and some customization together with Stefan Johner and Fulvio Ferrarini from itnetx. I will write some blog post about Windows Azure Pack, the stuff we have done and we are doing right now.

If you are looking for some good blogs around Windows Azure Pack you should definitely checkout the blogs from Marc van Eijk, Hans Vredevoort and Kristian Nese or the Windows Azure Pack Wiki on TechNet. And btw. Windows Azure Pack is not just made for hoster and service providers, it is also a great solution for enterprises, check out why by reading Michael Rueeflis blog.

 



5Nine Hyper-V Security Console

5nine Cloud Security for Hyper-V 4.0

Security is a critical part in your datacenter and with a high virtualization rate it gets even more critical and complex to manage. Gartner estimates that in 2014 roughly 75% of all servers will be virtual with the number continuing to rise, year after year. If you are working in a highly virtualized environment you know how difficult it can be to protect your virtual machines and networks. It is even harder if you are a cloud service provider and you want to protect your customer, sometimes you don’t even have access into the virtual machines and you cannot really make sure the customer does everything right.

For some customers I was looking for a solution with centralized management and a solution which has no impact on the performance of the virtual machines. Through some contacts I had the chance to talk with 5Nine Software which offer some great solutions for Hyper-V management and Hyper-V Security. And in December 5Nine Software released its latest beta version of Cloud Security for Microsoft’s Virtualization solutions called 5Nine Cloud Security for Hyper-V. The new version includes some new features like real-time active anti-virus protection, VM Security groups, a new LWF R2 VM Switch extension, role based access and most importantly support for NVGRE or in otherswords Hyper-V Network Virtualization support which will make especially service providers very happy.

5Nine Hyper-V Security Agentless

Some key details about the 5nine Cloud Security for Hyper-V:

  • Multi-tenant security
  • Agentless, host-based solution for AV scans
  • Supporting Windows Server 2012 R2 Hyper-V
  • Granular control over each virtual machine using Hyper-V Extensible Switch, no agent required
    • Configure the Advanced / Full Kernel mode Virtual Firewall for each VM individually
      • MAC Address filtering
      • ARP Rules
      • SPI (stateful packet inspection)
      • Network traffic anomaly analysis
      • Inbound and outbound per VM bandwidth throttling
      • MAC broadcast filtering
      • All filtering events logging with more data (UM logs only contain blocked events)
    • Configure network filtering rules on a per-VM basis
    • Set inbound/outbound traffic limits and bandwidth utilization by virtual machine
  • Meet the security demands of enterprise, management service providers (MSPs), public sector, and hosting providers who leverage Microsoft’s Hyper-V Server and Cloud Platform
  • Provide the first and only seamless agentless compliance and agentless security solution for the Hyper-V Cloud
  • Deliver multi-layered protection together with integrated, agentless antivirus and intrusion detection capabilities
  • Offer unmatched levels of industry-demanded protection and compliance (including PCI-DSS, HIPAA, and Sarbanes-Oxley)
  • Secure the Cloud environment with anti-virus technology that runs with virtually zero performance impact while simultaneously improving virtual machine density
  • Provide network traffic control between virtual machines
  • Enforce secure multi-tenancy and Virtual Machines Security Groups
  • Provide NVGRE support (Hyper-V Network Virtualization)
  • Detect and block malicious attacks
  • Supports any guest OS supported by Windows Hyper-V including Linux

Architecture

In my lab I had the chance to have a look at the latest beta and wow I was pretty impressed. Well the installation and the management is so easy, you don’t really need any documentation. That’s how a security product should work, it should not make your environment even more complex it should help you to keep your environment secure without adding extra complexity to it.

Let’s see first about the architecture of the environment which is pretty easy. Basically you have 3 components:

  • The Management Service – This would be your 5Nine management server which needs a SQL database (minimum MS SQL Express) and all Hyper-V Hosts are connected to this management server.
  • The Host Management Service – which is basically the software and agent running on the Hyper-V host itself.
  • The Management Console – The console where you can configure everything. The console is simply connected to the management server.

Some impressions

If we have a look at one of my Hyper-V Hosts after the installation you can see some new things on the server. Basically 5Nine Cloud Security adds some services to the Hyper-V hosts (not to the virtual machines) for management and malware protection.

5Nine Hyper-V Security Services

And if we have a look at the Hyper-V Virtual Switch, we can see a new extension added to it.

5Nine Hyper-V Virtual Switch Extension

 

The management console is where the magic happens and you configure your environment. the console in my opinion is pretty simple and you can easy find all the options you need.

5Nine Hyper-V Security Console

Besides the Virtual Firewall you can also configure Antivirus Protection, Firewall logging and a lot more.

5Nine Hyper-V Security Antivirus Settings

But wouldn’t it be great to just manage this from your favorite Datacenter Management tool, called System Center Virtual Machine Manager? Well in version 3 5Nine had created a plugin for Virtual Machine Manager which allows you so set all the settings directly from the VMM console.

5Nine Hyper-V Security System Center VMM Plugin

As I already mentioned I am pretty impressed and I think this is exactly what a lot of customers and service providers are looking for. It provides a simple, centralized and easy to manage Hyper-V Security solution and integrates perfectly in your datacenter.

 

 



System Center Logo

Known Issues for Virtual Machine Manager in System Center 2012 R2

On TechNet, Microsoft provides a list of Know Issues with Virtual Machine Manager in Release Notes for Virtual Machine Manager in System Center 2012 R2. If you have trouble or bugs in System Center 2012 R2 Virtual Machine Manager you should definitely check out that page. Here is a short list from 20.01.2014:

  • File servers under management will go into an unknown state after upgrade
  • VMs with shared VHDXs are displayed as “Incomplete VM Configuration”
  • File Server VM migration fails from an MSU host, resulting in Incomplete state
  • A VM on a VMware ESX host cannot be assigned to a cloud while it is running
  • Windows Server Gateway: all gateway virtual machines on a given host cluster must use same back-end network
  • Cannot manage Spaces storage for Scale-out file servers on Windows Server 2012
  • Operations Manager Health Service Might Restart Creating Inaccurate Chargeback Metrics
  • Cannot enter or change application and SQL Server settings directly in VM templates
  • Cannot manage Spaces storage for Scale-out file servers on Windows Server 2012
  • Disk classifications not displayed correctly after a new LUN has been registered
  • VMM no longer supports VDS Hardware ProvidersVMM cannot manage General Use file servers on Windows Server 2012 R2
  • VMM does not manage Storage Tiering in Windows Server 2012 R2
  • VMM does not manage Write-back cache in Windows Server 2012 R2
  • File Server Tasks Not Supported on Untrusted Nodes
  • Incorrect Server Error Code Returned for Invalid Library Paths
  • Windows Azure Hyper-V Recovery Manager Does Not Accept Replication Frequency Changes
  • VMM does Not Provide Centralized Management of WWN Pools
  • Windows Server Operating System MP Disabled by Default
  • Service deployment fails and the guest agent on virtual machines does not work as expected
  • Management of VMs deployed directly on NPIV-exposed LUNs is not supported
  • Windows PowerShell help might not open as expected on computers running
  • Deploying virtual machines to hosts on perimeter networks might fail
  • Registering a storage file share on a library server might cause an error
  • Failing over and migrating a replicated virtual machine on a cluster node might result in an unstable configuration
  • Modifying Tenant Administrator permissions affects permissions for self-service user roles
  • Member-level permissions for network quotas are not applied for the Tenant Administrator role
  • Canceling and restarting when creating a new virtual machine might fail
  • BlogEngine service deployment fails

Check out the TechNet article for workaround or answers.