Storage Tiering for Scale-out file server JBOD SAS

Well I had the pleasure of playing around with Windows Server 2012 R2 scale-out file server with a JBOD SAS chassis. Then I wanted to try the storage tiering feature in R2.

So in my case I had a SAS chassis with 4 SSDs and 12 7K HDDs.


First I created a storage pool to use for tiering.


Next we create a virtual disk on the storage pool; this is where we define the storage tiers.

Next we define the storage layout. I chose the Simple layout for both pools.

Next we define how much capacity to use from the SSD tier and how much from the HDD tier.


After that I created two virtual disks on top of the storage spaces and used fsutil file createnew to create a test file on both drives.
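The same tiered Storage Space built above, done with the Storage module instead of the Server Manager wizard. This is an added example, not from the original post; the pool, tier and disk names, the tier sizes, the T: drive letter and the 50 GB test file are assumptions.

```powershell
# Added example (not from the original post). Names, sizes and drive letter are assumptions.
Import-Module Storage

# Only disks that are not yet in a pool are eligible (the 4 SSDs and 12 HDDs in the JBOD)
$disks = Get-PhysicalDisk -CanPool $true

# One pool containing both media types; tiers are carved out of it afterwards
New-StoragePool -FriendlyName "TierPool" -StorageSubSystemFriendlyName "Storage Spaces*" `
    -PhysicalDisks $disks | Out-Null

# Define the two tiers by media type; Windows maps each tier onto the matching disks
$ssdTier = New-StorageTier -StoragePoolFriendlyName "TierPool" -FriendlyName "SSDTier" -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName "TierPool" -FriendlyName "HDDTier" -MediaType HDD

# Simple (non-resilient) layout as in the post, with a fixed size taken from each tier
$vdisk = New-VirtualDisk -StoragePoolFriendlyName "TierPool" -FriendlyName "TieredDisk" `
    -StorageTiers $ssdTier, $hddTier -StorageTierSizes 200GB, 1TB `
    -ResiliencySettingName Simple -WriteCacheSize 1GB

# Initialise, partition and format the new disk as T:
$vdisk | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter T -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Tiered" -Confirm:$false

# Test file as in the post: 50 GB, which fits inside the 200 GB SSD tier
fsutil file createnew T:\test.dat 53687091200

# Pin the file to the SSD tier and run the tier optimisation now, instead of waiting for the
# scheduled "Storage Tiers Optimization" task, so the benchmark hits the SSDs from the start
Set-FileStorageTier -FilePath T:\test.dat -DesiredStorageTier $ssdTier
Optimize-Volume -DriveLetter T -TierOptimize
```

To reproduce the second run in the post (a file larger than the SSD tier), create a file bigger than 200GB and skip the pinning; the heat map then decides which parts live on the HDDs.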

Next I used sqlio.exe to run random 8K IOs against the newly created file on each of the pools.

Below is the storage tiering virtual drive (310k IOPS); the file I used here did not fill the whole SSD tier. For the next run I created a file which in theory would fill the SSD drives, so part of it would have to be moved over to the HDD drives.


More blog posts will come when I have tested some more!

#storage-tiering, #window-server, #windows-server-2012-r2

Securing Hyper-V 2012R2 hosts and VMs

Microsoft has implemented a lot of cool new security features in Hyper-V in the 2012 R2 release, most importantly stateful firewall and network inspection features.

From the 2012 release, Microsoft introduced features like
* ARP Guard https://msandbu.wordpress.com/2013/04/03/arp-guard-in-hyper-v-2012/
* DHCP Guard
* Router Guard
(These three functions are also included in regular network devices from most vendors)


Bandwidth control is also useful, for instance to limit the impact of DDoS attacks.
* BitLocker with Network Unlock (to protect a VM from theft)
* NVGRE (network virtualization; not a security feature in itself, but it can be used to put each customer on its own network segment without using VLANs, which offers security since VLAN hopping is not possible)
* PVLAN (in many cases VLANs still have their purpose; for instance you can define three types of PVLAN ports: Isolated, Promiscuous and Community)
* VM stateless firewalls (not on the individual VM but on the Hyper-V traffic going to the VMs). These had pretty limited functionality, restricted to IP ACLs; you could not define a port or TCP ESTABLISHED state.
* Bitlocker for CSV (Encrypt everything in a cluster)

So what other security mechanisms has Microsoft implemented in the OS stack with the new R2 release?

Not much info here yet, but they are mostly related to Hyper-V networking rules and the new generation of VMs with UEFI boot options (UEFI enables Secure Boot, which makes it harder for rootkits to get installed).

What else can you do to secure your hosts and VMs running on Hyper-V?

Microsoft ships a built-in baseline configuration that you can start from Server Manager. It has a set of rules it scans your hosts against to check that they follow best practice, and it gives you tips on what you should do.


Microsoft also offers other tools that can be used to deploy security settings according to best practice, for instance Security Compliance Manager (which uses Group Policy to deploy the security settings): http://www.microsoft.com/en-us/download/details.aspx?displayLang=en&id=16776


Installing all Hyper-V hosts as Server Core will also limit the attack surface on the hosts, since it does not install unnecessary components like Internet Explorer, the .NET Framework etc., which makes the host less exposed to attacks. (Also, don't use RDP on the hosts; there have been many security holes here that attackers have taken advantage of, so if you need to enable RDP, require NLA as well.)

Monitoring / Antivirus and Patching

Integration with System Center can also prove quite useful for many reasons, as it offers features like
* Anti-malware / Anti-virus (Configuration Manager)
* Patch management (Virtual Machine Manager / Configuration Manager)
* Baselining and remediation (Configuration Manager / Virtual Machine Manager)
* Monitoring (Operations Manager)

But this will require a number of agents to be installed on all VMs, for instance the Configuration Manager agent with Endpoint Protection and the Operations Manager agent (and the VMM agent on the Hyper-V hosts).
(NOTE: You can enable the baseline configuration in Operations Manager as well, instead of using Server Manager, and with the System Center Advisor integration you will get more intel.)


Microsoft recommends that the parent partition be kept as clean as possible, and therefore recommends not installing AV on the Hyper-V hosts (you will also suffer some performance loss), unless it is required by company policy.
Remember that if you do install endpoint protection on Hyper-V hosts, add exclusions for these folders:
%PROGRAMDATA%\Microsoft\Windows\Hyper-V
C:\ClusterStorage
You can read more about it here –> http://social.technet.microsoft.com/wiki/contents/articles/2179.hyper-v-anti-virus-exclusions-for-hyper-v-hosts.aspx

Regarding firewalls: every Windows host has Windows Firewall enabled by default, so should we also use Hyper-V port ACLs?
Hyper-V port ACLs follow the virtual machine, so if you move it to another host the ACL sticks. But the two have different features.
The built-in Windows firewall can allow individual applications to communicate, is not restricted to a port or protocol, and can also use IPsec.
A Hyper-V port ACL, on the other hand, can check whether a connection is stateful, which the built-in firewall cannot, and it can also measure the traffic bandwidth that goes through.
For most cases you should use the built-in firewall (create Group Policies for the most common server roles), and in more extreme cases where you need to lock down and control the traffic flow further, you deploy Hyper-V port ACLs as well.
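The 2012 guards listed above and the R2 stateful port ACLs compared here, applied to one VM's virtual NIC from PowerShell on the host. This is an added example, not from the original post; the VM name, the bandwidth cap, the allowed ports and the management subnet 10.0.100.0/24 are assumptions.

```powershell
# Added example (not from the original post). VM name, ports, subnet and cap are assumptions.
Import-Module Hyper-V
$vm = "Tenant01-Web"

# 2012-era switch-port protections: drop DHCP offers and router advertisements that originate
# inside the guest, and stop the guest from sending frames with a spoofed source MAC
Set-VMNetworkAdapter -VMName $vm -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Bandwidth cap in bits per second (100 Mbit/s): one VM cannot saturate the shared uplink
Set-VMNetworkAdapter -VMName $vm -MaximumBandwidth 100000000

# R2 extended port ACLs, evaluated in the virtual switch independently of what runs in the guest.
# Higher -Weight wins, so the catch-all deny gets the lowest weight. -Stateful $true lets the
# return traffic of an allowed flow pass without a matching outbound rule.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny -Direction Inbound -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound -Weight 10 `
    -Protocol TCP -LocalPort 443 -Stateful $true
# RDP only from the management subnet, which the post says should be on its own NIC anyway
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound -Weight 20 `
    -Protocol TCP -LocalPort 3389 -RemoteIPAddress 10.0.100.0/24 -Stateful $true

# Review what is now enforced on this NIC; the rules migrate with the VM
Get-VMNetworkAdapterExtendedAcl -VMName $vm |
    Format-Table Direction, Action, Weight, Protocol, LocalPort, RemoteIPAddress, Stateful
```

The guest's own Windows Firewall still applies inside the VM; the port ACL is a second layer the tenant cannot switch off.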

You should also move your management traffic to a dedicated NIC, separated from other traffic, so it is not as easy to sniff.

RBAC (Role Based Access Control): an easy rule of thumb is to split user rights wherever you can.
For instance a Hyper-V administrator should not have admin rights on the VMs, and vice versa.
If you are using SCVMM you should create custom User Roles (for instance you can define a user role that a group has access to, which lets them administer only their own hosts (placed in a host group) and use certain Run As roles).


The Sysinternals tools should also be used when evaluating your security, for instance TCPView to see if there are any open ports that shouldn't be open:
http://technet.microsoft.com/en-US/sysinternals

Make sure that your internal network is configured as it should be:
disable CDP on access ports (if you are using Cisco), and
configure all edge ports as access ports with PortFast, so you can't be hijacked by STP attacks.


Other resources:
http://www.microsoft.com/en-us/download/details.aspx?id=16650 This is an old security guide from Microsoft, but a lot of it still applies today.

I might also mention that there are some third-party solutions you can use to secure Hyper-V.

5-Nine –> http://www.5nine.com/
Watchguard –> http://www.watchguard.com

#arp-guard, #hyper-v, #nvgre, #router-guard, #security, #statefull-firewalls, #watchguard, #windows-server-2012-r2

Error adding a RemoteFX video adapter to a VM running Windows Server 2012 R2

When I was trying to add a RemoteFX video adapter to a VM running on Windows Server 2012 R2 I got the error message:
Error applying RemoteFX 3D Video Adapter Changes.


And what is that? Well, clearly it's a GUI bug, as I see several others have the same issue as well. The solution was to run these commands from PowerShell:

Import-Module RemoteDesktopServices

# Attach the RemoteFX 3D adapter to the VM (replace nameofcomputer with the VM name)
Add-VMRemoteFx3dVideoAdapter -VMName nameofcomputer

# Apply the adapter settings (optionally with -MonitorCount or -MaximumResolution)
Set-VMRemoteFx3dVideoAdapter -VMName nameofcomputer

After that the adapter worked as it should.

#rds2012, #windows-server-2012-r2

Azure Pack configuration for Windows Server 2012 R2

So Microsoft has released the new wave of products into preview, including the next version of Katal (Azure Services) from Microsoft, now called Azure Pack. This pack turns your datacenter into an Azure-like cloud, allowing users to sign up for plans and use your infrastructure as an IaaS platform.

You can download the trial for Azure Pack here –> http://www.microsoft.com/en-us/server-cloud/windows-azure-pack.aspx

Now there are some prerequisites for using this pack.
You can read more about them here –> http://technet.microsoft.com/en-us/library/dn296442.aspx

To integrate Azure Pack with your on-premises solution it uses Service Provider Foundation (SPF), which is included on the Orchestrator installation media.


Note that this requires the SCVMM 2012 R2 console to be installed on the same machine as SPF, since SPF uses the VMM APIs to communicate with it.

It also has some other prerequisites:

WCF Data Services 5.0 can be found here –> http://www.microsoft.com/en-us/download/details.aspx?id=29306

.NET 4.5 WCF features are part of .NET 4.5, which can be installed from Server Manager

Management OData IIS is also part of the 2012 R2 installation media

ASP.NET MVC 4 can be downloaded from here –> http://www.asp.net/mvc/mvc4

Next we configure a database for SPF to use.

In this database SPF stores information such as
* Tenants
* Usage Records
* Gallery Items
* Roles
* Servers
* Tenant Stamps

Next we choose where to deploy the SPF files and which certificate to use.
For this demo I used a self-signed certificate.


Next we define credentials for the admin web service.

NOTE: If you choose Network Service here, you need to make sure that the machine account is a VMM administrator.

In my case I chose Service Account and entered a domain user.
After that you are done with SPF.

Next we move on to the Azure Pack installation.
You can download the pack from here –> http://technet.microsoft.com/en-us/library/dn296435.aspx?CR_CC=200142594

All it does is download a profile which uses Web Deploy.

By default it will install all the web roles on the same server.

Click I Accept (I'll come back to what the different roles do).
Note that this installation part may take some time.

After that is done, press Continue and it will start the Service Management Configuration site.

It will open a browser window on localhost on port 30101, and again we have to define a database and server for the Azure Pack.

Here you have the option to use a Windows user or a regular SQL user.
Remember that you have to enable Mixed Mode on the SQL Server in order to use regular SQL users.

Make sure that you write down the passphrase. If you forget or lose this passphrase, there is no way to recover it. It is used to encrypt and decrypt the Configuration Store.

Next we define an FQDN for the host.

After this is done it will start configuring the different roles on the server.

After that is done we continue with the configuration.

NOTE: You may need to log out of your system and log back in before you can access the management portal for administrators. This is due to Windows authentication and the need to add the security group to your security token.

If you continue to see an access denied error, even after logging back in, close all Internet Explorer windows, and run Internet Explorer as an administrator.

Now the setup will open a browser on port 30091, which is the default port for the management portal for administrators.

Now you can see the difference between “Katal” and Azure Pack.

Katal (the old version)

Azure Pack (the new one)

New features include:
* Reporting provider (this is also a feature that is on the Orchestrator installation media)
* Service Bus Clouds (read more about setting up Service Bus here –> http://msdn.microsoft.com/en-us/library/windowsazure/dn282152(v=azure.10).aspx )
* Automation (this requires the Service Management Automation web service)

So in my case I define the Service Provider Foundation endpoint for Azure Pack, and then go to VM Clouds and connect to my VMM management server.

I hit some bugs when connecting to my cloud, but after an iisreset it worked just fine.

This gets the cloud container from VMM; from here I can view the resources in my cloud.

Now as an end user I can sign up using the tenant portal, which is on the same server where you installed Azure Pack, but on port 30081. Remember though that you need to create a plan and publish it in order for users to subscribe to it.

Here I signed up with a regular user account.

Choose Add Plan and select a public plan that was created in the management portal.
Note though that while here we created external users, we can also use AD authentication.

For the tenant portal you can configure this using ADFS here –> http://technet.microsoft.com/en-us/library/dn296436.aspx#WAP_AddADFSAuth

Note when you sign up for a plan you need to go back to the administration portal and approve the subscription.

Now if I want to automate a task associated with VM creation, I can do this in the management portal.

That's all for this time; I'll dive in a bit more when I get the time.
Stay tuned!

#active-directory, #azure, #service-provider-foundation, #system-center-2012, #windows-server-2012, #windows-server-2012-r2