Applying a Logical Switch to a Hyper-V Host Fails

When you try to apply a logical switch to a Hyper-V host, SCVMM may fail with an error like the one below:

Error (2915)
The Windows Remote Management (WS-Management) service cannot process the request. The object was not found on the server (win12-hv.jitpros.local).

WinRM: URL: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/virtualization/v2/Scvmm_VirtualEthernetSwitchInternalSettingData?InstanceID=Microsoft:Definition\8b54c928-eb03-4aff-8039-99171dd900ff\Default]

Unknown error (0x80338000)

Recommended Action
Ensure that the VMM agent is installed and running. If the error persists, restart the virtualization server (win12-hv.jitpros.local) and then try the operation again.

This error can also happen due to an older version of the VMM agent on the virtualization server. Ensure that the VMM agent is upgraded to the latest version, and then try the operation again.

To resolve this, check the following two points:

1. Manage the Hyper-V host through a physical adapter that has no virtual switch bound to it. If the adapter SCVMM uses to reach the host already carries a virtual switch, applying the logical switch fails.

2. Disable IPv4 and IPv6 on the team adapters if DHCP hands them a DNS configuration that differs from the management DNS configuration (the host then registers or resolves under the wrong name and WinRM cannot find the object it is asked for).
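The same two checks as a script, as an added example that is not part of the original post: it confirms that the VMM agent and WinRM answer, finds the adapter that carries the management IP, reports whether an external virtual switch is already bound to it, and shows (and with -Apply disables) the IPv4/IPv6 bindings on the team interface. The team name and the SCVMMAgent service name are assumptions for your host.

```powershell
# Added example, not from the original post. Pre-flight check before applying a
# logical switch to a Hyper-V host from SCVMM. $TeamName is an assumption.
param(
    [string]$TeamName = 'MgmtTeam',   # assumption: the NIC team the logical switch will use
    [switch]$Apply                    # without -Apply the script only reports
)

# 1. The VMM agent and WinRM must be up, otherwise error 2915 is the expected outcome.
$agent = Get-Service -Name SCVMMAgent -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') {
    Write-Warning "SCVMMAgent service is not running on $env:COMPUTERNAME"
}
Test-WSMan -ErrorAction Stop | Out-Null   # throws if the local WinRM listener does not answer

# 2. Find the adapter that carries the management IP (the one holding the default route).
$mgmtIfIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
                Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
$mgmtAdapter = Get-NetAdapter -InterfaceIndex $mgmtIfIndex

# 3. An external vSwitch already bound to that adapter means the logical switch cannot be applied.
$boundSwitch = Get-VMSwitch -SwitchType External |
    Where-Object { $_.NetAdapterInterfaceDescription -eq $mgmtAdapter.InterfaceDescription }
if ($boundSwitch) {
    Write-Warning ("Management adapter '{0}' already hosts vSwitch '{1}'; manage the host over a physical adapter without a switch" -f $mgmtAdapter.Name, $boundSwitch.Name)
} else {
    Write-Host ("Management adapter '{0}' has no virtual switch bound" -f $mgmtAdapter.Name)
}

# 4. Show, and optionally disable, IPv4/IPv6 on the team interface(s) so a DHCP-supplied
#    DNS configuration on the team cannot override the management DNS configuration.
$teamNics = Get-NetLbfoTeamNic -Team $TeamName -ErrorAction SilentlyContinue
foreach ($nic in $teamNics) {
    $bindings = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip, ms_tcpip6
    $bindings | Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize
    if ($Apply) {
        $bindings | Where-Object Enabled | Disable-NetAdapterBinding -Confirm:$false
    }
}
```

Run it once without -Apply to see what would change; the binding change is the only modifying step, and it can be reversed with Enable-NetAdapterBinding on the same interface.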

Posted in Hyper-v, VMM2012, Windows 2012

Windows 2012 Hyper-v 3.0 Network Virtualization

This blog post was inspired by a set of posts by BrianEh at http://ITProctology.blogspot.com, in an effort to better understand Windows 2012 network virtualization.

A new feature in Hyper-V 3.0 is network virtualization, which allows hosting providers to host VMs from different customers that use the same IP address scheme, without renumbering them and without IP conflicts. Hyper-V provides two methods to achieve this:

  • IP packet encapsulation with Generic Routing Encapsulation (NVGRE): the VM's packet is wrapped in a GRE packet addressed with the hosts' own IPs and delivered to the Hyper-V host that runs the destination VM.
  • IP rewrite: a kind of static NAT, where each VM IP address is rewritten to a physical (provider) IP address before the packet is put on the physical network.

The example below uses GRE. The following description is taken from Simple Hyper-V Network Virtualization Script with Gateway:

“Hyper-V Network Virtualization (WNV) virtualizes the VM networks by:

1. Associating each VM IP address (Customer Address, CA) with a corresponding physical IP address used on the actual packets on the wire (Provider Address, PA).

2. Each VM packet is transformed (rewritten or encapsulated) from a CA packet to PA packet before the packet is transmitted onto the physical network.

3. On the destination host, the packet is transformed back with matching rules from PA packet to CA packet before it is delivered to the destination VM.

The WNV module operates on the packets based on the virtualization policy rules provisioned from management servers such as SCVMM (System Center Virtual Machine Manager). These policy rules define the mapping of CA:PA for each VM, the corresponding virtualization mechanism (rewrite/encap), and which customer virtual subnet these rules are for. Additionally, the virtualization rules also define routing topology between customer virtual subnets, and between WNV virtual subnets and non-WNV networks (cross premise, virtual-to-physical resources, etc.)“

So let's look at the scenario below, where we host two VMs for two different customers on the same host, both using the same IP address. I used black font for host 1 configuration, red for host 2 configuration and blue for PowerShell output.

The steps to enable and configure network virtualization:

1. Assign VMs to a virtual subnet ID

2. Enable network virtualization

3. Assign provider IPs

4. Create routing domains and define customer routes

5. Build the lookup table (routing table)


1. Assign VMs to a virtual subnet ID

To start, set up CustomerA-VM1 and CustomerB-VM1 on Host1, both connected to the external switch. If you assign the same IP address to these two machines you get an IP conflict error on one of them.

You could solve this by putting each VM in a different VLAN, but 802.1Q VLAN IDs are 12 bits (4,096 values, 4,094 of them usable), and you would also need to configure the physical switch for VLAN tagging. Hyper-V 3.0 removes this limitation with network virtualization.

Let's first solve the conflict on a single host. With the Get-VMNetworkAdapter cmdlet we can see the IPs assigned to the two machines; in the output below note that CustomerB-VM1 has two IP addresses, one of them an APIPA (169.254.x.x) address caused by the conflict:

Get-VMNetworkAdapter cu*

Name            IsManagementOs VMName        SwitchName         MacAddress   Status IPAddresses
----            -------------- ------        ----------         ----------   ------ -----------
Network Adapter False          CustomerB-VM1 LAN Virtual Switch 00155DFA9905 {Ok}   {192.168.50.1, 169.254.97.103, f…
Network Adapter False          CustomerA-VM1 LAN Virtual Switch 00155DFA9904 {Ok}   {192.168.50.1, fe80::2c30:3b37:8…

To solve this, assign each machine to a different virtual subnet with the Set-VMNetworkAdapter cmdlet: Customer A gets virtual subnet ID 445566 and Customer B gets 7788990. Both values are far beyond the 4,094 limit of IEEE 802.1Q VLAN IDs; a VirtualSubnetId is a 24-bit value and the valid range is 4096 through 16777214 (IDs below 4096 are reserved). On Host1 open a PowerShell prompt:

Get-VMNetworkAdapter customerA-vm1 | Set-VMNetworkAdapter -VirtualSubnetId 445566

Get-VMNetworkAdapter customerb-vm1 | Set-VMNetworkAdapter -VirtualSubnetId 7788990

Now disable and re-enable the network adapter inside CustomerB-VM1 and the IP address conflict is gone. You can check this by reissuing the command:

Get-VMNetworkAdapter cu*

Name            IsManagementOs VMName        SwitchName         MacAddress   Status IPAddresses
----            -------------- ------        ----------         ----------   ------ -----------
Network Adapter False          CustomerB-VM1 LAN Virtual Switch 00155DFA9905 {Ok}   {192.168.50.1, fe80::857b:2c47:a…
Network Adapter False          CustomerA-VM1 LAN Virtual Switch 00155DFA9904 {Ok}   {192.168.50.1, fe80::2c30:3b37:8…

Even without enabling network virtualization on the host we have cleared the conflict and bypassed the VLAN limit: the virtual switch only forwards traffic between adapters that carry the same VirtualSubnetId. The same commands need to be applied to the VMs on Host2:

Get-VMNetworkAdapter customerA-vm2 | Set-VMNetworkAdapter -VirtualSubnetId 445566

Get-VMNetworkAdapter customerb-vm2 | Set-VMNetworkAdapter -VirtualSubnetId 7788990

2. Enable network Virtualization

VMs on different hosts, however, will not be able to communicate with each other until the Hyper-V network virtualization part is enabled. Also note that these virtual subnet IDs do not show in the Hyper-V GUI; to see which virtual subnet each machine is assigned to use:

Get-VMNetworkAdapter * | Format-Table VMName, Name, MACAddress, VirtualSubnetID, IPAddresses -AutoSize

VMName            Name            MacAddress   VirtualSubnetId IPAddresses
------            ----            ----------   --------------- -----------
SQL2012-161       Network Adapter 00155DFA9900               0 {192.168.250.161}
SQL2008-160       Network Adapter 00155DFA9903               0 {192.168.250.160}
SCVMM-162         Network Adapter 00155DFA9902               0 {192.168.250.162}
SCSMMGM-164       Network Adapter 00155DFA9908               0 {192.168.250.164}
SCSMDW-165        Network Adapter 00155DFA9907               0 {192.168.250.165}
SCOM-163          Network Adapter 00155DFA9906               0 {192.168.250.163}
CustomerB-VM1     Network Adapter 00155DFA9905         7788990 {192.168.50.1}
CustomerA-VM1     Network Adapter 00155DFA9904          445566 {192.168.50.1}
APPController-167 Network Adapter 00155D0F2724               0 {}

Note: you can reset the assignment by setting the machine's VirtualSubnetId back to 0.

To use Windows network virtualization we need to enable the WNV binding (ms_netwnv) on the physical adapter behind the external switch of every host the traffic passes through.

Use Get-VMSwitch -SwitchType External to list the external switches and the adapters they are bound to:

Get-VMSwitch -SwitchType External

Name               SwitchType NetAdapterInterfaceDescription
----               ---------- ------------------------------
LAN Virtual Switch External   Intel(R) 82579LM Gigabit Network Connection

To enable the WNV binding on that adapter use (this step applies to Windows Server 2012; in 2012 R2 network virtualization is built into the virtual switch and the binding no longer has to be enabled by hand):

Enable-NetAdapterBinding -InterfaceDescription "Intel(R) 82579LM Gigabit Network Connection" -ComponentID "ms_netwnv"

To check that ms_netwnv is bound, use:

Get-NetAdapterBinding -ComponentID ms_netwnv

On Host2 we issue the same command (its external switch sits on a Realtek adapter):

Enable-NetAdapterBinding -InterfaceDescription "Realtek PCIe GBE Family Controller" -ComponentID "ms_netwnv"

3. Assign Provider IPs

Now we need to define the provider address on the local host. First find the interface index of the physical adapter:

Get-NetAdapter -InterfaceDescription "Intel(R) 82579LM Gigabit Network Connection"

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Intel(R) 82579LM Gigabit Network Con…      12 Up           38-60-77-CD-80-1E         1 Gbps

New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress 192.168.250.153 -PrefixLength 24

ProviderAddress : 192.168.250.153
InterfaceIndex  : 12
PrefixLength    : 24
VlanID          : 0
AddressState    : Preferred

The same on Host2, with its own interface index and provider address:

New-NetVirtualizationProviderAddress -InterfaceIndex 13 -ProviderAddress 192.168.250.166 -PrefixLength 24

ProviderAddress : 192.168.250.166
InterfaceIndex  : 13
PrefixLength    : 24
VlanID          : 0
AddressState    : Preferred

4. Create Domain and Define Customer Routes

For the Hyper-V hosts to recognise that traffic from several VMs belongs to the same customer, and to isolate customers from each other, Hyper-V uses routing domains. Think of a routing domain as a per-customer virtual router (a VRF): virtual subnets in the same routing domain can route to each other, and nothing is routed between different routing domains. A routing domain is identified by a GUID, so to create two new routing domains use the following:

$CustAGUID = [system.guid]::newguid()
$CustBGUID = [system.guid]::newguid()

# Format the GUID string with the braces AzMan-style IDs use
$CustAGUID = "{" + [string]$CustAGUID + "}"
$CustBGUID = "{" + [string]$CustBGUID + "}"

Define a customer route for each customer (both customers use 192.168.50.0/24, which is fine because the routes live in different routing domains; NextHop 0.0.0.0 marks the prefix as on-link). On Host1:

New-NetVirtualizationCustomerRoute -RoutingDomainID $CustAGUID -VirtualSubnetID 445566 -DestinationPrefix "192.168.50.0/24" -NextHop 0.0.0.0 -Metric 255
New-NetVirtualizationCustomerRoute -RoutingDomainID $CustBGUID -VirtualSubnetID 7788990 -DestinationPrefix "192.168.50.0/24" -NextHop 0.0.0.0 -Metric 255

The result should show:

RoutingDomainID   : {0501F8D4-3C91-4566-B74B-6C1CAC82C6F7}
VirtualSubnetID   : 7788990
DestinationPrefix : 192.168.50.0/24
NextHop           : 0.0.0.0
Metric            : 255

RoutingDomainID   : {1ABB06F2-CE16-4125-A7E6-510A1B7273DD}
VirtualSubnetID   : 445566
DestinationPrefix : 192.168.50.0/24
NextHop           : 0.0.0.0
Metric            : 255

On Host2, reuse exactly the GUIDs generated on Host1 (the routing domain ID must be identical on every host):

$CustAGUID = "{1ABB06F2-CE16-4125-A7E6-510A1B7273DD}"
$CustBGUID = "{0501F8D4-3C91-4566-B74B-6C1CAC82C6F7}"

New-NetVirtualizationCustomerRoute -RoutingDomainID $CustAGUID -VirtualSubnetID 445566 -DestinationPrefix "192.168.50.0/24" -NextHop 0.0.0.0 -Metric 255
New-NetVirtualizationCustomerRoute -RoutingDomainID $CustBGUID -VirtualSubnetID 7788990 -DestinationPrefix "192.168.50.0/24" -NextHop 0.0.0.0 -Metric 255

The result should show:

RoutingDomainID   : {0501F8D4-3C91-4566-B74B-6C1CAC82C6F7}
VirtualSubnetID   : 7788990
DestinationPrefix : 192.168.50.0/24
NextHop           : 0.0.0.0
Metric            : 255

RoutingDomainID   : {1ABB06F2-CE16-4125-A7E6-510A1B7273DD}
VirtualSubnetID   : 445566
DestinationPrefix : 192.168.50.0/24
NextHop           : 0.0.0.0
Metric            : 255

5. Build the lookup table (routing table)

The lookup table maps each VM's customer address to the provider address of the host it runs on. It must be constructed identically on both hosts, with one record per VM:

$CustAGUID = "{1ABB06F2-CE16-4125-A7E6-510A1B7273DD}"
$CustBGUID = "{0501F8D4-3C91-4566-B74B-6C1CAC82C6F7}"

New-NetVirtualizationLookupRecord -VMName CustomerA-VM1 -VirtualSubnetID 445566 -CustomerAddress 192.168.50.1 -MACAddress 00155DFA9904 -ProviderAddress 192.168.250.153 -Rule TranslationMethodEncap -CustomerID $CustAGUID

New-NetVirtualizationLookupRecord -VMName CustomerA-VM2  -VirtualSubnetID 445566 -CustomerAddress 192.168.50.2 -MACAddress 00155DFAA600 -ProviderAddress 192.168.250.166 -Rule TranslationMethodEncap -CustomerID $CustAGUID

New-NetVirtualizationLookupRecord -VMName CustomerB-VM1 -VirtualSubnetID 7788990 -CustomerAddress 192.168.50.1 -MACAddress 00155DFA9905 -ProviderAddress 192.168.250.153 -Rule TranslationMethodEncap -CustomerID $CustBGUID
New-NetVirtualizationLookupRecord -VMName CustomerB-VM2 -VirtualSubnetID 7788990 -CustomerAddress 192.168.50.2 -MACAddress 00155DFAA601 -ProviderAddress 192.168.250.166 -Rule TranslationMethodEncap -CustomerID $CustBGUID
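Steps 4 and 5 applied to both hosts from a single table, as an added example that is not part of the original post. The policy is kept as data, checked for the one mistake HNV does not forgive (the same customer address twice inside one virtual subnet) before anything is pushed, applied idempotently to both hosts over WinRM, and the resulting lookup tables are compared so a VM cannot end up reachable from one host only. The host names Host1 and Host2 and WinRM access to them are assumptions; the GUIDs, subnet IDs, addresses and MACs are the ones used in the post.

```powershell
# Added example, not from the original post. Host names and WinRM reachability are assumptions.
$Hosts = 'Host1', 'Host2'

$RoutingDomains = @{
    CustomerA = '{1ABB06F2-CE16-4125-A7E6-510A1B7273DD}'
    CustomerB = '{0501F8D4-3C91-4566-B74B-6C1CAC82C6F7}'
}
$Policy = @(
    [pscustomobject]@{ VM='CustomerA-VM1'; Customer='CustomerA'; VSID=445566;  CA='192.168.50.1'; MAC='00155DFA9904'; PA='192.168.250.153' }
    [pscustomobject]@{ VM='CustomerA-VM2'; Customer='CustomerA'; VSID=445566;  CA='192.168.50.2'; MAC='00155DFAA600'; PA='192.168.250.166' }
    [pscustomobject]@{ VM='CustomerB-VM1'; Customer='CustomerB'; VSID=7788990; CA='192.168.50.1'; MAC='00155DFA9905'; PA='192.168.250.153' }
    [pscustomobject]@{ VM='CustomerB-VM2'; Customer='CustomerB'; VSID=7788990; CA='192.168.50.2'; MAC='00155DFAA601'; PA='192.168.250.166' }
)

# Sanity checks before touching any host: a customer address may repeat across virtual
# subnets (that is the point of HNV) but never inside one, and a VirtualSubnetId must be
# inside the valid 4096..16777214 range.
$Policy | Group-Object { "$($_.VSID)/$($_.CA)" } | Where-Object Count -gt 1 |
    ForEach-Object { throw "Duplicate customer address inside one virtual subnet: $($_.Name)" }
$Policy | Where-Object { $_.VSID -lt 4096 -or $_.VSID -gt 16777214 } |
    ForEach-Object { throw "VirtualSubnetId out of range for $($_.VM): $($_.VSID)" }

$records = Invoke-Command -ComputerName $Hosts -ArgumentList $RoutingDomains, $Policy -ScriptBlock {
    param($RoutingDomains, $Policy)

    # Step 4: one customer route per routing domain (skipped if it already exists)
    foreach ($rd in $RoutingDomains.GetEnumerator()) {
        $vsid = ($Policy | Where-Object Customer -eq $rd.Key | Select-Object -First 1).VSID
        $existing = Get-NetVirtualizationCustomerRoute -RoutingDomainID $rd.Value -VirtualSubnetID $vsid -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-NetVirtualizationCustomerRoute -RoutingDomainID $rd.Value -VirtualSubnetID $vsid `
                -DestinationPrefix '192.168.50.0/24' -NextHop 0.0.0.0 -Metric 255 | Out-Null
        }
    }

    # Step 5: one lookup record per VM; a stale record for the same CA/VSID is replaced
    foreach ($p in $Policy) {
        Get-NetVirtualizationLookupRecord -CustomerAddress $p.CA -VirtualSubnetID $p.VSID -ErrorAction SilentlyContinue |
            Remove-NetVirtualizationLookupRecord
        New-NetVirtualizationLookupRecord -VMName $p.VM -VirtualSubnetID $p.VSID -CustomerAddress $p.CA `
            -MACAddress $p.MAC -ProviderAddress $p.PA -Rule TranslationMethodEncap `
            -CustomerID $RoutingDomains[$p.Customer] | Out-Null
    }

    # Report what this host now holds, one comparable string per record
    Get-NetVirtualizationLookupRecord | ForEach-Object {
        '{0} {1} {2} {3}' -f $_.VirtualSubnetID, $_.CustomerAddress, $_.ProviderAddress, $_.MACAddress
    } | Sort-Object
}

# Both hosts must end up with the same table, otherwise encapsulated traffic for a VM
# is only resolvable from one side.
$byHost = $records | Group-Object PSComputerName
foreach ($g in $byHost) { '{0}: {1} lookup records' -f $g.Name, $g.Count }
$diff = Compare-Object -ReferenceObject @($byHost[0].Group) -DifferenceObject @($byHost[1].Group)
if ($diff) { Write-Warning 'Lookup tables differ between hosts:'; $diff }
else       { 'Lookup tables are identical on both hosts' }
```

When a VM is live-migrated the only thing that changes is its provider address, so re-running this script with the updated PA column is all that is needed; this is exactly the bookkeeping SCVMM automates.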

Managing such a configuration by hand for a large number of VMs and hosts would be a nightmare for administrators; SCVMM 2012 SP1 takes care of all of it and updates the lookup records when machines move between hosts.

Windows Server® 2012 Hyper-V Network Virtualization Survival Guide

BrianEh I.T. Proctology blog

Posted in Hyper-v, Networking, Private cloud, Windows 2012

Hyper-v Fail on removable media

On my test machine, an Intel X79 desktop motherboard, Hyper-V suddenly stopped working: I could not start or create any virtual machines and got the error "General access denied error (0x80070005)". While troubleshooting this I noticed that the source of the event log entries was "removable media". I know I had no removable media attached to the host, but I also noticed the USB device icon in the taskbar telling me that all my local hard disks were ejectable. The solution was to install the new Intel(R) Rapid Storage Technology Enterprise driver for Windows 8 64-bit, whose INF reads:

"Windows* INF File for AHCI Intel(R) Rapid Storage Technology Enterprise Driver
; **               Installs: RSTe AHCI RAID Controller Miniport (without RST Filter Driver)
; **               Only for Windows 8 releases"

Below are the entries that appeared in my event log:

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin
Source:        Microsoft-Windows-Hyper-V-VMMS
Date:          3/20/2013 11:31:42 AM
Event ID:      16320
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      win12-hv.jitpros.local
Description:
Cannot load a snapshot configuration: General access denied error (0x80070005). (Snapshot ID D261B782-CCB5-4BE1-9FE9-8006E760AB0E)

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin
Source:        Microsoft-Windows-Hyper-V-VMMS
Date:          3/20/2013 11:31:42 AM
Event ID:      16300
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      win12-hv.jitpros.local
Description:
Cannot load a virtual machine configuration: General access denied error (0x80070005). (Virtual machine ID A5EA8F00-569B-441B-BF1B-8DAB27C2D153)

Posted in Hyper-v, Tips

Connecting App Controller to Windows Azure Subscription

After installing App Controller SP1, to connect it to your Azure subscription you need to export the App Controller certificate and upload it to Windows Azure. Two files are exported from the same certificate: a DER-encoded .cer that contains only the public key, which is uploaded to Azure as a management certificate, and a PKCS #12 (.pfx) file that also includes the private key, which App Controller uses together with your Azure subscription ID. A management certificate grants full control over the subscription, so treat the .pfx file and its password like an administrator credential.

You can  connect App controller to your windows Azure Subscription using the following Steps:

1. On your App Controller server open an MMC console.

2. From the File menu, add the Certificates snap-in.

3. Select Computer account, then Local computer, then open the Personal folder and select Certificates.

4. Right-click your App Controller certificate and select Export.

5. Click Next, then select "No, do not export the private key" and click Next.

6. Select DER encoded binary X.509 (.CER) and click Next.

7. Enter a file name, choose where to store the file and finish the wizard.

8. This file will be uploaded to your Azure subscription; it contains only the certificate's public key.

9. Export the same certificate again, this time with the private key: right-click the same certificate, click Export, then click Next.

10. Select "Yes, export the private key" and click Next.

11. Select Personal Information Exchange - PKCS #12 (.PFX) and click Next.

12. Under security options select Password, enter a password and click Next.

13. Browse to a location, enter a name for the file, click Next, then Finish.

14. Log in to your Azure subscription and select Settings.

15. Click the Upload management certificate link, browse to your DER (.cer) certificate, click OK and wait until the upload finishes.

16. Highlight your subscription ID and copy it.

17. Open your App Controller web site and click the "Connect Windows Azure subscription" link.

18. In the Connect Windows Azure subscription window enter a name and description for the connection, paste your Azure subscription ID, click Browse and select the exported .pfx file, type the password you used to protect it and click OK.

19. Once connected you can manage and connect to your VMs and applications on Azure.
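Steps 1 to 13 as a script, as an added example that is not part of the original post: it picks the App Controller certificate from the machine store, warns if it is close to expiry, writes the DER file that goes to Azure and the password-protected PKCS #12 file that stays with App Controller, and tightens the NTFS ACL on the .pfx so only Administrators and SYSTEM can read it. The certificate subject and the output folder are assumptions; Export-Certificate and Export-PfxCertificate are the PKI module cmdlets shipped with Windows Server 2012.

```powershell
# Added example, not from the original post. $Subject and $OutFolder are assumptions.
param(
    [string]$Subject   = 'CN=AppController',   # assumption: subject of the App Controller certificate
    [string]$OutFolder = 'C:\Certs'            # assumption: where the two files are written
)
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Pick the newest certificate for that subject that actually has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); the Azure connection will break then"
}

# Public part: DER-encoded X.509. This is the only file that leaves the machine (step 15).
$cerPath = Join-Path $OutFolder 'AppController.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Private part: PKCS #12 protected by a password (steps 9-13). Whoever holds this file
# and its password can manage the whole subscription through the management certificate.
$pfxPath = Join-Path $OutFolder 'AppController.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Replace inherited NTFS permissions on the .pfx with Administrators and SYSTEM only
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl

# Summary: the thumbprint is what Azure lists after the upload, so it can be matched visually
[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
    UploadToAzure      = $cerPath
    UseInAppController = $pfxPath
}
```

After step 18 succeeds, delete the .pfx copy from disk or move it to an offline location; App Controller keeps its own copy of the key once the connection is created.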

Posted in Azure, Private cloud, VMM2012

Migrate Hyper-V File based Authorization Store to AD Authorization Store Script

Microsoft Hyper-V implements role-based access control to define what users can and cannot do with virtual machines. After installation, Hyper-V is always configured to use a local XML file, %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml. The content of the store is used for access checks that grant or deny a user account an operation, based on the roles the account is a member of. The Hyper-V store can be kept in the Active Directory database (the domain must be at the Windows Server 2003 domain functional level or higher) or in an XML file on the local server running the Hyper-V role.

The Authorization Manager snap-in (AzMan.msc) is the user interface for editing the content of the authorization store, creating new user roles and delegating permissions on Hyper-V.

Two registry values on the Hyper-V host define the policy store; both are under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Virtualization

StoreLocation points to the store file, by default InitialStore.xml under the hidden C:\ProgramData directory.
ServiceApplication is the name of the application inside the policy store.

When a Hyper-V host is added to SCVMM, the default authorization store is switched to a new file, %SystemDrive%\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml, and Hyper-V is pointed at that file. Every 30 minutes VMM runs a refresher that updates this file and ensures that the only privileges on VMs are the ones VMM knows about.

On heavily used hosts, where SCVMM runs multiple VM management tasks at once (creating several VMs, changing the owner of several VMs), multiple job threads may try to update the authorization store file at the same time. This shows up in the Hyper-V event log as the following error:

Event ID 17090, Source Hyper-V-VMMS/Admin, User: SYSTEM

The content of the authorization store could not be updated from the persistent location.

Error: The process cannot access the file because it is being used by another process. (0x80070020)

0x80070020 is a sharing violation: one writer holds the XML file open while another tries to update it, because NTFS does not turn a sequence of separate write operations from several processes into a single logical write to the file.

To avoid this, the authorization store can be migrated to AD and Hyper-V configured to use the AD store instead of the file-based one. There is no built-in Windows utility for this. The PowerShell script below creates an AD authorization store and migrates the Hyper-V store file into it. The store is created under CN=Program Data,DC=Domain,DC=DomainSuffix; the script must be run on each Hyper-V host that will use AD as its authorization store, and each host gets its own store container in AD. Run it elevated, as a domain account that is allowed to create child objects under CN=Program Data.

Notes:

1. The script backs up the current registry key to a file named BackupRegVirtualization.reg in the current folder; you can restore the previous configuration by double-clicking that file.

2. The AD store name is constructed as CN=Az+HostName,CN=Program Data,DC=Domain,DC=DomainSuffix.

3. VDI virtualization hosts are not supported; the script fails if the Remote Desktop Virtualization Host role is installed.

4. The script supports hosts under SCVMM control (the "Virtual Machine Manager" application in the store).

PowerShell script:

------------------------------Start Of Script----------------------

# Copy an application-level role definition (an AzMan task flagged IsRoleDefinition)
function CopyRoleDefinition($taskName)
{
    $sourceTask = $HyperVAzManStoreSource.OpenTask($taskName)
    $targetTask = $HyperVAzManStoretarget.CreateTask($taskName)
    $targetTask.IsRoleDefinition = $true
    $operations = @($sourceTask.Operations)
    for ($opIdx = 0; $opIdx -lt $operations.Length; $opIdx++)
    {
        $targetTask.AddOperation($operations[$opIdx])
    }
    $targetTask.Submit()
}

# Copy an application-level role assignment with its members, tasks and operations
function CopyRoleAssignment($AssignedRole)
{
    $sourceRoleAssignment = $HyperVAzManStoreSource.OpenRoleAssignment($AssignedRole)
    $targetRoleAssignment = $HyperVAzManStoretarget.CreateRoleAssignment($AssignedRole)
    $targetRoleAssignment.Description = $sourceRoleAssignment.Description
    $sourceRoleAssignment.Members    | ForEach-Object { $targetRoleAssignment.AddMember($_) }
    $sourceRoleAssignment.Tasks      | ForEach-Object { $targetRoleAssignment.AddTask($_) }
    $sourceRoleAssignment.Operations | ForEach-Object { $targetRoleAssignment.AddOperation($_) }
    $targetRoleAssignment.Submit()
}

# Create a scope in the target application; its role definitions and assignments
# are copied afterwards by CopyScopeDefinition and CopyScopeAssignment
function CopyScope($ScopeName)
{
    $targetScope = $HyperVAzManStoretarget.CreateScope($ScopeName)
    $targetScope.Submit()
}

# Copy a scope-level role definition. $ScopeEnm and $ScopeEnmDeftarget are the
# source and target scope objects set by the caller before this is invoked.
function CopyScopeDefinition($taskName)
{
    $sourceTask = $ScopeEnm.OpenTask($taskName)
    $targetTask = $ScopeEnmDeftarget.CreateTask($taskName)
    $targetTask.IsRoleDefinition = $true
    $operations = @($sourceTask.Operations)
    for ($opIdx = 0; $opIdx -lt $operations.Length; $opIdx++)
    {
        $targetTask.AddOperation($operations[$opIdx])
    }
    $targetTask.Submit()
}

# Copy a scope-level role assignment
function CopyScopeAssignment($AssignedRole)
{
    $sourceRoleAssignment = $ScopeEnm.OpenRoleAssignment($AssignedRole)
    $targetRoleAssignment = $ScopeEnmDeftarget.CreateRoleAssignment($AssignedRole)
    $targetRoleAssignment.Description = $sourceRoleAssignment.Description
    $sourceRoleAssignment.Members    | ForEach-Object { $targetRoleAssignment.AddMember($_) }
    $sourceRoleAssignment.Tasks      | ForEach-Object { $targetRoleAssignment.AddTask($_) }
    $sourceRoleAssignment.Operations | ForEach-Object { $targetRoleAssignment.AddOperation($_) }
    $targetRoleAssignment.Submit()
}

# Convert a DNS domain name (jitpros.local) to a distinguished name (DC=jitpros,DC=local)
function DomainStringtoDN($DomainName)
{
    $parts = $DomainName.Split(".") | ForEach-Object { "DC=" + $_ }
    return ($parts -join ",")
}

# This script creates an AD AzMan store at a path built from the Hyper-V host name and
# the domain the host is joined to: CN=Az+HostName,CN=Program Data,DC=Domain,DC=DomainSuffix
# To use a different AD location, assign a static value to $AzManStoreLocationtraget

$HyperVHostName = Get-WmiObject -Class Win32_ComputerSystem
$DomainDN = DomainStringtoDN($HyperVHostName.Domain)

# Construct the target AD store location
$AzManStoreLocationtraget = "msldap://CN=Az" + $HyperVHostName.Name + ",CN=Program Data," + $DomainDN

# Get the current store location
$AzManStoreLocationSource = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization").StoreLocation

# Check whether the host already uses an AD AzMan store
if ($AzManStoreLocationSource.StartsWith("msldap:", [System.StringComparison]::OrdinalIgnoreCase))
{
    Write-Host "Your system already uses an AD authorization store"
    exit
}

# Open the XML AzMan store in manage-store-only mode (2 = AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY)
$AzManStore = New-Object -ComObject "AzRoles.AzAuthorizationStore"
$AzManStore.Initialize(2, $AzManStoreLocationSource)

# Handle both the default Hyper-V AzMan store and the SCVMM AzMan store
if (@($AzManStore.Applications | Where-Object { $_.Name -eq "Hyper-V services" }).Count -eq 1)
{
    $HyperVAzManStoreSource = $AzManStore.OpenApplication("Hyper-V services")
}
elseif (@($AzManStore.Applications | Where-Object { $_.Name -eq "Virtual Machine Manager" }).Count -eq 1)
{
    $HyperVAzManStoreSource = $AzManStore.OpenApplication("Virtual Machine Manager")
}
else
{
    Write-Host "Unable to find AzMan application group."
    Write-Host -NoNewline "Press any key to continue..."
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    exit
}

# Back up the registry key before making any change
regedit /e BackupRegVirtualization.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"

# Create the new AzMan store in AD (1 = AZ_AZSTORE_FLAG_CREATE) and raise it to the
# Windows Server 2008 functional level (0x20 = AZ_AZSTORE_NT6_FUNCTION_LEVEL)
$AzManStoreTarget = New-Object -ComObject "AzRoles.AzAuthorizationStore"
$AzManStoreTarget.Initialize(1, $AzManStoreLocationtraget)
$AzManStoreTarget.Submit()
$AzManStoreTarget.UpgradeStoresFunctionalLevel(0x20)
$AzManStoreTarget.Submit()

# Create the AzMan application with the same name and version as the source
$HyperVAzManStoretarget = $AzManStoreTarget.CreateApplication($HyperVAzManStoreSource.Name)
$HyperVAzManStoretarget.Version = $HyperVAzManStoreSource.Version
$HyperVAzManStoretarget.Submit()

### Copy operations (AzMan COM collections are 1-based)
$AzOperationCount = $HyperVAzManStoreSource.Operations.Count
for ($i = 1; $i -le $AzOperationCount; $i++)
{
    $sourceOp = $HyperVAzManStoreSource.Operations.Item($i)
    $targetOp = $HyperVAzManStoretarget.CreateOperation($sourceOp.Name)
    $targetOp.OperationID = $sourceOp.OperationID
    $targetOp.Submit()
}

# Copy application-level role definitions
$RolesDef = $HyperVAzManStoreSource.RoleDefinitions | Select-Object -ExpandProperty Name
$RolesDef | ForEach-Object { CopyRoleDefinition($_) }

# Copy application-level role assignments (they reference the definitions copied above)
$RoleAssignment = $HyperVAzManStoreSource.RoleAssignments | Select-Object -ExpandProperty Name
$RoleAssignment | ForEach-Object { CopyRoleAssignment($_) }

# Create the scopes (on a VMM-managed host there is one per VM)
$AZSourceScops = $HyperVAzManStoreSource.Scopes | Select-Object -ExpandProperty Name
$AZSourceScops | ForEach-Object { CopyScope($_) }

# Copy scope-level role definitions first, then scope-level role assignments
for ($i = 1; $i -le $HyperVAzManStoreSource.Scopes.Count; $i++)
{
    $ScopeEnm = $HyperVAzManStoreSource.Scopes.Item($i)
    $ScopeEnmDeftarget = $HyperVAzManStoretarget.OpenScope($ScopeEnm.Name)
    $ScopeEnm.RoleDefinitions | Select-Object -ExpandProperty Name | ForEach-Object { CopyScopeDefinition($_) }
}

for ($i = 1; $i -le $HyperVAzManStoreSource.Scopes.Count; $i++)
{
    $ScopeEnm = $HyperVAzManStoreSource.Scopes.Item($i)
    $ScopeEnmDeftarget = $HyperVAzManStoretarget.OpenScope($ScopeEnm.Name)
    $ScopeEnm.RoleAssignments | Select-Object -ExpandProperty Name | ForEach-Object { CopyScopeAssignment($_) }
}

# Point Hyper-V at the AD AzMan store
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" -Name StoreLocation -Value $AzManStoreLocationtraget

Write-Host "Completed ...!"

------------------------------End Of Script----------------------

After the script completes, open the new store in AzMan, right-click the store name, select the Security tab and add the host computer account and the SCVMM service account as administrators.

Then restart the Hyper-V Virtual Machine Management service (vmms) so it opens the new store.

The following error Might appear in your event log if your host is also a Domain Controller :

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin

Source: Microsoft-Windows-Hyper-V-Worker

Date: 9/3/2012 11:53:25 AM

Event ID: 17040

Task Category: None

Level: Error

Keywords:

User: NETWORK SERVICE

Computer: JDC01.jitpros.local

Description:

The authorization store could not be initialized from storage location 'msldap://CN=AzJDC01,CN=Program Data,DC=jitpros,DC=local'. Error: Insufficient access rights to perform the operation. (0x80072098).

To solve this, run Azman.msc, open the AD authorization store you created, right-click the application name, select the Security tab and add the host computer account, and NETWORK SERVICE as well if the host is also a domain controller (the VM worker process runs under that account there).
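The two manual AzMan steps above (store security, then application security), the service restart and a check for the 17040/17090 errors in one script, as an added example that is not part of the original post. It uses the same AzRoles COM interface as the migration script; the store URL, the VMM service account name and the assumption that the script runs under a domain logon (so $env:USERDOMAIN is the domain) are placeholders to adjust.

```powershell
# Added example, not from the original post. $StoreUrl and $VmmServiceAccount are assumptions.
param(
    [string]$StoreUrl          = 'msldap://CN=AzWIN12-HV,CN=Program Data,DC=jitpros,DC=local',  # assumption
    [string]$VmmServiceAccount = 'JITPROS\svc-scvmm',                                             # assumption
    [switch]$HostIsDomainController   # on a DC the worker process runs as NETWORK SERVICE
)

function ConvertTo-Sid([string]$Account) {
    # AddPolicyAdministrator takes a string SID, not an account name
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Host computer account (assumes a domain logon), VMM service account, and NETWORK SERVICE on a DC
$principals = @("$env:USERDOMAIN\$($env:COMPUTERNAME)`$", $VmmServiceAccount)
if ($HostIsDomainController) { $principals += 'NT AUTHORITY\NETWORK SERVICE' }

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(2, $StoreUrl)             # 2 = AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY
$app = @($store.Applications)[0]            # 'Hyper-V services' or 'Virtual Machine Manager'

# Grant administrator rights on the store and on the application, skipping SIDs already present
foreach ($account in $principals) {
    $sid = ConvertTo-Sid $account
    foreach ($obj in @($store, $app)) {
        if (@($obj.PolicyAdministrators) -notcontains $sid) { $obj.AddPolicyAdministrator($sid) }
    }
}
$store.Submit()
$app.Submit()

# Show who can now administer the store, resolved back to account names
@($store.PolicyAdministrators) | ForEach-Object {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($_)
    [pscustomobject]@{ Sid = $_; Account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
}

# Restart VMMS so it re-opens the store, then look for the two errors described in the post
Restart-Service -Name vmms
Start-Sleep -Seconds 15
$storeErrors = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-Worker-Admin', 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    Id        = 17040, 17090
    StartTime = (Get-Date).AddMinutes(-2)
}
if ($storeErrors) { $storeErrors | Format-List TimeCreated, Id, Message }
else              { 'No authorization store errors after restart' }
```

Keep the list of policy administrators as short as the post describes: every account on it can rewrite who may manage every VM on the host.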

Posted in Hyper-v, Tips, VMM2012, Windows 2012

Configuring Windows 2012 Private VLAN (PVLAN)

Among the new features of the Windows 2012 Hyper-V 3.0 extensible switch is support for creating PVLANs (information about the extensible switch is available on TechNet, and a good introduction to PVLANs can be found at http://blog.ine.com/tag/private-vlan/). A PVLAN is a VLAN inside a VLAN: it lets administrators prevent hosts from communicating with each other even though they sit in the same VLAN and use the same IP subnet.

Cisco's definition of a PVLAN: “A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2. You can configure PVLANs and normal VLANs on the same switch.

There are three types of PVLAN ports: promiscuous, isolated, and community.

  • A promiscuous port communicates with all other PVLAN ports. The promiscuous port is the port that you typically use to communicate with external routers, LocalDirectors, network management devices, backup servers, administrative workstations, and other devices.

  • An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.

  • Community ports can communicate with each other and with the promiscuous ports. These ports have Layer 2 isolation from all other ports in other communities, or isolated ports within the PVLAN. Broadcasts propagate only between associated community ports and the promiscuous port.”

To demonstrate PVLAN configuration we create four VMs, SRV1, SRV2, SRV3 and SRV4, all connected to the same Hyper-V switch and assigned to primary VLAN 55. We configure the PVLAN with secondary VLANs 10 and 11 to create isolation as follows:

SRV1: promiscuous mode, so every VM can communicate with it

SRV2: isolated mode (secondary VLAN 10), so it can communicate only with SRV1

SRV3: community mode (secondary VLAN 11), so it can communicate with SRV1 and SRV4

SRV4: community mode (secondary VLAN 11), so it can communicate with SRV1 and SRV3


The Get-VMNetworkAdapterVlan cmdlet shows a VM's current VLAN assignment; the VlanList column lists the VLANs the VM belongs to:

Get-VMNetworkAdapterVlan srv1

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV1   SRV1                 Access 0

Note: to clear the VLAN configuration of a VM and restore the default (untagged, VLAN 0) use:

Set-VMNetworkAdapterVlan -VMName srv1 -Access -VlanId 0

Configure SRV1:

1. Check the information about the VM's network adapter

Get-VMNetworkAdapter -VMName srv1

Name IsManagementOs VMName SwitchName       MacAddress   Status IPAddresses
---- -------------- ------ ----------       ----------   ------ -----------
SRV1 False          SRV1   Intel2 TrunK VSW 00155D0F271D {Ok}   {172.16.55.1, fe80::3897:d606:5706:4f46}

2. Check the VM's VLAN configuration

Get-VMNetworkAdapterVlan -VMName srv1

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV1   SRV1                 Access 0

3. Set the SRV1 port to trunk mode with a native VLAN ID and an allowed VLAN list

Set-VMNetworkAdapterVlan -VMName srv1 -Trunk -AllowedVlanIdList "55,10,11" -NativeVlanId 55

4. Set the PVLAN port mode, the primary VLAN ID and the secondary VLAN IDs

Set-VMNetworkAdapterVlan -VMName srv1 -Promiscuous -PrimaryVlanId 55 -SecondaryVlanIdList "10-11"

Note that a VM port has exactly one VLAN mode (Access, Trunk, Isolated, Community or Promiscuous), so this call replaces the trunk settings from step 3 rather than adding to them; that is why the check below reports Promiscuous and not Trunk.

5. Check your configuration

Get-VMNetworkAdapterVlan -VMName srv1

VMName VMNetworkAdapterName Mode        VlanList
------ -------------------- ----        --------
SRV1   SRV1                 Promiscuous 55,10-11

Configure SRV2:

1. Check the SRV2 VM configuration

Get-VMNetworkAdapter -VMName srv2

Name IsManagementOs VMName SwitchName       MacAddress   Status IPAddresses
---- -------------- ------ ----------       ----------   ------ -----------
SRV2 False          SRV2   Intel2 TrunK VSW 00155D0F271C {Ok}   {172.16.55.2, fe80::19dd:7129:ae76:4608}

Get-VMNetworkAdapterVlan -VMName srv2

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV2   SRV2                 Access 0

2. Set the PVLAN mode (isolated) and configure the primary VLAN ID and secondary VLAN ID

Set-VMNetworkAdapterVlan -VMName srv2 -VMNetworkAdapterName srv2 -Isolated -PrimaryVlanId 55 -SecondaryVlanId 10

3. Check the VM configuration

Get-VMNetworkAdapterVlan -VMName srv2

VMName VMNetworkAdapterName Mode     VlanList
------ -------------------- ----     --------
SRV2   SRV2                 Isolated 55,10

Configure SRV3 and SRV4 as community PVLAN ports with the same primary VLAN ID and secondary VLAN ID:

Set-VMNetworkAdapterVlan -VMName srv3 -VMNetworkAdapterName srv3 -Community -PrimaryVlanId 55 -SecondaryVlanId 11

Set-VMNetworkAdapterVlan -VMName srv4 -VMNetworkAdapterName srv4 -Community -PrimaryVlanId 55 -SecondaryVlanId 11

Check the result by pinging between the VMs: SRV2 should reach only SRV1, SRV3 and SRV4 should reach each other and SRV1, and neither SRV3 nor SRV4 should be able to reach SRV2. Bear in mind that Windows Firewall drops ICMP echo requests by default, so enable the inbound ICMPv4 echo rule on each VM (or test with a protocol the firewall allows) before reading a failed ping as PVLAN isolation.
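The four configuration steps above as one script, added here as an example and not code from the original post. It applies the same layout to SRV1 to SRV4, reads it back from the host so that a port left in Access or Trunk mode is caught, and derives the reachability matrix that the PVLAN rules imply, so the ping test has an expected answer to compare against. Assumptions: the VM names and VLAN IDs from the post, an elevated PowerShell session on the Hyper-V host, and the OperationMode, PrivateVlanMode and PrimaryVlanId property names on the objects Get-VMNetworkAdapterVlan returns (run Get-VMNetworkAdapterVlan -VMName srv1 | Format-List * if they differ on your build).

```powershell
# Added example, not from the original post. Applies the PVLAN layout for
# SRV1..SRV4 described above, verifies it against what the Hyper-V switch
# reports, and prints the expected reachability matrix for the ping test.
# Assumptions: VM names and VLAN IDs as in the post; run elevated on the host;
# property names OperationMode / PrivateVlanMode / PrimaryVlanId on the
# objects returned by Get-VMNetworkAdapterVlan.

$PrimaryVlan = 55
$Layout = @(
    [pscustomobject]@{ VM = 'SRV1'; Mode = 'Promiscuous'; Secondary = @(10, 11) }
    [pscustomobject]@{ VM = 'SRV2'; Mode = 'Isolated';    Secondary = @(10) }
    [pscustomobject]@{ VM = 'SRV3'; Mode = 'Community';   Secondary = @(11) }
    [pscustomobject]@{ VM = 'SRV4'; Mode = 'Community';   Secondary = @(11) }
)

function Set-PvlanLayout {
    param([Parameter(Mandatory)] $Layout, [Parameter(Mandatory)] [int] $PrimaryVlanId)
    foreach ($p in $Layout) {
        # Access, Trunk and the three PVLAN modes are mutually exclusive:
        # each call replaces the port's previous VLAN mode outright.
        switch ($p.Mode) {
            'Promiscuous' { Set-VMNetworkAdapterVlan -VMName $p.VM -Promiscuous -PrimaryVlanId $PrimaryVlanId -SecondaryVlanIdList ($p.Secondary -join ',') }
            'Isolated'    { Set-VMNetworkAdapterVlan -VMName $p.VM -Isolated    -PrimaryVlanId $PrimaryVlanId -SecondaryVlanId $p.Secondary[0] }
            'Community'   { Set-VMNetworkAdapterVlan -VMName $p.VM -Community   -PrimaryVlanId $PrimaryVlanId -SecondaryVlanId $p.Secondary[0] }
            default       { throw "$($p.VM): unknown PVLAN mode '$($p.Mode)'" }
        }
    }
}

function Test-PvlanPair {
    # Layer 2 PVLAN forwarding rules: may port $A exchange frames with port $B?
    param($A, $B)
    if ($A.VM -eq $B.VM) { return $true }
    # A promiscuous port talks to every secondary VLAN it is a member of.
    if ($A.Mode -eq 'Promiscuous') { return ($A.Secondary -contains $B.Secondary[0]) }
    if ($B.Mode -eq 'Promiscuous') { return ($B.Secondary -contains $A.Secondary[0]) }
    # Two community ports talk only inside the same community (same secondary VLAN).
    if ($A.Mode -eq 'Community' -and $B.Mode -eq 'Community') { return ($A.Secondary[0] -eq $B.Secondary[0]) }
    # Anything involving an isolated port, or two different communities: blocked.
    return $false
}

function Get-PvlanReachability {
    param([Parameter(Mandatory)] $Layout)
    foreach ($a in $Layout) {
        $row = [ordered]@{ From = $a.VM }
        foreach ($b in $Layout) { $row[$b.VM] = if (Test-PvlanPair $a $b) { 'yes' } else { 'no' } }
        [pscustomobject]$row
    }
}

function Confirm-PvlanLayout {
    # Compares what the host reports with what was requested; throws on drift.
    param([Parameter(Mandatory)] $Layout, [Parameter(Mandatory)] [int] $PrimaryVlanId)
    foreach ($p in $Layout) {
        foreach ($actual in (Get-VMNetworkAdapterVlan -VMName $p.VM)) {
            if ($actual.OperationMode -ne 'Private' -or
                $actual.PrivateVlanMode -ne $p.Mode -or
                $actual.PrimaryVlanId -ne $PrimaryVlanId) {
                throw ("{0}: expected Private/{1}/{2}, host reports {3}/{4}/{5}" -f $p.VM, $p.Mode, $PrimaryVlanId,
                       $actual.OperationMode, $actual.PrivateVlanMode, $actual.PrimaryVlanId)
            }
        }
    }
}

Set-PvlanLayout     -Layout $Layout -PrimaryVlanId $PrimaryVlan
Confirm-PvlanLayout -Layout $Layout -PrimaryVlanId $PrimaryVlan
Get-PvlanReachability -Layout $Layout | Format-Table -AutoSize
```

For the layout above the matrix comes out with SRV1 reaching everything, SRV2 reaching only SRV1, and SRV3 and SRV4 reaching SRV1 and each other but not SRV2, which is exactly what the ping test should show once the firewall allows ICMP. Confirm-PvlanLayout is the check worth keeping: a port that silently stayed in Access mode on VLAN 0 would otherwise pass every ping and look like working isolation.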


Posted in Hyper-v, Networking, Tips, Windows 2012

Deploying MS PetShop 4 using SCVMM 2012 service template

I have seen many links to deploy MS PetShop using SCVMM but none of them worked, so I decided to build one and share it. This is actually a working deployment of PetShop 4 using an SCVMM service template as a 2-tier application.

If you are tuned in for my book, which I hope to publish by the 1st quarter of 2013, you will find in the book more complex service templates and steps toward building service templates for different applications. Wish me luck on that.

This article is a walkthrough of deploying the MS PetShop 4 application (http://msdn.microsoft.com/en-us/library/aa479070.aspx) using an SCVMM service template. The PetShop package "petshopservice" contains the files needed for this deployment:

1. PetShop web application zip file

2. SQL scripts to enable the SQL user, grant permissions and load data

3. Script to configure MSDTC security and firewall rules

4. Script to register the PetShop DB on the SQL Server

5. 4 SQL DAC packages

6. PetShop service template configuration file.

You can build your own service template or import the included one, which requires that you provide the following:

1. Windows 2008 R2 SP1 sysprepped VHD

2. SQL 2008 R2 sysprepped VHD

3. Run As account to join the VM to your domain

4. Run As account for the SQL authentication SA account

5. Run As account for SQL Windows authentication

6. Run As account for the SQL instance services

7. Web Deploy application framework (WebDeploy_x64_en-US_2.0.1070.cr)

8. SQL DAC framework for SQL 2008 R2

9. Logical network

The Run As accounts hold real credentials in the VMM library, so create dedicated accounts for this template rather than reusing your own administrative credentials.

After importing the service template you need to open it and change the configuration of the SQL VM tier on the OS Configuration and SQL Server tabs to your environment's settings. You need to change:

1. The domain name in OS Configuration

2. The SQL Server configuration (SQL admin account, source directory for the SQL sysprepped files)

3. Check the web tier domain name in OS Configuration

The steps below are for building your own service template. To successfully deploy this application you will need:

1. A Windows 2008 R2 VM template; please follow my recommendations on creating a VM template

2. A SQL sysprepped installation VM template

3. The PetShop package files

Note: both VMs should be configured with the PowerShell RemoteSigned execution policy (RemoteSigned is sufficient for the locally staged scripts; there is no need to relax it to Unrestricted).

Steps that will be carried out:

1. Extract the PetShop package to your SCVMM library server

2. Create a SQL profile

3. Create an application profile for the PetShop SQL DAC packages

4. Create the service template

We will create a service template using the Two Tier Application pattern. Because this service template is not planned to scale out, we will use hardcoded machine names for the SQL Server and the web server: the SQL machine will be named PETSQL and the web server PETWEB.

1. Create a SQL profile following steps 7 and 8 of my previous blog post Deploying incentive Social collaboration Software using SCVMM 2012 Service template Part 1

2. Create an application profile for the PetShop SQL DAC packages: in the Library workspace right-click Application Profiles and select Create Application Profile

3. Name your application profile PetShopDAC, then select Application Configuration; in OS Compatibility select the Windows 2008 R2 OS, click Add and add a SQL Server Data-Tier Application, then select it and click Add Application Script.

4. Select the first added SQL Server Data-Tier Application and fill in the information:

Name: SQL Server Data-Tier MSPetShop4
SQL Server Data-tier Application Package: MSPetShop4.dacpac
SQL DAC Instance name: MSPetShop4
Authentication Type: Windows authentication
Deployment Run As Account: SQL Admin Account

5. Select SQL Scripts and add two post-install scripts: CreateDBLoginMSPetShop4.sql with order 1 and LoadTablesMSPetShop4.sql with order 2. The scripts enable the SQL user account mspetshop and grant it owner permission on the database, then load data into the database. (Database owner is broader than the web application needs at runtime; outside a lab, tighten the mspetshop account's permissions once the data is loaded.)

Name: CreateDBLoginMSPetShop4.sql
Order: 1
Type: Post-install
Log file name: c:\windows\temp\DBloginPetshop4
SQL Authentication type: Windows authentication
Run As Account: SQL Admin Account

Name: LoadTablesMSPetShop4.sql
Order: 2
Type: Post-install
Log file name: c:\windows\temp\loadtables.txt
SQL Authentication type: Windows authentication
Run As Account: SQL Admin Account

6. Select the application script and set it to pre-install; in Executable file type cmd.exe, in Parameters type /q /c DTCFirewallRules.cmd, click Browse to select the PetShopDTC.cr package and select an admin account for this installation.

7. Add another 3 SQL Server Data-Tier Applications using the information below.

Name: SQL Server Data-Tier MSPetShop4Services
SQL Server Data-tier Application Package: MSPetShop4Services.dacpac
SQL DAC Instance name: MSPetShop4Services
Authentication Type: Windows authentication
Deployment Run As Account: SQL Admin Account

SQL Server Scripts:

Name: CreateDBLoginMSPetShop4Services.sql
Order: 1
Type: Post-install
Log file name: c:\windows\temp\DBloginPetServices.txt
SQL Authentication type: Windows authentication
Run As Account: SQL Admin Account

Name: SQL Server Data-Tier MSPetShop4Profile
SQL Server Data-tier Application Package: MSPetShop4Profile.dacpac
SQL DAC Instance name: MSPetShop4Profile
Authentication Type: Windows authentication
Deployment Run As Account: SQL Admin Account

SQL Server Scripts:

Name: CreateDBLoginMSPetShop4Profile.sql
Order: 1
Type: Post-install
Log file name: c:\windows\temp\dbloginProfile.txt
SQL Authentication type: Windows authentication
Run As Account: SQL Admin Account

Name: SQL Server Data-Tier MSPetShop4Orders
SQL Server Data-tier Application Package: MSPetShop4Orders.dacpac
SQL DAC Instance name: MSPetShop4Orders
Authentication Type: Windows authentication
Deployment Run As Account: SQL Admin Account

SQL Server Script:

Name: CreateDBLoginMSPetShop4Orders.sql
Order: 1
Type: Post-install
Log file name: c:\windows\temp\dbloginservice.txt
SQL Authentication type: Windows authentication
Run As Account: SQL Admin Account

8. Select (or add) the post-install application script and configure it as in the table below

Executable program: cmd.exe
Parameters: /q /c RegPetShop4DB.cmd
Script resource package: PerShopRegDB.cr
Run As Account: Admin account on the machine

9. Select (or add) the pre-install application script and configure it as in the table below

Executable program: cmd.exe
Parameters: /q /c InstallSqlDAC.cmd
Script resource package: SQL2008R2_DAC_Framework_X64.cr
Run As Account: Admin account on the machine

10. Create a new service template using the Two Tier Application pattern

11. Drag your SQL sysprepped VM template onto the first tier instance and your Windows IIS server template onto the second tier instance

12. Select your first tier (SQL) instance and fill in the name and description; set the preferred deployment order to 1 and the preferred servicing order to 1

13. Check your hardware configuration and OS configuration (set the VM name to PETSQL); the VM should be configured correctly for network connectivity and domain join with proper credentials

14. In Application Configuration select the PetShopDAC application profile created earlier.

15. Select SQL Server Configuration, select your SQL Server profile and click OK.

16. Select your second tier machine and fill in the name and description; set the preferred deployment order to 2 and the preferred servicing order to 2

17. Check your hardware configuration; the VM should be configured correctly for network connectivity

18. Select OS Configuration (set the VM name to PETWEB), set the domain join configuration with proper credentials, then select Roles and add the Web Server (IIS) role and the .NET Framework 3.5.1 feature.

19. To configure our web application we will add the PetShop web application package and use a script to install the Web Deploy framework on the server

a. Select Application Configuration, click Add and select Web Application

b. In OS Compatibility select the OS you are using (64-bit Windows 2008 R2)

c. Type a name for the PetShop web application

d. Click Browse and select the Petshop4webpkg.zip package

e. Because we already know the SQL Server machine name, we can update the connection strings that the PetShop web server will use

f. In the Settings section select the connection strings one at a time and change the SQL Server name to PETSQL (or whatever name you chose for your SQL instance)

g. Select the web application and click Add Application Script; we will add a script to configure the MSDTC security settings and firewall rules

h. Select the application script and set it to post-install; in Executable file type cmd.exe, in Parameters type /q /c DTCFirewallRules.cmd, click Browse to select the PetShopDTC.cr package and select an admin account for this installation.

i. Click Add, select Script and set its type to pre-install; in Executable file type cmd.exe, in Parameters type /q /c InstallWebDeploy.cmd, click Browse to select the Web Deploy package, select an admin account for this installation and click OK.

20. The final service template should look like this

[screenshot: final two-tier service template]

21. Click Configure Deployment and select the destination cloud or host group

22. If you selected a host group for deployment you can set the IP pool to be used for the VMs; then click Deploy.

23. After the deployment is finished, open Internet Explorer at http://petweb/petshop4

Posted in Private cloud, VMM2012