
Self managing lab environment using Hyper-V and SCVMM 2012

In January, when I started my new job at Transcendent Group, there were developers who needed a test/lab environment for trying out Team Foundation Server and other products. Since we are only about 40 employees we don't have the manpower to manage something like this by hand. What better way to solve the problem than building a private cloud with Hyper-V and System Center Virtual Machine Manager 2012?

I started off by installing Windows Server 2008 R2 with all patches and drivers. After enabling the Hyper-V role I attached an iSCSI disk to the server for storing the virtual machines. Using iSCSI also keeps the option of building a cluster later, since that LUN can easily be converted to a Cluster Shared Volume (CSV).

Next I created a new VM and installed SCVMM 2012 in it. With that in place I could start configuring both the Hyper-V environment and the SCVMM solution so our users can create, use and destroy their own lab environments. Running the VMM instance in a virtual machine makes life easier, and since the data disk is connected through iSCSI it won't matter if I move the VM to another host.

Networking

I decided to have five different clouds: three for general use and two private ones, since two of us internally needed environments of our own. I created five internal networks, LabNet01 through LabNet05, and one external network that connects to our production network.

In Hyper-V it looks like this:

Each cloud has one Smoothwall, a Linux-based firewall with a very small footprint, as its router. Right now they only route traffic, but they could just as easily publish services from each cloud. I chose this setup so that DHCP and other services that would interfere with the production network stay contained inside each lab network.

There is also one domain controller in each cloud, each with its own domain name: lab01.local through lab05.local. This lets users join their lab computers to a domain without cluttering our production AD.

The Clouds

The naming convention is planned so that anyone using an environment can easily tell which lab user has access to which cloud. In the SCVMM self-service portal there are five user accounts, tied to our production Active Directory, named labuser01 through labuser05. They share a common password known to everyone; the labs are open to all and are booked as rooms through Outlook.


Cloud      Account     Firewall      DC        Subnet
LabNet01   LabUser01   SmoothWall01  LabDC01   10.10.1.0/24
LabNet02   LabUser02   SmoothWall02  LabDC02   10.10.2.0/24
LabNet03   LabUser03   SmoothWall03  LabDC03   10.10.3.0/24
LabNet04   LabUser04   SmoothWall04  LabDC04   10.10.4.0/24
LabNet05   LabUser05   SmoothWall05  LabDC05   10.10.5.0/24

Using the clouds

Using the system is a matter of booking a cloud in Outlook, and then logging into the self service portal.

Logged on as LabUser02, which gives access to Cloud02.

Logged on as LabUser03, which gives access to Cloud03.

To create a new machine, the user runs the new-machine wizard in the portal. Since each lab account has access to exactly one cloud, nobody can create VMs in someone else's environment.

Access to the lab environment

Reaching the VMs on the internal networks is done either through the portal or, for users who don't want to use a browser, through an RDS Gateway. The gateway is connected to each of the internal networks, which makes it possible to connect to any computer on the inside once it has an IP address.

In this case we are not using the same credentials for the remote computer as for the gateway, because the gateway belongs to our production domain while the remote server belongs to the lab domain. The RDS Gateway settings are found under the Advanced tab in the Remote Desktop Connection client.
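The gateway setup described above, written out as an .rdp file so that users who skip the portal get the right settings without clicking through the Advanced tab. This is an added example, not the original post's configuration: both hostnames are placeholders, and the only thing it assumes is an RDS Gateway joined to the production domain in front of a lab-domain VM.

```powershell
# Added example, not from the original post: builds an .rdp file that connects through the
# RDS Gateway with the gateway credentials (production domain) kept separate from the
# credentials for the lab machine (lab domain). Both hostnames are placeholders.
$gateway = 'rdgw.example.com'        # assumed: the RDS Gateway, joined to production AD
$target  = 'labsrv01.lab01.local'    # assumed: a VM inside LabNet01 (10.10.1.0/24)

# gatewayusagemethod 1     = always go through the gateway
# gatewayprofileusagemethod 1 = use the explicit settings in this file, not the default profile
# gatewaycredentialssource 0  = prompt for a password (NTLM) for the gateway
# promptcredentialonce 0      = do NOT reuse the gateway credentials for the remote computer,
#                               so mstsc asks for the lab-domain account separately
# authentication level 2      = warn (instead of fail) if the server certificate can't be verified
$rdp = @"
full address:s:$target
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:0
authentication level:i:2
"@

$path = Join-Path $env:USERPROFILE "Desktop\$target.rdp"
Set-Content -Path $path -Value $rdp
"Wrote $path - open it with mstsc.exe (or run: mstsc `"$path`")"
```

Setting promptcredentialonce to 0 is the part that matters for this lab: with it set to 1 the client would try the production-domain gateway account against the lab-domain VM and the logon would fail.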

With that we have built an environment that lets users log on, create, use and destroy their own lab. In the next post we'll look at more specific settings and group policies that make life easier for both administrators and users of this environment.


Direct Access / UAG Troubleshooting Steps

I spent last week installing, configuring and troubleshooting UAG for DirectAccess. Considering that nobody likes troubleshooting, I thought I'd share some tips and a list of the steps I took to get it up and running.

This guide focuses on troubleshooting DirectAccess through Microsoft Forefront Unified Access Gateway (UAG), but most of it also applies to DirectAccess enabled directly on Windows Server 2008 R2.

Thanks to Hasain Alshakarti for answering all my questions and giving me a quick lesson on PKI!

Testing:
Test your first client from the same network as the outside addresses of your DA/UAG server. I spent almost a day troubleshooting a configuration where it turned out that the 3G operator blocks 6to4 (IP protocol 41). Once it works on that network, try it over 3G.

If it doesn't work over 3G, create another GPO that disables 6to4, which makes the clients use Teredo or IP-HTTPS instead (the netsh section further down shows how to disable it by hand). If you don't, it will work with some operators and not with others, and troubleshooting that when your users are road warriors isn't as fun as one might think...

Note on images: all IPs and hostnames are masked for customer security.

Server side:

External interface

IPv4 and IPv6 enabled
Two consecutive public IPv4 addresses (Teredo needs both)
No DNS servers configured; this forces the server to resolve names through the internal DNS and its forwarders
Client for Microsoft Networks unbound
File and Printer Sharing unbound

Internal interface

No gateway
Internal DNS


Client side:
Check the certificate: it needs a subject name or SAN (Subject Alternative Name) that matches the DNS name of the client. (The same applies to the certificate used for the UAG server's SSL connection.) If the certificate is not properly configured you will most likely see Event ID 4653 for IPsec.

Checking the tunnels:
Start Windows Firewall with Advanced Security.
Open Monitoring > Security Associations and check under Main Mode and Quick Mode that your tunnels are established. This can also be done with netsh, see below.

Netsh

Show main mode and quick mode IPsec security associations:

netsh advfirewall monitor
show mmsa
show qmsa

Show 6to4 adapter state (and, when the operator blocks protocol 41, disable 6to4 on the client so it falls back to Teredo or IP-HTTPS):
netsh int 6to4
show state
set state disabled

Show Teredo adapter state
netsh int teredo
show state

Show IP-HTTPS adapter state
netsh int httpstunnel
show interfaces

Show DNS client settings
netsh dnsclient
show state

Show the effective DNS Name Resolution Policy Table (NRPT)
netsh namespace
show effectivepolicy
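The client-side checks from this post (certificate name, transition technology state, IPsec SAs, NRPT) collected into one script, so the whole sequence can be run on a misbehaving client and pasted into a ticket. This is an added example and not code from the original post. It assumes an elevated PowerShell prompt on a Windows 7 / Server 2008 R2 era DirectAccess client with the machine certificate in the local computer's Personal store; the public IPv4 address fed to the 6to4 helper is a placeholder.

```powershell
# Added example, not from the original post. Runs the client-side DirectAccess checks
# described above in one pass. Assumes an elevated PowerShell prompt on the DA client.

# 6to4 derives the client's IPv6 address from its public IPv4 address:
# 2002:WWXX:YYZZ::WWXX:YYZZ, where WW.XX.YY.ZZ is the IPv4 address written in hex.
# Handy for recognising the address in "netsh int 6to4 show state" or ipconfig output.
function Get-6to4Address([string]$PublicIPv4) {
    $octets = $PublicIPv4.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 4) { throw "not an IPv4 address: $PublicIPv4" }
    $hex = '{0:x2}{1:x2}:{2:x2}{3:x2}' -f $octets        # WWXX:YYZZ
    return ('2002:{0}::{0}' -f $hex)
}

# Machine certificate check: the subject CN or a DNS entry in the SAN must equal the
# client's FQDN, otherwise IPsec main mode fails (Event ID 4653, as noted above).
function Test-DaClientCertificate {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $hits = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        # 2.5.29.17 is the Subject Alternative Name extension
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($false) renders the SAN as "DNS Name=host.example.com, DNS Name=..."
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        if ($names -contains $fqdn -and $cert.HasPrivateKey) { $cert }
    }
    if ($hits) { "OK   machine certificate matches $fqdn (thumbprint $($hits[0].Thumbprint))" }
    else       { "FAIL no machine certificate with CN or SAN = $fqdn (expect IPsec Event ID 4653)" }
}

Test-DaClientCertificate
'Expected 6to4 address for 203.0.113.10 (placeholder address): ' + (Get-6to4Address '203.0.113.10')

# Transition technology state: on a network that blocks protocol 41, 6to4 stays down
# and the client should fall back to Teredo or IP-HTTPS.
'--- 6to4 ---';     netsh interface 6to4 show state
'--- Teredo ---';   netsh interface teredo show state
'--- IP-HTTPS ---'; netsh interface httpstunnel show interfaces

# IPsec tunnels to the DA server: both main mode and quick mode SAs should be listed.
'--- Main mode SAs ---';  netsh advfirewall monitor show mmsa
'--- Quick mode SAs ---'; netsh advfirewall monitor show qmsa

# NRPT: the internal namespace should be listed with the DA server's DNS64 address.
'--- Effective NRPT ---'; netsh namespace show effectivepolicy

# Manual fallback when the operator blocks 6to4 (the GPO approach is preferred):
#   netsh interface 6to4 set state disabled
```

Run it once on a client that works and once on the one that doesn't; the first section that differs is usually where the problem is. The certificate check is deliberately strict about an exact FQDN match, since that is what the IPsec policy compares.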

Useful resources and reading:
A useful 6to4 calculator – http://waldner.netsons.org/f6-6to4.php

Designing a Direct Access solution – http://technet.microsoft.com/en-us/library/dd637836(WS.10).aspx
Direct Access Management – http://technet.microsoft.com/en-us/library/ee624048(WS.10).aspx
The Direct Access Test Lab Step-by-Step Guide – http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=8d47ed5f-d217-4d84-b698-f39360d82fac
General troubleshooting for Direct Access – http://technet.microsoft.com/es-es/library/ee624058(WS.10).aspx

Hope that you'll get it up and running. I have another post drafted that deals with the "manage out" perspective, which lets you remotely manage and access your clients. Will post ASAP!

MVP 2010 – Another great year ahead!

After a long wait, today the email finally showed up in my inbox. I've been awarded the Microsoft MVP award in Cluster / High Availability for another year. As you may or may not know, this award is given to those who spend time and effort teaching others about Microsoft technologies, answering questions both live and on the internet, and speaking at events such as TechEd.

Congratulations to fellow Swedish MVPs Björn Axell, Andreas Stenhall, Anders Bengtsson and Patrik Löwendahl (and I've probably missed a few...).

This will be celebrated with a glass of champagne with the family, also celebrating the purchase of our summerhouse!

TechEd New Orleans – Day 2

Left the convention center right after my TLC-duty yesterday to work on my demo. Spent a few hours in front of the computer and then decided to have dinner with Lidholm/Lindström/Edman, my partners in crime. My plan for dinner and one beer didn’t hold up so I came back to the hotel around 11 PM for some more demo work. Got up at 6 AM to finish the scripts, have breakfast and get ready.

My session went ok, one demo failed (which is a must, there’s always one that fails). Other than that my evals were “ok”, I missed out on the stuff that I should’ve thought about. Like font size, not zooming in and such easy things. Didn’t think of the fact that the session rooms here are like 4 times the size compared to Sweden. I know that now 🙂

The rest of the day will be spent in the Clustering TLC-booth, if you’re around and have a question or just wanna say hi you know where I’m at. Tonight we’ll go shopping, and we probably will end up at Bourbon Street like the rest of the attendees here…

If you’re not in New Orleans but wanna be part of it you can always watch http://www.msteched.com/ where Channel9 broadcasts live interviews. You can also find a lot of other content there.

Some other useful stuff I’ve learned today:
The System Center material over at https://connect.microsoft.com/MSDSA gives you documentation and VHDs for trying out or demonstrating System Center software. It's on Connect, so you'll need to sign in or sign up there as usual.

Microsoft will support memory over-“allocation” (the term varies a little depending on how you see it) together with USB-devices in Hyper-V (through RDP-connected clients that is, not on the host-level). Full article here.

If you’re running Hyper-V and System Center Operations Manager you might be interested in the free management pack for Hyper-V. You can find that over at Bridgeways.ca!

And last but not least: Analyzing storage performance in Hyper-V or just monitoring performance, two really good articles.

Now, TLC-booth duty!

Preflight – TechEd North America 2010

Nothing is like the calm when you’re done with your presentation, the demo is working (just gotta decide which demo to run) and I’ve packed. Now I’ll hang on the balcony with a beer and a whisky and watch some episodes of Fringe and Mad Men, waiting for the wife to come home.

It'll be interesting to see New Orleans and how much they've restored after Katrina. I have a great list of bars and clubs to visit, and it'll be fun to meet my old colleagues again. I fear Howl At The Moon already!

Leaving tomorrow morning for Chicago / New Orleans and will post pictures and observations throughout the week.

Are you going? Tweet / email me and I’ll meet you there!

Celebrations and reading

Yey, today is Geek Pride Day, which is celebrated by all geeks/nerds around the world. According to Wikipedia:

“Geek Pride Day is an initiative which claims the right of every person to be a nerd or a geek. It has been celebrated on May 25 since 2006, celebrating the premiere of the first Star Wars movie in 1977.

It shares the same day as two other science-fiction fan ‘holidays’ – Towel Day, for fans of the Hitchhiker’s Guide to the Galaxy Trilogy by Douglas Adams, and the Glorious 25th of May, for fans of Terry Pratchett’s Discworld.”

And for the reading I’ve been reading on the Hyper-V security model at http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx and how to avoid the old “domain could not be contacted”-error which you usually get with snapshots or offline machines at http://www.petri.co.il/working-with-domain-member-virtual-machines-and-snapshots.htm

Currently busy working with my presentation for TechEd and my new job offers some challenges too… Learning all there is to know about Salesforce and administration, and trying to get my head around SCCM (don’t miss the beta 1 of v.Next over at http://blogs.technet.com/b/systemcenter/archive/2010/05/24/the-next-generation-of-client-management.aspx) and Direct Access in multi-site deployments with UAG which isn’t happening until SP 1 apparently.