Create an Additional Domain Controller Using Install From Media (IFM)

 

Do you ever wait for a long period when setup an additional domain controller especially in branch environment and wait for it to replicate AD database? You may need to wait a bit longer especially when you have limited Internet connectivity.

Well, we do and we even tested to deploy a virtualized domain controller in branch and it only has 128K bandwidth. The connection was crawling like turtle speed and it took very long to replicate entire active directory database.

To solve this problem, we decided to use IFM (Install from media). To start with, make sure your existing domain controller

• running at least Windows Server 2012
• DNS
• Global catalog

Use command prompt and type

ntdsutil activate instance NTDS ifm create sysvol full C:\backup\ifm

This process will store active directory database, registry and sysvol into C:\Backup\IFM

Once complete, transfer the entire folder in C:\backup to your branch virtualized domain controller. Now you have successful created an IFM using ntdsutil.

Next step is setup an additional domain controller at branch.

Make sure you have install Active Directory Domain Services roles and then configure DC using Server Manager.

Click “Promote this server to a domain controller”

Select “Add a domain controller to an existing domain”

Select the site that you’ve created and enter Directory Service Restore Mode password”

IMPORTANT

Select Install from media , define the path which consist your backup ntds and select replicate from nearest DC

Then Define the path of new active directory database to another path (normally another disk). For more info, you can check out “Best Practice on Virtualizing Domain Controller post”

Click Install to start the installation

Verification

Verify that you can access the following snap-in:-

• Active Directory User and Computer
• Active Directory Sites and Services
• Active Directory Domain and Trust

Lastly initiate force replication to sync with primary domain controller to get the latest active directory database.

Well, that’s all for now.

As a conclusion, by using IFM it can you a lot of time and also your network bandwidth. Give it a try if you do have multi site branch Active directory deployment.

NEW Veeam Availability Suite

 

Availability for the Modern Data Center

Today’s business environment is changing. Connected customers, partners, suppliers, and employees demand access to information and applications at any time and from any device, with no tolerance for downtime or data loss. IT organizations must enable the Always-On Business™ by making data and applications available 24/7.

Being Always-On typically means significant investment in fully redundant systems with instant failover capabilities protecting only the most critical applications. Or, businesses settle for less expensive legacy backup solutions with recovery objectives (RPOs and RTOs) of several hours or days. Both options fail to meet the needs of the Always-On Business – creating an availability gap.

Veeam bridges the availability gap by leveraging the capabilities of the modern data center – including virtualization, new storage integration, and cloud capabilities – providing Recovery Time and Point Objective (RTPO™) of less than 15 minutes. Veeam delivers Availability for the Modern Data Center™, including:

• High Speed Recovery
• Data Loss Avoidance
• Verified Protection
• Risk Mitigation
• Complete Visibility

NEW Veeam Availability Suite™

RTPO <15 min. For ALL Applications.

How do customers get Availability for the Modern Data Center? Today – customers buy Veeam Backup & Replication™ or one of our Suites. With the launch of v8 in Q3 customers will buy our NEW Veeam Availability Suite™! This suite replaces Veeam Backup Management Suite™ – same price, same editions, same features – but with a new name aligned with our new messaging. (No changes to Veeam Backup & Replication™ and Veeam ONE SKUs – still are available)

Veeam Availability Suite v8 delivers High-Speed Recovery, Data Loss Avoidance, Verified Protection, Risk Mitigation and Complete Visibility to the Always-On Business, with more new features:

• Faster backups and rapid item-level recovery of hardware snapshots with NetApp snap support
• Lower RTOs with granular transaction-level recovery of SQL databases and Active Directory (in addition to Explores for Exchange, SharePoint, HP and NetApp snapshots as well as U-AIR for all other applications)
• Improved off-site recovery with major replication enhancements

To know more, click

HERE 

Free Study Guide for Microsoft Certification Exam 74-409: Server Virtualization with Windows Server Hyper-V and System Center

 

This study guide for Microsoft's 74-409 Server Virtualization with Windows Server Hyper-V and System Center exam will take you through each of the exam objectives, helping you to prepare for and pass the examination. By reading these 8 chapters of the study guide you will learn about:

• Virtual Machine Settings
• Virtual machine storage
• Hyper-V Virtual Networks and virtualization networking
• Implementing virtual machines
• Managing Virtualization Hosts and Infrastructure
• Hyper-V Failover Clustering and Failover Clustering Roles
• Virtual Machine Movement
• Monitoring and disaster recovery
Free download, just click here. (Provided by Veeam). Enjoy!

Creating Multi-Site VPN in Windows Azure

 

Not long ago I’ve met several customers and we had a great discussion on setup Windows Azure. Most of them would like to put Active Directory in Windows Azure but it has a limitation that you only can setup one connection from your on-premise to Azure. What happen when you have multiple branch environment and would like to connect to same virtual network on Azure?

Too bad it won’t work till recently TechEd NA 2014. Guess what? Microsoft make an announcement to released this feature called “Multi-site VPN”.

Something great and excited to deploy. Here is my setup environment:-

Datacenter

HQ MS4U

• External Public IP
• Firewall that support dynamic routing VPN / route based VPN
• MS4ULAN Site – 192.168.20.0/24 Subnet

Branch MS4U

• External Public IP
• Firewall that support dynamic routing VPN /route based VPN
• Site2MS4ULAN Site – 192.168.30.0/24 Subnet

Azure (Region SEA)

• Virtual Network
  • Infra Subnet – 10.0.0.0/27
  • Web Subnet – 10.0.1.0/27
  • Database Subnet – 10.0.2.0/27

Virtual Network Gateway – must configure to use dynamic routing

Note:-

• No overlap ip between HQ and branch local network
• Primary DC (holding FSMO roles) located at HQ MS4U

Step 1:-

• Configure Site to Site VPN to HQ MS4U using Azure Management Portal
• Make sure site to site vpn is establish between Azure VPN Gateway with HQ MS4U Firewall
• Setup an additional domain controller in Windows Azure. Click here to learn on how to setup DC. The guide is refer to Read Only Domain Controller (RODC) but the step is identical. (Just don’t select RODC role)

Step 2:-

• Export network configuration on the virtual network that you have created on Step 1

Network | (your virtual network) | Export | Save as NetworkConfig.xml

• Edit the network configuration using notepad. Modify to include 2nd site information (highlighted in green)

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">   <VirtualNetworkConfiguration>     <Dns>       <DnsServers>         <DnsServer name="MS4U-DC" IPAddress="192.168.20.10" />         </DnsServers>     </Dns>     <LocalNetworkSites>       <LocalNetworkSite name="MS4ULAN">         <AddressSpace>           <AddressPrefix>192.168.20.0/24</AddressPrefix>         </AddressSpace>         <VPNGatewayAddress>14.1.200.31</VPNGatewayAddress>       </LocalNetworkSite>     <LocalNetworkSite name="Site2MS4ULAN">         <AddressSpace>           <AddressPrefix>192.168.30.0/24</AddressPrefix>         </AddressSpace>         <VPNGatewayAddress>113.210.136.164</VPNGatewayAddress>       </LocalNetworkSite>     </LocalNetworkSites>     <VirtualNetworkSites>       <VirtualNetworkSite name="MS4U-AzureVnet" AffinityGroup="MS4U-LabAG">         <AddressSpace>           <AddressPrefix>10.0.0.0/24</AddressPrefix>           <AddressPrefix>10.0.1.0/24</AddressPrefix>           <AddressPrefix>10.0.2.0/24</AddressPrefix>         </AddressSpace>         <Subnets>           <Subnet name="InfraSubnet">             <AddressPrefix>10.0.0.0/27</AddressPrefix>           </Subnet>           <Subnet name="WebSubnet">             <AddressPrefix>10.0.1.0/27</AddressPrefix>           </Subnet>           <Subnet name="DatabaseSubnet">             <AddressPrefix>10.0.2.0/27</AddressPrefix>           </Subnet>           <Subnet name="GatewaySubnet">             <AddressPrefix>10.0.2.32/29</AddressPrefix>           </Subnet>         </Subnets>         <DnsServersRef>           <DnsServerRef name="MS4U-DC" />         </DnsServersRef>         <Gateway>           <ConnectionsToLocalNetwork>             <LocalNetworkSiteRef name="MS4ULAN"><Connection type="IPsec" /></LocalNetworkSiteRef>          <LocalNetworkSiteRef name="Site2MS4ULAN"><Connection type="IPsec" /></LocalNetworkSiteRef>           </ConnectionsToLocalNetwork>         </Gateway>       </VirtualNetworkSite>     </VirtualNetworkSites>   </VirtualNetworkConfiguration> </NetworkConfiguration>

• Save it and import to Azure using Azure Management Portal.
• + New | Network Services | Virtual Network | Import Configuration.

Note:-

• From now onward, you need to use network configuration to configure settings.  Once you import the settings, you will not able to change from UI.

Before import:-

After import the new configuration, the virtual network will display the following information. You need to use Windows Powershell or REST API.

2 tunnel created

• MS4ULAN Site – for HQ MS4U
• Site2MS4ULAN Site – for branch MS4U

Step 3:-

• Download Windows Azure Powershell  from here.
• Connect to your subscription
• Get your pre-shared key for the VPN tunnel

Get-AzureVnetGatewayKey –VNetName (site to site vpn virtual network) –LocalNetworkSiteName (site name)

Check the multi site tunnel using Get-AzureVnetConnection

Step 4:-

• Configure branch –MS4U firewall to setup site to site vpn to same VPN gateway in Azure
• Sorry. No VPN script that you can download. This option is no longer available once you import the network configuration to allow multisite.
• You must familiar on how to setup site to site VPN on firewall
• Enter the pre-shared key that you’ve gathered in Step 3

Step 5:-

You are almost there…

• On the Azure Management Portal, you will be able to see both firewall has successful connected to VPN gateway in Azure and we now have “Multi-site VPN”

• On branch MS4U, you can proceed to setup another an additional domain controller which pointing to Windows Azure DC.

That’s all for now. We will do more further test and post it in our next article.

Stay tuned!

Best Practice on Virtualizing Domain Controller

 

Here is some guideline when setup a virtualize domain controller on Hyper-V platform

1. Keep 1 Host on a Physical Server. Don’t be smart to virtualize entire domain controller and put into cluster. As long you have at least 1 on physical server, then you can put virtualize DC on Hyper-V especially Hyper-V cluster.

2. Disable Time Synchronization – uncheck on the VM Properties. (on Hyper-V platform)

Active Directory domain controller has a built-in mechanism to deal with the time synchronization with the help of the Windows Time Service. Therefore it is recommended to disable it and let Active Directory manage the time synchronization between Virtual domain controllers.

3. No snapshot – unless the domain controller operating system running Windows Server 2012 or higher.

4. Apply Update – to help preserve the integrity of the Active Directory Database if a power loss. Especially virtual hard disk connected using virtual IDE controller.

When your DC is

• Windows Server 2012 – must install update rollup 2855336 on Hyper-V Host (July 2013 Update)
• Windows Server 2008 R2 – must install update rollup 2853952

How about turn off write caching? Well, you would not be able to turn off it from Device Manager-inside guest OS. Just apply the update and make sure on SAN / Hyper-V local disk has turn off write caching.

The best is create a virtual hard disk and connect to SCSI controller. Then move the ntds.dit and log to new location.

• Boot to Directory Service Repair Mode or stop Active Directory Domain Services on Services.msc
• Open an elevated command prompt and type the following command to move the ntds.dit and log to E:\NTDS

ntdsutil activate instance ntds files move db to e:\ntds move logs to e:\ntds integrity quit quit

• Restart the VM and backup the System State.

5. Avoid pausing Active Directory beyond than tombstone depend on operating system.

• Win 2003 – 60 day tombstone life time
• 2003 SP1 and later – 180 days tombstone life time

6. Create multiple active directory VM and put in multiple host. Configure availability set. Availability Sets are used to keep virtual machines separate from each other so they do not run on the same physical host. This works via anti-affinity rules inside a Hyper-V host cluster, but with System Center Virtual Machine Manager allows you to do this even with standalone hosts, which makes really sense since you can move virtual machines without downtime in your whole datacenter via Shared Nothing Live Migration.

If you create an Availability Set in Virtual Machine Manager for two different virtual machines, Virtual Machine Manager will attempt to keep those virtual machines on separate hosts and avoid placing them together on the same host whenever possible. This helps to improve service update for these virtual machines especially for workload farm.

7. Backup System State. Always backup active directory system state. You may require it when disaster happen.

Hope this guideline help..

Hyper-V or Vmware Hypervisor Compatible Running Windows Server 2012 / 2012 R2 Guest Operating System

 

Before deploy Windows Server 2012/ 2012 R2 operating system on either Hyper-V or VMware platform, it is recommended to check the compatibility list. Here is the summary of information that I’ve gathered.

Hyper-V – Windows Server 2008 R2 or R2 SP1

• Must install hotfix, click here to download.
• Support to run Windows Server 2012 guest operating system
• Not supported to run Windows Server 2012 R2 guest operating system

Hyper-V Windows Server 2012

• Support to run Windows Server 2012 guest operating system
• Support to run Windows Server 2012 R2 guest operating system

Hyper-V Windows Server 2012 R2

• Support to run Windows Server 2012 guest operating system
• Support to run Windows Server 2012 R2 guest operating system

VMware Esx 4.0 or 4.1

• Not supported to run Windows Server 2012 or Windows Server 2012 R2
• Upgrade to higher version or deploy Windows Server 2012 Hyper-V

VMware Esx 5.0 or 5.1

Do take note the update is installed before deploy the guest operating system

• ESXi 5.0 Update 1, Update 2 or Update 3 to run Windows Server 2012 guest operating system
• ESXi 5.0 Update 2 to run Windows Server 2012 R2 guest operating system
• ESXi 5.1 support to run Windows Server 2012 guest operating system
• ESXi 5.1 or Update 1 to run Windows Server 2012 R2 guest operating system

VMware ESX 5.5

• Support to run Windows Server 2012 guest operating system
• Support to run Windows Server 2012 R2 guest operating system

Information about Vmware compatibility is gathered from here and here.

Integrate IP Address Management (IPAM) with VMM

 

Continuing from our previous post on configure IP Address Pool, next we are going to look on integrate IPAM with VMM. IPAM is an integrated tool to enable end to end planning, deploying, managing and monitoring of your IP address infrastructure from a central interface.

Purpose of the integrate IPAM and VMM:-

• Ensure the IP address settings that are associated with logical networks and virtual machine networks (VM networks) in VMM are kept in synchrony with settings that are stored in the IPAM server.

Scenario:-

• You need VMM 2012 R2
• Installed IPAM on a domain member server. Do not install IPAM on a domain controller. Make sure, this domain member server do not has DHCP roles install as well.

Configuration of IPAM

Just follow these steps as listed on the Server Manager once installed IPAM features

Summarization of the steps:-

• Use Server Manager to connect to IPAM
• Provision the IPAM Server, use Windows Internal Database and select Group Policy method as the provisioning method.
• Use Powershell to create group policy

Invoke-IpamGpoProvisioning -Domain ms4u.local -GpoPrefixName IPAM -IpamServerFqdn MS4U-IPAM01.ms4u.local -Force

• Configure server discovery by selecting your domain
• Start server discovery to detect DNS and DHCP in your environment.
• Once detected, set the server as “Managed”

• Refresh Server Access Status

• Once no error, you can start to “Retrieve All Server Data”"

• That should complete step 1- step 6 listed in Server Manager and you’ve install your 1st IPAM in your environment.

Next, let look on how to integrate IPAM with VMM

Integrate IPAM with VMM

1. Go to Fabric Workspace

2. Expand Networking | Network Service | Add Network Services

3. Next we will keep the configuration simple by highlighting those that is important

4. Select Microsoft (as manufacturer) and Model select as “Microsoft IPAM”

5. Define a RunAs Account which has the following right

• IPAM ASM Administrators: A local group that exists on all IPAM servers, and provides permissions for IP address space management (ASM).
• Remote Management Users: A built-in group that provides access to WMI resources through management protocols, such as WS-Management through the Windows Remote Management service.

6. On Connection string page, enter your <IPAM Server FQDN>

7. On Provider page, Select Microsoft IPAM Provider

8. Lastly Select Host Group for which you want to integration between IPAM and VMM.

After you add an IPAM server to your VMM configuration, you can use the IPAM server to configure and monitor logical networks and their associated network sites and IP address pools. You can also use the IPAM server to monitor the usage of VM networks that you have configured or changed in VMM. However, tenants must continue to use the VMM server (not IPAM) to configure VM networks that use network virtualization—in other words, to control the address space that is typically controlled by tenants rather than by VMM administrators.

Verification on IPAM Console

1. Use Server Manager

2. Navigate to IPAM

View the usage of the IP Pool. Currently the utilization is “Under”

Action that you can perform on the Pool of IP