Archive for the ‘Windows Server 2008’ Category


Quick-Take: How Virtual Backup Can Invite Disaster

August 1, 2012

There have always been things about virtualizing the enterprise that have concerned me. Most boil down to Uncle Ben’s admonishment to his nephew, Peter Parker, in Stan Lee’s Spider-Man, “with great power comes great responsibility.” Nothing could be more applicable to the state of modern virtualization today.

Back in “the day” when all this VMware stuff was scary and “complicated,” it carried enough “voodoo mystique” that (often defacto) VMware admins either knew everything there was to know about their infrastructure, or they just left it to the experts. Today, virtualization has reached such high levels of accessibility that I think even my 102 year old Nana could clone a live VM; now that is scary.

Enter Veeam Backup, et al

Case in point is Veeam Backup and Recovery 6 (VBR6). Once an infrastructure exceeds the limits of VMware Data Recovery (VDR), it just doesn’t get much easier to backup your cadre of virtual machines than VBR6. Unlike VDR, VBR6 has three modes of access to virtual machine disks:

  1. Direct SAN Access – the VBR6 backup server/proxy has direct access to the VMFS LUNs containing the virtual machine disks – very fast, very low overhead;
  2. Virtual Appliance – the VBR6 backup server/proxy, running as a virtual machine, uses its relationship to the ESXi host to access virtual machine disks with the ESXi host as a go-between – fast, moderate overhead;
  3. Network – the VBR6 backup server/proxy accesses virtual machine disks from the ESXi hosts over the LAN, much as the vSphere Client does – slower, with more overhead.

For block-based storage, option (1) appears to be the best way to go: it’s fast with very little overhead in the data channel. For those of us with grey hair, think VMware Consolidated Backup proxy server and you’re on the right track; for everyone else, think shared disk environment. And that, boys and girls, is where we come to the point of today’s lesson…

Enter Windows Server, Updates

For all of its warts, my favorite aspect of VMware Data Recovery is the fact that it is a virtual appliance based on a stripped-down Linux distribution. Those two aspects say “do not tamper” better than anything these days, so admins – especially Windows admins – tend to just install and use as directed. At the very least, the appliance factor offers an opportunity for “special case” handling of updates (read: very controlled and tightly scripted).

The other “advantage” to VMDR is that it uses a relatively safe method for accessing virtual machine disks: something more akin to VBR6’s “virtual appliance” mode of operation. By allowing the ESXi host(s) to “proxy” access to the datastore(s), a couple of things are accomplished:

  1. Access to VMDKs is protocol agnostic – direct attach, iSCSI, AoE, SAS, Fiber Channel and/or NFS all work the same;
  2. Unlike “Direct SAN Access” mode, no additional initiators need to be added to the target(s)’ ACL;
  3. If the host can access the VMDK, it stands a good chance of being backed-up fairly efficiently.

However, VBR6 installs onto a Windows Server and Windows Server has no knowledge of what VMFS looks like nor how to handle VMFS disks. This means Windows disk management needs to be “tweaked” to ignore VMFS targets by disabling “automount” in VBR6 servers and VCB proxies. For most, it also means keeping up with patch management and Windows Update (or appropriate derivative). For active backup servers with a (pre-approved, tested) critical update this might go something like:

  1. Schedule the update with change management;
  2. Stage the update to the server;
  3. Put server into maintenance mode (services and applications disabled);
  4. Apply patch, reboot;
  5. Mitigate patch issues;
  6. Test application interaction;
  7. Rinse, repeat;
  8. Release server back to production;
  9. Update change management.

See the problem? If Windows Server 2008 R2 SP1 is involved you just might have one right around step 5…

And the Wheels Came Off…

Service Pack 1 for Windows Server 2008 R2 requires an update to the BCD store on the (normally unmounted) System Reserved partition, so existing VCB or VBR5/6 installations, where automount has been disabled, will fail to install it. In an environment where there is no VCB or VBR5/6 testing platform, this could result in a resume writing event for the patching guy or the backup administrator if they follow Microsoft’s advice and “fix” SP1. Why?

Fixing the SP1 installation problem is quite simple:

Quick steps to do this in case you forgot are:

1.  Run DISKPART

2.  automount enable

3.  Restart

4.  Install SP1

Technet Blogs, Windows Servicing Guy, SP1 Fails with 0x800f0a12

Done, right? Possibly in more ways than one. By GLOBALLY enabling automount, rebooting Windows Server and installing SP1, you’ve opened-up the potential for Windows to write a signature to the VMFS volumes holding your critical infrastructure. Fortunately, it doesn’t have to end that way.

Avoiding the Avoidable

Veeam’s been around long enough to have some great forum participants from across the administrative spectrum. Fortunately, a member posted a solution method that keeps us well away from VMFS corruption and still solves the SP1 issue in a targeted way: temporarily mounting the “hidden” system partition instead of enabling the global automount feature. Here’s my take on the process (GUI mode):

  1. Inside Server Manager, open Disk Management (or run diskmgt.msc from admin cmd prompt);
  2. Right-click on the partition labeled “System Reserved” and select “Change Drive Letter and Paths…”
  3. On the pop-up, click the “Add…” button and accept the default drive letter offered, click “OK”;
  4. Now “try again” the installation of Service Pack 1 and reboot;
  5. Once SP1 is installed, re-run Disk Management;
  6. Right-click on the “System Reserved” partition and select “Change Drive Letter and Paths…”
  7. Click the “Remove” button to unmap the drive letter;
  8. Click “Yes” at the “Are you sure…” prompt;
  9. Click “Yes” at the “Do you want to continue?” prompt;
  10. Reboot (for good measure).

This process assumes that there are no non-standard deployments of the Server 2008 R2 boot volume. Of course, if there is no separate system reserved partition, you wouldn’t encounter the SP1 failure to install issue…
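The same targeted fix, scripted with DISKPART rather than clicked through Disk Management, as an added example that is not part of the original post or of Veeam’s tooling. It assumes a stock 2008 R2 layout with the 100 MB “System Reserved” partition and an elevated PowerShell prompt, and it refuses to proceed if automount is globally enabled, since that is exactly the state that lets Windows write a signature to a VMFS LUN.

```powershell
# Added example (not from the original post or from Veeam). Scripts the
# "mount System Reserved, install SP1, unmount" procedure with DISKPART.
# Assumes Windows Server 2008 R2 with the default "System Reserved" partition.

function Invoke-DiskPart {
    param([string[]]$Commands)
    # diskpart takes a script file via /s, one command per line.
    $script = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        & diskpart.exe /s $script | Out-String
    } finally {
        Remove-Item $script -ErrorAction SilentlyContinue
    }
}

function Get-AutomountState {
    # "automount" with no argument reports the current global setting; the
    # message text is assumed to be "Automatic mounting of new volumes enabled/disabled."
    $out = Invoke-DiskPart @('automount')
    if ($out -match 'new volumes disabled') { return 'disabled' }
    if ($out -match 'new volumes enabled')  { return 'enabled' }
    return 'unknown'
}

function Get-SystemReservedVolumeNumber {
    # "list volume" truncates labels to 11 characters, so the partition is
    # listed as "System Rese", not "System Reserved".
    $out = Invoke-DiskPart @('list volume')
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match '^\s*Volume\s+(\d+)\s.*System Rese') { return [int]$Matches[1] }
    }
    return $null
}

function Mount-SystemReserved {
    # Steps 1-3 of the GUI process: give the hidden partition a drive letter.
    # A bare "assign" lets diskpart pick the next free letter, like the GUI default.
    if ((Get-AutomountState) -ne 'disabled') {
        throw 'Automount is not disabled on this server; refusing to continue. ' +
              'Do not enable it globally on a host with SAN access to VMFS LUNs.'
    }
    $vol = Get-SystemReservedVolumeNumber
    if ($null -eq $vol) { throw 'No "System Reserved" volume found; this fix does not apply.' }
    Invoke-DiskPart @("select volume $vol", 'assign') | Out-Null
    Write-Host "System Reserved (volume $vol) now has a drive letter. Re-run the SP1 installer and reboot."
}

function Dismount-SystemReserved {
    # Steps 5-9 of the GUI process: take the letter away again once SP1 is in.
    $vol = Get-SystemReservedVolumeNumber
    if ($null -eq $vol) { throw 'No "System Reserved" volume found.' }
    Invoke-DiskPart @("select volume $vol", 'remove') | Out-Null
    Write-Host "Drive letter removed from volume $vol. Reboot for good measure."
}
```

Run Mount-SystemReserved before the SP1 attempt and Dismount-SystemReserved after the post-SP1 reboot; the global automount setting is never touched.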

SOLORI’s Take: The takeaway here is “consider your environment” (and the people tasked with maintaining it) before deploying Direct SAN Access mode into a VMware cluster. While it may represent “optimal” backup performance, it is not without its potential pitfalls (as demonstrated herein). Native access to SAN LUNs must come with a heavy dose of respect, caution and understanding of the underlying architecture: otherwise, I recommend Virtual Appliance mode (similar to Data Recovery’s take.)

While no VMFS volumes were harmed in the making of this blog post, the thought of what could have happened in a production environment chilled me into writing this post. Direct access to the SAN layer unlocks tremendous power for modern backup: just be safe and don’t forget to heed Uncle Ben’s advice! If the idea of VMFS corruption scares you beyond your risk tolerance, appliance mode will deliver acceptable results with minimal risk or complexity.


Quick-Take: NexentaStor 3.1.3 New AD Group Feature, Can Break AD Shares

June 12, 2012

The latest update of NexentaStor may not go too smoothly if you are using Windows Server 2008 AD servers and delegating shares via NexentaStor. While the latest update includes a long sought after fix in AD capabilities (see pull quote below) it may require a tweak to the CIFS Server settings to get things back on track.

Domain Group Support

It is now possible to allow Domain groups as members of local groups. When a Windows client authenticates with NexentaStor using a domain account, NexentaStor consults the domain controller for information about that user’s membership in domain groups. NexentaStor also computes group memberships based on its _local_ groups database, adding both local and domain groups based on local group memberships, which are allowed to be indirect. NexentaStor’s computation of group memberships previously did not correctly handle domain groups as members of local groups.

NexentaStor 3.1.3 Release Notes

In the past, some of NexentaStor’s in-place upgrades have reset the “lmauth_level” of the associated SMB share server from its user configured value back to a “default” of four (4). This did not work very well in an AD environment where the servers were Windows Server 2008 and running their native authentication mode. The fix was to change the “lmauth_level” to two (2) via the NMV or NMC (“sharectl set -p lmauth_level=2 smb”) and restart the service. If you have this issue, the giveaway kernel log entries are as follows:

smbd[7501]: [ID 702911 daemon.notice] smbd_dc_update: myad.local: locate failed
smbd[7501]: [ID 702911 daemon.notice] smbd_dc_monitor: domain service not responding

However, the rules have changed in some applications; Nexenta’s new guidance is:

Summary Description CIFS Issue

A recent patch release by Microsoft has necessitated a change to the CIFS authorization setting. Without changing this setting, customers will see CIFS disconnects or the appliance being unable to join the Active Directory domain. If you experience CIFS disconnects or problems joining your Active Directory domain, please modify the ‘lmauth_level’ setting.

# sharectl set -p lmauth_level=4 smb

– NexentaStor 3.1.3 Release Notes

While this may work for others out there, it does not work for any of my tested Windows Server 2008 R2, native AD mode servers. Worse, it appears to work with some shares, but not all; this can lead to some confusion about the actual cause (or resolution) of the problem based on the Nexenta release notes. Fortunately (or not, depending on your perspective), the genesis of NexentaStor is clearly heading toward an intersection with Illumos although the current kernel is still based on OpenSolaris (134f), and a post from OpenIndiana points users to the right solution.

(Jonathan Leafty) I always thought it was weird that lmauth_level had to be set to 2 so I bumped it back to the default of 3 and restarted smb and it worked...

(Gordon Ross) Glad you found that. I probably should have sent a "heads-up" when the "extended security outbound" enhancement went in. People who have adjusted down lmauth_level should put it back to the default.

– CIFS in Domain Mode (AD 2008), OpenIndiana Discussion Group (openindiana-discuss@openindiana.org)

Following the advice for OpenIndiana re-enabled all previously configured shares. This mode is also the default for Solaris, although NexentaStor continues to use a different one. According to the man pages for smb on Nexenta (‘man smb(4)’) the difference between ‘lmauth_level=3’ and ‘lmauth_level=4’ is as follows:

lmauth_level

Specifies the LAN Manager (LM) authentication level. The LM compatibility level controls the type of user authentication to use in workgroup mode or domain mode. The default value is 3.

The following describes the behavior at each level.

2 – In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends NTLM requests.

3 – In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

4 – In Windows workgroup mode, the Solaris CIFS server accepts NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

5 – In Windows workgroup mode, the Solaris CIFS server accepts LMv2 and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.

– Manpage for smb(4)

This illustrates either a continued dependency on LAN Manager (absent in ‘lmauth_level=4’) or a bug as indicated in the OpenIndiana thread. Either way, more testing is needed to determine whether this issue is unique to my particular 2008 AD environment or a general issue with the current smb/server facility in NexentaStor…

SOLORI’s Take: So while NexentaStor defaults back to ‘lmauth_level=4’ and ‘lmauth_level=2’ is now broken (for my environment), the “default” for OpenIndiana and Solaris (‘lmauth_level=3’) is a winner; as to why – that’s a follow-up question… Meanwhile, proceed with caution when upgrading to NexentaStor 3.1.3 if your appliance is integrated into AD – testing with the latest virtual appliance for the win.


In-the-Lab: Tweak 2008R2 post-clone for View Transfer Server

April 4, 2011

View Transfer Server supports Server 2008 R2 but does not support the use of the “default” virtual LSI Logic SAS controller. If you’ve already carved-out a cloning template using the LSI Logic SAS template, it is not necessary to create a new template (or fresh installation) just to spool-up a Transfer Server. In fact, it will take you TWO re-boots from clone completion to LSI Logic Parallel replacement.

CAUTION: You must configure the virtual machine that hosts View Transfer Server with an LSI Logic Parallel SCSI controller. You cannot use a SAS or VMware paravirtual controller.

On Windows Server 2008 virtual machines, the LSI Logic SAS controller is selected by default. You must change this selection to an LSI Logic Parallel controller before you install the operating system.

– VMware View Upgrades (EN-000526-00), Page 13

Here’s the process to take you from a completed Server 2008/R2 clone with LSI Logic SAS to LSI Logic Parallel, bypassing the Windows blue screen at boot:

  1. Clone your Server 2008/R2 server as normal,
  2. Shutdown clone and edit settings,
    1. Change Options>Advanced>Boot Options to “Force BIOS Setup” on next reboot;
    2. Hardware>Add…>Hard Disk>Create a new virtual disk>4GB, Thin Provisioning>SCSI(1:0)
    3. Hardware>SCSI Controller 1>Change Type…>LSI Logic Parallel
    4. Power-on

      Dropping-in a "dummy" LSI Logic Parallel disk to enable the drive controller for View Transfer Server.

  3. Boot the modified VM and (optionally) confirm new drive and controller
    1. Boot VM
    2. Modify boot order to ensure SAS boot priority

      Modify boot order in BIOS to ensure that the SAS controller is primary.

    3. (optional) Open Server Manager>Diagnostics>Device Manager
      1. View “Storage controllers”

        Confirming the operational status of both LSI controller types: Parallel and SAS.

    4. Shutdown
  4. Edit settings to modify boot and remove additional disk
    1. Hardware>SCSI Controller 0>Change Type…>LSI Logic Parallel
    2. Hard Disk 2>Remove>Remove from virtual machine and delete files from disk
      1. SCSI Controller 1 will automatically be removed
    3. Save and power-on
  5. Boot disk will now be LSI Logic Parallel

NOTE: In this example, the Server 2008/R2 VM is composed onto a single LSI Logic SAS disk (Hard Disk 1, SCSI controller 0). If your VM template is different, substitute your specific disk and/or controller numbers accordingly.

Nice, simple and now ready to install the View Transfer Server. Now on to the PCoIP Secure Gateway…


In-the-Lab: Default Rights on CIFS Shares

December 6, 2010

Following-up on the last installment of managing CIFS shares, there has been a considerable number of questions as to how to establish domain user rights on the share. From these questions it is apparent that my explanation about root-level share permissions could have been clearer. To that end, I want to look at default shares from a Windows SBS Server 2008 R2 environment and translate those settings to a working NexentaStor CIFS share deployment.

Evaluating Default Shares

In SBS Server 2008, a number of default shares are promulgated from the SBS Server. Excluding the “hidden” shares, these include:

  • Address
  • ExchangeOAB
  • NETLOGON
  • Public
  • RedirectedFolders
  • SYSVOL
  • UserShares
  • Printers

Therefore, it follows that a useful exercise in rights deployment might be to recreate a couple of these shares on a NexentaStor system and detail the methodology. I have chosen the NETLOGON and SYSVOL shares as these two represent default shares common in all Windows server environments. Here are their relative permissions:

NETLOGON

From the Windows file browser, the NETLOGON share has default permissions that look like this:

NETLOGON Share permissions

Looking at this same permission set from the command line (ICACLS.EXE), the permissions look like this:

NETLOGON permissions as reported from icacls

The key to observe here is the use of Windows built-in users and NT Authority accounts. Also, it is noteworthy that some administrative privileges are different depending on inheritance. For instance, the Administrators’ rights are less than “Full” permissions on the share itself, however they are “Full” when inherited by sub-dirs and files, whereas SYSTEM’s permissions are “Full” in both contexts.

SYSVOL

From the Windows file browser, the SYSVOL share has default permissions that look like this:

SYSVOL network share permissions

Looking at this same permission set from the command line (ICACLS.EXE), the permissions look like this:

SYSVOL permissions from ICACLS.EXE

Note that Administrators’ privileges are truncated (not “Full”) with respect to the inherited rights on sub-dirs and files when compared to the NETLOGON share ACL.

Create CIFS Shares in NexentaStor

On a ZFS pool, create a new folder using the Web GUI (NMV) that will represent the SYSVOL share. This will look something like the following:
Creating the SYSVOL share


In-the-Lab: Windows Server 2008 R2 Template for VMware

September 30, 2010

As it turns out, the reasonably simple act of cloning a Windows Server 2008 R2 (insert edition here) has been complicated by the number of editions, changes from the 2008 release through 2008 R2 as well as user profile management changes since its release. If you’re like me, you like to tweak your templates to limit customization steps in post-deployment. While most of these customizations can now be set up in group policies from AD, the deployment of non-AD members has become a lot more difficult – especially where custom defaults are needed or required.

Here’s my quick recipe to build a custom image of Windows Server 2008 R2 that has been tested with Standard, Enterprise and Foundation editions.

Create VM, use VMXNET3 as NIC(s), 40GB “thin” disk, using 2008 R2 Wizard

This is a somewhat “mix to taste” step. We use ISO images and encourage their use. The size of the OS volume will end-up being somewhere around 8GB of actual space-on-disk after this step, making 40GB sound like overkill. However, the OS volume will bloat-up to 18-20GB pretty quick after updates, roles and feature additions. Adding application(s) will quickly chew-up the rest.

  • Edit Settings… ->
    • Options -> Advanced -> General -> Uncheck “Enable logging”
    • Hardware -> CD/DVD Drive 1 ->
      • Click “Datastore ISO File”
        • Browse to Windows 2008 R2 ISO image
      • Check “Connect at power on”
    • Options -> Advanced -> Boot Options -> Force BIOS Setup
      • Check “The next time the virtual machine boots, force entry into the BIOS setup screen”
  • Power on VM
  • Install Windows Server 2008 R2

Use Custom VMware Tools installation to disable “Shared Folders” feature:

It is important that VMware Tools be installed next, if for no other reason than to make the rest of the process quicker and easier. The additional step of disabling “Shared Folders” is for ESX/vSphere environments where shared folders are not supported. Since this option is installed by default, it can/should be removed in vSphere installations.

  • VM -> Guest -> Install VMware Tools ->
    • Custom -> VMware Device Drivers -> Disable “Shared Folder” feature
  • Restart

Complete Initial Configuration Tasks:

Once the initial installation is complete, we need to complete the 2008 R2 basic configuration. If you are working in an AD environment, this is not the time to join the template to the domain as GPO conflicts may hinder manual template defaults. We’ve chosen a minimal package installation based on our typical deployment profile. Some features/roles may differ in your organization’s template (mix to taste).

  • Set time zone -> Date and Time ->
    • Internet Time -> Change Settings… -> Set to local time source
    • Date and Time -> Change time zone… -> Set to local time zone
  • Provide computer name and domain -> Computer name ->
    • Enterprise Edition: W2K8R2ENT-TMPL
    • Standard Edition: W2K8R2STD-TMPL
    • Foundation Edition: W2K8R2FND-TMPL
    • Note: Don’t join to a domain just yet…
  • Restart Later
  • Configure Networking
    • Disable QoS Packet Scheduler
  • Enable automatic updating and feedback
    • Manually configure settings
      • Windows automatic updating -> Change Setting… ->
        • Important updates -> “check for updates but let me choose whether to download and install them”
        • Recommended updates -> Check “Give me recommended updates the same way I receive important updates”
        • Who can install updates -> Uncheck “Allow all users to install updates on this computer”
      • Windows Error Reporting -> Change Setting… ->
        • Select “I don’t want to participate, and don’t ask me again”
      • Customer Experience Improvement Program -> Change Setting… ->
        • Select “No, I don’t want to participate”
  • Download and install updates
    • Bring to current (may require several reboots)
  • Add features (to taste)
    • .NET Framework 3.5.1 Features
      • Check WCF Activation, Non-HTTP Activation
        • Pop-up: Click “Add Required Features”
    • SNMP Services
    • Telnet Client
    • TFTP Client
    • Windows PowerShell Integrated Scripting Environment (ISE)
  • Check for updates after new features
    • Install available updates
  • Enable Remote Desktop
    • System Properties -> Remote
      • Windows 2003 AD
        • Select “Allow connections from computers running any version of Remote Desktop”
      • Windows 2008 AD (optional)
        • Select “Allow connections only from computers running Remote Desktop with Network Level Authentication”
  • Windows Firewall
    • Turn Windows Firewall on or off
      • Home or work location settings
        • Turn off Windows Firewall
      • Public network location settings
        • Turn off Windows Firewall
  • Complete Initial Configuration Tasks
    • Check “Do not show this window at logon” and close

Modify and Silence Server Manager

(Optional) Parts of this step may violate your local security policies, however, it’s more than likely that a GPO will ultimately override this configuration. We find it useful to have this disabled for “general purpose” templates – especially in a testing/lab environment where the security measures will be defeated as a matter of practice.

  • Security Information -> Configure IE ESC
    • Select Administrators Off
    • Select Users Off
  • Select “Do not show me this console at logon” and close

Modify Taskbar Properties

Making the taskbar usable for your organization is another matter of taste. We like smaller icons and maximizing desktop utility. We also hate being nagged by the notification area…

  • Right-click Taskbar -> Taskbar and Start Menu Properties ->
    • Taskbar -> Check “Use small icons”
    • Taskbar -> Customize… ->
      • Set all icons to “Only show notifications”
      • Click “Turn system icons on or off”
        • Turn off “Volume”
    • Start Menu -> Customize…
      • Uncheck “Use large icons”

Modify default settings in Control Panel

Some Control Panel changes will help “optimize” the performance of the VM by disabling unnecessary features like screen saver and power management. We like to see our corporate logo on server desktops (regardless of performance implications) so now’s the time to make that change as well.

  • Control Panel -> Power Options -> High Performance
    • Change plan settings -> Turn off the display -> Never
  • Control Panel -> Sound ->
    • Pop-up: “Would you like to enable the Windows Audio Service?” – No
    • Sound -> Sounds -> Sound Scheme: No Sounds
    • Uncheck “Play Windows Startup sound”
  • Control Panel -> VMware Tools -> Uncheck “Show VMware Tools in the taskbar”
  • Control Panel -> Display -> Change screen saver -> Screen Saver -> Blank, Wait 10 minutes
  • Change default desktop image (optional)
    • Copy your desktop logo background to a public folder (e.g. “c:\Users\Public\Public Pictures”)
    • Control Panel -> Display -> Change desktop background -> Browse…
    • Find picture in browser, Picture position stretch

Disable Swap File

Disabling swap will allow the defragment step to be more efficient and will disable VMware’s advanced memory management functions. This is only temporary and we’ll be enabling swap right before committing the VM to template.

  • Computer Properties -> Visual Effects -> Adjust for best performance
  • Computer Properties -> Advanced System Settings ->
    • System Properties -> Advanced -> Performance -> Settings… ->
    • Performance Options -> Advanced -> Change…
      • Uncheck “Automatically manage paging file size for all drives”
      • Select “No paging file”
      • Click “Set” to disable swap file

Remove hibernation file and set boot timeout

It has been pointed out that the hibernation and timeout settings will get re-enabled by the sysprep operation. Removing the hibernation file now will help the defragment step. We’ll reinforce these steps in the customization wizard later.

  • cmd: powercfg -h off
  • cmd: bcdedit /timeout 5

Disable indexing on C:

Indexing the OS disk can suck performance and increase disk I/O unnecessarily. Chances are, this template (when cloned) will be heavily cached on your disk array so indexing in the OS will not likely benefit the template. We prefer to disable this feature as a matter of practice.

  • C: -> Properties -> General ->
    • Uncheck “Allow files on this drive to have contents indexed in addition to file properties”
    • Apply -> Apply changes to C:\ only (or files and folders, to taste)

Housekeeping

Time to clean-up and prepare for a streamlined template. The first step is intended to aid the copying of “administrator defaults” to “user defaults.” If this does not apply, just defragment.

Remove “Default” user settings:

  • C:\Users -> Folder Options -> View -> Show hidden files…
  • C:\Users\Default -> Delete “NTUser.*” Delete “Music, Pictures, Saved Games, Videos”

Defragment

  • C: -> Properties -> Tools -> Defragment Now…
    • Select “(C:)”
    • Click “Defragment disk”

Copy Administrator settings to “Default” user

The “formal” way of handling this step requires a third-party utility. We’re giving credit to Jason Samuel for consolidating other bloggers’ methods because he was the first to point out the importance of the “unattend.xml” file and it really saved us some time. His blog post also includes a link to an example “unattend.xml” file that can be modified for your specific use, as we have.

  • Jason Samuel points out a way to “easily” copy Administrator settings to defaults, by activating the CopyProfile node in an “unattend.xml” file used by sysprep.
  • Copy your “unattend.xml” file to C:\windows\system32\sysprep
  • Edit unattend.xml for environment and R2 version
    • Update offline image pointer to correspond to your virtual CD
      • E.g. wim:d:… -> wim:f:…
    • Update OS offline image source pointer, valid sources are:
      • Windows Server 2008 R2 SERVERDATACENTER
      • Windows Server 2008 R2 SERVERDATACENTERCORE
      • Windows Server 2008 R2 SERVERENTERPRISE
      • Windows Server 2008 R2 SERVERENTERPRISECORE
      • Windows Server 2008 R2 SERVERSTANDARD
      • Windows Server 2008 R2 SERVERSTANDARDCORE
      • Windows Server 2008 R2 SERVERWEB
      • Windows Server 2008 R2 SERVERWEBCORE
      • Windows Server 2008 R2 SERVERWINFOUNDATION
    • Any additional changes necessary
  • NOTE: now would be a good time to snapshot/backup the VM
  • cmd: cd \windows\system32\sysprep
  • cmd: sysprep /generalize /oobe /reboot /unattend:unattend.xml
    • Check “Generalize”
    • Shutdown Options -> Reboot
  • Login
  • Skip Activation
  • Administrator defaults are now system defaults
  • Reset Template Name
    • Computer Properties -> Advanced System Settings -> Computer name -> Change…
      • Enterprise Edition: W2K8R2ENT-TMPL
      • Standard Edition: W2K8R2STD-TMPL
      • Foundation Edition: W2K8R2FND-TMPL
    • If this will be an AD member clone, join template to the domain now
    • Restart
  • Enable Swap files
    • Computer Properties -> Advanced System Settings ->
      • System Properties -> Advanced -> Performance -> Settings… ->
      • Performance Options -> Advanced -> Change…
        • Check “Automatically manage paging file size for all drives”
  • Release IP
    • cmd: ipconfig /release
  • Shutdown
  • Convert VM to template
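Before running sysprep it is worth checking the edited unattend.xml for the three things the list above changes, since a wrong drive letter, a mistyped edition name or a missing CopyProfile only surfaces later as a “pass [specialize]” failure. The checker below is an added example, not part of the original post or of Jason Samuel’s files; it assumes the Windows SIM layout, i.e. an offline image pointer of the form `cpi:source="wim:f:/sources/install.wim#Windows Server 2008 R2 SERVERSTANDARD"` and a `<CopyProfile>true</CopyProfile>` element inside `<settings pass="specialize">`.

```powershell
# Added example (not from the original post). Sanity-checks unattend.xml
# before sysprep: the offline image pointer must name a drive that holds
# install.wim, the edition string must be a valid 2008 R2 image name, and
# CopyProfile must be true in the specialize pass. Assumes the Windows SIM
# file layout described in the lead-in.

$ValidEditions = @(
    'Windows Server 2008 R2 SERVERDATACENTER',
    'Windows Server 2008 R2 SERVERDATACENTERCORE',
    'Windows Server 2008 R2 SERVERENTERPRISE',
    'Windows Server 2008 R2 SERVERENTERPRISECORE',
    'Windows Server 2008 R2 SERVERSTANDARD',
    'Windows Server 2008 R2 SERVERSTANDARDCORE',
    'Windows Server 2008 R2 SERVERWEB',
    'Windows Server 2008 R2 SERVERWEBCORE',
    'Windows Server 2008 R2 SERVERWINFOUNDATION'
)

function Test-UnattendXml {
    param(
        [string]$Path = 'C:\Windows\System32\sysprep\unattend.xml',
        [switch]$SkipDriveCheck   # when checking the file somewhere other than the template VM
    )
    $problems = @()
    $text = [System.IO.File]::ReadAllText($Path)   # works on PowerShell 2.0 (no Get-Content -Raw)

    # 1. Offline image pointer: wim:<drive>:/sources/install.wim#<edition>
    if ($text -match 'cpi:source="wim:([a-zA-Z]):/sources/install\.wim#([^"]+)"') {
        $drive   = $Matches[1].ToUpper()
        $edition = $Matches[2]
        if ($ValidEditions -notcontains $edition) {
            $problems += "Unknown edition '$edition' in the offline image pointer (typo or wrong R2 image name)."
        }
        $wim = "${drive}:\sources\install.wim"
        if (-not $SkipDriveCheck -and -not (Test-Path $wim)) {
            $problems += "Offline image pointer uses drive $drive but $wim is not there; is the R2 ISO still mounted on that letter?"
        }
    } else {
        $problems += 'No cpi:offlineImage source of the form wim:<drive>:/sources/install.wim#<edition> found.'
    }

    # 2. CopyProfile must be true, and it only takes effect in the specialize pass
    $specialize = [regex]::Match($text, '(?s)<settings\s+pass="specialize">.*?</settings>')
    if (-not $specialize.Success) {
        $problems += 'No <settings pass="specialize"> section found.'
    } elseif ($specialize.Value -notmatch '<CopyProfile>\s*true\s*</CopyProfile>') {
        $problems += 'CopyProfile is not true in the specialize pass; Administrator settings will not be copied to the default profile.'
    }

    return $problems   # empty means "go ahead and run sysprep"
}

# Usage, from the template VM right before the sysprep step:
$issues = Test-UnattendXml
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'unattend.xml looks sane' }
```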

Convert VM Template to Clone

Use the VMware Customization Wizard to create a re-usable script for cloning the template. Now’s a good time to test that your template will create a usable clone. If it fails, go check the “red letter” items and make sure your setup is correct. The following hints will help improve your results.

  • Remove hibernation related files and reset boot delay to 5 seconds in Customization Wizard
  • Remember that the ISO is still mounted by default. Once VM’s are deployed from the template, it should be removed after the customization process is complete and additional roles/features are added.

That’s the process we have working at SOLORI. It’s not rocket science, but if you miss an important step you’re likely to be visited by an error in “pass [specialize]” that will have you starting over. Note: this also happens when your AD credentials are bad, your license key is incorrect (version/edition mismatch, typo, etc.) or other nondescript issues – too bad the error code is unhelpful…


Short-Take: SQL Performance Notes

September 15, 2010

Here are some Microsoft SQL performance notes from discussions that inevitably crop-up when discussing SQL storage:

  1. Where do I find technical resources for the current version of MS SQL?
  2. I’m new to SQL I/O performance, how can I learn the basics?
  3. The basics talk about SQL 2000, but what about performance considerations due to changes in SQL 2005?
  4. How does using SQL Server 6.x versus SQL Server 7.0 change storage I/O performance assumptions?
  5. How does TEMPDB affect storage (and memory) requirements and architecture?
  6. How does controller and disk caching affect SQL performance and data integrity?
  7. How can I use NAS for storage of SQL database in a test/lab environment?
  8. What additional considerations are necessary to implement database mirroring in SQL Server?
  9. When do SQL dirty cache pages get flushed to disk?
  10. Where can I find Microsoft’s general reference sheet on SQL I/O requirements for more information?

From performance tuning to performance testing and diagnostics:

  1. I’ve heard that SQLIOStress has been replaced by SQLIOSim: where can I find out about SQLIOSim to evaluate my storage I/O system before application testing?
  2. How do I diagnose and detect “unreported” SQL I/O problems?
  3. How do I diagnose stuck/stalled I/O problems in SQL Server?
  4. What are Bufwait and Writelog Timeout messages in SQL Server indicating?
  5. Can I control SQL Server checkpoint behavior to avoid additional I/O during certain operations?
  6. Where can I get the SQLIO benchmark tool to assess the potential of my current configuration?

That should provide a good half-day’s reading for any storage/db admin…

h1

NexentaStor CIFS Shares with Active Directory Authentication

June 15, 2010

Sharing folders in NexentaStor is pretty easy in Workgroup mode, but Active Directory integration takes a few extra steps. Unfortunately, it’s not (yet) as easy as point-and-click, but it doesn’t have to be too difficult either. (The following assumes/requires that the NexentaStor appliance has been correctly configured in and joined to Active Directory.)

Typical user and group permissions for a local hard disk in Windows.

Let’s examine the case where a domain admin group will have “Full Control” of the share, and “Everyone” will have read/execute permissions. This is a typical use case where a single share contains multiple user directories under administrative control. It’s the same configuration as local disks in a Windows environment. For our example, we’re going to mimic this setup using a CIFS share from a NexentaStor CE appliance and create the basic ACL to allow for Windows AD control.

For this process to work, we need to join the NexentaStor appliance to the Active Directory Domain. The best practice is to create the machine account in AD first, assign control user/group rights (if possible) and then attempt to join. It is IMPORTANT that the host name and DNS configuration of the NexentaStor appliance match domain norms, or things will come crashing to a halt pretty quickly.

That said, assuming that your DC is 1.1.1.1 and your BDC is 1.1.1.2 with a “short” domain of “SOLORI” and a FQDN of “SOLORI.MSFT” your NexentaStor’s name server configuration (Settings->Network->Name Servers) would look something like this:

This is important because the AD queries will pull service records from the configured domain name servers. If these point to an “Internet” DNS server, the AD entries may not be reflected in that server’s database and AD authentication (as well as join) will fail.

The other way the NexentaStor appliance knows what AD Domain to look into is by its own host name. For AD authentication to work properly, the NexentaStor host name must reflect the AD domain. For example, if the FQDN of your AD domain is “SOLORI.MSFT” then your domain name on the appliance would be configured like this (Appliance->Basic Settings->Domainname):

The next step is to create the machine account in AD using “Active Directory Users and Computers” administrator’s configuration tool. Find your domain folder and right-click “Computers” – select New->Computer from the menu and enter the computer name (no domain). The default user group assigned to administrative control should be Domain Admins. Since this works for our example, no changes are necessary so click “OK” to complete.

Now it’s time to join the AD domain from NexentaStor. Any user with permissions to join a machine to the domain will do. Armed with that information, drill down to Data Management->Shares->CIFS Server->Join AD/DNS Server and enter the AD/DNS server, AD user and user password into the configuration box:

If your permissions and credentials are good, your NexentaStor appliance is now a member of your domain. As such, it can now identify AD users and groups by unique gid and uid data created from AD. This gid and uid information will be used to create our ACLs for the CIFS share.

To uncover the gid for the “Domain Admins” and “Domain Users” groups, we issue the following from the NexentaStor NMC (CLI):

nmc@san01:/$ idmap dump -n | grep "Domain Admins"
wingroup:Domain Admins@solori.msft     ==      gid:3036392745
nmc@san01:/$ idmap dump -n | grep "Domain Users"
wingroup:Domain Users@solori.msft     ==      gid:1238392562

Now we can construct a CIFS share (with anonymous read/write disabled) and apply the Domain Admin gid to an ACL – just click on the share, and then click “(+) Add Permissions for Group”:

Applying administrative permissions with the AD group ID for Domain Admins.

We do similarly with the Domain User gid:

Applying the Domain User gid to CIFS share ACL.

Note that the “Domain Users” group gets only “execute” and “read” permissions while the “Domain Admins” group gets full control – just like the local disk! Now, with CIFS sharing enabled and the ACL suited to our AD authentication, we can access the share from any domain machine provided our user is in the Domain Users or Admins group.

Administrators can now create “personal” folders and assign detailed user rights just as they would do with any shared storage device. The only trick is in creating the initial ACL for the CIFS share – as above – and you’ve successfully integrated your NexentaStor appliance into your AD domain.
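Two of the steps above are easy to get wrong by hand: copying the right gid out of the idmap dump, and making sure the appliance’s host name actually sits inside the AD domain before the join is attempted. The following is an added example script (not part of the original post, and not NexentaStor’s own tooling) that does both checks offline. The idmap output it parses is a constructed sample in the same layout the NMC prints; the host name san01.solori.msft and the third winuser line are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: parse "idmap dump -n" style output for a group's ephemeral gid
# and sanity-check the appliance host name against the AD domain before joining.
# Nothing here contacts a real appliance or domain controller.

# Constructed sample of "idmap dump -n" output (same layout as in the post;
# the winuser line is made up to show that non-group lines are ignored).
SAMPLE_IDMAP='wingroup:Domain Admins@solori.msft     ==      gid:3036392745
wingroup:Domain Users@solori.msft     ==      gid:1238392562
winuser:jdoe@solori.msft     ==      uid:2147483650'

# idmap_gid DUMP GROUP
# Prints the gid mapped to the Windows group GROUP (exact, case-insensitive
# match on the name before '@'). Exit status 1 when no such mapping exists,
# so a typo in the group name cannot silently yield an empty ACL entry.
idmap_gid() {
    dump=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$dump" | awk -v want="$want" '
        /^wingroup:/ {
            # Drop the "wingroup:" prefix, then take the name before "@"
            line = substr($0, 10)
            at = index(line, "@")
            name = tolower(substr(line, 1, at - 1))
            if (name == want) {
                # "gid:NNN" is the last whitespace-separated field
                sub(/^gid:/, "", $NF)
                print $NF
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# host_in_domain HOSTNAME DOMAIN
# Succeeds only when HOSTNAME ends with ".DOMAIN" (case-insensitive), i.e. the
# appliance FQDN lives inside the AD domain it is about to join. This is the
# host-name rule the post calls IMPORTANT, expressed as a check.
host_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$dom" ] || return 1
    case $host in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo on the constructed sample. On a real appliance, replace SAMPLE_IDMAP
# with the output of "idmap dump -n" from the NMC.
admins_gid=$(idmap_gid "$SAMPLE_IDMAP" "Domain Admins") || admins_gid=MISSING
users_gid=$(idmap_gid "$SAMPLE_IDMAP" "Domain Users") || users_gid=MISSING
printf 'Domain Admins gid: %s (full control)\n' "$admins_gid"
printf 'Domain Users  gid: %s (read/execute)\n' "$users_gid"
if host_in_domain "san01.solori.msft" "SOLORI.MSFT"; then
    echo "host name is inside the AD domain: ok to join"
else
    echo "host name is outside the AD domain: fix Domainname before joining" >&2
fi
```

The group lookup is exact rather than a `grep` substring match, so a name such as “Domain Admins” cannot accidentally pick up a differently named group that merely contains those words, and a missing mapping fails loudly instead of producing a blank gid to paste into the ACL dialog.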

NOTE: If you’re running Windows Server 2008 (or SBS 2008) as your AD controller, you will need to update the share mode prior to joining the domain using the following command (from root CLI):

# sharectl set -p lmauth_level=2 smb

NOTE: I’ve also noticed that, upon reboot of the appliance (i.e. after a major update of the kernel/modules) your ephemeral id mapping takes some time to populate, during which time authentication to CIFS shares can fail. This appears to have something to do with the state of ephemeral-to-SID mapping after reboot.

To enable the mapping of unresolvable SIDs, do the following:

$ svccfg -s idmap setprop config/unresolvable_sid_mapping = boolean: true
$ svcadm refresh idmap