WMI Filter Features on Demand GPO

Last week, Yung Chou from Microsoft put up a post about using Group Policy to provide Features on Demand for Windows Server 2012 R2 and how this can help in restricted environments where servers don’t have access to Windows Update to retrieve on-demand features such as .NET Framework 3.5 or where you don’t want to be left manually providing UNC paths to operating system media.

This is certainly true, and even if you aren’t in a restricted environment it is worth doing because it makes it much easier for administrators to add certain roles and features to Windows Server. The one point missed from the post, however, is that you will probably want to WMI filter this Group Policy Object so that only Windows Server 2012 R2 operating systems can read it and apply the policy setting.

I’m not going to walk through the process of creating a WMI Filter and applying it to a GPO as that’s pretty simple stuff but finding the right query to craft can sometimes be a challenge so here you go:

SELECT ProductType, Version FROM Win32_OperatingSystem WHERE (Version LIKE "6.3%") AND (ProductType = "2" OR ProductType = "3")

This query picks out Windows Server 2012 R2 with the Version LIKE "6.3%" syntax; however, on its own that clause would also evaluate true on Windows 8.1 client machines, so the addition of ProductType equals 2 or 3 means that only server types are matched.

This filter can be used for targeting any GPO that requires Windows Server 2012 R2 specifically. If you wanted to craft a WMI Filter which explicitly calls out Windows 8.1 instead then simply replace ProductType 2 or 3 with ProductType equals 1.
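Before linking the filter to a GPO it is worth confirming that the query evaluates the way you expect on a real server and a real client. The following PowerShell function is an added example, not part of the original post; it runs the same WQL through CIM on one or more machines (the function name and its parameters are my own) and reports what each machine returns alongside the raw Version and ProductType so a non-match can be explained.

```powershell
function Test-ServerTargetFilter {
    [CmdletBinding()]
    param(
        # Machines to evaluate; defaults to the local machine (remote names go over WinRM)
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Same WQL as the filter in the post; use ProductType = "1" instead to target Windows 8.1
        [string]$Query = 'SELECT ProductType, Version FROM Win32_OperatingSystem ' +
                         'WHERE (Version LIKE "6.3%") AND (ProductType = "2" OR ProductType = "3")'
    )
    foreach ($computer in $ComputerName) {
        # Only pass -ComputerName for remote targets so the local check does not depend on WinRM
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }

        # What the machine actually reports, so a non-match can be explained
        $os = Get-CimInstance -ClassName Win32_OperatingSystem @target

        # Group Policy treats a WMI filter as true when the query returns at least one instance
        $hits = @(Get-CimInstance -Query $Query @target)

        [pscustomobject]@{
            ComputerName = $computer
            Caption      = $os.Caption
            Version      = $os.Version
            ProductType  = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = server
            FilterMatch  = ($hits.Count -gt 0)
        }
    }
}
```

Run it with a Server 2012 R2 host and a Windows 8.1 client in the list and you should see FilterMatch True for the former and False for the latter; a False on a server usually means a different Version prefix than expected.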


License Types with Automatic Virtual Machine Activation

A couple of weeks ago, I posted an article on how to use Automatic Virtual Machine Activation (AVMA) with Windows Server 2012 R2 and Hyper-V. I wanted to follow this up with a brief note on license types Microsoft provide and how they seem to work with AVMA.

In production environments you will be using keys purchased through either a Select, Volume License or other commercial agreement and in test and development, you may well be using keys from MSDN or TechNet according to how you operate.

It appears through some testing I did that AVMA only works with operating system media and license keys obtained through volume license channels, and that for operating system source media downloaded from TechNet or MSDN, the AVMA client key will not be accepted as a valid one. This is especially worth noting if you are using VMM to automate the deployment of a virtual machine onto Hyper-V, as the result will be that steps in the VMM virtual machine creation process fail after the Customizing Virtual Machine phase. Connecting to the newly spawned VM with either the Connect via Console option in VMM or from Hyper-V Manager will reveal the machine is stuck at the license key entry step of the operating system OOBE process.

If you are using a single VMM instance to manage your production and test and development clouds and guest workloads, and you plan on using AVMA for virtual machine activation, then you will need to have provisioned separate virtual machine templates and Guest OS Profiles in your VMM library for your various environments, using the respective media from TechNet, MSDN or volume license, to be able to properly complete an automated VMM virtual machine deployment.

Mixing TP-Link Switches and Cisco SFP Modules

Some time ago, I posted reviews of my use of two TP-Link switches to operate my home network. To recap briefly, I use a TP-Link TL-SG3424 as my core switch and a TP-Link TL-SG3210 as my access switch. Both switches are Gigabit Ethernet across every port, which I love. The pair of switches cost me under £200 new.

Recently I’ve deployed some extra devices into my home office, leaving the TL-SG3210 a little short of free ports (as in none), so I was interested in moving my two LAG trunk ports onto the SFP Mini-GBIC modules to free up two ports. Taking a look at the TP-Link Media Converters and Modules page at http://uk.tp-link.com/products/?categoryid=225 reveals that they do produce fibre modules but nothing for Ethernet, which had me a little worried about the future of my eight port home office switch.

Determined not to be beaten, and not wanting to fork out to lay fibre through my house or buy a new, larger switch, I decided to take a punt on buying two used but functional Cisco GLC-T= SFP modules. These are 1000BaseT Gigabit Ethernet modules taking copper connectivity as opposed to fibre (or fiber depending on your preference). With Mini-GBIC SFP being an industry standard, I figured it must work right?

The good news, folks, is that it does work. The Cisco modules work just great and I’ve got four of the modules now. I am using a pair of them at either end of my LAG for consistency, so I’m connecting SFP to SFP, and I’ve had no issues with them at all.

Hyper-V Integration Services Error in VMM 2012 R2

When working with System Center Virtual Machine Manager 2012 R2 recently, I encountered an issue whereby deploying a Windows Server 2012 R2 virtual machine from template worked great but deploying a Windows Server 2008 R2 virtual machine from template reported a failure in the VMM Jobs view. The error shown is that Hyper-V Integration Services reported an error installing and generated the error code 60001.

When working with virtual guests it is important to check the requirements for the guest operating system. In this incident, the issue was caused by using Windows Server 2008 R2 as the guest operating system: as per the About Virtual Machines and Guest Operating Systems page on TechNet at http://technet.microsoft.com/en-us/library/cc794868(v=ws.10).aspx, Windows Server 2008 R2 guests must be running Service Pack 1.

After using an updated template with Service Pack 1 incorporated, the error no longer occurs when deploying the guest operating system. A lesson to us all to double check everything. I had assumed that the .iso file I was using for Windows Server 2008 R2 incorporated Service Pack 1; however, clearly on this occasion, it didn’t.

Automatic Virtual Machine Activation with Windows Server 2012 R2

Previously, I have posted articles on updates released for KMS host to allow you to volume activate Windows 8.1 and Windows Server 2012 R2 and Windows 8 and Windows Server 2012. These have been two of my most popular posts so volume licensing and activation is clearly something people need and want to know about.

To help celebrate Valentine’s Day, I thought I would share some more licensing love with you all and introduce a new feature in Windows Server 2012 R2 called Automatic Virtual Machine Activation (AVMA). This new feature allows customers using Windows Server 2012 R2 Hyper-V virtualization and Windows Server 2012 R2 guest operating systems running as Hyper-V virtual machines to activate their guest operating systems not with a KMS host as normal but instead by using the hypervisor.

In essence, your Hyper-V server becomes your KMS host for your virtual machines. This allows you to keep, track and record all of your virtual machine licensing in your virtual environment. This is also great for hosters or companies running internal private clouds where you may have an infrastructure network consisting of an Active Directory Domain Services domain and KMS host for your servers but not for your customer servers, virtual guests on the Hyper-V servers which have no access to your hosting infrastructure.

The requirements for AVMA to work are as follows:

  • Windows Server 2012 R2 Server with the Hyper-V role installed
  • Windows Server Datacenter license applied to the Hyper-V host (either by a network KMS host or a MAK key)
  • Windows Server 2012 R2 guest operating system
  • Data Exchange Integration Service is enabled for the virtual guest

License the Hyper-V Host Server

If your environment is licensed using a Windows KMS host, you can enter the command cscript slmgr.vbs -ipk W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9 to install the Windows Server 2012 R2 Datacenter KMS client key on the Hyper-V host. If you are using MAK keys for single activations then use the command cscript slmgr.vbs -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX and replace the X’s with your MAK key for Windows Server 2012 R2 Datacenter. If you use KMS licensing, please bear in mind that this KMS activation needs to be renewed quite frequently so the KMS host needs to remain on the network and online.

To verify the license status of the Hyper-V host server, you can use the command cscript slmgr.vbs -dlv to display the current license type and the activation status.

License the Virtual Guest Server

Manual Virtual Guest Activation

Once your host server is activated, you can start doing guest activations from the Hyper-V host server. To do this manually, enter the command cscript slmgr.vbs -ipk YYYYY-YYYYY-YYYYY-YYYYY-YYYYY and replace the Y’s with one of the following AVMA client keys according to your guest operating system edition.

Windows Server 2012 R2 Datacenter Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TV
Windows Server 2012 R2 Standard DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows Server 2012 R2 Essentials K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

Once this is done, entering the command cscript slmgr.vbs -dlv will show you that the description for the licensing activation is Windows(R) Operating System, VIRTUAL_MACHINE_ACTIVATION and the Hyper-V hostname which performed the activation for the guest will be displayed further down the output.
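For guests you are touching by hand or from a post-deployment script, the two slmgr.vbs steps above can be wrapped so that the edition is detected, the matching AVMA key from the table is installed, and the -dlv output is checked for the VIRTUAL_MACHINE_ACTIVATION description. This PowerShell is an added example and not code from the post; the function names are my own, the keys are the ones listed above, and the failure branch covers the case from the License Types post where media from TechNet or MSDN rejects the AVMA key.

```powershell
# AVMA client keys from the post, keyed on the edition word that Win32_OperatingSystem.Caption contains
$AvmaKeys = @{
    'Datacenter' = 'Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TV'
    'Standard'   = 'DBGBW-NPF86-BJVTX-K3WKJ-MTB6V'
    'Essentials' = 'K2XGM-NMBT3-2R6Q8-WF2FK-P36R2'
}

function Invoke-Slmgr {
    # Runs the same cscript slmgr.vbs command the post uses and returns its text output
    param([Parameter(Mandatory)][string[]]$Arguments)
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    & cscript.exe //Nologo $slmgr @Arguments 2>&1 | Out-String
}

function Set-AvmaActivation {
    [CmdletBinding()]
    param()
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # AVMA client keys are for Windows Server 2012 R2 (6.3) guests only
    if ($os.Version -notlike '6.3*' -or $os.ProductType -eq 1) {
        throw "Not a Windows Server 2012 R2 guest: $($os.Caption)"
    }
    $edition = $AvmaKeys.Keys | Where-Object { $os.Caption -match $_ } | Select-Object -First 1
    if (-not $edition) { throw "No AVMA key known for edition: $($os.Caption)" }

    # Equivalent of: cscript slmgr.vbs -ipk <AVMA client key>
    $ipk = Invoke-Slmgr -Arguments @('-ipk', $AvmaKeys[$edition])
    if ($ipk -notmatch 'Installed product key') {
        # This is the symptom seen with TechNet/MSDN media: the key is reported as invalid
        throw "AVMA key for $edition was not accepted: $($ipk.Trim())"
    }

    # Equivalent of: cscript slmgr.vbs -dlv; AVMA guests show VIRTUAL_MACHINE_ACTIVATION in the description
    $dlv = Invoke-Slmgr -Arguments @('-dlv')
    $status = if ($dlv -match 'License Status:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Edition       = $edition
        AvmaChannel   = ($dlv -match 'VIRTUAL_MACHINE_ACTIVATION')
        LicenseStatus = $status   # activation over the VMBus can take a moment after -ipk
        Details       = $dlv
    }
}
```

Run Set-AvmaActivation from an elevated prompt inside the guest; if AvmaChannel is True but LicenseStatus is not yet Licensed, re-run cscript slmgr.vbs -dlv after a short wait and confirm the Data Exchange integration service is enabled on the host.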

Automated New Virtual Guest Activation

If you are in a new build greenfield environment then you can use the AVMA client keys shown above as part of your operating system build and deployment process. You can do this in a number of ways, such as manually as part of a GUI-driven Windows Server 2012 R2 installation, via an unattend.xml file incorporated into your installation media (whether used manually, via Windows Deployment Services (WDS) or via System Center Configuration Manager (SCCM) Operating System Deployment), or by using the AVMA client key on a sysprepped virtual machine template. If you are maximizing your investment in Hyper-V and Windows Server, you can use this license key in your System Center Virtual Machine Manager (SCVMM) VM Templates and Guest OS Profiles.

Automated Existing Virtual Guest Activation

If you’ve got existing virtual machines running Windows Server 2012 R2 that you want to move from KMS or MAK to AVMA licensing, but you don’t want to do it manually, either because you have too many systems to touch or because you want it done in a consistent and automated fashion, then my colleague Craig Taylor has written a post on how he used the Windows Task Scheduler to deliver a single run task onto all of the virtual machines in a VMM managed environment to update the key and activate the machines. You can read Craig’s post over on his blog at Remote activation of Windows Server Licensing via PowerShell (sort of).

Unknown VMBUS Devices in Device Manager

If you deploy AVMA licensing into your environment, you may want to have a look at this post by Aidan Finn who has come across an issue whereby Unknown Device (VMBUS) appears in the Device Manager for some Windows Server 2012 R2 machines. There’s nothing to worry about as this is a byproduct of the AVMA process but something you will probably want to be aware of. His post is at KB2925727 – Unknown Device (VMBUS) In Device Manager In Virtual Machine For WS2012 R2 AVMA.

SQL 2012 and System Center 2012 R2 Guide

Over on the TechNet Gallery a great new guide has been published titled SQL 2012 and System Center 2012 R2. The guide delves into the configuration of SQL Server best practice, how to deploy SQL Server and how to protect SQL Server, all specifically focused around using SQL Server with System Center 2012 R2 products such as Virtual Machine Manager (SCVMM), Operations Manager (SCOM), Orchestrator (SCO). The guide also looks at SQL Server 2012 AlwaysOn HADR, Hyper-V Replica and SQL Azure.

You can download the guide from http://gallery.technet.microsoft.com/SQL-2012-and-System-Center-553b5161.

The guide has been published and largely written by Paul Keely, Microsoft Private Cloud and Datacenter MVP (@paul_keely). The guide is really good, however in the interests of honesty, the contributors on this book, aside from Robert all work for Infront Consulting, my employers. Paul Keely is also my Principal Consultant for Infront Consulting Europe.

The guide has been contributed to additionally by other people including myself, Craig Taylor (@LupoLoopy), Matthew Long (@MatthewLongUK), Pete Zerger (@pzerger) and Robert Hedblom (@RobertandDPM).

WordPress Database Index with SQL Azure

As part of moving my online services between two Windows Azure subscriptions last week, I did some upgrades to the blog including moving the database to Windows Azure SQL (SQL Azure). To facilitate this, I’m using the WP DB Abstraction plugin for WordPress available from http://wordpress.org/plugins/wordpress-database-abstraction/. Using this plugin does take a bit of guts, I hasten to add, as it hasn’t been updated in over two years and it will prevent some plugins from functioning, but for core WordPress it’s great.

After migrating the site to the new subscription I was doing some validation checking in the SQL Azure Management portal. I was querying the database for various things and I noticed that there were no indexes on any of the tables, a byproduct of the WP DB Abstraction plugin translating the native WordPress MySQL syntax into MSSQL I suspect. Luckily for me, WordPress have a great in-depth article on their Codex for the database schema, mappings for all of the primary and foreign keys and most importantly, all of the indexes.

Using the SQL Azure Management Designer, I was able to create the indexes in SQL Azure to match the WordPress MySQL specification. If you are using WP DB Abstraction for your Windows Azure Web Sites WordPress installation with SQL Azure, I strongly recommend you take a look at your own indexes to see if any exist and, if not, look at all of the details on the WordPress Codex article at http://codex.wordpress.org/Database_Description for what indexes should exist.

If I get a chance in the coming days, I’ll update this post with a T-SQL snippet which you can dump into SQL Server Management Studio to create the indexes for you.

Windows Azure Website DIPR Dynamic IP Restrictions

Last week, I posted about Windows Azure Websites Always On as a means to keep your website hot and ready for guest access. Today, I’m going to cover how to make your website more secure in the fight against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

DoS and DDoS attacks are becoming more and more commonplace on the internet and as a site grows more successful and out there in the public eye, the greater your chances of being attacked. If you are running your web site on Windows Azure then the good news is that you are largely already covered as Microsoft employ various security products and technologies to protect the Windows Azure environment. You can find out more about what Microsoft do to protect Azure at the Windows Azure Trust Center at http://www.windowsazure.com/en-us/support/trust-center/security/.

What is Dynamic IP Restrictions

With the above in mind regarding in-built protection in Windows Azure, you can still do more to help yourself with an IIS extension called Dynamic IP Restrictions, or DIPR for short. DIPR is available on the Windows Azure Web Sites platform without any plugin or module installation on your part. All you need to do as a site owner or administrator is enable it for use on your site and configure some thresholds. All of this is done through the web.config file for your site.

Configure Dynamic IP Restrictions

To access the Windows Azure Web Site web.config file, use FTP or FTPS to access your wwwroot web site path using your deployment credentials and your favourite FTP client. If you don’t know or remember these then you can view the username in use and reset the password from the Windows Azure Management Portal at https://manage.windowsazure.com.

To enable Dynamic IP Restrictions for your site, add the following lines to your web.config file.

<system.webServer>
   <security>
      <dynamicIpSecurity>
         <denyByRequestRate enabled="true" maxRequests="500" requestIntervalInMilliseconds="5000"/>
      </dynamicIpSecurity>
   </security>
</system.webServer>

The system.webServer node will already exist in your web.config file, and there is a chance that the security node may exist already too, so check for these and add the lines in the correct place; otherwise you risk bringing your site crashing down due to a bad configuration file.

With the lines installed in the file, you need to configure the denyByRequestRate node of dynamicIpSecurity with an appropriate rate limit. maxRequests determines the number of requests a single client IP address may send to the site, and requestIntervalInMilliseconds determines the window over which the DIPR extension for IIS counts those requests.

Change the Restriction Response Code

When a client breaches the threshold given, the default posture of DIPR is to present the client with an HTTP 403 Forbidden code; however, you can customise this with any of the following codes:

  • AbortRequest 0
  • Unauthorized 401
  • Forbidden 403
  • NotFound 404

To customise the response, amend the dynamicIpSecurity node with the denyAction parameter as follows. Just exchange the option inside the denyAction quotation marks with the response you want to use.

<dynamicIpSecurity denyAction="AbortRequest">

Setting the rate for the maxRequests and requestIntervalInMilliseconds is the hardest part here as you need to balance security over functionality. If your site was particularly popular with one company who uses a proxy appliance to route their internet traffic then you could see a high volume of connections coming from a single public IP address which means you may need to raise your limits. Having the limit too high though means that you will be allowing potential attackers the freedom of a head-start against the site before DIPR cuts in to fend them off.
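Because a mis-placed element in web.config takes the whole site down, it is safer to let a script find or create the system.webServer, security and dynamicIpSecurity nodes than to paste the snippet by hand. The PowerShell below is an added example, not code from the post or from Microsoft; the function name and parameters are my own, and it writes exactly the denyByRequestRate attributes and optional denyAction shown above into a web.config you have pulled down over FTP, keeping a .bak copy first.

```powershell
function Enable-DynamicIpRestrictions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,   # local copy of the site's web.config
        [int]$MaxRequests = 500,                        # requests allowed per client IP ...
        [int]$RequestIntervalInMilliseconds = 5000,     # ... within this window
        [ValidateSet('AbortRequest', 'Unauthorized', 'Forbidden', 'NotFound')]
        [string]$DenyAction = 'Forbidden'               # IIS default response is 403
    )
    $fullPath = (Resolve-Path $WebConfigPath).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($fullPath)

    # Return an existing child element or append a new one, so an existing <security> block survives
    function Get-OrAddChild([System.Xml.XmlNode]$Parent, [string]$Name) {
        $child = $Parent.SelectSingleNode($Name)
        if (-not $child) { $child = $Parent.AppendChild($xml.CreateElement($Name)) }
        return $child
    }

    $config = $xml.SelectSingleNode('/configuration')
    if (-not $config) { throw "$fullPath has no <configuration> root element" }
    $webServer = Get-OrAddChild $config    'system.webServer'
    $security  = Get-OrAddChild $webServer 'security'
    $dynamic   = Get-OrAddChild $security  'dynamicIpSecurity'
    $byRate    = Get-OrAddChild $dynamic   'denyByRequestRate'

    # Same attributes as the snippet in the post, plus the denyAction override
    $dynamic.SetAttribute('denyAction', $DenyAction)
    $byRate.SetAttribute('enabled', 'true')
    $byRate.SetAttribute('maxRequests', "$MaxRequests")
    $byRate.SetAttribute('requestIntervalInMilliseconds', "$RequestIntervalInMilliseconds")

    if ($PSCmdlet.ShouldProcess($fullPath, 'write dynamicIpSecurity settings')) {
        Copy-Item $fullPath "$fullPath.bak" -Force   # rollback copy in case the edit misbehaves
        $xml.Save($fullPath)
    }
    # Hand back the resulting element so it can be eyeballed before uploading
    $dynamic.OuterXml
}
```

Run it with -WhatIf first to see the element it would write without touching the file; a maxRequests figure that suits your busiest proxied customer is still something you have to pick by looking at your own traffic.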

Protect an On-Premise IIS Web Server

My closing remark on this is that although I’ve spoken about DIPR with respect to Windows Azure Web Sites, you can also install this extension for IIS on Windows Server and use it to protect internal corporate sites against disgruntled employees or to protect IIS on Windows Server running in a DMZ segment to protect your on-premise hosted publicly accessible websites. You can download and install DIPR by using the Web Platform Installer (Web PI) from Microsoft at http://www.microsoft.com/web/downloads/platform.aspx.