Posts from 2014

License Types with Automatic Virtual Machine Activation

A couple of weeks ago, I posted an article on how to use Automatic Virtual Machine Activation (AVMA) with Windows Server 2012 R2 and Hyper-V. I wanted to follow this up with a brief note on license types Microsoft provide and how they seem to work with AVMA.

In production environments you will be using keys purchased through a Select, Volume License or other commercial agreement, while in test and development you may well be using keys from MSDN or TechNet, according to how you operate.

It appears from some testing I did that AVMA only works with operating system media and license keys obtained through volume license channels; for operating system source media downloaded from TechNet or MSDN, the AVMA client key will not be accepted as a valid one. This is especially worth noting if you are using VMM to automate the deployment of a virtual machine onto Hyper-V, as the result will be that steps in the VMM virtual machine creation process fail after the Customizing Virtual Machine phase. Connecting to the newly spawned VM with either the Connect via Console option in VMM or from Hyper-V Manager will reveal that the machine is stuck at the license key entry step of the operating system OOBE process.

If you are using a single VMM instance to manage your production and test and development clouds and guest workloads, and you plan on using AVMA for virtual machine activation, you will need to have provisioned separate virtual machine templates and Guest OS Profiles in your VMM library for your various environments, using the respective media from TechNet, MSDN or volume license, to be able to properly complete an automated VMM virtual machine deployment.

Mixing TP-Link Switches and Cisco SFP Modules

Some time ago, I posted reviews of my use of two TP-Link switches to operate my home network. To recap briefly, I use a TP-Link TL-SG3424 as my core switch and a TP-Link TL-SG3210 as my access switch. Both switches are Gigabit Ethernet across every port, which I love. The pair of switches cost me under £200 new.

Recently I’ve deployed some extra devices into my home office, leaving the TL-SG3210 a little short of free ports (as in none), so I was interested in moving my two LAG trunk ports onto the SFP Mini-GBIC modules to free up two ports. Taking a look at the TP-Link Media Converters and Modules page at http://uk.tp-link.com/products/?categoryid=225 reveals that they do produce fibre modules but nothing for Ethernet, which had me a little worried about the future of my eight port home office switch.

Determined not to be beaten, and not wanting to fork out to lay fibre through my house or buy a new, larger switch, I decided to take a punt on buying two used but functional Cisco GLC-T= SFP modules. These are 1000BaseT Gigabit Ethernet modules taking copper connectivity as opposed to fibre (or fiber depending on your preference). With Mini-GBIC SFP being an industry standard, I figured it must work right?

The good news, folks, is that it does work. The Cisco modules work just great and I’ve got four of the modules now. I am using a pair of them at either end of my LAG for consistency, so I’m connecting SFP to SFP, and I’ve had no issues with them at all.

Hyper-V Integration Services Error in VMM 2012 R2

When working with System Center Virtual Machine Manager 2012 R2 recently, I encountered an issue whereby deploying a Windows Server 2012 R2 virtual machine from template worked great but deploying a Windows Server 2008 R2 virtual machine from template reported a failure in the VMM Jobs view. The error shown is that Hyper-V Integration Services reported an error installing and generated the error code 60001.

When working with virtual guests it is important to consider the requirements for the guest operating system. In this incident, the issue was caused by using Windows Server 2008 R2 as the guest operating system without Service Pack 1: as per the About Virtual Machines and Guest Operating Systems page on TechNet at http://technet.microsoft.com/en-us/library/cc794868(v=ws.10).aspx, for Windows Server 2008 R2 you must be running Service Pack 1.

After using an updated template with Service Pack 1 incorporated, the error no longer occurs when deploying the guest operating system. A lesson to us all to double check everything. I had assumed that the .iso file I was using for Windows Server 2008 R2 incorporated Service Pack 1; clearly, on this occasion, it didn’t.

Automatic Virtual Machine Activation with Windows Server 2012 R2

Previously, I have posted articles on updates released for KMS host to allow you to volume activate Windows 8.1 and Windows Server 2012 R2 and Windows 8 and Windows Server 2012. These have been two of my most popular posts so volume licensing and activation is clearly something people need and want to know about.

To help celebrate Valentine’s Day, I thought I would share some more licensing love with you all and introduce a new feature in Windows Server 2012 R2 called Automatic Virtual Machine Activation (AVMA). This new feature allows customers using Windows Server 2012 R2 Hyper-V virtualization, with Windows Server 2012 R2 guest operating systems running as Hyper-V virtual machines, to activate their guest operating systems not with a KMS host as normal but instead by using the hypervisor.

In essence, your Hyper-V server becomes the KMS host for your virtual machines. This allows you to keep, track and record all of your virtual machine licensing in your virtual environment. This is also great for hosters or companies running internal private clouds, where you may have an infrastructure network consisting of an Active Directory Domain Services domain and a KMS host for your own servers but not for your customer servers: virtual guests on the Hyper-V servers which have no access to your hosting infrastructure.

The requirements for AVMA to work are as follows:

  • Windows Server 2012 R2 Server with the Hyper-V role installed
  • Windows Server Datacenter license applied to the Hyper-V host (either by a network KMS host or a MAK key)
  • Windows Server 2012 R2 guest operating system
  • Data Exchange Integration Service is enabled for the virtual guest

License the Hyper-V Host Server

If your environment is licensed using a Windows KMS host, you can enter the command cscript slmgr.vbs -ipk W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9 to install the Windows Server 2012 R2 Datacenter KMS client key on the Hyper-V host. If you are using MAK keys for single activations then use the command cscript slmgr.vbs -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX and replace the X’s with your MAK key for Windows Server 2012 R2 Datacenter. If you use KMS licensing, please bear in mind that this KMS activation needs to be renewed quite frequently so the KMS host needs to remain on the network and online.

To verify the license status of the Hyper-V host server, you can use the command cscript slmgr.vbs -dlv to display the current license type and the activation status.

License the Virtual Guest Server

Manual Virtual Guest Activation

Once your host server is activated, you can start doing guest activations from the Hyper-V host server. To do this manually, enter the command cscript slmgr.vbs -ipk YYYYY-YYYYY-YYYYY-YYYYY-YYYYY and replace the Y’s with one of the following AVMA client keys according to your guest operating system edition.

Windows Server 2012 R2 Datacenter Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TV
Windows Server 2012 R2 Standard DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Windows Server 2012 R2 Essentials K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

Once this is done, entering the command cscript slmgr.vbs -dlv will show you that the description for the licensing activation is Windows(R) Operating System, VIRTUAL_MACHINE_ACTIVATION and the Hyper-V hostname which performed the activation for the guest will be displayed further down the output.

Automated New Virtual Guest Activation

If you are in a new build greenfield environment then you can use the AVMA client keys shown above as part of your operating system build and deployment process. You can do this in a number of ways: manually as part of a GUI driven Windows Server 2012 R2 installation; via an unattend.xml file incorporated on your installation media, whether that is used manually, via Windows Deployment Services (WDS) or via System Center Configuration Manager (SCCM) Operating System Deployment; or by using the AVMA client key on a sysprepped virtual machine template. If you are maximizing your investment in Hyper-V and Windows Server, you can use this license key in your System Center Virtual Machine Manager (SCVMM) VM Templates and Guest OS Profiles.

Automated Existing Virtual Guest Activation

If you’ve got existing virtual machines running Windows Server 2012 R2 that you want to move from KMS or MAK to AVMA licensing, but you don’t want to do it manually, either because you have too many systems to touch or because you want it done in a consistent and automated fashion, then my colleague Craig Taylor has written a post on how he used the Windows Task Scheduler to deliver a single-run task onto all of the virtual machines in a VMM managed environment to update the key and activate the machines. You can read Craig’s post over on his blog at Remote activation of Windows Server Licensing via PowerShell (sort of).

Unknown VMBUS Devices in Device Manager

If you deploy AVMA licensing into your environment, you may want to have a look at this post by Aidan Finn who has come across an issue whereby Unknown Device (VMBUS) appears in the Device Manager for some Windows Server 2012 R2 machines. There’s nothing to worry about as this is a byproduct of the AVMA process but something you will probably want to be aware of. His post is at KB2925727 – Unknown Device (VMBUS) In Device Manager In Virtual Machine For WS2012 R2 AVMA.

SQL 2012 and System Center 2012 R2 Guide

Over on the TechNet Gallery a great new guide has been published titled SQL 2012 and System Center 2012 R2. The guide delves into the configuration of SQL Server best practice, how to deploy SQL Server and how to protect SQL Server, all specifically focused around using SQL Server with System Center 2012 R2 products such as Virtual Machine Manager (SCVMM), Operations Manager (SCOM), Orchestrator (SCO). The guide also looks at SQL Server 2012 AlwaysOn HADR, Hyper-V Replica and SQL Azure.

You can download the guide from http://gallery.technet.microsoft.com/SQL-2012-and-System-Center-553b5161.

The guide has been published and largely written by Paul Keely, Microsoft Private Cloud and Datacenter MVP (@paul_keely). The guide is really good; however, in the interests of honesty, the contributors on this book, aside from Robert, all work for Infront Consulting, my employers. Paul Keely is also my Principal Consultant for Infront Consulting Europe.

The guide has been contributed to additionally by other people including myself, Craig Taylor (@LupoLoopy), Matthew Long (@MatthewLongUK), Pete Zerger (@pzerger) and Robert Hedblom (@RobertandDPM).

WordPress Database Index with SQL Azure

As part of moving my online services between two Windows Azure subscriptions last week, I did some upgrades to the blog, including moving the database to Windows Azure SQL (SQL Azure). To facilitate this, I’m using the WP DB Abstraction plugin for WordPress available from http://wordpress.org/plugins/wordpress-database-abstraction/. Using this plugin does take a bit of guts, I hasten to add, as it hasn’t been updated in over two years and it will prevent some plugins from functioning, but for core WordPress it’s great.

After migrating the site to the new subscription I was doing some validation checking in the SQL Azure Management portal. I was querying the database for various things and I noticed that there were no indexes on any of the tables, a byproduct of the WP DB Abstraction plugin translating the native WordPress MySQL syntax into MSSQL I suspect. Luckily for me, WordPress have a great in-depth article on their Codex for the database schema, mappings for all of the primary and foreign keys and most importantly, all of the indexes.

Using the SQL Azure Management Designer, I was able to create the indexes in SQL Azure to match the WordPress MySQL specification. If you are using WP DB Abstraction for your Windows Azure Web Sites WordPress installation with SQL Azure, I strongly recommend you take a look at your own indexes to see if any exist and, if not, look at all of the details on the WordPress Codex article at http://codex.wordpress.org/Database_Description for what indexes should exist.

If I get a chance in the coming days, I’ll update this post with a T-SQL snippet which you can dump into SQL Server Management Studio to create the indexes for you.

Windows Azure Website DIPR Dynamic IP Restrictions

Last week, I posted about Windows Azure Websites Always On as a means to keep your website hot and ready for guest access. Today, I’m going to cover how to make your website more secure in the fight against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

DoS and DDoS attacks are becoming more and more commonplace on the internet, and the more successful and publicly visible a site becomes, the greater its chances of being attacked. If you are running your web site on Windows Azure then the good news is that you are largely already covered, as Microsoft employ various security products and technologies to protect the Windows Azure environment. You can find out more about what Microsoft do to protect Azure at the Windows Azure Trust Center at http://www.windowsazure.com/en-us/support/trust-center/security/.

What is Dynamic IP Restrictions

With the above in mind regarding in-built protection in Windows Azure, you can still do more to help yourself with the help of an IIS extension called Dynamic IP Restrictions, or DIPR for short. DIPR is available on the Windows Azure Web Sites platform without any plugin or module installation on your part. All you need to do as a site owner or administrator is enable it for use on your site and configure some thresholds. All of this is done through the web.config file for your site.

Configure Dynamic IP Restrictions

To access the Windows Azure Web Site web.config file, use FTP or FTPS to access your wwwroot web site path using your deployment credentials and your favourite FTP client. If you don’t know or remember these then you can view the username in use and reset the password from the Windows Azure Management Portal at https://manage.windowsazure.com.

To enable Dynamic IP Restrictions for your site, add the following lines to your web.config file.

<system.webServer>
   <security>
      <dynamicIpSecurity>
         <denyByRequestRate enabled="true" maxRequests="500" requestIntervalInMilliseconds="5000"/>
      </dynamicIpSecurity>
   </security>
</system.webServer>

The system.webServer node will already exist in your web.config file and there is a chance that the security node may exist already too so check for these and add appropriate lines in the correct place otherwise you risk bringing your site crashing down due to a bad configuration file.

With the lines installed in the file, you need to configure the denyByRequestRate node of dynamicIpSecurity with an appropriate rate limit. maxRequests determines the number of requests a given client IP address may send to the site and requestIntervalInMilliseconds determines the timeframe over which the DIPR extension for IIS counts those requests; a client that exceeds maxRequests within one interval is refused.

Change the Restriction Response Code

When a client breaches the threshold given, the default posture of DIPR is to present the client with a HTTP 403 Forbidden code however you can customise this with any of the following codes:

  • AbortRequest 0
  • Unauthorized 401
  • Forbidden 403
  • NotFound 404

To customise the response, amend the dynamicIpSecurity node with the denyAction parameter as follows. Just exchange the option inside the denyAction quotation marks with the response you want to use.

<dynamicIpSecurity denyAction="AbortRequest">

Setting the rate for maxRequests and requestIntervalInMilliseconds is the hardest part here, as you need to balance security against functionality. If your site is particularly popular with one company that uses a proxy appliance to route its internet traffic, then you could see a high volume of connections coming from a single public IP address, which means you may need to raise your limits. Having the limit too high, though, means that you will be allowing potential attackers the freedom of a head start against the site before DIPR cuts in to fend them off.
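To make the maxRequests / requestIntervalInMilliseconds trade-off concrete, here is an added example (not code from the original post or from the DIPR extension) that replays constructed log traffic through a simplified sliding-window model of the denyByRequestRate rule and emits the matching web.config fragment. It assumes a simple "date time c-ip ..." log line shape; IIS's internal bookkeeping may differ in detail, so treat the model as an illustration of the threshold behaviour, including the single-proxy-address caveat above.

```python
from collections import defaultdict, deque
from datetime import datetime

# Response codes DIPR can return, as listed in the post above.
DENY_ACTIONS = {"AbortRequest": 0, "Unauthorized": 401, "Forbidden": 403, "NotFound": 404}


class DenyByRequestRate:
    """Sliding-window model of denyByRequestRate: a client IP that sends more than
    max_requests within interval_ms is refused with the configured denyAction.
    Assumption: IIS's exact bookkeeping may differ; this is a model for reasoning."""

    def __init__(self, max_requests=500, interval_ms=5000, deny_action="Forbidden"):
        if deny_action not in DENY_ACTIONS:
            raise ValueError(f"unknown denyAction {deny_action!r}")
        self.max_requests = max_requests
        self.interval_ms = interval_ms
        self.deny_action = deny_action
        self.windows = defaultdict(deque)  # client IP -> request timestamps (ms) still in window

    def check(self, ip, ts_ms):
        """Record one request; return the status code to deny with, or None to allow."""
        window = self.windows[ip]
        while window and ts_ms - window[0] >= self.interval_ms:
            window.popleft()  # requests older than the interval no longer count
        window.append(ts_ms)
        if len(window) > self.max_requests:
            return DENY_ACTIONS[self.deny_action]
        return None

    def web_config_fragment(self):
        """The dynamicIpSecurity element that expresses this policy in web.config."""
        return (f'<dynamicIpSecurity denyAction="{self.deny_action}">\n'
                f'   <denyByRequestRate enabled="true" maxRequests="{self.max_requests}" '
                f'requestIntervalInMilliseconds="{self.interval_ms}"/>\n'
                '</dynamicIpSecurity>')


def parse_line(line):
    """Pull the client IP and an integer millisecond timestamp from a 'date time c-ip ...' line."""
    date, time, ip, *_ = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
    delta = ts - datetime(1970, 1, 1)
    return ip, delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000


def replay(lines, policy):
    """Replay log lines through the policy; returns {ip: number of requests that would be denied}."""
    denied = defaultdict(int)
    for line in lines:
        ip, ts_ms = parse_line(line)
        if policy.check(ip, ts_ms) is not None:
            denied[ip] += 1
    return dict(denied)


def constructed_log():
    """Constructed sample traffic (not real logs); addresses are RFC 5737 documentation ranges."""
    lines = []
    for i in range(8):   # one address hammering the site: 8 requests in 350 ms
        lines.append(f"2014-02-14 10:00:00.{i * 50:03d} 203.0.113.7 GET /index.php 200")
    for i in range(3):   # ordinary browsing: 3 requests 400 ms apart
        lines.append(f"2014-02-14 10:00:01.{i * 400:03d} 198.51.100.20 GET /page{i} 200")
    for i in range(6):   # a corporate proxy: 6 users' clicks within 750 ms from one public IP
        lines.append(f"2014-02-14 10:00:02.{i * 150:03d} 192.0.2.9 GET /post{i} 200")
    return lines


if __name__ == "__main__":
    # A tight limit catches the burst but also penalises the proxy's users; raising
    # maxRequests by one lets the proxy through at the cost of a head start for the attacker.
    print(replay(constructed_log(), DenyByRequestRate(5, 1000)))
    print(replay(constructed_log(), DenyByRequestRate(6, 1000, "AbortRequest")))
    print(DenyByRequestRate(6, 1000, "AbortRequest").web_config_fragment())
```

Running the block with the post's own defaults (500 requests per 5000 ms) denies nothing in this sample, which is exactly the head-start concern: a short burst sits well under that limit.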

Protect an On-Premise IIS Web Server

My closing remark on this is that although I’ve spoken about DIPR with respect to Windows Azure Web Sites, you can also install this extension for IIS on Windows Server and use it to protect internal corporate sites against disgruntled employees or to protect IIS on Windows Server running in a DMZ segment to protect your on-premise hosted publicly accessible websites. You can download and install DIPR by using the Web Platform Installer (Web PI) from Microsoft at http://www.microsoft.com/web/downloads/platform.aspx.

Cisco ASA 5520 Memory Upgrade

For anyone using a Cisco ASA 5505, 5510, 5520 or 5540 in their home, lab or non-production environment who wants to be able to run ASA OS versions 8.3 and later, you’re probably going to be in the market for a memory upgrade. Cisco ASA memory upgrades are bonkers expensive and, while for a production environment you’d want to pay this to get the Cisco TAC support, chances are you aren’t going to want to stump up this kind of money for other purposes.

The exception to this rule is if you happen to have an ASA which was either built after February 2010 or which the previous owner upgraded, but that’s neither here nor there.

The specifications from Cisco on the memory requirements for each model to run ASA OS 8.3 or later and the comparative shipping memory values can be found at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html.

In my case, the ASA 5520 shipped originally with 512MB of RAM, but for ASA OS 8.3 or later you need to have 2GB. The ASA 5520 varies in its hardware configuration according to age, with some models having four DIMM slots and others only having two. If you’ve got an ASA 5520 or 5540 with only one DIMM slot then sorry, you’ve got an ASA 5510 which has been faked into a 5520, which was a big problem at the time (https://supportforums.cisco.com/message/3517301).

As I didn’t want to spend £300 on the memory upgrade for mine, I went on a search of the internet, as you’d expect of me. It transpires that Cisco used memory from Smart Modular in the ASA appliances: 184-pin PC2700 DDR-333 ECC Unbuffered memory, to be exact. According to some clever people on the internet, not many memory modules aside from these from Smart will work in the ASA, as the Linux kernel on it is only coded to recognise a select few memory setups; luckily, it appears that Infineon are one of the good guys.

Due to the way that memory under-rates itself when required, you don’t have to stick to PC2700 DDR-333, and nor does it seem that you need ECC memory either. From advice online I’ve found that the following module models from Infineon work great in the ASA 5520. I’ve had none of the commonly reported issues with third-party memory, where the appliance only boots successfully one in two or three reload cycles. My ASA has booted first time, every time, and I’ve been cycling it about once an hour today to test it.

If you’ve got the luxury of four DIMM slots, go with the Infineon HYS64D64320HU-5-C. It’s a 512MB PC3200 DDR-400 DIMM which you can install four of to make the 2GB requirement. If you’ve only got the two DIMM slots to play with, go with the Infineon HYS64D128320HU-5-B which is a 1GB PC3200 DDR-400 DIMM.

eBay is the place to buy, in case there was any doubt over that point. No matter which one of the above options you go with, by using these Infineon DIMM modules you’ll get a reliable ASA platform and you can hit your memory maximums for ASA OS 8.3 and onwards for about £20 at the time of writing. Just a touch better than the £300 for the official memory, right?

Windows Azure Web Sites Always On

Continuing with my line of Windows Azure posts of late, I wanted to unearth a feature called Windows Azure Web Sites Always On.

Windows Azure Websites Always On

This feature is tucked away in the Configure options for a Windows Azure Web Site. The feature is only available to Standard mode web sites so you will not get this option if you are using the Free or Shared service tiers (sorry). When enabled, Windows Azure will regularly generate a simple HTTP request to the website which means for sites that are based on ASP.NET or other server-side compiling technologies, the website stays warm so that when your first visitor after a period of inactivity hits the site, they aren’t left waiting for it to compile, render and present itself.

Details of the feature are a bit scarce, so I haven’t been able to determine yet exactly what the Always On request consists of. The lack of information or configuration options would suggest that it’s as simple as an HTTP GET request to the URL configured in the Site URL field for the web site. There doesn’t seem to be any indication either as to how often this request is issued. If you are already using the Monitoring Endpoints feature, or if you are monitoring your web sites with System Center Operations Manager 2012 (SCOM), Global Service Monitor (GSM) for SCOM or another monitoring product, then you are essentially already performing this Always On keep-alive activity.

David Attenborough Africa

I’m a little bit behind the times with this but I’ve just watched the final episode of the David Attenborough series from the BBC called Africa. The series aired late last year in 2013 and I watched all bar the final two episodes until this week.

I love watching his programmes because you get to see truly incredible things and watching them leaves me with an utterly humble feeling inside. Sure, at 88 years old now, he may not be as ‘down in the dirt’ as he used to be but who can blame him? He was in the news in June of last year reportedly to have a pacemaker fitted.

If I can see just 5% of the incredible things that he has been able to witness and experience in his life in my own, then I would consider my life to be a rich and fulfilled one. Watching the series Africa also makes me, as a father of three, wonder what will be left for our grandchildren. What natural beauties and ecological wonders will remain for them to see and experience, or will they be dependent on records of history like the documentaries of David Attenborough to understand what the world used to be like?

This story on the Radio Times website from July 2013 (http://www.radiotimes.com/news/2013-07-05/david-attenborough-to-make-new-landmark-bbc1-natural-history-series) reports that there will be at least one more high profile series from Attenborough which according to the story will be aired in either 2015 or 2016. I really look forward to it.