Category Archives: Microsoft

Microsoft Azure Operational Insights Preview Series – SQL Assessment (Part 7)

During the last couple of months System Center Advisor, or Microsoft Azure Operational Insights Preview as it will probably be known after TechEd Europe 2014, has received a lot of improvements and features, so we are now at Part 7. With this blog post I am also renaming all other blog posts. Here is the full list:

In this post we will have a quick look at a new intelligence pack called SQL Assessment:

image

After you add it to your Operational Insights account you will see the following tile:

image

Keep in mind that the first assessment can take up to 4 hours before you see any data. After data is gathered and assessed you will see similar results. Let's click on the tile and see what surprise awaits us:

image

As you can see, we now have the well-known graphics in Advisor, but you will notice a few differences compared to the other packs. While the other packs focus on providing you with information so you can make assessments and decisions more easily, this one gives you knowledge directly.

From my deployments of System Center I know a thing or two about SQL, but I do not consider myself an expert. This Intelligence Pack can not only show you potential issues/problems but can also give you some knowledge about SQL. The reason why this pack is different is that it tries to provide some continuity with the old Configuration Assessment, which I didn't cover in this series. Maybe I had the feeling that the old Configuration Assessment would probably be converted to something else. BTW, I've shown this Intelligence Pack to a SQL MVP and received positive feedback.

Now let's click on a graphic or a recommendation and see what we will face:

image

As I've said, you will be faced with a lot of knowledge, just like the knowledge in the SCOM Management Packs. You will see that the knowledge has a rating. I guess that the rating is a static number for every recommendation that is available in the IP. I couldn't find out whether the rating rises if you have more affected objects. The good part about these recommendations is that they go down to database level, making the results more granular.

From here clicking on the affected object or on the graphic will lead you to the search query result:

image

image

As you can see, a lot of properties are collected to help you build interesting queries. Here is a list of those provided by the Advisor team:

image

I will show you a little more. I want to see what the recommendation result statuses are and how many results there are for each of them:

Type=SQLAssessmentRecommendation  | measure count() by RecommendationResult

image

Now, rather than seeing where I've failed, I want to see where I've done well and for which servers:

Type=SQLAssessmentRecommendation IsRollup=false  RecommendationResult=passed

image

As you will see, the Intelligence Pack even makes some server-level checks that are valid for SQL servers.

Let’s see which server passed most checks:

Type=SQLAssessmentRecommendation IsRollup=false  RecommendationResult=passed | Measure count() by Computer

image

Let's measure by affected object name, which breaks the results down to granular objects such as databases:

Type=SQLAssessmentRecommendation IsRollup=false  RecommendationResult=passed | Measure count () by AffectedObjectName

image

I am curious what those inconclusive results are:

Type=SQLAssessmentRecommendation IsRollup=false  RecommendationResult=inconclusive

image

It is interesting that there is another status specific to the affected object:

Type=SQLAssessmentRecommendation IsRollup=false  | Measure count() by AffectedObjectResult

image

Some last tips when you use queries:

  • Use RecommendationPeriod in queries to get more accurate results.
  • Use sorting (sort RecommendationWeight desc) to get the more urgent recommendations on top.

Definitely an interesting Intelligence Pack and I encourage you to try it. Happy searching.

Tip from Daniele Muscetta:

‘inconclusive’ means that check wasn’t able to complete, hence it can’t really tell for sure if you are affected by an issue, or not. It is a way to mitigate false positives. Often this might have to do with permissions required to collect some config point, check the runas account info in the documentation http://technet.microsoft.com/en-us/library/dn818161.aspx (we are updating this doc as there are a few more permissions currently not listed), and/or let me know if any specific check consistently does not work we can investigate – it’s like the previous alert rules – and escalate to the content owner.

I will be using my SQL monitoring account for this:

SQL Advisor Account

Another tip from me: if you want to disable Advisor SQL monitoring for certain servers, override this rule for them:

override

System Center Universe (aka Community MMS) Europe 2014 Now Available on Channel9

Just want to tip you that SCU Europe 2014 (aka Community MMS) sessions are now available on Channel9. All 60 sessions are available:

  1. Advanced Orchestrator Runbook Authoring and Management
  2. Author your own custom gallery item and deploy VM roles in Windows Azure Pack
  3. Building a Real self-service platform with SCSM, SMA PowerShell Workflows
  4. Building solid business continuity plans using System Center, Windows Server and Azure
  5. Compliance Management – the new orange in Client Management
  6. Configuration Manager 2012 R2 – a site review
  7. Creating awesome System Center Reports with PowerBI and PowerView
  8. Customer requirements first – Service Manager Customizations without limits
  9. Data Deduplication in depth
  10. Deploy the Microsoft Cloud OS in high available
  11. Deploy Windows Azure Pack across sites
  12. Disaster Recovery in a service provider cloud
  13. Disaster Recovery with Azure Site Recovery
  14. Enterprise Management Solution (EMS) – the full story
  15. How to build a service provider cloud
  16. How to deliver BaaS, RaaS and DRaaS in a modern datacenter using System Center & Azure
  17. Hybrid Cloud DevOps with APM
  18. Identity Management for Hybrid IT with Windows Azure and Windows Server 2012 R2
  19. Integrating the System Center components – your path to the galaxy
  20. Leaving the dark ages – Migrating from Configuration Manager 2007 to 2012 R2
  21. Manage your Azure through Service Manager and SMA
  22. Managing your IP Addresses the Easy Way with IPAM
  23. Microsoft Hybrid Cloud – Manage Azure with Microsoft System Center
  24. Microsoft Mobile Device Management from A to Z
  25. Multi-factor authentication for your clouds
  26. My top ten things in Windows Server 2012 R2 that will make your life easier
  27. OMI and DAL – Understanding the big picture
  28. OpsMgr Dashboards – new widgets and possibilities
  29. Optimize Azure Virtual Machines for performance and availability
  30. PowerShell’s Desired State Configuration – Resource authoring
  31. PowerShell’s Desired State Configuration – Notes from the field
  32. Self-service software provisioning with SCSM, SCORCH and SCCM
  33. Send your monitoring probes deep into unexplored space
  34. Service Management Automation – Introduction
  35. Service Management Automation (SMA) deep dive
  36. Service Manager – Performance and Scalability best practices
  37. Show me the reporting money with System Center
  38. Software Defined Networking – Comparison of different solutions
  39. Speed Lab – Deploy a Microsoft System Center 2012 R2 environment
  40. Sponsor Session OPSLOGIX & ITNETX – Conference Closing Note
  41. Sponsored Session BLUESTRIPE SOFTWARE – Using System Center and BlueStripe for dynamic application management across Azure and datacenter business applications
  42. Sponsored Session CASED DIMENSIONS – How to make Service Manager enterprise
  43. Sponsored Session CIRESON – Worldwide First – Unveiling Cireson Portal v3
  44. Sponsored Session CISCO – a Unified Data Center – Best integration for Microsoft Environments
  45. Sponsored Session COMTRADE – Deliver Citrix desktop virtualization confidently with Operations Manager
  46. Sponsored Session DERDACK – Never miss a critical IT incident again. Resolve IT incidents on-the-go. On-call duty redefined
  47. Sponsored Session MATRIX42 – Web Console for SCCM – easiness and delegation
  48. Sponsored Session NUTANIX – Automating Your Datacenter – Web-Scale Style
  49. Sponsored Session STEFFEN INFORMATIK – SCOM Manager
  50. Sponsored Session SYLIANCE IT SERVICES – Customizing System Center – Things you’ve never seen before!
  51. Sponsored Session VEEAM – Rock your Microsoft datacenter with Veeam
  52. Storage Spaces – Scale-out file server deep dive
  53. System Center Orchestrator – Runbook Design 101
  54. Unified Device Management – It’s all about the experience
  55. Upgrading to Configuration Manager 2012 R2
  56. VMware to Hyper-V Migration
  57. Welcome Note and Keynote Going beyond the borders – prepare yourself for the future!
  58. Windows Apps in the Cloud – Azure RemoteApp
  59. Windows Azure Pack – Usage Metering & Reporting Troubleshooting Guide
  60. Windows Azure Pack usage metering

Creating Azure-like Windows Server Images with System Center

Update

——————————————————————————

A small update on this topic. If you do not want your customers to face error 0x800F0906 when they try to install .NET Framework 3.5 on Windows Server 2012 or 2012 R2, I suggest you install and then disable the .NET Framework 3.5 feature with DISM before sysprepping your images. The following commands should do the work:

For Windows Server 2012:

dism /image:"D:\2012" /enable-feature /featurename:NetFx3 /All /Source:G:\sources\sxs

dism /image:"D:\2012" /disable-feature /featurename:NetFx3

where D:\2012 is your mounted 2012 VHD and G:\sources\sxs holds the installation files on your Windows Server 2012 setup DVD.

For Windows Server 2012 R2:

dism /image:"D:\2012r2" /enable-feature /featurename:NetFx3 /All /Source:G:\sources\sxs

dism /image:"D:\2012r2" /disable-feature /featurename:NetFx3

where D:\2012r2 is your mounted 2012 R2 VHD and G:\sources\sxs holds the installation files on your Windows Server 2012 R2 setup DVD.

After executing the commands you can commit the image. That way, when your customers try to install .NET Framework 3.5 they will not receive the error and do not have to uninstall KB2966828 (MS14-046: Description of the security update for the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2: August 12, 2014) or KB2966827 (MS14-046: Description of the security update for the .NET Framework 3.5 on Windows 8 and Windows Server 2012: August 12, 2014).

—————————————————————————–

When you go to Microsoft Azure and try to create a Windows Server virtual machine you will see that Microsoft displays a couple of images with different dates:

image

As you can see you can choose a different patch level.

And when you create a virtual machine in Azure and log on to it to see the installed updates, you will see that most of them were installed on one particular date:

image

This got me thinking: how does Azure make its own Windows Server images? And, of course, is there a way to do that on-premises?

So you've probably already figured out how Azure probably does it:

  1. Create a base image for every OS version with none or some updates.
  2. Make a copy of a base image and update it with the latest updates.
  3. Publish the updated image to the portal.

But let’s go into detail about the three main OS versions (Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1) and how to create these images with some System Center magic.

Let’s first start with:

Creating base image for Windows Server 2008 R2 SP1

First you need to grab Windows Server 2008 R2 SP1 iso from MSDN or Volume license. As Azure is using Datacenter Edition for all their server versions I will use the same.

Then you can easily convert the iso to VHDX with the following script:

.\Convert-WindowsImage.ps1 -SourcePath "D:\en_windows_server_2008_r2_with_sp1_x64_dvd_617601.iso" -VHDFormat VHDX -Edition "ServerDataCenter" -SizeBytes 120GB -RemoteDesktopEnable -VHDPath D:\WS2008R2SP1Base.vhdx -VHDType Dynamic

If you want to use other editions or a different disk size you can change the parameters to whatever makes sense in your case.

After that it is good to install IE11 in advance. That can be done by mounting the VHDX file with dism:

dism /mount-image /imagefile:"D:\WS2008R2SP1Base.vhdx" /mountdir:D:\2008r2 /index:1

Then you apply the IE11 prerequisites:

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\Windows6.1-KB2729094-v2-x64.msu"

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\Windows6.1-KB2726535-x64.msu"

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\Windows6.1-KB2670838-x64.msu"

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\Windows6.1-KB2834140-v2-x64.msu"

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\Windows6.1-KB2786081-x64.msu"

And now you can install IE11 itself:

dism /Image:"D:\2008r2" /add-package /Packagepath:"D:\IE11-Windows6.1-KB2841134-x64.cab"

As you will probably use this image on Hyper-V Server 2012 or 2012 R2, it is good to install the latest Integration Services. They can be found by mounting the iso file located at "C:\Windows\System32\vmguest.iso" on Windows 8.1 or Windows Server 2012 R2:

dism /Image:"D:\2008r2" /add-package /Packagepath:"E:\support\amd64"

After applying this last update you can save the image by committing the changes:

dism /unmount-image /mountdir:"D:\2008r2" /commit

If you want to apply some additional configuration to that base image, like firewall rules, you need to create a VM from that image. Install the OS, make the changes you want in the VM and sysprep it with the following command:

.\Sysprep.exe /generalize /shutdown /oobe

After the sysprep command your Windows Server 2008 R2 SP1 base image is ready.

Creating base image for Windows Server 2012

The steps for Windows Server 2012 base image are similar. Download your iso from MSDN or Volume License.

Convert the iso:

.\Convert-WindowsImage.ps1 -SourcePath "D:\en_windows_server_2012_x64_dvd_915478.iso" -VHDFormat VHDX -Edition "ServerDataCenter" -SizeBytes 120GB -RemoteDesktopEnable -VHDPath D:\WS2012Base.vhdx -VHDType Dynamic

Mount the vhd with dism:

dism /mount-image /imagefile:"D:\WS2012Base.vhdx" /mountdir:D:\2012 /index:1

There is no IE11 for Windows Server 2012 but there is one important update that you need to apply in advance:

dism /Image:"D:\2012" /add-package /Packagepath:"D:\Windows8-RT-KB2871777-x64.msu"

Through several tests I've found that this update is needed for future proper updating of this base image.

Apply the latest Hyper-V Integration Services if needed:

dism /Image:"D:\2012" /add-package /Packagepath:"E:\support\amd64"

Commit the changes:

dism /unmount-image /mountdir:"D:\2012" /commit

If you also need to apply some configuration changes to this image, you need to start it as a virtual machine, make the changes and sysprep it:

.\Sysprep.exe /generalize /shutdown /oobe

And now your Windows Server 2012 base image is also ready.

Creating base image for Windows Server 2012 R2 Update

This one is the easiest, as you just need to convert it:

.\Convert-WindowsImage.ps1 -SourcePath "D:\en_windows_server_2012_r2_with_update_x64_dvd_4065220.iso" -VHDFormat VHDX -Edition "ServerDataCenter" -SizeBytes 120GB -RemoteDesktopEnable -VHDPath D:\WS2012R2Base.vhdx -VHDType Dynamic

You do not need to mount it with dism, as there are no updates that you need to add and the latest Integration Services are already there.

For additional configurations you have to do the same steps as the other two.

 

Prerequisites

Now that we have our base images, let's move on to the solution for producing a new updated image every month. I will start with the prerequisites. Later on, when you look at how the whole solution works, you may find other ways to do it in your environment if you do not have some of them.

We will need the following servers:

  • WSUS
  • VMM
  • SCSMA

The WSUS server is needed so we can grab all Windows Updates directly from the WSUS Content share. But when you have WSUS server connected to VMM the updates will be downloaded on the WSUS content share after you create Update Baselines in VMM, add updates to these baselines and assign at least  one server in VMM to these baselines. So let’s create 3 empty Update baselines in VMM:

  • WS2012R2
  • WS2012
  • WS2008R2

Do not add updates to them but assign at least one server in VMM to them. We will update these baselines later with SMA Runbook.

On the VMM server on C:\ drive you can create three folders:

  • C:\ovpWS2012R2
  • C:\ovpWS2012
  • C:\ovpWS2008R2

We will use these folders to mount the different images on them with DISM.

Next create a share on a server, for example one named Base. I create such a share on my VMM Library server. On that share I copy all the base images we've created earlier.

The last part of the prerequisites puzzle is Service Management Automation.

Let’s start first by creating some assets in my new favorite automation solution.

Create a Connection asset named VMMConnection of type VirtualMachineManager. For credentials use a service account that has Administrator rights on your VMM server. That account should also have full share and NTFS permissions on the Base share that you've created earlier. For computer name you should use the FQDN of your VMM server.

image

Next you need to create a Variable asset of type String. For name enter WSUSServer and for value the FQDN of your WSUS server.

image

The last asset you need to create is also a variable. For name use VMMLibraryServer and for value the FQDN of your VMM Library server.

image

Now that we have our SMA assets create 5 empty SMA Runbooks:

  • Update-VMMBaselines
  • Update-BaseImageWS2012R2
  • Update-BaseImageWS2012
  • Update-BaseImageWS2008R2
  • Set-VHDProductKey

In SMA you can open Update-VMMBaselines for edit. Remove the empty workflow and copy the following runbook directly:

workflow Update-VMMBaselines
{
    # Connection to access VMM server.
    $VmmConnection = Get-AutomationConnection -Name 'VmmConnection'
    $VmmServerName = $VmmConnection.ComputerName

    # Create a PSCredential from the 'Username' and 'Password' fields within
    # 'VmmConnection' because this is the form of authentication that an
    # inlinescript accepts.
    $SecurePassword = ConvertTo-SecureString -AsPlainText -String $VmmConnection.Password -Force
    $VmmCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VmmConnection.Username, $SecurePassword

    inlinescript {

        # Import VMM module.
        Import-Module VirtualMachineManager

        # Connect to VMM server.
        Get-SCVMMServer -ComputerName $Using:VmmServerName

        # Synchronize the updates in VMM with the WSUS server.
        Get-SCUpdateServer | Start-SCUpdateServerSynchronization

        # Windows Server 2008 R2 Update Baseline
        $ContosoBaseline2008R2 = Get-SCBaseline | where { $_.Name -eq "WS2008R2" }
        $baseline2008R2 = Get-SCBaseline -ID $ContosoBaseline2008R2.ID
        $addedUpdateList2008R2 = @()
        $SCVMMJobGUID = [System.Guid]::NewGuid()

        $ContosoLatestUpdates2008R2 = Get-SCUpdate | where {
            ($_.UpdateClassification -eq "Security Updates" -or
             $_.UpdateClassification -eq "Critical Updates" -or
             $_.UpdateClassification -eq "Updates" -or
             $_.UpdateClassification -eq "Update Rollups") -and
            ($_.Products -eq "Windows Server 2008 R2" -or
             $_.Products -eq "Windows Server 2003, Datacenter Edition, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2" -or
             $_.Products -eq "Windows 7, Windows Server 2008 R2" -or
             $_.Products -eq "Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2" -or
             $_.Products -eq "Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2" -or
             $_.Products -eq "Windows Server 2003, Datacenter Edition, Windows Server 2003, Windows Vista, Windows XP x64 Edition, Windows Server 2008, Windows 7, Windows Server 2008 R2" -or
             $_.Products -eq "Windows Server 2003, Datacenter Edition, Windows Server 2003, Windows XP, Windows Vista, Windows XP x64 Edition, Windows Server 2008, Windows 7, Windows Server 2008 R2" -or
             $_.Products -eq "Windows Server 2003, Datacenter Edition, Windows Server 2008, Windows Server 2003, Windows Server 2008 R2" -or
             $_.Products -eq "Windows Vista, Windows Server 2003, Datacenter Edition, Windows Server 2008, Windows 7, Windows Server 2003, Windows Server 2008 R2") -and
            $_.IsExpired -eq $false -and
            $_.CreationDate -gt '2/16/2011 10:00'
        }

        # Compare existing updates with new ones
        Compare-Object -ReferenceObject $ContosoBaseline2008R2.Updates -DifferenceObject $ContosoLatestUpdates2008R2 -IncludeEqual | % {
            if ($_.SideIndicator -eq '=>') { $addedUpdateList2008R2 += Get-SCUpdate -ID $_.InputObject.ID }
        }

        Set-SCBaseline -Baseline $baseline2008R2 -Name $ContosoBaseline2008R2.Name.ToString() -RunAsynchronously -AddUpdates $addedUpdateList2008R2 -JobGroup $SCVMMJobGUID.ToString() -StartNow

        # Windows Server 2012 Update Baseline
        $ContosoBaseline2012 = Get-SCBaseline | where { $_.Name -eq "WS2012" }
        $baseline2012 = Get-SCBaseline -ID $ContosoBaseline2012.ID
        $addedUpdateList2012 = @()
        $SCVMMJobGUID = [System.Guid]::NewGuid()

        $ContosoLatestUpdates2012 = Get-SCUpdate | where {
            ($_.UpdateClassification -eq "Security Updates" -or
             $_.UpdateClassification -eq "Critical Updates" -or
             $_.UpdateClassification -eq "Updates" -or
             $_.UpdateClassification -eq "Update Rollups") -and
            ($_.Products -eq "Windows Server 2012" -or
             $_.Products -eq "Windows 8, Windows Server 2012") -and
            $_.IsExpired -eq $false
        }

        # Compare existing updates with new ones
        Compare-Object -ReferenceObject $ContosoBaseline2012.Updates -DifferenceObject $ContosoLatestUpdates2012 -IncludeEqual | % {
            if ($_.SideIndicator -eq '=>') { $addedUpdateList2012 += Get-SCUpdate -ID $_.InputObject.ID }
        }

        Set-SCBaseline -Baseline $baseline2012 -Name $ContosoBaseline2012.Name.ToString() -RunAsynchronously -AddUpdates $addedUpdateList2012 -JobGroup $SCVMMJobGUID.ToString() -StartNow

        # Windows Server 2012 R2 Update Baseline
        $ContosoBaseline2012R2 = Get-SCBaseline | where { $_.Name -eq "WS2012R2" }
        $baseline2012R2 = Get-SCBaseline -ID $ContosoBaseline2012R2.ID
        $addedUpdateList2012R2 = @()
        $SCVMMJobGUID = [System.Guid]::NewGuid()

        $ContosoLatestUpdates2012R2 = Get-SCUpdate | where {
            ($_.UpdateClassification -eq "Security Updates" -or
             $_.UpdateClassification -eq "Critical Updates" -or
             $_.UpdateClassification -eq "Updates" -or
             $_.UpdateClassification -eq "Update Rollups") -and
            ($_.Products -eq "Windows Server 2012 R2" -or
             $_.Products -eq "Windows 8.1, Windows Server 2012 R2") -and
            $_.IsExpired -eq $false
        }

        # Compare existing updates with new ones
        Compare-Object -ReferenceObject $ContosoBaseline2012R2.Updates -DifferenceObject $ContosoLatestUpdates2012R2 -IncludeEqual | % {
            if ($_.SideIndicator -eq '=>') { $addedUpdateList2012R2 += Get-SCUpdate -ID $_.InputObject.ID }
        }

        Set-SCBaseline -Baseline $baseline2012R2 -Name $ContosoBaseline2012R2.Name.ToString() -RunAsynchronously -AddUpdates $addedUpdateList2012R2 -JobGroup $SCVMMJobGUID.ToString() -StartNow

    } -PSComputerName $VmmServerName -PSCredential $VmmCredential
}

I've taken some parts of this script and made some changes to adapt it to my needs. Thank you Markus Lassfolk.

The script basically connects to VMM, synchronizes the updates in VMM with the WSUS server and adds updates to the three baselines we've created earlier. The script is made in a way to add all the updates available for every corresponding OS version, including .NET Framework updates. Of course you can modify it to whatever suits your needs.

After you import the runbook, save it and run it for the first time, you may need to wait some time until all added updates are downloaded on your WSUS server. Remember that the download will be initiated only if you have at least one server assigned to your VMM baselines.

Next you can open for edit Update-BaseImageWS2012R2 SMA Runbook. Delete the contents in it and copy the following SMA runbook in it directly:

<#
Version 1.0
.SYNOPSIS
Update WS2012R2 image
#>

workflow Update-BaseImageWS2012R2
{
    # Connection to access VMM server.
    $VmmConnection = Get-AutomationConnection -Name 'VmmConnection'
    $VmmServerName = $VmmConnection.ComputerName

    # Create a PSCredential from the 'Username' and 'Password' fields within
    # 'VmmConnection' because this is the form of authentication that an
    # inlinescript accepts.
    $SecurePassword = ConvertTo-SecureString -AsPlainText -String $VmmConnection.Password -Force
    $VmmCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VmmConnection.Username, $SecurePassword

    # Connection to access WSUS Server
    $WSUS = Get-AutomationVariable -Name 'WSUSSERVER'
    # Connection to access VMM Library Server
    $VMMLibrary = Get-AutomationVariable -Name 'VMMLibraryServer'

    inlinescript {

        # Import VMM module.
        Import-Module VirtualMachineManager

        # Connect to VMM server.
        Get-SCVMMServer -ComputerName $Using:VmmServerName

        # Get all available updates on the WSUS content share
        $Updatelistcab = Get-ChildItem -Path "\\$using:WSUS\wsuscontent" -Include *.cab -Recurse -File
        $Updatelistmsu = Get-ChildItem -Path "\\$using:WSUS\wsuscontent" -Include *.msu -Recurse -File

        # Path for mounting (one of the folders created on the VMM server earlier)
        $OVPPath = "C:\ovpWS2012R2"

        # Get Path to Base Image
        $VHDGOLDPath = "\\$using:VMMLibrary\Base\WS2012R2VLBase.vhdx"

        # Get Path to Updated Image
        $VHDPath = "\\$using:VMMLibrary\Base\WS2012R2Updated.vhdx"

        # Check if Updated VHD exists and delete it
        $VHDexists = Test-Path $VHDPath
        If ($VHDexists) {
            Remove-Item $VHDPath
        }

        # Try to copy Base VHD; -ErrorAction Stop makes the failure reach the catch block
        try {
            Copy-Item $VHDGOLDPath $VHDPath -ErrorAction Stop
        }
        catch {
            Write-Output "GOLD VHD cannot be copied"
            throw
        }

        # Mount Image and try to update it from the WSUS updates
        try {
            Mount-WindowsImage -ImagePath "$VHDPath" -Path "$OVPPath" -Index 1 -ErrorAction Stop
        }
        catch {
            Write-Output "Cannot mount VHD"
            throw
        }

        # Apply each .cab that is applicable and not yet installed
        Foreach ($Updatecab in $Updatelistcab)
        {
            $UpdateReady = Get-WindowsPackage -PackagePath $Updatecab.FullName -Path "$OVPPath"
            If ($UpdateReady.PackageState -eq "installed")
            { Write-Output "$($UpdateReady.PackageName) is already installed" }
            elseif ($UpdateReady.Applicable)
            { Add-WindowsPackage -PackagePath $Updatecab.FullName -Path "$OVPPath" }
        }

        # Try every .msu; packages for other OS versions are rejected
        Foreach ($Updatemsu in $Updatelistmsu)
        {
            Add-WindowsPackage -PackagePath $Updatemsu.FullName -Path "$OVPPath"
        }

        # Try to dismount and save VHD
        try {
            Dismount-WindowsImage -Path "$OVPPath" -Save -ErrorAction Stop
        }
        catch {
            Write-Output "Cannot Dismount and save VHD"
        }

    } -PSComputerName $VmmServerName -PSCredential $VmmCredential
}

The runbook takes the WS 2012 R2 base image, makes a copy of it in the same folder under another name, mounts the copied image on a folder on the VMM server and starts updating it. Updating is done by taking all available updates on the WSUS content share and trying to apply them one by one. When it is done, the changes are committed. When running this runbook you may see a lot of errors and warnings, but this is normal, as many of the updates it tries to apply are not for this OS version and are just rejected. This solution for updating is taken from the Building Clouds blog and modified for our needs. Depending on your environment this runbook can even run for a couple of days.
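
Because the runbook treats rejected packages as normal noise, it is worth checking afterwards what actually landed in the updated image before publishing it. The following is an added example, not part of the original post or the Building Clouds script; the function name Get-OfflineImagePatchReport, its parameters and the scratch mount folder are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): mount the updated VHDX read-only
# and report which update packages the offline servicing run really applied.
# Get-OfflineImagePatchReport and its parameter names are hypothetical.

function Get-OfflineImagePatchReport {
    [CmdletBinding()]
    param(
        # Updated image produced by the runbook, e.g. ...\Base\WS2012R2Updated.vhdx
        [Parameter(Mandatory = $true)] [string] $ImagePath,
        # Empty scratch folder used only for this read-only mount
        [Parameter(Mandatory = $true)] [string] $MountPath,
        # KB numbers you expect to find in the image
        [string[]] $ExpectedKB = @()
    )

    if (-not (Test-Path -LiteralPath $ImagePath)) {
        throw "Image not found: $ImagePath"
    }
    if (-not (Test-Path -LiteralPath $MountPath)) {
        New-Item -ItemType Directory -Path $MountPath | Out-Null
    }
    elseif (Get-ChildItem -LiteralPath $MountPath -Force) {
        throw "Mount folder is not empty: $MountPath"
    }

    # -ReadOnly guarantees the check cannot modify the image it is auditing.
    Mount-WindowsImage -ImagePath $ImagePath -Path $MountPath -Index 1 -ReadOnly -ErrorAction Stop | Out-Null
    try {
        # Keep only packages whose name carries a KB number.
        $packages = @(Get-WindowsPackage -Path $MountPath -ErrorAction Stop | ForEach-Object {
            if ($_.PackageName -match 'KB\d+') {
                [pscustomobject]@{
                    KB          = $Matches[0].ToUpper()
                    State       = [string]$_.PackageState
                    ReleaseType = [string]$_.ReleaseType
                    InstallTime = $_.InstallTime
                }
            }
        })
    }
    finally {
        # Always release the mount; nothing was changed, so discard.
        Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
    }

    # Offline-serviced packages often stay 'InstallPending' until first boot,
    # so both states count as present in the image.
    $present = @($packages |
        Where-Object { $_.State -in 'Installed', 'InstallPending' } |
        Select-Object -ExpandProperty KB -Unique)

    # An expected KB can also be absent because a newer update superseded it,
    # so treat this list as items to review, not as proof of a failed run.
    $missing = @($ExpectedKB | ForEach-Object { $_.ToUpper() } | Where-Object { $_ -notin $present })

    [pscustomobject]@{
        ImagePath         = $ImagePath
        PackagesByState   = $packages | Group-Object State | Select-Object Name, Count
        NewestInstallTime = ($packages | Measure-Object InstallTime -Maximum).Maximum
        MissingKB         = $missing
        AllExpectedFound  = ($missing.Count -eq 0)
    }
}

# Example call; the server name is a placeholder and the KB is a sample value
# taken from the post:
# Get-OfflineImagePatchReport -ImagePath '\\<VMMLibraryServer>\Base\WS2012R2Updated.vhdx' `
#     -MountPath 'C:\ovpVerify' -ExpectedKB 'KB2966828'
```

Run it on the VMM server after the runbook finishes and publish the image only when MissingKB is empty or every entry in it has been explained.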

I will not post the Runbooks for the other two images as they are basically the same with a few modifications on names.

The last runbook Set-VHDProductKey is kind of optional. If you are deploying Windows Azure Pack VM Roles you might want to embed product keys into your updated VHDs:

<#
Version 1.0
.SYNOPSIS
Set Product Keys to VHDs
#>

workflow Set-VHDProductKey
{
    # Connection to access VMM server.
    $VmmConnection = Get-AutomationConnection -Name 'VmmConnection'
    $VmmServerName = $VmmConnection.ComputerName

    # Create a PSCredential from the 'Username' and 'Password' fields within
    # 'VmmConnection' because this is the form of authentication that an
    # inlinescript accepts.
    $SecurePassword = ConvertTo-SecureString -AsPlainText -String $VmmConnection.Password -Force
    $VmmCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VmmConnection.Username, $SecurePassword

    # Connection to access WSUS Server
    $WSUS = Get-AutomationVariable -Name 'WSUSSERVER'
    # Connection to access VMM Library Server
    $VMMLibrary = Get-AutomationVariable -Name 'VMMLibraryServer'

    inlinescript {

        # Import VMM module.
        Import-Module VirtualMachineManager

        # Connect to VMM server.
        Get-SCVMMServer -ComputerName $Using:VmmServerName

        # Library share name
        $VMMLibraryName = "Library"

        # Set KMS Key for WS 2008 R2 Datacenter
        $VHD2008R2 = Get-SCVirtualHardDisk | where -Property Location -eq "\\$using:VMMLibrary\$VMMLibraryName\WS2008R2.vhdx"
        Set-SCVirtualHardDisk -VirtualHardDisk $VHD2008R2 -ProductKey "74YFP-3QFB3-KQT8W-PMXWJ-7M648"

        # Set KMS Key for WS 2012 Datacenter
        $VHD2012 = Get-SCVirtualHardDisk | where -Property Location -eq "\\$using:VMMLibrary\$VMMLibraryName\WS2012.vhdx"
        Set-SCVirtualHardDisk -VirtualHardDisk $VHD2012 -ProductKey "48HP8-DN98B-MYWDG-T2DCC-8W83P"

        # Set Automatic Virtual Machine Activation Key for WS 2012 R2 Datacenter
        $VHD2012R2 = Get-SCVirtualHardDisk | where -Property Location -eq "\\$using:VMMLibrary\$VMMLibraryName\WS2012R2.vhdx"
        Set-SCVirtualHardDisk -VirtualHardDisk $VHD2012R2 -ProductKey "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"

    } -PSComputerName $VmmServerName -PSCredential $VmmCredential
}

You might want to change some values in it depending on where you store your VHDs.

Let's look at the whole process of this solution:

image

The step of copying the updated images to your VMM library is manual, but of course you can make that automatic. In fact you can make the whole solution automatic. There are certainly many ways to build this solution, like using Orchestrator instead of SMA, mounting the images on your SMA servers, etc.

I hope this will be a workable and useful solution for you.

Microsoft Azure Operational Insights Preview Series – Time Matters in Dashboard (Part 6)

So far I’ve covered almost every Intelligence Pack. Last week a new feature “My Dashboard” was released. This is one of the features I’ve voted on. With this short post I want to share a tip how to make your tiles in My Dashboard more useful.

When you create tiles in My Dashboard you may find that more information than needed is displayed.

You can have a query like this:

Type:RequiredUpdate UpdateClassification:"Security Updates"  Product:"Windows Server 2008 R2" or Product:"Windows Server 2012" or Product:"Windows Server 2012 R2"   | select UpdateTitle,KBID,UpdateClassification,UpdateSeverity,PublishDate,Server

image

Such a query will return a lot of results because it is based on the last 7 days. This is the default when you go to the search pane. Of course you can narrow down the time through the bar on the left, but if you save the query that narrowing of time will not be saved.

If you later use the same query in My Dashboard, you will end up with the result in Test instead of the result in Test2:

image

Test2 is more accurate in our case and it is simply achieved by adding a time constraint to our query:

Type:RequiredUpdate UpdateClassification:"Security Updates"  Product:"Windows Server 2008 R2" or Product:"Windows Server 2012" or Product:"Windows Server 2012 R2" TimeGenerated:NOW/DAY  | select UpdateTitle,KBID,UpdateClassification,UpdateSeverity,PublishDate,Server

image

As you can probably see, these events are always generated at midnight, and that is why I've chosen NOW, which gives me the current date and time; adding /DAY gives me midnight of the current date. Basically this query gives me the latest information on missing updates and not information that is 5 days old. That way your tiles become more meaningful.

image

Similarly, we can have this query:

Type:ProtectionStatus   | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank:270

image

This gives us inaccurate information about the current state. A simple time constraint statement results in accurate, up-to-date results:

Type:ProtectionStatus  TimeGenerated>NOW-2DAYS | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank:270

image

In this example I take the current date and time (NOW), go back two days (-2DAYS), and get every result after that point (TimeGenerated>).

With this query I can now have a tile that will be highlighted if the query returns a count of more than 2:

image

You can see that time matters in search queries, and especially in live tiles. A time constraint is also very useful when you search for information from a specific time frame in the past.
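To see why the time constraint changes the ProtectionStatus result, here is an added PowerShell illustration (not part of the original post and not Operational Insights code) that applies the same filter, max-by-device and rank steps to three constructed records. The device names, timestamps, the rank value 150 and the function name Get-DeviceAtRank are assumptions made for the example.

```powershell
# Constructed sample data standing in for Type:ProtectionStatus records (not real output).
$now = [datetime]'2014-10-20T09:30:00'    # fixed stand-in for NOW so the run is repeatable
$records = @(
    # srv01 reported rank 270 five days ago and has reported 150 since then.
    [pscustomobject]@{ DeviceName = 'srv01'; TimeGenerated = $now.AddDays(-5);  ProtectionStatusRank = 270 }
    [pscustomobject]@{ DeviceName = 'srv01'; TimeGenerated = $now.AddHours(-9); ProtectionStatusRank = 150 }
    # srv02 is at rank 270 right now.
    [pscustomobject]@{ DeviceName = 'srv02'; TimeGenerated = $now.AddHours(-9); ProtectionStatusRank = 270 }
)

# Mirrors: TimeGenerated>$After | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank:270
function Get-DeviceAtRank {
    param(
        [Parameter(Mandatory = $true)][object[]]$Records,
        [Parameter(Mandatory = $true)][datetime]$After,
        [int]$Rank = 270
    )
    $Records |
        Where-Object { $_.TimeGenerated -gt $After } |
        Group-Object -Property DeviceName |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName = $_.Name
                Rank       = ($_.Group | Measure-Object -Property ProtectionStatusRank -Maximum).Maximum
            }
        } |
        Where-Object { $_.Rank -eq $Rank }
}

# The three window starts discussed in the post.
$sevenDays = $now.AddDays(-7)   # default search window
$twoDays   = $now.AddDays(-2)   # NOW-2DAYS
$midnight  = $now.Date          # NOW/DAY: midnight of the current date

'Default 7-day window:'
Get-DeviceAtRank -Records $records -After $sevenDays | Format-Table -AutoSize
'TimeGenerated>NOW-2DAYS:'
Get-DeviceAtRank -Records $records -After $twoDays | Format-Table -AutoSize
"NOW/DAY resolves to $midnight"
```

Because the maximum is taken over every record in the window, a device that has since recovered keeps matching until its old record ages out, which is what makes an unconstrained tile misleading.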

Adding Windows Server Gateway Cluster as Network Service in VMM 2012 R2 UR2 for Monitoring with SCOM

Not so long ago I reported an issue where Multi-Tenant RRAS (Windows Server Gateway) is not discovered by the Multi-Tenant RRAS Management Pack. This problem has been fixed in Update Rollup 2 for System Center 2012 R2 Virtual Machine Manager. If you add Windows Server Gateways as a Network Service in VMM as usual, you will not notice a difference in the wizard, and after the gateway is added successfully you will probably still have to create that Client Access Point resource manually. That is because the fix is not exposed directly in the wizard; it is a parameter that you have to provide in the connection string. There are actually two parameters:

  • MPDiscovery=true
  • MPDiscoveryIPAddress=<IP if static>

The MPDiscovery parameter is mandatory, and MPDiscoveryIPAddress is required when you are not using DHCP for your gateway clusters.

In the end it will look something like this:

image

Keep in mind that this works on newly added Network Services with VMM 2012 R2 UR2 and it is only needed for Windows Server Gateway clusters. For existing Windows Server Gateway clusters you have to apply the workaround in my article.

Thank you Microsoft for fixing this bug and providing the information.

Note: The IP that is entered for the parameter is from your management network subnet and not the public one.

Update

————————————————

When you use the solution described above, a new Client Access Point resource will be created on the cluster. That resource will have the name cluster01rsip, where cluster01 is the name of your cluster. Basically the solution takes your cluster name and appends “rsip” to form the name of the Client Access Point. The Client Access Point resource creates a computer object in AD, and if your cluster name is longer than 11 characters you may exceed the 15-character limit when rsip is added. In such cases whatever exceeds 15 characters will be cut off, and you will have two cluster objects in your SCOM server: one with the full name and one with the truncated name. There is a way to have your Client Access Points created with a suffix other than “rsip” that has fewer characters. Just create a string-type registry value with the name HNVGatewayRRASNetworkNameSuffix

in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings

on your VMM server/s. For example, if your cluster is named cluster01 and you create that registry value with the data “r”, your Client Access Point will be cluster01r.

————————————————-
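The length check and the registry change from the update above can be scripted. This is an added PowerShell example, not code from the original post or from Microsoft. The cluster name hnvgwcluster01, the suffix value and the function name Get-ClientAccessPointName are constructed for illustration, and it assumes an elevated session on the VMM server.

```powershell
# Assumption: run elevated on each VMM server. $ClusterName and $Suffix are example values.
$ClusterName = 'hnvgwcluster01'   # constructed 14-character cluster name
$Suffix      = 'r'                # shorter replacement for the default "rsip"

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings'
$ValueName = 'HNVGatewayRRASNetworkNameSuffix'
$MaxLength = 15                   # character limit named in the post

# Reports the Client Access Point name a suffix would produce and whether it gets cut off.
function Get-ClientAccessPointName {
    param([string]$Cluster, [string]$NameSuffix)
    $full = $Cluster + $NameSuffix
    [pscustomobject]@{
        Requested = $full
        Length    = $full.Length
        Truncated = $full.Length -gt $MaxLength
        Effective = $full.Substring(0, [Math]::Min($full.Length, $MaxLength))
    }
}

# Compare the default suffix with the planned one before touching the registry.
Get-ClientAccessPointName -Cluster $ClusterName -NameSuffix 'rsip'
$planned = Get-ClientAccessPointName -Cluster $ClusterName -NameSuffix $Suffix
$planned

if ($planned.Truncated) {
    throw "'$($planned.Requested)' is longer than $MaxLength characters; choose a shorter suffix."
}
if (-not (Test-Path -Path $KeyPath)) {
    throw "VMM Settings key not found; run this on the VMM server."
}

# Create (or overwrite) the string value, then read it back to confirm.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $Suffix -Force | Out-Null
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```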

Microsoft Azure Operational Insights Preview Series – Change Tracking (Part 5)

As System Center Advisor is in Preview there are a lot of changes. One such change is a new Intelligence Pack: Change Tracking.

image

The name explains it clearly: it tracks changes. On the main tile you will see the number of Software and Windows Services changes happening every day. Currently the Change Tracking Intelligence Pack has those two features: tracking software changes and tracking Windows Services changes. On the Advisor User Voice site there are more suggestions for features for this Intelligence Pack, and I am sure that the Advisor team will add more with time. Let’s click on the tile and dive deeper:

image

image

We have the familiar interface of graphics and statistics in Advisor. If we look at the Software Changes I can quickly see that I have three software changes. Let’s click on every one of them and see the results:

Of course the result is produced by a query. I’ve found that this management pack is being modified all the time, so I guess that is the way the MP is built.

image

Let’s move to the next one:

image

You can see that the software Microsoft Azure Site Recovery Provider (x64) has been modified on my VMM server. You may ask what “modified” means. As I was playing with that software, I removed it and installed it again. So instead of having two separate events for this, Advisor gives one single event. If you ask me that is the right way, because with two events you may miss one of them, for example, and think that the software was completely removed. I guess if there is a bigger interval between the removal and the installation then maybe we will have separate events.

And the third result:

image

Here you can see that I’ve installed a management pack in my SCOM server.

To get the Services changes I will go directly to a query:

Type=ConfigurationChange ConfigChangeType:WindowsServices SvcName!=AeLookupSvc SvcName!=BITS SvcName!=wuauserv SvcName!=WinHttpAutoProxySvc SvcName!=wmiApSrv SvcName!=TrustedInstaller SvcName!=sppsvc SvcName!=RemoteRegistry SvcName!=CcmExec SvcName!=ccmsetup SvcName!=msiserver SvcName!=WPDBusEnum SvcName!=AppXSvc SvcName!=defragsvc SvcName!=ddpsvc SvcName!=smphost SvcName!=WerSvc SvcName!=ScDeviceEnum SvcName!=WdiSystemHost

With such a query I see all service changes while excluding certain services from the result:

image

With a similar query you can search, for example, for service changes on specific server/s or for changes to specific service/s.

I hope this gives you some view of this new Intelligence Pack. I really like this Intelligence Pack; it is my second favorite after Log Management.

One thing that I saw was missing is that on Software changes you cannot see the user who made the change, but I guess that can easily be added later.

Error Code:10002 When You Configure Cloud for Protection in Azure Site Recovery

Recently I’ve been dealing with a wide range of technologies: Windows Server and System Center stuff, PowerShell/SMA Workflows, DevOps, Azure IaaS, Azure RemoteApp and Azure Site Recovery. This is part of my plan for expanding my knowledge.

Anyway, this blog post will be focused on an error that I’ve stumbled upon twice when configuring Azure Site Recovery. After you’ve added your VMM server/s in ASR your next step will be to configure protection on Cloud. I went through that step, but when configuration of my target and source Clouds started the jobs suddenly failed for both of them with the same error:

VMM Server VMM.Contoso.com couldn’t be configured (Error code: 10002).

Provider error: A request couldn’t be validated with the vault key. To ensure that the VMM server has a valid vault key, run the provider installation wizard on the VMM server and paste in the current key from the Vault Key page in Quick Start. If this doesn’t regenerate the key. This will replace the previous key and update the key settings on VMM servers in the vault. Than retry the operation. (Provider error code: 31255)

Possible cause: The VMM Service might not have the required permissions to install the certificate on the Trusted Root CA store.

Recommendation: Verify the permissions and retry again.

image

So I’ve registered my VMM servers in ASR successfully and my VMM service account has administrator rights on the VMM servers but still I had this error. The workaround is simple:

Open MMC. Open the Local Computer certificate store. Go to the Personal certificate store. Find all certificates deployed by ASR. You will spot them easily. Copy the ASR certificates from the Personal store to the Trusted Root Certification Authorities store. If you have a VMM cluster you will need to export the certificates and deploy them on the passive node also. If you are configuring protection from one VMM instance to another VMM instance you will probably need to do that on both VMM servers.

image

After that you should restart the job for enabling protection on Cloud in ASR and the job should complete successfully this time.
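The same workaround can be scripted so that only certificates you have reviewed end up in the trusted root store. This is an added PowerShell example, not code from the original post or from Microsoft. The function name Copy-CertificateToTrustedRoot and the thumbprint placeholder are hypothetical, and it assumes the public certificate alone is enough for the trust check, so the private key stays in the Personal store.

```powershell
# Assumption: run elevated on the VMM server. Nothing is copied until you pass
# thumbprints you have reviewed; the post does not state how ASR certificates are named.
function Copy-CertificateToTrustedRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$Thumbprint
    )
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($tp in $Thumbprint) {
            # Fails loudly if the thumbprint is not in LocalMachine\My (Personal).
            $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction Stop

            # Rebuild the certificate from its raw bytes so only the public part is copied.
            $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cert.RawData)

            if ($PSCmdlet.ShouldProcess($cert.Subject, 'Add to LocalMachine\Root')) {
                $root.Add($public)
            }
        }
    }
    finally {
        $root.Close()
    }
}

# Step 1: review what is in the Personal store, newest first, and note the ASR thumbprints.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Sort-Object -Property NotBefore -Descending |
    Format-Table -Property Thumbprint, Subject, Issuer, NotBefore, NotAfter -AutoSize

# Step 2: dry run first, then repeat without -WhatIf.
# Copy-CertificateToTrustedRoot -Thumbprint '<THUMBPRINT-FROM-STEP-1>' -WhatIf

# Passive cluster node: export the public certificate here, import it into Root there.
# Export-Certificate -Cert "Cert:\LocalMachine\My\<THUMBPRINT-FROM-STEP-1>" -FilePath C:\Temp\asr.cer
# Import-Certificate -FilePath C:\Temp\asr.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Every certificate in the trusted root store is trusted machine-wide, so keep a record of the thumbprints you add so they can be removed once the underlying issue is fixed.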