Category Archives: Microsoft

GRE Tunneling with NVGRE Gateways and SCVMM 2012 R2 UR5

The GRE tunneling option was enabled with Update Rollup 5 in SCVMM 2012 R2, but to fully enable it you had to install an update on the NVGRE Gateways. I predicted that such a hotfix would be available soon, and now it is out. You can find it here and enable the full scenario with VMM and NVGRE Gateways. Here are some of the scenarios that you can use this feature for. The documentation is for vNext, but this feature is now enabled in Windows Server 2012 R2 and System Center 2012 R2.

Update:

To enable it, download and install the hotfix on your NVGRE Gateways; a restart will be required. Make sure your SCVMM 2012 R2 server is at Update Rollup 5. Refresh your gateways in the VMM console -> Fabric pane -> Networking -> Network Service -> right-click the gateway and choose Refresh. Open the properties of a gateway, go to the Provider tab and click Test. After that you will be able to add a GRE tunnel for a VM Network when you have a gateway attached to that network.


Microsoft Azure Operational Insights Preview Series – Removing Legacy Configuration Assessment (Part 13)

Previously on Microsoft Azure Operational Insights Preview Series:

To be honest, I do not use the legacy Configuration Assessment in Azure Operational Insights. It is just not relevant for me at this time. I do not know if this function will be removed in the future, but it seems that it will be replaced by other Intelligence Packs. In the past I’ve disabled that feature by simply deselecting all rules in it:

Configuration Assessment tile –> Alerts Tile –> View all alerts –> Manage Alerts –> Available alerts rules

image

image

image

image

image

But now via Twitter, through Daniele Muscetta, I’ve found out that you can actually remove Configuration Assessment like a modern Intelligence Pack:

image

After that you will no longer see Configuration Assessment tile on your dashboard and data for it will not be gathered.

If you want, of course, you can enable it again at any time:

image

Microsoft Azure Operational Insights Preview Series – AD Assessment (Part 12)

Previously on Microsoft Azure Operational Insights Preview Series:

There is a new Intelligence Pack on the horizon. This IP uses the same model for information as the SQL Assessment IP. You can just go to the Intelligence Pack Gallery and add it:

image

After adding it you will need to wait up to 4 hours until you see some results:

image

As far as I understand you do not need special accounts to make it work. You may need to bounce the SCOM agent on the domain controllers to make it work according to Daniele Grandini, Tao Yang and Cameron Fuller.

After those 4 hours you should start to see that tile filled with information:

image

Digging into it, it has the same look and feel as the SQL Assessment IP:

image

Let’s see what a recommendation looks like:

image

Clicking on one of the affected objects goes to Search:

image

As this IP follows the same structure as the SQL Assessment one you can use similar or the same queries to find the information you need.

And btw, after adding it we’ve found a real-world problem through the recommendations from the AD Assessment IP. This is a very nice addition to the Azure Operational Insights service.

Microsoft Azure Operational Insights Preview Series – Usability Improvements (Part 11)

Previously on Microsoft Azure Operational Insights Preview Series:

Over the last couple of months the Azure Operational Insights team has made several changes that improve the overall usability of the service. This post aims to introduce them to you.

1. Overview page

If we look at the Overview page, we will see that all the Management tiles (I couldn’t think of a better name) are now on the right side. Previously some of them were on the left side. Any legacy menus are removed. That way the experience starts to look more and more like the one in the new Azure Preview portal.

image

2. Filter Experience

The filter experience is now clearer. Since the introduction of saved queries the filter was moved from the left to the right side. In the latest updates it is better sized, shows better suggestions depending on your query, and instead of scrolling down endlessly there is now a +Add button with which you can add more fields if you like.

image

image

3. Search Autocomplete

The biggest improvements are in Search. When you type a query, Search will show you suggestions from recent searches, saved searches, available fields and commands. This brings a kind of IntelliSense experience. Suggestions are shown while you type and change dynamically.

image

4. Renaming in SCOM

Update Rollup 5 for System Center Operations Manager 2012 R2 renames System Center Advisor to Azure Operational Insights in the Administration pane.

image

I really like those changes as they improve the overall experience and usability of Azure Operational Insights.

Introduction to Team Access Control for Azure Pack

Team Access Control is a new third-party Resource Provider for Azure Pack. Along with UR5 for Azure Pack, this resource provider is now available through the Web Platform Installer.

This blog post aims to give you an initial look at the installation and configuration of this Resource Provider and what it offers. The Resource Provider is a paid solution and this blog post does not aim at marketing and selling it.

So let’s get started. As I’ve said, it is available in the Web Platform Installer, and after you install Web PI you can easily get the setup with simple commands. Web PI has a command-line tool with which we can list all solutions available for install/download:

webpicmd.exe /list /listOption:all

image

Searching through the list we find the RP, and we can download the setup with a simple command:

webpicmd.exe /offline /Products:TAC_WAP_Extensions /Path:D:\WAP

image

When the command finishes we have the setup itself:

image

We can copy that setup to our WAP server and install it. In my example I have one WAP server with all web sites/roles installed on it, so I will install all web sites/roles of TAC RP on the WAP server. The RP itself supports installing the different web sites on different servers, so you can have a more distributed, production-style deployment. There is a guide with instructions which I will reference later.

So let’s start the setup on our WAP server:

image

image

I select all roles for install:

image

image

image

image

image

When the installation finishes we can log on to the Azure Pack Admin Portal and check the RP:

image

There on the first page you will find instructions on how to configure it, like every other RP.

The first step will open a link to a PDF guide. There you will find information on how to do the configuration in different scenarios. I will do the configuration myself and will let you know about any caveats you may stumble upon.

The configuration is simple and basically consists of one command that you need to execute. The command changes the configuration of the web service for TAC RP and connects the web service to the SQL server that you use for the WAP databases. TAC RP has a database of its own that you will need to host. As the DB is not resource intensive, you can safely locate it alongside the WAP databases. To execute that configuration command you need to generate random passwords and an encryption key. To ease this, TAC RP has a command that generates such keys for you, which you can later store in a safe location.

You need to start PowerShell in admin mode on the WAP server where TAC RP is installed and navigate to the TAC RP installation folder. Then you can execute the following command:

.\TACConfig.exe -action:genkeys

image

The keys are generated along with the actual parameters that are needed for the configuration command. Keep in mind that the encryption key ends right before PS C:\Program Files\Terawe\TAC4WAPack\bin>

Now that we have those passwords we can execute the configuration command. Keep in mind that when you copy such commands directly, some symbols like – may not be copied correctly, so it is always good to check them in Notepad.

.\TACConfig.exe -action:install -path:C:\inetpub\TAC4WAPack\Web.Config -apiusername:TACApiClient -tenantpublicapiurl:https://WAPServer.contoso.com:30006/ -sqlserver:WAPSQL.contoso.com -dbuserpwd:RpOJ9IwAUJhnk1QA/0CnlvDahIaG7UF8eOZ9rJDhPpw= -apiuserpwd:BM4z/WebcsJ5YSmHdlkxgavGx3T3h9xjrI9AeGiSWUE= -encryptkey:Hho+lGf8YviXS0+saxlOsEsqT+OUGX2lgda+liB88do=

image

So the -action parameter says install. The -path parameter is the location of the web config file for TAC RP. The -apiusername parameter can be any user you want to be created. The -tenantpublicapiurl parameter is the Tenant Public API URL. The -sqlserver parameter is the SQL server where you want to put the DB for TAC RP. The last three parameters you can copy directly from the command that generated them.
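A pre-run check for the copy problems mentioned above (typographic dashes, a command wrapped across lines, a key copied short or together with the prompt), as an added example that is not part of the original post or of TAC RP. The function name and sample values are constructed, and it assumes the three generated values are base64 as they appear in the command above.

```powershell
# Added example: checks a pasted TACConfig command line before it is run.
# Assumption: the three generated values are base64, as in the command shown above.
function Test-TacCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $issues = @()

    # A wrapped paste splits a parameter in two (for example "-ap" / "iuserpwd").
    if ($CommandLine -match '[\r\n]') { $issues += 'contains a line break' }

    # Anything outside printable ASCII: en/em dashes, smart quotes, non-breaking spaces.
    foreach ($m in [regex]::Matches($CommandLine, '[^\x20-\x7E\r\n]')) {
        $issues += ('non-ASCII character U+{0:X4} at offset {1}' -f ([int][char]$m.Value), $m.Index)
    }

    # Split each -name:value token on the first colon only (the URL contains more).
    foreach ($t in ($CommandLine -split '\s+' | Where-Object { $_ -like '-*:*' })) {
        $name, $value = $t.Substring(1) -split ':', 2
        if ($name -in 'dbuserpwd', 'apiuserpwd', 'encryptkey') {
            try   { [void][Convert]::FromBase64String($value) }
            catch { $issues += "-$name does not decode as base64 (cut short or over-copied?)" }
        }
    }

    [pscustomobject]@{ Ok = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample values; not real secrets.
$b64    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('constructed-sample-value-0123456'))
$enDash = [char]0x2013

$clean  = ".\TACConfig.exe -action:install -tenantpublicapiurl:https://WAPServer.contoso.com:30006/ -encryptkey:$b64"
# En dash in front of "action", and the prompt's "PS" copied onto the end of the key.
$pasted = ".\TACConfig.exe ${enDash}action:install -encryptkey:${b64}PS"

Test-TacCommandLine $clean  | Format-List
Test-TacCommandLine $pasted | Format-List
```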

After you run the command you should see a success message.

You can now again open Azure Pack Admin portal. In TAC RP you now can register the TAC API.

image

For REST API Endpoint you point to where TAC RP was installed, in our case the WAP server. User Name and password are the same ones you’ve used in the configuration command.

You will see a success message when the registration is successful:

image

After that you can start using the Team Access Control Resource Provider. Let’s see a simple example of how you can use it.

The goal of TAC RP is to have two groups of users. The first group is Managers, who have full subscription rights for the VM Clouds Resource Provider. The second group is Members, who can have less or equal access to Virtual Machines and VM Clouds resources. Managers can delegate access and resources to members for the VM Clouds Resource Provider. Simply put, Team Access Control achieves role-based access for the VM Clouds Resource Provider.

Let’s first start by creating a hosting plan for Managers group.

image

This hosting plan needs to have resources from VM Clouds and Team Manager.

image

image

Once the plan is created, let’s go and configure VM Clouds for that plan. There is nothing special in configuring VM Clouds for it. Just use the configurations you usually do.

image

Next you need to configure Team Manager for that plan. Let’s say we will have maximum 10 teams for this plan and save it:

image

Now let’s create another plan for Members:

image

This hosting plan will be attached only to Team Member service:

image

image

This plan does not need any configuration.

Next we can make both plans public:

image

Now we need to create a user and subscription and assign it to the Managers plan:

image

Let’s also create user and subscription and assign it to Members plan:

image

If you go to VMM you will see that a User role is created only for the manager user, as only that user/subscription is assigned to VM Clouds:

image

Now let’s login to Azure Pack Tenant portal with manager user:

image

Once we are logged on, the first thing we need to do is open https://WAPserver.contoso.com:Port/publishsettings . When you open it, the browser will ask you to save a file. Save it.

image

When you download that file you go again to Tenant portal –> Team Manager –> Management Certificates –> Upload

image

You need to upload that same file.

This configuration is important as it will enable members to be able to do actions.

Our next step as manager is to create a team.

image

image

Once we have a team we can assign quota to that team in the form of cores and memory:

image

After creating this team we can dive deep into that team by clicking on it. There we have option to add members to that team.

image

Once we add that member to that team we can also specify quota for that specific member:

image

image

The cool part is that on the Subscription of the Manager you can see how many members and teams you have:

image

Now let’s login as member and see what we have available:

image

As you can see we have only one Resource provider and that is Team Member:

image

Under there we can see our assigned quota:

image

On Virtual Machines you will see the virtual machines you have access to.

image

Of course to have that you will need to create VMs:

image

image

In VMM the VM is created on behalf of the Manager subscription:

image

Team Managers can also see it:

image

You can be more granular on permissions for VMs by creating a role:

image

Then you can add members to that role:

image

And assign permissions to that role for a VM:

image

So you can have only certain set of VM permissions for those members:

image

 

It is good to know about some limitations for members:

  • Members cannot deploy Gallery Items
  • Members cannot connect to Remote Console

Hope this introduction was useful for you.

Azure Pack / SCVMM NAT Rule Port Ranges

When you are creating NAT rules either in VMM or Azure Pack, you should know there are some limitations on Source and Destination Ports. When we open the Azure Pack Tenant portal and go to our VM Network, then to Rules, there is an Add button at the bottom. This assumes that you’ve already enabled NAT for that VM Network. When you click Add the following dialog appears:

image

The name of the NAT rule does not necessarily need to be unique. What needs to be unique for a VM Network/NAT connection is the pair of Source Port and Protocol.

Now about the port ranges for Source and Destination:

  • There are no limitations for Destination Port other than the standard one. There you can put any number from 1-65535.
  • For Source Port you can only put a number in the range 1-49151. The reason behind this is probably that ports above 49151 are used by the gateway itself.

The same rules apply when you use VMM PowerShell or VMM console.
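The limits above can be checked over a whole rule set before any rule is submitted. This is an added example, not code from the original post or from VMM; the function name, the rule objects and their property names are constructed for illustration and use the post's own terms (Source Port, Destination Port, Protocol).

```powershell
# Added example: rule objects and property names are constructed for illustration.
function Test-NatRuleSet {
    param([Parameter(Mandatory)][object[]]$Rules)

    $seen = @{}   # "PROTOCOL/SourcePort" -> name of the first rule that claimed it
    foreach ($r in $Rules) {
        $problems = @()

        # Source port is limited to 1-49151.
        if ($r.SourcePort -lt 1 -or $r.SourcePort -gt 49151) {
            $problems += "source port $($r.SourcePort) is outside 1-49151"
        }
        # Destination port only has the standard 1-65535 limit.
        if ($r.DestinationPort -lt 1 -or $r.DestinationPort -gt 65535) {
            $problems += "destination port $($r.DestinationPort) is outside 1-65535"
        }
        # Uniqueness is on source port + protocol, not on the rule name.
        $key = '{0}/{1}' -f $r.Protocol.ToUpperInvariant(), $r.SourcePort
        if ($seen.ContainsKey($key)) {
            $problems += "$key is already used by rule '$($seen[$key])'"
        } else {
            $seen[$key] = $r.Name
        }

        [pscustomobject]@{
            Name     = $r.Name
            Key      = $key
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample rules for one VM Network / NAT connection.
$rules = @(
    [pscustomobject]@{ Name = 'web'; Protocol = 'TCP'; SourcePort = 443;   DestinationPort = 443 }
    [pscustomobject]@{ Name = 'web'; Protocol = 'TCP'; SourcePort = 8443;  DestinationPort = 443 }   # same name: allowed
    [pscustomobject]@{ Name = 'dns'; Protocol = 'UDP'; SourcePort = 443;   DestinationPort = 53 }    # same port, other protocol: allowed
    [pscustomobject]@{ Name = 'rdp'; Protocol = 'TCP'; SourcePort = 50000; DestinationPort = 3389 }  # source port too high
    [pscustomobject]@{ Name = 'alt'; Protocol = 'tcp'; SourcePort = 443;   DestinationPort = 8080 }  # duplicates web on TCP/443
)

Test-NatRuleSet -Rules $rules | Format-Table -AutoSize
```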

You can find more about ports here.

Install SMB Share SCVMM 2012 R2 UR5 UI Hotfix

With UR5 there is a bug in the UI that does not show SMB file shares when you try to deploy an HA VM or do a storage migration to an SMB share. The functionality still worked when you used PowerShell.

Microsoft quickly released a hotfix for that, located here. When you request it, download it and extract it, it is just one dll file:

  • Microsoft.VirtualManager.UI.CommonControls.dll

That dll is only for the VMM console.

You need to copy it to:

%ProgramFiles%\Microsoft System Center 2012 R2\Virtual Machine Manager\bin

Of course %ProgramFiles% is the location where your VMM console is installed.

When you copy it, it will replace the existing dll file. You will need to close all VMM consoles on that server in order to be able to replace it.

After that you should no longer have that UI bug on that server when you start VMM console.
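The copy steps above as a script that also verifies the file before it lands in the console's bin folder and keeps a backup for rollback. This is an added example, not part of the original post or the KB article; it assumes the hotfix was extracted to D:\Hotfix, that the DLL is Authenticode-signed by Microsoft, and that the VMM console process is named VmmAdminUI.

```powershell
# Added example. Assumptions: the hotfix was extracted to D:\Hotfix, the DLL is
# Authenticode-signed by Microsoft, and the VMM console process is VmmAdminUI.
$dllName = 'Microsoft.VirtualManager.UI.CommonControls.dll'
$newDll  = Join-Path 'D:\Hotfix' $dllName
$binDir  = Join-Path $env:ProgramFiles 'Microsoft System Center 2012 R2\Virtual Machine Manager\bin'
$target  = Join-Path $binDir $dllName

# 1. Refuse an unsigned or modified file before it goes into the console's bin folder.
$sig = Get-AuthenticodeSignature -FilePath $newDll
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${newDll}: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. The existing file cannot be replaced while a console is open on this server.
if (Get-Process -Name 'VmmAdminUI' -ErrorAction SilentlyContinue) {
    throw 'Close all VMM consoles on this server, then run again.'
}

# 3. Keep the original so the change can be rolled back.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $target, (Get-Date)
Copy-Item -LiteralPath $target -Destination $backup

# 4. Replace the DLL and confirm the copy is byte-identical to the verified file.
Copy-Item -LiteralPath $newDll -Destination $target -Force
$src = (Get-FileHash -LiteralPath $newDll -Algorithm SHA256).Hash
$dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($src -ne $dst) { throw 'Copied file does not match the verified hotfix file.' }

[pscustomobject]@{ Replaced = $target; Backup = $backup; SHA256 = $dst }
```

Run it from an elevated PowerShell session, since the target folder is under %ProgramFiles%.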

Update: Please hold off applying the hotfix as more hotfixes are expected to be released and it will be easier to apply them in bulk.

Update 2: Hotfix has been republished along with other fixes. Instructions for deployment are in the KB article.