Category Archives: Microsoft

Introduction to Team Access Control for Azure Pack

Team Access Control is a new third-party Resource Provider for Azure Pack. Along with UR5 for Azure Pack, this resource provider is now available through the Web Platform Installer.

This post aims to give you an initial look at the installation and configuration of this Resource Provider and what it offers. The Resource Provider is a paid solution; this post does not aim to market or sell it.

So let's get started. As mentioned, it is available through the Web Platform Installer, and once you install Web PI you can get the setup with a couple of commands. Web PI has a command line tool that lists all products available for install/download:

webpicmd.exe /list /listOption:all

image

Searching through the list we find the RP, and we can download the setup with a single command:

webpicmd.exe /offline /Products:TAC_WAP_Extensions /Path:D:\WAP

image

When the command finishes we have the setup itself:

image

We can copy that setup to our WAP server and install it. In my example I have one WAP server with all web sites/roles installed on it, so I will install all web sites/roles of the TAC RP on that WAP server. The RP itself supports installing the different web sites on different servers, so you can have a more distributed, production-grade deployment. There is a guide with instructions, which I will reference later.

So let’s start the setup on our WAP server:

image

I select all roles for install:

image

When the installation finishes we can logon to the Azure Pack Admin Portal and check the RP:

image

There, on the first page, you will find instructions on how to configure it, like every other RP.

First step will open a link to a PDF guide. There you will find information on how to do the configuration in different scenarios. I will do the configuration myself and will let you know for any caveats you may stumble upon.

The configuration is simple and basically consists of one command. The command changes the configuration of the TAC RP web service and connects that web service to the SQL server you use for the WAP databases. TAC RP has a database of its own that you need to host; as the DB is not resource intensive, you can safely locate it alongside the WAP databases. To execute the configuration command you need to generate random passwords and an encryption key. To ease this, TAC RP has a command that generates such keys for you; store them in a safe location (a password vault, not the blog post or a ticket) once generated.

Start PowerShell as administrator on the WAP server where TAC RP is installed and navigate to the TAC RP installation folder. Then execute the following command:

.\TACConfig.exe -action:genkeys

image

The keys are generated along with the actual parameters needed for the configuration command. Keep in mind that the output runs straight into the next prompt, so the encryption key ends right before PS C:\Program Files\Terawe\TAC4WAPack\bin> and the prompt text is not part of the key.

Now that we have those passwords we can execute the configuration command. Keep in mind that when you copy such commands directly, some symbols such as - may be replaced by a Unicode dash, so always check them in Notepad first.

.\TACConfig.exe -action:install -path:C:\inetpub\TAC4WAPack\Web.Config -apiusername:TACApiClient -tenantpublicapiurl:https://WAPServer.contoso.com:30006/ -sqlserver:WAPSQL.contoso.com -dbuserpwd:RpOJ9IwAUJhnk1QA/0CnlvDahIaG7UF8eOZ9rJDhPpw= -apiuserpwd:BM4z/WebcsJ5YSmHdlkxgavGx3T3h9xjrI9AeGiSWUE= -encryptkey:Hho+lGf8YviXS0+saxlOsEsqT+OUGX2lgda+liB88do=

image

So -action is install. -path is the location of the Web.config file for TAC RP. -apiusername is the name of the API user you want created. -tenantpublicapiurl is the WAP Tenant Public API URL. -sqlserver is the SQL server where the TAC RP database will be created. The last three parameters you copy directly from the command that generated them. Treat them as secrets: the values shown in this post are an example only and must not be reused.
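The dash and copy-paste caveat above is easy to get wrong, so here is an added example (not from the original post and not part of the Terawe product) that checks a pasted TACConfig.exe command line before running it: it normalises Unicode dashes to ASCII hyphens, rejects tokens broken by a line wrap, confirms the three generated secrets are well-formed Base64, and only then calls the tool. The parameter names and install path are those from the post; the expectation that each secret decodes to 32 bytes is an assumption based on the 44-character keys shown above.

```powershell
function Invoke-TacConfigChecked {
    param(
        [Parameter(Mandatory)] [string]$PastedArgs,   # everything after ".\TACConfig.exe", as pasted
        [string]$TacBin = 'C:\Program Files\Terawe\TAC4WAPack\bin\TACConfig.exe'
    )

    # Word and most blog engines turn "-" into U+2013/U+2014; TACConfig.exe needs ASCII hyphens.
    $argLine = $PastedArgs -replace '[\u2013\u2014\u2212]', '-'

    # Tokens are "-name:value"; none of the values contain whitespace.
    $tokens = @($argLine -split '\s+' | Where-Object { $_ })
    $params = @{}
    foreach ($t in $tokens) {
        if ($t -match '^-(?<name>[A-Za-z]+):(?<value>.+)$') {
            $params[$Matches.name.ToLower()] = $Matches.value
        } else {
            throw "Unrecognised token '$t': a line break in the pasted command or a mangled dash"
        }
    }

    foreach ($name in 'action','path','apiusername','tenantpublicapiurl','sqlserver','dbuserpwd','apiuserpwd','encryptkey') {
        if (-not $params.ContainsKey($name)) { throw "Missing parameter -$name" }
    }
    if ($params['action'] -ne 'install') { throw "Expected -action:install, got -action:$($params['action'])" }
    if (-not (Test-Path $params['path'])) { throw "Web.config not found at $($params['path'])" }
    if ($params['tenantpublicapiurl'] -notmatch '^https://') { throw 'Tenant Public API URL must use https' }

    # The generated secrets are Base64; a truncated key, or one with the PS prompt glued on,
    # fails to decode or decodes to the wrong length. 32 bytes is an assumption (44-char keys).
    foreach ($name in 'dbuserpwd','apiuserpwd','encryptkey') {
        try { $bytes = [Convert]::FromBase64String($params[$name]) }
        catch { throw "-$name is not valid Base64; re-copy it from the genkeys output" }
        if ($bytes.Length -ne 32) { throw "-$name decodes to $($bytes.Length) bytes, expected 32" }
    }

    # Pass the tokens as an array so PowerShell does not re-parse the Base64 values.
    & $TacBin $tokens
    if ($LASTEXITCODE -ne 0) { throw "TACConfig.exe exited with code $LASTEXITCODE" }
}

# Sample call with the parameters from the post (these keys are published and must not be reused):
Invoke-TacConfigChecked -PastedArgs '-action:install -path:C:\inetpub\TAC4WAPack\Web.Config -apiusername:TACApiClient -tenantpublicapiurl:https://WAPServer.contoso.com:30006/ -sqlserver:WAPSQL.contoso.com -dbuserpwd:RpOJ9IwAUJhnk1QA/0CnlvDahIaG7UF8eOZ9rJDhPpw= -apiuserpwd:BM4z/WebcsJ5YSmHdlkxgavGx3T3h9xjrI9AeGiSWUE= -encryptkey:Hho+lGf8YviXS0+saxlOsEsqT+OUGX2lgda+liB88do='
```

If you paste the two-line version of the command as it appears on some pages, the wrapped "-ap" / "iuserpwd:" pair fails the token check instead of silently producing a wrong API password.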

After you run the command you should see successful message.

You can now again open Azure Pack Admin portal. In TAC RP you now can register the TAC API.

image

For REST API Endpoint, point to the server where TAC RP was installed (the WAP server in our case). User Name and Password are the -apiusername and -apiuserpwd values you used in the configuration command.

You will see successful message when registration is successful:

image

After that you can start using Team Access Control Resource Provider. Let’s see simple example on how you can use it.

The goal of TAC RP is to have two groups of users. The first group is Managers, who have full subscription rights for the VM Clouds Resource Provider. The second group is Members, who get less than or equal access to Virtual Machines and VM Clouds resources. Managers delegate access and resources to Members for the VM Clouds Resource Provider. Simply put, Team Access Control provides role-based access for the VM Clouds Resource Provider.

Let’s first start by creating a hosting plan for Managers group.

image

This hosting plan needs to have resources from VM Clouds and Team Manager.

image

Once plan is created let’s go and configure VM Clouds for that plan. There is nothing special in configuring VM clouds for it. Just use the configurations you usually do.

image

Next you need to configure Team Manager for that plan. Let’s say we will have maximum 10 teams for this plan and save it:

image

Now let’s create another plan for Members:

image

This hosting plan will be attached only to Team Member service:

image

This plan does not need any configuration.

Next we can make both plans public:

image

Now we need to create a user and subscription and assign it to the Managers plan:

image

Let’s also create user and subscription and assign it to Members plan:

image

If you go to VMM you will see that a User Role is created only for the manager user, as only that user/subscription is assigned to VM Clouds:

image

Now let’s login to Azure Pack Tenant portal with manager user:

image

Once we are logged on, the first thing we need to do is open https://WAPserver.contoso.com:Port/publishsettings . When you open it the browser will ask you to save a file. Save it.

image

Once you have downloaded that file, go back to the Tenant portal –> Team Manager –> Management Certificates –> Upload

image

You need to upload that same file.

This step is important, as it is what enables members to perform actions. Note that the publishsettings file contains the management certificate together with its private key, so delete the downloaded copy once it has been uploaded.

Our next step as manager is to create a team.

image

Once we have a team we can assign a quota to that team in the form of cores and memory:

image

After creating this team we can dive deep into that team by clicking on it. There we have option to add members to that team.

image

Once we add that member to that team we can also specify quota for that specific member:

image

The cool part is that on the Subscription of the Manager you can see how many members and teams you have:

image

Now let’s login as member and see what we have available:

image

As you can see we have only one Resource provider and that is Team Member:

image

There we can see our assigned quota:

image

On Virtual Machines you will see the virtual machines you have access to.

image

Of course to have that you will need to create VMs:

image

In VMM the VM is created on behalf of the Manager subscription:

image

Team Managers can also see it:

image

You can be more granular on permissions for VMs by creating a role:

image

Then you can add members to that role:

image

And assign permissions to that role for a VM:

image

So those members get only a certain set of VM permissions:

image


Some limitations for members are good to know:

  • Members cannot deploy Gallery Items
  • Members cannot connect to Remote Console

Hope this introduction was useful for you.

Azure Pack / SCVMM NAT Rule Port Ranges

When you create NAT rules, either in VMM or in Azure Pack, you should know there are some limitations on Source and Destination Ports. In the Azure Pack Tenant portal, open your VM Network, then Rules; the Add button is at the bottom. This assumes you have already enabled NAT for that VM Network. When you click Add the following dialog appears:

image

The name of the NAT rule does not need to be unique. What must be unique per VM Network/NAT connection is the pair of Source Port and Protocol.

Now about the port ranges for Source and Destination:

  • There is no limitation on the Destination Port beyond the standard one: any number from 1-65535.
  • For the Source Port you can only use the range 1-49151. The reason behind this is probably that ports above 49151 are used by the gateway itself (49152-65535 is the IANA dynamic/private port range).

The same rules apply when you use VMM PowerShell or VMM console.
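As an added example (not from the original post), the following function creates a NAT rule through the VMM cmdlets after applying exactly the checks described above: source port in 1-49151, destination port in 1-65535, and no existing rule with the same (source port, protocol) pair on that NAT connection. The cmdlets Get-SCVMNetwork, Get-SCVMNetworkGateway, Get-SCNATConnection, Get-SCNATRule and Add-SCNATRule and their -ExternalPort/-InternalPort/-Protocol parameters are the VMM 2012 R2 ones as I know them; the VM network name and the 10.0.0.4 address are made-up sample values.

```powershell
function Add-CheckedNatRule {
    param(
        [Parameter(Mandatory)] [string]$VMNetworkName,
        [Parameter(Mandatory)] [string]$RuleName,
        [Parameter(Mandatory)] [ValidateSet('TCP','UDP')] [string]$Protocol,
        [Parameter(Mandatory)] [int]$SourcePort,        # external port on the gateway
        [Parameter(Mandatory)] [string]$InternalIPAddress,
        [Parameter(Mandatory)] [int]$DestinationPort    # port on the VM
    )

    # Range checks from the post: the gateway keeps the ephemeral range for itself.
    if ($SourcePort -lt 1 -or $SourcePort -gt 49151) {
        throw "Source port $SourcePort is outside 1-49151 (49152-65535 is reserved by the gateway)"
    }
    if ($DestinationPort -lt 1 -or $DestinationPort -gt 65535) {
        throw "Destination port $DestinationPort is outside 1-65535"
    }

    $vmNetwork = Get-SCVMNetwork -Name $VMNetworkName
    if (-not $vmNetwork) { throw "VM network '$VMNetworkName' not found" }
    $gateway = Get-SCVMNetworkGateway -VMNetwork $vmNetwork
    if (-not $gateway) { throw "VM network '$VMNetworkName' has no gateway; add one and enable NAT first" }
    $nat = Get-SCNATConnection -VMNetworkGateway $gateway
    if (-not $nat) { throw "NAT is not enabled on the gateway of '$VMNetworkName'" }

    # Uniqueness check: the rule name may repeat, the (external port, protocol) pair may not.
    $clash = Get-SCNATRule -NATConnection $nat |
        Where-Object { $_.ExternalPort -eq $SourcePort -and $_.Protocol -eq $Protocol }
    if ($clash) {
        throw "Port $SourcePort/$Protocol is already used by rule '$($clash.Name)' on this NAT connection"
    }

    Add-SCNATRule -NATConnection $nat -Name $RuleName -Protocol $Protocol `
        -ExternalPort $SourcePort -InternalIPAddress $InternalIPAddress -InternalPort $DestinationPort
}

# Sample call (values are made up): expose RDP on 10.0.0.4 through external port 33890.
Add-CheckedNatRule -VMNetworkName 'VMNetwork66' -RuleName 'RDP-Web01' -Protocol TCP `
    -SourcePort 33890 -InternalIPAddress '10.0.0.4' -DestinationPort 3389
```

Doing the checks client-side gives a clear error instead of the generic job failure you get from VMM when a port is out of range or already taken.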

You can find more about ports here.

Install SMB Share SCVMM 2012 R2 UR5 UI Hotfix

With UR5 there is a bug in the UI that does not show SMB file shares when you try to deploy an HA VM or do a storage migration to an SMB share. The functionality still works when you use PowerShell.

Microsoft quickly released hotfix for that located here. When you request it, download it and extract it, it is just one dll file:

  • Microsoft.VirtualManager.UI.CommonControls.dll

That dll is only for the VMM console.

You need to copy it to:

%ProgramFiles%\Microsoft System Center 2012 R2\Virtual Machine Manager\bin

Of course %ProgramFiles% is the location where your VMM console is installed.

When you copy it, it will replace the existing DLL. You will need to close all VMM consoles on that server to be able to replace it.

After that you should no longer have that UI bug on that server when you start VMM console.
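Dropping a replacement DLL into an admin console is a supply-chain step in its own right, so here is an added example (not from the original post or the hotfix package) that installs the single file the way a controlled change would: it checks the Authenticode signature and signer, refuses to continue while a console still has the file loaded, keeps a timestamped backup for rollback, and reports the hash and version that ended up on disk. The DLL name and target folder are those from the post; the console process name VmmAdminUI and the expected signer string are assumptions to verify on your own system.

```powershell
function Install-VmmConsoleHotfixDll {
    param(
        [Parameter(Mandatory)] [string]$HotfixDll,   # extracted Microsoft.VirtualManager.UI.CommonControls.dll
        [string]$VmmBin = "$env:ProgramFiles\Microsoft System Center 2012 R2\Virtual Machine Manager\bin",
        [string]$ExpectedSigner = 'CN=Microsoft Corporation'   # assumption: check against a known-good binary
    )

    $target = Join-Path $VmmBin 'Microsoft.VirtualManager.UI.CommonControls.dll'
    if (-not (Test-Path $target)) { throw "VMM console bin folder not found at $VmmBin" }

    # A binary loaded into a privileged admin console must be signed by the vendor;
    # refuse anything unsigned, tampered with, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $HotfixDll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Refusing to install: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    # The file cannot be replaced while a console has it loaded (process name is an assumption).
    $consoles = Get-Process -Name 'VmmAdminUI' -ErrorAction SilentlyContinue
    if ($consoles) { throw "Close the VMM console first (PIDs: $($consoles.Id -join ', '))" }

    # Keep a timestamped copy so the change can be rolled back if a later rollup conflicts.
    $backup = "$target.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $target -Destination $backup
    Copy-Item -Path $HotfixDll -Destination $target -Force

    [pscustomobject]@{
        Installed = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        Backup    = $backup
        Version   = (Get-Item $target).VersionInfo.FileVersion
    }
}

# Sample call; the hotfix path is a made-up value.
Install-VmmConsoleHotfixDll -HotfixDll 'D:\Hotfix\Microsoft.VirtualManager.UI.CommonControls.dll'
```

Record the returned hash with the change ticket; when the republished hotfix arrives you can tell at a glance whether the file on each console server is the interim one or the final one.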

Update: Please hold off applying the hotfix as more hotfixes are expected to be released and it will be easier to apply them in bulk.

Update 2: Hotfix has been republished along with other fixes. Instructions for deployment are in the KB article.

Tips From the Field: Applying Update Rollup 5 to System Center 2012 R2 and Windows Azure Pack

So I’ve had the chance to try installing UR5 so here are some tips from me:

  • If you have the VMM console on the VMM server, install the VMM server update first and then the VMM console update. Restart the VMM server as per the KB, just to be on the safe side.
  • The VMM DHCP agent is now updated together with the VMM agent, so you do not need to do that manually anymore.
  • If you have the VMM agent installed on Infrastructure servers, go to the Infrastructure view and refresh those servers; you will see the option to update. If any of these servers has IIS with a site on 443/https, the certificate binding may be lost and you will need to rebind it manually.
  • UR5 also has updated Management Packs for VMM. You will need to update them in SCOM.
  • In UR5 I’ve stumbled upon this issue again.
  • Service Manager requires running a PowerShell script after install. You can see full details in the KB. If you have run it before you do not need to run it again, but if you want to be on the safe side, do it.
  • Operations Manager has scripts that you need to run manually against the OperationsManager DB and the OperationsManagerDW DB.
  • Operations Manager has several packs to update. There are a lot of Operational Insights Management Packs to update, but you can only install the English versions.
  • SCOM agents also need updating. You can do that through the console.
  • Windows Azure Pack requires running a script after applying the update. Check the KB for more info.
  • I haven’t tested DPM; it has updated Management Packs that you can download. Info is in the KB.
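For the lost HTTPS binding tip above, here is an added example (not from the original post) that snapshots a server's SSL certificate bindings before the agent update and puts back any that are missing afterwards. It uses the WebAdministration module's IIS:\SslBindings drive; the snapshot path is a sample value, and the example assumes IP/port bindings (it does not handle SNI host-name bindings).

```powershell
Import-Module WebAdministration

function Save-HttpsBindingSnapshot {
    param([string]$Path = 'C:\Temp\sslbindings-before-ur5.json')
    # Record address, port and certificate thumbprint of every SSL binding on the box.
    $snapshot = @(Get-ChildItem IIS:\SslBindings | ForEach-Object {
        [pscustomobject]@{
            IPAddress  = [string]$_.IPAddress
            Port       = [int]$_.Port
            Thumbprint = $_.Thumbprint
        }
    })
    $snapshot | ConvertTo-Json | Set-Content -Path $Path
    return $snapshot
}

function Restore-HttpsBindingSnapshot {
    param([string]$Path = 'C:\Temp\sslbindings-before-ur5.json')
    $wanted  = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current = @(Get-ChildItem IIS:\SslBindings)
    foreach ($b in $wanted) {
        $exists = $current | Where-Object { [string]$_.IPAddress -eq $b.IPAddress -and [int]$_.Port -eq $b.Port }
        if ($exists) {
            # Still bound, but flag it if the update swapped the certificate.
            if ($exists.Thumbprint -ne $b.Thumbprint) {
                Write-Warning "$($b.IPAddress):$($b.Port) is bound to $($exists.Thumbprint), expected $($b.Thumbprint)"
            }
            continue
        }
        # Re-create the binding from the certificate that is still in the machine store.
        $cert = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction Stop
        # "!" separates address and port in the SslBindings provider path.
        $cert | New-Item "IIS:\SslBindings\$($b.IPAddress)!$($b.Port)" | Out-Null
        Write-Output "Re-bound $($b.IPAddress):$($b.Port) to $($cert.Subject)"
    }
}

# Before the agent update:
Save-HttpsBindingSnapshot
# After the update and reboot:
Restore-HttpsBindingSnapshot
```

Keeping the snapshot also gives you a record of which certificate each endpoint was serving, which is worth having independently of the update.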

Here are the updated components and their KBs:

There are a lot of improvements in all components and mostly in VMM. Here are some of them:

  • Support for SUSE Linux Enterprise Server 12 – 64 bit

image

  • Start Page in VMM

image

  • Hyper-V Recovery Manager rebranded as Azure Site Recovery

image

  • Instead of using differencing disks for VM roles you can now use normal disks. Simply add the custom property DifferencingDiskOptimizationSupported with value false to the cloud.

image

  • Now we can add GRE tunnel and not only S2S VPN to a network that is connected to Windows Server Gateway:

image

Unfortunately this feature requires an update on the Windows Server Gateway, which I guess we will see in the following months.
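For the differencing-disk item above, the following is an added example (not from the original post) that sets the DifferencingDiskOptimizationSupported custom property on a cloud through PowerShell and reads the value back. The cmdlets Get-SCCloud, Get-SCCustomProperty, New-SCCustomProperty, Set-SCCustomProperty, Set-SCCustomPropertyValue and Get-SCCustomPropertyValue are the VMM 2012 R2 ones; the cloud name "Gold Cloud" is a sample value. A custom property has to exist with Cloud as a member before a value can be set on a cloud, so the function creates or extends it on first use.

```powershell
function Disable-VMRoleDifferencingDisk {
    param([Parameter(Mandatory)] [string]$CloudName)

    $cloud = Get-SCCloud -Name $CloudName
    if (-not $cloud) { throw "Cloud '$CloudName' not found" }

    $propName = 'DifferencingDiskOptimizationSupported'
    $prop = Get-SCCustomProperty -Name $propName
    if (-not $prop) {
        # Custom properties are scoped to object types; this one needs the Cloud member.
        $prop = New-SCCustomProperty -Name $propName -AddMember Cloud
    } elseif ($prop.Members -notcontains 'Cloud') {
        $prop = Set-SCCustomProperty -CustomProperty $prop -AddMember Cloud
    }

    Set-SCCustomPropertyValue -InputObject $cloud -CustomProperty $prop -Value 'false' | Out-Null

    # Read it back so the caller sees the effective value rather than trusting the write.
    (Get-SCCustomPropertyValue -InputObject $cloud -CustomProperty $prop).Value
}

Disable-VMRoleDifferencingDisk -CloudName 'Gold Cloud'
```

The value is a string, so "false" is what WAP looks for; a typo such as "False " with trailing whitespace is not the same value, which is why the function echoes what was stored.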

 

Hope this was helpful for you.

Adding Gateway to VM Network As Tenant Administrator

I’ve been exploring the VMM PowerShell cmdlets recently, especially those related to Network Virtualization. I was thinking of blogging about adding a Gateway, NAT Connection and VPN connection to a VM Network, but I was too occupied with work. Today on the TechNet VMM forum I saw a question on how to add a Gateway to a VM Network as Tenant Administrator. Apparently if you open the properties of the VM Network as Tenant Administrator you will not see a UI for adding a Gateway:

image

My guess is that the reason behind this is that the usual UI for this option was built for the Administrator role. The Administrator can see all Network Services of type Gateway and has full access to them. A Tenant Administrator, on the other hand, does not have access to those objects; a Tenant Administrator only has access to objects in its own scope, which is what that Tenant Administrator has created. There are a couple of solutions to this problem:

  • Give your tenants the Azure Pack experience. They will be able to access Azure Pack Tenant Portal and add Gateways (NAT Connection and VPN Connections) on their own.
  • Contact administrator and ask him/her to add a Gateway to your VM Network.
  • Add Gateway on your own trough PowerShell

The third option is also easy. Fire up PowerShell and get the VM Network you want to add a Gateway to into a variable like this:

$VMnetwork = Get-SCVMNetwork -Name VMNetwork66

Then add the Gateway to your VM Network like this:

$GatewayName = $VMnetwork.Name + "_Gateway"

Add-SCVMNetworkGateway -VMNetwork $VMnetwork -Name $GatewayName

image

After this your Gateway is added to the VM Network. As a Tenant Administrator VMM does not let you see the available Gateways, so it automatically chooses the first one that has enough resources.

After that you can easily add a NAT Connection, for example by retrieving the gateway just created and passing it to Add-SCNATConnection:

$NATConnectionName = $VMnetwork.Name + "_NATConnection"

$Gateway = Get-SCVMNetworkGateway -VMNetwork $VMnetwork -Name $GatewayName

Add-SCNATConnection -VMNetworkGateway $Gateway -Name $NATConnectionName

image

After adding the Gateway you can also use Add-SCVPNConnection to add S2S VPN.

Also, with the Administrator role you have the option to add the Gateway, NAT Connection and VPN Connection on behalf of the Tenant Administrator by using the -OnBehalfOfUser and -OnBehalfOfUserRole parameters. I’ve covered in the past how to execute those.
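Putting the pieces above together, here is an added example (not from the original post) of the gateway and NAT connection steps as one function that a Tenant Administrator can run directly and an Administrator can run on behalf of a tenant. It re-uses an existing gateway or NAT connection instead of failing on a second run. Cmdlet names are the VMM 2012 R2 ones; that Add-SCVMNetworkGateway and Add-SCNATConnection both accept -OnBehalfOfUser and -OnBehalfOfUserRole is an assumption to confirm with Get-Help, and the VM network, user and role names are sample values.

```powershell
function Add-TenantVMNetworkGateway {
    param(
        [Parameter(Mandatory)] [string]$VMNetworkName,
        [string]$OnBehalfOfUser,          # set both to act as an Administrator for a tenant
        [string]$OnBehalfOfUserRoleName
    )

    $vmNetwork = Get-SCVMNetwork -Name $VMNetworkName
    if (-not $vmNetwork) { throw "VM network '$VMNetworkName' not found or not in your scope" }

    # Splat the on-behalf-of parameters only when both were supplied (assumed to be accepted by both cmdlets).
    $obo = @{}
    if ($OnBehalfOfUser -and $OnBehalfOfUserRoleName) {
        $role = Get-SCUserRole -Name $OnBehalfOfUserRoleName
        if (-not $role) { throw "User role '$OnBehalfOfUserRoleName' not found" }
        $obo = @{ OnBehalfOfUser = $OnBehalfOfUser; OnBehalfOfUserRole = $role }
    }

    # Idempotent: reuse an existing gateway/NAT connection rather than failing on a second run.
    $gateway = Get-SCVMNetworkGateway -VMNetwork $vmNetwork
    if (-not $gateway) {
        $gateway = Add-SCVMNetworkGateway -VMNetwork $vmNetwork -Name "$($vmNetwork.Name)_Gateway" @obo
    }
    $nat = Get-SCNATConnection -VMNetworkGateway $gateway
    if (-not $nat) {
        $nat = Add-SCNATConnection -VMNetworkGateway $gateway -Name "$($vmNetwork.Name)_NATConnection" @obo
    }

    [pscustomobject]@{ VMNetwork = $vmNetwork.Name; Gateway = $gateway.Name; NATConnection = $nat.Name }
}

# As the Tenant Administrator:
Add-TenantVMNetworkGateway -VMNetworkName 'VMNetwork66'

# As an Administrator, acting for the tenant's self-service user role (sample names):
Add-TenantVMNetworkGateway -VMNetworkName 'VMNetwork66' -OnBehalfOfUser 'contoso\tenant1' -OnBehalfOfUserRoleName 'Tenant1Role'
```

When run on behalf of a tenant, the resulting objects are owned by that tenant's user role, which is what keeps them visible and manageable from the tenant's own scope later.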

Fix Non-Compliant Virtual Network Adapters in VMM with SMA Runbook

Many do not know that, besides keeping the vSwitches on Hyper-V hosts compliant, VMM also tracks compliance of the Virtual Network Adapters on VMs. You can find that information by opening the VMM console –> Fabric pane –> Networking –> Logical Networks and, in the ribbon, choosing Virtual Machines instead of Fabric Resources. There you will see all Virtual Network Adapters listed, the machine each belongs to and its compliance status. When you right-click a non-compliant Virtual Network Adapter you have the option to Remediate it; on the backend that option executes the Repair-SCVirtualNetworkAdapter cmdlet. Non-compliant virtual network adapters can cause QoS and other Port Profile settings not to work.

It would be cool for a future VMM to act on these drifts itself or to integrate with DSC (Desired State Configuration). At the current state we can achieve something similar with Service Management Automation: we simply create a Runbook that finds non-compliant adapters and makes them compliant, and schedule it to run once or twice a day, or as often as you want. I am giving you this runbook so you can apply the practice in your environment. The runbook requires a VMM Connection named "VmmConnection". The InlineScript executes on your SMA Runbook Worker servers, so you will need the VMM cmdlets installed there. If you want it executed on the VMM server itself, just add -PSComputerName $VmmServerName -PSCredential $VmmCredential after the closing bracket of the InlineScript.

The Runbook you can find in TechNet Gallery.
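Because the gallery link is not reproduced here, the following is an added example of such a runbook written from the description above; it is not the author's TechNet Gallery runbook. It finds adapters whose compliance status is NonCompliant, runs Repair-SCVirtualNetworkAdapter on each, and returns a per-adapter report. The "VmmConnection" asset name and the InlineScript with optional -PSComputerName/-PSCredential are from the post; the connection field names (ComputerName, Username, Password), the VirtualNetworkAdapterComplianceStatus and VirtualNetworkAdapterComplianceErrors property names, and Get-SCVirtualNetworkAdapter -All are assumptions to check against your SMA connection type and VMM module.

```powershell
workflow Repair-NonCompliantVNics {
    param([bool]$ReportOnly = $false)   # $true lists drifted adapters without remediating

    # SMA connection asset named "VmmConnection" (the name the post uses); field names assumed.
    $conn = Get-AutomationConnection -Name 'VmmConnection'
    $securePwd = ConvertTo-SecureString -String $conn.Password -AsPlainText -Force
    $vmmCred = New-Object System.Management.Automation.PSCredential($conn.Username, $securePwd)
    $vmmServer = $conn.ComputerName

    # Runs on the SMA runbook worker, so the VMM console cmdlets must be installed there;
    # append -PSComputerName $vmmServer -PSCredential $vmmCred after the closing brace to run on VMM itself.
    $report = InlineScript {
        Import-Module VirtualMachineManager
        $server = Get-SCVMMServer -ComputerName $Using:vmmServer -Credential $Using:vmmCred

        $drifted = Get-SCVirtualNetworkAdapter -VMMServer $server -All |
            Where-Object { $_.VirtualNetworkAdapterComplianceStatus -eq 'NonCompliant' }

        foreach ($vnic in $drifted) {
            $outcome = 'Reported'
            if (-not $Using:ReportOnly) {
                try {
                    Repair-SCVirtualNetworkAdapter -VirtualNetworkAdapter $vnic | Out-Null
                    $outcome = 'Remediated'
                } catch {
                    # One failed adapter should not stop the rest of the run.
                    $outcome = "Failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Adapter = $vnic.Name
                MAC     = $vnic.MACAddress
                Errors  = ($vnic.VirtualNetworkAdapterComplianceErrors -join '; ')
                Outcome = $outcome
            }
        }
    }

    # A sudden jump in this count (for example after a logical switch change) is worth alerting on.
    Write-Output "Non-compliant adapters found: $(@($report).Count)"
    $report
}
```

Run it once with -ReportOnly $true to see what would be changed, then schedule it; the report lines show up in the SMA job output and can be forwarded to your monitoring.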

Migrating VM Role from One Subscription to Another in Azure Pack

First I would like to note that the solution below is not an official guide from Microsoft and you should use it at your own risk.

Note: The PowerShell commands provided may have different values than the once showed in the screenshots.

In the past I’ve shown you a way to assign a Tenant User Role and Owner to a VM, which basically covers the scenario of moving a VM created from a VM template to a subscription in Windows Azure Pack.

In this post I will show you how to move a VM Role from one subscription to another. To do this, let’s see which objects are created in VMM and how they relate when a VM Role is created through WAP:

Virtual Machine –> Computer Tier –> SCService –>CloudService.

As I’ve shown you in the previous blog post, each Virtual Machine instance has UserRole and Owner properties. We can use them to move a VM to another user role (subscription in WAP), but if we do that with a VM created from a VM Role we receive a message like this:

Set-SCVirtualMachine : Unable to perform the operation because the object cannot have a different owner than its parent (parent’s owner is ). (Error ID: 26706)

If you are familiar with the architecture of VMM you will know that VMM works with objects, and these objects can have parent and child objects. In the case of VM Roles we have the following relationship:

Virtual Machine –> Computer Tier –> SCService –>CloudService.

So logically we should first change the User Role and the Owner of the parent object. Next in line is the Computer Tier, but that object does not have UserRole and Owner properties, so we move to the next one: the SCService, which does. Knowing the name or the ID of the VM you can easily find which SCService that VM belongs to:

$VMobj = Get-SCVirtualMachine -Name VM01

$SCServiceID = $VMobj.ComputerTier.ServiceId

$SCServiceObj = Get-SCService -ID $SCServiceID

Now that we have the SCService, let’s put the User Roles we will be using into variables.

First the Administrator user role:

$AdminRole = Get-SCUserRole -Name "Administrator"

Then the User Role to which we will transfer the VM Role:

$DstTenantRole = Get-SCUserRole -Name "stas@outlook.com_aa764fbe-824d-4ad0-ab5b-a47b5954d4a2"

Next step is to first assign the SCService to the Administrator User role:

Get-SCService -ID $SCServiceID | Set-SCService -UserRole $AdminRole -Owner "Dev\stanislav.zhelyazkov"

Note: When you execute the command above it prints the properties of the changed SCService, but you may not see the UserRole and Owner changed there. To see those changes, open a new PowerShell console and execute these commands again:

$VMobj = Get-SCVirtualMachine -Name VM01

$SCServiceID = $VMobj.ComputerTier.ServiceId

$SCServiceObj = Get-SCService -ID $SCServiceID

Get-SCService -ID $SCServiceID

In the newly opened console you should see those changes. I am not sure why this is happening I guess some caching.

clip_image002

It is pretty interesting that when you change the UserRole and the Owner of SCService you will see those properties changed for the VMs under it:

image

Now our VM that was previously assigned to Tenant User Role and another Owner is now assigned to Administrator User Role.

Let’s now switch from Administrator User role to our other Tenant User role.

Get-SCService -ID $SCServiceID | Set-SCService -UserRole $DstTenantRole -Owner "stas at outlook.com"

Note: After executing this command you will again need to open a new PowerShell console to see the changes:

clip_image002[8]

And of course UserRole and Owner properties are also changed for the VM/s under that SCService.

image

Changing these properties on the SCService and the VM will still not show the VMs in the Azure Pack Tenant Portal for the User Role we assigned above. The reason is that Azure Pack has two ways to get VM information: one through the VM Role and the other directly through the VM instance. If a VM instance is not linked to a VM Role, that VM is fetched through the UserRole and Owner properties of the VM; but if the VM is linked to a VM Role, WAP fetches it through an object called CloudService. That CloudService lives in VMM as well and is basically the master object in our scenario. So, in short, we also need to change the UserRole and Owner properties of the CloudService.

We can easily find all cloud services with the following command:

Get-CloudService -All

From the output we can easily find the specific cloud service that we want and assign it new UserRole and Owner:

Get-CloudService -ID ba48e972-9269-4f94-af73-5be7ea78af17 | Set-CloudService -UserRole $DstTenantRole -Owner "stas at outlook.com"

Again to see the actual UserRole and Owner changed we need to open new PowerShell console and get the information from there:

Get-CloudService -ID ba48e972-9269-4f94-af73-5be7ea78af17

clip_image002[10]

Note: When you assign new –Owner value make sure that the new value you assign is different than the current one. I’ve found out that if values are the same you may not be able to change UserRole.

After that last change you should be able to see the VM Role and its VM/s under the new subscription:

clip_image002[12]

clip_image002[14]
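The steps above collected into one function, as an added example rather than the author's exact commands: it parks the SCService under the Administrator role, moves it to the destination tenant role, then re-homes the CloudService, checking first that the Owner value actually changes at each hop (the caveat noted above) and re-reading every object after the write instead of trusting what Set-SCService/Set-CloudService echo back. Cmdlet names match those used in the post; matching the CloudService to the service by Name is an assumption (the post finds it by hand in the Get-CloudService -All output), and the user, role and owner values are samples.

```powershell
function Move-WapVMRole {
    param(
        [Parameter(Mandatory)] [string]$VMName,
        [Parameter(Mandatory)] [string]$DestinationUserRoleName,   # e.g. user@contoso.com_<subscription id>
        [Parameter(Mandatory)] [string]$DestinationOwner,
        [string]$InterimOwner = "$env:USERDOMAIN\$env:USERNAME"     # owner while parked under Administrator
    )

    $vm = Get-SCVirtualMachine -Name $VMName
    if (-not $vm) { throw "VM '$VMName' not found" }
    if (-not $vm.ComputerTier) { throw "'$VMName' is a standalone VM; change its UserRole/Owner directly" }

    $service   = Get-SCService -ID $vm.ComputerTier.ServiceId
    $adminRole = Get-SCUserRole -Name 'Administrator'
    $dstRole   = Get-SCUserRole -Name $DestinationUserRoleName
    if (-not $dstRole) { throw "User role '$DestinationUserRoleName' not found" }

    # The post found that the UserRole change may not stick unless the Owner value also changes.
    if ($service.Owner -eq $InterimOwner)    { throw "Interim owner equals current owner '$($service.Owner)'" }
    if ($InterimOwner -eq $DestinationOwner) { throw "Destination owner must differ from interim owner '$InterimOwner'" }

    # Assumption: the CloudService carries the same name as the SCService created by WAP.
    $cloudService = @(Get-CloudService -All | Where-Object { $_.Name -eq $service.Name })
    if ($cloudService.Count -ne 1) {
        throw "Expected one CloudService named '$($service.Name)', found $($cloudService.Count); locate it in Get-CloudService -All"
    }
    $cloudService = $cloudService[0]

    # Step 1: park the service under Administrator (a direct tenant-to-tenant move fails with error 26706).
    Set-SCService -Service $service -UserRole $adminRole -Owner $InterimOwner | Out-Null
    $service = Get-SCService -ID $service.ID        # re-read; the echoed object can be stale (see the note above)

    # Step 2: move it to the destination tenant role.
    Set-SCService -Service $service -UserRole $dstRole -Owner $DestinationOwner | Out-Null
    $service = Get-SCService -ID $service.ID

    # Step 3: re-home the CloudService, which is what the Tenant Portal queries for VM roles.
    Set-CloudService -CloudService $cloudService -UserRole $dstRole -Owner $DestinationOwner | Out-Null
    $cloudService = Get-CloudService -ID $cloudService.ID

    [pscustomobject]@{
        Service          = $service.Name
        ServiceUserRole  = $service.UserRole.Name
        CloudServiceRole = $cloudService.UserRole.Name
        VMUserRole       = (Get-SCVirtualMachine -ID $vm.ID).UserRole.Name
    }
}

Move-WapVMRole -VMName 'VM01' -DestinationUserRoleName 'stas@outlook.com_aa764fbe-824d-4ad0-ab5b-a47b5954d4a2' -DestinationOwner 'stas@outlook.com'
```

If the three role names in the result do not all show the destination role, verify from a fresh console before retrying, since the same session can return cached values as the post describes.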


Note: This scenario is only tested with SC 2012 R2 UR4. Make sure you are using the latest UR when you try this solution.


There is another way to transfer the VMs of a VM Role from one subscription to another. You can delete the VM with the Remove-SCVirtualMachine cmdlet and the -Force option. That deletes the VM object in VMM but not the VM itself. The VM will be discovered again with a different ID, no longer related to any Computer Tier, SCService or CloudService; it basically becomes a standalone VM. You can then change the UserRole and Owner of that VM to your new subscription, and that subscription should see it in the Tenant Portal as a standalone VM.