All posts by mwinkler

Data Protection Manager, SystemCenter, Windows

Install SystemCenter DPM 2016 – HowTo…

February 18, 2017 mwinkler 1 Comment

Prerequisites:

We need the following prerequisites first:

VM:

2 vCPU
4096MB Memory dynamic min. 512MB – max. 8192MB
Systemdrive – 128GB Dynamic
Backupdrive – <whatever you need>GB

User Accounts:

Login	Purpose	Permission
DOMAIN\_svc_sqlservice	Account for SQL Database Instance on DPM Server	none (permissions set by sql setup…)
DOMAIN\_svc_sqlreporting	Account for SQL Reporting Instance on DPM Server	none (permissions set by sql setup…)
DOMAIN\_svc_sqlagent	Account for SQL Agent on DPM Server	none (permissions set by sql setup…)

SQL:

Install SQL Server local on DPM Server or use a remote SQL Server (DPM 2016 does not support AlwaysOn Groups – so i will install a local SQL Server instance on DPM VM itself)

<sql.ini>

SQL components you need:

DataBase engine
Reporting Services Native

..in addition you need SQL Server Management Studio (DPM setup check this prerequisite) – if you do not install management studio you will receive this error while installation of DPM:

..so start install of SQL Management Studio:

Install:

The ISO of DPM you can download, have only a single MSI file that extract the source files for installation – you can mount this from a remote source, extract remote, or as same i will do – copy the MSI to C:\Temp – double-click on the MSI package and enter C:\Temp\DPM2016Setup as destination directory.

After extracting – double-click on setup.exe – install will start:

…enter the localhost-name and the name of the sql instance you installed before with the SQLxxx.ini…

…setup will check and install all prereq´s – while installing Hyper-V PowerShell Modules you have to restart the DPM server and run setup again:

..after reboot – start DPM setup again:

…after finishing of setup – install all updates – at time of creation of this blog it is “Update Rollup 2 – Data Protection Manager 2016”

Remote Administration:

If you want to remotely manage your DPM server and have a “Administration Workstation” you can install “DPM Remote Administration” there. (HINT: other tutorials and howto´s tell you that you need SCOM, Management-Packs,… to install Remote Tools – thats not correct – for “Remote Administration” you need nothing of these – you need SCOM,.. only if you want to install “DPM Central Console”…

…after finish setup of Remote Administration you have to check for Updates – because DPM Console checks the version between Console and Server and need the same on both. (you receive an error starting a console with an old version…)

Post-Task´s after finishing setup:

Add Disks/Volumes to DPM:

DPM uses a new concept called MBS (Modern Backup Storage) – based on ReFS Volumes with Storage Spaces – so adding disks is completely different than in DPM 2012R2 – in my case i will add two virtual disks (dynamic and 64GB) to my DPM Server VM (you can add additional disks later) and start with Server Manager in dem DPM Server VM:

…right click on the first disk and click on new storage pool (choose ONE disk has a reason: this will create a Storage Pool with column size 1 – so you can later simple add single disks to the pool)

..give the new pool a name:

…if you have a physical DPM Server with JBODs – best practice here is to add several disks and configure one of them as Hot-Spare – because we have a DPM virtually – we need no hot-spare:

…now we create a virtual disk:

…best practice is to use a simple layout:

…we use Fixed provisioning type:

…specify a size a little smaller than the disk (we expand this volume later):

…deselect create volume and click on close:

…add the second disk to storage pool:

…and extend the virtual disk:

..i will not use all (in this example) 128GB:

…now we can create a volume on the new vdisk:

..add a drive letter:

…now you can add this volume to DPM:

HINT: you have to click on rescan if you don´t see your new volume here…

…give it a friendly name and click ok:

Add Agents:

Now it´s time to add agents to DPM – click on Agents in console and click Install:

HINT: if you want to install an agent in a untrusted source (not domain joined source or in a domain that do not trust – see my post: Install DPM agent in unstrusted workgroup…

..in my environment in want to install it first on my hyper-v cluster – so i choose my both hyper-v nodes (not necessary to include clustername – ie “hvfc”):

..enter a account that has local admin rights on this servers (you can use your own account, it is only for the installation of agent NOT for service or other purposes..)

..a reboot of ALL (because it is a cluster) is necessary to add hyper-v nodes/cluster to DPM – i will not start automatically (you must restart ALL clusternodes)

..if you receive a error – check your firewall settings on the target computers (for all port exclusions see: https://technet.microsoft.com/en-us/library/hh757794(v=sc.12).aspx – for a list of exclusions only for dpm agents see: https://technet.microsoft.com/en-us/library/hh758204(v=sc.12).aspx):

HINT: easy way – use the following powershell cmdlets on the potentially protected computers:

New-NetFirewallRule -DisplayName "DPM Agent (TCP-In)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5718,5719 -Profile Domain
New-NetFirewallRule -DisplayName "DPM Agent (Installer)" -Direction Inbound -Program "{f321a3273508e012828bee88f7f7d1fc79db37bd942019dfde610afc495b4bd7}windir{f321a3273508e012828bee88f7f7d1fc79db37bd942019dfde610afc495b4bd7}\microsoft data protection manager\dpm\protectionagents\ac\5.0.158.0\dpmac.exe" -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName "DPM Agent (TCP-In)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5718,5719 -Profile Domain

New-NetFirewallRule -DisplayName "DPM Agent (Installer)" -Direction Inbound -Program "{f321a3273508e012828bee88f7f7d1fc79db37bd942019dfde610afc495b4bd7}windir{f321a3273508e012828bee88f7f7d1fc79db37bd942019dfde610afc495b4bd7}\microsoft data protection manager\dpm\protectionagents\ac\5.0.158.0\dpmac.exe" -Action Allow -Profile Domain

..or use a GPO – after setting the correct port exclusion – agent installation will work:

Automation, Server 2016, Windows

Create a SET Team in Server 2016 – HowTo…

December 8, 2016 mwinkler

SET (Switch Embedded Teaming) is a new technology in Windows Server 2016 and the successor to the “standard” teaming technology in Server 2012R2 (LBFO Team) – read more: https://technet.microsoft.com/en-us/library/mt403349.aspx

HINT: only available if you have added the Hyper-V role in Windows, because otherwise no PS-CMDLets are available to configure…

Create a vSwitch

First you have to create a new virtual switch and add the physical NICs:

New-VMSwitch -Name "TeamedvSwitch" -AllowManagementOS $true -NetAdapterName "Ethernet","Ethernet 2" -EnableEmbeddedTeaming $true

1	New-VMSwitch -Name "TeamedvSwitch" -AllowManagementOS $true -NetAdapterName "Ethernet","Ethernet 2" -EnableEmbeddedTeaming $true

…a vswitch with the name “TeamedvSwitch” is created – the physical adapters will be connected to this vswitch and a vNIC with the default name “vEthernet (TeamedvSwitch)” are created:

HINT: like in 2012R teaming, it is possible to create a SET team with a single physical NIC and add additional NICs later – so my recommendation is to create always a SET team even if you have only a single NIC.

Rename vNIC(s)

We want to rename the default vNIC for better administration:

Get-VMNetworkAdapter -SwitchName "TeamedvSwitch" -ManagementOS | Rename-VMNetworkAdapter -NewName "Management"

1	Get-VMNetworkAdapter -SwitchName "TeamedvSwitch" -ManagementOS \| Rename-VMNetworkAdapter -NewName "Management"

HINT: you see that i have two physical NICs from different vendors – it work´s in my vLab but for production environment it is not supported to have a SET team with NICs from different vendors, with different firmware or drivers…

Add vNIC(s)

…and we want to add another vNIC for LiveMigration traffic:

Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "LiveMigration"

1	Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "LiveMigration"

…and additional vNICs for CSV/ClusterHB and Storage Traffic:

Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "ClusterHB_CSV"
Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "SMBStorage1"
Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "SMBStorage2"

Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "ClusterHB_CSV"

Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "SMBStorage1"

Add-VMNetworkAdapter -ManagementOS -SwitchName "TeamedvSwitch" -Name "SMBStorage2"

Show all “Management” adapters in powershell:

Get-VMNetworkAdapter -ManagementOS

1	Get-VMNetworkAdapter -ManagementOS

Set VLANid on vNIC(s)

I have different VLANs for the traffic:

VLANid	Description
0(native/untagged)	Management/RDP/PXE/DHCP….
400	LiveMigration
300	SMB-Storage Traffic
250	ClusterHB

# Set VLANid 400 for LiveMigration
$NIC = Get-VMNetworkAdapter -Name "LiveMigration" -ManagementOS
Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 400
# Set VLANid 300 for both Storage vNICs
$NIC = Get-VMNetworkAdapter -Name "SMBStorage1" -ManagementOS
Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 300
$NIC = Get-VMNetworkAdapter -Name "SMBStorage2" -ManagementOS
Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 300
# Set VLANid 250 for ClusterHB
$NIC = Get-VMNetworkAdapter -Name "ClusterHB_CSV" -ManagementOS
Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 250
# Set (untagged/native) on Management
$NIC = Get-VMNetworkAdapter -Name "Management" -ManagementOS
Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Untagged

# Set VLANid 400 for LiveMigration

$NIC = Get-VMNetworkAdapter -Name "LiveMigration" -ManagementOS

Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 400

# Set VLANid 300 for both Storage vNICs

$NIC = Get-VMNetworkAdapter -Name "SMBStorage1" -ManagementOS

Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 300

$NIC = Get-VMNetworkAdapter -Name "SMBStorage2" -ManagementOS

Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 300

# Set VLANid 250 for ClusterHB

$NIC = Get-VMNetworkAdapter -Name "ClusterHB_CSV" -ManagementOS

Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Access -VlanId 250

# Set (untagged/native) on Management

$NIC = Get-VMNetworkAdapter -Name "Management" -ManagementOS

Set-VMNetworkAdapterVlan -VMNetworkAdapter $NIC -Untagged

HINT: many switch vendors won´t pass traffic class information on untagged networks. Best practice if using RDMA, DCB and PFC is that the “untagged” network are on VLAN 0 (tagged) – i.e. “Set-VMNetworkAdapterVlan -VMNetworkadapter $NIC -Access -VlanId 0” for the management interface. This set all vNICs in a VLAN, class information can be inserted into the VLAN header of IP packets and the physical switch pass this type of traffic.

Enable JumboFrames

Dont forget to enable Jumbo Frames, this can significant speed up your network.

To enable Jumbo Frames you have to configure it on the switch side with the appropriate tools WebGUI,CLI,.. – i always use 9KB – on most NICs it exist a value of 9014 bits, but this is depending on your NIC vendor and driver. Check the Advanced Properties on the NIC in windows – if you dont see settings for Jumbo Frames and/or 9KB (sometimes if you using original windows drivers for nic) update to the latest vendor driver.

The following is a example of a Realtek NIC with the shipped windows driver in server 2016:

(the max value in JumboPacket is 4k and fixed size, no bigger values available…)

AFTER updating the driver to realtek driver version 10.2.703.2015:

(now 9KB is available in advanced properties…)

Set the value on all physical NICs:

Set-NetAdapterAdvancedProperty -Name "Ethernet","Ethernet 2" -RegistryKey "*JumboPacket" -RegistryValue 9014

1	Set-NetAdapterAdvancedProperty -Name "Ethernet","Ethernet 2" -RegistryKey "*JumboPacket" -RegistryValue 9014

(regarding 9014 bits: i prefer this little smaller value than in the switch port setting (9216) but realtek does not allow 9014 like intel and other vendors, you have to use 9216 if you have realtek nic)

HINT: in Windows 2012R2 the vNICs inherit the settings from the LBFO-Team, so if you set all physical NICs to JumboFrame with i.e. 9014 bits – all the vNICs have automatically 9014 bits in their settings – in Windows 2016 with SET teaming this is different (!) – you have to set explicit ALL physical AND vNICs to JumboFrame.

Set all vNICs to Jumbo Frames:

Get-NetAdapter -Name "vEthernet*" | Set-NetAdapterAdvancedProperty -RegistryKey "*JumboPacket" -RegistryValue 9014

1	Get-NetAdapter -Name "vEthernet" \| Set-NetAdapterAdvancedProperty -RegistryKey "JumboPacket" -RegistryValue 9014

Now we have divided the traffic into several VLANs, but every kind of traffic using all of the available bandwith and have no priority of each other – we have two options to deal with that:

QoS
PFC and DCB

Automation, Windows

Time Synchronizing Domain Controllers with NTP – HowTo

November 15, 2016 mwinkler

…to synchronize your DC(s) with a correct timesource and make the DCs authorative to the clients you have to follow these steps:

If you have more than one domain-controller only the PDC-Emulator should sync his time with NTP – all other DCs should sync with NT5DS against PDC-emulator – we can easily filter the PDCe with a WMI query.

Create two WMI filters in Group Policy Console:

DC with PDC emulator -> “Select * from Win32_ComputerSystem where DomainRole = 5”

all other DCs -> “Select * from Win32_ComputerSystem where DomainRole = 4”

Create two Policies (Sync with NTP for DC with PDCe and Sync with NT5DS for non PDCe DCs)

Create a Policy for non PDC-emulator Domain-controllers:

…ignore the default ntpserver entry, because not used if type is NT5DS (domain hierarchy)…

…not necessary to create a policy for workstations/desktops and non-DomainController servers (domain-joined) because they will sync automatically with DC…

Link to Domain Controller OU:

If you running your domain controllers in virtual environments like HV/Azure… – you must disable time-sync againts host on all VMs within the domain (otherwise you play ping-pong – policy set the time, host set it back, policy set time, host set it back,…..).

Change registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]

“Enabled”=dword:00000000

Policy Update:

gpupdate /target:computer /force

check registry settings:

HKLM\SYSTEM\SOFTWARE\Policies\Microsoft\W32Time\Parameters\….

force sync:

net stop w32time && net start w32time

w32tm /resync /force

check eventlog Application/time-source:

Automation, Windows

Create policy to put users/groups in local admin group…

November 6, 2016 mwinkler

Prerequisites:

i want to put ie my service account named _svc_vmmservice to the local admin group in my vmm nodes. following the microsoft AGLP (accounts->global groups->local groups->permissions) first i create a global group named “_gg_localAdminVMM” and a local group named “_lg_localAdminVMM” – put _svc_vmmservice in global group and put global group in local group:

…in addition you need a Group for VMM servers/nodes (not users) – do the same for VMM servers:

Create Policy:

…remove “Authenticated users” and change scope of this policy to VMM servers group:

…dont forget to link this GPO to your ServerOU..

time to apply this new policy with:

gpudpate /force /target:computer

1	gpudpate /force /target:computer

…you can check it with the command:

gpresult /r /scope:computer

1	gpresult /r /scope:computer

…before gpupdate:

and after gpupdate:

HINT: if you dont see your policy applied and you have created the computer group for your VMM servers a short time before – you have to reboot your VMM servers to apply the membership of the group first!

Automation, Windows

Create a policy to add local admin account – the new way…

November 5, 2016 mwinkler

Since Microsoft changed the security policies the “old way” via policy to create a local admin account and give them a password does not work anymore – information about this security update can be found at: https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/

if you have installed this security patch and want to create a new policy “old-way” with a new user and password – you can not type-in any passwords because the fields are greyed-out:

The new way to do this is with Microsoft´s Local Admin Password Solution (LAPS) – see: https://www.microsoft.com/en-us/download/details.aspx?id=46899

HowTo Install:

you need a Management computer for installing the management tools, powershell module,… – in addition it is useful to have also all the AD management tools (users and computers, group policy editor,..) installed on this management computer.

Download all (you will need x86 and x64 later) packages from: https://www.microsoft.com/en-us/download/details.aspx?id=46899 to the management computer and start LAPS.x64.msi – or x86 if you have a 32bit management computer (build client packages later):

..install all the features:

Policy for installing client package:

LAPS needs a dll on all the computers where laps should store and change the local admin pwd. The easiest way to do that is, create a policy for deploying this package – start group policy editor and create a new policy :

..choose the LAPS x64 package first, for deploying software to 64bit clients/servers:

…we need also the x86 package:

…i will rename the packages (looks better than (2)) – right click -> properties:

…we want to avoid that the x86 package are also distributed to x64 computers – right click on x86 package and choose properties:

…uncheck “Make this 32-bit…..”:

…i have several OUs in my AD – Resources->Computers where all Workstations and Servers reside – i will link this GPO to my Resources OU:

..unfortunately LAPS client need a reboot to complete the update – you see this after GPUPDATE /FORCE:

Extend the AD schema:

open powershell with admin rights on your management server and import the laps ps module:

Import-Module AdmPwd.ps
Get-Command -Module AdmPwd.ps

1 2	Import-Module AdmPwd.ps Get-Command -Module AdmPwd.ps

…update schema:

Update-AdmPwdADSchema

1	Update-AdmPwdADSchema

Set/Check Permissions:

…the default permission to manage local passwords are less restrictive (Domain Users can read) – we want to change it – open ADSIEdit:

…because i have my own OU structure Resources->Computers,.. i have to right-click on ComputersOU and select Properties:

…be sure that under Security Tab are only Users that you give permissions are “All extended rights” checked – ie. Remove this checkmark from Everyone… (in Server 2016 permissions are correct (only Domain Admins, Enterprise Admins have rights), nothing to do in this OS…):

…now give all computers under your OU the permission to change their passwords for itself:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=<name of OU>,DC=<name of dom>,DC=<name of dom>"

1	Set-AdmPwdComputerSelfPermission -OrgUnit "OU=<name of OU>,DC=<name of dom>,DC=<name of dom>"

next give users the permission to read the passwords for computer in a OU (in my case ComputersOU) – you can make this very granular, ie use a AD group for workstations and another AD group for servers – Domain Admins are ok for my environment:

Set-AdmPwdReadPasswordPermission -OrgUnit "OU=<name of OU>,DC=<name of Dom>,DC=<name of Dom>" -AllowedPrincipals "Domain Admins"

1	Set-AdmPwdReadPasswordPermission -OrgUnit "OU=<name of OU>,DC=<name of Dom>,DC=<name of Dom>" -AllowedPrincipals "Domain Admins"

Create Local Password Policy:

Last step is to create a policy for changing local passwords, complexity and other – LAPS setup had installed a ADM template on your management workstation for that – so if you have also Group Policy Editor installed on this workstation open GPMC create a new policy and browse to CompConfig->Policies->Admin Templates->LAPS:

enable pwd management and change the other settings depending on your needs:

…if you have another policy that disables the local account named “Administrator” and create another user with the name ie “_adm_localAdmin” you must enable this policy setting and change the name to the name of your local admin account (if you have no policy like that and want to change the default local account named “Administrator” you can leave this as default – not configured:

dont forget to link your password policy to the appropriate OUs..

Read Passwords:

LAPS Setup installs a GUI Utility called “LAPS UI” on your management workstation:

or you find it in AD Users and Computers -> Computer Object -> Attributes (dont forget to check View->Advanced to show this tab):

Data Protection Manager, SystemCenter, Windows

Install DPM Agent in untrusted Workgroup…

October 31, 2016 mwinkler 1 Comment

To install the DPM Agent on computers running outside the DPM domain is a little bit tricky – hopefully the steps below are helping to describe this procedere:

first find the agent setup files on DPM server – to do this locate the agent setup directory with the newest version – on DPM Server browse to C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\agents\RA

inside this folder copy the appropriate OS version – ie. amd64 for the 64-bit agent:

paste this on the computer where you want to install the agent – ie. C:\Temp\DPM\Agent:

on the computer where you want to install the agent, open a CMD with admin rights and change to the directory where you copied the setup files – ie. C:\Temp\DPM\agent\amd64\1033

DPM agent needs the FQDN of the DPM server – check nslookup if name resolution working correctly or edit Hosts file to have a local name resolution

HINT: for DPM the fqdn name and NETBIOS name are two different things (!) – if you enter fqdn here, you have to enter also the fqdn on DPM SERVER side while adding the agent…

to install the agent with showing a progress bar – enter the following command:

DPMAgentInstaller_KB3162908_AMD64.exe <fqdn_of_DPM_server> /IAcceptEULA

1	DPMAgentInstaller_KB3162908_AMD64.exe <fqdn_of_DPM_server> /IAcceptEULA

to install completely silent – enter:

DPMAgentInstaller_KB3162908_AMD64.exe <fqdn_of_DPM_server> /q /IAcceptEULA

1	DPMAgentInstaller_KB3162908_AMD64.exe <fqdn_of_DPM_server> /q /IAcceptEULA

(KBxxxx reference to the newest version of agent – in this case DPM agent 2012R2CU10…)

HINT: ..if you get a 0x80070005 “Access is denied” error – try to start the DPMAgentInstaller without parameters!

confirm the “Restart message” and change to the new install dir of agent:

cd c:\program files\Microsoft data protection Manager\DPM\bin

1	cd c:\program files\Microsoft data protection Manager\DPM\bin

enter the following command:

.\SetDpmServer.exe -dpmServerName <fqdn_of_DPM_Server> -isNonDomainServer -userName <new_accountname_for_dpm_agent>

1	.\SetDpmServer.exe -dpmServerName <fqdn_of_DPM_Server> -isNonDomainServer -userName <new_accountname_for_dpm_agent>

…choose a password and DPM is creating a local user account with the name you choose – you can check this with Computer Management->Local User and Groups->Users

Agent setup also creates the following three groups:

DPMRADCOMTrustedMachines
DPMRADmTrustedMachines
DPMRATrustedDPMRAs

…the new account is member in the first two groups..

On DPM server do the following:

click on Management->Add -> Windows Servers:

…be careful here to enter the correct values – FQDN must resolvable from DPM server – username is in format <new_created_local_account_before> (don’t use <DOMAIN>\<accountname> here !)

click attach:

..agent should be attached with status “Success” – you have to restart the agent Computer to finish the agent Installation…

Data Protection Manager, SystemCenter

Install DPM Agent on a Domain Controller in a untrusted Domain/Workgroup…

October 31, 2016 mwinkler

Installing a DPM Agent on a domain controller is unfortunately not so easy as installing a dpm agent in a untrusted workgroup (dpm agent installer wants to create a local user…)

Tasks to do on DPM agent computer:

install Agent (ie. DPMAgentInstaller_AMD64.exe <fqdn_of_DOM_server>
open cmd Shell with admin rights
change to DPM directory (c:\Program Files\Microsoft Data Protection Manager\DPM\bin)
call setup:

.\SetDpmServer.exe -dpmServerName <fqdn of DPM Server> -isNonDomainServer -userName <new_Name_for_dpm_agent>

1	.\SetDpmServer.exe -dpmServerName <fqdn of DPM Server> -isNonDomainServer -userName <new_Name_for_dpm_agent>

enter a new Password for DPM Agent/Server communication

Since the DPM agent computer is a domain controller of other domain, setup is creating a domain account called <new_name_for_dpm_agent>:

Add the agent account to the following groups on the domain controller:
- DPMRADCOMTrustedMachines$…
- DPMRADmTrustedMachines$…

Tasks to do on DPM server computer:

open Computer Management on DPM server to add the <new_name_for_dpm_agent> account to the following groups:

DPMRADCOMTrustedMachines
DPMRADmTrustedMachines
MSDPMTrustedMachines
Distributed COM Users

(only necessary if you have added this agent before) – open DPM ManagementShell with admin rights and change to DPM\bin directory – enter:

.\Update-NonDomainServerInfo.ps1 -DPMServerName <fqdn of DPM Server> -PSName <fqdn of dpm Agent>

1	.\Update-NonDomainServerInfo.ps1 -DPMServerName <fqdn of DPM Server> -PSName <fqdn of dpm Agent>

add agent on DPM server as usual
a few minutes later the new agent should appear as “Agent Status” – OK in DPM console…

Automation, SystemCenter, Virtual Machine Manager, Windows

Installing Highly Available SystemCenter VMM 2016 – HowTo…

October 30, 2016 mwinkler

Prerequisites:

if you want to install a highly available VMM you need two VM´s (to create a VMM cluster) and a extra HA SQL Server (ideally two SQL 2016 core Nodes with AlwaysOn – for installing this SQL nodes see http://mscloudgurublog.azurewebsites.net/2016/10/28/installing-sql-server-2016-core-on-windows-server-2016-core/

VM(s):

Create two VMs with a OS vhdx (optional one additional Data drive if you want to split OS and VMM in two different drives), 2 vCPUs and at minimum 4096 MB Memory (if you want to use Dynamic RAM, set Startup value to 4096MBs or more and Minimum RAM to 2048 or more, otherwise setup check will fail…) – see SystemCenter requirements: https://technet.microsoft.com/en-us/system-center-docs/system-requirements/minimum-hardware-recommendations
Create a cluster with this two VMs, no cluster disks necessary, don’t forget to create a witness (my preferred FileShare or Cloud Witness)

# Rename the NICs
Rename-NetAdapter -Name "Ethernet" -NewName "Management"
Rename-NetAdapter -Name "Ethernet 2" -NewName "ClusterHB"

# Change IP´s and Set DNS
Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Management" | Remove-NetIPAddress -Confirm:$false | New-NetIPAddress -IPAddress "managementIP.of.your.node" -PrefixLength 24 -DefaultGateway "IP.of.your.GW"
Set-DnsClientServerAddress =InterfaceAlias "Management" -ServerAddresses "xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy"
Set-DnsClient -InterfaceAlias "Management" -RegisterThisConnectionsAddress:$true

Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "ClusterHB" | Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias "ClusterHB" -AddressFamily IPv4 -IPAddress "clusterhbIP.of.your.node" -PrefixLength 24
Set-DnsClient -InterfaceAlias "ClusterHB" -RegisterThisConnectionsAddress:$false

# Install Failover Cluster Feature
Install-WindowsFeature –Name Failover-Clustering,RSAT-Clustering-PowerShell

# Disable all the unneeded things on ClusterHB NIC
$clusterhb_vnic_name = "ClusterHB"
$clhbnic = Get-WmiObject Win32_NetworkAdapter -filter "netconnectionid='$clusterhb_vnic_name'"      # Read correct Adapter 
$clhbadapter = Get-WmiObject Win32_NetworkAdapterConfiguration -filter Index=$($clhbnic.DeviceID)   # Read Index
$clhbadapter.SetTcpipNetbios(2)                                                                     # Disable NetBios over TCP/IP
Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_pacer                        # Disable QoS Packet Scheduler
Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_server                       # Disable File and Print Sharing
Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_msclient                     # Disable Client for Microsoft Networks
Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_rspndr                       # Disable Link-Layer Topology Discovery Responder
Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_lltdio                       # Disable Link-Layer Discovery Mapper I/O Driver

# Disable DHCP on all interfaces
Set-NetIPInterface -InterfaceAlias "*" -DHCP Disabled

# Set Management Interface to highest metric
Set-NetIPInterface -InterfaceAlias "Management" -InterfaceMetric 1

# Create a Cluster - assuming VMMFC is your ClusterName, VMM1/2 are the names of your nodes
New-Cluster -Name VMMFC -Node VMM1,VMM2 -StaticAddress "your.Cluster.IP" -NoStorage

# Rename Cluster Networks (assuming 10.1.0.0 is your Management Net and 192.168.13.0 is your ClusterHB net)
(Get-ClusterNetwork | Where-Object {$_.Address -eq "10.1.0.0"}).Name = "Management"
(Get-ClusterNetwork | Where-Object {$_.Address -eq "192.168.13.0"}).Name = "ClusterHB"

# Rename the NICs

Rename-NetAdapter -Name "Ethernet" -NewName "Management"

Rename-NetAdapter -Name "Ethernet 2" -NewName "ClusterHB"

# Change IP´s and Set DNS

Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Management" | Remove-NetIPAddress -Confirm:$false | New-NetIPAddress -IPAddress "managementIP.of.your.node" -PrefixLength 24 -DefaultGateway "IP.of.your.GW"

Set-DnsClientServerAddress =InterfaceAlias "Management" -ServerAddresses "xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy"

Set-DnsClient -InterfaceAlias "Management" -RegisterThisConnectionsAddress:$true

Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "ClusterHB" | Remove-NetIPAddress -Confirm:$false

New-NetIPAddress -InterfaceAlias "ClusterHB" -AddressFamily IPv4 -IPAddress "clusterhbIP.of.your.node" -PrefixLength 24

Set-DnsClient -InterfaceAlias "ClusterHB" -RegisterThisConnectionsAddress:$false

# Install Failover Cluster Feature

Install-WindowsFeature –Name Failover-Clustering,RSAT-Clustering-PowerShell

# Disable all the unneeded things on ClusterHB NIC

$clusterhb_vnic_name = "ClusterHB"

$clhbnic = Get-WmiObject Win32_NetworkAdapter -filter "netconnectionid='$clusterhb_vnic_name'" # Read correct Adapter

$clhbadapter = Get-WmiObject Win32_NetworkAdapterConfiguration -filter Index=$($clhbnic.DeviceID) # Read Index

$clhbadapter.SetTcpipNetbios(2) # Disable NetBios over TCP/IP

Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_pacer # Disable QoS Packet Scheduler

Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_server # Disable File and Print Sharing

Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_msclient # Disable Client for Microsoft Networks

Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_rspndr # Disable Link-Layer Topology Discovery Responder

Disable-NetAdapterBinding -Name "ClusterHB" -ComponentID ms_lltdio # Disable Link-Layer Discovery Mapper I/O Driver

# Disable DHCP on all interfaces

Set-NetIPInterface -InterfaceAlias "*" -DHCP Disabled

# Set Management Interface to highest metric

Set-NetIPInterface -InterfaceAlias "Management" -InterfaceMetric 1

# Create a Cluster - assuming VMMFC is your ClusterName, VMM1/2 are the names of your nodes

New-Cluster -Name VMMFC -Node VMM1,VMM2 -StaticAddress "your.Cluster.IP" -NoStorage

# Rename Cluster Networks (assuming 10.1.0.0 is your Management Net and 192.168.13.0 is your ClusterHB net)

(Get-ClusterNetwork | Where-Object {$_.Address -eq "10.1.0.0"}).Name = "Management"

(Get-ClusterNetwork | Where-Object {$_.Address -eq "192.168.13.0"}).Name = "ClusterHB"

SQL:

create a AlwaysOn Listener on your SQL cluster (you can deploy VMM in a “Common” Instance with other databases or you prefer a dedicated instance for VMM – collation should be: SQL_Latin1_General_CP1_CI_AS

Software:

Download Windows ADK: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
(the adksetup is web-based but you can download this software on a different workstation first and choose the “download only” option):

Install ADK on both VMM nodes with the following options:
- DeploymentTools
- Windows Preinstallation Environment

…copy downloaded ADKSetup Files to both VMM nodes and install with GUI or unattended:

adksetup.exe /quiet /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment /log C:\Temp\install.txt

1	adksetup.exe /quiet /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment /log C:\Temp\install.txt

…after a few minutes check c:\temp\install.txt – the last entry should be “…Exit code 0…”:

Download SQL feature pack 2012 from: https://www.microsoft.com/en-US/download/details.aspx?id=43339 – you need the following packages:

Install the SQL tools in GUI mode or unattended:

.\sqlncli.msi /qb iacceptsqlnclilicenseterms=yes
.\sqlcmdlnutils.msi /qb iacceptsqlcmdlnutilslicenseterms=yes

1 2	.\sqlncli.msi /qb iacceptsqlnclilicenseterms=yes .\sqlcmdlnutils.msi /qb iacceptsqlcmdlnutilslicenseterms=yes

do this on both vm nodes and restart the servers

Accounts:

Login	Purpose	Permission
DOMAIN\_svc_vmmservice	SCVMM Service Account	Local admin rights on VMM nodes
DOMAIN\_svc_vmmrunas	Service Account for manageging Hyper-V Hosts	Local admin rights on Hyper-V servers/nodes
(optional) DOMAIN\_svc_vmm2scom	SCVMM to SCOM connector account	SCOM Admin and SCVMM Admin role
(optional) DOMAIN\_svc_vmmtemplate	Account used in templates to join Domain and run scripts while deployment	you can use delegate control in AD for this account – Computer Objects/Reset Password/Validated write to DNS host name/Validated write to service principal name/Read/Write Account Restrictions (This object and all descendant objects – Create/Delete Computer Objects)

Groups:

Name	Members	Scope	Permission
gg_VMMAdmins	your account/_svc_vmmservice/_svc_vmmrunas	Global	-
lg_VMMAdmins	gg_VMMAdmins	Local	Put this group in local admins group on VMM nodes

AD container:

if you install VMM in HA mode you must create a container in AD to allow VMM to store their key´s. See https://technet.microsoft.com/en-us/library/gg697604(v=sc.12).aspx

open ADSIEdit.msc and connect to the domain partition of the active directory domain:

…double click on “Default namin context…” and right click on domain context:

..give it a name (ie. VMMDKM – “Virtual Machine Manager Distributed Key Management”)

…refresh the console:

…click on domain -> your container -> and check your if your container is created successfully:

…close ADSIEdit and open “Active Directory Users and Computers” – click View -> Advanced Features:

…open Properties of your container:

…add VMM service account with R/W/Create child permissions:

…click Advanced and chance permissions to all descendant objects:

FileShare:

In a VMM HA install the FileShare for Library must be created outside of VMM servers – you have to create a fileshare on a MS fileserver or fileservercluster (NAS or other CIFS components are not possible because VMM installing his own VMM agent on the fileserver for management purposes…)

Install:

you can choose between nonGUI and GUI VMM setup – even on server core edition:

Server core install:

change to your VMM setup path and edit the file VMserver.ini (ie: C:\VMMSetup\amd64\Setup\VMserver.ini)

[OPTIONS]
ProductKey=<put your VMM key here>
UserName=MCS				# only display name in help
CompanyName=Microsoft Corporation	# only display name in help
ProgramFiles=C:\Program Files\Microsoft System Center 2016\Virtual Machine Manager
CreateNewSqlDatabase=1			# create a new DB within the instance
SqlInstanceName=SCVMMDB			# name of the SQL instance
SqlDatabaseName=VirtualManagerDB
RemoteDatabaseImpersonation=0		# your account has SQL server rights
SqlMachineName=SCVMMHA			# if AlwaysOn - name of the SQL listener
IndigoTcpPort=8100
IndigoHTTPSPort=8101
IndigoNETTCPPort=8102
IndigoHTTPPort=8103
WSManTcpPort=5985
BitsTcpPort=443
CreateNewLibraryShare=0		# do not create a new share, use existing
LibraryShareName=VMMLibrary	# share name for vmm library
LibrarySharePath=\\SOFS1	# name of the server that hosts the fileshare
# LibraryShareDescription=Virtual Machine Manager Library Files
SQMOptIn = 1			# opt in to Customer Experience Improvement Program
MUOptIn = 1			# use MS Update
VmmServiceLocalAccount = 0	# do not use a local account - you have to specifiy the domain account within the cmd line parameter...
TopContainerName = "CN=VMMDKM,DC=corp,DC=mscloud,DC=guru"	# container name in AD for storing VMM keys
HighlyAvailable = 1		# install VMM in HA mode
VmmServerName = VMMCL		# name for VMM cluster role
VMMStaticIPAddress = 10.1.1.45	# IP for VMM cluster role

[OPTIONS]

ProductKey=<put your VMM key here>

UserName=MCS # only display name in help

CompanyName=Microsoft Corporation # only display name in help

ProgramFiles=C:\Program Files\Microsoft System Center 2016\Virtual Machine Manager

CreateNewSqlDatabase=1 # create a new DB within the instance

SqlInstanceName=SCVMMDB # name of the SQL instance

SqlDatabaseName=VirtualManagerDB

RemoteDatabaseImpersonation=0 # your account has SQL server rights

SqlMachineName=SCVMMHA # if AlwaysOn - name of the SQL listener

IndigoTcpPort=8100

IndigoHTTPSPort=8101

IndigoNETTCPPort=8102

IndigoHTTPPort=8103

WSManTcpPort=5985

BitsTcpPort=443

CreateNewLibraryShare=0 # do not create a new share, use existing

LibraryShareName=VMMLibrary # share name for vmm library

LibrarySharePath=\\SOFS1 # name of the server that hosts the fileshare

# LibraryShareDescription=Virtual Machine Manager Library Files

SQMOptIn = 1 # opt in to Customer Experience Improvement Program

MUOptIn = 1 # use MS Update

VmmServiceLocalAccount = 0 # do not use a local account - you have to specifiy the domain account within the cmd line parameter...

TopContainerName = "CN=VMMDKM,DC=corp,DC=mscloud,DC=guru" # container name in AD for storing VMM keys

HighlyAvailable = 1 # install VMM in HA mode

VmmServerName = VMMCL # name for VMM cluster role

VMMStaticIPAddress = 10.1.1.45 # IP for VMM cluster role

call the setup with the following parameter:

setup.exe /server /i /f c:\VMMSetup\amd64\setup\vmserver.ini /vmmServiceDomain <your domain> /vmmServiceUserName <your service account> /vmmServiceUserPassword <your service account pwd> /IACCEPTSCEULA

1	setup.exe /server /i /f c:\VMMSetup\amd64\setup\vmserver.ini /vmmServiceDomain <your domain> /vmmServiceUserName <your service account> /vmmServiceUserPassword <your service account pwd> /IACCEPTSCEULA

check the VMMLog in C:\ProgramData\VMMLogs

Installation in GUI mode:

..start setup – choose install, click VMM server and next:

Server name -> Name of you AlwaysOn Listener

Port -> Listener Port

Instance name -> name of SQL instance

use your vmm-service account -> see “Accounts” above and the Distinguished Name of the container you created in AD before (see container above)

HINT: ..normally everything should ok – if you get an error like me (see text in screenshot) regarding the SCP in AD – maybe you have moved your Nodes in AD in another OU and forget to give the ClusterObject the permission to create Computer Objects within this OU! – see: https://technet.microsoft.com/en-us/library/dn466519(v=ws.11).aspx or see: http://www.systemcenter.ninja/2014/01/creating-service-connection-point-scp.html

..in my case i manually create the computer object (same OU as FC object) and give the failoverclusterobject Full-rights on this new object – after that i run the configurescptool.exe command (see text above) again and voila – in Cluster Manager the Role can be started with success…

On second node:

start setup (vmmsetup recognize that it runs in a cluster and that a “primary” vmm node exist):

…if you click on VMM management server in next screen you will get the following message:

…enter registration informations again:

…settings for database are greyed-out because setup reads this info from primary installed node:

…reeenter password for vmm-service:

accept all other with next and click install:

…after a while setup should finished with success:

Last step in HA install is to make the VMM DB highly-available – we installed it with the AlwaysOn Listener but the DB itself must be switched to HA with the SQL AlwaysOn Wizard – open the SQL Studio and connect to your AO Database:

…standard SQL setup for join a single DB to AO group – change recovery mode/make backup/add db to ao group:

…right click on AOgroup and select “Add Database…”:

HINT: in SQL Alvailability group dont forget to keep your SQL users on the database in sync (!) – see: http://mscloudgurublog.azurewebsites.net/2016/10/28/installing-sql-server-2016-core-on-windows-server-2016-core/ since every works perfekt until the first failover of the DB – then VMM service failed to start, because the (ie. _svc_vmmservice) user does not exist on the failover target server.

FINISH: now you have a fully highly available SCVMM installation – test it with failover of DB (nothing should happen) – and failover of VMM (an open VMM console should simple reconnecting after a few seconds)

Automation, SQL, Windows

Installing SQL Server 2016 Core on Windows Server 2016 Core

October 28, 2016 mwinkler

Prerequisites:

Account(s):

as a best practice you should create two (domain) accounts for running the sql service and the sql agent:

Login	Description
_svc_sqldb	SQL Server Service Account – is NOT local Admin on SQL Servers
_svc_sqlagent	SQL Server Agent Account – is NOT local Admin on SQL Servers

…in addition i create a global domain and local domain group in AD for SQL Admins – put Members to the global domain group, put global domain group into local domain group (local group gets the permission for sql server –> see sql.ini file…)

Name	Description
_gg_SQLAdmins	Global Group – All SQL Administrators
_lg_SQLAdmins	Local Group – All Glocal SQL Admin Groups

Disk:

best practice for SQL servers is to put Data, Log and Temp Files in different harddrives (in physical word in different raid configs) – i prefer this also in virtual environments even if i have a config that puts all vDisks on the same physical drives – per SQL VM create 4 vDisks:

Filename	Description
SystemOS.vhdx	Boot Disk with OS
SQL-Data.vhdx	Shared SQL Components and Instance Dirs
SQL-Temp.vhdx	Drive for SQL Temp DB's
SQL-Log.vhdx	Drive for SQL Log's

(see sql.ini for configuring the different drive letters and paths…)

if you want to manage your harddrives remotely by mmc plugin – you have to enable the appropriate firewall-rules on server core AND your workstation machine (if you not enable on your workstation machine you will get the error “RPC server unavailable):

check if the rules for remote disk management are enabled:

Get-NetFirewallRule | Where { $_.DisplayGroup -Eq "Remote Volume Management" } | Format-Table

1	Get-NetFirewallRule \| Where { $_.DisplayGroup -Eq "Remote Volume Management" } \| Format-Table

…not enabled by default – type:

Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"

1	Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"

…and check again:

…if you prefer the GUI – Server Manager from Admin Workstation is great – you can use it to manage disks remotely (change disk label,…)

Hotfixes, CUs, SPs and Patches:

..while setup is running, it can implement existing updates – copy all updates in a directory named i.e C:\SQLSetup\Updates\… and refer this path in your SQL.ini

mkdir C:\SQLSetup\Updates
copy <sqlupdates> C:\SQLSetup\Updates

1 2	mkdir C:\SQLSetup\Updates copy <sqlupdates> C:\SQLSetup\Updates

i.e. for SQL Server 2016 RTM – download CU2: https://www.microsoft.com/en-us/download/details.aspx?id=53338

SQL.INI:

…if you do not created a ini file before, you can copy this sample sql.ini and edit for your own:

;SQL Server 2012/2014/2016 Configuration File
[OPTIONS]

; Required to acknowledge acceptance of the license terms.

IACCEPTSQLSERVERLICENSETERMS="True"

; Specifies a Setup work flow, like INSTALL, UNINSTALL, or UPGRADE. This is a required parameter.

ACTION="Install"

; Detailed help for command line argument ENU has not been defined yet.

ENU="True"

; Parameter that controls the user interface behavior. Valid values are Normal for the full UI,AutoAdvance for a simplied UI, and EnableUIOnServerCore for bypassing Server Core setup GUI block.

; UIMODE="EnableUIOnServerCore"&nbsp;&nbsp;&nbsp; --> cannot be used with Quietsimple Parameter...

; Setup will not display any user interface.

QUIET="False"

; Setup will display progress only, without any user interaction.

QUIETSIMPLE="True"

; Specify whether SQL Server Setup should discover and include product updates. The valid values are True and False or 1 and 0. By default SQL Server Setup will include updates that are found.

UpdateEnabled="True"

; Specify whether SQL Server setup should discover and include product updates. The valid values are True and False or 1 and 0. By default, SQL Server setup will include updates that are found.

UpdateSource="C:\SQLSetup\Updates"

; Specifies features to install, uninstall, or upgrade. The list of top-level features include SQL, AS, RS, IS, MDS, and Tools. The SQL feature will install the Database Engine, Replication, Full-Text, and Data Quality Services (DQS) server. The Tools feature will install Management Tools, Books online components, SQL Server Data Tools, and other shared components.

FEATURES=SQLENGINE

; Displays the command line parameters usage

HELP="False"

; Specifies that the detailed Setup log should be piped to the console.

INDICATEPROGRESS="False"

; Specifies that Setup should install into WOW64. This command line argument is not supported on an IA64 or a 32-bit system.

X86="False"

; Specify the root installation directory for shared components.&nbsp; This directory remains unchanged after shared components are already installed.

INSTALLSHAREDDIR="D:\Program Files\Microsoft SQL Server"

; Specify the root installation directory for the WOW64 shared components.&nbsp; This directory remains unchanged after WOW64 shared components are already installed.

INSTALLSHAREDWOWDIR="D:\Program Files (x86)\Microsoft SQL Server"

; Specify a default or named instance. MSSQLSERVER is the default instance for non-Express editions and SQLExpress for Express editions. This parameter is required when installing the SQL Server Database Engine (SQL), Analysis Services (AS), or Reporting Services (RS).

INSTANCENAME="SCVMMDB"

; Specify the Instance ID for the SQL Server features you have specified. SQL Server directory structure, registry structure, and service names will incorporate the instance ID of the SQL Server instance.

INSTANCEID="SCVMMDB"

; Specify that SQL Server feature usage data can be collected and sent to Microsoft. Specify 1 or True to enable and 0 or False to disable this feature.

SQMREPORTING="False"

; Specify if errors can be reported to Microsoft to improve future SQL Server releases. Specify 1 or True to enable and 0 or False to disable this feature.

ERRORREPORTING="False"

; Specify the installation directory.

INSTANCEDIR="D:\Program Files\Microsoft SQL Server"

; Specifies the directory for the data files for tempdb.

SQLTEMPDBDIR="F:\MSSQLTempDB\SCVMMDB"

; Specifies the directory for the log files for tempdb.

SQLTEMPDBLOGDIR="E:\MSSQLTempDBLog\SCVMMDB"

; Specifies the directory for the data files for user databases.

SQLUSERDBDIR="D:\MSSQLData\SCVMMDB"

; Specifies the directory for the log files for user databases.

SQLUSERDBLOGDIR="E:\MSSQLLogs\SCVMMDB"

; Agent account name

AGTSVCACCOUNT="DOMAIN\_svc_sqlagent"
AGTSVCPASSWORD=”Password”

AGTSVCSTARTUPTYPE="Automatic"

; Level to enable FILESTREAM feature at (0, 1, 2 or 3).

FILESTREAMLEVEL="0"

; Account for SQL Server service: Domain\User or system account.

SQLSVCACCOUNT="DOMAIN\_svc_sqldb"
SQLSVCPASSWORD=”Password”

SQLSVCSTARTUPTYPE="Automatic"

; Specifies a Windows collation or an SQL collation to use for the Database Engine.

SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"

; Startup type for Browser Service.

BROWSERSVCSTARTUPTYPE=Automatic

; Use this parameter to provision logins to be members of the sysadmin role.

SQLSYSADMINACCOUNTS="CORP\_lg_SQLAdmins"

; Specifies the directory for backup files.

SQLBACKUPDIR="E:\Backup"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

;SQL Server 2012/2014/2016 Configuration File

[OPTIONS]

; Required to acknowledge acceptance of the license terms.

IACCEPTSQLSERVERLICENSETERMS="True"

; Specifies a Setup work flow, like INSTALL, UNINSTALL, or UPGRADE. This is a required parameter.

ACTION="Install"

; Detailed help for command line argument ENU has not been defined yet.

ENU="True"

; Parameter that controls the user interface behavior. Valid values are Normal for the full UI,AutoAdvance for a simplied UI, and EnableUIOnServerCore for bypassing Server Core setup GUI block.

; UIMODE="EnableUIOnServerCore"    --> cannot be used with Quietsimple Parameter...

; Setup will not display any user interface.

QUIET="False"

; Setup will display progress only, without any user interaction.

QUIETSIMPLE="True"

; Specify whether SQL Server Setup should discover and include product updates. The valid values are True and False or 1 and 0. By default SQL Server Setup will include updates that are found.

UpdateEnabled="True"

; Specify whether SQL Server setup should discover and include product updates. The valid values are True and False or 1 and 0. By default, SQL Server setup will include updates that are found.

UpdateSource="C:\SQLSetup\Updates"

; Specifies features to install, uninstall, or upgrade. The list of top-level features include SQL, AS, RS, IS, MDS, and Tools. The SQL feature will install the Database Engine, Replication, Full-Text, and Data Quality Services (DQS) server. The Tools feature will install Management Tools, Books online components, SQL Server Data Tools, and other shared components.

FEATURES=SQLENGINE

; Displays the command line parameters usage

HELP="False"

; Specifies that the detailed Setup log should be piped to the console.

INDICATEPROGRESS="False"

; Specifies that Setup should install into WOW64. This command line argument is not supported on an IA64 or a 32-bit system.

X86="False"

; Specify the root installation directory for shared components.  This directory remains unchanged after shared components are already installed.

INSTALLSHAREDDIR="D:\Program Files\Microsoft SQL Server"

; Specify the root installation directory for the WOW64 shared components.  This directory remains unchanged after WOW64 shared components are already installed.

INSTALLSHAREDWOWDIR="D:\Program Files (x86)\Microsoft SQL Server"

; Specify a default or named instance. MSSQLSERVER is the default instance for non-Express editions and SQLExpress for Express editions. This parameter is required when installing the SQL Server Database Engine (SQL), Analysis Services (AS), or Reporting Services (RS).

INSTANCENAME="SCVMMDB"

; Specify the Instance ID for the SQL Server features you have specified. SQL Server directory structure, registry structure, and service names will incorporate the instance ID of the SQL Server instance.

INSTANCEID="SCVMMDB"

; Specify that SQL Server feature usage data can be collected and sent to Microsoft. Specify 1 or True to enable and 0 or False to disable this feature.

SQMREPORTING="False"

; Specify if errors can be reported to Microsoft to improve future SQL Server releases. Specify 1 or True to enable and 0 or False to disable this feature.

ERRORREPORTING="False"

; Specify the installation directory.

INSTANCEDIR="D:\Program Files\Microsoft SQL Server"

; Specifies the directory for the data files for tempdb.

SQLTEMPDBDIR="F:\MSSQLTempDB\SCVMMDB"

; Specifies the directory for the log files for tempdb.

SQLTEMPDBLOGDIR="E:\MSSQLTempDBLog\SCVMMDB"

; Specifies the directory for the data files for user databases.

SQLUSERDBDIR="D:\MSSQLData\SCVMMDB"

; Specifies the directory for the log files for user databases.

SQLUSERDBLOGDIR="E:\MSSQLLogs\SCVMMDB"

; Agent account name

AGTSVCACCOUNT="DOMAIN\_svc_sqlagent"

AGTSVCPASSWORD=”Password”

AGTSVCSTARTUPTYPE="Automatic"

; Level to enable FILESTREAM feature at (0, 1, 2 or 3).

FILESTREAMLEVEL="0"

; Account for SQL Server service: Domain\User or system account.

SQLSVCACCOUNT="DOMAIN\_svc_sqldb"

SQLSVCPASSWORD=”Password”

SQLSVCSTARTUPTYPE="Automatic"

; Specifies a Windows collation or an SQL collation to use for the Database Engine.

SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"

; Startup type for Browser Service.

BROWSERSVCSTARTUPTYPE=Automatic

; Use this parameter to provision logins to be members of the sysadmin role.

SQLSYSADMINACCOUNTS="CORP\_lg_SQLAdmins"

; Specifies the directory for backup files.

SQLBACKUPDIR="E:\Backup"

Install:

..in CMD Shell on server core type:

cd C:\SQLSetup
.\setup.exe /ConfigurationFile=C:\SQLSetup\Install_Instance_SCVMMDB.ini

1 2	cd C:\SQLSetup .\setup.exe /ConfigurationFile=C:\SQLSetup\Install_Instance_SCVMMDB.ini

HINT: see troubleshooting section for a bug in the setup routine – you have to add permissions on your backup dir, if you install additional instances…

after setup is finish – you have to manually create the firewall rule for accessing your instance:

SERVER2016/SQL2016:

per server:

New-NetFirewallRule –Name 'SQL-Server-Browser' –DisplayName 'SQL Server Browser (UDP-In 1434)' –Direction Inbound –Action Allow –Protocol UDP –LocalPort 1434 –Profile Any

1	New-NetFirewallRule –Name 'SQL-Server-Browser' –DisplayName 'SQL Server Browser (UDP-In 1434)' –Direction Inbound –Action Allow –Protocol UDP –LocalPort 1434 –Profile Any

per instance:

New-NetFirewallRule –Name 'SQL-Server-SCVMMDB-Instance' -DisplayName 'SQL Server (TCP-In) SCVMMDB Instance' -Program 'D:\Program Files\Microsoft SQL Server\MSSQL13.SCVMMDB\MSSQL\Binn\sqlservr.exe' -Direction Inbound -Action Allow -Protocol TCP -Profile Any

1	New-NetFirewallRule –Name 'SQL-Server-SCVMMDB-Instance' -DisplayName 'SQL Server (TCP-In) SCVMMDB Instance' -Program 'D:\Program Files\Microsoft SQL Server\MSSQL13.SCVMMDB\MSSQL\Binn\sqlservr.exe' -Direction Inbound -Action Allow -Protocol TCP -Profile Any

per listener (if you use alwayson):

New-NetFirewallRule -DisplayName "SQL Listener SCVMMDB Instance (TCP-In <Listener Port ie. 1436>)" -Direction Inbound -Action Allow -LocalAddress <ListenerIP> -Protocol TCP -LocalPort <Listener Port ie. 1436> -Profile Domain

1	New-NetFirewallRule -DisplayName "SQL Listener SCVMMDB Instance (TCP-In <Listener Port ie. 1436>)" -Direction Inbound -Action Allow -LocalAddress <ListenerIP> -Protocol TCP -LocalPort <Listener Port ie. 1436> -Profile Domain

older versions SERVER2012R2/SQL2012 (other Profile Parameter and SQL Path):

per server:

New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP-In 1434)' -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1434 -Profile All

1	New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP-In 1434)' -Direction Inbound -Action Allow -Protocol UDP -LocalPort 1434 -Profile All

per instance:

New-NetFirewallRule -DisplayName 'SQL Server (TCP-In) SCVMMDB Instance' -Program 'D:\Program Files\Microsoft SQL Server\MSSQL11.SCVMMDB\MSSQL\Binn\sqlservr.exe' -Direction Inbound -Action Allow -Protocol TCP -Profile All

1	New-NetFirewallRule -DisplayName 'SQL Server (TCP-In) SCVMMDB Instance' -Program 'D:\Program Files\Microsoft SQL Server\MSSQL11.SCVMMDB\MSSQL\Binn\sqlservr.exe' -Direction Inbound -Action Allow -Protocol TCP -Profile All

per listener (if you use alwayson):

New-NetFirewallRule -DisplayName "SQL Listener SCVMMDB Instance (TCP-In <Listener Port ie. 1436>)" -Direction Inbound -Action Allow -LocalAddress <ListenerIP> -Protocol TCP -LocalPort <Listener Port ie. 1436> -Profile Domain

1	New-NetFirewallRule -DisplayName "SQL Listener SCVMMDB Instance (TCP-In <Listener Port ie. 1436>)" -Direction Inbound -Action Allow -LocalAddress <ListenerIP> -Protocol TCP -LocalPort <Listener Port ie. 1436> -Profile Domain

you can check if everything is ok with management studio – connect to the sql server\instance name and version number should be 13.0.2164 (SQL2016 with CU2) – see version numbers: https://sqlserverbuilds.blogspot.co.at/

AlwaysOn config:

…if you want to create a AlwaysOn SQL Infra – do exact the same on a second server (don’t forget to create cluster first…)

Enable AlwaysOn:

Open PowerShell with Admin Rights (if you have a fresh install and not reopened your powershell window – no SQL cmdlet will be found (!) – so don´t forget to logoff and logon before start PS)

Enable-SqlAlwaysOn –Path SQLSERVER:\SQL\<Name of Server>\<Name of Instance>

1	Enable-SqlAlwaysOn –Path SQLSERVER:\SQL\<Name of Server>\<Name of Instance>

…do this on ALL sql nodes…

HINT – AlwaysOn: if you create a AvailabilityGroup and want to use it for i.e. SystemCenter VMM – see: http://mscloudgurublog.azurewebsites.net/2016/10/30/installing-highly-available-systemcenter-vmm-2016-howto/ don´t forget that AlwaysOn does NOT sync user logins on SQL automatically – so if you install VMM every works perfect until the first SQL Failover – after that VMM services crashes, because it can not connect to your database.

Good way to keep the user´s in sync, is a great tool named dbatools – it´s free of charge and you can find it via: https://dbatools.io/getting-started/

Installation is very simple via PSGallery on your SQL server – open powershell and type:

Install-Module -Name dbatools

1	Install-Module -Name dbatools

..aswer the following questions about NuGet and so on with Yes (you need a internet connection from your server..)

Test the connection to the server you logged in and the other sql server nodes that part of your Availability Group with:

#Syntax: Test-SqlConnection -SqlServer <fqdn of server\Name of Instance>
#Example:
Test-SqlConnection -SqlServer SQL1\SCVMMDB

#Syntax: Test-SqlConnection -SqlServer <fqdn of server\Name of Instance>

#Example:

Test-SqlConnection -SqlServer SQL1\SCVMMDB

Keep users in sync type:

# Syntax: Sync-SqlLoginPermissions -Source <fqdn\instancename> -Destination <fqdn\instancename> -Verbose
# Example:
Sync-SqlLoginPermissions -Source SQL1\SCVMMDB -Destination SQL2\SCVMMDB -Verbose

# Syntax: Sync-SqlLoginPermissions -Source <fqdn\instancename> -Destination <fqdn\instancename> -Verbose

# Example:

Sync-SqlLoginPermissions -Source SQL1\SCVMMDB -Destination SQL2\SCVMMDB -Verbose

i will do this in a scheduled task so have a perfect solution to keep all sql user logins on all sql servers in sync.

Troubleshooting:

you can find any error or information in the SQL Setup log file located in C:\Program Files\MicrosoftSQL Server\130\Setup Bootstrap\Log\ – see the reference article: https://msdn.microsoft.com/en-us/library/ms143702.aspx

HINT: …i found a bug in the sql setup – if you install the instances with a unattended .ini file and point every instance to backup their databases to ie. E:\backup directory – the setup process create only for the FIRST instance the appropriate permissions for this directory (ie: NT Service\MSSQL$COMMON has Full permission to E:\Backup NOT other instances ie. NT Service\MSSQL$SCVMMDB…..) – to solve this open a Admin CMD Shell on every SQL node and enter:

icacls E:\Backup /GRANT "NT SERVICE\MSSQL$SCVMMDB:(CI)(OI)F"

1	icacls E:\Backup /GRANT "NT SERVICE\MSSQL$SCVMMDB:(CI)(OI)F"

you can check the correct permissions with:

icacls E:\Backup

1	icacls E:\Backup

if you have 2 instances (COMMON and SCVMMDB) it should look like this:

Automation, Windows

Initialize additional Disk on Server Core

October 28, 2016 mwinkler

…to get the number of the new disk enter:

Get-Disk

Get-Disk –Number 1 | Set-Disk –IsOffline $false

Get-Disk –Number 1 | Set-Disk –IsReadOnly $false

Get-Disk –Number 1 | Initialize-Disk –PartitionStyle GPT

Get-Disk –Number 1 | New-Volume –FriendlyName “Data” –FileSystem ReFS –DriveLetter “D”

…if you want to change the drive letter of other drives before:

diskpart

select volume x (list volume –> to get volumes with driveletters)

assign letter=y

exit

Prerequisites:

VM:

User Accounts:

SQL:

Install:

Remote Administration:

Post-Task´s after finishing setup:

Add Disks/Volumes to DPM:

Add Agents:

Create a vSwitch

Rename vNIC(s)

Add vNIC(s)

Set VLANid on vNIC(s)

Enable JumboFrames

Create two WMI filters in Group Policy Console:

Create a Policy for non PDC-emulator Domain-controllers:

Link to Domain Controller OU:

Change registry:

Policy Update:

check registry settings:

force sync:

check eventlog Application/time-source:

Prerequisites:

Create Policy:

HowTo Install:

Policy for installing client package:

Extend the AD schema:

Set/Check Permissions:

Create Local Password Policy:

Read Passwords:

Prerequisites:

VM(s):

SQL:

Software:

Accounts:

Groups:

AD container:

FileShare:

Install:

Server core install:

Installation in GUI mode:

On second node:

Prerequisites:

Account(s):

Disk:

Hotfixes, CUs, SPs and Patches:

SQL.INI:

Install:

SERVER2016/SQL2016:

older versions SERVER2012R2/SQL2012 (other Profile Parameter and SQL Path):

AlwaysOn config:

Troubleshooting:

…all the IT stuff..