Tag Archives: windows

Install SystemCenter DPM 2016 – HowTo…

Prerequisites:

We need the following prerequisites first:

VM:
  • 2 vCPU
  • 4096MB Memory dynamic min. 512MB – max. 8192MB
  • Systemdrive – 128GB Dynamic
  • Backupdrive – <whatever you need>GB
User Accounts:
Login | Purpose | Permission
DOMAIN\_svc_sqlservice | Account for SQL Database Instance on DPM Server | none (permissions set by sql setup…)
DOMAIN\_svc_sqlreporting | Account for SQL Reporting Instance on DPM Server | none (permissions set by sql setup…)
DOMAIN\_svc_sqlagent | Account for SQL Agent on DPM Server | none (permissions set by sql setup…)
SQL:

Install SQL Server locally on the DPM server or use a remote SQL Server (DPM 2016 does not support AlwaysOn Groups – so I will install a local SQL Server instance on the DPM VM itself)

<sql.ini>

SQL components you need:

  • DataBase engine
  • Reporting Services Native

..in addition you need SQL Server Management Studio (DPM setup checks this prerequisite) – if you do not install Management Studio you will receive this error during installation of DPM:

..so start install of SQL Management Studio:

Install:

The DPM ISO you can download contains only a single MSI file that extracts the source files for installation – you can mount it from a remote source, extract it remotely, or, as I will do, copy the MSI to C:\Temp – double-click the MSI package and enter C:\Temp\DPM2016Setup as destination directory.

After extracting – double-click on setup.exe – install will start:

…enter the localhost-name and the name of the sql instance you installed before with the SQLxxx.ini…

…setup will check and install all prereq´s – while installing Hyper-V PowerShell Modules you have to restart the DPM server and run setup again:

..after reboot – start DPM setup again:

…after finishing of setup – install all updates – at time of creation of this blog it is “Update Rollup 2 – Data Protection Manager 2016”

Remote Administration:

If you want to remotely manage your DPM server and have an “Administration Workstation” you can install “DPM Remote Administration” there. (HINT: other tutorials and howtos tell you that you need SCOM, Management Packs,… to install Remote Tools – that's not correct – for “Remote Administration” you need none of these – you need SCOM,.. only if you want to install “DPM Central Console”…)

…after finishing setup of Remote Administration you have to check for updates – because the DPM Console compares the version of Console and Server and needs the same on both. (you receive an error when starting a console with an old version…)

Post-Task´s after finishing setup:

Add Disks/Volumes to DPM:

DPM uses a new concept called MBS (Modern Backup Storage) – based on ReFS Volumes with Storage Spaces – so adding disks is completely different than in DPM 2012R2 – in my case I will add two virtual disks (dynamic and 64GB) to my DPM Server VM (you can add additional disks later) and start with Server Manager in the DPM Server VM:

…right click on the first disk and click on new storage pool (choosing ONE disk has a reason: this creates a Storage Pool with column size 1, so you can later simply add single disks to the pool)

..give the new pool a name:

…if you have a physical DPM Server with JBODs – best practice here is to add several disks and configure one of them as Hot-Spare – because our DPM server is virtual – we need no hot-spare:

…now we create a virtual disk:

…best practice is to use a simple layout:

…we use Fixed provisioning type:

…specify a size a little smaller than the disk (we expand this volume later):

…deselect create volume and click on close:

…add the second disk to storage pool:

…and extend the virtual disk:

..i will not use all (in this example) 128GB:

…now we can create a volume on the new vdisk:

..add a drive letter:

…now you can add this volume to DPM:

HINT: you have to click on rescan if you don´t see your new volume here…

…give it a friendly name and click ok:
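
The same sequence in PowerShell, as an added example that is not part of the original post. The pool and virtual disk names, the drive letter E, the volume label and the 60GB/120GB sizes are assumptions chosen for two 64GB disks; adjust them to your environment.

```powershell
# Added example: PowerShell equivalent of the Server Manager steps above.
# Assumptions: names, drive letter, label and sizes below are placeholders.
$poolName  = 'DPMPool'     # hypothetical name
$vdiskName = 'DPMVDisk'    # hypothetical name

# 1. Create the pool from ONE poolable disk
$poolable = @(Get-PhysicalDisk -CanPool $true | Sort-Object DeviceId)
if ($poolable.Count -lt 2) { throw 'Expected two unused disks for this walkthrough.' }
$subsystem = Get-StorageSubSystem -FriendlyName 'Windows Storage*'
New-StoragePool -FriendlyName $poolName `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $poolable[0] | Out-Null

# 2. Simple layout, fixed provisioning, one column, a little smaller than the disk
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName $vdiskName `
    -ResiliencySettingName Simple -ProvisioningType Fixed `
    -NumberOfColumns 1 -Size 60GB | Out-Null

# 3. Add the second disk and extend the virtual disk (not using the full 128GB)
Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks $poolable[1]
Resize-VirtualDisk -FriendlyName $vdiskName -Size 120GB

# 4. Create the ReFS volume on the virtual disk
Get-VirtualDisk -FriendlyName $vdiskName | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'DPMStorage' -Confirm:$false | Out-Null

# 5. Confirm layout, provisioning type and column count
Get-VirtualDisk -FriendlyName $vdiskName |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, NumberOfColumns, Size
```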

Add Agents:

Now it´s time to add agents to DPM – click on Agents in console and click Install:

HINT: if you want to install an agent on an untrusted source (a source that is not domain joined, or in a domain without a trust) – see my post: Install DPM agent in untrusted workgroup…

..in my environment I want to install it first on my Hyper-V cluster – so I choose both of my Hyper-V nodes (not necessary to include the cluster name – i.e. “hvfc”):

..enter an account that has local admin rights on these servers (you can use your own account, it is only for the installation of the agent, NOT for service or other purposes..)

..a reboot of ALL (because it is a cluster) is necessary to add hyper-v nodes/cluster to DPM – i will not start automatically (you must restart ALL clusternodes)

..if you receive an error – check your firewall settings on the target computers (for all port exclusions see: https://technet.microsoft.com/en-us/library/hh757794(v=sc.12).aspx – for a list of exclusions only for DPM agents see: https://technet.microsoft.com/en-us/library/hh758204(v=sc.12).aspx):

HINT: easy way – use the following powershell cmdlets on the potentially protected computers:

..or use a GPO – after setting the correct port exclusion – agent installation will work:

 

Time Synchronizing Domain Controllers with NTP – HowTo

…to synchronize your DC(s) with a correct time source and make the DCs authoritative for the clients you have to follow these steps:

If you have more than one domain controller, only the PDC emulator should sync its time with NTP – all other DCs should sync with NT5DS against the PDC emulator – we can easily filter the PDCe with a WMI query.

Create two WMI filters in Group Policy Console:

DC with PDC emulator -> “Select * from Win32_ComputerSystem where DomainRole = 5”

all other DCs -> “Select * from Win32_ComputerSystem where DomainRole = 4”

Create two Policies (Sync with NTP for DC with PDCe and Sync with NT5DS for non PDCe DCs)

Create a Policy for non PDC-emulator Domain-controllers:

…ignore the default ntpserver entry, because not used if type is NT5DS (domain hierarchy)…

…not necessary to create a policy for workstations/desktops and non-DomainController servers (domain-joined) because they will sync automatically with DC…

Link to Domain Controller OU:

If you are running your domain controllers in virtual environments like HV/Azure… – you must disable time sync against the host on all VMs within the domain (otherwise you play ping-pong – policy sets the time, host sets it back, policy sets the time, host sets it back,…..).

Change registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]

"Enabled"=dword:00000000

Policy Update:

gpupdate /target:computer /force

check registry settings:

HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters\….

force sync:

net stop w32time && net start w32time

w32tm /resync /force

check eventlog Application/time-source:
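
A local check for the settings described in this section, as an added example that is not part of the original post: it compares the policy-delivered sync type with the DC's role, confirms the Hyper-V time provider is disabled, and shows the current time source. It assumes an elevated PowerShell session on the DC and that the policy value is stored under HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters.

```powershell
# Added example: audit one domain controller against the time-sync layout above.
# Run locally on each DC in an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$vmicKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

# DomainRole 5 = PDC emulator, 4 = any other DC (same values the WMI filters use)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$expectedType = switch ($role) {
    5       { 'NTP' }
    4       { 'NT5DS' }
    default { $null }
}
if (-not $expectedType) {
    Write-Warning "DomainRole $role is not a domain controller; nothing to audit."
    return
}

# Sync type delivered by the GPO (empty if the policy has not applied yet)
$policyType = (Get-ItemProperty -Path $policyKey -Name Type -ErrorAction SilentlyContinue).Type

# Hyper-V time provider must be off, otherwise host and policy fight over the clock
$vmicEnabled = (Get-ItemProperty -Path $vmicKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

# Source the time service is actually using right now
$source = (& w32tm.exe /query /source | Out-String).Trim()

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    DomainRole    = $role
    ExpectedType  = $expectedType
    PolicyType    = $policyType
    TypeMatches   = ($policyType -eq $expectedType)
    VmicDisabled  = ($vmicEnabled -eq 0)
    CurrentSource = $source
    HostIsSource  = ($source -like '*VM IC Time Synchronization Provider*')
}
```

A DC that reports TypeMatches or VmicDisabled as False, or HostIsSource as True, is still exposed to the ping-pong described above.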

Installing Highly Available SystemCenter VMM 2016 – HowTo…

Prerequisites:

if you want to install a highly available VMM you need two VMs (to create a VMM cluster) and an extra HA SQL Server (ideally two SQL 2016 core nodes with AlwaysOn – for installing these SQL nodes see http://blog.mscloud.guru/2016/10/28/installing-sql-server-2016-core-on-windows-server-2016-core/)

VM(s):
  • Create two VMs with a OS vhdx (optional one additional Data drive if you want to split OS and VMM in two different drives), 2 vCPUs and at minimum 4096 MB Memory (if you want to use Dynamic RAM, set Startup value to 4096MBs or more and Minimum RAM to 2048 or more, otherwise setup check will fail…) – see SystemCenter requirements: https://technet.microsoft.com/en-us/system-center-docs/system-requirements/minimum-hardware-recommendations
  • Create a cluster with this two VMs, no cluster disks necessary, don’t forget to create a witness (my preferred FileShare or Cloud Witness)

SQL:
  • create an AlwaysOn Listener on your SQL cluster (you can deploy VMM in a “Common” instance with other databases or, if you prefer, in a dedicated instance for VMM) – collation should be: SQL_Latin1_General_CP1_CI_AS
Software:

  • Install ADK on both VMM nodes with the following options:
    • DeploymentTools
    • Windows Preinstallation Environment

…copy downloaded ADKSetup Files to both VMM nodes and install with GUI or unattended:

…after a few minutes check c:\temp\install.txt – the last entry should be “…Exit code 0…”:

  • Install the SQL tools in GUI mode or unattended:

  • do this on both vm nodes and restart the servers
Accounts:
Login | Purpose | Permission
DOMAIN\_svc_vmmservice | SCVMM Service Account | Local admin rights on VMM nodes
DOMAIN\_svc_vmmrunas | Service Account for managing Hyper-V Hosts | Local admin rights on Hyper-V servers/nodes
(optional) DOMAIN\_svc_vmm2scom | SCVMM to SCOM connector account | SCOM Admin and SCVMM Admin role
(optional) DOMAIN\_svc_vmmtemplate | Account used in templates to join Domain and run scripts while deployment | you can use delegate control in AD for this account – Computer Objects/Reset Password/Validated write to DNS host name/Validated write to service principal name/Read/Write Account Restrictions (This object and all descendant objects – Create/Delete Computer Objects)
Groups:
Name | Members | Scope | Permission
gg_VMMAdmins | your account/_svc_vmmservice/_svc_vmmrunas | Global | -
lg_VMMAdmins | gg_VMMAdmins | Local | Put this group in local admins group on VMM nodes
AD container:

if you install VMM in HA mode you must create a container in AD to allow VMM to store its keys. See https://technet.microsoft.com/en-us/library/gg697604(v=sc.12).aspx

open ADSIEdit.msc and connect to the domain partition of the Active Directory domain:

…double click on “Default naming context…” and right click on the domain context:

..give it a name (ie. VMMDKM – “Virtual Machine Manager Distributed Key Management”)

…refresh the console:

…click on domain -> your container -> and check if your container was created successfully:

 

…close ADSIEdit and open “Active Directory Users and Computers” – click View -> Advanced Features:

…open Properties of your container:

…add VMM service account with R/W/Create child permissions:

…click Advanced and change permissions to all descendant objects:

FileShare:

In a VMM HA install the FileShare for the Library must be created outside of the VMM servers – you have to create a fileshare on an MS fileserver or fileserver cluster (NAS or other CIFS components are not possible because VMM installs its own VMM agent on the fileserver for management purposes…)

Install:

you can choose between nonGUI and GUI VMM setup – even on server core edition:

Server core install:

change to your VMM setup path and edit the file VMserver.ini (ie: C:\VMMSetup\amd64\Setup\VMserver.ini)

call the setup with the following parameter:

check the VMMLog in C:\ProgramData\VMMLogs

Installation in GUI mode:

..start setup – choose install, click VMM server and next:

Server name -> Name of your AlwaysOn Listener

Port -> Listener Port

Instance name -> name of SQL instance

use your vmm-service account -> see “Accounts” above and the Distinguished Name of the container you created in AD before (see container above)

HINT: ..normally everything should be OK – if you get an error like I did (see text in screenshot) regarding the SCP in AD – maybe you have moved your nodes to another OU in AD and forgot to give the cluster object the permission to create computer objects within this OU! – see: https://technet.microsoft.com/en-us/library/dn466519(v=ws.11).aspx or see: http://www.systemcenter.ninja/2014/01/creating-service-connection-point-scp.html

..in my case I manually created the computer object (same OU as the FC object) and gave the failover cluster object full rights on this new object – after that I ran the configurescptool.exe command (see text above) again and voilà – in Cluster Manager the role can be started successfully…

On second node:

start setup (VMM setup recognizes that it runs in a cluster and that a “primary” VMM node exists):

…if you click on VMM management server in the next screen you will get the following message:

…enter registration information again:

…settings for the database are greyed out because setup reads this info from the primary installed node:

…re-enter the password for vmm-service:

accept all others with next and click install:

…after a while setup should finish successfully:

Last step in HA install is to make the VMM DB highly-available – we installed it with the AlwaysOn Listener but the DB itself must be switched to HA with the SQL AlwaysOn Wizard – open the SQL Studio and connect to your AO Database:

…standard SQL setup for joining a single DB to an AO group – change recovery mode/make backup/add DB to AO group:

…right click on AOgroup and select “Add Database…”:

HINT: in a SQL Availability Group don't forget to keep your SQL users on the database in sync (!) – see: http://blog.mscloud.guru/2016/10/28/installing-sql-server-2016-core-on-windows-server-2016-core/ – since everything works perfectly until the first failover of the DB – then the VMM service fails to start, because the user (i.e. _svc_vmmservice) does not exist on the failover target server.

FINISH: now you have a fully highly available SCVMM installation – test it with a failover of the DB (nothing should happen) – and a failover of VMM (an open VMM console should simply reconnect after a few seconds)

Initialize additional Disk on Server Core

…to get the number of the new disk enter:

 

Get-Disk

 


 

Get-Disk -Number 1 | Set-Disk -IsOffline $false

Get-Disk -Number 1 | Set-Disk -IsReadOnly $false

Get-Disk -Number 1 | Initialize-Disk -PartitionStyle GPT

Get-Disk -Number 1 | New-Volume -FriendlyName "Data" -FileSystem ReFS -DriveLetter "D"

 

…if you want to change the drive letter of other drives before:

 

diskpart

select volume x    (list volume –> to get volumes with driveletters)

assign letter=y

exit

Solving Win10 (Build 1607) Anniversary Update – Hyper-V Gen2 VM 2016TP5 – boot error

You have Windows 10 with Anniversary Update (Build 1607) – Hyper-V enabled – created a VM with 2016TP5 and your screen looks like this?

<pic>

There is some information on the net about solving this boot problem, but the tricky part is that you must do this STEP by STEP (to avoid additional errors on boot…)

STEP1:

  • Stop VM
  • Change your Secure Boot Options to “Microsoft UEFI Certificate Authority” (DO NOT Disable Secure Boot, because it is useless here and you end up in the same error…)
  • Start VM
  • Error again – this is ok here…

STEP2:

  • Stop VM
  • Now you can DISABLE Secure Boot Option (if you try this without STEP1 – your VM does not boot…)

[Screenshot: Hyper-V VM settings, Security page – Secure Boot disabled, Template: Microsoft UEFI Certificate Authority]

  • Start VM

..after changing to UEFI and disabling UEFI secure boot you can start your VM with 2016TP5 in the normal way…

WSUS – HowTo Install

Prerequisites:

Install .NET2.0 Framework:

Install-WindowsFeature -Name NET-Framework-Core

Install Report Viewer 2008 SP1:

http://www.microsoft.com/en-us/download/details.aspx?id=3841

…do Windows Update and Restart…

Additional Harddrive:

About 100GB for most updates…

Install:

  • Open Powershell:
    Install-WindowsFeature UpdateServices -IncludeManagementTools
    New-Item -Path D:\ -Name WSUSData -ItemType Directory
    & "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall content_dir=D:\WSUSData

 





Configure WSUS to use SSL:

…Web Server certificate needed…

Enforce SSL on Virtual directories:

The next step is to enforce SSL encryption on the following virtual roots:

  • SimpleAuthWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • ApiRemoting30
  • ClientWebService 






-> Restart IIS
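
One way to script this step, as an added example that is not part of the original post: it sets "Require SSL" on the five virtual roots listed above, reads the setting back, and restarts IIS only if all five are enforced. It assumes the WSUS IIS site has the default name 'WSUS Administration' and already has an https binding with the web server certificate.

```powershell
# Added example: require SSL on the five WSUS virtual roots listed above.
# Assumption: the WSUS site uses the default name 'WSUS Administration'.
Import-Module WebAdministration

$site   = 'WSUS Administration'   # assumed default site name
$vroots = 'SimpleAuthWebService', 'DSSAuthWebService', 'ServerSyncWebService',
          'ApiRemoting30', 'ClientWebService'
$filter = 'system.webServer/security/access'

foreach ($vroot in $vroots) {
    $location = "$site/$vroot"
    if (-not (Get-WebApplication -Site $site -Name $vroot)) {
        Write-Warning "$location not found, skipped"
        continue
    }
    # Equivalent of ticking "Require SSL" in IIS Manager for this virtual root
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name sslFlags -Value 'Ssl'
}

# Read the setting back so a missed virtual root is visible before restarting IIS
$report = foreach ($vroot in $vroots) {
    $value = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$vroot" -Filter $filter -Name sslFlags
    $flags = if ($value -is [string]) { $value } else { [string]$value.Value }
    [pscustomobject]@{
        VirtualRoot = $vroot
        SslFlags    = $flags
        SslRequired = ($flags -match '\bSsl\b')
    }
}
$report | Format-Table -AutoSize

# -> Restart IIS only when every listed virtual root enforces SSL
if ($report.SslRequired -notcontains $false) { iisreset }
```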

Post-Install:

Start Console:



..Console should now connect correctly..