It is important to get the network card configuration right in the parent partition for Hyper-V in Windows Server 2008/R2.
Common problems include:
These problems have nothing to do with Hyper-V actually. They’re just issues you can face with any server containing more than one network card.
Step #1: Ensure that you have a good naming convention for your network cards
As you can see I have explicitly named my network cards. One for the parent partition, one for the VMs. If you have one or more network cards for VMs or iSCSI, name them accordingly.
Step #2 : Ensure that the parent partition uses the right network card
In the image below you can see that the Parent Partition network card is first in the order. This means that network services will attempt to use this interface before the VM NIC #1.
Step #3 : Ensure that the VM or iSCSI NIC does not register itself in DNS
Make sure that the network cards you dedicate for VM external networks do not register themselves in DNS. Just configure the basic IP address and mask. You do not need to include DNS servers etc. Remember, you are more or less turning this network card into a virtual switch.
Note that the "Register this connection's addresses in DNS" option is left un-ticked. If you built your base OS for the parent partition with all the network cards patched, chances are that you will find more than one address registered for the server in DNS. Ensure that you remove unwanted A-records and PTRs.
Step #4: Ensure that you disable NetBIOS over TCP/IP on the VM network cards
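One way to check Steps #3 and #4 from PowerShell, as an added example that is not part of the original post. The function names and the sample rows are constructed for illustration; 'Parent Partition' and 'VM NIC #1' follow the naming used above, and the live reader relies on the standard Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration WMI classes.

```powershell
# TcpipNetbiosOptions in Win32_NetworkAdapterConfiguration:
#   0 = take the setting from DHCP, 1 = NetBIOS enabled, 2 = NetBIOS disabled.

function Test-VmNic {
    param(
        [object[]]$Adapters,                     # rows with Name, DnsRegistration, NetbiosOption
        [string]$ParentNic = 'Parent Partition'  # connection name from Step #1
    )
    foreach ($nic in $Adapters) {
        # The parent partition NIC is the one that is supposed to register in DNS.
        if ($nic.Name -eq $ParentNic) { continue }
        $issues = @()
        if ($nic.DnsRegistration)     { $issues += 'registers its addresses in DNS (Step #3)' }
        if ($nic.NetbiosOption -ne 2) { $issues += 'NetBIOS over TCP/IP is not disabled (Step #4)' }
        New-Object PSObject -Property @{
            Name      = $nic.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

function Get-NicSettings {
    # Live data: connection names live in Win32_NetworkAdapter, the IP settings in
    # Win32_NetworkAdapterConfiguration; the two classes are joined on Index.
    $names = @{}
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID } |
        ForEach-Object { $names[$_.Index] = $_.NetConnectionID }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name            = $names[$_.Index]
                DnsRegistration = $_.FullDNSRegistrationEnabled
                NetbiosOption   = $_.TcpipNetbiosOptions
            }
        }
}

# Constructed sample rows (not taken from a real server).
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Parent Partition'; DnsRegistration = $true;  NetbiosOption = 0 }),
    (New-Object PSObject -Property @{ Name = 'VM NIC #1';        DnsRegistration = $true;  NetbiosOption = 0 }),
    (New-Object PSObject -Property @{ Name = 'iSCSI NIC';        DnsRegistration = $false; NetbiosOption = 2 })
)
Test-VmNic -Adapters $sample | Format-Table Name, Compliant, Issues -AutoSize

# On the Hyper-V host itself:
#   Test-VmNic -Adapters (Get-NicSettings) | Format-Table Name, Compliant, Issues -AutoSize
```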
I was recently asked a question about PowerShell's ability to read in an XML configuration file at a Virtual Academy I ran last week. One of the strengths of PowerShell is its ability to perform lots of time saving tasks … one of which is reading in an XML file. The Get-Content command can read in an XML file and you can easily loop through the contents.
Example:
[xml]$computerlist = Get-Content computers.xml
foreach ($computer in $computerlist.computers.target) {
    Write-Host $computer.name
}
What would the XML file look like?
<computers>
  <target>
    <Name>server1</Name>
  </target>
  <target>
    <Name>server2</Name>
  </target>
</computers>
Nice and simple really.
“Although bulk deletions are rare, they are disruptive events that you can guard against by removing the Delete and the Delete Subtree permissions in Active Directory. To guard against accidental deletions, you should remove the Delete and Delete Subtree permissions on organizational units (OUs) that contain user accounts, computer accounts, and security groups in Active Directory. You should also remove the Delete All Child Objects permission on the parent container of an OU that you want to protect.”
The above is taken from http://technet.microsoft.com/en-us/library/cc773347(WS.10).aspx
The TechNet article then shows you how to manually, through the GUI, modify the access control entries (ACEs). You can find details here.
So, how do you go about this task if you have quite a few OUs? You need the following from the Windows Server 2003 Support tools:
dsquery will, by default, only return the first 100 results. You'll need '-limit 0' to process more than 100 objects, in this case OUs.
To protect all OUs in a domain run the following:
for /F "tokens=*" %%i in ('dsquery OU -limit 0') do dsacls %%i /D "EVERYONE:SDDCDT"
To protect a specific OU and all leaf OUs:
for /F "tokens=*" %%i in ('dsquery OU "ou=target,dc=domain,dc=net" -limit 0') do dsacls %%i /D "EVERYONE:SDDCDT"
To restore the default permissions (dsacls /S resets each object's security to the schema default for its object class):
for /F "tokens=*" %%i in ('dsquery OU -limit 0') do dsacls %%i /S
Life is much easier in Windows Server 2008. By default the containers are protected from accidental deletion.
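To confirm that the deny entry from the dsacls commands above is actually in place, the following added example (not part of the original post) parses an OU's DACL in SDDL form and reports which of SD, DC and DT are not denied to Everyone. The function names and sample SDDL strings are constructed for illustration; the live query assumes a domain-joined machine.

```powershell
# Access-mask bits behind the dsacls letters used in the commands above.
$DeleteBits = @{
    SD = 0x00010000   # Delete the object itself
    DC = 0x00000002   # Delete child objects
    DT = 0x00000040   # Delete the object and its whole subtree
}

function Get-MissingDeleteDeny {
    # Returns the dsacls letters (SD, DC, DT) that are NOT denied to Everyone
    # on the object whose DACL is passed in SDDL form. No output = protected.
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $inheritOnlyBit = [int][System.Security.AccessControl.AceFlags]::InheritOnly
    $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Count only plain deny ACEs for Everyone (S-1-1-0) that apply to this object.
        $isPlainDeny = ($ace -is [System.Security.AccessControl.CommonAce]) -and
                       ($ace.AceQualifier -eq 'AccessDenied')
        $inheritOnly = (([int]$ace.AceFlags) -band $inheritOnlyBit) -ne 0
        if ($isPlainDeny -and -not $inheritOnly -and $ace.SecurityIdentifier.Value -eq 'S-1-1-0') {
            $denied = $denied -bor $ace.AccessMask
        }
    }
    $DeleteBits.Keys | Where-Object { ($denied -band $DeleteBits[$_]) -eq 0 } | Sort-Object
}

function Get-UnprotectedOu {
    # Live check: list every OU in the current domain that lacks the full deny entry.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher '(objectCategory=organizationalUnit)'
    $searcher.PageSize = 1000   # page through all results, the equivalent of dsquery -limit 0
    foreach ($hit in $searcher.FindAll()) {
        $entry   = $hit.GetDirectoryEntry()
        $sddl    = $entry.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
        $missing = @(Get-MissingDeleteDeny $sddl)
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{ OU = $hit.Path; NotDenied = ($missing -join ',') }
        }
    }
}

# Constructed sample DACLs (not taken from a real directory).
$samples = @{
    'OU after dsacls /D EVERYONE:SDDCDT' = 'D:(D;;SDDCDT;;;WD)(A;;GA;;;BA)(A;;LCRPRC;;;AU)'
    'OU with only Delete denied'         = 'D:(D;;SD;;;WD)(A;;GA;;;BA)'
    'OU with no deny entry'              = 'D:(A;;GA;;;BA)(A;;LCRPRC;;;AU)'
}
foreach ($name in $samples.Keys) {
    $missing = @(Get-MissingDeleteDeny $samples[$name])
    $state   = $(if ($missing.Count -gt 0) { 'not denied: ' + ($missing -join ',') } else { 'protected' })
    '{0,-36} {1}' -f $name, $state
}

# On a domain member:  Get-UnprotectedOu | Format-Table OU, NotDenied -AutoSize
```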
With the economic downturn and the green agenda, virtualisation has become a hot topic with my customer. These days it's all about getting the best value for money possible from your IT budget, so when my customer had a number of servers out of warranty and due for replacement the Hyper-V platform was the first port of call.
The first thing we did was run the Microsoft MAP tool against these servers to ensure that they were real candidates for Virtualisation. This tool can be found at
http://www.microsoft.com/downloads/details.aspx?familyid=67240B76-3148-4E49-943D-4D9EA7F77730&displaylang=en
Information on using the tool can be found at
http://technet.microsoft.com/en-us/library/bb977556.aspx
Currently my customer has a number of Hyper-V GEO Clusters based on HP boot from SAN Blades. All of the Virtual Hosts are managed centrally by Microsoft System Centre Virtual Machine Manager (SCVMM). Using the MAP tool we were able to determine that based on the existing hardware we could achieve an 8 - 1 virtual machine ratio. Considering that the new hardware runs cooler / cheaper and is only a couple of U per blade compared to the 6 - 8 U servers they were replacing, everyone was happy.
All of the machines to be Virtualised were Windows 2000 & ran bespoke applications. If we were to rebuild these servers on new kit it would have taken a lot of time and effort to ensure that the applications were tested etc.. not to mention the downtime involved.
Pre-Requisites
You will need the following patches on the Hyper-V target systems.
KB950050, KB951308, KB956589, KB956697, KB956710, KB956774
You will need the following patch on the SCVMM Server
KB959596
You will also need the following version of WAIK for all offline conversions. The version included with the OS will not do the job. Install this on the SCVMM Server.
http://www.microsoft.com/downloads/details.aspx?familyid=C7D4BC6D-15F3-4284-9123-679830D629F2&displaylang=en
Using the P2V Wizard
In this example I am performing a physical to virtual conversion on a Windows 2000 server.
A Windows 2000 server P2V has the following prerequisites.
As the source server is Windows 2000 the only option is an offline conversion. As part of the process an agent will be installed on the source server and the server will be rebooted into WinPE so that the contents of the source server's hard drive can be copied via BITS.
1. With the Virtual machines menu option highlighted click on Convert Physical Server.
2. Enter the Computer name or IP address of the Physical Server and account details of a user that has local administrator rights on the source Physical Server.
3. Enter a Name for the New Virtual Server. Set the owner of the Virtual Machine (defaults to the logged in user) and add a description for the Virtual Server.
4. Click Scan System to install the SCVMM agent & gather information on the Physical Server.
5. After the scan the System Information panel will be populated. Click Next to continue.
6. Here we select the volumes to be copied to the new VM as part of the P2V process. You can also change the VHD type from Dynamic to Fixed.
7. Typically on this screen I choose to obtain an IP address automatically from DHCP. You can specify an IP address & Network card (using MAC address) if required.
8. On this screen you can specify the number of processors and amount of RAM the VM will use. I usually set the VM to use 2 processors during the P2V process. This helps with the integration components setup; it can be changed back to a single processor later. Please note that these settings will be used to determine the placing of the VM on a host server as we will see later.
9. Here you choose the server that will host the VM. You can see the suitability of each host based on the Star Rating. This is much improved when SCOM is used in conjunction with SCVMM. In the screen shot below SCOM was not configured.
10. As the host I selected was a Windows 2008 Hyper-V cluster I got this message box popping up. Click Yes to continue. SCVMM will set up the new virtual server as a clustered VM.
11. Select the volume that the VM will reside on. If your target volume does not appear on this list refresh the cluster information within SCVMM.
12. Select the Virtual Network that the Virtual Machine will use.
13. As this VM will reside on a cluster do not change these settings. This allows the cluster service to manage the Virtual Machine.
14. If all is ok you should see this screen. You can run into an issue with legacy hardware (i.e. RAID controllers) whose drivers are not included in the WinPE image that is used to boot into the P2V environment. If you can obtain the Vista driver for the problem hardware, copy it to the SCVMM\Drivers\Import folder to solve the issue.
15. This last screen gives us a summary of the P2V job and the option to view and copy the PowerShell script generated by the wizard. You can copy out this script and modify it for automating this process if required.
16. After clicking Create the jobs screen will pop up. This screen provides real time information regarding the P2V process including the time required to copy the contents of the target's volumes to the new virtual machine.
17. Here we can see the BITS copy in progress and the amount of time remaining to copy the volumes.
18. The script we created with the Wizard also installs the required virtual machine components. In some cases this process will seem to hang. This can be resolved by using the Hyper-V console on the target machine to re-start the VM.
20. Once the jobs screen completes we will have a running Windows 2000 VM. Check that the VM is running on the External Virtual Network and that the source machine is turned off and removed from the Network.
The process was quick with minimal downtime for the users. We did run into some issues with legacy RAID controllers but got around them using the fix mentioned in step 14. The new VM’s are a lot more stable than the previous hardware and are now on a high availability platform giving my customer more peace of mind.
One of the most common conversations I have about virtualisation is the "how do I make my virtual machines highly available?" one. Topics like Hyper-V Quick Migration are then discussed and off the techie goes to start testing. When I revisit the discussion I have noticed the false sense of security people get just because their virtual machines are highly available. HA options for VMs do not mean stop worrying about host clustering, network load balancing or traditional backups ... no matter how clever the technology. Highly available virtual machines no longer have the single point of failure at the (host) hardware level ... and that's about as far as it goes. You still have to mitigate against the same risks at the OS level (and above) regardless of whether or not it's physical or virtual. Okay, some of you are saying duh! Bear with me though. It's not uncommon for people to think just because they have a Hyper-V cluster or VMware HA that the majority of potential outages are accounted for.
Consider the following:
With the above in mind, have a read of the following:
Long story short, virtualisation has not changed anything when it comes to mitigation against system failure/outage. The same rules still apply. Virtualisation high availability solutions represent only the first layer of protection .. just don't forget the other options like:
We are running an event this December for Microsoft Premier customers. I'm pretty excited about it actually. Premier Field Engineering and Microsoft Consulting Services are teaming up to present real world details on Hyper-V, System Centre Virtual Machine Manager 2008 and Application Virtualisation. We plan on running as many demonstrations as possible during the event so death by PowerPoint should not be an issue.
This event is only open to Microsoft Premier Customers. Contact your Technical Account Manager to reserve your place. If you are not a Premier Customer we plan on running the event again early in 2009. Drop me an email if you are interested in attending.
Here is the agenda for the event :
Title: Technology Day – Microsoft Virtualisation (Level: 300)
Location
Microsoft Sandyford Building 3, (Atrium B) Carmenhall Road, Sandyford Industrial Estate, Dublin 18
Training Room 5.41
Date & Time
Fri 5th December @ 9:15
Breaks
15 mins @ 11:15 am
1 hour @ 1pm – 2pm (Lunch)
15 mins @ 3:30pm
Morning
09:30
Workshop Introduction
09:45
Microsoft Virtualisation @ Nissan Ireland Rory Donnelly (CIO Nissan Ireland)
10:00
Virtual Data Centre :
Microsoft Server Virtualisation and System Centre Virtual Machine Manager Gavin McShera, Victor Arzate Rodriguez and David McCormick
This session is aimed at providing skills to deploy and administer a Virtualised Data Centre, using Microsoft Server Virtualisation products and System Centre Virtual Machine Manager 2008.
Content:
Hyper-V Architecture
Getting to grips with Server Core Hyper-V and Hyper-V Server
Performance Best Practice & High Availability
Managing Hyper-V
Deploying and Migrating to Hyper-V
Afternoon
02:15
Application Virtualisation with Microsoft App-V (formerly Softgrid) Alan Stone and Paul Devlin
This session introduces Microsoft Application Virtualisation and provides notes from the field with real world scenarios
Notes from the Field
Application Virtualisation 4.5 What does the future hold?
03:45
Open Discussion – Q & A
Single Sign On (SSO) to Windows Server 2008 (W2K8) Terminal Services uses the Credential Security Service Provider (CredSSP). CredSSP delegates credentials to defined target servers and is native to Windows Vista. Windows XP SP3 includes CredSSP but it is not enabled by default. Windows XP SP2 clients can still connect to W2K8 Terminal Services but users will be prompted for credentials upon establishing the first session. Having to enter your username and password ruins the RemoteAPP experience. So what do you need to get your Windows XP client seamlessly connecting to a W2K8 Terminal Server?
KB951608 explains the CredSSP for Windows XP SP3 in detail.
Once you have SP3 installed you need to make the following changes:
Client side:
Server side:
Enable CredSSP
The CredSSP settings have to be APPENDED to the existing parameters. See KB951608. Appending to existing keys could prove time consuming if you have a lot of clients. Here is a script written in VBS that may make automating the task a little easier.
Disclaimer: Do not blindly run these scripts without testing first. Make sure you take a backup of the registry!
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Part 1: append tspkg to the LSA "Security Packages" list (REG_MULTI_SZ)
strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
strValueName = "Security Packages"
oReg.GetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrSecurityPackages
intTSPKG = 0
For Each strValue In arrSecurityPackages
    If LCase(strValue) = "tspkg" Then intTSPKG = 1 ' Set a flag to say that value already exists
Next
If intTSPKG <> 1 Then ' Value doesn't exist so let's create it
    intNewArraySize = UBound(arrSecurityPackages) + 1
    ReDim Preserve arrSecurityPackages(intNewArraySize) ' Resize the array for new value and keep existing values
    arrSecurityPackages(intNewArraySize) = "tspkg" ' Add the new value
    oReg.SetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrSecurityPackages
End If

' Part 2: append credssp.dll to the SecurityProviders string (REG_SZ)
strKeyPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders"
strValueName = "SecurityProviders"
oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
intResult = InStr(1, strValue, "credssp.dll", vbTextCompare) ' Will return position found in string (case-insensitive)
If intResult = 0 Then ' Position of 0 means string not found
    strValue = strValue & ",credssp.dll"
    oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
End If
Configure Single Sign On and define target servers
The following registry changes enable CredSSP for the default credentials.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
The following registry changes define the target servers.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"
You can explicitly name your terminal servers e.g. :
RDP Protocol changes
You have to make some changes to the default RDP protocol settings on your server in order to allow Windows XP SP3 clients to connect.
Open Terminal Server Configuration snap-in and modify the RDP connection properties as follows:
Note that the tick has been removed from "Allow connections only from computers running Remote Desktop with Network Level Authentication". I have the Encryption level set to Client Compatible but there is no reason why you cannot use High.
Make sure that the Use client-provided log on information radio button is selected.
You should now be in a position to make use of the SSO functionality from your Windows XP clients. However, there is a KB titled When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server which comes with a patch. During my testing I did not come across this problem ... but I figured it was worth noting.
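The client-side registry changes described in this post can be verified in one pass. The following is an added example, not part of the original post: it checks that tspkg and credssp.dll were appended and flags wildcard delegation targets such as TERMSRV/*, which hand the user's default credentials to any terminal server the client connects to. Function names, the sample values and the host ts01.example.test are constructed for illustration.

```powershell
function Test-CredSspClient {
    param(
        [string[]]$SecurityPackages,   # HKLM\SYSTEM\CurrentControlSet\Control\Lsa, "Security Packages"
        [string]$SecurityProviders,    # HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders, "SecurityProviders"
        [string[]]$DelegationTargets   # values under ...\CredentialsDelegation\AllowDefaultCredentials
    )
    $findings = @()
    if ($SecurityPackages -notcontains 'tspkg') {
        $findings += 'tspkg is missing from Security Packages'
    }
    $dlls = $SecurityProviders -split ',' | ForEach-Object { $_.Trim() }
    if ($dlls -notcontains 'credssp.dll') {
        $findings += 'credssp.dll is missing from SecurityProviders'
    }
    if (-not $DelegationTargets) {
        $findings += 'no delegation targets defined, so users will still be prompted'
    }
    foreach ($target in $DelegationTargets) {
        if ($target -notmatch '^TERMSRV/') {
            $findings += "unexpected service class in '$target'"
        } elseif ($target -match '\*') {
            $findings += "wildcard target '$target': default credentials go to every matching host; name the terminal servers explicitly"
        }
    }
    $findings
}

function Get-CredSspClientSettings {
    # Reads the live values from the local registry into a hashtable for splatting.
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prov = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
    $key  = Get-Item $path -ErrorAction SilentlyContinue
    $targets = @()
    if ($key) { $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }
    @{
        SecurityPackages  = $lsa.'Security Packages'
        SecurityProviders = $prov.SecurityProviders
        DelegationTargets = $targets
    }
}

# Constructed sample values (not read from a real client).
$packages  = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg'
$providers = 'msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll'

'--- wildcard target, as in the .reg file above ---'
Test-CredSspClient $packages $providers @('TERMSRV/*')
'--- explicitly named server: no findings expected ---'
Test-CredSspClient $packages $providers @('TERMSRV/ts01.example.test')

# On a real client:
#   $settings = Get-CredSspClientSettings
#   Test-CredSspClient @settings
```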
Over the past week or so Microsoft have clarified the support statement for server products running in virtual environments. The most significant announcement was the Server Virtualisation Validation Program (SVVP). To quote "The Server Virtualization Validation Program (SVVP) is open to any vendor who delivers a virtualization machine solution that hosts Windows Server 2008, Windows 2000 Server Service Pack 4 and Windows Server 2003 Service Pack 2 and subsequent service packs. The virtualization solution can either be hypervisor-based or a hosted solution. The program enables vendors to validate various configurations so that customers of Windows Server can receive technical support in virtualized environments. Customers with validated solutions will benefit from the support provided by Microsoft as a part of the regular Windows Server technical support framework."
The participating vendors (at time of writing) are:
The SVVP does not mean that Microsoft support the products from the vendors listed above. The SVVP means the validated third party product provides a suitable environment upon which the Microsoft operating system can run. If you think about it, the SVVP is very similar to the hardware certification for Microsoft operating systems.
Now that you know the supportability of your Microsoft operating systems turn your eyes to the support statements for Microsoft server software. Microsoft server software and supported virtualization environments.
You'll find statements for :
Licensing changes:
There are plenty of posts on the interweb that show you how to mount and unmount VHDs via PowerShell. I downloaded the Hyper-V PowerShell management library from CodePlex.com here as created by James O'Neil. In it he kindly provides two scripts (mount-VHD.ps1 and Unmount-VHD.ps1) along with a REG file. Assuming you have PowerShell 1.0 installed (available feature in Windows Server 2008) these scripts and registry settings work fine.
I ran into problems once I downloaded and installed the Windows PowerShell 2.0 Community Technology Preview (CTP). PowerShell's execution policy wouldn't let the scripts run anymore.
You can change the executionPolicy a number of ways:
Registry:
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Change the key: REG_SZ ExecutionPolicy to Unrestricted
PowerShell:
set-executionpolicy unrestricted
Note: By changing the execution policy you are technically opening your system up to remote execution of PowerShell scripts from unsigned/untrusted sources. I want to be able to mount VHDs easily coz I'm a lazy kinda guy. I'm running Hyper-V on my laptop so I'm not too concerned about security in this instance. You should think carefully about making this change in a production environment.
The second thing I noticed was that the registry settings provided by James no longer worked. So I came up with a slight modification as follows:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Virtual.Machine.HD]

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,26"

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\shell]
@="Mount"

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\shell\Mount]

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\shell\Mount\command]
@="cmd /k \"powershell -NoProfile -Command \"& 'c:\\Program Files\\Hyper-V\\Mount-VHD.ps1' '%1'\"\""

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\shell\Unmount]

[HKEY_CLASSES_ROOT\Virtual.Machine.HD\shell\Unmount\command]
@="cmd /k \"powershell -NoProfile -Command \"& 'c:\\Program Files\\Hyper-V\\Unmount-VHD.ps1' '%1'\"\""

[HKEY_CLASSES_ROOT\.vhd]
@="Virtual.Machine.HD"
I've used cmd /k instead of cmd /c so I can see what the PowerShell script reports when it's finished, along with a couple of changes to get PowerShell to accept the string after the -Command.
Now all is great in the land of Hyper-V on my laptop.
Where is the cluster log in Windows 2008 ?
The short answer is it's no longer there. On our Windows 2008 cluster node, if we navigate to %systemroot%\system32\LogFiles\Cluster you won't find the cluster.log file anymore.
Why? It's been replaced by a much more sophisticated event based tracing system.
The Vista\Windows Server 2008 Event Model is the next generation of Windows Event Logging and replaces the current version of the Event Log shipped in Microsoft® Windows® 2003 Server, Microsoft® Windows® XP, Windows 2000, and previous versions of Microsoft® Windows NT®.
The new model is a major update to the NT Event Log service. It maintains 100% backwards compatibility with the existing APIs and functionality and fully leverages the existing NT Event Log instrumentation in the applications and services. At the same time, it eliminates some of the limitations of the NT Event Log and provides additional features to better support monitoring and diagnostics of Windows applications, services, components, and drivers.
In a future post I will go through the new logging and tracing features for clusters in Windows 2008, but for now let's look at how to get access to the old familiar cluster.log file.
Here's how to go about it.
1. Go to a command prompt
2. Type: Cluster /Cluster:yourclustername log /gen /copy "C:\temp" and you should get output as follows
3. Navigate to the c:\temp directory and there you will find the .log files for each node of your cluster.
The cluster log can now be opened in Notepad.
Please note that you need to run this command after each change as it's not dynamically updated like the old .log file.
This is a not so common issue I came across this week. The background is as follows.
The command responds with the output shown in the screen shot below
Your server is now in limbo. You cannot un-install the cluster service and you cannot re-join the cluster, the cluster network driver and cluster disk driver are still online. Most people would re-install the server from scratch at this point. There is however a workaround that will save you time.
1. Open up regedit on the system in question and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Cluster Server
2. Right click ClusterInstallationState and choose Modify
3. Change the value to 3
4. Click OK
5. Exit Regedit and reboot your server.
6. Log back into windows and go to a command prompt.
7. Run "Cluster node /forcecleanup" you should see the following output
That's it !! No rebuild required. You can now operate the node as a stand alone box or join another cluster.
Need some light reading for the weekend? Have a look at the links below. All part of the growing body of knowledge around Hyper-V.
Websites
Microsoft Virtualization Home Page
http://www.microsoft.com/virtualization/default.mspx
Virtualization Case Studies
http://www.microsoft.com/virtualization/case-studies.mspx
Virtualization Solution Accelerators
http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
Windows Server 2008 Virtualization & Consolidation
http://www.microsoft.com/windowsserver2008/en/us/virtualization-consolidation.aspx
Hyper-V FAQ
http://www.microsoft.com/windowsserver2008/en/us/hyperv-faq.aspx
Optimized Desktop Infrastructure (VDI and much more)
http://www.microsoft.com/windows/products/windowsvista/enterprise/default.mspx
Virtualization TechCenter:
http://technet.microsoft.com/en-us/virtualization/default.aspx
How to Install Windows Server 2008 Hyper-V RC
http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
Windows Server 2008 Hyper-V Performance Tuning Guide
http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
MSDN & TechNet Powered by Hyper-V
http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
MSDN & TechNet Powered by Hyper-V Whitepaper
http://download.microsoft.com/download/6/C/5/6C559B56-8556-4097-8C81-2D4E762CD48E/MSCOM_Virtualizes_MSDN_TechNet_on_Hyper-V.docx
Blogs:
http://blogs.technet.com/virtualization/default.aspx
http://blogs.msdn.com/virtual_pc_guy/
http://blogs.technet.com/jhoward/
http://blogs.technet.com/roblarson/
http://blogs.technet.com/virtualworld/
http://blogs.technet.com/windowsserver/
http://blogs.technet.com/mapblog/
http://blogs.technet.com/stbnewsbytes/
Webcasts:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032368894&CountryCode=US
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032372420&CountryCode=US
The print spooler is a temperamental beast at the best of times. Print servers end up with a whole myriad of drivers, print monitors and print processors. The more queues and printers there are, the greater the potential for problems. Clustering your print server makes sense but it does add another layer of complexity for you to manage. I recently tackled a problematic print cluster and thought I'd blog about it. In this post I have pulled together information on how to "clean up" a clustered print spooler. I've drawn information from a few sources for this post. Big thanks to Paul Cook (Premier Field Engineer in the UK) for his advice … the man knows his print clusters :)
Before we begin, have a read of the following posts:
http://blogs.technet.com/askperf/archive/2007/07/20/windows-2003-print-clusters-part-one.aspx
http://blogs.technet.com/askperf/archive/2007/07/27/windows-2003-print-clusters-part-two-recommendations.aspx
http://blogs.technet.com/askperf/archive/2007/08/07/windows-2003-print-clusters-part-three-troubleshooting-missing-print-queues.aspx
Right, so now you know how it all ties together. Let’s tackle a few problems that I encountered:
Unsupported Print Monitors are a common explanation for the spooler biting back.
WARNING
Use the Printing tool to take a backup of your current configuration BEFORE continuing. I would also advise that you take a system state backup to ensure that the cluster configuration is safe and sound. Let me re-iterate again, TAKE A BACKUP. Oh, and don’t forget to test everything before tackling your production systems!
Unsupported Print Monitors
When a printer is installed into a cluster using a driver that ships with Windows Server 2003, the cluster service only uses the standard TCP/IP or LPR monitors. No third-party monitors are supported on server clusters.
The following monitors are considered supported:
Make sure that each queue is using the Standard TCP/IP port monitor. You can see the monitors installed on the cluster by viewing:
HKLM\Cluster\Resources\<resource id>\Parameters\Monitors
You should remove any unsupported print monitors from the above registry key once all queues are configured to use supported monitors.
Print Queues using third party Print Processors
The official line is that third party print processors ARE supported but NOT recommended (Microsoft recommend using the WinPrint processor). Print processors are user-mode dynamic-link libraries that are responsible for converting the spooled data of a print job to a format that can be sent to a print monitor. Print processors are also responsible for handling program requests to pause, to resume, and to cancel print jobs.
You won't know what processor a particular driver will use unless you edit the INF before installing. Realistically, editing the INF is not an enticing option. I prefer changing the queue to WinPrint after you have set it up. So the first challenge is to identify which print queues are not using the WinPrint processor. You could manually go through each subkey in
HKLM\Cluster\Resources\<resource id>\Parameters\Printers
Or, you could script your way out of the problem like this:
Const HKEY_LOCAL_MACHINE = &H80000002 ' Registry hive constant required by StdRegProv
strLogfile = "C:\results.txt"
strComputer = "target server"
intCounter = 0

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strLogFile)

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Cluster\Resources\<resource id>\Parameters\Printers\"

' Each subkey under Printers is one print queue
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

For Each strSubkey in arrSubKeys
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & strSubkey,"Print Processor", strPrintProcessor
    objFile.WriteLine "Printer: " & strSubkey & vbTab & "Print Processor: " & strPrintProcessor
    intCounter = intCounter + 1
Next

WScript.Echo "Finished processing " & intCounter & " printer queues"
objFile.WriteLine "Enumerated " & intCounter & " printer queues"
objFile.Close
WScript.Quit
This script creates a log file called results.txt listing the print processors for each print queue. Now you know what queues are not using WinPrint, how do you go about changing them? You have three options:
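' Same setup as the enumeration script above: hive constant, target, log file and counter
Const HKEY_LOCAL_MACHINE = &H80000002
strLogfile = "C:\results.txt"
strComputer = "target server"
intCounter = 0
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strLogFile)

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Cluster\Resources\<resource id>\Parameters\Printers\"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

For Each strSubkey in arrSubKeys
    objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & strSubkey,"Print Processor", strPrintProcessor
    ' Only touch queues that are not already using WinPrint
    If LCase(strPrintProcessor) <> "winprint" Then
        objReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath & strSubkey,"Print Processor", "WinPrint"
        objFile.WriteLine "Printer: " & strSubkey & vbTab & "Print Processor was: " & strPrintProcessor & " but has now been changed to WINPRINT"
        intCounter = intCounter + 1
    End If
Next

WScript.Echo "Finished. Modified " & intCounter & " printer processors"
objFile.WriteLine "Modified " & intCounter & " printer processors"
objFile.Close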
Once you have changed all queues to WinPrint you could now remove the third party print processors from the cluster. However, think about the consequences before you decide to delete them.
If a print queue is configured to use a print processor that no longer exists it will not appear when the print spooler is restarted. To get the queue back you have to edit the registry to change the print processor to WinPrint and restart the spooler.
Should you still wish to delete the print processors you will find them, depending on the environment in:
HKLM\Cluster\Resources\<resource id>\Parameters\Environments\Windows NT x86\Print Processors
Regardless of whether you delete the third party print processors, every time you create a new queue or install a new driver, make sure you change the print processor to WinPrint.
In some instances using the WinPrint Processor can reduce functionality on a printer e.g. twisty text or watermarks and the likes. So, there may be instances where you have to use third party print processors. You could consider creating a new Print Spooler resource on the cluster for third party processors and leave all of the WinPrint queues on another spooler. Each spooler resource on a Windows 2003 cluster can have its own set of drivers, processors and monitors located in HKLM\Cluster\Resources\<resource id>\Parameters
Third party printer drivers
Third party drivers can impact the stability of your print cluster. As a general rule, see if you can use the drivers that ship with Windows Server 2003 before considering the installation of third party ones. Another thing that really kills print servers is running the setup program that comes with printer drivers. Not only is this not the supported method for adding a driver to a print cluster, it also installs a whole lot of unwanted “stuff” (like system tray icons). Check out the Cluster Server Resource Centre for more details. Check out How to set up a clustered print server for details on how to set up the spooler and create print queues.
Conclusion
If you tackle the Print Monitors, Print Processors and Drivers you have gone a long way to ensuring that your print server is stable. However, there is one thing that very quickly undoes all of your hard work and that’s Terminal Services Printer Redirection. Imagine you’ve cleaned up your drivers, removed unsupported port monitors and set everything to use the WinPrint processor… all of a sudden different drivers start appearing on your cluster! I recommend disabling client printer redirection on ALL print servers, not just the clusters (in fact, I have in the past disabled it completely on all servers to stop printer drivers being installed). You can find the option to disable client printer redirection under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection
Enable the Do not allow client printer redirection setting.
One last word
Windows Server 2008 Fail-over clusters are well worth looking into. There have been improvements across the board. Print Clusters are now easier to install, configure and manage.
I was recently asked (two hours ago) how to tell if a server was running Terminal Services in Application Mode. The customer wanted to run a different script if users were logged into a Terminal Server.
They had looked through the registry and came across the TSEnabled value in :
HKLM\Software\System\CurrentControlSet\Control\Terminal Server
While this key does indicate whether or not TS is enabled, it does not tell you if the server is in Application Mode. To compound the issue this key is also set to 1 by default on Windows XP. So, surely there was a more appropriate way to check? Indeed there is … the Win32_TerminalServiceSetting WMI class will allow you to check. See the code below:
Dim strComputer, objWMIService, colClass, objClass, strTSMode

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colClass = objWMIService.ExecQuery("Select * from Win32_TerminalServiceSetting")

For Each objClass In colClass
    'TerminalServerMode: 1 = Application Server mode, otherwise Remote Administration mode
    strTSMode = objClass.TerminalServerMode
    If strTSMode = 1 Then
        WScript.Echo "Terminal Server is in Application Server mode."
    Else
        WScript.Echo "Terminal Server is in Remote Administration mode."
    End If
Next
Note: This will not work under Windows 2000 as the WMI class does not exist. I have not checked it in Windows 2008.
In my post yesterday I spoke about virtualisation candidates (amongst other things) and how we now know what loads and systems are viable. Have a look at the Microsoft Assessment and Planning (MAP) tool. It's the tool for identifying candidates. There is also a nice video demo from Baldwin Ng, showing the tool in action. The tool will remotely gather information regarding your enterprise without installing agents. The MAP tool then generates candidacy reports that can be used to justify the investment, including the hardware requirements for your virtualisation environment.
Note: The RTM version of MAP v3.0 only includes Virtual Server 2005. You will need MAP v3.1 Beta for Hyper-V. Check out this posting for details on joining the beta. It is still worth running the MAP v3.0 against your environments as virtualisation candidates should be the same regardless.
I recently gave an overview of NAP at a Windows Server 2008 event. For the purposes of the event I focused on and demo’d DHCP enforcement. For some customers DHCP enforcement was not enough. What about 802.1x enforcement? Our pals on the NAP team have already blogged this (quite some time back) as an introduction to what the real world options are. Check it out: NAP 802.1x enforcement. I’d also point you in the direction of the Step by Step lab guide.
For a real world view of NAP in action with Cisco switches check out Michael Kleef's blog here. When I asked about real world implementations Michael's demos were recommended.
While on the topic of NAP… I was also asked how much traffic it generates. Yet again Michael Kleef had the answers.
Update: No sooner had I posted this (7 minutes after to be exact) Jeff Sigman (NAP guru) commented that he set up a rack with 10+ switches. Check out his posting http://blogs.technet.com/nap/archive/2008/04/15/video-nap-world-tour-rsa-2008-san-francisco.aspx. How is that for fast information update! :)
Since Vista RTM’d people have complained to me about UAC (User Account Control) and how often they get warnings and popups. They just never seemed to get the point of it. I leave it on for all my Vista machines, even the VMs and even during demos to customers. Why? Easy. It protects my system from drive-by style installations or modifications to my Vista machines. It's never really proven to be a hindrance to me, even during demos.
A colleague of mine tipped me off to the following articles.
PCWorld
Reading them was quite interesting. Tests showed that with UAC on, root kits couldn’t install themselves on Vista without alerting the user. No silently slipping onto the OS. However, it's the comments at the end of each article that really intrigue me. Some people think Microsoft use UAC as a way of avoiding responsibility. Others, and rightly so in my mind, point out that the best you can do is warn/alert a user that something is attempting to modify their system … but if they don’t take the time to even read what’s on screen, malware will always find its way onto a system. Software will always have its flaws.
UAC isn’t just about stopping malware … it's about protecting users from themselves. It would appear that you can lead a horse to water but you can't stop it clicking continue, ok, yes I’m sure, no problem and diving right in.
I’ve had a lot of interest in Hyper-V from customers and quite a few questions too. One of the most common being, “Who is using it in a production environment?”. Up until now I didn't have an answer. … but now I do.
Microsoft are now running the MSDN and TechNet sites on Hyper-V. So, putting that in context, that’s over 4 million hits a day (1 million for TechNet and 3 million for MSDN). This implementation also puts in context what sort of workloads Hyper-V can support. Granted there was a performance overhead for running in a virtual environment when compared with the loads the physical boxes could handle, but that’s part and parcel of virtualisation.
More info can be found on Virtualization.info or indeed on our Virtualisation blog here.
Check out the posting on the Windows Virtualization Team blog here for more details.
As usual it's a one way upgrade process. Once you go forward there is no coming back! :)
Hyper-V RC0 to RC1 Upgrade Considerations
*Saved-state files are not supported between RC0 and RC1 releases of Hyper-V. All virtual machine saved states should be discarded before upgrading to RC1, or prior to resuming virtual machines after upgrading to Hyper-V RC1.
*Online snapshots contain virtual machine save-states and thus online snapshots taken with Hyper-V RC0 are not supported after updating Hyper-V to RC1. Either apply any online snapshots and shut down the VM or discard the virtual machine save state associated with the snapshot before or after the update to Hyper-V RC1.
*System Center Virtual Machine Manager 2008 Beta does not support Hyper-V RC1.
*New Integration Components (ICs) must be installed for your supported guest operating systems. Integration Components are specific to the build of Hyper-V. RC1 Integration Components for all supported Windows Operating Systems are provided using the ‘Action’ -> ‘Insert Integration Services Setup Disk’ action.
RC1 Integration Components for all supported Windows Operating Systems are now part of the IC Setup Disk. This now includes Windows Server 2008! Simply install the Hyper-V RC1 Integration Components for Windows Server 2008 the same way you do all other Windows ICs (‘Action’ -> ‘Insert Integration Services Setup Disk’). Note: You need to close the found new hardware wizard before setup will begin on all Windows Operating Systems.
Improvements Over Hyper-V RC0
In addition to bug fixes and stability improvements we also made some additional changes largely based on feedback from customers, I might have missed a few I’ll add to this list if so…
*Integration Components For Windows Server 2008 guests included in Integration Services Setup Disk
*New Graphics for Hyper-V Manager and Virtual Machine Connection – including a “Now” icon in the snapshot pane
*IPv4 Address Migration - when creating a new Virtual Network bound to an adapter with a static IPv4 address the IPv4 settings are migrated to the new virtual adapter
I'm just about to update my own Hyper-V installation so fingers crossed.
I blogged recently on “How to create a Windows Server 2008 Cluster within Hyper-V using simulated iSCSI storage”. This is enough to get you familiar with how clusters work in Windows Server 2008. The next logical step is to understand the high availability options available for VMs running in your Hyper-V environment. The good news is that Hyper-V is cluster aware allowing you to use the Quick Migration functionality. Check out the Step-by-Step Guide for Testing Hyper-V and Fail over Clustering. It explains the requirements and takes you, as the name implies, step-by-step through the process.
[Updated May’09: Windows Storage Server 2008 now available to MSDN/TechNet subscribers. Checkout Jose Barreto's Blog for details.]
Familiar with Virtual Server 2005 and shared disks for creating virtual clusters? Well, it's different with Hyper-V. The shared disk option is no longer available (which I did not know when I started testing). You have to use iSCSI instead. Here is a step by step method for creating a fail-over cluster within Hyper-V. It's a cheap way of setting up a test lab (assuming you don’t have access to Windows Storage Server). In this post I use StarWind to simulate iSCSI storage … it's not an endorsement of the product, I just picked it from amongst the crowd.
Windows Server 2008 fail-over clusters support Serial Attached SCSI (SAS), iSCSI and Fibre Channel disks as storage options. So, how would you go about setting up a virtual Windows Server 2008 test cluster using the new Hyper-V virtualisation product? The method I am about to outline is a little different to what you might be used to with Virtual Server 2005. The following steps detail how I managed to set up a test cluster using simulated iSCSI storage. Before beginning it’s worth reviewing this article that outlines the storage options that are available to Hyper-V. By the end of this post you should have a simple two node cluster up and running using simulated iSCSI storage.
Tools for the job:
I won't go into how to create a VM but you can find more info on the Virtual Guy's weblog.
Before I began looking into the iSCSI simulated storage option for my cluster nodes I tried to expose a single VHD to each of my cluster nodes in the hopes that they would share it. I didn’t get very far and was presented with the following error when powering on the VMs:
This error is by design (thanks Justin Zarb for pointing this out) as Windows Server 2008 Hyper-V does not support this sort of storage (see link above for Hyper-V storage options). The above error is simply a file system error as the VHD “is being used by another process” … should have spotted that.
Note: I’m assuming that you know how to install Windows Server 2003 and 2008. I’m also assuming that you know how to install and configure a Windows Server 2008 Domain Controller. If you have any questions leave me a comment and I will see if I can point you in the right direction.
Create the network with a connection type of “Internal Only”. I enabled Virtual LAN identification and set the default ID to 2 as this will be my public LAN. Setting the default to 2 means that if I don't specify a VLAN on subsequent NICs they will be classified as public connections.
VLAN ids:
Tip: Be sure to rename each network card on the hosts to make identification easier. If it's the public NIC, call it public etc.
Network settings:
Public NIC: VLAN 2
Heartbeat NIC: VLAN 3
iSCSI NIC: VLAN 4
Note: On all NICs in VLAN 3/4 be sure to disable the Client for Microsoft Networks, disable DNS registration and disable NetBIOS. Be sure to check your binding order too. The public NIC should be first.
Note: On all NICs in VLAN 3/4 be sure to disable the Client for Microsoft Networks, disable DNS registration and disable NetBIOS. Be sure to check your binding order too. Make sure you format and assign drive letters to the SCSI VHDs on this VM.
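One way to check the DNS registration and NetBIOS settings from the notes above on each cluster node, as an added PowerShell example that is not part of the original post. The adapter names 'Heartbeat' and 'iSCSI' and the function names are assumptions; the Client for Microsoft Networks binding and the binding order are not covered here and still need a manual check.

```powershell
# Added example for Windows PowerShell 3.0-5.1 (uses Get-WmiObject); run on each node.
# Assumption: the private adapters were renamed 'Heartbeat' and 'iSCSI'.
$PrivateNicNames = @('Heartbeat', 'iSCSI')

function Test-PrivateNic {
    # Returns one string per setting that deviates from the notes above.
    param([Parameter(Mandatory = $true)] $Config)

    $findings = @()
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
    if ($Config.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled (TcpipNetbiosOptions=$($Config.TcpipNetbiosOptions))"
    }
    if ($Config.FullDNSRegistrationEnabled) {
        $findings += 'Adapter registers its addresses in DNS'
    }
    $findings
}

function Get-PrivateNicFindings {
    param([string[]]$NicNames = $PrivateNicNames)

    # Win32_NetworkAdapter carries the connection name, while
    # Win32_NetworkAdapterConfiguration carries the TCP/IP settings.
    # The two classes are joined on their shared Index property.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $NicNames -contains $_.NetConnectionID }

    foreach ($name in $NicNames) {
        $adapter = $adapters | Where-Object { $_.NetConnectionID -eq $name } |
            Select-Object -First 1
        if (-not $adapter) {
            [pscustomobject]@{ Adapter = $name; Finding = 'Adapter not found (check the NIC naming)' }
            continue
        }
        $config = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -Filter "Index = $($adapter.Index)"
        foreach ($finding in (Test-PrivateNic -Config $config)) {
            [pscustomobject]@{ Adapter = $name; Finding = $finding }
        }
    }
}

# Constructed sample (not real output): a heartbeat NIC left at its defaults.
$sample = [pscustomobject]@{ TcpipNetbiosOptions = 0; FullDNSRegistrationEnabled = $true }
Test-PrivateNic -Config $sample      # reports both deviations

# Live check against the local node; no rows means both settings are as recommended.
Get-PrivateNicFindings | Format-Table -AutoSize -Wrap
```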
Update 17/10/2008: I've also found that using the Image Files option works quite well too. Image files will allow you to pack more than one VM onto a disk partition. Check out http://www.starwindsoftware.com/images/content/StarWind_MSCluster2008.pdf for more info.
Note: Check out how to do the same with Windows Storage Server 2003 R2. http://www.microsoft.com/windowsserversystem/wss2003/productinformation/overview/default.mspx
Update May 09: Windows Storage Server 2008 has now RTM’d and is available online through MSDN and TechNet. http://www.microsoft.com/windowsserver2008/en/us/WSS08.aspx
Configuring the iSCSI target software (Starwind)
Each cluster node now needs to be connected to the iSCSI target. Launch the built in iSCSI initiator and follow the steps below:
When completed (and hosts connected) you should see something like this on the iSCSI target VM.
The new fail-over cluster wizard is quite straightforward and much easier to follow when compared with Windows Server 2003. There isn't much point in going into too much detail … you’ll find plenty of info on the web.
Here is a step by step guide to installing a two node file cluster in Windows Server 2008.
There are plenty of docs and blogs out there digging deep into Hyper-V. However, a few customers have asked a simple question: “What do I need to think about before I start testing Hyper-V?”
These are all very high level points so I will flesh them out over time. Any questions, feel free to comment.
We are running a Deep Dive event in Ireland for Premier customers later this month. Premier Field Engineers from Ireland and the UK (including David and me) will present the event.
- A Deep Dive into Windows Server 2008 – May 22nd/23rd, Dublin
Overview
Get a technical deep dive into Windows Server 2008 from Microsoft Premier Field Engineering (PFE). This 2 Day Level 300 event will provide a unique opportunity exclusively to Microsoft Premier Support Customers to understand and learn the new features in Windows Server 2008. The event, delivered by a few of the top Active Directory and Windows Experts at Microsoft, is packed with a deep level of technical content, and in-depth demos of new features in Windows Server 2008.
This Microsoft Tech-Event aims to deliver pure technical content to help IT Pros make decisions about how to best plan, deploy, and upgrade to a Windows Server 2008 Infrastructure.
Sessions over the 2 days include:
· Server Core
· Hyper-V
· Networking Features
· NAP & Enforcement
· Windows Server 2008 Deployment Services
· Active Directory Real World Scenarios
· Active Directory Read-Only Domain Controllers in Your Enterprise
· Windows Server 2008 Failover Clustering
How to Register
You can register directly by clicking here. Alternatively you can contact your Technical Account Manager.
I was asked how to modify an INI file from a script. It's quite straightforward. Firstly have a read of the Scripting Guy article here. It explains the process quite well actually. However, I wanted to go a step further and set up arguments to make the script re-usable. So here is the modified script:
'Usage: modini.vbs <full path to ini>, Parameter to change, New Value
'Example: modini.vbs c:\folder\my.ini, Script, change

Const ForReading = 1
Const ForWriting = 2

'Check the argument count before reading the arguments
If WScript.Arguments.Count <> 3 Then WScript.Quit

strINIFile = WScript.Arguments.Item(0)
strParam = WScript.Arguments.Item(1)
strValue = WScript.Arguments.Item(2)

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strINIFile, ForReading)

Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.ReadLine
    'InStr matches any line that contains strParam anywhere in it
    intLineFinder = InStr(strNextLine, strParam)
    If intLineFinder <> 0 Then
        strNextLine = strParam & "=" & strValue
    End If
    strNewFile = strNewFile & strNextLine & vbCrLf
Loop

objTextFile.Close

'Write (not WriteLine) so an extra blank line is not appended on every run
Set objTextFile = objFSO.OpenTextFile(strINIFile, ForWriting)
objTextFile.Write strNewFile
objTextFile.Close
Here is a sample batch file calling the VBS script:
cscript //nologo modini.vbs "c:\my.ini" "Blog" "sometimes"
And that's it! Short and sweet.
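The script above rewrites every line that contains the parameter name anywhere in it, so a comment or a longer key with the same prefix is overwritten too. As an added example (not from the original post or the Scripting Guy article), a PowerShell version that changes only an exact key inside a named section; the function name Set-IniValue, the -Section argument and the sample INI content are assumptions, and it goes beyond the original script by being section-aware.

```powershell
# Added example. Set-IniValue and the sample INI lines are constructed for illustration.
function Set-IniValue {
    # Returns the INI lines with exactly one key in one section changed.
    param(
        [Parameter(Mandatory = $true)] [string[]]$Lines,
        [Parameter(Mandatory = $true)] [string]$Section,
        [Parameter(Mandatory = $true)] [string]$Key,
        [Parameter(Mandatory = $true)] [string]$Value
    )
    $current = ''       # name of the section currently being read
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $current = $Matches[1]
        }
        elseif (-not $changed -and $current -eq $Section -and
                $line -match '^\s*([^;#=][^=]*?)\s*=' -and $Matches[1] -eq $Key) {
            # Exact key match (case-insensitive); comment lines never match
            $changed = $true
            "$Key=$Value"
            continue
        }
        $line
    }
    # Fail loudly instead of silently writing back an unchanged file
    if (-not $changed) { throw "Key '$Key' not found in section [$Section]" }
    $out
}

# Constructed sample: substring matching on "Script" would rewrite four of these lines.
$ini = @(
    '; Script settings for the deployment',
    '[General]',
    'ScriptTimeout=30',
    'Script=old',
    '[Other]',
    'Script=keep'
)
Set-IniValue -Lines $ini -Section 'General' -Key 'Script' -Value 'change'

# Against a real file (the path is a placeholder): read everything first, then write back.
# $new = Set-IniValue -Lines (Get-Content 'C:\folder\my.ini') -Section 'General' -Key 'Script' -Value 'change'
# Set-Content -Path 'C:\folder\my.ini' -Value $new
```

Only the `Script=old` line under `[General]` changes; the comment, `ScriptTimeout=30` and the `Script=keep` line under `[Other]` are returned untouched.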