When the Update Management feature is enabled in VMM 2012, the admin starts by adding a pre-built WSUS server to VMM 2012. This blog post details how to use the VMM sample baselines that are created when VMM 2012 adds an Update Server (WSUS server). The following steps should help you understand the process flow that occurs when a sample baseline, or any custom-created baseline, is assigned to fabric servers. Of particular focus in this post is the communication flow between VMM 2012, the WSUS server, and the managed computer’s WUA agent during baseline assignment, server scan, and remediation.
The following details assume you are using a dedicated WSUS server. If you are using a shared WSUS server, please ensure the environment is set up properly before proceeding (see http://technet.microsoft.com/en-us/library/hh341476.aspx). This applies whether you are using a WSUS server that is managed by SCCM or a standalone WSUS server.
1. Two sample baselines get created when an update server (WSUS) is added to VMM. These baselines contain all hotfixes that are classified as security or critical for the product types selected in WSUS. In this example, when WSUS was set up, the products were selected according to the operating systems that VMM 2012 supports for fabric servers.
By default, this sample baseline has no assignments. This means it is simply a sample object performing no function until you start using it. To start using this baseline a user should provide a custom name, modify any updates (add/remove), and assign scope.
2. What happens when baseline scope is assigned? In VMM, a Change Properties of Baseline job kicks off:
Inside this running job, VMM is communicating with WSUS and the following occurs:
· VMM adds the VMM-managed computers scoped within the baseline to a target group in WSUS called SCVMM Managed Computers.
· VMM approves the updates in the baseline for this WSUS target group for scan and install.
3. When the job is complete, go to the Fabric workspace and switch to the Compliance view. In this view, the servers that were scoped to the baseline have a compliance status of Unknown and an operational status of Pending Compliance Scan.
a. These two states occur when a computer is assigned a new baseline or when an existing baseline assigned to a computer is modified. For example, each month I add a select set of patches to my Security Baseline. All computers assigned to this baseline will go to a compliance status of Unknown and an operational status of Pending Compliance Scan. This lets the administrator know something has changed and that action is required.
4. Determining Compliance – Right click on the object and select the Scan Action or select the object and use the Scan Action in the Ribbon.
What is happening during the Compliance scan job?
a. VMM contacts the VMM Agent on the managed computer.
b. The VMM agent triggers the WUA on the managed computer to scan.
c. WUA agent on the managed computer contacts WSUS.
d. The managed computer scans itself against the updates approved for its target group.
e. The WUA on the managed computer delivers the scan results to the VMM agent.
f. The VMM agent filters the scan information based upon what is required in the baseline and delivers that back to the VMM Server.
g. The VMM server displays the compliance status of the managed computer.
5. To view the detailed Compliance status of a managed computer use the Compliance Properties action.
Compliance Properties dialog brings up a detailed list of the compliance according to each assigned baseline:
6. Remediation - In VMM the next step is to use Remediation to bring the managed computer into Compliance.
For the purpose of this blog we are patching a single computer, so no orchestration is required. Simply select the managed computer for remediation and the remediation dialog appears. By default all non-compliant patches are automatically selected, but if desired the selection can be made as granular as you need.
The remediation job starts and the steps below describe what is happening within the context of the running job.
a. VMM sends a list of required updates to the VMM agent on the managed computer.
b. The VMM agent instructs the WUA agent to install the updates specified in the remediation job.
c. The WUA performs the installation and when it is complete delivers the results to the VMM agent.
d. The VMM agent delivers the results back to the VMM server and the compliance status is reflected in the Compliance view.
Hopefully, this will help everyone understand how to use a sample baseline and the process flow for when a baseline is assigned. From this you should also understand the communication flow between VMM, WSUS, and the WUA agent on each managed computer.
Carmen M. Summers – Senior Program Manager, VMM 2012
Here’s another great new KB article we published today. This one will tell you how to fix an issue where a P2V fails with error 8007001F:
=====
A System Center Virtual Machine Manager 2008 (SCVMM) Physical to Virtual (P2V) conversion fails when attempting to mount a .VHD file, reporting that a device attached to the system is not functioning. The hex code 0x8007001F in the error message is highly correlated with this issue.
Error (12700) VMM cannot complete the Hyper-V operation on the contoso10.com server because of the error: 'The system failed to mount 'C:\ClusterStorage\Volume3\NewSystem\C_2011-11-29T035848.vhd'. Error Code: A device attached to the system is not functioning. (A device attached to the system is not functioning (0x8007001F))
This can occur if antivirus realtime scanning places a lock on the file in the error message, making it impossible for SCVMM to continue operations.
Modify the antivirus realtime scanning settings so that the file extensions and processes below are excluded. Perform this action on the SCVMM server and all hosts it manages.
To resolve this issue, configure the real-time scanning component within your antivirus software to exclude the following directories and files:
For more information on antivirus options with Microsoft products see this article.
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows http://support.microsoft.com/kb/822158
To continue reading this article please see the link below:
2628135: A System Center Virtual Machine Manager 2008 P2V fails with 'A device attached to the system is not functioning (0x8007001F)'
J.C. Hornbeck | System Center Knowledge Engineer
Here’s one more KB article we published today. This one talks about an issue where the reinstallation of System Center Virtual Machine Manager 2008 R2 fails with "Library Share ‘MSSCVMMLibrary’ already exists":
When attempting to reinstall System Center Virtual Machine Manager 2008 R2 (SCVMM) the installation fails with the following error:
Library Share MSSCVMMLibrary already exists. Specify a unique library share name, and then try the operation again. ID: 819
This can occur if there is a mismatch in the local path field in the SCVMM database for the corresponding library (i.e. the path of the Library seen in the database is different from the actual path of the Library).
1. Take a backup of the SCVMM database. See http://technet.microsoft.com/en-us/library/cc956045.aspx for more details.
2. Open SQL Management Studio and browse to the VirtualManagerDB database.
3. Right-click on the tbl_IL_LibraryShare table and select Edit Top 200 Rows (or Select Top 1000 Rows, depending on your installation). This table contains the share name and the local share path.
4. The LocalPath field will have a path that is incorrect. Change it to the correct path if it is pointing to the wrong location.
5. Begin the process of reinstalling SCVMM 2008 R2 again.
2629737: Reinstallation of System Center Virtual Machine Manager 2008 R2 fails with "Library Share ‘MSSCVMMLibrary’ already exists"
We recently posted the VMM 2012 error codes to the TechNet wiki. The main page is located here: http://social.technet.microsoft.com/wiki/contents/articles/4906.aspx.
For each error code, the error or warning message and recommended action is listed. The recommended action is the in-product troubleshooting information that is displayed together with the error or warning message. There’s also an Additional Troubleshooting Information column. This is where you can all help add value. If you know more about how to troubleshoot an error than what is included in the Recommended Action (in product) column, please edit the wiki page to add that information. To edit you need to sign in with a Windows Live account. For information about how to join the wiki, see http://social.technet.microsoft.com/wiki/contents/articles/129.aspx.
(Note that the VMM 2008 R2 (including SP1) error codes are also posted to the TechNet wiki at http://social.technet.microsoft.com/wiki/contents/articles/virtual-machine-manager-vmm-2008-r2-error-codes.aspx.)
Thanks!
VMM Content Team
Here’s another new KB article we published today. This one involves a VMM R2 migration appearing to take longer than expected:
Transfers during a System Center Virtual Machine Manager 2008 R2 (SCVMM R2) migration appear to take longer than expected.
This can happen because in SCVMM R2, BITS transfers are set to be encrypted by default.
This is by design, although if you have implemented another form of encryption such as IPsec, or have otherwise secured your virtualized environment, you may want to take advantage of the new option in SCVMM R2 to allow unencrypted file transfers for individual library servers and individual host groups. Allowing unencrypted file transfers can improve performance during virtual machine creation and migration. For files to be transferred unencrypted, unencrypted file transfers must be allowed on both the source and destination computer. This option is available by updating the properties of the library server.
Disable Bits encryption for both Hosts and the SCVMM Library:
Disabling SCVMM 2008 R2 Encrypted Transfers for Hosts
References:
How to Modify the Properties of a Host Group: http://technet.microsoft.com/en-us/library/cc956106.aspx
How to Allow Unencrypted File Transfers for a Library Server: http://technet.microsoft.com/en-us/library/ee236497.aspx
Hardening VMM Library Servers: http://technet.microsoft.com/en-us/library/dd548289.aspx
For the following issues please reference the blog post below:
How to Troubleshoot Slow BITS Performance, Hosts 'Not Responding' and 'Needs Attention' Communication Issues : http://blogs.technet.com/b/jonjor/archive/2008/12/29/how-to-troubleshoot-slow-bits-performance-hosts-not-responding-and-needs-attention-communication-issues.aspx
1. Deployment or migration of data utilizing LAN (not SAN transfer) is very slow in general
2. BITS is slow in one direction only: fast from Host01 to Host02, but slow from Host02 to Host01, for example
3. Host reports in the SCVMM Admin Console "Host not responding" or "Needs attention"
4. Under 'Status' of the Host the following may show "Not Responding":
- Connection status
- Agent Status
For the most current version of this article please see the following:
2625478: Migration job transfers may take longer than expected in System Center Virtual Machine Manager 2008 R2
In VMM 2012, sensitive data such as Run As account passwords are encrypted using the configured encryption technology.
There are two options for which technology to use for encryption key management. These are:
1. DPAPI: This is the default. All previous VMM versions use this. Encryption keys are stored on the VMM server.
2. Distributed Key Management: Encryption keys are stored in Active Directory. For Highly Available VMM installations, this is the only option for storing encryption keys.
Option 2 has some initial configuration overhead; however, the encryption keys remain in AD if the VMM server machine is lost, which aids a quicker restoration. In scenarios such as formatting the VMM server machine, a disk drive failure, or reinstalling your VMM server on another machine, the keys will still be there. With Option 1 you will need to redefine all your sensitive data, such as Run As account passwords, in these scenarios.
We will focus on Option 2 (Distributed Key Management) for this blog post.
In order to configure Distributed Key Management, during setup, you will be asked to enter the location in AD that you would like to use for storing your encryption keys. The location is the distinguished name of the container.
The prerequisite of Option 2 is that the user running VMM server setup needs to have the following access rights on the location that you specify during setup.
· Generic Read
· Generic Write
· Create Child
Definition of these rights in AD:
Here is how you specify the AD location during VMM Server setup.
If the user running setup has the right to create containers in AD (under Container1 or VMMDKM), nothing else is necessary. Here is what happens in detail.
1. VMM Setup checks whether a VMMDKM container exists under Container1.
2. If the VMMDKM container already exists in AD, VMM Setup creates a new container under VMMDKM and gives the necessary permissions on this new container to the VMM service account. Note that the VMM service account is also selected on this wizard page. For HA VMM installations the Local System account is disabled.
3. If the VMMDKM container does not exist in AD, setup tries to create that container first and then proceeds with step 2.
Below is how the container looks after setup:
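The prerequisite check described above, as an added example that is not code from the original post: it reads the ACL of the chosen DKM container, reports whether the account that will run setup holds the Generic Read, Generic Write and Create Child rights, and grants exactly those three with dsacls if not. The container DN and account name are placeholders, the RSAT ActiveDirectory module (which provides the AD: drive) is assumed, and the dsacls permission string follows that tool's built-in help.

```powershell
# Added example, not code from the original post. The DN and account are placeholders,
# and the RSAT ActiveDirectory module (which provides the AD: drive) is assumed.
Import-Module ActiveDirectory

$DkmContainerDn = 'CN=VMMDKM,CN=Container1,DC=contoso,DC=com'   # placeholder DN
$SetupAccount   = 'CONTOSO\vmmsetup'                            # placeholder account

function Test-DkmContainerRights {
    param([string]$Dn, [string]$Account)
    # The three rights the post lists as prerequisites for the account running setup.
    $required = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild'
    $granted  = 0
    # Read the container ACL and collect Allow ACEs that name the account directly
    # (rights that arrive through group membership are not resolved here).
    $acl = Get-Acl -Path ("AD:\" + $Dn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
    # GenericAll is a superset, so treat it as satisfying the three required rights.
    if ($granted -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
        $granted = $granted -bor $required
    }
    $missing = $required -band (-bnot $granted)
    [pscustomobject]@{
        Account    = $Account
        Container  = $Dn
        Granted    = [System.DirectoryServices.ActiveDirectoryRights]$granted
        Missing    = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Sufficient = ($missing -eq 0)
    }
}

function Grant-DkmContainerRights {
    param([string]$Dn, [string]$Account)
    # dsacls /G adds an Allow ACE; GR = Generic Read, GW = Generic Write, CC = Create Child.
    # Only those three rights are granted, nothing broader such as GA (Generic All).
    & dsacls.exe $Dn /G "${Account}:GRGWCC"
}

# Check first; grant the three rights only if something is missing, then re-check.
$before = Test-DkmContainerRights -Dn $DkmContainerDn -Account $SetupAccount
if ($before.Sufficient) {
    $before
} else {
    Grant-DkmContainerRights -Dn $DkmContainerDn -Account $SetupAccount
    Test-DkmContainerRights -Dn $DkmContainerDn -Account $SetupAccount
}
```

Because only direct ACEs are examined, an account that receives the rights through a group shows as insufficient here; check the group's ACE in that case rather than adding a second grant.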
I hope this information was informative and helpful. Please refer to our TechNet Library for more details on VMM 2012 setup.
Gokcen Iskender – Software Development Engineer
VMM 2012 introduces the concept of services: it allows defining service templates (blueprints of user applications), deploying services from service templates (creating VMs and applications), and servicing services with updated service templates (updating VMs and applications). A service template can contain configurable service settings that are referenced within the service template.
Service settings, just like Windows environment variables, are a set of dynamic named values that can affect the way a service is deployed/serviced.
The main benefits of Service settings are re-usability and deployment time configurability:
1. Reusability: Service settings can be reused across multiple tiers within a service template and are centrally configurable, which makes service template authoring easier and less error-prone for administrators. For example, in a typical 3-tier web application, the middle tier and the web tier need to access the same database; in this case, both tiers can use a service setting called ConnectionString to set the value of the SQL connection string that should be used.
2. Deployment time configurability: Some information may not be available at the time of service template authoring. For example, since test and production environments are often in different domains, it is necessary to specify the domain name and domain join credentials at deployment time, as opposed to hard coding such information in the service template itself. Service settings provide the flexibility to defer the value assignment to deployment time, rather than baking the values into the service template model. As a result, service settings make it possible to deploy multiple services with different settings from the same service template: users can override the service setting values in the Service Deployment Configuration and deploy a service from it.
Service settings can contain information such as computer name, file path, database connection string, etc., and can be referenced at a few pre-defined places (for example, the Computer Name property of Guest OS Profile, etc.) within a service template. A service setting is enclosed in paired at sign (“@”): for example, the Computer Name property of Guest OS Profile can be “@SQLComputerName@”.
Users do not have to define service settings before using them: VMM 2012 parses the pre-defined places, finds the service settings used there, and shows their usages, which further simplifies service template authoring.
Note: A service setting name cannot contain at sign (“@”); to express literal at sign (“@”), use double at sign (“@@”).
There are two types of service setting, string type and Run As Account type, depending on where the service setting is referenced. For example, a service setting referenced by the domain join Run As Account in an OS profile is Run As Account type; a service setting referenced by Computer Name in an OS profile is string type. Users do not need to specify the type of a service setting; VMM figures it out as part of the automatic discovery process mentioned earlier.
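The delimiter rules above (a setting reference is the name between paired at signs, “@@” is a literal at sign, and references are discovered automatically) as an added example, not VMM's own code: a small tokenizer that lists the settings a property value references and expands the value with deployment-time values. The property strings, setting names and values are constructed samples.

```powershell
# Added example, not VMM's own code. Sample property values and deployment values below
# are constructed for the demonstration.

function ConvertTo-ServiceSettingTokens {
    param([string]$Text)
    # Walk the string left to right, producing Literal and Setting tokens.
    $tokens  = New-Object System.Collections.Generic.List[object]
    $literal = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Text.Length) {
        if ($Text[$i] -ne '@') { [void]$literal.Append($Text[$i]); $i++; continue }
        if (($i + 1) -lt $Text.Length -and $Text[$i + 1] -eq '@') {
            # "@@" is an escaped at sign, not a delimiter.
            [void]$literal.Append('@'); $i += 2; continue
        }
        # A single "@" opens a reference; the next "@" closes it (names cannot contain "@").
        $close = $Text.IndexOf('@', $i + 1)
        if ($close -lt 0) { throw "Unbalanced '@' delimiter in '$Text'" }
        $name = $Text.Substring($i + 1, $close - $i - 1)
        if ($literal.Length -gt 0) {
            $tokens.Add(@{ Kind = 'Literal'; Value = $literal.ToString() })
            [void]$literal.Clear()
        }
        $tokens.Add(@{ Kind = 'Setting'; Value = $name })
        $i = $close + 1
    }
    if ($literal.Length -gt 0) { $tokens.Add(@{ Kind = 'Literal'; Value = $literal.ToString() }) }
    return ,$tokens
}

function Get-ServiceSettingReferences {
    param([string]$Text)
    # Distinct setting names, in the order they are discovered in this property value.
    $names = @()
    foreach ($t in (ConvertTo-ServiceSettingTokens $Text)) {
        if ($t.Kind -eq 'Setting' -and $names -notcontains $t.Value) { $names += $t.Value }
    }
    return ,$names
}

function Expand-ServiceSettings {
    param([string]$Text, [hashtable]$Values)
    # Replace each reference with its deployment-time value. A reference with no value
    # is an error here, which is what the Mandatory flag guards against at deployment.
    $out = New-Object System.Text.StringBuilder
    foreach ($t in (ConvertTo-ServiceSettingTokens $Text)) {
        if ($t.Kind -eq 'Literal') { [void]$out.Append($t.Value); continue }
        if (-not $Values.ContainsKey($t.Value)) { throw "No value supplied for setting '$($t.Value)'" }
        [void]$out.Append([string]$Values[$t.Value])
    }
    return $out.ToString()
}

# Constructed sample property values (as they might appear in a profile) and the
# deployment-time values that override the defaults.
$properties = @{
    ComputerName     = '@SQLComputerName@'
    ConnectionString = 'Server=@SQLComputerName@;Database=Lob;User Id=svc@@contoso.com'
    Domain           = '@MyDomain@'
}
$deployValues = @{ SQLComputerName = 'SQL01'; MyDomain = 'contoso.com' }

foreach ($p in $properties.GetEnumerator()) {
    $refs = Get-ServiceSettingReferences $p.Value
    "{0}: references [{1}] -> {2}" -f $p.Key, ($refs -join ', '), (Expand-ServiceSettings $p.Value $deployValues)
}
# ConnectionString expands to: Server=SQL01;Database=Lob;User Id=svc@contoso.com
```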
A service setting has the following properties:
Name: the name of a service setting, which is the string between the paired at signs (the service setting delimiters).
Description: Service template authors can add a description for the service setting, for example about its usage.
Mandatory (1st checkbox): Service template authors can check this checkbox to make sure a value is provided during deployment.
Encryption (2nd checkbox): Service template authors can check this checkbox to tell VMM that the value needs to be encrypted and handled securely (transported/stored in DB securely).
Value: Service template authors can specify a default value, which can be overridden at deployment time with deployment-specific values.
The following is the properties dialog for a string type service setting.
For Run As Account type service settings (as shown in the following dialog), Mandatory and Encryption properties are determined by VMM and are not user settable; and the Value property can be set using a Run As Account picker.
As mentioned above, service settings can be referenced at a few pre-defined places, and here is the list:
1. The Value property of an application setting under an application in an application profile (see fig below).
2. The Parameter property and Run As Account property of application profile-level script (see figure below) or application-level script.
3. The Deployment Run As Account property of SQL Data Tier Application in application profile.
4. The following properties in VM Template/Guest OS Profile: Identity information (computer name), product key, domain, domain Run As account, admin Run As account.
5. Application host machine name
6. SQL script command parameters.
7. All Run As Account properties and Product Key property of SQL Server Deployment in SQL profile
Now, we are ready to create a service template with service settings. Steps are:
1. Create a VM template from the application profile, guest OS profile, and SQL Server profile created above. (In the “Library” navigation pane, expand “Templates”, right-click “VM Templates” and select “Create VM Template”.)
Specify the application profile, guest OS profile, and SQL Server profile created above.
2. Create a service template with the VM template. In the “Library” navigation pane, expand “Templates”, right-click “Service Templates” and select “Create Service Template”. For simplicity, create a single-tier service template.
Drag and drop the VM template from the “VM Templates” pane on the left to the service designer canvas, then click “Save and Validate Service Template”, and close the service designer.
A service template has now been created, and the service template properties dialog (right-click the newly created service template and choose “Properties”) shows the service settings and their usage.
We next look at two scenarios where service settings are used: service deployment scenario, and service servicing scenario.
At service template authoring time, we can give default values to service settings. During service deployment, the default values can be overridden; this way we can create different services from the same service template. For example, the same service template can be used to deploy to a test environment with one set of credentials and to a production environment with another, without having to change the service template.
For an existing service, we can service it by attaching an updated service template (with modified service settings) to it.
1. Service deployment scenario
So far, we have created a service template with service settings. Let’s deploy it!
During service deployment (right-click the service template and choose “Configure Deployment”), the default value can be overridden, and the overriding value will be used for deploying that service. For example, in the screenshot below, setting “MyDomain” uses the default value “contoso.com”, whereas setting “SQLAdminAccount” overrides the default value to use the “NT AUTHORITY/System” Run As Account. When the deployment starts (click the green arrow icon “Deploy Service”), the service settings will be replaced with their values wherever they are referenced; that is, the VM will join the domain “contoso.com”, and SQL Server will use the “NT AUTHORITY/System” Run As Account as the SA account.
After a service is deployed, service settings are also stored with the service. The screenshot below shows the service settings of a different service using PowerShell cmdlets.
2. Service servicing scenario
VMM provides full life-cycle management for services. After a service has been deployed, we can still make changes to it through servicing. We can either set the service template of the service to the updated service template, or, if servicing is scoped to applications (e.g., application settings such as database connection strings need to be changed), set the service settings directly. We now walk through these two cases in turn.
Case 1: Servicing a service by updating the service template
In the following example, a newer version of the service template is created with the value of setting “lobComputerName” changed from “mtComputerName” to “NewLobComputerName” (this can be done by right-clicking the original service template, choosing “Copy”, and then changing the new copy’s service settings). Now let’s apply the newer version of the service template to the service (right-click the service, choose “Set Template”, and then choose the newer version of the service template).
We can see the value change for setting “lobComputerName” (New Value in bold): Current Value is the value currently used by the service; New Value comes from the newer version of the service template and is the target value for servicing. After servicing finishes successfully, New Value becomes Current Value.
The summary of servicing actions is also shown. Since setting “lobComputerName” is used in an application, a change in its value leads to an application update.
After servicing has completed successfully, setting “lobComputerName” has the New Value (the New Value before servicing becomes the Current Value after servicing), as shown in the PowerShell screenshot.
Case 2: Servicing a service by updating the service settings directly
When the servicing scope is the applications in a service, we can directly set the service settings that are referenced by application settings, and the changes will be applied to the appropriate applications.
In the following example, we change the value of service setting “lobComputerName” from “mtComputerName” to “NewLobComputerName”. Since this service setting is referenced by a WebDeploy application’s settings, the application setting change will be applied during servicing.
As in the servicing case above, right-click the service, choose “Set Template”, and then choose “Modify application settings for this service”.
Next, give the new value to the service setting and click Next.
The servicing actions show an update action for the WebDeploy application.
I hope you found this blog informative and helpful. For more information on SCVMM 2012 Service Creation feature please check out our TechNet Library.
Qingbo Cai – SCVMM 2012 System Development Engineer
Just a quick heads up on a new KB article we published today:
Installation of Virtual Guest Services (integration components) fails in System Center Virtual Machine Manager 2008 (SCVMM) but can be successfully installed manually in Hyper-V. Also, Physical to Virtual (P2V) jobs may fail when installing Virtual Guest Services. Another version of this error displays (Unknown error (0x80072f06)) under the Warning section below:
Warning (2912) An internal error has occurred trying to contact an agent on the SCVMMMSVR.Contoso.com server. (The directory is not empty (0x80070091)) Recommended Action Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent.
Warning (2912) An internal error has occurred trying to contact an agent on the SCVMMMSVR.Contoso.com server. (The directory is not empty (0x80072f06)) Recommended Action Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent.
There are two possible reasons for this condition:
Realtime antivirus is interfering with communications.
or
Multiple ports exist with an SSL binding to port 443.
Realtime Antivirus
To determine if realtime antivirus is scanning port 443:
At an elevated command prompt run the following command:
netstat -ano | find "443"
If any IP address in the ‘Local Address’ column (besides the ones below) is listening on port 443, there is a conflict.
a. 0.0.0.0:443
b. [::]:443
C:\Windows\system32>netstat -ano
Active Connections
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
TCP    192.168.1.63:443       0.0.0.0:0              LISTENING       1044
SSL Certificates
To determine if there are SSL certificates bound to two or more ports:
netsh http show sslcert
If any two IP addresses (except the defaults below) share the same Certificate Hash, there is a conflict.
a. IPv4: 0.0.0.0:443
b. IPv6 all addresses: [::]:443
C:\Windows\system32>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 192.168.1.61:443
Certificate Hash : b435bdda9cab32b4272a80b94b6985acc96bc2de
…
IP:port : 192.168.1.63:443
Certificate Hash : b435bdda9cab32b4272a80b94b6985acc96bc2de
…
Possible solutions are listed below. The best solution is to change the default ports used by SCVMM from 443 to another port such as 765. Specific solutions based on problems found are also included.
Best solution for both problems
Change the BITS port used by SCVMM from the default of 443 to another non-used port such as port 765. To do this, perform these steps on the SCVMM server and all managed Hosts:
1. Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings.
2. Locate the BITSTcpPort name on the right. Its data value should be 443.
a. Double click BITSTcpPort in order to modify the data. Make sure the Base is set to ‘Decimal’.
b. Change 443 to 765, or any other number less than 32768. Do not use a port that another protocol uses such as RDP (3389).
c. Click ‘OK’ to save this value.
3. Restart the ‘Virtual Machine Manager’ and ‘Virtual Machine Manager Agent’ services on the SCVMM server (on managed hosts simply restart the ‘Virtual Machine Manager Agent’ service).
4. Once complete on the SCVMM server and all Hosts, you can continue using SCVMM.
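The two checks from the "Realtime Antivirus" and "SSL Certificates" sections and the BITSTcpPort change from the steps above, as an added example that is not code from the KB article: the parsers run over constructed sample output laid out like the article's, and the registry function uses the key, value name, port limit and service names the article gives. The function names, the -IsVmmServer switch and the certificate hash in the sample are my own constructions.

```powershell
# Added example, not code from the KB article. Sample command output below is constructed
# in the layout the article shows; the certificate hash is a placeholder.

function Find-Port443Listeners {
    param([string[]]$NetstatLines)
    # Report LISTENING endpoints on TCP 443 other than the two expected wildcard entries.
    $expected = @('0.0.0.0:443', '[::]:443')
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        if ($f[1] -like '*:443' -and $expected -notcontains $f[1]) {
            [pscustomobject]@{ LocalAddress = $f[1]; OwningPid = [int]$f[4] }
        }
    }
}

function Find-DuplicateSslCertBindings {
    param([string[]]$NetshLines)
    # Pair each "IP:port" line with the "Certificate Hash" line that follows it, drop the
    # two default endpoints, and report any hash bound to more than one remaining endpoint.
    $expected = @('0.0.0.0:443', '[::]:443')
    $bindings = @()
    $endpoint = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') { $endpoint = $Matches[1]; continue }
        if ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            if ($expected -notcontains $endpoint) {
                $bindings += [pscustomobject]@{ Endpoint = $endpoint; Hash = $Matches[1].ToLower() }
            }
            $endpoint = $null
        }
    }
    $bindings | Group-Object -Property Hash | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Hash = $_.Name; Endpoints = @($_.Group | ForEach-Object { $_.Endpoint }) }
    }
}

function Set-ScvmmBitsPort {
    param([int]$Port = 765, [switch]$IsVmmServer)
    # Registry path, value name and service names as given in the article. Run on the
    # SCVMM server (with -IsVmmServer, which also restarts the server service) and on
    # every managed host.
    if ($Port -lt 1 -or $Port -ge 32768 -or $Port -eq 443 -or $Port -eq 3389) {
        throw "Choose a port below 32768 that is not 443 and not used by another protocol (e.g. RDP 3389)"
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings'
    Set-ItemProperty -Path $key -Name BITSTcpPort -Value $Port -Type DWord
    $services = @('Virtual Machine Manager Agent')
    if ($IsVmmServer) { $services += 'Virtual Machine Manager' }
    foreach ($name in $services) { Get-Service -DisplayName $name | Restart-Service }
}

# Constructed sample output in the layout shown in the article.
$netstatSample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.63:443       0.0.0.0:0              LISTENING       1044
'@
$netstatSample = $netstatSample -split "`r?`n"

$netshSample = @'
SSL Certificate bindings:
-------------------------
    IP:port                 : 192.168.1.61:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
    IP:port                 : 192.168.1.63:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
'@
$netshSample = $netshSample -split "`r?`n"

# On a live system replace the samples with (netstat -ano) and (netsh http show sslcert).
Find-Port443Listeners -NetstatLines $netstatSample          # 192.168.1.63:443, PID 1044
Find-DuplicateSslCertBindings -NetshLines $netshSample      # one hash bound to two endpoints
```

Run the two Find functions before touching the registry; if both come back empty, a port 443 conflict is not the cause and the BITSTcpPort change is unnecessary.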
Solution for Realtime Antivirus
If realtime antivirus is listening on port 443 as ‘192.168.1.63:443’ is in the example above, disable realtime antivirus on the system or make an exclusion for port 443.
Solution for SSL Certificate Binding
If there are multiple ports with an SSL binding to port 443, determine what application is using the binding then remove it if possible. Follow instructions at the following location for more details:
http://msdn.microsoft.com/en-us/library/ms733791.aspx
Port 443 is the default port used by SCVMM for SSL and BITS. When there is a conflict with this port various health and operations issues will appear with SCVMM.
2623572: Installation of Integration Components or a P2V job in System Center Virtual Machine Manager 2008 fails with Error 2912: The directory is not empty (0x80070091)