Windows Azure Pack configuration with a named instance and a non-default SQL port

Installing Windows Azure Pack in a lab environment is relatively easy. You control all the environment variables. Changes to operating systems, required permissions or other settings are within your own hands.

How different is this when you implement Windows Azure Pack in a Service Provider or Enterprise Organization environment. All kind of security requirements are in place. Each change in the environment is preceded by a request for change procedure. Planning, prerequisites and design documents are essential from the start of the project. If you have not invested in these upfront you will find yourself confronted with a new change each time that, in its turn, results in another RFC with accompanying handling time. Within a couple of days your teeth marks will be visible in the steering wheel of your car.

(Previously) a prerequisite for Windows Azure Pack:

  • Windows Azure Pack requires a SQL server running in mixed authentication mode and the SQL instance must be running on the default SQL port 1433

But the security policy at the Enterprise Organization or Service Provider dictates:

  • The SQL Server must be in Windows Authenticated mode only using a named instance and non-default SQL port

Most deployments start with an installation in a development environment that reflect the production environment. In the development environment the SQL configuration that is required for Windows Azure Pack is tolerated but flagged. Once we move to production the RFC can possibly block the implementation.

I contacted the folks from the Windows Azure Pack program group a couple of months ago. They provided the means to configure Windows Azure Pack with a named instance and against a non-default SQL port. It was OK to use this configuration for the development environments, but they needed some additional testing to validate that this configuration would not break in hotfix or upgrade scenarios.

Named instance and non-default SQL port

It is now supported to configure Windows Azure Pack with a named instance and a non-default SQL port using the following format in the configuration wizard.

Configure the database connection in the configuration wizard with the following format.

<SQL Server>\<Instance>,<Port number>

In this example

SQL01\hypervu,10001

Custom SQL port

SQL Authentication

Windows Azure Pack does still require a SQL Server in mixed authenticated mode. During the installation SQL accounts are created that are used in the encrypted part of the web.config file of each Windows Azure Pack website. But if this SQL authentication discussion comes up in a project consider this:

A long time ago, Microsoft recommended “When possible, use Windows Authentication” for SQL databases. That recommendation was not based on security issues with SQL authentication. It was a best practice for applications which would work better with pass through user authentication rather than using a service principle. That statement was interpreted by most organizations with “you should never use SQL authentication”.

Is that statement (still) true or is SQL authentication a secure choice?

The best example of using SQL authentication for databases is Microsoft itself. Microsoft Azure SQL Database (database-as-a-service) supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported.

If Microsoft wasn’t comfortable using SQL authentication, they wouldn’t run a few hundred thousand SQL servers. That are on the internet!!

Image taken from the new Microsoft Azure Portal that is in preview.

Azure SQL

More Information

Windows Azure Pack, SQL Always On, Listener and Port story

Microsoft SQL Server versions supported in a Windows Azure Pack deployment

Windows Azure Pack – Active Directory Design Choices

Darryl van der Peijl wrote this great guest blog on design considerations for Active Directory in a Windows Azure Pack environment:

In this blog I will discuss different Active Directory designs, focusing on the use of Windows Azure Pack. Since Windows Azure Pack is nothing different from a regular web service, these designs can be used in a very generic way.

When talking Active Directory, we are actually talking security. The design decisions you make can have a huge impact on the vulnerability of your infrastructure.

Windows Azure Pack is offering a number of services that can be accessed from the Internet like the Tenant Portal and Tenant Public API, and don’t forget the “Remote Console” feature which will need a Remote Desktop Gateway server accessible from the Internet as well.

It is recommended to put servers in a DMZ/Perimeter network which can be accessed from the outside. Since they are reachable from the potentially ‘hostile’ external world, these servers can become subject to intrusion or hijacking by attackers. The DMZ/Perimeter network is a containment area so that a breached server does not gain immediate access to your internal infrastructure.

So, let’s get started!

I will discuss the following four different Active Directory designs and sum up the advantages and disadvantages.

  • No Active Directory in DMZ / Perimeter Network
  • Extended Forest
  • Forest with child domains
  • Isolated Forests

The following terms will be used:

ADDS Active Directory Domain Services
DMZ / Perimeter Network The zone for external facing services
Local Network The zone for internal services
Local infrastructure Infrastructure (servers) in the Local Network
Perimeter infrastructure Infrastructure (servers) in the Perimeter Network

 

No Active Directory in DMZ / Perimeter Network

You can implement Windows Azure Pack without the use of Active Directory, so you don’t have to create a separate domain for WAP in the perimeter. Windows Azure Pack will use the local server’s Security Accounts Manager (SAM) database to authenticate identities and will use SQL authentication for the databases.

The security risk of this design is medium.

Advantages:

  • No ADDS needed (Advantage?)
  • No VMs for ADDS

Disadvantages:

  • Managing of users and the servers need to be done locally on each server
  • You cannot setup Failover Clusters without ADDS (Hyper-V, SQL Always on, ..)
  • The Kerberos protocol or certificates are not available for local SAM authentication.
  • Centralized updates (WSUS) cannot be implemented
  • No ability to use ADFS

Note:
For Windows Azure Pack build-in functionality like “Console Connect” or “Network Virtualization” you will need to build a Hyper-V cluster. READ MORE »

Presentaties online; System Center Summer Night

Op 26 juni jl. vond de tweede editie van de System Center Summer Night plaats. Een event samen georganiseerd door de Hyper-V.nu en System Center User Groep NL. Een middag en avond boordevol met System Center en Hyper-V! Een geslaagde dag met +100 bezoekers, +10 nationale en internationale topsprekers en uitstekend BBQ weer!

Voor de geïnteresseerde staan de presentaties klaar om te downloaden via onderstaande link:

Alle sponsors – HP, Veeam, Savision en Secunia nogmaals bedankt voor het mogelijk maken van deze dag! En alle bezoekers; dank voor jullie komst! Hopelijk mogen wij jullie volgend jaar wederom  verwelkomen op de derde editie :-).

Windows Azure Pack: Infrastructure as a Service Jump Start

Date: July 16 & 17, 2014
Time: 9am–1pm PDT
CTA(s): Registration page: http://www.microsoftvirtualacademy.com/liveevents/windows-azure-pack-infrastructure-as-a-service-jump-start

Alternative link: http://aka.ms/WAPIaaS

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.

WAP

Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

Course Outline
Day 1

  • Introduction to the Windows Azure Pack
  • Install and Configure WAP
  • Integrate the Fabric
  • Deliver Self-Service

Day 2

  • Automate Services
  • Extend Services with Third Parties
  • Create Tenant Experiences

Metadescription: Free online course for IT Pros: Windows Azure Pack IaaS, including VM roles. Build and manage modern apps, unlock insights

Keywords: Windows Azure Pack, Microsoft Azure, Windows Server, System Center, SQL Server

Instructors

Andrew Zeller | Microsoft Senior Technical Program Manager

Andrew Zeller is a Technical Program Manager at Microsoft, focusing on service delivery and automation with Windows Server, System Center, and the Windows Azure Pack.

Symon Perriman | Microsoft Senior Technical Evangelist |@SymonPerriman

​As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.

Register today!

Additional Background on the VMQ Issue with Emulex and HP

Today I had a conference call with the people from Emulex responsible for the network adapters, firmware and drivers. As many of you know we’ve had a long lasting issue with HP/Emulex 554FLB CNAs in HP BL460c Gen 8 blade servers in c7000 blade enclosures. After we had replaced Windows Server 2012 with Hyper-V by Windows Server 2012 R2 with Hyper-V on the same hardware, we started to notice virtual machines losing connection. We have multiple guest clusters on top of the Hyper-V clusters and sometimes during Live Migration of one of the cluster nodes, we would see that connectivity was lost, even to the point that a cluster node would be forced to leave the cluster and come back later when the network connection was re-established. In fact that was our single best test to reproduce the problem.

Marc van Eijk en Peter Noorderijk wrote blogs about it and together they got over 200 comments from customers all over the world seeing the same problem, the majority of them having Emulex through an OEM like HP, Dell, IBM and Cisco. In fact we also read similar cases with HP rack servers, other NICs and different hardware combinations which led me to believe there could also be an issue in the networking/teaming stack in Windows Server 2012 R2.

During the months of November and December 2013 we collected a list of 10 registered support cases with either HP, Microsoft or both. At that time my primary contact was a senior escalation engineer at Microsoft who was able to collect several customer cases mostly from European customers. Unfortunately we could not register a support case with HP ourselves because we did not have a support contract with them. But the amount of customers that discovered they had the same problem, grew and grew. There must have been hundreds of open support calls with both HP and Microsoft and the storm of discontent was growing.

According to HP they were dependent on Emulex and HP did not get any feedback either. Also Microsoft was left in the dark for a long time.

READ MORE »

Emulex driver and firmware update

On this blog we’ve blogged about several issues with Emulex adapters on Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, for example blog 1 and blog 2.

Yesterday Emulex announced a driver and firmware update that should solve these issues: http://blogs.emulex.com/implementers/2014/06/19/microsoft-windows-20122012-r2-hyper-vms-losing-network-connectivity-workaround/

As we can read in this blog: Status on 6/19/2014:  Updated driver and firmware code that addresses the VMQ network connectivity issues is currently going through comprehensive validation and test and is estimated to be available for Emulex branded products by mid-July 2014. Driver releases of specific OEM configurations are being evaluated now. We will update this blog as soon as we confirm the timing and location of each OEM release.

That’s good news! Let’s hope that this update will be available as soon as possible and that this update will fix the VMQ issue!

You can help shape the future of Windows Azure Pack

Windows Azure Pack delivers Microsoft Azure technologies for you to run inside your datacenter. It offers rich, self-service, multi-tenant services and experiences that are consistent with Microsoft’s public cloud offering.

You can help shape the future of Windows Azure Pack. The Windows Azure Pack team has created a user voice site where you can post feature suggestions and vote on the suggestions of others.

You can find the Azure Pack user voice site here http://feedback.azure.com/forums/255259-azure-pack

01 General

Sign in to track your submitted ideas and comments.

When you would like to submit a new suggestion, type in one or more relevant keyword. This will automatically filter the already submitted items. If somebody else already submitted the same suggestion, it allows you to vote on that suggestion. As a signed in user you will have a total of 10 votes. With these votes you can submit new suggestions or vote on existing ones.

Vote for existing suggestions

When you vote for existing items, you can choose to give 1, 2, or 3 votes for more weight. You are able to change your assigned votes afterwards. When suggestions are closed, the votes you assigned to that suggestion are available again.

02 Vote for exisiting idea

Submit a new suggestion

To submit a new suggestion, provide the title for the suggestion and optionally enter a description and category. Select to attach a file if that helps to explain the suggestion and choose how many votes you would like to put on this suggestion.

03 Post new idea

Help shape Windows Azure Pack with the user voice site http://feedback.azure.com/forums/255259-azure-pack

System Center, Hyper-V, Azure and Meat

If you like System Center, Hyper-V, Azure as well as meat, don’t forget to register for System Center Summer Night “The MasterChef edition” which is rapidly approaching. In 10 days from today, nine experts, seven of them are MVPs, will present five interesting presentations.

Because we have plenty of space left we invite those who have registered to bring a friend without additional cost. If you haven’t registered yet, please do and have a great afternoon which is completed with a nice barbecue.

Date of event

June 26th

Program

15:00 – 16:15 How many System Center fits on one grill by Ronny de Jong / James van den Berg [MVP] / Helmer Zandbergen / Marc van Eijk [MVP] / Dieter Wijckmans [MVP]

16:15 – 17:30 How Service Manager can do everything you need – a best-of-the-best Swiss cheese selection by Marcel Zehner [MVP]

17:30 – 17:45 Break

17:45 – 19:00 Light up the fire on your Hyper-V by Hans Vredevoort [MVP] & Peter Noorderijk on Hyper-V Architecture

19:00 – 20:15 Become a Masterchef on Microsoft Azure Automation by Maarten Goet [MVP]

20.15 BBQ time

This event is organized by SCUG.nl and Hyper-V.nu

Registration

Please register at https://www.eventbrite.nl/e/tickets-system-center-summer-night-2014-9265847399

Location

Unieplaza
Multatulilaan
4103 NM Culemborg

Hyper-V Amigos Back in Quartet Formation

Back in 2011, four Hyper-V MVPs decided to take on a server virtualization master class series focusing on Hyper-V for which they adopted the Spanish sounding name “The Hyper-V Amigos”. In the previous months German Hyper-V MVP Carsten Rachfahl, well known for his Hyper-V podcasts and videos, had already made three episodes with Belgian Hyper-V MVP, Didier van Hoye aka @WorkingHardInIT which gave us a lot of background of both Carsten and Didier in Episode 1, as well as some great explanatory showcasts on Unmap and Live Migration in Windows Server 2012 R2 in Episodes 2 and 3.

This time Carsten also invited Aidan Finn, Hyper-V MVP out of Ireland and myself to what seemed like a reunion. Three of the MVPs had visited TechEd North America and in Episode 4 they look back on how they came to know as The Hyper-V Amigos and what their thoughts were on the TechEd 2014 event.

I invite you to watch the next episode of The Hyper-V Amigos:
http://www.youtube.com/watch?v=PFURtvxbFaU&feature=youtu.be

Windows Azure Pack Tenant Public API

Microsoft Azure and Windows Azure Pack are like two circles. These circles are moving towards each other and are already overlapping on certain parts. The CloudOS vision is those two circles completely merged into one.

Circles

So, when you work with Windows Azure Pack it is very interesting to keep an eye on Microsoft Azure, the public cloud solution from Microsoft. This gives a good idea of the features that are coming to Windows Azure Pack, but also gives more insight in the features that are already available in Windows Azure Pack today. In this blog we will cover a feature that is not very well known but can be very useful. The Windows Azure Pack Tenant Public API.

Most Windows Azure Pack deployments we see in production are in one way or another related to IaaS. Windows Azure Pack provides a powerful web portal that enables tenants to interact with their IaaS services. They can create, edit and delete Virtual Machines and Virtual Networks with just a few clicks.

The tenant portal experience is awesome, but there are scenarios where other methods are required. Take for example regression testing. A tenant want to schedule a deployment for a set of virtual machines with applications. When the virtual machines are deployed, an automated procedure runs tests against the applications, which logs the performed steps to a location for evaluation. After the tests are completed the virtual machines are decommissioned again. The regression tests are scheduled by the tenants and they make changes to the tests frequently.

The first thing that comes to mind with this example is a combination of the VM Role and Service Management Automation. The VM Role allows you to deploy a virtual machine with an application. Service Management Automation enables scheduling of PowerShell workflows that can deploy the VM Roles for the tenant and run the regression tests as well.

Unfortunately in this release of Windows Azure Pack you need access to the Windows Azure Pack Admin Site to edit or schedule an SMA runbook. This requires Admin interaction for each change in the runbook or each change in the schedule, which is not an option.

Microsoft Azure provides a powerful scripting environment with Azure PowerShell. It allows tenants to interact with the services in their Microsoft Azure subscription with PowerShell cmdlets. These cmdlets can be run from a remote client. The client authenticates to the services in the subscription by using certificates. As you expect from Microsoft Azure it works after some easy steps to get the certificates configured correctly.

WAPack

If you have a closer look at the cmdlets within the Azure PowerShell module you will notice that there are also cmdlets that contain WAPack in their name. This looks promising. READ MORE »