Posts by Hans Vredevoort

Bare Metal Post-Deployment – Running the Post-Deployment Automation and Bonus – Part 5

Earlier this week I introduced Ben Gelens and his blog series on Hyper-V Bare Metal Post-Deployment. Here is part 5, a continuation on the topic of Constructing the Post-Deployment automation. This blog post series consists of 5 parts:

  1. Part 1: Introduction and Scenario
  2. Part 2: Pre-Conditions
  3. Part 3: Constructing the Post-Deployment automation
  4. Part 4: Constructing the Post-Deployment automation continued
  5. Part 5: Running the Post-Deployment automation and Bonus (this blog post)


Running the Post-Deployment automation

So you have arrived at the last blog post in this series. I hope you have enjoyed everything you have read and, most importantly, have learned what you were seeking to learn. As a little extra, I’ve put in a little bonus script to finalize a Hyper-V cluster configuration.

When everything is in place we simply run the “Run-HyperVPostdeployment” runbook.

Output of child runbooks is returned to the master runbook by using return statements and sending the results back as strings. You only have to check the job summary of the master runbook to get a view of how things went.

When things didn’t go well, you can see at which stage the failure occurred and start troubleshooting from there. Check the VMM job log to get more detailed information.

I didn’t include cleanup steps, but it’s really easy to restart the process: remove all logical switches from the host and start the master runbook again.

Bonus Post Cluster Deployment Configuration script

Run the following script on one of the Cluster nodes (this has to run only once per cluster). The script will:

  • Configure the cluster to register its PTR records into the reverse lookup zone.
  • Rename the cluster networks
  • Configure the correct cluster network metrics
  • Configure the networks allowed for live migration
  • Configure 512MB RAM as CSV block cache
  • Configure the SameSubnetThreshold for 20 seconds
  • Configure the cluster service shutdown timeout to 30 minutes
  • Rename the CSV mount point to reflect the volume name
  • Remove the quorum drive letter

Please find a link to all script files here.
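As an added example of the nine steps listed above (this is not Ben’s bonus script, which is linked from the post), the following PowerShell implements them with the FailoverClusters cmdlets on one cluster node. Everything environment specific is an assumption: the network addresses, names, metrics and roles in $NetworkMap are constructed sample values, the live migration network is assumed to be the one named LM, and the quorum disk is assumed to be mounted as Q: before the script runs.

```powershell
# Added example, not the original bonus script. Run once, on one node of the cluster.
Import-Module FailoverClusters

# Constructed mapping of cluster network address -> desired name, metric and role.
# Role 1 = cluster traffic only (CSV/LM), role 3 = cluster and client (management).
$NetworkMap = @{
    '10.10.10.0' = @{ Name = 'Management'; Metric = 30000; Role = 3 }
    '10.10.20.0' = @{ Name = 'LM';         Metric = 20000; Role = 1 }
    '10.10.30.0' = @{ Name = 'CSV';        Metric = 10000; Role = 1 }
}
$LiveMigrationNetworks = @('LM')   # assumption: only this network may carry live migration
$QuorumDriveLetter     = 'Q'       # assumption: the quorum disk currently has drive letter Q:

$cluster = Get-Cluster

# 1. Let the cluster name register its PTR record in the reverse lookup zone
Get-ClusterResource -Name 'Cluster Name' |
    Set-ClusterParameter -Name PublishPTRRecords -Value 1

# 2 + 3. Rename the cluster networks and set their metrics and roles from the map
foreach ($net in Get-ClusterNetwork) {
    $cfg = $NetworkMap[$net.Address]
    if ($null -eq $cfg) {
        Write-Warning "No mapping for $($net.Name) ($($net.Address)); left unchanged"
        continue
    }
    $net.Name   = $cfg.Name
    $net.Metric = $cfg.Metric
    $net.Role   = $cfg.Role
}

# 4. Live migration: exclude every cluster network that is not in $LiveMigrationNetworks.
#    The value is a semicolon separated list of cluster network IDs.
$exclude = Get-ClusterNetwork |
    Where-Object { $LiveMigrationNetworks -notcontains $_.Name } |
    ForEach-Object { $_.Id }
Get-ClusterResourceType -Name 'Virtual Machine' |
    Set-ClusterParameter -Name MigrationExcludeNetworks -Value ($exclude -join ';')

# 5. CSV block cache in MB
$cluster.BlockCacheSize = 512
# 6. SameSubnetThreshold counts missed heartbeats; with the default 1000 ms
#    SameSubnetDelay, 20 heartbeats equals 20 seconds
$cluster.SameSubnetThreshold = 20
# 7. Cluster service shutdown timeout in minutes
$cluster.ShutdownTimeoutInMinutes = 30

# 8. Rename each CSV mount point (C:\ClusterStorage\VolumeN) to the CSV resource name
foreach ($csv in Get-ClusterSharedVolume) {
    $path    = $csv.SharedVolumeInfo[0].FriendlyVolumeName
    $newName = $csv.Name -replace '[^\w\-]', ''      # drop characters that are invalid in a path
    if ((Split-Path -Path $path -Leaf) -ne $newName) {
        Rename-Item -Path $path -NewName $newName
    }
}

# 9. Remove the quorum drive letter so the witness disk is not used as a normal volume
$partition = Get-Partition -DriveLetter $QuorumDriveLetter -ErrorAction SilentlyContinue
if ($partition) {
    Remove-PartitionAccessPath -InputObject $partition -AccessPath "${QuorumDriveLetter}:\"
}
```

Steps 2 to 4 are the ones worth verifying afterwards with Get-ClusterNetwork and Get-ClusterParameter, because a wrong metric or a missing exclusion silently moves CSV or live migration traffic onto the management network.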

Bare Metal Post-Deployment – Constructing the Post Deployment Automation (continued) Part 4

Earlier this week I introduced Ben Gelens and his blog series on Hyper-V Bare Metal Post-Deployment. Here is part 4, a continuation on the topic of Constructing the Post-Deployment automation.

This blog post series consists of 5 parts:

  1. Part 1: Introduction and Scenario
  2. Part 2: Pre-Conditions
  3. Part 3: Constructing the Post-Deployment automation
  4. Part 4: Constructing the Post-Deployment automation continued (this blog post)
  5. Part 5: Running the Post-Deployment automation and Bonus


Constructing the Post-Deployment automation (continued)


This blog post describes the model and configuration specific part of the automation, which is called upon by the master runbook described in the previous post.

Child Runbook “Config-BL460CGen8″.

The Config-BL460CGen8 runbook is called as a child runbook when the Hyper-V host involved is a BL460C Gen8 blade. The runbook is not started inline but is started as its own job by using the Start-SmaRunbook command (my preferred method). Differentiation between the configurations of different environments is made through the Type parameter.

The runbook will put the host through the following process:

  • Implement fully converged networking including the MAC address fix (a bug in SCVMM is circumvented).
    • Create the logical Infra switch on a designated Infra team NIC which is not used for management.
    • Run bl460c_converged.ps1 on the host (for more details see the script below).
    • Refresh the SCVMM host information.
  • Create the VM logical switch on the designated VM team NICs.
  • Add the LM and CSV vNICs to the Infra switch.
  • Configure the live migration settings.
  • Run the Hostdeploy scripts from the Hostdeploy custom resource (for more details see the script section).
    • Postdeploy.ps1
    • BL460_npiv.ps1
      • Reboots the host for NPIV to become available
    • BL460_vmsan.ps1
    • BL460_xxxx_vmq.ps1

The runbook returns a Success statement to the master runbook when the entire child runbook has run successfully. If something goes wrong during the child runbook, the process is terminated for that host and a “Failed at stage …” statement is returned to the master runbook (effectively ending the process for the host).


Bare Metal Post-Deployment – Constructing the Post-Deployment Automation – Part 3

Earlier this week I introduced Ben Gelens and his blog series on Hyper-V Bare Metal Post-Deployment. Here is part 3 on the topic of Constructing the Post-Deployment automation.

This blog post series consists of 5 parts:

  1. Part 1: Introduction and Scenario
  2. Part 2: Pre-Conditions
  3. Part 3: Constructing the Post-Deployment automation (this blog post)
  4. Part 4: Constructing the Post-Deployment automation continued
  5. Part 5: Running the Post-Deployment automation and Bonus


Constructing the Post-Deployment automation

To make the process extensible we use a master runbook that performs the common tasks needed on all hosts and decides which child runbook to call when tasks become specific. Where a custom resource script is run, the script is described after the runbook.

This chapter will be split into 2 blog posts. Let’s start with the master runbook.

Master Runbook “Run-HyperVPostDeployment”.

First the runbook acquires the credentials and the FQDN needed to connect to the SCVMM environment. It then passes that data to the Get-HyperVHosts child runbook and asks it to deliver the Hyper-V hosts which are ready for post deployment. For every host returned, a connectivity check is performed against WinRM. When a host is responsive, it is placed in maintenance mode and its hardware type is queried and stored in memory together with the SCVMM host object. Every non-responsive host is filtered out. All active hosts then run the following process in parallel (2 at a time because of the throttle limit set in the $throttlelimit variable; 5 is the maximum a workflow allows):

  • Group policy update (make sure all GPO firewall rules are applied)
  • Filtering on hardware type and environment
  • Processing of the specific child runbook (if it ran successfully continue, else break for this host)
  • Perform the NIC registry fix
  • Switch off maintenance mode
  • Mark the host as “Finished” with post deployment (Post Deployment Status custom property = “Finished”)
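The following SMA workflow is an added example of the orchestration just described; it is not the original Run-HyperVPostDeployment runbook. It assumes the SMA assets named in Part 2 exist (the credential “SMA SCVMM Service Account” and the variables VMMServer and SMAWebServer), that the child runbooks Get-HyperVHosts and Config-BL460CGen8 exist with the parameters shown, that the custom resource is called Hostdeploy.cr and contains Nic_registryfix.ps1, and that the Run As account is named “SCVMM Admin Run As Account”. The WMI model string matched against (“BL460c Gen8”) and the host group naming used to derive the Type parameter are assumptions as well. The child runbook is started through the SMA web service with the credential asset rather than the runbook worker’s own account.

```powershell
# Added example of the master runbook, not the original. Asset and runbook names are assumptions.
workflow Run-HyperVPostDeployment
{
    $cred          = Get-AutomationPSCredential -Name 'SMA SCVMM Service Account'
    $vmmServer     = Get-AutomationVariable -Name 'VMMServer'
    $smaWeb        = Get-AutomationVariable -Name 'SMAWebServer'
    $throttlelimit = 2   # the post states 5 as the workflow maximum

    # Nested (inline) child runbook call: hosts whose 'Post Deployment Status' is still empty
    $candidates = Get-HyperVHosts -VMMServer $vmmServer -Credential $cred -ReadyForPostDeploy $true

    # WinRM check, maintenance mode and hardware model, one host at a time.
    # Only strings cross the workflow boundary; SCVMM objects do not serialize well.
    $active = @()
    foreach ($name in $candidates.Name) {
        $model = InlineScript {
            $n = $Using:name
            if (-not (Test-WSMan -ComputerName $n -ErrorAction SilentlyContinue)) { return $null }
            Import-Module virtualmachinemanager
            Get-SCVMMServer -ComputerName $Using:vmmServer -Credential $Using:cred | Out-Null
            Disable-SCVMHost -VMHost (Get-SCVMHost -ComputerName $n) -MoveWithinCluster | Out-Null
            (Get-WmiObject Win32_ComputerSystem -ComputerName $n -Credential $Using:cred).Model
        }
        if ($model) { $active += @{ Name = $name; Model = $model } }
        else        { Write-Warning "$name does not answer WinRM; skipped" }
    }

    foreach -parallel -throttlelimit $throttlelimit ($h in $active) {
        $name  = $h.Name
        $model = $h.Model
        $result = InlineScript {
            $n = $Using:name; $web = "https://$($Using:smaWeb)"; $c = $Using:cred
            Import-Module virtualmachinemanager
            Get-SCVMMServer -ComputerName $Using:vmmServer -Credential $c | Out-Null
            $vmHost = Get-SCVMHost -ComputerName $n
            $runAs  = Get-SCRunAsAccount -Name 'SCVMM Admin Run As Account'
            $cr     = Get-SCCustomResource -Name 'Hostdeploy.cr'

            # 1. Group policy update so all GPO firewall rules are applied
            Invoke-Command -ComputerName $n -Credential $c -ScriptBlock { gpupdate.exe /force } | Out-Null

            # 2 + 3. Filter on hardware and environment, then run the specific child runbook as its own job
            if ($Using:model -notmatch 'BL460c Gen8') { return "Failed at stage hardware filter: $($Using:model)" }
            $type = if ($vmHost.VMHostGroup.Name -match 'Prod') { 'Production' } else { 'Test' }
            $job  = Start-SmaRunbook -WebServiceEndpoint $web -Name 'Config-BL460CGen8' -Credential $c `
                        -Parameters @{ VMHostName = $n; Type = $type }
            do {
                Start-Sleep -Seconds 30
                $state = (Get-SmaJob -WebServiceEndpoint $web -Id $job -Credential $c).JobStatus
            } until ($state -in 'Completed', 'Failed', 'Stopped', 'Suspended')
            $out = (Get-SmaJobOutput -WebServiceEndpoint $web -Id $job -Stream Output -Credential $c).StreamText
            if ($state -ne 'Completed' -or $out -notmatch 'Success') { return "Failed at stage child runbook: $state $out" }

            # 4. NIC registry fix, run from the custom resource through SCVMM
            Invoke-SCScriptCommand -Executable 'powershell.exe' `
                -CommandParameters '-ExecutionPolicy Bypass -File Nic_registryfix.ps1' `
                -VMHost $vmHost -RunAsAccount $runAs -LibraryResource $cr | Out-Null

            # 5 + 6. Leave maintenance mode and mark the host as finished
            Enable-SCVMHost -VMHost $vmHost | Out-Null
            $cp = Get-SCCustomProperty -Name 'Post Deployment Status'
            Set-SCCustomPropertyValue -InputObject $vmHost -CustomProperty $cp -Value 'Finished' | Out-Null
            'Success'
        }
        Write-Output "${name}: $result"
    }
}
```

Each host’s outcome is written as one line of the master job output, so the job summary shows at which stage a host stopped, as the post describes; a host that fails stays in maintenance mode and keeps an empty custom property, so the next run picks it up again.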


Side note
Inlinescript sections share the same session which is why you only have to import the SCVMM PowerShell module once. For more info see about_InlineScript.

Custom Resource: Nic_registryfix.ps1

Nic_registryfix.ps1 runs on all hosts and handles the following tasks:

  • Query all VM switches
  • Look up the NIC to which each switch is bound
  • If the NIC is a team multiplexor NIC, look up all team member adapters
  • For all NICs found, add registry items to disable DNS dynamic update and DHCP.
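As an added illustration of those four steps (not the original Nic_registryfix.ps1), the script below walks from each external VM switch to its bound adapter, expands an LBFO team into its members, and writes the registry values on every adapter it finds. The post does not name the registry items; the values used here, RegistrationEnabled and EnableDHCP under the per-interface Tcpip Parameters key, are an assumption on my part. The point of the fix is that team members and switch-bound NICs should never register their own names in DNS or pick up DHCP leases, which otherwise pollutes DNS with stale host records.

```powershell
# Added example, not the original custom resource script. Run locally on a Hyper-V host.
$tcpipInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-SwitchBoundAdapters {
    # Returns the adapter behind every external VM switch; if that adapter is a
    # team multiplexor NIC, the team interface and all its members are returned.
    $adapters = @()
    foreach ($switch in Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' }) {
        $bound = Get-NetAdapter -InterfaceDescription $switch.NetAdapterInterfaceDescription
        $adapters += $bound
        $team = Get-NetLbfoTeam -ErrorAction SilentlyContinue |
                Where-Object { $_.TeamNics -contains $bound.Name }
        if ($team) {
            $adapters += Get-NetLbfoTeamMember -Team $team.Name |
                         ForEach-Object { Get-NetAdapter -Name $_.Name }
        }
    }
    $adapters | Sort-Object -Property InterfaceGuid -Unique
}

function Disable-DnsRegistrationAndDhcp {
    param([Parameter(Mandatory = $true)] $Adapter)
    # InterfaceGuid already carries the braces the registry key uses
    $key = Join-Path -Path $tcpipInterfaces -ChildPath $Adapter.InterfaceGuid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name RegistrationEnabled -Value 0 -Type DWord   # no DNS dynamic update
    Set-ItemProperty -Path $key -Name EnableDHCP          -Value 0 -Type DWord   # no DHCP
    "$($Adapter.Name) ($($Adapter.InterfaceGuid)): DNS registration and DHCP disabled"
}

Get-SwitchBoundAdapters | ForEach-Object { Disable-DnsRegistrationAndDhcp -Adapter $_ }
```

The Sort-Object -Unique on InterfaceGuid matters when two switches share a team: without it the same member adapter would be processed twice, which is harmless here but makes the log misleading.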


Child Runbook “Get-HyperVHosts”.

The Get-HyperVHosts runbook queries SCVMM for all Hyper-V hosts and checks either whether the “Post Deployment Status” custom property is empty (-ReadyForPostDeploy $true) or whether it has the value provided by the invoker (e.g. -PostDeploymentStatus “Finished”). If the non-mandatory parameters are omitted, it returns all Hyper-V host objects. This runbook can be called directly or as a child runbook. In this case it is called directly with the inline method (nested).


I’ll be using multiple methods to show the possibilities in SMA. For more info see:


Bare Metal Post-Deployment – Pre-Conditions Part 2

Earlier this week I introduced Ben Gelens and his blog series on Hyper-V Bare Metal Post-Deployment. Here is part 2 describing the pre-conditions.

This blog post series consists of 5 parts:

  1. Part 1: Introduction and Scenario
  2. Part 2: Pre-Conditions  (this blog post)
  3. Part 3: Constructing the Post-Deployment automation
  4. Part 4: Constructing the Post-Deployment automation continued
  5. Part 5: Running the Post-Deployment automation and Bonus



In this blog post all fundamentals will be put into place so we have some hooks and workable items for the automation to utilize.

I’ll assume you have a working SCVMM and SMA environment and are already able to perform the bare metal deployment process itself. For an excellent guide on how to start with SMA, download the SMA Whitepaper written by MVP Michael Rueefli. I also assume Windows Azure Pack is in place to front-end SMA.

You have to install the SCVMM Console on the SMA Runbook Worker for the described runbooks to work.

Host Groups

Because one server model can of course be used for multiple environments (e.g. Production and Test), I have configured multiple host groups for these servers. The host groups are used as a filter mechanism for the SMA runbooks to apply different configurations, if any exist (e.g. a different uplink port profile or differences in hardware resources).

Hyper-V Host Custom Property

To determine which Hyper-V hosts are subject to a post deployment process, a Custom Property is implemented and bound to the Hyper-V host object. In this case we define that if this property has no value on a host, the post deployment process will run against that host.

To create a custom property in SCVMM, run the following cmdlet:

This host has finished its post deployment process and won’t be part of the next cycle.
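The block below is an added example that serves both the custom property pre-condition described here and the Get-HyperVHosts child runbook described in Part 3; it is not the original cmdlet from this post nor the original runbook. It assumes the property is named “Post Deployment Status” and is bound to VM hosts, and that the runbook parameters are the ones named in Part 3 (-ReadyForPostDeploy and -PostDeploymentStatus).

```powershell
# Added example, not the original runbook. Property name and parameters are taken from the posts.
workflow Get-HyperVHosts
{
    param(
        [Parameter(Mandatory = $true)] [string]       $VMMServer,
        [Parameter(Mandatory = $true)] [PSCredential] $Credential,
        [bool]   $ReadyForPostDeploy,     # $true: only hosts whose property is empty
        [string] $PostDeploymentStatus    # e.g. 'Finished': only hosts with exactly that value
    )

    InlineScript {
        Import-Module virtualmachinemanager
        Get-SCVMMServer -ComputerName $Using:VMMServer -Credential $Using:Credential | Out-Null

        # Pre-condition: create the custom property once, bound to the VM host object type
        $cp = Get-SCCustomProperty -Name 'Post Deployment Status'
        if (-not $cp) {
            $cp = New-SCCustomProperty -Name 'Post Deployment Status' -AddMember @('VMHost') `
                      -Description 'Empty = post deployment pending, Finished = done'
        }

        foreach ($vmHost in Get-SCVMHost) {
            $value = (Get-SCCustomPropertyValue -InputObject $vmHost -CustomProperty $cp `
                          -ErrorAction SilentlyContinue).Value
            $isEmpty = [string]::IsNullOrEmpty($value)

            if ($Using:ReadyForPostDeploy -and -not $isEmpty) { continue }
            if ($Using:PostDeploymentStatus -and $value -ne $Using:PostDeploymentStatus) { continue }
            # Both filters omitted: every host is returned
            $vmHost
        }

        # Marking a host done after post deployment looks like this (shown for completeness):
        # Set-SCCustomPropertyValue -InputObject $vmHost -CustomProperty $cp -Value 'Finished'
    }
}
```

When the workflow is called inline from another workflow, the host objects come back deserialized, so the caller should rely on simple properties such as Name and re-fetch the live object with Get-SCVMHost inside its own InlineScript.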

Custom Resource

Post-deployment tasks are run through a series of scripts, coordinated by an SMA runbook, which are executed on the Hyper-V hosts. SCVMM is used to deploy and start the scripts. The scripts and supporting utilities are stored in an SCVMM custom resource. To create a custom resource, simply create a new folder in your SCVMM library and name it with a “.cr” extension (e.g., then refresh your library.


During post deployment, HP Smart Update Manager (HPSUM) is invoked to install drivers and additional HP software. HPSUM and its packages must be present on a file server share (a custom resource script described later invokes HPSUM). Download the latest Service Pack for ProLiant (SPP) and extract the content of the swpackages folder to the share.

During the post-deployment process, the entire content of the share is copied to the Hyper-V host so HPSUM can be executed with a local repository (earlier versions ran well with a repository on a share; the newer versions unfortunately do not). You can remove the Virtual Connect firmware from the HPSUM share, which dramatically reduces the amount of data that needs to be copied.

Download the latest version of “OneCommand Fibre Channel and Converged Network Adapter Configuration Utility” from the website and add the CP package to the HPSUM share. This utility will be used by “BL460_npiv.ps1″ (custom resource script) to enable NPIV support.

SMA Variables and Stored Credentials

For SMA to interface with other components, some variables and credentials need to be created as an SMA Asset.

Asset Name                  Asset Type        Notes
SMA SCVMM Service Account   Credential        Domain account; member of the SCVMM Administrator role
VMMServer                   String Variable   FQDN of the VMM server
SMAWebServer                String Variable   FQDN of the SMA Web Administration server


The SMA Runbook Worker account must be an SMA Administrator to start child runbooks via the SMA web service. This can be done either by making the service account a member of the Active Directory group specified during installation or a member of the smaAdminGroup local group on the SMA web server. You can of course also create a credential asset and adjust the runbook to use those credentials when starting the child runbook, which would probably be better.

SCVMM Stored Credentials

For SCVMM to run scripts on Hyper-V hosts, an SCVMM Run As account with local administrator rights on the Hyper-V hosts needs to be in place.

Run As Account Name          Notes
SCVMM Admin Run As Account   Domain account; member of the local Administrators group on the Hyper-V hosts

Rename Uplink Port Profile Sets

When you configure a Logical Switch with an uplink port, an uplink port profile set is created. Its name is the uplink port profile display name with a GUID appended. Since we need to specify the uplink port profile set to use when we implement the logical switch on the Hyper-V host, and the GUID complicates this a little, we strip the GUID off. This is not a mandatory pre-condition but it is helpful for this blog.

To do this for all uplink sets run:


To do this for all uplink sets associated with a logical switch run:
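The two commands referred to above are not reproduced on this page, so here is an added example covering both cases (all uplink port profile sets, and only those belonging to one logical switch). It is my own code, not the original snippets. The naming format is assumed to be the display name followed by a separator and a GUID; the regex only strips a trailing GUID and refuses to rename when the shortened name would collide with another set on the same logical switch. The VMM server FQDN and the logical switch name are constructed placeholders.

```powershell
# Added example, not the original commands. Server and switch names are constructed values.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'vmm01.contoso.local' | Out-Null   # constructed FQDN

# A trailing GUID with an optional separator; assumption about how SCVMM builds the name
$guidSuffix = '[_ -]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

function Rename-UplinkPortProfileSets {
    param($LogicalSwitch)   # optional: restrict to one logical switch object

    $sets = if ($LogicalSwitch) { Get-SCUplinkPortProfileSet -LogicalSwitch $LogicalSwitch }
            else                { Get-SCUplinkPortProfileSet }

    foreach ($set in $sets) {
        $newName = $set.Name -replace $guidSuffix, ''
        if ($newName -eq $set.Name -or [string]::IsNullOrWhiteSpace($newName)) { continue }

        # Names must stay unique per logical switch; skip instead of creating a duplicate
        $clash = Get-SCUplinkPortProfileSet -LogicalSwitch $set.LogicalSwitch |
                 Where-Object { $_.Name -eq $newName }
        if ($clash) { Write-Warning "Skipping $($set.Name): '$newName' already exists"; continue }

        Set-SCUplinkPortProfileSet -UplinkPortProfileSet $set -Name $newName | Out-Null
        "$($set.Name) -> $newName"
    }
}

# All uplink port profile sets
Rename-UplinkPortProfileSets

# Only the sets associated with one logical switch
Rename-UplinkPortProfileSets -LogicalSwitch (Get-SCLogicalSwitch -Name 'Infra')   # constructed name
```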



Bare Metal Post-Deployment – Introduction and Scenario Part 1

Allow me to introduce Ben Gelens, who has just joined INOVATIV as a consultant focusing on Windows Server, Hyper-V, Azure, Cloud and Automation. Ben got my attention after writing several superb blogs on Virtual Machine Manager at:

Several weeks ago Ben sent me a huge blog on Hyper-V Bare Metal Post-Deployment which I reviewed and advised to split into a number of smaller blogs. Ben kindly accepted my wish to publish his blog series on, so please enjoy!



In this series of blog posts I will describe a method for Hyper-V host Bare Metal Post-deployment which I developed and have been using in a production environment. This method of course is just one example of a viable solution and it is not per se THE method. My intention is that you can gather enough information from these posts to develop your own method.

This method uses:

  • SCVMM Custom Resource containing PowerShell configuration scripts and supporting executables (a.k.a. Generic Command Execution, GCE).
  • Service Management Automation (SMA) runbooks to orchestrate the post installation process and parallelize the process across multiple hosts.

When this blog post series is done, the entire post deployment sequence can be fully automated and made available at the push of ONE button!


When I just started working with the bare metal deployment features of SCVMM 2012, I soon found this blog written by Mike DeLuca. My work started based on this blog post so many credits go here!

These blog posts are not intended to be a PowerShell or SMA course. I will assume you are able to read and interpret the PowerShell lines provided and will not go into detail what every line does. Instead I’ll briefly describe what happens when a script or runbook is executed.

This blog post series consists of 5 parts:

  1. Part 1: Introduction and Scenario (this blog post)
  2. Part 2: Pre-Conditions
  3. Part 3: Constructing the Post-Deployment automation
  4. Part 4: Constructing the Post-Deployment automation continued
  5. Part 5: Running the Post-Deployment automation and Bonus

So that’s it for the introduction, let’s move on!


For this blog post I have 2 environments, Production and Test, with the same hardware (HP BL460c Gen8). Servers have been bare metal deployed with Windows Server 2012 R2.

All blades are equipped with 2 Emulex FlexibleLOM I/O cards (2x 40Gb/s full duplex). Let’s elaborate a little so you have a better understanding (what I explain here applies to the 554 family of FlexibleLOM cards; other cards can have different options).

A FlexibleLOM I/O card can be divided into multiple FlexNICs and a FlexHBA (Host Bus Adapter). FlexibleLOM cards have 2 ports each mapped to a respective interconnect bay port (FlexFabric or Flex10). The cards can have a maximum of 4 devices per port (3 FlexNICs and 1 FlexHBA per port). The FlexHBA can be either an FCOE or an iSCSI HBA. In this case the FLB card (FlexibleLOM for Blade, mandatory card installed at manufacturing) will have 1 FCOE FlexHBA per port to facilitate FCOE connectivity for the CSV and Quorum volumes and virtual Fibre Channel Switches (2Gbps per port is still unassigned which can be used for other means, e.g. iSCSI VM switches). The Mezzanine card will have 2 FlexNICs, 1 for infrastructure connectivity per port and 1 for VM connectivity per port. Bandwidth for all FlexNICs and FlexHBAs is assigned with minimum guaranteed values but is allowed full capacity when this is available and required. At the Windows level, all NICs are 10Gbps which is a behavioral change introduced in Virtual Connect firmware 4.01 (at firmware levels before 4.01 the bandwidth was assigned statically as a maximum value and was reported to Windows as well).

Windows is presented with 10Gbps adapters. Because of this VMQ is enabled the moment a VM Switch is attached to an adapter.


Because port 1 and port 2 of each adapter break out to different interconnect bays, which in turn break out to different core switches and / or Fibre fabrics, full path redundancy can be achieved by teaming the FlexNICs at the OS level and by using MPIO for the Fibre connections.


Windows Azure Pack – Active Directory Design Choices

Darryl van der Peijl wrote this great guest blog on design considerations for Active Directory in a Windows Azure Pack environment:

In this blog I will discuss different Active Directory designs, focusing on the use of Windows Azure Pack. Since Windows Azure Pack is nothing different from a regular web service, these designs can be used in a very generic way.

When talking Active Directory, we are actually talking security. The design decisions you make can have a huge impact on the vulnerability of your infrastructure.

Windows Azure Pack is offering a number of services that can be accessed from the Internet like the Tenant Portal and Tenant Public API, and don’t forget the “Remote Console” feature which will need a Remote Desktop Gateway server accessible from the Internet as well.

It is recommended to put servers in a DMZ/Perimeter network which can be accessed from the outside. Since they are reachable from the potentially ‘hostile’ external world, these servers can become subject to intrusion or hijacking by attackers. The DMZ/Perimeter network is a containment area so that a breached server does not gain immediate access to your internal infrastructure.

So, let’s get started!

I will discuss the following four different Active Directory designs and sum up the advantages and disadvantages.

  • No Active Directory in DMZ / Perimeter Network
  • Extended Forest
  • Forest with child domains
  • Isolated Forests

The following terms will be used:

ADDS: Active Directory Domain Services
DMZ / Perimeter Network: The zone for external facing services
Local Network: The zone for internal services
Local infrastructure: Infrastructure (servers) in the Local Network
Perimeter infrastructure: Infrastructure (servers) in the Perimeter Network


No Active Directory in DMZ / Perimeter Network

You can implement Windows Azure Pack without the use of Active Directory, so you don’t have to create a separate domain for WAP in the perimeter. Windows Azure Pack will use the local server’s Security Accounts Manager (SAM) database to authenticate identities and will use SQL authentication for the databases.

The security risk of this design is medium.

Advantages

  • No ADDS needed (Advantage?)
  • No VMs for ADDS

Disadvantages

  • Users and servers have to be managed locally on each server
  • You cannot set up Failover Clusters without ADDS (Hyper-V, SQL AlwaysOn, ..)
  • The Kerberos protocol and certificates are not available for local SAM authentication.
  • Centralized updates (WSUS) cannot be implemented
  • No ability to use ADFS

For Windows Azure Pack built-in functionality like “Console Connect” or “Network Virtualization” you will need to build a Hyper-V cluster.

Additional Background on the VMQ Issue with Emulex and HP

Today I had a conference call with the people from Emulex responsible for the network adapters, firmware and drivers. As many of you know we’ve had a long lasting issue with HP/Emulex 554FLB CNAs in HP BL460c Gen 8 blade servers in c7000 blade enclosures. After we had replaced Windows Server 2012 with Hyper-V by Windows Server 2012 R2 with Hyper-V on the same hardware, we started to notice virtual machines losing connection. We have multiple guest clusters on top of the Hyper-V clusters and sometimes during Live Migration of one of the cluster nodes, we would see that connectivity was lost, even to the point that a cluster node would be forced to leave the cluster and come back later when the network connection was re-established. In fact that was our single best test to reproduce the problem.

Marc van Eijk and Peter Noorderijk wrote blogs about it, and together they got over 200 comments from customers all over the world seeing the same problem, the majority of them having Emulex through an OEM like HP, Dell, IBM and Cisco. In fact we also read similar cases with HP rack servers, other NICs and different hardware combinations, which led me to believe there could also be an issue in the networking/teaming stack in Windows Server 2012 R2.

During the months of November and December 2013 we collected a list of 10 registered support cases with either HP, Microsoft or both. At that time my primary contact was a senior escalation engineer at Microsoft who was able to collect several customer cases mostly from European customers. Unfortunately we could not register a support case with HP ourselves because we did not have a support contract with them. But the amount of customers that discovered they had the same problem, grew and grew. There must have been hundreds of open support calls with both HP and Microsoft and the storm of discontent was growing.

According to HP they were dependent on Emulex and HP did not get any feedback either. Also Microsoft was left in the dark for a long time.


System Center, Hyper-V, Azure and Meat

If you like System Center, Hyper-V and Azure as well as meat, don’t forget to register for System Center Summer Night “The MasterChef edition”, which is rapidly approaching. In 10 days from today, nine experts, seven of them MVPs, will give five interesting presentations.

Because we have plenty of space left we invite those who have registered to bring a friend without additional cost. If you haven’t registered yet, please do and have a great afternoon which is completed with a nice barbecue.

Date of event

June 26th


15:00 – 16:15 How many System Center fits on one grill by Ronny de Jong / James van den Berg [MVP] / Helmer Zandbergen / Marc van Eijk [MVP] / Dieter Wijckmans [MVP]

16:15 – 17:30 How Service Manager can do everything you need – a best-of-the-best Swiss cheese selection by Marcel Zehner [MVP]

17:30 – 17:45 Break

17:45 – 19:00 Light up the fire on your Hyper-V by Hans Vredevoort [MVP] & Peter Noorderijk on Hyper-V Architecture

19:00 – 20:15 Become a Masterchef on Microsoft Azure Automation by Maarten Goet [MVP]

20:15 BBQ time

This event is organized by and


Please register at


4103 NM Culemborg

Hyper-V Amigos Back in Quartet Formation

Back in 2011, four Hyper-V MVPs decided to take on a server virtualization master class series focusing on Hyper-V for which they adopted the Spanish sounding name “The Hyper-V Amigos”. In the previous months German Hyper-V MVP Carsten Rachfahl, well known for his Hyper-V podcasts and videos, had already made three episodes with Belgian Hyper-V MVP, Didier van Hoye aka @WorkingHardInIT which gave us a lot of background of both Carsten and Didier in Episode 1, as well as some great explanatory showcasts on Unmap and Live Migration in Windows Server 2012 R2 in Episodes 2 and 3.

This time Carsten also invited Aidan Finn, Hyper-V MVP out of Ireland, and myself to what seemed like a reunion. Three of the MVPs had visited TechEd North America, and in Episode 4 they look back on how they came to be known as The Hyper-V Amigos and what their thoughts were on the TechEd 2014 event.

I invite you to watch the next episode of The Hyper-V Amigos:

Update Rollup for June 2014

The update rollup for June 2014 fixes the issues that are documented in the following Microsoft Knowledge Base (KB) articles:

  • Update for data deduplication to improve scalability in Windows Server 2012 R2
  • You are prompted for BitLocker recovery key when Windows enters the automatic repair process
  • “Hyper-V Replica Cluster Broker is not installed” error when you replicate private clouds to Windows Azure
  • DNS server crashes after you install update 2919355 for Windows Server 2012 R2
  • Connectivity lost between two nodes when a node reconnects to a Windows Server 2012 R2-based cluster
  • CPrepSrv.exe process crashes or Failover Cluster Manager freezes when you validate storage in Windows Server 2012 R2
  • Removed nodes can access shared disk resources unexpectedly in Windows Server 2012 R2
  • You cannot stop the cluster service on a Windows Server 2012 R2-based failover cluster
  • Storage spaces take a long time to move to another node after a node fails on a Windows Server 2012 R2 failover cluster
  • STS passive sign-in fails when a sign-in request is sent to a Windows Server 2012 R2-based STS server through STS proxy
  • AD FS device authentication is slow or fails in Windows Server 2012 R2
  • Authentication failures and event 422 when AD FS STS servers and AD FS proxy servers are in Windows Server 2012 R2
  • Long wait when you first open File Explorer in Windows RT 8.1 or Windows 8.1
  • Virtual machine network fails when you start the second VM on a Windows Server 2012 R2-based Hyper-V server
  • Windows Update does not download drivers for shared printers in Windows 8.1 or Windows Server 2012 R2
  • Error occurs when you run Get-VirtualDisk|Get-ClusterResource cmdlet in Windows 8.1 or Windows Server 2012 R2
  • OneDrive improvement update for Windows RT 8.1 and Windows 8.1: June 2014
  • “0x80041013” error on a WMI provider in Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2
  • “There was a problem” error when you redeem a promotional CSV token in Windows 8.1 or Windows Server 2012 R2
  • Cannot select Chinese suggestion words from on-screen keyboard in Windows 8.1 or Windows Server 2012 R2
  • Settings are migrated incorrectly after you refresh the system by using PBR in Windows RT 8.1 or Windows 8.1
  • Logon UI crashes when you connect to a remote server that is running a Windows Server 2012 R2 Core installation
  • Update to improve the OneDrive experience in Windows RT 8.1 and Windows 8.1
  • Excel freezes when you convert Japanese characters in Windows
  • Audit event ID 4661 triggers an invalid XML error in a Windows Server 2012 R2 or Windows Server 2008 environment
  • “The CA certificate could not be retrieved, element not found” error occurs when the CA server host name is longer than 52 characters
  • 2936341: The WebClient service does not send cookies in Windows
