  • Adam Tyler

    Hello ITPro.TV! I'm looking for some guidance on configuration options for the "Provisioning Traffic" of vSphere 6 and above. I am very familiar with vMotion traffic and use the "Multi-NIC" setup for vMotion often in my single cluster deployments. I'd like to use the same approach to configure Provisioning Traffic, but I can't find any VMware documentation stating that vSphere actually supports "Multi-NIC" provisioning traffic.

    Furthermore, I'm not sure what good Provisioning Traffic would do me in a single cluster scenario where all hosts in the cluster have access to all datastores. It seems that a "cold" migration of a VM from one datastore to another would all be IO traffic over iSCSI or NFS. The only time a cold migration of a VM would utilize the provisioning vmkernel seems to be if you were using the Provisioning TCP/IP stack and performing a cold migration or clone with routing to a different cluster and a separate set of storage.

    Maybe I am off base, can anyone confirm when the "provisioning" traffic would be utilized in a single cluster where all hosts have direct access to all shared storage volumes?

    Regards,
    Adam Tyler

    posted in General Discussion
  • Adam Tyler

    Hello ITPro.TV! I am going through the AD CS section of the 70-242 exam course and had a question regarding enterprise root vs stand-alone CAs.

    First, my understanding of the two is that stand-alone CAs are not domain joined and consequently cannot be used for auto-enrollment process via GPO. Whether you are using stand-alone CAs or Enterprise CAs, it is typically accepted as a best security practice to keep the root CA "offline".

    This brings up a flurry of questions from me.... Hopefully they are quick and easy to answer.

    1. If you keep your enterprise root CA offline, what about domain "trust" issues when the SID of the computer object tombstones while the server is offline for an extended period of time?

    2. Windows updates? How are you supposed to apply Windows updates to an offline root CA? Let's say your environment's patching policy is such that patches must be applied within 30 days of release.

    3. Can you have enterprise subordinate CAs that use a stand-alone (non domain joined) root CA? That way you don't have to deal with domain integration on the root, but can still use auto-enrollment features?

    4. When (if ever) is it acceptable to use an enterprise root CA that stays online at all times?

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    @adam-gordon Thanks Adam!

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    Hello ITPro.TV! Quick question around using a central repository for GPO policy definitions. I ran into an issue recently where new Windows 10 systems required a Policy Definition update in order to turn specific "update" knobs which were not present in previous versions. I ended up finding the latest ADMX file for just Windows Updates and overwriting the policy within our central store at the following path for example:

    \\domain.local\SYSVOL\domain.local\Policies\PolicyDefinitions

    My question is, what's to stop me from updating the entire repository on a regular basis? What is the "go to" Microsoft URL for obtaining this new set of policy definitions and is it safe to simply download them whenever there is an update and overwrite what we have in the existing PolicyDefinitions folder? Or do we need to be careful about what version our domain/forest is in before using new policy definitions?

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    So as is the way with IT, persistence and patience over skill gets you there. I finally got this working. I think my biggest problem was that I didn't follow the article exactly. I had actually built the cluster through the GUI initially rather than running the PowerShell commands. The only other difference I can think of is that I never installed the File Services role like the article suggested. Anyhow, I went back and blew up the cluster and ran through the article again exactly. One command had changed completely since it was posted...

    Reference article:
    https://www.virtualtothecore.com/en/build-a-microsoft-storage-spaces-direct-cluster-using-vmware-virtual-machines/

    Command difference:
    Article says to run:

    Enable-ClusterS2D -CacheMode Disabled -AutoConfig:0 -SkipEligibilityChecks
    

    Actually had to run:

    Enable-ClusterS2D -AutoConfig:0 -SkipEligibilityChecks
    set-ClusterStorageSpacesDirect -CacheState Disabled
    

    For Reference:
    I am running Server 2016 10.0.14.393 N/A Build 14393

    I'm not sure if that set command actually does the same thing as the above "-CacheMode" switch, but it doesn't seem to be supported any longer on my build.

    So, S2D lab built, only one problem... Well one problem and one question... First, there's this...
    [screenshot not preserved]

    I am able to build new volumes manually with commands like this:

    New-Volume -StoragePoolFriendlyName Pool01 -FriendlyName Volume2 -PhysicalDiskRedundancy 1 -FileSystem CSVFS_ReFS -Size 10Gb
    

    I don't really get the redundancy setting above. No idea what 1 vs another number would do. Need to research more.

    Also not sure why the GUI thinks the pool isn't configured correctly. So this is unsupported Microsoft territory then? Can't use Storage Spaces Direct in this manner at the guest and call Microsoft if there is a problem?

    We use a replication technology for DR purposes that simply doesn't support volumes that aren't in a VMDK file. So I haven't been able to use Windows Clustering yet. Would really be cool not to patch things at midnight. :)

    ~
    Another question. Can you not use an S2D volume as a witness disk?! why!?

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    Mr. Gordon, thanks for your quick reply!

    Yes, I did use the ".virtualHDD = 1" option within the VMX as I do not have SSD drives installed into the server. Speaking of the server, this happens to be an HP DL360 G7 server with a p420i RAID controller. It has 4 physical drives that are in a RAID 10 array presented to the ESXi OS as a single VMFS datastore.

    So, not JBOD. I guess I thought this would definitely not work for a bare metal install of Windows Server and S2D, but I thought after watching the show you could do this at the VM level and not care about the underlying storage system? The "option 2" deployment in cloud infrastructure or on premise virtualized environments.

    P.S. I also did use Thick provisioned eager.

    I notice I am using the VMware paravirtual scsi controller within the VM, I will try and switch that back to the LSI default and see what I get.

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    Hello ITPro! So I just sat through the S2D class for 70-740 exam prep and it totally blew me away. I immediately ran to my lab and tried to get this going. I've got like 3 hours wrapped up into it now and am not having any luck. So I have a cluster built with two Datacenter 2016 servers. I added two additional virtual hard drives each 40Gb in size. Attempted to enable S2D for the cluster and I get this error:

    [screenshot not preserved]

    In looking at the drives a bit more closely I see this:

    [screenshot not preserved]

    I have been following this article and made the necessary changes to the VMX file as well as deployed the drives thick-provisioned as suggested. I was interested in testing the 2 node mirror option for VMs. In cloud scenarios...

    https://www.virtualtothecore.com/en/build-a-microsoft-storage-spaces-direct-cluster-using-vmware-virtual-machines/

    What am I missing?

    I am running ESXi 6.5.

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    Thanks for your response Mike. I actually deployed a new domain in a lab just to play with this. Currently just using the default domain\Administrator account to play around. Just checked and the PowerShell session I used to run this script is in the "Administrator: Windows PowerShell" Context... Hmm.

    What happened in your environment when you tried to re-create this? At this stage I am just creating the script to deploy this "server" side of Desired State Configuration.. So I don't really need to store the MOF for reference and continual execution correct? That's more for the next phase when the clients are configured to check in with this web service.....?

    In your example you had a pretty clean folder structure that looked like this for your client:
    c:\Configs\TargetNodes\WindowsBackup\

    I believe the MOF and the hash would go here for clients to continually check in. Why the "WindowsBackup" subfolder though? Could you not put all MOFs in the TargetNodes folder directly? Is this folder path called out somewhere within the server configuration? How does IIS know to serve this folder path up for DSC requests?

    Regards,
    Adam Tyler

    posted in Microsoft
  • Adam Tyler

    Okay, had a chance to test this while I was at the office... So I am using this script:

    C:\Configs\Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

    I made the following changes.

    # ======================================== Arguments ======================================== #
    $certificateThumbPrint = "AD45081CCC1564FA06AA39F760BC3D01888CC381"
    $registrationkey = "74d16e84-5bd4-4c7a-80d2-b438fb29d0c9"
    # ======================================== Arguments ======================================== #
    
    # =================================== Section Pull Server =================================== #
    configuration Sample_xDscWebServiceRegistrationWithSecurityBestPractices
    {
        param 
        (
            [string[]]$NodeName = 'localhost',
    
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint,
    
            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey # A guid that clients use to initiate conversation with pull server
        )
        
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    
        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"            
            }
    
            xDscWebService PSDSCPullServer
            {
                Ensure                  = "Present"
                EndpointName            = "PSDSCPullServer"
                Port                    = 8080
                PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint   = $certificateThumbPrint         
                ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"            
                State                   = "Started"
                DependsOn               = "[WindowsFeature]DSCServiceFeature" 
                RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"   
                AcceptSelfSignedCertificates = $true
                UseSecurityBestPractices = $true
            }
    
            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents        = $RegistrationKey
            }
        }
    }
    Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint
    # =================================== Section Pull Server =================================== #
    
    # =================================== Section DSC Client =================================== #
    [DSCLocalConfigurationManager()]
    configuration Sample_MetaConfigurationToRegisterWithSecurePullServer
    {
        param
        (
            [ValidateNotNullOrEmpty()]
            [string] $NodeName = 'localhost',
    
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey, #same as the one used to setup pull server in previous configuration
    
            [ValidateNotNullOrEmpty()]
            [string] $ServerName = 'localhost' #node name of the pull server, same as $NodeName used in previous configuration
        )
    
        Node $NodeName
        {
            Settings
            {
                RefreshMode        = 'Pull'
            }
    
            ConfigurationRepositoryWeb CONTOSO-PullSrv
            {
                ServerURL          = "https://$ServerName`:8080/PSDSCPullServer.svc" # notice it is https
                RegistrationKey    = $RegistrationKey
                ConfigurationNames = @('ClientConfig')
            }   
    
            ReportServerWeb CONTOSO-PullSrv
            {
                ServerURL       = "https://$ServerName`:8080/PSDSCPullServer.svc" # notice it is https
                RegistrationKey = $RegistrationKey
            }
        }
    }
    

    Now, if I run this script from a PowerShell window using zero options/switches, I end up with a new folder path:

    C:\Configs\Sample_xDscWebServiceRegistrationWithSecurityBestPractices\localhost.mof

    So it looks like the script completed without any errors. Here was the output I got when running.

    PS C:\Configs> .\Sample_xDscWebServiceRegistrationWithSecurityBestPractices -outputpath c:\Configs\PullServer
    WARNING: The configuration 'Sample_xDscWebServiceRegistrationWithSecurityBestPractices' is loading one or more built-in resources without
    explicitly importing associated modules. Add Import-DscResource –ModuleName 'PSDesiredStateConfiguration' to your configuration to avoid this
    message.
    
    
        Directory: C:\Configs\Sample_xDscWebServiceRegistrationWithSecurityBestPractices
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----       12/22/2017  12:13 PM           5402 localhost.mof
    
    
    PS C:\Configs> .\Sample_xDscWebServiceRegistrationWithSecurityBestPractices -outputpath c:\Configs\PullServer
    

    So that's good stuff. No errors this time around. I'm a little confused as to why it created the folder under configs... Did I not use the "outputpath" switch correctly?

    Regards,
    Adam Tyler

    posted in Microsoft
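    The two configurations in the post above compile into MOF files, and where they land is decided by the -OutputPath passed to the configuration call itself, not by a switch on the .ps1 invocation. The following PowerShell is an added example, not code from the post or from the xPSDesiredStateConfiguration module: it compiles the pull-server configuration into an explicit folder, stages a ClientConfig.mof with its checksum under the pull server's ConfigurationPath so that a node whose ConfigurationNames is @('ClientConfig') can fetch it, and then compiles and applies the LCM meta-configuration. The DNS name pullsrv.lab.local, the folder names, the ClientConfig configuration and the certificate lookup by subject are all assumptions; the example assumes the two configurations from the post have already been loaded into the session.

```powershell
# Added example, not from the original post. Assumes the configurations
# Sample_xDscWebServiceRegistrationWithSecurityBestPractices and
# Sample_MetaConfigurationToRegisterWithSecurePullServer from the post are
# already defined in this session (e.g. dot-source the script with its final
# call line removed). Names, paths and ClientConfig below are assumptions.

$ErrorActionPreference = 'Stop'

# Select the HTTPS server certificate by subject instead of pasting a thumbprint;
# the DNS name is an assumed placeholder for the pull server.
$pullServerName = 'pullsrv.lab.local'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$pullServerName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$pullServerName in LocalMachine\My" }

# Registration key: a fresh GUID; the File resource in the pull-server
# configuration writes it to RegistrationKeys.txt for xDscWebService to read.
$registrationKey = [guid]::NewGuid().Guid

# 1. Compile the pull-server MOF into an explicit folder and apply it.
#    -OutputPath goes on the configuration call, not on the script.
$serverMofDir = 'C:\Configs\PullServer'
Sample_xDscWebServiceRegistrationWithSecurityBestPractices `
    -RegistrationKey $registrationKey `
    -certificateThumbPrint $cert.Thumbprint `
    -OutputPath $serverMofDir | Out-Null
Start-DscConfiguration -Path $serverMofDir -Wait -Verbose -Force

# 2. Stage a client configuration for pull. The meta-configuration asks for
#    ConfigurationNames = @('ClientConfig'), so the pull server must hold
#    ClientConfig.mof and ClientConfig.mof.checksum in its ConfigurationPath.
configuration ClientConfig
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost'
    {
        # Assumed example resource: keep the Telnet client off pulled nodes.
        WindowsFeature TelnetClientAbsent
        {
            Ensure = 'Absent'
            Name   = 'Telnet-Client'
        }
    }
}
$configPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
$staging    = Join-Path $env:TEMP 'ClientConfig'
ClientConfig -OutputPath $staging | Out-Null
Copy-Item (Join-Path $staging 'localhost.mof') (Join-Path $configPath 'ClientConfig.mof') -Force
# New-DscChecksum writes ClientConfig.mof.checksum next to the MOF; the client
# compares it against the downloaded file before applying the configuration.
New-DscChecksum -Path (Join-Path $configPath 'ClientConfig.mof') -Force

# 3. Compile the LCM meta-configuration (produces localhost.meta.mof) and apply
#    it on the node that should pull from the server; here that is the same box.
$metaDir = 'C:\Configs\ClientMeta'
Sample_MetaConfigurationToRegisterWithSecurePullServer `
    -RegistrationKey $registrationKey `
    -ServerName $pullServerName `
    -OutputPath $metaDir | Out-Null
Set-DscLocalConfigurationManager -Path $metaDir -Verbose

# Pull once now rather than waiting for the next consistency check, then show
# that the LCM is in Pull mode and points at the HTTPS endpoint.
Update-DscConfiguration -Wait -Verbose
Get-DscLocalConfigurationManager | Select-Object RefreshMode, ConfigurationDownloadManagers
```

    Two points worth checking after running this: the ServerURL in the meta-configuration must match the certificate subject (the post's AcceptSelfSignedCertificates = $true only relaxes the chain check, not the name), and RegistrationKeys.txt under the DscService folder should be readable only by the pull-server service account, since any node that knows the key can register against the server.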
  • Adam Tyler

    Mike, thanks for your effort here! I will give this a shot over the weekend and let you know how things go.

    Regards,
    Adam Tyler

    posted in Microsoft