P2V SQL 2008 failover cluster using vSphere

October 24, 2009

So I tried a rather atypical SQL cluster installation. Moreover, I was tempted by all the new versions. So my target configuration was this:

  • DELL Equallogic iSCSI SAN
  • 1 node a physical machine
  • 2nd node a virtual machine on VMWare vSphere4
  • Windows Server 2008 R2 Failover Cluster
  • SQL Server 2008 SP1 installation in cluster

As expected, such a bundle of new products worked less than great together. You can make it work, but there are many tweaks needed. I ended up with the same configuration but running on WS2008 SP2 instead of R2. Here are a couple of tips:

  • If you want to use VMWare in a P2V cluster, VMWare does not support MPIO in such a configuration when using VMWare’s Raw Device Mapping. So we decided to expose iSCSI directly to the VM by using the Windows iSCSI initiator inside the VM (perhaps less performant, but a more robust approach).
  • Secondly, if you want an “aggregation” rather than HA-only iSCSI MPIO setup, then you need to install DELL’s Equallogic Host Integration Toolkit available from https://www.equallogic.com/support. Note: to run on WS2008R2 you need v3.3, which is an early production version (but it worked OK for us).
  • Next, if you want to install SQL Server 2008 on a Windows 2008 Failover cluster you should slipstream the SQL installation with SP1 (on R2 it won’t install at all; on a Standard WS08 cluster I had an error and had to reinstall with a slipstreamed version).
  • On vSphere4 Windows 2008 R2 is incompatible with VMWare Tools (you can omit installing them or install them but WITHOUT the video driver – it will freeze your VM).

So my recommendation is to go for fully physical clusters, or fully virtual ones, and stay away from P2V configurations. Additionally, wait for full support of SQL2008 on WS2008R2 and of WS2008R2 on VMWare (a patch is supposedly coming soon).

Import users from CSV file into Active Directory – the easy way

October 19, 2009

OK, this is a task that probably everyone has been faced with… Kinda boring.. There are a lot of ways and tools to do it: ldifde, csvde, PowerShell, VBScript…

However my favorite is this one-liner with the help of Joe’s admod tool:

admod -csv -add -import -unsafe -cont < .\UserImport.csv

(unsafe to import a lot of objects, cont to continue importing if an entry fails)

It will create disabled users, with a blank password and the change-password-at-first-logon attribute set. It seems the fastest and easiest method (thanks to Tomek for pointing this out to me).

Your CSV just needs to have DN as the first value. If you are wondering what attributes to add to the file, there’s a ton…

My sample is:


Oh, and if you are adding manager attribute, of course you need to make sure the manager account is on the list before the “managed” person.

If you are wondering what else to add, whole list of attributes for your reference is attached here.

If you want to modify your users after that use Tomek’s tip with adfind, admod combination.
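The two rules above (DN first, managers before the people they manage) are easy to get wrong in a hand-made file, so here is a pre-check to run before the admod one-liner. This is an added example, not a script from the post; it assumes a header row with the DN column named "dn" and an optional "manager" column holding the manager's DN, neither of which the post states.

```powershell
# Added example, not the post's own script: pre-check a UserImport.csv before running
# "admod -csv -add -import -unsafe -cont < .\UserImport.csv".
# Assumptions (not stated in the post): the file has a header row, the DN column is
# named "dn", and an optional "manager" column holds the manager's DN.
param(
    [string]$Path = '.\UserImport.csv',          # input file name used in the post
    [string]$Out  = '.\UserImport.ordered.csv'   # reordered copy to feed to admod
)

# Rule 1 from the post: the DN must be the first column.
$firstColumn = (Get-Content -Path $Path -TotalCount 1).Split(',')[0].Trim('"')
if ($firstColumn -ne 'dn') {
    throw "First column is '$firstColumn'; admod -csv expects the DN as the first value."
}

$rows = Import-Csv -Path $Path
$byDn = @{}
foreach ($r in $rows) { $byDn[$r.dn.ToLower()] = $r }   # DNs compare case-insensitively

# Rule 2 from the post: a manager must appear before the users that reference it,
# because admod processes the file top to bottom. A depth-first walk up the manager
# chain emits each manager before its reports; $seen also stops a manager cycle.
$seen    = @{}
$ordered = New-Object System.Collections.ArrayList

function Add-WithManager($row) {
    $key = $row.dn.ToLower()
    if ($seen.ContainsKey($key)) { return }
    $seen[$key] = $true
    if ($row.manager) {
        $mgr = $row.manager.ToLower()
        if ($byDn.ContainsKey($mgr)) {
            Add-WithManager $byDn[$mgr]
        } else {
            Write-Warning "Manager '$($row.manager)' of '$($row.dn)' is not in the file; it must already exist in AD."
        }
    }
    [void]$ordered.Add($row)
}

foreach ($r in $rows) { Add-WithManager $r }
# Add -Encoding if the file contains non-ASCII names.
$ordered | Export-Csv -Path $Out -NoTypeInformation
"Wrote $($ordered.Count) rows to $Out in manager-first order."
```

Export-Csv quotes every field, so check that your admod version accepts quoted CSV values before feeding it the reordered file.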

P2V for end-user scenarios?

October 14, 2009

I am definitely far from a gadget fan, and new things reach me last;) But finally I decided to upgrade my laptop from Vista to Win7. Vista is a disaster of an OS, but since I do not like reinstallations, I managed to tune it so it worked. A notebook is my tool, just like a hammer:) so I didn’t bother until I had to: I simply had to run a VM from Windows Virtual PC (which runs only on Win7 and is not backwards compatible with VPC2007).

Since I work at DELL, and to have access to mail (except OWA) I need a domain-joined laptop, I had figured out the following configuration: I would install a physical machine from the corporate DELL image, P2V this to a VM, and run my corporate VM on a Win7 x64 workgroup computer (I don’t like all these agents, scripts and policies;))

I had to install on a physical machine first, because DELL does not allow joining non-corporate images to the domain, and moreover has a strict policy on hardware-to-user binding via the service tag. It’s not possible to install the image directly in a VM – it will attempt to read a service tag. All this is performed by SCCM task sequences (looking at it from the end-user perspective it must be huuge..).

Anyway, the process looked easier than it was in fact, but I finally managed. This is how it went – in case you ever stumble upon such issues it may be handy:

  1. Install Win7 on physical machine. Lengthy but easy process, Dell IT automated.
  2. Disconnect the machine as soon as possible from the network so that the safeboot agent does not have enough time to get pushed and encrypt the drive.
  3. P2V using a great Sysinternals tool, Disk2vhd. I love their tools for their simplicity.
  4. The VHD created is a dynamically expanding VHD with max size that of original physical disk.
  5. Attempting to start the VM in Windows Virtual PC failed. The IDE bus implemented there supports disks only up to 127 GB (mine was 136). That limitation is not present in Hyper-V.
  6. I tried using VHDResizer. No luck. Again this seemed not to support such large files.
  7. So I mounted the VHD under Win7 – YES, you can do that now out of the box in Win7 – and shrunk the LOGICAL partition below 127 GB.
  8. I still could not start the VM in Windows Virtual PC, but I managed to use VHDResizer to resize the VHD to the amount I specified when shrinking the logical partition.
  9. Now I could start the VM, but… “OS boot could not be found”.
  10. A Windows repair (insert Win7 DVD iso, boot VM, do a repair) finally helped (I think shrinking the logical volume caused deletion of some boot information – which is fixed with bcdedit by the repair action automatically).
  11. Finally clean up physical devices from devmgmt.msc so that the VM boots faster: VMware KB Article.
  12. Ta..da.. in the end I can have my desired setup: separated VM for corporate stuff, boots much faster, encrypt all with BitLocker.

I am longing to see a day when IT will really be easier than THAT. However, I sense that soon we will have bare-metal hypervisors on desktops, so that your WORK and HOME VMs do not interfere and you can use one piece of HW for many purposes. That is a solid security boundary; however, I am in doubt when I see that I can save a report in IE to PDF on my HOST, without having Acrobat Reader installed there (by using the instance in my VM). This is a fascinating approach, but it gives me some security shivers (imagine a virus – how easily can it then spread from your VMs to the host…)

It’s been a long time – what’s new???

October 12, 2009

It’s been a very long time since I wrote anything on my blog. Lots of things have changed during the last half year – both in my private and professional life. The original reason why I started this blog is “gone with the wind”… Meanwhile I have lost a lot of my original passion for technology, luckily not altogether and most important not for life in general. The spectrum of activities a human can engage in is so huge, that I think I will keep myself busy in this life:)

Back to some news: first off I started my company with a couple of friends – working “after hours” (big challenge). You can see our website: www.predica.pl. We focus on IT systems and applications developed in hosted scenarios: we cover business analysis, software development, hosting, maintenance etc. taking the headache of IT away from you:)

I also did a presentation on virtualization (Microsoft+DELL add-ons) during Microsoft Technology Summit 2009 in Warsaw. You can grab the PPT from it here: MTSDemoAlipka. You won’t see much, since 50% of it were demos. But at least you can get the gist of it..

I will be at TechEd 2009 in Berlin (next month), but as attendee not presenter, so if you’ll be there – ping me and we can meet for a beer for sure:)

Besides, I started climbing again, and it’s been great. Reconnecting with old friends still doing it, visiting some new places (Indian Creek, US is a must! and Labak in Czech Republic – all you will ever want in crag climbing), and finding out that I still have lots of fun climbing. Ran two marathons – originally supposed to be one, but I needed to improve my time:)

I will try to improve my “post rate”. My blogging guru Tomek (http://www.w2k.pl/, http://blogs.dirteam.com/blogs/tomek/) is not letting his guard down, even though having a lot on his shoulders lately:)

Physical with virtual machine Windows Server cluster [updated]

February 16, 2009

You have probably wondered whether it would be possible to run a Windows Server failover cluster where one machine would be physical and another virtual. It would be a kind of P2V cluster. The concerns it raises are obvious: different CPU count and model, and possibly a different amount of memory. However, you should be able to pull it off, even though I would still recommend against it due to:

  • No support from Microsoft (such configuration is not on HCL, and HCL – qualified cluster solutions are the only ones MS supports)
  • If the VM node is ‘weaker’, it could have problems handling the load.

In that case it might be possible to work around it this way:

  • If you have a MS support case, just remove the VM node from the cluster and run a single node physical cluster – that (provided your HW is on cluster HCL) would give you an MS supported config
  • Size and configure your VM to be able to handle the load that runs on the physical node.

VMWare has a paper that discusses this configuration: [update] http://www.vmware.com/pdf/vi3_35/esx_3/vi3_35_25_u1_mscs.pdf. Remember to use Raw Device Mapping if you are connecting the LUN through the host, or use direct iSCSI to the VM.

For Hyper-V the only option for shared storage is to use iSCSI storage with initiator inside the VM.

This blog post is valid for Windows Server 2003. For 2008 I guess it would be the same, but I have not tried it. Basically the prerequisite check would probably throw a warning, but it should pass (I have tried clustering between different editions and versions (core/full) of WS2008 and it worked; I think that if the NIC and SCSI tests pass, the CPU count should not be a total stopper). If you have experience with that, please share.

Remember that CPU architectures (32 bit x86, AMD64, IA64) must be the same across all nodes.

Delegate permissions to specific VM in Hyper-V hosts

February 10, 2009

Microsoft recently released a beta of the Hyper-V Security Guide (https://connect.microsoft.com/content/content.aspx?SiteID=715&ContentID=10340). Unfortunately, when it comes to permission delegation it only tells you how to do this on a per-HOST basis.

Doing it on a per-VM basis (like allowing user1 to stop, start and remote control VM1 but not VM2 on HOST1) is a bit tricky. Dung talks about it here: http://dungkhoang.spaces.live.com/blog/cns!31A50D02D661C816!305.entry, but there is not much more information about it on the web.

For the initial steps refer to Dung’s blog – it details the XML files and the model of permissions. Now, if you want to delegate permissions per VM you need to:

  1. Set a unique ScopeOfResidence (http://msdn.microsoft.com/en-us/library/cc136939(VS.85).aspx) property on the VM. This can only be done by a script. I attach all scripts in a link below.
  2. That scope is stored in the XML config file of the VM, in the Global_Settings/security/scope section.
  3. Next, take that unique SCOPE name and set it in azman.msc as a new scope. Then assign permissions as you would normally do. The permissions within that scope will only apply to the VM with the same ScopeOfResidence.
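Step 1 above needs a script because ScopeOfResidence is not exposed in the Hyper-V Manager UI. The following is an added example, not one of the scripts attached to the post: it sets the property on one VM through the Hyper-V 2008 WMI API (namespace root\virtualization, Msvm_VirtualSystemGlobalSettingData and Msvm_VirtualSystemManagementService.ModifyVirtualSystem). It assumes it runs elevated on the host and that the VM is identified by its display name.

```powershell
# Added example, not one of the scripts attached to the post: set the ScopeOfResidence
# of a single VM through the Hyper-V (2008) WMI API in root\virtualization, so that an
# AzMan scope with the same name applies to this VM only.
# Assumptions: runs elevated on the Hyper-V host; the VM is identified by its display name.
param(
    [Parameter(Mandatory=$true)][string]$VmName,   # e.g. 'VM1' in the post's wording
    [Parameter(Mandatory=$true)][string]$Scope     # keep unique across hosts, e.g. 'HOST1-VM1'
)
$ns = 'root\virtualization'

$vm = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$VmName'"
if (-not $vm) { throw "No VM named '$VmName' on this host." }
if ($vm -is [array]) { throw "More than one VM is named '$VmName'; rename one first." }

# The global settings object carries ScopeOfResidence; Hyper-V persists it under
# Global_Settings/security/scope in the VM's XML configuration file.
$gsd = $vm.GetRelated('Msvm_VirtualSystemGlobalSettingData') | Select-Object -First 1
"Current scope: '$($gsd.ScopeOfResidence)'"
$gsd.ScopeOfResidence = $Scope

# Apply the modified settings via the management service. GetText(1) serialises the
# instance as CIM DTD 2.0 XML, which ModifyVirtualSystem expects.
$vsms   = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
$result = $vsms.ModifyVirtualSystem($vm.__PATH, $gsd.GetText(1))

if ($result.ReturnValue -eq 4096) {
    # Asynchronous: poll the job until it leaves the Starting (3) / Running (4) states.
    $job = [wmi]$result.Job
    while ($job.JobState -eq 3 -or $job.JobState -eq 4) { Start-Sleep -Milliseconds 200; $job.Get() }
    if ($job.JobState -ne 7) { throw "ModifyVirtualSystem failed: $($job.ErrorDescription)" }
} elseif ($result.ReturnValue -ne 0) {
    throw "ModifyVirtualSystem returned $($result.ReturnValue)"
}
"ScopeOfResidence of '$VmName' is now '$Scope'. Create a scope named '$Scope' in azman.msc and assign roles inside it."
```

After running it, re-open the VM's XML file and confirm the new value appears under Global_Settings/security/scope before creating the matching scope in AzMan.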

If you use unique naming of scopes across all your host, you can then move the Hyper-V AzMan store from XML files (local) to Active Directory (sample script also attached). This will allow you to make changes centrally for all hosts:

  1. The data cannot be moved to an application partition; it must be stored in a Windows 2003 (minimum) domain.
  2. Create the Hyper-V AzMan Store in AD. This can be done using the script CreateVMAzStoreinAD.js:
     cscript CreateVmAzStore.js “msxml://<path to InitialStore.xml>” “msldap://CN=VmAzStore,CN=Windows,CN=Program Data,DC=test,DC=com”
     where the first parameter is the path to the Hyper-V AzMan store and the second is the DN of the target container for the store.
  3. Verify that the store was created by using Active Directory Users and Computers (dsa.msc; enable Advanced Features in the View menu).
  4. Using AzMan.msc, open the AD store and assign the Administrator and User roles (created by the script) to users defined in the domain as desired. Also change the security properties of the store, and add “Domain Computers” to the Reader role.
  5. On each hyper-v host point the server to the new location of the store: Path=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization
    Value=msldap://CN=VmAzStore, CN=Windows,CN=Program Data,DC=test,DC=com
  6. Restart the VMMS and NVSPWMI services.

It should also be possible to move the store to SQL instead of AD. I have not tried it, but be aware that SQL would be more chatty on the network, and would not re-use the site-aware AD structure that AD store can use. AzMan is frequently accessed by Hyper-V whenever checking user permissions to Hyper-V objects.

NOTE that you cannot manage your Hyper-V hosts this way if you are using VMM agent on them. The agent will overwrite your modifications on a refresh basis, and use those that are specified in VMM 2008 (unfortunately no per-VM delegation there…)

Sample scripts: http://cid-fded5c90960743bd.skydrive.live.com/self.aspx/Public/AzManHyperV.zip 

UPDATE: FYI, I just noticed TonySo posted some scripts as well on the MS forums: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/3d0888e2-7538-4578-b16c-97b73c8e0f96/.

Exchange 2007 double HA with VMWare and CCR?

January 30, 2009

During an internal discussion we came upon a very interesting doc/internal case study of Exchange 2007 deployment in VMWare:

One HA/DRS cluster is deployed in both of the VMware datacenters. The CCR design used at VMware populates each HA/DRS cluster with eleven CCR cluster nodes. In the event of an unscheduled ESX host outage, the CCR cluster will automatically move the clustered mailbox role to the passive node in the second datacenter and continue to provide email services. Due to the VMware HA cluster, the failed active cluster node will be restarted on any remaining available ESX host, and CCR will initiate reverse replication to ensure that the cluster is in sync. The same methodology would be used in the case of a total site failure. To achieve complete autonomy between datacenters, a third site was chosen to house the file-share witnesses used by the CCR clusters to maintain quorum.

The paper provides a very interesting highly available design of Exchange 2007 with a VMWare cluster + Exchange CCR. It would be tempting to go this way, as it allows you to achieve fairly high availability and site resilience w/o the need for expensive SAN metro-site mirroring.

However according to MS support policy this is unsupported (http://technet.microsoft.com/en-us/library/cc794548.aspx):

Microsoft does not support combining Exchange clustering solutions (namely, cluster continuous replication (CCR) and single copy clusters (SCC)) with hypervisor-based availability or migration solutions (for example, Hyper-V’s quick migration). Both CCR and SCC are supported in hardware virtualization environments provided that the virtualization environment does not employ clustered virtualization servers.

Another thing that came up is that one of the reasons not to virtualize an Exchange mailbox server is of course performance: VMWare and Hyper-V still have a maximum of 4 vCPUs. What’s more, due to the way VMWare does CPU virtualization, the more vCPUs are assigned to a VM the bigger the processing overhead. This is due to the fact that the VM must wait until 4 physical cores are available at the same time. It of course takes longer to wait for four cores than for 2 or 1. Moreover, if on the same host you mix 4 vCPU machines with 1 or 2 vCPU machines, you will see an even bigger penalty (the 1-2 vCPU VMs have a shorter time to wait, so they might “clog” the processor cycles of the 4 vCPU VM). This is due to the scheduling of vCPUs in VMWare virtual SMP. Some of it is described here: http://www.vmware.com/pdf/vsmp_best_practices.pdf.

So basically it would be better to consolidate 2 vCPU machines on one host, and for large Exchange deployments with CCR/SCR opt for physical mailbox servers. I couldn’t find any information on how this problem is approached in Hyper-V; I imagine the situation is similar, but any feedback is appreciated!