VMM tricks: VMM implementation in cross-domain topology
My team was trying to implement VMM R2 in a multiple-domain topology. They installed VMM R2 on Windows 2008 R2. We started by implementing VMM 2008 R2 and SSP (Self Service Portal) on Domain A.
We have users from domains A and B, and a one-way trust relationship between those domains from domain A to B, i.e. Domain A trusts users from domain B.
This scenario was designed so that users from Domains A and B would have the capability to deploy new VMs using the web interface (SSP).
The installation went fine with a local admin account (a domain user from domain A with local admin privilege), and I was able to see all users from Domains A and B and add them to the Self Service Portal users role.
The problem is that users from domain B can’t log in to SSP while users from domain A can.
As per Microsoft TechNet:
Does VMM support cross-domain authentication?
Yes. Kerberos authentication is a prerequisite for VMM. To configure your environment to allow users in one Active Directory Domain Services (AD DS) domain to access VMM resources in another domain, you can either ensure that both domains are in the same forest or configure a forest-level trust relationship and use Kerberos authentication. To set up a forest-level trust relationship, both domains must be in Windows Server 2003 forest mode. Windows 2000 Server does not support forest-level trusts.
So this was the first problem: VMM should use Kerberos authentication, while my one-way trust was External (NTLM). My domains are above 2003, so I deleted my old trust and created a new one-way forest trust.
Now VMM should work, but oops, it did not!
As per Microsoft TechNet it should work fine, but nothing worked at all. After some digging into the trust we found it: it has to be a two-way forest-level trust between the two domains. :S
And we got confirmation from Microsoft:
Based on this finding, I fully analyzed all internal Kerberos traffic again, and the two-way trust is required from SSP.
1. If we only configure a one-way trust from the SCVMM server domain to the user domain, the DC in the SCVMM domain will be able to establish a secure channel with the user domain and get the trust TGT ticket. Thus we can configure SSP and choose users from the trusted domain.
2. However, when a user accesses the SCVMM portal from the trusted domain, because the trust is one-way and there is no trusted account for the user domain in the SCVMM domain, the user cannot get a trusted TGT ticket and thus cannot get a session ticket to access SSP. The access will fall back to NTLM, with the SCVMM DC contacting the DC in the user domain for NTLM authentication.
According to the authentication requirement for SCVMM, we need to configure a two-way trust so that the user can get a session ticket to access SSP in the other domain.
So… to have users from a different domain, we need to configure a two-way trust so that users can get a session ticket to access SSP in the other domain.
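A way to check trusts against the requirement found above (forest-level and two-way), as an added example that is not part of the original post. The function names `Test-VmmSspTrust`, `Get-LiveTrust` and `New-SampleTrust` and the domain name `domainb.example` are hypothetical, and the sample trust objects are constructed.

```powershell
# Added example, not from the original post. Checks trust relationships against
# the requirement found above: forest-level AND two-way.
function Test-VmmSspTrust {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Trust   # any object exposing TargetName, TrustType, TrustDirection
    )
    process {
        $type = [string]$Trust.TrustType
        $direction = [string]$Trust.TrustDirection
        $problems = @()
        if ($type -ne 'Forest') {
            $problems += "trust type is '$type' (needs a forest trust for Kerberos)"
        }
        if ($direction -ne 'Bidirectional') {
            $problems += "direction is '$direction' (needs two-way)"
        }
        New-Object PSObject -Property @{
            TargetName       = [string]$Trust.TargetName
            TrustType        = $type
            TrustDirection   = $direction
            MeetsRequirement = ($problems.Count -eq 0)
            Problems         = ($problems -join '; ')
        }
    }
}

# Live data: run on a domain-joined machine in the VMM server's domain.
function Get-LiveTrust {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    @($forest.GetAllTrustRelationships()) + @($domain.GetAllTrustRelationships())
}

# Constructed sample trusts mirroring the three stages described in the post.
function New-SampleTrust($Target, $Type, $Direction) {
    New-Object PSObject -Property @{
        TargetName = $Target; TrustType = $Type; TrustDirection = $Direction
    }
}
$samples = @(
    (New-SampleTrust 'domainb.example' 'External' 'Outbound'),      # external, one-way
    (New-SampleTrust 'domainb.example' 'Forest'   'Outbound'),      # forest, one-way
    (New-SampleTrust 'domainb.example' 'Forest'   'Bidirectional')  # forest, two-way
)

$samples | Test-VmmSspTrust |
    Select-Object TargetName, TrustType, TrustDirection, MeetsRequirement, Problems |
    Format-Table -AutoSize -Wrap

# To audit real trusts instead of the samples:
# Get-LiveTrust | Test-VmmSspTrust | Where-Object { -not $_.MeetsRequirement }
```

Only the third sample row reports `MeetsRequirement` as true; the first two correspond to the external trust and the one-way forest trust that did not work above.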
VMM tricks: Installing SCVMM on a host with a name containing “-SCVMM-” fails with Error 257
This one is funny. (Source)
Well, the title says it all. If the host you’re trying to install SCVMM on has a name that contains “-SCVMM-” in upper case letters, setup fails with Error 257.
Example: MUC-SCVMM-1
Resolution: Use a slightly different name, like “MUC-SCVMMR2-1” or “MUC-SCVmm-1”.
The reason is that the uppercase string “-SCVMM-” is used internally for host communication by SCVMM.
Cheers
Robert
Re-blog: Microsoft Site Recovery Solution Launch
I’m re-blogging here. Over at Virt Planet blog, Jim wrote the following:
This week Microsoft is launching a comprehensive solution to help customers implement cost effective, end-to-end site recovery programs. Built on proven capabilities in Windows Server 2008 R2 and the System Center management suite, Microsoft is helping IT Professionals leverage Windows Server Hyper-V and Failover Clustering along with tools like Virtual Machine Manager to deliver cost effective site recovery.
The Microsoft Site Recovery Solution ecosystem is ramping with a broad range of storage replication partners like Double-Take Software, EMC, HDS, HP delivering solutions that take advantage of the Microsoft Cluster Resource DLL. With cluster integration IT Professionals can deploy streamlined and operationally effective site recovery.
You can learn more about the Microsoft Site Recovery Solution by joining the Microsoft team and Enterprise Strategy Group on Thursday, November 5th at 10:30am Pacific for a webcast, “Building Effective and Highly Available Disaster Recovery Solutions Using Microsoft Virtualization”. This webcast looks at key drivers for site recovery solutions and reviews practical deployment considerations (you can view the recorded version of the webcast after the 5th). Microsoft and select partners will also be demonstrating Site Recovery Solutions at TechEd, so if you plan to be in Berlin during the week of November 9th, make sure to stop by the Virtualization Solutions kiosk in the Technical Learning Center.
Patrick
VMM tricks: Force remove of Failed VM (WAIK dll error)
Sometimes you may face a problem like a failed VM creation job, like this one:
Hello everyone,
I created 2 VMs in Windows 2008 R2 (Core and full installs). After that I used SCVMM 2008 R2 to sysprep and save the VMs in the library. The process ended OK. After that I tested the deployment process, which fails with a weird error (something like it is not possible to access the WAIK dll… or something like that). After this error I tested WAIK and everything appeared OK, so I decided to remove the 2008 R2 VMs from the library and then try to repeat the process. Now I get the job error for each machine in the sysprep phase:
Error (802)
The VirtualHardDisk file W2008r2disk1 is already in use by another VirtualHardDisk.
Recommended Action
Wait for the object to become available, and then try the operation again.
In SCVMM I see the machine with the icon as if it was in progress but the only option that I have is to retry the job that also fails with the error:
Error (682)
A template cannot be created from virtual machine W2008r2.
Recommended Action
Stop or shut down the virtual machine, and then try the operation again.
Since I know that I don’t have any VHD with the same name in the library, I guess this information is in the DB somewhere.
Any clues where this may be?
This was solved by using Windows PowerShell commands.
Try going into the PowerShell interface and running the following commands:
PS C:\> $VM = Get-VM -VMMServer VMMServer1.Contoso.com | where { $_.VMHost.Name -eq "VMHost01.Contoso.com" -and $_.Name -eq "VM01" }
PS C:\> Remove-VM -VM $VM -Force
VMM tricks: SCVMM Service may take up lots of memory
Source: Hyper-V notes from the field
In a large SCVMM environment we noticed that the SCVMM Service (vmmservice.exe) allocates lots of memory (>4GB). You may notice that you are unable to create new console sessions or existing sessions lose their connection when all available memory is used. This is not a leak as the memory is freed over time.
The reason for these allocations was the large number of jobs that had run in the past. By default SCVMM keeps the last 90 days in the Database and the Console shows this in the Jobs pane. In the title area you can see the number of jobs in brackets. In the customer case we had almost 10.000 jobs.
The problem can be solved by setting a shorter history with the following registry key:
HKLM\Software\Microsoft\Microsoft System Center Virtual Machine Manager Server\settings\sql
DWORD Value: TaskGC
Enter the history length in days. (e.g. 7)
SCVMM starts a maintenance procedure with this number of days every 20h. You may not see a complete reduction immediately, as the maintenance procedure limits itself in the number of objects it deletes in one run. So you may need to monitor this for some days.
Cheers
Robert
Microsoft Lab Validation Report for Hyper-V
Microsoft Hyper-V : Scalable, Native Server Virtualization for the Enterprise
Microsoft just published a Lab Validation Report for Windows Server 2008 Hyper-V, which was written by Enterprise Strategy Group. This report goes over the installation and configuration of Windows Server 2008 Hyper-V and management of those servers with Virtual Machine Manager 2008.
The report reviews the performance of Windows Server 2008 Hyper-V in comparison with physical systems.
Performance
In this section, we’ll take a look at the results of ESG Lab testing of the performance of applications running on a physical server and on a Hyper-V virtual machine.
ESG Lab Testing
ESG Lab used four real-world application workloads to evaluate the physical and virtual performance of Microsoft Windows 2008 Data Center Edition R1:
1. Application Install: a timed installation of Visio 2007 using a distribution image stored on a network attached shared drive within a private network.
2. Directory level copy: a timed copy of an 860 MB directory with 2,014 files to a temporary directory. The c:\windows\win32 directory was copied to a temporary directory on the same C: drive.
3. Subsequent copies: the directory level copy was repeated with much of the IO activity happening in cache. The average of three cached copy operations was recorded.
4. SQL query: a long running SQL select statement using a 25,000 row production database from ESG’s internal IT operation was timed. The SQL query performed a join of three tables. The average duration of three select statements was recorded.
The HP blade server used for this test was equipped with four 2.2 GHz dual-core AMD Opteron processors and eight gigabytes of RAM. Comparing physical and virtual performance on the same server was accomplished after a reboot with Hyper-V role enabled and disabled. During the virtual server testing, the server was configured with a single virtual server, which used nearly all of the physically available hardware resources (all eight CPU cores, seven out of eight GB of RAM).
Physical and virtual testing was performed within a 40 GB logical C: drive. The C: drive was built using a single LUN presented by a FC attached HP MSA storage array with six 15K SAS drives configured as a single RAID-5 group (5+1).
The Hyper-V C: drive was configured as a basic virtual hard disk (VHD). The results are shown in Table 1.
Table 1. ESG Lab Performance Results
| Operation | Physical | Virtual | Difference |
| --- | --- | --- | --- |
| Application install | 00:05:52.000 | 00:06:09.000 | 4.8% |
| Directory level copy | 00:00:41.680 | 00:00:33.660 | 7.1% |
| Subsequent copies | 00:00:05.660 | 00:00:05.830 | 3.0% |
| SQL query | 00:00:47.566 | 00:00:53.630 | 12.7% |

What the Numbers Mean
- It took five minutes and 52 seconds to install an application on the physical server running Windows 2008 Data Center Edition SP1.
- It took six minutes and nine seconds to install the same application on the same hardware running the same operating system running within a Hyper-V enabled virtual machine.
- The difference in performance is relatively low (4.8%).
- The directory level copy and subsequent copies were also relatively low (7.1% and 3.0% respectively).
- A long running Microsoft SQL query took 12.7% longer when running in a virtual server.
- The manageably low performance impact of Hyper-V won’t be detected by the vast majority of end-users and applications.
Quick Tip: Query Active Directory Functional Levels
To determine the domain functional level, Windows Server 2003 uses a combination of two attributes stored in Active Directory. To determine the forest functional level, Windows Server 2003 uses a single attribute.
To verify the forest and domain functional level by using ADSIEdit.msc:
- Open a Run command, and type ADSIEdit.msc
- Expand the Domain object, right-click domainname (where domainname is the distinguished name of the domain that you want to check), and then click Properties.
- Under the Attribute column, scroll until you locate the msDS-Behavior-Version attribute. Check the value of this attribute.
- Check the value of the nTMixedDomain attribute on the domain object. The following table provides the details for both attributes for the domain functional level.
| Domain functional level | msDS-Behavior-Version attribute | nTMixedDomain attribute |
| --- | --- | --- |
| Windows 2000 mixed | 0 | 1 |
| Windows 2000 native | 0 | 0 |
| Windows Server 2003 | 2 | 0 |
To verify the forest functional level, expand the Configuration object, and then expand the CN=Configuration,forestname object (where forestname is the distinguished name of the forest).
Right-click the Partitions container, and then click Properties. Locate the msDS-Behavior-Version attribute, and check the value of this attribute. The following table provides the details for the attribute for the forest functional level.
| Forest functional level | msDS-Behavior-Version attribute |
| --- | --- |
| Windows 2000 | 0 |
| Windows 2000 interim | 1 |
| Windows Server 2003 | 2 |
Source: Microsoft Corporation
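The same check scripted instead of clicked through ADSIEdit, as an added example that is not Microsoft's code. It reads the attributes named above and maps them using only the two tables on this page; the function names are hypothetical and the offline calls at the end use constructed attribute values.

```powershell
# Added example, not Microsoft's code. Reads the same attributes as the
# ADSIEdit steps above and maps them using only the two tables on this page.
function Resolve-DomainLevel {
    param([int]$BehaviorVersion, [int]$NtMixedDomain)
    switch ("$BehaviorVersion/$NtMixedDomain") {
        '0/1'   { 'Windows 2000 mixed' }
        '0/0'   { 'Windows 2000 native' }
        '2/0'   { 'Windows Server 2003' }
        default { "not listed above (msDS-Behavior-Version=$BehaviorVersion, nTMixedDomain=$NtMixedDomain)" }
    }
}

function Resolve-ForestLevel {
    param([int]$BehaviorVersion)
    switch ($BehaviorVersion) {
        0       { 'Windows 2000' }
        1       { 'Windows 2000 interim' }
        2       { 'Windows Server 2003' }
        default { "not listed above (msDS-Behavior-Version=$BehaviorVersion)" }
    }
}

# Live query: needs a domain-joined machine and read access to the directory.
function Get-FunctionalLevel {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
    $configDn = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $domain     = [ADSI]"LDAP://$domainDn"
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

    # An attribute that is not set comes back as $null, which [int] turns into 0.
    $domainVersion = [int]$domain.psbase.Properties['msDS-Behavior-Version'].Value
    $mixed         = [int]$domain.psbase.Properties['nTMixedDomain'].Value
    $forestVersion = [int]$partitions.psbase.Properties['msDS-Behavior-Version'].Value

    New-Object PSObject -Property @{
        Domain      = $domainDn
        DomainLevel = Resolve-DomainLevel -BehaviorVersion $domainVersion -NtMixedDomain $mixed
        ForestLevel = Resolve-ForestLevel -BehaviorVersion $forestVersion
    }
}

# Offline check with constructed attribute values (no directory needed).
Resolve-DomainLevel -BehaviorVersion 0 -NtMixedDomain 1
Resolve-DomainLevel -BehaviorVersion 2 -NtMixedDomain 0
Resolve-ForestLevel -BehaviorVersion 1
Resolve-ForestLevel -BehaviorVersion 4   # value outside the page's table

# On a domain member: Get-FunctionalLevel | Format-List
```

Values outside the two tables are reported with their raw numbers rather than guessed at.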
Hyper-V Domain Controller Negative Ping Results
This one was a little bit new for me. About 6 months ago one of my customers told me that sometimes his new virtual Domain Controller was giving negative ping results.

This DC was working fine and it was a new installation of a Windows Server 2003 Domain Controller. Every 5 minutes it reports an event 1054 saying that it cannot find the domain controller name.
Event ID: 1054
Source: Userenv
Type: Error
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted). Group Policy processing aborted.
Everything was fine: the SRV and DNS records were created correctly, clients could log on and access the server with no problem, and group policy was being applied correctly.
As per the Microsoft KB, this behavior may occur if the address for the configured preferred DNS server on the client is invalid or unreachable, but everything on the client side was fine, as expected.
That is odd. I was sure there was no problem with the system at all. After some time searching, I started to suspect the hardware or the network, and Bingoooo, I was right.
The problem is now resolved via the HP support article below:
SUPPORT COMMUNICAT
Version: 2
Advisory: (Revision) HP ProLiant Servers Using Dual-Core or More Than One Single-Core AMD Opteron Processor May Experience Incorrect Operating System Time When Running Systems That Use the System Time Stamp Counter
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.
Release Date: 2007-07-16
Last Updated: 2007-07-16
HP ProLiant servers configured with Dual-Core or with more than one single-core AMD Opteron processor may encounter Time Stamp Counter (TSC) drift in certain conditions. The TSC is used by some operating systems as a timekeeping source. Each processor core, whether it is a single-core processor or a dual-core processor, includes a TSC. The condition where the TSC for different processor cores becomes unsynchronized is known as TSC drift.
Note : The potential for TSC drift if the proper recommendations are not applied when using AMD Opteron 200-series, Opteron 800-series, Opteron 1200-series, Opteron 2200-series and Opteron 8200-series processors is not specific to HP ProLiant servers.
Whether or not the system is affected by TSC drift depends on the specific ProLiant server generation, the number and type of AMD Opteron processors installed, the operating system, and whether the AMD PowerNow! feature is being utilized. TSC drift can result in different symptoms and behaviors based on the operating system environment, as detailed below:
Microsoft Windows Server 2003
This condition affects operations such as network communications and performance monitoring tasks that are sensitive to system time. For example, Microsoft Active Directory domain controllers can report an Unexpected Network Error (Event ID 1054) with the following description:
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred.). Group Policy processing aborted.
In addition, a negative PING time or larger than actual PING time may be returned after issuing the PING command. The negative PING time occurs because of a Time Stamp Counter drift occurring on AMD Opteron platforms which include more than one processor core.
SCOPE
Any HP ProLiant server configured with more than one single-core AMD Opteron processor or configured with one (or more) dual-core AMD Opteron processors running the following operating systems:
Microsoft Windows Server 2003 (any edition)
Microsoft Windows Server 2003 x64 Edition (any edition)
Red Hat Enterprise Linux 4(x86) or earlier
Red Hat Enterprise Linux 4 (AMD64/EM64T) or earlier
SUSE Linux Enterprise Server 9 32-bit (x86) or earlier
Note : The issue does not affect systems with only one single-core processor installed.
The following servers are affected when running an affected operating system:
HP ProLiant BL465c Blade Server
HP ProLiant BL685c Blade Server
HP ProLiant BL25p G2 server
HP ProLiant BL45p G2 server
HP ProLiant DL145 G3 server
HP ProLiant DL385 G2 server
HP ProLiant DL585 G2 server
HP ProLiant DL365 server
HP ProLiant ML115 server
The following servers are affected ONLY when using the AMD PowerNow! feature and running an affected operating system:
ProLiant BL25p Blade Server
HP ProLiant BL45p Blade Server
HP ProLiant DL145 G2 server
HP ProLiant DL385 server
HP ProLiant DL585 server
The following operating systems are not affected by TSC drift because these operating systems do not use the TSC as a timekeeping source:
Microsoft Windows Server 2008 (codename Longhorn)
Red Hat Enterprise Linux 5 (x86)
Red Hat Enterprise Linux 5 (AMD64/EM64T)
SUSE Linux Enterprise Server 10 (x86)
SUSE Linux Enterprise Server 10 (AMD64/EM64T)
VMware ESX Server 3.0.0 (or later)
RESOLUTION
To ensure proper operation of tasks sensitive to system time, perform either of the following actions, based on the operating system environment:
Microsoft Windows Server 2003 (any edition)
Edit the BOOT.ini file and add the parameter “/usepmtimer”, then reboot the server. Adding the “/usepmtimer” parameter to the BOOT.INI file configures the Windows operating system to use the PM_TIMER, rather than the Time Stamp Counter.
So the final solution was this:
To resolve this problem, install the new AMD CPU driver. To do this, visit the following AMD Web site:
After you install the new driver, you must restart your computer.
Note: The driver installation adds the /usepmtimer switch in the Boot.ini file. This switch is discussed in the above section.
Quote of the Month
“Intelligence is the ability to hold two opposed ideas in the mind at the same time” –F. Scott Fitzgerald
XenServer: Why?
There have been lots of discussions lately about what’s happening around Citrix XenServer. Perhaps too many. For what it is worth, I was one of the people discussing this on the net (Twitter, Blogs etc) with some other folks. I originally drafted a blog post when Citrix bought XenSource but it never made it (officially because I was busy, unofficially because I couldn’t figure out “why”).
I think that what it is happening is pretty clear at this point. The market landscape is being consolidated with Oracle acquiring VirtualIron as well as the “Sun Xen thing” within the overall grand plan of the acquisition (of the remaining) of Sun. All these solutions have hardly, in the past few years, managed to make a difference in the industry and their names were floating around more with the hope that VMware could feel more pressure and competition, and hence lower the prices. In the meanwhile, VMware increased their price which speaks for itself.
This is leaving (apparently) the x86 virtualization market with 3 relevant viable alternatives that are VMware, Microsoft and Citrix. I have always said this is going to be a two-horse race and I still stand behind this statement. The first horse is VMware and the second horse is what I call Microtrix ™. There has been a nice Twitter discussion a few days ago on why Citrix bought XenSource and the future of it etc. This was my tweet in the discussion which, in a way, summarizes my thinking: