Creating Generic Linux VMM Template for Azure pack

VMM and Hyper-V support a range of Linux and BSD distributions. Here is a quick guideline on how to offer them through Windows Azure Pack with a single generic Linux VM template plus a set of ISO images in your VMM library.

Creating Linux VMM template

First of all, we need to create a VM template in VMM. I have decided to use Debian 8.0 as my generic Linux OS. You can download the netinst CD image here:

http://cdimage.debian.org/debian-cd/8.0.0/amd64/bt-cd/debian-8.0.0-amd64-netinst.iso.torrent

Once downloaded, create a new virtual machine in VMM and install Debian (the Debian installation itself is not covered here). Debian ships with the Linux Integration Services built into its kernel, so you do not have to install them separately (some CentOS releases, for example, require installing them).

Installing VMM agent for Linux:

Sysprepping a Linux VM is possible through the VMM agent for Linux, and here is how to install it. Connect to your Debian VM (for example with WinSCP) and copy all files from c:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\agents\Linux (located on the VMM server) to a temporary directory on the VM over SFTP.

Log in to the Debian VM as root, change to that temporary directory and run the following commands:

chmod +x install
./install scvmmguestagent.1.0.0.544.x64.tar

Go to VMM and confirm that VM Additions are detected:

Creating VMM template

Next we are going to create the VM template in VMM. Shut down the Debian VM and copy its VHDX file to the VMM library. (Note that I have renamed the VHDX to Generic Linux x64.vhdx, which looks better in Azure Pack 🙂) Go to Library/Templates/VM Templates and select Create VM Template.

Name the template Generic Linux x64, configure the operating system profile and finish the wizard.
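The same template creation can be scripted from the VMM PowerShell module. The block below is an added example and not part of the original post; the VMM server FQDN, the assumption that the renamed VHDX is already in a library share, the Generation 1 setting and the loose "*Debian*" match against Get-SCOperatingSystem are all assumptions to adjust to your environment.

```powershell
# Added example (not from the original post): script the "Generic Linux x64" template creation.
# Assumed: VMM server FQDN, the VHDX already copied into a library share, Generation 1,
# and that Get-SCOperatingSystem lists a Debian entry matching "*Debian*".
Import-Module virtualmachinemanager

$VMMServerName = "vmm01.cloud.local"      # assumed FQDN of the VMM server
$VHDName       = "Generic Linux x64.vhdx"
$TemplateName  = "Generic Linux x64"

$vmm = Get-SCVMMServer -ComputerName $VMMServerName

# The disk must already be indexed by a library share (refresh the share after copying it)
$vhd = Get-SCVirtualHardDisk -VMMServer $vmm | Where-Object { $_.Name -eq $VHDName }
if (-not $vhd) { throw "VHDX '$VHDName' not found in any library share" }
if (@($vhd).Count -gt 1) { throw "More than one '$VHDName' in the library; select one by SharePath" }

# Tag the disk with a Linux OS so VMM and the Azure Pack portal treat it as a Linux image.
# OS display names differ between VMM versions, so match loosely and fail if nothing matches.
$os = Get-SCOperatingSystem -VMMServer $vmm |
      Where-Object { $_.Name -like "*Debian*" } | Select-Object -First 1
if (-not $os) { throw "No Debian entry returned by Get-SCOperatingSystem; pick one manually" }
Set-SCVirtualHardDisk -VirtualHardDisk $vhd -OperatingSystem $os | Out-Null

# Build the template from the disk. -ComputerName "*" lets VMM generate the guest name;
# with the Linux agent in the image, VMM applies it at deployment time.
$template = New-SCVMTemplate -VMMServer $vmm -Name $TemplateName -VirtualHardDisk $vhd `
                -Generation 1 -OperatingSystem $os -ComputerName "*"

# Read the result back rather than trusting the wizard/cmdlet silently
Get-SCVMTemplate -VMMServer $vmm -Name $TemplateName |
    Select-Object Name, Generation, OperatingSystem
```

Run it from a VMM console host where the virtualmachinemanager module is installed and the account has VMM administrator rights; the final Get-SCVMTemplate line is the check that the template is registered with the intended OS before you expose it in a hosting plan.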

Azure pack configuration

Go to your hosting plan and add the new template:

Log in to the Azure Pack tenant portal and you should see the new template available. Deploy a test VM:

Once deployed, attach an ISO:

I have decided on Oracle Linux:

Log in via Console Connect and confirm that your VM is booting from the attached ISO:

The last thing you need to do is to populate your VMM library; I would start with all supported distributions: https://technet.microsoft.com/en-us/library/dn531030.aspx

"No Virtual Machine Cloud provider was found" error after installing System Center rollups

After installing System Center rollups (in my case UR6), I lost the connection between Azure Pack and SPF, getting a "No Virtual Machine Cloud provider was found" error in the Azure Pack management portal.

First, I tested my SPF site

https://spf.myclouddomain.com:8090/SC2012R2/VMM/Microsoft.Management.Odata.svc/

which was not responding. When I logged in to my SPF server, all services were running, so I opened IIS Manager and found that the SPF website was stopped.

When I opened Bindings, I found two site bindings to port 8090, so I removed one and made sure that the proper certificate was selected. Then I started the IIS website and went back to the Azure Pack management portal to confirm that the connection to SPF was working fine.
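The checks made by hand above (site state, duplicate bindings on 8090, the certificate behind the SSL binding, and the OData probe) can be run from one PowerShell session on the SPF server. This is an added example and not the post's own script; the site name "SPF" is an assumption (list sites with Get-Website), and the URL is the one quoted earlier in the post.

```powershell
# Added example (not from the original post): diagnose the SPF web site from PowerShell.
# Assumed: IIS site name "SPF", port 8090, and the OData URL from the post.
Import-Module WebAdministration

$SiteName = "SPF"       # assumed; confirm with Get-Website
$Port     = 8090
$SpfUrl   = "https://spf.myclouddomain.com:8090/SC2012R2/VMM/Microsoft.Management.Odata.svc/"

# 1. Is the site running at all?
$site = Get-Website -Name $SiteName
if (-not $site) { throw "No IIS site named '$SiteName'; run Get-Website to find the SPF site" }
"{0} is {1}" -f $site.Name, $site.State

# 2. More than one binding on the port (the condition found in the post)?
$bindings = @(Get-WebBinding -Port $Port)
if ($bindings.Count -gt 1) {
    Write-Warning ("{0} bindings on port {1}; remove the stale one" -f $bindings.Count, $Port)
    $bindings | Format-Table protocol, bindingInformation, certificateHash, sslFlags -AutoSize
}

# 3. Which certificate does the SSL binding use, and is it present and valid?
foreach ($b in (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port })) {
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "SSL binding $($b.IPAddress):$($b.Port) references thumbprint $($b.Thumbprint), which is not in LocalMachine\My"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)"
    } else {
        "SSL binding {0}:{1} -> {2} (valid until {3})" -f $b.IPAddress, $b.Port, $cert.Subject, $cert.NotAfter
    }
}

# 4. Start the site if it is stopped, then probe the OData endpoint as the current user
if ($site.State -ne "Started") { Start-Website -Name $SiteName }
try {
    $r = Invoke-WebRequest -Uri $SpfUrl -UseDefaultCredentials -UseBasicParsing
    "SPF answered HTTP {0}" -f $r.StatusCode
} catch {
    Write-Warning "SPF endpoint not responding: $($_.Exception.Message)"
}
```

Step 3 is the part worth keeping after the incident: a rollup can leave a binding pointing at a thumbprint that no longer exists in the machine store, and a stopped site is only the visible symptom.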

Upgrading Windows Server 2012 R2 Evaluation into a full version

Windows Server 2012 R2 Evaluation lasts 180 days. If you wish to keep using the installation after the evaluation period, entering a product key in the activation dialog is not enough: the evaluation edition has to be converted to a full edition with DISM, which sets the product key in the same step.

First, let's find out which target editions we can upgrade to:

dism /online /get-targeteditions

So, based on the above, I can upgrade to Datacenter edition, and here is how (the server restarts afterwards; note there is no space between /ProductKey: and the key):

dism /online /set-edition:ServerDatacenter /ProductKey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx /AcceptEula

Internet access not working for your Tenant VMs through NVGRE Gateway NAT – Configuring Bridge on your firewall

First of all, do not test by pinging internet servers, for example Google's DNS 8.8.8.8, as this will not work through the gateway NAT. Open a web browser and browse to your favourite website to test internet access instead.

In my scenario, I have public internet IP addresses assigned on the NVGRE Gateway server's FrontEnd interface. I created rules on my firewall to pass all traffic to my public IP addresses. After that I could immediately ping my public IPs from the outside world, but internet access in my tenant VMs was still not working.

So I dug deeper and found that I needed to configure an interface bridge on my firewall.

In my lab I am using a pfSense firewall, and here are the steps:

  • On the firewall, create a new virtual interface and do not configure any IP address or subnet on it.
  • Create a bridge between the new interface and the WAN interface.
  • Add a firewall rule on the new interface allowing any-to-any traffic (this is a lab setting; in production restrict it to the tenant public ranges and the ports you actually expose).
  • Create an outbound NAT rule allowing traffic out.
  • Start testing.

Creating a new Virtual Machine Role in Azure Pack – "Operating system disk none"

In my previous article, I described how to import the WS Domain Controller gallery item. I experienced one problem which I am going to describe.

After I finished all the recommended steps, I logged in as a tenant administrator and tried to provision a new VM role, but the system was not able to pull my VHDX file.


After some digging, I found that my VHDX had not been copied into the correct VMM library, as I had two: VMMUserLibrary and VMMLibrary. The VHDX was copied only into VMMLibrary, but my cloud resource was attached to VMMUserLibrary, and only this library was available to my VM cloud.

So if you are experiencing a similar issue, double-check this as well.


Importing Domain Controller 2012 Gallery item into Azure pack

Downloading Gallery resource files from Codeplex

Login to your VMM server

Install the Web Platform Installer (WebPI): http://www.microsoft.com/web/downloads/platform.aspx

Click Options and, in the custom feed field, add http://www.microsoft.com/web/webpi/partners/servicemodels.xml

Click Add feed and close the dialog.

Now go to Service Models, add the Domain Controller – Windows Server 2012 Gallery Resource and then click Install.


Once downloaded, you should see the following files:


Preparing a VHDX file with sysprepped WS2012

I have sysprepped a Windows Server 2012 R2 image, WS2012_R2_Gen1.vhdx, and stored it in my VMM library VMMUserLibrary.

Now we are going to set the parameters required by the WS2012 Domain Controller resource with the PowerShell script below:

$VHDName    = "WS2012_R2_Gen1.vhdx"
$FamilyName = "Windows Server 2012 R2 DataCenter"
$Release    = "1.0.0.0"
$Tags       = "WindowsServer2012"
# Public AVMA client key for Windows Server 2012 R2 Datacenter (activates only on a Datacenter Hyper-V host)
$AVMAKey    = "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"
$MyVHDX = Get-SCVirtualHardDisk | Where-Object { $_.Name -eq $VHDName }
$2K12DC = Get-SCOperatingSystem | Where-Object { $_.Name -eq '64-bit edition of Windows Server 2012 Datacenter' }
# Keep the tags already on the disk and add ours only if it is missing (case-sensitive compare)
$oTags = $MyVHDX.Tag
if ($oTags -cnotcontains $Tags) { $oTags += @($Tags) }
Set-SCVirtualHardDisk -VirtualHardDisk $MyVHDX `
    -OperatingSystem $2K12DC `
    -FamilyName $FamilyName `
    -Release $Release `
    -Tag $oTags `
    -ProductKey $AVMAKey

Here is how it looks like:

Importing Cloud Resource Extension

Run the following PowerShell script:

$LibraryShareName = "VMMUserLibrary"
# Path to the .resextpkg file from the downloaded gallery resource
$resextpkg = "C:\Gallery Resources\DomainController_WS2012_VMRole_Pkg\DomainControllerWindows2012.resextpkg"
$Library = Get-SCLibraryShare | Where-Object { $_.Name -eq $LibraryShareName }
# -AllowUnencryptedTransfer lets VMM copy the package to the share without an encrypted transfer;
# acceptable only on a trusted management network
Import-CloudResourceExtension -ResourceExtensionPath $resextpkg -SharePath $Library -AllowUnencryptedTransfer


IMPORTANT: my VHDX file WS2012_R2_Gen1.vhdx is stored in the VMM library VMMUserLibrary, and this library is configured in my VM cloud in VMM.
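The condition stated in the note above is the same one behind the "Operating system disk none" failure described earlier on this page: the VHDX has to live in a library share the VM cloud can read, not just in some library share. The block below is an added check covering both passages, not a script from the original posts. The cloud name is an assumption, and so is the ReadableLibraryPaths property on the cloud object (it is the property that Set-SCCloud -AddReadableLibraryPath populates); everything else uses the names from the post.

```powershell
# Added example (not from the original posts): confirm the VHDX is in a library share
# that the VM cloud can read. Assumed: cloud name, and that the cloud object exposes
# ReadableLibraryPaths as an array of \\server\share strings.
Import-Module virtualmachinemanager

$CloudName = "Tenant Cloud"          # assumed
$VHDName   = "WS2012_R2_Gen1.vhdx"

$cloud = Get-SCCloud | Where-Object { $_.Name -eq $CloudName }
if (-not $cloud) { throw "Cloud '$CloudName' not found" }

# Library paths the cloud is allowed to read (assumed property name, see lead-in)
$cloudPaths = @($cloud.ReadableLibraryPaths | ForEach-Object { "$_" })
"Cloud '{0}' can read: {1}" -f $cloud.Name, ($cloudPaths -join ", ")

# Every copy of the VHDX across all library shares (the post had two shares and one copy)
$copies = @(Get-SCVirtualHardDisk | Where-Object { $_.Name -eq $VHDName })
if ($copies.Count -eq 0) { throw "No VHD named '$VHDName' in any library share" }

$anyVisible = $false
foreach ($vhd in $copies) {
    # A copy is usable by the cloud when its share path starts with one of the readable paths
    $visible = $cloudPaths | Where-Object { $vhd.SharePath -like "$_*" }
    if ($visible) { $anyVisible = $true }
    "{0}`n  location: {1}`n  OS: {2}  Family: {3}  Release: {4}  Tags: {5}`n  {6}" -f `
        $vhd.Name, $vhd.SharePath, $vhd.OperatingSystem, $vhd.FamilyName, $vhd.Release,
        ($vhd.Tag -join ","), $(if ($visible) { "VISIBLE to cloud" } else { "NOT visible to cloud" })
}

if (-not $anyVisible) {
    Write-Warning "No copy of '$VHDName' is in a share readable by '$CloudName'; copy it to one of: $($cloudPaths -join ', ')"
}
```

The FamilyName, Release and Tags columns are printed alongside because the gallery resource filters on those as well; a disk that is in the right share but missing the tag is equally invisible to the tenant portal.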

Windows Azure Pack Service Administrator Portal

  • Open the Admin Portal and navigate to the VM Clouds
  • Click the Gallery tab /Import and select DomainControllerWindows2012.resdefpkg
  • The last step is to make your gallery item public and add it to your hosting plan.

Now you can start testing 🙂


Configuring RD Gateway for Azurepack Console connect with public certificate

The RDS Gateway is a crucial component of VM Clouds in Azure Pack: it gives your tenants the option to connect to the console of their VMs. I found many guides on how to configure it either with a self-signed certificate or with certificates from an internal CA. For production use, the RDS Gateway needs to be published externally with a trusted certificate. Note that for Azure Pack console connect we also need a second certificate from the internal CA. Here is my approach.

Requirements:

  • Internal Windows certificate authority
  • Dedicated server for the RDS Gateway (or two for HA)
  • Functional VM Cloud infrastructure (Azure Pack, VMM, SPF and Hyper-V hosts)
  • Public certificate from a trusted certificate authority (I will use a wildcard certificate from GoDaddy)
  • Public DNS record and public IP pointing to your RDGW server


Design Overview:


RDS Gateway installation

Run the following in PowerShell:

Install-WindowsFeature -Name RDS-Gateway  -IncludeManagementTools

RD Gateway Console Connect Installation

Insert the System Center 2012 R2 VMM installation media into the RDGW server and install the RD Gateway Console Connect pluggable module from this path:

AMD64\Setup\msi\RDGatewayFedAuth\RDGatewayFedAuth.msi

Import Public Certificate into RD Gateway Console

Next, open the RD Gateway Manager console. Right-click the server name and select Properties.

On the SSL Certificate tab, import your public certificate (in my case the wildcard certificate from GoDaddy).

Internal Certificate Preparation

An internal certificate is needed to establish trust between VMM, RDS Gateway and Hyper-V hosts.

Create Certificate Template:

  • In the Certification Authority console, click Manage to open the Certificate Templates console, find the Workstation Authentication template and duplicate it.
  • Rename the template to WapConsole and change the validity period to 2 years.
  • On the Request Handling tab, select Allow private key to be exported. (This is needed because the same PFX is later imported into VMM and pushed to the Hyper-V hosts; treat the exported PFX as a secret and delete the copies once imported.)
  • On the Cryptography tab, set the minimum key size to 4096. Under Providers, choose Microsoft Enhanced RSA and AES Cryptographic Provider.
  • On the Security tab, make sure your servers and your own account can enroll. To keep things simple, add the group Domain Computers and grant it Read and Enroll rights (note that this lets every domain-joined machine request a WapConsole certificate; in production, grant Enroll only to the VMM server or a dedicated group).
  • Click Apply and close the Certificate Templates console.

In the Certification Authority console, right-click Certificate Templates, select New and then Certificate Template to Issue. Select the WapConsole template and click OK.

Enroll Internal Certificate

  1. On the VMM server, open an MMC and add the Certificates snap-in for the local computer account. Navigate to Personal, right-click Certificates, and select All Tasks and then Request New Certificate.
  2. On the Request Certificates screen, select the WapConsole template you have just created and click Click here to configure settings.
  3. In Subject Name, choose Common Name as the type. As the value I specified rdgw.bkgcloud.sk.
    In Alternative Name, I added these DNS values: rdsgw01.cloud.local (I also added rdsgw02.cloud.local as I will install a second GW server later).
  4. Click Apply and then Enroll.

Export Certificate as PFX and CER

Once you have enrolled the certificate, export it twice: as PFX (with the private key) and as CER (without it).
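The enrollment and the two exports can be done from PowerShell on the VMM server with the PKI module that ships with Windows Server 2012 and later. This is an added example, not part of the original post; it uses the template name, subject and SAN names given above, and the output folder C:\temp is an assumption.

```powershell
# Added example (not from the original post): enroll the WapConsole certificate from the
# enterprise CA into the machine store, then export PFX (with key) and CER (without key).
# Assumed: template name WapConsole published by an online enterprise CA, output folder C:\temp.
$Subject  = "CN=rdgw.bkgcloud.sk"
$SanNames = @("rdsgw01.cloud.local", "rdsgw02.cloud.local")
$OutDir   = "C:\temp"

# Enroll against whichever enterprise CA publishes the template; the request is made as this
# computer, so the template's Enroll permission must cover this machine account.
$result = Get-Certificate -Template "WapConsole" -SubjectName $Subject -DnsName $SanNames `
                          -CertStoreLocation "Cert:\LocalMachine\My"
if ($result.Status -ne "Issued") { throw "Enrollment ended in state '$($result.Status)'" }
$cert = $result.Certificate

# Sanity checks before anything is exported
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store" }
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 4096) { throw "Key is $keySize bits; the template should enforce 4096" }
"Issued {0} by {1}, valid until {2}, RSA {3} bits, SANs: {4}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotAfter, $keySize, ($SanNames -join ", ")

# PFX for VMM / Hyper-V hosts; the password is prompted, never written into the script
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$pfxPath = Join-Path $OutDir "rdgw.bkgcloud.sk.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

# CER (public part only) for the RD Gateway trusted-issuer configuration
$cerPath = Join-Path $OutDir "rdgw.bkgcloud.sk.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

"PFX: {0}`nCER: {1}`nThumbprint for the RD Gateway: {2}" -f $pfxPath, $cerPath, $cert.Thumbprint
```

The thumbprint printed at the end is the value the RD Gateway step later needs; taking it from here avoids copying it out of the certificate dialog.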

Import Certificate to VMM Database and Hyper-V hosts

Run the script below on the VMM server (make sure all Hyper-V hosts are reachable):

# Path to the PFX certificate
$MyPFX = "c:\temp\rdgw.bkgcloud.sk.pfx"
# Password of the PFX, prompted so it is not stored in the script.
# ($PWD, used originally, is PowerShell's read-only current-directory variable and cannot be assigned.)
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
# VMM server FQDN
$VMM = "vmm01.cloud.local"
## Main code
Set-SCVMMServer -VMMServer $VMM `
    -VMConnectHostIdentificationMode FQDN `
    -VMConnectGatewayCertificatePath $MyPFX `
    -VMConnectGatewayCertificatePassword $PfxPassword `
    -VMConnectHyperVCertificatePath $MyPFX `
    -VMConnectHyperVCertificatePassword $PfxPassword `
    -VMConnectTimeToLiveInMinutes 1

# Refresh every host so VMM pushes the certificate to the Hyper-V hosts
Get-SCVMHost -VMMServer $VMM | Read-SCVMHost

Import internal certificate to RDS Gateway Server (CER)

Copy the CER certificate to RDS Gateway server and import it.

Add Certificate to Trusted Issuer Certificate

On the RDS Gateway server, run the following script (update the RDGW server name and the CER certificate thumbprint):

$Server = "rdsgw01.cloud.local"
# Thumbprint of the internal (WapConsole) certificate; the value shown is a placeholder,
# paste your own 40-character hexadecimal thumbprint
$Thumbprint = "9938B72078CE897466EFDSF69F78239FA5D30C6B3"
$TSData = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
$TSData.TrustedIssuerCertificates = $Thumbprint
$TSData.Put()

IIS Reset on RD Gateway server

Creating Internal DNS zone for bkgcloud.sk

I had to create an internal DNS zone for bkgcloud.sk and add an RDGW.bkgcloud.sk record pointing to the RDS Gateway's internal IP.

Publishing RDGW to the internet

  • Update the public DNS record for RDGW.bkgcloud.sk to point to the public VIP assigned on my firewall
  • Create firewall and NAT rules allowing TCP 443 from the internet to the RDS Gateway server

Azure pack integration with RD Gateway

  • Log in to the Azure Pack admin portal, go to the VMM properties and add the Remote Desktop Gateway FQDN, in my case rdgw.bkgcloud.sk
  • Update your hosting plans and check the box Connect to the console of virtual machines

Once you have finished all of the above, you can start testing your Console Connect 🙂


Configuring RD Gateway certificate – Exception calling "Put" with "0" argument(s): "Invalid parameter"

I was trying to configure the TrustedIssuerCertificate on my RD Gateway and experienced the following problem:

$Server = "myrdgw.domain.com"
$Thumbprint = "thumbprint of my certificate"
$TSData = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
$TSData.TrustedIssuerCertificates = $Thumbprint
$TSData.Put()

It returned an error:

I tried to reinstall the VMM console plugin with no luck. So I opened a new PowerShell window and typed all the commands manually.

Once successful, the script will give you the following output:
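For both the "Add Certificate to Trusted Issuer Certificate" step earlier on this page and the "Invalid parameter" failure above, it pays to validate the thumbprint before handing it to WMI and to read the setting back afterwards. The block below is an added example and not the post's own script. It normalises the thumbprint (a value pasted from the certificate dialog commonly carries spaces or an invisible left-to-right mark, which is enough to make Put() reject it), checks that a certificate with that thumbprint actually exists on the gateway, writes the setting, and verifies it. The server name is taken from the earlier post; the thumbprint is a placeholder, and the check over WinRM assumes PowerShell remoting to the gateway is enabled.

```powershell
# Added example (not from the original posts): validate, set and verify the
# TrustedIssuerCertificates value on the RD Gateway. Assumed: WinRM to $Server works,
# and the CER was imported into LocalMachine\My or LocalMachine\Root on the gateway.
$Server     = "rdsgw01.cloud.local"
$Thumbprint = "0000000000000000000000000000000000000000"   # placeholder; replace with your own

# Normalise: drop whitespace, colons and the invisible U+200E/U+200F marks that the
# certificate dialog can prepend to a copied thumbprint, then require exactly 40 hex digits
$clean = ($Thumbprint -replace '[\s:\u200E\u200F]', '').ToUpperInvariant()
if ($clean -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint is not 40 hexadecimal characters after cleanup: '$clean'"
}

# The CER must already be imported on the gateway; confirm it is present there
$cert = Invoke-Command -ComputerName $Server -ArgumentList $clean -ScriptBlock {
    param($tp)
    Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1 Subject, NotAfter, Thumbprint
}
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My or Root on $Server" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)" }

# Write the setting the same way the post does
$settings = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
$settings.TrustedIssuerCertificates = $clean
$null = $settings.Put()

# Read it back; nothing is proven until the stored value matches what was written
$check = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
if ($check.TrustedIssuerCertificates -ne $clean) {
    throw "Stored value '$($check.TrustedIssuerCertificates)' does not match '$clean'"
}
"TrustedIssuerCertificates on {0} = {1} ({2}, valid until {3})" -f `
    $Server, $check.TrustedIssuerCertificates, $cert.Subject, $cert.NotAfter
```

Follow it with the IIS reset on the gateway as in the procedure above; the read-back at the end only proves the WMI value was stored, not that the plugin has reloaded it.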