my personal blog about systemcenter

Update Rollup 4 for System Center 2012 R2 Virtual Machine Manager

Important Before Update Rollup 4, you had to run an SQL script after you installed an update package to make sure Update Rollups function correctly. As of Update Rollup 4, this step is no longer required.

http://support2.microsoft.com/kb/2992024

Besides all the great fixes we no longer need to run SQL scripts manually

YEAH , so many missed this requirement

With the release of update rollup 4 for Data Protection Manager 2012 R2 , it is now supported to protect a remote SQL server running SQL 2014 (about time)

http://blogs.technet.com/b/dpm/archive/2014/10/29/protect-sql-server-2014-using-dpm-2012-r2.aspx

There are still some features that aren't supported to test and verify , v.next will support/require SQL 2014 as the DPM database target , but in 2012 R2 UR4 it's protected data only

Install is pretty straightforward as usual

Push the agent , this will require a reboot due to the updated filter driver

After the server has been rebooted , verify that SYSTEM has sysadmin rights on the SQL server you want to protect

Create new protection group

Select Servers

Browse the SQL instance , and select auto to ensure that all databases will be added

Name the protection group , in the demo setup there is no tape library so short term only

And an hourly backup

Success !

and a few minutes later we now have a valid backup , ready for first restore test

HP has 2 integrations with Virtual Machine Manager , this post will cover the basic install of the HP Storage UI Add-In for System Center , this tool provides an overview of the storage connected to the Microsoft Hyper-V / Microsoft Virtual Machine Manager installation , a 2nd post will cover SMI-S integration for assigning storage to Hyper-V hosts

This post will cover the install and a few screen shots of the UI integration with Virtual Machine Manager

Start the installer

This is the install on the Virtual Machine Manager server so we will select HP Storage UI Add-In Server

Select path for install

Go Go

Install should not take more than a few minutes

DO NOT use a domain admin for this purpose , testing with the Hyper-V management account , not sure why HP wants to use a domain admin , seems like a terrible idea

So I will use the Hyper-V account used in VMM , again this needs further testing

Go to Settings > Console Add-Ins , and make sure the VMM console was launched with Run as administrator

Import the add-in

Go Go

Add the HP 3PAR storage systems through VMM

Set the IP address on the 3PAR’s and select the action account

Just for testing I added the FC and NL for provisioning in a later post

Go Go

In the VMM console select HP Storage Management , and select Authorize on the storage systems , this will prompt for credentials

And we now can see what LUN on the 3PAR a VM is located on and what paths/speed is used

And a general overview of the 3PAR

So one of the new features in UR3 for Data Protection Manager 2012 R2 is Scalable VM Backup

This adds more scale to each DPM server ensuring backup of the VM on each host

http://support.microsoft.com/kb/2966014

Features that are implemented in this update rollup
  • Scalable VM backup
    This update rollup improves the reliability at scale for Virtual Machine (VM) backups on Hyper-V and Windows Server 2012 R2 infrastructures. This feature is supported on both Cluster Shared Volumes (CSV) and scale-out file server (SOFS) storage configurations for VMs.
    Prerequisites

 

Ensure April Update on Everything

So patch your test DPM servers and update the agents

Reboot is NEEDED even on 2012 R2

Success

You will need to run a consistency check of all VMs

DPM issues a checkpoint before the CC

After checkpoint is complete we can create a recovery point

And we can see the snapshot being created and the deltas moved.

and on the plus side , no more errors on the VDS Basic Provider after the upgrade , and from the testing so far no issues with ODX enabled

PATCH TEST WAIT DEPLOY in PRODUCTION

One of the steps in creating a secure PKI infrastructure is protecting the Root CA from attacks when it's not in use. Normally we see people exporting the VM with the Offline Root CA to multiple external drives and storing them in a secure location , then taking them out of the safe once a year to refresh the CRL , or whenever an Issuing CA needs to be “killed” or renewed

But often in midsize installations the Offline Root CA stays in the environment , making it subject to offline attacks and loss of control of the PKI environment

In a perfect world the Root CA would be secured properly or might even be a physical HSM , but sometimes ease of access and reduced complexity / cost wins

This is an attempt to meet in the middle , keeping a higher security level than just leaving the VM around , and easier to manage than a VM exported to removable media

There have been multiple articles on how to use BitLocker in a hypervisor where we don’t have access to the TPM chip that might reside in the server

This example uses a 2012/2012 R2 VM created as generation 1 , so that potential problems with Secure Boot when moving the VM through the hypervisor lifecycle would not prevent a boot

http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

The above article is an example of how to enable BitLocker on a Windows 7 guest , and we follow the same procedure

Through gpedit.msc enable Allow BitLocker without a compatible TPM

Create a new virtual floppy

And attach it to the VM , this floppy file needs to be preserved in a safe as it will have the BitLocker recovery keys

Enable the BitLocker role on the VM

Run manage-bde -on C: -rp -SK A: , this will enable the encryption after the next reboot ,

the recovery password needs to be printed and secured with the virtual floppy ,

as this is a test environment created for this blog the password/key isn't pixelated

After reboot we can see that BitLocker is enabled

And verified from the GUI

If we remove the virtual floppy

the VM won't boot , so we need the virtual floppy to continue

 

It's an improvement over having a VM locally that can just be copied or started up ,

scrubbing the data area where the virtual floppy was created will improve this further , as will changing the encryption level on the BitLocker drive

This is not a perfect implementation but over a VM just sitting there offline this wins every time.
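
A check for the end state of the BitLocker procedure above, as an added example that is not part of the original post: run it elevated inside the Root CA VM after the reboot, with the virtual floppy attached. The function name Test-RootCaBitLocker is hypothetical; C: and A: are the drive letters used in the post, and the registry value is the one the "Allow BitLocker without a compatible TPM" policy writes.

```powershell
# Added example, not from the original post. Run elevated inside the VM.
function Test-RootCaBitLocker {
    param(
        [string]$MountPoint = 'C:',   # OS volume encrypted in the post
        [string]$KeyDrive   = 'A:\'   # virtual floppy that received the startup key
    )

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector)
    $types      = @($protectors | ForEach-Object { "$($_.KeyProtectorType)" })

    # File names of the startup keys this volume expects (<GUID>.BEK).
    $expected = @($protectors |
        Where-Object { "$($_.KeyProtectorType)" -eq 'ExternalKey' } |
        ForEach-Object { $_.KeyFileName })

    # The .BEK file is written hidden, so -Force is needed to list it.
    $onFloppy = @(Get-ChildItem -Path $KeyDrive -Filter '*.BEK' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })

    # Value written by the "Allow BitLocker without a compatible TPM" policy.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # The recovery password itself is deliberately never written to the output.
    [pscustomobject]@{
        ProtectionOn        = ("$($vol.ProtectionStatus)" -eq 'On')
        FullyEncrypted      = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted')
        EncryptionMethod    = "$($vol.EncryptionMethod)"
        NoTpmPolicySet      = ($fve.EnableBDEWithNoTPM -eq 1)
        HasStartupKey       = ($types -contains 'ExternalKey')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        StartupKeyOnFloppy  = [bool]($expected | Where-Object { $onFloppy -contains $_ })
    }
}

$result = Test-RootCaBitLocker
$result | Format-List

# Fail loudly if any boolean check is false, e.g. encryption still in progress.
$failed = $result.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { $_.Name }
if ($failed) { throw "BitLocker checks failed: $($failed -join ', ')" }
```

FullyEncrypted stays false while the volume is still encrypting, so run the check again once encryption has finished and before the floppy image goes into the safe.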