my personal blog about systemcenter

All posts in Hyper-V

Deduplication and Compression vs Encrypted VMs

Categories: Bitlocker, Compression, Deduplication, Hyper-V, Windows Server 2016
So with Windows Server 2016 we now have the ability to enable a virtual TPM inside the VM, to help protect data from threats ranging from a rogue SAN snapshot to a stolen backup tape.

D:\New folder>ddpeval.exe "D:\UNSECURE"
Data Deduplication Savings Evaluation Tool
Copyright (c) 2013 Microsoft Corporation.  All Rights Reserved.

Evaluated folder: D:\UNSECURE
Evaluated folder size: 17,38 GB
Files in evaluated folder: 6

Processed files: 6
Processed files size: 17,38 GB
Optimized files size: 4,52 GB
Space savings: 12,87 GB
Space savings percent: 74

Optimized files size (no compression): 7,93 GB
Space savings (no compression): 9,46 GB
Space savings percent (no compression): 54

Default VMs: 54% deduplication with 2 default-installed guests. Sure, this number will skew once data is added, but this is just to give a small example.

D:\New folder>ddpeval.exe "D:\SECURE"
Data Deduplication Savings Evaluation Tool
Copyright (c) 2013 Microsoft Corporation.  All Rights Reserved.

Evaluated folder: D:\SECURE
Evaluated folder size: 20,41 GB
Files in evaluated folder: 6

Processed files: 6
Processed files size: 20,41 GB
Optimized files size: 19,36 GB
Space savings: 1,06 GB
Space savings percent: 5

Optimized files size (no compression): 19,46 GB
Space savings (no compression): 981,13 MB
Space savings percent (no compression): 4

Files excluded by policy: 0
Files excluded by error: 0

The same 2 VMs, now with in-guest BitLocker: almost all of the effect from deduplication is gone, so secured VMs will hurt storage cost if you rely on array-based compression and/or deduplication.

Sure, not all VMs will be encrypted, but seeing this from a hoster's perspective I can see all VMs being encrypted.
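
As an added illustration, not part of the original post: the Python below models what ddpeval is measuring. It chunks two constructed guest images that share most of their blocks, counts the savings a block-level deduplicator would get, then repeats the count after encrypting each guest with its own key (the in-guest BitLocker situation) and, for contrast, with one key and IV shared by every VM. The cipher is a hash-based toy keystream standing in for a real one; all sizes, hostnames and keys are constructed.

```python
import hashlib

CHUNK = 4096  # fixed-size chunks, a simple stand-in for a block-level deduplicator


def dedup_savings(blobs, chunk=CHUNK):
    """Whole-percent saving a fixed-size chunk deduplicator gets on the blobs.
    Chunks are identified by SHA-256, the idea behind the "optimized size" that
    ddpeval reports; compression is deliberately left out of this model."""
    total, unique = 0, {}
    for data in blobs:
        for off in range(0, len(data), chunk):
            piece = data[off:off + chunk]
            total += len(piece)
            unique.setdefault(hashlib.sha256(piece).digest(), len(piece))
    return round(100 * (total - sum(unique.values())) / total)


def toy_ctr_encrypt(key, iv, data):
    """XOR data with a hash-derived counter-mode keystream (apply twice to decrypt).
    Toy stand-in for a real cipher, used only to show how ciphertext behaves under
    deduplication; it protects nothing."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + iv + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def make_guest(hostname, base, chunk=CHUNK):
    """Constructed sample VHD: a shared OS image plus one guest-specific chunk."""
    return base[:-chunk] + hostname.encode().ljust(chunk, b"\0")


def compare_dedup():
    """Savings for two near-identical guests: plaintext versus two ways of encrypting."""
    # Constructed 64 KiB "OS image" of non-repeating bytes, shared by both guests.
    base = b"".join(hashlib.sha256(b"os-image" + n.to_bytes(4, "big")).digest()
                    for n in range(16 * CHUNK // 32))
    guests = [make_guest("SECURE01", base), make_guest("SECURE02", base)]
    # Each VM with its own key and IV, which is what per-VM in-guest BitLocker gives.
    per_vm = [toy_ctr_encrypt(f"key-{i}".encode(), f"iv-{i}".encode(), g)
              for i, g in enumerate(guests)]
    # Same key and IV for every VM: deterministic, so equal blocks stay equal, and
    # anyone who can read the storage learns which blocks the VMs share.
    shared = [toy_ctr_encrypt(b"shared-key", b"shared-iv", g) for g in guests]
    return {"plaintext": dedup_savings(guests),
            "per_vm_key": dedup_savings(per_vm),
            "shared_key_and_iv": dedup_savings(shared)}
```

Expect about 47% saving on the plaintext pair, 0% once each VM has its own key, and 47% again with a shared deterministic key; that last case is the trade-off, since keeping dedup means the storage layer can see which blocks are identical across tenants.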

Shielded VMs: a new era for secured VMs

Categories: Hyper-V, Windows Server 2016
With the preview of Windows Server 2016, we have a new feature that can help improve security.

With Shielded VMs we can add a virtual TPM module to each VM and use it to encrypt the content of the virtual machine.

The step-by-step guide to add this is provided by Microsoft here: https://aka.ms/shieldedVMs

It is supported for VMs and for VMs managed by Windows Azure Pack.

For deployment, either a dedicated AD forest or hardware with TPM 2.0 is supported, but servers that support TPM 2.0 are, as of this writing, hard to find (a Surface works for testing), so this has been tested in our playground using a dedicated AD forest.

After the initial setup of the dedicated forest and installation of the Host Guardian Server, we need to add protection to the VMs.

So here we have a dedicated forest that holds the Host Guardian Servers and has a one-way trust to the forest where our Hyper-V hosts and VMs are located. This enables us to secure the VM in the hosted environment: it prevents a Hyper-V administrator from accessing data within a VM, and the same goes for Backup Operators.

For compliance, and in environments where encryption is a requirement, this is a very big step towards ensuring security across the hypervisor.

PS C:\> $KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot  # untrusted root only because there is no dedicated PKI; testing only

PS C:\> Add-VMTPM -VMName SECURE01
PS C:\> Add-VMTPM -VMName SECURE02
PS C:\>
PS C:\> Set-VMTPM -vmname SECURE01 -Enabled $true -KeyProtector $KP.RawData
PS C:\> Set-VMTPM -vmname SECURE02 -Enabled $true -KeyProtector $KP.RawData

This adds TPM information to the virtual machine and enforces Secure Boot; it works with Generation 2 VMs only.

This is our VM before we enable the vTPM.

And this is our VM after the vTPM has been enabled.

If we then encrypt our VM with BitLocker and try to open a "stolen" copy of the VM, we can't.

This was just a small teaser to show one area of the Hyper-V 2016 security enhancements; a later post will dive a little deeper into securing the environment using Shielded VMs.

Error 25250 Unable to find Adapter

Categories: Hyper-V, Virtual Machine Manager, Windows Server 2012 R2
Error (25240)

Adding a member to the adapter team Applications failed with error Unable to find Adapter HP FlexFabric 20Gb 2-port 650FLB Adapter #2 in Team after addition

Recommended Action

Ensure the team is functioning correctly and retry the operation.

I ran into the following problem applying a Logical Switch to some shiny new Hyper-V hosts: I could select the adapters and create the Logical Switch, but applying it ended up in a rollback after it tried to add the 2nd adapter to the team.

After looking around for a bit I saw that the 2nd network card was disabled in Windows.

And after enabling the network card everything was green again.

So always check the cable... err, I mean the network card.

‘VMNAME’ could not initialize. (Virtual machine ID GUID)

Categories: Hyper-V, NetApp
Recently I ran into an issue where I couldn't start a VM located on a NetApp running SMB 3.

Rights on the filesystem looked without issue, and opening the VHD over the network worked, but anything manipulated from Hyper-V failed with "a resource attached to the system failed".

After digging around a bit I found that the time was shifted on the NetApp box, so any Kerberos authentication failed.

And the culprit on the NetApp was:

secd.kerberos.clockskew: Kerberos client or node clock skew error (-1765328351). 

Description :

This message occurs when there is a “time error”(clock skew, time skew, time out of bounds). This error indicates that there is a time discrepancy between client and node or client and Key Distribution Center (KDC). The kerberos authentication request from the client was forwarded to the KDC and it failed because the timestamp encrypted in the client’s kerberos ticket was different by more than the maximum time difference that is configured on the KDC.

Action :

Ensure that the clock time of the node is identical to that of the client and to that of the KDC. Ensure that the correct time zone setting is selected on the node. To keep the node and KDC time clocks in synchronization automatically, configure Network Time Protocol (NTP) services on the node. You might also want to increase the clock skew interval. To do so, modify the kerberos-realm configuration clock-skew (“Maximum tolerance for computer clock synchronization” in Windows(R) Active Directory) parameter from the default 300 seconds to 600 seconds or more. Note: Increasing the clock-skew interval makes the client protocols less secure against network replay attacks.

After setting an NTP server on the NetApp box that is in sync with Active Directory, everything was working again after a few minutes. Success.
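
To make the NetApp explanation above concrete, this added Python model (not from the post or from NetApp) implements the two checks a Kerberos service applies to an authenticator: the clock-skew test and a per-node replay cache. It walks through a node clock that is 7 minutes behind, first with the default 300 s tolerance and then with 600 s, which shows both why the node rejected the host and what the "less secure against replay" note means: a wider tolerance is a longer window in which a captured authenticator is still accepted by any node that has not seen it. The principal name, timestamps and two-node layout are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_SKEW = timedelta(seconds=300)  # Kerberos default; the NetApp text above suggests 600


@dataclass(frozen=True)
class Authenticator:
    """The AP-REQ authenticator fields a service checks (RFC 4120 section 3.2.3)."""
    client: str
    ctime: datetime  # the client's clock when it built the authenticator
    cusec: int       # microseconds, so two authenticators within one second differ


class ServiceVerifier:
    """One node's acceptance check: clock skew first, then its local replay cache."""

    def __init__(self, max_skew=DEFAULT_SKEW):
        self.max_skew = max_skew
        self.replay_cache = {}  # (client, ctime, cusec) -> when the entry may be dropped

    def accept(self, auth, node_now):
        # Entries outside the skew window can go: a replay that old fails the skew check.
        self.replay_cache = {k: t for k, t in self.replay_cache.items() if t > node_now}
        if abs(auth.ctime - node_now) > self.max_skew:
            return "KRB_AP_ERR_SKEW"    # RFC 4120 error 37: what a wrong node clock produces
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"  # RFC 4120 error 34: same authenticator seen again
        self.replay_cache[key] = auth.ctime + self.max_skew
        return "OK"


def scenario(node_offset_seconds, max_skew_seconds):
    """Constructed walk-through: a host with a correct clock talks to a node whose clock
    is node_offset_seconds behind. Returns the verdicts on the first request, on an
    immediate replay to the same node, and on a replay to a second node with its own
    (unshared) replay cache."""
    true_now = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    node_now = true_now - timedelta(seconds=node_offset_seconds)
    auth = Authenticator("HYPERV01$@CORP.EXAMPLE", true_now, 123456)  # constructed principal
    node_a = ServiceVerifier(timedelta(seconds=max_skew_seconds))
    node_b = ServiceVerifier(timedelta(seconds=max_skew_seconds))
    first = node_a.accept(auth, node_now)
    replay_same_node = node_a.accept(auth, node_now + timedelta(seconds=1))
    replay_other_node = node_b.accept(auth, node_now + timedelta(seconds=1))
    return first, replay_same_node, replay_other_node
```

With the node 420 s behind, scenario(420, 300) rejects everything with the skew error, while scenario(420, 600) accepts the first request, catches the replay on the same node, and accepts it on the second node; fixing the clock with NTP removes the need to widen the window at all.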

This post will cover the basics of setting up integration with the Amazon Virtual Tape Library, with AWS/Glacier as the target.

Microsoft has a competing solution that integrates Azure into the Data Protection Manager console; that has been covered in an earlier post and will be covered more in a post where the two solutions are compared.

Amazon Virtual Tape Library is a low-cost, highly flexible solution, and below is their own description of the device:

Gateway-Virtual Tape Library (Gateway-VTL): With Gateway-VTL you can have a limitless collection of virtual tapes. Each virtual tape can be stored in a Virtual Tape Library backed by Amazon S3 or a Virtual Tape Shelf backed by Amazon Glacier. The Virtual Tape Library exposes an industry standard iSCSI interface which provides your backup application with on-line access to the virtual tapes. When you no longer require immediate or frequent access to data contained on a virtual tape, you can use your backup application to move it from its Virtual Tape Library to your Virtual Tape Shelf in order to further reduce your storage costs.

Pricing differs from region to region, and long-term storage cost is a lot cheaper than "near" online storage.

So it's time to grab an Excel jedi and calculate the cost vs. Azure vs. tape.

Amazon has a very good guide for setting up a new gateway. The supported Hyper-V version is right now 2008 R2; this test is on 2012 R2, so it is unsupported and not usable for production until Amazon gets the VTL upgraded.

The gateway has 3 modes; this post will cover the Virtual Tape Library mode and not the other operations.

Supported Hypervisors and Host Requirements

You may choose to run AWS Storage Gateway either on-premises, as a virtual machine appliance, or in AWS, as an Amazon EC2 instance.

AWS Storage Gateway supports the following hosts for deployment on your premises:

VMware ESXi Hypervisor (version 4.1 or 5.0). A free version of VMware is available on the VMware website. You will also need a VMware vSphere client to connect to the host.

Microsoft Hyper-V 2008 R2. A free, standalone version of Hyper-V is available at the Microsoft Download Center. You will need a Microsoft Hyper-V Manager on a Windows client computer to connect to the host.

Supported Backup Software (Gateway-VTL Only)

Typically, you will use a backup application to read, write, and manage tapes with a gateway-VTL.

The following lists the third-party backup software that Gateway-VTL supports.

Microsoft System Center 2012 R2 Data Protection Manager

I want to run the AWS Storage Gateway on Microsoft Hyper-V

Download the AWS Storage Gateway Virtual Machine (VM) software. Unzip the downloaded file and make note of the location of the folder that was created.

Using Microsoft Hyper-V Manager client, connect to the host hypervisor that you will be using to run the AWS Storage Gateway.

Since we can't use the template out of the box, we create a new machine.

Select a name and location

and Generation 1

For testing purposes I set the VM to 8 GB of memory and 4 CPUs

And added a NIC; this test uses one NIC both for iSCSI to the VTL and for the transfer to the internet, this can be separated

Use the VHD supplied in the image from Amazon

Your gateway prepares and buffers your application data for upload to AWS by temporarily storing this data on disks referred to as upload buffer.

Using your Hyper-V Manager client, allocate one or more local disks to your gateway VM for your gateway’s upload buffer. To estimate the amount of upload buffer your gateway requires, use the approximate data you plan to virtual tape cartridges on a daily basis. It is strongly recommended that you allocate at least 150 GBs of upload buffer. You can refer to our documentation for a more precise calculation.

For testing I added a small workload so we didn't need large cache files locally

So 2 files of 256 GB were added to the VM

Time to power on the VM

Hit 2, Static IP Address

Add the IP address in the gateway activation

Select the Medium Changer STK-L700 for Data Protection Manager support

It's time to create some virtual tapes

First step is to set up the upload buffer and cache on the 2 drives created on the VM

100 GB tapes with the prefix TEST

And we now have a virtual tape library and LTO drives

On the DPM server, connect through iSCSI to the VTL VM

Connect the 10 drives and the media changer

In Device Manager, update the unknown media changer to Sony A500C

http://docs.aws.amazon.com/storagegateway/latest/userguide/backup-DPM.html

In DPM, hit Rescan under Library

You will see the library and 10 stand-alone drives

Hit "Add Tape" to import the virtual tapes

Stop the loader service:

net stop DPMLA

The DPMLA service is stopping..
The DPMLA service was stopped successfully.

Run the DPMDriveMappingTool:

C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin>DPMDriveMappingTool.exe
Performing Device Inventory …
Mapping Drives to Library …
Adding Standalone Drives …
Writing the Map File …
Drive Mapping Completed Successfully.

Start the loader service:

C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\bin>net start dpmla
The DPMLA service was started successfully.

Rescan the library again

And you should see a loader with 1600 slots and 10 drives

Run a detailed inventory; note that since it is 1600 slots, it takes 10-15 minutes on my test machine

And we now have something to back up to

Modify the protection group to add Long Term Storage

Select a fitting schedule

For testing I only use one drive and compression, not encryption; security will be covered in a future post

Create Recovery Point

And select long term recovery

And we now have backup to the cloud instead of a local tape drive.

The next post will cover more detailed monitoring of cache/buffer and tape handling in Amazon.