May 2017 will be a travelling month

Introduction

In ICT, you never stop learning. Changes come and go fast. Navigating through these turbulent times of rapid change and short value cycles in order to provide continuity in both services and value without falling behind or being held back is a challenge we all face every day. If you hire or employ technologists, please take a moment to consider what they pull off for you every day. It helps to be realistic about what to expect from and to achieve with them. For that, a solid understanding of the technology ecosystem and good doctrine to achieve your goals are necessary. For that to really happen and for their efforts to pay off, we need to make sure politics and bureaucracy are kept under control. Let your people shine and move ahead. Long-term planning does not equate to a strategy, and you might find yourself outpaced and outmaneuvered by the industry and your competitors. That’s a reason why you see technologists move up the ladder and take on the leadership role inside many companies. They tend to be better placed to see the opportunities and what these require. In that respect, it pays off to walk out of your office every now and then in order to prevent tunnel vision and echo chambers. That’s one of the reasons that for me May 2017 will be a travelling month.

Cloud & Datacenter Conference Germany

First, I’ll be in Munich, Germany, for the Hyper-V community day and to both attend and speak at the Cloud & Datacenter Conference Germany 2017. That’s a conference for and by the community, and the speakers are all highly experienced people who talk the talk and walk the walk.

If you can, grab a ticket asap. From the very 1st edition the Cloud & Datacenter Conference Germany has set the standard for what a conference should be like. I’ll be talking about SMB Direct / RDMA on the Hyper-V community day and about Windows Server 2016 Failover Clustering & Hyper-V at the conference. Please feel free to come over and chat.

Dell EMC World 2017

After that I’m off to DELL EMC World 2017 where I’ll be diving into the offerings that exist today and in the near future. As you might have guessed I’m very interested in the DELL Storage Spaces solutions, their take on and use of ReFSv3 and Windows Server 2016. Next to that, I would not be nicknamed RoCE Balboa if I was not interested in networking. Hardware wise I have my eye on the S-Series S6100-ON as that is one versatile piece of equipment. Man, I imagine having a lab with 6 of those to test and play around with. Not to mention the S2D clusters & backup targets to hammer them with a nice workload. Throw in the Mellanox cards for good measure. I can dream, right? As I’m a realist I’m also very interested in their servers and, still, the Compellent offerings, which as far as traditional SANs go is one easy to manage & leverage piece of gear. It goes without saying I’ll be taking a look at what the EMC addition to the portfolio can achieve for us as well as the DELL EMC 3rd party offerings.

VeeamOn 2017

After that I continue on to VeeamON 2017 which makes a great addition to the two above. The Windows Server 2016 core stack as the basis for Azure Stack, S2D running on that great DELL EMC hardware. Now have that protected and made continuously available by the Veeam Availability Suite 9.5. That’s how you get an amazing stack of technologies on which to build and support amazingly good services.

At VeeamON 2017 I’ll be joining two big names in the industry, Luca Dell’Oca and Carsten Rachfahl, to talk about ReFSv3. We’ll be attending sessions and “hanging out” at the MSFT booth as well.

So, no rest for a Microsoft MVP, Microsoft Extended Experts team member, Azure Advisor, DELL Community Rockstar and Veeam Vanguard. We’re always reading up, learning, investigating, sharing experiences & insights with our peers and learning from them. Conferences done right are very valuable and a great networking / learning opportunity. Make the most of them when you can.

My value is your value

These conferences, together with our focus on some very innovative and promising public and hybrid cloud technologies in Azure, will keep me busy contemplating designs, testing the concepts of the solutions I have in my mind and delivering very efficient and effective solutions, both in functionality as well as in TCO and ROI. That (and caffeine) combined with working with great and smart people is what makes me run. So for that reason alone I do not mind that May 2017 will be a travelling month.

VeeamOn 2017 Call for Presentations

Veeam will be holding its annual conference VeeamOn 2017 in New Orleans, Louisiana on May 16th – 18th. You can actually already pre-register for the conference today. Just follow this link. This qualifies you for a $200 discount.

But don’t stop there. When you work with Veeam products you might have some interesting solutions and experiences to share. Maybe you got creative and designed a smart solution to your needs. That’s something that can inspire people to think about how they use the products. So please, don’t be shy. Consider submitting your proposal for a presentation at VeeamOn 2017. Help your peers to achieve their needed availability in an always-on world. Go to https://www.veeam.com/veeamon/call-for-presentations and share your experience, knowledge and insights.

I hope to see you there to learn from and be inspired by you, my peers and colleagues from all over the world!

Heading Home after Ignite 2016

While traveling back home here are some musings on Microsoft Ignite 2016. I’m not going to regurgitate all the news and announcements here.

There were many and they were diverse. Azure Identity, Security, storage, management, Windows Server 2016, Hyper-V, Storage Spaces, Storage Replica … are all offering a wide variety of new capabilities and options. It’s impressive now and it will be even more impressive in the future. When I connect the dots and look at the opportunities, my take on what the future roadmap can and might be visualizes in front of my eyes. That’s the value I can add to an organization that’s committed to its future and realizes it needs to leverage IT to its fullest potential. That means you cannot treat IT as a facility just because we build it on commodity products. Every success is built on creative and well directed use of the components and the capabilities. This requires a lot more than lip service or merely covering up bad choices and political ambitions with a thin layer of “big principles”. The key to success is speed, agility and insight in a world where mobile and cloud offer tremendous new opportunities. Large, long term, centralized projects have their place, but sticking to them by default in the wrong place and in the wrong way will lead to failure in a 24/7/365 mobile world where federation and collaboration across boundaries are paramount. The small, cost effective and efficient projects delivering real value with a purpose will make giants, both in government and the private sector, stumble and even fall.

We have so much opportunity here that many cannot see the forest for the trees anymore. This will lead to many failed projects, ambitions and organizations, in combination with a waste of time and money. That’s where we can make the difference.

As an attendee and MVP I was very happy to be able to attend in order to calibrate my compass and correct course. In good tradition I signed the billboard for attending MVPs at Ignite 2016. I’m already looking forward to heading back to Redmond for the MVP Global Summit and continuing the discussion at the Microsoft headquarters.

To me, the Ignite 2016 edition was one of intensive networking with Microsoft experts and management. This extended to 3rd party vendors and partners of Microsoft. This, in combination with the discussions with my peers to discover their views and insights, has given me a very up to date view on where we are at and where things are going. That’s the value I’m taking back home to work with and help people reach their full potential. That’s not an easy task as many today are, or feel, at least a bit out of balance to completely lost. Technologists are the ones to step up all the way to the board level and steer their organizations towards a successful future. Many companies are not ready for this and some management feels threatened by this. There’s basically no need for that fear as we are technologists, not politicians. We solve problems, we don’t create them. We drive companies towards success, if you let us.

A First look at Cloud Witness

Introduction

In Windows Server 2012 R2 Failover Clustering we have 2 types of witness:

  1. Disk witness: a shared disk that can be seen by all cluster nodes
  2. File Share Witness (FSW): An SMB 3 file share that is accessible by all cluster nodes

Since Windows Server 2012 R2 the recommendation is to always configure a witness. The reason for this is dynamic quorum and dynamic witness. These two capabilities offer the best possible resiliency without administrator intervention and are enabled by default. The cluster dynamically assigns a quorum vote to a node when it’s up and removes it when it’s down. Likewise, the witness is given a vote when it’s better to have a witness; if you’re better off without the witness it won’t get a vote. That’s why Microsoft now advises to always set a witness: it will be managed automatically. The result of this is that you’ll get the best possible uptime for a cluster under any given circumstance.

This is still the case in Windows Server 2016, but Failover Clustering does introduce a new witness option: the cloud witness.

Why do we need a cloud witness?

For certain scenarios, such as a cluster without shared storage and especially when a stretched cluster is involved, you’ll have to use a FSW. It’s a great solution that works as well as a disk witness in most cases. Why do I say most? Well, there is a scenario where a disk witness will provide better resiliency, but let’s not go there now.

Now the caveat here is that you’ll need to place the FSW in a 3rd independent site. That’s a hard order for many to fulfill. You can put it on the desktop of the receptionist at a branch office or on a virtual machine on the cluster itself, but it’s “suboptimal”. Ideally the FSW is independent and highly available, not dependent on what it’s supposed to support in achieving quorum.

One of the other workarounds was to extend AD to Azure, deploy a SOFS cluster with a non-CA file share on a cluster of VMs in Azure and have both other sites access it over VPN or Express Route. That works, but in a time of easy, fast, cheap and good solutions it’s still serious effort, just for a file share.

As Microsoft has more and more use cases that require a FSW (site aware stretched clusters, Storage Spaces Direct, Exchange DAG, SQL Availability Groups, workgroup or multi domain clusters), they had to find a solution for the growing number of customers that do not have a 3rd site but do need a FSW. The cloud idea above is great, but the implementation isn’t the best as it’s rather complex and expensive. Bar using virtual machines, you can’t use Azure file services in the cloud as those are primarily for consumption by applications and security is done not via ACLing but via access keys. That means the security for the Cluster Name Object (CNO) can’t be set. So even when you can expose a cloud file share on premises to Windows Server 2016 (any OS that supports SMB 3 actually) by mapping it via NET USE, the cluster GUI can’t set the required security for the cluster nodes, so it will fail. And no, you can’t set it manually either. Just to prove this I tried it for you to save you the trouble. Do NOT even go there!

So what is possible? Well, come Windows Server 2016, Failover Clustering now has a 3rd type of witness: the cloud witness. Functionally it’s like a FSW. The big difference is that it’s a dedicated, cloud based solution that mitigates the need and costs for a 3rd data center and avoids the cost of the workarounds people came up with.

Implementing the cloud witness

In your Azure subscription you create a storage account; for this purpose I’ve created one named democloudwitness in my resource group RG-Demo. I’m using a separate storage account to keep things tidy and separated from my other demo storage accounts.

A storage account gets two access keys and two connection strings. The reason for this is that when you need to regenerate one key you can have your workloads use the other one, so this can be done without downtime.

In Azure the work is actually already done. The rest will happen on premises on the cluster. We’ll configure the cluster with a witness. In PowerShell this is a one liner.

If you get an error, make sure the information is correct and you can reach Azure over HTTPS via the internet, VPN or Express Route. You normally do not need to use the endpoint parameter, just in the rare case you need to specify a different Azure service endpoint.

The access key shown in the screenshot is a fake one, by the way, just so you know. Once you’re done, Get-ClusterQuorum returns Cloud Witness as the QuorumResource.

In the GUI you’ll see the same cloud witness listed in the cluster core resources.

When you open up the Blob service in your storage account you’ll see that a container has been created with the name msft-cloud-witness. When you select it you’ll see a file with a GUID as its name.

That GUID is actually the same as your cluster instance ID, which you can find in the registry of your cluster nodes under the HKLM\Cluster key in the string value ClusterInstanceID.

Your storage account can be used for multiple clusters. You’ll just see extra entries, each with their own GUID.

All this consumes so few resources it’s quite possibly the cheapest ever way of getting a cluster witness. Time will tell.

Things to consider

• Cloud Witness uses the HTTPS REST (NOT SMB 3) interface of the Azure Storage Account service. This means it requires the HTTPS port to be open on all cluster nodes to allow access over the internet. Alternatively an Azure Site-2-Site VPN or Express Route can be used. You’ll need one of those.

• REST means there is no ACLing for the CNO to be done, unlike on an SMB 3 FSW. Security is handled automatically by the Failover Cluster, which doesn’t store the actual access key but generates a shared access security (SAS) token using the access key and stores that securely.

• The generated SAS Token is valid as long as the access key remains valid. When rotating the primary access key, it is important to first update the cloud witness (on all your clusters that are using that storage account) with the secondary access key before regenerating the primary access key.

• Plan your governance between cluster and Azure admins if these are not the same people. I see Azure resource governance being neglected, and as a cluster admin it’s nice to have some degree of control or say in the Azure part of the equation.
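The PowerShell one-liner, the Get-ClusterQuorum check, the ClusterInstanceID lookup and the key rotation order from the list above, pulled together as an added example (this is not code from the original post). It assumes the Az and FailoverClusters modules, an Azure login, and that it runs on a cluster node; the resource group and storage account names are the post’s demo values, and the key names key1/key2 are Azure’s defaults.

```powershell
# Added example, not from the original post. Assumes the Az and FailoverClusters
# modules, Connect-AzAccount already done, and execution on a node of the cluster.
$ResourceGroup = 'RG-Demo'            # resource group from the post
$AccountName   = 'democloudwitness'   # storage account from the post

# Both access keys of the storage account (Azure names them key1 and key2).
$keys      = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
$primary   = ($keys | Where-Object KeyName -eq 'key1').Value
$secondary = ($keys | Where-Object KeyName -eq 'key2').Value

# Step 1: the one-liner that configures the cloud witness. -Endpoint is only
# needed for a non-default Azure service endpoint, so it is left out here.
Set-ClusterQuorum -CloudWitness -AccountName $AccountName -AccessKey $primary

# Step 2: verify the quorum resource is now the cloud witness.
$quorum = Get-ClusterQuorum
if ($quorum.QuorumResource.Name -ne 'Cloud Witness') {
    throw "Unexpected quorum resource: $($quorum.QuorumResource)"
}

# Step 3: the blob in the msft-cloud-witness container is named after the
# cluster instance ID, stored on every node under HKLM\Cluster.
$instanceId = (Get-ItemProperty -Path 'HKLM:\Cluster' -Name ClusterInstanceID).ClusterInstanceID
Write-Host "Cluster instance ID (expected blob name): $instanceId"

# Step 4: rotate the primary key safely. Point the witness (on EVERY cluster
# using this storage account) at the secondary key first; only then regenerate
# key1. Regenerating first would invalidate the SAS token derived from key1.
Set-ClusterQuorum -CloudWitness -AccountName $AccountName -AccessKey $secondary
New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName key1 | Out-Null
```

Repeat the two lines of step 4 with the roles of key1 and key2 swapped when the secondary key is next due for rotation.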

For completeness I’ll mention that the entire setup of a cloud witness is also very nicely integrated into the Failover Cluster GUI.

Right click on the desired cluster and select “Configure Cluster Quorum Settings” from the menu under “More Actions”.

Click through the startup form (unless you’ve never ever done this, then you might want to read it).

Select either “Select the quorum witness” or “Advanced quorum configuration”.

We keep the default selection of all nodes.

We select “Configure a cloud witness”.

Type in your Azure storage account name, your primary access key for the “Azure storage account key” and leave the endpoint at its default. You normally won’t need this unless you need to use a different Azure service endpoint.

Click “Next” to review what you’re about to do.

Click Next again and let the wizard run.

You’ll get a report when it’s done. If you get an error, make sure the information is correct and you can reach Azure over HTTPS via the internet, VPN or Express Route.

Conclusion

I was pleasantly surprised by how easy it was to set up a cloud witness. The biggest hurdle for some might be access to Azure in secured environments. The file itself contains no sensitive information at all, and while a VPN or Express Route are secured connectivity options, these might not be allowed or viable in certain environments. Other than this I have found it to be very reliable, effective, cheap and easy. I really encourage you to test it and see what it can do for you.