Get-VMHostSupportedVersion Windows Server 2016 Hyper-V

Posted on March 7, 2016 by workinghardinit

Windows Server 2016 Technical Preview 4 has this great PowerShell command to check what virtual machine versions the Hyper-V host supports: Get-VMHostSupportedVersion

When you run this the output on Windows Server 2016 TPv4 is as below.

As you can see it supports 5.0 (which translates to the version on Windows Server 2012 R2). That’s logical, it’s the version your migrated VMs will have when you move them to Windows Server 2016 as the VM version is no longer automatically updated. You can read more about this here: https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/migrating_vms

You must also realize that updating from 5.0 to higher means moving to the newer Virtual machine configuration file format, which is way better for performance and is a binary format and not longer XML.

6.2 is the version a VM had in the Technical Preview 3 era. Which is cool as when you move your VMS between TPv3 and TPV4 they still worked and were supported. Now in reality you want to be either at 5.0 so you can still move VMs back to a W2K12R2 host or at 7.0 to have all new features and capabilities that come with W2K16 at your disposal.

7.0 is also the current default and are the version any newly created VMs or any VM you update via Update-VMVersion will be at.

Now don’t panic, if you need to stay at version 5.0 even for newly created VMs for backward compatibility in mixed Hyper-V Windows Server 2012 R2 / Windows Server 2016 environment. You can specify this with the –version parameter of New-VM

New-VM -Name “IChooseMyVersion-5.0” -Version 5.0

To know what version you can pass to that parameter you only have to look at the output of Get-VMHostSupportedVersion: 5.0, 6.2, 7.0 at the time of writing (on TPv4).

You can see the result of some fun with this in the below screenshots:

I fully expect Microsoft to keep this up for TPv5 or perhaps even with RTM to allow a smooth transition for VMs running on preview editions to RTM. We’ll see. At RTM time I can see them removing the ability to create a new VM that’s still at 6.2 or so as It’s a “intermediate” work in progress version or so on the way to the final default version number at RTM (see Windows Server 2016 TPv4 Hyper-V brings virtual machine configuration version 7). We’ll see!

Storage-level corruption guard

Posted on March 3, 2016 by workinghardinit

One of the many gems in Veeam Backup & Replication v9 is the introduction of storage-level corruption guard for primary backup jobs. This was already a feature for backup copy jobs. But now we have the option of periodically scanning or backup files for storage issues.It works like this: if any corrupt data blocks are found the correct ones are retrieved from the primary storage and auto healed. Ever bigger disks, vast amounts of storage and huge amounts of data mean more chances of bit rot. It’s an industry wide issue. Microsoft tries to address this with ReFS and storage space for example where you also see an auto healing mechanism based on retrieving the needed data from the redundant copies.

We find this option on the maintenance tab of the advanced setting for the storage settings of a backup job, where you can enable it and set a schedule.

The idea behind this is that this is more efficient than doing periodical active full backups to protect against data corruption. You can reduce them in frequency or, perhaps better, get rid of those altogether.

Veeam describes Storage-level corruption guard as follows:

Can it replace any form of full backup completely? I don’t think so. The optimal use case seems to lie in the combination of storage-level corruption guard with periodic synthetic backups. Here’s why. When the bit rot is in older data that can no longer be found in the production storage, it could fail at doing something about it, as the correct data is no longer to be found there. So we’ll have to weigh the frequency of these corruption guard scans to determine what reduction if making full backups is wise for our environment and needs. The most interesting scenario to deal with this seems to be the one where we indeed can eliminate periodic full backups all together. To mitigate the potential issue of not being able to recover, which we described above, we’d still create synthetic full backups periodically in combination with the Storage-level corruption guard option enabled. Doing this gives us the following benefits:

We protect our backup against corruption, bit rot etc.
We avoid making periodic full backups which are the most expensive in storage space, I/O and time.
We avoid having no useful backup let in the scenario where Storage-level corruption guard needs to retrieve data from the primary storage that is no longer there.

To me this seems to be a very interesting scenario. To optimize backup times and economies. In the end it’s all about weighing risks versus cost and effort. Storage-level corruption guard gives us yet another tool to strike a better balance between those two. I have enabled it on a number of the jobs to see how it does in real life. So far things have been working out well.

On premises access to Azure files services

Posted on March 1, 2016 by workinghardinit

Today we’ll have some fun with an Azure storage account and file services. We’ll show that you can actually get on premises access to Azure files services. You might not have tried this yet but you can expose this file share to your on premises physical or virtual machine as long as it’s an operating system supporting SMB 3.X. That means, Windows 8/8.1/10 and Windows 2012/2012R2 and 2016.

Realize that this is just a demo. Exposing an Azure File Services share to “and users” is not the primary use case for an Azure file service. It meant for applications in both public and hybrid cloud scenarios.

You set up an Azure file service (a file share) in a storage account. just like you do blobs, tables or queues.

What you need to access such a file share is the path to the share on your storage account on Azure and an access key

All you need to do is open up a command prompt and type

net use T: \\democloudwitness.file.core.windows.net\cloudsmb /u:democloudwitness Qzd4/fhHrt!45f*5652ddehse4qfjfqsfpKDMP45Hdg8etDlg2fyr8dtR^_pmL9QzedtrMhLcxo7Rsdew4U4E7A==

It’s a FAKE access key people, don’t bother. If you did not make a mistake it will report success and you have access to the Azure file share via letter T: from any interface that supports them.

But even if you did not, you can just enter the storage account and the access key to get access just like any other file share.

Voila, you have mapped that cloud share to your on premises machine. There’s no local users or AD based security settings so you can do whatever you want in regards to adding or deleting data. The storage account access key are literally the keys to the kingdom.

That’s right. It’s not limited to virtual machines or services in Azure nowadays. No need for a VPN or Express Route to Azure any more. Just an internet connection that allows you to connect remotely to port 445.

Pretty cool. Sure, end users are not the primary use case for this feature but it’s certainly nice to see what the capabilities are.

Security wise you might have some objections. In reality it’s just another way people don’t realize yet that data might be leaving the organization. No need to panic or to create a fuzz. Chances are most people have a dozen more popular and better known ways of getting data in and out in many environments. But if you have a dreamy eyed security officer whose mainly in place because they’re convenient, you can scare him/her a little with this. Let’s imagine you’re working at one of those <sarcasm> rare </sarcasm> companies where the firewall only seems to works in one way, for the ingress traffic. Egress is free fire zone as it avoids many support tickets and issues. That it opens the gates to others is another issue, but hey, the firewall is dead in the brave new world of BYOD and IoT anyway. What if you need some extra storage, temporarily, but you can’t get it on the file servers? Nor do they want to give you an external disk, a large thumb drive, or let you bring one in yourself. Maybe they’ve even spent money on disabling some of the USB ports or glued them up. Well get a trial account for Azure, set up the above. You’ll have a temp data dump that you can access from another location just as easily. I actually had more issues at home with my UTM firewall than in the few business settings where I tested this. Some ISPs do block this port outbound. So be ware when testing at home

Now forget about the security officer bashing and FUD. The real take away here is that you can expose a file share for an application easily both inside of Azure and on premises. That’s a powerful thing to do and it’s actually documented. It helps in new cloud service development, hybrid scenarios, migration or transition scenarios etc. All this highly available with the benefits SMB 3.x offers or over REST API. Now, imagine the possibilities! As said, for now there is no Active Directory authentication support, but who knows what the future brings? You can read more about getting started with Azure file services here.

Azure AD Connect 1.1.105.0 is GA

Posted on February 23, 2016 by workinghardinit

On February 18th 2016 Microsoft released a significant update to Azure AD Connect, version 1.1.105.0. It adds some capabilities and improves on others. For me this is a core piece of the puzzle today and in the future for many of my plans to optimize the future IT Infrastructure & DevOps. Even when politics seem hell bound on slowing you down and cause a serious delay and missed opportunities this piece of technology is key in breaking through those barriers and keep moving ahead.

So what’s in the box with version 1.1.105.0

Automatic upgrade feature for Express settings customers.
Support for the global admin using MFA and PIM in the installation wizard.
We can change the user’s sign-in method after initial install.
We can now set Domain and OU filtering in the installation wizard. As a secondary benefit this means we can now connect to forests where not all domains are available.
We get a Scheduler is built-in to the sync engine.

Some preview features are now GA:

We get one new preview features which is going to be a hit in world where patience disappeared from the equation:

The default sync interval is now 30 minutes instead of 3 hours before. this is configurable now in the scheduler.

It also fixes the following issues:

The verify DNS domains page didn’t always recognize the domains.
Prompts for domain admin credentials when configuring ADFS.
On-premises AD accounts are not recognized by the installation wizard when they are in a domain with a different DNS tree than the root domain.

Grab the latest version of Azure AD Connect here.

Working Hard In IT

My view on IT from the trenches

Category Archives: IT Pro

Get-VMHostSupportedVersion Windows Server 2016 Hyper-V

Storage-level corruption guard

Azure AD Connect 1.1.105.0 is GA