Tuesday, October 30, 2012

What if my VirtualCenter server crashes?


When your vCenter server needs an upgrade or maintenance, or when it suffers a crash, it’s important to know what pieces of the environment can and will function without the benefit of a vCenter server orchestrating and managing the various resources within the environment.
When the vCenter server is offline, your virtual machines will continue to run, and so will HA. However, other key pieces will be unavailable or will work in a degraded mode. Table 4-1 through Table 4-8 list the impact that a vCenter server outage has on an environment.
Table 4-1. vCenter server outage effects on VMware HA
| VI function | Available | Comment |
|---|---|---|
| Restart virtual machine | Yes | No impact |
| Admission control | No | vCenter is required as the source of the load information |
| Add new host to cluster | No | vCenter is required to resolve IP addresses of cluster members |
| Allow hosts to rejoin the cluster | Yes | Resolved host information is stored on the ESX host itself in /etc/FT_HOST |

Table 4-2. vCenter server outage effects on VMware DRS
| VI function | Available | Comment |
|---|---|---|
| Manual | No | Requires vCenter to manage |
| Automatic | No | Requires vCenter to manage |
| Affinity rules | No | Requires vCenter to manage |

Table 4-3. vCenter server outage effects on resource pools
| VI function | Available | Comment |
|---|---|---|
| Create | No | Requires vCenter to manage |
| Add VM | No | Requires vCenter to manage |
| Remove VM | No | Requires vCenter to manage |

Table 4-4. vCenter server outage effects on VMotion
| VI function | Available | Comment |
|---|---|---|
| VMotion | No | Requires vCenter to manage |

Table 4-5. vCenter server outage effects on ESX host
| VI function | Available | Comment |
|---|---|---|
| Shutdown | Degraded | Through a direct connection to the ESX host server only |
| Startup | Yes | Expires within 14 days |
| Maintenance mode | Degraded | Requires vCenter to manage |
| Deregister | No | Requires vCenter to manage |
| Register | No | Requires vCenter to manage |

Table 4-6. vCenter server outage effects on virtual machine
| VI function | Available | Comment |
|---|---|---|
| Power on | Degraded | Expires in 14 days; direct connection to ESX host server only |
| Power off | Degraded | Direct connection to ESX host server only |
| Register | No | Requires vCenter to manage |
| Deregister | No | Requires vCenter to manage |
| Hot migration | No | Requires vCenter (VMotion) |
| Cold migration | Degraded | Within the same ESX host only |

Table 4-7. vCenter server outage effects on templates
| VI function | Available | Comment |
|---|---|---|
| Convert from virtual machine | Degraded | Direct connection to host only; requires vCenter to manage |
| Convert to virtual machine | Degraded | Direct connection to host only; requires vCenter to manage |
| Deploy virtual machine | No | Requires vCenter to manage |

Table 4-8. vCenter server outage effects on virtual machine (guest)
| VI function | Available | Comment |
|---|---|---|
| Guest OS (virtual machine) | Yes | No impact, will run without vCenter |

DirectAccess

DirectAccess is a new feature of Microsoft Windows Server 2008 R2. If you have ever struggled with Windows VPN access, DirectAccess is going to change the way you connect to the intranet from the internet (from the public network to the private network).

Normally we use a VPN to access the intranet or office network from the internet or from home. VPN has its limitations; I will discuss the DirectAccess features and the differences between DirectAccess and VPN.


DirectAccess features for Administrators

• As an administrator you can't manage users and computers while they connect through VPN; what I mean is that you can't push Windows and security patches, Group Policy settings or software updates to them.

• Using DirectAccess you can manage remote users very effectively: you can push Windows and security patches, Group Policy settings and software updates.

• A DirectAccess client can be managed like a local system and is always manageable.

• Whenever the user connects a DirectAccess client to the internet, you can manage it: update antivirus definitions, apply security patches and keep the DirectAccess client within security compliance.

• You can check and troubleshoot the DirectAccess client if required, since the connection between the DirectAccess client and the corporate network is bidirectional.

• One more important feature: the DirectAccess client uses a separate tunnel for intranet access. DirectAccess separates intranet traffic from internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server.

• If required, you can configure DirectAccess clients to send all traffic through the DirectAccess server.

• DirectAccess is more secure than VPN.


DirectAccess features for Users

• No need for VPN: you can access the intranet (office network) without a VPN connection.

• If your system is DirectAccess enabled, you can access the office network without any additional steps (with VPN you have to dial and connect to the intranet after logging in).

• Through DirectAccess you can access files, intranet websites and applications.

• There is no difference whether you are in the office or roaming somewhere; you just need an internet connection to access the office network.

• With DirectAccess it's like working in the office, no matter where you are.

• Most of the limitations are removed: just connect to the internet and access the corporate network.


Prerequisites to configure DirectAccess

You need Windows Server 2008 R2 and Windows 7 to configure the DirectAccess feature.


How to configure DirectAccess

I will explain how to configure DirectAccess in my upcoming article; please check back.

Difference between windows 2003 and windows 2008

  • Windows Server 2008 gives you two installation types, Full installation and Server Core installation
  • Windows Server 2008 installation is faster because it is 32-bit, whereas the 2003 installer is 16-bit as well as 32-bit
  • Windows Deployment Services (WDS) replaces RIS from Windows Server 2003
  • Services are known as roles in Windows Server 2008; for example, Active Directory has been renamed to Active Directory Domain Services (AD DS)
  • The Windows Server 2008 boot sequence has changed
  • Virtualization (Hyper-V) is the main difference between Windows 2003 and Windows 2008
  • PowerShell is fully supported; you can manage the server easily using PowerShell scripts and commands
  • For the differences between Group Policy in 2003 and 2008, please see my previous article, Group Policy 2008 Features
  • The Group Policy slow link detection process has changed in Windows Server 2008
  • New power-saving features have been introduced in Windows Server 2008, including updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, with support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features can be managed through Group Policy.
  • Security has been improved, with features like BitLocker
  • Updated IIS version
  • Difference between Active Directory 2003 and Active Directory 2008
  • Difference between Windows DNS server 2003 and 2008
  • Difference between SYSVOL replication in Windows 2003 and 2008
  • Difference between Windows 2008 and R2
  • DirectAccess

Sysvol Replication change in Windows 2008

Group Policy replication change
Before I start on the SYSVOL replication changes in Windows Server 2008, I would like to explain how GPOs were replicated in Windows Server 2003 and earlier versions.


Understanding SYSVOL/GPO replication
The Group Policy Template (GPT) and the Group Policy Container (GPC) are the two parts of a Group Policy object. They are stored in two different locations and use different replication technologies to replicate changes; however, both must be up to date on a domain controller for the policy to function properly.

Group Policy Templates are stored in SYSVOL, as a folder structure under the SYSVOL share on a domain controller. When you create a new Group Policy, a GPT folder is created in the SYSVOL share for the new policy; it contains the settings belonging to that policy. The GPT folder name is the Globally Unique Identifier (GUID) of the GPO you created. You can view all the GPT folders at the path below (the default GPT path):

C:\Windows\Sysvol\Sysvol\DomainName\Policies

The Group Policy Template (GPT) is replicated with SYSVOL through FRS. FRS uses state-based replication: as soon as there is a change to any file under the Sysvol folder structure, replication is triggered and the entire file is replicated.

Group Policy Containers are stored in Active Directory. Almost all GPO settings are stored in the GPT; the GPC only holds reference information about the corresponding GPO, such as the GPT path, the GUID of the GPO, version information, WMI filter information and a list of the components that have settings in the GPO. You can view the GPC from Active Directory Users and Computers (ADUC) under:

\System\Policies

The Group Policy Container (GPC) is replicated through Active Directory replication.

Note: By default the Group Policy Management Editor console (GPME) uses the PDC Emulator so that all administrators work on the same domain controller. If you want a different domain controller, you can change it through the Group Policy Management Console (GPMC).

File Replication Services (FRS)
I will try to explain it step by step. Let's say you modify Policy A on Server001; this is how the change gets replicated to Server002 (Server002 is a downstream replication partner of Server001):

• Once you modify Policy A on Server001, the corresponding GPT folder in SYSVOL is updated on Server001 (the Group Policy Container in Active Directory on Server001 is also updated).

• NTFS records the file and folder change in the USN journal.

• FRS monitors the USN journal for changes to the SYSVOL folder.

• FRS updates the inbound log on Server001. FRS does not only record local changes in the inbound log; it also records the changes received from every upstream replication partner (all inbound partners).

• FRS creates a file in the staging folder on Server001 using the backup application programming interfaces (APIs), based on the change.

• FRS records this change in the outbound log on Server001 and sends a change notification to every downstream replication partner (all outbound partners).

• Server002 receives the change notification from Server001 and stores the change order in its inbound log. Server002 copies the staging file from Server001 into the staging folder on Server002, then updates its own outbound log so that its other outbound partners can pick up the change.

• Using the restore APIs, Server002 reconstructs the file or folder in the preinstall folder, and then FRS renames the file or folder into the replica tree.

In the FRS replication process the entire changed file or folder is replicated from the source to the destination server.

What is the NTFS USN journal?
It logs all changes to an NTFS volume, including file creations, deletions and modifications. There is a separate log on each NTFS volume and it has a size limit (128 MB on Windows Server 2003 SP2 and Windows Server 2008). If required you can increase the size up to 2 TB; Microsoft recommends increasing it by 128 MB for every 100,000 files/folders.

What happens when the NTFS USN change journal fills up?
If the USN journal fills up, NTFS overwrites the oldest entries. That is why, in some scenarios, NTFS deletes entries from the USN journal before the change has been picked up; this is called a journal wrap.

USN journal wrap error
An error that occurs when large numbers of files change so quickly that the USN journal must remove the oldest changes (before FRS has a chance to detect them) to stay within the specified size limit. To resolve this issue you have to perform a non-authoritative restore, also called D2.

Morphed folder
A replication conflict occurs if identically named directories are created on different servers. To resolve this conflict FRS creates a folder, and this folder is called a morphed folder.

Let's say two identically named directories are created on different replication members. FRS identifies the conflict during replication, and the receiving member protects the original copy of the folder and renames (morphs) the later inbound copy of the folder. The morphed folder names have a suffix of "_NTFRS_xxxxxxxx", where "xxxxxxxx" represents eight random hexadecimal digits.

Version vector join (vvjoin)

So far we have discussed SYSVOL replication between existing partners. How does SYSVOL replication work for a newly added replication partner? A newly added replication member doesn't have any updates yet, so it has to build the folder structure from the beginning. This process is called a vvjoin, in which a downstream partner joins with an upstream partner for the first time.

Vvjoin is a CPU-intensive operation that can affect the performance of the server and increase replication traffic.

Distributed File System (DFS)
Now we come to the point: how SYSVOL replicates using DFS, and how it has been improved to provide better replication performance. To use this feature you must be at the Windows Server 2008 domain functional level, which means all domain controllers have to be Windows Server 2008.

SYSVOL replication using DFS is called DFS-Replicated SYSVOL (DFSR).

DFSR is a multimaster replication engine: changes that occur on one replication member are replicated to all of the other servers in the replication group.

DFSR also monitors the NTFS update sequence number (USN) journal to detect changes on the volume, and DFSR replicates the changes only after the file is closed.

Before sending or receiving a file, DFSR uses a staging folder to stage the file.

When anything changes in the SYSVOL share, FRS replicates the entire file. DFSR, by contrast, replicates only the changed blocks and not the entire file, much like attribute-level Active Directory replication: it compares the source and destination file using remote differential compression (RDC), which reduces the SYSVOL replication traffic.

Other improvements (differences between DFSR and FRS):
• DFSR and journal wraps: DFSR also monitors the NTFS change journal, but DFSR always heals itself, so there is no journal wrap error.

• Morphed files and folders are taken care of automatically.

• FRS silently fails if the volume SYSVOL resides on has less than 1 GB of free space.

• Copies only the changes to files and folders, not the entire files and folders.

• Uses version vector tables to confirm the changes and also to resolve conflicts.

• Supports read-only replication on particular members, on which users cannot add or change files.

• You can also make changes to the SYSVOL folder of an RODC.

• DFSR does not require the version vector join (vvjoin) operation.
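The FRS symptoms described above (an undersized USN journal, journal wraps and morphed folders) can be checked on a domain controller with a script like this one; it is an added example, not from the article. It assumes an elevated PowerShell session on a DC, that FRS logs a journal wrap as event ID 13568 in the "File Replication Service" log, and that fsutil prints the journal's "Maximum Size" line in hex; none of these identifiers appear in the article.

```powershell
# Added example, not from the original article. Checks the local DC for the
# FRS symptoms described above. Assumptions: elevated session on a domain
# controller; event ID 13568 is the FRS journal-wrap event (not named in the
# article); fsutil prints a 'Maximum Size' line with a hex value.
function Test-SysvolReplicationHealth {
    param(
        [string]$SysvolRoot = (Join-Path $env:SystemRoot 'Sysvol\Sysvol'),
        [string]$Volume     = $env:SystemDrive,
        [int]   $FileCount  = 0   # files+folders on $Volume; 0 = count now (slow on big volumes)
    )

    # 1. Replication engine: dfsrmig reports the SYSVOL migration state
    #    (Start = FRS, Prepared/Redirected = migrating, Eliminated = DFSR only).
    $migOutput = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
    $state = if ($migOutput -match 'Start|Prepared|Redirected|Eliminated') { $Matches[0] } else { 'Unknown' }

    # 2. USN journal size versus the article's guidance: 128 MB, plus 128 MB per 100,000 files/folders.
    $journal  = & fsutil.exe usn queryjournal $Volume 2>&1
    $maxLine  = @($journal | Where-Object { $_ -match 'Maximum Size' })[0]
    $maxBytes = if ($maxLine) { [Convert]::ToInt64(($maxLine -split ':')[-1].Trim(), 16) } else { 0 }
    if ($FileCount -le 0) {
        $FileCount = @(Get-ChildItem -Path "$Volume\" -Recurse -Force -ErrorAction SilentlyContinue).Count
    }
    $recommendedBytes = 128MB * [math]::Max(1, [math]::Ceiling($FileCount / 100000))

    # 3. Journal wrap: FRS logs event 13568 when the USN journal wrapped before FRS read it.
    $wraps = @(Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13568 } -MaxEvents 5 -ErrorAction SilentlyContinue)

    # 4. Morphed folders: FRS renames the losing copy of a name conflict to <name>_NTFRS_<8 hex digits>.
    $morphed = @(Get-ChildItem -Path $SysvolRoot -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer -and $_.Name -match '_NTFRS_[0-9A-Fa-f]{8}$' })

    $journalTooSmall = ($maxBytes -gt 0 -and $maxBytes -lt $recommendedBytes)
    New-Object PSObject -Property @{
        ReplicationEngineState  = $state
        UsnJournalMaxMB         = [int]($maxBytes / 1MB)
        UsnJournalRecommendedMB = [int]($recommendedBytes / 1MB)
        UsnJournalTooSmall      = $journalTooSmall
        JournalWrapEvents       = $wraps.Count
        LastJournalWrap         = if ($wraps.Count) { $wraps[0].TimeCreated } else { $null }
        MorphedFolders          = @($morphed | ForEach-Object { $_.FullName })
        NeedsAttention          = ($wraps.Count -gt 0 -or $morphed.Count -gt 0 -or $journalTooSmall)
    }
}

Test-SysvolReplicationHealth | Format-List
```

On a DC that has already migrated SYSVOL to DFSR the FRS event log may not exist, so JournalWrapEvents is simply 0 and the state shows "Eliminated".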

Windows 2008 DNS features


Compared to Windows 2003, Windows 2008 has more features and improvements. I will discuss the improvements related to DNS in this article; Microsoft made the improvements that were really needed in an IT environment. The Windows 2008 DNS features are listed below.

Background zone loading: If you are an administrator of a large environment you will have seen this issue: after a DNS server restart it takes some time to load the DNS zones, and until then the server will not respond to DNS queries from clients (the server will not even respond to nslookup); you have to wait for the server to load the zones. This has been fixed in the Windows 2008 DNS server: zone data is loaded in the background while the DNS server restarts, so the DNS server responds to client queries very quickly.

IP version 6 support: The Windows 2008 DNS Server fully supports the longer addresses of the IPv6 specification.

Support for read-only domain controllers (RODCs): We are able to modify a primary DNS zone, but what about the primary zone on a read-only domain controller? We can't modify or update a primary zone on a read-only domain controller, so Windows 2008 provides primary read-only zones on RODCs.

Global single names: There is no need to add DNS suffixes for name resolution across the various domain names; the GlobalNames zone provides single-label name resolution for large enterprise networks. If your environment doesn't have WINS, or you are planning to deploy IPv6 only, then you need to deploy the GlobalNames zone. It is useful when using DNS name suffixes to provide single-label name resolution is not practical.

Global query block list: Clients of protocols such as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP), which rely on DNS name resolution to resolve well-known host names, are vulnerable to malicious users who use dynamic update to register host computers that pose as legitimate servers. The DNS Server role in Windows Server 2008 provides a global query block list that helps reduce this vulnerability.

DNS Security Extensions (DNSSEC): DNSSEC works by digitally signing the records used for DNS lookup with public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
The following DNSSEC-related features are introduced in Windows Server 2008 R2:
  • The ability to sign a zone (that is, to give the zone a digital signature)
  • The ability to host signed zones
  • New support for the DNSSEC protocol
  • New support for DNSKEY, RRSIG, NSEC and DS resource records
A key feature of DNSSEC is that it enables you to sign a DNS zone, which means that all the records in that zone are signed. The DNS client can use the digital signature added to the resource records to confirm that they are valid. This is typical of what you see in other areas where you have deployed services that depend on PKI. The DNS client can validate that the response hasn't been changed, using the public/private key pair. To do this, the DNS client has to be configured to trust the signer of the signed zone.
The new Windows Server 2008 R2 DNSSEC support enables you to sign file-based and Active Directory integrated zones through an offline zone signing tool. I know it would have been easier to have a GUI for this. When configured with a trust anchor, a DNS server is able to validate DNSSEC responses received on behalf of the client. However, in order to prove that a DNS answer is correct, you need to know at least one key or DS record that is correct from a source other than DNS. These starting points are called trust anchors.
Another change in the Windows 7 and Windows Server 2008 R2 DNS client is that it acts as a security-aware stub resolver. This means the DNS client lets the DNS server handle the security validation, but consumes the results of the validation performed by the DNS server. The DNS client uses the Name Resolution Policy Table (NRPT) to determine when it should check for validation results. After the client confirms that the response is valid, it returns the results of the DNS query to the application that triggered it.

DNS cache locking: DNS cache locking in Windows Server 2008 R2 lets you control whether information in the DNS cache can be overwritten. If you turn on cache locking, the DNS server will not allow cached records to be overwritten for the duration of their time to live (TTL). This helps protect your DNS server from cache poisoning.
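To audit, and optionally apply, the two anti-spoofing settings described above (the global query block list and cache locking) on a Windows Server 2008 R2 DNS server, here is an added example using dnscmd.exe; it is not from the article. It assumes an elevated session on the DNS server and that dnscmd prints "Dword:" and "String:" result lines for /info queries; the /enableglobalqueryblocklist and /cachelockingpercent settings are real dnscmd settings that the article does not name.

```powershell
# Added example, not from the original article. Reads the DNS server's global
# query block list and cache locking setting with dnscmd.exe and, with
# Set-DnsServerSpoofingDefenses, applies the recommended values. Assumptions:
# elevated session on the DNS server; dnscmd /info prints 'Dword:'/'String:' lines.
function Get-DnsServerSpoofingDefenses {
    param([string]$Server = $env:COMPUTERNAME)

    # Names that dynamic update is not allowed to register (wpad, isatap by default).
    $blockOut  = & dnscmd.exe $Server /info /globalqueryblocklist 2>&1
    $blocked   = @(foreach ($line in $blockOut) { if ($line -match '^\s*String:\s*(\S+)') { $Matches[1] } })
    $enableOut = (& dnscmd.exe $Server /info /enableglobalqueryblocklist 2>&1) -join ' '
    $blockOn   = [bool]($enableOut -match 'Dword:\s*1\b')

    # Percentage of the TTL during which a cached record may not be overwritten.
    $lockOut = (& dnscmd.exe $Server /info /cachelockingpercent 2>&1) -join ' '
    $lockPct = if ($lockOut -match 'Dword:\s*(\d+)') { [int]$Matches[1] } else { -1 }

    New-Object PSObject -Property @{
        Server                = $Server
        BlockListEnabled      = $blockOn
        BlockedNames          = $blocked
        CacheLockingPercent   = $lockPct
        # WPAD and ISATAP are the names the article says rogue dynamic updates target.
        ProtectsWpadAndIsatap = ($blockOn -and ($blocked -contains 'wpad') -and ($blocked -contains 'isatap'))
        # 100 means a cached record is never overwritten before its TTL expires.
        CacheFullyLocked      = ($lockPct -eq 100)
    }
}

function Set-DnsServerSpoofingDefenses {
    param(
        [string]  $Server         = $env:COMPUTERNAME,
        [string[]]$BlockNames     = @('wpad', 'isatap'),
        [int]     $LockingPercent = 100
    )
    & dnscmd.exe $Server /config /enableglobalqueryblocklist 1 | Out-Null
    & dnscmd.exe $Server /config /globalqueryblocklist $BlockNames | Out-Null
    & dnscmd.exe $Server /config /cachelockingpercent $LockingPercent | Out-Null
    # The cache locking percentage is read when the DNS Server service starts.
    Restart-Service -Name DNS
    Get-DnsServerSpoofingDefenses -Server $Server
}

Get-DnsServerSpoofingDefenses | Format-List
```

Run Set-DnsServerSpoofingDefenses only in a maintenance window, since restarting the DNS Server service briefly interrupts name resolution.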

What's new in Windows 2008 Active Directory

As an Active Directory administrator you are very curious about the Windows 2008 features compared to earlier versions like Windows 2003. Windows 2008 comes with a whole bunch of features, and I am going to discuss specifically the features of the Active Directory server roles in Windows 2008.

First I will list the features of Windows 2008 Active Directory, and I will discuss each in detail in my upcoming articles.

Auditing

With the new auditing feature in Windows 2008 you can now see both the previous and the present values of changed attributes of an Active Directory object; with Windows 2003 auditing you only saw the present value of the changed attribute.

This is a very useful feature in Windows 2008, since you can revert the changes using the previous value of the attribute.

Fine-Grained Passwords

By default in Windows 2003 all user accounts in the domain use the same password policy, configured at domain level; that is why we say the domain is a security boundary. If you required a different password policy you had to create a new domain.

In Windows 2008 a password policy can be configured for a specific group of people within the domain.

Read-Only Domain Controller

Everyone knows about the BDC (backup domain controller); the RODC is similar to the BDC but takes only the advantages of the BDC, and it is specifically designed for today's requirements, like branch office setups and managing the branch office.

We all know how difficult it is to design and manage a domain controller in a branch office; sometimes it leads to lingering objects. The Read-Only Domain Controller is meant for the branch office where the physical security of the domain controller is in question, or for domain controllers that host additional roles, requiring other users to log on and maintain the server.

In any Active Directory environment, if one domain controller has not replicated with its partner domain controller for more than one month, it's a very critical issue: you have to rectify the replication problem as soon as possible, or the domain controller needs to be decommissioned within the tombstone lifetime. Since an RODC is read-only, there are no worries about the tombstone lifetime.

Restartable Active Directory Domain Services

Good news: now there is no need to restart the domain controller every time for Active Directory maintenance.

In Windows 2008 Active Directory is a service; you can stop or restart the service for maintenance without restarting the domain controller, and restarting in Directory Services Restore Mode is not required for most maintenance functions. However, some maintenance functions still require Directory Services Restore Mode.

Database Mounting Tool

The Active Directory Database Mounting Tool in Windows Server 2008 creates and views snapshots of the data stored in Active Directory Domain Services, with no need to restart the domain controller. A snapshot is a shadow copy created by the Volume Shadow Copy Service; snapshots taken at different times let you better choose which data to restore after an object deletion. This reduces administrator time, and there is no need to restore multiple backups to compare the Active Directory data.

The Active Directory Database Mounting Tool is also called the Snapshot Viewer, Snapshot Browser, or Active Directory data mining tool.

Active Directory Recycle Bin

You can restore an accidentally deleted Active Directory object without an Active Directory authoritative restore. This can be used for single-object restores, like the accidental deletion of a user or OU, and it reduces domain controller downtime.

Active Directory module for Windows PowerShell

PowerShell was available on Windows 2003 too, but it was not fully supported for Active Directory; you couldn't manage Active Directory using PowerShell on Windows 2003.

In Windows 2008 Windows PowerShell provides command-line scripting for administrative, configuration and diagnostic tasks.

You can manage Active Directory along with Exchange Server, Group Policy and other services. It's as easy to use as Windows commands, and you can easily pipe cmdlets to build complex operations.

Active Directory Administrative Center

It's a new tool in Windows 2008 R2 to manage Active Directory. We already have Active Directory Users and Computers to manage Active Directory; with this new tool you can manage Active Directory in a new way.

As an administrator you perform most tasks commonly, that is daily, and somehow it's hard to open Active Directory Users and Computers, find the object and do the task. With the new Active Directory Administrative Center it's very easy to do common tasks like password resets, searching for Active Directory objects and others.

Active Directory Best Practices Analyzer


This helps you identify and implement best practices in the configuration of your Active Directory environment. It scans your network and finds best practice violations, which you can then correct to get the best out of Active Directory services in Windows 2008.

Active Directory Web Services

Active Directory Web Services gives you a web service interface to Active Directory domains and AD LDS (Active Directory Lightweight Directory Services) instances.

The Active Directory Database Mounting Tool uses Active Directory Web Services as a front end; likewise, Windows PowerShell and the Active Directory Administrative Center use Active Directory Web Services to access the directory service instances.

Offline domain join

Offline domain join lets you join a member server to the domain even when the domain controller is not reachable from the member server.

This can be very useful for bulk deployment: when the system starts, it is automatically joined to the domain, which reduces the administrative effort.

Managed Service Accounts

Normally applications and services use the Local Service, Network Service and Local System accounts. They are easy to configure, but they are shared among multiple applications and services and cannot be managed at domain level.

You can use a domain account for an application (service), which isolates the privileges of the application, but these domain accounts are very hard to manage, especially their password management.

We have two new types of accounts in Windows 2008, managed service accounts and virtual accounts. Now you can easily manage service principal names (SPNs), and they provide automatic password management.

Active Directory Management Pack

You can monitor the Active Directory service on Windows 2008 using the Active Directory Management Pack (MOM, SCOM).

It is designed specifically to monitor the performance and availability of Active Directory Domain Services (AD DS); it also monitors the overall health of AD DS and alerts you to critical performance issues.