I’m on an engagement with a client that includes a dozen or so hard-to-P2V physical servers. I’m sure I’ll have other posts as I work through the issues, but one of the junior administrators on their staff asked if I had a best-practices or how-to guide for successful P2Vs.
So to add to the web pile of guides on this subject, I bring you my take on virtualizing existing servers!
I apologize for the lack of post frequency at the moment – I’m in hard study mode for two certifications concurrently:
MCSA (So the 70-412 exam) and the Appsense Certified Professional exam.
We’ll certainly get to end user profile management and VDI layering at some point soon in this blog!
Speaking of VDI, Teradici released new firmware for zero-client endpoints for both the Tera 1 and Tera 2 chipsets. This is a pretty important release if you’re running Horizon View 6 or playing with Amazon WorkSpaces. TEST it in your environment before release, though, as I’ve heard of performance problems if you haven’t upgraded to Horizon View 6 yet, and some connection problems if you load balance your connection servers via NLB or a hardware load balancer.
Link to the firmware: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileNum=1504&deptID=15164
One of my colleagues (and a pretty swell guy overall) has had some fantastic results using EMC’s all-flash XtremIO array with compression/deduplication: a linked-clone pool of 1050 desktops was only using 690 GB of storage, a compression/dedup ratio of 5.1:1. Pretty nifty.
Of course, that’s just initial pool creation. I’m curious to see what the storage utilization looks like after it goes into production.
I’m building a physical server for my current client, and not one that runs a hypervisor. It feels weird. I’ve been such a pro-virtualization guy for so long that the last server I popped a Windows Server installation disk into was destined to be a SQL supercomputer, maybe 24+ months ago. Oh well.
For the record, while the task is pretty specialized I’m pretty sure it could be virtualized. The limiting factor here is the server requires a pretty huge PCI-E card, and the client is running Cisco UCS blades that can’t handle it.
Speaking of UCS: I’m no more than entry-level skilled in the ways of Cisco UCS hardware. The team at Varrow have some UCS superstars that I rely on to get the hardware set up right. I’m going to lean on them a little bit as I learn, because my current client is running one or two NICs in each blade for ESXi (I would expect at least six: two for management, two for vMotion and two for VM traffic) and no QoS. I want to take care of those issues before I leave, or there will be some network bottlenecking as they grow to their intended scale. Infrastructure plans and designs are important!
If a user doesn’t have access to a network resource, a file server has not historically given the most user-friendly response: an Access Denied message and an OK button. OK? No, this is not okay for the user and we can do better.
One of the improvements in Server 2012 is Access-Denied Assistance. When a user tries to access a resource that they don’t have access to, they can receive a custom message that explains WHY they don’t have access as well as who to contact for further help, or even a Request Assistance button that saves the user from typing out an email.
This can be configured individually using File Server Resource Manager or centrally using Group Policy.
Setting Access-Denied Assistance with File Server Resource Manager
- Open File Server Resource Manager, right-click the local server node (or connect to another server first) and select Configure Options.
- On the dialog that opens, select the Access-Denied Assistance tab on top:
- Check the box next to Enable access-denied assistance
- If desired, you can configure email requests by selecting the button toward the top:
- Notice the item Generate an event log entry for each email sent. It is checked by default, and we can use those entries to look for (and remediate) recurring access issues.
Setting up Access-Denied Assistance using Group Policy
- Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
- Right-click the appropriate Group Policy Object, and then click Edit.
- Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
- Right-click Customize message for Access Denied errors, and then click Edit.
- Select the Enabled option.
- Configure the following options:
- In the Display the following message to users who are denied access box, type a message that users will see when they are denied access to a file or folder.
You can use the following variables in the customized text:
- [Original File Path]: the original file path that was accessed by the user.
- [Original File Path Folder]: the parent folder of the original file path that was accessed by the user.
- [Admin Email]: the administrator email recipient list.
- [Data Owner Email]: the data owner email recipient list.
- Select the Enable users to request assistance check box.
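The same settings from PowerShell, as an added example that is not part of the original post. It uses the FileServerResourceManager module that ships with the FSRM role service on Server 2012 and writes the per-server configuration the FSRM dialog above writes; the Group Policy route above delivers the identical options centrally and has no cmdlet of its own. The SMTP host, mailboxes and message text are placeholders, and the registry path queried near the end (where the GPO setting lands) and the SRMSVC event source name are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the file server.
# Assumptions: the FSRM role service is installed; smtp.corp.example and the
# mailboxes below are placeholders.
Import-Module FileServerResourceManager

# FSRM cannot send assistance requests until it knows an SMTP server and a
# default administrator recipient (the [Admin Email] variable resolves to this).
Set-FsrmSetting -SmtpServer "smtp.corp.example" `
                -FromEmailAddress "fsrm@corp.example" `
                -AdminEmailAddress "fileadmins@corp.example"

# The variables in square brackets are the same ones the GPO setting documents.
$denyMessage = @"
You do not have permission to open [Original File Path].
Access to [Original File Path Folder] is approved by its data owner. Click
"Request assistance" below, or email [Data Owner Email] and quote the path.
"@

Set-FsrmAdrSetting -Event AccessDenied `
                   -Enabled $true `
                   -DisplayMessage $denyMessage `
                   -AllowRequests $true `
                   -MailToOwner $true `
                   -MailCCAdmin $true `
                   -IncludeUserClaims $true `
                   -IncludeDeviceClaims $true `
                   -EventLog $true   # "Generate an event log entry for each email sent"

# Read back what the server will actually show and do.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin, EventLog, DisplayMessage

# If the options came from Group Policy instead, they land under this key
# (path is an assumption; nothing returned just means no GPO has applied yet).
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied" `
                 -ErrorAction SilentlyContinue

# The per-email event log entries come from the FSRM service (assumed source name
# SRMSVC in the Application log). Listing the latest ones shows which paths and
# users keep hitting denials, so the share ACL or group membership can be fixed
# once instead of answering one ticket at a time.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Set-FsrmSetting has to come first: with no SMTP server configured the Request Assistance button is offered to the user but the email never leaves the box, and nothing in the dialog warns you.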
This section is a bit confusing, mostly because I don’t see this exact phrasing used in relation to Dynamic Access Control. So:
I’m not too sure what is being asked here. The only relevant thing I could find on TechNet was the below:
You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under Advanced Audit Policy Configuration in the Security Settings of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
If you have any idea what’s being asked here, please let us all know in the comments!
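What the TechNet paragraph above describes, done from an elevated prompt on the file server, as an added example that is not part of the original post. auditpol sets the Object Access subcategory that the Advanced Audit Policy Configuration node of a GPO would otherwise deliver; for anything beyond a test server, set it in the GPO as the paragraph says. Security event 4818 is the event that staging produces, and the function that summarizes it is mine.

```powershell
# Added example, not from the original post. Run elevated on a Server 2012 file
# server that already has a central access policy with a proposed (staged) ACL.

# Enable the "Central Access Policy Staging" subcategory (Advanced Audit Policy
# Configuration > Object Access). Through a GPO you would tick the same subcategory.
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
auditpol /get /subcategory:"Central Access Policy Staging"

# Staging generates Security event 4818 whenever the proposed ACL would have
# produced a different access decision than the current ACL. Each event carries
# the user, the object and both outcomes, which is the data you review before
# promoting the proposed permissions to current.
function Get-StagedPolicyDivergence {
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message is multi-line; keep the first line as a summary and
            # the raw text for drill-down.
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Summary = ($_.Message -split "`r?`n")[0]
                Detail  = $_.Message
            }
        }
}

# Which divergences happen most often decides whether the proposed ACL is ready.
Get-StagedPolicyDivergence | Group-Object Summary | Sort-Object Count -Descending |
    Select-Object Count, Name
```

No 4818 events after a day of normal use means the proposed ACL would grant exactly what the current one does, which is the green light to move it from proposed to current; a flood of them means the rule (or the claims feeding it) needs work first.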
A claim is a piece of information about a user, device, or resource that has been published by a domain controller. Claims are very often attributes you find when you open the properties of an object in Active Directory: a user’s title, department or location are claims you can define, as is the department classification of a file or the health state of a computer. An entity can carry more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
- User claims: Active Directory attributes that are associated with a specific user.
- Device claims: Active Directory attributes that are associated with a specific computer object.
- Resource attributes: global resource properties that are marked for use in authorization decisions and published in Active Directory.
Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
Creating a Claim:
- Open the Active Directory Administrative Center and select Dynamic Access Control from the list on the left:
- Right-click Claim Types and select New:
- Select the attribute you want to use for the claim. If we keep the example used when I introduced Dynamic Access Control, we should create a claim based on the department the user works in: Finance.
- To keep with the scenario, I’m going to add a claim for office location (Office) and the AD VDI container:
You would create claims to meet the business objectives for securing data; the actual attributes you use to achieve that goal will likely be very different from what I’m using in this scenario, but I hope I’m showing you the power and flexibility afforded by setting up claims.
The relevant PowerShell cmdlets for creating, reading, setting and deleting claim types share the ADClaimType noun (New-ADClaimType, Get-ADClaimType, Set-ADClaimType, Remove-ADClaimType):
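The Finance scenario's claim types created with those cmdlets, as an added example that is not part of the original post. Assumptions: the ActiveDirectory module is present, the domain already has claims support enabled for the KDC via Group Policy, the department and physicalDeliveryOfficeName attributes are populated, and the claim IDs, display names and suggested values are my own choices.

```powershell
# Added example, not from the original post. Run as a domain admin on a
# Server 2012 domain with KDC claims support enabled.
Import-Module ActiveDirectory

# User claim sourced from the "department" attribute. Suggested values restrict
# the picker in ADAC to known departments, so a rule author cannot type "Finnance".
$departments = @(
    New-ADSuggestedValueEntry -Value "Finance"     -DisplayName "Finance"     -Description "Finance department"
    New-ADSuggestedValueEntry -Value "Engineering" -DisplayName "Engineering" -Description "Engineering department"
)
New-ADClaimType -DisplayName "Department" `
                -SourceAttribute department `
                -ID "ad://ext/Department" `
                -AppliesToClasses @("user") `
                -SuggestedValues $departments `
                -RestrictValues $true `
                -Enabled $true

# Office claim that applies to both users and computers, so one claim type can
# feed both the "has an office on the main campus" and the "connecting from a
# device on the main campus" halves of the Payroll rule.
New-ADClaimType -DisplayName "Office" `
                -SourceAttribute physicalDeliveryOfficeName `
                -ID "ad://ext/Office" `
                -AppliesToClasses @("user", "computer") `
                -Enabled $true

# Read: confirm the IDs, because those are what rule conditions reference.
Get-ADClaimType -Filter * |
    Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses, Enabled

# Set: look the claim type up by display name and change a property.
Get-ADClaimType -Filter 'DisplayName -eq "Office"' |
    Set-ADClaimType -Description "Used by the Payroll central access rule"

# Delete (commented out): only once no central access rule references it.
# Get-ADClaimType -Filter 'DisplayName -eq "Office"' | Remove-ADClaimType -Confirm:$false
```

Claims are issued at logon, so a user whose department attribute changes after the claim type exists carries the new value only after a fresh Kerberos ticket (log off and on, or klist purge).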
Dynamic Access Control is the story of file access rules (called, believe it or not, access rules) based on user and device criteria (called claims).
These rules function as logical if-then statements built on the attributes of files, users, and devices. An example:
“IF a user is an employee in the finance department AND has an office at the main campus AND is connecting from a device that is located on the main campus, then s/he can access the Payroll directory”
In order to lock down access with DAC in the above scenario, the administrator needs to set up claim types for the user and device attributes involved, and a corresponding central access rule (delivered through a central access policy) applied to the Payroll folder.
1) Configure user and device claim types
2) Implement policy changes and staging
3) Perform access-denied remediation
4) Configure file classification
5) Create and configure Central Access rules and policies
6) Create and configure resource properties and lists
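The Payroll rule from the scenario above, built end to end with the ActiveDirectory module, as an added example that is not part of the original post. Assumptions: Department and Office user/device claim types already exist with the IDs ad://ext/Department and ad://ext/Office (adjust to whatever Get-ADClaimType shows in your domain), "Main Campus" is the office value in use, the built-in Department_MS resource property is available, and the file server runs Windows Server 2012. The SDDL conditional ACE is written by me from the documented syntax; verify it with Get-ADCentralAccessRule before trusting it.

```powershell
# Added example, not from the original post. Run as a domain admin.
Import-Module ActiveDirectory

# 1) Resource property: the folder-side half of the comparison. Department_MS is
#    a built-in resource property; enable it and add it to the Global Resource
#    Property List so file servers pull it down for classification.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 2) Central access rule. The ACL is SDDL with a conditional ACE (XA): file read
#    for Authenticated Users only when all three claims line up. Explicit full
#    control for Administrators and SYSTEM keeps the folder manageable.
#    -ResourceCondition scopes the rule to folders classified Department=Finance.
$payrollAcl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)' +
              '(XA;;FR;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
              '(@USER.ad://ext/Office == "Main Campus") && ' +
              '(@DEVICE.ad://ext/Office == "Main Campus")))'

New-ADCentralAccessRule -Name "Payroll - Finance on campus" `
                        -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
                        -ProposedAcl $payrollAcl   # staged first; move to -CurrentAcl after auditing

# 3) Central access policy carrying the rule. This is the object you select in a
#    GPO under Computer Configuration > Policies > Windows Settings > Security
#    Settings > File System > Central Access Policy, and then apply on the
#    Payroll folder's Advanced Security settings.
New-ADCentralAccessPolicy -Name "Finance Payroll Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Payroll Policy" -Members "Payroll - Finance on campus"

# Verify what was written, including the SDDL exactly as AD stored it.
Get-ADCentralAccessRule -Identity "Payroll - Finance on campus" |
    Select-Object Name, ResourceCondition, ProposedAcl, CurrentAcl
Get-ADCentralAccessPolicy -Identity "Finance Payroll Policy" -Properties Members

# On each file server, refresh the resource properties so Department_MS appears
# in FSRM classification and the folder can be tagged Finance:
#   Update-FsrmClassificationPropertyDefinition
```

The rule is created with -ProposedAcl rather than -CurrentAcl on purpose: nothing changes for users until the staging audit described earlier has shown the rule grants what you expect, and promotion is a single Set-ADCentralAccessRule -CurrentAcl call afterwards.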
I received some pretty insightful feedback on my 70-412 exam prep blueprint series, as well as my frequency in posting for those studying for the MCSA/MCSE (Sorry again for the hiatus!).
Because the extra-large posts that cover a whole exam section (3200+ words) are harder to study from, and because epic-length posts take much longer to lab out and write up on my end, I’m changing the format to one post per exam topic.
Thanks for the feedback guys!
You can reach me via email: peteDOTflutyATgmail.com
Via Twitter: @petefluty
Or the new Facebook page: https://www.facebook.com/EnterpriseEngineer
Hey there, sports fans!
Phew. I apologize for the hiatus if you’ve been following my Microsoft 70-412 blueprint series. The topics are getting intense and mentally draining, which makes my desired cadence of three posts a week pretty difficult. I could just send links to content, but I feel that would cheat my readers a bit, as I’m striving for original content.
The other hang-up is technical: during the last series, I did bad things to my lab AD domain. Trying to leverage Dynamic Access Groups on top of it proved too much; I was getting all sorts of unexpected results.
Tonight I’m rebuilding my domain controllers, so hopefully I’ll be getting this show back on the road in the very near future.
Thanks for your emails and support!
Hey everyone! I’m just getting over a few days of being pretty sick, so I apologize for the delay in getting the next post of the series out to you. The content in this post was pretty deep, so it was a good post to get back in the swing of things!
Table Of Contents
1) Configure Network File System (NFS) data store
2) Configure BranchCache
3) Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
4) Configure file access auditing