Creating Windows VM on AWS and Storage Pool

Services-EC2-Instances-Launch Instance-choose appropriate image

Optionally, add tags

Enable RDP access

Choose whether to create new key pair or use existing one-then launch instance and download it

Connecting to Windows server VM

Actions-Get Windows Password

Browse to downloaded file

Click Decrypt password

Now we have credentials to log in to Windows server

Creating software RAID

Because i added additional 4 disk,i can create RAID 1,for example

Bring disk on-line and initialize it:

Get-Disk | Where-Object IsOffline –Eq $True | Set-Disk –IsOffline $False
Get-Disk | ?{$_.number -ne 0}| Initialize-Disk -PartitionStyle GPT

Create storage pool

New-StoragePool -FriendlyName 'pool' -PhysicalDisks (Get-PhysicalDisk -CanPool $true) -StorageSubSystemFriendlyName (Get-StorageSubSystem).FriendlyName

Create new virtual disk:

New-VirtualDisk -FriendlyName "mydisk"  -StoragePoolFriendlyName "pool" -Size 16GB -ProvisioningType Thin -ResiliencySettingName Mirror

Initilize and format virtual disk:

Initialize-Disk -Number (Get-VirtualDisk -FriendlyName "mydisk" | Get-Disk).Number
New-Partition -DiskNumber (Get-VirtualDisk -FriendlyName "mydisk" | Get-Disk).Number -UseMaximumSize –AssignDriveLetter
Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel "DataStore"

 

DeployingWindows container on Nano Server

In one of my previous posts i installed nano server.Now we’ll deploy Windows container to Nano server.

A container is an isolated place where an application can run without affecting the rest of the system, and without the system affecting the application.Container shares OS kernel so it can be seen as “isolated” part of guest OS.

Windows Containers include two different container types

Windows Server Containers – A Windows Server container shares a kernel with the container host and all containers running on the host.

Hyper-V Containers – expand on the isolation provided by Windows Server Containers by running each container in a Hyper-V virtual machine. In this configuration the kernel of the container host is not shared with other Hyper-V Containers.

Connecting to Nano Server

Set-Item WSMan:\localhost\Client\TrustedHosts 192.168.1.20 -Force
Enter-PSSession -ComputerName 192.168.1.50 -Credential Administrator

Updating Nano Server

#Scan for updates

$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=0";OnlineScan=$true}
$result.Updates

# Install all updates

$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
Invoke-CimMethod -InputObject $ci -MethodName ApplyApplicableUpdates

Restart-Computer

# List Installed Updates

$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{SearchCriteria="IsInstalled=1";OnlineScan=$true}
$result.Updates

Installing Container

#Install the OneGet PowerShell module,it's container provider

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
#Use OneGet to install the latest version of Docker.
Install-Package -Name docker -ProviderName DockerMsftProvider
Restart-Computer

Afrer rebooting start Docker service and install base image

Start-Service docker
docker pull microsoft/nanoserver

Enabling remote access to docker host (Nano Server)

netsh advfirewall firewall add rule name="Docker daemon " dir=in action=allow protocol=TCP localport=2375
Stop-Service docker
dockerd --unregister-service
dockerd -H npipe:// -H 0.0.0.0:2375 --register-service
Start-Service docker

Connecting to Windows container from remote computer

#Download docker client
Invoke-WebRequest "https://download.docker.com/components/engine/windows-server/cs-1.12/docker.zip" -OutFile "$env:TEMP\docker.zip" -UseBasicParsing

#extract it
Expand-Archive -Path "$env:TEMP\docker.zip" -DestinationPath $env:ProgramFiles

# For quick use, does not require shell to be restarted.
$env:path += ";c:\program files\docker"

# add docker directory to system path
[Environment]::SetEnvironmentVariable("Path", $env:Path + ";C:\Program Files\Docker", [EnvironmentVariableTarget]::Machine)

Connect to docker container hosted on Nano Server (192.168.0.20),this command will create container from microsoft/nanoserver image with name nano and container hostname nano

docker -H tcp://192.168.0.20:2375 run -it --name nano --hostname nano microsoft/nanoserver cmd

Storage Spaces Tiering in Windows Server 2016

The goal of Storage Spaces is to create highly available storage solution that has all the advantages of SAN (power and flexibility),but is significantly cheaper.Storage spaces “virtualizes” storage (which consist of HDD and SSD.A storage pool is a container that is used to group physical disks (mixing SSD and HDD).It provides the ability to store more frequently accessed data on SSD media,with both types of media used as block based storage for the same virtual disk: the best of both types of storage

In this lab i used machine VMWare workstation VM with 4 HDD and 2 SSD disks (each with 10 GB)

To simulate SSD disk in VMWare,we need to edit virtual machine’s vmx file

scsix:y.virtualSSD=1,where x:y is scsi disk number

Check VM configuration:

Get-PhysicalDisk -CanPool $true | sort size |ft deviceid,friendlyname,canpool,size,mediatype -AutoSize

As we can see,non-SSD disks are specified as “unspecified”,we need to set its media type as HDD,in order to avoid errors

Get-PhysicalDisk | where MediaType -EQ unspecified | where Size -LT 60GB | Set-PhysicalDisk -MediaType HDD

i used filter to exclude system disk (60 GB) because that disk won’t be member of storage pool

Get-PhysicalDisk | sort size |ft deviceid,friendlyname,canpool,size,mediatype -AutoSize

Create storage pool

$pool=Get-StorageSubSystem
New-StoragePool -StorageSubSystemUniqueId $pool.UniqueId -FriendlyName mypool -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

Get-StoragePool mypool | Get-PhysicalDisk | ft FriendlyName,MediaType,Size

Configuring Tiers

As we mentioned before,we need to create storage tiers to group SSD and HDD media types

Get-StoragePool mypool | New-StorageTier –FriendlyName HDDTier –MediaType HDD
Get-StoragePool mypool | New-StorageTier -FriendlyName SSDTier -MediaType SSD

Get Pool capacity

Get-StoragePool mypool | fl Size,AllocatedSize

Storage Spaces reserves 256 MB for each disk (6×256=1,5 GB)

Get Tier capacity

HDD tier (mirror):

Get-StorageTierSupportedSize hddtier -ResiliencySettingName mirror | ft -AutoSize

If we want to use tier in “mirror” mode,maximum space is 8 GB (10+10)/2

SSD tier 

Get-StorageTierSupportedSize ssdtier -ResiliencySettingName mirror | ft -AutoSize

Maximum free space is 16 GB

Configuring resilency settings

Storage Spaces offers increased performance by striping data across multiple disks,these disks are named NumberOfColumns.NumberOfDataCopiesDefault parameter specifies on how many disks data will be stripped across

Get-StoragePool mypool | Set-ResiliencySetting -Name mirror -NumberOfDataCopiesDefault 2

 Creating mirrored spaces with tiering

$ssd=Get-StorageTier -FriendlyName ssdtier
$hdd=Get-StorageTier -FriendlyName hddtier
Get-StoragePool mypool | New-VirtualDisk -FriendlyName space1 -ResiliencySettingName mirror -StorageTiers $ssd,$hdd -StorageTierSizes 16gb,8gb -WriteCacheSize 1gb
Get-VirtualDisk | ft -AutoSize

Creating Partition and Volume

Get-VirtualDisk Space1 | Get-Disk | Set-Disk -IsReadOnly 0
Get-VirtualDisk Space1 | Get-Disk | Set-Disk -IsOffline 0
Get-VirtualDisk Space1 | Get-Disk | Initialize-Disk -PartitionStyle GPT
Get-VirtualDisk Space1 | Get-Disk | New-Partition -DriveLetter "F" -UseMaximumSize
Initialize-Volume -DriveLetter “F” -FileSystem NTFS -Confirm:$false

 

Running Ubuntu Server 16.04.1 LTS as Hyper-V guest

In this article we’ll install Ubuntu Server 16.04.01 as Hyper-V VM with 2 CPU’s,1 GB of RAM and 20 GB HDD (Note machine is Generation 1,with Gen 2 it didn’t work for me)

new-vm -Name 'ubuntu' -MemoryStartupBytes 512MB -NewVHDPath 'c:\ubuntu\ubuntu.vhd' -SwitchName 'new virtual switch' -NewVHDSizeBytes 20GB -Generation 1 -MaximumBytes 2GB
set-vm -VMName 'ubuntu' -ProcessorCount 2
Get-VM -Name 'ubuntu' | Add-VMDvdDrive
Set-VMDvdDrive -VMName 'ubuntu' -Path 'C:\Users\dragan\Downloads\ubuntu-16.04.1-server-amd64.iso'

 

 

 

Enabling SSH access on Ubuntu

I don’t know for you,but it’s very uncomfortable to work from Hyper-V console,that’s why i prefer SSH access

apt-get install openssh-server -y
service sshd restart

Allow ssh traffic to your Ubuntu server (192.168.0.48)

ufw allow proto tcp from 192.168.0.0 to 192.168.0.48 port 22

Download and install Putty.You should be able now to make connection to Ubuntu Server via port 22

 

Installing integration services

Hyper-V Integration Services allow a virtual machine to communicate with the Hyper-V host .(Think of it as equivalent of VMWare tools).These services enables,for example,guest file copy, while others are important to the virtual machine’s ability to function correctly, such as time synchronization.

apt-get install --install-recommends linux-tools-virtual-lts-xenial linux-cloud-tools-virtual-lts-xenial linux-virtual-lts-xenial

Reboot the Ubuntu Server

If we want to copy files to VM we need to enable Guest Service interface (disabled by default)

On Hyper-V host check current status:

Get-VMIntegrationService -VMName 'ubuntu'

 

Enable-VMIntegrationService -VMname 'ubuntu' -Name 'guest service interface'

Copying file from Hyper-V host to Ubuntu VM:

echo 'This file is about to be copied to ubuntu server'>c:\file.txt
Copy-VMFile -name 'ubuntu' -SourcePath 'C:\file.txt' -DestinationPath '/root/' -FileSource Host

 

Creating a New NIC Team in a VM-Windows Server 2016

NIC Teaming, also known as load balancing and failover (LBFO), allows multiple network adapters on a computer to be placed into a team for the following purposes:

• Bandwidth aggregation
• Traffic failover to prevent connectivity loss in the event of a network component failure

In this example we’ll create virtual switch,add this switch to VM and enable NIC teaming for new switch:

On Hyper-V console click Virtual Switch Manager

Create Virtual switch

Choose Switch type

External:Gives virtual machines access to a physical network to communicate with servers and clients on an external network,also it communicates connections between Hyper-V VM’s on the same Hyper-V server

Internal:Allows communication between virtual machines on the same Hyper-V server, and between the virtual machines and the management host operating system.

Private:Only allows communication between virtual machines on the same Hyper-V server.

And click create Virtual Switch

Choose adapter,click apply and ok

Now when we added Neywork adapter to Hyper-V switch,let’s add it to VM

Right-Click VM-Settings

Add Hardware-Network Adapter-Add

Specify Virtual Switch-Apply-Ok

Select adapter-Advanced-Enable this network adapater to be part of team

Powershell:

Creating new Switch:

New-VMSwitch -Name External -NetAdapterName 'ethernet'

Adding New Network adapter to VM:

get-vm -VMName dc | Add-VMNetworkAdapter -SwitchName 'external'

Enabling NIC teaming for VM:

Set-VMNetworkAdapter -VMName dc -AllowTeaming on

Deploying VPN Server on Windows Server 2016

In this blog we’ll create VPN server wich will be leveraging IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2).With the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE), this tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN).For example, this permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

 

 

Installing Certificates to VPN server and VPN client 

Creating certificate templates

In Certification Authority (CA),from CA console,right click Certificate Templates-Manage

 

 

Right-Click IPSec template-Duplicate template

 

On Request Handling tab click Allow private key to be exported

 

Click Extension tab-Application Policies-Edit

 

 

Remove IP Security IKE intermediate

 

 

then click Add and choose Server Authentication

 

 

Click Key Usage-Edit

 

Ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

In the security tab-click Object Types-Computers-Add Domain Computers

 

Make sure Read,Enroll and Auto-Enroll is selected

 

In General tab give template a name

 

Now,right click Certification Template-New-Certificate Template to issue

 

 

Choose new template

 

 

Enrolling certificate on VPN server

On VPN server:start-run-mmc-Add/remove snap-in

 

Click Certificates-Add-Computer Account

 

 

Right click Personal-All tasks-Request New Certificate

 

 

Check certificate templates-Properties

 

Click Subject tab-Subject Name-Common name (from drop-down menu)-FQDN for VPN server-Add

Alternative Name-choose DNS-set FQDN for VPN server-ADD

 

New certificate should be created

 

 

This certificate should be exported and then imported to client machine

 

Exporting certificate

Right-click certificate-All tasks-Export

 

 

Export private key

 

 

Set password and specify file in which certificate should be saved.

Copy file to client computer

 

Importing file on client machine

This certificate should be imported to Trusted Root Certification Authority on client.

Start-run-mmc-add Certificate snap-in-local computer

Right click Trusted Root Certification Authorities-All task-import

 

 

Browse to copied file and enter password

 

Installing Roles

 

On Server install Network Policy Server and Remote Access roles

 

Open Routing and Remote Access console-right click server icon-Configure and Enable Routing and Remote Access

 

 

Remote access (dial-up or VPN)

 

 

Check VPN

 

 

Select internet facing interface

 

 

Define VPN address pool

 

 

 

We are not using RADIUS,intead we’ll use NPS

 

 

Right click Remote Access Logging-Launch NPS

 

Click Network Access Policies

 

Right click Connections to Microsoft Routing and Remote Access Server-Properties

Check Grant access

Click Constraints-Select Microsoft:Secured password (EAP-MSCHAP v2)

 

If it’s not selected add it

 

 

Enable user VPN access

In ADUS right click user-Dial-in-Allow access

 

 

Client setting

In hosts file add entry for VPN server (name must be equal to one specified in SSL certificate)

Creating VPN client connection

 

 

Use my insternet connection (VPN)

 

 

I’ll set up an internet connection later

 

In Internet address type VPN server name

 

Specify username/password

 

In Security tab,for Type of VPN select IKEv2-Data encryption-Require encryption-Authentication:Microsoft:Secured password (EAP-MSCHAP v2)

 

We can see that IKEv2 is used,client got address from our VPN pool (10.10.10.3)

 

 

 

 

Deploying Windows DNS feature on Nano Server

Nano Server is a remotely administered server operating system optimized for private clouds and datacenters,it  has no local logon capability.In this post we create basic nano server image,without going deep in configuration,in this one we’ll configure DNS server in Nano server

Import nano server CMD-lets

From Windows Server 2016 installation disk browse to NanoServer\NanoServerImageGenerator,

Set-ExecutionPolicy RemoteSigned
Import-Module .\NanoServerImageGenerator.psm1

Create Nano Image (with DNS packages) 

New-NanoServerImage -MediaPath d:\ -BasePath C:\nano\ -TargetPath C:\nano\nano_dns.vhdx -Package microsoft-nanoserver-dns-package -InterfaceNameOrIndex ethernet -Ipv4Address 192.168.0.20 -Ipv4SubnetMask 255.255.255.0 -Ipv4Gateway 192.168.0.1 -DeploymentType guest -E
nableRemoteManagementPort -Ipv4Dns 127.0.0.1 -Edition Datacenter -MaxSize 10GB -ComputerName nano_dns -AdministratorPassword (ConvertTo-SecureString "Pass
word01" -AsPlainText -Force)

All available packages are available in Windows Server 2016 installation DVD,Nanoserver\Packages folder

Create Hyper-V VM and start it

New-VM -Name 'nano-dns' -MemoryStartupBytes 1gb -VHDPath 'C:\nano\nano_dns.vhdx' -Generation 2 -switchname 'new virtual switch'

start-vm nano-dns

Establish connection to Nano Server and Extract the DNS Role

set-item wsman:\localhost\client\trustedhosts "192.168.0.20"
Enter-PSSession -ComputerName 192.168.0.20 -Credential administrator
Enable-WindowsOptionalFeature -Online -FeatureName dns-server-full-role
Import-Module DnsServer

Creating Forward lookup zone and A record

Add-DnsServerPrimaryZone -ZoneName test.com -ZoneFile test.com.dns
Add-DnsServerResourceRecordA -Name www -ZoneName test.com -IPv4Address 192.168.0.21

From client computer (where Preferred DNS server is set as Nano Server),test DNS resolution: