Updates on Hyper-V Server? How to see what had been installed?

When you need to see which updates have been installed on your Hyper-V server, you can use this PowerShell cmdlet to list all of them.

Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object Description, HotFixID, InstalledOn


If you then need to check whether all the nodes of your cluster, or several Hyper-V servers, are at the same patch level, run this cmdlet remotely against each of them through PowerShell ISE.

If you need help running PowerShell cmdlets remotely, see one of my previous posts (Managing Hyper-V Server remotely through PowerShell).
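As an added example (not from the original post), the script below queries the same WMI class on every node of a cluster and reports updates that are present on some nodes but missing on others. The node names are placeholders, and it assumes the account running it is a local administrator on each node with WMI access open.

```powershell
# Added example (not from the original post): query the same WMI class on every cluster
# node and report updates that are missing on some nodes, i.e. patch-level drift.
# Assumptions: the node names are placeholders; WMI/DCOM access is open and the
# account running this is a local administrator on each node.

$nodes = 'HV-NODE1', 'HV-NODE2', 'HV-NODE3'        # placeholders, replace with your hosts

# Per-node list of HotFixIDs (same class the post uses; -ComputerName queries remotely)
$inventory = @{}
foreach ($node in $nodes) {
    try {
        $ids = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $node -ErrorAction Stop |
               Select-Object -ExpandProperty HotFixID
        $inventory[$node] = @($ids | Sort-Object -Unique)
    } catch {
        # An unreachable node is itself a finding: its patch level cannot be asserted
        Write-Warning ("Could not query {0}: {1}" -f $node, $_.Exception.Message)
    }
}

$reachable = @($inventory.Keys | Sort-Object)
if ($reachable.Count -eq 0) { throw 'No node could be queried; nothing to compare.' }

# Union of every update seen on any reachable node
$allUpdates = @($inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique)

# One row per update, one Boolean column per reachable node
$matrix = foreach ($kb in $allUpdates) {
    $row = [ordered]@{ HotFixID = $kb }
    foreach ($node in $reachable) { $row[$node] = $inventory[$node] -contains $kb }
    [PSCustomObject]$row
}

# Rows with at least one False are the ones to act on
$drift = $matrix | Where-Object {
    $r = $_
    @($reachable | Where-Object { -not $r.$_ }).Count -gt 0
}

if ($drift) {
    Write-Host 'Updates not present on every node:' -ForegroundColor Yellow
    $drift | Format-Table -AutoSize
    foreach ($node in $reachable) {
        $missing = @($drift | Where-Object { -not $_.$node } | Select-Object -ExpandProperty HotFixID)
        if ($missing) { '{0} is missing: {1}' -f $node, ($missing -join ', ') }
    }
} else {
    Write-Host 'All reachable nodes have the same set of updates.' -ForegroundColor Green
}

# Keep the matrix as evidence for change or compliance records
$matrix | Export-Csv -Path .\HyperV-PatchLevel.csv -NoTypeInformation
```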

Integration between Hyper-V Network Virtualization and Windows Server Gateway

One of the features of Windows Server 2012 R2 that was improved since the previous version is network virtualization. Virtual networks are created using Hyper-V Network Virtualization, a technology introduced in Windows Server 2012.

Windows Server 2012 R2 now includes a service that enables datacenter and cloud network traffic to be routed between virtual and physical networks, including the Internet. The service responsible for routing that traffic is Windows Server Gateway, a VM-based software router that can route network traffic effectively between different datacenters, or between datacenters and the cloud.

How it works

Hyper-V Network Virtualization provides the concept of a virtual machine (VM) network that is independent of the underlying physical network. With this concept of VM networks, which are composed of one or more virtual subnets, the exact physical location of an IP subnet is decoupled from the virtual network topology. As a result, organizations can easily move their subnets to the cloud while preserving their existing IP addresses and topology in the cloud. This ability to preserve infrastructure allows existing services to continue to work, unaware of the physical location of the subnets. That is, Hyper-V Network Virtualization enables a seamless hybrid cloud.

In both private and hybrid cloud environments using Windows Server 2012, however, it was difficult to provide connectivity between VMs on the virtual network and resources on physical networks at local and remote sites, creating a circumstance where virtual subnets were islands separated from the rest of the network.

In Windows Server 2012 R2, Windows Server Gateway routes network traffic between the physical network and VM network resources, regardless of where the resources are located. You can use Windows Server Gateway to route network traffic between physical and virtual networks at the same physical location or at many different physical locations.

For example, if you have both a physical network and a virtual network at the same physical location, you can deploy a server running Hyper-V that is configured with a Windows Server Gateway VM to act as a forwarding gateway and route traffic between the virtual and physical networks.

As another example, if your virtual networks exist in the cloud, your cloud can deploy a Windows Server Gateway so that you can create a virtual private network (VPN) site-to-site connection between your VPN server and the cloud's Windows Server Gateway; once this link is established, you can connect to your virtual resources in the cloud over the VPN connection.

Integration between Hyper-V Network Virtualization and Windows Server Gateway

Windows Server Gateway is integrated with Hyper-V Network Virtualization and is able to route network traffic effectively in circumstances where there are many different tenants who have isolated virtual networks in the same datacenter.

Multi-tenancy is the ability of a cloud infrastructure to support the virtual machine workloads of multiple tenants, but isolate them from each other, while all of the workloads run on the same infrastructure. The multiple workloads of an individual tenant can interconnect and be managed remotely, but these systems do not interconnect with the workloads of other tenants, nor can other tenants remotely manage them.

How to use

There are different ways to use Windows Server Gateway in your organization, depending on the overall solution you want to achieve. You can use Windows Server Gateway in these situations:

  • Windows Server Gateway as a forwarding gateway for private cloud environments
  • Windows Server Gateway as a site-to-site VPN gateway for hybrid cloud environments
  • Multitenant Network Address Translation (NAT) for VM Internet access
  • Multitenant remote access VPN connections

Windows Server Gateway as a forwarding gateway for private cloud environments

For enterprises that deploy an on-premises private cloud, Windows Server Gateway can act as a forwarding gateway and route traffic between virtual networks and the physical network.

If you have created virtual networks for one or more of your clouds, but many of your key resources (such as Active Directory Domain Services, SharePoint, or DNS) are on your physical network, Windows Server Gateway can route traffic between the virtual network and the physical network to provide users working on the virtual network with all of the services that they need.

In the illustration below, the physical and virtual networks are at the same physical location. Windows Server Gateway is used to route traffic between the physical network and virtual networks.


Windows Server Gateway as a site-to-site VPN gateway for hybrid cloud environments

If your infrastructure is a hybrid cloud, Windows Server Gateway provides a multitenant gateway solution that allows your tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic flow between virtual resources in your datacenter and their physical network.

In the illustration below, a Cloud Service Provider (for example, Azure) provides datacenter network access to multiple tenants, some of whom have multiple sites across the Internet. In this example, tenants use third-party VPN servers at their corporate sites, while the CSP uses Windows Server Gateway for the site-to-site VPN connections.


Multitenant Network Address Translation (NAT) for VM Internet access

In the illustration below, a home user running a Web browser on their computer makes a purchase on the Internet from a Contoso Web server that is a VM on the Contoso Virtual Network. During the purchasing process, the Web app verifies the credit card information provided by the home user by connecting to a Financial Services company on the Internet. This ability to connect from the virtual network to Internet resources is provided when NAT is enabled on the CSP Windows Server Gateway.


Multitenant remote access VPN connections

In the illustration below, Administrators use VPN dial-in connections to administer VMs on their corporate virtual networks. The Administrator from Contoso initiates the VPN connection from an Internet-enabled branch office, and connects through the CSP Windows Server Gateway to the Contoso Virtual Network.

Similarly, the Northwind Traders Administrator establishes a VPN connection from a residence office to manage VMs on the Northwind Traders Virtual Network.


MPIO on Hyper-V Server

On previous versions of Windows Server (prior to Windows Server 2012) you had to download and install Multipath I/O (MPIO). Since Windows Server 2012, MPIO is a feature that you can enable. Because it is a feature that ships with the server, the PowerShell cmdlets are available as well.

Use of the MPIO module in Windows PowerShell requires an “elevated” PowerShell window, opened with Administrator privileges.

How to do it


Installing MPIO using the GUI

Hyper-V Server has no GUI on the server itself, but you can enable the feature remotely from another server, or from RSAT installed on Windows 8.1, using the Server Manager console. Just follow these steps.

1. Open Server Manager Console

2. Browse to the Hyper-V Server on which you want to enable MPIO. To do that, click on All Servers and then click on the Hyper-V Server.


3. Right-click on the Hyper-V Server and click on Add Roles and Features.

4. Click Next four times to reach the Select features window.


5. On the Select features window, select Multipath I/O and click Next.


6. Click Install to enable the feature.

Installing and Managing MPIO using PowerShell

Enable or Disable the MPIO Feature

If the MPIO feature is not currently installed, use the following command to enable the MPIO feature:

Enable-WindowsOptionalFeature -Online -FeatureName MultiPathIO


To disable the MPIO feature, use the following command:

Disable-WindowsOptionalFeature -Online -FeatureName MultiPathIO

Listing commands available in the MPIO module

The commands available in the MPIO module can be listed using Get-Command with the module name, as shown below.


Full help and example content for the MPIO module is available via the following method:

  • In PowerShell, after importing the MPIO module or using any MPIO cmdlet, updated help can be downloaded from the internet by running the following command:
    • Update-Help

Tips and Tricks

Configuring MPIO using PowerShell

If these steps are performed prior to connecting devices of the desired BusType, you can typically avoid the need for a restart.

  • Install the MPIO feature on a new Windows Server 2012 installation.
  • Configure MPIO to automatically claim all iSCSI devices.
  • Configure the default Load Balance policy for Round Robin.
  • Set the Windows Disk timeout to 60 seconds.

Here is what this script would look like:

# Enable the MPIO feature
Enable-WindowsOptionalFeature -Online -FeatureName MultiPathIO

# Enable automatic claiming of iSCSI devices for MPIO
Enable-MSDSMAutomaticClaim -BusType iSCSI

# Set the default load balance policy of all newly claimed devices to Round Robin
# (the cmdlet in the MPIO module is Set-MSDSMGlobalDefaultLoadBalancePolicy)
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR

# Set the Windows Disk timeout to 60 seconds
Set-MPIOSetting -NewDiskTimeout 60
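As an added example (not from the original post), this script checks that a host's MPIO configuration still matches the baseline the script above applies, and also flags claimed disks that have only one path. It assumes an elevated session on the host, that the output of Get-MSDSMAutomaticClaimSettings can be indexed by bus type name, and that the MPIO_DISK_INFO WMI class in root\wmi reports NumberPaths per disk.

```powershell
# Added example (not from the original post): verify that a host's MPIO configuration
# matches what the script above sets, and flag claimed disks that have only one path.
# Assumptions: run elevated on the Hyper-V host; the Get-MSDSMAutomaticClaimSettings
# output is indexed by bus type name (check it on your host); the MPIO_DISK_INFO WMI
# class in root\wmi reports NumberPaths per multipathed disk.

Import-Module MPIO -ErrorAction Stop

$expected = @{ Policy = 'RR'; DiskTimeout = 60; BusType = 'iSCSI'; MinPaths = 2 }
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Text) { [void]$findings.Add($Text) }

# 1. Feature state
$feature = Get-WindowsOptionalFeature -Online -FeatureName MultiPathIO
if ($feature.State -ne 'Enabled') {
    Add-Finding "MultiPathIO feature state is '$($feature.State)', expected 'Enabled'"
}

# 2. Default load balance policy for newly claimed devices
$policy = Get-MSDSMGlobalDefaultLoadBalancePolicy
if ("$policy" -ne $expected.Policy) {
    Add-Finding "Default load balance policy is '$policy', expected '$($expected.Policy)'"
}

# 3. Disk timeout (DiskTimeoutValue is a property of the Get-MPIOSetting output)
$settings = Get-MPIOSetting
if ([int]$settings.DiskTimeoutValue -ne $expected.DiskTimeout) {
    Add-Finding "Disk timeout is $($settings.DiskTimeoutValue) s, expected $($expected.DiskTimeout) s"
}

# 4. Automatic claiming for the expected bus type (indexing by name is an assumption)
$claims = Get-MSDSMAutomaticClaimSettings
if (-not [bool]$claims.($expected.BusType)) {
    Add-Finding "Automatic claim for $($expected.BusType) devices is not enabled"
}

# 5. Path redundancy: MPIO configured but a disk with a single path has no failover
$disks = Get-WmiObject -Namespace root\wmi -Class MPIO_DISK_INFO -ErrorAction SilentlyContinue
foreach ($d in @($disks.DriveInfo)) {
    if ($d -and [int]$d.NumberPaths -lt $expected.MinPaths) {
        Add-Finding ('{0} has {1} path(s), expected at least {2}' -f $d.Name, $d.NumberPaths, $expected.MinPaths)
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'MPIO configuration matches the expected baseline.' -ForegroundColor Green
} else {
    Write-Host 'MPIO configuration drift:' -ForegroundColor Yellow
    $findings | ForEach-Object { " - $_" }
}
```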

Hyper-V Best Practices Analyzer

Sometimes when you deploy a Hyper-V Server you don't know whether you missed any configuration, or whether you are following the best practices regarding security, configuration or supportability of Hyper-V Server, in case you need help from Microsoft Support. To help with this, Microsoft has created a set of rules to improve our environments, referred to as best practices. However, it is not easy to know all of them and to make sure your Hyper-V servers are compliant with all of these practices.

To make this job easier, Windows Server comes with the Best Practices Analyzer (BPA). It has a set of best practices and rules which it will compare against all the components of your server and it will then generate a report with all the problems that are found during the scan. The report will provide helpful details such as problems, impact, and resolutions for possible issues.

Windows Server comes with best practices for almost all the roles as well as a specific one only for Hyper-V with all the practices to analyze your host server, configuration, and virtual machines.

The Hyper-V Best Practices Analyzer works only with the pre-installed Hyper-V Role. Make sure that Hyper-V is installed and as a best practice, run the BPA after every server installation and configuration is performed.

How to do it

By following these steps, you will see how to run the best practices analyzer for Hyper-V and explore its results:

1. Open the Server Manager from the Windows Taskbar.

2. From the Server Manager window, click on Hyper-V on the pane on the left-hand side. Then use the scroll bar on the right-hand side to scroll down until the best practices analyzer option can be seen.

3. Under Best Practices Analyzer, navigate to Tasks | Start BPA Scan, as shown in the following screenshot:


4. In the Select Servers window, select the Hyper-V servers that you want to scan and click on Start Scan.

5. The scan will start on all the selected servers. When the scan has finished, the BPA results will be shown in Server Manager, under Best Practices Analyzer.

6. When completed, the scan results will be listed in three columns: Server Name, Severity, and Title. Use the filters above each column to organize the information based on your queries.

7. Click on one of the results to see the information provided by BPA. The following screenshot shows an example of a warning scan result and its description:


8. Open the results and analyze the problem, impact, and resolution for each server.

9. Use the filter at the top to find only warnings and errors.

10. After identifying the results, you can apply the resolutions provided by the Hyper-V BPA.

BPA on PowerShell

All of the Windows Best Practices are available through PowerShell as well. You can scan, filter, get the results, and extract reports using the PowerShell cmdlets. To start a scan using the Hyper-V BPA, type the following command:

Invoke-BpaModel -BestPracticesModelId Microsoft/Windows/Hyper-V

After invoking the Hyper-V BPA, you can use the Get-BPAResult command to analyze the results. The following command shows the BPA scan results:

Get-BpaResult -BestPracticesModelId Microsoft/Windows/Hyper-V

The following screenshot is an example of how the Get-BPAResult output could look:


If you want to filter only the warnings and the errors by using PowerShell, you can also use the following command:

Get-BpaResult -BestPracticesModelId Microsoft/Windows/Hyper-V | Where-Object {$_.Severity -eq "Warning" -or $_.Severity -eq "Error"}
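As an added example (not from the original post), the script below runs the same scan and filter on several hosts through PowerShell remoting and pivots the Errors and Warnings by rule, so that a rule failing on only some nodes stands out as configuration drift. The host names are placeholders; it assumes remoting is enabled and the account is a local administrator on each host.

```powershell
# Added example (not from the original post): run the Hyper-V BPA on several hosts at once,
# keep only Errors and Warnings, and show which rule fails on which host so that drift
# between cluster nodes stands out. Assumptions: host names are placeholders, PowerShell
# remoting is enabled on them, and the account is a local administrator there.

$targets = 'HV-NODE1', 'HV-NODE2'            # placeholders, replace with your hosts
$modelId = 'Microsoft/Windows/Hyper-V'       # the model id used throughout the post

$results = Invoke-Command -ComputerName $targets -ArgumentList $modelId -ScriptBlock {
    param($ModelId)
    Import-Module BestPractices
    # Same two cmdlets as the post: scan, then read the results back
    Invoke-BpaModel -BestPracticesModelId $ModelId | Out-Null
    Get-BpaResult -BestPracticesModelId $ModelId |
        Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
        Select-Object Severity, Category, Title, Problem, Impact, Resolution
}

# Invoke-Command stamps each object with PSComputerName, which we use to pivot by rule
$byRule = $results | Group-Object Title | Sort-Object Count -Descending

foreach ($group in $byRule) {
    $first = $group.Group[0]
    $where = @($group.Group | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique)
    '{0,-8} {1} (on {2})' -f $first.Severity, $group.Name, ($where -join ', ')
    "         Resolution: $($first.Resolution)"
}

# A rule that fails on only some hosts usually means the nodes are configured differently
$partial = foreach ($group in $byRule) {
    $hostsHit = @($group.Group | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique).Count
    if ($hostsHit -lt $targets.Count) { $group.Name }
}
if ($partial) { "`nRules failing on only a subset of hosts: " + ($partial -join '; ') }

# Keep the raw rows for ticketing or for feeding a report
$results | Select-Object PSComputerName, Severity, Category, Title, Problem, Impact, Resolution |
    Export-Csv -Path .\HyperV-BPA.csv -NoTypeInformation
```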

Summary

The Best Practice Analyzer for Hyper-V has 74 scans to identify which settings are not configured, based on the Microsoft documentation and practices. It is enabled automatically when the Hyper-V role is installed.

When BPA scans the servers, it shows the results for every scan, providing helpful details about what was scanned, the impact, and even how to resolve any problems it finds. It will also give you the option to apply the necessary changes for your server in compliance with the best practices.

BPA is available through Server Manager and can be used at any time. The recommendation is to scan every server after their final configurations and also on a monthly basis after that.

Hyper-V BPA will also display information about Microsoft Support. If the server has a configuration that is not supported by Microsoft, it will inform you of this through the reports.

After running and applying the recommended settings, you can then be sure that your servers have all the best practices, currently recommended by Microsoft.


Tips and Tricks

Using PowerShell to create HTML reports with the BPA results: to improve on the plain PowerShell output, it is possible to produce a BPA HTML report using the following script. It uses the previous Get-BpaResult filter example to show only the warning and error results:

$head = '<style>
BODY{font-family:Verdana; background-color:lightblue;}
TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH{font-size:1.3em; border-width: 1px;padding: 2px;border-style: solid;border-color: black;background-color:#FFCCCC}
TD{border-width: 1px;padding: 2px;border-style: solid;border-color: black;background-color:yellow}
</style>'

$header = "<H1>Hyper-V BPA Errors and Warnings Results</H1>"

$title = "Hyper-V BPA"

# Filter to errors and warnings, render as an HTML table and write it to report.htm
Get-BpaResult -BestPracticesModelId Microsoft/Windows/Hyper-V |
    Where-Object {$_.Severity -eq "Error" -or $_.Severity -eq "Warning"} |
    ConvertTo-Html -Head $head -Body $header -Title $title |
    Out-File .\report.htm

The following screenshot shows the output file that is created after running the script:


How to delegate access in Hyper-V

In some medium or large organizations, it is common practice to have different access levels for systems, such as administrator, help desk, support and auditor. When implementing virtual machines using Hyper-V Servers, it is important to reflect these access levels as well.

Hyper-V 2012 makes this task easier when you need to specify particular users or groups as Hyper-V Administrators, but you might also face scenarios where different levels are required. To add advanced permissions to a user during this task, you will need to use groups (which is also the recommended approach). You can create and use local groups or Active Directory groups.

NOTE: Make sure you have created them before you start.

How to do it

The following steps show how to delegate control for a user by using the local Hyper-V Administrators group and by using Authorization Manager (AzMan) for advanced delegations:

1. To add users or groups as members of the local Hyper-V Administrators, open the Start menu and type computer. From Search Results, click on Computer Management.

2. In the Computer Management console, expand System Tools > Local Users and Groups and click on Groups.

3. In the group list, double-click on the Hyper-V Administrators group, as shown in the following screenshot:


4. In the Hyper-V Administrators Properties window, click on Add, type the groups or users you want to add into the group, and click on OK twice.

5. To add advanced permissions for a group in Hyper-V, open the Start menu and type AzMan.msc to open the Authorization Manager console.

6. In the Authorization Manager console, right-click on Authorization Manager and select Open Authorization Store.

7. In the Open Authorization Store option, under Store Name, type the path C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml and click on OK.

8. Under the Authorization Manager console, expand Hyper-V services > Definitions, right-click on Role Definitions, and select New Role Definition.

9. In the New Role Definition window, specify the name of the role you want to use.

10. Then, under Description, specify the role description and click on OK. Role Definitions will be listed as shown in the following screenshot:


11. In the Authorization Manager console, right-click on Task Definitions and select New Task Definition.

12. In the New Task Definition window, under Name, specify the task name.

13. Then, under Description, add a description for your task and click on OK. The tasks will be listed in the right-hand pane, as shown in the following screenshot:


14. To add a definition into a task, click on Task Definition and double-click on a task.

15. Click on the Definition tab and select Add.

16. In the Add Definition window, select the Operations tab.

17. Select the operations you want from the list, as shown in the following screenshot, and click on OK:


18. To add a Task Definition into a Role Definition, click on Role Definitions and select the role you want to change.

19. In the Role Definition properties, click on the Definition tab.

20. Under the Definition tab, click on Add.

21. In the Add Definition window, select the Tasks tab, select the tasks you want to link to the Role Definition, and click on OK.

22. To assign a role, right-click on Role Assignments and select New Role Assignment.

23. In the Add Role window, select the Role Definition you want to add, and click on OK.

24. To assign a user or a group to a role, right-click on the group you want, select Assign Users and Groups, and click on From Windows and Active Directory…, as shown in the following screenshot:


25. In the Select Users or Groups window, enter the object names and click on OK.

After that, you can log in to Hyper-V as a user who is a member of a group that was assigned to a role, to check the permissions that have been added.

IMPORTANT: In Windows Server 2008, 2008 R2 and 2008 R2 SP1, there is no local group to administer Hyper-V. Normally, to be able to manage Hyper-V, users are added into the local administrator group.

Summary

Since Windows Server 2012, during Hyper-V installation, a new group is created, named Hyper-V Administrators. When a user is added to this group, they can do anything regarding Hyper-V, but they don’t have any other rights on the local server.

Even with the local Hyper-V group, sometimes different access levels are required. For those scenarios, you have to use Authorization Manager (AzMan). AzMan is a framework that is used to manage the authorization policy that allows applications to perform access control. Hyper-V uses AzMan to grant access based on roles and tasks. Hyper-V authorization policies are stored in a file named InitialStore.xml, located at C:\ProgramData\Microsoft\Windows\Hyper-V. Once loaded through AzMan, you can create and delete the access policies or apply them to groups and users.

The first things to be created on AzMan are Role Definitions. These are roles that are used to receive access policies named Operations. Hyper-V has 34 operations used to grant permissions, such as to create virtual machines, allow virtual machine snapshots, and stop virtual machines. Applying these policies to many groups can be a tough job, that’s why AzMan uses Task Definitions.

Tasks Definitions can group operations in common, so that you can apply them to more than one Role Definition, making the modifications easier to make.

Using the operations and tasks, you can grant only the necessary access for users to access Hyper-V with more security and control.
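As an added example (not from the original post), the script below reads an AzMan XML store and reports, for each role assignment, which principals hold it and which operations it resolves to, following TaskLink elements through tasks (and through role definitions, which AzMan stores as tasks). It assumes the element names AzRole, AzTask, AzOperation, OperationLink, TaskLink and Member (holding a SID) match your InitialStore.xml; the store embedded below is constructed for the example so it runs offline.

```powershell
# Added example (not from the original post): report which principals hold which role in
# a Hyper-V AzMan store and which operations each role grants, directly or through tasks.
# Assumptions: the element names (AzRole, AzTask, AzOperation, OperationLink, TaskLink,
# Member with a SID) follow the AzMan XML store layout; check them against your own
# InitialStore.xml. The store below is constructed for the example and runs offline.

$storePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'   # path from the post
[xml]$sampleStore = @'
<AzAdminManager MajorVersion="1" MinorVersion="0">
 <AzApplication Guid="app" Name="Hyper-V services">
  <AzOperation Guid="op-start" Name="Start Virtual Machine"/>
  <AzOperation Guid="op-stop" Name="Stop Virtual Machine"/>
  <AzOperation Guid="op-create" Name="Create Virtual Machine"/>
  <AzTask Guid="task-ops" Name="VM Operator"><OperationLink>op-start</OperationLink><OperationLink>op-stop</OperationLink></AzTask>
  <AzRole Guid="role-adm" Name="Administrator"><OperationLink>op-create</OperationLink><TaskLink>task-ops</TaskLink><Member>S-1-5-32-544</Member></AzRole>
  <AzRole Guid="role-hd" Name="Help Desk"><TaskLink>task-ops</TaskLink><Member>S-1-5-32-545</Member></AzRole>
 </AzApplication>
</AzAdminManager>
'@

function Get-AzManRoleReport([xml]$Store) {
    $ops   = @{}; foreach ($o in $Store.SelectNodes('//AzOperation')) { $ops[$o.Guid] = $o.Name }
    $tasks = @{}; foreach ($t in $Store.SelectNodes('//AzTask'))      { $tasks[$t.Guid] = $t }

    # Expand a task to operation GUIDs; tasks may link other tasks, so recurse with a cycle guard
    $expand = $null
    $expand = {
        param($Guid, $Seen)
        if ($Seen -contains $Guid -or -not $tasks[$Guid]) { return @() }
        $t = $tasks[$Guid]
        $list = @($t.SelectNodes('OperationLink') | ForEach-Object { $_.InnerText })
        foreach ($sub in $t.SelectNodes('TaskLink')) { $list += & $expand $sub.InnerText ($Seen + $Guid) }
        $list
    }

    foreach ($r in $Store.SelectNodes('//AzRole')) {
        $opGuids = @($r.SelectNodes('OperationLink') | ForEach-Object { $_.InnerText })
        foreach ($tl in $r.SelectNodes('TaskLink')) { $opGuids += & $expand $tl.InnerText @() }
        $sids  = @($r.SelectNodes('Member') | ForEach-Object { $_.InnerText })
        $names = foreach ($sid in $sids) {
            try { (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }   # unresolvable SID (deleted account, foreign domain): keep the raw SID
        }
        [PSCustomObject]@{
            Role       = $r.Name
            MemberSids = $sids
            Members    = @($names)
            Operations = @($opGuids | Sort-Object -Unique | ForEach-Object { $ops[$_] })
        }
    }
}

$report = Get-AzManRoleReport $sampleStore
# For a real host: $report = Get-AzManRoleReport ([xml](Get-Content $storePath -Raw))
$report | Format-List

# Least-privilege check: broad built-in principals should not hold Hyper-V roles
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
foreach ($entry in $report) {
    foreach ($sid in $entry.MemberSids) {
        if ($broad.ContainsKey($sid)) { Write-Warning "Role '$($entry.Role)' is assigned to $($broad[$sid]); review against least privilege" }
    }
}
```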