Adding workgroup HYPER-V host to SCVMM console

I have been actively engaged with a customer on a HYPER-V project. One of the key requirements is to test the features in SCVMM. So the first task was to install SCVMM. Piece of cake; it went smoothly inside a HYPER-V guest OS. Next came adding the physical host to the SCVMM console. Well, it is supposed to be a few easy clicks to finish the job, right? Well, no, it isn't if your HYPER-V host is in a workgroup environment. In my scenario the customer had several HYPER-V guest PCs in a domain environment, but the physical PC itself was in a workgroup environment.

I finally found that a workgroup-mode HYPER-V host can be added to the SCVMM console by selecting perimeter network mode. Under this mode you'll need to create a secret shared key between the host and the SCVMM console. This might be a typical scenario if a customer wants to host several HYPER-V guests in a DMZ zone (e.g. web servers, DNS servers, etc.).

The step by step guide article is located here

SCVMM 2012 setup

Greetings to everyone for the New Year. This is a great year for the Microsoft System Center product family. From the virtualization point of view this will be a significant year for VM management. I do believe a lot of customers will move ahead and adopt the hybrid hypervisor solution.

SCVMM 2012 has a big role to play this year. During my lab setup I captured, at a very high level, how you can set up SCVMM 2012. Click the VMM 2012 logo to access the video.

Apart from that, I found the URLs mentioned below really valuable on the journey of learning SCVMM 2012.

SCVMM Blog: http://blogs.technet.com/b/scvmm/

SCVMM 2012 on TechNet: http://technet.microsoft.com/en-us/library/gg610610.aspx

SCVMM 2012 error codes: http://social.technet.microsoft.com/wiki/contents/articles/4906.aspx

Note: The video cast on adding an existing HYPER-V host to SCVMM 2012 can be viewed here.

How to solve Error 10436 in SCVMM

I was testing SCVMM with a few host machines located in a domain environment and also in a workgroup environment. After applying the latest updates to SCVMM, I found the host computers in the workgroup environment giving an error saying SCVMM was unable to update the SCVMM agent installed on those servers. The exact error is as follows:

“Error (10436) Virtual Machine Manager does not support updating an agent on a host that is in a non-trusted domain or on a perimeter network

Recommended Action
If the host is in a non-trusted domain, remove Xxxxhost01 from VMM in Hosts view of the VMM Administrator Console. Then use the Add Hosts Wizard to add the host and automatically install a new agent.
If the host is on a perimeter network, after you remove the host from VMM, you must manually uninstall the VMM agent from the host computer, install a new agent locally on the host, and then add the host to VMM.”

Following the recommended action, removing the remote agent from the host computer and removing the host from the SCVMM console didn't work.

I found that the main problem is that the latest version of the SCVMM agent does not exist on the CD but on the SCVMM machine itself. I located the path to the remote agent in the SCVMM console.

I took a copy of the amd64 folder to the host computer in the perimeter network and applied the agent. During this update process I didn't remove the host computer from SCVMM, and found that it worked without any problems. I didn't have to reapply the security file either.

ERR9999 appears when you try to open the SSP 2.0 site

If you've set up SSP 2.0 for the first time and try to open the web site, you might come across the above-mentioned error message on the web site. This is something I came across during my testing of the SSP 2.0 setup.

Initially my concern was the SQL setup: I had used SQL 2008 on a Windows 2008 R2 Ent SP1 machine, which is not supported! At the least I needed to install SP2 for SQL. Nevertheless, after applying SQL SP2 I found out that was not the case.

According to the SSP documentation you’ll have to create service accounts as follows,

Account Name: Service Account

Requested during: VMMSSP server component setup

Used for: Running the Windows Service implementation of the VMMSSP server component, the Virtual Machine Manager Self-Service Portal 2.0 service, and underlying services and processes. The server component also uses this account for external communication, such as:

· Communicating with the VMM server and performing tasks that require interacting with the VMM server.

· Communicating with the VMMSSP database.

Prerequisites: Make sure this is an Active Directory domain account. Before you install the VMMSSP server component, make sure this account has administrative permissions on the VMM Administrator Console. You must also make sure that this account is granted Local Administrator permissions on the computer where you plan to install the server component.

High Security: Use a low-privilege domain account.

Account Name: Application Pool Identity

Requested during: VMMSSP website component setup

Used for: Running the application pool used for the VMMSSP website component. The VMMSSP website component also uses this account for external communication, such as:

· Communicating with the VMMSSP server and database components.

· Running tasks that require interacting with the other self-service portal components.

Prerequisites: This account can be a domain account.

High Security: Use a low-privilege domain account.

Taken from official documentation on SSP 2.0

For both the service account and the application pool identity I used the same account. It seems the Application Pool Identity did not accept the service account I created with the least privilege given to it. Even after adding the service account to the local Administrators group of the SSP setup server, the problem still existed. A bit of web searching and the TechNet forums showed that the issue was related to the Application Pool Identity not having enough permissions with the service account. To narrow down the issue, I assigned the Domain Administrator account to the VMMSSP application pool.

After that I recycled the application pool and tried to access the SSP site and, what do you know, it solved the problem!

But the actual question remains: why didn't it work with least privilege? That needs further investigation.
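
To make sure the Domain Administrator assignment used above for troubleshooting does not stay in place, the following added example (not part of the original post) lists each IIS application pool's identity and flags pools that run as LocalSystem or as a member of a privileged domain group. It assumes the WebAdministration and ActiveDirectory modules are available; the group list is an assumption to adjust.

```powershell
# Added example: list IIS application pools and flag privileged identities.
# Run elevated on the IIS server that hosts the portal website.
Import-Module WebAdministration
Import-Module ActiveDirectory    # assumption: the RSAT AD module is installed

# Assumption: domain groups considered too privileged for an app pool identity.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Map every (nested) member's SamAccountName to the group that grants the privilege.
$privileged = @{}
foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privileged[$_.SamAccountName.ToLower()] = $group }
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $identityType = [string]$pool.processModel.identityType
    $userName     = [string]$pool.processModel.userName
    $finding      = 'OK'

    if ($identityType -eq 'LocalSystem') {
        $finding = 'Runs as LocalSystem'
    }
    elseif ($identityType -eq 'SpecificUser' -and $userName) {
        # Accept DOMAIN\user and user@domain forms; compare on the account name only.
        $sam = (($userName -split '\\')[-1] -split '@')[0].ToLower()
        if ($privileged.ContainsKey($sam)) {
            $finding = "Member of $($privileged[$sam])"
        }
    }

    New-Object PSObject -Property @{
        AppPool  = $pool.Name
        Identity = $(if ($userName) { $userName } else { $identityType })
        Finding  = $finding
    }
}

# Flagged pools sort to the top; anything other than 'OK' deserves a second look.
$report | Sort-Object Finding -Descending |
    Format-Table AppPool, Identity, Finding -AutoSize
```

The check covers domain group membership only; membership of the server's local Administrators group has to be reviewed separately.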

User role customization in scvmm self service portal

One of my colleagues brought me a question which was interesting to consider and look up a solution for. His requirement was to assign virtual PCs to selected users and only allow them to see the virtual PCs assigned to them. Of course this seems to be an easy task under SCVMM, but in the practical world things didn't go as smoothly as I had tried to explain to him 🙂

Below are the steps we carried out first:

1. Assign a user account certain rights under SCVMM – For this I took one domain user account and then assigned that user the relevant permissions.

Select the actions the user can carry out on the VPC. In this scenario I kept all the actions that are possible under the SCVMM console for him.

2. In order to make this VPC visible in his Self-Service Portal, I had to give ownership of this VPC to the relevant user.

Once that part is completed, our selected user can see the relevant VPC under his SCVMM.

All was fine until we ran into the next issue. What if this user is absent and we need to do some maintenance or look over this VPC for troubleshooting purposes? VPC ownership can be given to only one user at a time, so another user won't see this VPC under his Self-Service Portal. Finally we managed to solve the problem by assigning the ownership of the VPCs to a group instead of user accounts. Funnily, this reminded me of the fundamentals of Windows ACLs (accounts into groups, and then grant permissions to the groups).

We managed to apply the same theory here, as follows.

First create the relevant service-level groups in the Active Directory database, and then add the relevant users.

Move to the SCVMM server and, under the Administration section, add the group and give it the same permissions as were given above to a single user.

Next, under the Virtual Machines section, select each VPC and select the group we created as the owner.

Once that is completed, when we log in using one of the user accounts in that group we'll be able to see the virtual PCs assigned to that particular group.

In a scenario where the relevant users are not available, the Administrator still has the privilege of logging in and making the necessary modifications to the VPCs. Even so, it would be ideal if we had the option of assigning permissions for each VPC and still allowing other users to access the same VPC through the User Portal.

System Center Virtual Machine Manager 2012 beta

Microsoft has released the public beta of the next wave of System Center Virtual Machine Manager (SCVMM). This time the VMM management console has significant changes compared to VMM 2008 R2. More weight has been given to Private and Public Cloud management, apart from the in-house VM management capability.

Some of the new changes, or rather I'd say add-ons, in VMM 2012 are:

· Support for the Xen hypervisor apart from VMware

· Identify bare metal machines in the network and push OS to those machines.

· Use the VMM console to create a Hyper-V cluster from two or more stand-alone Hyper-V hosts that are managed by VMM 2012

· Create a private cloud by combining hosts and networking, storage, and library resources together

· Create a Read-Only Administrator user role

The complete list of new changes can be found over here. What is interesting is how VMM has been designed to combine with Cloud adoption and management capabilities. If you're coming from VMM 2008 R2, you still have plenty to catch up on.

The next few weeks will be spent on presenting the new capabilities of SCVMM in short videos. The first attempt, a video on how to install SCVMM, can be accessed from here.