Nutanix NOS 4.1.4 Features

If you are Nutanix customer, you know that we release new version of our NOS platform on a very frequent basis. Release timing varies, but every 2-3 months you will see releases pop up. Some are major with a boatload of new features, and some are more bug fixes with a few minor features. I’m proud to announce that NOS 4.1.4 is now shipping! This is a minor update, but does have the following features: In NOS 4.1.x metro availability is synchronous replication between two sites, with no more 5ms latency between sites. NOS 4.1.4 brings some enhancements to metro availability:

  • Ability to take snapshots of a metro protection domain
  • Snapshot creation is driven from primary and performed on both primary and secondary
  • Only protection domain metadata replication is performed to complete the snapshot (minimal data transfer)
  • Interoperability with conventional async tertiary site.
  • User can create a schedule to replicate to async site from GUI
  • Metro configuration is a starting point for 3-site DR, with tertiary replication as an add-on

2015-07-20_13-11-34 Over the last year Nutanix has released a number of new models, to satisfy certain requirements such as compute heavy, cold storage IOPS heavy, all SSD (AFA), etc. We don’t stand still, and constantly listen to customers. So with NOS 4.1.4 will debut support for the Nutanix NX-1065s.

  • Replacement/Upgrade from NX-1020
  • Single CPU Socket (E-2630v2 or E5-2680v2)
  • Ivy Bridge CPU
  • 3.5″ 2TB, 4TB, 6TB drives
  • SSDs can be 480GB, 800GB or 1.2TB
  • Supports self-encrypting drive
  • Up to 256GB DDR3 RAM
  • 2x 10Gb NICs (or 2x 1Gbps)
  • SATADOM upgraded to 6Gbps

2015-07-20_13-58-59-aThere is also an enhance to our Acropolis hypervisor.  When an Acropolis host enters maintenance mode, VMs are moved to a temporary host. After the host exits maintenance mode, the VMs are automatically returned to the original host, eliminating the need to manually move them. Restore VM Locality also occurs when a failed node is restored on a cluster that was configured with Best Effort High Availability (HA).

This version also includes a number of security updates, to address several CVEs, such as TLS issues, DoS, and memory corruption.

NOS 4.1.3 and later support the NX-6035c platform mixed with other blocks in a cluster running the Acropolis, Hyper-V, and ESXi hypervisors.

Nutanix Engineering has significantly improved the performance of the disk firmware upgrade process, so you might observe better results when upgrading

And there you have it! Enhanced Metro availability, a new low-end block, enhancements to Acropolis and other new features. You can download 4.1.4 directly from the support portal. Not to far around the corner is a MAJOR NOS upgrade, with a list as long as my arm of new features. I won’t spill the beans, but stay tuned for some really cool enhancements. Also expect another minor release in August, with yet more features. And for those of you wanting full ‘legacy’ Microsoft clusters on Nutanix, stay tuned for good news on that front.

Injecting KVM VirtIO Drivers into Windows

When dealing with hypervisors it is not uncommon to be required to supply specific drivers in order to recognize the virtual hardware, such as NICs and SCSI controllers. A while back I wrote blog articles on how to inject VMware drivers (PVSCSI and VMXNET3) into a Windows Server 2008 R2, Windows 7 image and Windows Server 2012. You can check out those articles here and here. But if you use the Nutanix Acropolis hypervisor (based on KVM), you will need a different set of drivers.

This article will show you how to inject the VirtIO drivers into your Windows Server 2012 R2 ISO, so that it will recognize the virtual KVM hardware. Do keep in mind that in the future Nutanix will be redistributing the Fedora VirtIO drivers, after we get them WHQL signed by Microsoft. So while this article uses unsigned Fedora drivers, in the future you can use fully signed and supported drivers. Stay tuned for that release!

The process below injects the required drivers into the Windows Server 2012 R2 installation boot files, and the actual Window Server operating system, for a fully KVM aware image. The drivers include Balloon, NetKVM, serial, rng, SCSI, and stor.

1. Download the Windows 8 ADK (Assessment and Deployment Kit) from here. Never mind that it says Windows 8, as it will work with Windows Server 2012 R2.

2. Start the installation process and after a long download select the two options below (Deployment Tools and Windows Preinstallation Environment (Windows PE)). WinPE is optional, but in case you need it in the future, I’d install it anyway. If you are in a hurry and won’t ever use WinPE, just select Deployment tools.

3. Mount the Windows Server 2012 R2 ISO. Navigate to the Sources directory and copy boot.wim and install.wim to your computer, say on the C: drive under C:\WIM.

4. Download the Fedora VirtIO Drivers from here, or when they are released, the Microsoft-signed Nutanix Acropolis driver bundle. Fedora packages the drivers as an ISO, so mount that ISO to your VM. I’m using the Z drive for my CD-ROM.

5. Create a folder on the C: drive called Mount. This will be the WIM mounting target.

6. Depending on your Windows Server 2012 R2 ISO image, it may have varying amounts of images included in the WIM. The VL ISO I have contains four indexes, or images. You can list the indexes with the following command:

dism /get-wiminfo /wimfile:C:\WIM\install.wim

2015-07-17_13-22-44Decide which index you want to inject the drivers in. Open the provided batch file found here and modify the IDX variable as needed. You could run the script multiple times and do all indexed images, if you wish.

7. Run the batch file and wait for it to complete. It should take a few minutes, depending on the speed of your disks. Make sure you monitor the output for any errors, in case you messed up the paths to the files.


8. Now you can re-build the Windows ISO with the updated WIM files, and you are set. Just create a VM shell on Nutanix Acropolis, then mount the updated ISO, and it will be all set for a smooth installation. If you don’t have an ISO building tool, I recommend UltraISO. It’s not free, but I’ve exceptionally good luck with it for many years.

Download the batch file here.

vSphere 6 Hardening Guide GA

During much of my career, I’ve been in the Government space and had to implement DISA STIGs for a variety of products including hypervisors. If you are a VMware customer and plan on using vSphere 6.0, you will be pleased to know that the vSphere 6.0 hardening guide is now GA. Some big changes were made in this version versus previous versions, so it should be more usable. You can find the full VMware blog post here.

I never saw this before, but VMware has a great landing page for security guides. From this page you can download a variety of guides and spreadsheets, very easily. That landing page is here.

What I’d really like to see from VMware is the majority of the security settings baked into the hypervisor with automated reporting. It can take weeks or months of STIG testing to get all of the settings right, run reports, etc. I hope that VMware will make hardening the hypervisor even easier, and take away much of the pain.

VMTurbo in the Cloud is here

The SaaS market is becoming very popular, and software that was once only on-prem is now migrating to the cloud. I’m excited to announce that with VMTurbo 5.2, it is now offered as SaaS deployment through AWS. This means you can now control your on-prem environment with VMTurbo in the cloud. That sounds like a great combination to me. VMTurbo claims deployment is less than 3 minutes in AWS.

And better then deploying it in 3 minutes, is that for a limited time it is completely free. AWS will still charge you for running the VM, but the VMTurbo license is free. You can check out their full blog post about it here.

I also have it on good authority that an Azure SaaS option is in the works, but not quite ready for GA. So if you are an Azure customer and love VMTurbo, just hold on a bit longer and you will also have a solid deployment option.

On a side note, VMTurbo is also a strong partner with Nutanix. And in fact, a version of VMTurbo that has deep Nutanix support is in early adopter (EA) phase. GA of the Nutanix-aware version is due out in August 2015. So if you are a Nutanix customer and use AWS, shortly you can control your Nutanix clusters from the cloud! Read all about it here.


New Veeam v8 Nutanix Guides Available

Last year I blogged about the creation of Veeam v7 best practice guides for Nutanix plus VMware and Hyper-V. Those guides have been very popular, and helped a number of our customers and SEs. One of the number one compliments of Veeam that I hear from the field is now simple it is to install and configure, just like Nutanix. No professional services are needed, or days long installs. Click through the install wizard, and you are practically ready to do backups. Competing products can be vastly much more complicated to install and configure.

I’m proud to announce that both guides (VMware and Hyper-V) have been refreshed for some of the new features in Veeam v8. Veeam v8 was a major release, with hundreds of new features and enhancements. Luca Dell’Oca from Veeam spearheaded the updates, which are now available for immediate download.

Veeam and Nutanix Best Practice Guide for VMware

Veeam and Nutanix Best Practices Guide for Hyper-V

So if you are a Nutanix customer and either currently use Veeam, or are looking at Veeam, please downloads the guides and review the contents. I’d also like to take a minute to address one point of discussion brought up in the guides. The VMware guide recommends the use of ‘network mode’ backups versus hot-add. There’s a common misperception that network mode is somehow dog slow, and only hot-add should be used. When using 10G NICs, backup speeds with network mode should not be a problem. In fact, hot-add mode can take 2-3 minutes per VM just to perform the hot-add operation and multiply that by hundreds of VMs and that’s hours of waiting. For quick incremental backups, that can dramatically slow down the job progress.

Thus after in house testing and collaboration with Veeam, we are recommending network mode backups. If you are having backup performance issues even after following the guides, I encourage you to open a support ticket with either Nutanix or Veeam, and our support professionals can get to the bottom of your particular issue. Backups are complicated and everyone’s infrastructure is different, so minor tweaks may be needed to optimize backup throughput. Also, keep up to date with the latest Veeam updates, as newer updates are faster and more stable. The same applies to keeping up with Nutanix NOS updates, as we’ve seen significant performance increases with many of our releases. The beauty of software defined storage!

vSphere Install Pt. 16: User Solution Certificates

Now that we have vCenter installed, it’s time to update our User Solution certificates for the vCenter services. This is a fairly straight forward process, using the combination of the VMware Certificate Manager tool and my vCenter 6.0 Toolkit. The VMware Certificate manager tool will automatically create the private keys and CSRs for each user solution certificate. My toolkit will then take the CSRs and submit them to your enterprise CA and also create the chained PEM files the VMware toolkit needs to install the certificates. Then we flip back to the VMware tool to let it actually install the certificates. I decided against duplicating functionality between my Toolkit and the VMware tool, so there’s  little flipping back and forth.

If you are using the VMCA, then that’s even easier, as we can fully rely on the VMware tool to update the required certificates. I’ll go over all of the scenarios here.

Also take note that you need at least version 0.85 of my vCenter toolkit for this article to work properly. So download it, or a newer version, from the permalink below.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install
vSphere 6.0 Install Pt. 15: VCSA vCenter Install
vSphere 6.0 Install Pt. 16: User Solution Certificates

Permalink to this series:
Permalink to my Toolkit script:

User Solution Certificates with VMCA

1. Open a command prompt and run the ‘certificate-manager’ tool from C:\Program Files\VMware\vCenter Server\vmcad. If you are using the VCSA, open a bash shell and go to the /usr/lib/vmware-vmca/bin directory.

2. Select Option 6, Replace Solution user certificates with VMCA certificates.


3. Enter your SSO password.

4. Enter the IP address of your external PSC. Confirm you want to replace the certificates using the VMCA. Wait a couple of minutes for the procedure to complete.


User Solution Certificates with Custom Certificates

1. Open a command prompt and run the ‘certificate-manager’ tool from C:\Program Files\VMware\vCenter Server\vmcad. If you are using the VCSA, open a bash shell and go to the /usr/lib/vmware-vmca/bin directory.

2. From the main menu select Option 5. Enter your SSO password and PSC IP address.

3. Select Option 1 from the sub menu, to generate CSRs and keys. Enter a directory path of C:\Certs. If you are using the VCSA, enter an appropriate local directory.


4. If you look in the C:\Certs directory you will see a bunch of files created. If you are using the VCSA, copy all of the created files down into C:\Certs.


5. Open a new PowerShell window and launch my vCenter 6.0 Toolkit. Select Option 5 from the main menu, “User Solution Certificate Menu”.

6. If you are using an Online Microsoft CA then select Option 1, Mint User Solution certificates with an online Microsoft CA. Wait a few seconds, and all of the CSRs will be submitted to your online CA and the certificates downloaded. If your CA requires certificate approval, go to your CA approve the certificates, then select Option 2 to resume the download.

7. If you look at the C:\Certs directory you will now see several subdirectories, one for each corresponding CSR. Skip to Step 10 if you are an online Microsoft CA user. 2015-04-25_13-05-578. If you need to manually submit all of the CSRs to your CA (offline Microsoft CA, or third-party CA), then save each minted certificate as a base-64 encoded non-chained file with the following names in the C:\Certs directory:


9. From my User Solution Certificate menu select option 3, which will create your PEM files and move your certificate files into their own directory. Only use this option if you manually downloaded your CRT files from your CA.

10. If you are using the VCSA, copy the new folders in C:\Certs up to the appliance. Also, upload the chain.cer file as well.

10. Back in the VMware Certificate Manager tool select Option 2, Import Custom certificates… Input all of the requested file names, using the “.cer” and “.key” filenames for the corresponding option. Note: Due to a bug, if you try and use the “chain.cer” file for the signing certificate, the operation may fail at 0% and rollback. So until they fix the bug, use the “root64.cer” file for the last response. 2015-05-02_17-22-32

11. Type Y to continue with the replacement. Wait until the process is completed.


Replacing the user solution certificates is not a difficult process, if you combine my Toolkit script with the VMware certificate manager. Even with the multiple CA VMware bug, there’s an easy workaround .

VMworld Ticket Sweepstakes

Just like last year, VMTurbo is giving away a select number of free tickets to VMworld. They cover the conference fee, you cover travel and hotel. A great deal for those where your company won’t send you, or you are an independent consultant. There are three drawings, one each on May 29, June 19, and July 10th. Entry is free, so try to secure yourself a ticket today! Use this link for entry.

Channel 9 Ignite 2015 Session Downloader

As you know if you’ve been following my blog this week, Ignite 2015 took place in Chicago with hundreds of great sessions. In fact, this year all but one or two sessions were spot on. You can easily download all of the great Channel 9 recordings using the PowerShell script you can download here. The conference just ended today, so it might take a few days before Channel 9 gets all of the recordings up. Happy downloading!

Ignite 2015: Encryption, Certificates and PKI

Session: BRK3130

Note: This was a great beginner level session for those not familiar with encryption, certificates or PKI. If you are in that boat, I would urge you to find the session video and watch the whole presentation. If you are a security professional and already know about these topics, then the content is probably too basic. I didn’t capture all the content below, but just took down some highlights what was covered.

Why am I here? Thanks to the NSA. Thanks to Edward Snowden. SharePoint, Lync, Exchange all  need to be secure.

Shows screens of RDP SSL warnings, and browser SSL warnings.

Are you still using passwords? Phishing and fraud, password fatigue, pass the hash attacks

IoT (Internet of things) is adding new concerns of authentication (connected cars, medical, industrial sensors)

Non-repudiation – Ability to bind a human to a digital document

Privacy – Hot topic over the last 2 years due to NSA and Snowden. Challenges are not new.

Encryption – Encryption at rest, in transit, challenges: weak algorithms

Encryption at rest – Bitlocker, EFS, SQL TDE

Encryption in transit – SSL/TLS, IPsec, Office 365 message encryption

Azure RMS – AD RMS for On-Premises. Protect documents from Birth to end of life. Protection regardless of location.

Speaker goes over symmetrical, asymmetrical encryption, hardware security modules (HSM) technologies such as AES and shows how they work.

What is hashing? Uniquely identify a stream of data. It’s a one way function.IMAG0425

Use the tool IIS Crypto to disable/enable and change the order that ciphers are use. FREE.

Good ideas: Remove RC4, reorder suites, Update to 2012 R2, research ECC vs. RSA

Talks about Certificate Authorities, certificates, and their basic properties. Also discusses path of trust, and where to find certificates in Windows.

CA Lifetime planning: End certs – 2 years, intermediate CA – 4 years, root CA – 8 years. Renew certificates when 50% of their life has expired.

S/MIME – For Email encryption and digital signatures

Ignite 2015: Windows Hello

Session: BRK2324

  • Shared secrets are easily breached
  • Passwords are easily replayed and phished
  • See previous “Microsoft Passport” session I blogged about for more info
  • Security without convenience is dead in the water
  • Keys are ideally generated in hardware TPM, software as last resort
  • Single unlock gesture provides access to multiple credentials
  • Browser support via JS/Webcrypto APIs to create and use Passport users

Windows Hello

  • Supports biometric authentication
  • Convenient device logon and strong user authentication
  • Enterprise level security and access to high impact data and resources via Microsoft passport
  • Consistent inbox user enrollment

Biometric Steps

  • Enrollment Steps – Face, iris, and fingerprint share the same design
  • Usage – Authentication
  • Recovery – User can delete enrollment data. Stored strictly on local device.

Enrollment – Find a face, discover landmarks, detect head orientation, build & secure vector based template

Recovery – After 5 failures it falls back to PIN or another auth method. After 32 failures the TPM is locked.

There’s an option to improve face recognition where it will take additional data points

It can also use fingerprints and will use between 21 and 40 points, all stored locally on the device

Only supports a single face mapped to a single account. No multiple faces for a single account.

Authentication vs. Identification

  • Not every biometic modality is created equal
  • False acceptance rate
  • False rejection rate
  • Liveness and anti-spoofing – Can detect dead fingers and high res photos
  • Windows hello demonstrates false rejection rate of 1/100000
  • Windows Hello False rejection rate is 2-4%
  • Windows Hello requires liveness detection and anti-spoofing
  • Microsoft has captured 13K faces for a representative sample

Microsoft Hello Camera can work without visible light. It operates on IR. Speaker demod showing a picture and phone to the camera and it did not work.

Microsoft goal is to make biometics non-susceptible to spoofing, offline attacks, etc.



© 2015 - Sitemap