Adding a GUI Back to Windows Server Core

The other day I had the occasion where I wanted to add back the Windows Server 2012 R2 GUI to a server core installation. This was a test environment, and for what I was testing I felt the GUI provided a more streamlined experience. Server core certainly has its places, and is great as a hypervisor, appliance, or in high security environments. Installing the GUI, while not difficult, it look quite a bit of Googling and trial and error to find a command that actually worked.

1. RDP into your Core install or use your server’s IPMI/VM console feature, and a command prompt should open. Type powershell.

2. From your original install ISO, copy the \sources\install.wim to your core server.

3. Type the following command and wait several minutes for the install to complete. Include the full path to where you copied your install.wim file.

install-windowsfeature -name server-gui-shell -includemanagementtools -source:wim:c:\install.wim:2



4. After the installation is complete, reboot the server. The reboot process will be quite slow, as it will be configuring the new features for several minutes. Be patient.


Windows Server 2012 R2 Two-Tier PKI CA Pt. 3

1-10-2014 6-57-56 AMNow that we have our Windows Server 2012 R2 certificate authority configured in Part 1, and our subordinate setup in Part 2, now we should setup autoenrollment and secure the subordinate’s web certificate services with SSL. Autoenrollment is where domain joined Windows computers are automatically issued a computer certificate. Services such as IIS and Microsoft SCCM can take advantage of these certificates. Finally, I’ll show you how to configure certificate delegation so authorized administrators in your organization can submit certificate requests for certain templates. This is a short series, at just three installments. But this should point you in the right direction for thinking about how to deploy your two-tier Certificate Authority on Windows Server 2012 r2.

Autoenrollment Configuration

1. Open your domain level GPO (Default Domain Policy in my case) and navigate to Public Key Policies as shown in the figure below. Double click on the highlighted policy.

1-4-2014 8-51-24 PM

2. Enable the policy and check the two options below.

1-4-2014 8-51-07 PM3. On your subordinate CA, open the CA snap-in and manage the Certificate Templates as shown below.

1-4-2014 8-54-37 PM4. Scroll down and locate Workstation Authentication. Right click and Duplicate the template.

5. Click on the General tab and enter a template name (any name). I’ll use Client-Server Authentication. I also changed the validity period to 2 years.

1-4-2014 8-58-07 PM

6. Click on the Extensions tab. Highlight Application Policies and click Edit. Add Server Authentication.

1-4-2014 9-00-46 PM

7. Click on the Security tab and modify the Domain Computers group to enable Autoenroll. Close out the template and template window.

1-4-2014 9-01-46 PM

8. Back in the issuing CA console right click on Certificate Templates, select New, then Certificate Template to Issue. Select the template name you just created. Wait a few minutes for the settings to simmer a bit. If you want you could also publish the Domain Controller template. This will enable the DCs to offer LDAPS services. If the template you just created is not listed, you can simply wait a bit or restart the CA services and that should kick it in the pants.

windows server 2012 r2 certificate authority

Autoenrollment Validation

1. Open an elevated command prompt or Powershell and type gpupdate /force. Wait a couple of minutes, as certificate enrollment is not always instant.

2. Open a blank MMC console and add the Certificates snap-in. Manage the Computer account.

1-4-2014 9-14-11 PM

3. On your subordinate CA you should now see two certificates. In my case the top certificate was the one issued by the autoenrollment policy.

1-4-2014 9-16-20 PM

4. You can verify the certificate was issued from the proper template by opening the properties then on the Details tab look for the Certificate Template Information property. It will clearly state the template name used to create the certificate.

1-4-2014 9-17-29 PM

5. As the GPO refreshes on other computers in the domain, they should also be issued a certificate as well. Autoenrollment can run into snags, so I have seen cases where everything has been configured properly but for some reason a certificate is not issued.

Configure CA Web Services for SSL

1. After the autoenrollment certificate has been validated on the subordinate CA, open the IIS Manager on your subordinate CA.

2. In the left pane select Default Web Site. In the right pane select Bindings.

3. Click on https then click Edit.

4. Select the SSL certificate that was created from the client-server template. You can view the certificate in the GUI if you aren’t sure which one to pick.

1-4-2014 9-35-37 PM

5. Open IE and navigate to the FQDN of your subordinate CA and to the certsrv site (e.g. https://D002Misc01.contoso.local/certsrv). You will likely be prompted for credentials, then presented with the standard ADCS home page. You should not have any SSL errors or warnings.

1-4-2014 9-39-32 PM

Template Delegation

1. On your subordinate CA and open the Certificate Template manager as shown below.

1-10-2014 7-26-06 AM

2. Locate the certificate template which you want to delegate. In my case I have a VMware-SSL template that I want to delegate to the group we created earlier in this series. Open the properties for the certificate template and select the Security tab. Add the Role_Issue Certificates group (or whatever your group is called) and give it the Enroll permission.

1-10-2014 7-28-14 AM

3. Optionally you configure the CA to allow requests to be submitted, but require a CA administrator to approve the certificates before they can be issued. If you want to do this, open the Issuance Requirements tab and check to the CA certificate manager approval box. This would defeat the purpose of autoenrollment certificates, such as those for computers, so generally this would be for certificates that users are requesting.

1-10-2014 7-32-51 AM

What’s Next?

If you want to issue SSL certificates for your VMware infrastructure, then you can check out my post here for the template requirements. Although that article is for vSphere 5.5, the template will also work for vSphere 4.x and 5.x. Now you have a fully functional, for lab/home usage, offline root and online subordinate CA. As I stated in Part 1, this guide just shows you the general technical steps for a two-tier Certificate Authority. There’s a lot of processes and procedures that an organization needs to flesh out and document before deploying PKI in the environment. There could be legal or other consequences if you just throw this on a production network and then down the road experience security issues which can be traced back to a poorly implemented CA.

Windows Server 2012 R2 Two-Tier PKI CA Pt. 2

1-5-2014 2-43-05 PMNow that our root Windows Server 2012 R2 certificate authority is installed and published to Active Directory from Part 1, it is time to bring online our subordinate CA. The subordinate CA will be our online issuing CA, since it will be the CA which issues all certificates, be they for users, computers, ESXi hosts, etc. The VM will be joined to the domain, and be online 100% of the time.

As with the offline root, you should perform hardening of this VM as well. Enabling the Windows firewall (or a third party one), anti-virus software, Microsoft EMET, and following Microsoft security baseline settings are all strongly recommended. If you have security software that can monitor file changes or system integrity, that too would be a great idea. Auditing tools such as Splunk, for real time alerting, would be ideal for defense in depth.

Install Windows Server 2012 R2 Subordinate CA

1. Use Notepad and create a file called CAPolicy.inf in C:\Windows on your subordinate VM. Use the code snippet below, but change the URL to match that previously used in configuring your offline root.

Signature="$Windows NT$"
Notice="Legal Policy Statement"

4. Run the following PowerShell command. Change the CACommonName as needed. The command will completely instantly.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Add-WindowsFeature Adcs-web-enrollment
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "IssuingCA-D002MISC01" -KeyLength 2048 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

5. Copy the resulting request (see the yellow information text from the last command for the path and file name) to the offline CA.

6. On the offline CA type the following command, using your filename:

certreq -submit D002MISC01.contoso.local_IssuingCA-D002MISC01.req

7. You will now see that the request is pending. Take note of the RequestId, as it will be unique to you.

1-4-2014 7-47-29 PM

8. Open the CA Manager snap-in on your offline root and issue the pending certificate.

1-4-2014 7-48-25 PM9. While still on the offline CA, enter the following command to download the new certificate. Replace “2” with your request ID, and change the filename as you see fit.

certreq -retrieve 2 c:\D002MISC01.contoso.local_IssuingCA-D002MISC01.crt

10. Copy the certificate file to the online subordinate CA. Note: Do NOT place it in the pki directory. Run the commands below to install the new certificate. Once the certificate is installed, delete the file and empty the trashcan.

Certutil –installcert a:\ D002MISC01.contoso.local_IssuingCA-D002MISC01.crt
start-service certsvc
copy c:\Windows\system32\certsrv\certenroll\*.cr* d:\pki\

Configure Subordinate CDPs

1. Next up we need to configure the proper CRLs for our subordinate CA. Enter the following commands in an elevated Powershell on your subordinate CA.

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Add-CACRLDistributionPoint -Uri http://www.contoso.local/pki/%3%8%9.crl">http://www.contoso.local/pki/%3%8%9.crl -AddToCertificateCDP -Force
Add-CACRLDistributionPoint -Uri file://\\D002Misc01.contoso.local\pki\%3%8%9.crl" file://\\D002Misc01.contoso.local\pki\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Add-CAAuthorityInformationAccess -AddToCertificateAia http://www.contoso.local/pki/%1_%3%4.crt" http://www.contoso.local/pki/%1_%3%4.crt -Force
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
restart-service certsvc
certutil -crl

CA Delegation

1. Now that our online subordinate CA is up and running, for the most part, it is a good idea to delegate who has rights to manage the CA and issue certificates. I’m going to create two roles: One that can manage all aspects of the CA, and another that can just mint specific certificates. In AD create two groups: Role_CA Manager and Role_Issue Certificates. Or use whatever names you like.

2. On your subordinate CA, launch the CA MMC Snap-in. Right click on the CA name, open the properties, and select the Security tab, and add the Role_CA Manager group. Give it Manage CA permissions. If you want, you can remove rights from Domain Admins or Enterprise Admins, should you want to more tightly control CA access (which you should).

windows server 2012 r2 certificate authority


At this point in the configuration there are no published templates. So in the following post we will configure a couple of templates, and I’ll show you how to delegate permissions so that other administrators can mint their own certificates. In this installment we’ve done the bulk of the subordinate CA configuration. At this point the CA is now functional, although no templates have been configured. So coming up in the next installment is, among other things, the process to configure templates and computer autoenrollment. Check out Part 3 here.

Windows Server 2012 R2 Two-Tier PKI CA Pt. 1

windows server 2012 R2 certificate authorityWhile I have written a number of articles focused on SSL certificates and templates, I have not done a mini-series on how to actually install a Windows Certificate Authority. For this series I’m using Windows Server 2012 R2, but the steps are pretty much identical for Windows Server 2012. Microsoft blogs have several PKI configuration series, which directly guided the content of this series. But I always have my own spin, so I think its worthwhile to do yet anther blog post on configuring a MS CA…the “Mr. SSL” way.

Windows Server 2012 R2 Certificate Authority

The process is fairly simple: Build an offline root, create an online issuing CA, setup a couple of templates, setup auto-enrollment, then do a little post setup configuration. This requires two VMs, each running Windows Server 2012 R2 (or plain 2012 if you wish).

Building an enterprise CA is non-trivial, and should be highly process oriented. While this short series will provide the steps how to configure a two tiered hierarchy, it alone is not enterprise grade and ready for a fortune 500 company. Many operational procedures, access controls, etc. need to be defined by the organization. For example, who can issue certificates? Who can revoke them? Do users need PKI certificates or just computers? How about key recovery? Disaster recovery? Do you need a hardware security module (HSM)? Do you require FIPS compliance? What ciphers and hashing algorithms will you allow? Where do you store the offline CA?

As you can see, there are many questions and processes that need to be well documented for a solid PKI solution. However, for a lab environment where you want to test out a two-tiered model, then this short series is for you. Please don’t take this solution as-is and throw it into production. You will have a false sense of security and possibly do more harm than good.

The Microsoft CA issues industry standard certificates (x.509), and thus will work with third party hardware and software. For instance, they will work perfectly fine on the Linux vCenter appliance, or your hardware load balancers. You just need to use the proper certificate template, and verify compatible algorithms.

Offline Root CA Hardening

1. Provision a standalone Windows Server 2012 R2 server. I used vCenter 5.5 with customization specifications to create the VM. You can use the ‘standard’ edition of the OS since all SKUs in 2012 have the exact same feature set, unlike 2008 R2 and earlier. For security purposes I would not provision a NIC, or remove the NIC after you’ve built the CA to prevent future network attacks.

2. Configure a virtual floppy for the offline CA VM. This is a good way to transfer data between the offline CA and the subordinate, which is required during the configuration process. Yes you could connect a NIC, but then your offline CA is no longer offline and exposed to network attacks. Media needs to be read/write, so an ISO image will not suffice. You can use a tool like WinImage to create a floppy image.

3. Open the local security policy and modify the Audit Object Access to record Success and Failures. This is needed to audit certain CA actions, in conjunction with a CA flag we will set later on.

1-5-2014 1-18-44 PM

4. Depending on your VM template hardening, you may or may not need to modify the password policy. Again in the Local Security editor. Modify to meet your organization’s security requirements.

1-5-2014 1-23-08 PM

5. You should also rename the Administrator account, if that’s not already built into your templates. Make sure to record the new name, or you could be in a pickle. For good measure I’d rename the guest account, although it should be disabled.

1-5-2014 1-25-28 PM

6. Obviously you should change the administrator password and not use your template default. Be sure to record the password in a secure location.

7. You should also think about where you will store the offline CA VM once it is build and this project is complete. If you leave it sitting on a production ESXi host, then it would be fairly trivial to power on the VM and compromise it. I would not call storing your “offline” CA in a powered off state on a production ESXi host “offline”. I would look at exporting the VM to an OVF file, then storing that file on removable media in a very secure location. You could use a DVD, Blu-Ray, or USB stick.

Install Offline Root CA

1. After your VM is provisioned and hardened, make sure the computer name is configured. In my case the offline CA is name D002CA01. Reboot if you changed the name.

2. Use Notepad and create a file called CAPolicy.inf in C:\Windows. Use the code snippet below, but change the URL. This URL is where your Certification Practice Statement (CPS) is located. It will also be where the CRL (certificate revocation list) will be published. For a production deployment you’d want to create a CPS, but for this exercise we will skip it, however the URL will be configured for future usage. For additional details see this TechNet link. You probably want to use a different URL like CA.yourdomain or PKI.yourdomain since we will be publishing other data to this address such as the CRL. For simplicity I stuck with www.contoso.local. Make sure the filename does not have any extra extensions like .txt. Verify from the command line.

Signature="$Windows NT$"
Notice="Legal Policy Statement"

3. Run the following PowerShell command. Change the CACommonName as needed. The command will complete instantly. I would make it clear in the name that this is the Root CA. This name will be present in all issued certificates, so make it obvious what it is and not just some generic hostname that is not meaningful. Notice that we are using SHA256 here, since SHA1 is no longer considered secure. You could also use SHA512.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority –CAType StandaloneRootCA –CACommonName "ContosoRootCA" –KeyLength 2048 –HashAlgorithm SHA256 –CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

1-4-2014 2-05-36 PM

4. Run the following commands, using the appropriate URL for your organization. We aren’t using HTTPS here, because that requires SSL and certificate validation. This is just used to download the CPS and CRLs, so don’t get clever and use HTTPS here. We will configure SSL for the web enrollment module, though.

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Add-CACRLDistributionPoint -Uri http://www.contoso.local/pki/%3%8.crl -AddToCertificateCDP -Force
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 10
Certutil -setreg CA\ValidityPeriod "Years"
Certutil -setreg CA\AuditFilter 127
restart-service certsvc
certutil -crl

5. Verify that two and only two CRL distribution points are configured.

Get-CACRLDistributionPoint | format-list

1-4-2014 3-12-39 PM6. Navigate to C:\Windows\System32\CertSrv\CertEnroll. You should see two files, one ending in CRL and another ending in .CRT. These two files need to be copied to what will be the online subordinate CA.

1-4-2014 4-17-37 PM

Publish Root CA to the Forest

1. Provision a Windows Server 2012 R2 VM which will be your online CA. Join it to the domain. In my case the VM is named D002MISC01. Do not try and be clever and use a Domain Controller. The server will later need IIS installed and access to local accounts, which is not possible on a DC. So use a member server for your online CA, even in a home lab.

2. Login to what will be your online subordinate CA with an account that is a member of both Domain Admins and Enterprise Admins. Mount the media which has the two files copied from your offline CA. Open an elevated Powershell and enter the following commands, using the file names for your instance. This will publish the offline root CA information to AD, just as if it were an online CA. By doing this all domain joined clients will automatically trust your root CA. If you have standalone computers, then you can import the .crt file into their trusted certificate store.

certutil –dspublish –f D002CA01_ContosoRootCA.crt RootCA
certutil –addstore –f root D002CA01_ContosoRootCA.crt
certutil –addstore –f root ContosoRootCA.crl

1-4-2014 4-19-11 PM

CPS and CRL Distribution

1. Now you need create a DNS record for the host that will be publishing your online CA information. In this case it’s D002MISC01, and per my previous steps I stuck with ‘www’ as the site name. I’m assuming the proper DNS zone already exists, since you have a domain with Active Directory up and running. This must be configured prior to continuing, as the subordinate will fail to properly configure if the CRL file is not available.

1-4-2014 4-25-31 PM

2. We need to install IIS, since we will be distributing the CPS and CRL via the HTTP. On the VM which will be your online CA, run the following command:

Install-WindowsFeature Web-WebServer -IncludeManagementTools

3. Open an elevated PowerShell and enter the following commands. If you have an official CPS, then you can skip the second command and just copy your cps.txt file to the directory. For security purposes I’d recommend putting the files on the D: drive, so you aren’t serving content from the OS drive.

new-item -path D:\pki -type directory
write-output "This is a sample CPS. Modify as needed." | out-file D:\pki\cps.txt
new-smbshare -name pki D:\pki -FullAccess SYSTEM,"Contoso\Domain Admins" -ChangeAccess "Contoso\Cert Publishers"

4. Open the IIS Manager and add a Virtual Directory as shown below.

1-4-2014 7-19-27 PM

1-4-2014 7-20-39 PM

5. Verify pki is selected in the left pane, then single click Authentication in the middle pane, and in the right Actions pane click on Edit Permissions.

6. Select the Security tab and select Edit. Add the Cert Publishers group with Modify permissions (which will add several others under it).

1-4-2014 7-10-14 PM

7. In the same dialog box, click add but change the from this location to the local computer. Manually enter IIS AppPool\DefaultAppPool. Leave the default permissions. If you use the user/group browser this will not be listed, so please manually enter it.

8. At this point any anonymous browser can now read your CPS statement and see the public root certificate. You can test this by going to http://www.yourdomain/pki/cps.txt and verify the sample file opens.

9. In the middle pane, with pki still selected, click once on Request Filtering. In the right pane click on Edit Feature Settings and check the box next to Allow double escaping.

1-4-2014 7-12-45 PM

10. Run iisreset from an elevated Powershell command.


In this installment we’ve configured our offline root CA, performed some hardening, and published the root CA information to the domain. All computers in the domain will now trust your root CA. We also configured IIS to serve up your CPS and CRLs to anonymous users. Next up is configuring the online subordinate CA. Check out the next installment in Part 2.

Download Windows Server 2012 R2 Preview Now!

Windows Server 2012 R2

TechEd 2013 had a bunch of great sessions on Windows Server 2012 R2, which has a boatload of new features. You can now download Windows Server 2012 R2 Preview version now. Pick up your copy here. Windows 8.1 release preview will come out tomorrow, but you can get a jump start on seeing the new start button and other changes with Windows Server 2012 R2.

I have nine articles from TechEd 2013 that cover a wide range of new features in Windows Server 2012 R2, which should RTM later this year. Read up on many of those new features here. I’m really excited about this release, and will be beating up on the preview version in the coming weeks. And yes, you can now shutdown directly from the new start button!

You can check out more of the features in WS2012 R2 here.

Windows Server 2012 R2

TechEd: IaaS with the Azure Pack (MDC-B364)

This session covers how to develop on-prem IaaS (Infrastructure as a service) using the Azure pack for Windows Server 2012 R2 and VMM 2012 R2. The session was more developer oriented than I thought from the description, so I ended up leaving a bit early since I’m not a developer. However, in the beginning the speaker did several demos of what the Azure pack does, which I found very useful. He then dove into the back-end details on how it all worked and what you have to do to build your own on-prem Azure VM gallery.

Hinted at in this session, and other sessions, is a possible roadmap feature where Microsoft would provide pre-configured gallery templates for certain Microsoft products like System Center and SQL. You would then be able to tweak the config, and easily built up a service catalog, and deploy MS services on Hyper-V in a highly controlled, standardized, and automated way. The R2 Windows Server and System Center release have a lot of the building blocks to enable those features in the future. Given the accelerated release cadence of MS’s cloud platform, customers will get new features much faster than they historically have.


  • MS is hyper-focused on consistent cloud experience across the clouds (on-prem, Azure, service provider) at all layers (UX, APIs, PowerShell)
  • IaaS (Infrastructure as a service) – Elastic tiers
  • Customer requests: Enable templates to be deployed to any cloud, Provide a gallery of applications, Provide console access to remote VMs, anaging standalone VMs is not enough
  • Vision (not 100% delivered in R2): A consistent service model amongst Windows Server, System Center and Windows Azure for composing, deploying and scaling virtualized applications and workloads.
  • Four pillars: Portal User experience, deployment artifacts, management APIs, on-prem, hosted clouds and Azure
  • Consistent IaaS Platform: Delivered on portal user experience (Azure Pack), deployment artifacts, management APIs, Clouds

Demo #1

  • Showed a gallery for the VM role (new to Azure). Lists various services (SQL srever, IIS web server, SharePoint, etc.) that the admin has configured and curated. Gallery shows different versions of the same template, and can be tied to a subscription. When deploying a VM you can define the number of instances, for scale-out.
  • VM container, and Application container concepts (application payload is delivered into an OS)
  • The Gallery wizard prompts for a number of service properties (website name, admin names, VM sizes, etc.).
  • Shows a usage portal, which lists cores, RAM, storage, and VM usage. Also lists instances, IP address, disks, subscription, VM operations (power, stop, reset, etc.). Scale slider for increasing VM count.
  • Shows the ability to create a virtual network  (e.g. creating a site-to-site VPN) in the Azure pack.
  • Shows the ability to open a console to a Linux VM, or a VM without a network or OS

Iaas Architecture

  • Stack is: Hyper-V, VMM, Orchestrator, Operations manager, and two portals (tenant and service admin)
  • Steps to setup:
  • Load application extensions to VMM
  • Create a gallery item (VMM role template)
  • Create a service admin
  • Expose to tenant

Remote Console

  • Requires a new RDP client to support the new console version
  • Trust is established between all components (Azure Pack, Hyper-V, RDS gateway)
  • RDPTLSv2 is the new protocol

How to Build your Gallery

  • Definitions: VIEWDEF, RESDEF, RESEXT (consistent naming across Azure and on-prem/service provider)
  • REDEF: Virtual machine role resource definition (VM size, OS settings, OS image reference)
  • RESEXT: Your Application (roles, features, OS image requirements, etc.)
  • VIEWDEF: User GUI experience definition (parameters, grouping, ordering, validation, etc.)
  • RESCONFIG: RESDEF parameter values, single deployment, versioned (e.g. hard coded port number, etc.)
  • Uses JSON not XML files (make it more REST and portal friendly format)
  • Good support for command line installers/scripting (integrate PowerShell desired state, Puppet, etc.)
  • First class support for SQL deployments, IIS, etc. to make it very easy to configure
  • Built-in full localization support with a default language (which you can change)

TechEd: Windows Server 2012 R2 IPAM for Clouds (MDC-B376)

Starting off Day 3 of TechEd 2013 is a session on Windows Server 2012 R2 networking for cloud services. He covers what’s new in Windows Server 2012 R2 IPAM (and touching on DNS and DHCP). Windows Server 2012 shipped with major new features, and R2 builds on those features and better integrates them. IPAM in WS2012 was pretty bare bones, but far better than not managing your address space or using Excel spreadsheets that are never up to date.

IPAM in R2 gets a lot of major new features, and deep integration with VMM 2012 R2 to manage virtualized multi-tenant datacenters.  Some features like GUI-based scheduled DNS/DHCP record import are still missing, but are fully exposed through powershell for easy scripting. If you aren’t using an IPAM tool today, take a good look at Windows Server 2012 R2. The preview version will be out later this month, so you don’t have to wait long to try it out.

Windows Server 2012 ReCap

  • Existing IPAM options: Spreadsheets, in-house tools, commercial appliances
  • In-box IPAM: Compliments DNS and DHCP services. Ability to organize, assign and monitor IPv4 and IPv6 addresses.
  • Automatic discovery of DC, DHCP and DNS servers dynamic IP addresses
  • Track and audit changes and provide real-time view of service status
  • Multi-server management to manage all DNS and DHCP servers
  • DHCP and DNS have major new features: DHCP failover (active/active config), DHCP policies (group difference devices and assign different address to them (e.g. printers, phones for proxy settings, etc.). DNSSEC cache poisoning protection.

R2 Address Space Demo:

  • Shows IPAM DHCP scope utilization and health status
  • Shows you can now group IP address blocks by geographic regions. You can then filter views by region and drill down into countries or regions and see all scopes and IP address assignments.

Server 2012 R2 Enhancements

  • WS 2012 R2 Network environment: Host or Enterprise, multi-tenant and multiple datacenters with virtual networks
  • Ability to setup DHCP failover across datacenters
  • Supports virtual networks (administered by Fabric administrators)

IPAM 2012 R2 Enhancements

  • IPAM now manages and monitors both physical and virtual addresses
  • Integrated with VMM 2012 R2 and makes all address info available to VMM
  • All-new role based access control in IPAM. Granular control over what admin tasks people can perform.
  • Plan, design and administer IP address schemes of virtualized datacenters
  • Support network isolation WNV, VLAN
  • Enhanced service monitoring
  • Single and multi-entity configuration of reservations, scopes, failovers, policies, filters, etc.
  • External database support (SQL)
  • CIM based PowerShell – 100% parity with GUI

Virtualized Networks

  • Provider address space: Physical network address space
  • Logical networks in VMM are customer address space
  • Customer can bring in their own address space, which may overlap with other address spaces
  • Must deploy network virtualized networks (e.g. NVGRE) to keep address spaces isolated

IPAM-VMM Integration

  • IPAM has a view of both physical and virtualized address space
  • Network admin tasks (fabric layer): Configure address space, subnets, pools, VLANs. Then creates subnets, pools and logical networks, and then the config is pushed to VMM. Changes in VMM are pushed back to IPAM. Conflict detection, notification and updates, changes and meta-data are all synchronized. All configuration is done in IPAM by the network admin.


  • New “Virtualized Address Space” node in IPAM
  • “Managed by Service” column that shows VMM or IPAM service that controls the subnet config
  • “Service instance” column shows which VMM instance is assigned that subnet. Subnet now appears in VMM console.
  • Shows VMM synchronization with IPAM when subnets are pushed to VMM
  • When creating a VM network in VMM, he shows that the config is pushed to IPAM as a customer network

Role Based Access Control

  • Granular admin control within IPAM, DNS, DHCP. Five step process:
  • 1) Define a user role (operations an admin can perform)
  • 2) Define business hierarchy model based on the desired administration levels and controls
  • 3) Define access policy based on configured use role and access scope and associate users or groups
  • 4) Set/associate access scope to objects in IPAM
  • 5) New access control for leaf nodes or inherited from parent

DHCP/DNS Integration

  • Monitoring: Server availability, DHCP scope utilization, DNS zone health, DHCP failover health
  • Management: DHCP server, scopes, properties, options, filters, policies, classes, DNS records, etc.

DHCP Management and RBAC Demo

  • Shows the ability in IPAM to configure DHCP scope failover on remote DHCP servers
  • Shows the new “Access control” node in IPAM. 12+ pre-configured roles. Shows the ability to create a new custom role. Dozens of operations available to delegate and add to a custom role.
  • Shows the ability to create network hierarchies (e.g. in a city you can create a building).
  • Shows the ability to create an “Access Policy”, then bind the access policy to a DHCP scope for delegation
  • Shows the creation of a new R2 “FQDN” DHCP policy in the IPAM tool. Able to specify that all clients that do NOT contain * in their hostname get registered in DNS with instead.

External System Integration

  • IPAM PowerShell interface facilitates integration with other external systems like SCCM and MAP toolkit
  • Integration with AD Directory Services enables synchronization of site and services and subnets information

TechEd: Storage Management with VMM 2012 R2 (MDC-B344)

This session focused on both the platform storage enhances in Windows Server 2012 R2 in addition to VMM 2012 R2. Microsoft was very up front that the 2012 release baked in a huge amount of technology into the platform (OS), but not all of it was exposed through VMM 2012 and even in SP1. In the R2 release both the platform and VMM have been more fully integrated and a lot of new features added. Going forward Windows and System Center will ship on the same schedule. Within Microsoft the OS and System Center teams have been re-aligned into the same org. Just like VMware ships the hypervisor and the mangement suite at the same time, Microsoft is now on the same cadence.

I didn’t get a screenshot, but the presenter had a slide showing the storage features in every version of VMM dating back to 2007. Starting with 2012 there was an explosion in features, with more added in SP1 (shipped in January 2013) and a lot more in R2. The pace at which Microsoft is enhancing the hypervisor and management stack is pretty astounding.

This session was supposed to be heavy on demos, but the speaker’s VPN connection back to the mother ship was not behaving. For his storage demos he was going to use a 3PAR to demonstrate the fibre channel LUN provisioning features in VMM 2012 R2, and NetApp for the SMB 3.0 file share demo. VMM has a lengthy list of storage arrays which are natively supported. If you are a 3PAR customer, you will need 3.1.2 MU1 for full VMM 2012 R2 support.

Storage Management Pillars

  • Insight: end to end mapping, pool, volume and file share classification, monitoring, standards based
  • Flexibility: Provisioning of pools, LUNs, file shares, scalable, allocation and assignment, FC zoning, zone aliases
  • Automation: Rapid provisioning, scale out file server, disaster recovery, bare metal Hyper-V host provisioning, ODX

R2 Enterprise Storage Management

  • More optimized storage discovery (e.g. a 3PAR with hundreds of disks) or VMAX with thousands of LUNs
  • Real-time updates for out of band changes using CIM indications
  • Fibre channel fabric discovery and zone provisioning and activation of zone sets
  • Support for Hyper-V virtual fibre channel
  • ODX optimized virtual machine deployments (copy VM from library)
  • Rapid provisioning using difference disks

Storage Provisioning for Tier 1 Application Demo

  • Fibre Channel switches
  • Hyper-V Host with 2 FC ports
  • Service template to model computer with two virtual HBAs

New to VMM 2012 R2

  • 10x faster SMI-S enumeration
  • Management of scale-out file server underlying spaces storage
  • Added remoting and cluster-awareness for managing storage spaces
  • Abilitity to assign storage and fabric classification at the volume or SMB share level. Allows finer grain SLA control.
  • Fully support iSCSI targets for storage
  • Support for SMB 3.02 (new to WS2012 R2)
  • Spaces provisioning: Discovery of physical spindles, storage pool creation and deletion, mirror and parity spaces creation and deletion
  • Capacity management: pool/volume/file share classification; file share ACL management
  • Scale-out file server deployment: bare metal deployment, creation of scale-out file server cluster, add/remove nodes, file share management

TechEd: Building Clouds on Server 2012 R2 (MDC-B312)

This session was a firehose of information on the design considerations when building your private cloud based on Server 2012 R2. There are ton of new features in WS2012 and R2, so this was a high level roadmap on how to figure out what you want to implement. Bottom line is that with WS2012 R2 and System Center 2012 R2, you have a full Cloud stack available. The 2012 releases built the foundation, but had some missing pieces. The R2 release rounds out those holes, and unifies the release schedule and simplifies the experience.


  • Windows Server 2012 is Cloud optimized
  • Clouds are dynamic, multi-tenant, high scale, low cost, manageable and extensible
  • Major new cloud enabling features in Server 2012, released last year
  • 2012 built  a strong platform, but was not a full cloud solution

WS2012 R2 Improvements

  • Live migration is much faster
  • Live migration from 2012 servers
  • Shared VHDX clustering
  • Automated block-level storage tiering
  • write-back cache
  • Per-share auto-redirection to scale-out file servers
  • Dedupe of VDI workloads
  • iSCSI target VHDX support
  • Multi-tenant site-to-site VPN gateway
  • Hyper-V NAT and forwarding gateway
  • vRSS
  • NIC teaming dynamic-mode
  • Desired state configuration
  • Datacenter abstraction layer
  • All aligned with System Center 2012 R2

Blueprint for a Cloud

  • Build your managment stack
  • Start provisioning compute nodes and storage
  • Then you scale out as needed
  • This is a cloud “stamp”
  • Publish a self-service portal or APIs
  • Add network gateways
  • Add users


  • Think about: workloads, networking, storage, resiliency

Designing for the workload

  • Cloud-aware stateless apps or stateful apps?
  • IaaS cloud can support both but with different design considerations
  • What are the workloads performance requirements
  • 2 socket servers offer the best ROI
  • Some workloads will benefit from hosts with SR-IOV
  • Are workloads trusted? Think about level of isolation between workloads and QoS policies
  • Keep it simple and manageable
  • Can’t optimize a unified infrastructure for all possible workloads
  • Standardize VMs, self-service based, managed to an SLA

Network Design

  • Traffic isolation considerations (tenant generated traffic) and hoster/datacenter traffic (cluster traffic, storage, live migration mgtmt, etc.)
  • Use physical isolation as needed, port ACLs, QoS & VM QoS
  • Between tenants and datacenter: separate networks
  • Between tenant VMs of different tenants: Hyper-V network virtualization & VM QoS
  • Hardware offloads for NICs: HW QoS (DCB), RDMA, RSC, RSS, VMQ, IPsecTo, SR-IOV
  • For storage, if using SMB 3.0, then the NIC would benefit from RDMA feature
  • R2: can also use RDMA for Live Migration
  • Look at RSS and RSC for the NIC which support management (Live Migration, management)
  • Look at IPsecTO and VQM for VM guest NICs
  • SR-IOV bypasses the extensible switch
  • R2: vRSS (spreads NIC traffic load across multiple VM cores

Storage Design

  • Hyper-V servers with internal SAS disks is a perfectly acceptable if you don’t need super high HA
  • 2012: Can pool shared JBOD SAS array for some good HA
  • Scaling options: Block based FC or iSCSI or file based (lower cost w/ high performance)
  • Block based enables storage offload with ODX, and high IOPS

Resiliency Approaches

  • Infrastructure – VMs not designed to handle failures, HA at server level, failover clustering as another layer of protection. High end servers, redundant power and apps.
  • App-Level Resiliency – Cloud-aware apps can sustain failures without infrastructure dependency

WS2012 Representatitve Configurations

  • Three different approaches are fully documented and validated by Microsoft:

How do you deploy and configure?

  • In 2012 it was a mixture of GUI and a lot of PowerShell
  • With R2 and aligning with system center 2012 R2, it is much much easier
  • “Physical computer profile” is new in SC2012R2 – Deploy Hyper-V to bare metal
  • Demo showed provisioning a new scale out file server and creating a file share, all from a GUI

Scaling Considerations

  • Compute (Hyper-V) cluster size
  • Larger clusters improve overall efficiency
  • Consider clustering across failure domains (e.g. cross-rack)
  • Storage: Need JBODs with appropriate number of SAS interfaces

Management Stack Improvements In R2

  • Provides a unified Powershell method to manage physical devices, such as switches
  • MS created a logo program that vendors can certify against
  • MS open sourced the OMI standard for anyone to use
  • Desired State Configuration (DSC) MDC-B302 session

Windows Azure Pack

  • Same self-service portal as Azure
  • Common management experience
  • Workload portability
  • As future services are delivered in Azure, they will transfered into the private cloud

TechEd: What’s new in SC VMM 2012 R2 (MDC-B357)

This session was mostly a demo of VMM 2012, where the speaker also covered some enhancements in the upcoming R2 release. Many of the Hyper-V 2012 R2 features have already been covered in other sessions, so there wasn’t a lot of new content. But he did a good walk through of several scenarios using VMM. I had forgotten that VMM can also provision storage from a physical array, automate SAN switch zoning, and present storage to a Hyper-V host, all within the VMM GUI. So you no longer have to pull out SAN tools, then your SAN switch GUI, then your virtualization management tool.

One thing to note is that the Azure Pack and the System Center App controller product are different products. A question was asked whether they would be merged down the road, and the speaker could not comment about futures. But one would hope they unify the provisioning portals and experience, and I expect they will down the road.


  • Cloud OS: Three datacenters: On-prem, Windows Azure, Service Provider
  • Many customers will have assets across all three clouds
  • Customers need a consistent set of building blocks
  • The hyper-v that ships to customers is the same version that powers all of Azure
  • This session will focus on the on-prem and service provider clouds

What is the Cloud?

  • Term is way over used and misunderstood
  • Pool compute, storage and networking
  • Allocatable on demand
  • Automate everything – In VMM everything is Powered by PowerShell (500+ commandlets)
  • Metered
  • self-service

VMM – Enabling the Cloud

  • Storage – Can use any kind of storage you wish – SAN (iSCSI, FC), or SMB 3.0
  • Networking – In R2 VMM can manage physical switch configuration. NVGRE, PVLANs, etc.
  • Compute – Intel and AMD processor support
  • Virtualization Support – Hyper-V, VMware, Citrix XenServer
  • Do not name your cloud after a department, it is a pool of compute power. Cloud is an SLA construct.
  • User roles can be departments (Finance, HR, etc.). Construct an AD group, assign people, and assign access to appropriate cloud resources.
  • Model your application you are deploying so you can enable self-service

Announcing the Cisco Nexus 1000v for Hyper-V is now available for production usage.

VMM Investments in 2012 R2

  • Services, VMs, Clouds, Networking, Storage, Infastructure
  • Think of a “stamp” as a consistent configuration of Storage, compute, edge components and management
  • Later this year: All System Center components will be available a service template for fast and standard deployment
  • Physical Computer profile is a new feature for a scale-out file server Hyper-V host
  • 2012: VMM can appropriately zone SAN switches and provision storage from an array, such as 3PAR
  • Enables ODX to copy VMs from the library to production
  • Guest clustering using a shared VHDX file. No iSCSI or FC required.
  • Service template supports first node having a different configuration from other nodes, so you can automate cluster builds
  • VMM integrates with IPAM, so you can push/pull network configs with each other
  • VMM will warn on physical switch VLAN misconfigurations with switches that support OMI management
  • VMM can remediate network config problems on physical switches, if the network team allows it
  • Directly deploy and configure gateway (site-to-site VPN, NAT, or virtual to physical gateway) settings
  • Site-to-site VPN optionally supports iBGP
  • Site-to-site VPN supports third party devices such as Juniper or Cisco concentrators, or another Windows server
  • Delegation: Per-cloud delegated permissions
  • New and very rich SCOM management pack for VMM