Tuesday, 6 August 2013

SPF Part 7 - Register Service Management Automation with Windows Azure Pack


In the last post we installed Service Center 2012 R2 - Service Management Automation. In this post we'll register it with the Windows Azure Pack management site.


Unfortunately I forgot to get screenshots for this step, so it's going to be a bit short, but basically, start up the management site on the Windows Azure Pack management server (VAMGT01 in our environment), and navigate to https://vamgt01:30091/#Workspaces/SystemCenterAdminExtension/quickStart.

From there, click the link directly underneath "Register Service Management Automation for VM Clouds" and enter the URL for the System Management Automation endpoint we installed on VASCM01, i.e. https://vascm01:9090.

Once that's complete, it should look like below.


SPF Part 6 - Installing System Management Automation


In the previous few posts we installed System Center 2012 R2 Service Provider Foundation and registered it with the Windows Azure Pack admin site. Now that's complete, we also need to install and register another System Center 2012 R2 component, namely Service Management Automation.

System Prerequisites

Having installed all the prerequisites for Virtual Machine Manager and Service Provider Foundation, there's still one more system feature we need to install on VASCM01 for Service Management Automation, as follows:

  Add-WindowsFeature -Name "Web-Url-Auth"

We also need to create another app pool account:

      New-ADUser -Name "SMAAppPool" -SamAccountName "SMAAppPool" -DisplayName "SMA App Pool Service Account" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "mypassword" -AsPlainText -force) -PasswordNeverExpires $true

      $admins = [ADSI]"WinNT://./Administrators,group"

      New-ADGroup -Name "SMAAdminSiteUsers" -SamAccountName "SMAAdminSiteUsers" -GroupCategory "Security" -GroupScope "Global" -DisplayName "SMA Admin Site Users" -Path "CN=Users,DC=va,DC=local" -Description "Members of this group can access the SMA Admin Site"

      Add-ADGroupMember -Identity "SMAAdminSiteUsers" -Members "Domain Admins" 


Monday, 29 July 2013

SPF Part 5 - Registering the Service Provider Foundation Endpoint


This is the final step in registering the System Center 2012 R2 Service Provider Framework endpoint with the Azure Pack management server. Compared to the previous steps, it's a much smaller piece of work so it should be over quickly.


Note: The username is potentially case-sensitive. We had a few problems here registering the endpoint, and we used the following troubleshooting steps to try to identify the problem. However, once we used the correct case in the username (i.e. "va\Administrator" instead of "va\administrator") the endpoint registered successfully. We're not sure if this was just a coincidence, but since it resolved the issue we were unable to investigate further.
  • First, enable Failed Request Tracing in IIS on the Service Provider Framework server (VASCM01 in this case). Configure a tracing rule for the SPF website in Internet Information Services Manager, for all content with status codes 200-999 and for all providers. Then, enable Failed Request Tracing from the Actions pane for the SPF website.
  • Next, try to configure the endpoint again in the Azure Pack management server. If this still fails, check the failed request trace log folder on the SPF server ("%SystemDrive%\inetpub\logs\FailedReqLogFiles\W3SVC2" by default). This should contain some "fr######.xml" files. Open the highest-numbered file in Internet Explorer and check if you see the following error:
          ModuleName - ManagedPipelineHandler
          Notification - EXECUTE_REQUEST_HANDLER
          HttpStatus - 401
          HttpReason - Unauthorized
          HttpSubStatus - 0
          ErrorCode - The operation completed successfully. (0x0)

  • Check the "Compact View" on the trace, and check the RequestURL in the first trace event is "https://vascm01.va.local:8090/SC2012R2/Admin/Microsoft.Management.Odata.svc/"

  • Open Event Viewer and check the "Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> ManagementOdataService -> Operational channel" log. We saw an error logged with the following details:
          - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
            - <System>
                <Provider Name="Microsoft-Windows-ManagementOdataService" Guid="{60B4C807-9E58-40D0-A608-9A60DFFDD6B9}" />
                <Version>1 </Version>
                <TimeCreated SystemTime="2013-07-29T20:39:07.612582900Z" />
                <Correlation ActivityID="{7212F460-8C7E-0000-C85B-13727E8CCE01}" />
                <Execution ProcessID="2392" ThreadID="3568"/>
                <Security UserID="S-1-5-20" />
            - <EventData>
                <Data Name="userName">va\Administrator</Data>
                <Data Name="authenticationType">Basic</Data>

  • On the Azure Pack management server, open Internet Explorer and try to navigate to the URL in the error (i.e. "https://vascm01.va.local:8090/SC2012R2/Admin/Microsoft.Management.Odata.svc/"). This should load an OData XML document as per the screenshot below.
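
The Event Viewer check in the steps above can also be scripted. The following is an added example, not part of the original post: it pulls out the userName and authenticationType fields shown in the excerpt and groups recent events case-sensitively, so "va\Administrator" and "va\administrator" show up as separate rows. The function name, the sample XML and the channel name are assumptions.

```powershell
# Added example: report the identity and authentication type recorded in
# ManagementOdataService events, to compare with the username typed into the portal.

function ConvertFrom-OdataAuthEvent {
    param([Parameter(Mandatory)] [string] $EventXml)

    $doc = [xml]$EventXml
    # Collect the <Data Name="..."> children of <EventData> into a lookup table.
    $data = @{}
    foreach ($item in $doc.Event.EventData.Data) {
        $data[$item.Name] = $item.'#text'
    }
    [pscustomobject]@{
        TimeCreated        = $doc.Event.System.TimeCreated.SystemTime
        UserName           = $data['userName']
        AuthenticationType = $data['authenticationType']
    }
}

# Constructed sample: the fields from the excerpt above, closed into well-formed XML.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ManagementOdataService" />
    <TimeCreated SystemTime="2013-07-29T20:39:07.612582900Z" />
  </System>
  <EventData>
    <Data Name="userName">va\Administrator</Data>
    <Data Name="authenticationType">Basic</Data>
  </EventData>
</Event>
'@
ConvertFrom-OdataAuthEvent -EventXml $sample

# Live use on the SPF server. The channel name is an assumption derived from the
# provider name in the excerpt; confirm it with: Get-WinEvent -ListLog *ManagementOdata*
$channel = 'Microsoft-Windows-ManagementOdataService/Operational'
if (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue) {
    Get-WinEvent -LogName $channel -MaxEvents 50 |
        ForEach-Object { ConvertFrom-OdataAuthEvent -EventXml $_.ToXml() } |
        Group-Object -Property UserName, AuthenticationType -CaseSensitive |
        Select-Object Count, Name
}
```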

SPF Part 4 - Installing Service Provider Foundation 2012 R2


This post documents the last major piece of installation for the System Center 2012 R2 Service Provider Foundation. 


Service Provider Foundation is a component of System Center 2012 R2 Orchestrator. If you haven't already unpacked this from the System Center 2012 R2 Preview download, run "SC2012_R2_PREVIEW_SCO.exe" now to prepare the installation source.

Disable Internet Explorer Enhanced Security Configuration

Disable IE Enhanced Security Configuration using a script from this Stack Overflow post. This is required because the System Center 2012 R2 Orchestrator installer displays its landing page in an IE control, which will warn if enhanced security is enabled.
    # Turns IE Enhanced Security Configuration off for administrators and users.
    function Disable-InternetExplorerESC {
        $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
        Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
        # Restart Explorer so the new setting is picked up.
        Stop-Process -Name Explorer
        Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
    }

    # Turns IE Enhanced Security Configuration back on once the installation is finished.
    function Enable-InternetExplorerESC {
        $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
        Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 1
        Stop-Process -Name Explorer
        Write-Host "IE Enhanced Security Configuration (ESC) has been enabled." -ForegroundColor Green
    }

    # Sets the UAC consent prompt behaviour for administrators to 0 (elevate without prompting).
    function Disable-UserAccessControl {
        Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 00000000
        Write-Host "User Access Control (UAC) has been disabled." -ForegroundColor Green
    }

    # Only the ESC change is needed for the installer's landing page.
    Disable-InternetExplorerESC

System Prerequisites

Service Provider Foundation has some additional prerequisites above and beyond those we've already installed for Virtual Machine Manager. These are listed in the Service Provider Foundation installer as follows:
  • Operating System - Windows Server 2012 R2
  • IIS Version 7.5 or greater
  • IIS Management Scripts and Tools role service
  • IIS Security Basic Authentication
  • IIS Security Windows Authentication
  • IIS Application Development ASP.NET 4.5
  • WCF Data Services 5.0 for OData V3
  • .Net Features 4.5 WCF Services HTTP Activation
  • Management OData IIS Extension
  • Virtual Machine Manager 2012 R2 Administrator Console
We've already satisfied the first two and the last one, so we need to run some scripts to install the rest.
      Add-WindowsFeature "Web-WebServer" -IncludeManagementTools
      Add-WindowsFeature "Web-Scripting-Tools"
      Add-WindowsFeature "Web-Basic-Auth"
      Add-WindowsFeature "Web-Windows-Auth"
      Add-WindowsFeature "Web-Asp-Net45"
      Add-WindowsFeature "NET-WCF-HTTP-Activation45"
      Add-WindowsFeature "ManagementOdata"
This will leave two components remaining - "WCF Data Services 5.0 for OData V3" and "ASP.NET MVC 4 RC". These can be downloaded from the links in the list above. It's not clear how to script the WCF Data Services install, so we'll just do that the old fashioned way for now, but MVC 4 can be installed using the commands below.

      md c:\logs
      set downloads=\\nas1\downloads\Microsoft
      "%downloads%\Desktop Software\ASP.NET MVC 4\AspNetMVC4Setup.exe" /quiet

Domain Objects

Run the following script to create some Active Directory user groups to manage security permissions for the Service Provider Foundation web services:

      Add-WindowsFeature -Name "RSAT-AD-PowerShell"

      New-ADGroup -Name "SPFAdminSiteUsers" -SamAccountName "SPFAdminSiteUsers" -GroupCategory "Security" -GroupScope "Global" -DisplayName "SPF Admin Site Users" -Path "CN=Users,DC=va,DC=local" -Description "Members of this group can access the SPF Admin Site"
      New-ADGroup -Name "SPFProviderSiteUsers" -SamAccountName "SPFProviderSiteUsers" -GroupCategory "Security" -GroupScope "Global" -DisplayName "SPF Provider Site Users" -Path "CN=Users,DC=va,DC=local" -Description "Members of this group can access the SPF Provider Site"
      New-ADGroup -Name "SPFVMMSiteUsers" -SamAccountName "SPFVMMSiteUsers" -GroupCategory "Security" -GroupScope "Global" -DisplayName "SPF VMM Site Users" -Path "CN=Users,DC=va,DC=local" -Description "Members of this group can access the SPF VMM Site"
      New-ADGroup -Name "SPFUsageSiteUsers" -SamAccountName "SPFUsageSiteUsers" -GroupCategory "Security" -GroupScope "Global" -DisplayName "SPF Usage Site Users" -Path "CN=Users,DC=va,DC=local" -Description "Members of this group can access the SPF Usage Site"

      Add-ADGroupMember -Identity "SPFAdminSiteUsers" -Members "Domain Admins"
      Add-ADGroupMember -Identity "SPFProviderSiteUsers" -Members "Domain Admins"
      Add-ADGroupMember -Identity "SPFVMMSiteUsers" -Members "Domain Admins"
      Add-ADGroupMember -Identity "SPFUsageSiteUsers" -Members "Domain Admins"

Installing Service Provider Foundation

Navigate to the folder you unpacked SC2012_R2_PREVIEW_SCO.exe into, and launch SetupOrchestrator.exe, then follow the installation wizard as per below:

On the next page for the "Admin web service", change the security groups to the "va\SPFAdminSiteUsers" group we created earlier. Leave the application pool credentials as Network Service, although we'd specify individual domain groups and users for these purposes in a full production environment.

Do the same for the "Provider web service":

And the "VMM web service":

And finally, the "Usage web service":

This completes installation of the System Center 2012 R2 Service Provider Foundation. The final step in the next post will be to register the Service Provider Foundation endpoint with the Azure Pack management site.

SPF Part 3 - Installing Virtual Machine Manager 2012 R2


Continuing the adventure of trying to get the Virtual Machine Cloud working with the Azure Pack, we need to install Virtual Machine Manager for System Center 2012 R2. This post will lead us through the process of installing the prerequisites and then Virtual Machine Manager itself.


Service Center 2012 R2 is currently available as a free 180 day trial from the TechNet Evaluation Center. Once you've registered and downloaded the payload you'll have a set of *.exe files which unpack individual parts of Service Center 2012 R2. Run "SC2012_R2_PREVIEW_SCVMM.exe" and specify a folder to unpack to.


Configure SQL Server Instance

For the sake of seeing what databases get created where, we're going to run each separate component of the environment in a separate database instance on our SQL Server. The first thing we'll do is create a new database instance for Virtual Machine Manager.

To do this, get a remote desktop session to the SQL Server (VASQL01.va.local in this case) and run the SQL Server 2012 setup program again. At the SQL Server Installation Center dialog, click "Installation" and then "New SQL Server stand-alone installation or add features to an existing installation". Step through the wizard as per normal, selecting the following options on the appropriate dialogs:

  • Installation Type - select "Perform a new installation of SQL Server 2012"
  • Feature Selection - check "Database Engine Services"
  • Instance Configuration - specify the named instance as "VAVMMDB"
  • Database Engine Configuration - select "Mixed Mode" authentication, specify an sa password, and add Domain Admins to the SQL Server administrator list.
Finally, we'll bind the new instance to a static port and open that port in the Windows Firewall to allow incoming connections.

    $key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.VAVMMDB\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    Set-ItemProperty -Path $key -Name "TcpDynamicPorts" -Value ""
    Set-ItemProperty -Path $key -Name "TcpPort" -Value "1435"

    New-NetFirewallRule -DisplayName "VASQL01\VAVMMDB Database Engine" -Direction Inbound -Protocol TCP -LocalPort 1435 -Action Allow

    Restart-Service "MSSQL`$VAVMMDB"

Virtual Machine Configuration

Virtual Machine Manager requires at least 4000Mb of RAM allocated to the host machine in order to install, and the installer will refuse to install if you have below this threshold, so make sure your VM has at least that much RAM before you start.

Windows Server 2012 R2

Service Center 2012 R2 requires Windows Server 2012 R2, which you can find instructions for in a previous post - Installing Windows Server 2012 R2. Once we've got the base virtual machine installed, run the following scripts to rename the computer and join to the domain:

    Rename-Computer "VASCM01"
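    # Replace each <...> placeholder with the address for your environment.
    New-NetIPAddress -IPAddress "<server IP address>" -InterfaceAlias "Ethernet" -DefaultGateway "<gateway IP address>" -AddressFamily IPv4 -PrefixLength 24
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses @("<primary DNS IP address>", "<secondary DNS IP address>")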

    $username = "VA\Administrator"
    $password = "myPassword"
    $passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
    $credential = new-object System.Management.Automation.PSCredential($username, $passwordSecure)

    Add-Computer -DomainName "va.local" -Credential $credential

Windows Assessment and Deployment Toolkit

See the Installing Windows Assessment and Deployment Toolkit 8.1 Preview post for details of how to download and install the ADK.

SQL Server Utilities

Install the SQL Server Command Line Utilities for SQL Server 2008 R2 or SQL Server 2012. This is part of the SQL Server 2012 Feature Pack and can be downloaded from http://go.microsoft.com/fwlink?linkid=253555.

To find the links, expand the "Install Instructions" section of the page and scroll down to the "Microsoft SQL Server 2012 Command Line Utilities" link. Note: You'll also need to download and install the "Microsoft SQL Server 2012 Native Client" as a prerequisite to the command line utilities. To install them, use the following commands:
      md c:\logs
      set msiexec=%SystemRoot%\System32\msiexec.exe
      set downloads=\\nas1\downloads\Microsoft\Server Software\SQL Server 2012 Feature Pack\x64

      "%msiexec%" /i "%downloads%\sqlncli.msi" /norestart /passive /l*v "c:\logs\sqlncli.log" IACCEPTSQLNCLILICENSETERMS=YES
      "%msiexec%" /i "%downloads%\SqlCmdLnUtils.msi" /norestart /passive /l*v "c:\logs\SqlCmdLnUtils.log"

      shutdown /r /t 0

Domain Objects

Finally, we'll also need to run a couple of scripts to create a domain account for the Virtual Machine Manager service and an Active Directory container to store encryption keys:
      Import-Module ServerManager
      Add-WindowsFeature -Name "RSAT-AD-PowerShell"

      New-ADUser -Name "VMM Service" -SamAccountName "VMMService" -DisplayName "VMM Service Account" -Enabled $true -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString "mypassword" -AsPlainText -force) -PasswordNeverExpires $true

      $admins = [ADSI]"WinNT://./Administrators,group"

      New-ADOrganizationalUnit -Name "Encryption Keys"
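
The SMAAppPool and VMMService account scripts in these posts pass the password as a string literal, which leaves it in the script file and in any transcript of the session. The following is an added example, not code from the original posts, that creates the same two accounts with prompted passwords; the helper names ConvertTo-PlainText and Read-ConfirmedPassword are hypothetical.

```powershell
# Added example: create the service accounts from these posts without
# writing their passwords into the script.
Import-Module ActiveDirectory

function ConvertTo-PlainText {
    param([Parameter(Mandatory)] [System.Security.SecureString] $Secure)
    # Decoded in memory only, so the two prompts can be compared.
    (New-Object System.Management.Automation.PSCredential('unused', $Secure)).GetNetworkCredential().Password
}

function Read-ConfirmedPassword {
    param([Parameter(Mandatory)] [string] $Account)
    while ($true) {
        $first  = Read-Host -Prompt "Password for $Account" -AsSecureString
        $second = Read-Host -Prompt "Confirm password for $Account" -AsSecureString
        # Reject empty input, then compare the two entries case-sensitively.
        if ($first.Length -gt 0 -and $first.Length -eq $second.Length -and
            (ConvertTo-PlainText $first) -ceq (ConvertTo-PlainText $second)) {
            return $first
        }
        Write-Warning 'Passwords were empty or did not match; try again.'
    }
}

# Same names and settings as the New-ADUser commands in the posts.
$accounts = @(
    @{ Name = 'SMAAppPool';  SamAccountName = 'SMAAppPool'; DisplayName = 'SMA App Pool Service Account' },
    @{ Name = 'VMM Service'; SamAccountName = 'VMMService'; DisplayName = 'VMM Service Account' }
)

foreach ($account in $accounts) {
    $password = Read-ConfirmedPassword -Account $account.SamAccountName
    New-ADUser @account -Enabled $true -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true -AccountPassword $password
}

# The domain join on VASCM01 can prompt in the same way instead of building
# a PSCredential from a literal password:
#   Add-Computer -DomainName 'va.local' -Credential (Get-Credential -UserName 'VA\Administrator' -Message 'Account used to join va.local')
```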

Virtual Machine Manager

The full warning on the final wizard page reads as follows:

The Service Principal Name (SPN) could not be registered in Active Directory Domain Services (AD DS) for the VMM management server.

1) Use setspn.exe to create SPN for vmmserver using following command "C:\Windows\system32\setspn.exe -S SCVMM/VASCM01.va.local va\VMMService".

2) Add SPN values to following registry key "Software\Microsoft\Microsoft System Center Virtual Machine Manager Server\Setup\VmmServicePrincipalNames".

3) Run "C:\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\setup\ConfigureSCPTool.exe -install" to configure SCP.

If SPN and SCP are not registered, VMM consoles on other computers will not be able to connect to this VMM management server and deploying a Hyper-V host to a bare-metal computer will not work.

Running Virtual Machine Manager

To start Virtual Machine Manager, click the Start button (which is back in Windows Server 2012 R2), click the white "down arrow", and then click "Virtual Machine Manager Console" under the "Microsoft System Center 2012 R2" section.

To make it quicker to launch in future, you can also right-click Virtual Machine Manager Console and click the "Pin to Start" icon or "Pin to taskbar" icon.

We still don't have any resources to add to Virtual Machine Manager - that's coming a bit later. The next step will be to install Service Center 2012 R2 Service Provider Foundation, which we'll do in the next post.

SPF Part 2 - Installing Windows Assessment and Deployment Toolkit 8.1 Preview


This post is part 2 of a series describing how to install Service Provider Foundation 2012 R2 for registration in the Windows Azure Pack. In this post we'll be documenting the installation for the Windows Assessment and Deployment Toolkit 8.1 for Windows.


The Windows ADK 8.1 Preview needs the .Net Framework 4.5 installed as a prerequisite:

      Add-WindowsFeature AS-NET-Framework


The download from the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1 Preview page is a 1.3Mb kicker which downloads a much larger 3.4Gb payload. However, the installer allows the creation of an admin install point, which we're going to do as we may need to rebuild the server one or more times while we work.

Note that version 8.1 of the toolkit is designed for Windows Server 2012 R2. 

To do this, download the adksetup.exe file from the page above, and walk through the following steps:


When the download has completed, locate the folder you selected to download to, and run adksetup.exe again. It will detect that the files are already stored locally and install from there. When prompted for the components to install, select "Deployment Tools" and "Windows Preinstallation Environment (Windows PE)".

Alternatively, the following commands perform the same installation:

      md c:\logs
      set downloads=\\nas1\downloads\Microsoft\Server Software\Windows ADK
      "%downloads%\adksetup.exe" /ceip off /norestart /quiet /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment /log "c:\logs\adksetup.log"
(see Installing the Windows ADK for the complete list of adksetup command line options)