Category: Hyper-V

What’s new with Hyper-V 2016? (Shielded VMs)

Not too long ago, I was fortunate enough to attend MMS 2016 (Midwest Management Summit). During one of the presentations, I learned some pretty neat things about Windows Server 2016, especially around Hyper-V. One cool feature: “Shielded Virtual Machines”.

Shielded VMs ensure that Hyper-V administrators cannot view or alter the VM's settings, data or contents unless explicitly permitted. This is great for environments such as banks/financial institutions, governments and education, which need their data protected even from the people who administer the environment.

There are a few catches:

  • VM must be a Gen-2 (Generation 2)
  • VM must be Windows Server 2012 or higher, or
  • VM must be Windows 8 or higher

When the VM is created, the shielded VM is assigned a virtual TPM (Trusted Platform Module), and BitLocker encryption is applied so that only designated owners can access the VM. The shielded VM will not run unless the Hyper-V host is registered with the Host Guardian Service. All of the VM's data and state information is encrypted and cannot be accessed.
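An added example (not from the original post or from Microsoft) that audits a Windows Server 2016 Hyper-V host against the prerequisites above: VM generation, virtual TPM, shielding state, and whether the host itself is guarded. It assumes the Hyper-V PowerShell module and, for the host check, the HgsClient cmdlets; the guest OS version is not checked, and the function names are made up for this example.

```powershell
#Requires -Modules Hyper-V

function Get-ShieldingReadiness {
    param([string[]]$VMName = '*')

    foreach ($vm in Get-VM -Name $VMName) {
        $findings = @()
        $sec = $null

        if ($vm.Generation -ne 2) {
            $findings += 'Generation 1 VM (Generation 2 is required)'
        }
        else {
            # vTPM and shielding are Generation 2 features, so only query those VMs.
            $sec = Get-VMSecurity -VM $vm
            if (-not $sec.TpmEnabled) { $findings += 'No virtual TPM assigned' }
            if (-not $sec.Shielded)   { $findings += 'Not shielded' }
        }

        [pscustomobject]@{
            VMName     = $vm.Name
            Generation = $vm.Generation
            TpmEnabled = [bool]($sec -and $sec.TpmEnabled)
            Shielded   = [bool]($sec -and $sec.Shielded)
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

function Get-HostGuardState {
    # The HgsClient cmdlets are only present when guarded-host support is installed.
    if (-not (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue)) {
        return 'HgsClient cmdlets not installed; this host cannot run shielded VMs'
    }
    $hgs = Get-HgsClientConfiguration
    $state = if ($hgs.IsHostGuarded) { 'Guarded' } else { 'Not guarded' }
    "$state (attestation status: $($hgs.AttestationStatus))"
}

Get-HostGuardState
Get-ShieldingReadiness | Format-Table -AutoSize
```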

For more information on Shielded VMs, please visit Microsoft’s post HERE.

Creating a Converged Network Fabric with SCVMM 2012R2

This blog post should have been posted quite some time ago, however, after numerous revisions and the details in the post, you’ll understand why.

In this post I will demonstrate creating a converged network fabric in SCVMM 2012R2. This converged network will consist of logical network adapters, QoS, NIC (vNIC) teaming, and network adapters.

Step 1, Understand your infrastructure

To begin, my environment is using a Cisco UCS (B200 M4) back end, with Cisco Nexus 9K switches and of course Hyper-V (Windows 2012R2) as its hypervisor. The UCS profile used here has been provisioned with 7 vNICs and a dedicated VLAN for each vNIC to isolate the traffic between the networks. The 7 vNICs serve the following roles (see below). All vNICs have a 10GB interface.

  1. iSCSI-A (traffic to the SAN controller 1)
  2. iSCSI-B (traffic to the SAN controller 2)
  3. CSV-Heartbeat
  4. Live Migration
  5. Management
  6. Server-A (VM Production traffic)
  7. Server-B (VM Production traffic)

We will team the Server-A and Server-B vNICs, but we will get into that later.

Step 2, we need to understand what all these vNICs are intended for. The logical networks below illustrate the purpose of each network.

  1. SAN/Storage (1) (iSCSI-A) – This network will be for accessing storage via iSCSI on SAN controller 1. In this environment, we will have two VLANs for redundancy, thus two iSCSI networks.
  2. SAN/Storage (2) (iSCSI-B) – see above. This network will be for accessing storage via iSCSI on SAN controller 2.
  3. Live Migration – This network will carry the communication between the hypervisors to transfer VM memory, states, etc.
  4. CSV/Heartbeat – This network will be used by the cluster to communicate a healthy (online) state of the environment.
  5. Management – This network will be used to manage the Hyper-V/hypervisors. SCVMM will make use of this network to communicate with the Hyper-V nodes.
  6. VM Traffic (Server-A + Server-B) – This network is intended for VM communication and VMs only. This will be not only a redundant network, but a teamed network to allow additional I/O throughput. As mentioned, all vNICs are on a 10GB interface, so teaming these two vNICs/networks will allow I/O to operate at 20GB/s.

Please refer to the Microsoft article for further details, HERE.

Step 3, SCVMM – Create Logical Network(s)

Within SCVMM, you will now need to create your logical networks within the Fabric pane. As mentioned, I am using VLANs to isolate my traffic. I am also planning to have 15 VM network environments, each with its own dedicated VLAN, VLAN 101 through 116, i.e. 10.47.101-116.x. Likewise, there are dedicated VLANs for iSCSI, Live Migration, etc.

Here you need to specify the IP subnet and VLAN ID, and apply it to your Host(s) group.

Step 4, SCVMM – Create IP Pool(s)

Once you create all of your logical networks, you can now create IP Pools. IP Pools allow you to manage your logical network and ensure no duplicate IPs are consumed. You can also reserve IPs for VIPs, etc. In the screenshot below, as you can see, within my “Production” VM network traffic, my IP range starts at 10.47.101.100/24 and ends at 10.47.101.252. This allows 155 IPs to be used. If the IP Pool is soon to be exhausted, this configuration can be changed to increase the scope. But for now, I know 155 IPs is more than enough.

Right-click on the Logical Network you just created and select “Create IP Pool”.

You will need to bind the IP Pool to the Logical Network.

Choose “Use an existing network site” and ensure the right network site and IP subnet are populated.

Here, I am defining a range of IPs for my Pool. Although I know 155 IPs are more than enough, and will never need all 254 IPs, I am comfortable with the range starting at 100.

As you can see here, I have also specified the Gateway and provided 2 DNS servers for the IP Pool. When a new VM is created, all of the IP properties will be pulled from here and populated once the VM has been built.

At the end of all this, your Logical Network Fabric could look something like this, with your Logical Networks and IP Pools per network.

Step 5, SCVMM – Create VM Networks + IP Pools

Within the VMs and Services pane, we will now need to create VM networks. These will be associated with the Logical Networks we just created. Within the creation process, we will need to specify the Logical Network bound to this VM network. Here I created IP Pools again. I find this process of IP Pools a bit odd/redundant. I have IP Pools in both the Logical Network and the VM Network.

Step 6, SCVMM – Creating Uplink Port Profile

Now we need to create the Uplink Port Profile for our VM Production Traffic. Unfortunately, SCVMM 2012 R2 UR8 does not come with a default Uplink Port Profile, so we must create one. Microsoft best practice indicates using the Dynamic and Switch Independent settings for the Hyper-V workload.

Now we will need to bind all the networks we previously created to the Uplink Port Profile. Here VMM will tell the hypervisors how they are connected and mapped to the network fabric: iSCSI traffic, Live Migration, VM Production, CSV-Heartbeat, etc.

Step 7, SCVMM – Create Logical Switch

Now we will create the logical switch, also known as a vSwitch. The logical switch is the last part of the fabric puzzle. This logical switch will contain the Uplink Port Profile along with the Virtual Port Profiles (if we choose to manage QoS via SCVMM).

Within the Logical Switches – Fabric, we will create a new Logical switch. In my scenario, I have not made use of SR-IOV (Single Root – Input Output Virtualization).

We will use the default Microsoft Windows Filtering Platform for our vSwitch extension.

Here we will specify the uplink port profile(s) that will be associated with the logical switch. We will set the mode to Team, and add our Production Uplink/Network sites.

We will need to specify the port classifications for each virtual port for the logical switch. Here you can see we are using three classes: high, medium and low bandwidth.

Step 8, SCVMM – Assign Logical Switch to Hypervisor

Finally, we now need to assign the logical switch to our hypervisor(s). Navigate to each host group within the Fabric workspace and, within each hypervisor's properties, navigate to Virtual Switches. Select “New Virtual Switch”. Here we will specify which Uplink Port Profile (in our case only 1) to use on the physical adapter. Since my two vNICs will be teamed, I will have two (2) adapters bound to the same Uplink Port Profile.

Now you are ready to start building machines, making use of your network fabric, and maximizing System Center Virtual Machine Manager 2012R2’s power.

If you have any questions and/or need some guidance, please drop me a line.

Cheers!

SCVMM 2012R2 – Error 25100 – Unable to Delete Logical Network

SCVMM 2012R2 – Error 25100 – VMM is Unable to delete the logical network

This error will occur when you are trying to delete a logical network which still has resources bound to it.

After creating some virtual machines that were bound to this logical network, I realized there was no communication between the VMs. This was a result of not selecting the VLAN-based independent network, as I chose “one connected network”. I went back to each VM and removed the network adapter/logical network. I then tried to delete the logical network and was presented with this error.

[Screenshot: Error]

By right-clicking the Logical Network in question within the SCVMM Fabric and viewing its Dependent Resources, I was able to see that there were numerous “Temporary Templates” still associated with the Logical Network. Since time was not of the essence, I could not wait for SQL and/or SCVMM to flush the data on its own time/interval, so I forcefully removed the dependencies. Here is how:

As mentioned, if you right-click on the Logical Network and view its Dependent Resources, you will get something similar to this. Take note of the name of the string.

[Screenshot: list of dependent resources]

Now, launch the SCVMM PowerShell Console (Run as Administrator), and run the following cmdlet: Remove-SCVMTemplate -VMTemplate "<templateID>"

If the template ID was entered correctly, you should get the following output:

[Screenshot: PowerShell result]

You will need to repeat this cmdlet for all of the dependent template IDs.

Hope that helps!

Exporting and Importing VMs in Hyper-V 2012R2

Let’s say you have a Virtual Machine on one Hyper-V server and need to migrate it over to another Hyper-V server. The reason could be anything: end of life on the existing server, a different data center, etc. Of course this is one of the many good reasons why having a clustered Hyper-V environment is the way to go, but this post is not about that. So, let’s get to it.

  • First, shut down your VM and determine a destination to store the exported VM. Simply shut down the VM within the Hyper-V console, then right-click it and select Export. Once you define the destination, you can track the export's progress. Depending on your storage, how big the VM is, Hyper-V server specs, etc., this could take a few minutes…

  • Next, copy the VM data (you just exported) to the new Hyper-V server or some storage location. Again, based on your environment, network, server etc., this could take a few minutes.

  • Next, on your (new) Hyper-V server, launch the Hyper-V console, and select Import. Browse to the location where the VM being imported resides.

  • When selecting the Import Type, I chose the third option (Copy the virtual machine (create a new unique ID))

  • Now you can set the location of the VM's properties, or leave them defaulted to your Hyper-V server's settings.

  • Depending on your VM/Hyper-V server, you may have had some fancy properties, like a virtual switch. In my case I did, and on the new Hyper-V server I did not have the same virtual switch, or at least not the same name. You can either create the Network Switch your VM requires, or select “Not Connected” and finish this task later.

  • Now you can go ahead and finish the import process, and allow the new machine to be officially imported on your new Hyper-V hypervisor. Again, based on your environment, this may take a few moments, so go get another coffee, and enjoy!
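The same export/import procedure in PowerShell, as an added example that is not part of the original post. It uses Compare-VM to surface the missing-virtual-switch problem described above before the import runs; the VM name and folder paths are assumptions.

```powershell
#Requires -Modules Hyper-V
# Assumed (hypothetical) names and paths; adjust to your environment.
$vmName     = 'APP01'
$exportRoot = 'D:\Exports'   # export destination on the old Hyper-V server
$importRoot = 'E:\Imports'   # where the export was copied to on the new server

# --- On the old Hyper-V server: shut down and export ---
Stop-VM -Name $vmName
Export-VM -Name $vmName -Path $exportRoot

# --- On the new Hyper-V server, after copying the exported folder across ---
# The configuration file sits under "Virtual Machines" (.xml on 2012 R2).
$configDir = Join-Path $importRoot "$vmName\Virtual Machines"
$config = Get-ChildItem -Path $configDir -Filter *.xml | Select-Object -First 1
if (-not $config) { throw "No VM configuration file found in $configDir" }

# Compare-VM is a dry run of the import: -Copy -GenerateNewId matches the
# "Copy the virtual machine (create a new unique ID)" import type.
$report = Compare-VM -Path $config.FullName -Copy -GenerateNewId
$report.Incompatibilities | Format-Table MessageId, Message -AutoSize

# Equivalent of selecting "Not Connected": detach adapters whose virtual
# switch does not exist on this host (message ID 33012, switch not found).
$report.Incompatibilities |
    Where-Object MessageId -eq 33012 |
    ForEach-Object { $_.Source | Disconnect-VMNetworkAdapter }

# Import using the adjusted report, then confirm the VM is registered.
Import-VM -CompatibilityReport $report
Get-VM -Name $vmName | Format-Table Name, State, Generation, Path -AutoSize
```

Any incompatibility other than a missing switch stays in the report, so review the table before running the import.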

Hyper-V Network Virtual Switches

So you’ve spun up a Windows 2012R2 machine with Hyper-V installed and ready to go. However, now you’re stuck and not sure which type of Network Virtual Switch (vSwitch) applies to your environment(s)…

In Windows 2012R2, Hyper-V’s network virtual switch runs at Layer 2 (the Data Link layer). If you are unfamiliar with either term, I suggest good old Wikipedia. 🙂 The switch maintains a MAC address table containing the MAC addresses of all the virtual machines (VMs) connected to it, and determines where to direct/redirect packets based on those MAC addresses. It should be noted that in Hyper-V you can have an unlimited number of VMs connected to this vSwitch.

In Hyper-V you have three types of Network Virtual Switches: External, Internal and Private. All have similar functions but are distinctly different.

  1. External vSwitch allows communication between the VMs running within the Hyper-V hosts, the Hyper-V parent partition, and between all VMs on the remote host server. The External vSwitch does require a network adapter on the host (that is not mapped to any other Hyper-V External vSwitch). You can also tag to a VLAN ID.
  2. Internal vSwitch allows communication between all VMs that are connected to the vSwitch and also allows communication with the Hyper-V parent partition. You can also tag to a VLAN ID.
  3. Private vSwitch allows communication between all VMs that are connected to the vSwitch, and that is it. (Note, no communication between the VMs and its Hyper-V parent partition. Also no VLAN ID tagging can occur on the vSwitch)

Without the use of SCVMM (System Center Virtual Machine Manager), I have found there are two ways to go about creating a vSwitch, one via Hyper-V GUI and second via PowerShell.

Let’s start with the GUI:

Launch the Hyper-V console, right-click on the hypervisor and open Virtual Switch Manager. After selecting New virtual network switch, you can specify your properties here: name your vSwitch, associate it with the correct vNIC, tag it to the appropriate VLAN ID, etc.

[Screenshot: vSwitch on the Hyper-V host]

You can now specify which vSwitch your guest VM should use. Within the VM's properties, you will have the option to choose the Virtual Switch (you will need to create a Network Adapter if not already done). Once selected, you can specify your VLAN ID here. (I am finding you cannot specify the VLAN within the Management vSwitch, but it must be done on the client VM’s end) *Again, this is without the use of SCVMM..yet*

[Screenshot: vSwitch on the client OS]

The same process can be automated via PowerShell (and SCVMM). If you’re like me and need to provision a few dozen Hyper-V hosts, creating vSwitches via the GUI is rather tedious. Please see the code below:

First you will need to get a list of all the network adapters your Hyper-V host has to offer. Hopefully you have named them; if you have not, I highly suggest doing so and consider it best practice for keeping your sanity.

[Screenshot: Get adapter names via PowerShell]

Once you have the list of vNICs and their names, you can go ahead and start creating vSwitches.

[Screenshot: Create vSwitch via PowerShell code]

[Screenshot: Output of creating the vSwitch via PowerShell]

If the code above worked (note only Line 6 is needed to create the External vSwitch), your Hyper-V host should have the vSwitch, or something similar:

[Screenshot: vSwitch on the Hyper-V host]
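The post's own code survives only as screenshots, so the following is an added example, not the author's script. It lists the adapters, creates one vSwitch of each of the three types described above without failing on re-runs, and tags the VLAN on the VM's adapter; the adapter name 'Server-A', the VM name 'APP01', VLAN 101, the switch names and the helper function are all assumptions.

```powershell
#Requires -Modules Hyper-V
# Assumed names: adapter 'Server-A', VM 'APP01', VLAN 101. Adjust for your host.

# List the physical adapters and their names before binding anything.
Get-NetAdapter -Physical | Sort-Object Name |
    Format-Table Name, InterfaceDescription, Status, LinkSpeed -AutoSize

function New-VSwitchIfMissing {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [ValidateSet('External', 'Internal', 'Private')] [string]$Type,
        [string]$NetAdapterName   # only used for an External vSwitch
    )
    if (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue) {
        Write-Verbose "vSwitch '$Name' already exists, skipping."
        return
    }
    if ($Type -eq 'External') {
        if (-not $NetAdapterName) { throw 'An External vSwitch needs -NetAdapterName.' }
        # -AllowManagementOS $false keeps the parent partition off this switch,
        # so VM production traffic and host management stay on separate adapters.
        New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName -AllowManagementOS $false
    }
    else {
        # Internal: VMs plus the parent partition. Private: VMs only.
        New-VMSwitch -Name $Name -SwitchType $Type
    }
}

New-VSwitchIfMissing -Name 'vSwitch-External' -Type External -NetAdapterName 'Server-A'
New-VSwitchIfMissing -Name 'vSwitch-Internal' -Type Internal
New-VSwitchIfMissing -Name 'vSwitch-Private'  -Type Private

# The VLAN is tagged on the VM's network adapter, not on the switch itself.
Connect-VMNetworkAdapter -VMName 'APP01' -SwitchName 'vSwitch-External'
Set-VMNetworkAdapterVlan -VMName 'APP01' -Access -VlanId 101

# Verify the result.
Get-VMSwitch | Format-Table Name, SwitchType, AllowManagementOS, NetAdapterInterfaceDescription
Get-VMNetworkAdapterVlan -VMName 'APP01'
```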

 
