October 17th, 2019 | Tags:

Shared Nothing Live Migration requirements:

  1. Migration is possible between the servers running the following OSs: Windows Server 2012 R2 or Windows Server 2016
  2. Virtual machine version has to be 5 or higher
  3. Both computers must be located in the same Active Directory domain or in trusted domains
  4. A user performing the configuration must have Hyper-V administrator privileges. While configuring Kerberos constrained delegation, a user must have the domain administrator privileges (or server account privileges)

Suppose we have two servers running Windows Server 2016 with the Hyper-V role: Srv01 and Srv03. Both servers are members of the Active Directory domain and are not clustered (Windows Server Failover Clustering). Start the Hyper-V Manager console on either server and add both servers to it.

Then enable Live Migration in the settings of both servers. To do it, right-click a Hyper-V server and select Hyper-V Settings. Go to the Live Migration section and check Enable incoming and outgoing live migrations. Restrict the list of migrations to the IP addresses of two Hyper-V hosts.

Then select Use Kerberos as the authentication protocol in the Advanced Features section.

You can do the same things using the following PowerShell commands:

Enable-VMMigration
Set-VMMigrationNetwork 192.168.10.41 192.168.10.21
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

Note. VM Live Migration is also possible using CredSSP protocol, but in this case the administrator will have to sign in (using RDP) on the server that is a source of migration or connect to it remotely using PowerShell Remoting.

To migrate a VM using Kerberos authentication, the administrator doesn’t need to sign in on the server, but the constrained delegation in Active Directory (KCD — Kerberos constrained delegation) has to be configured.

Start the ADUC snap-in, find the account of the first Hyper-V server, open its properties and go to the Delegation tab.

Check Trust this computer for delegation to specified services only and Use Kerberos only and click Add.

In the next window, click Users and Computers and specify the name of the second Hyper-V server. In the list of available services, select Microsoft Virtual System Migration Service.

Tip. If you also have to migrate the VM storage, select cifs protocol as well.

Save the delegation settings. Configure the same settings for the second Hyper-V server.
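
The same delegation can be set and then reviewed from PowerShell. This is an added example, not part of the original article: it assumes the ActiveDirectory module (RSAT) is installed, that the account running it may modify both computer accounts, and it takes the FQDN of each host from the DNSHostName attribute.

```powershell
# Added example: Srv01/Srv03 are the article's hosts. Needs the ActiveDirectory
# module (RSAT) and rights to modify both computer accounts.
Import-Module ActiveDirectory

$hvHosts  = 'Srv01', 'Srv03'
# cifs is only needed when the VM storage is migrated as well.
$services = 'Microsoft Virtual System Migration Service', 'cifs'
$attr     = 'msDS-AllowedToDelegateTo'

foreach ($source in $hvHosts) {
    $sourceAccount = Get-ADComputer -Identity $source -Properties $attr
    $other  = $hvHosts | Where-Object { $_ -ne $source }
    $target = Get-ADComputer -Identity $other -Properties DNSHostName

    # One SPN per service, for the short name and the FQDN of the other host.
    $spns = foreach ($svc in $services) {
        "$svc/$($target.Name)"
        "$svc/$($target.DNSHostName)"
    }

    # Add only the entries that are missing, so the script can be re-run.
    $missing = @($spns | Where-Object { $sourceAccount.$attr -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADComputer -Identity $sourceAccount -Add @{ $attr = $missing }
    }

    # "Use Kerberos only": no protocol transition, no unconstrained delegation.
    Set-ADAccountControl -Identity $sourceAccount `
        -TrustedToAuthForDelegation $false -TrustedForDelegation $false
}

# Review the result: each host should list only the other host's SPNs.
foreach ($h in $hvHosts) {
    Get-ADComputer -Identity $h -Properties $attr, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}
```

Any entry in AllowedToDelegateTo that is not one of the two services on the other Hyper-V host is delegation the migration does not need.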

Now wait for the changes to replicate in AD and for the Kerberos ticket to be reissued; then you can perform a live migration of the VM. Right-click the virtual machine and select Move.

Select Move the virtual machine as the type of migration.

Specify the name of the Hyper-V host to which you want to migrate the VM.

Then select the folder on a target host to move the VM files to (the folder must exist already).

Click Finish and wait until the live migration of the virtual machine to the second Hyper-V server is complete.

Tip. You can start the VM migration using the following PowerShell command:

Move-VM srvapp1 Srv01 -IncludeStorage -DestinationStoragePath c:\hyperv\vm

If the processor compatibility isn’t turned on in the VM settings, the migration will be interrupted with the following error:

The virtual machine cannot be moved to the destination computer. The hardware on the destination computer is not compatible with the hardware requirements of this virtual machine.

To solve this problem, you will have to shut down the VM and enable CPU compatibility for it:

Set-VMProcessor srvapp1 -CompatibilityForMigrationEnabled $true

October 17th, 2019 | Tags:

In this article, we’ll look at the licensing features of the Windows Server 2019, 2016 and 2012 R2 operating systems from the point of view of the new Microsoft licensing model. We’ll also cover the rules and licensing procedures for using Windows Server as a guest OS in virtual machines, including HA clusters with the ability to migrate virtual machines between hypervisors (VMware vMotion, Hyper-V Live Migration, etc.). Read more…

October 15th, 2019 | Tags:

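Disaster Recovery

Disaster recovery (DR) means using sound technical means and methods to establish systematic data contingency arrangements in advance, in order to cope with a disaster when it occurs. It covers data backup and system backup, business continuity planning, staffing structure, communications assurance, crisis public relations, disaster recovery planning, disaster recovery plans, business recovery plans, emergency incident response, third-party partner organizations, supply-chain crisis management, and so on.

Disaster Recovery Levels

Depending on the recovery objectives and the cost investment required, disaster recovery can broadly be divided into three levels. As shown in Figure 1, they can be represented as three nested concentric circles: from data-level DR through application-level DR to business-level DR, the level of business recovery rises step by step, and the investment required grows accordingly.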

Read more…

September 24th, 2019 | Tags:

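By default, Server 2016 allows 2 users to connect via Remote Desktop. If more than two users open Remote Desktop connections, the system reports that the connection limit has been exceeded. This can be resolved by adding Remote Desktop licensing:

1. Add the Remote Desktop Licensing service

Step 1: In Server Manager, choose Add Roles and Features to open the Add Roles and Features Wizard, and select Role-based or feature-based installation

Step 2: Add the Remote Desktop Session Host and Remote Desktop Licensing features: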
Read more…

September 18th, 2019 | Tags:

Sources of Free S/MIME Certificates

Free certificates usable for S/MIME are available from:

  • Actalis
  • CAcert (CAcert is NOT one of the trusted authorities built into Firefox and Thunderbird. The connection is also untrusted)
  • Comodo (They’ve changed their name to Sectigo and no longer offer free S/MIME certificates.)
  • GlobalSign (No longer offer free certificates)
  • InstantSSL (free certificate is now a 30 day trial)
  • Secorio (Affiliated Partner of Sectigo (formerly called Comodo) that links to InstantSSL if you want a free certificate)
  • StartCom (StartCom certificates have been revoked by Mozilla) [1]
  • Wosign (WoSign certificates have been revoked by Mozilla)

Currently only Actalis seems to offer a free S/MIME certificate for personal use that is good for one year. Everybody else appears to offer a free certificate for personal use for only 30 days, or require you to buy one. It can also cost money to revoke a free certificate. [2]

Let’s Encrypt does not currently offer S/MIME certificates. See https://community.letsencrypt.org/t/s-mime-certificates/153 for a thread explaining why you can’t use their SSL/TLS certificates for S/MIME.

September 18th, 2019 | Tags:
If you would like to restrict Remote Desktop access to your Dedicated server to an IP address or range of IP addresses, you can do so by following the instructions below.
Edit Existing Firewall Rule

Read more…

September 18th, 2019 | Tags:

https://gallery.technet.microsoft.com/Windows-Backup-wbadmin-2014479e

September 18th, 2019 | Tags:

Block 1: Connect to the WSUS server and set the configuration.
We are first going to set the property “Download update files to this server only when updates are approved”, turn off all update languages, and then set the only update language to English. At the end, this would all be pointless if we didn’t commit our changes with .Save.

Of course there are a lot more things you can do; just let IntelliSense go to work for you.

$wsus = Get-WSUSServer -Name wsus.domain.local -PortNumber 8530
$wsusConfig = $wsus.GetConfiguration()
$wsusConfig.DownloadUpdateBinariesAsNeeded = $True
$wsusConfig.AllUpdateLanguagesEnabled = $false
$wsusConfig.SetEnabledUpdateLanguages("en")
$wsusConfig.Save()

Block 2: Verifying an Auto-Approval rule is set and enabled.
In this example, we are simply going to check and see if “My Approval Rule” is created, and enabled. Read more…

September 18th, 2019 | Tags:

This script will look for GPOs which have no settings at all and delete them.

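Import-Module GroupPolicy
$GPOs = Get-GPO -All
foreach ($GPO in $GPOs)
{
    # A directory version of 0 on both halves means no settings were ever saved
    if (($GPO.Computer.DSVersion -eq 0) -and ($GPO.User.DSVersion -eq 0)) {
        Write-Host "$($GPO.DisplayName) is an empty GPO."
        # Remove by GUID so the right GPO is deleted even if display names collide
        Remove-GPO -Guid $GPO.Id
    }
}
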
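
A more cautious variant of the cleanup above, added here as an example (it is not the original author's script): it reports every empty GPO together with the containers it is still linked to, backs up the unlinked ones, and runs the removal with -WhatIf. The backup folder C:\GPOBackup is a hypothetical path and must already exist.

```powershell
# Added example. $backupPath is a hypothetical folder; it must already exist.
Import-Module GroupPolicy
$backupPath = 'C:\GPOBackup'

$candidates = foreach ($gpo in Get-GPO -All) {
    # Skip anything that has computer or user settings.
    if ($gpo.Computer.DSVersion -ne 0 -or $gpo.User.DSVersion -ne 0) { continue }

    # The XML report lists every site, domain or OU the GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        Modified    = $gpo.ModificationTime
        LinkedTo    = $links -join '; '
    }
}

# Review this list first: an empty GPO that is still linked was probably
# created for a reason and is left alone below.
$candidates | Format-Table -AutoSize

foreach ($c in $candidates | Where-Object { -not $_.LinkedTo }) {
    # Keep a restorable copy before anything is deleted.
    Backup-GPO -Guid $c.Id -Path $backupPath | Out-Null
    # -WhatIf only prints what would be removed; drop it after the review.
    Remove-GPO -Guid $c.Id -WhatIf
}
```
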
September 18th, 2019 | Tags:

These policies are generally meant for just computer or just user settings. This script will disable the empty settings (for example, if a GPO has only computer settings, it will disable user settings). This is important as it does speed up performance by not having to process empty policies.

Import-Module GroupPolicy
$GPOs = Get-GPO -All
foreach ($GPO in $GPOs)
{
    # Only touch GPOs with both halves enabled, so a half that was disabled
    # on purpose is never switched back on by the assignments below.
    if ($GPO.GpoStatus -ne "AllSettingsEnabled") { continue }

    if ($GPO.Computer.DSVersion -eq 0) {
        Write-Host "$($GPO.DisplayName) has no computer settings and not disabled.  Disabling..."
        $GPO.GpoStatus = "ComputerSettingsDisabled"
    }
    elseif ($GPO.User.DSVersion -eq 0) {
        Write-Host "$($GPO.DisplayName) has no user settings and not disabled.  Disabling..."
        $GPO.GpoStatus = "UserSettingsDisabled"
    }
}