Deploying ADFS on Nutanix – Installing and Configuring – Part 2

Deploying and configuring Active Directory Federation Services (ADFS) on Windows Server 2012 R2 for Office 365 can be broken down into five blog posts:

  1. Install and configure ADFS (this post)
  2. Configure name resolution and additional nodes (coming soon)
  3. Install the ADFS proxy (coming soon)
  4. Leverage ADFS with Office 365 (coming soon)
  5. New automated methods of setting up ADFS with Office 365 (coming soon)

Planning And Prerequisites, and Other Fun Details

Prerequisites

Here is the list of prerequisites from TechNet. In general, you need an SSL certificate. The certificate must be publicly trusted (chained to a public root certification authority) or explicitly trusted by every computer that will access the federation service. A wildcard certificate works, as does a standard web server certificate issued to the name you choose (e.g. fs.example.com, where fs stands for federation service). Whatever name you pick becomes the federation service name you enter in the configuration wizard, and it must not be the host name of the ADFS server itself.
For this lab, you will need a Windows Server 2012 R2 VM with 4 vCPUs, 4 GB of RAM and a 100 GB OS drive.

ADFS Role Planning

The ADFS role should be deployed within the corporate network, not in the DMZ. The ADFS proxy role (the Web Application Proxy role service in Windows Server 2012 R2) is the component intended for the DMZ; it terminates the external connections and relays them to the internal federation servers.
The default topology for Active Directory Federation Services is a federation server farm using the Windows Internal Database (WID), consisting of up to five federation servers hosting your organization's Federation Service. In this topology, ADFS uses WID as the store for the configuration database of every federation server joined to the farm. The primary server holds the writable copy of the configuration database; the other farm members pull and maintain a read-only replica of it.

When the domain is federated, every Office 365 sign-in depends on ADFS being reachable, so the strong recommendation is to have at least two ADFS servers with a redundant proxy infrastructure. On Nutanix, make sure the ADFS servers run on different nodes, and on different clusters for complete site resilience. Running Active Directory Federation Services on Windows Server 2012 R2 is fully supported across all hypervisors, including the Acropolis Hypervisor (AHV).

For more information on different designs, please review the design guidance information on TechNet.

Step by Step Install Guide

ADFS is installed as a server role, as shown in the screenshots below (ADFS-step1 through ADFS-step5).

OK, that's the easy part; now on to configuration. ;)

Step by Step Configuration Guide

Welcome to the Active Directory Federation Services Configuration Wizard!
Before you begin the configuration, you must have the following:

  • An Active Directory domain administrator account (the wizard creates the group Managed Service Account and registers the service principal name on it).
  • A publicly trusted certificate for SSL server authentication, imported with its private key into the local computer's Personal certificate store before you start the wizard. ADFS on Windows Server 2012 R2 runs on HTTP.SYS and does not use IIS, so the certificate is not installed "in IIS".

AD FS prerequisites

ADFS-config-step1 ADFS-config-step2 ADFS-config-step3 ADFS-config-step4 ADFS-config-step5

This server will be configured as the primary server in a new AD FS farm ‘fs.poc.lan’. The configuration will be stored in Windows Internal Database. Windows Internal Database feature will be installed on this server if it is not already installed. All existing configurations in the database will be deleted. A group Managed Service Account POC\adfs$ will be created if it does not already exist and this host will be added as a member. Federation service will be configured to run as POC\adfs$.

ADFS-config-step6
If you click on View script, you can see the automated version:

# Windows PowerShell script for AD FS Deployment
Import-Module ADFS
# Thumbprint of the SSL certificate in the local computer's Personal store.
# As printed in this post the value is not a valid hexadecimal thumbprint,
# so substitute the thumbprint of your own certificate.
Install-AdfsFarm `
-CertificateThumbprint:"3923273B4862WEE0CBAF3WEWE99125EDBWEWEWC0C5" `
-FederationServiceDisplayName:"ADFS POC" `
-FederationServiceName:"fs.poc.lan" `
-GroupServiceAccountIdentifier:"POC\adfs`$" `
-OverwriteConfiguration:$true
ADFS-config-step7
The root key for the group Managed Service Account was created just before running the wizard. If you have more than one domain controller in your Active Directory forest, the key may not yet have replicated to all domain controllers, and the service may fail to install or start. By default, a key created with Add-KdsRootKey only becomes effective 10 hours after creation, which is the time allowed for replication. To avoid service startup problems, wait those 10 hours before completing the Active Directory Federation Services Configuration Wizard, running Install-AdfsFarm or Add-AdfsFarmNode on any other server in your network, or restarting any AD FS service.
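
Below is an added example of my own, not the wizard-generated script and not Microsoft's or Nutanix's code, that runs the checks the wizard text above implies before making the same Install-AdfsFarm call: it selects the certificate from the local computer store by name instead of a pasted thumbprint, confirms the KDS root key is effective and has reached every domain controller, and only then configures the farm. It assumes the lab names from this post (fs.poc.lan, POC\adfs$, display name "ADFS POC"), a certificate already imported with its private key, and an elevated session on the future ADFS server running as a domain administrator. Test-CertNameMatch is a helper defined in the script, not an ADFS cmdlet.

```powershell
# Added example (not the wizard-generated script): pre-flight checks for the
# first node of a WID farm, followed by the same Install-AdfsFarm call.
# Assumed lab values from this post: fs.poc.lan, POC\adfs$, "ADFS POC".
# Run elevated, as a domain administrator, on the server that will host ADFS.

$FederationServiceName = 'fs.poc.lan'
$GmsaIdentifier        = 'POC\adfs$'
$DisplayName           = 'ADFS POC'

# 0. Role install (the Server Manager steps in the screenshots) plus the AD
#    PowerShell tools used for the replication check below.
Install-WindowsFeature ADFS-Federation, RSAT-AD-PowerShell -IncludeManagementTools | Out-Null
Import-Module ADFS
Import-Module ActiveDirectory

# Helper (not an ADFS cmdlet): does one certificate name cover the service name?
# A wildcard covers exactly one label: *.poc.lan covers fs.poc.lan, not a.fs.poc.lan.
function Test-CertNameMatch {
    param([string]$SanName, [string]$ServiceName)
    if ($SanName -eq $ServiceName) { return $true }
    if (-not $SanName.StartsWith('*.')) { return $false }
    $labels = $ServiceName.Split('.')
    if ($labels.Count -lt 2) { return $false }
    return (($labels[1..($labels.Count - 1)] -join '.') -eq $SanName.Substring(2))
}

# 1. Certificate: private key present, inside its validity period, chains to a
#    trusted root (Verify() uses the default chain policy, including an online
#    revocation check), and names the federation service in its SAN/CN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Get-Date) -lt $_.NotAfter -and $_.Verify() } |
    Where-Object {
        $names = @($_.DnsNameList.Unicode)
        @($names | Where-Object { Test-CertNameMatch -SanName $_ -ServiceName $FederationServiceName }).Count -gt 0
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No trusted certificate for $FederationServiceName with a private key in Cert:\LocalMachine\My"
}
"Using certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# 2. KDS root key: must exist, be effective (Add-KdsRootKey defaults to 10 hours
#    after creation, the wait the wizard warns about) and be replicated to every
#    DC. -EffectiveImmediately is a single-DC lab shortcut; it does not speed up
#    replication in a multi-DC forest.
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
if (-not $rootKey) {
    throw 'No KDS root key exists. Create one with Add-KdsRootKey and wait for it to become effective.'
}
if ($rootKey.EffectiveTime -gt (Get-Date)) {
    throw "KDS root key $($rootKey.KeyId) is not effective until $($rootKey.EffectiveTime)"
}

# The root key objects live in the Configuration partition, so ask each DC for
# them directly instead of trusting only the DC this server happens to talk to.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$keyContainer = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $seen = @(Get-ADObject -Server $dc.HostName -SearchBase $keyContainer `
                           -Filter 'objectClass -eq "msKds-ProvRootKey"' -ErrorAction Stop)
    if ($seen.Count -eq 0) {
        throw "$($dc.HostName) has not received the KDS root key yet; wait for replication before continuing."
    }
    "$($dc.HostName): $($seen.Count) KDS root key(s) present"
}

# 3. Same parameters as the wizard's script, with the thumbprint from step 1.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceDisplayName $DisplayName `
    -FederationServiceName $FederationServiceName `
    -GroupServiceAccountIdentifier $GmsaIdentifier `
    -OverwriteConfiguration
```

Verify() needs the server to reach the issuing CA's CRL or OCSP endpoints, and a self-signed lab certificate only passes once its root has been placed in Trusted Root Certification Authorities on this machine. The per-DC query answers the question the wizard's warning raises, whether the key has actually replicated, rather than relying on the clock alone.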

ADFS-config-step8

Verifying that AD FS is working fine:

Check your IdP (identity provider) sign-on landing page by navigating to https://fs.poc.lan/adfs/ls/IdpInitiatedSignon.aspx (substitute your own federation service name).

ADFS-test-step1

ADFS-test-step2
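
The browser test above only proves that one page renders. The following is an added example of my own, not code from this post or from Microsoft, that checks the parts a federated Office 365 tenant will actually depend on: the service identity, the configured farm name, the HTTP.SYS SSL binding, the federation metadata document and the IdP-initiated sign-on page. It assumes the farm name fs.poc.lan from this post and that the name already resolves to this server (name resolution is the subject of the next post); run it elevated on the ADFS server.

```powershell
# Added example (not from the original post): post-install checks on the first
# ADFS 2012 R2 node. Assumes fs.poc.lan resolves to this server.
$FederationServiceName = 'fs.poc.lan'
Import-Module ADFS

# 1. Service state and identity: it should run as the gMSA, not a user account.
$svc     = Get-Service adfssrv
$svcUser = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
"adfssrv is $($svc.Status), logon account $svcUser"
if ($svc.Status -ne 'Running') { throw 'adfssrv is not running' }

# 2. The configured host name must be the name clients and Office 365 will use.
$props = Get-AdfsProperties
if ($props.HostName -ne $FederationServiceName) {
    throw "Farm host name is $($props.HostName), expected $FederationServiceName"
}

# 3. TLS binding. ADFS 2012 R2 listens through HTTP.SYS, not IIS, so the binding
#    is read with the ADFS cmdlet rather than from IIS Manager.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $FederationServiceName }
if (-not $binding) { throw "No SSL binding for $FederationServiceName" }
"SSL binding: $($binding.HostName):$($binding.PortNumber) -> $($binding.CertificateHash)"

# 4. Endpoints over TLS. The metadata document is what Office 365 consumes when
#    the domain is federated; the IdP-initiated sign-on page is the one the
#    screenshots show. On AD FS 2016 and later that page is disabled by default
#    and needs Set-AdfsProperties -EnableIdPInitiatedSignonPage $true.
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$signonUrl   = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"

$metadata = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$entityId = $metadata.EntityDescriptor.entityID
"Metadata entityID: $entityId"
if ($entityId -ne [string]$props.Identifier) {
    Write-Warning "entityID does not match the farm identifier $($props.Identifier)"
}

$page = Invoke-WebRequest -Uri $signonUrl -UseBasicParsing
"IdpInitiatedSignon.aspx -> HTTP $($page.StatusCode)"
```

If step 4 fails with a certificate error while steps 1 to 3 pass, the usual cause is that fs.poc.lan does not yet resolve to this server or the certificate's names do not cover it; either way it is the same failure an Office 365 user would see, so fix it before federating the domain.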

And that is how ADFS is initially set up, whether your environment is large or small. Next up: configuring name resolution and additional nodes.

Until next time….Rob

Exchange Server 2016 RTM Released: Forged in the cloud. Built for Web-Scale

Exchange Server 2016 is here and available to download!!!

What sets this version of Exchange apart from the past is that it was forged in the cloud. This release brings the Exchange bits that already power millions of Office 365 mailboxes to your on-premises environment, and by deploying Exchange 2016 on Nutanix you can truly create the ultimate web-scale email environment.

Email remains the backbone of business communication and the one tool that workers consider most essential for getting things done. Because of this, it is vital to have a modern messaging infrastructure that meets today's business expectations of scale. With the volume of email and other communications continuing to grow, people need tools that help them focus on what is most important in their inboxes, schedules and interactions with others at work. And as the quantity of email data grows, so do the demands on IT to manage, preserve and protect it. This is why web-scale is so important in an Exchange 2016 environment.

Web-Scale Fundamentals  
Exchange Server 2016
To help you meet these challenges with Exchange Server, Microsoft has deepened the integration between Exchange and other Office products, so your organization can be more productive and collaborate more effectively. They’ve made it easier to manage your email with new ways to focus on what’s important, work more efficiently, and accomplish more with your devices. Microsoft has also simplified the Exchange architecture and introduced additional recovery features.

Exchange 2016 builds on and improves features introduced in Exchange 2013, including Data Loss Prevention, Managed Availability, automatic recovery from storage failures, and the web-based Exchange admin center.

  • Better collaboration: Exchange 2016 includes a new approach to attachments that simplifies document sharing and eliminates version control headaches. In Outlook 2016 or Outlook on the web, you can now attach a document as a link to SharePoint 2016 (currently in preview) or OneDrive for Business instead of a traditional attachment, providing the benefits of coauthoring and version control.
  • Improved Outlook web experience: Continuing its effort to provide a first-class web experience across devices, Microsoft has made significant updates to Outlook on the web. New features include: Sweep, Pin, Undo, inline reply, a new single-line inbox view, improved HTML rendering, new themes, emojis, and more.
  • Search: A lightning-fast search architecture delivers more accurate and complete results. Outlook 2016 is optimized to use the power of the Exchange 2016 back-end to help you find things faster, across old mail and new. Search also gets more intelligent with Search suggestions, People suggestions, search refiners, and the ability to search for events in your Calendar.
  • Greater extensibility:  An expanded Add-In model for Outlook desktop and Outlook on the web allows developers to build features right into the Outlook experience. Add-ins can now integrate with UI components in new ways: as highlighted text in the body of a message or meeting, in the right-hand task pane when composing or reading a message or meeting, and as a button or a dropdown option in the Outlook ribbon.
  • eDiscovery: Exchange 2016 has a revamped eDiscovery pipeline that is significantly faster and more scalable. Reliability is improved due to a new search architecture that is asynchronous and distributes the work across multiple servers with better fault tolerance. You also have the ability to search, hold and export content from public folders.
  • Simplified architecture: One role! Exchange 2016's architecture reflects the way Microsoft deploys Exchange in Office 365 and is an evolution and refinement of Exchange 2013. A combined Mailbox and Client Access server role makes it easier to plan and scale your on-premises and hybrid deployments. Coexistence with Exchange 2013 is simplified, and namespace planning is easier.
  • High availability: Automated repair improvements such as database divergence detection make Exchange easier than ever to run in a highly available way. Stability and performance enhancements from Office 365, many of which were so useful that Microsoft shipped them in Exchange 2013 Cumulative Updates, are also baked into the product.

That's just a quick list of highlights; I encourage you to get a full view of what's new by reviewing the Exchange 2016 documentation on TechNet.
Or, if you are in the mood for something more bite-sized, check out the short demo videos in which a few members of the Exchange team show off their favorite features.

Exchange 2016 will follow the same servicing rhythm as Exchange 2013, with Cumulative Updates (CUs) released approximately every three months that contain bug fixes, product refinements, and selected new investments from Office 365. The first CU is expected to arrive in the first quarter of 2016.

I just started playing with the RTM and will update on under the hood changes in a future blog post.  Stay Tuned…

Until next time, Rob….

Nutanix NOS 4.5 Released…

Hello all! It's been a few weeks since my last blog post. I've been busy with some travel to Microsoft Technology Centers and working on the Nutanix Ready Program. Yesterday, Nutanix released NOS 4.5. This exciting upgrade adds some great features. Sit back and get ready to enjoy the ride; release notes below.


Table 1. Terminology Updates

  New terminology                              Formerly known as
  Acropolis base software                      Nutanix operating system (NOS)
  Acropolis hypervisor (AHV)                   Nutanix KVM hypervisor
  Acropolis API                                Nutanix API and Acropolis API
  Acropolis App Mobility Fabric                Acropolis virtualization management and administration
  Acropolis Distributed Storage Fabric (DSF)   Nutanix Distributed Filesystem (NDFS)
  Prism Element                                Web console (for cluster management); also known as the Prism web console; a cluster managed by Prism Central
  Prism Central                                Prism Central (for multicluster management)
  Block fault tolerance                        Block awareness

What’s New in Acropolis base software 4.5

Bandwidth Limit on Schedule

  • The bandwidth throttling policy provides you with an option to set the maximum limit of the network bandwidth. You can specify the policy depending on the usage of your network.

Note: You can configure bandwidth throttling only when updating an existing remote site; the option is not available while the remote site is first being configured.

Cloud Connect for Azure

  • The cloud connect feature for Azure enables you to back up and restore copies of virtual machines and files to and from an on-premises cluster and a Nutanix Controller VM located on the Microsoft Azure cloud. Once configured through the Prism web console, the remote site cluster is managed and monitored through the Data Protection dashboard like any other remote site you have created and configured. This feature is currently supported for ESXi hypervisor environments only.

Common Access Card Authentication

  • You can configure two-factor authentication for web console users that have an assigned role and use a Common Access Card (CAC).

Default Container and Storage Pool Upon Cluster Creation

  • When you create a cluster, the Acropolis base software automatically creates a container and storage pool for you.

Erasure Coding

  • Complementary to deduplication and compression, erasure coding increases the effective or usable cluster storage capacity. [FEAT-1096]

Hyper-V Configuration through Prism Web Console

  • After creating a Nutanix Hyper-V cluster environment, you can use the Prism web console to join the hosts to the domain, create the Hyper-V failover cluster, and also enable Kerberos.

Image Service Now Available in the Prism Web Console

  • The Prism web console Image Configuration workflow enables a user to upload ISO or disk images (in ESXi or Hyper-V format) to a Nutanix AHV cluster by specifying a remote repository URL or by uploading a file from a local machine.

MPIO Access to iSCSI Disks (Windows Guest VMs)

  • A new Acropolis base software 4.5 feature that enforces access control on volume groups and exposes volume group disks as dual-namespace disks, so that Windows guest VMs can reach them over iSCSI with MPIO.

Network Mapping

  • Network mapping allows you to control network configuration for the VMs when they are started on the remote site. This feature enables you to specify network mapping between the source cluster and the destination cluster. The remote site wizard includes an option to create one or more network mappings and allows you to select source and destination network from the drop-down list. You can also modify or remove network mappings as part of modifying the remote sites.

Nutanix Cluster Check

  • Acropolis base software 4.5 includes Nutanix Cluster Check (NCC) 2.1, which includes many new checks and functionality.
  • NCC 2.1 Release Notes

NX-6035C Clusters Usable as a Target for Replication

  • You can use a Nutanix NX-6035C cluster as a target for Nutanix native replication and snapshots, created by source Nutanix clusters in your environment. You can configure the NX-6035C as a target for snapshots, set a longer retention policy than on the source cluster (for example), and restore snapshots to the source cluster as needed. The source cluster hypervisor environment can be AHV, Hyper-V, or ESXi. See Nutanix NX-6035C Replication Target in Notes and Cautions.

Note: You cannot use an NX-6035C cluster as a backup target with third-party backup software.

Prism Central Can Now Be Deployed on the Acropolis Hypervisor (AHV)

  • Nutanix has introduced a Prism Central OVA which can be deployed on an AHV cluster by leveraging Image Service features. See the Web Console Guide for installation details.
  • Prism Central 4.5 Release Notes

Simplified Add Node Workflow

  • This release leverages Foundation 3.0 imaging capabilities and automates the manual steps previously required for expanding a cluster through the Prism web console.

SNMP

  • The Nutanix SNMP MIB database includes the following changes:
    • The database includes tables for monitoring hypervisor instances and virtual machines.
    • The service status table named serviceStatusTable is obsolete. Analogous information is available in a new table named controllerStatusTable. The new table has a smaller number of MIB fields for displaying the status of only essential services in the Acropolis base software.
    • The disk status table (diskStatusTable), storage pool table (storagePoolInformationTable), and cluster information table include one or more new MIB fields.
  • The SNMP feature also includes the following enhancements:
    • From the web console, you can trigger test alerts that are sent to all configured SNMP trap receivers.
    • SNMP service logs are now written to the following log file: /home/nutanix/data/logs/snmp_manager.out

Support for Minor Release Upgrades for ESXi Hosts

  • Acropolis base software 4.5 enables you to patch upgrade ESXi hosts with minor release versions of ESXi host software through the Controller VM cluster command. Nutanix qualifies specific VMware updates and provides a related JSON metadata upgrade file for one-click upgrade, but now customers can patch hosts by using the offline bundle and md5sum checksum available from VMware, and using the Controller VM cluster command.

Note: Nutanix supports patch-upgrading ESXi hosts to minor versions that are newer than, or released after, the Nutanix-qualified version, but Nutanix might not have qualified those minor releases. Please see the Nutanix hypervisor support statement in our Support FAQ.

VM High Availability in Acropolis

  • In case of a node failure, VM High Availability (VM-HA) ensures that VMs running on the node are automatically restarted on the remaining nodes within the cluster. VM-HA can optionally be configured to reserve spare failover capacity. This capacity reservation can be distributed across the nodes in chunks known as “segments” to provide better overall resource utilization.

Windows Guest VM Failover Clustering

  • Acropolis base software 4.5 supports configuring Windows guest VMs as a failover cluster. This clustering type enables applications on a failed VM to fail over to and run on another guest VM on the same or different host. This release supports this feature on Hyper-V hosts with in-guest VM iSCSI and SCSI 3 Persistent Reservation (PR).

Tech Preview Features

Note: Do not use tech preview features on production systems or storage used or data stored on production systems.

File Level Restore

  • The file level restore feature allows a virtual machine user to restore a file within a virtual machine from the Nutanix protected snapshot with minimal Nutanix administrator intervention.

Note: This feature should be used only after upgrading all nodes in the cluster to Acropolis base software 4.5.

What’s New in Prism Central

Prism Central for Acropolis Hypervisor (AHV)

Nutanix has introduced a Prism Central VM which is compatible with AHV to enable multicluster management in this environment. Prism Central now supports all three major hypervisors: AHV, Hyper-V, and ESXi.

Prism Central Scalability

The Prism Central VM requires the following resources to support the clusters and VMs indicated.

  Prism Central vCPU                                   4
  Prism Central memory (GB, default)                   8
  Total storage required for Prism Central VM (GB)     256
  Clusters supported                                   50
  VMs supported (across all clusters)                  5000
  Virtual disks per VM                                 2

Release Notes | NCC 2.1

Learn More About NCC Health Checks

You can learn more about the Nutanix Cluster Check (NCC) health checks on the Nutanix support portal. The portal includes a series of Knowledge Base articles describing most NCC health checks run by the ncc health_checks command.

What’s New in NCC 2.1

NCC 2.1 includes support for:

  • Acropolis base software 4.5 or later
  • NOS 4.1.3 or later only
  • All Nutanix NX Series models
  • Dell XC Series of Web-scale Converged Appliances

Tech Preview Features

The following features are available as a Tech Preview in NCC 2.1.

Run NCC health checks in parallel

  • You can specify the number of NCC health checks to run in parallel to reduce the time it takes for all checks to complete. For example, the command ncc health_checks run_all --parallel=25 runs 25 of the health checks in parallel.

Use npyscreen to display NCC status

  • You can specify npyscreen as part of the ncc command to display status in the terminal window. Specify --npyscreen=true as part of the ncc health_checks command.

New Checks in This Release

Each entry lists the check name, what it verifies, and the Knowledge Base article that describes it.

  check_disks
    Checks whether disks are discoverable by the host. Passes if the disks are discovered. (KB 2712)
  check_pending_reboot
    Checks whether the host has pending reboots. Passes if the host does not have pending reboots. (KB 2713)
  check_storage_heavy_node
    Verifies that storage-heavy nodes such as the NX-6025C are running a service VM and no guest VMs (KB 2726), and that such nodes are running the Acropolis hypervisor only (KB 2727).
  check_utc_clock
    Checks whether the UTC clock is enabled. (KB 2711)
  cluster_version_check
    Verifies that the cluster is running a released version of NOS or the Acropolis base software. Returns an INFO status and the version if the cluster is running a pre-release version. (KB 2720)
  compression_disabled_check
    Verifies whether compression is enabled. (KB 2725)
  data_locality_check
    Checks whether VMs that are part of a cluster with metro availability are in two different datastores (that is, fetching local data). (KB 2732)
  dedup_and_compression_enabled_containers_check
    Checks whether any container has deduplication and compression enabled together. (KB 2721)
  dimm_same_speed_check
    Checks that all DIMMs have the same speed. (KB 2723)
  esxi_ivybridge_performance_degradation_check
    Checks for the Ivy Bridge performance degradation scenario on ESXi clusters. (KB 2729)
  gpu_driver_installed_check
    Checks the version of the installed GPU driver. (KB 2714)
  quad_nic_driver_version_check
    Checks the version of the installed quad-port NIC driver. (KB 2715)
  vmknics_subnet_check
    Checks whether any vmknics have the same subnet (different subnets are not supported). (KB 2722)

Foundation Release 3.0

This release includes the following enhancements and changes:

  • A major new implementation that allows for node imaging and cluster creation through the Controller VM for factory-prepared nodes on the same subnet. This process significantly reduces network complications and simplifies the workflow. (The existing workflow remains for imaging bare metal nodes.) The new implementation includes the following enhancements:
    • A Java applet that automatically discovers factory-prepared nodes on the subnet and allows you to select the first one to image.
    • A simplified GUI to select and configure the nodes, define the cluster, select the hypervisor and Acropolis base software versions to use, and monitor the imaging and cluster creation process.

Customers may create a cluster using the new Controller VM-based implementation in Foundation 3.0. Imaging bare metal nodes is still restricted to Nutanix sales engineers, support engineers, and partners.

  • The new implementation is incorporated in the Acropolis base software version 4.5 to allow for node imaging when adding nodes to an existing cluster through the Prism GUI.
  • The cluster creation workflow does not use IPMI, and for both cluster creation and bare-metal imaging, the host operating system install is done within an “installer VM” in Phoenix.
  • To see the progress of a host operating system installation, point a VNC console at the node’s Controller VM IP address on port 5901.
  • Foundation no longer offers the option to run diagnostics.py as a post-imaging test.  Should you wish to run this test, you can download it from the Tools & Firmware page on the Nutanix support portal.
  • There is no Foundation upgrade path to the new Controller VM implementation; you must download the Java applet from the Foundation 3.0 download page on the support portal. However, you can upgrade Foundation 2.1.x to 3.0 for the bare metal workflow as follows:
      • Copy the Foundation tarball (foundation-version#.tar.gz) from the support portal to /home/nutanix in your VM.
      • Navigate to /home/nutanix.
      • Enter the following five commands, in this order:
        • $ sudo service foundation_service stop
        • $ rm -rf foundation
        • $ tar xzf foundation-version#.tar.gz
        • $ sudo yum install python-scp
        • $ sudo service foundation_service restart
      • If the first command (foundation_service stop) is skipped or the commands are not run in order, you may get bizarre errors after upgrading. To fix this, enter the following two commands:
        • $ sudo pkill -9 foundation
        • $ sudo service foundation_service restart

Release Notes for each of these products is located at:

Download URLs:

Until next time, Rob…