Building Nutanix Ready…What does it mean to be “Ready”?

Before we go into what “Ready” really means.  Every great journey has a story behind it. This will be a multi-part series starting with how I joined Nutanix and evolved myself to build a world-class program called “Nutanix Ready”. Stay Tuned, Part 1 coming very soon!  RobNutanix Ready

Microsoft Exchange Best Practices on Nutanix

To continue on my last blog post on Exchange...

As I mentioned previously, I support SE’s from all over the world. And again today, I got asked what are the best practices for running Exchange on Nutanix. Funny enough, this question comes in quite often.  Well, I am going to help resolve that. There’s a lot of great info out there, especially from my friend Josh Odgers, which has been leading the charge on this for a long time.  Some of his posts can be controversial, but truth is always there.  He’s getting a point across.

This blog post will be updated on a regular basis as things change. It will also be moved to a permanent part of the netwatch.me resources section.  This is meant to be a general best practice guide to help with planning and maintaining a healthy Exchange environment on Nutanix.  I will specify hypervisor specifics when required.  Now on the post…..

msexchange.

Let’s start out with the basics…

MS Exchange on Nutanix Support

Nutanix provides a 100% supported solution for MS Exchange running on vSphere, Hyper-V or Acropolis Hypervisor using iSCSI (Block storage)
Here is a breakdown of supported configurations by hypervisor:

vSphere (ESXi) Use In-Guest iSCSI (Volume Groups) for full support
Hyper-V Use SMB 3.0
AHV Use native vDisks (iSCSI) – SVVP Certification for AHV

Also, check out Josh’s post “Fight the FUD – Support for MS Exchange on Nutanix” that outlines this very topic.  In summary, the customer has the choice to deploy in multiple configurations to suit their needs. But, one of the most often questions I get is, “does your SVVP Certification cover running Exchange on all your supported hypervisors?”  The answer is not simple.  The SVVP was submitted for the Acropolis Hypervisor, while this does not cover all of them, we technically are supported for all hypervisors as per Microsoft supported storage architectures.  Microsoft does not specifically mention Hyperconverged, it only mentions ISCSI in regards to SAN.  IMO, that covers ESXi and AHV.

Now let me explain….SAN’s are one of the biggest modern datacenter bottlenecks. Data has gravity, so co-locating storage and compute eliminates network bottlenecks = Hyperconverged is way better than SAN and hence SUPPORTED IMO 😉

To end this topic and move on, a Nutanix customer has the choice to deploy in multiple configurations to suit their needs.  Being pushed to one particular hypervisor for a customer is not always in their best interest.  Having choices now and later is a much better approach with the overall goal of simplifying the datacenter.   As Josh said in one of his blog posts ,”Running a standard platform and storage protocol for all workloads is a simple model which reduces the unnecessary complexity of multiple protocols and/or in-guest storage configurations”, I can’t agree more with that statement. 🙂

Exchange Performance on Nutanix

Now this subject will always be controversial and potentially subject to criticism.  Internal testing performed by the Nutanix Performace and Engineering team shows that AHV and Hyper-V performance are roughly the same from a hypervisor perspective and ESXi was 10% higher. That being said, usually, the next question is how is performance versus traditional SAN/NAS.  And again, I have to point out, it’s all about Data Locality. Can’t change the laws of physics. Data has gravity, hence we will always beat traditional SAN architecture.

Check out Josh’s posts on “Peak Performance vs Real World – Exchange on Nutanix Acropolis Hypervisor”.  It gives you a better understanding of are realistic benchmarks of Exchange in general and on Nutanix. I wholeheartedly agree with Josh when he says “Benchmarks are of little value without context specific to customer requirements!”  Spending close to over 15 years building and maintain Exchange systems, I learned one hard fact, no generic simulator (like JetStress) can show real world metrics.

Data Reduction Technologies with Exchange on Nutanix

Recommendation:
1 vDisk per Database, 1 vDisk per DB Logs
1 Container with RF2, In-Line Compression & EC-X for Databases
1 Container with RF2 for Logs
Do not use Dedupe with MS Exchange!
Reference: https://technet.microsoft.com/en-us/library/ee832792(v=exchg.150).aspx
Microsoft does not support Data deduplication (Note: Underlying storage deduplication such as Nutanix dedupe is not mentioned, but implied)

Data Reduction Estimates:

Rule of thumb: Always size without data reduction if possible.
Conservative assumption for compression for Exchange = 1.3:1
Aggressive assumption for compression for Exchange = 1.6:1
Conservative assumption for EC-X for Exchange = 1.1:1
Aggressive assumption for EC-X for Exchange = 1.25:1

Questions to ask yourself when planning an Exchange Environment:

How many Users? e.g.: 10000, 10000, etc.
How many user profiles do you need? e.g.: 2 , Standard and Executives
How large Mailbox (excluding archiving) per User? e.g.: 1GB, 2GB , 5GB
How many messages per day do you want to support per user? Light = 50 , Medium = 100 , Heavy = 150+

Do you require site resiliency?

These are among some of the basic questions you need to answer.  This is where the Exchange Server Role Calculator comes in. It’s a great tool, but like any tool, you do need to give it good input to get out good output. The function of the tool is as the name implies.

Exchange Server Role Calculator Defined

Now, at the time of this writing, version 7.8 is the latest and greatest. Now, do note, I would not call this tool perfect, but its gets you pretty close. Like anything else, the Exchange team is still learning real world behavior and this is where a good experienced Exchange engineer comes into play.

IMO..there is an Art and Science to sizing Exchange.  The days of Exchange just being a simple mail server are far over. These days, it’s much more complex with supporting multiple forms of ingress and egress traffic for different functions (Mobile, Web, SMTP, Skype Integration, etc.). Each of these different functions has varying load considerations and supports more visible features like Outlook Web Access and Exchange Activesync. Also, I still am of the opinion that it does not take into consideration the number of devices that 1 mailbox services.
exchangecomplex
Considering this complexity, you can see that undersizing or oversizing can happen easily.  If you size correctly at the beginning with Nutanix, then it just an easy scale out, buy as you need it situation. Then you know what happens, finally for the first time, predictability in your budgets.  I remember the days, not that long ago, when I had to have a client retire a SAN, not for space constraints, but for IO constraints.  And at the time, all I got from the client was “can’t we use it for something else” and ya, I’ve replied with “use it as a WSUS repository for patching the Exchange environment” 😉

During my next post, I will dive into the Exchange Role Calculator much more and go over some examples of sizing on Exchange. We’ll mainly focus on mailbox storage and then move on to other role sizing considerations.  I also plan to cover the other aspects to maintain a healthy Exchange environment (i.e. Message Hygiene, Global and Local Load balancing, Integrations and End User Experience) in subsequent posts.
Below are the Office Best Practices Guides from Nutanix and some public case studies.

Until next time, Rob…..

Nutanix Offical Best Practice Guides
MS Exchange on Nutanix / vSphere Best practice guide: http://go.nutanix.com/VirtualizingMicrosoftExchangeonWeb-ScaleConvergedInfrastructure.html

Public Case Studies for Nutanix customers using Exchange
Richter: http://go.nutanix.com/rs/nutanix/images/Nutanix-Case-Study-Richter.pdf
Riverside: http://www.nutanix.com/resource/riverside-for-riversides-server-and-storage-consolidation-nutanix-fits-like-a-glove/

Nutanix App for Splunk – Just Released

nutanix-US Nutanix App for Splunk

Nutanix App for Splunk

A Video Walkthrough on installation, configuration and demo of the Nutanix App for Splunk.  Also, included is demo of Splunk Mobile running the Nutanix App versys Safari running Prism. To learn more about Splunk, and details on this app, check out Andre’s Leibovici @andreleibovici blog post.  Happy Splunking 🙂

Until next time, Rob…

Nutanix NOS 4.6 Released….

On February 16, 2016, Nutanix announced the Acropolis NOS 4.6 release and last week was available for download. Along with many enhancements, I wanted to highlight several items, including some tech preview features.
Also, checkout this excellent video with Nutanix’s Tim Isaacs and Raghu Nandan in which they go into more detail on the updates included in Acropolis 4.6 and the interviewer is my buddy Chris Brown.
Tim Isaacs and Raghu Nandan from Nutanix HQ about some of the important updates in Acropolis 4.6.

1-Click Upgrades – BIOS and BMC Firmware
The 1-Click upgrade for BIOS and BMC firmware feature is available for Acropolis hypervisor (AHV) and ESXi hypervisor host environments running on NX-xxxx G4 (Haswell) platforms only.
Acropolis App Mobility Fabric: Windows or Linux Guest Customization
Customize or clone Windows or Linux guest VMs hosted by AHV. Includes automated OS installation and custom ISOs by using sysprep (Windows) or cloudinit (Linux).
Acropolis Drivers for OpenStack
These drivers facilitate consuming the Nutanix Acropolis infrastructure as a cloud service or for use in a data center. For example, an OpenStack implementation might require using features such as single sign-on, orchestration, role-based access control, and so on. Drivers include Acropolis compute, image, volume, and network drivers.
Convert Cluster Redundancy Factor from RF-2 to RF-3
Convert a cluster created with redundancy factor 2 (RF-2) to RF-3 through the ncli cluster set-redundancy-state command. This increases the cluster fault tolerance.
Cross Hypervisor Disaster Recovery
Cross-hypervisor disaster recovery provides an ability to migrate the VMs from one hypervisor to another (ESXi to AHV or AHV to ESXi) by using the protection domain semantics of protecting VMs, taking snapshots, replicating the snapshots, and then recovering the VMs from the snapshots. To perform these operations, you need to install and configure NGT on all VMs.
Guest VM VLAN Trunking
AHV supports guest VM VLAN tagging, where the tag passes through a single port from the physical network to a VM. It allows the VLAN ID tags to be included in an Ethernet packet to be passed to the guest VM. Guest VM operating systems can use this feature to enable Virtual Guest Tagging (VGT) and simulate multiple virtual NICs.
More Backup and Data Recovery/Replication Features

  • Snapshot and Async DR for volume groups.
  • Application-consistent snapshots on AHV and ESXi by using the Nutanix native in-guest Volume Shadow Copy Service (VSS) agent for all VMs that support Microsoft’s VSS. Nutanix Guest Tools provides application-consistent snapshot support for Linux VMs by running specific pre-freeze and post-thaw scripts on VM quiesce.
  • Integrated snapshot management from an AHV cluster to a CommVault solution

Nutanix Guest Tools

  • Nutanix Guest Agent (NGA) service. Communicates with the Nutanix Controller VM.
  • File Level Restore (FLR) CLI. Performs self-service file-level recovery from the VM snapshots.
  • Nutanix VM Mobility Drivers. Facilitates distribution of drivers required for VM migration between ESXi and AHV, in-place hypervisor conversion, and cross-hypervisor disaster recovery (CH-DR) features.
  • VSS requestor and hardware provider for Windows VMs. Enables application-consistent snapshots of AHV or ESXi Windows VMs.
  • Application-consistent snapshot for Linux VMs. Supports application-consistent snapshots for Linux VMs by running specific scripts on VM quiesce.

Self-Service Restore
Self-service restore allows a user to restore a file within a virtual machine from the Nutanix protected snapshot with minimal Nutanix administrator intervention. This feature is supported on Nutanix clusters running the ESXi and Acropolis hypervisors only.

Tech Preview Features
In-Place Hypervisor Conversion
This 1-click feature available through the Prism web console allows you to convert your cluster from using ESXi hosts to using AHV hosts. Guest VMs are converted to the hypervisor target format, and cluster network configurations are stored and then restored as part of the conversion process.
Native File Services
Provides file server capability within a Nutanix AHV cluster, as one or more network-attached VMs, to form a virtual file server.
To download the update, you can go to my.nutanix.com and go to support, downloads section or you can upgrade to 4.6 within Prism.  Until next time, Rob

Understanding Windows Azure Pack – Reconfigure portal names, ports and deploy certificates – Part 6

happynewyear1 Windows Azure Pack
Happy New Year Everyone!!!  I know Azure Stack is just around the corner, but I still get lots of questions around configuring WAP and portals. So to follow-up my Windows Azure Pack (WAP) series, I am going to talk about reconfiguring server names and ports as well as assigning trusted certificates to my WAP Portals.

If you missed other parts of the series, check links below:
Part 1 – Understanding Windows Azure Pack
Part 2 – Understanding Windows Azure Pack – Deployment Scenarios
Part 3 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Environment Prep
Part 4 – Deploying Service Provider Framework on Nutanix
Part 5 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Windows Azure Pack Install

In this blog post, we will look at how you can change portal names and ports for the Tenant and Admin portals in WAP.

Once we are done with that, we are going to issue certificates from an Enterprise CA to the Admin portal as well as issuing a certificate to the Tenant Portal. As I don’t have a Public CA Certificate,  I’m going to use one from my Enterprise CA, but the concept for a Public CA is exactly the same as if I was using certificates from a trusted CA like VeriSign, DigiCert or similar.
wap-reconfig1 Windows Azure Pack
Windows Azure Pack Tenant Portal


Architecture:

Windows Azure Pack has different components which serve various functions as I mentioned in previous blog posts.
By looking at the roles being installed on a WAP Server for an express install, we can see a long list of Web Services running on the WAP Server. These different Web Services provide various roles within the WAP Infrastructure
In this lab scenario, we will be working with the following Web Services:

  • WAP Tenant Portal Service (MgmtSvc-TenantSite): Hosts the WAP Tenant Portal
  • WAP Tenant Authentication Service (MgmtSvc-AuthSite): Hosts the authentication for tenants
  • WAP Admin Portal Service (MgmtSvc-WindowsAdminSite): Hosts the Admin Portal
  • WAP Admin Authentication Service (MgmtSvc-WindowsAuthSite): Hosts the Admin Authentication

wap-config2 Windows Azure Pack

When a tenant accesses the WAP Tenant portal (exposed to the Internet) they will be redirected to the WAP Tenant Authentication Service to validate if the user is allowed to access the system, once the WAP Tenant Authentication service has validated the user, it will be redirected back to the WAP Tenant portal with access to WAP services. The tenant authentication service uses claim based authentication and can use different authentication methods like Active Directory Federation Services (ADFS) or .Net. In this scenario we are using default authentication (.Net), in the future blog post, I will tie in ADFS.

In the my lab setup these services are running on the same server (WAP01.contoso.com) as shown above..

A similar scenario happens when a WAP Administrator accesses the WAP Admin portal (only accessible on the internal network), the WAP admin portal will redirect the admin to the WAP Admin Authentication service which by default uses Windows Authentication. Once Windows Authentication service has authenticated the user, the user is redirected back to the WAP Admin portal with access to WAP.


Scenario:

After Installing and configuring Windows Azure Pack with the basic settings for the Contoso.com lab setup, the next steps are to configure the following:

  • Change WAP portal name.
  • Configure tenant and admin portals to run on port 443 (Https).
  • Replace the self-signed certificates with certificates provided by the enterprise CA (and consequently remove the warnings displayed in Internet Explorer due to the self-signed certificates).
  • Change the WAP Tenant Portal to use an internet facing url.
  • Change the WAP Tenant Authentication site to use the public web address that is also used by the WAP Tenant Portal.

The servers for this lab are configured as follows:

Role Name Function
Active Directory DC01.contoso.com Active Directory, ADFS, Certificate Server
Windows Azure Pack WAP01.contoso.com Windows Azure Pack Express Install
Service Provider Foundation SPF01.contoso.com Service Provider Foundation
SQL Server DB02.contoso.com SQL Instance hosting the WAP databases
Virtual Machine Manager VMM01.contoso.com Virtual Machine Manager 2012 R2 managing one Nutanix Hyper-V Cluster

The portals DNS names will be renamed to the following:

  • WAP Admin Portal: wapadmin.contoso.com port 443
  • WAP Tenant Portal Internal: WAPCloud.contoso.com port: 443
  • WAP Tenant Auth: wapcloud.contoso.com port: 444

Disclaimer: This environment is meant for testing only. This should not be considered guidance for production use, as several decisions made in this blog post are not targeting a production environment.

Reconfigure portal names for Windows Azure Pack

As the two WAP Portals by default (in our lab setup) are installed with https://wap01.contoso.com:30081 for the Tenant Portal and https://WAP01.contoso.com: 30091 for the Admin Portal we want to change these to use more portal friendly names.

To accomplish this, we need to do the following:

  • Create a DNS record for the new portals.
  • Install and configure an enterprise CA.
  • Request certificates for WAP Web Services from the CA.
  • Change ports and assign certificates for WAP Services.
  • Update Windows Azure Pack with the new web service modifications.

Create a DNS record for the new portals

  1. Logon to the DNS server.
  2. Start DNS Manager
  3. Expand dc01 > Forward Lookup Zone > <Yourdomain> (e.g. contoso.com)
  4. Right click on <Yourdomain> and select New Host (A-Record)
  5. Provide the DNS name and the IP address of the WAP Admin Server (e.g. Name: wapadmin, IP: 192.168.1.40)
    wap-reconfig4 Windows Azure Pack
  6. Create the other DNS name for the remaining portal (e.g. wapcloud,) and provide the WAP01 IP address as all roles are installed on the same server in the lab setup.
  7. Verify that the DNS records shows in the list.
    5wap-reconfig4 Windows Azure Pack
  8. Close the DNS Manager.

Use trusted certificates for the Windows Azure Pack

In order to use CA signed certificates in our Lab environment we need to do the following:

  • Install a CA Server
  • Configure the CA Server
  • Request Web Server certificates from the CA Server
  • Change Web Sites to use certificate.

Install a CA Server

  1. Logon to the server that will be running the CA Server (e.g. DC01)
  2. Start Server Manager.
  3. Select Dashboard on the left.
  4. Click Add roles and features.
  5. Click next to: before you begin, Installation type and server selection.
  6. In Server Roles select Active Directory Certificate Services under Roles.
  7. Click next to features.
  8. Under Role Services Select the following: Certification Services, Certificate Enrolment Policy.., Certificate Enrolment Web, Certification Authority..
  9. Accept the add-ons and click next to Web Role Services.
  10. Click Install.
  11. Verify that the install finishes with success.

Configure CA Server

  1. On the CA Server start Server Manager as a user that is member of Enterprise Admins.
  2. Select AD CS on the left.
  3. A message will show in the main window:
    wap-reconfig6 Windows Azure Pack
  4. Click on More.
  5. In the server task details click on Configure Active Directory Cert.
  6. Select All Roles to configure except for Web Service and click Next.
  7. Select Enterprise CA.
  8. Select Root CA.
  9. Select Create a new private key and click next.
  10. Click next to cryptography.
  11. Click next to CA Name and keep default. wap-reconfig8 Windows Azure Pack
  12. Keep 5 years and click next
  13. Click next to Certificate Database
  14. Select Windows Integrated auth.. and click next
  15. Under Server Certificate Select Choose and assign a certificate for SSL later and click next
  16. Click Configure
  17. Click Close

Change WEB Sites to use Certificate

Issue Certificate for the WAP Admin Portal

  1. Logon to the WAP Server as an administrator (e.g. wap01.contoso.com)
  2. Open IIS Manager on the WAP Portal Server
  3. Select the IIS server under connections
  4. In the main window select server certificates under IIS
  5. In the right windows select create a domain certificate
  6. Specify the following:
  7. WAPAdmin FQDN under common name (e.g. wapadmin.contoso.com)
  8. Organization: Contoso
  9. Organ unit: NA
  10. City NA
  11. State NA
  12. Click Next
  13. Select a CA and provide the friendly name for the certificate (e.g. wapadmin.contoso.com) wap-reconfig9 Windows Azure Pack
  14. Click Finish
  15. Verify that the certificate shows in the list of certificate wap-reconfig10 Windows Azure PackWe now have a web certificate, which we can use for the WAP Admin Portal.
  16. Request two more certificate following the same procedure:
    1. WAP Authentication: wap01.contoso.com
    2. WAP Tenant Portal Internal: WAPCloud.contoso.com
  17. There should now be three certificates in the Web Server Certificate list from Contoso CA. wap-reconfig11 Windows Azure Pack

Change ports and certificates for the WAP Admin Portal

  1. Logon to the WAP server as Administrator (This assumes it’s an express install).
  2. Start ISS Manager.
  3. Expand IIS Server > Sites.
  4. Right click on MgmtSvc-AdminSite and select edit bindings.
  5. Select https 30091 and select edit.
  6. Change port to 443.
  7. Set hostname to wapadmin.contoso.com.
  8. Select the certificate from the drop down list which was created earlier from the CA. wap-reconfig12 Windows Azure Pack
  9. Click Ok.
  10. Restart the Web Site.
  11. Right click on MgmtSvc-WindowsAuthSite and select edit bindings.
  12. Select the certificate from the list wap01.contoso.com.
  13. Click Ok.

Change ports and certificates for the WAP Tenant Portals

The following steps needs to be done in order to change ports and certificates for the tenant portal.

  1. Logon to the WAP server as Administrator (This assumes it’s an express install).
  2. Start ISS Manager.
  3. Expand IIS Server > Sites.
  4. Right click on MgmtSvc-TenantSite and select edit bindings.
  5. Select https 30081 and select edit.
  6. Change port to 443.
  7. Set hostname to wapcloud.contoso.com.
  8. Select wapcloud.contoso.com in the drop down list for certificates
  9. Click Close
  10. Right click on MgmtSvc-AuthSite and select edit bindings
  11. Select https 30071 and select edit.
  12. Change port to 444.
  13. Select wapcloud.contoso.com in the drop down list for certificates.
  14. Restart the MgmtSvc-TenantSite Web Site from the action menu.
  15. Restart the MgmtSvc-AuthSite Web Site from the action menu.

Update Windows Azure Pack with the new settings

Updating the Windows Azure Admin Portal

The TechNet documentation can be found here: Reconfigure FQDNs and Ports in Windows Azure Pack
To update WAP with our modifications the following commands needs to be executed, where we will use the values used in the scenario.

  • Set-MgmtSvcFqdn: This command will update the FQDN names for the modified services in the WAP Database.
  • Set-MgmtSvcRelyingPartySettings: This command will set the relay location for the WAP authentication service (Tenant or Admin)
  • Set-MgmtSvcIdentityProviderSettings: This command will update the authentication service where redirects will be redirected once verified.
We will be using the following arguments while executing the commands:
WAP Database Server:  db02.contoso.com
WAP Database user:    sa
Admin Portal FQDN:    wapadmin.contoso.com
Admin Portal Port:    443
Admin Auth Service:   wap01.contoso.com:30072
To update the modification made to WAP Services in the WAP database do the following.

  1. Logon to the WAP Server as a WAP Administrator.
  2. Start a PowerShell window.
  3. Import the WAP PowerShell module:

    Import-Module -Name MgmtSvcConfig

  4. Update WAP Admin Portal with the updated FQDN settings by running the following command:

    Set-MgmtSvcFqdn -Namespace “AdminSite” -FullyQualifiedDomainName “wapadmin.contoso.com” -Port 443 -Server “db02”
    3wap-reconfig12 Windows Azure Pack

  5. To set the WAP authentication service FQDN for the admin portal run the following command.Set-MgmtSvcRelyingPartySettings –Target Admin –MetadataEndpoint ‘https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString “Data Source=db02.contoso.com;User ID=sa;Password=*******”
    wap-reconfig2 Windows Azure Pack
  6. To set the authentication service redirection location to the admin portal run the following command:Set-MgmtSvcIdentityProviderSettings –Target Windows –MetadataEndpoint ‘https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString “Data Source=db02.contoso.com;User ID=sa;Password=********”
    wap-reconfig17 Windows Azure Pack

Updating the Windows Azure Tenant Portal

The following attributes are used for configuring the WAP Tenant Portal.
WAP Database Server: db02.contoso.com
WAP Database user: sa
Tenant Portal FQDN: wapcloud.contoso.com
Admin Portal Port: 443
Admin Auth Service: wapcloud.contoso.com:444
To update the tenant portal do the following:

  1. Logon to the WAP Server as an Administrator.
  2. Start PowerShell.
  3. Import the WAP PowerShell module:
    Import-Module -Name MgmtSvcConfig
  4. Update WAP Tenant Portal with the updated settings by running the following command:

Set-MgmtSvcFqdn -Namespace “TenantSite” -FullyQualifiedDomainName “wapcloud.contoso.com” -Port 443 -Server “db02”
wap-config1 Windows Azure Pack

5. Update WAP Tenant Auth Site with the updated settings by running the following command:

Set-MgmtSvcFqdn -Namespace “AuthSite” -FullyQualifiedDomainName “wapcloud.contoso.com” -Port 444 -Server “db02”
wap-config2 Windows Azure Pack

6. To set the WAP authentication service FQDN for the tenant portal run the following command.

Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint ‘https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString “Data Source=db02.contoso.com;User ID=sa;Password=********”
wap-config3 Windows Azure Pack

7. To set the authentication service redirection location to the admin portal run the following command.

Set-MgmtSvcIdentityProviderSettings –Target Membership –MetadataEndpoint ‘https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString “Data Source=db02.contoso.com;User ID=sa;Password=********”wap-config4 Windows Azure Pack

Verify the WAP modification works.

Pre-requisite: As we don’t have a public certificate for my lab setup we are going to install the CA certificate on the computers in the Trusted Certificates store from where we will access the WAP Portals.

  1. Login to a computer as a user that has WAP Admin Portal access.
  2. Start a browser.
  3. Type the URL that the WAP Admin Portal was changed to (E.g. https://wapadmin.contoso.com)

    Verify that the WAP Admin Portal loads using the new URL

wap-config5 Windows Azure Pack
Verify that the tenant portal works by opening a browser and go to https://wapcloud.contoso.com.
During the authentication sign-in process note the redirection to the wapcloud.contoso.com:444 authentication site.
wap-config6 Windows Azure Packwap-config7 Windows Azure Pack

Verify that after login the login redirects you back to the WAP Portal.

wap-config8 Windows Azure Pack

Summary

The goal with this blog post was to show how it’s possible to reconfigure portal names, ports and use certificates after deploying the Windows Azure Pack and I think I’ve done that.  But, as always, if you have any questions or comments, let me know…..

Until next time, Rob.

Exchange Backup Craziness – Log File Cleanup

Exchange Backup Craziness

“Often, you hear about something weird and un-supported, and feel like you have to share it”.

I often get calls and questions regarding backups and Exchange Server, and most backup technologies are not always working as required or as you would expect, but that’s off-topic.

One of the most common stories is that without a working Exchange Server backup, when you perform massive mailbox moves or no backup at all, the transaction logs will get piled and fill up the volume that they reside in. and then panic starts, “hey my databases were dismounted…” then of course the administrator realizes that the space on the log drive or volume has indeed ran out and now he needs to figure out what to delete. On Nutanix, we simply can solve this by extending the container that the logs live in, but what if you rely on snapshots for backups.

I had a customer reach out to me running Exchange 2007 with CCR ( Cluster Continuous Replication) on Nutanix. Yes, you heard me right, Exchange 2007 ;).  They are planning on migrating to Exchange 2013 in the next year or so, but need to get from A to B for budgetary reasons until then.  The only form of backup the customer has is to use Nutanix daily snapshots.  The customer understands the painful process of restoring an individual mailboxes from snapshots and not having up to date recovery that logs provide along with the point in time database backup, but its a risk they are willing to take as opposed to having nothing. They reached out to me and asked, how do cleanup logs that are piling up. And so here’s where this post comes in…

My blog article suggests that you cannot sustain downtime or interruption for your users while battling with deleting log files or restoring your working backup solution. If you can sustain a downtime (should be around minutes or so) the easiest method will be to enable Circular Logging on your database / storage group – see more here –

The customer needs to be able to purge the committed logs so they don’t fill up their disk space.  So how can you delete or purge Exchange server logs without any risk? well, in simple – you cannot, its built-in by design, because the whole idea of restoring an Exchange or for this matter any transnational database requires you to have a first – “full” backup of the database itself and all transaction logs that were generated since the date of the database creation date, or the last “successful” “full backup”.

Now here’s a nice method to “fake” a “full backup” or an on-demand transaction logs purge when you see you will be soon out of space, using the Exchange VSS writers and the diskshadow utility (available with Server 2008R22012R2) . This procedure also “proves” that a VSS backup for your Exchange Server will work normally.

Please note: This method was tested on an Exchange 2010 server with using a Nutanix block NX-3460-G4. Use this method on your risk.  This is not supported by Nutanix or Microsoft.. You should perform a “Snapshot” before and right after this process is done.

How to manually purge Exchange server logs – with ease

This example will show you how to purge the logs for a database that is located on Drive D, the log files of the databases are also located in Drive D. we will “fake backup” drive D and this will trigger the logs to be purged.Note: If you have separated your log files and database file in different drives, or you want to include additional databases in the “backup” you must include the additional drives in the process, so in the example below, you will “Add volume e:” after “Add volume drive d:” and so on…

  1. Open Command prompt
  2. Launch Diskshadow
    1. Add volume d:
    2. (optional, add one line for each additional drive to include) Add volume X:
    3. Begin Backup
    4. Create
    5. End Backup
  3. At this step you should notice the following events in the application log indicating that the backup was indeed successful and logs will now be deleted.

Here’s some screenshots of the process:Exchange Backup Craziness
The Diskshadow example screenshot.

ESE – Event ID 2005 – Starting a Full Shadow Copy Backup

MSexchangeIS – Exchange VSS Writer preparation.
ESE Event ID 224 – Logs are now purged

MSExchangeIS Event ID 9780 – Backup is now complete.

Final Note: although this example was tested against Exchange 2010, it should work just as fine with Exchange 2016/2013 & 2007

Until next time, Rob.