Bringing Legacy Blog Back to Cover Legacy Products

Just about a year ago, I moved all new posts over to Technet.com. In spite of that, this blog still continues to get much attention due to a lot of the existing content proving to be very useful for users. For that I am extremely happy to help and it recently gave me an idea. I have been mulling over how I should focus my current blog over at Technet with regards to information, guidance, and support tips. While I have a lot of great information coming (a lot of new products/product versions in the pipeline) I also have a wealth of information I’ve been needing to post tat was related to existing products and legacy products (Softgrid/App-V 4.x/MED-V V1, etc.) I also realize there is a strong user community and install base still present who may not be moving off until the products get closer to end of life.

– Steve Thomas

With this said, I decided that I would use this blog on WordPress in the future for legacy product information (App-V 4.x/Softgrid/MED-V V1/VMM 2008/VPC) while keeping my blog over at Technet more related to current and forward technologies (App-V 5.0/UE-V/Hyper-V 2012/Win8/Win2012.)

SCVMM: Service Principal Names (SPNs) Required for Proper SCVMM 2008 Functionality

SCVMM 2008, 2008 R2, as well as future versions of SCVMM rely on kerberos and kerberos delegation functionality for its security and authentication model. You may encounter various problems with SCVMM related to authentication and authorization if the underlying platform service principal names (SPNs) are not properly set.

There are all sorts of problems ranging from console authentication, to SQL access, or even host access for the purposes of accessing virtual machines managed by SCVMM. All of these problems cann be caused when delegation is failing possibly due to incorrect or missing SPNs (Service Principal Names.)

 

The resolution is to verify and correct any configuration issues with kerberos delegation, often correcting problems related to SPNs not being registered – or even duplicate SPNs.

 

You can use the SETSPN command to check for duplicate SPNs and to create missing ones if needed. Please note not all SPNs may be required as that will vary based on what server roles are installed. SETSPN is a default external command in both Windows Server 2008 and 2008 R2. For Windows Server 2003, I would recommend downloading the SETSPN update for Windows Server 2003. More information and download links are found here:

 

http://support.microsoft.com/kb/970536

 

The following list below lists all of the SPNs that may be required relating to their corresponding components. Since SCVMM is a management interface that sits on top of so many different platform components, incomplete or improper delegation at these component layers will cause problems in SCVMM functionality.

 

Hyper-V Virtual Consoles:

For Virtual Console Support for Hyper-V Hosts (VMCONNECT.EXE) – This will be required on Hyper-V Hosts. Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual Console Service/HOSTNAME" computername 
setspn -s "Microsoft Virtual Console Service/hostname.fqdn.etc" computername 

For P2V Support.

Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual System Migration Service/hostname.fqdn.etc" computername 
setspn -s "Microsoft Virtual System Migration Service/hostname" computername 

 For VS2005 Hosts and the VMRC utility

– This will be required on Virtual Server 2005 Hosts. Use the following command to set and verify SPNs.

setspn -s vmrc/hostname.fqdn.etc:5900 computername 
setspn -s vmrc/hostname:5900 computername 
setspn -s vssrvc/hostname.fqdn.etc computername 
setspn -s vssrvc/hostname computername 

For RDP Support.

Use the following command to set and verify SPNs.

setspn -s TERMSRV/hostname.fqdn.etc computername 
setspn -s TERMSRV/hostname computername 

 For all Hosts.

Use the following command to set and verify SPNs.

 setspn -s HOST/hostname computername 
setspn -s HOST/hostname.fqdn.etc computername 

 HTTP (may needed for authentication on SSP if VMM server is using Remote SQL.)

Use the following command to set and verify SPNs.

setspn -s HTTP/hostname.fqdn.etc computername 
setspn -s HTTP/hostname computername 

 SQL VMM Database

Depends on port and instance type: 

Named Instance.

Use the following command to set and verify SPNs.

 setspn -s MSSQLSvc/hostname.fqdn.etc:Port computername

setspn -s MSSQLSvc/hostname.fqdn.etc:InstanceName computername 

 Default Instance.

Use the following command to set and verify SPNs.

setspn -s MSSQLSvc/hostname:1433 computername 
setspn -s MSSQLSvc/hostname.fqdn.etc:1433 computername 
 

Here are some links to some excellent articles:

http://msdn.microsoft.com/en-us/library/ee191523.aspx

http://support.microsoft.com/kb/929650

Planning for a Microsoft VDI Deployment

In the past, desktop virtualization administrators have used Microsoft for only part of their VDI (virtual desktop infrastructure) while using solutions from VMWare of Citrix as the primary basis.

You may be already familiar with Microsoft’s client-hosted enterprise desktop virtualization solution – MED-V. VDI is Microsoft’s server-based desktop virtualization solution combining all of the following for engine support all the way to complete end-to-end management:

• Hyper-V
• Windows 7
• Windows Server 2008 R2
• System Center Virtualization Manager
• Remote Desktop Services
• RemoteFX

Windows Server 2008 R2 Service Pack 1 adds two new components (RemoteFX and Dynamic Memory) that fill two holes related to management flexibility and user experience that now make Microsoft almost a non-brainer choice for your VDI solution.

Microsoft’s virtualization main page is found here:

http://www.microsoft.com/virtualization/en/us/products-desktop.aspx

First things first,

Licensing Information regarding VDI. One of the first things customers want to know is what are the costs and the potential cost savings:

http://blogs.technet.com/b/virtualization/archive/2009/07/13/microsoft_1920_s-new-vdi-licensing_3a00_-vdi-suites.aspx

In terms of how it works, here is Microsoft’s VDI solution at a high level:

http://blogs.msdn.com/b/rds/archive/2009/08/19/microsoft-vdi-overview.aspx

The next items of concern are often what infrastructure changes will need to be made. Moving to a VDI environment will require the presence of a Windows 2008 or Windows 2008 R2 domain controller (depending on the Hyper-V/RDS platform being used.) You will also need to update the schema accordingly to support these domain controllers and subsequent services required for the VDI environment.

Here are the outlines of the Windows 2008 and Windows 2008 R2 Schema changes:

Windows 2008:

http://technet.microsoft.com/en-us/library/cc730930(WS.10).aspx

Windows 2008 R2:

http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx

You will need to have Windows 2008 Schema changes minimally however, the minimum AD domain level supported is Windows 200 native. Windows 200 mixed or Windows 2003 interim are not supported.

From: http://technet.microsoft.com/en-us/library/dd883277(WS.10).aspx

The following are important considerations about assigning a personal virtual desktop to a user in AD DS:

• To deploy personal virtual desktops, your schema for the Active Directory forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer running Windows Server 2008 R2 or a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.
• You must use a domain functional level of at least Windows 2000 Server native mode. The functional levels Windows 2000 Server mixed mode and Windows Server 2003 interim mode are not supported.
• Ensure that the RDVH-SRV computer meets the Hyper-V installation prerequisites (http://go.microsoft.com/fwlink/?LinkId=122183).
•  The user account and the virtual machine must both be members of an Active Directory domain.
• Personal virtual desktops can only use Windows client operating systems. You cannot install Windows Server® 2008 R2 on a virtual machine and assign it as a personal virtual desktop.
• A user can be assigned only one personal virtual desktop at a time.
• A virtual machine can be assigned as a personal virtual desktop to only one user at a time.
• The name of the virtual machine in the Hyper-V Manager tool must match the fully qualified domain name (FQDN) of the computer.

 Sizing Concerns:

Alongside of instructure changes and concerns is capacity planning. Here is a good webcast on planning and sizing session virtualization and bandwidth for VDI:

 http://www.microsoft.com/showcase/en/us/details/5e9fe509-a9e2-43a0-99e9-c79b655a3412

 And a good document as well:

 http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=bd24503e-b8b7-4b5b-9a86-af03ac5332c8

 RD Web Access Information:

 http://technet.microsoft.com/en-us/library/dd883265(WS.10).aspx

 RD gateway Information:

 http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx

 Why VDI for Hyper-v Whitepaper:

 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f0533021-ca5a-4330-b839-1efedad14479

 Windows 2008 R2 SP1’s RemoteFX feature for Hyper-V

 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5F630FFC-5F30-4B5F-8B2B-8AFB42E14D35&displaylang=en

 If you have time, also check out the VDI videos on technet Edge:

 http://technet.microsoft.com/en-us/edge/ff832960.aspx?query=1&Category=virtualboy