vcloudnine.de ... virtualization on cloud 9
https://www.vcloudnine.de

VCAP6.5-DCV Design – Objective 2.2 Map service dependencies
https://www.vcloudnine.de/vcap6-5-dcv-design-objective-2-2-map-service-dependencies/
Fri, 01 Nov 2019 14:02:47 +0000

This blog post covers objective 2.2 (Map service dependencies) of the VCAP6.5-DCV Design exam. It is based on the VMware Certified Advanced Professional 6.5 in Data Center Virtualization Design (3V0-624) Exam Preparation Guide (last update August 2017).

The necessary skills and abilities are documented in the exam prep guide for the older VCAP6-DCV Design exam (3V0-622). I think they also apply to the current version of the exam:

  • Evaluate dependencies for infrastructure and application services that will be included in a vSphere design
  • Create Entity Relationship Diagrams that map service relationships and dependencies
  • Analyze interfaces to be used with new and existing business processes
  • Determine service dependencies for logical components
  • Include service dependencies in a vSphere 6.x Logical Design
  • Analyze services to identify upstream and downstream service dependencies
  • Navigate logical components and their interdependencies and make decisions based upon all service relationships

Let’s start with the first topic of this objective.

Evaluate dependencies for infrastructure and application services that will be included in a vSphere design

This topic covers two different parts of our vSphere design:

  • infrastructure, and
  • application services

You should clarify which components of your design depend on each other, or whether they depend on components that are not part of your design. For example, VMware HA needs shared storage, and VMware ESXi needs NTP and DNS to work properly.

The same applies to the application services (or applications) that are part of your design. What dependencies do they have? Imagine a three-tier application with database, application logic and web frontend.

You must be able to identify and describe these dependencies.

Create Entity Relationship Diagrams that map service relationships and dependencies

If you are able to identify and describe the dependencies, you must also be able to create an Entity Relationship Diagram (ER diagram) to visualize these dependencies.

Do your homework and try to identify these dependencies at the beginning. Tools like the vRealize Infrastructure Navigator can help you to identify them.

Analyze interfaces to be used with new and existing business processes

It is pretty important to understand how systems interact. To gain this knowledge, you have to analyze the interfaces of business processes. This doesn’t mean that you have to click through ERP applications, but you should get familiar with how processes are tied together.

Determine service dependencies for logical components

You also have to identify the service dependencies for the logical components in your design. You can use tools like vRealize Operations Manager or the Infrastructure Navigator to get the necessary information.

Include service dependencies in a vSphere 6.x Logical Design

The identified service dependencies have to be included in the logical design. This is a pretty important step and you should give it the necessary attention. Tables and ER diagrams will help you at this step.

Analyze services to identify upstream and downstream service dependencies

An upstream service is a service that another service relies on and that is therefore mandatory for it. Downstream services need upstream services to work properly. For example: DNS is an upstream service for Active Directory.

Understanding upstream and downstream services is important for things like startup/shutdown plans.

Navigate logical components and their interdependencies and make decisions based upon all service relationships

You should visualize the service dependencies. This will help you to evaluate the impact if a service fails and how services interact with each other.

Summary

Most of the topics in this objective overlap. Basically, everything is about understanding how things are connected and interact. This will help you to get a better understanding of dependencies and of which services are crucial for the business or your solution.

Think again of DNS. None of us will ever build a solution with a single DNS server, because nearly everything will melt down if DNS is not available. DNS is a perfect example of an upstream service.

Load balancing ADFS and ADFS Proxy using Citrix ADC
https://www.vcloudnine.de/load-balancing-adfs-and-adfs-proxy-using-citrix-adc/
Mon, 21 Oct 2019 09:00:24 +0000

Last week I had to set up a small Active Directory Federation Services (ADFS) farm that will be used to allow Single Sign-On (SSO) with Office 365.

Active Directory Federation Services (ADFS) is a solution developed by Microsoft to provide users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA).

The customer required a two-node ADFS farm located on the internal network, and a two-node ADFS Proxy farm located in the DMZ.

An ADFS Proxy server acts as a reverse proxy and is typically located in your organization’s perimeter network (DMZ).

This picture shows a typical ADFS/ ADFS Proxy setup:

ADFS/ WAP Design/ Citrix/ citrix.com

My customer has decided to use Citrix ADC (formerly NetScaler) to load balance the requests for the ADFS farm and the ADFS Proxy farm. In addition to load balancing, this offers high availability in case of a failed ADFS server or ADFS Proxy server. Please note that Citrix ADC can act as an ADFS Proxy, but this requires the Advanced Edition license. My customer “only” had a Standard License, so we had to set up dedicated ADFS Proxy servers on the DMZ network.

Citrix ADC setup

The ADFS service name is typically something like adfs.customer.tld. This farm name has to be the same for internal and external access. For internal access, the ADFS service name must resolve to the VIP of the Citrix ADC. The same applies to external access. So you have to set up split DNS.

ADFS uses HTTP and HTTPS, so my first attempt was to use this Citrix ADC Content Switch based setup:

add server srv_adfs1 x.x.x.x
add server srv_adfs2 x.x.x.y

add cs vserver cs_vsrv_adfs SSL x.x.x.x 443 -cltTimeout 180 -caseSensitive OFF
add lb vserver lb_vsrv_adfs SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180

add cs action cs_action_adfs -targetLBVserver lb_vsrv_adfs
add cs policy cs_pol_adfs -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"adfs.customer.tld\")" -action cs_action_adfs
bind cs vserver cs_vsrv_adfs -policyName cs_pol_adfs -priority 100

add serviceGroup svcgrp_adfs SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED

add lb monitor mon_adfs HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs.customer.tld/adfs/services/trust" -LRTM ENABLED -secure YES

bind serviceGroup svcgrp_adfs srv_adfs1 443 -CustomServerID "\"None\""
bind serviceGroup svcgrp_adfs srv_adfs2 443 -CustomServerID "\"None\""
bind serviceGroup svcgrp_adfs -monitorName mon_adfs

bind lb vserver lb_vsrv_adfs svcgrp_adfs

bind ssl vserver lb_vsrv_adfs -certkeyName cert-key-pair
bind ssl vserver cs_vsrv_adfs -certkeyName cert-key-pair

set ssl vserver lb_vsrv_adfs -ssl3 DISABLED
set ssl vserver cs_vsrv_adfs -ssl3 DISABLED

This is a pretty common setup for HTTP/HTTPS based services. But it doesn’t work, mainly because the monitor was not getting the required response. The ADC therefore considered the monitored service down, and the service group, the load balancing virtual server and the content switch did not come up.

The reason for this is Server Name Indication (SNI), an extension to Transport Layer Security (TLS). SNI is enabled and required since ADFS 3.0. The monitor tries to access the URL http://x.x.x.x/federationmetadata/2007-06/federationmetadata.xml, but the ADFS service won’t answer those requests, because the request contains the IP address and not the ADFS service name.

But there is a workaround for everything on the Internet! You can change the binding on the ADFS server nodes using netsh.

netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY

I will not add the necessary options to this command, because: DON’T DO THIS!

Yes, the service group, the load balancing virtual server and the content switch will come up after this change. But you will not be able to enable a trust between your ADFS Proxy servers and the ADFS farm.

Microsoft’s requirements for load balancing ADFS

Microsoft offers a nice overview of the requirements for deploying ADFS. There is a section about the network requirements. Below this, Microsoft clearly documents the requirements when load balancing ADFS servers and ADFS Proxy servers.

The load balancer MUST NOT terminate SSL. AD FS supports multiple use cases with certificate authentication which will break when terminating SSL. Terminating SSL at the load balancer is not supported for any use case.

Requirements for deploying AD FS/ microsoft.com

Okay, with this in mind, you can’t use an ADC Content Switch as described above, because it will terminate SSL. You have to switch to a load balancing virtual server and a service group with SSL bridge. Citrix describes SSL bridge as follows:

A SSL bridge configured on the NetScaler appliance enables the appliance to bridge all secure traffic between the SSL client and the SSL server. The appliance does not offload or accelerate the bridged traffic, nor does it perform encryption or decryption. Only load balancing is done by the appliance. The SSL server must handle all SSL-related processing. Features such as content switching, SureConnect, and cache redirection do not work, because the traffic passing through the appliance is encrypted.

But there is a second, very interesting statement:

It is recommended to use the HTTP (not HTTPS) health probe endpoints to perform load balancer health checks for routing traffic. This avoids any issues relating to SNI. The response to these probe endpoints is an HTTP 200 OK and is served locally with no dependence on back-end services. The HTTP probe can be accessed over HTTP using the path ‘/adfs/probe’
http://<Web Application Proxy name>/adfs/probe
http://<ADFS server name>/adfs/probe
http://<Web Application Proxy IP address>/adfs/probe
http://<ADFS IP address>/adfs/probe

Requirements for deploying AD FS/ microsoft.com

This is pretty interesting, because it addresses the issue with the monitor described above. The solution is an HTTP-ECV monitor on port 80 that sends a GET to “/adfs/probe” and checks for an HTTP/200.

A working Citrix ADC setup

This setup is divided into two parts: One for the ADFS farm, and a second one for the ADFS Proxy farm. It uses SSL bridge and HTTP for the service monitor.

Load balancing the ADFS farm

add server srv_adfs1 x.x.x.x
add server srv_adfs2 x.x.x.y

add serviceGroup svcgrp_adfs SSL_BRIDGE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver lb_vsrv_adfs SSL_BRIDGE x.x.x.z 443 -persistenceType SSLSESSION -cltTimeout 180
add lb monitor mon_adfs_http HTTP -respCode 200 -httpRequest "HEAD /adfs/probe" -LRTM ENABLED -destPort 80

bind serviceGroup svcgrp_adfs srv_adfs1 443
bind serviceGroup svcgrp_adfs srv_adfs2 443
bind serviceGroup svcgrp_adfs -monitorName mon_adfs_http
bind lb vserver lb_vsrv_adfs svcgrp_adfs
set ssl vserver lb_vsrv_adfs -ssl3 DISABLED

Load balancing the ADFS Proxy farm

add server srv_adfsproxy1 y.y.y.y
add server srv_adfsproxy2 y.y.y.x

add serviceGroup svcgrp_adfsproxy SSL_BRIDGE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
add lb vserver lb_vsrv_adfsproxy SSL_BRIDGE y.y.y.z 443 -persistenceType SSLSESSION -cltTimeout 180
add lb monitor mon_adfs_proxy_http HTTP -respCode 200 -httpRequest "HEAD /adfs/probe" -LRTM ENABLED -destPort 80

bind serviceGroup svcgrp_adfsproxy srv_adfsproxy1 443
bind serviceGroup svcgrp_adfsproxy srv_adfsproxy2 443
bind serviceGroup svcgrp_adfsproxy -monitorName mon_adfs_proxy_http
bind lb vserver lb_vsrv_adfsproxy svcgrp_adfsproxy
set ssl vserver lb_vsrv_adfsproxy -ssl3 DISABLED

I have implemented it on a NetScaler 12.1 with a Standard license. If you have feedback or questions, please leave a comment. :)

vCenter Migration from 6.0 to 6.7 fails due to missing user role
https://www.vcloudnine.de/vcenter-migration-from-6-0-to-6-7-fails-due-to-missing-user-role/
Wed, 09 Oct 2019 14:03:02 +0000

Actually, yesterday should have been the day on which I migrated one of the last physical Windows vCenter servers installed in my customer base. Actually… the migration failed twice. And each time I had to roll back, power on the old physical server, reset the computer account etc.

The update was from VMware vCenter Server 6.0 Update 3d (7462484) on a Windows 2012 R2 server to vCenter Server 6.7 Update 3 (Appliance). The migration failed at 62% with the following message:

Traceback (most recent call last):
  File "/usr/lib/vmware-content-library/firstboot/content-library-firstboot.py", line 219, in Main
    vdc_fb.register_cis()
  File "/usr/lib/vmware-content-library/firstboot/content-library-firstboot.py", line 77, in register_cis
    self._reg_info.registerAll(self.get_soluser_id(), self.get_soluser_ownerId())
  File "/usr/lib/vmware-content-library/install_lib/cis_register.py", line 368, in registerAll
    self.registerUserAndService(user_name, user_id, service)
  File "/usr/lib/vmware-content-library/install_lib/cis_register.py", line 395, in registerUserAndService
    add_vmtx_privileges(self.vdc_cfg_dir)
  File "/usr/lib/vmware-content-library/install_lib/add_vmtx_privileges_after_fb.py", line 105, in add_vmtx_privileges
    log("Adding privileges [%s] to role %s" % (' '.join(VMTX_SYNC_PRIVILEGES), cls_admin_role.name))
AttributeError: 'NoneType' object has no attribute 'name'

I found the same error in the content-library-firstboot.py_9150_stderr.log file of the downloaded log bundle.

Okay, that’s a pretty long error message and I had no idea where I should start searching. But it seems related to the Content Library of the vCenter. And it looks like it is related to the privileges.

log("Adding privileges [%s] to role %s" % (' '.join(VMTX_SYNC_PRIVILEGES), cls_admin_role.name))

A forum post led me to the content library administrator role. The author had to deal with a failed migration (6.5 to 6.7), but his content administrator role was missing. In my case, the role existed.

Sorry for the German translation. As you can see, the role existed… Obviously. I tried to add a new role with the name com.vmware.Content.Admin, as mentioned in the forum post, and… a new role appeared.

You might notice the “Beispiel” or “Example”. That’s the difference. Whatever the other role is or whatever it looks like, it is definitely not the original content library administrator role.

And to make a long story short: The migration was successful after this small change.

VCAP6.5-DCV Design – Objective 2.1 Map business requirements to a vSphere 6.x logical design
https://www.vcloudnine.de/vcap6-5-dcv-design-objective-2-1-map-business-requirements-to-a-vsphere-6-x-logical-design/
Fri, 04 Oct 2019 17:57:53 +0000

The last few weeks have been quite busy. Time to focus on exam preparation again. Let’s start with the first objective of the second section.

This blog post covers objective 2.1 (Map business requirements to a vSphere 6.x logical design) of the VCAP6.5-DCV Design exam. It is based on the VMware Certified Advanced Professional 6.5 in Data Center Virtualization Design (3V0-624) Exam Preparation Guide (last update August 2017).

The necessary skills and abilities are documented in the exam prep guide for the older VCAP6-DCV Design exam (3V0-622). I think they also apply to the current version of the exam:

  • Analyze requirements for functional and non-functional elements
  • Build non-functional requirements into a specific logical design
  • Translate stated business requirements into a logical design
  • Incorporate the current state of a customer environment into a logical design

Let’s start with

Analyze requirements for functional and non-functional elements

Functional and non-functional elements sound familiar. I wrote about functional and non-functional requirements in the previous objective 1.3 (Determine risks, requirements, constraints, and assumptions). When we talk about requirements, we have to differentiate between functional (WHAT) and non-functional (HOW) requirements. Some examples:

  • Solution must comply with ISO standards
  • The uptime must be at a minimum of 99,9%
  • Users must be able to deploy a new virtual machine within 15 minutes after approval

This step is about analyzing the requirements and checking whether each one is a functional or a non-functional element. Check these examples:

Requirement | functional/ non-functional
Solution must comply with ISO standards | functional
The uptime must be at a minimum of 99,9% | functional
Existing contracts must be used for purchasing server hardware | non-functional
PowerShell has to be used for automation tasks | non-functional

Remember: We have to differentiate between WHAT (functional) and HOW (non-functional).

Build non-functional requirements into a specific logical design

A logical design is more detailed than the conceptual design. A conceptual design is an abstract or high-level design. The logical design contains more information and is more low-level than a conceptual design. The purpose of a logical design is to refine the conceptual design and add more details and information.

With the determined and categorized requirements we can start to add more details to our design. For example, we can define that server hardware will be purchased from DELL or HPE, or that we don’t need traditional, dedicated shared storage, because the solution must be hyper-converged.

Pretty important: A requirement is a requirement, regardless how dumb it is. This is pretty important for the exam – and your job. ;)

Translate stated business requirements into a logical design

This is pretty similar to what is written above. You have to take the business requirements into account. Similar to the section above, business requirements can also be categorized into functional or non-functional elements.

Incorporate the current state of a customer environment into a logical design

If your customer is not asking for a greenfield deployment, you have to take the current environment of the customer into account. The solution must fit into the current environment. Of course, this results in further requirements that have to be fulfilled.

Summary

The main aspect of this objective is to review all requirements, determine if they are functional or non-functional, and use them to create a logical design. A logical design does not contain IP addresses or VLANs. But it contains all major components and their relationships, like data flows and connections.

Supported Active Directory environments for Microsoft Exchange
https://www.vcloudnine.de/supported-active-directory-environments-for-microsoft-exchange/
Sat, 07 Sep 2019 07:34:28 +0000

It is time for some words of wisdom regarding Exchange and the supported Active Directory environments. It is the same as with the supported .NET Framework releases: the latest release does not automatically mean “supported”.

To be honest: I nearly nuked a customer environment with ~ 300 users yesterday by preparing the domain for the first Windows Server 2019 Domain Controller.

First things first: Everything is fine! I did not prepare the forest schema for Windows Server 2019.

The support for Windows Server 2008 R2 comes to an end and some customers are still running it. Like my customer yesterday. Some application servers are still on 2008 R2… and the Domain Controllers. The customer is also running Exchange 2013 on Windows Server 2012 R2.

The customer has decided to go to Windows Server 2019 wherever possible. This includes file servers, application servers, and the Domain Controllers. One of the first steps was the deployment of Active Directory-Based Activation. The AD schema needs to be prepared for this and I decided to prepare the schema for Windows Server 2019. I had already copied the adprep folder from the Server 2019 ISO and opened a PowerShell. And then I paused. Something felt odd. I wanted to take a look at the Exchange Server supportability matrix.

Exchange 2013 does NOT support Windows Server 2019 Domain Controllers! Uhh… that was unexpected.

Lessons learned

Always check the Exchange Server supportability matrix. Always! Regardless if it’s because of .NET Framework, Active Directory, Outlook Clients etc. Just check it every time you plan to change something in your environment.

Especially in regard to Microsoft Exchange “newer” does not automatically mean “supported”. Most times the opposite is true.

Microsoft Exchange 2013/ 2016/ 2019 shows blank ECP & OWA after changes to SSL certificates
https://www.vcloudnine.de/microsoft-exchange-2013-2016-2019-shows-blank-ecp-owa-after-changes-to-ssl-certificates/
Sat, 07 Sep 2019 06:28:21 +0000

EDIT: This issue is described in KB2971270 and is fixed in Exchange 2013 CU6.

I published this blog post in July 2015 and it is still relevant. The feedback for this blog post was incredible, and I’m not joking when I say: I saved many admins’ weekends. ;) It has shown that this error still occurs with Exchange 2016 and even 2019. Maybe not because of the same bug that was fixed with Exchange 2013 CU6, but maybe for other reasons. And the solution below still applies to it. Because of this I have decided to re-publish this blog post with a modified title and this little preamble.

Feel free to leave a comment if this blog post worked for you. :)

I ran into this error a couple of times. After applying changes to SSL certificates (adding, replacing or deleting an SSL certificate) and rebooting the server, the event log is flooded with events from source “HttpEvent” and event id 15021. The message says:

An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.

If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.

C:\windows\system32>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : a80c9de605a1525cd252c250495b459f06ed2ec1
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:8172
    Certificate Hash             : 09093ca95154929df92f1bee395b2670a1036a06
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    IP:port                      : 127.0.0.1:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

Check the certificate hash and application ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice that the application ID for these three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that’s the point. Remove the certificate for 0.0.0.0:444.

C:\windows\system32>netsh http delete sslcert ipport=0.0.0.0:444

SSL Certificate successfully deleted

Now add it again with the correct certificate hash and application ID.

C:\windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=1ec7413b4fb1782b4b40868d967161d29154fd7f appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"

SSL Certificate successfully added

That’s it. Reboot the Exchange server and everything should be up and running again.
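
The comparison described above can be scripted. The following is an added example, not part of the original post: it parses saved `netsh http show sslcert` output, compares every binding that shares the application ID of a reference binding (0.0.0.0:443, as in the post) and returns the two netsh commands from the post for each mismatch. The function names are hypothetical, and the sample is the output shown above reduced to the fields the check uses.

```python
"""Find HTTP.sys SSL bindings whose certificate hash differs from a
reference binding of the same application (added example)."""

# Sample input: the output shown in the post, reduced to the fields used here.
SAMPLE_OUTPUT = r"""
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : a80c9de605a1525cd252c250495b459f06ed2ec1
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:8172
    Certificate Hash             : 09093ca95154929df92f1bee395b2670a1036a06
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    IP:port                      : 127.0.0.1:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
"""


def parse_bindings(text):
    """Return one dict per IP:port binding found in the netsh output."""
    bindings, current = [], None
    for line in text.splitlines():
        # Fields look like "Name   : value"; the key itself may contain ':'
        # ("IP:port"), so split on the padded separator only.
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # heading, ruler, prompt or blank line
        key, value = key.strip(), value.strip()
        if key == "IP:port":
            current = {"endpoint": value}
            bindings.append(current)
        elif key == "Hostname:port":
            current = None  # SNI bindings are out of scope for this check
        elif current is not None:
            current[key] = value
    return bindings


def find_mismatched_bindings(bindings, reference_endpoint="0.0.0.0:443"):
    """Bindings with the reference's application ID but another cert hash."""
    ref = next((b for b in bindings if b["endpoint"] == reference_endpoint), None)
    if ref is None:
        raise ValueError(f"no binding for reference endpoint {reference_endpoint}")
    ref_app = ref.get("Application ID", "")
    ref_hash = ref.get("Certificate Hash", "")
    findings = []
    for b in bindings:
        same_app = b.get("Application ID", "").lower() == ref_app.lower()
        if same_app and b.get("Certificate Hash", "").lower() != ref_hash.lower():
            findings.append({
                "endpoint": b["endpoint"],
                "found_hash": b.get("Certificate Hash", ""),
                "expected_hash": ref_hash,
                "app_id": ref_app,
            })
    return findings


def repair_commands(finding):
    """The delete/add pair from the post, filled in for one finding.
    The commands are only returned as text, never executed."""
    return [
        f"netsh http delete sslcert ipport={finding['endpoint']}",
        f"netsh http add sslcert ipport={finding['endpoint']} "
        f"certhash={finding['expected_hash']} appid=\"{finding['app_id']}\"",
    ]


if __name__ == "__main__":
    for f in find_mismatched_bindings(parse_bindings(SAMPLE_OUTPUT)):
        print(f"{f['endpoint']}: hash {f['found_hash']} differs from reference")
        for cmd in repair_commands(f):
            print("  " + cmd)
```

Run it against output captured with `netsh http show sslcert > bindings.txt` and review the suggested commands before typing them into the elevated prompt.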

What’s new in Vembu BDR Suite v4.0.1
https://www.vcloudnine.de/whats-new-in-vembu-bdr-suite-v4-0-1/
Sun, 01 Sep 2019 12:06:48 +0000

Vembu Technologies was founded in 2002, and with 60.000 customers and more than 4000 partners, Vembu is a leading provider with a comprehensive portfolio of software products and cloud services to small and medium businesses.

In December 2018, Vembu announced the fourth major release of their BDR Suite. Vembu BDR Suite 4.0.1 is now out for production setups with enhanced performance and bug fixes. Vembu BDR Suite v4.0.1 is an intermediate patch update that addresses customer-reported issues and other support issues in the previous build of v4.0. Vembu BDR Suite v4.0.1 also features a large number of enhancements, and the most significant of those are listed below.

Vembu Technologies/ Vembu BDR Essentials/ Copyright by Vembu Technologies

What’s new?

Besides bug fixes, BDR Suite v4.0.1 also includes some new enhancements. In my opinion, the most significant enhancements are:

  • Significant performance improvement in Quick VM Recovery on VMware environments
  • Rescan option is introduced in Hyper-V Manager Servers page, which allows you to install Vembu Integration Service on the newly added node of the Hyper-V cluster (or if it’s not available on the existing node)
  • Backups configured through BDR Server console will run in parallel (Default parallel backup count is set to 5 and it is configurable)
  • Ability to add new Hyper-V hosts or choose existing hosts while performing Live Recovery to Hyper-V host

Interested in trying Vembu BDR suite? Try the 30-day free trial now! For any questions, simply send an e-mail to vembu-support@vembu.com or follow them on Twitter.

If you are a small or mid-sized business, check out the Vembu BDR Essentials package!

VCAP6.5-DCV Design – Objective 1.3 Determine risks, requirements, constraints, and assumptions
https://www.vcloudnine.de/vcap6-5-dcv-design-objective-1-3-determine-risks-requirements-constraints-and-assumptions/
Fri, 30 Aug 2019 09:17:02 +0000

This blog post covers objective 1.3 (Determine risks, requirements, constraints, and assumptions) of the VCAP6.5-DCV Design exam. It is based on the VMware Certified Advanced Professional 6.5 in Data Center Virtualization Design (3V0-624) Exam Preparation Guide (last update August 2017).

The first objective of the exam prep guide covered the business requirements. Now we have to do something similar for the affected applications.

The necessary skills and abilities are documented in the exam prep guide for the older VCAP6-DCV Design exam (3V0-622). I think they also apply to the current version of the exam:

  • Differentiate between the concepts of risks, requirements, constraints, and assumptions
  • Given a statement, determine whether it is a risk, requirement, constraint, or an assumption
  • Analyze impact of VMware best practices to identified risks, constraints, and assumptions

Differentiate between the concepts of risks, requirements, constraints, and assumptions

I wrote a couple of times about risks, requirements, constraints and assumptions, but I failed to explain the meaning of each of these terms. I will use the following order:

  • requirements
  • risks
  • constraints
  • assumptions

So let us start with “What is a requirement“? A requirement is something that a has to be achieved. This can be applied to business or technical things. Without defined requirements, you would have no clue what your design should cover. If you define a requirement, you should test it with the following question: Is the defined requirement

  • specific
  • feasable
  • verifiable
  • traceable
  • unambiguous

When we talk about requirements, we have to differ between functional (WHAT) and non-functional (HOW) requirements. Some examples:

  • Solution must comply with ISO standards
  • The uptime must be at a minumum of 99,9%
  • Users must be able deploy new virtual machine within 15 minutes after approval

A risk is a potential event that might prevent us from achieving the defined project goals, or which can cause the project to fail completely. They are often common to every project. The best we can do is to identify and list every risk that might prevent us from successfully finishing the project. Some examples:

  • Missing the delivery date
  • Vendor discontinued parts of the solution
  • Hidden incompatibility with currently used frameworks

Constraints can be a limiting factor when we design our solution. They can be understood as cornerstones that set the borders of our solution. Constraints are always very specific. Examples:

  • The costs per user must not exceed 5 €
  • The project has to be finished within 9 months
  • The solution must include servers from HPE

In contrast to constraints, which are very specific, assumptions are considered to be true without proof in the planning phase. This is pretty important! We are talking about the time when we put our design together. Examples:

  • Rackspace will be available when the HW needs to be deployed
  • A MS SQL database server will be available at the installation date
  • A specific decision is made when needed

Summary

As I wrote at the beginning of this article: It is important to understand these terms. In simple words:

  • requirements: Things that have to be met to successfully finish the project
  • risks: Things that might happen and that put our project at risk
  • constraints: Limiting factors to our project design
  • assumptions: Things that are considered to be true, but that are not proven during the planning phase

That is a pretty simple summary, but it should be good enough to be memorized. :)

NetScaler Gateway – Cannot complete your request https://www.vcloudnine.de/netscaler-gateway-cannot-complete-your-request/ https://www.vcloudnine.de/netscaler-gateway-cannot-complete-your-request/#respond Wed, 28 Aug 2019 11:51:13 +0000 https://www.vcloudnine.de/?p=4430 A customer reported a weird problem with his NetScaler Gateway. Upon the first load of the website, they got an error “Cannot complete your request”. After clicking OK the error disappeared and did not occur again after reloading the website, only after closing and re-opening the browser. I got this message in Firefox and Internet Explorer, but not from a remote machine, e.g. my PC at the office.

I found no configuration error or anything else that would have explained this message. Finally, I found something that caught my attention:

HTTP/1.1 412 Precondition Failed

I found this using the Firefox Web Development Tools (I only had Firefox and IE on my remote machine). With this message I found CTX244520, which also explained this error. The issue is caused by a hidden feature for caching web site data of the Gateway vServer. If you don’t have the Integrated Cache feature licensed or enabled, this feature fails. It is called Static Page Caching.

My customer is currently running NS12.0 60.10, and this issue is fixed in 12.0 61.8. And the customer is using a custom theme, which is based on one of the included themes.

If possible, you can enable Integrated Caching. If you can’t enable Integrated Caching, you can simply disable this feature:

show aaa parameter
   Configured AAA parameters
           EnableStaticPageCaching: YES
           EnableEnhancedAuthFeedback: NO
           DefaultAuthType: LOCAL  MaxAAAUsers: 1000
           AAAD nat ip: None
           EnableSessionStickiness : NO
           aaaSessionLoglevel : INFORMATIONAL
           AAAD Log Level : INFORMATIONAL
           Dynamic address: OFF
           GUI mode: ON
           Max Saml Deflate Size: 1024
    Done
   set aaa parameter -enableStaticPageCaching NO
    Done
VCAP6.5-DCV Design – Objective 1.2 Gather and analyze application requirements https://www.vcloudnine.de/vcap6-5-dcv-design-objective-1-2-gather-and-analyze-application-requirements/ https://www.vcloudnine.de/vcap6-5-dcv-design-objective-1-2-gather-and-analyze-application-requirements/#respond Mon, 19 Aug 2019 20:12:37 +0000 https://www.vcloudnine.de/?p=4420 This blog post covers objective 1.2 (Gather and analyze application requirements) of the VCAP6.5-DCV Design exam. It is based on the VMware Certified Advanced Professional 6.5 in Data Center Virtualization Design (3V0-624) Exam Preparation Guide (last update August 2017).

The first objective of the exam prep guide has covered the business requirements. Now we have to do similar for the affected applications.

The necessary skills and abilities are documented in the exam prep guide for the older VCAP6-DCV Design exam (3V0-622). I think they also apply to the current version of the exam:

  • Gather and analyze application requirements for a given scenario
  • Determine the requirements for a set of applications that will be included in the design
  • Collect information needed in order to identify application dependencies
  • Given one or more application requirements, determine the impact of the requirements on the design

Gather and analyze application requirements for a given scenario

As a result of the work we have already done, we should know which applications we have to deal with in our project. Now we have to gather the requirements of those applications. The necessary techniques are already known to us:

  • interviews with the relevant stakeholders and/or developers or engineers
  • existing documentation about the deployment
  • our documented baseline from objective 1.1
  • vendor documentation/support/knowledge base articles

It is pretty important to understand what requirements these applications have. It depends on the workload and the application itself. Tools like perfmon or capacity planning tools can help us to get a solid knowledge about the current and planned capacity/performance requirements.

But we should not only focus on performance. There is much more to take into account, to be more specific: AMPRS

It stands for

  • Availability
  • Manageability
  • Performance
  • Recoverability, and
  • Security

You can read a detailed explanation here.

Determine the requirements for a set of applications that will be included in the design

This is similar to what is written above. When we talk about a set of applications, we have to take the dependencies between these applications into account.

Collect information needed in order to identify application dependencies

To gain the necessary information, we have to talk to the right people, which means that we have to talk to developers, engineers and/or end-users. We have to dive deep into existing customer and/or vendor documentation. And we need to use the right tools to map the dependencies we find. This can be done with Microsoft Visio, OmniGraffle or similar.

Given one or more application requirements, determine the impact of the requirements on the design

With the knowledge about the applications and the dependencies between them, it is time to make some design decisions. These decisions must support the documented requirements, especially when we think about the requirements with regard to availability, manageability, performance, recoverability, and security.

The key is to understand the impact of these decisions on the rest of the design.

Summary

I will try to summarize this objective. The last blog post covered the business requirements and the process from gathering the required information, through the documentation, up to the point at which we can start creating a design. This blog post covers the same process, not for the business requirements, but for the applications and the requirements of these applications.

We can gather the necessary information by talking to the relevant stakeholders, engineers, developers etc. Customer and/or vendor documentation and other sources can be used to get a better understanding of the different application requirements. We also need to understand the dependencies between the different applications, especially if only a subset of applications is virtualized. Our work is supported by different tools, especially for performance analysis, capacity planning and documentation.

With the gathered information we will be able to make design decisions that fulfill the requirements (think about AMPRS).
