A sandbox by means of SCVMM

With the release of System Center Virtual Machine Manager 2012 we got the ability to create so-called services: not just cloning a single virtual machine, and not even just deploying from templates, but combining different profiles, templates and machines and then configuring the relationships between the virtual equipment. After watching the TechEd sessions, reading the articles and books and, of course, receiving from my superiors a wonderful assignment on one of the projects, I decided that SCVMM was quite capable of producing a complete service solution, i.e. a set of virtual machines isolated from the rest of the enterprise infrastructure but interacting harmoniously with each other.
But it did not turn out as smoothly as in the demonstrations, so welcome under the cut for a dose of working with a file.

Let's start with the fact that Microsoft's service-oriented cloud ideology maps almost perfectly onto the task of creating a sandbox: here is your pool of resources, here is your sandbox, sandboxes run in the cloud, and people, for example the developers themselves, create, delete and, if necessary, scale the sandbox through the self-service portal and receive reports on resource consumption; they don't care what hardware the sandbox runs on, whether it is redundant, or which hypervisor controls it.
But when it comes to practice, to actually automating the deployment of the service, limitations appear. To explain, let me use the famous and at the same time moribund educational application from Microsoft, Pet Shop .NET, the 4th version by the way.
Pet Shop is an ordinary three-tier client-server application: a DBMS server, an application server and a web front end that lets potential buyers come and choose parrots through the browser. So when we deploy this application as a cloud service, we:

1. Deploy three virtual machines, a couple of them empty and one with SQL Server; they will later become our tiers;
2. On the SQL server install the application database and create the users;
3. On the application server roll out the App-V package with the shop application, configuring the connection string to the SQL server;
4. On the web front end install the web pages, configuring the web application to connect to the application server.

How is it deployed? First, when deploying, Virtual Machine Manager creates a virtual floppy disk and writes an answer file to it; when the VM boots, it reads the answer file, assigns itself a name, sets the network interface parameters and even joins the Active Directory domain. In the second stage SCVMM installs its agent and the integration services on the virtual machines, and in the third it creates an ISO image with the applications, databases and other configuration scripts, mounts this ISO image in the virtual drive and runs the application installation from it. As you can see, interaction with the virtual machine happens only through primitive things, the virtual floppy disk and the virtual DVD-ROM: installing the agent, and likewise installing the integration services, is simply mounting the appropriate ISO image in the drive.



All right? Well, yes and no. The thing is, in order to assemble the connection string to the SQL server, you need at least to know the name of that SQL server. To assemble the connection string to the application, you likewise need to know the address of the application server. Meanwhile, System Center Virtual Machine Manager 2012 offers three ways to specify a server name:

1. Specify it as plain text, for example "SQLServer";
2. Specify it as a pattern with numbers, for example "SQLServer##"; in this case, when the first server is created SCVMM gives it the name SQLServer01, the second SQLServer02, and so on;
3. Leave it blank in the template and have the administrator enter it by hand when the service is deployed.

The first option is discarded immediately, because we assume we will have many services, hence many machines with the same name, and machines with the same name are bad. The second option is good, but the numbers appended at the end take away the determinism of the server name. In other words, on tier 2 we do not know which number SCVMM assigned to tier 1. Well, we know it begins with SQLServer, but then 01? 05? Or maybe 25? The third option is good, no doubt, but in this case the administrator himself has to take care, first, of the uniqueness of the server names and, second, of their conformance to the naming conventions adopted in the organization. In general, it turns out that there are three options, and all three are bad. What does Microsoft recommend to get out of this situation? Here is what.

Here is a picture from page 245 of Aidan Finn's book Microsoft Private Cloud Computing (Sybex), which clearly shows that to deploy the service, Pet Shop in this case, you need to look with your own eyes at the top of the screen, see MidSvr01, and type that word by hand into the lobComputerName field.



And this re-typing of letters from the screen onto the same screen is apparently Microsoft's official position, which is repeated, for example, in SDA's blogs on TechNet.

That is, once again: they suggest looking at a line on the screen and typing that same line by hand on the same screen.

Is this acceptable for us? Of course not! Information should originate in only one place; unwarranted duplication of information is fraught with errors, and we will use this approach slightly less often than never in our lives.

Back to our sandbox. Suppose we have a domain controller in an Active Directory forest and a member server of that domain. Theoretically, this is enough to provide scalability of the service, i.e. duplicating this domain member server again, again and again.

Formulating the terms of reference for the sandbox system, we can say that the system must contain an Active Directory domain controller that is not connected to any other forest by any relationship, including trusts, and the system must contain a server joined to that Active Directory domain which can be replicated effortlessly. Then, if we wish, we can roll out an Exchange server, SQL Server and much, much more onto it.

Creating an Active Directory domain controller from SCVMM is not easy: a domain controller does not lend itself to App-V application virtualization, so we will install the domain controller from the command line. There is a utility called dcpromo, which creates a domain, or a forest, or even a universe if you like, and let me tell you that despite the various articles in the category "dcpromo is dead, long live PowerShell!", dcpromo was kept in Windows Server 2012, but only as a command-line tool. You can read about it, for example, here. Note the line:

If you run dcpromo /unattend from a command prompt, you can still perform unattended installations that use Dcpromo.exe

That is, unattended installation can still be used in Windows Server 2012, and that is exactly what we need. Although, of course, we all love PowerShell with undying love, and I even have a couple of articles about the innovations in Server 2012. But for compatibility we use the answer file, because it works on both 2008 R2 and 2012. So, to raise the Active Directory domain controller, we run this .cmd file, linked to the application profile in the sandbox service:

rem Allow the unsigned helper script below to run (see the note on signing)
%systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe Set-ExecutionPolicy Unrestricted
rem Generate the dcpromo answer file; %1 is the DNS name of the new forest root domain
%systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe -File .\CreateAnswerFile.ps1 -Domain %1
rem Promote this machine to the first domain controller of the new forest
dcpromo /unattend:%systemroot%\Temp\dcpromo.ini
rem Reboot after 30 seconds so the promotion takes effect
shutdown /r /t 30

Please note that from the very beginning we run Set-ExecutionPolicy Unrestricted, for the simple reason that what follows are my unsigned PowerShell scripts. PowerShell scripts should be signed: this affects your security and the security of your organization. If you cannot sign them, at least confine the relaxation to this one invocation (powershell.exe -ExecutionPolicy Bypass -File ...) instead of changing the machine-wide policy, which stays in force on the domain controller after the deployment is over. How to sign scripts seems to have been covered here in a couple of topics already, but if not, I will describe this funny but instructive process.
Now look: a script called CreateAnswerFile.ps1 is invoked, and it takes the domain as an input parameter. Here is the script:

Param ([string]$Domain)
# System.Web provides Membership.GeneratePassword for a random DSRM password
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
# Allow remote management of the future domain controller
Enable-PSRemoting -Force
Import-Module ServerManager
Add-WindowsFeature DNS
# Directory Services Restore Mode password: random, 30 characters, at least 2 non-alphanumeric.
# It is written only into the answer file and never recorded elsewhere, so DSRM recovery of
# this throwaway sandbox controller is not possible; acceptable here, not in production.
$RandPassLength = [int] 30
$DSRMPass = [System.Web.Security.Membership]::GeneratePassword($RandPassLength, 2)
$SafeModePWD = $DSRMPass
# NetBIOS name is the first DNS label, upper-cased (e.g. sandbox.local -> SANDBOX); keep it under 16 characters
$NetBIOSName = ($Domain.Split(".")[0]).ToUpper()
# Unattended answer file for dcpromo: new forest, forest and domain level 4 (Windows Server 2008 R2)
$DCPromoFile = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$Domain
ForestLevel=4
DomainNetBIOSName=$NetBIOSName
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
RebootOnCompletion=No
SafeModeAdminPassword=$SafeModePWD
"@
# %windir% is assumed to be C:\Windows (see the note below); the .cmd file reads the same path
$DCPromoFile | Out-File C:\Windows\Temp\dcpromo.ini -Force

Once again, please note that I assume %windir% is C:\Windows; it is unlikely that yours is different, but I have to warn you.
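For readers on Windows Server 2012 only, here is the PowerShell equivalent of the answer file above, written for this edit and not part of the original article. It builds the same forest with the same values (forest and domain level 4, i.e. Windows Server 2008 R2; DNS installed; no delegation; the default NTDS and SYSVOL paths; no automatic reboot) through the ADDSDeployment module, which does not exist on 2008 R2, and that is exactly why the article keeps dcpromo. The DSRM password is passed as a SecureString instead of being written in clear text to an .ini file on disk; the 15-character NetBIOS cut-off is an addition, not something the article does.

```powershell
Param ([Parameter(Mandatory = $true)][string]$Domain)

# System.Web provides the same random-password generator the article's script uses
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null

# The AD DS binaries must be present before ADDSDeployment can be imported
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Random DSRM password, 30 characters with at least 2 non-alphanumeric ones,
# handed over as a SecureString rather than written to an answer file
$DSRMPass = [System.Web.Security.Membership]::GeneratePassword(30, 2)
$SafeModePWD = ConvertTo-SecureString $DSRMPass -AsPlainText -Force

# NetBIOS name: first DNS label, upper-cased, truncated to the 15-character NetBIOS limit
$NetBIOSName = ($Domain.Split(".")[0]).ToUpper()
if ($NetBIOSName.Length -gt 15) { $NetBIOSName = $NetBIOSName.Substring(0, 15) }

# Each entry maps to a line of the [DCINSTALL] section in dcpromo.ini
$forestParams = @{
    DomainName                    = $Domain             # NewDomainDNSName
    DomainNetbiosName             = $NetBIOSName        # DomainNetBIOSName
    ForestMode                    = 'Win2008R2'         # ForestLevel=4
    DomainMode                    = 'Win2008R2'         # DomainLevel=4
    InstallDns                    = $true               # InstallDNS=Yes
    CreateDnsDelegation           = $false              # CreateDNSDelegation=No
    DatabasePath                  = 'C:\Windows\NTDS'   # DatabasePath
    LogPath                       = 'C:\Windows\NTDS'   # LogPath
    SysvolPath                    = 'C:\Windows\SYSVOL' # SYSVOLPath
    SafeModeAdministratorPassword = $SafeModePWD        # SafeModeAdminPassword
    NoRebootOnCompletion          = $true               # RebootOnCompletion=No
    Force                         = $true               # no interactive confirmation
}
Install-ADDSForest @forestParams
```

The first domain controller of a new forest is always a global catalog, so there is no counterpart to ConfirmGc=Yes; the surrounding .cmd file still performs the reboot, as with the dcpromo variant.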

OK, we have raised the domain controller, and we like it. But in order to join a server to that domain it must, first, obtain the address of that domain controller; second, set that domain controller as the DNS server on its network interface; and third, run the command that joins it to the domain. And how do we get the IP address of the DNS server? After all, by the problem statement we are in an isolated network, we know nothing, not even the name of the domain controller that is being deployed in parallel with us.

There is a way. Remember the SCVMM guest agent that was deployed? During the deployment of this guest agent, in a quite magical way, a configuration file with the service configuration appears inside the VM. This file is, first, heavily truncated and, second, accessible only to the system account (SYSTEM). But that, as you understand, will not save the file, because once information has been revealed it cannot be un-revealed. From this file, which is very similar to XML except for a short header of about 16 bytes (everything before the first "<"), we extract the name of the domain controller. Yes, the very one that was dynamically generated at service deployment time. Having the name, we can resolve it to an IP address, right?

No, not right, because we do not have a DNS server that would answer us; we simply do not know whom to ask. So we call for help on good old NetBIOS, a protocol that knows what broadcast name resolution is. In other words, knowing the name of the server, we shout loudly into the network: "hey, so-and-so, respond!" And it answers: "Here I am, just don't hurt me please!" We take its address as our DNS server and then join the domain. Mission accomplished. Note that a broadcast name query is unauthenticated: any host on the segment may answer it, which is tolerable only because the sandbox network is isolated by construction.

Given that this script is executed every time the service is scaled, we can run it endlessly and thus our sandbox turns into "domain controller + (member server x N)".

Now, here is the script:

# Wait for the SCVMM guest agent to finish writing its settings after first boot
Start-Sleep 90
# Locate the guest agent's Settings directory next to its executable
$scvmmGuestAgentProcess = Get-Process ScvmmGuestService
$guestDirectory = $scvmmGuestAgentProcess.Path
$settingsDirectory = (Split-Path $guestDirectory -Parent) + "\Settings"
# The goal-state file is readable only by SYSTEM: take ownership (Administrators, recursive)
# and grant ourselves read access. This script therefore has to run elevated.
$uname = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
takeown /F $settingsDirectory /A /R /D Y
$goalStateFile = $settingsDirectory + "\DesiredGoalState.dat"
$rule = $uname + ":(R)"
icacls $goalStateFile /grant $rule
# Skip the binary header: the XML document starts at the first '<'
$goalStateText = [string](Get-Content $goalStateFile)
$goalState = [xml]($goalStateText.Substring($goalStateText.IndexOf("<")))
# ServiceVMComputerNames lists tier names and the computer names SCVMM generated for them,
# delimited by square brackets. Dropping empty entries keeps "tier, then its name" adjacent
# whatever the exact bracket layout is.
$computerNames = ($goalState.GuestGoalState.ServiceSettings.ServiceSetting | Where-Object { $_.name -eq "ServiceVMComputerNames" }).value
$namesArray = $computerNames.Split([char[]]"[]", [StringSplitOptions]::RemoveEmptyEntries)
# "Domain controller" is the name of the DC tier in the service template; the entry after it is its computer name
$dCName = $namesArray[[array]::IndexOf($namesArray, "Domain controller") + 1]
# There is no DNS server yet, so this lookup ends up as a NetBIOS broadcast on the local segment
$dCIP = (([System.Net.Dns]::GetHostEntry($dCName)).AddressList | Where-Object { $_.AddressFamily -eq "InterNetwork" }).IPAddressToString
# Point every IP-enabled adapter at the new controller for DNS
$wmi = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "ipenabled = 'true'"
foreach ($adapter in $wmi) { $adapter.SetDNSServerSearchOrder(@($dCIP)) | Out-Null }
# The domain name comes from the same service settings; the credentials are the sandbox domain admin
$domain = ($goalState.GuestGoalState.ServiceSettings.ServiceSetting | Where-Object { $_.name -eq "Domain" }).value
$domainUserName = $domain + "\administrator"
$domainPassword = "Pa`$`$w0rd"   # hard-coded here, see the note below
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $domainUserName, ($domainPassword | ConvertTo-SecureString -AsPlainText -Force)
Add-Computer -Credential $credentials -DomainName $domain
Restart-Computer -Force

Please note that I have the login and password written right into the script. Obviously, for security you will have to hide them.
So, by including this script in the application profile and running it on deployment on N servers, we get our sandbox.
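Because the broadcast resolution described above is unauthenticated, a practitioner would want to check that whoever answered to the controller's name actually behaves like the controller of the sandbox domain before handing it the DNS role and the join credentials. The following is an added example for this edit, not code from the original article: it resolves the name the same way the join script does (DNS first, NetBIOS broadcast as the resolver's fallback), then requires the address to serve DNS, Kerberos and LDAP and to publish a DC SRV record for the domain that names the expected host. The function names, the port list and the use of nslookup are assumptions for the sandbox; $dCName and $domain are the values the join script reads from DesiredGoalState.dat.

```powershell
function Resolve-SandboxHost {
    param([Parameter(Mandatory = $true)][string]$Name)
    # GetHostEntry uses the system resolver: hosts file, DNS, then LLMNR/NetBIOS broadcast.
    # On the isolated sandbox network only the broadcast part can succeed, and any host on
    # the segment may answer it, which is why the caller verifies the answer afterwards.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Name)
    } catch {
        throw "Name '$Name' could not be resolved by DNS or broadcast: $_"
    }
    $v4 = $entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    if (-not $v4) { throw "No IPv4 address for '$Name'" }
    return $v4.IPAddressToString
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; Test-NetConnection is not available on 2008 R2
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SandboxDomainController {
    param([string]$Address, [string]$Domain, [string]$ExpectedName)
    # A freshly promoted DC must at least serve DNS (53), Kerberos (88) and LDAP (389)
    foreach ($port in 53, 88, 389) {
        if (-not (Test-TcpPort -Address $Address -Port $port)) {
            Write-Warning "$Address does not answer on TCP $port"
            return $false
        }
    }
    # Ask the candidate's own DNS for the DC SRV record of the domain and require that it
    # points back at the expected host name rather than at some other machine
    $srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $Address 2>$null
    if (-not (($srv -join "`n") -match [regex]::Escape($ExpectedName))) {
        Write-Warning "SRV record for $Domain on $Address does not name $ExpectedName"
        return $false
    }
    return $true
}

# Usage inside the join script, once $dCName and $domain have been read from the goal-state file
$dCIP = Resolve-SandboxHost -Name $dCName
if (-not (Test-SandboxDomainController -Address $dCIP -Domain $domain -ExpectedName $dCName)) {
    throw "Refusing to join: $dCIP does not look like the domain controller of $domain"
}
```

The check runs before SetDNSServerSearchOrder and Add-Computer; until it passes, no credential leaves the member server. If the controller is still finishing its promotion when the member boots, Start-Sleep 90 in the join script may not be enough, and the SRV test is the one that fails first.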


We can now do anything in our sandbox: install programs, remove programs, create and delete users, modify the schema and attributes, do whatever our heart desires. And if it suddenly breaks, delete the sandbox and create a new one in half an hour! Even creating two sandboxes is no trouble for us. It's simply paradise for developers and testers!
I still recommend reading Aidan Finn's blog; he writes very nice things.
Article based on information from habrahabr.ru
