Windows Server 2012 for SQL Server DBAs

Windows Server 2012 for SQL Server DBAs Andrew Fryer Microsoft http://Blogs.technet.com/b/Andrew @deepfat Andrew.fryer@Microsoft.com

Hyper-V Scalability

Expanded Processor & Memory Support

Shared Nothing Live Migration

Shared Nothing Live Migration The ability to move a virtual machine while it is running from one host to another without requiring shared storage Faster and simultaneous migration Entire VM moved with no downtime VHD, configuration files, snapshots, etc. Improved performance and flexibility No longer requires a clustered environment or shared storage* * Live Migration can be done with shared storage and clustered VMs, but “Shared Nothing” does not require either

Live Migration – Moving a Running VM without Shared Storage Live Migration setup occurs Memory pages are transferred from the source server to the destination server Modified pages are transferred to destination server State is transferred to destination server VM brought online on destination server Network cleanup occurs standard Ethernet connection

Enabling Hyper-V over SMB

Common Configurations Single-Node File Server Lowest cost for share storage Shares not continuously available Dual-Node File Server Low cost for continuously available shared storage Limited scalability (up to a few hundred disks Multi-Node File Server Highest scalability (up to thousands of disks) Higher cost, but still lower than connecting all Hyper-V hosts with FC

Creating an SMB Share From Server Manager: Log on or connect to a Windows Server 2012 computer on which the File and Storage role is installed. Open Server Manager and navigate to File and Storage Services In Server Manager, start the New Share Wizard 2 1 With PowerShell: # Create folder MD X:\VMS # Create file share New-SmbShare -Name VMS1 -Path X:\VMS -FullAccess Domain\HVAdmin, Domain\HV1$, Domain\HV2$, Domain\HVC$ # Set NTFS permissions from the file share permissions (Get-SmbShare VMS1).PresetPathAcl | Set-Acl

Hyper-V Replica

Installation and Configuration Add Hyper-V role on Primary and Replica servers Add Role and Feature Wizard (ARFW) in Server Manager Deployment Image and Service Management (DISM) dism /online /enable-feature /featurename:Microsoft-Hyper-V Server Manager Powershellcmdlet Install-WindowsFeature –Name Hyper-V –IncludeManagementTools 3 Run Best Practices Analyzer to confirm installation and verify functionality Configure Replication Standalone Failover Cluster Enable each Virtual Machine for replication (Enable Replication Wizard) Or use PowerShell Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Integrated -IntegratedAuthenticationPort $RecoveryPort -DefaultStorageLocation $ReplicaStorageLocation -ReplicationAllowedFromAnyServer $true 4

Architectural Components

Windows Server 2012 User Interface

MinShell Minimal User Experience option Server Core with GUI tools Server Manager and cmd.exe launch by default when server is booted Allows other GUI tools to be loaded Enabled through Add Roles and Features wizard, or with PowerShell

Enabling/Disabling MinShell Install-WindowsFeatureServer-Gui-Mgmt-Infra Install-WindowsFeature Server-Gui-Shell Install-WindowsFeature Desktop-Experience Uninstall-WindowsFeature Server-GUI-Shell Uninstall-WindowsFeature Server-GUI-Shell -remove

Interface Feature Sets

Server Manager

Multi-Machine Management Glanceable

Multi-Machine Management Directly actionable

Multi-Machine Management Multi-select and start all services together

Multi-Machine Management Custom Server Groups 1 2 3

Remotely Add Roles Local server Remote server (including Server Core) Offline VHD

Windows PowerShell

PowerShell Built-in Cmdlets Windows Server 2012, Windows 8, PowerShell 3.0

Show-Command Cmdlet Lets beginners run cmdlets from a dialog box Running without parameters displays a list of available cmdlets, functions, aliases and scripts installed on the system Can filter by Module Can search by Name

Robust Sessions Allow for reconnection to disconnected remote sessions This example creates a new session on a remote server, stores data in that session, and then disconnects it while leaving the session running. The name of the running session is Server1Session. The local connection variable is $RemoteSession. The following commands reconnect to the remote session (in this example, from the server where the session is still running) ↪ Enable-PSRemoting –Force ↪ $RemoteSession = New-PSSession –Name Server1Session –ComputerNameServer1 ↪ Invoke-Command –Session $RemoteSession –ScriptBlock {$date = Get-Date } ↪ Disconnect-PSSession –session $RemoteSession ↪ Exit ↪Get-PSSession –ComputerNameLocalhost ↪$LocalSession = Connect-PSSession –ComputerNamelocalhost –Name Server1Session ↪ Invoke-command –Session $LocalSession –Scriptblock { $date }

Workflows ↪ Workflow MyWorkflow {Write-Output -InputObject "Hello from Workflow!"} ↪ Get-Command –Name MyWorkflow –Syntax ↪ MyWorkflow The workflow keyword adds more than 20 new parameters, allowing users to specify such items as: A list of target machines for the workflow (-PSComputerName) Credentials to use for running the workflow (-PSCredential) Quotas to manage the workflow as the work scales (-PSRunningTimeoutSec) Ability to retry the whole workflow or specific activities in case there are connection issues (-PSConnectionRetryCount) Ability to persist or checkpoint some or all workflow activities, which will save the workflow metadata, output and errors to disk and enable you to resume workflow execution at given points during the execution (-PSPersist, -PSPersistInterval) Are typically started from a client computer Are ideal for executing long-running tasks across multiple target computers, usually gathering data from or make changes to managed nodes Are just like any other Windows PowerShell command, which means that you can use Get-Command to discover them and Get-Help to learn how to use them Can survive machine and network interruptions such as reboots.

Windows Server 2012 PowerShell Web Access Configure Web Access ↪ Install-PswaWebApplication –useTestCertificate ↪ Get-PswaAuthorizationRule ↪ Add-PswaAuthorizationRule –ComputerName * -UserName * -ConfigurationName * ↪ Get-PSWAAuthorizationRule Allows management of multiple computers from a web browser Enable through Add Roles and Features wizard in Server Manager Log in to gain full PowerShell access thru the browser

Delegated Permissions Allow for the use of alternate credentials during a Workflow Type the following command, and press Enter. When prompted, type the password for the referenced account. To set the RunAsUser property, use the Set-Item cmdlet with the $cred parameter as the value for the Value parameter. To make the change effective, type the following: To see the effects of the change, type the following: ↪ $Cred = Get-Credential –Credential contoso\administrator ↪ Set-Item WSMan:\localhost\Plugin\Microsoft.Powershell.Workflow\RunAsUser -Value $Cred ↪ Restart-Service WinRM ↪ Get-ChildItemWSMan:localhost\Plugin\Microsoft.Powershell.Workflow

Snippets Displays code snippets for selected commands Enabled in ISE by selecting Start Snippets from the Edit Menu Get-IseSnippet New-IseSnippet

Active Directory Enhancements

Active Directory Administrative Center Enhancements Active Directory Recycle Bin Fine Grained Password Policy Management PowerShell History Viewer Dynamic Access Control deployment

Active Directory Recycle Bin - Restoration of AD Objects 3 3 1 2 In ADAC, select Deleted Objects container Select item(s) to be restored Select Restore or Restore To

Windows PowerShell History Viewer Records underlying PowerShell commands when action is taken in the ADAC Administrator can copy/reuse in a PowerShell script 2 1 Deleted DHCP Users group Required Administrator account to use smart card for interactive login 4

Dynamic Access Control Allows Administrators to create and manage Central Access and Audit Policies in Active Directory, which can be managed through the ADAC Policies are based on conditional expressions that take into account who the user is, what device they are using and what data is being accessed Organizations can translate business requirements to efficient policy enforcement and considerably reduce the number of security groups needed for access control

Group Policy Enhancements Group Policy Management Console includes new capabilities that allow administrators to more easily track SYSVOL replication as it relates to Group Policy, as well as force Group Policy updates from a central location

Kerberos Constrained Delegation Changes Kerberos Constrained Delegation (KCD) permits a service’s account (front-end) to act on the behalf of users in multi-tier applications for a limited set of back-end services The challenge in earlier versions of Windows The front-end is configured with the service (by SPN) to which it can impersonate users Setup/administration requires Domain Admin privileges Only works for back-end services in the same domain as the front-end service accounts The solution in Windows Server 2012 Authorization decisions are moved to the resource owners Permits back-end to authorize which front-end service-accounts can impersonate users against their resources Supports cross-domain, cross-forest scenarios No longer requires Domain Admin privileges Requires only administrative permission to the back-end service-account

AD Deployment Enhancements Active Directory Domain Services (AD DS) deployment in Windows Server 2012 is simpler and faster than previous versions of Windows Server The new AD DS installation process is now built on Windows PowerShell and is integrated with Server Manager Includes prerequisite validation The wizard opens a PowerShell script containing all the options that were specified during the graphical installation ADPrep is now integrated into the AD DS installation process The AD DS server role can be installed on multiple servers at the same time AD DS installation wizard can be run remotely on an individual server AD DS installation and removal can be performed entirely with PowerShell (new forests, domains, DCs, etc.) Install-ADDSDomainController [SkipPreChecks] –SafeModeAdministratorPassword <SecureString> [-ADPrepCredential <PS Credential>] [-AllowDomainControllerReinstall] [-ApplicationPartitionsToReplicate <string[]>] [-ConfigureGlobalCatalog] [-CreateDNSDelegation] [-Credential <PS Credential>] [-CriticalReplicationOnly] [-DatabasePath <string>] [-DNSDelegationCredential <PS Credential>] [-DNSOnNetwork] [-DomainName <string>] [-InstallationMediaPath <string>] [-InstallDNS] [-LogPath <string>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-RebootOnCompletion] [-ReplicationSourceDC <string>] [-SiteName <string>] [-SkipAutoConfigureDNS] [-SYSVOLPath] [-WhatIf] [-Confirm] [<CommonParameters>]

Virtualized AD DS Windows Server 2012 includes enhancements that improve the administrative experience when virtualizing domain controllers Safe virtualization of domain controllers AD DS relies on the hypervisor platform to expose an identifier called VM GenerationID to detect if a virtual machine has been rolled back in time. The design uses a hypervisor-agnostic mechanism for surfacing the VM GenerationID in the virtual machine. Virtualized domain controller cloning Administrators can now promote a single virtual domain controller per domain and rapidly deploy all additional replica virtual domain controllers through cloning. Administrators no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain controller and then complete additional configuration requirements for every replica domain controller. AD Snapshots Windows Server 2012 domain controllers detect snapshot restoration and non-authoritatively synchronize the delta of changes for AD DS and SYSVOL, making domain controller virtualization safer.

Active Directory Based Activation (ADBA ) Existing Active Directory environment can be used for activation of clients No additional machines required Uses LDAP exclusively; no RPC requirement Includes RODCs Beyond activation, no data written back to the directory Activation object maintained in Configuration Partition Represents proof of purchase Computers can be a member of any domain in the Forest Leveraged only by Windows 8 computers Requires Windows Server 2012 AD Schema, not Windows Server 2012 domain controller Can coexist with KMS KMS is still required for down-level volume licensing

Continuously Available File Shares

Continuously Available Scale Out File Server Architecture Cluster platform for a continuously available scale out file server Cluster-wide client access point Consistent cluster-wide file server configuration CSV cluster-wide file system Zero client downtime failover – both planned and unplanned downtime Accessing VHDs over SMB Hyper-V Cluster Single Logical Server (\\Foo\Share) Single File System Namespace Cluster Shared Volumes File Server Cluster

Storage Spaces and Thin Provisioning

How does Storage Spaces Work? An example… Disk Management show the 4 disks online and initialized Primordial Pool is populated in the File and Storage Services Interface Drive array presenting 4 100GB LUNs

Deduplication Capacity Optimization Scale and Performance Reliability and Data Integrity Start-DedupJob –type optimization –Volume E: Enable & Configure Deduplication on volume Saved Space

Managing Storage with PowerShell PowerShell is required to access many of the advanced features afforded by the new Storage Management application programming interface (API) Example: New-StoragePool Parameters configured with GUI and PowerShell Underlying storage pool name Virtual disk name Resiliency setting (Simple, Mirror, or parity) Provisioning type (Thin or Fixed) Virtual disk size Parameters configured only with PowerShell Number of columns: the number of columns the virtual disk contains Number of data copies - number of complete copies of data that can be maintained Disk interleave - number of bytes forming a stripe Physical disks to use - specific disks to use in the virtual disk

Integrating Storage Pools with Failover Clustering Clustered Storage Spaces require fixed provisioning Clustered virtual disks require underlying hardware to support persistent reservations

NIC Teaming with Load Balancing

Architectural Components 2 basic sets of algorithms for NIC teaming Switch-dependent modes Require the switch to participate in the teaming Types Generic or static teaming Dynamic teaming (LACP) Switch-independent modes Do not require the switch to participate in the teaming Traffic distribution methods Hyper-V switch port Address Hashing (TransportPorts) Requirements 1 NIC to be used for VLAN traffic At least 2 NICs for all modes that provide fault protection through failover Up to 32 NICs per team

NIC Teaming in VMs NIC Teaming in Windows Server 2012 is supported in a VM Virtual network adapters that are connected to more than one Hyper-V switch can still have connectivity even if the network adapter under that switch gets disconnected Useful when working with SR-IOV Each Hyper-V switch port associate with a VM that is using NIC Teaming must be set to allow Teaming in the host (parent partition) using PowerShell with administrative permissions: Teams created in a VM can only run in Switch Independent configuration, Address Hash distribution mode Only teams where each of the team members is connected to a different Hyper-V switch are supported Each Hyper-V switch port that is associated with a virtual machine that is using Teaming must be set to allow MAC spoofing Hyper-V NICs exposed in the parent partition (vNICs) must not be placed in a Team Set-VMNetworkAdapter -VMName <VMname> -AllowTeaming

Interactions with Distribution Modes

Interaction with 3rd-Party Teaming Solutions STRONGLY RECOMMENDEDthat no system administrator ever run two teaming solutions at the same time on the same server. The teaming solutions are unaware of each other’s existence resulting in potentially serious problems. x If the system administrator attempts to put a NIC into a 3rd party team that is presently part of a Microsoft NIC Teaming team the system will become unstable and communications may be lost completely If the system administrator attempts to put a NIC into a Microsoft NIC Teaming team that is presently part of a 3rd party teaming solution team the system will become unstable and communications may be lost completely

Updated Windows Server 2012 Licensing Editions Features License Type Virtualization Rights Each license covers up to Two physical processors Provide all the capabilities to enable any private cloud workload Private cloud technology offered in two editions (Standard, Datacenter) differentiated only by virtualization rights Two virtual instances Unlimited Windows Server 2012 Standard Standard Low density or no virtualization Microsoft System Center 2012 Standard Enrollment for Core Infrastructure (ECI) Standard Core Infrastructure Suite (CIS) Standard Windows Server 2012 Datacenter Datacenter High density virtualization Microsoft System Center 2012 Datacenter Enrollment for Core Infrastructure (ECI) Datacenter Core Infrastructure Suite (CIS) Datacenter Notes: Windows Server continues to require Client Access Licenses (CALs) Enrollment for Core Infrastructure (ECI) has a 25 license minimum and includes a 20% discount on new purchases Core Infrastructure Suite (CIS) has no minimum purchase and includes a 5% discount on new purchases

SMB 3.0 Multichannel

Installation and Configuration Prerequisites At least two computers running Windows Server 2012 or Windows 8. At least one of the configurations below: Multiple network adapters One or more network adapters that support RSS (Receive Side Scaling) One of more network adapters configured with NIC Teaming One or more network adapters that support RDMA (Remote Direct Memory Access) Sample Configurations that do not use SMB Multichannel Single non-RSS-capable network adapters Network adapters of different speeds Installation None Enabled by default in Windows Server 2012 and Windows 8 Can be disabled, re-enabled and configured with PowerShell

Multichannel, RDMA and NIC Teaming Compatibility

Windows Server 2012 for SQL Server DBAs