Chapter 5

Understanding the VMM Library

The VMM library is a catalog that provides access to all the resources you need to support a cloud, whether they are stored on library shares or in the VMM database. The library can also store virtual machines when they are not in use; therefore it is effectively a resource for everything deployed to the private cloud.

This chapter covers all aspects of setting up, configuring, and maintaining the VMM library, including the following:

  • Understanding the requirements for building a library
  • Deploying library servers and shares
  • Associating library servers with particular host groups
  • Keeping resources such as VHDs, ISOs, and templates in the library and using them to create and deploy virtual machines
  • Installing and configuring fabric patching within the environment
  • Scanning for compliance and remediating the server fabric

Introducing the Library Role in VMM

The VMM library acts as a central resource for all that is deployed to the private cloud. Leveraging the library will help you promote a consistent set of standards as you build out your private cloud; it will also encourage the reuse of IT-approved configurations and images.

A default library share is created as part of the VMM installation process. During the installation, the default is to create a library share on the VMM management server. This is located on the system drive in

%systemroot%\ProgramData\Virtual Machine Manager Library Files

and the default share name is MSVMMLibary. Additional library servers and library shares can be added post-installation, via the VMM Administration console.

The design of your library-server architecture deserves some thought. During a proof of concept or for a small production implementation, leveraging the default library share might be appropriate; however, as you move to a mid-to-large-scale production environment, concerns over scalability and high availability will drive the design of your library-server architecture, as shown in Figure 5.1.

Figure 5.1 Sample library-server architecture


As a best practice, Microsoft recommends that you make the library server highly available by using a file share managed by a Windows failover cluster. This library share might reside on an existing Windows failover cluster that might host other services and applications, or it might reside on a dedicated Windows failover cluster as either a guest cluster running within the private cloud-management fabric or as a dedicated, physical Windows failover cluster outside of the management fabric.

VMM supports adding a file share on a Windows failover cluster using the following operating-system versions and editions:

  • Windows Server 2008 SP2, Enterprise Edition, x86 or x64
  • Windows Server 2008 SP2, Datacenter Edition, x86 or x64
  • Windows Server 2008 R2 SP1, Enterprise Edition
  • Windows Server 2008 R2 SP1, Datacenter Edition

Library-Server Hardware Requirements

A number of factors influence the hardware requirements for your library servers. However, the library server is a repository; its main tasks are to store and retrieve content. Therefore, storage capacity and input/output operations per second (IOPS) strongly influence your library design. The level of change within the environment, the number of library servers, and their geographical placement are all factors as well.

There are no hard and fast answers here. Chapter 4, “Setting Up and Deploying VMM 2012,” lays out the requirements for a library server.


Real-World VMM Library-Server Sizing
Sizing any type of server can be a challenge; and while there is no one single answer, we want to give you some insight into the hardware sizing for our production library servers.
We have at present around 45 cloud-based projects, and each cloud project has an average of 10 virtual machines running on the server fabric.
Because each of our library servers runs within a virtual machine, we have allocated two logical processors and a dedicated 1 GbE network adapter. The memory allocation for this virtual machine is 2 GB. The disk capacity is approximately 1 TB.
The 1 TB of disk space accommodates approximately 240 virtual hard disks (VHDs), which are base operating-system images and approved patches, totaling around 700 GB. Another 290 GB contains approximately 250 CD/DVD images (ISO files), which mainly contain Windows distributions that are locale/Multilingual User Interface-specific.

Adding Library Servers

VMM is not limited to a single library server. In designing the logical architecture for your VMM implementation, you might decide to add additional library servers because your implementation spans more than one data center or because you need to support one or more remote sites. Having all the required files available locally enhances the performance of your virtual environment and reduces network traffic.

Use the following procedure to add a library server to VMM:

1. In the VMM console, select the Library workspace (Figure 5.2).

Figure 5.2 Library servers and shares

2. On the Home tab, in the Add group, click Add Library Server. The Enter Credentials screen appears.
3. Enter the username and password for a domain account that has administrative rights on the server you intend to add as your library server, and click Next.
You can use a Run As account or you can manually specify a set of credentials in the format domain\user. If you need to create a Run As account, you can do so from the Select Run As Account screen.
The Select Library Servers screen appears.
4. Enter the domain and computer name of the server you want to add, and click Add.
If you don't know the server name, you can use the Search button to help you find it. By default VMM does not perform Active Directory name verification, but you can require verification by unchecking the check box.
5. When the intended server's fully qualified domain name appears in the Selected Servers box, click Next. The Add Library Shares screen appears.

Adding a Highly Available Library Server
If you plan to implement a highly available library server, select the Client Access Point that is associated with the file server. An informational pop-up message indicates the VMM agent will be installed on all nodes in the cluster.

6. Select the check box next to each library share you want to add, and optionally select the check box in the Add Default Resources column. Click Next.
If you ask for default resources, VMM adds the ApplicationFrameworks folder to the library share. Resources in the ApplicationFrameworks folder include x86 and x64 versions of the Server App-V agent and sequencer, Windows PowerShell cmdlets for Server App-V, and Microsoft web deployment tools. The folder also includes scripts that add application profiles in a service template or install virtual applications and web applications during service deployment.
The Summary screen appears.
7. Review the settings and click Add Library Servers.
The Jobs window opens, enabling you to follow the progress and ensure that the library server and share are added successfully. You should see them in the Library Servers node of the VMM console (Figure 5.2).

Adding a Library Share

Your VMM library server is composed of one or more file shares, which are either local to the management server or are located over the network, on file shares managed by VMM.

Before a library share can be added to the library server, you must manually create the shared folder on the intended server.

Use the following procedure to add an additional library share to VMM:

1. In the VMM console, select the Library workspace.
2. Expand the Library Servers node, and select the library server where you want to add the share.
3. On the Library Server tab, click Add Library Shares. The Add Library Shares screen appears.
4. Select the check box next to the library share you want to add, optionally select the check box in the Add Default Resources column, and click Next. The Summary screen appears.
5. Review your settings and click Add Library Shares.

The Jobs window opens, enabling you to follow the progress and ensure that the share is added successfully. You should see it in the Library Servers node of the VMM console.

Associating Library Servers to a Host Group

Library servers can be added to host groups to further organize them. This is accomplished by modifying the properties of a library server in the VMM console. During placement, VMM uses this association as an input to help determine where to obtain library resources.

Use the following procedure to associate a library server with a host group:

1. In the VMM console, select the Library workspace.
2. In the Library pane, expand the Library Servers node, and select the library server you want to associate with a specific host group.
3. On the Library Server tab, click Properties. The General Properties dialog box opens.
4. In the Host Group drop-down list, click the host group with which you want to associate the library server. Optionally check the Allow Unencrypted Transfers check box. Click OK.
By default, all file transfer operations into and out of the library use SSL encryption (MPPE and RC4). This is enabled by default in VMM and nothing specific needs to be configured to make this work.
If you have already implemented another form of encryption within your environment (for example, IPSec) or have otherwise secured your environment, you can use unencrypted file transfers to improve performance during virtual-machine creation and migration.

Associating Library Servers
You can associate a library server with only one host group, as defined in your host-group hierarchy. However, child host groups (host groups below the main host group you select during association) are automatically associated with the library server. It is also possible to associate more than one library server with a single host group.
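
The following added example (it is not from the book or from Microsoft) audits the Allow Unencrypted Transfers setting across library servers and the host groups they serve, including child host groups. It assumes that a transfer runs unencrypted only when both the library server and the host group allow it; the record field names, server names, and the approved-path list are constructed for illustration, and in a live environment the records would be built from the output of Get-SCLibraryServer and Get-SCVMHostGroup.

```powershell
# Added example: report where library file transfers may run without encryption.
# Field names (Name, HostGroupPath, Path, AllowUnencryptedTransfers) belong to
# this example's input records and are assumptions, not a documented VMM schema.

function Get-LibraryTransferFinding {
    [CmdletBinding()]
    param(
        # One record per library server: Name, HostGroupPath, AllowUnencryptedTransfers
        [Parameter(Mandatory = $true)] [object[]] $LibraryServer,
        # One record per host group: Path, AllowUnencryptedTransfers
        [Parameter(Mandatory = $true)] [object[]] $HostGroup,
        # Host-group paths where unencrypted transfers were approved because another
        # control (for example IPsec) already protects the traffic. Exact match only:
        # approval of a parent is deliberately not inherited by its children.
        [string[]] $ApprovedPath = @()
    )

    foreach ($lib in $LibraryServer) {
        # The association covers the selected host group and every child below it.
        $root   = $lib.HostGroupPath.TrimEnd('\')
        $prefix = $root + '\'   # trailing separator stops 'London' matching 'Londonderry'
        $served = @($HostGroup | Where-Object {
            $_.Path -eq $root -or
            $_.Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        })

        foreach ($hg in $served) {
            $libAllows = [bool]$lib.AllowUnencryptedTransfers
            $hgAllows  = [bool]$hg.AllowUnencryptedTransfers

            # Assumption: a transfer is unencrypted only if BOTH ends allow it.
            if ($libAllows -and $hgAllows) {
                if ($ApprovedPath -contains $hg.Path) {
                    $finding = 'Unencrypted (approved)'
                }
                else {
                    $finding = 'Unencrypted (NOT approved)'
                }
            }
            elseif ($libAllows -or $hgAllows) {
                # Still encrypted today, but one change away from cleartext.
                $finding = 'Encrypted (one side still allows unencrypted)'
            }
            else {
                $finding = 'Encrypted'
            }

            [pscustomobject]@{
                LibraryServer   = $lib.Name
                HostGroup       = $hg.Path
                LibraryAllows   = $libAllows
                HostGroupAllows = $hgAllows
                Finding         = $finding
            }
        }
    }
}

# --- Constructed sample inventory (not real systems) ---
$libraryServers = @(
    [pscustomobject]@{ Name = 'lib01.contoso.example'; HostGroupPath = 'All Hosts\London';  AllowUnencryptedTransfers = $true  }
    [pscustomobject]@{ Name = 'lib02.contoso.example'; HostGroupPath = 'All Hosts\Seattle'; AllowUnencryptedTransfers = $false }
)

$hostGroups = @(
    [pscustomobject]@{ Path = 'All Hosts';                   AllowUnencryptedTransfers = $false }
    [pscustomobject]@{ Path = 'All Hosts\London';            AllowUnencryptedTransfers = $true  }
    [pscustomobject]@{ Path = 'All Hosts\London\Production'; AllowUnencryptedTransfers = $true  }
    [pscustomobject]@{ Path = 'All Hosts\London\Test';       AllowUnencryptedTransfers = $false }
    [pscustomobject]@{ Path = 'All Hosts\Londonderry';       AllowUnencryptedTransfers = $true  }
    [pscustomobject]@{ Path = 'All Hosts\Seattle';           AllowUnencryptedTransfers = $true  }
)

# Only the London parent group was signed off for unencrypted transfers.
$approved = @('All Hosts\London')

Get-LibraryTransferFinding -LibraryServer $libraryServers -HostGroup $hostGroups -ApprovedPath $approved |
    Sort-Object LibraryServer, HostGroup |
    Format-Table -AutoSize
```

With the sample data, the child group All Hosts\London\Production is reported as unencrypted and not approved: it inherits the library association from its parent, but the approval recorded for the parent does not extend to it.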

Adding Resources to the Library

Before the library can function and serve a purpose, you must add content to it. Content resides either in files or in the VMM database. This section shows you how to add content of each type.

Adding File-Based Resources

Adding file-based resources like VHDs, ISOs, and deployment scripts must be done manually, outside of VMM. When you add files to a library share, the files do not appear in the library until after the next library refresh. The default and minimum library refresh interval value is 1 hour.

To make files available immediately, you must manually refresh the library server or share. If you move files within or between library shares, you must manually refresh the destination shares. During a library refresh, VMM indexes the files stored on the library share and then updates the Library workspace with the resource listings.

To add file-based resources to the library, do one of the following:

  • Without using the VMM console, browse to the library share and then manually copy the files you need.
  • In the VMM console, in the Library workspace, expand Library Servers, right-click a library share, and click Explore. Again manually copy the files you need.
  • In the VMM console, on the Home tab, use the Import Physical Resource and Export Physical Resource options to move file-based resources between library shares.

Use the following procedure to refresh the library server:

1. In the VMM console, select the Library workspace.
2. In the Library pane, expand the Library Servers node, right-click the library server you want to refresh, and select Refresh.

During a library refresh, VMM indexes the files stored on the library share and then updates the Library workspace and resource listings. Not all files are indexed, and not all indexed files are displayed in the Library workspace. The following file types are the ones added as library resources during library refreshes:

  • Virtual hard disks— .VHD files (Hyper-V and Citrix XenServer) and .VMDK files (VMware)
  • ISO image files— .ISO files
  • PowerShell scripts— .ps1 files
  • SQL Server scripts— .sql files
  • Web Deploy (MSDeploy) packages— .ZIP files
  • SQL Server data-tier applications (DACs)— .dacpac files
  • Server App-V packages— .osd files
  • Driver files— .inf files
  • Answer files— .inf and .xml
  • Custom resources folders—those with a .cr file extension
  • Virtual floppy disks— .vfd (Hyper-V) and .flp (VMware)

The following configuration-file types are indexed but are not added to the Library workspace as library resources:

  • Virtual machine export files— .EXP (Hyper-V) and .VMX (VMware)
  • Virtual machine saved-state files— .VSV (Hyper-V)
  • Virtual machine memory files— .BIN (Hyper-V)
  • Virtual machine configuration files— .VMTX (VMware)
  • VHDs, ISOs, and VFDs that are attached to a virtual machine

Adding Templates and Profiles

A template is a library resource that consists of a number of other configuration components. Typically, these components are stored in the VMM database (with the exception of the virtual hard disk) and are not represented as physical files in the Library workspace. They include the following:

  • Hardware profile
  • Guest operating-system profile
  • Capability profile
  • Application profile (which is part of a service template)
  • SQL Server profile (which is part of a service template)
  • Virtual hard disk

Templates provide a standardized group of hardware, software, and application settings you can consistently reuse to create multiple new virtual machines configured with those settings applied. VMM supports two types of templates:

  • Virtual-machine template
  • Service template (which is covered in Chapter 8, “Understanding Service Modeling”)

Creating a Hardware Profile

A hardware profile is a library resource that contains the hardware specifications that will be applied to a new virtual machine or to a virtual-machine template. A hardware profile contains specifications for things like the CPU, memory, floppy drive, COM ports, video adapter, DVD drive, and network adapters; it also contains the priority given to the virtual machine when resources are allocated on a virtual-machine host and specifies which capability profile to leverage when validating your hardware profile.

After specifying a hardware profile for a specific virtual machine, you can go back and change the settings that were imported. These changes do not affect the hardware profile, nor is any association maintained with the hardware profile after the virtual machine is created.

Use the following procedure to create a new hardware profile:

1. In the VMM console, select the Library workspace.
2. On the Home tab, in the Create group, click Create and select Hardware Profile. The New Hardware Profile screen appears.
3. Enter a name and description for your hardware profile.
4. Click the Hardware Profile tab (Figure 5.3) and configure your hardware profile as appropriate.

Figure 5.3 Hardware profile properties


Creating a Guest Operating-System Profile

A guest operating-system profile is a collection of operating-system settings and values that can be imported into a virtual-machine template to provide a consistent operating-system configuration for virtual machines that are deployed from that template.

A guest operating-system profile contains specifications for things like computer name, administrative password, time zone, which roles and features to install (in the case of deploying Windows Server 2008 or above), and which workgroup or domain to join. You can attach a dedicated answer file to apply additional settings outside of the guest operating-system profile.

Guest operating-system profiles are database objects that do not have physical files associated with them within the library. The profiles are configured in the Library workspace, where they are displayed under the Profiles node.

Use the following procedure to create a new guest operating-system profile:

1. In the VMM console, select the Library workspace.
2. On the Home tab, in the Create group, click Create and select Guest OS Profile. The New Guest OS Profile screen appears.
3. On the General tab, enter a profile name and description.
4. On the Guest OS Profile tab (Figure 5.4), configure your guest OS profile as appropriate.

Figure 5.4 Guest OS profile properties


Creating a Virtual Machine Template

Virtual-machine templates are used to create new virtual machines, providing a repeatable way of deploying standardized hardware and software settings. A virtual-machine template is a library resource that consists of the following components:

  • Virtual hard disk
  • Hardware profile
  • Guest operating-system profile

Use the following procedure to create a new virtual-machine template:

1. In the VMM console, select the Library workspace.
2. On the Home tab, in the Create group, click Create VM Template. The Select VM Template Source screen appears.
3. Using the Search box, browse to a virtual hard disk or template to be used as the starting point for the new template. Click OK, and click Next. The VM Template Identity screen appears.
4. Enter a name and description for the VM template, and click Next. The Configure Hardware screen appears (Figure 5.5).

Figure 5.5 Configuring hardware

5. Select your predefined hardware profile or configure a new hardware profile and click Next. The Configure Operating System screen appears (Figure 5.6).

Figure 5.6 Configuring an operating system

6. Select your predefined guest OS profile or configure a new guest OS profile, and click Next. The Configure Applications screen appears.
7. Click Next.
Note that application configuration is available only for Windows Server guest operating systems. Chapter 8 discusses application profiles in more detail.
The Configure SQL Server screen appears.
8. Click Next.
Note that SQL configuration is available only for Windows Server guest operating systems. Chapter 8 discusses SQL profiles in more detail.
The Summary screen appears.
9. Review your choices and click Create.

Creating a Virtual Machine from a Template

Creating a virtual machine is one of the main tasks that a VMM administrator will perform, and configuring the multitude of hardware and software settings available can be a fairly repetitive task. The virtual-machine template provides a repeatable way to deploy standardized hardware and software settings.

Use the following procedure to create a virtual machine from a template:

1. In the VMM console, select the VMs And Services workspace (Figure 5.7).

Figure 5.7 Creating a VM

2. On the Home tab, in the Create group, click Create Virtual Machine and select Create Virtual Machine. The Select Virtual Machine Source screen appears.
3. Use the search box to browse to the VM template on which to base the new virtual machine. Click OK, and click Next. The Specify Virtual Machine Identity screen appears.
4. Enter a name and description for the virtual machine. Click Next. The Configure Hardware screen appears.
5. Select a predefined hardware profile or configure a new hardware profile. Click Next. The Configure Operating System screen appears.
6. Select a predefined guest OS profile or configure a new guest OS profile. Click Next.
The Select Destination screen appears with the To Place The Virtual Machine On A Host option already selected because it is the only option.
7. Click Next. The Select Host screen appears.
8. Select the host best suited for the workload rated by intelligent placement. Click Next. The Configure Settings screen appears.
9. Review the values that will be used to create your new virtual machine. Click Next. The Select Networks screen appears.
10. Select the logical network for your virtual machine to use, the virtual network to bind to, and any VLAN settings to be applied. Click Next. The Add Properties screen appears.
11. Specify the automatic actions for your virtual machine when the virtualization host is either started or stopped. Include or exclude this virtual machine from optimization actions. Click Next. The Summary screen appears.
12. Review the configuration summary and click Create.

Storing Virtual Machines in the Library

At some point, you may want to store a previously running virtual machine in the library. By doing so, you can preserve the state of the virtual machine for later use. There are many reasons to preserve a VM. For example, you can use your stored VM to make multiple copies to run several other virtual desktops.

Use the following procedure to store a running virtual machine in the library:

1. In the VMM console, select the VMs And Services workspace, right-click the virtual machine, and select Store In Library. The Select Library Server screen appears.
2. Select the library server you want to use to store the virtual machine, and click Next. The Select Path screen appears.
3. Click Browse, expand the library share, select the directory where you want to submit your virtual machine, and click OK. Then click Next. The Select Library Server screen reappears.
4. Select the library server you want to use to store the virtual machine, and click Next. The Summary screen appears.
5. Review your choices and click Store.

Equivalent Objects

If your VMM library has multiple locations, you'll want users to be able to use resources without regard to location, but you'll want VMM to supply those resources from a local library share if possible. To support this ability, you can define sets of library objects as equivalent. If users request one resource in a set of equivalent objects, VMM can substitute any other resource in that set to satisfy the request.

In previous versions of VMM, the only way to do that was to create different VM templates referring to different library shares. With equivalent objects, you can use a single template and let VMM access the resources from the most convenient location. That is, VMM is location-aware so that you don't have to be.

The resources that you call equivalent must be of the same file type, either virtual hard disk (VHD) or image file (ISO).


Note
By default during VMM installation, the custom resources of Server App-V and Web Deployment Framework are automatically added to the library as equivalent objects. If you add multiple library shares and choose to add default resources, when creating a new library share the custom resources are all automatically marked as equivalent.

Use the following procedure to mark file-based resources in the library as equivalent:

1. In the VMM console, select the Library workspace.
2. In the Physical Library Objects pane, click the Type column header to sort the contents of the library by resource type.
3. Select the file-based resources that you want to mark as equivalent.
Use the Ctrl and Shift keys according to the usual Windows conventions for specifying disjointed selections and ranges.
4. Right-click the selected resources, and click Mark Equivalent. The Equivalent Library Objects screen appears.
5. Specify the Family Name and Release Value, and click OK.
The objects you marked as equivalent should appear in the Equivalent Objects node of the Library pane in the console (Figure 5.8).

Figure 5.8 Equivalent objects


Use the following procedure to modify equivalent file-based resources in the library:

1. In the VMM console, select the Library workspace.
2. In the Library pane, expand the Equivalent Objects node, expand the Family Name and Release Value, right-click the resource object, and select Properties.
3. On the General tab, modify the values as appropriate. To remove an object from a set of equivalent objects, delete the Family Name and Release Value.

Removing Resources from the Library

Library resources can be removed from the Library workspace, and specific library object files that are stored on a library share can be disabled.

When you no longer need a file in the VMM library, Microsoft recommends that you remove the file through the VMM console. If you remove the file from a library share outside the console, any library resources that use that file must be repaired and references to the deleted file must be removed. If you use the Remove option (Library Server tab → Remove Group) to remove the object, VMM lists any dependencies that reference the file; and if you proceed, VMM removes the reference to the deleted file from the library resource that used it.

Disabling Library Resources

Only file-based resources can be disabled in VMM. Use the following procedure to disable a resource in the library:

1. In the VMM console, select the Library workspace.
2. Select the Library Servers node to get an entire view of what file-based resources are available across your entire library infrastructure, or select the library server that hosts the library object you want to disable (Figure 5.9).

Figure 5.9 Disabling file-based resources

3. Select the library object in question, and from the Library Object tab in the Action group, click Disable.
The library object's status changes from OK to OK (Disabled). To re-enable the object, select the library object and, from the Action group, click Enable.

Deleting Files from the Library

File-based resources can be deleted from the library server. Use the following procedure to delete a resource from the library:

1. In the VMM console, select the Library workspace.
2. Select the Library Servers node to get an entire view of what file-based resources are available across your entire library infrastructure, or select the library server that hosts the library object you want to delete (Figure 5.9).
3. Select the library object and from the Object tab in the Delete group, click Delete.
VMM warns you that it will delete the associated file from the library share, not just remove the resource from management.
4. Click Yes to delete the library object.

Removing a Library Share or Server

Use the following procedure to remove a library server or share from management:

1. In the VMM console, select the Library workspace.
2. Expand the Library Servers node and select the library server from which you want to delete the share. On the Folder tab, click Remove.
VMM informs you that the library share will be removed from management, but that no files will be deleted.
3. Click Yes to remove the library share from management.

Use the following procedure to remove an entire library server from management:

1. In the VMM console, select the Library workspace.
2. Expand the Library Servers node, and select the library server you want to remove.
3. On the Library Server tab, in the Remove group, click Remove.
4. Enter the necessary credentials to connect to the library server.
Specify an account manually or use an existing Run As account. Either account must have Administrator rights on the library server.
5. Click OK to remove the server from management.

Updating the Catalog and Baselines

With VMM, Microsoft provides the ability not only to build and cluster the virtualization fabric but also to maintain and optimize that fabric, all from a single pane of glass.

VMM requires the x64 version of Windows Server Update Services (WSUS) 3.0 SP2. The WSUS server role can be installed on the VMM management server or on a remote server. Because VMM places an agent on the WSUS server, the supported operating-system version is limited by the VMM Agent prerequisites. The remote server must be running Windows 2008 or higher. No support for Windows 2003 is provided. Chapter 4 describes the requirements for an update server.

Benefits of Managing Fabric Updates with VMM

Managing the server fabric, which includes Hyper-V hosts, Hyper-V clusters, and VMM server roles (i.e., the management server, library servers, Preboot Execution Environment (PXE) servers, and WSUS servers) can be a challenge in terms of compliance and remediation.

VMM supports on-demand compliance scanning and server-fabric remediation. VMM administrators can monitor the update status of the server fabric, scan for compliance, and remediate updates for a selected group of servers. They can also exempt specific servers within the fabric from installing specific updates.

VMM supports orchestrated updates of Hyper-V host clusters. When a VMM administrator performs update-remediation tasks on a host cluster, VMM places one Cluster node at a time into maintenance mode and then installs the selected updates.

If the cluster supports live migration, intelligent placement is used to live-migrate the virtual machines off the Cluster node. If the cluster does not support live migration, as is the case for Windows 2008, then VMM will put the virtual machine into a saved state.

Managing the WSUS Server

After you add a WSUS server under the control of VMM, you should not continue to manage the WSUS server with the WSUS console; this may be one of the reasons you decide to implement a dedicated WSUS server to patch your server fabric.

In VMM, an administrator updates the properties of the update server to configure a proxy server for synchronization and to change the update categories, products, and any supported languages that are to be synchronized by the WSUS server. If you add the update server to VMM in Secure Sockets Layer (SSL) mode, you can update the proxy-server credentials for synchronization in the update server's properties. If the update server is not added to VMM in SSL mode, the proxy-server credentials are managed in the WSUS Administration console.

In VMM, administrators and delegated administrators can manage fabric updates. Only administrators can manage the update server and synchronize updates. Delegated administrators can scan and remediate updates on machines that are within the scope of their defined user role. Delegated administrators can use baselines created by administrators and other delegated administrators. However, delegated administrators cannot modify or delete baselines created by others.

Deploying a WSUS Server

To manage updates in VMM, you must either install a dedicated WSUS server or use an existing WSUS server. VMM uses the WSUS Windows Update/Microsoft Update catalog, Windows Update Agent (WUA) integration in Windows Server, and a WSUS server for binary distribution to managed computers.

You can install the WSUS server on the VMM management server. However, Microsoft recommends using a remote WSUS server, especially if the VMM management server is managing a large number of computers. If you install WSUS on a remote server, you must install a WSUS console on the VMM management server and then restart the VMM service.


Should You Use a Remote WSUS?
If you are managing a large enough environment, you may want to consider implementing a remote WSUS server. A good rule of thumb is to offload the WSUS server away from VMM when the VMM management server is managing more than 150 hosts.

If you plan to use a highly available VMM management server, Microsoft recommends that you use a remote WSUS server. With a highly available VMM management server, you must install a WSUS console on each node of the cluster to enable the VMM service to continue to support fabric updates.

WSUS Server Prerequisites

Before you install the WSUS server, ensure that the intended server meets all WSUS prerequisites. You must install the Web Server (IIS) role in Windows Server. In addition to the roles or services that are added by default, WSUS requires the following role services:

  • ASP.NET
  • Windows authentication
  • Dynamic content compression
  • IIS 6 management compatibility

Installing a WSUS Server

Use the following procedure to install a dedicated WSUS server to your environment running on Windows 2008 R2 SP1:

1. Launch Server Manager, select the Roles node, and then click Add Roles. The Add Roles Wizard appears.
2. Click Next. The Select Server Roles screen appears.
3. Select Windows Server Update Services, and click Install. The Add Role Services Required For Windows Server Update Services screen appears.
4. Note which additional roles are required as a dependency and click Add Required Role Services.
5. Click through the following pages:
  • On the Web Server (IIS) page, click Next.
  • On the Select Role Services page, click Next.
  • On the Windows Server Update Services page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. Click through the following screens:
  • On the Welcome To Windows Server Update Services Wizard page, click Next.
  • On the License Agreement page, click Agree.
  • On the Required Components To Use the Administration UI page, click Next.
  • On the Select Update Source page, accept the default storage location.
  • On the Database Options page, accept the default.
  • On the Website Selection page, accept the default.
  • On the Ready To Install Windows Server Update Services page, click Next.
  • On the Completing The Windows Server Update Services Setup page, click Next.
  • On the Windows Server Update Services Configuration Wizard page, click Next.
  • On the Join The Microsoft Update Improvement Program page, click Next.
The Choose Upstream Server screen appears (Figure 5.10).

Figure 5.10 Choosing an upstream server

8. Select Synchronize from Microsoft Update, and click Next. The Specify Proxy Server screen appears.
9. Enter the details of your proxy server (if applicable), and click Next. The Choose Languages screen appears.
10. Select the update languages you require, and click Next. The Choose Products screen appears.
11. Select the products for which you want to download updates, and click Next. The Choose Classifications screen appears.
As a best practice, synchronize only the languages, products, and classifications associated with your server fabric.
12. Select the classifications for which you want to download updates, and click Next. The Set Sync Schedule screen appears (Figure 5.11).

Figure 5.11 Setting the sync schedule

13. Select manual or automatic synchronization. For automatic synchronization, specify the synchronization schedule. Click Next.
14. Click through the remaining screens:
  • On the Finished Configuration screen, click Next.
  • On the What's Next screen, click Finish.
  • On the Installation Results screen, click Close.
15. To verify that WSUS has been installed successfully, use the Windows Start menu and navigate to Administrative Tools → Windows Server Update Services. You should see the Update Services screen (Figure 5.12).

Figure 5.12 Windows Server Update Services

16. Click the server name to expand it, and then click Synchronizations to verify that the initial synchronization was successful.

Installing the WSUS Console

Use the following procedure to install the WSUS console on your VMM management server. This step is required when the WSUS server is installed on a remote server:

1. Download the x64 version of WSUS 3.0 SP2 (WSUS30-KB972455-x64.exe) from the following location:
2. Run the downloaded program. The Windows Server Update Services 3.0 SP2 Wizard appears.
3. Click through the screens:
  • On the Welcome screen, click Next.
  • On the Installation Mode Selection screen, select only the Admin console.
  • On the License Agreement screen, click Accept.
  • On the Required Components screen, click Next.
  • On the Completing screen, click Finish.
4. On the VMM management server, open a command window. From the Start menu, navigate to Accessories → Command Prompt.
5. Enter net stop scvmmservice to stop the VMM service.
6. Restart the VMM service by entering net start scvmmservice.
The VMM service starts, and the WSUS console is available.

Adding the WSUS Server to VMM

Use the following procedure to add a remote WSUS server to the server fabric and enable update management:

1. In the VMM console, select the Fabric workspace (Figure 5.13).

Figure 5.13 Updating the server

2. On the Home tab, in the Add group, click Add Resources and then click Update Server. The Add Windows Update Server Services screen appears.
3. In the Computer Name field, enter the fully qualified name of the WSUS server (for example, wsus1.private.cloud).
4. In the TCP/IP Port field, specify the port number that the WSUS website uses to listen for connections.
If you installed WSUS with default values and are using the default website, the TCP/IP port should be 80.
5. Enter the necessary credentials for connecting to the WSUS server.
Either specify an account manually or use an existing Run As account. Either account must have administrator rights on the WSUS server.
6. Optionally, check the Use Secure Sockets Layer (SSL) check box and click Add.
The WSUS server is added to VMM and begins to synchronize the updates catalog. Depending on how many update classifications and products you chose when you installed the WSUS server, this operation can take some time.

Use the following procedure to verify that the remote WSUS server has been added to the server fabric successfully:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, expand the Servers node, and click Update Server. The Results pane shows the recently added WSUS server.
3. In the Library workspace, on the Library pane, expand Update Catalog And Baselines and then click Update Catalog. The Results pane shows the updates downloaded during WSUS synchronization.

Configuring Update Baselines

After you add your WSUS server to VMM, you can prepare to manage updates for the server fabric by configuring update baselines. An update baseline contains a set of required updates that is then scoped to an assignment. This assignment can be a host group, a standalone host, a cluster, or a VMM management-server role.

During a compliance scan, servers that are assigned to a baseline are graded for compliance with their assigned baselines. After a server is found to be noncompliant, an administrator can bring the server into compliance through update remediation.

Update baselines that are assigned to a host group are applied to all standalone hosts and clusters in that host group, as well as the standalone hosts and clusters in child host groups.

If a host is moved from one host group to another, the baselines for the new host group are applied to that host and the previous baseline will no longer apply, unless that baseline is assigned to both host groups. Explicit baseline assignments to a host stay with that host when it is moved from one host group to another. It is only when the baseline is assigned to a host group that baseline assignments are revoked during the move. You can use either of the following methods to prepare update baselines for remediation:

  • Use one of the built-in update baselines that VMM provides.
  • Create your own custom update baseline.

VMM provides two built-in sample update baselines you can use to apply security updates and critical updates to the computers in your VMM environment:

  • Sample Baseline For Security Updates
  • Sample Baseline For Critical Updates

Before you can use a baseline, you must assign it to host groups, clusters, or standalone hosts. Use the following procedure to assign servers to the sample security baseline.

1. In the VMM console, select the Library workspace.
2. On the Library pane, expand Update Catalog And Baselines, and then click Update Baselines.
3. On the Baselines pane, right-click Sample Baseline For Security Updates, and select Properties. The Sample Baseline For Security Updates Properties screen appears.
4. On the Updates tab, optionally add or remove update baselines from the baselines that are listed. The Sample Baseline For Security Updates includes all security updates. To ensure that all security updates are applied, do not remove any baselines.
5. On the Assignment Scope tab, select host groups, host clusters, or standalone hosts to add to the baseline. Click OK to save your changes.

Use the following procedure to create a new custom update baseline that you can then assign:

1. In the VMM console, select the Library workspace.
2. On the Library pane, expand Update Catalog And Baselines, and then click Update Baselines.
3. On the Home tab, in the Create group, click Create and then select Baseline.
4. On the General page, enter a name (for example, My Company Critical Updates Baseline) and a description for the update baseline, and click Next.
5. On the Updates page, click Add to include the updates that you want to be in your custom baseline. Enter security updates in the Search box to filter the selection, and click Next.
6. On the Assignment Scope page, select the host groups, cluster, or standalone host that you want to apply the baseline to, and click Next.
You can apply a baseline to servers that are performing any of the VMM roles.
7. On the Summary page, review your settings and click Finish.
Some updates require that you accept a Microsoft license agreement.
8. To verify that your update baseline was created successfully, on the Library pane expand Update Catalog And Baselines, and click Baselines. The new baseline appears in the Results pane.

Scanning for Update Compliance

Now that you have assigned servers to an update baseline in VMM, you can scan those servers to determine their compliance status against that baseline.

When it scans a server for compliance, WSUS checks the assigned update baselines to determine whether applicable updates are installed. After a compliance scan, each update has a compliance status of Compliant, Non Compliant, Error, or Unknown.

The compliance scan focuses on the updates included in the baseline because you deemed them important for your environment.

The following changes can cause a server's update status to change to Unknown. When one of them occurs, you should perform a scan operation to assess the server's compliance status.

  • A host is moved from one host group to another host group.
  • An update is added to or removed from a baseline that is assigned to a server.
  • A server is added to the scope of a baseline.

Use the following procedure to verify the update-compliance status of your server fabric:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, select the Servers node and click Compliance.
The Results pane displays the compliance status of the servers in the VMM fabric (Figure 5.14). Because you have not yet scanned the server fabric for compliance, the servers that you added to your baseline have a compliance status of Unknown and an operational status of Pending Compliance Scan.

Figure 5.14 Viewing the compliance status

Use the following procedure to scan the server fabric and determine the compliance status against your assigned baseline:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, select the Servers node, click Compliance, and select the server you want to scan.
3. On the Home tab, in the Compliance group, click Scan.

Performing Update Remediation

The task of bringing a server into compliance is known as update remediation. In VMM you can choose to remediate all update baselines that are assigned to a server, all noncompliant updates in a single update baseline, or a single update.

Use the following procedure to remediate updates for a nonclustered Hyper-V host that is managed by VMM:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, select the Servers node, click Compliance, and select the server you want to remediate.
3. On the Home tab, in the Compliance group, click Remediate.
The Remediate task is available only when the selected objects are noncompliant. The Update Remediation screen appears (Figure 5.15). If you selected a server to remediate, all updates are initially selected.

Figure 5.15 Remediating the update baselines

4. Optionally clear specific update baselines, or even individual updates, to determine which updates will be applied.
5. If you prefer to restart the servers manually after remediation, check the “Do not restart the servers after remediation” check box.
6. Click Remediate to start the update remediation process.

There are times when you might not want to apply a specific update even though that update is part of your baseline. When an administrator creates an update exemption for a managed server, that server still remains accountable to an assigned baseline while it is exempted from a particular update in the baseline.

The most common reason for creating an update exemption is that a specific update has placed a managed server in an unhealthy state. The administrator uninstalls the update, which returns the server to a healthy state, and then wants to prevent that update from being reinstalled until the issues around that update have been identified and resolved.

Because the update was uninstalled out of band, the server's update status in VMM remains Compliant until the server is scanned again. The next scan will change the server's status to Non Compliant. To prevent an accidental reinstallation of this update before the issues are resolved, and to provide a valid business justification, the administrator can add an update exemption to the baseline. After the issues are resolved on the server, the administrator can remove the exemption so that the update will be reinstalled during the next update remediation.

Use the following procedure to create an update exemption for a specific server within the server fabric that is managed by VMM:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, select the Servers node, click Compliance, and select the server to which you want to apply an exemption.
3. In the Results pane, expand the appropriate update baseline and click the update you want to exempt.
4. On the Home tab, in the Compliance group, click Compliance Properties. The Compliance Properties screen appears.
5. Select the update or updates to include in the exemption, and click Create. The Create Exemption dialog box appears.
6. In the Notes field, enter information about the exemption, its duration, and the person who authorized it.
7. Click Create.
The Compliance Properties screen reappears. The status of the update or updates now says Exempt. The update will not be applied to the fabric resource during update remediations until the exemption is removed.

Use the following procedure to remove an update exemption for a specific server within the server fabric that is managed by VMM:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, select the Servers node, click Compliance, and select the server from which you want to remove an exemption.
3. In the Results pane, expand the appropriate update baseline and click the update from which you wish to remove the exemption.
4. On the Home tab, in the Compliance group, click Compliance Properties. The Compliance Properties screen appears.
5. Select the exemption or exemptions to be removed, click Delete, and then click Yes to confirm.
6. Click OK to dismiss the Compliance Properties screen.
7. To perform a compliance scan on a server, in the Results pane click the server to select it. Then, on the Home tab, in the Compliance group, click Scan. The statuses of the update, the update baseline, and the server change to Non Compliant.
8. To return the server to a compliant state, in the Results pane select the update, the update baseline, or the server that is in a Non Compliant state. Then, on the Home tab, in the Compliance group, click Remediate.

Performing On-Demand Update Synchronizations

To get updates, the WSUS server contacts Microsoft Update. WSUS determines whether new updates have been made available by Microsoft since the last synchronization. WSUS downloads the new metadata, and VMM imports the changes into the VMM update catalog.

When the update server is added to VMM, an initial synchronization is performed. VMM does not perform automatic synchronizations after that point. You should perform on-demand synchronizations on a schedule that meets your company's requirements. As a best practice, synchronization should occur at least every 15 to 30 days in accordance with Microsoft security and update release cycles.

Use the following procedure to synchronize updates in VMM with Microsoft Update:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, expand Servers, click Update Server, and then click Fabric Resources.
3. On the Update Server tab, in the Update Server group, click Synchronize.
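
Because VMM performs no automatic synchronization after the initial one, the synchronize and scan procedures from this chapter are shown here as a script for the VMM command shell. This is an added example, not part of the original chapter; it assumes a single update server is registered with VMM and that the compliance status object exposes an OverallComplianceState property.

```powershell
# Added example: on-demand synchronization followed by a fabric-wide
# compliance scan. Run in the VMM command shell as a VMM administrator.

# Assumption: exactly one update server (WSUS) is registered with VMM.
$updateServer = Get-SCUpdateServer
if (-not $updateServer) {
    throw "No update server is registered with VMM; add the WSUS server first."
}

# Import new update metadata from WSUS into the VMM update catalog.
Start-SCUpdateServerSynchronization -UpdateServer $updateServer | Out-Null

# Scan every managed computer against its assigned baselines and
# collect one result row per computer.
$computers = Get-SCVMMManagedComputer
$report = foreach ($computer in $computers) {
    $state = "ScanFailed"
    try {
        Start-SCComplianceScan -VMMManagedComputer $computer -ErrorAction Stop | Out-Null
        $status = Get-SCComplianceStatus -VMMManagedComputer $computer -ErrorAction Stop
        # Assumption: the status object exposes OverallComplianceState.
        $state = [string]$status.OverallComplianceState
    } catch {
        Write-Warning ("Scan failed for {0}: {1}" -f $computer.Name, $_.Exception.Message)
    }
    # New-Object keeps the script usable on PowerShell 2.0.
    New-Object PSObject -Property @{ Computer = $computer.Name; State = $state }
}

# Show everything that is not Compliant so that it can be
# remediated or given a documented exemption.
$report | Where-Object { $_.State -ne "Compliant" } |
    Sort-Object State, Computer | Format-Table Computer, State -AutoSize
```

Running the script at the synchronization interval your company has chosen keeps both the update catalog and the reported compliance status current.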

Use the following procedure to manage configuration changes with the WSUS server:

1. In the VMM console, select the Fabric workspace.
2. On the Fabric pane, expand Servers, click Update Server, and then click Fabric Resources.
3. On the Update Server tab, in the Update Server group, click Properties.
4. On the Proxy Server tab, if applicable, configure WSUS to use a proxy server when synchronizing updates, or update the port for a proxy server that is already in use.
5. On the Update Classifications tab, select each update classification you want to synchronize.
6. On the Products tab, select each product to include in update synchronizations.
7. On the Languages tab, select each supported language to include in update synchronizations.
8. Click OK to apply any changes you make.

Summary

This chapter covered all aspects of setting up and configuring the VMM library, installing and configuring fabric patching, scanning for compliance, and remediating your server fabric. Now that you understand the factors behind the installation options VMM provides, you should be prepared to make optimal decisions for your own unique situation. In the next chapter you will learn about additional aspects of your private cloud environment: networking and storage.
