
4th Generation Hyper-V 2012 R2 Server for Around $1,200 USD – Parts List and Video!

In honor of the release of Windows Server 2012 R2, I’ve updated my latest server build using the latest components. You can use this home Hyper-V server to create your own private cloud, prototype design solutions, test new software, or run your own network like I do . Nothing provides a better learning tool than hands-on experience!



My last build used a third-generation Intel I5-3470S Ivy Bridge Quad-Core CPU. My G4 build uses a fourth-generation Intel I5-4570S Haswell Quad-Core CPU and a larger faster 360GB SSD to run active Hyper-V virtual machines. The new components result in a super-fast 7.5 second boot time!



My Design Requirements

This design is a little less cost-focused so I can use the latest Intel processor, faster SSD drives, and a sleek high-performance micro-ATX case. These new components currently add about $200 to the base $1,000 price, but as usual for high-end technology, those costs will go down.  You can probably build it for less even now.

  • Minimum of 4 cores
  • Windows Server 2012 R2 capable. Hyper-V for Windows Server 2012 R2 requires hypervisor-ready processors with Second Level Address Translation (SLAT).
  • 32GB of fast DDR3 RAM
  • Must support SATA III 6Gb/s drives
  • Must have USB 3.0 ports for future portable devices
  • Low power requirements
  • Small form factor
  • Budget: Around $1,200 USD

The processor I chose is the new Intel I5-4570S Haswell Quad-Core CPU. Even though all four cores run at a quick 2.9 GHz, it only uses 65W. The beautiful aluminum heatsink and fan included with the processor keep the CPU running at a cool 25° Celsius (77° F) at room temperature.



As in my previous builds, the RAM requirement drove most of this design. Memory is the single most important component in a Hyper-V host. Pairing a super-fast processor with quick, reliable RAM is the key to a good design.



Gigabyte Motherboard – Durable enough to cut a steak on it! :)

Overclocking is no longer used only by gearheads and has moved to the mainstream. Most desktop motherboards include self-tuning overclocking to get every gram of power out of the rig. I don’t use any of these features, even though they’re available. I prefer stability over speed – and this server is plenty fast enough!



I’ve also found that while all SSDs are fast, some are faster. Drives with high IOPS make for a noticeably faster computer, especially during bootup and long drive operations like copying ISOs and VHDXs.



This build is more stylish than previous builds, using a sleek, high-quality Rosewill Slim MicroATX case. Most µATX cases are designed for desktops and, as such, they usually have small 250W-300W power supplies. The included Rosewill 300W µATX power supply works just fine for my build since all the components have low power requirements. The peak power requirement for this build is only 186W, giving me plenty of power to spare. This PSU is also designed to keep the case cool by exhausting warm air at the back, along with another built-in 80mm fan on top of the case.



I ordered everything from Amazon because they had the lowest prices. And with Amazon Prime it was all delivered in just two days. Gotta love that! You can even join Prime for free for 30 days and cancel if you want after you get your gear.



Here’s the entire parts list for this server:



Quantity Item Description
1   Intel Core i5-4570S Quad-Core Desktop Processor 2.9 GHZ 6MB Cache – BX80646I54570S

This is a 4th generation Haswell Intel processor. It includes the newest Intel HD graphics and runs at a very low 65W. 3 year limited warranty.
1   Gigabyte GA-B85M-D3H LGA 1150 Intel B85 HDMI SATA 6Gbps USB 3.0 Micro ATX DDR3 1600 Intel Motherboards GA-B85M-D3H

I chose this LGA 1150 Micro ATX motherboard over Intel because it has 4x SATA 6Gb/s and 2x SATA 3Gb/s connectors. It also uses the Intel B85 Express chipset, has a UEFI BIOS, has 2x PCI and 2x PCI-Express slots, and USB 3.0 ports. 3 year limited warranty.
2   Corsair Vengeance 16GB (2x8GB) DDR3 1600 MHz (PC3 12800) Desktop Memory (CMZ16GX3M2A1600C10)

1.5V 240-pin dual channel 1600MHz DDR3 RAM with built-in heat spreaders. Lifetime warranty. 10-10-10-27 CAS Latency. Great RAM at a great price. Each package contains 2x 8GB DIMMs (16GB). Be sure to buy two packages.
1   Kingston Digital 120GB SSDNow V300 SATA 3 2.5 (7mm height) with Adapter Solid State Drive 2.5-Inch SV300S37A/120G

120GB SATA 6Gb/s (SATA 3) SSD used for the Windows Server 2012 R2 operating system. 85,000 IOPS 4KB random read / 55,000 IOPS 4KB random write. 3 year warranty.
1   Corsair Force Series GS Red 360GB (6Gb/s) SATA 3 SF2200 controller Toggle SSD (CSSD-F360GBGS-BK)

360GB SATA 6Gb/s (SATA 3) SSD used for active VMs (the VMs I normally have running, like a domain controller, Exchange servers, Lync servers, etc.). Toggle NAND for up to 90K IOPS random write speed. 3 year limited warranty.
1   2.5-inch SSD/Hard Drive to 3.5-inch Bay Plastic Tray Mount Adapter Kit

Plastic mounting kit for 2.5″ SSD drives. Holds two SSD drives, stacked on top of each other in the left drive bay.
1   WD Green 2 TB Desktop Hard Drive: 3.5 Inch, SATA III, 64 MB Cache – WD20EZRX

2TB Western Digital Green (low power) SATA 6Gb/s (SATA 3) drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after one hour to save even more power. 2 year warranty.
1   Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive – Bulk – IHAS124-04 (Black)

Great quality DVD burner. It’s cheap, too. I connect this to one of the SATA2 ports on the motherboard. 1 year limited warranty.
1   TRENDnet 32-Bit Gigabit Low Profile PCI Adapter, Retail (TEG-PCITXRL)

The Gigabyte motherboard includes one gigabit NIC. It’s best practice to add another gigabit NIC for Hyper-V so you can separate host and VM traffic.
1   C&E CNE11445 SATA Data Cable (2pk.)

I need 4x SATA cables for this build. The Gigabyte motherboard comes with two black 18″ SATA cables. Flat (not L shaped) connectors work best for this build. FYI, there’s no technical difference between SATA2 and SATA3 cables.
2   StarTech 6in 4 Pin Molex to SATA Power Cable Adapter (SATAPOWADAP)

The micro ATX PSU in the Rosewill case has four power connectors for drives, which is just enough — 2x SATA and 2x Molex connectors. Use these adapters to convert the two Molex connectors to SATA. Be sure to buy two.
1   Rosewill Slim MicroATX Computer Case with ATX12V Flex 300W Power Supply, Black/Silver R379-M

Sleek mirror-finished micro ATX case with removable drive bay cage for easy access. Includes quiet 300W PSU, 80mm cooling fan on top, 2x front USB 2.0, and audio ports. Excellent quality.



It took about 90 minutes to assemble everything and take these pictures. The following slideshow shows how I put it all together.






The first thing you’ll need to do after building your server is install the Windows Server 2012 R2 operating system. This will take a total of about 8 minutes from DVD. Amazing!

Windows Server 2012 R2 will install default drivers for all the server components. Next, you’ll want to update the BIOS to the latest version and install the optimized drivers available for some components. The Gigabyte GA-B85M-D3H motherboard includes a utilities and drivers disk. Pop the disk in and run setup.exe in <DVD Drive>:\Utility\GIGABYTE\AppCenter.  This will install the Gigabyte AppCenter utility on Windows Server 2012 R2.

Use AppCenter to download and install the latest drivers and utilities. AppCenter can be accessed using the icon in the notification area near the clock. Select Live Update and choose the following updates:

First half of the utilities and updates to install.

Second half of the updates to install.

It will take a few minutes to download and install the software and updates. You may need to restart a couple of times to complete the installation. Live Update in AppCenter makes it a lot easier to install the necessary utilities and drivers to keep your hardware up to date.

Installing utilities and updates.

My motherboard shipped with version F4 of the BIOS. At the time of this article, the latest BIOS version is F7. The @BIOS utility in AppCenter was unable to download the latest version for some reason, so I went to http://www.gigabyte.com/products/product-page.aspx?pid=4567#bios and downloaded the F7 BIOS manually, then used the @BIOS utility to install it from the file.

Updating and flashing the BIOS.

Now you can run Windows Disk Management to initialize, format, and label your Corsair 360GB SSD and Western Digital 2TB drives. Be sure to check my article about Windows Server 2012 deduplication to increase your Hyper-V server density. Now you’re ready to install the Hyper-V role and start making VMs!

Here’s a short video of the beast in action!




I’ll be doing a demo of this home Hyper-V server at the MVP Showcase at the MVP Summit, November 17th, 2013.  If you’re an MVP and will be going to the Summit, please drop by the MVP Showcase to see the server in action.

As usual, if you have any questions or comments please leave them below. I hope you enjoy reading about these server builds and take the opportunity to make this investment in your career.



How to Configure an Internal SMTP Relay Server for Office 365

Most organizations have internal application servers and appliances that send emails to users or groups. Examples include copier/scanners and application servers, such as backup servers that notify admins of a completed or failed backup job.



If the organization has Exchange on-prem you would normally configure an internal relay send connector in Exchange and configure the internal resources to send emails to Exchange. But what do you do when you’ve migrated all your mailboxes to Office 365 and have decommissioned your Exchange servers?



The solution is to install an IIS SMTP relay server in your internal network, configure it to accept email from specific IP addresses, and forward emails to Office 365. You can also configure the SMTP relay for external domains, if necessary.



Here’s how to do it:



  • Install the SMTP Server feature and its dependencies to a new or existing Windows server. This will be your relay server and your firewall needs to allow it to send SMTP traffic (TCP port 25) outbound to the Internet. I typically use the DirSync server, if there is one.

Adding the SMTP Server feature and its dependencies to Windows Server 2012

  • Open Internet Information Services (IIS) 6.0 Manager to configure the SMTP relay.
  • Configure the properties of [SMTP Virtual Server #1] as follows:
    • On the Access tab:
      • Authentication: Only Anonymous access is checked.
      • Relay: Only the list below. Add IP addresses or ranges of servers allowed to relay.
      • Note – It’s important to only allow IP addresses you trust to relay through this server. Any IP address you enter here will be allowed to send emails on behalf of your domain.
    • On the Messages tab:
      • Adjust message size limits. The default message size limit is 2048 KB (2 MB).  You may want to change it to 10240 KB (10 MB) or more to allow for larger messages from copier/scanners, etc.
    • On the Delivery Tab:
      • Outbound Security: Anonymous access only and no TLS encryption.
      • Outbound Connections: Port 25
      • Advanced: Leave the Smart Host field blank
  • Add new remote domains:
    • Right-click Domains > New > Domain and add the domain(s) hosted in Exchange Online.
    • If the relay server is allowed to relay emails to other external domains add a new *.com remote domain. Repeat for *.org, *.net, etc. as necessary.

    Add Office 365 and other remote domains if required for external relay
    • For properties of each domain hosted in Exchange Online:
      • Check Allow incoming mail to be relayed to this domain
      • Forward all mail to this smart host: smtp.office365.com
      • Outbound Security: Check Anonymous access and TLS encryption
    • For properties of all other remote domains (if any):
      • Check Allow incoming mail to be relayed to this domain
      • Outbound Security: Check Anonymous access and do not check TLS encryption.
  • Restart IIS.  Be aware that whenever you restart IIS, the SMTP virtual server usually stays stopped – start it.



Notes/Troubleshooting:


  • The SMTP Server feature can be added to any Windows 2003 or better server. I usually use the DirSync server if there is one.
  • Unlike Exchange, TLS for IIS 6 SMTP servers is not opportunistic. If the virtual server or a remote domain is configured to use TLS, email will not be sent if the remote domain does not support TLS. Office 365 offers TLS, so we can use it.
  • The configuration above allows the IIS 6 SMTP server to send emails to the Internet for the remote domains configured, so you should add the public NAT IP address for this server to your existing SPF record to prevent non-delivery. Use http://whatismyip.com from the SMTP server to determine the NAT IP address.
  • Monitor the %systemdrive%\Inetpub\mailroot\Queue folder to ensure that emails are being delivered.
    • If emails are not being delivered to Office 365 users, test sending email via Telnet. The IP address may be blocked by an Exchange Online Protection (EOP) blocklist and you will see that response from EOP. If so, send a delist request from your Office 365 admin account to delist@messaging.microsoft.com letting them know the IP address that should be delisted. In my experience it takes up to 36 hours for Microsoft to delist it.
    • If emails are not being delivered to external domains, ensure that you have a remote domain type (*.com, *.eu, etc.) configured for those email addresses.
  • You can enable logging in the properties of the SMTP virtual server for further troubleshooting. Use the NCSA Common Log File Format. IIS does not automatically groom or delete logs like Exchange does, so turn logging off when you’re done troubleshooting.
  • The best practice is to create an A record in internal DNS for smtp.yourdomain.com using the SMTP relay server’s IP, and configure all application servers and appliances to use that FQDN for email forwarding. That makes it easier to update in the future.
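The Telnet relay test and queue check from the notes above, as an added PowerShell example that is not part of the original article. It assumes smtp.yourdomain.com is the internal A record for the relay; the sender and recipient addresses are constructed placeholders.

```powershell
# Added example (not the article's own code). Run from an application server or appliance
# subnet whose IP you expect to be in the relay list; smtp.yourdomain.com and the addresses are assumptions.
function Read-SmtpReply {
    # Reads one SMTP reply; a multi-line reply uses "250-..." continuation lines and ends with "250 ...".
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by the relay server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpRelay {
    # Walks the same banner / EHLO / MAIL FROM / RCPT TO conversation you would type in Telnet,
    # but stops before DATA so nothing is queued. A 250 reply to RCPT TO means the relay will accept
    # mail from this machine for that recipient; a 550 "Unable to relay" reply means this machine's IP
    # is not in the Relay list or the recipient's domain has no matching remote domain (*.org, etc.).
    param(
        [string]$Server = 'smtp.yourdomain.com',
        [int]$Port = 25,
        [string]$From = 'scanner@yourdomain.com',
        [string[]]$Recipients = @('user@yourdomain.com', 'someone@example.org')
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"          # SMTP lines end with CRLF, not the .NET default
    $writer.AutoFlush = $true
    $results = @()
    try {
        $banner = Read-SmtpReply $reader
        if (-not $banner[-1].StartsWith('220')) { throw "Unexpected banner: $($banner -join ' ')" }
        $writer.WriteLine("EHLO $env:COMPUTERNAME"); Read-SmtpReply $reader | Out-Null
        $writer.WriteLine("MAIL FROM:<$From>")
        $mail = Read-SmtpReply $reader
        if (-not $mail[-1].StartsWith('250')) { throw "MAIL FROM rejected: $($mail -join ' ')" }
        foreach ($rcpt in $Recipients) {
            $writer.WriteLine("RCPT TO:<$rcpt>")
            $reply = (Read-SmtpReply $reader)[-1]
            $results += [pscustomobject]@{
                Relay     = $Server
                Recipient = $rcpt
                Accepted  = $reply.StartsWith('250')
                Reply     = $reply
            }
        }
        $writer.WriteLine('RSET'); Read-SmtpReply $reader | Out-Null   # abandon the envelope
        $writer.WriteLine('QUIT'); Read-SmtpReply $reader | Out-Null
    }
    finally { $client.Close() }
    return $results
}

function Get-SmtpRelayQueue {
    # Run on the relay itself: counts files in the IIS SMTP mailroot folders. A growing Queue
    # or anything in Badmail means delivery to Office 365 or the remote domain is failing.
    $root = Join-Path $env:SystemDrive 'Inetpub\mailroot'
    foreach ($folder in 'Pickup', 'Queue', 'Badmail') {
        $files  = @(Get-ChildItem -Path (Join-Path $root $folder) -File -ErrorAction SilentlyContinue)
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
        [pscustomobject]@{
            Folder           = $folder
            Files            = $files.Count
            OldestAgeMinutes = if ($oldest) { [math]::Round(((Get-Date) - $oldest.LastWriteTime).TotalMinutes) } else { 0 }
        }
    }
}

Test-SmtpRelay | Format-Table -AutoSize
Get-SmtpRelayQueue | Format-Table -AutoSize
```

Run Test-SmtpRelay from each subnet you add to the Relay list; a recipient that is accepted from an IP you did not intend to allow is the misconfiguration the note in the Access tab step warns about.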






Getting to Know IPv6




My good friend Mark Morowczynski, Microsoft PFE for Active Directory, wrote a three-part series on the Ask Premier Field Engineering (PFE) Platforms blog about IPv6 that is well worth reading.






You can follow Mark on Twitter @markmorow.






UPDATED Blistering Fast Hyper-V 2012 Server – Parts List and Video!

Over a year ago I wrote an article detailing how to build a Blistering Fast Windows Server for about $1,000 USD.  At that time “Windows Server 8” hadn’t even been released yet, but I wanted to build a server that would work with “future generations” of Hyper-V.  The article proved to be extremely popular and paved the way for many fellow technologists to build their own lab servers.



Now that Windows Server 2012 has been out for a while I wanted to update that article to incorporate newer technologies, like 3rd generation Intel processors and faster DDR3 RAM.  I also made some tweaks to my initial server over the year, adding another SSD drive for active VMs and enabling sleep mode on my physical storage hard drive to save more power.  I’m including those items in this build, while maintaining the same price point as over a year ago.



Lessons Learned

I modified a few things since I built the original lab server I documented in January 2012.  Here are the lessons I learned:

  • If RAM is king, IO is queen.  The two most important things for a Hyper-V 2012 server are RAM (VM capacity) and IO (VM performance).  IO becomes even more important as you add more concurrently running VMs, which you can easily do with 32GB of RAM!
  • SSD = IO. My original design used a single SSD for the operating system and binaries.  I soon learned that VM performance was pretty poor running off a traditional mechanical hard drive, even though I was using a fast SATA III 6Gbps drive.  I ended up buying another 250GB SSD drive to host my active VMs.
  • CPU isn’t as important as I thought.  It’s important to have enough cores to share with your VMs, but most of the time my CPU is idling at 10% utilization even with 8 VMs running simultaneously.
  • Deduplication is amazing! You can increase the VM density on an SSD drive using Windows Server 2012’s built-in deduplication feature.
  • You can never have enough SATA III ports.  My first build used an Intel motherboard with two SATA III 6Gbps and two SATA II 3Gbps ports.  I ended up having to buy another SATA III controller when I added the other SSD drive.  Better to have at least 4 SATA III ports to begin with.



My Design Requirements

This build has an emphasis on cost.  Even though my budget is the same as the earlier build, I have to make it work with two SSD drives instead of one.

  • Minimum of 4 cores
  • Windows Server 2012 capable.  Hyper-V for Windows 8 requires hypervisor-ready processors with Second Level Address Translation (SLAT).
  • 32GB of fast DDR3 RAM
  • Must support SATA III 6Gb/s drives
  • Must have USB 3.0 ports for future portable devices
  • Low power requirements
  • Small form factor
  • Budget: Under $1,000 USD

As before, the RAM requirements drove most of this design.  Interestingly, I found that the newer technologies (3rd generation Intel Core I5 Ivy Bridge and DDR3 1600 RAM) actually cost less than the 2nd gen I5 and DDR3 1066 RAM in my last build.

Unlike last year’s build, I discovered that Amazon usually has the lowest price for everything.  This makes it a lot easier to order and receive since all the components come from one place.  This should also make it easier for my European friends since they can source it all from Amazon, as well.  Another big bonus is that I have Amazon Prime which gives me free 2-day shipping on all the components.  I could even choose to spend $3.99 more to get it next day!  I love this service!

Here’s the entire parts list for this server:



Quantity Item Description
1   Intel Core i5-3470S Quad-Core Processor 2.9 GHz 6 MB Cache LGA 1155 – BX80637I53470S

This is a 3rd generation Ivy Bridge Intel processor. It includes Intel HD 2500 graphics and runs at a low 77W. 3 year limited warranty.
1   AS Rock PRO4-M LGA1155 Intel H77 Quad CrossFireX SATA3 USB3.0 A V GbE MATX Motherboard H77

I chose this LGA 1155 Micro ATX motherboard over Intel because it has 4x SATA3 and 2x SATA2 connectors. It also uses the Intel H77 chipset, supports RAID 1, 5 and 10, has 4 PCI-Express slots, USB 3.0, and has a great BIOS. See the video below. 3 year limited warranty.
2   Corsair Vengeance 16GB (2x8GB) DDR3 1600 MHz (PC3 12800) Desktop Memory (CMZ16GX3M2A1600C10)

240 pin dual channel RAM with built-in heat spreaders.  Lifetime warranty.  Latency is 10-10-10-27.  Each package contains 2x 8GB sticks (16GB).  Be sure to buy two packages.
1   Kingston SSDNow V200 128GB Bundle SV200S3B7A/128G

SATA3 SSD used for the Windows Server 2012 operating system. The package includes the drive and SATA3 cable, an external enclosure, and cables. 3 year warranty.
1   Samsung MZ-7TD250BW 840 Series Solid State Drive (SSD) 250 GB Sata 2.5-Inch

SATA3 SSD used for active VMs (the VMs I normally have running, like a domain controller, Exchange servers, Lync servers, etc.). Super-fast drive. 3 year limited warranty.
1   Kingwin 2.5 Inch to 3.5 Inch Internal Hard Disk Drive Mounting Kit

Metal mounting kit for 2.5″ SSD drives. Holds two SSD drives, stacked on top of each other.
1   WD Green 2 TB Desktop Hard Drive: 3.5 Inch, SATA III, 64 MB Cache – WD20EARX

2TB Western Digital Green (low power) SATA3 drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after one hour to save even more power. 2 year warranty.
1   Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive – Bulk – IHAS124-04 (Black)

Great quality DVD burner. It’s cheap, too. I connect this to one of the SATA2 ports on the motherboard. 1 year limited warranty.
1   SATA Data Cable (2pk.)

I need 4x SATA3 cables for this build. The ASRock motherboard comes with a black one and the Kingston 128GB SSD comes with another red one.
1   Rosewill 40-In-1 USB 2.0 3.5-Inch Internal Card Reader with USB Port / Extra Silver Face Plate (RCR-IC001)

This is just a handy cheap addition. It slides into the floppy drive tray of the case and adds another USB 2.0 connector, SD card reader, and lots of other reader slots to the front of the computer.
1   APEX TX-381-C Black Steel Micro ATX Tower Computer Case USB/Audio/Fan

Mini ATX tower case for Micro ATX motherboards, like the ASRock. It includes a carrying handle and 2x USB 2.0 ports and audio jacks under a small door on top of the case. It comes with a fairly quiet 80mm rear case fan and clear instructions.
1   Rosewill Stallion Series 400W ATX 12V v2.2 Power Supply RD400-2-SB

Dual 12V rails. Nearly silent 120mm fan and mesh cable sleeving. Includes 4x SATA power connectors and 1x PCI-Express. 1 year limited warranty.



Click the video below to hear a description of the parts I ordered for this beast:








It took about 90 minutes to assemble everything and take these pictures. The following slideshow shows how I put it all together:








Once assembled, I updated the BIOS online (very cool – see the video below) and installed Windows Server 2012 Datacenter Edition.  Installation took only 4 minutes, 50 seconds!  Amazing.



Windows Server 2012 recognized all but two of the computer’s components, but some required updating so Windows Server can use their advanced capabilities.  Do NOT install the drivers using the setup program on the included ASRock H77 Pro-4M DVD.  The ASRock setup programs will BSOD the server since they are written for a different OS.  Instead, open Device Manager, right-click the following devices, and update the driver software using the ASRock DVD.



Here are the devices that need to be updated, in this order:


System devices
  • Xeon(R) processor E3-1200 v2/3rd Gen Core processor DRAM Controller – 0150
  • PCI Express Root Complex (Becomes “PCI bus”. Requires a restart)
  • Intel(R) H77 Express Chipset LPC Controller – 1E4A (Requires a restart)
  • Intel(R) 7 Series/C216 Chipset Family SMBus Host Controller – 1E22
  • Intel(R) 7 Series/C216 Chipset Family PCI Express Root Port 8 – 1E1E (Requires a restart)
  • Intel(R) 7 Series/C216 Chipset Family PCI Express Root Port 6 – 1E1A
  • Intel(R) 7 Series/C216 Chipset Family PCI Express Root Port 1 – 1E10

Universal Serial Bus controllers
  • Standard Enhanced PCI to USB Host Controller (Becomes “Intel(R) 7 Series/C216 Chipset Family USB Enhanced Host Controller – 1E26”)
  • Standard Enhanced PCI to USB Host Controller (Becomes “Intel(R) 7 Series/C216 Chipset Family USB Enhanced Host Controller – 1E2D”)

Other devices
  • Unknown device  (Becomes “Intel(R) Smart Connect Technology Service”)

Sound controllers
  • High Definition Audio Device (Becomes “Realtek High Definition Audio”)
  • High Definition Audio Device (Becomes “Intel(R) Display Audio”)

Network adapters
  • Realtek PCIe GBE Family Controller

IDE ATA/ATAPI controllers
  • Standard SATA AHCI Controller (Becomes “Intel(R) 7 Series/C216 Chipset Family SATA AHCI Controller”. The DVD drive will probably change drive letters after this update.)
  • Standard SATA AHCI Controller (Becomes “Asmedia 106x SATA Controller”.  This one is tricky.  Restart and press F8 to boot in Safe Mode. Restart again into normal mode. You will now see new “ATA Channel 0” and “ATA Channel 1” controllers.)

Display adapters
  • Microsoft Basic Display Adapter (Becomes “Intel(R) HD Graphics”.  The screen flashes during installation.)

Install Intel Management Engine Components from the ASRock DVD
  • Run <DVD Drive>:\Drivers\ME\Intel\(v8.1.2.1318_1.5M)\Setup.exe
  • Accept the Intel Manageability Engine Firmware Recovery Agent license agreement
  • Check for updates. This takes a few minutes.
  • This will fix the unknown PCI Simple Communications Controller device.

I also recommend that you update the Samsung SSD 840 firmware, which includes better TRIM support:
  • Download and install the Samsung Magician 4 software.
  • Click Firmware Update and Update. Reboot to finish the firmware upgrade.



Finally, run Windows Disk Management to initialize, format and label your Samsung 250GB SSD and Western Digital 2TB drives.




Here’s a video of the Windows Server 2012 Hyper-V server in action:








I hope this article, slideshow and videos are helpful to you in your quest to build the perfect Hyper-V lab server.  This is a great investment in your IT career!



Special thanks to my ExtraTeam colleague, Aman Ayaz.  It was his need for a new Hyper-V lab server (and his Visa card) that made this article possible.  :)






How to Enable Notifications for Pending Certificate Requests

You can configure a Windows Certification Authority certificate template to require CA certificate manager approval, as shown below. 






With this configuration autoenrollment is disabled and the CA Manager must approve the certificate request before the certificate is issued.





Normally, CA managers need to check in periodically to see if there are any pending requests to approve or decline.  This article discusses how to enable email notifications when a certificate request is generated that requires approval.



First, my best practice is to create a mail-enabled security group in Active Directory called CA Managers.  Add the appropriate user objects to this group and assign that group Issue and Manage Certificates and Manage CA rights on the Certification Authority, as shown below:






Now we need to configure event logging for Certificate Services for verbose logging.  Run the following command from a CMD prompt on the CA:

certutil -setreg ca\loglevel 4

You must restart the Active Directory Certificate Services service (CertSvc) to affect the logging level change.  The CA will now log event ID 54 from source CertificationAuthority in the Application event log whenever a certificate request is generated.  For example,



Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          7/12/2012 8:16:29 AM
Event ID:      54
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      dc1.companyabc.com
Description:
Active Directory Certificate Services left request 51 pending in the queue for C=US, S=CA, L=Pacifica, O=Expta, OU=IT, CN=Admin,
E=admin@companyabc.com.  Additional information: Taken Under Submission




All we need to do now is create an Event trigger on this event.  The easiest way to do that is to create a certificate request so we can attach a task to the event it logs.  Once you create the certificate request, find the event ID 54 in the Application event log on the CA.  Right-click the event and select Attach Task To This Event.








This will open the Create Basic Task Wizard which we will use to configure the email notification.  Give the task a name and description, as shown below, and click Next:








The specific event details are prepopulated from the event we selected.  Click Next:








Select Send an e-mail from the Actions list and click Next:








Complete the details for the email, as shown below.  Enter the valid SMTP address for the CA Managers group (created above) in the To: field.  I include the URL to the CA approval page in the message text for easy access by the CA Managers.  Ensure that your CA server is allowed to send SMTP email to the SMTP server you designate in the wizard.  I use Telnet to test that.








Review the summary.  Select the check box to Open the Properties dialog for this task when I click Finish and then click Finish.







By default this task will only run when the user who created it is logged on.  Change the task to run under the NT Authority\SYSTEM account by clicking the Change User or Group button and entering the local SYSTEM account.  This will also configure the task to run whether the user is logged on or not.  Now click OK to complete the task.






You can view, change or delete this task in the Event Viewer Tasks in the Task Scheduler Library.



Test the new configuration by generating another certificate request.  All members of the CA Managers group should receive an email indicating that a new certificate request is pending, along with a link to the CA’s web approval page, as shown below:
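The whole procedure above (verbose CA logging, the event 54 trigger, the e-mail action and running the task as SYSTEM) as one added PowerShell script; this is an added example, not the article's own code. The relay host, mailbox addresses, script path and approval URL are assumptions, and the notification is sent from a script rather than the wizard's Send an e-mail action.

```powershell
# Added example (not from the original article). Run on the CA in an elevated PowerShell session.
# Assumed values: the relay, the From/To addresses, the script path and the approval URL.
$ScriptPath  = 'C:\Scripts\Notify-PendingCertRequest.ps1'
$SmtpServer  = 'smtp.companyabc.com'          # internal relay the CA is allowed to send through
$From        = 'ca-notify@companyabc.com'
$To          = 'camanagers@companyabc.com'     # SMTP address of the mail-enabled CA Managers group
$ApprovalUrl = 'https://ca.companyabc.com/certsrv'

# 1. Verbose CA logging writes event 54 for each request taken under submission; CertSvc must restart to apply it.
certutil -setreg ca\loglevel 4 | Out-Null
Restart-Service -Name certsvc

# 2. The script the task runs: read the newest event 54, pull out the request ID and subject, and mail them.
$notifyScript = @'
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 54 } -MaxEvents 1
# Message format (see the sample event above): "... left request 51 pending in the queue for <subject>.  Additional information: ..."
if ($evt.Message -match '(?s)left request (?<id>\d+) pending in the queue for (?<subject>.+?)\.\s+Additional information') {
    $id = $Matches['id']; $subject = $Matches['subject'] -replace '\s+', ' '
} else {
    $id = 'unknown'; $subject = $evt.Message
}
$body = @"
A certificate request is pending approval on $env:COMPUTERNAME.

Request ID: $id
Subject:    $subject
Logged:     $($evt.TimeCreated)

Approve or deny it at __URL__ or in the Certification Authority console under Pending Requests.
"@
Send-MailMessage -SmtpServer '__SMTP__' -From '__FROM__' -To '__TO__' -Subject "Pending certificate request $id on $env:COMPUTERNAME" -Body $body
'@
$notifyScript = $notifyScript.Replace('__URL__', $ApprovalUrl).Replace('__SMTP__', $SmtpServer).Replace('__FROM__', $From).Replace('__TO__', $To)
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $notifyScript -Encoding UTF8

# 3. Event trigger: the same filter the wizard builds when you attach a task to an event 54 entry.
$subscription = @"
<QueryList><Query Id="0" Path="Application">
  <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-CertificationAuthority'] and EventID=54]]</Select>
</Query></QueryList>
"@
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

# 4. Run as SYSTEM so the task fires whether or not anyone is logged on (the manual step at the end of the wizard).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances Queue -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName 'Notify CA Managers of pending request' -Trigger $trigger -Action $action -Principal $principal -Settings $settings -Force | Out-Null
```

The wizard's Send an e-mail action is deprecated in later Windows releases, so sending from a script keeps the task working after an OS upgrade; the CA's IP still has to be allowed to relay through the SMTP server named in $SmtpServer.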





 


Fixing Time Errors on VMware vSphere and ESX Hosts

Time synchronization across a Windows domain is very important.  If a member server’s clock varies more than 5 minutes from other domain servers, Kerberos tickets will fail.  This causes random authentication errors for users and/or applications which are sometimes difficult to troubleshoot.



Normally, time is synchronized in a Windows domain using the domain hierarchy.  The domain controller holding the PDC Emulator FSMO role is normally configured to get time from an authoritative NTP time source, and syncs time with all the other DCs in the domain.  The domain clients in each site sync time from the DCs in their local site, maintaining a relatively close synchronization of time across the domain.



Virtual machines are no different than physical computers and normally sync time using the same domain hierarchy.  Lately, however, I’ve seen VMs running on VMware vSphere boot up with random time differences from the domain.  I’ve seen this problem with three different clients lately, so I figured this might be a pervasive enough issue to blog about.



The trouble happens when the VMware vSphere, ESX or ESXi host does not have an accurate source of time, or time “drifts” due to an inaccurate system clock module.  vSphere and ESX hosts run a proprietary operating system and are not domain member servers, therefore they do not participate in domain hierarchy time synchronization. 



Most companies that use VMware hosts use vCenter to manage these hosts and their VMs.  Often, the servers that run vCenter are domain member computers and administrators think that since the vCenter syncs time with the domain, the hosts and VMs do, too.  Not true.  You need to configure the vSphere or ESX hosts to sync time from an accurate time source, otherwise the VM guests may start up with the wrong time – this can happen even if time synchronization between the virtual machine and the ESX server in VMware Tools is not enabled.







Here’s how to configure your vSphere or ESX hosts to get time from an authoritative source.

  • Logon to vCenter and select your vSphere or ESX host.
  • Click the Configuration tab and then Time Configuration under the Software heading.  Notice that the time on the vSphere host does not match the domain time shown on the Windows client running vCenter.




  • Click Properties in the top left of the Configuration tab.  This opens the Time Configuration window.




  • Click the Options button and add a new NTP server that is the accurate source of time.  I recommend using the PDC emulator, since it should already be configured as an authoritative time source. 




  • Select the checkbox to Restart NTP service to apply changes and click OK twice to close the Time Configuration window.  You will see that the vSphere/ESX host now has the correct time and is configured to use dc01.companyabc.com as its time server.





You may need to restart the VM guests running on that VMware host to have them sync time with the domain.  The Windows Time service will not correct the time on the VMs if it varies too much from domain time.  All domain computers sync time when they start up on the domain, regardless of how far out of sync they were.



I have not seen this type of behavior with Hyper-V, only vSphere, ESX and ESXi hosts.
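The host-side steps above, plus the drift check you would otherwise do by eye in the Time Configuration pane, as an added PowerCLI example that is not part of the original article. It assumes VMware PowerCLI is installed, a session is open to vcenter.companyabc.com, and dc01.companyabc.com is the PDC emulator used as the NTP source.

```powershell
# Added example (not the article's own code). Requires VMware PowerCLI and an open session:
#   Connect-VIServer vcenter.companyabc.com          (assumed vCenter name)
$NtpServer            = 'dc01.companyabc.com'       # assumed: the PDC emulator, as the article recommends
$KerberosToleranceSec = 300                         # the 5-minute skew the article says breaks Kerberos tickets

function Get-VMHostClockDrift {
    # Compares each host's own clock with the clock of the domain-joined machine running this script.
    param([Parameter(Mandatory, ValueFromPipeline)]$VMHost)
    process {
        $dts     = Get-View -Id $VMHost.ExtensionData.ConfigManager.DateTimeSystem
        $hostUtc = $dts.QueryDateTime().ToUniversalTime()
        $ntpd    = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
        [pscustomobject]@{
            Host        = $VMHost.Name
            HostTimeUtc = $hostUtc
            DriftSec    = [math]::Round(($hostUtc - [DateTime]::UtcNow).TotalSeconds, 1)
            NtpServers  = (Get-VMHostNtpServer -VMHost $VMHost) -join ', '
            NtpdRunning = $ntpd.Running
            NtpdPolicy  = $ntpd.Policy
        }
    }
}

function Set-VMHostNtp {
    # Equivalent of the Properties > Options steps above: point the host at the authoritative source,
    # open the NTP client firewall rule, and make ntpd start with the host.
    param([Parameter(Mandatory, ValueFromPipeline)]$VMHost, [Parameter(Mandatory)][string[]]$Server)
    process {
        $existing = Get-VMHostNtpServer -VMHost $VMHost
        if ($existing) { Remove-VMHostNtpServer -VMHost $VMHost -NtpServer $existing -Confirm:$false }
        Add-VMHostNtpServer -VMHost $VMHost -NtpServer $Server | Out-Null
        Get-VMHostFirewallException -VMHost $VMHost -Name 'NTP Client' | Set-VMHostFirewallException -Enabled $true | Out-Null
        $ntpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
        Set-VMHostService -HostService $ntpd -Policy On | Out-Null
        if ($ntpd.Running) { Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null }
        else               { Start-VMHostService   -HostService $ntpd -Confirm:$false | Out-Null }
    }
}

# Before: report every host's drift and NTP state.
Get-VMHost | Get-VMHostClockDrift | Format-Table -AutoSize
# Fix every host, then list any still outside the Kerberos tolerance (NTP slews gradually, so re-check later).
Get-VMHost | Set-VMHostNtp -Server $NtpServer
Get-VMHost | Get-VMHostClockDrift | Where-Object { [math]::Abs($_.DriftSec) -gt $KerberosToleranceSec }
```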

Get a Free Windows Azure One Month Pass


Microsoft is offering a free one month trial of their Windows Azure platform for you to use with no credit card required.  This is a great way to experience Microsoft’s Platform as a Service (PaaS) to see what it is and what it can potentially do for you.

PaaS delivers a computing platform (Windows) and a solution stack (your application) from the cloud for your business and/or customers.  Microsoft Azure offers both Windows and SQL as PaaS offerings.

The free offer website also has links to videos about the Azure cloud computing platforms, virtual labs, demos and more.