Installing & using the Windows Server Migration Tools To Migrate Local Users & Groups

Introduction

I was working on a little project for a company that was running TS Gateway on 32bit Windows 2008. The reason they did not go for x64 at the time was that they used Virtual Server as their virtualization platform for some years and not Hyper-V. One of the drawbacks was that they could not use x64 guest VMs. Since then they have move to Hyper-V and now also run Window Server 2012. So after more than 5 years of service and to make sure they did not keep relying on aging technology it is time to move to Windows Server 2012 RD Gateway and reap the benefits of the latest OS.

All in all the Microsoft documentation is not too bad, all be it that the information is a bit distributed as you need to use various tools to complete the process. Basically, depending on the original setup of the source server you’ll need to use the TS/RD Gateway Export & Import functionality, Web Deploy (we’re at version 3.0 at the time of writing) and the Windows Server Migration Tools that were introduced with Windows 2008 R2 and are also available in Windows Server 2012.

In a number of posts I’ll be discussing some of the steps we took. You are reading the second post.

1. x86 Windows Server 2008 TS Gateway Migration To x64 Windows Server 2012 RD Gateway
2. Installing & using the Windows Server Migration Tools To Migrate Local Users & Groups
3. TS/RD Gateway Export & Import (Fixing Event ID 2002 “The policy and configuration settings could not be imported to the RD Gateway server "%1"" because they are associated with local computer groups on another RD Gateway server”)

As discussed in the first part we need to migrate some local users & groups on the TS Gateway (source) server as they are also being used for some special cases of remote access, next to Active Directory users & groups for the Remote Access Policies (RAPs) & Connection Authorization Policies (CAPs). The tool the use is the Windows Server Migration Tools. These were introduced with Windows 2008 R2 and are also available in Windows Server 2012.

Some people seem to get confused a bit about the installation of the Server Migration Tools but it’s not that hard. I have used these tools several times before in the past and they work very well. You just need to read up a bit on the the deployment part and once you have it figured out they work very well.

Installing the Windows Server Migration Tools on the DESTINATION Server

First we have to install the on the DESTINATION host (W2K12 in our case, the server to which you are migrating)). For this we launch Server Manager and on the dashboard select Manage and choose Add Roles & Feature.

Navigate through the wizard until you get to Features. Find and select Windows Server Migration Tools. Click Next.

Click Install to kick of the installation.

After a while your patience will be rewarded.

Installing the Windows Server Migration Tools on the SOURCE Server

To install the Windows Server Migration Tools on the SOURCE server, you need to run the appropriate PowerShell command on the DESTINATION server. This is what trips people up a lot of the time. You deploy the correct version of the tools from the destination server to the source server, where you will than register them for use. Do this with an admin account that has admin privileges on both the DESTINATION & SOURCE Computer.

Start up the Windows Server Migration Tools from Server Manager, Tools.

This launches the Windows Server Migration Tools PowerShell window.

Our SOURCE server here is the32 bit (X86)  Windows 2008 TS Gateway Server. The documentation tells us the correct values to use for the parameters /architecture and /OS to use.

SmigDeploy.exe /package /architecture X86 /os WS08 /path \\SourcerServer\c$\sysadmin

Now before you run this command be sure to go to the ServerMigrationTools folder as the UI fails to do that for you.

Also this is PowerShell so use .\ in front of the command otherwise you’ll get the error below.

While you want this:

Now you have also deployed the correct tools to the SOURCE server, our old legacy TS Gateway Server. Next we need to register these tools on the SOURCE Server to be able to use them. You might have gotten the message already you need PowerShell deployed on the SOURCE Server as documented.

If you have PowerShell, launch the console with elevated permissions (Runs As Administrator) and run the following command: .\SmigDeploy.exe

Congratulations you are now ready to use the Windows Server Migration Tools! That wasn’t so hard was it?

Using the Windows Server Migration Tools To Migrate Local Users & Groups

To export the local users and groups from the source TS/RD Gateway server you start up the Windows Server Migration Tools on the SOURCE server (see the documentation for all ways to achieve this) and run the following PowerShell command:
Export-SmigServerSetting -User All  -Group –Path C:\SysAdmin\ExportMigUsersGroups –Verbose

As you can see I elected to migrate all user accounts not just the enabled or disabled ones. We’ll sort those out later. Also note the command will create the folder for you.

To import the local users and groups to the target RD Gateway server you start up the Windows Server Migration Tools on the Destination server (see the documentation) , i.e. our new Windows Server 2012 RD Gateway VM.

and run the following PowerShell command:

Import-SmigServerSetting  -User Enabled  -Group -Path C:\SysAdmin\ExportMigUsersGroups -Verbose

Do note that the migrated user accounts will be disabled and have their properties set to "Next Logon". This means you will have to deal with this accordingly depending on the scenarios and communicate new passwords & action to take to the users.

Do note that the local groups have had the local or domain groups/users added by the import command. Pretty neat.

You’re now ready for the next step. But that’s for another blog post.

x86 Windows Server 2008 TS Gateway Migration To x64 Windows Server 2012 RD Gateway

Introduction

I was working on a little project for a company that was (still) running TS Gateway on a 32 bit  x86) version Windows 2008. The reason they did not go for x64 at the time of deployment was that they then used Microsoft Virtual Server as their virtualization platform and had been for some years.

In a number of posts I’ll be discussing some of the steps we took. You are reading the first one.

1. x86 Windows Server 2008 TS Gateway Migration To x64 Windows Server 2012 RD Gateway
2. Installing & using the Windows Server Migration Tools To Migrate Local Users & Groups
3. TS/RD Gateway Export & Import (Fixing Event ID 2002 “The policy and configuration settings could not be imported to the RD Gateway server "%1"" because they are associated with local computer groups on another RD Gateway server”)

In those early days of W2K8 they had not yet switched to Hyper-V. As an early adopter I was able to show the the reliability of Hyper-V, so later they did.

One of the drawbacks of using Microsoft Virtual Server was that they could not use x64 guest VMs and that’s how they ended up with x86, which was still available for a server OS for W2K8. Since then they have move to Hyper-V and now also run Window Server 2012. Happy customers! So after more than 5 years of service and to make sure they did not keep relying on aging technology it is time to move to Windows Server 2012 RD Gateway and reap the benefits of the latest OS.

The Migration

Their is no in place upgrade from a x86 to an x64 OS. So this has to be a migration. No worries this is supported. With some insight, creativity and experience you can make this happen. The process reasonably well documented on TechNet, but not perfectly, and your starting point is right here RD Gateway Migration: Migrating the RD Gateway Role Service. These docs are for Windows Server 2008 R2 but still work for Windows Server 2012. Another challenge was we needed to also migrate their custom website used for the employees to check whether their PC is still on and if not wake it up or start it up remotely.

There are some things to take care of and I’ll address these I some later blog posts but I want you to take to heart this message. While an in place upgrade of an 32 bit X86 operating system to X64 version of that OS is not possible that doesn’t mean you’re in  a pickle and will have to start over from scratch. For many scenario’s there are migration paths and this is just one example of them, or better two combined,TS Gateway and a Website.

The Dilbert Life Series – A Bad Manager’s Priorities

As usual the normal disclaimer applies: don’t take yourself to seriously. Relax

Where great managers can make a serious difference in many ways to both the success of a company and to the personal achievements of their employees the opposite also happens. Many types of managers exist. Dealing with or even controlling them, depending on whether you live above or under them is well documented. The aim of that is to get the best out of the resources and people available. The better the managers, the better this will work out. Perfection is not of this world and you won’t have the best possible manager for every possible position. That’s a given, just like they won’t have the best possible employee or consultant for every job or project. So there is no need to get emotional about it or expect perfection before calling something good. There is however one type, the bad manager, that should not be controlled. They should be dealt with in only one way which is termination. If that’s not possible you need to get as far away from them as possible. Mind you the latter is only an option if you’re a subordinate employee. If, as a boss you run away from bad subordinate manager than you really need to reconsider your career choices.

Me, Myself and I

A bad manager will never choose you over his or her own priorities, nor will they put the organizations needs first. The first is by definition. Don’t take it personal. The company does not exist for your needs. The second is more problematic as the organization’s needs are priority one. Let’s take a look their priorities in order of declining importance as determined by experience.

1.  Me, myself and I. This is normal and it applies to everyone. But there is more to this than just plain self-interest. People who are given or rise to power, have a strong tendency to put their own needs and interests above those of others. Your manager’s ambitions & agenda (professional, personal and financial) will always take precedence of any need you might have. They need to fill their treasury and the pressure to “live up to expectations” of their overlords is on.
2. Reputation. Managers need to be seen & act as very reliable, trustworthy persons who can get results. With some luck they are. But we all know about “perception is reality”. This is true until you hit the ground after jumping of the 36 floor because you pretend you can fly. Whether a bad manager actually delivers anything is irrelevant as long as the perception is there. Office politics are part of the game and they don’t take prisoners. Your boss is going to be more prone to protect his or her reputation than to protect yours. That’s why managers get pissed off about even only a perceived loss of reputation. In the dog eat dog world they’ll even ruin your reputation if and when needed as they can’t be seen as the root cause of problems. They’ll blatantly steal your work and take credit for all that goes well in the same way. You’re an expendable asset and you should never forget it.
3. Their superiors. This is both hierarchical and functional. It’s not only the fact that a lot of people feel the need to please others for whatever reason. It is also just self-interest (promotions, ego) and self-preservation. So realize that your managers will almost always choose to follow their bosses or the peers they fear or need in order to gain a stronger or more favorable position with them. Yes, they will do so even if it is bad for the company or organization. This holds a warning: if you’re a functional superior to your managers than you’re a threat and they might try to get rid of you.
4. Customers. You can forget about being more important than the needs of the customers. Whether these are external or internal customers is irrelevant. Your managers job is to serve the need of the customers. Your managers will not get ahead if he doesn’t serve their needs.
5. The team. Yes the team, the assets are more important than you. As long as managers can have the team do what needs to be done, they have a way of serving the above priorities, which are more important. In that respect the ability of a manager to keep the team running is paramount. They’ll feed the teams just enough to keep them alive, hopeful enough to carry on and will challenges them to keep them sharp. Keep ‘m mean, lean & hungry.
6. You. Sure you have some skills they needs. If not they might keep you around just to add another FTE to the head count in order to proof the importance or the weight of their jobs. So he won’t kick you most of the time and will even throw you a bone every now and then. Good doggy. But you know that saying “People are our biggest asset?” It’s a lie, especially to them.

How to deal with this?

The above is always true in a lesser way for all individuals and as such also for managers. The big difference is that the balance has totally shifted to the dark side with really bad ones. In essence you have a couple of options. Grow a pair of balls and make sure you have some power as well, play the same game and get them terminated. If your upper management is worth their pay they might be way ahead of you and that will bet the end of it for you. If it has to come from the bottom realize that this is not easy. Terminating a manager from lower in the hierarchy always upsets the powers that be. To them such an event is highly disconcerting and visions of guillotines, tar, feathers and pitch forks pop up. Another option is to take evasive maneuvers. You could do so by moving laterally or vertically in the organization out of harm’s way. Last but not least. Leave. Yes, that might not be fair on you and what you already accomplished at the company but life is not fair and is certainly too precious to put up with the above. In the end you must know your opponent and know yourself. Perhaps you can live with them and there are various ways of dealing with various types of managers, who all have their weaknesses and strengths. It’s a personal decision, but a real bad manager, that’s something you really can do without and shouldn’t tolerate ever, for your own health and well-being.

If You Can, You Should Attend TechEd 2013 Europe

It’s that time of the year again, when TechEd is coming closer. I’m attending the European Edition in Madrid, Spain. But I can guarantee you I will be on line a lot during the USA edition as well. At be attending the USA edition this year if I could but work, time and budget wise I can’t make that happen. This isn’t because the European edition is less, absolutely not. The reason is that at MMS2013 in Las Vegas last month we got the heads up that Microsoft will start talking publicly about the new version of Windows and I’m game for that. Windows Server 2012 is the best Windows version ever but I know what I’d like to see in there to make it even better. I’m kind of curious if anyone at MSFT follows my thinking on this subject. I hope so!

So yes I’m a TechEd advocate, you bet! If you want to know why, read my blog post here on http://workinghardinit.wordpress.com/2010/06/05/why-i-find-value-in-a-conference/.

Come and learn amongst your peers, network with them and industry experts. To become competent and gain expertise you are going to have to get out there and expose your ideas, insights and thinking to your peers around the globe. That’s how it works. To those who dismiss quality conferences like this I can only say that you are wrong. To those who claim it’s a paid holiday I can only say that to a liar all other men are liars and to a thief all other men are thieves.  Enough said. Invest in knowledge and competence development, it will pay of better than some extra thousands of € in the bank!

So if you can please join me and attend TechEd. It’s a blast and a tremendous learning experience. I never ever miss attending TechEd, not even at times it wasn’t easy for me to do so. You can register here. I hope to see you there!

SMB Direct RoCE Does Not Work Without DCB/PFC

Introduction

SMB Direct RoCE Does Not Work Without DCB/PFC. “Yes”, you say, “we know, this is well documented. Thank you.” but before you sign of hear me out.

Recently I plugged to RoCE cards into some test servers and linked them to a couple of 10Gbps switches. I did some quick large file copy testing and to my big surprise RDMA kicked in with stellar performance even before I had installed the DCB feature, let alone configure it. So what’s the deal here. Does it work without DCB? Does the card fail back to iWarp? Highly unlikely. I was expecting it to fall back to plain vanilla 10Gbps and not being used at all but it was. A short shout out to Jose Barreto to discuss this helped clarify this.

DCB/PFC is a requirement RoCE

The more busy the network gets the faster the performance will drop. Now in our test scenario we had two servers  for a total of 4 RoCE ports on the network consisting of a beefy 48 port 10Gbps switches. So we didn’t see the negative results of this here.

DCB (Data Center Bridging) and Priority Flow Control are considered a requirement for any kind of RoCE deployment. RDMA with RoCE operates at the Ethernet layer. That means there is no overhead from TCP/IP, which is great for performance. This is the reason you want to use RDMA actually. It also means it’s left on it’s own to deal with Ethernet-level collisions and errors. For that it needs DCB/PFC other wise you’ll run into performance issues due to a ton of retries at the higher network layers.

The reason that iWarp doesn’t require DCB/PCF is that it works at the TCP/IP level also offloaded by using a TCP/IP stack on the NIC instead of the OS. So errors are handled by TCP/IP at a cost: iWarp results in the same benefits as RoCE but it doesn’t scale that well. Not that iWarp performance is lousy, far form! Mind you, for bandwidth management reasons,you’d be better of using DCB or some form of QoS as well.

Conclusion

So no, not configuring  DCB on your servers and the switches isn’t an option, but apparently it isn’t blocked either so beware of this. It might appear to be working fine but it’s a bad idea. Also don’t think it defaults back to iWarp mode, it doesn’t, as one card does one thing not both. There is no shortcut. RoCE RDMA does not work error free out of the box so you do have the install the DCB feature and configure it together with the switches.

Using RAMDisk To Test Windows Server 2012 Network Performance

I’m testing & playing different Windows Server 2012 & Hyper-V networking scenarios with 10Gbps, Multichannel, RDAM, Converged networking etc. Partially this is to find out what works best for us in regards to speed, reliability, complexity, supportability and cost.

Basically you have for basic resources in IT around which the eternal struggle for the prefect balance finds place. These are:

• CPU
• Memory
• Networking
• Storage

We need both the correct balance in capabilities, capacities and speed for these in well designed system. For many years now, but especially the last 2 years it very save to say that, while the sky is the limit, it’s become ever easier and cheaper to get what we need when it comes to CPU, Memory. These have become very powerful, fast and affordable relative to the entire cost of a solution.

Networking in the 10Gbps era is also showing it’s potential in quantity (bandwidth), speed (latency) and cost (well it’s getting there) without reducing the CPU or memory to trash thanks to a bunch of modern off load technologies. And basically in this case it’s these qualities we want to put to the test.

The most trouble some resource has been storage and it has been for quite a while. While SSD do wonders for many applications the balance between speed, capacity & cost isn’t that sweet as for our other resources.

In some environments were I’m active they have a need for both capacity and IOPS and as such they are in luck as next to caching a lot of spindles still equate to more IOPS. For testing the boundaries of one resource one needs to make sure non of the others hit theirs. That’s not easy as for performance testing can’t always have a truck load of spindles on a modern high speed SAN available.

RAMDisk to ease the IOPS bottleneck

To see how well the 10Gbps cards with and without Teaming, Multichannel, RDMA are behaving and what these configuration are capable of I wanted to take as much of the disk IOPS bottle neck out of the equation as possible. Apart from buying a Violin system capable of doing +1 million IOPS, which isn’t going to happen for some lab work, you can perhaps get the best possible IOPS by combining some local SSD and RAMDisk. RAMDisk is spare memory used as a virtual disk. It’s very fast and cost effective per IOPS. But capacity wise it’s not the worlds best, let alone most cost effective solution.

I’m using free RAMDisk software provided by StarWind. I chose this as they allow for large sized RAMDisks. I’m using the ones of 54GB right now to speed test copying fixed sized VHDX files. It install flawlessly on Windows Server 2012 and it hasn’t caused me any issues. Throw in some SSDs on the servers for where you need persistence and you’re in business for some very nice lab work.

You also need to be aware it doesn’t persist data when you reboot the system or lose power. This is not an issue if all we are doing is speed testing as we don’t care. Otherwise you’ll need to find a workaround and realize those ‘”flush the data to persistent storage” isn’t full proof or super fast, the SSDs do help here.

You have to register but the good news is that they don’t spam you to death at all, which I find cool. As said the tool is free, works with Windows Server 2012 and allows for larger RAMDisks where other free ones are often way to limited in size.

It has allowed me to do some really nice testing. Perhaps you want to check this out as well. WARNING: The below picture is a lab setup … I’m not a magician and it’s not the kind of IOPS I have all over the datacenters with 4 Cheapo SATA disks I touched my special magic pixie dust.

Some quick tests with a 52GB NTFS RAMDisk formatted with a 64K NTFS Allocation unit size.

I also tested with another free tool from SoftPerfect ® RAM Disk FREE. It performs well but I don’t get to see the RAMDisk in the Windows Disk Management GUI, at least not on Windows Server 2012. I have not tested with W2K8R2.

NTFS Allocation unit size 4K	NTFS Allocation unit size 64K

Best of MMS 2013 – SCUG Belgium

Earlier this month I attended MMS2013 in Las Vegas. Today the Belgian System Center Community let’s us know about a live event “Best of MMS” they organize in order to share in-depth System center knowledge/presentations along with their impressions.

No one les than Wally Mead, the Senior Program Manager for System Center Configuration Manager who’s perhaps better know as The Godfather of Configuration Manger, will be joining the event. Wally is presenting twice along side the Belgian SCUG members, many of which belong to Microsoft Extended Experts Team (MEET) and/or are MVPs in Enterprise Client Management, Cloud & Datacenter & Virtual machine.

Grab a seat for "Best of MMS 2013” right here on Eventbrite

You can find the (non final) agenda on the SCUGBE web site http://scug.be/events/2013/04/27/best-of-mms-19062013/. As you can see I have an early morning session at 09.15  – 10.15 on “Availability Strategies for a Resilient Private Cloud”. This provides the foundation for a high to continuous available private cloud my fellow speakers will be presenting on.

There will be opportunities to network, talk shop, learn and last but not least to win a TechEd Europe 2013 ticket in a lottery!