You have a large VMware App Volumes environment and have backed up your writable volumes using the capabilities provided in the App Volumes Manager. (You are doing the right thing!)
AV Manager – WV Backup Config
We decided to perform an audit of the backup of the writable volumes within App Volumes Manager 2.18.10 and the VSAN datastore. You can export all the writable volumes to a CSV using the API; my script here will give you a complete overview for conducting your analysis. Now exclude your group entitlements from the list, leaving you with the total number of writable volumes within your environment. Ideally, you are after the same number of writable volumes on the VSAN datastore. (Of course, if everything is going well in the backup world!)
In my case, we observed more than 300 missing writable volumes between the exported CSV and the VSAN datastore. Let the investigations begin – within the production.log, we could see the backup was happening, but the challenge in a large environment is that it is impossible to track all the backups occurring just by looking at the logs. Feature request to VMW – a dedicated backup log that shows the status of the entire environment. We eventually ended up with a GSS case, and after a few months of back and forth and log exchanges we finally got a working solution. This closed the mystery of the missing writable volume backups.
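To make the audit described above repeatable, here is an added PowerShell example (not the author's script) that pulls the writable volume list from the same /cv_api/writables endpoint used by the deletion script further down this page, drops group entitlements, exports the CSV and reconciles it against a file listing from the backup datastore. The owner_type and filename properties, the manager URL and the datastore file names are assumptions or constructed sample input, and the manager is assumed to present a certificate the client already trusts.

```powershell
# Added example: audit App Volumes 2.x writable volumes against a backup datastore listing.
# Assumes the 2.x REST endpoints /cv_api/sessions and /cv_api/writables; the
# properties owner_type and filename are assumed names, verify them against your JSON.
$AVManager  = "https://avm001.askaresh.local"     # placeholder manager URL
$Credential = Get-Credential -Message "App Volumes Manager account"

# Log in once and keep the session cookie in $AvSession.
$body = @{
    username = $Credential.UserName
    password = $Credential.GetNetworkCredential().Password
}
Invoke-RestMethod -SessionVariable AvSession -Method Post -Uri "$AVManager/cv_api/sessions" -Body $body | Out-Null

# Pull every writable volume the manager knows about.
$all = (Invoke-RestMethod -WebSession $AvSession -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json").datastores.writable_volumes

# Exclude group entitlements so only per-user volumes remain (owner_type is an assumed property).
$userVolumes = $all | Where-Object { $_.owner_type -ne "Group" }
$userVolumes | Select-Object id, owner_upn, title, filename, status |
    Export-Csv -Path ".\writables-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Constructed sample of VMDK names found on the backup datastore (e.g. from a datastore
# browser export). Replace with the real listing in practice.
$datastoreFiles = @(
    "askaresh!5C!alice.vmdk",
    "askaresh!5C!bob.vmdk"
)

# Reconcile: volumes the manager tracks but that have no backing file on the datastore.
$missing = Compare-Object -ReferenceObject ($userVolumes.filename) -DifferenceObject $datastoreFiles |
    Where-Object SideIndicator -eq "<=" |
    Select-Object -ExpandProperty InputObject

"Manager user writables : $($userVolumes.Count)"
"Datastore files        : $($datastoreFiles.Count)"
"Missing on datastore   : $($missing.Count)"
$missing
```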
Solution
Go to the SQL database of the App Volumes Manager. Select the database and click New Query.
AV Database – Microsoft SQL
Enter the following query and hit Execute. This will change the default writable volumes batch size (writables_backup_batch_size) from 5 to 25. Note that the batch size was tweaked multiple times: we first went with 10, which drastically reduced the missing backups. However, a few were still missing and not getting backed up. The final value for our environment was 25, which got all the writable volumes backed up.
Disclaimer – This tweak was required for a large App Volumes environment. Please consult with VMware Support before making any changes to your setup or database. That it works for me doesn’t mean it will work for you. The value can differ based on the size of the environment.
I hope you will find this information helpful for your VMware App Volumes backup strategy. Please let me know if you have observed issues like these and would like to share your story.
This post is in continuation of my part 1 – Mindmap – Part 1 – Horizon Cloud on Microsoft Azure (HCoA) – Quick start guide where we look at pre-requisites and the initial deployment of the HCoA solution. In this post, I want to share my learnings about the configuration of Images, Virtual Desktops, Farms and Assignments. We shall take a look into the following topics:
Mind map for Horizon Cloud on Microsoft Azure – Part 2 – Configuration of Images – Desktops – Farms – Assignments
Creating a Virtual Desktop or RDSH Image
Import VM
Create Image (Converting VM to Image)
Farms (Published Applications)
Create Desktop Farm
Add Applications to the Farms
New Applications – Auto-Scan from Farm
Create an Application Assignment
Create an Assignment for Multi-session or Hosted Shared Desktop
Create a Virtual Desktop Assignment (Persistent – Full Clone)
Create a Virtual Desktop Assignment (Non-Persistent – Floating)
AppStacks
In the second part of this series, the mindmap acts as a visual representation of all the configurations to be performed after the initial deployment of the Horizon Cloud Pod. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment details, and requirements for performing the next steps in your HCoA journey.
HCoA – Part 2
Disclaimer – This guide is a deployment/configuration guide, and the production settings, configuration, and use-cases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
Horizon Cloud POD Managers + Unified Access Gateways
Note that everything is deployed with high availability in mind.
2 x Horizon Cloud Pod Managers
2 x External Unified Access Gateways (Public IP)
2 x Internal Unified Access Gateways (Internal on-premise network)
Azure – Virtual Machines
Azure Load Balancers
1 x Horizon Cloud Pod Managers
1 x Public UAG Appliances
1 x Internal UAG Appliance
Azure – Load Balancers
Azure Virtual Network
I created the vNet as part of the pre-requisites in the Part 1 post.
1 x Subnet for DMZ (Unified Access Gateway)
1 x Subnet for Mgmt (Pod Managers)
1 x Subnet for Workload (Desktop/Farms)
Azure – vNet
Azure Resource Groups
Note that these are auto-created during the Pod deployment.
Azure – Resource Groups
I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.
This will be a two-part blog series on VMware Horizon Cloud on Microsoft Azure (HCoA). My aim is to get you off the ground on HCoA. I have a fair understanding of Azure due to my past certifications on AZ-140 and AZ-104 (prep), and I highly recommend acquiring Azure skills to make your life easier.
In part one, we shall take a look into the following topics:
Mind map for Horizon Cloud on Microsoft Azure – Part 1 – Getting started
Getting Started
Azure pre-requisites
Horizon Cloud Account
Configure the Azure Pod
Subscription
Pod Setup
Gateway Settings
General Setup
Domain Bind
Domain Join
Administrative Group
Universal Broker
The idea here is that the mindmap acts as an excellent visual representation of what to do during the end-to-end cycle of the project. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment, and requirements for the initial setup.
HCoA – Part 1
Disclaimer – This guide is a getting-started guide, and the production settings, configuration and use cases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap or reference links, and I will be happy to update the post.
We were exploring the feature Privilege Elevation – VMware Dynamic Environment Manager (DEM) within our development environment, and for some odd reason, a specific feature and configuration wouldn’t work in our setup.
Disclaimer
The Windows registry setting mentioned within this blog post is used within enterprise-grade secure environments. The hardening measure is part of the CIS Benchmarks for Windows 10. If your machines aren’t hardened, the feature typically works out of the box. For example, in my home lab, I had no issues with the Privilege Elevation feature working.
Issue
Whenever we enabled the feature and applied any settings, it would not work. It didn’t matter which configuration you picked; the error within the logs remained constant.
As explained by VMware, the additional LSA Protection configuration causes issues with the VMware DEM agent (version 2103). The Windows registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with the value
RunAsPPL=1
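As an added check (not from the post or from VMware), this PowerShell function reports whether LSA Protection is enabled through the registry value above and which DEM agent build is installed, so you can tell before testing whether the fixed agent build the post mentions later (10.2.4.1023) is needed. The Uninstall-key DisplayName pattern is an assumption; adjust it to the name shown in Programs and Features.

```powershell
# Added example: pre-flight check for the DEM Privilege Elevation issue on an LSA-protected host.
function Test-DemPrivilegeElevationPrereq {
    # RunAsPPL = 1 enables LSA Protection; 2 (newer builds) enables it with a UEFI lock.
    $lsaKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lsaProtectionOn = ($runAsPpl -eq 1) -or ($runAsPpl -eq 2)

    # DEM agent version from the Uninstall registry hives (64-bit and 32-bit views).
    # The DisplayName pattern is an assumption; adjust it to your installed product name.
    $uninstallPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    $dem = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*Dynamic Environment Manager*" } |
        Select-Object -First 1

    # Build that the post says carries the fix.
    $fixedBuild   = [version]"10.2.4.1023"
    $agentVersion = if ($dem -and $dem.DisplayVersion) { [version]$dem.DisplayVersion } else { $null }

    [pscustomobject]@{
        LsaProtectionEnabled = $lsaProtectionOn
        DemAgentVersion      = $agentVersion
        # Only an LSA-protected host with an older (or unknown) agent build hits the issue.
        NeedsFixedAgent      = $lsaProtectionOn -and ($null -eq $agentVersion -or $agentVersion -lt $fixedBuild)
    }
}

Test-DemPrivilegeElevationPrereq
```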
Resolution
My team managed to open a VMware GSS case handled by GuruKripal (a very helpful support engineer); we had to provide a large number of logs, procmon captures and a group policy export of the environment. After giving them the export of our CIS Benchmarked group policies, they could reproduce the issue. In the end, the VMware engineering team provided us with a newer build of the DEM Agent (10.2.4.1023 x64.msi).
If you encounter a similar issue, you can raise a VMware support case to obtain the fix; otherwise, I was assured that all future releases of the DEM Agent would include the fix. I hope you will find this information useful if you encounter the issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 6+ months.
In this blog post, we shall take a deeper look into Azure VMware Solution network connectivity: between AVS and the Azure VNet for accessing Azure native services such as Bastion, Azure AD, SQL etc., and further connectivity to the on-premises network to migrate virtual machines or run a hybrid setup.
AVS Networking – Image courtesy @Microsoft
Step 1 & 2 – Connectivity between Azure VMware Solution (AVS) – Express Route to Azure VNet
After deploying AVS, we need to connect it to the Azure VNet in order to consume Azure native services such as Bastion, SQL, AAD etc.
Note AVS pre-deploys the ExpressRoute for you (AVS – Manage – Connectivity – Express Route).
We need an existing Virtual Network Gateway (VNG) on the Azure VNet, or we need to create one. All steps are performed in portal.azure.com.
Deploy the Virtual Network Gateway (VNG) on Azure subscription
Make sure you have a VNG created on Azure VNET
Give it a name – AZ104-VNG01
Resource Group – Select New or existing
Location – Australia East
SKU – Standard (for demo and testing purposes)
Virtual Network – Select the existing VNET (E.g. 10.0.0.0/16) for Azure. Note it will create the Gateway Subnet automatically (10.x.x.x/24)
Type – ExpressRoute
Public IP Address – Create New (It will auto assign a public IP)
Optional Create Tags
Save and Create
Under AVS – Connectivity – Express Route
Request the Authorization key
Name – ToAzureVNET
Copy the Key and Express Route ID
Open the VNG (AZ104-VNG01) and Settings – Connections
Click on Add
Name – FromAVSPrivateCloud
Connection Type – Express Route
Paste the Authorization Key and ExpressRoute ID copied earlier
Click OK
The Status will change from Updating to Succeeded
Now we have the connectivity between the AVS and Azure VNet.
Step 1 & 3 – Connectivity between Azure VMware Solution – ExpressRoute Global Reach to On-premise networks
Now we will establish the connectivity between AVS and the on-premises networks.
ExpressRoute Circuits – This is the circuit coming from on-premises into the Azure VNet
This will depend upon the partner network (Equinix, Telstra etc.)
I hope you will find this helpful information on your AVS Networking journey. Please let me know if I have missed any steps or good reference links, and I will be happy to update the post.
The MP4H (Management Pack for Horizon) 2.0 was recently released – Release Notes. It was time to give it a go, and the best place IMHO is VMware Test Drive, as they have a larger environment and there is a lot of data for simulation compared to our small homelab.
Let’s take a look at the following information from the vRealize Operations – MP4H:
New engaging Dashboards and Views
Observations and thoughts
Where to download the MP4H 2.0 pack?
New engaging Dashboards and Views
Service Monitoring for Unified Access Gateway (UAG) and Connection Server (CS) – Using the Telegraf Agent, you can monitor the Tomcat services and HTTP Health Checks against the UAG and CS web services. The step by step configuration details can be found here.
Connection Server certificate validation – There are new properties around CS certificate validation. This way, you can build a dashboard based on the view – Availability \ Horizon Connection Server Certificate.
Unified Access Gateway Session – There are views on UAG session disparity among the different UAG appliances and on the session split across internal and external UAG appliances. The UAG Overall Experience widget gives a high-level overview. Note that the HTTP check uses the Telegraf agent to perform the checks (it’s empty here, but you get the point: the capability is there).
Horizon Client Versions and Horizon User Agent Version – These dashboards are not new and were present in the previous MP4H, but they are so important for getting an overview of the Client and Agent versions within the environment.
Observations and thoughts
Very excited to see the UAG appliances included as a first-class citizen in monitoring & alerting. One can tell that MP4H 2.0 has come a long way since its previous releases. I am personally looking forward to the built-in reports coming back in future releases, along with the inclusion of VMware App Volumes and VMware Workspace ONE alerting and reporting. If the VMware product team considers my recommendation, it can start to differentiate itself against other players within the same market segment.
Features wishlist:
HTTP Check and Service monitoring for App Volumes and Workspace ONE Access
Certificate validation for UAG, App Volumes and Workspace ONE Access
Built-in Reports – Previous Horizon Reports, App Volumes – AppStacks, App Volumes – Writable Volumes, Workspace ONE Access – User Sessions etc.
I can’t wait to see what the next release of the vRealize Operations – Horizon Management Pack holds.
Where to download the MP4H 2.0 pack?
You can download the pack from VMware Marketplace, and the following versions of vRealize Operations are supported.
Disclaimer – All the screenshots are from the VMware Test Drive Portal. All credit to them for their hard work.
I hope you will find this post about the latest release of MP4H 2.0 helpful. I highly recommend giving it a go on Test Drive, and a small request: if you find anything interesting, I hope you can share it back with me.
Automatically Power ON the Session host Virtual Machines
Monitoring Azure Virtual Desktop
Mindmap for Managing Azure Virtual Desktop (AVD)
I have managed to document all the high-level steps involved in managing the AVD on an ongoing basis. The idea here is that the mindmap acts as an excellent visual representation of what to do during ongoing maintenance activities. You can figure out in advance the requirements/steps and pre-requisites.
Managing Azure Virtual Desktop
Disclaimer – This guide is a getting-started guide, and production management may vary. Please make sure you always reference the Microsoft documentation. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your Managing Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.
It was an honour to come and speak on the podcast with host Eric L Nielsen and co-host Matt Langguth. A treat to watch and speak live, and to catch Eric’s signature introduction of “Across the nation or around the world” and the “color of the bay”. The overall experience on the podcast was outstanding and I hope to come back again soon. Following is the audio/video version on YouTube; the podcast is also available on leading platforms such as Apple, Google, Spotify etc.
I hope you find our conversation useful and feel free to revert if you have further questions.
Often within the VMware App Volumes Manager (AVM), Writable Volumes will show up as Status – Orphaned. Let’s take a look at the following topics:
What are Orphaned Writable Volumes?
Script to delete them from the App Volumes Manager
What are Orphaned Writable Volumes?
App Volumes Manager is integrated with Microsoft Active Directory (AD), and it’s in continuous synchronization. Whenever an end-user account gets disabled in AD, during the next sync activity of App Volumes Manager it will mark that user’s writable volumes with Writable Status = Orphaned.
Now in the ideal world, these accounts have been disabled and should be okay to delete? Maybe: if you don’t have a data retention obligation, then you are ready to delete them. If you need to retain them, keep them as-is for compliance purposes.
Script to delete them from the App Volumes Manager
Before we talk about the script, the deletion is very straightforward within the App Volumes Manager: select the volumes with Status = Orphaned and click the Delete button. However, when you have to do the same against multiple PODs it becomes challenging, and as always, if it’s not automated, there is scope for human error.
Pre-requisites
You need the App Volumes Manager URL
You need the username and password of the App Volumes Manager
You need to enter y/Y to proceed further with the deletion
The script was tested on PowerShell V5.x with App Volumes Manager version 2.18.10 (the logic will be the same; however, the API call for App Volumes 4.x will be different)
###########################################################################
# Get List of Writable Volumes from App Volumes Manager for Status=Orphaned
# Delete the Orphaned Writable Volumes
# You need username and password for the App Volumes Manager
# Author - Aresh Sarkari (Twitter - @askaresh)
# Version - V5.0
###########################################################################

# App Volumes Manager Name or IP Address
$AVManager = "https://avm001.askaresh.local"

# Run at the start of each script to import the credentials
$RESTAPIUser = "domain\username"
$RESTAPIPassword = "enteryourpassword"

# Ignore cert errors
# NOTE: this disables TLS certificate validation for the whole PowerShell session, so the
# credentials above could be intercepted. Prefer trusting the manager's certificate (or its
# issuing CA) on the client and removing this block.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Ssl3 is obsolete; drop it unless a legacy manager still requires it
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'

# Login AV Manager Body
$body = @{
    username = "$RESTAPIUser"
    password = "$RESTAPIPassword"
}

# Login API call to the AV Manager (the session cookie is kept in $DaLogin)
Invoke-RestMethod -SessionVariable DaLogin -Method Post -Uri "$AVManager/cv_api/sessions" -Body $body

# Get the list of Writable Volumes from the AV Manager
$output = Invoke-RestMethod -WebSession $DaLogin -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json"

# Selecting the WV with status Orphaned into a variable
$WVOutput = $output.datastores.writable_volumes | Select-Object id, owner_name, owner_upn, title, status | Where-Object {[string]$_.status -match "Orphaned"}

# Output on the console (Validate carefully before proceeding ahead)
$WVOutput | Format-Table | Out-String | ForEach-Object {Write-Host $_}

# Confirmation logic to proceed with the deletion (only an answer starting with y/Y proceeds)
$confirmation = Read-Host -Prompt "Are you Sure You Want To Proceed with the deletion"
if ($confirmation -match "^[yY]") {
    # The WV Deletion API call only looks for IDs. We are filtering the ids only
    $WVOutputIDs = $WVOutput.id

    # Looping to delete each Writable Volume via its ID
    foreach ($WVOutputID in $WVOutputIDs) {
        # Writable Volumes deletion Parameters body
        $jsonbody = @{
            bg = "0"
            volumes = "$WVOutputID"
        } | ConvertTo-Json

        # API call to delete the Writable Volume
        # We are using Invoke-WebRequest for getting the Content of the deletion (Success) in one line
        $WVdeletecall = Invoke-WebRequest -WebSession $DaLogin -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json"

        # Print the response details of each delete call
        Write-Host "$WVOutputID : $($WVdeletecall.StatusCode) $($WVdeletecall.StatusDescription) $($WVdeletecall.Content)"
    }
}
When you run the script, it will identify all the end-users with Status = Orphaned. If you like, you can copy and paste the output into an editor (Notepad++) to verify the output.
Once you press y/Y it will go ahead and delete the Orphaned writable volumes.
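For environments with the retention obligation mentioned earlier, here is an added, retention-aware variant (not the author's script) using the same 2.x endpoints: it prompts for credentials instead of storing a password in the script, writes the orphaned list to a CSV before anything is deleted, supports -WhatIf and per-volume confirmation through ShouldProcess, and records the HTTP result of every delete call. The manager URL in the usage comments is a placeholder, and the manager is assumed to present a certificate the client trusts.

```powershell
# Added example: retention-aware bulk deletion of Orphaned writable volumes (App Volumes 2.x API).
function Remove-OrphanedWritableVolume {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$AVManager,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$AuditPath = ".\orphaned-writables-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Log in and keep the session cookie in $AvSession.
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    Invoke-RestMethod -SessionVariable AvSession -Method Post -Uri "$AVManager/cv_api/sessions" -Body $body | Out-Null

    # Same filter as the post's script: only volumes whose status is Orphaned.
    $orphaned = (Invoke-RestMethod -WebSession $AvSession -Method Get -Uri "$AVManager/cv_api/writables" -ContentType "application/json").datastores.writable_volumes |
        Where-Object { [string]$_.status -match "Orphaned" } |
        Select-Object id, owner_name, owner_upn, title, status

    if (-not $orphaned) { Write-Verbose "No Orphaned writable volumes found."; return }

    # Keep a record of what is about to be removed: this is the retention/compliance trail.
    $orphaned | Export-Csv -Path $AuditPath -NoTypeInformation
    Write-Verbose "Audit list written to $AuditPath"

    foreach ($volume in $orphaned) {
        # -WhatIf reports here without deleting; -Confirm prompts per volume (Yes to All available).
        if (-not $PSCmdlet.ShouldProcess("$($volume.owner_upn) ($($volume.id))", "Delete writable volume")) { continue }

        $jsonbody = @{ bg = "0"; volumes = "$($volume.id)" } | ConvertTo-Json
        try {
            $response = Invoke-WebRequest -WebSession $AvSession -Method Post -Uri "$AVManager/cv_api/volumes/delete_writable" -Body $jsonbody -ContentType "application/json" -UseBasicParsing
            [pscustomobject]@{ Id = $volume.id; Owner = $volume.owner_upn; Status = $response.StatusCode; Result = $response.Content }
        }
        catch {
            # Surface the failing volume instead of silently moving on to the next one.
            [pscustomobject]@{ Id = $volume.id; Owner = $volume.owner_upn; Status = "Error"; Result = $_.Exception.Message }
        }
    }
}

# Usage (placeholder URL): dry run first, then the real run with per-volume confirmation.
# Remove-OrphanedWritableVolume -AVManager "https://avm001.askaresh.local" -Credential (Get-Credential) -WhatIf
# Remove-OrphanedWritableVolume -AVManager "https://avm001.askaresh.local" -Credential (Get-Credential) -Confirm
```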
I hope you will find this script useful to bulk delete orphaned Writable Volumes in App Volumes Manager. A small request: if you further enhance the script or make it more creative, I hope you can share it back with me.
Mind map for Azure Virtual Desktop – Getting started
Getting started with Azure Virtual Desktop (AVD)
Deployment – Pre-requisites for AVD
Master Images – (Windows 10 Multi-Session, Windows 10 1909 Enterprise or Windows Server 2019 DC)
Template and Shared Image Gallery
Host Pools
Application Groups
Workspaces
Windows Desktop Client
Quick Start Links
Mindmap for Azure Virtual Desktop (AVD) – Getting started
I managed to put together a mindmap on getting started with AVD, from zero to a working desktop or application. The idea here is that the mindmap acts as an excellent visual representation of what to do during the pre-requisites and deployment, and you can figure out in advance the requirements and steps.
Azure Virtual Desktop
Disclaimer – This guide is a getting-started guide, and the production settings and configuration might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, or reference links, and I will be happy to update the post.