Wednesday 3 July 2013

Installing Windows Azure Pack on Multiple Virtual Machines

Introduction

Last time we looked at installing the Windows Azure Pack for Windows Server "Express" edition on a single VM. We only got as far as installing the management utilities because we didn't have any cloud resources to assign to the machine.

In this post we're going to start to build out a full environment to run the Windows Azure Pack in.


First Steps

Before we start to look at the Windows Azure Pack installation we need to spin up a new Active Directory domain to host all of the security objects, as it's going to get tricky if all our VMs are member servers. We also need to build a dedicated SQL Server to move data storage off of the Service Management box.

Domain Controller

Create a new VM and install a fresh Windows Server 2012 instance, and assign a fixed IP address to the primary network card. You can use the following PowerShell commands to rename it and assign a static address:

New-NetIPAddress -IPAddress 192.168.100.170 -InterfaceAlias "Ethernet" -DefaultGateway 192.168.100.254 -AddressFamily IPv4 -PrefixLength 24

Rename-Computer "VADOM01"
Restart-Computer


Next promote it to a domain controller. Note that dcpromo has been deprecated in Windows Server 2012 in favour of PowerShell cmdlets, so start a PowerShell command prompt and run the following commands:
 

Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$domainName = "va.local"
$netbiosName = "VA"
$adminPassword = "mypassword"
$adminPasswordSecure = ConvertTo-SecureString $adminPassword -AsPlainText -Force

Install-ADDSForest -DomainName $domainName -DomainNetBIOSName $netbiosName -SafeModeAdministratorPassword $adminPasswordSecure -ForestMode Win2012 -DomainMode Win2012 -Force

This will create a new Active Directory forest and automatically reboot the server when the installation is complete.

See AD DS Deployment Cmdlets in Windows PowerShell for help with these commands.

SQL Server

Create another VM, assign a fixed IP address again, and join it to the new domain:

Rename-Computer "VASQL01"
Restart-Computer


New-NetIPAddress -IPAddress 192.168.100.171 -InterfaceAlias "Ethernet" -DefaultGateway 192.168.100.254 -AddressFamily IPv4 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses @("192.168.100.170", "192.160.100.80")


$username = "VA\Administrator"
$password = "mypassword"
$passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
$credential = new-object System.Management.Automation.PSCredential($username, $passwordSecure)


Add-Computer -DomainName "va.local" -Credential $credential
Restart-Computer

Then install the .NET Framework 3.5. You need to have the Windows Server 2012 disc available (or mount the ISO image to your VM) because the installation files aren't deployed onto the local hard disk by default:

Import-Module ServerManager
Add-WindowsFeature Net-Framework-Core -Source "D:\sources\sxs"

Once that's done we're going to configure the instance to run on a static port, and we'll also need to open the local firewall to allow inbound connections to the SQL Server instance. The SQL Server service will need a restart after we've configured it for the changes to take effect.

The script below was adapted from Ryan Mangan's IT Blog.
  
$key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.VAMGTDB\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
Set-ItemProperty -Path $key -Name "TcpDynamicPorts" -Value ""
Set-ItemProperty -Path $key -Name "TcpPort" -Value "1434"

New-NetFirewallRule -DisplayName "VASQL01\VAMGTDB Database Engine" -Direction Inbound -Protocol TCP -LocalPort 1434 -Action Allow

Restart-Service "MSSQL`$VAMGTDB"

Now we can install SQL Server 2012. Use the default settings for each dialog, except where listed below:
  • Feature Selection - check "Database Engine Services" and "Management Tools - Complete"
  • Instance Configuration - select "Named instance" and enter "VAMGTDB"
  • Database Engine Configuration - select "Mixed Mode" authentication, specify an sa password, and add Domain Admins to the SQL Server administrator list.

The Windows Azure Pack wants to use a SQL login when we configure it, hence the Mixed Mode authentication. In addition, we're going to isolate the databases for each service into separate instances for the time being to ensure there are no conflicts with multiple services sharing the same instance. There's nothing explicitly stated in the Azure Pack documentation that requires or recommends this, but we're playing safe while we install it the first time around.

Management Portal

Create another new VM, join it to the domain and install the Windows Azure Pack for Windows Server Express edition. This will be the starting point for the administration components. We'll split this out into separate VMs for "internal" and "customer facing" features later so that we can better secure critical features such as the Admin API and Tenant API.

Rename-Computer "VAMGT01"
Restart-Computer


New-NetIPAddress -IPAddress 192.168.100.172 -InterfaceAlias "Ethernet" -DefaultGateway 192.168.100.254 -AddressFamily IPv4 -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses @("192.168.100.170", "192.160.100.80")
 
$username = "VA\Administrator"
$password = "myPassword"
$passwordSecure = ConvertTo-SecureString $password -AsPlainText -Force
$credential = new-object System.Management.Automation.PSCredential($username, $passwordSecure)


Add-Computer -DomainName "va.local" -Credential $credential
Restart-Computer
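
The domain-join scripts for VASQL01 and VAMGT01, and the DSRM password in the domain controller script, keep the password as a string literal, so it is stored with every saved copy of the script. The block below is an added example, not part of the original scripts: it prompts for the credential instead and checks DNS before joining. The helper name Join-LabDomain is hypothetical; the domain, addresses and account are the ones used above.

```powershell
# Added example: join VASQL01 / VAMGT01 to va.local without a password literal in the script.
# Join-LabDomain is a hypothetical helper name; domain, DNS address and account come from the post.
function Join-LabDomain {
    param(
        [string]$DomainName  = "va.local",
        [string]$DnsServer   = "192.168.100.170",   # VADOM01
        [string]$JoinAccount = "VA\Administrator"
    )

    # Fail early if the domain controller SRV record cannot be resolved:
    # Add-Computer locates the domain through DNS, so a wrong DNS server stops the join.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
               -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq "SRV" }
    if (-not $srv) { throw "No domain controller SRV record for $DomainName on $DnsServer" }
    Write-Host ("Domain controller found: " + ($srv | Select-Object -First 1).NameTarget)

    # Get-Credential prompts for the password and holds it as a SecureString,
    # so it is never written into the script text.
    $credential = Get-Credential -UserName $JoinAccount -Message "Account used to join $DomainName"

    Add-Computer -DomainName $DomainName -Credential $credential -ErrorAction Stop
    Restart-Computer
}

Join-LabDomain

# On VADOM01 the DSRM password can be prompted for in the same way and passed to
# Install-ADDSForest through -SafeModeAdministratorPassword:
# $adminPasswordSecure = Read-Host -AsSecureString -Prompt "DSRM password"
```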

Next, use the instructions from last time to install the Windows Azure Pack "Express" edition on the management machine. When it comes to configuring the SQL Instance to use for management data, enter the name of the VM we built in the previous step, and enter a fully qualified domain name for the server.
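
Before entering the SQL details it helps to confirm that the static port, the firewall rule and the SQL login all work from the management machine. The block below is an added example, not part of the original post: the first part runs on VASQL01 and narrows the firewall rule created earlier to the management server's address, the second part runs on VAMGT01. Test-TcpPort and Test-SqlLogin are hypothetical helper names; the server, instance, port and addresses are the ones used in this post.

```powershell
# Added example. Server, instance, port and addresses are the ones used in this post;
# Test-TcpPort and Test-SqlLogin are hypothetical helper names.

# --- On VASQL01, after SQL Server is installed ---
$key = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.VAMGTDB\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
Get-ItemProperty -Path $key | Select-Object TcpPort, TcpDynamicPorts   # expect 1434 and an empty value

# Accept connections on the rule from the post only from the management server (VAMGT01)
Set-NetFirewallRule -DisplayName "VASQL01\VAMGTDB Database Engine" -RemoteAddress 192.168.100.172

# --- On VAMGT01, before running the Azure Pack configuration ---
Add-Type -AssemblyName System.Data

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-SqlLogin {
    param([string]$Server, [System.Management.Automation.PSCredential]$Credential)
    # SqlCredential needs a read-only SecureString; work on a copy of the prompted password
    $password = $Credential.Password.Copy()
    $password.MakeReadOnly()
    $sqlCredential = New-Object System.Data.SqlClient.SqlCredential($Credential.GetNetworkCredential().UserName, $password)
    $connection = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$Server;Database=master;Connect Timeout=5", $sqlCredential)
    try { $connection.Open(); return $true }
    catch { Write-Warning $_.Exception.Message; return $false }
    finally { $connection.Dispose() }
}

$server = "VASQL01.va.local"
if (Test-TcpPort -ComputerName $server -Port 1434) {
    $login = Get-Credential -UserName "sa" -Message "SQL login for the VAMGTDB instance"
    Test-SqlLogin -Server "$server,1434" -Credential $login
}
else {
    Write-Warning "TCP 1434 on $server is not reachable: check the firewall rule and the TcpPort value."
}
```

The check connects with the host,port form, so it does not depend on the SQL Server Browser service (UDP 1434), which the firewall rule above does not open. When the management components are split across more VMs later, their addresses need adding to the rule's -RemoteAddress list.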

Note that if you try to access the Service Management Portal immediately afterwards you'll get this rather stark error message, which is because the account you installed with needs to be in an additional local security group called "MgmtSvc Operators":


Access Denied - The user does not have permissions to access the Service Management API
The fix is pretty simple - just log off and back on again to get the new security group added to your account. In a production environment you'd want membership of this group to be managed via Active Directory, but we'll come back to that another day.
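
One way to manage that membership through Active Directory, and to see why the log off is needed, is shown below. This is an added example, not part of the original post: "WAP-Operators" and Test-InLocalGroup are hypothetical names, and "MgmtSvc Operators" is the local group named above.

```powershell
# Added example. "WAP-Operators" is a hypothetical domain group name;
# "MgmtSvc Operators" is the local group named in this post.

# --- On VADOM01 (or any machine with the ActiveDirectory module) ---
Import-Module ActiveDirectory
New-ADGroup -Name "WAP-Operators" -GroupScope Global -GroupCategory Security `
    -Description "Members may use the Windows Azure Pack admin site"
Add-ADGroupMember -Identity "WAP-Operators" -Members "Administrator"

# --- On VAMGT01, from an elevated prompt ---
# Nest the domain group in the local group so access is granted and revoked in AD
net localgroup "MgmtSvc Operators" "VA\WAP-Operators" /add
net localgroup "MgmtSvc Operators"      # list the members to confirm

# Group membership is copied into the access token at logon, so a session that
# started before the change still lacks the group until the user logs off and on.
function Test-InLocalGroup {
    param([string]$GroupName)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole("$env:COMPUTERNAME\$GroupName")
}

if (-not (Test-InLocalGroup -GroupName "MgmtSvc Operators")) {
    Write-Warning "This session's token does not contain 'MgmtSvc Operators'; log off and back on."
}
```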

After logging off and back on again you should be able to get to the home page for the Service Management Admin Site (MgmtSvc-AdminSite in IIS).


Service Management Portal home page

Summary

We've started to build up a full infrastructure to host the Windows Azure Pack for Windows Server on, including an Active Directory domain, a dedicated SQL Server and a management server which is running all of the management sites and APIs, as per below:


We still don't have any resources to connect to the Service Management Portal, but that's coming next, and we'll eventually need to separate out the individual sites onto separate boxes in order to satisfy security best practice.

The next step will be to install and configure a Web Site Cloud and connect it up to the Service Management Portal.

3 comments:

  1. Thank you for posting the easy instructions

  2. Hi,

    Thanks for the detailed steps. This is helping me a lot in Windows Azure Pack (WAP) installation.

    To set up a WAP environment completely, should I complete all the SPF 1-7 steps that this blog contains?
    "configure a Web Site Cloud and connect it up to the Service Management Portal." - By this do you mean we need to install SPF part 1-7?

    I am new to this and I could not find a proper installation guide for WAP.
    Can you help me with this?
    I tried to follow the http://technet.microsoft.com/en-us/library/dn296439.aspx guide as well, but after some steps it involves system centre and does not mention installation of system centre as a prerequisite before.
    This blog has been really helpful so far!
    Can anyone help me out with this?

  3. Hi,

    At the stage of configuring SQL server parameters (http://virtualaffinity.blogspot.in/2013/07/installing-windows-azure-pack-for_5038.html - Database server set up page), I am facing an error saying something like 'sql instance is not reachable or error in username or password'.

    I have enabled remote access in the SQL Server instance, TCP/IP properties and named pipes are enabled, and the firewall is configured to allow connections.

    What should be the SERVER NAME, DATABASE SERVER ADMIN USERNAME and PASSWORD? I am using the following (I have set up the domain controller and SQL Server VM as per this blog):

    SERVER NAME: VASQL01\VAMGTDB
    DATABASE SERVER ADMIN USERNAME: Administrator (tried VASQL01\Administrator as well)

    Should the domain va.local be included somewhere? Can you help me with this?
