Intro

As you may have guessed from the title, this post contains information I've pulled together from multiple resources and also custom configurations I've built myself in order to design and build an autonomous development environment/service to our user base. To the user the solution probably looks somewhat like a Cloud or SaaS solution, since it appears as a website and they never see the underlying infrastructure which supports it.

In order to make this work, multiple different pieces of software and infrastructure are linked together, including:

• System Center Configuration Manager.
• System Center Operations Manager.
• System Center Virtual Machine Manager.
• Hyper-V
• WSUS
• DHCP
• Active Directory
• DNS
• PKI
• Physical Switches and Firewalls.

Detailing the full setup and configuration of each piece of technology is not the aim of this post, and where relevant I've supplied links to supporting documents for those purposes. This post has simply been created to detail key parts I think are important to achieve the end goal of creating an environment where a developer can browse to a web site (VMM Self-Service Portal), deploy a Virtual Machine (with little effort), log in and easily install software via pre-configured scripts or using software advertisements (SCCM).

SCCM Build

Some of the things I noted during the SCCM build:

• How to Configure Windows Server 2008 for Site Systems - technet.microsoft.com/en-us/library/cc431377.aspx
  • When following this you only need to do the IIS steps, make sure you check WebDav Publishing
  • Under the install and configure WebDAV for IIS 7.0 to support management point and BITS-enabled start at step 3.
• When I upgraded the AD schema, using the LDIF method didn't work correctly (althought stating it did) I recommend following the procedure here using the ExtADSch method - Upgrade the AD schema - How to Extend the Active Directory Schema Using ExtADSch.exe - http://technet.microsoft.com/en-us/library/bb680608.aspx

Active Directory Configuration

To allow greater control I've changed the default location for computers joined to the AD domain to a custom OU using the redircmp command:

redircmp ou=build,DC=dev,DC=domain,DC=local

By doing this we can assign GPO's straight away to machines joined to the domain. This is important as it allows us to deploy the SCCM Agent while SCVMM deploys the VM via a request generated from the Self-Service Portal.

GPO Configuration

In order to make the environment as autonomous as possible, I've implemented certain Group Policy Objects.

• At current, the domain profile of the Windows firewall is set to off. In order for the GPO settings of the windows firewall to be applied to the client I found I also had to configure the other profiles as well. Only then would a computer apply the firewall GPO settings.
• Enable file and print sharing.
• Restricted Groups. Using restricted groups, I added the SCVMMSelfServiceUsers and the SCVMM Agent accounts into the Local Administrators group.
• In order to push the SCCM Agent out automatically I've opted to use a GPO Software Installation method.

Collection Group Design and Configuration

To Handle the initial build of the servers, there are a few key installations which need to occur automatically:

1. The SCCM agent must be installed, which is handled by the GPO.
2. The SCOM agent must be installed and configured.
3. The DPM agent must be installed and configured.

With these in mind and the fact that we must limit the installations specifically to servers, the collection group has been built as shown in this figure:

• DEV Build Systems uses a simple query to identify clients in the Build OU (detailed here: www.networkfoo.org/server-infrastructure/microsoft/sccm/query-detect-clients-specific-domain-ou)
• Dev Servers uses another relatively simple query to identify clients that are running a Server OS, note the query is limited to clients currently in the DEV Build Systems collection (detailed here: http://www.networkfoo.org/server-infrastructure/microsoft/sccm/query-detect-clients-running-server-os)
• Deploy DPM and Deploy SCOM both use a combination of queries to determine if systems from the DEV Servers collection require the installations or not (detailed here: http://www.networkfoo.org/server-infrastructure/microsoft/sccm/query-detect-if-software-installed)

Post Install

Post installation configuration tasks that I set specifically with this environment in mind (In addition to the GPO Configuration and the Collection Group Design and Configuration above):

• Set the discovery methods I'm using to poll more often.
• Set the collection group properties to increase the frequency that members will poll for policy changes.
• Manually added "Everyone" with read permissions to the Systems Management OU in AD. Without this clients received the automatic site code discovery was unsuccessful error message, which I've detailed here - www.networkfoo.org/server-infrastructure/sccm-2007-r2-automatic-site-code-discovery-was-unsuccessful

WSUS Config

WSUS Config is pretty simple, following your standard deployment. One thing I did want to note during intial testing is the command required to force a client to poll the WSUS server for updates:

wuauclt.exe /detectnow

The log file for verification is in C:\Windows\WindowsUpdate.log

Tools and Additional Items:

The following are a list of tools and other information to help you install, configure and troubleshoot the SCCM installation:

• System Center Configuration Manager 2007 Toolkit - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=948e477e-fd3b-4a09-9015-141683c7ad5f
• Log Files for Managing Configuration Manager Clients - http://technet.microsoft.com/en-us/library/bb693897.aspx
• Ports Used During Configuration Manager Client Deployment - http://technet.microsoft.com/en-us/library/ff189805.aspx
• Servicing Offline VMs with SCVMM and SCCM - http://blogs.technet.com/umeno/archive/2008/03/25/servicing-offline-vms-with-scvmm-and-sccm.aspx
• Microsoft Office Visio 2007 Professional - System Center Operations Manager & System Center Configuration Manager Add-In - http://www.microsoft.com/downloads/details.aspx?FamilyID=33A8EFDE-D72F-4BBB-A353-A1F2833FD2D5&displaylang=en&displaylang=en
• SCCM Client Center (I highly recommend this one) - http://sourceforge.net/projects/smsclictr/

SCOM AD Integration

By integrating SCVMM and SCOM we get some nice reporting relating to the performance of our virtual machines and Hyper-V hosts. Knowing that SCOM relies on an agent (this includes an agent within each virtual machine) to collect and report on those values tells us we need a way to automatically installed (SCCM) and configure the agents every time a virtual machine is deployed. To achieve this we integrate SCOM with Active Directory. By doing so allowing the agents to configure themselves automatically.

• How to Create an Active Directory Domain Services Container for an Operations Manager 2007 Management Group - http://technet.microsoft.com/en-us/library/bb309685.aspx
• How to Deploy the Operations Manager 2007 Agent Using MOMAgent.msi from the Command Line - technet.microsoft.com/en-us/library/bb309553.aspx
• Using Active Directory Domain Services to Assign Computers to Operations Manager 2007 Management Groups - technet.microsoft.com/en-us/library/bb309470.aspx
• How to Use Active Directory Domain Services to Assign Computers to Operations Manager 2007 Management Servers - http://technet.microsoft.com/en-us/library/bb381226.aspx

Essentially all you need to do to configure the AD side of things is run the following command:

MoMADAdmin.exe MGMTGROUP DOMAIN\SCOM_Admins DOMAIN\SCOMSERVER dev.domain.local

As mentioned at the start of this section we get some useful reports by integrating SCCM and SCVMM, here is an example of the utilization report:

SCVMM Self Service Portal

The SCVMM Build for the environment is a single server utilising local storage. Steps to configure:

1. Install VMM - http://technet.microsoft.com/en-us/library/bb740750.aspx
2. Install the VMM Self-Service Portal - http://technet.microsoft.com/en-us/library/bb740747.aspx
3. Configure the Self-Service Portal - http://technet.microsoft.com/en-us/library/bb894362.aspx
4. Configure Integration with Operations Manager - http://technet.microsoft.com/en-us/library/ee236428.aspx
5. Build Virtual Machine Templates.

Configure the Self-Service Portal

1. Create an AD Security Group SCVMMSelfServiceUsers.
2. In the VMM MMC create a new Profile with the Self-Service User role and then add the security group as a member. Limit the scope to your development Hyper-V group.
3. Create a Host A DNS entry on your DNS infrastructure with a friendly name and point it at the VMM Server.
4. Modify your development Hyper-V Server hosts:
   1. In order for Self-Service to correctly identify the development virtual network, the templates need a way to identify this across all your hosts in the group.
   2. In the VMM MMC, click Hosts.
   3. Right Click the Development Hyper-V server, Click Properties.
   4. Click the Networking Tab.
   5. Locate your development virtual network and click it.
   6. On the right hand pane, enter a Network Tag. For example DevLan.
   7. Click OK.

Build Virtual Machine Templates

To suffice the needs of our developers I've created a universal template virtual machine, consisting of the following:

• Windows Server 2008 R2 Standard, fully patched.
• The following Windows Features Pre-Installed:
  • Remote Server Administration Tools (AD DS & DNS). This is so the users are able to connect to AD and create service and test accounts where required via the delegated OU. And also to create new DNS entries where required via delegated DNS zone.
  • Telnet Client. Comes in handy for troubleshooting.
  • Windows Server Backup Features. This is required by Data Protection Manager.
  • .NET Framework 3.5.1 Features.
• To make it easier for users to see key server information, and easy for them to pass it on to the support team if support is required. The template has BgInfo installed. http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx.
  • Download the files and put the executable in C:\Program Files\Bginfo\
  • In order to start BgInfo on startup you must create a bat file in: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. To see this folder you must change the folder options settings from control panel to show hidden files, folders and drive.
  • Create a bat file with something similar to the following in it: "C:\Program Files\Bginfo\bginfo.exe" "C:\Program Files\Bginfo\bgconfig.bgi" /timer 0 /silent
• The template also has a shortcut to a folder on the C drive added to the start menu. Inside the folder is shortcuts to network shares for software installations the developers will need. Including batch scripts for unattended SQL server 2005 and 2008 installs built specifically for the template.

When creating series of templates EG a (1)Base, (2)ProdBuild, (3)ProdUpdated etc etc. The sysprep portion of the Template creation process has a max rearm limit of 3, so you would not be able to update the ProdBuild again using the existing (3), you would have to start from scratch. SCVMM will give you the following error during the Template creation process if this occurs:

Error (706) Sysprep failed for virtual machine XXX.

During the template creation in VMM, ensure you set the network adapter on the hardware profile to use the Network Tag setup earlier:

Bginfo:

(Update:1)SelfService Menu:

I've modified the way the SelfService Menu was setup so instead of the menu item opening a folder on the local file system in now opens the shortcuts directly from the start menu. Due to the change the SQL unattended install scripts failed to run correctly. To get around this problem, I now utilise two batch scripts.

Batch script 1, creates a temp folder and copies the SQL install script to the server from the network share. Batch script 2 is then called via batch script 1 which contains the SQL unattended installation instructions.

Outstanding Issues

There is an intermittent issue with the "Remote Desktop" option from the self service portal:

Cannot connect to this virtual machine because Virtual Guest Services is not available.Ensure that Virtual Guest Services is installed on the virtual machine. If the services have not been installed, attach the file VMGuest.iso (added to the VMM library during VMM Setup) to a virtual CD/DVD drive on the virtual machine. The installation of Virtual Guest Services will begin when you start the virtual machine. If Virtual Guest Services is already installed, ensure that the component has not been disabled.

It Seems to resolve its self at different points, so I'm still looking into it.

Hyper-V Configuration

The Hyper-V configuration for this environment is rather simple consisting of the following elements:

• A Windows Server 2008 R2 DHCP Server (virtual). Which is connected to the management network and the development network.
• Hyper-V Networks for management and development.
• The Hyper-V hosts have multiple connections to the physical network, with traffic being segregated by VLAN's and Firewalls.