November 2007 - Posts

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Virtual Machine in Saved State Fails to Restart After a Change in Hardware-Assisted Virtualization State

If you enable hardware-assisted virtualization in your computer BIOS and try to start a virtual machine that was previously in a saved state, the virtual machine will not start up.

When hardware-assisted virtualization is enabled, Virtual Server internal data structures differ. Therefore, saved state files that are created when hardware-assisted virtualization is disabled cannot be used to restore a virtual machine after hardware-assisted virtualization is enabled.

Resolution

In this case, the only solution is to ensure that you shut down all virtual machines prior to switching the hardware-assisted virtualization setting in your computer BIOS.

Virtual Machine in Saved State Fails During Start Up on a Different Virtual Server Host

If you move a virtual machine that is in a saved state to another Virtual Server host, your virtual machine might fail at startup. Saved state files are not compatible when moving between different processor brands (Intel, AMD) or processor steppings (Intel Northwood, Intel Prescott).

Resolution

If you need to move a virtual machine to a Virtual Server host whose processor comes from a different manufacturer or has a different stepping than the processor in the originating Virtual Server host, you must completely shut down the virtual machine prior to moving the files.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Duplicate MAC Addresses

Errors are generated when you configure and start two virtual machines with identical static media access control (MAC) addresses on the same Virtual Server host and virtual network.

If you use a single staging server to build a large number of virtual machines and change the MAC address configuration to static from dynamic for tracking purposes, the dynamic MAC address allocation system could generate a duplicate MAC address. If the Virtual Server host contains only a single physical network adapter, Virtual Server 2005 R2 assigns MAC addresses to virtual network adapters in the 00-03-FF-xx-xx-xx range, where the last two octets match the last two octets of the physical network adapter MAC address. For example, if the MAC address of the physical network card on your staging server is 00-16-31-53-32-68, Virtual Server will assign virtual network adapters a MAC address in the range 00-03-FF-xx-32-68.

If there are multiple network adapters in the physical server, the first 256 MAC addresses are allocated using the primary network adapter octet values, the next 256 MAC addresses are allocated from the second network adapter octet values, and this process continues until Virtual Server 2005 R2 has iterated through all the physical network adapters. If all network adapter octet values are exhausted, Virtual Server re-uses the first network adapter octet values.

Resolution

In general, there is no guarantee that dynamic MAC address allocation will be unique, even across multiple Virtual Server hosts. If you use a single staging server to generate virtual machines configured with static MAC addresses, you must institute a process to ensure that duplicate MAC addresses are identified and reconfigured prior to deployment. If you copy a virtual machine with a static MAC address to another computer that already has a virtual machine with an identical static MAC address, you must either manually or programmatically change the static MAC address of one of the virtual machines, or configure one or more of the virtual machines to use a dynamic MAC address. Virtual Server allocates a new dynamic MAC address in the following circumstances:

· A virtual machine is created.

· A virtual machine MAC address conflict is detected.

· A virtual machine is registered on a Virtual Server host.

Follow these steps to modify the virtual machine configuration to use a dynamic MAC address:

  • Open the Virtual Server Administration Website.
  • In Virtual Machines, click Configure and select the virtual machine from the list.
  • In the virtual machine Configuration pane, click Network Adapters.
  • In Ethernet (MAC) Address, select Dynamic.
  • Click OK.

More Info: For additional information regarding the Virtual Server dynamic MAC address allocation algorithm, refer to http://support.microsoft.com/default.aspx/kb/888030.
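
The allocation rules and the pre-deployment duplicate check described above, modelled as an added Python example (not code from the Resource Kit or from Virtual Server). The second and third adapter addresses and the inventory records are constructed, and the ascending order of the xx octet inside each block of 256 is an assumption; the text only gives the block size and the adapter order.

```python
import re
from collections import defaultdict

VS_PREFIX = "0003FF"  # the 00-03-FF-xx-xx-xx range Virtual Server assigns from


def normalize_mac(mac):
    """Return 12 uppercase hex digits; accepts '-', ':' or '.' separators."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def fmt(digits):
    """Format 12 hex digits as AA-BB-CC-DD-EE-FF."""
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def dynamic_pool(physical_nics):
    """Candidate dynamic addresses for one host: a block of 256 per physical
    adapter, in adapter order, each ending in that adapter's last two octets.
    (Order of xx inside a block is assumed ascending.)"""
    pool = []
    for nic in physical_nics:
        suffix = normalize_mac(nic)[8:]
        pool.extend(fmt(f"{VS_PREFIX}{xx:02X}{suffix}") for xx in range(256))
    return pool


def pool_overlap(nics_a, nics_b):
    """Addresses that two hosts can both hand out dynamically."""
    return set(dynamic_pool(nics_a)) & set(dynamic_pool(nics_b))


def find_duplicates(inventory):
    """inventory: iterable of (vm_name, host, mac).
    Returns {mac: [(vm_name, host), ...]} for every MAC used more than once."""
    seen = defaultdict(list)
    for vm, host, mac in inventory:
        seen[fmt(normalize_mac(mac))].append((vm, host))
    return {mac: users for mac, users in seen.items() if len(users) > 1}


# Physical adapter from the text, plus two constructed adapters.
STAGING_NIC = "00-16-31-53-32-68"
SAME_SUFFIX_NIC = "00:1a:4b:9c:32:68"   # constructed: different vendor, same last two octets
OTHER_NIC = "00-1A-4B-9C-10-20"         # constructed

# Constructed inventory of static MACs collected before deployment,
# deliberately written in mixed notations.
INVENTORY = [
    ("web01", "hostA", "00-03-FF-1A-32-68"),
    ("web07", "hostB", "00:03:ff:1a:32:68"),
    ("sql01", "hostA", "0003.FF1B.3268"),
    ("dc01", "hostB", "00-03-FF-2C-10-20"),
]

if __name__ == "__main__":
    shared = pool_overlap([STAGING_NIC], [SAME_SUFFIX_NIC])
    print(f"hosts with matching adapter suffix share {len(shared)} candidate addresses")
    print(f"hosts with different suffix share {len(pool_overlap([STAGING_NIC], [OTHER_NIC]))}")
    for mac, users in find_duplicates(INVENTORY).items():
        print(f"DUPLICATE {mac}: " + ", ".join(f"{vm}@{host}" for vm, host in users))
```

Two hosts whose physical adapters end in the same two octets draw from the same 256 addresses, which is why the inventory check has to span every host and not only the staging server.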

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Stop 0x7B Error Booting from a Virtual SCSI Disk

If you reconfigure a virtual machine VHD that contains a bootable guest operating system from a virtual IDE controller to a virtual SCSI controller, you will experience a blue screen when trying to start the guest operating system. If you only change the virtual machine configuration by switching the VHD from IDE-attached to SCSI-attached, the guest operating system cannot find a valid SCSI controller driver during boot. This results in a STOP: 0x0000007B error message, followed by a virtual machine restart.

Resolution

Before you can switch a bootable VHD from virtual IDE to virtual SCSI, you have to first load the SCSI controller drivers in the guest operating system. Once the guest operating system is properly configured, you can shut down the virtual machine and reconfigure the VHD to attach to a virtual SCSI controller. The following procedure assumes the Virtual Machine Additions are installed in a Windows Server 2003 guest operating system prior to performing the installation of the SCSI controller drivers:

  • Open the Virtual Server Administration Website.
  • In the Master Status pane, click the icon to connect to the target virtual machine.
  • Once you are logged in, shut down the guest operating system and return to the Virtual Server Administration Website.
  • Under Virtual Machines, click Configure and select the new target virtual machine.
  • In the Virtual Machine Configuration pane, click SCSI adapters.
  • Click Add SCSI Adapter (ID 7), and then click OK.
  • Do not change the configuration of the bootable VHD; leave it as a virtual IDE disk.
  • In the virtual machine Status pane, point to the virtual machine name and select Turn On.
  • Click the icon to connect to the virtual machine and log in to the guest operating system.
  • The “Found new hardware: Adaptec AIC-7870 PCI SCSI Adapter” message will display. Windows Server 2003 comes packaged with a driver for the emulated Adaptec 7870 SCSI controller, so you will need a CD or ISO to load the aic78xx.sys driver file.
  • When the driver is installed, the virtual machine is configured to boot from SCSI, but the driver is a slow SCSI driver.
  • To load an accelerated SCSI controller driver, open Device Manager in the guest operating system.
  • Expand the SCSI and RAID controllers section.
  • Right-click the SCSI Controller and choose Update Driver.
  • On the Welcome To The Hardware Update Wizard page, click No, Not This Time and then click Next.
  • On the next page, select Install From A List Or Specific Location (Advanced) and then click Next.
  • Select Don’t Search, I Will Choose The Driver To Install, and then click Next.
  • Click Have Disk.
  • Browse to C:\Program Files\Virtual Machine Additions, click Open, and then click OK.
  • Under Model, highlight the Microsoft Virtual Machine PCI SCSI Controller driver and then click Next to install the optimized SCSI controller driver.
  • On the Completing The Hardware Update Wizard page, click Finish.
  • Shut down the guest operating system.
  • Back in the virtual machine configuration pane, click Hard Disks.
  • In the Attachment drop-down list, select SCSI 0 ID 0 and then click OK.
  • Turn on the virtual machine.

Note: A virtual machine can boot only from a VHD attached to the first virtual SCSI adapter. This adapter is identified as SCSI 0.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Stop Error on x64 Windows Operating System with AMD-V

If you are installing Virtual Server 2005 R2 SP1 on a computer with AMD-V (AMD’s hardware-assisted virtualization) that runs an x64 version of Windows Server 2003 or Windows XP as the host operating system, you will experience a stop error and restart of the host operating system. This occurs because the x64 versions of these Windows operating systems protect a critical system register that Virtual Server 2005 R2 SP1 attempts to modify during installation to enable hardware-assisted virtualization support.

Resolution

This issue is resolved by installing a hotfix prior to beginning the setup procedure for Virtual Server 2005 R2 SP1. A link to download the hotfix can be found at http://support.microsoft.com/kb/924131.

Common Administration Website Issues

One of the problems often encountered after installation of Virtual Server 2005 R2 is denied access to the Administration Website. Most common issues are easily resolved by modifying Internet Explorer options or security settings.

Blank Screen Display

One of the common issues encountered when you launch the Administration Website using the fully qualified domain name (FQDN) of the Virtual Server host (for example, http://hostname.domain.com:1024) and enter your credentials at the prompt is that only a blank screen is displayed. The FQDN is the format used in the Virtual Server Administration Website Uniform Resource Locator (URL) shortcut created under Microsoft Virtual Server in the All Programs menu. When the FQDN of the Virtual Server host name is used, Internet Explorer interprets the destination as being outside of the local intranet and does not load the page.

Resolution

This problem can be easily resolved by adding the Virtual Server Administration Website URL to the Trusted Sites zone in the Internet Explorer configuration settings. Follow these steps to modify the Internet Explorer settings:

  • Open Internet Explorer and on the Tools menu, click Internet Options.
  • Click the Security tab, and then click the Sites button.
  • In the Add This Website To The Zone text box, type (or cut and paste) the Virtual Server Administration Website URL and then click Add.
  • If it is selected, deselect the Require Server Verification (https:) For All Sites In This Zone check box.
  • Click Close, and then click OK.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Service Principal Name Registration Failures

A service principal name (SPN) allows Kerberos authentication to be used for services running on servers distributed across an Active Directory domain. An SPN is stored in a multivalued attribute, called servicePrincipalName, of an Active Directory computer account. At minimum, the information encapsulated in a registered SPN is the service name and the NetBIOS name, fully qualified domain name, or alias assigned to the computer that hosts the service. An SPN can also explicitly define the port number for the service and the account name under which the service runs, if it is different from the Local System or Network Service accounts. A separate SPN must be set for each host name by which the computer can be referenced. For a client machine to identify, mutually authenticate, and connect to a service, the service must have properly registered SPNs in Active Directory.

During Virtual Server 2005 R2 installation on a host that is a member of an Active Directory domain, the following SPN registrations are attempted:

· vmrc/hostname:VMRC Port

· vmrc/fully qualified hostname:VMRC Port

· vssrvc/hostname

· vssrvc/fully qualified hostname

If a Virtual Server host is unable to successfully register its SPNs in Active Directory, you will experience connection failures to the VMRC server and Administration Website on that host. When the Administration Website application attempts to connect to the Virtual Server service on another physical host, user credentials must be passed from the Administration Website to the remote Virtual Server service. This depends on the proper configuration and function of constrained delegation. Constrained delegation is the mechanism that enables an Active Directory computer or service account to perform Kerberos delegation to a well-defined and limited set of services. Because constrained delegation depends on access to properly registered SPNs in Active Directory, authentication to the remote Virtual Server service will fail if the SPNs are not registered. In addition, you might also encounter denied access to virtual machine resource files stored on a separate file server, since this access also depends on constrained delegation.

Resolution

If Virtual Server SPNs are not successfully registered in Active Directory, you can manually register the missing SPNs with Setspn.exe, a free utility available from Microsoft. Using Setspn.exe, you can manually add, delete, or view SPNs stored in Active Directory.

Basic Setspn.exe Commands for Virtual Server Services

View registered SPNs

  • setspn -L hostname

Add Virtual Server SPNs

  • setspn -A vmrc/hostname:5900 hostname
  • setspn -A vmrc/hostname.domain.com:5900 hostname
  • setspn -A vssrvc/hostname hostname
  • setspn -A vssrvc/hostname.domain.com hostname

Note: The final argument is the computer account on which the SPN is registered. If you have changed the default VMRC Server port, replace 5900 with the new port number.

Delete Virtual Server SPNs

  • setspn -D vmrc/hostname:5900 hostname
  • setspn -D vmrc/hostname.domain.com:5900 hostname
  • setspn -D vssrvc/hostname hostname
  • setspn -D vssrvc/hostname.domain.com hostname

Note: If you have changed the default VMRC Server port, replace 5900 with the new port number.

Note: The Setspn command-line tool is included in the Microsoft Windows Server 2003 Support Tools that can be found on the product CD or downloaded from http://www.microsoft.com/downloads. For more information on installing Windows Support Tools, see “Install Windows Support Tools” at http://go.microsoft.com/fwlink/?LinkId=62270.
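
An added example (not part of the Resource Kit text) that audits the output of setspn -L against the four SPNs Virtual Server tries to register and builds the setspn -A commands for the ones that are missing. The host name vshost01.example.com, the sample listing and the function names are constructed for illustration.

```python
def expected_spns(hostname, fqdn, vmrc_port=5900):
    """The four registrations Virtual Server attempts during installation."""
    return [
        f"vmrc/{hostname}:{vmrc_port}",
        f"vmrc/{fqdn}:{vmrc_port}",
        f"vssrvc/{hostname}",
        f"vssrvc/{fqdn}",
    ]


def parse_setspn_listing(text):
    """Extract SPN strings from `setspn -L <account>` output.
    The header line and any error text are skipped; SPNs contain a '/'."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        if "/" in line:
            spns.append(line)
    return spns


def audit(listing, hostname, fqdn, vmrc_port=5900):
    """Return (missing, wrong_port).
    missing    : expected SPNs absent from the listing (compared case-insensitively)
    wrong_port : vmrc SPNs registered with a port other than vmrc_port, which
                 points at a changed VMRC Server port or a stale registration"""
    registered = {s.lower() for s in parse_setspn_listing(listing)}
    missing = [s for s in expected_spns(hostname, fqdn, vmrc_port)
               if s.lower() not in registered]
    wrong_port = sorted(s for s in registered
                        if s.startswith("vmrc/") and not s.endswith(f":{vmrc_port}"))
    return missing, wrong_port


def repair_commands(missing, account):
    """setspn -A takes the SPN followed by the account that should hold it."""
    return [f"setspn -A {spn} {account}" for spn in missing]


# Constructed sample of what `setspn -L vshost01` prints for a host on which
# only two of the four Virtual Server SPNs were registered.
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=VSHOST01,OU=Servers,DC=example,DC=com:
    HOST/VSHOST01
    HOST/vshost01.example.com
    vmrc/VSHOST01:5900
    vssrvc/vshost01.example.com
"""

if __name__ == "__main__":
    missing, wrong_port = audit(SAMPLE_LISTING, "vshost01", "vshost01.example.com")
    for spn in wrong_port:
        print("unexpected VMRC port:", spn)
    for cmd in repair_commands(missing, "vshost01"):
        print(cmd)
```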

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Problems Connecting a Virtual Network to a Physical Network Adapter

After completing an installation of Virtual Server 2005 R2, you might find that your physical network adapter is not available within Virtual Server to connect to a virtual network. If the Virtual Machine Network Services driver is not installed or bound to the network adapter on the physical host, it will not appear as an available network adapter within Virtual Server.

Resolution

To resolve this issue, you must install the Virtual Machine Network Services driver, if it is missing, and bind it to the physical network adapter. Follow these steps if you are running either Windows XP or Windows Server 2003:

  • Click Start, and then click Control Panel.
  • With Control Panel configured in classic view, click Network Connections.
  • Right-click the target network adapter, and then select Properties.
  • If Virtual Machine Network Services appears in the items list but is not selected, choose the associated check box to bind the driver to the network adapter and then click OK.
  • If Virtual Machine Network Services does not appear in the items list, click Install.
  • In Select Network Component Type, click Service and then click Add.
  • In Select Network Service, click Virtual Machine Network Services and then click OK.
  • Ensure that Virtual Machine Network Services is selected, and then click Close.

Follow these steps to install and bind the Virtual Machine Network Services driver to a network adapter in Windows Vista:

  • Click Start, and then click Control Panel.
  • Double-click Network And Sharing Center.
  • In the Task menu, click Manage Network Connections.
  • Right-click the target network adapter, and select Properties. If UAC is enabled, click Continue when the dialog box appears.
  • If Virtual Machine Network Services appears in the items list but is not selected, choose the associated check box to bind the driver to the network adapter and then click OK.
  • If Virtual Machine Network Services does not appear in the items list, click Install.
  • In Select Network Component Type, click Service and then click Add.
  • In Select Network Service, click Virtual Machine Network Services and then click OK.
  • Ensure that Virtual Machine Network Services is selected, and then click Close.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Always Prompted for Credentials

Another common problem is that you are prompted to enter your credentials every time you access the Administration Website using the FQDN of the Virtual Server host, even after it has been added as a trusted site. This is another issue that is related to the baseline configuration of Internet Explorer. By default, user credentials are automatically submitted for authentication only to sites that are interpreted to be in the Intranet zone. For all other zones, including Trusted Sites, the user authentication dialog box is displayed and credentials must be entered manually.

Resolution

To resolve this problem on Windows Server 2003, you can modify the Internet Explorer configuration to automatically submit user credentials for authentication regardless of the zone. Follow these steps to change the Internet Explorer user authentication settings:

  • Open Internet Explorer and on the Tools menu, click Internet Options.
  • Click the Security tab, and then click the Custom Level button.
  • Scroll down to the User Authentication section, and click the Automatic Logon With Current User Name And Password option button.
  • Click OK twice.

The drawback of this method is that you might encounter authentication failures if you have configured other trusted sites for which you need to present a separate set of user credentials. Alternatively, if you are accessing a local instance of the Administration Website (running on the computer that you are logged in on), you can use a non-FQDN for the Virtual Server host in the URL (for example, http://localhost:1024).

When you are running Windows Vista, you have the added complexity of having to run the Administration Website in Internet Explorer as administrator when User Account Control (UAC) is enabled. If you are running in an isolated test environment, you can avoid this additional step by disabling UAC. Otherwise, follow these steps to grant your user account full administrative privilege in Virtual Server and eliminate the need for UAC:

  • Right-click the Internet Explorer icon in the Quick Launch section of the task bar, and choose Run As Administrator from the menu.
  • In the User Account Control dialog box, click Allow.
  • In the Internet Explorer address bar, type in the URL to the Administration Website.
  • In the Virtual Server navigation menu, click Server Properties.
  • Click the Add Entry button.
  • In the new Permission Entry, type in your account name in the User Or Group text box.
  • In Permissions, select the Full check box to give your account full control.
  • Click OK.

Important: In Internet Explorer 7, you must also ensure that the Enable Protected Mode option remains disabled for Trusted Sites. If Protected Mode is enabled, you will receive the following error when you attempt to access the Administration Website: “Could not connect to Virtual Server. Please add the Virtual Server administration Website to the Internet Explorer trusted sites list. You can specify an alternate Virtual Server below.” To learn more about Internet Explorer 7 Protected Mode, review the blog entry written by a member of the Internet Explorer security team at http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Guest Operating System Installation Is Slow

When you install Windows Server 2003, Windows 2000 Server, or Windows XP Professional as a guest operating system in a virtual machine, the installation process can take several hours to complete if the virtual hard disk is attached to a virtual SCSI adapter and the default Adaptec driver (aic78xx.sys) is installed in the guest operating system.

Resolution

Virtual Server 2005 R2 includes a virtual floppy disk image file named SCSI Shunt Driver.vfd that can be used to load the optimized Microsoft Virtual Machine PCI SCSI Controller driver (also referred to as the accelerated SCSI driver) when you are prompted to press F6 during the guest operating system installation. Using the accelerated SCSI driver can significantly increase the speed of the guest operating system installation.

Follow these steps to load the accelerated SCSI driver using the SCSI Shunt Driver.vfd floppy disk image:

  • Open the Virtual Server Administration Website.
  • In the Master Status pane, click the virtual machine thumbnail to start the guest operating system installation.
  • Click the virtual machine thumbnail again to connect using the VMRC ActiveX client.
  • When the guest operating system installation prompts you to load a third-party SCSI or RAID driver, press F6. The F6 prompt displays at the bottom of the Setup screen.
  • When the guest operating system Setup screen displays a message indicating that Windows could not determine the type of mass storage device on your system, click Master Status in the navigation pane below the virtual machine VMRC display.
  • In Virtual Machines, click Configure and then select the virtual machine from the list.
  • In Configuration, click Floppy Drive.
  • In Floppy Drive Properties, click Known Floppy Disks, select the SCSI Shunt Driver.vfd floppy disk image file, and click OK.
  • In Status, click the virtual machine thumbnail to reconnect to it.
  • In the guest operating system Setup screen, type S and then press Enter.
  • Scroll to and select the accelerated SCSI driver entry that matches the guest operating system that is being installed, and then press Enter.
  • Press Enter to continue, and complete the guest operating system installation.

Note: The SCSI Shunt Driver.vfd does not include an accelerated SCSI driver for Windows NT 4.0 Server. If your installation of Windows NT 4.0 Server on a VHD that is connected to a virtual SCSI adapter is progressing slowly, terminate the installation and connect the VHD to a virtual IDE adapter. Restart and complete the Windows NT 4.0 guest operating system installation using this configuration before reconnecting the VHD to a virtual SCSI adapter.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Access Is Denied Using Virtual Server Manager

When you use Virtual Server Manager from a centralized Administration Website to attempt to manage a remote Virtual Server that is a member of a different Active Directory domain, forest, or workgroup, you might receive an “Access was denied” error message when using the Switch Virtual Server option to connect to the remote Virtual Server. During the connection attempt, the local Administration Website application passes the account credentials of the context under which it is running to the remote Virtual Server. If authentication is successful, the Virtual Server target is added to the Virtual Server Manager list. If authentication fails, you will receive an "access was denied" error.

Resolution

If you need to manage Virtual Server hosts across domain or forest boundaries using Virtual Server Manager from a centralized Administration Website, you must configure domain-level or forest-level trusts, and then grant permissions to manage each Virtual Server host to the user account under whose context the Administration Website application will run.

If you must manage Virtual Server hosts across workgroups using Virtual Server Manager, you have to create a local user account on each Virtual Server host with the same user name and password to allow successful authentication during the connection process. You must also grant permissions to manage the Virtual Server host to the local user account on each server and use this “common” user account to run the centralized Administration Website. Although this solution works, it is not recommended because of user account management and security implications. If possible, you should deploy Virtual Server hosts within more secure and manageable Active Directory domains.

Note: Chapter 6 of the Microsoft Virtual Server Resource Kit, titled “Security in Depth,” includes a review of common Virtual Server management roles and the associated set of permissions needed to manage Virtual Server.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.
 

Missing or Incompatible IIS Configuration

One of the most common issues that occurs during installation of Virtual Server 2005 R2 involves the configuration of Internet Information Services (IIS) to support the Virtual Server Administration Website on the host operating system.

Resolution

There are two basic ways to address this issue. If you do not intend to manage any Virtual Server hosts from the physical server, go back and deselect the installation of the Administration Website. If you do plan to use the Administration Website to manage Virtual Server hosts from the physical server, you must cancel the Virtual Server 2005 R2 installation and install Internet Information Services (IIS) on the host operating system. Once the IIS installation is complete, you can restart the Virtual Server 2005 R2 setup. In Virtual Server 2005 R2 SP1, the setup process will make modifications to the IIS configuration required to properly integrate with the Virtual Server Administration Website.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Broken Differencing Disk After Parent VHD Is Moved or Renamed

A differencing disk uses file path and name information stored in its dynamic disk header to locate and open its parent VHD. If the parent VHD is renamed or moved, the file path and name reference stored in the differencing disk header becomes invalid. This causes any virtual machine that uses a VHD in the differencing disk chain to fail at startup. Figure 11-3 shows the error (in bold text) that is captured in the Virtual Server Event Viewer log when a virtual machine is started after the differencing disk parent VHD is moved.

Note: Detailed information on the format and use of differencing disks can be found in Chapter 5 of the Microsoft Virtual Server 2005 R2 Resource Kit, “Virtual Server 2005 R2 Advanced Features.”

Resolution

To resolve this issue, you simply have to update the parent VHD path and file name reference in the differencing disk. You can accomplish this through the Administration Website or using a script. Follow these steps to inspect and modify the differencing disk through the Administration Website:

  • Open the Virtual Server Administration Website.
  • In the Virtual Disks navigation menu, click Inspect.
  • In Inspect Virtual Hard Disk, select the differencing disk from the Known Virtual Hard Disks pull-down menu. If the differencing disk does not appear in the list, enter the fully qualified path in the Fully Qualified Path To File text box.
  • Click Inspect.
  • Under the differencing disk Virtual Hard Disk Properties, click the link to the right of Parent Virtual Hard Disk(s).
  • Select the parent VHD from the Parent Virtual Hard Disk Path pull-down menu. If the parent VHD does not appear in the list, enter the fully qualified path to the parent VHD in the text box.
  • Click Update Parent Path.
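
An added example, not taken from the Resource Kit, of the script route: it reads the parent reference out of a differencing disk so that a broken chain can be found before the virtual machine is started. The field offsets follow the published VHD image format specification rather than anything stated on this page; the sample image, the paths and the function names are constructed.

```python
import ntpath
import struct

FOOTER_COOKIE = b"conectix"   # hard disk footer, copied to offset 0 of sparse disks
HEADER_COOKIE = b"cxsparse"   # dynamic disk header
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
LOCATOR_FMT = ">4sIIIQ"       # platform code, data space, data length, reserved, data offset


def read_parent_reference(image):
    """Return disk type, parent file name and parent locator paths from VHD bytes.
    Checksums are not verified here."""
    footer = image[:512]
    if footer[:8] != FOOTER_COOKIE:
        raise ValueError("no footer copy at offset 0 (fixed disk or not a VHD)")
    data_offset, = struct.unpack_from(">Q", footer, 16)   # where the dynamic header starts
    disk_type, = struct.unpack_from(">I", footer, 60)
    info = {"type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
            "parent_name": None, "locators": {}}
    if disk_type != 4:
        return info
    header = image[data_offset:data_offset + 1024]
    if header[:8] != HEADER_COOKIE:
        raise ValueError("dynamic disk header not found")
    # Parent Unicode name: 512 bytes of UTF-16 (big-endian), NUL padded.
    info["parent_name"] = header[64:576].decode("utf-16-be").rstrip("\x00")
    # Eight 24-byte parent locator entries follow the name.
    for i in range(8):
        code, _space, length, _rsv, offset = struct.unpack_from(LOCATOR_FMT, header, 576 + 24 * i)
        if code in (b"W2ku", b"W2ru") and length:          # absolute / relative Windows path
            info["locators"][code.decode("ascii")] = image[offset:offset + length].decode("utf-16-le")
    return info


def parent_resolves(info, child_path, existing_files):
    """True if the absolute locator, or the relative one resolved against the
    child's folder, names a file in existing_files (case-insensitive)."""
    known = {ntpath.normcase(ntpath.normpath(p)) for p in existing_files}
    candidates = []
    if "W2ku" in info["locators"]:
        candidates.append(info["locators"]["W2ku"])
    if "W2ru" in info["locators"]:
        candidates.append(ntpath.join(ntpath.dirname(child_path), info["locators"]["W2ru"]))
    return any(ntpath.normcase(ntpath.normpath(c)) in known for c in candidates)


def build_sample(parent_abs, parent_rel):
    """Construct a headers-only differencing disk image for the demonstration."""
    footer = bytearray(512)
    footer[0:8] = FOOTER_COOKIE
    struct.pack_into(">Q", footer, 16, 512)    # dynamic header directly after the footer copy
    struct.pack_into(">I", footer, 60, 4)      # disk type: differencing
    header = bytearray(1024)
    header[0:8] = HEADER_COOKIE
    name = ntpath.basename(parent_abs).encode("utf-16-be")
    header[64:64 + len(name)] = name
    blobs = b""
    for i, (code, path) in enumerate(((b"W2ku", parent_abs), (b"W2ru", parent_rel))):
        data = path.encode("utf-16-le")
        struct.pack_into(LOCATOR_FMT, header, 576 + 24 * i,
                         code, 1, len(data), 0, 512 + 1024 + len(blobs))
        blobs += data.ljust(512, b"\x00")       # one sector reserved per locator
    return bytes(footer + header) + blobs


if __name__ == "__main__":
    child = r"D:\VMs\web01\web01-diff.vhd"                      # constructed paths
    info = read_parent_reference(build_sample(r"D:\VMs\base.vhd", r"..\base.vhd"))
    print(info)
    print("parent in place:", parent_resolves(info, child, {r"D:\VMs\base.vhd"}))
    print("parent moved:   ", parent_resolves(info, child, {r"E:\Library\base.vhd"}))
```

Running the check over every differencing disk after a storage reorganization lists the disks whose parent path needs the Update Parent Path step above.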

If you plan to use the Remote Desktop Protocol (RDP) to connect to a remote Virtual Server host, you must use the /console switch. Otherwise, when you launch the Administration Website on the remote machine, you might be presented with the error “The Parameter is incorrect.”

Use one of the following methods to launch an RDP connection to a remote Virtual Server host console session:

· Create a shortcut on your desktop and modify the shortcut target entry to reflect %systemroot%\system32\mstsc.exe /console.

· Launch the RDP connection from the Start menu and specify “mstsc /console”.

This post is content adapted from Chapter 11 of the Microsoft Virtual Server 2005 R2 Resource Kit.

Virtual Machine Registration Fails After Previous Removal

If you remove a virtual machine through the Virtual Server Administration Website, and you later attempt to create or add a virtual machine of the same name, an error is generated stating that the virtual machine configuration file (.vmc) already exists. When you use the “remove” option, none of the virtual machine files is deleted off the server—only the shortcut entry that points to the location of the virtual machine configuration file is deleted.

Resolution

If you need to “remove” and “re-create” a virtual machine during testing or other activity, you have to either manually or programmatically delete all the virtual machine files. Once these files are deleted, you can create or add a virtual machine using the same name.