
Preparing a VM for upload to Azure, August 31, 2016

Posted by Samuel Ribeiro in Uncategorized.

Prepare Windows configuration for upload

  1. Remove any static persistent route from the routing table:
    • To view the route table, run route print.
    • Check the Persistent Routes section. If there is a persistent route, use route delete to remove it.
  2. Remove the WinHTTP proxy:
    netsh winhttp reset proxy
  3. Configure the disk SAN policy to OnlineAll. diskpart does not accept the command as a command-line argument, so run it interactively:
    diskpart
    san policy=onlineall
    exit
  4. Use Coordinated Universal Time (UTC) for the Windows clock and set the startup type of the Windows Time (w32time) service to Automatic:
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1
    sc config w32time start= auto

Configure Windows services

  1. Make sure that each of the following Windows services is set to the Windows default startup type. The expected startup types are the ones shown below; you can run these commands to reset them (sc.exe spells the Manual startup type "demand", not "manual"):
    sc config bfe start= auto
    sc config dcomlaunch start= auto
    sc config dhcp start= auto
    sc config dnscache start= auto
    sc config IKEEXT start= auto
    sc config iphlpsvc start= auto
    sc config PolicyAgent start= demand
    sc config LSM start= auto
    sc config netlogon start= demand
    sc config netman start= demand
    sc config NcaSvc start= demand
    sc config netprofm start= demand
    sc config NlaSvc start= auto
    sc config nsi start= auto
    sc config RpcSs start= auto
    sc config RpcEptMapper start= auto
    sc config termService start= demand
    sc config MpsSvc start= auto
    sc config WinHttpAutoProxySvc start= demand
    sc config LanmanWorkstation start= auto
    sc config RemoteRegistry start= auto
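
As an added example (this script is not part of the original post or of Microsoft's guide), the following PowerShell audits the services in the list above against the expected startup types and reports any drift; with -Fix it resets the startup type through Set-Service instead of sc.exe. It assumes PowerShell 3.0 or later and an elevated session, and nothing else beyond the service names already listed.

```powershell
# Added example, not from the original post: audit the startup type of each service
# listed in the step above and optionally reset it. Run elevated; PowerShell 3.0+.
param([switch]$Fix)

# Expected Win32_Service.StartMode values ('Auto' or 'Manual'), taken from the list above.
$expected = @{
    'bfe' = 'Auto'; 'dcomlaunch' = 'Auto'; 'dhcp' = 'Auto'; 'dnscache' = 'Auto'
    'IKEEXT' = 'Auto'; 'iphlpsvc' = 'Auto'; 'PolicyAgent' = 'Manual'; 'LSM' = 'Auto'
    'netlogon' = 'Manual'; 'netman' = 'Manual'; 'NcaSvc' = 'Manual'; 'netprofm' = 'Manual'
    'NlaSvc' = 'Auto'; 'nsi' = 'Auto'; 'RpcSs' = 'Auto'; 'RpcEptMapper' = 'Auto'
    'termService' = 'Manual'; 'MpsSvc' = 'Auto'; 'WinHttpAutoProxySvc' = 'Manual'
    'LanmanWorkstation' = 'Auto'; 'RemoteRegistry' = 'Auto'
}

$drift = @(foreach ($name in $expected.Keys | Sort-Object) {
    # WQL string comparison is case-insensitive, so 'termService' matches 'TermService'.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $actual = if ($null -eq $svc) { 'MISSING' } else { $svc.StartMode }
    if ($actual -ne $expected[$name]) {
        [pscustomobject]@{ Service = $name; Expected = $expected[$name]; Actual = $actual }
    }
})

if ($drift.Count -eq 0) {
    Write-Output 'All listed services have the expected startup type.'
    exit 0
}
$drift | Format-Table -AutoSize

if ($Fix) {
    foreach ($d in $drift | Where-Object { $_.Actual -ne 'MISSING' }) {
        # Set-Service uses 'Automatic'/'Manual' where Win32_Service reports 'Auto'/'Manual'.
        $type = if ($d.Expected -eq 'Auto') { 'Automatic' } else { 'Manual' }
        Set-Service -Name $d.Service -StartupType $type
        Write-Output "Reset $($d.Service) to $type"
    }
}
else {
    exit 1   # non-zero exit so an image-build pipeline can fail on drift
}
```

Run it once before and once after the sc commands; a service reported as MISSING is simply not present on that Windows version (LSM, for example, is not a separate service everywhere) and is not an error in the image.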

Configure Remote Desktop

  1. If there are any self-signed certificates tied to the Remote Desktop Protocol (RDP) listener, remove them. The certificate thumbprint is stored in the SSLCertificateSHA1Hash value of the RDP-Tcp key, so delete that value (not a subkey):
    REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash /f

    For more information about configuring certificates for the RDP listener, see Listener Certificate Configurations in Windows Server.

  2. Configure the KeepAlive values for the RDP service:
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v KeepAliveEnable /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v KeepAliveInterval /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v KeepAliveTimeout /t REG_DWORD /d 1 /f
  3. Configure the authentication mode for the RDP service:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 1 /f
  4. Enable the RDP service by setting the following registry value:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
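
Added example (not code from the original post or from Microsoft): a read-only PowerShell check that reads back the RDP listener values set in steps 1 to 4 above and flags anything that is not in the expected state, including a leftover SSLCertificateSHA1Hash value from step 1. For reviewing the result it helps to know what the values mean: UserAuthentication=1 requires Network Level Authentication, so a client must authenticate before it is given a session on the listener; SecurityLayer=1 is "negotiate" (TLS is used when the client supports it; the value 2 would require TLS). The registry paths are the ones from the steps above; nothing else is assumed.

```powershell
# Added example, not from the original post: verify the RDP listener settings from the
# steps above. Read-only; exits 1 if any value differs from what the steps configure.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected DWORD values, one entry per REG ADD in the steps above.
$checks = @(
    @{ Path = $tsKey;  Name = 'fDenyTSConnections';           Expected = 0 }
    @{ Path = $rdpTcp; Name = 'UserAuthentication';           Expected = 1 }   # NLA required
    @{ Path = $rdpTcp; Name = 'SecurityLayer';                Expected = 1 }   # negotiate TLS
    @{ Path = $rdpTcp; Name = 'fAllowSecProtocolNegotiation'; Expected = 1 }
    @{ Path = $rdpTcp; Name = 'KeepAliveTimeout';             Expected = 1 }
    @{ Path = $policy; Name = 'KeepAliveEnable';              Expected = 1 }
    @{ Path = $policy; Name = 'KeepAliveInterval';            Expected = 1 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value becomes $null instead of a terminating error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $shown
        Ok       = ($actual -eq $c.Expected)
    }
})

# Step 1 deletes this REG_BINARY value; if it is still there, a self-signed listener
# certificate is still pinned. Get-ItemProperty returns the binary data as a byte[].
$hash  = Get-RegValueOrNull -Path $rdpTcp -Name 'SSLCertificateSHA1Hash'
$shown = if ($null -eq $hash) { '<absent>' } else { ($hash | ForEach-Object { $_.ToString('x2') }) -join '' }
$results += [pscustomobject]@{
    Value    = 'SSLCertificateSHA1Hash'
    Expected = '<absent>'
    Actual   = $shown
    Ok       = ($null -eq $hash)
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it after a reboot as well as immediately after the REG ADD commands: Group Policy can rewrite the policy-side KeepAlive values, and a refreshed self-signed certificate would reappear as a new thumbprint.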

Configure Windows Firewall rules

  1. Allow WinRM through the three firewall profiles (Domain, Private and Public) and enable PowerShell Remoting:
    Enable-PSRemoting -force
  2. Make sure that the following guest operating system firewall rules are in place. Note that the outbound rules must be selected with dir=out; looking up a "-Out" rule with dir=in matches nothing and leaves the rule unchanged:
    • Inbound
    netsh advfirewall firewall set rule dir=in name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (LLMNR-UDP-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (NB-Datagram-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (NB-Name-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (Pub-WSD-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (SSDP-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (UPnP-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Network Discovery (WSD EventsSecure-In)" new enable=yes
    netsh advfirewall firewall set rule dir=in name="Windows Remote Management (HTTP-In)" new enable=yes
    • Inbound and outbound
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
    netsh advfirewall firewall set rule group="Core Networking" new enable=yes
    • Outbound
    netsh advfirewall firewall set rule dir=out name="Network Discovery (LLMNR-UDP-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (NB-Datagram-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (NB-Name-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (Pub-WSD-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (SSDP-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (UPnPHost-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (UPnP-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD Events-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD EventsSecure-Out)" new enable=yes
    netsh advfirewall firewall set rule dir=out name="Network Discovery (WSD-Out)" new enable=yes
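
Added example (not part of the original post or of Microsoft's guide): a PowerShell check that the rules listed above exist and are enabled, using Get-NetFirewallRule from the NetSecurity module, which it assumes is available (Windows 8 / Server 2012 and later). Each rule is looked up with the direction it belongs to, which is the detail that matters here: a rule named "...-Out" queried as inbound matches nothing, and a netsh command with the wrong dir= silently changes nothing. The script is read-only and exits 1 if any rule set is missing or only partly enabled. Expect Windows Remote Management (HTTP-In) to report two rules found: two built-in rules share that display name (one of them scoped to the Public profile), and both the netsh command and this script match both.

```powershell
# Added example, not from the original post: report whether the firewall rules from the
# step above are present and enabled. Requires the NetSecurity module (Windows 8 /
# Server 2012 or later). Read-only.
$inbound = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)'
    'Network Discovery (LLMNR-UDP-In)'
    'Network Discovery (NB-Datagram-In)'
    'Network Discovery (NB-Name-In)'
    'Network Discovery (Pub-WSD-In)'
    'Network Discovery (SSDP-In)'
    'Network Discovery (UPnP-In)'
    'Network Discovery (WSD EventsSecure-In)'
    'Windows Remote Management (HTTP-In)'
)
$outbound = @(
    'Network Discovery (LLMNR-UDP-Out)'
    'Network Discovery (NB-Datagram-Out)'
    'Network Discovery (NB-Name-Out)'
    'Network Discovery (Pub-WSD-Out)'
    'Network Discovery (SSDP-Out)'
    'Network Discovery (UPnPHost-Out)'
    'Network Discovery (UPnP-Out)'
    'Network Discovery (WSD Events-Out)'
    'Network Discovery (WSD EventsSecure-Out)'
    'Network Discovery (WSD-Out)'
)
$groups = @('Remote Desktop', 'Core Networking')

function Summarize([string]$Label, $Rules) {
    # Count how many rules matched and how many of those are enabled.
    $rules = @($Rules | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        Rule    = $Label
        Found   = $rules.Count
        Enabled = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count
    }
}

$report = @(
    foreach ($n in $inbound) {
        Summarize "$n [Inbound]" @(Get-NetFirewallRule -DisplayName $n -Direction Inbound -ErrorAction SilentlyContinue)
    }
    foreach ($n in $outbound) {
        # Same display names as the netsh commands, but queried in the outbound direction.
        Summarize "$n [Outbound]" @(Get-NetFirewallRule -DisplayName $n -Direction Outbound -ErrorAction SilentlyContinue)
    }
    foreach ($g in $groups) {
        Summarize "group: $g" @(Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue)
    }
)

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Found -eq 0 -or $_.Enabled -lt $_.Found })
if ($bad.Count -gt 0) {
    Write-Output "$($bad.Count) rule set(s) missing or partly disabled."
    exit 1
}
```

Found = 0 on an outbound row after the netsh commands ran is the signature of a dir= mismatch; Enabled less than Found on a group row means some of the group's rules are still disabled.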

Additional Windows configuration steps

  1. Run winmgmt /verifyrepository to confirm that the Windows Management Instrumentation (WMI) repository is consistent. If the repository is corrupted, see this blog post.
  2. Make sure the Boot Configuration Data (BCD) settings match the following (replace <Boot Partition> and <OS Partition> with the VM's own partitions):
    bcdedit /set {bootmgr} device partition=<Boot Partition>
    bcdedit /set {bootmgr} integrityservices enable
    bcdedit /set {default} device partition=<OS Partition>
    bcdedit /set {default} integrityservices enable
    bcdedit /set {default} recoveryenabled Off
    bcdedit /set {default} osdevice partition=<OS Partition>
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  3. Remove any extra Transport Driver Interface (TDI) filters, such as software that analyzes TCP packets.
  4. To make sure the disk is healthy and consistent, run CHKDSK /f.
  5. Uninstall all other third-party software and drivers.
  6. Make sure that no third-party application is using port 3389. This port is used for the RDP service in Azure.
  7. If the Windows VHD that you want to upload is a domain controller, follow these extra steps to prepare the disk.
  8. Reboot the VM to make sure that Windows is still healthy and can be reached over an RDP connection.
  9. Reset the current local administrator password and make sure that you can use this account to sign in to Windows through the RDP connection. This access permission is controlled by the "Allow log on through Remote Desktop Services" policy object, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
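
Added example (not part of the original post or of Microsoft's guide), covering the persistent-route, UTC-clock and SAN-policy steps from "Prepare Windows configuration for upload" together with the port 3389 check in step 6 above: a read-only PowerShell pre-upload check that reports each item as a pass/fail row. It assumes an elevated session on Windows 8 / Server 2012 or later, where the NetTCPIP and Storage modules supply Get-NetRoute, Get-NetTCPConnection and Get-StorageSetting (the PowerShell equivalent of diskpart's san command). The port check does not just test whether something listens on 3389; it resolves the owning process to the services hosted in it and fails unless every listener belongs to the process that hosts TermService, which is how a third-party product squatting on the port shows up.

```powershell
# Added example, not from the original post: read-only pre-upload checks for the
# persistent-route, UTC-clock, SAN-policy and port-3389 steps. Needs an elevated
# session on Windows 8 / Server 2012 or later (NetTCPIP and Storage modules).
$rows = New-Object 'System.Collections.Generic.List[object]'
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $rows.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Persistent routes: the PowerShell view of the "Persistent Routes" section of route print.
$persistent = @(Get-NetRoute -PolicyStore PersistentStore -ErrorAction SilentlyContinue)
$routeText = ($persistent | ForEach-Object { "$($_.DestinationPrefix) via $($_.NextHop)" }) -join '; '
Add-Check 'No persistent static routes' ($persistent.Count -eq 0) $(if ($routeText) { $routeText } else { 'none' })

# 2. Clock: RealTimeIsUniversal=1 and w32time set to start automatically.
$tzKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$rtu = (Get-ItemProperty -Path $tzKey -Name RealTimeIsUniversal -ErrorAction SilentlyContinue).RealTimeIsUniversal
Add-Check 'RealTimeIsUniversal = 1' ($rtu -eq 1) "value: $rtu"
$w32 = Get-CimInstance -ClassName Win32_Service -Filter "Name='w32time'"
Add-Check 'w32time startup type Auto' ($w32.StartMode -eq 'Auto') "start mode: $($w32.StartMode)"

# 3. SAN policy: Get-StorageSetting reports what diskpart's "san" command shows.
$san = (Get-StorageSetting).NewDiskPolicy
Add-Check 'SAN policy OnlineAll' ("$san" -eq 'OnlineAll') "policy: $san"

# 4. Port 3389: every listening socket must belong to the svchost that hosts TermService.
$listeners = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
$foreign = @($listeners | Where-Object {
    $owner = $_.OwningProcess
    -not (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$owner AND Name='TermService'")
})
$who = foreach ($l in $listeners) {
    # Name the services hosted in the owning process; fall back to the image name.
    $names = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($l.OwningProcess)" |
        Select-Object -ExpandProperty Name)
    if ($names.Count -eq 0) {
        $names = @((Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName)
    }
    "$($l.LocalAddress):3389 pid $($l.OwningProcess) [$($names -join ',')]"
}
Add-Check 'Port 3389 used only by TermService' ($listeners.Count -gt 0 -and $foreign.Count -eq 0) `
    $(if ($who) { $who -join '; ' } else { 'nothing listening' })

$rows | Format-Table -AutoSize
if ($rows | Where-Object { -not $_.Ok }) { exit 1 }
```

A failing port row with a process name in the Detail column tells you which product to remove in step 5; "nothing listening" after the reboot in step 8 means the RDP listener itself is not up, which the fDenyTSConnections value in the Remote Desktop section is the first place to look.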

Install Windows Updates

  1. Install the latest updates for Windows. If that is not possible, make sure that the following updates are installed:
    • KB3137061 Microsoft Azure VMs don’t recover from a network outage and data corruption issues occur
    • KB3115224 Reliability improvements for VMs that are running on a Windows Server 2012 R2 or Windows Server 2012 host
    • KB3140410 MS16-031: Security update for Microsoft Windows to address elevation of privilege: March 8, 2016
    • KB3063075 Many ID 129 events are logged when you run a Windows Server 2012 R2 virtual machine in Microsoft Azure
    • KB3114025 Slow performance when you access Azure files storage from Windows 8.1 or Server 2012 R2
    • KB3033930 Hotfix increases the 64K limit on RIO buffers per process for Azure service in Windows
    • KB3004545 You cannot access virtual machines that are hosted on Azure hosting services through a VPN connection in Windows
    • KB3082343 Cross-Premises VPN connectivity is lost when Azure site-to-site VPN tunnels use Windows Server 2012 R2 RRAS
    • KB3146723 MS16-048: Description of the security update for CSRSS: April 12, 2016
    • KB2904100 System freezes during disk I/O in Windows
  2. If you want to create an image to deploy multiple machines from it, you need to generalize the image by running sysprep before you upload the VHD to Azure. For more information about how to create a generalized image, see the following articles:

Suggested extra configurations

The following settings do not affect VHD uploading. However, we strongly recommend that you have them configured.

  • Install the Azure Virtual Machines Agent. After you install the agent, you can enable VM extensions. The VM extensions implement most of the critical functionality that you want to use with your VMs like resetting passwords, configuring RDP, and many others.
  • The dump log can be helpful in troubleshooting Windows crash issues. Enable dump log collection:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 2 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpFolder /t REG_EXPAND_SZ /d "c:\CrashDumps" /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpCount /t REG_DWORD /d 10 /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 2 /f
    sc config wer start= auto
  • After the VM is created in Azure, configure a system-managed pagefile on drive D:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
