Part 9: Deploy and Configure SDN Network Controller Service

Previous Post in Series: Part 8: Server 2016 Software Defined Networking Overview

Welcome to part 9 in the series, folks. If you’ve not read the overview guide (at the link above), it’s worth doing that before continuing on to the deployment phase, as reading it may shape some of your design decisions, etc.

Here is a list of the main steps that we’ll be covering in this guide:

Prerequisites

This guide assumes you have deployed a Server 2016 Hyper-V cluster made up of at least 3 nodes. This cluster will need access to enough storage to hold 6 VMs using the VHDx we’ll discuss a little later in the guide (link above).

NOTE:  If you’ve completed parts 3 and 4 of this blog series, you’re covered 🙂

As we’re using SCVMM to deploy our Network Controller service, you need to download the template from GitHub.

Click on “Clone or download”, “Download ZIP” and “Save”


Open the ZIP archive you just downloaded and navigate to VMM\Templates

Now copy the folders named “NC” and “SLB” to C:\Temp\ on your SCVMM server

Prepare a Template VHDx for your SDN VMs

During the deployment of our Network Controller Service Template, we’ll be asked to provide a generalised VHDx disk for the OS drive. If you’ve completed part 6 of this series, you can use the one you created there, otherwise follow the steps below:

  • Create a new VM using a Server 2016 ISO
  • Apply all available Windows Updates
  • Enable Remote Desktop and the associated Windows Firewall rules (PowerShell below)

# Allow RDP connections, require Network Level Authentication (UserAuthentication = 1) and enable the built-in RDP firewall rules
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Enable-NetFirewallRule

  • Run Sysprep to generalise the OS to be used as a template disk

Press “Windows Key + R” and type “sysprep”

Run the sysprep application

Select “Enter System Out-of-Box Experience…”, tick “Generalize” and select “Shutdown”. Now click “OK”


Once SysPrep has completed and the VM has shut down, we’ll want to take a copy of the VHDx and import it into our SCVMM library (instructions below):

Copy the VHDX to your SCVMM library share folder. This could be local on the server or, if you followed this guide, a dedicated share on your SOFS cluster.

Refresh the SCVMM library. Navigate to “Library”, right-click on your library server object and select “Refresh”.

Set up Active Directory Users and Groups

Our Network Controller deployment requires two groups in AD. With that in mind, create them as follows:

Create a domain local security group for Network Controller Management, I called mine “NetworkControllerAdministrators”

Create a user and add it to this group – this is the user we’ll tell SCVMM to use when interacting with our Network Controller Service. As such, I called mine “NCAdmin”

Create a domain local security group for Network Controller Clients, I called mine “NetworkControllerClients”…inventive, eh 🙂

Add the “NCAdmin” account you created above to this group also.

Create SCVMM Run As Account for NC Admin User

Now that you’ve created the “NCAdmin” (above) account in Active Directory, we have to give SCVMM the ability to use that account. This is done by creating a “Run As Account” for the user.

Within your SCVMM console, navigate to “Settings”, right-click on “Run As Accounts” and select “Create Run As Account”


Type a name, a description (optionally) and a password for your NC Admin user.

Leave the tick in “Validate domain credentials” and click “Finish”


Now repeat the above process to create a Run As Account for the local administrator user (if you haven’t done this previously).

Untick “Validate domain credentials” this time though, as validation will fail because it’s not a domain account 🙂


Set up SCVMM Host Group

If you’re managing multiple Hyper-V clusters from your SCVMM instance, create a new host group for the Hyper-V hosts you plan to manage via SDN and move your host cluster into it. I covered this in an earlier guide, you can find it HERE.

Create Management Logical Networking

Again, this was already covered in an earlier part of this series, located HERE. If you didn’t follow this guide when building your hosts, have a look through it before proceeding, as it was done with SDN in mind. If you created your logical switch without disabling all extensions, it’ll block your Network Controller deployment. If that’s the case, remove and redeploy your networking following the guide linked above 🙂

Create and Set up SSL Certificates

We will need an SSL certificate to securely communicate with the Network Controller service. If you’re deploying this for testing purposes, then using a self-signed certificate will suffice.

Using a Self-signed Certificate

The following PowerShell generates a suitable self-signed SSL certificate, sets a friendly name and uses the FQDN of your NC service as its DNS name. Run it from an elevated PowerShell session on the SCVMM server:

# Creates the certificate in the Local Computer Personal store, which is where the export steps below look for it
New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "MultiNodeNC" -DnsName @("MultiNodeNC.domain.com") -CertStoreLocation "Cert:\LocalMachine\My"

NOTE:  You can use an IP address instead of a DNS name for the Network Controller service but this is not recommended as it will restrict it to a single subnet.

Now you’ll need to export your new certificate with its private key.

Open the “Certificates” MMC. Press WinKey + R and type “certlm.msc”. Browse to “Personal” then “Certificates”

Right-click the certificate you just created and select “All Tasks”, “Export”


Click “Next” on the welcome screen

Select “Yes, export the private key” and click “Next”


On “Export File Format”, click “Next” to accept the defaults


Enter a password for the private key and click “Next”


Enter a save location and filename for your certificate and click “Next” and “Finish”


You’ll also need the certificate in the .CER format, so run through the above process again but when asked if you want to export the private key, choose “No, do not export the private key”

Using a Certificate Authority Certificate

As the aim of this guide is to get you as close to a production deployment as possible, I’m also going to run through the process for obtaining a suitable certificate from your own internal CA. If you haven’t yet deployed a CA, I’ve covered it in an earlier guide, you can find it HERE.

Create SDN Network Controller Certificate Template

Before requesting a certificate from our CA, we’re going to create a custom template to make that request against.

On the server that holds your new CA (which may well be a domain controller), click on the Start Menu, type “certtmpl.msc” and press Enter to launch the “Certificate Templates Console”

We’ll start by duplicating an existing certificate template to work as our base; I used the “Computer” template.

Right-click the “Computer” template and select “Duplicate Template”


On the “General” tab, change the “Template Display Name” to something that makes more sense; I went with “SDN NC Certificate”

Change the “Validity period” to something that works for your organisation, I went with 2 years.


On the “Request Handling” tab, make sure “Purpose” is set to “Signature and encryption” and that “Allow private key to be exported” is ticked


On the “Security” tab, give “Authenticated Users” “Enroll” permissions


On the “Subject Name” tab, select “Supply in the request” and click “OK”


Now we have to tell the Certification Authority to issue certificates from the new template

Click on the start menu and type “certsrv.msc” and press enter to launch the “Certification Authority” console

Right-click on “Certificate Templates”, click “New” and “Certificate Template to Issue”


Select the template you just created and click “OK”


Nice, we can now issue our certificates 🙂 We’re getting there.

On your SCVMM server, click start and type “certlm.msc” and press enter.

Right-click on “Certificates” and select “All Tasks”, “Request New Certificate”


Click “Next” on the “Before You Begin” screen.

Make sure “Active Directory Enrollment Policy” is selected and click “Next”


Tick the “Computer Template for SDN NCs” template (or whatever you named your new template). Now click the “More information is required…” link


Select “Common Name” from the “Subject Name” drop-down. Type “NCServiceName.FQDN” in the “Value” field and click “Add”

Select “DNS” from the “Alternative Name” drop-down. Type “NCServiceName.FQDN” in the “Value” field and click “Add”


On the “General” tab, type a “Friendly name” for your certificate. I went with “MultiNodeNC.domain.com2017”. Now click “OK”


Making sure your certificate template is ticked, click “Enroll”, then click “Finish”


Now we want to export the certificate with its private key (.PFX)

Still within the Certificates – Local computer console, navigate to “Personal”, “Certificates”

Right-click on the certificate you just created and select “All Tasks”, “Export”


Click “Next” on the welcome screen.

Select “Yes, export the private key” and click “Next”


Accept the defaults on the next screen and click “Next”


Tick the “Password” box and enter a password for your certificate and click “Next”


Type a file path to save your .PFX file to and click “Next” and “Finish”


You’ll also need the certificate in the .CER format, so run through the above process again but when asked if you want to export the private key, choose “No, do not export the private key”

Use the same method to export your CA root certificate (as a .CER). You’ll find it in the “Trusted Root Certification Authorities”, “Certificates” folder.

It’ll be named like this: domain-CAServerName-CA e.g. “contoso-Server1-CA”

Now, you’ll remember that earlier you downloaded the SDN Service Templates from GitHub and copied two folders “NC” and “SLB” to C:\Temp\ on your SCVMM server.

  • Copy the .PFX file you just created to the C:\Temp\NC\ServerCertificate.cr folder
  • Copy the .CER file you just created to the C:\Temp\NC\NCCertificate.cr folder
  • Copy the CA root certificate you just exported to the C:\Temp\NC\TrustedRootCertificate.cr folder
  • Copy the following folders to your SCVMM library share:
    • C:\Temp\NC\Edgedeployment.cr
    • C:\Temp\NC\NCCertificate.cr
    • C:\Temp\NC\NCSetup.cr
    • C:\Temp\NC\ServerCertificate.cr
    • C:\Temp\NC\TrustedRootCertificate.cr
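
The export-and-copy steps above (the .PFX, the .CER and the CA root) as one PowerShell script, placing each file in the .cr folder listed in the bullets. This is an added example, not the post’s own code; the RestEndPoint FQDN, the certificate friendly name, the CA name and the C:\Temp\NC path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): the MMC export steps as one script, writing each file
# into the .cr folder the service template expects. Assumed placeholders: the RestEndPoint FQDN, the
# friendly name you gave the certificate, the CA display name and C:\Temp\NC as the unzipped template path.
param(
    [string]$RestEndPoint = "MultiNodeNC.domain.com",
    [string]$FriendlyName = "MultiNodeNC",
    [string]$CaName       = "contoso-Server1-CA",
    [string]$TemplateRoot = "C:\Temp\NC"
)

# Locate the certificate in Local Computer > Personal (what certlm.msc shows) by its friendly name
$cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $FriendlyName)
if ($cert.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My" }
if ($cert.Count -gt 1) { throw "Several certificates carry friendly name '$FriendlyName'; remove the stale ones first" }
$cert = $cert[0]

# The NC setup script checks the certificate name against RestEndPoint; fail here rather than an hour into the deployment
if ($cert.DnsNameList.Unicode -notcontains $RestEndPoint) {
    throw "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include '$RestEndPoint'"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; request it again with 'Allow private key to be exported' ticked"
}

# The .PFX password is the value you later enter as ServerCertificatePassword; prompt for it, never hard-code it
$pfxPassword = Read-Host -AsSecureString "Password to protect the exported .PFX"

# .PFX (with private key) -> ServerCertificate.cr ; .CER (public part only) -> NCCertificate.cr
$pfxPath = Join-Path $TemplateRoot "ServerCertificate.cr\$RestEndPoint.pfx"
$cerPath = Join-Path $TemplateRoot "NCCertificate.cr\$RestEndPoint.cer"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT         | Out-Null

# CA root (public part only) -> TrustedRootCertificate.cr. Nothing is exported for a self-signed
# certificate, because no such root exists in the Trusted Root Certification Authorities store.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "CN=$CaName*" |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if ($root) {
    $rootPath = Join-Path $TemplateRoot "TrustedRootCertificate.cr\$CaName.cer"
    Export-Certificate -Cert $root -FilePath $rootPath -Type CERT | Out-Null
}

# Show what now sits in each .cr folder: one .pfx in ServerCertificate.cr, one .cer in each of the other two
foreach ($folder in 'ServerCertificate.cr', 'NCCertificate.cr', 'TrustedRootCertificate.cr') {
    Get-ChildItem -Path (Join-Path $TemplateRoot $folder) -File |
        Select-Object @{ n = 'Folder'; e = { $folder } }, Name, Length
}
```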

Now refresh your SCVMM library


Import, Configure and Deploy Network Controller Service Template

OK, we can finally start working on the actual deployment of our NC Service template. Let’s import the template we downloaded from GitHub into SCVMM.

Within your SCVMM console, navigate to “Library” and click “Import Template” on the ribbon at the top of the screen


Click “Browse” and navigate to C:\Temp\NC\Network Controller Production Generation 2 VM.xml and click “Next”


On the “Configure References” page, we’re marrying up the custom resources (.cr folders) you copied to your SCVMM library share earlier.

Click the “Pencil” icon next to “TrustedRootCertificate.cr”, select the same from the list and click “OK”


Do the same for “WinServer.vhdx”, “NCSetup.cr” and “ServerCertificate.cr”.

  • For “WinServer.vhdx”, select the VHDX you prepared earlier in this guide.
  • For “NCSetup.cr”, select the custom resource of the same name.
  • For “ServerCertificate.cr”, select the custom resource of the same name.

Your screen should now look something like this:


Now click “Next” and “Import”

Now that our template is imported, we need to customise it for our environment.

Navigate to “Library”, “Service Templates” right-click the template you just imported and click “Properties”


Have a look at the “Service Settings” tab. These settings can be configured at the point of template deployment, but if we do it here they are saved with the template, which means we don’t have to re-enter them if we get something wrong or have to reuse the template 🙂

You can modify each value by highlighting it, clicking “Properties” and populating its “Value” field


The table below lists each setting and what you should configure against it:

ClientSecurityGroup: Enter the "Network Controller Clients" group you created in AD earlier in this guide. It should be in the following format: DOMAIN\NetworkControllerClients
DiagnosticLogShare: I didn't bother with this as I've written a script that grabs these logs if I need them, more on that later.
DiagnosticLogSharePassword: As above
DiagnosticLogShareUsername: As above
LocalAdmin: Browse and select a "Run As" account that will be the local administrator account for the SDN VMs you deploy. If you don't have a Run As account for "Administrator" yet, create it 🙂
Management: Select the "Management" VM network you created earlier
MgmtDomainAccount: Select the Run As Account for the Network Admin user you created earlier
MgmtDomainAccountName: Enter the NC Admin user in the following format: DOMAIN\Username e.g. CONTOSO\NCAdmin
MgmtDomainAccountPassword: Ignore this field as we'll enter it at the point of service deployment
MgmtDomainFQDN: Enter the FQDN of the domain the above account sits in e.g. CONTOSO.com
MgmtSecurityGroup: Enter the "Network Controller Administrators" group you created in AD earlier in this guide. It should be in the following format: DOMAIN\NetworkControllerAdministrators
RestEndPoint: Enter the FQDN you want to use for targeting your Network Controller server e.g. MultiNodeNC.domain.com
ServerCertificatePassword: Enter the password you used to export your .PFX certificate earlier in this guide

NOTE:  Do not create the RestEndPoint in DNS before running your deployment as doing this will cause it to fail. It’ll be added for you. You had to do this in earlier versions but this requirement was removed.

Now we’re going to modify a few of the settings specific to the roles we’re about to deploy.

Right-click your service template and select “Open Designer”


Click “Windows Server Network Controller” to highlight it and select “View All Properties” in the bottom right


On the “Hardware Configuration” tab, change “Availability” to “High”.

This isn’t strictly required, as the Network Controller service will continue to function when a node goes down. At the very least though, it’ll save you having to power a node down during maintenance of the host it sits on. It’s much more elegant to just migrate it to another host in the cluster.

NOTE:  You’ll receive a warning when trying to migrate an NC node to a Hyper-V node that already hosts one. Not an issue if your Hyper-V host count is greater than your NC nodes. It will let you manually migrate two NC nodes to the same host (overruling the Availability Set), I suggest only doing this for maintenance windows and only if it cannot be avoided.


If you’ve set a “Classification” for your shared storage in SCVMM, make sure you assign that classification to the VM’s disk; not doing so will cause you problems during the deployment.


On the “OS Configuration” tab, modify the “Identity Information” field to something that makes sense for your organisation. This is the naming convention used when deploying your NC nodes: Blog-NC# will name them Blog-NC1, 2 and 3, while Blog-NC## will name them Blog-NC01, 02 and 03…dealer’s choice 🙂

Now click “OK”


Now click “Configure Deployment”


Enter a name for your NC Service and choose the host group that contains the Hyper-V hosts you’re deploying your NCs to.

If you’ve followed all the above steps correctly, “Network Settings” should be pre-populated.

Now click “OK”


When you’re first presented with the “Deploy Service” screen your Hyper-V host status will show as “No suitable host”, don’t worry about this, it’s perfectly normal.

Under “Settings”, everything other than “MgmtDomainAccountPassword” and “ServerCertificatePassword” should be pre-populated. Enter the relevant passwords now.

Now click “Refresh Preview”. This will validate the deployment, including checking that the Hyper-V hosts are suitable for hosting your NC VMs.


You should now be looking at a screen similar to the following (stars are a good sign):


If you receive any errors at this point, it’s likely that one of the previous steps has been missed and you’ll be provided with an error message to help you troubleshoot the cause. Assuming all is as above though, click “Deploy Service” and select “OK”


The deployment will take a good while (upwards of an hour), so go grab yourself a coffee. All going well you should see the following when you get back:


It’s worth noting that if your deployment fails and the error doesn’t really mean a great deal to you, right-click the failed job and select “Restart”. The job will try to continue from the point it failed. It’s amazing how many times this actually works. If this fails again though, it’s troubleshooting time. Feel free to post a comment on this guide if you get stuck and I’ll do my best to assist (time permitting).

Add Network Controller Service to SCVMM

So we’ve successfully deployed our Network Controller service; at this point though, it’s sitting there doing nothing. After all this hard work, we’re not having that 🙂

Browse to “Fabric”, “Networking”, right-click “Network Service” and select “Add Network Service”


Click “Next” on the “Getting Started” screen.

Enter a name for your new network service and click “Next”


Make sure “Manufacturer” and “Model” show as “Microsoft” and “Microsoft Network Controller” respectively and click “Next”


Select the Run As Account you created earlier for your Network Controller admin user and click “Next”


In the “Connection string” box, enter the following (modified for your environment):

“serverurl” should be the Rest DNS FQDN you entered into the “RestEndPoint” field when deploying the service template (highlighted in green in the screenshot below):


“servicename” should be the name you gave your Network Controller service at the point of deployment (highlighted in green in the screenshot below):

NOTE:  If you put spaces in your “servicename” (I didn’t), these will be accepted in the connection string without quotes and without issue.


So for this deployment, that would look like:

serverurl=https://MultiNodeNCService.domain.com;servicename=MultiNodeNetworkControllerService

Now click “Next”


Unfortunately, I don’t have screenshots for the next couple of tasks so we’ll have to go old school 🙂 (and from memory):

On the “Certificates” screen a connection is made to one of your Network Controller VMs to retrieve the certificate that was configured during the deployment. As we used a CA-issued certificate, tick the following options and click “Next”:

  • These certificates have been reviewed and can be imported to the trusted certificate store
  • This certificate was issued from a Certification Authority…words to that effect, I can’t currently check it 🙁  It’s the only other checkbox there though 🙂

On the “Gather Information” tab, click “Scan Provider”. This will connect to your NC service and list its properties and their status.

If you can see the following “isNetworkController = true”, everything should be working as intended and you can click “Next”

On the “Host Group” tab, make sure you have the correct host group selected (the one you selected when deploying the NC service, marked in green in the screenshot below).


Now click “Next” and “Finish”

The job shouldn’t take long to complete and should look something like this:


Nice one, we’re getting there. Now to check that it does what it’s supposed to do 🙂
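
A post-deployment check of the REST endpoint that goes a little beyond what “Scan Provider” shows, as an added example (not from the original post): it confirms the RestEndPoint was registered in DNS, that the certificate the NC presents on 443 is the one you exported and chains to a trusted root, then reads the NC REST API with Kerberos. The RestEndPoint FQDN and the .CER path are assumed placeholders; /networking/v1/servers is the NC REST collection of Hyper-V hosts.

```powershell
# Added example (not from the original post): checks to run from a domain-joined machine whose logged-on
# user is in the NetworkControllerClients group created earlier. Placeholders: the RestEndPoint FQDN and
# the .CER you exported into NCCertificate.cr.
param(
    [string]$RestEndPoint    = "MultiNodeNC.domain.com",
    [string]$ExpectedCerPath = "C:\Temp\NC\NCCertificate.cr\MultiNodeNC.domain.com.cer"
)

# 1. The service template registers RestEndPoint in DNS itself (see the NOTE above); confirm that it did
$aRecords = Resolve-DnsName -Name $RestEndPoint -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
Write-Host ("RestEndPoint resolves to: " + ($aRecords.IPAddress -join ', '))

# 2. Retrieve the certificate the NC presents on 443 and compare it with the one handed to the template.
#    The callback returns $true only so the certificate can be captured; the real checks follow below.
$tcp = New-Object System.Net.Sockets.TcpClient($RestEndPoint, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    $ssl.AuthenticateAsClient($RestEndPoint)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExpectedCerPath)

if ($presented.Thumbprint -ne $expected.Thumbprint) {
    throw "Thumbprint mismatch: NC presents $($presented.Thumbprint), exported .CER is $($expected.Thumbprint)"
}
if ($presented.DnsNameList.Unicode -notcontains $RestEndPoint) {
    throw "Presented certificate names ($($presented.DnsNameList.Unicode -join ', ')) do not include '$RestEndPoint'"
}
# Chain build against this machine's trusted roots; a self-signed certificate fails here unless you trusted it locally
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($presented)) {
    throw ("Certificate chain did not build: " + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
}
Write-Host "TLS certificate matches the exported .CER and chains to a trusted root."

# 3. Read the REST API with Kerberos (no credentials in the script). 'servers' is the list of Hyper-V hosts
#    the NC knows about; it is empty until VMM on-boards hosts, so an empty list still proves the API answers.
$servers = Invoke-RestMethod -Uri "https://$RestEndPoint/networking/v1/servers" -UseDefaultCredentials
Write-Host ("REST API reachable; Hyper-V hosts registered with the NC: " + @($servers.value).Count)
@($servers.value) | ForEach-Object { $_.resourceId }
```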

Validate your Network Controller Deployment

Now that we’ve got our Network Controller service in and configured, there is one last thing to do before we can create our tenant VM networks and do some cross-VM testing. As you will have read in my SDN overview post, encapsulated traffic is carried over the Provider Address network, so we’re going to create that now. As per the overview, you should have already configured the Provider Address VLAN and subnet on your Top of Rack switches.

Within your SCVMM console, navigate to “Fabric”, “Networking”, right-click “Logical Networks” and select “Create Logical Network”


Give your logical network a name, e.g. “Provider Address Network”, and click “Next”


Select “One connected network”, “Allow new VM networks created on this…”, “Managed by the network controller” and click “Next”


  • Under “Network Sites” click “Add” and select the host group that contains your SDN enabled Hyper-V hosts.
  • Click “Insert row” and enter the “VLAN” and “IP subnet” (using CIDR notation e.g. 10.10.10.0/24) you configured on your TOR switches for your Provider Address network.
  • Now click “Next” and “Finish”


Now we need to give our new logical network a static IP pool to work with as IPs on this network are allocated to Hyper-V hosts and the SLB/MUXes automatically.

Right-click your “Provider Address” logical network and select “Create IP Pool”


Give your IP Pool a name that makes sense, I usually type the name of the logical network – IP Pool e.g. “Provider Address Network – IP Pool”

Confirm that the logical network selected in the drop-down is your Provider Address network and click “Next”


The default settings should be correct, and read as follows:

  • “Use an existing network site”
  • Network Site: “Your Provider Address network”
  • IP Subnet: “The IP subnet you configured in the network site for your logical network”
  • VLAN: “The VLAN you configured in the network site for your logical network”

Click “Next”


In “Starting IP address” enter the 4th IP address in your chosen range. For me this will be .4, you can leave the “Ending IP address” at its default.

Now click “Next”


Click “Insert” and type the default gateway configured on your Provider Address network, for me this will be .1

Now click “Next”


Click “Next” past DNS and WINS as they’re not required for this network.

Now click “Finish”


So we now have our Provider Address logical network and associated static IP pool, all that’s left to do is allow it to make use of the Uplink port profile on the logical switch that’s deployed to our Hyper-V hosts.

Navigate to “Fabric”, “Networking”, “Port Profiles”, right-click the uplink port profile configured on your Hyper-V hosts’ logical switch and select “Properties”


On the “Network configuration” tab, place a tick in the “Provider Address” network site you created earlier and click “OK”


So you should now have a Provider Address logical network with static IP pool that is available to all hosts in your Network Controller managed SCVMM host group.

Now for the fun bit, making sure all this work got us a working network controller 🙂

Create Tenant Virtual Networking

To test that everything is working as it should be, we’re now going to create a Tenant VM network (backed by the Provider Address logical network we just created) with an IP pool, spin up two VMs and attach them to said network. We will then enable ping through Windows Firewall on both VMs and try to ping between them…exciting stuff 🙂

If you’ve done this before, you can skip to the bottom where I’ve got some PowerShell that does the same thing with a lot less effort.

Within your SCVMM console, navigate to “VMs and Services”, right-click on “VM Networks” and select “Create VM Network”


Enter a name for your tenant VM network.

Make sure you’ve selected your Provider Address network from the “Logical Network” dropdown and click “Next”


Select “Isolate using Hyper-V Network Virtualization” and click “Next”

NOTE:  At the time of writing this, you cannot select “No isolation” for Network Controller managed logical networks.


  • Click “Add” to add a VM subnet to the network.
  • Enter a name and a subnet in CIDR notation e.g. 10.10.10.0/24 – As this subnet is virtualised, it can be anything. You could use the same subnet for every tenant if you wished.
  • Now click “Next”


As we’ve not yet deployed and configured the SLB/MUX service, leave the “Connectivity” page at its defaults and click “Next” and “Finish”


Create Tenant VM Network Static IP Pool

Now we need to add a static IP pool to our tenant network.

Right-click the VM Network you just created and select “Create IP Pool”


Enter a name for the IP Pool. “VM network” and “VM subnet” will be auto-populated with the correct values.

Now click “Next”


Enter a “Starting IP address” within your subnet range, I suggest starting at .4

Leave “Ending IP address” at its default and click “Next”


Click “Insert” and add a default gateway for the IP Pool; .1 is usually the go-to here.

Now click “Next”


Insert appropriate DNS servers and suffix for your IP Pool and click “Next”


Click “Next” to skip WINS, or populate as required.

Now click “Finish”



Validation Time

Now that we’ve got our tenant networking configured, we’ll want to deploy two VMs and attach them to this network. I won’t go into detail on how to deploy VMs as I expect you’ve got that nailed by now 🙂

Once you’ve got two VMs up and running, let’s attach them to your new tenant VM network:

Navigate to your first tenant VM, right-click it and select “Properties”


  • On the “Hardware Configuration” tab, click on the VM’s network adapter
  • Select “Connected to a VM network”
  • Click “Browse”
  • Select the VM network you created earlier and click “OK”
  • Select the VM subnet from the drop-down
  • Click “OK”


Repeat the same steps for your 2nd VM.

With both VMs now attached to the same network, log onto them both and give them an IP from the static pool you configured earlier (.4 and above remember).

Run the following PowerShell on both VMs to allow ICMP requests (Ping) through Windows Firewall:

# Inbound is the default direction. Add -IcmpType 8 if you want to allow only echo requests (ping) rather than every ICMPv4 type.
New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

You should now be able to ping across both VMs you just connected to your Network Controller managed VM network…congratulations.


Create Tenant Networking Using PowerShell

The following PowerShell will do exactly what you’ve done above but with significantly less legwork 🙂

Here’s a breakdown of the steps it takes:

  • Gets your Provider Address network
  • Asks you for a name for the new VM network
  • Creates the new VM network
  • Asks you for a subnet for the new VM network
  • Creates the new subnet for the VM network
  • Works out the starting IP, ending IP and default gateway from the subnet entered above
  • Sets a Google DNS server (this can be changed in the script as required)
  • Creates the new static IP pool
  • Asks you for the SCVMM-displayed computer names of the two VMs to attach to the new VM network
  • Attaches both VMs to the new VM network, which also configures both VMs with an IP from the new static pool

Log onto your SCVMM server and open an elevated PowerShell ISE console.

Paste the following code into the editor and run it:

Clear-Host
# Create Tenant VM Network
# The Provider Address network is the logical network with HNV enabled that is managed by the Network Controller
$PA_Network = Get-SCLogicalNetwork | ? NetworkVirtualizationEnabled -eq $true | ? IsManagedByNetworkController -eq $true | Select-Object -First 1
if (-not $PA_Network) { throw "No Network Controller managed logical network found. Create the Provider Address network first." }
$VMNetName = Read-Host "Please enter a name for your new Tenant VM Network"
$VMNetwork = New-SCVMNetwork -Name $VMNetName -LogicalNetwork $PA_Network -IsolationType "WindowsNetworkVirtualization" -CAIPAddressPoolType "IPV4" -PAIPAddressPoolType "IPV4"

# Create Tenant VM Subnet
$SubnetRequest = Read-Host "Please enter a subnet for your new VM Network using CIDR notation e.g. 10.10.10.0/24"
$Subnet = New-SCSubnetVLan -Subnet "$SubnetRequest"
$VMSubnet = New-SCVMSubnet -Name ($VMNetName + " - Subnet 1") -VMNetwork $VMNetwork -SubnetVLan $Subnet

# Create Tenant VM Network IP Pool
# Work out the gateway (network + 1), the first pool address (network + 4) and the last usable address
# from the CIDR entered above, so prefixes other than /24 work as well.
$NetworkAddress, $PrefixLength = $SubnetRequest.Split('/')
$Octets = [System.Net.IPAddress]::Parse($NetworkAddress).GetAddressBytes()
[Array]::Reverse($Octets)   # BitConverter expects little-endian byte order
$NetworkInt = [BitConverter]::ToUInt32($Octets, 0)
$HostCount  = [uint32][math]::Pow(2, 32 - [int]$PrefixLength)
function ConvertTo-IPv4String([uint32]$Value) {
    $Bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($Bytes)
    ([System.Net.IPAddress]::new($Bytes)).ToString()
}
$SubnetGW    = ConvertTo-IPv4String ($NetworkInt + 1)
$SubnetStart = ConvertTo-IPv4String ($NetworkInt + 4)
$SubnetEnd   = ConvertTo-IPv4String ($NetworkInt + $HostCount - 2)   # last address before broadcast
$DefaultGateway = New-SCDefaultGateway -IPAddress $SubnetGW -Automatic
$DNSServer = "8.8.8.8" # Configured to use a Google DNS server, change this as required.
# Created synchronously so the pool exists before the VMs below are attached to the network
$IPPool = New-SCStaticIPAddressPool -Name ($VMNetName + " - IP Pool") -VMSubnet $VMSubnet -Subnet $SubnetRequest -IPAddressRangeStart $SubnetStart -IPAddressRangeEnd $SubnetEnd -DefaultGateway $DefaultGateway -DNSServer $DNSServer

# Attach VMs to new Tenant VM Network
# The logical switch that carries the Network Controller forwarding extension
$VMSwitch = Get-SCLogicalSwitch | ? VirtualSwitchExtensions -like "*Microsoft Network Controller" | Select-Object -First 1
$VM1Nic = Get-SCVirtualMachine -Name (Read-Host "Please enter the name of your first VM to add to your new Tenant network") | Get-SCVirtualNetworkAdapter
$VM2Nic = Get-SCVirtualMachine -Name (Read-Host "Please enter the name of your second VM to add to your new Tenant network") | Get-SCVirtualNetworkAdapter
Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $VM1Nic -VMNetwork $VMNetwork -VMSubnet $VMSubnet -VirtualNetwork $VMSwitch -IPv4AddressType Dynamic -IPv6AddressType Dynamic -NoPortClassification
Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $VM2Nic -VMNetwork $VMNetwork -VMSubnet $VMSubnet -VirtualNetwork $VMSwitch -IPv4AddressType Dynamic -IPv6AddressType Dynamic -NoPortClassification

Now log onto both VMs and run the following from an elevated PowerShell console:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

You should now be able to ping between both VMs.

OK, so that was another long one folks, but you do now have the start of a working SDN deployment 🙂

Join me in part 10 when I’ll run through a Software Load Balancer service deployment. Hope to see you then!

17 Replies to “Part 9: Deploy and Configure SDN Network Controller Service”

  1. I’m following your steps to install, but I cannot find RESTENDPOINT in DNS and adding NC into VMM fails because DNS cannot resolve. What’s wrong? Thanks for your help

    1. Hi Ken,

      Just to confirm, you’re not adding the RESTENDPOINT into DNS yourself, as this is something that’s done as part of the Service Template deployment. When configuring the NC template, what are you entering for the RestEndPoint, an IP address or hostname?
      How far into the deployment are you getting? Are the NC VMs up and running? Can you log on and make sure that their DNS servers have been set correctly and that they can connect out to a domain controller (again, this is something that would be done by the template providing the logical/VM Network has been set up correctly).

      1. Hi David,
        Speaking about this, let’s say MultiNodeNC.domain.com is the RESTENDPOINT. How does it appear in the DNS list in Active Directory?

        I got stuck at deploying script number 6; the error stated that “there was a problem connecting to the network controller at ……….”

        Any idea on the cause of this?

    1. Hi Munir,

      My understanding is that the “ServiceVMComputerNames” parameter will be expecting the hostnames of your Network Controller VMs.

      Best regards,
      David

  2. When I deploy the service template, I get the following error.

    Error (22631)
    The script command exit code 2148734209 matched the failure policy setting “Match any value other than zero.” Standard output log data: “rectory. ‘C:\NCInstall\certificate-ssl\’
    [2017-11-14T16:37:48.0447213+07:00]Found certificate at path: C:\NCInstall\certificate-ssl\MultiNodeNC.fabric.cloud.cer
    [2017-11-14T16:37:48.0447213+07:00]Adding certificate to personal store..
    [2017-11-14T16:37:48.0759794+07:00]Saving SSL thumbprint to registry: 73D3C97FBE5674CD45F882F6972FB09D0E3A348E.
    [2017-11-14T16:37:48.1540958+07:00]Retrieved SSL thumbprint from registry: 73D3C97FBE5674CD45F882F6972FB09D0E3A348E.
    [2017-11-14T16:37:48.2947259+07:00]Checking if subject name of the provided certificate matches Rest End Point
    [2017-11-14T16:37:48.2947259+07:00]Adding read permission to NetworkService account
    [2017-11-14T16:37:48.3259712+07:00]Caught an exception:
    [2017-11-14T16:37:48.3415965+07:00] Exception Type: System.Management.Automation.ParameterBindingValidationException
    [2017-11-14T16:37:48.3415965+07:00] Exception Message: Cannot bind argument to parameter ‘Path’ because it is null.
    [2017-11-14T16:37:48.3572225+07:00] Excepti”

    Recommended Action
    If the script command’s job restart action is set to restart, then the script will be re-executed. Otherwise, the script command will be skipped when the job is restarted, in which case corrective action should be taken to mitigate the effects of the script command failure.

    1. Hi Sarin,

      That error usually relates to an issue with the SSL certificate the install script picks up. From memory, it should be picking up the .PFX certificate file, and from the error output you provided, it's actually getting the .CER.

      Can you check to make sure you’ve put the correct certificate formats in the correct folder:

      “Copy the .PFX file you just created to the C:\Temp\NC\ServerCertificate.cr folder
      Copy the .CER file you just created to the C:\Temp\NC\NCCertificate.cr folder
      Copy the CA root certificate you just exported to the C:\Temp\NC\TrustedRootCertificate.cr folder
      Copy the following folders to your SCVMM library share:
      C:\Temp\NC\Edgedeployment.cr
      C:\Temp\NC\NCCertificate.cr
      C:\Temp\NC\NCSetup.cr
      C:\Temp\NC\ServerCertificate.cr
      C:\Temp\NC\TrustedRootCertificate.cr”

      I hope this helps…good luck 🙂

      David
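A pre-flight check of the staged certificate files, written against the folder layout quoted in the reply above. This is an added example, not code from the original post or from the SDN templates. It assumes the staging root C:\Temp\NC and uses the RestEndPoint name MultiNodeNC.fabric.cloud from the log in this thread; substitute your own. It checks that each folder holds one file of the expected type, that the .PFX carries the private key and is the same certificate as the .CER, that the certificate's DNS name matches the REST endpoint (the check the install script logs as "Checking if subject name of the provided certificate matches Rest End Point"), and that the staged root is self-signed and actually issued the NC certificate.

```powershell
# Added example, not code from the original post.
# Assumptions: staging root and REST endpoint name are hypothetical placeholders.
function Test-NcCertificateStaging {
    param(
        [string]$StagingRoot,
        [string]$RestEndpoint,
        [securestring]$PfxPassword
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Each *.cr folder is expected to hold exactly one file of the given type.
    function Get-StagedFile([string]$Folder, [string]$Extension) {
        $files = @(Get-ChildItem -Path (Join-Path $StagingRoot $Folder) -Filter "*$Extension" -File -ErrorAction SilentlyContinue)
        if ($files.Count -ne 1) {
            $problems.Add("$Folder should contain exactly one $Extension file, found $($files.Count)")
            return $null
        }
        $files[0].FullName
    }

    $pfxPath  = Get-StagedFile 'ServerCertificate.cr'      '.pfx'   # certificate + private key
    $cerPath  = Get-StagedFile 'NCCertificate.cr'          '.cer'   # public certificate
    $rootPath = Get-StagedFile 'TrustedRootCertificate.cr' '.cer'   # issuing CA root

    $cer = $null
    if ($pfxPath -and $cerPath) {
        # Opening the PFX throws on a wrong password, which is itself a useful early failure.
        $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $PfxPassword)
        $cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

        if (-not $pfx.HasPrivateKey) { $problems.Add('ServerCertificate.cr PFX carries no private key') }
        if ($pfx.Thumbprint -ne $cer.Thumbprint) {
            $problems.Add("PFX ($($pfx.Thumbprint)) and CER ($($cer.Thumbprint)) are not the same certificate")
        }
        # GetNameInfo returns the SAN DNS name, or the subject CN when there is no SAN.
        $dnsName = $cer.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $RestEndpoint) {
            $problems.Add("Certificate is issued to '$dnsName' but RestEndPoint is '$RestEndpoint'")
        }
        if ($cer.NotAfter -lt (Get-Date).AddDays(30)) { $problems.Add("Certificate expires on $($cer.NotAfter)") }
    }
    if ($rootPath) {
        $root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rootPath)
        if ($root.Subject -ne $root.Issuer) {
            $problems.Add('TrustedRootCertificate.cr does not hold a self-signed root certificate')
        } elseif ($cer -and $cer.Issuer -ne $root.Subject) {
            $problems.Add('NC certificate was not issued by the staged root CA')
        }
    }
    return ,$problems
}

$findings = Test-NcCertificateStaging -StagingRoot 'C:\Temp\NC' -RestEndpoint 'MultiNodeNC.fabric.cloud' `
                                      -PfxPassword (Read-Host -AsSecureString -Prompt 'PFX password')
if ($findings.Count -eq 0) { 'Certificate staging looks correct.' }
else { $findings | ForEach-Object { "PROBLEM: $_" } }
```

Run this before copying the .cr folders to the VMM library share; a name mismatch caught here is far cheaper than the same mismatch surfacing as a failed service template job.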

  3. Thank you David, I have the placement of the certificate correct now.
    But again I get a new error, which I can't understand. This only happens on one of the network controller nodes.

    The script command exit code 1 matched the failure policy setting “Match any value other than zero.” Standard output log data: “6T09:54:20.9549965+07:00]Checking if node ‘fabric-nc02.fabric.cloud’ is ready for NC deployment..
    [2017-11-16T09:54:20.9549965+07:00]Caught an exception:
    [2017-11-16T09:54:20.9706175+07:00] Exception Type: System.Management.Automation.Remoting.PSRemotingTransportException
    [2017-11-16T09:54:20.9706175+07:00] Exception Message: Connecting to remote server fabric-nc02.fabric.cloud failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer fabric-nc02.fabric.cloud. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
    [2017-11-16T09:54:20.9764167+07:00] Exception HResult: -2146233087
    [2017-11-16T09:54:20.9804432+07:00]Exceeded timeout when waiting for node ‘fabric-nc02.fabric.cloud’ to become ready.
    [2017-11-16T09:54:20.9804432+07:00] Please check the state of “

    1. Hi Sarin,

      Unfortunately, the Service Template deployment can be a little flaky at times. Have you tried right-clicking the failed job in VMM and selecting restart? If that doesn't work and fails with the same error, it may be quicker just to remove the service and restart. However, I'm pretty sure that error refers to the fact your 2nd NC didn't join the domain for some reason. You can try logging on via the Hyper-V console, manually adding it to the domain, updating DNS and then trying to restart the VMM job. As I said above though, it sometimes just makes more sense to delete and restart.

      I hope that helps,
      David

      1. Thank you David. The NC didn't receive a static IP address, so it didn't join the domain.
        I have deleted the service and restarted the deployment process.
        Then I'm stuck at another type of error; restarting the deployment still gets the same error. Also totally deleting and redeploying the service template still gives the same error.

        Error (22631)
        The script command exit code 1 matched the failure policy setting “Match any value other than zero.” Standard output log data: “:00:03.3562165+07:00]Checking if network controller is finished..
        [2017-11-17T12:01:16.8544202+07:00]Checking if network controller is finished..
        [2017-11-17T12:02:30.3601200+07:00]Checking if network controller is finished..
        [2017-11-17T12:03:43.8456982+07:00]Checking if network controller is finished..
        [2017-11-17T12:04:57.3462149+07:00]Checking if network controller is finished..
        [2017-11-17T12:06:10.8510346+07:00]Checking if network controller is finished..
        [2017-11-17T12:07:24.3456066+07:00]Checking if network controller is finished..
        [2017-11-17T12:08:37.8608701+07:00]Checking if network controller is finished..
        [2017-11-17T12:09:51.3509259+07:00]Checking if network controller is finished..
        [2017-11-17T12:11:04.8569094+07:00]Checking if network controller is finished..
        [2017-11-17T12:11:18.3504628+07:00]There was a problem connecting to the network controller at MultiNodeNC.fabric.cloud.
        [2017-11-17T12:11:18.3504628+07:00]Please check the status of the controller and restart the ”

        Recommended Action
        If the script command’s job restart action is set to restart, then the script will be re-executed. Otherwise, the script command will be skipped when the job is restarted, in which case corrective action should be taken to mitigate the effects of the script command failure.

        1. Hi Sarin,

          I'd check to see if MultiNodeNC.fabric.cloud exists in DNS and that it's pointing to the correct IP address. If you're redeploying from scratch, you'll also need to delete this record from DNS, as the deployment creates this entry itself. Can you ping MultiNodeNC.fabric.cloud from the VMM server? If you change the IP address for MultiNodeNC.fabric.cloud between deployments, you'll also need to clear out your DNS cache (I'm sure you know that though 🙂 )

          Microsoft also have a documented removal process that may help: https://docs.microsoft.com/en-gb/system-center/vmm/sdn-remove?view=sc-vmm-1711#remove-the-network-controller

          I hope that helps.

          David

  4. The DNS host record was pointing to the wrong IP. I deleted the record and restarted the deployment. Then it was successful 🙂

  5. Hi, David,

    The deployment completed successfully, but I am getting Is Network Controller = False when I try to add the service to VMM.

    Event ID 151 API service failed to configure the virtual IP address WeirSDN.cloud.weir on the network interface Ethernet.

    Event ID 131 Error during primary loss of service fabric:/NetworkController/SlbManagerService on node NC02.

    Event ID 129 Could not promote instance of service fabric:/NetworkController/ApiService on node US159PH-NC02.cloud.weir to primary

    Thank you,
    Karen

    1. Hi Karen,

      When adding the NC service to SCVMM, are you using the FQDN and the Service name you used during the deployment? Looking at the errors you posted, it looks like you are, but I thought I'd better double check. Have you checked the status of all 3 NC VMs, as it looks like NC2 is having an issue? You can try logging into one of the other NC VMs and running the following from an elevated PowerShell console: Get-NetworkControllerNode. If everything is working as expected, all 3 nodes should report a "Status" of "Up". That's the best place to start your troubleshooting, though; unfortunately I no longer have a lab environment up and running to check things against, so am having to work from memory here 🙂

      Best regards,
      David
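A health check that covers the points raised across this thread (node status from Get-NetworkControllerNode, the REST endpoint's DNS record, and the REST listener itself), as an added example that is not part of the original post or any reply. It runs on one of the NC VMs, where the NetworkController module is present. The REST endpoint name MultiNodeNC.fabric.cloud is the placeholder from the thread; substitute your own. DNS is queried with -DnsOnly so a stale local cache cannot mask a wrong A record, and the resolved address is compared with the REST IP the controller was installed with.

```powershell
# Added example, not code from the original post. Run on an NC VM.
# Assumption: the REST endpoint name is a placeholder.
function Test-NcHealth {
    param([string]$RestEndpoint)
    $report = [ordered]@{}

    # 1. Every cluster node should report Status 'Up'. A node that is Down is
    #    where "could not promote ... to primary" events tend to originate.
    $nodes = @(Get-NetworkControllerNode)
    $report.NodeCount = $nodes.Count
    $report.NodesUp   = @($nodes | Where-Object Status -eq 'Up').Count
    $report.NodesDown = @($nodes | Where-Object Status -ne 'Up' | Select-Object -ExpandProperty Name)

    # 2. Resolve the REST endpoint against DNS (bypassing the local cache) and
    #    compare with the REST IP the controller was installed with. A record
    #    left over from an earlier deployment attempt gives exactly the
    #    "problem connecting to the network controller" failure seen above.
    $ctl    = Get-NetworkController
    $restIp = if ($ctl.RestIPAddress) { ($ctl.RestIPAddress -split '/')[0] } else { $null }
    $dnsIp  = @(Resolve-DnsName -Name $RestEndpoint -Type A -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $report.RestIpConfigured = $restIp
    $report.RestIpInDns      = $dnsIp
    $report.DnsMatches       = ($dnsIp.Count -gt 0) -and (($null -eq $restIp) -or ($dnsIp -contains $restIp))

    # 3. The REST listener should accept a TCP connection on 443 by name.
    $report.Port443Open = Test-NetConnection -ComputerName $RestEndpoint -Port 443 -InformationLevel Quiet

    # 4. An authenticated GET against the API. This needs an account in the NC
    #    client security group and a server certificate this machine trusts,
    #    which are the same two things VMM needs when you add the controller.
    try {
        $null = Invoke-RestMethod -Uri "https://$RestEndpoint/networking/v1/servers" -UseDefaultCredentials
        $report.ApiReachable = $true
    } catch {
        $report.ApiReachable = $false
        $report.ApiError     = $_.Exception.Message
    }
    [pscustomobject]$report
}

$h = Test-NcHealth -RestEndpoint 'MultiNodeNC.fabric.cloud'
$h | Format-List
if ($h.NodesDown.Count) { Write-Warning "Nodes not Up: $($h.NodesDown -join ', ')" }
if (-not $h.DnsMatches) {
    Write-Warning "REST endpoint A record is missing or points at the wrong address; fix it in DNS, then run Clear-DnsClientCache on the VMM server before retrying"
}
```

If step 4 fails with a certificate error while steps 1 to 3 pass, the NC is healthy and the problem is trust: check that the root CA from TrustedRootCertificate.cr is installed on the machine you are testing from, and on the VMM server, before blaming the controller.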
