Deploy Windows Admin Center in HA through Kemp Load Balancer

Windows Admin Center (formerly Honolulu Project) was released in April 2018 by Microsoft. WAC is a web-based management tool to help to administrate Windows Server and hyperconverged cluster. In part of my job, I use primarily Windows Admin Center for Storage Spaces Direct Cluster and to manage Windows Server in Core edition especially drivers. Since the release of Windows Admin Center, Microsoft provides the capability to deploy it in high availability. In this topic we’ll see how to deploy Windows Admin Center in this manner. Moreover, some of customers want to connect to WAC through a load balancer such as Kemp to avoid private certificate management and to be able to connect from the Internet. So, we’ll see also how to connect to WAC through a Kemp load balancer.

Requirements

To follow this topic, you need the following:

  • 2x virtual machines
    • I set 2vCPU, 4GB of memory, a dynamic OS disk of 60GB
    • I deployed Windows Server 2016 in Core edition
    • 1x Network Adapter for management
    • 1x Network Adapter for cluster
    • The VM must be joined to the Active Directory domain
  • 1x shared disk of 10GB for these two VMs. You can use traditional iSCSI, FC LUN or shared VHDX / VHD Set
  • 1x IP in management network for the cluster
  • 1x IP in management network for Windows Admin Center cluster resource
  • 1x Name for the cluster (in this example: Cluster-WAC01.SeromIT.local)
  • 1x Name for Windows Admin Center cluster resource (in this example: WAC.SeromIT.local)

You need also to download the latest Windows Admin Center build from this link and the script to deploy WAC in high availability from this link.

Deploy the cluster

First of all, we have to deploy features on both virtual machine. I install Failover Clustering and its PowerShell module with these cmdlet:

Install-WindowsFeature RSAT-Clustering-PowerShell, Failover-Clustering -ComputerName "Node1"
Install-WindowsFeature RSAT-Clustering-PowerShell, Failover-Clustering -ComputerName "Node2"

Then I initialize the shared disk. First, I show disks connected to the VM. The disk 0 is for operating system and disk 1 is the shared disk. Then I initialize the disk and I create a NTFS volume:

Initialize-Disk -Number 1
New-Volume -DiskNumber 1 -FriendlyName Data -FileSystem NTFS

Once the volume is created, I run a test cluster to check if nodes are compliant to be part of a cluster. To execute this validation, I run the following cmdlet:

Test-Cluster -Node Node1,Node2

N.B: My test reports an issue related to software update levels: it is because I have not the last Windows Defender signature on one node.

Once you have validated the report, you can create the cluster by running the following cmdlet. I specify NoStorage option to avoid that my shared disk is taken by the cluster for witness usage.

New-Cluster -Node Node1, Node2, -Name ClusterName -StaticAddress ClusterIPAddress -NoStorage

Once the cluster is created, I move the Cluster Name Object (CNO) to a specific OU. Then I add the permission to this CNO to create computer object in this OU.

Next I rename cluster network to Management and Cluster. The network cluster with Cluster and Client role is renamed Management and the one with the cluster role is called … cluster.

(Get-Cluster -Name ClusterName | Get-ClusterNetwork -Name "Cluster Network 1").Name="Management"
(Get-Cluster -Name ClusterName | Get-ClusterNetwork -Name "Cluster Network 2").Name="Cluster"

Then I add a file share witness. For that I have created a share on my domain controller server called Cluster-WAC$:

Get-Cluster -Name ClusterName | Set-ClusterQuorum -FileShareWitness "\\path\to\the\file\share\witness"

To finish I add a the Cluster Shared Volume (CSV):

Get-Disk -Number 1 | Add-ClusterDisk
Add-ClusterSharedVolume -Name "Cluster Disk 1"
(Get-ClusterSharedVolume -Name "Cluster Disk 1").Name="Data"
Rename-Item C:\ClusterStorage\Volume1\ Data

As you can see in the failover clustering console, the file share witness is well configured.

The cluster network are renamed to Management and Cluster.

The CSV is present in the cluster and it’s called Data.

(Optionnal) Get a certificate from enterprise PKI

If you want to use your own enterprise PKI, you can follow these steps. Connect to an enterprise CA and manage the template. Duplicate the Web Server template. In the Subject Name, choose Supply in the request. Allow also the private key to be exportable.

Then request a certificate from the MMC or from the web interface and specify the following information:

  • Subject Name: Common Name as the Windows Admin Center cluster resource Name
  • Subject Alternative Name:
    • DNS: Windows Admin Center Cluster resource name
    • DNS: first node FQDN
    • DNS: second node FQDN

Then export the certificate and its private key in a PFX file.

Deploy Windows Admin Center

In a folder on a node of the cluster, you should have the following files: (WAC.pfx only if you have created your own certificate from the enterprise PKI)

Run the following cmdlets to deploy Windows Admin Center in the cluster:

$CertPassword = Read-Host -AsSecureString
.\Install-WindowsAdminCenterHA.ps1 -ClusterStorage c:\ClusterStorage\Data -ClientAccessPoint WACClusterResourceName -MSIPath c:\path\to\WAC\build.msi -CertPath c:\path\to\pfx\file.pfx -CertPassword $CertPassword -StaticAddress IPAddressForWAC

N.B: If you have no enterprise PKI, you can deploy the service by running the following cmdlet:

.\Install-WindowsAdminCenterHA.ps1 -ClusterStorage c:\ClusterStorage\Data -ClientAccessPoint WACClusterResourceName -MSIPath c:\path\to\WAC\build.msi -StaticAddress IPAddressForWAC -GenerateSSLCert

After some times, the service is deployed in the failover clustering and you have now Windows Admin Center in high availability.

If you specify the name of the WAC cluster resource as below, you can connect to Windows Admin Center.

Configure Kemp Load Balancer

First of all, I create a rule to redirect the traffic to the right service. Because this is a reverse proxy, a single IP address is used for several web services. In this configuration I use the web service URL to redirect traffic to the right web server. To make it work, a rule as the following must be created.

Then I create a Sub Virtual Service in my reverse proxy virtual service. I name it Windows Admin Center and I specify the name of the WAC cluster resource.

Then I map the rule I have previously created with the Windows Admin Center Sub Virtual Service:

To finish, verify that the SSL Acceleration is activated with the right public certificate as below:

Then I connect to Windows Admin Center through the Kemp Load Balancer. As you can see, the certificate is validated without any warning and I can get access to WAC. Thanks to these settings, you can access to WAC through the Internet.

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

2 comments

  1. I start executing the script, simply execution stops at node 1. What can it be?

    To be able to help me, I thank you very much.

Leave a Reply