Difference between revisions of "Red Cloud Windows Instances"

From CAC Documentation wiki
 
(24 intermediate revisions by 4 users not shown)
Line 7: Line 7:
 
Currently Red Cloud offers VM images running the following versions of Windows:
 
Currently Red Cloud offers VM images running the following versions of Windows:
  
 +
:* Windows Server 2019
 
:* Windows Server 2016
 
:* Windows Server 2016
  
 
=== Steps ===
 
=== Steps ===
 
# Log in to the [https://redcloud.cac.cornell.edu OpenStack Web Interface] (check out [[OpenStack#Logging_In|how to log in]] if you need to)
 
# Log in to the [https://redcloud.cac.cornell.edu OpenStack Web Interface] (check out [[OpenStack#Logging_In|how to log in]] if you need to)
# If you have not already, create a [[OpenStack#Key_Pairs|Key pair]]
+
# If you have not already, [[OpenStack Key Pairs#Creating_a_Key_Pair|create a key pair]]
# If you have not already, create a [[OpenStack#Security_Groups|Security group]].  Note that your security group should include the inbound RDP port (3389) rule from at least your current IP address so you can connect to it.
+
# If you have not already, [[OpenStack Security Groups#Creating a Security Group|create a security group]].  Note that your security group should include the inbound RDP port (3389) rule from at least your current IP address so you can connect to it.
# '''Optional:''' [[OpenStack#Private Network|Set up a Private Network]]
+
# '''Optional:''' [[Networks#Private Networks|Set up a Private Network]]
 
# Select <tt>Launch Instance</tt> from the [https://redcloud.cac.cornell.edu/dashboard/project/instances/ Instances] page
 
# Select <tt>Launch Instance</tt> from the [https://redcloud.cac.cornell.edu/dashboard/project/instances/ Instances] page
 
# Follow the instructions about [[OpenStack#Launch an Instance|launching a new instance]], and select one of the Windows [[Images|images]] under the <tt>Source</tt> tab
 
# Follow the instructions about [[OpenStack#Launch an Instance|launching a new instance]], and select one of the Windows [[Images|images]] under the <tt>Source</tt> tab
# '''Optional:''' [[OpenStack#Create and Attach a Volume|Create and attach a Volume]]
+
# '''Optional:''' [[Volumes#Create and Attach a Volume|Create and attach a Volume]]
# '''Optional:''' [[OpenStack#Floating IP|Associate a Floating IP address]]
+
# '''Optional:''' [[Networks#Floating IP Addresses|Associate a Floating IP address]]
  
Now that you have created and launched an instance, your next steps will be to [[Connect to Windows|connect to it]] and set up a new user account.  See the [[#To Do On First Login|To Do On First Login]] section for more information on how to set up a new user, update, and other useful information.  Also, consult the [[#Working with Windows Instances|Working with Windows Instances]] section.
+
Now that you have created and launched an instance, your next steps will be to [[#Accessing_Instances|connect to it]] and set up a new user account.  See the [[#To Do On First Login|To Do On First Login]] section for more information on how to set up a new user, update, and other useful information.  Also, consult the [[#Working with Windows Instances|Working with Windows Instances]] section.
  
 
== Accessing Instances ==
 
== Accessing Instances ==
  
 +
:* Windows instances are accessible via the Remote Desktop Protocol. You can then log in to the Windows instance using Microsoft's Remote Desktop program for Windows or Mac, or with rdesktop for Linux. The name of the computer in Red Cloud is simply the public IP address of the instance (e.g., 128.84.8.42).
 
:* Make sure your security group allows access to RDP port (3389) from your current IP address.
 
:* Make sure your security group allows access to RDP port (3389) from your current IP address.
 +
:* '''[[Connect to Windows]]''' - This page details how to connect to Windows Instances using remote desktop.
 +
 +
=== Initial access for new server setup ===
 +
Follow these steps to login to a Windows instance for the first time. After completing the setup checklist, these steps will no longer be required.
 
:* The first time you start a Windows instance it may take up to 10 minutes or more from pushing the start button, depending on the size of the instance, before you can log in.
 
:* The first time you start a Windows instance it may take up to 10 minutes or more from pushing the start button, depending on the size of the instance, before you can log in.
 
:* After your instance is running you should be able to Remote Desktop into it.
 
:* After your instance is running you should be able to Remote Desktop into it.
Line 29: Line 35:
 
:*# Wait until the OpenStack Web Interface says the instance is running
 
:*# Wait until the OpenStack Web Interface says the instance is running
 
:*# Select instance -> Actions -> Retrieve Password
 
:*# Select instance -> Actions -> Retrieve Password
:*# Select your Private Key File (that you created when you created a [[OpenStack#Key Pairs|Key Pair]]) and select <tt>Decrypt Password</tt>.  The password for user Administrator will be displayed.
+
:*# Select your Private Key File (that you created when you created a [[OpenStack#Key Pairs|Key Pair]]) and select <tt>Decrypt Password</tt>.  The password for user named "Administrator" will be displayed.  
:*# You can then log in to the Windows instance using Microsoft's Remote Desktop program for Windows or Mac, or with rdesktop for Linux. The name of the computer in Red Cloud is simply the public IP address of the instance (e.g., 128.84.8.42).
 
 
:* We '''highly recommend''' you create a new Administrative account.  For more information, see the [[#Create New Users|Create New Users]] section below.
 
:* We '''highly recommend''' you create a new Administrative account.  For more information, see the [[#Create New Users|Create New Users]] section below.
  
'''[[Connect to Windows]]''' - This page details how to connect to Windows Instances using remote desktop.
+
=== After user accounts are setup ===
 +
:* You will probably need to be connected to the [https://it.cornell.edu/cuvpn Cornell VPN] in order to connect to the instance unless it was specifically configured to allow non-Cornell access.
 +
:* The username and password to connect via Remote Desktop will correspond to the user accounts created on the Windows Server during or after the initial connection and server setup. Though your netID may be used for both your CAC and Windows server account name, these accounts are distinct --- the Windows account will not use your CAC password.
  
 
== To Do On First Login ==
 
== To Do On First Login ==
Line 40: Line 47:
  
 
=== Create New Users ===
 
=== Create New Users ===
 +
Create at least one new account with Administrative privileges. While it is possible to retrieve the default "Administrator" account password using the procedure described above, the default Administrator account password will change each time the instance is stopped and restarted and you will need to retrieve it each time you want to connect. If you create a new Admin or user account on the machine, the account and password are retained when stopping and starting the instance.
  
We '''highly recommend''' you at least create a new Administrative account which will persist if you stop and restart an instance. The default Administrator account password will change each time the instance is stopped and restarted. Accounts for users can also be created as you would normally do in Windows:
+
You can create accounts for users and administrators on a Red Cloud-hosted Windows Server instance using the account management tools in the Windows Server OS. In general, user accounts should not have administrative privileges and even project personnel with administrative access should consider creating and using a separate non-administrator user account for non-administrator tasks.
  
# Go to Control Panel > User Accounts > Add or remove user accounts
+
==== Create user accounts ====
# Create accounts for all desired users as administrators using Cornell NetIDs
 
# For each account, assign a temporary password, such as "changeme"
 
  
If you create a new Admin or user account on the machine, the account and password are retained when stopping and starting the instance. If you stop the instance, the default Administrator account password gets reset when you start the instance. You can get the password the same way as previously described.
+
# Go to Control Panel and follow this sequence of links: User Accounts,  User Accounts, Manage another account.
 +
#* The heading will show Control Panel > User Accounts > User Accounts > Manage Accounts.
 +
# Create accounts for all desired users using Cornell NetIDs as the username.
 +
#* Click "Add a user account"
 +
#* Assign a temporary password, such as "ur2.Change.Me" and securely communicate this password to the user.
 +
#* The password complexity requirements stipulate that passwords must contain capital and lowercase letters, numerals and special characters.
 +
 
 +
==== Promote user to administrator (most users should not be administrators) ====
 +
# Only if this account should have administrator privileges:
 +
#* Click the newly created account in the Control Panel > User Accounts > User Accounts > Manage Accounts
 +
#* Click "Change the account type"
 +
#* Click the radio button for "Administrator"
  
 
=== Windows Activation ===
 
=== Windows Activation ===
  
The Windows instance is '''not activated''' by default, but it can be done for free through Cornell. Cornell provides free Windows license keys to members of its community via a server. You must tell Windows which server to use and then ask it to go get a license. If you attempt to activate Windows without using a Cornell license, you will most likely receive the following error: <tt>Activation Error: Code 0x8007232b</tt>. To avoid this, follow these steps:
+
The Windows instance is '''not activated''' by default, but it can be done for free through Cornell. Cornell provides Windows license keys to members of its community via a server. You must tell Windows which server to use and then ask it to go get a license. If you attempt to activate Windows without using a Cornell license, you will most likely receive the following error: <code>Activation Error: Code 0x8007232b</code>. To avoid this, follow these steps (which are also [https://it.cornell.edu/software-licensing/using-kms-manually-activate-software#section-1 documented at the CIT website]):
:* To find a KMS server, from a windows computer in your current domain (not the instance), start the command prompt as administrator and issue the command: <br /><code>nslookup -type=all _vlmcs._tcp>kms.txt</code>
+
:* On the Windows instance, open a command prompt (cmd) as Administrator and switch to the <code>system32</code> folder: <br /><code>cd \Windows\system32</code>
:* The kms.txt file contains the information you need to activate windows in Red Cloud; there should be one or more entries for KMS servers.
+
:* Enter the following command to specify the server you will use for activation: <br /><code>cscript slmgr.vbs /skms kms01.cit.cornell.edu</code>
:** Pick one entry and use the '''svr hostname''' and '''port''' in the next step.  It will probably be something like <code>kms01.cit.cornell.edu and 1688</code>
+
:* Enter the following command to activate Windows: <br /><code>cscript slmgr.vbs /ato </code>
:* Open a command prompt as administrator on the Windows instance and use the information from the kms.txt as follows: <br /><code>cscript \windows\system32\slmgr.vbs /skms <svr hostname>:<port></code>
+
After you have activated Windows, it does stay activated through stops and starts of an instance.   
:** For example, you might enter the following: <br /><code>cscript \windows\system32\slmgr.vbs /skms kms2.xyz.cornell.edu:1688</code>
 
:* At this point, you should right click on Computer and select 'Properties' in your Windows instance, then activate it. Alternatively, you can enter the following command: <br /><code>cscript \windows\system32\slmgr.vbs /ato</code>
 
 
 
If you have Activated Windows it does stay activated on stop and start of an instance.   
 
  
 
'''Note:''' Please refer to [//support.microsoft.com/kb/929826 Microsoft support] for more information on activating Windows
 
'''Note:''' Please refer to [//support.microsoft.com/kb/929826 Microsoft support] for more information on activating Windows
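Review bot: The added step 'Assign a temporary password, such as "ur2.Change.Me"' puts a literal password on the page, and admins who copy it will all set the same known value on accounts that are reachable over RDP. Suggest dropping the literal, telling admins to generate a unique temporary password for each user, and stating that the user must replace it after first sign-in. The following bullet on complexity requirements can stay as the only guidance on what the password must contain.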
Line 67: Line 80:
 
These steps help to keep your system up-to-date and secure, and are '''strongly recommended'''.
 
These steps help to keep your system up-to-date and secure, and are '''strongly recommended'''.
  
 +
'''On Windows Server 2016'''
 
:* Turn on Automatic Updates in Settings > Updates & security and Check Updates
 
:* Turn on Automatic Updates in Settings > Updates & security and Check Updates
 
:* Turn on Real-time protection in Settings > Updates & security > Windows Defender
 
:* Turn on Real-time protection in Settings > Updates & security > Windows Defender
 
:* Open Windows Defender and Update definitions under the Update tab to get the latest virus definitions
 
:* Open Windows Defender and Update definitions under the Update tab to get the latest virus definitions
 +
 +
'''On Windows Server 2019'''
 +
:* Turn on Automatic Updates in Settings > Updates & security and Check Updates
 +
:* Turn on Real-time protection in Settings > Updates & security > Windows Security
 +
:* Open Windows Security and choose "Check for updates" under the "Virus & threat protection"
  
 
=== For Convenience ===
 
=== For Convenience ===
Line 78: Line 97:
 
== Working with Windows Instances ==
 
== Working with Windows Instances ==
  
'''Note:''' Anything installed or stored on the C: drive will be retained. If you want data other than the C: drive kept then use a [[OpenStack#Volumes|storage volume]].
+
'''Note:''' Anything installed or stored on the C: drive will be retained. If you want data other than the C: drive kept then use a [[Volumes|storage volume]].
  
 
=== Creating a Windows instance with a larger C: drive ===
 
=== Creating a Windows instance with a larger C: drive ===
Line 84: Line 103:
 
If you're running Windows, you probably know the C: drive can fill up quickly with Windows security patches, etc. so you may want your Windows instance to have a larger C: drive than the default, which is 30GB.  Before proceeding to do this, be sure to check the Red Cloud storage limit for your project.
 
If you're running Windows, you probably know the C: drive can fill up quickly with Windows security patches, etc. so you may want your Windows instance to have a larger C: drive than the default, which is 30GB.  Before proceeding to do this, be sure to check the Red Cloud storage limit for your project.
  
This may be done in the OpenStack web portal when launching a new instance on the Source tab by setting the Volume size to a larger amount.
+
This may be done in the OpenStack web portal when launching a new instance on the Source tab by setting the [[Volume]] size to a larger amount.
  
 
OR
 
OR
  
If the instance has already been created and is currently running, this may be done by creating a new [[Volume]] and attaching it to the instance.
+
If the instance has already been created and is currently running, this may be done by [[Volumes#Create|creating a new volume]] and [[Volumes#Attach|attaching]] it to the instance.
 +
 
 +
== Instance Maintenance ==
 +
 
 +
All self-managed desktops, laptops, servers, and Red Cloud instances, both Windows and Linux, should be updated with Operating System and Adobe Acrobat Reader critical and security updates on a '''''monthly''''' basis. 
 +
 
 +
* Open Settings and search for "Check for updates". Click "Check for updates" and verify that you are up to date.
 +
* If Adobe Reader is installed, open it and click the Help menu bar item. Choose "Check for Updates..."
 +
* Run updater applications or checks for other third-party software you may have installed on your instance (e.g. Java).
 +
 
 +
Before rebooting make sure to save all active work.  Rebooting will disconnect you from the instance.  Wait a minute or two to allow the instance to restart before reconnecting.  When you reconnect, you should verify that the updates were applied by repeating step 1.
 +
 
 +
== Initialize and Mount a Volume ==
 +
 
 +
WARNING: FILE SYSTEM INITIALIZATION OVERWRITES AND DESTROYS PREVIOUS DATA.
 +
 
 +
The instructions here are for formatting and mounting [[Volumes|attached volumes]], though steps like these can only be performed if you have [[Volumes#Create_and_Attach_a_Volume|allocated and attached the volume]] through OpenStack, which can be done while the instance is running.
 +
 
 +
First, [[#Accessing_Instances|logon to your instance]], then follow the steps below for using either a [[#GUI|GUI]] or [[#PowerShell|PowerShell]] depending on your preference.
 +
 
 +
=== GUI ===
 +
 
 +
# Open command prompt (run as administrator)
 +
# Type <code>diskmgmt</code> and press Enter
 +
# Right-click on <tt>Unknown Disk</tt> and select <tt>Online</tt>
 +
# Right-click again on <tt>Unknown Disk</tt> and select <tt>Initialize Disk</tt>
 +
#* Check Disk you want to add, Check GPT select <tt>Next</tt>
 +
# Right-click on <tt>Unallocated Disk</tt> (area has a black strip over it), select <tt>New Simple Volume</tt>
 +
# Take all defaults unless you want to change drive letter and/or add volume label
 +
# Select <tt>Finish</tt>
 +
# Open File Explorer and verify that the new drive is there
 +
 
 +
=== PowerShell ===
 +
 
 +
# Open PowerShell (run as administrator)
 +
# Type the following:
 +
  get-disk #write down number of the offline disk you will need it
 +
  Initialize-Disk -Number 1
 +
  New-Partition -DiskNumber 1 -UseMaximumSize -AssignDriveLetter #write down the number of the partition number will be using this for formatting
 +
  Get-Partition -DiskNumber 1 -PartitionNumber 2 | Format-Volume -FileSystem NTFS -NewFileSystemLabel temp #For New label you can name it whatever you want or you don’t need to add it if you don’t want disk label.
 +
 
 +
{{Migrate leadout}}
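Review bot: In the added PowerShell steps the comments tell the reader to write down the disk and partition numbers, but the commands hard-code <code>-Number 1</code>, <code>-DiskNumber 1</code> and <code>-PartitionNumber 2</code>, so a reader who pastes them on an instance where the new volume is not disk 1 formats a partition on the wrong disk, which the WARNING above says destroys data. Suggest writing the numbers as placeholders to be filled in from the <code>get-disk</code> output, and adding a step to confirm that the target disk is the uninitialized one before running <code>Initialize-Disk</code>.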

Latest revision as of 17:22, 21 October 2021

Windows Instances can be created and maintained on Red Cloud using the OpenStack Web Interface. This documentation assumes a basic understanding of OpenStack, so please review that page as needed.

Creating A New Windows Instance

Currently Red Cloud offers VM images running the following versions of Windows:

  • Windows Server 2019
  • Windows Server 2016

Steps

  1. Log in to the OpenStack Web Interface (check out how to log in if you need to)
  2. If you have not already, create a key pair
  3. If you have not already, create a security group. Note that your security group should include the inbound RDP port (3389) rule from at least your current IP address so you can connect to it.
  4. Optional: Set up a Private Network
  5. Select Launch Instance from the Instances page
  6. Follow the instructions about launching a new instance, and select one of the Windows images under the Source tab
  7. Optional: Create and attach a Volume
  8. Optional: Associate a Floating IP address

Now that you have created and launched an instance, your next steps will be to connect to it and set up a new user account. See the To Do On First Login section for more information on how to set up a new user, update, and other useful information. Also, consult the Working with Windows Instances section.

Accessing Instances

  • Windows instances are accessible via the Remote Desktop Protocol. You can log in to the Windows instance using Microsoft's Remote Desktop program for Windows or Mac, or with rdesktop for Linux. The name of the computer in Red Cloud is simply the public IP address of the instance (e.g., 128.84.8.42).
  • Make sure your security group allows access to RDP port (3389) from your current IP address.
  • Connect to Windows - This page details how to connect to Windows Instances using remote desktop.

Initial access for new server setup

Follow these steps to log in to a Windows instance for the first time. After completing the setup checklist, these steps will no longer be required.

  • The first time you start a Windows instance it may take up to 10 minutes or more from pushing the start button, depending on the size of the instance, before you can log in.
  • After your instance is running you should be able to Remote Desktop into it.
  • To log in to a Windows instance:
    1. Wait until the OpenStack Web Interface says the instance is running
    2. Select instance -> Actions -> Retrieve Password
    3. Select your Private Key File (that you created when you created a Key Pair) and select Decrypt Password. The password for user named "Administrator" will be displayed.
  • We highly recommend you create a new Administrative account. For more information, see the Create New Users section below.

After user accounts are set up

  • You will probably need to be connected to the Cornell VPN in order to connect to the instance unless it was specifically configured to allow non-Cornell access.
  • The username and password to connect via Remote Desktop will correspond to the user accounts created on the Windows Server during or after the initial connection and server setup. Though your NetID may be used for both your CAC and Windows server account name, these accounts are distinct: the Windows account will not use your CAC password.

To Do On First Login

After you have launched a Windows instance, there are a few recommended steps to take when you first log in, which are covered in the sections below: Create New Users, Windows Activation, and Security and Updates. The For Convenience section contains helpful suggestions that are not essential.

Create New Users

Create at least one new account with Administrative privileges. While it is possible to retrieve the default "Administrator" account password using the procedure described above, the default Administrator account password will change each time the instance is stopped and restarted and you will need to retrieve it each time you want to connect. If you create a new Admin or user account on the machine, the account and password are retained when stopping and starting the instance.

You can create accounts for users and administrators on a Red Cloud-hosted Windows Server instance using the account management tools in the Windows Server OS. In general, user accounts should not have administrative privileges and even project personnel with administrative access should consider creating and using a separate non-administrator user account for non-administrator tasks.

Create user accounts

  1. Go to Control Panel and follow this sequence of links: User Accounts, User Accounts, Manage another account.
    • The heading will show Control Panel > User Accounts > User Accounts > Manage Accounts.
  2. Create accounts for all desired users using Cornell NetIDs as the username.
    • Click "Add a user account"
    • Assign a temporary password, such as "ur2.Change.Me" and securely communicate this password to the user.
    • The password complexity requirements stipulate that passwords must contain capital and lowercase letters, numerals and special characters.

Promote user to administrator (most users should not be administrators)

  1. Only if this account should have administrator privileges:
    • Click the newly created account in the Control Panel > User Accounts > User Accounts > Manage Accounts
    • Click "Change the account type"
    • Click the radio button for "Administrator"

Windows Activation

The Windows instance is not activated by default, but it can be activated for free through Cornell. Cornell provides Windows license keys to members of its community via a server. You must tell Windows which server to use and then ask it to go get a license. If you attempt to activate Windows without using a Cornell license, you will most likely receive the following error: Activation Error: Code 0x8007232b. To avoid this, follow these steps (which are also documented at the CIT website):

  • On the Windows instance, open a command prompt (cmd) as Administrator and switch to the system32 folder:
    cd \Windows\system32
  • Enter the following command to specify the server you will use for activation:
    cscript slmgr.vbs /skms kms01.cit.cornell.edu
  • Enter the following command to activate Windows:
    cscript slmgr.vbs /ato

After you have activated Windows, it stays activated through stops and starts of an instance.

Note: Please refer to Microsoft support for more information on activating Windows.

Security and Updates

These steps help to keep your system up-to-date and secure, and are strongly recommended.

On Windows Server 2016

  • Turn on Automatic Updates in Settings > Updates & security and Check Updates
  • Turn on Real-time protection in Settings > Updates & security > Windows Defender
  • Open Windows Defender and Update definitions under the Update tab to get the latest virus definitions

On Windows Server 2019

  • Turn on Automatic Updates in Settings > Updates & security and Check Updates
  • Turn on Real-time protection in Settings > Updates & security > Windows Security
  • Open Windows Security and choose "Check for updates" under "Virus & threat protection"

For Convenience

  • Select "Work Network" when prompted by the network dialog
  • Turn off messages about not having performed a backup in Control Panel > System and Security > Action Center

Working with Windows Instances

Note: Anything installed or stored on the C: drive will be retained. If you want data kept anywhere other than the C: drive, use a storage volume.

Creating a Windows instance with a larger C: drive

If you're running Windows, you probably know the C: drive can fill up quickly with Windows security patches, etc. so you may want your Windows instance to have a larger C: drive than the default, which is 30GB. Before proceeding to do this, be sure to check the Red Cloud storage limit for your project.

This may be done in the OpenStack web portal when launching a new instance on the Source tab by setting the Volume size to a larger amount.

OR

If the instance has already been created and is currently running, this may be done by creating a new volume and attaching it to the instance.

Instance Maintenance

All self-managed desktops, laptops, servers, and Red Cloud instances, both Windows and Linux, should be updated with Operating System and Adobe Acrobat Reader critical and security updates on a monthly basis.

  • Open Settings and search for "Check for updates". Click "Check for updates" and verify that you are up to date.
  • If Adobe Reader is installed, open it and click the Help menu bar item. Choose "Check for Updates..."
  • Run updater applications or checks for other third-party software you may have installed on your instance (e.g. Java).

Before rebooting make sure to save all active work. Rebooting will disconnect you from the instance. Wait a minute or two to allow the instance to restart before reconnecting. When you reconnect, you should verify that the updates were applied by repeating step 1.

Initialize and Mount a Volume

WARNING: FILE SYSTEM INITIALIZATION OVERWRITES AND DESTROYS PREVIOUS DATA.

The instructions here are for formatting and mounting attached volumes. These steps can only be performed after you have allocated and attached the volume through OpenStack, which can be done while the instance is running.

First, log on to your instance, then follow the steps below for using either a GUI or PowerShell depending on your preference.

GUI

  1. Open command prompt (run as administrator)
  2. Type diskmgmt and press Enter
  3. Right-click on Unknown Disk and select Online
  4. Right-click again on Unknown Disk and select Initialize Disk
    • Check the disk you want to add, check GPT, and select Next
  5. Right-click on Unallocated Disk (area has a black strip over it), select New Simple Volume
  6. Take all defaults unless you want to change drive letter and/or add volume label
  7. Select Finish
  8. Open File Explorer and verify that the new drive is there

PowerShell

  1. Open PowerShell (run as administrator)
  2. Type the following:
 Get-Disk   # note the number of the offline disk; the commands below assume it is 1
 Initialize-Disk -Number 1
 New-Partition -DiskNumber 1 -UseMaximumSize -AssignDriveLetter   # note the partition number in the output; it is used for formatting
 Get-Partition -DiskNumber 1 -PartitionNumber 2 | Format-Volume -FileSystem NTFS -NewFileSystemLabel temp   # the label is optional; use any name, or omit -NewFileSystemLabel for no label
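
A guarded version of the PowerShell steps above, as an added example that is not part of the CAC documentation. It refuses to initialize anything but an empty (RAW) non-system disk, which is the failure the WARNING in this section is about; the disk number <code>1</code> and the label <code>data</code> are assumptions to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CAC wiki). Uses the built-in Storage module.
$ErrorActionPreference = 'Stop'

$DiskNumber = 1        # assumption: number shown by Get-Disk for the new volume
$Label      = 'data'   # assumption: any volume label you like

$disk = Get-Disk -Number $DiskNumber

# Never operate on the disk Windows boots from.
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot/system disk; refusing to continue."
}

# Bringing a disk online and clearing read-only does not modify its data.
if ($disk.IsOffline) {
    Set-Disk -Number $DiskNumber -IsOffline $false
}
$disk = Get-Disk -Number $DiskNumber
if ($disk.IsReadOnly) {
    Set-Disk -Number $DiskNumber -IsReadOnly $false
}

# Re-read the disk now that it is online. A freshly created volume has no
# partition table and reports RAW; MBR or GPT means it was initialized
# before and may hold data, so stop instead of formatting it.
$disk = Get-Disk -Number $DiskNumber
if ($disk.PartitionStyle -ne 'RAW') {
    throw ("Disk $DiskNumber already has a $($disk.PartitionStyle) partition table. " +
           "It may contain data; check the number against Get-Disk and the OpenStack volume list.")
}

# Same steps as on the page, with the partition taken from the output of
# New-Partition instead of a hard-coded partition number.
Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
$partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
$partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

# Show the result: drive letter, label, file system and size.
Get-Volume -DriveLetter $partition.DriveLetter
```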

Migrate an Instance to a New Project

Occasionally, you may have an instance in one Red Cloud project that you would like to migrate to a different project. If you have been working in an exploratory project and are transitioning to using a permanent project, you may want to bring along the instances you have created. Or, you may want to share an instance with someone who is working in another project. The steps to perform such migrations are not difficult and can be performed through the Red Cloud (Horizon) web interface.