Showing posts with label Active Directory. Show all posts

Support for Windows Active Directory 2022 Environments

Monday, October 17, 2022

As Scott Schnoll mentioned at MEC 2022, Microsoft now supports Active Directory environments running on Windows Server 2022 beginning with Exchange Server 2013 CU23 and Exchange Server 2016 CU23.


It's interesting to note that Exchange 2013 CU23 does not support Windows Server 2019 Active Directory, so if you're running Windows Server 2016 AD or earlier you should plan accordingly. There are no issues upgrading AD directly from a previous version to 2022, bypassing 2019 AD.

The highest Active Directory forest functional level supported by all supported versions of Exchange Server is still Windows Server 2016.

View the Exchange Server supportability matrix on Microsoft Learn.



How to migrate AAD Connect to a new server

Wednesday, July 21, 2021

As I posted earlier, Microsoft has released Azure Active Directory Connect version 2.0.3, which now requires Windows Server 2016 or later. Customers running AAD Connect on Windows Server 2012 or Windows Server 2012 R2 will need to install a new copy of AADC on a new computer running Windows Server 2016 or later.

In this walk-through I will show you how to do this and migrate all your current settings to the new Windows 2016 server. These same steps can be used whenever you wish to move AADC to a new server.

The high-level steps are:

  • Export the existing AAD Connect configuration from the current server.
  • Install the latest version of AADC on a new or existing Windows Server 2016 computer.
  • Import the AADC configuration, put it into staging mode, and sync.
  • Uninstall AADC from the old server.
  • Remove the new server from staging mode.


Begin by exporting the AADC configuration on the current server. Open Azure AD Connect and select View or export current configuration.

Select View or export current configuration and click Next

Click the Export Settings button

The settings will be exported as a single JSON file in C:\ProgramData\AADConnect by default.
Copy this file to the new AAD Connect server.

Now log in to the computer running Windows Server 2016 or later where you want to install AADC. This can be either a new or existing domain-joined server.

Download the latest version of AAD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594 and install it.

Start the AADC installer.


Select Customize since we're going to import the existing config.

Check Import synchronization settings and browse to the JSON file you copied from the old server.
Click Install to begin the installation.

The installer will walk you through setup using the existing config, similar to a manual upgrade.

Make sure Enable staging mode is checked, then click Install.

Installation will take a few minutes to complete and should look like this. Click Exit.

Open Computer Management on the new server and add the domain's Enterprise Admins group to the local ADSyncAdmins group so they can manage AAD Connect. Log off and back on to get the new management permissions.

You will notice that the two Azure AD Connect Health Sync services and the Microsoft Azure AD Sync service are now installed and running on the new server.

Open the Synchronization Service Manager client located at "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe". You will see that the initial full sync occurred on the new server.

Now you're ready to complete the AAD Connect migration by uninstalling AADC from the old server and disabling staging mode on the new server.

Log in to the old AADC server, open Programs and Features, and uninstall Microsoft Azure AD Connect.

Make sure to check "Also uninstall supporting components" and click Remove.

AADC is successfully uninstalled from the old server.

Now log in to the new AADC server again and run Azure AD Connect to disable staging mode.

Select Configure Staging Mode and click Next.


Enter the tenant credentials for an admin who has Hybrid Identity Administrator or Global Admin rights.

Clear the checkbox to Enable staging mode and click Next.


Click Configure to disable staging mode and start the sync process.

Click Exit. The migration to the new AAD Connect server is now complete!


The final step is to delete the old MSOL_<guid> user account from Active Directory. You will find one MSOL_<guid> user account for each AADC installation. Uninstalling AADC does not remove the old account from AD.

Using Active Directory Users and Computers, find the MSOL accounts. They are normally in the Users container. Examine the Description, which tells you which computer created each account.

Delete the MSOL_<guid> account that was created by the old AADC server.
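The Description check above can be scripted so the leftover account is identified by the computer it names rather than by eye. This is an added example, not part of the original walkthrough; the function name Get-MsolAccountOwner, the server names, and the exact description wording in the sample data are assumptions, and the sample accounts are constructed.

```powershell
# Added example (not from the original post). Classifies MSOL_<guid> connector
# accounts by the computer named in their Description, so the account left
# behind by the old AADC server can be reviewed before it is deleted.
# Assumption: the Description contains "... running on computer <NAME> ...".

function Get-MsolAccountOwner {
    [CmdletBinding()]
    param(
        # Objects exposing Name, Description and Enabled (for example Get-ADUser output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Account,

        # NetBIOS name of the server that runs AADC after the migration
        [Parameter(Mandatory)]
        [string]$CurrentServer
    )
    process {
        foreach ($a in $Account) {
            # Pull the computer name out of the description, if one is present
            $computer = $null
            if ($a.Description -match 'running on computer\s+([A-Za-z0-9_-]+)') {
                $computer = $Matches[1]
            }

            # Unknown = description missing or edited; needs a manual look
            if (-not $computer) {
                $status = 'Unknown'
            } elseif ($computer -ieq $CurrentServer) {
                $status = 'Current'
            } else {
                $status = 'Stale'
            }

            [pscustomobject]@{
                Name      = $a.Name
                CreatedBy = $computer
                Enabled   = $a.Enabled
                Status    = $status
            }
        }
    }
}

# Constructed sample data standing in for Get-ADUser output
$sample = @(
    [pscustomobject]@{
        Name        = 'MSOL_000000000001'
        Enabled     = $true
        Description = 'Account created by Microsoft Azure Active Directory Connect with installation identifier 00000000000000000000000000000001 running on computer OLDAADC configured to synchronize to tenant example.onmicrosoft.com.'
    }
    [pscustomobject]@{
        Name        = 'MSOL_000000000002'
        Enabled     = $true
        Description = 'Account created by Microsoft Azure Active Directory Connect with installation identifier 00000000000000000000000000000002 running on computer NEWAADC configured to synchronize to tenant example.onmicrosoft.com.'
    }
    [pscustomobject]@{
        Name        = 'MSOL_000000000003'
        Enabled     = $false
        Description = $null
    }
)

# Expected classification: OLDAADC -> Stale, NEWAADC -> Current, no description -> Unknown
$sample | Get-MsolAccountOwner -CurrentServer 'NEWAADC' | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module), run on the new server:
# Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description |
#     Get-MsolAccountOwner -CurrentServer $env:COMPUTERNAME
```

Only rows marked Stale correspond to the account this step tells you to delete; a row marked Unknown means the description was changed or is empty and should be checked by hand.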



Important updates to AAD Connect

Wednesday, July 21, 2021


AAD Connect is used to synchronize Active Directory with Azure Active Directory and is a critical component in an Exchange hybrid configuration. It's very important for admins to keep AAD Connect up-to-date with the latest build for security and feature enhancements.

Microsoft just released AAD Connect version 2.0.3.0, which includes a number of significant changes and new features. At the top of the list is that AADC is no longer supported on Windows Server 2012 R2 or earlier. This is because the built-in database, LocalDB, now uses components from SQL Server 2019, which requires Windows Server 2016 or later.

If you're currently running AADC on Windows Server 2012 or Windows Server 2012 R2, auto upgrade will not happen, for obvious reasons.

Customers running AADC on earlier operating systems will need to install a new copy of AADC on a new computer running Windows Server 2016 or later. I wrote a step-by-step walkthrough of that process in "How to migrate AAD Connect to a new server".

Other significant changes in this version include:

  • TLS 1.2 is enforced in this build. If TLS 1.2 is disabled in the OS, you will see an error message when attempting to install AAD Connect and the installation will not continue until you have enabled TLS 1.2.
  • Added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server:
    • Get-ADSyncToolsTls12
    • Set-ADSyncToolsTls12
  • You no longer need to be a Global Admin to install or manage AADC. The "Hybrid Identity Administrator" user role can now be used.
  • AAD now honors the "User must change password at next logon" flag when set in AD.

For a full list of all the new features and bug fixes, visit Azure AD Connect: Version release history.


New Article: How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync

Thursday, March 11, 2021

I just published an article describing the differences between using Azure AD Connect and Microsoft's new Azure AD Connect Cloud Sync service. In it, I give the information you need to decide if the new Cloud Sync service is right for you. (Spoiler alert: If you run Exchange hybrid, it isn't.)

Please read How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync on the Practical 365 website.


Why AAD Connect auto upgrade doesn't always upgrade

Monday, November 16, 2020

Azure AD Connect is a crucial component used to sync user accounts and enable mailboxes on-premises to be migrated to Microsoft 365. Not only does it synchronize accounts from Active Directory to Azure Active Directory, it also is used to configure authentication, provides ways for you to filter objects to sync, enables Exchange hybrid, allows for self-service password reset, enables seamless single sign-on, and more.

AAD Connect receives regular updates that include bug and security fixes as well as feature enhancements. Updates are normally delivered using AAD Connect's auto upgrade feature which is normally enabled by default. You can easily check to see if auto upgrade is configured by running the following cmdlet from your AAD Connect computer:

Get-ADSyncAutoUpgrade

Auto upgrade may be disabled if your deployment is more complicated (e.g., if you're using SQL Server instead of LocalDB) or if your admin has manually disabled it.

If AAD Connect auto upgrade is enabled, you may assume that it will automatically upgrade your AADC instance whenever a new version is released. That's not always the case. Clarification about this was recently added to the Azure AD Connect: Version release history website:

To clarify the use of Auto Upgrade, it is meant to push all important updates and critical fixes to you. This is not necessarily the latest version because not all versions will require/include a fix to a critical security issue (just one example of many). An issue like that would be addressed with a new version provided via Auto Upgrade. If there are no such issues, there are no updates pushed out using Auto Upgrade, and in general if you are using the latest auto upgrade version you should be good. However, if you’d like all the latest features and updates, the best way to see if there are any is to check this page and install them as you see fit.

Please follow this link to read more about auto upgrade.

In other words, auto upgrade will only upgrade if your version of AAD Connect needs it. This is similar to the way that Microsoft Update only applies updates for roles and features that are installed in Windows.

If you still want to manually install the latest version, simply download it from the Microsoft Azure Active Directory Connect website and install it. The current version number is listed in the Details section.



AAD Connect version 1.5.18.0 is available now

Friday, April 3, 2020
Microsoft released AAD Connect version 1.5.18.0, which is a major version upgrade. Most AADC implementations should automatically upgrade to the latest version. Run Get-ADSyncAutoUpgrade to ensure automatic upgrade is enabled.

The most important functional change is that group objects now use mS-DS-ConsistencyGuid as the source anchor. This helps in multi-forest scenarios.

Read the Azure AD Connect: Version release history here.

1.5.18.0

Release status

04/02/2020: Released for download

Functional changes ADSyncAutoUpgrade

  • Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
  • The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do anything to enable this feature.
  • Removed the Get-ADSyncRunProfile because it is no longer in use.
  • Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
  • Added a new cmdlet to remove objects from the connector space the old CSDelete.exe tool is removed, and it is replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.
 Note
The old CSDelete.exe tool has been removed and replaced with the new Remove-ADSyncCSObject cmdlet

Fixed issues

  • Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
  • Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files.
  • Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
  • Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
  • Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

How to Delete a Directory from AAD Connect

Thursday, April 2, 2020
You can use Azure Active Directory Connect (AADC) to synchronize one or more on-premises Active Directories to Azure Active Directory. Once additional directories are added to AADC, it may not be obvious how to remove a directory. Here's how to do it.

First, let's look at our example which syncs two directories, theguillets.com and contoso.com to the same AAD tenant.

Here's what it looks like from the View current configuration option in AADC:



And here's what it looks like from Customize synchronization options in AADC. Notice that you can only add directories, not remove them.



In this example, I want to remove the contoso.com directory from AADC so it will no longer sync to Azure AD. Before we can remove the directory we need to disable the AADC sync scheduler. Run the following PowerShell cmdlet:

Set-ADSyncScheduler -SyncCycleEnabled $false

Next, open the AADC Synchronization Service Manager located at C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe. This tool is useful to see the synchronization process and confirm that syncs are happening error-free.



Click the Connectors button at the top and you will see the directories that are currently configured to sync.



Select the directory you want to remove and click Delete. I'm deleting the contoso.com directory.



Select Delete Connector and connector space and click OK. Click Yes on the following prompt to delete the directory from AADC and Azure AD:



It will take a few seconds to delete the contoso.com directory objects from Azure AD and the AADC metabase.



After the directory has been removed from AADC, re-enable the AADC sync scheduler and perform a delta sync using PowerShell:

Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle

Click the Operations button at the top and you will see that the contoso.com directory is no longer listed in the sync cycles.



The directory is now removed from the AADC configuration.


Congratulations 2018-2019 Microsoft MVP!

Sunday, July 1, 2018
I'm very pleased to announce that I have been given the Office Servers and Services Microsoft MVP Award again for 2018-2019. I have been awarded every year since 2009, so this will be my 10th consecutive year.


The MVP Award is an important recognition to me and I'm honored to receive it. It includes several benefits, but the most important ones to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to test new software, and solicit our MVP feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This has been somewhat of a nerve-racking award cycle. As Microsoft truly morphs into a cloud services company, its priorities are changing faster than ever before. Longtime MVPs have been notified that they were not going to be awarded this year because their community events do not align with Microsoft's vision. Entire groups that focus on on-premises technologies have been cut from the MVP program. I understand why, but I am sorry to see them go.

Another program change is that the re-award cycle changed from quarterly to yearly. I used to be awarded on April 1 every year (I always worried that my award email was an April Fool's joke), but now all MVPs are awarded on the same date, July 1. That means that the MVP leads have to review hundreds or thousands of MVPs at the same time. That takes a lot of work by them and I appreciate it.

If you think that you or someone you know deserves to be an MVP, you can learn what it takes to be one and nominate them from the Microsoft MVP Site. Microsoft reviews and awards new MVPs every month, with a renewal cycle on July 1.

The MVP Award adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my leadership in the community and real-world experience, which I bring to each and every engagement. Customers know that I provide the best results as their trusted advisor.

I feel great!




Important notice for Azure AD Connect customers running on SQL Server

Friday, October 6, 2017
Microsoft updated the AAD Connect release notes with an important warning for customers who use a full SQL Server deployment for Azure AD Connect.
Important
Starting with build 1.1.484, Azure AD Connect introduced a regression bug which requires sysadmin permissions to upgrade the SQL database. This bug is still present in the latest build 1.1.614. If you are upgrading to this build, you will need sysadmin permissions. Dbo permissions are not sufficient. If you attempt to upgrade Azure AD Connect without having sysadmin permissions, the upgrade will fail and Azure AD Connect will no longer function correctly afterwards. Microsoft is aware of this and is working to correct this.
This does not affect customers running localDB instances of SQL. The current version of AAD Connect is 1.1.614.0.

Customers running SQL Server back ends are currently excluded from automatic upgrades, so it always requires a manual upgrade to a newer version of AAD Connect. That means (for now) you don't need to be worried about an auto-upgrade automatically breaking AAD Connect functionality.


Congratulations 2017-2018 Microsoft MVP!

Saturday, July 1, 2017
I'm pleased to announce that I have been given the Office Servers and Services Microsoft MVP award again for 2017-2018. I have been awarded every year since 2009, so this will be my ninth consecutive year.



The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important ones to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.

I feel great!



AAD Connect Version 1.1.486.0 Released

Monday, April 17, 2017
Well that was quick. This update comes only 6 days after Microsoft released version 1.1.484.0. It only includes the one fix below, but it's large enough to affect enough users to warrant a new release.
  • This version fixed the issue where Azure AD Connect will not install successfully on localized version of Windows Server.
Download the latest version of AAD Connect here.

AAD Connect Version 1.1.484.0 Released

Saturday, April 8, 2017
Azure Active Directory Connect version 1.1.484.0 has been released, which includes several fixes and service account improvements. It also simplifies the port architecture required during the setup of Pass-Through Authentication.

Proper directory synchronization is key to a healthy hybrid environment, so it's important to keep on top of upgrades to your directory synchronization infrastructure.

Download the latest version of AAD Connect here.

Version 1.1.484.0

Released: April 2017

Fixes

Azure AD Connect sync

  • Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors.
  • Fixed an issue where the Synchronization Service immediately stops processing a run profile when it encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you have a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.
  • Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
  • Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
  • Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
  • Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure Generic LDAP Connector.

AD FS management

  • Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server.

Desktop SSO

  • Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation.

New features/improvements:

Azure AD Connect sync

  • Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Azure AD Connect only. When installing Azure AD Connect:
    • By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service account.
    • If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead.
    • You can override the default behavior by providing one of the following:
      • A Group Managed Service Account
      • A Managed Service Account
      • A domain user account
      • A local user account
  • Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
  • Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.
  • On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it is easy for the service configuration to be incorrectly configured by Azure AD Connect when you have an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.
  • Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled.
  • Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered.
  • The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article Abandoning the Azure AD Connect Sync encryption key.
  • Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able to start correctly until you have abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this is no longer required.

Desktop SSO

  • Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.


Important AD FS Update for Azure AD Connect

Wednesday, March 8, 2017

Microsoft has released Azure Active Directory Connect 1.1.443.0 which includes several bug fixes and new features that your environment will need, especially if you use AD FS:
  • Added support for updating AD FS Farm SSL Certificate
  • Added support for managing AD FS 2016
  • You can now specify existing gMSA (Group Managed Service Account) during AD FS installation
  • You can now configure SHA-256 as the signature hash algorithm for Azure AD relying party trust.

That last bullet point is very important now that the SHA1 algorithm has been cracked, as I wrote last month.

Azure AD Connect makes on-premises and Office 365 directory integration easy and simplifies the management of your on-premises and cloud identity infrastructure.


EXPTA Consulting can help your organization move to the Microsoft cloud or upgrade your existing hybrid infrastructure. Contact us today!

How to Trigger an AAD Connect Sync from a Remote Computer

Thursday, January 26, 2017
If you use AAD Connect to synchronize on-premises Active Directory with Azure AD, you may find it more convenient to trigger an AAD sync from a remote domain-joined computer or server. I frequently do this when I make a change to an on-prem AD object from my Windows 10 workstation or Exchange server. Remote PowerShell to the rescue!

Copy the following Sync-AAD.ps1 script to your Windows path (I put it in C:\Windows) on the computer or server where you want to run it.
$AADComputer = ((Get-ADUser -Filter 'Name -like "AAD_*"' -Properties Description).Description).split(" ")[13].trim(".") + "." + (Get-WmiObject win32_computersystem).Domain
$session = New-PSSession -ComputerName $AADComputer
Invoke-Command -Session $session -ScriptBlock {Import-Module -Name 'ADSync'}
Invoke-Command -Session $session -ScriptBlock {Start-ADSyncSyncCycle -PolicyType Delta}
Remove-PSSession $session
Sync-AAD.ps1 output
I haven't found a better way to determine where AAD Connect is installed than the way I'm doing it in the first line. It uses the AD PowerShell module to parse out the AAD Connect computer name listed in the description property of the AAD_***** computer account. This assumes, of course, that the AD PowerShell module is installed on the local computer, and the description property is filled out correctly in AD. AAD Connect sets the description for this account to something like, "Service account for the Synchronization Service with installation identifier 16e45891... running on computer DC1." If that doesn't work for you for some reason, simply change the first line to your AAD computer FQDN, for example:
$AADComputer = "aad.contoso.com"

The second line, $session = New-PSSession -ComputerName $AADComputer, creates a new remote PowerShell connection to the computer where AAD Connect is installed.

The third line invokes a command to import the AAD Connect PowerShell module on the local computer.

The fourth line invokes a command to start the delta AD sync cycle.

The final line removes the remote PowerShell session.

Easy peasy!
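A variant of the same approach that does not depend on the server name being the 14th word of the description: it matches on "running on computer", stops when the descriptions name more than one server, and always closes the remote session. This is an added example, not the author's script; the function names Resolve-AadcComputer and Invoke-RemoteAadDeltaSync are hypothetical, and the sample descriptions are constructed from the wording quoted above.

```powershell
# Added example (not the original Sync-AAD.ps1). Locates the AAD Connect server
# from account descriptions by pattern, refuses to guess when the result is
# ambiguous, and cleans up the remote session even if the sync call fails.

function Resolve-AadcComputer {
    param(
        # Description strings of the AAD_* accounts found in AD
        [string[]]$Description
    )
    # Case-insensitive set, so DC1 and dc1 count as the same server
    $names = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($d in $Description) {
        if ($d -match 'running on computer\s+([A-Za-z0-9_-]+)') {
            [void]$names.Add($Matches[1])
        }
    }

    if ($names.Count -eq 0) {
        throw 'No description names an AAD Connect computer. Set the name explicitly.'
    }
    if ($names.Count -gt 1) {
        throw "Descriptions name more than one computer: $(@($names) -join ', '). Set the name explicitly."
    }
    return @($names)[0]
}

function Invoke-RemoteAadDeltaSync {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )
    $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            Import-Module -Name 'ADSync' -ErrorAction Stop
            Start-ADSyncSyncCycle -PolicyType Delta
        }
    }
    finally {
        # Runs on success and on failure, so no session is left open
        Remove-PSSession -Session $session
    }
}

# --- Constructed sample descriptions (no AD needed for this part) ---
$one = @(
    'Service account for the Synchronization Service with installation identifier 00000000000000000000000000000001 running on computer DC1.'
)
$two = $one + @(
    'Service account for the Synchronization Service with installation identifier 00000000000000000000000000000002 running on computer AADC02.'
)

Resolve-AadcComputer -Description $one          # returns DC1 (trailing period is not captured)

try {
    Resolve-AadcComputer -Description $two      # two servers named: throws instead of guessing
}
catch {
    Write-Warning $_.Exception.Message
}

# --- Live use from a domain-joined computer with the AD PowerShell module ---
# $desc = (Get-ADUser -Filter 'Name -like "AAD_*"' -Properties Description).Description
# $fqdn = (Resolve-AadcComputer -Description $desc) + '.' + (Get-WmiObject win32_computersystem).Domain
# Invoke-RemoteAadDeltaSync -ComputerName $fqdn
```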


Intel NUCs - Another Take on EXPTA Home Lab Servers. Builds and Parts Lists.

Friday, June 3, 2016

Own a blistering fast two-node Hyper-V lab cluster for under $1,680!

Today, I'm doing another take on my well-known home Hyper-V lab server series. My latest Gen7 builds are single-server builds with 64GB-128GB ranging from $920-$1,915 per server. That gives you super-high density in a single small, but powerful, server. In this article I'll show you how to create a two-node Hyper-V cluster using Intel NUC servers so you can learn how to use Hyper-V replication and provide true high availability and fail-over.

The Intel NUC (Next Unit of Computing) is a Mini PC with the power of a desktop, packing powerful productivity in a tiny 4x4 form factor. Small enough to fit in your hand, each NUC is silent and stackable. They can sit on a bookshelf, or be mounted to a wall with the VESA bracket or directly on the back of a monitor.

I've always thought these NUCs would make great Hyper-V clusters, but until just recently they were underpowered and could only hold a maximum of 16GB RAM. Now there are two brand new Intel 32GB models that make this a really exciting Hyper-V lab possibility:
  • Intel NUC Kit NUC6i5SYH - Features a 6th generation dual core Intel Core i5-6260U with Intel Iris 540 graphics; Up to 32GB DDR4 RAM; Up to one M.2 and one 2.5" internal drives
  • Intel NUC Kit NUC6i7KYK - Features a 6th Generation quad core Intel Core i7-6770HQ with Intel Iris Pro 580 graphics; Up to 32GB DDR4 RAM; Up to two M.2 internal SSD drives
Both NUCs use the same storage format -- a 256GB M.2 SSD for the OS, and a 512GB SSD to run high performance VMs. With disk deduplication enabled, you can host many VMs on each node. When configured as a Hyper-V cluster, you can enable true high availability and enable new scenarios, like Hyper-V Live Migrations and Hyper-V Replication.

I also recommend using a portable 1TB USB3 external hard drive that you can share out for storing ISOs, software applications, and base images (see below). Each NUC has 2x USB 3.0 and 2x USB 2.0 ports for fast I/O performance, dual-band wireless-AC networking, 1GB NIC, Bluetooth, and built-in audio.

All you need to do to get started is buy the parts listed below and plug them in. They work pretty much straight out of the box - no real assembly required. You'll only need to plug in the RAM and drives.

As usual, I link to Amazon for components and prices. Amazon does a very good job of maintaining stock, has an excellent return policy, and most of these items are eligible for free two-day shipping via Amazon Prime. If you don't have Prime, you can sign up for a free Amazon Prime trial here and cancel after you order the equipment if you want. Please note that it's normal for Amazon prices to fluctuate (usually down) over time.


NUC i5 Build #1 -- Intel Core i5 Dual-Core, 32GB RAM, SSD for $837 each
Component Description
 
Intel NUC Kit NUC6i5SYH (BOXNUC6I5SYH) Silver/Black
This is a 6th generation Intel Core i5-6260U dual core processor with Intel Iris graphics 540 (1.9GHz up to 2.8 GHz Turbo, 4MB Cache, 15W TDP). Supports 1x M.2 Type M SSD and 1x 2.5" SSD. 1x full-size HDMI 1.4b and 1x Mini DisplayPort 1.2 ports. 7.1 surround audio via HDMI and Mini DisplayPort. Headphone and mic jacks. 2x USB 3.0, 2x USB 2.0, and SDXC slot with UHS-I support. Dimensions: 115mm x 111mm x 48mm (roughly 4.5" by 4.5" x 1.8" - super tiny!). 19V, 65W wall-mount multi-country AC-DC power adapter (IEC types A/C/G/I). 3 year limited warranty.
 
CRUCIAL TECHNOLOGY 32GB Kit (16GBx2) DDR4 2133 MT/s (CT2K16G4SFD8213)
1.2V quad channel 2133MHz DDR 400 SODIMM memory with low CL15 latency. Great RAM at a great price. Each package contains 2x 16GB SODIMMs (32GB total). Lifetime warranty.
 
Samsung 950 PRO Series - 256GB PCIe NVMe - M.2 Internal SSD (MZ-V5P256BW)
The next-generation Samsung 950 PRO delivers uncompromising power and performance. Next Generation M.2 SSD Based on NVMe Protocol (PCIe, Gen. 3, x4). Ultra-fast Sequential Read/Write Performance: Up to 2,200MB/s and 900MB/s Respectively. Random Read/Write IOPS Performance : Up to 270K and 85K Respectively. Ultimate Performance, Reliability, & Efficient Power Management Powered by Samsung V-NAND Technology. 5 year limited warranty.
 
Samsung 850 EVO 500GB 2.5-Inch SATA III Internal SSD (MZ-75E500B/AM)
500GB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Skype/Lync servers, etc.). Enabling Windows Server 2012 R2 disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 3 year limited warranty.

Obviously, you'll need two of these NUCs if you want to cluster them, but you can always choose to buy one now and cluster them later.
I always update the BIOS from the Internet before installing the OS. Once you install the OS, install and/or upgrade the drivers (especially the NIC) from the manufacturers' websites. Then install the Hyper-V role and you're off to the races!
You can host quite a few VMs on this system. As an example, my Gen6 32GB server runs Windows Server 2012 R2 with the Exchange 2013 Edge Transport role and the Hyper-V host server role. This server has been running 24x7 for over a year with the following virtual machines:
  • 1x Domain Controller (2GB dynamic RAM)
  • 2x Exchange 2016 servers in a DAG (4-6GB each)
  • 1x Exchange 2013 server (4GB)
  • 1x Exchange 2010 server (4GB)
  • 1x Lync 2013 server (4GB)
  • 1x Application server (2GB)
I run these VMs off the 500GB SSD with Windows Server 2012 R2 disk deduplication enabled for Virtual Desktop Infrastructure (VDI). This allows me to put 669GB of data on this 500GB drive and I still have 145GB free space left! See Windows Server 2012 Deduplication is Amazing! for information about configuring this.
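The setup described above (Hyper-V role plus deduplication tuned for running VMs on the VM SSD) looks like this in PowerShell. This is an added example, not taken from the linked deduplication post; the drive letter D: for the VM SSD is an assumption, so change it to match your build.

```powershell
# Added example. Assumption: D: is the SSD that holds the VM files (VHD/VHDX).
$vmVolume = 'D:'

# Stop early if the assumed volume is not present on this host.
if (-not (Test-Path "$vmVolume\")) {
    throw "Volume $vmVolume not found. Set `$vmVolume to the SSD that stores your VMs."
}

# Install the Hyper-V role and the Data Deduplication role service if missing.
# Hyper-V needs a restart; reboot and re-run the script to continue.
$features = 'Hyper-V', 'FS-Data-Deduplication'
$missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart required. Reboot, then run this script again.'
        return
    }
}

# Enable deduplication with the HyperV usage type, which is the setting
# intended for volumes that hold open virtual disks (the VDI scenario).
Enable-DedupVolume -Volume $vmVolume -UsageType HyperV

# Run an optimization pass now instead of waiting for the background schedule.
Start-DedupJob -Volume $vmVolume -Type Optimization -Wait

# Show how much space deduplication is saving on the VM volume.
Get-DedupVolume -Volume $vmVolume |
    Format-List Volume, UsageType, SavingsRate, SavedSpace
Get-DedupStatus -Volume $vmVolume |
    Format-List Capacity, FreeSpace, UsedSpace, OptimizedFilesCount
```

Run it from an elevated PowerShell session on the Hyper-V host. The first optimization pass can take a while on a volume that already holds many VMs.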


Now, if you're looking for the ultimate in NUC performance, check out this Intel i7 quad-core NUC:

NUC i7 Build #2 -- Intel i7 Quad-Core, 32GB RAM, 2x M.2 SSD for $1,316 each
Component Description
 
Intel NUC Kit NUC6i7KYK Mini PC (BOXNUC6I7KYK1)
This is a 6th generation Intel Core i7-6770HQ quad core processor with Intel Iris graphics 580 (2.6GHz up to 3.5 GHz Turbo, 6MB Cache, 45W TDP). Supports 2x M.2 Type M SSDs. 1x full-size HDMI 2.0 and 1x Mini DisplayPort 1.2, Thunderbolt 3 ports. 7.1 surround audio via HDMI and Mini DisplayPort. Headphone and mic jacks. 2x USB 3.0, 2x USB 2.0, and SDXC slot with UHS-I support. Dimensions: 211mm x 116mm x 28mm (roughly 8.3" by 4.5" x 1" - the size of a small paperback book!). 19V, 120W wall-mount AC-DC power adapter. 3 year limited warranty.
 
CRUCIAL TECHNOLOGY 32GB Kit (16GBx2) DDR4 2133 MT/s (CT2K16G4SFD8213)
1.2V quad channel 2133MHz DDR 400 SODIMM memory with low CL15 latency. Great RAM at a great price. Each package contains 2x 16GB SODIMMs (32GB total). Lifetime warranty.
 
Samsung 950 PRO Series - 256GB PCIe NVMe - M.2 Internal SSD (MZ-V5P256BW)
256GB for OS. The next-generation Samsung 950 PRO delivers uncompromising power and performance. Next Generation M.2 SSD Based on NVMe Protocol (PCIe, Gen. 3, x4). Ultra-fast Sequential Read/Write Performance: Up to 2,200MB/s and 900MB/s Respectively. Random Read/Write IOPS Performance : Up to 270K and 85K Respectively. Ultimate Performance, Reliability, & Efficient Power Management Powered by Samsung V-NAND Technology. 5 year limited warranty.
 
Samsung 950 PRO Series - 512GB PCIe NVMe - M.2 Internal SSD (MZ-V5P512BW)
512GB for VMs. The next-generation Samsung 950 PRO delivers uncompromising power and performance. Next Generation M.2 SSD Based on NVMe Protocol (PCIe, Gen. 3, x4). Ultra-fast Sequential Read/Write Performance: Up to 2,500MB/s and 1,500MB/s Respectively. Random Read/Write IOPS Performance : Up to 300K and 110K Respectively. Ultimate Performance, Reliability, & Efficient Power Management Powered by Samsung V-NAND Technology. 5 year limited warranty.

This NUC just SCREAMS performance! If it was available with 64GB of RAM this would be my go-to build, hands down. Maybe next year. :)

I also recommend the following to complete your NUC Hyper-V lab builds:

NUC Server Build Recommended and Optional Components
Component Description
 
*Highly Recommended*
Western Digital 1TB Black My Passport Ultra Portable External Hard Drive - USB 3.0 - (WDBGPU0010BBK-NESN)
Secure portable USB 3.0 storage with optional 256-bit AES hardware encryption. Available up to 3TB. Pre-formatted with NTFS. No power supply required. Use this to store software installs, ISOs, golden masters of your VM images, etc. 3-year limited warranty.
 
Samsung 850 Pro 1 TB 2.5-Inch SATA III Internal SSD (MZ-7KE1T0BW)
Upgrade your 500GB SATA III 6Gb/s SSD used for active VMs to the 850 Pro 1TB SSD. Delivers up to 90K IOPS 4KB random read / 100K IOPS 4KB random write speed. 10 year limited warranty.

VicTsing Gold-Plated HDMI to VGA Converter Adapter for PC, Laptop, DVD, Desktop (VS1-VC38BVT-VD)
Ultra-mini HDMI to VGA converter converts video from HDMI to any monitor or projector with a VGA port. Useful if you have an old-school KVM that doesn't support HDMI or DisplayPort.
 
Cable Matters Mini DisplayPort (Thunderbolt™ 2 Port Compatible) to HDMI/DVI/VGA Male to Female 3-in-1 Adapter in Black - Supporting 4K Resolution via HDMI
Lightweight and portable adapter for connecting a Mini DisplayPort (Mini DP or mDP)/Thunderbolt 2 port compatible computer to an HDTV, monitor, or projector with HDMI/DVI/VGA; A separate HDMI/DVI/VGA cable is required. Transmits both audio and video from computer or tablet to HD display via HDMI; Supports video resolutions up to 4K via HDMI or 1920x1200 and 1080p (Full HD) via VGA/DVI and flawless audio pass-thru for uncompressed digital 7.1, 5.1 or 2 channels.

I hope these NUC builds give you the confidence to build your own Hyper-V home cluster. I'm interested to hear your experiences in the comments section below. Happy building!