Manage a Configuration Server

Configuration Server acts as a coordinator between the Site Recovery services and your on-premises infrastructure. This article describes how you can set up, configure, and manage the Configuration Server.

Note

Capacity planning is an important step to ensure that you deploy the Configuration Server with a configuration that suites your load requirements. Read more about Sizing requirements for a Configuration Server.

Prerequisites

The following are the minimum hardware, software, and network configuration required to set up a Configuration Server.

Important

When deploying a Configuration Server for protecting VMware virtual machines, we recommend that you deploy it as a Highly Available (HA) virtual machine.

Hardware
Number of CPU cores 8
RAM 12 GB
Number of disks 3

- OS disk
- Process server cache disk
- Retention drive (for failback)
Disk free space (process server cache) 600 GB
Disk free space (retention disk) 600 GB
Software
Operating system version Windows Server 2012 R2
Windows Server 2016
Operating system locale English (en-us)
VMware vSphere PowerCLI version PowerCLI 6.0
Windows Server roles Do not enable the following roles:
- Active Directory Domain Services
- Internet Information Services
- Hyper-V
Group Policies The following Group policies should not be enabled on the server
- Prevent access to the command prompt
- Prevent access to registry editing tools
- Trust logic for file attachments
- Turn on Script Execution
Note: More information about these group policies can be found here
Internet Information Service(IIS) Configuration - No pre-existing Default WebSite
- Enable Anonymous Authentication
- Enable FastCGI setting
- No pre-existing websit/application should be listening on port 443
Network
Network interface card type VMXNET3
IP address type Static
Internet access The server should be able to access the following URLs either directly or through a proxy server:
- *.accesscontrol.windows.net
- *.backup.windowsazure.com
- *.store.core.windows.net
- *.blob.core.windows.net
- *.hypervrecoverymanager.windowsazure.com
- https://cdn.mysql.com/archives/mysql-5.5/mysql-5.5.37-win32.msi (not required for Scale-out Process Servers)
- time.nist.gov
- time.windows.com
Ports 443 (Control channel orchestration)
9443 (Data transport)

Downloading the Configuration Server software

  1. Log on to the Azure portal and browse to your Recovery Services Vault.
  2. Browse to Site Recovery Infrastructure > Configuration Servers (under For VMware & Physical Machines).

    Add Servers Page

  3. Click the +Servers button.
  4. On the Add Server page, click the Download button to download the Registration key. You need this key during the Configuration Server installation to register it with Azure Site Recovery service.
  5. Click the Download the Microsoft Azure Site Recovery Unified Setup link to download the latest version of the Configuration Server.

    Download Page

    Tip

    Latest version of the Configuration Server can be downloaded directly from Microsoft Download Center download page

Installing and Registering a Configuration Server from GUI

  1. Run the Unified Setup installation file.
  2. In Before You Begin, select Install the configuration server and process server.

    Before you start

  3. In Third Party Software License, click I Accept to download and install MySQL.

    Third-party software

  4. In Registration, select the registration key you downloaded from the vault.

    Registration

  5. In Internet Settings, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet. Make sure you've allowed the required URLs.

    • If you want to connect with the proxy that's currently set up on the machine, select Connect to Azure Site Recovery using a proxy server.
    • If you want the Provider to connect directly, select Connect directly to Azure Site Recovery without a proxy server.
    • If the existing proxy requires authentication, or if you want to use a custom proxy for the Provider connection, select Connect with custom proxy settings, and specify the address, port, and credentials. Firewall
  6. In Prerequisites Check, Setup runs a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.

    Prerequisites

  7. In MySQL Configuration, create credentials for logging on to the MySQL server instance that is installed.

    MySQL

  8. In Environment Details, select whether you're going to replicate VMware VMs. If you are, then Setup checks that PowerCLI 6.0 is installed.

    MySQL

  9. In Install Location, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of free space.

    Install location

  10. In Network Selection, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment's requirements. In addition to the port 9443, we also open port 443, which is used by a web server to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.

    Network selection

  11. In Summary, review the information and click Install. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location.

    Summary

After registration finishes, the server is displayed on the Settings > Servers blade in the vault.

Installing and registering a Configuration Server using Command line

UnifiedSetup.exe [/ServerMode <CS/PS>] [/InstallDrive <DriveLetter>] [/MySQLCredsFilePath <MySQL credentials file path>] [/VaultCredsFilePath <Vault credentials file path>] [/EnvType <VMWare/NonVMWare>] [/PSIP <IP address to be used for data transfer] [/CSIP <IP address of CS to be registered with>] [/PassphraseFilePath <Passphrase file path>]

Sample usage

MicrosoftAzureSiteRecoveryUnifiedSetup.exe /q /xC:\Temp\Extracted
cd C:\Temp\Extracted
UNIFIEDSETUP.EXE /AcceptThirdpartyEULA /servermode "CS" /InstallLocation "D:\" /MySQLCredsFilePath "C:\Temp\MySQLCredentialsfile.txt" /VaultCredsFilePath "C:\Temp\MyVault.vaultcredentials" /EnvType "VMWare"

Configuration Server installer command-line arguments.

Parameter Name Type Description Possible Values
/ServerMode Mandatory Specifies whether both the configuration and process servers should be installed, or the process server only CS
PS
/InstallLocation Mandatory The folder in which the components are installed Any folder on the computer
/MySQLCredsFilePath Mandatory The file path in which the MySQL server credentials are stored The file should be the format specified below
/VaultCredsFilePath Mandatory The path of the vault credentials file Valid file path
/EnvType Mandatory Type of envrionment that you want to protect VMware
NonVMware
/PSIP Mandatory IP address of the NIC to be used for replication data transfer Any valid IP Address
/CSIP Mandatory The IP address of the NIC on which the configuration server is listening on Any valid IP Address
/PassphraseFilePath Mandatory The full path to location of the passphrase file Valid file path
/BypassProxy Optional Specifies that the configuration server connects to Azure without a proxy To do get this value from Venu
/ProxySettingsFilePath Optional Proxy settings (The default proxy requires authentication, or a custom proxy) The file should be in the format specified below
DataTransferSecurePort Optional Port number on the PSIP to be used for replication data Valid Port Number (default value is 9433)
/SkipSpaceCheck Optional Skip space check for cache disk
/AcceptThirdpartyEULA Mandatory Flag implies acceptance of third-party EULA
/ShowThirdpartyEULA Optional Displays third-party EULA. If provided as input all other parameters are ignored

Create a MySql credentials file

MySQLCredsFilePath parameter takes a file as input. Create the file using the following format and pass it as input MySQLCredsFilePath parameter.

[MySQLCredentials]
MySQLRootPassword = "Password>"
MySQLUserPassword = "Password"

Create a proxy settings configuration file

ProxySettingsFilePath parameter takes a file as input. Create the file using the following format and pass it as input ProxySettingsFilePath parameter.

[ProxySettings]
ProxyAuthentication = "Yes/No"
Proxy IP = "IP Address"
ProxyPort = "Port"
ProxyUserName="UserName"
ProxyPassword="Password"

Modifying proxy settings for Configuration Server

  1. Log in to your Configuration Server.
  2. Launch the cspsconfigtool.exe using the shortcut on your.
  3. Click the Vault Registration tab.
  4. Download a new Vault Registration file from the portal and provide it as input to the tool.

    register-configuration-server

  5. Provide the new Proxy Server details and click the Register button.
  6. Open an Admin PowerShell command window.
  7. Run the following command

    $pwd = ConvertTo-SecureString -String MyProxyUserPassword
    Set-OBMachineSetting -ProxyServer http://myproxyserver.domain.com -ProxyPort PortNumber – ProxyUserName domain\username -ProxyPassword $pwd
    net stop obengine
    net start obengine
    

    Warning

    If you have Scale-out Process servers attached to this Configuration Server, you need to fix the proxy settings on all the scale-out process servers in your deployment.

Modify user accounts and passwords

The CSPSConfigTool.exe is used to manage the user accounts used for Automatic discovery of VMware virtual machines and to perform **Push install of Mobility Service on protected machines.

  1. Log in to your Configuration server.
  2. Launch the CSPSConfigtool.exe by clicking on the shortcut available on the desktop.
  3. Click on the Manage Accounts tab.
  4. Select the account for which the password needs to be modified and click on the Edit button.
  5. Enter the new password and click OK

Re-register a Configuration Server with the same Recovery Services Vault

  1. Log in to your Configuration Server.
  2. Launch the cspsconfigtool.exe using the shortcut on your desktop.
  3. Click the Vault Registration tab.
  4. Download a new Registration file from the portal and provide it as input to the tool. register-configuration-server
  5. Provide the Proxy Server details and click the Register button.
  6. Open an Admin PowerShell command window.
  7. Run the following command

    $pwd = ConvertTo-SecureString -String MyProxyUserPassword
    Set-OBMachineSetting -ProxyServer http://myproxyserver.domain.com -ProxyPort PortNumber – ProxyUserName domain\username -ProxyPassword $pwd
    net stop obengine
    net start obengine
    

    Warning

    If you have Scale-out Process servers attached to this Configuration Server, you need to re-register all the scale-out process servers in your deployment.

Registering a Configuration Server with a different Recovery Services Vault.

Warning

The following step disassociates the Configuration from the current vault, and the replication of all protected virtual machines under the Configuration server is stopped.

  1. Log in to your Configuration Server.
  2. from an admin command prompt, run the command

    reg delete HKLM\Software\Microsoft\Azure Site Recovery\Registration
    net stop dra
    
  3. Launch the cspsconfigtool.exe using the shortcut on your.
  4. Click the Vault Registration tab.
  5. Download a new Registration file from the portal and provide it as input to the tool.

    register-configuration-server

  6. Provide the Proxy Server details and click the Register button.
  7. Open an Admin PowerShell command window.
  8. Run the following command $pwd = ConvertTo-SecureString -String MyProxyUserPassword Set-OBMachineSetting -ProxyServer http://myproxyserver.domain.com -ProxyPort PortNumber – ProxyUserName domain\username -ProxyPassword $pwd net stop obengine net start obengine

Upgrading a Configuration Server

Warning

Updates are supported only up to the N-4th version. For example, if the latest version in the market is 9.11, then you can update from version 9.10, 9.9, 9.8, or 9.7 directly to 9.11. But if you are on any version less than or equal to 9.6 then you need to update to at least 9.7 before you can apply the latest updates on to your Configuration Server. Download links for previous version can be found under Azure Site Recovery service updates

  1. Download the update installer on your Configuration Server.
  2. Launch the installer by double-clicking the installer.
  3. The installer detects the version of the Site Recovery components present on the machine and prompt for a confirmation.
  4. Click on the OK button to provide the confirmation & continue with the upgrade.

Delete or Unregister a Configuration Server

Warning

Ensure the following before you start decommissioning your Configuration Server.

  1. Disable protection for all virtual machines under this Configuration Server.
  2. Disassociate and Delete all Replication policies from the Configuration Server.
  3. Delete all vCenters servers/vSphere hosts that are associated to the Configuration Server.

Delete the Configuration Server from Azure portal

  1. In Azure portal, browse to Site Recovery Infrastructure > Configuration Servers from the Vault menu.
  2. Click the Configuration Server that you want to decommission.
  3. On the Configuration Server's details page, click the Delete button.

    delete-configuration-server

  4. Click Yes to confirm the deletion of the server.

Uninstall the Configuration Server software and its dependencies

Tip

If you plan to reuse the Configuration Server with Azure Site Recovery again, then you can skip to step 4 directly

  1. Log on to the Configuration Server as an Administrator.
  2. Open up Control Panel > Program > Uninstall Programs
  3. Uninstall the programs in the following sequence:
    • Microsoft Azure Recovery Services Agent
    • Microsoft Azure Site Recovery Mobility Service/Master Target server
    • Microsoft Azure Site Recovery Provider
    • Microsoft Azure Site Recovery Configuration Server/Process Server
    • Microsoft Azure Site Recovery Configuration Server Dependencies
    • MySQL Server 5.5
  4. Run the following command from and admin command prompt. reg delete HKLM\Software\Microsoft\Azure Site Recovery\Registration

Delete or Unregister a Configuration Server (PowerShell)

  1. Install Azure PowerShell module
  2. Login into to your Azure account using the command

    Login-AzureRmAccount

  3. Select the subscription under which the vault is present

    Get-AzureRmSubscription –SubscriptionName <your subscription name> | Select-AzureRmSubscription

  4. Now set up your vault context

    $vault = Get-AzureRmRecoveryServicesVault -Name <name of your vault>
    Set-AzureRmSiteRecoveryVaultSettings -ARSVault $vault
    
  5. Get select your configuration server

    $fabric = Get-AzureRmSiteRecoveryFabric -FriendlyName <name of your configuration server>

  6. Delete the Configuration Server

    Remove-AzureRmSiteRecoveryFabric -Fabric $fabric [-Force]

Note

The -Force option in the Remove-AzureRmSiteRecoveryFabric can be used to force the removal/deletion of the Configuration server.

Renew Configuration Server Secure Socket Layer(SSL) Certificates

The Configuration Server has an inbuilt webserver, which orchestrates the activities of the Mobility Service, Process Servers, and Master Target servers connected to the Configuration Server. The Configuration Server's webserver uses an SSL certificate to authenticate its clients. This certificate has an expiry of three years and can be renewed at any time using the following method:

Warning

Certificate expiry can be performed only on version 9.4.XXXX.X or higher. Upgrade all the Azure Site Recovery components (Configuration Server, Process Server, Master Target Server, Mobility Service) before you start the Renew Certificates workflow.

  1. On the Azure portal, browse to your Vault > Site Recovery Infrastructure > Configuration Server.
  2. Click the Configuration Server for which you need to renew the SSL Certificate for.
  3. Under the Configuration Server health, you can see the expiry date for the SSL Certificate.
  4. Renew the certificate by clicking the Renew Certificates action as shown in the following image:

    delete-configuration-server

Secure Socket Layer certificate expiry warning

Note

The SSL Certificate's validity for all installations that happened before May 2016 was set to one year. you have started seeing certificate expiry notifications showing up in the Azure portal.

  1. If the Configuration Server's SSL certificate is going to expire in the next two months, the service starts notifying users via the Azure portal & email (you need to be subscribed to Azure Site Recovery notifications). You start seeing a notification banner on the Vault's resource page.

    certificate-notification

  2. Click the banner to get additional details on the Certificate expiry.

    certificate-details

    Tip

    If instead of a Renew Now button you see an Upgrade Now button. The Upgrade Now button indicates that there are some components in your environment that have not yet been upgraded to 9.4.xxxx.x or higher versions.

Revive a Configuration server if the Secure Socket Layer (SSL) certificate expired

  1. Update your Configuration Server to the latest version
  2. If you have any Scale-out Process servers, Failback Master Target servers, Failback Process Servers update them to the latest version
  3. Update the Mobility Service on all the protected virtual machines to the latest version.
  4. Log in to the Configuration server and open a command prompt with administrator privileges.
  5. Browse to the folder %ProgramData%\ASR\home\svsystems\bin
  6. Run RenewCerts.exe to renew the SSL certificate on the Configuration Server.
  7. If the process succeeds, you should see the message "Certificate renewal is Success"

Sizing requirements for a Configuration Server

CPU Memory Cache disk size Data change rate Protected machines
8 vCPUs (2 sockets * 4 cores @ 2.5 GHz) 16 GB 300 GB 500 GB or less Replicate fewer than 100 machines.
12 vCPUs (2 sockets * 6 cores @ 2.5 GHz) 18 GB 600 GB 500 GB to 1 TB Replicate between 100-150 machines.
16 vCPUs (2 sockets * 8 cores @ 2.5 GHz) 32 GB 1 TB 1 TB to 2 TB Replicate between 150-200 machines.

Tip

If your daily data churn exceeds 2 TB, or you plan to replicate more than 200 virtual machines, it is recommended to deploy additional process servers to load balance the replication traffic. Learn more about How to deploy Scale-out Process severs.

Common issues

Installation failures

Sample error message Recommended action
ERROR Failed to load Accounts. Error: System.IO.IOException: Unable to read data from the transport connection when installing and registering the CS server. Ensure that TLS 1.0 is enabled on the computer.

Registration failures

Registration failures can be debugged by reviewing the logs in the %ProgramData%\ASRLogs folder.

Sample error message Recommended action
09:20:06:InnerException.Type: SrsRestApiClientLib.AcsException,InnerException.
Message: ACS50008: SAML token is invalid.
Trace ID: 1921ea5b-4723-4be7-8087-a75d3f9e1072
Correlation ID: 62fea7e6-2197-4be4-a2c0-71ceb7aa2d97>
Timestamp: 2016-12-12 14:50:08Z
Ensure that the time on your system clock is not more than 15 minutes off the local time. Rerun the installer to complete the registration.
09:35:27 :DRRegistrationException while trying to get all disaster recovery vault for the selected certificate: : Threw Exception.Type:Microsoft.DisasterRecovery.Registration.DRRegistrationException, Exception.Message: ACS50008: SAML token is invalid.
Trace ID: e5ad1af1-2d39-4970-8eef-096e325c9950
Correlation ID: abe9deb8-3e64-464d-8375-36db9816427a
Timestamp: 2016-05-19 01:35:39Z
Ensure that the time on your system clock is not more than 15 minutes off the local time. Rerun the installer to complete the registration.
06:28:45:Failed to create certificate
06:28:45:Setup cannot proceed. A certificate required to authenticate to Site Recovery cannot be created. Rerun Setup
Ensure you are running setup as a local administrator.