Preparation for CCNP Cloud Certification

Today (19/06/2017) I passed the Cisco 300-465 exam, so I want to share how to prepare for it without taking any external training, only self-study; I hope someone will find it useful. In this post I will provide the list of preparation materials and resources which will help you pass the Designing the Cisco Cloud exam (CLDDES).

First of all you need to check the exam topics on the Cisco Learning Network (CLDDES Exam Topics). I also recommend looking at the authorized training: partners provide official training, so find one through the partner locator and copy its study topics; they will be useful to have.

Practice part. Register on the dCloud portal using your Cisco ID. Complete all UCS, IAC and PSC labs; it is very important to complete them if you don't work with these products. Additionally it is recommended to download and install trial versions of UCS Director, UCS Manager, IAC and Intercloud Fabric software in a lab environment.

Below are the topics that must be studied before taking the exam (most of them are from the Study Materials, with my amendments). In conjunction with the labs above they will provide the best experience and understanding of the material. I do not provide the links because Cisco doesn't seem to maintain them properly (many broken, removed or unavailable links; to be honest a sad story). So just search the Cisco site (or Google) for the following topics:
1. Get Started with Cisco UCS Director.
2. Introducing Cisco Intelligent Automation for Cloud.
3. Cisco Intelligent Automation for Cloud.
4. Cisco Intelligent Automation for Cloud Data Sheet.
5. Cisco Intelligent Automation for Cloud 4.3.2 Installation Guide.
6. Cisco UCS Director Fundamentals Guide, Release 6.0
7. Cisco UCS Director Administration Guide, Release 6.0.
8. Cisco Prime Service Catalog.
9. Cisco Prime Service Catalog datasheet.
10. Cisco Prime Service Catalog Plan and Build Service datasheet.
11. Cisco Prime Network Services Controller.
12. IT as a Service with Cisco Prime Service Catalog and UCS Director.
13. Cisco Cloud Accelerators.
14. Enterprise Platform as a Service.
15. Understanding Cisco Cloud Fundamentals.
16. FlexPod Overview.
17. FlexPod at a glance - Simplified Multivendor Support for Your FlexPod.
18. FlexPod Infrastructure Automation.
19. FlexPod Datacenter with VMware vSphere 6.5 Design Guide.
20. FlexPod Data Center with Cisco Nexus 7000 and NetApp MetroCluster for Multisite Deployment.
21. FlexPod Data Center with Microsoft Fast Track Private Cloud 3 Design Guide.
22. FlexPod Data Center with Microsoft Private Cloud v3 Design Guide.
23. Vblock Systems.
24. Cisco Solutions for VSPEX.
25. Cisco Solutions for EMC VSPEX.
26. Cisco UCS Director VSPEX Implementation Guide.
27. Cisco Intercloud Fabric Security Features Technical Overview.
28. Cisco Intercloud Fabric Architectural Overview.
29. Cisco Intercloud Fabric Provider Platform Architecture.
30. Cisco VMDC Cloud Security 1.0 Design Guide.
31. Cisco Cloud Security Solutions.
32. Cisco Secure Network Container Multi-Tenant Cloud Computing.
33. Cisco Cloud Security Architecture: Un-Cloaking Invisible Threats.

Additionally you should understand the following (this includes some tips from after passing the exam):
1. Difference and use cases of VXLAN and OTV.
2. VMware VM migration procedure and requirements (hot, cold, vMotion etc).
3. Deep Packet Inspection (DPI) principles and usage.
4. Context aware infrastructure.
5. Cisco Virtual WAAS (vWAAS) is a virtual appliance.
6. Pay attention to Stack Designer.
7. VMware datastores, VM disk formats (thin, thick etc).
8. File-level and block-level storage, usage and difference.
9. Application Centric Infrastructure.
10. Pay attention to multi-site HA/DRS solutions, license requirements etc.
11. Integration of PSC with UCS Director.

Overall impression after passing the exam is a bit frustrating, as the documentation and study material is not up to date and spread across so many places that much time was wasted just trying to find information.

Installing OpenVAS on Ubuntu 16.04

sudo apt update && sudo apt upgrade
sudo apt install software-properties-common
sudo add-apt-repository ppa:mrazavi/openvas
sudo apt update
sudo apt install openvas
sudo apt install sqlite3
sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync
sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress
sudo openvasmd --user=admin --new-password=PASSWORD

PowerShell - Send email on behalf

$SmtpServer = "smtp.example.com"   # placeholder; the SMTP server variable is not shown in the original post
$EmailFrom = "User One <>"         # From: address the recipient sees (fill in the address)
$EmailTo = "Vyacheslav Fedenko <>" # recipient (fill in the address)
$Subject = "Email Subject"
$body = "Email Body"
$Smtp = New-Object Net.Mail.SmtpClient($SmtpServer)
$MailMessage = New-Object Net.Mail.MailMessage($EmailFrom, $EmailTo, $Subject, $body)
$MailMessage.Sender = ""           # Sender: header, i.e. the account actually sending on behalf of From (fill in the address)
$Smtp.Send($MailMessage)

Get Calendar Permissions report - Exchange 2010/2013/2016 and Exchange Online

This PowerShell script gets a Calendar Permissions report for your Exchange organization. It can also get a report from Office 365.
Usage examples:
.\Get-CalendarPermissionsReport.ps1 -Version 2010
Exchange 2010 Calendar Permissions report.

.\Get-CalendarPermissionsReport.ps1 -Version 2010 -File FileName.csv
The same as above, but the results will be exported to the FileName.csv file.

.\Get-CalendarPermissionsReport.ps1 -Version 2013-2016 -File FileName.csv
Gets calendar permissions report for Exchange 2013 or 2016 and exports the results to FileName.csv file. 

.\Get-CalendarPermissionsReport.ps1 -Version O365 -File FileName.csv
Gets the calendar permissions report for Exchange Online and exports the results to the FileName.csv file. It will ask for Office 365 admin credentials.

.\Get-CalendarPermissionsReport.ps1 -Version O365
Connects to Exchange Online and prints the calendar permissions to the console.

The script can be downloaded from TechNet Gallery.
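The core of such a report, written here as an added example (this is not the author's Get-CalendarPermissionsReport.ps1): it walks every mailbox, finds the calendar by folder type so localized folder names still work, and flags the two things a reviewer usually looks for, Default/Anonymous access above free/busy and delegates with Owner rights. It assumes an Exchange Management Shell or remote Exchange session is already open; the legacy Office 365 connection function reflects the method in use when the post was written.

```powershell
# Office 365 connection as done in 2017 (Basic-auth remote PowerShell, since retired;
# the ExchangeOnlineManagement module's Connect-ExchangeOnline replaces it today)
function Connect-ExchangeOnlineLegacy {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential (Get-Credential -Message 'Office 365 admin') -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
}

function Get-CalendarPermissionsAudit {
    [CmdletBinding()]
    param(
        # Default/Anonymous access at any level beyond these is reported as oversharing
        [string[]]$AcceptableDefaultLevels = @('None', 'AvailabilityOnly', 'LimitedDetails')
    )

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Locate the default calendar by folder type rather than by name, so a mailbox
        # whose calendar is called "Kalender" or "Calendrier" is handled too
        $cal = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $cal) { continue }

        # FolderPath is "/Calendar"; Get-MailboxFolderPermission wants "<mailbox>:\Calendar"
        $folderId = "$($mbx.PrimarySmtpAddress):" + ($cal.FolderPath -replace '^/', '\')

        foreach ($perm in Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue) {
            $user    = "$($perm.User)"
            $rights  = @($perm.AccessRights)
            $finding = ''
            if ($user -in 'Default', 'Anonymous' -and ($rights | Where-Object { $_ -notin $AcceptableDefaultLevels })) {
                # Everyone in the org (Default) or outside it (Anonymous) can read appointment details
                $finding = 'CalendarSharedWithEveryone'
            } elseif ($rights -contains 'Owner') {
                # The mailbox owner is never listed as an entry, so an Owner entry is a delegate
                $finding = 'DelegateHasOwnerRights'
            }
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Folder       = $cal.FolderPath
                User         = $user
                AccessRights = $rights -join ','
                Finding      = $finding
            }
        }
    }
}

# Full report to CSV, plus only the flagged entries on the console
$report = Get-CalendarPermissionsAudit
$report | Export-Csv -Path .\FileName.csv -NoTypeInformation
$report | Where-Object Finding | Format-Table Mailbox, User, AccessRights, Finding -AutoSize
```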

Ubuntu 16.04 - Failed to start LXD

root@hostname:~# systemctl status lxd-containers.service
● lxd-containers.service - LXD - container startup/shutdown
   Loaded: loaded (/lib/systemd/system/lxd-containers.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2017-03-21 13:33:45 EDT; 3min 15s ago
     Docs: man:lxd(1)
 Main PID: 852 (code=exited, status=1/FAILURE)

Mar 21 13:33:45 hostname systemd[1]: Starting LXD - container startup/shutdown...
Mar 21 13:33:45 hostname lxd[852]: error: open /var/lib/lxd/containers: no such file or directory
Mar 21 13:33:45 hostname systemd[1]: lxd-containers.service: Main process exited, code=exited, status=1/FAILURE
Mar 21 13:33:45 hostname systemd[1]: Failed to start LXD - container startup/shutdown.
Mar 21 13:33:45 hostname systemd[1]: lxd-containers.service: Unit entered failed state.
Mar 21 13:33:45 hostname systemd[1]: lxd-containers.service: Failed with result 'exit-code'.

The fix:
root@hostname:~# sudo su
root@hostname:~# service lxd restart
root@hostname:~# reboot

root@hostname:~# systemctl status lxd-containers.service
● lxd-containers.service - LXD - container startup/shutdown
   Loaded: loaded (/lib/systemd/system/lxd-containers.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2017-03-21 13:37:14 EDT; 2min 4s ago
     Docs: man:lxd(1)
 Main PID: 857 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/lxd-containers.service

Mar 21 13:37:13 hostname systemd[1]: Starting LXD - container startup/shutdown...
Mar 21 13:37:14 hostname systemd[1]: Started LXD - container startup/shutdown.

Exchange - Connect a disabled mailbox

An easy way to restore a mailbox if you accidentally removed it is simply to reconnect it using the steps described here.

But sometimes a removed mailbox doesn't show up as a disconnected one. In this case you need to synchronize the mailbox state with its AD account using the Update-StoreMailboxState cmdlet.

First of all, find the MailboxGuid and the Database name of the removed mailbox:
Get-MailboxDatabase | Get-MailboxStatistics | Where { $_.DisplayName -eq "Display Name" } | ft DisplayName,Database,MailboxGuid 

Then update the mailbox state:
Update-StoreMailboxState -Database DBNAME -Identity MailboxGUID

The mailbox will then show up in the disconnected mailboxes and its DisconnectReason attribute will be updated. The mailbox is ready to reconnect.

Installing Hyper-V on ESXi

Validation Results: The validation process found problems on the server to which you want to install features. 
The selected features are not compatible with the current configuration of your selected 
server. Click OK to select different features.

Shut down the VM.
Add vhv.allow = "TRUE" to the VM's vmx file.
Amend the guest operating system string so it reads guestOS = "winhyperv".
Upgrade the virtual hardware.
Enable Intel VT-x/AMD-V for instruction set virtualization in the VM CPU options.

Notes: works with ESXi 5.1; nested ESXi can be installed as well; Hyper-V can be installed and run even with 1 vCPU.

SMB v1 GPO adm



CLASS MACHINE
CATEGORY !!SMB_Version
    POLICY !!SMB1
        KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
        EXPLAIN !!SMB1Help
        VALUENAME "SMB1"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!SMB2
        KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
        EXPLAIN !!SMB2Help
        VALUENAME "SMB2"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
SMB_Version="SMB Version"
SMB1="SMB v1"
SMB1Help="Enable/Disable SMB version 1 by changing the value of 'SMB1' REG_DWORD in SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters."
SMB2="SMB v2"
SMB2Help="Enable/Disable SMB version 2 by changing the value of 'SMB2' REG_DWORD in SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Caution - SMB v3 works on the same stack as v2 (don't touch it)."

The adm file can be easily converted to admx via ADMX Migrator.
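To verify what the template actually set, here is an added audit function (not from the original post) that reads the same LanmanServer values over the remote registry and reports the SMB1 and SMB2/3 state per server. It distinguishes an explicit 0 from an absent value, because a missing value means the protocol is still enabled by default; FILESRV01 and FILESRV02 are constructed server names.

```powershell
function Get-SmbServerProtocolState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $regPath = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Remote registry read (needs the Remote Registry service and admin rights on the target)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey($regPath)
    if (-not $key) { throw "Cannot open HKLM\$regPath on $ComputerName" }

    $result = [ordered]@{ ComputerName = $ComputerName }
    foreach ($name in 'SMB1', 'SMB2') {
        $value = $key.GetValue($name, $null)
        # Absent value = protocol enabled (the OS default); 0 = disabled; 1 = enabled
        if ($null -eq $value)  { $state = 'Enabled (value absent, default)' }
        elseif ($value -eq 0)  { $state = 'Disabled' }
        elseif ($value -eq 1)  { $state = 'Enabled' }
        else                   { $state = "Unexpected value $value" }
        $result[$name] = $state
    }
    $key.Close(); $hive.Close()
    # Note: SMB2 = 0 also switches off SMB3, which is the caution in the template's help text
    [pscustomobject]$result
}

# Audit a list of servers; any SMB1 state other than "Disabled" is the finding to act on
'FILESRV01', 'FILESRV02' | ForEach-Object { Get-SmbServerProtocolState -ComputerName $_ } |
    Format-Table -AutoSize
```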

Exchange setup error

"A reboot from a previous installation is pending. Please restart the system and then rerun Setup." 

If you are still getting the error after a reboot (do it twice), clean up the values in the REG_MULTI_SZ below:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations 

Of course, back up the registry first.
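The same cleanup with the backup built in, as an added example (not from the original post): it exports the Session Manager key with reg.exe, shows the pending source/destination pairs so you can see what Setup is tripping over, and removes the value only when you confirm (run with -WhatIf first).

```powershell
function Clear-PendingFileRename {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupDir = $env:TEMP   # where the .reg backup is written
    )
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $valueName = 'PendingFileRenameOperations'

    $pending = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $pending) {
        Write-Host "No $valueName entries; the pending reboot is being reported for another reason."
        return
    }

    # "Back up the registry first": export the key with reg.exe before touching it
    $backup = Join-Path $BackupDir ('SessionManager-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed; $valueName left untouched" }

    # The value is a flat list of path pairs: source, then destination (empty = delete on reboot)
    Write-Host "Pending operations (backup written to $backup):"
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        Write-Host ('  {0} -> {1}' -f $src, $(if ($dst) { $dst } else { '<delete>' }))
    }

    # -WhatIf shows the removal without doing it; -Confirm prompts before it
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Remove pending file rename operations')) {
        Remove-ItemProperty -Path $keyPath -Name $valueName
        Write-Host 'Cleared; rerun Exchange Setup.'
    }
}

Clear-PendingFileRename -WhatIf   # review first, then run again without -WhatIf
```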

RDS connection issue

"The task you are trying to do can't be completed because Remote Desktop Services is currently busy".

In this case you need to reset your session. 

Connect to the remote server via the psexec tool:
psexec \\Server1 cmd

Optionally you can connect with different credentials by specifying the -u switch.

Find your session ID by running:
query session

Reset your session:
reset session ID

Now you should be able to log on without issues.

Update 25/05/2017: No need to use psexec, as the query/reset commands have a /server parameter. :/

Exchange 2013 - IMAP Health

Check components by running:
Get-ServerComponentState -Identity CASServer1

If the ImapProxy component is in the Inactive state, run the command below:
Set-ServerComponentState -Identity CASServer1 -State Active -Requester HealthAPI -Component ImapProxy

For deeper troubleshooting you can refer to the following KB: Troubleshooting IMAP Health Set.

#Connection Closed Gracefully.

PRTG - VMware datastore latency monitoring

Here is an example of how to monitor individual ESXi datastore read/write latency through vCenter and PRTG. Tested with PRTG 16.4.28.7421 and ESXi 5.1. "VMware vSphere PowerCLI" is required on the Probe server.

# "DataStoreName - totalWriteLatency.ps1" file
Add-PSSnapin VMware.VimAutomation.Core
$a=Connect-VIServer vCenterServer -User "Domain\User" -Password "UserPassword" -WarningAction SilentlyContinue
$p=Get-Datastore DataStoreName | foreach {$dsName = $_.Name; $uuid = $_.ExtensionData.Info.Url.Split('/')[-2]; Get-VMHost -Datastore $_ | Get-Stat -Stat "datastore.totalWriteLatency.average" -Realtime | where {$_.Instance -eq $uuid} | sort Timestamp -descending | select -first 1 | select -expand Value}
echo $p':ok'

# "DataStoreName - totalReadLatency.ps1" file.
Add-PSSnapin VMware.VimAutomation.Core
$a=Connect-VIServer vCenterServer -User "Domain\User" -Password "UserPassword" -WarningAction SilentlyContinue
$p=Get-Datastore DataStoreName | foreach {$dsName = $_.Name; $uuid = $_.ExtensionData.Info.Url.Split('/')[-2]; Get-VMHost -Datastore $_ | Get-Stat -Stat "datastore.totalReadLatency.average" -Realtime | where {$_.Instance -eq $uuid} | sort Timestamp -descending | select -first 1 | select -expand Value}
echo $p':ok' 

Put both files into "PRTG Installation folder\Custom Sensors\EXE" and create EXE/Script sensors.
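The two scripts above differ only in the counter name and carry the vCenter password in clear text inside the sensor file. As an added example (not the post's scripts), here is a single parameterized sensor that takes the datastore and metric from the PRTG "Parameters" field and loads the credential from a DPAPI-protected file instead. It assumes the file was created once by the account the PRTG probe service runs as (for example `Get-Credential | Export-Clixml C:\ProgramData\PRTG\vcenter.cred`), since only that account can decrypt it; the vCenter name and file path are placeholders.

```powershell
# Save as "Datastore latency.ps1" under "PRTG Installation folder\Custom Sensors\EXE"
# Sensor parameters example:  -Datastore "DS01" -Metric Write
param(
    [Parameter(Mandatory)] [string]$Datastore,
    [ValidateSet('Read', 'Write')] [string]$Metric = 'Write',
    [string]$VCenter  = 'vCenterServer',                     # placeholder name
    [string]$CredFile = 'C:\ProgramData\PRTG\vcenter.cred'   # placeholder path
)

$output   = '0:unknown error'
$exitCode = 1
$vc       = $null
try {
    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction Stop   # PowerCLI 5.x; newer: Import-Module VMware.VimAutomation.Core
    # DPAPI-protected credential, readable only by the Windows account that exported it
    $cred = Import-Clixml -Path $CredFile
    $vc   = Connect-VIServer -Server $VCenter -Credential $cred -WarningAction SilentlyContinue -ErrorAction Stop

    $ds = Get-Datastore -Name $Datastore -Server $vc -ErrorAction Stop
    # Datastore counters are keyed by the datastore UUID, the second-to-last element
    # of the datastore URL (ds:///vmfs/volumes/<uuid>/)
    $uuid = $ds.ExtensionData.Info.Url.Split('/')[-2]
    $stat = "datastore.total${Metric}Latency.average"

    $sample = Get-VMHost -Datastore $ds -Server $vc |
        Get-Stat -Stat $stat -Realtime -ErrorAction Stop |
        Where-Object { $_.Instance -eq $uuid } |
        Sort-Object Timestamp -Descending |
        Select-Object -First 1
    if (-not $sample) { throw "no $stat samples for datastore $Datastore" }

    # PRTG EXE/Script sensor format: "<value>:<message>", exit code 0 = OK
    $output   = '{0}:ok' -f $sample.Value
    $exitCode = 0
}
catch {
    # Any failure becomes a sensor error with the reason visible in PRTG
    $output = "0:$($_.Exception.Message)"
}
finally {
    if ($vc) { Disconnect-VIServer -Server $vc -Confirm:$false -ErrorAction SilentlyContinue }
}
$output
exit $exitCode
```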

Get-UPDReport - User Profile Disks report

This PowerShell script generates a report about User Profile Disks, including account information from Active Directory.

The report contains the following attributes:
FullName - full path to UPD file.
LastWriteTime - time when UPD was last modified.
Size - file size in MB.
SID - Active Directory account security identifier.
AD_Account_Name - Active Directory account name.
AD_Account_UPN - Active Directory account user principal name.
AD_User_Enabled - information if account is enabled or disabled.
AD_User_LastLogon - Active Directory account last logon time.

Requirements: access to the UPD path and the Active Directory PowerShell module.

Usage examples:
# Gets the report where the UPD files location is "\\Share\UPDs\".
.\Get-UPDReport.ps1 -UPDPath "\\Share\UPDs\"

# The same as above but an output will be saved in Report.csv file.
.\Get-UPDReport.ps1 -UPDPath "\\Share\UPDs\" | Export-Csv Report.csv
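An added implementation of the same report (this is not the author's Get-UPDReport.ps1): User Profile Disk files are named UVHD-<SID>.vhdx, so the SID is taken from the file name and resolved with Get-ADUser. Disks whose SID no longer resolves are reported as orphaned, which is usually what a cleanup or access review is after. It requires the ActiveDirectory module and read access to the share; the share path is the post's example.

```powershell
function Get-UPDReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UPDPath
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    Get-ChildItem -Path $UPDPath -Filter 'UVHD-*.vhdx' -File | ForEach-Object {
        $file = $_
        $sid  = $file.BaseName -replace '^UVHD-', ''
        # UVHD-template.vhdx is the master template, not a user's disk
        if ($sid -eq 'template') { return }

        $user = $null
        try {
            $user = Get-ADUser -Identity $sid -Properties LastLogonDate, UserPrincipalName -ErrorAction Stop
        } catch {
            # Identity not found: the account was deleted, so the disk is orphaned
        }

        [pscustomobject]@{
            FullName          = $file.FullName
            LastWriteTime     = $file.LastWriteTime
            Size              = [math]::Round($file.Length / 1MB, 2)   # MB
            SID               = $sid
            AD_Account_Name   = if ($user) { $user.SamAccountName } else { '<orphaned>' }
            AD_Account_UPN    = if ($user) { $user.UserPrincipalName } else { $null }
            AD_User_Enabled   = if ($user) { $user.Enabled } else { $null }
            AD_User_LastLogon = if ($user) { $user.LastLogonDate } else { $null }
        }
    }
}

# Everything to CSV; orphaned and disabled-account disks listed on the console, largest first
$report = Get-UPDReport -UPDPath '\\Share\UPDs\'
$report | Export-Csv -Path .\Report.csv -NoTypeInformation
$report | Where-Object { $_.AD_Account_Name -eq '<orphaned>' -or $_.AD_User_Enabled -eq $false } |
    Sort-Object Size -Descending | Format-Table FullName, Size, AD_Account_Name, AD_User_Enabled -AutoSize
```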

Compare-GPOs.ps1 - comparing GPO version numbers across Domain Controllers

This PowerShell script compares Group Policy Object versions between the specified Domain Controllers. It is used to identify GPOs which are not replicated properly or have a version mismatch.

As an example I will use an Active Directory domain called "AD.FEDENKO.INFO" and two domain controllers, "DC01" and "DC02".

I will create a test Group Policy called "Test_GPO", shown below.

After some amendments to the GPO settings you can see that the User and Computer versions have changed.

To simulate a replication issue I will go to the second domain controller and remove the GPT.ini file.

As a result you will see that the User and Computer versions are not available in the Group Policy Management console on DC02.

The Compare-GPOs PowerShell script can help to identify such Group Policy objects.


DCName                : DC02.AD.FEDENKO.INFO
Id                    : c1acca94-7078-403b-b636-7f9916aa4665
DisplayName           : Test_GPO
Path                  : cn={C1ACCA94-7078-403B-B636-7F9916AA4665},cn=policies,cn=system,DC=AD,DC=FEDENKO,DC=INFO
Owner                 : AD\Domain Admins
CreationTime          : 7/24/2016 4:41:12 PM
ModificationTime      : 7/24/2016 5:04:34 PM
UserDSVersion         : 2
UserSysvolVersion     :
ComputerDSVersion     : 1
ComputerSysvolVersion :
GpoStatus             : AllSettingsEnabled

DCName                : DC01.AD.FEDENKO.INFO
Id                    : c1acca94-7078-403b-b636-7f9916aa4665
DisplayName           : Test_GPO
Path                  : cn={C1ACCA94-7078-403B-B636-7F9916AA4665},cn=policies,cn=system,DC=AD,DC=FEDENKO,DC=INFO
Owner                 : AD\Domain Admins
CreationTime          : 7/24/2016 4:41:12 PM
ModificationTime      : 7/24/2016 5:03:00 PM
UserDSVersion         : 2
UserSysvolVersion     : 2
ComputerDSVersion     : 1
ComputerSysvolVersion : 1
GpoStatus             : AllSettingsEnabled

There is also an optional "-DelayInMilliseconds" parameter which can be used for CPU usage throttling. The script can be downloaded from TechNet Gallery.
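An added function that does the same comparison (it is not the author's Compare-GPOs.ps1): it queries every GPO through each listed DC and reports those whose AD (DS) and SYSVOL version numbers disagree on one DC, which is what the deleted GPT.ini above produces, or whose versions differ between DCs, which points at replication lag or failure. It requires the GroupPolicy module (RSAT); the DC names are the post's.

```powershell
function Compare-GpoVersions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$DomainController,
        [int]$DelayInMilliseconds = 0    # throttle between GPO reads, like the script's option
    )
    Import-Module GroupPolicy -ErrorAction Stop

    # Snapshot of every GPO as seen from each DC, keyed by GPO Id
    $byDc = @{}
    foreach ($dc in $DomainController) {
        $byDc[$dc] = @{}
        foreach ($gpo in Get-GPO -All -Server $dc) {
            $byDc[$dc][$gpo.Id] = $gpo
            if ($DelayInMilliseconds) { Start-Sleep -Milliseconds $DelayInMilliseconds }
        }
    }

    $ids = $byDc.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($id in $ids) {
        $views = foreach ($dc in $DomainController) {
            $g = $byDc[$dc][$id]            # $null if this DC has not received the GPO at all
            [pscustomobject]@{
                DC         = $dc
                Name       = if ($g) { $g.DisplayName } else { '<missing on this DC>' }
                UserDS     = $g.User.DSVersion
                UserSysvol = $g.User.SysvolVersion
                CompDS     = $g.Computer.DSVersion
                CompSysvol = $g.Computer.SysvolVersion
            }
        }

        $problems = @()
        foreach ($v in $views) {
            if ($v.Name -like '<missing*') { $problems += "missing on $($v.DC)"; continue }
            # 1) DS vs SYSVOL mismatch on a single DC (e.g. GPT.ini deleted or not replicated)
            if ($v.UserDS -ne $v.UserSysvol -or $v.CompDS -ne $v.CompSysvol) {
                $problems += "DS/SYSVOL mismatch on $($v.DC)"
            }
        }
        # 2) The same version number reported differently by different DCs
        foreach ($prop in 'UserDS', 'UserSysvol', 'CompDS', 'CompSysvol') {
            if (@($views.$prop | Sort-Object -Unique).Count -gt 1) { $problems += "$prop differs between DCs" }
        }

        if ($problems) {
            [pscustomobject]@{
                Id       = $id
                Name     = $views.Name | Where-Object { $_ -notlike '<*' } | Select-Object -First 1
                Problems = ($problems | Sort-Object -Unique) -join '; '
                Versions = ($views | ForEach-Object {
                    "$($_.DC): User=$($_.UserDS)/$($_.UserSysvol) Computer=$($_.CompDS)/$($_.CompSysvol)" }) -join ' | '
            }
        }
    }
}

Compare-GpoVersions -DomainController 'DC01.AD.FEDENKO.INFO', 'DC02.AD.FEDENKO.INFO' | Format-List
```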

Group Policy - Processing Order

I think one of the most important things in administering Active Directory (AD) is understanding the Group Policy processing order. In this blog post I will walk through this process and provide some examples, including an explanation of Loopback processing and Group Policy enforcement.

I will create the following Organizational Unit (OU) structure for the tests.

There will be Group Policy objects (GPO's) for each Organizational Unit, including the Domain and the Site.

As a result the TestSubOU Organizational Unit will have the following GPO's assigned.

The client workstation, called CLIENT01, will be located in TestSubOU and in the Active Directory Site called Users. A GPO will also be assigned to this AD Site.

To summarize, the GPO's used are:
TestGPO_Domain - policy which is assigned to the domain. 
TestGPO_TestOU - OU policy.
TestGPO_TestSubOU - child OU policy.
TestGPO_Site - AD Site policy.

The Group Policies are processed in the following order:
1. Local Computer Group Policy (can be edited by running Local Group Policy Editor - gpedit.msc) 
2. Site Policy.
3. Domain Policy.
4. Organizational Unit policy. 

According to that, the GPO settings on our test workstation will be processed in the following order:
1. Local Policy of CLIENT01. Note: Processing of Local GPO's can be disabled by "Turn off Local Group Policy Objects processing" settings, which can be found under "Computer Configuration - Policies - Administrative Templates - System - Group Policy".
2. TestGPO_Site
3. TestGPO_Domain
4. TestGPO_TestOU
5. TestGPO_TestSubOU

This means that if, for example, TestGPO_TestSubOU and TestGPO_TestOU (and even the domain and site GPO's) have the same settings, TestGPO_TestSubOU will take precedence over all of them. One interesting fact is that TestGPO_TestOU will still be listed in the Applied GPOs output of the Group Policy Results wizard even if no settings were applied from that GPO.

GPO's have Computer and User configuration sections. You should remember that Computer settings from GPO's which are applied to a User account never take effect. The one exception is User settings from GPO's which are applied to a Computer account: by default they are not applied, but this can be changed by configuring Loopback Processing.

Loopback processing allows you to control Group Policy settings depending on which computer the user authenticates to. Loopback processing has two modes: Merge or Replace. In Merge mode it applies User settings from all GPO's assigned to both the Computer and the User account. You should remember that if there are any conflicting GPO settings (the same user settings), the settings from the GPO assigned to the Computer object take precedence. In Replace mode the User account's GPO's are ignored completely and not applied.

Loopback processing can be enabled by amending "Configure user Group Policy loopback processing mode" settings in "Computer Configuration - Policies - Administrative Templates - System - Group Policy".

Another topic I would like to highlight is Group Policy enforcement. It allows you to force a GPO to be applied last and thus take precedence over all other GPO's. For example, if I mark the TestGPO_Domain Group Policy as Enforced, its settings will have precedence over all other GPO's.

Something not obvious happens if you Enforce an AD Site Group Policy Object; in our case it is TestGPO_Site.

You will not see it in the Group Policy Inheritance tab, but it is Enforced and takes precedence over all other Group Policy Objects, so pay attention here.

Another not obvious thing happens if you enforce all GPO's. I expected to see TestGPO_TestSubOU with Precedence #1, but in fact I see the following picture.

Yes, that's correct: when several GPO's are enforced, the one highest in the hierarchy takes precedence, so the enforced domain policy ends up above the enforced OU policies. In my opinion it is not logical, but pay attention to it as well. I have not covered blocking inheritance; I believe the screenshot below explains it very well.
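A way to see both effects from the command line, added here as an example (not from the original post): Get-GPInheritance lists the domain and OU links in precedence order with their Enforced flag, and because it does not cover sites, the function then reads the site object's gPLink attribute directly, which is where an Enforced site link hides from the Inheritance tab. The OU distinguished name and the site name are assumptions matching the post's lab.

```powershell
function Get-GpoPrecedence {
    param(
        [Parameter(Mandatory)] [string]$TargetOU,
        [Parameter(Mandatory)] [string]$SiteName
    )
    Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

    # Domain- and OU-linked GPOs; Order is the precedence shown in the Inheritance tab (1 = wins)
    $inh = Get-GPInheritance -Target $TargetOU
    $inh.InheritedGpoLinks | ForEach-Object {
        [pscustomobject]@{
            Precedence = $_.Order
            GPO        = $_.DisplayName
            Enforced   = $_.Enforced
            Enabled    = $_.Enabled
            Scope      = 'Domain/OU'
        }
    }

    # Site links live in the configuration partition and are not returned by Get-GPInheritance
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $site = Get-ADObject -Identity "CN=$SiteName,CN=Sites,$cfg" -Properties gPLink
    if ($site.gPLink) {
        # gPLink format: [LDAP://cn={guid},cn=policies,cn=system,DC=...;<options>] repeated;
        # options bit 1 = link disabled, bit 2 = enforced
        [regex]::Matches($site.gPLink, '\[LDAP://cn=(\{[0-9a-f-]+\}),[^;]+;(\d+)\]', 'IgnoreCase') | ForEach-Object {
            $opts = [int]$_.Groups[2].Value
            $gpo  = Get-GPO -Guid $_.Groups[1].Value.Trim('{}')
            [pscustomobject]@{
                Precedence = 'site'
                GPO        = $gpo.DisplayName
                Enforced   = [bool]($opts -band 2)   # enforced site GPO: invisible in the tab, but wins
                Enabled    = -not ($opts -band 1)
                Scope      = 'Site'
            }
        }
    }
}

Get-GpoPrecedence -TargetOU 'OU=TestSubOU,OU=TestOU,DC=AD,DC=FEDENKO,DC=INFO' -SiteName 'Users' |
    Format-Table -AutoSize
```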

Hyper-V Replica with self-signed certificates

I have two standalone, non-domain-joined Hyper-V servers, HV01 and HV02, and I need to configure Hyper-V Replica between them. Many blog posts and guides provide syntax for the MakeCert tool. The interesting thing is that MakeCert is deprecated and it is recommended to use the New-SelfSignedCertificate cmdlet instead. That is great, but this cmdlet has some limitations in PowerShell 4.0; actually there is a huge difference between New-SelfSignedCertificate in PowerShell 4.0 and 5.0. I will create the self-signed certificates using the new cmdlet, which is why I use Windows 10 with PowerShell 5.0. The Windows 10 workstation will be called ADMIN01.

1. Go to ADMIN01 and generate the root certificate. It will be used to sign the certificates for HV01 and HV02. You can use the -NotAfter parameter to specify the certificate expiration date, but this property was omitted here:

New-SelfSignedCertificate -Type "Custom" -KeyExportPolicy "Exportable" -Subject "" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "Signature" -KeyUsage "CertSign"

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------

2. Create and sign the certificates for HV01 and HV02. Make sure that you specify the thumbprint of the certificate above.

New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV01" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("{text},") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

New-SelfSignedCertificate -type "Custom" -KeyExportPolicy "Exportable" -Subject "CN=HV02" -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec "KeyExchange" -TextExtension @("{text},") -Signer "Cert:LocalMachine\My\2752C9823DBE015B60F4C5558DBB7CFEF1FD80AB" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

As a result you will see 3 certificates in the Local Computer certificate store.

3. Export certificates and copy to Hyper-V servers:
On the HV01/02 certificate click Export - Yes, export the private key - Next (unselect "Include all certificates in the certification path if possible"; we will copy the root certificate manually) - specify the password and click Next - specify the file location and click Next - complete the Certificate Export Wizard by clicking Finish.

Repeat the same for the HV02 certificate. Then export the root certificate ( in my case). For the root certificate there is no need to export the private key.

4. Import the certificates on the Hyper-V servers: HV01/02 into the Personal store of Local Computer on each server respectively, and the root certificate into the Trusted Root Certification Authorities store. Check the certificate status afterwards.

5. The last trick concerns Certificate Revocation Lists: certificates issued by this self-signed root carry no CRL distribution point, so revocation checking has to be switched off. On each Hyper-V server add the following registry value:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

6. Once all certificates are imported on the servers, Hyper-V Replica can be configured.

On the second server a PowerShell script can be used to achieve the same configuration as above.

PS C:\> Get-ChildItem Cert:LocalMachine\My | fl Subject,Thumbprint

Subject    : CN=HV02
Thumbprint : A03A46DE4085F7EE53D5B3451363AE0B73328F43

Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate -CertificateThumbprint "A03A46DE4085F7EE53D5B3451363AE0B73328F43" -ReplicationAllowedFromAnyServer $true -DefaultStorageLocation "D:\Hyper-V\Virtual Hard Disks"

7. Then enable Replication at the VM level.
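Steps 1 to 3 as one script, added here as an example (these are not the post's commands): it creates the root, issues the two host certificates signed by it with the extended key usages Hyper-V Replica requires (Server Authentication 1.3.6.1.5.5.7.3.1 and Client Authentication 1.3.6.1.5.5.7.3.2), and exports each host's PFX without the chain plus the root as a public .cer, ready to copy over. It runs on the PowerShell 5 workstation as in the post; the root subject, export folder and PFX password are assumptions.

```powershell
$ErrorActionPreference = 'Stop'
$exportDir = 'C:\ReplicaCerts'                        # assumed path
$pfxPwd    = Read-Host 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Root certificate: signing key, marked as a CA, 10-year validity
$root = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
    -Subject 'CN=HyperV-Replica-Root' -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeySpec Signature -KeyUsage CertSign -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. One certificate per Hyper-V host, signed by the root. The EKU extension carries
#    Server Authentication and Client Authentication; replication fails without both.
$eku   = '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
$hosts = @{}
foreach ($hostName in 'HV01', 'HV02') {
    $hosts[$hostName] = New-SelfSignedCertificate -Type Custom -KeyExportPolicy Exportable `
        -Subject "CN=$hostName" -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeySpec KeyExchange -TextExtension @($eku) -Signer $root -NotAfter (Get-Date).AddYears(5) `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
}

# 3. Exports: host certificates as PFX with private key and without the chain (the
#    "unselect Include all certificates" step), the root as a public .cer only
foreach ($hostName in $hosts.Keys) {
    Export-PfxCertificate -Cert $hosts[$hostName] -FilePath (Join-Path $exportDir "$hostName.pfx") `
        -Password $pfxPwd -ChainOption EndEntityCertOnly | Out-Null
}
Export-Certificate -Cert $root -FilePath (Join-Path $exportDir 'ReplicaRoot.cer') | Out-Null

# 4. On each host after copying the folder (HV01 shown), then the DisableCertRevocationCheck
#    value from step 5 of the post:
#   Import-PfxCertificate -FilePath C:\ReplicaCerts\HV01.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
#   Import-Certificate    -FilePath C:\ReplicaCerts\ReplicaRoot.cer -CertStoreLocation Cert:\LocalMachine\Root

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match 'CN=(HV0[12]|HyperV-Replica-Root)$' } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```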

SQL Server 2016 - Always On Availability Groups

In this blog post I will provide a basic step-by-step guide on how to install and configure SQL Server 2016 with Always On Availability Groups. Migrating WSUS from the Windows Internal Database to an Availability Group will be the example.

This guide has the following steps:
1. Preparation.
2. Installing SQL Server 2016 on both SQL servers.
3. Installing Failover Clustering Feature on SQL servers and enable AlwaysOn.
4. Working with WSUS.
5. Create Availability Group.
6. Create logins and grant permissions.
7. Create Availability Group Listener.
8. Finish WSUS server reconfiguration.

Preparation.

Two Windows Server 2012 R2 machines - SQL01 and SQL02.

Each SQL server has the following drive mapping:
C - System
D - SQL Installation
E - Database volume
F - SQL Logs
G - Backups

WSUS server is Windows Server 2012 R2 with default configuration.

A dedicated Active Directory Organizational Unit for the SQL servers' computer objects.

Open firewall TCP ports 1433, 1434 and 5022 on both SQL servers.

Installing SQL Server 2016 on both SQL servers. 
From SQL Server Installation Center click Installation then "New SQL Server stand-alone installation or add features to an existing installation".

Enter Product Key or select Evaluation, then click Next.

Accept the license terms and click Next.

Select Microsoft Update options and click Next.

On the Install Rules page check all warnings, then click Next.

On the Feature Selection page select "Database Engine Services" and "SQL Server Replication". In my case I changed the directory paths to the dedicated D: drive. Click Next to proceed.

Leave default instance name and click Next.

Specify service accounts and collation settings. In my case I left it default and clicked Next.

On "Database Engine Configuration" page specify SQL Server administrators. In my case I selected domain administrator account.

Go to "Data Directories" tab and specify paths. Then click Next.

On Ready to Install page click Install.

Repeat the same steps on second SQL server.

Installing Failover Clustering Feature on SQL servers and enable AlwaysOn.

Open Server Manager - Manage - Add Roles and Features - Next - Role-based or feature-based installation - Next - Select a server from the server pool - Next - Next - select the "Failover Clustering" checkbox (a popup with the additional required features will appear) - Add Features - Next - Install.

Repeat the same steps on second SQL server.

Open Failover Cluster Manager, right-click on it and choose "Create Cluster...".

On Before You Begin page click Next.

On Select Servers page add SQL01 and SQL02 servers. Click Next to proceed.

Run validation tests by clicking Next.

Run all tests, then Next. Wait until validation completes. Once all tests have passed, specify the Cluster Name and IP, then click Next. In my case it is SQL-CL01 with as IP.

Confirm configuration and click Next.

Then configure quorum settings.

Enable Always On Availability in SQL Server Configuration Manager on each SQL Server.

Restart SQL servers. Download and install SQL Server Management Studio.

Working with WSUS.

Download and install on WSUS server: "Microsoft® SQL Server® 2012 Native Client" and "Microsoft® SQL Server® 2012 Command Line Utilities".

Stop the "IIS Admin Service" and "WSUS Service".

Run the command line tool as administrator (each sqlcmd batch is sent with "go"):
cd C:\Program Files\Microsoft SQL Server\110\Tools\Binn
sqlcmd -S \\.\pipe\MICROSOFT##WID\tsql\query
use master
go
alter database SUSDB set single_user with rollback immediate
go
sp_detach_db 'SUSDB'
go

Then copy SUSDB.mdf and SUSDB_log.ldf from "C:\Windows\WID\Data" to SQL01.

Working with the WSUS database:
Attach the database on SQL01.

Go to Database Properties - Options and change the Recovery model to Full. Then back up the database, copy the SUSDB.bak file to SQL02 and restore it with the "RESTORE WITH NORECOVERY" option.

Create Availability Group on SQL01.

In SQL Server Management Studio - AlwaysOn High Availability - Availability Groups - New Availability Group Wizard... - Next.

Specify AG name and click Next. In my case it is WSUSAG.

Select SUSDB and click Next.

Add SQL02 as a replica. Do not configure the listener for now. Click Next and Yes on the endpoint popup.

On Initial Data Synchronization page select Skip initial data synchronization and click Next. On validation page click Next then Finish.

Create logins and grant permissions.

On SQL01:
use master

On SQL02:
use master

Remove SQL02 from the replicas and add it back.

Create a WSUSDB computer object in the SQL OU and grant Full Control permissions on it to the SQL-CL01 object.

Create Availability Group Listener.

Specify the listener settings and click OK. In my case it is, port 1433 and WSUSDB (the computer object which I created earlier).

On SQL02, join SUSDB to the Availability Group.

The state of the database will change to Synchronized.

Finish WSUS server reconfiguration.

Replace "MICROSOFT##WID" with "WSUSDB" in the "SqlServerName" value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup".

Change the WSUS Service to log on as Local System and grant dbo rights on SUSDB to the WSUS01 computer account.

Start "IIS Admin Service" and "WSUS Service".

Uninstall WSUS and Windows Internal Database features:
Uninstall-WindowsFeature UpdateServices-WidDB
Uninstall-WindowsFeature Windows-Internal-Database

Restart WSUS server.
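A post-migration check to run from the WSUS server, added as an example (not from the original post): it reads the SqlServerName value WSUS now uses, confirms TCP 1433 to that listener, and asks the primary (reached through the listener) for the synchronization state of SUSDB on every replica. It assumes the SqlServer or SQLPS module for Invoke-Sqlcmd and a Windows account with VIEW SERVER STATE on the instance.

```powershell
function Test-WsusAgMigration {
    [CmdletBinding()]
    param([string]$Database = 'SUSDB')

    $setup    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $listener = $setup.SqlServerName
    if ($listener -like '*MICROSOFT##WID*') { throw "WSUS still points at the Windows Internal Database: $listener" }

    $tcp = Test-NetConnection -ComputerName $listener -Port 1433 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { throw "Listener $listener is not reachable on TCP 1433" }

    # dm_hadr_database_replica_states on the primary has one row per replica for the database;
    # connecting through the listener always lands on the current primary
    $query = @"
SELECT ar.replica_server_name,
       ars.role_desc,
       drs.synchronization_state_desc,
       drs.synchronization_health_desc
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar ON ar.replica_id = drs.replica_id
JOIN sys.dm_hadr_availability_replica_states AS ars ON ars.replica_id = drs.replica_id
WHERE drs.database_id = DB_ID('$Database');
"@
    $rows = Invoke-Sqlcmd -ServerInstance $listener -Database $Database -Query $query
    foreach ($r in $rows) {
        [pscustomobject]@{
            Listener = $listener
            Replica  = $r.replica_server_name
            Role     = $r.role_desc
            State    = $r.synchronization_state_desc
            Health   = $r.synchronization_health_desc
        }
    }
    $bad = @($rows | Where-Object { $_.synchronization_state_desc -ne 'SYNCHRONIZED' })
    if ($bad) { Write-Warning "$Database is not synchronized on: $($bad.replica_server_name -join ', ')" }
}

Test-WsusAgMigration | Format-Table -AutoSize
```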
(c) 2016 - Vyacheslav Fedenko