

How to Manage your AD-Integrated Servers Life Cycle in Virtualized Environments by using Powershell (EN)

One of the advantages of virtualized environments is the ease of management of servers. A virtualization administrator can easily provision new virtual machines but, if this is not well controlled and maintained, it might end up overloading your host machines and storage equipment. Having a clear Life Cycle of VMs in your virtualization environment helps avoid such situations, and this Wiki article provides one way to implement it by using your Active Directory and PowerShell scripts.

Scenario

CONTOSO is a Web Applications development company that develops applications for its customers. CONTOSO developers frequently request new servers to develop or test the applications they build. CONTOSO is using a virtualized server environment where they have:
  • Hyper-V Hosting servers
  • SCVMM 2012 to manage their Hyper-V servers and VMs
The CONTOSO Hyper-V administrator provides new virtual machines when developers request them. However, he has difficulties following up with the developers on whether they still use the provided VMs, and the Hyper-V Hosting servers became overloaded due to the increasing number of provisioned virtual servers.

CONTOSO Hyper-V administrator would like to implement a Life Cycle management where a virtual machine will be automatically deprovisioned at the end of its Life.

Below are the requirements:
  • When a virtual machine is about to reach its end of life, an e-mail notification will be sent to the virtual machine owner informing that the virtual machine will be switched off soon
  • When a virtual machine reaches its end of life, the virtual machine will be stopped through SCVMM and an e-mail notification will be sent to the virtual machine owner
  • When a virtual machine exceeds one (1) month after its end of life and the owner has not requested an extension, the virtual machine will be removed through SCVMM and an e-mail notification will be sent to the virtual machine owner
Below is a figure for the Life Cycle to implement for AD-integrated development and test VMs:


Solution

One of the solutions that can be used to implement an automatic Life Cycle management of AD-integrated virtual machines is to use:
  • Active Directory to store the end date of usage of virtual machines
  • Powershell to set end date of usage of virtual machines
  • Powershell to send mail notifications to the virtual machines’ owners
  • Powershell to stop the machines when the end date is reached
  • Powershell to remove the virtual machines one month after the end date is reached
Use of Active Directory to store the end date of usage of virtual machines

accountExpires is an Active Directory attribute that is used to store the expiry date of an Active Directory user account. This attribute can be re-used for computer accounts to store their end date. Below are the steps to link the accountExpires attribute to the computer class:
  • Use CMD to install the Active Directory Schema administrative tool by running regsvr32 schmmgmt.dll
  • Use MMC to open the Active Directory Schema administrative tool, right-click on the computer class and then select Properties
  • Click on Add
  • Select accountExpires and then click on OK
  • Click on OK
 
Another alternative would be to use a custom Active Directory attribute with Large Integer/Interval as syntax instead.

How to Create a Custom Attribute in Active Directory:
Use of Powershell to manage the Life Cycle of virtual machines and the notifications

After linking the accountExpires attribute to the computer class in your Active Directory, the following list of PowerShell scripts can be used to manage the virtual machines' Life Cycle and notifications.
Storing the owner and the end date for virtual machines

The following Active Directory attributes will be used to store the needed information:
  • accountExpires: The attribute is now ready to be used to store the end date of usage of a virtual machine
  • info: This attribute will be used to store the e-mail address of the virtual machine owner using the following format “Computer Owner:
The following script can be used by the virtualization administrator to update the AD attributes of a virtual machine's AD computer account. The script will ask for the virtual machine name, the owner's e-mail address and the number of days the machine should remain active.


---------------------------------------------------------------------------------------------------------------------------------
cls

Import-Module ActiveDirectory

$computername = Read-Host 'What is the computer name?'

$owner = Read-Host 'What is the e-mail address of the computer owner?'

# The owner is stored in the "info" attribute with the marker prefix the other scripts filter on
$owner = "Computer Owner: " + $owner

# Read-Host returns a string; cast it so that AddDays receives a number
[int]$extradays = Read-Host 'After how many Days the computer should be no longer active?'

# accountExpires holds a Windows FILETIME value, hence the ToFileTime() conversion
$expirydate = ((Get-Date).AddDays($extradays)).ToFileTime()

# Write both attributes in a single update of the computer account
Set-ADComputer -Identity $computername -Replace @{accountExpires=$expirydate; info=$owner}
---------------------------------------------------------------------------------------------------------------------------------

Below is a screen capture of the updated AD attributes of the computer account after running the script:
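Before scheduling the scripts that stop and remove machines, it is worth being able to see what they would act on. The following report script is an added example and is not part of the original article: it decodes the accountExpires FILETIME value (treating 0 and Int64.MaxValue, which both mean "never expires", as no date rather than a date in the past), classifies each owned computer account into the stages described above (14-day warning, expired, one month past expiry) and restricts the search to one OU so that a "Computer Owner:" value on a server outside the dev/test OU can never be picked up. The function names, the OU path and the thresholds are assumptions; replace the OU with the one that holds your dev/test VMs.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and the "Computer Owner: <e-mail>" convention used by the scripts above.
Import-Module ActiveDirectory

# accountExpires is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
# 0 and Int64.MaxValue both mean "never expires" and must not be read as a
# date in the past, which is what a plain "accountExpires<=now" filter does.
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)][Int64]$FileTime)
    if ($FileTime -eq 0 -or $FileTime -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTime($FileTime)
}

# Classify one expiry date relative to a reference date using the article's
# thresholds: 14 days of warning, then one month of grace before removal.
function Get-LifecycleStage {
    param(
        [AllowNull()][Nullable[DateTime]]$ExpiryDate,
        [DateTime]$Now = (Get-Date),
        [int]$WarningDays = 14,
        [int]$GraceMonths = 1
    )
    if ($null -eq $ExpiryDate)                          { return 'NeverExpires' }
    if ($ExpiryDate -le $Now.AddMonths(-$GraceMonths))  { return 'RemovalDue' }
    if ($ExpiryDate -le $Now)                           { return 'Expired' }
    if ($ExpiryDate -le $Now.AddDays($WarningDays))     { return 'ExpiringSoon' }
    return 'Active'
}

function Get-VMLifecycleReport {
    param(
        # Placeholder OU: limits the blast radius of the stop/remove scripts to
        # the dev/test VMs instead of every computer account in the domain.
        [string]$SearchBase = 'OU=DevTestVMs,DC=contoso,DC=com'
    )
    Get-ADComputer -SearchBase $SearchBase -LDAPFilter '(info=Computer Owner: *)' `
                   -Properties info, accountExpires |
        ForEach-Object {
            # An unset attribute comes back as $null; [Int64]$null is 0 (never expires)
            $expiry = ConvertFrom-AccountExpires -FileTime ([Int64]$_.accountExpires)
            [PSCustomObject]@{
                Name       = $_.Name
                Owner      = ($_.info -replace '^Computer Owner: ', '')
                ExpiryDate = $expiry
                Stage      = Get-LifecycleStage -ExpiryDate $expiry
            }
        }
}

# Example run: list what each scheduled script would touch, grouped by stage.
Get-VMLifecycleReport | Sort-Object Stage, ExpiryDate | Format-Table -AutoSize
```

Run it under the same account the scheduled scripts will use: if the report shows machines you did not expect in the Expired or RemovalDue stages, fix their attributes (or the search base) before the stop and remove scripts are scheduled.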


Sending e-mail notifications to virtual machines' owners when their end of life is about to be reached

The following script queries Active Directory to get the list of virtual machines that will reach their end of life in less than fourteen (14) days. A mail notification will be sent to the virtual machines' owners to inform them that the VMs will be switched off soon.

The script can be scheduled to run on a weekly basis and you need to update the values of the following variables:
  • $noreplymail: the e-mail address that will be used to send the mail notifications
  • $smtpServer: the DNS name or IP address of your SMTP server
  • $globalVMadminmail: the e-mail address of the virtualization administrator
---------------------------------------------------------------------------------------------------------------------------------
Import-Module ActiveDirectory

$noreplymail = "no-reply@contoso.com"

$smtpServer = "mail.contoso.com"

$globalVMadminmail = "ahmed.malek@contoso.com"

# Identify the window: expiry dates from now up to fourteen (14) days ahead.
# Both bounds are needed; with only a lower bound every future expiry date would match.
$Now = (Get-Date).ToFileTime()

$Stamp = ((Get-Date).AddDays(14)).ToFileTime()

$LDAPFilter = "(&(info=Computer Owner: *)(accountExpires>=" + $Now + ")(accountExpires<=" + $Stamp + "))"

foreach ($computer in (Get-ADComputer -LDAPFilter $LDAPFilter -Properties info))
{
    # Strip the marker prefix to get the owner's e-mail address
    $computerownermail = ($computer.info -replace "Computer Owner: ","")

    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    $msg.From = $noreplymail
    $msg.To.Add($computerownermail)
    $msg.CC.Add($globalVMadminmail)

    $mailbody = "The VM " + $computer.Name + " will be switched off soon. Please ask for the VM expiry date extension if you would like to keep using it."

    $msg.Subject = "[IMPORTANT] The VM " + $computer.Name + " will be switched off soon"
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High

    $smtp.Send($msg)
}
---------------------------------------------------------------------------------------------------------------------------------

Stopping the virtual machines through SCVMM

The following PowerShell script identifies the virtual machines that have reached their end of life, stops them by using the Stop-VM SCVMM cmdlet and notifies their owners about the operation.

The script can be scheduled to run on a daily basis and you need to update the values of the same variables described previously.

---------------------------------------------------------------------------------------------------------------------------------
Import-Module 'C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\psModules\virtualmachinemanager'

Import-Module ActiveDirectory

$noreplymail = "no-reply@contoso.com"

$smtpServer = "mail.contoso.com"

$globalVMadminmail = "ahmed.malek@contoso.com"

# Identify Stamp: expiry dates already in the past.
# accountExpires=0 means "never expires", so it is excluded with a lower bound of 1.
$Stamp = (Get-Date).ToFileTime()

$LDAPFilter = "(&(info=Computer Owner: *)(accountExpires>=1)(accountExpires<=" + $Stamp + "))"

foreach ($computer in (Get-ADComputer -LDAPFilter $LDAPFilter -Properties info))
{
    # Look up the VM in SCVMM by its AD computer name; skip it if it is unknown or already off
    $vm = Get-VM -Name $computer.Name

    if ($vm -and $vm.VirtualMachineState -ne "PowerOff")
    {
        Stop-VM -VM $vm

        # Strip the marker prefix to get the owner's e-mail address
        $computerownermail = ($computer.info -replace "Computer Owner: ","")

        $msg = New-Object Net.Mail.MailMessage
        $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

        $msg.From = $noreplymail
        $msg.To.Add($computerownermail)
        $msg.CC.Add($globalVMadminmail)

        $mailbody = "The VM " + $computer.Name + " was switched off. The complete removal of the VM will be done after one month."

        $msg.Subject = "[IMPORTANT] The VM " + $computer.Name + " was switched off"
        $msg.Body = $mailbody
        $msg.Priority = [System.Net.Mail.MailPriority]::High

        $smtp.Send($msg)
    }
}
---------------------------------------------------------------------------------------------------------------------------------

Removing the virtual machines through SCVMM

The following PowerShell script identifies the virtual machines that are one month past their end-of-life date, removes them by using the Remove-VM SCVMM cmdlet and notifies their owners about the operation. It also removes the VM's AD computer account.

The script can be scheduled to run on a daily basis and you need to update the values of the same variables described previously.

---------------------------------------------------------------------------------------------------------------------------------
Import-Module 'C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\psModules\virtualmachinemanager'

Import-Module ActiveDirectory

$noreplymail = "no-reply@contoso.com"

$smtpServer = "mail.contoso.com"

$globalVMadminmail = "ahmed.malek@contoso.com"

# Identify Stamp: expiry dates that are at least one (1) month in the past.
# accountExpires=0 means "never expires", so it is excluded with a lower bound of 1.
$Stamp = ((Get-Date).AddMonths(-1)).ToFileTime()

$LDAPFilter = "(&(info=Computer Owner: *)(accountExpires>=1)(accountExpires<=" + $Stamp + "))"

foreach ($computer in (Get-ADComputer -LDAPFilter $LDAPFilter -Properties info))
{
    # Read the owner before the AD account is deleted
    $computerownermail = ($computer.info -replace "Computer Owner: ","")

    # Remove the VM from SCVMM (skipped if SCVMM no longer knows it), then its AD computer account
    $vm = Get-VM -Name $computer.Name
    if ($vm) { Remove-VM -VM $vm -Force }

    Remove-ADComputer -Identity $computer -Confirm:$false

    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    $msg.From = $noreplymail
    $msg.To.Add($computerownermail)
    $msg.CC.Add($globalVMadminmail)

    $mailbody = "The VM " + $computer.Name + " was removed."

    $msg.Subject = "[IMPORTANT] The VM " + $computer.Name + " was removed"
    $msg.Body = $mailbody
    $msg.Priority = [System.Net.Mail.MailPriority]::High

    $smtp.Send($msg)
}
---------------------------------------------------------------------------------------------------------------------------------
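The requirements state that a machine is only removed when the owner has not requested an extension, and in this design an extension is simply a later accountExpires value, which takes the machine out of the stop and remove filters. The following function is an added example, not part of the original article: it grants an extension only to computers inside the managed OU that carry the "Computer Owner:" marker, extends from the current expiry (or from now if the machine is already expired), supports -WhatIf, and appends an audit record so that every change to an end date is traceable to the operator and the requesting owner. The function name, the OU path, the audit log path and the sample computer name are assumptions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; the OU and the audit log path are placeholders.
Import-Module ActiveDirectory

function Grant-VMExpiryExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # NetBIOS-style name only, so the value cannot alter the LDAP filter below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$ComputerName,
        [Parameter(Mandatory)][ValidateRange(1, 365)][int]$Days,
        [Parameter(Mandatory)][string]$RequestedBy,
        [string]$SearchBase = 'OU=DevTestVMs,DC=contoso,DC=com',   # placeholder
        [string]$AuditLog   = 'C:\Logs\vm-lifecycle-audit.csv'     # placeholder
    )

    # Only computers inside the managed OU that carry an owner marker qualify
    $computer = Get-ADComputer -SearchBase $SearchBase `
                    -LDAPFilter "(&(cn=$ComputerName)(info=Computer Owner: *))" `
                    -Properties info, accountExpires
    if (-not $computer) {
        throw "'$ComputerName' is not a managed dev/test VM (not in $SearchBase or no owner marker)."
    }

    # 0 and Int64.MaxValue mean "never expires"; treat them as "now" for the extension
    $current = if ($computer.accountExpires -gt 0 -and $computer.accountExpires -lt [Int64]::MaxValue) {
                   [DateTime]::FromFileTime($computer.accountExpires)
               } else { Get-Date }

    # Extend from the later of "now" and the current expiry, so an extension on an
    # already-expired VM never leaves the new date in the past
    $base = if ($current -gt (Get-Date)) { $current } else { Get-Date }
    $new  = $base.AddDays($Days)

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Set accountExpires to $new")) {
        Set-ADComputer -Identity $computer -Replace @{ accountExpires = $new.ToFileTime() }

        # Audit record: who asked, who applied it, and the before/after dates
        [PSCustomObject]@{
            Timestamp   = (Get-Date).ToString('o')
            Computer    = $computer.Name
            Owner       = ($computer.info -replace '^Computer Owner: ', '')
            RequestedBy = $RequestedBy
            Operator    = "$env:USERDOMAIN\$env:USERNAME"
            OldExpiry   = $current.ToString('o')
            NewExpiry   = $new.ToString('o')
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
    }
    return $new
}

# Usage (constructed values): preview the change first, then apply it
Grant-VMExpiryExtension -ComputerName 'DEVVM01' -Days 30 -RequestedBy 'dev@contoso.com' -WhatIf
Grant-VMExpiryExtension -ComputerName 'DEVVM01' -Days 30 -RequestedBy 'dev@contoso.com'
```

Because the extension is applied to the AD attribute rather than to the VM, the existing stop and remove scripts need no change: on their next run the machine simply no longer matches their filters.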

Conclusion

This Wiki article shared one of the solutions that can be used to automatically manage the Life Cycle of AD-integrated virtual machines by using Active Directory to store their end date and PowerShell to automatically execute the required tasks through SCVMM. The shared scripts can be adapted to your environment (for example, if you have only Hyper-V servers, you can use the Hyper-V PowerShell cmdlets instead of the SCVMM ones), and solutions other than PowerShell can perform the same tasks: Microsoft System Center Orchestrator is one of them.