Export (0) Print
Expand All

Migrating a Business-Critical Application to Windows Azure

Technical Case Study

Published: August 2012

The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.

Microsoft Information Technology (Microsoft IT) used the Windows Azure operating system to create a cloud computing–based replacement for a 10-year-old, business-critical licensing application. The new solution uses Remote Desktop Licensing Manager (RD Licensing Manager) to take advantage of the scalability and extensibility benefits of Windows Azure, and to provide increased speed, business continuity capabilities, and cost-effectiveness.

Download

Download Technical Case Study, 619 KB, Microsoft Word file

Situation

Solution

Benefits

Products & Technologies

Microsoft IT wanted to replace TS Licensing Manager, an application responsible for critical business processes. TS Licensing Manager was hosted entirely in Microsoft corporate data centers, on hardware that was approaching the end of its life cycle. TS Licensing Manager also had several business-use gaps and performance issues that needed to be addressed.

Microsoft IT replaced TS Licensing Manager with Remote Desktop Licensing Manager, a Windows Azure–based application. The project team used Windows Azure to provide a more scalable, extensible, reliable, and cost-effective solution.

  • Increased performance and scalability
  • An improved user experience
  • Increased security and data protection
  • Support for new and upcoming licensed products
  • A more extensible and manageable application environment
  • Significant cost savings
  • Windows Azure
  • Windows Azure SQL Database
  • Microsoft System Center Operations Manager
  • Microsoft System Center AVIcode
  • Microsoft .NET Framework 4.0
  • Microsoft Silverlight 4.0
  • Active Directory Federation Services

Introduction

RD Licensing Manager is used to manage licensing for the Remote Desktop Services server role in a Windows Server infrastructure. It enables customers to activate their Remote Desktop license servers and manage the Remote Desktop Services client access licenses (RDS CALs) that are required for each device or user to remotely access Windows Server and virtual-desktop infrastructures.

RD Licensing Manager is a customer-facing application. It communicates directly with customer infrastructures to help ensure Remote Desktop Licensing (RD Licensing) compliance and functionality throughout Windows environments on a global scale. RD Licensing Manager has thousands of users, and it processes an average of 1,000 requests per hour.

Situation

Microsoft implemented the predecessor to RD Licensing Manager, TS Licensing Manager, more than 10 years ago to manage Terminal Server Licensing in Windows operating systems. (The Terminal Services server role was renamed to Remote Desktop Services in Windows Server 2008 R2.)

TS Licensing Manager Architecture

TS Licensing Manager was based on a data-center-oriented architecture, and it consisted of several different components that combined to provide overall TS Licensing Manager functionality:

  • An ActiveX and Internet Information Services (IIS)–based web front end, accessed by Microsoft customer service representatives, the Terminal Services Licensing Activation Site, and the Terminal Services Licensing Request (LR) wizard

  • A certification authority (CA) server, responsible for issuing certificates that helped secure data throughout the application

  • A Hardware Security Module (HSM) service, responsible for cryptography throughout the solution

  • A Microsoft SQL Server database that stored application data

The solution also communicated with Commercial Web Services (CWS), an on-premises application service used to validate volume agreement details through Volume Licensing (VL) servers hosted by the E-Commerce IT (ECIT) division of Microsoft IT.

Figure 1 illustrates the architecture of the TS Licensing Manager solution.

Figure 1. TS Licensing Manager architecture

Figure 1. TS Licensing Manager architecture

The architecture was built on several older and end-of-life products. It posed issues related to performance, maintenance, and feasibility that MSIT needed to resolve:

  • The solution was based on, and dependent on, Microsoft Windows 2000 as the core infrastructure operating system. This resulted in the following problems:

    • The process of supporting an end-of-life operating system required significant overhead and management.

    • Server resources were used inefficiently. Servers that supported TS Licensing Manager needed to be deployed to dedicated servers running Windows 2000, preventing these resources from being shared with other applications.

  • The application contained a large C++ code base, which was difficult and time-consuming to manage and maintain.

  • The application used Product Identification Keys 3.0 and earlier. However, the upcoming versions of the Windows operating system would be using a new product ID format.

  • The cryptographic design was tightly coupled with an HSM crypto-processor, which introduced the following issues:

    • The cryptography process was tied to a hardware component that was a single point of failure.

    • The tight coupling made it difficult to scale out the application.

  • The application used an encryption algorithm that did not use industry best-practice standards.

  • The user interface was developed through ActiveX technology, which caused the following issues:

    • To install the ActiveX components, the Internet Explorer browser needed to run in low-security mode.

    • Managing and maintaining the ActiveX components required a significant investment by the engineering team.

    • Every time that the ActiveX component changed, the end user had to download and install it. This process required elevated credentials and caused the involvement of additional IT resources.

  • TS Licensing Manager was designed with limited capability for scalability and extensibility, which made it difficult to respond to changes in application demand or requirements.

Suitability of TS Licensing Manager for Windows Azure

As part of a continuing commitment to cloud-based computing, Microsoft IT identified TS Licensing Manager as a suitable candidate for migration to Windows Azure. Several parts of the TS Licensing Manager functionality and architecture made it an excellent fit for Windows Azure:

  • It needed to be removed from an end-of-life platform (Windows 2000).

  • It required scalability, but current capability was insufficient.

  • It required a better and more extensible maintenance process than was currently available.

  • It had a web-based front end hosted in IIS.

The project team realized that the key application components for TS Licensing Manager all translated well to Windows Azure, and it investigated a complete migration of the application to Windows Azure.

Solution

The project team elected to migrate TS Licensing Manager to a new solution based on RD Licensing Manager on Windows Azure. The initial design of RD Licensing Manager addressed several key changes that were required for the application.

Design Goals

Early on, the project team established goals for the design of RD Licensing Manager on Windows Azure that would overcome the shortcomings of the earlier solution and provide a better solution overall.

The project team established the following design goals for RD Licensing Manager on Windows Azure:

  • Host the whole RD Licensing Manager application on Windows Azure. Hosting the whole solution on Windows Azure meant that interaction between application components would occur within the same platform, decreasing latency and points of failure, while increasing performance and manageability.

  • Enable support for new products. The team needed to integrate support for the new product ID keys being used with the upcoming release of Windows Server 2012.

  • Enable the new solution to scale up or down in order to meet spikes in application demand. The launch of new products would significantly increase usage of RD Licensing Manager. The team wanted RD Licensing Manager to be able to scale up available resources to handle high demand, and then to scale back down when demand is lower.

  • Decrease maintenance and support investment. The team recognized that the move to Windows Azure should decrease the overall requirement for application maintenance and support, as well as increase availability during application upgrades and changes.

  • Reduce costs. Maintaining the previous solution was costly. The team believed that it could significantly reduce ongoing costs by implementing the Windows Azure–based solution.

Design Implementation

After the project team established goals, it added RD Licensing Manager into a high-level architecture design. The team used the following Windows Azure roles and services in the design:

  • Windows Azure Compute web and worker roles
    The team used Windows Azure Compute roles for most components of the RD Licensing Manager architecture, including:

    • The web-based front-end (web role).

    • CA components (web role).

    • Middle-tier components, including Windows Communication Foundation (WCF), data-caching services, cryptography management, and other components that provide the link between front-end and back-end components (web role).

    • Database backup and archival processes (worker role).

  • Windows Azure storage
    The team used Windows Azure storage to store operational application information, such as diagnostic and backup-related information.

  • Windows Azure SQL Database
    All the databases previously hosted on-premises in SQL Server with the TS Licensing Manager solution were migrated to SQL Database.

The project team also identified specific design details that would help achieve the initial design goals for RD Licensing Manager.

Designing for Scalability

The demand for RD Licensing Manager services increases when a new version of Windows that supports Remote Desktop Services is released. The capability to increase application resources to meet user demand was not possible with TS Licensing Manager, but the team was able to take advantage of the multiple-instance capability of the Windows Azure roles. Roles can scale up to several instances of the same role that perform the same function, in order to distribute traffic and avoid poor performance or lost data. Because Windows Azure is natively scalable, this change was not complex to implement.

Designing for Extensibility and Ease of Development

The project team made changes and implemented features to make the new solution easier to update and maintain:

  • The team removed ActiveX from the solution and replaced it with Microsoft Silverlight 4.0 on the user interface. This simplified the user experience and removed the maintenance overhead required to maintain the ActiveX-based front-end components.

  • The native capability of the Microsoft .NET Framework 4.0 enabled the team to avoid maintaining a large code base to manage the application.

  • The team based the whole application on a modular design approach. In this approach, somewhat self-contained components (like the web front end or the database backup component) work together to provide the overall capability of the application, but they can be added, modified, or replaced without detrimentally affecting the whole application.

Designing for Security and Protection of Information

The project team targeted several security features of TS Licensing Manager for modification or removal because of changes in corporate security standards, advances in technology, or dependencies on older technologies—or to improve the overall application experience and performance. The team made the following changes for security:

  • Removed the dependency on the HSM from the application

  • Configured CAs in Windows Azure web roles to provide digital certificates for the whole solution

  • Implemented Active Directory Federation Services (AD FS) to interact with the application and Active Directory Domain Services (AD DS) information from the Microsoft corporate network

Windows Azure offers two roles for administration: admin and co-admin. Both roles have full access to the Windows Azure subscription. Microsoft IT works with multiple external vendor teams to manage their infrastructure. These teams are aligned in multiple tiers that sometimes contain more than 100 members. Giving every member full access to the Windows Azure portal did not meet Microsoft IT's security design.

To address this issue, the project team created a hosted service (known as Windows Azure Toolkit Service) that provides the flexibility to give role-based access based on a user's credentials. This service enabled the team to abstract all the secret keys, subscription IDs, and certificates from external partners and to log the activities for troubleshooting. In addition, when users leave the team, the access can be removed to prevent misuse.

Designing for Resiliency

Application availability and resiliency was an important aspect of the solution design, because of the critical nature of RD Licensing Manager and the impact that its unavailability would have on its customer base. The built-in multiple-instance capability instantly provided real-time resiliency for any of the components hosted in web or worker roles.

Additionally, application databases that were moved to SQL Database bore the same resiliency as the web and worker roles. However, to ensure the availability of data at all times, the project team established and implemented a process to back up SQL Database. By using a worker role, the project team implemented an automated database backup process that transferred data in SQL Database to a blob file in Windows Azure storage.

For high availability, the team used SQL Database Datasync to synchronize the information that is stored in SQL Database to another instance. If either of the SQL Database instances is unavailable, the application can maintain its functionality.

Solution Challenges and Design Refactoring

The project team encountered challenges that it needed to overcome during the development process.

Integrating with On-Premises Components

Commercial Web Services is an on-premises application service that is used to validate volume agreement details with Microsoft Volume Licensing. The project team decided to use direct Internet routing to create the connection from RD Licensing Manager to CWS in order to provide the most efficient communication between the components.

Another connection to external services was required for email services. In TS Licensing Manager, email was sent thorough an on-premises Simple Mail Transfer Protocol (SMTP) server. Because SMTP functionality is not part of the feature set of the Windows Azure web role, the project team devised another solution. The team used Microsoft Exchange web services to connect to RD Licensing Manager and used an internal, dedicated corporate email account for facilitating email delivery of beta license keys.

Migrating Data from the Earlier Solution to the New Solution

Application migration from operating platform to operating platform was a workable process because much of the code in TS Licensing Manager can be reused or refactored for use in RD Licensing Manager, if necessary. The project team significantly refactored many components for increased performance. One of the most significant refactoring tasks was for the databases.

The database redesign enabled the team to reduce the size of the databases from 280 gigabytes (GB) to 18 GB. One of the main contributions to this decrease was the storage of certificate thumbprints in the database, instead of the whole certificate blob.

For the initial data migration, the team performed a large part of the data processing and transformations offline on a recent backup of the database while application was live. The team created tools to detect and process just the delta during application downtime for the initial migration to Windows Azure.

All utilities and packages that the team implemented were designed to restart exactly from where it stopped to withstand failures without increasing the downtime.

Providing End-to-End Solution Monitoring

To monitor the new application in Windows Azure, the project team turned to the comprehensive capabilities of Microsoft System Center 2010. By using Microsoft System Center AVIcode for .NET and the Windows Azure Management Pack, in tandem with custom-designed monitoring components, the team provided a monitoring solution that assessed functionality and performance for the whole application.

New Solution Architecture

The RD Licensing Manager architecture hosts its application infrastructure on Windows Azure, as follows:

  • Front-end components are housed in two Windows Azure web roles:

    • The LR wizard, CSR site, and Activate site are housed in one web role.

    • The LIC Code site is housed in another web role.

  • All middle-tier components are housed in one Web role. The middle tier consists of:

    • WCF endpoints. Enables communication between different web roles.

    • Business access layer (BAL). Holds business rules and logic.

    • Data access layer (DAL). Enables connectivity to SQL Database.

    • Cache management. Improves performance by caching master user data to validate a user.

    • Cryptography manager. Manages token and CA exchange.

    • Key Check Tool (KCT). Contains native Component Object Model (COM) components and is used to open product keys to check validity.

  • CA-related components are housed in two web roles.

  • Database backup components are hosted in a worker role. This role uses Import/Export Service for SQL Database to perform daily database backup.

  • A direct Internet connection is established between the on-premises CWS service and the middle-tier components.

Figure 2 illustrates this architecture.

Figure 2. RD Licensing Manager application architecture on Windows Azure

Figure 2. RD Licensing Manager application architecture on Windows Azure

With the new solution in place, Microsoft IT now has RD Licensing Manager functioning as a 100 percent Windows Azure application and operating as part of the corporate infrastructure.

Benefits

Microsoft IT realized many important benefits from the migration of RD Licensing Manager to Windows Azure, including:

  • Increased performance and scalability. RD Licensing Manager on Windows Azure can now scale to meet peaks in application demand and overall performance.

  • An improved user experience. The migration of the user interface from ActiveX–based components to Silverlight has provided an improved and streamlined user interface, with less maintenance required.

  • Increased security and data protection. By implementing CA components in RD Licensing Manager, Microsoft IT was able to replace outdated algorithms and HSM dependencies.

  • Support for new and upcoming licensed products. The inclusion of PID 6.0 in RD Licensing Manager means that Microsoft IT's licensing solutions are now prepared for future products.

  • A more extensible and manageable application environment. Using the development capabilities of Windows Azure and implementing a modular application platform greatly decreased work required for updates and maintenance to RD Licensing.

  • Optimized application and database design. Migrating to Windows Azure enabled the project team to optimize the application and database design in RD Licensing Manager to provide a solution that was more efficient and easier to maintain.

  • Cost savings. RD Licensing Manager cost less to develop than TS Licensing Manager did, and it has reduced ongoing operations costs by 40 percent.

Lessons Learned

Because this was the first complete migration to Windows Azure for Microsoft IT, several challenges that the project team experienced have become valuable lessons learned:

  • Using host headers enables an organization to combine multiple websites on a single web role.

  • An organization must supply email functionality in Windows Azure externally. There is no native SMTP support.

  • The performance of connections to on-premises components can vary from solution to solution, even when an organization uses the same connection tool (such as Windows Azure Service Bus).

  • An organization should build retry logic into connection code, to enable the solution to recover from potential transient faults.

  • An organization can use Microsoft System Center Operations Manager to provide comprehensive monitoring capabilities, but custom code will likely be necessary.

  • Connections to on-premises components are prone to connection-related bandwidth bottlenecks, especially through proxy servers.

  • Performance testing before putting an application in the production environment is very important.

Best Practices

Based on lessons learned, Microsoft IT has adopted the following best practices that an organization should consider when it develops applications in Windows Azure:

  • Involve security and support teams early in the project to ensure that these aspects are addressed early in the design and development process.

  • Design and develop for Windows Azure from the beginning, instead of building Windows Azure into a pre-existing solution. Take advantage of cloud-based functionality as much as possible.

  • In migrating code and data to Windows Azure and SQL Database, take the time to optimize code and data structures.

  • In designing custom code, make it reusable for future implementations.

  • Perform application testing in a live Windows Azure environment.

  • Cover various deployment scenarios (for example, role sizes, number of roles, and location of roles) during performance testing.

  • If the user base is global, use a performance test environment built in Windows Azure virtual machine or worker roles.

  • Use System Center Operations Manager together with the Windows Azure Management Pack for monitoring.

  • Evaluate database requirements against SQL Database capabilities before establishing a migration scenario.

  • Be aware of network bottlenecks through proxies or firewalls. Route traffic directly to the Internet from SQL Database for enough throughput, if necessary.

Conclusion

RD Licensing Manager was Microsoft IT's first complete migration of a business-critical application to Windows Azure. By refactoring the application for Windows Azure and designing for a cloud-based platform, Microsoft IT developed a less expensive solution that provided more scalability, performance, extensibility, and reliability. Microsoft IT also learned valuable lessons about the Windows Azure development process and developed best practices to apply to future migrations.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information on the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

© 2012 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, ActiveX, Internet Explorer, Silverlight, SQL Server, Windows, Windows Azure, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft