A blog covering Azure, Hyper-V, Windows Server, desktop, systems management, deployment, and so on …
That’s the last of my blog entries on the week. My battery is at 3% and I don’t have an adaptor. Thanks to Enda and Dave from MS Ireland and Nathan for the loan of a power adapter. And thank you too to my work who made it possible for me to take another week for this sort of thing. I learned loads and hopefully you did too from my posts.
I will be returning to normal service again next week once I’ve gotten home, had a chance to recharge the batteries and I’ve caught up on work.
Speaker: Miha Kralj, Senior Architect Microsoft in Redmond. Let’s just say he won’t have gotten that title by accident. It’s a repeat session and the room is full. I think everyone heard about the first run of the session.
Facts:
This session will not be technical. It’s about trends and where we think they’re going, i.e. the future isn’t what it used to be, i.e. where’s my hover car and personal jet pack that the BBC promised me when I was a child? I’m quite irate! Seriously, some of this session will work out, some not.
Change Is Inevitable
Story: IBM was the IT giant and nearly disappeared because they didn’t evolve through research and development to match future requirements. From what I saw in a documentary, it was Lotus Notes that saved them. That’s sad (just joking Declan). IBM did not have stupid people – they did eventually get out of the hole. They did have good technology (mainframes) – a "sacred cash cow", i.e. once you achieve it you don’t mess with it. Everything was built around the mainframe. MS nearly killed the mainframe (and IBM) with DOS and Windows and client/server computing.
Once things change history you can’t go back. IT changes more quickly than anything else. Trends are unstoppable. You must be prepared: research-wise and in terms of agility and flexibility. Key to success is identifying the right things and preempt them; once the trend arrives, it’s too late to change. You probably need to get on the next trend. For example, the Dot-Bomb boom. I was employed by a data centre firm that started too late and was competing with every other IT company … everyone who had a modem started a hosting company back in 2000/2001. Those who survived either started before the data centre boom or just after the dot.bomb crash with a new market of web service hosting.
People
The current generation of graduates expect huge Internet access, large cheap storage, etc. Using restricted computing, e.g. GPO, mail controls, browser controls, etc, might send them to other companies, leaving you with lesser quality staff.
Peripherals
Look at input devices. They’re all changing. The Wii is a good example. Input and output devices will change. This could have the biggest impact in terms of universal accesability.
Communications
We’re in the communication era. What method of communication do you use to talk to someone? Phone, email, IM, video, etc? Upgrade the technology and then upgrade the people is the advice … sound like license sales for unified messaging 😉
Vendors
They’re all disappearing. Where’s Wang and Compaq and Amdahl and Olivetti and Tandem and … they’re merged. In 1997 there were 24 major server/PC vendors. Now there are 6 major vendors left. It happened in IT and cars and air transport, etc. Will this change? No. It will happen with the different industries within IT. In fact, we can see it already happening in web hosting in Ireland. The numbers are consolidating. This is inevitable in competitive environments.
What are we buying? A chassis with some management. The components from all brands are pretty much the same.
Carbon Footprint
The IT is as inefficient as aviation. We’ll be targeted by taxation inevitably. Fuel/power costs and taxes are only going one way. Where does the power go? Cooling, power, server components and the CPU. Applications actually use 0.001% of the power generated in the power plant that started out travelling to your data centre. 50% of it is lost before it even gets to the data centre. MS deliberately tries to place data centres near efficient power plants. I posted earlier about on Swedish firm that has 3 of its own wind turbines at their plant.
I posted yesterday how W2008 R2 will make changes. Blade servers and SAN use less power. Virtualisation further reduces the amount of hardware you need.
And the speaker says what I’ve been saying… how green is IT? The components are built globally and shipped to China for assembly. Then the built servers and disks are shipped around the world.
He reckons Iceland is the ideal place to build a data centre. Reasons? Lots of power coming straight out of the ground (steam), they need immigration and external investment, cheap land and it’s cold (good for cooling).
Past Success Is Your Worst Enemy
The new player is desperate and has nothing to loose. They also started because they have a new idea. They’re smaller so they are more agile and can quickly implement new innovations.
As A Service
Software as a Service, e.g. a taxi. It’s not about selling servers. That’s not SaaS. Do you ask for a Ford Mondeo with a 2.5litre engine? No, you ask to go to Leeson Street. The customer doesn’t care about Hyper-V, VMware, VMM, Virtual Centre, etc. They care about service, availability, access, etc.
Cloud Promotes New Relationships
Right now we sell technology and buy assets from. That will change to selling and buying services on a recurring unit basis, e.g. a hotel chain. Right now we thing, CRM server, database server, AD server, etc. It will change to protocols. The boxes and their locations will not be as important in the future.
Transition To Utility Computing
Technology:
Providers:
Consumers:
Regulation and Legislation
No one trusts an unregulated supplier. What’s to stop anyone from setting up and providing a cheap service that is unreliable, insecure, unstable and not highly available. Your data is moving into a cloud so you need regulation to control this. Eventually, someone will be sued for not meeting their SLA.
Social Web
The 2008 USA election has shown the arrival of the social web. It’s true that it impacts hosted IT now. Web developers blog like crazy about the tiniest of issues and make a huge deal from them. Major issues are like atomic explosions. Be aware of social web activity as both a positive and negative thing.
Web.Next
There will be pervasive and ubiquitous networking. Identity, privacy and trust are the key issues.
Will people in the future care about physical presence? 20-somethings consider MySpace and SecondLife to be the same as in-person interaction. Your digital identity will be very important. See the previous point.
How do you target people? How do you know what/who they are? Marketing uses demographics. If you’re in a digital world you can be anything you want to be, e.g. a 2 foot green dwarf.
Purchasing
There’s the future, emerging, wide application and obsolete stages in a product. The best value is in the mid-end of the emerging phases.
Sell The Sizzle, Not The Steak
Everyone has steak. Make it sparkle. Be different. Find out what the others are doing. Don’t do it better, do something else.
Globalisation
IT is available everywhere. As a graduate, how do you start? It’s all outsourced to low cost countries where there is more motivation to succeed. Will China, India, etc, dominate the cloud?
Jobs Of The Future
PHD educated staff won’t be important anymore. 7 year old knowledge is useless. We live in a current knowledge and skill economy. In house IT jobs will be rare when cloud computing. There will be more automation and less humans (already happening with optimised IT). Those humans are split between a few architects and a few junior operators. The IT career of today will not exist in 10 years time. You will need to be a dual identity person, e.g. IT/Sales, IT/management, IT/marketing.
Advice
Summary Of My Thoughts
This is not the first time I’ve heard this message. The operator/architect thing is a common theme. I’m in the hosting industry and I know these trend has already started.
I don’t necessarily agree with everything:
This is the only session in the early slot this morning that interests me. It’s the traditional post Tech-Ed party morning. However, there was no traditional Tech-Ed party… it was an invite only affair. I didn’t bother going because I was shattered. A Mickie-Dee burger and an early night to catch up on sleep was enough for me.
This presentation is by Mark Minasi. Again, just the highlights here. Attending Mark’s sessions is highly recommended. There’s much more content than shown here.
UAC
Originally intended as a security solution to protect you against accidental malware installation. It failed. MS "lied" about the original intention.
UAC is still good, not as good as it should be. You normally run as non-admin, even if not admin. Prompted to elevate when you need it. Avoids the other solution: admin has two accounts, admin and non-admin. When you logon as administrator you get two tokens: standard and administrative. Default token used for the admin’s new processes is the standard. When you try to run some programs, you’re prompted to use the admin token. How does Vista know? The program is coded to say it needs elevation. Once a process starts, you cannot change the associated token is to restart the process. If a program isn’t coded, you can do "run as administrator".
Even if this isn’t a 100% secure anti malware solution, it allows admins to have the recommended dual ID solution with a single admin account.
Run As is still there but … when you run as you run as there standard token.
You can disable this prompt but still have UAC. Use GPO to : elevate without prompting, prompt for consent (default), prompt for credentials.
The secure desktop is where the screen grays out when the prompt comes up. It’s a special session with your desktop as a screenshot. You can configure this but it’s best left as default.
Tip: to configure a program to prompt automatically, edit the properties of the exe to "run as administrator". That’s OK but not built into the program. It doesn’t travel when you copy the file, etc. Vista catches anything called setup, install or update in the file name it knows to prompt for elevation. That’s a "sometimes" workaround.
Proper solution for dodgy applications is to use a manifest. You can simply place it in the same folder as the exe. If the file is called myexe.exe then the manifest is called myexe.exe.manifest. There’s some caching behaviour with this so it may fail if you’ve been testing. Create test folders when experimenting to avoid this. There’s also a bug where you set it not to prompt but it can still prompt. Might be fixed in SP2.
Best way is to build the manifest into the exe. You use a tool called MT (in visual studio including the free Lite edition): mt /manifest <my.manifest> -outputsource:<myexe>;#1.
Windows 7 has a different UAC control, kind of like the IE security slide controls, varying from maximum to minimum/off.
Windows Integrity Levels
Every user token, object and process has an integrity level (IL). One object cannot change another unless it has an IL greater than or equal to the subject’s IL. This is also known as "mandatory integrity controls" or "windows integrity controls".
MS didn’t really use it in RTM but they left the mechanisms in place. It is possible for a user/attacker to create a file that even an administrator cannot delete.
3 types of WIL label:
Two tools you can use to see these:
Use "icacls <file> /setintegritylevel <level>" to set a WIL label on a file.
As an admin, you cannot set a WIL level as system. Icacls won’t do it. Use chml instead:
If you cannot delete a file you have permission for:
Use whoami /groups /fo list to see your session’s WIL label.
Those are the highlights. Much more in Mark’s Vista security book.
The speaker was Mark Russinovich, Microsoft Fellow and former owner of Sysinternals and Winternals.
This was a very exciting session with lots of news. Anyone attending was left quite geeked out by what’s happening with Microsoft Windows Server.
VM Migration
Live Migration is Microsoft’s answer to VMware VMotion. At a high level it seems quite similar. It requires a shared cluster file system between hosts and gradual memory transfer before switching VM’s over.
How it works:
The goal is that this entire process complete in less than 20 milliseconds.
The RAM transfer works as follows:
At this point the VM the VM is suspended (frozen). The remaining state (CPU and the few dirty pages) are copied to the target host where it can be reanimated.
Clustered Shared Volumes (CSV)
How it works:
Network Virtual Machine Queues
Right now, processing network packets for VM’s requires:
This requires 2 context switches by the host CPU.
Microsoft has worked with NIC hardware vendors to introduce Network VM Queues. The VMQ works as follows:
NIC Embedded Switch:
Hyper-V Power Management
Windows 7 (and 2008 R2) brings:
VM Memory Management
Native VHD
This is easily the most exciting development I’ve heard this week and will change server computing in the data centre over the next few releases of Windows Server.
The aim of Microsoft is to increase the usage of the published format of VHD:
Remember that we have 3 types of VHD:
Notes on VHD:
The purpose of native VHD is that you can mount a VHD file from a physical server. You can use it as an ordinary volume or you can use BCDEDIT to boot the physical machine from the VHD file. In this scenario there are two volumes. A small volume has the minimum boot files and the paging file for the server. A storage volume contains the VHD file that contains the operating system.
We get a demonstration showing the disk management in operation. Mark is actually running his demonstration operating system from a differencing disk. The clean demonstration is in VHD file 1. VHD file 2 is a differencing disk that points to VHD1 as it’s source. The machine boots from VHD2. Anything new that stores data to its disk stores the data on VHD2.
Requirements:
There is a requirement that Hyper-V is installed before you "surface" a VHD. You can only boot from VHD if you surface it. The paging file must exist on the physical boot disk.
Here’s the strategy:
How Is It Deployed?
Limitations:
Other Hyper-V Improvements
The speaker is Mark Minasi. This is the 3rd time I’ve seen this talk and I’ve heard it twice before on Mark’s security audio book. It’s impossible to take notes … trust me; this one is complex. This is the basis of everything with do in Windows (see my previous SharePoint post) and a refresher is very valuable.
After this, I’ll be off to the Auditorium for Mark Russinovich’s boot from VHD talk on Windows Server 2008 R2. That’s one seriously powerful feature.
I had problems working with and Internet based SharePoint server with Internet based clients. I was talking to Mark Minasi about this (Kerberos talk) and a kind stranger came in with a fix.
Thanks to Graeme Hill (CT, Chalmers University of Technology).
The speakers are Gordon McKenna (MVP OpsMgr) and Justin Kimber. Both from Inframon. The subject is very interesting to me and I’d consider it.
Oh man! This is a small world. The guy sat beside me twisted his laptop around to show me he was reading one of the whitepapers from my blog. That is totally cool! If you’re reading … Thank you!
These guys have P2V’d their own System Center servers at the office. They’re doing a live demo of it here. Very brave! If I was wearing a hat, I’d tip it. They’re doing the MS styled one asks a question and the other answers as a consultant.
My concern is disk performance. They’ve brought up I/O for things like ACS. We know SQL performs well on fixed size VHD, but is ideal on pass through disks. Fixed size VHD is more flexible but they recommend (correctly IMO) pass through. This is not a solution for huge deployments. Remember that virtualisation is not for everyone. Use System Center to analyse the appropriateness of virtualisation for each candidate machine.
Self Service Portal
The self service portal is brought up as being nakedly presented to the Internet via SSL. This allows remote console access to the VM. Combined with roles and you have a nice SSL based KVM for the virtual machines. Combine this with VLAN tagging (see my Hyper-V subject posts from a few months back) and you have a good combination for Hyper-V security. What I like about the web site is the simplicity. Very cleanly laid out and makes it ideal for delegated operators to manage machines they are responsible for.
For remote access, I’d alternatively suggest TS Web and TS Gateway. Publish a shortcut to MSTSC.EXE and you can bounce to any internal server without VPN. Haven’t tried it with TS but I did do it with Citrix Metaframe years ago.
Backup
Interesting point, they do bare metal backups of the VM’s using DPM 2007 and replicate the backup to a DR location. That simplifies backup recovery. The normal is to have alternative OpsMgr servers and sacrifice a goat for ConfigMgr. The DPM solution allows for much simpler and rapid recovery.
Tips
OK, these guys are light on facts and there’s a purely 100% wrong statement on their slides for RAM requirements. They’ve suggested dynamic disks for some production usage. Don’t tell PSS! Every MS document I’ve read says fixed size and pass through are the only supported disks in production. I’ve had enough. Time to leave this room. These guys are guessing.
My Advice
Be careful about what consultants you hire when you want System Center work done in the UK and watch out for MCS subcontracting to others. Ask loads of questions that you’ve already researched.
I caught the end of Steve Riley talking about the urgency of patching and a solution for VM’s. He recommended patching as soon as possible. His thoughts were the risks of not patching while waiting for testing were greater than the risks of something going wrong with a patch. Rather simplistic point of view. If an admin follows process of testing then he won’t get fired for an attack. If he deploys an update without testing then …. ouch.
Steve’s suggested process was:
There’s two problems here:
Personally, I won’t be giving up my 3 phase process: virtual lab test, pilot deployment and live deployment.
Speaker Idol is kind of like Pop/American Idol except its for technical presentation speakers. The final was held today and my friend, the "queen of deployment" Rhonda Layfield won it. Her prize is a paid for trip to TechEd EMEA next year and a slot as a session speaker.
It was interesting. Each speaker gets 5 minutes to talk about a subject of their choice. Their judged on the quality, speaking style, presentation skills, accuracy and the slide deck. The judges are very picky and the final judges included Mark Russinovich and Steve Riley. Rhonda won with a session on Network Monitor 3.x. Other presentations included Powershell performance improvement, MS Desktop Optimisation Pack for Software Assurance *phew* and a dodgy session on "hacking" Win7 to get something called Superbar. The sessions were recorded so they could be put online. I’m left wondering if the Win7 session will be online – it did talk about downloading dodgy tools and the judges were not impressed.
Muggins here was askedon Sunday if I’d participate. I got together a session on Monday morning on Hyper-V and rehearsed. I never got called in despite hearing I was in. As an apology, I got a voucher which was spent on a Geek-Shirt and a guaranteed slot next year in Berlin if I’m a delegate.
Afterwards I went wandering around the stands in the exhibitors hall. It was cool to look at the HP storage blades (a blade that only hosts disks). Right now they take up to 6 * SFF 146GB drives. In January or thereabouts, they increase to 300GB drives. There’s also some new G6 stuff on the way. I’ve got an invite into an NDA room to see the stuff in action tomorrow.
I caught up with TS guru Alex Yushchenko. He was unfortunately able to confirm that the thin terminals that are currently available don’t support XPS drivers => no TS 2008 Easy Print. We need to wait for updates from MS for XPe. That’s rather unfortunate. I love how EasyPrint works and performs: zero configuration and LAN-like printing over latent links.
The speaker is Mark Minasi. I will only blog a few points on this presentation only because it’s material that Mark make’s a living from. Despite the data here, I really recommend you attend Mark’s sessions of you get a chance … there’s always much more to be learned from him in person.
Administration
IPv6 and Name Resolution
New DNS Record Types