Month: June 2008

I’ve gotten around to writing a script that will allow you to automatically put managed agents into maintenance mode for SCOM 2007 using the AgentMM utility.  Download the file and follow the embedded instructions:

• Edit a CSV that defines what servers and when they will be put into maintenance mode.
• Set up agentmm.bat, agentmm.exe, your CSV file and the script in a folder.
• Schedule the script to run at 5 minutes to the hour, every hour.

The script will then put your servers into maintenance mode according to the instructions in the CSV, for 1 hour starting at approximately 5 minutes to the hour.

WAIVER: This script is provided as is.  There is no support for it.  I have no responsibility for what the script does.  You are 100% responsible for using the script and what it does or any related side-affects if you choose to download and use it.  Read through the script and understand exactly what it does before you even test it.  Then test it thoroughly before you put it into production.

In true David Letterman style … This page lists the top 10 issues encountered by users of the beta/RC versions of Hyper-V.  There are links to the solutions.

I just saw this link on the Virtual PC Guy blog on how to use a Windows Server 2008 file server to store the VHD’s of your file server.  Crazy but true!

In fairness, 10GB networks, dedicated NIC’s, NIC TOE and Windows Server 2008.

Credit: Jose Barreto.

EDIT:

This is in the Hyper-V release notes:

"You may encounter issues when attempting to attach virtual hard disks (VHDs) and ISOs to a virtual machine from a network share. To avoid this issue, ensure that both the Hyper-V server and the network server are members of the same domain. The network share requires read access for ISOs and read/write access for VHDs for both the user and computer account of the server running Hyper-V. If you are attempting this from a third computer (not utilizing the user interface on the server running Hyper-V), constrained delegation for Server Message Block (SMB) between the server running Hyper-V and the network file server must be enabled".

Yeah … MS licensing is nuts.  There’s no getting around it.  They must have way too many lawyers on staff.  Nothing is simple and often you find things are contradictory.

If you are a normal consumer of licenses then you should regularly download and review the Product Usage Rights (PUR) document.  It explains everything about how you need to license your products and how you can use them.

If you are a service provider such as a hosting or SAAS company then you should download and review the Service Provider Usage Rights (SPUR) document on a regular basis.  Here’s the reason why.  Under MS’s licensing terms, the only way to provide these sorts of services is via a SPLA agreement.  This is where you lease MS licenses every month.  This scheme is very complicated and I’m pretty sure some hosting companies are using the scheme illegally.  There’s 3 types of license in SPLA:

• SAL: This is where you license a server product (Windows, SQL, System Center, etc) by the number of users using the product.  You don’t have to purchase a license for the server product with this scheme.  It’s great if you have a known, fixed and small number of clients – not concurrent but potential!
• Unauthenticated Server: This is for something like a dumb web server with static content.  Windows plays absolutely no role in authenticating any users of the service provided by the server.  This is per CPU.  At the moment, this is available for Web and Data Center editions only and it’s quite cheap.  That’s a clue as to the purpose of this operating system.
• Authenticated Server: This is a per CPU license for any server where Windows does play a role in authenticating the user, e.g. Active Directory, Terminal Services, etc.  This SKU is very expensive compared to the unauthenticated server license.  This is because you do not need to purchase CAL’s.  You can support an unlimited number of clients.  For any hosting company, it is critical that your sales people get to know how your customer is authenticating their users before you give and quotes or sign any contracts; this means getting the techies talking to each other – contrary to the processes of some companies I’ve encountered.

SPLA lets a hosting company purchase 50% of the number of leased-to-customer licenses for internal usage.  Great – but do you really want to spend hundreds per month per CPU on a Windows Server when you can purchase one for 3 times that monthly lease price?  You probably already have the CAL’s.  Sometimes it’s a cost saver but not always.

In these documents you’ll find all the licensing nastiness associated with VDI/VECD, virtualisation, CAL’s and all that fun stuff.

Have a read, have a weep and then get legal.  Breaking the conditions of PUR or SPUR can get your directors thrown in prison.

It’s been discussed quite a lot (and still some plead ignorance or stupidity) but if you have sensitive information on a computer (laptop, desktop or server) then you should encrypt the disk.  Guess what?  This applies to VM’s too!

VM’s are mobile.  The are very mobile.  To steal a VM and all of it’s data, all you have to do is copy the virtual disk file.  It doesn’t matter if you’re talking about VMware or Hyper-V.  Sure ESX is a little trickier because the VM is on a less common file system but a determined thief won’t let that stop them.

You need to consider encrypting the contents of that virtual disk.  Windows Server 2008 includes BitLocker and that can encrypt the entire file system for you.  Microsoft allegedly published a document on how you could use BitLocker with Hyper-V but the download link appears to be dead.  I’m hoping they’ll rectify that.

Once you encrypt that VM, it doesn’t matter how mobile it is.  The contents of the virtual disk are protected and you’re safe.

Microsoft has released lots of information on DPM 2007:

• System Requirements
• Deploying DPM 2007
• DPM 2007 Operations Guide
• Planning a DPM 2007 Deployment
• DPM 2007 Troubleshooting Guide

There is a publicly available beta release of URLScan V3.0 for x86 and x64.

"UrlScan version 3.0 Beta is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server".

This is a common question I’ve seen on IT boards.  Is there any anti-malware with support for Windows Server 2008?  I’ve certainly not done an extensive search but I saw that AVG does have support for Windows Server 2008 with their server product range.  The price isn’t too bad either!

EDIT:

I installed and ran it on a locked down test W2003 network today and I was impressed.  It’s simple just like Trend Micro OfficeScan.  The only downside is that it appears to keep events in a SQL database where they are tougher to get at with something like System Center Operations Manager 2007.