Day 4: User Authentication Using Kerberos and NTLM

The speaker is Mark Minasi.  This is the 3rd time I’ve seen this talk and I’ve heard it twice before on Mark’s security audio book.  It’s impossible to take notes … trust me; this one is complex.  This is the basis of everything we do in Windows (see my previous SharePoint post) and a refresher is very valuable.

After this, I’ll be off to the Auditorium for Mark Russinovich’s boot from VHD talk on Windows Server 2008 R2.  That’s one seriously powerful feature.

Day 4: Internet SharePoint Authentication

I had problems working with an Internet-based SharePoint server with Internet-based clients.  I was talking to Mark Minasi about this (Kerberos talk) and a kind stranger came in with a fix.

  • Patch for SharePoint (KB number unknown at the moment – released this past Summer).
  • Enable forms based authentication for the application.
  • Enable delegation for the SharePoint server.  Two SPNs need to be created: one for the machine name and one for a domain-based server account with no user rights.
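Added example (not part of the fix above, and not the stranger’s or Microsoft’s script): how the two SPNs would be registered and checked with setspn.  Every name is a placeholder, and it assumes the two SPNs are the short and fully qualified HTTP names of the SharePoint server, both registered on the domain service account the web application runs as.

```powershell
# Added example, not from the post. Placeholder names throughout.
$NetBiosDomain  = 'CORP'                     # placeholder NetBIOS domain name
$DnsDomain      = 'corp.example'             # placeholder AD DNS domain name
$HostName       = 'spweb01'                  # placeholder SharePoint server name
$ServiceAccount = "$NetBiosDomain\svc-spapp" # placeholder domain account with no user rights

# Two HTTP SPNs for the machine name (short and FQDN forms), registered on the
# service account. -S checks the forest for a duplicate before adding, because a
# duplicate SPN is the usual cause of Kerberos silently falling back to NTLM.
setspn -S "HTTP/$HostName"            $ServiceAccount
setspn -S "HTTP/$HostName.$DnsDomain" $ServiceAccount

# Verify what is now registered on the account.
setspn -L $ServiceAccount

# Forest-wide duplicate check; any SPN listed under two accounts must be
# removed from one of them before Kerberos will work for that name.
setspn -X
```

The Delegation tab on the account in Active Directory Users and Computers only appears once an SPN is registered, so do this step first.  To confirm Kerberos is actually being used rather than NTLM, run klist on a client after browsing to the site and look for a ticket for HTTP/spweb01.corp.example (the placeholder name above); if there is none, the browser fell back to NTLM and the SPNs or delegation are still wrong.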

Thanks to Graeme Hill (CT, Chalmers University of Technology).

Day 4: Running and Maintaining The System Center Suite on MS Hyper-V

The speakers are Gordon McKenna (MVP OpsMgr) and Justin Kimber.  Both are from Inframon.  The subject is very interesting to me and I’d consider it.

Oh man!  This is a small world.  The guy sat beside me twisted his laptop around to show me he was reading one of the whitepapers from my blog.  That is totally cool!  If you’re reading … Thank you!

These guys have P2V’d their own System Center servers at the office.  They’re doing a live demo of it here.  Very brave!  If I was wearing a hat, I’d tip it.  They’re doing the MS-styled format where one asks a question and the other answers as a consultant.

My concern is disk performance.  They’ve brought up I/O for things like ACS.  We know SQL performs well on fixed size VHD, but is ideal on pass through disks.  Fixed size VHD is more flexible but they recommend (correctly IMO) pass through.  This is not a solution for huge deployments.  Remember that virtualisation is not for everyone.  Use System Center to analyse the appropriateness of virtualisation for each candidate machine.

Self Service Portal

The self service portal is brought up as being nakedly presented to the Internet via SSL.  This allows remote console access to the VM.  Combine this with roles and you have a nice SSL-based KVM for the virtual machines.  Combine this with VLAN tagging (see my Hyper-V subject posts from a few months back) and you have a good combination for Hyper-V security.  What I like about the web site is the simplicity.  Very cleanly laid out and makes it ideal for delegated operators to manage machines they are responsible for.

For remote access, I’d alternatively suggest TS Web and TS Gateway.  Publish a shortcut to MSTSC.EXE and you can bounce to any internal server without VPN.  Haven’t tried it with TS but I did do it with Citrix Metaframe years ago.

Backup

Interesting point, they do bare metal backups of the VM’s using DPM 2007 and replicate the backup to a DR location.  That simplifies backup recovery.  The normal is to have alternative OpsMgr servers and sacrifice a goat for ConfigMgr.  The DPM solution allows for much simpler and rapid recovery.

Tips

  • System Center is fully compatible (not fully supported) on Hyper-V.

OK, these guys are light on facts and there’s a purely 100% wrong statement on their slides for RAM requirements.  They’ve suggested dynamic disks for some production usage.  Don’t tell PSS!  Every MS document I’ve read says fixed size and pass through are the only supported disks in production.  I’ve had enough.  Time to leave this room.  These guys are guessing.

My Advice

Be careful about what consultants you hire when you want System Center work done in the UK and watch out for MCS subcontracting to others.  Ask loads of questions that you’ve already researched.

Day 4: Steve Riley on Hyper-V Patching

I caught the end of Steve Riley talking about the urgency of patching and a solution for VM’s.  He recommended patching as soon as possible.  His thoughts were the risks of not patching while waiting for testing were greater than the risks of something going wrong with a patch.  Rather simplistic point of view.  If an admin follows a process of testing then he won’t get fired for an attack.  If he deploys an update without testing then …. ouch.

Steve’s suggested process was:

  • Snapshot your VM’s.
  • Patch
  • If something goes wrong, rollback the VM.
  • If it goes well, remove the snapshot.

There are two problems here:

  • In my fun’n’games with PSS, I’ve learned that PSS do not support snapshots in a production environment in Hyper-V.  You must use bare metal backups using a Hyper-V VSS writer certified backup solution, e.g. DPM 2007.
  • You need to be careful about rollbacks to snapshots/bare metal backups.  Active Directory domain controllers should never be recovered in this manner in a network with more than one domain controller.  There is a risk of a USN rollback.

Personally, I won’t be giving up my 3 phase process: virtual lab test, pilot deployment and live deployment.

Day 4: Speaker Idol And Afterwards

Speaker Idol is kind of like Pop/American Idol except it’s for technical presentation speakers.  The final was held today and my friend, the "queen of deployment" Rhonda Layfield won it.  Her prize is a paid-for trip to TechEd EMEA next year and a slot as a session speaker.

It was interesting.  Each speaker gets 5 minutes to talk about a subject of their choice.  They’re judged on the quality, speaking style, presentation skills, accuracy and the slide deck.  The judges are very picky and the final judges included Mark Russinovich and Steve Riley.  Rhonda won with a session on Network Monitor 3.x.  Other presentations included Powershell performance improvement, MS Desktop Optimisation Pack for Software Assurance *phew* and a dodgy session on "hacking" Win7 to get something called Superbar.  The sessions were recorded so they could be put online.  I’m left wondering if the Win7 session will be online – it did talk about downloading dodgy tools and the judges were not impressed.

Muggins here was asked on Sunday if I’d participate.  I got together a session on Monday morning on Hyper-V and rehearsed.  I never got called in despite hearing I was in.  As an apology, I got a voucher which was spent on a Geek-Shirt and a guaranteed slot next year in Berlin if I’m a delegate.

Afterwards I went wandering around the stands in the exhibitors hall. It was cool to look at the HP storage blades (a blade that only hosts disks).  Right now they take up to 6 * SFF 146GB drives.  In January or thereabouts, they increase to 300GB drives.  There’s also some new G6 stuff on the way.  I’ve got an invite into an NDA room to see the stuff in action tomorrow.

I caught up with TS guru Alex Yushchenko.  He was unfortunately able to confirm that the thin terminals that are currently available don’t support XPS drivers => no TS 2008 Easy Print.  We need to wait for updates from MS for XPe.  That’s rather unfortunate.  I love how EasyPrint works and performs: zero configuration and LAN-like printing over latent links.

Day 3: Name Resolution 2008 Style: DNS, WINS and NetBIOS

The speaker is Mark Minasi.  I will only blog a few points on this presentation because it’s material that Mark makes a living from.  Despite the notes here, I really recommend you attend Mark’s sessions if you get a chance … there’s always much more to be learned from him in person.

  • DNS is the cause of most Active Directory issues.  True enough based on my experiences.
  • WINS is not dead.  Still used by many technologies.  Try disabling it in a lab first.  WINS is a W2008 feature.  IPv6 is not WINS aware. 
  • Computer Browser (network neighbourhood service) is turned off by default.  Network Discovery (multicast instead of broadcast) is disabled by default.  It uses UDP 3702, TCP 5357 (HTTP) and 5358 (HTTPS).  Based on WS-Discovery.  Removing legacy (pre-Vista/W2008) machines reduces LAN traffic.
  • Background zone loading: with LOTS (thousands) of AD-integrated zones, a DC could take 1 hour to boot – DNS loaded and checked all zones before completing service startup.  Now DNS starts and loads zones in the background, allowing the DC to boot faster.  DNS is multithreaded.  DNS can do an LDAP query to another DC while the AD-I zone is unavailable.  It cannot accept updates until all zones are loaded.

Administration

  • Can install DNS and/or ADDS on Server Core.  Use DNSCMD to manage DNS.  Now in the OS, not in resource kit.
  • For the first zone you create on Core using DNSCMD, restart the DNS service to make it work.  There’s a weirdness there in the DNS service.  After the first zone, everything is fine.
  • Keep reverse zones to facilitate site based GPO and to quell DNS chatter on PTR records.  All computers attempt to register PTR records even if you have no ADI PTR zone.  In that case, the registration attempt can go out onto the Internet.  Not nice at all!  See "prisoner.iana".  Or use GPO to disable PTR registration.
  • Beware the dodgy DCPROMO DNS wizard trying to create a delegation of .com, etc for your root domain.  Just say "no".  And even if things are OK, you get a warning about the zone already existing.  It’s a nonsense error.
  • RODC’s cannot accept changes to AD-I zones.  That DNS traffic will want to go to a read/write copy of AD across the WAN.  Use ADSIEdit to modify the permissions of that zone to allow the group of RODC’s to write to the zone.
  • Branch office DC offline => PCs in the branch office will hit any random DC on the WAN for logon.  We now have "Rediscover".  Automatic on W2008 and Vista.  KB939252 for XP and W2003.  GPO: Computer Configuration\Administrative Templates\System\Netlogon\DC Locator DNS Records\Force Rediscovery Interval.  The default value is 12 hours (measured in seconds).  Vista and W2008 operate differently – they use site links to find the next nearest site.  Another reason to put in sites and site links – DO NOT USE THE DEFAULT SITE LINK!  It’s lazy and leaves other things unprepared for other services, e.g. Exchange 2007.

IPv6 and Name Resolution

  • Uses LLMNR (link-local multicast name resolution).  The requestor multicasts to UDP 5335.  The answerer unicasts back to the requestor on UDP 5335.
  • AAAA (quad-A) gives name-to-IPv6 resolution.  Vista and 2008 automatically register AAAA records.  Link-local addresses that start with FE80 don’t register in DNS.  W2003 DNS handles AAAA.

New DNS Record Types

  • DNAME: maps nasty long DNS names to short friendly ones.  It’s similar to CNAME, but for whole domain names.  Handy in migration scenarios.  It’s an RFC record type.  Example: move the A or AAAA records to the new zone, then create a DNAME record in the old zone.  You cannot do this in the GUI – use DNSCMD: dnscmd /recordadd oldzone.com @ DNAME newzone.com.  The response to a query is like "Oh sorry, that doesn’t exist.  Did you mean this instead?".  If other records remain in the old zone then DNAME stops working … leave only the defaults there, e.g. SOA, NS, etc.
  • Post-WINS single-label names: use NetBIOS-style names for DNS lookups, e.g. myserver instead of myserver.myzone.com.  Requires 2008 on all DNS servers.  Use a zone called "GlobalNames".  Enable global name resolution on all DNS servers that hold that zone.  Now add CNAMEs in this zone, e.g. myserver maps to myserver.myzone.com.  Best to use AD-integrated zones.  Putting it in ForestDNSZones makes sense – it’s a global zone.  You can use it as a WINS replacement for manageable numbers of records; they’re manually created.
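Both the DNAME migration trick and the GlobalNames zone, as one added worked example (not from Mark’s session): the dnscmd calls to set each up, plus the nslookup checks that show they took effect.  The server name and zone names are placeholders.

```powershell
# Added example, not from the session. Server and zone names are placeholders.
$DnsServer = 'dc01'          # placeholder: a Windows Server 2008 DNS server
$OldZone   = 'oldzone.com'   # placeholder: the zone being retired
$NewZone   = 'newzone.com'   # placeholder: the zone that now holds the A/AAAA records

# --- DNAME: redirect the whole old namespace to the new one ----------------
# The DNAME sits at the zone apex (@) and the old zone must hold nothing but
# its SOA and NS records; any other record left there stops DNAME from working.
dnscmd $DnsServer /RecordAdd $OldZone @ DNAME $NewZone

# Check: a query for a name under the old zone should be answered with the
# equivalent name under the new zone (host1 is a placeholder name).
nslookup "host1.$OldZone" $DnsServer

# --- GlobalNames: single-label names without WINS --------------------------
# 1) Create the zone AD-integrated in the forest-wide partition (ForestDnsZones),
#    so every DC that runs DNS gets a copy.
dnscmd $DnsServer /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 2) Turn on GlobalNames support. Repeat on every 2008 DNS server in the
#    forest: a server without it enabled simply ignores the zone.
dnscmd $DnsServer /Config /EnableGlobalNamesSupport 1

# 3) One CNAME per single-label name. These are static records, so keep the
#    set manageable; this is a WINS replacement for servers, not for clients.
dnscmd $DnsServer /RecordAdd GlobalNames myserver CNAME myserver.myzone.com.

# Check: the bare single-label name must now resolve through the CNAME.
nslookup myserver $DnsServer
```

Run the /Config step on each DNS server before relying on the zone; a client that happens to query a server where it is still off will get a plain NXDOMAIN for the single-label name and you will chase a phantom replication problem.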

Day 4: Deploying VM’s Using VMM 2008

Michael Nystrom is the speaker.

I arrived 5 minutes too late (work interfering!).  This guy needs to realise he has an audience.  He was muttering away to himself while using WSIM and MDT on a huge resolution screen.  These tools have tiny writing to begin with and are already confusing even for someone familiar with them.  I was half way down the room and couldn’t make out what he was doing.  A smaller resolution, some step-by-step bullet points in a powerpoint and a zoom utility would help – and stop muttering to yourself.  This is unfortunate because he appears to know this stuff inside/out but he’s not good at getting it across to a large room.

Hyper-V point: Make sure the time zone is set correctly on the VM.  Even if you disable all integration services, the VM will synch the clock with the host when it boots up.

It appears the concept he’s trying to get across is that you can have many machine profiles that specify virtual machine specifications.  You can use answer files created in WSIM to configure Vista or Windows Server 2008 installation and configuration.  Deployment of the VM’s and configuration of the OS would be almost completely automated.  These can be made available via the self-service portal in VMM 2008.  Non-host administrators can select the "templates" to deploy new VM’s.  The resources available to them are controlled by a quota.  VMM 2008 Intelligent Placement will pick a host on which to locate the VM.

There’s no discussion here of the storage side of things – Windows 2008/Hyper-V really relies on individual LUN’s per VM that must be sized appropriately for the individual VM.  W2008/VMM 2008 cannot deploy that storage for you.  This is a nice idea but for me, it won’t be a viable solution until Windows Server 2008 R2.  R2 will have a storage solution similar to VMware VMFS: a single LUN is accessible to multiple hosts and therefore can host many virtual machines.  LUN assignment is no longer an issue and doesn’t require a SAN/server admin for each VM to be deployed.

Also, this solution appears to be a fresh install every time.  I think I’d prefer sysprepped VHD/template deployment because it would be slightly quicker.  This would be followed by "RunOnce" to run a script(s), e.g. unattended servermanagercmd.exe scripts.  However, Core does not really work well with RunOnce.

I think I’ll be waiting until the video is available to download and try this out myself  before I even attempt to discuss it further.  This guy’s presentation skills are pretty poor and he needs to get some training.

Day 3: Operations Manager 2007 Cross Platform Extensions

Installation

  • Integrated into 2007 R2
  • New pre-req checker for WS-Management 1.1
  • Unix/Linux agents are copied to the OpsMgr server

Configuration

  • Import management packs for the OS’s you use.
  • Limitation in the beta: the profile user account can only support 1 user in OpsMgr 2007 – Fixed in R2.  This account uses SSH for discovery and 1 diagnostic.  Monitoring is done through WS-Management.  You can limit this account to certain hosts to prevent crack attempts with unauthenticated health service installations.  This can even be filtered to objects or groups or classes in the OpsMgr database.
  • Create Run As Accounts
  • Create profiles

Discovery Wizard

  • Built on OpsMgr discovery framework
  • Fully integrated – choose between Windows, Unix/Linux and network devices.
  • The discovery is moved in R2 into the Administration space of the console.  This was done to hide functionality from the operators.
  • For Unix we can search by IP, DNS name or IP range.  SSH is required on the box for this discovery otherwise it fails.  SSH not used if an agent already exists. 
  • There is functionality to allow for SSH via low privilege user and SU to root – tick box and an extra password.
  • Now we import the management packs – downloaded from the catalogue (when published).

What Can We Do Now?

  • We can monitor Application/Service, hardware, operating system (including daemons) and heartbeat.
  • Note only 6 daemons are monitored by default because every Unix/Linux box is different.  Bespoke discovery available.
  • Heartbeat: alert if machine down, DNS name changes or agent cert expires.
  • Discovers logical disks, NIC’s, processors, etc.
  • Monitors health, performance, utilisation, availability, etc.
  • Seems identical to Windows  monitoring on the face of it.   Completely integrated.
  • Knowledge is integrated in the MP.  The CPE team has Unix/Linux background and they hired real *nix administrators.
  • Log file (text search) monitoring: SU usage, root logon failure, critical authentication failures, break-in attempts, SSH authentication failure, successful login to root.  Completely extensible beyond this, e.g. write your own or use third-party ones.
  • New MP templates: log file and service (daemon).  You use these to create custom *nix monitoring.
  • Rails proved to be a PITA to monitor via text log.  A tool MS used to test is included in the rule wizard.
  • Using a template you can monitor process or daemons not included in the default set of 6.  You have to apply this to a server and maybe a group of servers.
  • Daemon checking happens every 5 minutes.
  • The fault resolution includes a hyperlink for applying the fix via Tasks; just like Windows.
  • If the WS-Man daemon (the "agent") goes offline then it can be restarted via SSH.
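The default log-file rules listed above are really just text searches over the Unix auth log.  As an added example (not the product’s own rules or code), here is a PowerShell function run over constructed syslog-style auth log lines that classifies them into the same event classes; the patterns, severities and sample lines are all assumptions made for the illustration.

```powershell
# Added example, not from the session. The log lines below are constructed
# samples in syslog format; the patterns are an illustration of the event
# classes the default rules cover, not OpsMgr's own rule definitions.
$SampleLog = @'
Nov 13 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51522 ssh2
Nov 13 09:12:05 web01 sshd[2215]: Failed password for root from 192.0.2.10 port 51530 ssh2
Nov 13 09:13:40 web01 sshd[2240]: Accepted publickey for root from 198.51.100.7 port 40102 ssh2
Nov 13 09:15:02 web01 su: (to root) alice on /dev/pts/1
Nov 13 09:15:10 web01 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=root
Nov 13 09:16:00 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
'@

function Get-AuthEvents {
    param([string[]]$Lines)
    # Ordered: the root-specific rules come before the generic SSH rule so that
    # a failed root logon is reported as the more serious event.
    $Rules = @(
        @{ Name = 'Root logon failure';         Severity = 'Critical';    Pattern = 'Failed password for (?<user>root) from (?<src>\S+)' },
        @{ Name = 'Successful login to root';   Severity = 'Warning';     Pattern = 'Accepted \S+ for (?<user>root) from (?<src>\S+)' },
        @{ Name = 'SSH authentication failure'; Severity = 'Warning';     Pattern = 'Failed password for (invalid user )?(?<user>\S+) from (?<src>\S+)' },
        @{ Name = 'SU to root failure';         Severity = 'Critical';    Pattern = 'su.*authentication failure.*logname=(?<user>\S+).*user=root' },
        @{ Name = 'SU usage';                   Severity = 'Information'; Pattern = 'su: \(to (?<target>\S+)\) (?<user>\S+) on' }
    )
    foreach ($line in $Lines) {
        foreach ($rule in $Rules) {
            if ($line -match $rule.Pattern) {
                [pscustomobject]@{
                    Time     = $line.Substring(0, 15)      # syslog timestamp, e.g. "Nov 13 09:12:01"
                    Host     = ($line -split ' ')[3]       # host field after the timestamp
                    Severity = $rule.Severity
                    Event    = $rule.Name
                    User     = $Matches['user']
                    Source   = $Matches['src']             # $null for local (su) events
                    Line     = $line
                }
                break   # first matching rule wins: one alert per line
            }
        }
    }
}

# Lines that match no rule (the cron entry above) produce nothing, which is
# the behaviour you want from a text-search rule: silence unless it fires.
$events = Get-AuthEvents -Lines ($SampleLog -split '\r?\n')
$events | Format-Table Time, Host, Severity, Event, User, Source -AutoSize
```

The order of the rules is the point worth keeping when you build your own in the rule wizard: a generic "Failed password" rule evaluated first would swallow the root case at a lower severity, so put the specific, higher-severity patterns ahead of the catch-alls.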

Reporting

  • There are reports.
  • If you import reports but they’re not visible then refresh the site.
  • Reporting works just like with Windows, i.e. seamless.

How It Works

  • This works via a polling mechanism.
  • You can customise the polling times for different systems.
  • The providers on the monitored box filter events and then share with the polling management server.
  • The unofficial scalability: 200 Unix per management server was the aim.  They hit 600 before optimising the code.  No application management packs in that test.

Beta

  • Out now.
  • New one in a couple of weeks.

Application Monitoring

  • MS are not writing management packs for Oracle, MySQL, etc.
  • MS leaving this to partners or vendors.
  • Authoring of management packs is the same as with Windows.
  • Discovery, scripting and data extraction are dependent on the application/OS.
  • Partners: Novell for SUSE – Samba, DNS, DHCP, etc.  Xandros – lots of stuff including TomCat, MySQL, DB2, Sendmail, Oracle, Websphere and Apache (also building some Windows ones too).

Notes

  • MS are serious about this.  2 people 18 months ago, 37 now.
  • Note: F5 has management packs.
  • OpsMgr 2007 R2 RTM in Q2 2009 with CPE.

Day 3: Vista SP1 By Mark Minasi

There are 5 sessions that I’d like to go to at the same time during this time slot!!! Luckily the attendees get to download videos of the session.

I won’t be blogging this session because Mark makes a living from his copyrighted sessions – and he’s a friend.  Sorry!

Anyway – you should install SP1 because MS stats show crashes reduced since it was deployed.

Day 3: Microsoft System Center Virtual Machine Manager Advanced Features

The speaker is Edwin Yuen, Senior Technical Product Manager from MS.  This is a level 300 session compared to yesterday’s level 200.  See that post.

The vast majority of people in the room are running VMware.  Maybe 20% of those are looking at using VMM 2008 to manage ESX – hence get a better management experience, not necessarily as complete as with Hyper-V.

Here we go again on Powershell 😉  See previous posts.

The focus here will be on the management of Virtual Center using VMM 2008.  High Availability for Hyper-V using VMM – you need to know what to do in storage/Windows and what to do in VMM.  VMM can’t do everything, e.g. provision LUN’s.

VMware

Support for VMware covers:

  • VC 2.5
  • VC 2.0.1
  • ESX 3.5
  • ESX 3.0.2
  • ESX 3i *new to RTM*

VMM will be the manager of managers.  You can have many VC instances managed by a single VMM 2008.  Uses:

  • VI SDK API’s.
  • SFTP: File operations on ESX 3.5 and 3.0.2.
  • HTTPS: File operations on 3i

More features:

  • Secure mode is on by default.  This uses SSL for management using the VI SSL cert.
  • Host credential operations require root SSH to be enabled to move certain operations from "OK (Limited)" to "OK" (the status of the ESX host in the console): power state, VM configuration, VMotion, checkpoint, save state and migration.  Add credentials in the properties (Security tab) of the host in VMM to complete the configuration of the host.
  • Enabling PRO on ESX is possible – that surprises me to be honest and is impressive.  You should not turn on both PRO and DRS.  They will definitely conflict with each other, causing constant VMotion of VM’s.
  • There is a new network diagram view in the RTM release for 2008.
  • Do your host/VM installs in VC and then do day-day operations in VMM 2008.  Resource Pools are manageable within VMM.
  • You can do P2v and V2V of a VMware VM to Hyper-V.
  • Powershell can be used to manage VMware.
  • Do your VMware trouble shooting from within VC.
  • VMotion is referred to as Live Migration in VMM 2008.  Usable from within the console.  VC is still a requirement for VMotion.

Clustering Hyper V Step by Step

In server:

  • Configure Node (BIOS, Ent/DC per node), add failover clustering.
  • Storage: iSCSI or Fibre Channel; storage must support persistent reservations; recommended 1 GUID LUN per VM.
  • Networking: 2 NIC’s recommended.
  • Add/remove nodes to/from cluster.

In VMM:

  • Add host cluster
  • VMM handles all future node additions/removals
  • Surface available disk

Clustering the VM is now a tick box in the properties of the VM.  Use the intelligent placement strategy to place it on a suitable host.  A VM can be moved to a library but it retains the HA property for when you return it to the cluster, e.g. a template of a highly available VM.  If you tick the box on a VM that’s not on a cluster then you’re prompted by intelligent placement (IP) to move the VM to a suitable host.

Refresh the cluster in VMM after adding storage.