Defining Cloud Computing

One of the most infuriating things about cloud computing has been the marketing that wraps it up.  There are a couple of international service providers (both having datacenters here in Ireland) who pretend that they invented “the cloud” when they sell it.  There are plenty of marketing people who try to define “the cloud” as being whatever they sell.  It’s one of those fluffy things that is constantly changing shape as it floats past us.

I was reading a story on Network World where a BMC executive said “It’s fundamentally that the cloud focuses on delivering services. I think this sometimes gets lost in a lot of the discussion around cloud computing. Everybody’s talking about infrastructure and hypervisors and virtualization, all of the components. At the end of the day, what customers really care about is getting secure, reliable, trusted services, whether that’s from their internal IT department or from the external broker to their IT department, or from an external provider directly”.

I like that comment.  He also said that he likes the American National Institute of Standards and Technology (NIST) definition.  It’s a simple 2 page document that starts with: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.  It goes on to list different components, architectures and delivery models that could be considered a part of or type of cloud computing.

What we need to remember is:

  • It’s all about delivering a service.
  • There are many varieties.
  • Don’t get caught up in the marketing crappola.

Release Details for Mastering Hyper-V Deployment

Sybex passed on the release dates for my book, Mastering Hyper-V Deployment, overnight.

  • Paperback: October 25th
  • Kindle, ePDF, ePub: November 9th

I’m quite looking forward to getting my copy of the book and seeing it for the first time.  Then I need to find a store where it’s on the shelf, stand in front of it and do my happy dance (kinda like I did in Bellevue at the MVP summit earlier this year when I saw Mastering Windows Server 2008 R2 (with my name on the cover) in Barnes & Noble).

Internet Explorer 9 Beta

The IE9 beta has been launched by Microsoft.  I just read a review that says it brings features that have been long needed.  One of those is a download manager.  Yup, IE badly needed this.  In the age of wifi networking (prone to interruption) and mobile computing (who hasn’t had to hibernate the laptop in the middle of a download) IE has needed this since … well … 1996 maybe?  Plenty of people have used other browsers or independent download managers to compensate.

I’m told the UI is smaller because, like with Office, many of the browser features aren’t used by most people.  That gives more viewing space for the content.  I’ll wait and see.

A nice new bit takes advantage of the way people work with Windows 7.  You can grab a tab, apparently, and drag it to the taskbar, where it becomes a pinned shortcut.  Lots of people do this with programs so they can be quickly launched.  We’re moving to browser based SaaS so this makes sense.

Something very cool was demonstrated by MS Ireland’s DPE, Martha Rotter, at our user group event last week.  IE9 can use a graphics card in a client machine to process graphics.  You can see this in action using the test drive website.

Stuck on XP?  Sorry folks, MS aren’t exactly going to be developing much (if anything) new for you folks anymore.  You’ll need Vista or Windows 7 for IE9.

I’m hoping to download and install IE9 on my Windows 7 netbook today.

A Cloudy Outlook

Just a few musings …

I was talking about a potential cloud migration from on-site the other day.  The first question I was asked was “would you move everything?”.  No.  In reality I don’t think I would.  Some systems or applications work best in an on-site environment.  I might advise tweaking how things are done to improve them, but some systems aren’t suited for the cloud right now.

“Would you use “thin” PCs and an online version of Office?”  Definitely not.  Some SaaS applications are perfect as an online only solution.  Take an online helpdesk.  All I need to use it is a web browser.  What about office productivity?  I am a firm believer that Office (or whatever) needs to remain on the PC.  You can easily integrate with something like BPOS.  Some solutions work best with an installed client.  For example, I use TweetDeck for Twitter but I can fall back to the featureless Twitter site.  I also use FeedDemon for RSS via Google Reader (no MS Live alternative).  My “data” is online and accessible using a client from any of my PCs.  I can also go directly online to use the service and “data”.

“Should work practices remain the same or change?”.  It depends.  No easy answers here.  Look at how you work.  Does a process involve multiple applications and spreadsheets?  Maybe there is a SaaS solution that wraps that all into one tidy package.  You might have been doing something a certain way for 10 years but that doesn’t mean it is the only way or even the right way.  Analysis of procedures and applications is required on a case-by-case basis.

“We want to use an online version of the email product that we use now”.  Ugh.  Email is email.  It’s a message that is wrapped up and shoved out a pipe on TCP 25.  Focus on what client you will use, how you will configure it, and how it will integrate with the other online solutions.  For example, BPOS has integrated mail/SharePoint/online communications.  I’m told that Salesforce integrates with Gmail but nothing else (strategic alliance).

Like I said, just some musings.

KB2308590: Hotfix Rollup for VMM 2008 R2

Microsoft has released a new hotfix rollup package for System Center Virtual Machine Manager 2008 R2.  There are 3 included fixes:

Issue 1

Duplicate virtual machines (VMs) may appear in the SCVMM Administrator Console window after a Hyper-V VM in a cluster fails over to another cluster node. Additionally, the status for one of the duplicate VMs is set to Missing. If you try to remove the missing VM from the SCVMM Administrator Console window, the VM is not removed.

Issue 2

Consider the following scenario:

  • You install the Hyper-V role on a computer that is running Windows Server 2008 R2.
  • You configure the computer to start from a virtual hard disk.
  • The computer is part of a Hyper-V failover cluster. The cluster is configured to use cluster shared volumes.
  • You try to create a VM on a cluster shared volume by using SCVMM 2008 R2.

In this scenario, the operation fails together with the 2912 (0x8004232C) error code.

Issue 3

The Virtual Machine Manager service (Vmmservice.exe) crashes if the following conditions are true:

  • System Center Operations Manager 2007 integration is enabled.
  • A Performance and Resource Optimization (PRO) feature-enabled management pack is imported into Operations Manager.
  • The PRO settings for a host group are changed on the SCVMM server.

The package also includes 3 previous hotfix rollup packages:

CA Report on Downtime

I’ve just read a news story on Silicon Republic that discusses a CA press release.  CA are saying that European businesses are losing €17 billion (over $22 billion) a year in IT down time.  I guess their solution is to use CA software to prevent this.  But my previous experience working for a CA reseller, being certified in their software, and knowing what their pre-release testing/patching is like, I would suspect that using their software will simply swap “downtime” for “maintenance windows” *ducks flying camera tripods*.

What causes downtime?

Data Loss

The best way to avoid this is to back up your data.  Let’s start with file servers.  Few administrators know about, or have bothered to turn on, VSS snapshots (Shadow Copies of Shared Folders) of the volumes containing their file shares.  If a user (or power user) or helpdesk admin can easily right-click to recover a file then why the hell wouldn’t you use this feature?  You can quickly recover a file without even launching a backup product console or recalling tapes.

Backup is still being done direct to tape with the full/incremental model.  I still see admins collecting those full/incremental tapes in the morning and sending them offsite.  How do you recover a file?  Well VSS is turned off so you have to recall the tapes.  The file might not be in last night’s incremental so you have to call in many more tapes.  Tapes need to be mounted, catalogued, etc, and then you hope the backup job ran correctly because the “job engine” in the backup software keeps crashing.

Many backup solutions now use VSS to allow backups to disk, to the cloud, to disk->tape, to disk->cloud, or even to disk->DR site disk->tape.  That means you can recover a file with a maximum of 15 minutes loss (depending on the setup) and not have to recall tapes from offsite storage.
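As an added example (not code from the original post), here is how the Shadow Copies feature is switched on and scheduled for a Windows Server 2008 R2 file server volume from PowerShell, and how a file is pulled back from a snapshot with no backup console and no tape recall.  The volume letter, share name, file path and snapshot timestamp are assumptions.

```powershell
# Added example, not from the original post. Assumptions: volume D: holds the shares,
# the share is \\FS01\Data, and the snapshot timestamp and file path are constructed.
$Volume = 'D:'

function Enable-ShareShadowCopies {
    param([string]$Vol = $Volume, [string]$MaxSize = '10%')

    # Reserve shadow storage on the same volume. vssadmin accepts a size (e.g. 20GB) or a
    # percentage; without an explicit reserve Windows keeps a small default and old
    # snapshots are discarded quickly. "add" fails if an association already exists,
    # so resize in that case instead.
    $assoc = vssadmin list shadowstorage /for=$Vol | Select-String -SimpleMatch "($Vol)"
    if ($assoc) {
        vssadmin resize shadowstorage /for=$Vol /on=$Vol /maxsize=$MaxSize | Out-Null
    } else {
        vssadmin add shadowstorage /for=$Vol /on=$Vol /maxsize=$MaxSize | Out-Null
    }

    # Take one snapshot now so the Previous Versions tab is populated immediately
    # ("vssadmin create shadow" is available on the server SKUs).
    vssadmin create shadow /for=$Vol | Out-Null

    # Schedule further snapshots as SYSTEM. Two a day is the GUI default; a shorter
    # interval shrinks the window of loss but eats the reserve faster (64 snapshots max
    # per volume, after which the oldest is dropped).
    foreach ($time in '07:00', '12:00') {
        $task = "ShadowCopy_$($Vol.TrimEnd(':'))_$($time -replace ':','')"
        schtasks /create /f /tn $task /tr "vssadmin create shadow /for=$Vol" `
            /sc daily /st $time /ru SYSTEM /rl HIGHEST | Out-Null
    }
}

function Get-ShadowCopyCount {
    param([string]$Vol = $Volume)
    # Each snapshot is reported as a "Shadow Copy ID:" line; counting them confirms the
    # scheduled task is actually producing snapshots.
    @(vssadmin list shadows /for=$Vol | Select-String -SimpleMatch 'Shadow Copy ID:').Count
}

function Restore-FromPreviousVersion {
    param(
        [string]$Share    = '\\FS01\Data',               # assumption
        [string]$Snapshot = '@GMT-2010.09.20-07.00.00',  # constructed; take the real one from "vssadmin list shadows"
        [string]$File     = 'Finance\budget.xlsx',       # assumption
        [string]$Dest     = "$env:TEMP\budget.recovered.xlsx"
    )
    # A snapshot is reachable over SMB as a hidden @GMT-yyyy.MM.dd-HH.mm.ss folder at the
    # share root, which is what the Previous Versions tab walks. Copying a file out of it
    # is the whole restore.
    Copy-Item -Path (Join-Path (Join-Path $Share $Snapshot) $File) -Destination $Dest
    Get-Item $Dest
}

Enable-ShareShadowCopies
"Snapshots on $Volume : $(Get-ShadowCopyCount)"
```

The reserve size is the knob that matters: the 64-snapshot ceiling is rarely reached in practice because the storage reserve fills first, so size it for the churn on the volume rather than for the number of snapshots you would like to keep.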

High Availability

Clustering.  That word sends shivers down many spines.  I started doing clustering on Windows back in 1997 or thereabouts using third party solutions and then with Microsoft Wolfpack (NT 4.0 Advanced Server or something).  I was a junior consultant and used to set up demo labs for making SQL and the like highly available.  It was messy and complex.  Implementing a cluster took days and specialist skills.  Our senior consultant would set up clusters in the UK and Ireland, taking a week or more, and charging the highest rates.  Things pretty much stayed like that until Windows Server 2008 came along.  With that OS, you can set up a single-site cluster in 30 minutes once the hardware is set up.  Installing the SQL service pack takes longer than setting up a cluster now!

You can cluster applications that are running on physical servers.  That might be failover clustering (SQL), network load balancing (web servers) or built-in application high availability (SQL replication, Lotus Domino clustering, or Exchange DAG).

The vast majority of applications should now be installed in virtual machines.  For production systems, you really should be clustering the hosts.  That gives you host hardware fault tolerance, allowing virtual machines to move between hosts for scheduled maintenance or in response to faults (move after failure or in response to performance/minor fault issues).

You can implement things like NLB or failover clustering within virtual machines.  The VMs still have an internal single point of failure: the guest OS and its services.  NLB can be done using the OS feature or using load-balancing appliances; either way, give the VMs static MAC addresses so the NLB configuration survives a move between hosts.  Using iSCSI, you can present LUNs from a SAN directly to your virtual machines and run failover clustering inside them.  That makes the services they run highly available.  So now, if a host fails, the host cluster moves the virtual machines around.  If a virtual machine fails, the service fails over to another virtual machine.
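An added example (not the post’s own code) of the two layers just described, using the FailoverClusters module that ships with Windows Server 2008 R2: the host cluster with a Cluster Shared Volume, and the same cmdlets reused for a guest cluster whose VMs reach a SAN LUN over the Microsoft iSCSI initiator.  Node names, cluster names, addresses and the target IQN are assumptions.

```powershell
# Added example, not from the original post. Node names, cluster name, IP address,
# iSCSI portal and target IQN are assumptions. Run on one node of the cluster-to-be.
Import-Module FailoverClusters

function New-TwoNodeCluster {
    param(
        [string[]]$Nodes,
        [string]$ClusterName,
        [string]$ClusterIP,
        [switch]$WithCsv   # hosts get a CSV; a 2008 R2 guest cluster cannot (CSV is Hyper-V only)
    )
    # Validate first. A failed test is cheaper than a cluster that quietly lacks quorum or
    # a redundant network, and the HTML report is what support asks for.
    Test-Cluster -Node $Nodes | Out-Null
    $cluster = New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP

    if ($WithCsv) {
        # 2008 R2 makes you switch CSV on per cluster before any disk can be converted.
        (Get-Cluster -Name $ClusterName).EnableSharedVolumes = 'Enabled'
        # Every shared disk not taken as the witness sits in "Available Storage" as a
        # Physical Disk resource; make each one a CSV so all nodes can run VMs from it.
        Get-ClusterResource -Cluster $ClusterName |
            Where-Object { $_.ResourceType.Name -eq 'Physical Disk' -and
                           $_.OwnerGroup.Name -eq 'Available Storage' } |
            ForEach-Object { Add-ClusterSharedVolume -Cluster $ClusterName -Name $_.Name | Out-Null }
        Get-ClusterSharedVolume -Cluster $ClusterName
    }
    $cluster
}

function Connect-GuestIscsiLun {
    param([string]$Portal = '10.0.0.10',                               # assumption
          [string]$Iqn    = 'iqn.2010-09.com.example:sqlclus-lun1')    # assumption
    # Inside each guest: the VM reaches the SAN LUN through the Microsoft iSCSI initiator,
    # which is what lets failover clustering inside the VMs share a disk. QLoginTarget is
    # not persistent; add the target as a Favorite in the iSCSI Initiator control panel
    # so the LUN returns after a reboot.
    Set-Service MSiSCSI -StartupType Automatic
    Start-Service MSiSCSI
    iscsicli QAddTargetPortal $Portal | Out-Null
    iscsicli QLoginTarget $Iqn | Out-Null
    iscsicli SessionList
}

# Host layer: hardware fault tolerance, VMs move between hosts.
New-TwoNodeCluster -Nodes 'HV01','HV02' -ClusterName 'HVCLUS01' -ClusterIP '10.0.0.50' -WithCsv

# Guest layer (run inside the VMs after Connect-GuestIscsiLun on each of them): the service
# fails over between VMs, so a dead guest OS is no longer a single point of failure.
# New-TwoNodeCluster -Nodes 'SQL01','SQL02' -ClusterName 'SQLCLUS01' -ClusterIP '10.0.1.50'
```

The guest cluster needs the LUN visible from both VMs before New-Cluster runs, otherwise the validation report lists no shared storage and the cluster comes up with no disk witness and nothing to fail over.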

Monitoring

It is critical that you know an issue is occurring or about to occur.  That’s only possible with complete monitoring.  Ping is not enterprise monitoring.  Looking at a few SNMP things is not enterprise monitoring.  You need to be able to know how healthy the hardware is.  Virtualisation is the new hardware so you need to know how it is doing.  How is it performing?  Is the hardware detecting a performance issue?  Is the storage (most critical of all) seeing a problem?  Applications are accessed via the network so is it OK?  Are the operating systems and services OK?  What is the end user experience like?

I’ve said it before and I’ll say it again.  Knowing that there is a problem, knowing what it is, and telling the users this will win you some kudos from the business.  Immediately identifying a root cause will minimize downtime.  Ping won’t allow you to do that.  Pulling some CPU temperature from SNMP won’t get you there.  You need application, infrastructure and user intelligence and only an enterprise monitoring solution can give you this.

Core Infrastructure

We’re getting outside my space but this is the network and power systems.  Critical systems should have A+B power and networking.  Put in dual firewalls, dual paths from them to the servers.  Put in a diesel generator (with fuel!), a UPS, etc.  Don’t forget your Aircon.  You need fault tolerance there too.  And it’s no good just leaving it there.  They need to be tested.  I’ve seen a major service provider have issues when these things have not kicked in as expected due to some freak simple circumstances.

Disaster Recovery Site

That’s a whole other story.  But virtualisation makes this much easier.  Don’t forget to test!

Last Friday’s User Group Event, Including Dynamic Memory

We ran our first Windows User Group event for quite some time last Friday.  It was a full day, with about 45% of the 138 registrants turning up.  The other 55% missed out on an excellent day that was stuffed full of information.

I kicked off with the intro.  Dave Northey (MS Ireland DPE) stepped in with a quick few slides on how MS Ireland is getting even more involved with the community, including a new feedback tool based on Silverlight.  I talked about Service Pack 1 beta release for Windows 7 and Windows Server 2008 R2.  This featured a live demo of Dynamic Memory being configured, pushed to the extremes of my demo laptop, and handling things quite well.  It was quite an interactive session.  The question of the morning was:

“Would a virtual machine that has expanded from 2 GB RAM up to 8 GB and then ballooned back to 2GB take longer to live migrate than a VM with a static 2 GB of RAM?”  I didn’t know for certain so I checked with the product group.  The answer is: live migration only has to copy whatever memory is physically assigned at the time, so the times should be identical.  Somehow, I screwed up the audio of my webcast but some people stayed tuned in anyway.

The coffee break came a little late.  Martha Rotter (MS Ireland DPE) did a quick session to demo Windows Phone 7 and IE9.  I think everyone was impressed with IE9 being able to use a client’s GPU to process graphics.

Nathan Winters (Exchange MVP, Gray Convergence) did a session that covered Exchange 2010 SP1.  There was a little info on Exchange 2010 and tonnes of new info.  Nathan reckons you could probably have an entire day on just SP1!

Lunchtime – and MS Ireland has especially set up a demo booth with the Xbox 360 Kinect device (that’s the one where you become the controller).  It was difficult bringing people back into the auditorium after that!

There was a session swap because of schedule conflicts.  Wilbour Craddock (Partner team, MS Ireland) did a session on SCE 2010.  Most MS Ireland customers fall into the small & medium business bracket so this was of great interest to people.  It’s still surprising how many people have not heard of SCE because it solves many problems that are not being resolved by the usually deployed free/crap-ware.

The sessions ended with John McCabe (Unified Communications MVP, CDsoft Ltd) presenting on UC (Live Communications) “wave 14”.  We now know this as Lync Server 2010 (Hmm, interesting name).  This one isn’t that widely adopted in Ireland which is odd; it solves many problems but I think the ability to telecommute is held back more by employers attitudes rather than technology at this point.

We wrapped up the day by giving away lots of goodies.  Books, Arc mice, XBox games, stress balls, all went out.  We ended up running out of questions to ask the audience for the prizes – the last question was “who wants to go home now?”.

Feedback was positive.  We’re already planning the next session.  The original plan was to have it in February.  That might be brought forward but that depends on a few things.  Details will be communicated asap.

Windows Server 2008 R2 Hyper-V CSV and NTLM

I went to my first IT conference in April 2004 – it was WinConnections in Vegas.  It was there I heard people like Mark Minasi, Steve Riley, and Jeremy Moskowitz speaking for the first time.  It was there that I started thinking beyond the off-the-shelf text book and training course.  One of the things that came up was authentication security.  Active Directory could use NTLM, NTLMv2, or Kerberos, with the latter being the most secure, and the former being not so good (I think they put it in stronger terms).

The advice was to disable NTLM authentication across the network using GPO.  I’ve heard it dozens of times since.  It seems to be accepted best practice.  I’ve seen it deployed countless times.

We Hyper-V engineers/administrators are going to have a problem with that.  Cluster Shared Volume (CSV, the Windows Server 2008 R2 shared file system for clustered Hyper-V hosts) uses NTLM authentication between the hosts.  Enabling a policy to disable NTLM will break CSV and cause the following alert:

  • ID: 5121
  • Source: Microsoft-Windows-FailoverClustering
  • Version: 6.1
  • Symbolic Name: DCM_VOLUME_NO_DIRECT_IO_DUE_TO_FAILURE
  • Message: Cluster Shared Volume ‘%1’ (‘%2’) is no longer directly accessible from this cluster node

This is another situation where security auditors will try to enforce a policy that breaks things for us (the other is antivirus on the host).  Be precise about which policy.  The long-standing hardening, LAN Manager authentication level 5 (send NTLMv2 only, refuse LM and NTLMv1), leaves CSV working, because the nodes authenticate to each other with NTLMv2.  It is the Windows 7 and Windows Server 2008 R2 “Network security: Restrict NTLM” policies, set to deny, that break it.  The clustered Hyper-V hosts need an exception.  One way is security filtering: put the NTLM setting in a GPO of its own, filter that GPO to a security group, and keep the cluster nodes’ computer objects out of that group.  The other way is to create a second GPO that sets NTLM back to allowed, link it to the OU holding the clustered hosts, and give it higher precedence than the hardening GPO.  Whichever you pick, run the restriction in audit mode first; the NTLM operational log then shows every authentication the deny setting would have blocked, the CSV traffic included.
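An added example (not code from the original post) that does the three things a Hyper-V admin wants when this policy lands: read which NTLM restriction is actually in force on a node and whether it is the CSV-breaking kind, find the 5121 redirected-access events and the NTLM audit events, and apply the security-filtering exception.  The GPO name and group name are assumptions; the GroupPolicy cmdlets are named Get-GPPermissions/Set-GPPermissions (plural) on 2008 R2 and the singular form on later releases, and run on a machine with the GroupPolicy module (a DC or RSAT).

```powershell
# Added example, not from the original post. Assumptions: the Restrict NTLM setting lives
# in a GPO named 'Server Hardening - Restrict NTLM', the computers it should apply to are
# in a group 'NTLM Restricted Computers', and the cluster nodes are kept out of that group.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = "$LsaKey\MSV1_0"

function Get-NtlmRestrictionState {
    # LmCompatibilityLevel 5 ("Send NTLMv2 response only. Refuse LM & NTLM") leaves CSV
    # alone: the nodes authenticate to each other with NTLMv2. The 2008 R2 "Network
    # security: Restrict NTLM" values under MSV1_0 can refuse NTLMv2 too, and those are
    # what push CSV into redirected access:
    #   RestrictSendingNTLMTraffic    0 Allow all   1 Audit all              2 Deny all
    #   RestrictReceivingNTLMTraffic  0 Allow all   1 Deny for domain accts  2 Deny all
    $lsa  = Get-ItemProperty -Path $LsaKey  -ErrorAction SilentlyContinue
    $msv  = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    $send = [int]$msv.RestrictSendingNTLMTraffic     # $null casts to 0 = not configured
    $recv = [int]$msv.RestrictReceivingNTLMTraffic
    New-Object PSObject -Property @{
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
        RestrictSending      = $send
        RestrictReceiving    = $recv
        AllowedNtlmServers   = $msv.ClientAllowedNTLMServers
        BreaksCsv            = ($send -eq 2 -or $recv -ge 1)  # node computer accounts are domain accounts
    }
}

function Get-CsvRedirectedEvents {
    param([string]$Node = $env:COMPUTERNAME, [int]$Last = 10)
    # 5121: the CSV is no longer directly accessible from this node, so its I/O is being
    # redirected over the cluster network. With NTLM denied it fires on every node that
    # is not the coordinator for the volume.
    Get-WinEvent -ComputerName $Node -MaxEvents $Last -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-FailoverClustering'; Id = 5121 }
}

function Get-NtlmAuditEvents {
    param([string]$Node = $env:COMPUTERNAME, [int]$Last = 20)
    # Safer order of operations: set RestrictSendingNTLMTraffic to 1 (audit) first. Each
    # NTLM logon that "deny" would have blocked is then logged as 8001 (outgoing) or
    # 8002 (incoming) in the NTLM operational log, which shows the CSV traffic before
    # anything breaks.
    Get-WinEvent -ComputerName $Node -MaxEvents $Last -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002 }
}

function Set-NtlmGpoSecurityFilter {
    param(
        [string]$GpoName    = 'Server Hardening - Restrict NTLM',  # assumption: GPO carrying only this setting
        [string]$ApplyGroup = 'NTLM Restricted Computers'           # assumption: cluster nodes are not members
    )
    Import-Module GroupPolicy
    # Authenticated Users keeps Read (the GPO must stay readable) but loses Apply;
    # -Replace is required because the cmdlet will not lower an existing level otherwise.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Get-GPPermission -Name $GpoName -All
}

Get-NtlmRestrictionState
Get-CsvRedirectedEvents
# After filtering: group membership for a computer is read at boot, so reboot the node
# (or at least gpupdate /force after a reboot); "gpresult /r /scope computer" should then
# list the hardening GPO as filtered out and the 5121 events should stop.
```

The filtering route is preferred over a second “allow NTLM” GPO because a Security Options setting and an Administrative Templates setting for the same registry value are applied by different client-side extensions, and link order does not reliably decide between them; keeping the hardening GPO off the nodes entirely avoids that race.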

Network Security in the Hypervisor

I just read an interesting article that follows up some presentations at VMWorld.  It discusses the topic of security in the Hypervisor (ESX in this case) – the author is actually focusing solely on network security.  Other aspects such as policy, updating, etc, are not discussed. 

The author asks 4 questions:

Q) Security is too complicated, and takes too many separate devices to configure/control.
A) Yes – and I agree, sort of.

Security should be simple.  It isn’t.  It requires too many disparate point solutions.  Let me step back a moment.  Why do I like Windows, AD, System Center, Hyper-V, etc?  It’s because they are all integrated.  I can have one tidy solution with AD being the beating heart of it all.  And that even includes security systems like WSUS/ConfigMgr (update management), NAP (policy enforcement), BitLocker/BitLocker To Go, device lock downs on personal computers, remote access (DirectAccess or VPN via RADIUS/IAS) etc.

Things start to fall apart for network security.  Sure you can use whatever ISA Server is called these days (Sorry ForeFront; you are the red headed stepchild in Redmond, locked away where no one knows you exist).  Network security means firewall appliances, IDS systems, VPN appliances, VPN clients that make every living moment (for users and admins) a painful existence, etc.  None of these systems integrate.

To VMware’s credit, they have added vShield into their hypervisor to bring firewall functionality.  That would be fine for a 100% virtual or cloud environment.  That’s the sort of role I had for 3 years (on ESX and Hyper-V).  I relied on Cisco admins to do all the firewall work in ASA clusters.  That’s way out of my scope and it meant deployments took longer and cost more.  It slowed down changes.  It added more systems and more cost.  A hypervisor based firewall would have been most welcome.  But I was in the “cloud” business.

In the real world, we virtualization experts know that not everything can be virtualized.  Sometimes there are performance, scalability, licensing, and/or support issues that prevent the installation of an application in a virtual machine.  Having only a hypervisor based firewall is pretty pointless then.  You’d need a firewall in the physical and the virtual world.

Ugh!  More complications and more systems!  Here’s what I would love to see (I’m having a brainfart) …

  • A physical firewall that has integration in some way to a hypervisor based firewall.  That will allow a centralized point of management, possibly by using a central policy server.
  • The hypervisor firewall should be a module that can be installed or enabled.  This would allow third parties to develop a solution.  So, if I run Hyper-V, I’d like to have the option of a Checkpoint hypervisor module, a Microsoft one, a Cisco one, etc, to match and integrate with my physical systems.  That simplifies network administration and engineering.
  • There should be a way to do some form of delegation for management of the hypervisor firewall.  In the real world, network admins are reluctant to share access to their appliances.  They also might not want to manage a virtual environment which is rapidly changing.  This means that they’ll need to delegate some form of administrative rights and limit those rights.
  • Speaking of a rapidly changing virtual environment: A policy mechanism would be needed to allow limited access to critical VLANs, ports, etc.  VMs should also default to some secure VLAN with security system access.
  • All of this should integrate with AD to reuse users and groups.

I reckon that, with much more time, this could be expanded.  But that’s my brain emptied after thinking about it for a couple of minutes, early in the morning, without a good cup of coffee to wake me up.

Q) Security now belongs in the hypervisor layer.
A) Undecided – I would say it should reside there but not solely there.

As I said above, I think it needs to exist in the hypervisor (for public cloud, and for scenarios where complicated secure networks must be engineered, and to simplify admin) and in the physical world because there is a need to secure physical machines.

Q) Workloads in VMs are more secure than workloads on physical systems.
A) Undecided – I agree with the author.

I just don’t know that VM’s are more secure.  From a network point of view, I don’t see any difference at all.  How is a hypervisor based firewall more secure than a physical firewall?  I don’t see the winning point for that argument.

Q) Customers using vShield can cut security costs by 5x compared to today’s current state-of-the-art, while improving overall security.
A) Undecided – I disagree with VMware on this one.

The need for a physical environment is still required to protect physical infrastructure.  That cost is going nowhere.

This is all well and good, but this all forgets about security being a 3D thing, not just the single dimension of firewall security.  All those other systems need to be run, ideally in an integrated management, authentication/authorisation environment such as AD.