Windows Server 2008 R2 Hyper-V Achieves BSI EAL 4+ Security Certification

Windows Server 2008 R2 Hyper-V has just achieved EAL 4+ security certification from the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) in Germany.  According to Wikipedia:

EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Thanks to Dariusz Porowski (@DariuszPorowski) for the heads up on this news.

Configuration Manager 2012 Error, Past Due – Will Be Retired

I just had a bit of a head scratcher while building my ConfigMgr 2012 lab.  I had created an application to deploy Lync 2010 by policy to a collection of devices.  The “mandatory assignment” (this is old terminology for legacy packages/advertisements) was to install the Lync 2010 client as soon as possible.

I refreshed policy on my test machine and got this error in Software Center:

Past Due – Will Be Retired

Huh?!?!  I didn’t set an expiration on the deployment.  I could not figure this out.  The AppEnforce log in C:\Windows\CCM\Logs held the clue to this mysterious error:

Command Line: setup.exe /install /silent

The installer is called LyncSetup.exe, not Setup.exe.  I corrected the Deployment Type in my application for Lync 2010 and reran machine policy on the client machine.  The install now worked.  Then the real test: I manually uninstalled Lync, and ran the Application Deployment Evaluation Cycle on the client.  The reinstall (by policy) worked perfectly.
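A check that would have shortened that head scratch: pull the install command out of the AppEnforce log and confirm the executable it names actually exists in the content the client downloaded. This is an added example, not code from the original post. The two CMTrace-format log lines below are constructed for illustration, and the exact `Command line:` / `Content path:` field names in AppEnforce.log are an assumption about the log layout.

```powershell
# Added example: does the executable named in an AppEnforce.log install
# command exist in the downloaded content folder? Log lines and paths
# are constructed; the "Command line:"/"Content path:" labels are assumed.

function Get-AppEnforceCommand {
    param([Parameter(Mandatory)][string[]]$LogLine)

    # CMTrace format: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $entries = foreach ($line in $LogLine) {
        if ($line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!>') { $Matches.msg.Trim() }
    }
    $cmd  = ($entries | Where-Object { $_ -like 'Command line:*' } | Select-Object -First 1) -replace '^Command line:\s*', ''
    $path = ($entries | Where-Object { $_ -like 'Content path:*' } | Select-Object -First 1) -replace '^Content path:\s*', ''
    [pscustomobject]@{ CommandLine = $cmd; ContentPath = $path }
}

function Test-AppEnforceExecutable {
    param([Parameter(Mandatory)][string]$CommandLine,
          [Parameter(Mandatory)][string]$ContentPath)

    # First token of the command line is the executable, quoted or bare
    $exe  = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $full = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $ContentPath $exe }
    [pscustomobject]@{
        Executable = $exe
        Resolved   = $full
        Exists     = Test-Path -LiteralPath $full -PathType Leaf
    }
}

# Constructed sample: what the mis-typed deployment type from the post would log
$sample = @(
    '<![LOG[    Command line: setup.exe /install /silent]LOG]!><time="10:01:02.123+000" date="03-15-2012" component="AppEnforce" context="" type="1" thread="1234" file="appprovider.cpp:100">',
    '<![LOG[    Content path: C:\Windows\ccmcache\3]LOG]!><time="10:01:02.124+000" date="03-15-2012" component="AppEnforce" context="" type="1" thread="1234" file="appprovider.cpp:101">'
)
$parsed = Get-AppEnforceCommand -LogLine $sample
# On a real client, feed it the file instead:
# $parsed = Get-AppEnforceCommand -LogLine (Get-Content C:\Windows\CCM\Logs\AppEnforce.log)
Test-AppEnforceExecutable -CommandLine $parsed.CommandLine -ContentPath $parsed.ContentPath
```

If `Exists` comes back false, the deployment type's install command is pointing at a file that is not in the content, which is exactly the setup.exe versus LyncSetup.exe mismatch above; fix the Deployment Type, then rerun the machine policy cycle on the client.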

Windows 8 GA in October 2012

Bloomberg is reporting that Windows 8 will be generally available in October of this year.  That’s not so different to the Windows 7 schedule:

Windows 7 was released to manufacturing on July 22, 2009, and reached general retail availability worldwide on October 22, 2009.

Therefore I won’t be surprised to see Windows 8 (client and server) RTM in July or August.

Microsoft Assessment and Planning Toolkit 6.5.4228.0 Released

A new release of MAP is out

The Microsoft Assessment and Planning (MAP) Toolkit is an agentless, automated, multi-product planning and assessment tool for quicker and easier desktop and server migrations. MAP provides detailed readiness assessment reports and executive proposals with extensive hardware and software information, and actionable recommendations to help organizations accelerate their IT infrastructure planning process, and gather more detail on assets that reside within their current environment. MAP also provides private and public cloud planning assessments, and server utilization data for Hyper-V server virtualization planning; identifying server placements, and performing virtualization candidate assessments, including ROI analysis for server consolidation with Hyper-V. Other significant new features in MAP 6.5 include the discovery of active Windows devices, Software Usage Tracking for Forefront Endpoint Protection (FEP), and the discovery of Oracle instances on Itanium-based servers with HP-UX to assist in the planning of migration to SQL Server.

I’ve said plenty about MAP in the past.  Here’s how I sum it up now: when people come to me with stupid questions or design issues, I already know what their answer will be when I ask for their assessment data – there will be none.  If you can’t figure that logic out, then you should go pick fruit instead of working in IT.

My Configuration Manager 2012 Demo Lab on Windows 8 (Client) Hyper-V

I am one of a number of guest presenters at the Microsoft Ireland System Center 2012 launch events in Dublin (this Thursday) and Belfast (next Tuesday).  Each of the 4 guests is presenting a different aspect of System Center in the afternoon, with 40-45 minute slots for each of us.

I have a background in SMS/Configuration Manager (I was an MVP for 1 year before switching to Hyper-V) and the others tend to focus on VMM/OpsMgr/Service Manager/Orchestrator so I decided I’d go for the product that I happen to love most of the lot … the one that lets an IT megalomaniac have his/her way with a network.  OpsMgr might be the product that I would always put in 3rd in a new network (DCs first, Hyper-V second), but ConfigMgr would never be far behind because I can get so much information from it and use it to deploy and control the entire lifecycle of the PCs.  So that’s what I’ll be focusing on in my presentation.

The lab “looks” something like this:

[image: lab network diagram]

The “beast” laptop is booting from Windows 8 (the client OS) Consumer Preview and Hyper-V is enabled.  I have my VMs stored on the SSD.  The laptop is connected to Wi-fi with DHCP enabled, making it mobile – perfect for demos.  I need to be able to demo OS deployment with my lab so I need DHCP that is insulated from the physical world.  Therefore my lab guests are running on an internal virtual switch rather than an external one.

I still need Internet access.  That’s why I have an external virtual switch.  It is configured to enable the parent (the Win 8 OS on the laptop) to share the Wi-fi connection.  I have set up a virtual proxy server to enable the isolated guests to have Internet access – the Configuration Manager Primary Site Server needs to download updates from Microsoft. 

I also need the parent partition to access the internal virtual switch (to copy files to machines and to RDP into VMs for the demo – RDP performs better than Virtual Connect) and to simultaneously access the Wi-Fi network.  DNS was an issue.  The solution?  I have configured the Internal local area connection on the parent partition with an IP config for the Internal network.  The browser is also configured to use the guest proxy.  Problem solved and I’ve accelerated browser performance.
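The two-switch layout described above, built with the Hyper-V and NetTCPIP modules that ship in Windows 8. This is an added example, not the author's own script: the switch names, the `Wi-Fi` adapter name, the 192.168.50.0/24 lab subnet, the DC/DNS address, and the `Lab-Proxy` VM name are all assumptions.

```powershell
# Added example: isolated lab network plus a single proxy VM for Internet
# access on Windows 8 client Hyper-V. Names and addresses are assumptions.

$wifiAdapter = 'Wi-Fi'           # physical NIC to bridge for Internet access
$labDns      = '192.168.50.10'   # lab DC / DNS server VM
$parentLabIp = '192.168.50.2'    # parent partition's address on the lab network

# Isolated switch: lab DHCP/PXE traffic never reaches the physical network,
# so an OS deployment demo cannot hand out leases on the venue Wi-Fi.
New-VMSwitch -Name 'Lab-Internal' -SwitchType Internal | Out-Null

# Bridged switch: only the proxy VM connects here, so the lab has one
# controlled path out. -AllowManagementOS keeps the parent on the Wi-Fi.
New-VMSwitch -Name 'Lab-External' -NetAdapterName $wifiAdapter -AllowManagementOS $true | Out-Null

# The internal switch gives the parent a "vEthernet (Lab-Internal)" adapter;
# address it so the parent can copy files to and RDP into the lab VMs.
New-NetIPAddress -InterfaceAlias 'vEthernet (Lab-Internal)' -IPAddress $parentLabIp -PrefixLength 24 | Out-Null
# Lab names resolve through the lab DC on that interface only; Wi-Fi keeps its own DNS.
Set-DnsClientServerAddress -InterfaceAlias 'vEthernet (Lab-Internal)' -ServerAddresses $labDns

# Proxy VM: one NIC on each switch. Every other lab VM stays internal-only.
Connect-VMNetworkAdapter -VMName 'Lab-Proxy' -Name 'Network Adapter' -SwitchName 'Lab-Internal'
Add-VMNetworkAdapter -VMName 'Lab-Proxy' -SwitchName 'Lab-External'
Get-VM | Where-Object Name -ne 'Lab-Proxy' | Get-VMNetworkAdapter |
    Connect-VMNetworkAdapter -SwitchName 'Lab-Internal'

# Check: nothing but the proxy should ever be attached to the external switch.
Get-VM | Get-VMNetworkAdapter | Where-Object SwitchName -eq 'Lab-External' |
    Select-Object VMName, SwitchName, MacAddress
```

The last query is the one worth rerunning before a demo: a lab VM that drifts onto the external switch puts the lab's DHCP and PXE services on the venue network.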

I have to set the presentation in stone still.  I got the lab 95% to where I want it but the presentation will be demo-centric:

  1. Talk about ConfigMgr
  2. The new approach of ConfigMgr and new features, then switch to demo
  3. OS deployment
  4. Security (Endpoint Protection, patching and firewall policy)
  5. End user experience – solve a problem using the Application Catalog
  6. Admin experience – New console, s/w deployment, custom policy, auditing, reporting, dashboards, etc.

Considering the focus of Configuration Manager 2012 is controlled, secure, and audited empowerment of the end user then I want to show as much of that as possible.  That’s the goal anyway.

Hey Ken Hess of ZDNet; You’re a FUD Feeding Fool! Yes, VMware Release Fixes Too

I’ve just read Dear Hyper-V fans, I’ll take that apology now by apparent VMware apologist Ken Hess on ZDNet.  I guess this fanboy who poses as a journalist is upset over the recent hypervisor vote on ZDNet where Hyper-V beat vSphere.

In his article, Hess says:

If you used VMware, you wouldn’t have to reboot your vulnerable systems after patching for the RDP Worm today. Sure, you’ll still have to patch all of your Windows VMs that ride on top of your VMware hosts but at least you don’t have to patch and reboot the VMware host system.

Huh!  Strange that.  Is Hess saying that VMware never releases patches for vSphere?  I think if you follow that link then you might find a different answer to that.  Or maybe the almighty VMware never have to release a security fix for vSphere?  Woops, wrong again Kenny-boy.  Maybe vSphere security fixes don’t require a host reboot?

Host Reboot Required: Yes

Oh it appears they do. 

OK, we don’t have downtime for VMs then?

Virtual Machine Migration or Shutdown Required: Yes

Damn.  Ken must have seen something.  I know; patching vSphere must be easy just like it is for Hyper-V (where Automatic Updates, WSUS, System Center Configuration Manager, System Center Virtual Machine Manager 2012, or Windows 8 Cluster Aware Update are all options):

ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Additionally, the system can be updated using the image profile and the esxcli software profile command

Dagnammit, that sounds like a lot of work to me.  At least the patch is probably small.

297.7 MB

OK, so is Ken Hess just a full-of-it, so-called journalist, FUD fool, or is he just an uneducated moron?  Hey real journalists, I respect your ability to report news fairly, but guys like this do your trade no good.  But I guess maybe Hess isn’t a journalist.

Maybe he’s a consultant or admin – I’d sure hate to be his client or employer because it appears that Kenny-boy has never checked the vSphere site for patches.  The fact is that any complex piece of code requires bug fixes and security patches.  To deny that … well … to deny that makes you a moron.

Me wonders if Windows Server 8 Hyper-V has ‘em scared?

KB2686812 – W2008 and W2008 R2 May Hang On Boot With Hyper-V Role Enabled

A new Hyper-V KB article appeared online overnight for a situation where Windows Server 2008 and Windows Server 2008 R2 may hang on boot with the Hyper-V role enabled. 

“Consider the following scenario:

  • Install Windows Server 2008 or Windows Server 2008 R2.
  • Enable the Hyper-V Role under Server Roles.
  • The machine hangs or encounters a 0x3E bugcheck (MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED) after you restart the machine.

On a system with Mixed Processor Steppings, the Memory type range registers are not consistent across all the processors. When the Hyper-V role is enabled, this can cause system instability.

Ensure that all Processor Steppings are consistent (MTRR Capabilities) across all processors that are installed on the system. 

This has been reported to occur with the following combination of processors/Server hardware:
– HP BL460G1/G5 with Intel Xeon 5110 and E5310 processors installed”.

Personally, I thought people would know better than to mix processors in a single host like this.
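Before enabling the role on a multi-socket box it is worth checking for exactly this condition. The script below is an added example (not from the KB or the original post): it compares the family/model/stepping and CPUID signature that each socket reports through `Win32_Processor`, which is a proxy for the MTRR capability mismatch the KB describes rather than a direct read of the MTRRs. It uses `Get-WmiObject` so it runs on the PowerShell 2.0 that Windows Server 2008 R2 ships with.

```powershell
# Added example: flag mixed processor steppings on a host before the
# Hyper-V role is enabled. Uses WMI so it runs on W2008 R2's PowerShell 2.0.

function Test-ProcessorSteppingConsistent {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # One Win32_Processor instance per physical socket
    $cpus = Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName |
        Select-Object DeviceID, Name, Caption, Stepping, ProcessorId

    # Caption carries "Family 6 Model 15 Stepping 6"; ProcessorId carries the
    # CPUID signature and feature flags, so it also differs across steppings.
    $signatures = @($cpus | ForEach-Object { '{0} | {1}' -f $_.Caption, $_.ProcessorId } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Processors   = $cpus
        Signatures   = $signatures
        Consistent   = ($signatures.Count -le 1)
    }
}

$result = Test-ProcessorSteppingConsistent
$result.Processors | Format-Table DeviceID, Name, Caption, Stepping -AutoSize
if (-not $result.Consistent) {
    Write-Warning ("Mixed processor steppings on {0}: {1}. Match the CPUs before enabling the Hyper-V role (KB2686812)." -f `
        $result.ComputerName, ($result.Signatures -join '; '))
}
```

Run it against each host with `-ComputerName` before the role goes on; a blade chassis that has had a single CPU swapped under warranty is the usual way this mix sneaks in.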

A Visit To The Bill & Melinda Gates Foundation

Before the MVP Summit, a few of us were lucky enough to receive an invitation, via Didier Van Hoye,  to visit with the IT team in the Bill & Melinda Gates Foundation in Seattle.  It was a pleasure to spend a few hours with them, tour their facility, and chat about tech.

Didier has the details and photos in his blog post on the visit so please head on over to check it out. 

Windows Server 2012 Hyper-V Dynamic Memory Changes

The memory optimization mechanism that was added in Windows Server 2008 R2 Service Pack 1 Hyper-V, Dynamic Memory (DM), improves with WS2012.

Minimum Memory

Windows 8/WS2012 are doing some really clever things; you might have heard of MinWin. That was an effort by Microsoft to reduce the footprint of Windows 8. The primary beneficiary was Windows On ARM (WOA), where tablets may have fewer resources than a normal PC. A second beneficiary is virtualisation: memory is the bottleneck in dense virtualisation, such as VDI or VM hosting, and squeezing down the running size of Windows 8 means we can squeeze even more running Windows 8 VMs onto a host. That means that Windows 8 can actually use less than the 512 MB RAM that is listed as a system requirement. In fact, when idle, it can drop well below 512 MB RAM. In the lab at work, I’ve observed Windows Server 2012 VMs requiring as little as 312 MB RAM without being manually squeezed.

But there’s a catch: Windows boot requires 512 MB RAM. If we set Startup Memory to 512 MB then how could we get those savings if we couldn’t balloon down?

A “new” feature of DM is Minimum Memory. I say “new” because it actually existed under the covers in W2008 R2 SP1 but Microsoft really didn’t want us to use it. And that’s why the majority of us never knew it was there. Minimum Memory allows you to specify an amount of memory that is smaller than Startup Memory, and allows an idle VM to balloon down to, but not below, the Minimum Memory amount if there is unused memory in the VM. For example, a VM would start with 512 MB RAM. Once it is booted, and the integration components are started, if the VM is idle, it might balloon down from 512 MB to whatever it requires plus the buffer (20% by default).

Using Minimum Memory, we can allow idle VMs to throttle back their memory consumption to below their Startup Memory requirement. In a small farm, this might never happen. But in a large farm, such as VDI, hosting, or a large private cloud, there very well may be many VMs that do little 90% of the time. Their freed-up RAM can be used to service the needs of other VMs that do need the memory, or to increase VM density on a host.

Smart Paging

Let’s get this clear before the FUD starts and the VMware fanboys wet themselves: Hyper-V does not do second level paging (as VMware does, because it overcommits memory) for VMs. Second level paging is considered inefficient because a hypervisor has no vision into a VM’s memory use and so cannot prioritise or page it effectively.

But … there is a situation where Hyper-V could do with a little bit more memory. Let’s consider those idle VMs that have ballooned down to their minimum memory. What if we had a host with a LOT of RAM, and we patched/rebooted a large percentage of VDI VMs, maybe even all of them. We’d go from a situation where we had lots of VMs using their Minimum Memory to a lot of VMs using their Startup Memory. What if we had to reset a lot of those VMs? Or what if we rebooted a host and the VMs set to auto-start required their Startup Memory and it wasn’t available?

There are very rare occasions where Hyper-V will need to provide more memory than is available. How rare will these occasions be? Very: if a host is running happily along with VMs idled down to their Minimum Memory, and the only reason they need more than that is to start up, then you actually have a pretty healthy host with a very brief requirement for more memory. In the real world, things like Failover Clustering, VMM Dynamic Optimization, VMM/OpsMgr PRO, and Live Migration will mitigate this squeeze on memory by moving running VMs. But Hyper-V must do something for those rare occasions where a normally non-contended host temporarily requires memory to service boot up for those otherwise idle VMs.

That’s where Smart Paging comes in. Smart Paging is engaged only in one of the following scenarios, and only if there is not enough host memory for a VM to meet its Startup Memory requirement:

  • A host reboot
  • A VM reboot
  • A VM reset

A Smart Paging file is created (by default) in each VM’s storage location. This paging file will temporarily provide additional memory to the VM. I stress “temporarily” because you will get an alert if a VM is still using the Smart Paging file after 30 minutes. Eventually each previously idle VM will balloon back down below its Startup Memory and alleviate the temporary pressure.

Disk Requirements

If you’ve read my Dynamic Memory paper or heard me speak on the topic then you know that I’ve advised you to consider the amount of available physical memory when sizing VM storage because of the need for varying sized BIN files. This could be complicated by having many CSVs in a cluster and require some conservative estimates.

We are seeing some changes with the BIN file. You will only need to reserve disk space now if your VMs are set to automatically save their state during a clean host shutdown. This save state action is exactly why the BIN file was required. No auto-save state, no need for BIN file.

MemoryReserve

Another thing you should know about after hearing me speak or reading my guide is MemoryReserve. This is the automatically calculated setting that conserves memory for the parent partition so it has enough resources for its own operations, e.g. doing a backup of VMs, monitoring, AV scans, servicing administrator logons, etc. In Windows Server 2012, Microsoft has changed this automatic calculation so that more memory is reserved for the parent partition, thus better enabling management components to work more effectively with less memory pressure caused by expanding VMs. I don’t know the details of the algorithm, and I’m still in favour of manually configuring this setting to something that I know, control, and can change if required (registry or custom GPO).
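The Minimum Memory, Smart Paging, saved-state (BIN) and MemoryReserve points above, put into one configuration pass with the WS2012 Hyper-V module. This is an added example, not the author's script or guide: the VM name `VDI-01`, the memory sizes, the `D:\SmartPaging` path and the 2048 MB reserve are assumptions to size for your own host; the `MemoryReserve` DWORD under the `Virtualization` registry key is the documented setting the paragraph refers to.

```powershell
# Added example: Dynamic Memory with Minimum < Startup, a relocated Smart
# Paging file, no BIN reservation, and a pinned parent MemoryReserve.
# VM name, sizes, path and reserve value are assumptions.

$vmName = 'VDI-01'

# Startup 512 MB (what Windows needs to boot), Minimum 256 MB (what an idle
# VM may balloon down to), Maximum 2 GB, default 20% buffer.
# Minimum must not exceed Startup; Set-VMMemory rejects the reverse.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
    -StartupBytes 512MB -MinimumBytes 256MB -MaximumBytes 2GB -Buffer 20

# Smart Paging file defaults to the VM's own folder. Put it where a burst of
# temporary paging (host/VM reboot or VM reset only) will not fight the VHDs.
Set-VM -VMName $vmName -SmartPagingFilePath 'D:\SmartPaging'

# No save-state on host shutdown means no BIN file reserved on the VM's storage.
Set-VM -VMName $vmName -AutomaticStopAction ShutDown

# Assigned vs demanded memory: Demand above Assigned on many VMs at once is
# the reboot-storm squeeze that Smart Paging exists to absorb.
Get-VM -Name $vmName |
    Select-Object Name, MemoryStartup, MemoryMinimum, MemoryMaximum, MemoryAssigned, MemoryDemand, MemoryStatus

# Parent partition reserve in MB (DWORD). 2048 is an assumption: size it to
# what the parent's backup agent, AV and monitoring actually need.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
New-ItemProperty -Path $key -Name MemoryReserve -PropertyType DWord -Value 2048 -Force | Out-Null
# The reserve is read when Hyper-V starts; restart the host for it to apply.
Get-ItemProperty -Path $key -Name MemoryReserve | Select-Object MemoryReserve
```

Setting `MemoryReserve` explicitly is a deliberate choice over the automatic calculation: it is a value you know, can audit across hosts, and can push by GPO preference, which is what the paragraph above argues for.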

Minasi Conference 2012

Mark Minasi’s mini-IT conference is back in action in 2012.  It might be mini in size, but it swings a big game in content.  The speakers include big conference names like Mark Minasi and Don Jones.  You’ll also find a bunch of MVPs, Microsoft employees, and industry experts speaking and attending.  Being a mini-conference, this is a place where you can get to spend time with these people without them having to run away to some meeting or their next session.

This is the first Minasi Conference I won’t be able to attend.  Unfortunately my calendar is nuts and a few things, like this and the Vienna PubForum, have had to be dropped.

Sunday – April 29th 2012

  • 12:00 – Conference Registration Begins
  • 1:00 – Opening Session led by Mark Minasi + Don Jones, What has changed in the last 3 years, how to stay on TOP!
  • 2:00 – Session 1: Mark Minasi – 10 (or more) things that you don’t know about Windows Server 8
  • 3:15 – Break
  • 3:30 – Don Jones
  • 4:00 – Ed Wilson – Microsoft Scripting guy on everything but PosH 3
  • 4:30 – Break
  • 4:45 – Mark Minasi
  • 6:00 – Welcome Reception

Monday  – April 30th  2012

  • 9:00 – Jimi Vigotti – how I do it and how you can too (with the right kit).
  • 10:15 – Dave Bisson – Enterprise App Store
  • 11:30 – Break
  • 11:45 – Stacy Hein – SQL Server at scale. Office 365 style
  • 1:00 – Lunch (Provided)
  • 1:45 – Todd Lammle – The next step.
  • 3:00 – James Summerlin – SQL Server Integration Services – More in-depth than last time!
  • 4:15 – Break
  • 4:30 – James Adgate – Security in The Enterprise in 2012:  Managing DLP Programs and Driving Standards for Secure Coding of Home Grown Web-Facing Enterprise Applications.
  • 5:45 – Offsite Dinner Organized with Transportation

Tuesday – May 1st 2012

  • 9:00 – James Summerlin – Juniper, Life after TMG/ ISA
  • 10:30 – Scott Calvet – TBC – Desktop Virtualization VMware View 5
  • 11:00 – Dennis Olidis – Free Tools to Troubleshoot and Diagnose your Windows System
  • 12:30 – Lunch (Provided)
  • 1:00 – Eric Rux – TBC – Using Windows in your Home!
  • 2:15 – Break
  • 2:30 – A N Other – Microsoft Conferencing, Skype and Lync
  • 3:45 – Break
  • 4:00 – Curt Spanburg – Microsoft Business Application Survival Skills for the IT Admin
  • 5:30 – Dinner (on your own) at a local restaurant. Last chance to rub elbows.

Wednesday -  May 2nd 2012

  • 9:00 – Ultan Kinahan – Fixing the big stuff!
  • 10:00 – Ton Siemons – Comparing Hypervisors, VMware, HyperV and Xen
  • 11:15 – Break
  • 11:30 – Michael Ferguson – Managing Security
  • 12:45 – Closing and Lunch
  • 2:00 – Unofficial Round Table

You can learn more about the registration on the official site, and on-going conversation regarding the event can be found on Mark’s forum.