MMS Day 2 Keynote

I am live blogging from the keynote, which is titled something like “a world of connected devices”.  I’m expecting Intune V3, ConfigMgr, etc. to be the focus. It would be nice if they briefed us on how Windows RT (aka Windows on ARM) will be manageable (I’m thinking some Intune upgrade).

Work/life blur is a theme, as are application delivery, continuous service, people centric, and control and governance.  Out comes Brad Anderson.

IDC: the past was one desktop = one user.  In 2011, users have between 5 and 7 Internet connected devices.  They want to use the right device for the job … have a choice.  MSFT want to say “yes, bring your device”.  916 million smart connected devices shipped in 2011.  That will double in 2016.  34% of corporations are currently enabling users to access corp apps.  69% of their users are already doing it!!!! Most corps aren’t aware of this usage.  Where there’s a will, there’s a way.

New concepts: corporate controlled devices (traditional) and user controlled devices (BYOD – bring your own device).  In recent past, that was all PC based.  In the near future, we see this changing with lots of smart phones and tablets, all being bought and controlled by the user.  Corp has no control over these with traditional methods.  Ownership not that relevant … control is the important factor, e.g. end user having admin rights over their laptop.

The past has been agent focused control.  That doesn’t work on iOS; no app can control another app because of sandboxing.  The user will never accept an agent that controls their device.  We want to enable the user to be productive on their devices, but we need to control how corporate assets are accessed (governance).

The spoiler is out.  MSFT marketing has issued a press release with the content of the keynote.

Control and governance are two important concepts in enabling BYOD.

Infrastructure considerations

  • Intelligent app infrastructure
  • Security and access
  • Control and governance across all devices
  • User centric

Your opportunity

  • Broaden your impact – don’t be just another guy, another admin, another consultant
  • Enable users to work how/when and where they want.  Good luck with the HR department and the old school managers.  See Lync
  • Differentiate your organization, e.g. why do you rent office space?  Are you a property company?  Why can’t an office worker work from home and do the same job?

Celebrating ConfigMgr 2012 and Endpoint Protection 2012

  • All about the user
  • Unified device management infrastructure
  • Much simplified administration

175,000 registered downloads of the beta.  500,000 production devices.  307,000 Endpoint Protection deployments in TAP.  280,000 devices managed by MSIT.

Intelligent App Infrastructure

The user is at the centre.  They have lots of devices.  We have lots of apps for those lots of devices, with the user in the middle.  VDI is being pushed here.  They are announcing deep integration with iOS and Android.  Hmm, it’s been referred to as light management up to now.  How are they getting over the app store locks on consumer devices?  Is there a side load, aka jailbreak?  Ah!  They are integrating with the Apple App Store and Microsoft Store by linking apps.  Is this an SP1 feature?  They are going to side-load apps onto iOS, Windows, and Android without using the app store!!!!!  THIS IS NEW.  Users can roam across different devices and find their apps on those devices.  They’ll have a consistent app experience.  And this is done with a single solution – no point solutions for the device types.

Demo

ConfigMgr app deployment to Windows by Bill Anderson (System Center).  He’s got 5 deployment types for Adobe Reader in his demo in ConfigMgr.  He wants to build intelligence and predictability into this.  We can simulate a deployment.  Each deployment type has rules like prereqs, etc.  The simulation is a real test against client devices – it evaluates the rules on the clients, not in the database.  You get real results.  We’re shown the results of this simulation.  We see the successes and, more importantly, the machines with it already installed and where there were failures.  We can then use that data to clean up the actual deployment.  This is a pre-flight test in the air without flying.

Deliver Applications To Employee Controlled Devices

This is possible with the new V3 version of Windows Intune.  The non-domain joined devices, e.g. Windows RT, are managed via SSL. 

Demo

Self service management of user controlled consumer devices by Bill Anderson.  ConfigMgr 2012 SP1 adds support for deploying Metro style apps.  They can be built in house and delivered by ConfigMgr, or delivered via a link to the Windows Store.  In the latter case it uses a link instead of a distribution point.  For the former, you can distribute that Metro style app to the DP and deploy from there as you normally would.  In the demo, he makes it available via the ConfigMgr app catalog, so a user can request it via the portal.

Now we go into Windows Intune.  We see support for iOS.  Android is supported too.  We get the option to make an app available for install rather than push.  Now Brad comes out with an iPhone.  Demo gods kill the projector connection.  Instead we get a Windows 8 device.  There is a self-service app for ConfigMgr vNext and Intune.  It’s an alternative to the MSFT Store.  We can push out MSFT Store linked apps (jumps into a Store deployment).  We can also side load an app for bespoke apps and bypass the MSFT store.  I haven’t seen any of the competition do this on iOS, etc.  At least I haven’t seen it, even if it exists.  In this Center app, you can see your devices and their health status.  We see the Windows Phone location on a Bing Map in the Center.  They can’t get the iPhone on the projector.  We get a similar experience on the iPhone via Intune apparently.  These devices can’t join a domain but they are “domain trusted”.

VDI

VDI is going to explode because of BYOD.  App-V 5.0 is live.  Now App-V apps can interoperate with each other for the first time.  App-V packages can be streamed to a VDI without being committed to disk.  You can have a single cache on a VDI host to save space.

UE-V is user state virtualisation, abstracting the user state from the machine.  Their settings/data move around freely.  The user gets a single working environment across VDI devices.

Windows Server 2012 Reduces VDI Costs

App-V 5.0 reduces cost by using less disk. 

Demo

Fast and easy VDI.  Bill is back.  UE-V configured by GPO.  He specifies a server share with a user variable.  He specifies templates for app settings.  In the user side of the policy, he can specify which parts of the state should roam. 

MMS 2013 will be happening: Brad opens a MMS 2013 planning PDF file.

Brad logs into a machine and changes some Adobe Reader settings.  He logs out of his domain joined machine.  Bill is going to set up Windows Server 2012 VDI as part of the demo because it’s quick, simple and easy.  He times it and starts up Server Manager.  He’s done in a minute, then the system does the rest of the work in the background.  Brad logs into a VDI VM and his Adobe settings have followed him thanks to UE-V.

A camera man comes up so we can get the iPhone demo working.  There we see the Intune center which is an app.  Bill browses available apps and installs one.  And now it installs on the iPhone, and it appears like a normal app install. 

MMS 2013

It will be in New Orleans in June 2013.  Hmm, what about TechEd NA?

Operations Manager 2012: Network Monitoring

Speaker: Vishnu Nath, PM for Network Monitoring feature in OpsMgr 2012.

Discovery, monitoring, visualisation and reporting.  Key takeaway: OpsMgr will help IT Operations gain visibility into the network layer of a service to reduce mean time to resolution.  All the required MPs, dashboards, and reports are built in-box.  Server to network dependency discovery with support for over 80 vendors and 2000+ devices certified.  It supports SNMP v1, v2c and v3.  There is support for IPv4 and IPv6 endpoints.

Supported devices:

  • Bridges
  • Firewalls
  • Load balancers
  • Switches
  • Routers

Discovery

Process of identifying network devices to be monitored.  Designed to be simple, without the need to call in network admins.

Demo

You can run the normal discovery wizard to discover network devices.  There is also a Discovery Rule that you can configure in Administration/Network Management.  This can run on a regular schedule.  You can pick a management or gateway server to run the rule, and you set the server resource pool for the monitoring.  Note that the design guide prefers that you have a dedicated network monitoring resource pool (min 2 management servers) if doing this at scale.

There are two discovery types, which are like the types of customer MSFT has encountered.  You list the IPs of devices and do explicit discovery.  Alternately, you can do a recursive discovery which crawls the network via router ARP and IP tables.  That’s useful if you don’t know the network architecture.

You’ll need Run As accounts for the community strings … read-only passwords to the MIBs and SNMP tables in the network devices.  It does not need read-write private strings.  Using a Run As account secures the password/community string.  You can have a number of them for complex environments.

You can import a text file of device IP addresses for an explicit discovery.  You can use ICMP and/or SNMP access mode to monitor the device.  ICMP gives you ping up/down probe monitoring.  SNMP gives you more depth.  An ISP won’t give you SNMP access.  A secure environment might not allow ICMP into a DMZ.  You can set the SNMP version, and the Run As account for each device.  During discovery, OpsMgr will try each community string you’ve entered.  It will remember which one works.  In some environments, devices send trap alerts when they see failed logins, and trying every community string against them can create a storm of alerts … SO BEWARE.  You can avoid this by selecting the right Run As account per device.

There are settings for retry attempts, ICMP timeout and SNMP timeout.  You can also set a cap on the maximum number of devices discovered.  This is to avoid discovering more than you need to in a corporate environment.

You can limit the discovery to Name, OID, or IP range.  And you can exclude devices.

You can also do the discovery on a regular basis using a schedule.  That’s not important in a static environment.  Maybe do it once a week in larger or more fluid environments.  You can run the discovery rule manually.  When you save the rule, you have the choice to run the rule right then.
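The trap storm caveat in the discovery notes above is easy to spot on a trap receiver. The following is an added example (not code from the blog or from Microsoft); it assumes a constructed log format of one trap per line, `<ISO timestamp> <source IP> <trap name>`, and flags any device that emits a burst of authenticationFailure traps inside a sliding window, which is what a discovery run trying the wrong community strings looks like from the device’s side.

```python
"""Detect SNMP authenticationFailure trap storms in a trap receiver log.

Added example, not code from the blog or from Microsoft. It assumes a
constructed one-line-per-trap log format: "<ISO timestamp> <source IP> <trap name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: 10.1.1.5 rejects a burst of wrong community strings
# (the signature of a discovery run trying every string), 10.1.1.6 has only
# two isolated failures, 10.1.1.7 sends unrelated link traps.
SAMPLE_TRAP_LOG = """\
2012-04-18T10:00:01 10.1.1.5 authenticationFailure
2012-04-18T10:00:02 10.1.1.5 authenticationFailure
2012-04-18T10:00:02 10.1.1.5 authenticationFailure
2012-04-18T10:00:03 10.1.1.5 authenticationFailure
2012-04-18T10:00:03 10.1.1.5 authenticationFailure
2012-04-18T10:00:04 10.1.1.5 authenticationFailure
2012-04-18T10:00:05 10.1.1.7 linkDown
2012-04-18T10:00:07 10.1.1.6 authenticationFailure
2012-04-18T10:05:00 10.1.1.6 authenticationFailure
2012-04-18T10:09:00 10.1.1.7 linkUp
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_trap_log(text):
    """Parse log text into a time-sorted list of (timestamp, source, trap)."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, source, trap = match.groups()
        try:
            events.append((datetime.fromisoformat(ts), source, trap))
        except ValueError:
            continue  # unparseable timestamp: skip the line
    events.sort(key=lambda event: event[0])
    return events


def detect_trap_storms(events, window=timedelta(seconds=60), threshold=5):
    """Flag sources that emit >= threshold authenticationFailure traps inside
    any sliding window. Returns {source: {"peak", "first", "last"}}."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    storms = {}
    for ts, source, trap in events:
        if trap != "authenticationFailure":
            continue
        queue = recent[source]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()  # drop traps that fell out of the window
        if len(queue) >= threshold:
            entry = storms.setdefault(
                source, {"peak": 0, "first": queue[0], "last": ts})
            entry["peak"] = max(entry["peak"], len(queue))
            entry["last"] = ts
    return storms


def storm_report(storms):
    """One human-readable line per storming device, for the on-call admin."""
    lines = []
    for source, info in sorted(storms.items()):
        lines.append(
            f"{source}: {info['peak']} auth failures in one window "
            f"({info['first'].isoformat()} .. {info['last'].isoformat()}); "
            "check which Run As account/community string is assigned to it")
    return lines


if __name__ == "__main__":
    for line in storm_report(detect_trap_storms(parse_trap_log(SAMPLE_TRAP_LOG))):
        print(line)
```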

What’s Discovered

  • Connectivity of devices and dependencies, servers to network and network to network
  • VLAN membership
  • HSRP for Cisco
  • Stitching of switch ports to server NICs
  • Key components of devices: ports, interfaces, processor and memory, I think

The process:

Probing (if the device is not supported, it’s popped into pending management for you to look at; if OpsMgr knows it then there are built-in MIBs to deal with it) –> Processing –> Post Processing (what VLANs, what devices are connected, NIC stitching mapping).

  • Works only on Gateway/management server
  • Single rule per gateway/management server
  • Discovery runs on a scheduled basis or on demand
  • Limited discoveries can be triggered by device traps – enabled on some devices. Some devices detect a NIC swap, and the device traps, and OpsMgr knows that it needs to rediscover this device.  Seamless and clever.

Port/Interface Monitoring

  • Up/down
  • Volumes of inbound/outbound traffic
  • % utilization
  • Discards, drops, errors

Processor % utilization

Memory counters (Cisco) and free memory

Connection Health on both ends of the connection

VLAN health based on state of switches (rollup) in the VLAN

HSRP Group Health is a rollup as well

Network Monitoring

  • Supports resource pools for HA monitoring
  • Only certain ports monitored by default: ports connecting two network devices together or ports that the management server is connected to
  • User can override and monitor other ports if required

Visualisation

4 dashboards:

  • Network summary: This is the high level view, i.e. top 10 nodes list
  • Network node: Take any device and drill down into it.
  • Network interface: Drill into a specific interface to see traffic activity
  • Vicinity: neighbours view and connection health.

Reporting

5 reports:

  • Memory utilisation
  • CPU utilisation
  • Port traffic volume
  • Port error analysis
  • Port packet analysis

Demo

Behind the scenes they normalise data, e.g. memory free from vendor A and memory used from vendor B, so you have one consistent view.  You can run a task to enable port monitoring for (by default) un-monitored discovered ports (see above).  

End

You can author custom management packs with your own SNMP rules.  They used 2 industry standard MIBs and it’s worked on 90-95% of devices that they’ve encountered so far.  That means there’s a good chance it will work on future devices.

A Geek’s Guide To The Galaxy: Building A ConfigMgr 2012 OS Deployment Solution

Speaker: Johan Arwidmark @jarwidmark, Chief Technical Architect, Knowledge Factory

Agenda: hydration, create reference image, set up ConfigMgr 2012 for deployment.

Free hydration kit, based on MDT 2012 Lite Touch, fully automated build of entire labs.  Download from www.deploymentresearch.com.  When you run it, it allows you to copy your media into a folder structure.  Then you get an easy deployment solution.  It does an unattended install of ConfigMgr.  It even installs a DC for your labs!

He’s enabled deduplication on his Windows Server 2012 MDT machine, saving a lot of disk space.

The kit creates a 10 GB ISO file, which you mount on a VM and start from.  You are asked if you want the domain controller (1st) or the ConfigMgr site server (2nd).  There is a customsettings.ini file for each server, with their build configs, e.g. IP address.

Johan recommends Lite Touch to create ConfigMgr reference images.  He reckons it’s twice as quick.  Plus, a ConfigMgr reference image is specific to ConfigMgr, whereas an MDT one is generic and can be used in WDS, ImageX, etc. 

Create a reference image

Doing this in the MDT 2012 Workbench.  Import the OS image and create a task sequence.  Always use VMs for reference images.  He puts a suspend in the task sequence so he can snapshot the VM before the sysprep.  That means he can apply the snapshot to change the machine and recapture the reference image.

Infrastructure Management: Configure and Deploy

Speakers: Kenon Owens, Senior Product Marketing Manager, Microsoft and Fahad Ahmed, Infrastructure Architect, Microsoft.

This is a VMM 2012 session on building the private cloud fabrics.  Or you could read Microsoft Private Cloud Computing to learn all this.

You create pools of physical resources, aka clouds, give users access to them, define the resources that they can use, and give them a quota.  The physical resources in question are compute, storage, and network.

You can attach Configuration Manager to do additional management such as patching, DCM, auditing, compliance, security, etc.

Host deployment:

  1. WinPE downloads and prepares a partition
  2. Downloads a VHD from VMM for boot to VHD
  3. Does Plug and Play for the system
  4. Boot the machine into OOBE
  5. Join domain and enable Hyper-V
  6. Reboot – and it’s now in a VMM host group

Storage Management

Uses SMI-S.  Storage vendors still slow to implement.

  • End to end mapping = create associations between storage and VM.  Identify storage consumed by VM, host and cluster
  • Capacity management: add storage to a host or cluster through masking operations.  Add capacity during a new cluster creation
  • Rapid provisioning: create new VMs leveraging SAN LUN cloning.

Can tier storage via classification pools using labels of your choice.

Demo

In Fabric: storage is a fabric.  They’ve deployed 3 NetApp arrays via SMI-S providers.  They have created 3 tiers of storage pools based on quality of disk, picked from the various arrays.  In the VMM console, they create LUNs that will be used as a cluster witness disk and a CSV in a later cluster build. 

Logical Abstraction for the network fabric

  • Logical networks: Classify networks for VMs to access, map to network topology, allocate to hosts and clouds.
  • Address pools: allocate static IPs to VMs from a preconfigured pool, create an IP pool as a managed range of IPs, create a MAC address pool
  • Load Balancers: apply settings for LB capability in service deployment, control LB through vendor provider

You can allocate logical networks to physical NICs, e.g. create Prod and DMZ networks, and allocate those logical networks to hosts in different clouds as appropriate. 

  • IP pools: assigned to VMs, hosts, and virtual IPs (LBs), specified use in VM template creation, checked out at VM creation, returned on VM deletion
  • MAC pools: same as with IP pools, but for MAC assignment
  • Virtual IP pools: assigned to service tiers in a service template that use a LB.  Assigned to clouds.  Checked in/out on creation/deletion.  Reserved within IP pools

Supported LBs: MSFT NLB, Citrix NetScaler, F5 BIG-IP, Brocade ServerIron ADX.  Each requires a provider.  Specify the type of LB method, e.g. round robin, etc.

Demo of Cluster Creation

2 Nodes, A and B.  They are discovered in VMM, using a RunAs account.  Creates a new cluster in Fabric.  Adds the two hosts from the host group – must be in a single host group like in 2008/R2.  Can optionally do the cluster validation tests (recommended).  Assign a cluster IP.  Now allocate the previous storage to the cluster.  Checkbox to enable CSV in the disk selection.  And that creates the cluster – some simplification of the networking story here.

Can manage Hyper-V, vSphere 4.1 (via vCenter only) and XenServer 6.0. 

Demo of Cloud Creation

Create a cloud in VMs And Services.  Select a host group or VMware resource pools.  Select logical networks.  Select LB VIP profiles.  Any additional storage to allocate?  You can set quota on CPU, RAM, storage, custom quota points, and VM number.  You can control which type of hypervisor can be used. 

Create a new role in Settings/Security.  Select from admin, read only, or self-service for a cloud.  Select the clouds to assign to the role.  You can override the previous quotas, e.g. per member of the role or for the entire role, as a subset of the cloud’s quotas.  Add resources to the role, e.g. templates they can see.  Then you specify the actions they can do.

In App Controller, we see the delegated rights this role has, e.g. what they can deploy, how much, and what actions they can do.  The Self-Service Portal is there only for backwards compatibility; it’s been deprecated.

Typically people make a few clouds, e.g. Prod and Test, and then use roles to divide up the shared pool of resources.

They aim to support vSphere 5.0 with System Center 2012 VMM SP1.

Why We Fail–Or How An Architect Learned To Stop Worrying And Love The Cloud

Alex Juch, Architect, NetApp

Everyone wants cloud. No one knows what cloud is.

  • Gartner: 78% of IT shops will deploy a private cloud computing strategy by 2014.
  • CIO.COM: “62% of all IT projects fail”

You will fail if you approach this project as a technology project.  The architect needs to sell this as a business solution.  Architecture is the intersection between technology and business.

Reduce your risk:

  • Business risk: people and process, managed portfolios, IT/business alignment.
  • Technical risk: use reference architecture, platform bundles.

The customer must want to do this; you cannot coax/tease them into it.  There is too much change in mindset and established process.

Abandon hope all ye who enter here.  I gave up listening, VPNed into the lab, and continued building a lab for work, happily finding that my ConfigMgr clients were pushed out, updates were downloading, Endpoint was deployed and updated, and I built a few collections and deployed some AV policy.

It’s Official: Windows Server 2012

I am one to say I told you so.  Microsoft released a press release:

Anderson provided a preview of how Microsoft’s private cloud will become even more powerful with Windows Server “8” and announced that the operating system will officially be named Windows Server 2012. The new “cloud-optimized OS” is due out later this year.

Strangely the release was issued before he actually announced this at the keynote; I’m about 10 rows from Anderson now.


MMS Keynote Day 1: Are You Ready For The Future, Now?

It opens with a movie trailer about the IT Pro, and up jumps Brad Anderson.

Continuous services and connected devices.  For every 600 phones, 1 server is stood up to support them.  It’s 100/1 for desktops.

This year, the number of virtual OS instances will be double the number of physical instances.  The industry needs to get better at managing these rapidly deploying virtual instances.  This is a shift beyond virtualisation to cloud computing.

Their cloud definition is:

  • Pooled resources
  • Self-service
  • Elastic
  • Usage-based

Similar to the NIST definition.  Cloud is not defined by location, e.g. there is public, private, and hybrid cloud.  See chapter 1 of Microsoft Private Cloud Computing for more.  If there is 1 tenant, it is private.  If there is >1 tenant then it is a public cloud … not strictly true on the NIST definition, but close.

Drivers of cloud:

  • Economy
  • Flexibility
  • Scalability

No substitute for experience.  MSFT is the only company operating both public and private cloud services for their customers.

The 4 common techs are:

  • Identity
  • Virtualisation
  • Management
  • Development

The rest of the session focuses on Private Cloud = Windows Server and System Center.  We get the announcement of GA for System Center … 2 weeks after the actual GA.  Simplification was a big focus, from licensing, to deployment, to administration.

100,000 servers were managed by the release candidate of System Center 2012.

Fast Track

Private Cloud configurations that are certified by MSFT, provided as out of the box solutions by the likes of HP.

Agile Resource Management

Vijay Tewari comes out to demo.  vSphere 4.0 and XenServer are managed by VMM 2012.  Multi-platform clouds.  He goes through the process of doing a bare metal Hyper-V deployment on some HP DL servers via iLO.  Funny video of Vijay going to Blue Man Group and swimming while his hosts build – automation takes care of the time consuming repetitive work.

Agile Service Level Delivery

Ryan O’Hara is on stage.  He does some smooth demos with Service Manager reaching into the rest of System Center to deploy a service, and then OpsMgr detecting a breach of SLA so it can scale out the service automatically via a VMM service template.

Back to Brad.  System Center understands the environment thanks to partner extensions.  Application monitoring gives deep insight into J2EE and .NET apps to avoid the admin vs dev finger pointing when there is a problem.

Ryan demos an app breaching SLA in OpsMgr.  Then he goes into App Monitoring to diagnose where in the code the problem is.

Certification

The MCSE is back. Ugh!  Private cloud certification. 

Windows Server 2012

Here comes the announcement.

Jeff Woolsey comes out.  He’s the head PM for Hyper-V.  This is a cloud platform release.  Lots of stuff that I previously blogged.  We see shared nothing live migration in VMM 2012 SP1.  There’s a problem in the demo … the memory LM takes waaay too long for a 2 GB RAM VM.  No one seems to notice.

Now we see network virtualisation where 2 VMs have the same IP on the same cloud, but are still routing.

App Controller

A new SP1 feature where you can integrate with any hoster that offers the service.  You can integrate your cloud with their private cloud and deploy services in their public cloud.

The Microsoft Private Cloud

  • All about the app
  • Cross platform from the metal up
  • Foundation for the future
  • Cloud on your terms

Winners lead, don’t follow.

Microsoft Deployment Toolkit (MDT) 2012 Download

Microsoft has released the new 2012 download for the free task sequence based imaging solution for deploying Windows (and it integrates into System Center 2012 Configuration Manager).

Deploy Windows 7, Office 2010 and 365, and Windows Server 2008 R2 with the newly released Microsoft Deployment Toolkit 2012. MDT is the recommended process and toolset for automating desktop and server deployment. MDT provides you with the following benefits:

  • Unified tools and processes, including a set of guidance, for deploying desktops and servers in a common deployment console.
  • Reduced deployment time and standardized desktop and server images, along with improved security and ongoing configuration management.

Some of the key changes in MDT 2012 are:

  • Comprehensive tools and guidance to efficiently manage large-scale deployments of Windows 7 and Microsoft Office 365.
  • An enhanced User-Driven Installation (UDI) deployment method that utilizes System Center Configuration Manager 2012. UDI lets end users initiate and customize an OS deployment on their PCs via an easy-to-use wizard.
  • Ease Lite Touch installation through integration with Microsoft Diagnostics and Recovery Toolkit (DaRT).
  • This release provides support for deploying Windows 8 Consumer Preview in a lab environment.

Top 10 Production Experiences With Service Manager and Orchestrator

Speaker: Nathan Lasnoski, MVP

Focus is on Service Manager and Orchestrator.

You can transform a business in a way that other technology projects cannot.  These two products are transformative technologies.  They lead to process definition, cut through sacred cows, improve efficiency, and enable users to do what they are really interested in.

Results:

  • Processes are more clear
  • Common tasks are automated
  • People do tasks that use their skills
  • Time and resource spend is transparent

1) How to get started

Include the right people.  This is not just an IT project.  Examples of people to include: service desk manager, System Center tech lead, IT leadership … you need a champion in the business with some influence.  Including the right people = success.  Not just a tech project and not just an ITIL project.

2) Choose processes strategically

Look for the processes that have the biggest payoff.  They are the quick and influential wins.

  • Incident management
  • Service request management
  • Change management
  • Risk and compliance

3) Plan to transform process

A great tool doesn’t make a bad process better.  This is an opportunity to improve processes.

4) Plan requests first

Plan first, build later.

What are the questions you need to ask in the forms?  What data do you need to automate a process?  Organize the components and responsibilities.

5) Create a service catalogue

Everything IT does should end up in the service catalogue.  Use it to service both IT and end user requests.  Use service manager roles to constrain access.

SharePoint choices:  Enterprise edition gives PerformancePoint, but Foundation doesn’t. 

6) Don’t forget about BI and reports

This might be the only view that the decision maker has of the system.  Ask the business decision maker (BDM) what it is they want to know.

7) Size your environment correctly

This requires big iron.  The minimum deployment is 4 servers: Service Manager management server, data warehouse + SQL, web server, and Orchestrator.  You can have additional management servers and web portals.  You could cluster the data warehouse.

8) Have a development environment

Build and test in here.  Check performance!  Version control your management packs. 

9) Don’t Forget Training

Get buy-in by including people early in the planning.  Show ROI and why this system is good for them.  Train on what is relevant to them in the system.  ITIL/MOF important for implementers. 

10) Use a phased approach

Don’t try to do the whole thing at once.  Succeed end-to-end on each process.  Something always comes up; plan for that.  Check your can-do attitude – new requests can be done later.  Watch out for “tangents”.  Small chunks of measured and planned work are the key to success.

Adobe Acrobat Update Service And Adobe Flash Player Update Service, You Gotta Be Kidding Me!

When you did the recent update for Adobe products, did you require a reboot?  Wonder why? 


Look what’s turned up on my PC at work!  I’ve now got two services for updating a minor utility and a plugin that I cannot wait for HTML5 to kill off.

Think about it: Adobe is one of the most attacked software vendors out there, and probably their products are the ones that I update most often on my own and work machines.  Why the hell would I trust them to run a service on my computer?  Hackers must love the presence of these services.

I have uninstalled Adobe Reader (removed the Adobe Acrobat Update Service) from my work computer and switched to Foxit, a product that understands that it is a minor utility.  I’ve also disabled the Adobe Flash Player Update Service.

BTW, we don’t need an Adobe update service at work – we’ve been pushing out Adobe updates via System Center.
