User State Virtualization

What the hell is USV?  It’s simple; it’s using technologies to unbind user data from the PC.  You’re talking about features like roaming profiles, redirected folders and offline files.

Believe it or not, most companies I encounter have not done this.  For them, a PC repair is the timely process.  A PC upgrade is a potentially nasty piece of work to use USMT to capture a user state and restore it.

That’s why MS has released a Planning and Designing Guide for Windows User State Virtualization (USV).  Reading this, you can enjoy the tech that the rest of us have been using since the mid 1990’s.  Some of us stated using redirected folders and offline files back with W2003 and XP.  Admittedly, I disabled Offline Files when managing XP because it was a royal PITA (not a good thing).  Vista/Windows 7 appear to have solved that.

Getting the user state off of the PC is invaluable:

  • Windows upgrades are simple and quick.
  • PC repair which might take more than 10 minutes can be replaced by PC rebuild.
  • User data is centralized and easier to back up.
  • Those worried about regulators can do archiving.

KB976323 Wipes the SMTP Configuration

The Windows update MS10-24 for SMTP will wipe the SMTP configuration on Windows Server 2008.  I discovered this today when we found SMTP was no longer relaying email (or accepting local connections) on a couple of servers.  One server and I was scratching my head.  The second one and I knew there was only one common denominator.

It took me a couple of different search attempts to find the culprit.  Even then, I went to the official page for this update and I had to click through 3 pages to find a warning that there might be an issue (I linked the eventual page above).

The developer of this automatic update expects you to magically script a solution to run before the update and after it.  This will backup your SMTP configuration and restore it.  That’s even assuming that your crystal ball has warned you of a problem.  The next time I hear a MS security evangelist talk about instant approval and deployment of updates … …

I know the issue with this update is an exception.  But I am not impressed.  Believe me – I am holding back on how unimpressed I am.

*counting down from 10, 9, 8 …*

Windows Server 2008 R2 Hyper-V VHD Performance White Paper

Microsoft has published a whitepaper on VHD performance.  It talks about raw disk, pass through, fixed and dynamic.  It’s must reading if you’re in a Hyper-V engineering/design role.

To be honest, it is more than just a Hyper-V document.  It does talk about VHD in general.  Windows Server 2008 is also included.

Burn The Witch! Hyper-V Security Fix And Hyperventilating

Ah, it takes a patch to find out who’s really thinking what :)  As you are now aware, Hyper-V had it’s very first (ever) security patch this week.  Not bad (typical Irish understatement) after a year and a half of being the most accessible hypervisor ever.  Just think of how many volume license, OEM, TechNet, MSDN, evaluation and pirated copies of Windows Server 2008 and Windows Server 2008 R2 must be out in the world, not to mention the free to download Hyper-V server, and that it can run on most hardware around in the last few years.  I’m betting people in parent’s basements were attempting to find vulnerabilities since the emergence of the first beta for Hyper-V, around 2 years ago.

And after all that time and opportunity, 1 security hole was found.  It isn’t even the dreaded “break out” where a VM is capable of reaching out and accessing the host and other VM’s.  No, it was a DOS attack where the hypervisor would shut down.  And you had to be logged into a VM on the host with admin rights!

I’ve noticed a lot of tweets in the last 48 hours of people writing with glee about a dreaded problem, implying that Hyper-V is inferior.  Oh, get over it!  I can think of another hypervisor from a certain company that has suffered from a break out attack.  Its patches are a complete OS upgrade and they break the host on a way too frequent basis.  So much so, in fact, that experts in that technology run 1 “service pack” behind the latest release to stay safe.

It’s a secure platform.  Think of all those attackers who hate Microsoft and have the chance to attack the most available hypervisor around and we get 1 patch in 2 years (since beta).  That’s unbelievable.  The basic architecture requirements (DEP) prevent buffer overrun attacks on the host from a VM.  The German government has certified it as being secure … trust me if you are unfamiliar with working in Germany … that doesn’t happen by accident.  Every piece of complex software has vulnerabilities and bugs.  If you didn’t learn that in programming classes in college then you need to ask for a refund.  The fact is that Hyper-V is so well designed and implemented that it’s taken quite some time for one to be found.  And Microsoft reacted perfectly about it.

So before you go running to the woods to get some kindling for the witch burning, sit back, breath into a brown paper bag and realise that this is not the end of the world for Microsoft virtualisation.  It’s actually not bad at all.  It was one small patch that was quick and easy to download and installed reliably. 

KB977894: VERY Important Hyper-V Security Update

One of the patches released by Microsoft is a critical security fix for Hyper-V.  It affects all installation types on both Windows Server 2008 and Windows Server 2008 R2.

“This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users”.

Basically, if a person has rights to log into a VM hosted on a vulnerable server, then they could cause a Denial-of-Service (DOS) attack. 

The update is supplied via Windows Update.  Check your updates either on the host, Configuration Manager, WSUS or whatever your update service is.

I’ll be pushing it out first thing tomorrow morning.  Live Migration with VMM 2008 R2 maintenance mode makes it really easy to update clustered hosts.  Standalone hosts will have some downtime for their VM’s.  Most VM’s will be set up to go into a saved state when the host shuts down.  That limits interruption to them in a way.

Use NVSPBind To Manage TCP Bindings on Core

Are you using the Server Core installation alternative for Windows Server 2008, 2008 R2 or Hyper-V server?  Want to managing the TCP protocol bindings?  It’s the sort of thing Hyper-V administrators will do with NIC’s dedicated for virtual networking.

John Howard has discussed how to use a free tool called NVSPbind to do just this.

My First Book Hitting The Shelves Soon

It’s taken quite some time and amount of work but my first book is hitting the shelves soon.  When I say “my” I should clarify that I’m just one of the many contributors, with me having 4 chapters to my name.


I got an email from the publishers (Sybex) to say that “Mastering Windows Server 2008 R2” was shipping from the warehouses this week.  I’m told that it will be available from retail outlets within the next month.  Localised versions (if there will be any) will take longer.  I’m supposed to be getting my 2 free copies this week.  Of course, being a good mama’s boy the first one will be going down home.

It was expected to be 1200 pages.  We tried to include W2008 and W2008 R2.  That was because we didn’t produce a W2008 book as planned originally.  That was the original project I was working on in 2007/2008.  There would be 3 W2008 books, the first being very basic, the second covering the 80% of stuff that we all need to know and the third covering the advanced stuff.  Things happened and there were delays.  Eventually it became a pointless task because R2 was coming and it was probably going to have a bigger place in the market than the original Windows Server 2008, thanks to things like Hyper-V and “better together”.  It was decided to focus on W2008 R2 in a single book but also draw in W2008 because it is still out there.  R2 brought us so much new material that the pages kept flowing.  Eventually 1200 pages became 1500 pages.

You should start seeing it on the shelves soon in all good book stores and a few rubbish ones too.  If you have ordered from Amazon then your poor postman will be dragging it to your door quite soon.  I’ve read that Sybex are now selling soft versions of their books rather than “treeware” so that might be an option for you mobility aware folks.

Hyper-V: Can I Virtualise Everything: Domain Controllers?

I’ve seen this one a few times on forums and I’ve been asked it at sessions I’ve presented at.  People are deploying Hyper-V in medium and large businesses and they are wondering if they should virtualise absolutely everything in their data centre.

The answer is no. 

Let’s start with the obvious.  Some applications or operating systems may not have vendor support for virtualisation.  If that’s the case then you shouldn’t virtualise them.  However, many still do and they get by with no negative impacts.  Okey dokey.

Some servers just require too many resources to consider for virtualisation.  Consider a data warehouse application.  If you virtualise it, it might require a 1 VM per host deployment.  For the vast majority of us that’s a bad idea.  However some might like it because it means the machine is abstracted from the hardware.  But remember that you can only have a maximum of 4 virtual processors in a Windows Server VM on Hyper-V.  That likely won’t be enough for any machine that needs 32GB or 64GB RAM.

Then there’s domain controllers.  You can virtualise domain controllers but you have to be very careful.  Basically you have to treat them as you would physical domain controllers.  Checkpoints/saved states and host level backup is a bad idea for domain controllers because of the risks of AD corruption, e.g. USN rollback.  Microsoft takes the idea of virtual domain controllers very seriously and has a very long support article on it.

Should you virtualise all of your domain controllers?  Typically I will say no to this.  There’s a few exceptions, e.g. virtualised SBS running on a workgroup member Hyper-V host.  But take a Hyper-V cluster.  The presence of AD is a requirement of a Hyper-V cluster.  What happens if you need to power down your entire cluster for maintenance or power suddenly cuts out.  These things happen.  Electricians might need to work on power board or a UPS/generator might fail to kick in.  I’ve seen both take place in the past.  What happens to that cluster if all of the DC’s are virtualised on the cluster?  The cluster relies on AD for authentication/authorization.  Things will fail.  It’s a chicken and egg scenario.

Microsoft recently blogged about this.  The workaround solution is to find the LUN where the VHD(s)  for a DC with DNS role installed and configured is located, copy that to a temporary workgroup Hyper-V server and set it up to boot up.  Now you can power up the cluster.  But you have to be really careful and make sure that original DC VM doesn’t start up and cause a mess.

The advice is to have at least one physical DC.  When I did my ESX 3.X training a few years ago the advice was the same when running Virtual Center.  I recommend having 2: Murphy tends to like to mess up plans and wouldn’t it be a bad day if both the cluster powered down and your lone physical DC wouldn’t start up?  Alternatively you can run those DC’s on a separate workgroup host but that just complicates things in terms of virtualisation management.  I like to keep things simple so I’d go the 2 physical DC route.  Then you can safely virtualise other DC’s while sticking to Microsoft’s advice on the subject.