I know lots of people who rave about Sophos Anti-Virus.  I decided to give it a go in my lab.  Both of the servers are firewalled and hardened.  Nothing crazy, just some standard stuff which I won't go into here.  Anyway, I filled in the evaluation form and downloaded the package.  I started the install and was greeted by about a dozen crash/debug requests.  Installing the package causes the package to crash!  Okey-dokey then.  I won't be installing that on our server deployment.

I just did a quick evaluation of Kaspersky's Anti Virus for Business suite.  Based on "bang for the buck" I don't think it's up there with AVG.  It's got a bit of the "Sinmantec" about it's interface.  It doesn't seem well thought out.  The agent deployment is a 2 phase process.  There's a network agent that must be installed and then you install the anti-virus software.

The price is pretty good though, especially compared to Trend Micro!  And Kaspersky's engine does tend to rate very highly on the charts.

I like that it has a dedicated Windows Event log.  That'll make monitoring using something like SCOM a heck of a lot easier.  However, when I dropped Eicar onto my test agent I was disappointed by the results.  It prevented IE from saving the file which was good.  It sent details to the central administration server.  But there was no event recording this occurrence in either the Kaspersky or the Windows Event Logs.

A feature pack that adds new functionality to DPM 2007 has been released for x86 and x64:

Issues Fixed:

• 946647 Description of the Data Protection Manager 2007 hotfix package: January 9, 2008
• 948373 The backup image may be corrupted if you use System Center Data Protection Manager 2007 to perform an online backup of a virtual machine that is running in Virtual Server 2005
• 950082 Description of the Data Protection Manager 2007 hotfix package rollup 2
• 948936 When synchronization runs in Data Protection Manager 2007, the DPM service may unexpectedly crash
• 951557 getKB -Data Protection Manager 2007 - Hotfix

Features Added:

• Support for backing up virtual machines on clustered Virtual Server 2005 R2 SP1 hosts
• Support for sharing tape libraries between multiple DPM servers
• Better tape utilization of tape capacity by co-locating data from multiple protection groups with similar retention range
• System state protection for Windows Server 2008

Note: Backup of SQL 2008 (Katmai) is not supported until the released version is publicly available.

John Howard has started documenting how to "slipstream" Hyper-V into the install image for Windows Server 2008.  That'll be pretty handy if you want to be able to rapidly deploy Hyper-V hosts, e.g. a rapidly growing farm of hosts.

Credit: John Howard.

If you are installing the RTM of Hyper-V then you really should read the release notes.  There's information in there relevant to backup, security and operations.

If you're like me, you like to restrict as much as possible and delegate selected rights where possible.  I've only just found out that this is possible with Hyper-V without using VMM 2008.

The Virtual PC's Guy describes the process in his blog.  This will allow you to grant selected rights to VM's and Hyper-V to non-administrators on the Hyper-V server.  To do this you edit an Authorisation Store using the Authorisation Manager.

Note that this is in the Hyper-V release notes:

"If the Hyper-V authorization store is located in Active Directory, then the removal of a user from a role does not take immediate effect. Either the server running Hyper-V (the computer that runs the Virtual Machine Management Service (VMMS)) or Active Directory needs to be rebooted to apply the changes. To avoid this issue, use an XML file as the store type. To fix this issue, reboot the Hyper-V server hosting VMMS, restart VMMS and Network Virtual Service Provider Windows Management Instrumentation (NVSPWMI) services or reboot Active Directory".

Lesson: Use groups, not users to grant rights.

Credit: Virtual PC Guy.

I just found a few links on adding the Integration Components to WinPE.  Why would you want to do this?  Simple; say you want to deploy operating systems to VM's via SCCM, WDS or ImageX.  There's a lot more tools out there that will use a WinPE boot image too.  You will need drivers, especially for the NIC to work.  To get those, you'll need the Integration Components.  Mike Sterling has documented the process.

Credit: Mike Sterling.

EDIT:

Mike has updated the script that he used in the original post.

The links on how using Hyper-V are now live.  This is a good place to start if you are new to Hyper-V.  Quite honestly, it's really easy to use.

Step-by-Step Guide to Getting Started with Hyper-V

I've previously talked about my observations of how my 9GB RAM Hyper-V lab box used it's memory and how Hyper-V has a RAM overheard and how you can calculate the maximum.

Last night I upgraded the lab box from RC1 to RTM.  Today, I've noticed that I have a whole lot more of RAM to play with!  In fact, 1.5GB of RAM was freed up on my 9GB RAM server.  Before I could only get 7GB worth of VM's up.  Today, Hyper-V is looking much more efficient. 

I've just upgraded my Hyper-V lab box to RTM.  It took maybe about 10 minutes (most of that was POST during reboots) to install the update and another 5 to install the updated enhancements in 8 VM's.  It's a very easy process as John Howard describes on his blog.

EDIT:

Snapshots are supported between RC1 and RTM.  They are not support between either beta or RC0 and RTM.

Bink is reporting that Hyper-V has been released to manufacturing.  You can expect it to be available as a download and via Windows Updates.  There should be a smooth migration from the RC1 release to RTM.

Credit: Bink.

EDIT:

This has been confirmed.

Credit: Willem Kasdorp.

EDIT

The Hyper-V team has released some details.  The update will be available via Windows Updates on July 8th.  The direct download will be available from sometime later today (probably midday Seattle time or 20:00pm GMT).

I've gotten around to writing a script that will allow you to automatically put managed agents into maintenance mode for SCOM 2007 using the AgentMM utility.  Download the file and follow the embedded instructions:

• Edit a CSV that defines what servers and when they will be put into maintenance mode.
• Set up agentmm.bat, agentmm.exe, your CSV file and the script in a folder.
• Schedule the script to run at 5 minutes to the hour, every hour.

The script will then put your servers into maintenance mode according to the instructions in the CSV, for 1 hour starting at approximately 5 minutes to the hour.

WAIVER: This script is provided as is.  There is no support for it.  I have no responsibility for what the script does.  You are 100% responsible for using the script and what it does or any related side-affects if you choose to download and use it.  Read through the script and understand exactly what it does before you even test it.  Then test it thoroughly before you put it into production.

In true David Letterman style ... This page lists the top 10 issues encountered by users of the beta/RC versions of Hyper-V.  There are links to the solutions.

I just saw this link on the Virtual PC Guy blog on how to use a Windows Server 2008 file server to store the VHD's of your file server.  Crazy but true!

In fairness, 10GB networks, dedicated NIC's, NIC TOE and Windows Server 2008.

Credit: Jose Barreto.

EDIT:

This is in the Hyper-V release notes:

"You may encounter issues when attempting to attach virtual hard disks (VHDs) and ISOs to a virtual machine from a network share. To avoid this issue, ensure that both the Hyper-V server and the network server are members of the same domain. The network share requires read access for ISOs and read/write access for VHDs for both the user and computer account of the server running Hyper-V. If you are attempting this from a third computer (not utilizing the user interface on the server running Hyper-V), constrained delegation for Server Message Block (SMB) between the server running Hyper-V and the network file server must be enabled".

Yeah ... MS licensing is nuts.  There's no getting around it.  They must have way too many lawyers on staff.  Nothing is simple and often you find things are contradictory.

If you are a normal consumer of licenses then you should regularly download and review the Product Usage Rights (PUR) document.  It explains everything about how you need to license your products and how you can use them.

If you are a service provider such as a hosting or SAAS company then you should download and review the Service Provider Usage Rights (SPUR) document on a regular basis.  Here's the reason why.  Under MS's licensing terms, the only way to provide these sorts of services is via a SPLA agreement.  This is where you lease MS licenses every month.  This scheme is very complicated and I'm pretty sure some hosting companies are using the scheme illegally.  There's 3 types of license in SPLA:

• SAL: This is where you license a server product (Windows, SQL, System Center, etc) by the number of users using the product.  You don't have to purchase a license for the server product with this scheme.  It's great if you have a known, fixed and small number of clients - not concurrent but potential!
• Unauthenticated Server: This is for something like a dumb web server with static content.  Windows plays absolutely no role in authenticating any users of the service provided by the server.  This is per CPU.  At the moment, this is available for Web and Data Center editions only and it's quite cheap.  That's a clue as to the purpose of this operating system.
• Authenticated Server: This is a per CPU license for any server where Windows does play a role in authenticating the user, e.g. Active Directory, Terminal Services, etc.  This SKU is very expensive compared to the unauthenticated server license.  This is because you do not need to purchase CAL's.  You can support an unlimited number of clients.  For any hosting company, it is critical that your sales people get to know how your customer is authenticating their users before you give and quotes or sign any contracts; this means getting the techies talking to each other - contrary to the processes of some companies I've encountered.

SPLA lets a hosting company purchase 50% of the number of leased-to-customer licenses for internal usage.  Great - but do you really want to spend hundreds per month per CPU on a Windows Server when you can purchase one for 3 times that monthly lease price?  You probably already have the CAL's.  Sometimes it's a cost saver but not always.

In these documents you'll find all the licensing nastiness associated with VDI/VECD, virtualisation, CAL's and all that fun stuff.

Have a read, have a weep and then get legal.  Breaking the conditions of PUR or SPUR can get your directors thrown in prison.

It's been discussed quite a lot (and still some plead ignorance or stupidity) but if you have sensitive information on a computer (laptop, desktop or server) then you should encrypt the disk.  Guess what?  This applies to VM's too!

VM's are mobile.  The are very mobile.  To steal a VM and all of it's data, all you have to do is copy the virtual disk file.  It doesn't matter if you're talking about VMware or Hyper-V.  Sure ESX is a little trickier because the VM is on a less common file system but a determined thief won't let that stop them.

You need to consider encrypting the contents of that virtual disk.  Windows Server 2008 includes BitLocker and that can encrypt the entire file system for you.  Microsoft allegedly published a document on how you could use BitLocker with Hyper-V but the download link appears to be dead.  I'm hoping they'll rectify that.

Once you encrypt that VM, it doesn't matter how mobile it is.  The contents of the virtual disk are protected and you're safe.

Microsoft has released lots of information on DPM 2007:

• System Requirements
• Deploying DPM 2007
• DPM 2007 Operations Guide
• Planning a DPM 2007 Deployment
• DPM 2007 Troubleshooting Guide

There is a publicly available beta release of URLScan V3.0 for x86 and x64.

"UrlScan version 3.0 Beta is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server".

There is a publicly available beta release of URLScan V3.0 for x86 and x64.

"UrlScan version 3.0 Beta is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server".