We’re changing the IP address range on the firewalls so we’re adding in the new NAT rules in addition to the old ones for a smooth transition. 

We started with a web server.  The site uses DotNetNuke.  We tested the new IP and the server wouldn’t load the page on clients.  Luckily we’d kept the old IP and could confirm the site was OK on that.  I ran Network Monitor 3.3 on the server (NetMon part of my standard server installation package) and on my client to check things out.  Our network engineer started looking at router and firewall traces.  I could see traffic coming into TCP 80 but the conversation was short.  On the client end I could see the same.  I compared with a working conversation on the old IP address and saw that there was a different HTTP status code at the start.  The failing server was giving me a 302.  In fact, my client was loading localhost instead of the site on the new IP address; that was the 302 code redirect.

I swapped in a default IIS7 site and tested.  It worked perfectly.  The site bindings were the default norms on the hosted site so it wasn’t that.

I decided to google (I cannot bring my self to say I binged or bonged something, Microsoft) for DotNetNuke redirecting to localhost.  Badda-bing!  It appears DotNetNuke has it’s own site binding configuration in a SQL table called PortAlias.  I added in a row and added in the new IP address to test.  That worked perfectly.

I now need to have a long shower after doing developer work ;-)

AppLocker is a feature available to administrators of Windows 7 Ultimate and Enterprise (Software Assurance) editions only.  It allows administrators to use group policy to define what applications can be run on Ultimate and Enterprise computers.  Obviously these policies won’t work on Vista or the other editions of Windows 7, e.g. Business.

Microsoft has released some technical documentation on the feature:

“The AppLocker Technical Documentation for Windows 7 and Windows Server 2008 R2 provides technical guidance about understanding how AppLocker works and how to effectively plan and deploy AppLocker policies.

AppLocker in Microsoft Windows Server 2008 R2, Windows 7 Ultimate, and Windows 7 Enterprise helps administrators control which applications are allowed to run in their organizations. These documents provide technical guidance about understanding how AppLocker works and how to effectively plan and deploy AppLocker policies”.

MS Ireland is opening the new data centre in Dublin tomorrow (July 1st 2009).  It’s down the Nangor Road, near the Air Corps base, and across from the Grange Castle golf course.  Why there?  That’s the most connected road in Ireland, thanks mainly to the presence of DataElectronics (DEG).  DEG is an Irish colo hosting facility and just so happens to be the one we use at work.

This data centre will host MS internal service but also the hosted services.  Being American, it’s subject to the Patriot Act so companies worried about the European/Irish data protection directive might not be able to consider those services.  Otherwise, there’s some seriously cool offerings for small, medium and large businesses.

Grangecastle is “is the first “mega-data center” Microsoft has built outside the U.S. The 303,000 square foot first phase of the building will be supported by 5.4 megawatts of electricity and have a Power Usage Effectiveness (PUE) rating of 1.25, the company said. The $500 million project will eventually include about 550,000 square feet of space”.  This data centre will run “hot”, i.e. not at the usual 19C or 21C but at 30C.  This saves a fortune on air conditioning power consumption and is fully supported by HP, MS’s (and mine) preferred supplier of servers and storage.

A Chicago data centre will also be opening.  This is the first of MS’s next generation data centres based on a fault tolerant, scalable, economic and power efficient container model.  Each module is a pre-build container that is dropped into place and connected to a permanent corridor.

EDIT#1:

PS Microsoft, I'll be just around the corner if you feel like giving me a tour tomorrow ;-)

I’ve just been doing some P2V work when I encountered the below warning for the first time.  I had just run a system scan:

“There is already an SSL certificate associated with port 443 on machine MachineToP2v.yourdomain.com.

Ensure that no application on machine MachineToP2v.yourdomain.com listens for HTTP traffic on TCP port 443 during the conversion. Alternatively use registry key HKLM\Software\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings\P2VBITSTcpPort on the VMM server to change the P2V transfer port number and add the necessary firewall rule for TCP port 443 on machine MachineToP2v.yourdomain.com.

ID: 13252”

The physical server I am going to convert to virtual (P2V) is running an IIS site on TCP 443 or SSL.  This would interfere with the P2V conversion because it runs on 443 by default.

The solution was simple:

• Identify an alternative port that you figure is free on your entire network, e.g. I picked 30666.
• Ensure that there are no communication problems between the physical machine and the VMM 2008 server on your alternative port.  Check physical and Windows firewalls.
• Add a REG_DWORD called “P2VBITSTcpPort” to “HKLM\Software\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings”.  Set the decimal value to your alternative port number.
• Restart the Virtual Machine Manager Service on the VMM 2008 server.
• Start the P2V all over.

That worked fine for me.

Clive Watson posted on his blog about the performance increase SLAT can give to Remote Desktop Services (the renamed and expanded Terminal Services) on Hyper-V running on Windows Server 2008 R2.

SLAT (Second-Level Address Translation) is available on the newest processors from Intel (EPT feature) and AMD (RVI feature) offer this functionality, e.g. Nehalem.  It optimises memory management on Hyper-V, i.e. it offloads the mapping of physical to virtual memory to the CPU so that the parent partition is not involved.  That reduces RAM overhead on heavily loaded hosts.

According to a quote that Clive posted for RDS virtual machines running on Hyper-V 2008 R2: “SLAT enabled processors increased the number of sessions by a factor of 1.6x to 2.5x compared to non-SLAT processors”.  That’s a significant workload improvement.

I’ve been looking at pricing for new HP servers and components.  At least when it comes to shelf prices the G6 chassis is more expensive but their processors are much cheaper than G5 ones.

Johan Arwidmark, another Minasi forum poster, has posted about the latest beta (2) build of the MDT 2010 (Microsoft Deployment Toolkit).  It is available now to download on Connect.  MDT is the free toolkit from MS that you can use to optimise your Windows 7 and Windows Server 2008 R2 deployments.  Johan, a deployment MVP, is one of the gurus on this stuff and a regular source of answers on the trickier side of deployment; I think he has some training media coming out soon so watch out for that.

There’s a new SKU in the July price list for SPLA (Service Providers Leasing Agreement – AKA hosting licensing) called DataCenter Per Processor Outsourcer.

One of the perks for retail/volume licensing (non-hosted) was that you could by DataCenter edition for each of your hosts physical processors.  That gives you unlimited free Windows Server licensing for VM’s running on that host.  That’s a major money saver on hosts with lots of VM’s.

In SPLA up to now, we only had a SKU for anonymous DataCenter.  This only allows anonymous free licensing for VM’s.  Anonymous means that Windows can play no role in authenticating the users, e.g. SharePoint, Exchange, Active Directory, etc.  You cannot run authenticated (those where Windows plays a role in user authentication) licenses on VM’s on this host, even if you pay for them!  This meant that you either:

• Ran 2 Hyper-V clusters: 1 using Enterprise for authenticated and one running DataCenter for anonymous in larger installations.  This doubled your hardware costs.
• Or just run 1 Hyper-V cluster: running Enterprise where you didn’t get the benefits for anonymous licensing.  This put smaller companies at a pricing disadvantage to larger companies.  It was also pretty expensive compared to the new model.

The new Outsourcer SKU’s replace the authenticated licensing model.  It also adds DataCenter to the list, fixing a major flaw with SPLA licensing for hosting companies using Hyper-V for virtualisation.  There is also a new 3 year license which saves a bit of money over the per month model.

EDIT #1:

Our SPLA LAR called me up to ask a technical question.  Then he warned me not to go making plans on the Outsourcer SKU.  He's seen an issue in the text that MS needs to rectify immediately before the July price list takes effect.  Hopefully it will be sorted out soon.

Virtual Boy posted about some free training that’s going for Hyper-V:

“Microsoft is offering some free Hyper-V training. You will need to enter a specific access code 9350-Y2W6-3676 and sign in with your Live ID.  The course “Collection 6319 - Configuring Hyper-V in Windows Server 2008” includes the following modules:

1. An overview of the Hyper-V technology
2. Creating a virtual environment
3. Deploying systems in a virtual environment
4. Configuring high availability in a virtual environment
5. Administering a virtual environment with SCVMM”

You can sign up here.

MS announced the Windows 7 pricing for the USA market:

Remember that European customers will get a version of Windows 7 with no IE in it?  That means we can’t do an upgrade so there won’t be an upgrade edition.  MS are promising us Full installation media at upgrade prices.  I’ve got to think they will check for a pre-existing license some how.

European prices?  I’ve no idea.  I guess the price will be similar to above but will swap the $ for a €.  That’s what they did with Vista with the reason being “exchange rates”.  It made no sense to us because the price was way higher for us, e.g. back then €1 = $1.25.  Now it’s bouncing around €1=$1.35.  Hopefully they won’t make that mistake again.  I’ve read the prices are around 10% less than the original Vista pricing.  That’s good.

PC’s bought from June 26th get a free upgrade.  There’s also an early adopter price for upgrades.  That looks to be around half price and start on June 15th.

One of the nice new additions in VMM 2008 R2 is Quick Storage Migration or QSM.  This allows you to migrate a VM from one storage device to another, e.g. from one SAN to another, one LUN to another or from a per LUN installation to a CSV (Cluster Shared Volume).

Edwin Yuen (senior dude at Microsoft on virtualisation), talks about the mechanics of QSM in an excellent blog post.  The short story is:

• A Hyper-V snapshot is taken by VMM 2008 R2 of the VM.
• This means our VM is running from AVHD’s, a form of differencing disk.  All writes now happen to the AVHD’s.
• VMM 2008 R2 is free to copy the original VHD(s) to the new destination.
• The VM is put into a saved state and the AVHD’s are merged into the VHD’s at the destination.  This takes probably around a minute, depending on how long the VHD copy took and how much data was written to the AVHD’s.
• The VM starts up on the destination, running only from the VHD’s.

There’s something to watch out for here in moving from “1 VM/1 LUN” installations.

Imagine you have a VM with 100GB of disk and 2GB RAM.  How big do you think the LUN will be for that on a Hyper 2008 cluster?  Probably only around 113GB ( (VHD+RAM)*1.1 = (100+2)*1.1 = 113 ).  That’s because you can’t waste disk.  You’ve just enough space for your VHD’s, the config files and a save state for the RAM.  If you snapshot that VM it will (by default) create a snapshot in the same location.  That AVHD will start out small but will grow.  If the file VHD copy takes a while and there’s lots of write activity to the AVHD then there will be an issue.  Your LUN will fill and your VM will pause during quick storage migration (QSM).

I don’t have the gear to test VMM 2008 R2 so I’m going to ask about this.  VMM 2008 doesn’t have a field to specify an alternate LUN for snapshots but the Hyper-V console does.  Maybe you could use that to relocate the snapshot AVHD’s in advance of a QSM from a per-LUN installation to a CSV?  I suspect this should work … you can change that Hyper-V setting while a VM is running.  It’s times like this I wish I had €20-€30K of gear to test with!!!!

EDIT #1:

I contacted Ben Armstrong (Virtual PC Guy) via the MVP newsgroups and he got onto the VMM team.  The answer is "yes" to the problem and solution.

If you’ve ever seen the back of a server rack that I’ve cabled then you’d never let me even plug in a power lead to a kettle.  I am horrible at cabling.  Simply awful at it.  Those probably aren’t strong enough phrases to be honest.  That’s one of the reasons I like blade/SAN technology; there’s a minimal amount of cabling and it’s all usually done by an expert engineer who’s installing the blade chassis and the SAN.  When we put in our gear, I made sure it was!

The engineer did a nice job at labelling everything.  All lead placements were planned.  We’ve a network mesh going back to our access switches from the blade Ethernet virtual connects.  There’s a divergent path between the blade fibre virtual connects, the fibre switches and the SAN chassis units.  Each server has dual channel HBA mezzanine cards And power is split between circuit A and B in each rack.  That means we can lose a circuit and still be operational.  Adding servers doesn’t require more cabling – only adding a chassis does and then I’ll get the engineer to do the work :)

Note: We went with Brocade mezzanine cards instead of the Emulex ones.  At my last job we had 128 HP BL460C’s with Emulex HBA’s.  I’d say at least a quarter of the HBA’s had to be replaced in the month before we went into production.  I spoke with an engineer from the reseller recently and he said they were still regularly failing.  We haven’t had any issues with the Brocade ones.

We put the power and fibre channel fault tolerance to test today.  We needed to replace 2 Power Distributions Units (PDU’s).  They have management boards on them that the data centre doesn’t use.  Instead they have an out-of-band management system.  The management boards faulted so we had annoying alarm lights and sirens.  We often bring people in for a show’n’tell during pre-sales so alarms are not good, even if they mean nothing, which they did.  The data centre power management system and our OpsMgr 2007 HP Management Packs would have told us if we had a power issue.

We scheduled the replacement for this afternoon.  Outages are out of the question for the mission critical services we provide to our managed server hosting customers.  We swapped out the PDU’s with the alarms.  Not a single flicker of a problem was seen.  I watched the OpsMgr console for alerts while I was logged into a few VM’s (stored on the SAN) running tests.  The MPIO fault tolerance (Windows Server 2008 SP2) and the power fault tolerance of the SAN/Blades worked.

I was pretty confident of there not being an issue.  Everything was tested by the HP engineer when we did the installation last year.  All the hardware was looking healthy and the “board” was green in OpsMgr 2007.  This just shows how a little bit of planning before you plug things in and a little testing afterwards works in your favour.

Emma Healey (Licensing Escalations Manager at MS UK) did an online session on licensing in the virtual world at the recent TechNet online event.

• A volume license for Windows Server is assigned to hardware.  You could only reassign (move to different machine) it once every 90 days.  This is an installation, not a VM migration.
• From Sept 1st 2008, we’ve been able to move CAL licensed applications from one host to another within a “server farm” as often as required.  The 90 day minimum rule does not apply. 
• Only the Enterprise editions of Per Processor SKU’s have free mobility.  The 90 day rule does not apply.
• The free virtual operating system environment licenses cover legacy Windows OS’s.
• We CAN freely move VM’s from one host to another.  This is NOTHING to do with reassigning licenses.  You need to be sure the host can sufficient licensing.  There are no timing issues.  The 90 day rule does not apply.

Oh yeah, the licensing for SPLA is still punitive, i.e. DataCenter only exists as an anonymous SKU and authenticated SKU’s cannot be run (even if paid for) on it.

I’ve been an MVP now for 51 weeks.  I’m up for review and I’ll know if I’m renewed or not next week, probably Wednesday.  I know that it won’t be for Configuration Manager again.  As fate would have it, I haven’t work with ConfigMgr in a while.  That means I’ve nothing to blog about on that scene.  I found myself working with Hyper-V early last Summer and I deployed VMM 2008 the week it was released … from a hotel room in Barcelona at TechEd EMEA.  It consumed a lot of my time.  I learned a lot about those products.  I’ve done my best to share that here on the blog and by speaking at events here in Ireland, UK and the USA.  That’s set to continue this year; we’ll be upgrading to W2008 R2 once VMM 2008 R2 is released.  That’ll give me more things to learn and share.

Being an MVP has been cool.  I’ve access to great sources of information, some of which I can share and some which remain under NDA for some time.  The perks have been cool.  My only regret was being unable to go to the MVP summit.  I’ll see how the budget is for that next year.  And who knows what surprises lie ahead at work for me to learn/blog about!

A month after buying virtualisation provider, Virtual Iron, Oracle has decided to shut it down.  Sales of further licensing are allegedly to stop.  I’m sure the Virtual Iron customers will be real happy with that!  Oracle also bought Sun at around the same time.

Bink is reporting that July13th will be when Windows 7 and Windows Server 2008 R2 is RTM’d.  As I’d previously said, that ties in perfectly with the WPC09 conference (MS partners); it’s starts on the 13th in New Orleans.

I had to satisfy my curiosity this morning so I went and had a look.  I checked out 2 of the main recruitment sites that are used in Ireland.  Key words I was looking for were Sysinternals, 24*7*365 and Exchange 2007.  Easily half the adverts were for one job with the aforementioned Internet gaming company in south Dublin, just off the M50.  They have just about every recruitment agency in Ireland trying to find staff for this role with no joy.  Seriously people, if you’re offering a great package (which they most certainly are), there’s an abundance of available skills (12% unemployment, half of which are skilled professionals) and you still can’t fill that role – don’t you think you need to look at yourself and ask some serious questions?

Another recruiter rang me today about the role.  It was a quick “thanks but no thanks” conversation.  He sounded exhausted with this one.  I can’t blame him.

Nathan Winters just tweeted about a whitepaper on the Microsoft site.  It compares physical with virtual Exchange implementations. 

“Reducing or controlling the high cost of the power to run and cool computer hardware is a top priority for many organizations throughout the world. Many organizations are considering server virtualization solutions to reduce their server footprint and the associated power and cooling costs. Because the virtualization of Microsoft Exchange servers rarely results in a reduction of physical processors, there is some question whether there is significant hardware, power, cooling, or space savings from virtualizing correctly sized Exchange Server 2007 server roles. This study compared the power utilization of native and virtual Exchange server environments in a scenario in which the number of physical servers was reduced from eight to two, but the total number of logical processors and the amount of memory remained the same.

When you consider virtualization of an Exchange environment, power savings is only one of many factors to consider. Depending on your requirements, virtualization may not be a good fit for your Exchange environment. For more information, see the Exchange Team Blog article Should You Virtualize Your Exchange 2007 SP1 Environment?”

I’ve just set up TS Web (Windows Server 2008 Terminal Services web interface) on 2 XP machines.  Both were running IE7, the latest RDP client and XP Service Pack 3.  When I fired up the URL I got the following: “ActiveX not installed or enabled”.  The ActiveX plug-in for RDP wouldn’t work.

I did a quick Bing – OK I Googled.  Binging still sounds wrong – and found a fix.  I needed to delete a couple of registry keys from HKCU:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
• HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}

I refreshed the page and all was well.  I was now asked (using the yellow bar) if I wanted to enable the ActiveX plug-in, which I did.

There’s an Internet gaming company here in Ireland, just off the M50 in south Dublin, that’s been recruiting for a senior Windows engineer for at least 4 or 5 months.  I’ve been contacted several times by agencies but I’ve no interest in them.  Normally it’s a place I would have been interested in: massive numbers of mission critical Windows servers including Windows 2008.  Tip off words in their adverts mention car parking, gym membership, 24*7*365, Exchange 2007 and Sysinternals.  That last one’s a dead give away :-)

I blogged about them back in mid 2007.  I had some experience of how they advertised for an architect and the opening was really for a break-fix engineer.  I found that out in the last of 4 interviews. 

So why are they having trouble filling this job?  That last thing I mentioned is a clue of what they’re like.  I know some people who’ve interviewed there in the past and came out feeling bitter like I did.  I know someone (let’s call him Bob) who did their phone interview and was then asked to come in for 4 in-person interviews … at 2PM on the following Monday.  Bob couldn’t do it.  He has to give 1 months notice for time off.  Skiving off from work isn’t in his nature but the HR person was insistent that the interview would not be after hours.  It seems she wanted to recruit someone for their senior position who had no problem dossing from work.  When the Monday plan wasn’t going to work (after 1 month notice being explained).  Here’s what she offered: “OK, we’ll interview everyone else.  If nothing works out then we’ll call you in for the following Monday”.  The only response Bob could give her “Fine, we’ll then book the day off 1 month from the point you call me to say that no one else was suitable”.  Stupid, eh?  All because Ms. Thing wanted to finish work at 17:30.  That brought an end to his dealings with the company.

Unemployment is at over 12% in Ireland right now.  We have a 4 million population.  Lots of those have been skilled employees with great skills.  There’s no shortage of available people and others who are hunting for more secure work.  Any company that’s been failing to fill a position after 4 or 5 months must look at itself and ask some serious questions. 

• Advertise the job that really is open.  Don’t back load the surprises that spring up in the last interview, the contract or the first day of work.
• A person cannot know everything.  You have a laundry list of requirements so look for people who have similar skills that can transfer, e.g. they can learn new skills.  A handful of people in Ireland know the HP RDP stuff.  Consider people who know WDS because they aren’t too different.
• Be flexible.  Asking people to take a risk by dossing from work in the middle of the day is ridiculous.  People are in fear for their jobs so make allowances.  Do you really want to hire someone who will doss from your company?  Are you going to “change them”?  LMAO!  I suspect in this case that the HR person was at fault.  We IT people are used to working late.  HR … well they clock out at 17:30 (oh that’s 5:30PM, dear).

Microsoft has just released the newest version of System Center Operations Manager, 2007 R2. OpsMgr, AKA SCOM, allows an enterprise to monitor the health and performance of the IT infrastructure from hardware all the way to the applications. Component monitoring, audit logging, service delivery monitoring and performance monitoring have been with us since 2007. SLA monitoring has been enhanced in 2007 R2 and Cross Platform Extensions add the ability to natively monitor UNIX and LINUX from the Microsoft platform

This session by expert Paul Keely will introduce you to OpsMgr and to the new features added in OpsMgr 2007 R2.

Agenda

09:30 Introduction
09:45 The monitoring story
10:00 Operations Manger Whistle Stop tour
10:40 Breakout
10:50 Monitoring deep dive, Monitors, Rules, Synthetic Transactions and Service level dashboards all from the field.
11:50 Q&A

The Speaker

Paul Keely has been working for Microsoft Consultant Services for the last number of years doing enterprise deployments of most of the System Center products, but mostly focusing on SCOM. Paul is back working for himself, is deeply engaged in a number of large SCOM deployments right now and is full of lessons learned and helpful information for anyone thinking about deploying SCOM, and for those working on it right now.

Where And When

Registration is mandatory for attending the in-person event at Microsoft.

The event will be held in Building 2 at the Microsoft European Development Centre (EDC), South County Business Park, Leopardstown, Dublin 18. 

Registration: 09:00

Event: 09:30 until 12:00

Registration

To attend in person you must register.

Webcast

Registration is not required to join the online webcast. You can join the web cast by:
1) Installing the free Live Meeting Client
2) Clicking on this link: https://www.livemeeting.com/cc/usergroups/join?id=OpsMgr2007R2&role=attend