Aidan Finn

MCSE, MVP System Center Configuration Manager 2007
August 14

Off The Air For A Week

I'll be off the air for a week after a hectic period at work ... and before an even more crazy couple of months!

I'll be in northern Norway dodging Scandinavian gods and demons.  The purpose of the few days is to photograph White-Tailed Sea Eagles while they hunt for fish.  In my spare time I like to get out and do a little bit of photography ...

Osprey, Virginia Beach, USA

Southeast Motocross, Ferns, Ireland

So I'll be offline and sat somewhere in a Fjord waiting for raptors with an 8 foot wingspan to come calling.  Hopefully I'll make it back in one piece.

August 13

Introducing SCVMM 2008 Performance & Resource Optimization (PRO)

Why do I prefer Hyper-V, a version 1.0 hypervisor, over the more mature VMware ESX?  It's quite simple; management.  This is where the "religious" VMware nutters scream about Virtual Center and ESXi web consoles - hold on to your hats, girls, this one's gonna be a bone shaker!

I am a "lazy admin".  I do not like to be poking and prodding in machines and consoles on a constant basis to do repetitive work.  There's better things that I can be doing such as actual engineering projects or working on the business side of things.  I also like to know when something has gone wrong, either before it happens or before the customer calls us up.  The traditional solution seems to be to have lots of management consoles all over the place.  Honestly, that doesn't work.  Once server and application crawl takes over, there's too much fire fighting involved in working with lots of management solutions.

Here's why I like HP (Dell play nice too AFAIK) and Hyper-V.  They fit in nicely with the concept of Optimised Infrastructure by being very manageable, more than their competition.  The idea is that you design your network, servers and applications so that they are easy to manage.  This means using integration and automation so there is less manual work to be done, the service is fault tolerant and reliable, you can focus on developing/enabling the business and the service that IT provides can be counted on.  We also reduce our operating costs.  Understanding these concepts and being able to use them is the difference between employing 15 IT staff and 77 IT staff (based on a real-world example).

So back on point ... what's all this got to do with Hyper-V?  MS's System Center family of products are an integrated set of management tools designed to build that automation and expertise into your network.  Yes, in the past they were MS centric but partners did expand them to include 3rd party solutions, e.g. *NIX and Cisco.  Now, MS is even doing this themselves.  One of the core products they sell is OpsMgr 2007, the monitoring solution.  Using an OpsMgr agent with management packs, I have expertise on different products that knows what to monitor, what is acceptable, what faults to watch for, best practices, etc.  I can even extend this or tweak it with exceptions.  This allows me to sit back and know that someone ... or something ... is watching my hardware, OS and applications.

Here's the fun bit.  There's soon going to be a management pack for Hyper-V.  That means we get in-depth expertise for monitoring the health and performance of the virtualisation platform using the same single pane of glass that I use to monitor everything else.

So those VMware marketing types who try to sell ESXi off as being equal to Hyper-V, answer me this?  Where do I install an agent on a machine with no OS?  I've heard that I can monitor the hardware using cards in the server; what good is that for monitoring the hypervisor?  You answer me that the hypervisor has a web console.  Fantastic!  Do I really want to log into lots of little web consoles?  Ah ... Virtual Center ... so now I need to use it and my console that manages everything else?  Virtualisation is meant to be good for a lazy admin like me ... you know .. less work, put my feet up, more time for playing games, etc. 

Microsoft's answer to Virtual Center is Virtual Machine Manager 2008 which is being launched on September 8th.  VMM 2008 gives us management over the VM's on our Hyper-V servers or cluster.  It includes the ability to audit physical machines to see if they're candidates for virtualisation (don't even have to pay for that agent license!) and a P2V conversion tool.  VMM 2008 integrates with OpsMgr 2007 SP1 via PRO or Performance and Resource Optimization.  You can read much more about that here.  The idea is simple.  OpsMgr monitors performance/health and understands the relationship between VM's and hosts.  VMM 2008 manages VM creation and placement.  PRO links the two to share that knowledge and act on it.  What's really cool is that we're getting cradle-grave management of hosts and VM's.  But not only at the hypervisor, but all the way through the "stack" from the hardware, the host virtualisation, the VM and the VM's OS and applications.

That means I have a single integrated management solution for my entire network.  I'm a big believer in infrastructure optimisation.  I've witnessed it working and making my life easier.  I've also witnessed the opposite where there was no management despite there being lots of junkware being installed to "manage" points of the infrastructure.  Automation, expertise and integration are the keys to success.  For me, that's why I like HP servers/storage and Hyper-V because they can be easily managed using Microsoft System Center.

Reducing the Server Core Disk Footprint

There's an interesting entry on the TechNet blogs about how to further reduce the amount of disk required for running Server Core.

Server Core is tiny compared to a full installation of Windows Server 2008, sacrificing the GUI and .NET to reduce RAM & disk requirements as well as reducing the attack surface.  It supports a number of roles whose install files are on the hard disk.  You can uninstall those packages using the instructions on the linked blog entry.

This is a one-way deal.  You cannot re-install those packages.  To get them back you have to re-install the OS.  You will no longer be able to install the functionality of the packages once you remove them.

Why would you consider this?  If you're installing Core, you've probably got a very set idea of what the server will do, e.g. it will be nothing but a file server, or a DC, or maybe even a Hyper-V host.  In fact, a Hyper-V host is a perfect example.  It should be nothing but a Hyper-V host.  Uninstalling the other packages will guarantee that and you'll have minimised how much disk the OS needs, thus freeing up space for VM's ... although it's not going to be all that much!

August 12

Sample Configurations and Common Performance Questions for SCCM 2007

Microsoft has released a document detailing common scenarios for System Center Configuration Manager 2007.  As you'll soon see, ConfigMgr is very scalable.  They are rating a single site server with dual CPU and 4GB RAM for up to 10,000 managed clients.  That might be a small site by MS/USA standards but that's a pretty large deployment by mine!

Microsoft Virtualisation launch

It's official.  Hyper-V and System Center Virtual Machine Manager 2008 will be launched on September 8th.  MS is having a big launch event in the USA.  Microsoft Desktop and Application Virtualization, AKA SoftGrid and probably still only for Software Assurance customers (BOOOOOOO!) is also being launched.

August 11

ENERGY STAR Power Management Assessment CP for SCCM 2007

Microsoft has released a ConfigMgr Desired Configuration Management template pack for auditing the energy saving settings of your computers.  Whether you believe in global warming or not, there's no denying that oil reserves are reducing and energy costs are rocketing.  Governments are also considering carbon footprint charges.  Anything you can do to reduce energy costs, i.e. reducing that carbon footprint, will save the business money.

Make use of the power control settings in Vista (via group policy) and make use of Configuration Manager DCM to monitor them and you might just reduce the operating costs of your business.

August 07

Windows Server 2008 User Group Event: Alex Yushchenko on Windows Server 2008 Terminal Services

I'm delighted to announce that Alex Yushchenko will be giving another Windows 2008 Terminal Services Class in association with Windows Server 2008 Users Group Ireland.  Like the previous one in May this one will be completely free.  However, Alex can cover a lot more and get into much more detail this time around because he's doing the event for an entire day! 

Agenda

Alex will be including the following subjects during the day:

  • Windows 2008 Terminal Services what's new
  • RDP Client
  • TS Gateway
  • TS Session Broker
  • TS Easy Print
  • TS Remote App's
  • TS WebAccess
  • TS & Windows System Resource Manager
  • Terminal Services Licensing
  • Troubleshooting Terminal Services
  • Terminal Services with 64 Bit - benefits & design
  • Profile and User management
  • TS & Softgrid 4.5 Virtualization
  • Get the best out of it with Free Tools
  • And More!

Prerequisites

This is a "Level 200" event so some knowledge of Terminal Services on Windows 2000/2003 is required.

Where and When

The event will take place in Guinness Storehouse on October 3, 2008 from 9.30 to 16.30 with lunch.  We're restricting this to 50 people so book your place as early as possible.  There will also be free admission to the Guinness Storehouse as well as a free pint of Guinness in the upstairs Gravity bar :-)

Attending The Event

The class is free to attend for members of the Windows Server 2008 Users Group.  Membership and joining the group are free.  Once you are joined, we will send an invite out to you - assuming there are places still free. 

This event is a "must attend" if you run or are planning to run Terminal Services on Windows Server 2008.  Alex is a world recognised expert on the subject.  I'd also recommend that you check out the next PubForum event (Nice, 7-9 November 2008) that Alex is organising.

ALEX YUSHCHENKO

Better known as "Dr. Conti" to his peers, Alex is one of the top posters to the official Citrix support forum.  He's also the organiser and host of the server-based computing technology experts conference called "PubForum" held annually in different locations throughout Europe – London, Dublin, Paris, Amsterdam, Brussels, Lisbon, Nice.  Alex has over 9 years of Citrix and Microsoft Terminal Services experience and is a true Microsoft Technologies evangelist.  Alex holds a Citrix Technology Professional designation and was awarded the Microsoft Terminal Services MVP designation in 2006 and 2007.

Cancellations

We'd ask that you please let us know if you cannot attend so that we can free up spaces for others.

Credit

A big thank you must go out to Alex for arranging this event!

Windows 2008 User Group Event: Hyper-V and Virtual Machine Manager 2008

The Windows Server 2008 User Group (Ireland) will be running an event on Hyper-V and System Center VMM 2008.  There will be 3 sessions:

  • Dave Northey (Microsoft): Hyper-V - we can get a little deeper on this topic now that the product has been released.
  • Aidan Finn (ME) (C Infinity): Lessons I've learned about Hyper-V - Aidan will share his experiences with the product and things you should be aware of when setting up a lab or production environment.
  • Mark Gibson (Microsoft): Virtual Machine Manager 2008 - System Center VMM2008 is due to be released in Q3 2008.  It is Microsoft's answer to VMware's Virtual Center and will be an essential tool for managing production Hyper-V deployments.

Attending The Event

The session is free to attend for members of the Windows Server 2008 Users Group.  Membership and joining the group are free.  Once you are joined, we will send an invite out to you - assuming there are places still free. 

Places are limited to 20 so book now while you can.

Patch For Hyper-V in Clustered Environments

I was told a little while ago to watch out for this patch from Microsoft.  It improves how Hyper-V works in a clustered host environment.  KB951308 can be downloaded once you accept a EULA.  You should have a read because there is a long list of improvements.

Note that:

  • If you apply this update to a computer that is functioning as a Windows Server 2008 failover cluster, the failover cluster service must be restarted before the changes will take effect.
  • If you apply this update to a system that is running the Failover Cluster Management console (the Cluadmin.msc file), any open versions of this management console must be closed and reopened before the changes will take effect.

Make sure you test this update before you or your company decide to install this update.

Microsoft Releases SQL Server 2008

Microsoft released SQL Server 2008 yesterday evening.  This is a big release for MS.  SQL is used in just about everything they release and it's a focal point for Windows application developers. 

There's lots of new features which MS has categorised.  I won't go into them all here.  However, there are some key additions worth looking at.  Modern business and the need for regulators has required MS to add new compliance and security features:

  • Encryption of databases, data files and log files.
  • Extensible key management for 3rd party solutions.
  • Auditing of data usage

If you're in finance, medical, pharmaceutical, SOX, etc, then you'll want to look at these features.

Anyone using SQL for a MS application such as Configuration Manager 2007 should wait for official support of those applications.  MS will have to certify the product pairing and may need to release patches for support.

August 06

Deploying Windows Server 2008 Hyper-V and Microsoft System Center Virtual Machine Manager: Best Practices

I've just watched this presentation by MS on Hyper-V and SCVMM 2008.  If you're planning on deploying either or both of these technologies then this presentation is essential viewing.

Preload Package Tool for ConfigMgr 2007

Microsoft has just released this very handy utility for SCCM 2007.  It previously was released for SMS 2003.

Imagine this scenario.  You've got a HQ running System Center Configuration Manager 2007.  You've got a series of branch offices with limited bandwidth and local distribution points.  You want to deploy your latest build of Office 2007.  Now that is a big package.  You could let it replicate over the WAN at the weekend but maybe your business is open 7 days a week.  I've seen this scenario where SMS controlled the PC's in a retail operation whose market was 7 days a week.  Using this tool, you could conceivably distribute the package via DVD and manually load it into your distribution points.  Sure, this is manual work but it's meant to be used in only those exceptional circumstances where there are huge packages to replicate.  Once you've imported the package on the distribution point, you add the site to the package properties in the SCCM console.

Here's how MS describes it:

"When software distribution packages are created, information about them is sent to child sites in the hierarchy. If a child site has a distribution point installed that is listed in the package properties to host the content, the content is transferred over the network and uses available network bandwidth sending compressed copies of all required package source files. To avoid using network bandwidth, the Preload Package Tool can be used to copy compressed software distribution package source files to the remote child site before assigning the child site distribution point to host the package source files".

July 31

OpsMgr 2007 Management Pack: SharePoint Monitoring Toolkit

This Solution Accelerator provides a set of System Center Ops Manager 2007 Management Packs for Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 (including SP1). The Toolkit also includes user documentation for each of the Management Packs.

Dublin is a Small Town

1 month ago, we sent out a job offer to an Irish guy who was raised in mid-west America.  He accepted the job and was excited about it.  It was a permanent role (of value in a slowing economy) and would offer him the chance to get into server administration in an advanced infrastructure (it's pretty leading edge).  We would expose him to lots of stuff and he was bringing some valued skills, i.e. Linux.

In the meantime we made plans for him.  He was going to have lots of interesting work, not just "pressing buttons".  I spent time preparing his laptop, getting his accounts ready in our data centre, and planning his induction.

"Heavy-D" was due in the office yesterday morning.  Nothing.   No sign of him.  I tried to ring but his phone rang out.  I mailed him to let him know that we were assuming he didn't want to join the company.  Then he decided to call our MD.  He claimed that he got his dates mixed up.  Huh!?!?  That seems like a lack of attention to detail because it was clearly printed in his employment contract.  He was told to be in today at 9 sharp.

10:00am comes and goes and "Heavy-D" still didn't turn up.  OK, I was done with this chump.  I wasn't having some one start their job reporting to me like this.  I reported it to the MD.  My opinion of Heavy-D now is that he has a lack of attention to detail, is unprofessional and unreliable, i.e. I deem him to be unemployable.  The only excuse is if he fell under the #72 bus.

If you're not from Dublin or not experienced it then here's the crux of the story.  Dublin may have 1+ million residents but it is a small town.  No one in business is more than 1 or 2 degrees away from anyone else (like the Kevin Bacon game), e.g. if you want to know about someone then you ask around a little and you find someone who has worked with them, sold to them or bought from them.  Ruining your reputation with one person is not a good career move because people in Dublin like to talk.  Example, I had looked into "Heavy-D" through a friend.  I'm now telling that friend about "Heavy-D" who'll probably tell "Heavy-D's" former workmates about the story.

So, "Heavy-D", you've lost out on the chance to work on a super infrastructure.  You've also gone and shot your career in Dublin.  Maybe you should go click your heels like Dorothy and vamoose back from whence you came.

July 29

A Particularly Odd OpsMgr 2007 Problem (And Solution)

The Operations Manager 2007 agent and management server communicate with each other and perform mutual authentication using Kerberos.  They're in the same forest and hence in the same Kerberos domain.  But what happens if you have agents outside the forest?  If you read anything from Microsoft (or the OpsMgr book I just bought) you'd be left under the impression that you must install the OpsMgr gateway.  You'd then install a custom X.509 cert (requiring a cert server running on Windows Enterprise Edition) on that machine and on the OpsMgr server.  There's two problems with this:

  • What if the un-trusted network is a workgroup, e.g. a DMZ?  There's no Kerberos domain for the agents on the network to authenticate with the Gateway.
  • What if you are monitoring many networks with only one or two agents on each network?  Are you going to install lots and lots of Gateways?

If you are persistent with your searches you will find that:

  • There is one mention by Microsoft in a downloadable Word document that you can install agents with the X.509 cert so that the agents can communicate directly with the management server.
  • There is an almost complete guide by Duncan McAlynn on how to install the certs using MOMCERTIMPORT /SUBJECTNAME (the subject name is the name of the cert in the certificate store).

Duncan appears to be the only person to have attempted to document this process so he deserves credit for it.  The MS documentation folks have done a poor job with OpsMgr, e.g. failing to cover this subject and failing to document complete management pack authoring.  The instructions for setting up the CA are in the OpsMgr 2007 Security Guide and Duncan walks you through installing the agent.  The only missing step is you need to install and import CA and agent certs on the OpsMgr management server(s) so that they have a means for mutual authentication with the agents.

I'd been doing this successfully on servers and then I hit one server where the agent could not use the cert.  I saw the following in the Operations Manager Event Log:

Source: OpsMgr Connector

Type: Error

Event ID: 21036

The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication.  The error is The credentials supplied to the package were not recognized (0x8009030D).

I reissued that cert, re-imported it, re-installed the agent half a dozen times.  I'd opened a call with MS (thanks to IT Pro Momentum) but the first PSS agent was not the Mae West to deal with.  He kept claiming that my CA was at fault but I knew it wasn't - other agents were fine.  Finally the ticket got reassigned to Brian who was a pleasure to work with.

He started coming up with some new ideas straight away.  The first was maybe the cert store was corrupt.  I tried a fix for that (CERTUTIL -F -REPAIRSTORE MY "<thumbprint of agent cert>") but that didn't fix the problem.  Brian asked if we could look at the server together using "EasyAssist" ... it's MS's answer to WebEx or LogMeIn so they can get Remote Assistance over web friendly protocols.  We poked around and saw something interesting.

  • The CA cert in Computer\Trusted Root Authorities was fine.
  • The agent cert in the Computer\Personal store was fine.  The certification path was fine.
  • When you run MOMCERTIMPORT it copies the cert into Computer\Operations Manager in the certificate store.  I had overlooked this.  Here, the certification path was invalid.  Weird, because it was fine in the Computer\Personal store.

We manually imported the cert into there and the certification path was still screwed.  We re-imported the CA cert but it was still screwed.  We re-imported the CA cert and the operations manager copy of the cert.  The certification path was fine but the agent didn't appear to be using it.  We re-ran MOMCERTIMPORT and the certification path was invalid again.  OK ... I thought we'd try this:

  • Delete all copies of the agent and CA certs from the certificate store.
  • Brian suggested restarting the cryptography and the OpsMgr Health service.
  • I went through the process of re-importing: Import the CA cert into Computer\Trusted Root Authorities, import the agent PFX into Computer\Personal, re-run MOMCERTIMPORT /SUBJECTNAME and restarted the OpsMgr Health service.

Lo and behold ... it worked!  In fact, it worked so well that we detected a hardware fault on the server that we hadn't known about.  Sweet; OpsMgr rules!

A big "Thank You" to Brian for helping out on that one.  For the most part, I've always had good dealings with MS PSS agents going back to 2003.  It was good to see this one being rescued so professionally.
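
The delete, restart and re-import sequence from this post, written out as an added PowerShell example (not code from the original post or from Microsoft), with a per-store report of the certification path so the Computer\Personal and Computer\Operations Manager copies can be compared. The parameter names, file paths, the location of MOMCertImport.exe and the service names CryptSvc and HealthService are assumptions.

```powershell
# Added example, not from the original post. Assumed: parameter names, file
# paths, and the service names CryptSvc and HealthService.
param(
    [Parameter(Mandatory=$true)][string]$SubjectName,  # value given to MOMCERTIMPORT /SUBJECTNAME
    [Parameter(Mandatory=$true)][string]$CaCertPath,   # CA certificate file (.cer)
    [Parameter(Mandatory=$true)][string]$AgentPfxPath, # agent certificate with private key (.pfx)
    [string]$MomCertImport = '.\MOMCertImport.exe',    # assumed location of the tool
    [switch]$Reimport                                  # without this the script only reports
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

function Get-AgentCertReport {
    # One row per copy of the agent cert in a LocalMachine store, with the
    # result of building its certification path to a trusted root.
    param([string]$StoreName)
    $path = "Cert:\LocalMachine\$StoreName"
    if (-not (Test-Path $path)) { return }
    Get-ChildItem $path | Where-Object { $_.Subject -like "*$SubjectName*" } | ForEach-Object {
        $chain = New-Object "$x509.X509Chain" -ArgumentList $true   # machine context
        # Revocation is skipped so the result reflects only the trust path
        # (a choice made for this example).
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $valid = $chain.Build($_)
        New-Object PSObject -Property @{
            Store = $StoreName; Thumbprint = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey; ChainValid = $valid
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
}

function Invoke-Tool {
    # Run a command-line tool and stop the script if it reports failure.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

if ($Reimport) {
    $ca = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CaCertPath).Path

    # 1. Delete all copies of the agent and CA certs from the certificate store.
    foreach ($store in 'My', 'Operations Manager') {
        foreach ($row in @(Get-AgentCertReport $store)) {
            certutil -delstore $store $row.Thumbprint
        }
    }
    certutil -delstore Root $ca.Thumbprint

    # 2. Restart Cryptographic Services and the OpsMgr Health service.
    Restart-Service CryptSvc -Force
    Restart-Service HealthService

    # 3. Re-import in the order given in the post, then restart the agent.
    Invoke-Tool certutil @('-addstore', 'Root', $CaCertPath)
    Invoke-Tool certutil @('-importPFX', $AgentPfxPath)   # prompts for the PFX password
    & $MomCertImport /SubjectName $SubjectName
    Restart-Service HealthService
}

# Report both stores; the Operations Manager copy is the one the post found broken.
$report = @('My', 'Operations Manager' | ForEach-Object { Get-AgentCertReport $_ })
$report | Format-Table Store, Thumbprint, HasPrivateKey, ChainValid, ChainStatus -AutoSize

if (@($report | Where-Object { -not $_.ChainValid }).Count -gt 0) {
    Write-Warning 'At least one copy of the agent cert has an invalid certification path.'
}
if (@($report | Select-Object -ExpandProperty Thumbprint -Unique).Count -gt 1) {
    Write-Warning 'The stores hold different agent certs; a stale copy may be in use.'
}
```

Run it without -Reimport first from an elevated prompt to see the state of both stores; add -Reimport only when the report shows the mismatch described above.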

Windows 2008 Group Policy MP for OpsMgr 2007

Microsoft has released a new Operations Manager 2007 management pack for managing group policy on Windows Server 2008 and Windows Server 2003.

July 28

Official: Support for Operations Manager 2007 on Windows Server 2008

Microsoft has just given us the green light to install OpsMgr 2007 on W2008.  We've been waiting since February but we finally have support and as I mentioned earlier today, we saw the first few management packs hit the streets. 

It's a complicated process to be compliant before installing SCOM 2007 on Windows 2008.  You have to first install 3 updates:

Then you need to install a hotfix rollup.