Thursday, September 24, 2009

Windows 2008 license saving with Hyper-V

A friend of mine (a Server Manager in a large MNC) shared with me that I can potentially save more Windows 2008 licenses by using Hyper-V. Before Hyper-V, you would need to purchase a server license for each VM. For example, if your host contains 4 VMs running Windows Server 2003 on VMware, you would need to purchase 4 copies of the Windows Server 2003 license.

With the introduction of Hyper-V, each edition of Windows 2008 server comes with a certain number of free VMs (with server license included!).

Number of free Hyper-V VM for each edition:
  • Standard Edition: 1 free VM
  • Enterprise Edition: 4 free VMs
  • Data Center Edition: Unlimited
For example, an Enterprise edition comes with 4 free VMs. That means you can have 4 instances of Windows Server 2008 Enterprise for the price of a single Enterprise server license, compared with purchasing 3 additional Enterprise licenses if you use VMware ESXi instead.

It looks like Microsoft is "out" to kill VMware with this huge carrot dangling. Another business partner from Dell also shared with me that he can bundle a much cheaper OEM Data Center edition if I buy new hardware from him.

With a little planning, we can actually save more on licensing if we use Hyper-V. VMware indeed has wonderful features like VMotion (live migration), bare-metal performance, etc. But I am not sure we really need them, especially when 2008 also supports quick migration and R2 has improved performance significantly; AND these additional features, I heard, are not cheap. To me, Hyper-V is probably good enough for most pure Microsoft shops. For environments mixed with non-Microsoft platforms, VMware has cool P2V and V2V tools for Linux/Unix migration, while Microsoft is still seriously lacking in this aspect (only SUSE Linux is supported at this point). Conversely, one may argue that none of the Fortune 500 has deployed Hyper-V in production yet - but hey, Hyper-V is only available in 2008, and most servers today are still running Windows Server 2003.

What’s New in Windows Server 2008 R2?

Monday, September 21, 2009

Openfiler on Hyper-V

It's pretty cool to build a virtual iSCSI SAN on a RAID array of Virtual Hard Disks (VHDs) using Hyper-V. Download the ISO image of Openfiler and create a new VM to be installed from this image. Something to note for the OpenFiler + Hyper-V combo: (1) choose the text-based installation on OpenFiler; (2) use only virtual IDE hard disks (OpenFiler doesn't detect iSCSI on Hyper-V); (3) use the legacy network adapter in the Hyper-V settings. As for the rest, follow this installation guide (which used VMware ESX instead). After setting up an iSCSI target on OpenFiler, use the iSCSI initiator on Windows 2008 to connect, and initialize the virtual storage in "Computer Management" as shown below.
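The initiator side of that last step can also be driven from the command line. The script below is an added example, not from the original post: it uses the built-in iscsicli.exe and diskpart.exe on Windows Server 2008 to register the Openfiler portal, confirm the target is advertised, log in, and initialize the LUN. The portal address, target IQN, disk number and drive letter are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes iscsicli.exe and
# diskpart.exe as shipped with Windows Server 2008, run as Administrator.
$portal    = '192.0.2.50'                                  # constructed: Openfiler VM IP
$targetIqn = 'iqn.2006-01.com.openfiler:tsn.example'       # constructed placeholder IQN
$diskNo    = 1                                             # constructed: number of the new raw disk

# 1. Register the Openfiler VM as a target portal with the initiator service.
& iscsicli QAddTargetPortal $portal | Out-Null

# 2. Discover what the portal advertises and make sure our target is there.
$targets = & iscsicli ListTargets |
    Where-Object { $_ -match '^\s*iqn\.' } |
    ForEach-Object { $_.Trim() }
if ($targets -notcontains $targetIqn) {
    throw "Target $targetIqn is not advertised by $portal. Advertised: $($targets -join ', ')"
}

# 3. Log in. QLoginTarget is a non-persistent login and will not survive a
#    reboot; once the setup is proven, use PersistentLoginTarget (or tick
#    "Automatically restore this connection" in the GUI).
& iscsicli QLoginTarget $targetIqn | Out-Null

# 4. Bring the LUN online and format it. Verify $diskNo with "list disk"
#    first: diskpart will happily wipe whichever disk you select.
$script = Join-Path $env:TEMP 'openfiler-lun.txt'
@"
select disk $diskNo
online disk
attributes disk clear readonly
convert mbr
create partition primary
format fs=ntfs label="iSCSI-Openfiler" quick
assign letter=S
"@ | Set-Content $script
& diskpart /s $script
Remove-Item $script
```

The disk number in step 4 is the one thing this script cannot discover safely by itself; run `diskpart` interactively with `list disk` once and hard-code the number of the new raw disk before using the script.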


Running Windows 2008 R2 on Home PC

Windows 2008 R2 (64-bit only) is now available for download. I downloaded it to get rid of my old WinXP and am trying out many new features. And it's free for 180 days, which means I could also further delay (or even skip) my Windows 7 upgrade. What's more, you can also experience new Windows 7 features by adding the "Desktop Experience" feature in Server Manager.

Add the Hyper-V role and build a "Contoso.com" domain at home, which is ideal for the new MCTS (Active Directory) and even MCITP (Server Admin/Enterprise) wannabes. My "Contoso.com" is built on several VMs with two domain controllers (one full + one Server Core), one file server, one terminal server (now renamed Remote Desktop Services), one Vista client and one Windows 7 client. Add another free Linux-based OpenFiler VM for iSCSI SAN storage that is built on a RAID array of Virtual Hard Disks (VHDs). The outcome is a full-scale virtual enterprise infrastructure running on a single dual-core PC with just 4GB RAM.

Monday, September 14, 2009

Group Policy Preferences

You may want to do these for all your corporate desktops: modify registry settings? Lock down all USB storage devices? Copy or delete certain files? Do all of this without writing logon scripts? All of these are now possible with Group Policy Preferences. Preferences are a new feature that sits alongside policy settings in Group Policy Objects (GPOs).

Using Group Policy Preferences comes at no added cost but provides several advantages. It improves IT productivity. It reduces deployment costs by helping organizations reduce the image count and the cost of maintaining images. It reduces configuration errors during and after deployment. It reduces, if not eliminates, the need for complex logon scripts. It allows you to fine-tune settings for users and computers throughout your organization.

Preferences have been available since the release of the new Group Policy Management Console (GPMC) on Windows Server 2008. Note: you need not raise the domain functional level to Windows 2008. New Client Side Extensions (CSEs - the enforcers on the clients) have to be installed on the clients for the preferences to take effect:

1) Group Policy Preference Client Side Extensions for Windows XP (KB943729)
2) Group Policy Preference Client Side Extensions for Windows Vista (KB943729)

It is recommended that you modify or manage a GPO from Windows Server 2008 or Vista SP1 with Remote Server Administration Tools (RSAT). If you try to modify the GPO from a Windows Server 2003 or XP workstation, you will not see the new Preferences capability.
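Because a preference silently does nothing on a client without the CSE, it is worth checking the client side before relying on preferences for registry, file or USB-storage settings. The function below is an added example, not from the original post: it reports whether the GPP CSE DLL (gpprefcl.dll) is present and registered with Winlogon, and on XP/Vista whether the KB943729 package is installed. The native-version logic (Windows Server 2008 and Vista SP1 ship the CSE) is my assumption based on the post; run it with administrative rights on the client.

```powershell
# Added example (not from the original post). Requires PowerShell 2.0.
function Test-GppClientSideExtension {
    $os      = Get-WmiObject Win32_OperatingSystem
    $version = [Version]$os.Version

    # Assumption from the post: Server 2008 (ProductType <> 1) and Vista SP1+
    # (6.0 with SP >= 1) carry the CSE natively; 6.1 (Win7/2008 R2) always does.
    $native = ($version.Major -ge 6) -and
              ($version.Minor -ge 1 -or $os.ProductType -ne 1 -or $os.ServicePackMajorVersion -ge 1)

    # The preference engine is a single DLL shared by all preference CSEs.
    $dllPresent = Test-Path (Join-Path $env:SystemRoot 'System32\gpprefcl.dll')

    # Each CSE (Registry, Files, Drive Maps, ...) registers its GUID here with
    # DllName pointing at gpprefcl.dll; zero hits means no preference is applied.
    $extKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    $registered = @(Get-ChildItem $extKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).DllName -match 'gpprefcl\.dll' })

    # On XP / Vista RTM the CSEs arrive as update KB943729 (see the list above).
    $hotfix = $null
    if (-not $native) {
        $hotfix = Get-HotFix -Id KB943729 -ErrorAction SilentlyContinue
    }

    New-Object PSObject -Property @{
        OSVersion      = $os.Version
        NativeCSE      = $native
        DllPresent     = $dllPresent
        RegisteredCSEs = $registered.Count
        KB943729       = [bool]$hotfix
        Ready          = $dllPresent -and ($registered.Count -gt 0)
    }
}

Test-GppClientSideExtension | Format-List
```

`Ready` is the value to gate on: a client with `DllPresent` false will apply every policy setting in the GPO but skip every preference item, which is easy to misread as a targeting or filtering problem.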

References: http://www.microsoft.com/grouppolicy/

Saturday, September 12, 2009

Microsoft Virtual Desktop Infrastructure (VDI)

Besides RemoteApp, Microsoft Virtual Desktop Infrastructure (VDI) is introduced as part of Remote Desktop Services (RDS) in Windows Server 2008 R2. User sessions run inside client VMs (Windows Vista or Windows 7) that reside on the backend infrastructure, i.e. Hyper-V hosts.

MS VDI comes in 2 variants: (1) a static mapping of 1 user to 1 specific VM (Personal Virtual Desktop); OR (2) many users sharing a pool of VMs built from a common image (Virtual Desktop Pool).

For the former (personal virtual desktop), each user is assigned a fixed client VM that the user can personalize and customize. These changes are available to the user each time they log on to their personal virtual desktop. For the latter (virtual desktop pool), a single image is replicated across many virtual machines. As users connect to the shared virtual desktop pool, they are dynamically assigned any available client VM. Because users may not be assigned the same client VM each time they connect, any personalization and customization made by the users is not saved. If you choose a dynamic virtual desktop pool and users still need their personalization and customizations, you have to consider roaming profiles and folder redirection as well.

Present-V Smart Card & Printer Redirection

Present-V supports smart card & printer redirection, even though the application is running on the backend server and the smart card/printer is located at the client desktop.

The same device middleware (or drivers) must be installed on both the server and the client. If you use ActivClient smart cards, ActivIdentity must be installed on both server and client, so that the server can locate the matching device driver. Whenever the application requires smart card access, TS redirects the I/O to the client's local devices. Also, ensure that Device and Resource Redirection is enabled (it is allowed by default).

Overall, this is how device redirection works:

Present-V Single Sign On (SSO)

Recently, I have worked with the interns to set up a cross-domain Present-V POC, with the Exchange infrastructure on one domain and the Windows clients & terminal server on another. Initially, WinXP users needed to keep logging in with a password to launch RemoteApp, while Win7/Vista users were able to launch RemoteApp with Single Sign On (SSO). A deeper search reveals that SSO to Terminal Services 2008 uses the Credential Security Service Provider (CredSSP). CredSSP delegates credentials to defined target servers and is native to Windows Vista. Windows XP SP3 includes CredSSP but it is not enabled by default.

To enable SSO, here is the solution. Take note that SSO can only be used for password authentication (i.e. not smart card authentication).
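The two client-side conditions discussed in the redirection post above and in this one (redirection policy allowed; CredSSP present and permitted to delegate to the terminal server) can be audited from the client itself. The function below is an added example, not from the original post. The Terminal Services policy values, the LSA "Security Packages" list and the CredentialsDelegation policy key are the standard registry locations for those settings; the XP SP3 registration performed by `-Fix` follows Microsoft KB951608 (adding `tspkg` and `credssp.dll`), which I assume is the solution the post links to. The `-Fix` switch is my own addition and changes nothing on Vista or later.

```powershell
# Added example (not from the original post). Requires PowerShell 2.0,
# run as Administrator on the RemoteApp client.
function Test-RemoteAppClientPrereqs {
    param([switch]$Fix)

    $os   = Get-WmiObject Win32_OperatingSystem
    $isXp = ([Version]$os.Version).Major -lt 6

    # --- Device and Resource Redirection policy. Absent values mean
    #     "not configured", which leaves redirection allowed (the default).
    $tsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $pol = Get-ItemProperty $tsPol -ErrorAction SilentlyContinue
    $printerBlocked   = ($pol -ne $null) -and ($pol.fDisableCpm -eq 1)      # "Do not allow client printer redirection"
    $smartCardBlocked = ($pol -ne $null) -and ($pol.fEnableSmartCard -eq 0) # "Do not allow smart card device redirection"

    # --- CredSSP: LSA must load tspkg and credssp.dll must be a security
    #     provider. Native on Vista/2008; XP SP3 ships it but leaves it off.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $spKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $lsa = Get-ItemProperty $lsaKey
    $sp  = Get-ItemProperty $spKey
    $tspkgLoaded   = @($lsa.'Security Packages') -contains 'tspkg'
    $credsspListed = ($sp.SecurityProviders -split ',\s*') -contains 'credssp.dll'

    if ($Fix -and $isXp) {
        if (-not $tspkgLoaded) {
            Set-ItemProperty $lsaKey 'Security Packages' (@($lsa.'Security Packages') + 'tspkg') -Type MultiString
        }
        if (-not $credsspListed) {
            Set-ItemProperty $spKey 'SecurityProviders' ($sp.SecurityProviders + ', credssp.dll')
        }
        if (-not ($tspkgLoaded -and $credsspListed)) {
            Write-Warning 'CredSSP registered (KB951608); reboot before testing SSO.'
        }
    }

    # --- Delegation: CredSSP only forwards the logged-on credentials to servers
    #     matched by "Allow Delegating Default Credentials" (e.g. TERMSRV/*.contoso.com).
    #     The policy writes the SPN list as numbered values under this subkey.
    $allowed = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials' -ErrorAction SilentlyContinue
    $targets = @()
    if ($allowed) {
        $targets = @($allowed.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    New-Object PSObject -Property @{
        PrinterRedirectionBlocked   = $printerBlocked
        SmartCardRedirectionBlocked = $smartCardBlocked
        CredSSPRegistered           = $tspkgLoaded -and $credsspListed
        DelegationTargets           = $targets
        SsoPossible                 = $tspkgLoaded -and $credsspListed -and ($targets.Count -gt 0)
    }
}

Test-RemoteAppClientPrereqs | Format-List
```

`DelegationTargets` is the part most often forgotten in a cross-domain POC like the one above: even with CredSSP loaded, SSO only works for terminal servers whose SPN matches an entry in that list, so the delegation policy has to name the other domain's servers (or a wildcard covering them), and the list is worth keeping as narrow as the deployment allows.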

Present-V Introduction

Microsoft Server 2008 Terminal Services offers a new feature. Instead of showing entire server desktops to the users, it can just present the application GUI. (Otherwise, showing multiple desktops can be confusing.) Hence, you can now have individual virtualised applications running on the backend terminal service, as if they were local applications running on your PC. Microsoft called it Presentation Virtualization (Present-V in short). The virtual application is known as "RemoteApp".

Step-by-Step guides are available here.

Typical deployment scenario that allows remote access over the Internet:

Thursday, September 10, 2009

OSPF stub behavior for Multi-VRF router

In an earlier post "Multi-VRF OSPF router becomes ABR automatically, even when it is not", the sub-command "capability vrf-lite" is added to the OSPF router process for Multi-VRF routers. This works perfectly fine when it is not supposed to be an Area Border Router (ABR).

When a new OSPF stub or totally stubby area is added to this router, the multi-VRF router will not inject any default route into the new stub area. As it is now effectively an ABR, remove the "capability vrf-lite" command. Do "sh ip ospf process" to verify that it is injecting a default route into the stub area.

Wednesday, September 9, 2009

New T1/E1 card not detectable

When I slot a new Cisco MIX-enabled T1/E1 Port Adapter into my new C7206VXR router, the card is not detected. The command "show controller" does not reveal the port adapter.

As the card can be either T1 or E1 (i.e. there is no default), I have to use the card type command in global configuration mode:
(config)# card type {t1 | e1} slot subslot

Multi-VRF OSPF router becomes ABR automatically, even when it is not

Once I enabled vrf-aware OSPF (e.g. Router OSPF 1 vrf TEST), it made the router an Area Border Router, even though it was simply an area router (area 1) and didn't have a network statement for area 0.

Remote_R3#sh ip ospf 1
Routing Process "ospf 1" with ID 191.200.9.2
Domain ID type 0x0005, value 0.0.0.1
Start time: 00:17:34.712, Time elapsed: 00:26:21.840
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Connected to MPLS VPN Superbackbone, VRF TEST
It is an area border router
<--- cut off -->

As a result, none of my area 1 routers were accepting routes to the backbone subnet from the real ABRs (configured for area 0 and area 1).

To resolve it, I have to apply "capability vrf-lite" under the OSPF router process on all my area 1 vrf-aware routers. This command tells the router not to perform the PE-specific checks.
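The two situations from this post and the stub-area follow-up above, side by side in IOS configuration. This is an added example, not from the original posts: the router ID is the one shown in the output above, while the network statements and area 2 are constructed.

```text
! Added example (not from the original posts). Hypothetical multi-VRF CE
! router in VRF TEST that belongs to area 1 only, with no area 0 network.
! Without "capability vrf-lite", IOS treats the VRF process as a PE and
! reports "It is an area border router", as in the show output above.
router ospf 1 vrf TEST
 router-id 191.200.9.2
 network 10.1.0.0 0.0.255.255 area 1
 ! non-ABR: skip the PE checks so routes from the real ABRs are accepted
 capability vrf-lite
!
! The same router after a stub area (area 2) is attached to it. It now
! really is an ABR between area 1 and area 2, so "capability vrf-lite"
! has to go, otherwise no default route is injected into the stub area.
router ospf 1 vrf TEST
 router-id 191.200.9.2
 no capability vrf-lite
 network 10.1.0.0 0.0.255.255 area 1
 network 10.2.0.0 0.0.255.255 area 2
 area 2 stub
!
! Verify with "show ip ospf 1" (process is an ABR, area 2 listed as stub)
! and, on an area 2 router, "show ip ospf database summary", which should
! now carry the 0.0.0.0 summary LSA originated by this router.
```

The rule of thumb that falls out of both posts: "capability vrf-lite" belongs on a VRF-aware router only while it genuinely has a single area; the moment it connects two areas, the PE-style ABR behaviour is the one you want.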

Wednesday, September 2, 2009

Understanding Active Directory Groups

In the world of Active Directory, there are various types of groups. A group is used to group individual objects, which would otherwise be difficult to manage. The first type is the Local group, which only applies within a single computer - this should not be used in a domain. The next type is the Domain Local (DL) group, which is used to manage permissions or ACLs on resources, e.g. confidential folders that can only be accessed by the HR group. A Global Group (GG) is used to define business roles, such as HelpDesk, Sales, Marketing, etc. However, GG membership is contained within a single domain. To work around this constraint, the Universal Group (UG) is introduced to span multiple domains within the same forest. For example, an MNC has 3 different domains and each domain has a GG named Managers. Let's say there is a big project that requires collaboration among the Managers GGs of the different domains. A new UG named "Big_Project" can be created to include the 3 GGs within the forest.

To manage numerous groups, a process called nesting (adding groups to other groups) can be used to create a hierarchy of groups. For a single domain, AGDLA is recommended: Accounts are members of Global Groups, which in turn are members of Domain Local groups, which are added to Access Control Lists (ACLs) to provide the level of access granted to various resources. For example, assign Sales accounts to the Sales GG and Audit accounts to the Auditors GG. Both global groups are added to a DL called ACL_Sales_Read. This DL can be assigned read permission on a folder that contains all Sales information.

For cross-forests, note that only Domain Local (DL) may include memberships of any domains outside a forest. If you need to assign permission to users at trusted forests, use DL to assign the ACLs.
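The Sales/Auditors nesting described above, carried out end to end and then audited. This is an added example, not from the original post: it uses the ActiveDirectory module that ships with Windows Server 2008 R2 and the .NET ACL classes; the OU path, folder path, user names and domain name are constructed for the example. The audit function enforces the one invariant AGDLA gives you, namely that only Domain Local groups appear on resource ACLs.

```powershell
# Added example (not from the original post). Run on a 2008 R2 member server
# with the ActiveDirectory module, as an account that can create groups.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=contoso,DC=com'   # constructed OU
$salesPath = 'D:\Shares\Sales'               # constructed folder
$domain    = 'CONTOSO'                       # constructed NetBIOS domain name

# A -> G: accounts go into role-based Global groups, one per business role.
New-ADGroup -Name 'GG_Sales'    -GroupScope Global -Path $groupOu
New-ADGroup -Name 'GG_Auditors' -GroupScope Global -Path $groupOu
Add-ADGroupMember -Identity 'GG_Sales'    -Members 'alice', 'bob'   # constructed users
Add-ADGroupMember -Identity 'GG_Auditors' -Members 'carol'

# G -> DL: the Domain Local group names a permission on a resource, not a role.
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -Path $groupOu
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'GG_Sales', 'GG_Auditors'

# DL -> A(ccess): only the Domain Local group is placed on the folder ACL.
$acl  = Get-Acl $salesPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\ACL_Sales_Read",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl $salesPath $acl

# Audit: every explicit (non-inherited) domain principal on the ACL must be a
# Domain Local group. Users or Global groups granted directly break AGDLA.
function Test-AclUsesDomainLocalOnly {
    param([string]$Path, [string]$Domain)
    $names = (Get-Acl $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "$Domain\*" } |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[1] }
    $violations = foreach ($name in $names) {
        $g = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $g -or $g.GroupScope -ne 'DomainLocal') { $name }
    }
    return (@($violations).Count -eq 0)
}

Test-AclUsesDomainLocalOnly -Path $salesPath -Domain $domain
```

Running the audit function periodically over the share roots is a cheap way to catch the usual drift, where someone adds a user or a Global group straight onto a folder because it was quicker than finding the right DL.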