HP CloudStart

HP has launched a new “cloud” bundle.  It appears to be based on ProLiant and Integrity blade servers to allow you to build a private cloud.  It comes with the usual options such as Virtual Connects with Flex-10.  The bundle can include VMware or Hyper-V for ProLiants.  HP’s own system will be used for Integrity servers.  So far, it just sounds like any old server/storage kit.  Where’s the cloud?  That comes with a software product called Cloud Service Automation.  There’s little info on it that I can find quickly.  I guess it’s some virtualization agnostic job engine for automating the deployment of resources, etc.

The suite is available in Asia and will slowly be made available around the rest of the world by the end of the year.

An Example of Varying Employment Law and IT

I’ve had some interesting conversations with folks from North America in the past about how different regions in the world have different laws.  You might come up with a corporate “acceptable IT usage policy” over in New York but that document’s restrictions or contents might be completely illegal in somewhere like Germany or Italy, even if the employee has to sign it in order to keep/get a job.

I picked those countries because of my experience in running a multinational system that included offices there.  We had to set up proxy services just for them that had no content logging.  We also had different rules for PC’s in Germany so that admins could only log into them with the user’s permission!!!

I just saw another example of how things are different.  We all know how people who are recruiting will google for the person they are looking at.  I do it.  I once found that a candidate was a raving loony Nazi.  That and his “I want to kill everyone” demeanor in the interview put us wa-ay off him.  Silicon Republic has published an article that reports on Germany considering a new law to ban recruiters from looking up candidates for jobs in personal social networking sites such as Facebook (a common practice).  They will be able to use LinkedIn.  I have no idea how this can be enforced – considering that you can’t log web activity on the proxy in Germany!

As always, consult the appropriate legal experts in the remote region before applying some law that is fine in your own jurisdiction.

Companies Delaying on Windows 7 Will Face Staff Shortages

TechCentral has posted a story where Gartner is advising companies not to delay on the deployment of Windows 7.

Gartner says that “We estimate that large and mid-size organisations worldwide will migrate approximately 250 million PCs to Windows 7” between 2011 and 2013.  They think this will drive up demand for OS deployment skills, not seen with Vista, and will lead to a shortage of those skills.  That will drive up staffing prices, and force laggards to hire lesser skilled people who will perform a lower quality job.

Nice timing!  It just so happens that my current (already!) writing project is centred in this space.  I’ll talk more about that later when I can.

CAO Calls in the Cops Over DDOS Attack

The Irish Independent is reporting that the CAO has called in the Gardaí (Irish police force) to investigate the repeat DDOS attacks.  Logs have been handed over.  The Gardaí actually don’t do any investigation; it’s done by one of the universities (UCD I think).  Maybe they should run Windows Server 2008 R2 for their web servers and add the beta of Dynamic IP Restrictions Extension for IIS.

Hyper-V Host Freezes When Dynamic Memory VM’s Use All RAM

This is a scenario I saw today when I configured a pair of virtual machines with Dynamic Memory and used up all available RAM.  The Hyper-V parent partition locked up and became non responsive.  The VM’s were fine; they continued working away.

The fault, as I found, was mine, and mine alone.  Virtual Machines with Dynamic Memory enabled could consume all memory on the host, leaving nothing for the parent partition.  That’s why we have a new registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
  • REG_DWORD value
  • Name = MemoryReserve
  • Setting = amount of MB to reserve for the parent partition, e.g. 2GB RAM (search my blog for details on memory for the parent partition).

You must reboot the host after setting this registry value.  I forgot to do this and the setting did not become effective.

My host has 8GB RAM.  Both VM’s were configured with 512-4096MB RAM.  The parent was using around 1.5GB.  You can do the maths: 4096 + 4096 + 1536 > 8192.  Every byte of RAM appeared to be consumed when I pushed the VMs to their achievable maximum.  The parent partition was locked up because it had no RAM to do anything.  The only recourse was to do a hard reset.

BTW, the tool I used to force the VMs to consume memory was consume.exe from the Windows SDK.  It’s a free download.

EDIT #1

Just to repeat: the problem was caused by my mistake.  I should have rebooted after setting the registry value.  And thanks to Serdar who has patiently answered a whole bunch of questions.

Dynamic IP Restrictions Extension for IIS Beta

DDOS was the topic of the week with the CAO office in Ireland being repeatedly attacked.  Microsoft released a beta of a new IIS module, called Dynamic IP Restrictions Extension for IIS.  The idea is that the web server will deny connection requests from detected DDOS and brute force password attackers.  I don’t know how automated this is: remember that DDOS attackers tend to be botnets of infected PC’s that will have DHCP addresses on the net.  I really like the brute force attack defence.  I can tell you that this is a huge problem for web hosting companies; I’ve seen it myself on a pretty large shared web hosting farm.  I’d like to see this followed up with a similar feature for SQL: those farms present TCP 1433 naked to the net … I can hear the shrieks from enterprise DBA’s now.

This module is a very cool development from the impressive IIS group.

Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses

Dynamic IP Restrictions for IIS allows you to reduce the probabilities of your Web Server being subject to a Denial of Service attack by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module will place the offending IP in a temporary deny list and will avoid responding to the requests for a predetermined amount of time.

Minimize the possibilities of Brute-force-cracking of the passwords of your Web Server

Dynamic IP Restrictions for IIS is able to detect requests patterns that indicate the passwords of the Web Server are attempted to be decoded. The module will place the offending IP on a list of servers that are denied access for a predetermined amount of time. In situations where the authentication is done against an Active Directory Services (ADS) the module is able to maintain the availability of the Web Server by avoiding having to issue authentication challenges to ADS.

Features

  • Seamless integration into IIS 7.0 Manager.
  • Dynamically blocking of requests from IP address based on either of the following criteria:
    • The number of concurrent requests.
    • The number of requests over a period of time.
  • Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
  • Blocking of requests can be configurable at the Web Site or Web Server level.
  • Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module support return status codes 403, 404 or closing the connection.
  • Support for IPv6 addresses.
  • Support for web servers behind a proxy or firewall that may modify the client IP address.
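
As an added illustration (not Microsoft's code and not the module's implementation), this Python model shows the "number of requests over a period of time" criterion with a temporary deny list and an allow list. Class names, parameters and the sample traffic are constructed for this example; it also shows the limit raised above, where the same volume spread over many source addresses stays under a per-IP threshold.

```python
from collections import defaultdict, deque

class DynamicIpFilter:
    """Model of per-IP rate blocking with a temporary deny list (hypothetical names)."""

    def __init__(self, max_requests, window_s, deny_s, allow=(), deny_status=403):
        self.max_requests = max_requests   # requests allowed per window
        self.window_s = window_s           # sliding window length in seconds
        self.deny_s = deny_s               # how long an offender stays denied
        self.allow = set(allow)            # IPs that bypass filtering
        self.deny_status = deny_status     # the page lists 403, 404 or closing
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.denied_until = {}             # ip -> time the deny entry expires

    def check(self, ip, now):
        """Return the status to send for a request from `ip` at time `now`."""
        if ip in self.allow:
            return 200
        if self.denied_until.get(ip, 0) > now:
            return self.deny_status        # still on the temporary deny list
        self.denied_until.pop(ip, None)    # entry expired (or never existed)
        q = self.recent[ip]
        while q and q[0] <= now - self.window_s:
            q.popleft()                    # forget requests older than the window
        q.append(now)
        if len(q) > self.max_requests:
            self.denied_until[ip] = now + self.deny_s
            q.clear()
            return self.deny_status
        return 200

def replay(filter_, requests):
    """Replay (time, ip) pairs in order and count denied requests per IP."""
    denied = defaultdict(int)
    for now, ip in requests:
        if filter_.check(ip, now) != 200:
            denied[ip] += 1
    return dict(denied)

# Constructed traffic using documentation-range addresses (RFC 5737).
SINGLE_SOURCE = [(t * 0.1, "203.0.113.9") for t in range(50)]        # 10 req/s, one IP
MONITOR = [(t * 0.1, "192.0.2.10") for t in range(50)]               # allow-listed probe
BOTNET = [(t * 0.1, f"198.51.100.{t % 50 + 1}") for t in range(50)]  # same volume, 50 IPs

def demo():
    f = DynamicIpFilter(max_requests=20, window_s=5, deny_s=60, allow={"192.0.2.10"})
    return replay(f, sorted(SINGLE_SOURCE + MONITOR + BOTNET))

if __name__ == "__main__":
    print(demo())
```
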

Lots of People to Thank!

We’re getting to the end of the production phase (reviewing the final PDF versions that go to the printer) of Mastering Hyper-V Deployment, the Hyper-V book that I have written.

There’s a bunch of people to thank:

We’ll start with Sybex … you all know who you are.  From helping me with the original proposal, keeping the project on schedule, to keeping the quality high, and fixing my many grammatical mistakes (should I now reveal that I got a lower D in English in secondary school?), everyone has been of great help.

My co-author was Patrick Lownds, another virtual machine MVP in the UK.  Patrick came in late on the project and bailed me out on a couple of chapters, taking on one particular chapter that I would not have been able to do in time, but that I thought was central to the story: DPM 2010.

The technical editor was Hans Vredevoort, a clustering MVP (and honorary virtual machine MVP) in the Netherlands.  Hans made this a better book, spotting mistakes and providing new ideas.

Mark Minasi was kind enough to contribute a foreword to the book.  Mark gave me my first opportunity with Mastering Windows Server 2008 R2, and he’s taught me a lot over the last 5 years.

Wilbour Craddock in Microsoft Ireland helped me out at a crucial point in the project.  I hit a pretty big snag at one point and things got delayed.  Will helped out, not to mention providing a lot of help to me over the last few years.  He, Dave Northey and Enda Flynn have given me some opportunities over the past 2 years that have made a huge difference, and helped me get to a position where I could write this book.

Then there’s my friends in the MVP program.  I’ve learned a lot from those folks, including the MVPs, leaders, and various people in the product groups, the Virtual Machine and Failover Clustering groups in particular.  A lot of what I learned, be it new ideas, configurations, etc, have shaped my view of Hyper-V and System Center (nothing under NDA, honest!).

Finally, a lot of folks I know online supported and encouraged me over the last 5 months: my friends on the Minasi forum, and words of encouragement from folks by email or on Twitter.

Thank you all!

Aidan.

Citrix XenClient

Citrix has announced/released a type 1 (bare metal) hypervisor for the PC, called XenClient.  This is a product with a very small set of supported hardware.  It must have one of a few Intel processors (AMD not supported) and the machine must have drivers included in XenClient … that’s because it is a monolithic hypervisor like ESX, instead of being a paravirtualized hypervisor like XenServer or Hyper-V.

The obvious benefit for the user over hosted solutions such as VMware Workstation is performance.  I saw a quick demo of it at PubForum 2010 Frankfurt.  It did look cool but the very limited set of supported hardware was offputting.  Speaking of which:

General Requirements

  • CPU: Intel Core 2 Duo, Intel Core i5, Intel Core i7
  • Graphics: Intel integrated graphics GMA 4500, Intel HD Graphics
  • Memory: 4GB RAM recommended
  • Disk: 160GB recommended
  • Wireless Lan: Intel WiFi Link 5100/5300, Intel Centrino Advanced-N 6200, Intel Centrino Ultimate-N 6300
  • Intel vPro: Highly Recommended
      

Hardware Compatibility List (HCL)  

  • HP EliteBook 6930p, 2530p, 8440p*
  • Dell Latitude E4300, E6400, E4310*, E6410*, E6500, E6510*
  • Dell Optiplex 780
  • Lenovo ThinkPad X200, T400, T500

* Standby and external monitors are not fully supported on these systems. This will be addressed in a near term update.

Heh – My Dell Latitude is supported.  I’m tempted!

Some nice features when combined with a server infrastructure:

  • To enable local virtual machine desktops for laptop users, download and install XenClient and Citrix Receiver™ for XenClient. To enable centralized management of XenClient devices, download and install the Synchronizer for XenClient virtual appliance.
  • Create multiple desktops locally by installing each operating system into a new local virtual machine. Connect to the Synchronizer to download predefined virtual machines hosted by IT
  • Use XenClient to switch instantaneously between multiple secure desktops, run high-performance graphics, and access business and personal applications. Whether for business or personal use XenClient delivers flexibility and mobility for users with control and security for IT.

There will be two versions.  “XenClient is going to be available in an Express freebie edition that individuals or companies can download and put on as many as ten machines … a fully supported XenClient hypervisor for PCs will only be available in the XenDesktop 4 Enterprise and Platinum Editions … The freebie XenClient Express will have support only through the Web forums at Citrix”.

Now all we need is a client hypervisor from Microsoft that we can optionally synchronise with Hyper-V hosted VDI machines.  That would be cool.  Manage the sucker with ConfigMgr, deploy the VHD’s with WDS, control and secure using BitLocker, AD and Group Policy, etc.

Credit: The Register

Hyper-V: Blue Screen & Unable to Access Data Folder

I am doing some work on my Hyper-V lab machine at home that requires a lot of VM’s and a lot of disk space.  My eSATA disk just does not have the space so I had to do the unthinkable: use a 1TB USB 2.0 drive that I had sitting spare to store some VM’s (please do not ever do this in production).  It will be slow but I can live with that for some lab stuff.

I attached the drive, cleared off a few bits and pieces, and used VMM Quick Storage Migration to move a bunch of VM’s over.  I deployed a new VM and started working on it.  It blue screened soon after boot up.  Strange!  I haven’t seen that before.  I worked on it again and *bang* it was gone again.

My first suspect was W 2008 R2 SP1 beta, but I soon had a clue that it wasn’t at fault.  In event viewer, under Hyper-V-VMMS\Admin I saw a bunch of errors telling me that Hyper-V could access various folders, including snapshots (I know I tell you not to use them in production but I use them in a lab) and data folders.  The alerts associated with my new VM coincided with the crash.

I appeared to have a permissions issue.  I didn’t have time to figure out exactly what was at fault.  Instead I moved the VMs, formatted the volume, and moved the VMs back again.  Everything is working perfectly.

I reckon the info on this post has the answer.