Patching A Windows Server 2012 Failover Cluster, Including Hyper-V

Cluster Aware Updating (CAU) is a new feature that makes running Windows Update or Automatic Updates on a Hyper-V cluster, or any other WS2012 cluster, easier than ever.

If you currently have a Windows Server 2008/R2 Hyper-V cluster, then you have a few options for patching it with no VM downtime:

  • Manually Live Migrate VM workloads (Maintenance Mode in VMM 2008 R2 makes this easier), patch, and reboot each host in turn, which is a time consuming manual task.
  • Use System Center Opalis/Orchestrator to perform a runbook against each cluster node in turn that drains the cluster node of its roles (VMs), patches it and reboots it.
  • Use the patching feature of System Center 2012 Virtual Machine Manager – which is limited to Hyper-V clusters and adds more management to your patching process.

CAU is actually pretty simple:

  1. Have some patching mechanism configured: e.g. enable Automatic Updates on the cluster nodes (e.g. Hyper-V hosts), approve updates in WSUS/ConfigMgr/etc.  Make sure that you exempt your cluster nodes from automatic installation/rebooting in your patching policy; CAU will do this work.
  2. Log into Failover Clustering from a machine that is not a cluster node (Hyper-V host) member.  Run the CAU wizard.
  3. Here, you can either manually kick off a patching job for the cluster nodes or schedule it to run automatically.  The scheduled automatic option requires that you have deployed a CAU role on the cluster in question to orchestrate the patching.

When a patching job runs the following will happen:

  1. Determine the patches to install per node.
  2. Put node 1 in a paused state (maintenance mode).  This drains it of clustered roles – in other words your Hyper-V VMs will Live Migrate to the “best possible” hosts.  Failover Clustering uses the amount of RAM to determine the best possible host.  VMM’s advantage is that it uses more information to perform Intelligent Placement.
  3. Node 1 is removed from a paused state, enabling it to host roles (VMs) once again.
  4. CAU will wait, then patch and reboot Node 1.
  5. When Node 1 is safely back online, CAU will move onto Node 2 to repeat the operation.

VMs are Live Migrated throughout the cluster as the CAU job runs and each host is put into a paused state (automatically Live Migrating VMs off), patching, rebooting, and un-pausing.  It’s a nice simple operation.

The process is actually quite configurable, enabling you to define variables for decisions, execute scripts at different points, and define a reboot timeout (for those monster hosts).
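The manual “kick off a patching job” option above, driven from PowerShell on a management box rather than through the wizard, as an added example that is not from the original post. The cluster name HVC1, the two script paths and the per-node policy check are assumptions; the CAU cmdlets and their parameters are the in-box ones from Windows Server 2012.

```powershell
# Added example (not from the original post): one CAU updating run, start to report.
# Run from a machine that is NOT a cluster node, with the FailoverClusters and
# ClusterAwareUpdating modules available. 'HVC1' and C:\CAU\*.ps1 are placeholders.
$ClusterName = 'HVC1'

# 0. Confirm the nodes' Windows Update policy only downloads (AUOptions = 3,
#    "auto download and notify for install") so a node never patches and reboots
#    itself outside CAU's control. Assumed: the policy is delivered by GPO.
$nodes = (Get-ClusterNode -Cluster $ClusterName).Name
Invoke-Command -ComputerName $nodes -ScriptBlock {
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Node = $env:COMPUTERNAME; AUOptions = $au.AUOptions }
}

# 1. Best Practices Analyzer for CAU: lists any node missing a prerequisite
#    (remote shutdown firewall rule, PowerShell remoting, update agent, etc.).
Test-CauSetup -ClusterName $ClusterName |
    Where-Object { $_.State -ne 'Passed' } |
    Format-List Title, State, Resolution

# 2. Kick off the run. CAU pauses (drains) each node in turn, installs what the
#    Windows Update plug-in selects, reboots, resumes, then moves on. The knobs
#    the post calls "configurable" map to:
#      -PreUpdateScript / -PostUpdateScript  : scripts at different points
#      -RebootTimeoutMinutes                 : for those monster hosts
#      -MaxFailedNodes / -MaxRetriesPerNode  : decision variables
#      -RequireAllNodesOnline                : refuse to start with a node already
#                                              down, so quorum is never risked
Invoke-CauRun -ClusterName $ClusterName `
    -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -CauPluginArguments @{ 'QueryString' = "IsInstalled=0 and Type='Software' and IsHidden=0" } `
    -MaxFailedNodes 0 `
    -MaxRetriesPerNode 3 `
    -RebootTimeoutMinutes 30 `
    -RequireAllNodesOnline `
    -PreUpdateScript 'C:\CAU\PreUpdate.ps1' `
    -PostUpdateScript 'C:\CAU\PostUpdate.ps1' `
    -Force

# 3. Per-node report for the run that just finished: updates installed and
#    whether each node came back and was resumed.
Get-CauReport -ClusterName $ClusterName -Last -Detailed
```

The scheduled variant is the same run wrapped by Add-CauClusterRole, which installs the orchestrating CAU role on the cluster itself.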

Something to think of is how long it will take to drain a host of VMs.  A 1 GbE Live Migration network will take an eternity to LM (or vMotion for that matter) 192 GB RAM of VMs, even with concurrent LMs (as we have in Windows Server 2012).

Sounds nice, eh?  How about you see it in action:


I have edited the video to clip out lots of waiting:

  • These were physical nodes (Hyper-V hosts) and a server’s POST takes forever
  • CAU is pretty careful, and seems to deliberately wait for a while when a server changes state before CAU continues with the task sequence.


Why Hyper-V Fixed VHD Creation Takes “So Long” – Preventing A Genuine Security Risk

Every now and then I hear someone complaining about how long it takes to create a fixed VHD/VHDX.  There’s a very good reason, as this story on NetworkWorld shows:

A forensic IT study by a U.K. security consultancy found that some multi-tenant public cloud providers have "dirty disks" that are not fully wiped clean after each use by a customer, leaving potentially sensitive data exposed to other users.

FYI, AFAIK most of the mentioned companies are using some variant of Xen or vSphere.  The issue here is that Customer A buys a VM and uses it to store data in a virtual disk.  That virtual disk is a file that is stored on physical disk.  Customer A eventually decommissions the VM or their storage is relocated.  Now think about what a delete really is; it’s not a secure delete.  Deleting a file simply removes the entries from the file system table.  The 1’s and 0’s are still there, waiting to be read.

Now along comes Hacker B who buys a VM and deploys it.  Their VHD is placed over the same location of physical disk as Customer A’s old VM.  Without any security measures, Hacker B can simply run a disk scan tool, from within their VM, and find those 1’s and 0’s, pretty much doing some disk forensics to restore the “deleted” data that Customer A previously stored in their VM.  And that’s exactly what that study found was possible with a number of public cloud providers:

… Rackspace and VSP.net had the vulnerability.

The Microsoft developers of VHD/VHDX were aware of this and took measures to prevent it.  When you create a fixed VHD/VHDX it securely wipes the contents of the file as it is created.  This prevents access to data that was previously on the underlying physical disk.  Disk forensics will get you nowhere.

A number of 3rd party tools are out there to instantly create fixed VHDs, but they fail to implement this secure wipe so that the process can be sped up, thus putting the hosting company at risk of this threat.  In this case, it is a matter of balancing a genuine security risk (especially in a public cloud) against performance (of deploying new virtual machine storage while the customer watches a progress bar on a web portal).
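A spot check for exactly that risk, as an added example that is not from the original post: sample a freshly created fixed VHD and confirm its data region reads back as zeros, which is what the in-box creation guarantees and what an “instant create” tool that skips the wipe does not. It assumes the Hyper-V PowerShell module (New-VHD) is present and that the path D:\Test\wipe-check.vhd is a placeholder.

```powershell
# Added example (not from the original post). Fixed VHD layout: raw disk bytes
# followed by a 512-byte footer ("conectix"), so only the data region is sampled.
# A file extended with SetFileValidData (the usual "instant" trick) reads back
# whatever was on the physical disk before, which is what this detects; a sparse
# file reads back zeros and is safe. Only meaningful on a VHD that has not yet
# been partitioned, since a partition table is legitimately non-zero.
function Test-FixedVhdZeroed {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Samples   = 64,     # number of random blocks to inspect
        [int]$BlockSize = 4096
    )
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::ReadWrite)
    try {
        $dataLength = $fs.Length - 512
        $rng   = New-Object System.Random
        $buf   = New-Object byte[] $BlockSize
        $dirty = @()
        for ($i = 0; $i -lt $Samples; $i++) {
            $offset = [long]($rng.NextDouble() * ($dataLength - $BlockSize))
            $fs.Seek($offset, [System.IO.SeekOrigin]::Begin) | Out-Null
            $read = $fs.Read($buf, 0, $BlockSize)
            for ($j = 0; $j -lt $read; $j++) {
                if ($buf[$j] -ne 0) { $dirty += $offset; break }
            }
        }
        [pscustomobject]@{
            Path          = $Path
            SampledBlocks = $Samples
            DirtyBlocks   = $dirty.Count
            Clean         = ($dirty.Count -eq 0)
        }
    } finally { $fs.Dispose() }
}

# Create a 2 GB fixed VHD with the in-box cmdlet (slow precisely because it
# zero-fills) and confirm nothing from a previous tenant bleeds through.
$vhd = 'D:\Test\wipe-check.vhd'
New-VHD -Path $vhd -SizeBytes 2GB -Fixed | Out-Null
Test-FixedVhdZeroed -Path $vhd
```

Point the same function at a VHD produced by a third-party “instant” tool on a disk that has seen previous use and DirtyBlocks tells you whether that tool wiped.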

The story continues to report that the mentioned affected hosting companies resolved the issue after they were informed.

Ubuntu 12.04 With Built-In Hyper-V Guest Support Is Available

The 12.04 LTS (long-term support) version of Ubuntu has been released overnight and it includes the Linux kernel with full built-in support for running on Hyper-V.  That means that you should be able to:

  • Mount an Ubuntu ISO in a Hyper-V VM
  • Install the OS
  • Avail of all the Hyper-V devices and integrations that are supported by Linux with no extra IC installations required

Nice!  In fact, The Register agrees with that assessment too.  I hope that the other Linux distros catch up with Ubuntu.

Congrats Mike & the team!


Please Welcome CSVFS

If you’re using Windows Server 2012 Failover Clustering for Scale Out File Server or for HA Hyper-V then you’ve created one or more Cluster Shared Volumes (CSV).  This active-active clustered file system (where orchestration is performed by the cluster nodes rather than the file system to achieve greater scalability) is NTFS based.  But wander into Disk Management and you’ll see a different file system label:

(Screenshot: Disk Management showing the CSVFS file system label on the volume)

This label has two purposes:

  1. You can tell from admin tools that this is a CSV volume and is shared across the nodes in the cluster
  2. It allows applications to know that they are working with a CSV rather than a simple single-server volume.  This is probably important for applications that can use the filter extensibility of Windows Server 2012 Hyper-V, e.g. replication or AV.

BTW, this screenshot is taken from the virtualised scale-out file server that I’m building with a HP VSA as the background storage.

Microsoft Updates The Free Security Essentials Antivirus

According to Neowin, Microsoft has released a new version of Microsoft Security Essentials (MSE), their free antivirus protection for PCs.  It supports:

  • Windows XP Service Pack 3 (SP3)
  • Windows Vista (Service Pack 1, or Service Pack 2)
  • Windows 7

Yes, Windows XP and Windows Vista are both still supported for this new development, even though they are both in extended support.  You can understand this exception when you consider the reason for MSE’s existence.  It exists to help prevent the spread of malware on PCs that otherwise would not be protected:

  • People who get free 90 days of AV with an OEM PC but never buy the subscription
  • People who can’t afford to or won’t buy AV

One of the best stories we have of MSE locally was when we did a community launch event for Windows 7 in Belfast.  We talked about MSE and how it could help defend against Conficker, which was all the rage with unpatched PCs at the time (and unfortunately still is thanks to negligent [IMO] admins/managers).  Irish DPE, Dave Northey, saw a photographer taking photos on behalf of the venue and asked for a copy of some of the photos.  The photographer came over at the end of the event with a USB stick.  Dave joked that he hoped that Conficker wasn’t on the stick – MSE was on Dave’s laptop and screamed about finding Conficker on the photographer’s USB device.

You might ask about support for Windows 8.  Good question.  Windows 8 comes with Defender built in (more later).  Defender in Windows 8 is not the Defender of old.  It actually is anti-spyware and antivirus, meaning that you don’t need to download/install MSE on it.

Built-in AV, eh?  Imagine what Symantec’s lawyers, the EU, and so on will think of that!  Many of us are presented with a browser chooser when we setup Windows 7 for the first time.  I wouldn’t be surprised if we see something similar for AV.  Personally, I’d stick with Windows 8 Defender, but there’s nothing to stop you from choosing an alternative.  I wouldn’t be surprised if OEMs continue to ship subsidised trial copies of AV and retail stores continue to push AV boxes on customers with their PC/laptop/tablet purchase.  You still have a choice, but at least with Windows 8, you have protection by default.

Mark Your Calendar: Windows 8/Server 2012 RC In The First Week of June

Jeffrey Snover of Microsoft has confirmed yesterday’s news (which was heavily retweeted) that Windows 8 Release Preview and Windows Server 2012 Release Candidate will be released to the public in the first week of June 2012.

I’ve been saying for a while that the Windows 8 schedule looks very like the one for Windows 7.  It’s a little different (one month behind) but not that different.  My gut is saying it’s an August RTM (on MSVL, MSDN, and TechNet soon after) and an October launch/GA (LAR/distributor pricelist for new volume license purchases, OEM machines, on the shelves).

It won’t be long after that when we have SP1 for System Center with support for Windows Server 2012 and Windows 8.

Download RunAs Radio Podcast – I’m Talking About Windows Server 2012 Hyper-V

If you wander over to RunAs Radio (also on iTunes) you’ll be able to download their latest episode where I was a guest and talked about Windows Server 2012 Hyper-V.  In it myself and the host, Richard Campbell, take a quick tour around some of the highlight features of Microsoft’s newest version of their virtualisation hypervisor.

We recorded the podcast a few weeks ago when we still referred to Windows Server 2012 by its beta codename of Windows Server “8”.

Thanks to the folks at RunAs Radio for asking me on as a guest!

Windows 8 Enterprise Mobility Rights

I’ve just followed a link that Mary Jo Foley tweeted and that led me to a broader Windows 8 licensing article called “Introducing Windows 8 Enterprise and Enhanced Software Assurance for Today’s Modern Workforce”.  That article had a section that I found interesting, detailing how companies with Software Assurance for the desktop would be getting additional mobility and usage rights:

  • “Windows To Go Use Rights: Windows To Go will allow companies to support Bring Your Own PC scenarios and will give employees who need to work from home more secure access to their full corporate environment. With Windows To Go use rights under Software Assurance, an employee will be able to use Windows To Go on any company PC licensed with Windows SA as well as from their home PC. Additionally, through a new companion device license for SA, employees will be able to use WTG on their personal devices at work.
  • Windows RT Virtual Desktop Access (VDA) Rights: When used as a companion of a Windows Software Assurance licensed PC, Windows RT will automatically receive extended VDA rights. These rights will provide access to a full VDI image running in the datacenter which will make Windows RT a great complementary tablet option for business customers.
  • Companion Device License (CDL): For customers who want to provide full flexibility for how employees access their corporate desktop across devices, we are introducing a new Companion Device License for Windows SA customers. For users of Windows Software Assurance licensed PCs this optional add-on will provide rights to access a corporate desktop either through VDI or Windows To Go on up to four personally owned devices”.

Windows To Go is a pretty cool feature.  Long-story-short: you can install Windows 8 Enterprise onto a USB 3.0 stick and then plug that into any USB 3.0 capable machine (assuming the drivers are there for PNP) to boot that machine up.  The idea is that a business can build these sticks and give them to employees to enable bring your own device (BYOD) while still using a corporate build of Windows.  Teamed up with Network Access Protection (NAP), you could isolate the non-corporate OEM Windows installs on the network (should the employee boot from the on-disk install instead of the USB 3.0 one) and give “unrestricted” access to the USB 3.0 boot image (for normal corporate resource access).

At the moment, setting up Windows To Go and deploying it is command line messing with WAIK.  I’d suspect MSFT will give us an updated deployment tool that enables driver and update injection so we can automatically handle many models of hardware.

Windows RT is what we briefly called Windows on ARM (WOA), the OEM-only build of Windows 8 for ARM based tablets.  If you use one of these as a secondary device to a SA covered desktop then you’ll get VDI rights for this device.  That’s cool!  Windows 8 Enterprise (SA) per desktop (not for the RT tablet) gives that PC rights to access VDI.  Without SA for the tablet, the company would have had to license it with the per-device VDA which would be very costly.

For non-Windows companion devices, such as the iPad, there will be an optional add-on called CDL.  We don’t know the price of that – I suspect GA for Windows 8 will be October so I’d expect LARs and distributors will have updated price lists on October 1st.  When you attach CDL to a PC’s software assurance, you will entitle up to 4 personally owned companion devices (iPad, iPhone, etc) of that PC to access Windows based VDI or Windows To Go.  This is an improvement … right now personally owned devices probably should have VDA.  With the estimate being that tech savvy employees personally own 4-5 of these devices, that could be very expensive for the company.  CDL will greatly reduce that cost.

It sounds to me that corporate owned devices will still require VDA.

Right now, all we have is a single light on detail blog post to go on.  We’ll have to wait until MSFT updates their licensing training and Product Usage Rights (PUR) for Windows 8 to get the specifics.


Want to Consult on System Center 2012? Then You Cannot Avoid Service Manager or Orchestrator

In the “2007” generation of System Center (how I refer to the last generation of the suite including the 2010 and 2008 R2 products), I quite happily avoided Opalis (which I was quite vocal about not liking) and Service Manager (which was quite rightly a niche product).  I put my focus on VMM, ConfigMgr, OpsMgr, and a little DPM.

Folks, the game has changed.  It’s one thing to hear MSFT marketing talk about it, or to hear it for 5 days straight at a conference.  But it’s something completely different when customers are demanding it.  Organisations want a service centric IT department with self-service, automation, governance, deep monitoring, and …. and … you get the picture. 

That means 2 things:

  • You need System Center 2012 Orchestrator for the automation and deep integration into the rest of System Center, AD, and 3rd party products
  • You need System Center 2012 Service Manager as a portal to the IT department and the service catalogue that it provides

At MMS we just had one session after another that illustrated how some business scenario could be dealt with using some component(s) of System Center in combination with the above two products.  Every time, the user would request a service in Service Manager, Orchestrator would orchestrate the tasks, and the rest of System Center would implement the desired changes, possibly requiring some manual approval via a service ticket.

With this huge increase in demand, I’ve come to the conclusion that I cannot avoid Service Manager or Orchestrator anymore.  They’re very different to the “2007” generation of the same products, and people are aware of the need for solutions that do what these products do.  With those two products gluing the rest of System Center together, you can have an incredible service delivery from your (or your customers’) IT organisation.  I will have to learn these two products.  Damn you Microsoft!  Now I need to learn:

  • Windows 8
  • Windows Server 2012 Hyper-V
  • Pretty much all of System Center 2012
  • And let’s not forget that Office wave 15 beta is around the corner

Ugh!

MMS 2012 – What Happens In Vegas, Stays in Vegas … Unless It Itches

As you might have noticed by the glut of MMS 2012 blog posts, I’ve spent the last 7 days in Las Vegas at the Microsoft Management Summit 2012 conference.  It was a good week.  I mostly hung out with the small group of Irish delegates but it was good to meet many folks from around the world that I regularly communicate with, as well as some of you readers.

The content of the week was interesting.  The majority of it was level 100 or introductory show-and-tell.  For me and the role I do in technical sales, I valued the sessions that gave real world examples.  The best of those was the one on Thursday evening that was delivered by the Inframon guys, looking at real world examples of where they’ve deployed integrated System Center 2012 solutions with automated remediation.

Another interesting session was the one on the Visio Management Pack Designer (VMPD).  The MP authoring tool is dreadfully documented in my opinion and hard to get into, so a visual tool that’s easy to pick up and create custom MPs from is greatly appreciated.

The keynotes were interesting, as long as you hadn’t read the spoiler press releases by MSFT marketing.  MSFT marketing does something good from time to time, such as Tad, but most of the time they … well … you know those 200 people that were let go from MSFT marketing recently?  Maybe they let the wrong people go.

Keynotes are usually aimed at people who don’t keep up with events, and those of us who do are usually bored silly.  But we all got something this week.  In day one we got the new name of Windows Server 2012 and a funny video with Vijay Tewari making the most of his free time thanks to automation.  In the day 2 keynote we got a real surprise.  The day before I was talking about the deep versus light management of mobile devices in ConfigMgr 2012 and joking how one was better off with a Windows Mobile 6.5 phone if deep management was their goal.  But damn, did they come through with the vNext (aka 2012 SP1) news.  Side loading of apps onto Android and iOS is a BIG deal.  And to be able to do that with both ConfigMgr 2012 SP1 and Intune vNext is very cool.  The demo was a little ropey thanks to a projector cable malfunction but the keynote team adapted and overcame the problem on the fly – well done!

You may not have read between the lines: Windows Phone 7.x cannot be side loaded with apps like Android and iOS because of its security model.  I was told this at the Intune booth in the Expo hall.

Overall, we had a blast this week.  But I am glad to be leaving the 90F temperatures, the perfumed air conditioning, and the constant ding-ding-ding of the slot machines behind.  Now if only I was allowed to bring this Heckler & Koch G36 home …
