Cluster Aware Updating (CAU) is a new feature that makes running Windows or Automatic Updates on a Hyper-V cluster easier than ever, as well as any other WS2012 cluster.

If you currently have a Windows Server 2008/R2 Hyper-V cluster, then you have a few options for patching it with no VM downtime:

  • Manually Live Migrate VM workloads (Maintenance Mode in VMM 2008 R2makes this easier), patch, and reboot each host in turn, which is a time consuming manual task.
  • Use System Center Opalis/Orchestrator to perform a runbook against each cluster node in turn that drains the cluster node of it’s roles (VMs), patches it and reboots it.
  • Use the patching feature of System Center 2012 Virtual Machine Manager – which is limited to Hyper-V clusters and adds more management to your patching process.

CAU is actually pretty simple:

  1. Have some patching mechanism configured: e.g. enable Automatic Updates on the cluster nodes (e.g. Hyper-V hosts), approve updates in WSUS/ConfigMgr/etc.  Make sure that you exempt your cluster nodes from automatic installation/rebooting in your patching policy; CAU will do this work.
  2. Log into Failover Clustering from a machine that is not a cluster node (Hyper-V host) member.  Run the CAU wizard.
  3. Here, you can either manually kick off a patching job for the cluster nodes or schedule it to run automatically.  The scheduled automatic option requires that you have deployed a CAU role on the cluster in question to orchestrate the patching.

When a patching job runs the following will happen:

  1. Determine the patches to install per node.
  2. Put node 1 in a paused state (maintenance mode).  This drains it of clustered roles – in other words your Hyper-V VMs will Live Migrate to the “best possible” hosts.  Failover Clustering uses amount of RAM to determine the best possible host.  VMM’s advantage is that it uses more information to perform Intelligent Placement.
  3. Node 1 is removed from a paused state, enabling it to host roles (VMs) once again.
  4. CAU will wait then patch and reboot Node 1.
  5. When Node 1 is safely back online, CAU will move onto Node 2 to repeat the operation.

VMs are Live Migrated throughout the cluster as the CAU job runs and each host is put into a paused state (automatically Live Migrating VMs off), patching, rebooting, and un-pausing.  It’s a nice simple operation.

The process is actually quite configurable, enabling you to definite variables for decisions, execute scripts at different points, and define a reboot timeout (for those monster hosts).

Something to think of is how long it will take to drain a host of VMs.  A 1 GbE Live Migration network will take an eternity to LM (or vMotion for that matter) 192 GB RAM of VMs, even with concurrent LMs (as we have in Windows Server 2012).

Sounds nice, eh?  How about you see it in action:




I have edited the video to clip out lots of waiting:

  • These were physical nodes (Hyper-V hosts) and a server’s POST takes forever
  • CAU is pretty careful, and seems to deliberately wait for a while when a server changes state before CAU continues with the task sequence.




Every now and then I hear someone complaining about how long it takes to create a fixed VHD/VHDX.  There’s a very good reason, as this story on NetworkWorld shows:

A forensic IT study by a U.K. security consultancy found that some multi-tenant public cloud providers have "dirty disks" that are not fully wiped clean after each use by a customer, leaving potentially sensitive data exposed to other users.

FYI, AFAIK most of the mentioned companies are using some variant of Xen or vSphere.  The issue here is that Customer A buys a VM and uses it to store data in a virtual disk.  That virtual disk is a file that is stored on physical disk.  Customer A eventually decommissions the VM or their storage is relocated.  Now think about what a delete really is; it’s not a secure delete.  Deleting a file simply removes the entries from the file system table.  The 1’s and 0’s are still there, waiting to be read.

Now along comes Hacker B who buys a VM and deploys it.  Their VHD is placed over the same location of physical disk as Customer A’s old VM.  Without any security measures, Hacker B can simply run a disk scan tool, from within their VM, and find those 1’s and 0’s, pretty much doing some disk forensics to restore the “deleted” data that Customer A previously stored in their VM.  And that’s exactly what that study found was possible with a number of public cloud providers:

… Rackspace and VSP.net had the vulnerability.

The Microsoft developers VHD/VHDX were aware of this and took measures to prevent it.  When you create a VHD/VHDX it securely wipes the contents of the file as it is created.  This prevents access to data that was previously on the underlying physical disk.  Disk forensics will get you nowhere.

A number of 3rd party tools are out there to instantly create fixed VHDs but they fail to implement this secure wipe so the process can be speeded up, thus putting the hosting company at risk of this threat.  In this case, it is a matter of balancing a genuine security risk (especially in a public cloud) versus performance (of deploying new virtual machine storage while the customer watches a progress bar on a web portal).

The story continues to report that the mentioned affected hosting companies resolved the issue after they were informed.


The 12.04 LTS (long-term support) version of Ubuntu has been released overnight and it includes the Linux kernel with full built-in support for running on Hyper-V.  That means that you should be able to:

  • Mount a Ubuntu ISO in a Hyper-V VM
  • Install the OS
  • Avail of all the Hyper-V devices and integrations that are supported by Linux with no extra IC installations required

Nice!  In fact, The Register agrees with that assessment too.  I hope that the other Linux distro’s catch up with Ubuntu.

Congrats Mike & the team!

Technorati Tags: ,,

If you’re using Windows Server 2012 Failover Clustering for Scale Out File Server or for HA Hyper-V then you’ve created one or more Cluster Shared Volumes (CSV).  This active-active clustered file system (where orchestration is performed by the cluster nodes rather than the file system to achieve greater scalability) is NTFS based.  But wander into Disk Management and you’ll see a different file system label:


This label has two purposes:

  1. You can tell from admin tools that this is a CSV volume and is shared across the nodes in the cluster
  2. It allows applications to know that they are working with a CSV rather than a simple single-server volume.  This is probably important for applications that can use the filter extensibility of Windows Server 2012 Hyper-V, e.g. replication or AV.

BTW, this screenshot is taken from the virtualised scale-out file server that I’m building with a HP VSA as the background storage.


According to Neowin, Microsoft has released a new version of Microsoft Security Essentials (MSE), their free antivirus protection for PCs.  It supports:

  • Windows XP Service Pack 3 (SP3)
  • Windows Vista (Service Pack 1, or Service Pack 2)
  • Windows 7

Yes, Windows XP and Windows Vista are both still supported for this new development, even though they are both in extended support.  You can understand this exception when you consider the reason for MSE’s existence.  It exists to help prevent the spread of malware on PCs that otherwise would not be protected:

  • People who get free 90 days of AV with an OEM PC but never buy the subscription
  • People who can’t afford to or won’t buy AV

One of the best stories we have of MSE locally was when we did a community launch event for Windows 7 in Belfast.  We talked about MSE and how it could help defend against Conficker which was all the rage with unpatched PCs at the time (and unfortunately still is thanks to negligent [IMO] admins/managers).  Irish DPE, Dave Northey, saw a photographer was taking photos on behalf of the venue and asked for a copy of some of the photos.  The photographer came over at the end of the event with a USB stick.  Dave joked that he hoped that Conficker wasn’t on the stick – MSE was on Dave’s laptop and screamed about finding Conficker on the photographer’s USB device Smile

You might ask about support for Windows 8.  Good question.  Windows 8 comes with Defender built in (more later).  Defender in Windows 8 is not the Defender of old.  It actually is anti-spyware and antivirus, meaning that you don’t need to download/install MSE on it.

Built-in AV, eh?  Imagine what Symantec’s lawyers, the EU, and so on will think of that!  Many of us are presented with a browser chooser when we setup Windows 7 for the first time.  I wouldn’t be surprised if we see something similar for AV.  Personally, I’d stick with Windows 8 Defender, but there’s nothing to stop you from choosing an alternative.  I wouldn’t be surprised if OEMs continue to ship subsidised trial copies of AV and retail stores continue to push AV boxes on customers with their PC/laptop/tablet purchase.  You still have a choice, but at least with Windows 8, you have protection by default.


Jeffrey Snover of Microsoft has confirmed yesterday’s news (which was heavily retweeted) that Windows 8 Release Preview and Windows Server 2012 Release Candidate will be released to the public in the first week of June 2012.

I’ve been saying for a while that the Windows 8 schedule looks very like the one for Windows 7.  It’s a little  different (one month behind) but not that different.  My gut is saying it’s an August RTM (on MSVL, MSDN, and TechNet soon after) and an October launch/GA (LAR/distributor pricelist for new volume license purchases, OEM machines, on the shelves).

It won’t be long after that when we have SP1 for System Center with support for Windows Server 2012 and Windows 8.


If you wander over to RunAs Radio (also on iTunes) you’ll be able to download their latest episode where I was a guest and talked about Windows Server 2012 Hyper-V.  In it myself and the host, Richard Campbell, take a quick tour around some of the highlight features of Microsoft’s newest version of their virtualisation hypervisor.

We recorded the podcast a few weeks ago when we still referred to Windows Server 2012 by it’s beta codename of Windows Server “8”.

Thanks to the folks at RunAs Radio for asking me on as a guest!


I’ve just followed a link that Mary Jo Foley tweeted and that lead me to a broader Windows 8 licensing article called “Introducing Windows 8 Enterprise and Enhanced Software Assurance for Today’s Modern Workforce”.  That article had a section that I found interesting, detailing how companies with Software Assurance for the desktop would be getting additional mobility and usage rights:

  • “Windows To Go Use Rights: Windows To Go will allow companies to support Bring Your Own PC scenarios and will give employees who need to work from home more secure access to their full corporate environment. With Windows To Go use rights under Software Assurance, an employee will be able to use Windows To Go on any company PC licensed with Windows SA as well as from their home PC. Additionally, through a new companion device license for SA, employees will be able to use WTG on their personal devices at work.
  • Windows RT Virtual Desktop Access (VDA) Rights: When used as a companion of a Windows Software Assurance licensed PC, Windows RT will automatically receive extended VDA rights. These rights will provide access to a full VDI image running in the datacenter which will make Windows RT a great complementary tablet option for business customers.
  • Companion Device License (CDL): For customers who want to provide full flexibility for how employees access their corporate desktop across devices, we are introducing a new Companion Device License for Windows SA customers. For users of Windows Software Assurance licensed PCs this optional add-on will provide rights to access a corporate desktop either through VDI or Windows To Go on up to four personally owned devices”.

Windows To Go is a pretty cool feature.  Long-story-short: you can install Windows 8 Enterprise onto a USB 3.0 stick and then plug that into any USB 3.0 capable machine (assuming the drivers are there for PNP) to boot that machine up.  The idea is that a business can build these sticks and give them to employees to enable bring your own device (BYOD) while still using a corporate build of Windows.  Teamed up with Network Access Protection (NAP), you could isolate the non-corporate OEM Windows installs on the network (should the employee boot from the on-disk install instead of the USB 3.0 one) and give “unrestricted” access to the USB 3.0 boot image (for normal corporate resource access).

At the moment, setting up Windows To Go and deploying it is command line messing with WAIK.  I’d suspect MSFT will give us an updated deployment tool that enables driver and update injection so we can automatically handle many models of hardware.

Windows RT is what we briefly called Windows on ARM (WOA), the OEM-only build of Windows 8 for ARM based tablets.  If you use one of these as a secondary device to a SA covered desktop then you’ll get VDI rights for this device.  That’s cool!  Windows 8 Enterprise (SA) per desktop (not for the RT tablet) gives that PC rights to access VDI.  Without SA for the tablet, the company would have had to license it with the per-device VDA which would be very costly.

For non-Windows companion devices, such as the iPad, there will be an optional add-on called CDL.  We don’t know the price of that – I suspect GA for Windows 8 will be October so I’d expect LARs and distributors will have updated price lists on October 1st.  When you attach CDL to a PC’s software assurance, you will entitle up to 4 personally owned companion devices (iPad, iPhone, etc) of that PC to access Windows based VDI or Windows To Go.  This is an improvement … right now personally owned devices probably should have VDA.  With the estimate being that tech savvy employees personally own 4-5 of these devices, that could be very expensive for the company.  CDL will greatly reduce that cost.

It sounds to me that corporate owned devices will still require VDA.

Right now, all we have is a single light on detail blog post to go on.  We’ll have to wait until MSFT updates their licensing training and Product Usage Rights (PUR) for Windows 8 to get the specifics.

Technorati Tags: ,

In the “2007” generation of System Center (how I refer to the last generation of the suite including the 2010 and 2008 R2 products), I quite happily avoided Opalis (which I was quite vocal about not liking) and Service Manager (which was quite rightly a niche product).  I put my focus on VMM, ConfigMgr, OpsMgr, and a little DPM.

Folks, the game has changed.  It’s one thing to hear MSFT marketing talk about it, or to hear it for 5 days straight at a conference.  But it’s something completely different when customers are demanding it.  Organisations want a service centric IT department with self-service, automation, governance, deep monitoring, and …. and … you get the picture. 

That means 2 things:

  • You need System Center 2012 Orchestrator for the automation and deep integration into the rest of System Center, AD, and 3rd party products
  • You need System Center 2012 Service Manager as a portal to the IT department and the service catalogue that it provides

At MMS we just had one session after another that illustrated how some business scenario could be dealt with using some component(s) of System Center in combination with the above two products.  Every time, the user would request a service in Service Manager, Orchestrator would orchestrate the tasks, and the rest of System Center would implement the desired changes, possibly requiring some manual approval via a service ticket.

With this huge increase in demand, I’ve come to the conclusion that I cannot avoid Service Manager or Orchestrator anymore.  They’re very different to the “2007” generation of the same products, and people are aware of the need for solutions that do what these products do.  With those two products gluing the rest of System Center together, you can have an incredible service delivery from your (or your customers’) IT organisation.  I will have to learn these two products.  Damn you Microsoft!  Now I need to learn:

  • Windows 8
  • Windows Server 2012 Hyper-V
  • Pretty much all of System Center 2012
  • And let’s not forget that Office wave 15 beta is around the corner



As you might have noticed by the glut of MMS 2012 blog posts, I’ve spent the last 7 days in Las Vegas at the Microsoft Management Summit 2012 conference.  It was a good week.  I mostly hung out with the small group of Irish delegates but it was good to meet many folks from around the world that I regularly communicate with, as well some of you readers. 

The content of the week was interesting.  The majority of it was level 100 or introductory show-and-tell.  For me and the role I do in technical sales, I valued the sessions that gave real world examples.  The best of those was the one on Thursday evening that was delivered by the Inframon guys, looking at real world examples of where they’ve deployed integrated System Center 2012 solutions with automated remediation.

Another interesting sessions was the one on the Visio Management Pack Designer (VMPD).  The MP authoring tool is dreadfully documented in my opinion and hard to get into, so a visual tool that’s easy to pick up and create custom MPs from is greatly appreciated.

The keynotes were interesting, as long as you hadn’t read the spoiler press releases by MSFT marketing.  MSFT marketing does something good from time to time, such as Tad, but most of the time they … well … you know that 200 people that were let go from MSFT marketing recently?  Maybe they let the wrong people go. 

Keynotes are usually aimed at people who don’t keep up with events, and those of us who do are usually bored silly.  But we all got something this week.  In day one we got the new name of Windows Server 2012 and a funny video with Vijay Tewari making the most of his free time thanks to automation.  In the day 2 keynote we got a real surprise.  The day before I was talking about the deep versus light management of mobile devices in ConfigMgr 2012 and joking how one was better off with a Windows Mobile 6.5 phone if deep management was their goal.  But damn, did they come through with the vNext (aka 2012 SP1) news.  Side loading of apps onto Android and iOS is a BIG deal.  And to be able to do that with both ConfigMgr 2012 SP1 and Intune vNext is very cool.  The demo was a little ropey thanks to a projector cable malfunction but the keynote team adapted and overcame the problem on the fly – well done!

You may not have read between the lines: Windows Phone 7.x cannot be side loaded with apps like Android and iOS because of its security model.  I was told this at the Intune booth in the Expo hall.

Overall, we had a blast this week.  But I am glad to be leaving the 90F temperatures, the perfumed air conditioning, and the constant ding-ding-ding of the slot machines behind.  Now if only I was allowed to bring this Heckler & Koch G36 home … Winking smile 



Speaker: Saud Al-Mishari, MSFT PFE – think he’s based in the UK

The session is on the new replication model: RCM, DRS, and SEDO.

Key Concepts

  • SQL replication in ConfigMgr 2012 is nothing do do with SQL Server Transaction Replication
  • Data Replication Service (DRS)


  • Stored procedure: sproc
  • SSB: SQL Service Broker
  • Change Tracking: SQL Server Change Tracking


  • RCM: Replication Configuration Management/Monitoring
  • Replication Pattern: a set of rules on what will replicate
  • Replication group: a set of tables that are monitored and replicated together
  • Replication Link: a replication connection between two SQL servers for a particular RG
  • Backlog: Unable to write data t the SQL Server DB after being received in the SSB Queue (usually SQL Server write performance)

New Replication Model

  • Global data is anything an admin creates and is replicated everywhere, e.g. collection rules
  • Site data is stuff like status, collection membership results, replicated up to parent site.

Client generates XML file and copies to management point.  MP copies MIF to the site server.  Site server process it.  DRS replicates the changed data to the parent  CAS contains the discovery data.

SQL Server Change Tracking

  • Change tracking allows application to keep a record of rows in a table that have been changed: insert/update/deete
  • Does not track changed data – obtained directly each sync
  • Added in SQL Server 2008 … not to be confused with Change Data Capture
  • Is enabled at the DB level and at the table level.


SQL Service Broker

Messaging service:

  • Asynchronous queue based service
  • Guaranteed delivery (not infrastructural guarantee – developer guarantee)
  • Allows messages to be grouped into a conversation … messages processed in order, allows for multiple threads to process queue


  • Allows scalability

Replication Patterns

  • Global data flows in both directions.  CAS and primaries all have the same data, e.g. collections and package meta data.
  • Site data flows up.
  • Global-proxy is admin and control data for secondary sites.  A primary and secondary sites all have the same data.  Subset of global data that secondary sites needs.  Leverages SQL 2008 R2 Express at the secondary site with 10 GB limit.

Select * from vReplicationData to find all RGs and their sync schedules

ID is the key field in here.

Provider Access

SMS_ReplicationGroup is a new WMI class that supports replication.  1 instance per RG.  Status propert allow you to determine the sttus of the RG.

What’s in an RG?

Select * from vArticleData where ReplicationID = XX  …. using ID from above query

How big is the RG?

EXEC spDiagGetSpaceUsed

If a site goes down for a week or two, how much data must you send across?  Use the above query to figure out how much data must be replicated by the RG.


In the SQL Management Studio.  Select * from vReplicationData. Can see all the patterns for global, site and global-proxy.  SyncInterval is the number of minutes between replications.  DRS runs every 5 minutes .. no control over that. 

Select * from vArticleData where ReplictionID = 7.  Looks like Endpoint Protection data being replicated here.

Runs spDiagGetSpaceUsed .. takes a while.  Returns the size of the tables.  Replication Pattern shows the amount of data to replicate if you lose a site for the 3 patterns (global, site, global_proxy).

DRS Architecture

  • RCM handles replication link setup, maintenance and monitoring – command and control.  It’s a thread of SMSEXEC.
  • SSB is the transmission engine of replication
  • The Sender still lives and is used for bulk copy for initialization and re-init.
  • 5 day limit on DRS for outages – Due to the need to retain changes.  It retains 5 days of data.  Try to expand this for a 30 day outage and ConfigMgr needs to maintain 30 days of data.  It’s 5 days to handle a long weekend apparently – site breaks at start of holiday, come back 4 days later and fix it. 


  1. BCP: to extract table data
  2. Sender: SMS EXEC sender thread
  3. SMB/CIFS: copy data to the destination

On-going replication

  1. SQL Server Change Tracking
  2. DRS sprocs and SQLCLR
  3. SQL Server Service Broker
  4. XML

Demo – Break replication

SQL DBA has a bad day and disables dbo.ConfMgrDRSQueue.  CMTrace is started from DVD.  Opens rcmctrl log on site server.  See that the queue not running causes and error.  We can see that ConfigMgr actually reached out into SQL and re-enabled the queue. 

In CMconsole , we have send demo.  The link is degraded in one direction but not the other under Database Replication.  Looks like TCP 1433 connectivity issue.

Site Initialisation

  1. Setup start
  2. Setup asks CAS for site number.  If you have more than 50,000 clients, then you need SQL Enterprise Edition to chunk up data in the DB and partition it.
  3. Setup finished and waits for replication to initialise.
  4. The replication configuration data is requested.  This group tells RCM as the primary how replication should be setup
  5. CSA receives request and BCPS out the data and sends it via sender back to the primary
  6. Primary now request remaining Global Replication Groups.  CAS creates the BC packages and send them back to the primary.  Primary then applies the new data from the CAS.
  7. Primary site receives BCP fles and inserts all the data from the CAS>  The primary can now switch to normal replication.

DRS Message Replication

  • Provider executes query that modifies table
  • SQL Server writes entries into change tracking table
  • On DRS sync: changes are packages up and inserted into SQL Server message queue sing a stored proc.
  • Message Broker transmits the message to the receiving site.
  • RCM monitors the queue launching activation stored procs to process
  • And more on receiving side to insert modifications on receiving side

WARNING: When A CAS Goes Offline

When the CAS goes offline for more than 5 days, don’t make changes on the Primary as a substitute as the CAS.  The CAS will re-initialise the primaries after more than 5 days outage, thus wiping the Primary’s changes.

DRS Troubleshooting

  • The Replication Link Analyser RLS should be yur first stop.  It’s predictable and can do some fairly complex remediation
  • RCM Log should be the follow up.  But this is just a summary of what has happend.
  • For transmissions layer errors, the SSB queue is sometimes the most immediate source for error messages (of this type)

Views for Detailed Info

  • The main logging view: vLogs.  They log into the DB.  Select top 1000 * from vLogs order by LogTime desc.  Limit that number.  DO not select everything.  Will hammer prod environment and compund the issue.
  • SMS_Replication_Configuration_Monitor registry key to configure logging

DRS Troubleshooting

  • Ensure that TCP 1433 exception is there for SQL Service and 4022 for SQL Broker.
  • SSB keys transmitted through setup – monitoring with Hman.
  • spDiagDRS will give you an overview of the state of DRS replication at the site.  SiteStatus (coded), Replication Group Initialization Status, DRSQueueStates, QueueLenghts (ideally 0 and 0 or you have a backlog), Replication Group Status deltails the last time messages sent

Demo: View Queues

Click on the queues in SQL under service broker under CM database.

Procedural troubleshooting of DRS DEMO

Turns of SQL Broker. Makes a change to Client Policy.

  1. Run spDiagDRS: EXEC spDiagDRS in SQL MS.  We see messages jammed in the outbound queue.
  2. SSB transmission_queue: 
  3. Service broker queues: We see connection failed errors.  Telnet to the port and we see it fails.
  4. vLogs: select * from vLogs ORDER BY LogTime DESC (beware * in real world … too much data)
  5. RCM_ReplicationLinkStatus

The Database Replication link in CM console will flip to degraded and then flip to fail after about 25 minutes.  Can run Replication Link Analyzer (RLA).  In the demo it shows that there’s a network connectivity issue.

Invoke-WmiMethod –namespace rootrootsmssite_CAS –path SMS_ReplicatinGroup –Name InitializeData = arguementlist “20”, “CAS”, “PR1” to reinitialize a RG.  RLA should do this for you if required.

SEDO – Why do we need a way of controlling changes?

  • As global data is replicated everywhere, a user on a primary site culd change an object at the same time as a user on the CAS or another primary.
  • This is an unavoidable consequence of multi-master replicated data model – ask AD.
  • SEDO is the solution to this.

What is SEDO?

  • SEDO = Serialized Editing of Data/Distributed Objects
  • Provides a way to enforece a single user editing of an object at any one time.
  • A lock request round trip can take less than 200ms from Primary to CAS to Primary
  • Default Timeout is 5 minutes.
  • Only SEDO enabled objects require users to get a lock
  • Supports explicit and implicit lock handling.
  • This is all transparent to admins.  Important for devs building extensions to CM.

Speakers: Orin Thomas and Mike Ressler

Replication is not the same as backup.  Lose it in site A = lose it in site B.  Backup is still required.  And backup provisioning in the private cloud is a challenge cos admins don’t know what’s being deployed.

DPM is a part of system center, a part of a holistic integrated solution.  Makes it perfect for provisioning in the private cloud.

How Will The Agent Get Deployed?

  • Make it part of image
  • GPO for an OU
  • Scripting or manually
  • Use Configuration Manager
  • And probably lots more options, e.g. a runbook fired off from Service Manager

Their solution is user goes to Service Manager, creates a request, and Orchestrator runs a runbook.  Their is a DPM Integration Pack.  It’s a confusing IP apparently. 

  1. Initialize Data: Add parameters – ServerName, DatabaseName, and Type (3 types of protection group in DPM such as gold, silver, and bronze for recovery points, retention, etc).
  2. Get Data Source (renamed as Get Protection Group): Data Source Location set as protection group and select Type
  3. Get Data Source (get server ID) – choose protection server and select ServerName
  4. Get Data Source (renamed as Get Data Source ID) – DPM, Get protection server name and filter to DatabaseName to protect a single DB, could have said type = SQL to protect all DBs.
  5. Protect Data Source: Protection Group = Get Protection Group
  6. Create Recovery – Something.

Yup, it’s confusing.  Go look at the videos when the guys tweet the link.

Keep the self-service simple.  If there’s more than a few questions, the user won’t do it and they’ll blame you when data isn’t protected and it’s lost.

There’s a bunch of Service Manager stuff after this.


Speaker: Gordon McKenna and Sean Roberts, Inframon

I’m live blogging this session so hit refresh to see more.

Private Cloud MOC and Certification

New exams and certifications.  70-246 Monitoring and Operating a Private Cloud.  70-247 Configuring and Deploying a Private Cloud.

  • MCSA + 70-246 + 70-247 = MCSE: Private Cloud
  • 70-640 + 70-642 + 70-646 = MCSA

The two training courses are available now.

10750 – Module 4: Monitoring Private Cloud Services

To do J2EE APM you download an opensource Java bean.  OpsMgr network monitoring is network monitoring for server guys. Existing solutions for network guys won’t be replaced.  OpsMgr network monitoring gives the server guys the tools to find a troublesome link/device and enable them to tell the n/w guys.  Port stitching figures out what ports your monitored servers are talking to and shows that to you.

MP Templates are a good starting point.  Check out the new Visio tool and the MP Authoring tool (latter requires significant time investment). 

Distributed Application Monitoring

A new distributed application monitoring tool.  3 types of line:

  • Reference relationship: no impact … dotted line
  • Hosted relationship, e.g. database hosted by database instance.  Health will roll up.
  • Containment: Group of servers.  With aggregate rollup monitor, server goes red, group goes red.

Note that default management pack is no longer there!  Forces you to save your authoring in a suitable MP.  Yay!

Health rolls up to 1 of 4 things:

  • Availability
  • Performance
  • Configuration
  • Security

We can configure the rollup to go up to a level of our choice, e.g. don’t roll up or roll up to top level of distributed application.

  • Presentation Tier – anything user sees
  • Business Tier: back or middle tiers.

Creates a service level dashboard for the new MP based on the distributed app model.  Add the OpsMgr dashboard viewer and adds the webpart into SharePoint.  Grab the URL of the dashboard link in OpsMgr and edit the web part properties to paste the Dashboard link.  Now the SLA dashboard appears in SharePoint.


  • Always build out service models in the DAD (distributed application developer).  Good eye candy wins prizes!  I concur – have personal experience of that.
  • Use three tier service models that match your business functions
  • Use MP templates for true pro-active monitoring
  • Use APM to stop developer VS IT Pro arguments
  • Create a dedicate SharePoint portal for dashboard and reports

10750 – Automating Incident Creation, Remediation, and Change Requests

Orchestrator components:

  • Orchestration console on IIS (Silverlight)
  • Runbook server(s): usually local to servers
  • Management server running Runbook designed and deployment manager
  • SQL DB

Download integration pack, register it with management server, deploy IP to runbook servers, open Runbook Designer to use it.

Install OpsMgr R2 integration pack  Define a connection to the OpsMgr server.  You then have the actions available to use.  Do the same for Service Manager.

Demo with web service crashing and auto remediation.  OpsMgr detects event.  Orchestrator waits for that event.  It tries to restart the event.  Creates ticket to auto restart IIS.  If that fails, it lodges a ticket in Service Manager for manual OK to reboot the server.

Opens up Runbook designer.  Browses into Runbooks and we see the book in question.  Runs the runbook tester, toggles break point, and runs it.  Now he stops the website.  The runbook kicks off, and they step through the actions.  We get into Service Manager where there’s a change request for a reboot.  That’s approved and the web server is rebooted.

Note: there is a maximum of 50 running runbooks on a Runbook Server.

When configuring a runbook

  • Handle failure and warning links
  • Replace the default strings
  • Change link colours
  • Limit the number of activities for each Runbook
  • Enable runbook logs to an external file

10750 – Module 7: Problem Management In The Private Cloud

Incident = one time occurrence that can be handled by an operator.  Problem is more complex, e.g. engineering issue that requires escalation.

Information stored in Problem Log in Service Manager.  Another demo of automated problem record creation.  An alert will come in in OpsMgr for a DB that goes offline.  The alert auto pipes in as an incident in Service Manager.  Many instances of it in the demo.  It’s a problem.  A problem record is manually created from these incidents.  He fills in information in the New Problem form. 

Now he kills the DB again. 

There’s a runbook that is looking for occurrences of that incident.  It’ll get the service details and the incidents for this service, output data to text file, count lines, if there’s more than X occurrences then it will create a problem based on the data in the file.  This workflow replaces the above manual task for this particular incident.

Hints and tips

  • Target object and classes and use groups to override
  • Be aware of the inheritance for each class
  • Limit the size and activity of a runbook
  • Download and use the Cloud Processes Pack.  Create request driven processes for many cloud services functions such as project, capacity pools, and virtual machines.  Can introduce the concept of charge back billing.  Supplies cloud service runbooks.  Project = collection of capacity pools.



Speaker: Pete Zerger and a Dude Who Was WIth Avicode

APM was Avicode, and allows .NET and J2EE application monitoring from the inside.  Help IT isolate the issue.  Provide the app team with the info they need to fix the app.

Teams you might have involved in app troubleshooting:

  • Operations: Runs the infrastructure n a day-day basis
  • Support and development: writes it and fixes bug
  • QA/Testing: tests it
  • DevOps: owns the production code


  • Troubleshooting
  • Daily/weekly app health analysis
  • Fixing top issues
  • Next application release scope
  • Improve monitoring configuration


Start with Top reports

Figure out how often to send reports, who to send them to, and what apps to include.

Problems distribution analysis is a good high level report of all apps.  Application status gives you a week-week report on app performance/health.  Run it weekly and send to an active/involved supervisor.  Application CPU utilization should be run weekly/monthly.

Make a note of http://dinnernow.codeplex.com/ for testing/demo.


Filter out noise, e.g. non-actionable alerts .. maybe fixed in next release, etc.  Use rules everyday.  Start with top level problems, create rules for exception events.

Using REGE Sensitive Data Filters

You can use expressions to find and mask sensitive data that you don’t want out in the wild, e.g. social security number, credit card number, etc.


There’s a lot more demo after this.  Best you watch the video when it’s made available in a few days.


Speakers: Hector Linares, Senior Program Manager and Susan Hill, Senior Technical Writer, MSFT

Went from 162 cmdlets in VMM 2008 R2 to 438 in VMM 2012.  They maintained backwards compatibility through aliases.  The cmdlets got renamed so they don’t conflict with the new Windows Server 2012 Hyper-V cmdlets.

POSH is the driving force for the UI.  Cmdlets are executed as jobs in VMM so there’s an audit trail.  Other partners, e.g. TFS or XenDesktop, integrates with VMM cmdlets for deployment.

Overview of VMM 2012 system

  • Infrastructure: HA VMM Server, PowerShell, Upgrade, Custom Properties
  • Fabric: Server lifecycle management, multiple hypervisors, network management, storage management, dynamic optimisation.
  • Clouds: An abstraction of fabrics.  Application ower usage, capacity and capability, delegation and quota.
  • Services: Service templates, application deployment, customer command execution, image-based servicing.

Cmdlet groups: 46 nouns

  • get-command –module VirtualMachinemanager –commandtype cmdlet
  • get-scvirtualmachine
  • Now you run read-SCvirtualmachine to do a refresh
  • Repair-scvirtualmachine wil do the repair action.
  • Stop-scvirtualmachine takes more parameters, e.g. stop (cold), save state, or clean shutdown
  • Register-sCVMHost to register a bare metal host.
  • Restart-SCVMHost to reboot a host.
  • Test-SCVMHostCluster to run a cluster validation.

Domain Join for VM

You can use –DomainJoinOrganizationalUnit “ou=, dc=” to set where a new VM joins in a domain.

-AutolongCredential to  set autologon account and –AutoLogonCount to say how many times that will run.

These must be set at the same time.  You can clean up with disableautologon.


Looks like we can use this to customise an unattend.xml for Specialize (3) and OOBE (6) passes.  Use Add)key,value) to add settings.

  • $unattend.add
  • $unattend.remove

Your settings will override settings in GuestOSProfile or VMTemplate.  You have to commit the settings with set-scvmtemplate (I think – quick slides) to use them.


In the demo, he wants to override a template.  He gets the template.  Now he creates a new temporary template.  He sets the OU for it to join to.  He creates runas account as the account he’ll use for building the VM.  He uses that for autologon.  He get’s the unattend object.  No he adds a bunch of overrides to the template using $unattend.add().  set-scvmtemplate – vmtemplate $template –UnanntedSettings $unattend) | Out-Null commits the overrides.  They create a $vmconfig using new-scmconfiguration –vmtemplate $template –Name ($vmNamePrefix + @_config@)) | fl Name. 

VMM still doesn’t have the ability to create differencing disks so you have to use WMI to do it instead.  Apparently this has been blogged. 

He sets the disk name and location.  This can be done on a per disk basis.  In this cmdlet he’s told it to use an existing VHD he just created using WMI. 

Virtual Machine Configuration

You can create a VM config so you can deploy very specific VM configs, different from the defaults.  $VHD to get-scvirtualharddisk from the library.  Then set$storageclass viariable with get-scstorageclassification.  Now $ComputeTier with get-sccomputertier.  Then $VMconfig with new-scvmconfiguration and the $computertier variable.  $vhdconfig and get-scvirtualharddiskconfiguration and $vmconfig.  setscvirtualharddiskconfiguration and $vhdconfig and $vhd and $storageclass. 

Now $virtualnetworkadatperconfig = get-scvirtualnetworkadapterconfiguration.  Setscvirtunetworkadapterconfiguration with $virtualnetadapterconfiguration.  And then more stuff.  Download the slide deck when it comes out in a few days.

Basically you build up a VM config and then you create a VM from that config.

There is a script on the net that will automatically sign the scripts in your VMM library.  It was written for 2008 R2.

We’re shown a demo where a script checks for expired (by date) VMs and stores them in the VMM library.

Hyper-V Data Exchange

Can read and set the KVPs in the VM.  Can read data from a VM without using the network via read.  Can pass in string values to a VM regardless of power state with Set.  A Key is a registry VALUE create to store DATA.  The value is the DATA.  And a KVPMAP is a hash table is one ore more VALUEs or DATA.

Cool demo where Hector writes to the registry of the VM in different power states (on, off, paused, save state).


Jobs submitted to VMM using –RunAsynchronously from one or more runspaces.  Hundreds of parallel jobs.  Typically used in the morning bootstorm in VDI.

VMM 2012 has a concept of threadpools.  By default it handles 25 threads per core in the VMM server with a max of 150 (requires a monster VMM server).  High number of context switches can slow performance of the VMM server.  The WCF timeout is configurable (default of 120 seconds).  Monitor the performance of jobs if you increase threadpools.

If you run asynchronously then query the job object for status.  For higher throughput, use multiple threads with multiple runspaces.

Make sure you tune the VMM refreshers in VDI, and also in very large static environments.  4000 VMs doing a light refresh every 2 minutes and a ful refresh every 30 minutes will hammer the VMM server. 



Speaker: Brian Wren, Principle Knowledge Engineer, Microsoft.

This is a packed room, and it’s one of the bigger rooms.  Obviously a very popular topic.  A quick poll by the speaker: Very few people in here with Opalis/Orchestrator knowledge.  Most of the audience are OpsMgr experienced.

Quick run through of the two products (skipping OpsMgr in my notes)

Orchestrator has Orchestrator Database and Runbook Server.  Runbook runs actions across applications.  Workflows process on runbook server.  Requires access to remote machines – very difficult for OpsMgr MP to do.  Relatively few complex workflows.  So OpsMgr monitors and Orchestrator does stuff.

We can integrate the two products.

Operations Manager Integration Pack

A runbook can use OpsMgr.  Standard activities:

  • Get Alert
  • Get Monitor
  • Create Alert
  • Update Alert
  • Monitor Alert
  • Monitor State
  • Start Maintenance Mode
  • Stop Maintenance Mode

The monitor action in a runbook causes the executing runbook to sit there waiting for something to happen, e.g. if an alert of certain criteria appears, then continue execution of the runbook.

There is also a Start SCOM Task action.  These are the actions you see in the Tasks pane in the OpsMgr console.

Orchestrator Management Pack

Allows OpsMgr to reach into Orchestrator.


  • General health monitoring
  • Create Alert activity for runbook failures


  • Start a runbook
  • Get information about a runbook

This is made possible by a MP by Infront Consulting.

Extension and Automation Options

http://orchestrator.codeplex.com/releases/view/82959 has a library of cmdlets for Orchestrator because it doesn’t have any apparently.


Using his own MP instead of the Infront one.  He shows two runbooks that are being monitored by OpsMgr.  The Infront MP checks the last execution of a runbook for its health.  You can launch a runbook via an OpsMgr task. 


  • Working with alerts
  • Recoveries
  • Tasks and Runbooks

Monitor Alert

A runbook monitors OpsMgr for an alert(s).  When the alert comes in, Orchestrator does something.  For example, a critical alert comes in and Runbook can do some complex notification tasks, e.g. if nobody responds in 20 minutes, then do something. 

MSFT no longer investing in connectors for OpsMgr.  Instead they are investing in Integration Packs for Orchestrator to implement this functionality instead – allows more complex tasks.

Monitor State

Expected you won’t use it much.  Monitors the state of objects in OpsMgr.  One scenario: an error occurs to a DB in a distributed application.  With that rolled up state change, we can kick off a runbook in Orchestrator.


He forces an error to happen.  Now we look at the runbook.  We’re looking for new alerts that come from the MP that will soon detect the error and create an alert.  Now he detects who owns the faulting app.  This could be a query of the Service Manager CMDB.  It’s a SQL query.  He now automatically sets the owner of the alert in OpsMgr using that data and the ID of the alert.  He now checks what time of day it is, and then sends out the appropriate notification.  This is actually another runbook. 

He pulls in data from the 1st runbook.  It send an email.  If that fails, it will create an alert in OpsMgr to say that there’s a problem with the notification system.

In theory, you could then track the alert to see if anyone does work on it in a predefined time.  If not, you could escalate the alert.


Be careful of automated actions that do recoveries.  You don’t want to blindly reboot some machine every time it does X, e.g. bouncing machine, someone disables an app without maintenance mode, etc.  What if the thing autoresolves during the runbook execution?  The runbook will continue to run.

Automated recovery option 1

Runbook monitors for alert in OpsMgr.  Beware of having lots of concurrently running monitor runbooks because it won’t scale out that way.

Create the recovery in the OpsMgr MP to run the runbook in Orchestrator as required.  It’ll use the Orchestrator web service to start the runbook over the network.  It’s more difficult to set up than the monitor alert runbook.

Wow, this room is 95% full.  Very popular topic.


There’s a distributed app. Any time there’s an error, he wants to send a notification to his helpdesk.  He loses me here with XML MP authoring – a pity.  Interesting, he appears to check the health of the object in OpsMgr from the runbook before bouncing the failed service.  He then checks the state of the object after a 5 minute wait.  If not healthy … there’s more.

Running Tasks From a Runbook

Runbooks run across the network.  OpsMgr tasks run on the local agent.  Runbook couldn’t do IPConfig but a task could.  You can run an OpsMgr task from a runbook, wait for execution, and suck in the resulting data into the runbook.


Back to before.  Now the runbook is going to reset a cache in the app to fix the issue.  It’ll be done using an OpsMgr task.  The task is actually a POSH script. 


Back in 2009, Elias Khnaser posted a very badly informed article on InformationWeek with on why you shouldn’t deploy Hyper-V.  I gave it a good bashing, tearing down his points one by one with actual facts.  Well, just in time to be hired by Tad, Elias is back and at it again!

First off, let’s look at the title of the article:

Shared-Nothing Live Migration: Cool, But Not a Game-Changer

Hmm, I have to disagree.  No one else does this right now and it’s a real problem for some.  Think of a large data centre going through a hardware or network refresh.  They can’t afford down time while the export, carry, and import VMs.  They want to be able to move those VMs with the minimum of downtime, and maybe even eliminate downtime.  Shared Nothing Live Migration achieves this.

… entertain this scenario for me: a VM with 1 TB virtual disk … wait, Eli, you are not realistic, you might be thinking … fair enough — what about a VM with 500GB virtual disks? Moving that amount of data over a 1 GB Ethernet or even a 10 GB Ethernet is not quick or feasible in most environments …

Firstly, the vast majority of VMs are small.  And while Windows Server 2012 Hyper-V can support 64 TB VHDX, they will the tiny minority.  And to be honest, not only will these size VMs be few and far between, but I’d expect them to run on clustered hosts with shared storage so Share Nothing Live Migration wouldn’t be needed … except for well planned and scheduled migrations to another part of the data centre.

If you do have lots of 1 TB VMs to move around, then you’re a very large data centre and you’ll have lots of budget for big networking such as Infiniband with RDMA to speed things along.  For the rest of us:

  • DCB and converged fabrics
  • Everything from 1 GbE to Infiniband
  • RDMA
  • QoS
  • Many ways to architect our networking based on our needs

In my opinion, the market that will make most use of Shared Nothing Live Migration are the public clouds or hosting companies.  To keep costs down, many of them are using non-clustered hosts.  And from time to time, they want to replace hardware … a planned operation.  They can do this with this new Hyper-V feature.  And I can speak from experience: most hosted VMs are very small and would cause no issue to move, even over a 1 GbE network.

… this would only be used as a maintenance technique which is what it was slated for anyway.

Of course!  As a virtualisation expert, Elias, I’d trust that you know the difference between high availability (HA – normally reactive) and LIve Migration (LM – normally proactive and planned).  But if one is stuck with working with vSphere standard, then one probably never gets to implement these features because of their high vTax.

To think that you will constantly be copying large virtual disks between hosts is not practical and is not scalable.

Really?  Elias have you even looked at why Shared Nothing Live Migration exists?  It’s not there for load balancing or as an alternative to Failover Clustering HA.  It is there to allow us to do strategic moves of virtual workloads from one cluster to another (or a standalone host), one standalone host to another (or a cluster), from one part of the data centre to another, or even from a private cloud to a public one.  If you’re doing this all of the time with all of your VMs then you need to take a long look at yourself and your planning.

… you cannot use high availability with this feature, and that makes sense since you need a point of reference for HA to work. How can you recover a VM when its files are on the host that failed?

You’re confused and you’re wrong:

  1. You don’t need Shared Nothing Live Migration within a cluster because, strangely enough, there is shared storage in a cluster. With the VMs storage on a CSV, you don’t need to move the VHD(X) from one host to another, or from one storage device to another, to LM a VM from one host to another.
  2. You can use Shared Nothing Live Migration to move a workload from/to a cluster.

Live Migration (proactive VM move) is not HA (reactive failover).  Yes, LM has been separated from Failover Clustering, but they are certainly not mutually exclusive.  And anyone who sees Shared Nothing Live Migration as an alternative to HA needs to reconsider their career path.

I expect that when VMware does feature catch up with Windows Server 2012 Hyper-V, Elias might have a change of heart regarding Shared Nothing vMotion Winking smile  But until then, I expect we need to beware of bogus nastiness and stay vmLimited.

Technorati Tags: ,

Microsoft confirmed the names of the Windows 8 desktop and server this week, as well and confirming the name of the server operating system (Windows Server 2012).

As expected, the desktop OS will be called Windows 8.  There will, in fact, be four/4, editions of Windows 8, and not three as the media are proclaiming:

  • Windows 8: The home edition of the operating system.
  • Windows RT: Formerly known as Windows on ARM (WOA), this is the OEM only OS that you well get prebuilt on an ARM tablet
  • Windows 8 Pro: The edition of Windows 8 that you will buy for a business
  • Windows 8 Enterprise: This is the edition with all the business features that is available to those who license their desktops with Software Assurance (SA)

A few thoughts:

  • Thankfully MSFT has consolidated Starter, Home Basic, and Home Premium into Windows 8, and they’ve done that with Ultimate into the Pro edition.
  • Windows 8 is an edition of Windows 8.  Really!?!?!  That won’t be confusing, not one bit! (there is some sarcasm in there)
  • What does Windows RT mean?  It’s named after the WinRT development subsystem in Windows 8 that enables Metro apps.  It would be like calling it Windows .Net or Windows Javascript.  To me, it’s a bit techie for the targeted consumer audience.

Microsoft gave us a table to compare the features of Windows 8, Windows RT, and Windows 8 Pro:

Feature name

Windows 8

Windows 8 Pro

Windows RT

Upgrades from Windows 7 Starter, Home Basic, Home Premium




Upgrades from Windows 7 Professional, Ultimate




Start screen, Semantic Zoom, Live Tiles




Windows Store




Apps (Mail, Calendar, People, Messaging, Photos, SkyDrive, Reader, Music, Video)




Microsoft Office (Word, Excel, PowerPoint, OneNote)



Internet Explorer 10




Device encryption



Connected standby




Microsoft account








Installation of x86/64 and desktop software




Updated Windows Explorer




Windows Defender








Windows Update




Enhanced Task Manager




Switch languages on the fly (Language Packs)




Better multiple monitor support




Storage Spaces




Windows Media Player




Exchange ActiveSync




File history




ISO / VHD mount




Mobile broadband features




Picture password




Play To




Remote Desktop (client)




Reset and refresh your PC








Touch and Thumb keyboard




Trusted boot




VPN client




BitLocker and BitLocker To Go




Boot from VHD




Client Hyper-V




Domain Join




Encrypting File System




Group Policy




Remote Desktop (host)




A few thoughts on the features:

  • BitLocker and BitLocker To Go are in the Pro edition for the first time.  Excellent!  This has been badly needed for years.  Now disk encryption will be built-in and available to all Windows 8 desktops and laptops in the business. 
  • However, BitLocker and BitLocker To Go are not in the ARM tablet (Windows RT).  That clearly says to me that Windows RT is not suitable for an organisation that needs encrypted mobile devices.  The ball is firmly in Intel’s court, where you’ll probably be able to run either the Pro or Enterprise editions.
  • Client Hyper-V is in the Pro edition.  You have no excuses not to try it now!  It’s great news for admins, developers, and testers.

Last night Microsoft gave us some more detail on Windows 8 Enterprise features.  This list is not complete:

  • Windows To Go: Boot Windows 8 on a USB 3.0 stick.  It gives you a portable operating system/environment that you can use at home, on the go, and enables BYOD with a corporate build on the stick.
  • DirectAccess VPN without a VPN client, that enables a user to access Internet/local resources as well securely using as remote corporate resources.
  • BranchCache allows users’ PCs to cache files, websites, and other content from central servers, so content is not repeatedly downloaded across the wide area network (WAN). When used with Windows Server 2012, Windows 8 brings several improvements to BranchCache to streamline the deployment process, optimize bandwidth over WAN connections and ensure better security and scalabilty.
  • AppLocker can help mitigate issues by restricting the files and apps that users or groups are allowed to run.
  • VDI enhancements: Enhancements in Microsoft RemoteFX and Windows Server 2012, provide users with a rich desktop experience with the ability to play 3D graphics, use USB peripherals and use touch-enabled devices across any type of network (LAN or WAN) for VDI scenarios.
  • New Windows 8 App Deployment: Domain joined PCs and tablets running Windows 8 Enterprise will automatically be enabled to side-load internal, Windows 8 Metro style apps.  This will be important in an enterprise environment.

You can only access Windows 8 Enterprise if your existing Windows 8 Pro is covered by Software Assurance (included in some programs such as OVS).  Licensing benefits include:

  • Windows To Go Use Rights: With Windows To Go use rights under Software Assurance, an employee will be able to use Windows To Go on any company PC licensed with Windows SA as well as from their home PC. Additionally, through a new companion device license for SA, employees will be able to use WTG on their personal devices at work.
  • Windows RT Virtual Desktop Access (VDA) Rights: When used as a companion of a Windows Software Assurance licensed PC, Windows RT will automatically receive extended VDA rights. These rights will provide access to a full VDI image running in the datacenter which will make Windows RT a great complementary tablet option for business customers.  This is not new, but a continuation of an existing right.
  • Companion Device License: For customers who want to provide full flexibility for how employees access their corporate desktop across devices, MSFT are introducing a new Companion Device License for Windows SA customers. For users of Windows Software Assurance licensed PCs this optional add-on will provide rights to access a corporate desktop either through VDI or Windows To Go on up to four personally owned devices.
Technorati Tags: ,

Import Management Packs

  • Service Manager CMDB can become aware of your environment from OpsMgr if:
  • You import MP in OPsMgr
  • AND import MP in Service Manager
  • ConfigMgr data is pulled in, including primary devices for users
  • AD
  • Orchestrator runbooks are also importable: LOB and 3rd party management tools

Other options:

  • Import files
  • Write/buy 3rd party connectors

Some sets of data can come from multiple sources.  All that’s mapped into one object in the CMDB. 

Self Service Portal Features

Service Catalog, Silverlight web part hosted in SharePoint:

  • Role based access
  • Users fill forms to create service requests
  • Dynamic forms

Help Articles and more

Supported Configurations:

  • SharePoint site and WCS (web content server) co-located with SM management server
  • SharePoint site and/or WCS remote from SM management server

Can use SharePoint Foundation 2010 or Enterprise.  Can reuse existing SP farms.


A user wants access to an app and fills out a form requesting it and gives a business case.  A ticket is created, and awaits an approval/rejection.  The helpdesk admin can see the ticket with available actions in the portal.  Click approve and the automated activity does the work, in this case adding the requestor to a security group in AD.

He browses the now accessible web app.  But it crashes.  So now he opens an incident ticket. 

SLA Capabilities

  • Features calendars, business hours, holidays.  SLA metrics in the box.
  • Service level objects are supported for all work items.  Specify target and warning thresholds. 
  • Notifications when you are about to or have breached SLAs.


He opens the previous incident.  We can see there is an SLO (service level objective) in the form of time left until SLA is breached.  This is defined in Administration, Service Level Management, Service Level Objectives. 




Speakers: Brian Wren and Baelson Duque, MSFT.

This is a new way to author management packs for System Center 2012 Operations Manager. 


  • Creating MPs takes too long
  • Difficult to maintain best practices
  • Difficult to create a model to manage an app

The old R2 Authoring Console was a dog IMO.


  • Create custom monitoring with minimal effort
  • Solution for offline management pack creation
  • Visual design tool

What the VMPD is Not For

  • Editing existing management packs
  • Deeply advance customer scenarios

VMPD Shape Types

  • MP Modelling: Represent components of your app
  • MP Rollup: Connect components and monitors
  • MP Monitoring: Monitors and rules


  • MP modelling a single server patterns: application components with a single type of server
  • MP modelling distributed patterns: Multiple types of server


Prereq: It requires Visio 2012 Premium edition. 

You start off with a blank diagram with a management pack shape.  A shape data sheet gives you properties of the shape – visible when you click on the shape.  Here we can specify what versions of Windows the MP will support.  This is a discovery.

In MP modelling we have things like server component (e.g. SQL Server Reporting Services) shape.  It’s data sheet allows us to do discovery using “how to find”: registry key, vale, Windows Server Role, and WMI query.  The Affect Computer Health setting allows you to roll the health of this server component up to the computer, e.g. the server role is red therefore the computer is red.  RunOn allows you to optionally schedule when the discovery runs. 

Under a server role, you place a server component(s).  You can use lines/arrows to dictate health roll up, e.g. “worst of this component”. 

A Windows Performance Counter Monitor is added.  You specify the object and counter as well as the instances of that counter.  You can alert or you can alert and collect data.  You can create a performance view for the console.  You can optionally save your data to the data warehouse.  And you can create a linked report!  This is nice. Me want now.  Can even set the monitor to only run on a schedule, e.g. why monitor LOB app performance during down hours.  Can copy/paste the monitors to quickly expand the MP.

An event monitor is created for an event ID and source.  You can set it to trigger after X occurrences in Y seconds. 

You can use patterns to create a composite shape.. a set of shapes that you are frequently reusing.  You can add your own ones via a stencil 

You can then generate an MP and that does all the XML in the backgrouond for you.


CTP very soon.


I am live blogging from the keynote which is titled as something like “a world of connected devices”.  I’m expecting Intune V3, ConfigMgr, etc to be the focus. Would be nice if they briefed us on how Windows RT (aka Windows on ARM) will be manageable (am thinking some Intune upgrade).

Work/life blur is a theme, so are application deliver, continuous service, people centric, control and governance.  Out comes Brad Anderson.

IDC: the past was one desktop = one user.  In 2011, users have between 5 and 7 Internet connected devices.  They want to use the right device for the job … have a choice.  MSFT want to say “yes, bring your device”.  916million smart connected devices shipped in 2011.  That will double in 2016.  34% of corporations are currently enabling users to access corp apps.  69% of their users are already doing it!!!! Most corps aren’t aware of this usage.  Where there’s a will, there’s a way.

New concepts: corporate controlled devices (traditional) and user controlled devices (BYOD – bring your own device).  In recent past, that was all PC based.  In the near future, we see this changing with lots of smart phones and tablets, all being bought and controlled by the user.  Corp has no control over these with traditional methods.  Ownership not that relevant … control is the important factor, e.g. end user having admin rights over their laptop.

The past has been agent focused control.  That doesn’t work on iOS; no app can control another app because of sandboxing.  The user will never accept an agent that controls their device.  We want to enable the user to be productive on their devices, but we need to control how corporate assets are accessed (governance)

The spoiler is out.  MSFT marketing has issued a press release with the content of the keynote.

Control and governance are two important concepts in enabling BYOD.

Infrastructure considerations

  • Intelligent app infrastructure
  • Security and access
  • Control and governance across all devices
  • User centric

Your opportunity

  • Broaden your impact – don’t be just another guy, another admin, another consultant
  • Enable users to work how/when and where they want.  Good luck with the HR department and the old school managers.  See Lync
  • Differentiate your organization, e.g. why do you rent office space?  Are you a property company?  Why can’t an office worker work from home and do the same job?

Celebrating ConfigMgr 2012 and Endpoint Protection 2012

  • All about the user
  • Unified device management infrastructure
  • Much simplified administration

175,000 registered downloads of the beta.  500,000 production devices.  307,000 Endpoint Protection deployments in TAP.  280,000 devices managed by MSIT.

Intelligent App Infrastructure

The user is at the centre.  They have lots of devices.  We have lots of apps for those lots of apps, with the user in the middle.  VDI is being pushed here.  They are announcing deep integration with with iOS and Android.  Hmm, it’s been referred to as light management up to now.  How are they getting over the app store locks on consumer devices?  Is there a side load aka Jail break.  Ah!  They are integrating with Apple App Store, Microsoft Store, by linking apps.  Is this an SP1 feature?  They are going to side-load apps onto iOS, Windows, and Android without using the app store!!!!!  THIS IS NEW.  Users can roam across different devices and find their apps on those devices.  They’ll have a consistent app experience.  And this is done with a single solution – no point solutions for the device types.


ConfigMgr app deployment to Windows by Bill Anderson (System Center).  He’s got 5 deployment types for Adobe Reader in his demo in ConfigMgr.  He wants to build intelligence and predictability into this.  We can simulate a deployment.  Each deployment type has rules like prereqs, etc.  The simulation is a real test against client devices – it evaluates the rules on the clients, not in the database.  You get real results.  We’re shown the results of this simulations.  We see the success and, more importantly, the machines with it already installed and where there were failures.  We can then use that data to clean up the actual deployment.  This is a pre-flight test in the air without flying.

Deliver Applications To Employee Controlled Devices

This is possible with the new V3 version of Windows Intune.  The non-domain joined devices, e.g. Windows RT, are managed via SSL. 


Self service management of user controlled consumer devices by Bill Anderson.  ConfigrMgr 2012 SP1 to add support for deploying Metro style apps.  They can be built and delivered in house and delivered by ConfigMgr or via the Windows Store via a link.  In the latter it uses a link instead of a distribution point.  For the former, you can distribute that Metro Style app in the DP and deploy from there as you normally would.  In the demo, he makes it available via the ConfigMgr app catalog, so a user can request it via the portal. 

Now we go into Windows Intune.  We see support for iOS.  Android is supported too.  We get the option to make an app available for install rather than push.  Now Brad comes out with an iPhone.  Demo gods kill the projector connection.  Instead we get a Windows 8 device.  There is a self-service app for ConfigMgr vNext and Intune.  It’s an alternative to the MSFT Store.  We can push out MSFT Store linked apps (jumps into a Store deployment).  We can also side load an app for bespoke apps and bypass the MSFT store.  I haven’t seen any of the competition do this on iOS, etc.  At least I haven’t seen it, even if it exists.  In this Center app, you can see your devices and their health status.  We see the Windows Phone location on a Bing Map in the Center.  They can’t get the iPhone on the projector.  We get a similar experience on the iPhone via Intune apparently.  These devices can’t join a domain but they are “domain trusted”.


Going to explode because of BYOD.  App V5.0 is live.  Now App-V apps can interoperate with each other for the first time.  App-V packages can be streamed to a VDI without being committed to disk.  Can have a single cache on a VDI host to save space.

UE-V is user state virtualisation, abstracting the user state from the machine.  Their settings/data move around freely.  The user gets a single working environment across VDI devices.

Windows Server 2012 Reduces VDI Costs

App-V 5.0 reduces cost by using less disk. 


Fast and easy VDI.  Bill is back.  UE-V configured by GPO.  He specifies a server share with a user variable.  He specifies templates for app settings.  In the user side of the policy, he can specify which parts of the state should roam. 

MMS 2013 will be happening: Brad opens a MMS 2013 planning PDF file.

Brad logs into a machine and changes some Adobe Reader settings.  He logs out of his domain joined machine.  Bill is going to set up Windows Server 2012 VDI as part of the demo because it’s quick simple and easy.  He times it and starts up Server Manager.  He’s done in a minute, then the system does the rest of the work in the background.  Brad logs into a VDI VM and his Adobe settings followed him thanks to UE-V.

A camera man comes up so we can get the iPhone demo working.  There we see the Intune center which is an app.  Bill browses available apps and installs one.  And now it installs on the iPhone, and it appears like a normal app install. 

MMS  2013

It will in New Orleans in June 2013.  Hmm, what about TechEd NA. 


Speaker: Vishnu Nath, PM for Network Monitoring feature in OpsMgr 2012.

Discovery, monitoring, visualisation and reporting.  Key takeaway; OpsMgr will help IT Operations gain visibility into the network layer of service to reduce meantime to resolution.  All the required MPs, dashboards, and reports are built in-box.  Server to network dependency discovery with support for over 80 vendors and 2000+ devices certified.  It supports SNMP V1, v2c and V3.  There is support for IPv4 and IPv6 endpoints. 

Supported devices:

  • Bridges
  • Firewalls
  • Load balancers
  • Switches
  • Routers


Process of identifying network devices to be monitored.  Designed to be simple, without the need to call in network admins.


You can run the normal discovery wizard to discover network devices.  There is also a Discovery Rule that you can configure n Administration/Network Management.  This can run on a regular schedule.  You can pick a management or gateway server to run the rule, and you set the server resource pool for the monitoring.  Note that the design guide prefers that you have a dedicated network monitoring resource pool (min 2 Mgmt servers) if doing this at scale.

There are two discovery types, which are like the types of customer MSFT has encountered.  You list the IPs of devices and do explicit discovery.  Alternately, you can do a recursive discovery which crawls the network via router ARP and IP tables.  That’s useful if you don’t know the network architecture.

You’ll need runas accounts for he community strings … read only passwords to MIBS and SNMP tables in the network devices.  It does not need read-write private strings.  Using a runas account secures the password/community string.  You can have a number of them for complex environments. 

You can import a text file of device IP addresses for an explicit discovery.  You can use ICMP and/or SNMP access mode to monitor the device.  ICMP gives you ping up/down probe monitoring.  SNMP gives you more depth.  An ISP won’t give you SNMP access.  A secure environment might not allow ICMP into a DMZ.  You can set the SNMP version, and the runas account for each device.  During discovery, OpsMgr will try each community string you’ve entered.  It will remember which one works.  In some environments, devices can send trap alerts if they have failed logins and that can create a storm of alerts … SO BEWARE.  You can avoid this by selecting the right runas account per device.

There are retry attempts, ICMP timeout, SNMP timeout.  You also can set a max device number discovery cap.  This is to avoid discovering more than you need to in a corporate environment.

You can limit the discovery to Name, OID, or IP range.  And you can exclude devices.

You can also do the discovery on a regular basis using a schedule.  Not important in static environment.  Maybe do it once a week in larger or more fluid environments.  You can run the discovery rule manually.  When you save the rule, you have the choice to run the rule right then.

What’s Discovered

  • Connectivity of devices and dependencies, servers to network and network to network
  • VLAN membership
  • HSRP for Cisco
  • Stitching of switch ports to server NICs
  • Key components of devices: ports/interfaces/processor/ and memory I think

The process:

Probing (if not supported, it’s popped in pending management for you to look at. If OpsMgr knows it then they have built in MIBS to deal with it) –> Processing –> Post Processing (what VLANs, what devices are connected, NIC stitching mapping).

  • Works only on Gateway/management server
  • Single rule per gateway/management server
  • Discovery runs on a scheduled basis or on demand
  • Limited discoveries can be triggered by device traps – enabled on some devices. Some devices detect a NIC swap, and the device traps, and OpsMgr knows that it needs to rediscover this device.  Seamless and clever.

Port/Interface Monitoring

  • Up/down
  • Volumes of inbound/outbound traffic
  • % utilization
  • Discards, drops, Errors

Processor % utilization

Memory counters (Cisco) and free memory

Connection Health  on both ends of the connection

VLAN health based on state of switches (rollup) in the VLAN

HSRP Group Health is a rollup as well

Network Monitoring

  • Supports resource pools for HA monitoring
  • Only certain ports monitored by default: ports connecting two network devices together or ports that the management server is connected to
  • User can override and monitor other ports if required


4 dashboards:

  • Network summary: This is the high level view, i.e. top 10 nodes list
  • Network node: Take any device and drill down into it.
  • Network interface: Drill into a specific interface to see traffic activity
  • Vicinity: neighbours view and connection health.


5 reports:

  • Memory utilisation
  • CPU utilisation
  • Port traffic volume
  • Port error analysis
  • Port packet analysis


Behind the scenes they normalise data, e.g. memory free from vendor A and memory used from vendor B, so you have one consistent view.  You can run a task to enable port monitoring for (by default) un-monitored discovered ports (see above).  


You can author custom management packs with your own SNMP rules.  They used 2 industry standard MIBS and it’s worked on 90-95% of devices that they’ve encountered so far.  Means there’s a good chance it will work on future devices.


Speaker: Johan Arwidmark @jarwidmark, Chief Technical Architect, Knowledge Factory

Agenda: hydration, create  reference image, setup ConfigMgr 2012 for deployment.

Free hydration kit, based o n MDT 2012 Lite Touch, fully automated build of entre labs.  Download from www.deploymentresearch.com  When your run it, it allows you to copy your media into a folder structure.  Then you get an easy deployment solution.  It does an unattended install of ConfigMgr.  It even installs a DC for your labs!

He’s enabled deduplication on his Windows Server 2012 MDT machine, saving a lot of disk space.

The kit creates a 10 GB ISO file, which you mount on a VM and start from.  You are asked if you want the domain controller (1st) or the ConfigMgr site server (2nd).  There is a customsettings.ini file for each server, with their build confgs, e.g. IP address.

Johan recommends Lite Touch to create ConfigMgr reference images.  He reckons it’s twice as quick.  Plus, a ConfigMgr reference image is specific to ConfigMgr, whereas an MDT one is generic and can be used in WDS, ImageX, etc. 

Create a reference image

Doing this in MDT 2012 Workbench.  Import OS image and create task sequence.  Always use VMs for reference images.  He puts a suspend in the task sequence so he can snapshot the VM before the sysprep.  That means he can apply the snapshot to change the macine and recapture the reference image.


Speakers: Kenon Owens, Senior Product Marketing Manager, Microsoft and Fahad Ahmed, Infrastructure Architect, Microsoft.

This is a VMM 2012 session on building the private cloud fabrics.  Or you could read Microsoft Private Cloud Computing to learn all this.

You create pools of physical resources, aka, clouds, give users access to them, define resources that they can use, and give them a quota.  The physical resources in question are compute, storage, and network.

You can attach Configuration Manager to do additional management such as patching, DCM, auditing, compliance, security, etc.

Host deployment:

  1. WinPE downloads and prepares a partition
  2. Downloads a VHD from VMM for boot to VHD
  3. Does Plug and Play for the system
  4. Boot the machine into OOBE
  5. Join domain and enable Hyper-V
  6. Reboot – and it’s now in a VMM host group

Storage Management

Uses SMI-S.  Storage vendors still slow to implement.

  • End to end mapping = create associations between storage and VM. ID storage consumed by VM, host and cluster
  • Capacity management: add storage to a host or cluster through masking operations.  Add capacity dring a new cluster creation
  • Rapid provisioning: create new VMs leveraging SAN LUN cloning.

Can tier storage via classification pools using labels of your choice.


In Fabric: storage is a fabric.  They’ve deployed 3 NetApp arrays via SMI-S providers.  They have created 3 tiers of storage pools based on quality of disk, picked from the various arrays.  In the VMM console, they create LUNs that will be used as a cluster witness disk and a CSV in a later cluster build. 

Logical Abstraction for the network fabric

  • Logical networks: Classify networks for VMs to access, map to network topology, allocate to hosts and clouds.
  • Address pools: allocate static IP to VMs from a preconfigured pool, create and IP pool as a manage range of IPs, create a MAC address pool
  • Load Balancers: apply settings for LB capability in service deployment, control LB through vendor provider

You can allocate logical networks to physical NICs, e.g. create Prod and DMZ networks, and allocate those logical networks to hosts in different clouds as appropriate. 

  • IP pools: assigned to VMs, hosts, and virtual IPs (LBs), specified use in VM template creation, checked out at VM creation, returned on VM deletion
  • MAC pools: same as with IP pools, but for MAC assignment
  • Virtual IP pools: assigned to service tiers in a service template that use a LB.  Assigned to clouds.  Checked in/out on creation/deletion.  Reserved within IP pools

Supported LB: MSFT NLB, Citrix NetScaler, F5 Big IP, Brocade ServerIron ADX.  Each requires a provider.  Specify type of LB, e.g. round robin, etc.

Demo of Cluster Creation

2 Nodes, A and B.  They are discovered in VMM, using a RunAs account.  Creates a new cluster in Fabric.  Adds the two hosts from the host group – must be in a single host group like in 2008/R2.  Can optionally do the cluster validation tests (recommended).  Assign a cluster IP.  Now allocate the previous storage to the cluster.  Checkbox to enable CSV in the disk selection.  And that creates the cluster – some simplification of the networking story here.

Can manage Hyper-V, vSphere 4.1 (via vCenter only) and XenServer 6.0. 

Demo of Cloud Creation

Create a cloud in VMs And Services.  Select a host group or VMware resource pools.  Select logical networks.  Select LB VIP profiles.  Any additional storage to allocate?  You can set quota on CPU, RAM, storage, custom quota points, and VM number.  You can control which type of hypervisor can be used. 

Creates a new role in Settings/Security. Select from admin, read only, or self-service for a cloud.  Select the clouds to assign to the role.  You can override the previous quotas, e.g. for the role or for the entire role, as a subset of the cloud’s quotas.  Add resources to the role, e.g. templates they can see.  Then you specify actions they can do. 

In App Controller, we see the delegated rights this role has, e.g. what they can deploy, how much, and what actions they can do.  The Self-Service Portal is there only for backwards compatibility, it’s been deprecated.

Typically people make a few clouds, e.g. Prod and Test, and then use roles to divide up the shared pool of resources.

They aim to support vSphere 5.0 with System Center 2012 VMM SP1.


Alex Juch, Architect, NetApp

Everyone wants cloud. No one knows what cloud is.

  • Gartner: 78% of IT shops will deploy a private cloud computing strategy by 2014.
  • CIO.COM: “62% of all IT projects fail”

You will fail if you approach this project as a technology project.  The architect needs to sell this as a business solution.  Architecture is the intersection between technology and business.

Reduce your risk:

  • Business risk: people and process, managed portfolios, IT/business alignment.
  • Technical risk: use reference architecture, platform bundles.

The customer must want to do this, you cannot coax/tease them into it.  Too much change in mindset and established process.

Abandon hope all ye who enter here.  I gave up listening, VPNed into the lab, and continued building a lab for work, happily finding that my COnfigMgr clients were pushed out, updates were downloading, Endpoint was deployed and updated, and I build a few collections and deployed some AV policy.

Get Adobe Flash player