Dirteam.com/ActiveDir.org Blogs

Hyper-V RC1 Released

Sander Berkouwer — Wed, 21 May 2008 07:24:12 GMT

Microsoft is definitely making progress on its Virtualization line-up. Yesterday they released the Release Candidate 1 (RC1) bits for Windows Server 2008 Hyper-V to supersede the Release Candidate 0 (RC0) bits, many of us might already be running.

Now is the right time to start testing Hyper-V if you haven't already begun doing so. This release Microsoft states is feature complete. You might also recall Microsoft stating upgrading from RC builds of Hyper-V RC to RTM would be seamless. I guess August 2nd is also still in the picture.

Just like with the release of the RC0 bits, Microsofts announcement follows on a VMWare announcement. VMWare announced stating that they've created a certification program for thin client vendors and expanded their offerings for the virtual desktop market. They also introduced a new joint desktop WAN solution for thin clients in conjunction with Sun Microsystems.

What's new

I feel Microsoft really listened to feedback from people working with the Beta and RC0 bits, because RC1 now supports Windows 2000 (with Service Pack 4) as guest operating system. A feature much of our Penguin-loving friends will like is the mouse integration support, which is available for Hyper-V RC1 as a separate download from connect.microsoft.com.

Furthermore

Taylor Brown posted some issues you might encounter when installing RC1. I suggest you read them before upgrading and/or before expecting to much. (most notable: SCVMM2008's incompatibility)

Download

Update for Windows Server 2008 x64 Edition (KB950049)

To manage Windows Server 2008 Hyper-V from Windows Vista install the updated Management Console to enable remote management of a Windows Server 2008 computer running the Hyper-V RC1 role:

Denying the change of password related bits on user objects

Jorge — Tue, 20 May 2008 19:24:15 GMT

In every AD domain it is possible to implement one or more password and account lockout policies. In W2K/W2K3 AD domains you can only define one password and account lockout policy and in W2K8 AD domains you can define multiple password and account lockout policies. For more info about that see:

So, as a domain admin you set up one or more password and account lockout policies, you delegate either the creation of user accounts or write permissions for the "userAccountControl" attribute (for example to disable user accounts) and you are good to go! The delegated admins that create user accounts should use passwords according to the definitions in the password policies. That is true, but there is a small "but…" here you might have missed.

Because the delegated admins either have full control over user objects or at least write permissions on the "userAccountControl" attribute, they are allowed to change each single bit that is represented by that attribute. For more info also see: "userAccountControl" attribute - It can be a pain to delegate!

Everyone that is allowed at least write permissions on the "userAccountControl" attribute is able to change the bits it represents and therefore also the password related bits like configuring a password never to expire or configuring a password with reversible encryption or configuring the account without the need of a password.

I'm talking about the following bits:

"Password Never Expires" which can be configured with ADUC
"Store password using reversible encryption" which can be configured with ADUC
"Enable Password Not Required" which can be configured from the command line using NET USER….

Remember the password policy you just created that everyone MUST use? Because of the permissions on the "userAccountControl" attribute might go down the drain and you might still end up with accounts that do not comply with the password policies that are configured

So, is it possible to prevent this? Yes!

In W2K you can only prevent this by using a third party proxy tool to manage user objects. In W2K3 and later you can use three new extended permissions to prevent those bits from being edited, even if the admin has the permissions mentioned earlier. The three (new) "Extended Rights" are:

"Enable per user reversible encryption"
"Unexpire password"
"Update password not required bit"

These need to be configured at the domain level (required!) for "This Object only" with either ALLOW or DENY for a certain group. By default "Authenticated Users" have permissions for those three extended rights. But, it does not mean authenticated users can screw around with the password related bits in the "userAccountControl" attribute. You still need to have at least the permissions mentioned earlier. So, what you can do is create ONE group in AD for ALL three extended rights or ONE group in AD for EACH of the mentioned extended rights and configure it at domain level with a DENY ace and put everyone in the corresponding group(s) that has at least Full Control on user objects or write permissions on the "userAccountControl" attribute, BUT should not be able to screw around with the password related bits on the "userAccountControl" attribute. In the picture below you will find an example of such configuration

Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------

Virtualization - is it only a sweet?

tomek — Mon, 19 May 2008 20:51:00 GMT

Probably we all use virtualization which in past few years has become new holy grail of personal computing and not only. We all use them (VMs), basically those of us who are working as developers, consultants or sys admins can't live without them. So it is only good about virtualization ... ? It is cheap, it is handy ... what can be wrong ?

Probably nothing and this is probably only my thought going around my head but some incidents with a network from past Friday and Brian Puhl's blog about problems with networking and IP addresses makes me think that maybe for corporate environments we are missing one piece of a puzzle - CONTROL.

Maybe it isn't so important if we think about VMWare ESX and Hyper-V closed in a data centers and hosting our main business services. Both technologies provides a way to control who can do what on given instance. However what we can't control is hundreds or maybe thousands of VMs running on desktops and laptops here and there in our networks.

As far as I know any of current virtualization products available on a desktop machine is not providing easy way to control simple things like:

how many virtual machines is running on a host
how many VMs user actually CAN run on host
can user attach VMs to physical interface and in result to our network
how many software licenses are being used in VMs.
etc.

This is aspect which completely missing form these products, which may be result of a fact that there is no need for such mechanisms and my thoughts around this are completely incorrect. What I know now is that if we will look at a clash of two sides which are "Administrator" and "User running VMs" the former is standing on a loose position.

From my perspective, what I'm thinking about as a solution on a Windows platform is:

WMI interface which will allow to query for different aspects of virtualization running on a host (I'm not referring here to hypervisor based virtualization, but Hyper-V has some WMI interfaces built-in)
GPO for controlling some of aspects of virtualization products, like:

allow to use virtualization on a host
if VMs can be connected to physical network interfaces

What could be also nice addition would be easy to use interface to distinguish if OS is running inside of VM, for Windows platform preferable as a WMI interface. When I wrote about it on my Polish blog my friend Pawel, who is very skilled guy when it comes to security pointed me out that in security world this isn't something you want to have as malware is checking if it is running in VMs to make analysis a bit harder. However I might think about interface which can be switched on\off by administrator as a solution.

So ... this is something which was going around my head last Friday and maybe I'm completely wrong on this while thing. But ... yes, there is but which makes mi think that I would be very glad to find a bit of more control over virtualization in my network.

Looking for .Net and Powershell on Server Core?

Sander Berkouwer — Mon, 19 May 2008 07:14:53 GMT

Look no further. Quest Software’s Dmitry Sotnikov has got .Net Framework 2.0 and Powershell 1.0 running on Server Core installation of Windows Server 2008. I know this is something a lot of people have been asking for, but the best way to describe my feelings at this moment is ambiguous.

Why it's been left out in the first place

There are reasons Microsoft didn't include the Visual C++ Redistributable Package, the .Net Framework and Powershell in Server Core. I've described these reasons before.

It compromises the small footprint and the lightweightedness of the system. Since 1 GB is the goal for the hard disk footprint the .Net Framework is out of the question. Besides: Server Core is supposed to be the low-maintenance Server Operating System. I don't want it to reboot every second Sunday night of the month to install yet another Hotfix, Rollup, Service Pack or any other newer version of the .Net Framework...

Why this is not a good thing

First, this is an unsupported configuration. Running an unsupported configuration of software components might get you in problems pretty fast. Let's take a look on Jeffrey Snover's point of view:

Just to be clear, this is not a MSFT supported configuration. That does NOT mean that we think it won't work. What it means is that if it doesn't, you have to leverage the community to help you figure it out instead of Microsoft support. [Insert your favorite snarky remark here] :-)

Second, since Dmitri's main focus was to make Powershell running most of the actual .Net Framework functionality is missing. Server Core doesn't offer all the Win32 API's needed all the .Net classes. Powershell indeed runs without errors

Third, making the .Net framework available on Server Core installations of Windows Server 2008 doesn't begin to unlock the potential of the .Net framework. You still can't get ASP.Net running within Internet Information Services (Who's up for that challenge?) and you still can't utilize Server Core in more advanced Infrastructure scenario's, like anExchange Server 2007 Edge Transport server...

Four, there is no indication (at all!) you will actually receive updates for .Net framework on Server Core installations of Windows Server 2008. I don't know the flowchart for the Windows Update processes for Server Core, but I don't expect a check for the installation of the .Net framework. In my opinion the .Net framework is the most cumbersome component of Windows to keep up-to-date... Good luck with that!

Why this is a good thing

Having Powershell on Server Core installations of Windows Server 2008 provides an unified way of managing your Windows systems throughout your complete environment.

Backward Compatible Networking with Server Core

Sander Berkouwer — Thu, 15 May 2008 09:54:26 GMT

It's more likely you're going to implement your Server Core boxes inside a legacy environment, than implement them inside a new Windows Vista, Windows Server 2008 only environment.

I'll try to explain the 'Next Generation IP Stack' which was introduced with Windows Vista and is also present in Windows Server 2008, both in Full and Server Core installations. I'll show you how to tweak down some default global TCP settings, that are part of what Microsoft calls the "Scalable Network Initiative".

Tweaking down will ensure you can access your Server Core boxes without delays from Windows 2000, Windows XP and Windows Server 2003.

The stuff in this post will also be very useful when you deploy Server Core inside a networking environment based on 100Mb/s (or slower) infrastructure, since most of the default tweaks in the "Scalable Network Initiative" assume you have a Gigabit Network Interface Controller.

Note:
For copper-based Network Interface Controllers Windows Server 2008 ships with Gigabit Network Interface Controller drivers only. When you want to use your 10Mb/s or 100Mb/s Network Interface Controllers with Windows Server 2008 you need to manually add drivers.

Default settings

The default settings for the Transmission Control Protocol (TCP) part of TCP-IP are easily readable in Server Core installations of Windows Server 2008.

The command to use is:

netsh interface tcp show global

This will show you the settings for:

Parameter	Default value
Receive-Side Scaling State	enabled
Chimney Offload State	enabled
Receive Window Auto-Tuning Level	normal
Add-On Congestion Control Provider	ctcp
ECN Capability	disabled
RFC1323 Timestamps	disabled

Receive-Side Scaling

Receive-Side Scaling is a technology which allows a Windows Vista and later Microsoft Operating Systems to utilize multiple processors to handle the network stack. Technically it allows large file transmissions to be processed in a parallel manner. Packets are balanced between your processors (or cores) through the use of a software hash codes and hardware hash codes for each connection.

The origin or Receive-Side Scaling

In our multi-core and even multi-processor systems not having Receive-Side Scaling might mean one processor would be utilizing 100% CPU, while the other would be virtually doing nothing. In the case of a File Server you might want both processors to be used and the load to be balanced.

The problem with Receive-Side Scaling

The problem with Receive-Side Scaling is it's susceptible to packets that were changed before they were received. The hashes don't match in that case and the connection is dropped. Microsoft acknowledges this is a problem when NAT, ICS, ISA Server or other firewall products are used. If your anti-virus software includes a firewall (and most do) this might present a problem.

How to turn of Receive-Side Scaling

Using the command line

To turn off Receive Side Scaling on your Server Core installation of Windows Server 2008 simply type the following command:

netsh interface tcp set global rss=disabled

Using the registry

Alternatively you can edit the settings for Receive-Side Scaling in the registry, although this will require a reboot, since the values to modify exist or need to exist in the following place in the registry:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

By default you wouldn't find a REG_DWORD value for EnableRSS in this registry key. If you want to disable Receive-Side Scaling though, you need to create it manually. After you created the new value you can set the data to 0, which means disabled. If the value is not present, create it. If you decide to enable it afterwards you can change the value to 1, which meant enabled.

For more information on Receive-Side Scaling please read the Scalable Networking with RSS Whitepaper on the Microsoft Website.

Chimney Offloading

TCP-IP Chimney Offloading is a pretty neat technology that takes advantage of the current generation (Gigabit) Network Interface Controllers that have been equipped with a TCP Offload Engine (TOE). These Network Interface Cards are capable of managing connections and traffic on their own. By offloading a lot of calculations of this traffic from the CPU to the Network Interface Card (NIC) you can use your CPU to calculate other things.

The word chimney is derived from the Chimney Architecture and finds its origin in the (OSI) Stack. The purpose of the chimney is to isolate traffic between the top and the bottom of the chimney. Vents in the chimney (that is, special function calls for manipulating the offloaded control plane) allow the host stack to query, update, invalidate, and terminate the offload state.

Microsoft has acknowledged some problems with Chimney Offloading.

How to turn off Chimney Offloading

Using the command line

If you don't have a Network Interface Card with a TCP Offload Engine (TOE) or just want to ensure proper network traffic flow you can disable TCP Chimney Offloading using the following command:

netsh interface tcp set global chimney=disabled

Using the registry

To disable Chimney Offloading using the registry you can browse to the following key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

You should see a REG_DWORD registry value named EnableTCPChimney. The data for this registry entry would read 1 by default, which would mean enabled. To disable TCP Chimney Offloading change the data to 0, which resembles disabled. If the value is not present, create it.

You need to reboot your Server Core box to make your registry changes take effect.

Receive Window Auto-Tuning

When you have a broad network connection you might want to use it efficiently and that is exactly what the IETF had in mind when they worked on RFC 1323 back in 1992. One of the new things in RFC 1323 is Receive Window Auto-Tuning, which allows the receiving end of a TCP connection to advertise a larger 'window' in TCP-IP packets to transmit data in. This allows for a higher percentage of data in relation to headers in TCP-IP packets, increasing the effective bandwidth on these connections.

There are 5 modes for Receive Window Auto-Tuning:

Disabled
Fix the receive window at its default value. (65535 bytes)
HighlyRestricted
Allow the receive window to grow beyond its default value, but do so very conservatively.
Restricted
Allow the receive window to grow beyond its default value, but limit such
growth in some scenarios.
Normal
Allow the receive window to grow to accomodate almost all scenarios.
Experimental
Allow the receive window to grow to accommodate extreme scenarios.
WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.

Unfortunately not every device has RFC 1323 implemented in a way that allows compatibility. Microsoft mentions examples of these devices inside KnowledgeBase Article 934430.

How to turn of Auto-Tuning

To disable Receive Window auto-Tuning on your Server Core installation of Windows Server 2008 type the following command:

netsh interface tcp set global autotuning=disabled

Alternatively you can choose one of the remaining 3 modes for Receive Window Auto-Tuning to change the default 'normal' setting. Setting Receive Window Auto-Tuning to 'Restricted' should best fit your situation.

Concluding

In Windows Server 2008 the Network Interfaces are tweaked by default. You can change a couple of global settings to undo these tweaks so you can enjoy Windows Server 2008 inside legacy networks. To do so, issue the following commands:

netsh interface tcp set global rss=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global autotuning=disabled

Giant baby bull

Jorge — Tue, 13 May 2008 17:26:11 GMT

9 years, more than 1000 kg, 6 ft 6 inches…. Wow!

SOURCE: http://www.dailymail.co.uk/pages/live/articles/technology/technology.html?in_article_id=565909&in_page_id=1965

Cheers,

Jorge

The myth of the ICT-professional

Paul — Sat, 10 May 2008 09:07:00 GMT

With a pointedly 'Do you know which month it is ?', Sander reminded me that it was time for another blogpost. Not that I had forgotten, but the past weeks have been busy enough. That, and I wasn't 100% sure on which to write. Admittedly, an article had been brooding in the back of my mind for some time, but the shape and form had been eluding me for some time now. It's an article that may or may not offend some people while reading it, but quite frankly, I don't care.

So, here it is, my monthly contribution to the world of blogging..

Introduction

Lately, I've received quite a few job-offers. Once every while, when you update profiles on websites, the hordes of headhunters seem to spring into attention and jump for the bait. Quite frankly, I've felt tempted to add a PhD, Master-degree and a certification in advanced Yoga to the list, just to see what happens. Who knows.
Every mail I receive seems to contain the sentence 'We're looking for ICT-professionals who... [fillinofferedjobhere]'. At first, this seemed flattering. 'Look at me', I thought, 'I'm an ICT-professional'. A bit of pride swelled up inside of me, and I'd have to take a quick nap to make the feeling go away.

Then, one day, I was browsing through a few profiles on LinkedIn and their connections, and I didn't feel so special anymore. It seems that everyone is an ICT-professional these days. People who answer the phone at a call-center at your local DIY-computershop have now been named 'Customer Experience Management Professional'. Keith, the guy who waters the plants in your office, is now a Climate Management Professional.
And for the job roles that you possibly couldn't match with anything like 'Management' or 'Professional', we'll just have our wicked way with the term 'Consultant'. Everybody wants to feel special. The result is that everyone is now so special, that it's not too special anymore.

Classification

So what makes someone an ICT-professional ? Well, judging from the enormous selection of titles on vacancy-sites and such, moving your little home-PC from the cellar to your new study would just about do it. If you also manage to install a wireless router (consulting the manual is optional, but probably earns you the title 'Jr'), you're just fit about to be a consultant.
The only conclusion that I can draw from this that the term ICT-professional has been completely and utterly raped. It may be just my humble opinion, but having worked at an ICT-call center for three months, patching through customers to in-house technical specialists, does not make you an ICT-professional. It makes you a secretary, and you deserve a cuddle from your boss and a bouquet of flowers once a year at Secretary Apprecation Day.

But, let us for the sake of argument, classify an ICT-professional as someone who earns their living by performing ICT-related duties on a somewhat daily basis. I fully realise that this puts the true technical specialists on the same heap as Bob the one-day fly system administrator who couldn't open up a PC to save his life, but it seems that the job market has made it so.

Distinction

However, if we do that, how do we distinguish between aforementioned Bob and a technical expert ? Surely, I hear the masses cry 'Certifications!'. Ah. Yes. Certifications.
Let us have a look at those certicifations, shall we ?
A few days ago, I enjoyed a nice dinner in Eindhoven (where I live) with a group of co-workers. A part of the group had just attained the MCP-certification, another part of the group had earned themselves the chance to try again, and yet another part of the group consisted of general hangers-on (including myself and blogmeister Sander Berkouwer). As the formal spokesperson of all things Microsoft-related at our company, Sander made a short speech to rally the spirits into more development, search for wisdom and ambition. After the applause had died away, I too delivered a short speech, in which I stated that certifications were all nice and well, but did not determine if you're any good at your job. (One of the lads who had failed to pass the exam works for me at a customer, and does a great job, regardless of the MCP-shaped hole in his resume).
This little statement did not fall well with one of the accountmanagers present, who asked me if I thought that was a smart thing to say. I was happy to respond that, yes, I thought it was. I explained to him that I believe that letting people pursue certifications just to get the certifications is not a true worthwhile goal. As an example, I described an excellent servicemanager with extensive knowledge and experience in the field of ITIL and making things happen, who was forced to pass his MCSA as part of his yearly evaluation. As he rarely got into the nitty-gritty of servers, he had a particular tough time attaining this certification. This, I pointed out, was a perfect example of the 'Get them papers even if you don't need them'-mentality that seems to thrive in ICT-companies these days.
'But surely certifications are also meant to display your knowledge and capabilities in a field of expertise ?', he replied. My only response to that was the example of the paper-MCSE, a symptom that was suffered greatly during the Windows NT4 period, in which any complete twit could pass the NT4 exams with flying colours without even ever having touched a server. To this day, I believe that certifications are very poor indications of knowledge and experience; it only shows you either knew enough theoretical information on the morning of your exam, or that you were lucky enough to guess the correct answers.

Let us also not forget the excellent technical experts amongst us who could pass all MCSE-examens in less than a day's work, if only a) their boss would pay for it or b) they'd be bothered.

Don't get me wrong, I am not saying that certifications are pointless, but they are completely useless in determining a person's capabilities.If you're not convinced, have a look at the Certified Novell Sales Exams 2008 and get yourself a Novell-certification with no effort whatsoever. Go ahead. I dare ya.

Experience

So, if certifications are not a viable option to determine one's worth as an ICT-professional, what is ? Surely experience must provide a way out ?
True, experience gives away more than certification, but there is a catch. How is experience displayed ? Through resumes. A piece of paper. Written and judged by the same person who tries to sell himself to the world. Well, there is definitely a bit of a catch there, isn't it ? Ever seen a truly objective resume ? If you have, please frame it and hang it on the wall, because they are truly rare. Why, I fondly remember my time as an Interior Maintenance Professional, during which period I was personally responsible for the customer experience of over 500+ students, striving to perfect all bathroom-, hallways- and floral experience while not neglecting the wishes of 20+ employees whose joy of work solely depended on my performance! (This little example of resume-decoration refers to the time when I got to work at 6 in the morning to wipe the floors, clean the bathrooms and extract rather dried-up pieces of gum from underneath desks at a local university..)
When I conducted an interview at a customer to determine a candidate's suitability for the vacancy of systemadministrator, I first read his resume which looked impressive. Knowledge and experience with security appliances, management of a servicedesk, extensive systemadministration-skills..
At the interview, it turned out that the resume had neglected to mention that the 'security appliances' was a small Soho-firewall he had set up at home (once), managing the servicedesk consisted of getting in on time in the mornings so he could answer the one phone that the ICT-department had and his system administration-skills boiled down to double-clicking a script that reset several services on a server (a script written by someone who had left the company years ago). Candidate denied.

Talk the talk, walk the walk

Once again, let us make an assumption for the sake of argument. Bob is a candidate for the job of technical consultant at your company. Bob passed his certifications because he found the exams a challenge, and he passed them because of studying hard and having massive experience in the curriculum. Bob also doesn't know how to lie, so his resume truly displays what his career has looked like so far. Bob seems, in every way, the perfect match!

Then Bob comes in. He can't seem to take his eyes off the floor, looks like a big runny egg on legs dressed in an oversized parka, has the charisma of a piece of roadkill and when, by chance, his eyes do meet yours, you have trouble resisting shaking him while shouting 'Make some human contact, curse you!!'. Yep. Bob's definitely perfect for the job.. provided you put him in a dark room somewhere with a lot of TFT-screens and toss some food inside every once in a while. He won't join anyone for lunch, because in his breaks he's rewriting mathematical algorithms for fun. When it comes down to it, Bob is a complete and utter stereotype nerd. Even though he'll do his work just fine, it's impossible to send Bob to any customer.

Thankfully, the clever people who write job advertisements have circumvented this possibility by stating that candidates need to have excellent social skills.. yeah. Right.

Appreciation

Of course, HR-departments throughout time have understood that measuring and appreciating people is a complex matter, and a solution was found. Using lists of levels and competencies, ICT-professionals are swiftly classified by using criteria such as 'Must have a pro-active attitude towards commercial opportunities at customers' and 'Is capable to establish social contact between co-workers easily'. Apparently, the clever people at HR seem to think that a person can be judged solely by numbers and standard classifications, which is, of course, a load of nonsense. I've met plenty of excellent people who, because of these criteria, never got further in the direction they wanted because they lacked (sometimes by choice) the qualification for some of the criteria. Only the reincarnation of Mother Theresa, after years and years of training and practice in the field of IT, management and psychology, could perhaps hope to ever comply with these ridiculous demands.

Conclusion

As some of you may know, I study musictheory in my spare time, hoping to become a better composer of music. A little while, I read an interview with a composer who stated that anyone who had not graduated from the conservatory is not a true composer or musician. Oddly enough, I've played with many excellent musicians who couldn't even read a sheet of music. In his world, these people should not be allowed near a musical instrument; yet, even though they knew nothing of theory, had no certification, never passed exams that said 'Hey, you're a musician!', they played with a feeling and passion that would shame even the most avid graduated musician.

Personally, I feel that there is only one way to truly judge a person's qualification for their job, and that is the judgement of their peers. In the same ways that musicians recognize fellow musicians and their skills, people in ICT recognize the skills in their peers. It's not unthinkable that a group of experienced ICT-consultants would gladly choose someone as their colleague who doesn't possess the slightest certification or even has a career in ICT on their resume, just because they've all seem him or her at work. This person, however, could only hope to be given a chance of becoming a call-center support employee if the industry itself had any say in it.

The greatest appreciation is a pat on the back by someone you look up to, a fellow administrator, developer or architect (let's just use the real terms, shall we, instead of titles that consist of five words with four syllables each), saying 'Great job!' and mean it. Only a peer can judge your worth, and the bigger the group of peers, the more accurate the judgement will be.

Now, if you will excuse me, all this ranting has made me thirsty, and it's time to contact my local Beverage Distribution Management Center and make some coffee..

PS: If you've actually read this entire rant to the end, you might get the impression that I believe myself to be an expert on ICT. I don't. I do, however, get fed up with complicated, meaningless titles, ridiculous methods of trying to ascertain one's skills and other ways to insult the complexity of the human mind. I've seen plenty of it throughout the years and it just seems to get worse now that ICT begins to take an even more prominent role in our everyday lives. There is no such thing as 'The ICT-professional', because that'd require the existence of a perfect, serene person who has complete control over their emotions at all times, while having studied every single scrap of information on every aspect of ICT ever, who is also fun to be around, trustworthy and all those other things we appreciate in other human beings.
It seems, however, that with the ICT-hype taking off again full flight, that a lot of people think themselves to be just a bit more than they are, simply because the sign by their office door has to have two lines to display their full title. Not to mention the presence of no less than two real plants in their office, watered by Bob, the Senior Floral Management Executive on a day-to-day basis..(Keith, mentioned earlier in this post, has become a gardener at the local park and is quite content with it).

Monitoring Server Core from the command line

Sander Berkouwer — Thu, 08 May 2008 14:05:05 GMT

A server running a Server Core installation of Windows Server 2008 could behave flaky from time to time. Monitoring it gives clues towards this behavior and/or provides insight in why it behaves flaky. I've taken a closer look at monitoring Server Core boxes from the command line and want to share my experiences with you on this matter today.

Task Manager

The Task Manager is a perfect utility to monitor your Server Core in a way that has been familiar since Windows 95. You can start it in any of three ways:

Press the Ctrl, Alt and Del keys at the same time and select Start Task Manager from the list.
Press the Ctrl, Alt and Esc keys at the same time
Type taskmgr.exe on the command prompt

It can be used to monitor:

Running applications and tasks
Processes
Services
Performance (CPU and RAM usage)
Networking
Logged on users

The Task Manager is perfect, but unfortunately it lacks on a couple of points:

It has no logging
It doesn't include disk space monitoring

This is on full installations of Windows Server where the Performance Monitor comes in.

Performance Monitor

The graphical version of the Performance Monitor is not part of Server Core. Fortunately there is a command line driven version available, which can be used to monitor your Server Core box from the command line. It's called logman.exe

Even though logman.exe is a command line tool it's a really impressive monitoring tool, since it can collect counter, trace, alert, configuration and API tracing collectors. It supports many functions of Performance Monitor from the command line. The two great things logman.exe lacks are the ability to draw graphs and to point-and-click your queries together.

Selecting counters

To select a counter to monitor using logman.exe you need to know the name of the counter to add. logman.exe however doesn't provide this functionality. Fortunately typeperf.exe does.

To find a performance counter to monitor type the following command: typeperf.exe /q This will display a list with (installed) counters without instances. To list the performance counters with their instances type: typeperf.exe /qx

The list of performance counters is extensive, but using the find command on the output might help narrowing down what you're looking for. For instance, when you're looking for performance counters related to disk, type the following command to display disk-related performance counters:

typeperf.exe -q | find "Disk"

Narrowing down my search criteria, by executing find commands consecutively on the -qx option for typeperf.exe, I finally found the disk-related performance counter instance I was after (\PhysicalDisk(0 C:)\Disk Transfers/sec) using the following command:

typeperf.exe -qx | find "PhysicalDisk" | find "Disk Transfers/sec"

Building the data collector

Now that I found the performance counter I was after I can build the data collector.
My intention is to have a csv file with transfers/sec for the last few days, collected every 5 seconds. Your needs may vary, but the process to build your data collector would be identical.

logman.exe create counter DiskTransfers -f csv -c "\PhysicalDisk(0 C:)\Disk Transfers/sec" -max 10 -si 5

Where:

DiskTransfers is the name of the data collector within logman.exe
-f csv specifies the file format of the log for the data collector
-max 10 specifies the maximum file size of the log file in MB
-si 5 specifies the sample interval in HH:mm:ss format

Viewing the data collector

Now that we created the data collector we can view the collector. When you start logman.exe without any command line switches it will output defined data collectors and their state. As you'll find out freshly created data collectors are not started automatically.

The properties for a data collector (besides whether it is actually doing anything) can be viewed using the query command line switch. To view the properties of my freshly created data collector (the first on my Server Core box) I used the following command:

logman.exe query DiskTransfers

Starting the data collector

What use is a data collector when it's sitting idle on your box? Let's start it up, so it starts collecting the stuff it is supposed to be collecting by using the following command:

logman.exe start DiskTransfers

Modifying the data collector (if need arises)

After you've created a data collector you can edit its properties by using the update command line switch. Deleting can be done using the delete switch. Both commands use the name of the data collector within logman.exe as their starting point for modification.

Using collected data

While working in black prompt windows might be enough to baffle your co-workers it won't impress your boss much. What will really impress him (or her) is showing you're on top of things by staring endlessly at nifty excel graphs you created within seconds.

In my case I pulled the DiskTransfer_000001.csv file from the C:\Perflogs\Admin folder of my Server Core box and worked some Microsoft Office Excel magic on it.

Other tools and products

Disk usage (du.exe)

One of the many useful free Windows SysInternals tools is Disk usage (du.exe), which is currently at version 1.3.1. This tool is capable of reporting disk space usage for the directory you specify. By default it recurses directories to show the total size of a directory and its subdirectories.

Using du.exe is as simple as downloading the zip file and unzip it to a location where your Server Core box can reach it. There are several ways to accomplish this. After you've copied it to the hard disk of your Server Core box you can use it in the following manner:

du.exe [[-v] [-l ] | [-n]] [-q] FileOrDirectoryPath

Where:

-l specifies the subdirectory depth of information
-n tells du.exe not to recurse folders (only information on current folder)
-q specifies not to print the banner
-v specifies to show information in intermediate directories

Examples:

du.exe -v -q C:\Perflogs

Note:
The first time you run the utility you need to agree with the End User License Agreement (EULA) before you can use this tool.

While this command will output its information to the prompt it can be told to output to a file. Scheduling the command then might prove useful to monitor disk usage and act proactively on disk usage trends.

Process Explorer

The built-in Task Manager has evolved over the past years. It now includes networking information for instance. Process Explorer is a free Windows SysInternals tool that offers even more realtime monitoring functionality. It can be used to search for thread handles and running DLLs and can explore individual processes: You can see events, files, devices, and registry keys being accessed.

If Process Explorer is one of your favorite tools you can trade in your Task Manager for Process Explorer in the following manner:

Download Process Explorer (1.6 MB) (currently at version 11.13)
Unpack the zip file and get the executable onto your Server Core box.
Open Process Explorer by typing procexp.exe
Click the button 'Agree' when presented with the End User License Agreement (EULA)
In the Process Explorer window open the Options menu
Select Replace Task Manager.

You can now start procexp.exe the same way you would start taskmgr as described at the beginning of this post.

Concluding

The Task Manager (taskmgr.exe) and the Performance Monitor are perfect tools to monitor a Windows installation locally, but unfortunately the latter is not part of Server Core. You can find another tool on your Server Core hard disk that's useful for monitoring though: logman.exe

The Mystery of Hyper-V's Limit Processor Functionality? (Part 2 - Final)

natasham — Sat, 03 May 2008 20:04:00 GMT

In this post I discuss how you can determine: 1. If your operating system is running on a hypervisor, 2. The processor feature differences presented for an operating system running directly on hardware versus a parent partition operating system on a hypervisor, 3. The processor feature differences presented for a child partition operating system running without LPF set versus one that does. ...(read more)

Installing Windows Server 2008

Sander Berkouwer — Thu, 01 May 2008 09:57:59 GMT

There are a couple of ways to install Windows Server 2008. When you're lucky enough to get your hands on a physical copy of a Windows Server 2008 DVD you can use that, but what if your target system doesn't have a DVD player? What if you want to install it in a different way? What if you wanted to save some time? Read on!

Installation methods

You can install Windows Server 2008 using the following media:

A physical DVD
A DVD image (an *.iso file)
A Bootable USB stick
Your TCP-IP enabled network

Using the physical DVD

Installing Windows Server 2008 using the Physical DVD is the most reliable, but also the hardest and slowest way to get the Operating System on your box.

It's the most reliable way when you have a pressed (instead of burned) DVD copy of Windows Server 2008 and you received the copy from a legitimate source, for instance your reseller or a MSDN, TechNet, Select or other subscription box. There's only a negligible chance a malicious person would have been able to modify the bits and bytes on the disc.

It's also the hardest way to get the Operating System on your boxes, since you won't have the ability to change the bits and bytes on the media (without getting it off the disc first) which is what you would want to be doing when you know your way around the Windows Automated Installation Kit (WAIK)

I don't recommend using this method when you need to install a lot of Windows Server 2008 machines. I think it's the slowest way to install dozens of servers. If you need to install these amounts of server I suggest you read along.

Using an image

There are multiple ways to get your hands on a Windows Server 2008 image. Microsoft offers a download of Windows Server 2008 in *.iso format with certain subscriptions, such as MSDN, TechNet and Volume License subscriptions. On the other hand you could also rip your Windows Server 2008 DVD to an image with Alex Feinman's ISOBurner. (I use and recommend this tool. Some people seem to prefer WinImage)

Microsoft also offers the bits for evaluation.
While this doesn't sound very appealing to IT Pros who have been around long, let me clarify: Microsoft no longer works with specific media types, bound to specific product key families. In the past you'd need OEM media to work with your OEM product key, VLK media with your VLK product key and trial media were only usable with trial keys. Now you can simply download the media and use any product key to activate it for the scenario the product key allows. (Some minor differences still exist)

An image file can be mounted (for instance with Daemon Tools lite) and burned to physical media.

Virtual deployments

Images are perfect for virtual deployments. You can use the free Virtual PC or Virtual Server products from Microsoft, Microsoft Hyper-V products, Citrix' XenServer products, VMWare Server and VMWare ESX products (among others) to make a virtual box on which you can mount the image file as a virtual DVD and install from there. Since the host machine can read the image from the hard disk this will significantly bring down install times in virtual deployments.

Physical deployments

Having an ISO file of Windows Server 2008 instead of having a physical copy could actually save you a lot of work if you need to deploy dozens of boxes. Using the Windows Automated Installation Kit (WAIK) you can edit the unattend.xml file on the DVD to reflect the input you either need to input manually at every installation. Information you could set in the unattend.xml file include (but are not limited to):

Administrator password
Domain Name or Workgroup Name to join
Computer name
Drivers
Installed server roles and features

A complete list is available. After making your own unattend.xml you can easily copy your version over the version in the image. You can then choose to either burn the image or use it for other purposes, like virtual installations.

Hardware redirection

Another way to utilize an image file is to use it with hardware redirection. Dell Remote Access Controller (DRAC), HP Integrated Lights-Out (iLO) and IBM's family of Remote Supervisor Adapters (RSA) are perfect examples. They allow you to connect an image file to the server to function as a virtual CD or DVD drive. The server can then boot from the image file stored locally on your workstation or available remotely on a central resource. You can also insert the DVD disc into your workstation’s optical drive and tell it to use your drive by drive letter. This is one of the preferred ways to install Windows Server 2008 on blade systems without DVD drives.

Using a bootable USB device

If you really need speed to install a couple of Windows Server 2008 boxes I recommend placing the installation files on a high-speed USB Stick.

Hard drives are usually connected to one Host device and USB channels are connected to another host device chip on your motherboard. Installing from an USB device therefor won't hog the host devices for your hard drives (like when using an image) and won't lag like a normal DVD player would do while spinning up and spinning down. When you choose to use an USB flash drive (called an USB stick around here) instead of an USB hard disk (slower) you can achieve lightning speeds. To make your bootable USB device, simply type the following commands on a system with the image mounted or physical DVD copy in the drive and the USB device plugged in:

diskpart.exe

DISKPART> list disk

     Select the USB device from the list and substitute the disk number below
     when necessary

DISKPART> select disk 1
DISKPART> clean
DISKPART> create partition primary
DISKPART> select partition 1
DISKPART> active
DISKPART> format fs=fat32
DISKPART> assign
DISKPART> exit

xcopy X:\*.* /s/e/f Y:\

     where X:\ is your mounted image or physical DVD and Y:\ is your USB
     device

Now all you need to do is plug the device into your target box' USB slot and boot it.
(The target system will need to have USB slots and be able to boot from USB devices)

Using the network

There are a couple of ways to install Windows Server 2008 using the plumbing of your internal TCP-IP infrastructure.

Using Windows Deployment Services

Windows Deployment Services is the successor to Remote Installation Services. (RIS)
It was introduced with Windows Server 2003 Service Pack 2. Windows Deployment Services in Windows Server 2008 in contrast to Windows Deployment Services in Windows Server 2003 knows how to multicast, which is a pretty neat feature, which in my opinion makes using Ghost, TrueImage and other imaging solutions obsolete.

The only drawback to using Windows Deployment Services (WDS) is you need an Active Directory environment. While this sounds unlikely even in 2008 you might find networks without Active Directory.

Using the Microsoft Deployment Toolkit

On top of using the Windows Automated Installation Kit (WAIK) and Windows Deployment Services you can use a Solution Accelerator for further guidance. Microsoft offered the Business Desktop Deployment Solution Accelerator (BDD) for clients and is now offering the Microsoft Deployment Toolkit 2008 as a sort of umbrella over the existing deployment tools for Windows Vista with Service Pack 1 and Windows Server 2008. (More information on centrally deploying Windows Vista can be found here)

When used in conjunction with Systems Management Server (SMS Server) or System Center Configuration Manager (SCCM) you can achieve deployments without touching client machines, (zero touch) while preserving client settings and user experience.

Using 3rd party solutions

You can use 3rd party imaging solutions to install Windows Server 2008 over the network. Symantec Ghost for instance offers the ability to image Windows installations, but it doesn't need a Directory solution. It helps when you have a DHCP server though. Using a 3rd party solution might require you to purchase licenses, which might prove costly.

Concluding

This page shows how to install Windows Server 2008 on almost every imaginary box. Not having a DVD player and not having USB ports is no longer an excuse not to install it on a box that meets the minimum requirements.

I've showed you how to do it. I'll finish up with a nice table when to use a specific method:

Installation method	Use when:
Physical DVD	Installing one or two boxes, nothing too fancy...
Image file	Installing virtual servers Installing blade servers Transition and Alteration of media
USB device	Installing virtual servers or installing multiple servers fast Installing on servers without DVD drives
TCP-IP network (WDS)	Installing loads of servers ( > 10) in an Active Directory
TCP-IP network (Ghost)	Installing loads of servers ( > 10) in any environment

Microsoft Protocol Documentation

Jorge — Tue, 29 Apr 2008 09:54:14 GMT

A while ago Microsoft started publishing protocol documentation about their products. In time more and more protocol documentation is becoming available that contains a lot of information about the corresponding products. One thing to note, be careful when pressing the print button! It contains TONS and TONS of information to print/read that would take ages to get through and it would probably cost a rain forest somewhere!

Protocol Documentation:

Discussion Forums about the Protocol Documentation (Tech Stuff):

More information: Microsoft Protocol programs

Press release: Microsoft Publicly Posts Additional Protocol Documentation

Cheers,

Jorge

All the information about designing, implementing, using and troubleshooting Group Policy

Jorge — Tue, 29 Apr 2008 09:32:11 GMT

Always wanted to have all the information about designing, implementing, using and troubleshooting Group Policy in one place? Well, here it is then. Go and get the Group Policy Survival Guide (HTML) and (PDF)!

Cheers,

Jorge

Dirteam.com/ActiveDir.org Blogs

Hyper-V RC1 Released

What's new

Download

Further reading

Denying the change of password related bits on user objects

Virtualization - is it only a sweet?

Looking for .Net and Powershell on Server Core?

Why it's been left out in the first place

Why this is not a good thing

Why this is a good thing

Backward Compatible Networking with Server Core

Default settings

Receive-Side Scaling

The origin or Receive-Side Scaling

The problem with Receive-Side Scaling

How to turn of Receive-Side Scaling

Using the command line

Using the registry

Chimney Offloading

How to turn off Chimney Offloading

Using the command line

Using the registry

Receive Window Auto-Tuning

How to turn of Auto-Tuning

Concluding

Further reading

Giant baby bull

The myth of the ICT-professional

Monitoring Server Core from the command line

Task Manager

Performance Monitor

Selecting counters

Building the data collector

Viewing the data collector

Starting the data collector

Modifying the data collector (if need arises)

Using collected data

Other tools and products

Disk usage (du.exe)

Process Explorer

Concluding

Further reading

The Mystery of Hyper-V's Limit Processor Functionality? (Part 2 - Final)

Installing Windows Server 2008

Installation methods

Using the physical DVD

Using an image

Virtual deployments

Physical deployments

Hardware redirection

Using a bootable USB device

Using the network

Using Windows Deployment Services

Using the Microsoft Deployment Toolkit

Using 3rd party solutions

Concluding

Further reading

Related reading

Microsoft Protocol Documentation

All the information about designing, implementing, using and troubleshooting Group Policy