Virtualization, Cloud, Infrastructure and all that stuff in-between

Final day of this TechEd.

First-up a session with Mark Minasi on 2 of Vistas least understood security features, User Account Control (UAC) and Windows Integrity Levels (WIL)

Mark is another of the popular TechEd regulars and always gives a good show, he’s written many good books which I own 🙂

the key points for me were;

UAC – User Account Control

• much maligned but still a good protection tool, Mark did a good overview of how it works.
• Windows 95 is the root of all problems, the design principal that system/app configuration only went into HKEY_LOCAL_MACHINE and all per-user configuration should go into HKEY_CURRENT_USER was never adhered to by developers as there was no real requirements to do so, thus Windows has been lumbered with maintaining backward compatibility for generations so as not to upset the user experience.
• Interesting/geeky point for me was that when the screen grey’s for the UAC prompt it’s actually a terminal services based session that presents the UAC dialog and places a grey’d out screenshot of the users desktop as wallpaper.
• When running with UAC enabled, user accounts (even administrators) are run with least privelidge by splitting the authentication token in two, standard and administrative. this breaks some applications that need administrative access, so this is controlled by prompting for credentials (elevation) that run just that process with the required administrative credentials, this requires an application restart if it does not do it at start-up.
• you can manually specify which applications should run with Administrative rights, most built in Vista applications are provided with an compiled in manifest resource record that marks them as requiring UAC elevation.
• Your own or 3rd party apps that do not have this manifest available can be given the same functionality either by marking the file by looking at its compatability settings or using a corresponding .manifest file if you have to distribute the file (if you rename or move the .exe the former method stops applying).
• The built-in Administrator account never sees any UAC prompts regardless of how it’s configured.

WIL – Windows Integrity Levels (formerly Mandatory Integrity Controls)

• WIL was of much more interest to me – it is a core part of Vista protection and works on the basis of assigning integrity levels to files and processes, an integrity level overrides traditional ACL’s and permissions and is on the basis that you cannot change an integrity level unless you have an equal or higher integrity level.
• It was designed to prevent alteration of critical system components (and thus stability/security) even by inattentive administrators or malware that has tricked the user into running it with elevated permissions – it placed several hurdles that administrators must clear to make changes and discouraged casual/badly thought tinkering… which is one of my main bug-bears with Windows, the server OS looks too much like the desktop OS, familiarity breeds contempt in my book.
• It proved controversial/unpopular with the technical community during early betas and was removed at the RC stage; however as Mark put it “they took the sinks away but left the plumbing”, which means its still there and could be exploited by someone building root-kits/malware as it would be very hard to remove or detect without some expert knowledge.
• Mark hinted that he’s been flagging this with Microsoft security for a while and they’ve not made a satisfactory response or mitigation, so in the interest of no security through obscurity he’s giving an overview… positive sign that it made it onto the TechEd agenda I guess – but it’s “in the wild” now and Mark has already written a book covering this during the Vista beta phase.
• Process Explorer can show the Integrity level of a process and Mark Minasi’s tools here can manipulate & view settings

Next up was DS Geek notes from the field, this was a good technical session where Ulf ran through some interesting scenarios and issues he’s encountered working with Active Directory, I’ve seen a lot of these myself as well – but the key points for me were;

• 280 domain admins reduced to 3 with fully delegated model, always a difficult discussion to manage with customers and staff (I have scars to prove it!) his approach was to break each task out and ensure there is only 1 owner – this reduces ambiguity and ensures accountability – with the handy side-effect of demonstrating that 277 of those people didn’t really need to be domain admins to do their day-jobs
• If you accidentally change any properties of a site connection/replication object in AD Sites & Services it changes from being dynamically generated to static without a warning, 2008 now has a dialogue box warning of the change.
• You can change a static connection object back to dynamic by adjusting the “options” attribute for the object in ADSIEDIT from 0x4 (static) to 0x5 (dynamic) rather than deleting and re-creating.
• Virtual Machines are good for DS-Lag sites, where an AD site has one or more domain controllers but where the site replication connector is a day or so behind the rest of the AD, this allows for a simpler restore of deleted objects by marking the object as authorative on the lag site and forcing replication into the production AD – this will bring the object back.
• VM’s lend themselves to this as you can script enabling/disabling the NIC to avoid the situation where there is an accidental (or malicious) deletion followed by a forced replication across all sites.
• LDIFDE import/export can be used to bring back object attributes from a restored AD snapshot (nice functionality that Ulf discusses here).
• Ulf also had an interesting script based solution for a single site (and domain) DC restoration where there is a simple local PC infrastructure like a branch office; where rather than maintaining and copying over the WAN, large system state backups he leveraged LDIFDE in export mode to take a backup of AD and xcopy of files, restoring such a DC after failure can be end-end automated through an unattended OS onto new/replacement hardware and scripts to import and re-ACL the DS objects and file system and re-join machines to the new domain.

Next up was one of two further sessions with Mark Russinovitch, the case of the unexplained – as ever this was informative and he has good coverage of this on his blog which I’d encourage you to check out in hunting down bad/buggy 3rd party driver software which is at fault a large portion of the time, rather than core Windows itself – I have a number of thoughts on why this is the case and will blog those later.

• One useful tidbit that I didn’t know is that Process Monitor can show you what TCP/IP sessions a particular process is using – nice.
• and you can suspend individual threads whilst you investigate what they do or to see if that improves overall performance.

The 2nd of Marks sessions and the final session of TechEd 2008 was on Windows security boundaries; which Microsoft define as an access policy between code and data which describes what if anything is allowed to be shared between the two, anything that could allow access between the two is not a hard security boundary – it is capable of being exploited.

• Mark covered several of the technologies in Windows Vista and 2008 (PatchGuard, UAC, Protected mode IE etc.) and the conclusion is that the only real security boundaries are System & Java Virtual Machines, .NET Code Access Security (CAS) as they are deliberately architected not to allow communication between processes or users and data.
• Didn’t realise this but x64 PatchGuard can blacklist drivers from a list provided by Microsoft.
• As ever, it was an excellent technical session and Mark provided several demos of how the isolation technology works along with some exploits demonstrating why certain types of isolation technology are not hard security boundaries. There is a US version of his presentation which I would encourage you to check out here

All in, it was a good week at TechEd it does feel a bit scaled back from previous years but the technical content of sessions was better at the end of the week – I don’t know if that was deliberate.

One notable omission this year was an equivalent of Andrew Cheeseman’s session on how they built the TechEd infrastructure – this was always a fascinating and entertaining session, I note he has moved on since last year but an equivalent session would have got a good attendance.

As I’ve said many times over, it’s still excellent value for money and I would recommend it to anyone – if you want to know more about my experiences please comment away and I’ll try to answer whatever I can.

You may also want to visit Techhead as he has also been blogging extensively about the sessions this year as has Geert Baeke.

Hope you found these posts useful – feel free to feedback via the comments!

Penultimate day at TechEd, still get the feeling its scaled down this year, but still some good content and some of the best sessions so far today. It was a slightly earlier start and late finish due to the 2pm finish tomorrow, today’s hilights as follows.

Note to Microsoft – early start following the country drinks probably not the wisest move 🙂 1st sessions were pretty quiet this morning 🙂

First session was Migrating and co-existence with Microsoft Online; looking at the steps involved with integrating with Microsoft hosted Exchange services which were shown on Monday’s keynote

Key points for me were;

• This is for Microsoft’s hosted Exchange service only, other providers of managed Exchange like Fasthosts and 1&1 don’t have the same facilities
• Tools support import from a variety of sources, Exchange 200x, Domino, POP3/IMAP, Yahoo mail etc.
• Migration & co-existence tools and documentation are downloadable from the online configuration pages, the tools provided are modified versions of the Exchange Transporter/Migration suite.
• Push-based Dirsync to Microsoft online via dirsync tool which is a packaged up version of the ILM product.
• Co-existence is supported through the use of alias domains, disabled target objects and alternative recipients; basically the same method as the Quest tools use to do a cross-forest migration.
• Don’t have to move all  – can operate a mix of local and hosted mailboxes.
• Because co-existence is basically cross-forest free/busy and delegation do not work across the internal/hosted boundary – Microsoft are hoping to address this; but it’s an inherent issue with this type of co-existence.
• Mailbox ACL’s delegates and rules and RSS feeds are not migrated – user will need to re-create.
• Passwords are not migrated/sync’d so users will need to create a new password via online sign-on wizard.
• Can choose to migrate all or a rule based subset of the mailbox contents
• Clients are not automatically redirected once it’s migrated – need to follow sign-on wizard via Microsoft online service which downloads a new MAPI profile to Outlook

Next up was a journey to the centre of a terminal server; a level 400 technical session on the internals of terminal server logons and processes; there was far too much technical information for me to blog so I’ll provide some links.

• Terminal services has now officially been renamed to Remote Desktop Services see here
• A comprehensive Whitepaper on tuning terminal services has been released here
• Terminal Services in Windows 2008 is much more modular with 3 component services, this separation enables much better separation of session management behind the scenes.
• New TS app analyser has been released, which can examine applications and determine their suitability for use on a terminal server looking for common permissions/file issues.
• One thing to watch with RemoteApp sessions is that a full desktop is rendered in the background, if that user profile or application spawns a window-less UI it can become a stuck zombie process when the user closes the RemoteApp session, Acrobat Reader updater (AcroTray) is a common culprit.
• There is a complicated issue with registry profile time stamps in a TS farm which to be honest I don’t fully understand – but Immidio have some free tools to assist with this, Tritsch is an excellent presenter and certainly knows his material

Next was Anatomy of a hack 2008 by Jesper Johansson, showing how malware is being pimped in the guise of anti-malware software!

key points were;

• It’s all about the money – organised crime running the same sort of bait and switch scams as they always did, but now on a massive, easy to do scale.
• Malware developers are getting good, and well organised with some innovative and well thought out lures.
• Some Malware now alter their behaviour if it detects that it is running inside a VM to avoid security researchers usual MO.
• Fraudulent transactions are going to Eastern Europe and infrastructure is distributed around the globe to handle transactions and Malware distribution
• They are definitely targeting layer 8 issues rather than technical steps to compromise systems through vulnerabilities; preying on the naive, careless or less informed.
• difficult to prevent, education and caution the key

Last session of the day was with Mark Russinovitch (of Sysinternals.com fame) on Windows 2008 R2 Virtualization and native VHD support.

How Mark manages to keep all the encyclopedic amount of internal Windows information inside his normal sized head  I don’t know – but his sessions are always very detailed and thorough.

Key points for me were;

• This was the 1st session I attended that Windows 2008 Hyper V has been referred to as Hyper V 2.0.
• there are comprehensive power management improvements in R2 which are propagated through to Hyper V; allowing suspend “parking” of individual CPU cores and consolidating CPU core workload to the minimum required to provide service – thus reducing overall power requirements.
• Intel and AMD have EPT and NPT technology embedded into new CPUs which will handle shadow page table mapping in hardware delivering significant performance improvements and reducing host OS usage.
• VHD (Virtual Hard Disk format) is a strategic direction for Microsoft, intended to replace all other container formats (CAB, ZIP, WIM etc.).
• VHD is an open, documented file format – open to 3rd party solutions and integrations.
• Windows Backup in Vista and 2008 already write backup data out to a VHD file.
• Improved Windows 7 / Server 2008 R2 boot manager will support boot from VHD, BCEDIT is used to point at a file system mounted VHD file rather than the traditional partition.
• Pagefile and boot loader need to remain on a physical partition.
• This enables some highly flexible multi-boot scenarios and makes P2V, V2P much easier.
• Mark showed his laptop which was booting Windows 7 from a VHD file.
• Boot from VHD also supports differential disks, this enables some very cool scenarios where the root disk is a known good/safe image with all changes being written into a differential VHD – allows for neat roll back to a standard condition (Internet kiosk type scenario) or protection from patching etc.
• Also allows for offline servicing of OS through patching too.
• Allows ISV’s to deliver apps or even whole OS/VM installations ready to use (appliances).
• nesting VHD files inside each other is not recommended and >2 levels is not supported.

A final thought from me on this is that if they were to integrate the SIS (Single Instance Storage) features of the .WIM format into VHD files then that would be a very compelling solution for VDI farms, VM terminal servers, and would make the download/streaming of VM images (via MED-V) very efficient, you could distribute a single VHD with multiple variations of a Vista or XP OS build in a very storage efficient manner.

Ok, so that was day 4 – last day tomorrow!

3rd day out at TechEd, sorry for the delay in posting – have had lots of session time and work to slot in either side, plus it takes quite a long time to write this up, I hope you’re finding it useful.

I attended a number of sessions around SCVMM and Hyper V today, as well as some good chats with some people from the product teams. – the “ask the expert” booths are brilliant for this kind of thing as they are usually well staffed with people from the development or PS teams so you can usually get an answer to a complicated question; or be pointed in the right direction.

First session was Windows vista to Windows 7 desktop virtualization roadmap with Fei Lu, key points for me were;

• Microsoft are investing significant effort in application and desktop virtualization, the driver for this is that it makes it easier for people to deploy newer OS’es by de-coupling/virtualizing the integration between hardware/OS/applications/data – the pay-off for Microsoft is that they sell more licences and speed up adoption, to my mind this helps keep the traditional rich OS/app desktop in the game with adopters of Web 2.0 type on-line applications
• Wide range of products in this space now, Terminal Service/Desktop VM/central VDI and application virtualization which can all be mixed & matched to provide the required solution.
• Folder redirection/roaming profiles with good off-line caching is being positioned as data virtualization.
• VM Mobility and DR are popular scenarios for MS customers
• Windows 7 will provide even more off-line caching features for data and settings – data virtualization.
• The Kidaro acquisition becomes MED-V “Microsoft Enterprise Desktop Virtualization” which manages distributing VMs to PCs and provides offline use and desktop integration (more on this in a later session)
• VDI is also a popular scenario, Microsoft will not write an enterprise scale connection broker, they have partnered with Citrix to deliver this, Microsoft may provide a small scale connection broker in future.
• VDI and APP-V is nice solution for simple centralised desktop management, (I did hear later than there is no x64 support for APP-V as far as I know though)
• New VDI scenarios with Windows 7 RDP protocol support multi-monitor and bi-directional audio.
• Fei ran a very brave demo of speech recognition over RDP to a beta version of a Windows 7 VDI farm.. worked pretty well, and also played back some HD quality video which was pretty impressive (no details on bandwidth available/used though).
• In future Microsoft are considering a pure hypervisor based client device, and the ability to download a VM image and run it and support portability of the image to/from a VDI farm.
• Windows 7 will be able to boot a VHD directly, which must use the same code/logic as Server 2008 and Hyper V use to manage the parent partition.

Next up was a more detailed look at MED-V (Microsoft Enterprise Desktop Virtualization) this is the Kidaro product, integrated as part of the MDOP licencing programme, key points.

• It Manages and distributes virtual machines to client devices for local execution (think: running  Virtual PC on a Vista machine with centralised management and distribution of the .VHD files.
• PC needs MED-V client  (.MSI installer).
• Integrates start menu and seamless windows from the guest OS to the host like you get with VMWare Workstation’s Unity feature
• capable of distributing VMs over the network (delta based replication) or on media like USB/DVD.
• Policy control for expiry of a provided virtual machine; managing when it can be used etc.
• Maps printers back to local host
• Didn’t mention clipboard redirection explicitly but I assume it’s there?
• Configure which guest OS applications are published to the host OS start menu (nice)
• Integrated support for sysprep and setup scripts for things like domain membership if you have transient or persistent VMs.
• A very clever feature can redirect a MED-V presented IE window back to the guest OS instance of IE via an internal VPN tunnel (pretty sure that was what was said); based on the URL they are trying to reach. Which is good for a scenario where you are using a company supplied and secured MED-V VM on a home PC – ensuring that personal browsing does not traverse a company VM or VPN connection.
• MED-V isn’t available yet; beta out early Q1 2009 and RTM likely to be available 1st half of 2009.

Next up was a session on System Center Virtual Machine Manager (SCVMM) which is used to manage virtual machines on both Hyper-V hosts and VMWare ESX (Xen maybe too in the future)

• VMWare Virtual Center is required to manage ESX hosts and clusters, SCVMM proxies control requests for ESX hosts via virtual center (using the API and PowerShell it would seem).
• SCVMM can manage multiple VMWare Virtual Center instances as well as Hyper-V and present a single pane of glass across the whole estate with centralised provisioning etc.
• SCVMM provides a Performance & Resource Optimisation feature (PRO) which is similar to VMWare’s DRS functionality
• PRO Can distribute VM load across multiple Virtual Center instances; which VMWare VC can’t do itself (but assume can’t vMotion this way so would have to shutdown and move).
• Can only use DRS or PRO – not both as they will fight each other.
• Can use SCVMM without SCOM but it can’t do the PRO stuff without SCOM as it doesn’t have performance data.
• There SCVMM is available now will be a new release to support Server 2008r2 and Hyper-V quick migration (vMotion equivalent).
• All in, looks to be a good product with some nice integrations but until Hyper-V is more prevalent managing mixed environments isn’t a huge requirement (to me) it’s not necessarily anything you can’t do out of the box now with VMWare Virtual Centre and some Windows VM monitoring via SCOM but definitley worth having in the arsenal for when Server 2008r2 brings live migration to Hyper V as adoption will pick up.

Next session was on connecting Active Directory to cloud services; this focused on the work Microsoft have done to build a hub and spoke federation architecture to allow cross-authentication between internal directory services (in this case Active Directory) and external service providers.

• the core of this is Microsoft Live ID, this service is essentially a broker hub for passing around authentication tokens and requests.
• Will be released in 2009; CTP available now, beta early 2009.
• Built on “Geneva” technology which seems to be a wider development of AD-FS
• Key point is tokens/claims are passed around the cloud and your service providers but authentication is always done via your home directory (i.e AD)
• Wizard based setup to enroll users/groups to the Federated Hub service.
• Release will be targeted at Active Directory as the authentication source, but framework is open so other vendors could write providers (Netware, Linux etc).
• Need to find out more about “Geneva” which is geared to complex enterprise scenarios.
• Will maybe build in more granular control for your administrators to specify what service providers your credentials can be used on, you never send passwords etc. just tokens but you may not want your internal users using this service to authenticate to non-business (i.e dating/social networking) sites that also participate in the Live ID federation hub.

Last session of the day was on the new Server 2008r2 Cluster Shared Volume (CSV) feature.

• Disks on traditional windows clusters could only be owned and accessed by one host over the storage area network (FC/iSCSI etc.) at a time; if other nodes try to mount the disk they can’t and there can be a risk of corruption.
• This is a multi-access shared disk volume, a bit like VMFS or ZFS.
• Hyper V is the only supported workload (but others may work)
• This is how they will enable live migration in Server 2008 R2 Hyper V
• 1 co-ordinator node manages access to the CSV and owns it.
• nodes send their read/write data to the CSV volume by the most efficient path (determined by the controller node?) this can be down the storage path or over a Ethernet network between the nodes (using faster Win2008 R2 SMB protocols)
• Can provide an extra degree of fault tolerance for access to the volume if a FC-path or network fails as it can route around it.
• you can assign priorities to certain paths to the storage.
• It’s still NTFS, all the tools chkdsk etc. still work and ACL’s etc.
• Supports MPIO, Fibre channel, iSCSI.
• This looks promising but I’m not sure about this data routing idea – surely you’d rather keep your server, storage and networking separate for security and performance reasons… but it is a clever idea and I can see that it could provide burst capacity if you were to saturate a storage path on an individual host, you could hand it off to another host to proxy it for you via an alternative path.

During the day we also got to speak to some of the Ask the Expert people around Hyper V – we discovered

• They’re unsure if Hyper V supports Windows Network Load Balancing
• You can’t do NIC trunking with Hyper V like you can with ESX; it’s 1 NIC — 1 vSwitch which means you can’t consolidate your VM network traffic into a pool.

That wrapped up day 3 and was followed by the UK TechEd party at Opium Cinema; it was a pretty good turn-out and the drinks flowed into the small hours.

Today was a full compliment of sessions, with some good sessions on Hyper V, Windows 2008 failover clustering and Forefront.

Steve Riley started off the day with a session on virtualization and security, whilst pretty high-level without getting into too many specifics he did a good job of expressing Microsoft’s view on Hyper V security.

the key points for me were;

• Each VM has a 1:1 connection to the hypervisor; there is no sharing of memory or VM-bus connections.
• Microsoft will not be opening the hypervisor kernel to 3rd party developers to provide IPS/IDS/malware type functionality as other vendors are (i.e VMWare) as they believe this to be a more flexible approach (despite being panned by analysts over this).
• The interfaces to/from enlightenments are well documented and public, no security by obscurity.

Then there was a session on Hyper V architecture, where Jeff Woolsey demonstrated building virtual machines.

There were some cost comparisons between VMWare and Hyper V; I’ve skipped over these as like any vendor the numbers were somewhat skewed.. you can easily make your own comparisons, Hyper V will probably be cheaper – but when you pick the numbers apart they’re not as far away as Microsoft say – VMWare are just as guilty of doing this, so I’ll move on.

Key points for me were;

• IDC say by 2010 there will be just 17% virtualized servers in the world, Microsoft want to drastically increase this
• HyperV comes with Win2008 x64 edition only (std/ent/DC all have the same Hyper V instance – only difference is the RAM/CPU limits in the host OS)
• 1Tb physical memory supported, 64Gb per VM (x64)
• supports 24 logical CPUs and 192 running VMs on a single server
• Hardware AMD-V/HT/DEP is required to run Hyper V
• TAP/RDP/MSIT customers are all running Hyper V – “the red phone never rang” and they didn’t have any critical issues; I’ve participated in TAP programmes in the past and true to their word Microsoft provide excellent, direct developer support to TAP participants.
• Hyper V is running 50% of current microsoft.com; and in middle of HW refresh to complete the change over – 1Bn hits/day that’s impressive.
• MSIT now have a VM 1st policy previous 10-14 day SLA for server provision is now down to minutes/hours – storage provisioning is the only delay internally.
• TechNet.microsoft.com is 100% Hyper V since beta 1M hits/day
• MSDN, 100% Hyper-V 3M hits/day
• Hyper V role – swaps boot WinOS for Hypervisor (slides underneath)
• Hyper V supports standard windows driver model for HV (better than ESX) and more flexible.
• WMI providers for management built in allows remote mmc’s and SCVMM etc.
• I/O is traditionally virtualization biggest headache (with Virtual PC, Virtual Server)
• No emulation for I/O  (as per Virtual Server) anymore
• Driver enlightenment is the solution VMBus/Virtual Service Provider [VSP]/Virtual Service Client [VSC]
• VSC – guest OS enlightenment/driver
• VSP – server side driver/assistant

All in, an interesting session; I can see where Microsoft are going with the product and I like it – they have a good end-end solution with the System Centre integration and are heavily pushing this at the moment as the hypervisor is less established than VMWare.

VMWare have some other good complimentary tools like site recovery manager, lab manager, stage/lifecycle manager that Microsoft still have to catch up with, but they’re definitely getting there, for me an equivalent HA/DRS functionality is missing for hyper V in production now and by the time WS2008 R2 is out I would expect ESX4 to debut and move the game on further.

The lack of 3rd party direct integration to the hypervisor disappoints me, to my mind that would prevent some comprehensive IPS and networking solutions (like the Cisco NX1000 vSwitch) although it does keep control entirely in the Microsoft camp.

I attended a good technical session on Windows Server 2008 fail-over cluster troubleshooting, key points for me were;

• Support is now less driven by the HCL. but a configuration validator that ships with Windows, similar to other best-practice analyser tools  (exBPA etc.) provides a supported/not support statement; there is a new FCCP programme which certifies vendor solutions for Win2008 clustering – which seems the same as the previous HCL approach.  HP were missing from the list of partners, but it is being worked on. otherwise all the usual suspects were there.
• Full validation of a cluster requires downtime as it needs to take disks offline to analyse – which could be a bit of an issue; if you need to make a change you then need to schedule downtime to run the analysers and get the warm and fuzzy supported feeling.
• Microsoft are building a shared clustered file system like ZFS/VMFS
• No longer a requirement to power down/mask a node when adding disks – they don’t auto-mount/signature
• NIC teaming is supported on any interface
• cluster debug logs have moved to the Event Tracing for Windows (ETW) framework – binary format, queried by tools or event viewer.
• No event log replication; cluster manager aggregates log info
• 2008 R2 will supplement cluster.exe with a PowerShell equivalent, and that will be the way forward.
• Cluster Logs are always in local time (as determined by control panel) cluster logs are always in GMT – useful to know!
• configurable debug/informational levels for cluster service
• No cluster service account any more; runs as Local System – excellent.

Finally there was a technical session around the new developments in ForeFront for Exchange/Stirling.

Stirling is a codename for a development of the Antigen acquisition a few years ago into a full security suite – edge/internal protection although multiscan engines and SSL VPN type services, this session focused on the developments for Forefront for Exchange.

Key points for me were;

• Exchange hosted services to provide a MessageLabs equivalent type service – large distributed spam/AV scanning at the network edge, being extended to sync up with on-site Exchange services and infrastructure
• Microsoft are deploying infrastructures in several geographic locations, sometimes to meet local legal/compliance reasons – for example Germany/Canada
• Back-scatter protection – tagging legitimate outbound mail with a rotating cryptographic key, if NDR’s are received from spam sent illegitimately on your behalf they will not have this tag so will be dropped by the spam/AV filter.
• Can sync spam/AV policy between in-house/cloud/hosted Exchange services to keep a uniform protection policy

All in, a good 2nd day, looking forward to day 3.

Sorry for the delayed posting; I didn’t take my laptop on the 1st day and I twittered my thoughts thoughts the day – hopefully you can see them on my home page but here is a more considered version of my experiences so far..

The wireless is not as good this year – I’m struggling to get a connection and have had to resort to a wired connection in the work area which is a shame.

The keynote had a lot of Green IT and virtualization messages, VMWorld had almost exactly the same message (and a mature product 🙂 ) at VMWorld last year – there were some interesting parallels.

As usual, well organised and easy to move around the conference centre, good facilities – I note TechEd will be moving to Berlin next year, will be interesting as the Barcelona site seems ideal, Amsterdam was too big but this feels about right – but bit of variety can’t do any harm!

VMWare have a stand in the exhibitors hall, sadly they don’t have their ESX4 demo available – they are hoping to be able to have it running by Weds.

Reading between the lines from sessions like the keynote and OS deployment tool schedules – I strongly suspect that Windows 2008 R2 will be released with Windows 7 between June 09 and June 2010 – yeah, it’s a big window… but it seems to be consistent.

Windows Server 2008 R2 is currently under development, beta out shortly

Interesting new Server 2008 r2 features:

• Will support Hyper V live migration of VMs
• 2008 R2 will be x64 only, no x86 version
• Branch Cache – file and http cache for branch offices – hope to catch some more details on this, as I assume it needs client-side support – Windows 7 seems to be mentioned in conjunction with it
• BitLocker to go – encryption for removable volumes (HDD based backups etc.)

Interesting new tech from the keynote

• Exchange online – the ability to {seamlessly} migrate users from your internal Exchange 2007 server to one hosted within Microsoft’s cloud (is this Azure? – I’ll try to find out) works by setting up an AD sync job and then can move the mailbox out/back again – clever, launching spring 2009
• System Center Configuration Manager 2007 R2 will beta at the end of November 2009 – looks to bring good SLA and cross-platform (Linux etc.) support
• SQL Gemini – fast and flexible client side BI analysis tools – looked very clever from the demo
• App-V (think SoftGrid for servers) will be coming, more info in 2009 – virtualized Exchange/SQL etc. would be interesting

In general, it does seem a bit toned down from the last time I came in 2006, less big announcements but I think that’s a hangover from the lessons learnt around the Vista hype machine and still a lot of good technical content.