Virtualization, Cloud, Infrastructure and all that stuff in-between
My ramblings on the stuff that holds it all together
Category Archives: Windows 2008
Redesigning Active Directory for 2010 and on..
Active Directory has been implemented as part of Windows since approximately 1998, when the betas of the initial Windows 2000 version were circulating. At the time directory services were Microsoft’s answer to all the NT4 scalability woes and to the superior management that Novell offered in Netware 4.x. That was a radically different IT world {cue Wayne’s World flashback}:
- Most people worked in a set of fixed locations, mobile workers were by far the minority
- Those fixed locations had full, all-ports network access to corporate resources; internal network and/or personal firewalls were unheard of.
- People who needed remote access to the network came in by dial-up or VPN type access with token or user/password type authentication
- Starbucks was NOT your office 🙂
- Your PC/laptop was owned by the company and you had less need to keep your personal on-line life running during work time or using work resources (you shopped in real shops and people still used the phone to communicate).
- Viruses were there but the most prevalent forms propagated by infected documents and emails.
- Network connectivity was slow and/or expensive from remote locations
I’ve worked with Active Directory in a lot of depth during this time and it’s an excellent and flexible tool, however it’s now 2009 and whilst Active Directory has been enhanced over this time it isn’t radically different in terms of supporting the way we work today.
There is still a very tight integration* between a workstation (domain member) and the Domain/Forest – this relies on periodic machine account password changes.
- All authentication and group policy type activities, like interactive logon and policy downloads, still require a large number of ports and RPC services to function – this makes firewalls look like swiss cheese, and it doesn’t work well in locations with high-latency or slow network connections (although there are tweaks; most of these involve turning off GPO processing on slow links).
- To provide remote access to domain and corporate services a VPN layer is required to provision access. This is OK, but a large part of the Windows interactive logon process still requires access to a domain controller at the CTRL-ALT-DEL logon screen – support for this is hacky at best when you are not on a full, all-ports-open network connection to the corporate domain. 3rd parties have custom GINA code that allows you to initiate a VPN connection before the logon is processed, but it’s not a one-stop shop and users still *just don’t get it*.
- Disconnected machines (like those of roaming sales people) rely heavily on cached credentials; these credentials are only refreshed when you make an interactive logon to the corporate network – which requires a VPN, a large number of port rules, machine hygiene routines, etc.
- User profiles/folder redirections don’t work particularly well in long-term disconnected scenarios and it’s difficult to maintain a consistent user profile environment for these users.
If you’ve ever had to re-build a user’s machine whilst disconnected from the network this can be a real issue.
*Machines can only be part of one domain at a time, they rely heavily on it for authentication and control.
Building standalone/workgroup machines is one answer, but then you have no way of managing any of the machines, tracking them, distributing configurations, etc. It is too all-or-nothing; there is no middle ground in Active Directory at present, and this also makes multi-tier firewalled application platforms problematic – do you put in multiple domains to support tiers/DMZs, or compromise security and use a single domain with wider firewall rules? If you put in workgroup machines, managing security across all of them is problematic; some Microsoft products (Exchange, etc.) require an Active Directory domain, and change is difficult.
In addition, high-speed Internet access is now very common and the move to “the cloud” is underway, with end-user devices becoming little more than very clever terminals.
Microsoft have made moves to support single sign on through web applications with the Active Directory Federation Services (AD-FS) in Windows 2008 but this is still geared at web applications rather than the core authentication and application services Microsoft’s desktop and server OS relies on for normal operations.
This is a list of the things I would like to see in future Active Directory and/or add-on endpoint security checkers to better support the upcoming generations of users who won’t always be on the corporate LAN, or who purchase and use their own PC/laptop, as well as the needs of virtualization and dynamically scaling infrastructure.
- Move authentication services to HTTP/S interfaces and away from RPC and dynamic ports.
- Make the group policy services available over the same HTTP/S interfaces
- This has already been done for Outlook/Exchange via the RPC over HTTP/S interface – Active Directory could use a similar concept for allowing access from external/edge services.
- Introduce a further class of machine to complement the traditional “computer” account: an “external managed machine” (or similar) – where it isn’t necessarily a direct member of the domain but you allow a degree of trust – maybe leveraging AD Federation Services; no local passwords held, but hashed with the core AD service, with an intermediate service (or core-OS component) to facilitate authentication between applications and the AD, maintaining backwards compatibility for anything that runs locally and relies on traditional Windows authentication.
- Allow all communication between these external managed devices and core infrastructure over HTTP/S – so as to be tolerant of high-latency connections and carried over common network services.
- Allow those managed external machines to be locally administered/installed/maintained etc. (think of the Windows Mobile phone or iPhone model that is used to allow access to Exchange email), but give each a representative object in Active Directory that can be managed through policies or even disabled – even if that object is just a certificate for the device or some other representation, it should be accessible through the AD tools and scripting interfaces.
- Add support for configuration compliance scanning for external managed devices (end-point security) and centralised reporting – some of this is in the next-gen ISA tools.
- Support for transient (often virtual) machines that are dynamically added to a domain and removed – think of the VDI model, where hundreds of machines could be created and destroyed automatically, leaving hundreds of “dead” machine accounts and requiring reboots to support the domain join operations.
- Support and manage a corporate PC “out on the Internet” as if it were in the office (using web services/HTTP wrappers), much like we can with Outlook 2003+ and Exchange 2003+ using RPC over HTTP/S – no complicated and difficult-to-use local VPN client.
What would you like to see?
As an addendum: apologies for the lack of posting recently on vinf.net, which has been due to the arrival of our second child, which as you might imagine has taken up a lot of my blogging time! Hopefully I will get a bit more time in the coming months to support my habit!
ExPrep – Script to Automate Exchange 2007 Pre-Requisite Installation
If you have ever had to install Exchange 2007 on a Windows 2008 (or 2003) server you will know that there are a number of pre-requisites that need to be installed from the OS for each role; for example, IIS web services and metabase compatibility components.
You have two choices: do this via the UI using the Add/Remove Features and Roles wizard in Server Manager, or use the ServerManagerCmd.EXE command line utility – either way it’s pretty tedious if you have several servers to install.
Based on this handy reference from Microsoft I have built a very basic batch file that automates the installation of the pre-req components for you.
It only works on Windows 2008 (sorry, no 2003 equivalent) and you use it entirely at your own risk – there are much cleverer ways of scripting this, but I’m a pretty old skool DOS person; this works for me and is easy for me to maintain – feel free to re-write it in something more modern and post it back here, as this code is probably quite hacky.
The contents of the file are here (just cut & paste into a .bat file)
@echo off
REM ExPrep.bat by Simon Gallagher, ioko (http://vinf.net)
REM YOU USE THIS SCRIPT ENTIRELY AT YOUR OWN RISK
SET EXPREP=999
echo Which Exchange 2007 role are you preparing this server for?
echo   1 - Mailbox (MBX)
echo   2 - Clustered Mailbox (MBX-CLUSTER)
echo   3 - Client Access (CAS)
echo   4 - Hub Transport (HT)
set /p EXPREP=Enter 1-4 and press Enter: 
echo you chose %EXPREP%
echo Preparing for base pre-req install (press CTRL-C now to abort)
pause
REM Base component used by every role; ServerManagerCmd skips it if already installed
ServerManagerCmd -i Web-Metabase
if "%EXPREP%"=="1" goto MBX
if "%EXPREP%"=="2" goto MBX-CLUSTER
if "%EXPREP%"=="3" goto CAS
if "%EXPREP%"=="4" goto HT
echo Unrecognised choice - no role-specific components installed
goto END
:MBX
REM Add any further Mailbox-only components from the Microsoft reference here
goto END
:MBX-CLUSTER
ServerManagerCmd -i Failover-Clustering
goto END
:CAS
ServerManagerCmd -i RPC-over-HTTP-proxy
goto END
:HT
REM Add any further Hub Transport-only components from the Microsoft reference here
:END
Instructions:
1) Copy the script (ExPrep.bat) to your would-be Exchange server (remember Windows 2008 x64 is the only supported OS for Exchange 2007).
2) Run ExPrep.bat
3) Choose the appropriate role from the menu (note: there is no clever input validation – make sure you choose the correct one; there are pause statements before it actually does anything so you can CTRL-C to break out).
4) Sit back and wait for it to complete.
5) Then run the Exchange 2007 installer from your DVD or network share as normal.
If you need to install multiple roles on a single server you can run the script multiple times, all changes are cumulative and if a component is already installed ServerManagerCmd.EXE (which the script calls) will just skip it.
If you want to take it further, there is some excellent information about the setup process, failures and doing full unattended installations of Exchange 2007 here and here.
Remember you use this entirely at your own risk, and you assume full responsibility for checking its suitability for your environment; the batch file is easy to read and customize for your own use, although I ask that if you do make changes link back here via a comment or trackback so that other people can benefit.
How to Administer a Windows 2008 Server from a Vista Client
This confused me for a while, up until now I’ve been using Windows 2008 inside a VM, so have had little need to remotely administer it other than via the console.
As you all know, it’s better practice to use the MMC tools to administer remote servers rather than use Terminal Services to the actual server (it uses fewer resources, and there’s no chance you hit Shutdown rather than Logoff, etc.!).
In the old days you installed adminpak.msi on your XP machine and off you went; this has now been renamed RSAT (Remote Server Administration Toolkit) – you need Vista SP1, then download the appropriate update package from here.
Install the appropriate version of the update (x64 or x86) but don’t worry – you can still admin both x64 and x86 servers from an x86 client using the same tools.
Now at this point I was a bit confused (and I hadn’t read the KB article in full…tsk) but there were no handy admin tools in my start menu anywhere.
To get them installed you actually need to add a Windows “feature” via the “Programs and Features” control panel applet (I assume the update adds them there, I didn’t look beforehand).
Then scroll down and choose the appropriate tools that you need; I’ve expanded out the relevant sections and chosen to install them all.
Waiting… (no need to provide any CDs or anything, as Windows Vista has the whole OS image on-disk in a .WIM file by default, which is handy).
It did take several minutes 🙂
All done, and my workstation now has a full complement of Windows 2008 admin tools.
Note if you want to administer a Hyper-V server, then you need to download and enable these tools separately – details here, the link in the article is broken but you can download the appropriate update from Microsoft here.
If you run a corporate domain environment, it’s probably worth bundling these into a GPO or SMS-installed package for your administrative machines, as it takes a little while to do by hand (as I did) and you have to jump through the WGA hoops to get the downloads from Microsoft.
Hyper-V Management Tools install (Vista x86 SP1)
On the subject of Hyper-V – there is an article about a beta version of a solution accelerator/guide to securing and hardening Hyper-V here
Misc bits of Useful, Recent VMWare News
I’ve been really busy the last couple of weeks and I’ve had to trim down my incoming RSS feeds, as there was too much noise and I was missing important things like the following;
- Scott Lowe’s summary of sessions from VMWare’s Partner Exchange, with some useful information on Site Recovery Manager
- The new VMWare Certified Design Expert (VCDX) certification – the next step up from VCP; I will have to have a look into it now I’ve finally managed to re-schedule my cancelled QA course – official VMWare announcement here.
- Official Microsoft Clustering Support with ESX 3.5 Update 1 here
- Some workarounds for deploying Windows Server 2008 with Virtual Center here – it would have been nice if support was in an official update from VMWare soon; it’s not like it’s been in beta for a while, is it (errr!)
HP Rapid Deployment Pack – PXE Settings for Deploying Windows OS
The following screens show a working configuration from the RDP 3.80 PXE Configuration Manager.
I have had lots of problems with this deploying Windows OSes and VMWare ESX 3.5 onto an HP c7000 Blade chassis; I still haven’t resolved all the problems, but this definitely works for deploying Windows!
The documentation reads as if you should always use the Linux PE configuration and it handles switching between WinPE/LinuxPE depending on which OS job you drop on a target. In my experience this doesn’t work and you need to manually change the PXE configuration to default to LinuxPE or WinPE depending on the OS you want to target.
And
Still a work in progress as I have a c7000 to which I want to deploy a mix of Windows and ESX/Redhat OS’es….
I did get a previous installation to install ESX 3.5 by hacking the default ESX 3.02 job, but it’s since been re-installed and I can’t do it now.
RDP 6.90 seems to list Windows 2008 and ESX 3.5 in the QuickSpecs, but I’ll be damned if I can find where to download it; going to have to call HP, methinks!
As I’ve posted before, installing via iLO is just a non-starter if you really do want a flexible and fast deployment configuration – so it has to be RDP.
More later…
Hyper V Release Candidate is Available Today
I’m at the Windows 2008 launch event in Birmingham, UK today. It has just been exclusively announced that the Hyper-V Release Candidate is available for download from 5pm (UK time) today, 19th March.
Go download and try it out… full RTM is still promised 180 days from the Feb RTM release of Windows 2008, which I blogged about here.
Windows Server 2008 Posters..
/CONSOLE switch Goes away in Windows 2008/Vista SP1/XPsp3 versions of MSTSC.EXE
Post here on the Terminal Services team blog about why they’ve changed this switch to /ADMIN in Windows 2008/Vista SP1/XP SP3.
This is the first I’ve heard of it. Not a huge issue, but I can see a potential problem where the /console switch is ignored – again not huge, but a bit of an annoyance just to change a bit of syntax?
If you have device CALs and normally use the /console switch to remotely administer a machine, to my understanding that doesn’t allocate a device CAL to your admin machine (or whatever machine you are administering from at the time).
What if you use this method to administer terminal servers – doesn’t this silent ignoring just eat one of your device CALs (permanently, if you do it often enough from a machine)?
The article says:
The /console switch is silently ignored. You will be connected to a session to remotely administer the server.
The /console switch is silently ignored. You will be connected to a standard Remote Desktop session that requires a Terminal Services client access license (TS CAL).
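One way to avoid the silent downgrade described above is to let the admin machine pick the switch its own client honours. This is an added example, not from the original post or the Terminal Services team article; the version threshold is my assumption (mstsc.exe file version 6.0.6001, the RDC 6.1 client shipped with Vista SP1, Server 2008 and XP SP3, is taken as the first build that uses /admin), and Connect-AdminSession.ps1 and Get-AdminSessionSwitch are names I made up for it.

```powershell
# Added example, not from the original post: open an administrative Remote Desktop
# session using whichever switch this client's MSTSC.EXE actually honours, so an admin
# connection is never silently turned into a standard (TS CAL-consuming) session.
# Assumption (not stated in the post): mstsc.exe file version 6.0.6001 is the first
# build (RDC 6.1: Vista SP1, Server 2008, XP SP3) that uses /admin instead of /console.
param(
    [string]$Server = $(throw 'Usage: .\Connect-AdminSession.ps1 -Server <name>')
)

function Get-AdminSessionSwitch {
    param([string]$MstscPath = (Join-Path $env:windir 'System32\mstsc.exe'))
    $vi = (Get-Item $MstscPath).VersionInfo
    # Build a comparable version from the numeric parts; the FileVersion string
    # on some builds carries trailing text that [version] cannot parse.
    $build = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($build -ge [version]'6.0.6001.0') { return '/admin' }   # /console is ignored here
    return '/console'                                            # RDC 6.0 and earlier
}

$mstsc  = Join-Path $env:windir 'System32\mstsc.exe'
$switch = Get-AdminSessionSwitch -MstscPath $mstsc
Write-Host "mstsc.exe $((Get-Item $mstsc).VersionInfo.FileVersion): connecting to $Server with $switch"
Start-Process -FilePath $mstsc -ArgumentList @("/v:$Server", $switch)
```

Run it from the admin workstation as .\Connect-AdminSession.ps1 -Server <servername>; the Write-Host line shows which switch was chosen so a CAL-consuming standard session is never started by mistake.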
Windows Server 2008 RTM’s Also…
Must be the day for it! I’m looking forward to Server 2008 and have a couple of projects lined up to try and take advantage of the new terminal services functionality.
Hyper-V will follow within 180 days… MS have a long way to go to win ground from VMWare but will have the usual single-vendor support argument, so it’s going to be an interesting 18 months.
Performance on a cheap ESX PC
I thought I’d post some performance graphs from my cheap HP D530 ESX server using the Virtual Centre console (which incidentally, is good for getting this info quickly and simply).
Screenshot of the UI for querying performance stats.
View of currently running VMs – a mix of Windows 2003/2008 VMs
Current Overall ESX Host statistics (with a clone from template going on)
As I noted elsewhere on my blog, it has 4Gb RAM and a single 2.8GHz HT CPU – and with this VM load it gives an average CPU load of 25-30%. Almost all of these VMs are idling but all respond in good time to network access/TS etc. – not bad at all for a desktop PC!
CPU usage for the last 24 hours
The big spike around 22:00 was when I cloned up a whole load more VMs – it seems to have upset the stats, so I need to have a look at that.
It’s also interesting to note that I added 4 Windows 2003 VMs last night but that hasn’t actually increased the overall CPU average – ESX must be quite efficient at time-slicing all those idle VMs.
I had 3-4 “deploy from template…” operations going on at the same time and it really bogged down the performance of the VMs (usable, but only just), but it is just a single SATA disk drive so I can live with that.
Deploying 1 VM at a time had little or no impact – a slight CPU spike to ~50%, as you’ll see to the far right of the chart, as I kicked off another one just now.
When I get time I’m going to drop some jobs into the VMs that will tax the virtual CPUs a bit more and compare results – maybe some Folding@Home activity. Mmmmm, that would definitely tax it.