Delegating Hyper-V Virtual Machines

I’m not exactly what one would call an “Enterprise” Admin - so I don’t really know all that much about WMI.

We first started our internal virtualization stuff when both VMware GSX and Virtual Server 2005 still cost money. So we used VS2005 because we could get it for free since we were in the Microsoft Partner Program.

So, with the release of Hyper-V we finally had a chance to move to a more robust and faster virtualization solution. However, not everything has improved with Hyper-V: delegating permissions, which was easy in VS2005, has become much more complex. Probably because Microsoft wants to sell SCVMM 2008, which will automate a lot of this.

We have a few development VMs that are used for QA purposes by our development team, and we just have a single machine running Hyper-V. So I want to delegate a few of the VMs to the development team, without them being able to manage the Hyper-V server or virtual machines that do not belong to the development team.

I’ve found an excellent resource regarding setting up remote management for Hyper-V from John Howard. He has a 5-part series on how to enable remote management.

Part 1, Part 2, Part 3, Part 4, Part 5

What is not described in these links is how to delegate specific VMs. To do this, you’ll need a script from Andrzej.

Hyper-V Azman Scope Scripts

Here’s a basic rundown of the general steps you’ll need to do:

  • Create an appropriate Active Directory group for the users you want to give access to. If necessary, nest the groups according to your organization’s group strategy.
  • The following two steps are detailed in Part IV from John Howard:
    • Add the group to the local “Distributed COM Users” group on the Hyper-V host.
    • Grant the group permissions on the Root\CIMV2 and Root\Virtualization WMI namespaces.
  • For detailed instructions for these three steps, see below:
    • Run azman.msc and create a new scope.
    • Use the SetScope VBS script to assign the VMs to the scope.
    • Run azman.msc and delegate appropriate permissions to Windows groups using the newly created scope.

Creating scopes in AzMan and assigning VMs to scopes

First, you’ll need to start azman.msc and open the following authorization store: C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

Then, you’ll need to right-click “InitialStore.xml” and choose “New Scope”. In my case, I named the new scope “Dev”.

Azman New Scope

Next, you will need to create a role at the top level of the authorization store. This role is needed so that the Hyper-V management tool can connect at all. I called mine “View Only”, as it does not grant any specific permissions. It should look like this:

View Only Role

You’ll also need to add the Windows group to this AzMan role in order for it to be of any use:

View Only Role Groups

Next, we need to create a role within the Dev scope that grants the necessary VM management rights. It should look like this:

New Scope with View Only Role

You’ll also need to add a Windows group to this role.

Once you’ve got this far, we need to assign the VMs to the newly created scope. You can find the scripts here: Andrzej’s Hyper-V Scripts.

Assigning a VM to a scope is simple.

For example, if you want to assign the VM “dev-hdi-xp-01” to the scope “Dev”, use this command:

setscope.vbs dev-hdi-xp-01 Dev

There will be three popup windows - the first two don’t matter, and the last one will contain a single number. If the number is 4096 (or anything other than 0), it failed. If the number is 0, it succeeded.

You can verify scope membership using getscope.vbs:

getscope.vbs dev-hdi-xp-01

The result should look like this:

Getscope.vbs in action
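Checking one VM at a time with getscope.vbs gets tedious, and the real risk with scoping is a VM that ends up in the Dev scope by mistake (the Dev group would then see and control it). The following PowerShell audit is an added example, not one of Andrzej’s scripts and not part of the original post: it reads the ScopeOfResidence of every VM on the host (the same property setscope.vbs/getscope.vbs work with, in the Hyper-V v1 root\virtualization WMI namespace) and compares it against an expected VM-to-scope table that is made up for the example.

```powershell
# Added example: audit AzMan scope assignments of all VMs on a Windows Server 2008
# Hyper-V host. Assumes the Hyper-V v1 WMI namespace root\virtualization and the
# Msvm_VirtualSystemGlobalSettingData.ScopeOfResidence property, which holds the
# AzMan scope name a VM is assigned to. Run locally on the host as an administrator.

# Expected mapping, constructed for this example: VM display name -> AzMan scope.
# Any VM not listed here is expected to be unscoped (empty ScopeOfResidence),
# i.e. manageable only through the top-level roles of the authorization store.
$expected = @{
    'dev-hdi-xp-01' = 'Dev'
    'dev-hdi-xp-02' = 'Dev'
}

$ns = 'root\virtualization'

# Every VM is a Msvm_ComputerSystem with Caption "Virtual Machine"; the host itself
# also appears in this class (as "Hosting Computer System"), so filter it out.
$vms = @(Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem |
    Where-Object { $_.Caption -eq 'Virtual Machine' })

$problems = 0
foreach ($vm in $vms) {
    # The global setting data of the VM carries the scope it lives in.
    $gsd = $vm.GetRelated('Msvm_VirtualSystemGlobalSettingData') | Select-Object -First 1
    $actual = [string]$gsd.ScopeOfResidence           # '' when the VM is unscoped
    $wanted = [string]$expected[$vm.ElementName]      # '' when not in the table

    if ($actual -eq $wanted) {
        "{0,-20} scope='{1}'  OK" -f $vm.ElementName, $actual
    } else {
        # Either a delegated VM lost its scope, or a VM that should not be
        # delegated is visible to the scoped group. Both need a look.
        "{0,-20} scope='{1}'  EXPECTED '{2}'" -f $vm.ElementName, $actual, $wanted
        $problems++
    }
}

"VMs checked: {0}; mismatches: {1}" -f $vms.Count, $problems
if ($problems -gt 0) { exit 1 }
```

Running it after every setscope.vbs change (or from a scheduled task) turns the screenshot check above into something you can repeat and alert on.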

If my post is entirely correct, and you followed it correctly, the end result should look like this:

Here, we’re logged on as an admin. All VMs are visible:

All VM

Here, we’re logged on as a normal user. This user does not have any special privileges on the Hyper-V box apart from the WMI / DCOM and AzMan changes. You’ll only see the two development VMs.

Scoped Dev VMs

So, this is quite a bit more complex than VS2005. But also a lot cooler.

I hope there are no mistakes in this post. If you find any, please tell me. If you found this post helpful, tell me too. Thanks for reading!

SonicWALL NSA 2400 - SMB Firewall Appliance

SonicWALL NSA 3500
SonicWALL recently launched a new SMB firewall appliance - the NSA 2400. Pictured to the right is an NSA 3500 - they look mostly similar and have the same number of ports (I couldn’t find a high-res image of the NSA 2400).

So far, we have mostly used ZyXEL’s ZyWALL products to serve our small business customers; however, the ZyWALL line wasn’t always very satisfying when moving to the upper end of the small business spectrum. Thus, we had a look at SonicWALL - I’ve been using them for quite some time.

There are a few things about SonicWALL that will be different for people used to the low-end market (like the ZyXEL products).

  • You’ll need to purchase software maintenance in order to be able to download newer firmware versions
  • The old SonicWALL hardware generations (TZ / PRO) have “Standard” and “Enhanced” firmware images - the Standard versions are stripped down and less flexible - the NSA models only have “Enhanced”
  • Registration on MySonicWall is mandatory

NSA 2400 GUI
One of the things fixed with the release of SonicOS 5.0 was the graphical user interface - the new GUI is completely revamped and looks like something that belongs in the year 2008. Other improvements include completely redesigned hardware that uses multi-core CPUs to provide real-time traffic analysis.

The NSA series ships with basic firewall/VPN features that are licensed as part of the base hardware. Additional features like anti-virus scanning, content filtering, anti-spam, and intrusion detection and prevention all require extra expenses. This model is similar to what other UTM appliances like the ZyWALL 5 UTM use.

SonicWALL Global VPN Client is an IPsec-compatible VPN client that works pretty well. There is no 64-bit version yet, and it doesn’t work with other VPN clients running on the same PC. If you do not want to use SonicWALL’s GVC, the SonicWALL also offers the ability to use L2TP and your operating system’s native VPN functionality. While L2TP connections are mostly unrestricted, the number of GVC licenses can be pretty low (e.g. 10 for the NSA 2400).

One of the main advantages over the ZyWALL line of products is the object-based configuration, and the ability to have multiple Gigabit interfaces on the hardware - the NSA 2400 offers 6 Gigabit interfaces with the ability to use 802.1q VLANs to create even more logical interfaces. Even the low-end NSA 2400 can offer quite a lot of throughput (I’ve measured up to 30 megabytes/s), which is important if you have servers deployed in your DMZ.

Other cool features include “SonicPoint” management, which is basically the same as Symbol’s or Cisco’s lightweight wireless access points. This is a very cool feature for smaller businesses that do not want to buy separate hardware to maintain their wireless infrastructure.

You can even access a live demo of the SonicWALL web interface to see for yourself.

Advantages

  • Very flexible configuration
  • Streamlined GUI with useful features like Packet Capturing and self updating Log views
  • Lightweight VPN Client and the ability to use Standard L2TP
  • Lightweight Access Point Deployment using the NSA as a base
  • LDAP Integration, preconfigured for Active Directory
  • 6 Gigabit Interfaces
  • High Performance

Disadvantages

  • High price of Hardware (List: 2700 CHF)
  • High price of mandatory service contracts for Firmware updates (List: 1300 CHF for 3Y 7×24 and HW Advance Replacement)
  • High price of UTM features licenses (List: Starting at 1700 CHF for 3Y AS/AV/IPS)
  • Incomplete user authentication solution (based on an agent using WMI to query the logged-on user instead of using secure Kerberos authentication)
  • No redundant PSU or Fans to compensate for high hardware price (the NSA 7500 has redundant Fan/PSU)

IBM BladeCenter S - getting started with Blades in the SMB Market

BladeCenter S
Last Friday I received a new toy: an IBM BladeCenter S, with two HS21, one HS21 XM and a JS12 blade.

The BladeCenter S

The BladeCenter S I received came with 10 500GB SATA disks and two DSMs, four power supplies, an Advanced Management Module, a Server Connectivity Module and a SAS Connectivity Module. The power supplies use standard 230V type 23 plugs, which do require a little special installation, but much less so than the industrial plugs used with the bigger BladeCenters.

The big point about the BladeCenter S is that it does not require an external SAN to provide storage to the blades - an integrated SAS switch allows very flexible disk configurations. Configuration can be done using a web browser against the SAS Connectivity web interface, using SSH/Telnet to access the SAS Connectivity command line, or using a fully graphical interface, IBM’s Storage Configuration Manager (SCM). There are some predefined configurations, but none of them suited my setup - creating new configurations using SCM is easy enough though.

The disks in the BladeCenter’s DSMs (Disk Storage Modules) are hot-swappable - currently, only 3.5″ DSMs are available, with a 2.5″ DSM in the pipeline. Most of the blades support one or two internal disks, but the problem here is that these disks are not hot-swappable. Depending on your blade loadout, 12 disks might not be enough. For example, the HS21 XM blades only fit one internal disk, and running without RAID on the system partition seems pointless, so you would be using at least 6 disks (without hot spares) for a basic Exchange deployment.

The web interface on the AMM is nicely done, although it lacks a bit of flashiness. That’s not a requirement though; it does a very solid job at what it needs to do.

After powering up the BladeCenter S for the first time, I connected to it using a web browser and upgraded all the firmware. There is quite a lot of it (AMM, SAS, Server Connectivity), but it all worked out flawlessly. Time to move on to the main course: the blades.

The HS21 and the HS21 XM

Starting with the familiar, I began with the HS21 Intel blades. The two HS21 blades both had a 2.66 GHz quad-core and 4GB RAM; the HS21 XM blade had a 2.5 GHz quad-core and 9GB of RAM (more about that later).

When starting the first HS21 blade, after configuring all the storage using SCM, it failed to POST its LSI Logic SAS/RAID controller. I searched for the error message on the net, assuming that I had screwed up the configuration. I didn’t find anything meaningful, so I tried to do what everyone else would do in this situation: apply every firmware update for the blade I could find.

Of course it wasn’t as easy as I wanted it to be. The controller not POSTing was an endless loop; I couldn’t get the machine to start from the AMM virtual floppy drive. I used SCM to disconnect the storage (by disabling the blade’s SAS port). Now the blade booted flawlessly, indicating that I probably had a problem with my disks. When browsing the IBM website, it became obvious that only newer firmware supports SATA drives. After upgrading the SAS firmware, I was able to boot the blade without disabling the blade’s SAS port. Unfortunately, the onboard SAS controller only supports RAID levels 1 and 10. This is probably owed to the fact that most blades use SAN storage - IBM promised that there would be a SAS RAID adapter that supports other RAID levels; these are especially important for the cost-conscious SMB market.

I booted a Windows PE 2.0 using WDS, and was able to install Windows Server 2008 x64 without any issues.

The HS21 XM blade, on the other hand, complained when booted for the first time that its memory configuration was invalid - it only supports 2, 4 and 8 DIMM configurations; 6 DIMM configurations are not supported. I removed two 512MB modules and booted the blade with 8GB - it worked flawlessly and without complaining.

The JS12

First, read this document about IBM i on Blade. It explains everything better than I ever could.

The JS12 is a POWER6-based blade that is able to run IBM i. The first time I turned on the blade, all the HS21 blades (already running Windows Server 2008) crashed hard. When rebooting, they no longer found their drives. I turned off all the blades, disconnected the JS12’s SAS port and turned everything on again. The Intel blades booted, and after I was sure that they were up and running again, I powered on the JS12 again. This time, no issue arose. I tried to reproduce the behaviour I’d seen before, and the same thing happened again.

My current assumption is that the issues were caused by the SAS controller, which does not have a firmware update yet and can’t deal with the SATA drives located in the DSMs. Further investigation told me that there’s no firmware upgrade for the SAS controller in the POWER6 blade, and that SATA drives are not supported when running IBM i on the blade anyway. I ordered 4 147GB SAS drives, disabled the SAS port on the blade, and tried booting the POWER6 blade again. It booted flawlessly again.

The next step was to install VIOS - this is a rather complicated multi-step process. First, you have to turn on “Serial over LAN” aka SOL, then log on to the AMM using SSH, connect to the POWER blade using serial passthrough and then boot the blade from the VIOS CD. The install is pretty self-explanatory.

Next is connecting to the Integrated Virtualization Manager (IVM) running on the VIOS partition. The IVM is basically an HMC light minus the console functionality. The only way to get a console on the JS12 blade is using a LAN console (which can only run on consumer versions of Windows, and is not supported on most of the blades).

I installed the latest VIOS patches (around 4GB) and enabled mirroring on the two 147GB SAS disks in the blade itself. The next step will be installing IBM i, for which I have to wait until I receive the ordered SAS disks.

Preliminary Summary

The BladeCenter S is great. Yep, not everything ran flawlessly from the start, but nobody’s perfect from the beginning. The BladeCenter brings an innovative new perspective to the SMB market. The problems that IBM needs to address are the addition of 2.5″ DSMs (already in the works) and more capable RAID controllers (also in the works). A BladeCenter S with the ability to use around 20-40 disks could prove interesting.

The POWER6 blade is interesting, and while VIOS adds complexity, it is as streamlined as possible. I’m interested in seeing IBM i running on the machine.

If you have any other questions about the BladeCenter S - or anything you would like to see in detail - post a comment. I’ll try to figure it out.

70-652 - Windows Server Virtualization

I’m at the Digicomp testing center right now, waiting for my colleague to finish the exam too.

In general, my impression was that the exam was pretty solid but certainly “Enterprise heavy” in focus. There were a lot of questions regarding appropriate configurations for failover clustering, and also several on SCVMM 2008 (the latter were never hard - anyone who has toyed with SCVMM and browsed through the main functionality should be able to answer them).

I’ve seen a few questions that weren’t worded 100% precisely, but that can always happen - the quality was generally high.

Other areas that were featured heavily:

  • Clusters (as mentioned above)
  • Snapshots - pay close attention to how snapshots can be reverted, reused, etc. Snapshots can also be used in deployment scenarios
  • Integration between SCOM and SCVMM
  • Disk configuration - the available options for VHD files, their advantages and disadvantages, the usage of physical disks from the host and of course the use of iSCSI disks that are directly attached in the VM
  • Hardware requirements and configuration requirements when setting up Hyper-V - pay close attention to how you configure the Windows boot loader, and what steps need to be taken when enabling hardware-assisted virtualization in the BIOS
  • Proper VM hardware configuration - remember which controllers in Hyper-V are bootable and which are not. Also, think about very old legacy applications that might have problems with newer CPU features available on modern CPUs, and about the implications of running an OS that does not support synthetic hardware
  • Network configuration - pay close attention to bigger scenarios involving the cluster heartbeat link, iSCSI connections from the host, iSCSI connections from the VMs themselves, and quorum disks in cluster scenarios. Also, remember the difference between internal and private network interfaces

Did I pass? I’m not sure. There were many cluster questions, and I never had much contact with those since I primarily work with small business customers.

So if you intend to take this exam, make sure you’ve toyed around with SCVMM (SCOM knowledge isn’t necessary, just look up how these two can be integrated). Also, make sure you’ve set up a Hyper-V cluster at least once. You can emulate an iSCSI SAN by using an open source appliance like FreeNAS that can export disks using iSCSI. None of the questions I’ve seen seemed “hard” to me, but I was guessing at a few because I didn’t know the topic.

Good luck!

Prometric customer service is actually fast!

So yesterday I ranted about being unable to register for exam 70-652 and not getting any help from Prometric.

I have to remedy that - when I checked my email this morning, I had already received a notice from Prometric asking for my MCP and testing ID. I replied quickly and got an answer back in just a few minutes. This is good!

I’ll be going this Friday and will report how it went.

Exam 70-652

Beta for 70-652 - TS: Windows Server Virtualization is out

I received this nice mail from Microsoft learning:

You are invited to take beta exam 70-652: TS: Windows Server Virtualization, Configuring. You were specifically chosen to participate in this beta because of your current Microsoft Certification status or previous participation with Microsoft Learning. If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. The 71-xxx identifier is used for registering for beta versions of MCP exams; when the exam is released in its final form, the 70-xxx identifier is used for registration.

By participating in beta exams, you have the opportunity to provide the Microsoft Certification program with feedback about exam content, which is integral to development of exams in their released version. We depend on the contributions of experienced IT professionals and developers as we continually improve exam content and maintain the value of Microsoft certifications.

70-652: TS: Windows Server Virtualization, Configuring counts as credit towards the following certification(s).
  • TS: Windows Server Virtualization, Configuration

So I tried to sign up for the exam. But I wasn’t even able to log on to my Prometric account.

I got the following error message:

Duplicate emails. Please call customer service.

So, I tried calling customer service. It’s a toll-free Swiss number for a call center located in some other part of the world. Unfortunately, I wasn’t even able to place a call:

The number you’re calling is currently unavailable. Please check the number and dial again

So I mailed Prometric support and I’m hoping for an answer now.

If Prometric won’t fix it, at least I can ask Helmer what was in the exam. If you have a working Prometric account, you can get the invite code for the exam from Trika’s blog.

Update: Prometric fixed the problem quickly

Windows Small Business Server 2008 RC0 - First Impressions

Microsoft released the Windows Small Business Server 2008 RC0 today.

For those of you who do not know SBS: SBS has traditionally been a single-server setup with Exchange, SQL Server and ISA Server. It consolidates all the “big” Microsoft technologies on a single server. This contradicts most “best practices” published by Microsoft, and as such SBS has always been seen as the red-headed stepchild of the Windows Server family. SBS 2008 aims to improve several of these points (especially with the Premium Edition shipping with TWO server licenses).

After a 6-hour download that trickled in at a meager 200 kbyte/s, I was finally able to get started with it.

SBS 2008 now demands x64 hardware - so for testing I used an IBM x3650 running Windows Server 2008 Enterprise with the Hyper-V RC1. Hyper-V supports 64-bit guests. Other hardware requirements have also gotten steeper - you’ll need 4GB RAM minimum (though I launched the VM with only 2GB). The Premium Edition now comes with licenses for two servers, finally making it possible to have redundant domain controllers even in a small business setup without paying for full server licenses.

The first half of the setup is similar to what you know from Windows Server 2008 and Windows Vista - you boot, select the disk, have the chance to enter a product key, and finally start the installation. After that, the WIM image is expanded to the hard drive. The machine reboots after installation, and this is where things get different.

After booting, you’ll land in the “Install Windows Small Business Server 2008” wizard. This can be mostly automated using an answer file, which is mandatory when migrating from earlier versions. I will check that out later and proceed with a simple installation without using an answer file.

I get nagged by an “Insufficient Hardware” screen, reminding me that my (virtual) machine only has 2GB RAM. After acknowledging the warning, I can set up my date and time. I choose the CEST timezone and move onwards.

Next, a screen confronts me with the fact that I don’t have a NIC - which is true. The machine is running on Hyper-V RC1, and I wasn’t able to install the integration components yet. Luckily, there is a “Browse” button, where I can launch the Integration Services setup. Installation of the Integration Components worked fine, and the machine rebooted. I hope Microsoft packs the Hyper-V RTM bits into SBS RTM. This would make it easier to install it into a VM, but as you can see, it’s not much of a hassle.

I was back at the beginning, at the start of the SBS wizard. Luckily, I was now able to use the mouse after installing the Hyper-V IC. Next, I get an update dialog, asking me if I want to update my server. I choose yes and have to wait.

Next, I was asked to enter my company information, then to name my server and the NetBIOS name of the domain. I was not able to choose a DNS name for the domain (this is only possible when using an answer file). Interestingly, dashes (“-”) were not accepted as part of the server name. I wonder why - our production setup uses dashes extensively in server names, and so does Microsoft (judging from their mail headers).

Then I was asked to create an administrative account - a good idea. The “Administrator” account shouldn’t be used in a production setup; instead, each user with administrative rights should have their own account. SBS enforces this - a very good idea.

After confirming the server name, domain name and company name, the installation continued on its own. This took a good amount of time, during which the server restarted several times - of course completely unattended. No need to play disc jockey or log on - much better than SBS 2003.

After the installation, I was greeted with a screen that told me that it was unable to install some critical updates. Clicking on that bar revealed an IE7 404. I checked the IP configuration - the server was configured to use 192.168.0.2 and didn’t have a DHCP server installed. There was no default gateway set yet.

Next, I launched the “Connect to the Internet” wizard, which told me that I was already running a DHCP server - which makes sense. After choosing “Postpone”, the wizard aborted. That wasn’t quite what I was hoping for.

I shut down the VM and reconfigured it to use a private LAN. That way, it wouldn’t have a connection to the internet, but it wouldn’t have to deal with a DHCP server either. But SBS didn’t like that either - it wanted a router. So I set up a second VM running IPCop (which works flawlessly on Hyper-V using legacy NICs and a small virtual hard drive).

It was interesting to see using tcpdump what SBS did under the covers to detect the router: ARP scanning, IPv6 discovery, everything. This seems rather well designed. It was successfully able to detect my IPCop VM, which didn’t have a DHCP server.

Next, I started the wizard to enable my domain name. It seems that SBS will be able to do some of these things automatically if you live in the US. Here, of course, we have to do things manually.

So far I don’t like that SBS tells me very few technical details. But this might be because Microsoft somehow thinks that a small business owner will set up SBS on their own (which just seems a horribly stupid design decision).

Next, it told me that I couldn’t configure my internet router properly (my IPCop instance didn’t have UPnP support enabled). It’s interesting to see that it wants to forward port 25 to the server. It looks like the POP3 connector was finally killed off for good. That’s very good to hear!

I also had to configure outbound email properly, with the ability to configure a smart host or use direct sending. There is also a wizard to easily create a properly signed official SSL certificate - nicely done, and it will surely improve the security of the many SBS setups that are out there.

SBS 2008 also ships with OneCare for Servers already preinstalled. You can just activate it with a few clicks. I don’t see this very positively - I’ve had a few bad experiences with Forefront Client Security, which OneCare is based on. We’ve been using McAfee in the past. So in the future, for SBS setups we will have to either remove OneCare from the SBS or deal with having multiple virus scanners on the network (a management nightmare).

Another interesting tidbit is that UAC is enabled in approval mode, just like on standard Windows Server 2008 installations when not using the Administrator account. This is annoying, IMHO. I don’t have a problem with UAC on my desktop, because I usually use my desktop to work and not to change settings - but when I’m logged onto a server, I want to change settings all the time.

That’s it for the first impressions. I will have a closer look at SBS 2008 over the following days and will keep you all updated.

Pictures are here:


Renames, mergers and acquisitions

The past few months have been busy, very busy.

Mergers and acquisitions have always been a big part of what the important people do.

Of course, theoretically, that wouldn’t be my problem. However, one wouldn’t believe how much work it is to get rid of an old name throughout a whole network.

First comes Active Directory - it uses DNS as a primary means of identification. Renaming an Active Directory domain is purely theoretical, i.e. it doesn’t work and it’s not supported if you’re running Exchange 2007.

Then there’s numerous other stuff that depends on DNS, names and everything. But in the end, I did my part of this deal. It has been an interesting time, and now I really wonder how big companies like Swissair handled their renames - or are they still running their infrastructure under the old name?

My employer is now called Acommit AG.

Acommit

Of course, the whole rename proved to be a really good argument to buy new servers and upgrade straight to Windows Server 2008 - that means on my side the renaming thing has worked rather well. I still don’t know a lot about the company we bought (Futura Retail Solution GmbH), but their main market is selling POS related products.

If you need the full details, you can get them here:

Futura Retail Solution GmbH
Acommit AG (soon to be updated)

Outlook Anywhere with Exchange 2007 on Windows Server 2008

Outlook Anywhere / Outlook Autodiscover on Windows Server 2008 still has some problems.
Read this most excellent post that has all the details.

Long story short: modify the hosts file, remove the IPv6 localhost entry (::1) and then add hosts entries for your server. I would recommend against disabling IPv6 on the Exchange server, as this is probably not a recommended or supported configuration.

The root cause is that Outlook 2007 can’t contact a DC/Domain Controller using RPC over HTTP/Outlook Anywhere when used on Windows Server 2008.

Also note that NTLM authentication for Outlook 2007/Outlook Anywhere is broken on Windows Server 2008.

I’m better than you, Part II

I participated in a game at TechDays Switzerland, and didn’t win an Xbox.

Well, at least I got my picture and story published on the Microsoft Learning website.

(Still happy, still not better than you)