Get Ready for tomorrow's Private Cloud - Today!

Private Clouds are increasingly important to the efficient operations of your business. The System Center 2012 products provide everything you need to build, secure, maintain and manage your Private Cloud. You can get all of the latest Betas, Release Candidates and Evaluations by clicking one button!

  • chris e. avis - writing about microsoft and technology....

    Xbox One Announcement live now!

    • 0 Comments


  • chris e. avis - writing about microsoft and technology....

    Updated Office Hours available….

    • 0 Comments

    I have been using OHours.org to schedule virtual and in-person office hours to meet with folks from the community, user group leaders, IT Pros, and just about anyone else that is interested in technology. This is a casual meeting where we can discuss anything that is on your mind. I have a widget on the right side of my blog where you can schedule hours, or click the link below.

    Don’t limit yourself to just the office hours though. Feel free to email or call anytime!

    eMail – chris.avis@microsoft.com

    Twitter - @chrisavis

    Cell: 425-647-3440

    LinkedIn: Chris Avis

     

     

    -Cheers!

  • chris e. avis - writing about microsoft and technology....

    Tomorrow! - Microsoft Virtual Academy: Windows Azure for IT Pros

    • 0 Comments

     


     

    Folks, if you have been to any of my live presentations recently, you have probably heard me get super jazzed about Windows Azure Infrastructure as a Service. I truly think this is the future of infrastructure for all businesses. I envision a world where new businesses starting up don’t have to invest in any server infrastructure at all and simply create everything they need in the cloud.

     

    If you would like to learn more about Windows Azure IaaS and how Windows Azure Cloud Computing can transform your IT Department, check out this Microsoft Virtual Academy Jump Start: Windows Azure for IT Pros!

    This fast-paced MVA Jump Start is designed to help IT departments understand why it's time to start the process of extending infrastructure to the cloud. Microsoft Technical Evangelist David Tesar and Azure Group Technical Product Manager David Aiken will leverage a demo-rich and engaging team-teaching style to illustrate how Windows Azure Infrastructure Services (e.g., Virtual Machines, Virtual Networks, Storage, Active Directory) makes it easy to safely migrate, extend, run, manage and monitor common workloads in the cloud.


    Additionally, they'll cover SharePoint and extending System Center 2012 SP1 during this course. This is one Jump Start you don't want to miss!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    AppFactor

    • 0 Comments

    For more details and to register, please go to the App Factor main site!

    Home

    Have app ideas?  Have software development skills?  If so, that’s all you need to learn, compete and win! 10 Cities, 100’s of developers and 1000’s of great ideas. The opportunity is NOW! Don’t miss another chance to get in on the next great marketplace! Get your competitive juices flowing and participate in a FREE Windows 8 App Factor event.

    THE MAIN EVENT

    WINDOWS 8 APP FACTOR LEARN

    Part one of the series, Windows 8 App Factor Learn is a fun day of “training and auditions” where you will learn what you need to know to take your skills and ideas into a new economy. 

    · Form a team where you can use your skills and compete to win. 

    · Learn how to build an app from idea to store submission. 

    · Start from scratch or use a beautiful sample to get started.

    · Free consulting from the local evangelist team (in person or online). 

    Special Note: Attendance of ‘Windows 8 App Factor Learn’ is required to compete in ‘Windows 8 App Factor Compete’ and ‘Windows 8 App Factor Online’.

    MEET YOUR COMPETITION

    WINDOWS 8 APP FACTOR COMPETE

    Part two of the series, Windows 8 App Factor Compete will provide you with an opportunity to show off your app (in-person) and hard work to the world and potentially win. Prizes will be awarded for best app (determined by judges), and peoples’ choice (determined by live audience).

    WINDOWS 8 APP FACTOR ONLINE

    If you don’t have time to attend ‘Windows 8 App Factor Compete’, no big deal, just submit your work of art online to be eligible to win fabulous prizes. Submission guidelines will be provided in-person at ‘Windows 8 App Factor Learn’. Prizes will be awarded for best app (determined by judges).

     

    For more details and to register, please go to the App Factor main site!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Boot To VHD – Configuring, Creating a Reusable Trial version image and more….

    • 1 Comments

     

    With the introduction of Boot to VHD (native VHD boot) in Windows 7 and Windows Server 2008 R2, we have an excellent way of cleanly booting to multiple Windows versions. The OS inside the VHD must be Windows 7 or later, and with Windows 7 only the Enterprise and Ultimate editions are licensed for native VHD boot. Traditional dual-boot scenarios required us to load different versions of Windows in a specific order to ensure we could dual-boot properly. Even worse, if something caused a system-wide failure, dual-boot systems are more difficult to troubleshoot and restore.

    Boot to VHD cleans all of this up, though it does restrict us to certain Windows versions and, unlike dual-boot, does not allow us to use non-Windows OSes in the mix (unless you are dual-booting *and* using Boot to VHD, in which case you are entirely on your own!)

    While there are many articles out there on how to get started with Boot to VHD, I would like to provide some additional information to help you set up images that can be re-used. And I want to show you a way to use a trial version to do this! Perhaps you do a lot of testing in a lab, or maybe you are a teacher or instructor setting up a large number of identical workstations. Using a few of the built-in tools for Windows, it is very easy to create re-usable images for these scenarios. In a nutshell, this is what we will be doing in this article:

    1) Create the reference Virtual Machine/VHD

    a) Create a VHD file

    b) Create a new Virtual Machine

    c) Attach the VHD file

    d) Install OS/Patch

    e) Install Applications/Patch

    2) Package the reference Virtual Machine/VHD

    a) Sysprep

    b) .ZIP or .RAR (optional)

    c) Make copies of the VHD file

    3) Configure Boot to VHD

    a) Copy the file to the workstation

    b) Extract (optional)

    c) Use BCDEDIT or BCDBOOT to configure Boot to VHD

    d) Test!

    Here we go!

    Preparation

    You will need access to a Windows Server 2008 R2 or Windows Server 2012 machine with the Hyper-V role enabled. You can use the command line (DISKPART) to create VHD files, or even create them in Disk Management. However, the simplest way I have found is to use Hyper-V in Windows Server. Since you will have to use this console at some point anyway for managing the virtual machine, it provides one-stop shopping for everything we need.

    Download Windows Server 2012 Trial here (get the .ISO version!)

    You can use the same trial above as your re-usable server image, or you can download a trial of Windows 8 and use it as the re-usable trial

    Download Windows 8 Enterprise Trial here (get the .ISO version!)

     

    Creating the Virtual Hard Disk (VHD) file

    You can use Hyper-V in Windows Server 2008 R2 or Windows Server 2012 to do this.

    1) In the Hyper-V management console, create a new virtual hard drive using the wizard


    2) Select the type of virtual hard disk. Recommendation: use a Dynamically Expanding VHD. Why? It is much faster to create, and the smaller file size means less to copy onto individual workstations! On Windows Server 2012 the wizard also asks for the disk format first: choose VHD, not VHDX, if any of your target workstations run Windows 7 or Windows Server 2008 R2, because those can only boot natively from .vhd files.

    Fixed – This creates a VHD file of the full size you specify in the wizard. It takes longer to create because the wizard writes out the whole file (the larger the allotted size, the longer it takes). Pros – Slightly better performance, and the VHD can be expanded (offline only) if you need more space.

    Dynamically expanding – This creates a very small initial file that grows up to the maximum size you specify in the wizard. I recommend a dynamically expanding disk for our scenario because we will be copying it to multiple workstations. Pros – The smaller size means less copy time, and the file can be compacted to reclaim unused space if you delete data inside the VHD. Keep in mind that when the VHD is booted natively it is expanded to its maximum size, so the target drive still needs that much free space (see the host requirements below).

     


    3) Follow the rest of the wizard to select location to store the file (remember where you store it!) and the maximum capacity you need for the virtual hard drive.

    Create a New Virtual Machine & Attach the VHD

    Next we will create a new virtual machine and attach the VHD file we created above

    1) In the Hyper-V management console, create a new virtual machine using the wizard


    2) Follow the wizard to provide a name and storage location for the virtual machine (the storage location can be removed after we complete the process to get space back)

    3) Specify the amount of RAM for the virtual machine

    This is only important for this initial phase. I recommend using 2GB minimum for this part of the setup. If you have more than 4GB in the host where you are creating the Virtual Machine, use as much memory as you can to speed up the setup. Once we perform the actual Boot to VHD process, the operating system in the VHD runs directly on the physical hardware and sees all of the RAM in the host system.

    4) Configure networking – I recommend attaching to an existing virtual network so you can patch the system or install other components over the network.

    5) Connect Virtual Hard Disk – Select “Use an existing virtual hard disk” and then browse to where you stored the VHD file above.


    6) Attach the trial version .ISO – in the Preparation section above, you were instructed to download a .ISO image for Windows Server 2012 or Windows 8. Either one can be used depending on what you need to accomplish. Browse to the appropriate .ISO image.


    7) Complete the Wizard!
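    The same VHD and virtual machine setup, scripted with the Hyper-V PowerShell module on Windows Server 2012 (an added example, not part of the original post). The paths, the VM name and the virtual switch name are placeholders to adjust. Note the .vhd extension: Windows 7 and Windows Server 2008 R2 can only boot natively from .vhd files, so create a .vhd rather than a .vhdx unless every target workstation runs Windows 8 or Windows Server 2012 or later.

```powershell
# Added example (not from the original post). Requires the Hyper-V PowerShell
# module on Windows Server 2012 / Windows 8 or later. Paths and names are placeholders.
$vhdPath    = 'C:\VHD\Win8-Reference.vhd'          # .vhd, not .vhdx (see note above)
$vmName     = 'Win8-Reference'
$switchName = 'External'                             # an existing virtual switch (assumed name)
$isoPath    = 'C:\ISO\Windows8-Enterprise-Eval.iso'  # the trial ISO downloaded in Preparation
$maxSize    = 40GB                                   # maximum size the dynamic VHD may grow to

if (Test-Path -LiteralPath $vhdPath) { throw "VHD already exists, refusing to overwrite: $vhdPath" }
if (-not (Test-Path -LiteralPath $isoPath)) { throw "Trial ISO not found: $isoPath" }
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    throw "Virtual switch '$switchName' does not exist; pick one from Get-VMSwitch"
}
New-Item -ItemType Directory -Path (Split-Path -Parent $vhdPath) -Force | Out-Null

# Steps 1-3 above: a dynamically expanding VHD (small file now, grows toward $maxSize while installing).
New-VHD -Path $vhdPath -SizeBytes $maxSize -Dynamic | Out-Null

# Steps 4-7 above: the VM with 2GB of startup RAM for the build, attached to the switch and the VHD,
# with the trial ISO in the DVD drive so the first boot runs Windows Setup.
New-VM -Name $vmName -MemoryStartupBytes 2GB -VHDPath $vhdPath -SwitchName $switchName | Out-Null
if (-not (Get-VMDvdDrive -VMName $vmName)) { Add-VMDvdDrive -VMName $vmName }
Set-VMDvdDrive -VMName $vmName -Path $isoPath
Start-VM -Name $vmName

# Sanity check: the dynamic disk reports a small file size against its full maximum, and the VM is running.
Get-VHD -Path $vhdPath |
    Select-Object VhdType, @{n='FileGB'; e={[math]::Round($_.FileSize / 1GB, 2)}}, @{n='MaxGB'; e={$_.Size / 1GB}}
Get-VM -Name $vmName | Select-Object Name, State
```

    Run it from an elevated PowerShell prompt on the Hyper-V host; once the VM is up, connect to it from Hyper-V Manager and continue with Windows Setup exactly as in the next section.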

    Start the Virtual Machine / Install Windows / Patch / Install Applications / Patch

    Now that we have created a new Virtual machine, attached the VHD we created and configured a .ISO to load windows from, we just have to start the VM and load Windows.


    Now we get to the hurry up and wait part. Once the virtual machine spins up, you will install Windows just as you would on a physical box including adding any Windows Features you want in the final image. You will want to go to Windows Update to patch Windows up to the current date as well. You will then install any applications you want to the image then patch those applications as well.

    Recommendation – Don’t download install files to the virtual machine. Anything you download directly to the virtual machine increases the size of the VHD file, and a dynamic disk does not shrink on its own when you delete the installers afterward. Instead, install applications and other components from network shares rather than downloading the installation files into the virtual machine.

    Once you have completed this, head out to Windows Update one last time to make sure you have everything updated.

    Once you have everything installed and patched, I recommend that you reboot the image one last time just to make sure all apps and updates have written everything to the registry and so we have a clean startup before we package the VHD.

     

    Package the reference Virtual Machine/VHD

    Now that we have a completely built Windows OS with everything we want installed, we are going to run SYSPREP to create a distributable package that can be used for Boot to VHD.

    1 ) On the virtual machine, run SYSPREP with administrative privileges

    Windows 7/2008 R2 – Click Start, type CMD, right click CMD, select Run as Administrator

    Windows 8/2012 – From the Start screen, type CMD, right click Command Prompt, select Run as Administrator (bottom of screen)


    This will open a CMD prompt window and drop you at the c:\windows\system32 directory

     

    2) Change to the \sysprep directory (c:\windows\system32\sysprep) and run SYSPREP.EXE


    This will open SYSPREP and allow you to select some options.

    3) Select the following options for SYSPREP

    System Cleanup Action:  Enter Out-of-Box Experience (OOBE)

    Check the “Generalize” box

    Shutdown Options:  Shutdown


    When you click OK, SYSPREP will strip out the machine-specific information (the computer SID and hardware-specific settings), set Windows to run the Out-of-Box Experience on the next startup (it will ask for very basic information), and best of all, rearm the trial version so its evaluation period starts over on first boot! How long SYSPREP takes depends on the speed of the host you are working on and on what applications you installed. Usually it takes no more than 5-10 minutes for SYSPREP to complete and shut down the virtual machine.

    Trial Versions

    If you use a trial version of Windows, SYSPREP with the Generalize option rearms activation, so the evaluation period is reset instead of continuing to count down from the day you built the image. That means if you use a trial version to create the VHD file and then immediately SYSPREP, the image starts its evaluation period fresh when it first boots, and every copy you make of the SYSPREP’d VHD gets that same fresh period. This makes for an excellent FREE resource for learning Windows or doing testing over an extended period of time. One caveat: Windows allows only a limited number of rearms and each Generalize consumes one, so build and generalize the reference image once rather than repeatedly booting it and generalizing again (slmgr /dlv shows the remaining count).
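    The command-line equivalent of the SYSPREP steps above, with the rearm check first (an added example, not part of the original post). It assumes an English-language Windows, because it reads the "Remaining Windows rearm count" line that slmgr.vbs prints. If you really do need to generalize the same image more than the rearm limit allows, Sysprep's unattend file supports SkipRearm under the Microsoft-Windows-Security-SPP component; that is outside what this script does.

```powershell
# Added example (not from the original post). Run inside the reference VM from an
# elevated PowerShell prompt. It checks the remaining activation rearms first, because
# /generalize consumes one and fails outright when none are left, then runs Sysprep
# with the same options as the GUI steps above (OOBE + Generalize + Shutdown).
function Get-RemainingRearmCount {
    # slmgr.vbs /dlv prints "Remaining Windows rearm count: N" (English locale assumed).
    $lines = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
    foreach ($line in $lines) {
        if ($line -match 'Remaining Windows rearm count:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Invoke-ReferenceSysprep {
    param([switch]$WhatIf)    # -WhatIf prints the command instead of generalizing and shutting down
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Sysprep must run from an elevated prompt.' }

    $rearms = Get-RemainingRearmCount
    if ($rearms -eq 0) {
        throw 'No rearms left: /generalize would fail, and the image could not reset its evaluation period.'
    } elseif ($null -eq $rearms) {
        Write-Warning 'Could not read the rearm count from slmgr; continuing without the check.'
    } else {
        Write-Host "Remaining rearms: $rearms (this generalize will use one)"
    }

    $sysprep     = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
    $sysprepArgs = @('/generalize', '/oobe', '/shutdown')
    if ($WhatIf) { return "$sysprep $($sysprepArgs -join ' ')" }
    & $sysprep @sysprepArgs
}

Invoke-ReferenceSysprep -WhatIf    # remove -WhatIf to generalize and shut the VM down
```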

     

    Makin’ Copies

    Once the virtual machine shuts down, you can store a master copy of the VHD file in safe location that you can make copies of to distribute. The key is to retain a master image that can be replicated to multiple systems. For our IT Camps that we deliver across the US, we compress the VHD file with WinZip or WinRAR and place the file on a USB memory stick. This helps the image fit in a smaller space and speeds up file copies.

    Now that we have copies, it is a simple matter to configure Boot to VHD to use the VHD file.

     

    Configure Boot to VHD

    Almost there!   Most of the hard and time consuming stuff is complete. All we have to do now is copy the VHD file and do a few simple steps to complete the Boot to VHD process. But before we get there, lets review some system requirements for Boot to VHD.

    Boot to VHD Host System Requirements

    Boot to VHD can only be enabled on the following Windows Operating Systems:

    Client – Windows 7 or later

    Server - Windows Server 2008 R2 or later

    Additional Restrictions:

    Encryption – The drive where you place the .VHD file you will boot from must not be encrypted. This includes all 3rd-party full-disk encryption as well as Windows BitLocker: the boot manager has to read the VHD before any volume encryption is unlocked, so BitLocker cannot protect the host volume that holds a native-boot VHD, and it cannot be enabled on the volumes inside the VHD either. (On a BitLocker-enabled machine, adding the boot entry changes the boot configuration data that BitLocker validates, so it will trip BitLocker recovery and require you to enter your BitLocker Recovery key. This is a tedious process that you really don’t want to deal with….trust me!)

    Hard Drive Space – Even though I recommend using Dynamically Expanding VHDs, you must have enough free space on the host drive for the VHD file to fully expand, or Boot to VHD will fail. For example, if you created a 100GB Dynamically Expanding VHD, it may only take up 30GB of space after you have installed all applications and patches. At boot time the VHD is expanded to its full 100GB, and the boot manager checks ahead of time whether there is enough free space for that; if not, it fails with a “not enough space” error. So the target drive must have at least 100GB free *before* you copy the VHD file to it.
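    A way to check the free-space requirement before you copy anything, as an added example that is not part of the original post. Instead of relying on the Hyper-V cmdlets (which a Windows 7 workstation will not have), it reads the VHD's own footer: every .vhd file ends in a 512-byte footer that starts with the cookie "conectix" and records the disk's maximum (virtual) size and its type in big-endian fields. The sample paths are placeholders.

```powershell
# Added example (not from the original post). Reads the VHD's own 512-byte footer
# to find its maximum size and disk type, then checks that the target volume has room
# for a dynamically expanding VHD to grow to that size, which native boot requires.
# Works on any Windows with PowerShell 2.0 or later; no Hyper-V module needed.
function Get-VhdFooterInfo {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $fs = [System.IO.File]::Open($full, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    try {
        if ($fs.Length -lt 512) { throw "Too small to be a VHD: $full" }
        [void]$fs.Seek(-512, [System.IO.SeekOrigin]::End)   # the footer is the last 512 bytes
        $footer = New-Object byte[] 512
        if ($fs.Read($footer, 0, 512) -ne 512) { throw "Short read of VHD footer: $full" }
        $fileLength = $fs.Length
    } finally { $fs.Dispose() }

    # Footer layout (VHD spec): cookie "conectix" at offset 0, current (virtual) size at 48,
    # disk type at 60. Integer fields are big-endian, so reverse the bytes before converting.
    $cookie = [System.Text.Encoding]::ASCII.GetString($footer, 0, 8)
    if ($cookie -ne 'conectix') { throw "No VHD footer in $full (cookie was '$cookie')" }
    [byte[]]$sizeBytes = $footer[48..55]
    [byte[]]$typeBytes = $footer[60..63]
    [System.Array]::Reverse($sizeBytes)
    [System.Array]::Reverse($typeBytes)
    $typeCode  = [int][System.BitConverter]::ToUInt32($typeBytes, 0)
    $typeNames = @{ 2 = 'Fixed'; 3 = 'Dynamic'; 4 = 'Differencing' }
    $typeName  = if ($typeNames.ContainsKey($typeCode)) { $typeNames[$typeCode] } else { "Unknown($typeCode)" }

    New-Object PSObject -Property @{
        Path      = $full
        DiskType  = $typeName
        FileBytes = $fileLength                                            # what the file takes on disk now
        MaxBytes  = [int64][System.BitConverter]::ToUInt64($sizeBytes, 0)  # what it becomes when booted
    }
}

function Test-NativeBootSpace {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$TargetDrive = 'C'      # drive letter the VHD will be booted from (c:\vhd in the post)
    )
    $info = Get-VhdFooterInfo -Path $Path
    $free = (New-Object System.IO.DriveInfo($TargetDrive)).AvailableFreeSpace
    # A fixed VHD is already full size; a dynamic one must be able to grow to MaxBytes at boot.
    # If the file already lives on the target volume, its current size is already consumed.
    $onTarget = $info.Path.StartsWith("$($TargetDrive):", [System.StringComparison]::OrdinalIgnoreCase)
    $needed = if ($onTarget) { $info.MaxBytes - $info.FileBytes } else { $info.MaxBytes }
    if ($needed -lt 0) { $needed = 0 }
    New-Object PSObject -Property @{
        Vhd      = $info.Path
        DiskType = $info.DiskType
        MaxGB    = [math]::Round($info.MaxBytes / 1GB, 1)
        FileGB   = [math]::Round($info.FileBytes / 1GB, 1)
        FreeGB   = [math]::Round($free / 1GB, 1)
        NeededGB = [math]::Round($needed / 1GB, 1)
        WillBoot = ($free -ge $needed)
    }
}

# Check before copying: the VHD is still on the USB stick (E:), the target is C:
Test-NativeBootSpace -Path 'E:\Win8-Reference.vhd' -TargetDrive 'C' | Format-List
```

    WillBoot false means exactly the “not enough space” failure described above: free up space on the target drive, or rebuild the reference image with a smaller maximum size, before copying.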

    The Final Stretch! – Configuring Boot to VHD

    1) Copy the VHD file to the target machine

    a) create the following folder on the target machine

         c:\vhd

    b) copy your .VHD file to c:\vhd

    2) Use Disk Management to Attach VHD and obtain drive letter -

    Windows 7/2008 R2 – Click Start, type Computer, right click Computer, click Manage

    Windows 8/2012 - From the Start screen, type Computer, right click Computer, select Manage (bottom of screen)


    This opens the Computer Management console.

    Navigate to Storage –> Disk Management


     

    Right Click Disk Management, Select Attach VHD

    Browse to C:\VHD, double click on the .VHD file you copied there (make sure the Read Only box is NOT selected), Click Ok

     


    This will attach the VHD and assign drive letters to any partitions that are in the VHD. You can identify the newly attached VHD by the light blue icon next to the Disk # designation.

    In my example, I created a 20GB VHD file that I installed Windows 8 to. You will note that it has two partitions: a small System Reserved partition, and the remaining space in the main partition.

    You will need to make note of the drive letter assigned to the LARGER partition (not the System Reserved partition). This is the partition where the \windows directory resides. You can confirm this in Explorer by navigating to the drive letter and looking for the \windows directory.

    Important – Do not delete or modify any files!!!

     


    Once you have confirmed the drive letter where the \windows directory resides you have to open another administrative CMD prompt to execute one final command and then we are done!

    1 ) Open a CMD prompt with administrative privileges

    Windows 7/2008 R2 – Click Start, type CMD, right click CMD, select Run as Administrator

    Windows 8/2012 – From the Start screen, type CMD, right click Command Prompt, select Run as Administrator (bottom of screen)

    Once you have the CMD prompt open, type the following -

    bcdboot ?:\windows             <do NOT press Enter yet!!!>

    Replace the ? with the drive letter you identified above (for example, bcdboot F:\windows). After you have confirmed your drive letter and syntax, press Enter.

    You should see – Boot files successfully created.

     


    If you get ANY other message, the most likely cause is that you did not open the CMD prompt with Administrative privileges. Simply close the CMD prompt, re-open it as an administrator and attempt the command again. The other common cause is the wrong drive letter: confirm that the letter you typed is the partition that actually contains \windows, not the System Reserved partition.

    Reboot! And walk through Windows Setup

    Once you receive the “successfully” message above, you are done!  All that is left to do is reboot your system and select the appropriate version of Windows to boot to.  By default, the newly added Boot to VHD will become the default Operating System. So if you simply reboot and walk away, it will reboot to the VHD file. You can of course change this by using MSCONFIG to set your preferred OS to be the default.

    Removing Boot to VHD

    Removing Boot to VHD is super simple.

    1) If you are in your Boot to VHD operating system, restart your PC and select a different OS.

    2) Open MSCONFIG, select the Boot Tab, highlight the Boot to VHD OS you wish to remove, click delete


    This will remove the entry from the Operating System selection screen at bootup.

    3) Navigate to where you stored the .VHD file used for Boot to VHD

    Copy or move the file if you wish to save it

    Delete the file to recover hard drive space

    Done!   That simple!
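    The configure and remove steps above, scripted for an elevated PowerShell prompt on the target workstation (an added example, not part of the original post; the VHD path and menu description are placeholders). It shows two routes: the post's own, which attaches the VHD with DISKPART, finds the partition holding \Windows and lets bcdboot copy the boot files; and a second one using bcdedit alone, which needs no attach because it points a copied boot entry straight at the .vhd file. The removal function refuses to delete the entry you are currently booted from, which is why the post tells you to restart into a different OS first.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the target workstation. The VHD path and menu description are placeholders;
# bcdedit's English output format is assumed when parsing.
$vhdPath     = 'C:\vhd\Win8-Reference.vhd'
$description = 'Windows 8 (Boot to VHD)'

function Invoke-Diskpart {
    # diskpart takes its commands from a script file (/s); write one to a temp file and run it.
    param([string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        & diskpart.exe /s $script | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed (exit $LASTEXITCODE) running: $($Commands -join '; ')" }
    } finally { Remove-Item -Path $script -ErrorAction SilentlyContinue }
}

# Route 1, the one in the post: attach the VHD, find the partition holding \Windows, run bcdboot.
# bcdboot copies the boot files and makes the new entry the default OS.
function Add-VhdBootEntryWithBcdboot {
    param([string]$VhdPath)
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }
    $before = [System.IO.DriveInfo]::GetDrives() | ForEach-Object { $_.Name }
    Invoke-Diskpart @("select vdisk file=`"$VhdPath`"", 'attach vdisk')
    Start-Sleep -Seconds 5                                   # give the new volumes time to mount
    $newDrives = [System.IO.DriveInfo]::GetDrives() | Where-Object { $before -notcontains $_.Name }
    # The larger partition is the one with \Windows; the System Reserved partition has no kernel.
    $winDrive = $newDrives | Where-Object { Test-Path -LiteralPath (Join-Path $_.Name 'Windows\System32\ntoskrnl.exe') } | Select-Object -First 1
    try {
        if (-not $winDrive) { throw "No \Windows directory found on the attached VHD's partitions" }
        & bcdboot.exe (Join-Path $winDrive.Name 'Windows')   # e.g. bcdboot F:\Windows
        if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
    } finally {
        Invoke-Diskpart @("select vdisk file=`"$VhdPath`"", 'detach vdisk')
    }
}

# Route 2: no attach needed. Copy the host's own boot entry and point it at the VHD.
# bcdedit wants the path as vhd=[C:]\vhd\file.vhd: the volume in brackets, then the path on it.
function Add-VhdBootEntryWithBcdedit {
    param([string]$VhdPath, [string]$Description)
    if ($VhdPath -notmatch '^([A-Za-z]:)(\\.+)$') { throw "Expected a full local path like C:\vhd\file.vhd, got $VhdPath" }
    $vhdSpec = "vhd=[$($Matches[1])]$($Matches[2])"
    $text = (& bcdedit.exe /copy '{current}' /d $Description | Out-String)
    if ($text -notmatch '\{[0-9a-fA-F-]{36}\}') { throw "bcdedit /copy failed: $text" }
    $id = $Matches[0]
    & bcdedit.exe /set $id device   $vhdSpec | Out-Null
    & bcdedit.exe /set $id osdevice $vhdSpec | Out-Null
    & bcdedit.exe /set $id detecthal on      | Out-Null
    # Unlike bcdboot, /copy leaves the host OS as the default; run "bcdedit /default $id" to change that.
    return $id
}

# Removal: the command-line equivalent of deleting the entry on the MSCONFIG Boot tab.
function Remove-VhdBootEntry {
    param([string]$Description)
    $text = (& bcdedit.exe /enum osloader | Out-String)
    # Entries are blank-line separated blocks of "name   value" lines.
    $ids = foreach ($block in ($text -split '(?:\r?\n){2,}')) {
        if ($block -match "(?m)^description\s+$([regex]::Escape($Description))\s*$" -and
            $block -match '(?m)^identifier\s+(\{[^}]+\})') { $Matches[1] }
    }
    if (-not $ids) { throw "No boot entry with description '$Description'" }
    foreach ($id in $ids) {
        # bcdedit reports the running OS's entry as {current}: never delete the OS you are booted from.
        if ($id -eq '{current}') { throw "'$Description' is the running OS; restart into a different OS first" }
        & bcdedit.exe /delete $id /cleanup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /delete $id failed" }
    }
    # The .vhd file itself is untouched: copy it somewhere safe, or delete it to reclaim the space.
}

# Usage (pick one route to add; removal matches the description given to route 2):
#   Add-VhdBootEntryWithBcdboot -VhdPath $vhdPath
#   Add-VhdBootEntryWithBcdedit -VhdPath $vhdPath -Description $description
#   Remove-VhdBootEntry -Description $description
```

    Route 1 names the new entry after whatever the OS inside the VHD calls itself; route 2 uses the description you pass, which is what Remove-VhdBootEntry later looks for. Both still need the BitLocker and free-space requirements above to hold.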

     

    Wrapping up Boot to VHD

    One of my favorite things about Boot to VHD is that you are only constrained by disk space as far as the number of operating systems you can configure for Boot to VHD. A single 1 Terabyte drive can hold 10, 20, or more .VHD files that are all configured for Boot to VHD. All of them can be stored in the c:\VHD directory without fear of operating systems stepping on each other because they are all self contained in the respective VHD files.

    If you are CAREFUL, you can even attach the other .VHD files to access data in the operating systems.

    Each Boot to VHD image has full access to all hardware resources on the host PC. There is no virtualization layer that blocks access to FireWire, USB, etc. You have full hardware access. The flip side is that there is no isolation either: the OS you boot from a VHD is an administrator on the physical machine and can read and write the host’s other volumes and every other .VHD file in c:\VHD, so don’t treat Boot to VHD images as a security boundary the way you would a virtual machine.

    Finally, it is possible to move the .VHD files back into Hyper-V, but there are some steps that have to take place, and I will leave those for another blog post!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Last Chance!! – Register for TechDays in San Francisco!

    • 0 Comments

    My friends over at the PacIT Pros User Group are holding another Tech Days event in a few weeks. I will be presenting a couple of sessions on Windows Azure IaaS at the event. There are also a lot of other great speakers that will be in attendance. If you will be in the area, check out the info on the event below!

    ----------------------------------------------------------------------

    Do you ask yourself if your job skill sets are current? Do you wonder what changes are happening in the industry that you must know? Are you nervous about starting to learn something outside of your core skills but need a bit of help to get started? This is WHY we put together TechDays and WHY you should register.

    Learn IT today, use IT tomorrow

    TechDays-SF has an awesome lineup of speakers and you can't beat the price given the quality of such presenters as Mark Minasi, Jeff Hicks, Darren Mar-Elia, Steve Evans, Laura Hunter, Christa Anderson, Kevin Remde + many more we have lined up so please help us spread the word and max out the events 200 attendee capacity. It will again be $300 for the two days and the registration page is up and available. In addition, we have added the event to Lanyrd - a popular site for listing and interacting with conferences in a social way. Plus this year we will be utilizing EventBoard to host the Mobile app and allow you to provide feedback on the sessions.

    Please plan on attending and register at the website. Also, please pass this on and invite a friend or colleague to join us! Remember, you only get out of user group events what you put into it!

    Conference Date: May 2nd, 2013 – May 3rd, 2013

    Cost: $300US for two days (multiple tracks)

    REMINDER: Register so we can continue to support our excellent user group content and events throughout the year!

    Location:
    Microsoft, San Francisco Office

    835 Market Street, Suite 700
    San Francisco, CA 94103

    Follow us on Twitter, LinkedIn and Facebook!

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Online Training - System Center 2012 SP1: Application & Infrastructure Management

    • 0 Comments

    Microsoft Technical Communities

    System Center 2012 TechTrax Train the Trainer
    System Center 2012 SP1: Application & Infrastructure Management
    Join us on May 2nd and May 9th for two TechTrax Train the Trainer sessions on System Center 2012 SP1 led by Microsoft Senior Technical Evangelist Symon Perriman.
    System Center 2012 SP1 provides the industry's best infrastructure and application management solutions using Virtual Machine Manager (VMM), App Controller (SCAP), Operations Manager (SCOM), Orchestrator (SCO), Service Manager (SCSM) and Data Protection Manager (DPM). Symon will focus on Infrastructure Management on May 2nd and Application Management on May 9th and will walk you through the key messages, features and demos as you learn how to provision infrastructure and private clouds. You will learn how developers and operations ("DevOps") can enhance the application development lifecycle, how to deploy and manage applications, and how to operate this private cloud infrastructure.

    About Microsoft Senior Technical Evangelist
    Symon Perriman

    As Microsoft's corporate Senior Technical Evangelist covering Private Cloud, Virtualization & System Center, Symon Perriman is a recognized industry expert in datacenter management, cloud, virtualization, high-availability, disaster recovery, mobile technologies and social media. Previously he spent four years as a Program Manager on the Server Clustering & High-Availability team and has been working in the technology industry since 2002. Symon holds several patents and industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP).
    Find out more & connect with Symon:

    - TechNet

    - Channel 9

    - Twitter

    - LinkedIn

    About TechTrax Train the Trainer
    The TechTrax Train the Trainer series, sponsored by Microsoft Technical Communities (MSTC) features webcasts and content for IT professionals on Microsoft products. The series delivers technical content and guidance to help speakers and leaders inform user group communities about practical applications of Microsoft solutions. Community leaders that are registered and approved in the MSTC portal have the opportunity to request funding to support events based on the Microsoft products featured in the TechTrax series.

     

    Register today!


    Event:
    System Center 2012 SP1:
    Infrastructure Management

    Date: May 2nd 
    Event Time: 8:00 AM PDT
    (click here to convert time)
    Length: 60 minutes
    Location: Lync Online

    Event: System Center 2012 SP1:
    Application Management

    Date: May 9th
    Event Time: 8:00 AM PDT 
    (click here to convert time)
    Length: 60 minutes 
    Location: Lync Online



     

  • chris e. avis - writing about microsoft and technology....

    Active Directory: Differences Between On Premise and In the Cloud – Part 2

    • 0 Comments

    To my faithful readers – My Apologies. In my previous article on Active Directory: Differences Between On Premise and In the Cloud, I neglected to include the single biggest (and most obvious) difference between traditional, on-premise Active Directory and Windows Azure Active Directory.

    I touched briefly on Authentication and Authorization in the previous article, but I failed to point out that Windows Azure Active Directory is not designed to handle, and does not handle, authentication of computer accounts for workstations logging on to a Windows domain.

    One of the ways in which Active Directory integrates the identity of network objects with network security is by managing logon authentication as well as authorization to network resources. Active Directory is designed to be capable of authenticating user identity and authorizing or blocking user access to network resources for users of computers that run not only Windows operating systems but also operating systems other than Windows. The following diagram lays out much of what Active Directory is capable of and responsible for.

     

    Figure 1.1. Active Directory's central role in supporting a network infrastructure

     

    What we have to keep in mind though is that Active Directory started out as an on-premise directory service. Some of the most common things we do with Active Directory are -

    Authenticate/Authorize User Accounts

    Authenticate/Authorize Computer Accounts

    Manage Security Group Memberships

    This in turn allows us to apply Group Policy to Computer and User accounts based upon whether they authenticate, what groups they are members of, and what they are authorized to do. THIS is the key difference I failed to call out. Do not expect Windows Azure Active Directory to be a replacement for on-premise Active Directory when it comes to authenticating, authorizing and applying Group Policy.

    When a computer is on the local network, connected via RAS/VPN, or even connected via DirectAccess, it gets information (usually from DHCP) about the location of DNS servers on the local network, which in turn provide information (SRV records) about the location of various network services, including Domain Controllers. Domain Controllers are the masters of the Active Directory implementation and handle authentication, authorization and Group Policy for the computers and users that make requests. All of this is built into the clients: Windows client OSes are built to query DNS on the local network for a DC, and then to ask that DC what they can and cannot do. Windows client OSes also rely on protocols like RPC that are not transportable over the open Internet without first being packaged or encapsulated. In other words, there would have to be modifications made to the Windows client OS for it to point at Windows Azure Active Directory instead.
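    The DNS side of that DC lookup, made visible (an added example that is not part of the original post; the domain name is a placeholder). Domain-joined clients find domain controllers through SRV records under _msdcs, which only exist on the corporate DNS servers; off the network, or without a VPN, those queries simply fail, which is the practical reason a client cannot point itself at a cloud directory. Resolve-DnsName needs Windows 8 / Windows Server 2012 or later; on Windows 7, nslookup -type=SRV makes the same query.

```powershell
# Added example (not from the original post). Shows the DNS lookups a domain-joined
# client makes to locate a domain controller. The domain name is a placeholder.
# Resolve-DnsName needs Windows 8 / Windows Server 2012 or later; on Windows 7 use
# "nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>" for the same query.
function Find-DomainControllers {
    param([Parameter(Mandatory = $true)][string]$Domain)
    # A client first tries the SRV record for its own AD site; this is the site-independent one.
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $records | Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} |
        Select-Object @{n = 'DomainController'; e = { $_.NameTarget }}, Port, Priority, Weight
}

Find-DomainControllers -Domain 'corp.example.com'

# The DC Locator itself (what the client does after the DNS query): which DC it chose,
# the site it thinks it is in, and the flags (GC, PDC, KDC, time server) that drove the choice.
nltest /dsgetdc:corp.example.com
```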

    Windows Azure Active Directory also performs Authentication and Authorization, but it does not apply Group Policy to computer and user accounts. In my previous article we configured directory synchronization, but noticeably absent is any replication of Group Policy. WAAD in its current state is primarily used to provide users with a more seamless authentication experience as they access Microsoft cloud services while logged on to the corporate network. It is not a primary end-point for computer and user accounts looking to get Group Policy.

    WAAD is currently designed so application developers can integrate their applications with Windows Azure AD to provide single sign-on functionality for their users. This enables enterprise applications to be hosted in the cloud and to easily authenticate users with corporate credentials. It also enables SaaS providers to provide easier authentication for users in Windows Azure AD organizations when authenticating to their services. In other words, it is at the application layer that we look to WAAD for authentication and authorization, so we can tell the application what the user is allowed to do.

     

    I hope this clears up any confusion I may have left from my previous article!

     

    There are an excellent set of articles on the MSDN site that go into detail about WAAD protocols, WAAD API’s, and more information on AD integration and SSO.  I have linked those here -

     

    Supporting Information:

    TechNet Article: Active Directory Concepts

    MSDN Articles: Windows Azure Active Directory

    MSDN Article: Windows Azure Active Directory Authentication Protocols

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Content Series: Build Your Cloud in a Month!

    • 1 Comments
    The US IT Pro Evangelism Team has been working on another series of content!  This set is designed to help you learn to build out a cloud computing environment in a one month span. There is already some great content online with more to come!
    Week 1 – Build Your Private Cloud Foundation with Windows Server 2012
    Week 2 – Building Your Private Cloud Fabric with System Center 2012 SP1
    Week 3 – Configuring and Optimizing Your Private Cloud with System Center 2012 SP1
    Week 4 – Deploying and Servicing Applications in Your Private Cloud with System Center 2012 SP1
    Week 5 – Extending and Protecting Your Private Cloud
    Get ready to follow along!

    Get prepared to follow along with our article series this month by downloading Windows Server 2012, the FREE Hyper-V Server 2012, System Center 2012 SP1, and Windows Azure.  Once you have these components, you’ll be ready to follow along with us as we build your Private Cloud together!

    Want to get certified on Private Cloud?

    Prepare for the MCSE: Private Cloud certification exams with these popular FREE exam study guides:

    -Cheers!

  • chris e. avis - writing about microsoft and technology....

    Active Directory: Differences Between On Premise and In the Cloud

    • 0 Comments

    Two days ago, I wrote up a post called - Getting Started with Windows Azure Active Directory – Setting up the Windows Azure AD Tenant – In that post, I walk through how to configure the Windows Azure Active Directory tenant, but I don’t spend any significant time on why you would want to do this.

    It is important to understand the difference between Active Directory Domain Services that you run on a Domain Controller on-premise, and Windows Azure Active Directory running in the Azure cloud. Even though we connect them, and share information between the two, they serve different purposes and possibly even different users. This post intends to clarify this.

    Active Directory Domain Services

    The current name of “Active Directory” is Active Directory Domain Services, but I am going to use Active Directory and AD for this article. Active Directory has been the Microsoft directory service used in your on-premise infrastructure since the release of Windows 2000 Server. We use AD as a means of organizing objects in a hierarchical format that makes it easier for administrators to perform tasks. We should all be familiar with the basic AD structure at this point. From the top down we have -

    Forests

    Trees

    Domain

    Organizational Units

    Groups

    Resources & Security Principals

    For the most part, any object higher in the hierarchy can contain objects lower in the hierarchy. We use these objects to define our network both geographically and logically. Active Directory allows us to group related objects together for management and/or to apply security permissions to them. There is more that can be and is done, but on a day-to-day basis, this is what most admins spend their time doing.

    Active Directory on-premise is the means by which we authenticate and authorize users when they log on to a workstation, when they attempt to run an application, when they attempt to access a local web based portal, and even when they attempt to connect to a mail server to send/receive email. Active Directory contains objects that define the user, any groups they are a member of, and what rights and permissions they have as a user or as a member of a group or groups.

    One of the primary benefits of Active Directory is Single Sign-On. Because of the centralized administration and the organization of all AD objects within a single forest (and through the use of trust relationships), a user can log on to their workstation once at the beginning of a work day and never be presented with additional user ID and password prompts. This makes for a more seamless experience for end-users while unifying the security contexts and control for administrators.

    The key thing to understand here is that Active Directory Domain Services was developed for and is primarily used for managing on premise resources. These are resources and objects that are typically 100% under the control of company administrators. As the industry continues to shift to a more cloud based model, we need to extend Active Directory into the cloud.

     

    Windows Azure Active Directory

    With the recent announcement of the general availability of Windows Azure Infrastructure Services, we will see more businesses putting classic infrastructure components in the cloud. In fact, it is entirely possible for a new startup to be born in the cloud and live in the cloud while having no on-premise infrastructure (they may not even have a premise to be on!).

    More established companies will already have a significant investment in on-premise hardware and the infrastructure services used to make it all work. These companies will be looking at Windows Azure as a means of reducing future capital investment in hardware and other physical infrastructure, or of simplifying existing infrastructure. One of the components of Windows Azure that should be looked at is Windows Azure Active Directory (WAAD). It is important to understand the difference between WAAD and Active Directory Domain Services running on a Domain Controller.

    First, WAAD is not a stand-alone Active Directory service. In its current form, you will not be creating forests, domains, etc. in WAAD. WAAD is an extension of your existing on-premise AD structure. In fact, in the article I wrote 2 days ago - Getting Started with Windows Azure Active Directory – Setting up the Windows Azure AD Tenant – we prepare, configure and establish replication from your on-premise AD environment to WAAD. If you walk through this process, you will see a couple of notifications that once replication is established, you will still be using your on premise tools like Active Directory Users and Computers (ADUC) as the primary management tools to manage objects in Active Directory. Right now, the only objects you can manipulate in the portal are Users created in the WAAD portal, and specifically only those created as WAAD User types (more on this below).

    Let’s break away for a moment to see what we can do with users -

    Add new User to WAAD

    Once you have established replication between on premise AD and Windows Azure AD, select the Users tab and you will see a list of users. Pay close attention to the Sourced From column as it will tell you where the object actually lives. In my example below, some of the objects are Microsoft Accounts (@live.com, @outlook.com, etc based addresses), Local Active Directory (your on-premise AD), and Windows Azure Active Directory accounts.

    image

    Let’s add a new user in WAAD and see what happens. At the bottom of the admin portal, select Add User. On the first page of the wizard, we are prompted for the basics -

    Type of User -

    New user in your organization – this type of user account will be managed within your directory.

    User with an existing Microsoft account – select this type if the user needs to collaborate on Windows Azure resources with a co-administrator who accesses Windows Azure with a Microsoft account.

    User name – Provide a user name and then the drop down will be populated with any Windows Azure AD domains you have configured.

     

    image

    On the next page, we have the User Profile for which everything is self-explanatory except -

    Role -

    User – Basic users that will be accessing services

    Global Administrator – The all powerful admin. Global Administrators can do anything they want, including delete all Windows Azure services.

    (More on User Roles here - Assigning administrator roles)

     

    image

    The final screen has us set a temporary password and optionally send it in email -

    image

    Once we are finished, the new user will be listed in the Users tab of the Windows Azure admin portal. Since this user was created in the WAAD admin portal, and we did not specify it as having an existing Microsoft account, it is listed in the Sourced From column as a Windows Azure Active Directory account type.

    image

    The only accounts you can actually “manage” or delete through the WAAD portal are those that are designated as Windows Azure Active Directory Type. The only “management” you can do with these types of accounts is to change passwords, modify the options you specified during the Add User Wizard, and add some data to the Work Info tab.

    image

    You will notice though that there is no info for Domains, Organization Units or other logical groups that we are familiar with from ADDS in on-premise AD.

    The REAL difference between WAAD and ADDS

    As I mentioned before, WAAD is an extension of the on-premise Active Directory that we have used for years. I also mentioned that as businesses start to put more and more services and applications into the cloud, we have to have a way of connecting the two realms. Windows Azure Active Directory allows us to replicate user accounts from on-premise AD, which also extends Single Sign-On capabilities to cloud based applications. Now, as users log on to their workstations, we can offer cloud based services that have access to user information in WAAD, which allows users to connect without being prompted for additional information. This provides seamless access to the end-user, and administrators don’t have to maintain separate user account databases. Administrators can also use the same set of on-premise tools to make changes to user accounts in both places to maintain centralized administration. But we allow for some new user account types that may have special uses, or don’t have an on-premise equivalent. This provides flexibility for Administrators and Developers while maintaining centralized control.

    I hope this sheds some light on Windows Azure Active Directory, its differences, and how it complements what you are already running!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Office Hours–In Person or Virtual!

    • 0 Comments

    Just an update to let you know that I am available for in person or virtual Office Hours. I have posted my office hours through Ohours.org so please feel free to block off a time slot.

     

     

    -Cheers!

  • chris e. avis - writing about microsoft and technology....

    Getting Started with Windows Azure Active Directory – Setting up the Windows Azure AD Tenant

    • 0 Comments

    Windows Azure Active Directory (WAAD) is a new Windows Azure service that provides Identity and Access Management capabilities via the Windows Azure cloud. It is primarily designed to provide this service for cloud/web based applications that need to access your local Active Directory information. But it can also be integrated directly with your on-premise Active Directory to enable single sign-on capabilities through directory synchronization. This allows your application developers to integrate their applications with your existing Windows Active Directory without having to maintain a separate, unique user base for identity management.

    In this post, I am going to walk through the process of

     

    Creating a Windows Azure account

    Create a new directory in Windows Azure Active Directory

    Preparing for Directory Synchronization

    Configuring Directory Synchronization

     

    Creating a Windows Azure account

    If you do not have an account, you can get one here – Sign up for a Free 90 Day Windows Azure Account

     

    Create a new directory in Windows Azure Active Directory

    Once you have logged into the Windows Azure Admin portal, you will need to create a new directory -

    image

     

    You will be prompted to create a new directory name. By default, this will reside in a “.onmicrosoft.com” domain space, but you will be given the opportunity later on to join to an existing, on-premise AD domain (like “mycompany.local”)

    image

    Once you continue from this screen, Windows Azure will begin provisioning the AD Name space provided. In my experience, this usually takes no more than 1-2 minutes.

    image

    Once it has been provisioned, click on the name space. Here you will have several options -

    Users - Allows you to add users to the default name space we just created

    Integrated Apps – Allows you to enable single sign-on for web based applications that require access to your Active Directory data. This requires you to register the application with AD. To register the app you have to tell WAAD the name of the application and the type of access it needs to AD – Single Sign-On, Single Sign-On + Read Directory Data, or Single Sign-On + Read/Write Directory Data. In all cases, you will also have to provide the URL endpoint for the application and a unique App ID URI. The App ID URI is a logical application identifier (app developers should read the following - Application Objects and Service Principal Objects)

    Domains – Allows you to add custom internet domains to the Windows Azure AD administration. This is NOT your on-premise domain for Active Directory. This is your public facing, custom domain name (i.e., mycompany.com). You can add multiple domains to Windows Azure AD. However, you can’t add the same domain to multiple Windows Azure AD tenants. As such, for testing, I would NOT recommend that you start with your active production company domains. You can delete domains though, so it is simple enough to delete a domain and then add it to another Windows Azure AD tenant.

    Directory Integration – This is where we can synchronize our on-premise active directory with Windows Azure AD

    image

     

    Preparing for Active Directory Synchronization

     

    NOTE - Activating directory synchronization should be considered a long-term commitment. After you have activated directory synchronization, you can only edit synchronized objects by using your on-premises Active Directory management tools. Before you start this process, I highly encourage you to read this article on – Preparing for Directory Synchronization.

    One of the key elements to setting up Directory Synchronization between your on-premise active directory and Windows Azure AD is having a designated directory synchronization computer. This machine will have the Directory Synchronization tool installed to it which allows local AD to synchronize with WAAD.

    The directory synchronization computer must meet the following requirements:

    • It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:
      • 64-bit edition of Windows Server 2008 Standard or Enterprise, Windows Server 2008 R2 Standard or Enterprise, or Windows Server 2008 Datacenter or Windows Server 2008 R2 Datacenter.
      • 64-bit edition of Windows Server 2012 Standard or Datacenter.
    • It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for writeback. This is not the case if you do not have rich co-existence enabled.
      The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.
    • It cannot be a domain controller. The Directory Sync tool cannot be installed on Active Directory domain controllers.
    • It must run Microsoft .NET Framework 3.x. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:
    • It must run Windows PowerShell: If you are running Windows Server 2003, you need to download Windows PowerShell. If you are running Windows Server 2008, you need to enable Windows PowerShell. For more information, see Install Windows PowerShell on the directory sync computer.
    • It must be located in an access-controlled environment. Access to the computer that is running the Directory Sync tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.
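    The requirement list above is easy to check by hand on one machine and easy to get wrong on the next. The script below is an added example (mine, not part of the original post or of the Directory Sync tool) that runs the same checks from an elevated PowerShell prompt on the machine you intend to use. The function name is my own; the supported OS names and the DomainRole values come from the list above and from WMI.

```powershell
# Added example: pre-flight checks for a prospective directory synchronization
# computer. Run elevated on that machine. Not part of the original post.

function Test-DirSyncHost {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results = @()

    # 1. 64-bit Windows Server 2008 / 2008 R2 / 2012, per the requirement list
    $osOk = ($os.OSArchitecture -eq '64-bit') -and
            ($os.Caption -match 'Windows Server 2008|Windows Server 2012')
    $results += New-Object PSObject -Property @{
        Check = '64-bit Windows Server'; Passed = $osOk
        Detail = "$($os.Caption) ($($os.OSArchitecture))" }

    # 2. Joined to the forest you plan to synchronize
    $domainDetail = if ($cs.PartOfDomain) { $cs.Domain } else { 'Workgroup: ' + $cs.Workgroup }
    $results += New-Object PSObject -Property @{
        Check = 'Domain joined'; Passed = [bool]$cs.PartOfDomain; Detail = $domainDetail }

    # 3. Not a domain controller (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC)
    $results += New-Object PSObject -Property @{
        Check = 'Not a domain controller'; Passed = ($cs.DomainRole -lt 4)
        Detail = "DomainRole = $($cs.DomainRole)" }

    # 4. .NET Framework 3.x present (the installer writes the v3.5 registry key)
    $net35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' `
                              -ErrorAction SilentlyContinue
    $netDetail = if ($net35) { "Version $($net35.Version)" } else { 'not installed' }
    $results += New-Object PSObject -Property @{
        Check = '.NET Framework 3.5'; Passed = (($net35 -ne $null) -and ($net35.Install -eq 1))
        Detail = $netDetail }

    # 5. Windows PowerShell: we are running inside it, so just record the version
    $results += New-Object PSObject -Property @{
        Check = 'Windows PowerShell'; Passed = $true
        Detail = "Version $($PSVersionTable.PSVersion)" }

    # 6. Access-controlled environment: list the local Administrators so the set
    #    can be compared with the people allowed to change domain controllers.
    #    This one needs a human decision, so Passed is left empty.
    $admins = @(net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command completed|-+)' })
    $results += New-Object PSObject -Property @{
        Check = 'Local Administrators reviewed'; Passed = $null
        Detail = ($admins -join ', ') }

    return $results
}

Test-DirSyncHost | Format-Table Check, Passed, Detail -AutoSize
```

    Anything that shows Passed = False should be fixed before you install the Directory Sync tool; the last row is a reminder that the machine ends up holding credentials with write access to the forest, so its administrator list deserves the same review as a domain controller's.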

     

     

    Once you have identified a machine to use as the Directory Synchronization machine, there are a series of items to walk through -

    Add and verify domains – If you will be enabling single sign-on for applications, you will need to add at least one custom domain. This is performed on the Domains tab in the Windows Azure admin portal. In my example, I have added my public facing domain. It is listed as unverified. To verify it, click the Verify button at the bottom of the page. In my case, I was instructed to go back to the Directory Integration Page and follow the direction there.

    image

    Depending on how you have added your custom domain, you will have to verify it. In most cases, verification will be handled on the Directory Integration page.

    Note: You may need to force a refresh of the admin portal to see the verification steps. To force a refresh, hold the CTRL key on the keyboard while refreshing the page in your browser.

    Each of the items links to necessary resources you should review.

    image

     

     

    Prepare for directory sync - Next, you should verify that your AD environment is properly configured and that any issues you have are resolved. You can verify this easily using the Microsoft Deployment Readiness Tool. This tool inspects your Active Directory environment, and then provides a report that includes a prerequisite check and an attribute assessment that are specific to the Directory Sync tool requirements. If your environment doesn’t meet these requirements, the tool lists the changes you have to make before you can begin directory synchronization. It’s much easier to make directory changes before you activate and install the Directory Sync tool than to troubleshoot configuration errors after you have activated directory synchronization.

    Install and Run the Microsoft Deployment Readiness Tool

    One of the more common issues you will need to address is the addition of User Principal Name suffixes -

    Add User Principal Name Suffixes

    Once you have addressed any issues revealed by the Microsoft Deployment Readiness Toolkit, you can move on to setting up directory synchronization.
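    The UPN suffix problem the readiness tool flags most often is users whose UPN ends in an internal suffix such as mycompany.local, which no public domain can verify. The script below is an added example (my own, not from the original post or the readiness tool) that reports which enabled users would not sync with a routable UPN, adds the verified public domain as a forest UPN suffix, and previews the UPN rewrite. It assumes the ActiveDirectory module (RSAT) is installed and uses mycompany.com as a placeholder for whichever domain you verified on the Domains tab.

```powershell
# Added example: find users whose UPN suffix is not a domain verified in
# Windows Azure AD, then fix the forest and the users. Not part of the post.

Import-Module ActiveDirectory

function Get-UpnSuffixReport {
    param(
        [string[]]$VerifiedDomains,                           # domains shown as Verified in the portal
        [string]$SearchBase = (Get-ADDomain).DistinguishedName # narrow to an OU if you like
    )
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName
    foreach ($u in $users) {
        $suffix = if ($u.UserPrincipalName) { $u.UserPrincipalName.Split('@')[-1] } else { $null }
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            Suffix            = $suffix
            # Only a verified public domain gives the user the same UPN in the cloud;
            # anything else ends up under the tenant's .onmicrosoft.com name.
            RoutableInWAAD    = ($VerifiedDomains -contains $suffix)
        }
    }
}

$publicDomain = 'mycompany.com'   # placeholder: your verified custom domain

$report = Get-UpnSuffixReport -VerifiedDomains $publicDomain
$report | Where-Object { -not $_.RoutableInWAAD } |
    Format-Table SamAccountName, UserPrincipalName, Suffix -AutoSize

# 1) Register the public domain as an allowed UPN suffix on the forest (Enterprise Admin rights).
Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{Add = $publicDomain}

# 2) Preview the rewrite of the affected users' UPNs. Remove -WhatIf once the list looks right.
$report | Where-Object { -not $_.RoutableInWAAD } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName `
               -UserPrincipalName ("{0}@{1}" -f $_.SamAccountName, $publicDomain) -WhatIf
}
```

    Run the report first and keep the output; a UPN change is visible to users (it is what they type to sign in to cloud services), so it is worth doing in batches rather than across the whole forest at once.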

    Prepare for Single Sign-On – Follow the guidance in these articles if you will be performing SSO with Office365, Windows InTune, or other applications -

    TechNet: Prepare for Single Sign-On

    TechNet: Plan your AD FS Deployment

    Download and install the prerequisites for Windows PowerShell cmdlets for Windows Azure AD

    Note – these require that you have the .NET framework 3.5 SP1 or later enabled on the machine

    Download 32 Bit prerequisites

    Download 64 Bit prerequisites

    Download and install the Windows PowerShell cmdlets for Windows Azure AD

    Download 32 Bit cmdlets

    Download 64 Bit cmdlets

    Configure Domains for Single Sign-On

    TechNet: Set up a trust between AD FS and Windows Azure AD

    Verify Single Sign-On - Verify Single Sign-On is working between your on-premise AD and WAAD

    TechNet: Verify and manage single sign-on with AD FS

    Finally, activate directory synchronization in Windows Azure Active Directory by clicking on “Activated” next to Directory sync on the Directory Integration page, then click “Save” at the bottom of the page -

    image

    Windows Azure Active Directory is now enabled for directory synchronization. The next step is to make sure you have the Directory Sync tool installed to a capable machine then run it to synchronize from your local AD to WAAD.

    Download and Install the Directory Synchronization tool

    The tool must be installed with LOCAL administrative rights. The only item to configure during the install is the install path. Be patient when you get to the “Installing Components” screen. It may take up to 10 minutes for this to complete.

     

    image

     

    Once setup is complete, click Finish to start the Configuration Wizard and start your first Sync.

    image

     

    The first thing you will be prompted for is the credentials the DirSync tool needs to connect to your Windows Azure Active Directory. Provide the credentials then click next -

    image

     

    Next, you will be prompted for the credentials for an on-premise Active Directory Enterprise Administrator. Enter the credentials then click next -

    image

    If you have Exchange in your environment, the tool will detect it in Active Directory and allow you to enable an Exchange Hybrid Deployment. In my case, I no longer have Exchange deployed locally and instead use Office365 (which is why I am configuring all of this!) – Click Next

    image

    The next screen shows the progress for the tool configuration. Click Next when it finishes -

    image

    This final screen prompts you to synchronize your directories. Click Finish to start the sync. The amount of time it takes to synchronize depends on how many objects you have in your local AD.

    image

     

    Next, we need to verify synchronization.

    TechNet: Verify directory synchronization

    The simplest means of verifying is to just login to the Windows Azure portal, select Active Directory, then select the Users tab. You should see users from your local active directory begin to get populated in Windows Azure AD. In my example, all of the on-premise AD domain accounts for users have now been synchronized with Windows Azure Active Directory -

    image

     

    From here you have some additional options.

    Manage Service Account – The Directory Sync tool creates and uses a service account called - MSOL_AD_SYNC – which will be subject to password policies set by your administrators and Group Policy.

    TechNet: Manage Directory Sync Tool Service Account

    Add a new custom domain with single sign-on - Use Windows PowerShell cmdlets to add a custom domain for federation to Windows Azure AD

    TechNet: Adding a new custom domain

    Configure an existing custom domain for single sign-on - Use Windows PowerShell cmdlets to convert an existing standard domain to a federated domain

    TechNet: Convert a domain to single sign-on

    Convert to a standard domain - Use Windows PowerShell cmdlets to convert an existing federated domain to a standard domain

    TechNet: Using the Convert-MsolDomainToStandard cmdlet
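    The verification step above, the Sourced From column from the earlier post on WAAD user types, and the Global Administrator role described there can all be checked without the portal once the Windows Azure AD cmdlets linked above are installed. The script below is an added example of mine, not from the original posts or Microsoft's documentation: it reads the tenant's sync state, rebuilds the Sourced From view from the user attributes the sync tool sets, lists Global Administrators, and shows the cmdlet form of the Add User wizard. The function names and the sample user are placeholders; Microsoft accounts added to the tenant are not told apart from cloud-managed users here.

```powershell
# Added example: portal checks done with the MSOnline cmdlets. Not part of the posts.

Import-Module MSOnline
Connect-MsolService   # prompts for the Windows Azure AD admin credentials

function Get-DirSyncStatus {
    # Equivalent of the "Activated" switch and "Verify directory synchronization".
    $company = Get-MsolCompanyInformation
    $minutes = $null
    if ($company.LastDirSyncTime) {
        $minutes = [int]((Get-Date).ToUniversalTime() - $company.LastDirSyncTime).TotalMinutes
    }
    New-Object PSObject -Property @{
        DirSyncEnabled   = $company.DirectorySynchronizationEnabled
        LastDirSyncTime  = $company.LastDirSyncTime   # empty until the first sync completes
        MinutesSinceSync = $minutes
    }
    # Activation itself is Set-MsolDirSyncEnabled -EnableDirSync $true; as the note
    # above says, treat that as a long-term commitment, so it is not run here.
}

function Get-UserSourceReport {
    # Synced users carry LastDirSyncTime and an ImmutableId (the on-premise objectGUID);
    # users created in the WAAD portal have neither. Mirrors the "Sourced From" column.
    Get-MsolUser -All | ForEach-Object {
        $source = if ($_.LastDirSyncTime) { 'Local Active Directory' } else { 'Windows Azure Active Directory' }
        New-Object PSObject -Property @{
            UserPrincipalName = $_.UserPrincipalName
            SourcedFrom       = $source
            LastDirSyncTime   = $_.LastDirSyncTime
            BlockCredential   = $_.BlockCredential     # $true = sign-in blocked
        }
    }
}

function Get-GlobalAdministrators {
    # The portal's Global Administrator role is "Company Administrator" in MSOnline.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object DisplayName, EmailAddress, IsLicensed
}

function New-WaadCloudUser {
    # Cmdlet form of the Add User wizard: temporary password, change at first sign-in.
    param([string]$UserPrincipalName, [string]$DisplayName, [string]$TempPassword)
    New-MsolUser -UserPrincipalName $UserPrincipalName -DisplayName $DisplayName `
                 -Password $TempPassword -ForceChangePassword $true
}

Get-DirSyncStatus
Get-UserSourceReport | Sort-Object SourcedFrom |
    Format-Table UserPrincipalName, SourcedFrom, LastDirSyncTime, BlockCredential -AutoSize
Get-GlobalAdministrators | Format-Table -AutoSize
# New-WaadCloudUser -UserPrincipalName 'testuser@mycompany.onmicrosoft.com' -DisplayName 'Test User' -TempPassword 'P@ssw0rd-placeholder'
```

    The Global Administrators list is the one worth scheduling: the earlier post points out that this role can delete every Windows Azure service, so any member you did not add yourself should be explained before the next sync, not after.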

     

    I hope this information helps you with getting Active Directory configured in Windows Azure!

     

     

    Additional Resources:

    Identity and Windows Azure Active Directory

    WAAD – Integrated Applications

    TechNet: Windows Azure Active Directory

    TechNet: Prepare for directory synchronization


    Cheers!

  • chris e. avis - writing about microsoft and technology....

    2nd Annual Executive Forum The IT Summit

    • 1 Comments


    SITPUG - The Seattle IT Pro User Group (Formerly WNUG – Windows Networking User Group) is one of the sponsors of the upcoming IT Summit taking place next week. The SITPUG folks are a great user group that meets on the first Wednesday of every month over at the Microsoft Lincoln Square building in Bellevue, WA. I invite you to check out their monthly meetings as well as support the IT Summit next week.

    SITPUG’s Founder and UG Leader – Zubair Alexander – will be delivering a presentation on “Active Directory Changes in Windows Server 2012” at the summit.

    Landmark Leadership Conferences for IT Executives

    2nd Annual Executive Forum Invitation

    The IT Summit

    Wednesday, April 24, 2013

    8:00 - 4:30

    Safeco Field

    Intended for IT Leaders

    CIOs, CISOs, VPs of IT, Directors of Technology, IT Managers, and other decision makers and their trusted advisors with management responsibility for information technology

    Why You Should Attend

    In a single day, The IT Summit creates a focused environment for IT professionals to share experiences, learn from your peers, and interact with those organizations that create new technologies. We provide real-world educational resources for you to deploy within your organization. You are welcome to share your invitation with coworkers and associates so they, too, may register and enjoy the benefits of The IT Summit.

    http://www.theitsummit.com/registration/?id=1165

    REGISTER NOW! Registration Code: SE3115

    Powerful Speakers

    Bill Kehoe, CIO, King County

    Bryant Bradbury, Deputy CISO, City of Seattle

    Ralph Johnson, President, Holistic Information Security Practitioners Institute

    and many, many others

    REGISTER NOW! Registration Code: SE31115

     

    -Cheers!

  • chris e. avis - writing about microsoft and technology....

    Windows Azure Infrastructure as a Service is now open for business!

    • 0 Comments

    For the past year, our Worldwide IT Pro Evangelism teams have been speaking to customer’s about Windows Azure Infrastructure as a Service. We have been showing off preview versions of Windows Azure Active Directory Services, Windows Azure Virtual Machines and more.

    Today we move from “preview” to general availability! What this really means is that we have moved from “beta” to “production” and these services are now fully ready for prime time!

    Not only have we made these services available for production, we have also added some new features and enhancements -

    New high memory VM instances (28GB/4 core and 56 GB/8 core) to run your most demanding workloads.

    New Microsoft validated instances including SQL Server, SharePoint, BizTalk Server, and Dynamics NAV (and more!)

    More competitive pricing (21% – 33% reduction for IaaS and PaaS workloads)

    Windows Azure Virtual Networks – to securely connect on premise to Windows Azure

    Default OS disk size increase

    Remote PowerShell commands enabled by default

    image

    Get your Windows Azure 90 Day Free Trial NOW! 

     

     

    If you haven’t tested out Windows Azure Infrastructure as a Service yet, now is the time to do so! The Windows Azure 90-day Trial is FREE! Within minutes you can get signed up and have your first virtual machines provisioned in the cloud. From there it is easy to start testing out all of the new features!

     

    Get your Windows Azure 90 Day Free Trial NOW! 

    Windows Azure Infrastructure Services Landing Page

    Windows Azure Infrastructure Services Support Forums

    ScottGu’s Blog - Windows Azure: General Availability of Infrastructure as a Service (IaaS)

    Windows Azure Developer Center

    The official announcement is posted here – Windows Azure Team Blog – The Power of ‘And’

     

    -Cheers!

  • chris e. avis - writing about microsoft and technology....

    TechDays Event coming up in San Francisco….

    • 0 Comments

    My friends over at the PacIT Pros User Group are holding another Tech Days event in a few weeks. I will be presenting a couple of sessions on Windows Azure IaaS at the event. There are also a lot of other great speakers that will be in attendance. If you will be in the area, check out the info on the event below!

    ----------------------------------------------------------------------

    Do you ask yourself if your job skill sets are current? Do you wonder what changes are happening in the industry that you must know? Are you nervous about starting to learn something outside of your core skills but need a bit of help to get started? This is WHY we put together TechDays and WHY you should register.

    Learn IT today, use IT tomorrow

    TechDays-SF has an awesome lineup of speakers and you can't beat the price given the quality of such presenters as Mark Minasi, Jeff Hicks, Darren Mar-Elia, Steve Evans, Laura Hunter, Christa Anderson, Kevin Remde + many more we have lined up, so please help us spread the word and max out the event's 200-attendee capacity. It will again be $300 for the two days and the registration page is up and available. In addition, we have added the event to Lanyrd - a popular site for listing and interacting with conferences in a social way. Plus this year we will be utilizing EventBoard to host the Mobile app and allow you to provide feedback on the sessions.

    Please plan on attending and register at the website. Also, please pass this on and invite a friend or colleague to join us! Remember, you only get out of user group events what you put into it!

    Conference Date: May 2nd, 2013 – May 3rd, 2013

    Cost: $300US for two days (multiple tracks)

    REMINDER: Register so we can continue to support our excellent user group content and events throughout the year!

    Location:
    Microsoft, San Francisco Office

    835 Market Street, Suite 700
    San Francisco, CA 94103

    Follow us on Twitter, LinkedIn and Facebook!

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Windows Azure Active Directory: Ready for Production with over 265 Billion Authentications & 2.9 Million Organizations Served!

    • 0 Comments
    (Note – Repost from Windows Azure Blog - http://aka.ms/y4b3yc)

    Last week we shared how Enterprises can benefit by integrating Windows Azure into their business strategy.  Having a strong enterprise identity strategy is a key component for enabling new applications and infrastructure in the cloud. Today, we’re excited to share that Windows Azure Active Directory (AD) has reached general availability and is now ready for production use!  

    Windows Azure Active Directory is the world’s largest cloud based, enterprise quality, internet scale Identity and Access Management Solution.  Today over 2.9 million businesses, government bodies and schools are already enjoying the benefits of Windows Azure Active Directory, using it to manage access to Office365, Dynamics CRM online, Windows Intune and Windows Azure.

    Windows Azure AD is a cloud based Identity Service built to support global scale, reliability and availability for our customers and comes at no cost for the base directory. This cloud based directory makes it easy to: 

    • Manage employee access to cloud based line-of-business apps, Microsoft cloud services like Office 365, and third party SAAS applications.
    • Deliver a Single Sign-On experience for cloud applications eliminating the need for multiple usernames and passwords and limiting helpdesk calls and password resets.
    • Revoke access to cloud based business applications when an employee leaves the company or changes jobs.
    • Manage federation and access to cloud facing services for partners and customers.

    Windows Azure AD is an enterprise grade, high availability cloud service run from 14 datacenters spread across the United States, Europe and Asia.  Over the last 90 days, Windows Azure AD has processed over 65 billion authentication requests while maintaining 99.97% or better monthly availability. No other cloud directory offers this level of enterprise reliability or proven scale.

    For companies who already run Windows Server Active Directory on-premises, Windows Azure AD is a natural extension for enabling existing identities in the cloud.  Based on open standards including SAML, OData and WS-FED, Windows Azure AD works with any modern browsers running on a PC, tablet or mobile device and can be easily integrated into applications running on a multitude of platforms from Microsoft and 3rd parties.

    In making Windows Azure AD available for production usage, we’ve also made two feature improvements Windows Azure Customers and cloud application developers will be interested in:

    • Ability to add a Windows Azure Active Directory to your Azure subscription for customers who use Microsoft accounts for logging into Azure.
    • Granting and revoking application directory access permissions have been greatly simplified.

    With this latest release, existing Windows Azure customers who log in using a Microsoft account can now add a Windows Azure AD tenant and use it to manage access to Azure for their employees with either Microsoft accounts or Azure AD accounts.

    We’ve also updated our samples and developer documentation with the biggest updates to the application registration process, so if you are a developer, you’ll definitely want to read up on that. You can find all of our documentation including step-by-step guides, protocols and APIs, how to manage your tenant including managing users, setting up 2FA, and extending your on-premises AD to AAD.

    Throughout the developer preview over 3500 companies tried Windows Azure Active Directory. I’d like to thank all of you who participated for your interest, participation and feedback – your efforts have been invaluable to us!

    Finally, I’d like to close by inviting all of you to get your own Windows Azure AD cloud directory today.  All you have to do is sign up for Windows Azure Trial.

    Best Regards,

    Alex Simons
    Director of PM
    Active Directory

     

    Reprinted from


    Performance Management: Monitoring CPU Resources….


    CPU performance and monitoring is one of the most important aspects of what we do in computing every day. End users and information workers want a performant system, the help desk doesn’t want “my machine is running slow” calls, and the IT staff has to manage power consumption to keep operating costs in check. In this post I am going to discuss how we can satisfy all three groups using some of the built-in tools on our Windows systems.

    Of course we are also going to address this from a virtualization aspect, as that is the direction of this series. Fortunately for us, monitoring CPU performance across virtualized workloads is almost identical to monitoring physical machines. We still leverage Task Manager and Performance Monitor as our primary tools. If you have a System Center Operations Manager installation, then you have the additional benefit of very granular monitoring, reporting and alerting features.

    Let’s start with the basics….

    Picture of performance graphs

    The most basic form of monitoring comes from the Task Manager. The Task Manager has seen many improvements over the years. In Windows Server 2012 and Windows 8, we now have a very detailed and robust, built-in means of monitoring many performance aspects in real time. As you can see from the screen shot below, the new Task Manager has a significantly different look to it. We now list all Applications, Windows Processes, and Background Processes and allow each item to be expanded out for more detail. In the screen shot below, you can see that we have expanded the Internet Explorer process so that it shows each window or tab that is open. This allows us to see what CPU resources are being utilized by each open window or tab, which is very useful for troubleshooting a web page or app that may be frozen or causing a performance problem on a machine.

    image

    When we select the Performance tab in Task Manager, we also have a new view into the big 4 items. For CPU monitoring, the default view consolidates all physical and logical CPUs into a single CPU view. In the sample from my machine, the default view shows the cumulative performance across all CPUs. Even though it only shows a single CPU in this view, my machine is actually a quad-processor machine. To change the view to show all logical CPUs, right click in the main window and select Change graph to –> Logical Processors.

    Default View

    image

    Showing all Logical Processors

    image

    Another feature we have in the Task Manager is access to the Resource Monitor. It is the link at the bottom of the previous screen shot. When you open the Resource Monitor we can get a detailed real time view of CPU usage across any process. You can check the box to the left of a process to add/remove it from the graphed processes on the far right hand side.

    image

     

     

    On Windows 8 client machines, there is also an App History tab where we can find historical CPU usage of the apps on our systems. This data reflects the previous 30 days and can be manually reset at any time from this screen. Double-clicking an application in the list will launch that application.

    image

    Finally, we have a Users Tab that allows us to get information about what apps and processes are consuming resources in different user sessions. Below we see my active session as well as another user that logged in but is currently disconnected.

     

    image

     

    Now….if we really want to dig into CPU performance monitoring, we need to leverage Performance Monitor and the new Hyper-V counters. However, we have to be careful to select the appropriate counters. When the Hyper-V role is enabled on a Windows Server, there are a whole host of new PerfMon counters and objects that are added to allow us to monitor performance of the virtualized workloads. These can be found in PerfMon by selecting to add counters then scrolling to the “Hyper-V” section where you will see a large number of new Hyper-V related counters. What you choose to monitor will depend on what information you are trying to retrieve.

     

    image

    Processor:

    Once you have an idea of the overall system capabilities and configuration through the “Hyper-V Hypervisor” counter set, you will want to monitor the processors on the system. The most important counter set to monitor is the “Hyper-V Hypervisor Logical Processor”. This counter set allows you to determine how much of the physical processors is being used. The virtual processor counter sets only show a slice of the “Hyper-V Hypervisor Logical Processor”.

    • Hyper-V Hypervisor Logical Processor
    • Hyper-V Hypervisor Root Virtual Processor
    • Hyper-V Hypervisor Virtual Processor

    The Hyper-V Hypervisor Logical Processor - The most useful counters in this counter set are the following:

    • %Guest Run Time
    • %Hypervisor Run Time
    • %Idle Run Time
    • %Total Run Time

    There is one logical processor that carries more load than the rest, and that is LP0. This LP is where all interrupts in the system are directed, and if there is too much load you can see this LP hit 100%, which likely means IO is a bottleneck in the system.

    The “Hyper-V Hypervisor Root Virtual Processor” and “Hyper-V Hypervisor Virtual Processor” are just slices of the LP counter and can help you understand how much total CPU the root and guests are using on the system. There are no real limits one should expect for these counters, however I generally expect to see the “% Hypervisor Run Time” be below 25%. Any higher and this could indicate that the guests are not running with Integration Services installed. You should always make sure you have Integration Services installed for the best performance.

    You should also monitor the “Processor” counter set. This counter set is only for the root CPU and does suffer from clock skew, as detailed here - http://blogs.msdn.com/tvoellm/archive/2008/03/20/hyper-v-clocks-lie.aspx. Even with the skew this counter set is useful because it gives you an idea of how busy the root is. Remember the root is involved in all IO. This means that when the root CPUs are saturated your whole system is likely saturated. In general you want to see the root CPU lower than 10% utilization, and over 50% might indicate an issue.

     

    Over all, the counters you will be interested in for CPU monitoring are -

    Hyper-V Hypervisor Logical Processor – This one lets us select stats for each logical processor available to Hyper-V.

    · %Guest Run Time – This is the percentage of time guest code is running on an LP, or for the _Total the average percentage across all LPs. For example, if you have 2 LPs and one VM running CPU tests you might see the value be 95% for LP(0), 0% for LP(1) and 47.5% for the _Total. From this you can see your VM is running on LP(0).

    · %Hypervisor Run Time – This is the percentage of time the Hypervisor is running on an LP or for _Total the average percentage across all LP. This is similar to % Kernel Run Time in the Processor counter set.

    · %Idle Run Time – This is the percentage of time the LP is waiting for work, or for _Total the average percentage across all LPs. This is similar to % Idle Time in the Processor counter set.

    · %Total Run Time – This is a sum of %Guest Run Time + % Hypervisor Runtime.

    · %C1 Time – C1 is a power saving mode in a CPU. This counter keeps track of how often the processor is able to enter a power saving state when idle. So %C1 Time is the percentage of time the LP is in the C1 state, and for _Total the average percentage across all LPs. If you want to know more about C states and other power modes in Windows check out - Processor Power Management in Windows Vista and Windows Server 2008

    · %C2 Time – Similar to %C1 Time. C2 is a deeper power state than C1.

    · %C3 Time – Similar to %C1 Time. C3 is a deeper power state than C2.

    · C1 Transitions / Sec – This is the number of times the LP has entered the C1 state in one second, or for _Total the number of C1 transitions across all LPs.

    · C2 Transitions / Sec – Similar to C1 Transitions / Sec. C2 is a deeper power state than C1.

    · C3 Transitions / Sec – Similar to C1 Transitions / Sec. C3 is a deeper power state than C2.

    · Hardware Interrupts / Sec – Number of hardware interrupts per second the LP is processing. _Total is the total for all LPs. Hardware interrupts are delivered to the root VP corresponding to the LP on which the interrupt was received. For example, a network card will create an interrupt when a packet is received.

    · Total interrupts / sec – Total number of interrupts of all kinds the LP is processing. For _Total this is the total number of interrupts happening on the system per second.

    · Monitor Transition Cost – This is a measure of the cost to enter the Hypervisor via an Intercept on a Logical Processor (LP). For _Total it is the total cost across all processors. Intercepts are like User mode to Kernel mode context switches, except here the switch is from User/Kernel mode into the Virtual Machine Monitor (VMM), aka Hypervisor mode. The smaller this value the better. The only real use it has is to figure out the relative performance of processors.

    · Context Switches / sec – This is the number of times a new Virtual Processor (VP) has been scheduled onto a particular Logical Processor (LP). For _Total it is the total number of VP to LP switches. At idle, context switch rates of around 1000/sec for a single running guest are not uncommon. This is due to the fact that the VP will “Halt” and allow something else to run if it has no work to do.

    · Scheduler Interrupts / sec – These interrupts are sent by the Hypervisor scheduler from one Logical Processor (LP) to another to make it reevaluate its runlist. The runlist is the list of Virtual Processors (VPs) waiting to run on a given LP. This is also a “wake-up” mechanism for an LP that might be sitting idle in a lower power state. _Total is the total number of scheduler interrupts happening per second across all LPs.

    · Inter-processor interrupts sent /sec – These interrupts are sent from one processor to another to get the processor to do memory coherency work (TLB, cache, …). High counts (more than roughly 20 per second per Logical Processor) can indicate lots of guest page modification (for example page access changes). _Total is the total number of Inter-processor interrupts (IPIs) sent per second.

    · Inter-processor interrupts /sec – This counter is the total number of Inter-processor interrupts (IPIs) received per second by a given Logical Processor (LP). _Total is the total number of IPIs received by all LPs.

    · Timer interrupts / sec – There are a number of timers that the Hypervisor supports – APIC timer, PM Timer, … This is the number of times an LP is interrupted to service a timer interrupt.

     

    Hyper-V Hypervisor Root Virtual Processor – Details on what the root Virtual Processors are doing. There is one root VP for every Logical Processor. You can think of a logical processor as similar to a core on a physical processor.

    · %Guest Run Time – For guest VM’s this is the percentage of time the guest VP is running in non-hypervisor code on an LP or for the _Total the total across all guest VP’s. For the root this is the percentage of time the root VP is running in non-hypervisor code on an LP or for _Total the total across all root VP’s. If you sum the _Total for both the guest VP’s and root VP’s this will equal the % Guest Run Time _Total of the Logical Processor counter set.

    · %Hypervisor Run Time – For guest VM’s this is the percentage of time the guest VP is running in hypervisor code on an LP or for the _Total the total across all guest VP’s. For the root this is the percentage of time the root VP is running in hypervisor code on an LP or for _Total the total across all root VP’s. If you sum the _Total for both the guest VP’s and root VP’s this will equal the % Hypervisor Run Time _Total of the Logical Processor counter set.

    · %Total Run Time – This is just a sum of %Guest Run Time + % Hypervisor Runtime on a per VP basis. If you sum the %Total Run Time across the Root Virtual Processor and Virtual Processor counter sets it will equal  the sum of %Total Run Time from all the Logical Processor counters.

    · Total Intercepts/sec – Whenever a guest VP needs to exit its current mode of running for servicing in the hypervisor, this is called an intercept. Some common causes of intercepts are resolving Guest Physical Address (GPA) to System Physical Address (SPA) translations, privileged instructions like hlt / cpuid / in / out, and the end of the VP’s scheduled time slice.

    · Total Intercepts Cost – This is a relative measure of cost of intercepts. The cost can vary based on the types of intercepts and the machine architecture.

    · Hypercalls/sec – Hypercalls are one form of enlightenment. Guest OSs use the enlightenments to more efficiently use the system via the hypervisor. TLB flush is an example hypercall. If this value is zero and stays zero, this is an indication that Integration Components are not installed. Newer guest OSs such as Windows Server 2008 can issue hypercalls without enlightened drivers, so a non-zero value is only a prerequisite for, not a guarantee of, Integration Components being installed.

    · Hypercalls Cost – This is a relative measure of cost of hypercalls. The cost can vary based on the types of calls and the machine architecture.

    · HLT Instructions/sec – Number of CPU halts per second on the VP. A HLT will cause the hypervisor scheduler to de-schedule the current VP and move to the next VP in the runlist.

    · HLT Instructions Cost - This is a relative measure of cost of halt. The cost can vary based on the machine architecture.

    · IO Instructions/sec – Number of CPU in / out instructions executed per second. Many older or low bandwidth devices use “programmed I/O” via in / out instructions.

    · IO Instructions Cost - This is a relative measure of cost of the in / out instructions. The cost can vary based on the machine architecture.

    · Page Fault Intercepts/sec – Whenever guest code accesses a page whose translation is not in the CPU TLB, a page fault intercept will occur. This counter is the number of page fault intercepts per second. It is closely correlated with the Large Page TLB Fills/sec and Small Page TLB Fills/sec counters.

    · Page Fault Intercepts Cost - This is a relative measure of cost of a page fault. The cost can vary based on the machine architecture.

    · Large Page TLB Fills/sec – There are two types of TLB entries (and on some processors three). Small TLB entries generally cover a 4K page and Large Page entries generally cover 2MB. There are fewer Large TLB entries, on the order of 8 – 32. This counter is the number of Large Page TLB fills per second. A non-zero value indicates the guest OS is using large pages.

    · Small Page TLB Fills/sec – Small TLB entries generally cover a 4K page. There are many more Small TLB entries than Large ones, on the order of 64 – 1024+. This counter is the number of Small Page TLB fills per second.

    · Emulated Instructions/sec – Some instructions require emulation to complete in the Hypervisor. One such example is APIC access. This counter is the number of emulated instruction completed per second.

    · Emulated Instructions Cost - This is a relative measure of cost of emulation. The cost can vary based on the machine architecture.

    · CPUID Instructions/sec – The CPUID instruction is used to retrieve information on the local CPU’s capabilities. This counter is the number of CPUID instructions calls per second. Typically CPUID is only called when the OS / Application first start so this value most likely will be 0 most of the time.

    · CPUID Instructions Cost - This is a relative measure of cost of the CPUID instruction. The cost can vary based on the machine architecture.

    · MSR Accesses/sec – Model-specific register (MSR) accesses per second. There are many types of MSRs, covering things such as C-state configuration, Synthetic Interrupt Controller (SynIC) timers, and control functions such as shutdown.

    · MSR Accesses Cost - This is a relative measure of cost of the MSR instruction. The cost can vary based on the machine architecture.

    · Control Register Accesses/sec – Number of CPU Control Register accesses per second. Control registers are used to set up address mapping, privilege mode, etc.

    · Control Register Accesses Cost - This is a relative measure of cost of changing the control register. The cost can vary based on the machine architecture.

    · MWAIT Instructions/sec – Number of MWAIT instructions per second. MWAIT is the monitored wait instruction: the CPU idles until a write occurs in the address range previously set up with MONITOR (or an interrupt arrives).

    · MWAIT Instructions Cost - This is a relative measure of cost of the MWAIT instruction. The cost can vary based on the machine architecture

     

    Hyper-V Hypervisor Virtual Processor - This allows us to retrieve stats on the virtual processors assigned to individual running VM instances. The counters are the same as in the Root Virtual Processor set above, with one instance per guest VP (named in the form VMName:Hv VP n).
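Putting the counter sets above to work, here is an added example (my own script, not code from the original post or from the Hyper-V team) that samples the Logical Processor, Virtual Processor and root Processor counters from an elevated PowerShell session on the Hyper-V host and applies the thresholds discussed earlier: an LP pinned at 100%, % Hypervisor Run Time above 25%, root CPU above 50%, and a VM whose VPs issue no hypercalls. The sample count, threshold values and output format are assumptions chosen for illustration.

```powershell
# Added example, not code from the original post: sample the Hyper-V CPU counter
# sets described above and apply the rule-of-thumb thresholds from the text.
# Run in an elevated PowerShell session on a Windows Server 2012 Hyper-V host.
# The sample count and threshold values are assumptions chosen for illustration.
param(
    [int]$Samples       = 5,    # one-second samples to average
    [int]$HvRunTimeWarn = 25,   # % Hypervisor Run Time above this: suspect missing Integration Services
    [int]$RootBusyWarn  = 50    # root Processor % above this: the host itself is saturated
)

$counters = @(
    '\Hyper-V Hypervisor Logical Processor(*)\% Guest Run Time',
    '\Hyper-V Hypervisor Logical Processor(*)\% Hypervisor Run Time',
    '\Hyper-V Hypervisor Logical Processor(*)\% Total Run Time',
    '\Hyper-V Hypervisor Virtual Processor(*)\Hypercalls/sec',
    '\Processor(_Total)\% Processor Time'
)

# Collect the samples and keep every value per counter path.
# CounterSample.Path comes back lower-cased and prefixed with \\hostname.
$series = @{}
foreach ($set in (Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Samples)) {
    foreach ($s in $set.CounterSamples) {
        if (-not $series.ContainsKey($s.Path)) { $series[$s.Path] = @() }
        $series[$s.Path] += $s.CookedValue
    }
}

function Get-Mean([string]$path) {
    if ($path -and $series.ContainsKey($path)) { ($series[$path] | Measure-Object -Average).Average } else { 0 }
}
function Find-SeriesPath([string]$pattern) {
    $series.Keys | Where-Object { $_ -like $pattern } | Select-Object -First 1
}

# 1. Per-LP split of guest / hypervisor / total run time; flag any LP that is pinned.
$lpTotals = $series.Keys | Where-Object { $_ -like '*logical processor(hv lp *)\% total run time' } | Sort-Object
foreach ($p in $lpTotals) {
    $inst  = ($p -split '[()]')[1]                  # e.g. "hv lp 0"
    $base  = $p.Substring(0, $p.LastIndexOf('\'))
    $guest = Get-Mean "$base\% guest run time"
    $hv    = Get-Mean "$base\% hypervisor run time"
    $total = Get-Mean $p
    $flag  = if ($total -ge 99) { '  <-- pinned; on LP 0 this usually means interrupt/IO load' } else { '' }
    '{0,-8} guest {1,6:N1}%  hypervisor {2,6:N1}%  total {3,6:N1}%{4}' -f $inst, $guest, $hv, $total, $flag
}

# 2. Hypervisor overhead averaged across all LPs.
$hvTotal = Get-Mean (Find-SeriesPath '*logical processor(_total)\% hypervisor run time')
if ($hvTotal -gt $HvRunTimeWarn) {
    Write-Warning ('% Hypervisor Run Time averages {0:N1}% (> {1}%): check that guests have Integration Services installed' -f $hvTotal, $HvRunTimeWarn)
}

# 3. Root partition load from the Processor counter set (subject to the clock skew noted above).
$root = Get-Mean (Find-SeriesPath '*\processor(_total)\% processor time')
if ($root -gt $RootBusyWarn) {
    Write-Warning ('Root partition at {0:N1}% CPU (> {1}%): the root handles all IO, so the whole host is likely saturated' -f $root, $RootBusyWarn)
}

# 4. Hypercalls per VM, summed over its VPs (guest VP instances are named "<vm>:hv vp <n>").
$byVm = @{}
foreach ($p in ($series.Keys | Where-Object { $_ -like '*virtual processor(*:hv vp *)\hypercalls/sec' })) {
    $vm = (($p -split '[()]')[1] -split ':')[0]
    $byVm[$vm] = [double]$byVm[$vm] + (Get-Mean $p)
}
foreach ($vm in ($byVm.Keys | Sort-Object)) {
    $note = if ($byVm[$vm] -eq 0) { '  <-- no hypercalls: Integration Services probably not installed' } else { '' }
    '{0,-20} hypercalls/sec {1,10:N0}{2}' -f $vm, $byVm[$vm], $note
}
```

Run it a few times under a representative load rather than once: the _Total instances average across all LPs, so a single pinned LP0 only shows up in the per-LP section, and a burst of hypervisor time during VM start-up will clear on the next run.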

    Resources:

    Processor Power Management for Windows 7 and Windows Server 2008 R2

    View CPU Utilization and other Performance Information

    MSDN Blogs – Monitoring Hyper-V Performance

    -Cheers!


    Current IT Camp Resources….


    For those of you who have taken part in the recent IT Camps, you know that we attempt to cover a LOT of information during this camp. It can be a little overwhelming, so I have sorted through the content and provided some links to further reading on the topics that may be more interesting to your particular role.

    I have included links to all the slides, Hands-On-Lab documentation and download links to the appropriate lab files if you would like to recreate the HoL outside of the IT Camp classroom. I very highly recommend that if you only do a single lab, that it be the Windows Azure IaaS lab. I believe Cloud based Infrastructure as a Service to be the future of infrastructure deployments.

    image

     

    Why is Azure IaaS so important?

    I bring up this same point in our IT Camps. Think back to 1995 when the Internet really started to take off. Windows 95 had been on the market for about a year at that point and everyday computer users were connecting to the Internet in droves. Businesses were taking notice but they were wondering: Is the Internet safe? Is it secure? Is my data protected? What about downtime? These are the exact same questions businesses are asking about “cloud computing” today, the very same cloud computing that we have been doing on the Internet for the past 15+ years.

    Virtualization has reduced our infrastructure deployment, configuration and maintenance times to a fraction of what we used just 10 years ago. With Azure IaaS, we optimize these even further by eliminating the need to acquire and provision the base Hyper-V server that is required to run all of the infrastructure components. It is conceivable for a startup to simply use a credit card to sign up for Azure, then start building servers and services within Azure to support their entire development, test, and production environments, all without buying any hardware to support their infrastructure. Established companies with a robust on-premise infrastructure can reduce future hardware acquisitions by planning future deployments in Azure IaaS. The ease with which we can migrate workloads between Azure IaaS and on-premise makes it a perfect scenario for proof of concept development that can easily be rolled directly into production.

    IT departments have already reduced their hardware costs dramatically by becoming highly virtualized. This also provides a tremendous amount of flexibility in placing and moving workloads as necessary. Now with the option of placing the workloads directly within the Azure fabric and securely connecting Azure IaaS to existing infrastructure, IT departments will be able to further reduce hardware costs and extend the mobility and flexibility of their virtual infrastructure.

    **Do the Azure IaaS Lab!**

    I promise you it will be worth your time!

     

    Cheers!

    Slides -

    Download Slides for all 3 sessions here

    Hands-on-Labs -

    Download Hands-On-Labs Manuals here

    Downloads LAB Virtual machines here

    Download BootToVHD Image here – Be sure to select the VHD file, not the .ISO

    Download Base Image for Lab Virtual machines here - – Be sure to select the VHD file, not the .ISO

    SC2012 SP1 and Azure IaaS Links -

    Activate a Windows Azure 90 Day Trial Account

    Download Windows Azure PowerShell Tools

    Download System Center with SP1

    Upgrading/Migrating with Windows Server 2012 Links -

    Understanding Domain and Forest Functional Levels

    Active Directory Services Deployment CMDlets in PowerShell

    Migrate Active Directory Federations Role Services to Windows Server 2012

    Migrate Health Registration Authority to Windows Server 2012

    Migrate Hyper-V to Windows Server 2012

    Manage IP Configuration in Windows Server 2012

    Migrating Network Policy Server to Windows Server 2012

    Migrate Print and Document Server to Windows Server 2012

    Migrate Remote Access Services to Windows Server 2012

    Migrate Windows Server Update Services (WSUS) to Windows Server 2012

     

    Deploying Windows 8 Links -

    Download the Microsoft Deployment Toolkit and Technical Information

    Download the Windows Assessment and Deployment Kit

    User State Migration Tool (USMT 5.0) Technical Reference

    Windows Performance Toolkit Technical information

    Windows Assessment Toolkit Technical information

    Internet Explorer Administration Kit Download and Technical Information


    Last Chance to Register for FREE IT Camps!


    This week we kick off a new series of IT Camps in the Western US. We still have a handful of seats available at select venues. If you would like to get some FREE hands-on training on Windows 8 Deployment, Azure IaaS, and Upgrading to Windows Server 2012, find a city near you then get yourself registered.

    Be sure to read the requirements for the Hands-On-Lab section to ensure you have a proper machine configuration and ample space for images.

     

    -Cheers!

     

    clip_image0012 

     

    You're invited.
    Select a date below to register online or call 1-877-MSEVENT

    Location             Date
    Mountain View, CA    3/13
    San Francisco, CA    3/14
    Bellevue, WA         3/19
    Tempe, AZ            3/20
    Portland, OR         3/21
    Los Angeles, CA      3/26
    Irvine, CA           3/27
    San Diego, CA        3/28
    Boise, ID            4/2
    Denver, CO           4/4

     

    If you are unable to attend in person, you may be interested in a Hands-on Lab Online (HOLO) on Windows 8 or Windows Azure.

    If you cannot make one of these events, you may be able to find a similar event at a New Horizons learning center here.

     

    clip_image005_thumb1
    Please join us at a Microsoft IT Camp as we dive into how to get your datacenter ready for the cloud and beyond
    Join us at a FREE Microsoft IT Camp for hands-on labs, demos, and interactive discussions with Microsoft technical experts. Here's your chance to learn more about getting your datacenter ready for the cloud, whether you want to upgrade your on-premise datacenter or get connected to the cloud. This IT Camp will showcase the next generation of datacenter technologies featuring Windows Server 2012, System Center 2012 SP1, and Windows Azure IaaS.
    According to a recent IDC report commissioned by Microsoft, an estimated 1.7 million cloud-related IT jobs are open worldwide right now and there will be as many as 7 million cloud computing jobs available by 2015. Attending an IT Camp in your local area is the perfect way to elevate your IT skills, build your cloud knowledge and propel your career to new heights.


    To participate in the afternoon hands-on lab session, you will need to bring your own computer (laptop preferred) with the following minimum configuration:

    FREE Events
    Seating is limited, so register today. Events run from 8:30am - 4:00pm.

    clip_image0063

    For more information or to register, visit > www.technetevents.com OR CALL 1-877-MSEVENT

     
     

     

    -Cheers!


    Monitoring Dynamic Memory in Windows Server Hyper-V 2012….


    Question – How do you determine how much memory to assign to a virtual machine?

    Real Answers from Administrators -

    “We add up the recommended memory on the box for all the apps that will run then assign that to the VM”

    “We add up the recommended memory on the box for all the apps that will run, add 25%, then assign that to the VM”

    “Every VM gets <insert number here> gigs of RAM. We don’t change it unless someone complains”

    “We only virtualize Exchange….so it gets all of the available RAM”

    I have asked this question many times since the introduction of Dynamic Memory several years ago. I almost never hear the following -

    “We use Operations Manager or Performance Monitor to track usage over time, establish a baseline, then adjust the memory of the VM. We then continue to monitor over time to see if there are trends that warrant adjustments.”

    I know that is exactly what IT Pros do though. Because you are Pros. But maybe you are new to Windows, new to the IT field, or just trying to correct some bad behavior in your department. For those scenarios, I want to give you the tools you need to do things the right way.

    ---------------

    With the release of Windows Server 2008 R2 SP1, Microsoft introduced a new feature called Dynamic Memory for Hyper-V hosts. Prior to this feature being introduced, all guest virtual machines were given a static assignment of memory. Changing the memory allocation required administrators to shut down the guest VM, change the memory assignment, then restart the VM. This of course is inefficient and requires downtime.

    Dynamic Memory allows Hyper-V administrators to assign a dynamic allocation of memory to a VM that draws from a pool of memory on the host. The goal of Dynamic Memory is to optimize memory utilization without sacrificing performance. This also opens the door to greater virtual machine density per host which allows for a lower TCO.

    In this post we will walk through the options for Dynamic Memory and investigate how we can further optimize memory using monitoring. Let’s lay the groundwork….

    Hyper-V Host Requirements -

    Windows Server 2008 R2 + SP1 (or later) or Windows Server 2012

    Guest VM Requirements – See Chart Below

    image

     

    There are no global configurations for Dynamic Memory at the Hyper-V host level. All of the settings are managed on a per-VM basis. Once you have created a virtual machine, you can look at the settings of the VM and see the Dynamic Memory options. However, there are some subtle differences in the options between versions of Hyper-V. Let’s do Windows Server 2008 R2 + SP1 first.

    Windows Server 2008 R2 + SP1 Hyper-V (below)

    image

    Note that we can still specify a Static amount of memory for a VM. Dynamic memory is not a requirement. We can also have a mix of static and dynamic memory VM’s on the same host.

    When we enable Dynamic memory we get some additional options -

    Startup RAM – The amount of memory required to start the virtual machine. There needs to be enough here to allow the VM to start up. But you don’t want to over-allocate because the memory will be wasted and reduce the total number of VM’s you can run on the host.

    Maximum RAM – The maximum amount of RAM a VM can request and be assigned. Can be as low as the Startup RAM value or up to a max of 64GB, or the max of what the guest VM OS supports (ie, 4GB for a 32 bit Windows 7 guest).

    Memory Buffer – Specifies how much memory Hyper-V will attempt to assign to the virtual machine compared to the amount of memory actually needed by the applications and services running inside the virtual machine. Not to exceed the Maximum RAM amount.

    Memory Weight – Tells Hyper-V which VMs have a higher or lower priority for dynamic memory allocations.

     

    The settings used in Windows Server 2012 are a tad bit different.

    Windows Server 2012 Hyper-V (below)

     

    clip_image002

     

     

    Startup RAM – Serves double duty in Windows Server 2012 Hyper-V

    1) If Dynamic Memory is NOT enabled, Startup RAM acts as the “Static” memory value

    2) If Dynamic Memory IS enabled, it represents the amount of memory required to start the virtual machine. (same as Windows 2008 R2 + SP1)

    Minimum RAM – *NEW* This is the minimum amount of RAM that must be assigned to the VM at all times. This number must be less than or equal to the Startup RAM value. It effectively lets Hyper-V reduce the amount of memory assigned to the VM if it requires less and another VM requests more.

    Maximum RAM – The maximum amount of RAM a VM can request and be assigned. Can be as low as the Startup RAM value or up to a max of 1TB on Windows Server 2012 Hyper-V, or the max of what the guest VM OS supports (ie, 4GB for a 32 bit Windows 7 guest).

    Memory Buffer – Specifies how much memory Hyper-V will attempt to assign to the virtual machine compared to the amount of memory actually needed by the applications and services running inside the virtual machine. Not to exceed the Maximum RAM amount.

    Memory Weight – Tells Hyper-V which VMs have a higher or lower priority for dynamic memory allocations.

    Windows Server 2012 Hyper-V also introduces a feature called Smart Paging. Prior to Windows Server 2012, if you attempted to restart a guest VM when all available memory was assigned to other VMs, you received an error message and the VM failed to start. With Smart Paging, Hyper-V lets the VM start using a paging file on disk as temporary memory, bridging the gap between Minimum RAM and Startup RAM while the guest boots. Note that Smart Paging is used only for a restart (not for a VM powered on from the Off state) and only when no memory can be reclaimed from other VMs. There is a significant reduction in performance while it is in use, because disk paging operations take much longer than RAM operations, but it does allow the VM to start. Once the guest is up, Hyper-V reclaims memory back toward Minimum RAM and stops using the Smart Paging file.

    There is no GUI configuration for Smart Paging other than the location of the Smart Paging file. This should be a fast disk with little other I/O load, to reduce the impact of paging operations as much as possible.

    Now What?

    Note – For the remainder of this article, I will be using Windows Server 2012 Hyper-V/Dynamic Memory. The concepts apply to Windows Server 2008 R2, but the location of the information on screen is different.

    Now that you are familiar with the settings, how do we determine how much memory to allocate to a VM and then monitor it over time? For the initial configuration of memory, you will just have to use your own best judgment for the values based on the workloads you are running. A good baseline to start with is to consider what you would run in a physical implementation, then carry that over to the virtual machine. If you are running an Exchange Server role with 16 GB of memory on a physical machine, use that 16 GB value as the initial Maximum RAM entry. The Minimum RAM could be the amount of RAM recommended for running Windows Server + Microsoft Exchange. The Memory Buffer can be left at 20% for now and the Memory Weight should be adjusted based on the priority you assign to your server roles.

    Once this has been configured, you can monitor ongoing performance and changes in two different ways -

    Monitoring Virtual Memory in Real Time –

    Using the Hyper-V MMC, you will see that we display some information about memory in real time -

    clip_image002[5]

    Assigned Memory – This is how much memory is allocated to the Guest VM at this time.

    When you select a VM, you will also have an info pane below the list of VM’s with more specific information about memory for the selected VM -

    clip_image002[7]

    Memory Demand – Derived from performance counters, this is the amount of memory required at this time to fulfill the requirements of what is going on in the running VM.

    Memory Status – There are only 3 things that will display here -

    OK – Hyper-V has enough memory to provide a full memory buffer to the selected VM

    Low – Hyper-V is reporting that it does not have enough memory to satisfy the memory buffer in full

    What this really means - Generally not a critical issue. Some attention should be paid to how much memory is allocated across all guest VM’s and possible changes made to adjust for proper buffer allocations.

    Warning – Hyper-V is reporting that it does not have any available memory to dedicate to the memory buffer

    What this really means – There isn’t enough memory to allocate to the memory buffer. This means that you will possibly end up using Smart Paging and thus take a performance hit, or, based on Weight, you may starve another lower priority machine of memory. You should evaluate how much memory is allocated across all VM’s and adjust accordingly. The only solution may be to migrate some of the VM’s to a different Hyper-V server or add more physical RAM to the Host Hyper-V server.

     

    Monitoring Virtual Memory with Performance Counters -

    Dynamic Memory has a collection of Performance Monitor Counters and Objects for digging deep into what is really going on with memory allocations.

    clip_image002[9]

    The Memory Balancer is the process that handles allocation of memory to the guest VM’s. It relies on other performance counters information to determine when, where, and how much memory to move around at any given time.

    Available Memory – Exactly that, how much memory we have available right now.

    Average Pressure – Pressure is the inverse of headroom. It is how much memory the VM wants divided by how much it currently has, multiplied by 100 [i.e. (Mem Wanted / Mem Allocated) * 100]. At the Balancer level it is the average pressure across all VMs at that moment. As long as this number stays under 100, Hyper-V has enough memory to service all virtual machines. Over 100 means guests want more than they have been given and are paging inside the guest OS, and you will see performance degradation. For best performance with the least risk of guest paging, keep it consistently below 100 with no spikes above; around 80 is a good target, though dense, highly tuned hosts may run higher.

    clip_image002[13]

    These counters allow you to choose individual VM instance objects by name, as they appear in Hyper-V Manager.

    Average Pressure – Same as above, but for one VM.

    Current Pressure – The VM's pressure right now: (Mem Wanted / Mem Allocated) * 100 for that instance.

    Guest Visible Physical Memory – The amount of memory the guest OS currently sees as installed.

    Maximum Pressure – The highest pressure value reported for the VM instance.

    Minimum Pressure – The lowest pressure value reported for the VM instance.

    Physical Memory – The amount of memory currently assigned to the VM instance.

    Smart Paging Working Set – The size of the Smart Paging working set for the VM instance; anything other than zero once the VM is up means it is still running partly from the Smart Paging file.

    ---------------

    Of all the counters listed here, the ones you will likely spend the most time monitoring are - 

    Hyper-V Dynamic Memory Balancer –> Average Pressure – This shows the average pressure, and therefore the headroom, at the host level over a period of time. This is great for establishing a baseline and for continued monitoring to determine whether workloads need to be shifted or more memory should be added to the host.

    Hyper-V Dynamic Memory VM –> Average Pressure, Maximum Pressure, Minimum Pressure – These will allow you to look at the memory performance of individual VM instances. Again to establish a baseline as well as ongoing monitoring for future optimizations.
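    Pulling the same numbers from PowerShell, as an added example that is not code from the original post: the first function computes pressure per VM exactly as the formula above defines it, from the Assigned/Demand values Hyper-V Manager displays, and the second samples the Balancer's Average Pressure counter. The 80/100 thresholds are the ones discussed above; nothing else is assumed beyond a Windows Server 2012 or later host with the Hyper-V module.

```powershell
# Added example (not code from the original post): compute per-VM pressure the
# way the counters define it, (demand / assigned) * 100, from the live values
# Hyper-V Manager displays, and sample the host-level Average Pressure counter.
# The 80/100 thresholds are the ones discussed in the text; everything else is
# standard Hyper-V module / Get-Counter usage on a Windows Server 2012+ host.
Import-Module Hyper-V

function Get-VMMemoryPressure {
    # One row per running Dynamic Memory VM with the computed pressure and a verdict.
    Get-VM |
        Where-Object { $_.State -eq 'Running' -and $_.DynamicMemoryEnabled } |
        ForEach-Object {
            $assigned = $_.MemoryAssigned
            $demand   = $_.MemoryDemand
            $pressure = 0
            if ($assigned -gt 0) {
                $pressure = [math]::Round(($demand / $assigned) * 100, 1)
            }
            $verdict = 'ok'
            if ($pressure -gt 100)    { $verdict = 'guest is paging' }
            elseif ($pressure -gt 80) { $verdict = 'little headroom' }

            [pscustomobject]@{
                VM         = $_.Name
                AssignedMB = [int]($assigned / 1MB)
                DemandMB   = [int]($demand / 1MB)
                Pressure   = $pressure
                Status     = $_.MemoryStatus   # OK / Low / Warning, as shown in the GUI
                Verdict    = $verdict
            }
        }
}

function Get-HostAveragePressure {
    # Samples the Balancer's Average Pressure a few times; the instance wildcard
    # matches the single balancer instance a host exposes.
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)
    $path = '\Hyper-V Dynamic Memory Balancer(*)\Average Pressure'
    $values = (Get-Counter -Counter $path -SampleInterval $IntervalSeconds -MaxSamples $Samples).CounterSamples.CookedValue
    [pscustomobject]@{
        Average     = [math]::Round(($values | Measure-Object -Average).Average, 1)
        Maximum     = [math]::Round(($values | Measure-Object -Maximum).Maximum, 1)
        OverCeiling = @($values | Where-Object { $_ -gt 100 }).Count
    }
}

Get-VMMemoryPressure | Sort-Object Pressure -Descending | Format-Table -AutoSize
Get-HostAveragePressure
```

    A VM that reports Status OK but a computed pressure above 80 is the one to watch: the buffer is being satisfied right now, but there is little room left before the guest starts paging.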

    To monitor this with performance Monitor, you can make a Collector Set

     

    To create a Data Collector Set to monitor memory allocation

    1. Start Performance Monitor and add one or more of the new performance counters.
      1. Click Start, right-click Computer, and click Manage. In the Microsoft Management Console navigation tree, click Performance (called Reliability and Performance in Windows Server 2008).
      2. In the navigation tree, expand Monitoring Tools and click Performance Monitor.
      3. In the menu bar above the graph, click the Add button (+), or right-click anywhere in the graph and click Add Counters. The Add Counters dialog box opens.
      4. In the Available Counters list, find Hyper-V Dynamic Memory Balancer and Hyper-V Dynamic Memory VM, click the plus (+) sign to expand each group, and select the counters you want (at least the Average Pressure counters discussed above).
    2. In the navigation tree, right-click Performance Monitor, point to New, and click Data Collector Set. The Create New Data Collector Set wizard starts; the set will contain every counter in the current Performance Monitor view.
    3. Type a name for your Data Collector Set and click Next.
    4. The Root Directory is where the collected data is stored. Change it if you want a different location than the default, either by browsing to the directory or by typing its path. Note: if you type the path, do not end it with a backslash.
    5. Click Next to define a user for the Data Collector Set to run as, or click Finish to save the current settings and exit.
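    The same collector from the command line, as an added example that is not code from the original post: logman creates and starts a counter Data Collector Set with the counters named above, and the function summarises the resulting .blg so a baseline (average, peak, samples over 100) can be read off without opening Performance Monitor. The set name, log directory, 15-second interval and 256 MB cap are assumptions.

```powershell
# Added example (not code from the original post): create the Data Collector Set
# described above with logman, then summarise the captured .blg with
# Import-Counter. Set name, paths, interval and size cap are assumptions.
# Run elevated; logman needs administrator rights to create collector sets.
$setName = 'HyperV-DynamicMemory'
$logDir  = 'C:\PerfLogs\HyperV'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Host-level headroom plus the per-VM pressure counters for every VM instance.
# (The GUI lists the last one as "Smart Paging Working Set".)
$counters = @(
    '\Hyper-V Dynamic Memory Balancer(*)\Average Pressure',
    '\Hyper-V Dynamic Memory Balancer(*)\Available Memory',
    '\Hyper-V Dynamic Memory VM(*)\Average Pressure',
    '\Hyper-V Dynamic Memory VM(*)\Maximum Pressure',
    '\Hyper-V Dynamic Memory VM(*)\Minimum Pressure',
    '\Hyper-V Dynamic Memory VM(*)\Smart Paging Working Set Size'
)

# bincirc + max keeps the log bounded: a circular 256 MB binary log.
& logman.exe create counter $setName -c $counters -si 00:00:15 -o "$logDir\$setName" -f bincirc -max 256
& logman.exe start $setName

function Get-PressureBaseline {
    # Per pressure counter instance: sample count, average, peak and how many
    # samples broke the 100 ceiling (i.e. a guest was paging at that moment).
    param([Parameter(Mandatory)][string]$BlgPath)
    Import-Counter -Path $BlgPath |
        Select-Object -ExpandProperty CounterSamples |
        Where-Object { $_.Path -like '*Pressure' } |
        Group-Object Path |
        ForEach-Object {
            $v = $_.Group.CookedValue
            [pscustomobject]@{
                Counter = $_.Name
                Samples = $v.Count
                Average = [math]::Round(($v | Measure-Object -Average).Average, 1)
                Peak    = [math]::Round(($v | Measure-Object -Maximum).Maximum, 1)
                Over100 = @($v | Where-Object { $_ -gt 100 }).Count
            }
        } | Sort-Object Peak -Descending
}

# After the set has run for a representative period (logman stop HyperV-DynamicMemory):
# Get-PressureBaseline -BlgPath (Get-ChildItem "$logDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1).FullName
```

    Let the set run through at least one full business cycle (backups, month-end, patch night) before reading the baseline; a peak that only shows up during a nightly job is exactly the spike the text says to avoid.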

    You now have a Data Collector Set that you can run in the background to collect performance data for the Hyper-V Counters and Objects you have selected. This will let you establish baselines, monitor ongoing performance of the Hyper-V Host as well as the VM’s and ultimately give you the answer to “How much memory should I assign to a virtual machine?”. Additionally, you can use this data to increase the density of VM’s on a per host basis without compromising on performance. This leads to more VM’s per host which hopefully means fewer hosts needed and ultimately a lower TCO across the board.

     

     

    References  and Additional Resources -

    Hyper-V Dynamic Memory Configuration Guide (2008 R2)

    Hyper-V Dynamic Memory Overview

    Tracking Hyper-V Dynamic Memory (So Many Questions. So Little Time. Part 6.)

    Looking at Dynamic Memory Performance Counters

    A Guide to Hyper-V Dynamic Memory – Aidan Finn


     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Part 2 of 20–Virtualization: You Want to Hot Add What?!….Now Live!

    • 0 Comments

    Yesterday, Kevin Remde posted the 2nd in our March series of blog posts on Virtualization. Kevin walks through the different virtualized components of a Hyper-V virtual machine and which of them can be added or removed while the VM is up and running.

     

    “For Part 2 of our “20+ Days of Server Virtualization” series, we wanted to give you an overview of what is allowed, and what’s not, with regard to making “hot add” or removal (or configuration) of a virtual machine’s settings.  To do this, I’m going to use a picture of the Virtual Machine Settings dialog, and walk right down the list…”

    And that he does!  If you are new to Hyper-V, this is a great way to familiarize yourself with the components that make up a VM, the configurations that can be made, and what you can do with them while a VM is running.

    Check out his blog post here -

    You Want to Hot-Add What?! : 20+ Days of Server Virtualization (Part 2 of 20)


    Cheers!

  • chris e. avis - writing about microsoft and technology....

    March Blog Series - 20+ Days of Server Virtualization….

    • 1 Comments

    First of all, YOU have made our blog series from January and February very successful!  We often wonder if what we write will get read and you have proven to us that it is a fruitful endeavor. Thank you very much for taking the time to read and provide feedback on these series.

    The first post for our March series – The Hyper-V Primer – 20+ Days of Server Virtualization (Part 1 of 20) – by Kevin Remde is up on his blog.

     

    WHAT IS IT HYPER-V?

    Hyper-V is just a part of the full Microsoft virtualization solution.  It is the engine that supports running multiple virtualized installations of operating systems on top of a single physical operating system.  Hyper-V is a “microkernelized hypervisor”, which is fancy-talk for “it’s a very thin layer that runs underneath the installed operating system”, to support many “machines” (including the main OS) running on and sharing the resources of the hardware.  Even though your Windows Server 2012 or even Windows 8 with Hyper-V enabled is installed on hardware, virtualization is actually even supporting that main operating system as what is known as the “Parent (or Root) Partition”; still running on top of virtualization, but having higher-priority than the “child partitions” that are the virtualized machines.

     

     

    The Hyper-V Primer – 20+ Days of Server Virtualization (Part 1 of 20)

     

    Hyper-V architecture overview


  • chris e. avis - writing about microsoft and technology....

    Upcoming Jump Start Course: Microsoft Tools for VMware Integration & Migration….

    • 0 Comments

    The IT Pro Evangelism team, Microsoft Learning and the Microsoft Virtual Academy are pleased to announce the next Jump Start course, Microsoft Tools for VMware Integration & Migration, on Thursday, March 14th from 8am – 12pm PST.

    This is a live, public, free, online event so ask your customers to sign up today: http://aka.ms/vmtools.  This event will be recorded and available on the Microsoft Virtual Academy (MVA) several weeks later, so even if you cannot make the live event, sign up so that you receive a notification once the course is available on the MVA.

    This course is designed for IT professionals who need to manage, monitor and automate VMware in their datacenter using System Center 2012 SP1.  During this half-day Jump Start, Microsoft Technical Evangelist Symon Perriman (MCSE and VMware Certified Professional) will be joined by four different Microsoft and VMware experts during the team-taught learning experience.  First, Eric Winner will share how Virtual Machine Manager (VMM) and App Controller can run VMware infrastructure, hypervisor and VMs.  Next Michael Stafford from Veeam will show how the Veeam Management Pack for Operations Manager monitors and reports on the VMware infrastructure.  Third, Justin Incarnato demonstrates how VMware can be integrated and automated using Orchestrator.  Finally, Anupama Vedapuri walks through the Microsoft Virtual Machine Converter (MVMC), a free Solution Accelerator that converts VMware-based VMs and disks to Hyper-V.

    Agenda

    · 8am – 9am | Manage VMware with SC2012 SP1 Virtual Machine Manager

    · 9am – 10am | Monitor VMware with SC2012 SP1 Operations Manager and Veeam

    · 10am – 11am | Automate VMware with SC2012 SP1 Orchestrator

    · 11am – 12pm | Migrate VMware VMs using Microsoft Virtual Machine Converter (MVMC)

     

    Sign Up Here - http://aka.ms/vmtools

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Part 19 of 19 - Migration and Deployment: A look at Windows 8 AppLocker….Now Live!

    • 0 Comments

    One of the technologies we introduced with Windows 7 was AppLocker.  AppLocker presented a great new way to control what applications could run on your desktop environments.  If this sounds familiar because of what Software Restriction Policies (SRP) do for your environments, it is important to understand the difference between the two.  SRP is still supported and still helps to control applications in your environment, but the two approach the challenge differently.

    image

    Matt Hester goes into further detail on AppLocker in our final post for the February series -

    Migration and Deployment: A look at Windows 8 AppLocker

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Upgrading and Updating Windows 8 Applications (Part 18 of 19)

    • 0 Comments

    Windows 8 gives us the awesome Windows Store where we can find and install Windows 8 applications that use the new Modern UI. It is pretty intuitive to find and install the applications. But I have had a few questions from folks about how to update and/or upgrade Windows 8 applications after they are installed.

    One of the first things to consider is whether you as an Administrator will even allow access to the Windows Store by your end-users or if you will block it and only sideload LOB apps. If you decide to block access all together, this can be accomplished easily using Group Policy (for more information see – TechNet: Managing Client Access to the Windows Store).

    If you grant access to the Windows Store, you should first plan out your update and upgrade strategy for Windows 8 Applications.

    You can let end-users do all of their own updating

    You can manage it yourself

    Or you can do a combination of both.

    In this article I am going to focus on end-user management (with a small piece of IT management at the end). I am working on a more detailed posting focusing on how System Admins can fully manage Windows 8 apps that I will get posted at a later date)

    -------------------

    The simplest way for end-users to update Windows 8 applications is through the Windows Store itself. When on the start screen, users will see the Store tile and, if there are updates to applications, they will see a number on the live tile -

    image

    The number indicates the number of applications for which updates exist. To update the apps, simply go into the Store and look in the upper right hand corner where users will see the corresponding number of applications with available updates -

    image

    Tap or click on this item and you will see the individual applications that are available for updating -

    image

    By default, all applications are automatically selected for updating. The end-user can tap or click “Install” and all applications will get updated (an Internet connection is required). Users can also deselect individual applications and choose to update only specific ones if they like -

    image

    Once the applications are selected, click “Install” and they will get updated. A progress meter will show the status of the update for each application -

    image

    As apps finish updating, they will disappear from the update screen until they are all complete -

    image

    At this point, all Windows 8 applications are updated and the Store tile on the Start screen should no longer display a number (unless more updates have become active) -

    image

    System Administrators can also control what Windows 8 Store applications can be installed and provide limited control over updates using AppLocker.

    AppLocker is a feature in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7 that advances the functionality of the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. By using AppLocker, you can:

    • Define rules based on file attributes that persist across application updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
    • Assign a rule to a security group or an individual user.
    • Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (Regedit.exe).
    • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
    • Create rules on a staging server, test them, export them to your production environment, and then import them into a Group Policy Object.
    • Simplify creating and managing AppLocker rules by using Windows PowerShell cmdlets for AppLocker.
    • Manage .mst and .appx files with AppLocker. (Windows 8 and Windows Server 2012 only)

    For more detailed information on AppLocker, including a step-by-step guide for administrators, see the following – TechNet Guide to AppLocker
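    The packaged-app control described above, done with the AppLocker cmdlets, as an added example that is not code from the original post or from TechNet: publisher rules are generated from the Store apps on a reference machine, the policy is switched to audit-only before it is applied, one package is dry-run against it, and the audit events are read back. The XML path and the Microsoft.BingWeather package name are assumptions for illustration.

```powershell
# Added example (not code from the original post): build publisher rules for the
# packaged (Store) apps installed on a reference machine, deploy them in audit-only
# mode, dry-run one package against the policy, and read back what audit mode has
# logged. The XML path and the 'Microsoft.BingWeather' package name are
# assumptions for illustration. Run elevated on Windows 8 / Server 2012 or later.
Import-Module AppLocker

$policyXml = 'C:\Policies\AppLocker-Appx-Audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Publisher rules survive app updates because they key on signer, product name and
# a minimum version rather than on the hash of one specific build.
$xmlText = Get-AppxPackage -AllUsers |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Store' -Optimize -Xml

# Enforcement is an attribute of each rule collection; start in AuditOnly so
# nothing is blocked while you review the audit events.
[xml]$doc = $xmlText
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyXml)

# Apply to the local policy. For a domain, pass -Ldap with the GPO's LDAP path
# instead, after the rules have been tested on the staging box.
Set-AppLockerPolicy -XmlPolicy $policyXml

# Dry run: would this package be allowed for Everyone under the new policy?
$pkg = Get-AppxPackage -Name 'Microsoft.BingWeather'   # assumed package name
if ($pkg) {
    Test-AppLockerPolicy -XmlPolicy $policyXml -Packages $pkg -User Everyone
}

# What audit mode has recorded for packaged apps so far.
Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/Packaged app-Execution' `
    -EventType Audited |
    Select-Object Path, Publisher | Format-Table -AutoSize
```

    The Application Identity service (AppIDSvc) must be running on the client for AppLocker rules, including audit-only ones, to have any effect; if the event log stays empty after applying the policy, check that service first. Once the audit log shows only expected packages, change EnforcementMode to Enabled and re-apply.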

     

    Cheers!
