Today’s tip…
While it still requires administrative privileges to configure BitLocker, with Windows 8, standard users can now by default change their own PIN/Password. It is recommended that this be used in conjunction with the ‘Configure use of passwords’ GPO setting to enforce length and complexity.
One thing this means for enterprises is that they will be able to do their Windows deployments all with the same PIN/Password and allow their users to change it post-installation.
By default, this feature is included in Windows 8.
If you do not want this feature, you can enable the GPO setting Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Operating System Drive\Disallow Standard Users to change PIN or Password.
Server Performance Advisor 3.0. We love it, we hate it, we didn’t want to watch the video on Channel9….
So the Dude was kind enough to blog about it. This is a tool that is still sort of new, but can provide some valuable information into what is going on inside a host that is an IIS or Hyper-V or Windows machine….
So without further ado I give you SPA 3.0….
Well, actually, there is some ado, because I need to show you how to properly install it yet…in my domain…named Peaches.
So, the idea here is as follows. To use SPA one must provide a host to collect and analyze data to. We have targets we want to collect performance information about, but we need a spot to throw it all. That host in my example is named 2008R2-MON.
You build it up, give it some space, some CPU, memory, network, get it on the domain, install .NET Framework 4.0, service pack it up and then install SQL 2008 Express Edition….as follows:
And then…
and then…
(assuming we’re just being boring and installing to C:, which is what I did…)
I switched to ‘Default Instance’ to make things easier on myself later on. In case they got difficult anyway. (they didn’t)…
(Yes, my domain name is ‘peaches’ in my test lab…)
(I gave myself SQL Admin rights, in production you should consult a quality DBA for this really)
I opted out of SQL Error Reporting and Feature Usage this time, but really you should opt in for production, that way when something is on the code chopping block, the PM can know to not chop the feature you always use…
Woot it passed..
It’s alive!
(I love that movie)
So, now that you have SQL installed, what about SPA 3.0? (this is a blog post about SPA 3.0 after all…)
Download SPA 3.0 from here: http://msdn.microsoft.com/en-us/windows/hardware/hh367834
Run it:
and then
Here we connect to SQL…
And we now are using these APs…
Create a share (I named mine ‘share’) and make sure you have rights to write to it, alright?
Pick your poison, er, AP for use, and how long to collect data…
Check the boxes and click “Run Analysis” at the bottom right.
Once data is gathered, the machine you are running this on will get busy with its bad self as it parses the data:
Results look like this…
Hope this helps you with your visits to the SPA…
Applies to: Exchange 2000/2003
This may seem like a basic thing to some people, but for those who don't know, here goes. This can be easily done by running Exmon, available here.
So download Exmon and fire it up on your Exchange Server.
Go to the By Clientmon tab, and in there you'll see a column named "Cached Mode Sessions". If you have something other than 0 in that field, then your user is connecting over Cached mode.
Hope that helps, I've had the question a few times before.
Edited!
So someone had this question. It’s a good one. I didn’t know the answer so I found out….
Articles here and here would indicate that network traffic should be both intermittent and light. So….let’s check it out.
The Test: I built a Windows 8 VM in my lab. Updated it, updated default Windows Store Applications, created a new user account that I had never logged in as and then set up a netsh trace session from an elevated command prompt:
mkdir c:\trace
cd c:\trace
netsh trace start scenario=LAN capture=yes report=yes tracefile=c:\trace\file.etl
And then I logged out and logged into the new ID. The plan was to run it for 20-30 minutes but I went downstairs to talk to the wife and you know how that goes so an hour or so later I remembered my test! Went upstairs and logged out, logged in as my administrator user and opened an elevated command prompt and did:
cd c:\trace
netsh trace stop
It looked like this:
Which isn’t horribly exciting, but the etl file and file.cab file are.
So I put them on my debugging machine via SkyDrive and went to town.
The Results:
Very little traffic, most of it in spurts, every 5 minutes as expected.
You can see it in the graphic above. I’ll actually need to do a longer trace to get a better feel for statistics, but I wouldn’t sweat a Windows 8 RT or Pro device on your network.
This update comes to us from Chuck Timon, a SSEE in CTS…
In PowerShell, run –
Get-BPAResult -ModelId Microsoft/Windows/Hyper-V > c:\temp\hyper-vbpa.txt
Or to get a filtered output
Get-BPAResult -ModelId Microsoft/Windows/Hyper-V | fl ComputerName,Severity,Category,Title,Compliance > c:\temp\hyper-vbpa_formatted.txt
How cool is that?!
I did a few talks at TechEd (and TechReady for that matter) this year. And this is the one I was happiest with. I hope you enjoy/enjoyed it.
Jeff
http://channel9.msdn.com/Events/TechEd/Europe/2012/AAP303
“Well the high sheriff, told his deputy, won’t you go out and bring my Lazarus?”
Why am I quoting the Po Lazarus tune, the opening song of “O Brother Where Art Thou?” when I’m supposed to be talking about the Exchange Server that doesn’t? It’s the Chewbacca defense! This Exchange Server is so hosed I can comfortably quote an old folk song instead of talking about the server…
Ok ok, I’ll talk about the server:
This server is a Windows Server 2008 R2 SP1 Server running 10G E cards to talk to storage and it performs like it shouldn’t.
And Holy Moly! DPCs consume more CPU than any one thread on the box. Googly moogly! We’ve got a problem here. But why? What does it mean?
Right Click this graph and select Summary Table:
Here we go, our DPCs are in SYSTEM (4), module elx_octeamvlan.sys. But wait, there’s more, why?
Seems this driver in SYSTEM is spending a lot of DPC time on cores 6, 0 and 4. Odd. Let’s see what else we can find to help them write a better driver:
DPCs are high, way too high:
Observe, DPC count is low on 6/4/0 cores, but waits are um, not low:
Huh, let’s see what it is (symbols didn’t resolve, sorry, but it’s NDIS). The driver/hardware is a 10G E adapter:
Same function call in each of the three cores, lots of wait times. We’re having trouble with the driver’s implementation of how they talk on the network via NDIS. They are aware and I believe have already fixed the problem. Woot! Another happy customer.
PAL (http://pal.codeplex.com/) is a favorite tool of mine, written by Clint Huffman. I’ve written about it a few times but maybe you weren’t aware that the newest release has multi-threading capability?
It’s not in your face though really, just an option on the last page, the Execute page:
If you assign more than you have cores, your machine will be pretty unusable during the processing of a BLG, but it cuts time down significantly on complex traces. Give it a shot!
Much like the Operating System area, in the Application area we want to create a logical folder structure. These are applications we may want to cook into our reference image.
In the end, mine looks something like this (I’m building out a new MDT 2012 site here at home, so these are apps I install on my home machines).
But these are just folders! Where are the APPS?!!?1111!bbqlazers!
Ehm, Ok, here they are, we’ll start with Office 2010:
Right click the folder and select New Application.
Select the default radio button:
Fill in the fields in the next screen:
and hit next. For Office, mount the ISO of Office 2010 and point it to the architecture you want to install. I’m picking x86. For other applications, pointing to the directory with Setup or the root of the CD should work mostly.
Hit Next and note the directory it’s creating, make sure it makes sense.
Then hit next. On the next screen, the command line is where you’re going to want to put in the silent and whatnot install switches. Office though, MDT will do for us, so I’m going to be lazy and just put in setup.exe.
For other apps, you can contact the vendor to get the silent switches, or use the awesome website www.appdeploy.com.
Next will show you the summary of what you’ve picked. Then next and it will copy from the DVD.
Office and MDT are pretty integrated. So you can go to the properties of it and there is an extra tab from all the other applications. This will let you do your office customizations and whatnot.
So after yours is done, whack Apply.
After hitting apply, then doing the drop down at the top to None and Apply, and then ProPlusr and apply, Details should look like this:
See, the switches are now in place. We have an application. Now import the rest of your applications (with silent switches if possible) and continue to the next blog post.
To quickly start your Windows8/Server 2012 machine - Bring up Charms (Winkey+I OR mouse around in bottom-right corner to bring up Charms) – Settings which brings up the below screens (at the regular desktop OR at the Modern Desktop)
I started an article on Disk performance and characteristics for the PFE Performance Wiki a while back. I had actually forgotten about it (those who know me know my memory is Swiss Cheese sometimes). Anyway, here is a link to the article:
http://social.technet.microsoft.com/wiki/contents/articles/disk-in-depth-pfe-performance-guide.aspx
If you are a disk expert, feel free to critique and/or update.
Cheers,
jeff
So one of the trends I’ve been seeing in WDRAPs I’ve performed is that companies are making use of older hardware for newer tasks on a much more frequent basis than before. Budgets seem to mandate a 4-5 year (or longer) pc recycle timeframe and the net result of this is companies are running their new image of Windows 7 on hardware that in some cases is over 7 years old (personal experience talking here, no statistics to back it up sorry, though that might be interesting).
So when I go into a company to do a WDRAP I am often evaluating the security and performance of an older chassis. Something I’m frequently running into is that some models of desktop have Automatic Acoustic Management (AAM) enabled by default to a value of 128 (quiet). Sometimes, the BIOS is actually set to ‘Bypass’ which at first blush might make the user or administrator think the BIOS has this feature disabled. Incorrect in my experience! Bypass actually seems to let the disk decide, so if the manufacturer of a disk set the disk to prefer quiet mode, Bypass will let the disk run at a slower rotational speed to keep the head quiet.
This increases the seek time noticeably, as well as overall transfer time. (You can go over more blocks in a minute if you are spinning at 7200 RPMs than if you are spinning at say, 5400 RPM, same goes here for AAM).
Setting the BIOS to Performance (forcing the drive to run at the 254 level of performance instead of 128/quiet) has caused some boot times of older XP images to speed up by over 100 seconds in the field.
So really, check out this setting. You might also note that some hardware vendors disable this setting in later/modern hardware and sell it as a performance gain, rightfully so. Most drives are fairly quiet these days anyway, so much so that on most models of hardware I’ve changed this on, the end user doesn’t notice the difference in noise levels, only performance.
Of course your mileage will vary by model of drive, motherboard, and BIOS.
Additional links that you might find interesting on the topic are listed here.
The dude did a recording on VDI for RunAsRadio with Richard Campbell. Link below.
http://runasradio.com/default.aspx?showNum=289
Why? VMware template. Awwww yeah, the Dude strikes again. If you are running in VMware, we can capture the memory ballooning driver and real processor util in the guest and publish it to a PAL report.
This release delivers!
http://pal.codeplex.com/
So, I’ve been working on some MDT 2010 work for various customers for about six months or so, but I finally found something that struck me as sort of odd and blog-worthy.
So I created this big long involved task sequence for a customer and they attempted to lay it down over some older server installs in their lab and ran into errors. The errors were generic 80004005 errors as seen below, along with DiskPart errors:
Since the drive hasn’t been set up, I frankly wasn’t sure where to look for logging information to be honest. No MININT directory when the drive isn’t formatted you know?
So, I sat and thought for a moment. What could make my C: not present? Something in the diskpart command. But what? As I sat pondering it, I went back over my task sequence in my head (I didn’t have access to the console at the time).
One thing we had done, was specified larger drives for C: (they were moving from 2003 images to 2008 R2, and 2008 R2 requires a larger footprint on the disk). The disks for the old system were likely set up in the SCSI RAID controller for the local machine. Which means from WinPE’s view, it’s a drive, right? So I looked in diskpart after hitting F8 here and look what I saw:
Sure enough, disk 0 is 15 gig, my task sequence is configured to format the 1st disk to a 50 gig C: partition and then carve out the rest for D:.
Disks re-configured in the SCSI controller to one big fat disk and voilà, everything works.
My buddy Clint Huffman, performance expert and all around great guy, has just released PAL 2.1!
Pick it up, give it a whirl.
It includes a threshold file for FAST search for SharePoint.
Anyway, more coming from me soon.
So mount an ISO of the OS you want to capture and deploy into Hyper-V as the DVD drive of the MDT-Console VM.
Then in the MDT workbench, right click the folder “Operating Systems” and create a folder for that OS. Then right click that folder and select import.
Make sure you keep it on the “Full set of source files” and hit Next.
Then select the root of your mounted ISO as your source.
The destination directory name is NOT the name you set for the folder in MDT workbench, but is the flat file system directory.
Then we are at the Summary, which should be fairly logical and look something like this:
Then it will import:
When it’s done, it gives a summary and a finish button. Click it and witness the power of this fully operational MDT Reference Share! Muwauahahahah
Er, sorry, yeah, so note that I imported Ultimate, but look what I get:
Multiple OS’s. Anyone know why? That’s right, the Ultimate WIM has the previous editions in it. Do they take up extra space? No, not really.
So now we have an OS. Rinse and repeat for all your OS’s you want to service in the reference area.
Then, let’s right-click the MDT Reference Share in the tree and select “Update Deployment Share” so we can create the initial WinPE ISOs.
Select the defaults, next next and let it run.
Once this is done, we’ll be able to craft a task sequence and do some customizations.
In the Vital Signs workshop, we touch upon the tool SPA (Server Performance Advisor). This unsung hero of performance evaluation deserves some love, which is why I'm writing about it over 5 years after its last update was published and made available on the downloads site, here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&displaylang=en
So, Clint Huffman, creator of PAL, wrote up this excellent article on how to troubleshoot server performance problems...
So, check it out here:
http://channel9.msdn.com/Wiki/PerformanceWiki/HowToIdentifyBottleneckSPATool/
It's the bomb, and it's free as in beer.
So now with Operating Systems and Applications added to the console, it’s time to add a Task Sequence or three…
I always give my Task Sequences an ID of a number. You can use anything, but I like the numeric relevance, and it’s easier to type if you end up specifying a TS later…
Anyway, fill in the wizard already!
This is a “Standard Client Task Sequence”
Pick an Operating System…
No point in specifying a product key, we’re going to sysprep this image…
None of these fields really matter, this is for the reference image, and our specifications on the Deploy side will overwrite this stuff…
Doesn’t matter what local admin is, again, we’re sysprepping this and everything will be overwritten by Deployment…
Next, Finish, and done!
But that was just creating the TS, not modifying it, which is much more interesting. But, time to get the kids to bed first…
Look for the Dude’s interview with Richard Campbell on RunAsRadio, where I get into a discussion on Slow Boot/Slow Logon scenarios, tools to use and common culprits. The spot appears on May the 18th!
Links discussed on the interview are:
http://social.technet.microsoft.com/wiki/contents/articles/10130.root-causes-for-slow-boots-and-logons-sbsl.aspx
http://blogs.technet.com/b/yongrhee/archive/2012/02/19/list-of-performance-hotfixes-post-sp1-for-windows-7-sp1.aspx
Thanks!
Jeff Stokes
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’. Just like it sounds, this option allows us to encrypt only the parts of the volume that are currently in use. As files are added to the volume, they are encrypted as well.
To the end-user this means a much shorter time for BitLocker to complete the initial encryption process for new volumes. For volumes that already have data on them, it is recommended that the ‘Encrypt entire drive’ option be used.
There is a GPO, which you can use to enable Used Space Encryption for Windows 8.
Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Operating System Drive\Enforce Drive Encryption type on Operating System Drive:
This GPO is also available for Fixed Data Drives and Removable Drives.
Manage-bde Command:
Hope you enjoy.
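An added example, not part of the original posts: a read-only PowerShell audit that ties together the two Windows 8 BitLocker settings covered in this post and in the PIN/Password tip at the top of the page. For each volume it reports whether a user-changeable PIN or password is backed by a length policy, and whether used-space-only encryption is enforced (which leaves previously deleted data in free space unencrypted, the reason full encryption is recommended above for volumes that already hold data). The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumptions about what these policies write and are not given in the posts; check them against your ADMX templates.

```powershell
# Added example, not the author's code. Read-only; run from an elevated prompt.
# Assumption: the BitLocker policies write these value names under FVE.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    param([Parameter(Mandatory)][string]$Name)
    # $null means "Not Configured", which is different from an explicit 0.
    $item = Get-ItemProperty -Path $FvePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$encType     = Get-FvePolicy 'OSEncryptionType'             # 1 = full, 2 = used space only
$pinLocked   = Get-FvePolicy 'DisallowStandardUserPINReset' # 1 = users cannot change it
$minPin      = Get-FvePolicy 'MinimumPIN'
$minPassword = Get-FvePolicy 'OSPassphraseLength'

$report = foreach ($vol in Get-BitLockerVolume) {
    $protectors = @($vol.KeyProtector | Where-Object { $_ } |
                    ForEach-Object { "$($_.KeyProtectorType)" })
    $isOs  = "$($vol.VolumeType)" -eq 'OperatingSystem'
    $notes = @()

    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $notes += 'protection is off or suspended'
    }
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $notes += "conversion state: $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
    }
    if ($isOs -and $pinLocked -ne 1) {
        # Users may pick their own secret, so a length policy has to back it up.
        if (($protectors -match 'Pin') -and -not $minPin) {
            $notes += 'PIN is user-changeable but no minimum PIN length is set'
        }
        if (($protectors -contains 'Password') -and -not $minPassword) {
            $notes += 'password is user-changeable but no minimum length is set'
        }
    }
    if ($isOs -and $encType -eq 2) {
        # Used-space-only never touches free space that held deleted files.
        $notes += 'policy enforces used-space-only; confirm the disk was new or wiped'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Type       = "$($vol.VolumeType)"
        Protectors = $protectors -join ','
        Findings   = if ($notes) { $notes -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize -Wrap
```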
Applies to Exchange 2003
I had a case a couple weeks ago I thought I'd write about. What was happening is the Version Store would run out of memory and a 623 error would throw. Version Store buckets allocated would climb from 4 to over 2000 in less than 5 minutes. The store would then rollback its transactions for a bit, recover, run for 10-15 minutes and repeat the whole cycle over.
This is atypical 623 behavior to say the least.
What we ended up doing to fix it was capture an adplus dump, 3 actually, triggered at Version Store buckets allocated crossing 1600. We captured 3 dumps at 1 minute intervals.
The 1st dump caught the problem transaction, the last 2 were both capturing rollbacks, so this was a quick ramp up.
Turns out the problem was being caused by a bad meeting request being processed over and over again. We tried all kinds of ways to delete the message, all of which caused Version Store buckets allocated to climb. A MFCMapi hard delete ended up doing the trick.
Dan and I and some other engineers wrote up a blog post you can find here on how to recover from a smashed schema scenario on your Exchange Servers.
It's pretty succinct so I don't have anything to add to it, it's an interesting read though.
And it wasn't half bad. At this customer site I am at currently doing MDT 2010 deployment creation for a Windows Server 2008 R2 rollout, WSUS was breaking for the desktop deployment folks.
WSUS was enabled on a Windows 2008 R2 server. The website couldn't be accessed, giving a server 500 error. When I looked in the Application and System event logs, two things stood out at me.
The first thing that caught my eye was in the System event log. A 2025, from SRV stating that the MDT reference machine in a VM on the 2008 R2 host was doing a possible Denial of Service attack against the 2008 R2 server and the connection was closed.
Odd.
Second was that in the logs for WSUS, 13042, could not self update. Strange. I started messing around with it, and long story short of it, the service that the Application Pools in IIS were running under did not have any rights to the IIS folders. Restoring rights to the IIS folders resolved the issue and WSUS happily patched the MDT Reference image.