I spent some time in the lab today playing with the Windows Vista Hardware Assessment Tool (WVHA) 2.0. WVHA is an awesome utility from the Solution Accelerator team that allows you to scan a network (of both AD-joined and workgroup computers) and report on which machines in your network are capable of being upgraded to Vista, and which ones will need upgrades or replacement.
There is a ton of good information on how to set up and use WVHA here, you can hear an interview with the WVHA Program Manager (Baldwin Ng) here, or see it in action here.
After playing with WVHA today, however, I realized that it is much more powerful than advertised, as long as you don't mind getting your hands dirty.
Although it is technically limited to scanning 25,000 computers per domain, that is actually 25,000 computers per domain per scan... You can scan the domain more than once, and WVHA will add more computers in increments of 25,000 to the database (without re-scanning computers that have already been scanned). A couple of caveats however... If you are actually scanning a domain with more than 25,000 computers, you are probably in the market for SMS (aka System Center Configuration Manager), which has enterprise-class scanning and reporting. Also, if you end up adding more than 65,000 computers, you will run into problems with the generated Excel report (Excel prior to Office 2007 only supported 65,536 rows). The scanning is agentless, utilizing remote WMI queries, so you will need to have ports 135 and 139 opened up between the scanning computer and the targets.
If you look at the sample report for Lucerne Publishing (or perhaps your own), you may notice that the report lists some computers with an "unknown" status. There are a few reasons why the WMI query may have failed:
You can resolve the underlying issues (i.e. supply additional admin credentials), rescan, and the computers will be added back into the report. What happens if you cannot resolve the issue? Perhaps you have a workgroup of computers that are connected to the LAN via a 28.8k modem at a remote site (crazier things have happened!). Since WVHA exports the report information into Excel, you can go into the data, slice and dice at will, and generate new pie charts to paste into your report. This will also allow you to add in custom charts and graphs that will be helpful for your client. If you are using Office 2007, then you can make them extremely pretty as well ;)
Now... for the REALLY deep part. WVHA exposes approximately 26 pieces of information about each scanned computer (Amount of RAM, BIOS Vendor, etc). Behind the scenes, WVHA has actually collected a TON of information that is not surfaced in the Excel report. This information is stored in the SQL Express back end. How would you use this? You could use WVHA to scan a network, populate all of the computer information into the SQL database, and then manually query the data with T-SQL, throw it at SQL Reporting Services, generate charts, graphs, reports, and then export it into any format SQL supports (PDF, Excel, etc...) the options are limitless. Not bad for a free tool from Microsoft :)
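The post says WVHA's scan is agentless remote WMI and that machines whose query fails show up as "unknown". The script below is an added example, not part of WVHA or the original post: it performs the same kind of remote WMI inventory (RAM, BIOS vendor, OS) against a list of computers and keeps a row for each failure, with the reason, instead of silently dropping it, so the "unknown" machines can be triaged and rescanned. The computer names and the CSV path are constructed sample values. One caveat worth knowing when opening firewalls for this: remote WMI is DCOM, so besides TCP 135 (the RPC endpoint mapper) the client also connects to the dynamic RPC port the target hands back; a firewall that only passes 135 will still produce "RPC server unavailable" failures.

```powershell
# Added example (not WVHA's code): agentless remote WMI hardware inventory with
# explicit "Unknown" handling for machines the query cannot reach.
# Sample target list (constructed); replace with your own computers.
$computers = @("ws01.corp.example", "ws02.corp.example", "remote-wg-pc")

# Prompt for credentials rather than embedding them in the script. The account
# needs local administrator rights on the targets (a remote WMI requirement) and
# nothing more; a domain admin account is not needed for inventory.
$cred = Get-Credential

function Get-HardwareInventory {
    param(
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # Every machine starts as "Unknown"; it is only promoted to "Scanned" once all
    # three queries succeed, mirroring the status column in the WVHA report.
    $result = New-Object PSObject -Property @{
        Computer   = $ComputerName
        Status     = "Unknown"
        RamMB      = $null
        BiosVendor = $null
        OS         = $null
        Error      = $null
    }
    try {
        # -ErrorAction Stop turns WMI failures into terminating errors so the
        # catch block below records them.
        $cs   = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $bios = Get-WmiObject -Class Win32_BIOS            -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop

        $result.RamMB      = [math]::Round($cs.TotalPhysicalMemory / 1MB)
        $result.BiosVendor = $bios.Manufacturer
        $result.OS         = $os.Caption
        $result.Status     = "Scanned"
    }
    catch {
        # Access denied, RPC server unavailable, name resolution failure, ...
        # Keep the message so the "Unknown" rows can be fixed and rescanned.
        $result.Error = $_.Exception.Message
    }
    return $result
}

$inventory = foreach ($c in $computers) {
    Get-HardwareInventory -ComputerName $c -Credential $cred
}

# Same split as the WVHA report: scanned machines, then the "Unknown" ones to follow up.
$inventory | Where-Object { $_.Status -eq "Scanned" } |
    Select-Object Computer, RamMB, BiosVendor, OS | Format-Table -AutoSize
$inventory | Where-Object { $_.Status -eq "Unknown" } |
    Select-Object Computer, Error | Format-Table -AutoSize -Wrap

# Hand the raw rows to Excel (or SQL) for slicing, as the post describes.
# Output path is an assumed sample value.
$inventory | Export-Csv -Path ".\hardware-inventory.csv" -NoTypeInformation
```

Run it from an elevated PowerShell prompt on the scanning machine; the "Unknown" table is the equivalent of the report rows the post talks about, and the Error column tells you whether the fix is credentials, name resolution or a firewall rule.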
While learning about the changes in Active Directory on Windows Server 2008 at a recent conference, the presenters casually mentioned a new feature as an aside that is actually quite exciting!
If you have ever had a Domain Controller stolen or experienced a catastrophic hardware failure, then you are familiar with the joy that is manually cleaning up the DC metadata in Active Directory with NTDSUTIL. (This KB article has all the steps in case you have trouble going to sleep. Daniel Petri also has a good write-up here). It is a painful experience to say the least.
With the advent of the Read-Only Domain Controller role in Windows Server 2008, the Active Directory team has planned for the eventuality that a Domain Controller at a branch office (where it is likely stuck in the janitor's closet or under a desk) will be stolen. As the RODC only caches the credentials of the users at the branch office, there is no need to reset every password within the enterprise; you can simply reset the passwords for the few users at the branch office.
You open up Active Directory Users and Computers
Right click on the stolen DC
Delete
You will be given the option to reset the passwords of the Users that were present on the RODC, export the user list to a file, and then the wizard will clean up all references to that RODC FOR you. No messy ntdsutil work.
I checked with the presenters after the session, and this server cleanup also works swimmingly on a writeable Domain Controller. If you have a catastrophic hardware failure and the Domain Controller has died for all time, you can go into the ADUC GUI and delete the deceased DC. You will not receive the option to reset user accounts (as you would for an RODC), but all lingering metadata in AD relating to that server will be gone.
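The claim above is that the ADUC delete wizard leaves no lingering metadata for the removed DC. The script below is an added example, not from the post or from Microsoft's tooling, that verifies that claim after the fact: it looks in the places where DC metadata normally lingers (the server object and NTDS Settings under CN=Sites, replication connection objects on other DCs still sourcing from the removed server, the DC's computer account, and its FRS SYSVOL member object) and reports anything still present. It uses plain ADSI / System.DirectoryServices, which is available on a Windows Server 2008 box without any extra module. The DC name is an assumed sample value. It does not check DNS, where a removed DC's A and SRV records can also linger and need separate cleanup.

```powershell
# Added example (not Microsoft's code): check for leftover DC metadata after the
# server has been deleted through ADUC. $DcName is an assumed sample value.
param([string]$DcName = "BRANCH-RODC01")

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Get("configurationNamingContext")
$defaultNc = $rootDse.Get("defaultNamingContext")

# Escape LDAP filter metacharacters so an odd server name cannot break the filter.
$safeName = $DcName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

function Find-AdObjects([string]$SearchBase, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 500
    $searcher.FindAll()
}

$leftovers = @()

# 1. Server object (its NTDS Settings child goes with it) under CN=Sites in the Configuration NC.
foreach ($r in @(Find-AdObjects $configNc "(&(objectClass=server)(cn=$safeName))")) {
    $leftovers += "Server object: " + $r.Path
}

# 2. Inbound replication connection objects on other DCs that still name this server
#    as their source. fromServer is DN-syntax, so it is matched here rather than in LDAP.
foreach ($r in @(Find-AdObjects $configNc "(objectClass=nTDSConnection)")) {
    if ($r.Properties["fromserver"].Count -gt 0) {
        $from = [string]$r.Properties["fromserver"][0]
        if ($from -like "*CN=NTDS Settings,CN=$DcName,*") {
            $leftovers += "Connection object: " + $r.Path + " (fromServer = $from)"
        }
    }
}

# 3. The DC's computer account in the Domain NC.
foreach ($r in @(Find-AdObjects $defaultNc "(&(objectClass=computer)(cn=$safeName))")) {
    $leftovers += "Computer account: " + $r.Path
}

# 4. FRS member object for SYSVOL replication (pre-DFSR SYSVOL).
foreach ($r in @(Find-AdObjects $defaultNc "(&(objectClass=nTFRSMember)(cn=$safeName))")) {
    $leftovers += "FRS SYSVOL member: " + $r.Path
}

if ($leftovers.Count -eq 0) {
    Write-Host "No metadata found for $DcName in the Configuration or Domain partitions."
} else {
    Write-Warning "Metadata for $DcName is still present:"
    $leftovers | ForEach-Object { Write-Host "  $_" }
    exit 1
}
```

Run it as a domain administrator from any domain member after the deletion has replicated; a non-zero exit with a list of paths is your cue to finish the job by hand (the KB article linked above covers that), while an empty result confirms the wizard really did clean up after the dead box.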
Making your life as a Windows Server Administrator easier... one feature at a time :)
For more reading, I would recommend:
With every new OS, there are a few "Must Have" features that make the upgrade worthwhile. For Vista, it was the security and reliability features, with recent Linux distributions, it has been the addition of Compiz. The addition of Time Machine to Mac OS X 10.5 was the feature that caused me to pre-order Apple's latest release for my MacBook Pro.
Since the beginning of time, Apple backup solutions have, for lack of a better word, sucked. I have had nothing but bad luck with Dantz's Retrospect, and Apple's own (aptly named) "Backup" utility should be taken out back and shot. Not only are you required to purchase an annual $99 .Mac subscription to even back up to a local drive, but the functionality and UI at version 3 resembles a midterm project by a college student straight out of "Introduction to Programming in C 101". A decent list of backup clients for OS X can be found here.
But with two-and-a-half years of development, Apple has surely gotten backup right in Leopard, right? Time machine certainly demos well... Having installed it tonight, however, I can tell you that Apple's advertising is correct. Time Machine is a "giant leap backward".
Why?
Time Machine supports a ridiculously limited ability to back up to a network share. Specifically, the ONLY network shares that Leopard will back up to are:
You bought a Buffalo TeraStation NAS? Too bad. You're using Windows Home Server? Apple doesn't care. Bought an AirPort Extreme FROM APPLE with an attached USB hard drive? Don't expect Time Machine to recognize it. Want to keep a second Mac running Tiger (10.4)? Also a non-starter for Time Machine...
Mac OS X can mount these remote hard drives with no problem (the SMB support is actually quite robust), and reading/writing files is a breeze. You just cannot back up with Time Machine unless the target hard drive is hooked up to Leopard.
You also cannot back up your home directory if it is encrypted with FileVault.
ARRRRGGGHHHH!
So, long story short: If you want to back up your unencrypted Leopard install to a local USB/FireWire hard drive, you are good to go. If you want to back up multiple Macs to a central file share, you could just pick up an Xserve RAID. Who doesn't need Fibre Channel in the home? If you want to have files that are both encrypted and backed up... well, that's just asking too much.
Other than the shortcomings of Time machine, the OS itself is quite nice. I will post some more thoughts once I have had a chance to play with it a bit.
Taken near North Bend, WA last night with my new Canon S5 IS :)
Now with support for SuSE Linux Enterprise Server 10! I see that version 2.0 of the VM Additions for Linux have been uploaded, and you can now get them directly from the MS Download site instead of Connect. While they are designed for Virtual Server 2005 R2 SP1, they should probably work in Virtual PC. Your mileage may vary... try at your own risk.
From the download site:
Virtual Machine Additions information
To improve the interoperability between virtual machines running Linux guest operating systems and Virtual Server 2005 R2, Virtual Machine Additions are available for Linux guest operating systems. You can install these Virtual Machine Additions components in your Linux guest operating systems to improve the following operating system capabilities:
Download them here: http://www.microsoft.com/downloads/details.aspx?familyid=bf12642f-77dc-4d45-ae4e-e1b05e0a2674&displaylang=en&tm
A new release of Ubuntu has just come out, so let's put it through the paces in Virtual PC 2007!
First of all, the old install problems (chronicled here) still exist. The Ubuntu installer boots up into 24-bit color, which is not supported by Virtual PC. If you start with the Start Ubuntu in safe graphics mode option, you will be able to see the installer screen just fine (with some ginormous icons), but unfortunately, the mouse is not recognized at all. I really had hoped this would be fixed!
That's fine... Mike has the fix here: http://blogs.msdn.com/mikekol/archive/2007/08/06/making-ubuntu-7-04-work-under-virtual-pc-2007.aspx
Once Ubuntu finishes booting, the graphics will be... completely screwed up.
After doing the above, Ubuntu is actually quite usable! Out of the box, it has OpenOffice, GIMP, a PDF reader, and some games. What more could you need?
I noticed that Thunderbird is not included, in favor of the Evolution Mail client. Normally, I prefer Thunderbird, but my work email lives on Exchange, and Thunderbird only works with POP/IMAP. I was pleasantly surprised, then, to see that "Microsoft Exchange" was listed as a server type. I entered my username and the Outlook Web Access (OWA) URL, and hit Authenticate. After typing in my password, I hit "ok", and Evolution disappeared. I've tried twice with the same result... must be a bug. Oh well.
Strangely enough, Thunderbird is not even available under "Add/Remove Applications". That having been said, "Add/Remove Applications" is REALLY slick. It is an installer for various packages that live on the internet. The UI is very intuitive and well laid out. I wouldn't mind having an equivalent to this program in either Vista or OS X.
I spent some time in GIMP, which works fine, although I was somewhat overwhelmed by the options. Maybe it would make more sense after spending a few hours with Gimp for Dummies ;) In the meanwhile, I MUCH prefer Paint.Net, the best free photo editor out there.
I also tried the new Desktop Search feature (which you bring up by clicking the icon in the menu bar that looks like a magnifying glass with an arrow coming out of it). The search results are more focused towards finding web results (which are at the top) than programs or files on the local computer. I happen to prefer the Vista search results in this regard, as Vista Search is the quickest way to launch a program via the keyboard.
I also happened to notice that the Linux distribution of "Freedom" and "Choice" does not have Live.com as a search provider. Too bad... with the recent refresh, I actually prefer Live.com to Google or Yahoo...
There are several options you can set up regarding indexing speed, ignored files, etc...
There is also an RDP client included out of the box, which would be great for connecting to my Windows Home Server box. For some reason, just like Evolution, when I hit the "connect" button, the Terminal Server Client just disappeared. Weird!
All in all, this is quite a solid release. OpenOffice works just fine, although it is not in the same league as Office 2007. Much nicer/snappier/more usable than Google Docs though... some things work well in AJAX, and other things do not. Office applications are much more usable as fat clients. Add in the ability to save to "the cloud" and have versioning/collaboration, and you have a killer combo. We'll see who gets that out the door first. But I digress... this is the first version of Ubuntu that I find to be quite usable. As I am running in a Virtual PC image, I can't try out Compiz, but I hear good things. I also have Kubuntu downloading right now (Ubuntu with KDE), and we'll see if there are any changes in that version worth talking about. It happens to weigh in at 4.3 GB (compared to Ubuntu's 712MB), so we'll find out what KDE does with that extra 3.5 gigabytes of space. :)
Pretty cool opportunity if you live in the Seattle/Redmond area...
Attention AD people!! Microsoft Learning needs your help! Pilot runs October 31st – November 16th. Please forward to anyone local to the Seattle area that may be interested.
Free pilot exam, be the first to experience it, and provide your valuable feedback!
Microsoft is looking for volunteers who know Active Directory to participate in a pilot of our new, innovative MCP emulation lab exam technology. During this pilot, you will take an exam in which you will perform a variety of tasks using Active Directory, answer multiple choice questions, and provide feedback about your experience with this new technology. The purposes of this pilot are to: 1) understand how emulation lab-based items function in relation to multiple choice items, 2) determine how much time is needed to complete each lab, and 3) evaluate our scoring strategy.
As an incentive, all participants will receive a thank you gift after completing the exam as well as breakfast or lunch. To encourage you to do your best on the exam, the top 5 highest scorers will receive a 100 GB USB 2.0 external hard drive. Additionally, participants who demonstrate their expertise on Active Directory may be invited to future (paid) MCP exam development events.
We will be conducting this pilot project from October 31 through November 16 on Microsoft’s main Redmond campus. To ensure that all participants have sufficient time to complete both sections of the exam and provide feedback, each slot is scheduled for 4 hours. However, we anticipate that most participants will finish in less time. Two time slots are available per weekday (Monday – Friday from 8:30am-12:30pm and 1:00pm-5:00pm). To register for the exam:
1) Go to: https://www.pickatime.com/client?ven=11601148
2) Create a ‘pickatime.com’ account if you do not have one. This information is used solely to send you a confirmation and reminder email. Microsoft will not use it to contact you in any way.
3) Select the location where you want to take the exam.
a. Microsoft employees should register for sessions at Building 25 unless all slots for your desired date and time are filled.
b. Non-Microsoft employees must register for sessions in Building 40.
4) Select a day and time for your appointment.
5) Click “Confirm.” A confirmation message containing specific details about the location of the exam and other relevant information will be sent to the email address provided when you created your account.
If you know others who are familiar with Active Directory, please feel free to forward this email.
Your participation is critical to the successful implementation of our emulation lab exam technology. Thank you, in advance, for your assistance with this project.
Microsoft’s MCP Emulation Exam Team
Quick Disclaimer: Although this post is intended to be humorous, the following examples are all based off of actual resume problems I have seen. Numerous times. On multiple resumes. Good grief.
Before I get started, if you are actually working on your resume, I strongly recommend the following two articles/blog posts. The advice they give (including the fact that no hiring manager cares about your "Career Objective" statement) is spot on.
In no particular order, I give you:
Programs Used: HP Photosmart Print Driver 5.2.1.63, Windows 3.1, Windows 3.1.1, Windows 95, Windows 95b, Windows 97, Office 4.2.1, Mac OS 6, Oregon Trail, Sheet Metal Scrappings Collector 6.9.1, Adobe Reader, America Online 4.5.6, Prodigy 2.1, CompuServe 3.5, eWorld, Novell Netware 1.6.8, Packard Bell Software Updater 4.3
Where do these lists even come from? Are you running an inventory on the broken computer in the garage? If you haven't used a computer since 1997, maybe Microsoft isn't the place to apply.
However, if you have never actually installed a copy of Windows Server, but you list your experience as "Senior Architectural Consultant who singlehandedly designed an international multi-site Active Directory and Exchange deployment for a Fortune 100 company, with a fault-tolerant backup plan and a 5-nines uptime SLA"… Odds are that the discrepancy will come up in the interview. You will look pretty silly at that point.
When hiring for a position, I want you to succeed. I really do. Stay away from the above mistakes, run the 'ol resume through a spell-check before submitting, and let me see a well-rounded individual with a clear record of career progression and passion for technology. That is the best way to get a follow-up phone call from the recruiter.
After approximately 6 months on a waiting list, a seat has opened up on the vanpool that drives between my home and work. Finally, I will be able to do something during the 90-minute commute (each way) other than stare at tail-lights and try to stay awake.
I shared the news with my wife, and when my kids overheard, they were incredibly excited and happy to hear the news.
"Wow!" I thought... "they sure teach kids to be environmentally conscious these days. I don't think I even knew what a vanpool was when I was seven years old!"
"Daddy?" my daughter asked, "do we have to wear seatbelts while we are swimming in the vanpool and you are driving?"
Time for part two of my DPM 2007 Series (Part 1 showed installation), Protecting Exchange 2007 with DPM 2007... Let's Go!
Let's start with required reading, and then I'll walk through the process with screenshots:
How does Exchange Server protection with DPM work?
DPM uses a combination of transaction log replication and block-level synchronization in conjunction with the Exchange VSS Writer to help ensure your ability to recover Exchange Server databases. After the initial baseline copy of data, two parallel processes enable continuous data protection with integrity:
· Transaction logs are continuously synchronized to the DPM server, as often as every 15 minutes.
· An “express full” uses the Exchange Server VSS Writer to identify which blocks have changed in the entire production database, and send just the updated blocks or fragments. This provides a complete and consistent image of the datafiles on the DPM 2007 server. DPM 2007 maintains up to 512 shadow copies of the full Exchange Server database(s) by storing only the differences between any two images.
Assuming one “express full” per week, stored as one of 512 shadow copy differentials between one week and the next, plus seven days x 24 hours x 4 (every 15 minutes), DPM 2007 provides over 344,000 data consistent recovery points for Exchange.
Designed for Exchange Server
Because DPM was designed specifically for Exchange Server, DPM understands the advanced configurations of Exchange Server that often cause other data protection tools to fail:
· Designed for Exchange Server clusters, DPM is not only “Exchange-savvy,” but “cluster-competent.” During deployment, DPM 2007 is aware of the physical nodes, the cluster’s identity, and the virtual servers running within it. DPM 2007 will help you ensure that the DPM agent is on all clustered nodes to maximize protection of the Exchange data. And when Microsoft Cluster Services changes the Exchange Server to a different clustered node, DPM 2007 will continue to help protect the virtual Exchange server without administrator intervention. Cluster support includes Exchange 2003 and Exchange 2007.
· Designed for Exchange 2007 LCR (Local Continuous Replication), DPM is LCR aware and protects the active database.
· Designed for Exchange 2007 CCR (Clustered Continuous Replication), DPM is CCR aware and enables “Preferred Node Backup” — allowing the active node, the passive node or a particular geographically desirable node to be protected – to eliminate I/O impact during backups.
· Designing for Exchange 2007 SCR (Standby Continuous Replication) with Exchange Service Pack 1, DPM 2007 will be there to protect and add value to those environments too.
DPM 2007 protects a storage group, but can restore a storage group, a database, or even a single mailbox.
Let's get started! Before you can start protecting storage groups on your computer running Exchange Server, you must install the agent on the server to be managed.
Click on Management --> Agents, and then select "Install..." in the action pane.
Servers in the same domain as DPM should show up automagically. If you want to protect a computer in a trusted domain, you will need to type the Fully Qualified Domain Name of that server. In my case, Exchange is in the same domain, so I can simply select it and add it.
Hit "next", enter local admin credentials for the server to be protected, and then select whether that server should be restarted immediately, or manually restarted later. It goes without saying that you should be doing this work during your scheduled maintenance window. 9:00 AM on a Monday morning is probably not the best time to start this process :)
You can go grab coffee if you'd like, or watch the status on the Agent screen:
Once the agent has finished installing and your Exchange Server has rebooted, it is time to create a protection group. A protection group is a collection of data sources that share the same protection configuration (retention range, time between backups, etc.). You start the Create New Protection Group Wizard in DPM Administrator Console.
To start the Create New Protection Group Wizard
1. On the DPM server (DPM) virtual machine, in DPM Administrator Console, click Protection on the navigation bar.
2. On the Actions pane, click Create protection group.
The Create New Protection Group Wizard appears.
3. Review the Welcome page, and then click Next.
Select the Exchange Server, and you will be able to drill down and select the Exchange Storage Groups, any shares on the server, and volumes or directories on the server, and System State.
I ran into an interesting error when selecting one of the checkboxes above:
Adding the text so that the Search Engines grab it ;)
-------------------
Microsoft System Center Data Protection Manager 2007
This item cannot be protected because some prerequisite software is missing. Ensure that all prerequisite software is installed and then protect this item. (ID: 31008)
Click Help to view the list of prerequisite software for the selected item
What does this error mean? It means "Read the instructions, dummy!". As you can guess, I did not bother to do so... ;) All protected servers require installation of Knowledge Base article 940349, "Hotfix rollup of VSS reliability, scalability, and memory optimization". Beyond that, protected servers have prerequisites that are specific to their workload. Exchange 2007, for example, requires Update Rollup 4 for Exchange 2007. Most of the other workloads have an update or two that must be loaded before they can be protected by DPM.
All prerequisites for protected servers can be found here: http://technet.microsoft.com/en-us/library/bb808827.aspx
Once you are complete, you will be able to proceed, give your Protection Group a name, and select Disk as your short-term method (and tape as long-term if you have a tape drive attached to your DPM server).
For Exchange specifically, you will be given the option of running Eseutil to check data integrity. Note: You will need to manually copy ese.dll and eseutil.exe from your Exchange server into %programfiles%\Microsoft DPM\DPM\bin\. If you have not done so, you will receive a prompt reminding you.
Next you get to specify your short-term recovery goals, specifically the retention range and synchronization frequency. Don't be scared by the "Every 15 minutes". In practice, once the initial sync is done, very little data needs to traverse the wire every 15 minutes. This of course depends on your actual environment and how heavily Exchange is used.
Next, you get to choose where everything is saved. By default, you will be backing up to the DPM storage pool, although you can choose a custom volume if desired (perhaps if you have a spare LUN on a SAN). In our case, we are just going to go with the defaults.
We're getting close here! Next, you get to choose when/how DPM will create the initial replica of the protected server. You can choose to copy the data now, at a scheduled time, or manually. The last option is nice if your protected server has a lot of data and is on the other side of a WAN. It can be faster to back the data up to removable media and hand it off to FedEx for the initial sync. In our case, we are just going to replicate automatically.
Voila! We are done. Depending on how much data there is on the protected server (along with the speed of your protected server, DPM, your network...) it may take a while to replicate everything over. Don't be concerned by the red "X"s below; they are just telling us that the DPM replica is not yet consistent with the source data (as it has not finished initial replication).
You can always switch over to the "Monitoring" tab to receive more information about the error.
And with that, Exchange is backed up. Continuously. I can archive to tape if I want later, I have the benefit of Disk-to-Disk Continuous Data Protection, and can recover to Bare-Metal, System State, Storage Group, or even individual mailboxes. Nice!!!
Just saw the following over on the Virtualization Blog. I have read a few of them, and they are REALLY good!
We finally managed to get the last of the Virtual Server SP1 cookbooks live. Take a look - there is excellent step-by-step details on Virtual Server + Data Protection Manager + Systems Center Virtual Machine Manager, Quick Migration, Terminal Server virtualization.

Microsoft Virtual Server 2005 R2 Service Pack 1 and Microsoft System Center Virtual Machine Manager
The goal of this cookbook is to provide the steps and guidance necessary for you to successfully install and configure Virtual Server 2005 R2 SP1 and System Center Virtual Machine Manager. You may then create and manage virtual machines, and perform P2V migration.
http://download.microsoft.com/download/2/b/9/2b99fd0d-5437-40d7-a430-23e31cac7ece/Deployment_Cookbook.SCVMM_FINAL.doc

Backup and Recovery using Microsoft Virtual Server 2005 R2 Service Pack 1 and Acronis True Image 9.1 Enterprise Edition
The goal of this cookbook is to guide you through installing Acronis server imaging solutions for workgroups and installing Microsoft Virtual Server 2005 R2 SP1. The cookbook covers creating a virtual machine (to serve as a standby for recovery) and restoring the contents of a server representing your production workload to the waiting virtual machine.
http://download.microsoft.com/download/2/b/9/2b99fd0d-5437-40d7-a430-23e31cac7ece/Deployment_Cookbook.VS_Acronis_FINAL.doc

Microsoft System Center Data Protection Manager 2007, Microsoft Virtual Server 2005 R2 Service Pack 1, and Microsoft System Center Virtual Machine Manager
The scenario presented in this cookbook will take you through the steps necessary to install Virtual Server and SCVMM, and then convert a workload to a virtual machine. This cookbook also includes the steps necessary to install DPM and to back up a running virtual machine, as well as information about monitoring and reporting using DPM.
http://download.microsoft.com/download/2/b/9/2b99fd0d-5437-40d7-a430-23e31cac7ece/Deployment_Cookbook.SCVMM_DPM_FINAL.doc

Quick Migration with Virtual Server Host Clustering: Windows Server 2003 Enterprise Edition & Microsoft Virtual Server 2005 R2 Service Pack 1
This cookbook describes a simple configuration in which you use Virtual Server 2005 R2 to configure one guest operating system, and configure a server cluster that has two servers (nodes). With this configuration, you can migrate workloads easily from one node to the other.
http://download.microsoft.com/download/2/b/9/2b99fd0d-5437-40d7-a430-23e31cac7ece/Deployment_Cookbook.Quick_Migration_FINAL.doc

Mobile User Access of Applications: Terminal Server running on virtual machines using Microsoft Virtual Server 2005 R2 Service Pack 1
In this cookbook we will install Terminal Server on a virtual machine and access the terminal server remotely. We will also show how to install Remote Desktop Web Connection and how to configure Windows® Firewall to allow remote clients to access the terminal server.
http://download.microsoft.com/download/2/b/9/2b99fd0d-5437-40d7-a430-23e31cac7ece/Deployment_Cookbook.Terminal Services Presentation Virtualization_Final.doc

Hosted Backup and Recovery Solutions for Service Providers using Data Protection Manager (DPM) and Virtual Server (VS)
This cookbook will provide procedural, step-by-step guidance to an IT Generalist audience providing data backup and recovery to customers as a hosted solution using Virtual Server and System Center Data Protection Manager 2007.
http://download.microsoft.com/download/5/0/4/5049f4b0-7ad1-4f34-8018-ef96af052a2c/Deployment_Cookbook.DPM_hosted_solution_FINAL.docx

Simple Offsite Backup and Recovery of virtual machines using DPM and VS
This cookbook will provide procedural, step-by-step guidance to an IT Generalist audience for backing up and restoring virtual machines running in an offsite location using Virtual Server and System Center Data Protection Manager 2007.
http://download.microsoft.com/download/2/4/0/240c1b94-d2ed-45b6-b821-9d8cd792c22b/Deployment_Cookbook.DPM_offsite_backup_FINAL.doc

Simple Onsite Backup and Recovery of virtual machines using DPM and VS
This cookbook will provide procedural, step-by-step guidance to an IT Generalist audience for backing up and restoring running virtual machines using Virtual Server and System Center Data Protection Manager 2007.
http://download.microsoft.com/download/f/b/d/fbd28458-c41c-4414-b530-869af4e49014/Deployment_Cookbook.DPM_onsite_backup_FINAL.doc

High Availability with VS and WS03R2 Enterprise Server Clustering
This cookbook will provide procedural, step-by-step guidance to an IT Generalist audience for implementing high availability of server workloads using Windows Server 2003 Server Clustering and Virtual Server using Intel-based hardware.
http://download.microsoft.com/download/4/9/e/49e943a6-060b-4a1b-89eb-3962b748d200/Deployment_Cookbook.Host_Clustering_FINAL.doc

Application Isolation and Operation in BO Using VS
This cookbook will provide procedural, step-by-step guidance to an IT Generalist audience for isolating and operating applications on separate virtual machines in branch offices using Microsoft Virtual Server 2005 R2 SP1, in an Intel-based hardware environment for regulatory compliance and improved legacy workload performance.
http://download.microsoft.com/download/4/d/b/4db13d05-f000-46c9-9767-5d07b3ad8609/Deployment_Cookbook.VS_branch_office_FINAL.doc
We finally managed to get the last of the Virtual Server SP1 cookbooks live. Take a look - there are excellent step-by-step details on Virtual Server + Data Protection Manager + System Center Virtual Machine Manager, Quick Migration, and Terminal Server virtualization.
Data Protection Manager (hereafter DPM) is an awesome addition to the System Center suite of management products. While DPM 2006 worked well for backing up file servers, DPM 2007 now handles:
I am by no means a marketing person, so I'll try to stay away from bulleted lists, but for more information you are going to want to hit up:
If you want to follow along, I will be installing the 120-day evaluation version of DPM 2007. In future posts, I will show how to back up SQL Server, Exchange, and SharePoint. When you extract the eval version, make sure you extract to a folder, and not to your desktop. It unpacks a ton of files and folders, and you will rapidly fill up your desktop :)
Starting the installer brings up an easy-to-follow wizard, and the first step is the Prerequisites check. There is nothing worse than getting halfway through an install and then finding out that you were supposed to already have something (like SQL Server or PowerShell) preinstalled.
You can end up with either a green check (indicating you meet the requirement), a yellow warning (indicating that you should fix something), or a red x (which hard blocks installation until you have solved the problem). In my case, I am missing a required hotfix (relating to the VSS Writer), have some sort of problem with Active Directory, and do not have the recommended amount of memory. I'm okay with the last one (this is a Virtual PC image in a test environment), but the "next" button will remain grayed out until I resolve the other two issues.
After installing the hotfix (and changing the IP settings of my DPM server so that they actually reflect the subnet of my test domain) and rebooting, I am back in business. I happen to have been running DPM Beta 2 on this server earlier, so the other prerequisites had already been installed. You will need to make sure you have IIS, SQL Server, Single Instance Store, and PowerShell loaded. Complete prerequisites can be found here: http://technet.microsoft.com/en-us/library/bb808800.aspx
Next comes the SQL Location. I am going to use the default MS$DPM2007EVAL$ instance on the local machine, but you can use a different local or remote instance if you would like. The version of SQL Server that comes with DPM is only licensed to be used with DPM. Don't go off and use it to host the backend for www.contoso.com ;)
If you are using a remote instance, it can NOT reside on a Domain Controller. You aren't combining your SQL Servers and Domain Controllers, are you? Next come the accounts that will be used to run the SQL Server instance used by DPM, and to generate reports. You'll want to choose something other than "password123" here.
You can decide whether or not to enable Microsoft Update on the next screen, and then comes the "Customer feedback option". I would STRONGLY recommend selecting "Yes, I want to participate anonymously in this program". Microsoft really does aggregate any crash reports, usage patterns, hardware/software configurations and uses that data to improve the next version. All those security and reliability updates that recently came out for Vista? That was all based off of information received from the Customer Experience Improvement Program...
You can go grab some coffee now... install takes a while (especially if you do not have the prerequisites already loaded)
After a reboot, we should be all set to go! Let's add some disks to the storage pool. With DPM 2006, any disks you added would be formatted as dynamic disks and added to the storage pool. With DPM 2007, only unallocated space is formatted and added. Make sure to delete any existing volumes before adding a disk to the pool. Also, I have heard people ask if protected servers (SQL, Exchange, File Share, etc.) must have their drives formatted as dynamic disks in order to be protected. The answer is NO! DPM just uses dynamic disks for its own storage pool.
To add a disk to the storage pool
1. In DPM Administrator Console, click Management on the navigation bar, and then click the Disks tab.
2. In the Actions pane, click Add.
The Add Disks to Storage Pool dialog box appears. The Available Disks pane lists the disks that are available to add to the storage pool.
3. Select the first available disk, and then click Add.
The disk appears in the Selected disks pane.
4. Click OK.
The disk is added to the storage pool.
Now that you have disks in your storage pool, you are ready to start protecting your servers. I will follow up with posts showing how to protect Exchange, File Shares, SQL Server, and SharePoint.
Back in March, I wrote about one of the important new features in Windows Server 2008, the Fine-grained password policy (also a great post for learning more about passwords in general). In any case, there has been an increase in available documentation and tools relating to FGPP (I don't know if that's a real acronym, I just wanted to save myself some typing ;)
Some Microsoft MVPs have also created some nice GUI tools to configure Fine Grained Password Policies:
As I am busy procrastinating (and avoiding work on a presentation I need to give on Monday), I thought I would walk through the official Microsoft way of creating the password policies. In case you have installed the Release Candidate of Windows Server 2008 and plan on following along, you will want to make sure that you are running at the 2008 functional level, and that you have the Active Directory Domain Services role loaded.
Let's go...
Here you can see your default domain-wide password policy.
Now let's create a custom password policy that can be assigned directly to a user or group. We're going to be using adsiedit, so prepare to roll your sleeves up! Close out of all open windows, and:
1. Start --> Run --> adsiedit.msc
2. Right-click on ADSIEdit, connect to:
3. Hit Ok.
4. Expand to Default naming context\DC=yourdomain,DC=com\CN=System\CN=Password Settings Container\
5. Right-click Password Settings Container and click New – Object.
6. Select msDS-PasswordSettings, click Next.
7. Value: SeansPasswordSettings, click Next (or whatever you want to name your Password Settings Object (PSO)).
The next set of options are all EXTREMELY cryptic. I will put a brief explanation next to each, but if you are doing this in real life, you will want to consult the settings reference on step 1 of the Step-by-Step Guide.
8. Under msDS-PasswordSettingsPrecedence set the value of 10, click Next. (This value needs to be a number larger than zero. If multiple PSOs apply to the same user, the PSO with the lowest precedence value wins.)
9. Fill in the following attributes for password settings:
· msDS-PasswordReversibleEncryptionEnabled (self explanatory) Value = False
· msDS-PasswordHistoryLength (Also self explanatory... you can keep up to 1024) Value = 15 (domain default: 24)
· msDS-PasswordComplexityEnabled (Upper, lower, number, blah blah blah) Value = True
· msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords) Value = 12 (domain default (chars): 7)
Now we get into crazy land. MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration must all be entered in I8 format.
To quote from TechNet:
When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.
You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.

Time unit      Multiplication factor
m (minutes)    -60*(10^7) = -600000000
h (hours)      -60*60*(10^7) = -36000000000
d (days)       -24*60*60*(10^7) = -864000000000
For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).
· msDS-MinimumPasswordAge Value = -864000000000 (Nine zeroes) (domain default: 1 day = -864000000000)
· msDS-MaximumPasswordAge Value = -36288000000000 (Nine zeroes) (domain default: 42 days = -36288000000000)
10. Fill in the following attributes for account lockout settings:
· msDS-LockoutThreshold
Value = 0 (domain default: 0 = don't lock out accounts after invalid passwords)
· msDS-LockoutObservationWindow
Value = -18000000000 (Nine zeroes) (domain default: 6 min = -18000000000)
· msDS-LockoutDuration
11. Click Finished.
If you get an error message about improper values, you probably forgot to add a "-" before some of the numbers listed above. Don't feel bad if you did, I manage to do it every time I run through this :) If you did everything right, it should look something like this:
Go ahead and hit "OK" and then close out of all open windows. Now that you have created a password policy, we need to apply it to a user/group. In order to do so, you must have "write" permissions on the PSO object. We're doing this in a lab, so I'm Domain Admin. Write permissions are not a problem :)
7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.
Voila! Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them. No longer do you have to have separate domains for your developers and standard users. Good times :)
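The same PSO, built the ldifde way as an added example (this is not code from the original post): the time attributes are converted from the d:hh:mm:ss form ADSI Edit accepts to the negative I8 values ldifde needs, so the "-" from the error above can't be forgotten, and the msDS-PSOAppliesTo DN is written in the same file. The domain DN, the group DN and the lockout duration are constructed placeholders; the remaining values are the ones used in this walkthrough.

```powershell
# Added example, not part of the original post. Emits an LDIF fragment
# for a PSO with this walkthrough's values; the DNs and the lockout
# duration are constructed placeholders, replace them for your domain.

function ConvertTo-PsoI8 {
    # Takes a [TimeSpan] or a "d:hh:mm:ss" string (the ADSI Edit format)
    # and returns the I8 value ldifde expects (negative 100 ns intervals).
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [TimeSpan]) {
        $ts = $Value
    } else {
        $p = $Value -split ':'
        if ($p.Count -ne 4) { throw "Expected d:hh:mm:ss, got '$Value'" }
        $ts = New-TimeSpan -Days $p[0] -Hours $p[1] -Minutes $p[2] -Seconds $p[3]
    }
    if ($ts -le [TimeSpan]::Zero) { throw "Interval must be positive: $Value" }
    # TimeSpan.Ticks already counts 100 ns units; AD stores the negated count.
    return -1L * $ts.Ticks
}

function New-PsoLdif {
    param(
        [string]$Name, [string]$DomainDn, [int]$Precedence,
        [int]$HistoryLength, [bool]$Complexity, [int]$MinLength,
        [string]$MinAge, [string]$MaxAge, [int]$LockoutThreshold,
        [string]$LockoutWindow, [string]$LockoutDuration, [string[]]$AppliesTo
    )
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn"
        "changetype: add"
        "objectClass: msDS-PasswordSettings"
        "msDS-PasswordSettingsPrecedence: $Precedence"
        "msDS-PasswordReversibleEncryptionEnabled: FALSE"
        "msDS-PasswordHistoryLength: $HistoryLength"
        "msDS-PasswordComplexityEnabled: $($Complexity.ToString().ToUpper())"
        "msDS-MinimumPasswordLength: $MinLength"
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoI8 $MinAge)"
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoI8 $MaxAge)"
        "msDS-LockoutThreshold: $LockoutThreshold"
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoI8 $LockoutWindow)"
        "msDS-LockoutDuration: $(ConvertTo-PsoI8 $LockoutDuration)"
    )
    # One msDS-PSOAppliesTo line per user or global security group DN.
    foreach ($dn in $AppliesTo) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n")
}

# Walkthrough values: precedence 10, history 15, complexity on, 12 chars,
# min age 1 day, max age 42 days, observation window 30 min (-18000000000
# in the TechNet example above). Lockout duration is a placeholder.
$ldif = New-PsoLdif -Name 'SeansPasswordSettings' -DomainDn 'DC=yourdomain,DC=com' `
    -Precedence 10 -HistoryLength 15 -Complexity $true -MinLength 12 `
    -MinAge '1:00:00:00' -MaxAge '42:00:00:00' -LockoutThreshold 0 `
    -LockoutWindow '0:00:30:00' -LockoutDuration '0:00:30:00' `
    -AppliesTo 'CN=Developers,CN=Users,DC=yourdomain,DC=com'
Set-Content -Path .\pso.ldf -Value $ldif -Encoding ASCII
# Import with: ldifde -i -f pso.ldf  (needs write access to the PSO container)
```

Run ldifde from an account that can write to the Password Settings Container, and read the object back in ADSI Edit to confirm the four time attributes show the expected d:hh:mm:ss values.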
Well, not open source per se, but courtesy of Scott Guthrie's Blog:
One of the things my team has been working to enable has been the ability for .NET developers to download and browse the source code of the .NET Framework libraries, and to easily enable debugging support in them.
Today I'm excited to announce that we'll be providing this with the .NET 3.5 and VS 2008 release later this year.
We'll begin by offering the source code (with source file comments included) for the .NET Base Class Libraries (System, System.IO, System.Collections, System.Configuration, System.Threading, System.Net, System.Security, System.Runtime, System.Text, etc), ASP.NET (System.Web), Windows Forms (System.Windows.Forms), ADO.NET (System.Data), XML (System.Xml), and WPF (System.Windows). We'll then be adding more libraries in the months ahead (including WCF, Workflow, and LINQ). The source code will be released under the Microsoft Reference License (MS-RL).
You'll be able to download the .NET Framework source libraries via a standalone install (allowing you to use any text editor to browse it locally). We will also provide integrated debugging support of it within VS 2008.
More information (including screenshots) after the jump.
Well, today is my 1 year anniversary as a Full Time Employee (FTE) at Microsoft, which also happens to be the Indian holiday of Gandhi Jayanti (commemorating the birth of Mahatma Gandhi), and is the International Day of Non-Violence. In other words, it's a good day :)
Scott Hanselman has a great write-up of his first few weeks at Microsoft, and his impressions complement mine (I had a bit longer to drink the kool-aid). Scott mentions "emptying the ocean with a teaspoon", and I have heard of drinking from a firehose, but the concept is the same. When you are changing the world, there is significantly more in the "to do" pile than there are hours in the day. I wouldn't have it any other way ;)
So what have I done in the last year? In no particular order:
All-in-all, it was a very good year, and I love working for Microsoft even more than I did a year ago. Here's to the next one!
I see that we released the Microsoft Active Directory Topology Diagrammer today. I'm working from home today, so I can't run it in AD and attach a screenshot, but this should be helpful for documenting your AD infrastructure. According to the product description:
The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration using ActiveX Data Objects (ADO), and then automatically generates a Visio diagram of your Active Directory and/or your Exchange 200x Server topology. The diagrams include domains, sites, servers, administrative groups, routing groups and connectors and can be changed manually in Visio if needed.
With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX® Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Office Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization. With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together and arranged in a reasonable layout, so that you can later work interactively with the objects in Microsoft Office Visio.
This feature used to exist in Visio many years ago, so I'm glad it's available again (even if not built directly into Visio). Actually, I see that this is version 2.0.2745. Maybe it previously existed and I just didn't know about it. Hmmm... Try it out and let me know how well it works!
*Update: Björn has posted some screenshots on his blog.