Asked today at work: “What qualities would make you an exceptional leader and role model for your employees?”
My answer: Transparency
Wikipedia says: Transparency, as used in the humanities, implies openness, communication, and accountability. It is a metaphorical extension of the meaning used in the physical sciences: a "transparent" object is one that can be seen through.
Two years ago, this meant "thou shalt blog." Although blogging is a good first step, it is not sufficient. It does help you "get" transparency - blogs are useless if not regularly updated. The daily pressure to find something others will find interesting puts your daily focus where it should be - on customers' and employees' needs.
Engaging "shoulder to shoulder" with customers and employees in their community (wherever that is) will encourage and engender transparency.
Are you a role model of transparency?
Have a different answer to the question? Leave feedback.
Video presos on Hyper-V From TechEd 2008 are now posted on TechNet, check these out:
Hyper-V Architecture, Scenarios and Networking, Jeff Woolsey, Mike Sterling
Deploying Windows Server 2008 Hyper V and System Center Virtual Machine Manager 2008 Best Practices Edwin Yeun, Alan Stewart
Virtualization and Security: What Does it Mean For Me? Steve Riley
Microsoft System Center Virtual Machine Manager 2008: Overview, Edwin Yeun
Windows, PowerShell, and Windows Management Instrumentation: Unveiling Microsoft's Best Kept Secret, Ben Pearce
Virtualization and your Infrastructure, John Weston
Securing your IT Infrastructure with Windows Server 2008, John Weston
The Hyper-V Planning and Deployment Guide is live in the download center today.
30 pages, covers:
TechNet Edge has posted a series of videos with the Hyper-V PMs, and various other folks involved in virtualization, such as Managing Hyper-V with PowerShell.
How Microsoft IT does server Virtualization and Hyper-V
Hyper-V Part 1 - Architecture - Interview with PMs
Hyper-V Part 2 - VM Snapshots - Interviews with PMs
Hyper-V Part 3 - TAP and VSS Snapshots - Interview with PMs
Hyper-V Part 4 - Disks and iSCSI - Interview with PMs
Hyper-V Part 5 - High Availability - Interview with PMs
Windows Server 2008 Virtualization Bryon Surace in the Fish Bowl
Interview with Windows Server 2008 Virtualization program managers
System Center Virtual Machine Manager
Hyper-V PowerShell Management tools
James O'Neill's blog Power Gadgets PowerShell scriptomatic
WMI Code Creator v1.0
Joeelway's blog links to a handy Hyper-V RAM Calculator you can use to plan your Hyper-V deployment. Easy to use:
You can download a free third-party tool to help you identify if your server hardware supports the required features for Hyper-V and BitLocker:
If your processor is Intel, you can use their free Intel Processor Finder tool. Read more about it on their forum: http://communities.intel.com/openport/message/4575
SecurAble probes the system's processor to determine the presence, absence and operational status of three modern processor features:
This Windows Server Catalog site shows what servers are certified for Hyper-V and Windows Server.
If you need to produce diagrams as part of your Hyper-V deployment planning, you can download Hyper-V stencils for Visio and use them alongside the free Microsoft Office Visio 2007 Professional Add-In for Rack Server Virtualization (Virtual Rack). Installing this add-in adds a new template called "Rack Server Virtualization" under the "Connectors" Templates category. You can use this template without running the tool.
NOTE: this tool requires local admin privileges on every server you run it on, as well as:
1. .NET Framework 2.0
2. Microsoft Office Visio 2007
3. Microsoft VSTO 2005 SE Runtime
Running the inventory and analysis tool (if your datacenter allows it) gives you a visual picture of Power Drop and Rack space saved according to the target virtualization consolidation factor you entered (by default 3:1):
You can set the consolidation criteria based on several factors:
1. Power Rating: The server with higher Power Rating is considered to be a better candidate than server with lower Power Rating.
2. Rack Space Used: A Server that occupies more space is merged into the Server that occupies less space to minimize the space occupied by the Servers within a Rack.
3. CPU Utilization: A Server with lower CPU Utilization is merged into the Server with higher CPU Utilization.
4. Physical Memory: Server with lower Physical Memory will be merged into the Server with higher Physical Memory.
It gets a bit confusing if you want to improve the security of your Windows Server 2008 virtualization server and the VMs on it by running BitLocker Drive Encryption. Windows BitLocker Drive Encryption is a feature that encrypts one or more volumes (drives) attached to your computer and that can use a Trusted Platform Module (TPM) to verify the integrity of early startup components. Because BitLocker encrypts the entire volume of data, it requires the computer to be configured with an active partition, used for startup, which is separate from the operating system volume.
If you didn't set up BitLocker when you set up the machine, before you started running VMs, you'll need to download the BitLocker Drive Preparation Tool and run it to configure BitLocker. If you read KB930063, "Description of the BitLocker Drive Preparation Tool," you can learn a lot about the tool, including that you'll need to verify that you have the hardware support (TPM) to make it work, but not where to download it! The Windows Server 2008 Hyper-V and BitLocker Drive Encryption white paper also says "Obtain the BitLocker Drive Preparation Tool and install it."
After you get the drive prepared, and start the tool (Start>All Programs>Accessories>System Tools>BitLocker>BitLocker Drive Preparation Tool - easy, right?) you can click the "What should I know about BitLocker Drive Encryption before I turn it on?" help link to learn: "During computer startup, if BitLocker detects a system condition that could represent a security risk (for example, disk errors, a change to the BIOS, or changes to any startup files), it will lock the drive and require a special BitLocker recovery password to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files." A little farther on, a warning states "BitLocker Drive Encryption reduces disk throughput. It should be used on high performance servers only if the computer is not in a physically secure location."
Best to first read the Windows BitLocker Drive Encryption Design and Deployment Guides that describe the various aspects of planning for deploying Windows BitLocker Drive Encryption. The document is organized in two guides, and you should carefully consider each guide before you deploy BitLocker Drive Encryption. If your virtualization server is encrypted, and you don't have the recovery credentials, all your VMs are offline till you do. Ponder that before you enable BL. You can read more here about the BitLocker Drive Encryption Algorithm.
If you do get into trouble with a domain-joined machine, you'll need the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
Hope you never need the BitLocker Repair Tool: This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:
Installing Hyper-V on a Server Core installation of Windows Server 2008 makes sense from both a supportability and a security perspective. It can be a challenge, so here are some procedures, tips and resources to help you.
You can use unattended setup to configure a server running a Server Core installation and Hyper-V. For more information about unattended setup settings, see the Windows Automated Installation Kit (AIK). You can find more information and a sample unattend.xml file in the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
NOTE: There is no way to upgrade from a full installation of Windows Server 2008 or a previous version of Windows Server to a Server Core installation. Only a clean installation is supported. There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, you should install a full installation of Windows Server 2008.
If you close all local command prompts while installing the Hyper-V role, you will have no way to manage the Server Core installation. If this happens, press CTRL+ALT+DELETE, click Start Task Manager, click File, click Run, and type cmd.exe. Alternatively, you can log off and log on again.
You must perform a Server Core installation before you install the Hyper-V role. For instructions, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide, and complete the following tasks:
You cannot activate a Server Core installation through a firewall that requires users to log on because there is no Web browser on a Server Core installation. Instead, you can activate by phone, using a Key Management Service (KMS) server, or remotely by typing the following command at a command prompt of a computer that is running Windows Vista or Windows Server 2008:
cscript %windir%\system32\slmgr.vbs <ServerName> <UserName> <password> -ato
If you are going to join a server running a Server Core installation to an existing Windows domain, you need a user name and password for an account that has the administrative credentials to join a computer to the domain.
After you have installed Windows Server 2008, you must apply the Hyper-V update packages for Windows Server 2008 (KB950050). NOTE: Once you install these server updates, you will not be able to remove them. You should also apply any other required updates before you install the Hyper-V role.
To view the list of software updates and see if any are missing, at the command prompt, type:
wmic qfe list
If you do not see “kbid=950050”, download the Hyper-V updates and then type the following command at a command prompt:
wusa.exe Windows6.0-KB950050-x64.msu /quiet
There are three update packages. The Update for Windows Server 2008 x64 editions (KB 950050), and Language pack for Hyper-V (KB951636) must be installed on the parent partition of the Server Core installation. After you install the server update you must restart the server.
The Update for Windows Server 2008 (KB952627) is for remote management of the Server Core installation if you are managing the server from a computer running Windows Vista Service Pack 1 (SP1), and must be installed on the computer running Windows Vista SP1.
Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and data execution prevention BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation.
After you make the BIOS configuration changes to enable the required hardware features, you must complete a full power-cycle before proceeding. If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor may not work as expected. If this happens, check the event log for details, modify the BIOS settings according to the server hardware manufacturer instructions, complete a full power-cycle to restart the Server Core installation, and then install Hyper-V again.
To check if your server hardware is compatible, see http://windowsservercatalog.com/. Click on the list of Certified Servers, and then click By additional qualifications – Hyper-V. For instructions about how to enable the BIOS settings, check with your hardware manufacturer.
The syntax for Ocsetup.exe is case sensitive. To install the Hyper-V role, at a command prompt, type:
start /w ocsetup Microsoft-Hyper-V
Rename the server, if required. If your computer is joined to a domain, at a command prompt, type:
netdom renamecomputer %computername% /NewName:<newname> /UserD:<domainusername> /PasswordD:*
If your computer is not joined to a domain, at a command prompt, type:
netdom renamecomputer %computername% /NewName:<newname>
You must supply a value for placeholder text in angle brackets (<>)—do not type the brackets.
Enable Remote Desktop for Administration if you want to manage the server running a Server Core installation remotely. At a command prompt, type:
cscript c:\windows\system32\scregedit.wsf /ar 0
If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, at a command prompt, type:
cscript C:\Windows\System32\Scregedit.wsf /cs 0
Add a user or group to the local Administrators group so that they can manage the Server Core installation remotely. To add a user to the local Administrators group, you must first add the user. At a command prompt type:
net user <username> * /add
To add a user to the local Administrators group, at a command prompt, type:
net localgroup administrators /add <user>
You cannot perform all management and configuration tasks at a command prompt or remotely through an MMC snap-in. A server that is running a Server Core installation does not generate any notifications for activation, new updates, or password expiration because these notifications require the Windows Explorer shell, which is not part of the Server Core installation. You can use the Scregedit.wsf script included with the Server Core installation to configure the following settings:
The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for these options:
cscript scregedit.wsf /?
You can use this command with the /cli option to display a list of common command-line tools and their usage. To view your current Remote Desktop for Administration Settings, use the /v option. A "1" in the script output (without the quotes) means that remote connections are denied. A "0" means that remote connections are allowed.
If you wish to improve security by using BitLocker Drive Encryption to protect the server and the VMs running on it, you should install the BitLocker feature before running any VMs. To install the BitLocker feature, at a command prompt type:
start /w ocsetup BitLocker
The BitLocker Drive Encryption feature requires additional hardware and BIOS configuration. For more information about using BitLocker with Hyper-V see Windows Server 2008 Hyper-V and BitLocker Drive Encryption.
Reboot the server to make the changes take effect. At a command prompt type:
shutdown /r /t 0
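The update, role, and feature steps above can be staged in one batch file that is safe to run repeatedly. This is an added example, not part of the original guide; it assumes the KB950050 .msu package has been copied into the same folder as the script, and it uses the ocsetup and wusa /norestart switches so that a single restart can be done at the end of each stage.

```batch
@echo off
rem Added example (not from the original guide): staged Hyper-V setup on Server Core.
rem Run once to install KB950050, restart, then run again to add the role and feature.
rem Assumption: Windows6.0-KB950050-x64.msu sits in the same folder as this script.
setlocal
set "MSU=%~dp0Windows6.0-KB950050-x64.msu"

rem Stage 1: the Hyper-V update must be present before the role is installed.
rem Searching for the bare number matches both "KB950050" and "kbid=950050".
wmic qfe list | findstr /c:"950050" >nul
if not errorlevel 1 goto :roles

echo KB950050 is missing.
if not exist "%MSU%" (
    echo Copy Windows6.0-KB950050-x64.msu next to this script and run it again.
    exit /b 2
)
start /w wusa.exe "%MSU%" /quiet /norestart
echo Update installed. Restart with "shutdown /r /t 0", then run this script again.
exit /b 0

:roles
rem Stage 2: Server Core does not verify the BIOS settings before enabling the role,
rem so ask for confirmation rather than install a hypervisor that cannot start.
set "BIOSOK="
set /p BIOSOK=Hardware virtualization and DEP enabled in BIOS, then power-cycled? [y/N] 
if /i not "%BIOSOK%"=="y" (
    echo Enable both settings, power-cycle the server, then run this script again.
    exit /b 3
)

rem Component names passed to ocsetup are case sensitive.
start /w ocsetup Microsoft-Hyper-V /norestart
rem Install BitLocker before any VM exists so volumes can be encrypted first.
start /w ocsetup BitLocker /norestart

rem Allow Remote Desktop for Administration, then display the stored value
rem (0 = remote connections allowed, 1 = denied).
cscript //nologo %windir%\system32\scregedit.wsf /ar 0
cscript //nologo %windir%\system32\scregedit.wsf /ar /v

echo Restart with "shutdown /r /t 0" to finish.
endlocal
```

Renaming the server, joining the domain, and adding administrators are left out because they prompt for credentials and are better done by hand.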
The remote management tools are designed to manage one server running the Hyper-V role and the virtual machines on that server. To manage multiple servers running Hyper-V you can use System Center Virtual Machine Manager (SCVMM).
You can use the Manage-bde.wsf script to encrypt data volumes. To view more detailed Help for this script, type the following command:
cscript.exe %windir%\system32\manage-bde.wsf -h
If your server is domain-joined, implement the guidelines in Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information, so that BitLocker recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created or changed.
You can manage your Hyper-V server and the VMs running on it from a Vista SP1 machine. To manage multiple machines, use System Center Virtual Machine Manager (SCVMM).
Download the Windows Vista x64 Edition (KB949587) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=C420D8A3-F0A7-415A-B748-3726D66BF0C3)
After you have downloaded the package, you will need to modify the Start menu to find the tools (Administrative Tools>Hyper-V Manager).
To start the Hyper-V Manager, click Start>Administrative Tools>Hyper-V Manager.
For more information about SCVMM see the System Center Virtual Machine Manager TechCenter.
It is a security best practice recommendation to ensure that all your VMs are fully patched before they are turned on in production.
One way you can do this is to create a designated "maintenance host" that is off the production network, but has access to the needed software updates. Migrate your VMs to the maintenance host, turn them on, patch them up, then migrate them to production. Virtual Machine Manager makes this easy.
Another way to accomplish this is to patch all your offline or stored VMs at the same time as you patch all your running machines. You can use the free Offline Virtual Machine Servicing Tool for this.
Download the Offline Virtual Machine Servicing Tool, which combines the Windows Workflow programming model with the Windows PowerShell interface to bring groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library.
The download includes:
Windows Server 2008 Hyper-V and BitLocker Drive Encryption was recently published to the download center, but some folks are having trouble accessing it (it seems there is a lot of interest in all things Hyper-V). Here are the procedures in the doc to tide you over till your download comes through:
For more information on how to partition a hard disk drive for BitLocker Drive Encryption, see http://technet2.microsoft.com/WindowsServer2008/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx#BKMK_S1. NOTE: BitLocker requires that your TPM module is enabled and working. See Windows Trusted Platform Module Management Step-by-Step Guide.
Install Windows Server 2008.
Install the Hyper-V role and the BitLocker feature.
NOTE: After reboot, log on and Server Manager will be automatically started to complete the BitLocker Drive Encryption installation.
Now you must configure the system volume for BitLocker before turning on the installed BitLocker Drive Encryption from Control Panel.
Download and read detailed information and instructions for the BitLocker Drive Preparation Tool at: http://support.microsoft.com/default.aspx/kb/930063.
Download and install the installation kit from the Microsoft download center at: http://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&DisplayLang=en
Note: After reboot, the system volume (drive S) and the operating system volume (drive C) are separate, as shown in the following screenshot.
Turn on BitLocker and encrypt the operating system and data volumes.
NOTE: If you have many data volumes to encrypt, consider using the manage-bde.wsf script. The manage-bde.wsf syntax is included in the "Windows BitLocker Drive Encryption Design Guide" and the "Windows BitLocker Deployment Guide," which are available from the Microsoft Download Center at go.microsoft.com/fwlink/?LinkId=115215.
For example, to mark data volume P: so that it must be manually unlocked, use the following command:
manage-bde.wsf -autounlock -disable P:
To turn autounlock back on for P:, use:
manage-bde.wsf -autounlock -enable P:
To view more detailed Help for this script, type the following command:
cscript.exe %windir%\system32\manage-bde.wsf -h
Create new virtual machines.