We are currently planning the next set of IT Pro Camps and are looking for your input.
What cities would you like to see the camps run in. We’ve posted the poll on our Facebook Page.
Get your voice heard and vote now!
I’m excited to announce the most recent free e-book offered by Microsoft Press. Introducing Windows Server 2012, by Mitch Tulloch, is now ready for free download! Please see the links below to download one or all of the available formats.
PDF: Introducing Windows Server 2012 PDF ebook
EPUB: Introducing Windows Server 2012 EPUB ebook
MOBI: Introducing Windows Server 2012 MOBI ebook
If you prefer a hard copy of the book, you can order it here for $14.99.
Introducing Windows Server 2012 is 256 pages and includes 5 chapters loaded with insider information from the Windows Server Team.
Chapter 1: The business need for Windows Server 2012 – The rationale behind cloud computing; Making the transition; Technical requirements for successful cloud computing; Four ways Windows Server 2012 delivers value for cloud computing
Chapter 2: Foundation for building your private cloud – A complete virtualization platform; Increase scalability and performance; Business continuity for virtualized workloads
Chapter 3: Highly available, easy-to-manage multi-server platform – Continuous availability; Cost efficiency; Management efficiency
Chapter 4: Deploy web applications on premises and in the cloud – Scalable and elastic web platform; Support for open standards
Chapter 5: Enabling the modern workstyle – Access virtually anywhere, from any device; Full Windows experience; Enhanced security and compliance
To read more about the latest news on Windows Server 2012 and to download the release candidate, go here.
In case you weren’t following yesterday’s Worldwide Partner Conference announcements over in Toronto, here’s what was announced.
Windows 8 and Windows Server 2012 will be released to manufacturing (RTM) during the first week of August. This will be made available to hardware partners at this time. General availability (GA) will be by the end of October.
If you would like more information on this please take a look on the Windows Team Blog where they share the announcement.
Need to find out more about Windows Server 2012? You can read all about it here.
Need Windows Server 2012 RC Resources? You can get all you need from here.
Need Help? Windows Server 2012 RC Forum is here, or prefer Social Media? Join Windows Server Facebook Group here.
Need to learn more about Windows Server 2012? You can register for the free MVA (Microsoft Virtual Academy) here for online learning courses.
* Did you know that you can try Windows Server 2012 on Windows 8 via virtualization? Windows 8 now comes with Hyper-V, which originally shipped with Windows Server 2008 (reference). Windows 8 uses the same new Hyper-V 3.0 that is found in Windows Server 2012. The latest version of Windows 8 is RP (Release Preview = RC), but even the earlier version, Windows 8 CP (Consumer Preview = Beta), also came with Hyper-V version 3.0. Need more information about Hyper-V on Windows 8? You can find it here. You can get the Windows 8 RP ISO (x86 or x64) from here.
Need Help? Windows 8 Forum is here.
As you know, System Center 2012 has been available for a few months now. As always, Microsoft partners are crucial to the success of our solutions, and Veeam Software is one of those important partners.
Veeam is an ISV specialising in virtualization management and backup. In particular, Veeam Management Pack (MP) enables SCOM users to monitor their VMware hardware infrastructure directly from System Center.
If System Center is your management platform of choice, then you’ll be able to monitor ALL your infrastructures (physical and virtual – Hyper-V and VMware) and manage your alerts from a single tool, with no need to multiply your management systems. You’ll make one more step toward ending the complexity of heterogeneous environments. As part of the System Center 2012 Launch, Veeam now offers 10 free perpetual licenses of the Veeam Management Pack to any System Center 2012 customer.
Got System Center? Got VMware? Just ask for your free Veeam MP licenses now and link them together!
For more information, please visit: http://www.veeam.com/sc2012. If you have any questions, please speak to Nicolas Savides (nicolas.savides@veeam.com) and Julie Caulfield (julie.caulfield@veeam.com).
When we were at TechEd Europe we were looking for those things that some of you may have missed and the things that were a bit out of the ordinary.
We managed to persuade one of the Office 365 team to take us on a virtual tour of their data centre, which they had in Lego format at the event. This is probably as close to a real tour of a Microsoft data centre as you can get, as cameras are not allowed inside the real ones!
Find out more about Office 365 and try out the new Office release.
Colin Chaplin is a freelance IT Consultant specializing in IT transformation projects involving Microsoft software, and a very occasional blogger (http://colinchaplin.wordpress.com/). If you cut him in half, it would probably say 'infrastructure'.
Microsoft do a pretty good job of getting knowledge ‘out there’ to us techs: there’s formal documentation, blogs direct from the people that put it together and quick-start documentation, in just about any format you want. Best of all, it’s not hidden away behind a support contract login; it’s one search away.
So, if you’re planning an Exchange 2010 migration, you’re probably familiar with the term ‘you had me at ehlo’ and various books with a blue/black cover.
But there’s no substitute for experience, and although no two migrations are ever the same, here’s my top list of my ‘surprises’ from an email migration running into the tens of thousands of mailboxes. You may never encounter them, nor may I again, but maybe, just maybe it’ll save you a 1AM conference call…
1) You really, really need to understand your user profile
Don’t rely on the Microsoft defaults provided with the Calculator. You have, I assume, an Exchange environment already, and one that you can go out there and measure. Once you have these stats, you might find that the idea of hosting 20,000 mailboxes on the old P3 laptop you’ve found in the corner of the office isn’t going to fly. Or, more likely, you will find that your initially generous assumptions about deleted item retention and mailbox recovery might need to be trimmed a bit, and log file disks and required IOPS bumped a little. Or a lot.
2) Firewalls need love, too.
Traditionally, a firewall would be put between the bad guys on the internet and the internal network, and perhaps some partner organisations. However, in a diverse network arrangement it’s quite common for there to be a firewall between your internal client machines and your CAS servers. Your firewall guys will be wise to the fact that a ‘traditional’ Outlook client connection uses MAPI based on RPC, which uses TCP/135 and high ports. So, bang the protocols and destination IP addresses in the firewall, and away we go?!
Not so.
Modern firewalls can determine exactly what the nature of the RPC traffic is and allow or deny access based on the specific protocol. So they can allow Outlook MAPI traffic, but deny the pointing of compmgmt.msc at your CAS machines. This is done by specifying the UUID of the MAPI communication protocol.
When your client machine initially connects on port 135 there’s a conversation with the server about the universally unique identifier (UUID) your client is looking for. The firewall, being piggy-in-the-middle, sees this communication and then allows the ongoing communication based not only on ‘liking’ the UUID but also on the destination and ports discussed in the connection with the RPC server.
Firewalls, being things that like order and predictability, will then seek to statefully inspect these communications and make sure everything is just so.
And herein lies some fun.
Your firewall might boast big numbers like “10GBit throughput”, but that’s only half the story. Doing the analysis described above is expensive in terms of firewall resources, and you may find you quickly run out of CPU capacity and that the default state table sizes aren’t big enough. And whilst we’re here, you might find that one packet in a million isn’t liked by the stateful inspection on the firewall.
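To make the firewall behaviour above concrete, here is an added example (not code from the original post or from any firewall vendor) of the first thing an application-aware firewall has to do on a MAPI session: parse the DCE/RPC bind PDU the client sends after connecting to TCP/135, pull out the interface UUID it asks for, and compare it with an allowlist. The PDU builder only exists so the parser can be exercised offline on constructed bytes. Assumptions: little-endian NDR, one presentation context per bind, and the EMSMDB (MAPI store) and svcctl interface UUIDs as published in Microsoft’s protocol documentation; confirm the values with your vendor before building policy on them.

```powershell
# Added example, not from the original post: parse a DCE/RPC bind PDU and apply a UUID allowlist.
$NdrTransferSyntax = [guid]'8a885d04-1ceb-11c9-9fe8-08002b104860'   # standard NDR 2.0 transfer syntax

# Interfaces the policy allows. Only EMSMDB (the MAPI store interface) is listed; a real Outlook
# session also binds the address book and referral interfaces, which need their own entries.
$AllowedInterfaces = @{
    'a4f1db00-ca47-1067-b31f-00dd010662da' = 'Exchange EMSMDB (Outlook MAPI)'
}

function New-RpcBindPdu {
    # Builds a constructed bind PDU for one interface so the parser can be tested without a capture.
    param([guid]$Interface, [uint16]$Major, [uint16]$Minor)
    $body = [System.Collections.Generic.List[byte]]::new()
    $body.AddRange([byte[]](0xd0, 0x16, 0xd0, 0x16))        # max_xmit_frag, max_recv_frag = 5840
    $body.AddRange([byte[]](0, 0, 0, 0))                     # assoc_group_id = 0 (new association)
    $body.AddRange([byte[]](1, 0, 0, 0))                     # one presentation context item + 3 pad bytes
    $body.AddRange([byte[]](0, 0, 1, 0))                     # context_id 0, one transfer syntax, pad
    $body.AddRange($Interface.ToByteArray())                 # abstract syntax UUID (Guid bytes are already NDR little-endian)
    $body.AddRange([BitConverter]::GetBytes($Major))
    $body.AddRange([BitConverter]::GetBytes($Minor))
    $body.AddRange($NdrTransferSyntax.ToByteArray())
    $body.AddRange([BitConverter]::GetBytes([uint32]2))      # transfer syntax version 2.0
    $pdu = [System.Collections.Generic.List[byte]]::new()
    $pdu.AddRange([byte[]](5, 0, 11, 3, 0x10, 0, 0, 0))      # rpc_vers 5.0, ptype 11 = bind, first|last, little-endian DREP
    $pdu.AddRange([BitConverter]::GetBytes([uint16](16 + $body.Count)))   # frag_length
    $pdu.AddRange([BitConverter]::GetBytes([uint16]0))       # auth_length
    $pdu.AddRange([BitConverter]::GetBytes([uint32]1))       # call_id
    $pdu.AddRange($body)
    return ,[byte[]]$pdu.ToArray()
}

function Get-RpcBindInterfaces {
    # Returns one object per presentation context: the interface UUID and version the client asked for.
    param([byte[]]$Pdu)
    if ($Pdu.Length -lt 28)                 { throw 'PDU shorter than a bind header' }
    if ($Pdu[0] -ne 5 -or $Pdu[2] -ne 11)   { throw 'Not a DCE/RPC v5 bind PDU' }
    if (($Pdu[4] -band 0xF0) -ne 0x10)      { throw 'Big-endian DREP is not handled by this example' }
    $fragLen = [BitConverter]::ToUInt16($Pdu, 8)
    if ($fragLen -ne $Pdu.Length)           { throw "frag_length $fragLen does not match $($Pdu.Length) bytes on the wire" }
    $numCtx = $Pdu[24]
    $offset = 28
    $contexts = for ($i = 0; $i -lt $numCtx; $i++) {
        if ($offset + 24 -gt $Pdu.Length) { throw 'Truncated presentation context item' }
        $numTransfer = $Pdu[$offset + 2]
        [pscustomobject]@{
            ContextId = [BitConverter]::ToUInt16($Pdu, $offset)
            Interface = [guid]::new([byte[]]$Pdu[($offset + 4)..($offset + 19)])
            Version   = '{0}.{1}' -f [BitConverter]::ToUInt16($Pdu, $offset + 20), [BitConverter]::ToUInt16($Pdu, $offset + 22)
        }
        $offset += 24 + 20 * $numTransfer    # skip the transfer syntax list that follows each context
    }
    return ,@($contexts)
}

function Test-RpcBindAllowed {
    # The policy decision made on the bind: every requested interface must be on the allowlist.
    param([byte[]]$Pdu)
    foreach ($ctx in Get-RpcBindInterfaces -Pdu $Pdu) {
        if (-not $AllowedInterfaces.ContainsKey($ctx.Interface.ToString())) { return $false }
    }
    return $true
}

# Constructed traffic: an Outlook-style EMSMDB bind (interface version 0.81) and a bind for the
# svcctl interface that remote service management tools use, which the policy should refuse.
$mapiBind  = New-RpcBindPdu -Interface 'a4f1db00-ca47-1067-b31f-00dd010662da' -Major 0 -Minor 81
$otherBind = New-RpcBindPdu -Interface '367abb81-9844-35f1-ad32-98f038001003' -Major 2 -Minor 0
Get-RpcBindInterfaces -Pdu $mapiBind | Format-Table
"MAPI bind allowed:   $(Test-RpcBindAllowed -Pdu $mapiBind)"
"svcctl bind allowed: $(Test-RpcBindAllowed -Pdu $otherBind)"
```

The parser checks the header fields a firewall would reject on (version, PDU type, byte order, fragment length) before trusting the context items, which is the kind of strictness behind the “one packet in a million” rejections mentioned above. The second half of what the text describes, learning the dynamic port from the endpoint mapper reply and tracking that flow statefully, is not modelled here; in a real product it is per-session state in exactly the table whose default size the text warns about.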
3) If you’re migrating from Exchange 2003, you’re really migrating to Exchange 2007 too
I don’t mean you’re doing some kind of painful two-step migration. Naturally, a lot of the literature about Exchange 2010 compares it to Exchange 2007.
That’s great if your source platform is Exchange 2007, but I bet many of you reading this are planning a migration away from Exchange 2003. During your preparations, you should read all the Exchange 2007 upgrade guidance too. Then you might figure things out like:
4) Storage also needs love
Now, you’re a switched-on chap/lady (you’ve read this far!) so you know that Exchange 2010 is putting to bed the notion that a big, expensive SAN is necessary, and that good old DAS is the way forward. That’s great, but it doesn’t always play well in large organisations who have certain ways of doing things and storage teams looking after spinning disk. Plus, with large re-seed times, it can sometimes make sense to avail yourself of the services of a SAN.
If your lovely Exchange 2010 databases with their low IO requirements are set to nestle on a SAN, don’t just assume that because you’re using an army of super-expensive disks, all will be well. These disks connect through a fabric and a storage controller, which all need to be up to the task of handling at least twice the load (or whatever your DR scenario requires).
Sometimes, the more things change, the more they stay the same. Jetstress is still a critical tool in your arsenal whilst testing your changed environment. Make sure you plan for it, and use it. It’s possibly a good idea at this moment to have a frank chat with your storage vendor about Jetstress and day-to-day Exchange load on a SAN, because you might find their interpretation of what’s required differs from what Microsoft’s calculator produces (which you feed in to Jetstress). Before you have that chat, have a look at the ESRP website, too. This provides paradigms of storage designs that are certified to work in particular use cases. Chances are it might not fit your environment perfectly, but it provides a good exemplar of what your design should achieve.
So, a few late nights then?
I’ve been involved with Exchange in one form or other since Exchange 4.0, and it’s probably my favourite Microsoft product. Whilst it is more scalable and robust than ever, the complexity has ratcheted up a few notches too, and if nothing else I hope I’ve convinced you that you cannot be resourced, planned and prepared enough when it comes to an Exchange 2010 rollout and migration.
Useful Links
The last time I tried to write a program was when I was at university using a program called Delphi. I knew back then that I wasn’t going to set the world on fire with my jqueries and there was nothing rapid about my application development. My peers in our software development team tell me that technology has moved on since then and the whole process is much faster. They are working with people wanting to develop applications for Windows 8 and you could be one of them.
The team has set up a series of camps to help individuals develop their first Windows 8 app: the Windows 8 Camps have been designed to show you how to build a Windows 8 app. You can tailor the day to make it as personally productive and rewarding as possible. You can work on your own projects with assistance from Windows 8 experts, network with others and also have the option of attending short tutorial sessions on Windows 8 related topics.
Win 8 Agenda:
Time   Presentation Room                               Work Room
08:30  Registration
09:00  Welcome & Explanation of the Day’s Format
09:15  Windows 8 Overview – UX, Store & Opportunity    Hands On Labs (.NET and HJC); App Migrating and UX Reviews
10:30  Break
10:45  Windows 8 App Features 1
11:45
12:00  Windows 8 App Features 2
13:00  Lunch
14:00
15:00
16:00
17:00
18:00
19:00  For the committed only to continue their labs/migrating.
21:00  Close
These events are hands-on and flexible so you can tailor the day to suit what you need, from working on your own project with assistance from our Windows 8 experts to networking with others and attending short tutorial sessions. Our tutorial sessions will include topics such as the ‘Basics of the OS and interaction with the OS’ and ‘Metro style UX’.
Find out more and book your place:
Thursday 19th July, London: Windows 8 DevCamp
Friday 20th July, London: Windows 8 DevCamp
Saturday 21st July, London: Windows 8 DevCamp
Tuesday 24th July, London: Windows 8 DevCamp
Wednesday 25th July, London: Windows 8 DevCamp
Thursday 26th July, London: Windows 8 DevCamp
To help get a head start before attending these events, why not try out the Windows 8 Release Candidate for free now and get the tools onto your machine to start writing Windows 8 applications here – these are also free!
Geoff Evelyn is a Microsoft MVP and has an active interest in SharePoint security and the consumerization of IT. He recently attended an event and has put together an article that moves beyond that event.
The article talks about how personal devices, as part of consumerization, have impacted SharePoint, some features available to mobile users, what the implications are in terms of security and finally a look at what Support needs to address.
The article is pretty long but includes a lot of detailed and interesting information covering the broad range of subject areas shown below:
Here’s the article: http://www.sharepointgeoff.com/consumerization-and-sharepoint-security-challenges/
Empower all users to gain breakthrough insights as a natural part of their day-to-day activities using PowerPivot and PowerView, now in Excel.
User created, IT managed - Enable enterprise grade IT governance for your BI solutions via SQL Server and SharePoint
Download links
Chris Testa-O'Neill is a Senior Consultant for Coeo Ltd, a leading provider of SQL Server Managed Support and Consulting in the UK and Europe. He is a Microsoft Most Valuable Professional (MVP) for SQL Server, sole author of the MCTS SQL Server 2008 Microsoft E-Learning courses and technical reviewer for the SQL Server 2012 BI Official Microsoft courses for Microsoft Learning. He is heavily involved with the SQL Server community as a speaker and an organiser of SQLBits, a Regional Mentor for SQLPASS, and he runs his own user group in Manchester, UK. As well as being certified as a SQL Server MCDBA, MCTS and MCITP in all tracks, Chris is also a Microsoft Certified Trainer and a Microsoft Certified Systems Engineer in Windows 2000 and Windows 2003. In his spare time Chris loves playing in a band as a guitarist/lead vocalist. You can contact Chris at chris@coeo.com or on twitter as @ctesta_oneill.
Part III of a highly available business intelligence environment deals with the important consideration of configuring authentication mechanisms within the infrastructure.
Detailed information can be found in the Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products white paper. This article deals with the key concepts and considerations that need to take place when planning authentication, delegation and impersonation.
Authentication is the process of verifying the identity of a user on a network.
Three forms of authentication can be configured when building a SharePoint farm which supports a SQL Server 2012 highly available BI environment: Kerberos, NTLM and claims-based authentication. PowerPivot for SharePoint at the moment does not support claims-based authentication, so for brevity this authentication method is not explored.
The differences between Kerberos and NTLM are analogous to a scenario such as visiting a theme park like Blackpool Pleasure beach or Disneyworld.
NTLM (NT Lan Manager)
When I was a young lad, my parents would take me for a day trip to Blackpool Pleasure Beach. In those days, you were free to walk around the theme park. If you wanted to go on a ride, you were challenged. Meet the height requirement for the ride, pay your cash and you were allowed to enjoy what the ride had to offer. Once completed, you could then go to another ride where once again you were given the same challenge. Meet the height requirement and pay your cash. If you could not meet this challenge you were unable to get on the ride.
This is similar with NTLM authentication, except the challenge is to provide a correct user name and password to gain access to a network resource. The process of repeating authentication challenges can be cumbersome to users. This is where Kerberos can help.
Kerberos
Kerberos is an authentication protocol that is designed to provide a single sign-on environment to reduce the repetitive nature of NTLM authentication.
Today, Blackpool Pleasure Beach is enclosed within a security fence. As a result, when you go to a theme park such as Blackpool Pleasure Beach or Disneyworld, the authentication takes place at the entrance of the theme park, or the ticket booth. It is here where you are challenged. Pay your cash and the ticket booth operator will provide you with a ticket (or wristband) that is valid for the day. Adults will receive a different ticket to children.
The result of receiving the ticket means that should you wish to go on a ride, then all you have to do is show your ticket at the entrance of the ride. The ride is programmed to accept the correct tickets and reject tickets that are not valid.
Kerberos works in a similar way. You authenticate against a Domain Controller (ticket booth) in a domain (Blackpool Pleasure Beach/Disneyworld), which will issue you a session ticket (ticket) should you meet the challenge (username and password). Once you have this ticket, you will present it to network resources such as SQL Server or a File Server (a ride). If you are in the list on the resource then you will get access.
*Note I am ignoring resource permissions here as that is a separate topic known as authorisation.
Kerberos provides convenience in that you only have to authenticate once: the session ticket you are issued contains information that is presented to the resource when you access it, and it is valid for 8 hours. Kerberos also provides additional capabilities that are very important when setting up a highly available BI environment:
Delegation
Kerberos delegation is the process of giving an Active Directory account permission to perform a task. An example could be the ability to impersonate another user account.
Impersonation
Kerberos impersonation is the process of one account impersonating the credential of another account. Delegation of this permission must be done first for impersonation to work.
So back at Blackpool Pleasure Beach, my entire family have got their tickets and are enjoying the rides. When it comes towards lunch time, we need to get cash out of the cash machine to pay for lunch. What normally happens is that while I take my kids on another ride, I give my wife my cash card. This very act is delegation, as I am giving my wife permission to be me when she goes to the cash machine on my behalf. When she gets to the cash machine, she types in the four-digit PIN code to access my account. The very act of her typing in the PIN code is impersonation, as she is impersonating my credentials.
So how does this apply to a highly available BI environment?
Let’s remind ourselves of the environment we discussed in the second part of this series of blog posts
This software and hardware is collectively used together to create the following environment.
Should a user want to access a PowerPivot, Report Builder or PowerView report that uses the back end source databases shown at the bottom of the diagram, Kerberos, delegation and impersonation will be required if you must retain the identity of the user who originally made the request for the report. Maintaining the user’s credentials over two or more connections is referred to as a double hop, and it creates a requirement to delegate the right to authenticate as a given user’s identity. Kerberos works with this scenario because a user authenticates using their password only once, when they log on to the domain; after that it is the session ticket that is used to authenticate. As a result, we have the ability to delegate control of a user’s (or even a workstation’s) session tickets.
Therefore, should a user connect to an application such as PowerPivot, Report Builder or PowerView that accesses data in a backend database, by default the connection will be made using the service account of the application. If there is a need to audit access against the backend database, the audit will record that the service account accessed the backend, not the user who made the request for the report.
In order to retain the identity of the user who originally made the request for the report, we have to perform a number of tasks:
Exposing Applications as Active Directory objects
When a computer is joined to an Active Directory domain, an object is created within Active Directory automatically. When a person joins a company, an account is manually created in Active Directory to provide a logical representation of the individual as a user object. The purpose of doing this is so that these objects can be secured within the organisation’s domain.
Like user accounts, applications are not registered within Active Directory automatically. As a result, we must manually register an application within Active Directory. This is done using the setspn command line tool. An SPN (service principal name) is the name by which a Kerberos client uniquely identifies an instance of an application on a given target computer. There are many ways that setspn can be used. However, in the context of exposing SQL Server 2012 BI applications in Active Directory, the following syntax is used:
setspn -S <service class>/<host>:<port> <service account name>
<service class> denotes the name of the service or application. If it is SQL Server then the <service class> is MSSQLSvc. Analysis Services is MSOLAPSvc.3 and Reporting Services would be HTTP.
<host> is the fully qualified domain name or NetBIOS name on which the application is running. The recommended practice is that each application should have two entries: one for the fully qualified domain name and one for the NetBIOS name.
<port> is optional and is used to define the port on which the service is running. This should be used when multiple instances of an application are running.
<service account name> is the service account that is defined for the application.
As a result, if there is a default SQL Server instance running on a computer named CoeoSQL.Coeo.Local under the service account Coeo\SQLService, two SPNs would be registered as follows.
For the fully qualified domain name it would be:
setspn -S MSSQLSvc/CoeoSQL.Coeo.Local:1433 Coeo\SQLService
For the NetBIOS name it would be:
setspn -S MSSQLSvc/CoeoSQL:1433 Coeo\SQLService
If it was a default Reporting Services instance on the same computer using the service account Coeo\RSService it would be:
setspn -S HTTP/CoeoSQL.Coeo.Local Coeo\RSService
setspn -S HTTP/CoeoSQL:1433 Coeo\RSService
These will register service principal names within Active Directory that can then be delegated. As a result, start to draft up a list of applications, fully qualified domain names and their associated service accounts for any applications that will be subject to the double hop issue.
Using Delegation to setup impersonation
The act of creating SPNs will enable a new tab in the user account properties in Active Directory named Delegation. It is here that you will be able to set up delegation so that credentials can be forwarded from one service to another. However, make sure that on the Account tab of the user account properties the option “Account is sensitive and cannot be delegated” is not selected, as this means delegation cannot be set up. Within the Delegation tab, the check box must be selected for “Trust this user for delegation to the specified service only”. This is known as constrained delegation. Once selected, choose Kerberos and click on Add to add the service to which the account can delegate, as shown in the following graphic.
Setting up SPNs and delegation will need to be done for all applications that will be subject to the double hop issue that was outlined earlier.
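The two steps above, drafting the list of applications and service accounts and then deciding which back-end services each front-end account may delegate to, lend themselves to a script. The following is an added example, not code from the article or from Microsoft: it turns a small inventory into the setspn -S commands and the constrained delegation targets for each account, and refuses a plan in which the same SPN is claimed by two accounts. CoeoSQL.Coeo.Local, Coeo\SQLService and Coeo\RSService are the article’s names; the Analysis Services host (CoeoSSAS.Coeo.Local) and account (Coeo\SSASService) are assumed.

```powershell
# Added example, not from the article: build and check an SPN and delegation plan from an inventory.
# Constructed inventory; the Analysis Services entry uses assumed names.
$Applications = @(
    [pscustomobject]@{ Name = 'SQL Server';         ServiceClass = 'MSSQLSvc';    HostName = 'CoeoSQL.Coeo.Local';  Port = 1433;  Account = 'Coeo\SQLService';  DependsOn = @() }
    [pscustomobject]@{ Name = 'Analysis Services';  ServiceClass = 'MSOLAPSvc.3'; HostName = 'CoeoSSAS.Coeo.Local'; Port = $null; Account = 'Coeo\SSASService'; DependsOn = @('SQL Server') }
    [pscustomobject]@{ Name = 'Reporting Services'; ServiceClass = 'HTTP';        HostName = 'CoeoSQL.Coeo.Local';  Port = $null; Account = 'Coeo\RSService';   DependsOn = @('SQL Server', 'Analysis Services') }
)

function Get-SpnList {
    # One SPN for the FQDN and one for the NetBIOS name, as the article recommends; the port suffix only when given.
    param([pscustomobject]$App)
    $suffix = if ($App.Port) { ":$($App.Port)" } else { '' }
    foreach ($h in @($App.HostName, $App.HostName.Split('.')[0])) { '{0}/{1}{2}' -f $App.ServiceClass, $h, $suffix }
}

function Get-SpnPlan {
    # Expands the inventory into (application, SPN, account) rows and refuses a plan where two different
    # accounts claim the same SPN: the KDC cannot choose between them and clients fall back to NTLM.
    param([object[]]$Apps)
    $rows = foreach ($app in $Apps) {
        foreach ($spn in Get-SpnList -App $app) { [pscustomobject]@{ Application = $app.Name; Spn = $spn; Account = $app.Account } }
    }
    $dupes = $rows | Group-Object Spn | Where-Object { @($_.Group.Account | Select-Object -Unique).Count -gt 1 }
    if ($dupes) { throw "SPN registered to more than one account: $($dupes.Name -join ', ')" }
    return ,@($rows)
}

function Get-SetspnCommands {
    # The setspn -S form used in the article; -S refuses to add an SPN that already exists elsewhere.
    param([object[]]$Plan)
    foreach ($row in $Plan) { 'setspn -S {0} {1}' -f $row.Spn, $row.Account }
}

function Get-DelegationTargets {
    # For each front-end service account, the back-end SPNs to list under
    # "Trust this user for delegation to the specified services only" (constrained delegation).
    param([object[]]$Apps)
    foreach ($app in $Apps | Where-Object { @($_.DependsOn).Count -gt 0 }) {
        $targets = foreach ($dep in $app.DependsOn) { Get-SpnList -App ($Apps | Where-Object Name -eq $dep) }
        [pscustomobject]@{ Account = $app.Account; DelegateTo = @($targets) }
    }
}

$plan = Get-SpnPlan -Apps $Applications
Get-SetspnCommands -Plan $plan
Get-DelegationTargets -Apps $Applications | Format-List
```

Run against the live domain, the plan is only half the check: setspn -L <account> shows what is actually registered for an account and setspn -X searches the forest for duplicate SPNs, and the “Account is sensitive and cannot be delegated” flag the text warns about is the AccountNotDelegated property returned by Get-ADUser -Properties AccountNotDelegated. The delegation targets come out per account rather than per SPN on purpose: constrained delegation is configured on the front-end account object, and it lists the back-end SPNs, which is the shape of the Delegation tab described above.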
So now we have an understanding of the key concepts of authentication, delegation and impersonation, and of the impact of these concepts on a SQL Server 2012 highly available environment. The key considerations when dealing with this setup are captured in the best advice I received from Adam Saxton (Twitter | Blog), Senior Escalation Engineer based at Microsoft CSS. He states that when undertaking this activity, you should come up with a checklist:
Once you have answered these questions you will be able to set up the right SPNs and Delegation to ensure that a user’s credential is passed through to back end data sources.
Disclaimer: You should not hand over your cash card as it will compromise your security. And no children or partners were harmed in the making of this blog :)
Some additional useful resources: