
Virtualisation - A few notes

Last week we came across some interesting items related to virtualisation that I thought were worth sharing.

First, Microsoft IT Showcase has published its guide to selecting workload candidates for virtualisation.


Microsoft IT Showcase is pleased to announce the publication of Identifying Server Candidates for Virtualization, which discusses how Microsoft IT identified virtualization as one of the prime strategies to address the issues of server underutilization and data-center capacity. Many thanks to Rich Baker, Devin Murray and Dodd Willingham for their expertise, knowledge, and dedication in developing this comprehensive technical case study.

Identifying Server Candidates for Virtualization

Published: 06/17/2008
For several years, Microsoft IT was aware that the number of servers in its data centres was growing rapidly, while utilization of these servers was very low. Microsoft IT identified virtualization as one of the prime strategies to address the issues of server underutilization and data-center capacity. This study describes how Microsoft IT developed the RightSizing initiative to identify servers that could be virtualized.
Technical Case Study

To learn more about how Microsoft does IT, please visit us!

External:  www.microsoft.com/technet/itshowcase

Second, System Center Virtual Machine Manager is now covered in the latest beta release of the Infrastructure Planning and Design (IPD) guides (www.microsoft.com/IPD).

RELEASE UPDATE

Infrastructure Planning and Design Guides

Beta Release Announcement

System Center Virtual Machine Manager, System Center Operations Manager, Internet Information Services, Selecting the Right NAP Architecture

We are pleased to announce the introduction of our new Infrastructure Planning and Design (IPD) guides. We have added System Center Virtual Machine Manager and System Center Operations Manager as the first guides in our series for System Center. We have added the new Internet Information Services guide to our Windows Server 2008 offerings and, finally, we have released Selecting the Right NAP Architecture.

All of our released guides can be found in the download center. 

Infrastructure Planning and Design streamlines the planning process by:

· Defining the technical decision flow through the planning process.

· Listing the decisions to be made and the commonly available options and considerations.

Join the Beta for Future IPD Guides

Additional Infrastructure Planning and Design series guides are available as beta releases on the Connect Web site. These are open beta downloads. See below for instructions on how to access the beta guides.

To join the Infrastructure Planning and Design Beta, follow these steps:

1. Visit the Infrastructure Planning and Design Beta on the Microsoft Connect Web site.

2. Sign in using a valid Windows Live ID to continue to the Invitations page.

3. Scroll down to Infrastructure Planning and Design.

If you have not previously registered with Microsoft Connect, you might be required to register before continuing with the invitation process.

If the link in step 1 does not work for you, copy the link and paste it into the Web browser address bar.

Related Resources

System Center Operations Manager on Microsoft TechNet

System Center Operations Manager evaluation software on Microsoft TechNet

Internet Information Services Online (iis.net)

 

CIOs sharing their experiences

And last but not least, a webcast from CIO Insight: the CIO Livecast encore presentation is online now.
"Virtualization: The Price & The Payoff" - Event URL: http://ciolivecast.stream57.com


Three CIOs discuss their experiences at various stages of Virtualization implementation:

1800Flowers.com – SVP & CIO, Steve Bozzo talks about the concerns that a $1 billion company doing well over half their business online has to consider before moving into Virtualization. With over 3,000 agents, 3 data centers and 700 servers, 1800Flowers’ Bozzo views virtualization as a business mandate that can’t be avoided.

Hudson Valley Bank – CIO, Howard Bruck sees massive benefits in the amount of control he now has over what used to be hundreds of scattered devices. Bruck talks about the steps that he’s taken over the last three years to optimize the bank’s processes by testing and deploying virtualization. Beginning with successful desktop virtualization, he sees virtualization as a holistic way of redoing the Windows environment.

Sesame Workshop – CIO, Noah Broadwater is balancing the media company’s massive data storage needs and server sprawl while containing costs at the non-profit home of the Muppets. Increasing the capacity of Sesame’s data centers would have been a multi-million dollar project but Broadwater found his answer with Open Source.

CIO Livecast is a complimentary event. Registration is required.

 

Hope you enjoy.

Regards

The MCS Infrastructure team @ Microsoft Ireland

Posted by mcsieinf | 0 Comments

ILM "2" Beta 3 is now available for download

ILM "2" Beta 3 has recently been posted for download on the Connect website. This beta release is a major milestone in the release roadmap for the product and contains most of the features that a lot of people have been waiting to get their hands on. Crucially, you can download a full VPC demo image and start having a look at the product today!

Included in this beta release:

  • ILM "2" Beta 3 package
  • ILM "2" Beta 3 Release notes
  • ILM "2" Beta 3 IT Pro documentation set
  • ILM "2" Beta 3 SDK
  • ILM "2" Beta 3 ready to use VPC

In this release you can work with:

  • Workflow integration with Office and Outlook
  • Self Service Password Reset
  • Codeless user provisioning

The VPC image comes with a full lab and documentation set, so you can work through the scenarios, get an understanding of how the new features can work in your environment, and start delivering higher ROI and lower TCO.

The timeline for ILM "2" is as follows:

  • Release candidate: Q4 2008
  • RTM Q1 2009

If you're interested in Identity Management I would strongly recommend that you subscribe to the program today, download the content, get the VPC image up and running and find out what everyone's talking about with ILM "2".

You can subscribe to the beta program at:

www.connect.microsoft.com

You can also join the beta newsgroup and subscribe to training webcasts as and when they become available.

More information on ILM 2 can be found at:

 http://www.microsoft.com/windowsserver/ilm2/default.mspx

Posted by mcsieinf | 1 Comments

Configuration Manager 2007 - 32-bit or 64-bit OS?

As I'm sure most of you are already aware, System Center Configuration Manager (SCCM) 2007 is a 32-bit application.

Installing SCCM SP1 on 64-bit Windows Server 2003 and 64-bit Windows Server 2008 is, of course, fully supported. However, because SCCM is still a 32-bit application, it will not perform as well on a 64-bit OS as a native 64-bit application would. The recommendation for best results is therefore to install 32-bit versions of Windows Server, even on 64-bit capable hardware.

The sole exception to the 32-bit OS rule is the SCCM site database server. No SCCM components are required on it, and because SQL Server 2005 SP2 is available as a 64-bit application it makes sense to install it on a 64-bit OS for better performance.

Traditionally, with SMS 2003, best practice was to host the SMS database on a local copy of SQL Server on the primary site server. When SMS 2003 was released, disk performance far exceeded that of the network; today this is no longer the case. Additionally, SCCM makes considerably more use of the CPU. Based on these two facts, using remote SQL for SCCM is now a viable option.

I took this approach recently on a large SCCM implementation with the following benefits -

  1. Significantly increased SQL performance (x64 SQL + x64 Windows + x64 hardware)
  2. Moving the database to a remote server reduces the processing load on the primary site server
  3. I installed 2 instances of SQL -
    • default instance = SCCM database
    • named instance = WSUS database (host database for SCCM software update point)
Posted by mcsieinf | 0 Comments

PXE Boot Problems with Configuration Manager 2007

One of the most impressive features of System Center Configuration Manager (SCCM) 2007 is Operating System Deployment (OSD), which began life as a feature pack for SMS 2003. An integral component of OSD is a new site role in SCCM called the PXE service point, which responds to PXE requests from computers that have been imported into the SCCM database.

The PXE service point site role is used to initiate the operating system deployment process and must be configured to respond to PXE boot requests made by client computers. Installation of the PXE service point requires Windows Deployment Services (WDS) to be installed on the computer assigned to host the role.

SCCM effectively adds another provider on top of the existing WDS providers. The SCCM PXE service provider will process a request if there is a record for the device (MAC address or SMBIOS GUID) in the SCCM database. The request is serviced by SCCM, even if there is no current advertisement for the device, as long as it is in the database. If no client record is found in the SCCM database, WDS falls back to its default provider.

In theory this is simple enough and provides a great new way to deploy operating systems but I wish to share a few PXE boot problems that I observed on a recent deployment project and how to resolve them.

IMPORTANT - please bear in mind that these problems must be placed within the context of my customer's environment and the issues observed may not necessarily relate to the same root cause on another site.

To put the problems into the context of the customer's infrastructure -

  • SCCM Infrastructure
    • SCCM 2007 SP1
    • Central / primary site server
    • Separate SQL server hosting SCCM database
    • Separate server hosting the PXE service point & state migration point
  • Windows 2003 Active Directory
  • Network
    • Centralised DHCP - Cisco Network Registrar
    • Cisco switches

Problem 1

PXE error = PXE-E32: TFTP open timeout

Issue = the PXE client was able to get a DHCP address and a boot file name, but timed out when attempting to download the boot file using TFTP or MTFTP

Cause = port security was enabled on the Cisco switch ports. Switch off port security to resolve. Bear in mind that port security is a layer-2 control limiting which MAC addresses may use a port, so scope the change to the ports used for imaging and re-enable it once deployment is complete.

 

Problem 2

PXE error = PXE-E3B: TFTP error - File not found

Issue = the requested file was not found on the TFTP server

Cause = DHCP option 67 (Bootfile Name) was not added to the DHCP scope options. Add option 67 to resolve.
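Problem 2 comes down to what the DHCP offer actually carries, which is easiest to settle by looking at the options field itself rather than at the PXE error. The following Python is an added example, not part of the original post or of any Microsoft tool: it decodes the option TLVs of a DHCP message (the bytes after the magic cookie) and reports whether options 66 and 67 are present and non-empty. The two offers it checks are constructed in the code; the server name and bootfile path in them are hypothetical sample values. To test a live network, feed it the options field of a DHCPOFFER captured with a packet sniffer on the client VLAN.

```python
"""Parse the options field of a DHCP message and report missing PXE boot options."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: the options field starts with this cookie
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_TFTP_SERVER_NAME = 66            # option 66: TFTP server name
OPT_BOOTFILE_NAME = 67               # option 67: bootfile name (the one missing in Problem 2)


def parse_dhcp_options(options: bytes) -> dict:
    """Decode the TLV options that follow the magic cookie into {code: raw value}."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("DHCP magic cookie missing")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:              # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value               # last occurrence wins if an option is repeated
        i += 2 + length
    return opts


def check_pxe_boot_options(options: bytes) -> list:
    """Return labels of the PXE boot options (66 and 67) that are absent or empty."""
    opts = parse_dhcp_options(options)
    missing = []
    for code, label in ((OPT_TFTP_SERVER_NAME, "66 (TFTP server name)"),
                        (OPT_BOOTFILE_NAME, "67 (bootfile name)")):
        if not opts.get(code, b"").strip(b"\x00"):
            missing.append(label)
    return missing


def build_dhcp_options(items) -> bytes:
    """Encode (code, value) pairs as a DHCP options field; used here to construct sample offers."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


# Constructed sample offers (not captured traffic); server name and path are hypothetical.
OFFER_WITH_BOOT_OPTIONS = build_dhcp_options([
    (OPT_MESSAGE_TYPE, b"\x02"),                    # DHCPOFFER
    (54, bytes([10, 0, 0, 1])),                     # server identifier
    (OPT_TFTP_SERVER_NAME, b"pxe01.corp.example"),
    (OPT_BOOTFILE_NAME, b"smsboot\\x86\\wdsnbp.com"),
])
OFFER_MISSING_OPTION_67 = build_dhcp_options([
    (OPT_MESSAGE_TYPE, b"\x02"),
    (54, bytes([10, 0, 0, 1])),
    (OPT_TFTP_SERVER_NAME, b"pxe01.corp.example"),
])

if __name__ == "__main__":
    for name, offer in (("complete offer", OFFER_WITH_BOOT_OPTIONS),
                        ("offer without option 67", OFFER_MISSING_OPTION_67)):
        print(name, "-> missing:", check_pxe_boot_options(offer) or "none")
```

An offer that passes this check but still fails with PXE-E3B points at the TFTP server side (wrong path or permissions on the boot file) rather than at the DHCP scope.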

 

Problem 3

PXE error = none; this is not really a PXE problem, as the client boots successfully and then fails when trying to process the SCCM task sequence.

Issue = negotiation between the Cisco switch port and the client causes a timeout

Cause = PortFast is not enabled on the Cisco switch port. Enable PortFast to resolve, but only on the access ports facing end stations, never on uplinks, so that spanning tree still guards against loops.

 

As an aside, the fix for a lot of PXE boot problems makes reference to the fact that WDS should be installed but NOT configured in any way prior to installing the SCCM PXE service point: simply install WDS, reboot, leave well alone and install the PXE service point. On my PXE service point server I created a small NTFS volume specifically to host WDS, and so broke with convention by initialising WDS upon reboot to point the components to this particular drive. With the exception of the issues listed above, which are not WDS related, my PXE service point functions just fine!

Posted by mcsieinf | 0 Comments

OCS 2007 Enterprise Edition - Certificate & DNS Requirements

Having just deployed Office Communications Server (OCS) 2007 at a customer site, I thought I would share some of my experiences, specifically around the DNS and certificate requirements.

OCS Features Installed

  • Audio & video conferencing
  • Web conferencing
  • NO federation or external user access

OCS Infrastructure Components

  • Software - OCS 2007 Enterprise Edition
  • Hardware
    • 2 x Front End Servers - OCSSRV01 & OCSSRV02
    • 1 x Back End SQL Server (clustered)
    • Load balancer

AD / Mail / Enterprise Pool

  • Windows 2003 AD single forest / single domain
  • Exchange 2007
  • FQDNs
    • AD domain name = company.local
    • Mail domain name = company.com
    • OCS pool = ocspool.company.local

For the customer in question we deployed OCS 2007 Enterprise Edition in a consolidated topology. This creates an Enterprise pool and installs all Enterprise Edition components on each physical server in the pool. When you deploy an Enterprise pool, you install all the servers in the pool as well as the load balancer that distributes traffic to the servers in the pool. You also configure the DNS that enables servers and clients to automatically locate one another. Additionally, as was the case with this customer, other DNS records were required to allow automatic client sign in.

One other important consideration is to determine which SIP domains are to be supported by OCS.

The SIP domain is the host portion of the SIP URIs assigned to users. For example, if SIP URIs are of the form *@company.com, then company.com is the SIP domain. The SIP domain is often different from the internal Active Directory domain, as in the vast majority of companies where the email domain name differs from the internal AD domain name.

In my example, I wish to enable users for OCS by using the user's email address to generate the SIP URI, therefore company.com is the preferred SIP domain. The following steps outline how to configure DNS to support this configuration.

Note - As there is currently NO requirement for federation or external user access we are only concerned with internal DNS at this stage.

 

Required DNS Records

  • An internal DNS record that resolves the FQDN of the pool to the virtual IP address of the load balancer used by the Front End Servers in the pool
  • An internal DNS record that resolves the internal Web farm FQDN from the pool to the virtual IP address of the load balancer used by the Web Components Servers in the pool

Required DNS Records for Automatic Client Sign In

  • An internal DNS SRV record that maps _sipinternaltls._tcp.<SIP domain> to the FQDN of the pool (for internal TLS connections; TCP can also be used but is not the preferred choice)

To place these requirements in the context of my example:

  FQDN of pool            SIP domain                                   DNS SRV record
  ocspool.company.local   company.local (default, inherited from AD)   _sipinternaltls._tcp.company.local, port 5061, maps to ocspool.company.local
  ocspool.company.local   company.com                                  _sipinternaltls._tcp.company.com, port 5061, maps to ocspool.company.local

To configure the DNS records for both SIP domains do the following -

(Refer to http://technet.microsoft.com/en-us/library/bb663654(TechNet.10).aspx for detailed instructions)

In the forward lookup zone for company.local -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.local
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.local

In the forward lookup zone for company.com -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.com
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.com

The above steps assume that a primary zone for company.com already exists on the internal DNS server; if none exists, create one, as it provides internal name resolution for the company.com SIP domain. Use nslookup to verify successful creation of the SRV records for both company.local and company.com. Whichever FQDN an SRV record points at, make sure that name appears in the subject or subject alternative names of the pool certificate requested below; otherwise clients cannot validate the TLS connection.

 

Certificate Creation & Assignment

OCS requires certificates on each Enterprise Edition server in order to use MTLS (TLS with mutual authentication) for server-to-server communication. Additionally, each OCS client needs to trust the CA that issued the server certificate in order to use TLS as the connection method, as configured in my example.

The OCS installation media provides a certificate wizard as part of the setup steps to request and assign certificates to the Front End servers. The wizard cannot be used to assign certificates to the Web Components server; this is done via the IIS certificate wizard.

Requesting and assigning certificates is straight forward enough and is documented in detail at the following links

http://technet.microsoft.com/en-us/library/bb663618(TechNet.10).aspx

http://technet.microsoft.com/en-us/library/bb663771(TechNet.10).aspx

The important part is knowing what to include in the certificate request, specifically what to specify as the certificate name and the certificate subject alternative name(s), especially when supporting multiple SIP domains.

To place this information within the context my example consider the following -

  • FQDN OCS pool = ocspool.company.local
  • FQDN OCS Front End Servers
    • ocssrv01.company.local
    • ocssrv02.company.local

To correctly request certificates for both Front End servers, enter the following -

  1. Certificate name = ocspool.company.local
  2. Certificate subject alternative names include -
    • DNS Name=sip.company.local
    • DNS Name=sip.company.com
    • DNS Name=ocspool.company.com
    • DNS Name=ocssrv01.company.local or ocssrv02.company.local
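To make the naming rule above reusable for more than two SIP domains, here is an added Python example (not from the original post, and not part of the OCS certificate wizard) that derives the subject and SAN list a Front End server certificate needs from the pool FQDN, the server FQDN and the SIP domains, and diffs a certificate's or CSR's names against that list. The values used come from this post's example; brand.example in the usage block is a hypothetical third SIP domain, included to show the generalisation.

```python
"""Derive and check the names an OCS Enterprise pool Front End certificate must carry."""


def required_certificate_names(pool_fqdn: str, server_fqdn: str, sip_domains) -> tuple:
    """Return (subject name, set of required SAN DNS names) for one Front End server.

    Rule generalised from the deployment above: the subject is the pool FQDN, and the SAN list
    carries sip.<domain> plus the pool host name in every SIP domain, plus the server's own FQDN.
    """
    pool_fqdn = pool_fqdn.lower().strip(".")
    pool_host = pool_fqdn.split(".", 1)[0]
    sans = {server_fqdn.lower().strip(".")}
    for domain in sip_domains:
        d = domain.lower().strip(".")
        sans.add("sip.%s" % d)
        sans.add("%s.%s" % (pool_host, d))
    return pool_fqdn, sans


def check_certificate_names(subject: str, san_names, pool_fqdn: str, server_fqdn: str, sip_domains) -> dict:
    """Diff a certificate's (or CSR's) subject CN and SAN DNS names against the pool's requirements."""
    want_subject, want_sans = required_certificate_names(pool_fqdn, server_fqdn, sip_domains)
    subject = subject.lower().strip(".")
    have = {n.lower().strip(".") for n in san_names}
    # The subject name counts as covered even when absent from the SAN list, matching the request
    # above. Many TLS clients ignore the CN once a SAN extension is present, so also listing the
    # pool FQDN as a SAN costs nothing and removes that dependency.
    covered = have | {subject}
    return {
        "subject_ok": subject == want_subject,
        "missing": sorted(want_sans - covered),
        "extra": sorted(have - want_sans - {want_subject}),
    }


# Values from this post's example; the CSR below is constructed, not a real request.
POOL = "ocspool.company.local"
SIP_DOMAINS = ["company.local", "company.com"]
CSR_SANS_OCSSRV01 = ["sip.company.local", "sip.company.com", "ocspool.company.com", "ocssrv01.company.local"]

if __name__ == "__main__":
    print(check_certificate_names(POOL, CSR_SANS_OCSSRV01, POOL, "ocssrv01.company.local", SIP_DOMAINS))
    # Hypothetical third SIP domain: shows which extra names the same CSR would be missing.
    print(check_certificate_names(POOL, CSR_SANS_OCSSRV01, POOL, "ocssrv01.company.local",
                                  SIP_DOMAINS + ["brand.example"]))
```

Run the check against the CSR before submitting it to the CA: a name missing from the SAN list means a reissue, and a name that is in the list but not in DNS is a sign that the zones and the certificate were planned separately.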
Posted by mcsieinf | 0 Comments

Today’s the day for the second Springboard Live! virtual roundtable: The topic? Windows Vista Security

"Let's talk Windows Vista security" begins at 17:00 GMT. Microsoft Technical Fellow and desktop guru Mark Russinovich will again be hosting a live, interactive Springboard Series virtual roundtable, this time on the topic of Windows Vista security.

As with the March roundtable on deployment, Microsoft will be taking questions from those tuning in for the live event. Questions can also be submitted in advance by e-mailing vrtable@microsoft.com.


Visit https://ms.istreamplanet.com/springboard and register for the June 18th event today!

For those who can’t tune in at 17:00, the roundtable will also be available on demand at https://ms.istreamplanet.com/springboard shortly after the conclusion of the live event.

Posted by mcsieinf | 0 Comments

Windows Vista Deployment - Part 4 - End User Experience

One of the most important things in a Windows Vista deployment is managing change. At the end of the day the end users will have a new operating system with a massive number of new features, which they will have to discover in order to take full advantage of the productivity gains these features bring. But how do you communicate this to the users, and when? It is an excellent question to be asking yourself, and luckily Microsoft provides a great tool for the job.

This tool is called the Enterprise Learning Framework (ELF). It is free online and focuses on four areas:

  • Raising Awareness: helping employees understand how the new version of Windows will benefit them, and preparing them before deployment
  • Minimizing Disruption: identifying a small, manageable number of learning topics to get employees up and running quickly
  • Shortening Training: concise learning topics requiring only a few minutes each from employees
  • Gaining Productivity: identifying the most important learning topics for improving productivity

The tool can target the content at different types of employee and at different times within the deployment. The following table shows the choices you can make.

  Audience                          Description                                                                        Goal
  Information Workers               Normal users                                                                       Based on timeframe
  Influential Information Workers   Users who can teach other users and who like to stay ahead of the game             One step ahead
  Support                           IT users who need to be ready before the general rollout, typically the Help Desk  Prepared early

Depending on the audience, the tool defines how the topics are assigned to the different time frames; for example, something a user would see a week before deployment is probably something a support engineer needs to know a month before. Below is a table of the content and topics you can get for the preferred audience. You can choose them all in the tool.

  Time Frame                   Goal                  Focus
  Month Before                 Raise Awareness       Demonstrate value and build anticipation
  Week Before                  Raise Awareness       Minimize surprise: important things to know ahead of time
  Deployment Day               Minimize Disruption   Get up and running with critical tasks
  Week After                   Gain Productivity     Reinforce key concepts and introduce some new scenarios
  Month After                  Gain Productivity     Enhance productivity
  Any time after deployment    Gain Productivity     Tips and tricks that are appropriate any time after deployment

After you have selected your audience and the type of content you want to see, you can further filter the recommended topics by scenario, for employees in certain situations: topics that apply to everyone, collaborate with others, attend meetings and give presentations, travel and work from home, have accessibility needs, often help others. You can also filter by type of hardware.

After you have selected the type of communication you can refine it further by applying different filters, such as "only tips & tricks", and different categories.

Now comes the fun part: the results. From these you can create customized e-mails with the appropriate content at the appropriate moment, get highly recommended topics, or create Word documents for distribution in your enterprise.


From this page you can check the actual link that is being provided to the user or create the HTML e-mail. If you are using IE7 for this task, please follow these instructions:

Click Create HTML E-mail or Create Text E-mail to generate a template e-mail message.

Note   The current version of the ELF tool is limited to creating template e-mail messages on computers on which Microsoft Office Outlook® is installed. The Windows Internet Explorer® Pop-up Blocker should be set to Disabled. Otherwise, the user may not be able to view items such as the e-mail help page. Also, the Internet browser security settings must be adjusted so that the Initialize and script ActiveX controls not marked as safe option is set to Prompt. If this setting has not been configured and the user selects Create HTML E-mail or Create Text E-mail, an information window such as that shown in Figure 13 appears, prompting the user to follow the proper configuration procedure.

Both of these settings weaken Internet Explorer's defaults (the ActiveX one in particular lets script drive controls that were never marked safe for scripting), so apply them only in the security zone that contains the ELF site, such as Trusted sites, rather than in the Internet zone, and restore the defaults once the e-mails have been generated.

It is also recommended that you read the Enterprise Learning Framework User Guide.doc that ships as part of the Microsoft Deployment Toolkit 2008 documentation.

That is it for the Enterprise Learning Framework.

Part 5 - Supporting infrastructure is coming up next.

Posted by mcsieinf | 0 Comments

Using Key Management Services (KMS) Across Domains

In some environments it may be necessary to implement Key Management Services (KMS) activation across domains. An example of this can be illustrated by the requirements of a recent project that I was working on.

The customer in question is in the process of consolidating a number of legacy domains into a new, pristine AD domain; trust relationships exist between the domains. This migration will take a considerable amount of time, given both the size of the customer's infrastructure and the requirement to consolidate and migrate complex back office systems and applications.

Concurrently, a large scale Vista deployment project is also under way, aimed at base-lining the client infrastructure on a common desktop. Where possible, and for the most part, newly deployed Vista clients are being deployed into the new domain; however, due to reliance on and access to critical back office applications which still reside in the legacy domains, there is also a requirement to redeploy some Vista clients back to their legacy domains.

Bearing these requirements in mind, it was still desirable to configure a single domain for KMS activation (preferably the new domain, given that over time the legacy domains will be decommissioned). Configuring KMS activation across domains therefore becomes the logical choice.

Network considerations - by default, client computers connect to the KMS host for activation using anonymous Remote Procedure Calls over TCP port 1688, so you will need to ensure that this port is open in the firewall configurations between the remote sites. Note - this port number can be changed on the host, in which case the SRV records described below must carry the new port, as that is where clients read it from.

DNS SRV records - by default, when dynamic DNS (DDNS) is supported in the environment, KMS hosts automatically publish their existence by creating service (SRV) resource records on the DNS server, and only the DNS domain that the KMS host belongs to is registered in an SRV record.

So if you have only one DNS domain in your network environment, no further action is required.

But if you have more than one DNS domain name, as is the case with this customer's legacy domains, you can create a list of DNS domains for a KMS host to use when publishing its SRV record. This is done by setting a specific registry value on the KMS host -

1. Log on to a KMS host.
2. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, type Regedit.exe and then press Enter.
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL.
5. In the tree pane, click SL. Right-click in the details pane, point to New, and then click Multi-String Value.
6. Type DnsDomainPublishList as the name for the new value, and then press Enter.
7. Right-click the new DnsDomainPublishList value, and then click Modify.
8. In the Edit Multi-String dialog box, type each DNS domain suffix that KMS should publish to on a separate line. When you are finished, click OK.
9. Restart the Software Licensing service using the Services application. The SRV records are then created.

However, if DDNS is not supported in the different DNS environments, or if you want manual control over KMS publishing, an administrator can also create manually the SRV record that publishes the availability of a KMS host. Manually created SRV records can coexist with SRV records that are auto-published by KMS hosts in other domains, as long as all records are maintained to prevent conflicts. Here is the procedure for creating, in each legacy DNS domain, the SRV record that publishes the availability of the remote KMS host -

1. On the DNS server, open DNS Manager. To open DNS Manager, click Start, click Administrative Tools, and then click DNS.
2. Click the DNS server on which you need to create the SRV resource record.
3. In the console tree, expand Forward Lookup Zones, right-click the domain, and then click Other New Records.
4. Scroll down the list, click Service Location (SRV), and then click Create Record.
5. Type the following information:
  1. Service: _VLMCS
  2. Protocol: _TCP
  3. Port number: 1688
  4. Host offering the service: <FQDN_of_KMS_Host>
6. When you are finished, click OK, and then click Done.
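Both this post and the OCS post above end with "verify the SRV record", which nslookup does one name at a time. The following Python is an added example, not from either post and not a Microsoft tool: it builds an SRV query from scratch, parses the response including compressed names, and filters the answers by the port and target you expect (1688 and the KMS host here; 5061 and the pool FQDN for _sipinternaltls._tcp). The two responses it parses offline are constructed in the code; kms01.newdomain.example and legacy.example are hypothetical names, and query_srv is the only function that touches the network.

```python
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1


def _encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset just after it in the outer record)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired query for the SRV record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def parse_srv_response(msg: bytes, txid: int = 0x1234) -> list:
    """Return [(priority, weight, port, target), ...] from the answer section of a response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = _read_name(msg, offset + 6)   # the target may itself be compressed
            records.append((prio, weight, port, target))
        offset += rdlen
    return records


def query_srv(service: str, proto: str, domain: str, dns_server: str, timeout: float = 3.0) -> list:
    """Live lookup over UDP/53: the only function here that touches the network."""
    name = "%s.%s.%s" % (service, proto, domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


def matching_records(records: list, port: int, target: str) -> list:
    """Keep only the records that point at the expected port and host (case-insensitive)."""
    want = target.lower().strip(".")
    return [r for r in records if r[2] == port and r[3] == want]


def build_srv_response(query_name: str, answers: list, txid: int = 0x1234) -> bytes:
    """Construct a response for offline testing; answer owner names are compressed to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + _encode_name(query_name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


# Constructed responses mirroring the two records discussed on this page (no real lookups).
KMS_RESPONSE = build_srv_response("_vlmcs._tcp.legacy.example", [(0, 0, 1688, "kms01.newdomain.example")])
OCS_RESPONSE = build_srv_response("_sipinternaltls._tcp.company.com", [(0, 0, 5061, "ocspool.company.local")])

if __name__ == "__main__":
    print("KMS:", parse_srv_response(KMS_RESPONSE))
    print("OCS:", parse_srv_response(OCS_RESPONSE))
```

Point query_srv at each legacy domain's DNS server in turn (for example query_srv("_vlmcs", "_tcp", "legacy.example", "10.0.0.53")) and pass the result through matching_records with port 1688 and the KMS host FQDN; an empty list means the record is absent, points somewhere else, or carries the wrong port.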
Posted by mcsieinf | 0 Comments

Using Key Management Services (KMS) for Vista Activation

I have been working recently on a large Vista deployment project for an Enterprise customer. An integral component of the project required the installation and configuration of Key Management Services (KMS) to activate all newly deployed Vista computers.

Typically, an Enterprise customer will choose KMS as the preferred method of activation, as the number of activations available on the Multiple Activation Keys (MAKs) supplied as part of their Microsoft Enterprise Agreement will be substantially less than the total number of computers for which they are licensed; KMS is the only way to activate the entire estate. Apart from this, KMS offers additional benefits such as:

• KMS activates operating systems on the local network, eliminating the need for individual computers to connect to Microsoft
• KMS ensures you are within your allowed number of licenses
• Virtual machines don't count towards the KMS n-count

However, bear in mind that KMS requires a minimum number of physical computers in a network environment, called the activation threshold, before it will activate KMS clients. The activation threshold for Windows Vista is 25 physical computers, and 5 physical computers for Windows Server 2008.

KMS is a lightweight service which does not require a dedicated server and which can easily be co-hosted with other services. The KMS host can be a physical or virtual system running Windows Server 2008, Windows Vista or Windows Server 2003, but a KMS host running on Windows Vista can only activate Windows Vista KMS clients. KMS is built into Windows Server 2008 and is available as a separate download for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=81D1CB89-13BD-4250-B624-2F8C57A1AE7B&displaylang=en

Configuring KMS requires installing a KMS key on the host and then activating the host with Microsoft, either by telephone or online. A KMS key can activate the Windows editions within its specific product group as well as editions in 'lower' product key groups (i.e., KMS keys have a hierarchical association with product key groups); see the illustration below. My customer's EA licensed them for all products. For example, activating the KMS host with a Server Group B KMS key allows it to activate Windows Server 2008 Standard, Enterprise and Web editions, and Windows Vista editions, as KMS clients.

     

[Illustration: KMS product key group hierarchy (image not reproduced)]

     

Initially, I installed and configured the KMS host with the Server Group B KMS key, as my customer has no requirement to utilise Datacenter versions of Windows Server 2008 - activation of Server Group B, Server Group A and Vista VL was sufficient. However, although the KMS host was successfully activated using the Server Group B KMS key, all subsequent attempts by Vista clients to activate with the KMS host failed with the following error -

Error code = 0xC004F014

This error is indicative of issues caused by a missing or incorrect pid.txt file, which is included in the sources folder on the Vista installation media. Extensive testing confirmed that this was not the case and that all deployed clients had been imaged correctly using the correct pid.txt file.

In my case, resolution of the issue involved the following steps -

1. Uninstall the Server Group B KMS key and replace it with the Server Group C KMS key = slmgr -ipk <product key> (this replaces the existing key).
2. Reactivate the KMS host = slmgr -ato (ensure that the host has Internet access)

Once the KMS host was reactivated with the Server Group C KMS key - effectively the highest level key available in the customer's Enterprise Agreement - Vista clients began to register with and activate against the KMS host. Problem solved.

Posted by mcsieinf | 0 Comments

Microsoft's Identity Life Cycle Management Strategy And Roadmap Part 3: ILM "2"

Identity Lifecycle Manager "2" builds on Identity Lifecycle Manager 2007 to provide solutions for the management of users, credentials, access and policies that automate identity lifecycle tasks and balance the load between IT professionals, developers and information workers. IT will be able to put controls in place that enable them to securely delegate management of common user requests back to the end users. The end users will have self-service tools integrated into Office and Windows that allow them to do things like reset their own passwords and manage membership of groups and distribution lists without calling the help desk.

The foundation of the ILM "2" solutions is the metadirectory and extensibility found in ILM 2007. ILM "2" takes this a step further by integrating workflow built on Workflow Foundation (WF), enabling delegation, approvals, notifications and exceptions to be built into identity lifecycle processes. Furthermore, the extensibility in ILM 2007 is greatly enhanced through the addition of web services extensibility based on Windows Communication Foundation in ILM "2".

Highlights of ILM "2" include:

- Self-service tools for group management, profile management and password reset, integrated with Microsoft Office and Windows

- Customisable workflow designer that enables modelling of business processes around approvals, delegations and escalations

- GUI-based solutions for IT and help desk to manage users, multiple credentials, access through groups and roles, and policy

- Report builder and SQL Server Reporting Services integration for identity life cycle notification and reporting

- Integration with Microsoft Systems Management Server for asset and software management, and Microsoft Operations Manager for health monitoring

- Rich platform and standards-based Web services extensibility using Visual Studio, Workflow Foundation (WF) and the .NET Framework


    ILM "2" Solution Areas

    ILM “2” consists of four solution areas – user management, credential management, access management, and policy management.

    User Management

    ILM 2 will deliver GUI-based tools for user management and self-service across the enterprise without the need for custom coding of business rules or recoding of the target systems. These automated and centralized user management tools include:

    - Provisioning override features to accommodate exceptions

    - Broad range of connectors including Active Directory, Novell, Sun, IBM, RACF, Top Secret, ACF/2, Lotus Notes, Microsoft Exchange Server, Oracle databases, Microsoft SQL Server databases and SAP HR

    - Workflow and exception request tracking and reporting for compliance

    - Integrated white pages

    - User profile self-service management

    Self-Service Credential Management

    ILM 2 enables users to change and reset their own passwords and smart card PINs from the Windows desktop login, and enables the help desk to reset them from a single location. With self-service password reset integrated into the Windows logon, self-service will be the preferred alternative to calling the help desk.

    Integrated Access Management

    ILM 2 provides self-service group and distribution list management, integrated through Office to enable information workers to manage their access requests using the collaboration tools they are familiar with, enhancing productivity and minimizing additional training. ILM 2 will also provide a framework that is flexible enough to be used for role-based management of identities and access.

    Policy Management

    As part of the ILM 2 release, Microsoft will deliver an intuitive user interface that enables system architects, IT administrators and information workers to create rules governing users and groups using natural language descriptors and easy-to-use menu-driven controls.

    The policy management tools will also enable business owners and IT to report on the events and business rules processed by ILM 2, and to act on that information in an automated manner. This provides a view into the state of compliance as well as a mechanism to enforce business rules that support compliance.


    ILM "2" Business Process Alignment

    These next screenshots show some of the most powerful features of ILM "2".

    This first one shows how self service will be integrated into Office and Windows. The first screen shot is of an email in progress where you can see the My Groups menu has been added to the Outlook 2007 ribbon. From the Office ribbon, you can do things like add and remove members, and view and manage groups you own or are a member of. In addition, you will be able to request and approve group membership through Outlook, including bulk approvals.


    The second screen shot shows how the self-service password/PIN reset will be integrated into the Vista credential provider. When you log on or press Ctrl+Alt+Delete, there will be an additional option to reset your password or PIN. There will also be tools for registering your secret questions and answers that will enable you to do self-service reset. We are also looking at additional self-service methods (or gates) beyond question and answer, such as using your smart card PIN to reset your password, as well as providing the extensibility to build additional self-service reset methods/gates.


    This next screen shot shows the beginning of the creation of an approval process. ILM “2” will include the ability to use a wizard to create workflow processes. In this case you can see an approval is being created. You can select the approvers for a particular workflow based on group membership or other attributes. In this case, we will be seeking approval from the group IDM Governance. You can also set an expiration date on the approval and any escalation path required post-approval.

    One very powerful feature of the customisable workflow designer in ILM “2” is the fact that you can reuse workflows for different processes. So you don’t have to recreate workflows every time you have a new approval process.


    In order to ensure that you can customize ILM “2” to your organization’s needs, we are building in extensibility on a number of levels. Here you can see the beginning of a new workflow based on Workflow Foundation. You will be able to use Visual Studio to develop and customize as necessary.


    So as you can see ILM "2" will take Identity and Access Management to the next generation. I hope you enjoyed the series. Stay tuned for some exciting announcements regarding the ILM "2" beta program!

    Posted by mcsieinf | 0 Comments

    Microsoft's Identity Life Cycle Management Strategy And Roadmap Part 2: ILM 2007

    This is the second post in this series. In the first one I talked about Microsoft's philosophy and vision for Identity Management. In this post I'll look at our current offering, Identity Lifecycle Manager 2007.

    Identity Lifecycle Manager 2007 brings together metadirectory, certificate management, and user provisioning across Windows and enterprise systems into a single packaged offering.

    Let's talk about each of these capabilities briefly.

    - With the metadirectory capabilities in ILM 2007, you can have a single view of the user across all your enterprise systems. ILM 2007 keeps this view consistent across all of the connected systems.

    - The certificate management functionality in ILM 2007 enables you to dramatically reduce the cost of deploying and managing certificates and smart cards. ILM 2007 automates the process of issuing and revoking certificates based on workflow, so approvals and notifications are integrated into the solution.

    - ILM 2007 provides a solution for provisioning and deprovisioning users. With ILM 2007 you can provision a user’s accounts, synchronize their passwords, and manage their certificates through the same process.


    Now let's drill into each of these features a bit more:

    ILM 2007 Metadirectory Services

    ILM 2007 metadirectory services provide a solution that synchronises identity information from all the connected identity stores. ILM 2007 includes over 30 different types of connectors, or management agents, out of the box, so you can connect to the leading directory services, email systems, databases, mainframe systems and line-of-business applications. For other systems, ILM 2007 provides an extensible management agent that you can use to build custom connectors for your legacy infrastructure and applications.

    One of the strong points of the ILM 2007 metadirectory is that it helps you keep identity data consistent throughout your enterprise, and automates the process of reconciling and cleaning up disparate identity data across the various stores. The importance of this reconciliation and clean-up process cannot be overstated: it is a critical first step to delivering identity lifecycle management solutions, such as provisioning, that layer business process on top of this identity information and synchronization. Without ensuring that your identity information is clean and consistent across your organization, it will be difficult to be successful as you add business process on top.

    That said, the ILM 2007 metadirectory is truly the foundation for identity life cycle management solutions, enabling you to do things like

    - Automate user provisioning

    - Manage global address lists

    - Automate group and distribution list management

    - And ultimately put you on a path to take advantage of the solutions in ILM “2”


    ILM 2007 Certificate & Smart Card Management

    ILM 2007 certificate and smart card management provides a single place to administer digital certificates and smart cards. One of the biggest costs of getting to strong authentication is the deployment of certificates and smart cards. ILM 2007 automates this process and dramatically lowers the cost of deploying and managing certificate based credentials such as smart cards.

    You are able to set up and configure workflows (i.e., approvals) to do a number of things for your certificate environment, including

    - Managing the process of enrolling, renewing, and updating certificates

    - Replacing smart cards that are lost, or issuing temporary cards in the case of someone forgetting their card at home

    - Revoking certificates or retiring or disabling smart cards when an employee leaves your organization

    ILM 2007 certificate management provides detailed auditing and reporting for the activities that take place in your Microsoft certificate infrastructure.

    ILM 2007 also supports admin-based or self-service smart card PIN reset as well as key recovery.

    ILM 2007 User Provisioning

    ILM 2007 automates the process of provisioning and deprovisioning user accounts, mailboxes, and group and distribution list memberships. With ILM 2007 you can manage the process of providing users with the access and assets they need to do their jobs. When an employee switches roles, say from finance to marketing, the accounts and access needed for the marketing role are added for them, while the account in the finance application is revoked because it is no longer needed for the new job. When an employee leaves the organization, ILM automatically disables their accounts and access so they can’t log back into systems once they are no longer an employee.

    ILM 2007 also enables you to extend your user provisioning solution to integrate with existing solutions such as portals or identity management tools you may have already developed. In addition, ILM 2007 provides a foundation to extend to partner solutions that include additional connectors, complex workflow, or self service portals.


    So that's about it on ILM 2007. In the next post I'll look at some of the exciting new features available in ILM "2".

    Posted by mcsieinf | 0 Comments

    Microsoft Solution for Hosted Messaging and Collaboration 4.5 has been released!

    HMC 4.5 brings together powerful Microsoft enterprise products such as Microsoft Exchange Server, Microsoft Windows SharePoint Services, and now gives you Microsoft Office Communications Server 2007, which manages all real-time communications such as instant messaging (IM) and audio and video conferencing.

    Other new features and enhancements:

    · Exchange Server 2007 SP1: Web-based OABs and resource mailboxes

    · Windows SharePoint Services: multi-tenant People Picker functionality

    · Provisioning capabilities have been expanded:

      o Microsoft Provisioning System (MPS) cross data store integration procedures

      o Individual Information Worker (IIW) tenant model

    · New SDK, updated for HMC 4.5

    Get started now with HMC 4.5 and HMC 4.5 SDK

    Note:

    If you are running a Vista machine you may have issues viewing the content of the CHM file.

    If you encounter this issue you will need to do the following:

    - Download and save the file

    - Right Click on the CHM file

    - Go to properties

    - On the General tab, click Unblock

    - Click Apply

    The contents of the CHM file will now appear correctly.
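    The Unblock button clears the Zone.Identifier alternate data stream that Windows attaches to files saved from the Internet zone, which is what stops the HTML Help viewer from rendering a downloaded CHM. As an added example (not from the original post), the same check and fix in PowerShell; it assumes PowerShell 3.0 or later for the -Stream parameter and Unblock-File, which Vista's own PowerShell lacks, so it applies to later Windows versions showing the same symptom.

```powershell
# Added example (not from the original post): inspect the Zone.Identifier stream
# that causes the blocked-CHM symptom, then remove it. Assumes PowerShell 3.0+
# (Get-Content -Stream and Unblock-File are not available on Vista's PowerShell).

function Get-DownloadZone {
    # Reads the Zone.Identifier alternate data stream ("mark of the web") and
    # returns its ZoneId, or $null when the file carries no mark at all.
    # ZoneId values: 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    param([Parameter(Mandatory=$true)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file was never marked, or the volume is not NTFS
    }
    if (($lines -join "`n") -match 'ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

function Unblock-HelpFile {
    # Equivalent of Properties > General > Unblock, restricted to .chm files so the
    # function cannot be pointed at arbitrary downloads by mistake.
    param([Parameter(Mandatory=$true)][string]$Path)
    if ([System.IO.Path]::GetExtension($Path).ToLower() -ne '.chm') {
        throw "Refusing to unblock '$Path': only .chm files are handled here"
    }
    $zone = Get-DownloadZone -Path $Path
    if ($null -eq $zone) {
        Write-Host "'$Path' carries no Zone.Identifier stream; nothing to unblock"
        return
    }
    Write-Host "'$Path' is marked ZoneId=$zone; removing the mark so HTML Help renders it"
    Unblock-File -LiteralPath $Path
}

# Usage (placeholder path):
# Unblock-HelpFile -Path 'C:\Downloads\HMC45.chm'
```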


    Microsoft Ireland - MCS Infrastructure team

    Posted by mcsieinf | 1 Comments

    Assess Your Infrastructure for OS Migration and Virtualization Readiness with Microsoft Assessment and Planning Toolkit 3.1 Beta!


    No IT project can be successful unless the specific network environment is well understood. To help IT professionals and Microsoft Partners solve common migration issues and assist them in planning their virtualization efforts, the Microsoft Solution Accelerators team is proud to announce the release of the Microsoft Assessment and Planning Toolkit 3.1 Beta.


    The Microsoft Assessment and Planning Toolkit (or MAP) is the next-generation version of the agent-less assessment platform from Microsoft. In this new version, MAP has expanded its capabilities into assessment areas of Hyper-V server virtualization, desktop security, and SQL 2008 migration.  In summary, MAP 3.1 assessment areas now include:

    • Server Migration Reports and Proposals (Windows Server 2008)

    • Server Consolidation Reports and Proposals (Virtual Server 2005 R2 and Hyper-V) (NEW!)

    • Desktop Security Assessment to determine if desktops have anti-virus and anti-malware programs installed or if the Windows Firewall is turned on (NEW!)

    • Application Virtualization Assessment Reports (Microsoft Application Virtualization, formerly SoftGrid)

    • SQL 2008 Migration Assessment Reports (NEW!)

    • Windows Vista and Microsoft Office 2007 Hardware Assessment Reports and Proposals


    The Microsoft Assessment and Planning Toolkit performs three key functions: hardware and device inventory, compatibility analysis, and readiness reporting.


    MAP is based upon agent-less infrastructure scanning technology that allows users to conduct a network inventory of their servers, desktops, applications, and devices, all without installing any software agents on the machines being assessed. The tool can discover machines within Active Directory-managed domains and forests as well as workgroups.

    With the new user interface and enterprise-scale inventory engine, users can generate multiple technology migration reports and proposals for their OS migration and virtualization projects in a matter of hours.

    Additionally, MAP can generate localized desktop readiness reports in 7 languages including N. American English, German, French, Japanese, Korean, Spanish, and Portuguese.


    Fast and Zero-Touch. MAP provides secure network-wide assessment of a typical environment in a matter of hours instead of days, all without deploying software agents on the inventoried machines.

    Saves Pre-Sales and Planning Time. For most IT consultants and Microsoft Partners, a detailed network inventory and assessment of servers and desktops would typically take days of manual labor.  With MAP, they can now drastically reduce the time it takes for the same inventory to a matter of hours; allowing them more time to focus their efforts on critical pre-sales engagement tasks.  For IT professionals, it significantly reduces the time it takes to gather the information to make the business case for client and server migration as well as for their upcoming virtualization projects.

    Actionable Recommendations and Reporting. MAP offers valuable inventory and readiness assessment reports with specific upgrade recommendations and virtualization candidate reports that make it easier for IT migration and deployment projects to get off the ground and running.

    From Desktops to Servers. MAP provides technology assessment and planning recommendations for many Microsoft products including Windows Vista, Windows Server 2008, Hyper-V, Virtual Server 2005 R2, Microsoft Application Virtualization (SoftGrid), Terminal Services, System Center Virtual Machine Manager 2007, SQL 2008, and also desktop security.


    Try the Microsoft Assessment and Planning Toolkit 3.1 Beta now and spread the word to your customers and partners today!

    · Download Microsoft Assessment and Planning Toolkit

    · Listen to TechNet and Partner Readiness

    · Read Team Blog

    · Join the TechNet Forum Community

    · MAP is a member of a rich family of Server and Virtualization Solution Accelerators.

    Get Microsoft Assessment and Planning Toolkit 3.1 Beta

    Download MAP and learn more about it on TechNet.


    Learn More about Windows Server 2008 and Virtualization Solution Accelerators

    Microsoft Assessment and Planning Toolkit

    Infrastructure Planning and Design Guides

    Windows Server 2008 Security Guide

    Microsoft Deployment Toolkit


    Visit the Solution Accelerators Home Page

    See the full catalog of Solution Accelerators here.  And, join a variety of beta programs today (Live ID required).

    Also, visit our Microsoft Partners Solution Accelerators site to learn more about our partner program.


    Posted by mcsieinf | 0 Comments

    June 18th Virtual Roundtable on Windows Vista Security

    Let’s talk Windows Vista security! On Wednesday June 18th at 9:00AM Pacific Time, Microsoft Technical Fellow and desktop guru Mark Russinovich will again be hosting a live, interactive Springboard Series virtual roundtable—this time on the topic of Windows Vista security.

    As with the March roundtable on deployment, Microsoft will be taking questions from those tuning in for the live event. Questions can also be submitted in advance by e-mailing vrtable@microsoft.com.

    Give IT pros the chance to join the discussion!
    Tell them to visit https://ms.istreamplanet.com/springboard and register for the June 18th event today!

    For those who can’t tune in at 9:00AM, the roundtable will also be available on demand at https://ms.istreamplanet.com/springboard shortly after the conclusion of the live event.

    Posted by mcsieinf | 0 Comments

    New Windows Client TechCenter launched

    Microsoft has launched the new Windows Client TechCenter, merging the Windows XP and Windows Vista TechCenters with the Springboard Series lifecycle approach to ease the adoption path and give desktop IT pros a one-stop source for all of the Windows Client guidance, downloads, and community resources they need to adopt and manage Windows in a desktop environment! This offers a global IT Pro engagement platform available in 8 languages: French, Spanish, Chinese (Simplified and Traditional), German, Russian, Portuguese, Korean, and Italian.

    Strongly recommend a visit for those involved with desktop support!

    [Screenshots: BEFORE vs. TODAY - today's managed experience across the adoption lifecycle with Microsoft and external community components.]

    Key features of the new TechCenter include:

    · New “zones” for top tasks related to application compatibility, User Account Control (UAC), imaging, hardware compatibility and performance, desktop security and encryption, and networking.

    · Improved organization of resources by lifecycle phase and technical level (overview or advanced)

    · Advice from subject matter experts at Microsoft and in the community

    · New zone to support the shift to the modern desktop, to advance and simplify desktop management

    Regards

    Microsoft Ireland MCS infrastructure team.

    Posted by mcsieinf | 0 Comments