Thursday, June 26, 2008

MICROSOFT HYPER-V IS RELEASED!!!


Today, Microsoft released Windows Server 2008 Hyper-V RTM (release to manufacturing). This is the real thing, folks! No more beta. This is much earlier than the August 2008 timeframe that Microsoft announced when Windows Server 2008 was released in February.

Click here to download the RTM version of Hyper-V. In 12 days you'll be able to go to Windows Update from your Windows 2008 server and it will be listed as an optional component. As you may know, the Windows Server 2008 installation bits are cached on the local computer. When you download and install the new version of Hyper-V it will update the local cache. If you ever uninstall and re-install the Hyper-V role, it will reinstall from the updated cache (the RTM version). This means that once you update a server with the new version, you won't need to update it again (unless Microsoft releases a newer version).

We should see new Hyper-V virtualization supportability agreements for some Microsoft products, like Exchange Server 2007, within the next 60 days. System Center Virtual Machine Manager 2008 which offers both Hyper-V and VMware virtualization support should be out soon, as well.

On a side note, Rand Morimoto and I have finished writing "Windows Server 2008 Hyper-V Unleashed," published by Sams Publishing. Look for it in a store near you.

Now, go forth and virtualize!


Wednesday, June 25, 2008

Fix for Self-Update is Not Working in WSUS 3.0


I've noticed a number of WSUS 3.0 servers are coming up with the following error in the Application event log:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13042
User: N/A
Computer: WSUS01
Description: Self-update is not working.


To fix the issue, follow these steps:
  • Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate

  • Click the Directory Security tab and ensure that Anonymous Access is allowed

  • Restart IIS

Verify that the problem is fixed by running the following command at the command prompt:

C:\Program Files\Update Services\Tools\wsusutil.exe checkhealth

Then examine the Application event log for the following event:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 10000
User: N/A
Computer: WSUS01
Description: WSUS is working correctly.

As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.
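The post's fix is checked by hand in IIS Manager and the event log. The script below is an added example (mine, not from the original post) that automates the same two checks from a PowerShell 2.0 or later prompt on the WSUS server: it requests a file from the Selfupdate virtual directory on port 80 with no credentials, which is exactly what a WSUS client does, and then reads the Application log for Event ID 13042 (self-update broken) or 10000 (WSUS healthy) after running wsusutil checkhealth. The server name is a constructed placeholder and wuident.cab is an assumed file name in the Selfupdate tree; adjust both for your environment.

```powershell
# Added example, not part of the original post. Assumes PowerShell 2.0+
# (try/catch) on a WSUS 3.0 server and that the Selfupdate folder serves
# wuident.cab (assumed file name; change it if your tree differs).

$WsusServer    = 'WSUS01'   # constructed placeholder: replace with your WSUS server
$SelfUpdateUrl = "http://$WsusServer/selfupdate/wuident.cab"   # always port 80, as the post notes

function Test-SelfUpdateAnonymous {
    param([string]$Url)
    # Deliberately send no credentials: WSUS clients fetch the self-update
    # tree anonymously, so a 401/403 here reproduces the 13042 condition.
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $request.UseDefaultCredentials = $false
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return ($status -eq 200)
    } catch [System.Net.WebException] {
        Write-Warning ("Anonymous request to $Url failed: " + $_.Exception.Message)
        return $false
    }
}

function Get-WsusHealthEvents {
    # Newest first; 13042 = self-update not working, 10000 = WSUS working correctly.
    Get-EventLog -LogName Application -Newest 500 |
        Where-Object { $_.Source -eq 'Windows Server Update Services' -and
                       ($_.EventID -eq 13042 -or $_.EventID -eq 10000) } |
        Select-Object TimeGenerated, EventID, Message
}

# Run the same health check the post recommends, then read its result.
& 'C:\Program Files\Update Services\Tools\wsusutil.exe' checkhealth
Start-Sleep -Seconds 5   # give checkhealth a moment to write its event

if (Test-SelfUpdateAnonymous -Url $SelfUpdateUrl) {
    Write-Host "Anonymous access to $SelfUpdateUrl is OK"
} else {
    Write-Host "Anonymous access to $SelfUpdateUrl FAILED: check the Selfupdate virtual directory and Anonymous Access in IIS"
}
Get-WsusHealthEvents | Select-Object -First 1 | Format-List
```

If the HEAD request fails but checkhealth still logs Event ID 10000, look at the custom-port configuration: the post's point is that self-update is served on port 80 regardless of the port WSUS itself uses, so the Default Web Site on port 80 must carry the Selfupdate directory even when WSUS listens on 8530.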

Outlook Calendar Delays Explained


Some customers experience performance issues when opening other users' calendars. A delay occurs the first time they open the calendar, but subsequent access is fine. At random times the performance issue occurs again. Here's why this happens.

When Outlook accesses another user’s calendar, Exchange applies a view which restricts the user from viewing private items. This happens regardless of whether there are any private items or not. This process is run on, and controlled by, the Exchange server. The act of applying a view to a folder creates search folders in the Exchange store. Once the search folder has been created, it is cached for later use, which makes subsequent viewings faster.

Exchange doesn’t cache all search folders forever. Doing so would cause server-side delays since the cache folders are continuously updated by Exchange.

The number of search folders (also known as views) is defined at the store level in Exchange. The default is 11 and the best practice is to set it between 5 and 20 views per mailstore. It's important to note that this number is global for the mailstore and views are not shared between users.

To demonstrate, suppose John is an administrative assistant and manages 10 separate calendars. The first time he accesses each calendar, there is a delay as Exchange creates the view. After the views have been built, subsequent access is fast. Now another user, Linda, opens 6 other calendars, including the first 3 calendars that John accessed. John and Linda are in the same mailstore. In this example, calendars 1-3 are cached for Linda, 4-7 are cached for John and 8-11 are cached for Linda. John will have to wait to access the first calendar while the view is rebuilt for him. By increasing the number of views stored on the Exchange server to 20, this will not occur (10+6=16, which is less than 20).

The number of views stored on the Exchange server is held in the msExchMaxCachedViews attribute in AD. To adjust the value, use ADSIEdit to navigate to dn: CN=Mailbox Store,CN=Storage Group,CN=InformationStore,CN=Server NAME,CN=Servers,CN=AG Name,CN=Administrative Groups,CN=Orgname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com. In the right pane, right-click the mailbox store you want to adjust and edit the msExchMaxCachedViews attribute.

Setting the value too low will cause more frequent delays for users as the views are built more often. Setting the value too high will cause slow overall Exchange performance as more views are continuously updated. It should never be set higher than 50.
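As an added example (mine, not from the original post), the same change can be read and written from PowerShell with the [ADSI] accelerator instead of clicking through ADSIEdit, with the post's 5-20 recommendation and the hard ceiling of 50 enforced before anything is written. It assumes a domain-joined machine with rights to the Exchange configuration container and that you replace the constructed placeholder DN, which follows the path given above, with the real one for your mailbox store.

```powershell
# Added example, not part of the original post. Assumes PowerShell 1.0+ and
# permission to write the Exchange configuration container in AD.

# Constructed placeholder built from the post's path; replace every CN= value.
$StoreDN = 'CN=Mailbox Store,CN=Storage Group,CN=InformationStore,CN=Server NAME,CN=Servers,CN=AG Name,CN=Administrative Groups,CN=Orgname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com'

function Get-CachedViews {
    param([string]$DistinguishedName)
    $store = [ADSI]"LDAP://$DistinguishedName"
    $current = $store.msExchMaxCachedViews.Value
    if ($current -eq $null) { return 11 }   # post's stated default when the attribute is unset
    return [int]$current
}

function Set-CachedViews {
    param([string]$DistinguishedName, [int]$Views)
    # Guard with the ranges the post gives: 5-20 recommended, never above 50.
    if ($Views -lt 5 -or $Views -gt 50) {
        throw "msExchMaxCachedViews must be between 5 and 50 (got $Views)"
    }
    if ($Views -gt 20) {
        Write-Warning "$Views is above the recommended 5-20 range; every extra view is continuously updated by the server"
    }
    $store = [ADSI]"LDAP://$DistinguishedName"
    $store.Put('msExchMaxCachedViews', $Views)
    $store.SetInfo()
    return (Get-CachedViews -DistinguishedName $DistinguishedName)
}

# Size the value from the post's example: views are not shared between users,
# so the demand on the store is the sum of calendars each user opens (10 + 6 = 16).
$calendarsPerUser = @{ 'John' = 10; 'Linda' = 6 }   # constructed, from the post's scenario
$needed = 0
foreach ($n in $calendarsPerUser.Values) { $needed += $n }

$current = Get-CachedViews -DistinguishedName $StoreDN
Write-Host "Current msExchMaxCachedViews: $current; views opened by users on this store: $needed"
if ($needed -ge $current) {
    # 16 views needed, so 20 (still inside the recommended range) avoids the rebuilds.
    $new = Set-CachedViews -DistinguishedName $StoreDN -Views 20
    Write-Host "msExchMaxCachedViews is now $new"
}
```

Because the attribute lives in the Configuration partition, the change replicates to every domain controller before the store picks it up; check with Get-CachedViews against more than one DC if the delays persist right after the change.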

Tuesday, June 24, 2008

Truer Words Were Never Spoken

"Nothing in the world is worth having or worth doing unless it means effort, pain, difficulty..." -- Theodore Roosevelt

Apparently, Teddy worked for the System Center Operations Manager application development team.


Monday, June 23, 2008

Hiding in Plain Sight

Which Post-It note contains the correct password?

Paris, Here We Come!

I will be going to Paris, France next week to judge the Imagine Cup 2008 world finals. I am a co-captain, along with captains Rand Morimoto, Chris Amaris and fellow co-captain Valy Greavu.

Congratulations to the six round three world finalists! There were over 16,000 competitors and these six students won the right to be called the best of the best. They will compete in the final hands-on challenge from July 3-8 in Paris.

To find out more about the Imagine Cup and the IT Challenge, which is open to students around the world, please visit the Imagine Cup website. Be sure to sign up for the IC2009 notification list by clicking the "SIGN UP to get news about Imagine Cup 2009" link on the homepage and entering your email address.

This will be my first time in Europe and I'm very excited! I'll be taking lots of pictures and hopefully getting in a blog post or two.

Friday, June 20, 2008

Using Exchange 2007 Header Firewall

Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:

Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700

Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP server versions, that can be used by bad guys for targeted attacks. In the example above, SMTP Server id 8.1.278.0 tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1.

You can remove this information from the SMTP headers on Exchange 2007 using a concept called Header Firewall. This is done using the Remove-ADPermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge server(s), run the following one-liner:

Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing

Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet-bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.

For Exchange 2007 implementations that do not use Edge servers, use the following:

Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing

Again, replace "companyabc to Internet" with the name of the Internet-bound send connector.

Essentially, you want to remove the Ms-Exch-Send-Headers-Routing extended right in Active Directory from the last account that handles the outbound SMTP. For Edge servers that will be the MS Exchange\Edge Transport Servers account and for everything else it will be NT Authority\Anonymous Logon. Doing so strips all the internal relay entries from the header before the last Exchange server, making the email appear as if it originated from that last server.
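The two one-liners above assume you already know the connector name and whether the right is still granted. The script below is an added example (mine, not from the original post) for the Exchange 2007 Management Shell that discovers the Internet-bound send connector(s), tests with Get-ADPermission whether the trustee for your topology still holds Ms-Exch-Send-Headers-Routing, removes it only when needed, and includes a small audit function that flags Received: lines naming RFC 1918 addresses, so you can confirm on a message sent after the change that the internal hop is gone. Assumptions: the -UsesEdge switch reflects your topology, a connector is treated as Internet-bound when it carries the "*" address space, and the sample header is the one quoted in the post.

```powershell
# Added example, not part of the original post. Run in the Exchange 2007
# Management Shell. -UsesEdge selects the trustee per the post; -WhatIf
# reports without changing AD.
param([switch]$UsesEdge, [switch]$WhatIf)

$Right = 'Ms-Exch-Send-Headers-Routing'
if ($UsesEdge) {
    $Trustee = 'MS Exchange\Edge Transport Servers'
} else {
    $Trustee = 'NT Authority\Anonymous Logon'
}

function Get-InternetSendConnector {
    # Assumption: a connector with the '*' address space is the Internet-bound one.
    Get-SendConnector | Where-Object {
        $_.AddressSpaces | Where-Object { $_.Address -eq '*' }
    }
}

function Test-RoutingHeaderRight {
    param($Connector, [string]$User)
    # True when an Allow entry for the right still exists (headers still exposed).
    $grants = Get-ADPermission -Identity $Connector.Identity -User $User | Where-Object {
        -not $_.Deny -and
        (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $Right)
    }
    return ($grants -ne $null)
}

function Get-ExposedHops {
    param([string[]]$Headers)
    # Received: lines naming RFC 1918 addresses are internal hops the
    # header firewall should have removed from outbound mail.
    $rfc1918 = '\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b'
    $Headers | Where-Object { $_ -match '^Received:' -and $_ -match $rfc1918 }
}

foreach ($connector in Get-InternetSendConnector) {
    if (Test-RoutingHeaderRight -Connector $connector -User $Trustee) {
        Write-Host "$($connector.Name): $Trustee still holds $Right; removing"
        Remove-ADPermission -Identity $connector.Identity -User $Trustee `
            -ExtendedRights $Right -Confirm:$false -WhatIf:$WhatIf
    } else {
        Write-Host "$($connector.Name): header firewall already in place for $Trustee"
    }
}

# Audit of the header quoted in the post (constructed sample input): the
# 10.12.1.81 hop is exactly what the header firewall hides from recipients.
$sampleHeaders = @(
    'Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700'
)
Get-ExposedHops -Headers $sampleHeaders | ForEach-Object { Write-Host "Exposed internal hop: $_" }
```

Paste the Received: lines from a message sent to an external mailbox after the change into $sampleHeaders; Get-ExposedHops should return nothing once the permission change has replicated and the edge or hub server is stamping only its own hop.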

Random Photos from TechEd 2008


Most of these were taken at the TechEd Jam Session and the DoubleTake ClusterFunk Party.

Fun times were had by all!

Wednesday, June 18, 2008

TechEd 2008 Wrap-Up

I've been hitting the ground running since TechEd 2008 ended on Friday, June 13, so I haven't had time to blog. Lots of parties and after-hours events kept me from blogging during the conference. Somehow, free-flowing beer and hanging out with new friends seemed to take precedence. Anyhow, here is my post-TechEd 2008 wrap-up.


The Good


Making New Contacts - One of the biggest reasons I go to TechEd is to meet new contacts. Sometimes it's not what you know, but who you know, who has the right answers. I was fortunate to hang out with a good group of people with differing skill sets and specialties. It's good to know who to shoot a question to when you need a quick answer.

"How Microsoft Does IT" Sessions - Over the years, I've found these sessions very interesting and helpful, particularly for Exchange Server. It's interesting to see how the largest software company in the world manages its own infrastructure, makes mistakes, learns from them, and shares it with the IT community. I've seen strategy shift from one year to the next, based on new technologies and the way Microsoft uses them. Very interesting stuff and talking one-on-one with these folks after the sessions is very enlightening.

After Event Parties - Being an IT Pro, naturally I attended IT Pro week at TechEd. The poor Dev week guys and gals only had two parties to attend. I had to make a choice between up to four in one evening, every night of the week. The parties were of varying quality, but by far the best two parties were...

The ClusterFunk Party and Jam Sessions - The folks at DoubleTake put on an awesome party at Jimmy Buffett's Margaritaville, complete with a free flowing bar and a buffet of finger foods. These guys really know how to throw a party! Likewise, the folks at CommVault hosted the Microsoft Jam Sessions, a venue where anyone who can play an instrument is welcome to come up on stage and rock out to a music hungry crowd. Fun times were had by all! Too bad the jam sessions were limited to only one night, but I don't know where they'd fit them in any other night in the week.

Swag - While I didn't get too much swag this year, I was pleasantly surprised by the quality of it. I came home with a fistful of 1GB-2GB USB drives along with the usual plethora of t-shirts (this year's color is black, BTW).


The Self-Proclaimed "Group Policy Guru" - This was just too funny not to make it on the "Good" list. There's this guy who thinks he's all that who's been worming his way into the session circuit (I won't give his name here). Anyway, I would see him walking around the TechEd venue, placing glossy cards advertising his sessions and Group Policy training services between EVERY computer on the TechEd floor. I'm talking hundreds of these 5x7" cards. About 90 seconds after he puts them down, a Microsoft TechEd guy is picking them up. He must have had 500 of them in a box, destined for the trash. I hope they cost a bundle, but I feel sorry for the trees.

Buses - The transportation this year was perfect. Buses ran to and from the venue with great efficiency. The bus drivers were courteous and the buses were clean. What more can you ask for?

Attendee party with my Family - Due to the generosity of three other attendees who didn't go to the TechEd attendee party at Universal Studios, I was able to bring my wife and two kids with me. It's a shame that Microsoft charges $110 each for additional tickets for only 4 hours in the park. Anyway, we had a great time and were able to ride all the attractions that the kids really wanted to do. Good family time!

Chalk talks - I tend to get more out of the small formal and informal sessions led by experts. These "sessions" are more tailored to the audience and usually provide more depth than the standard sessions with hundreds of attendees. Next year I plan to attend a Birds of a Feather (BOF) session, if I can find one that appeals to me.


Steve Riley's Security Session - I was very pleasantly surprised by the very last session of TechEd 2008. It was a security session with Steve Riley that described how to build a network infrastructure that secures the data, rather than the network itself. Very interesting stuff and gave me a lot to think about on the plane ride home.

Snacks - The fresh baked cookies were a big hit. The Haagen Dazs ice cream was good, too, if you could find it. Which leads to...

The Bad


Snacks - There wasn't much of them. As a matter of fact, there wasn't really ANY of them. I'm not sure if this was Microsoft's way of sparing the environment from all those Rice Krispy Treat and candy bar wrappers or if they're trying to tell us something. In any event, we all spent a chunk of change to get here. Please don't cheap out on the snacks.

Shortened Week - This is the first year that Microsoft decided to "blow up" TechEd and turn it into two weeks - one for developers and one for IT Pros. Doing this caused two effects. The event ran for only four days instead of five. This means that I was triple or even quadruple booked with sessions running at the same time. I often had a very hard decision to make about which session to attend. It also meant that the speaker had better make an instant good impression or I'm outta here for one of the other sessions.

The other thing that happened was that the vendors had to make a choice between which week to host their after hours events. You think it's expensive to ATTEND TechEd, just imagine what it's like being a vendor. Renting space, buying food, drinks, entertainment, etc. is too expensive to do both weeks, so they have to make a choice. Some vendors, like publishers, market to both developers and IT Pros, so that makes it even more difficult. I, for one, would like to see TechEd return to one 5 day week.

Few Experts - I was disappointed to find that there were no Microsoft experts on the Microsoft show floor for particular core technologies. For example, I wanted to talk with someone about a DNS issue that a client is having, but no one on the floor could answer my question. No big deal, but I remember in past years being able to find someone who knew DFS, for example, really well.

No USB to download PPT decks - Microsoft does a phenomenal job setting up the Connect computers all over the venue. Here, you can browse the 'net, check your email, fill out surveys and check your schedule. You can also download the PowerPoint presentations for the TechEd sessions, but the workstations were difficult to access under the table with a black curtain around it. It would be nice if there were USB docks in or near the flat panel displays where you could plug in a USB drive to download the decks.


The Keynote Speech - As I wrote earlier, the keynote speech with Bob Muglia was pretty uninspiring. I still don't get the baby rattles.

Food - The lack of snacks meant that we had to depend more on breakfast and lunch for sustenance. The delivery of food was with typical TechEd efficiency, but was just OK. I'd give it a C+.

The Microsoft Party - A few years ago, it seemed that every major product group had their own party - Exchange, Microsoft MVP/Learning, MOM, etc. Times are tight now and the only Microsoft party (besides the attendee party) was hosted by the Springboard group. It was OK, I guess, if you like a party in a strip club with no strippers and you're a fan of Budweiser. Definitely could have done without the ship's siren.

All in all, I did enjoy my time there and found it very useful. I hope to see you all next year in Los Angeles at TechEd 2009!

Thursday, June 12, 2008

Best. Hat. Ever.


On the front: "Certified by Chuck Norris".
On the back: "If Chuck says we need new servers, we need new servers."

Wednesday, June 11, 2008

TechEd Jam Sessions

Last night was the TechEd Jam sessions. Only one night this year - dangit! It was a mess of fun with some very talented people on stage. So far this has been the best party I've been to.

Tonight's a big night with four different parties all happening at the same time. That's one of the problems about shortening the TechEd event - everyone wants to have a party, but they all have to compete for the same evenings. I heard from a sponsor last night that it's very expensive to have events (and booths) at TechEd, so they can only afford one week (Dev or ITPro). That sucks, because there are a lot of companies that straddle the line between those two types of professionals. Book publishers, for example.

This partying till 1AM and getting up at 7am to make my first session is getting harder every year...

Tuesday, June 10, 2008

You know it's TechEd when...

Funny looking foam lego people want to hug you.

TechEd Keynote this morning

This morning was the keynote from Bob Muglia, Senior Vice President of the Server and Tools Business at Microsoft. His speech was "IT Pro Heroes – Changing the World of Information Technology".

Now, I'm not really sure how orange baby rattles play into "Changing the World of Information Technology," but there's one on every seat.

The keynote began with an inane cartoon for Microsoft Communities that was just plain annoying. Nothing to see here. Move along, move along. Then it went into a drum/percussion performance that was, well, interesting. Ah, I see. The big orange baby rattles are maracas and they want us to play along! Um, no.

Now that that's out of the way, we can get on with the keynote.

Bob Muglia sang praises of the real IT heroes, the folks that manage the IT infrastructure. We saw a clip of how an admin used SharePoint and Groove to match people up after the Katrina disaster.

Next he talked about the state of dynamic IT in the enterprise. He said that 5 years ago Microsoft began a ten year investment to enable the dynamic IT concept. They have made substantial gains in this area and things will change even faster in the next 5 years. I totally agree with him.

There were demos of .Net (wrong group, IMHO), SAAS, Exchange Hosted Services (EHS) and SQL 2008. A good deal of time was spent talking about and demoing virtualization solutions, which proves that Microsoft has a lot invested in these technologies and plans to do a lot more in the future. There was an interesting demo of a new product MS just acquired called Kidaro.

Meh. I've seen much better keynotes.

Monday, June 9, 2008

Pre-Conference Session with Marcus Murray

Monday I attended the pre-con session, "Step-By-Step Guide to Hack-Proofing Your Microsoft Network" by Marcus Murray. Marcus is a security rock star! Very funny and engaging.

Last year he scared the hell out of me when he demonstrated how easy it is to compromise a system and domain. Since then, I've unplugged the network cables from all my servers as a security precaution, but I'm sure that would only slow him down a little.

The session was very good, but it was a little slower paced than I was expecting and hoping for. The basic security concept is "you can't fix stupid." If the users have elevated rights (by that, I mean running with more permissions than they need to have to do their work) it's very easy to compromise their machine and use it as a springboard to the rest of the network.

The takeaway is this: You must kill your users. Kill zem all.

And so it begins...

We arrived in Orlando Saturday evening and checked into the hotel in time to go to dinner and let the kids unwind in the pool. It's hot, but not too bad. My wife would respectfully disagree.

Sunday was my only free day before the festivities begin, so we did what any good tourist to Florida should do -- we went to GatorLand! Lots of fun watching gator wrestin', gator shows and eating gator nuggets. Well, I would have liked to try gator nuggets, but I couldn't talk my kids into it and my wife said she wouldn't ever let me kiss her again.

Last night I joined the Krewe at Cricketer's Arms Pub (where I'm going tonight, too). It was good to finally meet the people I've been chatting with on the Extracurricular Activities group on Connect. Good scotch and beer, too. :)

This morning I checked in for TechEd and picked up my bag. I have a security pre-conference session with Marcus Murray at 9:30am. I'm really looking forward to this, he's awesome! Sounds like a lot of people signed up for the Windows Server 2008 pre-con session, too.

I'll try to give reviews on sessions as they happen, but may end up writing just a rollup at the end of the day if I don't have time.

Saturday, June 7, 2008

I'm TechEd Bound!

We left SFO this morning at 5:30am and just arrived in Charlotte, NC. Next stop, Orlando after a brief stopover. The weather's hot here, but nice. About 90F.

Friday, June 6, 2008

New PowerShell Scriptomatic


For those of you who are familiar with the WMI Scriptomatic tool (and those of you who aren't), check out this awesome new version for Windows PowerShell -- The PowerShell Scriptomatic!

This tool will have you writing PowerShell scripts like a pro with absolutely NO experience. Imagine the fun you'll have deleting all the user accounts in the domain without having to write a single line of code yourself! Well, errr, maybe that was a bad example.

Actually, this really is a great tool to use to create PowerShell scripts without having to know the classes and objects necessary to access. Just select the WMI namespace and WMI class to access, and the PowerShell Scriptomatic will generate the correct PowerShell code. Then use this code to experiment with or add to other snippets. Brilliant!
It's great for those new to PowerShell and seasoned veterans who are just plain lazy.

New Certifications


May 2008 was a busy month for me.

In addition to writing a book, I passed five exams in the first three weeks and earned my MCITP:Enterprise Messaging Administrator (the premier Exchange 2007 administrator certification) and three MCTS certifications (SCOM 2007, ForeFront and Exchange 2007).

That makes 34 exams in a row that I've passed without failing, including my CISSP. Yes!! The streak remains unbroken!

I've put together a certifications page that lists the current certifications that I hold, which I'm rather proud of.

Tomorrow I'm off to TechEd and I can't wait! I'll be blogging at least once a day while I'm there. Check my blog all week. If you're going to TechEd yourself, I might meet you at the TechEd Blogger Ultra Lounge. See you there!

TechEd Newbie Resource Posts

As TechEd 2008 ITPro week approaches, I thought I'd provide links to the posts I've made that will help first time TechEd attendees. A sort of one stop shopping blog entry, if you will.

If you have a suggestion for future articles, let me know by posting a comment.

Thursday, June 5, 2008

VMM 2008 Managed Hyper-V VMs Won't Start


This evening our neighborhood took a large power surge due to a car hitting a power pole. Everything in the house shutdown abruptly, including my local network running Hyper-V hosts and Virtual Machine Manager 2008 (beta).

When the power returned about 60 seconds later, all my physical servers turned back on, but the Hyper-V VMs would not start. The following events were logged in the Hyper-V Event Log:

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin
Source: Microsoft-Windows-Hyper-V-Worker
Date: 6/5/2008 8:36:30 PM
Event ID: 17040
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: VM.expta.com
Description: The authorization store could not be initialized from storage location 'msxml://C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml'. Error: General access denied error (0x80070005).

Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin
Source: Microsoft-Windows-Hyper-V-VMMS
Date: 6/5/2008 8:36:44 PM
Event ID: 15500
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: VM.expta.com
Description: 'EDGE STD x64' failed to start worker process: The extended attributes are inconsistent. (0x800700FF). (Virtual machine ID 118D4321-2B6D-4DE3-B1F0-E55BCD1DCD60)

To fix this problem, uninstall the VMM 2008 Local Agent and reinstall it. Catastrophe averted!
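Before reinstalling the agent, it helps to confirm you are looking at the same failure. The script below is an added example (mine, not from the original post) for PowerShell 2.0 or later on the Hyper-V host: it pulls Event IDs 17040 and 15500 from the two Hyper-V logs named above and then checks whether NETWORK SERVICE, the account the 17040 event runs as, has a direct read entry on the VMM authorization store at the path quoted in the event. The store path and the account name are taken from the event text; the check only looks at direct ACEs, so access granted through a group would not be seen (an assumption worth knowing when reading its result).

```powershell
# Added example, not part of the original post. Assumes PowerShell 2.0+
# (Get-WinEvent) on the Hyper-V host; path and account come from the
# 17040 event quoted above.

$AuthStore = 'C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml'
$Account   = 'NT AUTHORITY\NETWORK SERVICE'

function Get-HyperVStartFailures {
    # 17040 = authorization store could not be initialized (Worker log),
    # 15500 = VMMS failed to start the worker process (VMMS log).
    'Microsoft-Windows-Hyper-V-Worker-Admin', 'Microsoft-Windows-Hyper-V-VMMS-Admin' |
        ForEach-Object { Get-WinEvent -LogName $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Id -eq 17040 -or $_.Id -eq 15500 } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

function Test-AuthStoreReadable {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path $Path)) {
        Write-Warning "Authorization store not found: $Path"
        return $false
    }
    $readFlag = [System.Security.AccessControl.FileSystemRights]::Read
    # Direct Allow ACEs only; membership in groups such as Users is not resolved here.
    $allow = (Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readFlag) -ne 0)
    }
    return ($allow -ne $null)
}

Get-HyperVStartFailures | Format-List

if (Test-AuthStoreReadable -Path $AuthStore -Identity $Account) {
    Write-Host "$Account has a direct read ACE on $AuthStore; the access denied error is not a simple file ACL problem"
} else {
    Write-Host "$Account has no direct read ACE on $AuthStore; reinstalling the VMM 2008 local agent, as above, recreates the store with its permissions"
}
```

Run it again after the agent reinstall: the 17040 and 15500 events should stop appearing with new timestamps and the ACL check should report the direct read entry.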

New TechEd Airline Check-in Service

Open Thursday, June 12 and Friday, June 13
7:00am–6:00pm

South Hall A1 next to Registration

New this year for TechEd attendees!

Airline Check-in is a full-service, multi-airline remote skycap operation that offers issuance of boarding pass and luggage receipts. The next time you’ll have to think about your luggage will be at your final destination!

Airline Check-in service is available to all attendees departing on domestic flights from Orlando International Airport on American, Alaska, Air Tran, Continental, Delta, JetBlue, Northwest and United Airlines. You must have your luggage checked in a minimum of three hours before your flight departure time.

Remember, this service is only valid for flights departing on June 12-13.

Check Your Bags
Enter Event ID: 15019 and Passcode: microsoft to check your baggage and receive your boarding pass. Online check-in service fee is US$5 per person.

Walk-up airline check-in at the OCCC is US$10 per person.

Airline Check-in is also available at the Rosen Centre and Rosen Plaza hotels.

Check your bags here!