CSCuf35678: When VLAN port count optimization (VLAN compression) is enabled on a Cisco UCS 6200 series fabric interconnect, traffic no longer stops if an uplink port channel port goes down. Around since 2.1(1a)

CSCuf60988: Virtual fibre channel ports are no longer error disabled on one FI when the server is rebooted. Around since 2.0(4a)

CSCud60746: The system no longer runs out of memory when Call Home is enabled. Around since 2.0(2a)

CSCug93076, CSCug93221, CSCug98662: The Cisco UCS B200 M3, B22 M3, and B420 M3 blade servers no longer experience non-correctable memory errors during booting. Note: There are specific upgrade steps needed which include powering off the host. Around since 2.0(5b)

CSCug40752: The KVM console now supports Java 1.7 update 17 and Java 1.6 update 43. Around since 2.1(1a)

Of course if you have a test environment, then run the firmware through its paces before pushing into production. But given 2.1 has been out a while and just minor bug fixes have been released, it’s probably pretty safe to seriously consider jumping to 2.1 if you are still on a 2.0 or prior baseline. 2.1 proper added a host of new features.

The post Cisco UCS Firmware 2.1(1F) Released appeared first on Derek Seaman's Blog.

A lot of differences in both products were not discussed, and would take a lot more time than 75 minutes. But it’s clear with Windows Server 2012 R2 and System Center 2012 R2 that they are making rapid and big strides in the private cloud and virtualization arena. Now that VMware and Microsoft appear to be on a yearly release cadence, I see the “Cloud OS” battle really heating up. MS has a lot of ground to make up, and they clearly knew it.

Private Cloud Technologies

Speaker acknowledges this is not a perfect comparison, as some products from each vendors package up features differently. For example, vCloud Director does a lot more than just self-service, but MS VMM has vCloud directly-like functionality not found in vCenter. So you can’t exactly line up products and say they are the same. But combine the entire stack from each vendor to really see how they shape up instead of doing per-product comparisons.

• Hypervisor: Microsoft – Hyper-V; VMware – vSphere Hypervisor
• VM Management – Microsoft – VMM; VMware – vCenter Server
• Self-Service – Microsoft – App Controller; VMware – vCloud Director.
• Monitoring – Microsoft – Operations Manager; VMware – vCenter Operations Management Suite
• Protection – Microsoft – Data Protection Manager; VMware – vSphere Data Protection
• Service Management – Microsoft – Service Manager ; VMware – vCloud Automation Center
• Automation – Microsoft – Orchestrator; VMware – vCenter Orchestrator

Private Cloud Software Licensing

For both suites both vendors license the products by the socket basis. You can buy some VMware products a la carte, and some lesser known products aren’t included in the vCloud Suite. So depending on what features you need, you may need a different set up products.

• Microsoft – System Center 2012 SP1 (per socket) & Hyper-V
• VMware – vCloud Suite & vCenter

Key Focus Area for this Session

• Granular App & Service Deployment
• Deeper insight and remediation
• Protection for key apps andworkloads
• Hybrid Infrastructure
• Costs

Granular App & Service Deployment

• On VMware you use templates to deploy standardized templates. Templates are simple, but static.
• In VMM you also have a dedicated Library to VM templates (like VMware) and service templates
• In VMM you can have lots of templates all pointing to the same VHDX image (templates can have different features/etc.). Or small, medium, large, etc. templates all pointing to the same OS image.
• In VMM you can add roles/features to the guest VM template and capture them in the template
• You can have separate guest profile, and can marry up them with a hardware profile and a VDHX image without using any extra disk space
• In VMM you can add applications, such as SQL, and easily create a template
• VMM can directly configure App-V server packages and inject them into the VM template
• VMM 2012 has a concept of service templates. Service template allows you to build and model multi-tier services. Ability to configure scale out rules, for example. Drag and drop VM templates onto a canvas and you can customize the VM properties.
• Anything you can do in VMM you can do in PowerShell
• VMM is more about delivering services to the business unit, not just deploying individual VMs
• “Create Cloud” button in VMM. Defines resources, networks, load balancers, VIP templates, Port classifications (NIC), Storage, library, define capacity quotas (vCPUs, memory, storage, VMs, etc.). Ability to select hypervisor (Hyper-V, VMware, XenServer).

Service Manager

• IT self-service management portal, built on SharePoint (also a full helpdesk ticketing system)
• ITaaS offering
• Plugs into VMM, Orchestrator
• BI is built into service manager for deep reporting
• Download “Cloud Service Process Pack” which pre-configures VMM, Service Manager and Orchestrator for a self-service VM portal

Orchestrator

• Custom automation with minimal scripting needed
• MS Orchestrator has a lot of plug-ins for third party products and hardware (integration packs)

Operations Manager

• Extensible with MS and third-party management packs. Veeam MP can do deep monitoring of VMware environments.
• Veeam MP is not free, so if you want to monitor VMware with SCOM you will have to license the excellent MP
• OpsMgr can also monitor network infrastructure (switch CPU usage, memory, port-level stats, etc.)
• Maintains the relationship between VMs and physical hardware such as switch ports, etc.
• Server-side, client-side and synthetic transactions for application monitoring
• Global Service Monitor (GSS) – MS Azure based global services that will test your private cloud app

Visual Studio Integration

• VMM Library is accessible from Visual Studio
• Team Foundation Server can use the “Test & Lab Manager” which will spin out VMs for automated dev testing via VMM

System Center Advisor

• Provides configuration guidance around specific workloads (SQL, etc.) for troubleshooting. Free from MS.

Data Protection Manager

• Supports Windows server, SQL server, SharePoint, Exchange, Dynamics
• Up to every 15 minute differential backups
• DPM can backup to Azure and tape
• Changed block tracking for VM backups
• Cluster aware – integrates with CSV
• Item-level restore
• DPM has no inline dedupe, but VMware data protection does

Heterogeneous Environments

• VMM can connect to and provide basic management of vCenter
• Can use VMM service templates on VMware hosts
• Many integration and management packs for third party software and hardware (HP, NetApp, Cisco, etc.)

Hybrid Infrastructure

• Private cloud (VMM can manage XenServer, vSphere, Hyper-V)
• System Center can link to Service Provider and Azure
• Single Sign on with AD (Azure)
• Integrated with DEV (Team Foundation)

Cost Scenario

Cost scenarios can be extremely tricky and misleading. Plus large enterprises will likely get big discounts from both VMware and Microsoft. So take the numbers below with a grain of salt. Not in the cost calculation is the cost of the guest operating systems, since it was assumed both used the same OSes so the cost was a wash. The costs were only for the hypervisor and cloud stack.

The speaker didn’t mention the Microsoft ECI license (enrollment for core infrastructure). This combines the operating system and system center stack licenses into a single SKU, licensed by the socket. The datacenter edition of ECI allows unlimited VM deployment and management using all cloud features. Even if you are a 100% VMware shop for the hypervisor,  you may still have the ECI license if you use system center components (such as SCCM or SCOM). So you may already be fully licensed from the MS perspective and incur no additional software costs for the MS cloud stack.

• Example: 500 VM Private cloud; 15:1 VM to host ratio; 34 hosts, 2 sockets with 16 cores; Windows Server licensing additional; comprehensive management; 68 licenses of Windows server datacenter
• 68 CPUs Hyper-V: $0; 68 CPUs of System Center $122K
• 68 CPUs vCloud Enterprise Suite $781K, vCenter $5K

The post TechEd: Comparing Microsoft and VMware Private Clouds (MDC-B352) appeared first on Derek Seaman's Blog.

The speaker was very knowledgeable and really explained the security features very well. If your organization is concerned about client security, then keep reading. The bottom line is that for BYOD, with Windows 8.1 you can leverage the TPM to validate the device is trusted and can connect to resources. You can also leverage virtual smart cards to provide remote two-factor authentication from tablets or other devices without having a physical smart card.

Agenda

• Biometric fingerprints – Moving beyond passwords
• TPM Key attestation
• Establishing user identity on BYOD devices

Passwords

• Very hard to type on touch surfaces
• Easily phishable
• Hard to remember
• Passwords are not sufficient to keep users safe
• Passwords are easily re-playable
• Passwords are symmetrical
• Users often re-use passwords
• 10,000 most common passwords would have accessed 98.1% of all accounts

Biometrics: Beyond Login

• Need low false rejection rate
• Fingerprints are the best method with today’s technology
• Goals for Windows 8.1: Ease user’s struggle to enter credentials on touch devices
• Built-in Windows experience (no third party add-ons needed)
• Introduce a new “touch” fingerprint sensors. Swipe sensors suck.
• Light up a few engaging scenarios
• Test user group loved the simplicity – very intuitive and quick. Single quick tap logs you into the system.

Demo

• Showed a demo that just by touching the sensor it logged her in to her enterprise AD account. No need to specify a profile or username. Windows knows what account the biometric is associated with.
• Touches with a different enrolled finger and shows her personal local account. Again, no need to specify an account.
• Shows that in the Windows app store it required a biometric authentication to complete a purchase.
• In-app purchase can also be biometric enabled as well
• An app (such as a banking app or tax app) can require biometric authentication before providing access
• The API only returns yes/no to the app, not any credential information
• Showed logging in with a VPN connection via a quick tap

Hardware TPM and Keys and Certs

• TPM KSP to generate certificates with keys sealed by TPM
• Admin CA templates to select TPM KSP
• Customers want to guarantee that the key or cert is actually protected by the TPM
• Customers want to limit what TPMs are trusted for BYOD
• Solution: TPM Key attestation
• Users should perform sensitive operations from trusted devices
• A strong binding between user and device hardware

TPM Key Attestation

• EK: Endorsement key – Inserted at manufacturing time. Keys can not be tampered with or exported. Very unique and can be used at geolocation information.
• EKCert: Endorsement certificate – Some TPMs ship with EK certificate that chains up to a trusted root
• AIK: Attestation identity key – An intermediate key to hide EK in protocol due to privacy concerns
• PowerShell commands to pull EK public keys so only known devices are trusted
• Certificates issued to devices have a special OID (object ID) to signify TPM key attestation
• Certificate shows three new properties showing TPM attestation
• Microsoft v4 certificate template. New tab on a CA cert “Key attestation”

Certificates

• Simple Certificate Enrollment Protocol (SCEP) – Designed by management of mobile and routers/switches (10+ years old)
• Windows 8 did not support SCEP
• Most MDMs know how to provision SCEP certs for iOS devices
• Server component protocols had many security vulnerabiliites which are now addressed in Windows Server 2012 R2 servers
• Windows 8.1 will natively support SCEP
• SCEP APIs are available to any MDM software

Smartcards

• Modern world you can’t easily plug a smartcard reader into tables
• Two factor authentication: Virtual Smart Card
• Virtual smart cards enables devices to be used as a virtual smart card
• TPM provides three most important features of smart cards: non-exportability, isolated crypto, anti-hammering
• Not all TPMs have consistent blocking policies, so MS inserted a software layer to buffer and keep consistent blocking policies
• Virtual smart card acts and looks exactly like physical smart cards in every sense for all OS and application purposes

Virtual Smart Card

• 2 factor authentication for local and remote access
• Client authentication/mutual auth SSL
• VSC redirection for remote connections
• S/MIME email encryption
• Bitlocker keys for data volumes (e.g. drive cannot be removed from the device)

Windows 8.1 VSC

• MSIT pilot moved to production. 7K enrolled on Surfaces, 75K on x86 machines
• VSC on Surfaces enables PIN and remote access apps

Summary

• Passwords are NOT safe anymore
• With Windows 8.1 we offer several methods to fix authentication fiasco with stronger user credentials
• Rooted in hardware, based on asymmetric secrets, strong multi-factor authentication
• Biometric data is only stored on the device, and NEVER in AD or other applications.

The post TechEd: Windows 8.1 Security Enhancements (WCA-B375) appeared first on Derek Seaman's Blog.

Imaging Process

• 1) Identify requirements for the master image – Use the new PoC offering to capture requirements
• 2) Create automated image engineering task sequences using MDT 2012 U1 deployment workbench
• 3) Automate as much as possible using MDT functions and scripting
• You can fully automate the WIM build process and even bake-in Windows update patches

Identify Requirements

• 32-bit or 64-bit or both? Look at both hardware and software compatibility. Best bet is to do both.
• Thick, thin or hybrid images? Thin image is just the base OS with only minor changes/additions. Thick image is packed with applications and changes. Thick images are good for call centers or training labs.
• Deployment – How will the image be delivered to client machines? MDT can create images used for any deployment method be it MS or third-party tools

How about Office?

• Recommend to bake Office into the image.
• Able to automate the Office installation through transforms

Proof of Concept Jumpstart Kit (Free)

• Proof of concept jumpstart offer on connect. Lots of documents and pre-created scripts. Download: Windows 7 kit Windows 8 kit
• Hydration kit creates 5 pre-configured VMs for a DC, MDT, and other services with pre-created customized settings and eval OS images
• Contains infopath form to walk you through the configuration requirements gathering process
• Solution Kit for Win8 adds a lot of custom tasks not in the base MDT kit

Deployment Basics

• Build a reference image answer file (XML file) – Windows SIM (system image manager)
• Create Bootable Windows PE Media – Windows ADK
• Build and Capture a reference device – WinPE/DISM/ImageX
• Build a deployment answer file – Windows SIM
• Migrate data and settings – USMT
• Deploy reference image – WinPE/DISM/ImageX

MDT 2012 Update 1

• Basically just a file share with all the components needed to build the image
• MDT is a platform that simplifies and automates the build process

Image Engineering Process

• Install the vanilla operating system (Windows 8) – Use a VM for this
• Customize the OS and install core applications/utilities
• Sysprep and capture the machine with imagex (creates .WIM)

Other resources: Deployment Guys blog

The post TechEd: Building Windows 8 Image Engineering (WCA-B351) appeared first on Derek Seaman's Blog.

Introduction

• Three primary goals: Cloud scale performance and diagnostics; Comprehensive SDN, core infrastructure enhancements
• Requirements to transform networking:
• 1)  Deliver networking as part of a pooled resource, automated infrastructure
• 2) Ensure multi-tenant isolation, scale and performance is what you expect
• 3) Expand datacenter capacity seamlessly as per business needs
• 4) Reduce operation complexity
• What is Software Defined Networking (SDN)? Enables software to dynamically manage the network
• 1) Abstract virtual networks away from physical networks (allow flexibility)
• 2) Spanning policies across physical and virtual networks
• 3) Controlling datacenter traffic flow

Hyper-V Network Virtualization (HNV)

• Multiple virtual networks on a physical network
• Each virtual network has an illusion it is running as a physical network
• Overlays physical network
• Encapsulating using NVGRE protocol
• Workload owner Benefits: Seamless migration to the cloud, move n-tier topology to the cloud, preserve policies VM settings, IP addresses
• Enterprise benefits: Private cloud datacenter consolidation and efficiencies, extension of datacenter into hybrid cloud, incremental integration of acquired company network infrastructure
• Hoster benefits: Bring your own IP, bring your own network topology, scalable multi-tenancy

Windows Server 2012 R2 Enhancements

• HVN is part of the Hyper-V switch (prior to 2012 R2 it was a NDIS filter)
• Dynamically learn customer addresses
• Support Hyper-V clustering
• Enhanced performance and diagnostics
• Able to ping the default gateway (if allowed)

Hyper-V Networking Virtualization Concepts

• VM Network: Network isolation boundary; routing between VM networks must be explicit; comprised of one or more subnets
• Virtual Subnet (VSID): Broadcast boundary
• Routing between VM networks is via gateways (now built-in to WS2012 R2, or use third party)
• Able to re-use IP addresses in different VM networks (bring your own IP)
• Two kinds of gateways:
• 1) Default gateway (.1), routes between VMs on different virtual subnets. Built into the HNV filter running on each host
• 2) HVN gateway: Required to communicate outside a virtual network. Comes in different forms (VPN for site-to-site; load balancing and NAT for internet access; forwarding gateway for in datacenter physical machine access).
• Partners can also provide gateway (F5 Big-IP software gateway, Iron Networks, and others)
• Encapsulation: Network virtualization using Generic Routing encapsulation (NVGRE). Provider packet/IP is what the physical networks see, customer packet is encapsulated inside the provider packet and is what the VM see. Provider IPs must be routable on the physical network.

HVN Architecture

• HVN is automatically enabled for all adaptors
• New hybrid forwarding in Hyper-V switch
• New in R2 is the ability of switch extensions (e.g. Nexus 1000v) can see provider and customer packets, not just customer packets like in WS2012
• Combination of SR-IOV and HVN is not currently supported (since packets bypass the virtual switch). SR-IOV is designed for only extremely high traffic and trusted VMs.

Learning IP Addresses in Virtual Networks

• New to WS2012 R2 is the ability to learn IP addresses in the customer space, vice explicit addresses set in 2012
• Broadcast/Multicast support is new in R2
• Enables new scenarios (DHCP in the virtual network, host and guest clustering)
• Efficient implementation (uses hardware for Provider Address multicast if configured)
• if no HW multicast is configured it falls back to intelligent provider address unicast replication – Only one unicast packet not matter how many VMs are on the host
• Supports many address resolution protocols: DAD, NUD, ARP for IPv4 and IPv6
• Reliable ARP proxy

Enhanced Performance and Diags

• HNV + NIC Teaming is now allowed (new in R2)
• Inbound and outbound spread on virtualized traffic
• NVGRE Encapsulated Task Offload – Most offloads break when using NVGRE (LSO, RSS, VMQ)
• Emulex and Mellanox announced NVGRE task offload in hardware
• Showed a graph where Emulex shows line speed throughput with offload, with big decrease in CPU utilization
• Look for the Message Analyzer (new netmon) is in beta – Can decode NVGRE packets. Can filter on CA or PA packets
• Ping -p allows you to ping provider IPs
• In CA address space you can use test-vmnetworkadapter
• HVN responds to ICP request to the default gateway – Allows pinging the IP address of the CA default gateway

The post TechEd: Hyper-V 2012 R2 Networking Deep Dive (MDC-B380) appeared first on Derek Seaman's Blog.

Background

• The problem is that the internet is a source of a lot of good, with easy and instant IP connectivity.
• The information that is worth money is stored on a computer (criminal organization, intelligence agency are after your data)
• A lot of different organizations hack for various reasons. A logging company in Brazil hacked a rainforest quota system so they could log more and make more money.
• Hackers use your own systems against you. They take your admin credentials and the consequences can be deadly. 99% of the time they hack you for data/IP theft.
• The bad guys have the power to completely erase your data and render PCs unbootable if they wanted. An example was shared of a middle east oil company where 75% of the company’s 30,000 PCs were completely wiped and data files replaced with an animated gif of a burning American flag.
• Lateral movement: A attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
• Privilege escalation: The attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

Attacks

• Typical pass the has attack:
• 1) Starts in a phishing email or watering hole attack (find a place users already goes, and stake it out by compromising the website) and targets workstations in masse. System needs to be compromised at the system-level, not just in the user space.
• 2) Running as local admin the bad guys takes credentials for lateral traversal
• 3) Bad guy acquires domain admin credentials
• 4) Bad guy has direct or indirect access to read/write/destroy data and systems in the environment
• If all computers have the same local admin password, then one compromised PC has compromised all PCs
• Removing admin rights from users significantly raises the bar on compromising a PC. Zero day exploit, unpatched application, etc.
• Most pass the hash attacks are human speed attacks (not automated malware) using a remote human controller (remote shell)
• Windows credential editor v1.4 beta by Amplia Security (download link)
• wce -w can also display plain text password as well
• wce has early code for using “pass the ticket” (Kerberos) attacks, but very uncommon
• pwdump7.exe was also demoed
• Easily can recompile the wce binary to hide from A/V software
• In real world attacks a complete domain can be compromised in 6 minutes to 24 hours
• Why can’t Microsoft just patch this? Local admins own the box, so they can look at any aspect of the OS and dump the passwords. MS should change the entry points, encryption, etc. and hackers will quickly release new tools. Microsoft hinted something was coming down the pipeline in the future to help, but was extremely vague.

Practical Mitigations

• Download the full Microsoft whitepaper for PtH mitigation here. Check back for the June 2013 version, as a new version will be released shortly.
• Mitigation 1: Restrict and protect high privileged domain accounts. Excellent effectiveness. Medium effort required.
• Don’t allow domain admins to logon to workstations
• Don’t create service accounts that use domain admin creds
• Mitigation 2: Restrict and protect local accounts with admin privileges. Excellent effectiveness. Low effort required.
• Explicitly deny network and remote desktop logon rights for all administrative local accounts
• Create random passwords for local accounts with administrative privileges
• Mitigation 3: Restrict inbound traffic using the Windows firewall. Excellent effectiveness, medium effort required.
• “Local account token filter policy” should be enabled (don’t set this to 1) as it opens up to pass the hash attack
• Whitepaper updated this week for Lync peer-to-peer considerations
• If you implement these three mitigations, then you are head and shoulders above nearly all other organizations. Attackers will have a much harder time in compromising your systems. Certainly doable, but these raise the bar significantly.

Other Mitigations (that don’t help that much)

• Disable NTLM (very costly in terms of implementing and testing. Likely break A LOT of software/hardware like printers)
• Smart cards and multifactor authentication (random password hashes are still stored and  used in the background. They are static hashes that never expire, so almost worse than password hashes that require regular changing)
• Jump servers (has good value for other reasons, not just pass the hash). Keystroke loggers and other malware reduce their effectiveness for PtH attacks.
• Rebooting workstations and servers. Many service accounts and services may use domain credentials, so they are cached upon reboot.

Microsoft also showed off a high level diagram of a security architecture that drastically mitigates PtH attacks. Microsoft professional services. The slide below shows the high level enhanced security environment.

The post TechEd: Pass the Hash: Preventing Lateral Movement (ATC-B210) appeared first on Derek Seaman's Blog.

Windows 8 is worth trying out

• Best reason: Domain join your tablet
• Learn the shortcut keys to navigate Windows
• Windows Key + D get back to the desktop from the start screen
• Windows + E Opens Explorer
• Windows + . (cycles through snap options)
• Windows + z (shows options)
• Alt-F4 closes Modern app windows
• Windows + x (lots of goodies)
• Windows + c (for charms)
• Windows + I (settings)
• Windows Page Up/Down swaps Modern screen on dual monitors
• Windows + o locks orientation

Understanding the new Apps

• Modern Apps, Windows Store Apps, Immersive Apps
• Very sandboxed and extremely hard to write malware within the app
• You can screw up your own profile settings but not system settings
• Non-admin users can install apps
• App deployment story is quite different
• Four ways to get a store app:
• 1) User installs it herself with the Windows Store application
• 2) User installs it himself from a private “company app store” the admin created
• 3) User finds a provisioned app that is on the computer (up to 24 apps)
• 4) User runs a PowerShell command “add-appxpackage” to install the app (side loading)
• Codeplex has a free Company app store tool
• If an administrator installs a Modern app, it does NOT install it for all users. Only the user can install apps for themselves.
• Provision apps in your image
• Each 64K of an appx package has a hash, and if any byte changes, the app kills itself
• To provision a Modern app you must have the appx package. You can’t get the appx package from the app store yourself. You must contact the developer/company to get the package.

Sideloading Apps

• Group policy setting to enable side loading
• Win8 home cannot side load
• Only WindowsRT and Windows 8 Pro/Enterprise can sideload
• Applications must be digitally signed (can use your own CA)
• Enterprise comes with a license to sideload, must be purchased for professional
• Powershell: import-certificate to load a certificate into the Windows store
• Domain joined enterprise server has a built-in free license
• Windows Professional requires license (MS sells them for $30 each in packs of 100)

New Cool Stuff

• Native 4K support (faster, cheaper, bigger drives)
• Windows 8 recognizes SSDs and turns off defragmenter and uses the TRIM command
• Most of the new SAN like storage spaces from server 2012 are in Windows 8
• You could mount ISOs and VHDs from Explorer
• Chkdsk is way smarter and faster
• chkdsk /f /sdcleanup driveletter: finds and removes dead SIDs on ACLs
• chkdsk /scan runs at low priority several times a day and makes mental notes on stuff to fix later
• chkdsk /spotfix will just fix the list of problems
• Powershell: repair-volume (but does NOT warn you when it takes a volume offline)
• Recovery tip: make a recovery stick
• F8 doesn’t take you safe mode anymore
• Create a recovery disk on a USB stick from the control panel (search on “recovery”)

Security Upgrades

• UEFI support means “secure boot” which means rootkits and bootkits are nearly impossible
• Hyper-V 2012/R2 can now create UEFI VMs
• Early launch anti-malware protection (ELAM)
• Defender protects against malware now
• Look at “offline defender” for cold scanning a suspected infected machine

PowerShell Goodies

• 2000+ PowerShell commandlets
• disk cmdlets: get-volume, clear-disk, get-tpm, set-partition changes drive letters easily
• networking: add-vpnconnection, set-dnsclientserveraddress, get-smbopenfile
• -scheduledtask commandlets
• printing: get-printerdriver, add-printerdriver (admin rights needed), add-printer, get-printer,

Other Goodies

• Use the Windows 8 ADK tomake a bootable USB stick:
• makewinpemedia /ufd c:\winpe4-64 h:
• WinPE 4.0 supports PowerShell
• “Refresh” returns your PC back to a known state
• Roaming profiles can be limited to “primary” PCs using set-aduser to limit roaming settings
• powercfg /batteryreport

The post TechEd: Prospecting for Windows 8 Gold (WCA-B360) appeared first on Derek Seaman's Blog.

Although not mentioned in this session, the combination of Hyper-V 2012 R2 and Windows 8.1 for VDI could be compelling for organizations concerned with high security. Since Hyper-V supports UEFI native booting and secure boot, you can now (with third party add-ons designed for Government/defense industry) provide remote attestation and assured device health for VDI. You could even go as far as bitlocker volumes for Hyper-V VM storage, for full encryption with virtually no overhead. The session notes below provide the name of companies gearing Windows 8 remote attestation solutions for the defense sector.

Introduction

• Windows XP SP2 was a huge release in terms of security
• Vista was a new security model, at the sacrifice of app compatibility
• Windows 8 investment areas: Malware resistance, securing the boot, securing the code and core, and securing the desktop
• Protect sensitive data – Securing data with encryption
• Modern access control – Securing the sign-in, secure access to resources
• Trustworthy hardware – UEFI, TPM
• Windows 8 started the move away from passwords (virtual smart cards, TPM, multi-factor authentication, etc.)
• Windows 8 certified hardware is much more secure (required to support UEFI, secure boot)

Challenges in preventing Malware

• Malware could compromise the PC before Windows even starts
• Malware can hide from anti-malware software
• Passwords aren’t good enough

UEFI 2.3.1

• Replacement for the traditional BIOS
• Key benefits: Architecture-independent
• Enables: Secure boot, encrypted HDs, network unlock for Bitlocker
• A Windows 8+ certification requirement
• UEFI bootloaders are being signed for some Linxus distros
• “Encrypted harddrive” have new firmware that fully supports Windows encryption features. “Self-encrypting HDs” are legacy and not supported by Windows for key management. “Encrypted HD” models are just now starting to show up in the market, so don’t get a “SED” (self-encrypting drive).

Securing and Maintaining UEFI

• UEFI requires firmware to be signed
• UEFI firmware updates can come through Windows update
• Unsigned options ROMs can not run
• UEFI can never roll back to a previous version
• Secure root of trust, knowing that the platform is very secure

TPM 2.0

• Enables commercial-grade security via physical and virtual key isolation from OS
• Intel Haswell will support a firmware-based software TPM (lowers costs for OEMs)
• Intel Atom has built-in TPM-like functionality
• TPM functionality will now start trickling into consumer devices
• In 2015 MS will require all certified devices to have TPM functionality

Securing the Core

• SDL – Secure Development Lifecycle started back in the XP SP2 era to address major security vulnerabilities
• In Q3 2012 the Kaspersky report has no MS products in the top-10 vulnerability list
• ASLR, DEP, Windows Heap are all much more secure than Windows 7
• Entire sections of the Win7 core were NOT covered by DEP and ASLR
• Windows 8 in whole has DEP and ASLR used across the code base
• 8 bits of entropy in Win7, now 32-bit entropy in Windows 8

Securing the Boot

• Trusted Boot – Hardens the end to end boot process
• Protects all system boot components and the anti-malware driver (ELAM)
• Ensures defenses are running before malware goes a chance to start
• Automatic remediation/self healing if compromised
• Measured boot – Comprehensive set of integrity measurements

Securing the Sign-In

• New sign-in options with varying security
• Passwords, pin and picture password
• MS uses an 8 character PIN code (most companies use 6)
• Picture passwords are not ideal in the enterprise. More a consumer feature.
• Securing Option GPO policy (puts the device into a recovery mode if using boot locker if a brute force password attack is detected)

Securing the System Post Boot

• Trustworthy apps from the Windows Store
• ISV onboarding and app screening process
• Community based ratings and reviews
• WinRT apps are all sandboxed from the start, but the apps can talk to each other but gated between apps
• DLLs are public and any app can call them. So the WinRT platform gates which features apps can call in other apps, to limit exploits spreading
• IE10 – Smart screen, enhanced protected mode

Securing Resources from Unhealthy Clients

• Traditional access control is based on ACLs and user validation (not device health)
• Modern method in Win8: Add vetting of a device security state to the access decision making process
• Leverages Windows 8 measured boot, remote attestation, enhanced access control (server side)
• MS has a current solution for Government and Defense customers since ISVs have been slow to adopt (solutions out later in 2013)
• McAfee and Symantec
• JW Secure, General Dynamics C4 Systems, ID Data/Web, DMI are four companies to offer device attestation solutions

Win8 Security Success

• Showed a graph of malware infections
• Windows 8 3x less likely to be infected with malware (no malware solution present). 2.7 per 1000 impacted (Win8 x64)
• Windows 8 6x less likely to be infected when anti-malware software is installed. 0.2 per 1000 (win8 x64)

Windows 8.1 Threat Background

• Modern threats: cyber-espionage, cyber-warfare, state sponsored actions (unlimited resources), assume breach (protect at all levels)
• All sectors and even suppliers are now under attack, and supply chain
• Without UEFI you can’t protect yourself against bootkit threats
• You are now dealing with the digital equivalent lent of Seal Team Six attacking you
• Lockheed Martin publically stated they can protect themselves, but attackers are going against sub-contractors

What’s new in Windows 8.1

• “Provable PC Health”
• Utilizes free cloud MS services. MS will have a huge database of all known hashes for all MS products, certified drivers, and other products/drivers.
• Windows client will send hash values for a large amount of system values to the cloud for verification
• Protects against Flame-like attacks
• Sent data is completely anonymous – Triggers machine remediation

Windows 8.1 Defender and IE 11

• Windows Defender – Adding high performance behavior monitoring. Identifies malicious patterns of behavior based (file registry, process, threads, etc.)
• IE 11: API available that enables anti-malware solutions to scan before execution

Windows 8.1 Demo

• Showed a touch-based surface for biometric authentication device
• Device injects a current into your finger to detect if the finger is alive or dead
• Showed instantly signing in with near 100% accuracy. No swiping. Just tap the sensor and instantly get your desktop.
• Apps can ask for biometic authentication at any time, even after you sign in. A split-second tap is all that is required.
• Could add biometric authentication for file access to app specific files (not yet in Explorer…app specific).

The post TechEd: Windows 8 and 8.1 Security Enhancements (WCA-B210) appeared first on Derek Seaman's Blog.

Hinted at in this session, and other sessions, is a possible roadmap feature where Microsoft would provide pre-configured gallery templates for certain Microsoft products like System Center and SQL. You would then be able to tweak the config, and easily built up a service catalog, and deploy MS services on Hyper-V in a highly controlled, standardized, and automated way. The R2 Windows Server and System Center release have a lot of the building blocks to enable those features in the future. Given the accelerated release cadence of MS’s cloud platform, customers will get new features much faster than they historically have.

Introduction

• MS is hyper-focused on consistent cloud experience across the clouds (on-prem, Azure, service provider) at all layers (UX, APIs, PowerShell)
• IaaS (Infrastructure as a service) – Elastic tiers
• Customer requests: Enable templates to be deployed to any cloud, Provide a gallery of applications, Provide console access to remote VMs, anaging standalone VMs is not enough
• Vision (not 100% delivered in R2): A consistent service model amongst Windows Server, System Center and Windows Azure for composing, deploying and scaling virtualized applications and workloads.
• Four pillars: Portal User experience, deployment artifacts, management APIs, on-prem, hosted clouds and Azure
• Consistent IaaS Platform: Delivered on portal user experience (Azure Pack), deployment artifacts, management APIs, Clouds

Demo #1

• Showed a gallery for the VM role (new to Azure). Lists various services (SQL srever, IIS web server, SharePoint, etc.) that the admin has configured and curated. Gallery shows different versions of the same template, and can be tied to a subscription. When deploying a VM you can define the number of instances, for scale-out.
• VM container, and Application container concepts (application payload is delivered into an OS)
• The Gallery wizard prompts for a number of service properties (website name, admin names, VM sizes, etc.).
• Shows a usage portal, which lists cores, RAM, storage, and VM usage. Also lists instances, IP address, disks, subscription, VM operations (power, stop, reset, etc.). Scale slider for increasing VM count.
• Shows the ability to create a virtual network  (e.g. creating a site-to-site VPN) in the Azure pack.
• Shows the ability to open a console to a Linux VM, or a VM without a network or OS

Iaas Architecture

• Stack is: Hyper-V, VMM, Orchestrator, Operations manager, and two portals (tenant and service admin)
• Steps to setup:
• Load application extensions to VMM
• Create a gallery item (VMM role template)
• Create a service admin
• Expose to tenant

Remote Console

• Requires a new RDP client to support the new console version
• Trust is established between all components (Azure Pack, Hyper-V, RDS gateway)
• RDPTLSv2 is the new protocol

How to Build your Gallery

• Definitions: VIEWDEF, RESDEF, RESEXT (consistent naming across Azure and on-prem/service provider)
• REDEF: Virtual machine role resource definition (VM size, OS settings, OS image reference)
• RESEXT: Your Application (roles, features, OS image requirements, etc.)
• VIEWDEF: User GUI experience definition (parameters, grouping, ordering, validation, etc.)
• RESCONFIG: RESDEF parameter values, single deployment, versioned (e.g. hard coded port number, etc.)
• Uses JSON not XML files (make it more REST and portal friendly format)
• Good support for command line installers/scripting (integrate PowerShell desired state, Puppet, etc.)
• First class support for SQL deployments, IIS, etc. to make it very easy to configure
• Built-in full localization support with a default language (which you can change)

The post TechEd: IaaS with the Azure Pack (MDC-B364) appeared first on Derek Seaman's Blog.

Windows Server 2012 ReCap

• Existing IPAM options: Spreadsheets, in-house tools, commercial appliances
• In-box IPAM: Compliments DNS and DHCP services. Ability to organize, assign and monitor IPv4 and IPv6 addresses.
• Automatic discovery of DC, DHCP and DNS servers dynamic IP addresses
• Track and audit changes and provide real-time view of service status
• Multi-server management to manage all DNS and DHCP servers
• DHCP and DNS have major new features: DHCP failover (active/active config), DHCP policies (group difference devices and assign different address to them (e.g. printers, phones for proxy settings, etc.). DNSSEC cache poisoning protection.

R2 Address Space Demo:

• Shows IPAM DHCP scope utilization and health status
• Shows you can now group IP address blocks by geographic regions. You can then filter views by region and drill down into countries or regions and see all scopes and IP address assignments.

Server 2012 R2 Enhancements

• WS 2012 R2 Network environment: Host or Enterprise, multi-tenant and multiple datacenters with virtual networks
• Ability to setup DHCP failover across datacenters
• Supports virtual networks (administered by Fabric administrators)

IPAM 2012 R2 Enhancements

• IPAM now manages and monitors both physical and virtual addresses
• Integrated with VMM 2012 R2 and makes all address info available to VMM
• All-new role based access control in IPAM. Granular control over what admin tasks people can perform.
• Plan, design and administer IP address schemes of virtualized datacenters
• Support network isolation WNV, VLAN
• Enhanced service monitoring
• Single and multi-entity configuration of reservations, scopes, failovers, policies, filters, etc.
• External database support (SQL)
• CIM based PowerShell – 100% parity with GUI

Virtualized Networks

• Provider address space: Physical network address space
• Logical networks in VMM are customer address space
• Customer can bring in their own address space, which may overlap with other address spaces
• Must deploy network virtualized networks (e.g. NVGRE) to keep address spaces isolated

IPAM-VMM Integration

• IPAM has a view of both physical and virtualized address space
• Network admin tasks (fabric layer): Configure address space, subnets, pools, VLANs. Then creates subnets, pools and logical networks, and then the config is pushed to VMM. Changes in VMM are pushed back to IPAM. Conflict detection, notification and updates, changes and meta-data are all synchronized. All configuration is done in IPAM by the network admin.

IPAM-VMM Demo

• New “Virtualized Address Space” node in IPAM
• “Managed by Service” column that shows VMM or IPAM service that controls the subnet config
• “Service instance” column shows which VMM instance is assigned that subnet. Subnet now appears in VMM console.
• Shows VMM synchronization with IPAM when subnets are pushed to VMM
• When creating a VM network in VMM, he shows that the config is pushed to IPAM as a customer network

Role Based Access Control

• Granular admin control within IPAM, DNS, DHCP. Five step process:
• 1) Define a user role (operations an admin can perform)
• 2) Define business hierarchy model based on the desired administration levels and controls
• 3) Define access policy based on configured use role and access scope and associate users or groups
• 4) Set/associate access scope to objects in IPAM
• 5) New access control for leaf nodes or inherited from parent

DHCP/DNS Integration

• Monitoring: Server availability, DHCP scope utilization, DNS zone health, DHCP failover health
• Management: DHCP server, scopes, properties, options, filters, policies, classes, DNS records, etc.

DHCP Management and RBAC Demo

• Shows the ability in IPAM to configure DHCP scope failover on remote DHCP servers
• Shows the new “Access control” node in IPAM. 12+ pre-configured roles. Shows the ability to create a new custom role. Dozens of operations available to delegate and add to a custom role.
• Shows the ability to create network hierarchies (e.g. in a city you can create a building).
• Shows the ability to create an “Access Policy”, then bind the access policy to a DHCP scope for delegation
• Shows the creation of a new R2 ”FQDN” DHCP policy in the IPAM tool. Able to specify that all clients that do NOT contain *.contoso.com in their hostname get registered in DNS with guest.com instead.

External System Integration

• IPAM PowerShell interface facilitates integration with other external systems like SCCM and MAP toolkit
• Integration with AD Directory Services enables synchronization of site and services and subnets information

The post TechEd: Windows Server 2012 R2 IPAM for Clouds (MDC-B376) appeared first on Derek Seaman's Blog.

I didn’t get a screenshot, but the presenter had a slide showing the storage features in every version of VMM dating back to 2007. Starting with 2012 there was an explosion in features, with more added in SP1 (shipped in January 2013) and a lot more in R2. The pace at which Microsoft is enhancing the hypervisor and management stack is pretty astounding.

This session was supposed to be heavy on demos, but the speaker’s VPN connection back to the mother ship was not behaving. For his storage demos he was going to use a 3PAR to demonstrate the fibre channel LUN provisioning features in VMM 2012 R2, and NetApp for the SMB 3.0 file share demo. VMM has a lengthy list of storage arrays which are natively supported. If you are a 3PAR customer, you will need 3.1.2 MU1 for full VMM 2012 R2 support.

Storage Management Pillars

• Insight: end to end mapping, pool, volume and file share classification, monitoring, standards based
• Flexibility: Provisioning of pools, LUNs, file shares, scalable, allocation and assignment, FC zoning, zone aliases
• Automation: Rapid provisioning, scale out file server, disaster recovery, bare metal Hyper-V host provisioning, ODX

R2 Enterprise Storage Management

• More optimized storage discovery (e.g. a 3PAR with hundreds of disks) or VMAX with thousands of LUNs
• Real-time updates for out of band changes using CIM indications
• Fibre channel fabric discovery and zone provisioning and activation of zone sets
• Support for Hyper-V virtual fibre channel
• ODX optimized virtual machine deployments (copy VM from library)
• Rapid provisioning using difference disks

Storage Provisioning for Tier 1 Application Demo

• Fibre Channel switches
• Hyper-V Host with 2 FC ports
• Service template to model computer with two virtual HBAs

New to VMM 2012 R2

• 10x faster SMI-S enumeration
• Management of scale-out file server underlying spaces storage
• Added remoting and cluster-awareness for managing storage spaces
• Abilitity to assign storage and fabric classification at the volume or SMB share level. Allows finer grain SLA control.
• Fully support iSCSI targets for storage
• Support for SMB 3.02 (new to WS2012 R2)
• Spaces provisioning: Discovery of physical spindles, storage pool creation and deletion, mirror and parity spaces creation and deletion
• Capacity management: pool/volume/file share classification; file share ACL management
• Scale-out file server deployment: bare metal deployment, creation of scale-out file server cluster, add/remove nodes, file share management

The post TechEd: Storage Management with VMM 2012 R2 (MDC-B344) appeared first on Derek Seaman's Blog.

Introduction

• Windows Server 2012 is Cloud optimized
• Clouds are dynamic, multi-tenant, high scale, low cost, manageable and extensible
• Major new cloud enabling features in Server 2012, released last year
• 2012 built  a strong platform, but was not a full cloud solution

WS2012 R2 Improvements

• Live migration is much faster
• Live migration from 2012 servers
• Shared VHDX clustering
• Automated block-level storage tiering
• write-back cache
• Per-share auto-redirection to scale-out file servers
• Dedupe of VDI workloads
• iSCSI target VHDX support
• Multi-tenant site-to-site VPN gateway
• Hyper-V NAT and forwarding gateway
• vRSS
• NIC teaming dynamic-mode
• Desired state configuration
• Datacenter abstraction layer
• All aligned with System Center 2012 R2

Blueprint for a Cloud

• Build your managment stack
• Start provisioning compute nodes and storage
• Then you scale out as needed
• This is a cloud “stamp”
• Publish a self-service portal or APIs
• Add network gateways
• Add users

Infrastructure

• Think about: workloads, networking, storage, resiliency

Designing for the workload

• Cloud-aware stateless apps or stateful apps?
• IaaS cloud can support both but with different design considerations
• What are the workloads performance requirements
• 2 socket servers offer the best ROI
• Some workloads will benefit from hosts with SR-IOV
• Are workloads trusted? Think about level of isolation between workloads and QoS policies
• Keep it simple and manageable
• Can’t optimize a unified infrastructure for all possible workloads
• Standardize VMs, self-service based, managed to an SLA

Network Design

• Traffic isolation considerations (tenant generated traffic) and hoster/datacenter traffic (cluster traffic, storage, live migration mgtmt, etc.)
• Use physical isolation as needed, port ACLs, QoS & VM QoS
• Between tenants and datacenter: separate networks
• Between tenant VMs of different tenants: Hyper-V network virtualization & VM QoS
• Hardware offloads for NICs: HW QoS (DCB), RDMA, RSC, RSS, VMQ, IPsecTo, SR-IOV
• For storage, if using SMB 3.0, then the NIC would benefit from RDMA feature
• R2: can also use RDMA for Live Migration
• Look at RSS and RSC for the NIC which support management (Live Migration, management)
• Look at IPsecTO and VQM for VM guest NICs
• SR-IOV bypasses the extensible switch
• R2: vRSS (spreads NIC traffic load across multiple VM cores

Storage Design

• Hyper-V servers with internal SAS disks is a perfectly acceptable if you don’t need super high HA
• 2012: Can pool shared JBOD SAS array for some good HA
• Scaling options: Block based FC or iSCSI or file based (lower cost w/ high performance)
• Block based enables storage offload with ODX, and high IOPS

Resiliency Approaches

• Infrastructure – VMs not designed to handle failures, HA at server level, failover clustering as another layer of protection. High end servers, redundant power and apps.
• App-Level Resiliency – Cloud-aware apps can sustain failures without infrastructure dependency

WS2012 Representatitve Configurations

• Three different approaches are fully documented and validated by Microsoft:
• aka.ms/CloudBlog
• aka.ms/CloudConfigs
• aka.ms/CloudPowerShell

How do you deploy and configure?

• In 2012 it was a mixture of GUI and a lot of PowerShell
• With R2 and aligning with system center 2012 R2, it is much much easier
• “Physical computer profile” is new in SC2012R2 – Deploy Hyper-V to bare metal
• Demo showed provisioning a new scale out file server and creating a file share, all from a GUI

Scaling Considerations

• Compute (Hyper-V) cluster size
• Larger clusters improve overall efficiency
• Consider clustering across failure domains (e.g. cross-rack)
• Storage: Need JBODs with appropriate number of SAS interfaces

Management Stack Improvements In R2

• Provides a unified Powershell method to manage physical devices, such as switches
• MS created a logo program that vendors can certify against
• MS open sourced the OMI standard for anyone to use
• Desired State Configuration (DSC) MDC-B302 session

Windows Azure Pack

• Same self-service portal as Azure
• Common management experience
• Workload portability
• As future services are delivered in Azure, they will transfered into the private cloud

The post TechEd: Building Clouds on Server 2012 R2 (MDC-B312) appeared first on Derek Seaman's Blog.

One thing to note is that the Azure Pack and the System Center App controller product are different products. A question was asked whether they would be merged down the road, and the speaker could not comment about futures. But one would hope they unify the provisioning portals and experience, and I expect they will down the road.

Introduction

• Cloud OS: Three datacenters: On-prem, Windows Azure, Service Provider
• Many customers will have assets across all three clouds
• Customers need a consistent set of building blocks
• The hyper-v that ships to customers is the same version that powers all of Azure
• This session will focus on the on-prem and service provider clouds

What is the Cloud?

• Term is way over used and misunderstood
• Pool compute, storage and networking
• Allocatable on demand
• Automate everything – In VMM everything is Powered by PowerShell (500+ commandlets)
• Metered
• self-service

VMM – Enabling the Cloud

• Storage – Can use any kind of storage you wish – SAN (iSCSI, FC), or SMB 3.0
• Networking – In R2 VMM can manage physical switch configuration. NVGRE, PVLANs, etc.
• Compute – Intel and AMD processor support
• Virtualization Support – Hyper-V, VMware, Citrix XenServer
• Do not name your cloud after a department, it is a pool of compute power. Cloud is an SLA construct.
• User roles can be departments (Finance, HR, etc.). Construct an AD group, assign people, and assign access to appropriate cloud resources.
• Model your application you are deploying so you can enable self-service

Announcing the Cisco Nexus 1000v for Hyper-V is now available for production usage.

VMM Investments in 2012 R2

• Services, VMs, Clouds, Networking, Storage, Infastructure
• Think of a “stamp” as a consistent configuration of Storage, compute, edge components and management
• Later this year: All System Center components will be available a service template for fast and standard deployment
• Physical Computer profile is a new feature for a scale-out file server Hyper-V host
• 2012: VMM can appropriately zone SAN switches and provision storage from an array, such as 3PAR
• Enables ODX to copy VMs from the library to production
• Guest clustering using a shared VHDX file. No iSCSI or FC required.
• Service template supports first node having a different configuration from other nodes, so you can automate cluster builds
• VMM integrates with IPAM, so you can push/pull network configs with each other
• VMM will warn on physical switch VLAN misconfigurations with switches that support OMI management
• VMM can remediate network config problems on physical switches, if the network team allows it
• Directly deploy and configure gateway (site-to-site VPN, NAT, or virtual to physical gateway) settings
• Site-to-site VPN optionally supports iBGP
• Site-to-site VPN supports third party devices such as Juniper or Cisco concentrators, or another Windows server
• Delegation: Per-cloud delegated permissions
• New and very rich SCOM management pack for VMM

The post TechEd: What’s new in SC VMM 2012 R2 (MDC-B357) appeared first on Derek Seaman's Blog.

Benefits of Virtualizing SQL with System Center

• Performance and scalability
• Flexible storage and availablity
• Depoyment and management
• Portability of development workloads
• On demand platform provisioning
• Lower costs

Pitfalls of Virtualizing SQL

• SQL server VM sprawl – Huge problem! Create an approval process.
• Licensing challenges
• Additional layer of monitoring

System Center 2012 Benefits

• Deploy SQL server using SCVMM on Hyper-V or VMware
• Provide self-service capabilities using SC Service Manager
• Manage SQL server automations using SC Orchestrator
• Manage SQL server operations using SC Operations Manager
• Self-service backup and restore of SQL services using SC Data Protection Manager

SCVMM and SQL Server

• Ability to deploy SQL server VMs on Hyper-V and VMware
• Ability to create a SQL server profile to standarize VM templates and configuration
• Ensures a SQL server is deployed every time exactly as you want, every single time
• You can provide a SQL .ini configuration file for a standardized deployment config
• You can mix and match SQL profiles with different operating systems

SQL Server Task Automation

• Use SC Orchestrator (SCORCH)
• Standardizes automated task management
• Create a process in SCORCH which can be performed in a workflow manner
• Enables end to end automation
• Eg. Create a SQL backup, or database snapshot. With Service Manager you could provide user self service for SQL activities.
• Complex tasks may take a day or two to configure in ORCH, but many tasks can be done in 1 hour or less of work

SQL Server Monitoring

• Monitor SQL synthetic transactions and perspectives
• Monitor SQL queries using application performance monitoring
• Manage SQL server using distributed application
• Ability to trend SQL database response times

The post TechEd: SQL Virtualization and Management Best Practices (MDC-B328) appeared first on Derek Seaman's Blog.

Windows Server 2012 Recap

• Native NIC teaming
• DHCP failover
• SMB 3.0 multi-channel
• Hyper-V extensible switch
• QoS
• PVLAN support
• Hyper-V network virtualization
• SR-IOV support
• IPAM, resource metering, etc.

Windows Server 2012 R2

• Learning from MS datacenters: Cutting costs (maximize resource utilization), choice and flexibility matter, agility and automation are key
• Three big R2 focus areas: Cloud scale performance and diags, comprehensive SDN, core infrastructure enhancements

Cloud Scale Performance – vRSS

• Virtual RSS
• In 2012 VMs restricted to 1 process for network traffic
• In R2 vRSS maximizes resource utilization by spreading network traffic across multiple vCPUs
• Now possible to virtualize traditionally network intensive applications
• Requires no hardware upgrade and works with any NICs that support VMQ
• Provides near line rate to a VM on existing hardware

NIC Teaming Enhancements

• 2012: Provided fault tolerance and aggregrate bandwidth
• R2 introduces a new dynamic mode. Balances based on flowlets
• Applies to outboud and inbound network flows
• In 2012 a TCP flow would be pinned to one NIC. In R2 it breaks up the TCP flow and spreads across all NICs
• Can provide big improvements with large data transfers

Extended ACLs

• In 2012 had basic allow/block ACLs. Not very rich
• R2 provides filters based on network address, application port or protocol type
• Stateful packet inspection
• Allows or blocks traffic for specific workloads

Remote Live Monitoring

• In 2012 remotely monitoring traffic is not simple
• R2 enables mirror and capture network traffic for remote and local viewing
• GUI experience with Message Analyzer. Similar to netmon GUI experience
• supports remote offline traffic captures
• Filtering based on addresses and VMs

Demos:

• Showed that incoming network packets on 2012 were pinned to one NIC
• Showed with 3 VMs that TCP traffic was evenly load balanced across all four pNICs
• Showed in 2012 5.4Gbps bottleneck on 10Gb NIC, because traffic pinned to one vCPU. Showed that vRSS spread the load across all vCPUs. Throughput jumped up to 8.4 to 9.6 Gbps.
• New Powershell commandlet test-netconnection. Combines ping, traceroute, and provides more detailed information. Can be configured to use different ports and protocols (SMB, RDP, etc.) for testing. Available in Windows 8.1 too.

Comprehensive SDN (Software Defined Network)

• Focus areas: Flexibility, automation, control
• 2012: Hyper-V network virtualization, Hyper-V extensible switch
• R2: Network physical switch management (via OMI), built-in gateways
• DMTF standards utilization for managing physical switches
• MS believes in both physical and virtual management with their SDN solution

Hyper-V Network Virtualization

• Uses NVGRE standards protocol for packet encapsulation
• Solves VM mobility issues (migrate VM beyond L2 domains)
• Ability to import customer IP addresses and network topology
• Ability to use same IPs in test/dev and production environments on the same physical network
• NVGRE uses 24-bit identifier, and are unique within the datacenter. Removes 4096 VLAN limitation
• R2: Dynamic learning of customer addresses: Allows for highly available hosts using guest and host clustering. Ability to do DHCP within a customer network.
• R2: Performance enhancements: NIC teaming integration and NVGRE task offload enabled NICs
• Partners are delivering on NVGRE task offload (Emulex, etc.) and providing near line rate NVGRE
• R2: Enhanced diagnostics of virtual networks

Hyper-V Extensible Switch

• Cisco Nexus 1000v for Hyper-V is now RTM
• R2: Moved Hyper-V network virtualization into the switch, so extensions can process the provider and customer packets
• R2: Hybrid forwarding: Hyper-V networking and third-party can both process different types of packets
• R2: Forwarding extensions can modify packet headers on both ingress and egress
• Third parties can now use their full network virtualization (e.g. Cisco VXLAN)

Standards Based Management

• Standards-based CIM model
• Switches running Open Management Infrastructure (OMI)
• Enables powershell management of physical network switches
• Problems solved: automate common network tasks (such as VLAN validation across Hyper-V networking and physical switches)
• Logo program enables customers to buy switches that “just work”
• Enables cloud plug and play of switches and de-couples the management plane from the data plane

Built-In Gateways

• 2012 had no built-in gateways and required third party add-ons
• R2: Built-in gateway with three major capabilities: Multi-tenant multi-site VPN gateway; NAT gateway for internet access; forwarding gateway for within the datacenter

Core Infrastructure Enhancements

• 2012: IPAM tool in-box
• R2: Manages physical and virtual address spaces
• R2: Imports and exports network configs automatically through SC VMM plug-in
• Enables synchronization and AD site and subnets with IPAM
• Lets admins define user roles, access scope and access through role access controls

The post TechEd: What’s new in Windows Server 2012 R2 Networking (MDC-B216) appeared first on Derek Seaman's Blog.

• Windows Azure uses the stock Windows Server 2012 Hyper-V
• Complete virtual machine compatibility between on prem Hyper-V and Azure IaaS

Hyper-V 2012 R2

Generation 2 VMs

• Legacy free (no BIOS) but uses UEFI
• Many emulated devices removed
• Boots from virtual SCSI or synthetic network adapters
• Enables UEFI secure boot standard
• Supported Guest OS: 64-bit Windows 8, Windows Server 2012, 64-bit Windows 8.1, Windows Server 2012 R2
• You can run Gen1 and Gen2 VMs side by side
• Gen1 VMs are not going anywhere anytime soon
• No performance improvements on Gen2 VMs, except booting is 20% faster and OS install is about 50% faster.
• Big advantage is booting off a virtual SCSI or network controller instead of IDE device

Automatic Activation

• Zero touch activation of VMs
• Automatically activated according to the hosting environment
• Gets its activation information from the Hyper-V host
• Not tied to type of activation method (OEM, VL, etc.)
• The VM does not have the product key in it
• Only supported for Windows Server 2012 R2 VMs (no prior versions)

Demos:

• Difference between generation 1 and generation 2 VMs: No ISA, no com ports, no PS/2 ports, no floppy, etc. Simplifies VM hardware configuration.
• Showed the ability to enable secure boot for VMs
• Enhanced virtual machine connection – Supports rich text copy and paste in and out of VMs. Cut and paste files in and out of VMs.
• VM console now supports audio redirection as well
• VM connect now uses remote desktop services, so you can do smart cards, folder redirection, plus USB support.
• Full support for these features on Windows 8.1 Hyper-V, and are enabled by default. Disabled by default on server for security, but can easily enable per-host.

Zero-downtime upgrade

• Live migrate virtual machine from Windows Server 2012 to Windows Server 2012 R2
• Includes shared nothing live migration

More new Features

• Online VHDX resize (expand, shrink, compact)
• Increase or decrease the size of virtual disks while the VM is running
• Live machine export (clone a running VM)
• VMs with snapshots and other settings can be migrated without intervention to 2012 R2 (no more draconian procedures)
• Live migration with compression – default option (1/3 faster than w/o in his demo)
• Live migration using RDMA (SMB Direct) – Uses less CPU than a standard Live Migration
• Faster live migration – 10Gb or less then use compression. Over 10Gb, use SMB/SMB Direct

Enhanced Linux Guest Support

• Full dynamic memory support
• Online backup with filesystem consistency (VSS-like functionality on Linux)
• Online VHDX resize
• New video driver
• Linux has and will continue to run very well on Hyper-V
• You can use any enterprise solution that backups up Hyper-V and get full Linux support automatically
• Microsoft claims they offer the most Linux support of any hypervisor, since the competition can’t do VSS-like Linux backups
• Microsoft releases the hypervisor integration pack with a GPL license to the open source community

Additional Features

• Storage QoS
• Ability to configure min/max IOPS on a per-VM basis
• Guest Clustering with shared virtual disks. No need for ISCSI, fibre channel SAN, or block storage. Can be done with SMB, or cluster in a box.

Hyper-V Replica Disaster Recovery

• Extended replication (tertiary copies)
• Replication frequency has 30 seconds, 5 minutes and 15 minute intervals
• Example: On-prem replicated to hoster, then host replicates it elsewhere
• Example: first hop within prem, then second hop to hoster/Azure

The post TechEd: What’s new in Hyper-V 2012 R2 (MDC-B330) appeared first on Derek Seaman's Blog.

System Center 2012 Capability Primer

• Self-service portal
• Service model
• Process automation
• IT service management
• Tools to deploy, configure, migrate, inventory, monitor and protect
• Seamless deployment on-premises, Azure or service provider
• Cloud OS is three datacenters (private cloud, hosted cloud or Azure) and should all be managed in the same manner with the same tools

System Center 2012 R2 Features

Infrastructure Provisioning

• Windows Server 2012 R2: Dynamic VHDX resizing, dynamic memory support for Linux, snapshot of running VM, synthetic fiber channel HBA in guest
• Service templates & run books for system center components
• Automated standards-based Top of Rack configuration
• Multi-tenant edge gateway
• Built-in Site to Site connectivity VPN
• Bring your own IP
• Service management automation
• Orchestrator integration pack for Azure

Multi-tenant cloud infrastructure

• In-box service templates and runbooks for system center components
• Bult-in multi-tenant isolation and scale across multiple system center instances
• Service management automation (new in R2) – Web based authoring, workflow automation, integration with CMDB, ticketing, billing, management systems
• Capacity planning and chargeback – Enhanced in R2
• Granular metering of resource usage by tenant, including CPU, memory & storage
• Virtual network support – Provision in-box multi-tenant edge gateway for seamless connectivty between physical and virtual systems

Consumer Self-Service

• Self-service application provisioning with Azure-consistent user experience
• Unified view across clouds with app controller
• Windows Azure integration pack
• SharePoint integration pack
• Scalable multi-VM tenant services (VM-tier) for Windows Server environments with Windows Azure-consistent user experience (new to R2)
• Admin publishes gallary, user can consume them

Application Performance Monitoring

• Deep Java monitoring including line-of-code traceabiltity
• Deeply integrated with dev-ops – Faster issue tracking and remediation with system center-visual studio connector
• Global Service Monitor – inject synthetic transactions and measure various metrics

Infrastructure Monitoring

• Enhanced cross-platform monitoring of Linux, Solaris, HP-UX, IBM AIX
• Cross-platform configuration of Windows Server, Linux, Unix

Consistent Management Experience

• Enhance agility by delivering Windows Azure-consistent services to Windows server
• Extensible, enterprise-ready service management portal
• Standardized VM gallery format for Windows Azure and for service providers
• Windows Azure pack for Windows Server 2012 R2 provides a consistent user experience

Service Consumers

• Build highly scalable web apps
• Guaranteed message delivery
• Standard protocols (REST, etc.)
• Supports .NET, Java, Node.js, Python

Demo showed a new feature where you can console connect to any running VM, even if the OS is not running or it’s a non-Windows OS like Linux.

Service Providers

• Create offers of select services (define quotas, offer add-on or upsell, etc.)
• Consistent interface for all services (REST, OData & JSON)
• Enable third-party billing providers with ITFM integration
• Data warehouse
• Out of the box runbooks to automate delivery of cloud services
• operational dashboard

The post TechEd: System Center 2012 R2 (MDC-B206) appeared first on Derek Seaman's Blog.

Intro

• Microsoft Cloud OS Vision
• Private Cloud – Windows Server + System Center
• Virtualization for consolidation is NOT a cloud. Are you just virtualizing, then you are NOT doing cloud computing.
• Clould is reqestable, cloud is usage based, cloud is chargeable
• People are highly focused on the hypervisor but completely overlook management
• One Cloud OS Vision has three pillars and one consistent platform:
• 1. Private cloud is about control and security
• 2. Public cloud is about scale: Office 365, Windows Azure, Azure Virtual machines
• 3. Service Provider is about customization
• Windows Server 2012 powers the entire Azure infrastructure
• MS provisions 25K VMs a day for test/dev

Windows Server 2012 R2 Enhancements

• Focus: Datacenter without boundaries, cloud innovation everywhere, dynamic application delivery, flexible and consistent application platform, enable people-centric IT

Virtualization – Hyper-V 2012 R2

• Cross-version live migration
• Online VHDX resize
• Automatic VM activation
• Live VM export/cloning
• Remote Access console via VMBus (does not rely on RDS or networking)
• Live migration compression
• Live migration with RDMA
• More robust Linux support

Hyper-V 2012 R2 Demo

Teaser demo from the Hyper-V session later today. Showed a VM that was hammering storage and slowing down all other VMs on the same host or SAN. With 2012R2 and enable minimum or maximum IOPS on a per-VM database. IOMeter showed a drop from 20K IOPS to 100 IOPS, with a setting on the VM.

2012R2 has enhanced Linux support. Full hot-add and remove of dynamic memory with Linux guests. Full on dynamic memory, complete feature parity with Windows implementation. Support for full Linux backups in a consistent state. File consistent backups with zero downtime. Similar to VSS functionality in Windows, but for Linux filesystems.

Clustering VMs without iSCSI or Fibre Channel shared storage. Can now share VHDX files between VMs for clustering. Fully supported in production environments. Cloud service provider can now provide clustering services without having to expose iSCSI or raw LUNs to VMs.

Windows Server 2012 R2 Storage Enhancement

• Azure does NOT use SANs. It uses cheap direct attached storage. SANs do not scale and are very expensive. Laser focused on driving down cost per IOPS. Storage is cheap, IOPS is not.
• Windows Storage Spaces now features block-level automated data tiering
• Data deduplication enhanced in R2 (now with running VMs)
• Flexible resiliency options (enhanced in R2) – Three way mirrors, write-back cache,
• Pooling of disks

Demoed creating a physical clustered file server using VMM 2012 R2. VMM connects to the baseboard management controller (e.g. ILO) of the server, boots the server into WinPE, and deploys a standard VHDX and configures the Windows OS for file services. With a few clicks a share was created, and provisioned to Hyper-V VMs for storage.

• Challenges of Guest Clustering (MDC-B337)
• Shared VDHX enables guest clustering within a tenant without accessing raw LUNs or iSCSI disks

Software Defined Networking

• Allows you to move VMs and workloads from private cloud to public cloud to service providers
• Provides seamless experience for business agility and ease of management
• Live migration across subnets
• Breaks VLAN scalability limits
• Merge networks on same fabric
• 2012 R2 provides in-box multi-tenant edge gateway for seamless connectivity to Azure and service providers or internal networks
• 2012 R2 Gateway enables direct routing or NAT
• System Center is the control plane, Windows server is the data plane
• F5, Iron Networks, Huawei and Arista are providing additional gateway options
• Cisco, NEC, 5 Nine (security), InMon (packet capture) for Hyper-V extensions

Hyper-V 2012 R2 Replica

• Broaden your coverage of business continunity with hybrid cloud solutions spanning on-prem and the cloud
• Enhanced in R2 for cloud providers
• Tertiary replication in the box
• Hyper-V Recovery Manager (new) - Configurable down to 30s window, recovery orchestration with Azure Hyper-V
• Replica frequency options are 30s (new), 5 minutes, 15 minutes
• Replica now supports pre-staging the data via offline methods, then online sync the deltas
• Hyper-V Recovery Manager has “recovery plans” for runbook automation

The post TechEd: Windows Server 2012 R2 Features (MDC-B205) appeared first on Derek Seaman's Blog.

• Users and devices want great apps
• Major updates to nearly all Microsoft datacenter products

What’s new in Windows

• Ian McDonald, from Windows Core Group
• Windows Azure is running nearly all Windows Server 2012
• Windows 8.1 will be released this year – free upgrade for Windows 8. Preview bits available June 26th.
• Start screen control on Win8.1: Export start screen config to XML file via PowerShell, then use GPO to deploy XML file to computers.
• Windows 8.1 industry edition (from the embedded line) will provide the ability to restrict start screen and MS app store access to only certain apps.
• Windows 8.1 will have built-in “mirror cast”. Uses ScreenBeam for conference room/presentations for PowerPoint.
• Passive NFC tag on wifi printer, and Windows tablet will read the NFC tag and automatically pair.
• Windows 8.1 will simplify WiFi connectivity and tethering.
• Windows apps will now support micro VPN. An app can create its own VPN and can use virtual smart card.
• Windows 8 is the first MS OS to fully deliver on the trustworthy computing effort started 10 years ago.
• Security is a huge focus on Windows 8.1
• 2560 x 1440 Toshiba ultrabook with Windows 8 demod

Empower People-Centric IT

• 1.2 billion smart devices sold around the world in the last 12 months
• BYOD is a “right” to many employees
• Empower your end users, unify your environment, help protect your data
• Cloud optimized Windows Azure Active Directory
• 265 billions authentications against Azure AD so far. 9K requests a second.
• 420,000 unique domains in Azure AD
• With Windows InTune if devices are on the internet, you can fully manage them via the cloud
• 35,000 unqiue tenants using Azure InTune

Announcements – Windows Server 2012 R2

• Windows Server 2012 R2, System Center 2012 R2 and Windows InTune updates
• Microsoft is now releasing “cloud first” products and a rapid candence in new products
• Windows Server 2012 R2: Workplace join their devices to active directory. Device is also authenticated, so IT is aware of the devices and can deny access (to services such as SharePoint).
• Leverages Windows Azure authentication for “workplace join”
• Dual factor authentication – Supports phone factor (calls the user to sign in via their phone)
• Able to turn on IT management of a BYOD devices. Device is registered with Azure AD and InTune services.
• Windows Server 2012 R2 “Work folders” to enable users to access their files across all devices.
• “Leave your work place” and turn off management to remove your BYOD from the corp network. De-installs corp apps and removes data. Selective wipe.

Modern Applications

• Time to Market, Revolutionary technology, organizational readiness
• Azure and Visual store core concepts: Rapid lifecycle, multi-device, any data, any size, secure and available
• Azure is now expanding with a datacenter in mainland China
• EasyJet is now changing to allocated seating, vice open seating. Major IT changes and leveraged Azure instead of their reservation system. Browser blends Azure services and their own site.
• Web page makes AJAX request to Azure and one panel on their page shows aircraft seating, rules, etc. Azure sends events to their on-site web page regarding seat selection.
• EasyJet fills 10 planes a minute in their January server and they easily scale up the Azure services to handle the load.
• Scott Guthrie – Azure VP. Announcing Azure dev/test features.
• No charge for stopped VMs! Per-minute billing instead of per-hour billing. Pro-rated billing.
• MSDN subscribers get discounted Azure rates for dev/test. Up to 97% discount on standard rates.
• MSDN subscription with upto $150 of monthly credits. Pro $50, Premium $100, ultimate $150
• Azure management portal updated to show hours/credits for MSDN and how much is left, with burndown chart.
• Goto www.windowsazure.com and activate your MSDN offer
• Visual Studio is now using a continous update model. Visual Studio 2013 and team foundation server 2013 will come out this year. Preview version on June 26th at Build conference.
• Announced ”cloud load testing” lets you load test your app from the cloud
• “Heads up display” in Visual Studio 2013
• InRelease acquired by Microsoft to help you scale release processes
• In 5 years we will have 10x the data we have now
• 85% of generated data is created by new devices (sensors, RFID, etc.)

SQL Server 2014 Announced

• Big Data – GPS telemetry from consumers
• Real-time data analysis; in memory processing
• Find, combine, manage, analyze, refine, take action and operationalize at scale
• From Data to insight. Must be easy, powerful, complete
• Excel “data explorer” feature. Powerful data analysis with Azure hooks
• Hybrid backup to Azure
• Transaction processing in-memory
• Building transaction data processing right into the database engine and in-meory, not a separate product
• Near realtime data processing capability using in-memory
• Excel project Geoflow – In preview. Maps excel data right onto a map in real time

Transform the Datacenter

• Cloud options on demand, reduced cost and complexity, rapid response to the business
• Datacenter without boundaries, cloud innovation everywhere, dynamic application delivery
• Windows Azure runs entirely on Hyper-V
• Windows Server 2012 R2 and System Center 2012 R2 announced
• R2 releases focus on Azure lesson learned and bake it into the product
• Designed for the cloud, but delivering to the customer
• Consistency across clouds (on-premises, Windows Azure, service provider)
• Windows Azure Pack for Windows Server 2012 R2
• High density web servers (5K web sites on a single server)
• Self-service Azure portal brought to your datacenter
• Azure density and scale delivered internally with System Center and WS2012 R2
• VM provisioning workflows (standardize and automate provisioning)
• Able to scope provisionion options per-user
• Hyper-V Live migrate across different versions of Windows server
• “Cloud innovation everywhere” demo by Jeff Woosley
• Windows Server 2012 R2 – Dramatic performance and scale improvements. Automated block-level data tiering.
• 16x performance improvement in IOPS and data tiering
• Windows Server 2012 R2: Deduped running Hyper-V VMs and provide BETTER performance
• VMs booting on de-duped storage boot more than 2x faster than non-deduped
• Live Migration with no-shared storage performance improvements in WS2012 R2 – Live Migration compression for much faster migrations
• RDMA support for live migration and SMB direct – super fast Live Migrations
• Hyper-V recovery manager – Multi-site recovery and runs on Azure
• Supports planned and unplanned DR site orchestration (runbook in the cloud)

The post TechEd 2013: Day 1 Keynote Session appeared first on Derek Seaman's Blog.

There were a few major take-aways that anyone looking at SCCM 2012 SP1 should understand:

• SQL server design and architecture is hugely critical. You can’t just do a click next install of SQL server and expect SCCM to perform within your expectations. You need to have a detailed understanding of SQL server best practices, including TempDB settings. It’s is also strongly recommended to combine SQL server and your primary site roles onto a single server/VM, unless you are a huge organization (sizing details are below). Yes, let me state that again, don’t use a remote SQL instance that is hosting other databases. Use a dedicated local SQL server instance for SCCM.
• Once SQL server is installed, it needs regular maintenance to keep it performing well. Backups, re-indexing, and other jobs must be run regularly or performance can tank. Session notes have a lot more details and links to some free tools.
• If you are using SCCM 2007 or older with multiple primary sites, they should all be collapsed down to a single site. Yes, even for large multi-national companies with 100K clients. Do NOT do multiple primary sites.
• Use MDT 2012 SP1 to build all of your Windows golden images. The resulting WIM file can then be used by any deployment tool on the market, including SCCM or third-party tools. It will sequence and fully automate the injection of patches, software, and other tweaks. Do not build your OS images in SCCM, or you won’t be able to use them with other deployment solutions.
• The importance of creating intelligent collections cannot be understated. Read up on the SCCM 2012 collection options (include/exclude, etc.) and do a lot of research before just jumping in and creating a bazillion to manage your environment. You will pay for the lack of planning down the road.
• Use a third-party program to scan for and patch non-MS updates, such as Java and Adobe products. Solarwinds or Secunia are the only two you should consider. A majority of vulnerablities are now in third-party products, not the MS OS. So if you aren’t properly patching third party software, you are just asking to get hacked.

Session Notes

Configuration Manager 2012 Goals:

• Empower Users
• Unify Infrastructure
• Simplify Administration – Most can consolidate to a single primary site.

System Requirements

• WS2008 x64 or later (strongly recommend WS2012)
• At least 16-24 GB RAM for primary site with SQL local. 24-32GB is more typical.
• 8GB RAM for secondary site
• Dedicated disk arrays (Disk IO is HUGE. Poor performance is likely due to storage being slow).

Typical disk layout: C: OS, D: Program, E: content library, F: DB files (100GB), G: TempDB (50 GB), H DB Logs (50GB). NTFS allocation size 64KB for SQL volumes.

SQL Guidelines:

• Recommend LOCAL SQL install on SCCM server (STRONG RECOMMENDATION!!!! Strongly Microsoft recommended.)
• Minimum SQL versions: SQL server 2008 SP2 CU9, 2008 R2 SP1 and CU6, 2012 CU3, 2012 SP1
• SQL 2012 Always On is NOT supported.
• Don’t use SQL mirroring (may appear to work, but SP upgrades will break)
• Pre-create the SQL database so you can control the layout. Don’t let SCCM create it, as performance will not be good.
• Estimate 3-5MB per client for database storage
• Not a traditional SQL database. Very high SQL load from constant queries from all clients.
• Site server 1: DB – Site System; Server 2 – DP/SUP/MP
• Do NOT combine databases from other system center products. Don’t build a giant SQL cluster for all system center products.
• MUST carefully consider TempDB. 1 file per core, with no more than 8 files.
• 1 TempDB file per vCPU for VMs
• Need to manually configure SQL memory usage so OS/SCCM has memory to use. Don’t leave to the default of infinite.
• Cap SQL log file size in SQL manager to what you think is the max
• Turn off auto-growth
• Don’t use full recovery model for Reporting Services database. Use simple for Reporting services.
• VM snapshots are NOT backups. Use SQL server backup feature. Uses compression for much smaller backups.

Site Sizing:

• Less than 2000 clients, just install everything on a single VM (including SQL)
• Less than 20000 clients, Server #1: SQLDB, primary site, SMS provider, endpoint protection, #2: MP, Software Update, DP, app catalog
• 100K clients: #1: SQL DB, primary site, SMS, endpoint; #2-4: MP, software update, DP, app catalog

Hydration Kit for ConfigMgr 2012 SP1 is here: Automates provisioning AD, SCCM deployment via scripts. If using Hyper-V don’t use dynamic memory for the VM during deployment. You can configure it to use dynamic memory after. Can create a huge bootable ISO and it automates the installation following best practices. Great for creating labs, then deploying in production exactly like the lab. Works on Hyper-V, VMware and physical servers.

Other good tools located at: DeploymentResearch and Deploymentbunny.com.

IMPORTANT: Site maintenance tasks: Rebuild Indexes (always enable it; runs every 7 days). Use a third-party solution as the build-in job is NOT reliable. Use the DB maintennace script from Ola.hallengren.com. Just enter the site code, and use on WSUS database as well. This is a MUST HAVE. USE THE SCRIPT. Microsoft internally uses this script, so you should too.

Strongly recommend only a single primary site. For secondary sites, consider them when you have 500 to 1000 or more clients.

Migrating from ConfigMgr 2007 SP1

• Don’t need to configure boundary sites since you should only have one primary site
• Co-existence is perfectly acceptable. Don’t do a big bang migration.
• SCCM 2012 can pull config data from 2007 SP1, so they are sync’d.
• DP migration can take many hours or even a week, if you have huge amount of content
• Migrating collections: Consider security, folders, users & devices. Limit collections. Create a base collection, then use include/exclude to customize the rules.
• Decide on role based access controls
• Configure collection refresh cycle after migration
• Limit use of folders – They are evil as you cannot assign permissions. Good folder name is “Software Updates”.
• Setup role based administration in 2012 prior to migration

Software Distribution

• Software and OS packages are so big these days, you should use DPs at branch offices
• Use WS2012 for DP points. DPs are usually long lived, so start with the new OS. Create PowerShell automation features.
• You can inject software updates/patches into Win7/Win8 images
• You can now pre-provision BitLocker with SCCM 2012 SP1, so it starts encryption prior to OS deployment.
• Make sure server firmware is up to date, since WinPE 4.0 won’t boot on servers with older firmware
• PXE performance is creaming on WS2012. Can boot a WS2012 WDS image in 4 seconds via PXE.
• Strongly urge users to add MDT 2012 SP1 to SCCM OS deployment
• Use Lite Touch mode to create master images
• Use Zero Touch for added features – 280 new features from MTD 2012 SP1 add-on (free)
• Dynamic deployments are a HUGE value-add. Can customize OS deployments based on various parameters.
• New hardware uses UEFI so you need to boot into WinPE 4.0
• Boot off memory sticks using FAT32, not NTFS, for UEFI support
• OSD deployment supports new App model
• You can set primary user of a machine prior to deployment, so its customized for that user
• User device affinity in CM2012
• New to CM2012 SP1: WS2012 and Win8 OS deployment
• Use MDT 2012 Update 1 Lite Touch to create a reference image. Creates images that works with anything. Don’t create your image in SCCM. Image will be compatible with any other deployment solution you have when using MDT 2012. It’s also 2x faster creating an image. You can copy the admin default profile, easy to delegate, and you can suspend deployment if needed.
• Take a look at the MDT Database admin tool here.
• MDT needs a separate WSUS instance (not the one you use for ConigMgr) for update approval
• “Request State Store” task must be added if you want to perform a machine backup
• You can use WMI queries to insert specific drivers instead of relying on PnP
• Never share an application between OSD and CM deployment. Create an OSD security role, and limit the permissions to the OSD pacakges to the OSD team.
• Look at iconarchive.com for application icons

Software Update Management

• Vulnerabilty intelligence + vulnerability scanning + patch creation + patch deployment
• Define the update process: pilots, servers with auto restart, servers with manual restart, logically grouped servers, workstations in prod, excluded devices.
• Can use MS SC Orchestrator to orchestrate SCCM patching
• Define your SLAs, collection design is #1 (HUGE!!), maintenance windows
• Create a custom report (computer uptime in days). Can color code uptimes to see most recent reboots.
• Cortech Update Manager freebie tool
• Don’t organize software updates by OS. Control everything through maintenance windows.
• Run a regulary query for expired updates and remove them from ALL deployments.
• Remember to still do the WSUS DB cleanup and re-index on a regular database
• Solarwinds patch manager and Secunia are the only two you should consider using. Excellent third party support.

The post TechEd 2013: Configuration Manager 2012 SP1 Lessons Learned appeared first on Derek Seaman's Blog.