Technet subscription downloads UI

Today I found out I am not the only one who thinks that the Silverlight-based UI of the Technet Subscriber downloads is a monster. I had a very interesting chat with Chris Slemp from Microsoft in the Technet Zone at Tech Ed 2008 in Orlando. He admits that the current UI is not exactly what it should look like, and he showed me his blog.


The Technet team is currently working on a new design for the subscriber download UI that really looks like the old UI to me. They are looking for more feedback from their users. So if you would like to contribute to the new UI, make sure you check out the mock-ups and tell them what you think.


Chris also did a very interesting demo of the new Technet Forums interface. Stay posted for a special blog post about the really interesting functionality Microsoft has added to the Technet site.

Posted in Uncategorized | Leave a comment

Hyper-V will support disks > 2 TB

Yesterday I had a chat with Mike Sterling from the Hyper-V product team at Tech Ed 2008. And guess what? When I told him about my issue with direct attached disks larger than 2 TB, he told me this will be fixed in the next publicly available version of Hyper-V. He would not comment on the time frame or when it is supposed to be available.

At least the keynote mentioned that Hyper-V will be released before its current deadline in August.

Posted in Hyper-V | Leave a comment

Direct Connect: death of the DMZ becoming reality

Last Friday, Steve Riley, security architect at Microsoft, did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that I only knew of as highly secret within Microsoft and probably one of the biggest changes in network security to come.

Imagine that corporate end users are able to take their corporate mobile systems to any Internet-connected place and work with corporate resources without a VPN or gateway. This enables users to connect to Active Directory and have their clients managed while at home or traveling. At the same time users get full access to the corporate network without the hassle of extra client software or gateways.

Direct Connect uses IPv6 with IPsec to create safe, direct connectivity to servers on corporate networks for trusted clients. This is quite a revolutionary approach, as it enables clients on the Internet to bypass the DMZ. The concept relies on IPsec authentication and encryption. Microsoft's new IPsec implementation in Windows Vista and Server 2008 allows IPsec connections to be based on both computer and user credentials, combined with Network Access Protection for system health enforcement. The only thing an edge router has to do is filter incoming traffic to allow only IPsec initiation requests and the subsequent IPsec traffic. Any standard router can do just that.

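The edge filter described above, written out as an added example (this is not code from the post or from Microsoft): it expresses "allow only IPsec initiation requests and subsequent IPsec traffic" as Windows Firewall with Advanced Security rules. It assumes the edge device is a Windows Server 2008 box (the post only says any standard router will do), that its Internet-facing interface sits in the Public profile, and that the peers use IKE (UDP 500), IKE NAT traversal (UDP 4500) and ESP (IP protocol 50). The rule-name prefix is this example's own. Run it from an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: the edge is a
# Windows Server 2008 host, its Internet-facing interface is in the Public
# profile, peers use IKE (UDP 500), NAT-T (UDP 4500) and ESP (protocol 50).
$prefix = 'Edge-IPsec'

function Add-EdgeRule {
    param([string]$Name, [string]$Protocol, [string]$LocalPort)
    # Delete an earlier copy first so the script can be re-run without duplicates.
    & netsh advfirewall firewall delete rule "name=$prefix-$Name" | Out-Null
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$prefix-$Name",
                   'dir=in', 'action=allow', "protocol=$Protocol",
                   'profile=public', 'enable=yes')
    if ($LocalPort) { $netshArgs += "localport=$LocalPort" }
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule $prefix-$Name" }
}

# 1. Default-deny inbound on the Internet-facing profile; the rules below are
#    the only exceptions.
& netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound | Out-Null

# 2. The only holes: IKE, IKE over NAT-T, and the ESP packets IKE negotiates.
Add-EdgeRule -Name 'IKE'   -Protocol 'udp' -LocalPort 500
Add-EdgeRule -Name 'NAT-T' -Protocol 'udp' -LocalPort 4500
Add-EdgeRule -Name 'ESP'   -Protocol 50

# 3. List what is now allowed in, for review.
& netsh advfirewall firewall show rule name=all dir=in | Select-String "^Rule Name:\s+$prefix"
```

Two things to keep in mind: the edge filter says nothing about who may connect, it only limits the attack surface to the IKE and ESP handlers, and the actual authentication (computer plus user credentials, as the post describes) is enforced by the IPsec policy on the servers the clients reach. The rules above match both IPv4 and IPv6 unless you narrow them with localip or remoteip.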
Steve Riley pointed out that you can build a Direct Connect infrastructure with standard products currently available from Microsoft and that Microsoft will provide more information in the near future. He also mentioned that Microsoft marketing is not yet thrilled, because no extra licenses will be needed to build a Direct Connect infrastructure.

Microsoft is currently running a (secret) pilot with Direct Connect that enables participants to use their corporate laptops to directly work with systems on the corporate network from the Internet.

I told Steve I can’t wait for the white paper "How to build a Direct Connect infrastructure" and get instant access to my home systems from any place in the world.

Posted in Windows Server 2008 | 3 Comments

Hyper-V 2TB limit: A bug turned into a feature for the next version

A few weeks ago I decided to upgrade the storage system in my server. Besides the disks for the OS and VHD files, I have a RAID 5 volume of four disks for data storage. As 1 TB disks are becoming cheaper by the day, I decided to replace the four 500 GB disks with four 1 TB disks to upgrade the data store from 1.5 TB to about 3 TB. This was the end of a dream.

After replacing the disks and creating the new 3 TB RAID volume, I noticed that MBR disks are no longer an option for disks larger than 2 TB. Fortunately this is no problem when you run Vista or Windows Server 2008, because those OSes support GPT (GUID Partition Table) disks, which can be larger than 2 TB. In my server setup, one of the VMs uses the data store as a physically attached disk. Ben Armstrong has a nice description of how to do this at the Virtual PC Guy's Weblog.

I was just fine with my new 3 TB volume. I partitioned and formatted the volume from the parent partition (host OS), set the disk to the offline state, attached the volume to the file server VM and booted the VM. That's when things went downhill. From the VM there was no way to access the newly created volume. No matter what I did, all I got were messages about disks being write protected or device I/O errors. Fortunately my post in the Technet Virtualization forum proved I was not going crazy at all.

The current version of Hyper-V will not support physically attached disks larger than 2 TB. This will be a feature of an upcoming version. I'm actually quite sad that in a time when 1 TB disks cost only 120 euros, the coming RTM release of Microsoft's server virtualization technology will not support file servers with volumes larger than 2 TB.

Posted in Hyper-V | Leave a comment

Network issue with Hyper-V

Ok. I finished migrating my VMs to Windows Server 2008 with Hyper-V and installed my file server running Windows Server 2008 in a VM. I installed all VMs on my Dell PowerEdge 2900 and at first I thought I was fine. I am running Hyper-V with three virtual switches connected in the following way:

Virtual Switch            Connected NIC
VM Switch 1 (Internet)    Broadcom NetXtreme II port #1
VM Switch 2 (Intranet)    Broadcom NetXtreme II port #2
VM Switch 3 (Intranet)    Intel Pro 1000 MT port #2

My ISA Server was connected to VM Switch 1 and VM Switch 2 to provide Internet access to the clients on the Intranet. The rest of my servers were spread across VM Switch 2 and VM Switch 3.

While testing all the systems I soon came to the conclusion that something was going wrong with my mail server. The mail server was connected to VM Switch 2 and mail was not going out. I was also not able to connect to the mail server from the Internet.

When checking the logs on the ISA Server I found a shipload of TCP checksum failures on traffic from the mail server to the Internet. This caused all traffic to and from the mail server to be dropped, essentially disconnecting the system from the Internet.

With earlier issues with Virtual Server 2005 in mind, I started disabling TCP offload features on the Hyper-V host. I had huge issues with the TCP Offload Engine (TOE) feature of the Broadcom NetXtreme II network adapter when I had just bought the server. These issues caused me to buy the extra Intel NIC for the box. While tweaking the offload parameters of the host NICs I gradually lost all connectivity to the Internet. Even after restoring all values, I did not regain connectivity. In the end rebooting the host restored my Internet connectivity. But I still had not resolved the problem.

It was not until I posted the issue in the Technet Windows Virtualization forum that I was handed the solution: disable TCP offloading in the VM instead of on the host.

In order to disable TCP offloading I had to create and set a new registry value in each VM connected to the Broadcom 5708 NetXtreme II NIC.

I used the following registry change to disable TCP Offloading:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value(DWORD): DisableTaskOffload = 1

After disabling TCP offload on each VM this way all trouble was over and I was able to connect multiple VMs to one NIC port of the Broadcom 5708 NetXtreme II NIC.

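The registry change above, applied to every VM at once, as an added example (not code from the post): it writes DisableTaskOffload from the host or an admin workstation over the Remote Registry service and reads the value back, so you can see which VMs actually changed. The VM names are placeholders, the Remote Registry service is assumed to be running in each VM, and the account running the script is assumed to be an administrator there. The value is read when the TCP/IP stack initializes, so every VM where it changed needs a reboot afterwards.

```powershell
# Added example, not from the original post. Assumptions: the VM names are
# placeholders, Remote Registry is running in each VM, and the caller is an
# administrator in the VMs. A reboot is needed for the change to take effect.
$vms    = @('DC01', 'EXCH01', 'TS01', 'IIS01', 'ISA01')   # hypothetical names
$subKey = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Set-TaskOffload {
    param([string]$Computer, [int]$Disable = 1)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($subKey, $true)            # open writable
        if (-not $key) { throw "Tcpip\Parameters not found on $Computer" }
        $before = $key.GetValue('DisableTaskOffload')       # $null when absent
        $key.SetValue('DisableTaskOffload', $Disable,
                      [Microsoft.Win32.RegistryValueKind]::DWord)
        $after = $key.GetValue('DisableTaskOffload')
        $key.Close()
        New-Object PSObject -Property @{
            Computer     = $Computer
            Before       = $before
            After        = $after
            RebootNeeded = ($before -ne $after)
        }
    } finally { $hklm.Close() }
}

$vms | ForEach-Object { Set-TaskOffload -Computer $_ } |
    Format-Table Computer, Before, After, RebootNeeded -AutoSize
```

DisableTaskOffload is a blunt instrument: it turns off checksum and segmentation offload for every adapter in the VM, trading some guest CPU for packets whose checksums are computed in software. That is exactly what you want when a NIC or virtual switch is producing bad checksums, but it is worth re-testing after driver updates to see whether the setting can go back to 0.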

Posted in Uncategorized | Leave a comment

The pain of upgrading to Windows Virtualization with Hyper-V

Last weekend I had the experience of upgrading my main system, a Dell PowerEdge 2900, to Windows Virtualization on Windows Server 2008 with Hyper-V. In the same process I had to migrate my virtual machines running Windows Server 2003 from Virtual Server 2005 R2 SP1 to Hyper-V. In the end everything works, but not without a number of painful experiences.

My initial situation consisted of my host server Morris running Windows Server 2003 x64 with SP2. The box contains two disk spindles:

* Spindle 1 is a RAID 0+1 set containing the host OS and VMs
* Spindle 2 is a RAID 5 set containing the data

The old Morris was running both as the file server and as the host for the VMs. Morris was also a member of the AD domain, of which the DC was running as a VM on the same box. This was not an ideal situation. That's why I decided to change a few things:

* The new host will only be the Hyper-V host and not a member of the domain.
* The new file server will be running in a VM with direct access to the RAID5 disk spindle

The VMs on the box are five VMs running Windows Server 2003 R2 with SP2 with separate roles in the infrastructure:

* DC with RADIUS, DNS and Certificate Services
* Exchange Server
* Terminal Server
* IIS Server
* ISA Server

The ISA Server has both an external and an internal connection to connect the internal network to the Internet. All other VMs are only connected to the internal network.

Before I started upgrading, I made sure that all VMs are running the latest VM additions. I had been told that you may encounter blue screens when your VMs run older versions of the VM additions.

The upgrade process contained the following steps:

1. Remove the old host OS and install Windows Server 2008 x64 with Hyper-V
2. Configure the new host (named TAFKAP) IP, hostname etc.
3. Add the Hyper-V role
4. Define the host network and virtual switches for the new VMs
5. Set the data disk to Offline with diskpart
6. Create new VMs for the existing VHDs
7. Upgrade VM Additions to Hyper-V

Hyper-V networking

When defining the network adapters used by Hyper-V, Windows Server 2008 creates a virtual switch for each NIC with the same name. On the host a new virtual NIC is created, connected to each virtual switch. As my host will only use the NIC that is not connected to a virtual switch, I disabled all protocols on the three new virtual NICs on the host.

Here is the first catch: Even though each virtual switch has the name of a physical NIC connected to the network, still each virtual switch is NOT connected to the physical NIC. You must change the configuration of each virtual switch in the Hyper-V manager to enable LAN connectivity for your VMs.

Creating new VMs

Hyper-V does not understand the VM configurations from Virtual Server 2005 R2. So all you can do is create a new VM in Hyper-V and connect each new VM to the existing VHD from the "old" VM. This is a very straightforward operation in which you create the VM, connect the network and the VHD, and voila, here is the new VM.

Upgrading VM Additions

Here comes the painful part of the migration. You may think you're almost there when you first start your VM in Hyper-V. This is where trouble starts. Your old VM might not be running the latest VM Additions. In that case you may run into a BSOD in the VM. You then must start the VM in Virtual Server or Virtual PC and remove the VM Additions. Also make sure your VM runs Service Pack 2 on Windows Server 2003, otherwise Hyper-V refuses to install its VM additions.

Even when you have taken the right precautions, installing VM additions became a challenge for me:

My host is based in my basement. That's why I remotely connect to the host using Remote Desktop. My VMs were still running the VM Additions from Virtual Server 2005. When I initiated the installation of the Hyper-V additions, the procedure told me to uninstall the old VM Additions first. No problem, until I found out that the network and the mouse were not working in the VM. Yes, I know how to open the Control Panel and get to Add/Remove Programs from the keyboard. But there is no keyboard shortcut to tell Windows that the selected application must be removed! I managed to uninstall the old VM Additions from the command line using msiexec. I went to %windir%\Installer and managed to find the MSI from the VM Additions (which has a different name on each system, but is approx. 900 MB). Then run "msiexec /i <vmadditions.msi>" and press Enter to remove the software.

After the VM restarted, the mouse and network still didn't work. Plug and Play finds the new NIC, but has no driver yet. Windows starts the Add New Hardware wizard, which you must cancel. If you don't cancel the wizard, the Hyper-V Additions installation will wait forever until the wizard ends.

How do you stop the "add new hardware" wizard without a mouse?

The easy answer would be: "Press Escape on the keyboard". But we have an issue here. The wizard is not in focus and Alt-Tab does not work here. Press Ctrl-Alt-Del and start the Task Manager. Move the focus to the Add New Hardware wizard and press the context menu key on the keyboard. Select "Bring to front". You can now use the Escape key to cancel the wizard.

After canceling the wizard, the Hyper-V Additions installation will resume.
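Two helpers for steps 5 and 7 of the upgrade procedure above, as an added example that is not code from the post. Set-DiskOffline drives diskpart from a script file to take the data spindle offline on the host and checks that diskpart reports it offline, so the host never mounts the volume the file server VM will own. Get-UninstallCommand looks up the product code of the old VM Additions in the Uninstall registry key, so they can be removed with "msiexec /x <product code>" from a VM console without a working mouse instead of hunting for the cached MSI under %windir%\Installer. Assumptions: disk 2 is the RAID 5 data set, the additions register "Virtual Machine Additions" in their DisplayName, and PowerShell is available inside the VM. Both helpers need an elevated prompt.

```powershell
# Added example, not from the original post. Assumptions: disk 2 is the data
# set, the additions' DisplayName contains "Virtual Machine Additions", and
# PowerShell is installed in the VM. Run elevated.

function Set-DiskOffline {
    param([int]$DiskNumber)
    # diskpart only takes commands from a script file (/s) or interactively.
    $script = "select disk $DiskNumber`r`noffline disk`r`ndetail disk`r`n"
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $script -Encoding ASCII
    $out = & diskpart /s $tmp
    Remove-Item $tmp
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`r`n$($out -join "`r`n")" }
    # 'detail disk' prints a 'Status : Offline' line once the disk is offline.
    $offline = @($out | Where-Object { $_ -match '^\s*Status\s*:\s*Offline' }).Count -gt 0
    New-Object PSObject -Property @{ Disk = $DiskNumber; Offline = $offline }
}

function Get-UninstallCommand {
    param([string]$DisplayNamePattern = 'Virtual Machine Additions')
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -notlike "*$DisplayNamePattern*") { continue }
            $code = $key.PSChildName
            # MSI-installed products are keyed by their product code GUID; for those,
            # msiexec /x is more predictable than whatever UninstallString contains.
            # /qb shows progress only, so no mouse is needed.
            $cmd = if ($code -match '^\{[0-9A-Fa-f-]{36}\}$') { "msiexec /x $code /qb /norestart" } else { $p.UninstallString }
            New-Object PSObject -Property @{
                DisplayName = $p.DisplayName; ProductCode = $code; Command = $cmd
            }
        }
    }
}

# On the host (step 5):   Set-DiskOffline -DiskNumber 2
# Inside a VM (step 7), from the Hyper-V console, before installing the new additions:
#   Get-UninstallCommand | ForEach-Object { cmd /c $_.Command }
```

Taking the disk offline on the host before handing it to the VM is the point of step 5: a volume mounted by both the parent partition and a guest at the same time is a fast way to corrupt it.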

Installing the Hyper-V file server with physical disk access

Installing the file server was a breeze. First I created a new VM with a single disk for the OS and installed Windows Server 2008. The installation went smoothly but very slowly. I think it took about three times as long to install the VM from an ISO as it took to install the host from DVD.

After installing the OS, I linked the physical disk that I took offline in the host in the VM properties. Now I was ready to run the file server. I created the shares and was ready to go. I absolutely didn't like the share creation wizard in Windows Server 2008. I'm not sure if it is just me, but I like to know what I am doing when I create a share on a server.

Conclusion

After upgrading each VM's additions to Hyper-V I needed a couple of reboots on the VMs and on the host to get a stable situation. It seems there is something going on with the Broadcom NetXtreme II NIC that came with the Dell PowerEdge 2900. I have an extra Intel dual port NIC in the system because of trouble I had with Virtual Server 2005 R2 in an earlier stage. More about this issue later.

Thinking back, I think it would be better if I uninstalled the VM Additions before I loaded the VHDs in Hyper-V.

Posted in Windows Server 2008 | 1 Comment

Boxing and the case of the slow or hanging logon script in Vista

When you are in the process of implementing Windows Vista in an enterprise environment, you may run into the following situation:

You have a logon script that writes a file to disk or queries AD with ADSI. For no apparent reason the script hangs for minutes before it finishes, without any error message. On further investigation you find no issues regarding the network, memory or disk resources. When you start the script manually it always runs fast without issues. What is happening here?

Get ready for a long story.

Windows Vista has a number of features that are supposed to improve the user experience during system startup and logon. One of these is Boxing. Boxing makes sure that programs that start while you log on are no longer able to fight for all available resources, eating all disk bandwidth and CPU. Usually programs like the Adobe Updater, WinZip Quicklauncher, iTunes quicklaunch or whatever these programs are called are not really of interest to the user in terms of how fast they start up. But they will slow down the system significantly when Windows treats them the same as the programs you start manually after logon (like Outlook or Word, for example). Windows Vista lowers the thread priority level for startup applications to "Below Normal" and will not allow them to raise their thread priority during the first 60 seconds after logon. In this way Vista slows down the execution of these applications and leaves resources available for the programs that the user actually wants to start.

So far so good. Vista uses this mechanism for programs started from the following locations:

  • Startup folder in the Start Menu
  • Windows\CurrentVersion\Run key in the Registry
  • Scheduled tasks initiated at Logon
  • Defined in Group Policy in: User Configuration | Administrative Templates | System | Logon | Run these programs at user logon

Windows Vista actually lowers the thread priority level of these applications to Below Normal and disables their normal ability to bump up their own thread priority during the first minute after logon. Maarten from the Vista product team wrote a little piece about this behavior on their blog. At the same time Vista lowers the application's I/O priority to "very low". This is a new feature that did not exist before Windows Vista. Normally a process that writes a file to disk does not access the disk directly, but uses the file cache: the program writes its data into a RAM-based cache first, and Windows takes care of actually writing the data to disk when it is convenient for the system. Writing to the file cache is really fast and programs hardly ever wait for it. Processes running at very low I/O priority do not make use of the file cache, but write their data directly to disk when the Windows file system driver thinks it is convenient. This makes writing data to disk very, very slow while the application is being "boxed".

How are logon scripts affected?

Logon scripts defined in Group Policy by default run asynchronously and invisible to the end user. Asynchronous logon scripts run in parallel with the user logging on, so other processes do not have to wait until the script(s) finish. This default behavior implies that the scripts are actually background processes and will be handled as such in terms of thread and I/O priority. This means that logon scripts by default start at the "Low" thread priority and the "Very low" I/O priority. This is also true when you decide to run the script visible.

In the case of our logon script, not being able to use the file cache severely harms the performance of the script when it writes data to the local disk.

Where the thread priority of the first category of startup programs changes to normal after 60 seconds, the thread priority of logon scripts defined in Group Policy stays "Low" forever, just as the I/O priority stays "very low".

Scripts running at very low I/O priority have a serious impact on disk write operations initiated from the script. Writes do not complete as fast as the process expects, so the script tries a write operation, sees that it does not complete within the expected time, waits for a certain time (50 ms) and tries again. This is very clear when you monitor such a script with Process Monitor (from Sysinternals on the Microsoft website). Process Monitor reports that the script runs with very low I/O priority and is not allowed to use fast file I/O (through the file cache). Because of the very slow file I/O you also see a lot of File Lock Conflict messages, caused by subsequent write operations that fail because the earlier write operation did not finish within the expected time frame.

Why is ADSI harmed by the very low I/O priority level?

It is less obvious that a script is writing to disk when it uses ADSI to collect data from AD. When the script requests information from AD, a local copy of the AD schema may be cached in the user profile as %userprofile%\AppData\Local\Microsoft\Windows\SchCache\<forest_name>.sch, where <forest_name> is the FQDN of the AD forest. Windows Vista should only do this the first time a user logs on to the domain and uses ADSI to query the domain, but I have seen cases where the schema cache was rebuilt at every logon. Writing the schema cache (~1 MB) to disk can take 6 to 15 minutes.

Is there a workaround?

It is possible to disable boxing for programs initiated from the Startup folder or the Run key in the Registry. To accomplish this, the following registry key must be changed:

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DelayedApps

Value: Delay_Sec = 0 (default value = 60)

Changing the value is a bit hard because the key is owned by TrustedInstaller and Administrators only have Read access to it. To overcome this hurdle you must first take ownership of the key.

Unfortunately programs initiated from logon scripts defined in Group Policy are not affected by this key.
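The ownership hurdle above, scripted, as an added example (not code from the post): it enables SeTakeOwnershipPrivilege in the current process, makes Administrators the owner of the DelayedApps key, grants Administrators Full Control, and only then writes Delay_Sec. Run from an elevated PowerShell; the key path and value name are the ones the post gives, and running with -Seconds 60 puts the default back.

```powershell
# Added example, not from the original post. Assumption: key path and value
# name as given in the post; 60 is the default. Must run elevated.
param([int]$Seconds = 0)

$keyPath = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DelayedApps'

# SeTakeOwnershipPrivilege is present but disabled in an admin token, and
# WRITE_OWNER on a key Administrators can only read needs it enabled.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;
        // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, ref htok)) return false;
        TokPriv1Luid tp;
        tp.Count = 1; tp.Luid = 0; tp.Attr = 0x2;   // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        // ERROR_NOT_ALL_ASSIGNED (1300) means the token does not hold the privilege.
        return ok && Marshal.GetLastWin32Error() == 0;
    }
}
"@

if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Could not enable SeTakeOwnershipPrivilege; run from an elevated prompt.'
}

$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$rights = [System.Security.AccessControl.RegistryRights]

# 1. Open with WRITE_OWNER only and make Administrators the owner.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights::TakeOwnership)
$ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
$ownerOnly.SetOwner($admins)
$key.SetAccessControl($ownerOnly)     # persists only the owner section
$key.Close()

# 2. As owner we implicitly hold WRITE_DAC: grant Administrators Full Control.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        ($rights::ChangePermissions -bor $rights::ReadPermissions))
$acl  = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# 3. Now the value can be written like any other.
Set-ItemProperty -Path "HKLM:\$keyPath" -Name Delay_Sec -Value $Seconds -Type DWord
$now = (Get-ItemProperty -Path "HKLM:\$keyPath" -Name Delay_Sec).Delay_Sec
"Delay_Sec is now $now (default 60; 0 disables boxing for Startup and Run programs)"
```

The key is owned by TrustedInstaller for a reason: once Administrators own it, any process running as an administrator can change it, and Windows servicing may put the original permissions back. Treat this as a deliberate, documented deviation rather than a default build setting, and remember that it does nothing for scripts started from Group Policy.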

If you need to have your logon scripts run at a different I/O level, you have the following options:

  • Run the scripts synchronously instead of asynchronously
  • Use another mechanism to start the script:
    • Startup folder in the Start Menu
    • Windows\CurrentVersion\Run key in the Registry
    • Scheduled tasks initiated at Logon
    • Use the policy: User Configuration | Administrative Templates | System | Logon | Run these programs at user logon

Both options have their own issues:

  • Issues when running logon scripts synchronously:
    • Running logon scripts synchronously will kill all child processes started from the script when the script ends.
    • The user will not get to see the desktop until the script ends. If something goes wrong and the script does not end, the end user will never see the desktop.
  • Issues when using one of the other startup options:
    • Harder to delegate, because with logon scripts each GPO has its own folder structure for scripts.
    • These scripts are still being boxed for the first 60 seconds. Any script that writes to disk will be slowed down during the first minute unless you completely disable boxing (which is not recommended by Microsoft).

Conclusion

In the end, what appeared to be a bug seems to be a feature. In my opinion, an asynchronous logon script that runs visible is no longer a background process and should not be running at low or very low I/O and thread priority levels. I also have my doubts about the benefits of very low I/O priority and the way it works out for lots of applications or scripts that slow down to a crawl without warning.

Posted in Uncategorized | 1 Comment

Group Policy Preferences: I truly like this feature

Last week Steven Bink got my attention with the announcement of the new Group Policy Preferences white paper on the Microsoft site. After reading the paper and a very interesting discussion with Jason Leznek, who is the product manager for this feature at Microsoft, I am sure: this is an exciting new feature in Windows! I think it actually is one of the most useful enhancements of Group Policy since its introduction in Windows 2000. And the nicest part: it will work on all currently supported versions of Windows without the need for Windows Server 2008 as a server.

What are Group Policy Preferences?

Group Policy Preferences, which I will call GPP in the rest of this article, allow you to define from Group Policy the settings that I used to define in logon scripts and default profiles. GPP settings are more flexible than the current Group Policies, because you can specify whether settings are permanent or can be changed by the end user, and you can define the scope of each setting on the setting itself. This creates the option to define multiple settings for multiple target groups within the same GPO.

Here is a list of stuff you can define with GPP:

  • Drive Mappings to shares
  • Creation, replacement and updating of Printers and printer connections, including the assignment of the default printer
  • Creation, replacement and updating of Environment Variables
  • Creation, replacement, updating and deletion of Files on the target system
  • Creation, replacement, updating, deletion and cleanup of Folders on the target system
  • Creation, deletion and updating individual entries in INI-Files
  • Creation, deletion and updating of File Shares, including management of Access Based Enumeration
  • Creation, deletion and updating of any entry in the Registry for REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ types
  • Creation, deletion and updating of Shortcuts to files, websites and Shell Objects like the Recycle Bin
  • Definition of all settings that you find in the Control Panel, including:
    • Definition of Data Sources for ODBC
    • Enabling and disabling of Devices
    • Definition of Folder Options (finally no more hidden extension for "known" apps)
    • Linking File Extensions to applications
    • Definition of Internet Settings for Internet Explorer (5, 6 and 7)
    • Configuration of Local Users and Groups
    • Definition of VPN and Dial-up connections
    • (Easy) definition of Power Options
    • Definition of Regional Settings, including UI language and time/date formatting
    • Creation, deletion and updating of Scheduled Tasks
    • Configuration of Services
    • Configuration of the Start Menu

This is quite a list, isn't it? Now consider that you can define for each setting whether the user will be able to change it, and that you need NO SCRIPTING to do all this stuff!

What is needed to use Group Policy Preferences?

The administration tool for GPP is included from the November CTP build of Windows Server 2008 and in the upcoming beta of the Remote Server Administration Tools (RSAT) that will run on Windows Vista with Service Pack 1.

The client side for GPP is already built into Windows Server 2008. A GPP Client Side Extension will be available for the following operating systems:

  • Windows XP with Service Pack 2
  • Windows Server 2003 with Service Pack 1
  • Windows Vista

The GPP client side extension will be available with the upcoming beta of RSAT.

There is no need for Schema updates or changes in the configuration of Domain Controllers.

Will I be using Group Policy Preferences?

Definitely!

To be honest, I am almost as excited as the Microsoft PM. And I haven’t even used it yet. But I already see tons of possibilities to simplify my logon scripts and put less information in default user profiles.

Posted in Uncategorized | Leave a comment

Disable the “Set Network Location” dialog in Vista

This week I got a Windows Vista question that sounded easy, but turned out to be one of those things that is missing as a policy-configurable option.

Whenever Windows Vista is connected to a new network, the system presents the "Set Network Location" dialog requesting to categorize the newly connected network as one of the following:

  • Home
  • Work
  • Public Location

Public is the only option that can be chosen without administrative rights on the system.

When an admin does not want this dialog to pop up when one of his mobile computers is connected to a non-trusted network, there is no option in Group Policy to stop the dialog from occurring.

The user has the option to disable the dialog from the UI:

  • Right Click the network icon in the system tray
  • Click Turn off/on notification of new networks

This is not the ideal option for the average admin. So this can be arranged from the registry:

  • On a per user basis
    • Set the value "Show" (REG_DWORD) to 0 in
      HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\NwCategoryWizard
  • At the system level
    • Create a new Registry key (without any value) NewNetworkWindowOff in HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff
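The two registry settings above, applied and verified from a script, as an added example (not code from the post). -Scope User writes the per-user Show value, -Scope Machine creates the empty NewNetworkWindowOff key for every user on the box, and -Undo puts the default back; the parameter names and the Undo behaviour are this example's own.

```powershell
# Added example, not from the original post. Key paths are the ones in the post;
# the Scope/Undo parameters are this example's own. Machine scope needs elevation.
param([ValidateSet('User', 'Machine')][string]$Scope = 'Machine', [switch]$Undo)

$userKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Network\NwCategoryWizard'
$machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff'

function Set-NetworkLocationPrompt {
    param([string]$Scope, [bool]$Enabled)
    switch ($Scope) {
        'User' {
            if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
            # Show = 0 hides the wizard for this user; 1 (or no value) shows it.
            Set-ItemProperty -Path $userKey -Name Show -Value ([int]$Enabled) -Type DWord
        }
        'Machine' {
            # The mere existence of the key suppresses the dialog; it holds no values.
            if ($Enabled) {
                if (Test-Path $machineKey) { Remove-Item -Path $machineKey }
            } elseif (-not (Test-Path $machineKey)) {
                New-Item -Path $machineKey | Out-Null
            }
        }
    }
}

function Test-NetworkLocationPrompt {
    $userShow = $null
    if (Test-Path $userKey) { $userShow = (Get-ItemProperty -Path $userKey).Show }
    New-Object PSObject -Property @{
        UserShowValue    = $userShow
        MachineKeyExists = (Test-Path $machineKey)
        PromptSuppressed = ((Test-Path $machineKey) -or ($userShow -eq 0))
    }
}

Set-NetworkLocationPrompt -Scope $Scope -Enabled:$Undo
Test-NetworkLocationPrompt
```

Suppressing the dialog means nobody classifies new networks as Home or Work, so they keep the Public category and its stricter firewall profile. For laptops that roam onto untrusted networks that is usually the behaviour you want, but check that anything which relies on the Private profile (file sharing, remote management) is reachable in the way you expect.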

Posted in Windows Vista | 1 Comment

Vista Language Interface Packs

Windows Vista offers two options to change the User Interface (UI) language:

  • MUI (Multilingual User Interface) Packs
  • LIP (Language Interface Pack)

The MUI packs offer the possibility to introduce multiple languages in a single Vista installation and choose a language per user. Users can change the UI language whenever they like. MUIs are only available for the Windows Vista Enterprise and Ultimate editions. The MUIs for Vista Ultimate are available for download from Windows Update. The MUIs for Vista Enterprise must be obtained from the Volume Licensing Program.

LIPs provide the possibility to change the UI for the Home Premium and Business versions of Windows Vista. A LIP changes most parts of the UI and is probably less complete than a MUI. A LIP changes the UI for the complete OS and offers no possibility to change languages after installation of the LIP.

LIPs seem to be one of the hardest add-ons to find on the Microsoft site. The Microsoft Local Language Program website seems to offer LIP downloads, but does not get any further than Windows XP and Office 2003.

A full list of available LIPs is located here. The only problem with the list is that it is not complete and download locations are not provided.

Fortunately an MCT colleague (thanks Johan) located quite a number of available LIPs, which I will list here:


Posted in Windows Vista | 1 Comment