Nathan Lasnoski - Infrastructure Architecture

Microsoft Hyper-V has Released to Manufacturing today!

Here is some information regarding the release:

http://blogs.technet.com/virtualization/

http://blogs.technet.com/windowsserver/archive/2008/06/25/microsoft-com-powered-by-hyper-v.aspx

I attended a session this morning that united two of my key interests, Exchange 2007 and Hyper-V.   I am very excited to see the level of commitment Microsoft is making to Hyper-V in respect to its applications.  These are the key items discussed, which echo the comments made by other presenters throughout the week. 

Exchange 2007 Support

The Exchange 2007 team will release full Hyper-V guidance within 60 days of Hyper-V RTM.  There will be both supported and unsupported / not recommended scenarios.   This means that customers should not plan to deploy Exchange 2007 on Hyper-V until sizing and best practice documentation has been released.

Disk IO Planning

In planning for Exchange 2007 physical deployments, one of the most important components is disk IO.  In Hyper-V there are two different types of critical VHDs that will relate to Exchange.  These include fixed size and dynamic size VHDs.  The breakout for storage is the following:

• Fixed Size:  Allocates the maximum storage for the VHD immediately.  This provides high performance disk access and has similar performance characteristics to the actual physical disk.  The performance specs showed that even in specs up to 10 database LUNS, the performance was extremely close. 
• Dynamic Size:  Allocates dynamic storage for the VHD as it is used.  In this respect, the VHD starts at a small size and grows as it is used.  Your guest OS is aware of the full capacity, but it is not actually used on the disk until it is allocated by the guest system.  This is great for development or lower performance environments.
• Pass-Through:  This type of storage is not a VHD at all, but is actually a LUN from a physical disk being exposed directly to the Hyper-V guest.

It is very important to continue to plan for virtualized storage or pass-through storage with the same concern for IO that you would have in a physical implementation.  The Exchange team has guidance in the following:

http://msexchangeteam.com/archive/2007/01/15/432207.aspx

Also, check out System Center Capacity Planner:

http://www.microsoft.com/systemcenter/sccp/default.mspx

Key Notes for Hyper-V and Exchange 2007

The following key notes were areas that I thought were important:

• No differencing disks with Exchange 2007
• No snapshot creation for VMs running Exchange 2007
• No oversubscribing CPUs to Exchange (subscribing CPUs you don't have). 
• No other applications running in root operating system
• No dynamic VHDs for guest operating systems
• Allocate disks for .VSV files
• The usage of iSCSI in the root OS is superior to iSCSI in the guest OS.
• The redundancy capabilities of Exchange 2007 are favored over Hyper-V quick migration.  This is because of the risk for data loss, the lack of Exchange component failover granularity, support for Hardware VSS< and the support of backup from a passive system.
• Watch out for aggregating roles on a single Hyper-V server where you negatively affect the overall redundancy of the Exchange solution.
• Not every situation is well suited for virtualization.
•  The security components for Exchange 2007 require specific review when implemented under Hyper-V

Unsupported Scenarios

• The Unified Messaging role will not be supported on virtualization at this time
• The usage of VHD disks over 2 TB
• No hardware VSS / VDS support

In the Virtualization presentation this afternoon by Shai Ofek he told the audience about two key items that I had not heard prior.  I thought these were very important to recap:

Microsoft Hyper-V Server

Microsoft will be publishing "Microsoft Hyper-V Server" an OEM product which comes without the use rights for general Windows Server 2008 system capabilities.  This product will come out later this year.  Windows Server 2008 Standard, Enterprise, and Datacenter will certainly also support Hyper-V.

Support for All Microsoft Applications

Microsoft will be requiring that all new Microsoft software products be supported on Hyper-V.  These include products like SQL, Exchange, Biztalk, etc.  This doesn't necessarily mean it will be certified on the first day, but it is going to happen.

I've drafted a test procedure that I thought would be helpful for individuals planning on reviewing Exchange 2007 Standby Continuous Replication (SCR).  We have used this technology in customer environments and have found it to be very successful at reliably replicating data from a primary Exchange 2007 mailbox server to a secondary Exchange 2007 mailbox server.  It is an excellent technology for smaller environments to achieve geographically dispersed failover.

Reminder:

Each site must have the following:

• Global catalog
• Mailbox server
• Hub transport
• Client access server

************************ SCR Test Setup Process ******************

' Configure replication w/ seeding paused

Enable-StorageGroupCopy -Identity "ExchangeTest1\First Storage Group" -StandbyMachine "ExchangeTest2" -ReplayLagTime 0.0:0:0 -SeedingPostponed

' Suspend the copy

Suspend-StorageGroupCopy -Identity "ExchangeTest1\First Storage Group" -StandbyMachine "ExchangeTest2"

' Seed the copy (This will replicate all data to the failover site.)

Update-StorageGroupCopy -Identity "ExchangeTest1\First Storage Group" -StandbyMachine "ExchangeTest2"

' Resumes the copy

Resume-StorageGroupCopy -Identity "ExchangeTest1\First Storage Group" -StandbyMachine "ExchangeTest2"

'*********************** Create Failover Prep Area ***************

'We need to create the storage group and database on the failover server, then delete the files, though leaving the configuration for the database and storage group in Active Directory.

'Create Storage Group "ExchangeTest2\First Storage Group RC"

'Create Database Storage "ExchangeTest2\Mailbox Database RC"

'Mount the mailbox database "ExchangeTest2\Mailbox Database RC"

'Dismount the mailbox database "ExchangeTest2\Mailbox Database RC"

'Delete the files on the file system and directory for "ExchangeTest2\Mailbox Database RC".  Retain the storage group folder.

'Maintain the storage group and database and configuration in Exchange, dismounted.

************************ Failover Test Process********************

' Dismount Database on Production Server (ExchangeTest1) if accessable.  If not accessable, proceed to next step.

Dismount-Database "ExchangeTest1\First Storage Group\Mailbox Database" -Confirm:$False

' Remove Replication from ExchangeTest1 to ExchangeTest2.  Note that PowerShell commands can be executed from ExchangeTest2.

Restore-StorageGroupCopy –Identity "ExchangeTest1\First Storage Group" –StandbyMachine "ExchangeTest2" –Force

' Determine if Database on ExchangeTest2 is in a clean shutdown state or dirty shutdown state

eseutil /mh "d:\program files\exchange server\mailbox\First Storage Group\Mailbox Database.edb" | findstr State

' Open a regular command prompt

CMD

d:

cd\

cd "program files\exchange server\mailbox\First Storage Group"

' Run the eseutil to attempt a clean recovery (your log may be different)

eseutil /r E02

' Run the eseutil to attempt a lossy recovery

eseutil /r E02 /a

' Return to PowerShell

'**************************************

' Move storage group path for recovery storage group

Move-StorageGroupPath -Identity “ExchangeTest2\First Storage Group RC”  -LogFolderPath “D:\Program Files\Exchange Server\Mailbox\First Storage Group” -SystemFolderPath “D:\Program Files\Exchange Server\Mailbox\First Storage Group” -ConfigurationOnly

' Move database path for recovery database

Move-DatabasePath -Identity "ExchangeTest2\First Storage Group RC\Mailbox Database RC" -EdbFilePath “D:\Program Files\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb” -ConfigurationOnly

' Set the mailbox database to allow restore

Set-MailboxDatabase "ExchangeTest2\First Storage Group RC\Mailbox Database RC" -AllowFileRestore:$true

' Mount the database in Exchange

Mount-Database "ExchangeTest2\First Storage Group RC\Mailbox Database RC"

' Move all users in Active Directory to the failover site

Get-Mailbox -Database "ExchangeTest1\First Storage Group\Mailbox Database" |where {$_.ObjectClass -NotMatch '(SystemAttendantMailbox|ExOleDbSystemMailbox)'}| Move-Mailbox -ConfigurationOnly -TargetDatabase "ExchangeTest2\First Storage Group RC\Mailbox Database RC"

'Force replication of Active Directory.

'Test user access.

I attended an Microsoft Office Communications Server 2007 (OCS) troubleshooting session today.  I found this very interesting because Concurrency is a Microsoft Unified Communications Voice partner and we have to deal with a multitude of call routing, voice quality, and PSTN connectivity issues in our OCS deployments.

I found the troubleshooting areas noted by the presenter (Bryon Spurlock), to be very consistent with the issues we've worked with.   The top voice and video troubleshooting areas he noted are essentially in areas of quality (device, network, mediation, PSTN) and connectivity (number assignment, call routes, UM).    

The Bryon reviewed the following tools:

A/V Tuning Wizard

The A/V Tuning Wizard enables an Office Communicator or Live Meeting user to tune a USB connected hardware device for volume, echo, and general call quality. 

QoE Monitoring Server

The QoE monitoring server is an OCS server role that enables the monitoring of voice and video quality within an OCS deployment.   QoE Monitoring Server Guide:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9ed29d74-3391-4902-bf2c-6757410f3335&DisplayLang=en

Deployment Validation Tool

This tool is utilized in OCS to travel and test calls for jitter (packet arrival), packet loss, and delay.  This tool can integrate with Microsoft Operations Manager.  The tool uses agents and organizer, which allows a very realistic test scenario.  I have personally found the deployment validation tool to be very useful for ensuring that an OCS deployment has been built properly. 

Answering Agent Tool

The tool is essentially an answering agent to record a message.  A user can call the tool and record a message to analyze the quality of the call.  If you need to determine how you sound in a particular usage situation, you can call the tool, leave a message, then play it back.  This tool can be deployed to the end user community so that they can be aware of their call quality before they make a call.  For example, lets say you're working from a hotel and you want to know if the hotel bandwidth is sufficient to make high quality calls to important customers.  You can use the answering agent tool to validate the quality before making the call.

Console Logging

The console logger allows an administrator to review the operation of the OCS roles and functions in a very granular fashion.  The console enables the administrator to select specific logging options, logging levels, flags, and output processes.  I have personally utilized this tool in analyzing many different OCS issues and have found it to be invaluable. 

Enterprise Voice Route Helper

The enterprise voice router helper enables the administrator to investigate the operation of dial plans.  These include issues with normalization, location profiles, routes, and phone usages.  We've found this particularly useful for normalization and PSTN routing.  The cool thing about the application is that you can literally punch in a number an see how OCS will translate and route it for a particular user.  This is very useful for troubleshooting your own configurations before the affect the user community.    This tool can also be used to establish a test plan for any time a change to OCS is made. 

You can download many of these tools from the OCS 2007 Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=b9bf4f71-fb0b-4de9-962f-c56b70a8aecd&DisplayLang=en

I attended a session by Jeff Woolsey this morning on Hyper-V system architecture and networking.  Although this is a little bit of a repeat from the first session, I was very interested to see this session to focus on learning as much as possible about Hyper-V IO and networking.  The house was packed with people!  I'm thrilled to see just how many people are pumped about Hyper-V coming out.  It seems clear to me that Hyper-V has a significant value proposition and that it is going to totally change the server virtualization market.  It has been my experience that the mid-market is really excited about virtualization and the benefits that it provides. 

Scaling for IO and Networking

The planning of Hyper-V brings with it important planning for IO and networking capabilities, since many systems are now utilizing the same physical hardware.  It is very easy to fully utilize IO paths, since many virtual machines could be accessing those paths.  In the example of networking, the Hyper-V team recommends at minimum two network adapters per Hyper-V system, to separate management from VM networking.  In order to scale, the Hyper-V product allows for the creation of virtual switches, to which multiple physical network cards can be assigned.  The Hyper-V team also recommends that iSCSI NICs be dedicated to that function.

Redundancy and Hyper-V

In planning for Hyper-V it is very important to plan for system redundancy, since an outage of a Hyper-V server could mean a very significant production server outage.  This though was complemented by Jeff, who discussed the capabilities of Hyper-V to address VHD portability and high availability scenarios.  This allows for server consolidation in conjunction with recoverability. 

Backup and Snapshots

The Hyper-V server brings with it the capability to do live backups and live snapshots of virtual machines.  With DPM and other backup providers, the product can create copies of the VHD and store that on the backup system.  Hyper-V also supports manual and scriptable snapshots. 

Hyper-V Validation in Production

The Hyper-V product has been validated by many customers running the beta and RC products in production.  There are literally thousands of Hyper-V VMs in production under the TAP and RDP programs.  They are literally running almost every Microsoft application under Hyper-V.  The question "what should I not virtualized under Hyper-V"?  The answer "not much", the primary scenarios being when the system requires some type of physical device access not supported by Hyper-V (dongle, etc.).   The Hyper-V is capable of hitting most high performance computing scenarios, even for applications like Microsoft SQL or Exchange 2007.  This is made possible because of the hypervisor architecture.

System Center Virtual Machine Manager 2008

The latest version of the System Center Virtual Machine Manager product is a centralized console for virtualization management.  The product allows the administrator to control virtual machine distribution, movement, resources, snapshot creation, and template creation.   The template process is made possible through the virtualization library, where the administrator can create template systems stored as VHDs in a library that can be deployed to selected parent machines.  The product also includes a robust Physical to Virtual (P2V) conversion tool.  The product is capable of managing Hyper-V, Virtual Server, and VMware out-of-box. 

Summary Comments

I am continuing to become more and more excited about Hyper-V and the value it brings to infrastructure environments.  Hyper-V provides a high performance virtualization environment, integrated into the operating system, with licensing and management costs far superior to its competitors.  

I attended a session on Exchange 2007 Unified Messaging design and deployment.  This presentation was very interesting to me because I give Microsoft Unified Communications (OCS and Exchange 2007) presentations monthly, so I wanted to see the kinds of items they included in their own demo.  In our own internal demo we focus on showing combined Unified Communications capabilities between Exchange 2007 UC and OCS IM / Voice.  I was very excited to see a Exchange specific presentation to see where ours could be better augmented with features I may not have been aware of.  I found that the presenter did an excellent job of highlighting the Exchange 2007 UC functions in a customer engaging manner and in presenting the areas to obtain the necessary supporting resources.

In the demo the presenter setup a Exchange 2007 system extremely quickly (claim of less than 60 seconds).  This was a great demonstration of just how easy and integrated the Exchange 2007 Unified Messaging capability is, especially when compared to traditional messaging systems.

The presenter also overviewed the key features of Exchange 2007 UM, being the following:

• Voicemails and Fax in Exchange 2007 Inbox
• Automated Attendant
• Outlook Voice Access
• Outlook Web Access Voicemail and Play on Phone
• Anywhere Access

The Exchange 2007 gateway configuration for Unified Communications notes the existing gateways that we also use:

• Dialogic: http://www.dialogic.com/microsoftuc/products.htm
• AudioCodes:  http://www.audiocodes.com/Content.aspx?voip=2331

The Exchange 2007 MWI partners also includes the vendors that we've been working with successfully:

• Message Waiting Indicator (MWI) - (from presentation)
  • Geomant:  http://www.mwi2007.com
  • Interactive Intelligence: http://www.inin.com/Products/imi/
  • Enabling Technologies:  http://www.enablingtechcorp.com/Default.aspx?tabid=178

An item I was particularly interested in is the new announcement for the Microsoft UC Open Interoperability Program:

http://technet.microsoft.com/en-us/office/bb735838.aspx

Case Study Presentation

The presentation highlighted an Exchange 2007 Unified Messaging case study for Medtronic.  The company has 37,000 employees, in 120 countries.  This is a very impressive voice deployment because it shows how Exchange 2007 is not just for smaller companies, but is a rich, enterprise capable Unified Messaging solution. 

Factors to Consider

In the planning of an Exchange 2007 Unified Messaging deployment it is important to consider the following:

• Voice System
• Scalability
• Availability
• Recovery
• Bandwidth Requirements
• MWI Requirements

The presentation at Tech Ed 2008 was an excellent overview of Exchange 2007 UM with a nice case study and good resources for planning a unified messaging deployment.

I attended an overview review of the Data Protection Manager product to get a better idea of what the future of the product contains and how it fits into an overall enterprise backup strategy.  I had reviewed past versions of the product and was interested to see if it had reached a level of maturity that would allow it to fit the customers we work with.  In particular, I was interested to see how the DPM product fit into a Hyper-V virtualization strategy.

Data Protection Manager's Intended Function

The Data Protection Manager product is a Volume Shadow Copy powered backup product intended to backup the configuration of Microsoft application environments.  The backup capabilities include:

• Active Directory
• Exchange Server
• Sharepoint Server
• Hyper-V (DPM 2007 SP1)
• Virtual Server (DPM 2007)
• Windows XP / Windows Vista
• Windows Server 2003
• Windows Server 2008

The Data Protection Product is the combination of continuous data protection, disk backup, and tape backup written specifically for the Microsoft application platform.  It does not support non-Microsoft application backup.

The Data Protection Manager backup support the following backup strategies:

• Agent => Disk => Tape
• Agent => Disk
• Agent => Tape

A primary strength of Data Protection Manager is its continuous protection of Microsoft applications to disk.  The product is capable of protecting data throughout the day at a granular level, in increments of the administrator's choosing.  This enables the administrator to choose to perform recovery of applications like SQL or Exchange in small time increments.  Furthermore, because of the way the backup is performed, in many cases the product can recover the files and allow the SQL administrator to "play back" the log files to a specific transaction.  These scenarios represent a significant improvement over a typical "nightly backup".

The product utilizes disk in a block fashion in the following structures: 

• DPM Replica

This copy is the most recent "copy" of the data from the production system.  It is made up of the original backup + the block level changes copied over time.

• DPM Recovery Point Area

These copies are "displaced blocks" from the original data, able to be recovered through the retained DPM replica.  This enables older data to be recovered without requiring several copies of the same data on disk.

Virtual Server Backup

The active backup of Virtual Servers is a stellar component of DPM.  The capability to backup an entire guest operating system in a virtualized environment to tape is a huge value proposition.  Just being able to recover yesterday's VHD from tape to another virtual machine after a parent system hardware failure is awesome.

Client Installation

The client installation process can be accomplished through a remote install tool in DPM, group policy, SCCM, or manually.  The installation process through DPM will allow you to choose remote hosts and perform an install.  The installation does require reboot.

Licensing

The license types includes the "Standard DPML File License" and the "Enterprise DPML License", served by the singular agent type.  The Standard DPML license is used to protect file servers.  The Enterprise DPML license is used to protect applications, such as SQL, Exchange, or Sharepoint.

I attended a presentation on the System Center Configuration Manager 2007 R2 product release.  The key enhancements to the product include application virtualization management, client status reporting, server provisioning capabilities, integration with SQL reporting services, and integration with Forefront Client Security.

Application Virtualization Management

The System Center Configuration Manager R2 (SCCM R2) product is now integrated with the Microsoft Application Virtualization 4.5 (SoftGrid) product, enabling the distribution and removal of SoftGrid virtualized applications through SCCM packages.  The focus is on making the management of virtualized applications the same as managing physical applications where possible.   The core scenarios include package management, deployment, and inventory. 

The key enhancements related to application virtualization include:

• Deployment and Removal

The virtualized applications can be deployed to workstations through HTTP distribution or through a traditional "download and run" process.  This deployment supports both user and computer based targeting processes, based upon the collections in SCCM.  The deployment process also features removal of virtualized applications from the computer and local cache.

• Reporting with Asset Intelligence

The product includes the capability to inventory both physical and virtualized applications using the Asset Intelligence 1.5 feature set. 

Operating System Deployment

The SCCM R2 product includes features which allow for operating system deployment on bare metal using boot media or PXE boot processes.  The process no longer requires that you create the computer information prior.  The system now includes two new resources for both x86 and x64 unknown computers.  These resource are used to deploy operating systems to these computers when they become available.

Client Status Reporting

The SCCM R2 product includes a new enhancement to perform quality management on managed client systems.  The product includes reports out-of-box that provide client health analysis.  This is an enhancement on the functionality that was originally deployed in SMS 2003.

Reporting Services

The SCCM R2 product now leverages SQL Reporting Services for providing reports within the product.  This utilizes a new role called "Reporting Services Point".  It's excellent to see this feature finally converted to SQL Reporting Services so that it is consistent with the other Microsoft products in the System Center family.

Forefront Client Security

The SCCM R2 product will now integrate with the Forefront Client Security product, a Windows OS antivirus and malware protection product from Microsoft.   The SCCM R2 product can now deploy and report on the "states" of Forefront Client Security installations on client machines.

Review

I find the release of System Center Configuration Manager 2007 R2 to provide some key features, particularly in the utilization of SQL Reporting Services and integration with Microsoft Application Virtualization.

I attended a session on the new Identity Lifecycle Manager "2", which was overviewed at the keynote presentation.  I was interested to see where the Identity Lifecycle Manager line was going and especiallly to see more detail about the topics covered in the keynote.

The presenter talked about how Microsoft Identity Lifecycle Manager is Microsoft's leveraging of Active Directory and other identity components to ease the end user identity provisioning and management experience. 

The key question that is asked is "what is identity and access management".  It essentially contains, compliance and audit, policy management, access management, and credential management".  The key deliverable of ILM is easing the provisioning and management of the user and their various assets.  The key point is that a user is much more than their Active Directory account.  In the user setup process you are configuring the new user, certificates, permissions, passwords, laptop, ERP system account, and other identity information.  The ILM product is intended to ease the creation, management, and removal of the various assets and accounts for each business user.

Identity Lifecycle Manager 2007 vs. Identity Lifecycle Manager "2"

The Identity Lifecycle Manager 2007 was the original product, including identity synchronization, user provisioning, and especially certificate and smartcard management.  The version "2" product matures this product to include office integration for self-service, support for third party CAs, codeless provisioning, group and DL management, and workflow / policy capabilities.  

ILM "2" Principals

The key delivery principals of ILM v2 as described by Alex Weinert are:

• Alignment Experiences

The product focuses on ease of use, "defeating" the simple help desk call for password resets and common user provisioning tasks.

• Integrated Policy Management

The product unifies the process of controlling an identity "type" within an organization.

• Extensible Platform

The product is intended to be extensible through partner products.  This includes provisioning tasks, workflow, integration with third party apps, etc.

• Enhance Existing Investments

The product is intended to make other applications better by providing greater integration between identities.  In addition, the product is web service based application.

The ILM application is a "hub and spoke" architecture which provides centralization for the following "identity stores" through the ILM Sync DB database:

• Directories
• Applications
• Databases
• Mail Systems

The ILM application utilizes its centralized information to provide the following "solutions":

• Group Management
• User Management
• Credential Management
• Policy Management

The key point about the solutions built for this application, is that they are all built with the same tools that are available to the application developer community.  The pre-build "bulls-eye  scenarios" are simply solutions build for the ILM product, but custom development is encouraged to utilize ILM for custom solutions.

Policy Definitions

The policy definitions in ILM are built on a set of expressions, essentially including the actors and actions in the change to be performed.  This is essentially a combination of nouns and verbs about what you'd like to accomplish with a particular expression. 

The policy rules in ILM essentially include the following objects

• Principal
• Action
• Target (initial)
• Transition
• Target (final)

Process Workflow

The demo highlighted the awesome process design and workflow engine that is accessible from the web GUI or creatable through Visual Studio.  I was very impressed by the flexibility and ease of use in this environment.  This workflow is also very extensible in respect to non-Microsoft application activities.   I could see this being very relevant where when provisioning a new user, the ILM application goes out and kicks off an application which provisions a user in an ERP system, a web site, or kicks off a request in a Sharepoint system.