
Good news - as of a few hours ago, both Technet Plus and MSDN subscribers can download Windows Vista (both x86 and x64) from the relevant subscriber download site. If you weren't aware, Office 2007 (Professional, InfoPath, OneNote, Groove, Project Professional and Visio Professional) was posted up at the end of last week.

Cool :)
Cheers,
John.

So now Windows Vista and Office 2007 are here, I've been upgrading to the RTM build on my home machines over the weekend. One little foible I've found is with running the UK edition of Microsoft Money 2005 under Windows Vista.

Once Microsoft Money is installed and you open your previous money file, it will sit there for a while attempting to compact your money file, then fall over in a heap. There is an update which Money needs, but you can't install it if you can't run it. This KB describes the process in more detail.

The workaround, it turns out, is relatively simple. However the symptoms above give no indication of the problem directly. What you need to do is turn off UAC (User Account Control).

Click "Start/Control Panel"
Click "User Accounts"
Click "User Accounts (again)"
Click "Turn User Account control on or off"



Reboot the machine

Now you can follow the KB I linked to above to use the sample money file to update.

PLEASE: now repeat the above steps to turn UAC back on again and reboot. This is really important; I sincerely recommend you run with UAC turned on.

Now you can open your old Money file as normal again.
Hope this helps someone
Cheers,
John.

Good news. I've just noticed the launch of the "VHD Test Drive Program". In a nutshell, this is a capability to be able to download evaluation enterprise software pre-configured in a Virtual Hard Disk (VHD) to run under Virtual Server 2005 R2.

Take a look here for more information. I just took a quick peek and there's SQL Enterprise Edition 2005 SP1, Windows Server 2003 R2, Exchange 2007 Beta with Live Communication Server 2005, and ISA Server 2006 Standard Edition. The download centre itself can be found here.

The press announcement can be found here.

Cool!
Cheers,
John.

I apologise in advance - this is probably the *WORST* bit of scripting I have ever written. However, this is stage one and no doubt it will undergo many months of optimisation before I'm finished - it does the job, that's about it.

As I alluded to a few weeks ago, I tend to go through a monthly routine of defragging/pre-compacting/compacting/zipping my VMs. Although partly automated, I've been playing with a mechanism to get the VM and the host to play nicely together and go through the routine in a fully automated way. This is in addition, of course, to nightly backups of user data, exchange data etc - this is just to make sure I can come in on a Sat morning and backup a load of compact ZIPs to a DVD for disaster recovery purposes.

The biggest problem in solving the fully automated problem is that of synchronising and signalling between the guest and host. However, Windows Server 2003 gives you that for free if you know where to look, without needing to write any custom code (apart from the action itself).

The end-to-end plan looks like this:

In the guest

- Create a weekly/monthly scheduled task
- Stops all services to free up in-use files but keep the machine running
- Defrags each hard disk
- Runs the VS Precompactor in "Silent" mode
- Starts the services which were stopped (optional due to next step)
- Signals the host machine to say I'm ready to do the compacting
- Shutdown, forcing open applications to close

On the host

- Wait for the signal
- Wait for the VM to shutdown
- Compact each hard disk of interest [See note]
- Add each compacted hard disk to a new archive
- Start the VM.

Note: I tend to use a separate swap VHD, so there's no point compacting or archiving these.

The signalling comes in the form of EventCreate and EventTriggers. EventCreate is a bit of VBScript which writes an event to the event log, either locally or remotely, using alternate credentials if necessary - the remote bit being ideal here. EventTriggers allows a machine to watch the event log and call a program/script once that event is seen.

So lets put this into practice. On each guest (a Virtual Domain Controller, or "VDC" in this case), I have a c:\defrag directory containing Dave's defrag tools I mentioned a little while back, and a defragandcompacttask.cmd script containing the following:

<stop services>
c:\defrag\defrag -d c:
c:\defrag\defrag -d n:
c:\precompact\precompact -Silent
eventcreate /T WARNING /D "VDC Ready for compaction" /ID 777 /SO John /L Application /S [HOST] /U [domain\user] /P [password]
shutdown /s /f /m \\vdc /t 0 /c "Precompact"

The first line is custom to the VM and consists of a series of "net stop <service>" commands.
The next two lines are hopefully obvious: Defragging the C (system) and N (NTDS) drives. Customise as appropriate.
The next line is similarly obvious - it calls the Virtual Server precompactor in silent mode.
The next line creates an event on the VS host. It's the "777", an arbitrary figure I chose for this VM, which is the trigger. The other parameters to eventcreate are for a WARNING level entry, a description, the Source (makes filtering easier), the Application log, and the host and credentials. Note that because the password sits in plain text in this script, I created a basic user account with limited privilege in AD whose only job is to create the log entry on the host.
Lastly, the script forces a shutdown.


At this point, there will be a delay while the VM shuts down.

Let's move on to the host. Again, apologies for the worst form of scripting I've ever hacked together. The first thing you need is the trigger picking up the event - 777 in this case. As I have multiple VMs, I have a createtriggers.cmd script which re-creates the triggers if necessary, containing lots of similar lines - each one varies the event ID and the VM name (again, this was VDC, so it should be obvious).

eventtriggers /create /L Application /T Warning /EID 777 /TK b:\backups\vms\777.vdc.vbs /tr vdccompact /so John

This script will fire when it sees an event like below:

The next thing is the 777.vdc.vbs VBScript where all the heavy work happens. I'll annotate it throughout hopefully without having broken it along the way :)


' Change the name of the VM here
Const VM="VDC"
Const BackupDir="b:\backups\vms"

' Change to an appropriate archiver here
Const YourArchiver="<path_to_your_archiver eg winrar or winzip.exe>"

' These come straight out of the VS programmer's help
Const vmVMState_TurnedOff = 1
Const vmVMState_Running = 5

szDate = Year(now)&"-"&month(now)&"-"&day(now)
szArchiveName = BackupDir&"\"&szDate&" "&VM&".rar"
set objShell = CreateObject("WScript.shell")


' This is a common routine so that I can log progress through the host's event log
Sub LogEvent(lID, szData)
    szCmd = chr(34) & "EventCreate" & chr(34) & " /T INFORMATION /D " & _
            chr(34) & szData & chr(34) & " /ID " & lID & _
            " /SO John /L Application"
    objShell.Exec szCmd
End Sub


LogEvent 600, VM & " precompact trigger received"

' Now we start: we need a reference to the VM object
Set objVS = CreateObject("VirtualServer.Application")
Set objVM = objVS.FindVirtualMachine(VM)

' Once it's shut down, call compact and add to archive
if 0 = WaitForShutdown() then
    Call Compact
    Call AddToArchive
end if


' Start the VM running
LogEvent 612, "Starting " & VM
objVM.StartUp


' Wait for it to start, logging an error if it fails
' ("and" rather than "&" here: the ampersand is string concatenation in VBScript)
i = 0
while (i < 100) and (objVM.State <> vmVMState_Running)
    LogEvent 613, "Waiting for " & VM & " to enter running state"
    i=i+1
    wscript.sleep 10000
wend
if objVM.State <> vmVMState_Running then
    szCmd = chr(34) & "EventCreate" & chr(34) & " /T ERROR /D " & _
            chr(34) & "VM " & VM & " did not restart." & chr(34) & _
            " /ID 604 /SO John /L Application"
    objShell.Exec szCmd
else
    LogEvent 615, "Compaction of " & VM & " completed :)"
end if

' Hopefully fairly straightforward
Function WaitForShutdown
    WaitForShutdown = 0
    iCount = 0
    while (objVM.State <> vmVMState_TurnedOff) and (iCount < 100)
       LogEvent 601, "Waiting for VM " & VM & " to shutdown"
       wscript.sleep 10000
       iCount = iCount + 1   ' increment the loop counter so the 100-poll limit is honoured
    wend

    ' Error if VM did not shut down
    if (objVM.State <> vmVMState_TurnedOff) then
        WaitForShutdown = -1
        szCmd = chr(34) & "EventCreate" & chr(34) & " /T ERROR /D " & _
                chr(34) & "VM " & VM & _
                " did not shut down! Compact failed." & chr(34) & _
                " /ID 601 /SO John /L Application"
        objShell.Exec szCmd
    end if
end Function


' Where the compaction actually happens
Sub Compact()
      LogEvent 603, "Compaction for VM " & VM & " starting"

      ' Get a reference to each hard disk connected
      set colHDConxns = objVM.HardDiskConnections

      ' Loop through each VHD
      for each objHDConxn in colHDConxns

          ' Get a reference to the hard disk itself
          set objHD = objHDConxn.HardDisk

          ' I'm not interested in the swap file, or the big WSUS data VHD
          if 0=instr(1,lcase(objHD.File),"swap") and _
             0=instr(1,lcase(objHD.File),"wsus data") then
              LogEvent 605, "Compacting " & objHD.File & ". " & _
                            "SizeInGuest: " & objHD.SizeInGuest & " " & _
                            "SizeOnHost: " & objHD.SizeOnHost

              iBefore = objHD.SizeOnHost

              ' Start a compaction task running, and report progress periodically
              set objTask = objHD.Compact
              while not(objTask.IsComplete)
                  LogEvent 606, "Compacting " & objHD.File & " " & _
                           objTask.PercentCompleted & "%"
                  wscript.sleep 10000
              wend
              LogEvent 607, objHD.File & " compacted. SizeOnHost: " & _
                            objHD.SizeOnHost
          else
              LogEvent 604, "Ignoring compaction on " & objHD.File
          end if
      next
end sub

' Hopefully self evident apart from why I have to set objVM=Nothing near the top.
' VS locks the VMC otherwise
Sub AddToArchive()

    ' Add the VMC to the archive. szArchiveName carries the backup directory and
    ' extension, and the archive name contains a space, so it must be quoted.
    szCmd = chr(34) & YourArchiver & chr(34) & " A " & chr(34) & szArchiveName & _
            chr(34) & " " & chr(34) & objVM.File & chr(34)
    LogEvent 610, "Adding " & objVM.File & " to " & szArchiveName
    set objVM=Nothing ' Need to do this as the VMC is locked otherwise
    set wsx=objShell.Exec(szCmd)
    while wsx.Status = 0
        wscript.sleep 1000
    wend
    set objVM=objVS.FindVirtualMachine(VM)

      ' Add each VHD we're interested in to the archive
      set colHDConxns = objVM.HardDiskConnections
      for each objHDConxn in colHDConxns
          set objHD = objHDConxn.HardDisk
          if 0=instr(1,lcase(objHD.File),"swap") and _
             0=instr(1,lcase(objHD.File),"wsus data") then
              LogEvent 610, "Adding " & objHD.File & " to " & szArchiveName
              szCmd = chr(34) & YourArchiver & chr(34) & " A " & chr(34) & szArchiveName & _
                      chr(34) & " " & chr(34) & objHD.File & chr(34)
              wscript.echo "Executing " & szCmd
              set wsx=objShell.Exec(szCmd)
              while wsx.Status = 0
                   wscript.sleep 10000
              wend
          end if
      next
end sub
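As an added example (not the post's own code, and nothing that Virtual Server ships), here is the host-side logic modelled in Python so the steps can be exercised without a VS host: the wait-for-shutdown poll with a working timeout, the swap/WSUS-data exclusion, a date-stamped archive path, and an archiver command line built with proper Windows quoting (the date-stamped archive name contains a space, which hand-built command strings easily get wrong). The trigger_matches() check is my own addition: eventtriggers filters on event ID and source only, so the script also compares the computer name recorded in the event with the expected guest before doing anything. Function names, the sample event and the sample VHD paths are assumptions constructed for this example.

```python
"""Host-side compact-and-archive flow, modelled in Python (added example).

The original is VBScript started by eventtriggers. This version keeps the same
steps so they can be run and tested without Virtual Server. All names, sample
events and sample paths are constructed for the example.
"""
import subprocess
import time
from datetime import date

# State values as the post quotes them from the Virtual Server programmer's help.
VM_STATE_TURNED_OFF = 1
VM_STATE_RUNNING = 5

# Path fragments the post excludes from compaction and archiving.
SKIP_FRAGMENTS = ("swap", "wsus data")


def trigger_matches(event, expected_id, expected_source, expected_computer):
    """Accept a trigger only if ID, source and originating computer all match.

    eventtriggers itself matches on ID and source; comparing the computer name
    recorded in the event is an extra guard (this example's addition) so that an
    event raised for one guest cannot start the routine for a different VM.
    """
    return (event.get("id") == expected_id
            and event.get("source") == expected_source
            and event.get("computer", "").lower() == expected_computer.lower())


def wait_for_state(read_state, target, attempts=100, interval=10.0, sleep=time.sleep):
    """Poll read_state() until it returns target; False if attempts run out.

    Mirrors WaitForShutdown in the post, with the loop counter actually
    incremented so the poll limit is honoured. 'sleep' is injectable for tests.
    """
    for _ in range(attempts):
        if read_state() == target:
            return True
        sleep(interval)
    return read_state() == target


def disks_to_compact(vhd_paths):
    """Return only the VHDs that should be compacted and archived."""
    keep = []
    for path in vhd_paths:
        low = path.lower()
        if not any(frag in low for frag in SKIP_FRAGMENTS):
            keep.append(path)
    return keep


def archive_name(backup_dir, vm, stamp=None):
    """Date-stamped archive path, e.g. b:\\backups\\vms\\2006-11-20 VDC.rar.

    Uses ISO (zero-padded) dates; the post's szDate is unpadded, which sorts
    badly in a directory listing.
    """
    stamp = stamp or date.today().isoformat()
    return f"{backup_dir}\\{stamp} {vm}.rar"


def archive_command(archiver, archive_path, files):
    """Build the archiver command line: <archiver> A <archive> <files...>.

    subprocess.list2cmdline applies Windows quoting rules, so arguments with
    spaces (the archiver path, the date-stamped archive name) are quoted and
    the rest are left bare.
    """
    return subprocess.list2cmdline([archiver, "A", archive_path, *files])


if __name__ == "__main__":
    # Constructed sample: the event the guest's eventcreate line would raise.
    event = {"id": 777, "source": "John", "computer": "VDC"}
    if trigger_matches(event, 777, "John", "VDC"):
        disks = disks_to_compact([r"c:\vms\vdc\VDC.vhd", r"c:\vms\vdc\VDC swap.vhd"])
        print(archive_command(r"C:\Program Files\WinRAR\winrar.exe",
                              archive_name(r"b:\backups\vms", "VDC"), disks))
```

The quoting function is the part worth keeping even if the rest stays in VBScript: the post's archive name is "<date> <VM>", and an unquoted space in that position makes the archiver treat the VM name as the first file to add.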


And that's it
Hope this is useful
Cheers,
John.


 

Up to yesterday, the VHD format was available for licensing from Microsoft. Whereas that still exists for those who have previously licensed the format, the VHD format is also now available to everyone under the Open Specification Promise.

There's lots more information about what this means on the Windows Server Division blog
Cheers,
John

I meant to publish this earlier today, but I've been on a course with flakey Internet. Ben was on the ball though - for more info on how to sign up for the Virtual PC 2007 Beta, more details are on his blog.

Cheers,
John.

A problem I've been doing some headscratching with recently I managed to solve this evening - hopefully this will prove useful for others. And yes, before you ask about the subject line, I did have ISA 2006 installed at one point, but went back to ISA 2004 due to some other problems with the upgrade - another day for that. I need to get my test domain back running again first rather than implementing an upgrade straight into production - not wife friendly, if you understand what I mean ;)

So on to today's problem. I've not been able to upload files or delete existing files through an FTP client which is behind my ISA 2004 server - I've been getting access denied messages. In other words, it was to all intents and purposes read-only.

I knew it wasn't my ISP as it worked fine when the same machine was directly connected to the Internet. Hence, it was somewhere hidden in the depth of the ISA 2004 configuration. I have an individual rule to allow FTP.

Well, it turns out, if you right click on an FTP rule and choose to configure FTP, there's a non-obvious little check box which I didn't know about.

A simple check later and, after applying the policy, it all works.

Hope this is a useful tip to someone!
Cheers,
John.

I've been meaning to try this for a while and finally got round to it at the weekend. Currently, on a monthly backup (or so - you know how things get in the way), I'll compact my Virtual Machine images running on my home domain, zip them up and burn them to DVD, and/or copy them to an external hard-drive for disaster recovery purposes. Obviously, each month this can be a bit tedious - the defrag/pre-compact/compact etc. - I may even get round to semi-automating this when I get some time. However, that's not what I'm writing about today.

One of my frustrations is that I've never been able to fit my six most critical VMs (IIS Web Server, Domain Controller, Exchange Server, WSUS (but not the 12 GB of data), Certificate Authority and ISA Firewall) on a single DVD. Until now that is. Of course, if you look back through my blog, you'll get the idea that each VM is running a fairly tight ship in terms of minimising what's physically on disk. However, I've been filling up around 7GB, or just under 2 DVDs each month so far just for VMs (plus another couple of DVDs for essential user data and other backups).

Yes, I could cheat and use a double-sided burner (which I do have, just not the DVDs themselves), but where would the fun lie in that? Instead, I turned to a utility I found out about maybe 15 or 18 months ago but never tried. Boy - I'm impressed with the end results. An example of some of the resulting ZIP sizes:

- Web Server: 420MB (Including logs but no data - it points at DFS shares hosted elsewhere)
- Certificate Authority: 520MB
- Exchange 2003 (With a lot of "family" data): 832MB
- ISA 2006 Firewall: 898MB (Including 12 months worth of log files)
- Domain Controller: 480MB

This was a saving of between 20 and 65% over last month's backup. I've no idea why the huge difference in result - again, for another day's investigation. Each VM is running a full-blown Windows Server 2003 Enterprise Edition R2 OS. The answer to the figures lies in the choice of defragmentation utility prior to running the disk pre-compactor. Now please see my disclaimer - any utility operating at a disk level can cause loss of data, this utility is not a Microsoft supported or endorsed product, and your mileage may vary. Also, it's worth turning off all unnecessary services before running defragmentation (in my experience, that is). With that said, check out here.

By the way - all my VMs have a separate fixed disk to hold the swap file. I don't back these up - if you can't get figures close to these, that may be another thing to consider, as well as looking back through my blog for other tips.

Cheers,
John.

If you weren't aware, you can register for redistribution rights for Virtual Server 2005 Enterprise Edition through this recently published link.

Cheers,
John.

Following on a previous entry in April, within the last hour, Beta 2 of Virtual Server 2005 R2 SP1 has been made available for public release. For more information, sign up at http://connect.microsoft.com

Beta 2 introduces support for AMD Virtualization Technology (formerly Pacifica) for hardware assisted virtualization. Beta 1 previously introduced this support for Intel VT. If, on the host, you are running an x64 version of Windows on an AMD machine, you will need to install a hotfix _before_ installing Beta 2. More information is in the release notes.

Beta 2 also introduces VSS support, a long asked for capability to be able to perform snapshot backups, and support for mounting of Virtual Hard Disks.

As always, please remember to take all the normal precautions - NOT deploying Beta software in your production environment, limiting it to test use only and reading the release notes carefully. Oh, and don't forget to shutdown (not save the state of) your VMs before upgrading to this build. Otherwise, enjoy!

More information can be found here.

Cheers,
John.

PS - No, I haven't forgotten the Secure Wireless Network stuff - just I'm extra busy right now... Normal service will be resumed shortly :)

Continuing the configuration of a secure wireless network, this part deals with configuring the IAS server to recognise authentication requests from your wireless device. The first part of configuring IAS is configuring a RADIUS client. In this case, it is the wireless box. There's a simple wizard built into IAS to walk you through this.

Right-Click RADIUS Clients and select new client

Give it a friendly name and the IP address assigned to your wireless device (note I'm disguising my actual IP address range and internal domain names in this article).

If your wireless vendor supports the RADIUS standard, choose this. Otherwise, from the drop-down list, choose the appropriate setting. Also now re-type the shared secret password you configured on your wireless box. NOW you see why I recommended the use of notepad in the previous article :)

Finally, your screen should look similar to below


Next you need to configure a wireless access policy in IAS. If you select the Remote Access Policy node in the IAS MMC, you'll see a couple of default policies. In our case, we need to configure a new access policy for wireless. Fortunately, again everything can be configured through a wizard.

Right-click on Remote Access Policies and choose "New Remote Access Policy"

After the intro page to the wizard, a typical policy is probably sufficient for most needs. Give it an appropriate name such as, logically I guess, Wireless

On the next page, choose Wireless

On the next page, select the appropriate groups from Active Directory you wish to allow wireless access to. You may wish to allow all users, or maybe just selected users (in my personal case I have a specific group for wireless access - the reason for this may become apparent later on when it comes to adding accounts from un-trusted domains. The screen shot just shows domain users though).

Now comes the important part. On the next screen, for the EAP type for this policy (assuming you do want this secure), use Smart Card or other certificate.

Click the configure box. At this point, you'll realise you need a certificate authority (but hopefully that will be obvious).

If you're astute, you'll notice in my case I have a certificate for Domain Controller Authentication being issued to the DC. That in itself was a little challenging, but the CA documentation is pretty readily available online :) That's pretty much the end of the wizard.  Once the wizard is complete, it's worth revisiting the settings for the wireless policy and ensure that the only encryption setting checked is that for strongest encryption - by default, all encryption settings are allowed.


At this point, you're pretty much there for the basics. I guess it's group policy next. (It may be a few days to prepare the next blog post part - takes a while to prep the screenshots and walkthroughs).
Cheers,
John.

So there are many tricks to optimising the size of a VHD. One which I always use, but which appears not to be widely known about, is to turn off the system file checker. Of course, this has its downsides and your mileage may vary. In practice you can reduce a VHD by some 300M or so on an instance of Windows 2003 SP1.

To turn off SFC, open a command prompt (must be elevated if run on Windows Vista or Longhorn Server) and run

sfc /cachesize=0
sfc /purgecache

Then perform the standard compaction routine (if this is a dynamically expanding disk).
Cheers,
John.

[Corrected 8/16 as per comments, 300K isn't much of a saving. I did indeed mean 300MB;)]

So I've got a few blog posts which piece together something I've been trying to do (and finally got working) since moving to Seattle. Namely - set up a secure wireless network. Now, I did have a wireless network at home when I was in England, but it wasn't secure. Well, it was, just not quite as secure as I could achieve with the infrastructure I have running (namely AD and a host of virtual machines running all sorts of services).

Some of this may be old news, some new to you. However, if you're a novice at setting up WPA, I hope this will help. Now of course, I didn't want just WPA, I wanted "guest" machines to be able to connect to the network - guests as in non-domain joined machines, or more accurately guest machines which are joined to another domain (such as my corporate laptop), running Windows Vista (of course) to also be able to connect to the network.

The first step in all of this is obviously the hardware. I bought a relatively new Linksys Wireless G box which supported WPA.

The basics are fairly obvious, such as giving it a static IP address in your subnet, putting a secure password on the administration access, an SSID, the wireless channel (best not to clash with neighbours) and (optionally, but useful) configuring a host name in your internal DNS server. Much nicer to be able to go to http://wireless than http://192.168.x.x. Some people would also advocate hiding the SSID from broadcast. Personally, if you've secured the back-end, I don't see there's a lot of value in this considering it's just too easy to use off the shelf tools to find hidden networks.

At this stage, you're on to configuring WPA itself. The first step in this is making sure your wireless box is configured for WPA-Enterprise mode with TKIP encryption and pointing at a RADIUS server on your network. In my case, I have a couple of RADIUS servers, both on DCs. Unfortunately, the Linksys configuration doesn't allow for a backup RADIUS server (some DLink boxes do - worth checking first if this is important to you). Important - make sure you choose a REALLY secure shared secret password. A random password generator is recommended. Also, copy it to notepad somewhere so you can paste it later. Your screen should look similar to below at this point.
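The shared secret entered here on the wireless box, and again on the IAS RADIUS client entry in the following part, is what lets each side check that a RADIUS packet came from the other. As an added example (not from the posts, and not IAS or Linksys code), the following Python builds an Access-Request carrying the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret, which IAS requires for EAP requests) and an Access-Accept carrying the RFC 2865 Response Authenticator (MD5 over the reply plus the secret), then verifies both. Packet contents, the secret and the user name are constructed for the example.

```python
"""RADIUS shared-secret authentication between an access point and a RADIUS
server, as an added example. The secret never travels on the wire; it keys the
Message-Authenticator (RFC 2869) and is appended to the Response Authenticator
hash (RFC 2865). All packet contents here are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(atype, value):
    """Encode one attribute as Type | Length | Value (length includes the header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    """Code | Identifier | Length | 16-byte Authenticator | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(secret, ident, username, nas_ip, request_auth=None):
    """Access point side: build an Access-Request with a Message-Authenticator.

    The HMAC is computed over the whole packet with the attribute's 16 value
    bytes set to zero, then written into that slot.
    """
    request_auth = request_auth or os.urandom(16)   # random Request Authenticator
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_NAS_IP, nas_ip)
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    unsigned = packet(ACCESS_REQUEST, ident, request_auth, attrs + placeholder)
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the attribute value zeroed and compare."""
    attrs = pkt[20:]
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:                      # malformed attribute; refuse the packet
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            claimed = attrs[pos + 2:pos + alen]
            zeroed = pkt[:20] + attrs[:pos + 2] + bytes(16) + attrs[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        pos += alen
    return False   # no Message-Authenticator present


def access_accept(secret, request_pkt, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident = request_pkt[1]
    request_auth = request_pkt[4:20]
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_pkt, response_pkt):
    """Access point side: accept the reply only if it was computed with the secret
    over the Request Authenticator we sent (so a forged Access-Accept is rejected)."""
    if response_pkt[1] != request_pkt[1]:
        return False
    header, resp_auth, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"constructed-secret-for-this-example"      # assumption, not a real secret
    req = access_request(secret, 7, "alice", bytes([192, 168, 0, 2]))
    print("request accepted by server:", verify_message_authenticator(secret, req))
    acc = access_accept(secret, req)
    print("reply accepted by access point:", verify_response(secret, req, acc))
    print("reply accepted with wrong secret:", verify_response(b"wrong", req, acc))
```

Both checks are keyed MD5 constructions with nothing but the secret protecting them, so anyone who can observe RADIUS traffic between the access point and the DC can test candidate secrets offline against a captured packet pair. That is the reason behind the post's advice to use a generated secret rather than a memorable one, and to keep the RADIUS server on the wired side of the network.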

The next stage (if you haven't already done so) is to install the Internet Authentication Service (IAS) to provide RADIUS services on an appropriate machine on your network. It's hidden away under Add/Remove Programs, Windows Components, Networking Services.

In the next part, I'll walk you through configuring the IAS server.

Cheers,
John.

This webcast coming up next week took my eye as I've recently put in a (hopefully) secure wireless network at home over the past few weeks since moving over to the US. There's a few blog posts about that and some of the pain which has been involved - it isn't as easy as you'd think.

Wednesday, August 16, 2006 10AM PST (6PM UK)
Pre-Registration Available Now. Click to register

Experience a live on-line demonstration of Microsoft’s identity-based, policy-driven network authentication infrastructure built on Windows Server 2003 and Windows XP. Together with Aruba Networks Mobile Edge, learn how to deploy a secure wireless LAN end-to-end from the experts.
Microsoft and Aruba Networks professionals will be online to answer your questions in real-time.
Featured Products:
- Microsoft Windows Server 2003 R2 Internet Authentication Service (IAS), Active Directory and Group Policy
- Microsoft Windows XP SP2
- Aruba Networks Aruba 800 Mobility Controller and Aruba AP70 Access Point
 

Webcast Details
- This webcast will include a compelling live demo of how to configure the solution for the most common identity-based wireless access scenarios.
- Experts will enable the most common wireless LAN access scenarios through flexible access policies in both the Windows Server 2003 Internet Authentication Service (IAS) and the stateful firewall in the Aruba Networks' Mobility Controller.
- The demonstration will show how to configure secure, role-based access for trusted employees and short-term contractors using company-managed PCs and a guest using their personal PC. To validate the security of the solution, access rights for an untrusted "hacker" will be shown before configuring the solution for secure role-based access and then afterwards.

A revised version of the VM Additions which supports current public builds of Windows Vista Beta 2 (5384, June Refresh Build 5465 and July Refresh Build 5472) in Virtual Machines is available. If you aren't already registered for the Virtual Server 2005 R2 SP1 Beta program, sign up through http://connect.microsoft.com where the additions are available. The additions are version 13.709.

Be sure to uninstall any previous additions first.
Cheers,
John.

 
