Archives for posts with tag: Windows

SCCM 2007 Not a Virtualization Candidate?

August 26, 11 //
8

The last cou­ple of days I’ve been in train­ing class, tak­ing the 6451B Plan­ning, Deploy­ing and Man­ag­ing Microsoft Sys­tem Cen­ter Con­fig­u­ra­tion Man­ager 2007 course.

One of the first things that got men­tioned, was that for larger deploy­ments you should not run Sys­tem Cen­ter Con­fig­u­ra­tion Man­ager vir­tu­ally. Of course, this caught my eye as I’m a pro­po­nent for the vir­tu­al­ize first “movement”.

It runs out that the rea­son for this is that Con­fig­u­ra­tion Man­ager is some­what poorly designed, as just about every­thing it receives from the clients in the net­work is placed in text based log files (inbox folder) before being processed and pumped into the back-end SQL DB. SCCM lives for and eats log files for a living.

I’m sure there are good rea­sons for this, espe­cially back in the day when SCCM 2007 was devel­oped, but in ret­ro­spect this seems to be a poor design choice. Espe­cially since the IO inten­sity of writ­ing text-based log files is high, and doesn’t scale well when you have loads of clients which SCCM 2007 sup­pos­edly is designed for in the first place.

There are ways of alle­vi­at­ing the strain on the machine run­ning SCCM, like run­ning the SQL server on a dif­fer­ent server and run­ning the man­age­ment con­sole on your local com­puter (remem­ber a Win­dows server is tuned, by default, to pri­or­i­tize back­ground tasks), but the fact remains that sum of all the small write oper­a­tions SCCM con­stantly does to your stor­age puts a heavy strain on it.

So, if you want to run SCCM 2007 vir­tu­al­ized in your envi­ron­ment, make sure your stor­age is up to the task and that you don’t sat­u­rate it by deploy­ing what is in essence man­age­ment soft­ware. Per­haps it is bet­ter to run it on a phys­i­cal server with ade­quate local stor­age, but don’t blame it on vir­tu­al­iza­tion, blame it on poor design in SCCM 2007.

Hope­fully Con­fig­u­ra­tion Man­ager 2012, which is cur­rently in beta 2, behaves bet­ter when it’s released. If not, how will Microsoft defend not get­ting real per­for­mance when run­ning it in Hyper-V (or any other Hypervisor).

Exchange 2010 SP1 and KB2393802 or How to Have an Interesting Afternoon at the Office

July 6, 11 //
1

Let me start this post out with a lit­tle story. I am nor­mally a hard­core vir­tu­al­iza­tion and stor­age guy. Some­times my career in this sec­tor brings me into work­ing with stuff I haven’t worked with before because vir­tu­al­iza­tion encom­passes so much. As I con­tinue to work with other teams I learn more and more about what they do every­day. I usu­ally find myself involved in every per­for­mance trou­bleshoot­ing ses­sion and every new project these days. My per­sonal phi­los­o­phy is the IT guy of the future will be truly con­verged just as all the tech­nolo­gies are con­verg­ing into 1 box or “stack”. Spe­cial­ties in smaller sub­sets will fall away and a more spe­cial­iza­tion in every­thing Dat­a­cen­ter may become the norm.

Early Mon­day morn­ing I over­heard a con­ver­sa­tion about con­nec­tion issues with our new Exchange 2010 envi­ron­ment while drink­ing some cof­fee and review­ing my brand new vSphere design. I didn’t think about it very much until my boss came to my desk and asked me to have a look at the prob­lem. Our mes­sag­ing guy was on vaca­tion and I was the only other per­son on staff who had some mes­sag­ing expe­ri­ence. It seems that all of our global and even local offices were com­plain­ing about ran­dom exchange dis­con­nec­tions and also includ­ing email deliv­ery delays from 30 min­utes to 4 hours! It seems Activesync devices and OWA users were not affected by these delays at all. Being always up for learn­ing new stuff I took the challenge.

First let’s start with the quick facts I could put together. We had users in every coun­try we have offices com­plain­ing about the ran­dom dis­con­nec­tions and delays. I had one actu­ally con­firmed in China but had some slight trou­ble get­ting exact user names from the local IT per­son. Also we had con­nec­tions ran­domly dis­con­nect­ing and show­ing dis­con­nected in the lower right hand cor­ner of the out­look client. I did not have any con­fir­ma­tion of who exactly was hav­ing these prob­lems. To start I dug through the event logs on all the servers in the Exchange 2010 envi­ron­ment and the amount of errors I found was over­whelm­ing. To shorten this up a bit and not write a novel most all of those I inves­ti­gated were directly related to run­ning Exchange 2010 SP1 with­out any update rollups in place. There were cor­re­spond­ing KB arti­cles from Microsoft con­firm­ing these fixes in var­i­ous update rollups.

I noticed an Event ID 2915 on our CAS servers that stuck out. I noticed sev­eral EWS and RPC con­nec­tions report­ing “Ses­sion Limit Over Bud­get”. I cor­re­lated this with the Default Throt­tling Pol­icy Exchange 2010 uses. It seems that the more mail­boxes a user opens the more con­nec­tions Exchange cre­ates. It doesn’t some­how trun­cate these con­nec­tions. To under­stand more about the Default Throt­tling Pol­icy see Under­stand­ing Client Throt­tling Poli­cies. So I quickly whipped up a pow­er­shell script that set the Throt­tling Pol­icy defaults to Null so there was no restric­tions (funny Microsoft states as a workaround just to do this if you encounter an issue).
If you are inter­ested in see­ing this script or want me to go deeper about Throt­tling Poli­cies con­tact me, but this arti­cle isn’t quite about this so I will move quickly on.

After the Throt­tling Pol­icy was changed the reported dis­con­nec­tions stopped but the deliv­ery delays con­tin­ued as men­tioned all around the globe. With the other prob­lem out of the way I began to real­ize that the prob­lem seemed very ran­dom. Some users expe­ri­enced it, some not, some couldn’t tell me whether they expe­ri­enced it or not. This is when the hours of fruit­lessly dig­ging through con­fig­u­ra­tions to learn them and read­ing about Exchange 2010 on Google began. I noticed our mail­box servers were set up in an active — active con­fig­u­ra­tion with bidi­rec­tional repli­ca­tion using DAGs. This is when I decided to go back to basics of trou­bleshoot­ing. I went over to my col­league sit­ting next to me and sent var­i­ous test mes­sages to him. All of them were promptly deliv­ered with­out any prob­lems. I noted down what server his mail­box was run­ning on and moved on. Then I walked around the IT depart­ment until I was able to find a col­league that con­firmed they had the deliv­ery delays up to 4 hours. Just for kicks I turned off their cache mode on the Out­look client and their prob­lem mag­i­cally van­ished. Then I turned cached mode back on and left it bro­ken since I was deter­mined to fix it on the server side and not just band aid the prob­lem. When I went back to my desk and noticed what mail­box server the col­league with the delays was expe­ri­enc­ing a light bulb went off and every­thing seemed to be com­ing together. Now all I had to do was note the dif­fer­ences between the 2 servers.

First of all to stop the global issue from occur­ring while I could resolve the prob­lem I failed all the DAG vol­umes over to the 1 server that did not seem to be hav­ing the prob­lem. Reports quickly came in that the prob­lem was resolved. Then I quickly moved on to exam­in­ing dif­fer­ences between the 2 servers. After com­par­ing win­dows updates between boxes I noticed that some updates from Feb­ru­ary were recently applied to both servers, how­ever, there was 1 dif­fer­ence. It seems Microsoft KB2393802 was applied to one server but not the other. I googled regard­ing this but only found one vague thing about delays in Exchange 2010 mail deliv­ery men­tioned in the mid­dle of a tech­net arti­cle relat­ing to this patch, but noth­ing offi­cial at all from Microsoft. I removed the patch, rebooted, and tested with a test mail­box data­base run­ning on the server I had cre­ated for this pur­pose. The prob­lem was fixed as I thought.

I tried to research on what about this patch could be caus­ing this prob­lem but came up with noth­ing. If any of you read­ers have an idea please com­ment and let me know your thoughts! I have attempted to con­tact Microsoft regard­ing this issue so they could pos­si­bly append to the KB arti­cle but they cur­rently have not replied.

Installing and running VMware Compliance Checker for vSphere

April 20, 11 //
0

The first ver­sion of the new VMware Com­pli­ance Checker for vSphere tool is now avail­able for down­load.

VMware Com­pli­ance Checker for vSphere lets you scan your ESX and ESXi hosts for com­pli­ance with the VMware vSphere hard­en­ing guide­lines to make sure your hosts are prop­erly con­fig­ured. It also lets you save and print your assess­ment results, so you can track your com­pli­ance level over time, or use them as doc­u­men­ta­tion for inter­nal audits.

Installing VMware Com­pli­ance Checker for vSphere

After down­load­ing the VMwareComplianceCheckerForvSphere.msi installing is done in a mat­ter of sec­onds, using the all to famil­iar click Next to con­tinue Win­dows instal­la­tion rou­tine. The tool is Win­dows only at this point.


The tool is Java based, so the client machine you run it on needs to have it installed locally before you can use it.

Run­ning a Com­pli­ance Scan

Run­ning a com­pli­ance scan is very easy. Start up VMware Com­pli­ance Checker for vSphere and point it towards either a ESX/ESXi host, or towards your vCen­ter installation.

The tool runs for a while, and in the end you’ll be pre­sented with a nice HTML based report high­light­ing all your com­pli­ance shortcomings!

Impressions/Conclusion

VMware Com­pli­ance Checker for vSphere looks like it can be a valu­able tool to add to your vAd­min tool-belt. In it’s first ver­sion it does a good job of iden­ti­fy­ing poten­tial issues with your envi­ron­ment. As far as I can see, William Lam’s Perl based vSphere Secu­rity Hard­en­ing Report Script does more exten­sive checks for now.

The vSphere Secu­rity Hard­en­ing Report Script also has a cou­ple of other advan­tages, one being that it’s oper­at­ing sys­tem agnos­tic (since it’s Perl based) another advan­tage is that since it’s writ­ten in a script­ing lan­guage you can set up auto­mated cron jobs that per­forms the scan­ning for you. As far as I can see the VMware tool is miss­ing the abil­ity to sched­ule scans, which is some­thing I really hope VMware will add to it in the not to dis­tant future.

Remote Desktop Connection Manager (RDCMan) + Powershell = Win

January 20, 11 //
2

Remote Desk­top Con­nec­tion Man­ager is a great tool from Microsoft which enables you to keep track of all your RDP ses­sions and tar­gets in a nice GUI. One of the things it’s lack­ing though, is some sort of Active Direc­tory con­nec­tion that allows you to import all your server objects directly, and not man­u­ally add/remove the serves as your infra­struc­ture changes over time.

In an attempt to bridge that gap, I’ve made a very small Pow­er­Shell script that queries your Active Direc­tory for server objects and dumps their names into a text file that you can import into RDC­Man. This is a very sim­ple solu­tion, but works great in my environment.

GetAllServers.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13

Import-Module ActiveDirectory 
 
$servers = Get-ADComputer -LDAPFilter "(operatingsystem=*Windows Server*)" | select name,dnshostname
$Date = Get-Date
$filename = "Servers-{0}{1:d2}{2:d2}" -f $date.year,$date.month,$date.day
foreach ($server in $servers) { 
 
$servername = $server.name
 
#Customize this for your environment
$servername | Out-File -append -encoding ASCII <path>\$filename.txt
 
}

In short, replace the path in line 11, and you should be able to run the script. It will then cre­ate a file called servers-{current-date}.txt in the path you have spec­i­fied. This is a sim­ple text file with one server defined on each line.

This file can then be imported into RDC­Man by going to the Edit menu and select Import Servers. This brings up the Import Servers dia­log box where you can browse to the file that the Pow­er­Shell script cre­ated. Click on the Import But­ton and all your servers should now be listed in RDC­Man. The next time you need to update, delete the exist­ing servers, re-run the Pow­er­Shell script and import again.


While this isn’t a fully auto­mated solu­tion, and I really wish RDC­Man could do this for you by query­ing AD directly and find­ing new servers and remov­ing the ones that are no longer present and so on, it is a quick way to get your cur­rent servers into RDC­Man with­out man­u­ally cre­at­ing each and every entry.

Update:

After I ini­tially posted this, Jan Egil Ring, pointed me to his solu­tion which is a bit more elab­o­rate. Have a look at his solu­tion “Dynamic Remote Desk­top Con­nec­tion Man­ager con­nec­tion list”, which is how it really should be done…