Archives for May 2009

Operations Manager 2007 R2 RTMs

Good news! System Center Operations Manager 2007 R2 has RTM’d, and you can download an evaluation copy right now! Get the download here. Microsoft says you can upgrade the evaluation version to a fully licensed version once they release that around July 1.

For a good rundown on what’s new in R2, see this link.

New VMware benchmark results

Last month Intel released their new Nehalem processors, which knock the socks off their previous generation processors and now beat AMD for dual socket servers. For years VMware has published benchmarks for various servers so you can judge their virtualization performance.

The sweet spot for virtualization is a dual processor server. Why? Quad socket servers generally cost more than 2x the price of a dual socket server. With the new Intel Nehalem processors, you can now get quad socket performance at dual socket prices. Sweet!

According to the latest benchmarks, for an 8 core system the HP BL490c G6 is the new leader at 24.24 @ 17 tiles. In fact, it beats the current 16 core leader which is rated at 20.50 @ 14 tiles.

You can see all the latest results here. The full disclosure report is here. If you really want quad socket servers, then AMD is still the leader of the pack. But that could well change when the Intel Nehalem EX chips are released in early 2010, which will be 8 core and support four sockets.

Vista and Server 2008 SP2 is out

For the very few of you running Windows Vista (please, run Windows 7 RC1, it’s way better), or the larger crowd of server 2008 users, Microsoft has released service pack 2. What happened to server 2008 SP1? Well, it was built into the RTM release, so it was never a separate download. Kind of weird having a service pack built into the first release of an OS, but that’s Microsoft for ya.

Since Vista and server 2008 share the same code base, they use the same service pack installer. You can find all the downloads here.

VMware vSphere 4.0 is almost here!

If you are looking into virtualization or already using it, you will have likely heard that VMware is releasing their next major version of ESX server tomorrow. vSphere 4.0, the new name for Virtual Infrastructure, is a significant upgrade and has dozens of new features. Although it was formally announced last month, May 21 will be the first day you can place an order and (hopefully) download an evaluation copy.

Features such as hot-add of CPU and memory, Microsoft Server 2008 cluster support, support of the Cisco Nexus 1000v, and full support for the new Intel Nehalem processors are just a few of the enhancements. Even better, if you have a current support contract you can upgrade to the ‘like’ edition for free.

For a good brief summary of the new features, check out this blog over at Dailyhypervisor. You can learn about some of the new modules VMware will release for vSphere 4.0 here.

Also, remember you can install ESX server inside a VMware Workstation 6.5.2 virtual machine. You can even run VMs inside ESX, running inside of Workstation. Not great for performance, but great for testing it at home or on your (beefy) laptop. Also very useful for studying if you are trying to pass the VCP exam, like I am.

Rollup 8 for Exchange Server 2007

In case you don’t subscribe to the Exchange team’s blog, today they announced rollup 8 for Exchange server 2007 SP1. You can read their announcement here. If you are running Windows Server 2008, you will now be glad to know rollup 8 automates the kernel mode authentication configuration required for CAS servers. Slowly Microsoft is swatting all of the server 2008 issues.

Also in the pipeline is Exchange 2007 SP2, so keep your eye out for that as well. SP2 will be required if you wish to migrate to Exchange 2010.

Buckle your seatbelt for major Microsoft releases

During TechEd 2009 in LA this year, the number of new products that will come to market in the next six to twelve months was amazing. Here’s a short summary of some of the new releases you should expect and plan for:

  1. Windows 7 – Q4 2009
  2. Windows Server 2008 R2 – Q4 2009
  3. Exchange 2010 – By end of year 2009
  4. Office 2010 – 1H 2010
  5. Geneva (Federation identity) – End of year 2009
  6. Kilimanjaro (new SQL server) – 1H 2010
  7. Gemini (BI for Kilimanjaro) – 1H 2010
  8. ForeFront Identity Manager 2010 – 1H 2010
  9. Quebec (componentized Windows embedded) – 2010
  10. SharePoint 2010 – 1H 2010
  11. Dublin (App server extensions to Windows server) – TBD
  12. Velocity (distributed caching for clusters) – Mid-2009
  13. Stirling (Forefront client) – Early 2010
  14. TMG/UAG – 2H 2009
  15. Madison (massively parallel data warehouse) – August 2009

What was even more surprising and out of character was that Microsoft was telling people to skip Vista and Exchange 2007 if they haven’t started deploying them today. I would go as far as to say skip server 2008 and wait for R2, unless you really need some server 2008 features today. Like Windows 7, server 2008 R2 has undergone hundreds of tweaks and changes to make it faster, more secure, and easier to manage. Oh, and don’t forget server 2008 R2 is 64-bit ONLY!

WHQL ATI Windows 7 Drivers

Think you have to wait until the RTM of Windows 7 to get WHQL certified drivers? Think again! ATI has released their WDDM 1.1 compliant and WHQL certified drivers for Windows 7. You can download the 64-bit drivers here. For some reason the 32-bit drivers seem to be older and don’t mention WHQL certification. But who runs 32-bit operating systems anymore? 🙂

Major Adobe PDF security patch

In case you missed it, Adobe has released a patch for a critical Acrobat security vulnerability. InfoWorld has a good write up on the flaw. Adobe released an official bulletin on the patch. If you have any version of Adobe Acrobat (including the free reader), I urge you to install the patch ASAP.

If you have the free reader, download the patch here. If you have the full-blown Acrobat suite (standard, Pro, Pro extended) you can find the patch here.

How many NICs are enough for ESX?

Short answer: You can never have too many! Longer answer: It depends. As many people know, VMware ESX is NIC hungry. Between the kernel console, Vmotion, and various production networks, it can take six or more physical NICs to provide full redundancy. If you want to do Microsoft clustering, throw in another two NICs for the private heartbeat. If you want to virtualize TMG or UAG (formerly ISA and IAG, respectively) you might need even more NICs. Doing iSCSI or other IP storage? Best practices would recommend even more NICs. Here a NIC, there a NIC, everywhere a NIC, eeee–iiii–eee–iii–oooo!

In vSphere 4.0, VMware now has a feature called VM Direct Path IO. VM Direct Path IO allows a VM to talk directly to the underlying hardware, bypassing the hypervisor and reducing overhead for maximum performance. In vSphere 4.0, though, you lose Vmotion with Direct Path, which is a major downside.

So back to the NIC question. How do you get eight or more NICs per physical server? Various companies have solutions…or not. My current project is focused on blade servers, so let me talk about that for a bit. When investigating blade servers, you quickly realize some vendors are more virtualization oriented than others.

For example, with the IBM BladeCenter you can’t have more than six physical NICs if you also want a fibre channel HBA. This is true even on their newest Intel Nehalem blade server the LS22. If you are using IP storage and don’t need a fibre channel HBA, you can increase the NIC count.

HP has a technology called Virtual Connect Flex-10, which lets you reconfigure the two on-board 10Gb NICs into four FlexNICs each, for a total of eight NICs out of the box without using any mezzanine slots. Throw in a dual 10Gb mezzanine card and you have up to another eight FlexNICs, for a total of sixteen per physical server. In addition, you can customize the bandwidth of each NIC in 100Mbps increments. Want a wicked fast multi-gigabit Vmotion network? Go for it! Pretty cool! The ESX hypervisor sees each FlexNIC as a unique physical NIC. Eight and sixteen NICs give you good flexibility in designing your ESX hosts and following best practices. But why stop with sixteen NICs?

Recently Cisco announced their UCS blade servers, which support SR-IOV via a new Intel NIC chip which features VT-c. SR-IOV is Single-Root Input/Output Virtualization. This is a similar concept to HP’s Flex-10, but goes much further. Instead of being limited to dividing the 10Gb bandwidth into four NICs, Cisco supports 128 NICs. Now you are thinking, why do I need 128 NICs per physical server?

As I mentioned earlier, vSphere 4.0 is supporting VM Direct Path IO. With 128 NICs, you could assign each VM its own physical NIC(s), bypassing the hypervisor and allowing near-native I/O performance. Cisco assured me that in the future both VMware and Cisco were working on technology to allow Vmotion and Direct Path IO to be used together. When? Who knows.

Given that NICs and I/O performance are key features for virtualization, when evaluating hardware virtualization solutions it really pays to define your requirements and carefully look at what the various vendors can provide. Cisco is brand new to the blade market and won’t be shipping their solution until June, so they currently have zero market share.

HP is currently the blade server industry leader, but will face some stiff competition from Cisco. If you have long hardware refresh cycles and haven’t yet made the plunge into blade servers, be sure to put Cisco on your short list of vendors. If you want a product with a long track record and shipping today, HP provides a compelling solution.

Just a quick note on costs. While I haven’t done any pricing of the Cisco UCS solution, there is a good blog by Brad Hedlund discussing Cisco vs. HP and refuting some claims made by Egenera.

Microsoft ISA vs TMG vs IAG vs UAG – Are you confused?

Sometimes Microsoft branding and renaming of products really confuses people. For example, ISA vs TMG? The whole ISA/TMG/IAG/UAG re-branding debacle really threw me for a loop. At first the renaming seemed pretty simple, but Microsoft is also re-positioning the products and I don’t think MS has done a good job of clarifying the products. So today at TechEd I stopped by the security booth and tried to wrap my brain around the changes. Here’s what I learned from the MS ForeFront guys.

The ForeFront Threat Management Gateway (TMG, formerly ISA) is now being positioned as an outbound internet proxy for internal corporate users. It will include advanced anti-virus, anti-malware, and intrusion detection features. Some of these services will need subscriptions, since they need constant signature updates. One cool new feature is the ability to inspect HTTPS traffic. But, you say, ISA could do that when it was put into SSL bridging mode. True, but now TMG can inspect SSL traffic generated by external web sites. TMG will impersonate the external site’s SSL certificate, act as a man in the middle, and perform application level inspection of the traffic. So no longer will downloads from the internet via HTTPS bypass malware scanning. Pretty cool!
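The re-signing described above has two consequences an administrator will want to check before rollout: only clients that trust the proxy's CA accept the impersonated certificate, and the certificate a client receives no longer matches the one the origin serves. The following is an added example, not code from the original post or from Microsoft; it uses the openssl CLI, and the CA names, hostname and file prefixes are all constructed for illustration.

```shell
#!/bin/sh
# Added example: every name and certificate below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {    # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() { # $1 = signing CA prefix, $2 = hostname, $3 = leaf prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -set_serial 2 -days 1 -out "$WORK/$3.crt" 2>/dev/null
}

chains_to() {  # $1 = trust anchor prefix, $2 = leaf prefix; prints yes or no
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

fingerprint() { openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256; }

classify() {   # $1 = leaf the client received, $2 = leaf recorded from the origin
  if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then echo direct
  elif [ "$(chains_to inspect_ca "$1")" = yes ]; then echo inspected
  else echo unknown-issuer; fi
}

make_ca public_ca  "Constructed Public CA"
make_ca inspect_ca "Constructed Corp Inspection CA"
issue_leaf public_ca  downloads.example.test origin    # what the site serves
issue_leaf inspect_ca downloads.example.test resigned  # what the proxy presents

echo "unmanaged client (public roots only): $(chains_to public_ca resigned)"
echo "managed client (inspection CA added): $(chains_to inspect_ca resigned)"
echo "connection classification:            $(classify resigned origin)"
```

The first line of output is the case to plan for: any device or application that does not have the inspection CA in its trust store, or that pins the origin's certificate, will fail the handshake once inspection is switched on.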

While you can still use TMG as a reverse proxy for publishing internal web sites to the internet, that is not the recommended use. This is a big change from ISA, which is very commonly used as a reverse proxy.

The ForeFront Unified Access Gateway (UAG, formerly IAG) according to Microsoft is now the preferred solution for inbound access to internal corporate resources. This includes acting as a reverse proxy for applications such as OWA and MOSS, and robust support for DirectAccess. Like IAG, which included ISA under the hood, UAG will also include the TMG engine. Like IAG, in UAG you will not directly configure TMG. TMG is merely there to protect the UAG, not to provide TMG functionality for other applications.

To boil it all down, you will ONLY use TMG if you want a corporate internet proxy to protect users from web based malware. If you want a reverse proxy, such as publishing OWA and MOSS to the internet, you will now use UAG. If you want both scenarios, then you will have both TMG and UAG servers. Yes TMG can technically do both just as ISA can, but this is no longer a Microsoft recommended configuration.

Another noteworthy tidbit I learned is that MS is really pushing for virtualizing TMG and UAG. Among many benefits, this would allow you to scale out very quickly should you have high demand and need to increase the number of servers.

For additional information on UAG, see this link. For more information on TMG, see this link.