Archives for January 2010

New virtualization aware Ethernet standards coming to a switch near you

Network World has a great article on new Ethernet standards that Cisco and HP are proposing to the IEEE for ratification, both directly related to virtualized environments. You may have heard of Cisco’s VN-Tag feature, which was a proprietary extension to Ethernet developed by Cisco and VMware. VN-Tag was submitted to the IEEE as 802.1Qbg. HP is working on VEPA (Virtual Ethernet Port Aggregation), which, while also related to virtualization, does not cover the same ground as VN-Tag. VEPA was submitted to the IEEE as 802.1Qbh.

What do these two standards hope to do? They propose to offload a lot of policy, security and management processing from the virtual switches, NICs and servers and place it in the physical Ethernet switches. In essence, this makes the virtualization environment more efficient and more secure.

According to the Network World article, Cisco and HP have banded together and hope to have the standards ratified by mid-2011. One piece missing from both standards is a discovery protocol for autoconfiguration. We will have to wait and see whether a new protocol will be proposed or an existing protocol such as LLDP will be used.

I hope that the final standards can be implemented on existing hardware through firmware updates from both Cisco and HP, for example on the Cisco Nexus switches and HP BladeSystem Virtual Connect. If they require new hardware purchases, that will be a significant issue for companies that have invested large amounts of money in their virtualization infrastructure.

vSphere enhancements in 2010?

I found a good article that speculates on some possible enhancements that could be coming to vSphere this year and into next year. It will be interesting to see how closely these rumors track with reality as the year unfolds.

Highlights of the speculation include:

32-way VMs
512GB RAM or more per VM
Enhance ESXi with Active Directory Authentication
Boot from SAN support in ESXi
Enhanced virtual graphics card to support high-def VDI
DRS for storage

P2V HP Proliants? Use the PSP Cleaner

Although I personally haven’t done it, you can easily P2V Windows servers running on HP ProLiant hardware. However, you have major cleanup work to uninstall all of the HP-specific software, drivers, agents, etc. If you don’t do this, your VM will likely run extremely slowly and suffer lots of problems.

To save lots of pain and trouble, you can simply download the HP PSP Cleaner. It appears you install it after you do the P2V conversion, and it will remove all traces of the HP ProLiant Support Pack. There is no readme or documentation with it, so you will have to try it out for yourself to see how well it works.

No idea if it supports Server 2003, 2008, 2008 R2, x86, x64, etc. So if you try it out, leave a comment on how well it did or didn’t work and what OS platform.

Beta VMware vSphere Hardening Guides

VMware has finally released their draft version of the security hardening guides for vSphere 4.0. After taking a look at some of them, I’ll make a few observations:

1) Totally different format from previous versions, now organized in tables. Very similar to the DISA STIG security guides.

2) VMware adopted various security levels (DMZ, Enterprise, SSLF). They took the SSLF designation from Microsoft, it seems. SSLF is the most secure setting, which usually breaks some functionality.

3) When using Foxit many of the hot URL links didn’t work. Manually cutting and pasting links into IE worked most of the time. If that fails, Google the title of the document.

4) The guides cover ESX, ESXi, vCenter, VMs, networking, and the ESX console OS.

Overall, I think these are much better and more usable products than their 3.x versions. I get the sense that VMware worked with DISA on these settings, or at least tried to follow a similarly organized format. The five guides are around 20 pages each, which is long enough to be thorough but not overwhelmingly large.

Windows 2008/7 Offline activation via TBA

Microsoft, in their infinite wisdom, has imposed much stricter licensing controls in Windows Server 2008 and beyond. This is in an effort to stem the flow of piracy, which is probably pretty rampant in some communities. To help combat these evil forces in the world, Microsoft introduced Volume Activation 2.0. I won’t go into all the gory details about MAK and KMS keys, but suffice it to say that it’s not a totally offline experience. At some point the PC/server needs to either call home to Microsoft, contact an authorized KMS server, or be manually activated via the telephone.

As you can imagine, there are many cases where these options are totally unacceptable. Many of these cases are within Governments, Intelligence agencies, and other entities like foreign Governments.

Microsoft offers, to a very select set of customers, a third type of activation that can be completely offline. If packaged properly into a deployment image, the OS activates out of the box with no network connection whatsoever. This option is called TBA, or Token Based Activation. From TechNet:

Token-based activation is a specialized activation option that is available for approved Microsoft Volume Licensing customers. It is designed for specific scenarios in which the end systems are completely disconnected from the network or phone. This option enables customers to use the public key infrastructure (PKI) and digital certificates (or “tokens,” which are typically stored on smart cards) to locally activate Windows 7 (and Windows Server 2008 R2). Customers do not have to activate the software through KMS or MAK.

In its simplest terms, you work with your Microsoft account manager to understand the entire process. 🙂 But at a high level, you first obtain a special PKI certificate from a root certificate authority that you trust. You then submit certain properties of that certificate to Microsoft via some software. These properties are what the certificate Microsoft issues you, an Issuance License, checks against to verify that you are an authorized user of TBA.

When you combine all of the right pieces (generic VLK, your certificate, the Microsoft IL certificate, and your trusted root/intermediate certificate chain), Windows will activate without contacting any entity. All of these pieces can be sealed into your golden image, and when it is deployed, your server or client will be activated. Depending on your scenario and agreement with Microsoft, you may be required to use a hard token (such as a smartcard/CAC) or a software digital certificate file.

The bottom line is that you must work with your Microsoft technical rep, ask about “Token Based Activation” and see if you qualify for such an arrangement. If you don’t qualify, then you are stuck with using MAK or KMS for product activation.

There are a lot more technical details, and I’ve oversimplified the entire process. But the end result is a set of files and procedures that allow your images to act like VLK 1.0 systems, which to the end user don’t appear to need any activation. This technology is baked into Windows Server 2008 R2, Windows 7, and Server 2008 SP2. Microsoft has a very detailed guide about the entire process called the “Token Based Activation Deployment Guide.” This document is not on the public Microsoft web site, so ask your Microsoft rep for a copy.

This method should also work for Office 2010, as it will require the same activation techniques as Windows Server 2008 and later. I’m very glad Microsoft has come up with this solution, although I found virtually no reference to it on Microsoft’s own web site.

As a side note, for those of you familiar with OEM activation, which is also completely offline, TBA is very similar. Instead of relying on specially digitally signed information in your system’s BIOS (SLIC 2.1), it relies on a hard token (smart card) or a soft token (PKI certificate file) for the authentication. The best place for additional information is your Microsoft rep, as there’s virtually no public information about this program. There are a few references here (search for the keyword token).

One final note: this method will work with KMS/VLK versions of Windows 7 Professional, Enterprise, and all server editions. It does NOT work with retail copies of products such as Windows 7 Home Premium or Ultimate. Vista is compatible as well, but seriously, who uses that operating system?

Windows 7 God mode

1. Create a folder anywhere and name it:


2. Click on the control panel looking icon that the folder turns into.

3. Have fun!

You can also rename an existing folder and paste in the string above.

WhooHoo! VMware VCP on 3.5!

A couple of weeks after taking and passing the VCP 4.0 exam, I took the 3.5 exam today. Passed! It was funny; several of the questions on this exam carried over nearly word for word from the vSphere exam. The project I support at work is exclusively vSphere based, but I had a free voucher for the 3.5 exam, so I basically went in cold, except for a quick review of the old maximum configuration values.

It’s pretty amazing how much scalability and how many features made it into vSphere. I really can’t imagine doing what we are doing using VI3. I’m so glad we started our virtualization effort right after vSphere hit the streets.

P.S. I updated my Cisco Nexus 1000v blog with some additional links to Cisco documentation.