As much as I love doing this manually (sarcasm detected) our friends over at VMware have ingeniously automated this with a tool that includes customizable templates to enable or disable the Windows system services and features, in accordance with recommendations and best practices for VMware. It also allows you to analyze your master images that have been already created. This will come in really handy for those who would like to do this quickly, and it saves me from blogging about the old way and each individual optimization and what it meant! Easy Peazy!
Having been to VMworld and Citrix Synergy before, I did not know what to expect from (ISC)2 Security Congress, which apparently is simultaneously dubbed ASIS 2013. The overwhelming feeling I get is that this is much less about the IT portion of security ((ISC)2) and more about the physical aspects of security (ASIS). I am attending to keep my (ISC)2 CISSP certification active; the CPE credits you get for attending put me at the requirements for maintaining that certification, which has to be renewed every 3 years. So far this is much less grand than the conferences that either Citrix or VMware put on.
Strategic. Smart. Secure. – This is the theme for this year’s conference.
STRATEGIC – With the live songs “Taking Care of Business”, “Firework” and “Don’t Stop Believing” being sung, the opening scene was painters creating a scene with the word STRATEGIC. [Emphasized using storylines from the life of Winston Churchill] This was followed by Steve Surfaro, BDM for Axis Communications, giving a live speech about being strategic.
SMART – More live songs… “If You Stop Me Up”, “Why Haven’t I Heard From You?”, “Anyway You Want It” and a painted scene for the word SMART. This was followed by a very short talk from James Antonelli, VP of Guardsmark, LLC. This was the beginning of the emphasis on (ISC)2 security certifications and their importance. [Emphasized using the face of Albert Einstein]
SECURE – “We Will Rock You”, “We Are The Champions”, “Simply The Best”, and of course a painted scene for the word SECURE followed. This was followed up by an even briefer talk from Rocco L. DeFelice, Executive VP of Securitas Security Services USA Inc. [Emphasized using the ASIS International logo and a hidden camera symbol, circuit board, and keypad]
This was followed by some more gratuitous singing and a painted scene representing Chicago and the Blues Brothers. Of course “Sweet Home Chicago” was played. This was a bit cheesy and long without a lot of meat to the whole thing. We were all then dismissed to attend the opening of the vendor area. Beware: for those interested more in the IT portion of security, there really aren’t any vendors worth looking at, with the exception of Cisco, that I saw. Unfortunately this was dominated by physical security as well.
I am hoping that the sessions are going to highlight the conference. There are a few sessions that I believe will be pretty interesting with a brief synopsis:
Cracking the Cloud Conundrum presented by Andrew Jaquith CTO, SilverSky.
You have a job to do, secure your organization’s infrastructure and communications. This is no small task, but your IT budget is flat or shrinking, security risks are ever-evolving and complexity and regulations are growing. Your employees want to use their own devices at work, and they’re increasingly mobile, making it even more difficult to protect your company’s information. You want to utilize the potential of the cloud, but you are afraid of the security risks, uncertainty, impact on IT, cost of switching and having to answer to your Board about all of it.
Securing Big Data and the Grid presented by Dan Houser from (ISC)2
Big Data is exploding on the landscape in InfoSec, leaving many practitioners wondering how to create a viable yet secure implementation. Standard practice is to segregate, isolate or obfuscate, all of which create diseconomies of scale and erode the very value that can be gained from a big data implementation. A Security Architect and Cloud Architect have delivered multiple secure cloud and big data solutions for their organization, and will deliver an interactive case study demonstrating how to lock down big data while still delivering business value and keeping the business happy.
Wednesday’s ASIS Keynote Speaker Steve Wozniak – Co-Founder of Apple Computer and Philanthropist
A Silicon Valley icon, Steve Wozniak single-handedly designed the first personal computer and later redirected his lifelong passion for mathematics and electronics toward lighting the fires of excitement for education in grade school students and their teachers. In 1976, Wozniak and Steve Jobs founded Apple Computer, Inc. with Wozniak’s Apple I personal computer. A year later he introduced the Apple II, which was integral in launching the personal computer industry. After leaving Apple in 1985, Wozniak was involved in various business and philanthropic ventures. He currently serves as chief scientist for Fusion-IO and is a published author.
More to Come…
Things have been really busy, but I am letting everyone know that I have straightened out all the expired DNS registrations and found some breathing room in my current job to start posting again. We can now be read at both www.thevbox.info and www.thevbox.net, so expect some good new content coming out of the thevbox website soon.
Think about this for just a second. Conventional or traditional storage was created 20 years prior to virtualization. So as that sinks in, I’ll ask you a question. Why has server provisioning with compute made so many advances in regards to lower costs, less complexity, and higher performance, while storage has remained relatively the same? Even when talking about SSD, the larger players in the storage market are only bolting it on as a cache point, and those that are leveraging all-flash arrays don’t really address the real problems with storage for virtualized environments. Performance by itself doesn’t mean that you have resolved all issues. “Am I alone here?” … “Can I get an Amen?” Just because a large traditional storage manufacturer purchases a company specializing in conventional flash storage, do you think that they are suddenly resolving their issues regarding how that product interacts with the virtual environment? The answer is no. Maybe if they intended to rewrite their code from the ground up to take specific advantage of that flash storage for virtual environments, then you might be onto something. This, my friends, is exactly what Tintri has done.
Although Tintri was purpose-built for virtualized environments, period, I will be writing specifically about VDI for this post. I am fully certified for both VMware View and Citrix products, and my livelihood for the past few years has been centrally focused on VDI: performing assessments, plan and design work, and implementations. I have integrated great third-party products such as Trend Micro Deep Security, Unidesk, and Imprivata, and with those comes an increase in complexity from an architectural standpoint and more specifically a storage standpoint. Let’s look at how one traditional storage provider carves up storage to meet a specific 500-seat VDI demand. This is straight from their best practices document and is available for anyone to see. On the left is how EMC will carve up your storage into several RAID groups, then into LUNs, tiering storage with SSD bolt-on cache (which is expensive, BTW). Other storage vendors’ solutions aren’t much better. There are several things wrong with this… let me elaborate on a couple of points here using the 500-seat comparison.
- What happens when you need to advance beyond 500 seats? (What happens to what you have just architected? Back to the well for more spindles? More SSD? Do you have the finances available for that?)
- What happens when you have more than one golden image or use case? (Hint, you only have room for one image in this small 100GB space for a golden image. In VMware View, since a recompose process requires that the replica has to be written before the original is deleted, multiple images will run you out of space. With XenDesktop it doesn’t even make sense.)
- When using a third party product like Unidesk, the CachePoints become extremely important to get the right amount of I/O out of them to drive that performance. In this design there is not enough room in SSD for the cachepoints in the majority of cases.
- Did you have enough I/O built into the original design to accommodate the virtual infrastructure for Citrix XenDesktop or VMware View and all of the VMs? How about for the infrastructure needed for Trend Micro Deep Security? How about the throughput and latency metrics?
- How do you know for certain how many more VMs that you can fit on your current storage before performance is impacted or you are simply out of room?
- With traditional block storage, are you getting any deduplication or compression advantages? (I can answer this… no.)
- How about your maximum VMs per LUN when using block storage, have you considered that?
I could go on and on but, here is one more really good question, “What if your storage was aware that VMs were running on it?” (See: VM-Aware)
With the Tintri VMstore there are no RAID groups to worry about and no LUNs to carve up. Using NFS, you can see from the picture on the right how Tintri answers that best practice design for VDI. Some people promise simple, but Tintri really delivers it. There are no cost, complexity or storage performance barriers for VDI anymore, which has allowed Tintri customers to realize some ROI when implementing virtual desktops, bringing the VDI storage costs from ~60% of the project down to ~15-20%. Its hyper-density can allow for up to 1000 VMs to be deployed on one single Tintri storage appliance (see product specs). [In a server environment you can expect to get 250 – 300 server VMs on a single Tintri datastore]
Tintri also gives you instant bottleneck visualization, interchangeable datastores, intuitive fuel gauges showing available capacity and performance headroom, VM trend-over-time statistics, VM auto-alignment, per-VM snapshots, and more. It wraps QoS around each VM, ensuring performance, and virtually eliminates the usual worries surrounding boot storms, AV storms, and login storms in VDI environments. So my point is, if you can decrease the CapEx and OpEx costs and decrease the complexity of storage while increasing the performance of storage (which is spotlighted by VDI), then what are you waiting for? Give your VDI implementation over to a Tintri VMstore and rest easy that you made a great decision. Some of the best products are the ones which you don’t have to manage and that just flat out work (see Data Domain). Isn’t it time that you stop the LUNacy?
Interesting VDI Video:
“Stay thirsty my friends.”
~ The most interesting man in the world.
Well, I have had to set up a KMS server at several of our clients’ sites, and found that the documentation from Microsoft is somewhat confusing. I have set these up before, but it is always a pain to go back and find the information on how to do it all over again. I ran across a blog from Ivan Dretvic at http://ivan.dretvich.com/2011/06/how-to-configure-a-kms-server-in-windows-server-2008-r2/ and much love goes out to him for putting this together. I thought it was worth reblogging, not only for clients and other visitors but also for myself to review when I need it. Below are the steps used to configure the first KMS server in the organization for use with Windows Server, Windows client and Microsoft Office activation. These steps only cover the installation of one KMS server.
Installing first KMS Server
These are the steps I followed to install the KMS server. We determined that, due to the number of client activations and the capacity of our infrastructure, we had no problem installing this server on our secondary domain controller. From here on we will call it DC2.
- Log onto https://www.microsoft.com/licensing/servicecenter/ and fetch your key: “Win Srv 2008 R2 Data Ctr/Itan KMS C” – Note your key may be similar, but either way it must end in either KMS B, or KMS C.
- On DC2, open an elevated command prompt (run CMD as administrator).
- Type slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx, where the xxxxx-… part is the key from your volume licensing website.
- Open “Windows Firewall with Advanced Security” via Start menu -> Administrative Tools.
- Under Inbound Rules scroll down to “Key Management Service (TCP-In)”, right click and select enable.
- Reboot the machine. Note that you can instead restart the Software Licensing service with net stop sppsvc && net start sppsvc, but I preferred to reboot (seeing as the server was not in use for anything else).
- Activate the server after the reboot. This can be done via the GUI or by executing the following command from an elevated command prompt:
- Enable automatic DNS publishing by the KMS host by entering the below command in an elevated command prompt. Note this should already be enabled, but just in case, we execute the command.
Now you are done installing your KMS server. Note this will provide activation for clients and/or servers depending on the KMS key you used to activate DC2. Office KMS activation will be covered in a later section.
I do recommend verifying that the SRV record in DNS has been created. You should have no problems with the automatic creation if you are using a vanilla install of AD and have no specific security restrictions in DNS. To verify that the DNS record has been created, open up the DNS console and check. Refer to the screenshot below to see where it lives:
Installing Office KMS Host
As mentioned above, we have determined that the one KMS box (DC2) is suitable to do all of our activations for Microsoft products, so now we have to configure the Office KMS host on DC2. To do this we do the following:
- Log onto https://www.microsoft.com/licensing/servicecenter/ and fetch your key: “Office 2010 Suites and Apps KMS” – Note your key may be similar. If unsure speak to your Microsoft Account Manager.
- Download the Office 2010 KMS Host License Pack from the Microsoft website: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=97b7b710-6831-4ce5-9ff5-fdc21fe8d965. It’s only 903 KB, so it won’t take long.
- Execute KeyManagementServiceHost.exe on your existing KMS server; in our case that’s DC2. Follow the prompts to finish the setup process.
- When prompted enter the KMS key for Office 2010.
That’s it. Just as easy to set up. Now you are ready to activate Office 2010 with KMS. To help monitor this, please refer to the section below.
Administering the KMS server
I take it now you want to see whether it works and if clients can be activated. Now I will go into administering the KMS server, which will be quite brief as there is not much to it; it is really only there to aid in troubleshooting and to have a sticky beak when implementing it. Once it’s running there is no real reason to keep going in and checking up on it.
All functions to view settings and make changes are done through the already used VBS script slmgr.vbs. To see all the commands, simply run slmgr from the command prompt. Note that to execute changes you will need an elevated command prompt. You will see the following screens:
So the most common commands that I used were:
Displays license information (KMS Activation Count)
Displays detailed license information
For Office specific information you can run the below command to get the info wanted:
Note I add cscript to the front of the command so that the output stays within the command window; this lets me page/scroll the output if there is a lot of data, whereas the usual VBS dialog crops the output.
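As an added example (not part of the original post or the reblogged guide), here is a PowerShell health check for the KMS host that covers both the installation steps above (sppsvc service, the “Key Management Service (TCP-In)” firewall rule, the _vmcs._tcp SRV record) and the licence counts that slmgr.vbs /dli and /dlv display. It assumes it runs elevated on the KMS host itself (DC2 above), on a domain-joined machine, and that nslookup prints the Windows-style “svr hostname = …” line for SRV answers.

```powershell
# Added example, not from the original post or the reblogged guide.
# Post-install health check for a Windows KMS host such as DC2 above.
# Assumptions: run from an elevated PowerShell prompt on the KMS host itself,
# the host is domain-joined ($env:USERDNSDOMAIN is set), and nslookup prints the
# Windows-style "svr hostname = ..." line for SRV answers. Written for
# PowerShell 2.0 (Windows Server 2008 R2), so no [pscustomobject] or Get-NetFirewallRule.

$results = @()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1. Software Protection service (the sppsvc the post restarts) must be running.
$svc = Get-Service -Name sppsvc -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'not installed' }
Add-Check 'sppsvc running' ($svcState -eq 'Running') "Status: $svcState"

# 2. Licensing state of the host, read from the same WMI class that slmgr.vbs
#    /dli and /dlv query (SoftwareLicensingService in root\cimv2).
$sls = Get-WmiObject -Class SoftwareLicensingService
Add-Check 'Host is a KMS host' ([bool]$sls.IsKeyManagementServiceMachine) `
    "Listening on TCP $($sls.KeyManagementServiceListeningPort)"
Add-Check 'DNS publishing enabled' ([bool]$sls.KeyManagementServiceDnsPublishing) `
    "KeyManagementServiceDnsPublishing = $($sls.KeyManagementServiceDnsPublishing)"

# Clients are only activated once the host has seen RequiredClientCount distinct
# requests (5 for Windows Server, 25 for Windows client editions), so a brand-new
# host legitimately fails this check until enough clients have reported in.
$current  = [int]$sls.KeyManagementServiceCurrentCount
$required = [int]$sls.RequiredClientCount
Add-Check 'Activation threshold reached' ($current -ge $required) "Current count $current of $required required"

# 3. The inbound firewall rule the post enables, read via the Windows Firewall COM
#    API (works on 2008 R2, where the NetSecurity cmdlets do not exist).
$fw   = New-Object -ComObject HNetCfg.FwPolicy2
$rule = $fw.Rules | Where-Object { $_.Name -eq 'Key Management Service (TCP-In)' } | Select-Object -First 1
$ruleState = if ($rule -eq $null) { 'rule not found' } elseif ($rule.Enabled) { 'enabled' } else { 'disabled' }
Add-Check 'KMS firewall rule enabled' ($rule -ne $null -and [bool]$rule.Enabled) $ruleState

# 4. The SRV record that KMS clients use for auto-discovery: _vmcs._tcp.<domain>.
$domain  = $env:USERDNSDOMAIN
$srv     = nslookup -type=SRV "_vmcs._tcp.$domain" 2>&1 | Out-String
$srvOk   = $srv -match 'svr hostname\s*=\s*(\S+)'
$srvHost = if ($srvOk) { $Matches[1] } else { 'none' }
Add-Check "SRV record _vmcs._tcp.$domain" $srvOk "Published host: $srvHost"

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more KMS host checks failed; see the table above.'
}
```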
Configuring KMS Clients
By default, Volume Licensing editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients. If the computers the organisation wants to activate using KMS are running any of these operating systems and the network allows DNS auto-discovery, no further configuration is needed.
If required, you can configure the KMS client to connect to a specific KMS host, use a specific port and disable KMS auto-discovery.
When deploying KMS clients using WAIK you can use 2 different methods to prepare the client:
- SYSPREP – run Sysprep /generalize which will reset the activation timer along with removing SID and a few other settings. Read about this before actually using it.
- Software License Manager – run slmgr.vbs /rearm in an elevated command prompt to reset the grace period back to 30 days. Note you can only perform this 3 times in total.
You can also manually force activation of the client by using the GUI from Control Panel -> System or by running slmgr /ato.
If you want to convert MAK installations of Windows or Office to KMS, you need to change their product key, and then reactivate. Use the below keys to perform this:
| Operating system edition | Product key |
|---|---|
| Windows 7 Professional | FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 |
| Windows 7 Professional N | MRPKT-YTG23-K7D7T-X2JMM-QY7MG |
| Windows 7 Enterprise | 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH |
| Windows 7 Enterprise N | YDRBP-3D83W-TY26F-D46B2-XCKRJ |
| Windows Server 2008 R2 | |
| Windows Server 2008 R2 HPC Edition | FKJQ8-TMCVP-FRMR7-4WR42-3JCD7 |
| Windows Server 2008 R2 Datacenter | 74YFP-3QFB3-KQT8W-PMXWJ-7M648 |
| Windows Server 2008 R2 Enterprise | 489J6-VHDMP-X63PK-3K798-CPX3Y |
| Windows Server 2008 R2 for Itanium-Based Systems | GT63C-RJFQ3-4GMB6-BRFB9-CB83V |
| Windows Server 2008 R2 Standard | YC6KT-GKW9T-YTKYR-T4X34-R7VHC |
| Windows Web Server 2008 R2 | 6TPJF-RBVHG-WBW2R-86QPH-6RTM4 |
| Windows Vista Business | YFKBB-PQJJV-G996G-VWGXY-2V3X8 |
| Windows Vista Business N | HMBQG-8H2RH-C77VX-27R82-VMQBT |
| Windows Vista Enterprise | VKK3X-68KWM-X2YGT-QR4M6-4BWMV |
| Windows Vista Enterprise N | VTC42-BM838-43QHV-84HX6-XJXKV |
| Windows Server 2008 Datacenter | 7M67G-PC374-GR742-YH8V4-TCBY3 |
| Windows Server 2008 Datacenter without Hyper-V | 22XQ2-VRXRG-P8D42-K34TD-G3QQC |
| Windows Server 2008 for Itanium-Based Systems | 4DWFP-JF3DJ-B7DTH-78FJB-PDRHK |
| Windows Server 2008 Enterprise | YQGMW-MPWTJ-34KDK-48M3W-X4Q6V |
| Windows Server 2008 Enterprise without Hyper-V | 39BXF-X8Q23-P2WWT-38T2F-G3FPG |
| Windows Server 2008 Standard | TM24T-X9RMF-VWXK6-X8JC9-BFGM2 |
| Windows Server 2008 Standard without Hyper-V | W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ |
| Windows Web Server 2008 | WYR28-R7TFJ-3X2YQ-YCY4H-M249D |
| Office 2010 Suites | |
| Office Professional Plus 2010 | VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB |
| Office Standard 2010 | V7QKV-4XVVR-XYV4D-F7DFM-8R6BM |
| Office Home and Business 2010 | D6QFG-VBYP2-XQHM7-J97RH-VVRCK |
| Office 2010 Stand-alone products | |
| SharePoint Workspace 2010 | QYYW6-QP4CB-MBV6G-HYMCJ-4T3J4 |
| Project Professional 2010 | YGX6F-PGV49-PGW3J-9BTGG-VHKC6 |
| Project Standard 2010 | 4HP3K-88W3F-W2K3D-6677X-F9PGB |
| Visio Premium 2010 | D9DWC-HPYVV-JGF4P-BTWQB-WX8BJ |
| Visio Professional 2010 | 7MCW8-VRQVK-G677T-PDJCM-Q8TCP |
| Visio Standard 2010 | 767HD-QGMWX-8QTDB-9G3R2-KHFGJ |
You can convert Windows and Office from MAK to KMS using the GUI, or you can use the following commands.
For Windows (slmgr.vbs):
- To install a KMS key, type slmgr.vbs /ipk KmsKey at a command prompt.
- To activate online, type slmgr.vbs /ato at a command prompt.
- To activate by telephone, type slui.exe 4 at a command prompt.
For Office (ospp.vbs):
- To install a KMS key, type ospp.vbs /inpkey:KmsKey at a command prompt.
- To activate online, type ospp.vbs /act at a command prompt.
Here are the resources where I got most of the information I needed:
- Deploying KMS Activation
- How to install or Update KMS on Server 2008 for windows 7 and Server 2008 Support
- Plan volume activation of Office 2010
- Deploy volume activation of Office 2011
- Troubleshoot volume activation for Office 2010
- Tools to configure client computers in Office 2010
I just finished posting my blog on creating a Citrix XenServer bootable USB image. I did so after having to create a bootable ESXi 5 USB image for a client who just couldn’t get the external USB CD-ROM to work right; we were using the HP iLO to perform installations, which was painfully slow. Installing from USB was incredibly fast and I wanted to share those instructions with you as well. Since PendriveLinux wouldn’t work the same way it did for XenServer 6, I have made a small step-by-step guide on how to achieve this using a different tool. So here we go…
- Download the ESXi 5 .ISO and have it ready on your PC
- Download UNetbootin and run the software (Windows – Mac OS X – Linux).
- Start the UNetbootin application and choose Diskimage (ISO) and browse to the downloaded ESXi 5 .ISO file.
- Choose Type: USB Drive and choose the correct USB drive letter that you want the bootable installer to be installed to.
- There you are: one bootable USB image for ESXi 5! Enjoy!!
I needed to finally get some XenServers in my lab at home, so I purchased a pair of Sun SunFire X4100 servers containing quad-core AMD processors and 16GB of RAM on the cheap, which I thought would be perfect. The only thing about these servers is that they don’t have a CD-ROM, so I set the BIOS to boot from USB hoping to use a thumb drive. This is when I realized… Uh oh! How do I get the XenServer 6 .iso onto the USB drive and make it bootable? Below I will save you some time by providing the best steps that I have found to get this made easily and quickly.
- Download the XenServer 6 .ISO and have it ready on your PC
- Download PendriveLinux (http://www.pendrivelinux.com/) from here (http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/)
- Launch the Universal USB Installer
- From the drop-down, scroll to the bottom and choose “Try Unlisted Linux ISO (NEW Syslinux)”
- Choose the location of the XenServer ISO
- Select the drive letter for your USB
- (optional) I chose to format the drive
- Click Create
- After creation has finished, navigate to the /boot/isolinux folder in the root of the USB drive
- Rename the ‘isolinux.cfg’ file to ‘syslinux.cfg’
- Rename the ‘isolinux.bin’ file to ‘syslinux.bin’
There you are: one bootable USB image for XenServer 6! Enjoy!!
The vCenter Server Linux Virtual Appliance (vCSA) is a preconfigured Linux-based virtual machine that is optimized for running vCenter Server and associated services.
The vCenter Server Virtual Appliance provides the same features as the Windows vCenter Server but does not support the following:
- Microsoft SQL as the database for vCenter – requires stable ODBC driver for Linux that can scale.
- vCenter Server Linked Mode – requires ADAM.
- vCenter Server Heartbeat – requires Windows.
- Single sign-on using Windows session credentials.
- VMware View Composer (Linked Clones) – installed on Windows vCenter Server only.
- vSphere Storage Appliance – VSA Manager & VSA Cluster Server installed on Windows vCenter Server.
- VIX Plugin for vCenter Orchestrator – VMware Tools API only works with Windows vCenter Server.
Other VMware products that work with the vCSA:
- vCenter Operations.
- vCenter Orchestrator.
- vCenter CapacityIQ.
- Auto Deploy.
- vCenter Update Manager.
- vSphere Client.
- vSphere Web Client.
The following table lists the required files that you will need; gather these files before proceeding.
Watch the 10-minute installation video (Optimized for iPad)
Deploy the vCenter Server Linux Virtual Appliance
- Launch your vSphere Client and navigate to File | Deploy OVF Template.
- Browse to the location of the vCenter Appliance .ovf file, then click on Open.
- On the following screen click on Next.
- Then click on Next again on the OVF Template Details page.
- Under Name and Location, give your vCenter Appliance a name then click Next.
- Choose a datastore then click Next.
- Select a disk format on the next page then click on Next to continue.
- Click on Finish to start deploying.
Configuring the vCenter Server Linux Virtual Appliance
- Boot the appliance.
- Open a vSphere Client console session to the virtual appliance and configure the network and timezone.
- Now open up a browser and type https://<ip_of_appliance>:5480 to continue the configuration.
- Accept the certificate error to continue.
- Login as root, the default password is vmware.
- Now read through the entire EULA and click on Accept EULA to continue. Please be patient while the vCenter is configured (this takes a few minutes). If you look at the appliance remote console you’ll see the services being configured and started.
- You can start using the web interface again once the console screen returns to default.
- Next click on Status, and view the current status of the vCenter Server. The service should be in a Stopped state and the Database Type should show not configured.
- Click on the tab; you will notice that there are no DNS servers configured and the appliance’s hostname is the standard localhost.localdom. Let’s change this.
The best way to change the network settings is to go to the console of the vCenter appliance and select Configure Network. Walk through changing the IP address, DNS servers, and the hostname for the appliance.
- Log back into the interface using the IP address which you just configured: https://<ip_of_appliance>:5480. Set up authentication by clicking on and then on either NIS or Active Directory. My ‘thevbox.info’ lab environment uses AD.
Click on the tick box, fill in your domain details and then click on Save Settings. You should receive an Operation is successful message to confirm that the authentication settings have worked.
- We now need to configure a database for vCenter to use; for this article, let’s use the embedded DB2 database. Click on to continue.
When using the embedded database there is no need to enter any details; just click on . This will take several minutes to complete; once done, click on . After what seems to be too long, the database will complete configuration, and you should receive an Operation is successful message to confirm.
Set the time zone by clicking on and then . Select your time zone and then click
- Now reboot the virtual appliance one last time. To reboot click on and then click on . Click Reboot again to confirm.
- This time the vCenter Appliance will successfully start the vpxd daemon and initialize the database; eventually vCenter 5.0 will be ready for you to use.
Connecting to vCenter 5.0 for the first time
With all VMware vSphere Clients, when you start the vSphere Client and connect to either a vCenter Server or an ESX/ESXi host, it checks whether the vSphere Client is compatible. This is still the case with vSphere 5.0, and you will need to update your vSphere Client if you haven’t already done so. You can update by connecting to vCenter Server or ESX/ESXi, or you can download the vSphere Client executable from the VMware Downloads website.
- Launch the vSphere Client and connect to your newly configured vCenter Server.
- You must use root | vmware to log in; domain credentials will not work until the permissions are added to vCenter.
- Update the vSphere Client as necessary.
- Add an AD group into vCenter permissions and set the role as Administrator. [See video].
- Now you will be able to log in with domain credentials.
- You will need to enter your username in DOMAIN\Username or username@DOMAIN format.
The little things…
To make sure that you can continue to use host customization files, use the following KB article combined with WinSCP. Connect to the virtual appliance using WinSCP, navigate to /etc/vmware-vpx/sysprep and place the appropriate sysprep files in their proper folders.
- More to come….