Innovative Technology Weblog

In an act of “endeavoring to deliver a release with support [that] customers deem important” VMware accidentally left a licensing timebomb enabled in the build that it shipped to customers about three weeks ago. The timebomb causes all installed licenses for ESX to be regarded as invalid on August 12, 2008. This in turn causes virtual machines to not be allowed to start from a powerdown or suspended state or allow virtual machines to be VMotioned to another ESX host.

VMware provides one way to prevent encountering the problem and one temporary workaround until they can provide a patch: VMware has released express patches to remedy the problem.

Full repeat of VMware’s latest e-mail advisory:

Dear VMware Customers,

We have released the express patches for the product expiration issue. Please go to http://www.vmware.com/go/esxexpresspatches for download and KB articles. Since our last customer email we have completed our verification tests that the express patches we’ve released are fully compatible with the VMware Update Manager. Please see the KB articles for deployment information regarding Update Manager.

The KB articles are kept up-to-date. Please refer to the KB articles for information and updates.

In our last update, we referred to an initiative by our support and engineering teams to find an option to apply the patch without the necessity of entering maintenance mode and VMotion of VM’s to other servers, or VM power-off and re-power-on. Our earlier tests have not found a consistently successful way to address this. We continue to investigate this possibility, as we know that it would reduce the maintenance burden on our customers who may not have a patched server available for VMotion.

We are on target to release updated versions of the ESX/ESXi 3.5 Update 2 patch at 6 PM PST today. This is for customers who have not already upgraded to the previously released version of ESX/ESXi 3.5 Update 2

Thank you,

The VMware ESX Product Team

Problem:

An issue has been discovered by many VMware customers and partners with ESX Update 2 (build number 103909) and ESXi 3.5 Update 2 (build number 103908) where Virtual Machines fail to power on or VMotion successfully. This problem began to occur on August 12, 2008 for customers that had upgraded to ESX 3.5 Update 2. The problem is caused by a build timeout that was mistakenly left enabled for the release build.

The following message is displayed in the vmware.log file for the virtual machine:

This product has expired. Be sure that your host machine’s date and time are set correctly.
There is a more recent version available at the VMware web site: http://www.vmware.com/info?id=4.
————–
Module License Power on failed.

Affected Products:

- VMware ESX 3.5 Update 2 & ESXi 3.5 Update 2. Thank you, The VMware ESX Product Team

- The problem will be seen if ESX350-200806201-UG is applied to a system.

- No other VMware products are affected.

Resolution:

VMware Engineering has produced express patches for impacted customers to resolve the issue

A few months ago my beloved colleague Walter gave me the Beta version of System Center Virtual Machine Manager. Unfortunately I haven’t had the time to play with it until now. While most people enjoy their well earned vacation, I’m playing around with SCVMM.

There are definitely things to be excited about:

• Ability to manage both Hyper-V and VMware farms
• Migrate virtual machines between Hyper-V hosts (maybe not a live migration, but a migration none the less! )
• But the main thing to be excited about is the future integration within the System Center family.

And their are also some irritating things:

• Hyper-V has just RTM’ed and SCVMM is still in beta. This means you got to install update after update to make everything work.
• When I try to install the integration services on Windows Vista it comes with the message: “Unsupported Guest OS - An error has occurred: The specified program requires a newer version of Windows.” Unfortunately I’m not yet in the possession of Windows 7… 
• I created a new library share. But when I try to mount an ISO file to my virtual machine it fails and the only thing you can do with your virtual machine from that point is remove it and repair it. Through the repair option you can save him by the way.

I properly can go on and on with these things but I can rather posts these on connect.microsoft.com. It is still a beta and I believe eventually these ‘minor’ issues will be solved.

There is one very interesting feature I found in SCVMM and I’m still not sure if it’s a brilliant or stupid thing. When you create a new virtual machine you got to choose your processor type. Not just the number of virtual processors or the clock rate, no actually the processor type. Like the 1.2 Ghz Athlon, the 3.0 Ghz Pentium 4 (HT Technology) or the 2.8 Ghz Xeon MP.

It states that it uses this info to determine the processor requirements of the virtual machine. That’s being used when calculating host ratings and when setting CPU resource allocations.
You can view the host rating when you create a new virtual machine. The host rating helps you to choose the best host for your virtual machine. Based on free resources.
CPU resource allocation is something we know from VMware ESX. VMware uses shares to do this. A plain number like 1000 or 2000. The virtual machine with 2000 shares gets twice the amount of CPU cycles (when needed) in comparison with the machine that has 1000 shares.

I understand that SCVMM should use his own system that can be plotted on all the different virtualization platforms it’s going to manage (Hyper-V, XEN, ESX). But I don’t understand how a 2.4 Ghz Opteron relates to a 2.4 Ghz Xeon.
So if I just want my production server to have a 50% preference over my test server which should I choose? And what’s worse, if I’m in doubt with this option, how about a self service user that’s got the option to create a new virtual machine? I can imagine it would properly mean that this user got the advise to skip it.

But there is one more thing confusing about this. When you use the Virtual Machine Manager snap in, there is another way to set the processor weight and you can use a simple number!

So if I change the processor type in SCVMM of a virtual machine, you would suspect something to change within this screen. But it doesn’t… Neither does it the other way around.

I’m going to investigate some more but if you got some tips or hints, please post them!

I have had a love/hate relationship with the VMWare Server 2 beta for the last couple of months and today, I’m sorry to say we have parted ways. First up, my quarrel is not with VMWare products as a whole (I still love Workstation and ESX) but frankly with the poor interaction you get with VMWare in their own beta programs. It really is a far, far cry from the type of interaction and feedback you get in the Microsoft beta programs…

I would have been able to live with the lack of interaction if I weren’t having any major problems with the product. But as such things go, I ran into one showstopping problem… It turns out that on my hardware (which is a big, tricked out server that cost a small fortune and which I am not replacing) VMWare Server 2 had major issues correctly virtualizing Windows Server 2008 x64. Just that one OS. Everything else worked fine: Windows 2003 x86 & x64, even Windows 2008 x86 ran without a hitch. It has to be said that this is not a generic problem, since most others either don’t run into the problem (on a HP nx6325 laptop I also have no issues whatsoever), or they just don’t understand why things are breaking. But I’m certainly not the only one, judging from the replies and the 300+ views on the thread I posted in the VMWare Server 2 beta 2 community.

Now, I could manage without Windows 2008 x64 servers for a good while, since Exchange 2007 also runs on Windows 2003 (or if you’re really nuts like me, you can hack the x86 version on Windows 2008 into production ). But now that I’m participating in the Exchange ‘14’ TAP, I just have to have a Windows 2008 x64 machine. Either that or just don’t bother at all.

In my experience with Microsoft Technology Adoption Programs, Microsoft usually goes above and beyond to help their customers if they run into a blocking problem with the product, even if you are the only customer experiencing the problem. The experience with VMWare was pretty much the opposite, unfortunately. I have filed not one but two Support Requests and never have gotten more interaction than the support engineer asking me to run their support-info-gathering script (vm-support.vbs) and attaching the output to the Support Request. After that, either the support engineers go deaf or they just can’t help me anymore

So now I have grown tired of waiting for information that won’t come and I have decided to uninstall VMWare Server 2 and install VMWare Workstation 6 instead. I would’ve installed Hyper-V, but alas my 1st gen AMD Opterons don’t support the CPU Virtualization extensions needed for Hyper-V…

I’m actually quite sad to see VMWare Server 2 go, because I really liked the way you could manage VMWare Server 2 via the standard VMWare Virtual Infrastructure Client, even over the internet. I liked where VMWare Server 2 was going but it seems it was just to immature for my bleeding-edge needs…

Anyway, Workstation 6 has taken over now and my first Exchange ‘14’ server is (virtually) buzzing with a large grin

That’s a dozen more mailboxes to add to the running-Exchange-‘14’-in-production-count, DavidEsp!

As you might have noticed, my colleague Jeroen is totally wild on Groove… he kinda started the same enthousiasm in me….

So….as I was playing around a bit with the Sharepoint files tool (which unfortunately doesnt work with earlier versions of WindowsSharepointServices) I tried to add an Office Liveworkspace (discussed earlier) as a repository for storing files used in groove…

whilst trying to add a sps2003 document library causes a nasty error; trying to add a Live workspace to the sharepoint files tool just returns the message ‘not implemented…’

interesting….

Although it might be too early to jump to any conclusions, it must be noted that the possibilities to use Groove in conjunction with Live workspaces have clearly been left open… or at least not closed for good….

i’ll keep watching !

Martijn

Last month me and some collegues went to MMS2008 in Las Vegas were I saw a cool demo of Group Police Preferences. The name Group Policy Preferences did ring a bell with me and suddenly I remembered. A few weeks before MMS I saw a Windows Update that was called Group Policy Preferences Client Side Extensions, but I did’nt know what it was.

So now that I’m a few weeks back home I finaly had some time to play with it on my Demo Domain that I setup last week using CoreConfigurator. To use Group Policy Preferences you must have a few things in place:

• A Windows Server 2008 or Windows Vista SP1 machine (only needed for managing Group Policy Preferences)
• RSAT Installed on the management machine
• Deployed the Group Policy Preferences Client Side Extensions to your Desktops/Servers (XP SP2 or higher)
• Active Directory

Note : You don’t need a 2008 DC or Windows Vista SP1 client to use Group Policy Preferences !!

On the left screenshot you can see all the different options that can be managed using Group Policy Preferences. There ar too much settings to show them all on this blog, but I realy like to show you some nice things. I made some screenshots of some common things you normaly do in loginscripts or kix scripts, but that are now possible in Group Policy. (click on the images to see it full size)

With Group Policy Preferences it is easy to map networkdrives. Not only you can map a drive for all users in a generic user policy, but it is also  possible to target this mapping to no more then 27 targeting rules. (Image on the right)

Most common is to map a network share based on group membership or IP subnet. This way way it is possible to map a share witf for example application data to a server that is on the same geographical location as the user without the need of using DFS or site loginscripts.

An other example is setting up how users (or administrators) see their files in Windows Explorer. In this screenshot I set it up so that the user will see the file extentions for known files and also shows hidden & system files, this is a setting that most admins will set if they logon to a new machine. This is also the power of Group Policy Preferences, the most settings an administrator will have to manualy do if he is building a new image for deployment can be managed by Group Policy Preferences.

As you can imagine there are hundreds or maybe thousends of possibilities that you use in solving those anoying problems you usely have to solve using scripts or other tools.

Next thing I have to do is migrating my loginscript at home to Group Policy Preferences.

Have fun with it.

Erik Luppes

I actually ran into more problems with the PKI after the installation. Although SCCM detects your Site Server Signing certificate during setup, the process of dragging and dropping the certificate from the current user branch to the local machine branch may (not sure if there are situations where this does not happen) corrupt the private key in the certificate. To fix this, you have to change the template for the Site Server Signing certificate. On the ‘Request Handling’ tab, check ‘Allow private key to be exported’. Then go through the process of requesting the certificate as usual, and don’t drag and drop as I described in my previous post, but export from the current user certificates and import in the local machine certificates. That should fix the Site Server Signing certificate.

I also had a problem with the Web Server certificate, don’t know if it’s related to having a Windows Server 2008 Certificate Authority or not. In the Microsoft walkthrough they tell you to duplicate the normal Web Server template. When I did this, SCCM kept reporting the Management Point giving problems; a test http request would return an error. After a little Googling I found the solution: on the new template (I named it SCCM Web Server) add Client Authentication on the ‘Extensions’ tab. Don’t forget to re-enroll and re-assign the certificate to your website.

I hope that’s all I have to say about this.

2 Years after we’ve put Buit.org online, it was needed that we do a complete makeover.
In the 2 years we have upgraded Buit.org to the most current version of WordPress, but never updated our look and feel of the site.

Now that WordPress has a complete new engine using AJAX and other Web 2.0 technology it was needed that we upgraded the ’skin’ of Buit.org so we can use those new technologies. One of the biggest improvements for me as the site admin is that we now finaly kan use capcha in the comments forms. This is used for unregistred users that want to leave comments. If they want to leave a comment they have to read an image that is hard (but not impossible) to read by a spambot.

It looks that this works well, cause yesterday we had 120 spam comments within the hour and after enabling captcha (18 hours ago) we did’nt receive a single spam message

An other great thing is that we have better stats so we can track our favorite articles and anticipate on this by writing more articles on the subjects you like.

Please leave your toughts on this new look in our comments and if you are reading this in a RSS reader, please click visit our site to see what we have accomplished.

Grtz,

Erik

A few months ago I’ve wrote a post about Exchange SP1 for the lazy Admin. Now I found something on the web for the same admins but that is usefull in setting up Windows Server 2008 Core.

As you should know by now in Server Core there is no GUI (well there are exeptions like notepad and time settings) so Administrators have to know the CLI commands to setup their servers. The last 2 years I have worked on my Linux skills and can say that finaly I can remember the commands that I use on a daily/weekly basis. But how many times a day or week do you setup a new Domain Controller ? I say not offtenly enough to remember the commands without mistakes.

Last week I was looking on the web for the commandlines to setup a DC but found a tool that was called “CoreConfigurator”

As you can see you can do the basic tasks that you normaly would do if you setup a new server, but still using a GUI. For example if you want to setup the Windows Firewall (only the basic stuff) you normaly have to use the netsh command and that command alone has hundreds of options that you have to know.

Using this tool I was able to setup my Demo domain within 5 minutes with only one CLI Command : C:\Program Files\CoreConfigurator\CoreConfigurator.exe

So the rest of the evening I have spend on drinking beer and eating some chips while watching the 5th season of 24 (the terrorists have stolen some Sentox-nervegas, but I think that Jack Bauer will save the day within 24 hours )

To download CoreConfigurator Click Here

The last couple of days I’ve been playing around with the SCCM 2007 SP1/R2 beta. I wanted to try out the NAP (network access protection) features, which require Windows Server 2008 on the SCCM server. So I went ahead and created some virtual machines, a domain controller and a SCCM server. I wanted to do it right, so I decided to install Windows Server 2008 on the domain controller as well. To build the PKI required by native mode I followed the excellent walkthrough at http://technet.microsoft.com/en-us/library/bb694035.aspx. And then I ran into trouble…..
There are two issues with getting the Site Server Signing certificate on the SCCM server. First, because the CA is running on a Windows Server 2008 machine, when you duplicate the ‘Computer’ certificate template, you get the choice which versions of Windows should support this template. Considering the fact that all servers in my environment are running Windows Server 2008, I went with that. And that was my mistake. If you select “Windows Server 2008, Enterprise Edition” the certificate template will not show up while enrolling it from the web interface, so you should select “Windows Server 2003, Enterprise Edition”.
The second issue I ran into was related to the requesting client being a Windows Server 2008 machine. When this is the case, the web interface no longer shows the option to store the certificate in the local computer certificate store. Just continue as you normally would and after that, open an MMC on the SCCM server. Add two certificates snap-ins, one for the current user, the other for the local computer. All you have to do is drag the certificate you just enrolled from the web interface from the Personal/Certificates store under the current user branch to th Personal/Certificates store under the local computer branch.
After this, in my case the SCCM installation automatically detected my certificate and installation went smoothly.

 Please note that I have posted a follow-up to this post, because although installation will go smoothly, you will have some errors if you do it the way I descibed above. Here’s the correct way to do it:  http://www.buit.org/2008/05/22/installing-sccm-2007-sp1r2-in-native-mode-on-windows-server-2008-part-2/

@ MMS 2008 there was a session about Licensing for the System Center Suite. Normally Licensing looks like University Math but they made it easier. When you are using SMS and MOM 2005 your would pay for each product and per managed client, were for MOM de clients could be Standard OML or Enterprise OML and for SMS the client and server license would vary as well. With this wide variety of possibilities the calculations for the complete license investment could take quite a while and some checking and cross check the different client and server roles.

But now with the Server Management Suite Enterprise (SMSE) licensing model things are made easy. Normally easier is more expansive and in this case it sometimes is. When your just going to buy SCOM or SCCM licenses and your using standard OML for SCOM you still have to make a good calculation before going to the SMSE license type. 

When you want to use SCCM, SCOM and are on or building a virtual infrastructure the SMSE license will make it cheaper and you can start using Data protection Manager for only the license management server costs.

One of the shown license advantages in a Microsoft client environment was the following monitoring scenarios:

In this case the 100 virtual machines are license covered by the SMSE and your only paying for the hosts not for the virtual machines. according to the Microsoft the System Center Virtual Machine Manager will be added to the SMSE as well so a complete and easy to calculate Server Management platform license can be used.

Microsoft definition of SMSE: Comprehensive solution for end-to-end management of physical and virtual server environments that includes the Enterprise Server management licenses for Operations Manager 2007, Configuration Manager 2007, and Data Protection Manager 2007; the license for Virtual Machine Manager 2007; and, rights to manage an unlimited number of operating system environments on a single server.

Not mentioned in this article are the required Server 200X Standard, Enterprise and Data center licenses. But when your are running a lot of VM’s take al look at the Data center value proposition with the unlimited amount Virtual Machine options!!!

So, a small recap to see if SMSE is the licensing for your organization:

• Your running a big number of virtual machines and want SCOM for monitoring
• Your using SCOM and SCCM to manage your complete environment, running some virtual machines
• Your using SCOM and SCCM to manage your complete environment and want to use DPM or VMM
• Your using DPM and SCCM, SCOM or VMM running some virtual machines
• You want to use SCOM and VMM

For more information visit the Microsoft System Center License Site and save yourselves some money.

Regards,
Walter Eikenboom
http://weblogwally.spaces.live.com