Community Server

Tech.Ed 2008 over

Ken — Sat, 20 Sep 2008 13:05:00 GMT

It's been a long time between blog posts. Between a couple of Tech.Eds, being sick with the flu, and a large enterprise System Center Operations Manager 2007 deployment, it's been pretty busy the past month. In addition, handling bathroom and kitchen renovations is consuming pretty much all of the spare time on weekends.

This year I was privileged to deliver a few presentations at Tech.Ed South East Asia 2008 - one on IIS 7.0 for IT Pros, and a second on Web Farm Scenarios and IIS 7.0. Both of the session decks are available for download from the Tech.Ed SEA website (download the Server track ZIP file).

I also delivered the IIS 7.0 Security and Performance Tuning session at Tech.Ed Australia. My apologies if the session was quite up to scratch - I was suffering from the flu - but it's still the top rated Server track session, so thanks to all that filled in feedback. Click the session title link to download the session deck (1.2MB). Thanks to Wade Hilmo and Pete Harris from the IIS product group for helping me pull that session together.

Some random photos from Tech.Ed 2008:

Tech.Ed SEA 2008 presenter badge

The closing locknote at Tech.Ed Australia 2008. I didn't snap the slide that showed I was beating Steve Riley in the Presenter scores :-)

IIS and Kerberos Part 8 - a simple cross Forest/Domain delegation scenario

Ken — Sun, 29 Jun 2008 10:45:00 GMT

In this part we extend, slightly, upon the previous scenario, by adding delegation. Now we need to allow IIS, in our resource Forest (or domain) to delegate the end user’s credentials, to a backend service (SQL Server in this case):

The machines this case are:

Machine	Domain	IP address	Role
svr03-r2-dc-1	DomainA	192.168.132.10	DC
svr03-r2-dc-2	DomainB	192.168.132.11	DC
svr03-r2-web-1	DomainA	192.168.132.20	Web Server
svr03-r2-sql-1	DomainA	192.168.132.21	SQL Server
cltxp-pro-1	DomainB	192.168.132.50	Client

A packet capture is available for download (taken from the IIS server).

Opening the capture in Wireshark you should see the following (the bullet point numbers correspond to the numbers in the image below):

XP client makes a request to IIS server (Packet 14) and IIS server responds with 401 Access Denied (Packet 17)
XP client contacts DomainB Domain Controller for Kerberos ticket (Packet 19 – note the request for http/svr03-r2-web-1)
DomainB DC returns a referral to DomainA DC (packet 20)
XP client looks up the necessary service records for DomainA (packets 21-24) before requesting a service ticket from the DomainA DC (packet 33)
The DomainA DC returns a service ticket to the XP client (packet 34)
XP client makes a new request to IIS, supplying it’s Kerberos authentication data (packet 37)
IIS contacts its local DomainA DC seeking a referral to DomainB (packets 52-55)
DomainA DC refers IIS to DomainB DC
IIS requests a Kerberos ticket, on behalf of the end user, from DomainB DC (packet 61)
DomainB DC returns the necessary ticket (packet 62)
IIS now connects to SQL Server (packet 65), and gets the results of the query. The resulting webpage is returned to the client (packet 87)

The requirements to configure this scenario aren’t significantly beyond that to configure a basic cross-Forest/cross-Domain scenario featured in the previous part:

A two-way trust is required. This can use Selective Authentication. However Forest-Wide authentication may be administratively simpler to configure
An appropriate SPN needs to be registered for the backend SQL Server (similar to a single domain delegation scenario)

In the next part I will discuss publishing an arbitrary FQDN for the IIS host (e.g. a public facing internet site) and UPN suffix routing.

Note: A listing of parts is available in the FAQ

IIS and Kerberos Part 7 - A simple cross Forest scenario

Ken — Tue, 13 May 2008 12:13:00 GMT

Note: I have created a list of all the IIS and Kerberos parts

I'm finally getting around to writing this section on IIS and Kerberos. This initial post will cover the basics of a cross-Forest Kerberos authentication scenario. In the next few posts we'll cover more complex situations including delegation and ISA Server publishing.

The basics of cross-domain Kerberos authentication (in the same Forest) are the same as a cross-Forest scenario, so I've covered the cross-Forest scenario in these posts, and steps that are unnecessary for a cross-domain scenario can be omitted.

Our setup involves a resource Forest (domainA.local) and a user Forest (domainB.local). A network packet capture is included (it can be opened using Wireshark/Ethereal - rename the extension back to .cap), and to help decipher the capture the machines involved are:

Machine	Domain	IP address	Role
svr03-r2-dc-1	DomainA	192.168.132.10	DC
svr03-r2-dc-2	DomainB	192.168.132.11	DC
svr03-r2-web-1	DomainA	192.168.132.12	Web Server
cltxp-pro-1	DomainB	192.168.132.50	Client

In the scenario the client in DomainB.local attempts to connect to svr03-r2-web-1 in DomainA.local. The sequence of packets are:

Client connects to web server and gets 401 (Packets 4 and 6)
Client connects to DC in local Domain asking to a ticket to http/svr03-r2-web-1.domainA.local (Packet 8)
The DC in DomainB.local provides a referral to DomainA.local (Packet 9)
The client connects to a DC in DomainA.local asking for a ticket (Packet 12)
The DC in DomainA.local provides a Kerberos ticket to the client (Packet 13)
The client again connects to the web server, presenting its Kerberos ticket (Packet 15)
The server responds with a 200 OK (Packet 21)

And the user successfully authenticates using Kerberos:

Things to be aware of in this simple scenario:

Typically a client will be connecting using the FQDN (fully qualified domain name) of the web server. Since Kerberos is only attempted if the website is in Internet Explorer's Intranet security zone, the website will need to be added to that security zone either using a GPO or manually
Clients must be able to contact domain controllers in the resource Forest in order to get appropriate Kerberos tickets. If there are some DCs in the resource domain that are unreachable (e.g. due to firewalls ec) then you need to ensure that clients in the user Forest only get referrals to reachable DCs
EDIT: Forest trusts can only be created when using a Windows 2003 functional level Forest. The Forest functional level can be raised using the Active Directory Domains and Trusts Admin MMC tool. Before you can raise the Forest functional level, you need to raise the Domain functional level of all Domains within the Forest to Windows Server 2003. If your Forest functional level is Windows 2000, only an external trust can be created, which does not permit Kerberos authentication.
EDIT: Only a one-way trust (the resource Forest trusts the User forest) is required for this scenario. In future scenarios (e.g. when we introduce delegation) a two-way trust will be required. However we can limit the access the Resource forest has to the User forest using Selective Authentication
EDIT: If you need guidance on creating a Forest Trust, then Microsoft's TechNet has a good guide

SCVMM 2008 Beta 1 install fails at the WAIK prerequisite step

Ken — Thu, 08 May 2008 10:50:00 GMT

I was just trying to install SCVMM 2008 Beta 1 today. When installing the SCVMM 2008 Server, it failed installing the WAIK prerequisite asking me to instead install this manually.

Attempting to run the WAIK msi directly from the prerequisites folder (\prerequisites\WAIK\1033) failed asking me to "Insert the WAIK setup CD". I think this problem might be caused because I'm install SCVMM 2008 from a DVD. I copied the files from that folder onto the hard disk of the machine, and then attempted to run the MSI again, and WAIK installed successfully.

MVP Summit 2008

Ken — Tue, 22 Apr 2008 04:20:00 GMT

Last week I was in Seattle attending the Microsoft MVP Summit for 2008. Certainly this year's summit was much better organised than some previous summits in terms of interaction with the IIS product group.

Whilst we've seen a bunch of interesting stuff coming out from the product group over the past few months (WebDAV, MSDeploy, Powershell Provider, Bitrate Throttling, Admin Pack - including the Config Editor). However over the next few months expect to see a number of significant additional releases. Whilst I'm probably not at liberty to disclose what these are, think about the major market that IIS 7.0 has gone after (e.g. hosting with Apache) and some of the major features and modules that the competing platform has that IIS 7.0 doesn't currently, and you'll probably be pretty close to the mark in terms of upcoming features.

In addition to getting the inside scope from the product group, the MVP Summit also offers opportunities to talk and network with other MVPs, as well as an executive briefing. This year Ray Ozzie and Steve Ballmer came by to talk to us. Whilst I've had the opportunity to listen to many of Micosoft's senior executives in other forums (Tech.Eds, Partner events etc), what is refreshing about the MVP Summit is that these executives will spend half an hour (or more) taking questions, without notice, from the floor. Whilst they are naturally guarded about the answers they can give (if press are present), we're still above to canvas a range of topics. And more than once a product has changed somewhat due to the questions or feedback given during these sessions.

I, for one, am looking forward to the next MVP Summit in 2009 (assuming I'm reawarded of course!). As a small bonus, whilst browsing Barnes and Noble in downtown Seattle, I came across a most excellent book that everyone should have a copy of :-)

Potential Critical Security issue in Windows Server 2003/2008 - IIS may be a vector for compromise

Ken — Fri, 18 Apr 2008 06:59:00 GMT

As some of you may be aware, Cesar Cerrudo of Argeniss presented a session at the just completed Hack in a Box conference where exploit code was demonstrated that allows certain code running with restricted privileges (e.g. Network Service) to gain high privileges (e.g. LocalSystem). The exploit appears to rely on the fact that certain other processes running as network service have SeImpersonatePrivilege, and the malicious code can use this to gain additional privileges on the system.

Microsoft has released an advisory on this potential vulnerability, and if you are running IIS 6 or IIS 7, you are urged to examine the potential implications and workarounds posted.

Edit: 19/04/2008 - the slides from Cesar's presentation have been posted on the Argeniss website

Converting from VMWare Server to Hyper-V RC0

Ken — Mon, 24 Mar 2008 06:06:00 GMT

This Easter weekend, having a bit of downtime, I decided to convert my virtual infrastructure at home from VMWare Server to Hyper-V. The major blocking issue was a lack of RAID controller drivers from 3Ware for their 9650SE-series cards, but thanks to Justin Ho it seemed like I was good to go. The timely release of Hyper-V RC0 meant that I could use an updated version of Hyper-V, and also install my Windows Server 2008 machine using my local en-au settings rather than en-us.

The servers that I had running where:

Server1 - Windows Home Server
Server2 - Exchange 2007 (Windows Server 2003 x64)
Server3 - Operations Manager 2007 + WSUS (Windows Server 2003 x86)
Server4 - ISA Server 2006 (Windows Server 2003)
Server5 - Domain Controller 1 (Windows Server 2003)
Server6 - Domain Controller 2 (Windows Server 2003 x64)

To speed up the conversion time, I removed DC2 from the domain (and recreated it as a brand new VM at the end of the process. It is now my first Windows Server 2008 DC). I also removed the Operations Manager 2007 machine (and recreated this on Windows Server 2008)

The steps I used to convert these VMs:

Made a backup of all my virtual machines before I started!
DCPromo DC2, and remove it from the domain
Uninstall Operations Manager clients from all managed servers, then remove Server3 from the domain
Uninstall the VMWare Tools from each remaining virtual machine
Shutdown all remaining machines and make a backup of the VMDK files (again)
Convert the VDMK files to VHD files. You can use System Center Virtual Machine Manager (SCVMM) to do this. Alternatively I used the free VDMKtoVHD tool from VMToolKit. Note that if your VMDK files are pre-allocated fixed sized disks, they will become dynamically expanding VHD disks after the conversion (empty space isn't converted)
Configure my 3Ware 9650SE RAID controller BIOS per Justin Ho's instructions (see earlier)
Format my arrays, and install a brand new copy of Windows Server 2008 x64
Install the Hyper-V RC0 update
Install the Hyper-V role, as well as desired features (Backup and PowerShell)
Create the necessary virtual networks in Hyper-V
Create new virtual machines using the newly converted VHD files and boot the machines

Some issues that I discovered:

My VMWare machines were using SCSI disks connected to a SCSI controller. Unfortunately booting Hyper-V machines requires IDE disks at the moment. Since the IDE mass storage controller wasn’t set to start in my VMs, they Blue Screened with STOP 0x7B (Inaccessible_Boot_Device). I fixed this issue by inserting the OS setup CD and doing a repair on the OS.
EDIT: Steen has a great tip below for how to get around this issue. It requires you to add a dummy IDE disk to your VMWare VM prior to do the conversion (to get the IDE mass storage controller into a started state)
There appears to be an issue with guest OSes talking to a virtualised ISA Server when all the machines are using the new VMBus NICs and the NICs are connected to a Private or Internal Hyper-V network (the issue doesn't appear to manifest if the NICs are bridged to a physical NIC). Networking doesn't work to well, and when running ISA's monitoring tools, packets are missing. To fix this issue, I changed the NICs on my ISA Server that were connected to Private or Internal networks to using the Legacy (Intel 21140) NIC. Since ISA Server 2006 only runs on Windows Server x86, there are supplied Intel 21140 drivers on the Hyper-V Integration Services disc.

So this was the picture beforehand:

and this is the picture aftewards:

Performance appears to be much snappier under Hyper-V compared to VMWare Server, especially with respect to Disk I/O. Additionally, I can now backup my virtual machines when running (well, I hope I can) using my new RD1000 device.

Media bit rate throttling module released for IIS 7.0

Ken — Sat, 15 Mar 2008 03:56:00 GMT

Here's a useful little module I didn't know even existed, but it appears to have been added to the Microsoft download site in the past couple of days. It allows for bit rate throttling of common, supported, media files when served by IIS 7.0. IIS first sends the first twenty or so seconds of data at the fastest possible rate, and then streams the rest slowly.

Full information on configuring this module is available on the http://learn.iis.net/ website. You can download the module from the Microsoft download site for x86 and x64.

WebDAV module released for IIS 7.0

Ken — Thu, 13 Mar 2008 08:02:00 GMT

Today Microsoft released to the Microsoft download site WebDAV modules for Windows Server 2008 / IIS 7.0 in both x86 and x64 versions. These are also available from the www.iis.net website.

Robert McMurray has written a page explaining how to configure the new WebDAV module.

Professional IIS 7.0 released

Ken — Fri, 07 Mar 2008 05:37:00 GMT

Well, the book is finally a reality. I received my copies today - yay!

You can buy a copy from Amazon.com or your favourite bookstore now.

IIS and Kerberos Part 6 - New in IIS 7

Ken — Thu, 21 Feb 2008 11:56:00 GMT

Note: previous articles

Windows Server 2008 and IIS 7.0 introduce some changes to the way that you need to implement Kerberos support. The three major changes that I'm aware of are:

Service Principal Names (SPNs) no longer need to be registered under the account that the web application pool is running under. Instead, in a default configuration you can run the web application pool under any account (custom user account, or LocalSystem, Local Service or Network Service) and register the SPN under the machine account in Active Directory. See this post for more details.
Your web application pool does not need LocalSystem privileges to be able to perform protocol transition. You can do this using Network Service.
If you want to use <identity impersonate="true" /> in web.config for your ASP.NET pages, you need to disable validateIntegratedModeConfiguration if you are using the Integrated Mode Pipeline. Otherwise you'll get a 500.24 error. You can either set validateIntegratedModeConfiguration to False or you can run in Classic Mode Pipeline

If I find any more things, I'll add them to the list.

IIS - two security patches this month

Ken — Wed, 13 Feb 2008 11:23:00 GMT

Hi all,

There are two security patches out this month for IIS.

The first (MS08-005) affects Windows XP x86 (IIS 5.1), Windows XP x64 (IIS 6.0), Windows Server 2003 (IIS 6.0) and Vista RTM (IIS 7.0). Vista SP1 and Windows Server 2008 are not affected. This is a local escalation of privilege vulnerability, and requires that the attacker be able to access a server locally, or be able to somehow execute code locally (e.g. by placing a file that contains the necessary code on the server, and then have the server run that code from a remote location)

The second (MS08-006) affects Windows XP (x86/x64) and Windows Server 2003, and is a remote code exploitation. It does require that the ASP web service extension be enabled on Windows Server 2003.

Whilst it's always disappointing to see new bugs in IIS, I think the overall record of IIS 6.0 has been very good. Since it's release in early 2003, we've seen only a handful of bugs that are directly IIS' fault (e.g. the previous ASP issue), and handful of bugs that can be exploited via IIS (e.g. the previous WebDAV issue). Overall, there are less than 5 bugs exploitable via IIS 6.0 - which is a great record especially when compared with IIS 5.0 and with its major competitors.

New in IIS 7 - Kernel Mode Authentication

Ken — Wed, 13 Feb 2008 00:34:00 GMT

Windows Server 2003 SP1 introduces kernel mode SSL. Windows Server 2008 takes this one step further and introduces kernel mode authentication. This can be utilised by IIS 7.0 applications to improve performance. It also has implications for Kerberos authentication and management of SPNs.

Consider the following scenario:

Ensuring Kerberos AuthN for App1 wouldn’t be possible in IIS 6/5 (earlier versions were pre-Windows 2000 so didn’t support Kerberos). This was because SPNs are based on a FQDN and the SPN for http/website1.domain.com could only be registered under a single account (and not under the two different accounts that App Pool 1 and App Pool 2 are using).

In Windows Server 2008 there is support for a new kernel mode authentication. I am supposing that this is implemented in ksecdd.sys, but it may be implemented elsewhere. When using kernel mode authentication, the service ticket is decrypted by the server (aka machine account), not by the user account that the web app pool is running under.

Because of this, it’s possible to:

Register every SPN for each application hosted webserver under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in
Run multiple web applications hosted at the same FQDN under web app pools that are, in turn, running under multiple Windows identities.

Edit: Anil from the IIS Product Group pointed out an error in my advice below (it's not necessary to actually disable Kernel Mode Authentication). I have updated the section below:

There is a caveat. This is because the service ticket decryption takes place using the server’s AD machine account. If you are using a web farm, then the KDC doesn’t know in advance which individual server will be servicing the request. In that case, it's impossible to deterministically register the SPN under a single machine account. Instead, you will need to:

~~Disable kernel mode authentication~~ Configure IIS to use the web application pool's identity for Kerberos service ticket decryption
Run the web app pool under a common domain user account
Be restricted to running all web application accessible at that FQDN under web app pools that are using the same domain user account above

If you are in this situation, then you can ~~disable kernel mode authentication~~ enable the use of the web app pool's identity for Kerberos service ticket decryption by setting the property useAppPoolCredentials to true for the web application or web site in question. An example would be:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

If you're not sure how SPNs and Keberos work, then check out the earlier posts

New in IIS 7 - App Pool Isolation

Ken — Wed, 30 Jan 2008 11:47:00 GMT

In previous versions of IIS, it has sometimes been difficult to isolate web application pools from each other. If multiple web application pools are configured to run as the same identity (e.g. Network Service) then code running inside one web application pool would be able to use File System objects to access configuration files, web pages and similar resources belonging to another web application pool. This was because it was impossible to allow one process running as Network Services access to a file, but prevent another process also running as Network Service access to the same file.

In IIS 7.0 it is possible, with some work, to prevent this from occurring. As part of IIS 7.0 inbuilt functionality, each web application pool has an application pool configuration file generated on-the-fly when that application pool is started. These are stored, by default, in the %systemdrive%\inetpub\temp\appPools folder. Each web application pool has an additional SID (Security Identifier) generated for it, and this in injected into the relevant w3wp.exe process. The application pool's configuration file is ACLed to allow only that SID access. Since each w3wp.exe process has it's own SID, each application pool's configuration file is ACLed to a different SID:

Using the icacls.exe tool it is possible to determine the SID applied to any given application pool's configuration file. This can be done by using the command:

icacls.exe %systemdrive%\inetpub\temp\appPools\appPool.config /save output.txt

The actual SID always starts with the well-known identity prefix: S-1-5-8-82 followed by a hash of the Application Pool's name.

The retrieved SID can now be used to secure web site content in the same way. To do this:
Edit: Thomas Deml (from the IIS Product Group) has shown me an easier way to perform Step 4 below

Configure each website (or web application) to run in its own web application pool
Configure anonymous authentication to use the application pool identity rather than the IUSR account (this can be done by editing the Anonymous Authentication properties for the website in question)
Remove NTFS permissions for the IUSRS group and the IUSR account from the website's files and folders.
Use the icacls.exe tool to permit the App Pool's individual SID Read (and optionally Execute and Write) access to the web site's files and folders. You don't need to initially retrieve the SID using iCacls. Instead simply use: IIS APPPOOL\ApplicationPoolName as the user to grant read permissions to (see screenshot below for an example for the Default App Pool)

After configuring these NTFS permissions, only the SID that has been injected into a particular w3wp.exe process will be able to read the contents of the website in question. All code running in other w3wp.exe processes, even though the process identity may also be Network Service, will be unable to read this particular website's content. This technique may be most useful to web hosters or similar administrators, that need to accept content from various external or untrusted parties.

Edit #2: Here's a screenshot of the dynamic SID injection in action for the Default App Pool (using the excellent Process Explorer tool). The username highlighted can be used with icacls.exe to ACL your web content.

OT: You can get certification for Home Server, Media Center and other sundry topics - awesome!

Ken — Sat, 26 Jan 2008 05:34:00 GMT

Well, I'm writing a blog post on IIS application sandboxing, and this item crosses my inbox. It appears that all the time spent mucking about with Windows Home Server, and Windows Media Centre might now actually result in MCTS certification. So, I can justify the endless hours spent mucking with drivers and backups as a work-related endeavour! Yay

IIS syncronisation tool - tech preview released

Ken — Fri, 25 Jan 2008 02:59:00 GMT

Hi,

For all those wondering what options you have post-Application Center 2000 for synchronisation (let alone load balancing etc), the IIS Product Group has released a technical preview of a new tool: msdeploy.exe. This tool can sync or migrate:

IIS 7.0 configuration settings
Web content
Registry keys and values
SSL certificates

The product group is planning to have Powershell cmdlet support by the final release. Read more and download the bits from the MSDeploy blog

Windows Hyper-V and Wireless adapters - using RRAS (Routing and Remote Access Service)

Ken — Fri, 18 Jan 2008 09:33:00 GMT

I see that Ben Armstrong has posted instructions on how to use Windows Internet Connection Sharing (ICS) to give your Hyper-V virtual machines access to networks via a wireless adapter.

However ICS does not appear to work if the network that your wireless adapter is connected to uses the 192.168.0/24 subnet (as this is used on the internal side of ICS).

If you are in this situation, then instead of using ICS, the inbuilt Routing and Remote Access (RRAS) service can be used instead. The benefit of RRAS is that any arbitrary subnet(s) can be used on the internal interface (and you can have as many as you want).

To install RRAS use the Server Manager to install the Network Policy And Access Role. RRAS now exists as a sub-feature of this role. You can add this role using Server Manager.

Then open the RRAS MMC Administrative console, and use the wizard that runs at first use to choose NAT routing, and then configure your external (WLAN) interface and internal interface (an internal network created by Hyper-V Management MMC).

Edit: You should give the internal adapter an IP address before running the wizard - so that the NAT routing wizard knows what IP addresses your internal LAN is going to be using, and can configure routing appropriately.

It is possible to have the RRAS service provide DHCP addresses to your Hyper-V machines. However since most of these are probably servers (and thus have static addresses), you can configure a static address pool in RRAS.

If you wish to have your Hyper-V machines able to contact your host PC on the internal interface, configure exceptions (or disable) in th Windows Firewall on the individual adapter configured by Hyper-V (this can be done on the Advanced tab in the Windows Firewall control panel on the host).

Edit: If you haven't using RRAS before, then John Paul Cook has an excellent step-by-step guide on configuring this entire configuration (with screenshots) on his blog.

Moving a Windows Server 2008 Hyper-V virtual machine

Ken — Tue, 15 Jan 2008 10:32:00 GMT

Windows Server 2008 Hyper-V stores a list of virtual machines in %systemroot%\ProgramData\Microsoft\Windows\virtualisation\Virtual Machines. In that folder are a set of symbolic links, that are linked to the actual config files for each virtual machine.

To move a virtual machine:

Shut down or suspend the virtual machine
Delete the symbolic link in the folder mentioned above. The VM will disappear from the Windows Virtualisation Management MMC console (if you have it open). To delete a symbolic link, you can use the del command in a command window
Move the virtual machines files (VHD virtual hard disk file, configuration files and so on) to the new location
Open the virtual machine's configuration file (e.g. using Notepad.exe) and update any references to physical paths. Typically you'll need to update the location of the virtual hard disk and saved state location. The configuration file is a GUID with an XML extension, such as 0A8D4907-82C6-11DC-8061-02004C4F4F50.xml
Create a new symbolic link to the virtual machine's XML configuration file. This can be done using the mklink.exe file (mklink.exe /? for how to create a link to a file)

To make it easier to create the links, you can output the contents of the virtual machines folder using dir and then piping it to a text file (e.g. dir > VMs.txt). Open the text file in notepad.exe, and for each machine will you have an entry like:

14/01/2008 12:22 PM <SYMLINK> 0A8D4907-82C6-11DC-8061-02004C4F4F50.xml [D:\WSVs\SVR03-ISA06-1\Virtual Machines\0A8D4907-82C6-11DC-8061-02004C4F4F50.xml]

It's a simple matter of editing to turn this into:

mklink 0A8D4907-82C6-11DC-8061-02004C4F4F50.xml e:\newLocation\SVR03-ISA06-1\Virtual Machines\0A8D4907-82C6-11DC-8061-02004C4F4F50.xml

Save this as a batch file (.bat) and just doubleclick to create the new link. The VM should then show up in Windows Virtualisation Management MMC console.

EDIT: this technique was tested with Windows Server 2008 RTM and Hyper-V Beta 1. It may not work with subsequent builds of Hyper-V. I will update this post when Hyper-V goes RTM

Windows Server 2008 Hyper-V backup (Dell RD1000 review)

Ken — Mon, 14 Jan 2008 10:24:00 GMT

Meta: IIS and Kerberos Part 6 is coming (for anyone interested in IIS still reading this blog)

The Windows Server 2008 backup feature no longer supports direct backup to disk (you'll need third party backup software to do that). You can backup to disk though - either to a SAN (or network share). Or to disk based backup media like the Dell RD1000.

Previously I've been backing up my server to an external enclosure via eSATA - which works, but doesn't provide the scalability of tape. The RD1000 gives you catridges similar to tape, but they appear as removable disk media to Windows Server 2008.

The RD1000 - next to two stacked 3.5" hard disks.

The RD1000 (also available from Imation in their RDX series) is available both internally (as 3.5" or 5.25" connected via SATA) or externally (connected via USB 2.0). The actual enclosure isn't much bigger than two 3.5" hard disks.

RD1000 seen from the front

The power supply is pretty small as well:

and catridges are about the same size as LTO / Ultrium tapes:

RD1000 catridge -vs- LTO tape

Internally, the RD1000 catridges appear to contain 2.5" 7200 RPM SATA disks. The SATA connector is visible by peering into the catridge.

The backup performance of the external USB-connected RD1000 is approximately 1GB/minute. The following screenshot shows a test run backing up both the system partition (with Windows Server 2008 running) as well as a second partition hosting Hyper-V virtual machines. At the time of the backup, two Hyper-V machines were running (an Active Directory domain controller, and second machine running SQL Server 2005).

Note: I paid for my RD1000 and backup disks. I didn't receive this from Dell - i.e. no conflict of interest etc.

In Australia the internal RD1000 device costs approximately A$400 (external A$700), and a 300GB cartridge costs approximately A$550 (at time of writing)

Review Dell XPS M1330 (compared to Sony SZ48)

Ken — Tue, 08 Jan 2008 12:04:00 GMT

Well Frank's posted the various gadgets he's accumulated, as IT Pro, I've been accumulating a few things in the last month (a new LTO2 tape drive, a 5GB Toshiba PCMCIA hard disk, a Dell 24" monitor, and other boring stuff). One thing I do like is my new Dell XPS M1330.

There are plenty of reviews of the XPS M1330 out there on the 'net already. Here are some additional impressions beyond "the screen is bright" and "it comes with a finger print reader". I also compare it to the Sony SZ48 series, which is remakably similar (except for the price).

FWIW the specs of the Dell XPS M1330 that I bought are:

Core 2 Duo 2.2GHz
4GB of RAM
200GB 7200 RPM hard disk
LED backlit screen (with 0.6 MP webcam built in)
Wireless N, Bluetooth, 5520 WWAN option (Vodafone)
Everything else standard (DVD burner, fingerprint reader, nVidia 8400M GS card etc)

Figure 1 - both laptops closed

The Sony, with its carbon fibre case, seems marginally lighter than the Dell (at least in the configuration that I bought). However the Sony has a much larger power brick than the Dell. After combining these two together, the weight seems similar. Physically, both are remakably alike. The Sony has a thinner screen (even though both boast LED backlighting), but the base is marginally thicker, leading to an overal similar thickness. Both boast a 13.3" screen, giving the same width,

Figure 2 - both laptops open

Once again, it's remarkable how similar the form factors are. The Sony has the fingerprint reader between the two trackpad buttons (making the buttons too small to be usable IMHO). On the other hand, the Dell has both the Wireless-N and 5520 WWAN (Vodafone in my case) mini-PCI cards under the trackpad making it *very* hot and unusable.

Spec wise, the two are very similar:

13.3" screen, 1280x800 maximum resolution, LED backlit screens, 0.6 MP built in camera
Core 2 Duo CPUs (currently available up to 2.4GHz)
Up to 4GB of RAM
Only 2 USB ports, but both have Firewire ports
~~nVidia 8400M GS GPU~~

The Sony as the following benefits:

Both PC-Card and Express Card (only EC34) support
Much thinner screen
Lighter laptop body
Memory stick slot (no SD card slot, but comes with an ExpressCard SD adapter in box)
EDIT: So far, no calls to Sony support required to keep this thing running

The Dell has the following benefits:

WWAN support (Dell 5520 card) - no need to carry around a separate card or USB dongle for WWAN access
ExpressCard 54 slot (but no PC-Card slot
HDMI output (in addition to VGA)
Wireless-N Intel WiFi card
Comes with a 200GB 7200 RPM drive (or a 5400RPM 320GB drive for the same price). There is an option for an SSD drive as well (but at $1000 more)
Ability to enable Intel VT support in the BIOS (important for running VMs)
About $1000 cheaper than the corresponding Sony, even with the extended warranty (Australian pricing)
Higher end graphics card (8-series -vs- 7-series) - but does that really matter much in a laptop? C&C3 - Tiberium Wars plays flawlessly on both :-)
If you want to upgrade the hard-disk you unscrew a single screw on the bottom of the case. Upgrading the Sony requires a bit more work
EDIT: Onsite support as standard. However I've had to have Dell support out twice to fix issues (the second time because of the support guy breaking the LCD bezel the first time he was out)
EDIT: Dell will give you a regular Vista installation DVD, and an additional DVD for installing drivers and apps. The Sony recovery DVDs install a whole bunch of Sony apps (including a SQL Server 2005 Express Edition installation). You need to spend a fair bit of time uninstalling/removing what you don't want.

Both have drawbacks:

Only 2 USB slots. After using one USB slot for you mouse, you are limited in what you can attach. I've been forced to use the Microsoft Wireless Presenter 8000 Bluetooth mouse to keep the USB slots free for other devices.
Low resolutions screens (1280x800). After using a minimum of 1400x1050 for the past 4 years, this is a real downer. Running multiple virtual machines is difficult at this resolution.

Figure 3 - The Sony has a much thinner screen (2mm or so)

Compared to my work supplied Dell Latitude D830, the 1330 is a small child. That said, the D830 supports a 2nd hard drive (via the modular D-Bay), as well as 1920x1200 resolution. Unfortunately, it weighs more than a kilo more than the XPS1330

Figure 4 - the Latitude D830 -vs- the XPS M1330

Figure 5 - various laptops

In Figure 5, I tried to capture the various sizes of these laptops, but it didn't quite work out how i hoped. From bottom to top: Latitude D830, Apple Macbook, Sony SZ48, Dell XPS M1330, and my trusty Toshiba M400 tablet PC.

Figure 6 - Various laptops

An older shot, showing the Sony SZ48, Toshiba M400 tablet, and Toshiba Tecra M5 on the same table. HP ML330 in the background.

After all's said and done however, I'm happy with my purchase. The Dell XPS M1330, even in a top-of-the-line configuration, is quite cheap (compared to what we were paying a couple of years ago), is thin and light. It's a good complement to the fully featured (but heavy) Latitude D830. The only downsides to my previous personal latop (the M400) are:

no inbuilt tablet functionality (but I have a Wacom Bamboo to compensate)
low resolution screen (not sure what to do about that, except move more stuff across to the D830)

IIS 7.0 WebDAV module (beta) released

Ken — Mon, 07 Jan 2008 04:45:00 GMT

Well it seems that the IIS product is just sneaking in the final bits and pieces missing from IIS 7.0 at this very late stage of the Windows Server 2008 release cycle. Spotted on Robert McMurray's blog is a GoLive Beta release of the IIS 7.0 WebDAV module. This will be included inbox with the final Windows Server 2008 release, but wasn't included in RC1.

Features of this WebDAV module include:

Full integration into the IIS 7.0 Manager MMC Console
Per site enabling/disabling of WebDAV functionality (in IIS 6.0, you could only disable/enable WebDAV per server, then needed to ensure your permissions were set correctly on sites where you didn't want authoring to occur)
Per URL security (this was doable in IIS 6.0, but it was pretty slow if you did it through the GUI)

Additionally, other modules (such as the Request Filtering module) can be configured to not apply rules to WebDAV requests, allowing authenticated authoring to occur, but disallowing other non-permitted anonymous requests.

Download locations for the x86 and x64 bits.

IIS 7.0 Health Model published, and MOM 2005 MP for IIS 7.0 (beta) released

Ken — Sun, 06 Jan 2008 10:51:00 GMT

I hope everyone had a great Christmas and New Year.

Spotted on Mike Volodarsky's blog is an announcement that the Health Model for IIS 7.0 has been published on Microsoft TechNet. This describes the various error conditions that IIS 7.0 (and related services, like the Worker Process Activation Service) might encounter.

If you are familiar with Microsoft Operations Manager, then you'll know that these health models form the basis for developing a management pack for that particular service. And right on cue, a beta of the Management Pack for IIS 7.0 (MOM 2005) has been released on Microsoft Connect.

Passed 70-649 (Upgrading to Windows Server 2008 for 2003 MCSEs) today

Ken — Thu, 13 Dec 2007 05:57:00 GMT

I took the 3-in1 upgrade exam today (70-649). I honestly thought I'd fail after spending the last few days digging further into a few of the topics that are covered (WDS in particular).

In the end, I scored:

970/1000 for TS 70-643 (Configuring Application Services), which probably isn't surprising as this covers IIS 7.0 and Terminal Services
887/1000 for TS 70-640 (Configuing Active Directory Services), which now covers traditional Directory services, AD Lightweight Services (formarly ADAM), AD RMS (formerly Windows Rights Management Services) and AD CS (formerly just Certificate Services)
850/1000 for TS 70-642 (Configuring Network Infrastructure), which covers stuff like Network Access Protection, RRAS and so on. There was also a WSUS question in there, and some Virtual Server questions.

A question a colleague asked was whether you needed to pass all three components, or just have an overall passing score. At the end of the exam, the testing application told me I'd passed with a score of 850/1000, so it appears that you need to score higher than 700 in each individual section of the exam (as your final score is the lowest score out of the three individual components).

In any case, I'll be having a beer (or two) to celebrate tonight. I'd have more, but upon returning home I found my Amex statement in the mail, which put a bit of a dampener on things. :-)

What is Volta?

Ken — Thu, 06 Dec 2007 14:47:00 GMT

Good question. I saw this today in my RSS reader:
http://blogs.msdn.com/wesdyer/archive/2007/12/05/volta-redefining-web-development.aspx

Can someone who knows something about development tell this IT Pro what this is all about? I asked around today, and no one (yet) seems to be able to explain the significance of this technology.

Thanks :-)

Exchange Server 2007 Service Pack 1 ships

Ken — Fri, 30 Nov 2007 04:06:00 GMT

Exchange Server 2007 Service Pack 1 (SP1) shipped earlier today. It incorporates a myriad of enhancements, which arguably should have been in the RTM product. I'll be installing this at home as soon as I can! Be sure to check the system requirements first (an update to .NET Framework may be required for some installs).

Update: I've successfully deployed SP1 on my home Exchange 2007 server, and everything appears to be working fine (after the second attempt). The first attempt failed due to some Hub Transport role configuration issues (which in turn caused a bunch of things to fail until I could correct the issues and start SP1 setup again).