One of the challenges I can already see, with all that is new and good in building out my private cloud, is which clustered storage ‘thing’ I should use to enable it:

  1. SMB Direct
  2. Cluster Shared Volumes
  3. Traditional Block Storage
  4. Shared Nothing

I don’t have an answer yet, but I do know that there are a variety of tools that SMB 2 support (discussed previously) brings to the table.  Additional features are outlined here.

Within a single cluster, I can now have 4,000 virtual machines (across up to 64 nodes).  Excessive?  Depends on how many nodes you have and how big they are.  Regardless, that’s a lot of VMs!  The nice thing is that I can now perform tasks across my VMs collectively (bulk migrations, updates, etc.) and Clustering Services is smart enough to keep things running: it queues operations when the load gets high and, when resources run short, takes lower-priority VMs offline so that higher-priority VMs can start (this is called preemption, and it is driven by the priority you assign to each VM).

NUMA aware virtual machine placement.  Non-uniform memory access (NUMA) is important to understand and something I am still working on.  Essentially, Hyper-V VMs can now be made aware of the NUMA topology of the host, which lets the VM (and the placement engine) evaluate more fully whether a VM will run well on a given host.  Cool underpinning.

Automatically draining a cluster node – if you consider the previous article on cluster-aware patching, this makes sense: when you put a host node into maintenance mode to patch it, be smart – move the VMs off to other nodes first, then patch.  Then do the next host node, and so on.  This also extends to the VMs themselves, which is a bit freaky.

These are all underpinning things, but speak to the power of what the clustering services will be able to do for me.  Next time, I’m going to return to my storage question and talk more about Cluster Shared Volumes and what Windows Server 8 did to them.

One of my particular annoyances and pain points with Windows is patching.  Oh how I hate patching.  It happens at least one Tuesday of every month, and while WS8 greatly reduces the attack surface by making the GUI optional (which in turn reduces how often a restart is needed), it still happens.  Patching gets even more complicated when you are running lots of VMs on a host.  They have to get patched and then restarted, then the host has to get patched, the VMs paused (or moved if in a cluster) while the host restarts, then the VMs moved back… agh.

Well, a variety of features have been improved in this arena in WS8.  At the base of all of these new clustering features is Cluster-Aware Updating.  Other technologies like the Cluster Shared Volume improvements, the SMB improvements and the management tools help ease these burdens, but again, having your cluster service know what is happening while you patch is key.  Here’s how it works:

  1. One of your cluster servers (or a separate management machine) becomes the ‘orchestrator’ – it coordinates the scan for, and download of, updates on each of its sibling nodes.
  2. It then puts each node into maintenance mode in turn, moving that node’s VMs to the other nodes while maintaining cluster quorum; if resources get pinched, the VM priority settings keep your SLAs in check by taking lower-priority VMs offline (preemption) so the important ones keep running – holy cow indeed!
  3. Once a cluster node is drained, it installs the updates, restarts, rejoins the cluster and gets its VMs moved back; it then participates in helping out the other nodes by taking on their VMs as directed by the orchestrator.
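
To make the preemption and draining described above (here and in the earlier post on VM priority and node draining) concrete, here is an added example of my own, not something lifted from the preview docs: it assigns VM priorities so preemption has something to act on, pre-flights the cluster for Cluster-Aware Updating, registers the self-updating role, and shows the drain/resume that CAU performs on every node.  The cluster name, VM names and node name are assumptions.

```powershell
# Added example (not from the preview documentation). Names are assumptions.
Import-Module FailoverClusters
Import-Module ClusterAwareUpdating

$Cluster = 'HVCLUSTER01'

# 1. Tell the cluster which VMs matter. Priority drives preemption: when a node
#    fails or is drained and resources are tight, Low VMs are taken offline so
#    High VMs can start. 0 = No Auto Start, 1000 = Low, 2000 = Medium, 3000 = High.
$priorities = @{ 'SQL01' = 3000; 'DC01' = 3000; 'BUILD01' = 1000 }   # assumed VM names
foreach ($vm in $priorities.Keys) {
    $group = Get-ClusterGroup -Cluster $Cluster -Name $vm
    $group.Priority = $priorities[$vm]
}
Get-ClusterGroup -Cluster $Cluster | Where-Object GroupType -eq 'VirtualMachine' |
    Select-Object Name, OwnerNode, State, Priority | Format-Table -AutoSize

# 2. Pre-flight: Best Practices Analyzer checks for CAU (quorum, WinRM, the
#    firewall rule that allows a remote shutdown, automatic-updates settings, ...).
Test-CauSetup -ClusterName $Cluster

# 3. Self-updating mode: the CAU clustered role lives on one node and acts as the
#    orchestrator on a schedule. Fail safe: abort after a single node failure and
#    refuse to start unless every node is online, so quorum is never put at risk.
Add-CauClusterRole -ClusterName $Cluster -DaysOfWeek Tuesday -WeeksOfMonth 2 `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force

# Preview what the next run would install, per node, without touching anything.
Invoke-CauScan -ClusterName $Cluster | Format-Table NodeName, UpdateTitle -AutoSize

# 4. Or drive a run right now from a management workstation (remote-updating mode)
#    and read the report afterwards.
Invoke-CauRun -ClusterName $Cluster -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RequireAllNodesOnline -Force
Get-CauReport -ClusterName $Cluster -Last -Detailed

# What CAU does for each node, done by hand for one node (out-of-band patching):
$node = 'HV01'                                                       # assumed node name
Suspend-ClusterNode -Cluster $Cluster -Name $node -Drain -Wait      # migrate VMs off, wait for empty
# ... install updates and reboot $node here ...
Resume-ClusterNode -Cluster $Cluster -Name $node -Failback Immediate  # bring its VMs back
```

The two numbers worth thinking about are `-MaxFailedNodes` and `-RequireAllNodesOnline`: with both set conservatively a bad update stops the run after one node instead of walking through the whole cluster, and the run never starts while a node is already down and quorum is thin.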

Oh yeah – that’s hot.  Again, when you pair this with the continuously available Cluster Shared Volumes feature and the new transparent-failover SMB goo, you’ve got yourself a self-healing, self-patching private cloud.

Bear in mind – the example here with VMs is just one use case: this works with other clustered applications like SQL Server, Exchange, plain ol’ highly available file shares, the new highly available DHCP stuff… the sky’s the limit!


I was thinking that I’d just go through each of the technical preview documents, call out the stuff that I thought was cool, break it down into easily readable prose, go in order and keep each post short and sweet.  Then I realized that a lot of the documents bounce around, so I took a little bit of time and decided to condense them and do them in rough order of feature.  The moral of the story is, I’m trying to paint a picture using the limited documents available, as well as my own encounters as I try each of them out.

The long and short of it is this: in order to build the private cloud – and that consists of more than just VMs – you have to have high availability, orchestration (some of which is provided by Windows itself, and some by System Center 2012, which is my next series) and the ability to constantly move resources around, whatever they may be, based on current conditions – which requires scalability and monitoring.  No feature in Windows Server is more fundamental (except maybe storage) than Clustering Services.  Clustering has been available for a long time, but until 2008 R2 you had a great deal of work cut out for you to set clusters up and keep them running.  Now in WS8, the flexibility and robustness of the tools to create and manage clusters is extended considerably, starting of course with full PowerShell support, great built-in tooling in Server Manager, a slew of new wizards (I counted six new wizards around clustering alone) and extended support tools like System Center 2012.  But tooling is only part of the story – we need to scale clustering to big – really, really big – to build a private cloud.

Hyper-V and File Server clustering got the most attention in this release, and it makes sense – they are the underpinning of everything else in our environment.  A lot of those improvements are going to be described in their own articles, but here I’m going to highlight some key clustering components that enabled those updates:

Continuously Available File Share Storage

Without a doubt, the biggest piece of all the clustering changes is the full and native support of all things SMB 2, the industry-standard file-sharing protocol.  By placing their development efforts here, we now have solutions available to us that we could only dream of previously.  Here is a rundown of the SMB features, as per the documentation:

  • SMB2 transparent failover. You can now more easily perform hardware or software maintenance of nodes in a clustered file server by moving file shares between nodes without interrupting server applications that are storing data on these file shares. Also, if a hardware or software failure occurs on a cluster node, server message block 2 (SMB2) transparent failover lets file shares fail over to another cluster node without interrupting server applications that are storing data on these file shares.
  • SMB2 multichannel. This improvement allows aggregation of network bandwidth and network fault tolerance if multiple paths are available between the SMB2 client and the SMB2 server. Server applications can then take advantage of all available network bandwidth and be resilient to a network failure.
  • SMB2 direct. This improvement uses a special type of network adapter that has remote direct memory access (RDMA) capability and can function at full speed with very low latency, while using very little CPU. For server roles or applications such as Hyper-V or SQL Server, this allows a remote file server to have performance that compares to local storage.
  • SMB2 performance counters for server applications. Performance counters provide detailed information about I/O size, I/O latency, IOPS, and so on. This lets a SQL Server database administrator or Hyper-V administrator analyze the performance of the SMB2 file shares where their data is stored.
  • SMB2 performance optimizations. The SMB2 client and SMB2 server have been optimized for small, random read/write I/O, which is common in server applications such as SQL Server online transaction processing (OLTP). In addition, a large maximum transmission unit (MTU) is enabled by default, which significantly enhances performance in large sequential transfers, such as with a SQL Server data warehouse, a database backup or restore, or the copying or deployment of virtual hard disks.
  • SMB2 management with Windows PowerShell. With Windows PowerShell, you can use the command line to manage SMB2 on the file server, end to end.
  • SMB2 remote file storage. Hyper-V can now store virtual machine files (including configuration files, virtual hard disk files, and snapshots) in shared folders that use the SMB2 protocol. Support for storing database files in shared folders that use the SMB protocol was introduced in SQL Server 2008 R2.
These underpinnings speak to all that follows.
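
As an added example (mine, not from the preview documentation), here is how the transparent failover, multichannel and PowerShell-management bullets come together when you put Hyper-V VM files on a clustered file share, with the access list kept to the hosts that actually need it.  The share name, CSV path, clustered file server name and account names are assumptions.  One naming note: the dialect the preview docs call SMB 2.2 shipped under the name SMB 3.0, so that is what the dialect check below will report on released builds.

```powershell
# Added example (not from the preview documentation). Names/paths are assumptions.
Import-Module SmbShare

$ShareName = 'VMs'
$Path      = 'C:\ClusterStorage\Volume1\VMs'   # assumed CSV path on the clustered file server
$ScopeName = 'FS-SOFS'                         # assumed clustered file server (client access point)

# Least privilege: only the Hyper-V hosts' computer accounts (note the trailing $)
# and the VM admins group. Everyone / Authenticated Users is deliberately absent.
$FullAccess = 'CONTOSO\HV01$', 'CONTOSO\HV02$', 'CONTOSO\HyperV-Admins'

# ContinuouslyAvailable is what turns on transparent failover for this share;
# client-side caching makes no sense for VHDs, so it is switched off.
New-SmbShare -Name $ShareName -Path $Path -ScopeName $ScopeName `
    -FullAccess $FullAccess -ContinuouslyAvailable $true -CachingMode None

# Mirror the share ACL onto NTFS so effective permissions are the same either way.
Set-SmbPathAcl -ShareName $ShareName -ScopeName $ScopeName

# Verify the share really is continuously available and who can reach it.
Get-SmbShare -Name $ShareName -ScopeName $ScopeName |
    Select-Object Name, ScopeName, ContinuouslyAvailable, CachingMode
Get-SmbShareAccess -Name $ShareName -ScopeName $ScopeName

# On a Hyper-V host that has opened a VHD on the share: which dialect did we
# negotiate (transparent failover needs 2.2/3.0 or later) and how many channels
# did multichannel actually bring up, over which adapters?
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, NumOpens
Get-SmbMultichannelConnection |
    Select-Object ServerName, ClientIpAddress, ServerIpAddress, ClientRSSCapable, ClientRdmaCapable

# Hardening check on the file server: nothing on this box should still answer SMB1.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # once no legacy clients remain
```

If `Get-SmbMultichannelConnection` shows only one row per server when you expected several, the usual causes are adapters on different subnets that the client cannot reach, or NICs that are neither RSS- nor RDMA-capable: multichannel only aggregates paths it considers equivalent.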



Remote access is a tough nut to crack.  On the one hand, every employee needs access to their corporate resources at all hours of the day and from whatever device they can shake a stick at.  On the other hand, IT can’t just tear down the firewall and let everyone in, for obvious reasons.  For a long time, dedicated VPN equipment (like a Cisco ASA appliance) or VPN software like Microsoft RRAS was really the best option for secure, reliable connectivity when not on prem.  The challenges with those solutions are several:

  1. Yet another system to manage
  2. Not well integrated (although they are getting better) with the rest of your environment
  3. They only provide access; they don’t provide management/true connectivity (I’ll explain in a bit)

With Windows Remote Desktop Services, you can get much closer to the goal of ubiquitous access – take your Gateway server and drop it onto port 443 in your DMZ and your RemoteApps, remote desktops and VDI sessions are available to your end users (there’s a whole RDS post coming soon).  But that doesn’t get you true native connectivity – connectivity that has been the dream of many throughout the ages… ok, maybe that’s a bit far.  Connectivity that makes your computer look, act and feel like it is on the corporate network without complicated VPN or RAS dialers.  Connectivity that allows you to:

  1. Hit internal intranet sites without an FQDN (http://myportal)
  2. Hit internal shares or mapped drives (\\server1\myfolder)
  3. Have Group Policy applied and refreshed both at logon and on the standard 90-minute schedule
  4. Let IT ‘see’ my computer if I am having trouble and diagnose/work with me as if I were physically present
  5. Not have to reconfigure my internal apps to use FQDNs, and have apps that are configured to hit internal addresses just work
  6. Only route ‘internal’ traffic to the corporate network – if I hit www.cnn.com, route normally (to keep things fast)

Seems like a pipe dream, does it not?  DirectAccess brings all of those to your company-owned workstation/laptop, and more!  In Server 2008 R2, where it first appeared, the promise of such amazing connectivity went largely unused because it was incredibly difficult to set up and maintain.  It also required some fairly major infrastructure changes throughout your network (IPv6 everywhere, a PKI) to enable.  Fortunately, like all things WS8, DirectAccess is now AMAZING, simple, and secure by default (it won’t work insecurely).  Here are some of the highlights from the preview documentation we’ve been working through:

  1. Remote Access (RRAS/VPN) and DirectAccess are now controlled together using a single interface (and a single PowerShell module).
  2. Monitoring of the environment is now much easier, with all the PowerShell, WMI and GUI monitoring you can shake a stick at.
  3. A new Network Connectivity Assistant provides client computers with customizable connectivity diagnostics.  It remains transparent to the end user by default, but if things go wrong, this tool pops up and can help.
  4. When enabling DirectAccess, it takes care of all the Windows Firewall rules for you – how many companies do you know where the first thing done to a new server VM is to disable the Windows Firewall?  That’s BAD, and as an aside, Windows Server 8 makes this much less ‘necessary.’
  5. Wizards!  Small companies can deploy this sucker with just a few clicks – much better.
  6. PKI isn’t required (although still recommended): for a simple single-server deployment you don’t have to go through all the goo of setting up certificates and trusts, because the DA server can proxy Kerberos authentication for the clients instead.  You still need a PKI the moment you want two-factor authentication, one-time passwords, NAP, multi-site deployments or Windows 7 clients.
  7. DirectAccess can now reach IPv4-only servers on your network – probably the best enhancement – your servers need not have IPv6 configured to be exposed through DA.  The DA server acts as a DNS64/NAT64 proxy to facilitate this magic.  One caveat: that translation works by name, so an application that is hardcoded to an internal IPv4 literal address still won’t go over the tunnel.
  8. Can work with just a single network adapter (as opposed to dual NICs and weird config settings on the server in 2008 R2), and can sit behind a NAT device.
  9. Will work with your Network Access Protection investment (I really was surprised this was missing in 2008 R2).
  10. Can work with one-time passwords and key fobs for added security via your RADIUS environment – my test included a very cool toy called a YubiKey.
  11. Here’s one – instead of a traditional smart card (something you know and something you have), Windows 8 can now use the TPM built onto the board as a virtual smart card.
  12. Works with Server Core – as do most things in WS8.
  13. Can configure computers ‘off network’ – the machines don’t have to be physically connected to the corporate network to join the domain and receive their DirectAccess settings (offline domain join) – that’s black magic if you ask me.

These enhancements, along with the more complex changes under the covers, will make DirectAccess not only affordable but technically attainable for small companies all the way up to the largest enterprises (which will want PKI configured and the cool geo-redundant load balancing).  It’s all very VERY cool :)
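
Here is an added example of my own (not from the preview docs) that strings several of the points above together: a single-adapter DirectAccess server behind NAT, scoped to one AD group of domain-joined laptops, with two-factor user authentication and split tunnelling, followed by the offline domain join for a laptop that has never been on the LAN, and the checks I would run from that laptop.  Host, group, GPO and path names are assumptions, and since this is preview-era tooling, confirm the parameter names against Get-Help for the RemoteAccess module you actually have.

```powershell
# Added example (not from the preview documentation). Names are assumptions.
Import-Module RemoteAccess

Install-WindowsFeature RemoteAccess -IncludeManagementTools

# One NIC, behind an edge NAT: clients reach us over IP-HTTPS on TCP 443 only.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress 'da.contoso.com' `
    -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' -DeployNat `
    -ClientGpoName 'corp.contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'corp.contoso.com\DirectAccess Server Settings' -Force

# Least privilege on the client side: only machines in this group get the DA
# GPO, only mobile computers (not every domain computer), no Windows 7 down-level
# clients, and Internet-bound traffic stays off the tunnel (item 6 above).
Add-DAClient -SecurityGroupNameList 'CONTOSO\DA-Laptops'
Set-DAClient -OnlyRemoteComputers Enabled -Downlevel Disabled -ForceTunnel Disabled

# Computer certificates from the internal CA plus a second user factor (smart
# card or TPM virtual smart card). This is the point at which a PKI becomes
# mandatory rather than recommended.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*Contoso Root CA*'
Set-DAServer -IPsecRootCertificate $root -UserAuthentication TwoFactor

# Health: anything that is not OK here is what the Network Connectivity
# Assistant will end up showing your users.
Get-RemoteAccessHealth | Where-Object HealthState -ne 'OK' |
    Format-Table Component, HealthState -AutoSize

# Offline domain join (item 13): on a DC, provision a blob that also carries the
# DA client GPO and the root CA certificate. The blob contains the machine
# password, so move it to the laptop over a trusted channel and delete it after.
djoin.exe /provision /domain corp.contoso.com /machine LAPTOP042 `
    /policynames 'DirectAccess Client Settings' /rootcacerts /savefile C:\odj\LAPTOP042.txt
# On the laptop, offline, then reboot; it comes up able to reach the DA server.
djoin.exe /requestODJ /loadfile C:\odj\LAPTOP042.txt /windowspath $env:SystemRoot /localos

# From the laptop, on the Internet: are we tunnelled, and is only corporate DNS
# being steered into the tunnel (the NRPT is what implements split tunnelling)?
Get-DAConnectionStatus                                   # Status: ConnectedRemotely
Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers
Get-NetIPHttpsState
```

The NRPT output is the one to read carefully: only your internal suffixes should appear with DirectAccess DNS servers.  A `.` or public suffix in that list means you have just turned a split tunnel into a full one without meaning to.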

Perhaps my favorite WS8 feature, Branch Cache, has received tremendous updates in this release.  Branch Cache is a technology originally released with Windows Server 2008 R2 (and Windows 7 clients) that allows companies with large remote office deployments to ease WAN traffic for file server purposes by securely caching files at remote offices, on either servers or even workstations (using something akin to P2P technology).  Once a client at a remote office grabs a file off a server via the WAN, it gets cached there (again, on either servers or client workstations) for other users to get.  This operation is transparent to the end user – the only thing they notice is that files open faster!  To me, this is dark magic :)

Branch Cache originally shipped with two modes – Hosted Cache and Distributed Cache.  If that isn’t pretty self-explanatory, here is a snippet lifted from the TechNet article:

  • Hosted Cache Mode – files are cached on servers (called hosted cache servers – duh) at the remote office.
  • Distributed Cache Mode (the ‘dark magic’ mode) – files are cached on individual workstations and shared among those workstations as needed.  These stay local to the subnet.  Very useful if you have a limited WAN connection and/or no servers to support hosted cache mode at the remote office.

Branch Cache works in front of three kinds of content server at the head office (the role you install there determines what gets cached), and the WS8 hosted cache improvements apply to all three:

  1. File Server role
  2. Web Server role
  3. Application Server role

Which ones you use depends on what you have available.  File Server mode, as you might expect, requires SMB.  Web Server mode requires IIS (preferably with HTTPS).  Application Server mode requires BITS.  Security is handled for you and it is very cool – this version no longer requires a server certificate on every hosted cache server, which was the decently complex part of keeping the previous version secure.  The data itself is still protected: a client only obtains the content hashes after the content server has authorized it against the file’s ACL, and the cached blocks are encrypted with a key derived from those hashes, so a peer or hosted cache server cannot hand out data to someone the source would have refused.  In WS8, Branch Cache also uses ESE (the Extensible Storage Engine behind Exchange and Active Directory) as its cache database to help scalability and demand.  As with all WS8 features, Branch Cache is completely manageable via Server Manager (including in groups), PowerShell, WMI or even locally if you are so inclined.

Setting Branch Cache up couldn’t be easier.  Configure some Group Policy objects (which have been streamlined since the previous version, which is nice) for the clients and turn it loose.  Once the Branch Cache server(s) – should you choose to use Hosted Cache mode – are up and running, the clients discover them (via a service connection point registered in Active Directory), self-configure, and the end user is none the wiser.

In all, a lot more could be said about Branch Cache, but the bottom line is that this is one of those dark magic things that just works so well you wonder where it has been all your life.  It will save tremendous amounts of bandwidth on your WAN, the hosted cache servers can be pre-seeded and then shipped out, and your end users don’t do anything different.  Perfect!

PS – I forgot to mention – it also works with the new de-duplication and storage spaces features that I’ll be talking about in future articles.  Huzzah!
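
As an added example (mine, not from the TechNet article or the preview docs), here is hosted cache mode end to end, including the pre-seeding mentioned above: hash the share at the head office, export a cache package, ship it with the new branch server, register that server in AD so clients find it on their own, and confirm the cache is filling.  Share paths, server names and feature names on the content server are assumptions.

```powershell
# Added example (not from the original post). Paths and names are assumptions.
Import-Module BranchCache

# --- Head office content server (file server role) ---------------------------
# FS-BranchCache is the "BranchCache for Network Files" role service. The
# "Hash Publication for BranchCache" policy must also be enabled on this server
# (GPO or local policy) or clients will never be offered content hashes.
Install-WindowsFeature FS-BranchCache

# Pre-seed: hash the share now instead of on first client request, stage the
# data, and export it as a package that can be carried to the branch office.
Publish-BCFileContent -Path 'D:\Shares\Engineering' -StageData -StagingPath 'D:\BCStaging'
Export-BCCachePackage -Destination 'D:\BCPackage' -StagingPath 'D:\BCStaging'
# => D:\BCPackage\PeerDistPackage.zip  (ship it with the branch server)

# --- Branch office hosted cache server ---------------------------------------
Install-WindowsFeature BranchCache

# -RegisterSCP publishes a service connection point in AD so clients in this
# site discover the hosted cache server themselves. No certificate is needed
# on this box any more; the hashes, not the server, protect the content.
Enable-BCHostedServer -RegisterSCP

# Load the pre-seeded package; the first user to open those files gets a
# LAN-speed hit instead of a WAN transfer.
Import-BCCachePackage -Path 'D:\BCPackage\PeerDistPackage.zip'

# Is it on, in which mode, and how full is the cache?
$status = Get-BCStatus
$status.BranchCacheIsEnabled
$status.HostedCacheServerConfiguration
Get-BCDataCache | Select-Object CacheFileDirectoryPath, MaxCacheSizeAsPercentageOfDiskVolume, CurrentSizeOnDiskAsNumberOfBytes

# --- Branch clients ----------------------------------------------------------
# Normally done through the client GPO ("Enable Automatic Hosted Cache Discovery
# by Service Connection Point"); for a one-off test machine, point it explicitly:
Enable-BCHostedClient -ServerNames 'BC-BRANCH01.corp.contoso.com'
Get-BCStatus | Select-Object -ExpandProperty ClientConfiguration
```

If `CurrentSizeOnDiskAsNumberOfBytes` stays at zero after the import, the package was built from a different share path than the clients request, or hash publication is off on the content server; the hosted cache can only serve blocks whose hashes a client was authorized to fetch from the source.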

It comes as no surprise that in order to build a private cloud (or a public one, if you’re in the hosting space), the more servers each admin can look after, the better.  Some enterprises have a hard limit of, say, 20 servers to one admin; others with impressive automation and orchestration have got up to 100 to one or, more likely, have broken out individual server administration tasks to individual teams – this team for patching, that team for AD, etc.

In WS8, the convergence of knowledge around maintaining large numbers of server instances becomes almost fun.  There really is no longer a reason to have one large server running dozens or hundreds of apps simply because it is easier to administer.  In fact, because of the continuous fine tuning of memory and processing requirements, dozens of Windows Server 8 instances can run on a single host without any trouble!  But the tools had better be there – and they are!

PowerShell 3 - the key to unlocking the potential of maintaining large numbers of servers is the ability to script their management and maintenance without going through hundreds of clicks on each server.  I was always hesitant to use the command line – I just always felt more comfortable with my GUI so I could see exactly what was happening.  Linux/Unix admins scoff at me frequently.  PowerShell has come a long way since its introduction and is chock full of great new features to help you keep tabs on your systems without ever actually logging in to them!  Here are the new PowerShell 3 features from the docs:

  1. Workflows – write a workflow in native PowerShell or XAML and it runs on Windows Workflow Foundation.  Workflows get all of the WF features developers have come to love (and some hate): parallel execution, checkpoints, restart, suspend and resume, repeat, branching, etc.
  2. Session ‘resilience’ – baked into PS3 is the ability to disconnect from a remote session and reconnect to it later, even from a different machine, without losing the work running in it.
  3. Scheduling – it’s nice to queue up large configuration changes for a maintenance window; PS3 scheduled jobs provide just that.
  4. Run As – for teams that delegate certain administrative tasks to other admins, you can now register a remoting endpoint (a session configuration) that runs under a privileged account and exposes only the cmdlets you choose, so delegates can execute privileged commands (remotely!) without being granted privileged rights themselves.
  5. Easier to use – PS3 helps you out a lot more by making command discovery and scripting more intuitive.  They haven’t ditched $_. yet, but I’m still trying to get them to :)
  6. Ability to build entire ‘deployment’ scripts that configure every piece of your newly installed server remotely and in batches – need 100 new IIS VMs?  Script away and target the right machines when they come up!
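
Here is an added example of mine (not from the docs) that uses items 1 to 4 together for the patching scenario from earlier in this series: a constrained Run-As endpoint on each server for a delegated patching team, a workflow that drives servers in parallel and checkpoints between phases, a disconnected session you can pick up later, and a scheduled job for the maintenance window.  Endpoint name, service account, server names and the script path are assumptions.

```powershell
# Added example (not from the PowerShell documentation). Names are assumptions.

# --- 1. Run As: on each managed server, a restricted endpoint ---------------
# Only the listed cmdlets are visible (plus the handful PowerShell always
# exposes, such as Select-Object), the language is constrained so callers cannot
# reach arbitrary .NET, and everything executes as the patching service account.
# The delegate connecting to it never needs local admin rights.
New-PSSessionConfigurationFile -Path 'C:\PSConfig\PatchOps.pssc' `
    -SessionType RestrictedRemoteServer -LanguageMode ConstrainedLanguage `
    -VisibleCmdlets 'Get-HotFix', 'Get-Service', 'Restart-Service', 'Restart-Computer'
Register-PSSessionConfiguration -Name PatchOps -Path 'C:\PSConfig\PatchOps.pssc' `
    -RunAsCredential (Get-Credential 'CONTOSO\svc-patch') `
    -ShowSecurityDescriptorUI -Force   # grant Invoke to the CONTOSO\PatchTeam group here

# Delegate's view: what they get, nothing more.
Invoke-Command -ComputerName WEB01 -ConfigurationName PatchOps -ScriptBlock { Get-Command }

# --- 2. Workflows: parallel fan-out with a checkpoint between phases ---------
workflow Invoke-PatchWave {
    param([string[]]$Servers)

    # Phase 1: inventory every server at once, inside the delegated endpoint.
    foreach -parallel ($s in $Servers) {
        $svc = InlineScript { Get-Service -Name wuauserv, TrustedInstaller | Select-Object Name, Status } `
                   -PSComputerName $s -PSConfigurationName PatchOps
        foreach ($entry in $svc) { "$s : $($entry.Name) = $($entry.Status)" }
    }

    # Persist progress; if the workstation running this reboots, Resume-Job
    # continues from here instead of re-running phase 1.
    Checkpoint-Workflow

    # Phase 2: kick the update agent on each server, again in parallel.
    foreach -parallel ($s in $Servers) {
        InlineScript { Restart-Service -Name wuauserv } -PSComputerName $s -PSConfigurationName PatchOps
    }
}

# Run it as a job so the shell stays free; the job is resumable after a suspend.
$job = Invoke-PatchWave -Servers 'WEB01', 'WEB02', 'WEB03' -AsJob -JobName Wave1
Receive-Job -Job $job -Wait

# --- 3. Session resilience: leave work running, collect it later --------------
Invoke-Command -ComputerName WEB01 -ConfigurationName PatchOps `
    -InDisconnectedSession -SessionName Inventory -ScriptBlock { Get-HotFix }
# ... close the laptop, go home, reconnect from another machine:
Receive-PSSession -ComputerName WEB01 -Name Inventory

# --- 4. Scheduling: queue the wave for the maintenance window ----------------
# Assumes the workflow above is saved in that file with a call at the bottom.
Register-ScheduledJob -Name PatchWave1 -FilePath 'C:\Scripts\Invoke-PatchWave.ps1' `
    -Trigger (New-JobTrigger -Once -At (Get-Date '2012-04-10 02:00'))
```

The security property to notice is that `Restart-Service` inside the endpoint runs as `svc-patch`, but the person invoking it only ever holds Invoke permission on the `PatchOps` endpoint, and cannot get a full session on the box through it: the visible-cmdlet list plus the constrained language mode is the whole attack surface they are given.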

Server Manager - Server Manager is essentially ‘the app of apps’ – it was originally introduced several versions back, and I wasn’t really sure it would be useful.  Boy was I wrong!  Most administrative things are controlled from Server Manager, from installing features and roles to configuring those roles, monitoring, etc.  Since everything is now remotely manageable, it stands to reason that MSFT would make it easy to do just that with Server Manager.  Server Manager can not only control servers remotely, it can control them in batches by type, role and more.  What’s even better, many of the wizards (the AD DS deployment wizard, for one) show you the actual PowerShell script they ran behind the scenes so you can save it for later.  This allows you to quickly build a library of scripts that you can use in the future – do it once in the GUI, get the script, modify, replicate, run!

I continue to be impressed with the management features and the increasing completeness of Server Manager and PowerShell.  There will still be the occasional need to dive into WMI (if only wishing made it not so), the standard command prompt or an MMC snap-in, but those days are clearly numbered!

 

One of the most stable and well-designed pieces of software to come out of Microsoft – ever – is Active Directory.  While its development was riddled with twists and turns (and the occasional run-in with Novell), the identity platform for millions of businesses is a stalwart of stability.  Few outside IT administration ever know of its existence – and that is the point.  The basic ability to authenticate and gain access to corporate resources, be that a computer, a server or a file, would not work without the consistent resiliency of this gorgeous database.

The biggest advantage of Active Directory over other products is its ubiquity.  Microsoft has spent untold sums making it accessible and secure to a variety of applications – the entire MSFT stack included.  It is also the underpinning of major infrastructural components of many software packages, including Exchange, Lync, SharePoint and thousands of LoB applications.  In recent versions, it has gained prominence in the realm of federation, enabling businesses to seamlessly federate their authentication and authorization stores using technologies like ADFS and claims-based authentication.  The changes in WS8 around Active Directory continue to support the major system components from previous versions (great backward compatibility) as well as the new features throughout Windows Server (described later in this series), and support administrators by addressing common pain points.  Here’s what’s new!

Simplified Deployment - similar to Windows 8 client, where everything is touch-first, in WS8 everything is PowerShell-first!  Deploying Active Directory is so much easier now that it can be scripted accurately.  All but the smallest companies need to deploy multitudes of domain controllers.  In WS8, you can deploy AD DS on multiple servers at once, export your GUI-based configuration as a PowerShell script, and clone existing virtualized domain controllers (think sysprep on steroids) for rapid forest topology builds.

Safer Virtualization Support - this exact issue has bitten me!  What’s the cardinal sin with virtual machines and Active Directory?  DON’T P2V a DC, and don’t revert a virtual DC to a snapshot, without following very complex prescriptive processes.  The dreaded USN rollback will bite you.  AD in WS8, however, recognizes that virtual domain controllers are what enterprises need: on a hypervisor that exposes a VM-GenerationID to the guest (Hyper-V in WS8 does), the DC notices when that ID changes – a snapshot was applied, or the VM was copied – and discards its RID pool and resets its invocation ID, so replication stays consistent instead of silently diverging.  That same detection is what makes DC cloning safe.
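
As an added example (mine, not from the preview docs), here is the scripted side of both points above: a domain controller promotion done entirely from PowerShell, then the preparation of a source virtual DC for cloning, and a check for whether a virtual DC is actually protected by the generation ID mechanism.  Domain, site, server names and addresses are assumptions.

```powershell
# Added example (not from the preview documentation). Names/addresses are assumptions.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# --- Scripted promotion: what the deployment wizard's "View script" gives you --
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential 'CONTOSO\Administrator'
$dsrm = Read-Host -AsSecureString 'DSRM password'   # keep this off the command line and out of scripts
Test-ADDSDomainControllerInstallation -DomainName 'corp.contoso.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName 'corp.contoso.com' -InstallDns -SiteName 'HQ' `
    -Credential $cred -SafeModeAdministratorPassword $dsrm -Force

# --- Cloning: prepare the source virtual DC (run on the source, e.g. DC02) -----
# 1. Only members of this group may be cloned. Keep it empty except while you
#    are cloning; membership is the control that stops a stolen VHD from being
#    booted up as a brand-new, fully trusted DC.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'DC02$'

# 2. Anything installed on the DC that is not on the built-in "safe to clone"
#    list is reported here. Review it; then either remove the software or
#    accept it into CustomDCCloneAllowList.xml with -GenerateXml.
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml

# 3. Write DCCloneConfig.xml next to NTDS.DIT. The clone reads it on first boot
#    and promotes itself with this identity instead of coming up as DC02.
New-ADDCCloneConfigFile -Static -CloneComputerName 'DC03' -SiteName 'HQ' `
    -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 4. Shut DC02 down cleanly, export the VM, import it as a copy, start it.
#    The copy sees a new VM-GenerationID, throws away its RID pool and invocation
#    ID, and registers as DC03. Then take DC02$ back out of the group.
Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'DC02$' -Confirm:$false

# --- Is a given virtual DC protected against snapshot rollback at all? --------
# msDS-GenerationId is only populated when the hypervisor exposes a generation
# ID. If it is empty, reverting that VM to a snapshot will still cause USN rollback.
Get-ADComputer -Identity 'DC02' -Properties 'msDS-GenerationId' |
    Select-Object Name, 'msDS-GenerationId'
```

Two prerequisites the script cannot check for you: the PDC emulator must already be running WS8 (the clone asks it for permission to clone), and the clone must be created from a cleanly shut-down VM, not from a running-state export.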

These updates to AD, along with the refined management experience and new, simpler PowerShell cmdlets, will make administering your forest much easier.  I’ll update this post as more information is learned about any of the underpinnings of AD – I’m particularly interested to see whether the schema has changed!

If ever there was a time when the technology that enables millions of businesses and this new concept of the cloud converged on a single piece of software, it is occurring with Windows Server 8.  While the rest of the planet contemplates the good, the bad and the ugly of the Windows 8 client (myself included), I wanted to take an opportunity to digest the underpinnings of the server counterpart – to see if the server team was doing things as radical as their client team cousins.  The answer?  A resounding YES.  In fact, in many ways, what is happening on the server side of the shop is MORE disruptive and compelling than the client side.  Sexier, even, you ask?  Only to a nerd’s nerd (me) and maybe a few of my colleagues.

Windows Server 8 (WS8) focuses on making the life of the administrator easier.  It streamlines management, completes features introduced in previous versions, and adds a host of new features that make this the largest software update to Windows Server since Windows 2000.

WS8 also bridges many of the remaining gaps between the public cloud and the private cloud.  It allows dynamic and automated workflows for the rapid provisioning and re-provisioning of resources.  It brings its hypervisor into competitive parity (and then some!) with industry heavyweight VMware, and does so at a fraction of the cost.

This series focuses on my research within the technical preview documentation, my own personal experimentation with the product and thoughts of how they can apply to the real world as soon as it RTMs.  Over the coming months, I hope you enjoy what you see!

I am beginning a series on all that is amazing in Windows Server 8.  There will be 55 posts in all.  It’s a very exciting time!  Look for them to start early next week.

There is a great article in InformationWeek this week about the 2012 State of Storage that I wanted to comment on.  If you don’t have a subscription, that’s okay – the basic premise is that SSD costs are really starting to drop and the idea of enterprises using SSD SANs (or higher numbers of SSDs in existing SAN technology) is starting to gain traction.  This is certainly true and will continue to provide great performance improvements where IOPS are needed.  It’s telling that to this day many enterprises, including the five that I work closely with, are stuck in the traditional models of storage.  This isn’t their fault – these kinds of sea changes take time and there are obvious risks to upending a trusted SAN solution.  But the writing is on the wall: traditional massive storage arrays, for both performance applications and archival/compliance/storage requirements, are going to look very different in a few short years.

  1. Three-tiered storage is not going away.  Local SANs are always going to be needed for certain applications.  Particularly in this day of massive BI needs, the faster the IOPS the better, and SAN solutions built exclusively on SSDs in Tier 1 are going to quickly become the norm.
  2. Structured and unstructured data, to paraphrase the IW article linked above, are now neck and neck as the leading growth sources in Tier 1.  At Tier 2 and Tier 3, however, it’s heavily unstructured and getting more so daily.  This calls for a different paradigm for those solutions, because of the massive ‘gunk’ growing in the environment – data that you wish you didn’t have to keep but do.  So, instead of spending millions on Tier 2 and Tier 3, let’s consider alternatives.
  3. Here it comes – wait for it… almost there… TO THE CLOUD!  Ahhhh – I feel better:

The cloud is a perfect repository for unstructured data, or data with long retention policies around it.  It must be understood, however, that the security and integrity of your data are not negotiable.  Wherever your data sits, it must be safe, verifiable and auditable.  But these constraints do not preclude the use of the cloud – much to the contrary, they call for the cloud – let me explain:

  1. The ‘cloud’ isn’t all about applications and development – it is also about infrastructure, and Microsoft’s cloud has some really robust infrastructure.  There are tools and technologies on the market today that can take Tier 2 and Tier 3 (and even Tier 1 if you wanna get really crazy!) into Azure without significant changes to your infrastructure.  One such example is a tool I’ve been learning about lately from StorSimple: 50 TB of cloud data for $50,000.  That’s pretty cost-effective infrastructure!
  2. Costs will go down and continue to do so – see above, but more: in the past six months, the cost of doing business in Azure has gone down three times.  The reason?  Every time Microsoft hits another of their scale targets, they can (and do) reduce prices for everyone.  I’ve never seen a company do that before – pretty impressive.
  3. Security goes up – your data in the cloud can be more secure than on prem.  Yes, I said it.  Products like StorSimple have been assessed as HIPAA compliant (and that’s saying something!).  The Azure data centers also hold varying security certifications depending on the services used, including FERP, ITAR, SAS70, etc.  When was the last time your data center got all of those?
  4. Integrity and availability are critical – can you PROVE that in the event of a data center loss your data is safe?  Again, the Azure data centers can: your data, encrypted in flight and (depending on your solution) at rest, is stored as three replicas within a data center and, with geo-replication, copied to a second data center hundreds of miles away.  I suspect you can’t do that for $0.12/GB/month on your own.  A tool like StorSimple can also be attractive because of the technology behind the scenes that makes your data immediately accessible from your secondary data center if DC 1 is lost, and you don’t pay for that unless you need it.  Not too shabby.

InformationWeek surveys aside – and they are saying the same thing – consider the cloud carefully for Tier 2 and Tier 3, because there are options for you: you can have enterprise data in the cloud that costs less, is more secure, is verifiable and plugs directly into your existing infrastructure, obviating the need for Tier 2 and Tier 3 to be located on prem in some cases.

It’s a good time to be in the cloud!
