Ayer tuvimos una tremenda conferencia técnica con mucha gente que se acercó a discutir el tema de la nube. Hay algo de material que surgió del evento y agrego en este post para quienes quieran un punto de partida para crear su nube privada con SCVMM.

Pueden descargar la presentación de la conferencia acá http://cid-5f9c7b75bd402dda.skydrive.live.com/self.aspx/Pub/Conf%5E_Cloud%5E_20100518/Conferencia%20Tecnica%20-%20Cloud.pdf para ir poniendose en contexto.

Como repaso (muy por arriba) lo que hicimos en la parte de nube privada de la demostración fue,

1. Pre-Setup: SCVMM instalado y funcionando integrado con SCOM y el Self-Service Portal.
2. Pre-Setup: Crear un VHD generalizado ví­a sysprep.exe y copiarlo a la biblioteca de SCVMM.
3. IT Pro: Crear un Virtual Machine Template
   1. Partir del VHD generalizado.
   2. En el perfil de Hardware garantizar conectividad.
   3. En el perfil de Software unir al dominio, usar un archivo desatendido y correr como GUIRunOnce un script que obtiene la IP de la VM que se levantó y lo copia a un File Share donde un servicio corriendo en TMG lo levanta y crea una regla en el perímetro para que el RDP esté disponible desde la WAN.El archivo de respuestas que usamos fue,
      <?xml version=”1.0″ encoding=”utf-8″?>
      

      <unattend xmlns=”urn:schemas-microsoft-com:unattend”>
      

      <settings pass=”oobeSystem”>
      

      <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”amd64″ publicKeyToken=”31bf3856ad364e35″ language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State”>
      

      <Display>
      

      <ColorDepth>16</ColorDepth>
      <HorizontalResolution>1024</HorizontalResolution>
      <RefreshRate>60</RefreshRate>
      <VerticalResolution>768</VerticalResolution>

      </Display>
      

      <RegisteredOrganization>TechNET</RegisteredOrganization>
      

      <OOBE>
      

      <HideEULAPage>true</HideEULAPage>
      <NetworkLocation>Work</NetworkLocation>
      <ProtectYourPC>1</ProtectYourPC>
      <SkipMachineOOBE>true</SkipMachineOOBE>
      <SkipUserOOBE>true</SkipUserOOBE>

      </OOBE>
      

      <AutoLogon>
      

      <Password>
      

      <Value>Pas*********</Value>

      </Password>
      <Domain>TECHNET</Domain>
      <Enabled>true</Enabled>
      <LogonCount>1</LogonCount>
      <Username>Administrator</Username>

      </AutoLogon>
      

      </component>
      

      </settings>
      

      </unattend>

El script con el que obtuvimos la IP, ejecutado en el GUIRunOnce es (si, hay muchas mejoras por hacerle)
DIM objShell

set objShell = wscript.createObject(”wscript.shell”)

iReturn = objShell.Run(”CMD /C ipconfig > \\TN-NOD2\VHDsrc\tmp”, , True)

iReturn = objShell.Run(”powershell “”&{$match = Select-String -Path \\TN-NOD2\VHDsrc\tmp -Pattern 192\.168\.200\.? | Out-String; $match.substring(64,15)}”" > ip.txt”, ,True)

El script que crea la regla en TMG a partir del script anterior reclámenselo a su autor en http://blogs.prisma.cc/blogs/leandro/

1. ITPro: Editar el Virtual Machine Template recién creado y editarle el Cost Center.
2. ITPro: Crear un grupo del tipo Self-Service Users, agregar a los usuarios del dominio que van a poder provisionar ese template y agregar el template al grupo para que les aparezca por el portal cuando ingresen. Configurar la cuota en base a la cantidad de hardware que tenga.
3. End-User: Acceder al Self-Service Portal y provisionar una nueva máquina virtual.
4. ITPro: Correr el reporte desde SCOM “Virtual Machine Allocation” para ver cuando hardware le fue alocado a cada centro de costos.

Por último, estas son las referencias que agregamos al final de la presentación para continuar profundizando,

• Microsoft Online Services http://www.microsoft.com/online/business-productivity.mspx
• Provisionamiento Dinámico http://technet.microsoft.com/en-us/magazine/2009.09.dynamicprovisioning.aspx
• Archivo de respuestas de ejemplo http://blogs.technet.com/chrad/archive/2009/06/30/scvmm-sample-unattend-xml-for-windows-server-2008-r2.aspx
• Manejando la Biblioteca de VMM http://blogs.technet.com/chrad/archive/2009/06/26/virtual-machine-manager-library-this-ain-t-got-no-card-catalog-and-you-are-the-crazy-librarian.aspx

I wanted to begin using VMM allocation reports properly and I needed to update every Virtual Machine “Cost Center” attribute. We currently have more than 120 VMs on our Lab so I decided to write a powershell script to automate this task. The “Cost Center” y a so called Custom Property of the Virtual Machine object that you can access though the CustomProperties array $_.CustomProperties[0]

The script is simply and goes to the point,

#Connect to SCVMM remotely.

add-pssnapin Microsoft.SystemCenter.VirtualMachineManager

$scvmm = get-vmmserver TN-VMM1

#Get every VM

$vms = Get-VM -VMMServer TN-VMM1

#Set the cost center

$vms | ForEach-Object {$_.CustomProperties[0]=’Produccion’}

#Show a couple off VMs custom properties.

$vms | select Name, Status, @{Name=’CostCenter’;Expression={$_.CustomProperties[0]}}, @{Name=’LastUpdated’;Expression={$_.CustomProperties[1]}}

Próximo Martes 18 de Mayo a las 18:30 Hs en Microsoft Argentina (Bouchard 710 4to Piso) vamos a ahondar junto con el IT-Monster Leandro Amore en el estado del arte de las nubes haciendo un trabajo fino sobre nubes privadas.

Registrense aca! https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032450458&culture=es-AR

Tenemos planeada una conferencia de ~2Horas tocando los siguientes temas:

1. Intro: El estado del arte de las nubes, donde estamos parados: PaaS, IaaS y SaaS.
2. Demo Nubes Privadas: Hardware preparado para la nube y con un tremendo escenario tuneando System Center Virtual Machine Manager sobre HyperV para que nos haga de nube privada como dios manda.
   
3. Demo Nubes Públicas: Recorremos la oferta actual de Microsoft Online Services (Forefront, Sharepoint, Communicator) y Windows Azure.
   

Esto es lo que tenemos por ahora, puede cambiar todavía tenemos una semana para seguir preparando los ambientes.

Nos vemos!

Exchange deployment is not necessary to take profit of Sharepoint email capabilities. Transform a email to a given address into an item on a list is a powerful feature to empower your Information worker collaboration capabilities.

Incoming and outcoming email configuration It is finally working on my Sharepoint Server. Now you can configure your Email enabled list going to the “List Settings” configuration > Communications tab. You will be able to map any mail following the pattern mylist@mydomain.com to your Sharepoint list.

Configuration Steps

1. Configure an IIS SMTP Server on the Sharepoint Server as an open relay server.
   
   1. For Windows Server 2008 R2, add the SMTP feature,
      
      
   2. Open your IIS 6.0 manager (make sure you installed the service as part of the Web Server Role).
      
   3. Configure the default SMTP Virtual Server #1 as desired, nothing special here.
      
   4. Add your domain as an alias domain and this is it.
      
2. Point MX records for the zone mydomain.com to the SMTP server.
   
3. Create an OU on AD dedicated to Sharepoint contacts and delegate permissions to the Sharepoint computer account on the OU. We used the NETWORK_SERVICE account because the Central Admin Website is running under the Network Service account.
   
   1. Read the sections “To delegate Create all Child Objects and Delete all Child Objects control of the OU to the application pool identity account for Central Administration” and “To add Delete Subtree permissions for the application pool identity account for Central Administration” on http://technet.microsoft.com/en-us/library/cc287879(office.14).aspx
      
      
4. (Weird :S) Extend the AD schema with Exchange 2003 forestprep. Sharepoint is able to work without exchange, however for AD integration the schema has to be prepared.
   
5. Configure the Inbound and Outbound Email settings on the “System Settings” section of the Sharepoint Central Admin.
   
6. Create a discussion list, then configure settings for this discussion list.
   
7. Sent email to test@mydomain.com and watch how the item is created.

Resources

- MX Test: http://www.mxtoolbox.com/SuperTool.aspx?action=mx:swfwd.com
- Sharepoint 2010 : http://technet.microsoft.com/en-us/library/cc287879(office.14).aspx

Hola a todos, quiero recordarles que este 21 de Abril será el evento virtual de lanzamiento de 11 importantes productos y donde muchos MVPs estaran como speakers y como expertos para resolver tus dudas.

Summary

Cloud computing, Infrastructure and Platform as a Service is becoming a key business enabler for the CIO of any mid-sized company. Why are hosted services a key enabler for small IT departments? Easy, inherent complexity in a growing business makes it very hard to keep a great level of service constantly while the months pass by.

Hosted solutions look like a charm when they are well implemented, and this is why I took a look at GFI Max MailProtection, because as a consultant I need know how these services are performing. I was very impressed by GFI Max MailProtection, I hope you enjoy this review and if you are looking for a hosted solution for your email sanitization you should definitely take a look at this great service from the people at GFI.

Review

As a technical leader and consultant I am in constant touch with my customers and need to stay current with management and security solutions. So, I gave GFI’s mail security hosted solution a try and found a very professional service run by these people, keep on reading to find out more!

Getting a Free Trial

Your journey begins with a free 30 day trial, this process was simpler than I thought, not much information is gathered in the two step form and you are not “invited” to enter your credit card information, this means that if you are simply curious as I am you will find that it is easy to get going with the service.

The terms and conditions proposed by GFI are fair enough knowing what other vendors offer, on the SERVICE LEVEL COMMITMENT AND EXCLUSIVE REMEDY section they state “if GFI determines that the GFI Systems were unavailable for twenty or more consecutive minutes during a calendar month, GFI, upon Customer’s request within five days of such event, will credit Customer’s account the pro-rated charges for one (1) day of the contracted GFI Service(s)” you may think twenty or more minutes worth more than 1 day of contracted service, however it is comparable to the Google Apps Premier conditions or Amazon Web Services to name a few mission critical hosted services. I am used to this kind of agreement and I learned that you need to use the service to see how it works when you need to move a mid-sized business forward and you do not have a legal department to back you up on a possible legal prosecution.

Then, the CONFIDENTIAL INFORMATION section states “IT IS UNDERSTOOD THAT IN ALL CASES, CLIENT’S EMAIL SHALL BE DEEMED AS CONFIDENTIAL INFORMATION” however they NEED to access the information to guarantee sanitization, that’s a fact; you cannot cure what you cannot touch. From my perspective there is a good understanding of the intellectual property as an asset and they take care of making it explicit on this agreement.

After a few seconds my free trial was provisioned and I got my login information on my inbox. Sweet!

Initial Configuration

Well, it took me 5 minutes to go through the basic initial 4-step configuration:

1. Set up a DOMAIN in the control panel.
2. Set up the USERS (email addresses) for the domain.
3. Configure INBOUND FILTERING.
4. Change the DNS “MX” records for your domain

Setting up my domain I found a great multi-tenancy approach to ease the administration of multiple companies. Every action you take is in the context of an organization,

Creating users is easy, your end-users will need to access the GFI console to see how their SPAM is been handled for example.

Configuring Inbound filtering has a handy slider-like control for your aggressive posture, the default configuration is highly aggressive which sounds good to me.

If you like Grey-listing (which is not my case) you have the chance to train your tool to challenge your unknown sender email server, although you must be willing to accept delays on your email delivery which may not be acceptable for your CXO end-users.

Finally, I changed my MX records to point to the GFI servers. It took a couple of hours for my email to begin flowing though GFI MAX MailProtection[GBO1] .

I had nothing to do next, so, in the meantime, I took a couple of minutes to take a look at the reporting capabilities and I found a neat report which enables serious threat analysis to support most of any security process needs. Summarized by days you will begin having numbers and knowing your users taxonomy, for example which sector has the worst received/infected ratio to take preventive actions.

Conclusion

I had extensive use of other hosted email sanitization services like Postini. GFI did a great job in the ease of use aspect making the life of the IT professional a bit easier allowing him to manage more volume more effectively. They also provide a great experience for the end-user making it more tangible as to why email sanitization is necessary showing how many SPAM messages were filtered, every security professional agrees this: “End user training is key for the security of the enterprise” so, end-users need to be aware and services like this which are hard to maintain on a mid-sized business with an IT area of 4 guys help to move towards this vision.

I have found many post in the web about how easy is to develop and debug custom Visual Webpart, here are a couple of great references

• http://blogs.msdn.com/bethmassi/archive/2010/01/28/creating-a-sharepoint-visual-web-part-using-visual-studio-2010.aspx
• http://www.helloitsliam.com/archive/2009/10/20/sharepoint-2010-–-create-a-visual-web-part.aspx
• http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32

The problem is that there is not much talking about how to deploy the packaged Webpart on a different server. I run into this issue following the last post mentioned above because I am trying to deploy a custom Webpart to analyze the Claims inside a Token in a Claims based Authentication Sharepoint Web Application.

I finally came across this post (http://dotnet.sys-con.com/node/1208275) which details the deployment process as follows and is a recommended reading BWT. I am considering that you have a .WSP Webpart packaged by Visual Studio 2010 Beta.

1. Add-SPSolution c:\code\SharePointProject2\bin\debug\SharePointProject2.wsp
2. Install-SPSolution –Identity SharePointProject2.wsp –WebApplication http://sp2010 -GACDeployment

I will complement that post adding the final steps you should run to actually be able to see that webpart on your web application!

When adding a web part while editing a sharepoint page you might find that not all available webparts are show. This might happen if your Site Collection has not enabled all features and is also necessary for activating custom webparts. You should do the following as a Site Collection administrator,

1. Site Actions
2. Site Settings
3. Manage Site Features
4. Site Collection Features

Hope this helps!

Well, I spent a couple of days working with the Sharepoint 2010 Beta and have a couple of IMPORTANT Operational Tips to keep in mind when managing the Beta at least. I have an on-premise deployment (pre-production) and a cloud deployment on Amazon EC2 (production) and in both places I run into issues by limiting the log files growth.

We expect to see this monitored on the SCOM Management Pack when the product hits RTM.

Lessons Learned

1. Watch out the Log files on File System: By default on “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS” On Sharepoint generated 147Gb of log files in two weeks! Yes, 147Gb, this is kindly we fixed by the RTM release. But you should configure Central Administration > Diagnostic Logging to limit the space available for log files. I configured 1Gb for our Cloud deployment.
2. Watch out the WSS_Logging Database: When you do a Single Server installation using SQL Express 2008 to host Sharepoint DBs, you must watch out for the growth of the DB named “WSS_Logging” which usually resides on “C:\Program Files\Microsoft Office Servers\14.0\Data\MSSQL10.SHAREPOINT\MSSQL\DATA”. I had one instance which reached 4Gb and put my SQLExpress instance to the limit (Here is someone who run into the same issue). That DB cannot be truncated as it is not supported right now and it takes care of analytics of the web traffic. You can disable the Health and Data Collection gathering from Monitoring > Reporting > Configure usage and health data collection, however web analytics is very neat to be left apart.
   I was not able to find a procedure to migrate that DB to another server, so I had to disable the feature.

Key Takeaways

1. Limit your log files usage.
2. Deploy on server-farm mode to move the WSS_Logging db to another db server.

We had a great show this Tuesday, the first session after the keynote was about Windows Server 2008 R2 and we had lot of stuff to show and to share with the audience, you can get the presentation here,

I promise I was going to drop the powershell scripts here, and here they are,

Remote Powershell and Best Practices Analyzer Example

TechNET Migration Portal CMDLets

TechNET did a great work to ease migration experience to Windows 2008 R2, go and take a look to the TechNET Migration Portal. During the demostration we migrated a File Server role from a Windows 2008 server to a Windows 2008 R2 server.

1. #En ambos servers
   
   Add-PSSnapin Microsoft.Windows.ServerManager.Migration
2. #Primero: Desde server origen
   
   Receive-SmigServerData
3. #2do: Desde Server destino
   
   Send-SmigServerData -ComputerName <DestinationServer> -SourcePath d:\users -DestinationPath d:\shares\users -Recurse -Include All -Force

Active Directory Recycle Bin

The credits for the “Enable AD Recycle Bin” part are for  Leandro Amore, I took the script from his blog, I know he wont be mad about it :).

1. #Enable AD recycle bin
   
   import-module activedirectory

   $forest=Get-ADForest -Current loggedonuser

   Set-ADForestMode -Identity $forest.name -ForestMode ‘windows2008r2forest’ -confirm:$false

   Enable-ADOptionalFeature -Identity ‘Recycle Bin Feature’ -Scope forest -Target $forest.name -confirm:$false

   Get-ADOptionalFeature -filter ‘name -eq "Recycle Bin Feature"’

2. #Mostrar computadoras en el recycle bin
   
   Get-ADObject -filter ‘isdeleted -eq $true -and name -ne "Deleted Objects"’ -includeDeletedObjects -property * | Select samAccountName,displayName,lastKnownParent | Out-GridView
3. #Restore de computadora una ves ubicada
   
   Get-ADObject -filter ’samAccountName -eq "TN-SCO1$"’ -includeDeletedObjects | Restore-ADObject

Active Directory Managed Accounts

Finally, we configured a service to run under the identity of a Managed Service account a cool new feature of AD DS on Windows Server 2008 R2.

1. #registrar MSA
   
   Import-Module ActiveDirectory

   New-ADServiceAccount -Name wwwTN-SCO1 -Enabled $true

   Add-ADComputerServiceAccount -Identity TN-SCO1 -ServiceAccount wwwTN-SCO1

2. #instalar MSA
   
   Install-ADServiceAccount -Identity wwwTN-SCO1

Hope you enjoy it!

Esto va en castellano en honor a mi lengua nativa, quisiera compartir con ustedes una camino para IT Pros para meterse en el mundo de los STSs e Identidad Federada de la mano de Windows Identity Foundation (ADFS v2.0). Al momento ya desplegué varios laboratorios y 2 ambientes de pre-producción de Geneva Server Beta 2 y es momento de recapitular un poco de donde salieron las cosas,

Para llegar a primera base y tener los conceptos básicos, les recomiendo leer un artículo que me hizo entender que habáía atrás de todo el tema de identidad y STS, es parte de la entrega 16 del Architecture Journal dedicada a identidad, el artá­culo es Claims and Identity: On-Premise and Cloud Solutions de Vittorio Bertocci. A modo de introducción también pueden rememorar la charla que dio Matias Woloski en Microsoft este año Microsoft Architecture Day: Roadmap to Identity.

Con la visión, Tokens, Claims y STSs en el bolsillo, vamos en concreto a la implementación de Microsoft que es ADFS v2 (aka Geneva Server). La mejor documentación técnica al momento se ve en el Site de ADFS v2 dentro de TechNET. Geneva Server está documentado alineado con dos casos de uso, “Web SSO Design” y “Federated Web SSO Design” si bien el segundo es el mas rico por atacar el tema de federación es importante que se entiendan ambos. Luego de comprendido el tema de Federation Server, saltamos al tema deProxy Server que utilizamos para acomodarnos a DMZs, al leer estas secciones presten especial atención al tema DNS.

Es importante manejar el tema de certificados (Sobre todo si usan publicaciones con proxy reverso de ISA Server). Hay certificados en cada Federation Server y en cada Proxy Server para garantizar autenticación segura con tokens. Finalmente, esto tiene que ver con la capa de STS exclusivamente. Recordemos que debajo de esta capa seguramente tengamos una granja NLB de Windows 2008 R2 que es un tema aparte.

Espero sea de ayuda y quisiera en futuros posts profundizar en detalles de implementación que han surjido en la práctica,