Paul's Digital Lounge and Cigar Bar

Virtual Server 2005 R2 Service Pack 1 Beta 1 Is Now Available!

A beta of Virtual Server 2005 R2 service pack 1 is available today for download. Virtual Server 2005 R2 service pack 1 will support the hardware virtualization capabilities developed by AMD and Intel. By supporting both AMD Virtualization and Intel Virtualization Technology, customers will be provided better interoperability, strengthened isolation to prevent corruption of one virtual machine from affecting others on the same system, and improved performance for non-Windows guest operating systems. The beta of Virtual Server 2005 R2 service pack 1 is available at www.microsoft.com/virtualserver.

Microsoft will have two betas of Virtual Server 2005 R2 SP1. Beta 2 is scheduled for calendar Q4, with general availability in Q1 2007.

Beta 1 of Virtual Server 2005 R2 service pack 1 includes:

- Intel Virtualization Technology compatibility
- Host Clustering technical white paper and the VB script

Beta 2 is planned to include the features of Beta 1 plus:

- AMD Virtualization Technology compatibility
- Active Directory integration and management features
- Volume Shadow Service

The Beta 1 download is available via Microsoft Connect. Select the Virtual Server 2005 R2 SP1 Beta program from the list of available programs that appear here:
https://connect.microsoft.com/availableprograms.aspx.

Interesting RMS Issue

So I'm working on an RMS deployment for a customer and we ran into a weird issue that up until now I'd never seen before so I thought that I'd share the problem and what we finally discovered to be the cause of the problem.
Problem Description
If a user, let's call her Alice since RMS is a cryptographic application, created a piece of protected content using the built-in Office protection methods (IOW not using a custom template) and assigned another user, say Bob, a specific set of limited rights on the content, when Bob opened the content, rather than having the limited rights assigned appeared to have full control of the content. Now if Bob were to create a piece of protected content, and assigned limited rights to Carol, when Carol opened the protected content, she had the correct rights assigned. Similarly, if Carol assigned rights on content to Bob, everything worked as expected. If Bob or Carol assigned rights on content to Alice, Alice had the correct rights when opening the content. So the problem only occurred when Alice was protecting content. Finally, if Alice protected content using a custom template, everything worked as expected.
Examining the EULs issued to Bob or Carol showed that regardless of the protections assigned by Alice, Bob and Carol had the OWNER right, which is similar to NTFS full control, in the EUL.
Cause and Resolution
After opening a case with Microsoft's CSS we discovered what was causing this problem. The customer uses the email attribute of security groups to list the email address of the owner of each group. They do this so that they have a point of contact for adding user accounts to the group in question. This was the cause of the problem we were seeing. It turned out that Alice was the owner of a group that contained Bob and Carol and because of the practice of adding the group owner's email address to the email attribute of the group anyone who was a member of that group was being granted OWNER rights to the content. Removing Alice's email address from the email attribute of the group, and flushing RMS' group cache resolved this problem.

The other side effect of this issue is that any member of a group that contained Alice's email address in the email attribute would have OWNER rights on the content, even if they had not been specifically assigned rights on the content.

The reason that this behaviour did not appear when using custom templates is that the templates used the special RMS group Anyone which obviously doesn't have an email attribute.

The customer in question is going to fix up the security groups that affect their pilot deployment, however, this behaviour may well prevent them from pursuing a broader deployment of RMS.

Hope this helps.

Want the Performance Improvements in Virtual Server 2005 R2 But Still Want to Use Virtual PC 2004?

In addition to some new features (host based clustering using iSCSI, x64 support, etc.) VS 2005 R2 also includes some fairly significant performance improvements. What if you're running, and want to keep on using VPC 2004 but you'd still like to have the performance improvements that VS 2005 R2 provides? Now that VS 2005 R2 is free, there is a simple solution to this problem. If you install VS 2005 R2 on a system that already has VPC 2004 installed, a number of components that are shared between the two products will be installed and will then be available to VPC 2004. These shared components contain most of the performance improvements in VS 2005 R2 and as such will be available to VPC 2004 after installing VS 2005 R2. Note that if you don't plan on using VS 2005 R2 you don't need to have IIS installed before installing VS 2005 R2. Also note that you won't get any of the new features as these are all VS specific, however, you will get the benefit of the performance improvements.
This will also allow you to take advantage of the latest version of the Virtual Machine Additions which ship with VS 2005 R2. To use the new Additions you can either manually mount the ISO from Program Files\Microsoft Virtual Server\Virtual Machine Additions in a VPC guest or, if you want to be able to install the updated Additions using the Action menu item in VPC, copy the VMAdditions.iso file from that folder to the Program Files\Microsoft Virtual PC\Virtual Machine Additions folder, replacing the existing Additions ISO.

Microsoft Executive Circle Webcast: Security360 with Mike Nash: Building a Secure, Connected Infrastructure with Digital Certificates

Brian Komar, my business partner, is Mike Nash's guest on today's Microsoft Executive Circle Webcast. Should be a good one!

IdentIT Inc. Finally Has A Decent Web Site

Brian and I decided that it was finally time for IdentIT Inc. to have a proper web site so I built and published one. The URL is http://www.identit.ca.

I'm Back!

So after an extended absence, that I'm sure most folks have not even noticed, I've decided to try to keep my blog up to date. There, didn't that make your day?

VSDM Installation Instructions

Sorry for the delay on getting this posted! Without any further ado, let's look at how to install VSDM.
The first step is to download and execute the installer. You can download VSDM by clicking here if you've not already done so. The requirements for VSDM are as follows:

Supported Operating Systems: Windows 2000, Windows Server 2003, Windows XP
Microsoft Virtual Server 2005
.NET Framework 1.1
Internet Information Services (IIS), with ASP.NET (note that the VSDM installer will add ASP.NET and/or enable the ASP.NET extensions if necessary)
Client side requires: Internet Explorer (6.0 or greater)

To get started with the install, run the file you downloaded.

Due to the fact that this entry contains a lot of screen shots, I'm using MT's Extended Entry capability so you'll need to click the link below to view the remainder of this entry. Please feel free to leave a comment with any questions you might have. If you've tried to leave comments before and were turned off by the fact that they required an email address, please try again as I've disabled that requirement.

]]> Running the downloaded installer for VSDM opens the first of three wizards that allow you to control the installation process.

On the Welcome to the Virtual Server Deployment Manager 1.3.0 (VSDM) Setup Wizard page, click Next.

On the License Agreement page, click I agree, and then click Next.

On the Select Installation Folder page, select an appropriate folder for VSDM, and then click Next.

On the Confirm Installation page, click Next.

The VSDM installation begins. When the installation is complete, the second of the three wizards, the VSDM IIS Configuration Wizard is launched.

In the VSDM IIS Configuration Wizard, on the Step 1: Please locate your Virtual Server Installation page, confirm that the information is correct, and then click Next.

On the Step 2: Enable ASP.NET Runtime Engine 1.1 page, click Next.

Note: There will not be anything for you to select on this page. If you don't have ASP.NET installed, the installer will add it and enable the ASP.NET extension automatically. If you have ASP.NET installed, but don't have the extension enabled, the installer will enable it. If you have ASP.NET installed and have the extension enabled, the installer will report this.

On the Step 3: Please select your IIS installation method page, select the appropriate option to either install VSDM as a new web site, or to install it as a virtual folder (or virtual directory) in an existing web site, and then click Next.

Note: The next page will present one of two options, depending on which option you chose in Step 3.

If you chose to install VSDM as a new web site, on the Step 4: Please select your configuration page, in the Name box, enter a name for your web site. In the Port box, enter an unused port for the new web site, and then click Next.

If you chose to install VSDM as a virtual directory in an existing web site, on the Step 4: Please select your configuration page, in the Host Web Site list, select an existing web site, in the Folder box, type the name for the new virtual directory, and then click Next.

On the Step 5: Choose authentication method page, click Next.

Note: There really is nothing to configure here. If you attempt to clear the Integrated Windows authentication check box, a message will appear informing you that you must select at least one authentication method. If you want to change the authentication methods for the VSDM web site, you'll need to do so after the installation is complete by using the Internet Information Services (IIS) Manager.

On the Step 6: Virtual Server Options page leave the Create reference to the Virtual Server Web Admin and Create Virtual Server folder in website root options enabled. This will create a link to the Virtual Server Administration Web site from within the VSDM web site. I've found a bug relating to this option which I'll describe later. For now, it is important that you leave these options enabled. You also have the option to create the VSDM security groups at this time.

On the Step 7: VSDM Client Support page, click Next. I'm not entirely sure what this option is for, but as the page says, it is under development and is not currently available.

On the Review your settings page, verify that all of the settings are correct, and then click Finish.

The VSDM IIS configuration is now complete and the VSDM Configuration Wizard is launched. This wizard builds the XML file that VSDM uses for its configuration information.

In the VSDM Configuration Wizard, on the Welcome page, click Next.

On the Introduction page, click Next.

On the Step 1: Installation Information page fill in the options as follows:

Title: This will appear in the top panel of the VSDM Web site.

Display: If this is enabled, the Title wil be displayed in the top panel of the VSDM web site.

Show Server: If this is enabled, the FQDN of the VSDM server will be displayed in the top panel of the VSDM web site.

URL: This is supposed to create a hyperlink for the Title value. Note: This is where I think I've identified the bug that I mentioned earlier. It would appear that the wizard actually writes this value to the wrong location in the XML file. Rather that doing what it is supposed and creating a hyperlink for the Title value, this value gets written to the XML file where the value for the Virtual Server Administration web site is supposed to be written. I've reported this to Nelson, but have not heard back from him as of yet. For now, I'd recommend that you either leave this value blank, or if you must fill it out, use the URL for your VS Administration web site, i.e. http://hostname:1024/VirtualServer. No matter what you do here, the Title value will not have a hyperlink behind it. To get a hyperlink you'll need to manually edit the XML file after the installation is complete.

Install Path: The location of the Virtual Server installation.

Images: I haven't been able to figure out what Images are as of yet. Any ideas?

Templates: Templates are existing VHD files that you make available to your users. They can use these VHD files to create their own virtual machines.

ISO: ISO files that your users can attach to their virtual machines.

Configs: Where the user created virtual machines are stored.

Runtime: Another option I haven't managed to figure out yet.

On the Step 2: Security/Administrators page, delete the 2 sample rows, and then add your VSDM Administrators using the following parameters:

Primary: This indicates the primary Administrator contact for the VSDM web site. Selecting this checkbox will cause (primary) to appear beside the administrator's link on the web site.

Contact: Selecting this option causes the administrator to be listed on the VSDM web site.

Display Name: The name of the administrator as it should appear on the VSDM web site.

Email: The email address of the administrator. This will appear beside the administrator's name on the web site and will create a mailto: hyperlink.

Domain: The domain containing the administrator's account.

User: The administrator's account name.

On the Step 3: Security/Users page, add any users and/groups that should be able to create new virtual machines or to manage existing machines that they own or have been granted permissions for, and then click Next.

Note: There seems to be another bug here that I hit consistently and that I've seen reported at least once in the public news groups. As soon as I click in the Display Name column below Users(Domain/Users) the installer throws an exception (see below). I can click Continue and, well, continue.

On the Step 4: Security/Guests page, add the users and/or groups that should be able to see or operate virtual machines for which they have been assigned permissions, and then click Next. Guests can only see and operate virtual machines. They cannot create or configure them.

On the Step 5: Security/Teams page, add the users and/or groups that should be able to create new virtual machines or to manage existing machines that they own or have been granted permissions for, and then click Next.

On the Step 6: Templates page, add the existing VHD files which you want to make available to your users as templates for new virtual machines. Use the following parameters, and then click Next:

Disabled: If selected prevents the template from being used to create new virtual machines.

ID: ID number assigned to the template.

Name: The name for the template as displayed on the VSDM web site.

Image Path: The absolute path to the folder containing the VHD.

Image Name: The file name, minus the .VHD extension of the VHD.

Description: A brief description of the template. This appears along with the Name on the VSDM web page.

On the Step 7: CD/DVD ISO Images page, add the existing ISO file which you want to make available to your users. ISO files listed here will be available to users to attach to the virtual machines they create. Use the following parameters, and then click Next:

Disabled: If selected prevents the ISO from being attached to virtual machines.

ID: ID number assigned to the ISO.

Name: The name for the ISO as displayed on the VSDM web site.

Image Path: The absolute path to the folder containing the ISO.

Image Name: The file name, minus the .ISO extension of the ISO.

Description: A brief description of the ISO. This appears along with the Name on the VSDM web page.

On the Save Changes page, click Finish.

On the Installation Complete page, click Close. The installation of VSDM is now complete.

Note: If you want to make any changes to either the VSDM IIS configuration, or to the VSDM XML configuration after the installation is complete, you can rerun either of the configuration wizards from the VSDM - Virtual Server Deployment Manager menu You can also edit the XML configuration file directly by using an XML editor (or even Notepad).

To start using VSDM, open a browser and then open either the VSDM web site, or the VSDM virtual directory, depending on which option you chose during the installation. Stay tuned for documentation on how to use VSDM.

Questions or comments? Please leave a comment!

Microsoft Windows Rights Management Services (RMS) with Service Pack 1 (SP1) Released

RMS SP1 has been released and is available for download from here. SP1 introduces some significant changes for RMS and if you're working on a deployment of RMS, or if you've already deployed it, you really should start evaluating and working with SP1 right now. The product team has done a great job at making the deployment of SP1 pretty painless and because of their efforts it is entirely feasible to stage the SP1 deployment as you see fit. SP1 and RTM can peacefully coexist.
I'll talk some more about the changes in SP1 in the near future, but for now here are the top 10 reasons (from Microsoft) to download and install SP1 now:

No longer requires an Internet connection for deployment; RMS SP1 runs in air-gap networks?in other words, networks with no Internet connection.

Enables third parties to integrate RMS information protection into server-based applications?such as records and document management, e-mail gateways, and e-mail archival systems?for comprehensive information security platform.

Smart card integration for an additional layer of security.

Compliance with Federal Information Processing Standards (FIPS).

Eases deployment rollout with familiar Microsoft technologies?for example, Microsoft Systems Management Server (SMS).

Dynamic role-based security enables RMS policies to be applied based on dynamic groups and defined by queries of Microsoft Active Directory for certain attributes.

Supports Virtual PC for cross-platform support.

Streamlined authentication process for RPC over HTTP provides better end-user experience.

Support for phased deployment of RMS SP1 in v1 environments.

Enhanced tools and guidance with RMS SP1 Toolkit.

Virtual Server Deployment Manager 1.3.0 (VSDM)

Microsoft has released a new tool, the Virtual Server Deployment Manager (VSDM) that can help those of you who use Virtual Server 2005 in shared development and testing environments.
One of the really cool things about this tool is that it allows normal non-administrative users to manage their own virtual machines.
You should think of VSDM as a resource kit tool in that it is offered for use without any official support. However, I am working with the developer of the tool (install the tool and you'll see who the developer is ) and will be posting some unofficial documentation to my blog. I hope to have it all done today, however, that may not happen. At a minimum I'll be documenting the installation process today (though if the developer isn't working on a Sunday, there may well be a small gap or two).
VSDM can be downloaded by clicking here.

You can find the home page for VSDM by clicking here.

Finally, John Howard, an IT Evangelist with Microsoft UK, and Megan Davis, a technical writer on the Windows Server User Assistance team will more than likely be blogging about this tool as well. Even if they aren't their blogs are both definitely worth checking out.

Stay tuned for documentation.

New Virtual Server e-Learning Course

Microsoft Learning has released an eLearning course on Virtual Server:
Title: Course 2288: Using Microsoft® Virtual Server 2005
Course Type: Self-paced Course
Available Offline: Yes
Estimated Time of Completion: 5 Hours
Description:
This course prepares students to migrate legacy applications and consolidate server functions by using Microsoft Virtual Server 2005.
Objectives:
At the end of the course, students will be able to:

Install and configure Virtual Server 2005.

Configure virtual machines on Virtual Server 2005.

Migrate applications and servers to virtual machines.

Visit https://www.microsoftelearning.com/eLearning/offerDetail.aspx?offerPriceId=62154 for more information.

Microsoft's Virtualization Support Policies Updated

Today Microsoft published three new Knowledgebase articles that are significant to those who are using, or are thinking about using virtualization technologies.
The first of these articles, Microsoft Virtual Server Support Policy (897613) lays out Microsoft's support policies for Windows Server System software running in Virtual server virtual machines. This article basically states that all Windows Server System software is supported in a Virtual Server environment with the exception of the software listed in the second of the three articles. In addition, this article points to several server consolidation Solution Accelerators (including the one that one of my TechEd sessions is based on).
The second article, Windows Server System software not supported within a Microsoft Virtual Server environment (897614) lists the Windows Server System software that is not currently supported in a Virtual Server environment. the list is surprisingly short, with only 5 items on the list, and one of those, Certificate Services, is actually supported given Windows Server SP1 .
The final article, Support policy for Microsoft software running in non-Microsoft hardware virtualization software (897615) supersedes articles 273508 and 320220 and updates and clarifies the support policy for virtual environments such as VMWare.

Virtual Server MOM Management Pack Released

The long anticipated MP for Virtual Server 2005 has finally been released and is available for download.
I'll be testing this MP over the next week or so and will share my results here when I get a chance.

Finally back up and running!

Some of you may have noticed that I haven't made any entries since April the 7th. Although I've been busy, that isn't why I haven't blogged for a while. It seems that my hosting provider made some changes to my server and these changes broke MovableType. My blog itself has been accessible, I just haven't been able to make any changes to it. Without going into the gory details this has been a very frustrating experience which fortunately seems to have been resolved.
So, I'm back!

Time Synch Between Guests and Hosts

A very common request in the public news groups is, "How can I disable the time synch between guests and the hosts OS? <insert any number of varied reasons why this needs to be disabled>. One of the big problems with the way time synch is implemented in both Virtual PC 2004 and Virtual Server 2005 is that it doesn't respect time zone differences between the guest and the host. What exactly do this mean? Well, say for example the your host is set to Eastern Standard time (UTC -5) and one or more of your guests are set to Pacific Standard time (UTC -8) and that the current time on the host is 11:00 AM EST. This means that the time in PST should be 8:00 AM PST (3 hours earlier). When the time is synched between the guest and the host, VS and VPC don't take into account the fact that the time zones require a delta of 3 hours and the time in the guest will be set to 11:00 AM, which means that it will be off by 3 hours. This can cause all kinds of problems, for example Kerberos authentication issues if both your guests and your host are in the same Active Directory domain. As I mentioned above, there are a number of other reasons why you may want to disable the time synch, this is just one example.
Disabling the time synch in Virtual Server 2005 is very easy. Simply open the VS Administration web site, edit the configuration of the virtual machine in question, on the Status page, click the Virtual Machine Additions link, and then clear the Host time synchronization check box. Note that the virtual machine needs to be completely shut down in order to make this change. If the guest is running, or is in a saved state, the check box will be disabled.
In Virtual PC 2004 disabling the time synch is more involved as there is nothing in the GUI that allows this change to be made. It is important to understand that time synch occurs in two different ways; any time you boot a guest it synchs time with the host, and periodically while the guest is running (if you have the additions installed) it also synchs time with the host. Completely disabling time synch in the guest requires two changes in VPC:

In the guest, you need to disable the Virtual Machines Additions Services Application service. This can be done through the Services console. Note that disabling this service does not impace the performance gains you receive when the additions are installed, nor does it affect the additional display capabilities provided by the additions. In all of my testing, the only impact this has is on the time synch. Of course, you should test this as YMMV.

Edit the .VMC file used by the guest

The .VMC files used by the guests are XML format files that contain configuration information specific to each guest. NOTE: I strongly suggest that you make a copy of your .VMC file before attempting to make any manual changes to it. Also, make sure that the guest is shutdown. You can use any text editor to make these changes.
You need to add some XML tags to this file, and it is important that they be added in the correct location. The new tabs need to be added to the integration/microsoft portion of the tree and it is important that you add the tags to the existing tree and that you do not create a new tree. Here are the steps to make this change:

Open the .VMC file in a text editor and search for <integration>.

The should be only one <integration> string in the file, and it should be immediately followed, on a new line, by <microsoft>.

Directly below the <microsoft> tag, add the following tags, each tag on a new line:

<components>
<host_time_synch>
<enabled type="boolean">false</enabled>
</host_time_synch>
</components>

Save the file and start your guest

Time synch between the guest and the host will now be disabled.
Note that this is obviously not the optimal solution. I'd like to see two things in future versions:

A GUI based method to disable time synch in VPC

Have the time synch process respect the time zone differences between the guests and the host. Ideally this would be a configurable option as I can anticipate some situations where this would be useful and some where it would not be desirable

One final caveat here. You may well find that disabling the time synch feature means that your guests loose time (after all, there is a reason that the time synch feature is in the products in the first place). You should thouroughly test the effect that disabling this feature has before deciding on whether or not it is the right way to go.
If you have any questions, please feel free to add a comment to this entry.

Microsoft Identity Management Server (MIIS) Sessions at TechEd

So it looks like I'm going to be rather busy at TechEd in Orlando this year (guess I can leave my golf clubs at home :-)). I just picked up my third session, this one on cross-platform password management with MIIS. The session number and title is SVR327: Cross-Platform Password Management with Microsoft Identity Integration Server 2003 (MIIS). Here is the abstract for the session:
With MIIS 2003 SP1, password management has become a first class citizen of the lifecycle management. In this session, we discuss how MIIS can be used to secure accounts from provisioning to de-provisioning, how passwords can be managed in any identity store, how to synchronize passwords changed by the user from his Windows desktop to any identity store managed by MIIS, and how users can manage passwords for systems that do not participate in password synchronization through a Web portal. In addition, get a preview of a new end user password self-service reset tool that we will ship in a future release of MIIS.

MIIS has a pretty big presence at TechEd this year as you can tell from the following list of sessions and hands-on labs that either cover MIIS directly, or at least mention MIIS in the abstract:

CSI200 (Strategic Briefing Session) Connected Systems: Applications of the Future (session)

CSI322 Identity Integration Using Host Integration Server and BizTalk Server (session)

SEC04 Using Microsoft Identity Integration Server to Synchronize User Identity Information and Credentials (lab)

SRV04 Microsoft's Identity Management Solution (session)

SRV05 Developing Management Agents with the Identity Integration Server 2003 Management Agent Software Development Kit (lab)

SVR210 Enforce Endpoint Health Policy with Network Access Protection (NAP) (session)

SVR215 Microsoft Identity Integration Server 2003: What's New in Microsoft Identity Integration Server 2003 SP1, Futures and Roadmap (session)

SVR220 Microsoft's Identity Management Strategy and Roadmap (session)

SVR304 Server Migration Chapter One: Novell Netware and NT 4 Migration Planning (session)

SVR317 Microsoft IT: Managing Identity Lifecycle, Consistency and Self-Healing with MIIS (session)

SVR318 Developing Solutions on the Microsoft Identity and Access Platform (Part 1) (session)

SVR322 Providing Web SSO and Identity Federation Solutions Using Active Directory Federation Services Windows Server 2003 R2 (session)

SVR323 Active Directory Federation Services Architecture Drilldown (session)

SVR324 Deploying Web SSO and Identity Federation Solutions Using Active Directory Federation Services: Scenarios and Strategies (session)

SVR325 Identity Lifecycle Management Using Microsoft Identity Integration Server 2003 (MIIS) (session)

SVR326 How to Build a Self-Service Application Using Microsoft Identity Integration Server 2003 (MIIS) (session)

SVR328 Microsoft Identity Integration Server 2003 Deployment Best Practices (session)

SVR400 Developing Solutions on the Microsoft Identity and Access Platform (Part 2) (session)

If you can't make a session, or if you have additional questions, feel free to drop by the cabana area.