By Jonathan Merrill on
2/3/2010 1:13 PM
via HyperVoria by Kenneth van Surksum on 2/1/10 It's no secret that in today's interconnected world, servers require extra security. Now Microsoft Hyper-V virtualization adds another layer of concern, since you are running a host operating system where multiple servers run virtually.
The attack surface is widened from many physical machines to a single one with multiple virtual machines (VMs). Not only do you need to follow your standards for those VMs as if they were standalone servers, but you also have to consider the hosts they are sitting on.
One can argue the virtues of security features between the various hypervisor implementations, but let's focus on what you should be doing when it comes to Hyper-V installations, specifically.  Go To: http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1380082,00.html
|
By Jonathan Merrill on
2/3/2010 1:12 PM
This article explains how to test that a directory server (typically a Domain Controller or AD LDS server) is configured properly for LDAP over SSL (LDAPS) connections. The tools described work with Windows-based systems (Windows XP and later). First, you will need the LDP.exe utility. LDP is a Lightweight Directory Access Protocol (LDAP) client that lets you perform operations (connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory, AD LDS or ADAM. LDP can be found in the following locations:
- For Windows 2000, the support tools are located on the Windows 2000 CD in the Support\Tools folder
- LDP.exe is installed by default in Windows Server 2008 and Windows Server 2008 R2 installations
To test LDAP over SSL connections, do the following: - Run the LDP utility (typically, click Start > Run > LDP)
- In the LDP menu, click Connection > Connect
- Enter the directory server name or IP address and the port (typically 636 for secure LDAP), check the SSL checkbox, then click OK.
- If the connection is successful, LDP prints the server's RootDSE attributes in the right-hand pane. Note that the connection string in the title of the LDP window indicates that the connection was made using SSL.
- If you get an error saying "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the PortQry tool to verify that the directory server is listening on the correct port: "portqry -n servername -e 636 -p tcp" checks that servername is listening on TCP endpoint (port) 636. Keep in mind that an open port only proves a listener exists; it says nothing about whether the TLS handshake will complete or the certificate will be accepted.
- The following LDP output indicates that the connection failed because the certificate presented in the SSL connection cannot be trusted. LDP reports 0x51 (LDAP_SERVER_DOWN) for any failed handshake; a certificate chain the client does not trust, and a subject/SAN that does not match the name you connected to, are the two most common causes:

    ld = ldap_sslinit("dc01", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: {empty}
    Error <0x51>: Fail to connect to dc01.

I found a cool utility on Novell's website that can be used to view the SSL certificate on a remote directory server. Download the View Directory Certificate utility and extract the files to a temporary folder. Then run ViewDirCert.exe, specify the directory server name or IP address, and click View Certificate. The certificate details are displayed in a new window. If the certificate was issued by a Certificate Authority (CA) that the host does not trust, or is a self-signed certificate that the host does not trust, a warning is shown.

You can configure the host to trust the certificate either by adding the issuing CA's certificate to the local machine's Trusted Root Certification Authorities store or, for a self-signed certificate, by importing that certificate itself into the same store. Be deliberate about the second option: anything placed in Trusted Root is trusted unconditionally on that machine, so the private key behind a self-signed directory certificate you trust this way must be as tightly controlled as a CA key. The cleaner fix is to issue the directory server a certificate from your enterprise CA that carries the Server Authentication EKU and the server's FQDN in the subject or SAN; domain members already trust that CA.
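The two checks above (look at the certificate, then see whether a secure bind actually works) can be scripted from the same elevated PowerShell session you would run LDP from. The script below is an added example for this article, not something from the original post or from Microsoft or Novell; the server name dc01.example.com is an assumption, and the certificate-inspection function deliberately accepts any certificate so it can report why validation would have failed, which is why it must never be reused in code that relies on the connection.

```powershell
# Added example, not from the original article: inspect the certificate a directory
# server presents on the LDAPS port, report why the local machine does or does not
# trust it, then attempt a real LDAPS bind the way LDP's SSL checkbox does.
# $Server and $Port are assumptions; point them at your DC or AD LDS instance.
param(
    [string]$Server = 'dc01.example.com',   # assumed hostname, replace with yours
    [int]$Port = 636
)

function Get-LdapsCertificateReport {
    param([string]$Server, [int]$Port = 636)

    $state = @{ Errors = $null; Chain = @() }
    # Record the chain-building result instead of letting .NET throw. Returning $true
    # only lets the handshake finish so the certificate can be read; this callback is
    # for diagnosis, not for production connections.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # The target name drives the hostname check; a mismatch between it and the
        # certificate's subject/SAN surfaces as RemoteCertificateNameMismatch.
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }
        $eku = $cert.Extensions | Where-Object {
               $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $serverAuth = $false
        if ($eku) {   # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU a DC certificate needs
            $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        }

        [pscustomobject]@{
            Server          = "$Server`:$Port"
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            SubjectAltNames = ($san -join '; ')
            ServerAuthEku   = $serverAuth
            PolicyErrors    = $state.Errors        # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch ...
            ChainStatus     = ($state.Chain -join '; ')
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param([string]$Server, [int]$Port = 636)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true   # equivalent of LDP's SSL checkbox
        $conn.SessionOptions.ProtocolVersion  = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()        # binds as the current user; here the chain really must validate
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # An untrusted or mismatched certificate comes back as error 81 (0x51, LDAP_SERVER_DOWN),
        # the same code LDP shows.
        Write-Warning ("Bind failed: {0} (LDAP error {1}, 0x{1:X})" -f $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    }
    finally { $conn.Dispose() }
}

Get-LdapsCertificateReport -Server $Server -Port $Port | Format-List
if (Test-LdapsBind -Server $Server -Port $Port) { "LDAPS bind to $Server`:$Port succeeded" }
```

Run it first against the DC's FQDN and then against its IP address: the second run shows RemoteCertificateNameMismatch when the certificate carries only the name, which is the case LDP folds into the generic 0x51. A PolicyErrors value of None together with a failed bind points at something other than the certificate (a reachable port but no TLS listener, or the account used for Negotiate).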
|
By Jonathan Merrill on
2/3/2010 1:09 PM
Sriram Krishnan works on the Windows Azure team at Microsoft. He recently published a post, Stuff I've learned at Microsoft, which gives great advice and commentary on things he learned in his five+ years at Microsoft. I highly recommend taking a few minutes to read it.
|
By Jonathan Merrill on
2/3/2010 1:06 PM
The new Exchange 2010 webcast series is live! Register to attend in-person via Live Meeting or download the recorded video or podcast. A full schedule of topics and presenters is below. Each webcast is 60 minutes in length. Looking for something shorter? We also have a new series of "How Do I" videos dedicated to Exchange 2010 that can be found in the Exchange TechCenter. Keep up to date with all new content releases by joining the Exchange Twitter feed. As a member of the Exchange community, you can interact with our team through blogs, forums, and now a Twitter feed. Get all the latest Exchange news direct from the product team!

Webcast Series

- TechNet Webcast: Introducing Exchange Server 2010
  Presented by: Rand Morimoto
  In a time when your organization requires its communication tools to be cost-effective and flexible, Microsoft Exchange Server 2010 enables you to achieve new levels of reliability and performance by delivering features that can simplify your administration, help protect your communications, and delight your users by meeting their demands for great business productivity. In this webcast we introduce you to Exchange Server 2010, as well as highlight and demonstrate key investments made in this latest release.

- TechNet Webcast: Discover the New OWA: Outlook Web App
  Presented by: Gary Danoys
  The new Outlook Web App provides the most robust Web experience for accessing your Microsoft Exchange Server. With OWA 2010 users will get even more ways to communicate from the Web. From the new OWA IM and SMS Sync features to the incredible changes to the conversation view, new communication types and presentation methods abound to make users more productive. New features like MailTips, side-by-side calendars, delegate access, delivery reports, and more are demonstrated. The new Exchange Control Panel (ECP) also greatly enhances end-user self-service features, meaning users can more easily manage their own issues. This webcast focuses on the new end-user functions available in OWA 2010, walks through the configuration of IM with Microsoft Office Communications Server 2007 R2, and helps IT pros troubleshoot common configuration errors in setting up OWA IM.

- TechNet Webcast: Upgrade and Coexistence with Exchange Server 2007 and 2003
  Presented by: Harold Wong
  Walk through the process for introducing Exchange 2010 servers into an Exchange 2003/2007 organization. Learn the prerequisites, the steps required, and the impact on client access for MAPI, Outlook Anywhere, OWA, ActiveSync, and POP/IMAP clients after the upgrade has occurred.

- TechNet Webcast: Information Protection and Control in Microsoft Exchange Server 2010
  Presented by: Michael Smith
  Worried about employees accidentally leaking valuable corporate e-mail? This webcast introduces new methods of information protection and control powered by Exchange Server 2010, including the new transport rule for moderation, dynamic signatures and application of rights management. A discussion of the use of Active Directory Rights Management Services in parallel with Exchange is included, as well as an introduction to how these new features can be applied to real-world messaging control scenarios.

- TechNet Webcast: Exchange Server 2010 High Availability
  Presented by: Devin L. Ganger
  Welcome to the future! The future of Exchange high availability, that is. In this webcast we reveal the changes and improvements to the built-in high availability platform in Exchange Server 2010. Exchange 2010 includes a unified solution for high availability and disaster recovery that is quick to deploy and easy to manage. Learn about all of the new features in Exchange 2010 that make it the most resilient, highly available version of Exchange ever.

- TechNet Webcast: Getting the Most out of Exchange Server 2010: Performance and Scalability
  Presented by: John Fullbright
  Selecting the right server hardware for an Exchange 2010 deployment becomes much easier when you know the product team's scalability and performance guidelines. This webcast provides a look at the product team's guidance for the processor and memory requirements of each server role in Exchange 2010. A number of key performance enhancements from this release are discussed, and you also learn how to use related tools like the Exchange Storage Calculator, Exchange Profile Analyzer, Loadgen, and Jetstress to take the guesswork out of server sizing.

- TechNet Webcast: Deploying and Managing Microsoft Exchange Server 2010 Transport Servers
  Presented by: David Elfassy
  The transport server role in Exchange 2010 provides some exciting new management functionality to make mail flow issues easier to monitor and diagnose. This webcast shows you how you can best leverage this functionality, including Direct Deliver, Shadow Redundancy, and transport SLA measurement and reporting. Learn how to plan for the most efficient transition, whether you're moving from Exchange 2003 or 2007.

- TechNet Webcast: Addressing E-mail Archiving and Retention
  Presented by: Kamal Janardhan
  As e-mail volume continues to grow, we recognize your users' desire for an infinite inbox and the IT admin's goal to be able to preserve and discover these mailboxes in a cost-effective manner. To help address these needs, Exchange Server 2010 introduces integrated archiving along with message retention and multi-mailbox discovery capabilities. This webcast offers a technical deep dive and some demonstrations of the user and IT pro archiving experience in Outlook and Outlook Web App, as well as the Exchange Management Console and PowerShell. The session also highlights the message retention capabilities through Move and Delete Policies in Outlook, OWA and PowerShell, Hold Policy to preserve data for recovery in legal or accidental deletion scenarios, and e-Discovery with multi-mailbox search in the Exchange Control Panel.

- TechNet Webcast: Exchange Server 2010 Management and Operations
  Presented by: Oliver Moazzezi
  Exchange Server 2010 includes new capabilities that make the operation of your Exchange environment more efficient. Learn how we've made the Exchange Management Console more powerful, extended the reach of PowerShell, made it easier to delegate management tasks, and built Web-based tools to make the job of managing Exchange easier than ever.

- TechNet Webcast: Calendar Sharing and Federation in Microsoft Exchange Server 2010
  Presented by: Joel Stidley
  Federation is a key part of the architecture of Microsoft Exchange Server 2010, powering new organization-to-organization sharing scenarios. Attend this webcast to learn how to implement free/busy and full calendar sharing with your business partners using Exchange Server 2010.

How Do I videos

-Erin Briney
|
By Jonathan Merrill on
2/3/2010 1:05 PM
Note: This article is written for "modern" versions of the Windows operating system, that is, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7. For older versions of Windows the concepts still apply, but some of the command line parameters for w32tm have changed.

Windows, especially in an Active Directory environment, requires "good" time. For this discussion, having "good" time means that all members of a domain are capable of synchronizing their clocks to a domain controller. Domain controllers synchronize their clocks with the domain controller that holds the PDCe (Primary Domain Controller emulator) role in their Active Directory domain. The PDCe of a child domain synchronizes with a domain controller in its parent domain, so the chain ends at the PDCe of the forest root domain, which is the one computer in the forest that needs an external time source.

When Windows does not have good time, log file entries, event logs and database transaction logs all carry incorrect timestamps, which also makes correlating events across machines during an investigation unreliable. When the time on a computer drifts too far from that of a domain controller (more than five minutes either way, the Kerberos MaxClockSkew default), the computer is no longer able to acquire Kerberos tickets: the computer and its users cannot log on to the Active Directory domain, nor access any resources on the Active Directory network. This can happen to user workstations and to servers. Obviously, a server may affect more users than a single workstation, but that doesn't mean you should pay any less attention to your user workstations.

The "Windows Time" service (w32time) is responsible for keeping a computer's clock synchronized. It is controlled and configured on each computer with the command line tool w32tm. Modifying any parameters for the Windows Time service requires local administrator permissions (and, if UAC is enabled on the computer, an elevated command prompt or PowerShell session).
Determining whether a computer can synchronize its clock is easy to test (this is irrespective of whether the correct time source is configured; it only shows that the computer can synchronize to the configured time source). Open an elevated command prompt or PowerShell session, and then enter:

    w32tm /resync

Does it work? If so, this computer can synchronize its clock with its configured time source. If the clock on the computer is nevertheless off ("skewed" is the usual term for this situation), further analysis is required. If the clock is off by a whole number of hours, you should probably be looking at the time zone configured on the computer, not at the time synchronization sources. If there are other computers whose time is skewed, enter the same command on them; it should work there too. If the resync commands work but the computers are getting the wrong time, you need to begin analyzing the configuration of the Windows Time service. From your command prompt or PowerShell session, enter:

    w32tm /query /source

This tells you where the particular computer is getting its time. The possible responses include:

- Local CMOS Clock: the computer is using its own hardware (real-time) clock as the time source. On a VMware guest with VMware Tools time synchronization enabled, that hardware clock is being steered by the VMware host, so in effect the virtual machine is following the host.
- Free-running System Clock: the computer is not using any source at all; the clock runs off the system timer with no correction, so it accumulates drift faster than any other configuration.
- The hostname of a domain controller in the Active Directory forest: the computer is using a domain controller either as an NTP server or as the time source through the domain hierarchy. To determine which, see "/query /configuration", discussed later.
- The hostname of a computer running an NTP server: the computer is using a non-Active Directory NTP server as its time source.
- VM IC Time Synchronization Provider: the computer is using the Hyper-V integration services as its time source.

Microsoft's best practice is never to use virtualization services (regardless of hypervisor) as the time source for a domain-joined computer; rely on the normal Active Directory synchronization methods instead. VMware recommends that, for domain-joined computers, you run an NTP server on the VMware host and have the computers synchronize to that NTP server. In my mind, you are better off starting with the Microsoft recommendations and going from there. References for the above comments and best practices:

- Virtual Domain Controllers and Time Synchronisation
- Considerations when hosting Active Directory domain controller in virtual hosting environments
- Deployment Considerations for Virtualized Domain Controllers
- VMware KB: Timekeeping best practices for Windows

Now, if the initial resync command doesn't work, the reason for that particular failure is what you need to figure out. The first thing I always check is the firewall configuration. NTP is UDP only: the computer must be able to send a request to UDP port 123 on the NTP server and receive the reply (NTP does not use TCP, so a TCP probe of port 123 proves nothing). Windows Firewall with Advanced Security in the modern Windows operating systems automatically carries an inbound rule for time synchronization on UDP port 123 on your domain controllers. However, if you are configuring your PDC emulator, you also need to ensure that the external (perimeter) firewall allows its outbound UDP 123 requests and the replies to them. If you have non-domain-joined computers, you may need to allow UDP 123 more broadly in your firewall.
The command below tells you how a particular computer is configured to obtain time:

    w32tm /query /configuration

You are initially most interested in the value of the Type variable that is displayed. The possible values are:

- NTP: the external time source is the NTP server(s) specified by the NtpServer variable
- NT5DS: the external time source is the domain hierarchy (that is, time synchronization originates from a domain controller)
- NoSync: there is no external time source
- AllSync: the computer uses both the domain hierarchy and the manually specified NTP server(s) as external time sources

There may be multiple external NTP servers listed in the NtpServer variable. To properly set up a time synchronization hierarchy for your domain, begin by locating the domain controller that holds the PDC emulator FSMO role (obviously, if you have a single domain controller, as is normally the case in SBS 2008, this process can be shortcut). To determine the holders of the FSMO roles, at that earlier-opened command prompt or PowerShell session, enter:

    netdom query fsmo

Next, on the domain controller revealed to hold the PDC emulator role, do something like this:

    w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual
    w32tm /config /update
    net stop w32time
    net start w32time
    w32tm /resync /rediscover

This ensures that this particular domain controller will attempt to synchronize with an external source providing known good time. pool.ntp.org is a common source. Windows computers come configured by default to use time.windows.com, which sometimes works and sometimes doesn't. Whatever you choose, remember that plain NTP is unauthenticated: anyone who can get forged UDP replies to the PDCe can move the clock of your entire forest, so list more than one peer (separate them with spaces inside quotes in the /manualpeerlist value) and restrict at the perimeter firewall which hosts the PDCe may exchange NTP with.

For all other domain-joined computers, the appropriate configuration is:

    w32tm /config /syncfromflags:domhier
    w32tm /config /update
    net stop w32time
    net start w32time
    w32tm /resync /rediscover

That really should take care of it. /syncfromflags:domhier is the default for domain-joined workstations, and it should be the setting for all DCs except the one in the root domain holding the PDCe role.

When a computer is properly synchronizing from its source (after the Windows Time service restarts, or after an interval in which it could not synchronize), the following entry is made in the System event log:

    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          1/24/2010 1:01:27 AM
    Event ID:      35
    Task Category: None
    Level:         Information
    Keywords:
    User:          LOCAL SERVICE
    Computer:      W2008R2-DC
    Description:   The time service is now synchronizing the system time with the time source pool.ntp.org (ntp.m|0x0|0.0.0.0:123->69.26.112.120:123).

If the time source is a DC, the DC will be named and its IP address listed, just as for an external source. Until next time... If there are things you would like to see written about, please let me know.
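The checks walked through above (what the source is, what Type is configured, whether the machine should be in NTP or NT5DS mode, and whether its offset is inside the Kerberos window) can be rolled into one script run from the same elevated PowerShell session. This is an added example for this article, not code from the original post or from Microsoft; it only wraps w32tm and a .NET call that finds the PDC emulator without the Active Directory module, and the 300-second limit is the Kerberos MaxClockSkew default the article mentions.

```powershell
# Added example, not from the original article: audit this computer's time
# configuration as the article describes, then measure its offset against the PDC
# emulator and warn when it approaches the Kerberos 5-minute skew limit.
$KerberosMaxSkewSeconds = 300   # Kerberos MaxClockSkew default

function Get-W32TimeConfig {
    # Parse the Type and NtpServer lines of `w32tm /query /configuration`
    # and the one-line answer of `w32tm /query /source`.
    $cfg = @{ Type = $null; NtpServer = $null
              Source = ((& w32tm /query /source 2>&1) -join '').Trim() }
    foreach ($line in (& w32tm /query /configuration 2>&1)) {
        if ($line -match '^\s*Type:\s*(\S+)')                               { $cfg.Type      = $Matches[1] }
        if ($line -match '^\s*NtpServer:\s*(.+?)\s*\((Local|Policy)\)\s*$') { $cfg.NtpServer = $Matches[1] }
    }
    return $cfg
}

function Get-PdcEmulator {
    # Same answer as `netdom query fsmo` for the PDC role, without needing netdom or RSAT.
    try   { return [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name }
    catch { Write-Warning "Not domain-joined or domain unreachable: $_"; return $null }
}

function Measure-TimeOffset {
    param([string]$Peer, [int]$Samples = 3)
    # `w32tm /stripchart` prints one line per sample, e.g. "01:01:27, +00.0012345s";
    # a blocked UDP 123 path shows up as "error:" lines and no samples.
    $offsets = & w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1 |
        ForEach-Object {
            if     ($_ -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
            elseif ($_ -match 'error')                   { Write-Warning "$Peer : $_" }
        }
    if (-not $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

$cfg = Get-W32TimeConfig
"Source : $($cfg.Source)"
"Type   : $($cfg.Type)"
"Peers  : $($cfg.NtpServer)"

if ($cfg.Source -match 'VM IC Time Synchronization Provider') {
    Write-Warning 'Hyper-V integration services are the time source; use the domain hierarchy for domain-joined machines.'
}

$pdce = Get-PdcEmulator
if ($pdce) {
    $isPdce = $pdce -like "$env:COMPUTERNAME.*"   # PdcRoleOwner.Name is an FQDN
    if ($isPdce) {
        if ($cfg.Type -ne 'NTP') { Write-Warning 'This is the PDCe: expected Type NTP with an external manual peer list.' }
    }
    else {
        if ($cfg.Type -ne 'NT5DS') { Write-Warning 'Domain member: expected Type NT5DS (/syncfromflags:domhier).' }
        $offset = Measure-TimeOffset -Peer $pdce
        if ($null -eq $offset) {
            Write-Warning "Could not sample $pdce over UDP 123; check the firewall path."
        }
        elseif ([math]::Abs($offset) -gt $KerberosMaxSkewSeconds) {
            Write-Warning ('Offset vs {0} is {1:N3}s, beyond the Kerberos limit; logons will fail.' -f $pdce, $offset)
        }
        else { 'Offset vs {0}: {1:N3}s (OK)' -f $pdce, $offset }
    }
}
```

Run it on a workstation that cannot log on and the three warnings map directly onto the article's decision tree: no samples means the firewall, a Type other than NT5DS means someone hand-configured the peer list, and a large offset with a working sample means the clock is steerable but has not been resynced yet, so `w32tm /resync /rediscover` is the next step.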
|
By Jonathan Merrill on
2/3/2010 1:02 PM
via Lifehacker by Adam Pash on 1/28/10 Yesterday, Steve Jobs worked his charm, attempting to wow the world with the Apple iPad, a new, super-slim computer he touted as the missing link between iPhones and laptops. It's an undeniably beautiful device, but it also represents some serious problems. Note: This subjective post gets rather long winded, so if you don't have time for every hem and haw, skip straight to the meat of the problem. The Good At first glance, the iPad does a lot of things really well—particularly compared to its competition. This depends on what you consider its competition, but for sheer size and price alone, let's say its primary competition is the Kindle, followed by netbooks. Last, and maybe more importantly, consider that maybe it doesn't have any competition because it's aiming for a mostly new market, much like the iPhone completely goosed the primarily business-friendly, BlackBerry-dominated smartphone market. No matter what you consider its competition, it's likely that the iPad outpaces said competition handily. The Kindle: To start, if we compare the iPad to a Kindle, it's really only lacking in one or two arenas from the standpoint of most consumers: It's not using e-ink, so it's potentially not as friendly on the eyes (okay, it's definitely not as eye-friendly), and the battery life is only 10 hours (with video, mind you, which was the only benchmark Apple gave), which is seriously short by e-book reader standards. Now consider this: It's roughly the same size as the Kindle, can do infinitely more (even running a complete end-around the Kindle by running Kindle software), and it's beautiful. Like in life, that last bit—the looks—matter more than we may like to admit. And why shouldn't it matter? Apart from, you know, the usefulness factor, eye candy has always played an important role in technology adoption. Netbooks: Full disclosure: I've never owned a netbook. And maybe that's part of the problem. 
For all the useful, inexpensive netbooks out there, the netbook market has yet to take hold in a truly meaningful way outside of the enthusiast niche. I'm not relying on any real numbers here—more on experience at airports, coffee shops, and public places where people with computers go. Those are the places netbooks were made for, right? And yet all I see at those places are laptops and iPhones. Update: As many commenters have pointed out, the netbook market has been very successful, and my personal experience isn't a good substitute for the numbers. Either way, don't get too hung up on this point—whether or not netbooks are popular is really not the problem. For most people, netbooks have very limited sex appeal. There's no question they do what they're supposed to do, or that they do it well, but last I checked, the netbook hasn't really filled that "When you just need a lightweight computer to do some lightweight surfing, word processing, etc." need. The iPad is aiming straight at this market, and could potentially succeed where netbooks haven't. Lack of competition: Most disconcerting to this technology lover—which I'll discuss in more detail below—is that the iPad really has little direct competition out yet. (Several tablets showed up at CES, but I haven't seen any release date for promising slates. We'll see how those turn out, but at the end of the day, this is still a market like the smartphone market was before the iPhone came along. It wasn't the first smartphone, but it had the best hardware and usability.) In fact, at the end of the day it's much more like an iPhone or iPod touch than it is anything else. It's just got better guts and a bigger screen. It seems most accurate to consider the iPad a computer that runs the iPhone OS.

The Problem

So why is it a problem if the iPad is better than its competition, or, more importantly, fills a niche that hasn't been addressed well enough to this point?
Yesterday Gizmodo rounded up 8 things that suck about the iPad, focusing primarily on hardware issues like its lack of a camera, an ugly bezel, and lack of even a single USB port (sans adapters); we could likewise complain about how the iPad's graphical design seems like a complete afterthought. But much more important, at least from the perspective of a blog that's pretty serious about the free use and control of computers, is this: The iPad, much like the iPhone, is completely locked down. The user has no control over what she installs on the hardware, short of accepting exactly what Apple has approved for it. From past experience, we know what happens when a completely legitimate application—from a huge company that's actually partnered with Apple—doesn't gel with Apple's business plan. They reject it, and you can't use it. And what recourse does the power user have? Jailbreaking! And certainly the iPad will see plenty of hacking, but only because Apple requires you to hack the device if you actually want control over it yourself. Apple's gotten into the habit of acting like you're renting hardware. They've become the all-powerful, over-restrictive, ambivalent IT person in the sky, restricting what users can and can't install on their hardware. With a device like the iPhone, most people slowly accepted Apple's IT state over time. Apple's stance is basically that their lockdown is for your own good—they're protecting us from unstable apps, pornography, confusion, and other nasties. And for the most part, it worked, right? iPhones have remained fast, capable, strong-like-bull, and extremely popular. But conceding that Apple's restrictive policies are to credit is sort of like claiming you've cured cancer because you knocked on wood every morning of your life and, as a result, never got cancer. (Sorry for the weak simile.) What's dangerous about the iPad is that it's much closer to a "real" computer than the iPhone is.
If you dock it with the keyboard accessory, it really is just a sort of low-powered franken-laptop. And yet this is a computer over which you have absolutely no control. And the question is: If we all continue to buy Apple's locked-down products hand-over-fist (Jobs went so far as to talk about Apple as a mobile device company yesterday), what reason does Apple have not to keep moving forward with that model—a model that, to many, is defective by design. Apple's saying to consumers: "Trade in choice for a guarantee that this will work exactly as we designed it to, and you'll never be upset with a computer again." Unfortunately there's no reason to believe the trade is necessary. At the very best, it seems like Apple's extreme and obsessive control over what you're allowed to run on the iPad, iPhone, and iPod touch is maybe delaying the point at which your software demands outpace the hardware, but even that is debatable. With the iPad, iPhone, and iPod touch, you're trading choice and control in exchange for unsubstantiated promises. The Free Software Foundation put it much better: DRM is used by Apple to restrict users' freedom in a variety of ways, including blocking installation of software that comes from anywhere except the official Application Store, and regulating every use of movies downloaded from iTunes. Apple furthermore claims that circumventing these restrictions is a criminal offense, even for purposes that are permitted by copyright law. If Jobs and Apple are actually committed to creativity, freedom, and individuality, they should prove it by eliminating the restrictions that make creativity and freedom illegal. Attention needs to be paid to the computing infrastructure our society is becoming dependent upon. This past year, we have seen how human rights and democracy protesters can have the technology they use turned against them by the corporations who supply the products and services they rely on. Your computer should be yours to control. 
By imposing such restrictions on users, Steve Jobs is building a legacy that endangers our freedom for his profits. A Simple Solution? The App Store isn't exactly the problem—it's the way Apple runs and limits the App Store. Let's say, for example, that Apple added one simple section to the App Store. I'll leave it to the Apple Geniuses to come up with a more marketable name, but for our purposes, let's call it the Restricted section. Now let's say that Apple continues to run the App Store the way it always has, but rather than reject applications that it feels may confuse the user (like they claimed Google Voice* or Google Latitude might), or applications that allow users to access naughty pictures, or even applications that it hasn't had time to vet for the App Store proper, they put those applications in the Restricted section. Before a user is able to install applications from the Restricted section, that user has to agree that the application may confuse their feeble minds, offend their delicate sensibilities, or even slow down their device. Is this such a problem? (*Incidentally, even if we accept Apple's reasons for rejecting the Google Voice application on the iPhone, what reason is there to likewise reject it for the iPod touch and, presumably, the iPad? Neither have phone functionality out of the box, and now the non-phone devices actually outnumber the iPhone.) Even better, it could work like the package manager it actually is and allow users to add their own trusted repositories as sources for other applications. Same disclaimers apply, but Apple is even further removed from culpability—they're not even hosting the apps. The point is, users should at least be allowed to flip some switch, somewhere on the machine, that says, "Hey computer, I'm an adult, and I take responsibility over how I use this machine." So You're Saying I Have to Make a Statement with My Computer Purchases Now? 
I'm not here to get all political (though Apple doesn't give a shit about poor people), but the point is this: As power users, do we really want to send the message to Apple and other hardware manufacturers that we're cool with them taking away our choice? The iPad looks great, and by every account it also feels great and performs like a peach, but it's rife with problems. Unlike the iPhone, where it was easy enough to convince ourselves that these problems were imposed for good reason, the iPad is basically a keyboard-less netbook that will exert complete control over what you're allowed to use on it. A very quick response to the many, many people who feel I'm missing the point because the iPad isn't for me, but for the non-tech savvy users: There's no reason it can't be both. OS X ships with Terminal, even though most Mac users will never use the command line. To say that "either a device is user friendly or it's open" is a false dichotomy. It's also worth mentioning again, as I did above, that Apple's proven itself to be an unreliable, user-hostile gatekeeper. Caveat Emptor! Sending messages aside, my main aim is to discourage readers from buying an iPad. Or if not to discourage, to ensure that people understand the system they're buying into, if and when they do purchase one. The fact remains that the iPad is probably better than any device of its kind out there, so it's very tempting if you want a big, pretty tablet that can do a lot of neat computer things. But it also comes with some serious problems.

Jonathan's Note: I have no problem with Apple Computer Corporation, the Apple OS, nor do I have a real problem with the people of Apple. My problem with these folks is hardware. Apple doesn't belong in the hardware business. Ever run an Apple server? Got a broken iPod? It's my opinion and doesn't need to be debated. This post is another example of Apple not getting it in the hardware market.
|
By Jonathan Merrill on
2/3/2010 12:57 PM
 [Via Reddit]
|
By Jonathan Merrill on
2/3/2010 12:56 PM
Whether it’s about the lack of a camera or multitasking capabilities, a lot of people are disappointed by the new iPad, including Peter Serafinowicz, aka “John” in the following video, who compares the device to a simple pad of paper. Check it out: http://www.geeksaresexy.net/2010/01/28/peter-serafinowicz-produces-hilarious-ipad-parody/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+geeksAreSexyTechnologyNews+%28[Geeks+are+Sexy]+technology+news%29 [Via BoingBoing]
|
By Jonathan Merrill on
2/3/2010 12:53 PM
If you're designing a new storage system, read about these seven storage gotchas that could lead to you having a lot of time on your hands.

Designing a storage solution isn't a trivial undertaking; there are many moving parts, many decisions to be made, and just as many mistakes that can be made. Here are seven mistakes that might lead to you getting in trouble.

1. Not taking RAID storage overhead into consideration.

Unfortunately, I've actually seen this happen. Any responsible storage implementation will probably use RAID to protect against the loss of one or more disks. With the exception of RAID 0, which simply stripes data across a set of disks to create a larger storage pool, every RAID level gives up part of the raw capacity to mirror copies or parity information, and that overhead can be substantial. For example, in a RAID 1 implementation, 50% of the total disk space is used for the mirrored copy of the data. RAID 10, which stripes data across multiple RAID 1 sets to improve performance, exacts the same 50% space toll but is frequently used because of its significant performance benefits. Don't forget to take RAID overhead into consideration when deciding how much storage you need to buy.

RAID storage penalty for common RAID levels:
- RAID 0: No storage penalty, but no protection either.
- RAID 1: 50% storage penalty (mirrored disks).
- RAID 5: 1/n storage penalty where n is the number of disks that make up the array.
- RAID 6: 2/n storage penalty where n is the number of disks that make up the array.
More information about RAID levels: 2. Not taking RAID performance overhead into consideration. RAID exacts more than just a storage penalty; in addition to reducing the amount of usable disk space, different RAID levels also impact the overall performance of the storage system. Different applications require different storage performance characteristics. Different RAID levels are best suited to different kinds of applications. For example, because of the need to calculate parity for RAID 5 and RAID 6, those RAID levels are not always suitable for write-intensive tasks such as, for example, SQL Server log files. Choosing a RAID level that is not best suited for your application will not yield the best possible results. In general, here are some pointers: - RAID 1: Read: Good, Write: Good
- RAID 5: Read: Good, Write: Mediocre
- RAID 6: Read: Good, Write: Poor (double parity calculation and storage)
- RAID 10: Read: Very Good, Write: Very Good
Don’t take this list to the bank, though; performance needs and characteristics vary wildly between applications, so do your homework! More information: 3. Not implementing a solution with enough spindles. IOPS (Input/Output Operations Per Second) is a standard method by which storage performance is measured. While a lot of elements go into figuring out the total input/output capacity of a storage infrastructure, the number of spindles (a common way to refer to the number of disks in a storage solution) is one of the most important that you can design in. The more spindles you throw at a solution, the better the overall performance will be. Many people often assume that the transport mechanism — iSCSI, Fibre Channel, etc. — is the primary limiting factor from a performance standpoint, but this is often not the case. Each individual disk in your storage system is capable of a maximum number of IOPS. This maximum number is multiplied by the number of usable disks in your RAID configuration to arrive at a theoretical maximum IOPS value. For some applications, you can figure out the number of IOPS that you need, but for other applications, you need to work with the vendor to arrive at a reasonable calculation. Without enough spindles to support your load, the rest of the storage design simply won’t matter. 4. Choosing a RAID level that leaves your organization at risk. For some, RAID had long been considered the gold standard when it comes to data protection; however, when used incorrectly, that protection might only be an illusion. Besides taking into consideration storage and performance needs, your RAID level needs to take into account the level of protection you want to maintain in the environment. RAID 5 is, by far, the most common level of RAID out there and, when used correctly, will provide organizations with a degree of protection. However, as drive sizes get larger, the risk of data loss increases pretty quickly. 
Since RAID 5 can tolerate the loss of only a single disk, losing two disks is a recipe for disaster. For more information: 5. Using the wrong kind of disk. I already indicated that you need to make sure you have enough spindles to support the needs of your application environment. Along with that spindle count, make sure you get the right kind of disks. From an IOPS perspective, not all disks are created equal. Further, from a reliability perspective, not all disks are created equal. SATA disks, for example, can be one or two orders of magnitude less reliable than SAS disks and create a much higher risk for data loss (read my URE article). Second, most SATA disks spin at slower rates than their SAS counterparts. Although there are enterprise-grade SATA disks that spin at 10K RPM, SAS disks almost always have a 10K RPM minimum speed and can spin as fast as 15K RPM. The faster the disk spins, the more quickly it can read and write information and, hence, the higher the IOPS value. Note that there are tricks (such as short-stroking) that you can use to force more IOPS from a disk, but I’m not going to get into those here. More resources: 6. Not configuring a hot spare. A hot spare is a critical part of a redundant storage system and provides the system with a way to immediately begin recovering from the loss of a disk due to hardware failure or some other catastrophe. The quicker that an array begins to rebuild after a failure, the less likely it is that the array will suffer another disk fault that could end up resulting in the loss of data from the entire RAID volume. Using a hot spare results in the immediate loss of that disk as usable space in the array. With many people creating multiple RAID sets on an array, you might be concerned about losing a hot spare per RAID set. 
Many arrays will allow you to configure a global hot spare that can automatically take the place of any drive in any RAID set across the entire array, so you can minimize your hot spare overhead while continuing to meet availability needs. 7. Not implementing enough redundancy. Depending on the way that your storage environment will be used, you will implement different levels of redundancy. For primary, high-need storage, make sure that you implement enough redundancy in the environment to meet business needs — that may mean dual controllers, dual UPSs, redundant data paths to the storage, redundant replicated arrays and, much more. When designing your storage, draw every component on paper. Then, in turn, place an X over each component and determine the impact if that particular component were to fail and, for each, component, decide if you need an additional level of redundancy. For example, at Westminster, we use a dual controller EMC AX4 iSCSI. The whole storage infrastructure is redundant from the controllers to the Ethernet switches that service the storage network. For each server that connects to the storage, we use multiple NICs and provide two connections to storage; neither connection uses a common NIC in the server. For example, we use one motherboard NIC connection and an add-in Ethernet adapter connection in order to protect against the failure of a single NIC.
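The storage-penalty table, the spindle-count IOPS calculation and the hot-spare overhead from items 1, 3 and 6 above can be checked before buying disks. The planner below is an added example, not code from the original post; the storage penalties follow the post's table, while the per-level write-penalty factors (RAID 0: 1, RAID 1/10: 2, RAID 5: 4, RAID 6: 6) and the fault-tolerance counts are standard rules of thumb assumed here, not numbers from the post.

```python
from dataclasses import dataclass

# Minimum data disks per level; mirrors (RAID 1, RAID 10) also need an even count.
MIN_DISKS = {"0": 1, "1": 2, "5": 3, "6": 4, "10": 4}
# Disk losses the array is guaranteed to survive (worst case for RAID 10).
FAULT_TOLERANCE = {"0": 0, "1": 1, "5": 1, "6": 2, "10": 1}
# Back-end I/Os generated per host write: the usual rule of thumb, assumed here.
WRITE_PENALTY = {"0": 1, "1": 2, "5": 4, "6": 6, "10": 2}


@dataclass
class RaidPlan:
    level: str
    data_disks: int        # disks holding data or parity; hot spares excluded
    hot_spares: int
    usable_gb: int         # capacity left after the level's storage penalty
    fault_tolerance: int
    raw_iops: int          # theoretical maximum: per-disk IOPS x data disks
    write_iops: float      # host writes per second after the write penalty
    mixed_iops: float      # host IOPS at the requested read/write mix


def plan(level, total_disks, disk_gb, disk_iops, hot_spares=0, read_pct=0.7):
    """Size one RAID set of identical disks (constructed helper, not the post's)."""
    if level not in MIN_DISKS:
        raise ValueError(f"unsupported RAID level {level!r}")
    n = total_disks - hot_spares                 # a hot spare holds no data
    if n < MIN_DISKS[level] or (level in ("1", "10") and n % 2):
        raise ValueError(f"RAID {level} needs at least {MIN_DISKS[level]} disks"
                         " (an even number for mirrored levels)")
    if level == "1" and n != 2:
        raise ValueError("RAID 1 here means a two-disk mirror; use RAID 10 for more")
    # Storage penalty from the post: mirrors lose half, RAID 5 one disk, RAID 6 two.
    overhead_disks = {"0": 0, "1": n // 2, "10": n // 2, "5": 1, "6": 2}[level]
    usable_gb = (n - overhead_disks) * disk_gb
    raw = n * disk_iops
    wp = WRITE_PENALTY[level]
    # Each host write costs `wp` back-end I/Os, so the mix delivers
    # raw / (read_share + write_share * wp) host-visible IOPS.
    mixed = raw / (read_pct + (1 - read_pct) * wp)
    return RaidPlan(level, n, hot_spares, usable_gb, FAULT_TOLERANCE[level],
                    raw, raw / wp, mixed)


if __name__ == "__main__":
    # Constructed scenario: eight 1 TB disks rated at 150 IOPS each.
    for lvl, spares in (("5", 1), ("6", 1), ("10", 0)):
        p = plan(lvl, 8, 1000, 150, hot_spares=spares)
        print(f"RAID {p.level:>2}: {p.usable_gb} GB usable, survives {p.fault_tolerance} "
              f"disk(s), {p.raw_iops} read / {p.write_iops:.0f} write IOPS")
```

Running the scenario shows why item 4 matters: the RAID 5 set gives the most usable space but survives only one failure, while RAID 6 trades write IOPS and one more disk of capacity for a second failure.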
|
By Jonathan Merrill on
2/3/2010 12:48 PM
via virtualboy by mattmcspirit on 1/22/10 Had a few cracking documents sent across to me from Steve Winfield, NetApp Consulting Systems Engineer in the UK, (and member of the Curry Council) which are particularly useful if you’re scoping out a Hyper-V & NetApp combo, and also if you’re planning on running Exchange, SQL and SharePoint on Hyper-V with a MetroCluster stretched across the WAN! Now, although these documents are obviously aimed at NetApp Storage backends, some of the best practice hints and tips will be applicable to Hyper-V on other platforms too, however, if you’re using NetApp and Hyper-V, you’ll find this info spot on. One of the key contributors to these documents (at least 2 of the 3!) is NetApp’s Chaffie McKenna, who is also one of the authors on the NetApp MSEnviro blog, which provides a number of useful pieces of information around the 2 vendors’ technologies. One for the RSS reader I believe! Have a good weekend!
|
I am an 18-year IT professional who has worked in multiple industries, for a variety of personalities, and with a multitude of different technologies. This blog serves two purposes: one, I wanted a place to centralize content that is pertinent to network administration personnel and management; two, a place where I have the opportunity to provide opinion and perspective on issues that arise in how we execute IT.

|