TechEd Europe 2014 – Day 4
Tech-Coffee, Fri, 31 Oct 2014
For this last day at TechEd Europe 2014, I went to these sessions:

  • Session 1: Deploying Hyper-V Network Virtualization;
  • Session 2: Cluster-in-a-Box meets Datacenter Convergence to redefine successful private cloud deployment.

Session 1

This session was presented by Stanislas Quastana and Arnaud Lheureux. It was a demo-oriented session showing how to implement network virtualization from scratch.

The speakers first explained that Windows Server 2012 R2, Virtual Machine Manager 2012 R2 and an NVGRE gateway are needed to implement network virtualization in the Microsoft world.

Next they described the benefits of network virtualization depending on the context:

  • For private cloud/companies:
    • Isolate networks between customers;
    • Extend corporate datacenters to external resources: hybrid cloud;
    • Flexible VM placement without reconfiguration;
    • Easier integration of an acquired company's network infrastructure.
  • For hosting companies:
    • Multi-tenancy;
    • Customers can bring their own IPs and IP network topology;
    • Flexible VM placement in datacenter networks without reconfiguration.

Next they introduced the concepts of Provider Address (assigned to the provider’s hypervisor) and Customer Address (used by the tenant’s Virtual Machines). Then they described the features of a VM Network:

  • Network isolation boundary;
  • Comprised of one or more virtual subnets;
  • Routing between virtual subnets is explicit;
  • A virtual subnet (identified by its VSID) is the broadcast boundary.

When a Virtual Machine is in a virtualized network, it knows only Customer Addresses; only VM Network traffic is virtualized. Then they explained how NVGRE works (you can find more information about this technology on Tech-Coffee here). With network virtualization, it is VMM that holds the VM network configuration (such as which Hyper-V host each VM is located on).

These explanations were followed by a demo of how to implement network virtualization from scratch using VMM.

After the demo, they explained how two VMs in two different virtual subnets of the same VM network communicate, by showing us network traces of the NVGRE flow.
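The Provider Address / Customer Address split and the VSID isolation boundary described above, as an added example that is not part of the original post: a minimal NVGRE encapsulation and decapsulation in Python following the RFC 7637 packet format. The addresses, MACs and VSID are constructed sample values, and the delivery check is a simplified model of the receiving host's policy, not Hyper-V's own code.

```python
"""Minimal NVGRE encapsulation/decapsulation (added example, not code from the session).
Provider Addresses (PA) travel in the outer IPv4 header, Customer Addresses (CA) inside the
tenant's Ethernet frame, and the 24-bit VSID in the GRE Key field names the virtual subnet
(RFC 7637). Every address, MAC and VSID below is a constructed sample value."""
import ipaddress
import struct

GRE_FLAG_KEY = 0x2000    # K bit set; C and S bits, Reserved0 and Version must all be zero
GRE_PROTO_TEB = 0x6558   # Transparent Ethernet Bridging: the GRE payload is an Ethernet frame
IP_PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tenant_frame(dst_mac, src_mac, ca_src, ca_dst, payload: bytes) -> bytes:
    """Ethernet + IPv4 frame exactly as the tenant VM emits it: the VM only ever sees CAs."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(ca_src, ca_dst, 17, len(payload)) + payload  # 17 = UDP; payload opaque


def nvgre_header(vsid: int, flow_id: int = 0) -> bytes:
    """GRE header with K flag; Key = VSID in the upper 24 bits, FlowID in the lower 8."""
    if not 0 <= vsid <= 0xFFFFFF or not 0 <= flow_id <= 0xFF:
        raise ValueError("VSID must fit in 24 bits and FlowID in 8 bits")
    return struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_TEB, (vsid << 8) | flow_id)


def encapsulate(pa_src: str, pa_dst: str, vsid: int, inner: bytes, flow_id: int = 0) -> bytes:
    """Sending host: wrap the tenant frame in GRE and an outer IPv4 header addressed by PA."""
    gre = nvgre_header(vsid, flow_id)
    return ipv4_header(pa_src, pa_dst, IP_PROTO_GRE, len(gre) + len(inner)) + gre + inner


def decapsulate(packet: bytes) -> dict:
    """Receiving host: validate the outer headers and expose PA pair, VSID, FlowID and inner frame.
    Raises ValueError for anything that is not well-formed NVGRE."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if flags != GRE_FLAG_KEY or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE header")
    return {"pa_src": str(ipaddress.IPv4Address(packet[12:16])),
            "pa_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "vsid": key >> 8, "flow_id": key & 0xFF, "inner": packet[ihl + 8:]}


def inner_ca_pair(inner: bytes) -> tuple:
    """Customer source/destination addresses from the inner IPv4 header (14-byte Ethernet header first)."""
    return str(ipaddress.IPv4Address(inner[26:30])), str(ipaddress.IPv4Address(inner[30:34]))


def deliver_to_vm(packet: bytes, vm_vsid: int, vm_mac: str) -> bool:
    """Isolation boundary (simplified model, not Hyper-V's code): a frame reaches a VM only when its
    VSID is the VM's virtual subnet and the inner destination MAC is the VM's own."""
    info = decapsulate(packet)
    return info["vsid"] == vm_vsid and info["inner"][:6] == mac_bytes(vm_mac)


def build_sample() -> bytes:
    """Constructed flow: CA 10.0.0.4 on host PA 192.168.1.10 -> CA 10.0.0.5 on host PA 192.168.1.11,
    both VMs in virtual subnet VSID 5001."""
    frame = tenant_frame("00:15:5d:00:00:02", "00:15:5d:00:00:01", "10.0.0.4", "10.0.0.5", b"hello")
    return encapsulate("192.168.1.10", "192.168.1.11", 5001, frame)
```

Running `decapsulate(build_sample())` shows the trace view from the session: the outer header carries only the two PAs, and the CAs appear only after the GRE key has been stripped.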

Then they presented a demo of how to implement an NVGRE Gateway using the Windows Server Gateway. They said a word about using a third-party appliance, such as an F5, as the NVGRE gateway. To finish, the speakers presented IPAM integration with VMM.

Session 2

This session, presented by John Loveall, was about the Cluster-in-a-Box (CiB) technology. First he introduced the concept of CiB:

  • Full hardware solution;
  • Full software solution;
  • Volume hardware and software defined subsystems;
  • Scalable system and integrated high availability.

These converged systems are built to support private cloud infrastructure, which is why Software-Defined Compute (Hyper-V), Networking (NVGRE) and Storage (Scale-Out File Servers) are usually implemented. However, CiBs are usually designed for small to medium hosters.

Then he explained the hardware design of a common CiB. Usually CiBs are pre-configured and pre-cabled, with space available for hardware expansion. Moreover, service and data must remain available despite the failure of any single component. Below you can find the slide about system design considerations for CiBs (sorry for the poor quality of the photo):

The next slide presented the component-level recommendations:

Then the speaker presented a video showing how to set up an OEM CiB appliance out of the box, following the steps below:

  • Node discovery and initial settings
  • Domain and cluster settings
  • Provision Clustered storage
  • Deploy cluster

You can find a guide about that in this TechNet topic.

Next he presented some CiBs, such as the PowerEdge VRTX. Then he described four customer applications with examples:

  • Upgrading the datacenter for a medium-sized business
  • Deploying new datacenters for multiple clients
  • Using high-performance Windows storage for demanding datacenter requirements
  • High availability storage for the TechEd Hands-On lab

To finish, he introduced the Cloud Platform System (CPS), which is Microsoft's implementation of CiB. The CPS hosts Windows Azure Pack, System Center, SQL Servers, Hyper-V hosts, storage and the networking stack. For more information about CPS you can follow this link.

It was a great TechEd with a lot of announcements about Windows vNext. But now it’s time to go back home :).

TechEd Europe 2014 – Day 3
Tech-Coffee, Thu, 30 Oct 2014
For this third day at TechEd Europe 2014, I went to these sessions:

  • Session 1: Designing Hybrid scenario with Microsoft Azure;
  • Session 2: Malware Hunting with Mark Russinovich and the Sysinternals Tools;
  • Session 3: Microsoft Azure Security Compliance Overview;
  • Session 4: Hyper-V Management made easy with System Center and Veeam Management Pack for System Center;
  • Session 5: Planning and Designing Management Stamps with Azure Pack;
  • Session 6: Managing Platform-as-a-Service with the Azure Pack.

So this is a big day with 6 sessions (no way to play games to win a Surface Pro 3 today in the Tech-Expo :p).

Session 1

The first presentation was about Hybrid Cloud with Microsoft Azure. The speaker began with the observation that the new model is the consumption of resources such as CPU, RAM, storage and so on, which is why cloud computing is emerging. There are two types of cloud:

  • On-Premises Private Cloud;
  • Off-Premises IaaS, SaaS, PaaS and so on, also called Public Cloud.

To build a Private Cloud with Microsoft technologies, you use Windows Server, System Center and Windows Azure Pack. The Public Cloud is implemented with Microsoft Azure, which provides a large range of services such as networking, automation, compute services and data services. To unify the cloud strategy, it is possible to combine the best of both worlds into a Hybrid Cloud.

The connection from On-Premises to Microsoft Azure can be implemented using Site-to-Site VPN, Point-to-Site VPN or ExpressRoute. Then the speaker presented some hybrid cloud scenarios:

  • Microsoft Azure Backup. Extending Windows Server Backup in the cloud (demo: Azure Site Recovery and Backup);
  • Archive with StorSimple;
  • Microsoft Azure Site Recovery;
  • Presentation of SQL Server with one server On-Premises and one in Microsoft Azure, with an AlwaysOn configuration created across them.

Next he presented networking with Microsoft Azure Virtual Network. In this part the speaker introduced security groups, which manage network traffic rules between subnets and so control access between virtual subnets.

To finish, he talked about the Azure Load Balancer, which works for IaaS and PaaS. It supports TCP and UDP, custom health probes and reserved IPs for load balancing. A new feature enables source-IP-based affinity, and it is now also possible to increase the idle connection timeout.

Session 2

The speaker was Mark Russinovich, who presented how to hunt malware using the Sysinternals tools. He presented these malware cleaning steps:

  • Disconnect the infected machine from the network;
  • Identify malicious processes and drivers;
    • Check for suspicious files: no icon, no description, unsigned “Microsoft” images, living in the Windows directory or a user profile, strange URLs in the strings, hosting suspicious DLLs or services, open TCP/IP endpoints and so on;
    • Begin with Task Manager, then use Sysinternals Process Explorer;
    • Use Process Explorer to identify strange processes, such as a process that should not run with high privileges;
    • Next run an image verification to see if a Microsoft signature is present;
    • Presentation of VirusTotal.com, which is Antivirus-as-a-Service;
    • Use Sysinternals SigCheck to check the signature of an application.
  • Terminate identified processes;
    • Don’t kill the process, because there is often a watchdog that restarts it automatically;
    • Instead of killing the process, suspend it.
  • Identify and delete malware autostarts;
    • Use the Sysinternals Autoruns tool;
    • Autoruns is now able to connect to VirusTotal.com.
  • Trace the malware;
    • Use Sysinternals Process Monitor;
    • Use filters to find more precisely what the malware does.
  • Malware forensics;
  • Sysinternals Sysmon;
    • A background system monitoring utility, first written for use on the Microsoft corporate network.
  • Delete the malware;
  • Reboot and repeat.
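The “identify malicious processes” checklist above, turned into a triage script as an added example (not Mark Russinovich's code or a Sysinternals feature). The process records mimic the fields Process Explorer or a Sysmon process-creation event exposes and are constructed sample data; the scoring rules are the checklist items themselves, and the ranking only proposes which processes to suspend and chase through Autoruns and Process Monitor.

```python
"""Process triage following the session's hunting checklist (added example, not Sysinternals code).
Records imitate what Process Explorer / Sysmon show for a process; all four are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import List

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
HIGH_PRIVILEGE = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}


@dataclass
class ProcessRecord:
    pid: int
    image: str                 # full path of the executable
    description: str           # version-resource description ("" if none)
    company: str               # version-resource company name ("" if none)
    signed: bool               # Authenticode signature verified (sigcheck / Process Explorer "Verified")
    user: str                  # account the process runs as
    listening_tcp: List[int] = field(default_factory=list)   # open TCP/IP endpoints
    strings: List[str] = field(default_factory=list)         # strings found in the image


def triage(p: ProcessRecord) -> List[str]:
    """Return the checklist items this process matches; an empty list means nothing suspicious."""
    reasons = []
    if not p.description:
        reasons.append("no description")
    if not p.signed:
        if p.company.lower().startswith("microsoft"):
            reasons.append("claims to be a Microsoft image but is unsigned")
        elif WINDOWS_DIR.match(p.image):
            reasons.append("unsigned image in the Windows directory")
        if p.user.upper() in HIGH_PRIVILEGE:
            reasons.append("unsigned process running with high privilege")
    if USER_PROFILE.match(p.image):
        reasons.append("image lives in a user profile")
    urls = [u for s in p.strings for u in URL.findall(s)]
    if urls:
        reasons.append("strange URL in strings: " + urls[0])
    if p.listening_tcp:
        reasons.append("open TCP/IP endpoint(s): " + ", ".join(map(str, p.listening_tcp)))
    return reasons


def rank(records: List[ProcessRecord], min_hits: int = 2) -> List[tuple]:
    """Processes with at least min_hits checklist hits, most suspicious first (pid breaks ties).
    These are the candidates to suspend (not kill) before looking at autostarts and tracing."""
    scored = [(p, triage(p)) for p in records]
    scored = [(p, r) for p, r in scored if len(r) >= min_hits]
    return sorted(scored, key=lambda pr: (-len(pr[1]), pr[0].pid))


# Constructed sample inventory: a real service host, a benign user application, two look-alikes.
SAMPLE = [
    ProcessRecord(804, r"C:\Windows\System32\svchost.exe", "Host Process for Windows Services",
                  "Microsoft Corporation", True, r"NT AUTHORITY\SYSTEM"),
    ProcessRecord(3120, r"C:\Program Files\Example Editor\editor.exe", "Example Editor",
                  "Example Corp", True, r"CONTOSO\alice"),
    ProcessRecord(4120, r"C:\Users\alice\AppData\Roaming\svchost.exe", "", "Microsoft Corporation",
                  False, r"CONTOSO\alice", listening_tcp=[8080],
                  strings=["http://update.example.invalid/check.php", "Mozilla/4.0"]),
    ProcessRecord(5210, r"C:\Windows\Temp\helper.exe", "", "", False, r"NT AUTHORITY\SYSTEM"),
]


if __name__ == "__main__":
    for proc, reasons in rank(SAMPLE):
        print(f"PID {proc.pid}  {proc.image}")
        for reason in reasons:
            print("   -", reason)
```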

At the end, the speaker demonstrated malware hunting on scareware and so on.

Session 3

This session was not really a technical session, but it gave me information about how Microsoft handles security on Microsoft Azure. When I talk with friends about Microsoft Azure, it is difficult to find arguments about its security. This is why I attended this session.

The speaker first said that the cloud can only be adopted if customers can be sure that security will be as good as or better than in their On-Premises datacenters. He then described how Microsoft identifies and addresses threats before they impact customers, for example with the Digital Crimes Unit. Next he talked about the shared responsibility between the customer and Microsoft:

The next part of this session was more technical. First he talked about physical datacenter security: cameras, 24/7 security staff, barriers, alarms and so on. Then he talked about patch management, monitoring & logging, antivirus & anti-malware and IDS, used to protect the Microsoft Azure infrastructure and its customers.

Next he introduced isolated virtual networks with the new feature called Network Security Groups (cf. Session 1). He also presented VPN and ExpressRoute connectivity between an On-Premises site and Microsoft Azure for Hybrid Cloud.

Then he said a word about identity & access management with Azure Active Directory, which provides enterprise cloud identity and access management for end users, enables SSO and offers Multi-Factor Authentication.

Microsoft Azure traffic is encrypted with SSL/TLS (HTTPS). Microsoft Azure supports FIPS 140-2, BitLocker, EFS and Transparent Data Encryption for SQL. The RMS service is also available for file encryption. StorSimple is able to encrypt data with AES-256.

Next the speaker presented this incident response overview:

To finish this session, the speaker said a word about “where is my data and who can access it?”. First, customers can choose the region where data is stored:

Data stored in Microsoft Azure can be accessed only by a restricted set of Microsoft staff. To limit access to customer data, Microsoft has implemented just-in-time and role-based access. Microsoft does not give governments access to data stored in Microsoft Azure. For EU customer data, there is a special contractual clause. Moreover, Microsoft Azure doesn’t share data with its advertiser-supported services.

To finish, when data is deleted, the index is immediately removed from the primary location, and then geo-replication of the index is run.

Session 4

In this session, Mike Resseler presented the Veeam Management Pack for SCOM. He presented the topology view, which shows the storage, network and virtual machines of a hypervisor (VMware or Hyper-V). Thanks to this topology view, we can easily find which component causes an issue and which Virtual Machines are impacted.

Next he said a word about Veeam Task Manager for Hyper-V (a free tool) to view the resource consumption of a Hyper-V host and its VMs in real time.

Then he returned to SCOM and introduced the Veeam SCOM widgets and the analysis dashboard. The latter makes it easy to view resource utilization (CPU, memory, memory pressure etc.) by VM or by hypervisor.

Next he presented capacity planning, which analyses resource consumption to plan hardware upgrades.

To finish, he showed us a dashboard to find zombie VMs based on performance analysis. This report also finds oversized VMs.

Session 5

This session was presented by Kristian Nese. First he presented the basics of VM Clouds (SPF, VMM etc.) and the interaction between each component. Next he introduced multi-tenancy in Windows Azure Pack with hosting plans and subscriptions. Several hosting plans can be associated with the same VMM.

Service Provider Foundation can support 5 VMM stamps. If VMM and SPF are installed in separate domains, the VMM domain must trust the SPF domain. Each stamp is isolated, which means stamps can’t interact with each other. Finally, WAP supports only one SPF endpoint.

Below is the use case for multiple stamps:

Below is the use case for a single stamp for WAP:

When deploying VM Clouds for production, Virtual Machine Manager should be deployed in high availability. The Hyper-V hosts that host the NVGRE gateway should be deployed in high availability, and the Gateway Server as well. Host groups should represent the location of the Hyper-V hosts first, and then their function.

Bare-metal deployment should be used to deploy new Hyper-V hosts, for scalability. Moreover, it is necessary to manage updates on hypervisors, for example with WSUS integration. Finally, you should have highly available storage such as a Scale-Out File Server or a SAN. It is better if the storage supports SMB 3.0, so that it can be managed directly in VMM.

Next Kristian Nese presented a scenario with a single VMM stamp. In this case, VMM must scale across locations and NVGRE must be implemented (tenants with VLANs must also be supported). He also implemented Remote Console and VM Roles.

Next he made a demo implementing the scenario described above.

You can find further information about Windows Azure Pack and VM Clouds on Tech-Coffee here.

Session 6

First the speaker talked about each server role of Website Clouds:

  • Controller – Provisions and manages other roles
  • Management – REST endpoint to manage WAP WS
  • Worker – Process web requests
  • Front-End – Accepts web requests and routes to workers
  • Publisher – Supports multiple publishing protocols
  • File Server – Web Site shared storage (SOFS not supported)
  • Database – SQL Server for System information

Next he presented the interaction between each server. You can find a schema here.

Then he switched to the Windows Azure Pack admin portal to demo the Website cloud. The speaker explained the available features such as PHP, ASP.NET, service level management etc.

Microsoft tested the stability of a deployment with 200+ web workers and 25,000 websites. Next he introduced the Web App Gallery, which enables tenants to easily deploy WordPress, phpBB and so on.

Visual Studio can be used to deploy source code to a production web farm. Next he made a demo of the Websites tenant experience. He showed us how to create an empty website and how to deploy a website from the Gallery. To finish, the speaker explained how to use SQL databases and MySQL databases with websites.

TechEd Europe 2014 – Day 2
Tech-Coffee, Wed, 29 Oct 2014
For my second day at TechEd Europe 2014, I went to the sessions below:

  • Session 1: Directory Integration: Creating One Directory with Active Directory and Azure Active Directory;
  • Session 2: System Center Operations Manager: Monitoring in a Modern World;
  • Session 3: Protecting Virtual Machines with Veeam: There is More than Just Protection;
  • Session 4: How you can Hack-Proof your clients and servers in a day.

Session 1

The speaker of this session talked about the connection between the On-Premises Active Directory and Microsoft Azure Active Directory. This provides users with a common identity across On-Premises and public services. With Active Directory Federation Services integration, users can log on to their applications with Single Sign-On.

There are 3 components to connect On-Premises AD and Microsoft Azure AD:

  • The On-Premises Active Directory;
  • The Microsoft Azure Active Directory;
  • An Identity Bridge.

To build the identity bridge, the speaker presented the preview of Azure Active Directory Connect. There are two configuration modes:

  • Express configuration;
  • Custom configuration.

The Express configuration is useful only if you have a single forest in your On-Premises Active Directory. It is really easy to configure: you need only your Microsoft Azure credentials and an Enterprise Admin account for your On-Premises Active Directory.

The Custom mode is useful when you have multiple forests in your On-Premises Active Directory and when you want to configure special features (such as connecting to AD FS for SSO). You can also enable more features for Exchange (e.g. GAL Sync) and choose which Active Directory attributes you want to synchronize with Microsoft Azure AD.

To finish this session, a new feature called “Write-Back” is available in the Azure Active Directory Connect preview. It writes modifications made in Microsoft Azure AD back to the On-Premises AD.

Session 2

The speaker of this session talked about monitoring in a modern architecture. First of all he presented some new features of the next version of SCOM. The speaker announced the following new features:

  • Support of Windows vNext;
  • Support of SQL Server 2014;
  • Enhanced support of open-source software such as the LAMP stack;
  • New Management Packs;
  • Easy update process from SCOM to SCOM vNext.

Next the speaker presented the monitoring of Cloud Platform System (CPS) with a special dashboard. He said a word about the Script Center, where the community can publish PowerShell scripts.

He presented the new management pack for VMM and Exchange 2013 that was released yesterday (a pretty impressive management pack).

To finish this session, he presented Azure Operational Insights, which transforms machine data into near-real-time operational intelligence. Azure Operational Insights collects machine data such as event logs, IIS logs etc. From this data, it can generate dashboards and reports, such as the number of servers that are not updated. It also centralizes event logs to show alerts, and provides a log search engine.

Session 3

Today, backups and restores take too long. These are the words of Mike Resseler. A modern backup solution must back up and restore as fast as possible. Moreover, the backup solution should be agentless, which avoids managing software on the clients. The 3-2-1 rule must be applied:

  • Data must be stored 3 times (including the data on the production servers)
  • Backups on 2 media
  • 1 backup offsite

After this introduction, Mike Resseler showed Veeam Availability Suite v8. This solution is able to manage missing updates on hypervisors (he said that every update must be applied on Hyper-V hosts, including fixes). He presented some features such as Item-Level Recovery for Active Directory or Exchange e-mail.

Next he talked about the need to test restores regularly. For that, Veeam Availability Suite v8 provides Virtual Labs, which can schedule automated restores of Virtual Machines.

To finish, he presented Veeam Backup Enterprise Manager, which is a web application. It provides dashboards, reports, the possibility to review jobs, the state of restore points etc.

This was a great presentation of the Veeam Availability Suite v8.

Session 4

The speakers presented many features to increase security in your company. To increase authentication security, the first step is the password, then smartcards and Authentication Mechanism Assurance (SSO). You can increase security without increasing complexity for the users.

So the speakers presented smartcard authentication and dynamic groups. This feature makes you a member of a group only if you used smartcard authentication. For example, you will be a Domain Admin only if you logged on with smartcard authentication. This is done thanks to a special issuance policy in the certificates and the configuration of the “Strong” attribute of the group in Active Directory.

Next the speakers presented the /restrictedadmin option of the mstsc.exe command. In this case, SSO is used between the client and the RDS server. When the user is logged on to the RDS server with this option, the token contains the computer’s information instead of the user’s information (such as SID, password hash etc.).

Next the speakers recommended applying JEA (Just Enough Administration). They gave an example with role-based PowerShell access, where it is possible to limit the PowerShell commands available to a user.

Next they presented a new built-in group called “Protected Users”, only available on Windows Server 2012 R2. When a user is a member of this group:

  • No locally stored credentials (only a Kerberos token)
  • No NTLM
  • Strong Kerberos AES encryption (no RC4/DES)
  • No account delegation (no one can impersonate the account)
  • Default TGT lifetime = 4h (configurable by authentication policies)

To finish, the speakers presented Dynamic Access Control. This feature grants access to a resource according to its classification.

See you tomorrow :).

TechEd Europe 2014 – Day 1
Tech-Coffee, Tue, 28 Oct 2014
This week I am at TechEd 2014 in Barcelona. For this day, I have chosen the sessions below:

  • TechEd Keynote
  • Optimizing your Datacenter with Windows Server, System Center, and Microsoft Azure
  • Software Defined Compute in the Next Release of Windows Server Hyper-V
  • Next Generation Networking in the next release of Windows Server: SDN, NFV and Cloud Scale fundamentals
  • Software Defined Storage in the next release of Windows Server

First, a presentation of the latest build of Windows 10 was given:

  • The (re)newed start menu;
  • The tiles in the start menu;
  • The virtual desktop;
  • The Windows interface switching depending on whether a keyboard is used on a Surface Pro 3: if the keyboard is used, the Windows user interface is in desktop mode, and if you use the Surface Pro 3 without the keyboard, Windows switches to the tablet interface;
  • Logon with your Windows Phone instead of using a password;
  • You can choose whether the computer is bought for personal use or for organizational use. In the case of organizational use, the user can enter credentials and the computer is enrolled in the organization’s IT.

Next, new features were teased regarding Azure Pack and Microsoft Azure:

  • “G” Virtual Machine (32 CPUs, 448 GB RAM and 6.5 TB SSD);
  • Docker Engine, which enables running Linux commands from Windows;
  • Azure Operational Insights (capacity management, centralized information about the cloud such as the number of servers not updated, event logs etc.);
  • Azure Witness, which enables using the cloud as a witness in a Failover Cluster;
  • Cloud Platform System (CPS), a cloud-in-a-box;
  • A presentation of Azure Batch with Blender to scale out computing.

In the Software Defined Compute session, some new Hyper-V and cluster features for vNext were presented, such as:

  • Quarantined Hyper-V nodes. If a node has intermittent issues (if the node leaves the cluster three times within an hour), the node is moved into quarantine (after its Virtual Machines have been live-migrated). When the node is in quarantine, it can’t host virtual machines;
  • An improved process to update SOFS or Hyper-V nodes that are members of a Failover Cluster to the next Windows Server edition. You can update the OS even if the server is a member of a cluster;
  • An improved backup process for Virtual Machines;
  • And all the features described in this TechNet topic :).

In the Software Defined Networking session, some new features for vNext were announced:

  • Support for VXLAN and NVGRE;
  • Software network load balancing (different from NLB);
  • Network Controller;
  • IPAM enhancements;
  • Cloud-oriented DNS (geo-location awareness and traffic management);
  • Increased converged fabric. For example, one network card can be used for RDMA-based storage access and tenant traffic.

To finish, in Software Defined Storage, these new features for vNext were presented:

  • Storage Quality of Service (QoS) with greater efficiency (define minimum & maximum IOPS, policy per VHD, VM, service or tenant, fair distribution within a policy etc.). It is easier to define service levels;
  • Rolling upgrades with Windows Server 2012 R2 and vNext nodes within the same cluster. The upgrade process is easier;
  • SOFS clusters can use a witness cluster;
  • Quarantined SOFS nodes (if the node leaves the cluster three times within an hour). If a node has intermittent issues, the node is moved into quarantine. When the node is in quarantine, it can’t host storage;
  • Storage Replica. Enables replicating a volume to another volume at an offsite location. It is block-level, in sync or async mode. Works with Storage Spaces or any SAN volume;
  • A small presentation of SOFS without shared storage (for low cost).

That’s all for today. See you tomorrow 🙂