Bharat Suneja

Tuesday, May 19, 2009


Microsoft responds to VMWare's FUD

Posted by Bharat Suneja at 12:48 AM
Much as I love blogging, I'm quite enjoying this unannounced break the past 3 weeks or so! A lot of interesting news, events (including TechEd 2009 in L.A.) and tidbits over the past weeks, and I'm sure you've kept up with it. (Incidentally, this also happened to be the first year in a long while when I actually took a break from TechEd!) What prompted me to end my unannounced break is the rather interesting turn the VMWare FUD has taken, with Microsoft's Jeff Woolsey, Principal Group Program Manager in the Windows Server Hyper-V team actually responding to VMWare on the Virtualization team blog.

Let's take a few steps back and look at the sequence of events.

Hyper-V Wows IT Pros and Critics Alike
It's no big secret that Microsoft's Hyper-V virtualization platform has wowed users and critics alike in its very first release. ZDNet's Mary-Jo Foley posted a review of the pre-release Hyper-V code (by Jason Perlow):
Even though Hyper-V is still pre-1.0 code, I think Microsoft has done a bang-up job with its hypervisor, and it may just turn this Linux freak a Windows 2008 junkie for running his own personal virtualization needs. While VMWare's ESX is still superior on a number of fronts, including its aforementioned VMotion technology and its more powerful cluster management tools, Microsoft has certainly sent a major warning shot across its bow and the bows of the respective Linux vendors, as well.
More in Review: Microsoft's Hyper-V puts VMWare and Linux on notice on ZDNet.com.

InfoWorld's Randall C. Kennedy, who can never be accused of writing a kind word for Microsoft by any stretch of the imagination, calls Hyper-V a "technically sound, well-performing hypervisor..." in Test Center review: Microsoft's Hyper-V does the trick.

I've been using Hyper-V myself for a while now, and given how easy it is to deploy as a server role in Windows Server 2008, or as a standalone virtualization server using Hyper-V Server 2008, I'm admittedly a big fan and excited about where this train's headed.

Scott Drummonds' Video: VMWare FUD?
Back to the VMWare episode— On May 1, 2009, a video titled "Hyper-V Crashes in Consolidated Environments" was posted on YouTube by drummonds1974. The video, which seems to have been updated since then, leads with the following text:
On April 30, 2009, Microsoft TechNet and MSDN went down.
In 2008, Microsoft announced TechNet and MSDN migration to Hyper-V.
Are these two events related?
The video shows some VMs running on Hyper-V crashing, and the mystery voice-over informs you Hyper-V is running a workload "based on VMmark". VMmark, in case you aren't already familiar with it, is an "industry-standard" virtualization benchmark— developed by VMWare.

Of course, no technical details about the particular test or the scenario are provided in the video. Towards the end, drummonds1974 quips:
.. in one of our tests, we actually got the parent partition to crash, which brought down the entire server. Here's a bluescreen of that happening...
You can't be blamed for thinking "Perhaps a childish prank by a newbie sysadmin who just learnt a new trick or two?"

The final screen of the video boldly concludes: Consolidated workloads crash Hyper-V.

The video was posted by Scott Drummonds, Technical Marketing Manager at VMWare.

Microsoft responds
Jeff Woolsey responded to the video in Hyper-V Winning Daily/VMWare FUD Reaching New Heights. Excerpt:
The poster, who doesn't appear on the video, doesn't state what company he works for or provide any context. Gee, I wonder where he works.
On the Hyper-V team, we run thousands of stress tests per week and the stress tests we run are far more invasive than the test in this video. So, I consulted our Hyper-V Supportability Program Manager and dug deeper. I wanted to know if we've had any Hyper-V crashes reported. Here's what I found out.

Of the 750,000 downloads, we've had 3 reports of crashes under stress and with the same error code as seen in the video bugcheck (0x00020001). The solution in all three cases was to upgrade the server BIOS which solved the problem. This can happen as hypervisors interact very closely with hardware and BIOS updates generally include updated microcode for processors oftentimes to address errata.

In case you're wondering, VMWare has had similar crashes with older BIOSes as well. Here.
Round 2: Drummonds' non-response
May 15, 2009: (The timestamp can't be correct, because Woolsey's response to this post is actually dated May 9th... !) Back at VMWare, Scott Drummonds responds with Video on Hyper-V Crashes. Scott states:
..The video and descriptive text have raised more questions than answers.
Now, if, like me, you watched the entire video about 5 times in an attempt to get any answers, then much as you would appreciate the conciseness of Drummonds' video, you found it devoid of any answers. Drummonds continues to bash Hyper-V in his response:
...the run rules were violated to make Hyper-V produce its best results...

09 May 09 09:17: Over on the Virtualization team blog, Woolsey responds with Day Two of the Scott Drummonds VMWare FUD Fiasco. Rather than quote parts of it here, I'll let you read it and come to your own conclusion.

Of course, it doesn't end here!

Round 3: VMWare Responds, Again
May 14, 2009: VMWare's Bruce Herndon responds in Setting the Record Straight on the Hyper-V Video:
I am not exactly pleased to be writing on this particular subject in a public venue...
I can't help but comment here - Herndon is not exactly pleased about responding, but apparently, posting a public video on YouTube appears to be perfectly alright.
I had hoped that this whole kerfuffle would quickly die down, but it shows little sign of abating....
You hoped? Without any details forthcoming for two weeks while a colleague from product marketing amateurishly bashes a competitor's product? As Woolsey points out,
In the meantime, VMware Sales Staff emails customers and would be customers to "check out this video" and VMware senior architects Twitter to "check out this video on You Tube"
Herndon ends his post with:
In the mean time, we intend to focus on helping to build amazing rock-solid products that our competitors can’t yet imagine.
Needless to say, I'm truly amazed by the attitude and tone of VMWare's posts!

Rather than reproducing Herndon's post and commenting on every bit, I'll let you head over to the Virtualization team's response from 17 May 09 10:01: VMware FUD Fiasco Part 3....

All I can say is— it's not the VMWare I know, and certainly not the many fine folks who work at its Palo Alto headquarters (I'm super-impressed with their new campus.. every bit as cool as Google's!). Perhaps the pressure of having real competition to deal with changes things? As Jason Perlow pointed out not too long ago:
Hyper-V represents the first stage of the mass-commodization of hypervisor technology, and if this beta release is any indication, it’s going to be a rough ride ahead for Microsoft’s competitors.


Wednesday, April 22, 2009

If you have Microsoft Outlook 2007 installed on Windows Server 2008 (perhaps because you're also using a lab server as your workstation, or require Outlook for testing), when you start Outlook it complains about Windows Search service not being installed and that Outlook cannot provide fast search results when using the Instant Search feature.

Figure 1: Microsoft Outlook 2007 prompt indicating Windows Search service is not installed

Outlook also displays a clickable notification under the Instant Search box.

Figure 2: Microsoft Outlook 2007 notification to enable Instant Search

Clicking on the notification brings up the same dialog box shown in Figure 1.

In Online mode, Outlook 2007 uses Exchange Search for searching the mailbox - the mailbox is not cached locally.

In Cached Mode, it uses Windows Search service to index messages in the cached copy of your mailbox. Windows Vista includes Windows Desktop Search (WDS) out-of-the-box. Windows Server 2008 and Windows XP do not.

Of course, you can disable the prompt to enable Instant Search in Outlook by going to Tools | Options | Other tab | Advanced Options, and unchecking Show prompts to enable Instant Search. But if you live in a high-volume email environment and have a fairly large mailbox to show for it, Search is an invaluable tool!

Figure 3: Disabling the prompt to enable Instant Search in Outlook 2007

Install Windows Search service
To install the Windows Search service on Windows Server 2008, use the following command:

ServerManagerCmd -i FS-Search-Service

Or install it using the Server Manager console using the following procedure:
  1. Start Server Manager
  2. Click Roles in the navigation tree on the left
  3. Select Add Role in the Roles Summary section
  4. Select the File Services role and click next
  5. Select the Windows Search role service
After Windows Search is installed, when you click the notification in Outlook, it acknowledges Windows Desktop Search has been installed, and prompts you to restart Outlook to enable Instant Search.

Meanwhile, Windows Search indexes your email and documents in the background. If you use Instant Search before indexing is complete, it returns results from the messages it has already indexed, and notifies you of the number of items still to be indexed.

Windows Search 4.0 is the more current version of Windows Search. Download: x64 | x86 .


Thursday, April 09, 2009

You've installed SSL certificates on previous versions of IIS more times than you care to remember. It's no rocket science - you create a certificate request, request the certificate from a Certification Authority, get the certificate and complete your certificate request.

Then there's IIS 7. Modularized. Optimized. Secure. You follow the same procedure as you did with previous versions of IIS. Create a certificate request, check. Get the certificate from a CA, check. Install the certificate, and that's where the familiarity ends. Instead of installing the certificate, IIS 7 throws up a cryptic error: There was an error while performing this operation. Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267).

Figure 1: IIS 7's cryptic error when trying to install an SSL certificate

If you fire up the Certificates console (start a new MMC console | add Certificates snap-in | select the computer account), you'll see the certificate is indeed installed.

By default, IIS does not create a binding for HTTPS.

Figure 2: IIS 7's default site bindings

Add a binding for HTTPS
  1. In the Site Bindings window, click Add
  2. In the Add Site Binding window, select https from the Type: drop-down.
  3. Select an IP address (or optionally, leave All Unassigned selected if you want the site to bind to the specified SSL port on all IP addresses)
  4. From the SSL certificate: drop-down, select the certificate you want to use for the binding/web site.

    [Optional] You can click the View button to view the certificate and ensure you're selecting the right one.

    Figure 3: Creating a binding for https in IIS 7
  5. Click OK to close the Add Site Binding window.

Close the Site Bindings window, start a browser, and test the web site using https.
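
The same binding can be scripted. The following is an added example, not part of the original post: it checks that the certificate in the computer account's Personal store is unexpired and has its private key before creating the https binding. The site name and host name are assumptions, as is the availability of the WebAdministration module (the post itself only uses the IIS Manager GUI).

```powershell
# Added example: scripted equivalent of the Add Site Binding steps above.
# Assumption: the WebAdministration module is available on this server.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: the site being secured
$hostName = 'www.example.com'    # assumption: name the certificate was issued for

# 1. Find the newest unexpired certificate for the host in LocalMachine\My
#    (the store shown by the Certificates snap-in for the computer account).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for $hostName found in LocalMachine\My"
}

# 2. A certificate can be listed in the store without its private key;
#    such a certificate cannot be used for an SSL binding.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server"
}

# 3. Add the https binding on all unassigned addresses, port 443, if missing.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# 4. Attach the certificate to 0.0.0.0:443 (the "All Unassigned" choice in the GUI).
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 5. Show the resulting bindings for review.
Get-WebBinding -Name $siteName -Protocol https
Get-ChildItem IIS:\SslBindings
```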


Tuesday, July 08, 2008

In previous versions of IIS, the IUSR_MachineName account is created for anonymous authentication. This is an actual user account created on the server (a domain account can be used in domain environments), and like all user accounts— it has a SID, and an account password with the accompanying management costs and risks.

One of the resulting annoyances (for me): when you install IIS first and then change the computer name, the computer name and the MachineName in IUSR_MachineName account don't match.

IIS 7 gets rid of the IUSR_MachineName account in favor of a built-in IUSR account that's guaranteed to have the same SID on all computers. This ensures ACLs copied from one web server to another work, domain accounts are no longer required, and applications can be easily deployed across multiple web servers. The IIS_WPG group (for IIS Application Pool identities) is replaced by the built-in group IIS_IUSRS.

Note: The IUSR_MACHINENAME account isn't completely gone— it is used for anonymous authentication to FTP, and gets created if/when you install FTP.

More on the IIS team blog in 'Understanding the Built-In User and Group Accounts in IIS 7.0'

- Security identifiers
- Well-known security identifiers in Windows operating systems
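
Because IUSR and IIS_IUSRS have fixed SIDs, an ACL review can separate portable entries from per-machine leftovers. The following is an added example, not from the original post: it audits a content folder's ACL by SID. The folder path is an assumption, and the SID values S-1-5-17 (IUSR) and S-1-5-32-568 (IIS_IUSRS) are the well-known values, which the post does not list.

```powershell
# Added example: classify ACL entries on a web content folder by identity type.
$webRoot = 'C:\inetpub\wwwroot'   # assumption: default IIS content path

# Well-known SIDs: the same value on every Windows computer.
$builtIn = @{
    'S-1-5-17'     = 'IUSR'
    'S-1-5-32-568' = 'IIS_IUSRS'
}

# Ask for the rules keyed by SID rather than by account name.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path $webRoot).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value

    # Resolve the SID to a name; failure means this machine does not know it.
    $name = $null
    try {
        $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    $finding = $null
    if ($builtIn.ContainsKey($sid)) {
        $finding = "built-in $($builtIn[$sid]): valid on any server"
    } elseif (-not $name) {
        $finding = 'unresolved SID: copied from another machine or a deleted account'
    } elseif ($name -match '\\IUSR_') {
        $finding = 'per-machine IUSR_MachineName account (older IIS, or FTP)'
    } elseif ($name -match '\\IIS_WPG$') {
        $finding = 'IIS_WPG group from a previous IIS version'
    }

    if ($finding) {
        [pscustomobject]@{
            Sid       = $sid
            Account   = $name
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
            Finding   = $finding
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```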


Wednesday, June 11, 2008

Windows Server 2008's new Windows Server Backup utility, the replacement for NTBackup, doesn't do Exchange backups out of the box.

I'm in Scott Schnoll's session where he just announced a new Microsoft plug-in that will do Exchange VSS backups. The tool will be released this summer.

More notes from this excellent session soon!


Wednesday, May 09, 2007

One of the nice features I noticed about the Active Directory Users & Computers (ADUC) console in Longhorn server - in an object's properties, there's an Attribute Editor tab built-in, that allows one to directly edit an object's attributes. In previous versions, one had to use a tool like ADSIEdit to edit attributes not exposed by the ADUC user interface. The Attribute Editor will save trips to ADSIEdit for editing such unexposed attributes (for instance, the employeeID and employeeNumber attributes, as shown in the screenshot below). When directly editing AD attributes, it's important to ensure the validity of data so entered/changed, just like you would with tools like ADSIEdit.


Monday, April 30, 2007

We've been hearing a lot about 'crapware' apps installed by hardware vendors on desktops and laptops - apps like AOL (or other ISP) software, myriad browser add-ins and toolbars, trial versions of anti-virus, firewall, and security software that you may never use - perhaps because your organization has standardized on some more manageable enterprise versions of such apps, or the apps installed are either not the ones you would choose, or they're completely useless. Annoying as it is to get these apps installed by default, what's even more annoying is the fact that most vendors generally give you no choice to get a computer with a "clean"/base operating system installed.

Given the razor-thin margins in the PC industry, vendors cannot resist augmenting their bottom line through such deals with application vendors.

However, little attention has been paid to the crapware that comes with the operating system itself. For instance, why does a server OS need Windows Media Player installed by default? Cursors of different shapes and sizes? Themes and wallpapers? NetMeeting? It's a long list.

It's a common practice in many organizations, where servers are deployed/redeployed on a regular basis, to build a secure server image sans all these apps and services that are of no use on a server (further locked down using the organization's secure server build procedures).

Luckily, that's not the case with Longhorn server. None of the crapware or desktop-like apps get installed by default. Should you want to, features like "Desktop Experience" can be installed.


Additionally, Server Core (a barebones install of the OS sans the Windows Explorer GUI, which can be managed locally from the command line or remotely from a workstation with management tools installed) and purposing a server based on server roles (17 of them available in Beta3) ensure Longhorn servers are leaner, with a reduced attack surface.

It's important to realize that the Windows management experience is going to change from the everything-turned-on-by-default model of previous versions of Windows (server and client OSes), where you disabled or removed the components you did not need, to one where you get a basic install that makes the OS functional, requiring other components to be added/enabled/configured later, as required.

One component that does get installed by default is Internet Explorer. It would be great to get rid of this as well - though a web browser may be seen as an essential component of the OS by many, particularly - as the argument goes - for the ability to download patches/updates/drivers, etc., do you really want to browse web sites from the server? Using IE?
