March 2007 - Page 2 of 3

Secure, remote administration of a Windows computer

Posted on Saturday 24 March 2007Sunday 25 March 2007 By Mark Wilson

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I was going to call this post “secure, remote administration of a Windows computer from within Windows” but that sounds a bit odd, unless you realise that the last two posts have been “secure, remote administration of a Linux computer from within Windows” and “secure, remote administration of a Mac OS X computer from within Windows“. Basically, after getting SSH tunneling to work for administering Mac OS X and Linux machines, I thought that it would make sense to apply the same principles to Windows.

John Fitzgibbon’s comparison of free SSH and SCP programs for Windows 9x, NT, ME, 2000 and XP explains the various SSH server options for Windows but one option he doesn’t mention is Tevfik KaragÃ¼lle’s CopSSH, which I found on a list of free SSH implementations recommended by OpenSSH.

CopSSH bundles parts of OpenSSL, OpenSSH and Cygwin into a Windows installer. It’s straightforward to install, and includes a GUI interface to activate a user for SSH, including the generation of a public/private key pair (saved to %programfiles%\copSSH\username\username.key and %programfiles%\copSSH\username\username.key.pub). The private key needs to be imported into PuTTYgen after which it can be saved in PuTTY’s .PPK format and used as previously described for Mac OS X and Linux. The only other point to note is that the sshd_config file is stored in %programfiles%\copSSH\etc and requires the same AllowTcpForwarding yes and PasswordAuthentication no settings as seen previously.

To access the desktop via VNC, I installed UltraVNC Server on the target machine noting there are two settings that need to be configured for a successful connection through the SSH tunnel:

A password must be defined for VNC connections.
Loopback connections must be allowed.

That’s fine for using an SSH tunnel to secure a VNC session, but why not tunnel remote desktop (RDP) connections to Windows servers instead of using VNC? In theory, all that should involve is changing the forwarded source port from 5900 (VNC) to 3389 (RDP) and setting the corresponding SSH port forwarding destination to localhost:3389 but Windows doesn’t like that, producing an error message as follows:

Remote Desktop Disconnected

The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.

One suggested fix is to change the destination to use another address from the loopback range (e.g. 127.0.0.2) but I found this just directed me to my own machine (as might be expected with a loopback). For a while, it looked as though the resolution would be related to a change made in Windows XP service pack 2, which prevents connections to loopback addresses other than 127.0.0.1, and Microsoft knowledge base article 884020 includes a hotfix that alters this behaviour but I don’t think it helped me much (I later removed the hotfix and didn’t notice any differences). Eventually I got things working by creating a new forwarded source port of 3390 and destination of localhost:3389 for SSH port forwarding, after which I could connect using mstsc /v:loopback:3390.

It’s been an interesting few days getting acquainted with using SSH tunnels to securely connect to remote systems running a variety of operating systems – hopefully posting my experiences here will be useful to others.

Secure, remote administration of a Linux computer from within Windows

Posted on Friday 23 March 2007Friday 23 March 2007 By Mark Wilson

Yesterday I wrote about using SSH to securely connect to a Mac from a Windows PC. At the time, I suggested that the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed and I’ve since tested it with a Linux machine (running Fedora Core 5).

The Linux process is almost identical to my original post for Mac OS X, except that:

The sshd_config file is found in /etc/ssh.
SSH is enabled in the firewall using the system-config-securitylevel command.
The SSH deamon is restarted using the service sshd restart command.
GNOME includes a VNC server called vino, which needs to be enabled (users of other graphical environments will need to choose an alternative VNC server).

(Also… RTFM… I spent a lot of time trying to work out why I couldn’t connect, only to find that I’d neglected to place the public key in ~/.ssh/authorized_keys).

Falko Timme has written an excellent tutorial on key-based SSH logins with PuTTY which outlines all the key steps (in fact, if I knew that existed then I wouldn’t have spent so much time writing up the process here!) but Jeremy Mates’ OpenSSH public key authentication article includes a useful troubleshooting guide for public key authentication problems.

VNC is all very well for forwarding the entire desktop, but X11 forwarding can be used to run individual X applications on the Windows machine. Because Microsoft Windows doesn’t include an X Window server, it is necessary to download an X11 port for Windows – I used XMing. Once XMing (and the XMing fonts) were installed and running, I edited my PuTTY connection to enable X11 forwarding and ensured that the sshd_config file on the Linux box included X11Forwarding yes (that was the default on my Fedora Core 5 installation) and could launch an xapplication from within the PuTTY terminal window with xapplicationname & (e.g. xeyes &) (I found this information at the Linux Documentation Project). XEyes is nothing special, so how about running a Linux application on the Windows desktop… try mozilla & or gimp & – it feels “wrong” but it’s also pretty impressive and oh so “right” at the same time!

Using XMing to run X11 applications on a Windows XP machine

Secure, remote administration of a Mac OS X computer from within Windows

Posted on Thursday 22 March 2007Friday 23 March 2007 By Mark Wilson

In a recent post about multimedia file format conversions, ripping DVDs, playback and more, I linked to a number of Mark Pilgrim’s “How To” articles; however there was one which wasn’t relevant to that particular post – how to use your Mac from anywhere (although it is intended for remote control of a Mac the advice should be equally applicable to a Linux system, or even to a Windows Server with an SSH server installed).

A few months back, I blogged about using creating an SSL VPN to access my network but Mark’s video explains how to open a single firewall port and use SSH to provide a secure tunnel through which other protocols (in this case VNC) can be run for remote administration of a single computer. I tried it earlier and it’s very straightforward. Best of all, the software involved is all freely available under open source licensing agreements!

I recommend downloading Mark Pilgrim’s video for a full explanation but the notes below explain what is involved (some of the Unix concepts may be unfamiliar to those more used to a graphical environment and my quick introduction to Linux for Windows administrators might be useful):

Download and install the PuTTY, PuTTYgen, Pageant and Plink SSH utilities on a Windows PC.
Using puttygen, generate a public/private key pair and protect it with a passphrase. Save the private key to a file on the Windows PC and copy the public key to the remote computer (e.g. within a text file transmitted via e-mail or FTP).
On the Mac, open a terminal session (either using the OS X Terminal application or an alternative such as iTerm) and enter the following commands from the home (~) directory:
- mkdir .ssh (this was already present on my machine as I already had the SSH server running).
- chmod 700 .ssh (again, I didn’t need to do this).
- chmod 600 publickeyfilename (the default permission set is 640).
- mv publickeyfilename .ssh/authorized_keys
- sudo nano /etc/sshd_config (non-admin users may need to su - to an admin account first as explained in my earlier post about running sudo as a standard user) and make the following edits:
  - Allow SSHtunnelling (also known as TCP forwarding or port forwarding) by changing #AllowTcpForwarding yes to AllowTcpForwarding yes
  - (Optionally) Prevent the use of usernames and passwords for login (the public/private key pair and passphrase will provide the security for the connection) by changing #PasswordAuthentication yes to PasswordAuthentication no
  - (OS X 10.4 only) Disable pluggable authentication modules by changing #UsePAM no to UsePAM no
- Exit nano and save the changes to /etc/sshd_config (exit to the original shell if su was previously used to escalate privileges).
- Generate an SSH key fingerprint (to prevent man-in-the-middle attacks) using ssh-keygen -l -f /etc/ssh_host_rsa_key.pub and make a note of the fingerprint.
Open TCP port 22 on any firewalls/routers between the Windows and Macintosh computers and enable port forwarding to the appropriate internal IP address (it may be necessary to apply a static IP address to the Mac but I prefer to use a DHCP reservation).
If the external IP address for the network is not static (mine is) then use a dynamic DNS service to assign a DNS name so that it may be located on the Internet.
Within the OS X System Preferences, Open Sharing and enable Remote Login (restart the service if it is already running in order to pick up the changes made earlier to /etc/sshd_config). Because password authentication has been disabled, remote login (SSH) will only be possible from a machine with the appropriate private key.
Although OS X includes Apple Remote Desktop, which is a VNC server, alternatives such as Vine Server (OSXvnc) offer additional functionality. In particular, VNC is insecure by default; however by selecting to only allow local connections (require SSH) and start the system server (i.e. run as a service, rather than in the context of a particular user), it is possible to run a secure VNC server each time the system is restarted.
At this stage, it should be possible to create an SSH tunnel to the Mac. On the Windows PC, run pageant which is a PuTTY helper application (SSH agent) to cache the passphrase for the private key, which adds a level of security if the PC is compromised but which would also become a nuisance if it needed to be repetitively entered. Add a key using the private key file generated in step 2 and enter the passphrase that was used when created the key.
Next, run putty and enter:
- The hostname/ipaddress in the basic session options.
- The auto-login username for the Macintosh for the connection data.
- The privatekeyfilename for SSH authentication.
- A new forwarded source port of 5900 and destination of localhost:5900 for SSH port forwarding.
Save the session with an appropriate sessionname and open the connection. On the first connection, the host key will be unknown; however the reported key can be compared with the one generated earlier to ensure that the host is the intended target computer. Assuming that all is well and the connection is allowed to continue, then a Welcome to Darwin! greeting should be displayed, along with a shell prompt.
- If the connection fails and there is a prompt for the private key then Pageant is not correctly configured.
- If there is a prompt for a password then /etc/sshd_config was not correctly edited.
Unless command line interaction with the Mac is required, the PuTTY window can be minimised. In order to create the SSH tunnel automatically at login, a startup shortcut can be created with the target of "%programfiles%\PuTTY\pageant.exe" privatekeyfilename -c "%programfiles%\PuTTY\plink.exe" sessionname
Finally, a graphical connection may be initiated with a VNC viewer such as UltraVNC. The connection should be made to localhost; however because localhost:5900 has been defined as the forwarded port in the SSH tunnel, the request is securely transferred to the VNC server on the Mac.

It’s worth noting that when I originally tried to test this configuration from a remote network I was unable to get past my employer’s firewall; however there are plenty of unsecured wireless networks around which I could use to test the connection!

Note that the original information that provided inspiration for writing this post is licensed under a creative commons attribution sharealike 2.5 license and consequently so is the information contained in this post.

Running sudo as a standard user in Mac OS X

Posted on Wednesday 21 March 2007Wednesday 21 March 2007 By Mark Wilson

Apple Mac OS X has its roots in a development of BSD Unix and as such the command line should be pretty familiar to most Unix sysadmins. It does have one significant security flaw though – the default privilege level for a user is admin (although, to be fair, that is not the same as root, which needs to be enabled manually if required). Such routine use of administrative privileges is a dangerous practice – one which many Mac users will be happy to criticise Windows for; however, unlike versions of Windows prior to Vista, it is perfectly easy to operate a Mac using the principle of least user privilege – indeed, I perform all of my Mac OS X activities as a standard user although I’m asked to authenticate using an admin account for certain activities (in a similar manner to Windows Vista user access control).

Rather than enabling root access, OS X uses the sudo command to temporarily escalate privileges when required in a terminal shell (Linux Box Admin has an interesting article comparing sudo with root); however, by default, sudo will not work for a standard user – when I tried to run sudo command earlier today I got the following response:

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type “man sudo” for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
username is not in the sudoers file. This incident will be reported.

I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su - adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell.

Nokia phone stops ringing

Posted on Wednesday 21 March 2007Thursday 31 May 2007 By Mark Wilson

Yesterday, when my mobile phone rang it played the awful Nokia tune (I would never set that as my ringtone). Today, it decided that it wouldn’t make any sounds at all when incoming calls were received (although once answered, calls worked as intended). Then I realised, of course, it’s a computer. Time for a reboot. Problem solved. Bloody computers.

Multimedia file format conversions, ripping DVDs, playback and more

Posted on Tuesday 20 March 2007Wednesday 31 December 2008 By Mark Wilson

Recently, I’ve had cause to convert various multimedia items between formats and it’s not always been straightforward. I’m still learning as DRM, codecs and platform-related issues often complicate the process but this post summarises what I learned along the way with:

Grabbing audio content from another application.
Trimming audio files down to a particular section.
Converting Flash video (.FLV) files to video (as well as converting between a variety of other video formats).
Ripping DVD content for playback on the computer.
Playing Windows Media content on a Mac.
Playing QuickTime content in full-screen mode without buying QuickTime Pro.

I carry out most of my multimedia work on a Mac but some of these solutions will be equally applicable to Windows and possibly even to Linux users.

Grabbing audio content from another application

I’ve just three words to say that will describe how I did this – Audio Hijack Pro – a great application from Rogue Amoeba which takes the audio from any running application and allows it to be recorded.

Trimming audio files down to a particular section

In this scenario, I had about half an hour’s worth of audio, but only wanted to publish a section which was about 3 minutes in length. Apple QuickTime Pro will let me trim tracks, but didn’t seem to let me set the start and end points as accurately as I needed. There is another Rogue Amoeba application that I could use for this (Fission) but tasks like this are pretty rare for me and I didn’t want to pay $32 for what could potentially be a single use (the demo version inserts fades into the track to encourage purchase of the full software which seems fair enough as at least it lets me try before I buy). Instead, I used MP3 Trimmer from Deep Niner – the interface may not be as good as Fission’s, but it’s a fully-functional demo with no time limits and registration is just $10.95 should I find myself needing to trim MP3s more often.

Converting Flash video (.FLV) files to video (as well as converting between a variety of other video formats)

I spent all afternoon yesterday trying to work this one out – I had a bunch of Flash videos which I had downloaded from a website and although I could play them using Eltima Software’s SWF and FLV Player, I wanted to play them in iTunes. After searching the net for hours all roads seemed to lead to a Windows application that would convert the files to MPEG4 format for me (Moyea FLV to Video Converter). The demo version of this application inserts a watermark in the centre of the video (again, that’s fair enough – this is try before you buy) but as I really wanted something for my Mac I decided not to part with the $39.95.

Later that evening, my friend Alex recommended Perian to help me out with problems ripping a DVD (see below) and I found out that the Perian component for QuickTime had already been installed (probably when I had a quick look at the Democracy Player a few weeks back) so QuickTime could already play back my .FLV files! Because I have QuickTime Pro, it can also save the files as .MOVs although I’ve since found Vixy – an online service that will also carry out the conversion from Flash video to a variety of MPEG4 video formats including .AVI/.MOV/.MP4 and .3GP or to .MP3 (audio only).

After I’d done all this, Alex (who really should blog more often about the huge volumes of Mac and Internet-related stuff that he knows and I don’t) told me that he uses iSquint for converting Flash Video for iTunes playback. I had been under the impression that iSquint would reduce the picture size for iPod playback but it seems it can also retain TV size (whatever that is). iSquint also has a grown-up brother – Visual Hub – and, although I haven’t used it yet, it looks to be a pretty useful program which “bridges the gap between numerous complicated video formatting standards”.

Another toolset which may be useful is ffmpegX, which provides a Mac OS X interface to a number of open-source video and audio processing tools. There’s also the Apple QuickTime MPEG-2 Playback component, which enables QuickTime to play Video CD (MPEG1) and DVD (MPEG2) content and even convert them to MPEG4.

Ripping DVD content for playback on the computer

Ripping DVDs. Surely that’s illegal? Only if I then pass copies on to others, which of course I won’t, will I? Let’s be clear from the start that I’m only talking about backing up legally purchased content for personal use.

One application commonly used to make backup copies of DVDs is Mac the Ripper. There is a Windows application called DVDShrink (which allows the DVD content to be reauthored and if necessary “shrunk” to fit on a standard DVD) but to simply rip a copy for local playback the most commonly used application is HandBrake (also available for a while as MediaFork but the two development streams have now merged and future versions will be known as HandBrake). I was having problems using this last night but once I stopped trying to rip at a constant quality of 100% quality (and stuck with the default setting of an average bitrate of 1000kbps – perfectly acceptable for computer playback) everything was fine.

Others have written better guides on this than me… you can find some here:

From Mark Pilgrim:
From Mac for beginners: importing DVDs with HandBrake.
From Digital 501: travelling with movies on a Mac (the comments offer some great tips for saving battery life whilst watching movies).

Playing Windows Media content on a Mac

Although I have a copy of Windows Media Player 9 for Mac OS X (which I think came with Office 2004 for Mac), Microsoft discontinued development of this product a while back and now distributes the free Flip4Mac Player as the Windows Media Components for QuickTime. Unfortunately there is no support for content that is protected with Windows Media digital rights management (DRM) but I’m sure there are cracks and workarounds for those who are motivated to do so… if the BBC distributes content in Windows Media format (therefore cutting out Mac and Linux users) then I might even have a look myself… the Wikipedia article on DRM is a good place to start.

Playing QuickTime content in full-screen mode without buying QuickTime Pro

Apple QuickTime Pro it is a handy application for $29.99 (although, yet again Apple rips us off in the UK with a dodgy exchange rate so it’s Â£20 here) as it can be extended to play other media formats (as discussed above); however one of the Pro benefits is playing content in full-screen mode. It seems that Mac users can trick the standard QuickTime application into playing content in full-screen mode using a little AppleScript. For QuickTime users on Windows, I wrote about some methods for full-screen MPEG4 playback last year – including simply playing the content through iTunes!

I hope this pile of multimedia tips has been useful. Comments are welcome from those who have other free or low-cost solutions to contribute to the mix.

I can’t get no sleep

Posted on Sunday 18 March 2007Wednesday 31 December 2008 By Mark Wilson

I’ve just got home from the first night of the new Faithless tour and am pleased to say that it was a great night out (even though we couldn’t get standing tickets and were high up in the seated area at the side of the venue).

Although I’d heard the first track (Bombs) on Radio 1, I didn’t have a copy of the new album (To All New Arrivals) and so hadn’t listened to it until we were on the way to the gig (Stuart brought a copy with him for the car). I was reasonably impressed after the first play (it’s very chilled) and it will definitely grow on me over time. Although the tour is clearly promoting the new album the set didn’t just include new tracks – old favourites like Insomnia, God is a DJ, We Come One and Salva Mea were in there too.

For anyone who has doubts about a live performance by an electronic act it works really well – in the late 90s, I saw The Chemical Brothers at the Glastonbury Festival and that was really just a DJ set in a marquee but then, a couple of years back, I saw Moby supporting Robbie Williams at Knebworth and that gig was huge (about 120,000 people each day). About 9000 people were watching Faithless tonight and the atmosphere was electric.

Faithless at Nottingham Arena, 17 March 2007 Oh yes, and in case you’re wondering what a 34-year-old father of two is doing at a Faithless gig – that’s the great thing about dance music – even crusties like me can have a good time (although I remember when people held lighters up in the air – these days it’s mobile camera phones)!

Links

Faithless (iTunes).
Official Faithless website.
Faithless podcast (only two episodes so far but includes a trailer for the new album including live footage from a previous performance and a high-definition version of the video for Bombs – banned by MTV and very thought provoking as the UK’s present war-mongering administration prepares to invest in upgrading its nuclear arsenal…).

Be careful when mixing wireless Ethernet devices

Posted on Thursday 15 March 2007Friday 16 March 2007 By Mark Wilson

It’s well known that the proprietary extensions employed by some vendors to increase the speed/range of their wireless Ethernet (IEEE 802.11) equipment can cause issues (and sometimes refuse to work with one another at all); however there is something else to consider when working with older wireless kit – the network will automatically slow down to match the slowest device. Added to the fact that wireless networks already share bandwidth (WiFi is not switched), even a fast network could well have dropped to the lowest common denominator and may be operating at 11Mbps (or slower) because of a single 802.11b adapter.

When I upgraded my wireless network to 54Mbps 802.11g, I left my wife’s PC untouched because I didn’t want to inadvertently affect her business. When I finally upgraded her PC this evening I removed the legacy Compaq WL110 card and saw an instant improvement in file transfer speeds across the wireless link from our office to my server!

With high-speed 802.11n (draft) equipment coming onstream, it’s important to remember that upgrading the network is not enough and for the full benefits to be achieved will be necessary to upgrade every connected device too – including all those laptops with built-in wireless capabilities – potentially a very costly exercise.

Mac OS X keyboard shortcuts

Posted on Tuesday 13 March 2007Friday 18 May 2007 By Mark Wilson

After my backup hard disk failed a couple of weeks ago, I needed to be sure that a hard reset of my Mac hadn’t damaged anything so I fired the machine up in single user mode and ran AppleJack.

As it happened, there was nothing wrong, but there’s no harm in a bit of preventative maintenance from time to time; however I had forgotten the keypress to bring Mac OS X up in single user mode – for future reference, Apple has a document which details OS X keyboard shortcuts.

Looking forward to Windows Server Virtualization

Posted on Monday 12 March 2007Sunday 8 April 2007 By Mark Wilson

Okay, I’m English, so I spell virtualisation with an “s” but Windows Server Virtualization is a product name, so I guess I’m going to have to get used to the “z” in the title of this post…

Over the last year-or-so, much of my work has been concerned with server virtualisation technologies from both Microsoft and VMware (I haven’t really looked at the SWsoft Virtuozzo or Parallels products yet, although I am interested in some of the desktop integration that the latest version of Parallels Desktop for Mac offers). The majority of my efforts have been focused on consolidating server workloads to increase operational efficiency (hence the lack of focus on desktop products) and even though Microsoft Virtual Server 2005 R2 is a very capable product, it is severely constrained by two main factors – a hosted architecture and a lack of management products – consequently I find myself recommending VMware Virtual Infrastructure because Microsoft doesn’t have a product that can really compete in the enterprise space.

Yet.

A couple of years back, I wrote about Microsoft’s intention to move from hosted virtualisation to a hypervisor-based architecture (in VMware product terms, this can be compared to the differences between VMware Server and VMware ESX Server) and Windows Server Virtualization (codenamed Viridian) is the result.

Last week, I was alerted (by more than one Microsoft contact) to the presence of a video in which Jeff Woolsey – Lead Programme Manager Windows Server Virtualisation team – demonstrates Windows Server Virtualization and System Center Virtual Machine Manager and, if it does everything that it promises, then I see no reason not to use the Microsoft platform in place of VMware ESX Server and Virtual Center for the majority of enterprise clients.

I’ve never doubted Microsoft’s ability (given sufficient time) to grab a huge slice of the x86 server virtualisation market and later this year we should see a new version of Windows Server (codenamed Longhorn) arrive along with Windows Server Virtualization. Soon after that, unless VMware produce something pretty fantastic, I predict that we’ll start to see Microsoft increasing its dominance in the enterprise server virtualisation market.

In the video I mentioned above, Jeff demonstrates that Windows Server Virtualisation runs as a role on Windows Server Core (i.e. a lightweight version of the Windows Server operating system using fewer system resources), allowing for an increase in the number of running virtual machines. Because Windows Server Core uses a command line interface for local administration, most access will be achieved using remote management tools (VMware ESX Server users – does this sound familiar?). Microsoft are keen to point out that they can support an eight-core virtual machine, which they consider will be more than enough to cover the vast majority of enterprise-class workloads; however I imagine that VMware would release a patch to allow this on ESX Server should it become necessary (they already support 4-core virtual SMP).

Continuing to look at what Windows Server Virtualization will offer, according to Microsoft UK’s James O’Neill:

There will be no support for parallel ports and physical floppy disks – floppy disk images will be supported.
The remote management protocol will change from VMRC to RDP.
The virtualization layer will provide the RDP support (rather than the guest operating system) so there should be no more of a problem getting to the machine’s BIOS or accessing guest operating systems that don’t support RDP than there is today with VMRC.
The web console interface has been replaced with an MMC interface.
It will not be a chargeable product (as for Virtual Server 2005 R2 and Virtual PC 2004/2007); however what James doesn’t point out (and that I think is likely) is that the management products (see below) will have a cost attached.
Windows Server Virtualization will require 64-bit processors (in common with most of the Longhorn Server wave of products).
It will support 64-bit guests.
It won’t be back-ported to Server 2003 (even 64-bit).
It will support today’s .VHD images.

What I have not yet managed to ascertain is whether or not Windows Server Virtualization will allow the overcommitment of resources (as VMware ESX Server does today).

From a management perspective, Microsoft is planning to release a new product – System Center Virtual Machine Manager (VMM) to manage workloads or both physical and virtual resources including a centralised console and new functionality for P2V and live migrations. VMM will organise workload by owner, operating system or user-defined host group (e.g. development, staging and production) as well as providing direct console access to running virtual machines (very like VMware Virtual Center). For the other side of management – that of monitoring the health and performance of physical and virtual workloads – there will be System Center Operations Manager 2007 (a replacement for MOM).

In my experience of implementing virtualisation in an enterprise environment it’s not the technology that presents the biggest issues – it’s the operational paradigm shift that is required to make the most of that technology. Overcoming that hurdle requires a strong management solution, and that’s where Microsoft has been putting a lot of work in recent years with the System Center range of products.

Until now, it’s the management of Virtual Server that has been the product’s Achilles’ heel – the combination of VMM and Operations Manager will provide a complete solution for both physical and virtual workloads – and that is potentially Microsoft’s unique selling point – competing products from VMware require learning a new set of tools for managing just the virtual infrastructure, whereas Microsoft is trying to make it easy for organisations to leverage their existing investment in Windows Server administration.

Quoting Mike Neil, Microsoft GM for Virtualisation Strategy in a recent post on where [Microsoft’s] headed with [virtualisation] (via John Howard):

“We want to make Windows the most manageable virtualization platform by enabling customers to manage both physical and virtual environments using the same tools, knowledge and skills”

They may just pull it off – Windows Server Virtualization plus Virtual Machine Manager and Operations Manager may not be as all-encompassing as VMware Virtual Infrastructure but it will come close and it’s probably all that many organisations are ready for at the moment.

markwilson.it

get-info -class technology | write-output > /dev/web

Month: March 2007