Google Developer Day 2008

In the past, I’ve been accused of writing too much Microsoft-focused content on this blog and, in my defence, this blog advertises itself as follows:

“Originally created as a place for me to store some notes, this blog comments on my daily encounters with technology and aims to share some of this knowledge with fellow systems administrators and technical architects across the ‘net. Amazingly, it’s become quite popular!”

My daily encounters with technology… well, as I’m an infrastructure architect who (mostly) works with Microsoft products, that would explain the volume of Microsoft stuff around here… but in order to be credible (and retain some objectivity) when I’m talking about Microsoft products, I’m also interested in what their competitors are doing. That’s why I’m also a Mac user and I dabble with Linux from time to time; my website uses an open source CMS (WordPress), running on Linux, Apache, MySQL and PHP (classic LAMP); I keep an eye on what VMware is up to; and, as well as using a bunch of Google products on the web I recently started using Google Apps for e-mail, calendar and contacts.

Google Developer Day 2008

Since the Microsoft-Yahoo! merger-that-wasn’t, I’ve become increasingly interested in Microsoft’s online offerings and consequently I’m also watching the dominant force in Internet search as they expand into other areas online – that’s why I spent today at the Google Developer Day 2008. Aside from being an opportunity to visit the new Wembley Stadium (I do think they should have incorporated the iconic twin towers from the old stadium somewhere in the new structure), it’s a chance for me to find out a little about the technologies that Google is pushing right now. I feel a bit of a fraud as I’m not really a developer but I answered the registration form truthfully and Google accepted me here, so I guess that’s OK!

Over the course of the day, I noted some brief (and sometimes frivolous) highlights from the various sessions – think of it as a microblog in one post. Where I understand enough of the dev stuff, I’ll follow up with more detail later…

Stage at Google Developer Day 2008

[08.20] Right from the off, it’s been a positive experience. After arriving at the venue almost an hour before registration was due to commence, I was allowed in, invited to have a coffee and some breakfast, and a really helpful guy went and found me my delegate badge. Now I’m sitting here enjoying the free Wi-Fi (and grabbing one of the few seats that’s situated next to a floorbox so I can keep my notebook PC’s battery charged during the keynote).

Google Developer Day 2008 - rooms named after classic arcade games

[8.55] As I sat in the “Space Invaders” room waiting for the keynote session to begin, I was thinking that only Google would name the session rooms after classic computer games. Now it all makes sense… I just heard that the keynote will include the first public demo of the Android phone!

[9.10] Someone just changed the SSID on the Wi-Fi and I lost my connection mid-post… arghhh!

[9.30] I now have the rest of my delegate pack… including a snazzy gift-wrapped parcel…

Green parcel from Google Developer Day 2008

containing…

Little green Google man from Google Developer Day 2008

Little green man USB key from Google Developer Day 2008

A little green man… hang on… he’s removed his head – what’s he doing inside my Mac?

(It’s OK, he’s just giving me a copy of all the materials I might need to make the most of today).

[09:59] Why can’t Microsoft events be this much fun?

[10:00] The keynote is about to start…

[10:25] This keynote has lots of slides, few words, lots of pictures. I like it. Whatever the opposite of death by PowerPoint is, this is it.

[10:30] Mike Jennings is performing the first European demo of Android – the open source mobile stack.

Android demo at Google Developer Day 2008

[10:50] The keynote was an overview of what Google is doing to help people develop for the web. Highlights were:

  • The theme for today is client-cloud-connectivity:
    • Making the client more powerful.
    • Making the cloud more accessible.
    • Connecting pervasively.
  • Google Chrome is 100% open source (based on WebKit and the V8 JavaScript engine), designed to support today’s rich Internet applications.
  • Gears is a browser plugin to enable web application functionality that was previously only available on the desktop.
  • Google has two types of API – the various data APIs and those which provide AJAX functionality – both are designed to make Google services programmatically accessible.
  • Google App Engine allows organisation to run their application on the Google infrastructure in an attempt to overcome the financial and administrative hurdles associated with traditional computing.
  • Android provides a mobile application stack.
  • Google Web Toolkit (GWT) allows applications to be written in Java and run in cross-browser compiled JavaScript.
  • OpenSocial provides a family of APIs for connecting social websites.

Android at Google Developer Day 2008

[11:10] Hoping to learn more about Android in Mike Jennings’ session “An introduction to Android”…

[11:15] There’s no code in this session… I should be able to cope then ;-)

[11:25] Mike seems a nice guy but he’s clearly learning this deck as he goes…

[11:30] Into Q&A already?!

[11:50] 35 minutes to go and the Q&A is getting hard for the presenter… what’s interesting to me is that this Google-led presentation has degenerated into a group of developers and users feeding back to Google on things like security, usability, and other common considerations for mobile application development that don’t seem to have been considered. Some of the questions are tough… but that should be expected given the forum.

[12:00] He’s desperate to end this session (twice now he’s asked how much longer to go on for…). Poor guy – I feel really sorry for him the way this session has gone but there was nothing here that shouldn’t have been expected. Hopefully Google has a better idea of the state of the mobile market than this session would indicate.

[12:05] There’s a guy on the front row writing a book: Professional Android Application Development (to be published by Wrox with a November 2008 release date).

[12:20] It seemed to me that Mike was strangled by the Google PR machine but, thanks to his great sense of humour, he still managed to end the session on a high note. Key points were:

  • Based on a poll of the room, around 50% of people have more than one mobile handset; 25% of people have no land-line at home; and there was no-one here that does not have a mobile. This should be caveated heavily – this was a room full of geeks – but it is nevertheless an interesting study.
  • Android is an open mobile handset project: an open development model; open to the industry (free to carriers/manufacturers/enthusiasts); open to the developer with the ability to integrate at a deep level in the stack (e.g. replacing the dialler).
  • The Android runtime environment is implemented in Java running on a Linux kernel. Some classes are unavailable (i.e. those that are not relevant to mobile computing).
  • Android should be expected during the 4th quarter of 2008.
  • Google appears unprepared for the questions that will be asked of any new platform around security, usability, upgradability – or even why people would choose Android over more established competition. Maybe they are prepared but, to quote Mike Jennings, “these kind of questions are over my pay grade”.

[12:25] Ooo! Curly Wurlys on the snack table!

[12:30] I like geek t-shirts – I just saw one which said “Gears – we power the Tubes”

[12:35] In this session Aaron Boodman will be talking about Google Gears… let’s hope that he is allowed to say more than Mike Jennings was.

[13:10] Great session – gave me just enough to learn something about the APIs that Gears provides. Key points were:

  • Gears is a browser extension which provides JavaScript APIs for web application development, available for Internet Explorer (5 or later), Mozilla Firefox (1.5 or later), Windows Mobile, Chrome (which is built on Gears) and now Safari. Android will support Gears (at the moment it just has a stub API).
  • Gears is now a year old and has dropped its Google prefix.
  • Gears is not just about offline access to web applications although the initial implementation was about a database, local server and worker pool.
  • APIs include desktop shortcuts, file system, binary object access and geolocation.

[13:15] I’ve just managed to sneak a quick peek outside at the stadium itself – it’s very impressive. We’ve been asked not to use any photos that identify Wembley Stadium for commercial purposes but this is just a personal snapshot (actually, it’s five of them, stitched together in Photoshop CS3).

The new Wembley Stadium

(Someone seems to have stolen half the pitch…)

[13:30] Fooling around whilst waiting for lunch…

Me at Google Developer Day 2008

[14:50] I thought that my web access was fast here… I just ran a speed test and I’m getting about 14Mbps! This is the best Internet access I’ve ever had at a conference.

[14:55] Looking around the delegates it seems that Macs are pretty common among developers who follow Google technologies! I reckon I’ve seen 2-3 MacBooks for every PC laptop here today (and several of the PCs I saw were running Linux)… as someone who lives primarily in the Microsoft world, this is an interesting experience.

[15:00] Ryan Boyd is just starting to talk about mashing up Google APIs… hopefully I can keep up!

[16:10] That was hard work but I just about held in there… Ryan demonstrated a number of APIs working together, including example code. A few points to note:

  • AtomPub is used to define feeds (mostly for blog syndication), made up of entries containing additional information.
  • Four methods are applied to feeds (create, retrieve, update, delete) and these relate to the equivalent HTTP communications (post, get, put, delete).
  • Standard HTTP status codes are returned.
  • Google has extended AtomPub to provide:
    • A data model.
    • Batch operations.
    • Authentication (client login with username and password, AuthSub or OAuth).
    • Alternate output formats for non-Atom data (e.g. RSS, KML, JSON).
  • The OAuth Playground is a good place to understand how OAuth authentication works – AuthSub is similar in some ways and has been around longer but OAuth is a standardised implementation and should grow over time.

[16:20] My little green man now has some blue and red playmates.

[16:25] Next up, Google Web Toolkit (GWT): the technical advantage, presented by Sumit Chandel. This will also be developer heavy (this is a developer day after all!) so I may struggle again…

[16:35] Just noticed that quite a few people are using sub-notebook PCs here…

[16:50] And I’ve never seen as many stickers on PCs as I have today… maybe that’s a dev thing too?!

[17:15] Into Q&A now, I won’t understand the answers but to summarise the key points from the GWT session:

  • GWT allows developers to write AJAX applications more quickly, compiling Java into optimised JavaScript and employing techniques such as deferred binding to ensure that only those elements that are required for the local browser implementation are used.
  • Browser quirks are no longer a problem – GWT handles these for all supported browsers.
  • With GWT, there are no more memory leaks! A bold statement and actually there may be some where JavaScript native interface (JSNI) calls are made but there should be none for pure GWT applications (read more in Joel Webber’s article on DOM events, memory leaks and you).
  • GWT adds history support to AJAX applications with its implementation of really simple history (RSH).
  • GWT enables code reuse through design patterns.
  • Faster application development is accommodated using IDEs such as Eclipse and other Java tools but, specifically, GWT allows for debugging in bytecode.

[17:20] Just swapped my evaluation form for a t-shirt… my kids will love the Google icons on the front!

Google Developer Day 2008 T-Shirt

[17:45] Google has a new UK developer blog – and they just showed us a cool wrap-up video from the day – hopefully that will be on YouTube later. [Update: here it is, courtesy of Youtube]:

[17:50] Look! A Googler – complete with lab-coat!

Google employee with labcoat at Google Developer Day 2008

[17:55] Mmm… beer!

[17:55] And the fun continues… with giant Chess, Connect 4, Jenga, arcade games (including Pacman and Space Invaders), Mega Blocks… and… somewhat bizarrely, a PHP Elephant!

PHP Elephant

[18:15] Whilst chatting with Tim Anderson, he made a very valid point that I hadn’t considered whilst I was getting excited about technology – Google is an advertising company and, unlike Microsoft or any of the other vendors that I enjoy a relationship with, they don’t need to sell software – they just want people to use their search, etc. and if their vision of the web continues to develop the ad revenues should keep on rolling in too.

[18:20] Just looked out of the window and saw that the turf is slowly returning to Wembley’s pitch. Only about a quarter missing now!

[18:35] Now that is a good use for the presentation projectors… Wii Sports/Guitar Hero II!

Playing games on the projectors after Google Developer Day 2008

[18:55] Mmm… pizza!

[20:00] I really should head home now!

I’ve really enjoyed this event – a fantastic opportunity to learn more about Google’s developer tools and APIs and, who knows, I may even get around to implementing some of them here (if this site ever gets its long awaited AJAX overhaul). From chatting with the event organisers, I learned that this was the second annual Google Developer Day in the UK and there were just over 500 people here today. Google is looking to run more events as their portfolio expands – possibly even some smaller, more focused, events but, for me, this was the perfect balance between a conference (for which my employer is unlikely to support attendance, based on recent experience) and the shorter events – providing a small amount of information on a wide variety of topics.

Hopefully I’ll be at next year’s GDD too. As for the Microsoft posts… normal service will be resumed at 9am tomorrow.

Active Directory design considerations: part 2 (forest and domain design)

Having set the scene for this series of posts, the first area to examine is Active Directory forest and domain design.

Bearing in mind the key principle that requirements should dictate design, and that the solution should be as simple as possible, AD designers should look to consolidate wherever possible: a single forest (with a single domain) should be the starting point, after which any requirements for scaling out can be considered.

Reasons for implementing multiple forests include:

  • Multiple schemas (to avoid application conflicts).
  • Resource forests (deliberate isolation).
  • Distrust of forest administrators (autonomy).
  • Legal regulations around application/data access.
  • Requirements to be disconnected for long periods (e.g. on a ship).

Forest design models

Single organisational forest

The single organisational forest is the starting point. In this model, users, computers and applications are all in the same forest, providing a simple Active Directory. One major advantage of having a simple AD is that many application designs will also be simplified (e.g. Exchange Server or MOSS) and delegation of administration is still possible; however it is absolutely essential that forest-level administrators are trusted.

To mitigate the risk of rogue administrators, many organisations rely on detection (auditing and monitoring security logs – flagging any events after the fact). In many cases the effort of implementing an extra forest outweighs the risk of an exploit from a rogue administrator. Other mitigation steps include keeping highly privileged groups (e.g. Enterprise Admins and Domain Admins) empty (or at least down to a minimal number of users) and closely monitoring membership as well as implementing two-factor authentication for highly privileged accounts.
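The membership monitoring described above can be scripted. The following is an added example, not code from the original post or from Microsoft: it compares the current members of the highly privileged groups against an approved baseline and flags any drift. It assumes the ActiveDirectory PowerShell module (RSAT for Windows Server 2008 R2 or later) and an account able to read group membership; the group list and baseline accounts are placeholder assumptions.

```powershell
# Added example (not from the original post): audit privileged group membership
# against an approved baseline so that unexpected additions are detected quickly.
# Assumes the ActiveDirectory module; group names and baseline are assumptions.
Import-Module ActiveDirectory

# Groups the post says should be empty, or kept to a minimal set of users.
$privilegedGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators')

# Approved leaf members (sAMAccountNames) per group. Constructed placeholder values:
# 'Administrator' is the built-in account that is a member of these groups by default.
$approved = @{
    'Enterprise Admins' = @('Administrator')   # add people only for forest-wide changes
    'Schema Admins'     = @('Administrator')   # add people only during schema updates
    'Domain Admins'     = @('Administrator', 'ad-breakglass')
    'Administrators'    = @('Administrator', 'ad-breakglass')
}

function Get-PrivilegedGroupDrift {
    param([string[]]$Groups, [hashtable]$Baseline)

    foreach ($group in $Groups) {
        # -Recursive expands nested groups to their leaf objects, so a user who
        # has been granted rights indirectly (via a nested group) is also seen.
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            Select-Object -ExpandProperty SamAccountName)

        $expected   = @($Baseline[$group])
        $unexpected = @($members  | Where-Object { $_ -notin $expected })
        $missing    = @($expected | Where-Object { $_ -notin $members })

        [pscustomobject]@{
            Group      = $group
            Count      = $members.Count
            Unexpected = ($unexpected -join ', ')
            Missing    = ($missing -join ', ')
            Drift      = ($unexpected.Count -gt 0) -or ($missing.Count -gt 0)
        }
    }
}

$report = Get-PrivilegedGroupDrift -Groups $privilegedGroups -Baseline $approved
$report | Format-Table -AutoSize

# Any drift is something to investigate, not silently accept: exit non-zero so a
# scheduled task or monitoring agent can raise an alert on it.
if ($report | Where-Object { $_.Drift }) { exit 1 }
```

Run it on a schedule and keep the baseline under change control; a change to the baseline file should itself be a reviewed event.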

Multiple organisation forest model

The multiple organisation forest model is applicable where there are distinct business groups that require limited sharing of resources whilst retaining autonomy and isolation. In this model users, computers and applications all exist within their respective forests and a trust (1 or 2 way, as appropriate) is established, with selective authentication to control the rights granted from one forest to the other.

This model can be costly and often causes additional complexity (e.g. if Exchange Server is used in the two organisations, then identity management tools may be required for calendar and contact information).

Shared resource forest model

According to Microsoft, the shared resource forest model is gaining in popularity as it provides flexibility as organisations are created and merge but require some sharing of resources. Users and computers exist in the appropriate account forests and trusts are created as necessary to access application(s) in a separate resource forest.

With this model, an application such as Exchange Server would be installed into the resource forest (as a single organisation) and the users in the account forests would see the global address list from the resource forest, avoiding the need for directory synchronisation tools.

Potential downsides of this approach are the extra servers that will be required and the corresponding management overhead; however it is flexible and is commonly deployed.

Shared account forest model

The shared account forest model is similar to the shared resource forest model except that a common account forest is used for all users and computers, with various resource forests deployed for restricted access to data and applications and corresponding trust relationships with the account forest. With this model, users can log on anywhere but some control is exercised over their access to applications and data.

This model might also be used in an extranet scenario – for example MOSS in an extranet forest but with access provided to internal accounts using a forest trust or through ADFS.

Considerations for domain design

Having decided on the overall forest structure, domain design needs to be considered and this is also simplified where a single domain exists within each forest (this is the most straightforward, and hence least expensive, option to implement, manage and recover). Multiple domains may need to be considered:

  • Where there is a large number of frequently changing attributes.
  • To reduce replication.
  • To control replication over slow links.
  • To preserve legacy Active Directory structures.

With Windows Server 2008, it is no longer necessary to implement a separate domain where an alternative password policy is required (e.g. PIN access for mobile users) as Active Directory Domain Services supports fine grained password policies. Note that these policies are not applied at an organizational unit (OU) level but through group membership or at an individual user level. To aid when troubleshooting application of multiple policies, Microsoft recommends that security groups are used for policy application and users added to groups accordingly.
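The following is an added example, not code from the original post or from Microsoft, showing the group-based approach recommended above: it creates a password settings object (PSO), links it to a security group rather than to individual users, and then uses the resultant policy check that makes troubleshooting easier when several PSOs overlap. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), a domain at Windows Server 2008 functional level, and placeholder names for the group, policy and user.

```powershell
# Added example (not from the original post): a fine-grained password policy for
# the "PIN access for mobile users" case, applied via a security group.
# Assumes the ActiveDirectory module; group/policy/user names are assumptions.
Import-Module ActiveDirectory

$groupName  = 'FGPP-MobilePIN'          # security group that carries the policy
$policyName = 'PSO-MobileUsers-PIN'
$sampleUser = 'jsmith'                  # constructed placeholder account

# 1. A global security group: membership, not OU placement, drives the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Members receive the mobile-user PIN password policy'
}

# 2. The PSO. Lower precedence wins when a user matches more than one policy.
#    The shorter PIN is compensated by a tight lockout threshold and a short
#    maximum age; other settings keep the cmdlet's defaults.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 100 `
        -MinPasswordLength 6 -ComplexityEnabled $false `
        -MaxPasswordAge (New-TimeSpan -Days 30) -PasswordHistoryCount 12 `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# 3. Link the PSO to the group once, then manage users through the group only.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
Add-ADGroupMember -Identity $groupName -Members $sampleUser

# 4. Troubleshooting: which policy actually applies to this user after all
#    group memberships and precedences are taken into account?
function Get-EffectivePasswordPolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { 'Default Domain Policy' } else { $pso.Name }
}

Get-EffectivePasswordPolicyName -SamAccountName $sampleUser
```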

A domain is a replication boundary but whereas with Windows 2000 network links were poor, these days bandwidth is more plentiful and controls may be exercised over replication. Microsoft considers that the only real hard limit is the maximum number of domain controllers, which was around 1200 under Windows Server 2003 due to the limitations of sysvol replication using the file replication service (FRS). With Windows Server 2008 this is no longer a concern, once the domain has been switched to use DFS-R for replication.

In short, there are very few technical reasons for separate domains; however this may be influenced by political concerns.

Forest and domain functional levels

Forest and domain functional levels can drive requirements for domain design, with consideration due to migration vs. an in-place upgrade. On the face of it, in-place upgrades seem simple, but the health of the existing AD needs to be considered. If the domain has been upgraded previously from Windows 2000 to 2003, there may be older groups in place which do not use linked value replication, or there may be issues around strict replication consistency.

The basic changes at each level are:

  • Windows Server 2003 interim forest functional level:
    • Linked value replication.
    • Different replication compression ratios.
    • Improved knowledge consistency checker.
  • Windows Server 2003 forest functional level:
    • Forest trusts (and selective authentication).
    • Deactivation of attributes within the schema.
    • Domain renaming.
    • Read only domain controllers (requires Windows Server 2008, plus schema updates).
  • Windows Server 2008 domain functional level:
    • Fine-grained password policies.
    • DFS-R for sysvol.
    • Last interactive logon information.

Domain naming

Domain naming ought to be the simple part of the design; however it is often heavily influenced by politics. Whilst domain renames are possible, it’s generally not advised due to the potential impact on other applications.

For each domain, there are two names to consider – NetBIOS and DNS.

The NetBIOS name must not exceed a maximum length of 15 characters and must be unique on the network.

Meanwhile, Microsoft recommends that the DNS name does not duplicate an existing Internet domain name and is registered with InterNIC (to prevent future conflicts; this also means that once-common naming conventions such as .local are no longer recommended).

In general, the NetBIOS and the domain portion of the DNS names should be made to match one another as many tools expect one to be derived from the other; however single label names should not be used as they cannot be registered and may cause issues with certain applications (Microsoft knowledge base article 300684 has more details). Also, the name should not represent a business unit or division (as this is likely to change over time).
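The naming rules above are easy to check before a forest is built and hard to fix afterwards. The following is an added example, not code from the original post or from Microsoft: a validation function for a proposed NetBIOS/DNS name pair covering the 15-character limit, the single-label rule, the .local convention and the NetBIOS/DNS match. It needs no AD module; the sample names are constructed.

```powershell
# Added example (not from the original post): sanity-check proposed domain names
# against the rules discussed above. Sample names below are constructed.
function Test-AdDomainNames {
    param(
        [Parameter(Mandatory)][string]$NetBiosName,
        [Parameter(Mandatory)][string]$DnsName
    )
    $problems = @()

    # NetBIOS: maximum 15 characters; keep to letters, digits and hyphens.
    if ($NetBiosName.Length -gt 15) { $problems += 'NetBIOS name exceeds 15 characters' }
    if ($NetBiosName -notmatch '^[A-Za-z0-9-]+$') { $problems += 'NetBIOS name contains unsupported characters' }

    # DNS: single-label names cannot be registered and break some applications;
    # each label must be a valid hostname label (63 characters or fewer).
    $labels = $DnsName.Split('.')
    if ($labels.Count -lt 2) { $problems += 'DNS name is a single label' }
    if ($labels | Where-Object { $_.Length -gt 63 -or $_ -notmatch '^[A-Za-z0-9-]+$' }) {
        $problems += 'DNS name contains an invalid label'
    }

    # Unregistrable suffixes such as .local conflict with the "register it" advice.
    if ($labels[-1] -eq 'local') { $problems += '.local cannot be registered with a registrar' }

    # Many tools derive one name from the other, so the NetBIOS name should
    # match the leftmost DNS label (comparison is case-insensitive in PowerShell).
    if ($labels.Count -ge 2 -and $NetBiosName -ne $labels[0]) {
        $problems += 'NetBIOS name does not match the first DNS label'
    }

    # Uniqueness on the network and "do not name after a business unit" are
    # checks against your own environment and org chart, not the string itself.
    [pscustomobject]@{
        NetBiosName = $NetBiosName
        DnsName     = $DnsName
        IsValid     = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Constructed examples: the first passes, the second collects several problems.
Test-AdDomainNames -NetBiosName 'CORP' -DnsName 'corp.example.com'
Test-AdDomainNames -NetBiosName 'MARKETINGDEPT2008' -DnsName 'marketing.local'
```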

Summary

After following the advice in this article, the forest and domain structure, level and naming should all be clear.

In the next post in this series, I’ll take a look at organizational unit design.

Active Directory design considerations: part 1 (introduction)

A few weeks back, I wrote a series of posts on the architectural considerations for designing a predominantly-Microsoft IT infrastructure, based on the MCS Talks: Enterprise Infrastructure series (Introduction, Remote offices, Controlling network access, Virtualisation, Security, High availability and data centre consolidation).

Session 2 of the MCS Talks series looked at Active Directory (AD), so I’m kicking off a new series of posts here based on the information from that webcast, supplemented where appropriate with my own experiences.

The original webcast on which this series was based was presented by Andrew Hill and Rob Lowe (who are both consultants with Microsoft Consulting Services in the UK) and they stressed that there are 6 tenets to AD design which are inextricably linked:

  • Complexity.
  • Cost.
  • Fault tolerance.
  • Performance.
  • Scalability.
  • Security.

The main point that they wanted to make was to let requirements dictate design (to avoid over-complicating the solution) and that is the focus in each of the posts that will make up this series.

The rest of this series will examine key design considerations for forest/domain design, organisational unit structure, group policy objects, security groups, domain controller placement, site topology, domain controller configuration and DNS. Two important areas that have not been included though are backup/recovery of AD (I’m reading a book on AD disaster recovery and will post my review soon) and delegation of administration. Also, some previous knowledge is assumed – this is not an introduction to Active Directory.

Microsoft has also provided a collection of AD design resources on the MCS Talks blog.