In case you were wondering why I don’t write much about VMware…

Wearing as many hats as I do, I enjoy a variety of relationships with a number of IT hardware, software and services companies on various levels. I try to remain objective when I write on this blog but sometimes those other companies make it difficult.

For example: Microsoft talks to me as a partner, as a customer and as press (they take a very broad view of the press and include bloggers in that group – real journalists will almost certainly disagree) and I get a lot of information, some of which I can write about, and some of which is under NDA (sometimes the problem is remembering in which context I heard the information and therefore what I can or can’t say!); Fujitsu talks to me as an employee (and for that reason I can’t/don’t/won’t say very much about them at all); VMware sort of talk to me as a customer and it would be nice if they talked to me as a partner (they do speak to a number of my colleagues) but mostly they don’t talk to me at all…

This summer, I attended two events about desktop virtualisation within a few days of one another – one from Microsoft and the other from VMware. I was going to write a blog post about desktop virtualisation and Microsoft but I decided to hold back, in the interest of balance, to compare the Microsoft desktop virtualisation story with the VMware one. Except that the “VMware VDI Roadshow” event that I was attending turned out to be hosted by a partner (BT Basilica) and VMware were just the warm-up act for the pre-sales pitch. There was no mention of that when I registered – in fact no mention of Basilica until the last pre-event e-mail (when the sending address switched from events@vmware.com to marketing.campaign@basilica.co.uk) but within a few hours of attending (and before I was back in the office) I’d received an e-mail from someone at BT Basilica asking if they could help me at all with my virtualisation deployments.

Meanwhile, VMware had promised that the slide decks from the event would be made available if I asked for them on my feedback form (I did), so I didn’t make full notes at the presentation. Almost three months on, with calls to BT Basilica, an e-mail to the VMware presenter from that day, and having registered my displeasure in a follow-up telesales call on behalf of BT Basilica, I still don’t have the presentation slides.

So that’s one reason why I don’t have much that’s good to say about VMware right now. That and the fact that I have enjoyed almost no benefits for being a VMware Certified Professional. I would hope that VCPs would be the ideal audience to target for information about product developments, new releases, roadmaps, etc. but apparently not. If I want to stay current on VMware products then I have to do my own research (or pay for a training course).

Then there’s my purchase of VMware Fusion. After weeks of asking why their licensing system showed the license key for my copy of the product (which was purchased in an Apple store) as an evaluation copy, I was unable to get a satisfactory answer. Then version 2.0 was released as a free upgrade for existing registered customers and I heard… silence.

Next week, VMware is running its Virtualisation Forum in London and I registered for attendance a few weeks back but, with a week to go, I’m still waiting to hear if my registration has been accepted (despite having received confirmation that they have my details and will be in touch) – and my follow-up e-mails are, as yet, unanswered. Maybe I’m on a waitlist because the event is full but it would be good to know if that’s the case.

I could go on but, by now, you are probably getting the picture…

VMware are leaders in their market but my experience of the company is not a good one – neither as a business customer nor as a consumer. This is a tiny blog and I’m sure VMware don’t care what I have to say (far less so than they would for Alessandro Perilli or virtualisation specialists like Scott Lowe) but, as I said at the top of this post, I wear many hats, and one of them involves building up my organisation’s capabilities around a certain vendor’s virtualisation products. So, next time I write about Microsoft’s virtualisation products here, please bear in mind that I did try to balance things up… and VMware didn’t want to know.

Account lockouts and software updaters

[Screenshot: CA eTrust update configuration, with no option to use the browser settings]

<rant>Why can’t application developers use the default browser settings for Internet access via a proxy? For two months now, I’ve been struggling with account lockouts whenever I visited the office (thankfully that’s not too often) and then today I discovered, purely by accident, that my anti-virus client was out of date and that I had it configured to use the corporate proxy server using what was probably an old password. Coincidence? We’ll see next time I visit the office. As you can see from this screenshot, I can enter proxy settings, even proxy authentication details but I can’t elect to use the browser settings (which I change according to whether I’m at home or in the office). Gahhhhhh!</rant>

Hate Windows UAC? Have you actually tried the alternatives?

The next time somebody complains about Windows User Account Control (UAC), I’d like them to actually try using a Mac as a standard user (i.e. not the default setting, which is an Administrator, albeit not the root user). I’m in the process of applying Apple’s latest 10 updates, which are huge (I didn’t notice the total for all 10, but it was well over half a gigabyte – just one HP Printer Driver Update was 142MB and the Mac OS X 10.5.5 update is 321MB).

In the intervening time, during which I’ve been writing this post on another PC, I’ve had to enter my Administrator credentials four, five, six times to allow Apple Software Update to do its thing. Mac OS X (and Linux) use a time-based system whereby once I’ve entered my elevated credentials they are valid for a set period but at least once I’ve told Windows Update that I do want to install a bunch of updates, that process (and any child processes) are then allowed to continue unhindered. It seems that the answer for me should really be to use setuid and make Apple Software Update run elevated but that is not necessarily a good idea either.

I guess there are advantages and disadvantages to either approach (actually, the time-based approach has a significant weakness in that any process can run elevated during that window) but the real point is that UAC is there for our protection – and it’s not really that big a problem in my experience.

Meanwhile, for hardcore Windows users that would like to implement an equivalent of the Linux/OS X setuid command in Vista (or Windows Server 2008, I guess), Joel Bennett explains how to do it with PowerShell.

Active Directory design considerations: part 3 (organizational units)

In the previous post in this series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, I looked at forest and domain design. This post continues with a look at organizational unit (OU) structure.

The OU structure is not exposed to users but can make a big difference to the management of Active Directory objects. It is very flexible and therefore easy to change, but change costs money and has the potential to impact production applications (so should be avoided where possible).

Consequently, there are a couple of guiding principles to be followed:

  1. Design the OU structure for the delegation of administrative responsibility.
  2. Design the OU structure for group policy object (GPO) application.

Delegation of administration should be given priority, because GPO application can also be filtered using security groups, but Microsoft does also recommend the following:

  • Do not move domain controllers out of their own OU (some applications may rely on well-known GUIDs and default GPOs).
  • Do not move built-in users and groups from the Users container (due to the potential impact on the monitoring of ACL changes using AdminSDHolder – see Microsoft Knowledge Base article 232199).
  • If Windows Server 2008 is being used, protect OUs from accidental deletion (this will be enabled for new OUs but not for legacy OUs from an in-place upgrade).
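
The three recommendations above can be checked with a read-only audit. This is an added example, not part of the original post or the MCS Talks material; it assumes the ActiveDirectory PowerShell module (available with Windows Server 2008 R2 and later RSAT) and read access to the current domain, and the function names `New-Finding` and `Get-OuBaselineFinding` are hypothetical.

```powershell
# Added example: read-only audit of the three recommendations above.
# Assumes the ActiveDirectory module (RSAT) and read access to the current domain.
Import-Module ActiveDirectory

function New-Finding($Check, $Dn) {   # hypothetical helper
    [pscustomobject]@{ Check = $Check; DistinguishedName = $Dn }
}

function Get-OuBaselineFinding {
    $domain = Get-ADDomain

    # 1. Domain controllers whose computer object has left the default OU.
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.ComputerObjectDN -notlike "*,$($domain.DomainControllersContainer)") {
            New-Finding 'DC outside Domain Controllers OU' $dc.ComputerObjectDN
        }
    }

    # 2. Built-in accounts and groups (looked up by well-known RID, so renames
    #    do not matter) that have been moved out of the Users container.
    $sid = $domain.DomainSID.Value
    $builtIn = @(
        Get-ADUser  -Identity "${sid}-500"   # Administrator
        Get-ADUser  -Identity "${sid}-502"   # krbtgt
        Get-ADGroup -Identity "${sid}-512"   # Domain Admins
        Get-ADGroup -Identity "${sid}-513"   # Domain Users
    )
    foreach ($obj in $builtIn) {
        if ($obj.DistinguishedName -notlike "*,$($domain.UsersContainer)") {
            New-Finding 'Built-in principal outside Users container' $obj.DistinguishedName
        }
    }

    # 3. OUs without accidental-deletion protection (typically legacy OUs).
    $ous = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion
    foreach ($ou in $ous) {
        if (-not $ou.ProtectedFromAccidentalDeletion) {
            New-Finding 'OU not protected from accidental deletion' $ou.DistinguishedName
        }
    }
}

Get-OuBaselineFinding | Sort-Object Check, DistinguishedName | Format-Table -AutoSize
# To fix a check-3 finding after review:
#   Set-ADOrganizationalUnit -Identity '<OU DN>' -ProtectedFromAccidentalDeletion $true
```

An empty result means all three recommendations hold for the domain; check 1 treats a domain controller in a child OU of the default OU as compliant.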

There is no “correct” way to design an OU structure, as the appropriate model varies from organisation to organisation, but one approach to OU design is to base the top-level OUs on the object type and then subdivide by role. Another approach is a geographic top level (countries do not change very often…) but the most important point is to follow an appropriate administrative model and, where different objects are managed by different administrative teams, to consider delegation. One thing that is almost universally agreed upon is not to replicate the organisational structure – security groups can be used for this (and are much easier to manage – e.g. for filtering GPO application).

In the next post in this series, I’ll take a look at design considerations for group policy objects.