Active Directory design considerations: part 4 (group policy objects)

So far in this series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, I’ve looked at forest and domain design and organizational unit (OU) structure. This post discusses some practices for the application of group policy objects (GPOs).

Group policy is a powerful feature of Active Directory but it’s important to consider management at the design stage as GPO management can become problematic if not carefully controlled.

At present, Microsoft Consulting Services is advising the use of:

  • Separate OUs for user and computer settings – this makes GPO application easier to troubleshoot, especially if complex features such as loopback (see Microsoft knowledge base article 231287) are in use.
  • Small GPOs with fewer settings where possible – whilst this will increase the overall number of GPOs to process, it aids management (it is easy to keep track of which GPO is doing what) and, if a policy change is detected by a client at startup or during a scheduled refresh, downloading a smaller GPO will assist with performance.
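As an added example (not code from the original post), the following PowerShell reports which half of each GPO actually carries settings, so that empty halves can be disabled and GPOs mixing user and computer settings can be split to match a user/computer OU split. It assumes the GroupPolicy module (Windows Server 2008 R2 or RSAT), read access to the GPOs of the current domain, and a hypothetical GPO name in the usage line.

```powershell
# Added example, not from the original post: audit GPOs against the two
# practices above (separate user/computer OUs, small GPOs).
# Assumes the GroupPolicy module and read access to the current domain's GPOs.
Import-Module GroupPolicy

function Get-GpoHalfReport {
    param([int]$LargeThreshold = 5)   # settings areas above which a GPO is flagged as "large"

    foreach ($gpo in Get-GPO -All) {
        # Get-GPOReport returns the GPO as XML; every configured settings area
        # appears as an <ExtensionData> element under <Computer> or <User>
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $computer = $report.GPO.Computer
        $user     = $report.GPO.User

        $computerAreas = $computer.GetElementsByTagName('ExtensionData').Count
        $userAreas     = $user.GetElementsByTagName('ExtensionData').Count
        $linkCount     = $report.GPO.GetElementsByTagName('LinksTo').Count

        $findings = @()
        if ($computer.Enabled -eq 'true' -and $computerAreas -eq 0) { $findings += 'computer half enabled but empty' }
        if ($user.Enabled -eq 'true' -and $userAreas -eq 0)         { $findings += 'user half enabled but empty' }
        if ($computerAreas -gt 0 -and $userAreas -gt 0)             { $findings += 'mixes user and computer settings' }
        if (($computerAreas + $userAreas) -gt $LargeThreshold)      { $findings += 'large GPO, consider splitting' }
        if ($linkCount -eq 0)                                       { $findings += 'not linked anywhere' }

        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Status        = $gpo.GpoStatus       # AllSettingsEnabled, UserSettingsDisabled, ...
            ComputerAreas = $computerAreas
            UserAreas     = $userAreas
            Links         = $linkCount
            Findings      = $findings -join '; '
        }
    }
}

function Disable-EmptyGpoHalf {
    # Disables the User or Computer half of a GPO so clients skip it entirely.
    # Requires edit rights on the GPO; where AGPM is in use, make the change
    # through its check-out/check-in workflow instead of calling this directly.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Half
    )
    $gpo = Get-GPO -Name $Name
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        throw "$Name already has status $($gpo.GpoStatus); review it manually"
    }
    $newStatus = if ($Half -eq 'User') { 'UserSettingsDisabled' } else { 'ComputerSettingsDisabled' }
    if ($PSCmdlet.ShouldProcess($Name, "set GpoStatus to $newStatus")) {
        $gpo.GpoStatus = $newStatus   # assigning the property writes the change back to the GPO
    }
}

# Usage: list only GPOs with something to look at; act with -WhatIf first.
# 'Workstation Security' is a placeholder GPO name.
Get-GpoHalfReport | Where-Object Findings | Format-Table -AutoSize
# Disable-EmptyGpoHalf -Name 'Workstation Security' -Half User -WhatIf
```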

Advanced Group Policy Management (AGPM) (formerly DesktopStandard GPOVault) is a feature of the Microsoft Desktop Optimisation Pack (MDOP) – a software assurance benefit for Microsoft customers with particular licensing agreements. It allows the creation of a change control and reporting workflow so that GPOs are not created at will by administrators but are implemented in a controlled manner (i.e. check out policy, offline edit, check in policy, gain approval, release new policy). AGPM v3.0 (which is due for imminent release) will provide new features including increased granularity, a role-based administration model and improved reporting.

Windows Server 2008 also implements a new feature called Group Policy Preferences (formerly DesktopStandard PolicyMaker Standard Edition and PolicyMaker Share Manager). Group Policy Preferences is included within the Group Policy Management Console in Windows Server 2008 but requires client side extensions to be installed on downlevel clients (see Microsoft knowledge base article 943729). The technology allows the configuration of items that are not otherwise possible in Group Policy (e.g. granular targeting of printer assignment), avoiding the use of login scripts (which increase login times and create additional management overhead).

In the next post in this series, I’ll take a look at the design considerations for creation and use of security groups within AD.

In case you were wondering why I don’t write much about VMware…

Wearing as many hats as I do, I enjoy a variety of relationships with a number of IT hardware, software and services companies on various levels. I try to remain objective when I write on this blog but sometimes those other companies make it difficult.

For example: Microsoft talks to me as a partner, as a customer and as press (they take a very broad view of the press and include bloggers in that group – real journalists will almost certainly disagree) and I get a lot of information, some of which I can write about, and some of which is under NDA (sometimes the problem is remembering in which context I heard the information and therefore what I can or can’t say!); Fujitsu talks to me as an employee (and for that reason I can’t/don’t/won’t say very much about them at all); VMware sort of talk to me as a customer and it would be nice if they talked to me as a partner (they do speak to a number of my colleagues) but mostly they don’t talk to me at all…

This summer, I attended two events about desktop virtualisation within a few days of one another – one from Microsoft and the other from VMware. I was going to write a blog post about desktop virtualisation and Microsoft but I decided to hold back, in the interest of balance, to compare the Microsoft desktop virtualisation story with the VMware one. Except that the “VMware VDI Roadshow” event that I was attending turned out to be hosted by a partner (BT Basilica) and VMware were just the warm-up act for the pre-sales pitch. There was no mention of that when I registered – in fact no mention of Basilica until the last pre-event e-mail (when the sending address switched from events@vmware.com to marketing.campaign@basilica.co.uk) but within a few hours of attending (and before I was back in the office) I’d received an e-mail from someone at BT Basilica asking if they could help me at all with my virtualisation deployments.

Meanwhile, VMware had promised that the slide decks from the event would be made available if I asked for them on my feedback form (I did), so I didn’t make full notes at the presentation. Almost three months on, with calls to BT Basilica, an e-mail to the VMware presenter from that day, and having registered my displeasure in a follow-up telesales call on behalf of BT Basilica, I still don’t have the presentation slides.

So that’s one reason why I don’t have much that’s good to say about VMware right now. That and the fact that I have enjoyed almost no benefits for being a VMware Certified Professional. I would hope that VCPs would be the ideal audience to target for information about product developments, new releases, roadmaps, etc. but apparently not. If I want to stay current on VMware products then I have to do my own research (or pay for a training course).

Then there’s my purchase of VMware Fusion. After weeks of asking why their licensing system showed the license key for my copy of the product (which was purchased in an Apple store) as an evaluation copy, I was unable to get a satisfactory answer. Then version 2.0 was released as a free upgrade for existing registered customers and I heard… silence.

Next week, VMware is running its Virtualisation Forum in London and I registered for attendance a few weeks back but, with a week to go, I’m still waiting to hear if my registration has been accepted (despite having received confirmation that they have my details and will be in touch) – and my follow-up e-mails are, as yet, unanswered. Maybe I’m on a waitlist because the event is full but it would be good to know if that’s the case.

I could go on but, by now, you are probably getting the picture…

VMware are leaders in their market but my experience of the company is not a good one – neither as a business customer nor as a consumer. This is a tiny blog and I’m sure VMware don’t care what I have to say (far less so than they would for Alessandro Perilli or virtualisation specialists like Scott Lowe) but, as I said at the top of this post, I wear many hats, and one of them involves building up my organisation’s capabilities around a certain vendor’s virtualisation products. So, next time I write about Microsoft’s virtualisation products here, please bear in mind that I did try to balance things up… and VMware didn’t want to know.

Account lockouts and software updaters

CA eTrust update configuration, with no option to use the browser settings

<rant>Why can’t application developers use the default browser settings for Internet access via a proxy? For two months now, I’ve been struggling with account lockouts whenever I visited the office (thankfully that’s not too often) and then today I discovered, purely by accident, that my anti-virus client was out of date and that I had it configured to use the corporate proxy server using what was probably an old password. Coincidence? We’ll see next time I visit the office. As you can see from this screenshot, I can enter proxy settings, even proxy authentication details but I can’t elect to use the browser settings (which I change according to whether I’m at home or in the office). Gahhhhhh!</rant>

Hate Windows UAC? Have you actually tried the alternatives?

The next time somebody complains about Windows User Account Control (UAC), I’d like them to actually try using a Mac as a standard user (i.e. not the default setting, which is an Administrator, albeit not the root user). I’m in the process of applying Apple’s latest 10 updates, which are huge (I didn’t notice the total for all 10, but it was well over half a gigabyte – just one HP Printer Driver Update was 142MB and the Mac OS X 10.5.5 update is 321MB).

In the intervening time, during which I’ve been writing this post on another PC, I’ve had to enter my Administrator credentials four five six times to allow Apple Software Update to do its thing. Mac OS X (and Linux) use a time-based system whereby once I’ve entered my elevated credentials they are valid for a set period but at least once I’ve told Windows Update that I do want to install a bunch of updates, that process (and any child processes) are then allowed to continue unhindered. It seems that the answer for me should really be to use setuid and make Apple Software Update run elevated but that is not necessarily a good idea either.

I guess there are advantages and disadvantages to either approach (actually, the time-based approach has a significant weakness in that any process can run elevated during that window) but the real point is that UAC is there for our protection – and it’s not really that big a problem in my experience.

Meanwhile, for hardcore Windows users that would like to implement an equivalent of the Linux/OS X setuid command in Vista (or Windows Server 2008, I guess), Joel Bennett explains how to do it with PowerShell.

Active Directory design considerations: part 3 (organizational units)

In the previous post in this series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, I looked at forest and domain design. This post continues with a look at organizational unit (OU) structure.

The OU structure is not exposed to users but can make a big difference to the management of Active Directory objects. It is very flexible and therefore easy to change but change costs money and has a potential to impact on production applications (so should be avoided where possible).

Consequently, there are a couple of guiding principles to be followed:

  1. Design the OU structure for the delegation of administrative responsibility.
  2. Design the OU structure for group policy object (GPO) application.

Delegation of administration should be given priority, because GPO application can also be filtered using security groups, but Microsoft does also recommend the following:

  • Do not move domain controllers out of their own OU (some applications may rely on well-known GUIDs and default GPOs).
  • Do not move built-in users and groups from the Users container (due to the potential impact on the monitoring of ACL changes using AdminSDHolder – see Microsoft knowledge base article 232199).
  • If Windows Server 2008 is being used, protect OUs from accidental deletion (this will be enabled for new OUs but not for legacy OUs from an in-place upgrade).
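As an added example (not code from the original post), the following PowerShell checks two of the recommendations above against the current domain: OUs that are not protected from accidental deletion (typically those carried over by an in-place upgrade) and domain controllers whose computer object has been moved out of the Domain Controllers OU. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT).

```powershell
# Added example, not from the original post: OU hygiene checks for the
# guidance above. Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # OUs without the "protect from accidental deletion" flag; whenCreated
    # helps spot OUs that predate the Windows Server 2008 upgrade
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion, whenCreated |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName, whenCreated
}

function Protect-OU {
    # Sets the flag; pipe Get-UnprotectedOU into it and try -WhatIf first
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

function Get-MisplacedDomainController {
    # Domain controllers whose computer object is not directly in the default
    # "Domain Controllers" OU (the first bullet above says not to move them)
    $expectedParent = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
    Get-ADDomainController -Filter * |
        Where-Object { ($_.ComputerObjectDN -replace '^CN=[^,]+,', '') -ne $expectedParent } |
        Select-Object Name, ComputerObjectDN
}

# Usage: report first, then protect with -WhatIf to preview the changes
Get-UnprotectedOU | Format-Table -AutoSize
Get-MisplacedDomainController | Format-Table -AutoSize
# Get-UnprotectedOU | Protect-OU -WhatIf
```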

There is no “correct” way to design an OU structure, as the appropriate model varies from organisation to organisation, but one approach to OU design is to base the top level OUs on the object type and then subdivide by role. Another approach is a geographic top level (countries do not change very often…) but the most important point is to follow an appropriate administrative model and, where different objects are managed by different administrative teams, consider delegation. One thing that is almost universally agreed upon is not to replicate the organisational structure – security groups can be used for this (and are much easier to manage, e.g. for filtering GPO application).

In the next post in this series, I’ll take a look at design considerations for group policy objects.

Google Developer Day 2008

In the past, I’ve been accused of writing too much Microsoft-focused content on this blog and, in my defence, this blog advertises itself as follows:

“Originally created as a place for me to store some notes, this blog comments on my daily encounters with technology and aims to share some of this knowledge with fellow systems administrators and technical architects across the ‘net. Amazingly, it’s become quite popular!”

My daily encounters with technology… well, as I’m an infrastructure architect who (mostly) works with Microsoft products, that would explain the volume of Microsoft stuff around here… but in order to be credible (and retain some objectivity) when I’m talking about Microsoft products, I’m also interested in what their competitors are doing. That’s why I’m also a Mac user and I dabble with Linux from time to time; my website uses an open source CMS (WordPress), running on Linux, Apache, MySQL and PHP (classic LAMP); I keep an eye on what VMware is up to; and, as well as using a bunch of Google products on the web I recently started using Google Apps for e-mail, calendar and contacts.

Since the Microsoft-Yahoo! merger-that-wasn’t, I’ve become increasingly interested in Microsoft’s online offerings and consequently I’m also watching the dominant force in Internet search as they expand into other areas online – that’s why I spent today at the Google Developer Day 2008. Aside from being an opportunity to visit the new Wembley Stadium (I do think they should have incorporated the iconic twin towers from the old stadium somewhere in the new structure), it’s a chance for me to find out a little about the technologies that Google is pushing right now. I feel a bit of a fraud as I’m not really a developer but I answered the registration form truthfully and Google accepted me here, so I guess that’s OK!

Over the course of the day, I noted some brief (and sometimes frivolous) highlights from the various sessions – think of it as a microblog in one post. Where I understand enough of the dev stuff, I’ll follow up with more detail later…

Stage at Google Developer Day 2008

[08.20] Right from the off, it’s been a positive experience. After arriving at the venue almost an hour before registration was due to commence, I was allowed in, invited to have a coffee and some breakfast, and a really helpful guy went and found me my delegate badge. Now I’m sitting here enjoying the free Wi-Fi (and grabbing one of the few seats that’s situated next to a floorbox so I can keep my notebook PC’s battery charged during the keynote).

Google Developer Day 2008 - rooms named after classic arcade games

[8.55] As I sat in the “Space Invaders” room waiting for the keynote session to begin, I was thinking that only Google would name the session rooms after classic computer games. Now it all makes sense… I just heard that the keynote will include the first public demo of the Android phone!

[9.10] Someone just changed the SSID on the Wi-Fi and I lost my connection mid-post… arghhh!

[9.30] I now have the rest of my delegate pack… including a snazzy gift-wrapped parcel…

Green parcel from Google Developer Day 2008

containing…

Little green Google man from Google Developer Day 2008

Little green man USB key from Google Developer Day 2008

A little green man… hang on… he’s removed his head – what’s he doing inside my Mac?

(It’s OK, he’s just giving me a copy of all the materials I might need to make the most of today).

[09:59] Why can’t Microsoft events be this much fun?

[10:00] The keynote is about to start…

[10:25] This keynote has lots of slides, few words, lots of pictures. I like it. Whatever the opposite of death by PowerPoint is, this is it.

[10:30] Mike Jennings is performing the first European demo of Android – the open source mobile stack.

Android demo at Google Developer Day 2008

[10:50] The keynote was an overview of what Google is doing to help people develop for the web. Highlights were:

  • The theme for today is client-cloud-connectivity:
    • Making the client more powerful.
    • Making the cloud more accessible.
    • Connecting pervasively.
  • Google Chrome is 100% open source (based on WebKit and the V8 JavaScript engine), designed to support today’s rich Internet applications.
  • Gears is a browser plugin to enable web application functionality that was previously only available on the desktop.
  • Google has two types of API – the various data APIs and those which provide AJAX functionality – both are designed to make Google services programmatically accessible.
  • Google App Engine allows organisation to run their application on the Google infrastructure in an attempt to overcome the financial and administrative hurdles associated with traditional computing.
  • Android provides a mobile application stack.
  • Google Web Toolkit (GWT) allows applications to be written in Java and run in cross-browser compiled JavaScript.
  • OpenSocial provides a family of APIs for connecting social websites.

Android at Google Developer Day 2008

[11:10] Hoping to learn more about Android in Mike Jennings’ session “An introduction to Android”…

[11:15] There’s no code in this session… I should be able to cope then ;-)

[11:25] Mike seems a nice guy but he’s clearly learning this deck as he goes…

[11:30] Into Q&A already?!

[11:50] 35 minutes to go and the Q&A is getting hard for the presenter… what’s interesting to me is that this Google-led presentation has degenerated into a group of developers and users feeding back to Google on things like security, usability, and other common considerations for mobile application development that don’t seem to have been considered. Some of the questions are tough… but that should be expected given the forum.

[12:00] He’s desperate to end this session (twice now he’s asked how much longer to go on for…). Poor guy – I feel really sorry for him the way this session has gone but there was nothing here that shouldn’t have been expected. Hopefully Google has a better idea of the state of the mobile market than this session would indicate.

[12:05] There’s a guy on the front row writing a book: Professional Android Application Development (to be published by Wrox with a November 2008 release date).

[12:20] It seemed to me that Mike was strangled by the Google PR machine but, thanks to his great sense of humour, he still managed to end the session on a high note. Key points were:

  • Based on a poll of the room, around 50% of people have more than one mobile handset; 25% of people have no land-line at home; and there was no-one here that does not have a mobile. This should be caveated heavily – this was a room full of geeks – but it is nevertheless an interesting study.
  • Android is an open mobile handset project: an open development model; open to the industry (free to carriers/manufacturers/enthusiasts); open to the developer with the ability to integrate at a deep level in the stack (e.g. replacing the dialler).
  • The Android runtime environment is implemented in Java running on a Linux kernel. Some classes are unavailable (i.e. those that are not relevant to mobile computing).
  • Android should be expected during the 4th quarter of 2008.
  • Google appears unprepared for the questions that will be asked of any new platform around security, usability, upgradability – or even why people will choose Android over more established competition. Maybe they are prepared but to quote Mike Jennings, “these kind of questions are over my pay grade”.

[12:25] Ooo! Curly Wurlys on the snack table!

[12:30] I like geek t-shirts – I just saw one which said “Gears – we power the Tubes”

[12:35] In this session Aaron Boodman will be talking about Google Gears… let’s hope that he is allowed to say more than Mike Jennings was.

[13:10] Great session – gave me just enough to learn something about the APIs that Gears provides. Key points were:

  • Gears is a browser extension which provides JavaScript APIs for web application development, available for Internet Explorer (5 or later), Mozilla Firefox (1.5 or later), Windows Mobile, Chrome (which is built on Gears) and now Safari. Android will support Gears (at the moment it just has a stub API).
  • Gears is now a year old and has dropped its Google prefix.
  • Gears is not just about offline access to web applications although the initial implementation was about a database, local server and worker pool.
  • APIs include desktop shortcuts, file system, binary object access and geolocation.

[13:15] I’ve just managed to sneak a quick peek outside at the stadium itself – it’s very impressive. We’ve been asked not to use any photos that identify Wembley Stadium for commercial purposes but this is just a personal snapshot (actually, it’s five of them, stitched together in Photoshop CS3).

The new Wembley Stadium

(Someone seems to have stolen half the pitch…)

[13:30] Fooling around whilst waiting for lunch…

Me at Google Developer Day 2008

[14:50] I thought that my web access was fast here… I just ran a speed test and I’m getting about 14Mbps! This is the best Internet access I’ve ever had at a conference.

[14:55] Looking around the delegates it seems that Macs are pretty common among developers who follow Google technologies! I reckon I’ve seen 2-3 MacBooks for every PC laptop here today (and several of the PCs I saw were running Linux)… as someone who lives primarily in the Microsoft world, this is an interesting experience.

[15:00] Ryan Boyd is just starting to talk about mashing up Google APIs… hopefully I can keep up!

[16:10] That was hard work but I just about held in there… Ryan demonstrated a number of APIs working together, including example code. A few points to note:

  • AtomPub is used to define feeds (mostly for blog syndication), made up of entries containing additional information.
  • Four methods are applied to feeds (create, retrieve, update, delete) and these relate to the equivalent HTTP communications (post, get, put, delete).
  • Standard HTTP status codes are returned.
  • Google has extended AtomPub to provide:
    • A data model.
    • Batch operations.
    • Authentication (client login with username and password, AuthSub or OAuth).
    • Alternate output formats for non-Atom data (e.g. RSS, KML, JSON).
  • The OAuth Playground is a good place to understand how OAuth authentication works – AuthSub is similar in some ways and has been around longer but OAuth is a standardised implementation and should grow over time.

[16:20] My little green man now has some blue and red playmates.

[16:25] Next up, Google Web Toolkit (GWT): the technical advantage, presented by Sumit Chandel. This will also be developer heavy (this is a developer day after all!) so I may struggle again…

[16:35] Just noticed that quite a few people are using sub-notebook PCs here…

[16:50] And I’ve never seen as many stickers on PCs as I have today… maybe that’s a dev thing too?!

[17:15] Into Q&A now, I won’t understand the answers but to summarise the key points from the GWT session:

  • GWT allows developers to write AJAX applications more quickly, compiling Java into optimised JavaScript and employing techniques such as deferred binding to ensure that only those elements that are required for the local browser implementation are used.
  • Browser quirks are no longer a problem – GWT handles these for all supported browsers.
  • With GWT, there are no more memory leaks! A bold statement and actually there may be some where JavaScript native interface (JSNI) calls are made but there should be none for pure GWT applications (read more in Joel Webber’s article on DOM events, memory leaks and you).
  • GWT adds history support to AJAX applications with its implementation of really simple history (RSH).
  • GWT enables code reuse through design patterns.
  • Faster application development is accommodated using IDEs such as Eclipse and other Java tools but, specifically, GWT allows for debugging in bytecode.

[17:20] Just swapped my evaluation form for a t-shirt… my kids will love the Google icons on the front!

Google Developer Day 2008 T-Shirt

[17:45] Google has a new UK developer blog – and they just showed us a cool wrap-up video from the day – hopefully that will be on YouTube later. [Update: here it is, courtesy of Youtube]:

[17:50] Look! A Googler – complete with lab-coat!

Google employee with labcoat at Google Developer Day 2008

[17:55] Mmm… beer!

[17:55] And the fun continues… with giant Chess, Connect 4, Jenga, arcade games (including Pacman and Space Invaders), Mega Blocks… and… somewhat bizarrely, a PHP Elephant!

PHP Elephant

[18:15] Whilst chatting with Tim Anderson, he made a very valid point that I hadn’t considered whilst I was getting excited about technology – Google is an advertising company and, unlike Microsoft or any of the other vendors that I enjoy a relationship with, they don’t need to sell software – they just want people to use their search, etc. and if their vision of the web continues to develop the ad revenues should keep on rolling in too.

[18:20] Just looked out of the window and saw that the turf is slowly returning to Wembley’s pitch. Only about a quarter missing now!

[18:35] Now that is a good use for the presentation projectors… Wii Sports/Guitar Hero II!

Playing games on the projectors after Google Developer Day 2008

[18:55] Mmm… pizza!

[20:00] I really should head home now!

I’ve really enjoyed this event – a fantastic opportunity to learn more about Google’s developer tools and APIs and, who knows, I may even get around to implementing some of them here (if this site ever gets its long awaited AJAX overhaul). From chatting with the event organisers, I learned that this was the second annual Google Developer Day in the UK and there were just over 500 people here today. Google is looking to run more events as their portfolio expands – possibly even some smaller, more focused, events but, for me, this was the perfect balance between a conference (for which my employer is unlikely to support attendance, based on recent experience) and the shorter events – providing a small amount of information on a wide variety of topics.

Hopefully I’ll be at next year’s GDD too. As for the Microsoft posts… normal service will be resumed at 9am tomorrow.

Active Directory design considerations: part 2 (forest and domain design)

Having set the scene for this series of posts, the first area to examine is Active Directory forest and domain design.

Bearing in mind the key principle that requirements should dictate design, and that the solution should be as simple as possible, AD designers should, wherever possible, look to consolidate: a single forest (with a single domain) should be the starting point, after which any requirements for scaling out can be considered.

Reasons for implementing multiple forests include:

  • Multiple schemas (to avoid application conflicts).
  • Resource forests (deliberate isolation).
  • Distrust of forest administrators (autonomy).
  • Legal regulations around application/data access.
  • Requirements to be disconnected for long periods (e.g. on a ship).

Forest design models

Single organisational forest

The single organisational forest is the starting point. In this model, users, computers and applications are all in the same forest, providing a simple Active Directory. One major advantage of having a simple AD is that many application designs will also be simplified (e.g. Exchange Server or MOSS) and delegation of administration is still possible; however it is absolutely essential that forest-level administrators are trusted.

To mitigate the risk of rogue administrators, many organisations rely on detection (auditing and monitoring security logs – flagging any events after the fact). In many cases the effort of implementing an extra forest outweighs the risk of an exploit from a rogue administrator. Other mitigation steps include keeping highly privileged groups (e.g. Enterprise Admins and Domain Admins) empty (or at least down to a minimal number of users) and closely monitoring membership as well as implementing two-factor authentication for highly privileged accounts.
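As an added example (not code from the original post), the following PowerShell turns the "keep privileged groups minimal and monitor membership" advice into a repeatable check: it snapshots the membership of the highly privileged groups named above and diffs it against a saved baseline, so an unexpected addition is noticed rather than discovered after the fact. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), that it is run from the forest root domain so the forest-wide groups resolve, and a placeholder baseline path.

```powershell
# Added example, not from the original post: baseline and diff the membership
# of the highly privileged groups discussed above. Assumes the ActiveDirectory
# module; run from the forest root so Enterprise/Schema Admins resolve.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

function Get-PrivilegedMembership {
    # One row per (group, member), with nested group membership expanded
    foreach ($groupName in $PrivilegedGroups) {
        try {
            $members = Get-ADGroupMember -Identity $groupName -Recursive
        } catch {
            Write-Warning "Cannot read $groupName : $_"   # e.g. forest-wide group queried from a child domain
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group  = $groupName
                Member = $m.SamAccountName
                Class  = $m.objectClass
            }
        }
    }
}

function Compare-PrivilegedMembership {
    # Writes the baseline on first run; afterwards reports additions and removals
    param([Parameter(Mandatory)][string]$BaselinePath)

    $current = @(Get-PrivilegedMembership)
    if (-not (Test-Path $BaselinePath)) {
        $current | Export-Clixml -Path $BaselinePath
        Write-Warning "No baseline at $BaselinePath; saved $($current.Count) entries as the new baseline"
        return
    }
    $baseline = @(Import-Clixml -Path $BaselinePath)

    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, Member |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $_.Group
                Member = $_.Member
                Change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            }
        }
}

# Usage (the path is a placeholder): schedule this and alert on any output.
Compare-PrivilegedMembership -BaselinePath 'C:\Baselines\privileged-groups.xml' | Format-Table -AutoSize

# The forest-wide groups should normally be empty; anything listed here needs a reason
Get-PrivilegedMembership | Where-Object { $_.Group -in 'Enterprise Admins', 'Schema Admins' }
```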

Multiple organisation forest model

The multiple organisation forest model is applicable where there are distinct business groups that require limited sharing of resources whilst retaining autonomy and isolation. In this model users, computers and applications all exist within their respective forests and a trust (1 or 2 way, as appropriate) is established, with selective authentication to control the rights granted from one forest to the other.

This model can be costly and often causes additional complexity (e.g. if Exchange Server is used in the two organisations, then identity management tools may be required for calendar and contact information).

Shared resource forest model

According to Microsoft, the shared resource forest model is gaining in popularity as it provides flexibility as organisations are created and merged but still require some sharing of resources. Users and computers exist in the appropriate account forests and trusts are created as necessary to access application(s) in a separate resource forest.

With this model, an application such as Exchange Server would be installed into the resource forest (as a single organisation) and the users in the account forests would see the global address list from the resource forest, avoiding the need for directory synchronisation tools.

Potential downsides of this approach are the extra servers that will be required and the corresponding management overhead; however it is flexible and is commonly deployed.

Shared account forest model

The shared account forest model is similar to the shared resource forest model except that a common account forest is used for all users and computers, with various resource forests deployed for restricted access to data and applications and corresponding trust relationships with the account forest. With this model, users can log on anywhere but some control is exercised over their access to applications and data.

This model might also be used in an extranet scenario – for example MOSS in an extranet forest but with access provided to internal accounts using a forest trust or through ADFS.

Considerations for domain design

Having decided on the overall forest structure, domain design needs to be considered and this is also simplified where a single domain exists within each forest (this is the most straightforward, and hence least expensive, option to implement, manage and recover). Multiple domains may need to be considered:

  • Where there is a large number of frequently changing attributes.
  • To reduce replication.
  • To control replication over slow links.
  • To present legacy Active Directory structures.

With Windows Server 2008, it is no longer necessary to implement a separate domain where an alternative password policy is required (e.g. PIN access for mobile users) as Active Directory Domain Services supports fine grained password policies. Note that these policies are not applied at an organizational unit (OU) level but through group membership or at an individual user level. To aid troubleshooting when multiple policies apply, Microsoft recommends that security groups are used for policy application, with users added to groups accordingly.
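As an added example (not code from the original post), the following PowerShell creates a fine-grained password policy, applies it through a security group as recommended above (the same mechanism serves a PIN-style policy for mobile users with different parameter values), and shows which policy actually wins for a given user. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a domain at the Windows Server 2008 functional level, and placeholder group and user names.

```powershell
# Added example, not from the original post: fine-grained password policies
# applied via groups, plus the resultant-policy check used for troubleshooting.
# Assumes the ActiveDirectory module and a Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

function New-GroupPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][int]$Precedence,      # lowest value wins when a user is in several groups
        [int]$MinPasswordLength = 12,
        [int]$MaxPasswordAgeDays = 90,
        [int]$LockoutThreshold = 10
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MinPasswordLength $MinPasswordLength -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days $MaxPasswordAgeDays) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold $LockoutThreshold -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true

    # Attach the PSO to the group, never to individual users, so that group
    # membership alone explains why a user receives this policy
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
}

function Get-EffectivePasswordPolicy {
    # Resultant policy for a user; no PSO means the Default Domain Policy applies
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) {
        [pscustomobject]@{ User = $SamAccountName; Policy = 'Default Domain Policy'; Precedence = $null }
    } else {
        [pscustomobject]@{
            User              = $SamAccountName
            Policy            = $pso.Name
            Precedence        = $pso.Precedence
            MinPasswordLength = $pso.MinPasswordLength
            LockoutThreshold  = $pso.LockoutThreshold
        }
    }
}

function Get-PasswordPolicyOrder {
    # All PSOs in precedence order with the groups/users they apply to: the
    # first place to look when a user is not getting the policy you expect
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
            @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

# Usage (placeholder names): a stricter policy for a privileged-admin group
New-GroupPasswordPolicy -Name 'PSO-Tier0-Admins' -GroupName 'Tier0-Admins' -Precedence 10 -MinPasswordLength 15
Get-EffectivePasswordPolicy -SamAccountName 'jdoe'
Get-PasswordPolicyOrder | Format-Table -AutoSize
```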

A domain is a replication boundary but, whereas network links were poor in the Windows 2000 era, these days bandwidth is more plentiful and controls may be exercised over replication. Microsoft considers that the only real hard limit is the maximum number of domain controllers, which was around 1200 under Windows Server 2003 due to the limitations of sysvol replication using the file replication service (FRS). With Windows Server 2008 this is no longer a concern, once the domain has been switched to use DFS-R for replication.

In short, there are very few technical reasons for separate domains; however this may be influenced by political concerns.

Forest and domain functional levels

Forest and domain functional levels can drive requirements for domain design, with consideration due to migration vs. an in-place upgrade. On the face of it, in-place upgrades seem simple, but the health of the existing AD needs to be considered. If the domain has been upgraded previously from Windows 2000 to 2003, there may be older groups in place which do not use linked value replication, or there may be issues around strict replication consistency.

The basic changes at each level are:

  • Windows Server 2003 interim forest functional level:
    • Linked value replication.
    • Different replication compression ratios.
    • Improved knowledge consistency checker.
  • Windows Server 2003 forest functional level:
    • Forest trusts (and selective authentication).
    • Deactivation of attributes within the schema.
    • Domain renaming.
    • Read only domain controllers (requires Windows Server 2008, plus schema updates).
  • Windows Server 2008 domain functional level:
    • Fine-grained password policies.
    • DFS-R for sysvol.
    • Last interactive logon information.

Domain naming

Domain naming ought to be the simple part of the design; however it is often heavily influenced by politics. Whilst domain renames are possible, it’s generally not advised due to the potential impact on other applications.

For each domain, there are two names to consider – NetBIOS and DNS.

The NetBIOS name must not exceed a maximum length of 15 characters and must be unique on the network.

Meanwhile, Microsoft recommends that the DNS name does not replicate an existing Internet domain name and is registered with Internic (to prevent future conflicts – this also means that once-common naming conventions such as .local are no longer recommended).

In general, the NetBIOS and the domain portion of the DNS names should be made to match one another as many tools expect one to be derived from the other; however single label names should not be used as they cannot be registered and may cause issues with certain applications (Microsoft knowledge base article 300684 has more details). Also, the name should not represent a business unit or division (as this is likely to change over time).

Summary

After following the advice in this article, the forest and domain structure, level and naming should all be clear.

In the next post in this series, I’ll take a look at organizational unit design.

Active Directory design considerations: part 1 (introduction)

A few weeks back, I wrote a series of posts on the architectural considerations for designing a predominantly-Microsoft IT infrastructure, based on the MCS Talks: Enterprise Infrastructure series (Introduction, Remote offices, Controlling network access, Virtualisation, Security, High availability and data centre consolidation).

Session 2 of the MCS Talks series looked at Active Directory (AD), so I’m kicking off a new series of posts here based on the information from that webcast, supplemented where appropriate with my own experiences.

The original webcast on which this series was based was presented by Andrew Hill and Rob Lowe (who are both consultants with Microsoft Consulting Services in the UK) and they stressed that there are 6 tenets to AD design which are inextricably linked:

  • Complexity.
  • Cost.
  • Fault tolerance.
  • Performance.
  • Scalability.
  • Security.

The main point that they wanted to make was to let requirements dictate design (to avoid over-complicating the solution) and that is the focus in each of the posts that will make up this series.

The rest of this series will examine key design considerations for forest/domain design, organisational unit structure, group policy objects, security groups, domain controller placement, site topology, domain controller configuration and DNS. Two important areas that have not been included though are backup/recovery of AD (I’m reading a book on AD disaster recovery and will post my review soon) and delegation of administration. Also, some previous knowledge is assumed – this is not an introduction to Active Directory.

Microsoft has also provided a collection of AD design resources on the MCS Talks blog.

Using Google Apps for e-mail and contact management

A couple of weeks back, I wrote about how I’d switched a big chunk of my home/small business IT to Google Apps and was using it as part of a solution to keep my work and personal calendars separate, but in sync.

Calendar is all very well, but e-mail is still my main communications tool. So how have I found the switch to Google Mail and how do I keep my contacts in sync between devices? Actually, it’s been remarkably straightforward but I have learnt a few things along the way and this post describes the way I have things working.

Switching to GMail was as simple as updating the MX records for my domain but having done so, I needed to get my various devices working together – that means home and work computers as well as my iPhone.

My home computer is a Mac, so I simply enabled IMAP access on my Google Apps mail account and made sure I followed Google’s recommended client settings for setting up Apple Mail. There’s not more to say really – Google provides an IMAP Service and Apple provides an IMAP client.

Apple Mail

On a Windows PC I would have used Windows Mail/Outlook Express (depending on the version of Windows) or Outlook to achieve the same thing. Even so, on the Windows PC that I use for work, I have Google Chrome installed, so I set myself up with a Chrome application shortcut for my Google Apps e-mail account. It’s only webmail, but GMail is dripping with AJAX and so highly functional and very usable.

Google Mail as a Chrome application

With my PCs set up, that left the iPhone. Again, Google publishes advice for configuring IMAP with the iPhone (as well as recommended client settings) and I followed it.

Folder list in Mail on the iPhone

I’m still a little confused about what is being saved where – my iPhone mail application has a Sent folder with some items in, but there’s another one called Sent Mail underneath [Google Mail] – similarly, I have two Drafts folders – as well as both Trash and Deleted Messages. None of that really matters though as all my mail seems to be in the Google Mail account (automagically… I’m not going to get too hung up on the details). Push e-mail would be nice (at the moment I have to tell the phone to periodically check for e-mail) but I’m sure Google will add that feature in time – the important thing is that it seems to work.

I tend to use the iPhone’s built-in mail application most of the time but the iPhone interface to GMail is pretty good too and has the advantage that it groups messages by conversation, rather than using the traditional approach of showing individual messages.

Mail on the iPhone

Google Mail on the iPhone

With e-mail working, I turned my attention to my contacts. Google Mail was doing a good job of identifying the people I’d sent e-mail to and creating associated contacts but I wanted to make sure that I had the same contact list available natively on the Mac and the iPhone. No problem – the Mac OS X Address Book application includes Google Contact syncing although I’m a little confused why I have it enabled in both the Address Book application and in iTunes (Contact Sync uses iTunes for synchronisation). Then, Address Book and iTunes worked together to make the contacts available on the iPhone (regardless of the Google part of the solution).

It’s worth noting that I didn’t think the address book synchronisation was working, but signing out of Google Mail (and then back in again) seemed to force a refresh of the contact information inside Google Mail.

Importantly, Google Mail’s contact functionality does not destroy information stored for contacts that it doesn’t know what to do with. For example, I’ve followed Jaka Jančar’s advice for adding Skype usernames to the OS X Address Book and Google Mail just ignores the extra information.

That just left bringing all of my legacy e-mail into my Google Apps mailbox. I haven’t been brave enough to do that yet (actually, it needs a lot of consolidation first) but I will do it eventually – and, when I do, I’ll be sure to blog about how it went…

Virtualisation as an enabler for cloud computing

In my summary of the key messages from Microsoft’s virtualisation launch last week, I promised a post about the segment delivered by Tom Bittman, Gartner’s VP and Chief of Research for Infrastructure and Operations, who spoke about how virtualisation is a key enabler for cloud computing.

Normally, if I hear someone talking about cloud computing they are either: predicting the death of traditional operating systems (notably Microsoft Windows); they are a vendor (perhaps even Microsoft) with their own view on the way that things will work out; or they are trying to provide an artificial definition of what cloud computing is and is not.

Then, there are people like me – infrastructure architects who see emerging technologies blurring the edges of the traditional desktop and web hosting models – technologies like Microsoft Silverlight (taking the Microsoft.NET Framework to the web), Adobe AIR (bringing rich internet applications to the desktop) and Google Gears (allowing offline access to web applications). We’re excited by all the new possibilities, but need to find a way through the minefield… which is where we end up going full circle and returning to conversations with product vendors about their vision for the future.

What I saw in Bittman’s presentation was an analyst, albeit one who was speaking at a Microsoft conference, talking in broad terms about cloud computing and how it is affected by virtualisation. No vendor allegiance, just tell it as it is. And this is what he had to say:

When people talk about virtualisation, they talk about saving money, power and space – and they talk about “green IT” – but virtualisation is more than that. Virtualisation is an enabling technology for the transformation of IT service delivery, a catalyst for changing architectures, processes, cultures, and the IT marketplace itself. And, through these changes, it enables business transformation.

Virtualisation is a hot topic but it’s also part of something much larger – cloud computing. But rather than moving all of our IT services to the Internet, Gartner sees virtualisation as a means to unlock cloud computing so that internal IT departments deliver services to business units in a manner that is more “cloud like”.

Bittman explained that in the past, our component-oriented approach has led to the management of silos for resource management, capacity planning and performance management.

Gartner: Virtualising the data centre - from silos to clouds

Then, as we realise how much these silos are costing, virtualisation is employed to drive down infrastructure costs and increase flexibility – a layer-oriented approach with pools of resource, and what he refers to as “elasticity” – the ability to “do things” much more quickly. Even that is only part of the journey though – by linking the pools of resource to the service level requirements of end users, an automated service-oriented approach can be created – an SoA in the form of cloud computing.

At the moment internal IT is still evolving, but external IT providers are starting to deliver service from the cloud (e.g. Google Apps, salesforce.com, etc.) – and that’s just the start of cloud computing.

Rather than defining cloud computing, Bittman described some of the key attributes:

  1. Service orientation.
  2. Utility pricing (either subsidised, or usage-based).
  3. Elasticity.
  4. Delivered over the Internet.

The first three of these are the same whether the cloud is internal or external.

Gartner: Virtualisation consolidation and deconsolidation

Virtualisation is not really about consolidation. It’s actually the decoupling of components that were previously combined – the application, operating system and hardware – to provide some level of abstraction. A hypervisor is just a service provider for compute resource to a virtual machine. Decoupling is only one part of what’s happening though as the services may be delivered in different ways – what Gartner describes as alternative IT delivery models.

Technology is only one part of this transformation of IT – one of the biggest changes is the way in which we view IT as we move from buying components (e.g. a new server) to services (including thinking about how to consume those services – internally or from the cloud) and this is a cultural/mindset change.

Pricing and licensing also changes – no longer will serial numbers be tied to servers but new, usage-based, models will emerge.

IT funding will change too – with utility pricing leading to a fluid expansion and contraction of infrastructure as required to meet demands.

Speed of deployment is another change – as virtualisation allows for faster deployment and business IT users see the speed in which they can obtain new services, demand will also increase.

Management will be critical – processes for management of service providers and tools as the delivery model flexes based on the various service layers.

And all of this leads towards cloud computing – not outsourcing everything to external providers, but enabling strategic change by using technologies such as virtualisation to allow internal IT to function in a manner which is more akin to an external service, whilst also changing the business’ ability to consume cloud services.