Kraft Kennedy | Technology Blog

Tag: VMware

Recently, Microsoft added vSphere 5.0 as a supported hypervisor for Exchange 2010 to their Server Virtualization Validation Program support policy wizard.  Exchange 2010 RTM and SP1  are both listed as supported running on Windows 2008 RTM and Windows 2008 R2 on vSphere 5.0.  In addition, Exchange 2007 SP1, SP2 and SP3 are listed as supported on vSphere 5.0 as well but RTM is not.

Great news!

This week at VMware’s Partner Exchange conference in Orlando, Florida, VMware announced three new certifications aimed at desktop virtualization.  They range from the entry level VMware Certified Associate 4 – Desktop, to a new VMware Certified Professional – Desktop aimed specifically at desktops (the VCP has been around for many years but only focused on the company’s infrastructure technology).  Finally, they’ve announced a VMware Certified Advanced Professional – Desktop certification as a new high level certificate.  It wouldn’t be a surprise to eventually see a VMware Certified Design Expert (VCDX) certification aimed specifically at desktop virtualization architects in the future.


Continue reading…

Quite a while back I saw that Eric Sloof had figured out how to add his Twitter feed directly into the VI Client.  I thought it was clever but didn’t really give it much more thought than that.

Today I decided to take that concept and extend it to systems that you might manage alongside your VI3/vSphere environment.  Storage management seemed like the obvious first choice.
Continue reading…

For quite a while there has been confusion over how VMware’s Transparent Page Sharing (TPS) feature works with vSphere 4 running on Nehalem (or other modern) processors. Many people were noticing that it appeared that TPS was not actually working anymore and looked for ways to fix the problem.

In my recent post on the effects of ASLR in vSphere the comments turned into a discussion about TPS on modern processors. And there are countless posts about this issue on the VMTN forums where folks are looking for a fix. In reality nothing is broken and there is no need to fix the issue.
Continue reading…

When VMware released vSphere 4 last year, one of the changes they made was a completely rewritten software iSCSI initiator. This was done to optimize performance, which is great considering how popular iSCSI SANs have become. They also added the ability to use Round Robin MPIO (multipathing) in the software initiator, in addition to Fixed Path and MRU, which were previously available.

I’m working on a vSphere implementation using Dell EqualLogic SANs and wanted to configure Round Robin on all of my datastores. Dell has a great whitepaper on how to set this up, but unfortunately the document fails to mention one key thing: this doesn’t change the default path selection plugin (PSP) from Fixed to Round Robin.   That means that you’ll have to set the multipathing policy to Round Robin on all of your existing datastores and will have to remember to do that on all future datastores. When you’ve got multiple ESX hosts with lots of  datastores this can quickly become a pain.


Continue reading…

I’ve seen a lot of talk lately about VMware’s Transparent Page Sharing (TPS) and how it is affected by ASLR in Windows 2008/Windows 7. I wanted to see if there was any real measurable reduction in shared memory when using ASLR vs. when it was disabled. First, let’s talk about what TPS and ASLR actually are and what the acronyms mean.

Continue reading…

With the release of VMware vSphere 4, VMware has released a very powerful management tool called Fault Tolerance (FT).  At a basic level, FT allows you to keep two virtual machines (a Primary VM and a Secondary VM) running in lockstep on two different physical ESX hosts.  If one of the ESX hosts were to experience a hardware failure, the VM protected with FT would remain running on the second host without any downtime.  This can greatly reduce downtime due to hardware failures and provide increased service levels for important applications.

FT is often compared to Microsoft Windows Failover Clusters, formerly Microsoft Cluster Server (MSCS), and in fact many have talked about how FT can replace Microsoft clustering altogether.  Rather than jump to conclusions like this, it is important to understand the use cases for both technologies.  In addition, there are several limitations to FT that need to be considered. Here are some important points to remember about FT:


Continue reading…

In a previous post, I discussed how to expand virtual machine boot volumes with no downtime using Dell’s ExtPart utility.  That method is useful if you are using Windows Server 2000/2003, but is no longer required when using Windows 2008.  With Windows 2008 becoming the preferred server operating system going forward, the method described below will become more and more common.

Microsoft has made it possible to expand boot volumes easily and on the fly, without downtime and without the need for any additional tools.  In this example, we’ll expand the C: drive of a Windows 2008 virtual machine from 25GB to 30GB.

1. Expand the size of the virtual disk.

2. Launch Disk Management by right clicking on My Computer, selecting Manage, and then selecting Storage\Disk Management.  If you do not see the unallocated space, right click on Disk Management and select “Rescan Disks.”



Continue reading…

Installing the VMware Tools package inside a VMware virtual machine improves overall performance and allows the use of advanced features and faster virtual hardware drivers.  The installation package also installs a tray icon that controls guest access to virtual hardware, time synchronization, etc.  Since most virtual machines are servers and end users don’t typically access the console of a server, worries about the security implications of leaving that tray application running have been fairly minimal.  However, as firms move towards solutions like virtualized XenApp servers or virtual desktops, this becomes more of a concern.

Removing administrator access from end users is unfortunately not enough.  For example, a user can open the VMware Tools tray icon and select the Devices tab, and from there can uncheck “NIC1” and click Apply.  What happens?  You guessed it – the virtual NIC is disconnected and the user loses connection.  That’s bad in a virtual desktop environment, since it will orphan the desktop and likely require a connection broker like XenDesktop to create another desktop, but it is even worse on a XenApp server, where the user potentially just disconnected dozens of other users as well.

This, and several other things found in the VMware Tools, can be dangerous to leave available to an end user even if they have no rights to the server itself.  To get around this, there are two approaches that make sense:

1) Remove access to the VMware Tools for end users.

2) Modify the VMX configuration file to prevent these actions.

I prefer the second method since it allows for more granular control over security, though if you’re interested in option one then you can read VMware’s KB article on the subject.  In order to prevent this at the VMX (virtual machine configuration file) level, simply add the following lines to the virtual machine(s) that you wish to protect (after powering it down):

isolation.device.connectable.disable = "true"
isolation.device.edit.disable = "true"

Adding one of these values to the VMX file via PowerShell and PowerCLI would look something like this:

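# Get the vSphere API view of the VM (replace NameofVM with the VM's name)
$vm = Get-View (Get-VM NameofVM).ID
# Build a reconfiguration spec carrying one extra VMX key/value pair
$vmConfigSpec = New-Object VMware.Vim.VirtualMachineConfigSpec
$vmConfigSpec.extraconfig += New-Object VMware.Vim.optionvalue
$vmConfigSpec.extraconfig[0].Key="isolation.device.connectable.disable"
$vmConfigSpec.extraconfig[0].Value="true"
# Apply the spec to the virtual machine
$vm.ReconfigVM($vmConfigSpec)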

There are many other security parameters that can be set in the VMX file that are covered in VMware’s Security Hardening document (PDF).  The document covers this and many other common security best practices for virtual machines.  As always, test any change you make (especially the script above) before putting anything into production.

Microsoft has made a very interesting virtualization play this week by submitting source code for the Linux kernel. This will allow Linux guests to run on the maturing Windows 2008 hypervisor, Microsoft Hyper-V. Publicly releasing source code is an unexpected move from Microsoft and an indicator of their appetite to compete with VMware’s dominant market share.

Microsoft stuns Linux world, submits source code for kernel

In an historic move, Microsoft Monday submitted driver source code for inclusion in the Linux kernel under a GPLv2 license. The code consists of four drivers that are part of a technology called Linux Device Driver for Virtualization.

Microsoft Linux Move Puts Pressure on VMware

Microsoft’s historic embrace of Linux technology could have wide-reaching impacts on the virtualization market and Microsoft’s rival VMware.

By allowing greater ability to run Linux on the Hyper-V virtualization platform, Microsoft is making a compelling case that it could be the virtualization vendor of choice for consolidation of Windows and Linux applications, says Gartner analyst George Weiss.