23 Feb 2010

Enabling Server and Desktop Virtualization


Virtualization is a major part of today's data centers. The operating efficiencies offered by virtualization allow organizations to dramatically reduce operational effort and power consumption.

Windows Server 2008 R2 provides the following virtualization types:

  • Client and Server Virtualization Provided by Hyper-V

    Hyper-V virtualizes the system resources of a physical computer. Computer virtualization allows you to provide a virtualized environment for operating systems and applications. When used alone, Hyper-V™ is typically used for server computer virtualization. When Hyper-V is used in conjunction with Virtual Desktop Infrastructure (VDI), Hyper-V is used for client computer virtualization.

    Windows Server 2008 server virtualization using Hyper-V technology has been an integral part of the operating system. Windows Server 2008 R2 introduces a new version of Hyper-V. Hyper-V in Windows Server 2008 R2 includes three core areas of improvement for creating dynamic virtual data centers:


Presentation Virtualization

This type of virtualization provided by Remote Desktop Services' RemoteApp (see below for more information on the Terminal Services' name change in Windows Server 2008 R2) virtualizes a processing environment and isolates the processing from the graphics and I/O, making it possible to run an application in one location but have it be controlled in another.

Terminal Services makes it possible to remotely run an application in one location but have it be controlled and managed in another. Microsoft has evolved this concept considerably in Windows Server 2008 R2, and renamed Terminal Services to Remote Desktop Services (RDS) to better reflect these new features and capabilities. The goal of RDS is to provide both users and administrators with both the features and the flexibility necessary to build the most robust access experience in any deployment scenario.

To expand the Remote Desktop Services feature set, Microsoft has been investing in the Virtual Desktop Infrastructure, also known as VDI, in collaboration with our partners, which include Citrix, Unisys, HP, Quest, Ericom and several others. VDI is a centralized desktop delivery architecture, which allows customers to centralize the storage, execution and management of a Windows desktop in the data center. It enables Windows and other desktop environments to run and be managed in virtual machines on a centralized server. RDS and VDI address these challenges with the following features:

18 Feb 2010

Automated Migration from Windows XP to Windows 7

You can find more information about automating LTI deployment in the Windows 7 Resource Kit from Microsoft Press. I'm the lead author for this Resource Kit and I also maintain the Unofficial Support Site for the Windows 7 Resource Kit where you will find the latest updates and other useful information.

In the previous article of this series, we examined how MDT 2010 together with USMT 4.0 can be used to manually migrate a Windows XP computer to Windows 7 while maintaining the user settings and data on the computer. In this article we are going to fully automate the migration process.

To do this, use the Deployment Workbench on your MDT computer to open the properties of your deployment share. If you have worked through the previous article of this series then the Bootstrap.ini file for this share will look like this:

  • [Settings]
    Priority=Default
    [Default]
    DeployRoot=\\SEA-DC1\DeploymentShare$
    UserID=Administrator
    UserDomain=CONTOSO
    UserPassword=Pa$$w0rd
    KeyboardLocale=en-US
    SkipBDDWelcome=YES

This is fine as is. We do not need to modify Bootstrap.ini any further.

Now examine the CustomSettings.ini file for your deployment share, which should currently look like this:

  • [Settings]
    Priority=Default
    Properties=MyCustomProperty
    [Default]
    OSInstall=YES
    SkipAdminPassword=YES
    SkipApplications=YES
    SkipAppsOnUpgrade=YES
    SkipBDDWelcome=YES
    SkipBitLocker=YES
    SkipCapture=YES
    SkipComputerName=NO
    SkipComputerBackup=NO
    ComputerBackupLocation=AUTO
    SkipDeploymentType=NO
    SkipDomainMembership=YES
    JoinDomain=CONTOSO
    DomainAdmin=Administrator
    DomainAdminDomain=CONTOSO
    DomainAdminPassword=Pa$$w0rd
    SkipFinalSummary=NO
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US
    SkipPackageDisplay=YES
    SkipProductKey=YES
    SkipSummary=NO
    SkipTaskSequence=NO
    SkipTimeZone=YES
    TimeZoneName=Central Standard Time
    SkipUserData=NO
    UserDataLocation=AUTO

Here is where we need to make several changes in order to automate the migration process.

First, change this line:

  • SkipComputerName=NO

to the following:

  • SkipComputerName=YES

Doing this means you won't be prompted to rename the computer during the migration.

Next, change these two lines:

  • SkipComputerBackup=NO
    ComputerBackupLocation=AUTO

to the following:

  • SkipComputerBackup=YES
    ComputerBackupLocation=NONE

Of course, not backing up the computer before migrating it is not a good idea, but we will do this to speed up the walkthrough.

Next, change this line:

  • SkipDeploymentType=NO

to this:

  • SkipDeploymentType=YES

and add the following line below it:

  • DeploymentType=REFRESH

Doing this means that you won't be prompted to choose the type of deployment scenario to perform.

Next, change this line:

  • SkipTaskSequence=NO

to this:

  • SkipTaskSequence=YES

Then under this line add another line specifying the task sequence you will use for the migration, which in my own lab environment is the following:

  • TaskSequenceID=XP_TO_W7

Next, change this line:

  • SkipUserData=NO

to this:

  • SkipUserData=YES

Leave this line unchanged:

  • UserDataLocation=AUTO

This will cause user state information to be captured and restored using hard-link migration.

Finally, change these two lines:

  • SkipFinalSummary=NO
    SkipSummary=NO

to read as follows:

  • SkipFinalSummary=YES
    SkipSummary=YES

Doing this will hide the final summary screen of the Windows Deployment Wizard from the computer's user.

Having made all of these changes, your CustomSettings.ini file should now look like this:

  • [Settings]
    Priority=Default
    Properties=MyCustomProperty
    [Default]
    OSInstall=YES
    SkipAdminPassword=YES
    SkipApplications=YES
    SkipAppsOnUpgrade=YES
    SkipBDDWelcome=YES
    SkipBitLocker=YES
    SkipCapture=YES
    SkipComputerName=YES
    SkipComputerBackup=YES
    ComputerBackupLocation=NONE
    SkipDeploymentType=YES
    DeploymentType=REFRESH
    SkipDomainMembership=YES
    JoinDomain=CONTOSO
    DomainAdmin=Administrator
    DomainAdminDomain=CONTOSO
    DomainAdminPassword=Pa$$w0rd
    SkipFinalSummary=YES
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US
    SkipPackageDisplay=YES
    SkipProductKey=YES
    SkipSummary=YES
    SkipTaskSequence=YES
    TaskSequenceID=XP_TO_W7
    SkipTimeZone=YES
    TimeZoneName=Central Standard Time
    SkipUserData=YES
    UserDataLocation=AUTO
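The eight edits above are mechanical, so here is an added Python helper (not part of the article or of MDT) that applies them to a copy of the starting CustomSettings.ini and then audits the result before it goes onto the deployment share. The starting file is the walkthrough's own; the audit checks are assumptions about what a reviewer would want flagged: a skipped wizard page with no value behind it, a refresh with no backup, and credentials sitting in clear text in a file every deployment client reads.

```python
# Constructed copy of the starting CustomSettings.ini shown in the walkthrough (lab values from the page).
BEFORE = """[Settings]
Priority=Default
Properties=MyCustomProperty
[Default]
OSInstall=YES
SkipAdminPassword=YES
SkipApplications=YES
SkipAppsOnUpgrade=YES
SkipBDDWelcome=YES
SkipBitLocker=YES
SkipCapture=YES
SkipComputerName=NO
SkipComputerBackup=NO
ComputerBackupLocation=AUTO
SkipDeploymentType=NO
SkipDomainMembership=YES
JoinDomain=CONTOSO
DomainAdmin=Administrator
DomainAdminDomain=CONTOSO
DomainAdminPassword=Pa$$w0rd
SkipFinalSummary=NO
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipPackageDisplay=YES
SkipProductKey=YES
SkipSummary=NO
SkipTaskSequence=NO
SkipTimeZone=YES
TimeZoneName=Central Standard Time
SkipUserData=NO
UserDataLocation=AUTO
"""

# The edits the article makes, in order: (key, new value, optional key=value to add directly below it).
CHANGES = [
    ("SkipComputerName", "YES", None),
    ("SkipComputerBackup", "YES", None),
    ("ComputerBackupLocation", "NONE", None),
    ("SkipDeploymentType", "YES", ("DeploymentType", "REFRESH")),
    ("SkipTaskSequence", "YES", ("TaskSequenceID", "XP_TO_W7")),
    ("SkipUserData", "YES", None),
    ("SkipFinalSummary", "YES", None),
    ("SkipSummary", "YES", None),
]


def set_key(lines, key, value, add_below=None):
    """Rewrite key=value in place (MDT keys are case-insensitive) and optionally insert a line right after it."""
    for i, line in enumerate(lines):
        k, sep, _ = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            lines[i] = f"{key}={value}"
            if add_below:
                lines.insert(i + 1, f"{add_below[0]}={add_below[1]}")
            return
    raise KeyError(f"{key} not found in CustomSettings.ini")


def automate(ini_text):
    """Return the fully unattended CustomSettings.ini for the Refresh Computer scenario."""
    lines = ini_text.splitlines()
    for key, value, add_below in CHANGES:
        set_key(lines, key, value, add_below)
    return "\n".join(lines) + "\n"


def parse_section(ini_text, section="Default"):
    """Return {lower-cased key: value} for one section of an MDT INI file."""
    values, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and current == section.lower():
            values[key.strip().lower()] = value.strip()
    return values


def audit(ini_text):
    """Findings a reviewer should see before an unattended run (checks are this example's assumptions)."""
    d = parse_section(ini_text)
    findings = []
    for skip_key, needed in (("SkipDeploymentType", "DeploymentType"),
                             ("SkipTaskSequence", "TaskSequenceID"),
                             ("SkipUserData", "UserDataLocation")):
        if d.get(skip_key.lower()) == "YES" and not d.get(needed.lower()):
            findings.append(f"{skip_key}=YES but {needed} is not set; the wizard page is skipped with nothing behind it")
    if d.get("computerbackuplocation") == "NONE":
        findings.append("ComputerBackupLocation=NONE: no image backup exists if the refresh fails")
    for secret in ("UserPassword", "DomainAdminPassword"):
        if d.get(secret.lower()):
            findings.append(f"{secret} is stored in clear text and is readable by anyone who can open the share")
    return findings
```

Running `audit(automate(BEFORE))` on the walkthrough file reports the missing backup and the clear-text DomainAdminPassword, which is exactly the trade-off the article accepts for speed.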

Before you perform the deployment, make sure that you have customized the user's computer, for example, by copying a photo file to the My Pictures folder in her user profile as we did in the previous article of this series.

Now log onto the user's computer as Administrator, open a command prompt, and type the following command to launch the Windows Deployment Wizard on the computer:

\\SEA-DC1\DeploymentShare$\Scripts\LiteTouch.vbs

Instead of having to respond to various prompts of the wizard, the progress bar will immediately be displayed indicating that the user state information on the computer is being captured (Figure 1):


Figure 1: User state information is being captured

After a short time, the computer will reboot and MDT will begin applying the Windows 7 image to the computer. Once Windows 7 has been installed and the computer reboots for the last time, the progress bar will indicate that the captured user state information is being restored (Figure 2):


Figure 2: User state information is being restored

Once this is done, the user can log onto her refreshed computer and when she opens her Pictures library, she sees that the photo is still present, which indicates that her user state information has been successfully migrated (Figure 3):


Figure 3: The migration succeeded

Considerations when Migrating from Windows XP to Windows 7

Before you jump in and begin migrating all your Windows XP computers to Windows 7, you need to consider a few things.

First, if your Windows XP computers are old and do not have the hardware to properly support running Windows 7 on them, consider using the Replace Computer deployment scenario instead of the Refresh Computer scenario. In the Replace Computer scenario, MDT first uses USMT to capture user state information and save it to a network share. Then MDT performs a clean installation of Windows 7 on a brand-new computer. Finally, MDT uses USMT to restore the user state information to the new computer. In this scenario, the user gets a new computer and a new operating system but retains her existing user settings and data. Afterwards you send the users' old computers to the recycle mart.

Second, if your Windows XP computers have older applications that aren't compatible with Windows 7 then you'll need to use the application compatibility tools and strategies outlined in part 12 of this series before you can consider migrating the computers to Windows 7.

Third, if you plan on upgrading the applications on your Windows XP computers to newer versions of these applications, and if all important user data is redirected for storage on the network, then maybe you shouldn't migrate the computers at all. Instead, consider using the New Computer deployment scenario to deploy Windows 7 together with new applications onto either new or existing hardware, and forget about migrating user settings and data. After all, what better time to start from scratch than when you are migrating your desktop computers from an operating system that is approaching end of life?

Finally, if you want to customize which user settings and data are migrated and which are not migrated (for example to avoid migrating settings for older applications that are no longer needed) then you need to learn how to customize the XML migration files that govern how USMT works. In this case, you can begin learning more by reading Chapter 7 of the Windows 7 Resource Kit from Microsoft Press. This will give you a good introduction to how USMT can be customized, and if you need to dig deeper into this topic then see the User State Migration Tool 4.0 User's Guide in the TechNet Library here.

Manual Migration from Windows XP to Windows 7

Understanding the Refresh Computer Deployment Scenario

So far we've looked at how to use MDT 2010 to deploy a Windows 7 image onto bare-metal target computers. This is known as the New Computer deployment scenario, whereby a new installation of Windows 7 is deployed to a new computer. In the New Computer scenario, there are no existing user settings or data that need to be migrated, and the Standard Client Task Sequence is used to deploy the captured image of your reference computer onto the target computer.

But what if our target computers are already in use, are running Windows XP, and have user settings and data stored on them? And what if we want to migrate these computers to Windows 7 while retaining the existing user settings and data on each computer? In that case, the user settings and data on each computer must first be saved, then the computer must be wiped, the new operating system laid down, and finally the user settings and data restored. This is known as the Refresh Computer deployment scenario, and in addition to using this approach to migrate computers from Windows XP to Windows 7 you can also use it to "repair" users' Windows 7 computers by re-imaging them when they become corrupted.

Note:
Why can't one use the Upgrade Computer deployment scenario to migrate computers from Windows XP to Windows 7? Because there is no supported upgrade path from Windows XP to Windows 7; take a look at this link for a list of supported upgrade scenarios. For more information on deployment scenarios, see my earlier article Understanding Deployment Scenarios in my series of articles on deploying Vista.

Verifying Migration Readiness

Before you migrate a Windows XP computer to Windows 7, you should make sure the computer is able to run the new operating system. If you are only migrating a small number of computers, you can use the Windows 7 Upgrade Advisor, available from here. For larger migrations however, you should use the Microsoft Assessment and Planning Tool (MAP) 4.0 described in article 3 and article 4 of this series.

Migrating User Settings and Data

MDT 2010 includes the User State Migration Tool (USMT) 4.0 and uses this tool to migrate user settings and data during a Refresh or Replace Computer deployment scenario. A new feature of version 4.0 of USMT is support for hard-link migration, which allows user settings and data to remain stored on the computer during a Refresh Computer deployment scenario. With earlier versions of USMT, user state information (user settings and data) had to be copied to a network share or removable media because the computer was wiped during a Refresh Computer deployment scenario; then, after the operating system was installed, the user state information was restored by copying it back to the computer from the network share or removable media where it had been saved.

With hard-link migration however, the user state remains where it is on the user's computer, and hard links are created for the user settings and data files. A hard link is a directory entry for a file on an NTFS file system. Usually each file has a single hard link, meaning the file appears in a single directory on the file system. With hard-link migration however, USMT creates an additional hard link for each user setting or data file so that the file also appears to reside in the temporary C:\MININT folder created by MDT during deployment. Then, instead of wiping the file system from the computer in order to re-image it, MDT 2010 simply deletes all operating system folders and files from the computer (the boot volume is not formatted) while the MININT folder ensures that the user state information is not deleted from the computer. After installation is complete, the user state information is restored to its proper locations by rebuilding the links to the files, and the MININT folder together with its hard links is deleted.

The benefits of this approach for migrations are threefold:

  1. The migration is faster because the file system does not need to be wiped and recreated during deployment.
  2. The migration is faster because the user state information doesn't need to be copied to a network location, deleted from the computer, and restored.
  3. The deployment is simpler because you do not need to create a separate network share for storing saved user state information.
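To make the mechanism concrete, here is an added simulation (not MDT or USMT code) that walks one user file through the capture, wipe and restore stages on a scratch directory using ordinary hard links, recording the file's link count at each stage. The profile path, the MININT\StateStore folder name and the photo contents are constructed stand-ins.

```python
import os
import shutil
import tempfile


def simulate_hardlink_refresh(root):
    """Walk one user file through capture, wipe and restore; return the link count seen at each stage."""
    profile = os.path.join(root, "Users", "kberg", "My Pictures")   # constructed stand-in for the XP profile
    minint = os.path.join(root, "MININT", "StateStore")             # constructed stand-in for MDT's temp folder
    os.makedirs(profile)
    photo = os.path.join(profile, "photo.bmp")
    with open(photo, "wb") as f:
        f.write(b"BM" + b"\x00" * 62)                                # constructed bitmap-like content
    stages = {"before": os.stat(photo).st_nlink}                     # one directory entry for the file

    # Capture: add a second directory entry for the same data under MININT instead of copying it anywhere.
    # A hard link only works within one volume, which is why the boot volume must not be formatted.
    os.makedirs(minint)
    captured = os.path.join(minint, "photo.bmp")
    os.link(photo, captured)
    stages["captured"] = os.stat(photo).st_nlink                     # two names, one copy of the bytes
    same_data = os.path.samefile(photo, captured)

    # Wipe: the old operating-system folders go, the volume is not formatted, MININT is left alone.
    shutil.rmtree(os.path.join(root, "Users"))
    stages["after_wipe"] = os.stat(captured).st_nlink                # back to one entry, data still intact

    # Restore: rebuild the profile path, link the file back into it, then drop MININT and its links.
    os.makedirs(profile)
    os.link(captured, photo)
    shutil.rmtree(os.path.join(root, "MININT"))
    stages["restored"] = os.stat(photo).st_nlink
    with open(photo, "rb") as f:
        intact = f.read(2) == b"BM"
    return stages, same_data, intact


def run_simulation():
    """Run the walkthrough in a throwaway directory and clean up afterwards."""
    root = tempfile.mkdtemp(prefix="refresh-sim-")
    try:
        return simulate_hardlink_refresh(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_simulation())
```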

Manually Migrating Windows XP Computers to Windows 7

Now let us try manually migrating a Windows XP computer to Windows 7 using MDT 2010. Begin by customizing the computer, for example by saving a bitmap image file in the My Pictures folder of user Karen Berg (CONTOSO\kberg) as shown in Figure 1:


Figure 1: Karen's computer is currently running Windows XP and has a photo in her My Pictures folder

Now on the technician computer, open the properties of your deployment share and configure the BootStrap.ini file to read as follows:

  • [Settings]
    Priority=Default
    [Default]
    DeployRoot=\\SEA-DC1\DeploymentShare$
    UserID=Administrator
    UserDomain=CONTOSO
    UserPassword=Pa$$w0rd
    KeyboardLocale=en-US
    SkipBDDWelcome=YES

Then configure the CustomSettings.ini file to read as follows:

  • [Settings]
    Priority=Default
    Properties=MyCustomProperty
    [Default]
    OSInstall=YES
    SkipAdminPassword=YES
    SkipApplications=YES
    SkipAppsOnUpgrade=YES
    SkipBDDWelcome=YES
    SkipBitLocker=YES
    SkipCapture=YES
    SkipComputerName=NO
    SkipComputerBackup=NO
    ComputerBackupLocation=AUTO
    SkipDeploymentType=NO
    SkipDomainMembership=YES
    JoinDomain=CONTOSO
    DomainAdmin=Administrator
    DomainAdminDomain=CONTOSO
    DomainAdminPassword=Pa$$w0rd
    SkipFinalSummary=NO
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US
    SkipPackageDisplay=YES
    SkipProductKey=YES
    SkipSummary=NO
    SkipTaskSequence=NO
    SkipTimeZone=YES
    TimeZoneName=Central Standard Time
    SkipUserData=NO
    UserDataLocation=AUTO

Then create a new task sequence based on the Standard Client Task Sequence and configure the task sequence to deploy Windows 7 Enterprise edition.

Now log onto Karen's computer as Administrator, open a command prompt, and type the following command to launch the Windows Deployment Wizard on the computer:

\\SEA-DC1\DeploymentShare$\Scripts\LiteTouch.vbs

The wizard will begin by prompting you to select a task sequence (Figure 2):


Figure 2: Select the task sequence for migrating from XP to Windows 7

Next, you will be prompted to select the Refresh Computer deployment scenario (Figure 3):


Figure 3: Note that the Upgrade Computer deployment scenario is not available for Windows XP

Next, you will be prompted to specify a new name for the computer or accept the existing name (Figure 4):


Figure 4: Specify the computer name

Next, you are prompted to specify how to handle user state information. Leave this set at the default of automatically determining the location and storing the information locally on the computer (Figure 5):


Figure 5: Using hard-link migration to store user state information locally on the computer

Next, you are prompted to make an image backup of your computer in case the migration fails. You should always do this, but for this walkthrough we will omit the part where you create the backup to speed things up (Figure 6):


Figure 6: You should back up the computer before migrating it to Windows 7 (though we are not doing this here)

Next, review the choices you have made (Figure 7):


Figure 7: Review your selections

Now click Begin, and soon a progress bar will indicate that user state information is being captured (Figure 8):


Figure 8: User state information is being captured and saved on the computer

After a short time, the computer will reboot and MDT will begin applying the Windows 7 image to the computer. Once Windows 7 has been installed and the computer reboots for the last time, the progress bar will indicate that the captured user state information is being restored (Figure 9).


Figure 9: User state information is being restored

This may take a few minutes. Once this is done, Karen Berg can log onto her refreshed computer and when she opens her Pictures library, she sees that the photo is still present, which indicates that her user state information has been successfully migrated (Figure 10):


Figure 10: The migration of user state information was successful during the XP to Win7 migration

Understanding MAP 4.0

The Microsoft Assessment and Planning Toolkit (MAP) allows organizations to assess their current IT infrastructure (hardware and software) in order to determine what Microsoft technologies can help them meet their business needs. MAP evolved from the earlier Windows Vista Hardware Assessment Solution Accelerator, which was designed to help organizations assess the readiness of their desktop computing infrastructure for the deployment of Windows Vista and Microsoft Office 2007. MAP is a Solution Accelerator, a set of automation tools and guidance that helps accelerate the adoption of Microsoft technologies by helping organizations during the planning phase of desktop or server migration or consolidation. A complete list of available Solution Accelerators can be found here.

The previous version of MAP (version 3.2) allows organizations to:

  • Perform secure agent-less network-wide hardware and software inventory of Windows computers and their devices by using WMI, SNMP, and other mechanisms.
  • Perform comprehensive data analysis of hardware and device compatibility in order to determine readiness of migration systems for Windows Vista, Windows Server 2008, Microsoft Office 2007 and Microsoft Application Virtualization and to assist in planning for consolidation of physical computers onto Hyper-V or Virtual Server 2005 R2.
  • Generate in-depth readiness reports containing both summary and detailed assessment results for different migration scenarios that include recommendations for migration or server consolidation.

The new version of MAP (version 4.0) that was recently released includes these new features:

  • An improved, simpler user interface that makes it easier than ever to inventory your infrastructure, assess readiness for different scenarios, and generate reports and recommendations.
  • Support for readiness assessment for Windows 7 and Windows Server 2008 R2.
  • Expanded support for readiness assessment for different server consolidation scenarios.
  • Improved experience to calculate Return on Investment (ROI) for server virtualization project by using MAP and the Integrated Virtualization ROI Tool.
  • Support for OEM and Partner customization of the MAP user interface and migration proposal documents.

The focus of this present series is on deploying Windows 7 and MAP 4.0 is a terrific tool to help you plan your desktop migration. Even so, MAP 4.0 can do far more than just assess whether your desktop computers can run Windows 7. Using MAP 4.0, you can:

  • Perform a comprehensive inventory of PC hardware and software including SQL Server instances.
  • Assess whether your servers are ready for migration to Windows Server 2008 R2.
  • Discover server roles on your network.
  • Find physical computers that are potential candidates for virtualization using Hyper-V.
  • Discover VMware virtual machines for potential migration to Hyper-V.
  • Assess possible candidates for App-V virtualization.
  • Perform readiness assessments for Microsoft Forefront and implementing Network Access Protection (NAP).
  • Estimate potential power savings when different power management settings are implemented on clients and servers.

MAP 4.0 and Windows 7 Deployment

MAP 4.0 is one of three key tools from Microsoft that organizations typically will need to use when preparing to migrate their desktops to Windows 7:

  1. MAP 4.0 – Use this tool first to assess the readiness of your environment to migrate your desktop computers to Windows 7.
  2. ACT 5.5 – Use the Application Compatibility Toolkit 5.5 next to test your existing applications for possible compatibility issues when running them on Windows 7 and for mitigating such issues by creating application shims for problem apps.
  3. MDT 2010 – Use the Microsoft Deployment Toolkit 2010 to deploy Windows 7 once you have assessed that your desktop computers are ready for Windows 7 and that your legacy line-of-business (LoB) applications can be shimmed to run properly under Windows 7.

A product manager on the MAP team told me that internally they like to refer to these tools as "The Three Musketeers". Personally, I like to refer to them as MAPACTMDT :)

Installing MAP 4.0

Begin by downloading MAP 4.0 from here on the Solution Accelerators TechCenter on Microsoft TechNet. It is supported on:

  • Windows XP SP2 or later
  • Windows Vista Ultimate, Enterprise or Business
  • Windows 7 Professional, Enterprise or Business
  • Windows Server 2003 SP1 or later
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

There are versions of MAP for the x86 and x64 architectures. Before installing MAP 4.0 you must ensure that you have the following additional software installed:

  • .NET Framework 3.5 SP1
  • Windows Installer 4.5
  • Microsoft Office Word 2007 or Microsoft Word 2003 SP2
  • Microsoft Office Excel 2007 or Microsoft Excel 2003 SP2

During installation of MAP 4.0, the setup will download and install SQL Server 2008 Express Edition on your computer. Once installation of MAP 4.0 is completed, you will be prompted to create an instance of a SQL Server 2008 Express database for storing the inventory information MAP acquires during the assessment process (see Figure 1):


Figure 1: Creating a SQL Server 2008 Express database instance for use by MAP

Examining MAP 4.0

Once MAP 4.0 has been installed on a computer, you can launch the program from the Start menu. The MAP console displays a navigation pane on the left that has three buttons at the bottom: Inventory and Assessment, Surveys, and Reference Material. Selecting the Inventory and Assessment button displays a tree view of options you can choose from:

  • Discovery and Readiness
  • Server Consolidation

Selecting the Discovery and Readiness option as shown in Figure 2 below lets you perform inventory and assess readiness for:

  • Migrating client computers to Windows 7, Windows Vista or Office 2007.
  • Discovering server roles and SQL Server instances, and migrating servers to Windows Server 2008 or Windows Server 2008 R2.
  • Discovering virtual machines present on your network.


Figure 2: The Discovery and Readiness option under Inventory and Assessment

Selecting the Server Consolidation option as shown in Figure 3 below lets you perform the following server consolidation tasks:

  • Inventory your server environment for physical servers that can be consolidated as virtual machines on Hyper-V.
  • Gather performance metrics for server consolidation.
  • Configure host machine equivalents and make recommendations concerning placement of guest machines.
  • Calculate the potential return on investment (ROI) your organization can achieve through implementing a Microsoft integrated virtualization solution.


Figure 3: The Server Consolidation option under Inventory and Assessment

Selecting the Survey button in the bottom portion of the navigation pane allows you to:

  • Use an online survey to evaluate the migration of your existing messaging infrastructure to the Microsoft Exchange Hosted Services available from Microsoft Online Services (click here for more information).
  • Download the Infrastructure Planning and Design (IPD) assessment guide and scenario selection tool for Windows Optimized Desktop Scenarios, which you can use to evaluate the implementation of different Microsoft desktop virtualization technologies that could provide extra benefits to your desktop users, including rich and thin client solutions such as Windows Vista, App-V, VDI and more.


Figure 4: The Surveys option provides links to an online survey and a Solution Accelerator you can download

The final button (Reference Material) found at the bottom of the navigation pane takes you to a page that has links to other useful planning and assessment tools available from Microsoft. It will also direct you to various documentation pages on Microsoft TechNet that can help you during the planning phases (Figure 5):


Figure 5: Links to additional reference material are available from within the MAP

Windows Server 2008 R2 Name Resolution Policy Table (NRPT)

Wouldn't it be nice to have a method you could use to control what DNS server is used by a DNS client based on the FQDN or some other criteria you set within Group Policy? This kind of feature would expand your client-side name resolution options by allowing the client to use the DNS servers configured on the system's NIC(s) or use different DNS servers based on FQDN, DNS suffix, DNS prefix, IPv4 Network ID, IPv6 Network ID or anything else! Well, you can do that in a limited set of scenarios by taking advantage of the Name Resolution Policy Table included with Windows Server 2008 R2.

The NRPT defines the DNS client behavior based on queries made by the DNS client. If the client makes a query for one FQDN, that query would be sent to the DNS server configured on the client's NIC. If the client makes a query for another FQDN, that query would be sent to another DNS server, not configured on the client's NIC, but based on an entry in the NRPT. In fact, Windows 7 and Windows Server 2008 R2 take advantage of this ability to control what DNS servers are used and what the DNS client behavior should be based on the query subject in their implementations of DNSSEC and DirectAccess.

Before the DNS client issues a DNS query, it will check the NRPT to see if it should set any flags on the request. After receiving a response from the DNS server, the DNS client will check again to see whether there are any other processing requirements before moving forward. If there is no NRPT configured on the client, then the client will send DNS queries to the DNS servers configured on its NIC, and there will be no special processing of DNS queries either before or after the query is sent.

To get a better idea of what you can do in the NRPT, let's take a look at the NRPT settings in Active Directory Group Policy. You can find them by opening the Group Policy Editor and navigating to Computer Configuration\Policies\Windows Settings\Name Resolution Policy, as seen in the figure below.


Figure 1

In the right pane of the console you will see the NRPT configuration interface, as seen in the figure below.


Figure 2

Let us now examine the options and see how they are used to configure an NRPT entry.

In the To which part of the namespace does this rule apply? section, you decide whether you want the rule to apply to a Suffix, a Prefix, an FQDN, a Subnet (IPv4), a Subnet (IPv6) or Any. If you select "Any" then all queries will be controlled by the policy you set for this NRPT entry. In this example, we have chosen the Suffix option and entered a DNS suffix of ipadsux.org.

The next option is the Certification Authority (Optional) setting. This is used when you use the NRPT for a DNSSEC deployment. DNSSEC is a method you can use to ensure that DNS queries and responses are handled securely, and that DNS clients can authenticate DNS servers for queries made for hosts in specific domains. You can click the Browse button to find a CA certificate that you want the DNS client to trust when authenticating the DNS server in a DNSSEC deployment.

There are two tabs that you can use to create this rule for the NRPT: the DNSSEC tab and the DNS Settings for DirectAccess tab. When creating the rule, use only one of these tabs at a time. In general, it's better to break the rules out, separating the DNSSEC rules from the DirectAccess rules; this makes them easier to keep track of and to clear independently if you ever have a need to do so.

On the DNSSEC tab, as seen in the figure below, you have the following options:

  • Enable DNSSEC in this rule: When this is enabled, any queries for the FQDN specified above will require the use of DNSSEC.
  • Require DNS clients to check that name and address data has been validated by the DNS Server: Setting this value controls how the DNS client processes DNS queries; it does not control DNS server behavior or configuration of a "trust anchor" (used by DNSSEC to secure zones) on the DNS server. What it does do is tell the DNS clients to check for the "Authenticated Data" bit in the DNS response returned by the DNS server for the DNS query issued by the client. If the "Authenticated Data" bit is not set (thus confirming that the response data is not validated) the DNS client will drop the response and consider the query as failed.
  • Use IPsec in communication between the DNS client and DNS server: This option tells the client whether it should establish an IPsec connection between itself and the DNS server before issuing the DNS query and receiving the DNS query response. If you do choose to enable IPsec to secure the communication between the DNS client and server, then you have several options in terms of how to secure the connection: No encryption (integrity only), Low: 3DES, AES (128, 192, 256), Medium: AES (128, 192,256), or High: AES (192,256). The "no encryption" option provides for machine authentication only and the DNS query traffic will move in the clear. If you choose an encryption option, the IPsec link will be both authenticated and encrypted, using the level of encryption you select here and that supported by the client and server.
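The two client-side decisions the text describes (which NRPT rule a query falls under and where it is sent, then whether a reply without the Authenticated Data bit is dropped) as an added Python model; this is illustrative code, not Microsoft's DNS client. The rule fields mirror the Group Policy options above, the ipadsux.org suffix is the page's own, the corp.example.test rule and the server addresses are constructed, and longest-match-wins ordering between overlapping rules is an assumption.

```python
import struct
from dataclasses import dataclass


@dataclass
class NrptRule:
    kind: str                         # "Suffix", "Prefix", "FQDN" or "Any", as in the Group Policy UI
    name: str = ""
    dns_servers: tuple = ()           # assumption: empty means "send to the servers on the NIC"
    dnssec: bool = False              # "Enable DNSSEC in this rule"
    require_validation: bool = False  # "Require DNS clients to check that ... data has been validated"
    ipsec: str = "None"               # "None", "No encryption", "Low", "Medium" or "High"

    def matches(self, qname):
        q = qname.lower().rstrip(".")
        n = self.name.lower().strip(".")
        if self.kind == "Any":
            return True
        if self.kind == "FQDN":
            return q == n
        if self.kind == "Suffix":
            return q == n or q.endswith("." + n)   # label-boundary match, so "xipadsux.org" does not count
        if self.kind == "Prefix":
            return q.split(".")[0] == n
        raise ValueError(f"unknown namespace kind {self.kind!r}")


def select_rule(rules, qname):
    """Assumption: when several rules match, the most specific (longest name) wins and 'Any' loses to all."""
    matched = [r for r in rules if r.matches(qname)]
    if not matched:
        return None
    return max(matched, key=lambda r: (r.kind != "Any", len(r.name)))


def plan_query(rules, qname, nic_servers):
    """Pre-query step: return (servers to send to, governing rule). No rule means NIC servers, no special handling."""
    rule = select_rule(rules, qname)
    if rule is None or not rule.dns_servers:
        return tuple(nic_servers), rule
    return rule.dns_servers, rule


AD_BIT = 0x0020   # Authenticated Data flag in the DNS header flags word (RFC 4035)


def accept_response(rule, raw_response):
    """Post-query step: with validation required, a reply whose AD bit is clear is dropped and the query fails."""
    if len(raw_response) < 12:
        return False                                   # not even a full DNS header
    _ident, flags, *_counts = struct.unpack("!6H", raw_response[:12])
    if rule is not None and rule.dnssec and rule.require_validation:
        return bool(flags & AD_BIT)
    return True


def make_reply(ad_bit):
    """Constructed 12-byte DNS header (QR, RD, RA set; AD optional); sections are irrelevant for this check."""
    flags = 0x8180 | (AD_BIT if ad_bit else 0)
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


# Sample table: the page's DNSSEC rule plus a constructed DirectAccess-style pair (intranet suffix, public exception).
RULES = [
    NrptRule("Suffix", "ipadsux.org", dnssec=True, require_validation=True, ipsec="Low"),
    NrptRule("Suffix", "corp.example.test", dns_servers=("10.0.0.53",)),
    NrptRule("FQDN", "www.corp.example.test"),        # resolved through the NIC servers despite the suffix rule
]
NIC_SERVERS = ("192.0.2.53",)


if __name__ == "__main__":
    for q in ("mail.ipadsux.org", "intranet.corp.example.test", "www.corp.example.test", "example.com"):
        servers, rule = plan_query(RULES, q, NIC_SERVERS)
        print(q, "->", servers, "rule:", rule.kind if rule else "none")
```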


Figure 3

After making your DNSSEC configuration selection, you can click the Update button and then see the NRPT entry in the Name Resolution Policy Table as seen in the figure below. Notice that there are two buttons under the table: Delete Rule and Edit Rule. These buttons appear when you click the line on the table for the rule of interest. If you want to edit the rule, click the Edit Rule button. If you want to delete the rule, click the Delete Rule button. It's pretty easy.


Figure 4

Now let us examine the options for the DNS Settings for DirectAccess. Notice that there is a minor spelling error on this Group Policy Object configuration page. DirectAccess should be one word but is listed as a two-word term several times in this configuration interface. I told Tom about this and now it's his problem :)

Note that if you want to create a new rule, you should click the Clear button and start the configuration over from the To which part of the namespace does this rule apply section and the Certification Authority section. Then you can click the Create button to create the new rule and use the Edit Rule button to make changes later if you like.

The options you have here include:

  • Enable DNS settings for Direct Access [sic] in this rule: This option turns on the DNS settings configured here for the DirectAccess clients.
  • Web proxy (optional): This is an interesting option, which might have several meanings. However, this appears to not be documented, so I recommend you avoid this option until such documentation becomes available.
  • IPsec: Use IPsec in communication between the DNS client and DNS server: This option enables the same options as the IPsec choices seen earlier. You have the same options, which include No encryption, Low, Medium and High.


Figure 5

There is one more dialog box that is of interest if you are deploying a Windows DirectAccess solution. Click the Advanced Global Policy Settings button to expose this dialog box, as seen in the figure below.


Figure 6

This dialog box exposes three sections:

  • Network Location Dependency
  • Query Failure
  • Query Resolution

The Network Location Dependency option allows you to configure roaming options. The default is Let Network ID (NID) determine when Direct Access [sic] settings are to be used. This is an undocumented option, but I believe it is related to whether or not the client is able to connect to a certain resource on the corpnet to determine which DNS settings to use when the client is acting as a DirectAccess client. If the client detects that it is on-network, it will use the DNS settings configured on its NIC. If the DirectAccess client isn't able to connect to a resource that is located on the corpnet, then the DirectAccess client assumes that it is off-network and will use DirectAccess settings for name resolution. However, this is an educated guess, since these settings are undocumented at this time.

The Query Failure option defines how name resolution should be handled if there is a DNS name query failure. If you select the Configure query failure options checkbox, the default setting is Always fall back to Link-Local Multicast Name Resolution (LLMNR) and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network (moderately secure). This option allows the use of local name resolution on a private network when the corpnet DNS servers are unavailable to the DirectAccess client.

The Query Resolution section is also interesting. Again, this entire dialog box is not documented, but I think we can figure it out. When you select the Configure query resolution options checkbox, you have two options: Resolve only IPv6 address for names (recommended) and Resolve both IPv4 and IPv6 addresses for names. This is interesting because when the DirectAccess client connects to resources on the corpnet over a DirectAccess connection, it uses only IPv6 addresses, as all communications from the DirectAccess client to the corpnet are IPv6 communications – IPv4 is never used when the DirectAccess client connects to the corpnet. Perhaps that's why it's recommended.

The Resolve both IPv4 and IPv6 addresses for names option does not seem to make sense in the DirectAccess client context given the facts as stated above. However, perhaps this means that you can use IPv4 for local name resolution or for names that are not processed by the NRPT? I think we will have to wait for Microsoft to create some documentation of this configuration page before we make any hard and fast decisions on the utility of these settings.

All of this might be a moot issue anyhow, as Tom tells me that when using UAG for your DirectAccess solution, UAG handles the configuration of the NRPT and delivers the correct settings to DirectAccess clients using a GPO that's applied only to DirectAccess client computers that are members of a security group to which the GPO is applied. So, when working with UAG DirectAccess, you won't have to deal with this dialog box. Still, it would be nice to get some documentation on the missing settings.

17 Feb 2010

Tips for buying music online

As music connoisseurs worldwide already know, Windows Media Player 11 is the ultimate digital music jukebox, letting you store, catalog, and enjoy your entire audio collection on your PC without skipping a beat.

Included with Windows Vista and available free to Genuine Windows XP users, Windows Media Player gets your party started—a few clicks is all it takes for you to vastly expand your audio horizons online.

So get ready to boogie… Following is everything an Internet user needs to know to instantly sample, shop for, download, and share millions of hit singles and albums from the recording industry's biggest names.

URGE music service

URGE—just one of nearly a dozen great ways Windows Media Player 11 users can buy music online.

Purchasing options

Two ways exist to purchase music online:

1. By the song/album—Browse by individual song or record, with most singles available for under a dollar.

Pros:

  • Immediate savings

  • Pay as you go

  • Music is yours to keep

  • Copy to CD/MP3 player on demand

Cons:

  • Costly in the long run

  • Tunes come one track at a time

  • Best suited to casual admirers

Examples: Wal-Mart Music Downloads, Puretracks, MusicGiants

2. Subscription—Enjoy unlimited access to millions of songs for one low monthly price (average: $10–15).

Pros:

  • All-you-can-eat approach

  • Cheaper for frequent shoppers

  • Sample in full before buying

Cons:

  • Songs expire when subscription does

  • Can't burn to CD without buying

  • Copying to portable music player costs extra

  • Incompatibility with certain players

Examples: URGE, Napster, f.y.e Download Zone

How to buy

  1. Load Windows Media Player 11.

  2. On the top menu bar, click the arrow located just below the URGE tab. Choose Browse All Online Stores.

    Browsing for music online

    Browse online music stores from directly within Windows Media Player.

  3. The Choice of Online Stores window opens. Under the Categories menu, located on the left-hand side of the screen, select Music.

    Available online music stores

    Choose which online music store you want to shop from.

  4. Click the appropriate logo to select a vendor.

  5. Follow the chosen provider's instructions to register for an account and begin downloading individual tracks or entire albums.

If you've purchased by the track: Select the Windows Media Player 11 Library tab, located at the top of your screen, and choose Music from the drop-down menu.

Library tab in Windows Media Player

Use the Library tab to download individual tracks to your computer.

Note: Click the Library tab itself next if a list of songs/albums doesn't immediately appear.

Congratulations—this music is now yours to archive and appreciate. Just select the desired tune or record with your mouse and press play, or double-click to listen.

If you're using a subscription service: Just double-click the track to begin streaming the highlighted song, or select Download or Buy to purchase and enjoy as above.

Hints and tips

A few important points to consider before virtually adding music to your collection:

  • Availability—Like traditional record shops, all pay-as-you-go and online music subscription services feature unique inventories. Before signing up with one, always check to make sure that they host the artists and albums you're looking for.

    SongTouch music service

    Many providers such as SongTouch specialize in specific musical categories.

    Hint: Some services specialize in different genres, e.g. SongTouch, which touts an impressive catalog of Christian music.

  • Ownership—The trade-off for subscribing to a monthly service is that you don't own the music you're paying for. Fail to upkeep your membership, and you'll lose access to this content. Likewise, you'll have to purchase individual songs (albeit at a sizable discount) in order to burn them to CD. It may also cost as much as $5 extra/month for the right to copy this music to an MP3 player.

  • Frequency—Do you plan on downloading a single song here and there or dozens of tracks each month? Serious audiophiles looking to feed their addiction may be better off taking a one-size-fits-all subscription plan versus shelling out by the track.

    Hint: eMusic offers a handy compromise, letting you buy a set number of songs each month—which you own, and can copy to CD/MP3 player as much as you like—for as little as $0.27 apiece.

    eMusic music service

    eMusic combines the best features of subscription and pay-as-you-go services.

  • Compatibility—Some digital audio file formats and subscription services aren't compatible with various portable music players and systems. (Happily, as a rule, PlaysForSure devices are generally a safe bet.) Don't forget to read the fine print before signing on the dotted line.

  • Accessibility—All providers take artists' intellectual property rights seriously. As a result of these security measures, songs purchased from one outlet are typically incompatible with other vendors. Therefore, it pays to pick a single service provider and stick with them.

Working wirelessly

Many companies are making the leap to wireless networks in the office for both financial savings in overall equipment and sheer convenience for their employees. They also often provide mobile PCs with wireless capabilities to their employees so that they can be productive anytime anywhere, hence enhancing the company's bottom-line.

In this article, I will explain what WiFi is and how it works. I will also discuss what you need to start working wirelessly as well as what you can expect to gain from doing so. Finally, I'll discuss the precautions you should take when working on the go.

What is WiFi? Learn the lingo

Wireless, or WiFi, technology is another way of connecting your computer to the network using radio frequency and no network cables.

Wireless works similarly to cordless phones; they transmit data from one point to another through radio signals. But wireless technology also requires that you be within the wireless network range area to be able to connect your computer. There are three different types of wireless networks:

  • Wireless Local Area Network (WLAN): WLANs are wireless networks that use radio waves. The backbone network usually uses cables, with one or more wireless access points connecting the wireless users to the wired network. The range of a WLAN can be anywhere from a single room to an entire campus.

  • Wireless Personal Area Network (WPAN): WPANs are short-range networks that use Bluetooth technology. They are commonly used to interconnect compatible devices near a central location, such as a desk. A WPAN has a typical range of about 30 feet.

  • Wireless Wide Area Networks (WWAN): WWANs are created through the use of mobile phone signals typically provided and maintained by specific mobile phone (cellular) service providers. WWANs can provide a way to stay connected even when away from other forms of network access. Also, be aware that additional charges are often associated with the usage of WWANs in some locations.

How do I get started?

The only thing you really need to go wireless (in addition to a mobile PC) is a wireless PC Card. Depending on the age of your mobile PC, the card is either built-in or needs to be inserted in the PC Card slot and includes an antenna. In addition, you can also use wireless keyboards and mice, which can provide more freedom and flexibility when you're working in your office.

It's always good to research the available hotspots in the area you're planning on visiting (whether a neighborhood in your city you're not familiar with or a city on the other coast). You can use Bing to find hotspots when you travel.

As you head out into this brave new world of wireless connectivity, you can connect to a wireless network (whether at home, at work, or on the go).

Connect to a wireless network

Working wirelessly: What's in it for me

Working wirelessly can offer you the following benefits.

  • Flexibility: The lack of cables that comes with wireless networking enables you to roam with your mobile PC. You can roam from your office to a nearby conference room for a meeting, or from the couch in the living room to the kitchen for a snack. For example, if you're working wirelessly in a meeting you can print out a report for a co-worker without having to leave the meeting.

  • Time-saving: If you're waiting for an important response you can use your mobile PC to monitor your e-mail even when you're in meetings or at lunch. As soon as you get the data needed, you can promptly forward it to your customer rather than wondering whether the information has come in while you were away and having to run back to your office between meetings and other commitments.

  • Increased productivity: Working wirelessly enables you to turn downtime between meetings or while in transit into productive time. For example, you may be attending a conference and just found out that one of the sessions you were planning on attending has been cancelled. Rather than waste the next hour, you can check e-mail, start compiling your trip report, or order your son's birthday present.

  • Easier collaboration: Using wireless mobile PCs, you can easily share files and information with others. For example, you can collaborate on a presentation with colleagues during a flight delay in an airport lounge, or you can share the syllabus of a course with attendees so that they can take notes digitally during the class.

What should I worry about when working wirelessly?

When working wirelessly from hotspots and public places, you are responsible for ensuring the security of your files and your mobile PC.

To make network access easier for their users, public hotspots typically leave all security turned off. This means that any information you send from a hotspot is most likely unencrypted, and anyone within range of the wireless LAN, whether at the next table or in the parking lot, can access and use your Internet connection and look at your unprotected information.

For more information, see tips for working securely from hotspots.

WiFi gives you the freedom to go anywhere and still be connected to your office, your family, and other important aspects of your life. Your virtual office can now be an ice cream parlor in a seaside resort. Embrace and enjoy the flexibility that WiFi affords you.