Infrastructure Optimization

Windows Vista has been out for a while now and hardware and software vendors have had time to update their drivers, apps, interface, etc. to the new operating system.

Nevertheless (and this happens all the time) some specialized application vendors still will not support Vista and as a result, Windows XP and 2000 will remain in the environment “forever,” much like a Styrofoam cup in the forest.

Either way, 80 to 90 percent of all workstations can be migrated over to the new, more stable and secure windows Vista.

Oh wait! Windows 7 will be out soon, should we wait? The answer to that is “NO.”

It is time to build a infrastructure that is agile enough to shorten the lifecycle management of operating systems just like it was shortened for applications.

Major application releases happen sooner than 2 years, why shouldn’t OS’s do the same?

Those who develop an environment based on Virtualization and fast deployment of OS’s will rule the day.

Not a sermon just a thought.

With 150 million licenses shipped in FY’2008 (see Steve Balmer’s report,) we are always looking for news on Vista adoption.

A list of recently posted articles on the Microsoft site follows:

• The white paper entitled “Windows Feature Comparison” compares the features and capabilities of Windows XP SP3 and Windows Vista SP1 based on five categories: Security, Management, Deployment, Mobility and Productivity. Windows Feature Comparison (PDF)

• The Business Value of Windows Vista (Microsoft - PDF File)
• “The Business Case for Windows Vista: Five reasons to deploy now (Forrester - PDF File)
• Lessons Learned from Early Windows Vista Adopters (Microsoft - PDF File)

The big question seems to be how many of those licenses are deployed. Lots of conversations on this topic.

If you are struggling with trying to diagnose LUA, or Least-Privilege User Account bugs in your Vista, Server 2003 or XP environments, then Aaron Margosis has a tool for you. The tool is called LUA Buglight and, while it’s in beta, it still may be a useful tool for you developers and system administrators out there.

What it does is grant temporary administrator privilege for a targeted app so that it can run. Buglight watches the app and what it does, and then reports on behaviors of the app that require remediation in order to be “well-behaved.”

I’m going to check this out on my locked-down Vista VPCs where I do my app compat testing.

If you’re a user of Microsoft Deployment 1.x and upgrading to Microsoft Deployment Toolkit (MDT) 2008, then you’ll want to pop over to Michael Niehaus’ blog, where he’s posted instructions on this scenario. Seems they included BDD to MDT migration, but not MD to MDT migration.

One thing of note from this posting (as we ourselves are getting down with MDT):

• Windows Automated Installation Kit (WAIK) has been updated to 1.1 - this was a big download before, so clear the pipes, folks, if you’re planning on deploying Vista SP1.

Is anyone out there planning on deploying Vista SP1 in the near term? I’d love to hear your experiences, you brave souls!

I certainly hope this is the last of the name thrashing on this product for awhile. For those of you just getting used to the name change from Business Desktop Deployment Solution Accelerator to Microsoft Deployment, the folks in Redmond have changed the name of this product again, and it’s now being referred to as the Microsoft Deployment Toolkit (MDT) 2008. Some official verbiage:

Microsoft® Deployment Toolkit 2008—Unified Tools and Guidance for Desktop and Server Deployment Automation. Download it today!

We are pleased to announce that Microsoft Deployment Toolkit (MDT) 2008 has been released! This is an update to Microsoft Deployment, released in November 2007.

MDT 2008 extends existing functionality to deploy Windows Vista® SP1 and Windows Server® 2008 for both Lite Touch and Zero Touch deployments using Systems Management Server 2003* and Microsoft System Center Configuration Manager 2007. This release of MDT supports Windows AIK 1.1 and configuration of Active Directory® directory service, DNS, and DHCP server roles. To learn more and download the latest content, go to http://www.microsoft.com/deployment.

As of this posting, the MS Deployment site had not been updated with the name change, but expect that very soon. Start downloading today - this product has only gotten better and better, and I expect that this version will not disappoint. Of course, now that I’ve said that…

We’ll be watching this one very closely, as it’s our bread and butter.

From the excellent 4sysops blog:

Vista SP1 is officially only available for enterprise customers, but the reports about problems caused by this service pack are piling up. This post contains a list of all SP1 issues I am aware of.

List of Issues with Vista SP1 (4sysops)

Good to know, especially if you are managing Windows Updates at the Enterprise level. Also good to know for you early adopters with TechNet subscriptions.

You’re absorbing caffeine from a white cup with green letters while surfing the web on your laptop and you suddenly remember that you need something from your corporate VPN. What to do? Yes, I know you’ll try to establish VPN even if you tried it just last Thursday. You’re an optimist who believes that they just might have realized that outgoing VPN is not evil. But alas, you’ll need to head back home since airports, hotels and coffee shops notoriously block most all of the really cool protocols from working.

Some day soon (we hope) you’ll be able stay comfy and do your work. This is all due to the upcoming Windows 2008 and Vista support of SSTP!

The Secure Socket Tunnel Protocol is really an ingenious convergence of secure HTTP (HTTPS/SSL) and Point-to-Point Protocol technologies. In order to make this work you’ll need a few things:

• Windows 2008 Server - Expected February release
• A certificate authority (This can be an internal enterprise CA)
• A firewall - My personal favorite: Microsoft ISA 2006
• Vista SP1 - Early to mid March release. There’s discussion on whether XP SP3 will add this support but the future is unclear. Check again later.

Now, I won’t tell you that giving your road warriors this kind of freedom is going to take 15 minutes and a wizard, but there are already some great resources published to get you ready.

• Dr. Thomas Shinder (The smartest firewall guy I know) has published an article on ISAserver.org on how to configure ISA 2006 for SSTP access:
  • http://www.isaserver.org/tutorials/Publishing-Windows-Server-2008-SSL-VPN-Server-Using-ISA-2006-Firewalls-Part1.html
• Another Dr. Shinder article on WindowsSecurity.com. This one is a 2-part article. Part 1 is a deep-dive on the new protocol and part 2 focuses on configuring required Windows 2008 services:
  • Part 1: http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html
  • Part 2: http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part2.html
• Samir Jain from the TechNet Routing and Remote Access blog has posted a primer on the SSTP protocol:
  • http://blogs.technet.com/rrasblog/archive/2007/01/10/how-sstp-based-vpn-connection-works.aspx

Happy Tunneling!

Jonathan Connery MCSE+I, MCSD
Senior Systems Architect
Getronics Consulting and Transformation Services
Infrastructure Optimization Team

If you’re familiar with BDD, and especially BDD 2007, you know that Microsoft has been thrashing around a bit on names for the next version of their excellent Business Desktop Deployment Solution Accelerator. Well, they’ve finally settled on a very Microsoft-y name: Microsoft Deployment 1.0, available for download on Microsoft Downloads. I must say - this name shocked me when Michael Niehous revealed it. I would have placed good money down on a System Center appellation.

But, irregardless of the name, MD 1.0 (which doesn’t really have the same ring as BDD, but I swear - I’m done commenting on the name!) has improved upon the already excellent feature set of BDD 2007. Let’s have a look at BDD/MD’s evolution real quick though:

Microsoft Deployment History

Pictures are great and all but what does it all mean? Well, the bottom line is that BDD 2007 was perhaps the best example of a deployment tool from Microsoft that mortals such as me could use and understand. It’s also been a highly-successful tool for our customers at Getronics. So, as you can imagine, I have been following changes to this tool (critical to my livelihood!) closely, looking for anything that will fundamentally alter what we’re already doing with clients, or for opportunities to suggest new and better ways of doing things. Let’s look at a few that I’ve found so far. If you’ve found others - shoot me a comment!

Support for Deploying Windows Server 2008 (kinda!)

One welcome addition for testing labs (such as ours!) is the psuedo-support for easy deployment of pre-release versions Windows Server 2008. I say “psuedo” because MD 1.0 is not intended to roll out production 2008 machines, and well, to be fair, neither are the current versions of Server 2008.

Why I think this is great is that my fellow engineers and me are trying out different configurations on virtual hardware, and being able to re-image via PXE is super-sweet. And hey, the fact that it’s restricted to Lite-Touch (LTI) is fine with me. Who deploys servers via Zero Touch anyway? Google, perhaps.

Documentation Wheel Changes

One really obvious change from previous versions of BDD is how the Documentation Wheel works now. It looks the same, but there are some subtle changes here, bringing its terminology into the present and in line with current thinking on deployment.

MS Deployment 1.0 Documentation Wheel

For example, the rather confusing “Computer Imaging System” has been renamed “Image Engineering” which makes a lot more sense to me, at least. The documents behind all of these areas have been updated as well, and are well-worth reading. Documentation in BDD has always been kind of a two-edged sword: there’s a lot of it, but it seems to be organized in a difficult-to-fathom kind of way. That still plagues MD 1.0, but in all fairness, there is a lot to cover, and I’m not sure I could organize it any better. Suffice it to say, if you are just getting started with BDD/MD, set aside a day or two to read every “feature team guide” that’s available from the documentation wheel. The Gestalt of knowledge you acquire will make you better at implementing BDD/MD than any one of the documents alone.

Compatibility with SCCM 2007

A big one for us is compatibility with System Center Configuration Manager (SCCM), and the new ability to deploy XP, Vista and Server 2003 with MD and SCCM 2007. In addition, MD is completely integrated into the SCCM console, and shares the advanced task sequence features with its elder product. Task sequences can be built in, and imported from SCCM, which is really, really nice. Or, if you’re newer to the game, you can create “quick start” task sequences and packages from MD that are easily imported into SCCM.

MD 1.0 also extends the available actions in SCCM 2007 task sequences. Those of you who live inside the task sequencer, and have felt the raw power of these easy-to-explain, but hard-to-write-on-your-own automation tools will appreciate this.

This all means that MD and SCCM are ever-more tightly integrated, and if I had to guess, I’d guess that despite MS’s protestations to the contrary, MD will eventually be enfolded into SCCM, and will disappear as a standalone product. If anything, I would predict that if a standalone version does persist, MD will become “System Center Deployment Manager.”

Oh, and get this, BDD old-timers: you can now deploy to computers that SCCM 2007 does not see! This is kind of revolutionary, if you’ve struggled with getting all deployment targets into SMS/SCCM.

Multicast

Hang on to your hats, folks. But the biggest feature, IMO, of MD 1.0 is multicast. What’s that, you ask? If you’ve done large-scale deployments over heterogeneous networks, then multicast is just what you’ve been looking for. Some of the requirements are quite stiff, but if your hardware can handle it, its definitely worth looking into if you’re going to be doing significant hardware refreshes or upgrades.

Multicast is a technique in which one image is sent out from the imaging server, and is used multiply by the intended targets. In this way, multiple copies of the image are not being transmitted and overburdening your network.

There’s a new type of WDS (Windows Deployment Services) server called a Transport Server, and this is the new piece of the MD/WDS/SCCM universe that allows for multicasting. Read more on WDS in Server 2008 here. If you want to do multicasting, you’ll also need routers that are capable of it, and you’ll need to watch out for a bug: multicast only works with the boot.wim on Server 2008 install media. It does not work with the WIM from Vista install media. There are other caveats, but they are outside the scope of this article.

Small, but big changes

I don’t have the room to describe the full range of changes, but a few highlights are appropriate, before I go::

• Lite-Touch Installation: easy migration from LTI to SCCM 2007
• Support for multiple task sequence templates
• Task sequence rules can now invoke web services - great for keeping a running inventory of machines imaged, or for hooking into existing systems.
• Support for offline patching
• Support for language pack installation, both on- and off-line
• Windows Update integration
• Enhanced User State migration (stay tuned for a future article!)

In addition, if you aren’t ready to give up BDD 2007, the two products can now be installed side-by-side. I don’t see much reason to stick with BDD 2007 if you haven’t fully committed to it yet. If you’ve got a rock-solid BDD 2007 system, you may want to instance a lab before committing.

Overall, I’m liking what I’m seeing, and am looking forward to many, many deployments over the coming year.