Archive for November, 2010

Øredev 2010, in retrospect

So, Øredev has come and passed. I have not been able to attend the last couple of years. This year I attended two days, Wednesday and Thursday (November 10 and 11). To summarize an event like that in a blog post is not very easy to do, but I will give it a shot. It will be a bit sprawling but, if nothing else, it can serve as memory notes for me at some point in the future.

The venue

This year Øredev was held at a venue called Slagthuset (article in Swedish). The venue is located in a very good spot, right next to the train station in Malmö, so it’s very easy to get there. The session rooms were built in larger halls with temporary walls around them. This worked fairly well, but sound travelled between the rooms. For many sessions that I attended this was not really a problem, but during some sessions the sound from neighboring session rooms became an issue.

The stage of each room (at least the ones that I saw; mainly on the .NET and Agile tracks) was arranged in the same way: a small round “bar table” at the right-hand side (as seen from the audience), and a cylinder-shaped loudspeaker standing next to the stage on the left-hand side. These two obstructed the view for people seated towards the edges of the room. Visibility would have improved greatly if these (especially the loudspeakers) had been pushed back a bit towards the back wall. Perhaps there were (sound technical) reasons for keeping the speaker along the front edge of the stage though.

That is just about all the negative stuff you will find in this text. From here on it’s all praise :) Everything else was a very positive experience; the food, the speakers, the attendants and the overall atmosphere all helped make this a very nice event.

The sessions

The Wednesday keynote was held by Dr. Jeffrey Norris of NASA Jet Propulsion Lab. He shared the story of how Alexander Graham Bell invented the phone, as an illustration of Agile thinking. The key message was that Bell succeeded because he had a Vision, he was willing to Risk a lot to get there, and he did not quickly commit to a specific solution, but instead kept many doors open and explored several paths. These qualities were shown to be shared by several people behind great inventions. Of course there was a touch of NASA in the talk as well; the story of how the Apollo 11 space ship came to get the design it did was told using a really cool 3D presentation technique involving printed cards that were interpreted by a camera, which superimposed 3D objects on the screen (check it out here).

The Thursday keynote was equally inspiring, and not only because there was not a [insert favorite presentation software] slide in sight. John Seddon talked about how we often focus on the wrong things, essentially indicating that when you manage something, that something tends to grow. Many organizations focus on managing cost so, well, the cost tends to go up. So focus should be on managing value instead. Surprise ;)

Apart from the keynotes I attended sessions with (amongst others) Glenn Block (twice), Jon Skeet, Ade Miller, Roy Osherove, Diana Larsen and Jim Benson.

In his first session Glenn Block shared some insight in what is coming next in WCF. I must say that I really like how the WCF team seems to manage to walk the fine line between isolating service implementation from details on the format used for sending data to the client, while at the same time allowing (but not requiring) you as a developer to have detailed control over the process.

Jim Benson talked some about the psychology of Kanban. I recognized myself in a lot of what he said. My first experience of working with Kanban was an almost physical sense of how work flowed in the project, and the great satisfaction of seeing the project advancing even if I was a bit stuck on a task.

The Diana Larsen session that I attended discussed six skills needed for members of a team to collaborate efficiently (Communicate, Build Trust, Make Decisions, Hold Effective Meetings, Share Leadership and Engage Conflict). An interesting touch in her talk was the photos that illustrated the points; they were taken by Diana, showing situations and team members that she had worked with, so she could say stuff like “that guy sitting there, his name is James, he had this situation when…” and so on, which I felt added an extra feeling that she knew what she was talking about; these were real-world examples, not paper products.

Ade Miller gave a talk walking through some patterns of parallel programming using a very good mix of illuminating slides and sample code. The sample was a simple financial application that showed the effects of different kinds of parallelization (hint: speed improved). He also handed out copies of the book Parallel Programming with Microsoft .NET to the people that attended.

Glenn Block returned with a session on the Reactive Extensions framework for .NET, which in short provides an event based model for asynchronous data exchange. His talk was followed by Roy Osherove giving a talk about how to review test code, pointing out that tests should be Maintainable (reuse code, use object factories) and Readable and that you must be able to Trust your tests. He stressed that test code should contain an absolute minimum (preferably no) logic, and that it should lean on static test data.

Jon Skeet talked (or rather demonstrated) some funny corner cases in C#, showing, amongst other things, how you can “override” extension methods, something that is quite useful for diagnostic purposes.

On the Thursday evening Øredev opened the doors for various communities, under the name Øredev Open. Diversify sponsored (together with Microsoft) an event organized by Swenug. Three speakers were invited and given one 20-minute slot each. Greg Young announced Mighty Moose, a tool that runs on top of AutoTest.NET. Mighty Moose will monitor the file system to detect when you save a file. It will then build the project, perform an analysis of which tests may be affected by the change, and then automatically run these tests. This might be a huge time saver, especially in projects with a large number of tests. Mighty Moose does not seem to have an internet home yet, but follow Greg on Twitter if you are interested.

After Greg was done, Hadi Hariri entered the stage and gave a quick peek at what is coming in ReSharper 6. Lots of nice stuff here as well (including very good tools for working with JavaScript code). Finally Roy Ashton gave a lightning talk (both in terms of length and speed) about CouchDB. The event ended with a lottery where we (Diversify) gave out a Windows Phone 7 (or rather a gift certificate for one, once it hits the store shelves), JetBrains gave away one ReSharper license and one DotTrace license, and Microsoft tossed in a Kinect as well.

From what I understand the Friday was no worse, and I will really make sure to clear the whole Øredev week in my calendar next year.

Kudos to Michael Tiberg and his team for the great achievement of making this happen.

Teched Europe 2010 Day 4

DirectAccess with UAG

DirectAccess (a remote access solution for Windows 7 and Windows 2008 R2)

It extends the corporate network to the client sitting on the Internet.

It creates two tunnels

The first is a pre-logon tunnel that communicates with the infrastructure servers (patch management, health check and GPOs) in the corporate network

The second tunnel is established when you log in. It provides network-level computer/user authentication and encryption

Forefront UAG is a single entry-point for all remote access

  

It also extends Windows DirectAccess capabilities to IPv4 only servers

You can publish applications and reverse proxy with UAG

UAG Array

  • We can build up to 8 array members (NLB)
  • One server acts as the Array Manager Server (AMS)
    • It propagates configuration to the other members

 

UAG DirectAccess Functions

  • Runs DirectAccess Wizard
  • Provides IPSec tunnel gateway to/from DirectAccess clients
  • Routes IPv6 traffic between clients and server on the corporate network
  • Provides IPv6 over IPv4 tunnel end-points for internet clients
  • Can provide ISATAP router to support IPv6 over IPv4 for intranet
  • Can provide DNS64 and NAT64
    • Supports IPv6 to IPv4 translation for IPv4-only internal resources

 

Planning is Essential

  • Identify DirectAccess clients
  • Identify servers to be available via the infrastructure tunnel
    • DCs, DNS, management servers, NAP servers etc.
  • Identify servers to be available to users via the intranet tunnel
  • Identify servers requiring end-point authentication/encryption
  • Choose name resolution options (anything for internal servers goes to internal DNS)
  • Design the network location server
  • Choose authentication enhancements
    • Smart card, NAP health certificates
  • Design PKI and issue required certificates
    • Must include design for CRL distribution points
  • Design the internal IPv6 network connectivity
  • Design Active Directory subnets
  • Design UAG server array and placement requirements

Teched Europe 2010 Day 3

Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1)

Quorum is important in Exchange HA, so we will start here:

Quorum

Dual Usage of Quorum:

  • Data shared between the voters representing configuration, etc.
    • Physical data located on DAG servers.
  • Number of voters required for the solution to stay running (majority).

Exchange 2010 uses only two of the four available cluster quorum modes

  • Node majority
  • Node and file share Majority

Quorum is essential for the DAG to function.

Witness

A witness is a file share on a server (witness server).

Needed for quorum decisions

One of the nodes will lock witness.log; that node is referred to as the locking node.

Only used by DAGs that have an even number of members (node and file share majority quorum mode)

Witness server

No pre-configuration typically necessary

  • Exchange Trusted Subsystem must be member of local Administrators group on Witness Server if Witness Server is not running Exchange 2010

Must be in the same Active Directory forest as DAG

Can be Windows Server 2003 or later

  • File and Printer sharing for Microsoft Networks must be enabled

Replicating witness directory/share with DFS not supported

Not necessary to cluster Witness Server

  • If you do cluster the witness server, you must use Windows 2008

Single witness server can be used for multiple DAGs

  • Each DAG requires its own unique directory/share

DAG networks

Used for multi Subnet DAG

A DAG network is a collection of subnets

There a two types of DAG Networks:

  • MAPI Network – Connects DAG members to network resources (Active Directory, other Exchange server, DNS) Default GW will be configured here
  • Replication Network – Used for/by continuous replication only (log shipping and seeding)

DAG networks are automatically created when a Mailbox server is added to the DAG

DAG Networks include built-in encryption and compression

  • Encryption: Kerberos SSP EncryptMessage/DecryptMessage APIs
  • Compression: Microsoft XPRESS, based on the LZ77 algorithm

(30% less on the wire when using compression)

Active Manager (the brain of Exchange HA)

  • New in 2010
  • Manages *overs
  • Runs on every server in the DAG
  • Selects best available copy on failovers

Active Manager is code that runs inside the cluster service (it is not a separate service)

  • Active manager client runs on CAS and HUB
    • Failover can be performed in 30 seconds or less; that is why the state is not stored in AD, since AD replication can take 15 minutes.
  • PAM holds the default cluster group

Best copy selection

  • Active Manager selects the “best” copy to become the new active copy when the existing active copy fails
  • Behavior difference between RTM and SP1
    • The list of potential passive copies is sorted differently when AutoDatabaseMountDial is set to Lossless

 

Improvements in Service pack (replication and copy)

Continuous replication changes

  • Block mode (shipping blocks during replications)
    • Enhanced to reduce data loss
    • Eliminates log drive as single point of failure
    • Automatically switched between modes
      • File mode
      • Block mode

Relocate and distribute load Scripts

RedistributeActiveDatabases.ps1

DAG Maintenance Scripts

StartDagServerMaintenance.ps1

Exchange Management Console enhancement in SP1

  • Manage DAG IP addresses
  • Manage witness/directory and

Teched Europe 2010 Day 2

Deployment and Migration Scenarios with Microsoft Lync Server 2010

Lync will be released in the end of the year

There is a public announcement the 17th of Nov.

Some whitepapers and guides could be presented that date but that is not confirmed.

Upgrade migration from LCS

If you want to upgrade an LCS environment to Lync, you need to first upgrade server and client to OCS 2007 and then upgrade to Lync.

If you don’t need a migration you can just uninstall LCS and then do a new installation of Lync.

Support of OS

  • Only Windows 2008 R2 is supported on servers running Lync.

Support for virtualization

  • Virtual servers are fully supported for all roles

Difference between Standard (SE) and Enterprise Edition (EE)

  • SE: 5000 concurrent users
  • EE: 10000 concurrent users

Installation procedure

  1. Schema upgrade and domain upgrade
  2. Topology setup
    • Needs a SQL server. Standard Edition can use SQL Express
      • It is the holder of the topology XML
  3. Install Standard Edition or an Enterprise pool
  4. Mediation server if connecting to a PBX

PBX Interoperability

  • List of vendors on Microsoft.com
  • Contact the vendors and explain what you want to do

Bandwidth management = CAC

  • Group sites with subnets
  • Region-based configuration
  • You can set up how much bandwidth is used per feature
  • Rules can be set up between sites (links)
  • CAC is static and doesn’t learn what the network looks like.
  • Single central server (CAC)

Migrate mediation server

  • Lync server supports PBX
  • The Lync client can use both OCS and Lync
  • Migrate users first, then the mediation server

Datacenter management

  • A new site in each

—————————————————————————————

Enable Secure Access using Forefront UAG Service Pack 1

New in SP1

  • Simplified DA Deployment
  • One-time-Password support for DA (must have a dedicated CA. Could be a sub-ordinate CA in present CA infrastructure)
    • Integrated SecurID agent into the DA scenario
    • 3rd party supports using nRadius (OATH compliant)
    • Comprehensive policy management
    • Integrated NAP
    • Use a dedicated CA
      • Best practice
      • Use the present Root CA and have separate subordinate CAs for NAP and OTP
  • Monitoring Direct Access out of the box
    • Integrated into UAG web Monitor
    • Integrated SCOM style
    • Storage is SQL based

 

ADFSv2 integration

It is not possible to run both a standalone ADFSv2 and the UAG-integrated ADFSv2 in the same environment.

So you need to remove the existing ADFS, if you have one, before you install UAG with integrated ADFS

Deployment Multi Entry points

Included in release 2011 H1 (UAG SP1 UP1)

—————————————————————————————

Failover clustering and Hyper-V: Planning your Highly-Available virtualization environment

Host clustering

  • Cluster service runs inside physical host
  • Live migration
  • Quick migration

Guest clustering

  • Cluster runs inside a VM
  • Is application aware
  • Only iSCSI

Guest and host clustering can be used at the same time. That is the optimal solution and offers the most flexibility and protection.

If you have questions about the impact of running a virtualized SQL Server on Hyper-V, the SQL team has published a whitepaper with the results and impact. Read it!

This is all supported on Windows server 2008 R2

Powershell support

  • Improved Manageability
  • Hyper-V integration
  • Replaces cluster.exe as the CLI tool

You can use PowerShell to create an entire cluster

Don’t create an image after you have installed the cluster feature. It will not work, because there are dependencies on MAC addresses that are created when the feature is installed.

Create the image before, and script the installation of the clustering feature.

Cluster shared volumes

  • Live migration with CSV: no dismounting and remounting
  • ARP redirects clients to the new node (sends an ARP to the router)

AD consideration

  • Nodes must be in the same domain
  • Need an accessible writeable DC
  • DCs can run on nodes, but use 2+ nodes
  • Don’t install a DC (or any other role) on the parent partition
  • Do not put all your DCs on clustered VMs
    • A DC is needed for the cluster service to start

Network considerations

Minimum of two networks:

  • Internal and live migration
  • Public and guest management

Use network prioritizing to configure your network

Best solution: 5 NICs

AntiAffinityClassNames

  • Enables VM distribution
  • Failover behavior on large clusters: KB299631

Root Memory reserve(d)

Difference between 2008 R2 RTM and 2008 R2 SP1

In SP1 you don’t need to configure it.

Dynamic memory SP1

Memory Priority Value is configurable per VM

Where to make changes

Always use Failover Cluster manager or SCVMM when doing changes

Hyper-V Manager is not cluster aware

Storage Migrations

SCVMM enables Quick Storage Migration, not live migration: you will have some downtime.

Teched Europe 2010 Day 1

Today (Tuesday) is the first (real) day on Teched Europe in Berlin. We will continue to post information from a lot of sessions throughout the week. We will focus on Forefront, Active Directory, Virtualization, Lync and some bits and pieces of other topics.

Explore Secure Collaboration Using Identity Federation in Forefront UAG Service pack 1

Service Pack 1 for Forefront UAG RTM is going to be released in December 2010.

Examples of features that are included in SP1:

  • ADFS v2 integration
  • Enhanced DirectAccess deployment and operation
    • One-time-password support
    • Integrated NAP for simplified endpoint policy enforcement
  • RMS server publishing
  • Exchange 2007 and Exchange 2010 are supported in coexistence with UAG
  • UAG and ADFS 2.0
    • UAG as AD FS proxy
    • Single sign-on even for legacy applications
    • Health policies are applied to partner users
    • Claims-based authentication and authorization

A legacy application in this session means applications that are not Claims-aware.

With AD FS and UAG you don’t need to re-engineer old applications (for example, applications that use Kerberos) to get them to work.

You can publish claims to the UAG; UAG then uses a shadow user with Kerberos on, for example, the internal network. The ticket is exchanged between UAG and the DC if you use Active Directory. The framework is configured in AD FS.

There are monitoring and auditing capabilities.

A couple of these features are available with AD FS 2.0 alone, but UAG publishes a nice portal in front of it.

UAG supports only passive clients, like web browsers or applications that simulate passive clients.

Question:

Do you need a separate firewall in front of the UAG?

Answer:

It’s Microsoft best practice to have a separate firewall, although UAG has TMG.

Impact of cloning and Virtualization on Active Directory Domain Services

Scenario 1:

Clone a domain joined computer (VHD).

Can the cloned (copied) computer co-exist with the new computer?

It will work at first, but computer objects in a domain also have passwords, so when the first of the computers changes its password the other one will be in trouble because it still has the old password. The time to failure depends on the policies applied.

Always use sysprep when you are deploying a new computer.

Scenario 2:

You cannot clone further computers from the same VHD that you used to create a DC. When you run DCPromo, the domain SID is derived from the original computer SID.

Do not domain-join a VHD that you have created a DC with. The local SID will be the same as the domain SID.

Scenario 3:

You will not be able to configure a trust between two domains that have the same SID, which happens if the DC in domainA and the DC in domainB were cloned from the same VHD.

So always use sysprep when deploying computers. Do not just copy a VHD.

The same problem exists on all virtualization platforms.

Microsoft best practice when using virtual DCs: always keep 1-2 physical DCs.

Advanced Group Policy Management 4.0 (AGPM 4.0)

Features:

  • Offline editing of GPOs
  • Compare settings between GPOs (difference report)
    • What was added, changed or removed
  • Delegation of roles
    • Editor, Approver, Reviewer, Full control
  • Workflow
    • Create a workflow for your changes in GPOs, like:
    • (Offline) Control -> Checked out -> Edit -> Check in -> Request -> Reporting -> (Production) Deployment
  • Recycle bin
    • You may restore deleted GPOs
  • Search filtering
    • What it does
    • What it doesn’t do
  • Multi-forest support
    • You can export and import the GPO

To set up AGPM you need to install it on a server other than the DC. It will then hold a copy of all GPOs.

The license is included in MDOP (Microsoft Desktop Optimization Pack) and cannot be purchased separately.

Once you have deployed AGPM, always use AGPM when editing GPOs, because if you change a GPO on the DC directly it will be overwritten the next time you publish it from AGPM.

Deep Dive on Designing a BranchCache Infrastructure

BranchCache has two different types of configuration:

  • Distributed Cache
    • Uses clients in the branch office
  • Hosted Cache
    • Uses a dedicated server in the branch office

If you want to preload the cache you can do that by scripting.

NLB (or physical load balancing) also works. Be sure to configure the load-balanced servers the same way: they must have the same Server Secret key.

The data that is transferred from the central site is divided into 64 bit blocks. This will ease your network on the WAN.

Cached data is stored in the clear, but it can be protected with Bitlocker or EFS.

Protocols:

SMB and HTTP are enabled out of the box. Even HTTPS is available, because of the layer in the stack at which BranchCache operates.

If you are a developer you need to check out Peer Distribution on MSDN. It is a public API that you can build your application against so it can use the BranchCache features.

If you want to deploy this you should use GPO and link them to Sites in Active Directory. This will solve potential problems when users travel with their laptops. They will get the GPO that applies on the site they are logging in from.

Mixed mode:

You cannot have both configurations (Distributed and Hosted) on the same branch office.

Disaster Recovery by Stretching Hyper-V Clusters Across Sites

Regarding multi-site clustering, Microsoft said that they have a fully automated solution and that the competitors don’t.

The biggest concern in a Disaster Recovery scenario is the dependence on people.

Windows 2008 R2 added support for Multiple Subnet clustering.

This is highly dependent on DNS. To enable faster failover you can use:

  • RegisterAllProvidersIP
  • HostRecordTTL

Solution 1:

Local failover first

  • Configure local failover first, for high availability.
  • Cross-site failover for disaster recovery.
  • Minimum of two servers.

Solution 2:

Stretch VLANs

  • Deploying a stretched VLAN minimizes failover time. No new IP is applied, so there is no change in DNS and no need for DNS to update and replicate.

Solution 3: Abstraction in a networking device

A network device that uses a third IP address. The client uses the device to connect to the services on the VM.

Live migration and CSV are not dependent on each other, but complementary.

Cross subnet failover

  • Use DHCP
  • Static addressing can be handled by a script
    • Example: look for errors in the cluster logs to see if a failover has occurred, then update the IP settings and DNS.

Best practice is to use DHCP.

Quorum

There are four different setups of Quorum.

  • Disk only (not recommended)
  • Node and disk majority
  • Node majority
  • Node and file share majority

With node majority the number of nodes must be odd.

Say you have 2 servers in SiteA and 3 servers in SiteB. If the entire Site B becomes unavailable, you can force quorum with a PowerShell command (R2):

Start-ClusterNode -FixQuorum (short form: -fq)

Once majority is achieved again, the cluster drops out of forced quorum.

Multi-site with file share witness

A 3rd site is the best setup.

Complete resiliency and automatic recovery from the loss of one site.

It uses a file lock on the file share at the third site, and the cluster will keep working if the connection between SiteA and SiteB breaks.

For more info take a look at these documents at Microsoft.com:

  • Design guide, deployment guide/checklist
  • Multi-site Clustering Content

My value may not equal my value

I saw a question at StackOverflow that, amongst other things, asked if it could ever be that a.ReferenceEquals(b) is true, while at the same time a.SomeProperty != b.SomeProperty. The spontaneous answer to that is probably “no, if they refer to the same instance, they also refer to the same data” and, I would argue, in most practical cases that answer would (and should) also be true. But there are situations when this could happen.

Imagine that we have a type with a property whose value changes over time, and where it also takes a small amount of time to produce the value:

using System;
using System.Threading;

class Foo
{
    public long SomeValue
    {
        get
        {
            // simulate that it takes a short while
            // to get the info
            Thread.Sleep(10);
            return DateTime.Now.Ticks;
        }
    }
}

Then consider the following program:

using System;

class Program
{
    static void Main()
    {
        Foo a = new Foo();
        Foo b = a;
        Console.WriteLine("object.ReferenceEquals(a, b) => {0}",
                           object.ReferenceEquals(a, b));
        Console.WriteLine("a.SomeValue == b.SomeValue   => {0}",
                           a.SomeValue == b.SomeValue);
    }
}

What do you think it prints?

The answer is:

object.ReferenceEquals(a, b) => True
a.SomeValue == b.SomeValue   => False

The reason is obviously that the property getter is called twice on the same instance, but returns a different value each time. So, when a property returns a value that is produced in the getter, there is a possibility to create scenarios where two variables reference the same instance, but where comparing the values from the same property may still return false.

This is not very strange really, but many programmers (myself included) might find such behavior confusing, and I would use that as an argument that property access should always be extremely cheap, preferably just reading the value from a field. If there is work required to produce the value, and especially if the value may differ between calls, it should be a method instead.
