Mark Minasi's Windows Networking Tech Page
Issue #109 June 2013

Document copyright 2013 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Learn with My Seminars, Audio Recordings and More!
  • Tech Section
    • Why the Site's Been Slow:  Thank Heavens for Amazon's Route 53
    • What's New in Windows Server 2012 R2, Part 1
  • Conferences
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

You may have heard that we've got two more new Windows arriving sometime soon -- another round of Windows Desktop and Server.  (Yes, you heard that right.)  It's kind of a 1.1 version of Windows 8 and Server 2012, but they're still worth kicking the tires on, and I'll start doing that in this issue.  Lots to tell you but first, a word from our sponsor...

Why the Site's Been Slow:  Thank Heavens for Amazon's Route 53

Just a short note and, I hope, something that will maybe save time and trouble for other folks hosting their own stuff.

Starting about three years ago, my site www.minasi.com would periodically get very, very slow... a ping to the site might take 750 ms.  Some NetMon-ing revealed that my DNS server -- which is on the same machine as my Web server -- was getting pounded with repetitive queries -- "tell me everything you know about RIPE.net" -- from the same IP address, zillions of times per minute.  I recognized this as a classic DNS-based amplified distributed denial of service attack.  The key to understanding this attack is to know that most DNS communications use UDP, not TCP, and so you can send a DNS query to a DNS server and lie about your return address.  Thus, if Alice wants to clobber Bob's Web site, all she has to do is to find a friendly DNS server (call it Mark's DNS server) on the Internet and say, "hi, I'm Bob, could you tell me everything that you know about domain X?"  The request that Alice sends is no more than a couple hundred bytes, but as Alice has lied about her return address, the response from Mark's DNS server is more along the lines of 4,000 bytes, and gets sent to Bob.  As it's easy for Alice to re-send that request many times per second -- remember, it's small -- it serves the dual function of significantly slowing down Mark's DNS server, and beating the snot out of Bob's Web server.
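The pattern described above (one source address, the same "tell me everything you know" query, that is a DNS ANY query, repeated nonstop, with a response tens of times larger than the request) is easy to pick out of a DNS query log. The following is an added example written for this issue, not code from the newsletter or from any DNS server; it parses a constructed log format with the request and response sizes and flags the repeated high-amplification queries. Bear in mind that the "client" address it reports is the spoofed victim (Bob), not the attacker (Alice), which is why the fix was to stop answering, not to block the address.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query log lines (made up for this example; not from
# the newsletter or any real server): client IP, query type, name, and the
# request and response sizes in bytes as seen by the server.
SAMPLE_LOG = """\
12:00:01 client=203.0.113.7 type=ANY name=ripe.net. req=64 resp=3912
12:00:01 client=203.0.113.7 type=ANY name=ripe.net. req=64 resp=3912
12:00:02 client=198.51.100.5 type=A name=www.minasi.com. req=60 resp=76
12:00:02 client=203.0.113.7 type=ANY name=ripe.net. req=64 resp=3912
12:00:03 client=203.0.113.7 type=ANY name=ripe.net. req=64 resp=3912
12:00:03 client=192.0.2.9 type=MX name=minasi.com. req=58 resp=120
12:00:04 client=203.0.113.7 type=ANY name=ripe.net. req=64 resp=3912
"""

LINE_RE = re.compile(r"client=(\S+) type=(\S+) name=(\S+) req=(\d+) resp=(\d+)")

def parse_log(log):
    """Yield (client, qtype, name, req_bytes, resp_bytes) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, qtype, name, req, resp = m.groups()
            yield client, qtype, name, int(req), int(resp)

def find_amplification_sources(log, min_repeats=3, min_ratio=10.0):
    """Flag (client, qtype, name) triples that repeat the identical query at least
    min_repeats times and get back at least min_ratio bytes per byte sent.
    Returns {(client, qtype, name): (repeats, amplification_ratio)}."""
    stats = defaultdict(lambda: [0, 0, 0])  # repeats, bytes in, bytes out
    for client, qtype, name, req, resp in parse_log(log):
        entry = stats[(client, qtype, name)]
        entry[0] += 1
        entry[1] += req
        entry[2] += resp
    flagged = {}
    for key, (n, bytes_in, bytes_out) in stats.items():
        ratio = bytes_out / bytes_in
        if n >= min_repeats and ratio >= min_ratio:
            flagged[key] = (n, ratio)
    return flagged

if __name__ == "__main__":
    for (client, qtype, name), (n, ratio) in find_amplification_sources(SAMPLE_LOG).items():
        # The reported client is the spoofed victim, so this is a "stop answering" signal.
        print(f"{client} repeated {qtype} {name} {n}x, amplification {ratio:.1f}x")
```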

Now, that only worked because I was running a DNS server that would resolve for anyone, a common practice until recently.  So I reconfigured my DNS servers not to recurse, which made things a bit better but not entirely, as making a request of any kind to a non-recursing DNS server still gets a response detailing the root servers.  My ISP could have tracked the packets back to other ISPs and eventually found the real bad guys, but ISPs don't have any interest in doing that in my experience.  I thought "hey, here's a great application for Azure," and tried to set up a DNS server in Azure, but unfortunately the one kind of server Azure's not much help with is a public DNS server.

The whole thing led to some stress on my part until my friend Brian Desmond (@brdesmond on Twitter, and a gosh-darned smart guy about AD) pointed me at Amazon Web Services' "Route 53" DNS hosting service -- DNS runs on port 53, hence the name.  Does the job and at a great price, allowing me to shut down the DNS server service on my Web server and greatly improving my response time.  Seriously, the thing is going to cost me under ten bucks a year -- it's a great deal.  Thanks Brian!

What, More Windows?  A Look at Server 2012R2 and Windows 8.1, Part 1

"So let's see... most of us just got Windows 7 onto our desktops and 2008R2 on our servers, just in time last Fall for Server 2012 and Windows 8... and they just announced another pass at Windows?  What are those people thinking?"

I've spent the last month sitting in briefings listening to some very earnest Microsoft folks talk about why putting a bit of a polish on the new Microsoft desktop and server OSes is quite a good idea, and you'll hear even more along those lines when the first betas of Windows 8.1 and Windows Server 2012R2 arrive sometime midweek.  But in case you're in a really big rush, 2012R2 and Windows 8.1 seem aimed at two things:

  • Take the virtual infrastructure improvements that appeared in 2012 and improve upon them.
  • Enable organizations to deliver domain-secured Windows-based data and applications to devices that aren't Windows domain-joined computers.

Server 2012 and Windows 8 in Another Light

For me, the most interesting thing about Server 2012R2 and Windows 8.1 is not what they contain, but how they make me see their predecessors.  When I looked at Windows Server 2012, I was overwhelmed by the wealth of goodies and so completely missed this:

Server 2012 has essentially just one reason for existence:  to make you want to and be able to build a high-availability virtual infrastructure that is similar feature-wise to but cheaper than VMware.

Okay, that's an exaggeration, but just a small one. 2012 is one big missile aimed at VMware, and it's got several subsystems.

The Hyper-V hypervisor gives you all of the DataCenter Server features in the $882 Standard SKU.  High availability requires clusters, and that used to mean Enterprise Server, an iSCSI infrastructure and more than likely an expensive SAN.  2012 lets you skip the SAN, buy a cheap "JBOD"-type drive enclosure, hang it on a couple of Standard Server boxes to make a "Storage Space" (their word for their basic SAN software), get a few 56 gigabit/second RDMA boards and run them between the Hyper-V hosts and the Storage Spaces machines, and you fairly quickly have a pretty fast, relatively inexpensive setup that offers speed, flexibility and high availability.  Besides the big chunks there -- Storage Spaces, the improvements to Hyper-V and the ability to run clusters atop cheaper Standard Server -- you soon start to notice that at least 85 percent of the "all new" stuff in 2012 just pays into the "build a big virtual infrastructure" store.  (Dynamic Access Control is probably the big exception.)

So why 2012 R2?  They take all the cool "build a data center on the cheap" features of 2012 and ladle a little caramel and whipped cream on top.

Now, on the Windows 8 desktop side, I was not fuzzy at all about its raison d'être: create a version of Windows supporting tablet apps that could compete with Android and iOS apps.  Did they succeed on that score?  Not yet, but we'll see.  Where Windows 8's cousin Windows RT kind of fell down was on the whole I-have-a-tablet-that-can't-join-a-domain thing.  I love my iPad and wish that it could join a domain, but am in no way surprised that it can't.  In contrast, I have a Surface RT that I also love for different reasons and really wish that it could join a domain... but was very disappointed that it could not.

So why Windows 8.1?  It -- and 2012 R2 -- enable a new "domain join lite" called "Workplace Join" that lets you join iOS and RT devices to a domain, kind of, establishing a three-tier aristocracy of trust -- traditional domain-joined Windows boxes, Workplace Join-ed boxes, and other devices like smartphones, Blackberries, Android and the like.  (Before you ask, Android's on the way... the Microsoft speakers at TechEd just all paused before they said "Android," so it sounds like there will be a small delay on Android support but they're not dumb, it'll appear soon.)  Unfortunately, you've got to be an Intune subscriber to use Workplace Join to control devices.  ("That'll be $72/year/person, sir.  Cash or check?")  The other new big BYOD feature in Windows 8.1 is "Workplace Folders," a kind of DropBox for folks wanting to sync data on their Windows file shares amongst their devices.  (If you know SkyDrive Pro already then think of it as "SkyDrive Pro for SMB shares.")

There's an awful lot of new things in 12R2 -- I'm already getting tired of writing "Windows Server 2012 R2" and I can't say "R2" or most inhabitants of The Real World will think I'm talking about Windows Server 2008 R2 -- and 8.1, but here's my short version of the new goodies.  I will of course cover all of this in greater detail when we actually see the beta instead of the PowerPoints.

More Windows, More of the Time

Every new version of Windows seems to come with a "catchphrase," a new word that every Microsoft speaker apparently can't stop using.  For Vista, the magic word was "beautiful."  For Windows 8, it was "bold."  For 12R2 and 8.1, it's "cadence," as in "we're stepping up the cadence in our releases," as if Microsoft coders were boot camp draftees being driven by Lou Gossett, Jr. in An Officer and a Gentleman.  That does not mean, a Microsoft higher-up hastened to add, that Microsoft was announcing annual revisions of Server.  Anyway, if you and some friends are watching the recordings from TechEd and want to spice things up a bit with The Microsoft Drinking game, then everyone's got to take a shot whenever the speaker says, "cadence."

Hyper-V Upgrades

Nope, they couldn't leave massively-improved alone.

  • Generation 2 VM:  virtual machines are created atop software that cleverly fools operating systems into thinking that it is actual hardware, not software.  It's a brilliant feat and my hat's off to anyone building a successful hypervisor like VirtualBox, VMware, Hyper-V or whatever.  But that imaginary hardware has always seemed sort of inspired by '90s actual hardware.  A Gen2 VM sports the new UEFI-type BIOS, allowing you to exploit 2012/8's much-needed Secure Boot.  The other thing is that this imaginary computer "hardware" structure is lean and mean -- no floppies and that kind of stuff, and I'm guessing that creating an imaginary machine atop minimalist imaginary hardware leads to a fast imaginary machine.  It also boots from virtual SCSI adapters, making virtual servers that much more like physical ones.  Nice work and good news, except for one thing.  The virtual machine's virtual hardware does not include a virtual TPM chip.  I'm sort of thinking that anyone who cares enough about security to use a virtual machine with a UEFI BIOS -- and if you don't know what that is, trust me when I say that it's a desirable thing security-wise -- would want the crypto support provided by TPM.  What's even crazier about it is that the new systems with the Haswell processor will all have essentially a "firmware TPM," which will enable Windows 8.1 to implement encryption on everything that runs on Haswell.  Even cooler, that firmware TPM chip will let you perform more secure comms with your banks, financial agencies etc via virtual smart cards.  If TPM's going to be that omnipresent... shouldn't my VMs have it?

  • Hyper-V Replication: arguably the coolest small business feature in 2012 has caught the eye of larger enterprises.  At first blush, Hyper-V Replication's mainly a way to just buy a second computer and create a manual failover, almost-hot-start system, but the fact that that second computer can be on another continent has prompted some of the big boys to play with it.  12R2 lets you change the currently-hard-wired update interval -- or should I have said "cadence?" -- from five minutes down to 30 seconds.  You can also control the failover from a cloud service, and you can have more than one failover site.

  • Cut and paste between VMs.  Made possible atop an implementation of the already-present Remote Desktop capabilities.  Haven't played with it on Windows 8.1 yet, but it might give VMware Workstation a run for its money.

  • Live Migration over RDMA.  Live Migration -- Hyper-V's answer to VMware's vMotion -- is a great tool but the sheer amount of data that's got to be transferred between the source and destination VMs means that a migration can take over a minute.  By exploiting RDMA boards and 12R2's built-in compression, you can get that down to six seconds.  Nope, I wouldn't have believed it if I hadn't seen it.

  • Resize VHDx files on the fly.  Only the new virtual disks -- the VHDxes -- can support this, but it's easy to convert from VHD.  And the VHDxes must be connected to virtual SCSI host adapters.

  • "Linux is a first-class client."  Said of the VMs created in Azure, but I'm assuming that means a better set of Integration Services for Linux on Hyper-V as well.  Azure will soon support running Linux scripts automatically after deployment, resizing VHDs on the fly, and online backup of Linux VMs using something like a VSS provider for Linux.

  • Automatic activation of VMs under Datacenter.  Windows activation is that constant annoyance for us all, but inasmuch as the Datacenter license lets you run as many VMs as you like on a given Datacenter machine, 12R2 will somehow automatically activate 12R2 guests under 12R2 Hyper-V.  Just a bit less administration to hassle with.

  • Merge checkpoints on a running system.  I've not done much with checkpoints -- that's the Hyper-V word for "snapshots," in case you didn't know -- and 12R2's Hyper-V can now merge them without having to shut down the whole virtual machine.

Storage Changes

Microsoft's Storage Spaces is their implementation of a SAN.  It lets you attach a box of cheap drives to a 2012 server and get many of the traditional SAN features and pretty much all of what you need to build a large Hyper-V cluster on.  Think of it as 75 percent of the functionality of an appliance SAN at 25 percent of the price. It was a good 1.0 outing, but 12R2 beefs it up in a few notable ways.

  • Tiered storage -- SSDs and rotational drives.  I characterized Storage Spaces as a software SAN that you could cook up from a pile of middlin'-level drives, and that's true.  But in 12R2, you can add some solid state drives (SSDs) into the mix, and create a "two-class" storage system.  The idea here is that you can now either choose to put certain heavily-used files into the SSD "tier," or -- if I understood the presentation right, we didn't get to play with it -- you can just set the thing on auto-pilot, in which case Storage Spaces monitors disk activity and moves the most-used-blocks -- yes, that's blocks, not entire files -- to the SSD.

  • Caching.  Again, we did not see the UI in the presentation that I was in, but we were told that we could allocate some RAM as cache for the Storage Space.  Thus, I guess the really-heavily-used stuff ends up in the cache, the almost-as-used stuff in the SSDs and the rest in the rotational drives.

  • Deduplication expansion.  2012 introduced a deduplication feature, but in the final version of 2012 it would not de-duplicate VHDs and VHDxes.  That was a real shame -- we were told that it would in an early briefing -- because consider what cluster storage looks like for a Hyper-V cluster.  It's all VHDs and VHDxes, and they're essentially C: drives for Windows Server systems.  That means that those VHDxes have a lot of files in common -- all Windows folders are 99% identical -- and so de-duping a cluster storage's VHDx files would be insanely cool.  Files like that almost certainly live on a "cluster shared volume" or CSV, and those can now de-dup.  It'll be cool to build a cluster and try that out.

  • Storage QoS.  If one virtual machine is pulling too many IOPS, you can throttle it with this feature.

That's all I've got time for this issue, but I'll be back with more soon.  Drop me a line if I can explain more, and another great source would be the TechEd Channel 9 recordings of the New Orleans TechEd 2013 presentations.

To Subscribe, Read Old Newsletters, Send Me a Comment or Change Your Email Address

To subscribe: (which just means I'll send you about a three-tweet-sized message in plain text via email including a link to my latest newsletter), please visit http://www.minasi.com/nwsreg.htm.

To change e-mail or other info, drop me a line (haven't figured out a secure method yet).

To read old newsletters: visit http://www.minasi.com/nwstoc.htm and, if you like 'em, please consider subscribing.

To send me a comment:  I'm at help@minasi.com.

All contents copyright 2013 Mark Minasi.  I encourage you to quote this material, so long as you include this entire document. Thanks very much for reading, and see you next time.