Document copyright 2013 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.
Hi all —
You may have heard that we've got two more new Windows arriving sometime soon -- another round of Windows Desktop and Server. (Yes, you heard that right.) It's kind of a 1.1 version of Windows 8 and Server 2012, but they're still worth kicking the tires on, and I'll start doing that in this issue. Lots to tell you, but first, a word from our sponsor...
Why the Site's Been Slow: Thank Heavens for Amazon's Route 53
Just a short note and, I hope, something that will maybe save time and trouble for other folks hosting their own stuff.
Starting about three years ago, my site www.minasi.com would periodically get very, very slow... a ping to the site might take 750 ms. Some NetMon-ing revealed that my DNS server -- which is on the same machine as my Web server -- was getting pounded with repetitive queries -- "tell me everything you know about RIPE.net" -- from the same IP address, zillions of times per minute. I recognized this as a classic DNS-based amplified distributed denial of service attack. The key to understanding this attack is to know that most DNS communications use UDP, not TCP, and so you can send a DNS query to a DNS server and lie about your return address. Thus, if Alice wants to clobber Bob's Web site, all she has to do is to find a friendly DNS server (call it Mark's DNS server) on the Internet and say, "hi, I'm Bob, could you tell me everything that you know about domain X?" The request that Alice sends is no more than a couple hundred bytes, but as Alice has lied about her return address, the response from Mark's DNS server is more along the lines of 4,000 bytes, and gets sent to Bob. As it's easy for Alice to re-send that request many times per second -- remember, it's small -- it serves the dual function of significantly slowing down Mark's DNS server, and beating the snot out of Bob's Web server.
Now, that only worked because I was running a DNS server that would resolve for anyone, a common practice until recently. So I reconfigured my DNS servers not to recurse, which made things a bit better but not entirely, as making a request of any kind to a non-recursing DNS server still gets a response detailing the root servers. My ISP could have tracked the packets back to other ISPs and eventually found the real bad guys, but ISPs don't have any interest in doing that, in my experience. I thought "hey, here's a great application for Azure," and tried to set up a DNS server in Azure, but unfortunately the one kind of server Azure's not much help with is a public DNS server.
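The pattern described above (the same "tell me everything" query, from one claimed source address, many times a minute, each answered with a response many times larger than the question) is easy to pick out of a query log. The script below is an added example, not code from the newsletter; it runs over constructed log lines, and the log layout and field names are assumptions. Remember that the "client" it flags is the address the queries claim to come from, which in a reflection attack is the victim rather than the attacker.

```python
from collections import defaultdict

# Constructed sample query log (not a real server log). Fields:
# timestamp, client IP, query type, name, request bytes, response bytes.
SAMPLE_LOG = """\
2013-06-01T10:00:01 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:01 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:02 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:02 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:03 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:03 198.51.100.7 ANY ripe.net 72 3960
2013-06-01T10:00:05 203.0.113.5 A www.minasi.com 49 65
2013-06-01T10:00:40 203.0.113.9 MX minasi.com 46 120
"""

def parse_log(text):
    """Yield one record per non-empty line of the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, name, req, resp = line.split()
        yield {"minute": ts[:16], "client": client, "qtype": qtype,
               "name": name, "req": int(req), "resp": int(resp)}

def find_amplifiers(text, min_queries=5, min_ratio=10.0):
    """Flag (client, query) pairs that repeat the same question many times
    within one minute and receive answers far larger than the questions.
    Since UDP source addresses can be spoofed, the flagged client is the
    likely target of the reflected traffic, not its origin."""
    buckets = defaultdict(lambda: {"n": 0, "req": 0, "resp": 0})
    for r in parse_log(text):
        b = buckets[(r["minute"], r["client"], r["qtype"], r["name"])]
        b["n"] += 1
        b["req"] += r["req"]
        b["resp"] += r["resp"]
    hits = []
    for (minute, client, qtype, name), b in buckets.items():
        ratio = b["resp"] / b["req"]   # bytes sent out per byte received
        if b["n"] >= min_queries and ratio >= min_ratio:
            hits.append({"minute": minute, "client": client, "qtype": qtype,
                         "name": name, "count": b["n"], "ratio": round(ratio, 1)})
    return hits

if __name__ == "__main__":
    for h in find_amplifiers(SAMPLE_LOG):
        print(f"{h['client']} asked {h['qtype']} {h['name']} {h['count']}x in "
              f"{h['minute']}, amplification {h['ratio']}x")
```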
The whole thing led to some stress on my part until my friend Brian Desmond (@brdesmond on Twitter, and a gosh-darned smart guy about AD) pointed me at Amazon Web Services's "Route 53" -- DNS runs on port 53 -- DNS hosting service. Does the job and at a great price, allowing me to shut down the DNS server service on my Web server and greatly improving my response time. Seriously, the thing is going to cost me under ten bucks a year -- it's a great deal. Thanks Brian!
What, More Windows? A Look at Server 2012R2 and Windows 8.1, Part 1
"So let's see... most of us just got Windows 7 onto our desktops and 2008R2 on our servers, just in time last Fall for Server 2012 and Windows 8... and they just announced another pass at Windows? What are those people thinking?"
I've spent the last month sitting in briefings listening to some very earnest Microsoft folks talk about why putting a bit of a polish on the new Microsoft desktop and server OSes is quite a good idea, and you'll hear even more along those lines when the first betas of Windows 8.1 and Windows Server 2012R2 arrive sometime midweek. But in case you're in a really big rush, 2012R2 and Windows 8.1 seem aimed at two things:
Server 2012 and Windows 8 in Another Light
For me, the most interesting thing about Server 2012R2 and Windows 8.1 is not what they contain, but how they make me see their predecessors. When I looked at Windows Server 2012, I was overwhelmed by the wealth of goodies and so completely missed this:
Server 2012 has essentially just one reason for existence: to make you want to and be able to build a high-availability virtual infrastructure that is similar feature-wise to but cheaper than VMWare.
Okay, that's an exaggeration, but just a small one. 2012 is one big missile aimed at VMWare, and it's got several subsystems.
The Hyper-V hypervisor gives you all of the DataCenter Server features in the $882 Standard SKU. High availability requires clusters, and that used to mean Enterprise Server, an iSCSI infrastructure and more than likely an expensive SAN. 2012 lets you skip the SAN, buy a cheap "JBOD"-type drive enclosure, hang it on a couple of Standard Server boxes to make a "Storage Space" (their word for their basic SAN software), get a few 56 gigabit/second RDMA boards and run them between the Hyper-V hosts and the Storage Spaces machines, and you fairly quickly have a pretty fast, relatively inexpensive setup that offers speed, flexibility and high availability. Besides the big chunks there -- Storage Spaces, the improvements to Hyper-V and the ability to run clusters atop cheaper Standard Server -- you soon start to notice that at least 85 percent of the "all new" stuff in 2012 just pays into the "build a big virtual infrastructure" store. (Dynamic Access Control is probably the big exception.)
So why 2012 R2? They take all the cool "build a data center on the cheap" features of 2012 and ladle a little caramel and whipped cream on top.
Now, on the Windows 8 desktop side, I was not fuzzy at all about its raison d'être: create a version of Windows supporting tablet apps that could compete with Android and iOS apps. Did they succeed on that score? Not yet, but we'll see. Where Windows 8's cousin Windows RT kind of fell down was on the whole I-have-a-tablet-that-can't-join-a-domain thing. I love my iPad and wish that it could join a domain, but am in no way surprised that it can't. In contrast, I have a Surface RT that I also love for different reasons and really wish that it could join a domain... but was very disappointed that it could not.
So why Windows 8.1? It -- and 2012 R2 -- enable a new "domain join lite" called "Workplace Join" that lets you join iOS and RT devices to a domain, kind of, establishing a three-tier aristocracy of trust -- traditional domain-joined Windows boxes, Workplace Join-ed boxes, and other devices like smartphones, Blackberries, Android and the like. (Before you ask, Android's on the way... the Microsoft speakers at TechEd just all paused before they said "Android," so it sounds like there will be a small delay on Android support but they're not dumb, it'll appear soon.) Unfortunately, you've got to be an Intune subscriber to use Workplace Join to control devices. ("That'll be $72/year/person, sir. Cash or check?") The other new big BYOD feature in Windows 8.1 is "Workplace Folders," a kind of DropBox for folks wanting to sync data on their Windows file shares amongst their devices. (If you know SkyDrive Pro already then think of it as "SkyDrive Pro for SMB shares.")
There are an awful lot of new things in 12R2 -- I'm already getting tired of writing "Windows Server 2012 R2" and I can't say "R2" or most inhabitants of The Real World will think I'm talking about Windows Server 2008 R2 -- and 8.1, but here's my short version of the new goodies. I will of course cover all of this in greater detail when we actually see the beta instead of the PowerPoints.
More Windows, More of the Time
Every new version of Windows seems to come with a "catchphrase," a new word that every Microsoft speaker apparently can't stop using. For Vista, the magic word was "beautiful." For Windows 8, it was "bold." For 12R2 and 8.1, it's "cadence," as in "we're stepping up the cadence in our releases," as if Microsoft coders were boot camp draftees being driven by Lou Gossett, Jr. in An Officer and a Gentleman. That does not mean, a Microsoft higher-up hastened to add, that Microsoft was announcing annual revisions of Server. Anyway, if you and some friends are watching the recordings from TechEd and want to spice things up a bit with The Microsoft Drinking Game, then everyone's got to take a shot whenever the speaker says "cadence."
Nope, they couldn't leave massively-improved alone.
Microsoft's Storage Spaces is their implementation of a SAN. It lets you attach a box of cheap drives to a 2012 server and get many of the traditional SAN features and pretty much all of what you need to build a large Hyper-V cluster on. Think of it as 75 percent of the functionality of an appliance SAN at 25 percent of the price. It was a good 1.0 outing, but 12R2 beefs it up in a few notable ways.
That's all I've got time for this issue, but I'll be back with more soon. Drop me a line if I can explain more, and another great source would be the TechEd Channel 9 recordings of the New Orleans TechEd 2013 presentations.
To Subscribe, Read Old Newsletters, Send Me a Comment or Change Your Email Address
To subscribe: (which just means I'll send you about a three-tweet-sized message in plain text via email including a link to my latest newsletter), please visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, drop me a line (haven't figured out a secure method yet).
To read old newsletters: visit http://www.minasi.com/nwstoc.htm and, if you like 'em, please consider subscribing.
To send me a comment: I'm at firstname.lastname@example.org.
All contents copyright 2013 Mark Minasi. I encourage you to quote this material, so long as you include this entire document. Thanks very much for reading, and see you next time.