VMware Fusion v1.0

A while ago I posted an article comparing VMware Fusion (beta) with Parallels virtualization software.
Recently, VMware released version 1.0 of Fusion, so I decided to take the software for another test run.

I noticed immediately that VMware invested lots of energy in optimizing the beta version:
- Fusion now supports virtual SMP, and performance was really stunning! It's hard to notice you're not running natively.
Also, pausing and resuming a VM only takes a few seconds.
- Fusion makes it also possible to unify a Windows VM with Mac OS. You can easily drag and drop, and launch Windows applications from the dock.
- If you have an existing boot camp partition, Fusion will detect it and make it available as a virtual machine.
- Snapshotting is also added to the list of features.

Conclusion is that VMware did a great job with the final release of Fusion, and it has finally become difficult to choose your virtualization software for Mac.

Migrate esxRanger Professional

If you want to migrate your esxRanger configuration to a different server, there's a very easy way to do so. Just install esxRanger on the new server, and copy these 4 files from the existing server to the new one :
%ProgramFiles%\vizioncore\esxRanger Professional\smtp.dat
%ProgramFiles%\vizioncore\esxRanger Professional\vcenter.dat
%ProgramFiles%\vizioncore\esxRanger Professional\servers.dat
%ProgramFiles%\vizioncore\esxRanger Professional\yourlicense.lic

Make sure you don't forget to copy your scheduled tasks as well...

Restore bkf files in Windows Vista

Together with the release of Windows Vista, Microsoft decided to replace NTBackup with a newly built backup and restore program. You can access the Backup and Restore Center in the System and Maintenance menu in Vista.

Beware though that there is no support for restoring NTBackup files (bkf) with this new solution. Microsoft did release a tool to cope with this, check it out : http://www.microsoft.com/downloads/details.aspx?FamilyID=7da725e2-8b69-4c65-afa3-2a53107d54a7&displaylang=en

Migrate Double-Take for Windows

If you want to migrate your double-take configuration to a different server, there's a very easy way to do so. Just install the same version of double-take, and copy these 3 files from the existing server to the new one :
%ProgramFiles%\DoubleTake\connect.sts
%ProgramFiles%\DoubleTake\DblTake.db
%ProgramFiles%\DoubleTake\schedule.sts

Also make sure that you add every double-take admin to the local security group "Double-Take Admin", otherwise even local admin's won't have the necessary permissions.

SMS Advanced Client Setup Problems

I recently had problems installing an sms advanced client. During setup, it failed while creating the necessary WMI namespaces.
Error: failed to create WMI namespace CCM, code 80041002.

Solution:
- Stop WMI service (winmgmt)
- Delete folder "%systemroot%\system32\wbem\Repository"
- Start WMI service
- Rerun client setup

Netbackup SQL Restore Problems

Using the Netbackup MS SQL Gui client:
If you install a new SQL server, and try to restore database backups from an existing SQL Server, the message "Error encountered trying to read database images" shows.

The issue is that the sql agent from the new netbackup client is not allowed to list the existing backups from other SQL servers.

To resolve, go to the master Netbackup server, and copy all the files from <install_path>\netbackup\db\images\<client_name>\*.* to <install_path>\netbackup\db\images\<new_client_name>\*.*.
Leave the SQL host field pointed to the existing server, and point the source client field to the new SQL server.

Works perfect!

Windows Server 2003 Access-based Enumeration

Ever had the annoying problem that users can see files and folders in shares, even when they have no rights to access them? Install the Windows Server 2003 access-based enumeration add-on for 2003 SP1.

Install offers 2 modes: enable abe for all shared folders on a server, or configure it yourself on a per share basis (default). After default install, it shows an extra tab on the properties of a shared folder:

The add-on also includes a command line interface. (abecmd.exe)

VMware Fusion vs Parallels Desktop for Mac OS

Since the release of Intel based Macs, the market is open for virtualization products for Mac OS. I decided to give VMware Fusion (build 36932) and Parallels Desktop (build 3120) a test run on my iMac Core 2 Duo.
Both of them support USB 2.0 and drag&drop functionality, but here's a short overview of the most important differences:

Fusion
- Multiple virtual processors
- 64 bit guest support
Parallels
- Coherence
- Boot Camp support (use bootcamp partition as virtual machine)

Since VMware Workstation 5.x and Server 1.x images can be used in Fusion, Parallels had to come up with a solution: Transporter. It allows easy migration of your real Windows pc, or existing VMware or Virtual PC VMs.
In my case, I decided to install 2 new Windows Vista VMs.

The test results:
First off is guest performance, which is nearly native in Parallels! Fusion beta always runs in debug mode (which decreases performance), but then again, I assigned both CPUs to this VM. The performance didn't even come close!
Pausing and resuming works quite well in both products, but Parallels is still a bit faster.

As for view modes, Coherence is quite impressive, but I doubt I will ever enable it. I'd rather use the VM window or full screen mode.

Maybe the most remarkable feature was the dynamic adjustment of the screen resolution in Parallels. Just resize the VM window, and the screen resolution inside the guest adjusts itself. Nice one!
 
Last thing to mention is the Boot Camp support. Although this works well, I wonder why you need Boot Camp if there's virtualization software like Parallels??

Check out these screenshots:

     

Group Policy Settings Reference

A few weeks ago Microsoft published a new Group Policy Reference spreadsheet. This sheet lists all policy settings for user and computer configurations included in the admx/adml files delivered with Windows Vista.

Most important information in this sheet:
- the admx file that contains the setting
- the required OS for the setting to apply
- the registry location of the setting
- reboot or logoff required

Download it here.

Utility : Group Policy Log View

A few articles ago I discussed the fact that Vista logs all of the group policy events in the event log. Now Microsoft released a tool to export all group policy related events to a text, xml or html file : Group Policy Log View.
The tool even allows to monitor events in real time in a command prompt.

New ADM Templates for IE 7

For those who already migrated to Internet Explorer 7, download the new Group Policy administrative templates here :
http://go.microsoft.com/fwlink/?linkid=77998

Utility : RGPRefresh

At GPOGuy.com, they created a usefull tool for remotely refreshing group policy settings. It requires the .NET Framework 1.1 to be installed for usage.

Have a look : www.gpoguy.com/rgprefresh.htm

Terminal Services in Longhorn Server

During IT Forum I got to see a nice presentation of some of the new features of Terminal Services in Longhorn. Let me sum them up for you:

- Terminal Services Gateway: it's actually the Microsoft version of Citrix Secure Gateway. It provides access to terminal server sessions with the RDP protocol encapsulated in the HTTPS protocol. The session is secure, and only firewall port 443 needs to be open to make a connection. Access through this gateway can be controlled on a per user or workstation basis.

- Remote Programs: the ability to publish programs, in stead of a complete desktop environment. The application will run in a seamless window, so the user will experience no difference with local applications. File type associations can be configured on the clients, so they will automatically launch a terminal server application for certain file types.
These remote programs can be distributed as an MSI package (created in the TS Console), or through TS Web Access.

- Terminal Services Web Access: an interface which makes the terminal services remote programs available to users from a web browser. It's a customizable web part, which can also be integrated in a Sharepoint site.

Also a very nice feature, which makes the user experience even better, is the possibility to copy/paste from the desktop environment to a terminal server session. (and visa versa)
It was already possible for text strings in the past, but this has now been expanded to support complete files.

Group Policy in Vista and Longhorn

The most innovative change in group policies with windows vista and longhorn server is the introduction of admx and adml files. Admx files are xml based policy files, which contain registry based values. Adml files only contain text (per language), and are linked to admx files by using an id attribute for each string.
The location of these admx and adml files is %systemroot%\Policy Definitions. A very nice tool by FullArmor, which has been acquired by Microsoft, is called ADMX Migrator. This allows for the migration of adm files to admx, and the creation of new admx files.

Another improvement is the creation of a Central Store. This is a repository for all admx and adml files in a domain. This ensures that all of your gpo's use the same version of a policy template. The central store has to be created in a specific location : SYSVOL\domain\policies\PolicyDefinitions. If this central store is available, the GPMC will automatically load all of the templates from this location.

Since windows vista, multiple local policies can be created. As you can see in the screenshot below, local policies can be created for specific users, administrators, non administrators, ...

 

In the past it was also pretty difficult for admins to monitor gpo application. Userenv debug logging could be enabled, but not microsoft tools helped in analyzing this information. Since vista, the complete processing of gpo's is logged in the event log.

The last new feature I want to mention, is network location awareness. The main advantage of NLA is the end of the reliance on the ICMP protocol for policy application. It ensures a more accurate determination of network bandwith.

Security in Windows Vista

Most of you who have been playing around with Vista probably noticed all of the security prompts when performing admin tasks. I'll try to give an overview of the most important security enhancements in Windows Vista.

Internet Explorer Protected Mode
With Protected Mode, the IE process runs with a different user account with very little system privileges.(Check the processes list for an additional process called ieuser.exe) By running in this sandboxed mode, the IE process does not have sufficient rights to write to most parts of the file system. (eg. users profile) Protected Mode IE reads/writes to "low" versions of cache, located in :
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies:
%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low
By default, protected mode is enabled for all security zones, excepted trusted sites.

Windows Firewall
The Windows firewall now has firewall rules for three fixed profiles: public (very secure), private (less secure) and domain. The domain profile is automatically configured when the workstation is added to a domain. For the other two profiles, windows will prompt you to select a profile whenever a new network is detected. This detection is done by the Network Access Protection client, which I'll talk about later. Whenever multiple networks are connected, the most restrictive firewall profile will be applied to the system. (support for multiple profile application will be added later)
Another new feature of the windows firewall is IPSEC integration. IPSEC policies are now configured with the windows firewall mmc snap-in. (or through gpo's of course, as is the rest of the firewall config)
The windows firewall now also supports outbound traffic control, which can limit installed applications to send traffic onto the network.

NAP (Network Access Protection)
NAP is actually nothing more than controlling network access based on the configuration of a network client. These checks can be done on, for example: antivirus software, sms client, patchlevel, ...
Vista has a built-in NAP client, which communicates with a NPS (Network Policy Server). NPS is actually the new version of the
RADIUS server in Longhorn.
If the client has a compliant configuration, a health certificate together with network access is granted.
After being granted network access, the nap client will continiously monitor client configuration, and deletes the health certificate if the config becomes uncompliant.

User Account Control
Probably one of the most important security enhancement in Vista is UAC. Because of UAC, even an administrator runs with regular user privileges. Each time an admin task is performed, elevation is required. This prevents unauthorized programs from running, which in the past would have run without the admin even noticing it.
Another feature of UAC is virtualization. File access by legacy applications which try to write user configuration to the windows or program files location is captured, and redirected to a virtual folder : %userprofile%\AppData\Local\VirtualStore. This virtualization is controlled by a file system filter driver (luafv.sys)
The same goes for registry access. User configuration written to HKLM is captured, and redirected to HKCU\Software\Classes\VirtualStore.
Good to know is that these virtualization locations are not included in a roaming profile.

Microsoft really put a lot of effort in securing its new OS. I didn't even talk about Bitlocker, Windows Defender, or the new authentication architecture which replaced GINA.
If you're interested, read more about it here: http://www.microsoft.com/technet/windowsvista/security/default.mspx.