July 11, 2008

Project Updates

Since it has been a while I just wanted to update my last post that listed our current projects with the progress that has and hasn’t been made.

We are now in the 2008-2009 budget year.  Due to us changing Internet providers we have reduced our budget needs for the current fiscal year.  The big project that we’ve received funds for is replacing Shelby with a new ChMS system!  (My early favorite is Shelby Arena but this is just my opinion without a team of staff talking to multiple vendors.)  This promises to be another busy year ahead of us!

We did finalize ISP bids and moved to Phonoscope from Data Foundry.

Microsoft Forefront Client Security tested well and we have migrated to the full product. This is not the easiest product to implement. I am hoping for big benefits in the future as this is further integrated with MOM and SCCM.

We have deployed Windows Server 2008 in a DC and File Server role and a Terminal Services Gateway.  Server 2008 is an excellent upgrade.

Microsoft System Center Configuration Manager has been deployed but not fully utilized.

Still preparing for staff Office 2007 training.  I am very nervous about this deployment and all of the helpdesk calls because of the interface change.  Will look to do training after promotion Sunday in late August.

Prepared, tested and deployed new 8 core HP DL360 G5 for use as our third VMware Server but now this server has Windows Server 2008 Enterprise x64 Server Core installed and is being set up as a member of a Microsoft Hyper-V cluster.

We’ll deploy Exchange 2007 after the Hyper-V cluster is operational.

After Exchange is virtualized, upgrade and re-purpose physical server as a Microsoft System Center Virtual Machine Manager 2008 server to manage VMs and Hyper-V servers.

February 20, 2008

Windows Server 2008 SP1?

I've known for a while that Vista SP1 would bring Vista the same kernel as Windows Server 2008 but I never thought of Windows Server 2008 including SP1.

I didn't know what to expect when I saw the blog subject: "Windows Server 2008 is called SP1. Adventures in doing things right." from Paul Thurrott's blog.

Paul links to a blog post that explains how and why Server 2008's first service pack will be SP2.

February 19, 2008

Terminal Services Gateway

I must admit that Windows Server 2008 is a product release that I have looked forward to for a long time.  Terminal Services, Hyper-V, Group Policy Preferences, RODC, Server Core and other features really make this a great upgrade from a technology standpoint.

One of the technologies that I wanted to test right away was Terminal Services Gateway.  This has been available through 3rd party software like Citrix for years.  At Sagemont, our use of Terminal Services is limited to thin clients and access to Shelby V5 for our users that office outside our main campus.  I also allowed a few test users RDP access to Terminal Services outside the firewall but this is not very secure.

I am starting to get more feedback from staff that want to be able to work from home.  Especially when they found out about our test RDP users.  Now with Terminal Services Gateway (TSG) I can securely and easily deploy Terminal Services to all employees.  It allows an employee to access Terminal Services over the Internet via RPC over HTTPS.  RPC/HTTPS is the same technology that Outlook uses for Outlook Anywhere.  What is great about TSG is that you can create policies that control user access to specific resources.  There is a Connection Authorization Policy (CAP) that specifies what users and/or computers can connect to the gateway and what type of Device Redirection is allowed.  For us we will probably just allow printer redirection for users connecting from non-trusted computers.  For users that connect from a church issued laptop that is a domain client then we could allow drive redirection.  Then Resource Authorization Policies (RAP) are created to allow users access to Terminal Server groups.

So far TSG has tested out very well and I will have several users test it out this week.  The next steps will be to activate Windows Server 2008 on the gateway server.  Then I will be acquiring a certificate from a well-known CA to make things easier on the staff when they connect.

January 11, 2008

Current Projects

I know my blog posts have been lacking the last few months.  It has been a very busy time.  Here is a summary of the projects that I have been working on recently.  All projects, except the Windows Server 2008, will probably be completed in the next 4 weeks.

2008-2009 IT Budget Preparation

Bidding out our Internet connections at the Main and Missions Campuses (all bids have been received and I expect a decision in the next 2 weeks)

Testing Microsoft Forefront Client Security

Beta testing Windows Server 2008 for deployment after RTM (Terminal services gateway sounds very interesting, I may deploy this as a release candidate)

Deploying Microsoft System Center Configuration Manager, formerly Systems Management Server (first priority is to deploy Office 2007 to all staff)

Preparing for staff Office 2007 training, including buying equipment for training lab.

Preparing, testing and deploying new 8 core HP DL360 G5 for use as our third VMware Server.

After new VMware Server is deployed, virtualize Exchange onto new server.

After Exchange is virtualized, upgrade and repurpose physical server as a VMware Server to replace a dual processor single core server VMware Server.

Windows Live Writer Test

Now that Windows Live Writer supports Vista x64 I figured I'd try it out.

So far I like it.

December 06, 2007

Tape Backups

For the last few weeks I was having fits with our backup system, primarily our Sony AIT-3 tape backup drive. We use EMC Retrospect to perform disk to disk to tape backups. We back up nightly to disk and then transfer a weekly snapshot for disaster recovery. Well, our tape transfers started to take 22 plus hours to complete and consumed 4 100/260GB tapes. We finally bit the bullet and purchased an HP Ultrium 920 400/800GB 1/8 autoloader. What a difference it made. Now tape transfers can occur without any human intervention and, since this drive is faster, backups take about 15 hours to complete. I thought that was a little slow so I am doing some performance tuning on the backup server and did discover one interesting tidbit below.

 

As you can see my SATA storage array was very fragmented. I ran the Windows Disk Defragmenter on the array but it did not touch the fragmentation we were seeing on the array even with 26% free space. Here were the stats after the first defrag run.

 

As you can see some of the backup image files were very fragmented. 4800 fragments in a 600MB file is horrible. I went ahead and installed the Diskeeper 2008 trial and performed a full defragmentation job. After completing it, my next disk to tape transfer took about 12 hours to complete, a 17% increase in performance. I still have some tuning to complete but this was a great start.

New Feature in Windows Server 2008 RC1

I downloaded Windows Server 2008 RC1 yesterday and had a chance to play with it a couple hours last night. A feature that is new to Server 2008 and is now available in RC1 is Group Policy Preferences. Well, this feature is not new to us at Sagemont since we've used it for about 3 years now. Last year Microsoft purchased DesktopStandard, the maker of PolicyMaker Standard and PolicyMaker Share Manager. Since then I have been anxiously awaiting word on Microsoft's intentions for the product. I was told that Microsoft would either integrate the product in the base code or it would make it available to customers with Software Assurance. Microsoft announced yesterday that they would make Group Policy Preferences available in the base product, which is great news for everyone.

Like I said, we've been using the product for about 3 years and were dreading the thought of managing our network without it. Here are some of the things we manage with it.

  • Manage local Administrative Account passwords on all workstations. The admin password is the same on all workstations and can be changed in a few minutes via group policy.
  • Manage local Power Users and Administrators group membership on workstations. No more rogue local admins.
  • Centrally manage Task Scheduler. One use is shutting down and restarting workstations at night so workstations run more stable, changed computer policies get applied and we can reduce our electric bill for 100 computers. We also schedule nightly defrag jobs using the XP built-in defragmenter so workstations run better and IT has a cost savings in not needing to buy commercial software.
  • Manage workstation shares. No workstation is allowed to share files so we wipe all non administrative shares. If you need to share it there are file servers that we backup that can share it much better since the file servers are faster than the local workstations and we do not backup local workstations.
  • Push Exchange/Outlook settings to local workstations so local users and helpdesk never has to manually configure Exchange connectivity. Although it does look like this feature has been removed from the Microsoft product.
  • Manage network drive mappings, registry settings, and copy files and folders to workstations without using a single logon script.

Now that these features will be deployed in Server 2008 it looks like we will be accelerating our plans on deploying Server 2008 domain controllers. My next task is researching the transition from PolicyMaker to Group Policy Preferences. You can find a whitepaper on Group Policy Preferences at DesktopStandard's website.
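Where Group Policy Preferences sets a local account password, as in the first bullet above, the item stores it in a `cpassword` attribute in XML under SYSVOL, readable by any authenticated domain user and encrypted with a key Microsoft has published; MS14-025 later removed the ability to set passwords this way but leaves existing items in place. The audit below is an added example, not part of the original post: the function name `Find-GppStoredPassword`, the sample folder and the placeholder values are assumptions for illustration, and the script only reports the attribute without decoding it.

```powershell
# Audit a SYSVOL Policies tree for Group Policy Preferences items that carry a
# stored password (a non-empty cpassword attribute). Values are never decoded.
function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$Path)

    # Preference files that can hold a cpassword attribute.
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml',
             'DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $Path -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { $xml = [xml](Get-Content -LiteralPath $file -Raw) }
        catch { Write-Warning "Unparseable XML: $file"; return }

        # Any element with a non-empty cpassword attribute is a finding.
        $hits = $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
        foreach ($node in $hits) {
            [pscustomobject]@{
                File    = $file
                Item    = $node.ParentNode.GetAttribute('name')
                Account = $node.GetAttribute('userName')   # empty if not present
                Changed = $node.ParentNode.GetAttribute('changed')
            }
        }
    }
}

# Constructed sample tree (not from a real domain); the cpassword is a placeholder.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
$dir  = Join-Path $root '{GUID-PLACEHOLDER}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)" changed="2008-01-11 09:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/>
  </User>
  <Group name="Power Users (built-in)" changed="2008-01-11 09:00:00">
    <Properties action="U" groupName="Power Users (built-in)"/>
  </Group>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

# Reports the User item only; the Group item has no stored password.
Find-GppStoredPassword -Path $root | Format-List
```

Against a live domain, point `-Path` at the domain's SYSVOL `Policies` folder; each finding is a preference item to delete and replace with a per-machine password mechanism.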

October 05, 2007

Virtual Iron

I had been planning on moving to ESX server from VMWare server for months but the $5000+ was a major stumbling block and made it harder to justify its ROI. I ran across a couple reviews of a server virtualization product named Virtual Iron a couple months ago. It is a competitor to VMWare ESX Server and other hypervisor based virtualization products. One review performed by Infoworld really caught my attention and prompted me to call their sales department for more information. I talked with a gentleman that went over the features of Virtual Iron. They offer some of the advanced features VMWare does like Snapshots, LiveMigrate and LiveCapacity and at 1/5 the price of VMWare. This looks like it could be a very compelling product and I have received the evaluation for their product so I will keep you posted on how that goes.

October 04, 2007

Terminal Services and Disk Management

I had the craziest problem the last 2 months. On one of my two Windows Server 2003 with VMware Server boxes I was not able to mount and format any volumes on our EqualLogic iSCSI SAN. I troubleshot this from every angle and Googled every possible phrase. I just could not figure it out. I finally broke down and called Microsoft Professional Support last week and spent 4 hours on the phone with Microsoft. They tried everything and could not figure out a solution. The tech finally suggested that I log on locally to the server and the problem was fixed. All drives mounted and formatted successfully.

I do 95% of my server management through the Terminal Services Client (MSTSC) and almost never at the console. I was told a couple times before that some operations could only be done at the console and not through MSTSC. I honestly thought those techs were full of crap and were trying to pass on a tough service call. To get around this issue you can also run MSTSC with the /console switch "mstsc /console". You may also run the console switch if you were logged into a console session on a server and need to remote desktop to that session.

June 21, 2007

Virtualization

I have spent the last month virtualizing 4 servers. At this time, I am using VMware Server on Windows Server 2003 but I am monitoring this setup. So far I have not seen a pressing need to spend $4-6K per physical server for VMware Infrastructure.

To virtualize the first server I used VMware Converter to perform a P2V conversion. So far that server is working very well and I have had no problems with it, related to virtualization. Since that time I have created 3 new virtual servers that are now in production. Those servers are an Altiris Deployment Solution server (manages our HP Thin Clients), one running Service Desk Plus (Helpdesk Tickets), and one running Ricoh/Savin ScanRouter Software (Copier scanner to email). All of these servers perform as well virtualized as they did when installed on a physical box!

I am in the process of virtualizing our Main Campus print server, our Shelby/SQL server, and Windows SUS server. The printer server and WSUS servers should go into production next week. I am a bit worried about the performance of the Shelby/SQL server in a virtualized environment on a Windows VMware Server Host. I will be testing its performance extensively before deploying into the production environment. If SQL performs well and I can get my hands on another HP DL360 or DL380 server I will start evaluating Exchange 2007 with SP1. If the performance is not close to a physical server then I may look to VMware Infrastructure much sooner than planned.

I'll keep you posted on the progress.