Giving a Workgroup Server an FQDN

Recently I needed to be able to securely, remotely manage a set of Windows Servers that were not domain joined.  One problem that I hit while setting this up was that each of the servers did not believe that they had a valid FQDN.

For example – I could:

  • Set the name of a computer to “HyperVSV1”
  • Create a DNS entry that said that “HyperVSV1.mydomain.com” resolved to that computer
  • Correctly ping the computer at that address

But when I tried to use tools like PowerShell Remoting or Remote Desktop – they would complain that “HyperVSV1.mydomain.com” did not believe it was “HyperVSV1.mydomain.com”.

Thankfully, this is relatively easy to fix.

Open PowerShell and run the following two commands:

# Set the primary DNS suffix that the server uses to build its FQDN
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name Domain -Value "mydomain.com"
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Domain" -Value "mydomain.com"

After this your workgroup server will correctly identify itself with a valid FQDN.

Cheers,
Ben

Steelcase and Microsoft announce development of technology-enabled spaces designed to boost creative work

GRAND RAPIDS, Mich. and REDMOND, Wash. – March 6, 2017 – Steelcase and Microsoft Corp. have joined forces to explore the future of work, developing a range of technology-enabled spaces designed to help organizations foster creative thinking and better collaboration. These spaces seamlessly integrate the best of Microsoft Surface devices with Steelcase architecture and furniture. Today the companies unveiled five new “Creative Spaces” showcasing how Steelcase and Microsoft can help organizations unlock creativity for every employee.

Additionally, Steelcase and Microsoft announced:

  • That Microsoft is expanding its partner network into the world of design by bringing in select Steelcase dealers as authorized Surface Hub resellers.
  • Steelcase and Microsoft are working together to develop technology-enabled workplace solutions built on Microsoft Azure IoT technology.

“The problems people face at work today are much more complex than they used to be. They require a new creative way of thinking and a very different work process,” says Sara Armbruster, vice president of strategy, research and new business innovation for Steelcase. “We believe that everyone has the capacity for creative thinking, and people are happier doing creative, productive work. Together, Microsoft and Steelcase will help organizations thoughtfully integrate place and technology to encourage creative behaviors at work.”

The Problem: Fostering Creativity as a Business Advantage

According to joint research conducted by Steelcase and Microsoft, creativity is seen as a critical job skill driven by organizations’ need for innovation and growth in addition to employees’ desire for meaningful work. However, today many organizations invest in technology and space as separate entities rather than approaching them holistically. The lack of cohesion creates sub-optimal conditions for fostering creativity at work.

The research released today (of 515 US and Canadian companies with 100+ employees)[i] reveals the pressure people feel about the shift toward more creative work:

  • Seventy-two percent of workers from diverse fields including Health Care, Retail, Education, Financial Services and Manufacturing believe their future success depends on their ability to be creative.
  • Seventy-six percent believe emerging technologies will change their jobs, requiring more creative skills as routine work becomes automated.
  • There is greater need to collaborate in business, yet only 25 percent of respondents feel they can be creative in the places they currently have available for group work.
  • The study also reveals the connection between creativity and privacy, as employees ranked having a place to work without disruption as the second highest factor that could improve creativity, just behind the need for more time to think.

Creative Spaces

The companies’ exploration of creative work found that creativity is a process in which anyone can engage and requires diverse work modes as well as different types of technology. People need to work alone, in pairs and in different size groups throughout a creative process, and they need a range of devices that are mobile and integrated into the physical workplace. Additionally, spaces should inspire people without compromising performance.

“Every Microsoft Surface device strives to enable the creator in each of us. Devices like Surface Studio and Surface Hub are fundamentally designed around how people naturally create, connect, and collaborate,” says Ryan Gavin, general manager, Microsoft Surface Marketing. “With Steelcase we have the compelling opportunity to blend place and technology into a seamless environment that allows our most important asset, our people, to unlock their creativity and share that with others. The future of work is creative.”

“Most employees are still working with outdated technology and in places that are rooted in the past, which makes it difficult for them to work in new, creative ways,” said Bob O’Donnell, president, founder and chief analyst at TECHnalysis Research. “Creative Spaces were clearly designed to bridge the current gap between place and technology and to help creative work happen more naturally.”

Five initial Creative Spaces are on display now at the Steelcase WorkLife Center in New York City. Spaces include:

Focus Studio: Individual creative work requires alone time to focus and get into flow, while also allowing quick shifts to two-person collaboration. This is a place to let ideas incubate before sharing them with a large group, perfect for focused work with Microsoft Surface Book or Surface Pro 4.

Duo Studio: Working in pairs is an essential behavior of creativity. This space enables two people to co-create shoulder-to-shoulder, while also supporting individual work with Microsoft Surface Studio. It includes a lounge area to invite others in for a quick creative review with Surface Hub or to put your feet up and get away without going away.

Ideation Hub: A high-tech destination that encourages active participation and equal opportunity to contribute as people co-create, refine and share ideas with co-located or distributed teammates on Microsoft Surface Hub.

Maker Commons: Socializing ideas and rapid prototyping are essential parts of creativity. This space is designed to encourage quick switching between conversation, experimentation and concentration, ideal for a mix of Surface devices, such as Surface Hub and Surface Book.

Respite Room: Creative work requires many brain states, including the need to balance active group work with solitude and individual think time. This truly private room allows relaxed postures to support diffused attention.

“We are facing a time of unprecedented change at work. Through this partnership we will bring together space and technology to help workers and organizations solve the workplace challenges they face today and in the future and ultimately perform their best at work,” explains Armbruster.

Steelcase: Microsoft Surface Hub Reseller

Select Steelcase dealers are authorized to resell Microsoft Surface Hub as a part of the Microsoft partner network beginning today in the United States and Canada, and in later Summer 2017 additional dealers in Germany and the United Kingdom are expected to be added to the program. The companies will announce additional markets in the coming months. As the spaces roll out in the Americas, Europe and Asia Pacific, the range of spaces will continue to expand and evolve.

Internet of Things

In the coming months, Steelcase expects to announce new technology-enabled office solutions built on Microsoft Azure IoT technology, which will provide companies with analytics that help improve workplaces and solutions to help employees find the best places to do diverse types of work within the office.

For more information on Creative Spaces and the partnership between Microsoft and Steelcase, visit www.steelcase.com/creativity or www.microsoft.com/en-us/devices/business/steelcase.

About Microsoft

Microsoft (Nasdaq “MSFT” @Microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.

About Steelcase Inc.

For over 100 years, Steelcase Inc. has helped create great experiences for the world’s leading organizations. We demonstrate this through our family of brands – including Steelcase®, Coalesse®, Designtex® PolyVision® and Turnstone®. Together, they offer a comprehensive portfolio of architecture, furniture and technology products and services designed to unlock human promise and support social, economic and environmental sustainability. The company is globally accessible through a network of channels, including over 800 dealer locations. Steelcase is a global, industry-leading and publicly traded company with fiscal 2016 revenue of $3.1 billion.

https://www.steelcase.com/press-releases/steelcase-microsoft-announce-development-technology-enabled-spaces-designed-boost-creative-work/ 


[i] Based on a Microsoft and Steelcase February 2017 study of 515 US and Canadian companies with 100+ employees.

How to give us feedback

We love hearing from you.  So what’s the best way to give us feedback?

The best way to report an issue or give a quick suggestion is the Feedback Hub on Windows 10 (Windows key + F to open it quickly). The feedback hub lets the product team see all of your feedback in one place, and allows other users to upvote and provide further comments. It’s also tightly integrated with our bug tracking and engineering processes, so that we can keep an eye on what users are saying and use this data to help prioritize fixes and feature requests, and so that you can follow up and see what we’re doing about it.

In the latest build, we have reintroduced the Hyper-V feedback category.

After typing your feedback, selecting “Show category suggestions” should help you find the Hyper-V category under Apps and Games. It looks like a couple people have already discovered the new category:

 

Hyper-V feedback

When you put your feedback in the Hyper-V category, we are also able to collect relevant event logs to help diagnose issues. To provide more information about a problem that you can reproduce, hit “begin monitoring”, reproduce the issue, and then “stop monitoring”. This allows us to collect relevant diagnostic information to help reproduce and fix the problem.

Begin monitoring

We also love to hear from you in our forums if there are any issues you are running into. This is a good place to get direct help from the product group as well as community members. Hyper-V Forums

That’s all for now. Looking forward to seeing your feedback!

Cheers,
Andy

Hyper-V vs. KVM for OpenStack performance

During the development of Windows Server 2016 we spent a lot of time working on delivering the best core performance as a cloud platform.  At the same time the Cloudbase team have spent a lot of time optimizing the performance of the Hyper-V OpenStack drivers as part of their work on the Mitaka release of OpenStack.

Just recently, they sat down and did a series of OpenStack benchmarks that compared OpenStack on KVM to OpenStack on Windows Server 2012 R2 and OpenStack on Windows Server 2016.

You can read about it in this series of blog posts:

Hopefully, you will not be surprised to hear that Windows Server 2016 wins the performance race in this comparison 🙂

Cheers,
Ben

Editing VMConnect session settings

When you connect to a VM with Virtual Machine Connection in enhanced session mode, you’re prompted to choose some settings for display and local resources.

VMConnect Session Settings

The main thing that changes between sessions is usually display configuration. But since you can now resize after connecting starting in the latest Insider build, you might not want to see this page each time you connect. You can select “Save my settings for future connections to this virtual machine” and you won’t see this page for future sessions.

VMConnect save session settings

 

However, you might want to occasionally configure local resources like audio and devices, so there are 2 easy ways to get back to these settings:

  1. In Hyper-V Manager, you will see an option to “Edit Session Settings…” for any VM for which you have saved settings.

    VMConnect edit session settings
  2. Open VMConnect from the command line or PowerShell, and specify the /edit flag to open the session settings.

Cheers,
Andy

Live Migration via Constrained Delegation with Kerberos in Windows Server 2016

Introduction

Many Hyper-V customers have run into new challenges when trying to use constrained delegation with Kerberos to Live Migrate VMs in Windows Server 2016.  When attempting to migrate, they would see errors with messages like “no credentials are available in the security package,” or “the Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available.”  After investigating, we have determined the root cause of the issue and have updated guidance for how to configure constrained delegation.

Fixing This Issue

Resolving this issue is a simple configuration change in Active Directory.  In the following dialog, select “use any authentication protocol” instead of “use Kerberos only.”

constrained_delegation

Root Cause

Warning: the next two sections go a bit deep into the internal workings of Hyper-V.

The root cause of this issue is an under-the-hood change in Hyper-V remoting.  Between Windows Server 2012 R2 and Windows Server 2016, we shifted from using the Hyper-V WMI Provider *v1* over *DCOM* to the Hyper-V WMI Provider *v2* over *WinRM*.  This is a good thing: it unifies Hyper-V remoting with other Windows remoting tools (e.g. PowerShell Remoting).  This change matters for constrained delegation because:

  1. WinRM runs as NETWORK SERVICE, while the Virtual Machine Management Service (VMMS) runs as SYSTEM.
  2. The way WinRM does inbound authentication stores the nice, forwardable Kerberos ticket in a location that is unavailable to NETWORK SERVICE.

The net result is that WinRM cannot access the forwardable Kerberos ticket, and the Live Migration fails on Windows Server 2016.  After exploring possible solutions, the best (and fastest) option here is to change the configuration to enable “protocol transition” by changing the constrained delegation configuration as above.

How does this impact security?

You may think this approach is less secure, but in practice, the impact is debatable.

When Kerberos Constrained Delegation (KCD) is configured to “use Kerberos only,” the system performing delegation must possess a Kerberos service ticket from the delegated user as evidence that it is acting on behalf of that user.  By switching KCD to “use any authentication protocol”, that requirement is relaxed such that a service ticket acquired via Kerberos S4U logon is acceptable.  This means that the delegating service is able to delegate an account without direct involvement of the account owner.  While enabling the use of any protocol — often referred to as “protocol transition” — is nominally less secure for this reason, the difference is marginal due to the fact that the disabling of protocol transition provides no security promise.  Single-sign-on authentication between systems sharing a domain network is simply too ubiquitous to treat an inbound service ticket as proof of anything.  With or without protocol transition, the only secure way to limit the accounts that the service is permitted to delegate is to mark those accounts with the “account is sensitive and cannot be delegated” bit.
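How the two dialog choices and the “sensitive” bit appear in the directory, as an added example that is not part of the original post: it decodes `userAccountControl` and `msDS-AllowedToDelegateTo` so that hosts using protocol transition, and accounts not protected from delegation, can be listed. The host names, account names and the contoso.example domain are constructed; the `cifs` and `Microsoft Virtual System Migration Service` SPN service classes are assumed here as the ones normally delegated for live migration.

```powershell
# Added example, not code from the original post. Sample values are constructed.
# userAccountControl bits (Microsoft-documented values):
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationMode {
    # Maps one account's raw attributes to the setting shown in the Delegation tab.
    param([Parameter(Mandatory)] $Account)
    $uac  = [int]$Account.userAccountControl
    # Drop empty entries so an unset attribute counts as zero targets.
    $spns = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $mode = if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
        'Unconstrained'
    } elseif ($spns.Count -eq 0) {
        'None'
    } elseif ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) {
        'Constrained, any protocol'      # protocol transition enabled
    } else {
        'Constrained, Kerberos only'
    }
    [pscustomobject]@{
        Name      = $Account.Name
        Mode      = $mode
        Targets   = $spns -join '; '
        Sensitive = [bool]($uac -band $UF_NOT_DELEGATED)
    }
}

# Constructed sample rows. In a domain, feed real objects instead, e.g.
#   Get-ADComputer -Filter * -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
#   Get-ADUser     -Filter * -Properties userAccountControl
$sample = @(
    [pscustomobject]@{ Name = 'HV01'; userAccountControl = 0x1001000
        'msDS-AllowedToDelegateTo' = 'cifs/HV02.contoso.example',
            'Microsoft Virtual System Migration Service/HV02.contoso.example' }
    [pscustomobject]@{ Name = 'HV02'; userAccountControl = 0x1000
        'msDS-AllowedToDelegateTo' = 'cifs/HV01.contoso.example',
            'Microsoft Virtual System Migration Service/HV01.contoso.example' }
    [pscustomobject]@{ Name = 'admin-jane'; userAccountControl = 0x200
        'msDS-AllowedToDelegateTo' = $null }
    [pscustomobject]@{ Name = 'admin-raj'; userAccountControl = 0x100200
        'msDS-AllowedToDelegateTo' = $null }
)

$report = $sample | ForEach-Object { Get-DelegationMode $_ }

# Hosts that may delegate, and to which services
$report | Where-Object Mode -ne 'None' | Format-Table Name, Mode, Targets -Wrap

# Accounts that a delegating service could still act as
$report | Where-Object { $_.Mode -eq 'None' -and -not $_.Sensitive } |
    Format-Table Name, Sensitive
```

With the sample rows, HV01 reports “Constrained, any protocol”, HV02 reports “Constrained, Kerberos only”, and admin-jane is the only account listed as not marked sensitive.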

Documentation

We’re working on modifying our documentation to reflect this change.

John Slack
Hyper-V Team PM

Introducing VMConnect dynamic resize

Starting in the latest Insider’s build, you can resize the display for a session in Virtual Machine Connection just by dragging the corner of the window.

dynamic_resize

When you connect to a VM, you’ll still see the normal options which determine the size of the window and the resolution to pass to the virtual machine:

vmconnectclassic

Once you log in, you can see that the guest OS is using the specified resolution, in this case 1366 x 768.

vmconnect4

Now, if we resize the window, the resolution in the guest OS is automatically adjusted. Neat!

dynamic_resize

Additionally, the system DPI settings are passed to the VM. If I change my scaling factor on the host, the VM display will scale as well.

There are 2 requirements for dynamic resizing to work:

  • You must be running in Enhanced session mode
  • You must be fully logged in to the guest OS (it won’t work on the lockscreen)

 

This remains a work in progress, so we would love to hear your thoughts.

-Andy

Introducing the Host Compute Service (HCS)

Summary

This post introduces a low level container management API in Hyper-V called the Host Compute Service (HCS).  It tells the story behind its creation, and links to a few open source projects that make it easier to use.

Motivation and Creation

Building a great management API for Docker was important for Windows Server Containers.  There’s a ton of really cool low-level technical work that went into enabling containers on Windows, and we needed to make sure they were easy to use.  This seems very simple, but figuring out the right approach was surprisingly tricky.

Our first thought was to extend our existing management technologies (e.g. WMI, PowerShell) to containers.  After investigating, we concluded that they weren’t optimal for Docker, and started looking at other options.

Next, we considered mirroring the way Linux exposes containerization primitives (e.g. control groups, namespaces, etc.).  Under this model, we could have exposed each underlying feature independently, and asked Docker to call into them individually.  However, there were a few questions about that approach that caused us to consider alternatives:

  1. The low level APIs were evolving (and improving) rapidly.  Docker (and others) wanted those improvements, but also needed a stable API to build upon.  Could we stabilize the underlying features fast enough to meet our release goals?
  2. The low level APIs were interesting and useful because they made containers possible.  Would anyone actually want to call them independently?

After a bit of thinking, we decided to go with a third option.  We created a new management service called the Host Compute Service (HCS), which acts as a layer of abstraction above the low level functionality.  The HCS was a stable API Docker could build upon, and it was also easier to use.  Making a Windows Server Container with the HCS is just a single API call.  Making a Hyper-V Container instead just means adding a flag when calling into the API.  Figuring out how those calls translate into actual low-level implementation is something the Hyper-V team has already figured out.

linux-arch windows-arch

Getting Started with the HCS

If you think this is nifty, and would like to play around with the HCS, here’s some information to help you get started.  Instead of calling our C API directly, I recommend using one of the friendly wrappers we’ve built around the HCS.  These wrappers make it easy to call the HCS from higher level languages, and are released open source on GitHub.  They’re also super handy if you want to figure out how to use the C API.  We’ve released two wrappers thus far.  One is written in Go (and used by Docker), and the other is written in C#.

You can find the wrappers here:

If you want to use the HCS (either directly or via a wrapper), or you want to make a Rust/Haskell/InsertYourLanguage wrapper around the HCS, please drop a comment below.  I’d love to chat.

For a deeper look at this topic, I recommend taking a look at John Stark’s DockerCon presentation: https://www.youtube.com/watch?v=85nCF5S8Qok

John Slack
Program Manager
Hyper-V Team

Bulk changing virtual hard disk path

I received this in email today:

“I have XCOPY’d a bunch of VHDX files from one volume to another on WS2016.    What’s the easiest / fastest way to fix up the paths for the VM’s???”

The answer to this is quite simple.  Open PowerShell and run:

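# Old and new locations of the virtual hard disk files
$oldPath = "C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks"
$newPath = "D:"
# Repoint every virtual hard disk whose path starts with $oldPath
Get-VM | Get-VMHardDiskDrive | ? Path -Like "$oldPath*" | %{Set-VMHardDiskDrive -VMHardDiskDrive $_ -Path $_.Path.Replace($oldPath, $newPath)}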

A couple of details on this answer:

  1. PowerShell is wonderful for these kinds of bulk operations
  2. While we do not allow you to edit the virtual hard disk path on a saved virtual machine using Hyper-V manager – we do allow you to do this through PowerShell.  In fact – there are a lot of things that are blocked in Hyper-V manager that are possible through PowerShell.

Cheers,
Ben

PSA – Flickering Laptop Screen with Hyper-V? Update your drivers.

Last year I went out and got an Alienware 13 laptop.  Later I got the Alienware Amplifier and put a NVidia 1070 GPU in it.  I have been really happy with this setup – as it is a powerful portable system.  I have only had one complaint: whenever I enabled Hyper-V on it the laptop screen would flicker randomly.

Now, I know that many people have experienced this over the last year – and it has been something that we on the Hyper-V team have been actively working with hardware vendors on.

Thankfully – last night I checked and saw that Dell had released an updated firmware and graphics driver for my laptop.  I installed it and am now completely flicker free!

Long story short: If you are seeing this problem – check with your laptop provider to ensure that you have the latest firmware and video drivers installed.

Cheers,
Ben