How-tos

VMware, Coreinfo and mapping logical CPU cores to physical processors.

by

Sometimes you may have a requirement due to licensing to ensure a Virtual Machine’s CPU configuration is perfectly set out in terms of “physical sockets”. Or perhaps you want to run an operating system such as Windows Server 2003 SE on your Virtual Machine. By default this VM would be limited to only use 4 cores because of the way VMware tells the operating system that each CPU has only 1 core per socket. (Giving it 4 x vCPUs would be the same as giving a physical Windows Server 2003 SE machine 4 x physical CPUs – the actual CPU limit). Either way, it can be quite useful to verify you have the correct CPU configuration.

Enter Coreinfo. This is a handy command line utility by Mark Russinovich which allows you to dump the information about your current CPU and cache configuration for Windows. Download the utility and execute the following command to gather information about the logical CPU core mapping to physical processor.

coreinfo.exe -c -s

In the case of a single socket, six core CPU (such as the one I have running here) this is the output you will see:

 

The Logical to Physical Processor Map information in the first section marks each CPU core with an asterisk (*). The next section, lists the Logical Processor to Socket mappings, indicating how many “processor sockets” your machine has and at which location each Processor Core is at (again marked with an asterisk).

 

If you had provisioned a VM with 4 x vCPUs by default, this would show up with 4 x Sockets and 4 x Physical Processors like so:


Besides being a limiting factor for Windows Server 2003 SE VMs when trying to use 8 x vCPUs (you can’t have more than 4 x “physical” CPUs), this may also be a potential issue with a socket licensed edition of SQL server for example, as you would now have 4 x sockets to worry about with your licensing.

 

So here is where VMware’s useful extra configuration parameters come in handy. These are basically bits of extra configuration you can add to your VMs, and are stored in your VM’s .vmx configuration file. By simply editing your VM, you can add a configuration option which specifies how many Cores per Socket there are. To do this using vSphere, power off your VM, then edit it’s settings. Go to the Options tab, then General, then Configuration Paramaters.

 

 

In this case I have a VM with 4 x vCPUs, which shows up by default with 4 x processor sockets. I want this to be 4 x cores with 1 x socket. So now I would click “Add Row” and in the first empty column, enter: cpuid.coresPerSocket and use 4 as the value in the second column. See this screenshot for specifics (and adjust the value used depending on your desired configuration):

 

 

Power up your VM, and run coreinfo again, using

coreinfo.exe -c -s

 

You should now see that VMware is assigning 4 CPU cores per “Physical CPU socket”. In other words, your VM now has 1 x “physical” processor socket, and 4 x cores. Meaning your single processor application socket is now valid on this VM. Here is the result of assigning my VM a value of 4 for “cpuid.coresPerSocket” when it uses 4 x vCPUs in vSphere:

 

 

As you can now see, it has changed from the original configuration where it had 4 x Sockets listed under “Logical Processor to Socket Map” with a “Physical Processor” for each “Socket”, to showing the 4 x “Physical Processors” all on “Socket 0”.

 

If you are using VMware Workstation, this configuration is easy to do – just edit your VM settings, and look for the dropdown menu under the CPU configuration – change this to how many Processors you want and how many Cores per Processor you will use. (See the screenshot below for an example of 2 x Sockets with 2 x cores per socket):

 

 

Well, that is a brief overview of how to look at your Processor configuration (whether you are using a physical machine or a Virtual Machine), and how to change your CPU socket / core configurations using VMware vSphere or Workstation. The two uses I can think of as stated above are for licensing issues, or issues where you are being limited by what your guest OS can handle in terms of physical CPUs. Feel free to chime in, in the comments below if you can think of any other uses this may have, or if spot a mistake anywhere!

Installing and registering Balsamiq Mockups for a Terminal Server (Remote Desktop Server) environment

by

 

A bit of a specialised how-to here, but this is the process I did to allow this Adobe Air application to run on a Terminal Server (now known as Remote Desktop Session Host Server) environment for multiple users. The issue with just installing it for all users to start with, is that the licensing information that you register does not apply to all users. This is because license information is stored in each single user’s local profile / Documents (therefore is not applicable to all users). Here is the process I did to install the software and allow all users with access to the software to run it in licensed mode. (As well as a quick section on creating a security group to restrict access to the software based on group membership).

 

1. Install Mockups using terminal services install mode from the command line.

change user /install

MockupsForDesktop.exe -silent -desktopShortcut -programMenu -location "C:\Program files" -allowDownload

– Run the application from the start menu, then exit. Now use the command line to set the server back to execute mode.

change user /execute

2. Navigate to C:\Program Files\Balsamiq Mockups

– Create a new batch file (for example RegisterStartBalsamiqMockups.bat) in this folder and enter the following as content:

"Balsamiq Mockups.exe" register "Your registered company name" yourlonglicensekeynumber

– Save this batch file and close it.

– Now open the Local Profiles Folder for the terminal server, and navigate to \All Users\Start Menu\Programs

– Right click and drag your batch file into your \All Users\Start Menu\Programs folder and select to create a new shortcut.

– Right click your shortcut and change the icon to use the Icon from the Balsamiq Mockups.exe if you wish to make it look better.

– Also change the “Run” parameter to “Minimized” in the shortcut properties window and then OK this.

– Rename the shortcut to something user friendly, then remove the actual Balsamiq Mockups shortcut that the silent installer put in there earlier.

 

Now login with a normal Terminal Server user, and they should have the new shortcut file available in the start menu. Ensure they use this to start the application. It will register the license key each time they start the application, but it at least provides a way to automatically register the application for any user running the software.

Finally, ensure you set up a security group in Active Directory called “Balsamiq Mockups Users” and add only the users that are licensed for the software to this security group as members. Right-click the executable in C:\Program Files\Balsamiq Mockups for the application, go to properties, security, then remove the “Domain Users” or “All Users” groups from this executable (Effectively preventing them from running it). Add the “Balsamiq Mockups Users” security group in the place of the domain users group, and allow Read and Read & Execute permissions.

Now only the members of this security group (licensed for the software) will be able to run the software.

Hope that helps those of you looking to get this done. While this may not be a very general instruction set or how-to, some of the above principles can be used elsewhere – for example the security group method can be used to restrict access to certain applications within your organization for specific users.

 

BES Express Installation on Exchange 2010 SP1 – MaxSessionsPerUser key?

by

So, “where has the MaxSessionsPerUser key setting in the microsoft.exchange.addressbook.service.exe.config file gone”, I hear you asking?

Research in Motion’s current (as of today) documentation for BES Express 5.0.3 tells us that we need to increase the maximum number of connections to the Address Book service in Exchange 2010 by modifying a key value in a file. To quote the document, they say:

By default, Microsoft® Exchange 2010 limits the maximum number of connections from the BlackBerry® Enterprise Server Express Express to the Address Book service to 50. To permit the BlackBerry Enterprise Server Express Express to run, you must increase the number of permitted connections to a large value (for example, 100,000).

1. On the computer that hosts the Microsoft Exchange CAS server, in :\Program Files\Microsoft\Exchange Server\V14\Bin, in a text editor, open themicrosoft.exchange.addressbook.service.exe.config file.
2. Change the value of the MaxSessionsPerUser key to 100000.
3. Save and close the file.
4. Restart the Address Book service.

Now this as I have found, is no longer applicable to Exchange 2010 SP1 (and above of course). Apparently, Microsoft have moved this functionality to the Throttling policies in Exchange 2010 SP1. This means we’ll need to modify (or at least check) the Throttling policy that is applied to our “BesAdmin” user instead to ensure that certain settings are null / blank (i.e. meaning there is no limitation on them).

So if you notice you don’t have the MaxSessionsPerUser key in your file as per RIMs instructions, or you know straight off that you are on SP1, do the following to check using the Microsoft Exchange Management Shell.

1. Check the Throttling Policy called “BESPolicy” that you would have created earlier in the management shell as per the RIM documentation. Run: Get-ThrottlingPolicy BESPolicy

Your output will look like the following if the settings are correct (i.e. null):


2. Ensure that all the “RCA” Values listed are NULL – i.e. blank (refer to the screenshot in this post for a sample of the output I got when running the command). If they are not, then run the following:
3. (Run this if the RCA values are not NULL): Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null

This “BESPolicy” should be the Throttling policy which is applied to your “BesAdmin” user, as per RIMs installation instructions for BES Express and shouldn’t really be applied to any other users or groups in your organization.

Following the above instructions should allow you to continue along with your BES Express installation alongside Exchange 2010 SP1. Hope this helps!

Securing your Microsoft Exchange 2010 Server / services with an SSL Certificate

by

Exchange 2010 has definitely simplified the process of applying SSL certificates to your mail services such as Outlook Web Access/App and Exchange ActiveSync. No more muddling about with IIS is required and you can do everything via the Exchange Management Console (GUI) too. I’ll also list a cmdlet at the end for generating a CSR if you wish to go the Exchange Management Shell way.

Exchange Management Console steps:

 

  • Open the Management Console and from the summary / home tab click on “Manage databases”. Now on the list in the left of the Management Console, select “Server Configuration”, then in the list of Actions on the right look for “New Exchange Certificate” and select this.

 

 

  • A wizard will popup and you can begin setting up your new Certificate Signing Request (CSR). Fill in a Common / Friendly name for the certificate. I used the same name as would be used for the actual certificate itself so that I can easily identify it.

 


 

  • Continue the wizard. I won’t be using a wildcard certificate so I will leave the “Enable Wildcard Certificate” selection unchecked.

 

 

  • The next section allows you to select the services you want to use with your SSL / describe the Exchange configuration for the CSR that we are going to generate. Expand out the sections and you’ll see that some are pre-populated for you. Check over this information and tick any services that you want to use. I want this SSL certificate for Outlook Web App and Exchange ActiveSync for mobile devices, so I checked the options for “Outlook Web App is on the Internet” and “Exchange Active Sync is enabled”. In each of those cases, I entered the A name record for the services (The external name used to connect to the services) – i.e. mail.shogan.co.uk – this is important and it is what your SSL certificate will be securing, so double check that it is correct.

 

 

  • Continue by entering some administrative / contact details for your company, choosing a location to the save the CSR request file, then finishing the wizard off. Now, go to your SSL provider’s site and purchase a new SSL certificate. I am using a basic SSL123 certificate in this case from Thawte.

 

  • Go through the steps of purchasing the certificate, and you’ll get to a point where they ask you for the CSR – paste the exact text of your CSR generated in Exchange’s Management Console into the CSR text box on the website and get your certificate ordered. When it is approved and emailed back to you, save the .cer certificate file on your Exchange server.

 

  • Go back to the management console, select “Server Configuration”, select the certificate under the “Exchange Certificates” tab and in the Actions view on the side, select “Complete Pending Request”. Browse for the completed SSL certificate your certificate issuer sent you and finish by completing this wizard.

 

 

  • You now just need to highlight the certificate under “Exchange Certificates” once again, and under the “Actions” panel, click “Assign Services to Certificate”. In this wizard, select your relevant Exchange server name, then click next. On the next screen, select “Internet Information Services”, then “Next”. Check the summary page looks correct then finish the wizard.

 

Your SSL certificate should now be configured and ready for use. Browse to the URL of your Outlook Web App service via https. You should find that you don’t get a certificate warning, and clicking the security icon in your web browser to view the site certificate should show that it is valid and providing encryption.

 

Generate a CSR using the Exchange Management Shell.

 

You can also generate a CSR using the cmdlet below. Just substitute the relevant values with your own. Be sure you aren’t putting any incorrect values in when using this though as you don’t have a nice GUI to explain things to you as you do with the Exchange Management Shell.

 

Set-Content -path “C:\mail_shogan_co_uk” -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName “c=gb, s=London, l=London, o=Shogan.tech, ou=IT, cn=mail.shogan.co.uk”  -PrivateKeyExportable $True)

 

The above cmdlet will save the CSR file to C:\mail_shogan_co_uk. You would then copy and paste the text of that file into your SSL certificate provider’s site as part of your SSL purchase process. The cmdlet uses some values that will need to be unique to your organisation – here are the value explanations of parts of the above cmdlet:

 

c = country code
s = city
l = province/state
o = organisation name
ou = organisational unit
cn = common name the SSL certificate is to be provided for

The cmdlet won’t give you any output if it works correctly, but you’ll be able to see the CSR in the Exchange Management Console if you refresh it at this stage.

That is basically it – the steps above should help you secure some Exchange services such as OWA or ActiveSync with an SSL certificate from a trusted authority.

 

How to set up a VMware vSphere Lab in Virtual Machines, with DRS and HA

by

 

I recently wrote a (reasonably!) lengthy article on how to set up your own VMware vSphere lab or test environment consisting entirely of Virtual Machines, running off of one piece of host hardware. This is really handy as a lot of people new to Virtualization often think they need to purchase full on server equipment to create a white box, or find second hand servers off of eBay. Even more often, they make the mistake of overlooking the CPU feature set required to run vSphere – Hardware Virtualization, buying 64bit capable servers (good), but lacking the Intel VT or AMD-V feature-set required for vSphere (bad!)

 

This is when running everything virtualized comes in really handy. As well as keeping your hardware and lab requirements/size down, you have everything you need all in one installation of VMware Workstation. You’ll also be able to test out some really cool features that vSphere / vCenter Server has to offer – such as HA (High Availability) and DRS (Distributed Resource Scheduling). In the article I also make reference to a few best practises to have when configuring the real deal for production use. I hope this comprehensive guide is useful for those of you looking to set something like this up!

 

VMware lab consisting - nested VMs running in Virtualized ESXi hypervisors.

 

Read the article here on Simple-Talk.com to get started and see how its all done!