Domain controller with HyperV - performance

Just a question: is it a good idea to host machines with Hyper-V on a DC?
This is my idea.
if the answer is no, can you explain why?
Thanks
Have a nice day

First of all, your question doesn't seem to be related to programming in any way and should hence be considered off topic for SO. Server Fault would probably be a more suitable place for it (the question is somewhat old by now as well, and you might already have found the info you need, but I've flagged it for the moderators to perhaps consider a move from SO to SF or have it closed altogether).
Secondly, as for your question:
Generally no, it's not a good idea but there could be ifs and buts to everything I guess.
For a smaller company with perhaps only the one existing server (and no budget to add machines or get professional help to make any bigger changes to their current setup), which also happens to be their DC, I guess it all comes down to what kind of workload the DC is under to begin with and just what will be hosted in Hyper-V. I'd personally still recommend against it though.

It's not a good idea as it's not a supported scenario from MS. I don't even know if Server Manager lets you install both.
You can host a VM with AD, but depending on your setup (cluster/Hyper-V in domain or not, ...) you really should add a physical AD server (even a very small one) for Hyper-V to authenticate its services against when your AD VM has not started. It can save you a lot of time...

Related

Which companies will be happy to host a windows executable CGI program on shared hosting?

The rise of the virtual server has been very useful in many ways, but for me it was a pain, as I had a windows executable file that ran as a CGI program.
5-10 years ago this wasn't even an issue, but they are a lot more rare now, and most hosts refuse to take them on shared hosting, instead insisting that you use a virtual private server, which is an order of magnitude more expensive.
I find it a bit of a shame that anything even a little out of the ordinary is now shunted off to VPS, and I also find it strange that Windows .exe files are seen as more of a danger than PHP, Perl, Python etc. If anything, I would say that it is more difficult to exploit an executable, but there you go.
Anyway, the question which I'm self answering is: Which companies will be happy to host a windows executable CGI program on shared hosting?
Firstly, you need a company that has control over their own servers, rather than a reseller, as I don't think any of the "Control Panel" type software programs (such as Plesk) will allow you to do this.
Secondly, you need someone who is flexible enough to do something out of the ordinary.
I used http://ukwindowshostasp.net, they took some persuasion, but in the end were content to host the site on their most expensive shared plan.
I also talked to https://www.freethought-internet.co.uk/, who were super friendly and helpful, and were prepared to set up the CGI program, but weren't prepared to guarantee support for it. This means that it could have stopped working at any time, so I didn't go for it in the end.
The other source of hosts were design companies that host their clients' websites having designed them. These companies are more used to flexible bespoke hosting. I spoke to http://www.rocktime.co.uk/ and http://www.alberon.co.uk/, who were both very friendly and helpful and would have hosted the site. The only reason I didn't go with either of them in the end was because I was in a massive rush and a company with 24 hour support got back to me sooner.
One word of warning is that you need to make absolutely sure that your host understands what you mean by a windows executable CGI program. I initially signed up with http://www.ecowebhosting.co.uk/, who were happy to take the site, but then after much nagging on my part realised they couldn't and left me in the lurch 2 days before go live.
I hope this helps someone, it took me ages to find a host.
Having used http://ukwindowshostasp.net, I can now say with certainty that you should not use them.
They told me a lot of good things about backups, but it must have all been lies, as they lost my entire website and databases.
I always thought that Hosts were super reliable backup wise, with ISO accreditation and all that, but next time I will be more careful and take more frequent backups myself.

virtual network interface for windows

I'm developing a sort of VPN application and need a virtual network interface (aka TUN/TAP). Is there any such driver available for Windows?
The only one I know of is OpenVPN, but it is GPLed and thus AFAIK can't be used in closed-source app.
If there's no ready solution, I'd appreciate some estimation of how complicated it is to code such a beast myself (and possibly some direction on where to start).
I found this similar question, but it dates back to 2008.
Found this one: wodVPN - claims to come with a virtual network adapter.
Try AnyTun.
http://www.anytun.org/
It looks like a solid tunnel driver available both on Linux and Windows, and claims to be freely redistributable.
If you do not find it to work, or something like it, I would agree with your first commenter - get a quick session with a lawyer to review the legal contract for the one you found... or even better, just call their sales department - they may say yes without legal worries.
Building the beast, as you say, is likely to be a pain. I've not done it, so I can't give a solid estimate, but it seems wise to avoid.

Travelling Visual Studio developers

I am about to travel to Europe (I'm Australian but imagine this is a similar circumstance for US users and simply flipped for European users).
However, there is the slim possibility I will need to do some Visual Studio work while I'm travelling.
As I see it I have three options:
1) Leave a desktop PC on at home, access remotely via net cafes.
2) Carry a laptop with me on the trip, upload files as required using public wifi.
3) Option 2 but instead buy cheap light netbook that is miraculously capable of running VS.
Does anyone have any experience or advice to shed on any of these options?
For reference, this existing post suggests that VS remotely for short distances is okay, but over longer distances could be more problematic. I've used VS via RDP to a US server before and it was pretty laggy but for small changes I could get by.
Concerns I have that you may have some experience with:
Weight of luggage (ideally like to travel light)
Security of laptop (imagine it'll be too heavy to carry around all the time so have to leave it at hotel/hostel etc. and hope for the best)
Security of data (don't want someone stealing RDP access to my home PC)
Security of FTP (don't want someone stealing FTP passwords over wireless)
I'd go with option #2 (carry a laptop that can run VS).
This way you can use the "more convenient" method if it works well (use it as a RDP client if the connection is low-latency enough), but you can still work locally if the connection you find is not reliable.
I think the bottom line is, always have a backup method when depending on networks that are far away and beyond your control.
Edit: Regarding the additional security concerns, most of those are things you should deal with anyway, traveling or not. If the stuff you're working with is that sensitive, you should probably improve the security of your remote work environment with a VPN and more secure file transfer method. Before you take your laptop anywhere, know what your plan is if you were to lose it.
It's a vacation. How do you expect to rest up properly if you're always worrying about work. Leave the phone at home too.
I used to leave a home PC on with VS and use services like GoToMyPc or LogMeIn or some similar service.
Since I have started using a laptop, I just carry the thing with me with VPN connectivity on business trips along with a 3G data card.
But seriously, if on vacation, I do not want to take my laptop with me.
security
First and foremost, encrypt the contents of the HDD - be safe.
If I am on a business trip, the laptop is with me so I am not as concerned with where it is. If I am on vacation, I do not know that I want to take one with me.
If it is important then I would keep my laptop/PC at work ON and there will be someone that has access to turn it on/reboot it. So I would carry a light laptop that lets me connect and work if I need it. If that goes down, I can always head into a cybercafe.
database
If you are anticipating working, bring your dev database with you. I know it hogs space and memory (while in use), but pulling data over the wire has taken long enough to make me lose concentration.
standalone
Make the laptop standalone so that it can work without a connection to VPN or internet - coverage is not the best / uniform in all areas.
Use TrueCrypt for encrypting your harddisk. Use VPN, SSH or something similar for remote connections. I always bring my laptop, but in case I would lose it, it's just a brick for the finder, and I have a good backup system that makes me able to get up and running on another computer quickly.
I tried installing VS2010 on my NetBook and it was a no-go. I was, however, able to install Expression Blend/Web which is good for most tasks.
Edit: To make this more useful... my netbook is HP Mini 1100 Series w/1GB RAM running Windows 7 "Starter"
Beware: I don't know where you are going in Europe, but do not count on a reliable internet connection in a hotel. It generally works, but when it does not, don't count on the personnel to repair it. Of course, if you also carry your own connection (G3 or EDGE on your mobile phone), then this will not be a problem.
I suggest using the option 2 when working on your source code.
I also recommend using Git so you can work with source control while being disconnected from the office source control. When you get access, you can sync your whole repository with your office repository.
Of course, it all depends on which source control provider you are using.
For the occasional stuff that is not on Git, use a VPN for enhanced security.
My experience:
1) Purchased a small netbook (Samsung netbook with 2 GB or so of RAM, I can look up the exact model number if anyone's interested, but I think it's comparable to, or just above, the NC10 (just comment if interested)).
2) Internet is bad in Europe (at least the options available to travellers). Something to note.
3) The netbook performance was absolutely fine. You don't want to be doing too much dev because of the small screen (though it was only really an issue for me because I got sick of the trackpad and didn't have a separate mouse) but it's honestly pretty fast and easy to use for .NET MVC development in Visual Studio.

How do I make Remote Assistance as painless as possible?

I need to provide remote assistance to the users of my app, through the Internet. I need a reference for doing this, and I need to make the whole connecting to remote desktop process as easy as clicking a menu of my app for my users.
I don't want them to get too involved with the procedure. I believe the built-in remote assistance features of Windows XP and Vista are fine, I just need to make it very simple.
Anyone any ideas?
P.S. A comprehensive reference on the whole Windows Remote Assistance would also be appreciated.
I highly recommend Mikogo. It's free, fast to install and set up, works great, and is very simple. I actually prefer it to the more expensive services ($30-$40/month) because of its simplicity. Only thing is, I'm not sure how they make money; they have some advertising when you visit the home page, but it's very minimal.
There are many commercial tools that do make this operation effortless. I won't mention any names because this isn't an advertising forum. A quick search should turn up a handful of possibilities; I've used many of the more popular ones and found them satisfactory.
Our support desk typically uses WebEx which works really well.
There are a large number of tools which will do this. Your best bet is to pick a tool which has a reverse connection from the person who needs help back to the helper. This will make sure that you do not have users try to configure firewalls/open ports etc. WebEx is a good recommendation by Old Nick. Another option is GotoAssist; there is also Gotomeeting, which can have the same remote control functionality and is cheaper, I believe. The main thing is making sure it is as easy as it can be for your users; trying to walk a user through installing an ActiveX control can be hard enough.
I'd suggest trying LogMeIn. It's nice because once you have the user set up the client software, you can arrange with them a time to leave their PC unattended so that you can remote in and take a look (with the option to disable local keyboard/mouse and monitor access). You can also connect such that the local peripherals are enabled and watch "over their shoulder" as they replicate a problem.
There is of course also Copilot by Fog Creek. Have never used it myself, but it looks pretty easy to use, also for non-technical people.
I use CrossLoop for that kind of thing

How to comply with the new Federal Desktop Core Configuration (FDCC), which will remove local administrator access for all users? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
As developers, we believe that not having local administrative access is going to severely handicap our productivity. We will be restricted from running IIS (we’re a web development shop), installing applications, running Microsoft power tools, etc. If you’re going through the FDCC process now, it would be great to hear how you are coping with these changes.
Having actively worked as a contract developer at a base that uses the AF Standard Desktop, I can tell you a few things.
1: and most important. Don't fight it and don't do what the first person suggested "and let them choke on it". That is absolutely the wrong attitude. The military/government is fighting lack of funding, overstretched resources and a blossoming technology footprint that they don't understand. The steps they are taking may not be perfect, but they are under attack and we need to be helping, not hindering.
OK, that off my chest.
2: You need to look at creating (and I know this is hard with funding the way it is) a local development lab. Every base that I have worked at has an isolated network segment that you can get on that has external access, that is isolated from the main gov network. You basically have your work PC for e-mail, reports etc. that is on the protected network. But you develop in your small lab. I've had a lab be 2 PCs tucked under my desk that were going to be returned during a tech refresh. In other words, be creative with making yourself a development machine + servers that are NOT restricted. Those machines are just not allowed to be connected to the main LAN segment.
3: Get the distributions of the desktop configurations. Part of your testing needs to be deploying/running on these configurations. Again, these configurations are not meant for development boxes. They are meant to be the machines the people use for day to day gov work.
4: If you are working on web solutions, be very aware of the restrictions on adding trusted sites, ActiveX components, certs, certain types of script execution that the configuration won't allow. Especially if you are trying to embed widgets/portlets/utils that require communications outside the deployed application domain.
5: Above all remember that very few of the people you work for understand the technology they are asking you to implement. They know they want function X but they want you to follow draconian security rule Y while achieving it. What that usually means is that the "grab some open source lib or plugin and go" is not an option. But, that is exactly what your managers think you are going to do because of the buzz around rapid development.
In summary, it's a mess out there. Try to help solve the problem.
While I've never been through the FDCC process, I once worked for a U.S. defense contractor whose policy was that no one had local administrative access to their machines. In addition, flash drives and CD-ROMs were disabled (if you wanted to listen to music on CDs, you had to have a personal CD player with headphones).
If you needed software installed you had to put in a work order. Someone would show up at your desk with the install media, login to a local admin account, and let you install the software (the reasoning being that you knew what to install better than they did). Surprisingly, the turnaround was pretty quick, usually around 1/2 an hour.
While an inconvenience, this policy didn't really cripple us. We were doing a combination of Java, C++ (MS Visual C++ and GNU/C++), VB 6.0 and some web development. For what little web development we did, we had a remote dev box we would RDP into for testing. Again, a bit of an inconvenience, but it didn't stop us from getting our jobs done.
Without ever having had the problem, today I'd probably try a virtualising solution to run these tools.
Or, as a friend of mine once opined: "Follow the process until They choke on it." In this case this'd probably mean calling the helpdesk each time you needed to have a modification to your local IIS config or you'd needed one of the powertools started.
From what I can tell FDCC is only intended to be a recommended security baseline. I'd give some push back on the privileges that you require and see what they can come up with to accommodate your request. Instead of saying I need to be a local administrator, I'd list the things that you need to be able to do and let them come up with a solution that works (which will likely to be to let you administer your machine or a VM). You need to be able to run the debugger in Visual Studio, run a local web server (Cassini), install patches/updates to your dev tools on your schedule, ...
I recently moved to a "semi-managed" environment with SCCM that gets patches installed on a regular basis from a local update repository. I was doing this myself, but this is marginally more efficient for the enterprise and it makes the security office happy. I did get them to put me, and the other developers, in a special collection so that we could block breaking changes if needed (how could IE7 be a security update?). Not much broke except that now I need to update Windows Defender manually since I updated it more frequently than they do in the managed collection! It wasn't as extreme as your case, obviously, but I think that is, in part, due to the fact that I was able to present the case for things that I needed to do for my job that required more local control.
From the NIST FAQ on Securing WinXP.
Should I make changes to the baseline settings?
Given the wide variation in operational and technical considerations for operating any major enterprise, it is appropriate that some local changes will need to be made to the baseline and the associated settings (with hundreds of settings, a myriad of applications, and the variety of business functions supported by Windows XP Systems, this should be expected). Of course, use caution and good judgment in making changes to the security settings. Always test the settings on a carefully selected test machine first and document the implemented settings.
This is quite common within financial institutions. I personally treat this as a game to see how much software I can run on my PC without any admin rights or sending requests to the support group.
So far I have done pretty well; I have only sent one software install request, which was for "Rational Software Architect" ('cos I need the plugins from the "official" release). Apart from that I have perl, php, python, apache all up and running. In addition I have jetty server, maven, winscp, putty, vim and several other tools running quite happily on my desktop.
So it shouldn't really bother you that much, and, even though I am one of the worst offenders when it comes to installing unofficial software, I would recommend "no admin rights" to any shop remotely interested in securing their applications and networks.
One common practice is to give developers an "official" locked down PC on which they can run the official applications and do their eMail admin etc. and a bare bones development workstation to which they have admin rights.
Not having local administrative access to your workstation is a pain in the rear for sure. I had to deal with that while I was working for my university as a web developer in one of the academic departments. Every time I needed something installed such as Visual Studio or Dreamweaver I had to make a request to Computing Services.
