Friday, November 8, 2013

Windows 8 shortcut keys - Quick Reference

Windows 8 shortcut keys


If you use Windows 8, these are the hot-keys worth knowing:
      

 
1. Windows Key + D => Show Desktop
2. Windows Key + C => Open Charms Menu
3. Windows Key + F => Charms Menu – Search
4. Windows Key + H => Charms Menu – Share
5. Windows Key + K => Charms Menu – Devices
6. Windows Key + I => Charms Menu – Settings
7. Windows Key + Q => Search For Installed Apps
8. Windows Key + W => Search Settings
9. Windows Key + E => Launch Windows Explorer Window
10. Windows Key + L => Lock PC and go to lock screen
11. Windows Key + T => Cycle through icons on taskbar (press Enter to launch app)
12. Windows Key + X => Show Advanced Windows Settings Menu
13. Windows Key + M => Minimize all Windows
14. Windows Key + P => Choose secondary display modes
15. Windows Key + U => Open Ease of Access Center
16. Windows Key + Tab => Cycle through open Modern UI Apps
17. Windows Key + Shift + Tab => Cycle through open Modern UI Apps in reverse order
18. Windows Key + . => Snaps app to the right (split screen multitasking)
19. Windows Key + Shift + . => Snaps app to the left (split screen multitasking)
20. Windows Key + , => Temporarily view desktop
21. Alt + F4 => Quit Modern UI Apps
22. Windows Key + Page Up => Moves Start screen and apps to secondary monitor on the left
23. Windows Key + Page Down => Moves Start screen and apps to secondary monitor on the right
24. Windows Key + Shift + M => Restore all minimized Windows
25. Windows Key + R => Open Run dialog box
26. Windows Key + Up Arrow => Maximize current window
27. Windows Key + Down Arrow => Minimize current window
28. Windows Key + Left Arrow => Maximize current window to left side of the screen
29. Windows Key + Right Arrow => Maximize current window to right side of the screen
30. Ctrl + Shift + Escape => Open Task Manager
31. Windows Key + Print Screen => Takes a Print Screen and saves it to your Pictures folder
32. Windows Key + Pause Break => Display System Properties
33. Shift + Delete => Permanently delete files without sending them to the Recycle Bin
34. Windows Key + F1 => Open Windows Help and Support
35. Windows Key + V => Cycle through notifications
36. Windows Key + Shift + V => Cycle through notifications in reverse order
37. Windows Key + 0 to 9 => Launch/show app pinned to taskbar at indicated number
38. Windows Key + Shift + 0 to 9 => Launch new instance of app pinned to taskbar at indicated number
39. Alt + Enter => Display Properties of selected item in File Explorer
40. Alt + Up Arrow => View upper level folder of current folder in File Explorer
41. Alt + Right Arrow => View next folder in File Explorer
42. Alt + Left Arrow => View previous folder in File Explorer
43. Alt + Print Screen => Print Screen focused Window only
44. Windows Key + Spacebar => Switch input language and keyboard layout
45. Windows Key + Shift + Spacebar => Switch to previous input language and keyboard layout
46. Windows Key + Enter => Open Narrator
47. Windows Key + + => Zoom in using Magnifier
48. Windows Key + - => Zoom out using Magnifier
49. Windows Key + Escape => Exit Magnifier

Thursday, October 3, 2013

Program Bug Examples



EXAMPLE 1:

TYPE: Accidental



for (i=0; i<numrows; i++)
  for (j=0; j<numcols; j++);
    pixels++;

Commentary: Caused by a stray ";" on line 2. Accidental bugs are often caused by stray characters, etc. While "minor" in their fix, they can be the devil to find! Note: if used correctly, a "prettyprinter" or auto-indenter would help you spot this one.

EXAMPLE 2:

TYPE: Missing or improper initialization



int minval(int *A, int n) {
  int currmin;

  for (int i=0; i<n; i++)
    if (A[i] < currmin)
      currmin = A[i];
  return currmin;
}

Commentary: Since currmin was never initialized, whatever garbage value it starts with may already be smaller than every element of A, so the loop never updates it and the function returns garbage. Some compilers warn about variables that are used before being initialized. Note that an improper initialization, while rarer, is even harder to spot than a missing one!

EXAMPLE 3:

TYPE: Dyslexic



int minval(int *A, int n) {
  int currmin = MAXINT;

  for (int i=0; i<n; i++)
    if (A[i] > currmin)
      currmin = A[i];
  return currmin;
}

Commentary: Here, the ">" on line 5 should be "<". Even people who are not normally dyslexic are subject to these types of errors.

EXAMPLE 4:

TYPE: Mis-copy bug



switch (i) {
  case 1:
    do_something(1); break;
  case 2:
    do_something(2); break;
  case 3:
    do_something(1); break;
  case 4:
    do_something(4); break;
  default:
    break;
}

Commentary: The cases were generated by copying case 1. Under case 3, the values were not changed as appropriate for the case. Code reuse is good -- but this form of code copying has its dangers!

EXAMPLE 5:

TYPE: Accidental



if (foo = 5)
  foo == 7;

Commentary: Two bugs in one. These are usually caused by accident rather than misunderstanding. The "=" of line 1 should probably be "==" (as written, the condition assigns 5 to foo and is therefore always true), while the "==" of line 2 should almost certainly be "=" (as written, it compares and discards the result, so it has no effect). This is a weakness of C/C++ syntax: neither statement is syntactically wrong. Many compilers will warn you about both of these.

EXAMPLE 6:

TYPE: Abused global



#include <iostream>
using namespace std;

int i = 5;
int j;

int foo(int j) {
  for (i=0; i<j; i++) do_nothing();
  return j;
}

void ineedj(void) {
  cout << "j is " << j << "\n";
}

int main() {
  int j;
  j = foo(i);
  ineedj();
}

Commentary: This illustrates some fun with global/local variables. In function foo, j is local and i is global. Since i is being used as a loop variable, this is almost certainly wrong. Making j local here may or may not be logically correct, but it is certainly stylistically incorrect since the semantic meaning of j is being used in two distinct ways (once as a global, once as a local, which by definition must be inconsistent). In main, j is local. So, when it gets set by the call to foo, the global value is not being set. So, ineedj is out of luck -- the value is still undefined. Moral: If the variable is global, never use that name for anything else.

EXAMPLE 7:

TYPE: Macro bug



// random returns a random (positive) integer.
// Random returns a random integer in the range 0 to n-1.

#define Random(n)  random()%n

val = Random(j-i+1);

Commentary: The result when j=7 and i=6 is (sometimes) -5. Why? You might think there is a bug in the system routine random. But actually, the error is in the macro definition. The expansion becomes:

random()%j-i+1

Since % binds more tightly than + or -, we get random()%7 first. If random() gives a multiple of 7, then random()%7 = 0, and 0-6+1 = -5. Secondary moral: Don't be too quick to blame the compiler or the libraries! In this example, the temptation is to believe that random() (a system function) gives a bad value, or that "%" itself is buggy.
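To make the precedence problem reproducible, here is an added example (not from the original page) that replaces the system random() with a hypothetical stand-in, fake_random(), whose value the caller presets. BadRandom is the page's macro verbatim; GoodRandom is the fully parenthesised form that the macro should have had:

```cpp
#include <cassert>

// Hypothetical stand-in for the system random(): the caller presets the value,
// so the arithmetic below is deterministic instead of "sometimes" wrong.
static long g_fake_random_value = 0;
long fake_random() { return g_fake_random_value; }

// The macro exactly as written on the page, with random() swapped for the stand-in.
// Random(j-i+1) expands to fake_random()%j-i+1, i.e. (fake_random()%j) - i + 1.
#define BadRandom(n)  fake_random()%n

// Corrected macro: the argument and the whole expansion are parenthesised,
// so Random(j-i+1) becomes ((fake_random()) % (j-i+1)).
#define GoodRandom(n) ((fake_random()) % (n))

// Evaluate Random(j-i+1) both ways for a chosen "random" value.
long bad_result(long rnd, int i, int j) {
    g_fake_random_value = rnd;
    return BadRandom(j-i+1);
}

long good_result(long rnd, int i, int j) {
    g_fake_random_value = rnd;
    return GoodRandom(j-i+1);
}

int main() {
    // With i=6, j=7 and a "random" value that is a multiple of 7,
    // the page's macro yields -5 while the parenthesised one yields 0.
    assert(bad_result(14, 6, 7) == -5);
    assert(good_result(14, 6, 7) == 0);
    return 0;
}
```

The same mechanism is why a parenthesised macro argument is the rule rather than the exception: the caller of Random(j-i+1) has no way to know that the expression will be spliced, unparenthesised, into the right operand of %.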

EXAMPLE 8:

TYPE: Model error



char* string1 = "Hello";
char* string2 = "World";

if (string1 == string2)
  do_something();

Commentary: Unless == has been explicitly overloaded, this is the wrong way to compare the value of two strings. What is really being compared here are the values of the two pointers. To compare the values of the strings (which is much more likely to be what is wanted), use strcmp. The error is classified as a "model" error, since the user may well have a wrong model about what == can do.

EXAMPLE 9:

TYPE: Model error



// Return pointer to the node storing "val" if any; NULL otherwise
void find(listnode **curr, int val) {
  while (*curr != NULL)
    if (*curr->val == val) return;
  else
    *curr = *curr->next;
}

Commentary: The *curr-> construct should be (*curr)-> (in two places). The reason is that -> binds more tightly than * in operator precedence, but the user probably did not realize this. Again, this is classified as a "model" error since the user probably believes (implicitly) that the operator precedence goes the other way. Of course, you could avoid the problem entirely in this particular example by using pass-by-reference in C++.

EXAMPLE 10:

TYPE: Parameter mismatch (instance of a model error)



char string1[10] = "Hello";
char string2[10];

strcpy(string1, string2);

Commentary: Oops -- strcpy's first parameter is the destination, and its second parameter is the source, not the other way around! Whether this is a dyslexic error or a model error of course depends on what the programmer believes the proper order to be.

EXAMPLE 11:

TYPE: Missing string terminator



char string[4];

for (i=0; i<4; i++)
  string[i] = getchar();
cout << string;

Commentary: We didn't explicitly terminate the string, so there is no telling where the string will end. cout will keep going until it sees a terminator, regardless of how long it takes.

EXAMPLE 12:

TYPE: Memory error



int i;
char string[5] = "hello";
int j;

Commentary: Oops! "hello" has a sixth character, the terminator. We just corrupted one of the surrounding variables on the stack.
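Examples 8, 10, 11 and 12 are all string-handling mistakes, so here is one added example (not from the original page) that shows the corrected forms side by side: contents compared with strcmp rather than ==, a copy routine whose parameters are in strcpy order (destination first), and a buffer check that counts the terminator. The function names same_text, same_object and bounded_copy are my own:

```cpp
#include <cstring>
#include <cstddef>

// Example 8: compare what the strings say, not where they live.
bool same_text(const char* a, const char* b) {
    return std::strcmp(a, b) == 0;
}

// What "a == b" on two char* actually tests: are they the same object?
bool same_object(const char* a, const char* b) {
    return a == b;
}

// Examples 10, 11, 12: destination first (like strcpy), and the copy only
// proceeds if src *plus its terminator* fits in dst. On failure dst is left
// as an empty string so it is still a valid C string.
bool bounded_copy(char* dst, std::size_t dst_size, const char* src) {
    if (dst == nullptr || dst_size == 0) return false;
    std::size_t needed = std::strlen(src) + 1;   // +1 for the '\0'
    if (needed > dst_size) {
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src, needed);               // copies the terminator too
    return true;
}

int main() {
    char hello1[] = "Hello";
    char hello2[] = "Hello";           // same text, different object
    bool text_equal = same_text(hello1, hello2);      // true
    bool ptr_equal  = same_object(hello1, hello2);    // false

    char five[5];                      // Example 12's buffer: too small for "hello"
    bool fits5 = bounded_copy(five, sizeof five, "hello");   // false
    char six[6];
    bool fits6 = bounded_copy(six, sizeof six, "hello");     // true
    return (text_equal && !ptr_equal && !fits5 && fits6) ? 0 : 1;
}
```

Passing `sizeof buffer` rather than a hand-typed length is what keeps the check honest when the array is later resized; the `+ 1` is the terminator that Example 12's `char string[5] = "hello"` forgot.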

EXAMPLE 13:

TYPE: Memory error



char* ptr;

cin >> ptr;

Commentary: ptr has no storage of its own; it's just a pointer. We are writing to whatever space ptr happens to be pointing at. If you are lucky, the program will crash immediately because you are writing to an illegal memory location. If you are unlucky, the memory location is legal and the program won't crash until much later!

EXAMPLE 14:

TYPE: Off-by-one error



int i;
int array[5];
int j;

for (i=0; i<=5; i++)
  cin >> array[i];

Commentary: We meant to go from 0 to 4, not 0 to 5. Off-by-one errors are common, and occur in many ways. This one happens to be particularly brutal since it results in a memory error (corrupting one of the surrounding variables).
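As an added example (not part of the original page), here is the read loop written so that the array capacity, not a hand-typed constant, bounds the loop, and so that surplus input is left unread instead of overrunning the array. read_values and read_values_from_text are my own names; the input strings are constructed for the demonstration:

```cpp
#include <sstream>
#include <istream>
#include <cstddef>

// Read at most `cap` integers from `in` into `out`; returns how many were stored.
// The bound is `count < cap` (never `<=`), so out[cap] is never touched, and
// extraction failure (end of input or a non-numeric token) stops the loop early.
std::size_t read_values(std::istream& in, int* out, std::size_t cap) {
    std::size_t count = 0;
    for (; count < cap; ++count) {
        if (!(in >> out[count])) break;
    }
    return count;
}

// Deduce the capacity from the array type so the caller cannot get it wrong.
template <std::size_t N>
std::size_t read_values(std::istream& in, int (&out)[N]) {
    return read_values(in, out, N);
}

// Convenience wrapper for input that is already in memory (constructed text).
std::size_t read_values_from_text(const char* text, int* out, std::size_t cap) {
    std::istringstream in(text);
    return read_values(in, out, cap);
}

int main() {
    int array[5] = {0};
    // Seven numbers offered, five slots available: the last two stay unread.
    std::size_t n = read_values_from_text("1 2 3 4 5 6 7", array, 5);   // 5
    int few[5] = {0};
    std::istringstream in("9 8");
    std::size_t m = read_values(in, few);                               // 2
    return (n == 5 && m == 2) ? 0 : 1;
}
```

The template overload is the idiomatic C++ answer to this class of off-by-one: once the capacity is derived from the array's type, there is no second copy of the number 5 to get out of step with the declaration.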

EXAMPLE 15:

TYPE: Special case error



// Delete the node following the one that ptr is pointing at.
void del_link(lnode* ptr) {
  ptr->next = ptr->next->next;
}

Commentary: Here are three errors. First, if ptr happens to be NULL, we can't follow it to its next field. Second, if ptr points to a node, but that node is the last on its list, then we can't go to ptr->next->next. Third, we just dropped the space for the deleted node into the bit-bucket: OK in Java or Lisp, but not in C or C++!
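The corrected del_link, as an added example that is not from the original page, handles all three cases the commentary lists: a NULL ptr, a ptr at the end of the list, and the storage of the removed node. The lnode definition and the make_list/list_length/free_list helpers are mine, added so the block runs on its own:

```cpp
#include <cstddef>

struct lnode {
    int val;
    lnode* next;
};

// Delete the node following `ptr`. Returns true if a node was removed.
bool del_link(lnode* ptr) {
    if (ptr == nullptr) return false;        // error 1: nothing to follow
    lnode* victim = ptr->next;
    if (victim == nullptr) return false;     // error 2: ptr is already the last node
    ptr->next = victim->next;                // unlink it
    delete victim;                           // error 3: return its storage
    return true;
}

// Build the list 1 -> 2 -> ... -> n and return its head (demo helper).
lnode* make_list(int n) {
    lnode* head = nullptr;
    for (int v = n; v >= 1; --v) head = new lnode{v, head};
    return head;
}

int list_length(const lnode* p) {
    int n = 0;
    for (; p != nullptr; p = p->next) ++n;
    return n;
}

void free_list(lnode* p) {
    while (p != nullptr) { lnode* next = p->next; delete p; p = next; }
}

int main() {
    lnode* head = make_list(3);              // 1 -> 2 -> 3
    bool removed_middle = del_link(head);    // true: list is now 1 -> 3
    bool removed_last = del_link(head->next);// false: 3 has no successor
    bool removed_null = del_link(nullptr);   // false: nothing to dereference
    int remaining = list_length(head);       // 2
    free_list(head);
    return (removed_middle && !removed_last && !removed_null && remaining == 2) ? 0 : 1;
}
```

Returning a bool instead of void turns the two "can't" cases into something the caller can check, which is the difference between a reported condition and a crash (or, worse, a silent write through a null pointer).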

EXAMPLE 16:

TYPE: Stack frame problem



char *initialize() {
  char string[80];
  char* ptr = string;
  return ptr;
}

int main() {
  char *myval = initialize();
  do_something_with(myval);
}

Commentary: Since string is a local variable, its space is lost after returning from initialize. This space will be reused by the next function to be called. Eventual disaster!

EXAMPLE 17:

TYPE: Stack frame problem



char* assign() {
  return "hello world!";
}

int main() {
  char *ptr = assign();
}

Commentary: Essentially the same bug as the previous example. The space for the string is local to assign, and gets returned after leaving that function.
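For Examples 16 and 17, here is an added example (not from the original page) of the two usual ways to hand text back to a caller without leaving a pointer into a dead stack frame: the caller supplies the buffer and its size, or the function returns a std::string by value. The function names initialize and initialize_str are mine:

```cpp
#include <cstring>
#include <string>
#include <cstddef>

// The caller owns `out`, so nothing escapes initialize()'s stack frame.
// Returns false (and writes an empty string) if the text will not fit,
// counting the terminator.
bool initialize(char* out, std::size_t cap) {
    const char text[] = "hello world!";      // local array: copy it out, never return it
    if (out == nullptr || cap == 0) return false;
    if (sizeof text > cap) {                 // sizeof includes the '\0'
        out[0] = '\0';
        return false;
    }
    std::memcpy(out, text, sizeof text);
    return true;
}

// The C++ alternative: std::string owns its storage and is copied out by value,
// so the local array can vanish with the frame without harm.
std::string initialize_str() {
    char local[80] = "hello world!";
    return std::string(local);
}

int main() {
    char myval[32];
    bool ok = initialize(myval, sizeof myval);   // true, myval == "hello world!"
    std::string s = initialize_str();            // "hello world!"
    return (ok && s == myval) ? 0 : 1;
}
```

Either way the contents are copied before initialize returns; what changes between the two is only who is responsible for the destination storage.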

EXAMPLE 18:

TYPE: Recursion error



// Insert a value into an ordered linked list
void insert(lnode*& curr, int val) {
  if (curr == NULL)
    curr = new lnode(val, NULL);
  else if (curr->val > val)
    curr = new lnode(val, curr);
  else {
    curr = curr->next;
    insert(curr, val);
  }
}

Commentary: The goal here is to change the value of the pointer passed in when we do the insert to the list. The assignment curr = curr->next is in error because this changes its alias as well (curr is passed by reference). Instead, the recursive call should read insert(curr->next, val);, effectively working on a local variable (curr->next) without then modifying the current recursion variable (curr).

EXAMPLE 19:

TYPE: Static vs. dynamic data



void insert(Record* city, lnode*& list);

int main() {
  Record city;
  lnode *list = NULL;

  while (data_to_read()) {
    Readin_data(&city);
    insert(&city, list);
  }
}

void insert(Record* city, lnode*& list) {
  lnode* ptr = new lnode;
  ptr->next = list;
  list = ptr;
  ptr->data = city;
}

Commentary: Record city is being used for all of the data fields of all lnodes created by insert. Of course, there really is only one copy of city, so all of the lnodes have the same information! insert needs to create a Record (using new) for each lnode.
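Examples 18 and 19 share a fix, so here is one added example (not from the original page) that shows both: an ordered insert that recurses on curr->next, leaving the caller's link alone, and a node that owns its own copy of the Record allocated with new, so reusing a single city variable for every insert (as Example 19's main does) no longer makes every node point at the same data. The Record and lnode layouts and the demo helper names are my own assumptions:

```cpp
#include <string>

struct Record { std::string name; };

struct lnode {
    Record* data;   // each node owns its own Record (Example 19's fix)
    lnode*  next;
};

// Insert a copy of `city` into the list ordered by name.
// `curr` is a reference to the link being examined. Recursing on curr->next
// walks the list without reassigning the caller's link (Example 18's fix).
void insert(lnode*& curr, const Record& city) {
    if (curr == nullptr || curr->data->name > city.name)
        curr = new lnode{new Record(city), curr};   // splice in ahead of curr
    else
        insert(curr->next, city);
}

// Names in list order, comma separated, for checking.
std::string names_in_order(const lnode* p) {
    std::string out;
    for (; p != nullptr; p = p->next) {
        if (!out.empty()) out += ",";
        out += p->data->name;
    }
    return out;
}

void free_list(lnode* p) {
    while (p != nullptr) {
        lnode* next = p->next;
        delete p->data;   // the Record this node owns
        delete p;
        p = next;
    }
}

// Mimics Example 19's main: one Record variable is overwritten for every read.
// Because insert copies it, each node still keeps distinct data.
std::string demo() {
    lnode* list = nullptr;
    Record city;
    const char* input[] = {"Oslo", "Berlin", "Paris", "Athens"};   // constructed input
    for (const char* c : input) {
        city.name = c;
        insert(list, city);
    }
    std::string result = names_in_order(list);   // "Athens,Berlin,Oslo,Paris"
    free_list(list);
    return result;
}

int main() {
    return demo() == "Athens,Berlin,Oslo,Paris" ? 0 : 1;
}
```

Had insert stored the address of city instead of copying it, names_in_order would report "Athens" four times, which is exactly the symptom Example 19 describes.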

Tuesday, September 3, 2013

Microsoft SCVMM Multi Server Management for Hyper-V

(Part 1)

This article explains the Hyper-V Manager console’s limitations with regard to managing multiple Hyper-V hosts, and then goes on to examine other options for managing large numbers of virtual machines.


Introduction

One of the challenges of working with Hyper-V is the fact that most Hyper-V deployments consist of multiple host servers. Unfortunately, the Hyper-V Manager is really only designed to manage a single host server. That being the case, I decided to take the opportunity to talk about some techniques that you can use to manage multiple Hyper-V host servers.

Before I Begin

Before I get started, I need to point out that the techniques that I am writing about are based on Hyper-V 3.0 and System Center Virtual Machine Manager 2012 SP1. In some cases these techniques will work with older versions of Hyper-V or Virtual Machine Manager, and in other cases they will not.

The Hyper-V Manager

Even though the Hyper-V Manager is more than a little bit lacking in terms of its multi-server management capabilities, that isn’t to say that you can’t use the Hyper-V Manager for multi-server management.

When you open the Hyper-V Manager, the console tree’s left pane lists the name of your Hyper-V server. When you select this server, the top center pane displays a list of the virtual machines residing on that host server, as shown in Figure A.
Figure A: The left pane lists the name of the Hyper-V server.

As you look at the figure above, it might seem as though the console’s left pane contains an awful lot of empty space. The reason for this is that you can add additional Hyper-V host servers to the console. All you have to do is to right click on the Hyper-V Manager container, and then choose the Connect to Server command from the shortcut menu, as shown in Figure B. When prompted, just enter the name of the server that you want to add to the console.
Figure B: To manage another server, right click on the Hyper-V Manager container and choose the Connect to Server command from the shortcut menu.

You can easily populate the Hyper-V Manager console with all of your Hyper-V servers, as shown in Figure C.
Figure C: The Hyper-V Manager can display and manage multiple Hyper-V servers.

Unfortunately, this is where the Hyper-V Manager's multi-server management capabilities end. You cannot, for example, select multiple Hyper-V hosts to receive an aggregate view of your virtual datacenter. For that, you will need System Center Virtual Machine Manager.

System Center Virtual Machine Manager 2012

Microsoft considers the Hyper-V Manager to be a lightweight management console that is intended for use primarily in smaller organizations. For larger organizations with several or more Hyper-V servers, Microsoft recommends using System Center Virtual Machine Manager. System Center Virtual Machine Manager 2012 has capabilities that go way beyond simple, multi-server management. In fact, entire books have been written about System Center Virtual Machine Manager. In spite of System Center Virtual Machine Manager’s complexity, Hyper-V administrators should find it relatively easy to begin using the tool for basic host server and virtual machine management.

Virtual Machine Manager 2012: Architecture

Unlike the Hyper-V Manager, System Center Virtual Machine Manager is able to display an aggregate view of virtual machines spanning multiple hosts. As you can see in Figure D, selecting the All Hosts container causes the console to display all of the virtual machines regardless of which host server they reside on.
Figure D: System Center Virtual Machine Manager can display an aggregate view of your virtual machines.

As you look at the figure above, you can see that not only does System Center Virtual Machine Manager display virtual machines from multiple host servers, it offers all of the same management functionality that you would get through the Hyper-V Manager. For example, you can use the ribbon at the top of the screen to create new virtual machines.

Another thing that you probably noticed about the previous figure is that the list of virtual machines can grow to be quite long. I’ve only got a couple dozen virtual machines, but a large organization could easily have hundreds or even thousands of virtual machines. Once you start dealing with large scale Hyper-V deployments with hundreds or thousands of virtual machines, the idea of being able to display all of those virtual machines on the screen at the same time suddenly seems a lot less appealing. The virtual machine list can quickly become overwhelming.

Thankfully, Microsoft gives you a few different ways to filter the list of virtual machines so that you can view the specific virtual machines that you are interested in. One option is to simply click on a column heading to sort the list by the selected column. For example, you might sort the list by host server name or by average CPU usage. Another option is to create a custom view of the virtualization hosts. You might have noticed in my previous screen captures that the names of my virtualization hosts reflect the host’s purposes. I have three lab hosts and two production hosts. With that in mind, you can see how it might be useful to create a view that shows only lab hosts (and the virtual machines on them) or only production hosts.

If you want to create this type of view, you can do so by creating a host group. A host group is really nothing more than a logical collection of host servers. To create a host group, right click on the All Hosts container and select the Create Host Group command from the shortcut menu. When you do, System Center Virtual Machine Manager will create a host group called New Host Group. You can easily rename this host group to a name that reflects its purpose.

Once the new host group is in place, you can begin dragging host computers into the host group. When you click on a host group you will see the virtual machines residing on the hosts within the host group. For example, if you look at Figure E, you can see that I have created a host group called Lab Machines and then placed my lab hosts within that host group. When I select the Lab Machines host group, the console displays only the virtual machines that reside on lab servers.
Figure E: Host groups allow you to organize Hyper-V hosts by purpose.

Host groups are a handy way of organizing host servers, but they may not offer the granularity that you need. If you want to temporarily display a list of virtual machines that match a specific criterion, click on the search box. When you do, the console will display a number of different search criteria. Click on the criterion that you want to filter by and then click on the search box again. This time the console will display a range of values for that criterion, as shown in Figure F. Click on the most appropriate value, and the console will display a filtered list of virtual machines.
Figure F: You can use the search box to filter the list of virtual machines.

Conclusion

In this article, I have shown you a few different tricks for managing multiple Hyper-V hosts. In Part 2, I will show you how you can manage multiple host servers using PowerShell. 



(Part 2)

This article continues the discussion of multi-server management for Hyper-V by talking about server groups within the Server Manager and by delving into PowerShell.


Introduction

So far in this series, I have shown you a variety of techniques for collectively managing virtual machines. In addition to the techniques that I have already shown you, Windows Server 2012 and Hyper-V provide some wonderful PowerShell based multi-server management capabilities. Before I get to that though, I want to show you one more technique for collectively managing Hyper-V host servers.

Server Grouping

As you are no doubt aware, Windows Server 2012 contains a new version of Server Manager. Although not completely intuitive, one of the really great features found in this new version is the ability to collectively manage Windows servers.

The server grouping feature is not actually a Hyper-V feature, but rather a Windows Server 2012 feature. That being the case, you cannot use it to perform virtual machine management in the sense of modifying the virtual machine resources or live migrating a virtual machine to an alternate host. However, this feature is useful nonetheless.

Server grouping allows you to create groups of similar servers – physical or virtual. This grouping means that you can collectively manage servers that are performing similar tasks. For instance, you might consider creating a group for all of your Hyper-V hosts. Likewise, you could create a group for virtual machines that need to be collectively managed. For instance, you might create a group for your virtualized domain controllers.

The process of creating a server group is actually really simple. To do so, open the Server Manager and then choose the Create Server Group command. When the Create Server Group dialog box appears, enter a name for the new group, as shown in Figure A.

Figure A: Enter a name for the new server group.

The next step is to add servers to the server group that you are creating. You will notice in the figure that right now the Server Pool tab is selected. This means that the dialog box will list all of the servers that currently exist within the server pool. To add a server to the new server group, simply select the server and then click the arrow icon.

In most cases the group that you are creating probably will act as a sub set of the servers that are in the server pool. However, you can add servers that do not currently exist within the pool. As you can see in the figure above, the dialog box contains three other tabs – Active Directory, DNS, and Import. You can use these tabs to add computers that are Active Directory members, add servers by fully qualified domain name or IP address, or to import a file containing a list of servers. When you have made your selections, click OK.

If you look at Figure B, you can see that I have created two server groups – Lab Servers and Production Servers. The groups are listed in the column to the left, with the Production Servers group currently selected.

Figure B: You can create a series of server groups.

In case you are wondering, the Production Servers group that is shown in this figure contains Hyper-V hosts that are running production workloads. I could have just as easily created a group for production virtual machines. The only real requirement for doing so is that Server Manager needs to be able to see those virtual machines, which basically means that you won’t be able to add virtual machines that reside on an isolated virtual network segment that is inaccessible to the host operating system or to the physical network.

Creating a server group does more than just group similar servers together. You can collectively manage the servers within the group. For example, if you take a look at Figure C, you can see that I have selected both of the servers in the Production Servers group. If you look at the Services pane near the bottom of the screen, you will notice that it contains listings from both of the selected servers.

Figure C: The console can display aggregate information from multiple servers.

PowerShell Management

If you need true Hyper-V level management for multiple virtual machines or for multiple Hyper-V hosts, then your best option is often to use PowerShell. Windows Server 2012 is specifically designed to allow multi server Hyper-V management through PowerShell. In fact, you can use PowerShell to accomplish many of the same management tasks that you could perform if you had System Center 2012 Virtual Machine Manager (which I discussed in the previous article).

There are a few different ways in which PowerShell lets you run commands against multiple targets. One method that you can use is to establish a session with a remote Hyper-V host. This isn’t technically a multi-server management technique, because your actions are performed against a single host, but it does allow you to execute a command on a remote Hyper-V server.

To show you how this technique works, let’s assume that you wanted to run the Get-VM command against a remote server named Lab1. In case you aren’t familiar with the Get-VM command, it is one of the simplest PowerShell commands for Hyper-V. This command returns a list of the virtual machines that exist on the host server. The commands that you would use to run the Get-VM cmdlet on a host named Lab1 are:

Enter-PSSession Lab1
Get-VM
Exit-PSSession


The first line in this block of code establishes a session with the remote server. When this happens, you will actually see the PowerShell prompt change to reflect the fact that you are now connected to a remote server instead of the local server.

The second command is the Get-VM command. Keep in mind that I am only using Get-VM as an example. You could actually use any PowerShell cmdlet here.

The last line of the block of code shown above is Exit-PSSession. This command terminates your session with the remote Hyper-V host. The most important thing to know about this command is that until you enter the Exit-PSSession command you will remain connected to the remote host. In the sample code block listed above, we established a connection to a remote host, executed a single PowerShell cmdlet, and then terminated the session. While this is perfectly valid behavior, you aren't limited to executing only a single PowerShell cmdlet within the remote session. You are free to execute as many cmdlets as you want (or even to run PowerShell scripts) until the session is terminated.

As I mentioned earlier, this is only one example of a way that you can use PowerShell for multi-server management. There are several other techniques that you can use. One technique isn’t necessarily better than another. It’s just that depending on what you are trying to accomplish, one technique might be better suited to a particular task than another technique would be.

Conclusion

In this article, I have demonstrated a couple more techniques for multi-server management in a Hyper-V environment. In Part 3 I plan to conclude the series by showing you some PowerShell commands that will allow you to perform administrative actions in bulk against multiple physical or virtual servers.


If you would like to read the first part in this article series please go to Multi Server Management for Hyper-V (Part 1).

Thanks to the author, Brien M. Posey.

Tuesday, August 6, 2013

Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1

This article provides you with a foundation on which to understand the importance of identity management and begins to introduce you to FIM 2010 R2 SP1.

Even in 2013, many organizations continue to struggle with ongoing identity management needs. If you’re unfamiliar with the term, identity management in the world of IT refers to the “management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.” In layman’s terms, identity management is the overarching process by which organizations answer the following questions:
  • Who? Who is allowed to access particular systems or services in the organization?
  • What? What level of access is allowed to individual systems and services?
  • How? By what methods is a user allowed to access these systems and services?
For many, identity management simply boils down to user account creation and password management. These are important aspects of the service, but they are only one element of identity management. A comprehensive identity management solution should be able to do much more, including:
  • Automatic creation of a user’s Active Directory account based on information gleaned from a database considered an authoritative source. In many cases, this is the human resources or payroll database.
  • Automatic creation of a user’s Exchange or Office 365 mailbox.
  • Automatic creation of a user’s home directory on a file server.
  • Automatic inclusion of a user’s account in any security groups that are appropriate for his job. Again, whether or not access to a particular group is appropriate would be dictated by information in the authoritative source database.
  • Self-service management of a user’s password. A user should be able to reset his password on demand and be provided with a mechanism by which to reset his password in the event that it is forgotten.
Note that everything in the list above implies that IT takes a mostly hands-off stance with regard to ongoing identity management. Since this activity can fully consume people, particularly in organizations that see a lot of turnover, automation and self-service shift the burden of the process away from personnel and turn it into just another IT service. Personally, I see identity management in many organizations as "low hanging fruit" that can save IT a lot of time and help the department focus more on bottom line-driven needs.
Moreover, robust identity management provides organizations with an additional layer of security. For example, IT may not be informed right away that a high level person has been fired, but you can bet that payroll has been notified. A rule could be created to deactivate an account when payroll performs a termination action in their system. This can help the organization ensure that only those that are authorized have access to the system.
Identity management can also become a compliance issue, particularly if it’s done poorly.
There are many, many ways to attack the identity management gorilla, but I’ll be focused in this series on Microsoft Forefront Identity Manager 2010 R2 SP1. With this product, administrators overseeing Microsoft-centric environments can automate and distribute significant identity and rights-related tasks. With FIM, for example, an administrator can automate the provisioning of an Active Directory account and distribute to an administrative assistant the ability to manage the permissions in distribution and security groups in that person’s division.
That’s another way by which IT can return to the users some carefully controlled keys to the kingdom, thus further reducing IT’s need to be involved in every account-related activity in the organization. With a fully realized identity management solution, IT’s involvement moves to one of oversight and exception handling only. IT still retains responsibility for the automated systems, but is able to easily delegate some of the operational tasks.
Before I jump into Forefront, it’s important that you understand some prerequisites that must be in place before you jump into identity management in your organization:
  • You must have a rock solid understanding of the workflow that is involved in creating accounts in your organization, right down to the field level. You can’t automate what you don’t understand.
  • You must understand what triggers various activities in the identity lifecycle. For example, what action initiates the creation of a new credential in a particular system? What actions deactivate a particular access level or credential?
  • You must have a complete systems inventory and an understanding of the authentication mechanisms for each.
  • Your “authoritative systems” must be clean. For example, if you intend to use the Human Resources system as the source repository for employee identity, you must ensure that the data in the system is valid and complete. Are you capturing the name of a new employee’s manager? If not, you’re eliminating FIM’s ability to automatically email new user credentials to a new hire’s supervisor.
Once you understand your organization’s existing landscape, you can start doing some terraforming with Forefront Identity Manager.

Feature set

Forefront Identity Manager 2010 R2 brings to IT a host of features that can ease the identity management burden. I won’t say that getting to a fully realized identity management system is an easy undertaking; it isn’t. However, once an organization commits to it and sees it through, the product’s features show a clear benefit.

Self-service portal

An identity management system isn’t complete unless a user can perform some self-service functions on his own. Again, this helps IT focus on what’s important rather than on the mundane. FIM 2010 R2 brings such a portal, which is based on SharePoint. Included in the portal is the ability to:
  • Manage personal information.
  • Manage group memberships.
  • Manage password, including self-service password reset.
FIM’s self-service password reset capability is quite good. It works by requiring that a user first register with the password reset service. Just like you do with your bank, you’re asked a series of personal questions and your answers are stored in a database. If you happen to forget your password, you can browse to a web site to reset it or, if you’re not able to log in to your machine, you can take advantage of FIM’s ability to integrate with the Windows login screen, as shown below. When you click the Reset Password link, you’re provided just enough of a computing environment to reset your password after which you can log in as normal.
Figure 1: FIM integrates with the Windows login screen
Some help desks spend more than half of their time managing user password issues. What if that particular class of call went away or, at the very least, was reduced to a trickle? That can mean vast savings for the IT department and the ability to redirect staff resources to higher-priority projects.
With FIM, you can grant users as many or as few of the rights that I’ve described above using FIM’s built in capability to granularly manage roles and role assignments.

Codeless user management

For relatively straightforward deployments, FIM 2010 includes the ability to provision and deprovision users without having to write a bunch of code. Of course, this isn’t supported in every scenario, but it is supported for such targets as Active Directory and can make the product a bit easier to deploy.

Ongoing data synchronization

Organizations are not static creations. They change every day. People change, departments change and even whole companies change. With FIM, if you make a change to authoritative data, you can configure the product to automatically reflect that change across all systems. For example, if you change the name of a department, any users in that department can have their Active Directory accounts updated to reflect the change.
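As an added example (not FIM’s own code or anything from Microsoft), the following Python models the join-and-flow logic described in this section together with the two earlier points: a payroll termination deactivating an account, and dirty authoritative data blocking provisioning. The HR export, the directory snapshot, the field names and the abort threshold are all constructed for the example.

```python
import csv
import io

# Constructed HR export standing in for the authoritative system. Delimited text
# is one of the data sources FIM can read; the column names are assumptions.
HR_EXPORT = """employee_id,first_name,last_name,department,manager_id,status
1001,Ann,Smith,Finance,,active
1002,Bob,Jones,Sales,1001,active
1003,Cy,Lee,Finance,1001,terminated
1004,Dee,Kim,Marketing,,active
"""

# Constructed snapshot of the connected directory, keyed by the join attribute
# (employee id). Hypothetical account names.
DIRECTORY = {
    "1001": {"account": "asmith", "department": "Finance", "enabled": True},
    "1002": {"account": "bjones", "department": "Accounts", "enabled": True},
    "1003": {"account": "clee", "department": "Finance", "enabled": True},
    "9999": {"account": "svc-legacy", "department": "IT", "enabled": True},
}

MAX_DISABLE_FRACTION = 0.5  # a bad or empty feed must not disable most of the directory


def plan_sync(hr_csv, directory):
    """Join HR rows to directory entries on employee id and return the actions a
    synchronization run would take. Accounts are disabled, never deleted."""
    actions = []
    seen = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        eid = row["employee_id"]
        seen.add(eid)
        entry = directory.get(eid)
        if row["status"] == "terminated":
            # Payroll termination drives deactivation; IT need not be told first.
            if entry is not None and entry["enabled"]:
                actions.append(("disable", eid))
        elif entry is None:
            if not row["manager_id"]:
                # Dirty authoritative data: nobody to send the new credentials to.
                actions.append(("hold", eid, "missing manager_id"))
            else:
                actions.append(("provision", eid))
        elif entry["department"] != row["department"]:
            # Attribute flow: the authoritative value overwrites the directory value.
            actions.append(("update", eid, "department", row["department"]))
    for eid in sorted(set(directory) - seen):
        # An account with no authoritative record is flagged for review, not touched.
        actions.append(("review", eid, "no HR record"))
    disables = sum(1 for a in actions if a[0] == "disable")
    if directory and disables / len(directory) > MAX_DISABLE_FRACTION:
        raise RuntimeError("feed would disable %d of %d accounts; aborting" % (disables, len(directory)))
    return actions
```

The threshold check is the caveat worth keeping: a truncated or mis-exported HR feed looks exactly like a mass termination, so the run should refuse rather than disable the company.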

Workflow

While automation is wonderful, sometimes a human has to be involved for approvals. For example, if a user makes an attempt to use the self-service portal to change their nickname, HR can create a policy that forbids that change without HR’s approval.


Summary

This article provided you with a foundation on which to understand the importance of identity management and began to introduce you to FIM 2010 R2 SP1. In the next part of this series, we will continue exploring the product.

+++++++++++++++++++++

(Part 2)

+++++++++++++++++++++


In this part of this series, I will introduce to you Microsoft’s answer to identity management.



Introduction

When we last met, we had just wrapped up a 1,300 word discussion regarding the importance of identity management in the enterprise and outlined some of its benefits. We also discussed some foundational items you need to consider before embarking on an identity management journey in your organization. In this part of this series, I will introduce to you Microsoft’s answer to identity management. Entitled Forefront Identity Manager 2010 R2, Microsoft’s product provides organizations with a comprehensive set of identity management features.

Buying FIM 2010 R2

Before we jump into the product feature set, let’s take a look at how it’s licensed. As is usually the case with Microsoft products, licensing for FIM 2010 R2 is messy and complex.

Servers

First of all, for each server to which you deploy a FIM component, you must buy a server license to run the software.

Database

FIM requires a SQL Server database to operate. Frankly, I’m stunned that Microsoft doesn’t grant a runtime instance of SQL for FIM, but according to the full licensing document, FIM implementers must also buy a SQL Server license.

Users

For each user that you manage through FIM, you need a Windows Server Client Access License (CAL). If you’re a Microsoft shop, you probably already have these licenses.
Additionally, a FIM CAL is required for each user that you manage through FIM. Administrators that manage users through FIM also require a CAL.
If you have external users that you need to include in your FIM environment, you also need an external connector license as well as a CAL for each external user.

Reporting

FIM 2010 R2 leverages the reporting functionality from System Center Service Manager. With the purchase of FIM, you are granted an SCSM license designed strictly to enable reporting.

FIM 2010 R2 components

In small environments, you might deploy most of the FIM environment to a single server, but as the environment grows, you will probably find it easier to deploy FIM to multiple servers. This allows you to more easily grow those aspects of the environment that experience the most usage. The table below describes FIM’s major components.
  • FIM Synchronization Service. The synchronization service is one of FIM’s core services. It handles “metaverse”-wide synchronization of identities between data sources. This service creates and maintains identities in other systems.
  • FIM Service. The FIM service is a web service component that provides connecting functionality behind the scenes in FIM.
  • FIM Portal. The FIM portal is a user- and administrator-facing component that exposes much of FIM’s functionality to users, including password reset capability, group management tasks, and administrative options. The portal runs on SharePoint.
  • FIM Certificate Management. The certificate management component is generally used in conjunction with smart cards and isn’t deeply integrated into the rest of the suite. Many FIM deployments don’t even include this component.
  • FIM Reporting. FIM leverages System Center Service Manager’s reporting engine. Reporting in FIM is handled through this special SCSM service. Users of FIM are granted a runtime license for SCSM’s reporting component to enable this functionality.
  • FIM Password Registration Portal. One of FIM’s best features is the ability to provide users with the ability to establish security questions and answers that they can use to reset their passwords on their own in the event that they’re forgotten.
  • FIM Password Reset Portal. Once a user establishes security questions, if he forgets his password, he can visit the password reset portal and reset it without having to contact the IT help desk. In R2, the password reset portal is fully web based, so it can be used across any platform. There are no longer any ActiveX controls. The password reset tool can also integrate with the Windows login screen so that users can reset their passwords even if they’re unable to log in to their PCs.
  • SQL (FIM Service database). The FIM database stores all of the information for the environment and is used for certain transformations that take place.
  • BHOLD. BHOLD is a relatively new addition to FIM that enables organizations to delegate role management to users. This can further streamline the identity management experience in the organization.
  • FIM Outlook Client. A number of FIM actions require authorization through built-in workflows. Through the FIM Outlook client add-in, users and administrators can approve or deny actions right from Outlook without having to open a separate application.
Table 1: FIM 2010 R2 components
In this article series, you will learn about the identity management and password reset parts of FIM, but I will not be discussing certificate management.

Some additional terminology

As you may have guessed, FIM is a relatively complex software platform and there is a lot of supporting knowledge that goes into deploying the product. As such, there is quite a bit of terminology that’s important to understand.
  • Metaverse. According to Microsoft, the metaverse is “…a set of tables in the SQL Server database that contains the combined identity information for a person or resource. Management agents update and modify the metaverse from multiple connected data sources, and in turn, management agents use the data in the metaverse to update and modify the connected data sources. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain.” In other words, the metaverse is the universe in which the various FIM objects reside.
  • Connector space. This is an area where objects are written before being synchronized with the metaverse or a connected data source.
  • Connector. In FIM, a connector is an object in the connector space that is connected to an object in the metaverse.
  • Explicit Connector. A specialized type of connector that can only be created manually and that remains connected even when filters are in place.
  • Management agent. In FIM, a management agent is responsible for connectivity to a specific data source.

Data source options

FIM can connect to a variety of data sources. The list below describes which data sources Microsoft Forefront Identity Manager (FIM) 2010 R2 supports:
  • Active Directory Domain Services 2000, 2003, 2003 R2, 2008
  • Active Directory Lightweight Directory Services (ADLDS)
  • Active Directory global address list (GAL)
  • Attribute-value pair text files
  • FIM Certificate Management
  • Delimited text files
  • Directory Services Markup Language (DSML) 2.0
  • Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)
  • Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008
  • Fixed-width text files
  • IBM DB2 Universal Database 9.1 or 9.5
  • IBM Directory Server 6.0 or 6.2
  • LDAP Data Interchange Format (LDIF)
  • Lotus Notes release 6.5 or 7.0
  • Novell eDirectory 8.7.3 or 8.8
  • Oracle 10g Database
  • SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)
  • Sun ONE and Netscape Directory Server 5.1 and 5.2
  • SAP HCM
  • Oracle eBusiness Suite
  • Oracle PeopleSoft
There are also some additional management agents available for certain online services, such as Office 365. Using these data sources, you can manage identities across just about any system.

High level deployment overview

Setting aside the certificate management parts of FIM, which I won’t be covering in this series, FIM can be deployed in a number of different scenarios. Here are some things to keep in mind:
  • Most roles can coexist on a single server. This is generally suitable only in very small or lab environments.
  • The SCSM data warehouse service must run separately from the other services.
  • For scalability, administrators often place each role on a separate server. In the world of virtualization, this is a pretty easy feat to accomplish and provides the opportunity to granularly scale components as needed.
  • A best practice is to install the FIM portal and the FIM service together.
On the issue of scale, not every FIM role can be load balanced or spread across multiple servers. For those roles, only a single server of that role type is supported.

Summary

With more foundational elements in place, in the next part of this series, we’ll walk through the beginnings of a FIM deployment.