A Local Look at Global Issues: 2014 University of Washington Global Social Entrepreneurship Competition
Available Today: Windows Azure HDInsight with Hadoop 2.2
Today Microsoft announced the general availability of Windows Azure HDInsight with support for Hadoop 2.2.
Easily Create VHD and VHDX Files…
Have you ever needed to "easily" create a VHD or VHDX file for use with PDT, VMM, etc.? Me too, and it turns out there is a super useful tool for this when you don't want, or don't need, to do it via MDT or ConfigMgr.
http://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f
Convert-WindowsImage is the new version of WIM2VHD designed specifically for Windows 8 and above. Written in PowerShell, this command-line tool allows you to rapidly create sysprepped VHD and VHDX images from setup media for Windows 7/Server 2008 R2, Windows 8/8.1/Server 2012/R2!
It is surprisingly easy when you simply need a VHDX file for a demo, etc. Below is a sample command that creates a Windows Server 2012 R2 Standard Generation 2 VHDX file.
.\Convert-WindowsImage.ps1 -SourcePath D:\en_windows_server_2012_r2_x64.iso -VHDPath D:\WS12R2SG2.vhdx -SizeBytes 72GB -VHDFormat vhdx -VHDType Dynamic -VHDPartitionStyle GPT -Edition ServerStandard -UnattendPath D:\Server2012R2_Unattend.xml
Additionally if you don't fancy the command line there is a GUI shown below:
NOTE: The GUI has a limited feature set; to unlock all features, jump back to the command line.
.\Convert-WindowsImage.ps1 -ShowUI
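As an added example (my own, not from the original post or from the Convert-WindowsImage author), here is a small PowerShell wrapper around the sample command above: it verifies the ISO's SHA-256 against a known-good value before building the image, so a tampered or corrupted download never becomes a golden image, then confirms the resulting VHDX's format and type with Get-VHD from the Hyper-V module. The file paths and the expected hash are placeholders you replace with your own.

```powershell
# Added example: build a Gen 2 VHDX with Convert-WindowsImage.ps1 only after the
# source ISO has been verified, then sanity-check the result. Requires the
# Hyper-V PowerShell module (Get-VHD). Paths and the hash are placeholders.
param(
    [string]$SourceIso = 'D:\en_windows_server_2012_r2_x64.iso',
    [string]$VhdPath   = 'D:\WS12R2SG2.vhdx',
    [string]$Unattend  = 'D:\Server2012R2_Unattend.xml',
    # SHA-256 of the ISO as published by the source you downloaded it from.
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-PLACEHOLDER>'
)

$ErrorActionPreference = 'Stop'

# 1. Every input must exist, and the ISO must match the published hash.
#    Anything baked into this VHDX ends up in every VM deployed from it.
foreach ($p in $SourceIso, $Unattend, '.\Convert-WindowsImage.ps1') {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}
$actual = (Get-FileHash -LiteralPath $SourceIso -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "ISO hash mismatch: expected $ExpectedSha256, got $actual"
}

# 2. Same parameters as the sample command in the post, passed via splatting.
$convertArgs = @{
    SourcePath        = $SourceIso
    VHDPath           = $VhdPath
    SizeBytes         = 72GB
    VHDFormat         = 'VHDX'
    VHDType           = 'Dynamic'
    VHDPartitionStyle = 'GPT'
    Edition           = 'ServerStandard'
    UnattendPath      = $Unattend
}
.\Convert-WindowsImage.ps1 @convertArgs

# 3. Confirm the output is what was asked for before handing it to VMM/PDT.
$vhd = Get-VHD -Path $VhdPath
if ($vhd.VhdFormat -ne 'VHDX' -or $vhd.VhdType -ne 'Dynamic') {
    throw "Unexpected VHD properties: $($vhd.VhdFormat)/$($vhd.VhdType)"
}
"Built $VhdPath ($([math]::Round($vhd.FileSize / 1GB, 2)) GB on disk, $($vhd.Size / 1GB) GB virtual)"
```

Run it from the folder that contains Convert-WindowsImage.ps1, as the post's own command assumes.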
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
The Windows 8.1 Deployment Kit is here!
We are very excited to announce that the Windows 8.1 Deployment Kit will this week be arriving on the desks of all NZ State and Integrated Schools with rolls of fewer than 700 students.
What’s in the kit?
The deployment kit contains a ready-made ‘image’ of the latest Microsoft computer operating system and Office productivity tools, as well as a ‘plain English’ installation guide. This disk allows your school to deploy Microsoft Windows 8.1 and Microsoft Office 2013 across all your school-owned computers when you are ready. You will find all the documentation necessary to complete a full deployment of the latest Windows and Microsoft Office desktop.
- Windows 8.1 image, including:
  - Office 2013 Professional Plus
  - Internet Explorer 11
- Guidance on implementing an automated image deployment process using Microsoft Deployment Toolkit 2013
- How-to videos
- Microsoft Schools Deployment Kit terms of use.
What should you do now?
- Pass the disk onto the relevant IT staff in the school, or to the school’s technology provider/partner.
- If you don’t have a partner, email nzeducation@microsoft.com and we can direct you to a partner.
- Don’t forget:
  - Blogs will be posted with resolutions to any issues that are brought to our attention HERE and at the Deployment Kit Blog (http://blogs.technet.com/b/nzedu/p/deploymentkit.aspx)
  - We’ll keep you updated on our Microsoft NZ Education Twitter page @MSNZEducation
Tech4Good: March – International Women’s Day
In This Issue…
In honour of International Women’s Day this month, we bring you stories and resources that focus on the intersection between women, technology and nonprofits. We’ve also pulled together great webinar panelists for the end of March from organisations serving women in Bangladesh, Hong Kong and the Philippines who will share stories about how they use technology to better serve women and girls. We hope you’ll be as inspired as we were by the stories in this month’s edition of Tech4Good.
Women Developing a Better World
From inspiring women leaders in the nonprofit sector to girls coding to change the world, read about how women, girls and nonprofits are embracing technology to make a difference.
Women In Tech: 5 Nonprofit Leaders To Watch
Practical Office and Agricultural Skills for Nepali Youth
International Women’s Hackathon 2014
Bridging the Gender Gap: Girls in ICT Day
Girls who code can change the world: Towards gender parity in computing fields
Hear and Learn from the Experts
Watch videos of interviews and read articles about women in nonprofit technology sharing their know-how about the use of tech:
Part 1 of 3: Interview Series with Heather Mansfield from Nonprofit Tech for Good
Leila Janah Social Entrepreneur / Founder of Samasource and Samahope
Interview with Leila Janah from Social Enterprise Samasource
In Bangladesh, The Internet Comes to You on a Bike (join this month’s webinar to hear more about the InfoLadies programme!)
MoTeCH – Saving Mothers and Babies through Mobile Technology
Women of Microsoft Corporate Citizenship in Asia Pacific
Meet some of the inspiring women behind Microsoft’s Citizenship team in Asia Pacific.
Meet Crossing Wang, Microsoft China
Meet Janakie Karunaratne, Microsoft Sri Lanka
Meet Belinda Gorman, Microsoft New Zealand
Meet Supahrat Juramongkol, Microsoft Thailand
Interested in reading these articles in another language?
Try Bing Translator: www.microsofttranslator.com
Attend
Microsoft Tech4Good Events
NGO Connection Day
Indonesia
Date: April 2014
Location: Jakarta
Contact: Esther Sianipar
Malaysia
Date: June 4, 2014
Location: Kuala Lumpur
Contact: Mandeep Kaur
Webinar Series
Women and Tech
Date: March 20, 2014
Time: 12pm (Singapore Time)
Register now
Click here to check the time in your region
For more information contact Microsoft's Corporate Citizenship team.
Do you know about a technology-focused event in your area that would benefit your nonprofit peers? Let us know by emailing rhqcam@microsoft.com
Powering Change across India
This post is part of a series spotlighting Asia-Pacific nonprofit organisations that have incorporated a thorough understanding of technology and education into their learning programmes for youth. These organisations attended Microsoft’s Tech4Good Summit on 12-13 February 2014 in Singapore.
Employing nearly 10 million people every year, India’s information technology (IT) industry is one of its largest sectors. Bangalore, known as the “IT capital” of the country, alone is home to over 500 IT companies. Two thousand kilometres away, in the rural village of Bihar, technology is hardly in the equation; half of the population is poor, and almost the same number is illiterate. Out of the 889 million people that make up India’s rural population, the Internet penetration rate remains alarmingly low at 6.7 percent.
Nonprofit organisation Aga Khan Rural Support Programme (AKRSP) (India) finds itself increasingly using technology in its educational programmes. The organisation is part of the international Aga Khan Development Network that has agencies working in 30 countries, mostly in poor areas of South Asia and Central Asia, Eastern and Western Africa and the Middle East.
Students going through self-learning courses written in English
In India, where it is active in over 1700 villages in the three states of Gujarat, Madhya Pradesh and Bihar, AKRSP addresses development issues, especially those connected to rural inequalities, through a myriad of initiatives such as microcredit schemes, community organisation projects and sustainable resource management. In its educational programmes, it is incorporating a greater use of technology to help underprivileged and marginalised youth access opportunities in India’s booming IT sector.
AKRSP Manager of Skills Development and IT, Shiji Abraham, said, “There are so many workers who are based in India working for national and international firms. We want our beneficiaries to be part of the intellectual and technical resource that these firms are relying on, by providing computer training to more people. We also want to make use of technology as an organisation to operate more efficiently while achieving high impact.”
In states that have a better level of infrastructure, such as Gujarat, multimedia content is used in AKRSP’s educational programmes to enhance classroom lessons or as self-learning modules. Digital literacy is a vital component in the vocational education programmes where marginalised and underprivileged youth are taught how to use the Internet to access information on employment and education opportunities and for skills upgrading.
Infrastructural shortcomings in underdeveloped tribal regions like Bihar are overcome with other forms of information technology. For instance, community radio programmes in local languages are used to educate rural communities on issues, and AKRSP uses Short Messaging Services (SMS) to provide rural farmers with real-time price information, enabling them to get a fair price for their produce.
AKRSP relies on its IT infrastructure to connect staff members working across the three states, and is exploring more ways where technology can support programme delivery, documentation, monitoring and evaluation.
With price information and market rates available on the phone, farmers in rural India are able to get a fair price for their produce
SQL Server 2014 RTM announced!
We are very happy to announce SQL Server 2014 has been released to manufacturing and will be generally available on April 1.
What’s new in SQL Server 2014?
Breakthrough performance with In-Memory OLTP
- In-Memory OLTP: In-memory transaction processing (In-Memory OLTP) speeds up an already very fast experience by delivering speed improvements of up to 30x. Important to our in-memory work is our approach of building SQL Server’s In-Memory OLTP right into the box. This means you don’t need expensive additional software to take advantage of the technology. More importantly, it means customers do not have to rewrite their application or deploy new servers. SQL Server 2014 is the first database to have integrated In-Memory OLTP technology, and SQL Server 2014 will have the most comprehensive in-memory offerings of the leading enterprise vendors.
- Enhanced In-memory ColumnStore for Data Warehousing: Updatable, Faster, Better compression
- Resource governor adds IO governance: predictable performance
- Buffer Pool extensions to SSD: Faster paging
- Enhanced Query Performance: Faster performance without any apps changes
Hybrid Cloud for Disaster Recovery
- Simplified Cloud Backup: Now you can easily and securely back up and recover on-premises SQL Server databases using Windows Azure.
- Disaster Recovery with Azure. SQL Server 2014’s AlwaysOn technology was not just improved for this release, it was built to enroll Windows Azure virtual machines running SQL Server into a disaster recovery solution. This turnkey solution builds on SQL Server 2014 availability in Windows Azure virtual machines – one can get SQL Server with its in-memory and mission-critical features up and running in an Azure VM in literally a few minutes.
Please find more information about these and other new SQL Server features in SQL Server 2014 Datasheet and TechNet.
> If you want access to the release as soon as possible, please sign up to be notified once the release is available.
> Also, please join us on April 15 for the Accelerate Your Insights live event from San Francisco, California to learn about our data platform strategy and how our customers who already deployed the solution are gaining significant value with SQL Server 2014.
There will also be additional launch events, so please check this blog for announcements or contact your Microsoft representative and local PASS chapter for more information on SQL Server readiness opportunities.
Success with Hybrid Cloud: Best Practices for Building a Hybrid Cloud
It may seem obvious, but it is still worth emphasizing: the early planning phase of a hybrid cloud strategy is the most important stage of discussion for IT leaders and implementers.
Most of the CIOs I spoke with last year told me they are considering transitioning to a fully hybrid environment within a few years, and that this transition starts with assessing how their application portfolio would evolve within such an infrastructure.
This planning process is critical, and in this post (part 1 of a 5-part series on "best practices" for planning, building, deploying and maintaining a hybrid cloud) I will dig into some of the most important questions and considerations every organization needs to examine when planning a hybrid environment.
The goal of this planning phase is to assess your business's specific IT needs and identify how a hybrid cloud environment can meet them. Every organization will have different needs and different resources available to address them, which makes a thorough and objective discussion within your IT team essential.
Planning a hybrid cloud is also an opportunity to reflect on how you operate. If you have found inefficiencies in the past, the planning process is a chance to isolate them and highlight process improvements. In other words, don't rush to migrate your existing way of operating into the new hybrid environment; focus first on how this infrastructure can improve the way your organization operates at every level.
As this discussion deepens, I believe the flexible and adaptable nature of the Microsoft hybrid cloud will prove an ideal way to support both your current needs and your future plans.
In this post I will share the 5 steps I consider critical in any hybrid cloud planning process. These steps take into account workload requirements, geographic constraints, infrastructure constraints, cost factors, non-cost factors and relationships.
Step 1: Carefully and objectively assess your current environment and workloads; understand what you need to use, what you want to do with it, and what your industry requires.
To do this, your IT team and the other key decision makers in your organization need to jointly determine the IT architecture your organization needs, the application requirements (design, security/privacy, response time) and the workloads you will run.
Workload requirements
There are a vast number of potential workloads running in any given datacenter, and every organization has unique factors that affect how those workloads perform. I have written before about how Microsoft applications (such as SQL, SharePoint and Exchange) run best on the Microsoft platform (Windows Server, Hyper-V, System Center and SQL Server), which is very good news for a Microsoft hybrid cloud environment. Organizations running a Microsoft hybrid cloud can choose to run these key Microsoft workloads in their own datacenter, in a service provider's cloud or in Windows Azure, confident that in every case the same Windows Server Hyper-V is powering their business. In addition, our networking solutions let you easily extend your datacenter into Windows Azure, giving you the flexibility to choose where to deploy your workloads.
Hybrid cloud also supports a great use case for temporary needs such as dev/test projects. By testing an application in the public cloud first, you can verify that it runs effectively and then decide whether to deploy it to production in your private cloud. This saves development and test organizations a great deal of money (for example, on building test labs). Beyond those savings, the unlimited elastic capacity offered by a public cloud such as Windows Azure lets your dev/test organization simulate and run real-world test cases without the burden of maintaining a test environment (and, since your organization pays only for the capacity it uses, it can turn that capital expense into an operating expense).
In recent weeks the United States saw an example of where this model could have saved a lot of time and dollars: the healthcare.gov website. Had the company responsible for dev/test on healthcare.gov used the public cloud to load-test the site, it very likely could have avoided the unexpected consequences of the flood of site traffic (and the resulting crashes and embarrassment). Under-utilization of test resources is still common, and it appears to have been a big problem for the healthcare site (see CNN, Reuters, Ad Age, Politico, WaPo, USA Today, Forrester and others). In a hybrid environment, having to forgo testing for lack of internal resources is a thing of the past.
For a positive example of this principle in action, see how Telenor, a large Norwegian company, uses Windows Azure infrastructure for its SharePoint workloads and dev/test environments.
It is also important to note how you initially choose workloads: for example, determine whether your primary operation will be offloading specific applications (where you gain the biggest cost/scalability advantages), or whether you need temporary environments such as dev/test (where the advantage is that a hybrid environment is a great place to test your applications before broad deployment).
When you start taking advantage of a hybrid environment, remember there is no need to migrate everything at once. Start slowly by selecting a few specific applications to migrate, and begin identifying where your organization's big opportunities are. Microsoft's solutions ensure you have the flexibility to move workloads back on-premises if needed, or to move workloads to the public cloud faster (to maximize business scale and realize its benefits).
Geographic constraints
Depending on the regulatory environment of your industry or of your company's offices, the location of public and private data can be an important factor. Taking these factors into account is an important element of the planning process, because there are countless situations around the world where sensitive information must never leave a particular building or a country's borders.
By building Windows Azure on a global scale, we address these needs actively and directly, letting organizations operate worldwide without investing in datacenter capacity they don't need.
Another geographic factor is keeping your workloads as close to your customers as possible. For example, during the holiday season in the United States, many East Coast retailers rent space on West Coast servers to meet consumer demand in that region. For a company committed to a fast, smooth user experience, keeping that data as close as possible to the customers accessing it can have a huge impact on performance. In the hybrid cloud model, this seasonally shifting geography is simply an extension of your permanent datacenter. You can see a list of the Microsoft datacenter locations where customer data is stored here.
Be mindful, however, of the other side of geography: for business continuity in the event of a large-scale disaster, there should be enough geographic distance between your primary and secondary datacenters. We chose our datacenter locations carefully to mitigate any disaster recovery risk.
Step 2: Select a partner (for private cloud, public cloud) that meets the criteria specified in step 1.
Choosing a partner is a topic I have covered many times before, and I really cannot overstate the importance of this choice. Recognize, too, that the process is different for every organization.
My advice is this: look for a cloud partner that can provide a comprehensive solution delivering consistency across clouds; that will ensure you avoid lock-in to a single partner by enabling flexible workload mobility. If your partner can offer cross-cloud consistency together with a unified approach to management, you will be well positioned for the future as your datacenter transforms.
Cost factors
Within a hybrid cloud you have many options for how and where workloads run. Determining the best configuration for you means weighing how much you want to keep on-premises, what can be moved out, and what performance you expect from those workloads.
Often, when we talk about creating a hybrid environment, many companies already have a collection of resources with hybrid characteristics; what they really need is a way to expand capacity quickly and seamlessly when necessary in order to take advantage of more capacity, lower cost or geographic location (more on that below). For short-term needs, using the public cloud as a tier within your datacenter is a very sensible choice.
For context, a short-term need for added public cloud capacity might be a retailer planning ahead for the holidays, moving entire applications and/or workloads into the cloud before datacenter space runs out. Capacity planning of this kind against the public cloud underscores the fact that there is no reason to make a large capital investment in hardware that is needed only a few months of the year.
These cost savings show up as follows: companies maximize their performance, scalability and infrastructure, or avoid the heavy lifting of building complex infrastructure (vendors, procurement, capital expense, configuration, operations) in order to improve enterprise or service provider performance. Hybrid cloud also gives businesses the flexibility they need to spin up dev/test environments quickly without wasting time or effort on an inflexible architecture. And perhaps most obviously, by using public and private resources strategically, businesses pay only for the services they use.
In short, deploying a Microsoft hybrid cloud saves time and money. Good examples include the hybrid cloud deployments of enterprises such as Lufthansa and Aston Martin, and of service providers such as Hostway and Convergent Computing.
Of these four companies, Aston Martin is a textbook example of how easy it is to move to a hybrid model, and of some initial resources that can easily be moved to the public cloud. In Aston's case, they used Hyper-V Replica and Hyper-V recovery servers for backup and disaster recovery. Backup and disaster recovery are the two simplest ways to take advantage of a hybrid cloud environment, because they lower the cost of tape backup without affecting any on-premises operations. These strategic moves by Aston form the foundation of its new business continuity strategy, and every organization can benefit from implementing them.
Another big cost saving comes from the time a hybrid environment saves, for example the way Windows Azure manages all of the underlying fabric and the complexity of the workloads you bring in.
In this scenario, the Microsoft hybrid cloud helps you extend your private cloud into public space, which means you can access additional capacity without managing the infrastructure tied to it. Most importantly, the virtualization platform Windows Azure runs on is the same one that runs your on-premises Windows Server workloads. Hyper-V supports top-tier workloads such as SharePoint and SQL, and now you can run them on Windows Azure (and, of course, move them back on-premises in the future without being locked into the public cloud). If you need to migrate from somewhere else, don't forget the very simple Migration Automation Toolkit.
A related example is HDInsight. Organizations get tremendous value from running HDInsight, but there is no denying it is complex. With Azure, all the resources it needs to run are already set up, so you can get going without any setup of your own.
Another key part of these cost factors is whether you get the return you are entitled to. This idea may seem obvious, but you might be surprised how often cloud partners fail to meet your service expectations. At Microsoft, there are penalties if we fail to meet an SLA, a guarantee other cloud providers don't offer. We put money behind protecting and supporting your organization.
Non-cost factors
Non-cost factors include compliance/regulatory/government concerns (from governments to regulators), privacy and security.
The hybrid cloud model helps greatly in these areas because it gives you a range of cloud options. In industries or scenarios that insist on on-premises deployment, the Microsoft hybrid cloud provides the flexibility to keep your business compliant at all times while remaining scalable everywhere else. The Microsoft hybrid cloud lets you build a powerful private cloud while enjoying the benefits of the public cloud when you need them.
On compliance and security, the Microsoft hybrid cloud deserves mention in a few key respects. Azure is regularly reviewed and audited by third parties to verify its security, and reports of those audits are available to customers who want to understand how our public cloud services comply with security, privacy and compliance requirements. Azure has also published details of how it meets the CSA Cloud Controls Matrix in the CSA Security, Trust and Assurance Registry (STAR). You can learn about this and more at the Windows Azure Trust Center.
I also recommend learning more about our extensible compliance framework. The Microsoft Compliance Framework for Online Services is a very detailed mapping of the controls of a broad range of regulatory frameworks. This framework lets us design and build services using a single set of controls over the long term, simplifying compliance with a range of regulations.
On the subject of public cloud security, see the following list of Windows Azure certifications:
- ISO 27001: Windows Azure is certified annually against ISO 27001, a broadly applicable international information security standard, and undergoes an annual ISO compliance audit.
- SSAE16 SOC: Windows Azure is audited annually under the Service Organization Controls (SOC) reporting framework for SOC 1 Type 2 (attesting to the design and operating effectiveness of its controls) and SOC 2 Type 2 (including a further examination of Windows Azure controls relating to security, availability and confidentiality).
- Cloud Security Alliance Cloud Controls Matrix: Windows Azure has been assessed by a third party against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The assessment was completed as part of the SOC 2 Type 2 audit and is a means of meeting the assurance and reporting requirements of most cloud service users.
- FedRAMP: After verifying that the service meets government security standards, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) granted Windows Azure a Provisional Authority to Operate (P-ATO).
- UK G-Cloud Impact Level 2 accreditation: Windows Azure has been granted Impact Level 2 (IL2) accreditation, further enhancing the products and services Microsoft and its partners offer on the current G-Cloud procurement framework and CloudStore. IL2 will benefit many UK public sector organizations that need "PROTECT"-level security for data processing, storage and transmission.
- HIPAA: To help customers comply with the security and privacy provisions of the HIPAA and HITECH acts, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare organizations that have access to protected health information (PHI).
As mentioned above, you can read more about this at the Windows Azure Trust Center.
Relationships
Few organizations build or operate a hybrid cloud on their own. The expertise required for technology of this kind is usually more than everyone in one building possesses, so a trusted vendor or service provider becomes an important part of the process. I recommend getting partner information from your Microsoft representative and from your peers, so that you find partners with the viability, trust and execution needed to deploy a hybrid cloud successfully.
Throughout the planning process, and in every discussion as you consider each step, keep the following points in mind about how the Microsoft hybrid cloud works once it is up and running:
- No matter how your applications are deployed within the Microsoft hybrid cloud, you can always use Visual Studio to write and debug applications deployed to Azure and Windows (and vice versa). Java and other languages are also supported.
- Given the consistency within the Microsoft hybrid cloud, your developers only need to create one user experience, regardless of where the application will be used. That means they can spend their time learning a single UX.
- All Microsoft clouds use the same web-friendly protocols, and all of them can be automated with System Center Orchestrator.
- Wherever your workload lives in the hybrid environment, you can always monitor it and see whether it is healthy from a single interface in System Center Operations Manager.
Geographic location
If your scenario requires a specific geographic location, the hybrid cloud model offers real flexibility: if you need to keep data nearby, you can host it on-premises on Windows Server and SQL Server, or in the public cloud in one of Azure's globally distributed datacenters. If the public cloud is not an option, or if you are in a remote region not covered by our datacenters, it is easy to work with one of our trusted service provider partners.
Step 3: Include the management tools you need in the planning process.
You need a unified management capability (and toolset) to manage your hybrid environment in a controlled way. I have seen many attempted cloud deployments spin out of control immediately for lack of a sound management strategy; the good news is that the Microsoft hybrid cloud provides reliable, proven monitoring through Operations Manager (as noted above).
With Operations Manager you can monitor all workloads and applications in all clouds from a single console. As we discussed before, Operations Manager has long been too complex for anyone outside the IT team to use consistently, but it is now much more user friendly. Operations Manager is now widely used because it can present customizable views of data and display any metric, KPI, environment or application, all without switching between tools. Its data visualization is also an important way to see the latest data rather than relying on reports of what has already happened.
With Operations Manager (I recommend reading more here and here), you get full visibility, management and control over your public and private clouds, so if a problem occurs in one of those tiers you can investigate it from one interface, treating the application as one element rather than multiple pieces across multiple tiers.
In addition, Orchestrator and Operations Manager together deliver application elasticity through automation across all clouds. These tools even include the ability to predefine application scalability and performance thresholds; once a threshold is exceeded, they can automatically trigger provisioning of additional infrastructure in Windows Azure to support your application's needs (for example, peak demand at a certain time of year). Orchestrator also has integration packs that automate workflows for deploying compute and storage instances on-premises or in Windows Azure.
On application and infrastructure provisioning, Microsoft has published Service Templates for System Center Virtual Machine Manager 2012 (see the links below), which greatly reduce the time needed to prepare many workloads for automated delivery. The documentation serves as a reference for each published workload, guiding you from manual installation to an intelligent managed application platform that supports redundancy and high availability and understands how these affect the change management service model; this is a core knowledge area that will continue to evolve.
See the Building Clouds blog for more information on the Microsoft workload service templates:
- Active Directory
- Exchange Server 2013
- Lync Server 2013
- SharePoint Server 2013
- SQL Server 2012
- Oracle Self-Service Kit
- Service Template Example Kit
Step 4: Enterprises need to confirm how their IT team will operate as a service provider to the organization.
As you begin to look at your hybrid cloud over the long term, you will quickly see a more sophisticated view of the environment, one that blurs the lines between all your resources (private cloud, public cloud and partners). The goal of the Microsoft hybrid cloud is to maximize your datacenter's agility as you move between these clouds through self-service provisioning (discussed in detail here).
You should also use this planning phase as an opportunity to determine how to reorganize your datacenter to operate like a cloud service provider. The goal of organizing the datacenter this way is to give your teams self-service options, which in turn lets them use the services they need more efficiently and with more agility.
Another important element to consider is thinking of the organization's IT department as a provider of resources, whose role is to provision on demand, share/pool resources, and offer broad network access, rapid and elastic resource allocation/deallocation, real-time resource metering and so on.
To get started on this aspect of planning, Microsoft offers extensive architectural guidance to help you map out, design and deploy your hybrid cloud infrastructure.
Step 5: Determine how your organization will continue to build and improve its private cloud while taking advantage of public cloud resources.
At times nothing in the world seems to age faster than enterprise technology, but the flexible nature of hybrid cloud means you can keep modifying, adjusting and improving the environment over time. That means taking advantage of new processes and tools (elastic resource allocation, integrated monitoring and orchestration, self-service, metering) and staying on top of the technologies that matter most to your business.
Looking back at the What’s New in 2012 R2 series, I emphasized that Windows Azure Pack demonstrates Microsoft's commitment to improving the private cloud with the success and power of a global public cloud. Specifically, we take what we learn from Windows Azure innovation and deliver it to you for use in your datacenter through Windows Server, System Center and Windows Azure Pack (WAP). The capabilities in WAP come from innovations we developed in the public cloud, proved there, and then put to effective use in the cloud services we offer.
Windows Azure Pack and the technology it brings to the private cloud (such as self-service, multi-tenant services and an experience consistent with Microsoft's public cloud offerings) are very practical. These capabilities are especially valuable to service providers offering new capabilities to their customers.
WAP is generally available alongside Windows Server 2012 R2 and System Center 2012 R2 at no additional cost. All of this shows that we are delivering on our promise of consistency across clouds.
* * *
Having learned these 5 steps for planning a hybrid cloud, don't worry about the complexity of the planning process. Many organizations already have most of the components a hybrid cloud requires, and the planning phase is an opportunity to take stock of those resources and find the best way to use them most efficiently. As you work through these 5 consecutive steps, I think you will see some huge opportunities your organization can seize, and some clear areas where we can work together.
In the next post we will look at the payoff for the time and effort spent on planning: we will explore best practices for building a hybrid cloud.
New research forecasts the staggering cost of cybercrime
Posted by the Associate General Counsel & Executive Director, Microsoft Cybercrime Center
A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now – cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.
Study: Software piracy pays off – for criminals, not for consumers and businesses
Businesses worldwide will spend nearly $500 billion this year to deal with the problems caused by malware on pirated software, according to a new study released Tuesday.
Pirated software will also take a heavy toll on consumers: $25 billion will be spent dealing with security threats and costly computer fixes.
The finding “reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now – cybercrime is a booming business for organized crime groups all over the world,” writes David Finn, associate general counsel and executive director of the Microsoft Cybercrime Center.
The study, “The Link Between Pirated Software and Cybersecurity Breaches: How Malware in Pirated Software is Costing the World Billions,” conducted by IDC and the National University of Singapore, was released as part of Microsoft’s “Play It Safe” campaign. The campaign is a global initiative to create greater awareness of the connection between cybersecurity breaches, malware and piracy.
The results, Finn writes, show once again “how vital it is that individuals, small businesses, enterprises and government institutions buy new computers from reputable sources and demand genuine software. Because if you don’t, you never know what will come along for the ride.”
More information about the IDC study is available at the Microsoft Play It Safe website. To read Finn’s full post, head over to Microsoft on the Issues.
You might also be interested in:
- Marlee Matlin: “Glad Microsoft has invested so much into making the Xbox accessible”
- Microsoft in Education Global Forum Educator Awards give six schools funding for teaching projects
- Microsoft Research’s David Rothschild makes March Madness predictions
Suzanne Choney
Microsoft News Center Staff
Windows 8.1 Tips: How To Download the Windows 8.1 Pro ISO
Introducing codename Oslo and the Office Graph
(This article is a translation of Introducing codename Oslo and the Office Graph, posted to the Office blog on March 11, 2014. For the latest information, please refer to the original article.)
This post is by Ashok Kuppusamy, Group Program Manager on the Norway-based FAST engineering team.
We at Microsoft are very excited to announce codename Oslo, the newest addition to the Office 365 family. Oslo and the Office Graph were announced during the keynote at the recent SharePoint Conference. You can learn more about Oslo in the following episode of the Office 365 Garage Series, filmed on site at the SharePoint Conference, where I appear together with host Jeremy Chapman and my colleague Cem Aykan.
We are delighted by the strong interest in this announcement. In this post I would like to describe in more detail how Oslo delivers the next generation of search and discovery.
Next-generation search and discovery: informed, proactive search
Our goal in developing Oslo was not just to reinvent search, but to help people get their work done easily, and even enjoyably, with the right information at hand. After all, a user's job is not "searching" as such; search is one means of getting the real work done. With that larger goal in view, we began asking how we could break down the walls between applications, make information easier to discover, and enable teams to work together like a network. The result is not just a search solution but an entirely new way of working: proactive, transformative and enjoyable. Oslo is the first solution to deliver this new, intelligent and social way of working.
Rather than list features one by one, let's look at how Oslo changes the world of work.
Oslo is proactive and personalized
Like me, you probably have a great deal of work every day. Hours of meetings are scheduled, there is a flood of email to read and answer, you usually need to discuss urgent issues with many people, and there are never enough hours in the day. This probably sounds familiar.
With Oslo, calm comes to those hectic days. It shows the information you need to review today, and even information likely to become important soon, so unnecessary information stays out of view. You can also see what is trending in relation to your work and the people in your network. The information is presented in a form that is easy to act on and immediately accessible.
Oslo focuses on the important information that interests you, based on your work and the activity of the people in your network.
Oslo is personalized to you. For example, what Oslo shows me is different from what it shows any other member of my team. How does Oslo know what to show? It uses the capabilities of the Office Graph.
The Office Graph uses sophisticated machine learning techniques to connect you to the relevant documents, conversations and people around you.
To use Oslo, you don't need to change anything about how you work. Through the Office Graph, Oslo automatically reflects the activities you already perform every day: which documents you share, whom you meet with, and which documents you read. These activities include private activities, such as the documents you have viewed, and public activities, such as the people you follow on Yammer; private activities always stay private.
Finding content you have seen before
During the Winter Olympics I had a meeting with Kjartan Mikkelsen, a development manager. Kjartan is one of those brilliant people who knows something about every topic. Using an excellent PowerPoint deck, he gave a presentation on speed skating and why Norwegians care so deeply about skating lap times. Thanks to that wonderful meeting, I will look at speed skating very differently from now on.
As it happened, yesterday I needed to look at that presentation again. Kjartan had not sent me a link, so I did not know where it was stored. Normally I would have emailed him and simply waited, but that is no longer necessary, because Oslo shows me every PowerPoint presentation that has been presented to me ([Presented to me]).
The [Presented to me] view in Oslo. Kjartan's speed skating presentation appears at the top.
So how does Oslo know what has been presented to me? Again, this is the magic of the Office Graph. The Office Graph knows which meetings you attend, when someone is presenting, and where that presentation is stored. Oslo connects these pieces of information into a complete picture and shows you the presentations that were given to you.
This seemingly magical capability is not limited to the [Presented to me] view. In Oslo, intuitive and natural views such as [Shared with me], [Modified by me] and [Trending around me] let you work with everything related to your job. In this way, with Office 365 you no longer need to remember where information is stored.
The default search view, with frequently used filters and the people important to you shown as options.
Work like a network
For most people, so much information flows through the corporate network that it is hard to know what is happening around you. Suppose you need to find a document your colleague Dan worked on, and it is a document about learning. If you type "learning" into today's search engines you get far too many results, because the word "learning" appears in an enormous number of documents. With Oslo, you simply type "Dan" in the search box. Oslo takes you to Dan's page, where you can see the documents Dan has worked on and the people he has worked with. Of course, you can only see documents you have permission to access.
Oslo shows the people you work with, as well as the relationships among colleagues.
With Oslo, you only need to remember a person's name to find everything you need. For us humans, remembering a person's name is far easier than remembering a document name or keyword. This shift to connecting with content through people points to something truly transformative: a new way to always be "in the know" about what is happening around you. It is the difference between working in an office with the door closed, where you barely know what is going on around you, and working in an open office where you are exposed to a constant stream of information.
This transformation happens in small teams too. At Microsoft, teams using Oslo hold fewer meetings. They send fewer status reports. And there is less "talking about work" itself. Instead, we each get on with our own work and check the latest on each other's work through Oslo. We also reuse information across the organization more effectively. We give feedback on work immediately rather than waiting for a meeting. The pace of work picks up, yet there is still a feeling of being "in the know". It is as if the whole team were working in an open-plan room, aware of what is going on but without being constantly interrupted. At Microsoft we call this "Work like a network", because Oslo makes it easier than ever to connect with others, build relationships and share information. And, built on openness and transparency, Oslo delivers a new level of productivity.
Nothing would please us more than to transform the way we work together with you and fundamentally change how people get their work done. What we have covered here is only the tip of the iceberg; we will be announcing more details.
Please look forward to more news about Oslo.
We will continue developing in Norway. Thank you for your continued support.
– Ashok Kuppusamy
Through new partnership, Microsoft provides technology training to National Board-certified teachers
Microsoft is partnering with the National Board for Professional Teaching Standards to provide technology training to National Board-certified teachers.
Microsoft will provide the tools and professional development training to help the teachers integrate Microsoft technologies into their work. This partnership includes online and in-person training, entry into the Microsoft Innovative Educator (MIE) program and certificates of learning.
This partnership builds on Microsoft’s existing support for President Barack Obama’s ConnectED initiative with an offer that provides affordable Windows 8 devices to schools across the nation.
Check out the Microsoft in Education blog to find out more about this partnership and what it offers to these teachers.
You might also be interested in:
- Microsoft in Education Global Forum Educator Awards give six schools funding for teaching projects
- Microsoft’s professional development program gives educators year-round support and training
- Educators gain recognition in Learn-a-Thon focused on sustainability, gender equality and poverty
Athima Chansanchai
Microsoft News Center Staff
Threat landscape overview for South America: a look at Brazil's considerable improvement
By Tim Rains, Microsoft
This article, part 2 of a series on the threat landscape in South America, focuses on Brazil. Brazil had one of the most active threat landscapes in the world for many years. As shown in Figure 1, in the first quarter of 2011 (1Q11) Brazil's infection rate (19.18) was more than double the worldwide average (8.65). However, Brazil's infection rate improved significantly over the following nine quarters, ending the second quarter of 2013 (2Q13) at 6.7, compared with a worldwide average of 5.8.
Figure 1: malware infection rates (CCM) for Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay and Venezuela, compared with the worldwide average between the first quarter of 2011 (1Q11) and the second quarter of 2013 (2Q13).
Figure 2 lets you compare the malware infection rate (CCM) in Brazil with the malware encounter rate in the same country. The encounter rate is the percentage of systems running Microsoft real-time security products on which malware was detected trying to install itself or persist, but was blocked by Microsoft antimalware products. The most interesting thing about Figure 2 is that the encounter rate increased during the second quarter of 2013 while the malware infection rate decreased. In other words, more systems encountered malware, but fewer systems were infected. Something to keep in mind is that the types of threats encountered are often not the types that most frequently infect systems.
Figure 2: malware infection and encounter trends in Brazil and worldwide during the second quarter of 2013 (2Q13).
As shown in Figure 4, adware, trojan downloaders and droppers, and password stealers and monitoring tools exceeded the worldwide average in Brazil during the fourth quarter of 2012. Adware was detected on 40.8% of all computers with detections in Brazil during the fourth quarter of 2012, up from the 17.4% seen in the third quarter of 2012. I consider this change and the relatively high levels of adware good news for Brazil, because it means a smaller proportion of the most severe threats.
To better understand how Brazil's malware infection rate improved so significantly, we can compare the threat categories detected in Brazil in the second quarter of 2011 with those detected in the fourth quarter of 2012. As shown in Figure 3, worms were detected on almost a quarter of the systems with malware detections in Brazil in the second quarter of 2011. By the fourth quarter of 2012, however, worms were detected on almost 10% fewer of the systems with detections in Brazil. Another very positive change was the large decrease in password stealers and monitoring tools detected in Brazil, a threat category Brazil has struggled with for a long time; the number of systems in Brazil with detections in this threat category fell by almost half between the second quarter of 2011 and the fourth quarter of 2012. However, as shown in Figure 5, one threat belonging to this category remained on the list of the top ten threats in Brazil during the fourth quarter of 2012: Win32/Bancos. Win32/Bancos is a data-stealing trojan that captures online banking credentials and relays them to the attacker. Most variants target customers of Brazilian banks.
Figure 3 (left): malware and potentially unwanted software categories in Brazil during the second quarter of 2011, by percentage of computers reporting detections;
Figure 4 (below): malware and potentially unwanted software categories in Brazil during the fourth quarter of 2012, by percentage of computers reporting detections;
Note: totals for each period may exceed 100% because some computers report detections in more than one threat category in each period.
Also worth noting is Win32/Banload, a family of trojans that download other kinds of malware. In general, Banload downloads Win32/Banker, which steals banking credentials and other confidential data and sends them to a remote attacker. Threats targeting online banking customers have been prevalent in Brazil for many years.
Win32/Sality ranked 8th on the list of the top ten threats detected in Brazil during the fourth quarter of 2012. Although Sality is a virus, this is not necessarily surprising. Sality has been one of the most successful viruses of recent years. You can read more about it in an article I wrote titled "Are viruses back?"
Figure 5 (left): the top ten malware and potentially unwanted software families in Brazil in the fourth quarter of 2012;
Figure 6 (below): malicious website statistics in Brazil between the third quarter of 2012 and the second quarter of 2013
Another factor that may contribute to Brazil's malware infection rate is the number of systems running up-to-date antivirus software; 21% of systems in Brazil did not have up-to-date real-time antivirus software protecting them during the second half of 2012. That is better than the worldwide average of 24% of systems lacking up-to-date real-time antivirus during the same period. Unfortunately, I do not yet have trend data to help us understand whether the number of systems in Brazil running antivirus software has increased over time. The socioeconomic factors that have been associated with malware infection rates since the second quarter of 2011 can be seen in Figure 7. If you want to learn more about how these factors correlate with malware infection rates in the region, read the following article: "Special Edition Security Intelligence Report Released – How Socio-economic Factors Affect Regional Malware Rates".
Figura 7: alguns dos fatores socio-económicos correlacionaram com taxas de infecção por malware, com valores para o Brasil desde o segundo trimestre de 2011
O plano de ação para os usuários de computadores no Brasil:
- Evite Pesquisar ou usar software pirata, desde que os atacantes se aproveitam do desejo de descontos ou software livre para enganar os usuários a baixar malware nos seus sistemas. Número de ameaça de Win32/Keygen, dois de top ten no Brasil, é a prova de que os atacantes estão usando essa tática com sucesso no Brasil.
- Utilize software antivírus em tempo real de um fornecedor respeitável e o mantenha atualizado. Você pode encontrar esses fornecedores aqui. Se você tem o Windows 8, certifique-se de que o Windows Defender está ativo no sistema, se o software de anti-vírus de teste expirou.
- Manter atualizado todos os programas do seu sistema, incluindo Microsoft, Adobe, Java, etc. Os atacantes tentam tirar proveito de vulnerabilidades em todos os programas de software, então esta é uma maneira muito eficaz para ajudar a proteger os sistemas.
Vamos analisar ameaças na Argentina e no Uruguai, na parte 3 desta série.
Tim Rains
Diretor
Computação confiável
Microsoft Payment Solutions offers flexible payment structures for businesses looking to move to the cloud
For some businesses, a gradual transition to the cloud is the way to go for their production and budget cycles. But for others, it’s better to make a full transition — if they can overcome price concerns.
No matter what cloud arrangement is best for your business, Microsoft Payment Solutions offers flexible payment structures that reflect the seasonality and needs of a business, writes the Microsoft Volume Licensing Blog. Options include:
· Scheduling payments over time to spread out the cost of IT investments.
· Deferring payments to allow time for deploying and benefiting from IT investments.
· Ramping up payments to increase as revenue increases.
· Customizing payments to match the cash flow patterns of your particular business.
For more information, visit Microsoft Payment Solutions, and to read the full post, head over to the Microsoft Volume Licensing Blog.
You might also be interested in:
· North Carolina’s largest county chooses Office 365, Windows Azure and Surface Pro
· US partners: New diversity focus study wants you
· Genius Scan app now works with OneNote for easy capture and save
Suzanne Choney
Microsoft News Center Staff
Announcement: Update for Configuration Manager Clients for Mac Computers
Support Announcements for March 2014
Living among the clouds 1/3
"The cloud" is a term heard a lot these days, but what really is the cloud? Is it a new term?
Public Cloud
Private Cloud
Hybrid Clouds
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
- Database as a Service (DBaaS)
- Storage as a Service (StaaS)
- Security as a Service (SECaaS)
Improving AD Connector Performance
Introduction
One of the longest-standing asks on the Service Manager Team has been to improve the performance of the Active Directory (AD) Connector. The AD connector is the primary source for bringing in data about users, groups, printers, and computers as configuration items (CIs) from Active Directory Domain Services (AD DS) into the Service Manager database (CMDB). As you can imagine, proper functioning of the AD Connector is critical to realizing many of the scenarios in Service Manager. It is also one of the most stressed components in Service Manager due to the volume of data synchronized, especially in large environments with 50,000+ users and/or computers.
This post will discuss a workaround which can help the AD connector scale and perform better, albeit with some tradeoffs which are discussed in detail below. Read on if you’re still interested :)
AD Connector Theory of Operations
At a very high level the AD Connector works by doing a full sync of data from the domain or OU chosen by the administrator on its first run. Subsequent runs typically sync only the new information or changes made to the domain or OU. The connector first connects to AD DS using the LDAP protocol and then pulls in objects to the staging tables in the Service Manager database. Once the objects are staged, the connector then processes and transforms these objects and inserts them into the regular Service Manager tables. This information is then consumed by the Console, Workflows and various other solutions and sub-systems in SM. For more information on the AD connector click here.
The design described above works well when operating within the supported limits on user and computer objects as published here. In truth, however, many Service Manager deployments operate far beyond the supported configuration, with a few at 5-7x the recommended limits. The large volume of data in such environments has a significant performance impact on the implied permissions security model in SM – a component which is called repeatedly during any AD connector sync. In our investigations we saw that the time spent calculating these permissions accounts for a large percentage of the total sync time – so naturally we decided to take a deeper look.
Implied Permissions Security Model
The implied permissions security model in SM is responsible for handling the implicit mapping of user objects in the CMDB to the permissions which they may have on other objects in the system. For example, Service Manager implicitly allows all users to read and edit Incidents where they are the Affected User, or read and edit the review activities where they are the Assigned Reviewer. Similarly, all users are also implicitly granted the necessary permissions to edit the email address, time-zone, and locale information associated with themselves in the CMDB. To achieve this implicit mapping of permissions, Service Manager depends on Windows Authorization Manager (AzMan) to provide a framework for Role Based Access Control (RBAC).
So, during an AD Connector sync, for each user object brought in from AD, Service Manager makes multiple calls to AzMan to build the necessary ImpliedUserPreference permissions (see Table 1 below). These calls, however, can be fairly expensive because of scaling limitations inherent in AzMan which, per our investigation, frequently queues up calls for extended amounts of time. Collectively, these round trips to AzMan are the primary reason for the sluggish performance of the AD connector.
So we had two options, one was to remove our dependency on AzMan entirely and rewire our security model, and the other was to analyze AzMan interactions in the product code, and opportunistically look for ways to improve performance. Rewriting the security model being a much larger and far more invasive approach, we decided to explore the latter first. The remainder of this post will discuss one workaround which has shown promising results both internally and with a few large-scale customer deployments.
Workaround
Understanding Implied Permissions
As discussed above, Service Manager provides an out of the box “implied permissions” security model. This system implicitly allows users that are related to objects by certain relationships to have the appropriate permissions on those objects. Let’s look at a few detailed examples of such permissions:
• A user related to a configuration item by the System.ConfigItemOwnedByUser (custodian) relationship is automatically granted read permission on that configuration item object and everything it contains so long as they are related to that configuration item
• A user related to an incident by the System.WorkItemAffectedUser relationship is automatically granted view and edit permissions on that work item and everything it contains
• A reviewer related to a review activity by the ImpliedReviewer relationship is automatically granted permission to vote on a review activity assigned to them
In all, there are 6 such implied permission relationship types. Each of these implied permissions is implemented using a workflow. The table below provides a brief description of each.
| Implied Permission Relationship Type | Purpose |
|---|---|
| ImpliedIncidentAffectedUser | Grants users permission to view/edit those incidents for which they are the affected user |
| ImpliedConfigItemCustodian | Grants users the ability to view any CI for which they are the custodian |
| ImpliedPrimaryComputerUser | Grants users the ability to view any computer for which they are the primary computer user |
| ImpliedReviewer | Grants users the ability to vote on review activities on which they are a reviewer. This applies only to the person himself and not to reviewer groups of which the user is a member |
| ImpliedUserPreference | Grants users permission to view/edit the notification address and locale information associated with themselves |
| ImpliedActivityEditor | Grants users permission to view/edit any manual activity for which they are the assigned user |
Table 1
To read more on implied permissions and user roles click here.
Understanding the impact of bypassing implied permissions
In the case of AD Connector the ImpliedUserPreference permission typically requires multiple round-trips to AzMan for each imported user. At scale this process takes a huge toll on performance of the system as a whole. So one clear way to improve performance would then be to just disable this permission. However, there is no easy way to disable just one permission, while keeping the others active.
So the other option is to disable implied permissions entirely and instead explicitly grant users access to objects they need via the use of user roles. Let’s look at this option and the alternate permissions model in more detail.
| Disabled Permission | What do you do to compensate? |
|---|---|
| ImpliedIncidentAffectedUser | Put NT Authority\Authenticated Users in the Incident Resolver* user role. |
| ImpliedConfigItemCustodian | Put NT Authority\Authenticated Users in the Incident Resolver* user role. |
| ImpliedPrimaryComputerUser | Put NT Authority\Authenticated Users in the Incident Resolver* user role. |
| ImpliedReviewer | Create a group in AD of people that are responsible for approving review activities. Put that AD user group in the Advanced Operator* user role. |
| ImpliedUserPreference | This permission is not necessary unless end users are somehow given a user experience for changing these settings. Service Manager does not provide a user experience for this out of the box. |
| ImpliedActivityEditor | Create a group in AD of people that are responsible for implementing manual activities. Put that AD user group in the Activity Implementers* user role. |
Table 2. *For a detailed description of the user roles, see Table 3 below.
Table 3 below lists the access privileges provided out of the box with the user roles discussed in Table 2 above.
| User Role Profile Name | User Role Profile Description |
|---|---|
| Incident Resolver | Incident Resolvers can edit and create incidents, problems, and manual activities that are in their queue scope. Incident Resolvers also have read-only access to other work items such as change requests that are in their queue scope and to configuration items that are in their group scope. |
| Advanced Operator | Advanced Operators can create or edit any work items that are in their queue scope and any configuration items that are in their group scope. They can also create, edit, and delete the announcements that are displayed on the Service Manager Self-Service portal. |
| Activity Implementer | Activity Implementers can edit only manual activities that are in their queue scope. They have read-only access to other work items that are in their queue scope and to configuration items that are in their group scope. |
Table 3
Note 1: Disabling implied permissions considerably loosens the security model. Please carefully study the tables above to decide whether this workaround works for you. It also mandates fine-grained control over the memberships of a couple of user groups.
Note 2: This workaround is designed to provide relief to customers operating at volumes significantly larger than the supported configurations. Please evaluate the security policies, processes, and best practices in place at your organization before applying this workaround.
Things to Watch Out For
After implementing the workaround you will see the following behavior.
- End users who are not members of the Incident Resolver role will no longer be able to see their own tickets in ‘My Requests’ view in the portal.
- End users will not be able to vote on review activities where they are listed as a reviewer, unless they are added to the Advanced Operator user role.
- End users will not be able to view or edit any manual activities for which they are the assigned-to user, unless they are placed in the Activity Implementer user role.
Preparing Your Environment
It is highly recommended that you first implement this workaround in a lab environment, and not directly in production. Once implemented, validate that common scenarios work as expected. Additionally, perform tests to ensure that granting users permissions via user roles works for you and is a workable option.
Once satisfied with the results in your test/lab environment, take a snapshot/backup of the production environment before proceeding further. This is especially important on mission-critical setups of the system. Also plan for some downtime (roughly 1-2 hours). Ensure that you read and understand the steps to perform a disaster recovery here.
Importing the MP with overrides
Import the attached DisableImpliedPermissionsRuleMP.xml MP to override the implied permissions workflow. By importing this MP, you will have disabled the Implied Permissions workflow immediately. As always, once you import the MP please restart the SM services. Next, follow the verification steps below to make sure that the MP was imported successfully and that the workflow is disabled.
Validate the workaround
First, ensure that the MP was imported properly and is listed as an installed management pack in the console.
Next, to validate that the workflow has been disabled perform the following steps:
1. Ensure that you have at least one user in the “End Users” user group
2. Log into the SM Portal as an end user – you can use the command below to start Internet Explorer in the end user context: runas.exe /u:<DOMAIN\USERNAME> "C:\Program Files\Internet Explorer\iexplore.exe"
3. Create a generic incident from the portal and submit the ticket - by default the end user should be added as the “Affected User” on the ticket – you can confirm that by opening the ticket in the SM Console and checking the “Affected User” field.
4. Next, navigate to the “My Requests” view in the portal. You should not be able to see the ticket you just created, because the workflow which calculates the “ImpliedIncidentAffectedUser” permission is now disabled.
5. Switch back to the SM console and add the end user from step 2 to the “Incident Resolver” user role.
6. Refresh the “My Requests” view in the portal; the ticket you created as the end user should now be visible again.
7. Ensure that you are only seeing the tickets which were created by you and not all tickets. If the ticket is not immediately visible, wait for a few minutes and refresh the portal.
Upgrade Impact
Product upgrade is not impacted by the workaround. We validated this by upgrading our 2012 SP1 lab to 2012 R2 with the workaround installed. There were no upgrade problems. Additionally, the MP with the override was still in place and the implied permissions workflow was still disabled.
Rollback (Important)
If for any reason you want to roll back this workaround you will have to delete the imported MP and also roll back any explicit permissions provided to your users. Soon after the MP is deleted the workflow will kick in again and will start processing from the last watermark. Depending on how old the watermark is, and how much work the workflow has to “catch-up” to, the system might seem unresponsive and sluggish for an extended period of time. You can use the following queries to find out how many changes the workflow will have to catch up to when enabled:
select EntityTransactionLogID as Watermark from [dbo].[ImplicitUserRoleAdministratorState]
and
select max(entitytransactionlogID) as LatestChange from EntityChangeLog
The first query gives you the last change which was processed by the implied permissions workflow, and the second one gives you the ID of the last change in the EntityChangeLog table. The difference between these two values is a good indicator of the volume of changes the workflow might have to churn through when re-enabled.
Note: If a considerable amount of time has passed since you implemented the workaround, or you don’t want the performance of your system to be impacted, our recommendation is that you delete the watermark from SQL by running the following command before deleting the MP.
delete from [dbo].[ImplicitUserRoleAdministratorState]
This will reset the watermark and once the workflow is started back again, it will use the most recent ID as the new watermark.
Note: If you reset the watermark and roll back the MP, all the entries which were made since the workaround was implemented will not be processed, and thus some users might not have access to perform the related actions. To resolve this you will have to delete and re-import the affected users from AD.
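As an added example (not from the original post) of the rollback check above, the following T-SQL script combines the two queries, reports how far behind the implied permissions workflow is, and only deletes the watermark when explicitly asked to and the backlog exceeds a threshold. The ServiceManager database name and the 100,000-change threshold are assumptions; the table and column names are those used in the queries above.

```sql
-- Added example, not part of the original post: estimate the implied-permissions
-- workflow backlog before rolling back the override MP, and reset the watermark
-- only when the backlog is large and the reset is explicitly requested.
USE ServiceManager;   -- assumption: default Service Manager database name

DECLARE @Watermark    bigint;
DECLARE @LatestChange bigint;
DECLARE @Backlog      bigint;
DECLARE @MaxBacklog   bigint = 100000;  -- assumption: tune to your environment
DECLARE @DoReset      bit    = 0;       -- 0 = report only; 1 = delete the watermark

-- Last change processed by the implied permissions workflow.
-- NULL means the state row is absent, i.e. the watermark was already reset.
SELECT @Watermark = EntityTransactionLogID
FROM [dbo].[ImplicitUserRoleAdministratorState];

-- Most recent change recorded in the entity change log.
SELECT @LatestChange = MAX(EntityTransactionLogID)
FROM [dbo].[EntityChangeLog];

-- Number of changes the workflow would have to churn through when re-enabled.
SET @Backlog = ISNULL(@LatestChange, 0)
             - ISNULL(@Watermark, ISNULL(@LatestChange, 0));

SELECT @Watermark    AS Watermark,
       @LatestChange AS LatestChange,
       @Backlog      AS ChangesToCatchUp,
       CASE WHEN @Backlog > @MaxBacklog
            THEN 'Large backlog: reset the watermark before deleting the MP'
            ELSE 'Small backlog: delete the MP and let the workflow catch up'
       END           AS Recommendation;

-- Guarded reset. After this, changes made while the workaround was in place are
-- never processed, so the affected users must be deleted and re-imported from AD.
IF @DoReset = 1 AND @Backlog > @MaxBacklog
BEGIN
    BEGIN TRANSACTION;
    DELETE FROM [dbo].[ImplicitUserRoleAdministratorState];
    COMMIT TRANSACTION;
    PRINT 'Watermark reset; the workflow will start from the latest change once the MP is deleted.';
END
```

Run it first with @DoReset = 0 to see the backlog figure, and take the backup described under Preparing Your Environment before running it with @DoReset = 1.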
Conclusion
Based on our testing, this workaround goes a long way in alleviating AD connector performance concerns by bypassing AzMan. However, as mentioned earlier, this workaround has a significant impact on how the system works. It requires a fair bit of planning and analysis to understand how the business processes in place might be impacted by disabling the implied permissions calculation. It also requires a good understanding of the various implied permission types and the alternate ways to explicitly grant the required permissions. We recommend that you test this thoroughly across your scenarios. If you have questions, reach us directly on this blog post. That’s the most efficient way to get our input on this topic.
This blog post would not have been possible without the contributions and many hours of investigation by Manoj Parvathaneni, Jay Pathak, and Mihai Sarbulescu. Special thanks to a couple of our customers who were patient enough to work with us on this investigation.
Please share your thoughts, views, and questions on this post in the comments section below.
Contoso Labs-Storage Purchasing (SAS config)
Contoso Labs Series - Table of Contents
Now that we've got our JBODs and our file servers, we need to tackle an underappreciated aspect of this solution: The SAS connectivity itself.
How Many?
After discussing our configuration and layout with folks inside of Microsoft with serious experience in Storage Spaces, we learned that having as much connectivity to our JBODs as possible was going to be the ideal configuration. Our planned SOFS cluster was 3 file servers with full connectivity to 3 JBODs. Each JBOD has dual controllers, each controller with 3 SAS ports. That meant we could provide full dual-path access from each server, to each JBOD, for a total of 18 connections.
In practical terms, that meant we needed six external SAS ports in each file server. That started limiting our options for SAS controllers. There are many 2-port cards out there, and a smaller selection of 4-port ones. No one makes a 6-port card. That meant we were definitely going to need to commit both of our PCIe slots to SAS controllers. We briefly considered a 4-port and a 2-port card, but decided that consistency and symmetry were useful here. One driver, and losing a card loses 1 path to each JBOD, instead of potentially losing all access to 1 of them. We chose cards from LSI for our solution.
LSI
We selected LSI 9206-16e cards for our SAS connectivity. These cards checked all the right boxes for us.
- They're certified for use with Storage Spaces.
- They have 4 external SAS ports each.
- DataON supports them with their JBODs.
- They're half-height PCIe cards, which means they work in both slots of our servers.
The only drawback we could find with using these cards is that they have SFF-8644 connectors on them. These are a less common small form factor connector than the better-known SFF-8088 type you might be familiar with on most SAS equipment. The smaller size means 4 ports can fit comfortably on a half-height card, where the larger SFF-8088s would be too large. That meant getting specialized cabling, a minor hassle at worst.
Now that we have all the pieces of our storage puzzle identified, we can build out some file server clusters and get down to business, right? Well, not quite yet. When time comes to put everything together, we'll have a lot more information about our storage configuration, and some information about how it's all working. Next up, we'll circle back to our purchasing decisions, specifically the network gear.