IBM i on Blade - How to save?

July 22nd, 2008 by Lukas Beeler

Disclaimer: These are my personal experiences, not a “How to i on Blade”. If you’re looking for decent i on Blade documentation, look at the i on Blade Readme.

Setting up the hardware

Finally, after almost two months i was able to get my hands on a SAS cable with the correct pinout to connect the TS3100 library to the SAS Connectivity Module. After plugging in the cable, both link lights went up. The TS3100 was connected - physically at least.

I logged into the Storage Configuration Manager, and dared to assign the HS21 Windows Blade and the JS12 Blade to the external SAS Port. When looking at the Windows Device Manager, it immediately recognized the Tape Drive, but didn’t recognize the media changer. No bummer, i haven’t installed BackupExec yet.

It’s important to notice that the IBM i OS will never, ever see your tape drive. You cannot connect the tape drive to the IBM i OS, only to VIOS. This means that you always will do a disk to disk backup to the VIOS partition, and then use VIOS to save the D2D Image to tape. Restoring works the other way around - you restore from tape to VIOS disk, then load that disk into IBM i, and then run your restore or even IPL from the virtual optical medium.

This is not optimal, as this means that you cannot use BRMS to manage media (you can still use it for saving, though). It also adds another layer of indirection that makes automating backups more difficult. Another important point is that other i machines will not be able to read the VIOS created tapes, and that your i Blade will not be able to read tapes created by standalone POWER machines running IBM i.

Configuring VIOS

So i went to log on to VIOS, running on the JS12 blade. I ran “lsdev | grep rmt0”, but apparently there was no tape drive to be seen. I ran “cfgdev”, to let the operating system configure devices, but that wasn’t met with success either.

This time, i chose the easy way out. I just rebooted the entire blade, and finally, the tapedrive showed up:

$ lsdev -dev rmt0 -attr
attribute      value            description                               user_settable

block_size     262144           BLOCK size (0=variable length)            True
delay          45               Set delay after a FAILED command          True
density_set_1  0                DENSITY setting #1                        True
density_set_2  0                DENSITY setting #2                        True
extfm          yes              Use EXTENDED file marks                   True
mode           yes              Use DEVICE BUFFERS during writes          True
res_support    no               RESERVE/RELEASE support                   True
ret_error      no               RETURN error on tape change or reset      True
rwtimeout      144              Set timeout for the READ or WRITE command True
var_block_size 0                BLOCK SIZE for variable length support    True
ww_id          5000e1111c878001 World Wide Identifier                     False

Okay. So as the TS3100 is an LTO4 Tape Library, the next step obviously was to load a tape into the tape drive. Now this can be done through the Web Interface or the Control Panel of the library, but that’s not the way you want to go during day-to-day backup - media moving should be handled by the backup software (called BRMS on IBM i).

But alas, this is not as easy on VIOS. Basically, you can get an AIX root shell on VIOS by typing “oem_setup_env” - and then there are several AIX commands to manage a tape library.

There was only one problem:

# mtlib
ksh: mtlib:  not found.
# tapeutil
ksh: tapeutil:  not found.

They’re not there. A quick google search revealed nothing. I didn’t know how IBM thought we should use a tape library. In sequential mode? Or is there some way to manage a tape library in VIOS? If you know, tell me!

So, the next step was to create writable optical media, so i could start with creating a Save 21 of the system. This seemed like a sane first step.

Initializing the media on the i side

First, i needed to create a virtual optical volume in a volume library on VIOS - i already had the volume library from the IBM i installation, so all i needed to do was to add a writable optical volume. The system used about 40GB DASD, so i created a virtual optical device with a size of 80GB to leave room for future growth. This process took around 2 hours, probably because VIOS pre-blanked the file (it effectively used up 80GB on disk). That is a rate of 0.6GB/min. During this operation, the VIOS web interface ground to a halt (didn’t respond), but SSH was still available, although it responded very slowly to each command. I suppose this is some issue with the disk controller, either the driver or firmware.

According to vmstat, most of the time is spent in system or IO wait context:

kthr    memory              page              faults              cpu
----- ----------- ------------------------ ------------ -----------------------
 r  b   avm   fre  re  pi  po  fr   sr  cy  in   sy  cs us sy id wa    pc    ec
 1  1 203749  6107   0   0   0 2485 3279   0 150 29483 6542  6  9 77  7  0.18  17.5
 1  1 203732  6167   0   0   0 2464 2869   0 153 30479 6333  7  9 74 10  0.18  17.6

The next step was to load the newly created virtual media into the virtual optical drive that was attached to the IBM i partition. This was rather easy to do, just click through the web interface.

Now, we need to initialize the optical volume in IBM i OS:

INZOPT NEWVOL('Save21') DEV(OPT01) CHECK(*NO) TYPE(*PRIMARY)

This finished rather quickly, and i then started the Save 21.

The Save 21

GO SAVE/21. The performance wasn’t much better, though. The vmstat output looked the same as above, indicating the same problem.

Further debugging using iostat revealed that a volume group is not a RAID1 array - but nonetheless, the disk subsystem is behaving oddly:

hdisk0, hdisk1: VIOS installation - part of it is mirrored VIOS, other part is volume group that is spanned across these two disks
hdisk2-5: SCSI passthrough to the IBM i

tty:      tin         tout    avg-cpu: % user % sys % idle % iowait physc % entc
          0.0        614.0                0.0   7.7   72.2     20.1   0.1    8.3

Disks:        % tm_act     Kbps      tps    Kb_read   Kb_wrtn
hdisk0           1.0       8.0       2.0          0         8
hdisk1          85.0     20036.0     179.0      10080      9956
hdisk2           4.0     926.0      50.0        922         4
hdisk3          14.0     4481.0      98.0       4477         4
hdisk4          13.0     3730.0      96.0       3726         4
hdisk5           3.0     652.0      36.0        648         4

This is pure sequential IO - why is it reading from the disk? A similar picture was seen throughout the whole backup - even when backing up image catalogs from the IFS. hdisk1 consistently showed strong write activity. No idea why.

My AIX skills are weak, and i didn’t know a way to see on which files the write IO happened - however it’s important to know that read and write always showed the same numbers. To me, this looks like a problem - either in my config, firmware levels, or even a problem on IBM’s side.

Either way, the Save 21 completed in 45 minutes. At around 40GB, this brings us to 0.9GB/min.

Backing up the virtual image to tape

The next step is to backup to our LTO4 tape.

Here’s how the backup itself looks:

# find /var/vio/VMLibrary/D2D_1 -print | backup -ivqf /dev/rmt0 -b 512
Backing up to /dev/rmt0.
Cluster 262144 bytes (512 blocks).
Volume 1 on /dev/rmt0
Backup finished on Mon Jul 21 20:45:18 CEST 2008; there are 167772672 blocks on 1 volumes.

And the sequential IO performance is much more reasonable:

tty:      tin         tout    avg-cpu: % user % sys % idle % iowait physc % entc
          0.0        615.0               11.2  29.0   58.2      1.6   0.4   40.9

Disks:        % tm_act     Kbps      tps    Kb_read   Kb_wrtn
hdisk0           0.0       0.0       0.0          0         0
hdisk1          99.0     81920.0     160.0      81920         0
hdisk2          17.0     2250.0      29.0          0      2250
hdisk3          12.0     2236.0      28.0          0      2236
hdisk4          12.0     2385.0      30.0          0      2385
hdisk5          16.0     2250.0      29.0          0      2250

That’s roughly 5GB per Minute. A very decent performance.

Interoperability

Now, this is where it gets interesting. Attached to the BladeCenter S, we have a TS3100 with a single drive, in the BladeCenter S we have three Intel Blades running Windows Server 2008 and one POWER Blade running IBM i.

We need to back up all this to the TS3100 - on the Windows Side, i’ll be using BackupExec 12, on the i Side VIOS. How do i make sure that the tape drive can be used from both sides, without too much interaction?

The SAS Connectivity Module can attach the same port to multiple Blades. So i installed BackupExec on one of the Windows Blades, just to see how interoperability would work out.

I ran a backup & restore on another tape, from BackupExec. This worked fine. The next step was loading the tape from the i Save back, and then run a test restore from that. Unfortunately, i couldn’t use BackupExec to just move the tape in the drive, so i had to use the TS3100 Web Interface again.

I looked at the tape drive from VIOS, which also seemed okay. I also saw how much space was used on the VIOS tape after checking it up with BackupExec (this is stored on a small RFID Chip on the Tape itself). But the real test was yet to come:

Restoring from Tape

I started the restore from tape.

# restore -xvqf /dev/rmt0 -b 512 /var/vio/VMLibrary/D2D_1
New volume on /dev/rmt0:
Cluster size is 262144 bytes (512 blocks).
The volume number is 1.
The backup date is: Mon Jul 21 20:24:04 CEST 2008
Files are backed up by name.
The user is root.
x  85899345920 /var/vio/VMLibrary/D2D_1
The total size is 85899345920 bytes.
The number of restored files is 1.

iostat also told me that the performance on restore was a bit worse than when backing up:

tty:      tin         tout    avg-cpu: % user % sys % idle % iowait physc % entc
          0.0        611.0               14.7  85.0    0.0      0.2   1.0  101.9

Disks:        % tm_act     Kbps      tps    Kb_read   Kb_wrtn
hdisk0           0.0       0.0       0.0          0         0
hdisk1         100.0     48216.0      68.0          0     48216
hdisk2           0.0       0.0       0.0          0         0
hdisk3           0.0       0.0       0.0          0         0
hdisk4           0.0       0.0       0.0          0         0
hdisk5           0.0       0.0       0.0          0         0

So after having restored the image file to VIOS, i could IPL from it and run a complete system restore. Nice. I didn’t want to scratch my whole setup and wait until a full restore, so i tried something simpler.

In the end, it turned out to be around 2GB/min. This was a lot faster than the creation of the file, which seems really odd to me.

Running a Test restore on the IBM i side

After restoring the file in the VMLibrary, it automatically appeared again in VIOS. I only had to mount it to my IBM i partition. This could easily be done through the VIOS web interface.

I ran a simple restore:

RSTLIB SAVLIB(AVNEDIAS) DEV(OPT01)

With simple results:

12 Objekt(e) von AVNEDIAS nach AVNEDIAS zurückgespeichert.

I also tried IPLing from the virtual optical media, which brought me into the limited paging DST. Nice!

Is this good?

As you can see, this is not your father’s AS/400. This is a POWER Blade running IBM i. You’ll need to learn a bit about VIOS and AIX in order to make any sense of how this whole stuff works. But it’s not rocket science - i only know a bit about Linux, and was able to figure out the tasks i needed to do.

But now, how should one run this in production?

The current configuration i have seems unsuitable for production to me.

  • VIOS/AIX can’t handle the tape library in random mode. This is a big letdown.
  • Backing up to tape and restoring seems very, umm, basic to me
  • The fact that you are using virtual optical devices, with no ability on the i side to change media, makes a usable backup procedure hard to implement
  • Automation on the VIOS side could be implemented by the i running the ssh client in command execution mode (similar to how this is used with the HMC)
  • Integration between the Windows and VIOS seems cumbersome

Solutions

Two Half-Height Tapedrives in a partitioned library

The TS3100 can be partitioned, and we could install two half-height LTO4 tapes. Reserving 12 Slots for Windows in Random Mode, and 12 Slots for VIOS in Sequential Mode. This would work, but there’s one huge downside: Price

Backing up on Windows only

Instead of using VIOS and clumsy hacks to get a halfway decent functionality, you can use Windows to backup everything. Save 21 and Systems Saves would run through VIOS in order to create bootable media, and then be retrieved on the Windows side using SFTP.

For daily backups, we can use savefiles directly on the i, which is probably easier to deal with for most IBM i admins. These can be retrieved from the Windows side using FTP/TLS. The downside: If you have i and Windows people that work well together, i don’t see much of an issue. But if not, you got a big mess on your hands.

SAS Passthrough to IBM i

Unfortunately, this option does not exist yet. This is something that IBM should work on intensively. It will allow i admins to use well established backup processes with full library integration using BRMS.

Conclusions

Backing up the IBM i on Blade isn’t exactly easier than backing up a standalone POWER machine. In fact, it’s more difficult and requires additional skills.

Before buying a JS12 blade running IBM i, make sure that you think your disaster recovery strategy through completely. Your business partner should be able to help you with this.

Planning is crucial - Backup & Restore on the blade is different, and you’ll need to deal with VIOS when creating a procedure for fully automated Save 21 backups.

Any questions? What do you think about the situation? Want me to test something for you? Just leave a comment!

I also created an “i on Blade” category. Look at it if you want to see all my posts about this subject.



i on Blade - More details and installing software on the JS12 Blade

July 10th, 2008 by Lukas Beeler

The i Blade is up and running, and i’ve received quite a bit of feedback on the Installing the JS12 Blade post.

In the meantime i wasn’t just wasting my time on trivial things such as getting actual customer work done, but also playing a bit further with the JS12 Blade.

I’ve installed the software my company produces (DIAS-iS) on the JS12 blade, and ran a few very unscientific benchmarks. But first let’s talk about the disk situation with IBM i on a JS12 blade in a BladeCenter S (i really like those convoluted product names).

Managing disks under IBM i on a JS12 Blade

As i found out the hard way during the initial bladecenter setup, the JS12 blade only supports SAS disks, and can cause issues if you have SATA disks zoned to it.

There are a few important considerations when thinking about the IBM i/JS12/BladeCenter S combination: First off, disks are directly attached to VIOS, and then virtualized by VIOS for the IBM i as SCSI disks. It’s important to note here that you do not have any (supported) options of RAIDing the disks before the IBM i sees them. So all disks are mapped through 1:1 to the IBM i OS, and then mirrored using IBM i mirrored protection. This is entirely different from the approach you would use in a BladeCenter H with a FC attached SAN.

Just to be clear: There is no cache on the JS12 and there is no way to use any disk protection except IBM i mirrored protection. You can’t use RAID5, RAID6 or hotspares. You can’t use VIOS mirrored volume groups either, because it’s unsupported.

I’m thinking about removing one of the disks from the BladeCenter in order to test what recovery from a disk failure would look like, but i’m afraid of wasting a lot of work that i’ve already invested in this system - i’ll try this shortly before i have to give everything back.

I’m not sure what the virtualization by VIOS exactly entails, but i would assume it’s fairly similar to what Hyper-V/ESX do when you create “Passthrough disks”. This probably means that things like Predictive Failure Analysis (PFA) will probably not work.

Another, rather obvious, drawback is that you cannot install any expansion cards (well, there is the odd one you can install into the blade). But it also means there is no Twinax, no SNA directly over Ethernet, no Modems, etc. Not a big issue for us, as we’re urging our customers to stay current on technology, but not everyone is an IBM i shop - there are still lots of AS/400 shops out there.

If you access the System i Navigator’s SST/Disk management function, it will not be able to help you with disk locations. I haven’t found out how to call disk locations in IVM/VIOS, but then again i don’t really know much about IVM/VIOS.

Installing DIAS-iS on the JS12 Blade

I’ve installed our software without a hitch, and loaded our 30GB Test/Benchmarking database on it. I ran several benchmarks, and the JS12 with its four SAS 15kRPM 147GB Arms in a mirrored configuration and one core and 13GB RAM in the IBM i LPAR was a bit slower (less than 5%) than our System i515 with four U320 15kRPM 70GB Arms in a RAID5 configuration and 3.5 GB in the IBM i LPAR.

Unfortunately, i do not have an M15 to pit against the JS12, as these two would be using comparable technology. It would also be interesting to see an M15 with four 147GB SAS disks in a mirrored configuration to compare the systems 1:1, especially regarding disk performance.

Next steps to go?

What’s next? Well, Backup obviously. If you’ve read the i on Blade manual you’ll see that saving to tape will be interesting to say the least. I already have a TS3100 ready to go, but i’m currently missing a SAS cable for attaching it. As soon as i have the cable, expect a big post about saving and restoring.

Questions? Suggestions? Any specific questions about i on Blade? Want me to test something for you?

Leave a comment or drop me a mail. I’ll be happy to help.



i on Blade - Number of CPUs licensed

July 9th, 2008 by Lukas Beeler

I noticed something interesting when installing the IBM license key on the JS12 blade running IBM i V6R1. I received Message CPF9E2D when trying to install one of the 5761-SS1 license keys. Turns out this one controls the number of cores licensed in the machine.

Luckily, this was easy to remedy. Just access IVM and remove one of the cores assigned to the LPAR running IBM i.

IBM licenses its software based on the number of cores, not the number of sockets like most other vendors do. This is important to note, because i thought the message was wrong as the blade only has a single CPU.



Installing IBM i on a JS12 Blade in a BladeCenter S

July 9th, 2008 by Lukas Beeler

If you came to this post for detailed instructions on how to setup IBM i on a blade, read this official IBM i on Blade document. I’ve written about my personal experiences, not detailed instructions.

Just two hours ago, i’ve received a shipment of four 3.5″ 147GB 15kRPM SAS Disks. I installed them into the BladeCenter S immediately.

I used SCM to assign the disks in the DSM to the JS12, and then booted the blade.

VIOS was already installed. So all i had to do was to create a new partition.

After creating the partition, i didn’t IPL it just yet. I needed System i Access in order to provide a console. The Operations Console part of System i Access is not supported on Server versions of Windows, so i couldn’t install it on one of the other blades running Windows Server 2008. At least not directly. So i installed the Hyper-V Role on one of the blades, and installed Windows XP and System i Access on it.

I then IPLed the partition and a minute later i was standing there with a lit attention light. I forgot about the CD drive. Bummer. I assigned the media tray to the JS12 blade, but it couldn’t see the CD drive. This must’ve worked before, because i installed VIOS using a CD. I restarted the JS12, but that wasn’t helping. Still no CD drive that i could assign to a partition. Didn’t find much on the web about this problem either, so i decided to use virtual media to install the operating system.

[Screenshot: IBM i install screen]

I logged into VIOS using SSH, downloaded the I_BASE_01 CD Image from our production system using FTP, and imported it into VIOS’s media library. I activated the I_BASE_01 CD Image, and booted. I also enabled the operations console connection (which is fairly straightforward; in this case the first IBM i instance has the partition ID 2).

After 10 minutes, the signon screen for the operations console finally appeared. That was kind of a Heureka! moment for me, although i didn’t really do that much stuff yet.

[Screenshot: Load Source select screen]

I chose to install the LIC, and i was presented with a screen that i haven’t seen before - i was able to select which disk i want to be the load source.

After that, the system started to initialize the hard drive. This was really slow on my system, taking around 5 hours for a single 147GB 15kRPM drive. I hope this isn’t indicative of the IO speed we will see when the IBM i OS is running.

While waiting for the formatting to complete, i tried to find a way to turn off the attention light that was lit because of my earlier mistake when trying to boot the partition. There is a detailed IBM document about turning off the attention light using IVM/VIOS. It’s a simple command: chled -r sa -t virtualsys -o off

As you can see from the screenshot (taken during the middle of the run), it took quite long. In fact, it even exceeded the three hours it estimated and took 4.5 hours. I have an issue with that - the Intel blades do not need that much for initiating a RAID1 set, or NTFS formatting the disks. Even though they’re using slower 500GB SATA disks. It’s just leaving a bad impression for no reason. And it’s also an issue with disaster recovery.

Installing the LIC had a more reasonable speed, took 2 minutes. After the system IPLd again, i was able to add the three other disks. Adding the disks proceeded at a much more reasonable speed, but then it hung at 99%. After two hours, the system was still stuck at 99%. At that time, I went to bed, hoping the system would be finished in the morning.

[Screenshot: Virtual Disk Mirroring Warning i on Blade]

And it really was finished in the morning. The next step was to start mirrored protection. It even complained that i was running virtual disks, and a failure of VIOS would lead to the system crashing anyway. I proceeded. As always, the first part was pretty quick, and i proceeded with the OS installation.

As the LIC started, initialization of mirroring began. The first time estimate was fifteen minutes. The next one was 6 hours, 10 minutes, then 8 hours. But then it jumped back to 5 hours. I left for a customer, and looked at the status occasionally. It took somewhere between 3 and 4 hours to complete.

Next, i had to change the virtual media in order to allow the OS installation to proceed further. It’s important to know that this has to be done in the partition configuration, not in the virtual media tab. And that you’ll need to acknowledge the partition change in order to make the media change active (the AJAXy web interface doesn’t make this entirely clear).

After that, the IBM i installation started and proceeded at an acceptable speed. In around an hour, the basic operating system was installed.

After that, installation of the licensed programs started. It halted after just half an hour, telling me i had a screen error (MSG CPF3D92). I suspected a problem with the operations console, restarted the XP machine running OpsCon, and retried the installation (with just the base system). The problem happened again. This seemed odd.

Having no idea how to proceed further, i retried again. This time it worked(?). I figured it was an OpsConsole problem, probably related to the fact that the machine running OpsCon was virtualized. I quickly installed the TCP/IP utilities, IPLd the system and installed the remaining programs using a 5250/Telnet connection.

While the installation happened, i used an additional session to explore the system. The disks were shown to the system as virtual disks, similar to SAN attached disks. But one of the more interesting parts was looking at the Hardware Service Manager in SST/DST - it was completely empty, and didn’t contain any hardware. For me, this was a moment that was quite indicative of the whole experience - i on Blade is not “AS/400 in Blade Form”. It’s a completely new environment that you’ll need to learn to deal with. You got another layer of indirection (VIOS) with its own platform (AIX), plus you have the blade management in itself.

The whole setup took me roughly 24 hours (i started a day ago at 16:00). Of course, the system wasn’t always busy because i didn’t give it any work, but it’s worth noting that setting up a JS12 blade takes considerably longer than setting up a model 515 or M15.

I will now continue setting up our ERP application and make further tests with the hardware. If you have any requests for screenshots or want me to test something out, tell me!



Delegating Hyper-V Virtual Machines

July 3rd, 2008 by Lukas Beeler

I’m not exactly what one would call an “Enterprise” Admin - so i don’t really know all that much about WMI.

We first started our internal virtualization stuff when both VMware GSX and Virtual Server 2005 still cost money. So we used VS2005 because we could get it for free since we were in the Microsoft Partner Program.

So, with the release of Hyper-V we finally had a chance to move to a more robust and faster virtualization solution - however, not everything has improved with Hyper-V, for example delegating permissions which was easy in VS2005 has now become much more complex. Probably because Microsoft wants to sell SCVMM 2008 that will automate a lot of this.

We have a few development VMs that are used for QA purposes by our development team - and we just have a single machine running Hyper-V. So i want to delegate a few of the VMs to the development team, without them being able to manage the Hyper-V server or virtual machines that do not belong to the development team.

I’ve found an excellent resource regarding setting up remote management for Hyper-V from John Howard. He has an excellent 5 Part series on how to enable remote management.

Part 1 Part 2 Part 3 Part 4 Part 5

What is not described in these links is how to delegate specific VMs. For doing this, you’ll need a script from Andrzej.

Hyper-V Azman Scope Scripts

Here’s a basic rundown of the general steps you’ll need to do:

  • Create an appropriate Active Directory group for the users you want to give access to. If necessary, nest the groups according to your organization’s group strategy
  • The following two steps are detailed in Part IV from John Howard
    • Add the group to the local “Distributed COM Users” group on the Hyper-V host
    • Grant the group permissions on the Root\CIMV2 and Root\Virtualization WMI Namespaces
  • For detailed instructions for these three steps, see below.
    • Run azman.msc and create a new scope
    • Use the SetScope VBS script to assign the VM to scopes.
    • Run azman.msc and delegate appropriate permissions to Windows Groups using newly created scope

Creating scopes in AzMan and assigning VMs to scopes

First, you’ll need to start azman.msc and open the following Authorization Store: C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

Then, you’ll need to right click “InitialStore.xml” and choose “New Scope”. In my case, i named the new scope “Dev”.

[Screenshot: Azman New Scope]

Next, you will need to create a role in the top-level of the authorization store. This role is needed so that the Hyper-V Management tool can even connect. I called mine “View Only”, as it does not grant any specific permissions. It should look like this:

[Screenshot: View Only Role]

You’ll also need to add the Windows Group to this azman role in order for it to be of any use:

[Screenshot: View Only Role Groups]

Next, we need to create a role that grants the necessary VM management permissions to the Dev scope. It should look like this:

[Screenshot: New Scope with View Only Role]

You’ll also need to add a Windows Group to this role.

Once you’ve come this far, we will need to assign the VMs to the newly created scope. You can find the scripts here: Andrzej’s Hyper-V Scripts.

Assigning a VM to a scope is simple.

For example, if you want to assign the VM “dev-hdi-xp-01” to the scope “Dev”, use this command.

setscope.vbs dev-hdi-xp-01 Dev

There will be three popup windows - the first two don’t matter, and the last one will contain a single number. If the number is 4096 (or anything else), it failed. If the number is “0”, it succeeded.

You can verify scope membership using getscope.vbs

getscope.vbs dev-hdi-xp-01

The result should look like this:

[Screenshot: Getscope.vbs in action]

If my posting is entirely correct, and you followed it correctly, the end result should look like this:

Here, we’re logged on as an admin. All VMs are visible:

[Screenshot: All VM]

Here, we’re logged on as a normal user. It does not have any special privileges on the Hyper-V box, except the WMI / DCOM and AzMan changes. You’ll only see the two Development VMs.

[Screenshot: Scoped Dev VMs]
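
A way to check the result of this delegation offline, as an added example that is not part of the original post or of Andrzej’s scripts: it reads a copy of the authorization store and reports which operations a delegated group holds store-wide (on every VM) and which it holds only inside its scope. The store content, the SID, the role name “Dev VM Operators”, the operation names and the element names (AzApplication, AzScope, AzRole, OperationLink, Member) are assumptions about the AzMan XML layout, and the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed values for illustration only; none of them come from a real store.
DEV_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Assumed AzMan XML layout: roles directly under AzApplication apply to the
# whole store, roles under an AzScope apply only to VMs assigned to that scope.
SAMPLE_STORE = """
<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="app-0" Name="Hyper-V services">
    <AzOperation Guid="op-1" Name="Read Service Configuration"/>
    <AzOperation Guid="op-2" Name="Start Virtual Machine"/>
    <AzOperation Guid="op-3" Name="Stop Virtual Machine"/>
    <AzOperation Guid="op-4" Name="Delete Virtual Machine"/>
    <AzRole Guid="r-1" Name="Administrator">
      <OperationLink>op-1</OperationLink>
      <OperationLink>op-2</OperationLink>
      <OperationLink>op-3</OperationLink>
      <OperationLink>op-4</OperationLink>
      <Member>S-1-5-32-544</Member>
    </AzRole>
    <AzRole Guid="r-2" Name="View Only">
      <OperationLink>op-1</OperationLink>
      <Member>@DEV@</Member>
    </AzRole>
    <AzScope Guid="s-1" Name="Dev">
      <AzRole Guid="r-3" Name="Dev VM Operators">
        <OperationLink>op-2</OperationLink>
        <OperationLink>op-3</OperationLink>
        <Member>@DEV@</Member>
      </AzRole>
    </AzScope>
  </AzApplication>
</AzAdminManager>
""".replace("@DEV@", DEV_GROUP_SID)

# Same store, but the delegated group was also added to the top-level
# Administrator role by mistake.
MISCONFIGURED_STORE = SAMPLE_STORE.replace(
    "<Member>S-1-5-32-544</Member>",
    "<Member>S-1-5-32-544</Member><Member>" + DEV_GROUP_SID + "</Member>",
)


def load_grants(xml_text):
    """Return (scope, role, member_sid, operation) tuples.

    scope is None for roles defined at the top level of the store; operation
    is None for a role that links no operations.
    """
    app = ET.fromstring(xml_text).find("AzApplication")
    op_names = {op.get("Guid"): op.get("Name") for op in app.findall("AzOperation")}
    containers = [(None, app)] + [(s.get("Name"), s) for s in app.findall("AzScope")]
    grants = []
    for scope, node in containers:
        for role in node.findall("AzRole"):  # direct children only
            ops = [op_names.get(l.text, l.text) for l in role.findall("OperationLink")]
            for member in role.findall("Member"):
                for op in ops or [None]:
                    grants.append((scope, role.get("Name"), member.text, op))
    return grants


def audit_delegation(xml_text, delegated_sid, expected_scope,
                     allowed_store_wide=frozenset()):
    """Return (operations held inside expected_scope, list of findings)."""
    scoped_ops, findings = set(), []
    for scope, role, sid, op in load_grants(xml_text):
        if sid != delegated_sid or op is None:
            continue
        if scope is None:
            if op not in allowed_store_wide:
                findings.append(f"store-wide: role '{role}' grants '{op}' on every VM")
        elif scope == expected_scope:
            scoped_ops.add(op)
        else:
            findings.append(f"unexpected scope '{scope}': role '{role}' grants '{op}'")
    if not scoped_ops:
        findings.append(f"no operations granted in scope '{expected_scope}'")
    return sorted(scoped_ops), findings


if __name__ == "__main__":
    allowed = {"Read Service Configuration"}
    for label, store in (("sample", SAMPLE_STORE), ("misconfigured", MISCONFIGURED_STORE)):
        ops, findings = audit_delegation(store, DEV_GROUP_SID, "Dev", allowed)
        print(label, "scoped operations:", ops)
        for finding in findings:
            print("  FINDING:", finding)
```

Group nesting in Active Directory is not resolved here, so the check has to be run once for each group SID that contains the delegated users.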

So, this is quite a bit more complex than VS2005. But also a lot more cool.

I hope there are no mistakes in this post. If you find any, please tell me. If you found this post helpful, tell me too. Thanks for reading!



SonicWALL NSA 2400 - SMB Firewall Appliance

June 27th, 2008 by Lukas Beeler

[Image: SonicWALL NSA 3500]

SonicWALL recently launched a new SMB Firewall Appliance - the NSA 2400. Pictured to the right is an NSA 3500 - they look mostly similar, and have the same number of ports (i couldn’t find a high-res image of the NSA 2400).

So far, we have mostly used ZyXEL’s ZyWALL products to serve our Small Business customers, however the ZyWALL Line wasn’t always very satisfying when moving to the upper end of the Small Business spectrum. Thus, we had a look at SonicWALL - i’ve been using them for quite some time.

There are a few things about SonicWALL that are different for people who are used to the low-end market (like the ZyXEL products).

  • You’ll need to purchase Software Maintenance in order to be able to download newer Firmware versions
  • The old SonicWall Hardware Generations (TZ / PRO) have “Standard” and “Enhanced” Firmware images - the Standard versions are stripped down and less flexible - the NSA Models just have “Enhanced”
  • Registration on MySonicWall is mandatory

[Screenshot: NSA 2400 GUI]

One of the things fixed with the release of SonicOS 5.0 was the graphical user interface - the new GUI is completely revamped, and looks like something that belongs to the Year 2008. Other improvements include completely redesigned hardware that uses multi-core CPUs to provide real-time traffic analysis.

The NSA Series ship with basic Firewall/VPN features that are licensed as part of the base hardware. Additional features like Anti-Virus Scanning, Content Filtering, Anti-Spam, Intrusion Detection and Prevention all require extra expenses. This model is similar to what other UTM appliances like the ZyWALL 5 UTM use.

SonicWALL Global VPN Client is an IPsec compatible VPN client, that works pretty well. There is no 64bit Version yet, and it doesn’t work with other VPN Clients running on the same PC. If you do not want to use SonicWALL’s GVC, the SonicWALL also offers the ability to use L2TP and your Operating System’s native VPN functionality. While L2TP connections are mostly unrestricted, the number of GVC Licenses can be pretty low (e.g. 10 for the NSA2400).

One of the main advantages over the ZyWALL Line of products is the object-based configuration, and the ability to have multiple, Gigabit interfaces on the hardware - the NSA 2400 offers 6 Gigabit interfaces with the ability to use 802.1q VLANs to create even more logical interfaces. Even the low-end NSA 2400 can offer quite a lot of throughput (I’ve measured up to 30 Megabyte / s), which is important if you have Servers deployed in your DMZ.

Other cool features include the “SonicPoint” Management, which is basically the same as Symbol’s or Cisco’s Lightweight Wireless Access Points. This is a very cool feature in Smaller Businesses that do not want to buy separate Hardware to maintain their Wireless Infrastructure.

You can even access a Live Demo of the SonicWALL Web Interface to see for yourself.

Advantages

  • Very flexible configuration
  • Streamlined GUI with useful features like Packet Capturing and self updating Log views
  • Lightweight VPN Client and the ability to use Standard L2TP
  • Lightweight Access Point Deployment using the NSA as a base
  • LDAP Integration, preconfigured for Active Directory
  • 6 Gigabit Interfaces
  • High Performance

Disadvantages

  • High price of Hardware (List: 2700 CHF)
  • High price of mandatory service contracts for Firmware updates (List: 1300 CHF for 3Y 7×24 and HW Advance Replacement)
  • High price of UTM features licenses (List: Starting at 1700 CHF for 3Y AS/AV/IPS)
  • Incomplete user authentication solution (based on an Agent using WMI to query logged on users instead of using secure Kerberos authentication)
  • No redundant PSU or Fans to compensate for high hardware price (the NSA 7500 has redundant Fan/PSU)



IBM BladeCenter S - getting started with Blades in the SMB Market

June 24th, 2008 by Lukas Beeler

BladeCenter S
Last Friday i received a new toy. An IBM BladeCenter S, with two HS21, one HS21 XM and a JS12 Blade.

The BladeCenter S

The BladeCenter S i received came with 10 500GB SATA Disks and two DSMs, four power supplies, an Advanced Management Module, a Server Connectivity Module and a SAS Connectivity Module. The power supplies use standard 230V type 23 plugs, which do require a little special installation, but much less so than industrial plugs used with the bigger BladeCenters.

The big point about the BladeCenter S is that it does not require an external SAN to provide storage to the Blades - a SAS Switch that allows very flexible disk configurations is integrated. Configuration can be done using a web browser against the SAS Connectivity Web Interface, using SSH/Telnet to access the SAS Connectivity command line, or using a fully graphical interface using IBM’s Storage Configuration Manager. There are some predefined configurations, but none of them suited my configuration - creating new configurations using SCM is easy enough though.

The disks in the BladeCenter’s DSMs (Disk Storage Module) are hot swappable - currently, only 3.5″ DSMs are available, with a 2.5″ DSM in the pipeline. Most of the blades support one or two internal disks, but the problem here is that these disks are not hot swappable. Depending on your Blade loadout, 12 disks might not be enough. For example, the HS21 XM Blades only fit one internal disk, and running without RAID on the System partition seems pointless, so you would be using at least 6 disks (without hotspares) for a basic Exchange deployment.

The web interface on the AMM is nicely done, although it lacks a bit of flashiness. That’s not a requirement though, it does a very solid job at what it needs to do.

After powering up the BladeCenter S for the first time, i connected to it using a web browser and upgraded all the firmwares. There are quite a lot of them (AMM, SAS, Server Connectivity), but it all worked out flawlessly. Time to move on to the real course: the Blades.

The HS21 and the HS21 XM

Starting with the familiar, I began with the HS21 Intel Blades. The two HS21 Blades both had a 2.66 GHz Quadcore and 4GB RAM, the HS21 XM Blade had a 2.5 GHz Quadcore and 9GB of RAM (more about that later).

When starting the first HS21 Blade, after configuring all the storage using SCM, it failed to POST its LSI Logic SAS/RAID Controller. I searched for the error message on the net, assuming that I screwed up the configuration. I didn’t find anything meaningful, so I tried to do what everyone else would do in this situation: Apply every Firmware update for the Blade I could find.

Of course it wasn’t as easy as I wanted it to be. The controller not POSTing was an endless loop, I couldn’t get the machine to start from the AMM virtual floppy drive. I used SCM to disconnect the storage (by disabling the Blade’s SAS port). Now, the blade booted flawlessly, indicating that I probably had a problem with my disks. When browsing the IBM website, it became obvious that only newer firmwares support SATA drives. After upgrading the SAS Firmware, I was able to boot the blade without disabling the Blade’s SAS port. Unfortunately, the onboard SAS controller only supports RAID level 1 and 10. Probably owed to the fact that most blades are using SAN storage - IBM promised that there would be a SAS RAID adapter that supports other RAID levels - these are especially important for the cost-conscious SMB market.

I booted a Windows PE 2.0 using WDS, and was able to install Windows Server 2008 x64 without any issues.

The HS21 XM blade on the other hand complained when booted for the first time that its memory configuration was invalid - it only supports 2, 4 and 8 DIMM configurations - 6 DIMM configurations are not supported. I removed two 512MB modules and booted the Blade with 8GB - it worked flawlessly and without complaining.

The JS12

First, read this document about i on Blade. It explains everything better than i ever could.

The JS12 is a POWER6 based blade that is able to run IBM i. The first time I turned on the blade, all the HS21 blades (already running Windows Server 2008) crashed hard. When rebooting, they no longer found their drives. I turned off all the blades, disconnected the JS12’s SAS port and turned everything on again. The Intel blades booted, and after I was sure that they were up and running again, I powered on the JS12 again. This time, no issue arose. I tried to reproduce the behaviour I’ve seen before, and the same thing happened again.

My current assumption is that the issues were caused by the SAS Controller which does not have a Firmware update yet, and can’t deal with the SATA drives located in the DSMs. Further investigation told me that there’s no firmware upgrade for the SAS Controller in the POWER6 blade, and that SATA drives are not supported when running IBM i on the blade anyway. I ordered 4 147GB SAS drives, disabled the SAS port on the blade, and tried booting the POWER6 blade again. It booted flawlessly again.

The next step was to install VIOS - this is a rather complicated multi-step process. First, you have to turn on “Serial over LAN” aka SOL, then logon to the AMM using SSH, connect to the POWER blade using serial passthrough and then boot the blade from the VIOS CD. The install is pretty self explanatory.

Next is connecting to the Integrated Virtualization Manager (IVM) running on the VIOS partition. The IVM is basically a HMC light minus the console functionality. The only way to get a console on the JS12 blade is using a LAN console (which can only run on consumer versions of Windows, and is not supported on most of the Blades).

I installed the latest VIOS patches (around 4GB) and enabled mirroring on the two 147GB SAS disks in the blade itself. The next step will be installing IBM i, with which i have to wait until i receive the ordered SAS Disks.

Preliminary Summary

The BladeCenter S is great. Yep, not everything ran flawlessly from the start, but nobody’s perfect from the beginning. The BladeCenter brings an innovative new perspective to the SMB market. The problems that IBM needs to address are the addition of 2.5″ DSMs (already in the works) and more capable RAID controllers (also in the works). A BladeCenter S with the ability to use around 20-40 disks could prove interesting.

The POWER6 Blade is interesting, and while VIOS adds complexity, it is as streamlined as possible. I’m interested in seeing IBM i running on the machine.

If you have any other question about the BladeCenter S - or anything you would like to see in detail, post a comment. I’ll try to figure it out.



70-652 - Windows Server Virtualization

June 6th, 2008 by Lukas Beeler

I’m at the Digicomp testing center right now and waiting for my colleague to finish the exam too.

In general, my impression was that the exam was pretty solid but certainly “Enterprise Heavy” in focus. There were a lot of questions regarding appropriate configurations for failover clustering, and also several pieces of SCVMM 2008 (the latter though were never hard - anyone who has toyed with SCVMM and browsed through the main functionality should be able to answer them).

I’ve seen a few questions that weren’t worded 100% precisely, but that can always happen - the quality was generally high.

Other areas that were featured heavily:

  • Clusters (as mentioned above)
  • Snapshots - especially pay close attention to how Snapshots can be reverted, reused, etc. Snapshots can also be used in deployment scenarios
  • Integration between SCOM and SCVMM
  • Disk configuration - the available options for VHD files, their advantages and disadvantages, the usage of physical disks from the host and of course the use of iSCSI disks that are directly attached in the VM
  • Hardware requirements and configuration requirements when setting up Hyper-V - pay close attention to how you configure the Windows Bootloader, and what necessary steps need to be taken when enabling hardware assisted virtualization in the BIOS
  • Proper VM hardware configuration - remember which controllers in Hyper-V are bootable and which are not. Also, think about very old legacy applications that might have problems with newer CPU features available on modern CPUs and about the implications of running an OS that does not support synthetic hardware
  • Network configuration - pay close attention to bigger scenarios involving the cluster heartbeat link, iSCSI connections from the host, iSCSI connections from the VMs themselves, Quorum disks in cluster scenarios. Also, remember the difference between internal and private network interfaces

Did i pass? I’m not sure. There were many cluster questions, and i never had much contact with those since i primarily work with Small Business customers.

So if you intend to go at this exam, make sure you’ve toyed around with SCVMM (SCOM knowledge not necessary, just look up how these two can be integrated). Also, make sure you’ve set up a Hyper-V cluster at least once. You can emulate an iSCSI SAN by using an open source appliance like FreeNAS that can export disks using iSCSI. None of the questions I’ve seen seemed “hard” to me, but I was guessing at a few because I didn’t know about the topic.

Good luck!



Prometric customer service is actually fast!

June 3rd, 2008 by Lukas Beeler

So yesterday i ranted about being unable to register for exam 70-652, and not getting any help from Prometric.

I have to remedy that - when I checked my email this morning, I already got notice from Prometric asking for my MCP and Testing ID - I replied quickly, and got an answer back in just a few minutes. This is good!

I’ll be going this Friday and see how it was.

Exam 70-652



Beta for 70-652 - TS: Windows Server Virtualization is out

June 2nd, 2008 by Lukas Beeler

I received this nice mail from Microsoft learning:

You are invited to take beta exam 70-652: TS: Windows Server Virtualization, Configuring. You were specifically chosen to participate in this beta because of your current Microsoft Certification status or previous participation with Microsoft Learning. If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. The 71-xxx identifier is used for registering for beta versions of MCP exams, when the exam is released in its final form the 70-xxx identifier is used for registration.

By participating in beta exams, you have the opportunity to provide the Microsoft Certification program with feedback about exam content, which is integral to development of exams in their released version. We depend on the contributions of experienced IT professionals and developers as we continually improve exam content and maintain the value of Microsoft certifications.

70-652: TS: Windows Server Virtualization, Configuring counts as credit towards the following certification(s).
• TS: Windows Server Virtualization, Configuration

So i tried to sign up for the exam. But i wasn’t even able to logon to my Prometric account.

Got the following error message:

Duplicate emails. Please call customer service.

So, I tried calling customer services. It’s a toll free Swiss number in a call center located at some other part of the earth. Unfortunately, I wasn’t even able to place a call:

The number you’re calling is currently unavailable. Please check the number and dial again

So i mailed Prometric support and i’m hoping for an answer now.

If Prometric won’t fix it, at least I can ask Helmer what was in the exam. If you have a working Prometric account, you can get the invite code for the exam from Trika’s Blog.


