Jumpstart Windows Server 2012R2


Agenda: Virtualization | Storage | Networking | Identity and Access

Enables software to dynamically manage the network by:
• Enabling integrated policies that span physical and virtual networks
• Abstracting workloads from the physical network
• Controlling datacenter traffic flow
Hyper-V Network Virtualization

[Diagram: two tenants, Blue Corp and Yellow Corp, with overlapping customer address spaces sharing one datacenter network. Policy settings map each Customer Address to a Provider Address.]

Tenant       Customer Address   Provider Address
Blue Corp    10.1.1.1           192.168.1.10
Blue Corp    10.1.1.2           192.168.1.12
Yellow Corp  10.1.1.1           192.168.1.11
Yellow Corp  10.1.1.2           192.168.1.13
How IP address rewrite works

Benefits
• Maps each Customer Address (CA) to a unique Provider Address (PA)
• Requires no upgrade of network adapters, switches, or network appliances
• Sends information in regular TCP/IP packets on the wire
• Can be deployed today without sacrificing performance
[Diagram: "Blue sees" and "Orange sees" each show a SQL Server at 10.1.1.1 and a Web server at 10.1.1.2 in their own customer address space. "What's really happening": both tenants share the provider address space (PA, 192.168.n.n), with customer addresses 10.1.1.1 and 10.1.1.2 carried on provider addresses 192.168.1.10 and 192.168.2.12.]

• Tenants with overlapping IP address range share same physical network
• Policies enforced at host level using PowerShell or System Center Virtual Machine Manager
• DHCP servers can be part of virtualized network to enable locally assigned IP addresses
• Supports guest clustering
Network Virtualization Packet Flow: Blue1 sending to Blue2

[Diagram: Blue1 (10.10.10.10, MACB1) sends to Blue2 (10.10.10.11, MACB2). On each host the frame passes the Hyper-V Switch (VSID ACL enforcement) and the Network Virtualization module (IP virtualization, policy enforcement, routing). ARP table entry on Blue1: 10.10.10.11 -> 34:29:af:c7:d9:12.]

Inner (customer) packet:  MACB1 -> MACB2, 10.10.10.10 -> 10.10.10.11, VSID 5001
Outer (provider) packet:  MACP1 -> MACP2, 192.168.2.10 -> 192.168.5.12
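How a host's policy table turns the Blue1 -> Blue2 packet above into the encapsulated provider packet, and why a second tenant reusing the same customer addresses stays isolated, modelled in Python. This is an added example, not Hyper-V code: the table layout, the HnvHost class and the Yellow tenant (VSID 6001, MACY* addresses, 192.168.7.20) are constructed assumptions; Blue's addresses and VSID 5001 come from the slide.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LookupRecord:
    """One row of a host's HNV policy table (a model; field names are ours)."""
    vsid: int     # Virtual Subnet ID, carried in the NVGRE header
    ca: str       # Customer Address: what the tenant VM sees
    ca_mac: str   # tenant VM MAC
    pa: str       # Provider Address of the Hyper-V host carrying the VM
    pa_mac: str   # that host's MAC on the datacenter network

class HnvHost:
    """Policy enforcement on one Hyper-V host: VSID ACL check, then CA -> PA rewrite."""
    def __init__(self, records):
        self.table = {(r.vsid, r.ca): r for r in records}

    def encapsulate(self, vsid: int, src_mac: str, src_ca: str, dst_ca: str) -> Optional[dict]:
        src = self.table.get((vsid, src_ca))
        if src is None or src.ca_mac != src_mac:
            return None  # VSID ACL: frame does not belong to a VM of this virtual subnet
        dst = self.table.get((vsid, dst_ca))
        if dst is None:
            return None  # no policy for that destination in this subnet: dropped
        return {"outer_src_mac": src.pa_mac, "outer_dst_mac": dst.pa_mac,
                "outer_src": src.pa, "outer_dst": dst.pa, "vsid": vsid,
                "inner_src_mac": src_mac, "inner_dst_mac": dst.ca_mac,
                "inner_src": src_ca, "inner_dst": dst_ca}

    def decapsulate(self, pkt: dict, local_pa: str) -> Optional[tuple]:
        """Receiving host: deliver only if VSID and inner destination match a VM here."""
        dst = self.table.get((pkt["vsid"], pkt["inner_dst"]))
        if pkt["outer_dst"] != local_pa or dst is None or dst.pa != local_pa:
            return None
        return (pkt["vsid"], pkt["inner_dst_mac"], pkt["inner_dst"])

# Constructed policy: Blue (VSID 5001, addresses from the slide) plus a second tenant,
# Yellow (VSID 6001, constructed), reusing the same customer addresses on the same hosts.
HOST = HnvHost([
    LookupRecord(5001, "10.10.10.10", "MACB1", "192.168.2.10", "MACP1"),
    LookupRecord(5001, "10.10.10.11", "MACB2", "192.168.5.12", "MACP2"),
    LookupRecord(6001, "10.10.10.10", "MACY1", "192.168.2.10", "MACP1"),
    LookupRecord(6001, "10.10.10.11", "MACY2", "192.168.7.20", "MACP3"),
])

def blue1_to_blue2() -> Optional[dict]:
    """The slide's flow: inner MACB1 -> MACB2 / 10.10.10.10 -> 10.10.10.11, VSID 5001."""
    return HOST.encapsulate(5001, "MACB1", "10.10.10.10", "10.10.10.11")
```

A Yellow VM sending to 10.10.10.11 in VSID 6001 lands on Yellow's host at 192.168.7.20, never on Blue2, and a frame carrying Blue's VSID from a Yellow MAC is dropped by the VSID ACL before any rewrite happens.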
Multi-tenant VPN gateway in Windows Server 2012 R2 Preview

[Diagram: Contoso and Fabrikam tenant VM networks in the hoster's datacenter (Network Virtualization Fabric), bridged to the Internet and to physical networks through a multi-tenant VPN gateway running on a host.]

Challenges
• Hoster wants to provide isolated networks for tenant VMs with integral S2S VPN and NAT
• Enterprises have virtualized networks split across different datacenters, or virtualized networks (NVGRE aware) communicating to physical networks (NVGRE unaware)

Solution
• Multi-tenant VPN gateway: a bridge between VM networks and physical networks
• Integral multitenant edge gateway for seamless connectivity
• Guest clustering for high availability
• BGP for dynamic routes update
• Encaps/Decaps NVGRE packets
• Multitenant aware NAT for Internet access
NIC Teaming
• Provides network fault tolerance and continuous availability when network adapters fail by teaming multiple network interfaces
• Supports all vendors in-box
• Facilitates local or remote management through Windows PowerShell or UI
• Enables teams of up to 32 network adapters
• Aggregates bandwidth from multiple network adapters
• Includes multiple modes: switch dependent and independent

[Diagram: virtual adapters layered on a team network adapter.]
SMB Multichannel
• Automatic detection and use of multiple network connections between SMB client and server
• Helps server applications be resilient to network failure
• Transparent failover with recovery from network failure if another connection is available
• Improved throughput
• Bandwidth aggregation through NIC Teaming
• Multiple nodes/CPUs for network processing with RSS-capable network adapters
• Automatic configuration with very little administrative overhead

[Diagram: SMB client and SMB server, each with two NICs, carrying a file copy over both connections.]
SMB over RDMA
• Higher performance through offloading of network I/O processing onto network adapter
• Higher throughput with low latency and ability to take advantage of high-speed networks (such as InfiniBand and iWARP)
• Remote storage at the speed of direct storage
• Transfer rate of around 50 Gbps on a single NIC port
• Compatible with SMB Multichannel for load balancing and failover

[Diagram: file client and file server data path without RDMA (App buffer, SMB buffer, OS buffer, driver buffer, adapter buffer, NIC) and with RDMA (rNIC over iWARP or InfiniBand).]
Increased efficiency of network processing on Hyper-V hosts

Without VMQ
• Hyper-V Virtual Switch is responsible for routing & sorting packets for VMs
• This leads to increased CPU processing, all focused on CPU0

With VMQ
• Physical NIC creates virtual network queues for each VM to reduce host CPU

With Dynamic VMQ
• Processor cores dynamically allocated for a better spread of network traffic processing

[Diagram: three Hyper-V hosts illustrating the three configurations.]
SR-IOV
• VM traffic bypasses virtual switch and performs I/O directly to NIC
• Ideal for high I/O workloads that do not require port policies, QoS, or network virtualization enforced at the end host virtual switch
• Most 10Gbps and in-box NICs SR-IOV capable

Benefits
• Maximizes use of host system processors and memory
• Reduces host CPU overhead for processing network traffic (by up to 50%)
• Reduces network latency (by up to 50%)
• Provides higher network throughput (by up to 30%)
• Full support for Live Migration

[Diagram: host running the Hyper-V Extensible Switch; the virtual machine's network stack uses a synthetic NIC and a Virtual Function (VF) mapped directly onto the SR-IOV NIC.]
DHCP failover
• Automatic DHCP failover based on DHCP failover IETF spec
• Provides multi-site IP address continuity to clients by helping eliminate single points of failure
• Provides in-box support for failover, without the need for clustering
• Uses a failover setup consisting of two servers located across different geographic locations
• Includes active/active or active/passive behavior
• Simple provisioning and configuration of DHCP server using PowerShell

[Diagram: hot standby DHCP failover in a hub-and-spoke deployment; load-sharing DHCP failover in a single site with a single subnet.]
IPAM
• Manages virtual address space in addition to physical address space
• Imports and exports network configurations automatically through plugin for System Center Virtual Machine Manager
• Enables synchronization of Active Directory Sites and subnets information with IPAM
• Supports large scale enterprise deployments
• Uses SQL Server to store IP address information
• Lets admins define user roles, access scope and access policy through role-based access control

[Diagram: roles (Network Administrator, Fabric Administrator, System Administrator, Forensics Investigator) mapped to security groups and data collection tasks.]
Agenda: Virtualization | Storage | Networking | Identity and Access
• Users can enroll devices for access to the Company Portal for easy access to corporate applications
• IT can publish Desktop Virtualization (VDI) for access to centralized resources
• Users can work from anywhere on their device with access to their corporate resources
• IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity
• Users can register devices for single sign-on and access to corporate data with Workplace Join
• IT can provide seamless corporate access with DirectAccess and automatic VPN connections

An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources. With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present.

VPN
• Cannot originate admin connection from intranet

DirectAccess
• Can originate admin connection from intranet
• Connection to intranet is always active

[Diagram: DirectAccess client behind a firewall; DNS query for DirectAccess-NLS.corp.domain.com and IPv4 (A) DNS query for da.domain.com.]
• User provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information.
• Registered devices are "known" and device authentication allows IT to provide conditional access to corporate information.
• Domain joined computers are under the full control of IT and can be provided with complete access to corporate information.

Sign-on experiences: browser session single sign-on; seamless 2-factor auth for web apps; enterprise apps single sign-on; desktop single sign-on.
• Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
• Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and in the cloud.
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
[Diagram: AD-integrated access from Devices to Published applications and Apps & Data.]
• Use conditional access for granular control over how and where the application can be accessed
• Users can access corporate applications and data wherever they are
• IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication
• Active Directory provides the central repository of user identity as well as the device registration information
• IT can selectively wipe the corporate data from Windows 8.1 clients

Work Folders
• Users can sync their work data to their devices
• Users can register their devices to be able to sync data when IT enforces conditional access
• IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management
• IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy
• Active Directory discoverability provides users the Work Folders location
• Automatically identify and classify data based on content. Classification applies as files are created or modified.
• File classification, access policies and automated Rights Management work against client-distributed data through Work Folders.
• Centrally manage access control and audit policies from Windows Server Active Directory.
• Integration with Active Directory Rights Management Services provides automated encryption of documents.
• Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
Access Control Decision

[Diagram: a Share (security descriptor with share permissions) and a File/Folder (security descriptor with NTFS permissions and a Central Access Policy reference). The Central Access Policy definition and its Central Access Rules come from Active Directory and are cached in the local Registry.]

1) Access Check – Share permissions if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in Central Access Policy
MCSA: Windows Server 2012
Installing and Configuring Windows Server 2012 + Administering Windows Server 2012 + Configuring Advanced Windows Server 2012 Services = MCSA: Windows Server 2012

MCSE: Server Infrastructure (* requires recertification)
MCSA: Windows Server 2012 + Designing and Implementing a Server Infrastructure + Implementing an Advanced Server Infrastructure = MCSE: Server Infrastructure

MCSE: Desktop Infrastructure (* requires recertification)
MCSA: Windows Server 2012 + Implementing a Desktop Infrastructure + Implementing Desktop Application Environments = MCSE: Desktop Infrastructure

Upgrade paths
Any of the following certifications qualify:
• MCSA: Windows Server 2008*
• MCITP: Virtualization Administrator
• MCITP: Enterprise Messaging Administrator
• MCITP: Lync Server Administrator
• MCITP: SharePoint Administrator
• MCITP: Enterprise Desktop Administrator

Qualifying certification + Upgrading Your Skills to MCSA Windows Server 2012 = MCSA: Windows Server 2012, followed by either or both of:
• MCSE: Server Infrastructure (Designing and Implementing a Server Infrastructure + Implementing an Advanced Server Infrastructure)
• MCSE: Desktop Infrastructure (Implementing a Desktop Infrastructure + Implementing Desktop Application Environments)