Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview
http://connect.microsoft.com

MAP: User Interface & Reports

Server Migration & Virtualization Candidates: Windows Server 2008 Virtualization, Windows 7
• Heterogeneous server environment inventory: Linux, Unix & VMware
• Windows 7 & Server 2008 R2 hardware & device compatibility assessment
• Speed up planning with actionable proposals and assessments
• Collect inventory of servers, desktops and applications agentlessly
• Offers recommendations for server/application virtualization
• Works with the Virtualization ROI Tool to generate ROI calculations
• More on MAP: http://www.microsoft.com/map

Visual Studio Team System 2010 Lab Management Beta 2

VSTS Lab Management Beta 2 Scenarios
• Create and manage virtual or physical environments
• Take environment snapshots, or revert to existing snapshots, for virtual environments
• Interact with the virtual machines in the environments through the environment viewer
• Define test settings for the environments

New Beta 2 Features
• Simplified environment creation & edit experience
• Full-screen environment viewer
• Out-of-the-box template for the application build-deploy-test workflow
• Network isolation with support for domain controller virtual machines
• "In-Use" support for shared environments

VSTS "Environments"
• A typical multi-tier application consists of multiple roles: database server, web server, client, etc.
• An environment is the set of roles required to run a specific application, plus the lab machines to be used for each role.
• Managing environments for multi-tier applications is an error-prone task today; replicating the same environment at the same or another site is an even bigger problem.
Jeff Woolsey, Principal Group Program Manager, Windows Server, Hyper-V
SVR307

Agenda
• Virtualization requirements
• Hyper-V security
• Hyper-V & storage
• Windows Server 2008 R2: SCONFIG
• Designing a Windows Server 2008 Hyper-V & System Center infrastructure
• Deployment considerations
• Best practices & tips and tricks
• Microsoft Hyper-V Server 2008 R2

Virtualization Requirements
• Scheduler
• Memory management
• VM state machine
• Virtualized devices
• Storage stack
• Network stack
• Ring compression (optional)
• Drivers
• Management API

Hyper-V Architecture
[Diagram: the parent partition (Server Core, Windows kernel, virtualization stack with VM Service, WMI provider, VM worker processes, Virtualization Service Providers (VSPs) and drivers) and the child partitions (guest applications, Virtualization Service Clients (VSCs), OS kernel enlightenments) communicate over VMBus; Ring 3 is user mode, Ring 0 is kernel mode, and the Windows hypervisor sits beneath both on the server hardware. Components are labelled as provided by Windows, by Hyper-V, or by ISVs.]

Virtualization Attacks
[Diagram: the same architecture with attackers placed inside a child partition, at both guest application and guest kernel level, reaching across VMBus toward the parent partition and the hypervisor.]

What if there was no parent partition?
• No defense in depth
• Entire hypervisor running in the most privileged mode of the system
[Diagram: a monolithic hypervisor at Ring -1 containing the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, with the virtual machines (user mode at Ring 3, kernel mode at Ring 0) above it and the hardware below.]

Hyper-V Hypervisor: Defense in Depth
• Hyper-V doesn't use ring compression; it uses hardware instead (Intel VT / AMD-V)
• Further reduces the attack surface
[Diagram: the Hyper-V hypervisor at Ring -1 holds only the scheduler and memory management; the VM state machine, virtualized devices and management API run in the parent partition's user mode (Ring 3), and the storage stack, network stack and drivers run in its kernel mode (Ring 0), above the hardware.]

Security Assumptions
• Guests are untrusted
• Trust relationships: the parent must be trusted by the hypervisor, and the parent must be trusted by the children
• Code in guests can run in all available processor modes, rings, and segments
• The hypercall interface will be well documented and widely available to attackers
• All hypercalls can be attempted by guests
• Guests can detect that they are running on a hypervisor; we'll even give you the version
• The internal design of the hypervisor will be well understood

Security Goals
• Strong isolation between partitions
• Protect confidentiality and integrity of guest data
• Separation: unique hypervisor resource pools per guest; separate worker processes per guest; guest-to-parent communications over unique channels
• Non-interference: guests cannot affect the contents of other guests, the parent, or the hypervisor; guest computations are protected from other guests; guest-to-guest communications are not allowed through VM interfaces

Hyper-V & SDL
• Hypervisor built with: stack guard cookies (/GS); Address Space Layout Randomization (ASLR); hardware Data Execution Prevention, i.e. No Execute (NX) on AMD and Execute Disable (XD) on Intel; code pages marked read-only; memory guard pages
• Hypervisor binary is signed
• Entire stack through SDL: threat modeling, static analysis, fuzz testing & penetration testing

Hyper-V Security Model
• Uses Authorization Manager (AzMan) for fine-grained authorization and access control
• Department- and role-based: segregate who can manage groups of VMs; define specific functions for individuals or roles (start, stop, create, add hardware, change drive image)
• VM administrators don't have to be Server 2008 administrators
• Guest resources are controlled by per-VM configuration files
• Shared resources are protected: read-only (CD ISO file); copy-on-write (differencing disks)

BitLocker: Persistent Protection
Mitigating against external threats…
• Very real threat of data theft when a system is stolen, lost, or otherwise compromised (hacker tools exist!)
• Decommissioned systems are not guaranteed clean
• Increasing regulatory compliance on storage devices drives safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)

BitLocker Drive Encryption support in Windows Server 2008/2008 R2
• Addresses leading external threats by combining drive-level encryption with boot process integrity validation
• Leverages Trusted Platform Module (TPM) technology (hardware module)
• Integrates with the enterprise ecosystem, maintaining keys in Active Directory
• Protects data while a system is offline: the entire Windows volume is encrypted (including hibernation and page files); delivers umbrella protection to applications on the encrypted volume
• Ensures boot process integrity: protects against rootkits and boot sector viruses; automatically locks the system when tampering occurs
• Simplifies equipment recycling: one-step data wipe, since deleting the access keys renders the disk drive useless

Physical Security
• Device installation group policies: "no removable devices allowed on this system"
• BitLocker: encrypts drives, securing laptops and branch office servers
• BitLocker To Go: encrypts removable devices like USB sticks; includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

McAfee: VirusScan Enterprise for Offline Virtual Images
• Reduce IT management overhead for virtual environments. Anti-malware security profiles of offline virtual machines are updated automatically without having to bring the virtual machines online, reducing the risk of infecting the rest of the virtual environment.
• Ensure security for virtual machines. Automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
• Achieve efficiencies with security management. Minimize IT effort and reduce operating costs with common security management for both physical and virtual environments.
• Improve disaster recovery. Ensure that backup virtual images are up to date with respect to malware signatures before they go into production.

Hyper-V R1 Performance
• Focused on fixed disk performance. Why? Allocating storage resources upfront prevents surprises.
• Result: excellent near-native performance for fixed VHDs
• Dynamic VHD performance had room for improvement
• Let's take a look at R2 performance…

[Chart: Fixed VHD vs Raw Disk Throughput Comparison (higher is better). SQL Server log 64K throughput, IOPS (0 to 12000) against I/O queue depth (1 to 256); series WS08R2(RTM)_RawDisk and WS08R2(RTM)_VHD; disk/file/VHD size ~2040G. Host: Nehalem-EP dual quad-core processor, 6GB RAM, NUMA. Storage: Dell MD1000, 146G SAS x15, LSI 8880EM2, RAID0.]
[Chart: Fixed VHD vs Raw Disk Latency Comparison (lower is better). SQL Server log 64K write latency in ms (0 to 30) against I/O queue depth (1 to 256); same series and test configuration as above.]
[Chart: WS2008 vs WS2008R2 Dynamic VHD Throughput Comparison (higher is better). SQL Server log 64K throughput in IOPS against I/O queue depth; series WS08R2(RTM)_VHD and WS08/Hyper-V(RTM)_VHD, VHD fully populated; same test configuration. Annotation: up to 15x performance improvement with R2.]
[Chart: Dynamic VHD vs Raw Disk Throughput Comparison (higher is better). Series WS08R2(RTM)_RawDisk and WS08R2(RTM)_VHD, VHD fully populated; same test configuration.]
[Chart: Dynamic VHD vs Raw Disk Latency Comparison (lower is better). Same series, VHD fully populated; same test configuration.]
[Chart: VHD Types Throughput Comparison (higher is better). SQL Server log 64K throughput in IOPS against I/O queue depth; series WS08R2(RTM)_Differencing_VHD, WS08R2(RTM)_Dynamic_VHD and WS08R2(RTM)_Fixed_VHD; same test configuration.]
[Chart: VHD Types Latency Comparison (lower is better). SQL Server log 64K write latency in ms against I/O queue depth; same three series, VHD fully populated; same test configuration.]

Hyper-V R2 Storage Key Takeaways
• Fixed disks are on par with native disk performance
• Dynamic and differencing disks are up to 15x faster than in Hyper-V R1, with a ~15% performance delta from native

Multipath I/O (MPIO)
What is it?
• Provides a logical facility for routing I/O over redundant hardware paths connecting the server to storage
• Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
• Many hardware vendors provide MPIO-capable drivers
How do I enable it?
• Windows Server 2008 Full: Server Manager -> Features
• Windows Server 2008 Core: start /w ocsetup MultipathIo

Enabling MPIO with iSCSI
1. Open iscsicpl.exe (iSCSI configuration)
2. Set up (discover) two connections to the iSCSI target
3. Open mpiocpl.exe (MPIO configuration)
4. On the Discover Multi-Path tab, choose "Add support for iSCSI Devices"
5. In iscsicpl.exe, on the Targets tab, click Connect; check "Enable multi-path"; under Advanced, specify the Target Portal IP
6. Repeat, choosing the other Target Portal IP
iSCSI Quick Connect

Advanced Storage Capabilities
• Is there a Hyper-V storage certification?
• What about storage de-duplication?
• What about storage replication?
Hyper-V is compatible with block-based deduplication and replication solutions that are certified for Windows Server 2008/2008 R2. Solutions from NetApp, HP, EMC, Hitachi, NEC, Compellent and more… www.windowsservercatalog.com

Hyper-V Networking
• Don't forget the parent is a VM
• Two physical network adapters at minimum: one for management; one (or more) for VM networking
• Dedicated NIC(s) for iSCSI
• Connect the parent to a back-end management network
• Only expose guests to internet traffic

Hyper-V Network Configurations, Example 1: the physical server has 4 network adapters
• NIC 1: assigned to the parent partition for management
• NICs 2/3/4: assigned to virtual switches for virtual machine networking
• Storage is non-iSCSI, such as direct-attach SAS or Fibre Channel

Hyper-V Setup & Networking 1, 2, 3: each VM on its own switch…
[Diagram: the parent partition (VM worker processes, WMI provider, VM Service, Windows Server 2008 kernel with VSPs) and three child partitions (VM 1 and VM 2 with Windows kernels, VM 3 with a Linux kernel, each with its own VSC) connected over VMBus on the Windows hypervisor at Ring -1; on the "Designed for Windows" server hardware, NIC 1 is the management NIC and NICs 2, 3 and 4 are bound to VSwitch 1, 2 and 3 respectively.]

Hyper-V Network Configurations, Example 2: the server has 4 physical network adapters
• NIC 1: assigned to the parent partition for management
• NIC 2: assigned to the parent partition for iSCSI
• NICs 3/4: assigned to virtual switches for virtual machine networking

Hyper-V Setup, Networking & iSCSI: now with iSCSI…
[Diagram: the same layout; NIC 1 is the management NIC and NIC 2 the iSCSI NIC, both owned by the parent partition, while NIC 3 is bound to VSwitch 1 and NIC 4 to VSwitch 2.]

Legacy vs. Synthetic NIC
• Legacy network adapter: up to 4 per virtual machine. Pros: needed for PXE/RIS/WDS installation. Cons: slow.
• Synthetic network adapter: up to 8 per virtual machine! Pros: blazing fast.
• Both: support VLANs; dynamic or static MAC addresses

Virtualized Network I/O: Data Path Without VMQ
[Diagram: the TCP/IP stacks of VM1 and VM2, through VM NIC 1 and VM NIC 2, connect over VMBus to ports 1 and 2 of the Virtual Machine Switch (VSP) in the parent partition, which performs routing, VLAN filtering and a data copy before handing packets to the miniport driver and the physical NIC on the Ethernet.]

Virtual Machine Queues
• Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware
• VMQ operation: each VM is assigned a hardware-managed receive queue; the hardware performs MAC address lookup and VLAN ID validation and places received packets in the appropriate queue; queues are mapped into the VM address space to avoid copy operations

Network I/O Data Path With VMQ
[Diagram: as above, but the NIC's switch/routing unit sorts incoming packets into a default queue, Q1 and Q2, and the miniport driver delivers each queue to the matching virtual switch port.]

VMQ Partner Support
• Intel Gigabit ET/EF Dual Port, ~$170
• Alacritech, Broadcom, Neterion, ServerEngines, Solarflare …and many more…

Windows Server Core
• Windows Server is frequently deployed for a single role, yet earlier Windows Server releases required deploying and servicing the entire OS
• Server Core: a minimal installation option; provides essential server functionality; command line interface only, no GUI shell
• Benefits: less code results in fewer patches and a reduced servicing burden; a low-surface-area server for targeted roles
• Windows Server 2008 feedback: love it, but… steep learning curve
• Windows Server 2008 R2: introducing "SCONFIG"

Windows Server Core: CLI, easy server configuration

Manage Remotely…
• Hyper-V MMC for Windows 7: install the Windows 7 RSAT
• Turn Windows features on or off; under Remote Server Admin Tools, select Failover Clustering Tools and Hyper-V Tools
• Go to Start Menu -> Admin Tools

Deployment: Minimize Risk to the Parent Partition
• Use Server Core
• Don't run arbitrary apps, no web surfing
• Run your apps and services in guests
• Two physical 1 Gb/E network adapters at minimum: one for management (use a VLAN too); one (or more) for VM networking
• Dedicated NIC(s) for iSCSI
• Connect the parent to a back-end management network
• Only expose guests to internet traffic

Windows Server 2003 Cluster Creation
Cluster Hyper-V Servers

Use Cluster Shared Volumes
• Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
• Technology within the Failover Cluster feature
• Single consistent namespace
• Compatible: NTFS volume
• Simplified LUN management
• Multiple data stores supported
• Enhanced storage availability due to built-in redundancy
• Scalable, as I/O is written directly by each node to the shared volume
[Diagram: a single volume on the SAN holding several VHDs, transparent to the VM, with concurrent access to the single file system from every cluster node.]

Don't forget the ICs!
• Emulated vs. VSC
• Installing Integration Components
• Hyper-V & localization…

Hyper-V/AV Software Configuration
• Host: if you are running antivirus software on the physical server, exclude the Vmms.exe and Vmswp.exe processes, and the directories that contain the virtual machine configuration files and virtual hard disks, from active scanning.
• An added benefit of using pass-through disks in your virtual machines is that you can use the antivirus software running on the physical server to protect that virtual machine.
• Guest: run AV within the guest

Storage
• BitLocker: great for branch office VHDs
• Use fixed virtual hard disks in production
• VHD compaction/expansion: run it on a non-production system
• Use .isos: great performance; can be mounted and unmounted remotely; a physical DVD can't be shared across multiple VMs; having them in the SCVMM Library is fast & convenient

Jumbo Frames
• Offers significant performance gains for TCP connections, including iSCSI
• Max frame size 9K
• Reduces TCP/IP overhead by up to 84%
• Must be enabled at all end points (switches, NICs, target devices); the virtual switch is defined as an end point, and the virtual NIC is defined as an end point

Jumbo Frames in Hyper-V R2
• Added support in the virtual switch
• Added support in the virtual NIC
• Integration components required
• How to validate that jumbo frames are configured end to end: ping -n 1 -l 8000 -f (hostname)
  -l (length); -f (don't fragment the packet into multiple Ethernet frames); -n (count)

More Tips…
• Mitigate bottlenecks: processors, memory, storage, networking
• Turn off screen savers in guests
• Windows Server 2003: create VMs using 2-way to ensure an MP HAL

Creating Virtual Machines
• Use the SCVMM Library
• Templates help standardize configurations
Steps:
1. Create virtual machine
2. Install guest operating system & latest SP
3. Install integration components
4. Install anti-virus
5. Install management agents
6. SYSPREP
7. Add it to the VMM Library

Microsoft Hyper-V Server R2: New Features
• Live Migration
• High Availability
• New processor support: Second Level Address Translation; Core Parking
• Networking enhancements: TCP/IP offload support; VMQ & jumbo frame support
• Hot add/remove virtual storage
• Enhanced scalability
• Free download: www.microsoft.com/hvs

Microsoft Virtualization: Customers Win
• Virtual Server 2005 R2: uni-processor guests; 32-bit guests, up to 4 GB per VM; high availability via scripts; up to 8 cluster nodes
• Windows Server 2008, Hyper-V R1: 16 LP support / up to 128 VMs; 1 terabyte memory; 32-bit/64-bit guests (up to 64 GB per VM); SMP guests; high performance I/O (VSP/VSC/VMBus); HA integrated/included; Quick Migration included; up to 16 cluster nodes
• Windows Server 2008 R2, Hyper-V R2: 64 LP support / up to 384 VMs / up to 512 VPs; Live Migration; Cluster Shared Volumes; processor flexibility; power enhancements; 10 Gb/E ready; hot add virtual storage; connection broker for hosted desktops; Quick Storage Migration with SCVMM R2

Online Resources
• Microsoft Virtualization home / case studies from customers around the world: http://www.microsoft.com/virtualization
• Windows Server Virtualization blog: http://blogs.technet.com/virtualization/default.aspx
• Windows Server Virtualization TechNet site: http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
• MSDN & TechNet powered by Hyper-V: http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
• Virtualization Solution Accelerators: http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
• How to install the Hyper-V role: http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
• Windows Server 2008 Hyper-V Performance Tuning Guide: http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
• Using Hyper-V & BitLocker white paper: http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b6133fda14e84545&DisplayLang=en

Related Content
• MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
• SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
• SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
• SVR307 - Security Best Practices for Hyper-V and Server Virtualization
• SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations

Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
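The end-to-end jumbo frame validation from the "Jumbo Frames in Hyper-V R2" slide (ping -n 1 -l 8000 -f against a host), automated here as an added example that is not code from the deck: it runs the same don't-fragment ping against every endpoint on the path and classifies each reply, so a hop still at a 1500-byte MTU shows up as "fragmentation-needed" instead of a silent iSCSI slowdown. The endpoint names are constructed placeholders, and the Linux flag set (-c, -s, -M do) is assumed for non-Windows hosts.

```python
"""Validate end-to-end jumbo frame support with don't-fragment pings.

Added example, not part of the original TechEd deck. It automates the
deck's check ("ping -n 1 -l 8000 -f <host>") across every endpoint in
the path, because jumbo frames only work when the virtual NIC, the
virtual switch, the physical NIC, every switch and the iSCSI target
all agree on the frame size.
"""
import platform
import subprocess
from typing import Dict, List

# Constructed placeholder endpoints: replace with the hosts on your path.
ENDPOINTS: List[str] = ["iscsi-target.example.test", "vm01.example.test"]
# 8000 bytes of ICMP payload, as on the slide: with the 8-byte ICMP and
# 20-byte IPv4 headers it needs a ~8 KB frame, so a 1500-byte hop fails.
PAYLOAD = 8000


def build_ping_command(host: str, payload: int = PAYLOAD) -> List[str]:
    """Return the single don't-fragment ping for this OS.

    Windows: -n count, -l length, -f set the DF bit (flags from the deck).
    Linux:   -c count, -s size,   -M do (assumed equivalent flags).
    """
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-l", str(payload), "-f", host]
    return ["ping", "-c", "1", "-s", str(payload), "-M", "do", host]


def classify_ping_output(output: str) -> str:
    """Map ping output to 'jumbo-ok', 'fragmentation-needed' or
    'unreachable', recognising both Windows and Linux wording."""
    text = output.lower()
    if ("needs to be fragmented" in text      # Windows: DF set, too big
            or "message too long" in text     # Linux local MTU error
            or "frag needed" in text):        # Linux ICMP from a router
        return "fragmentation-needed"
    if "bytes=" in text or "bytes from" in text:   # an echo reply arrived
        return "jumbo-ok"
    return "unreachable"   # timeouts, host unreachable, resolver failures


def check_path(hosts: List[str], payload: int = PAYLOAD) -> Dict[str, str]:
    """Probe every endpoint; any 'fragmentation-needed' result means some
    endpoint or switch in between is still at the default MTU."""
    results: Dict[str, str] = {}
    for host in hosts:
        proc = subprocess.run(build_ping_command(host, payload),
                              capture_output=True, text=True, timeout=30)
        results[host] = classify_ping_output(proc.stdout + proc.stderr)
    return results


if __name__ == "__main__":
    for host, status in check_path(ENDPOINTS).items():
        print(f"{host}: {status}")
```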