Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview .
81
-
Upload
primrose-evans -
Category
Documents
-
view
216 -
download
2
Transcript of Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview .
Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Previewhttp://connect.microsoft.com
announcing
MAP: User Interface & ReportsServer Migration & Virtualization Candidates
Windows 7
Windows Server 2008
Virtualization
•Heterogeneous Server Environment Inventory Linux, Unix & VMware•Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment•Speed up Planning with Actionable Proposals and Assessments•Collect Inventory of Servers, Desktops and Applications Agentlessly•Offers Recommendations for Server/Application Virtualization•Works with the Virtualization ROI Tool to generate ROI calculations•More on MAP: http://www.microsoft.com/map
Visual Studio Team System 2010 Lab Management Beta 2
announcing
VSTS Lab Management Beta 2
ScenariosCreate and manage virtual or physical environments
Take environment snapshots or revert to existing snapshots for virtual environments
Interact with the virtual machines in the environments through environment viewer
Define test settings for the environments
New Beta 2 FeaturesSimplified Environment creation & edit experience
Full-screen environment viewer
Out of the box template for application build-deploy-test workflow
Network isolation with support for domain controller Virtual Machines
“In-Use” support for shared environments
VSTS “Environments”Typical multi-tier application consist of multiple roles Database Server, Web Server, Client, etc.An environment is a set of roles that are required to run a specific application and the lab machines to be used for each role. Managing environments for multi-tier applications is an error prone task today. Replicating the same environment at same or another site is even a bigger problem.
Windows Server 2008 R2 Hyper-V Security & Best Practices
Jeff WoolseyPrincipal Group Program MgrWindows Server, Hyper-VSVR307
Agenda
Virtualization RequirementsHyper-V SecurityHyper-V & StorageWindows Server 2008 R2: SCONFIGDesigning a Windows Server 2008 Hyper V & System Center InfrastructureDeployment ConsiderationsBest Practices & Tips and TricksMicrosoft Hyper-V Server 2008 R2
Virtualization Requirements
SchedulerMemory ManagementVM State MachineVirtualized DevicesStorage StackNetwork StackRing Compression (optional)DriversManagement API
Parent Partition
VirtualizationService
Providers(VSPs)
WindowsKernel
Server Core
DeviceDrivers
Windows hypervisor
Virtualization Stack
VM WorkerProcessesVM
Service
WMI Provider
Child Partition
Ring 0: Kernel Mode
Ring 3: User Mode
VirtualizationServiceClients(VSCs)
OSKernel
EnlightenmentsVMBus
Guest Applications
Server Hardware
Provided by:Rest of Windows
ISV
Hyper-V
Hyper-V Architecture
Virtualization AttacksParent Partition
Virtualization Stack
VM WorkerProcessesVM
Service
WMI Provider
Child Partition
Ring 0: Kernel Mode
VirtualizationServiceClients(VSCs)
EnlightenmentsVMBus
Server Hardware
Provided by:Rest of Windows
ISV
Hyper-VGuest Applications
Hackers
OSKernel
VirtualizationServiceClients(VSCs)
Enlightenments
Ring 3: User Mode
Windows hypervisor
VMBus
VirtualizationService
Providers(VSPs)
WindowsKernel
Server Core
DeviceDrivers
What if there was no parent partition?No defense in depthEntire hypervisor running in the most privileged mode of the system
Ring -1
Ring 0
Ring 3
VirtualMachin
e
VirtualMachin
e
VirtualMachin
e
SchedulerMemory Management
Storage StackNetwork Stack
VM State MachineVirtualized Devices
DriversManagement API
UserMode
KernelMode
UserMode
UserMode
KernelMode
KernelMode
Hardware
Hyper-V Hypervisor
Defense in depthHyper-V doesn’t use ring compression uses hardware instead (VT/AMD-V)
Further reduces the attack surface
Ring -1
Ring 0
Ring 3
VirtualMachin
e
VirtualMachin
e
ParentPartition
SchedulerMemory Management
VM State MachineVirtualized DevicesManagement API
KernelMode
UserMode
UserMode
Storage StackNetwork Stack
Drivers
KernelMode
Hardware
Hyper-V Security
Security Assumptions
Guests are untrusted
Trust relationshipsParent must be trusted by hypervisor
Parent must be trusted by children
Code in guests can run in all available processor modes, rings, and segments
Hypercall interface will be well documented and widely available to attackers
All hypercalls can be attempted by guests
Can detect you are running on a hypervisor
We’ll even give you the version
The internal design of the hypervisor will be well understood
Security Goals
Strong isolation between partitionsProtect confidentiality and integrity of guest dataSeparation
Unique hypervisor resource pools per guestSeparate worker processes per guestGuest-to-parent communications over unique channels
Non-interferenceGuests cannot affect the contents of other guests, parent, hypervisorGuest computations protected from other guestsGuest-to-guest communications not allowed through VM interfaces
Hyper-V & SDL
Hypervisor built with Stack guard cookies (/GS)
Address Space Layout Randomization (ASLR)
HW Data Execution PreventionNo Execute (NX) AMD
Execute Disable (XD) Intel
Code pages marked read only
Memory guard pages
Hypervisor binary is signed
Entire stack through SDLThreat modeling
Static Analysis
Fuzz testing & Penetration testing
Hyper-V Security Model
Uses Authorization Manager (AzMan)Fine grained authorization and access control
Department and role based
Segregate who can manage groups of VMs
Define specific functions for individuals or roles
Start, stop, create, add hardware, change drive image
VM administrators don’t have to be Server 2008 administrators
Guest resources are controlled by per VM configuration files
Shared resources are protectedRead-only (CD ISO file)
Copy on write (differencing disks)
Protects Data While a System is OfflineEntire Windows Volume is Encrypted (Hibernation and Page Files)Delivers Umbrella Protection to Applications (On Encrypted Volume)
Ensures Boot Process IntegrityProtects Against Root Kits – Boot Sector VirusesAutomatically Locks System when Tampering Occurs
Simplifies Equipment RecyclingOne Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless
Mitigating Against External Threats…Very Real Threat of Data Theft When a System is Stolen, Lost,or Otherwise Compromised (Hacker Tools Exist!)Decommissioned Systems are not Guaranteed CleanIncreasing Regulatory Compliance on Storage Devices Drives Safeguards(HIPPA, SBA, PIPEDA, GLBA, etc…)
BitLocker Drive Encryption Support in Windows Server 2008/2008 R2Addresses Leading External Threats by Combining Drive Level Encryptionwith Boot Process Integrity ValidationLeverages Trusted Platform Model (TPM) Technology (Hardware Module)Integrates with Enterprise Ecosystem Maintaining Keys in Active Directory
BitLocker – Persistent Protection
Physical Security
Device installation group policies: "no removable devices allowed on this system"BitLocker: encrypts drives, securing
laptopsbranch office servers
BitLocker To Go: encrypts removable devices like USB sticks
Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
McAfee: VirusScan Enterprise for Offline Virtual Images
Reduce IT management overhead for virtual environmentsAnti-malware security profiles of offline virtual machines are updated automatically without having to bring virtual machines online, reducing the risk of infecting the rest of the virtual environment.
Ensure security for virtual machines.Automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
Achieve efficiencies with security management.Minimize IT efforts and reduce operating costs with common security management for both physical and virtual environments.
Improve disaster recovery.Ensure that backup virtual images are up-to-date with respect to malware signatures before they go into production.
VHD Performance
Hyper-V R1 Performance
Focused on Fixed Disk PerformanceWhy?
Allocating storage resources upfront and prevent surprises
Result:Excellent near native performance for Fixed VHDsDynamic VHDs performance had room for improvement
Let’s take a look at R2 performance…
Fixed VHD vs Raw Disk Throughput Comparison
1 2 4 8 16 32 64 128 2560
2000
4000
6000
8000
10000
12000
SQL Server Log 64K Throughput
WS08R2(RTM)_RawDiskWS08R2(RTM)_VHD
I/O Queue Depth
IOPS
↑: Higher is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0
(Disk/File/VHD Size: ~2040G)
Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
Fixed VHD vs Raw Disk Latency Comparison
1 2 4 8 16 32 64 128 2560.0000
5.0000
10.0000
15.0000
20.0000
25.0000
30.0000
SQL Server Log 64K Writes Latency
WS08R2(RTM)_RawDisk
WS08R2(RTM)_VHD
I/O Queue Depth
Late
ncy(
ms)
↓: Lower is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0
(Disk/File/VHD Size: ~2040G)
Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
WS2008 vs WS2008R2Dynamic VHD Throughput Comparison
1 2 4 8 16 32 64 128 2560
2000
4000
6000
8000
10000
12000
SQL Server Log 64K Throughput
WS08R2(RTM)_VHDWS08/Hyper-V(RTM)_VHD
I/O Queue Depth
IOPS
↑: Higher is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
(Disk/File/VHD Size: ~2040G)(VHD: fully populated)
Up to 15x Performance Improvement
with R2
Dynamic VHD vs Raw DiskThroughput Comparison
1 2 4 8 16 32 64 128 2560
2000
4000
6000
8000
10000
12000
SQL Server Log 64K Throughput
WS08R2(RTM)_RawDiskWS08R2(RTM)_VHD
I/O Queue Depth
IOPS
↑: Higher is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
(Disk/File/VHD Size: ~2040G)(VHD: fully populated)
Dynamic VHD vs Raw DiskLatency Comparison
1 2 4 8 16 32 64 128 2560.0000
5.0000
10.0000
15.0000
20.0000
25.0000
30.0000
SQL Server Log 64K Writes Latency
WS08R2(RTM)_RawDisk
WS08R2(RTM)_VHD
I/O Queue Depth
Late
ncy(
ms)
↓: Lower is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
(Disk/File/VHD Size: ~2040G)(VHD: fully populated)
VHD Types Throughput Comparison
1 2 4 8 16 32 64 128 2560
2000
4000
6000
8000
10000
12000
SQL Server Log 64K Throughput (VHD Types Comparison)
WS08R2(RTM)_Differencing_VHDWS08R2(RTM)_Dynamic_VHDWS08R2(RTM)_Fixed_VHD
I/O Queue Depth
IOPS
↑: Higher is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0
(Disk/File/VHD Size: ~2040G)
Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
VHD Types Latency Comparison
1 2 4 8 16 32 64 128 2560.0000
5.0000
10.0000
15.0000
20.0000
25.0000
30.0000
SQL Server Log 64K Writes Latency
WS08R2(RTM)_Fixed_VHD
WS08R2(RTM)_Dynamic_VHD
WS08R2(RTM)_Differencing_VHD
I/O Queue Depth
Late
ncy(
ms)
↓: Lower is Better
Storage: Dell MD1000 146G SASx15 LSI8880EM2 RAID0Host: NehalemEP Dual Quad-Core Proc 6GB RAM NUMA
(Disk/File/VHD Size: ~2040G)(VHD: fully populated)
Hyper-V R2 Storage Key Takeaways
Fixed Disks are on par with Native Disk Performance
Dynamic and Differencing Disks are up to 15x times faster than Hyper-V and ~15% performance delta from native
Multi-Path I/O (MPIO) & Adv. Storage
Multipath I/O (MPIO)
What is it?Provides logical facility for routing I/O over redundant hardware paths connecting the server to storageWorks with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)Many hardware vendors provide MPIO capable drivers
How do I enable it?Windows Server 2008 Full: Server Manager -> FeaturesWindows Server 2008 Core: start /w ocsetup MultipathIo
Enabling MPIO with iSCSI
Open iscsicpl.exe (iSCSI configuration)Set up (discover 2 connections to iSCSI target
Open mpiocpl.exe (MPIO configuration)Discover Multi-Path tab, “Add support for iSCSI Devices”
In iscsicpl.exe, Targets tab, ConnectCheck “Enable multi-path”Under Advanced, specify Target Portal IPRepeat, choosing other Target Portal IP
iSCSI Quick ConnectNew in Windows 7/Windows Server 2008 R2
Advanced Storage Capabilities
Is there a Hyper-V Storage Certification?What about storage De-duplication?What about Storage Replication?
Hyper-V is compatible with block based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2.Solutions from: NetApp, HP, EMC, Hitachi, NEC, Compellent and more…
www.windowsservercatalog.com
Hyper-V Networking
Hyper-V NetworkingDon’t forget the parent is a VMTwo physical network adapters at minimum
One for managementOne (or more) for VM networkingDedicated NIC(s) for iSCSIConnect parent to back-end management network
Only expose guests to internet traffic
Hyper-V Network Configurations
Example 1:Physical Server has 4 network adaptersNIC 1: Assigned to parent partition for managementNICs 2/3/4: Assigned to virtual switches for virtual machine networkingStorage is non-iSCSI such as:
Direct attachSAS or Fibre Channel
Hyper-V Setup & Networking 1
Hyper-V Setup & Networking 2
Hyper-V Setup & Networking 3
Windows Server 2008
Each VM on its own Switch…
VM 2VM 1
“Designed for Windows” Server Hardware
Windows hypervisor
VM 3
Parent Partition
Child Partitions
User Mode
KernelMode
Ring -1Mgmt
NIC 1
VSwitch 1
NIC 2
VSPVSP
VSP
VSwitch 2
NIC 3
VSwitch 3
NIC 4
Applications
Applications
Applications
VM Service
WMI Provider
VM Worker
Processes
Windows Kernel VSC Window
s KernelVSC Linux
Kernel VSC
VMBus VMBus VMBusVMBu
s
Hyper-V Network Configurations
Example 2:Server has 4 physical network adaptersNIC 1: Assigned to parent partition for managementNIC 2: Assigned to parent partition for iSCSINICs 3/4: Assigned to virtual switches for virtual machine networking
Hyper-V Setup, Networking & iSCSI
Windows Server 2008
Now with iSCSI…
VM 2VM 1
“Designed for Windows” Server Hardware
Windows hypervisor
VM 3
Parent Partition
Child Partitions
User Mode
KernelMode
Ring -1Mgmt
NIC 1iSCSI NIC
2
VSPVSP
VSwitch 1
NIC 3
VSwitch 2
NIC 4
Applications
Applications
Applications
VM Service
WMI Provider
VM Worker
Processes
Windows Kernel VSC Window
s KernelVSC Linux
Kernel VSC
VMBus VMBus VMBusVMBu
s
Legacy vs. Synthetic NIC
Legacy Network AdapterUp to 4 per virtual machinePros: Needed for PXE/RIS/WDS installationCons: Slow
Synthetic Network AdapterUp to 8 per virtual machine!Pros: Blazing fast
Both:Support VLANsDynamic or Static MAC addresses
Hyper-V R2 Networking with VMQ
Virtualized Network I/O Data PathWithout VMQ
VM1 VM2
Ethernet
VM BUS
TCP/IP TCP/IP
VM NIC 1 VM NIC 2
Parent Partition
Virtual Machine Switch
MiniportDriver
RoutingVLAN filtering
Data Copy Port 1Port 2
Parent Partition
Virtual Machine Switch (VSP)
MiniportDriver
Port 1Port 2
Routing, VLAN Filtering, Data Copy
NIC
Networking Virtual Machine Queues
Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware VMQ operation:
Each VM is assigned a hardware-managed receive queueHardware performs MAC address lookup and VLAN ID validationPlaces receive packets in appropriate queueQueues are mapped into VM address space to avoid copy operations
Network I/O Data PathWith VMQ
Parent Partition VM1 VM2
Ethernet
VM BUS
TCP/IP TCP/IP
VM NIC 1 VM NIC 2
Virtual Machine Switch
MiniportDriver
Switch/Routing unit
DefaultQueue
RoutingVLAN filtering
Data Copy Port 1Port 2
NIC
Parent Partition
Virtual Machine Switch (VSP)
MiniportDriver
Routing, VLAN Filtering, Data Copy
Port 1Port 2
Q2Q1
VMQ Partner Support
IntelGigabit ET/EFDual Port ~$170
AlacritechBroadcomNeterionServerEnginesSolarflare…and many more…
Windows Server 2008 R2: SCONFIG
Windows Server Core
Windows Server frequently deployed for a single roleMust deploy and service the entire OS in earlier Windows Server releases
Server Core: minimal installation optionProvides essential server functionality
Command Line Interface only, no GUI Shell
BenefitsLess code results in fewer patches and reduced servicing burden
Low surface area server for targeted roles
Windows Server 2008 FeedbackLove it, but…steep learning curve
Windows Server 2008 R2 Introducing “SCONFIG”
Windows Server Core
Server Core: CLI
Easy Server Configuration
DEMO
Manage Remotely…
Hyper-V MMC for Win 7
Install the Win 7 RSATTurn Windows features on/offUnder Remote Server Admin Tools
Failover Clustering ToolsHyper-V ToolsGo to Start Menu->Admin Tools
Hyper-V Best Practices
Deployment
Minimize risk to the Parent PartitionUse Server CoreDon’t run arbitrary apps, no web surfing
Run your apps and services in guests
Two physical 1 Gb/E network adapters @minimumOne for management (use a VLAN too)One (or more) for vm networkingDedicated NIC(s) for iSCSIConnect parent to back-end management network
Only expose guests to internet traffic
Windows Server 2003Cluster Creation
Cluster Hyper-V Servers
Single Volume VHD
SAN
Concurrent access to a single file system
VHD VHD
Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
Technology within Failover Cluster featureSingle consistent name spaceCompatible: NTFS volumeSimplified LUN managementMultiple data stores supportedEnhanced storage availability due to built in redundancyScalable as I/O is written directly by each node to the shared volumeTransparent to the VM
Use Cluster Shared Volumes
Don't forget the ICs!Emulated vs. VSC
Installing Integration Components
Hyper-V & Localization…
Hyper-V/AV Software Configuration
Host: If you are running antivirus software on the physical server, exclude:
the Vmms.exe and Vmswp.exe processesthe directories that contain the virtual machine configuration files and virtual hard disks from active scanning. An added benefit of using pass-through disks in your virtual machines is that you can use the antivirus software running on the physical server to protect that virtual machine
Guest: Run AV within guest
Storage
BitLockerGreat for branch office
VHDsUse fixed virtual hard disks in production
VHD Compaction/ExpansionRun it on a non-production system
Use .isosGreat performanceCan be mounted and unmounted remotelyPhysical DVD can’t be shared across multiple vmsHaving them in SCVMM Library fast & convenient
Jumbo Frames
Offers significant performance for TCP connections including iSCSIMax frame size 9K
Reduces TCP/IP overhead by up to 84%
Must be enabled at all end points (switches, NICs, target devices
Virtual switch is defined as an end pointVirtual NIC is defined as an end point
Jumbo Frames in Hyper-V R2
Added support in virtual switchAdded support in virtual NICIntegration components requiredHow to validate if jumbo frames is configured end to end
Ping –n 1 –l 8000 –f (hostname)-l (length)-f (don’t fragment packet into multiple Ethernet frames)-n (count)
More Tips…
Mitigate BottlenecksProcessorsMemoryStorageNetworking
Turn off screen savers in guestsWindows Server 2003
Create vms using 2-way to ensure an MP HAL
Creating Virtual Machines
Use SCVMM LibraryTemplates help standardize configurations
Steps:1. Create virtual machine2. Install guest operating system & latest SP3. Install integration components4. Install anti-virus5. Install management agents6. SYSPREP7. Add it to the VMM Library
Microsoft Hyper-V ServerR2
Microsoft Hyper-V Server R2New Features
Live Migration
High Availability
New Processor SupportSecond Level Address Translation
Core Parking
Networking EnhancementsTCP/IP Offload Support
VMQ & Jumbo Frame Support
Hot Add/Remove virtual storage
Enhanced scalability
Free download: www.microsoft.com/hvs
Microsoft Virtualization:Customers Win
Virt
ual S
erve
r 200
5 R2 32-bit Guests: Up to 4 GB
per VMUni-Processor GuestsHigh Availability via scriptsUp to 8 Cluster Nodes
Win
dow
s Se
rver
200
8 Hyper-V R116 LP Support/Up to 128 VMs1 Terabyte Memory32-bit/64-bit (Up to 64 GB per VM)SMP GuestsHigh Performance I/O (VSP/VSC/VMBus)HA Integrated/IncludedQuick Migration IncludedUp to 16 Cluster Nodes
Win
dow
s Se
rver
200
8 R2 Hyper-V R2
64 LP Support/Up to 384 VMs/Up to 512 VPsLive MigrationCluster Shared VolumesProcessor FlexibilityPower Enhancements10 Gb/E ReadyHot Add Virtual StorageConnection Broker for Hosted DesktopsQuick Storage Migration with SCVMM R2
Greater Performance
More Capabilities
High Availability Built-In
Increased Scalability
Live Migration Built-In
Ready for Next Gen Servers
November 2005 June 2008 July 2009
Online ResourcesMicrosoft Virtualization Home/Case Studies from customers around the world:http://www.microsoft.com/virtualization
Windows Server Virtualization Blog Site:http://blogs.technet.com/virtualization/default.aspx
Windows Server Virtualization TechNet Site:http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
MSDN & TechNet Powered by Hyper-Vhttp://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
Virtualization Solution Acceleratorshttp://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
How to install the Hyper-V rolehttp://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
Windows Server 2008 Hyper-V Performance Tuning Guidehttp://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
Using Hyper-V & BitLocker White Paperhttp://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en
Related Content
MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
SVR307 - Security Best Practices for Hyper-V and Server Virtualization
SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
