Published by Primrose Evans. Modified over 9 years ago.
Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview http://connect.microsoft.com
MAP: User Interface & Reports
Server Migration & Virtualization Candidates: Windows 7, Windows Server 2008, Virtualization
- Heterogeneous Server Environment Inventory: Linux, Unix & VMware
- Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
- Speed up Planning with Actionable Proposals and Assessments
- Collect Inventory of Servers, Desktops and Applications Agentlessly
- Offers Recommendations for Server/Application Virtualization
- Works with the Virtualization ROI Tool to generate ROI calculations
More on MAP: http://www.microsoft.com/map
Visual Studio Team System 2010 Lab Management Beta 2
VSTS Lab Management Beta 2
Scenarios
- Create and manage virtual or physical environments
- Take environment snapshots or revert to existing snapshots for virtual environments
- Interact with the virtual machines in the environments through the environment viewer
- Define test settings for the environments
New Beta 2 Features
- Simplified environment creation & edit experience
- Full-screen environment viewer
- Out-of-the-box template for the application build-deploy-test workflow
- Network isolation with support for domain controller virtual machines
- “In-Use” support for shared environments
VSTS “Environments”
- A typical multi-tier application consists of multiple roles: database server, web server, client, etc.
- An environment is the set of roles required to run a specific application, plus the lab machines to be used for each role.
- Managing environments for multi-tier applications is an error-prone task today.
- Replicating the same environment at the same or another site is an even bigger problem.
Jeff Woolsey, Principal Group Program Manager, Windows Server, Hyper-V
Session SVR307
Agenda
- Virtualization Requirements
- Hyper-V Security
- Hyper-V & Storage
- Windows Server 2008 R2: SCONFIG
- Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
- Deployment Considerations
- Best Practices & Tips and Tricks
- Microsoft Hyper-V Server 2008 R2
Virtualization Requirements
- Scheduler
- Memory Management
- VM State Machine
- Virtualized Devices
- Storage Stack
- Network Stack
- Ring Compression (optional)
- Drivers
- Management API
Hyper-V Architecture (diagram; layout recovered as text)
- Parent partition, Ring 3 user mode: Virtualization Stack (VM Worker Processes, VM Service, WMI Provider)
- Parent partition, Ring 0 kernel mode: Windows Kernel (Server Core), Device Drivers, Virtualization Service Providers (VSPs), VMBus
- Child partition, Ring 3 user mode: Guest Applications
- Child partition, Ring 0 kernel mode: OS Kernel with Enlightenments, Virtualization Service Clients (VSCs), VMBus
- Windows hypervisor beneath both partitions, on Server Hardware
- Legend: components provided by Hyper-V, by the rest of Windows, or by ISVs
Virtualization Attacks (diagram; layout recovered as text)
- The same architecture as the previous slide, with the attacker (“Hackers”) placed inside the child partition, at the guest applications and the guest OS kernel
- From there the reachable surface is the guest-side Enlightenments and VSCs, the VMBus, and on the far side the VSPs, the parent's Windows Kernel, Server Core and Device Drivers, the parent's virtualization stack (VM Worker Processes, VM Service, WMI Provider) and the Windows hypervisor itself
What if there was no parent partition?
- No defense in depth
- Entire hypervisor running in the most privileged mode of the system
- Diagram: a single Ring -1 hypervisor that contains everything (scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers, management API) sits between the hardware and the virtual machines' kernel mode (Ring 0) and user mode (Ring 3)
Hyper-V Hypervisor
- Defense in depth
- Hyper-V doesn’t use ring compression; it uses hardware virtualization extensions instead (Intel VT / AMD-V)
- Further reduces the attack surface
- Diagram: the Ring -1 hypervisor holds only the scheduler and memory management; the VM state machine, virtualized devices and management API live in the parent partition's user mode (Ring 3), and the storage stack, network stack and drivers in the parent's kernel mode (Ring 0), alongside the virtual machines, all on the hardware
Security Assumptions
- Guests are untrusted
- Trust relationships: the parent must be trusted by the hypervisor; the parent must be trusted by the children
- Code in guests can run in all available processor modes, rings, and segments
- The hypercall interface will be well documented and widely available to attackers
- All hypercalls can be attempted by guests
- Guests can detect that they are running on a hypervisor; we’ll even give you the version
- The internal design of the hypervisor will be well understood
Security Goals
- Strong isolation between partitions
- Protect confidentiality and integrity of guest data
- Separation
  - Unique hypervisor resource pools per guest
  - Separate worker processes per guest
  - Guest-to-parent communications over unique channels
- Non-interference
  - Guests cannot affect the contents of other guests, the parent, or the hypervisor
  - Guest computations protected from other guests
  - Guest-to-guest communications not allowed through VM interfaces
Hyper-V & SDL
- Hypervisor built with:
  - Stack guard cookies (/GS)
  - Address Space Layout Randomization (ASLR)
  - Hardware Data Execution Prevention: No Execute (NX, AMD) / Execute Disable (XD, Intel)
  - Code pages marked read-only
  - Memory guard pages
- Hypervisor binary is signed
- Entire stack through SDL: threat modeling, static analysis, fuzz testing & penetration testing
Hyper-V Security Model
- Uses Authorization Manager (AzMan)
  - Fine-grained authorization and access control
  - Department and role based
  - Segregate who can manage groups of VMs
  - Define specific functions for individuals or roles: start, stop, create, add hardware, change drive image
  - VM administrators don’t have to be Server 2008 administrators
- Guest resources are controlled by per-VM configuration files
- Shared resources are protected: read-only (CD ISO file), copy-on-write (differencing disks)
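The delegation the slide describes, as an added example that is not part of the session deck: a PowerShell script that uses the AzMan COM interfaces (AzRoles) to give an AD group start/stop/console rights on VMs without making its members server administrators. The store path, the application name “Hyper-V services”, the operation names, and the group CONTOSO\VM-Operators are assumptions about a default Windows Server 2008 / 2008 R2 Hyper-V host; verify them against the InitialStore.xml on your own host before running.

```powershell
# Added example, not Microsoft's code. Assumptions: default Hyper-V AzMan store path,
# default application name, operation names as shipped in InitialStore.xml, and a
# placeholder AD group. Run elevated on the Hyper-V host.
$storePath = "msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml"
$appName   = "Hyper-V services"
$groupName = "CONTOSO\VM-Operators"     # hypothetical group that gets operator rights

# Operations the operator role may invoke. Everything not listed (create/delete VM,
# change configuration, change authorization scope) stays with the administrator role.
$allowedOps = @(
    "Read Service Configuration",
    "View Virtual Machine Configuration",
    "Start Virtual Machine",
    "Stop Virtual Machine",
    "Allow Input to Virtual Machine",
    "Allow Output from Virtual Machine"
)

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storePath, $null)          # flags 0: open the existing store, never create
$app = $store.OpenApplication($appName, $null)

# A task bundles operations; a role binds a task to members. Reuse if already present.
try   { $task = $app.OpenTask("VM Operator Task", $null) }
catch { $task = $app.CreateTask("VM Operator Task", $null) }
foreach ($op in $allowedOps) {
    # OpenOperation throws on an unknown name, so a typo fails here instead of
    # silently granting nothing (or, worse, being "fixed" later by hand to grant more).
    [void]$app.OpenOperation($op, $null)
    if (-not (@($task.Operations) -contains $op)) { $task.AddOperation($op, $null) }
}
$task.Submit(0, $null)

try   { $role = $app.OpenRole("VM Operators", $null) }
catch { $role = $app.CreateRole("VM Operators", $null) }
if (-not (@($role.Tasks) -contains "VM Operator Task")) { $role.AddTask("VM Operator Task", $null) }
$role.AddMemberName($groupName, $null)
$role.Submit(0, $null)

# Verification: print the effective operation list of the role and diff it against
# what was intended, so a pre-existing task with extra rights is noticed.
$effective = foreach ($t in @($app.OpenRole("VM Operators", $null).Tasks)) {
    @($app.OpenTask($t, $null).Operations)
}
$extra = $effective | Where-Object { $allowedOps -notcontains $_ }
"Effective operations for VM Operators:"
$effective | Sort-Object -Unique | ForEach-Object { "  $_" }
if ($extra) { Write-Warning ("Role carries operations beyond the intended set: " + ($extra -join ", ")) }
```

A role defined at the application level applies to every VM on the host; to limit a group to a subset of VMs, create an AzMan scope, define the role inside it, and move the VMs into that scope with the “Change Virtual Machine Authorization Scope” operation. Note that AzMan-based delegation is specific to Hyper-V on Windows Server 2008 / 2008 R2; later releases replaced it with the local Hyper-V Administrators group.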
BitLocker – Persistent Protection
Protects Data While a System is Offline
- Entire Windows Volume is Encrypted (Hibernation and Page Files)
- Delivers Umbrella Protection to Applications (On Encrypted Volume)
Ensures Boot Process Integrity
- Protects Against Root Kits – Boot Sector Viruses
- Automatically Locks System when Tampering Occurs
Simplifies Equipment Recycling
- One Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless
Mitigating Against External Threats…
- Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
- Decommissioned Systems are not Guaranteed Clean
- Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc…)
BitLocker Drive Encryption Support in Windows Server 2008/2008 R2
- Addresses Leading External Threats by Combining Drive Level Encryption with Boot Process Integrity Validation
- Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
- Integrates with Enterprise Ecosystem, Maintaining Keys in Active Directory
Physical Security
- Device installation group policies: "no removable devices allowed on this system"
- BitLocker: encrypts drives, securing laptops and branch office servers
- BitLocker To Go: encrypts removable devices like USB sticks
  - Includes group policies that say, "don't let the user save data onto a USB stick unless the stick has been encrypted"
McAfee: VirusScan Enterprise for Offline Virtual Images
- Reduce IT management overhead for virtual environments: anti-malware security profiles of offline virtual machines are updated automatically without having to bring the virtual machines online, reducing the risk of infecting the rest of the virtual environment.
- Ensure security for virtual machines: automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
- Achieve efficiencies with security management: minimize IT effort and reduce operating costs with common security management for both physical and virtual environments.
- Improve disaster recovery: ensure that backup virtual images are up to date with respect to malware signatures before they go into production.
Hyper-V R1 Performance
- Focused on fixed disk performance. Why? Allocating storage resources up front prevents surprises.
- Result: excellent near-native performance for fixed VHDs
- Dynamic VHD performance had room for improvement
- Let’s take a look at R2 performance…
Performance charts (chart titles only; the plotted data is not reproduced here):
- Fixed VHD vs Raw Disk Throughput Comparison
- Fixed VHD vs Raw Disk Latency Comparison
- WS2008 vs WS2008R2 Dynamic VHD Throughput Comparison: up to 15x performance improvement with R2
- Dynamic VHD vs Raw Disk Throughput Comparison
- Dynamic VHD vs Raw Disk Latency Comparison
- VHD Types Throughput Comparison
- VHD Types Latency Comparison
Hyper-V R2 Storage Key Takeaways
- Fixed disks are on par with native disk performance
- Dynamic and differencing disks are up to 15x faster than on Hyper-V R1 and within roughly 15% of native
Multipath I/O (MPIO)
What is it?
- Provides a logical facility for routing I/O over redundant hardware paths connecting the server to storage
- Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
- Many hardware vendors provide MPIO-capable drivers (DSMs)
How do I enable it?
- Windows Server 2008 Full: Server Manager -> Features
- Windows Server 2008 Core: start /w ocsetup MultipathIo
Enabling MPIO with iSCSI
1. Open iscsicpl.exe (iSCSI configuration) and discover two connections (target portals) to the iSCSI target
2. Open mpiocpl.exe (MPIO configuration); on the Discover Multi-Path tab, check “Add support for iSCSI Devices”
3. Back in iscsicpl.exe, on the Targets tab, click Connect; check “Enable multi-path”; under Advanced, specify the first Target Portal IP
4. Repeat the Connect step, choosing the other Target Portal IP
Advanced Storage Capabilities
- Is there a Hyper-V storage certification?
- What about storage de-duplication?
- What about storage replication?
- Hyper-V is compatible with block-based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2
- Solutions from NetApp, HP, EMC, Hitachi, NEC, Compellent and more: www.windowsservercatalog.com
Hyper-V Networking
- Don’t forget the parent is a VM
- Two physical network adapters at minimum: one for management, one (or more) for VM networking
- Dedicated NIC(s) for iSCSI
- Connect the parent to a back-end management network
- Only expose guests to internet traffic
Hyper-V Network Configurations
Example 1: physical server has 4 network adapters
- NIC 1: assigned to the parent partition for management
- NICs 2/3/4: assigned to virtual switches for virtual machine networking
- Storage is non-iSCSI, such as direct-attached SAS or Fibre Channel
Hyper-V Setup & Networking (screenshots 1–3)
Windows Server 2008: Each VM on its own Switch… (diagram; layout recovered as text)
- “Designed for Windows” server hardware with four NICs; Windows hypervisor at Ring -1
- Parent partition: Mgmt NIC 1 for management; VSwitch 1 on NIC 2, VSwitch 2 on NIC 3, VSwitch 3 on NIC 4, bound through the VSP in kernel mode; VM Service, WMI Provider and VM Worker Processes in user mode over the Windows Kernel
- Child partitions VM 1 and VM 2 (Windows Kernel + VSC) and VM 3 (Linux Kernel + VSC), connected over VMBus, one virtual switch per VM
Hyper-V Network Configurations
Example 2: server has 4 physical network adapters
- NIC 1: assigned to the parent partition for management
- NIC 2: assigned to the parent partition for iSCSI
- NICs 3/4: assigned to virtual switches for virtual machine networking
Hyper-V Setup, Networking & iSCSI
Windows Server 2008: Now with iSCSI… (diagram; layout recovered as text)
- “Designed for Windows” server hardware with four NICs; Windows hypervisor at Ring -1
- Parent partition: Mgmt NIC 1 for management; iSCSI NIC 2 dedicated to storage; VSwitch 1 on NIC 3 and VSwitch 2 on NIC 4, bound through the VSP in kernel mode; VM Service, WMI Provider and VM Worker Processes in user mode over the Windows Kernel
- Child partitions VM 1 and VM 2 (Windows Kernel + VSC) and VM 3 (Linux Kernel + VSC), connected over VMBus
Legacy vs. Synthetic NIC
Legacy Network Adapter
- Up to 4 per virtual machine
- Pros: needed for PXE/RIS/WDS installation
- Cons: slow
Synthetic Network Adapter
- Up to 8 per virtual machine!
- Pros: blazing fast
Both
- Support VLANs
- Dynamic or static MAC addresses
Virtualized Network I/O Data Path Without VMQ (diagram; layout recovered as text)
- Parent partition: Virtual Machine Switch (VSP) above a miniport driver above the physical NIC
- The switch performs routing, VLAN filtering and the data copy in software for every packet before handing it to Port 1 / Port 2
- VM1 and VM2 each see VM NIC 1 / VM NIC 2 with a TCP/IP stack above it, reached over VMBus
Networking: Virtual Machine Queues
- Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware
- VMQ operation:
  - Each VM is assigned a hardware-managed receive queue
  - Hardware performs MAC address lookup and VLAN ID validation
  - Places received packets in the appropriate queue
  - Queues are mapped into the VM address space to avoid copy operations
Network I/O Data Path With VMQ (diagram; layout recovered as text)
- The NIC now owns a default queue plus per-VM queues Q1 and Q2; routing and VLAN filtering happen in the NIC's switch/routing unit
- The parent's Virtual Machine Switch (VSP) and miniport driver pass each queue straight to its port (Port 1, Port 2); the software routing, VLAN filtering and data copy remain only for traffic on the default queue
- VM1 and VM2 still see VM NIC 1 / VM NIC 2 with TCP/IP above, over VMBus
VMQ Partner Support
- Intel Gigabit ET/EF Dual Port (~$170)
- Alacritech
- Broadcom
- Neterion
- ServerEngines
- Solarflare
- …and many more…
Windows Server Core
- Windows Server is frequently deployed for a single role
- Earlier Windows Server releases required deploying and servicing the entire OS
- Server Core: minimal installation option
  - Provides essential server functionality
  - Command line interface only, no GUI shell
- Benefits
  - Less code results in fewer patches and a reduced servicing burden
  - Low-surface-area server for targeted roles
- Windows Server 2008 feedback: love it, but… steep learning curve
- Windows Server 2008 R2: introducing “SCONFIG”
Windows Server Core: CLI (screenshot)
Easy Server Configuration (screenshot)
Manage Remotely… (screenshot)
Hyper-V MMC for Windows 7
- Install the Windows 7 RSAT
- Turn Windows features on/off: under Remote Server Administration Tools, enable Failover Clustering Tools and Hyper-V Tools
- Go to Start Menu -> Administrative Tools
Deployment
- Minimize risk to the parent partition
  - Use Server Core
  - Don’t run arbitrary apps, no web surfing
  - Run your apps and services in guests
- Two physical 1 GbE network adapters at minimum
  - One for management (use a VLAN too)
  - One (or more) for VM networking
- Dedicated NIC(s) for iSCSI
- Connect the parent to a back-end management network
- Only expose guests to internet traffic
Windows Server 2003 Cluster Creation (screenshot)
Cluster Hyper-V Servers (screenshot)
Use Cluster Shared Volumes
- Single volume holding the VHDs, with concurrent access to one file system from every node
- Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
- Technology within the Failover Cluster feature
- Single consistent namespace
- Compatible: NTFS volume
- Simplified LUN management
- Multiple data stores supported
- Enhanced storage availability due to built-in redundancy
- Scalable, as I/O is written directly by each node to the shared volume
- Transparent to the VM
Don't forget the ICs! Emulated vs. VSC
Installing Integration Components (screenshot)
Hyper-V & Localization… (screenshot)
Hyper-V/AV Software Configuration
Host: if you are running antivirus software on the physical server, exclude from active scanning:
- the Vmms.exe and Vmwp.exe processes
- the directories that contain the virtual machine configuration files and virtual hard disks
- An added benefit of using pass-through disks in your virtual machines is that you can use the antivirus software running on the physical server to protect that virtual machine
- The exclusions mean the host scanner never looks inside a VHD, so the guest's own AV is what protects its contents
Guest: run AV within the guest
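To build the exclusion list from what the host actually uses instead of hand-typing paths, here is an added PowerShell example (not from the session deck). It reads the Windows Server 2008 / 2008 R2 Hyper-V WMI provider in root\virtualization; the class and property names are the v1 provider's, and the script assumes it runs elevated on the host. It only prints the list; feeding it into a specific AV product's exclusion settings is left to that product's own tooling.

```powershell
# Added example, not Microsoft's code. Assumes the v1 Hyper-V WMI namespace
# (Windows Server 2008 / 2008 R2) and an elevated local session on the host.
function Get-HyperVAvExclusions {
    $ns = "root\virtualization"

    # Processes named on the slide: the VM management service and the per-VM worker.
    $processes = @("vmms.exe", "vmwp.exe")

    # Host-wide defaults for VM configuration files and virtual hard disks.
    $svc  = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData
    $dirs = @($svc.DefaultExternalDataRoot, $svc.DefaultVirtualHardDiskPath)

    # Every VHD actually attached to a VM, wherever it lives. Pass-through disks carry
    # no file path (different ResourceSubType) and are therefore not excluded; they are
    # scanned as ordinary host disks, which is the point the slide makes about them.
    Get-WmiObject -Namespace $ns -Class Msvm_ResourceAllocationSettingData |
        Where-Object { $_.ResourceSubType -eq "Microsoft Virtual Hard Disk" -and $_.Connection } |
        ForEach-Object { $dirs += Split-Path -Parent $_.Connection[0] }

    # Per-VM folders for configuration, snapshots (.avhd) and saved state (.vsv).
    Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemGlobalSettingData |
        ForEach-Object {
            if ($_.ExternalDataRoot) { $dirs += $_.ExternalDataRoot }
            if ($_.SnapshotDataRoot) { $dirs += $_.SnapshotDataRoot }
        }

    [pscustomobject]@{
        Processes   = $processes
        Directories = @($dirs | Where-Object { $_ } | Sort-Object -Unique)
    }
}

$ex = Get-HyperVAvExclusions
"Process exclusions:"
$ex.Processes   | ForEach-Object { "  $_" }
"Directory exclusions:"
$ex.Directories | ForEach-Object { "  $_" }
```

Re-run it after adding VMs or moving storage; a VHD created outside the default path is the usual way an exclusion list drifts out of date, and a VHD the host scanner does inspect is a VM that can be taken offline by a false positive on its disk image.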
Storage
- BitLocker: great for branch office VHDs
- Use fixed virtual hard disks in production
- VHD compaction/expansion: run it on a non-production system
- Use .isos
  - Great performance
  - Can be mounted and unmounted remotely
  - A physical DVD can’t be shared across multiple VMs
  - Having them in the SCVMM Library is fast & convenient
Jumbo Frames
- Offers significant performance gains for TCP connections, including iSCSI
- Max frame size 9K
- Reduces TCP/IP overhead by up to 84%
- Must be enabled at all end points (switches, NICs, target devices)
  - The virtual switch is defined as an end point
  - The virtual NIC is defined as an end point
Jumbo Frames in Hyper-V R2
- Added support in the virtual switch
- Added support in the virtual NIC
- Integration components required
- How to validate that jumbo frames are configured end to end:
  ping -n 1 -l 8000 -f <hostname>
  -l (length), -f (don’t fragment the packet into multiple Ethernet frames), -n (count)
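The validation above, as an added PowerShell example that is not part of the session deck: it runs the slide's ping against every endpoint on a storage path and reports which one cannot carry an unfragmented 8000-byte payload, so the hop with the wrong MTU is found before iSCSI is switched to 9K. The endpoint addresses are constructed placeholders.

```powershell
# Added example, not Microsoft's code. The endpoint list below is constructed;
# replace it with your iSCSI target portals and a VM on the storage VLAN.
function Test-JumboFrame {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$PayloadBytes = 8000   # over the 1500-byte default MTU, under the 9K jumbo limit
    )
    # -f sets Don't Fragment: a 1500-byte hop must drop the packet instead of
    # splitting it, which is exactly what exposes a switch or NIC still at 1500.
    $out = ping.exe -n 1 -l $PayloadBytes -f $Target 2>&1 | Out-String
    # ping.exe exits 0 only when the echo reply came back; on a 1500-byte hop the
    # text is "Packet needs to be fragmented but DF set."
    $detail = ($out -split "`r?`n" |
        Where-Object { $_ -match "Reply from|fragmented|timed out|could not find" } |
        Select-Object -First 1)
    [pscustomobject]@{
        Target        = $Target
        PayloadBytes  = $PayloadBytes
        JumboEndToEnd = ($LASTEXITCODE -eq 0)
        Detail        = $detail
    }
}

# Constructed list: two iSCSI target portal IPs and a VM's synthetic NIC on the same VLAN.
$endpoints = @("10.0.10.11", "10.0.10.12", "vm-sql01.contoso.local")
$results   = $endpoints | ForEach-Object { Test-JumboFrame -Target $_ }
$results | Format-Table -AutoSize

# Fail a deployment script loudly rather than enabling 9K on iSCSI with a 1500-byte hop in the path.
$broken = @($results | Where-Object { -not $_.JumboEndToEnd })
if ($broken.Count -gt 0) {
    Write-Error ("Jumbo frames are not configured end to end; fix: " + (($broken | ForEach-Object { $_.Target }) -join ", "))
}
```

Run it from the parent partition for the iSCSI NIC, and again from inside a guest for the virtual NIC, since the slide lists both the virtual switch and the virtual NIC as end points that must be configured.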
More Tips…
- Mitigate bottlenecks: processors, memory, storage, networking
- Turn off screen savers in guests
- Windows Server 2003: create VMs with 2 virtual processors so the guest installs the multiprocessor (MP) HAL
Creating Virtual Machines
- Use the SCVMM Library; templates help standardize configurations
Steps:
1. Create the virtual machine
2. Install the guest operating system & latest SP
3. Install integration components
4. Install anti-virus
5. Install management agents
6. SYSPREP
7. Add it to the VMM Library
Microsoft Hyper-V Server R2: New Features
- Live Migration
- High Availability
- New processor support: Second Level Address Translation, Core Parking
- Networking enhancements: TCP/IP offload support, VMQ & jumbo frame support
- Hot add/remove virtual storage
- Enhanced scalability
- Free download: www.microsoft.com/hvs
Microsoft Virtualization: Customers Win
Online Resources
- Microsoft Virtualization home / case studies from customers around the world: http://www.microsoft.com/virtualization
- Windows Server Virtualization blog: http://blogs.technet.com/virtualization/default.aspx
- Windows Server Virtualization TechNet site: http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
- MSDN & TechNet powered by Hyper-V: http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
- Virtualization Solution Accelerators: http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
- How to install the Hyper-V role: http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
- Windows Server 2008 Hyper-V Performance Tuning Guide: http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
- Using Hyper-V & BitLocker white paper: http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en
Related Content
- MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
- SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
- SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
- SVR307 - Security Best Practices for Hyper-V and Server Virtualization
- SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!