
Hyper-V and pagefile settings

One of the discussions when designing a Hyper-V server is about the pagefile settings.

The pagefile is used for:

  • Supply Virtual Memory to the operating system (i.e. the parent partition). Traditional guidance states ~1.5x the amount of physical memory, although this doesn’t make sense anymore on a >64GB host;
  • Crash dump purposes, but on a host with lots of memory (more than 64GB) do you really want a full memory dump? Look at the number of hours writing such a memory dump will take and you’re convinced that for 98% of all cases a kernel dump is sufficient.

Normally the parent partition uses around 2GB of memory (the recommended reservation), so I usually recommend a manually managed pagefile of approximately 4 ~ 6 GB. Why not a system managed pagefile? Because it will grow towards the amount of physical memory.

To change this on a Hyper-V Server Core or Hyper-V Server you can use the following commands:

wmic computersystem set AutomaticManagedPagefile=False
wmic pagefileset where name="c:\\pagefile.sys" set InitialSize=4000,MaximumSize=6000

It is possible to check the pagefile settings using the following command:

wmic pagefile get /format:list


Or you can use the Registry Editor (Yes, this is available on Hyper-V Server and Server Core) and navigate to
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

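The wmic commands above set the values; as an added example (not part of the original post) here is a PowerShell script that audits the same settings on the host and flags deviations from the recommendation given above. It assumes PowerShell 2.0 with Get-WmiObject, the standard Memory Management and CrashControl registry keys, and the 4 ~ 6 GB range from this post as the expected values.

```powershell
# Added example (not from the original post): audit pagefile and crash dump
# settings on the local Hyper-V host and flag deviations.
# Assumptions: PowerShell 2.0 (Get-WmiObject), standard registry paths, and the
# post's own 4-6 GB recommendation as the expected range.

function Get-PagefileAudit {
    param(
        [int]$MinRecommendedMB = 4000,   # lower bound from the post (4 GB)
        [int]$MaxRecommendedMB = 6000    # upper bound from the post (6 GB)
    )

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $findings = @()

    # A system-managed pagefile grows towards the physical memory size; the post
    # recommends a manually managed one on hosts with a lot of RAM.
    if ($cs.AutomaticManagedPagefile) {
        $findings += "Pagefile is system managed (AutomaticManagedPagefile=True)"
    }

    # Win32_PageFileSetting holds the configured initial/maximum sizes in MB,
    # the same values the wmic 'pagefileset' command writes.
    $settings = @(Get-WmiObject -Class Win32_PageFileSetting)
    if ($settings.Count -eq 0) {
        $findings += "No pagefile configured"
    }
    foreach ($pf in $settings) {
        if ($pf.InitialSize -lt $MinRecommendedMB -or $pf.MaximumSize -gt $MaxRecommendedMB) {
            $findings += ("{0}: InitialSize={1}MB MaximumSize={2}MB is outside {3}-{4}MB" -f $pf.Name, $pf.InitialSize, $pf.MaximumSize, $MinRecommendedMB, $MaxRecommendedMB)
        }
    }

    # The same values live as a REG_MULTI_SZ "path initial maximum" under the
    # Memory Management key the post points at; read it for cross-checking.
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $pagingFiles = @($mm.PagingFiles)

    # CrashDumpEnabled: 0 = none, 1 = complete memory dump, 2 = kernel dump, 3 = small dump.
    # On a host with >64 GB a complete dump is rarely what you want (see the post).
    $cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    if ($cc.CrashDumpEnabled -eq 1) {
        $findings += "CrashDumpEnabled=1 (complete memory dump); a kernel dump is usually sufficient"
    }

    New-Object PSObject -Property @{
        AutomaticManagedPagefile = [bool]$cs.AutomaticManagedPagefile
        TotalPhysicalMemoryGB    = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        PagingFiles              = $pagingFiles
        CrashDumpEnabled         = $cc.CrashDumpEnabled
        Findings                 = $findings
    }
}

# Usage: run on the host; an empty Findings list means nothing to flag.
$audit = Get-PagefileAudit
$audit | Format-List
```

The script only reads; it does not change anything, so it is safe to run as part of a build verification or a periodic configuration check across your Hyper-V hosts.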

PowerShell on Hyper-V Server 2008 R2

It’s about time… after almost a year with only Exchange Server 2010 (SP1) projects I’m currently involved as an architect in a major Hyper-V project. Furthermore I am writing a book on Hyper-V R2, so plenty of time and lots of fun things to share here…

The first is how to enable PowerShell on Hyper-V Server 2008 R2. Enabling PowerShell is just a matter of installing the feature:

Start /w ocsetup MicrosoftWindowsPowerShell

But remember, PowerShell has a dependency on the .NET Framework, so enabling PowerShell on its own will fail. Enable the .NET Framework first:

Start /w ocsetup NetFx2-ServerCore

Start /w ocsetup MicrosoftWindowsPowerShell

Now you can start PowerShell with:

Start C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe


Best Practices Analyzer for Hyper-V

Every important application at Microsoft has its own Best Practices Analyzer; even Windows Server 2008 R2 has its analyzer out of the box. Microsoft has now released a Best Practices Analyzer for Hyper-V. After installing it you can access the Best Practices Analyzer using the Windows Server Manager.

Open the Windows Server Manager and select the Hyper-V Role. In the details pane scroll down to the Best Practices Analyzer section. You can select “Scan this role” to scan the Hyper-V server for any issues:


You can double click on an issue to see more detailed information:


You can download the Best Practices Analyzer here: http://www.microsoft.com/downloads/details.aspx?FamilyId=89d80c15-0082-4fef-a4fc-fefa463bed08&displaylang=en

More information regarding the Best Practices Analyzer can be found on the Microsoft TechNet site: “Best Practices Analyzer”.
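The Server Manager scan described above can also be driven from PowerShell, which is handy on a host without a local GUI. The following script is an added example and not part of the original post or the analyzer itself; it assumes the BestPractices module of Windows Server 2008 R2 and that the installed Hyper-V model has “Hyper-V” in its model id (the id is looked up rather than hard-coded), and the CSV path is an assumed output location.

```powershell
# Added example (not from the original post): run the Hyper-V Best Practices
# Analyzer from PowerShell and keep only the findings that need attention.
# Assumptions: Windows Server 2008 R2 BestPractices module, a Hyper-V BPA model
# whose Id contains "Hyper-V", and $env:TEMP as the report location.

Import-Module BestPractices

function Invoke-HyperVBpaScan {
    param(
        [string]$ReportPath = "$env:TEMP\hyperv-bpa.csv"   # assumed output location
    )

    $model = Get-BpaModel | Where-Object { $_.Id -like '*Hyper-V*' } | Select-Object -First 1
    if (-not $model) {
        throw "No Hyper-V BPA model installed; install the Hyper-V Best Practices Analyzer first."
    }

    # Invoke-BpaModel performs the same scan as "Scan this role" in Server Manager.
    Invoke-BpaModel -ModelId $model.Id | Out-Null

    # Keep Error and Warning results only; Information entries are compliant rules.
    $results = Get-BpaResult -ModelId $model.Id |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title, Problem, Impact, Resolution

    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    return $results
}

# Usage: show the non-compliant rules and write the full list to the CSV report.
Invoke-HyperVBpaScan | Format-Table Severity, Title -AutoSize
```

Scheduling this after every change to a host gives you a record of which warnings appeared when, which is much easier to review than clicking through the Server Manager pane on each node.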

Hyper-V.nu meeting

Hi everyone,

The meeting of 3 March is over again, and I have heard good feedback. The sessions were well aligned with each other, with good technical content. The location was also very good, and in my opinion easy to reach as well. On behalf of the team, many thanks to Nobel.

Here are the presentations:

Presentation by Ment van der Plas: Ment van der Plas – Hyper-V.nu FEB10 – Introducing MED-V
Presentation by Sander Berkouwer: OGD Active Directory en Hyper-V Spanningsveld v1
Hans Vredevoort: How to Protect Your Microsoft Virtualized Environment v2
Presentation by Jaap Wesselius: Exchange 2010 en Hyper-V – 3maart2010-V09
Presentation by Bert de Reus: Hyper-V Lessons Learned

Until next time!

DPM Backup and Hyper-V


DPM 2010 is now in Release Candidate. I use it for backing up Exchange 2010 and that works very well. As a test I also use it to back up VMs on Hyper-V R2, and that works very well too.

Microsoft has written a whitepaper about it, which you can find here:

How to protect Hyper-V with DPM 2010

I will write more about this soon.

Live Migration

hi,

it has been too quiet for some time, but I have been extremely busy I’m afraid. But, I’ve written an article on the Simple Talk website about Hyper-V R2 Live Migration…

Windows Server 2008 Hyper-V offers a high availability solution by using Windows Server 2008 Failover clustering. The Virtual Machine is implemented as a cluster resource and when a host node fails, the Virtual Machine resource fails over to the other node. Like all other Windows Server 2008 Failover solutions, the resource is brought offline before it actually fails over. This results in a relatively small period of downtime which is unacceptable in certain environments.

Windows Server 2008 R2 Hyper-V offers a Failover clustering solution without any downtime for the Virtual Machine. This solution uses a new feature called “Cluster Shared Volume” or CSV and is called “Live Migration”. In this article I’ll explain what the CSV solution is and how it works.

Windows Failover Clustering

When creating a Highly Available Hyper-V environment, a Failover cluster needs to be created. A Failover cluster is a logical server consisting of two or more Windows Server 2008 servers. Windows Server 2008 supports a maximum of 16 servers in a Failover cluster.

These servers are called Cluster Nodes. All Cluster Nodes in the Failover cluster are connected to a shared storage solution where the data is stored. The Virtual Machines running under Hyper-V that need to be highly available are configured as a resource in the cluster.

Note. All servers in the cluster must run the same Operating System, all nodes must either be Enterprise or Datacenter Edition and for Live Migration all servers must run the same processor family (even the same processor stepping).

In a Windows Server 2008 Failover cluster, only one Cluster Node can be “owner” of the disk resource and only the owner of the disk resource can access the files (including the Hyper-V VHD files). Therefore, if a Virtual Machine needs to be failed over to another Cluster Node, the complete disk resource needs to be brought down, moved to the other Cluster Node and brought online again. The Virtual Machine is in a “saved state” during a cluster Failover. Bringing the Virtual Machine into a saved state takes a certain amount of time. For a Virtual Machine with only 256MB of memory this is only a short time, but a Virtual Machine with 8GB or 16GB can take minutes to be brought into a saved state. Starting the Virtual Machine on the new node will take the same amount of time. Needless to say, failing over a Virtual Machine can cause significant downtime.

The complete article can be found here: http://www.simple-talk.com/sysadmin/virtualization/hyper-v-r2-live-migration/

VHD Tool

One of the prerequisites you sometimes encounter is the use of a fixed VHD file instead of a dynamic disk. A fixed VHD is a VHD file of a predetermined size, say 50GB.

This 50GB is allocated and then this 50GB is cleaned (written full of zeros or something similar). This takes quite a lot of time, however.

Microsoft has a Quick VHD tool: http://code.msdn.microsoft.com/vhdtool

With it you can create fixed VHDs very quickly. The 50GB is allocated, but it is not cleaned. So there is a potential security issue here, because if you then run a disk tool inside the VHD there is a (small) chance that you could recover data that was still on the disk, at the location where the VHD now sits. Data that perhaps was not meant for others.
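Whether a quickly created fixed VHD still carries residue from the underlying disk can be checked before the VHD is handed out. The script below is an added example and is not part of the original post or of the VHD tool; it reads the 512-byte VHD footer at the end of the file (the “conectix” cookie and the disk type field at offset 60 are from the published VHD format) and then samples the data area of a fixed VHD for non-zero bytes. The number and size of the samples are assumptions, and the path in the usage line is a placeholder.

```powershell
# Added example (not from the original post): inspect a VHD's footer and sample
# its data area for non-zero bytes, to tell a pre-zeroed fixed VHD from one that
# still carries residue from the underlying disk.
# Assumptions: published VHD footer layout (512 bytes at end of file, "conectix"
# cookie, big-endian disk type at offset 60); sampling density is a chosen default.

function Test-VhdZeroed {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [int]$SampleCount = 256,        # number of samples across the data area (assumed)
        [int]$SampleSize  = 4096        # bytes per sample (assumed)
    )

    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt 512) { throw "File too small to be a VHD" }

        # Read the 512-byte footer and validate the cookie.
        $footer = New-Object byte[] 512
        $fs.Seek(-512, [System.IO.SeekOrigin]::End) | Out-Null
        $fs.Read($footer, 0, 512) | Out-Null
        $cookie = [System.Text.Encoding]::ASCII.GetString($footer, 0, 8)
        if ($cookie -ne 'conectix') { throw "Not a VHD footer (cookie '$cookie')" }

        # Disk type is a big-endian UInt32 at offset 60: 2 = fixed, 3 = dynamic,
        # 4 = differencing. Multiplication is used because PowerShell 2.0 has no shift operator.
        $diskType = $footer[60] * 16777216 + $footer[61] * 65536 + $footer[62] * 256 + $footer[63]
        $typeName = switch ($diskType) { 2 {'Fixed'} 3 {'Dynamic'} 4 {'Differencing'} default {"Unknown($diskType)"} }

        # Only a fixed VHD has a raw data area in front of the footer to sample.
        $dataLength = $fs.Length - 512
        $nonZeroSamples = 0
        $samplesTaken = 0
        if ($diskType -eq 2 -and $dataLength -ge $SampleSize) {
            $buf  = New-Object byte[] $SampleSize
            $step = [long][math]::Floor($dataLength / $SampleCount)
            for ($i = 0; $i -lt $SampleCount; $i++) {
                $offset = [long][math]::Min($i * $step, $dataLength - $SampleSize)
                $fs.Seek($offset, [System.IO.SeekOrigin]::Begin) | Out-Null
                $read = $fs.Read($buf, 0, $SampleSize)
                $samplesTaken++
                $hasData = $false
                for ($j = 0; $j -lt $read; $j++) { if ($buf[$j] -ne 0) { $hasData = $true; break } }
                if ($hasData) { $nonZeroSamples++ }
            }
        }

        New-Object PSObject -Property @{
            Path           = $Path
            DiskType       = $typeName
            SizeGB         = [math]::Round($fs.Length / 1GB, 2)
            SamplesTaken   = $samplesTaken
            NonZeroSamples = $nonZeroSamples
            LooksZeroed    = ($diskType -eq 2 -and $nonZeroSamples -eq 0)
        }
    } finally {
        $fs.Close()
    }
}

# Usage (placeholder path): a freshly created, unused fixed VHD should report LooksZeroed = True.
# Test-VhdZeroed -Path 'D:\VHDs\new-fixed.vhd' | Format-List
```

Sampling cannot prove a disk is clean, only show that it is not: a single non-zero sample on a VHD that has never been used is enough to conclude that residue is present. If the underlying storage previously held data that should not reach the guest, create the VHD the slow way (fully zeroed) or zero it before assigning it to a VM.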

Hyper-V Authorization Manager

I thought it was time again for some proper investigation work, and Azman had been on the wish list for a while. With Azman you can define tasks and roles with which you can give users (non-domain admins) rights on a Hyper-V server.

If you want to give a normal user (not a domain admin or local admin on the Hyper-V server) access to Hyper-V, you can download and install the Hyper-V Management tool (for Vista). Piece of cake. Until you start it, then it doesn’t work:

[screenshot: access-denied]

“You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘node1.dmc.local’” is the message.

Using Authorization Manager you have to create a policy with which you can give users rights on your Hyper-V server. You can start the Authorization Manager with Start –> Run –> azman.msc.

The Authorization Manager is now loaded, but no store is loaded yet. For Hyper-V, open the “InitialStore.xml” which you can find in C:\ProgramData\Microsoft\Windows\Hyper-V\

[screenshot: default-azman]

Note: The Hyper-V server is a member of the domain. Within the domain I have defined a user J.Wesselius. This is a user who is only a member of “domain users” and has no special rights on the Hyper-V server.

First we define a task; this is what the user must be able to do. I still have to figure out the absolute minimum, but to begin with:

[screenshot: create-task]

The next step is defining a Role. Within a Role, one or more tasks are recorded. I create a Role named “VM-Control” and link the task just created to it:

[screenshot: add-task]

The last step is assigning the Role via the Role Assignments. Here you create a new assignment, and you link it to the user in question.

[screenshot: assign]

Piece of cake, you would think, but unfortunately it doesn’t work yet. The user in question must also have access at the COM and WMI level.

On the Hyper-V server, open the COM configuration (Start –> Administrative Tools –> Component Services).

Go via Component Services –> Computers –> My Computer and open the properties. Select the “COM Security” tab and click the “Edit Limits” button under “Launch and Activation Permissions”.

Add the user (in this case DMC\J.Wesselius) and give him the additional rights “Remote Launch” and “Remote Activation”.

[screenshot: COM-props]

Next go to Computer Management (Start –> Administrative Tools –> Computer Management) and go via “Services and Applications” to “WMI Control”. Open the properties and select the Security tab.

Select Root\CIMV2 and click the Security button. Add the user here as well and click the Advanced button.

Select the user entered earlier (DMC\J.Wesselius) and click Edit. Make sure you select “This namespace and subnamespaces” under “Apply to:”, tick allow for “Remote Enable” and tick “Apply these permissions to objects and/or containers within this container only”.

[screenshot: wmi-settings]

Click OK 3 times and repeat these settings for the WMI namespace Root\Virtualization.

The last step is rebooting the server so that all COM and WMI settings are loaded. After rebooting the Hyper-V server we can start the Hyper-V manager on the Vista client and voilà, the user (domain user) can now do all kinds of things with the Hyper-V Virtual Machines.

[screenshot: vista-hv-client]
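Once rights have been delegated this way, it is worth being able to list who holds which role in the store without clicking through azman.msc. The script below is an added example and not part of the original post or of Hyper-V; it opens the InitialStore.xml from the path given above through the AzRoles COM interface, enumerates every application and role in the store, and resolves the member SIDs to account names. The store path is the one from this post; everything else (the function name, the output columns) is my own.

```powershell
# Added example (not from the original post): list the roles, their tasks and
# their members in the Hyper-V authorization store, so delegations such as the
# "VM-Control" role above can be reviewed.
# Assumptions: default store path from the post, AzRoles COM interface available
# (Windows Server 2008 / R2), run with rights to read the store.

function Get-HyperVAzmanAssignments {
    param(
        [string]$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
    )

    # IAzAuthorizationStore.Initialize(flags, policyUrl, reserved); flags 0 opens an existing store.
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$StorePath", $null)

    $rows = @()
    foreach ($app in $store.Applications) {
        foreach ($role in $app.Roles) {
            # Members are SID strings; resolve each to an account name where possible.
            $members = @()
            foreach ($sid in @($role.Members)) {
                try {
                    $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $acct = $sid   # unresolvable SID (deleted account or unreachable domain)
                }
                $members += $acct
            }
            $rows += New-Object PSObject -Property @{
                Application = $app.Name
                Role        = $role.Name
                Tasks       = (@($role.Tasks) -join ', ')
                Operations  = (@($role.Operations) -join ', ')
                Members     = ($members -join ', ')
            }
        }
    }
    return $rows
}

# Usage: roles with members other than the built-in Administrators group
# (S-1-5-32-544) are the delegations worth reviewing periodically.
Get-HyperVAzmanAssignments | Format-Table Application, Role, Members, Tasks -AutoSize
```

An unresolvable SID in the Members column usually means an account that was deleted after it was delegated; such stale assignments are harmless until a SID is reused, so clean them up when you find them.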

Hyper-V Introduction Article

For the website http://www.simple-talk.com I am writing a series of articles about Hyper-V. It starts with an introduction, then an article about installation and some best practices, an article about deploying VMs including VMM 2008 and then an article about High Availability. This also forms the run-up to Windows Server 2008 R2 and Hyper-V R2. I am still thinking about a Server Core and a Hyper-V Server article.

This is the introduction, which officially lives here: http://www.simple-talk.com/exchange/exchange-articles/windows-server-virtualisation-hyper-v,-an-introduction

Hyper-V Introduction

Microsoft released its hypervisor based virtualization product Hyper-V in the summer of 2008. But what’s the difference with Virtual Server? And why is Hyper-V a better product than Virtual Server? And what’s the difference with VMware ESX for example? In a series of articles I’ll try to explain what Hyper-V is, how it relates to other products and try to give some best practices regarding the use of Hyper-V.

Windows Architecture

Before we take a look at the Hyper-V architecture we take a look at the Windows Server 2008 (and basically all Windows NT server) architecture. When Windows Server 2008 is installed on appropriate hardware two modes can be identified:

  • Kernel mode – this is a protected space where the kernel, the “heart” of Windows Server 2008 is running and where processes run that interact directly with the hardware, for example the device drivers using buffers allocated in kernel mode. When such a process crashes it is very likely that the server will crash as well which will result in a blue screen of death;
  • User mode – this is a more protected space where applications are running, for example Microsoft Office, or SQL Server, or Exchange Server. When an application in User Mode crashes only the application stops and the server continues running.

[figure: Win-Architecture]

When an application needs to access a piece of hardware, for example the hard disk or the network interface the application needs to communicate with the appropriate driver running in Kernel mode. Switching from User mode to Kernel mode is a costly process and consumes a considerable amount of processor cycles. This is known as “mode switching”.

Virtual Server and Virtual PC are applications and as such run in User Mode; the complete environment in which the Virtual Machine runs is emulated. After installing the Virtual Machine additions or when using Hardware Assisted Virtualization some kernel processes are handled directly by the processor. Every piece of hardware the Virtual Machine has to access has to go from User Mode to Kernel Mode and vice versa. The overhead in this scenario is large and will have a large performance impact. The same is true for VMware Server and VMware Workstation.

Hyper-V Architecture

Hyper-V is a so called hypervisor. The hypervisor is installed between the hardware and the operating system. Hyper-V is a role in Windows Server 2008 and can only be installed after Windows Server 2008 is installed. When installing the Hyper-V role the hypervisor is “slid” between the hardware and the operating system. Besides the hypervisor a little more is installed as well: the VMBus, which runs in kernel mode, as well as a Virtual Storage Provider (VSP). Furthermore a WMI provider is installed which runs in User Mode. A VMWorker process is spawned for every Virtual Machine that is started when Hyper-V is running.

Note. Hyper-V is only available on Windows Server 2008 X64 edition. Besides X64 capable hardware the server should support hardware virtualization and Data Execution Prevention (DEP) should be enabled on the server. The server’s BIOS should support these settings as well.

After installing the Hyper-V role in Windows Server 2008 the server needs to be rebooted and the server is operational. The original Windows Server 2008 that was installed is turned into a Virtual Machine as well, this one is called the “root” or the “parent partition”. It is a very special Virtual Machine since it controls the other Virtual Machines running on the server. I’ll get back to this later in this article.

Virtual Machines and the parent partition on Hyper-V are running side-by-side as shown in Figure 2. Virtual Machines are called “child partitions”. There are three types of Virtual Machines:

  • Hypervisor aware Virtual Machine like Windows Server 2003 and Windows Server 2008;
  • Non-hypervisor aware Virtual Machines like Windows Server 2000 and Windows NT4. These Virtual Machines run in an emulated environment;
  • Xen enabled Linux kernels (which also support the VMBus architecture). The only one that’s available as a standard distribution at this point is SUSE Linux.

[figure: hv-architecture]

Now we install a Virtual Machine based on Windows Server 2008. This child partition runs on top of the hypervisor. When the Integration Components are installed the new Virtual Machine can fully utilize the power of Hyper-V. The Integration Components are special Hyper-V drivers, the so called synthetic drivers. A Virtual Storage Client (VSC) is also installed in the Virtual Machine. These drivers can use the VMBus structure. The VMBus is a point-to-point in-memory bus architecture, running fully in kernel mode. When an application running in this Virtual Machine wants to access the network interface or a local disk on the parent partition, it makes a request to do so. This request goes from user mode to kernel mode and is sent via the VSC over the VMBus to the VSP. From here the request is sent to the appropriate device. No additional mode switching is needed and this is truly a very fast solution.

A non hypervisor aware Virtual Machine, for example a Windows NT4 server, does not have the Integration Components and a VSC. Everything is emulated, and it is emulated in the VMWorker processes. These processes run in user mode on the parent partition.

When an application on this Virtual Machine makes a request to the local disk, the request is sent to the driver running in kernel mode in the Virtual Machine. This is intercepted and sent to the emulator on the parent partition, which in turn sends it to the local disk. This means that three additional mode switches are needed: one in the Virtual Machine, one from the Virtual Machine to the host partition and one on the actual host partition from user mode to kernel mode. This creates additional overhead which results in reduced performance for emulated Virtual Machines. Virtual Server also makes use of a fully emulated environment and thus suffers from the same performance hit.

Virtual Machines running SUSE Linux that have the Linux Integration Components installed can also fully utilize the new VMBus architecture and thus fully utilize the server’s resources. Other Linux guests use a fully emulated Virtual Machine, just like the NT4 example.

Micro-kernelized hypervisor

One difference between ESX and Hyper-V is the type of hypervisor. Microsoft uses a micro-kernelized hypervisor where VMware uses a monolithic hypervisor. So what are the differences between these two?

A micro-kernelized hypervisor is a very thin hypervisor (less than 800 KB) with an absolute minimum of software in the hypervisor. Drivers, memory management etc. needed for the Virtual Machines are installed in the parent partition. This means that Windows Server 2008 with the appropriate, certified hardware drivers can be used for a Hyper-V server.

A monolithic hypervisor is a hypervisor that contains more software and management interfaces. Network drivers and disk drivers for example are part of the hypervisor and not of the parent partition. This automatically means that only servers that are certified by VMware and have certified drivers can be used for an ESX Server.

[figure: micro-kernelized]

Both solutions have pros and cons; time will tell which solution is the best one and offers the best performance and scalability.

Security

After installing the Hyper-V role in Windows Server 2008 the original Windows installation automatically turns into a Virtual Machine, the so called parent partition or root. After logging in to the parent partition this just looks like an ordinary Windows Server 2008. But it controls all other Virtual Machines running on the server, so special care needs to be taken.

When the parent partition is compromised with a virus or a Trojan horse not only the parent partition is under somebody else’s control, but potentially all Virtual Machines running on this server. The Hyper-V manager is available on this server as well as all WMI interfaces that control the Virtual Machines running on this server. It is a best practice to install no other software on the parent partition and not use it for example for browsing on the Internet. All applications and software should be installed on Virtual Machines and NOT on the parent partition.

A better solution is to use Windows Server 2008 Server Core. This is a very minimalistic instance of Windows Server 2008 with little software or few services installed. Also, Explorer is not present on Server Core and after logging in to a Server Core only a Command Prompt is shown. Some small GUIs are available though, for example the date-time applet to set the date and time on the server. Managing a Windows Server 2008 Server Core is definitely more difficult than managing a ‘normal’ server with a Graphical User Interface (GUI), but once you’re used to it and can fully manage it, it is much safer due to the reduced attack surface.

Microsoft made a couple of design decisions with respect to security. Not using shared memory, for example, is such a decision. When using shared memory you can over commit memory on your host server. Over committing is assigning more memory to Virtual Machines than there is available on the host server. By sharing memory pages between Virtual Machines it is possible to achieve this. Although this is a real benefit, Microsoft made the security decision not to use this feature.

Virtual Machines can be compromised as well and this is also a situation you do not want to occur. But when a Virtual Machine is compromised it is not possible to access the hypervisor to take over the host server. It is also not possible to access other Virtual Machines.

This also means that when you have to copy data from one Virtual Machine to another it’s just like physical machines. You have to copy this data across the network using file shares. The only option that’s possible is to copy plain text between your Parent Partition and a Virtual Machine using the “Copy Text” option in the Hyper-V Manager.

Integration Components

When installing a Virtual Machine initially this is running in an emulated environment. As explained earlier this is not the most efficient way of running a Virtual Machine. After the initial installation you have to install the Integration Components. Open the Hyper-V Manager, select the Virtual Machine, choose Action and select “Insert Integration Services Setup Disk”. This will install the Integration Components in your Virtual Machine. When finished reboot the Virtual Machine and it’s done.

When installing the Integration Components the synthetic drivers are installed in the Virtual Machine, making it possible to have the Virtual Machine communicate via the VMBus architecture. This will speed up performance dramatically. You can see the Integration Components using the Virtual Machine’s device manager:

[screenshot: Integration-Components]

Besides the synthetic drivers the Integration Components offer more services to Virtual Machines, like time synchronization between the root partition and the Virtual Machine, backup options (volume snapshot) and operating system shutdown from the Hyper-V Manager.

Server Virtualization Validation Program

Microsoft has always been reluctant in supporting virtualized applications, especially in the timeframe before Hyper-V. In those days Microsoft only had Virtual Server as virtualization software while VMware was offering ESX Server.

When Hyper-V entered the virtualization market Microsoft had to support not only their own software and applications running on Hyper-V, but also their applications running on other virtualization software, from other vendors that is. Microsoft has set up a program where other vendors can have their solutions validated; this program is known as the Server Virtualization Validation Program (SVVP). VMware’s ESX Server for example is validated in this program and all recommendations made for running Microsoft applications under Hyper-V also apply to running these applications under ESX Server. When issues are submitted by customers to Microsoft Product Support Services, Microsoft does not differentiate between ESX Server and Hyper-V when it comes to troubleshooting. You can find more information regarding the SVVP program on the Microsoft website: http://www.windowsservercatalog.com/svvp.aspx

Conclusion

Microsoft Windows Server 2008 Hyper-V was released in the summer of 2008 and is Microsoft’s first real hypervisor virtualization solution. It is not an emulated environment like Virtual Server or Virtual PC, but as a hypervisor solution it “sits” between the hardware and the Operating System. With the Integration Components installed you can fully use the functionality offered by Hyper-V. You have to secure the Parent Partition as much as possible to prevent compromise of the complete system.

In the next articles I will talk more about the Hyper-V best practices, deploying Virtual Machines, using the System Center Virtual Machine Manager (VMM) 2008 and the “high availability” options, and why these aren’t really highly available in the current release of Hyper-V.

Hyper-V.nu revisited

Hi,

As you might have noticed we faced a major outage at Hyper-V.nu. I will not go into details, but VMM 2008 was under the impression that the Hyper-V.nu configuration was corrupt and during a regular clean-up the Hyper-V.nu VM was deleted as well. While it was running….

Right now we have rebuilt a new Virtual Machine, running Windows Server 2008 R2 with WordPress. We have changed the platform because of the number of attacks and fake subscribers that you have on CommunityServer.

This is an official Virtual Machine, officially provisioned and therefore configured to be part of the daily backup cycle. Let’s hope it won’t happen again ;-)