An Architectural Lap Around Windows Server 2008

Stephen Lamb, IT Pro Evangelist, Microsoft UK Ltd.http://blogs.technet.com/steve_lamb+44 7812 980621

James O’Neill, IT Pro Evangelist, Microsoft UK Ltd.http://blogs.technet.com/jamesone+44 118 9093080

Agenda

Hyper-VNetwork Access Protection

Branch OfficeTerminal ServicesBitLockerRead-only Domain Controllers

Q&A

Hyper-V

Hyper-v

The technology formerly known as “Windows Server virtualization”

Where is Microsoft going with virtualization ?

Hyper-V

Server Virtualization

Presentation Virtualization

Application Virtualization

Desktop Virtualization

Management

Server 2008 Virtualization Technologies

Virtualization Investments

ManagementInfrastructure Applications InteroperabilityLicensing

Create agilityBetter utilizeserver resourcesPartner with AMD and Intel

Ease consolidationonto virtual infrastructureBetter utilizemanagementresources

Supportheterogeneityacross thedatacenterOSP (Open Specification Promise) VHD

AcceleratedeploymentReduce the cost of supportingapplications

Deliver cost-effective, flexible and simplified licensingRoyalty Free VHD format

A Multi-level Approach

Terminal Services

Legacy applicationmigration

Test and developme

ntautomation

Server consolidation

Introducing VirtualizationConfig and Architecture Challenges

Introducing virtualization: Config & Architecture Challenges

Maintaining test / training environmentSegmenting from productionQuick rebuild / duplication

Supporting legacy line-of-business applications on aging hardware

Applications only supported on NT 4.0

Server sprawl“One server, one application”

Server Sprawl ...

The Data-centre is FULLFull of under-utilized servers

Greater wattage per unit area than everCooling at capacityIn some places, electricity is maxed out

We can’t all move to Iceland

Companies worrying about environmental record

Hardware drivers

Multi-core architectures can deliver their best with virtualization

Many work loads are “a bit parallel” but not “Embarrassingly parallel”

Processors are going “Embarrassingly parallel” Wattage goes up with Square of clock speedMoore’s law gains will give more cores,not faster clock speed

Virtualization support on chip from Intel and AMD

Software maturity

The need is there, the hardware is there ...Software is maturing too

More than one credible player in the market

We have moved beyond “Virtual PC”It’s not just the Virtualization technology...Management toolsHigh availabilityInteroperability

ApplicationGuest OS

ApplicationGuest OS

x86/x64 server

VirtualH/W

VirtualH/W

• VS works with Windows:– Heartbeat from kernel/

scheduler– Windows Device drivers

• Up to 32 host CPUs• Up to 64GB host RAM• VS leverages existing

system storage, networking and security infrastructure– Teamed NICs, teamed

HBAs• VS Standard Edition

Optimized for Windows Server 2003 Standard Edition (2-4P/32GB)

• VS Enterprise Edition Optimized for Windows Server 2003 Enterprise Edition (<8P/64GB)

• Virtualization infrastructure– VM monitor– COM API– Resource management– WMI/event log integration– Multiple Threaded

Support

Configuration and Architecture Virtual Server 2005

• Guest OS:– Runs all major x86

operating systems– 3.6GB RAM– 4 NICs– 56.5TB storage (IDE -

SCSI)– 2-N failover MSCS

clustering

• Industry-standard device models– Intel 440BX

motherboard– DEC 21140 NIC– S3 Trio64 SVGA– IDE/ATAPI controller– Adaptec 2940 SCSI

controller– Legacy devices

• KBD, Mouse etc• No custom drivers needed

Windows Server R2 Enterprise Edition INCLUDES 4

Instances

Windows Server 2003 R2 EE

Hardware

Virtualization Layer

Windows

Windows

Windows

Windows

Pre R2 License Model : Total: 5 Windows LicensesWindows Server R2 EE: Total: 1 License

Configuration and Architecture Windows Server R2 EE Licensing (1)

Library with 100 images of Windows

7 Servers running images

(1 per server)

License by “running instances”

Pre R2 License model• Total: 107 Windows Licenses

New License rights:• Total: 7 Windows Licenses

Configuration and Architecture Windows Server R2 EE Licensing (2)

Promotes the use of virtualization and a more dynamic data centreCreate and store images as neededLicense the machine used instances

Application Licensing

App. Vendors beginning to account for virtualizationE.g. Microsoft SQL ServerBizTalk® ServerISA ServerLicensed per virtual processor in virtual machines

Virtual Machine management

Microsoft System-Center Virtual Machine Manager

Powershell applets, built on existing APIs to manage Servers, VMs and LibrariesScripting interface to support Data centre automationMMC user interface built on topV1 for VS2005-R2/SP1. New API in WSV 2008 – support in V2.

Hyper-V

Greater Scalability and improved performance

SMP & x64 bit guest supportIncreased reliability and security

Minimal Trusted Code base Better flexibility and manageability

New UIIntegration with SCVMM(Dynamically Add resources)(Live OS/App Migration )

AMD-V / Intel VT

Windows Hypervisor

VM 1“Parent”

VM 2“Child”

VM 3“Child”

VirtualHard Disks

(VHD)

Hardware

Windows Server 2003

Virtual Server 2005 R2

VM 2 VM 3

Hyper-V vs Virtual server

Virtual Server 2005 R2 SP1

Hyper-V

Virtualization Type Hosted Virtualization Hypervisor Max Physical Memory 256 GB 1 Terabyte Max VM memory 3.6 GB per VM 64 GB per VM 32-bit VMs? Yes Yes 64-bit VMs? No Yes Multi-core VMs? No Yes, upto 4 core VM snapshots? No Yes VLANs (802.1q)? No Yes SCVMM Support V1 V2 Cluster support? Yes Yes Scriptable/Extensible? Yes, COM Yes, WMI Management UI Web Interface MMC 3.0 Interface

Drivers and enlightenments

VMs in virtual server see emulated hardwareS3 Trio Graphics, DEC 21140 ethernet etcSignificant overhead

Enlightened VMs in Hyper-V see a Software busVM bus devices for network, graphics etc

VM bus links “stub” in child partitionto driver in parent partition

Can can still emulate for unenlightened VMs

DemoHyper-V Management, Configuration and VM bus

Network Access Protection

Integrating the EdgePolicy, not topology, defines the edge

Requesting access. Here’s my newhealth status.

Network Access Protection Walk-through

NetworkPolicyServer

Client Network Access Device

(DHCP, VPN)

Remediation Servers

May I have access?Here’s my current health status.

Should this client be restricted basedon its health?

Ongoing policy updates to Network

Policy Server

You are given restricted accessuntil fix-up.

Can I have updates?

Here you go.

According to policy, the client is not up to date. Quarantine client, request it to update.

Corporate Network

Restricted Network

Client is granted access to full intranet.

System Health Servers

According to policy, the client is up to date.

Grant access.

Terminal Services

What’s new in Terminal Services ?

Because it isn’t new, is it ?

Device Support

Display Changes

True Type

SingleSign-on

Server Roles

RemoteApp TS Web-

Access

TS Gateway

SessionBroker

Making Terminal Services a first class citizen

Support for Client side improvements

Device support

Can use client’sAudioPrinterClipboardSmart CardSerial portDrivesCamera / MP3 player

RDC display changes

Display improvements Display was 4:3 and capped at 1600x1200 Now can be any size, including spanned monitors

ClearType supportedVista-style desktop experience supportedDisplay prioritization

Print jobs don’t affect user experience

Experience options (off vs. on)

Single sign-on

Requires Vista or Server 2008 as the clientGroup Policy setting

/Computer Configuration /Administrative Templates /System /Credentials Delegation. In “Allow Delegating Default Credentials”Add termsrv/Servername

Server Changes

Terminal Services Roles

TS Remote App

TS Remote App

Client sees an application not a desktopApplications identified at the serverPublished in one of 3 ways

.MSI file

.RDP fileTS Web access

TS Remote App

Demo

Making available apps browsable

TS Web access

TS Web Access

Can embed TS client object on web pageSince NT 4.0 !!

Now have ability to launch apps or desktopPull down RDP file from web pageRun normal client

TS Web Access

Demo

Moving from servers to farms

TS Session broker

TS Session Broker

Load balances sessions to terminal serversBasic operation

User connects to a terminal serverServer knows it is in a farmServer asks broker “where should this go ?”User session is re-directed

Broker’s decision process

Does this user have a session ?Reconnecting an open sessionSecond TS App sessionIf so connect to the same server

Does the server participate in load balancing ?If not let it have the session Otherwise, which servers allow new sessions ? Calculate sessions / relative weightConnect to server with lowest relative load

Server roles in a farm

BrokerTracks sessions

RedirectorAll servers which users initially connect toConnection might be round robin DNSor more sophisticated

Terminal serverRuns the user’s workload

Configuring Farm membership

Group PolicyOr TS configuration

Or “VPN considered harmful”

TS Gateway

TS Gateway

Tunnel RDP using “RPC over HTTP” technologyAllow client to connect from anywhere

Adds Additional roles...

Configuration

ClientSetting in Group policy, or per connection

ServerInstall roleChoose a Certificate Set a Connection Access policy

Who and HowSet a Resource Access Policy

WhatMultiple Servers can form farmsPublish with ISA...

TS Gateway

Demo

Combining Web Access with gateway

The Apps on offer in Web accesscan specify the gateway

(And can specify the TS Farm)So publish the Web Access page andpublish the gateway ....

Users get a portal of published LOB apps Accessible from wherever they are

Conclusions

Publish Apps: not desktopsBetter client experienceMultiple publication optionsAnywhere Access

Access Mail, IM anywhere, why not L.o.B apps ?

Scale with server farmsThird parties (e.g. Citrix) still add value

BitLocker

BitLocker™ Drive Encryption

BitLocker

BitLocker™ Drive Encryption Static Root of Trust Measurement of early boot components Volume Blob of Target OS

unlockedAll Boot Blobs

unlockedStatic OS

BootSector

BootManager

Start OS

OS Loader

BootBlock

PreOS

BIOS

MBR

TPM Init

Keys and Protectors (“Authenticators”)

TPM

4

TPM+USB

TPM+PIN

USB Key(Recovery or Non-TPM)

123456-789012-345678-

Recovery Password(48 Digits)

Branch Office

Technologies for the Branch Office

VirtualizationRead-Only Domain Controllers

Which run on Server Core

Admin Role SeparationLet Server admins be server admins

DFS-R for FRSCut WAN traffic, reduce exposure

DNSWrite-forwarding DNS servers in branch offices

BitlockerBlanket encryption

Read Only Domain Controller

Allows you to control three key things

Location of credentialsResistance to WAN failureSecurity

RODC Deployment Considerations

Bitlocker hostRODC DNS for clients

Choose Password Replication Policy

• No passwords cached (default)

• Most passwords cached

• Few passwords (branch-specific accounts) cached

How Many Domain Admins do you have?

?

That’s All Stephen Lambhttp://blogs.technet.com/steve_lamb

James O’Neillhttp://blogs.technet.com/jamesone

Reference Material

Network Access Protection Components

Network Policy Server(RADIUS)

Quarantine Server (QS)

Client

Quarantine Agent (QA)

Health policyUpdates

HealthStatements

NetworkAccess

Requests

System Health Servers

Remediation Servers

HealthCertificate

Network Access Device &Health Registration Authority

System Health Agent (SHA)MS and 3rd Parties

System Health Validator(SHV)

Enforcement Client(DHCP, IPSec, 802.1X, VPN)

• Client• SHA – Health agents check client

state• QA – Coordinates SHA/EC• EC – Method of enforcement

• Remediation Server• Serves up patches, AV signatures,

etc.

• Network Policy Server• QS – evaluates client

health• SHV – evaluates SHA

answer

• System Health Server• Provides SHV