An Architectural Lap Around Windows Server 2008
Stephen Lamb, IT Pro Evangelist, Microsoft UK Ltd.
http://blogs.technet.com/steve_lamb
+44 7812 980621
James O’Neill, IT Pro Evangelist, Microsoft UK Ltd.
http://blogs.technet.com/jamesone
+44 118 9093080
Agenda
Hyper-V
Network Access Protection
Branch Office
Terminal Services
BitLocker
Read-only Domain Controllers
Q&A
Hyper-V
The technology formerly known as “Windows Server Virtualization”
Where is Microsoft going with virtualization?
Hyper-V
Server Virtualization
Presentation Virtualization
Application Virtualization
Desktop Virtualization
Management
Server 2008 Virtualization Technologies
Virtualization Investments
Investment areas: Management, Infrastructure, Applications, Interoperability, Licensing
Create agility
Better utilize server resources
Partner with AMD and Intel
Ease consolidation onto virtual infrastructure
Better utilize management resources
Support heterogeneity across the datacenter
OSP (Open Specification Promise) VHD
Accelerate deployment
Reduce the cost of supporting applications
Deliver cost-effective, flexible and simplified licensing
Royalty-free VHD format
A Multi-level Approach
Terminal Services
Legacy application migration
Test and development
Automation
Server consolidation
Introducing Virtualization: Config and Architecture Challenges
Maintaining test / training environment
Segmenting from production
Quick rebuild / duplication
Supporting legacy line-of-business applications on aging hardware
Applications only supported on NT 4.0
Server sprawl: “One server, one application”
Server Sprawl ...
The data centre is FULL
Full of under-utilized servers
Greater wattage per unit area than ever
Cooling at capacity
In some places, electricity is maxed out
We can’t all move to Iceland
Companies worrying about environmental record
Hardware drivers
Multi-core architectures can deliver their best with virtualization
Many workloads are “a bit parallel” but not “embarrassingly parallel”
Processors are going “embarrassingly parallel”
Wattage goes up with the square of clock speed
Moore’s law gains will give more cores, not faster clock speed
Virtualization support on chip from Intel and AMD
Software maturity
The need is there, the hardware is there ... software is maturing too
More than one credible player in the market
We have moved beyond “Virtual PC”
It’s not just the virtualization technology...
Management tools
High availability
Interoperability
Configuration and Architecture: Virtual Server 2005
[Figure: Virtual Server 2005 architecture: an x86/x64 server hosting guests, each stacked as Application over Guest OS over Virtual H/W]
• VS works with Windows:
– Heartbeat from kernel/scheduler
– Windows device drivers
• Up to 32 host CPUs
• Up to 64GB host RAM
• VS leverages existing system storage, networking and security infrastructure
– Teamed NICs, teamed HBAs
• VS Standard Edition: optimized for Windows Server 2003 Standard Edition (2-4P/32GB)
• VS Enterprise Edition: optimized for Windows Server 2003 Enterprise Edition (<8P/64GB)
• Virtualization infrastructure
– VM monitor
– COM API
– Resource management
– WMI/event log integration
– Multi-threaded support
• Guest OS:
– Runs all major x86 operating systems
– 3.6GB RAM
– 4 NICs
– 56.5TB storage (IDE - SCSI)
– 2-N failover MSCS clustering
• Industry-standard device models
– Intel 440BX motherboard
– DEC 21140 NIC
– S3 Trio64 SVGA
– IDE/ATAPI controller
– Adaptec 2940 SCSI controller
– Legacy devices: KBD, mouse etc.
• No custom drivers needed
Configuration and Architecture: Windows Server R2 EE Licensing (1)
Windows Server R2 Enterprise Edition INCLUDES 4 instances
[Figure: Windows Server 2003 R2 EE on hardware, with a virtualization layer running four Windows instances]
Pre-R2 license model: total 5 Windows licenses
Windows Server R2 EE: total 1 license
Configuration and Architecture: Windows Server R2 EE Licensing (2)
Library with 100 images of Windows
7 servers running images (1 per server)
License by “running instances”
Pre-R2 license model: total 107 Windows licenses
New license rights: total 7 Windows licenses
Promotes the use of virtualization and a more dynamic data centre
Create and store images as needed
License the machine-used instances
Application Licensing
App. vendors beginning to account for virtualization
E.g. Microsoft SQL Server, BizTalk® Server, ISA Server: licensed per virtual processor in virtual machines
Virtual Machine management
Microsoft System Center Virtual Machine Manager
PowerShell cmdlets, built on existing APIs to manage servers, VMs and libraries
Scripting interface to support data centre automation
MMC user interface built on top
V1 for VS2005 R2/SP1. New API in WSV 2008 – support in V2.
Hyper-V
Greater scalability and improved performance
SMP and x64-bit guest support
Increased reliability and security
Minimal trusted code base
Better flexibility and manageability
New UI
Integration with SCVMM (dynamically add resources) (live OS/app migration)
[Figure: Hyper-V architecture: on hardware with AMD-V / Intel VT, the Windows Hypervisor runs VM 1 (“Parent”) and VM 2 / VM 3 (“Child”) partitions backed by Virtual Hard Disks (VHD); contrasted with Virtual Server 2005 R2 running VM 2 and VM 3 on top of Windows Server 2003]
Hyper-V vs Virtual Server
Feature                  Virtual Server 2005 R2 SP1   Hyper-V
Virtualization type      Hosted virtualization        Hypervisor
Max physical memory      256 GB                       1 Terabyte
Max VM memory            3.6 GB per VM                64 GB per VM
32-bit VMs?              Yes                          Yes
64-bit VMs?              No                           Yes
Multi-core VMs?          No                           Yes, up to 4 cores
VM snapshots?            No                           Yes
VLANs (802.1q)?          No                           Yes
SCVMM support            V1                           V2
Cluster support?         Yes                          Yes
Scriptable/Extensible?   Yes, COM                     Yes, WMI
Management UI            Web interface                MMC 3.0 interface
Drivers and enlightenments
VMs in Virtual Server see emulated hardware
S3 Trio graphics, DEC 21140 Ethernet etc.
Significant overhead
Enlightened VMs in Hyper-V see a software bus
VM bus devices for network, graphics etc.
VM bus links a “stub” in the child partition to the driver in the parent partition
Can still emulate for unenlightened VMs
Demo: Hyper-V Management, Configuration and VM bus
Network Access Protection
Integrating the Edge: policy, not topology, defines the edge
Network Access Protection Walk-through
Participants: Client; Network Access Device (DHCP, VPN); Network Policy Server; System Health Servers; Remediation Servers; Corporate Network; Restricted Network
1. Client to network access device: “May I have access? Here’s my current health status.”
2. Network access device to Network Policy Server: “Should this client be restricted based on its health?” (System Health Servers send ongoing policy updates to the Network Policy Server.)
3. Network Policy Server: “According to policy, the client is not up to date. Quarantine client, request it to update.”
4. To client: “You are given restricted access until fix-up.”
5. Client to Remediation Servers (restricted network): “Can I have updates?” – “Here you go.”
6. Client: “Requesting access. Here’s my new health status.”
7. Network Policy Server: “According to policy, the client is up to date. Grant access.”
8. Client is granted access to full intranet (corporate network).
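The walk-through above as an added Python example (not Microsoft's NAP code): the health policy, the client's statement of health, the remediation step and the validator checks are constructed stand-ins for what the System Health Servers, System Health Agents and Remediation Servers would supply.

```python
"""Model of the NAP exchange: added example, not Microsoft's NAP code.
Policy values, health claims and the remediation step are constructed."""
from dataclasses import dataclass, field

# Health policy the System Health Servers push to the Network Policy Server.
POLICY = {"min_signature_version": 20080501, "firewall_on": True, "autoupdate_on": True}

@dataclass
class StatementOfHealth:
    signature_version: int   # antivirus signature version reported by the SHA
    firewall_on: bool
    autoupdate_on: bool

@dataclass
class Decision:
    access: str                                  # "full" or "restricted"
    failures: list = field(default_factory=list)

def validate_soh(soh, policy):
    """System Health Validator: compare each claim with policy, list failures."""
    failures = []
    if soh.signature_version < policy["min_signature_version"]:
        failures.append("antivirus signatures out of date")
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("host firewall disabled")
    if policy["autoupdate_on"] and not soh.autoupdate_on:
        failures.append("automatic updates disabled")
    return failures

def nps_decide(soh, policy):
    """Quarantine Server: restricted access until every SHV check passes."""
    failures = validate_soh(soh, policy)
    return Decision("restricted" if failures else "full", failures)

def remediate(soh, policy):
    """Remediation Server answers 'Can I have updates?' with the fix-up."""
    return StatementOfHealth(max(soh.signature_version, policy["min_signature_version"]),
                             firewall_on=True, autoupdate_on=True)

def nap_walkthrough(soh, policy):
    """Client asks, is quarantined, fixes up, asks again: returns (first, second)."""
    first = nps_decide(soh, policy)
    if first.access == "full":
        return first, first
    second = nps_decide(remediate(soh, policy), policy)
    return first, second
```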
Terminal Services
What’s new in Terminal Services?
Because it isn’t new, is it?
Client side: Device Support, Display Changes, TrueType, Single Sign-on
Server Roles: RemoteApp, TS Web Access, TS Gateway, Session Broker
Making Terminal Services a first class citizen
Support for client side improvements
Device support
Can use client’s audio, printer, clipboard, smart card, serial port, drives, camera / MP3 player
RDC display changes
Display was 4:3 and capped at 1600x1200; now can be any size, including spanned monitors
ClearType supported
Vista-style desktop experience supported
Display prioritization: print jobs don’t affect user experience
Experience options (off vs. on)
Single sign-on
Requires Vista or Server 2008 as the client
Group Policy setting: Computer Configuration / Administrative Templates / System / Credentials Delegation. In “Allow Delegating Default Credentials”, add termsrv/Servername
Server Changes
Terminal Services Roles
TS RemoteApp
Client sees an application, not a desktop
Applications identified at the server
Published in one of 3 ways:
.MSI file
.RDP file
TS Web Access
Demo: TS RemoteApp
Making available apps browsable
TS Web Access
Can embed TS client object on web page
Since NT 4.0!!
Now have ability to launch apps or desktop
Pull down RDP file from web page
Run normal client
Demo: TS Web Access
Moving from servers to farms
TS Session Broker
Load balances sessions to terminal servers
Basic operation
User connects to a terminal server
Server knows it is in a farm
Server asks broker “where should this go?”
User session is re-directed
Broker’s decision process
Does this user have a session (reconnecting an open session, or a second TS App session)? If so, connect to the same server
Does the server participate in load balancing? If not, let it have the session
Otherwise, which servers allow new sessions? Calculate sessions / relative weight; connect to the server with the lowest relative load
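The broker’s decision process, as an added Python example (not Microsoft's Session Broker implementation); the server names, relative weights and existing sessions in build_farm() are constructed.

```python
"""Session Broker decision process: added example, not Microsoft's code.
Server names, weights and sessions are constructed."""
from dataclasses import dataclass, field

@dataclass
class TerminalServer:
    name: str
    relative_weight: int = 100        # larger weight = can carry more sessions
    load_balancing: bool = True       # takes part in farm load balancing
    allow_new_sessions: bool = True   # False while a server is being drained
    sessions: set = field(default_factory=set)   # users with a session here

    def relative_load(self):
        return len(self.sessions) / self.relative_weight

def broker_decide(user, entry_server, farm):
    """Pick the server a user who connected to entry_server is redirected to.
    1. User already has a session (reconnect or second RemoteApp session):
       the same server.
    2. Entry server does not take part in load balancing: it keeps the session.
    3. Otherwise: among servers accepting new sessions, the lowest
       sessions / relative weight.
    """
    for server in farm:
        if user in server.sessions:
            return server
    if not entry_server.load_balancing:
        return entry_server
    candidates = [s for s in farm if s.load_balancing and s.allow_new_sessions]
    if not candidates:
        raise RuntimeError("no terminal server in the farm accepts new sessions")
    return min(candidates, key=TerminalServer.relative_load)

def connect(user, entry_server, farm):
    """Redirect the user, record the session on the chosen server, return its name."""
    target = broker_decide(user, entry_server, farm)
    target.sessions.add(user)
    return target.name

def build_farm():
    """Constructed farm: ts1 is rated twice ts2; ts3 is drained for maintenance."""
    return [TerminalServer("ts1", relative_weight=200, sessions={"alice", "bob", "carol"}),
            TerminalServer("ts2", relative_weight=100, sessions={"dave"}),
            TerminalServer("ts3", allow_new_sessions=False, sessions={"erin"})]
```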
Server roles in a farm
Broker: tracks sessions
Redirector: all servers which users initially connect to; connection might be round robin DNS or more sophisticated
Terminal server: runs the user’s workload
Configuring farm membership
Group Policy or TS configuration
Or “VPN considered harmful”
TS Gateway
Tunnel RDP using “RPC over HTTP” technology
Allow client to connect from anywhere
Adds additional roles...
Configuration
Client: setting in Group Policy, or per connection
Server: install role; choose a certificate; set a Connection Access Policy (who and how); set a Resource Access Policy (what)
Multiple servers can form farms
Publish with ISA...
Demo: TS Gateway
Combining Web Access with Gateway
The apps on offer in Web Access can specify the gateway (and can specify the TS farm)
So publish the Web Access page and publish the gateway ....
Users get a portal of published LOB apps, accessible from wherever they are
Conclusions
Publish apps, not desktops
Better client experience
Multiple publication options
Anywhere access: access mail, IM anywhere, why not L.o.B apps?
Scale with server farms
Third parties (e.g. Citrix) still add value
BitLocker
BitLocker™ Drive Encryption
Static Root of Trust: measurement of early boot components
[Figure: boot chain measured by the TPM: TPM Init → BIOS → MBR → Boot Sector → Boot Block → Boot Manager → OS Loader → Start OS; the pre-OS components are measured, all boot blobs are unlocked, then the volume blob of the target OS is unlocked (static OS)]
Keys and Protectors (“Authenticators”)
• TPM
• TPM + USB
• TPM + PIN
• USB Key (Recovery or Non-TPM)
• Recovery Password (48 digits): 123456-789012-345678-
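A simulation of the static root of trust measurement above, added as an example (not BitLocker's own code): a TPM PCR is modelled as a SHA-1 extend chain over the boot components in the order the figure shows, and sealing is modelled as wrapping the volume key under the PCR value a known-good boot produces; the boot images are constructed stand-ins.

```python
"""Simulation of BitLocker's static root of trust: added example, not BitLocker code.
PCR extend and sealing are modelled with hashlib/hmac; boot images are constructed."""
import hashlib, hmac

BOOT_COMPONENTS = ["TPM Init", "BIOS", "MBR", "Boot Sector", "Boot Block",
                   "Boot Manager", "OS Loader"]

def pcr_extend(pcr, measurement):
    """TPM extend operation: PCR = SHA-1(PCR || SHA-1(component)). Order matters."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(components):
    """Walk the pre-OS chain: each stage measures the next before handing over."""
    pcr = b"\x00" * 20                     # PCR reset value at power-on
    for name in BOOT_COMPONENTS:
        pcr = pcr_extend(pcr, components[name])
    return pcr

def seal(volume_key, expected_pcr):
    """Model of sealing: wrap the key under the PCR value a good boot produces."""
    wrap = hmac.new(expected_pcr, b"volume-master-key", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap))
    return wrapped, hashlib.sha256(volume_key).digest()   # (blob, integrity check)

def unseal(blob, current_pcr):
    """Return the volume key, or None if the boot chain measured differently."""
    wrapped, check = blob
    wrap = hmac.new(current_pcr, b"volume-master-key", hashlib.sha256).digest()
    key = bytes(a ^ b for a, b in zip(wrapped, wrap))
    return key if hmac.compare_digest(hashlib.sha256(key).digest(), check) else None

def trusted_boot():
    """Constructed, known-good boot images (stand-ins for the real binaries)."""
    return {name: f"good image of {name}".encode() for name in BOOT_COMPONENTS}

def boot_and_unlock(blob, components):
    """Unlock the OS volume only if the measured chain matches the sealed PCR."""
    return unseal(blob, measure_boot(components))
```

When a measured component differs from the sealed one, unseal returns None and the machine falls back to a recovery protector such as the 48-digit recovery password.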
Branch Office
Technologies for the Branch Office
Virtualization
Read-Only Domain Controllers, which run on Server Core
Admin Role Separation: let server admins be server admins
DFS-R for FRS: cut WAN traffic, reduce exposure
DNS: write-forwarding DNS servers in branch offices
BitLocker: blanket encryption
Read Only Domain Controller
Allows you to control three key things:
Location of credentials
Resistance to WAN failure
Security
RODC Deployment Considerations
BitLocker host
RODC DNS for clients
Choose Password Replication Policy
• No passwords cached (default)
• Most passwords cached
• Few passwords (branch-specific accounts) cached
How many Domain Admins do you have?
That’s All
Stephen Lamb http://blogs.technet.com/steve_lamb
James O’Neill http://blogs.technet.com/jamesone
Reference Material
Network Access Protection Components
[Figure: the Client (System Health Agent (SHA) from MS and 3rd parties, Quarantine Agent (QA), Enforcement Client (DHCP, IPsec, 802.1X, VPN)) sends health statements and network access requests to the Network Access Device & Health Registration Authority, which issues a health certificate; the Network Policy Server (RADIUS) hosts the Quarantine Server (QS) and System Health Validator (SHV); System Health Servers push health policy updates; Remediation Servers serve fixes]
• Client
– SHA – health agents check client state
– QA – coordinates SHA/EC
– EC – method of enforcement
• Remediation Server
– Serves up patches, AV signatures, etc.
• Network Policy Server
– QS – evaluates client health
– SHV – evaluates SHA answer
• System Health Server
– Provides SHV