blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for Articles Tagged Windows

Windows Server 2008 Power Savings Whitepaper

July 9th, 2008 by slowe

I got notice of this whitepaper back during Tech-Ed but it’s been sitting in my “blog posts to write when I get time” pile until now. Microsoft has posted a whitepaper (download it here) as well as a blog entry (viewable here) regarding Windows Server 2008’s new power saving functionality.

While some of the functionality is genuinely new and useful—like the monitoring of CPU utilization and throttling of CPU speed accordingly—some of the stuff in the blog entry, at least, isn’t. Including Hyper-V virtualization as a “power saving feature” of Windows Server 2008 is a bit disingenuous, since any server virtualization solution will provide power savings simply by consolidating multiple workloads onto a single server.

If you’re interested in learning more about how Windows Server 2008 attempts to reduce power usage, have a look at these resources.

Category: Microsoft | No Comments »

Hyper-V Storage Scenarios

June 27th, 2008 by slowe

Like everyone else in the virtualization world (except for perhaps the folks in Palo Alto, CA), there’s a lot of Hyper-V stuff crossing in front of me.

This time it’s an article on storage options for Hyper-V, written by Jose Barreto. (You’ll recall that I referenced Jose’s clustering article a few days ago.) Out of the wide variety of blogs coming out of Microsoft, Jose’s is one that I have really, truly found informative and helpful. The home page for his blog is here.

Jose also wrote a follow-up article on Hyper-V’s storage options where he discussed booting from iSCSI.

Great work, Jose! Keep it coming.

Category: Microsoft, Virtualization, Storage | No Comments »

More on Hyper-V and NIC Teaming

June 23rd, 2008 by slowe

My original article on Hyper-V’s issues with NIC teaming has gotten a fair amount of attention.

First Keith Ward over at Virtualization Review blogged about this issue. In his initial post, Keith basically pointed out the issue and then asked the readers for feedback: is this really as big of an issue as it seemed? The readers who responded were split; one blasted Hyper-V and the other wasn’t too concerned.

Keith followed that up with another post in which he provides a response from Microsoft regarding this issue:

NIC Teaming is a capability provided by our hardware partners such as Intel and Broadcom. Microsoft supports our partners who provide this capability. This is true whether the customer is running Windows, Exchange, SQL, Hyper-V, etc. We’ll have a detailed KB article about this coming out soon.

Keith’s second article was then also picked up by DABCC.

While Microsoft is sticking to the “this is a device driver issue” mantra, I’m not so sure I agree. I can see their position to a point. In Keith’s second post, analyst Chris Wolf brings up storage drivers. This is similar in that Microsoft relies upon the storage vendors to provide device-specific modules (DSMs) that provide the multipathing functionality. So, like with the NIC teaming, Microsoft is pushing the functionality back to the device drivers and vendors who write them.

But that’s as far as this comparison can be taken. Microsoft officially supports storage multipathing; they don’t officially support NIC teaming. (See this KB article or this KB article.) In addition, Microsoft provides an official framework in which the storage vendors can operate: the MPIO framework. There is no such framework for network redundancy. In fact, if such a framework existed then much of the dissatisfaction with Microsoft over this issue would be alleviated, in my opinion.

Instead, there is no framework to provide official NIC redundancy for any Microsoft product running on Windows Server, and Windows itself doesn’t provide that functionality. Users are forced to adopt unsupported means to provide NIC redundancy. Why shouldn’t they be upset?

By the way, since publishing the first article I’ve been contacted by one of the presenters of the VIR358 session during which this issue came to light, but he has not yet been able to provide any additional information. As soon as more information is available, I’ll be sure to let everyone know here.

Category: Networking, Microsoft, Virtualization | 9 Comments »

Hyper-V Clustering Scenarios

June 22nd, 2008 by slowe

After my coverage of Tech-Ed 2008, I think a greater number of Microsoft people are reading my blog. One of them, Jose Barreto, sent me an e-mail to notify me about a post he’d written on the various ways in which to implement Windows Server Failover Clustering with Hyper-V. Quoting from his post:

There are many ways to implement Windows Server Failover Clustering with Hyper-V. I could actually find five unique methods to do it. Some of them will actually not give you a fully fault-tolerant solution, but most of them actually make sense in specific scenarios (even if only for demonstrations). In any case, just trying to understand and differentiate them will probably be a good exercise.

It’s a good read, and I recommend reading and reviewing it if you need to brush up on how to combine clustering and Hyper-V.

Thanks for the heads-up, Jose, and thanks for the well-written article. Keep up the good work!

Category: Microsoft, Virtualization | 2 Comments »

Finding UNIX-Enabled Accounts in Active Directory MMC

June 18th, 2008 by slowe

In UNIX/Linux integration scenarios, it’s useful to know which accounts have been UNIX-enabled, i.e., have had the UID number, NIS domain, login shell, and home directory attributes configured.

It’s certainly very possible to do this with command-line tools such as AdFind or DsQuery, but users may also find it useful to have a saved query available within the Active Directory Users & Computers console for easy reference.

The way to do this is to define a custom query using this string:

(objectCategory=Person)(objectClass=User)(uidNumber=*)

If you add just this text and nothing else in the “Find Custom Search” dialog box (the Advanced tab), then the console will automatically add ampersands and additional parentheses to turn it into a “proper” LDAP query that will show you any account that has a UID number configured. Certainly, additional fields like loginShell or unixHomeDirectory could be added as well, but this query will probably be sufficient for most instances.
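The same search run from PowerShell, as an added example that is not part of the original post: it wraps the fragments into the single AND filter the console would build, runs it through the .NET DirectorySearcher, and, going a little beyond the post, flags duplicate UIDs, UID 0, and accounts missing loginShell or unixHomeDirectory. The function names and the sample accounts are made up for illustration.

```powershell
# Added example; function names and sample accounts are made up for illustration.

function ConvertTo-LdapAndFilter {
    # Wrap bare "(attr=value)" fragments into one AND filter: (&(a)(b)(c)).
    param([Parameter(Mandatory = $true)][string]$Fragments)
    $f = $Fragments.Trim()
    if ($f -notmatch '^(\([^()]+\))+$') {
        throw "Expected only (attr=value) fragments, got: $f"
    }
    "(&$f)"
}

function Get-FirstValue {
    # A missing attribute has no value collection; return $null instead of failing.
    # Compare against $null explicitly so a stored value of 0 is not lost.
    param($Result, [string]$Name)
    $values = $Result.Properties[$Name]
    if ($null -ne $values -and $values.Count -gt 0) { $values[0] }
}

function Get-UnixEnabledAccount {
    # Runs the filter against the current domain (needs a domain-joined host).
    param([Parameter(Mandatory = $true)][string]$Filter)
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000   # page through results rather than stop at the server's size limit
    $searcher.PropertiesToLoad.AddRange(
        [string[]]('samaccountname', 'uidnumber', 'loginshell', 'unixhomedirectory'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                SamAccountName    = Get-FirstValue $r 'samaccountname'
                UidNumber         = Get-FirstValue $r 'uidnumber'
                LoginShell        = Get-FirstValue $r 'loginshell'
                UnixHomeDirectory = Get-FirstValue $r 'unixhomedirectory'
            }
        }
    } finally { $results.Dispose() }
}

function Find-UnixAccountIssue {
    # Flag conditions worth reviewing on UNIX-enabled accounts.
    param([object[]]$Accounts)
    $issues = @()
    $dupes = $Accounts | Group-Object UidNumber | Where-Object { $_.Count -gt 1 }
    foreach ($g in $dupes) {
        $names = ($g.Group | ForEach-Object { $_.SamAccountName } | Sort-Object) -join ', '
        $issues += "Duplicate uidNumber $($g.Name): $names"
    }
    foreach ($a in $Accounts) {
        if ($a.UidNumber -eq 0) {
            $issues += "uidNumber 0 (root on UNIX): $($a.SamAccountName)"
        }
        if (-not $a.LoginShell -or -not $a.UnixHomeDirectory) {
            $issues += "Missing loginShell or unixHomeDirectory: $($a.SamAccountName)"
        }
    }
    $issues
}

# Constructed sample accounts so the checks can be tried without a directory.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UidNumber = 10001
                       LoginShell = '/bin/bash'; UnixHomeDirectory = '/home/alice' }
    [pscustomobject]@{ SamAccountName = 'bob'; UidNumber = 10001
                       LoginShell = '/bin/sh'; UnixHomeDirectory = '/home/bob' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UidNumber = 0
                       LoginShell = '/bin/bash'; UnixHomeDirectory = '/root' }
    [pscustomobject]@{ SamAccountName = 'carol'; UidNumber = 10003
                       LoginShell = $null; UnixHomeDirectory = '/home/carol' }
)

$filter = ConvertTo-LdapAndFilter '(objectCategory=Person)(objectClass=User)(uidNumber=*)'
$useLiveDirectory = $false   # set to $true on a domain-joined host
$accounts = @(if ($useLiveDirectory) { Get-UnixEnabledAccount -Filter $filter } else { $sample })

"Filter: $filter"
Find-UnixAccountIssue -Accounts $accounts
```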

I started not to publish this, but figured if I couldn’t remember the exact syntax then someone else might not be able to remember the syntax either. This one is as much for me as it is for others.

Category: Interoperability, Microsoft | 1 Comment »

One More Tech-Ed Schedule Change

June 12th, 2008 by slowe

I have to swallow my pride and admit defeat: the amount of information at Tech-Ed 2008 has overwhelmed me. I’ll be skipping my last session, a session on Server Core, to return back to my resort and prepare to fly home early tomorrow morning. If you were looking for some information on Server Core, I’m sorry to disappoint you!

Category: Microsoft | 1 Comment »

VIR350: System Center VMM Advanced Integration

June 12th, 2008 by slowe

Yes, yet another System Center VMM session…it’s pretty clear that System Center is a major component of Microsoft’s server virtualization strategy. This session is VIR350, System Center VMM Advanced Integration, so I suppose we will be seeing more PowerShell and more integration with other System Center family members. As with the other liveblogged sessions, I’ll try my best to weed out duplicate content.

The presenter for this session is David Armour, a Senior Program Manager at Microsoft.

(Side note: what exactly is a Program Manager, anyway? Microsoft must have thousands upon thousands of them. I think that every single presenter so far this week has been a Program Manager or a Senior Program Manager.)

The focus of this session will be on how to extend or customize System Center VMM, and most of the information presented here will apply to both VMM 2007 and VMM 2008 (currently in beta). The key technology used in this case is PowerShell, which can be used either against Hyper-V directly or against VMM. VMM, however, vastly simplifies the PowerShell code required to perform a task when compared to doing the same task against Hyper-V directly.

As has been stated elsewhere, VMM is built on PowerShell, and the GUI represents only a subset of all the functionality of the overall feature set available via PowerShell. Note that the self-service web portal is also built on top of PowerShell. David goes on to discuss the various ways in which a client, like the VMM GUI, interacts with the PowerShell layer.

David then moves into a demo of VMM. He walks through the creation of a new VM, and one thing I noticed that I hadn’t seen before was the idea of a “hardware profile.” This is a set of hardware properties like number of CPUs, amount of RAM, number of NICs, etc. This is a nice feature, as it separates common hardware configurations from the OS installation. Typical VM templates combine the hardware configuration and the OS installation together.

In the demo, David shows how the automatically-generated PowerShell script can be easily modified to use a variable and prompt the user for information so that you can create a script that quickly and easily creates a new virtual machine with the name of your choice. That’s fairly handy.

The next few slides described the hierarchical nature of the VMM PowerShell objects, and how the PowerShell Cmdlets always generate a job in VMM. This allows VMM to audit jobs, provide a job history, and store changes invoked by a job. Security can also be applied to a job, so as to enforce ACLs. This also allows long-running jobs to be asynchronously monitored over time via the job.

David recommends using the PowerShell button in VMM; this automatically loads the appropriate snap-in so that all the VMM Cmdlets are available for use. He then launches into a fairly in-depth demo and review of PowerShell, how to interrogate a snap-in to determine its commands, how to sort or filter output to show only the desired results, how to view the details on a particular command, and how to use some simple pipes. He also showed some ways to get more information or help or to view detailed documentation on a command or a command’s parameters.

The next little while was spent walking through a series of scenarios of using PowerShell to perform various tasks. First is a series of tasks to provide a report (or a group of reports) to management. Next David walks through scenarios involving the creation of new VMs, including creating a hardware profile, attaching hardware, and using intelligent placement for the new VM.

Tired of the boring old PowerShell command prompt? David moves into a demo of PowerGUI, a way of turning PowerShell commands into a GUI application. He also demonstrated PowerGadget Creator, which allows one to create a Windows Vista Sidebar Gadget using PowerShell. This would allow users to create tools to display VM or VM host information in the Vista Sidebar. Finally, David shows how to use Visual Studio to extend VMM using PowerShell. Frankly, this level of extensibility and customization is probably beyond most users, but I suppose it’s useful functionality to have nevertheless.

The next topic was….(drum roll please)….PRO! That’s right, another discussion of the integration between VMM and Operations Manager which is built upon PowerShell. Fortunately, David didn’t spend a great deal of time covering PRO yet again (thank you!).

David closed out the session with a quick summary of the material covered and pointed attendees to a few online resources. I found the session reasonably helpful, even if only from the perspective of getting more familiar with the VMM object model so that I can write my own PowerShell scripts.

Category: Microsoft, Virtualization | 3 Comments »

Significant Networking Problem with Hyper-V

June 12th, 2008 by slowe

After the conclusion of VIR358, I went up to the front to speak with the presenters about the question I had during the session: what about NIC bonding or NIC teaming? You’ll recall that I wondered about that during the VIR358 session.

Well, it turns out that Hyper-V does not support any form of NIC teaming or NIC bonding. Yes, you read that right: you can’t link more than one NIC to a virtual switch in Hyper-V.

If you follow my del.icio.us linkstream, you will probably have noted that I recently bookmarked a Microsoft KB article that describes how using HP’s Network Utility can cause Hyper-V to stop responding. I guess this just goes to further support Hyper-V’s lack of support for NIC teaming or bonding.

In my opinion, that is a huge problem. How does one go about providing network link redundancy to guests hosted on Hyper-V? Surely using Failover Clustering and Quick Migration isn’t the answer here, is it? One of the presenters offered to get back to me with more information; I’ve already sent him an e-mail so he has my contact information. As soon as I hear something back, I’ll be sure to update this post.

Category: Networking, Microsoft, Virtualization | 13 Comments »

VIR358: Hyper-V Architecture, Scenarios, and Networking

June 12th, 2008 by slowe

Day 3 of Tech-Ed 2008 is upon me, and the first session of the day is another session with Jeff Woolsey. This session, VIR358, is titled “Windows Server 2008 Hyper-V Architecture, Scenarios, and Networking.” I suspect there will be some duplicate content from Jeff’s Day 1 session, and I’ll try to weed that out wherever possible. I’m particularly interested in the networking discussions, as I was unable to gather any real information on Hyper-V networking from the Day 1 session or from my private discussion with Jeff.

As the session begins, Jeff reminds everyone of the MAP 3.1 beta. I described MAP in more detail in a session yesterday. This new version adds some additional functionality and features, primarily around Windows Server 2008 Hyper-V. Jeff went into some additional detail about MAP, but I won’t worry about covering that again here.

Jeff’s agenda lists a virtualization comparison. I’m guessing that will mean a comparison of Hyper-V with other virtualization solutions. Will that comparison be against other vendors’ products?

According to IDC, virtualization penetration is estimated to be only 17% in 2010, up from 5% in 2005.

(The session is very crowded, perhaps the most crowded session I’ve attended thus far.)

With regards to system requirements, Hyper-V requires hardware assists (Intel VT or AMD-V) and hardware-enabled data execution prevention (DEP; in the form of AMD NX or Intel XD). Without these features, Hyper-V will not operate. Hyper-V is 64-bit also, meaning that you must use x64 processors.

Jeff describes the hypervisor itself as running in “Ring -1”, which he explains as less than Ring 0 due to the hardware assists provided by Intel VT or AMD-V. This allows child partitions (guest VMs) to run at native Ring 0.

The architecture slide that Jeff takes some time to walk through contains much of the same information as VIR367 on Day 1. Going back to I/O again, Jeff revisits the concept of emulation (used in Virtual Server) vs. synthetic devices. Emulation provides great backward compatibility, but performance was awful. Hyper-V uses “driver enlightenment,” or synthetic devices, which leverage VMBus. VMBus is a point-to-point high-speed connection between a child partition and the parent partition. Note that synthetic devices are only available to “enlightened” guest operating systems. You can consider Hyper-V’s synthetic devices and their corresponding drivers to be the equivalent of VMware Tools, VI Tools, etc. Some vendors also call these paravirtualized drivers. Virtualization Service Providers (VSPs) and Virtualization Service Clients (VSCs) are part of this synthetic device architecture and VMBus.

The partnerships between Microsoft and Linux vendors (like Novell) allow for enlightened drivers to be available for Linux distributions as well, preventing them from having to use emulation and suffering the performance penalty that results.

The Hyper-V features checklist includes support for up to 64GB of RAM per VM, up to 4 logical CPUs per VM, integrated cluster support (this provides both HA and Quick Migration functionality), support for BitLocker (earlier sessions seemed to question Hyper-V support for BitLocker), live VM backups through integration with Volume Shadow Service (VSS), pass-through disk access for VMs, VLAN and load balancing support, and snapshots. For the most part, this puts Hyper-V on par with most other virtualization solutions, with the glaring exception of live migration. Live migration is supported by VMware, XenServer, and Virtual Iron, among others. Microsoft does have an advantage with the VSS support for live VM backups.

Jeff references a white paper due to be published soon that details how to use BitLocker with Hyper-V.

Jeff did cover one slide on Hyper-V security. I won’t reproduce that stuff again; refer back to my coverage of Jeff’s discussion on Day 1 in VIR367.

Next, Jeff reviews the results of the TAP, RDP, and MSIT deployments. Based on thousands of VMs running on Hyper-V running in production across a variety of industries, Jeff says there have been zero performance blockers, zero deployment blockers, zero application compatibility bugs, and zero scalability blockers. According to Jeff, “the little red phone” that TAP or RDP customers can call if there’s a problem hasn’t rung even once. He also revisits the use of Hyper-V for the TechNet and MSDN web sites.

Mike Sterling then takes over to provide a demo of Hyper-V. Following the demo of Hyper-V, Mike also provides a brief demo of System Center Virtual Machine Manager (SCVMM) 2008. I’ve covered that product extensively in other sessions, so I won’t cover that material again here.

Once Mike concludes his demo, Jeff starts into a discussion of networking. Microsoft recommends at least two network adapters; obviously, more would be better. If you are going to use iSCSI, use another dedicated NIC for storage. That brings it up to three NICs at a minimum. I recommend an absolute minimum of three adapters with other virtualization solutions, so this is nothing surprising or unusual. In terms of connecting the NICs, connect one NIC to a management network (this is where the parent partition will communicate) and connect separate NICs to the storage and production networks. Only VMs should be exposed to production networks.

We now move into some networking examples. In example 1, we have 4 adapters. One adapter will be assigned to the parent partition for management, and the remaining three NICs will be used for VM networking. Storage in this case will not be iSCSI; it will be Fibre Channel or direct attached. In the Hyper-V configuration, selecting these three NICs for use with VM traffic creates three separate virtual switches. What about NIC bonding for virtual switches?

In example 2, we have 4 adapters again, but this time 1 NIC will be used for iSCSI traffic. This leaves only two NICs for VM traffic. This example shows multiple VMs sharing a single virtual switch, but I still don’t see anything with multiple NICs assigned to a single virtual switch.

When looking at the properties for NICs assigned to the parent partition, all the typical components will be bound. Conversely, for NICs assigned to virtual switches, only the Virtual Switch Protocol will be bound to the NIC.

When looking at a VM, emulated NICs will be listed as “Legacy Network Adapter,” whereas the new synthetic adapters will be listed simply as “Network Adapter.”

If you’d like to run Hyper-V on a laptop (perhaps for demos or testing), Hyper-V does not provide any support for wireless networks. It also doesn’t support sleep or hibernation, and multiple spindles (multiple physical hard disks) are highly recommended. You also need a laptop that uses the Santa Rosa chipset or a later chipset. These newer chipsets will allow you to use 4GB of RAM or more in the laptop.

Jeff went through a few more slides, describing his personal laptop configuration (dual-boot Windows Server 2008 and Windows Vista with dual hard drives), a cheap test/dev system, and the overall procedure for creating new VMs. I believe I described the process for creating new VMs earlier, but if you’ve used a virtualization solution before there’s nothing new here. Jeff speaks highly of the rapid deployment capabilities that are possible now with Hyper-V, SCVMM, and VM libraries; I would dare to say this kind of functionality is pretty standard with most every virtualization solution out there. That’s not a knock against Hyper-V, just a “level set” that this isn’t something that doesn’t exist with other platforms. This just brings Hyper-V on the same level with other products.

The next few slides were all material that’s already been covered elsewhere, like SCVMM, SCOM integration with SCVMM, other System Center components, etc. I won’t bore you with all the details again. If there is one thing that I’m tired of hearing here at Tech-Ed this year, it’s the story about bringing all of System Center together with Hyper-V. Every single session says it.

The virtualization comparison first compares Hyper-V with Virtual Server 2005 R2, and then moves on to compare Hyper-V with ESX 3.5. I don’t necessarily agree with the way in which Jeff makes the comparisons with ESX; for example, he lists Hyper-V as having “unified physical and virtual management” but ESX as having only “virtual management.” It’s not Hyper-V that provides this functionality; that’s System Center Operations Manager. That kind of comparison is, in my opinion, playing loose and fast with the boundaries of the products and related products. I may just have to perform and publish my own comparison…

That wrapped up the session. They gave away three copies of Windows Server 2008, SQL Server, Visual Studio, but I didn’t win. Bummer.

Category: Networking, Microsoft, Virtualization | No Comments »

MGT374: Offline Virtual Machine Servicing Tool

June 11th, 2008 by slowe

This session couldn’t be published live because I had no wireless signal and no cellular signal in the breakout room. However, I did want to capture the information and publish it at the next available opportunity for the benefit of the readers.

This session was hosted by Luis Camara Manoel, Satish Mathew, and Jay Sauls (he was also one of the presenters in the session prior to this one). The focus of the session, quite obviously, is the Offline Virtual Machine Servicing Tool, which is designed to help in the maintenance and patching of offline VMs. Offline VMs are typically cited as one of the major security concerns with virtualization projects, in that they likely will not be as up-to-date with patches and malware protection as online VMs; thus, when they finally do come online they could present a security risk to the organization.

The session starts off with an overview of the various Solutions Accelerators that are available from Microsoft, and then Jay Sauls takes over and begins to talk about the MAP toolkit again. Of course, I’ve just finished an extensive session on the MAP toolkit, so this is completely redundant and absolutely useless for me. I tuned him out until the session changed focus again to the Offline VM Servicing Tool.

When the session switches focus back to the Servicing Tool, the question is asked: Why are offline VMs such a problem? Many attendees in the session indicate that they have sizable numbers of offline VMs sitting in a library. The typical problem, as I mentioned earlier, is that the offline VMs miss patches, miss compliance scans, and miss other updates.

The solution to this problem is the Offline Virtual Machine Servicing Tool. This tool is designed to automate the application of OS patches as well as application patches. This is accomplished by integrating with existing System Center products like System Center Virtual Machine Manager (SCVMM) and System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). I appreciate the fact that Configuration Manager is not required; otherwise, this tool would be far less useful.

Note that “true offline” patching will be available in the next version of Configuration Manager, but it will only service VMs running Windows Vista and Windows Server 2008.

The Offline VM Servicing Tool takes four steps in its operation:

  1. Identify
  2. Assess
  3. Patch
  4. Report

The overall process of how the Offline VM Servicing Tool works looks something like this:

  1. The tool reads the SCVMM library and gets a list of VMs
  2. A VM group is created
  3. The user must select a group of maintenance hosts; these maintenance hosts will be where the offline VMs will be moved to be patched
  4. It will schedule a job on these maintenance hosts
  5. The VMs will be moved from the library to the maintenance hosts and started
  6. The VMs will be patched using Configuration Manager or WSUS (see below)
  7. Upon confirmation of the patching of the VMs, they will be shut down and moved back to the SCVMM library

The tool works by utilizing PowerShell to automate a series of tasks like starting the VM, moving the VM, applying patches, etc. The UI screens for the tool were developed to match the SCVMM UI screens. Windows Server 2003, Windows XP, and Windows Vista are currently supported; Windows Server 2008 is not yet supported.

The requirements for using the tool:

  • All VMs must be under SCVMM control
  • It’s strongly recommended to set up a separate VLAN for the maintenance hosts
  • If using Configuration Manager, all VMs must have the Configuration Manager client
  • If using WSUS, all clients must be configured to use WSUS
  • The server running the Offline VM Servicing Tool must be dual homed to talk to both SCVMM and Configuration Manager/WSUS

At this point Satish, one of the presenters, took over with a demo of the tool. As mentioned earlier, the tool looks and acts a lot like SCVMM.

The presentation consistently referenced SCVMM 2007, the currently shipping version; support for SCVMM 2008 will be included in the next version of the tool. Also slated for inclusion in the next version is support for Windows Server 2008, Hyper-V, Configuration Manager 2007 SP1, and WSUS 3.0 SP1. Unfortunately, this next version isn’t due until 2009, leaving quite a sizable gap in time between the availability of Windows Server 2008 and Hyper-V and the ability of the tool to work with those products. It seems to me that the Offline VM Servicing Tool, while useful right now, will become much less relevant and much less useful once Hyper-V and SCVMM 2008 go RTM.

At this point, Stephen Anderson with Compellent took the stage and began to discuss his company’s products. I’m not really clear why Compellent was given time to advertise their products, unless it was by virtue of the fact that Compellent provided Microsoft with some tools and equipment to assist in the development of the Offline VM Servicing Tool. In any event, I found this to be completely inappropriate and left the session.

Category: Security, Microsoft, Virtualization | No Comments »