My blog is moving at the end of March. We are moving the whole TS2 team blog to the TechNet Blog site.
You can find our new site at http://blogs.technet.com/uspartner_TS2Team. I’ve moved all of my Hyper-V screen casts to the new site; you can access the summary page here.
Don’t worry, we’ll continue the discussion, we’ll just do it at our new location.
See you there! http://blogs.technet.com/uspartner_TS2Team
Rob
What is BitLocker?
BitLocker lets you encrypt the hard drive(s) on your Windows Vista Enterprise, Windows Vista Ultimate or Windows Server 2008 computer. BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows 2003; only Windows Vista and Server 2008 include BitLocker. BitLocker drives can be encrypted with 128 bit or 256 bit encryption, which is plenty strong to protect your data in the event the computer is lost or stolen. BitLocker protects your hard drive from offline attack. This is the type of attack where a malicious user takes the hard drive out of your mobile machine and connects it to another machine so they can harvest your data. BitLocker also protects your data if a malicious user boots from an alternate Operating System. With either attack method, BitLocker encrypts the hard drive so that when someone has physical access to the drive, the drive is unreadable. Now if you are a network admin and you need to harvest data from a hard drive when a machine fails, our tools include the functionality to prompt the admin for the recovery key so the hard drive can be accessed. We've done a good job at ensuring the data does not end up in the wrong hands, while making it easy for authorized users to access the data in the event of a failure.
What does BitLocker do?
Again, BitLocker encrypts the hard drive(s) to protect the Operating System from offline attacks. Server 2008, Windows Vista Enterprise, and Windows Vista Ultimate all include BitLocker functionality. Windows Vista Business Edition and the Home Editions do not include BitLocker. The RTM versions of Vista only allow BitLocker encryption of the C: drive. SP1 for Vista includes the ability to encrypt all of the hard drives belonging to the Vista machine. Server 2008 includes the ability to encrypt all of its attached hard drives as well. BitLocker on a Server 2008 server might not make sense for your servers in the Data Center, but using BitLocker on servers in remote offices makes a lot of sense. How many remote offices have their servers in secure Data Centers? They don't! If you're lucky, your server sits in a locked closet. If you're unlucky, it sits under someone's desk. Deploying BitLocker to these machines makes perfect sense because if those machines are stolen, their data is encrypted and protected from the types of attacks that they would be exposed to. Another piece to protect these remote servers is the Read Only Domain Controller functionality. I won't go into it here, but it gives you the ability to provide fast logon experiences for your remote users while ensuring that all of the domain credentials are not stored on these remote office servers.
What does BitLocker not do?
BitLocker does not protect the computer's contents while the operating system is running. Again, BitLocker is built for offline attacks; once the operating system is up and running, Windows Vista will protect your data from unauthorized access. When Vista is up and running, unauthorized access can come in the form of:
- A malicious user trying to log onto the local computer. Windows Vista can protect itself by enforcing strict password policy and complexity. If your data is important enough to encrypt, please also require complex passwords and/or two-factor authentication. Two-factor authentication takes simple or easy-to-guess passwords out of the equation so that they are no longer a risk.
- A malicious user connecting to the computer over the network to harvest data from the local computer. If the malicious user has access to your physical network, they can try to connect to your machine over it. Again, strict user permissions on the local machine and on your network as a whole will prevent malicious users from accessing your network.
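As an added example (not part of the original post, and not a Microsoft tool), here is a PowerShell audit that reads the output of manage-bde -status and flags any volume that is not fully encrypted with protection on, which is the state BitLocker needs to be in to give you the offline protection described above. It assumes the "Conversion Status:" and "Protection Status:" lines printed by manage-bde on Windows 7 / Server 2008 R2 and later; Vista and Server 2008 ship the tool as manage-bde.wsf (run with cscript), so confirm the output layout there first. The sample output embedded below is constructed.

```powershell
# Added example: parse manage-bde -status output and report BitLocker compliance per volume.
# Assumption: the "Volume X:", "Conversion Status:" and "Protection Status:" lines shown below.

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            # A new volume block starts; flush the previous one
            if ($null -ne $current) { $volumes += $current }
            $current = [ordered]@{ Drive = $Matches[1]; Conversion = ''; Protection = '' }
        } elseif ($null -ne $current -and $line -match '^\s*Conversion Status:\s*(.+)$') {
            $current.Conversion = $Matches[1].Trim()
        } elseif ($null -ne $current -and $line -match '^\s*Protection Status:\s*(.+)$') {
            $current.Protection = $Matches[1].Trim()
        }
    }
    if ($null -ne $current) { $volumes += $current }
    $volumes | ForEach-Object { [pscustomobject]$_ }
}

function Test-BitLockerVolumes {
    param([string[]]$Lines)
    foreach ($v in ConvertFrom-ManageBdeStatus -Lines $Lines) {
        # Only "Fully Encrypted" + "Protection On" gives offline protection;
        # a paused conversion or suspended protectors leaves data readable
        $ok = ($v.Conversion -eq 'Fully Encrypted') -and ($v.Protection -eq 'Protection On')
        [pscustomobject]@{
            Drive      = $v.Drive
            Conversion = $v.Conversion
            Protection = $v.Protection
            Compliant  = $ok
        }
    }
}

# Constructed sample in the layout manage-bde -status uses; on a real machine
# replace it with:  $sample = manage-bde -status
$sample = @(
    'Volume C: [OS]',
    '[OS Volume]',
    '    Conversion Status:    Fully Encrypted',
    '    Percentage Encrypted: 100%',
    '    Protection Status:    Protection On',
    '',
    'Volume D: [Data]',
    '[Data Volume]',
    '    Conversion Status:    Fully Decrypted',
    '    Percentage Encrypted: 0%',
    '    Protection Status:    Protection Off'
)

Test-BitLockerVolumes -Lines $sample | Format-Table -AutoSize
```

With the constructed sample, C: reports Compliant = True and D: reports Compliant = False, which is exactly the kind of drive that would be readable if the machine were stolen.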
Other ways to protect your data:
RMS, EFS, IPSec. I'll give you more detail in my next post.
Until next time!
Rob
I received the following question:
Thanks for the article. What do you do about your host system's pagefile? I'm thinking more about size. Do you leave the default? I have a 16GB system and 12GB of that is allocated to VMs.
Do I size the host pagefile for the whole 16GB or just for the 3 or 4GB not used by the VMs? Of course, I want to reduce paging and disk I/O for the host, but if I don't need a huge pagefile, then I'd rather not.
Still researching to see if the old 1.5x RAM sizing is still applicable to x64 large-RAM Hyper-V systems.
Thanks!
Well I did some looking around and there is not a black and white answer to this one, but for the majority of your situations, I'd recommend that we let the system manage the pagefile.sys. Pagefile.sys is around for two reasons:
- Provide Virtual Memory to support the physical memory on the server. 1x-1.5x the amount of memory is the "suggested size" of the pagefile.sys, but usually that does not make "sense" on a 16GB machine, and this is "traditional guidance" that does not take Hyper-V into consideration.
- Pagefile.sys has always been available as the dump location in the event of a crash, so in this situation, sometimes you need a pagefile.sys that is at least the size of your available RAM (plus a little more). Check out the article below that discusses the details to be considered.
If the server crashes once, do you really want a dump of all of the RAM? If you do, then pagefile.sys needs to be larger than the available RAM, and the machine probably needs to be configured to allow all of the RAM to be dumped. Be warned that if you do this, the memory dump could take a very long time (30 - 60 minutes?). Most likely, you don't want to run with this big of a pagefile.sys, because machines don't bluescreen that often anymore. If you do encounter repeated blue screens, you'll most likely work with a Support Professional who will help you configure the server to generate the appropriate dump anyway.
Now when we consider your situation, 4 GB is usually adequate since the other 12 GB is dedicated to the VMs. Since the VMs require real RAM, not virtual memory, there's really no reason for pagefile.sys to support the VM memory for day to day operations. Again, the only good reason I could find to have a 16 GB page file in *most* (but not all) instances is to be able to capture a memory dump in the event of a failure.
Here is the guidance on Server 2003 and Windows XP pagefile.sys planning. While we have made some changes in Server 2008, this guidance is a very good starting place, so check it out. It asks you to profile your machine with your workloads, and then use that profile information to determine the pagefile.sys size.
How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP
At this time, we do not have guidance specifically for Server 2008 and Hyper-V, but this plan should be fine in most scenarios. One thing that has changed in Server 2008 and Vista is that you can now specify a different dump file, location and size of the dump files. That's a different discussion, but the pagefile.sys guidance above should be adequate for "best practice" configurations.
As you can tell, I've hedged my bets both ways on this because there is no one-size-fits-all answer if you feel you need to customize the pagefile.sys configuration, but usually the pagefile.sys configuration is not an item that will impact system performance that much anymore. The pagefile.sys configuration is System Managed by default for both Server 2008 and Windows Vista. If you want to conserve space, I can see the reasoning for no more than a 4 GB pagefile.sys on a Hyper-V machine. Heck, I can even see where only a 2 GB pagefile.sys might make sense, but again, the system by default can take care of that for you.
Of my three Hyper-V machines, I've configured two of them manually so that I could move the pagefile.sys file off of the boot drive. My third machine is configured with the default configuration of System Managed. If you really want to tweak performance, putting pagefile.sys on a different drive can reduce drive contention as long as the new destination isn't hosting any other disk IO intensive applications like Virtual Machines or databases.
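To make the reasoning above concrete, here is an added PowerShell example (mine, not from the post and not official Microsoft guidance) that turns it into a check you can run on a Hyper-V host. The sizing rule it encodes is the post's own: host RAM minus the RAM handed to VMs for day-to-day operation, and all of RAM plus a margin only when a complete memory dump is configured. The 256 MB dump margin and the 1 GB floor are my assumptions; the VM RAM figure is passed in by hand because the post sizes it from what you have assigned in Hyper-V Manager.

```powershell
# Added example: suggest a pagefile size for a Hyper-V host and compare it with what is configured.
# Sizing rule is the post's reasoning, not a Microsoft recommendation.

function Get-SuggestedPageFileMB {
    param(
        [int]$HostRamMB,              # physical RAM in the host
        [int]$VmRamMB,                # RAM assigned to VMs (backed by real RAM, not by the pagefile)
        [switch]$CompleteDumpWanted   # set when a complete memory dump on a crash is required
    )
    if ($VmRamMB -gt $HostRamMB) { throw 'VM RAM cannot exceed host RAM' }
    if ($CompleteDumpWanted) {
        # A complete dump is written through the pagefile, so it must hold all of RAM plus a margin
        return $HostRamMB + 256       # assumption: 256 MB margin for the dump header
    }
    # Otherwise only the parent partition's own memory needs backing; keep a 1 GB floor (assumption)
    return [Math]::Max(1024, $HostRamMB - $VmRamMB)
}

function Get-PageFileReport {
    param([int]$VmRamMB)              # RAM you have assigned to VMs on this host

    $hostRamMB = [int]((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small.
    # Only a complete dump (1) needs a pagefile at least the size of RAM.
    $crash    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    $complete = ($crash.CrashDumpEnabled -eq 1)

    # Win32_PageFileSetting returns nothing when "Automatically manage paging file size" is on;
    # a 0-0 entry means system managed on that particular drive.
    $settings   = @(Get-WmiObject Win32_PageFileSetting)
    $configured = if ($settings.Count -eq 0) { 'System Managed' } else {
        ($settings | ForEach-Object { '{0} {1}-{2} MB' -f $_.Name, $_.InitialSize, $_.MaximumSize }) -join '; '
    }

    [pscustomobject]@{
        HostRamMB          = $hostRamMB
        VmRamMB            = $VmRamMB
        CompleteDumpSet    = $complete
        ConfiguredPageFile = $configured
        SuggestedMB        = Get-SuggestedPageFileMB -HostRamMB $hostRamMB -VmRamMB $VmRamMB -CompleteDumpWanted:$complete
    }
}

# Worked case from the question: a 16 GB host with 12 GB handed to VMs,
# first without and then with a complete memory dump required.
Get-SuggestedPageFileMB -HostRamMB 16384 -VmRamMB 12288
Get-SuggestedPageFileMB -HostRamMB 16384 -VmRamMB 12288 -CompleteDumpWanted

# On a real host, report the configured state next to the suggestion:
Get-PageFileReport -VmRamMB 12288
```

The report makes the trade-off visible in one place: if CompleteDumpSet is True and ConfiguredPageFile is smaller than RAM, the crash dump the dump setting promises will not be captured; if it is False, the smaller day-to-day size is all the host needs.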
Until next time!
Rob
Almost every mobile computer that is currently shipping has a Fingerprint Reader on it. How convenient... I've had a lot of customers get excited about the convenience of no more passwords when they think that a finger will do. Well personally, I give those Fingerprint Readers the finger! Honestly, Fingerprint Readers are pretty secure for normal things, but for anything you really want to secure, a strong password is still the best.
There is plenty of documentation on the Internet about the lack of Fingerprint reader security, but for a typical consumer machine, it's probably good enough. Today I did a search on the Internet to see what I could find. Of course Live.com is my search tool of choice, one of the first items it presented was "Gummy Fingers" Fool Fingerprint Readers http://www.extremetech.com/article2/0,1558,13730,00.asp. Of course, the person that came up with this idea was a Japanese mathematician! I never trusted those "math guys"... Their logic and all of that! In college I took a math class The fundamentals of Math. I thought hey, I understand that one + one = 2, that's fundamental... Right? I needed to raise my GPA, so I decided to give it a try. Holy Crap was that a rough class! That's when I decided to never again trust those math guys. I digress, back to the topic at hand...
This mathematician took a mold of a finger, used the same material gummy bears are made of, and created a mold of a gummy finger. Now I wonder how many tries it took him to get it right... Did he eat his mistakes??? I agree that molding a gummy finger is considerable effort for someone to expend, but it's a low effort, low tech way to defeat a high tech solution. Reminds me of NASA creating pens that could write in zero gravity. The Russians, they just used pencils! I subscribe to the Keep It Simple Stupid mentality, so gummy fingers are a pretty reasonable solution to me. The Register http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ added some additional detail to his research.
Microsoft's corporate policy states that we cannot store our corporate credentials on our laptops. Fingerprint readers ask for, and then store, your credentials on your local machine. [This is really the root of the concern. If all of your credentials are stored on the same machine, eventually your credentials will be compromised. It's only a matter of time. The "time" factor could be 2 days or 2 hundred years. It just depends on your level of encryption and the attacker's level of skill and dedication.] The authentication process: when you swipe your finger on the fingerprint reader, the fingerprint reader enters your domain credentials for you. We've done a good job of opening up the authentication API, which makes it easier for developers to develop alternate authentication methods, but we need to solve the problem of the credentials being stored locally.
Two factor authentication is a super way to meet this need. A number of companies have moved to two factor authentication; Microsoft made the move over 6 years ago. We all carry smart cards; it functions like a typical proximity card that allows me to open our security doors, but it also includes a "chip" that contains my Microsoft certificate. Whenever I have to connect remotely to the Microsoft network, I have to have my smart card inserted in my machine, and then I have to enter a PIN to allow access to the certificate on the smart card. Not only do you need the smart card, but a PIN as well. It all comes down to requiring 1) what you have: the smart card, and 2) what you know: the PIN. Without both items, you're not connecting to our network. The PIN is required because the certificate on the smart card is encrypted with the PIN. Without it, the smart card is just a gold thingy stuck to the back of your ID card.
Now if you really want to protect the data on your computer, let's talk BitLocker. I'll save that discussion for another time.
Until next time!
Rob
During the IT Pro Conference, someone asked if they could eliminate the UAC (and the local administrator requirements) just for printer driver installations on Windows Vista machines. Printer Drivers are the most difficult issue when it comes to removing the requirement for local administrator access to a machine. I've monkeyed with this a little, I have more research to do, but I think I found a way to solve this predicament: Point and Print. This feature was included in Windows XP; in Windows Vista we require local administrator privileges to install these drivers. There is a Group Policy setting that tells Windows Vista to not require local administrator privileges for printer drivers that are already installed on your servers. This is the Point and Print functionality...
Below is a screen capture of the Group Policy setting that disables the local Point and Print Restrictions. This will allow Windows Vista users to install printer drivers without local administrator permission. This is a Local Machine policy, but you should also be able to define an AD based Group Policy to do the same thing. Let me warn you, the reason we require local administrator privileges is to prevent malicious device drivers. This setting will allow any device driver to be installed. Now you can define the policy setting Package Point and print - Approved Servers to allow users to install the printer drivers from only an approved list of servers. This will allow normal users to install any printer driver, once it's been approved and installed on your servers.
To disable the Point and Print restrictions, you need to get to the screen below. To do that, let's click on Start (or the Vista Pearl) -> and in the Search box, type mmc and press Enter. Once the management console comes up, choose File -> Add / Remove Snap-in... Choose Group Policy Object and then click Add... If you are defining a local policy, choose Local Computer. If you are an AD admin, you should know how to set an AD group policy. If not, let me know and I'll include those instructions later. Once you click OK, you should be back to the Local Computer Policy screen like below. Go ahead and expand the Local Computer Policy, and then choose User Configuration -> Administrative Templates -> Control Panel -> Printers. Then you're able to disable the Point and Print Restrictions.
Once you make this local policy change, you need to either reboot your computer, or go to a command prompt and execute the command gpupdate /force to ensure the local policy gets applied. Now you should be able to browse to a local server and double click on a shared printer. Now the printer driver will install without requiring local administrator privileges.
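Because disabling the restriction opens driver installation to any print server (the warning above), it helps to be able to read the resulting state back. The following PowerShell audit is an added example (not from the post, not a Microsoft tool); it reads the registry values that the "Point and Print Restrictions" and "Package Point and print - Approved servers" policies write under both the machine and the current-user policy scope, and flags the combination the post warns about: restrictions disabled with no approved server list. It changes nothing.

```powershell
# Added example: audit Point and Print policy state from the registry (read-only).
# Paths are the policy keys these two Group Policy settings write to.

function Get-PointAndPrintPolicy {
    param([string]$Root)   # e.g. HKCU:\Software\Policies\Microsoft\Windows NT\Printers
    $pnp = Join-Path $Root 'PointAndPrint'
    $pkg = Join-Path $Root 'PackagePointAndPrint'

    # Point and Print Restrictions: Restricted = 1 (enabled), 0 (disabled), missing (not configured)
    $restricted = (Get-ItemProperty -Path $pnp -Name Restricted -ErrorAction SilentlyContinue).Restricted
    $serverList = (Get-ItemProperty -Path $pnp -Name ServerList -ErrorAction SilentlyContinue).ServerList

    # Package Point and print - Approved servers: a flag value plus a ListofServers subkey
    # whose value names are the approved server names
    $pkgEnabled = (Get-ItemProperty -Path $pkg -Name PackagePointAndPrintServerList -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    $pkgServers = @()
    $listKey = Join-Path $pkg 'ListofServers'
    if (Test-Path $listKey) { $pkgServers = @((Get-Item $listKey).GetValueNames()) }

    if ($null -eq $restricted) { $state = 'Not configured (default restrictions apply)' }
    elseif ($restricted -eq 0) { $state = 'DISABLED: non-admins may install drivers from any print server' }
    else                       { $state = 'Enabled' }

    $approved = if ($pkgEnabled -eq 1) { $pkgServers -join ', ' } else { '(not enforced)' }

    [pscustomobject]@{
        Scope                  = $Root
        PointAndPrint          = $state
        TrustedServers         = $serverList
        PackageApprovedServers = $approved
        ReviewNeeded           = ($restricted -eq 0 -and $pkgEnabled -ne 1)
    }
}

@('HKLM:\Software\Policies\Microsoft\Windows NT\Printers',
  'HKCU:\Software\Policies\Microsoft\Windows NT\Printers') |
    ForEach-Object { Get-PointAndPrintPolicy -Root $_ } | Format-List
```

After you apply the change in the post and run gpupdate /force, the HKCU scope should show PointAndPrint as DISABLED; ReviewNeeded stays True until you also define the approved server list, which is the state the post recommends settling on.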
Give this a try and let me know how it works for you.
Until next time!
Rob
I have a series of screen casts (here) that talk about setting up Hyper-V, but I wanted to let you know that we just released a new Hyper-V: Live Migration Network Configuration Guide here. I wish I had had this when I was building out my demos. This guide does a good job of detailing the different scenarios that are supported and those that are not recommended. One of the things I did that is different from this guide is that I dedicated two of my four network adapters to my iSCSI connection and I did not dedicate a network connection just for Live Migration. I like the idea of dedicating a network for Live Migration, but I chose to use the two iSCSI NICs and leverage MPIO. If I were in a production environment, I would lean towards dedicating a network adapter for Live Migration instead. Or, better yet, I’d consider adding a fifth network adapter so I could do it all.
It all comes down to where you expect your loads and bottlenecks to occur. While it is ideal to have a dedicated network for Live Migration, if you don’t, the server will just leverage one of the other network adapters to handle the task.
I hope this guide helps.
Hyper-V: Live Migration Network Configuration Guide
http://technet.microsoft.com/en-us/library/ff428137(WS.10).aspx
Until next time,
Rob
I received another really good question, so I want to share it.
My servers will be running Windows Enterprise running HyperV with 4 VM's each. The third server will run Windows Standard 2008 with Microsoft SCVMM. Is there a way for SCVMM to be installed and manage the Windows Enterprise HyperV hosts and VM's without being a domain admin. These are being installed on a large secured network and getting Domain Admin privileges to Active Directory will not be possible.
I didn’t know the answer to this one so I was going to do some research. As I was contemplating how I wanted to tackle this one, Ken Lince, one of my peers spoke up with the right way to handle this scenario, so here it is:
There are user roles that you can define in SCVMM to delegate administrative access across server groups or libraries - and the same with Hyper-V Manager - you can delegate access to specific VM's without giving 'domain admin' type privileges at the server level. So, the admins can use the MMC consoles and effectively do not need or require administrative access to the server itself.
That said, an Admin will need to install it and add the Hyper-V Servers (requires domain admin type access to do this because you have to supply credentials to add hosts), but past that they should be able to devise an administrator policy so that VMM managers don't require that level of access.
Of course, the other management tools like SCOM have similar capabilities.
Quick blurb on Delegated Admin:
Delegated administration. The delegated administrator is a new role available to manage hosts and VMs in SCVMM 2008. A delegated administrator can perform all the functions of a full administrator but only on a subset of objects. This kind of role is useful for people who need to perform administrative functions on some but not all hosts managed by SCVMM. This role has broader administrative rights than the self-service user role. You can control the self-service user role according to what types of functions are allowed on a per-VM basis, whereas the delegated administrator has full rights on a predefined scope of host servers and libraries. For example, you could delegate administration rights to manage hosts and libraries for a particular region.
Thanks again Ken!
This article does a good job of spelling out the requirements:
http://technet.microsoft.com/en-us/library/dd548295.aspx
Until next time,
Rob
I received the following question:
Hi, I have been following your video on setting up Hyper-V server with the Equallogic SAN which we have. It has been really helpful, however I am having a problem getting the CSV to work. After creating the cluster the disk we are planning to use is only shown in "Disk Witness in Quorum" and not "Available Disks". Do you have any idea why this may be occurring? The disk that is shown in Quorum is the Cluster Disk 1 which we want to use for CSV. Any help/advice would be greatly appreciated. Many Thanks,
I had the same frustration when I first setup my cluster so I wanted to walk through how to make the change here.
First, the Witness volume does not have to be a very big volume, I use a 1 GB volume for my witness. The Witness volume must be a dedicated volume, it cannot be used to store VMs or VM configuration files.
Second, you need to make sure you have at least one additional volume in your cluster. If you don’t have more than one volume in your cluster, here’s how you add more volumes.
- From your SAN, provision your new volume.
- Make sure that each node in your cluster is attached to the new volume.
- Be sure to format the volume (NTFS).
- Now just add it to the cluster, by right clicking on Storage and choosing Add a disk.
This will kick off a wizard that will allow you to add additional storage to the cluster. Note that it will only let you add shared storage that is visible to all of the cluster nodes.
Now that the cluster is setup, you can see the cluster configuration here:
The one warning I want to point out is that you’ve now added an additional disk to your cluster, and this additional disk did not get tested by the cluster validation wizard. As long as you confirm that each node “sees” the new disk, you should be fine, but if you have the time, re-running the cluster validation wizard is a good idea. You can tell the validation wizard to run just part of the tests, or the whole thing again, but this way you know that your cluster is valid from beginning to end. As I’ve mentioned before, if you run into issues with your cluster, the cluster validation wizard is usually a good place to start your troubleshooting process.
When you setup a failover cluster, the cluster wizard is nice enough to pick a Disk Witness for you (if needed). Now if you don’t like the choice it made, it’s easy to change the witness. We start by right clicking on the name of the cluster, choosing More Actions… and then Configure Cluster Quorum Settings…
The Configure Cluster Quorum Settings… starts a wizard that will walk you through your cluster quorum settings.
I would suggest that you not make any changes on the screen above unless you really know what you're doing (or you're doing it in a lab). If you change the number of nodes in your cluster, you might make a change here, but for this example, we are just going to choose Next >. This will now take us to the section that will let us make our change to the Witness drive. As you can see from the screen shot below, it lists all of the available storage and you just check the box for the Witness drive you want to use.
Once you make your selection and complete the wizard, your new Witness drive is configured.
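The same change done from PowerShell, as an added example that is not part of the original post: it uses the FailoverClusters module that ships with Windows Server 2008 R2 (the cmdlet names are real; the cluster name and the two disk names are placeholders you must replace with your own). It adds any newly provisioned shared volume, moves the witness to the small dedicated volume, frees the large volume for CSV, and then re-validates storage as the post recommends. Run it on a cluster node with cluster administrator rights.

```powershell
# Added example: add shared storage, move the Disk Witness, and enable CSV with the
# FailoverClusters module. Cluster and disk names below are placeholders.
Import-Module FailoverClusters

$cluster     = 'HVCLUSTER'        # placeholder: your cluster name
$witnessDisk = 'Cluster Disk 2'   # placeholder: the small (about 1 GB) dedicated witness volume
$csvDisk     = 'Cluster Disk 1'   # placeholder: the large volume you want for Cluster Shared Volumes

# 1. Add volumes every node can see that the cluster does not own yet
#    (the GUI equivalent of Storage -> Add a disk)
Get-ClusterAvailableDisk -Cluster $cluster | Add-ClusterDisk

# 2. Point the quorum witness at the small disk (Node and Disk Majority);
#    the disk that used to be the witness returns to Available Storage
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority $witnessDisk

# 3. The large disk is now free to become a Cluster Shared Volume
Add-ClusterSharedVolume -Cluster $cluster -Name $csvDisk

# 4. Re-run the storage part of cluster validation, since the new disk was not
#    part of the original validation run
Test-Cluster -Cluster $cluster -Include 'Storage'

# Show the result
Get-ClusterQuorum -Cluster $cluster
Get-ClusterSharedVolume -Cluster $cluster
```

Note that on a running cluster the storage validation tests skip disks that are online and in use, so the new disk is best validated (step 4) before you put virtual machines on it; the full validation is still the place to start if something looks wrong afterwards.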
That’s all there is to it, please let me know if you have any questions.
Until next time,
Rob
I posted a blog on the technet blog site and wanted to point you to it here. Please check it out and let me know what you think.
Until next time,
Rob
I’ve been putting it off, but I finally had time to install Office 2010. Now I did spend a little time with it when I was experimenting with App-V, but I just rebuilt my Tablet-PC and thought I’d go with Office 2010 Beta. I really like it. Of course I’m biased, but Outlook 2010 has the one feature I’ve longed for for a long time: the Zoom control! Check out the lower left corner of Outlook; it contains the zoom control just like Excel 2007. Here’s a shot of the zoom control in Outlook 2010. As I’ve aged, I’ve found that I enjoy the bigger text on my screen, so this zoom control has made a big difference!
Don’t worry, there’s more cool stuff in Outlook 2010. I’ll talk about some of the thread clean up controls soon.
Until next time!
Rob
I received a question a few days ago about how to license SQL (per processor) within a Virtual Machine on a Hyper-V server (or other hypervisor based host). There has been a lot of confusion on this, at least I’ve been confused, so I wanted to dig into this and see what I could find. I found the SQL 2008 Licensing Guide. It can be found on the SQL 2008 Licensing page here.
The problem with SQL licensing when you look at the per processor licensing option is, “How do I license SQL in a virtual environment? Do I have to license every processor on the Hyper-V server?” So I’m going to point out a few pages of this SQL licensing document that will help you understand how to work this out.
The SQL 2008 Licensing Guide can be downloaded from the page above, or it can be downloaded from here. This document does a great job of working through the licensing scenarios. Chapter 4 is where it actually gets interesting with respect to virtualization, but you need to read Chapter 3 first to understand the licensing models. I’m going to focus on the per processor licensing, that is the one that is less obvious in a virtual environment. Page 25 is where we get started, let’s first take a look at the introductory explanation.
The thing I like about this is that now we have a straight forward formula. Page 28 talks about running SQL in multiple Hyper-V machines and how you should handle that licensing scenario, it even points out the following detail:
Note: If all of the physical processors (data point C) are licensed for SQL Server Enterprise, then instances of SQL Server may be run on as many VMs as the hardware and operating system will support. That means you never need more Processor licenses than the total number of physical processors.
Taking directly from the document again, if I have a dual CPU server with Hyper-Threading enabled, the server has a total of four threads. Using the formula, if you give your SQL VM four virtual processors, you will need to acquire two processor licenses to fully license your SQL server.
I hope this helps clarify some of the SQL licensing questions.
Until next time!
Rob
As I mentioned in my prior post, I split the screen cast into two parts and here’s the second part. I pick right up where I left off, so be sure to check out Part 1 first.
My videos have moved. Please check out http://blogs.technet.com/uspartner_ts2team/archive/2010/01/31/so-you-want-to-get-started-with-hyper-v-start-here-in-summary.aspx for all of my Hyper-V videos.
My next post will be a demonstration of Live Migration.
This session is one part of a whole series of screen casts around Hyper-V; you can go to this link to access the whole series.
So you want to get started with Hyper-V? Start here! – In Summary
Until next time,
Rob!
I’ve talked to a lot of partners about Hyper-V, and the same question always comes up: which version of Hyper-V should I choose? We have a page that lays out the differences between the different versions of Windows Server 2008 R2 and the Microsoft Hyper-V Server. I’ve included the chart below; if you click on the chart, it will take you right to our page that explains what the free Hyper-V server has to offer. As you saw from my earlier screen casts, I was pleasantly surprised at how easy it was to set up and use the Microsoft Hyper-V server. Using the Microsoft Hyper-V server as a stand-alone solution and as a clustered solution was very easy. We’ve updated the management of the Microsoft Hyper-V server in R2; we now have the sconfig.cmd file. Sconfig.cmd is night and day better than the version that shipped in the original Microsoft Hyper-V server. If you haven’t looked at the free version yet, give it a look.
To me, the biggest difference I saw was the GUI and the additional server licenses included with Windows Server 2008 R2 Enterprise and Data Center editions. Adding additional server roles to your Hyper-V server is useful for a lab, but in production, I’d recommend Hyper-V as your only role on your Hyper-V servers. If you need licenses for your virtual machines, and you’re using more than 4 virtual machines per host, check out Windows Server 2008 R2 Data Center Edition. Data Center Edition provides unlimited Windows Server licenses for the virtual machines hosted on your Data Center Edition server.
Have you used the Microsoft Hyper-V server? If so, I’d love to hear your thoughts.
Until next time,
Rob
I received a question about one of my old screen casts, and I thought I should share it, and the answer, with you:
Rob,
I have viewed your video on dual boot XP and Win 7 beta. My question is, will the same procedure work with XP and the newly released Windows 7? I had my computer refurbished and to my dismay, it does not support HAV. So, I am wondering if the procedure you have in your video will work.
Thanks, Tony
The answer is: yes! Dual Boot in Windows 7 RTM works just like it did in the Beta, and it does not require Hardware Assisted Virtualization (HAV) since neither Operating System is running in a Virtual Machine.
Until next time,
Rob
I’ve talked before about the fact that we cannot Live Migrate from an AMD CPU to an Intel CPU or vice-versa, but what about Live Migrating from an older Intel CPU to a newer Intel CPU? I’m going to show you a Live Migration from a three year old Intel Xeon 5050 CPU to a new Intel Xeon 3440 CPU. Below the video, I’ve also included the comparison chart that compares the Xeon 5050 to the Xeon 3440 CPU so you can see the progress Intel has made in the last three years.
So why is the three year old CPU a 5000 series CPU and the newest CPU is a 3000 series CPU? The 5000 series CPUs are for multi-processor configurations, the 3000 series CPUs are for single-processor configurations. It’s the last three numbers that Intel has actually been updating as they’ve improved their processors.
The biggest reason that I put this together is that I wanted to demonstrate that customers that have an existing Hyper-V cluster can add new servers to their existing cluster, to scale out their clusters, even with newer hardware and CPUs. I want to make sure that I dispel the myth that your Hyper-V servers must be identical. While identical servers do make your clusters easier to deploy and manage, as this video shows, it is possible to increase the size of your cluster over time as needed.

Here’s the comparison chart that compares the two CPUs so you can see the technical differences between them.
I again would like to thank Intel, Crucial, and Dell for the loan of this equipment. The server C4 is the Intel CPU and MBO, the memory in it is from Crucial, and of course the live Migration was hosted on the Dell Equallogic SAN.
I hope this information has helped, if you have any more questions, please let me know.
This session is one part of a whole series of screen casts around Hyper-V, you can go to this link to access the whole series.
So you want to get started with Hyper-V? Start here! – In Summary
Until next time,
Rob