Server Virtualization with Hyper-V
Windows Server 2008 includes Hyper-V, a powerful virtualization technology with strong management and security features. Hyper-V enables businesses to leverage their existing familiarity with Windows Server management and take advantage of virtualization’s flexibility and security benefits without buying third-party software. Microsoft and its partners provide comprehensive support for Windows and supported Linux guest operating systems. Hyper-V is a highly flexible, high-performance, cost-effective, well-supported virtualization platform.
Security
Security is a core challenge in every server implementation. A server that hosts multiple virtual machines (VMs), also known as a consolidated server, is exposed to the same security risks as a non-consolidated server, and adds the challenge of administrator role separation: the people who manage the host are not necessarily the people who should be able to reach every guest. Hyper-V helps increase security for consolidated servers and addresses role separation through the following features:
- Strong partitioning ‑ A virtual machine functions as an independent operating system container that the hypervisor isolates from the other virtual machines on the same physical server; guests share only the resources (virtual networks, storage) that an administrator explicitly connects to them.
- Hardware-level security ‑ Features such as Data Execution Prevention (DEP), available in current server hardware (NX/XD), stop code from running out of memory pages marked as data, which blocks many of the memory-corruption exploits used by the most prevalent viruses and worms. Hyper-V requires hardware DEP and Intel VT or AMD-V to be enabled in the server firmware, so checking these settings is part of preparing a host.
- Role-based security ‑ Hyper-V helps prevent exposure of VMs that contain sensitive information, and also protects the underlying host operating system from compromise by a guest operating system.
- Network security features ‑ Virtual machine networking can be combined with Network Address Translation (NAT), the Windows Firewall, and Network Access Protection (NAP).
- Minimal Trusted Computing Base ‑ A small hypervisor and a streamlined, lightweight virtualization architecture reduce the attack surface and improve the reliability of virtual machines running on Hyper-V.
Configuring a consolidated server that gives every application the best security and operating system environment can be difficult. Because Hyper-V lets each workload run in its own operating system environment with its own security profile, it addresses the challenge of role separation on a consolidated server. Hyper-V also protects VMs and the host operating system from each other by running each VM under a service account that has only the privileges it needs. With Hyper-V, the host operating system is protected, and a compromised VM is limited in the damage it can do to other VMs.
Strong Isolation
Server virtualization enables workloads with varying resource requirements to coexist on the same host server. Hyper-V offers several features that facilitate effective usage of the host server’s physical resources:
- Flexible virtual machine configuration ‑ Virtual machines can be assigned guaranteed amounts of memory and multiple processors (with Windows Server 2008 guests). This feature allows administrators to create a Hyper-V configuration that balances individual VM resource needs against overall performance.
- Flexible networking configuration ‑ Hyper-V provides advanced network features for VMs, including NAT, firewall, and VLAN assignment. This flexibility can be used to create a Hyper-V configuration that better supports network security requirements.
The flexible memory assignment and flexible networking configuration features of Hyper-V provide a more effective response to dynamic server loads.
Performance
Design advances and integration with virtualization-aware hardware enable Hyper-V to virtualize much more demanding workloads than previous versions, and with greater flexibility in resource assignment.
Performance advancements include:
- Lightweight, low-overhead virtualization architecture based on a 64-bit hypervisor. Virtualization-aware hardware, Intel VT and AMD-V (codenamed “Pacifica”), enables higher guest operating system performance.
- Multi-core support. Windows Server 2008 guests can be assigned up to four logical processors. This makes it possible to virtualize large, compute-intensive workloads that benefit from running on a multi-processor VM.
- 64-bit host and guest operating system support. Hyper-V runs on the 64-bit version of Windows Server 2008 to provide access to large pools of memory for guest VMs. Memory-intensive workloads that would suffer from extensive paging when executed on a 32-bit operating system can be successfully virtualized under Hyper-V. Hyper-V also supports 64-bit and 32-bit guest operating systems running on the same consolidated server.
- Server Core support. Hyper-V can use a Server Core installation of Windows Server 2008 as a host operating system. The minimal install footprint and low overhead of Server Core dedicate the greatest possible amount of host server processing capability to running VMs. In addition, the reduced patching requirements of Server Core minimize the number of reboots a Hyper-V host needs.
- Pass-through disk access. Guest operating systems can be configured to directly access local or iSCSI Storage Area Network (SAN) storage, providing higher performance for I/O-intensive applications, such as SQL Server® or Microsoft Exchange.
Many server workloads place heavy demands on server processing and I/O subsystems. Applications like SQL Server and Microsoft Exchange are traditionally heavy users of memory and disk throughput, and there has been reluctance to virtualize these workloads. The 64-bit Hypervisor in Hyper-V along with features like pass-through disk access make it possible and often desirable to virtualize large workloads.
Simplified Management
In the datacenters and remote branch office installations where Hyper-V may be deployed, strong management and automation capabilities are required to fully realize the cost reducing potential of virtualization. Hyper-V meets this challenge with the following management and automation capabilities:
- Extensible management ‑ Hyper-V is designed to work with Microsoft System Center Operations Manager (SCOM) and System Center Virtual Machine Manager (SCVMM). These management tools provide reporting, automation, deployment, and user self-service tools for Hyper-V.
- MMC 3.0 interface for VM management ‑ The familiar Microsoft Management Console interface is used to manage Hyper-V configuration and VM settings, reducing the Hyper-V learning curve significantly.
- Windows Management Instrumentation (WMI) interface ‑ Hyper-V incorporates a WMI provider that provides system information and scriptable management access.
- Windows PowerShell scripting ‑ Hyper-V host and VM configuration can be scripted from Windows PowerShell through the WMI provider.
- Windows Hyper-V ‑ This version of Windows provides organizations that intend to virtualize with a low cost option for deploying Hyper-V. This standalone version of the Hyper-V hypervisor is suitable for lights-out and remote management scenarios like datacenters and remote infrastructures.
The management capabilities of SCOM and SCVMM make it possible to effectively manage both datacenter installations and highly distributed installations of Hyper-V. For example, script access to the WMI provider in Hyper-V could be used to automate maintenance windows on multiple Hyper-V host servers by powering down guest VMs, powering them up on a standby server, performing host server maintenance, and then restoring the VMs to their original host. With the addition of System Center Virtual Machine Manager, this operation can be automated and performed with no perceptible downtime for many applications.
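The maintenance-window automation described above, as an added example: this is not code from the whitepaper or from Microsoft, it is written here to show what scripting the Hyper-V WMI provider looks like. It assumes Windows Server 2008 Hyper-V, where the provider lives in the root\virtualization namespace, and Integration Services installed in the guests; the state values and return codes are those of the Msvm_ComputerSystem and Msvm_ShutdownComponent classes. The file path used to remember which guests were running is an assumption.

```powershell
# Added example, not from the whitepaper. Stops every running Hyper-V guest cleanly
# before host maintenance and restarts the same guests afterwards, using the Hyper-V
# WMI provider on Windows Server 2008 (namespace root\virtualization; Server 2012 and
# later use root\virtualization\v2 or the Hyper-V PowerShell module instead).
# Run elevated on the Hyper-V host. Graceful shutdown needs Integration Services in the guest.
param(
    [string]$Phase,                                    # 'Stop' before maintenance, 'Start' afterwards
    [string]$StateFile = 'C:\maint\running-vms.txt'    # assumed path; survives a host reboot
)
if ('Stop', 'Start' -notcontains $Phase) { throw "Usage: -Phase Stop | -Phase Start" }

$ns = 'root\virtualization'
$Running = 2; $Off = 3                                 # Msvm_ComputerSystem.EnabledState values

function Get-HvGuest {
    # The host itself is also an Msvm_ComputerSystem; Caption distinguishes the guests.
    Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'"
}

function Wait-HvState {
    param($Vm, [int]$State, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
        $current = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Name='$($Vm.Name)'"
        if ($current.EnabledState -eq $State) { return $true }
    }
    return $false
}

function Assert-HvResult {
    param($Result, [string]$What)
    # 0 = completed synchronously, 4096 = job started (tracked by Msvm_ConcreteJob); anything else failed
    if ($Result.ReturnValue -ne 0 -and $Result.ReturnValue -ne 4096) {
        throw "$What failed with WMI return code $($Result.ReturnValue)"
    }
}

function Stop-HvGuestGracefully {
    param($Vm)
    # Msvm_ShutdownComponent asks the guest OS to shut down (the 'Shut Down' action in the MMC),
    # rather than RequestStateChange(3), which pulls the virtual power cord.
    $sd = Get-WmiObject -Namespace $ns -Class Msvm_ShutdownComponent -Filter "SystemName='$($Vm.Name)'"
    if (-not $sd) { throw "$($Vm.ElementName): no shutdown component (Integration Services not installed?)" }
    Assert-HvResult ($sd.InitiateShutdown($true, 'Planned host maintenance')) "Shutdown of $($Vm.ElementName)"
    if (-not (Wait-HvState $Vm $Off)) { throw "$($Vm.ElementName) did not reach the Off state in time" }
}

function Start-HvGuest {
    param($Vm)
    Assert-HvResult ($Vm.RequestStateChange($Running)) "Start of $($Vm.ElementName)"
    if (-not (Wait-HvState $Vm $Running)) { throw "$($Vm.ElementName) did not reach the Running state in time" }
}

switch ($Phase) {
    'Stop' {
        $guests = @(Get-HvGuest | Where-Object { $_.EnabledState -eq $Running })
        # Remember VM GUIDs (Name), not display names (ElementName): names can be renamed, GUIDs cannot.
        New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
        Set-Content -Path $StateFile -Value @($guests | ForEach-Object { $_.Name })
        foreach ($vm in $guests) { Write-Host "Stopping $($vm.ElementName)"; Stop-HvGuestGracefully $vm }
        # ... patch or service the host here, rebooting if required ...
    }
    'Start' {
        foreach ($id in (Get-Content -Path $StateFile)) {
            $vm = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Name='$id'"
            if ($vm) { Write-Host "Starting $($vm.ElementName)"; Start-HvGuest $vm }
        }
    }
}
```

Run it as `.\maint.ps1 -Phase Stop` before the maintenance and `.\maint.ps1 -Phase Start` afterwards. Two design points matter for a host that holds many guests: the script asks each guest to shut down through Integration Services instead of turning it off, so guest file systems and application data stay consistent, and it records which guests were running before the window so that only those are restarted, rather than every VM registered on the host.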
Presentation Virtualization
Presentation virtualization is another key component of the Windows Server 2008 virtualization solution. Terminal Services (TS) presentation virtualization separates where an application is used from where it runs: the application executes on the server, and clients interact with it remotely. TS presentation virtualization accelerates and extends application deployment to a wide variety of client devices, making an organization’s IT infrastructure more agile and responsive.
Applications deployed with Terminal Services are installed only once in the datacenter, and not locally on client computers. This simplifies both the delivery and the ongoing maintenance of applications. New applications can be deployed to a wide variety of clients with Terminal Services, including clients that cannot run the new application natively. Microsoft Application Virtualization for Terminal Services virtualizes applications on the Terminal Server, isolating them from each other. This increases server utilization with more applications and users on each Terminal Services server.
Terminal Services presentation virtualization simplifies remote connectivity. It improves remote worker efficiency by enabling rich applications to be accessed from a Web page and seamlessly integrated with a local desktop.
Terminal Services RemoteApp
Terminal Services presentation virtualization helps organizations keep critical intellectual property secure, and it simplifies regulatory compliance by removing applications and data from the desktop. With TS, applications and data live in the datacenter; only keyboard and mouse input and screen updates cross the network, inside an encrypted RDP session.
With Terminal Services RemoteApp™, centralized applications appear to be local applications. Only the remote application launches, not the entire remote desktop; it runs in its own resizable window on the desktop of the client computer. If the program uses a notification area icon, that icon appears in the client’s notification area. Pop-up windows are redirected to the local desktop, and local drives and printers are redirected and made available within the remote program. Note that drive redirection does move data to the client computer, so disable it on servers where the point is to keep data in the datacenter. Users may be unaware that the remote program is different from the other local applications running side by side with it on their desktop.
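To check that the encryption and data-containment claims above actually hold on a given server, here is an added example that audits the RDP listener; it is not code from the whitepaper or from Microsoft. It assumes Windows Server 2008 with the Terminal Server role, the Win32_TSGeneralSetting WMI class in root\cimv2\terminalservices, and the RDP-Tcp WinStation registry values; the -Fix switch and the specific thresholds are this example's own hardening choices.

```powershell
# Added example, not from the whitepaper. Audits the RDP-Tcp listener of a Windows Server 2008
# Terminal Server so that "only encrypted traffic crosses the network" is actually enforced,
# and (with -Fix) applies stricter settings. Uses Win32_TSGeneralSetting in the
# root\cimv2\terminalservices namespace and the RDP-Tcp WinStation registry key. Run elevated.
# The thresholds chosen here (TLS required, high encryption, NLA on, drive and printer
# redirection off) are this example's hardening policy, not settings taken from the paper.
param([switch]$Fix)

$ns  = 'root\cimv2\terminalservices'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListener {
    Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Test-RdpListener {
    # Returns one string per weakness found; an empty array means the listener passes.
    $ts = Get-RdpListener
    $ws = Get-ItemProperty -Path $key      # absent values come back as $null and count as 'not set'
    $findings = @()
    # SecurityLayer: 0 = RDP security only, 1 = negotiate, 2 = TLS required
    if ($ts.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($ts.SecurityLayer): TLS not required, so the client never verifies the server's identity"
    }
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
    if ($ts.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($ts.MinEncryptionLevel): weak or client-chosen encryption accepted"
    }
    # UserAuthenticationRequired: 1 = Network Level Authentication before a session is created
    if ($ts.UserAuthenticationRequired -ne 1) {
        $findings += "NLA off: unauthenticated clients get a logon screen (and a session) on the server"
    }
    # Redirection flags in the WinStation key: 1 = disabled. Redirected drives and printers move data to the client.
    if ($ws.fDisableCdm -ne 1) { $findings += "fDisableCdm<>1: client drive redirection allowed, data can leave the datacenter" }
    if ($ws.fDisableCpm -ne 1) { $findings += "fDisableCpm<>1: client printer redirection allowed" }
    return ,$findings
}

function Repair-RdpListener {
    $ts = Get-RdpListener
    # The Set* methods write the same values tsconfig.msc does; new connections pick them up.
    [void]$ts.SetSecurityLayer(2)
    [void]$ts.SetEncryptionLevel(3)
    [void]$ts.SetUserAuthenticationRequired(1)   # clients need RDC 6.0 or later (CredSSP)
    Set-ItemProperty -Path $key -Name fDisableCdm -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name fDisableCpm -Value 1 -Type DWord
}

$findings = Test-RdpListener
if ($findings.Count -eq 0) {
    Write-Host 'RDP-Tcp listener: no findings'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
    if ($Fix) { Repair-RdpListener; Write-Host 'Hardened settings applied; re-run without -Fix to confirm' }
}
```

Two caveats when applying the fixes: requiring TLS uses the server's self-signed RDP certificate unless you assign one that clients trust, and turning on Network Level Authentication locks out clients older than Remote Desktop Connection 6.0, which is consistent with the RDC 6.1 requirement listed below. Group Policy values under HKLM\SOFTWARE\Policies override the WinStation key, so a domain policy can silently undo a local change; re-running the audit after a policy refresh shows whether it did.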
Other RemoteApp improvements are:
- Remote Desktop Connection 6.1 ‑ To access Terminal Services RemoteApp, users need Remote Desktop Connection 6.1. It is included with both Windows Server 2008 and Windows Vista®, and is available as a free download for Windows® XP and Windows Server® 2003.
- Remote Desktop Connection Display Improvements ‑ The Remote Desktop Connection 6.1 software adds support for higher-resolution desktops (up to 4096 x 2048) and spanning multiple monitors horizontally to form a single large desktop. Remote Desktop Connection 6.1 users can take advantage of newer high resolution monitors and modern display formats, like 16:9 or 16:10 widescreen formats, that do not conform to the previous 4:3 standard.
- Desktop Experience ‑ Remote Desktop Connection 6.1 reproduces on the user’s client computer the desktop that exists on the remote computer. With Desktop Experience installed on Windows Server 2008, the user can access Windows Vista features, such as Windows Media® Player, desktop themes, and photo management within his or her remote connection. The desktop experience feature and the display data prioritization settings—designed to keep the keyboard and mouse in sync with what displays on the monitor even under heavy bandwidth usage—enhance the end-user experience when connecting to a Windows Server 2008 Terminal Server.
RemoteApp reduces administrative effort by having only one central application on the server to maintain, instead of having to maintain individual installations on multiple desktop computers throughout the organization. It also improves the user experience, providing smoother integration of the remote application with the client computer desktop.
Windows Server 2008 Condensed Technical Overview
Published: January 2008
© 2008 Microsoft Corporation. All rights reserved. This document is developed prior to the product’s release to manufacturing, and as such, we cannot guarantee that all details included herein will be exactly as what is found in the shipping product. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. The information represents the product at the time this document was printed and should be used for planning purposes only. Information subject to change at any time without prior notice. This whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Microsoft, Active Directory, PowerShell, SharePoint, SoftGrid, Windows, Windows Media, the Windows logo, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Overview
Microsoft® Windows Server® 2008, with built-in Web and virtualization technologies, is designed to provide organizations with increased reliability and flexibility for their server infrastructure. New virtualization tools, Web technologies, and security enhancements save time, reduce costs, and provide a platform for a dynamic datacenter. Powerful new tools, such as Internet Information Services 7.0 (IIS 7.0), Windows Server Manager, and Windows PowerShell, offer more control over servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection (NAP) and the Read-Only Domain Controller (RODC) harden the operating system and protect the server environment to help create a solid foundation on which to build businesses.
Web and Applications
Windows Server 2008 is a powerful Web Application and Services Platform that helps organizations to deliver rich Web-based experiences efficiently and effectively. The release of Internet Information Services 7.0 (IIS 7.0) as part of Windows Server 2008 offers improved administration and diagnostics, better development and deployment tools, and lower infrastructure costs. IIS 7.0 is also a completely modular, extensible Web server with expanded application hosting, while retaining excellent compatibility and solving important customer challenges. The IIS 7.0 architecture delivers highly available, secure, and scalable Web-based applications and services. IIS 7.0 offers robust application support for classic ASP, ASP.NET, XML, and PHP, providing organizations with the flexibility to write applications in the language that they prefer, and to host applications on the platform that best meets their needs.
Microsoft Windows Media® Services is an industrial-strength platform for streaming live or on-demand audio and video content over the Internet or an intranet. It provides fast streaming and dynamic programming for on-the-fly and personalized content delivery, on a platform that is easy to administer, customize, and scale.
Virtualization
With its built-in server virtualization technology, Windows Server 2008 enables organizations to reduce costs, increase hardware utilization, optimize their infrastructure, and improve server availability. Windows Server Hyper-V™ uses a 64-bit hypervisor-based platform for increased reliability and scalability. Hyper-V helps organizations optimize their hardware resources through server consolidation. Hyper-V also leverages components of the Windows Server 2008 platform, like failover clustering to provide high availability, and Network Access Protection (NAP) to quarantine non-compliant virtual machines.
Another form of virtualization is Presentation Virtualization, which is the ability to detach the application presentation layer, or the user interface, from the host operating system. In Windows Server 2008, Terminal Services Gateway and Terminal Services RemoteApp™ provide centralized application access with integration of remote applications on client computers, and easy access to these same remote programs using a Web browser. Terminal Services also provide a means to access remote terminals and applications across firewalls. (For detailed information about Terminal Services, see the section covering Centralized Application Access.)
Security and Compliance
Windows Server 2008 is the most secure Windows Server ever. Its hardened operating system and security innovations, including Network Access Protection, Federated Rights Management, and Read-Only Domain Controller, provide unprecedented levels of protection for an organization’s data. Windows Server 2008 includes security and compliance enhancements, more advanced encryption, and tools that improve auditing and secure startup. It helps organizations to prevent data theft with Rights Management Services and Windows BitLocker™ Drive Encryption.
Windows Service Hardening keeps systems safer by restricting what each critical server service may do in the file system, registry, and network to what its job requires, so that a compromised service cannot be used to tamper with the rest of the system. Security is also enhanced in the Windows Server 2008 operating system by means of Network Access Protection (NAP), Read-Only Domain Controller (RODC), Public Key Infrastructure (PKI) enhancements, a new Windows Firewall with improved filtering, and next-generation cryptography support.
Windows Server 2008 delivers a fully-integrated Federated Rights Management Services solution. This allows organizations to easily extend their Rights Management framework, allowing critical information to be securely shared with partners without the overhead of maintaining additional user accounts for users outside the organization.
Solid Foundation for Business Workloads
Windows Server 2008 is the most flexible and robust Windows Server operating system to date. With new technologies and features such as the Server Core installation option, Windows PowerShell, Windows Deployment Services, and enhanced networking and clustering technologies, Windows Server 2008 provides the most versatile and reliable Windows-based platform for all workload and application requirements.
Server Manager integrates server role and feature addition, removal, and configuration into a single Microsoft Management Console (MMC) console. Windows Deployment Services (WDS) is a suite of components that work together on Windows Server 2008 to provide simplified, secure, and rapid Windows operating system deployment to clients and servers. WDS uses network-based installation, without the need for an administrator to work directly on each computer or to install Windows components from CD or DVD media. The Windows PowerShell command-line shell and scripting language helps IT professionals automate common tasks and control system administration more easily. It also accelerates automation, even in remote locations such as branch offices. PowerShell leverages existing investments by retaining compatibility with existing scripting solutions.
Server Core is a new installation option for selected server roles that includes only the subsystems required for those roles. Server Core can create a more reliable and secure server that requires less patching and servicing.
Windows Server 2008 includes an enhanced TCP/IP stack. This next-generation stack improves security by providing filtering capabilities at all layers of the TCP/IP stack, and raises platform-level security while preserving backward compatibility.
A failover cluster—formerly known as server clusters—is a group of independent computers that work together to increase the availability of applications and services. In Windows Server 2008, the improvements to failover clusters simplify administration, make them easier to secure, and more stable.