Module Manual
Author: David Coombes, Content Master
Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2012 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

CONTENTS ... iii
MODULE 1: VM MOBILITY ... 5
  Module Overview ... 5
LESSON 1: LIVE MIGRATION ... 6
  LIVE MIGRATION OVERVIEW ... 7
  LIVE MIGRATION WITHOUT INFRASTRUCTURE ... 8
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 1 ... 9
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 2 ... 10
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 3 ... 11
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 4 ... 12
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 5 ... 13
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 6 ... 14
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 7 ... 15
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 8 ... 16
  LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 9 ... 17
  LIVE MIGRATION WITHOUT INFRASTRUCTURE: POWERSHELL ... 18
  LIVE MIGRATION WITH SMB ... 19
  LIVE MIGRATION WITH SMB: SHARE PERMISSIONS ... 20
  LIVE MIGRATION WITH SMB: FILE PERMISSIONS ... 21
  LIVE MIGRATION WITH SMB: PERMISSIONS POWERSHELL ... 23
  LIVE MIGRATION WITH SMB ARCHITECTURE ... 24
    Setup ... 24
    Memory Page Transfer ... 24
    Memory Page Copy Process ... 25
    Moving the Storage Handle from Source to Destination ... 25
    Bringing the VM Online on the Destination Server ... 25
    Network Cleanup ... 25
  LIVE MIGRATION WITH SMB: POWERSHELL ... 27
  LIVE MIGRATION BETWEEN CLUSTERS ... 28
  LIVE MIGRATION SECURITY ... 29
  UNDERSTANDING CREDENTIAL SECURITY: 1 ... 31
  UNDERSTANDING CREDENTIAL SECURITY: 2 ... 32
  UNDERSTANDING CREDENTIAL SECURITY: 3 ... 33
  CREDENTIAL SECURITY AND HYPER-V: 1 ... 34
  CREDENTIAL SECURITY AND HYPER-V: 2 ... 35
  CREDENTIAL SECURITY AND HYPER-V: 3 ... 36
  CREDENTIAL SECURITY AND HYPER-V: 4 ... 37
  ENABLING CONSTRAINED DELEGATION ... 39
  POWERSHELL REMOTING WITH CREDSSP ... 42
  REMOTE DESKTOP ... 43

Microsoft Virtual Academy Student Manual iii
This module describes the Hyper-V virtual machine (VM) mobility technologies, particularly the new and enhanced technologies introduced with Windows Server 2012. These include changes to Live Migration, new Live Storage Migration, and improvements to the VM import process. This module also includes a review of VM mobility and protection technologies.
This lesson describes the new Live Migration technologies introduced with Windows Server 2012. It also explains the best practices for enabling secure Live Migrations.
In addition to performance enhancements to existing Live Migration tools, Hyper-V in Windows Server 2012 includes several new Live Migration options, including:
- Live Migration without shared infrastructure
- Live Migration using shared SMB storage
- Live Migration between clusters
All Live Migration technologies and options in Windows Server 2012 are based on the same underlying principle: the VM will always be running somewhere. This principle means that, for example, before a VM is shut down and removed from a source Hyper-V host at the end of a migration, a range of checks are performed to ensure that the VM is running properly on the target host. It also means that there is always a failback option: should a migration fail for any reason, the source VM will still be running and available.
With "shared nothing" Live Migration, the only requirement is that there are (at least) two Hyper-V servers that are both members of a domain. However, gigabit networking should be used to ensure that users do not notice any downtime during the migration process. There are no requirements for shared storage: there can be different types of storage on each Hyper-V server. The entire VM (virtual hard disks (VHDs) and running state) is moved with no downtime. Note that when you perform a Live Migration of a VM between two computers that do not share an infrastructure, Hyper-V first performs a partial migration of the VM's storage.
In the scenario described over the following pages, there are two Hyper-V servers, each running the user mode VM management service (VMMS). On the first Hyper-V server, there is a VM with its VHDs, ready to be migrated to the second Hyper-V server.
How it works: First, a network connection is established between the Hyper-V hosts. This is a TCP connection and, in the initial negotiation phase, checks are made, including:
- Does the user account have permission on both servers for this migration?
- Has Live Migration been enabled on both servers?
After all of the checks are complete, Hyper-V establishes the Live Migration connection.
How it works: Hyper-V does not start Live Migrating the VM's memory and CPU state at this stage; instead, the next step is to start a form of storage migration.
How it works: The storage migration uses much of the core engine from Live Storage Migration. The key modification from standard Live Storage Migration is that Hyper-V copies the VHDs while the VM is still running and then forms a disk mirror. With this mirror, disk writes are sent to both disks, and disk reads are made from whichever host the VM is currently running on. This mirror is critical to the principle that the VM will always be running somewhere.
How it works: After the mirror is established, the Live Migration can start; memory pages are copied over to the target host, and dirty memory pages are tracked and then sent across.
How it works: After the memory copy phase is complete, the VM is started on the destination host. Note that the storage mirror is maintained throughout this operation so that if there is a failure at any point in time, Hyper-V can fail back to running the VM on the source host.
How it works: Only after Hyper-V has confirmed that the VM is up and running on the destination host is the disk mirror broken down.
How it works: After the disk mirror is taken down, Hyper-V then deletes the VHD on the source host.
To use Windows PowerShell to initiate a Live Migration without infrastructure, use the Move-VM cmdlet:

Move-VM "File Server 1" "HostB" -IncludeStorage -DestinationStoragePath "J:\Virtual Machines\File Server 1"

In this example:
- Name of VM: File Server 1
- Name of target Hyper-V host: HostB
- Destination folder for VM files: J:\Virtual Machines\File Server 1
Live Migration with Server Message Block (SMB) enables you to move VMs in environments where you need to move the VMs but do not need to move the VHDs. Live Migration with SMB is, therefore, similar to cluster-based Live Migration, but without the high availability. Live Migration with SMB requires SMB 3.0. Both the user account that initiates the migration and the source and target computer accounts need security access to the share. Permissions must be configured at file level on the folder, and at share level. This does require several steps to be correctly performed; otherwise, the migration will fail.
To set up the share permissions, complete the following steps:
1. In the properties of the share, click Advanced Sharing.
2. In the Advanced Sharing dialog box, click Permissions.
3. In the Permissions dialog box, add the account of the administrator user (who will be initiating the migration) and the source and target computer accounts. All these accounts need the Full Control permission.
In the screenshots, the administrator account is benarm, and the computer accounts are BENARMEPSILON and BENARM-ZETA.
To set up the file permissions, complete the following steps:
1. In the properties of the folder, click Edit.
2. In the Permissions dialog box, add the account of the administrator user (who will be initiating the migration) and the source and target computer accounts. All these accounts need the Full Control permission.
In the screenshots, the administrator account is benarm, and the computer accounts are BENARMEPSILON and BENARM-ZETA. Note that, by default, computer accounts are not listed when browsing for Active Directory directory service objects. You must, therefore, click Object Types when browsing for objects:
As an alternative to the UI, you can use the following command-line code to create a new folder, add file permissions for the user and computer accounts to this folder, create a new share, and then add share permissions for the user and computer accounts to this share:

MD X:\VMS
ICACLS.EXE X:\VMS --% /Grant Contoso\Admin1:(CI)(OI)F
ICACLS.EXE X:\VMS --% /Grant Contoso\HostA$:(CI)(OI)F
ICACLS.EXE X:\VMS --% /Grant Contoso\HostB$:(CI)(OI)F
ICACLS.EXE X:\VMS /Inheritance:R
New-SmbShare -Name VMS -Path X:\VMS -FullAccess 'Contoso\Admin1', 'Contoso\HostA$', 'Contoso\HostB$'

In this code example:
- Domain: Contoso
- Name of administrator user account: Admin1
- Name of source Hyper-V host: HostA
- Name of target Hyper-V host: HostB
- Folder for VM files: X:\VMS
- Share for VM files: VMS
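Because a missing or partial permission makes the migration fail, it is worth verifying the result before attempting a move. The following check is an added example, not part of the manual; it assumes the same Contoso\Admin1, Contoso\HostA$, Contoso\HostB$, X:\VMS and VMS values as above and runs on the file server that hosts the share.

```powershell
# Added example: confirm NTFS and share permissions for Live Migration with SMB.
# Principals, folder and share name are the assumed values from the manual's snippet.
$Required = 'Contoso\Admin1', 'Contoso\HostA$', 'Contoso\HostB$'
$Folder   = 'X:\VMS'
$Share    = 'VMS'

function Test-VMSharePermissions {
    param([string[]]$Principals, [string]$Path, [string]$ShareName)
    $findings = @()
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # NTFS level: each principal needs an Allow ACE for Full Control that is inherited
    # by subfolders and files (the (CI)(OI) flags in the ICACLS commands above).
    $acl = Get-Acl -Path $Path
    foreach ($p in $Principals) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $p -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full) -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
        }
        if (-not $ok) { $findings += "NTFS: $p lacks inheritable Full Control on $Path" }
    }

    # Share level: the share must exist, point at the folder, and grant Full to each principal.
    $smbShare = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $smbShare) { return $findings + "Share $ShareName does not exist" }
    if ($smbShare.Path -ne $Path) {
        $findings += "Share $ShareName points at $($smbShare.Path), not $Path"
    }

    $access = Get-SmbShareAccess -Name $ShareName
    foreach ($p in $Principals) {
        $ok = $access | Where-Object {
            $_.AccountName -eq $p -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
        }
        if (-not $ok) { $findings += "Share: $p lacks Full access on \\$env:COMPUTERNAME\$ShareName" }
    }

    # Least privilege: report anyone else holding Full on the share (for example Everyone).
    foreach ($a in $access) {
        if ($a.AccessRight -eq 'Full' -and $a.AccountName -notin $Principals) {
            $findings += "Share: unexpected Full access for $($a.AccountName)"
        }
    }
    return $findings
}

$findings = Test-VMSharePermissions -Principals $Required -Path $Folder -ShareName $Share
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Share and NTFS permissions for $Share are complete." }
```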
There are six key steps in Live Migration based on an SMB share (the first four are shown in the figure). The following sections describe these steps.
Setup
During the Live Migration setup stage, the source host creates a TCP connection with the destination host. This connection transfers the VM's configuration data to the destination host. A skeleton VM is set up on the destination host, and memory is allocated to the destination VM, as the figure shows.
Module 1B: Live Migration.
working set of Test VM. The active pages within the Test VM working set are copied to the destination Hyper-V host. In addition to copying the working set of Test VM to the destination host, Hyper-V monitors the pages in the working set for Test VM on the source host. As Test VM modifies memory pages, Hyper-V tracks and marks them as modified. The list of modified pages is simply the list of memory pages that Test VM modified after the copy of its working set began. During this phase of the migration, the migrating VM continues to run. Hyper-V iterates the memory copy process several times, and each iteration requires a smaller number of modified pages to be copied. After the working set is copied to the destination host, the next stage of the Live Migration begins.
Network Cleanup
In the final stage of a Live Migration, the migrated VM runs on the destination server. At this time, a message is sent to the network switch, which causes it to obtain the new media access control (MAC) addresses of the migrated VM so that network traffic to and from Test VM can use the correct switch port. The Live Migration process completes in less time than the TCP time-out interval for the VM that is being migrated. TCP time-out intervals vary based on network topology and other factors.
After the file and share permissions have been set up, you can use Windows PowerShell to initiate a Live Migration with SMB, by using the Move-VM cmdlet:

Move-VM "File Server 2" "HostB"

In this example:
- Name of VM: File Server 2
- Name of target Hyper-V host: HostB
Note that no other parameters are required, because the shared storage location for the VM files is specified in the VM configuration.
As Windows Server 2012 now supports up to 64 nodes in a cluster, a lot more virtualization deployments are likely to use clustering. To make cluster-based deployments easier to configure and manage, Windows Server 2012 now supports VM migrations both within clusters (as supported in Windows Server 2008 R2) and between clusters. You can also easily migrate VMs from a cluster to a stand-alone host and from a stand-alone host into a cluster. This enables administrators to respond to new requirements, make best use of existing and new hardware, and easily reconfigure high-availability solutions.
To move a VM between two clusters:
1. Remove the VM from the source cluster.
2. Use Hyper-V Manager to Live Migrate the VM to a node in the destination cluster.
3. Join the VM to the destination cluster.
Note that the VM does not need to be turned off during the migration. However, it is not protected from hardware failure during the course of the migration.
The first level of Live Migration security is that when you install Hyper-V, by default it is not enabled for Live Migration; you must manually enable Live Migration by using the Hyper-V Windows PowerShell cmdlets or by using Hyper-V Manager:
The next security consideration is to specify the networks that will be used for Live Migration. There is the option to use any available network for Live Migration; however, this is not a good idea, from both a performance and a security perspective. By specifying a separate network for Live Migration, you can ensure that Live Migration traffic does not affect regular production networking, and that Live Migration occurs over a secure network. Hyper-V does not natively encrypt Live Migration traffic, and in some environments it may be enough simply to ensure that the Live Migration network is physically secure and is a private network that other users cannot connect to. However, there are also other options, such as Internet Protocol Security (IPsec) or other encryption methods, that you can use to protect the migration packets on the wire. Performance data collected within Microsoft has shown that using IPsec for Live Migration has no impact on migration scale or performance.
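As an added example (not part of the course manual), the following script checks that both hosts meet the requirements discussed in this lesson, namely Live Migration enabled, Kerberos authentication and a dedicated migration network, before running the Move-VM command shown earlier for a migration without shared infrastructure. The host names, VM name, storage path and the migration subnet 10.10.50.0/24 are assumed values.

```powershell
# Added example: pre-flight check of the Live Migration settings on both hosts,
# then the shared-nothing move. All names and the subnet are assumed values.
$SourceHost      = 'HostA'
$TargetHost      = 'HostB'
$VMName          = 'File Server 1'
$DestPath        = 'J:\Virtual Machines\File Server 1'
$MigrationSubnet = '10.10.50.0/24'   # assumed dedicated, isolated migration network

function Test-LiveMigrationHost {
    param([string]$ComputerName, [string]$ExpectedSubnet)

    $vmHost   = Get-VMHost -ComputerName $ComputerName
    $problems = @()

    # Live Migration is off after installation and must be switched on deliberately.
    if (-not $vmHost.VirtualMachineMigrationEnabled) {
        $problems += 'Live Migration is not enabled (Enable-VMMigration).'
    }
    # Kerberos is what constrained delegation requires and avoids forwarding credentials.
    if ($vmHost.VirtualMachineMigrationAuthenticationType -ne 'Kerberos') {
        $problems += "Authentication type is $($vmHost.VirtualMachineMigrationAuthenticationType); " +
                     'expected Kerberos (Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos).'
    }
    # 'Any network' lets unencrypted memory pages cross production segments.
    if ($vmHost.UseAnyNetworkForMigration) {
        $problems += 'Any available network may carry migration traffic (Set-VMHost -UseAnyNetworkForMigration $false).'
    }
    $nets = @(Get-VMMigrationNetwork -ComputerName $ComputerName)
    if ($nets.Count -eq 0) {
        $problems += 'No migration network is defined (Add-VMMigrationNetwork).'
    } elseif ($nets.Subnet -notcontains $ExpectedSubnet) {
        $problems += "Migration networks ($($nets.Subnet -join ', ')) do not include $ExpectedSubnet."
    }

    [pscustomobject]@{
        Host     = $ComputerName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$results = $SourceHost, $TargetHost | ForEach-Object { Test-LiveMigrationHost -ComputerName $_ -ExpectedSubnet $MigrationSubnet }
$results | Format-List

if ($results.Ready -contains $false) {
    throw 'Fix the reported settings on both hosts before migrating.'
}

# Both hosts pass: move the VM and its storage. Hyper-V keeps the VM running on the
# source until it has confirmed the VM is running on the destination (the failback
# principle described at the start of this lesson).
Move-VM -Name $VMName -ComputerName $SourceHost -DestinationHost $TargetHost `
        -IncludeStorage -DestinationStoragePath $DestPath
```

If the script runs on a management workstation rather than on HostA, the Move-VM call is a second hop, so the constrained delegation or CredSSP configuration covered later in this lesson must already be in place.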
When you use a computer or laptop to connect to a server, your user credentials are sent to the server, so that the server can check whether you have the required permissions for any actions you attempt to perform on that server.
By design, Windows does not allow the server to then take your credentials and use them to connect to another server.
This prevention of credentials being used across a second hop is intentional and is designed to prevent an attacker from making use of these credentials. Even if the first server is compromised, the attacker cannot take your credentials and use them on other computers. However, this default configuration can affect the management of Hyper-V Live Migrations.
If you log on to the first Hyper-V server, you can initiate a Live Migration to the second server, without needing to make any changes to Windows security.
However, if you want to sit at your desktop or laptop, connect to your Hyper-V server, and then start a Live Migration, Windows will block that.
Similarly, if you log on to the first Hyper-V server, Live Migrate a VM to the second server, and then, using the same console session, try to migrate the VM back, it will fail. This security failure occurs because, even though there are only two servers involved, as far as Windows security is concerned there is now a second hop. Windows is being asked to pass your credentials to a second server, and it does not matter that this second server is actually the first server that initiated the communication; Windows still sees this as credentials being passed somewhere else.
There are two options for getting around the challenge of credential security and Hyper-V. The first option is to configure Windows security so that Hyper-V is trusted to re-use credentials. This is done by enabling constrained delegation in Active Directory.
When using constrained delegation, you must specify Use Kerberos when configuring Hyper-V for Live Migration:
The second option is to be logged on to the server where you are initiating the migration, by using either Windows PowerShell Remoting or Remote Desktop.
To enable constrained delegation, you must edit the properties of both the source and target Hyper-V servers, and on the Delegation tab, click Trust this computer for delegation to specified services only, and then click either Use any authentication protocol or Use Kerberos only.
After adding the server, you then select the Microsoft Virtual System Migration Service and CIFS services:
Note that the Common Internet File System (CIFS) delegation is only required when the VMs you want to migrate are hosted on SMB shares.
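The same Delegation tab settings can be applied and audited with the Active Directory module. This is an added example, not from the manual; it assumes Hyper-V hosts HostA and HostB in contoso.com with VMs stored on an SMB server named FS1 (set $FileServer to $null when the VMs are not on an SMB share, so that no CIFS delegation is granted).

```powershell
# Added example: constrained delegation ("Use Kerberos only") for Live Migration,
# configured from PowerShell. Host, domain and file server names are assumed values.
Import-Module ActiveDirectory

$Hosts            = 'HostA', 'HostB'   # the Hyper-V servers that migrate between each other
$Domain           = 'contoso.com'
$FileServer       = 'FS1'              # SMB server hosting the VMs; $null if storage is not on SMB
$MigrationService = 'Microsoft Virtual System Migration Service'

function Set-LiveMigrationDelegation {
    param([string]$Computer, [string[]]$Peers, [string]$DnsSuffix, [string]$SmbServer)

    # Build the "specified services only" list: the migration service on every
    # other host (FQDN and short name), plus CIFS on the file server only when needed.
    # Keeping this list minimal limits what the host can do with delegated identities.
    $services = @(foreach ($peer in ($Peers | Where-Object { $_ -ne $Computer })) {
        "$MigrationService/$peer.$DnsSuffix"
        "$MigrationService/$peer"
    })
    if ($SmbServer) {
        $services += "cifs/$SmbServer.$DnsSuffix", "cifs/$SmbServer"
    }

    $account = Get-ADComputer -Identity $Computer

    # msDS-AllowedToDelegateTo holds the services shown on the Delegation tab.
    Set-ADObject -Identity $account.DistinguishedName -Replace @{ 'msDS-AllowedToDelegateTo' = $services }

    # "Use Kerberos only": no unconstrained delegation and no protocol transition.
    # "Use any authentication protocol" would instead set -TrustedToAuthForDelegation $true.
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

    # Return the effective settings so the change can be reviewed.
    Get-ADComputer -Identity $Computer -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' } }
}

foreach ($h in $Hosts) {
    Set-LiveMigrationDelegation -Computer $h -Peers $Hosts -DnsSuffix $Domain -SmbServer $FileServer
}
```

The hosts' Kerberos tickets cache the old settings, so restart the Hyper-V servers (or wait for ticket renewal) before testing a migration from a remote console.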
In Windows Server 2012, Windows PowerShell Remoting is enabled by default; however, Windows PowerShell Remoting with CredSSP does require additional configuration before it can be used. You first enable the Credential Security Support Provider (CredSSP) on the server and then enable it on the client computer. Note that in addition to the fully qualified domain name (FQDN) of a specific server, you can use a wildcard, such as *.dev.contoso.com, to configure your client to be able to use Windows PowerShell Remoting against any server in the dev.contoso.com sub-domain (as long as the server is enabled for CredSSP). After CredSSP has been enabled, there are two ways to run Windows PowerShell Remoting commands:
- You can establish a session and then run any command on the remote computer within the Windows PowerShell console window.
- You can run commands one at a time by using the Invoke-Command cmdlet (alias icm).
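The CredSSP configuration and both remoting styles described above, as an added example that is not part of the manual. It assumes a Hyper-V server hosta.dev.contoso.com, a target host HostB, a VM named File Server 2, and that the server-side Enable-WSManCredSSP has already been run on the Hyper-V server.

```powershell
# Added example: CredSSP for second-hop Live Migration from a management workstation.
# Host and VM names are assumed values.
$HyperVHost = 'hosta.dev.contoso.com'   # where the migration is initiated
$TargetHost = 'HostB'
$VMName     = 'File Server 2'

# On the Hyper-V server (run locally, or over a plain Kerberos remoting session):
#   Enable-WSManCredSSP -Role Server -Force

# On the management workstation: allow fresh credentials to be delegated only to
# servers in dev.contoso.com. A bare '*' would permit delegation to any host.
Enable-WSManCredSSP -Role Client -DelegateComputer '*.dev.contoso.com' -Force

# Enable-WSManCredSSP writes the client policy to the registry; reading it back
# shows exactly which servers may receive delegated credentials (Get-WSManCredSSP
# prints the same information in text form).
function Get-CredSspDelegationTargets {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
}
Get-CredSspDelegationTargets   # expected to include WSMAN/*.dev.contoso.com

# CredSSP forwards these credentials to $HyperVHost, which is what lets that host
# make the second hop to $TargetHost; only servers you trust with them belong in
# the delegation list above.
$cred = Get-Credential -Message 'Account with Hyper-V rights on both hosts'

# Style 1: a persistent session in which several commands can be run.
$session = New-PSSession -ComputerName $HyperVHost -Authentication Credssp -Credential $cred
Invoke-Command -Session $session -ScriptBlock { Get-VM | Select-Object Name, State }
Remove-PSSession $session

# Style 2: one command at a time (icm is the alias for Invoke-Command). The VM's
# storage is on the SMB share, so Move-VM needs no storage parameters.
Invoke-Command -ComputerName $HyperVHost -Authentication Credssp -Credential $cred `
    -ScriptBlock { param($vm, $dest) Move-VM -Name $vm -DestinationHost $dest } `
    -ArgumentList $VMName, $TargetHost
```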
Remote Desktop
Next step: watch the Live Migration, Live Migration SMB, and Live Migration between clusters videos.