Networking

Hyper-V Overview

Virtualisation was once found almost exclusively in large data centres. These days it can be found in many small to medium size businesses, thanks in part to powerful lower end servers and the advent of “free” virtualisation software.

Server Virtualisation comes in two main forms:

  • Host based virtual machines that run on top of an existing operating system e.g. VMware workstation, Microsoft Virtual PC, Sun VirtualBox and Parallels Desktop.
  • Hypervisor systems where the virtualisation layer sits directly on top of the physical hardware and doesn’t require a host operating system, e.g. Microsoft Hyper-V Server, VMware ESX and Citrix XenServer.

Hyper-V Server 2008 is available as a free download and is essentially a modified version of Windows 2008 Server Core without the ability to add roles other than Hyper-V. The user interface is PowerShell command line only, i.e. no GUI. A remote management console can be used to configure the Hyper-V environment, or for larger environments you have the choice of either System Centre Virtual Machine Manager (SCVMM) or Citrix Essentials for Hyper-V.

System Requirements:

  • x64 Based Intel (with VT extensions) or AMD (with AMD-V extensions) CPU
  • Data Execution Prevention must be enabled in hardware
  • 2GB RAM plus RAM for each guest Operating System
  • Either Hyper-V Server or a copy of Windows 2008 Standard, Enterprise or Datacentre

Note that you shouldn’t automatically assume all server hardware will support Hyper-V. In some cases it may be necessary to update firmware or install hardware vendor supplied updates.

Hyper-V systems can host a number of different operating systems, including:

  • Windows 2003 and 2008 Server 32bit and 64bit Editions
  • Windows Vista SP1
  • Windows XP SP2 or later
  • SuSE Enterprise Linux (other versions of Linux may work but are not supported)

Limitations:

Hyper-V is currently in its first release and as such has a number of limitations when compared to VMware ESX. There is limited support for hardware pass-through, e.g. SCSI tape devices can’t be accessed from Hyper-V hosts, but some USB devices can. Hyper-V doesn’t currently have a VMotion type function used in high-availability systems. Many of these features are enterprise type functions that may not be needed in small to medium size networks, and given the cost of getting those features, these limitations are accepted by many people.

Some applications may not be supported in a virtual environment and this should be taken into consideration when designing a solution. Applications that require high disk I/O are often in this category. This doesn’t mean they won’t work, but you may not get the level of performance you would expect.

Watch this space:

Windows 2008R2 is due for release on the 22nd of October 2009 and will feature many improvements to Hyper-V. One of the key new features is Live Migration which provides VMotion type functionality and will help narrow the feature gap. Hyper-V is a hot technology and a key part of Microsoft’s network strategy and as such I am sure we will continue to see rapid improvement in functionality in the future.

Hyper-V Home Page
Hyper-V Team Blog


Windows 7 DirectAccess overview

Windows 7 clients can gain remote access to network resources using a feature called DirectAccess. Microsoft see this as a game-changing technology that will change the way we work remotely. A Windows 2008R2 server acts as a gateway for DirectAccess clients, providing access to servers on the internal LAN.

DirectAccess does away with the need for third party VPN clients or access gateways on client devices and simplifies data access for the end user. The end user experience is seamless and simple: the user simply turns on and connects to the internet, with no additional user actions required. DirectAccess will automatically reconnect if the internet connection is dropped for any reason.

DirectAccess removes some of the more frustrating issues end users have when working remotely. Connections are over port 443 (a standard port), removing connection issues due to firewall rules on remote networks and routing issues due to subnet clashes. Intelligent routing means users can access internet services at the same time as company resources.

For Network Administrators the ability to manage computers outside the firewall will be a key driver for using this technology. NAP can be used to audit clients before allowing network access. Group Policy can be applied over the DirectAccess connection before the user gains full network access.

One of the biggest differences between DirectAccess and traditional VPN solutions is that the DirectAccess connection can be initiated from either end, whereas VPNs are initiated from the client only. The connection is established when the client device starts up and doesn’t require the end user to log in and initiate a connection.

DirectAccess Requirements:

  • Windows 2008R2 Server Active Directory Domain Controller Role
  • Windows 2008R2 Server DirectAccess Role
  • 2 Network cards configured
  • 2 consecutive public static IPv4 addresses with public DNS names
  • Digital Certificates with CRL attributes
  • Windows 7 client joined to the domain

Firewall configuration details can be found on TechNet – DirectAccess requirements article.

DirectAccess really is in my opinion one of the best reasons to move to Windows 7 when it is released later this year. End users will love seamless access to company resources while Network Administrators will see real value in the management capabilities.

Microsoft have recently published some tools to help implement and manage DirectAccess. Download the kit from here:
Direct Access Admin Kit

EBS 2008 Firewall Configuration

Essential Business Server 2008 (EBS 2008) automatically installs and configures most of the components required to provide remote access. Details can be found in my EBS 2008 Remote Access article.

Forefront TMG is automatically configured during installation to allow the ports listed below to access services in the EBS 2008 environment. If you have an external router or firewall you will need to forward the following ports from that device to the WAN Adapter of the EBS 2008 Security Server:

  • Port 25 TCP – SMTP
  • Port 80 TCP – HTTP (EBS 2008 redirects inbound HTTP to HTTPS)
  • Port 443 TCP – HTTPS (RWW, OWA and TS Gateway)
  • Port 987 TCP – External secure Windows SharePoint Services intranet access
  • Port 1723 TCP – PPTP (VPN) – optional as RRAS is not configured by default

Note that RDP access to server consoles is done via Terminal Services Gateway (over port 443), so do not allow inbound connections on port 3389 as it is a security risk.
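As an added example (not from the original post), the port list above turned into a check you can run from outside the network once the router rules are in place: every forwarded port must answer and 3389 must not. It assumes Test-NetConnection is available (Windows 8 / Server 2012 or later) and uses a placeholder public name for the Security Server; port 1723 is left out because RRAS is optional.

```powershell
# Added example, not part of the original post.
# Verifies the EBS 2008 inbound port list from an external client.
$PublicHost = 'ebs-security.example.com'   # placeholder for the Security Server's public DNS name

# Ports that the external router/firewall must forward to the WAN adapter.
$Expected = @{
    25  = 'SMTP'
    80  = 'HTTP (redirected to HTTPS by EBS 2008)'
    443 = 'HTTPS (RWW, OWA and TS Gateway)'
    987 = 'Secure Windows SharePoint Services'
}
# Ports that must never be reachable from the internet.
$MustBeClosed = @{ 3389 = 'RDP (console access goes through TS Gateway on 443)' }

function Test-EbsPublicPorts {
    $problems = @()
    foreach ($port in $Expected.Keys) {
        $r = Test-NetConnection -ComputerName $PublicHost -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) {
            $problems += "Port $port ($($Expected[$port])) is not reachable - check the forwarding rule"
        }
    }
    foreach ($port in $MustBeClosed.Keys) {
        $r = Test-NetConnection -ComputerName $PublicHost -Port $port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) {
            $problems += "Port $port ($($MustBeClosed[$port])) is EXPOSED - remove the rule"
        }
    }
    # An empty array means the public configuration matches the list above.
    return $problems
}

Test-EbsPublicPorts
```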

DNS Aliasing

How many times have you had to upgrade a server and run around making changes to login scripts and group policies? How about migrating users to a new terminal server or migrating applications to a new SQL server? DNS aliases can be used to simplify these tasks and, with a little bit of thought, prevent the need to ever make those changes again.

File Server example

In this example we have an existing file server FS-1 and a new file server FS-2. We will create an alias called FILESERVER.

Disable Strict Name checking on both file servers (needed to allow connection to SMB shares):

  • Edit HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  • Add a REG_DWORD DisableStrictNameChecking = 1
  • Restart the server so the setting takes effect

In DNS create a CNAME record called FILESERVER and point the CNAME at the DNS A record for FS-1.

You can now change login scripts and GPOs to connect to FS-1 in either of two ways. Note this works for file shares and shared printers too:

  • \\FS-1\share
  • \\FILESERVER\share

Now let’s assume you want to replace FS-1 with a new server FS-2. Simply move the data and create shares on FS-2 and, when you’re ready to swap servers, change the FILESERVER CNAME to point to FS-2. No changes to login scripts or GPOs.
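The whole procedure above as a script, added here as an example and not part of the original post. It assumes an AD-integrated zone named corp.example.local, a share called "share", and a DNS server with the DnsServer PowerShell module (Windows Server 2012 or later; on 2008 the same records can be created with dnscmd).

```powershell
# Added example, not part of the original post.
$Zone  = 'corp.example.local'   # assumed zone name
$Alias = 'FILESERVER'

# Step 1: run once on each file server so SMB accepts a name other than the hostname.
# A restart is required for the setting to take effect.
function Enable-AliasSmbAccess {
    $key = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null
}

# Step 2: create the alias, pointing at the A record of the current file server (FS-1).
function New-FileServerAlias {
    param([string]$Target)
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias "$Target.$Zone"
}

# Step 3 (cutover): repoint the alias at FS-2 without touching login scripts or GPOs.
function Set-FileServerAlias {
    param([string]$Target)
    $old = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -RRType CName
    $new = $old.Clone()
    $new.RecordData.HostNameAlias = "$Target.$Zone."
    Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

# Check: the alias resolves to the intended host and the share opens through the alias.
# Clients may cache the old answer until the record TTL expires; run ipconfig /flushdns if needed.
function Test-FileServerAlias {
    param([string]$Expected)
    $cname = (Resolve-DnsName -Name "$Alias.$Zone" -Type CNAME).NameHost
    return ($cname -ieq "$Expected.$Zone") -and (Test-Path "\\$Alias\share")
}

# Caveat: Kerberos to the alias needs a host/FILESERVER SPN on the target's computer account
# (setspn -S host/FILESERVER FS-1); without it clients silently fall back to NTLM.

# Typical use (assumed names):
#   Enable-AliasSmbAccess            (on FS-1 and FS-2, then reboot)
#   New-FileServerAlias -Target 'FS-1'; Test-FileServerAlias -Expected 'FS-1'
#   Set-FileServerAlias -Target 'FS-2'; Test-FileServerAlias -Expected 'FS-2'
```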

Tips:

Before cutting over to FS-2 you can use a hosts file entry on a PC to point FILESERVER at FS-2 and test your shares.

The same concept can be used in many places, including aliases for SQL databases, SharePoint, mail servers, web servers and many applications that use TCP/IP to communicate.

This is a good way to present “friendly” server names to users while maintaining names that are meaningful to the IT team.

You can have multiple CNAME records pointing to the same server. This is useful for application specific DNS aliases, e.g. a SQL server running several databases could have a CNAME for each database so that if one is moved to another server in the future the CNAME can follow.

Free Network Improvements

Once EBS 2008 is up and running you have a great network foundation on which to build. Here is a short list of things you can do to enhance your network for free using features of Windows 2008, Exchange 2007 or free downloads. You don’t need EBS 2008 to use these features; they are available for SBS 2008 and Windows 2008 Server editions.

Replicating your data

Distributed File System Replication (DFS-R) allows files to be replicated between Windows servers and works well even across WAN links. Replication can be one-way, two-way or a mesh arrangement between multiple servers.

DFS-R overview

Accessing your documents remotely using Outlook Web Access

Outlook Web Access (OWA) 2007 includes a direct document access feature that can be configured from Exchange 2007. This provides a quick way to publish read only access to network shares for remote users. CIFS permissions need to be altered if the shares are not on the Exchange Server hosting OWA.

Direct File Access Tutorial

Standardising Office application settings

Download the Office Admin pack for Office 2003 or 2007 and add the .ADM files to the Group Policy Management console. Once installed, Group Policies can be created to ensure Office users get consistent settings, e.g. file locations, language settings etc.

Office .ADM files

Printer Management

The Printer Management Console allows management of printers on local and remote print servers from a central location. This greatly reduces the amount of effort required to manage environments with large numbers of printers on multiple Windows print servers. It also eases migration of printers between print servers.

Printer Management Console

Email Disclaimers

Exchange 2007 Transport Rules can be used to add email disclaimers to outgoing email messages.

How to configure email disclaimers

Learn PowerShell

PowerShell can be used to automate tasks that are normally done using the GUI. Using PowerShell ensures tasks are done consistently, saves time on repetitive tasks and allows tasks to be done outside of hours by scheduling scripts.

Powershell Tutorial

Extend the EBS 2008 Console

A number of free add-ins can be added to the EBS 2008 Management Console. Currently add-ins are available for SQL 2008, Dynamics and Data Protection Manager.

EBS Console Add-ins