What is Windows 2008 Hyper-V?

What is Windows 2008 Hyper-V?

Windows Server 2008 Hyper-V is a new role in Windows 2008 that allows you to create and manage a virtualized server environment.  You can run multiple servers inside of one server. This feature will allow you to consolidate many servers onto fewer servers. Like other virtualization products, Hyper-V can provide more efficient use of hardware and administrative resources.
Keep in mind that Windows 2008 Hyper-V is much different than running Microsoft Virtual Server 2005. Virtual Server is an application that is installed and run – providing virtualization services. As Hyper-V is a feature built into the operating system, it is more efficient and offers more features than Virtual Server.

What are the key features of Windows 2008 Hyper-V?

1. Support for Virtual LANs.
2. Large amount of memory for the virtual machines,
3. Ability to run 32bit and 64bit machines at the same time,
4. Up to 32GB of RAM and 4 CPUs in each guest OS,
5. Support for either one processor or multiple processor support for the virtual machines,
6. Support for Snapshots, used to capture the state of a virtual machine at a certain times. You can revert back to that snapshot at any time.
7. Support for quick migration - allowing you move a virtual machine from one server to another without having shut down that virtual machine (not to be confused with live migration where there is no host downtime, comparable to VMware’s VMotion),
8. Support for network load balancing between the virtual machines,
9. Future integration with Microsoft Virtual Machine Manager (VMM) as its centralized management platform.

What do I need to know before installing Windows 2008 Hyper-V?

If you are looking into installing Windows 2008 Hyper-V you will need to check your hardware first as you will need is a x64 based processor. It will also require you to have Hardware Data Execution Protection enabled.
Another thing that you will need to do before installing the virtualization role on Windows 2008 is to install two updates. Both of these updates are located in the <systemdrive>\windows\wsv folder. Inside this folder you should find two updates. One of the updates is Windows6.0-KB939854-x64.msu and the other update is Windows6.0-KB939853-x64.msu. You can install these updates in any order that you like. If you do not install these updates windows server virtualization will not be an option when you try to add the virtualization role.

How do I install Windows Virtualization Role on Windows 2008?

1. First you need to Click on Start -> All Programs- > Administrative Tools -> Server Manager.

Figure 1: Server Manager

2. After you have Server Manager open you need to click on Roles on the left pane.

3. Then you need to click on the Add Roles at the top right of the screen.

Figure 2: Add Roles button

4. After you have clicked on the Add Roles button then the Add Roles Wizard should come up.

Figure 3: Add Roles Wizard

5. Click on the Next button.

6. Select Windows Server Virtualization.

Figure 4: Select Server Roles

7. Click on Next.

Figure 5: Windows Virtualization Setup Screen

8. Click on Next.

9. Select the Network card that you want to use for the Virtual machines and then click Next.

Figure 6: Windows 2008 Virtual Network selection

Figure 7: Setup Confirmation Screen

10. Click on Install.

Figure 8: Setup Results Screen

11. Click on Close and then Reboot the server.

How does Windows 2008 WSV compare to VMware ESX Server?

Windows 2008 Hyper-V and VMware ESX are two competing virtualization solutions.  There are some features that both of them have. There are also some advantages of using Windows Server 2008 WSV. Of course, there are also advantages to using VMware ESX.
A similarity between Windows 2008 WSV and VMware ESX is that they are both meant to be enterprise virtualization platforms that work at the OS layer. No more do you have to compare Microsoft Virtual Server to VMware ESX Server.
Both products provide huge performance advances over using Virtual Server or VMware Server.
One of the major advantages that Microsoft has over VMware is that, once released, Microsoft WSV / Hyper-V is a free feature that is included with Windows 2008 Server Standard, Enterprise, and Datacenter Editions. Another advantage of using Microsoft’s Hyper-V is the support for more hardware. Current VMware has a list of hardware that it is capable of using and that is it. With Microsoft as long as the hardware is recognized in Windows 2008 you can use the hardware for virtualization. There are always new updated drivers coming out for Windows so even if the hardware does not support Windows 2008 yet it will support it later down the road.
The advantage of using VMware ESX is that it has many more features than Microsoft and ESX is overall a much more mature product. For example, ESX offers VMotion which does migrations of virtual guests from one host to another without any downtime. ESX offers VMHA and instantly moves all virtual guests from one host to another if the virtual host fails. With VMware, you will likely use their Virtual Center centralized management console, which is far advanced, compared to Microsoft’s virtual machine manager. Additionally, VMware offers their consolidated backup product (VCB) to allow you to do live backups of VMs. With ESX Server 3.5 and ESX 3i about to come out in December 2008, VMware is already increasing the number of features offered with ESX & their Virtual Infrastructure Suite before Microsoft ever gets the features above out of “release candidate zero”.

Summary

I have gone over all the things that are similar in VMware and Microsoft’s Windows 2008 Virtualization. I have listed the advantages of using VMware. I have also listed the advantages of using Microsoft’s Windows 2008 Virtualization. What it really comes down to is if you really have a need for all the features of VMware and the money to purchase VMware then VMware is the product you. But if you are on a tight budget and just need some of the basic features for virtualizing a server then go with Microsoft’s Hyper-V. Now that you know the features of VMware and Microsoft Hyper-V has you should be able to decide on what product would be right for you.

Group Policy Extensions in Windows Vista and Windows Server 2008,

In the first part of this article series, I explained that Windows Vista and Windows Server 2008 offer hundreds of additional group policy settings beyond those offered in Windows Server 2003 and Windows XP. In this article, I want to continue the discussion by talking about the group policy settings that are used to control user accounts and hardware devices.
The group policy settings that I will be discussing are all located at Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options. As you can see in Figure A, there are far too many group policy settings in the Security Options container for me to discuss them all. Therefore, I will limit my discussion to the policy settings that are the most useful or most interesting.

Figure A: Account related group policy settings are located at Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options

Administrator Account Status

One of the major security weaknesses of previous Windows operating systems has always been the existence of a local administrator account on workstations. While Windows Vista does make use of a local Administrator account, the Accounts: Administrator Account Status policy setting can be used to disable it.
By default, the administrator account is enabled, but disabling it is simple. All you have to do is set this policy setting to Disabled. Before you start disabling local administrator accounts though, there are some consequences that you need to be aware of. If you have disabled the administrator account, you will not be able to re-enable it again unless the local administrator account’s password meets the minimum password length and complexity requirements. Another administrator can reset the account’s password assuming that such an account exists.
If you find yourself locked out of a machine, and there is no other administrative account that can reset the password, all is not lost. The local Administrator account is always enabled when the machine is running in safe mode. Therefore, you can boot the machine into safe mode, log in as the local administrator, and then reset the password. You should then be able to re-enable the local administrator account.

Limiting the Use of Blank Passwords

Normally, there is no reason why anyone in your organization should ever have a blank password. As a precaution though, the Accounts: Limit Local Account Use of Blank Passwords to Console Logon Only policy setting limits how accounts with blank passwords can be used.
This policy setting, which is enabled by default, makes it so that any user accounts that do not have passwords are only allowed to log in locally. This means that someone could use such an account to log in directly to a PC using a keyboard, but the account could not be used to log in through another mechanism such as Remote Desktop.

Renaming the Administrator Account

For well over a decade, Microsoft has been telling us to rename the Administrator account for security reasons. The problem with doing so is that every workstation has its own administrator account, which has to be manually renamed.
Vista and Server 2008 now offer us a group policy setting which can be used to rename the local administrator account automatically. The name of the policy setting is Accounts: Rename Administrator Account. To use this policy setting, all you have to do is to enter a new name for the administrator account, and the change will be propagated to all of the machines for which the group policy applies.

Auditing Backup and Restore Operations

One of the more interesting group policy settings is the Audit: Audit the Use of Backup and Restore Privilege setting. The basic idea behind this policy setting is that if you choose to enable it (the policy setting is disabled by default) then backup and restore operations are audited.
The reason why I say that this is one of the more interesting policy settings is because it has both its good points and its bad points. This policy is good in that it allows you to verify that the person responsible for backing up the system really is performing backups according to company policy. It also allows you to be aware of any restore operations that have occurred. The bad point of using this policy setting is that it produces a log entry for every file that is backed up. This means that your audit logs could potentially become flooded with log entries related to the backup. Of course some small amount of disk and CPU resources are also used when a log entry is written. By itself, the effects of writing a log entry are nominal. If you are writing hundreds of thousands of log entries at a time though, the log entries could severely impact performance.

Removable Media

In many companies, the use of removable media is simply not allowed. Removable media such as CDs and DVDs allows users to bring unauthorized data or applications into the organizations or to make copies of sensitive data and remove that data from the organization. Since the use of removable media is often discouraged, Microsoft created the Devices: Allowed to Format and Eject Removable Media policy setting. As the name implies, this policy setting can be used to prevent users from formatting or ejecting removable media.

Printer Drivers

Windows is designed in a way that if a user wants to print to a network printer, they do not typically need a CD containing the printer driver, nor do they need to download a driver from the Internet. When a user uses a universal naming convention (UNC) to attach to a printer that is being shared by a Windows machine, the host checks the user’s workstation to see if it has an appropriate driver. If no driver exists, then the printer’s host sends a copy of the printer driver to the machine that just attached to the share.
In most cases, this is probably a desirable behavior, because it allows users to do their jobs without having to contact the help desk every time they need to print to a different printer. In higher security environments though, it might be considered risky to allow users to print to printers that have not been specifically designated to them. One way of preventing users from printing to unauthorized printers is to prevent users from installing print drivers.
You can stop users from installing printer drivers by enabling the Devices: Prevent Users from Installing Printer Drivers policy setting. This policy setting is disabled by default on workstations, but it is enabled by default on servers.
There are a couple of things that you need to keep in mind if you are thinking of enabling this policy setting. First, this policy setting does not prevent users from adding local printers, it only stops users from installing drivers for network printers. Another thing to keep in mind is that enabling this policy will not stop a user from printing to a network printer for which the user already has a driver. Finally, enabling this setting has no effect on administrators.

Conclusion

In this article, I have shown you several group policy settings related to controlling user accounts and hardware devices. In Part 3 I will continue the discussion by showing you more group policy settings that are unique to Windoes Server 2008 and Windows Vista.