Best Practices: Microsoft Private Cloud Implementation

Future Proof Your Business with Private Cloud Offerings

Your customers are turning increasingly to virtualization as a way to cut costs and scale out services. Yet simple server consolidation is no longer enough: your customers want the agility and cost-saving benefits of the cloud computing model, which they hear about every day. Microsoft partners that can deploy and/or manage a private cloud infrastructure can expand their role as a trusted advisor and boost the bottom line with Microsoft products your customers already know and trust. This document describes best practices for implementing the Microsoft private cloud.
Disclaimer

This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
Contents

What Is the Microsoft Private Cloud?
Microsoft Private Cloud Architecture
    Hardware Architecture
    Software Architecture
How to Use This Document
Software Configuration Best Practices
    Management Cluster Best Practices
    Virtualization Architecture
        Licensing
        Operating System Configuration
        Hyper-V Network Performance Settings
        IP Addressing
        MPIO Configuration
        Network Interface Controller Teaming
    Hyper-V Host Cluster Design
    Hyper-V Guest Virtual Machine Design
        Virtual Machine Storage
        Virtual Machine Networking
        Virtual Processors
    Management Architecture
        SQL Server 2008 SP1
        System Center Virtual Machine Manager 2008 R2
        System Center Operations Manager 2007 R2
        Windows Server Update Services
        System Center Configuration Manager
        Virtual Machine Servicing Tool
        Backup and Disaster Recovery
    Orchestration
        Microsoft Opalis
    Security Considerations
        Host Operating System Configuration
        Virtual Machine Configuration
Conclusion
What Is the Microsoft Private Cloud?

The Microsoft private cloud is a set of pooled resources and automation and management tools built on Windows Server 2008 R2 Hyper-V and Microsoft System Center. With the Microsoft private cloud, you can build a dedicated on-premises or hosted cloud environment to transform the way your customers consume or deliver IT services to their businesses.

The software layer of the Microsoft private cloud is composed of the following components:

- Windows Server 2008 R2 (Datacenter edition recommended due to unlimited virtualization use rights) with Hyper-V, or Microsoft Hyper-V Server 2008 R2
- Microsoft SQL Server 2008 Service Pack 1 (SP1)
- Microsoft System Center Virtual Machine Manager Self-Service Portal
- Microsoft System Center Operations Manager
- Windows PowerShell
- Microsoft Deployment Toolkit 2010 (MDT)
- Windows Deployment Services (WDS)

When you deploy the Microsoft private cloud, your customers can take advantage of core cloud attributes that help transform the way they consume IT services. These characteristics include the following:

- Resource pooling: A Microsoft private cloud pools computing, storage, networking, and virtual machine (VM) resources so that the resources are continuously available. Microsoft management software then dynamically assigns and reassigns these resources according to consumer demand.
- Elasticity: With a Microsoft private cloud, new services, capacity, or capabilities can be rapidly and elastically provisioned, in some cases automatically. To the consumer, these IT services often appear to be unlimited, and the IT services can be purchased in any quantity at any time.
- Continuous availability: Pooled resources and automated provisioning and management in the Microsoft private cloud mean that customers can consume IT services on demand. From an administration view, continuous availability means that business continuity measures are automated on highly available resource pools, which simplifies failover and backup procedures.
- Multi-tenancy: A Microsoft private cloud lets Microsoft partners and their customers take advantage of economies of scale. The infrastructure can be logically subdivided and provisioned to different customers or to various organizational units within a business, with costs for the infrastructure and services shared among tenants.
Microsoft Private Cloud Architecture

The Microsoft private cloud features a layered architecture in which Hyper-V virtualization decouples operating systems, data, applications, and user state from the underlying hardware. This virtualization layer drives the automation, management, and orchestration layers, where Microsoft software provides the capabilities characteristic of a cloud infrastructure.

Hardware Architecture

The underlying hardware of the Microsoft private cloud includes elements already present in every data center: servers, storage, and networking infrastructure. The hardware on which you build a Microsoft private cloud should have the following minimum characteristics (see http://www.microsoft.com/hyperv-server/en/us/system-requirements.aspx for a complete description of hardware requirements):

- Servers: Late-generation, multisocket, multicore servers with hardware-assisted virtualization in silicon, such as AMD Virtualization (AMD-V) or Intel Virtualization Technology (Intel VT)
- Storage: iSCSI storage area network (SAN) that supports Windows Failover Clustering and that is physically or logically separated from other Ethernet I/O
- Networking: Gigabit Ethernet (GbE) switched network (10 GbE is preferred)

Software Architecture

Microsoft products build on the virtualization foundation provided by Hyper-V and deliver automation, management, orchestration, and self-service provisioning capabilities that create the cloud's elasticity. The software layers facilitate the following:

- Virtualization: Windows Server 2008 R2 and Hyper-V Server 2008 R2 provide the virtualization that drives the cloud's flexible capabilities.
- Management: The management layer consists of the tools that administrators use to deploy and operate the infrastructure, such as Microsoft System Center, Microsoft Deployment Toolkit, and Windows Deployment Services. The management layer performs activities such as provisioning the SAN, deploying an operating system, managing services, or monitoring an application. One of its key attributes is its ability to monitor every component of the infrastructure remotely and to capture component dependencies.
- Automation: Windows PowerShell, Windows Management Instrumentation (WMI), and WS-Management provide a robust automation layer for the Microsoft private cloud. This automation layer also features a series of single-purpose commands and scripts that perform such operations as starting or stopping a VM, rebooting a server, or applying a software update.
- Backup: The backup layer consists of tools and workflows that provide backup and restoration of critical data. This layer is crucial in facilitating disaster recovery scenarios.
How to Use This Document

This document contains best practices guidance for implementing the software components of the Microsoft private cloud. It is written on the assumption that you have properly configured your server, storage, and networking hardware for optimal performance in a Microsoft private cloud environment. If you need additional instructions for hardware configuration, see your product documentation.

Software Configuration Best Practices

Management Cluster Best Practices

In a private cloud scenario, IT moves from being a server operator to an IT service provider. This means a set of services, such as reporting, usage metering, and self-service provisioning, must accompany the infrastructure. For this reason, when managing eight nodes or more, you should provide high availability to the management systems. You can achieve high availability using a management host cluster that typically consists of two nodes.

[Figure: Hyper-V Cloud management cluster (management VMs on SAN storage) beside the Hyper-V Cloud host cluster (failover cluster nodes, up to 16 per cluster, on SAN storage)]

The following are best practice recommendations for the cloud management cluster:

- Provide a dedicated host cluster of two or more nodes for Hyper-V cloud management if the Hyper-V cloud is 8 nodes or larger.
- Deploy all management products in high-availability virtual machines on the management cluster.
- Configure the cluster with a storage area network (SAN) and storage array that is compatible with Windows Failover Clustering.
- Implement gigabit Ethernet or higher for all switched Ethernet network infrastructure.

Virtualization Architecture

Licensing

Editions of Windows Server 2008 R2 (Standard, Enterprise, and Datacenter) include virtualization use rights: the right and license to run a specified number of Windows-based virtual machines. This right does not limit the number of virtual machines the host can run; it denotes the number of Windows guest licenses that are included. To run more virtual machines than the number of virtualization use rights, you only need to ensure that you have valid additional licenses for the virtual machines. For example, Windows Server 2008 R2 Standard includes the use right for one running virtual machine, meaning an additional Windows Server 2008 R2 license is included for that virtual machine. The virtualization use rights for each edition of Windows Server 2008 R2 are:

- Windows Server 2008 R2 Standard: Includes use rights for one running virtual machine.
- Windows Server 2008 R2 Enterprise: Includes use rights for up to four virtual machines. This does not limit the number of guests that the host can run; it means that licenses for four Windows guests are included. To run more than four guests, you simply need to ensure you have valid Windows Server licenses for the additional virtual machines.
- Windows Server 2008 R2 Datacenter: Includes unlimited virtualization use rights, which lets you run as many guests as you like on the physical server running Windows Server 2008 R2 Datacenter edition.

The following is the best practice recommendation for Windows Server 2008 R2 licensing:

- Use Windows Server 2008 R2 Enterprise or Datacenter editions. Datacenter edition is preferred due to use rights advantages.

Operating System Configuration

Your host operating system should be tuned for highest performance in a Hyper-V cloud environment. The following are general considerations for the Hyper-V host operating system.
- Use Windows Server 2008 R2 with either the Full or Server Core installation option. Note that there is no upgrade path from Server Core to Full or vice versa, so make this selection carefully.
- Use the latest hardware device drivers.
- Join the Hyper-V parent partition OS to a domain.
- Enable the Hyper-V role and the Failover Clustering feature.
- Apply relevant Windows updates, including out-of-band (OOB) updates not offered on Microsoft Update. The list of Hyper-V updates can be found at http://technet.microsoft.com/en-us/library/ff394763%28ws.10%29.aspx.
- Confirm that all nodes, networks, and storage are accepted by the Cluster Validation Wizard.

Hyper-V Network Performance Settings

A key factor in configuring a cloud architecture so that it provides flexibility and elasticity is network optimization. The following Hyper-V R2 settings can improve your network performance:

- Enable TCP checksum offload. This reduces the load on the host server's CPU, improves overall network throughput, and is fully supported by Live Migration.
- Enable jumbo frames. Hyper-V in Windows Server 2008 R2 extends jumbo frame support to virtual machines. Jumbo frames provide up to six times larger payloads per packet, improve overall throughput, and reduce CPU load for large file transfers. Jumbo frames only help when every device on the path (host NICs, virtual switch, physical switches, and storage targets) is configured for the same frame size; a mismatch produces fragmentation or dropped frames rather than a speedup.
- Enable Virtual Machine Queue (VMQ) for 10 gigabit Ethernet networks. VMQ lets a single network interface card (NIC) in the host server appear as multiple NICs to VMs by letting the host's NIC place packets directly into the memory of individual VMs. Each VM NIC buffer is assigned a VMQ, which avoids excess packet copies and route lookups in the virtual switch. This results in less data in the host's buffers and an overall performance increase.

IP Addressing

Segregating the networks on which your private cloud is built should be a key design consideration. Subnets for the various facets of the private cloud architecture should be separate and distinct. Keep in mind the following best practices when determining IP network addressing:

- Place the cluster heartbeat network on a distinctly separate subnet from the host management network.
- Do not share the virtual machine network adapter with the host operating system. The physical NIC that is used by VMs should not have an IP address assigned to it.
- Separate and isolate the iSCSI network from the host and VM networks. Use a dedicated IP range for the storage devices. iSCSI traffic is not encrypted on the wire, so any VM or host that can reach the storage subnet can observe that traffic or attempt to log in to the targets; keeping the storage subnet off the VM networks is a security boundary as well as a performance measure.
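The performance settings and the addressing rules above can be audited from the parent partition. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft. It reads the standardized NDIS keywords that NIC drivers store under the network adapter class key (*TCPChecksumOffloadIPv4, *JumboPacket, *VMQ) and checks the host's adapters against the subnet rules. It assumes PowerShell 2.0 on Windows Server 2008 R2 (which has no NetAdapter module), the adapter-to-role mapping is supplied by the caller, and the adapter names and addresses in the sample at the end are constructed for illustration.

```powershell
# Added example, not from the original document. Audits a Windows Server 2008 R2
# Hyper-V host against the network performance settings and IP addressing rules
# above using only the registry and WMI (the NetAdapter cmdlets do not exist on
# 2008 R2). Adapter-to-role assignments are supplied by the caller.

$NicClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# --- Part 1: checksum offload, jumbo frames, VMQ -----------------------------
# NIC drivers store these advanced properties as standardized NDIS keywords
# under the network class key. Values are strings; a missing value means the
# driver does not expose that feature.
function Get-NicOffloadSettings {
    Get-ChildItem $NicClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DriverDesc) {
                New-Object PSObject -Property @{
                    Adapter      = $p.DriverDesc
                    ChecksumIPv4 = $p.'*TCPChecksumOffloadIPv4'   # 0 = off, 1 = Tx, 2 = Rx, 3 = Rx and Tx
                    JumboPacket  = $p.'*JumboPacket'              # frame size in bytes, e.g. 1514 or 9014
                    Vmq          = $p.'*VMQ'                      # 0 = off, 1 = on
                }
            }
        }
}

function Test-NicOffloadSettings {
    param([object[]]$Settings, [int]$LinkSpeedGbps = 1)
    $findings = @()
    foreach ($s in $Settings) {
        if ($s.ChecksumIPv4 -ne '3') {
            $findings += "$($s.Adapter): TCP checksum offload is not enabled for both Rx and Tx"
        }
        if (-not $s.JumboPacket -or [int]$s.JumboPacket -lt 9000) {
            $findings += "$($s.Adapter): jumbo frames are not enabled"
        }
        if ($LinkSpeedGbps -ge 10 -and $s.Vmq -ne '1') {
            $findings += "$($s.Adapter): VMQ is disabled on a 10 GbE adapter"
        }
    }
    return $findings
}

# --- Part 2: subnet segregation ----------------------------------------------
function Get-NetworkId {
    param([string]$Address, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3 | ForEach-Object { $a[$_] -band $m[$_] }) -join '.')
}

# $Adapters: objects with Name, Role (Management, Heartbeat, iSCSI, VM, ...),
# IPAddress and SubnetMask. Rules checked: the VM uplink carries no host
# address, every other role has an address, and no two roles share a subnet.
function Test-HostNetworkSegregation {
    param([object[]]$Adapters)
    $findings = @()
    $seen = @{}
    foreach ($nic in $Adapters) {
        if ($nic.Role -eq 'VM') {
            if ($nic.IPAddress) { $findings += "$($nic.Name): VM uplink must not carry a host IP address (has $($nic.IPAddress))" }
            continue
        }
        if (-not $nic.IPAddress) { $findings += "$($nic.Name): $($nic.Role) adapter has no IP address"; continue }
        $id = Get-NetworkId $nic.IPAddress $nic.SubnetMask
        if ($seen.ContainsKey($id) -and $seen[$id] -ne $nic.Role) {
            $findings += "$($nic.Name): $($nic.Role) shares subnet $id with $($seen[$id])"
        } else {
            $seen[$id] = $nic.Role
        }
    }
    return $findings
}

# Build the adapter list on a live host. $RoleMap maps the WMI adapter
# Description to its role; the names are assumptions for your hardware,
# e.g. @{ 'Intel(R) Gigabit Network Connection #2' = 'Heartbeat' }.
function Get-HostAdapters {
    param([hashtable]$RoleMap)
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $RoleMap.ContainsKey($_.Description) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name       = $_.Description
                Role       = $RoleMap[$_.Description]
                IPAddress  = $(if ($_.IPAddress) { $_.IPAddress[0] } else { $null })   # first (IPv4) address
                SubnetMask = $(if ($_.IPSubnet)  { $_.IPSubnet[0]  } else { $null })
            }
        }
}

# Constructed sample (not from a real host): the heartbeat adapter sits on the
# management subnet and the VM uplink carries an address; both violate the rules.
$sample = @(
    (New-Object PSObject -Property @{ Name='NIC1'; Role='Management'; IPAddress='10.0.1.11';  SubnetMask='255.255.255.0' }),
    (New-Object PSObject -Property @{ Name='NIC2'; Role='Heartbeat';  IPAddress='10.0.1.12';  SubnetMask='255.255.255.0' }),
    (New-Object PSObject -Property @{ Name='NIC3'; Role='iSCSI';      IPAddress='10.0.50.11'; SubnetMask='255.255.255.0' }),
    (New-Object PSObject -Property @{ Name='NIC4'; Role='VM';         IPAddress='10.0.1.13';  SubnetMask='255.255.255.0' })
)
Test-HostNetworkSegregation $sample
```

On a real host, run `Test-NicOffloadSettings (Get-NicOffloadSettings) -LinkSpeedGbps 10` and `Test-HostNetworkSegregation (Get-HostAdapters $roleMap)` from an elevated prompt. The registry keywords are what the driver reports, so a driver that does not expose a keyword shows as a finding and should be confirmed in the adapter's Advanced properties rather than assumed broken.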
MPIO Configuration

When configuring a disk device to be managed by Multipath I/O (MPIO) for multipath access, the hardware ID for the disk device must be present in two different locations in the registry in order to be claimed by MPIO and by the Device Specific Module (DSM) that manages the connection to the device. These two locations are:

HKLM\System\CurrentControlSet\Control\MPDEV\MPIOSupportedDeviceList
HKLM\System\CurrentControlSet\Services\<DSM NAME>\Parameters\DsmSupportedDeviceList

If the device will be associated with the Microsoft DSM (MSDSM), then <DSM NAME> is MSDSM. If the device connection will be handled by a vendor-provided DSM, then the name of this key depends on the service name associated with the DSM in the HKLM\System\CurrentControlSet\Services registry hive.

The following is a best practice for MPIO configuration:

- Configure the hardware ID for a specific disk device so that it is associated with only one DSM in the Services key. This ensures that the device can be claimed only by the desired DSM when multiple DSMs are able to support a given device.

For more information about MPIO configuration, download the Windows Server High Availability with Microsoft MPIO white paper at http://www.microsoft.com/downloads/en/details.aspx?familyid=cbd27a84-23a1-4e88-b198-6233623582f3.

Network Interface Controller Teaming

NIC teaming, or link aggregation (IEEE 802.3ad), bonds physical NICs together to form one or more logical network links and distributes traffic across the NICs in the team. This lets a single NIC, cable, or switch sustain a planned or unplanned outage without disrupting the host's Ethernet traffic. Note that Windows Server 2008 R2 has no built-in NIC teaming; teaming is provided by the NIC vendor's driver and management software. Keep in mind the following when designing your virtual and host networks:

- Implement NIC teaming to provide high availability to the virtual machine networks.
- Team two or more NICs into a logical NIC that can be used by the VMs.
- Do not use NIC teaming for storage traffic in conjunction with iSCSI or FCoE. Storage networking should take advantage of MPIO.

Hyper-V Host Cluster Design

A Hyper-V host cluster is a group of servers that operate together to increase the availability of applications and services. Hyper-V clustering facilitates high-availability configurations: if one of the cluster nodes fails, a failover node begins to provide service, restarting the VMs from the failed node on a surviving node. When planning downtime for a node, Live Migration moves running VMs from one node to another with no perceptible interruption to the VM.

The host servers are one of the critical components of a dynamic, virtual infrastructure. Consolidation of multiple workloads onto the host servers requires that those servers be highly available. Windows Server 2008 R2 provides advances in failover clustering that facilitate high availability and Live Migration of virtual machines between physical nodes.

The following are recommended best practices for designing a Hyper-V cluster:

- Implement a dedicated network for managing the infrastructure. Ensure that all Hyper-V hosts have a dedicated network adapter connected to the management network for exclusive use by the parent partition.
- If the server hardware contains out-of-band management adapters, implement a dedicated network for these adapters also.
- If using iSCSI, implement a dedicated iSCSI network or virtual local area network (VLAN).
  - If using 1 Gb Ethernet NICs, ensure two NICs are dedicated to iSCSI traffic to ensure redundancy.
  - If using 10 Gb Ethernet NICs, ensure a teamed, virtual NIC is presented to the parent partition for iSCSI traffic to ensure redundancy.
- Enable Cluster Shared Volumes (CSV) for storing multiple virtual machines on a single logical unit number (LUN).
- Implement a dedicated CSV/cluster communication network.
  - If using 1 Gb Ethernet NICs, ensure that all Hyper-V hosts have a dedicated network adapter connected to the CSV network for exclusive use by the parent partition.
  - If using 10 Gb Ethernet NICs, ensure a teamed, virtual NIC is presented to the parent partition for CSV traffic to ensure redundancy.
- Implement a dedicated Live Migration network.
  - If using 1 Gb Ethernet NICs, ensure that all Hyper-V hosts have a dedicated network adapter connected to the Live Migration network for exclusive use by the parent partition.
  - If using 10 Gb Ethernet NICs, ensure a teamed, virtual NIC is presented to the parent partition for Live Migration traffic to ensure redundancy.
  - Use a dedicated or shared 10 Gb Ethernet connection for the Live Migration network. This significantly reduces the time required to move VMs between hosts with zero downtime during maintenance or update windows.
- Implement one or more dedicated VM networks.
  - If using gigabit Ethernet NICs, ensure that all Hyper-V hosts have two or more dedicated network adapters connected to the VM network for exclusive use by the guest VMs.
  - If using 10 gigabit NICs, ensure a teamed, virtual NIC is presented to the guest VMs to ensure redundancy.
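The MPIO rule given earlier, that a device's hardware ID be listed under exactly one DSM, is easy to verify by reading the two registry lists named in that section. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft. It assumes an elevated PowerShell 2.0 session on the Hyper-V host. The hardware ID used in the usage line, MSFT2005iSCSIBusType_0x9, is the entry the Microsoft DSM uses to claim all iSCSI devices; for a specific array substitute its vendor/product ID (the 8-character vendor string followed by the 16-character product string, space padded).

```powershell
# Added example, not from the original document. Reports whether an MPIO hardware
# ID is present in MPIOSupportedDeviceList and which DSM(s) list it in their
# DsmSupportedDeviceList, so that a device claimed by two DSMs is caught before
# the host is put into production.

function Get-MpioDsmClaim {
    param([Parameter(Mandatory=$true)][string]$HardwareId)

    $mpdev = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\MPDEV' -ErrorAction SilentlyContinue
    $inMpioList = @($mpdev.MPIOSupportedDeviceList) -contains $HardwareId

    # Any service whose Parameters key carries DsmSupportedDeviceList is a DSM
    # (msdsm for the Microsoft DSM, a vendor service name otherwise).
    $claimingDsms = @()
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $params = Get-ItemProperty (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if ($params -and (@($params.DsmSupportedDeviceList) -contains $HardwareId)) {
            $claimingDsms += $svc.PSChildName
        }
    }

    $status = if (-not $inMpioList)           { 'NotInMpioSupportedDeviceList' }
              elseif ($claimingDsms.Count -eq 0) { 'NoDsmClaimsDevice' }
              elseif ($claimingDsms.Count -gt 1) { 'MultipleDsmsClaimDevice' }
              else                               { 'Ok' }

    New-Object PSObject -Property @{
        HardwareId   = $HardwareId
        InMpioList   = $inMpioList
        ClaimingDsms = $claimingDsms
        Status       = $status
    }
}

# Usage: check the Microsoft DSM's generic iSCSI entry, then every ID MPIO knows.
Get-MpioDsmClaim -HardwareId 'MSFT2005iSCSIBusType_0x9'
$known = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\MPDEV').MPIOSupportedDeviceList
$known | ForEach-Object { Get-MpioDsmClaim -HardwareId $_ } | Where-Object { $_.Status -ne 'Ok' }
```

When a device shows MultipleDsmsClaimDevice, remove it from the DSM that should not own it rather than editing both lists by hand; for the Microsoft DSM the supported way is mpclaim.exe (mpclaim -r -u -d "<HardwareId>" removes the ID and reboots, mpclaim -r -i -d "<HardwareId>" adds it; -n in place of -r suppresses the reboot). Re-run the check after the change, since a vendor DSM installer may re-add its own entries.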
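The dedicated networks in the cluster design list above only stay dedicated if the cluster is told how it may use each one. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft. It uses the FailoverClusters module shipped with Windows Server 2008 R2 to assign a role to each cluster network and to pin the CSV network, which on 2008 R2 is selected by the lowest network metric. The cluster network names in $Roles are assumptions; use the names that Get-ClusterNetwork reports on your cluster.

```powershell
# Added example, not from the original document. Sets and audits failover-cluster
# network roles on a Windows Server 2008 R2 Hyper-V cluster so that the
# management, CSV, Live Migration and iSCSI networks are used only as intended.

Import-Module FailoverClusters

# Role values used by the FailoverClusters module:
#   0 = not used by the cluster (iSCSI / storage networks)
#   1 = cluster communication only (heartbeat, CSV, Live Migration)
#   3 = cluster and client communication (management)
# The VM uplink carries no host address, so it never appears as a cluster network.
$Roles = @{
    'Management'    = 3   # assumed cluster network names
    'Cluster-CSV'   = 1
    'LiveMigration' = 1
    'iSCSI'         = 0
}

function Set-CloudClusterNetworkRoles {
    param([hashtable]$Roles, [string]$CsvNetwork = 'Cluster-CSV')
    foreach ($name in $Roles.Keys) {
        $net = Get-ClusterNetwork -Name $name -ErrorAction SilentlyContinue
        if (-not $net) { Write-Warning "Cluster network '$name' not found"; continue }
        if ($net.Role -ne $Roles[$name]) { $net.Role = $Roles[$name] }
    }
    # 2008 R2 carries CSV redirected I/O and internal cluster traffic over the
    # network with the lowest metric. Giving the CSV network a fixed low metric
    # (and thereby turning off AutoMetric for it) keeps that traffic off the
    # management and Live Migration networks.
    $csv = Get-ClusterNetwork -Name $CsvNetwork -ErrorAction SilentlyContinue
    if ($csv -and $csv.Metric -ne 900) { $csv.Metric = 900 }
}

function Test-CloudClusterNetworkRoles {
    param([hashtable]$Roles)
    Get-ClusterNetwork | ForEach-Object {
        $expected = $Roles[$_.Name]
        New-Object PSObject -Property @{
            Network   = $_.Name
            Address   = "$($_.Address)/$($_.AddressMask)"
            Role      = $_.Role
            Metric    = $_.Metric
            Compliant = ($expected -ne $null -and $_.Role -eq $expected)
        }
    }
}

Set-CloudClusterNetworkRoles -Roles $Roles
Test-CloudClusterNetworkRoles -Roles $Roles | Format-Table Network, Address, Role, Metric, Compliant -AutoSize
```

Any network that reports Compliant = False either has a name not in $Roles (add it deliberately, do not leave it at the default) or has drifted from the intended role. Setting the iSCSI network to role 0 is what keeps cluster heartbeats and CSV traffic off the storage path; it does not affect the parent partition's own iSCSI sessions, which use the adapter directly.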
Hyper-V Guest Virtual Machine Design

Standardization is a key design tenet for VMs. A standardized collection of virtual machine templates can ensure predictable performance and can greatly improve capacity planning. Keep in mind the following best practice when designing virtual machines:

- Use documented, standardized configurations for all VMs, including management and tenant VMs. Standardized, documented VMs ease provisioning and maintenance of virtual machine environments.

The following is a sample virtual machine configuration matrix:

Table 1: Sample virtual machine configuration matrix

Template    Size   Specs                             Network  Operating System        Unit Cost
Template 1  Small  1 vCPU, 2 GB memory, 50-GB disk   VLAN x   Windows Server 2003 R2  1
Template 2  Med    2 vCPU, 4 GB memory, 100-GB disk  VLAN x   Windows Server 2003 R2  2
Template 3  Large  4 vCPU, 8 GB memory, 200-GB disk  VLAN x   Windows Server 2003 R2  4
Template 4  Small  1 vCPU, 2 GB memory, 50-GB disk   VLAN x   Windows Server 2008 R2  1
Template 5  Med    2 vCPU, 4 GB memory, 100-GB disk  VLAN x   Windows Server 2008 R2  2
Template 6  Large  4 vCPU, 8 GB memory, 200-GB disk  VLAN x   Windows Server 2008 R2  4

Virtual Machine Storage

Several factors can affect virtual machine storage. Several storage options are available to virtual machines, and the benefits and drawbacks of each option should be weighed against performance and host storage requirements.

- Implement fixed virtual disks for production VMs. A fixed disk allocates the full size of the disk upon creation and provides better performance and easier monitoring of storage availability. Dynamically expanding disks are also an option for production use, though they carry other risks such as storage oversubscription and fragmentation. Use this type of virtual disk with caution.
- Do not use differencing disks for production server workloads.
- Use pass-through disks only in cases where you require absolute maximum performance and the loss of features, such as snapshots and portability, is acceptable. Note that since the performance difference between pass-through and fixed disks is minimal, there are very few scenarios where pass-through disks are required.
- When using iSCSI within a VM, ensure that a separate virtual network is used for access to the iSCSI storage. If the VM iSCSI network is shared with regular Ethernet traffic, implement quality of service (QoS) to provide performance guarantees to the different networks.
- Consider using jumbo frames within the guest VM to improve iSCSI performance.

Virtual Machine Networking

Poor virtual machine networking design can severely affect virtual machine performance. Architects should give careful consideration when planning how virtual machines communicate with each other, with the host, and with external networks. Hyper-V provides three types of virtual networks to VMs:

- Private network: Provides communication between virtual machines only.
- Internal network: Provides communication between the host server and virtual machines.
- External network: Provides communication between a virtual machine and a physical network by creating an association to a physical network adapter on the host server.

Keep the following recommendations in mind when configuring virtual machine networking:

- Always use synthetic virtual network adapters when possible.
- Use emulated (legacy) network adapters only for unsupported guest operating systems or in special circumstances, such as when the guest VM needs to boot from the Pre-Boot Execution Environment (PXE).
- For private cloud scenarios, use one or more external networks per VM. Segregate the networks with VLANs and other network security infrastructure as needed.

Virtual Processors

Hyper-V supports a maximum ratio of eight virtual processors (VPs) per logical processor. A logical processor is a processor core, or hardware thread, accessible by the host operating system or parent partition. For example, with Intel Hyper-Threading, each thread is considered a logical processor.
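The 8:1 supported maximum stated above and the 2.75:1 production target recommended in the list that follows are both ratios of running virtual processors to logical processors, which the hypervisor exposes directly through performance counters. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft. It counts the counter instances that Hyper-V on Windows Server 2008 R2 creates per logical processor and per guest virtual processor, and it checks a planned template mix against both limits, including the case where one cluster node is down. The template counts and host sizes in the usage line are constructed.

```powershell
# Added example, not from the original document. Measures the running VP:LP
# ratio of a Hyper-V host from hypervisor performance counters, and checks a
# planned template mix against the 2.75:1 target and the 8:1 supported maximum.

function Test-ProcessorRatio {
    param([int]$VirtualProcessors, [int]$LogicalProcessors,
          [double]$Target = 2.75, [double]$Maximum = 8.0)
    if ($LogicalProcessors -le 0) { throw 'LogicalProcessors must be positive' }
    $ratio = [math]::Round($VirtualProcessors / $LogicalProcessors, 2)
    $state = if ($ratio -gt $Maximum) { 'Unsupported' }
             elseif ($ratio -gt $Target) { 'OverTarget' }
             else { 'Ok' }
    New-Object PSObject -Property @{
        VirtualProcessors = $VirtualProcessors
        LogicalProcessors = $LogicalProcessors
        Ratio             = $ratio
        State             = $state
    }
}

# Live measurement. One counter instance exists per logical processor and per
# running guest VP; the root partition's VPs are in a separate counter set and
# so are not counted. The '_total' instance is excluded.
function Get-HyperVProcessorRatio {
    $lp = @((Get-Counter '\Hyper-V Hypervisor Logical Processor(*)\% Total Run Time').CounterSamples |
            Where-Object { $_.InstanceName -ne '_total' })
    $vp = @((Get-Counter '\Hyper-V Hypervisor Virtual Processor(*)\% Total Run Time').CounterSamples |
            Where-Object { $_.InstanceName -ne '_total' })
    Test-ProcessorRatio -VirtualProcessors $vp.Count -LogicalProcessors $lp.Count
}

# Capacity planning. $TemplateMix maps vCPUs per template to the number of VMs
# of that template. The failover case assumes every VM must keep running on
# NodeCount - 1 hosts, which is the ratio that actually matters in a cluster.
function Test-PlannedProcessorRatio {
    param([hashtable]$TemplateMix, [int]$LogicalProcessorsPerNode, [int]$NodeCount)
    $totalVp = 0
    foreach ($vcpu in $TemplateMix.Keys) { $totalVp += [int]$vcpu * [int]$TemplateMix[$vcpu] }
    New-Object PSObject -Property @{
        TotalVirtualProcessors = $totalVp
        AllNodesUp             = Test-ProcessorRatio $totalVp ($LogicalProcessorsPerNode * $NodeCount)
        OneNodeDown            = Test-ProcessorRatio $totalVp ($LogicalProcessorsPerNode * ($NodeCount - 1))
    }
}

# Constructed planning input: 40 small (1 vCPU), 40 medium (2 vCPU) and 30 large
# (4 vCPU) template VMs on a 4-node cluster of 2-socket, 6-core, Hyper-Threaded
# hosts (24 logical processors each).
$plan = Test-PlannedProcessorRatio -TemplateMix @{ 1 = 40; 2 = 40; 4 = 30 } -LogicalProcessorsPerNode 24 -NodeCount 4
$plan.AllNodesUp
$plan.OneNodeDown
```

Run Get-HyperVProcessorRatio on each host from an elevated prompt to compare the measured ratio with the plan. A mix that is within target with all nodes up but OverTarget with one node down is the common trap: the cluster will still fail the VMs over, but every tenant on the surviving nodes sees the contention.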
The following table shows the number of virtual processors supported by guest operating systems:

Table 2: Number of virtual processors supported by guest operating systems

Supported Operating System                                   1 VP  2 VP  4 VP
Windows Server 2008 R2                                        x     x     x
Windows Server 2003 x86/x64 with SP2                          x     x
Windows 2000 Server and Windows 2000 Advanced Server SP4      x
Windows HPC Server 2008                                       x     x     x
SUSE Linux Enterprise Server 10 and 11 x86/x64                x     x     x
Red Hat Enterprise Linux 5.2, 5.3, 5.4 x86/x64                x     x     x
Windows 7 x86/x64                                             x     x     x
Windows Vista x86/x64 with SP1                                x     x
Windows XP Professional x64 with SP2 and x86 with SP3         x     x
Windows XP Professional x86 with SP2                          x

The following are virtual processor best practices for creating VM templates:

- Use a virtual-to-logical processor ratio of approximately 2.75 to 1 for production server workloads.
- Do not exceed the Hyper-V maximum supported ratio of 8 virtual processors to 1 logical processor.

Management Architecture

The private cloud management layer is made up of the tools, systems, and networks that are used to deploy and manage the virtual infrastructure. In most cases, this consists of a variety of different toolsets for managing hardware, software, and applications. Many of these tools can be run in virtual machines and should be deployed on a dedicated management infrastructure that is separate from the production virtual environment.

Microsoft provides a number of technologies that can be used to manage the private cloud architecture. These include:

- Microsoft SQL Server 2008 SP1
- System Center Virtual Machine Manager (VMM) 2008 R2
- Microsoft System Center Operations Manager 2007 R2
- Windows Server Update Services
- Microsoft System Center Configuration Manager
- Virtual Machine Servicing Tool (VMST)
SQL Server 2008 SP1

The majority of Microsoft management tools are database-driven applications. Therefore, a highly available, high-performance database infrastructure is critical to the overall management of the environment. Microsoft recommends the following SQL Server VM configuration:

- SQL Server running on two VMs placed on separate Hyper-V hosts. The VMs are not configured as highly available at the Hyper-V level; the cluster vNIC and quorum LUN below indicate that availability comes from a SQL Server failover cluster between the two guests.
- Windows Server 2008 R2 Enterprise edition
- 4 vCPUs
- 8 GB RAM (do not configure as dynamic memory)
- 3 vNICs:
  - 1 vNIC for client connections
  - 1 vNIC for cluster communications
  - 1 vNIC for iSCSI
- VM storage:
  - 1 operating system virtual hard disk (VHD)
  - 3 dedicated iSCSI LUNs

The following tables show how SQL data should be organized:

Table 3: SQL data configuration

LUN                 Purpose              Size
LUN 1, CSV volume   VM operating system  30-GB VHD
LUN 2, iSCSI        SQL databases        Varies based on implementation
LUN 3, iSCSI        SQL logging          Varies based on implementation
LUN 4, iSCSI        SQL cluster quorum   1-GB LUN

Client    Instance Name  Database Name    Authentication
VMM SSP   <Instance 1>   <SCVMMSSP>       Windows authentication
WSUS      <Instance 1>   <WSUS_DB>        Windows authentication
Ops Mgr   <Instance 1>   <Ops Mgr_DB>     Windows authentication
Ops Mgr   <Instance 2>   <Ops Mgr_DW_DB>  Windows authentication
VMM       <Instance 1>   <VMM_DB>         Windows authentication
System Center Virtual Machine Manager 2008 R2

Microsoft System Center Virtual Machine Manager (VMM) 2008 R2 facilitates centralized management of physical and virtual IT infrastructure, increased server utilization, and dynamic resource optimization across multiple virtualization platforms. It includes end-to-end capabilities that let administrators plan, deploy, manage, and optimize the virtual infrastructure.

In a Microsoft private cloud environment, VMM is used to manage only Hyper-V Cloud Fast Track hosts and guests in a single data center. No additional virtualization should be managed by VMM.

The following are best practices for deploying VMM in a private cloud environment:

- Implement VMM on a dedicated VM and use a remote SQL Server 2008 instance.
- Place the VMM library on a dedicated, high-performance VHD or pass-through disk.
- Integrate VMM with Microsoft Operations Manager 2007. Performance and Resource Optimization (PRO) must be used with automatically implemented tips.

Server Configuration

Microsoft recommends the following VMM configuration:

- System Center Virtual Machine Manager 2008 R2 running on 1 highly available VM
- Windows Server 2008 R2
- 2 vCPUs
- 4 GB memory
- 1 vNIC
- VM storage:
  - 1 operating system VHD
  - 1 data VHD or pass-through volume

VMM Roles

VMM requires the following roles:

- VMM server
- Administrator console
- Command shell
- VMM library
- Remote SQL Server database

VMM is also integrated with Operations Manager 2007 to monitor the health and availability of the hosts and virtual machines and to monitor the health and availability of the VMM server, database server, library servers, and self-service web servers. For more information on integrating VMM with Operations Manager, visit http://technet.microsoft.com/en-us/library/cc956099.aspx.
VMM Library Placement

Libraries are where VM-related items such as VM templates, VHDs, and ISO image files are stored. The library share resides on the VMM server; however, the share should be placed on its own logical partition and corresponding VHD or pass-through disk whose underlying disk subsystem is powerful enough to service the provisioning demands.

Performance and Resource Optimization

Performance and Resource Optimization (PRO) is a feature of System Center Virtual Machine Manager 2008 that makes possible dynamic management of virtualized infrastructure. PRO migrates virtual machines that reach specific resource usage thresholds. When a virtual machine reaches a certain threshold, VMM migrates the VM to another host, a host in a host group, or a host cluster that is running the same virtualization software. VMM takes action on a VM when it receives PRO tips, and migrations are performed in the order in which the PRO tips are received.

System Center Operations Manager 2007 R2

Microsoft System Center Operations Manager 2007 R2 is used by VMM to monitor the health and availability of the virtual machines and virtual machine hosts that VMM is managing. VMM also uses Operations Manager to monitor the health and availability of the VMM server, database server, library servers, and self-service web servers and to provide diagram views of the virtualized environment in the VMM Administrator Console.

The following are best practices for deploying System Center Operations Manager 2007 R2 in a private cloud environment:

- Implement Operations Manager on a dedicated VM, and use a remote SQL Server 2008 instance.
- Integrate Operations Manager with VMM.
- Use System Center Virtual Machine Manager and Operations Manager reporting.

Server Configuration

Microsoft recommends the following System Center Operations Manager server configuration:

- System Center Operations Manager running on 1 highly available VM
- Windows Server 2008 R2
- 2 vCPUs
- 4 GB memory
- 1 vNIC
- Storage: 1 operating system VHD

Operations Manager Roles

Operations Manager requires the following roles:

- Root Management Server
- Reporting Server, with the database residing on a remote SQL Server instance
- Data Warehouse, with the database residing on a remote SQL Server instance
- Operator Console
- Command Shell

Management Packs

Operations Manager deployed in a private cloud environment requires the following Operations Manager management packs:

- Virtual Machine Manager 2008 R2
- Windows Server Base Operating System
- Windows Server Failover Clustering
- Windows Server 2008 Hyper-V
- Microsoft SQL Server Management Pack
- Internet Information Services (IIS) 2000/2003/2008
- System Center management packs (MPs)
- Server original equipment manufacturer (OEM) third-party MPs

Reporting

Integrating Operations Manager with VMM provides the following reports. In addition, the Operations Manager management packs contain many additional reports.

- Virtualization candidates: Identify physical computers that are good candidates for conversion to VMs using server performance metrics available in Operations Manager.
- VM utilization: Report resource utilization by virtual machine, and report under-utilized or over-utilized virtual machines.
- VM allocation: Calculate chargeback to cost centers, and report CPU, memory, disk, and network usage.
- Host utilization: Report the number of virtual machines running on each host. Report average usage and total or maximum values for processors, memory, and disk space.
- Host utilization growth: Report the percentage of change in resource usage and the number of running VMs.

Windows Server Update Services

Windows Server Update Services (WSUS) lets information technology administrators deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.
For more information, refer to the Microsoft Windows Server Update Services 3.0 SP2 Deployment Guide, available at http://www.microsoft.com/downloads/en/details.aspx?familyid=113d4d0c-5649-4343-8244-e09e102f9706&displaylang=en.

System Center Configuration Manager

System Center Configuration Manager 2007 R2 comprehensively assesses, deploys, and updates servers, client computers, and devices across physical, virtual, distributed, and mobile environments. Optimized for Windows, it is the best choice for gaining enhanced insight into and control over IT systems. For more information, refer to the Configuration Manager Planning and Deployment Overview, available at http://technet.microsoft.com/en-us/library/bb693806.aspx.

Virtual Machine Servicing Tool

Microsoft Virtual Machine Servicing Tool (VMST) 3.0 helps customers reduce IT costs by making it easier to update their offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches, so that a VM deployed from a stored template does not come online carrying vulnerabilities that were patched after the template was created. Version 3.0 of the tool works with System Center Virtual Machine Manager 2008 R2, System Center Configuration Manager 2007 SP2, and Windows Server Update Services 3.0 SP2. The tool also supports updating the Windows 7 and Windows Server 2008 R2 operating systems. For more information, refer to the VMST 3.0 documentation, available at http://technet.microsoft.com/en-us/library/cc501231.aspx.

Backup and Disaster Recovery

A private cloud environment uses three common backup methods: host based, guest based, and SAN based.
The following table compares the three common backup methods.

Table 4: Backup method comparison

| Capability | Host Based | Guest Based | SAN Snapshot |
|---|---|---|---|
| Protection of VM configuration | X | | X* |
| Protection of host and cluster configuration | X | | X* |
| Protection of virtualization-specific data such as VM snapshots | X | | X |
| Protection of data inside the VM | X | X | X |
| Protection of data inside the VM stored on pass-through disks | | X | X |
| Support for VSS-based backups for supported operating systems and applications | X | X | X* |
| Support for Continuous Data Protection | X | X | |
| Ability to granularly recover specific files or applications inside the VM | | X | |

* Depends on the storage vendor's level of Hyper-V integration.

The following are best practices for backup and disaster recovery in a private cloud environment:
- The backup solution should support the Hyper-V Volume Shadow Copy Service (VSS) writer for host-based backup.
- Backup storage should be separate from the SAN. SAN snapshot technology can be used in conjunction with a mechanism to move the backup off the production SAN.
- The backup solution should have the capability to restore individual files from the VM backup.
- The backup solution should have application awareness.

Orchestration

The orchestration layer is the critical interface between the IT organization and its infrastructure. Ideally, it provides a graphical interface in which complex workflows consisting of events and activities across multiple management-system components can be combined to form an end-to-end IT business process, such as automated patch management or automatic power management. The orchestration layer must provide the ability to design, test, implement, and monitor these IT workflows.

Microsoft Opalis

Microsoft Opalis is an automation platform for orchestrating and integrating IT tools to drive down the cost of data center operations while improving the reliability of IT processes. It lets IT organizations automate best practices, such as those found in Microsoft Operations Framework (MOF) and Information Technology Infrastructure Library (ITIL). Opalis achieves this through workflow processes that coordinate System Center and other management tools to automate incident response, change and compliance, and service life-cycle management processes.
Through its workflow designer, Opalis automatically shares data and initiates tasks in System Center Operations Manager, System Center Configuration Manager, System Center Service Manager, Virtual Machine Manager, Active Directory, and third-party tools. Opalis workflow automates IT infrastructure tasks, while System Center Service Manager workflow automates human workflow. The combined offering ensures repeatable, consistent results by removing the latency associated with manual coordination of service delivery. System Center and Opalis make integration, efficiency, and business alignment of data center IT services possible by:
- Automating cross-silo processes and enforcing best practices for incident, change, and service life-cycle management.
- Reducing unanticipated errors and service delivery time by automating tasks across vendor and organization silos.
- Integrating System Center with non-Microsoft tools to make interoperability possible across the data center.
- Orchestrating tasks across systems for consistent, documented, compliant activity.

Security Considerations

Microsoft Hyper-V was designed to minimize the attack surface of the virtual environment. The hypervisor itself is isolated to a microkernel, independent of third-party drivers. Host portions of the Hyper-V activities are isolated in a parent partition, separate from each guest. The parent partition itself is a virtual machine. Each guest virtual machine operates in its own child partition.

In addition to the usual security best practices for physical servers, the following are recommended security best practices for a Hyper-V environment:
- Consider using domain isolation with IP Security (IPsec) for both hosts and guests.
- Secure the communications between the Hyper-V server and its administrators and users.
Host Operating System Configuration

- Use a Windows Server 2008 R2 Server Core installation for the management operating system.
- Keep the management operating system up to date with the latest security updates.
- Use a separate network with a dedicated network adapter for the management operating system of the physical Hyper-V computer.
- Secure the storage devices where you keep virtual machine resource files.
- Harden the management operating system using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
- Configure any real-time scanning antivirus software components installed on the management operating system to exclude Hyper-V resources.
- Do not use the management operating system to run applications.
- Do not grant virtual machine administrators permission on the management operating system.
- Use the security level of your virtual machines to determine the security level of your management operating system.
- Use Windows BitLocker Drive Encryption to protect resources. Note that Windows BitLocker does not work with Failover Clustering.

Virtual Machine Configuration

- Configure virtual machines to use fixed virtual disks.
- Store virtual disks and snapshot files in a secure location.
- Decide how much memory to assign to a virtual machine.
- Impose limits on processor usage.
- Configure the virtual network adapters of each virtual machine to connect to the correct type of virtual network to isolate network traffic as required.
- Configure only required storage devices for a virtual machine.
- Harden the operating system running in each virtual machine according to the server role it performs, using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
- Configure antivirus, firewall, and intrusion-detection software within virtual machines based on server role.
- Ensure that virtual machines have all the latest security updates before the virtual machines are turned on in a production environment.
- Ensure that your virtual machines have integration services installed.

For more information regarding Hyper-V security, please see the Hyper-V Security Guide, available at http://www.microsoft.com/downloads/en/details.aspx?familyid=2220624b-a562-4e79-aa69-a7b3dffdd090&displaylang=en.
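The host and virtual machine checklists above can be audited rather than read. The script below is an added example, not part of the Microsoft paper, that reports which VMs on the local Hyper-V host deviate from the fixed-disk, processor-limit, virtual-switch and integration-services guidance, and whether the management operating system is a Server Core installation. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; the 2008 R2 hosts the paper targets expose the same data only through WMI or the VMM cmdlets) and an assumed, site-specific list of approved virtual switch names.

```powershell
# Added example, not from the Microsoft paper: audit the local Hyper-V host and its VMs
# against the "Host Operating System Configuration" and "Virtual Machine Configuration"
# guidance. Assumes the Hyper-V PowerShell module (Windows Server 2012 or later).
$ApprovedSwitches = @('Production', 'Management')   # assumed site-specific switch names

function Test-HostIsServerCore {
    # The paper recommends a Server Core installation for the management operating system
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    (Get-ItemProperty -Path $key).InstallationType -eq 'Server Core'
}

function Test-VMBaseline {
    param([Parameter(Mandatory)] $VM)
    $findings = New-Object System.Collections.Generic.List[string]

    # Fixed virtual disks: dynamic or differencing VHDs can grow until the host volume fills
    foreach ($drive in Get-VMHardDiskDrive -VM $VM) {
        if (-not $drive.Path) { continue }              # pass-through disk, no VHD to inspect
        $vhd = Get-VHD -Path $drive.Path
        if ($vhd.VhdType -ne 'Fixed') {
            $findings.Add("Disk $($drive.Path) is $($vhd.VhdType), not Fixed")
        }
    }

    # Processor limit: a 100% maximum lets one guest starve its neighbours on the host
    $cpu = Get-VMProcessor -VM $VM
    if ($cpu.Maximum -ge 100) { $findings.Add('No processor usage limit set') }

    # Every virtual network adapter must sit on an approved virtual switch
    foreach ($nic in Get-VMNetworkAdapter -VM $VM) {
        if ($nic.SwitchName -notin $ApprovedSwitches) {
            $findings.Add("Adapter '$($nic.Name)' connected to switch '$($nic.SwitchName)'")
        }
    }

    # Integration services installed and current (empty when the guest does not report)
    if ($VM.IntegrationServicesState -ne 'Up to date') {
        $findings.Add("Integration services state: '$($VM.IntegrationServicesState)'")
    }

    [pscustomobject]@{
        VM        = $VM.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

"Management OS is Server Core: $(Test-HostIsServerCore)"
Get-VM | ForEach-Object { Test-VMBaseline -VM $_ } | Format-List
```

Run it in an elevated session on the Hyper-V host; each non-compliant VM is listed with the specific checklist item it misses.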
Conclusion

Microsoft private cloud provides agility and cost-savings benefits to service providers and users. By following the recommended best practices for deploying the private cloud software infrastructure outlined in this document, service providers can achieve higher levels of service, increased cost savings, and the computing resource elasticity and high availability customers demand.