My ramblings on the stuff that holds it all together
TechEd EMEA 2008 IT Pro – Day 2
Today was a full compliment of sessions, with some good sessions on Hyper V, Windows 2008 failover clustering and Forefront.
Steve Riley started off the day with a session on virtualization and security, whilst pretty high-level without getting into too many specifics he did a good job of expressing Microsoft’s view on Hyper V security.
the key points for me were;
- Each VM has a 1:1 connection to the hypervisor; there is no sharing of memory or VM-bus connections.
- Microsoft will not be opening the hypervisor kernel to 3rd party developers to provide IPS/IDS/malware type functionality as other vendors are (i.e VMWare) as they believe this to be a more flexible approach (despite being panned by analysts over this).
- The interfaces to/from enlightenments are well documented and public, no security by obscurity.
Then there was a session on Hyper V architecture, where Jeff Woolsey demonstrated building virtual machines.
There were some cost comparisons between VMWare and Hyper V; I’ve skipped over these as like any vendor the numbers were somewhat skewed.. you can easily make your own comparisons, Hyper V will probably be cheaper – but when you pick the numbers apart they’re not as far away as Microsoft say – VMWare are just as guilty of doing this, so I’ll move on.
Key points for me were;
- IDC say by 2010 there will be just 17% virtualized servers in the world, Microsoft want to drastically increase this
- HyperV comes with Win2008 x64 edition only (std/ent/DC all have the same Hyper V instance – only difference is the RAM/CPU limits in the host OS)
- 1Tb physical memory supported, 64Gb per VM (x64)
- supports 24 logical CPUs and 192 running VMs on a single server
- Hardware AMD-V/HT/DEP is required to run Hyper V
- TAP/RDP/MSIT customers are all running Hyper V – “the red phone never rang” and they didn’t have any critical issues; I’ve participated in TAP programmes in the past and true to their word Microsoft provide excellent, direct developer support to TAP participants.
- Hyper V is running 50% of current microsoft.com; and in middle of HW refresh to complete the change over – 1Bn hits/day that’s impressive.
- MSIT now have a VM 1st policy previous 10-14 day SLA for server provision is now down to minutes/hours – storage provisioning is the only delay internally.
- TechNet.microsoft.com is 100% Hyper V since beta 1M hits/day
- MSDN, 100% Hyper-V 3M hits/day
- Hyper V role – swaps boot WinOS for Hypervisor (slides underneath)
- Hyper V supports standard windows driver model for HV (better than ESX) and more flexible.
- WMI providers for management built in allows remote mmc’s and SCVMM etc.
- I/O is traditionally virtualization biggest headache (with Virtual PC, Virtual Server)
- No emulation for I/O (as per Virtual Server) anymore
- Driver enlightenment is the solution VMBus/Virtual Service Provider [VSP]/Virtual Service Client [VSC]
- VSC – guest OS enlightenment/driver
- VSP – server side driver/assistant
All in, an interesting session; I can see where Microsoft are going with the product and I like it – they have a good end-end solution with the System Centre integration and are heavily pushing this at the moment as the hypervisor is less established than VMWare.
VMWare have some other good complimentary tools like site recovery manager, lab manager, stage/lifecycle manager that Microsoft still have to catch up with, but they’re definitely getting there, for me an equivalent HA/DRS functionality is missing for hyper V in production now and by the time WS2008 R2 is out I would expect ESX4 to debut and move the game on further.
The lack of 3rd party direct integration to the hypervisor disappoints me, to my mind that would prevent some comprehensive IPS and networking solutions (like the Cisco NX1000 vSwitch) although it does keep control entirely in the Microsoft camp.
I attended a good technical session on Windows Server 2008 fail-over cluster troubleshooting, key points for me were;
- Support is now less driven by the HCL. but a configuration validator that ships with Windows, similar to other best-practice analyser tools (exBPA etc.) provides a supported/not support statement; there is a new FCCP programme which certifies vendor solutions for Win2008 clustering – which seems the same as the previous HCL approach. HP were missing from the list of partners, but it is being worked on. otherwise all the usual suspects were there.
- Full validation of a cluster requires downtime as it needs to take disks offline to analyse – which could be a bit of an issue; if you need to make a change you then need to schedule downtime to run the analysers and get the warm and fuzzy supported feeling.
- Microsoft are building a shared clustered file system like ZFS/VMFS
- No longer a requirement to power down/mask a node when adding disks – they don’t auto-mount/signature
- NIC teaming is supported on any interface
- cluster debug logs have moved to the Event Tracing for Windows (ETW) framework – binary format, queried by tools or event viewer.
- No event log replication; cluster manager aggregates log info
- 2008 R2 will supplement cluster.exe with a PowerShell equivalent, and that will be the way forward.
- Cluster Logs are always in local time (as determined by control panel) cluster logs are always in GMT – useful to know!
- configurable debug/informational levels for cluster service
- No cluster service account any more; runs as Local System – excellent.
Finally there was a technical session around the new developments in ForeFront for Exchange/Stirling.
Stirling is a codename for a development of the Antigen acquisition a few years ago into a full security suite – edge/internal protection although multiscan engines and SSL VPN type services, this session focused on the developments for Forefront for Exchange.
Key points for me were;
- Exchange hosted services to provide a MessageLabs equivalent type service – large distributed spam/AV scanning at the network edge, being extended to sync up with on-site Exchange services and infrastructure
- Microsoft are deploying infrastructures in several geographic locations, sometimes to meet local legal/compliance reasons – for example Germany/Canada
- Back-scatter protection – tagging legitimate outbound mail with a rotating cryptographic key, if NDR’s are received from spam sent illegitimately on your behalf they will not have this tag so will be dropped by the spam/AV filter.
- Can sync spam/AV policy between in-house/cloud/hosted Exchange services to keep a uniform protection policy
All in, a good 2nd day, looking forward to day 3.