VMM R2 RC
Overview of System Center Virtual Machine Manager 2008 R2 RC
At a Glance:
- New features in VMM 2008 R2
- Added clustering capabilities
- New Windows PowerShell cmdlets
- Enhanced role-based security
A Quick Introduction
New Features in VMM 2008 R2
The VMM 2008 R2 Console
Virtual Machine Templates and the Self-Service Portal
High Availability—Clustering in VMM 2008 R2
Driving VMM from the Command Line with Windows PowerShell
Integration with Operations Manager 2007
Security in VMM 2008 R2
Server virtualization is fundamentally changing the way IT services are viewed. It’s not hard to imagine a future in which servers are automatically and dynamically created for specific tasks and accessed via virtual network switches, with their data in virtual storage. Such servers might never come in contact with a single printed circuit board or physical CPU. This functionality isn't here yet, but server virtualization is definitely heading in that direction.
When working with server virtualization, most IT professionals quickly realize that the biggest challenge for them isn't understanding the technology. Rather, the main issues they have to confront relate to managing all the virtual machines, such as how to prevent virtual server sprawl, how to keep track of the locations of the servers, how to maintain security and how to convert their current physical servers to the virtual world. Microsoft's answer to managing virtual servers is System Center Virtual Machine Manager 2008 R2, VMM for short. This article explains what VMM does, how it fits into a virtualized datacenter, and what features are expected in the R2 version. This article was written using the Release Candidate (RC) of VMM R2 running on the RC (build 7100) of Windows Server 2008 R2.
A Quick Introduction
VMM manages a virtualized datacenter by controlling Hyper-V hosts, Virtual Server 2005 R2 hosts, and VMware ESX hosts through VMware vCenter Server; VMM can manage multiple vCenter Servers. Although managing Citrix XenServer isn't possible in R2, that capability is on the horizon.
Like all new server applications from Microsoft, VMM 2008 R2 is built entirely on Windows PowerShell. This means you have three ways of interacting with VMM 2008 R2: through the Windows PowerShell command line, the console and the Web-based self-service portal. VMM 2008 R2 also makes the crucial step of physical-to-virtual (P2V) conversion easy with a simple wizard that pushes out a small agent to the server that's going to be virtualized. Also helpful is VMM's Intelligent Placement feature, which suggests the best host for a fresh virtual machine (VM) or for a P2V import, based on server type and load on host machines. Because VMM is part of System Center, specific integration points exist between VMM and System Center Operations Manager 2007 R2. Performance and Resource Optimization (PRO) allows policy-based control of applications and resources for each virtual machine.
VMM 2008 R2 runs only on Windows Server 2008 x64, original or R2. You can run VMM 2008 R2 as a VM, which works fine in smaller installations. You shouldn't start a Quick Migration or a Live Migration from within VMM for the virtual machine that's running VMM, however, because you might get unexpected results and because the VM could crash.
If you run the VMM components on the same server hardware, 2GB to 4GB of RAM (for five to 10 hosts and 11 to 20 hosts, respectively) and a dual core CPU are recommended. If you're going to manage around 150 hosts on the same box, scale the RAM up to 8GB and consider splitting the various roles across several servers. The maximum size of one VMM installation tested is 400 hosts and 8,000 virtual machines. The main concern in large environments is Microsoft SQL Server: VMM needs SQL Server and comes with SQL Server Express built in, but the SQL Server Express database is limited to 4GB. Also, if you want to integrate with Operations Manager 2007 for reporting, you need to use a full version of SQL Server. Both SQL Server 2005 and SQL Server 2008 are supported, either the Standard or Enterprise edition, in 32-bit or 64-bit versions. Other software requirements are Windows PowerShell 1.0 or 2.0, Windows Remote Management (WinRM) 1.1 or 2.0, .NET Framework 3.0 or 3.0 Service Pack (SP) 1, and Internet Information Services (IIS) 7.0 or 7.5, all of which are included in Windows Server 2008 and Windows Server 2008 R2. You also need Windows Automated Installation Kit (WAIK) 1.1, which is included on the VMM 2008 media. VMM needs to be installed in a Windows Server 2003 or Windows Server 2008 domain and can automatically install its agent on hosts in the forest. If you have a stand-alone host in a perimeter network (clustered hosts are not supported in perimeter networks), you can install the VMM agent manually. During the installation, select This Host Is On A Perimeter Network, which lets you enter a key used to encrypt SecurityFile.txt. This file is then copied to the VMM server and used when you add the host.
Roles that can be split across servers are the main VMM server, the console, the database, the self-service portal and the library server. The console can run on both client and server versions of Windows. The library server is nothing more than one or more file shares, and the main requirement is enough disk space to handle storing the virtual machine, Virtual Hard Disk (VHD) and ISO CD/DVD media files required. If you're using failover clustering in Windows Server 2008, these shares (and thus the library) can be made highly available. For geographically distributed corporations, these shares can be stored in branch offices so that virtual machines can be created from local shares rather than being copied over WAN links. VMM indexes the content of library shares once an hour, so if you copy something into a library share outside of VMM it might take up to an hour for it to show up in VMM.
Supported host machines are Virtual Server 2005 R2 SP1 or Virtual Server 2005 R2 x64 SP1 on Windows Server 2003, and Hyper-V on Windows Server 2008 or R2. (VMM flags any missing Hyper-V updates and suggests which Knowledge Base updates to install.) For VMware, either vCenter Server 2.5 or 2.0.1 is supported with ESX Server 3.5, 3.0.2 and 3i. vSphere 4 isn't yet supported. The free, stand-alone Hyper-V server is also supported; the R2 version does away with the limitations in the previous version (no cluster support, maximum 32GB of RAM and 4 CPUs). Hyper-V Server R2 supports host clustering, both Quick Migration and Live Migration, up to 8 quad core CPUs and 1TB of memory.
To check a potential server for hardware and software configuration settings, use the free Virtual Machine Manager 2008 Configuration Analyzer (VMMCA). It doesn't duplicate the prerequisite checks in the setup program but scans either the local machine or a remote machine for optimal configurations for the VMM server role, the administrator console or the self-service portal. Once you've installed VMM, the VMMCA also scans potential Windows-based hosts, vCenter Server and P2V candidates to ensure they are configured correctly.
If you add a new host to VMM that doesn't have Hyper-V (Windows 2008) or Virtual Server 2005 (Windows 2003) installed, VMM automatically installs it.
Small to midsize businesses should seriously consider VMM Workgroup Edition; it supports only five hosts (with unlimited virtual machines), but it's a great deal for the price.
New Features in VMM 2008 R2
The main goal of the new features in VMM 2008 R2 is to support the new Hyper-V features in Windows Server 2008 R2. One new Hyper-V feature is Live Migration, Microsoft's answer to VMware's vMotion, which makes it possible to move a running virtual machine from one cluster host to another with no perceived downtime for clients. Live Migration does require shared storage accessible to all hosts in the cluster because the actual VHD files aren't moved. In the original version of Hyper-V, each VHD had to be stored on a separate logical unit number (LUN), limiting flexibility. Windows Server 2008 R2 Hyper-V introduces Cluster Shared Volumes (CSVs), a feature that allows multiple hosts to access the same shared LUN. VMM takes full advantage of this capability.
Networking also received an overhaul in R2, with the addition of Virtual Machine Queue (VMQ) and TCP Chimney, both of which should improve network performance for virtual machines. Network adapters that support VMQ can create a queue for each virtual network interface card (NIC) and then pipe that queue directly to the virtual machine's memory. This means that packets route directly from the hypervisor to the virtual machine, avoiding processing in the virtualization stack. TCP Chimney has been available in Windows Server since the scalable networking pack for Windows Server 2003, but the TCP offload capability didn't work for virtual machines until Windows Server 2008 R2. TCP calculations are offloaded from the networking stack to a NIC, which, with suitable hardware support, results in increased performance and a lower load on the host CPU.
Another interesting new feature lets you add and remove VHDs from virtual machines while they're running. VMM now supports the Sanbolic clustered file system (CFS), also known as the Melio file system, a popular choice for storage area network (SAN) storage. More important in large environments is the VMM 2008 R2 support for Veritas Storage Foundation 5.1 for Windows (SFW), a solution that gives a holistic view of storage in an enterprise. Direct-attached, iSCSI SAN and Fibre Channel SAN storage are all inventoried; one central console shows the storage connections and usage for each server. An SFW volume is limited to storing one virtual machine in VMM 2008 R2.
The VMM 2008 R2 Console
The VMM 2008 R2 console is similar to consoles in other System Center products. The scope of what you're looking at is in the left pane (Hosts, Virtual Machines, Library, Jobs and Administration). The top half of the middle pane shows a list of objects, depending on the scope and properties for selected objects in the bottom half. The right-hand pane contains actions applicable to the current scope, as shown in Figure 1.
Figure 1 The main VMM console with focus on virtual machines.
Be aware that if you delete a virtual machine in Hyper-V manager, the VHDs are still there—only the configuration is deleted. If you delete a virtual machine through VMM, however, both the configuration and the actual VHDs are deleted. By default, VMM 2008 R2 doesn't allow multiple users to connect to a virtual machine using Virtual Machine Remote Control (VMRC). You can change this setting on the Remote tab of the host properties so that VMRC works in training and demonstration environments. If you have a large number of virtual machines, you can use quick filters to show only the ones that have stopped, paused or failed.
One of my favorite features in VMM 2008 R2 is the Jobs queue (shown in Figure 2), where every task you assign to VMM is listed, along with its status. This is particularly important because some tasks, like P2V, can take several hours. Another great feature of VMM 2008 R2 is the option to view all virtual machines on one or more hosts and their network connections in a visual diagram, as shown in Figure 3.
Figure 2 Jobs queue showing each task and its status.
Figure 3 Diagram of VM hosts and their connections.
Virtual Machine Templates and the Self-Service Portal
The workflow for generating templates to be used in creating virtual machines starts with an existing, deployed virtual machine. When you create a template, the original virtual machine is destroyed, so if you want to keep it, start by cloning it when it's either stopped or saved. Next, create a hardware profile to define the hardware configuration to be applied to the new virtual machine. A guest OS profile establishes the organization name, local administrator password, product keys, time zone, domain membership and operating system. With these components in place, you can combine the baseline virtual machine, the hardware and the guest OS profiles to create a new template. Finally, to create a new virtual machine based on this template, just select the template and a host on which to house the virtual machine. The ability to combine these different components provides a very flexible approach to creating a library of ready-made virtual machines. Keep in mind that file copying from the library can be time-consuming.
Self-service portal users need to install the VMware ActiveX control to access VMware virtual machines, either by enabling Secure Sockets Layer (SSL) on the host machine or by installing the Virtual Infrastructure client on the client machine (which contains the ActiveX control). If you're deploying a virtual machine to a VMware ESX server host, VMM 2008 R2 allows you to select from the VMware port groups defined on the virtual switches. A port group is a set of parameters that identifies a particular network connection (namely, VLAN IDs); by having this defined, a virtual machine that is transferred from one host to another will find exactly the same network configuration on its new ESX host.
One task as important in the virtual world as in the physical world is patching. Whereas physical production servers are rarely offline for any length of time, however, virtual servers are often used for specific, intermittent tasks or at peak load times and then turned off. This difference means that virtual servers might be out of date when they are brought online and thus a security risk. To make sure your virtual machines receive the necessary updates, you can use the free Microsoft Offline Virtual Machine Servicing Tool 2.0.1. This tool automatically starts servers stored in the library, downloads any updates from Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) and then returns the servers to the library.
You can do a P2V conversion while the target system is online, provided it has Volume Shadow Copy Service. So operating systems from Windows Server 2003 and after, including Windows Vista and Windows XP, support online P2V conversions. With Windows 2000 Server, P2V conversions are done offline: the server is rebooted into Windows PE and then uploaded to the designated host.
For online P2V conversions, a small agent is pushed out to the target system. The agent inventories the system and presents any issues that need to be addressed before the conversion process starts. You also have to define which volumes to convert to VHD files; as always, fixed-size VHDs are preferable to dynamic ones in a production environment. Once you define which virtual network(s) to connect the server to and where to host the new virtual machine, the transfer begins. The Convert Physical Server Wizard is much easier to use than the original Virtual Server Migration Toolkit. I've found it a dream to work with and very reliable. Remember that you can do a P2V conversion on a virtual machine if, for example, you want to move a virtual machine from an ESX host to a Hyper-V host. You can also use the Migrate task to convert VMware virtual machines to be hosted on a Hyper-V or Virtual Server host.
Selecting the best host machine for a particular virtual machine depends on several factors, including the workload and performance requirements of the virtual machine as well as the other virtual machines on the host. VMM 2008 R2 helps you match virtual machines to hosts with Intelligent Placement, which takes into account performance data from the virtual machine (and if you've integrated with Operations Manager 2007, historical data as well) and then rates each available host with 1 star to 5 stars to make it easy for you to choose the best host. VMM uses two different algorithms for this evaluation: resource maximization (fill up each host in turn with as many virtual machines as can comfortably run there) and load balancing (spread virtual machines among hosts). Intelligent Placement takes into account processor and memory usage as well as disk and network data.
High Availability—Clustering in VMM 2008 R2
Once an expensive exercise for specific workloads in enterprise environments, clustering and high availability have now become commonplace in many businesses. And they become crucial with server virtualization: if one physical server goes down, that's bad; but if a host with 20 virtual machines goes down, that's a "time to look for a new job" disaster. Hence, don't even consider a virtualized datacenter without planning for clustering. Fortunately, creating clusters has become much easier in Windows Server 2008, and the availability of reasonably priced iSCSI shared storage puts this technology in reach of even small businesses. In writing this article, I realized I needed to build a small cluster to really test VMM. An old Windows Server 2003 machine with free iSCSI target software from Starwind (limited to 2TB), along with some cheap gigabit NICs and a five-port switch created my SAN. Then it was just a matter of adding two Windows Server 2008 R2 Enterprise boxes and installing Hyper-V and clustering. I now had my very own highly available datacenter.
Jose Barreto's blog gives step-by-step instructions for setting up different types of clusters, including how to use Windows Storage Server 2008 x64, which used to be available only to OEMs but recently has been offered to TechNet Plus and MSDN subscribers. It includes Microsoft's iSCSI target software, another option for setting up a SAN quickly.
If you need to work on the hardware of a particular host in a cluster or apply updates, you can now place a host in maintenance mode. If Live Migration is available, you can elect to evacuate all highly available virtual machines to other hosts in the cluster; other virtual machines are placed in a saved state. You can also choose to save the state of all virtual machines. While a host is in maintenance mode, you can't create new virtual machines on the host, and the host doesn't show up as available during VM placement. Be aware that when you take the host out of maintenance mode, virtual machines aren't automatically moved back to the host if they were migrated using Live Migration—neither are virtual machines that are in a saved state started.
Moving a virtual machine from one host to another poses an interesting issue: What if the CPU models are different? The operating system inside the virtual machine would have "adapted" to a particular set of available CPU instructions; when moved to a different environment, it could very well crash when it discovers that the CPU is different. The original version of Hyper-V overcame this problem by requiring that each host in the cluster have an identical processor. VMM 2008 R2 has a new setting to limit the CPU features for migration. This setting allows VM movement between hosts within the same processor brand (Intel or AMD), but not between brands.
Another new clustering feature in VMM 2008 R2 is SAN migration. When you migrate a virtual machine into a cluster, VMM checks that each node can see the LUN and automatically creates a cluster disk resource for the LUN. If a virtual machine is stored on a dedicated LUN in a SAN, you can choose to migrate it from the SAN. Migrating into a cluster makes sense in a test environment where you can set up a virtual machine as a separate host and perform updates and configuration before moving it into production in a SAN. VMM 2008 R2 also adds support for LUN masking so that each iSCSI target can have multiple LUNs, which means more iSCSI SANs should work with VMM.
Quick Storage migration is another addition to VMM R2. It allows you to move the VHDs associated with a virtual machine from any storage to any other storage visible to your Hyper-V hosts with minimal downtime on Windows Server 2008 R2. This addition brings the total number of migration types in VMM 2008 R2 to seven, as shown in Figure 4.
Figure 4 Migration Types in VMM 2008 R2
|Migration type|Platform|Downtime|
|---|---|---|
|Quick Migration|Hyper-V in Windows 2008 or 2008 R2 clusters|VM state is saved for transfer—generally about 1 minute downtime|
|Live Migration|Hyper-V R2|No service interruption|
|vMotion|ESX 3.0/3.5|No service interruption|
|SAN Migration|Virtual Server, Hyper-V|VM state is saved for transfer—generally about 1 minute downtime|
|Network based / LAN migration|Virtual Server, Hyper-V, ESX|In Windows 2003/2008 this can take minutes to hours, in 2008 R2 the downtime is about 1 minute|
|Storage vMotion|ESX 3.5|No service interruption|
|Quick Storage Migration|Hyper-V R2|VM state is saved for transfer—generally about 1 minute downtime|
Driving VMM from the Command Line with Windows PowerShell
There are over 170 VMM-specific cmdlets, and everything you can do in the GUI you can also do from the command line. In VMM 2008 R2, file transfers in and out of the library (over the BITS 2.5 protocol) are always encrypted using SSL; in R2, you can improve performance by using the AllowUnencryptedTransfers option with both the Set-LibraryServer and Set-VMHostGroup cmdlets or by setting the option in the GUI. If both the host and the library servers are set to allow it, file transfers are unencrypted. In a high-security environment, you should allow unencrypted file transfers only if your environment is protected by another technology, such as Internet Protocol security (IPSec). If the library share is stored on a host server, local file transfers on the same server are never encrypted.
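The following audit script is an added example, not code from the article or from Microsoft: it lists every host group and library server pair where both ends allow unencrypted transfers, flags library servers that are also hosts, and can switch the setting back off. The VMM server name is a placeholder, and the `Name` and `AllowUnencryptedTransfers` object properties are assumed to mirror the cmdlet parameter named in the text.

```powershell
# Added example (not from the article). Requires Windows PowerShell 2.0.
# Assumptions: 'vmm01.example.test' is a placeholder VMM server name, and the
# objects returned by Get-VMHostGroup / Get-LibraryServer / Get-VMHost expose
# Name and AllowUnencryptedTransfers properties matching the cmdlet parameter.
param([switch]$Remediate)

Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction Stop
Get-VMMServer -ComputerName 'vmm01.example.test' | Out-Null

function Get-UnencryptedTransferPath {
    param($HostGroups, $LibraryServers)
    # A transfer skips SSL only when BOTH the host group and the library
    # server allow it, so report only the pairs where both flags are set.
    foreach ($hg in $HostGroups) {
        if (-not $hg.AllowUnencryptedTransfers) { continue }
        foreach ($lib in $LibraryServers) {
            if ($lib.AllowUnencryptedTransfers) {
                New-Object PSObject -Property @{
                    HostGroup     = $hg.Name
                    LibraryServer = $lib.Name
                }
            }
        }
    }
}

$hostGroups = @(Get-VMHostGroup)
$libraries  = @(Get-LibraryServer)

# 1. Pairs whose library traffic can cross the network without SSL.
$paths = @(Get-UnencryptedTransferPath $hostGroups $libraries)
if ($paths.Count -gt 0) {
    Write-Warning "$($paths.Count) host group / library pair(s) allow unencrypted transfers"
    $paths | Format-Table HostGroup, LibraryServer -AutoSize
}

# 2. Library servers that are also hosts: transfers that stay on that
#    machine are never encrypted, whatever the setting says.
$hostNames = @(Get-VMHost | ForEach-Object { $_.Name })
$libraries | Where-Object { $hostNames -contains $_.Name } | ForEach-Object {
    Write-Warning "Library server $($_.Name) is also a host; local transfers are unencrypted"
}

# 3. Optional: require SSL again on every object that had it relaxed.
if ($Remediate) {
    $libraries | Where-Object { $_.AllowUnencryptedTransfers } | ForEach-Object {
        Set-LibraryServer -LibraryServer $_ -AllowUnencryptedTransfers $false | Out-Null
    }
    $hostGroups | Where-Object { $_.AllowUnencryptedTransfers } | ForEach-Object {
        Set-VMHostGroup -VMHostGroup $_ -AllowUnencryptedTransfers $false | Out-Null
    }
}
```

Run it without `-Remediate` first to review the report; because both ends must allow it, clearing the flag on either the library servers or the host groups is enough to bring SSL back for a given pair.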
Another pair of new cmdlets, Enable-VMHost and Disable-VMHost, put a host in and out of maintenance mode. You use the new MoveWithinCluster parameter when putting a host into maintenance mode to migrate all highly available virtual machines on the host to another host in the same cluster. The LimitCPUForMigration option is used with the New-HardwareProfile, Set-HardwareProfile, New-VM, Set-VM and Set-Template cmdlets to enable moving virtual machines between hosts with different CPU models. The View Script button, available at the end of every wizard in VMM, now opens the script in Notepad, allowing for easy editing and saving.
Another new option in VMM 2008 R2 is rapid provisioning, which uses the template from the library but a local VHD file on the host (or a cloned VHD in a SAN) where you're creating the new virtual machine. This option is available only from the command line with the new UseLocalVirtualHardDisk parameter for New-VM. Two new Windows PowerShell scripts are included for this task: RapidProvisionVM.ps1 and RapidProvisionVMwithAnswerFile.ps1.
Integration with Operations Manager 2007
You need Operations Manager 2007 or Operations Manager 2007 R2 to enable the following functionality in VMM 2008 R2:
- Health monitoring for virtual machines and hosts
- Diagram views of the virtualized environment
- Performance and Resource Optimization (PRO)
- VMM reporting
PRO is implemented through special PRO-enabled management packs (MPs) that collect data about virtual machines, hosts, and applications, as well as hardware performance, to identify opportunities to optimize the virtual environment. Each host and virtual machine also needs to have the Operations Manager 2007 agent installed. Any alert that targets a PRO class generates a PRO tip in VMM; you can configure these tips for automatic or manual implementation. The VMM 2008 MP, which brings with it basic PRO functionality, is installed automatically when you run the Configure Operations Manager option. For PRO integration to work properly, you must enable remote running of scripts in Windows PowerShell on each Operations Manager 2007 management server.
Security in VMM 2008 R2
VMM 2008 R2 takes a role-based approach to security with three predefined roles: Administrator, Delegated Administrator and Self-Service User. Each role has a profile that defines the set of available operations it can perform. These roles are then applied to a scope of objects and Active Directory user accounts, and groups are assigned to each role.
The Administrator role can perform all actions on all objects; at least one administrator should be a member of this role. A Delegated Administrator has full administrator rights on all objects in the scope defined by the host groups and library servers assigned to the role. A Delegated Administrator can't, however, modify VMM global settings or add or remove members of the Administrator role, and doesn't have access to the self-service portal. When designing security around VMM, you should use the Delegated Administrator role extensively; ideally, only one or a few accounts need to be full Administrators.
Self-Service Users can manage their own virtual machines through the Web portal with a simplified view of only their own virtual machines visible and a specific set of actions they can perform. Available actions you can assign are Create, Start, Stop, Pause and Resume, Checkpoint, Remove, Local Administrator, Remote Connection and Shut Down (see Figure 5). Interestingly, Self-Service Users can also have access to Windows PowerShell to control their virtual machines. As in earlier versions of VMM, each VM template can be assigned a specific cost (given that some virtual machines likely use significantly more resources than others) and each Self-Service User can be given a quota. The cost applies whether or not the virtual machine is running, but storing a virtual machine in the library means that its cost no longer applies to the user's quota. A Self-Service User can also transfer ownership of a virtual machine to another user who is a member of the Self-Service User role.
Figure 5 Available actions for self-service users.
When a Self-Service User deploys a virtual machine, it's automatically assigned to a host; end users have no visibility into this process, nor do they see where the actual ISO and template files available to them are stored.
VMM 2008 R2 works differently than VMM 2008 with respect to Hyper-V security. VMM 2008 completely replaces any specific permissions assigned in Hyper-V with its own set of permissions. VMM 2008 R2, however, preserves any changes to role definitions and memberships. Hyper-V security uses the Authorization Manager API, also known as AzMan; in VMM 2008 R2, when you add a Hyper-V host, VMM creates its own AzMan authorization store, HyperVAuthStore.xml. The registry is updated to point to the new store, and VMM imports any user roles and memberships from the Hyper-V initialstore.xml. VMM 2008 doesn't take any of these steps: it simply ignores the Hyper-V initialstore.xml.
The Local System account is the default account for the VMM service; if you use an Active Directory domain account, it should be a member of the SysAdmin role in SQL Server. If you're using the Restricted Groups feature via Group Policy in Active Directory, it doesn't allow machine accounts (such as Local System) to be a member of the local administrators group, and thus you must use an ordinary Active Directory account. If you're using an Active Directory account, make sure it's not the same account used for communication with SQL Server, and don't use it for any other purpose on host computers. You also can't use this account for adding or removing Hyper-V or Virtual Server hosts in VMM.
If you're integrating with Operations Manager 2007 using PRO, the VMM service account must be a member of the Administrator role in Operations Manager 2007; VMM setup automatically adds the service account to the local Administrators group on the Operations Manager 2007 root management server. If this isn't the group that your organization uses to populate the Administrator role in Operations Manager 2007, you must add the service account manually to the right group.
Enabling communication with ESX hosts and vCenter Server takes a little bit of configuring. When you add a vCenter Server, VMM adds each ESX host as OK (Limited). To enable file transfers from each host, enable SSH root logon on each host. By default, VMM manages VMware environments in secure mode, which requires SSL certificate authentication of ESX server hosts. You can turn off this setting when you add the vCenter Server. Once file transfer is enabled, you can import existing VMware templates into the VMM library for creating virtual machines on ESX hosts.
System Center Virtual Machine Manager 2008 R2 is a very capable product that builds on the strength of Hyper-V. It is a delight to use. In mixed or Microsoft-only virtualization environments with more than a handful of hosts, VMM is a no-brainer—it will make your life so much easier. In VMware shops, I suspect VMM will be a harder sell; if you've built a virtualized datacenter based on one platform, there has to be a very compelling reason to redesign. On the other hand, VMware should be worried: Hyper-V R2 is now on a par with ESX; VMM as a management tool is very capable (R2 is the third full version of VMM released in the last three years) and adding the other System Center products provides deeper insight into both physical and virtual environments than anything VMware offers. And the cost equation is definitely on Microsoft's side: after all, Microsoft doesn't have to make all its profits from the virtualization platform and associated management tools, whereas VMware does.
Paul Schnackenburg has been working in IT since the days of 286 computers. He works part time as an IT teacher as well as running his own business, Expert IT Solutions, on the Sunshine Coast of Australia. He has MCSE, MCT, MCTS and MCITP certifications and specializes in Windows Server, Hyper-V and Exchange solutions for businesses. Reach him at firstname.lastname@example.org.