Small businesses, branch offices, and home offices usually have less stringent physical security than enterprise datacenters and IT facilities. If you have Hyper-V servers in these scenarios, you should use the BitLocker Drive Encryption feature in Windows Server 2008. Use BitLocker on all volumes that house VM files (this includes the VMs, VHDs, configuration files, snapshots, and any VM resources, such as ISOs and VFDs).
BitLocker works with features in server hardware and firmware to provide secure operating system boot and disk drive encryption, even when the server is not powered or operating. This helps protect data if a disk is stolen and mounted on another machine for data mining. BitLocker also protects data if an attacker uses a different operating system or runs a software hacking tool to access a disk.
For more information on how to configure BitLocker to protect your Hyper-V server and the VMs on it, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption.
See also “Windows BitLocker Drive Encryption Frequently Asked Questions,” “Windows BitLocker Drive Encryption Design and Deployment Guides,” and “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.”
NOTE: Use BitLocker in the parent partition of the Hyper-V server. Do not run BitLocker within a virtual machine. BitLocker is NOT SUPPORTED within a virtual machine.
BitLocker supports four different authentication modes including one for servers that don’t include a Trusted Platform Module (TPM). For more information see “BitLocker Drive Encryption Technical Overview.”
NOTE: Any configurations and VHDs that are created and stored on a BitLocker-encrypted physical disk volume receive BitLocker protection, regardless of the operating systems that are running on those virtual machines. This means supported non-Windows and legacy Microsoft operating systems benefit from the same BitLocker protection when they run as guest operating systems of Windows Server 2008 Hyper-V.
Deployment is pretty straightforward:
1. Install Windows Server 2008.
2. Install the Hyper-V role and the BitLocker feature.
3. Configure the system volume for BitLocker.
4. Turn on BitLocker and encrypt the operating system and data volumes.
5. Create new virtual machines.
6. Consolidate and deploy workloads onto the Hyper-V server.
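One way to check the result of step 4 before moving workloads onto the server, as an added example that is not part of the original post: the script below asks the BitLocker WMI provider whether every volume that holds VM files is fully encrypted with protection turned on. The paths in `$vmPaths` are constructed sample values, the function names are hypothetical, and the script assumes PowerShell 2.0 or later, an elevated session in the parent partition, and volumes that are mounted with drive letters rather than mount points.

```powershell
# Added example: audit BitLocker coverage of the volumes that hold Hyper-V files.
# Constructed sample paths; replace with the locations used on your server.
$vmPaths = @(
    'D:\Hyper-V\Virtual Machines',     # VM configuration files and snapshots
    'D:\Hyper-V\Virtual Hard Disks',   # VHDs
    'E:\Media'                         # ISOs and VFDs attached to VMs
)

function Get-BitLockerVolumeState {
    # Win32_EncryptableVolume is the WMI class exposed by the BitLocker provider.
    # ProtectionStatus 1 = protection on; ConversionStatus 1 = fully encrypted.
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object {
            $conv = $_.GetConversionStatus()
            New-Object PSObject -Property @{
                DriveLetter    = $_.DriveLetter.ToUpper()
                ProtectionOn   = ($_.ProtectionStatus -eq 1)
                FullyEncrypted = ($conv.ConversionStatus -eq 1)
                PercentDone    = $conv.EncryptionPercentage
            }
        }
}

function Test-VmPathProtection {
    param([string[]]$Paths, [object[]]$Volumes)
    foreach ($p in $Paths) {
        # 'D:\Hyper-V\...' -> 'D:'
        $drive = [System.IO.Path]::GetPathRoot($p).TrimEnd('\').ToUpper()
        $vol   = $Volumes | Where-Object { $_.DriveLetter -eq $drive }
        # A volume unknown to the BitLocker provider counts as unprotected.
        $ok    = [bool]($vol -and $vol.ProtectionOn -and $vol.FullyEncrypted)
        New-Object PSObject -Property @{
            Path        = $p
            Drive       = $drive
            Protected   = $ok
            PercentDone = $(if ($vol) { $vol.PercentDone } else { 0 })
        }
    }
}

$report = @(Test-VmPathProtection -Paths $vmPaths -Volumes @(Get-BitLockerVolumeState))
$report | Format-Table Path, Drive, Protected, PercentDone -AutoSize

# Non-zero exit code so a scheduled task or build step can flag the gap.
if ($report | Where-Object { -not $_.Protected }) { exit 1 }
```

A volume that is still encrypting, or that has protection suspended, is reported as not protected, so run the check again after encryption completes.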
If there is a problem, you may need the BitLocker Repair Tool. This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:
Hopefully, you will never need the BitLocker Active Directory Recovery Password Viewer, an extension for the Active Directory Users and Computers MMC snap-in that lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. After you install this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.
NOTE: To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.
The Windows Server Catalog shows an up-to-date list of all systems successfully tested with Hyper-V. For older server systems, newer ones not on the catalog yet, or non-server systems, you can use the following tools to check if your system processor supports Hyper-V:
The AMD tool is here. The Intel tool is here.
One screen of the Intel tool looks like this (emphasis added):
Hyper-V requires both hardware assisted virtualization (HAV) and data execution prevention (AMD NX/Intel XD) enabled in the BIOS.
First, have a listen to this 8-minute podcast with Senior Hyper-V Dev Lead Brandon Baker on Virtualization Security Best Practices. Then, you’ll want to read up on Authorization Manager (AzMan). Here are some resources to get you started:
Here are some resources for IT Pros on Windows Server 2008, compiled using the Social Bookmarking Preview on TechNet:
Windows Server 2008 Component Posters
Windows Server 2008 TechCenter
Windows Server Community
Windows Server 2008 Step-by-Step Guides
Windows Server 2008 Security Guide
Group Policy Settings Reference for Windows Server 2008
BitLocker Active Directory Recovery Password Viewer
Microsoft Deployment Toolkit 2008
Server Core Demo
Deploying Windows Server 2008
Hyper-V Technical Library content.
Microsoft Remote Server Administration Tools (RSAT)
Downloads & Pre-requisites for the Hyper-V Management tools for Vista SP1
Windows Server 2008 Enterprise Evaluation Software download
Failover Cluster Step-by-Step Guide: Configuring a Two-Node File Server Failover Cluster
Step-by-Step Guide for Testing Hyper-V and Failover Clustering
How to Enable Remote Administration of Server Core via MMC using NETSH
Process Explorer v11.20
Design and Implementation for Active Directory Datasheet
Microsoft IPsec Diagnostic Tool
Volume Activation 2.0 Technical Guidance
Windows SDK for Windows Server 2008 and .NET Framework version 3.5
Microsoft Baseline Security Analyzer 2.1 (for IT Professionals)
Server Core Blog
This is a lowperv (low perversion)/high information blog post. That’s a joke people. The Social Bookmarking Preview on TechNet and MSDN does not support a hyphen in a tag, the tag comes out “hyperv”. Get it? High perversion = hyperv, low perversion = unnh, never mind…
You’ll be seeing many more resources to help you use Hyper-V after the final bits release. In the meantime, here are some resources to help you get ready. Add these to the Hyper-V Security Getting Started Guide and Windows Server 2008 Resources.
MICROSOFT ASSESSMENT & PLANNING TOOLKIT 3.1 Beta Bits : Help for sizing your Hyper-V servers and identifying virtualization candidates based on your actual usage data. https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2307&InvitationID=MP31-GT76-X98X&SiteID=297
Hyper-V FAQ : http://www.microsoft.com/windowsserver2008/en/us/hyperv-faq.aspx
Virtualization TechCenter : http://technet.microsoft.com/en-us/virtualization/default.aspx
How to Install Windows Server 2008 Hyper-V RC : http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
Windows Server 2008 Hyper-V Performance Tuning Guide : http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
MSDN & TechNet Powered by Hyper-V Whitepaper : http://download.microsoft.com/download/6/C/5/6C559B56-8556-4097-8C81-2D4E762CD48E/MSCOM_Virtualizes_MSDN_TechNet_on_Hyper-V.docx
Momentum Webcast: Virtualization Capabilities of Windows Server 2008 (Level 100) : http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032368894&CountryCode=US
Momentum Webcast: Are You Ready for Virtualization? (Level 200) : http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032372420&CountryCode=US
Hyper-V Test Lead's Blog : http://blogs.msdn.com/taylorb/ great source of scripts!
Hyper-V performance guru blog : http://blogs.msdn.com/tvoellm/archive/tags/Hyper-V/default.aspx
Virtualization Blog : http://blogs.technet.com/virtualization/default.aspx
Virtual PC Guy's Blog : another great source for scripts! http://blogs.msdn.com/Virtual_PC_Guy/
Hyper-V Sr PM Blog : http://blogs.technet.com/jhoward/
Hyper-V MCS Guy Blog : http://blogs.technet.com/roblarson/
Zarb and Bennett Virtualization Blog : http://blogs.technet.com/virtualworld/
Windows Server Division WebLog : http://blogs.technet.com/windowsserver/
Microsoft Assessment and Planning Team Blog : http://blogs.technet.com/mapblog/
Server and Tools Business News Bytes blog : http://blogs.technet.com/stbnewsbytes/
What else…? Leave comments and I’ll update this list and the Social Bookmark version.
The final list of supported operating systems for VMs under Hyper-V RTM is now documented in KB954958.
You’ve already heard that Hyper-V was running MSDN and TechNet in production, before it was released. The Windows Server Division Weblog reveals today that the biggest website on the planet, Microsoft.com, is Powered by Hyper-V.
The scale here is BIG
· Over 1.2 billion page views PER MONTH
· Over 280 million worldwide unique users PER MONTH
In the time it takes to type Microsoft Hyper-V into Live search, about 30K requests just hit www.microsoft.com.
BTW, Hyper-V RTM bits are available, starting today: Windows Server 2008 Hyper-V is available for download.
IT Showcase (my old group) documents how Microsoft IT runs Microsoft using Microsoft products. They’ve just released a technical white paper detailing the IT deployment of the Forefront Client Security solution to 40,000 corpnet PCs. Check out Deploying Microsoft Forefront Client Security at Microsoft:
Technical White Paper | PowerPoint Presentation | IT Pro Webcast
There is a new TechNet Edge video on the first SuperFlow.
Listen to the short (7.5 min) podcast about an innovative new way to deliver content to IT Pros: the Superflow. The first Superflow is the System Center Configuration Manager 2007 Software Updates Synchronization SuperFlow.
Splogbane: If you are reading this on a blog other than http://blogs.technet.com/tonyso, why not stop patronizing a splog and come over to the original?
Wikipedia says "Flow is the mental state of operation in which the person is fully immersed in what he or she is doing, characterized by a feeling of energized focus, full involvement, and success in the process of the activity".
What is a SuperFlow? The SuperFlow is a new content model that takes a technical flowchart or process workflow to the next level by providing the following:
Interactive Flowchart
The SuperFlow interactive flowchart provides:
• General and in-depth technical information about each step in the process.
• Procedures to accomplish relevant tasks, sample status messages, sample log file entries, troubleshooting information, and more!
Animation
The SuperFlow animation provides:
• A visual representation for the steps in the SuperFlow process.
• A detailed description for each step in the SuperFlow process.
Resources
The SuperFlow resources page provides:
• Links to internal resources such as the detailed dataflow for the process, sample log entries for the end-to-end process, verification checklists, etc.
• Links to external Web resources that provide more information about the product and SuperFlow process.
NOW is your chance to influence how Microsoft delivers content to you. From any section of the SuperFlow, there is a feedback link available and I encourage everyone to use the link and tell us what you think.
Or, leave comments here. The more feedback we get, the stronger case we can make for innovative ways to deliver content to you.
The Microsoft Assessment and Planning Toolkit has been updated, and now includes:
Download MAP 3.1: http://www.microsoft.com/downloads/details.aspx?FamilyID=67240b76-3148-4e49-943d-4d9ea7f77730&DisplayLang=en
MAP Team Blog (video demos): http://blogs.technet.com/MAPBLOG
Forum Community: http://forums.technet.microsoft.com/en-US/map/threads/
I recently had a chance to chat with the manager of the design/edit team for TN/MSDN/Expression - Geoff Wheelwright. You can listen to the 8.5 minute podcast on the TechNet/MSDN Facelift. John Martin’s blog has some great behind-the-scenes info as well. Want to get involved? Engage with the forums:
MSDN Future Plans
TechNet Future Plans
MSDN & TechNet Site Feedback
As reported on the Microsoft Education US Specialist Team Blog, user demand has resurrected Microsoft Producer. You can try out the prerelease version and give your feedback on http://connect.microsoft.com. For a clue about why the education market in particular used Producer heavily, see the “Publishing Presentations with Microsoft Producer” white paper.
Yay community. Score one for the users.
One of the first steps you’ll need to handle is surveying your current environment for good/bad virtualization candidates. Even though Hyper-V is not yet released, the tools below will help you get started on this key deployment planning task.
The Microsoft Assessment and Planning Solution Accelerator (MAP) scans the environment of servers, captures perfmon counters and recommends virtualization candidates.
The Infrastructure Planning and Design Solution Accelerator (IPD) guides offer tech guidance on what key decisions to make when designing a solid virtualized infrastructure.
Here is a blog post that explains “How-to do Virtualization Candidate Reporting.” And a MAP Video Demo.
After you have your list, you’ll begin to plan migration of various workloads to virtualization. You’ll want to keep the support policy in mind:
897615 Support policy for Microsoft software running in non-Microsoft hardware virtualization software
Hardware virtualization software lets you run multiple operating system instances at the same time on a single computer. Microsoft has two software offerings, Microsoft Virtual PC and Microsoft Virtual Server, that provide this functionality. Third parties also have software in the market that provides this functionality. This article describes support provided by Microsoft for its software running together with non-Microsoft hardware virtualization software.
Except as described in this article, Microsoft does not test or support Microsoft software running together with non-Microsoft hardware virtualization software.
For Microsoft customers who do not have a Premier-level support agreement, Microsoft will require the issue to be reproduced independently from the non-Microsoft hardware virtualization software. Where the issue is confirmed to be unrelated to the non-Microsoft hardware virtualization software, Microsoft will support its software in a manner that is consistent with support provided when that software is not running together with non-Microsoft hardware virtualization software.
For Microsoft Premier-level support customers running non-Microsoft hardware virtualization software from vendors with which Microsoft does not have an established support relationship that covers virtualization solutions, Microsoft will use commercially reasonable efforts to investigate potential issues with Microsoft software running together with non-Microsoft hardware virtualization software. As part of that investigation, Microsoft may require the issue to be reproduced independently from the non-Microsoft hardware virtualization software. Where issues are confirmed to be unrelated to the non-Microsoft hardware virtualization software, Microsoft will support its software in a manner that is consistent with support provided when that software is not running together with non-Microsoft hardware virtualization software.
Microsoft will jointly support certain non-Microsoft hardware virtualization software from vendors with which Microsoft has established a support relationship that covers virtualization solutions. This joint support will include coordinating with the vendor to investigate support issues. As part of the investigation, Microsoft may require the issue to be reproduced independently from the non-Microsoft hardware virtualization software. Where issues are confirmed to be unrelated to the non-Microsoft hardware virtualization software, Microsoft will support its software in a manner that is consistent with support provided when that software is not running together with non-Microsoft hardware virtualization software.
Hyper-V makes it possible to consolidate servers onto a much smaller number of physical machines, significantly reducing power consumption without unduly sacrificing performance. Multiple virtual machines can run on a single physical machine without consuming significantly more power than a standalone server while keeping comparable throughput. This means you can add virtual machines at essentially no power cost, as dictated by your hardware and performance needs. The savings continue to scale with the number of servers you are able to virtualize. Running 4 virtual machines means saving the equivalent power output of three physical servers; running 10 virtual machines means saving the equivalent power output of 9 physical servers.
The Windows Server 2008 Power Savings White Paper details some of the savings:
Read more about Energy Efficiency Best Practices in Microsoft Data Center Operations on the Microsoft Environment site.
Virtualization ROI Tool
Five Ways to Reduce Data Center Server Power Consumption
"In the Data Center, Power and Cooling Costs More Than the IT Equipment It Supports." Electronics Cooling.
The Green Grid Data Center Power Efficiency Metrics: PUE and DCiE.
The UA team over at Operations Manager have just published a FREE System Center Content Search gadget for Vista.
Built on Live Search macros, this gadget makes it easier to find help for Microsoft System Center products because it uses Live Search macros to search specific sites instead of the entire web. Search results are only returned from sites that are known to contain helpful information about System Center products. Use the settings in the gadget to pick the System Center product that you want to find information about, and then enter a search term in the gadget to get customized search results.
Feedback? Want to let us know the next gadget we should release? Leave comments.