  • SSL and Virtual Server

    Q: Rod has this question: "I recently made the switch over to Virtual Server 2005 from VMware. I love the web based interface but am having troubles with enabling SSL. Can I use SelfSSL from the IIS6 Reskit? Could I set up a CA in a virtual machine to create the website and VMRC SSL certificates? Any tips on securing the Admin website and VMRC?"

    A: Here's a response from Ed Reed, a developer on the Virtual Machine team, and our resident VM security expert:

    For the Administration Website, there are no special requirements for an SSL certificate. As long as the certificate supports Server Authentication, it really doesn't matter where the certificate comes from. The choice of certificate, however, determines the level of security that SSL encryption can provide. Here are some links to relevant information:

    The requirements are different, however, for VMRC. Because Virtual Server runs as NetworkService, you need to create the VMRC SSL certificate using the IVMVirtualServer::VMRCCreateEncryptionCertificateRequest COM interface. You can also create this certificate from the Administration Website on the Virtual Machine Remote Control (VMRC) Server Properties page. This request makes a temporary certificate that can be used to perform SSL encryption; however, it doesn't have the full security of a certificate signed by a third-party CA. If you use MAKECERT or some other tool, the private key is stored such that it is inaccessible to NetworkService. Such a certificate will not work for VMRC.
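
One way to check an installed certificate against the two requirements in the answer above: that it supports Server Authentication, and that its private key is readable by NetworkService. This is an added example, not code from Ed Reed or the Virtual Server team, and `Test-ServerCertificate` and its output fields are hypothetical names. It assumes Windows PowerShell 5.1, an elevated session, a certificate in the LocalMachine\My store, and a legacy CSP key stored under MachineKeys.

```powershell
# Added example; function name and output fields are hypothetical.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Server Authentication EKU (id-kp-serverAuth). A certificate with no EKU
        # extension is not restricted to particular purposes.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $serverAuth = $true
        if ($eku) {
            $serverAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
        }

        # Assumption: legacy CSP key in the machine key store. Only an explicit
        # Allow/Read entry for NetworkService is detected; access granted through
        # a group, or a localized account name, is reported as 'not granted'.
        $keyAccess = 'unknown'
        try {
            $key = $Certificate.PrivateKey   # throws for CNG-backed keys on .NET Framework
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $file = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
                    $key.CspKeyContainerInfo.UniqueKeyContainerName)
                $read = [System.Security.AccessControl.FileSystemRights]::Read
                $ace = (Get-Acl -Path $file -ErrorAction Stop).Access | Where-Object {
                    $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $read) -eq $read }
                $keyAccess = if ($ace) { 'granted' } else { 'not granted' }
            }
        } catch { $keyAccess = 'unknown' }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            ServerAuth         = $serverAuth
            SelfSigned         = ($Certificate.Subject -eq $Certificate.Issuer)
            NotAfter           = $Certificate.NotAfter
            NetworkServiceRead = $keyAccess
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Test-ServerCertificate | Format-Table -AutoSize
```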

  • Migrating Windows Server 2003 SP1 to a virtual machine

    If you want to use Virtual Server 2005 Migration Toolkit (VSMT) to migrate a computer running Windows Server 2003 SP1 to a virtual machine, you'll need to copy some system files from your installation of Windows Server 2003 SP1 to the computer running VSMT. Normally VSMT automatically swaps out certain system files in your installation for others that are compatible with virtual machine emulated hardware, but VSMT doesn't have the necessary files for Windows Server 2003 SP1. This is because VSMT was released before Windows Server 2003 SP1.

    1. Copy the following files from your installation of Windows Server 2003 SP1 to %ProgramFiles%\Microsoft VSMT\Patches\Source\5.2.3790\sp1\.

    a. From %SystemDrive%\WINNT\system32\drivers, copy the following files:

    atapi.sys
    intelide.sys
    pciide.sys
    pciidex.sys

    b. From %SystemDrive%\WINNT\Driver Cache\i386\driver.cab, copy the following file:

    aic78xx.sys

    c. From %SystemDrive%\WINNT\Driver Cache\i386\sp1.cab, copy the following files:

    hal.dll
    halacpi.dll
    ntkrnlpa.exe
    ntoskrnl.exe

    2. Copy the following XML files from %ProgramFiles%\Microsoft VSMT\Patches\Source\5.2.3790\ to %ProgramFiles%\Microsoft VSMT\Patches\Source\5.2.3790\sp1\:

    finish.xml
    hal.xml
    hal_nacpi.xml
    start.xml
    storage.xml
    storageSCSI.xml
    UNIPROC.xml

    For more information about how VSMT swaps out system files and the reasons why it's important, see the "Step 6: Load system files" topic in the VSMT User's Guide (%ProgramFiles%\Microsoft VSMT\Help\vsmt.chm). To download VSMT, go to http://www.microsoft.com/windowsserversystem/virtualserver/evaluation/vsmt.mspx.
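
Steps 1 and 2 above can be scripted so that nothing is missed and the staged kernel, HAL and driver binaries are recorded. This is an added example, not part of VSMT or the original post; `Copy-VsmtSp1Files` and `$SourceRoot` are hypothetical names. It assumes the source installation's WINNT directory is reachable from the VSMT computer (for example over a share) and that PowerShell 4 or later is available for `Get-FileHash`.

```powershell
# Added example; Copy-VsmtSp1Files and its parameters are hypothetical.
function Copy-VsmtSp1Files {
    param(
        # %SystemDrive%\WINNT of the Windows Server 2003 SP1 installation
        [Parameter(Mandatory)][string]$SourceRoot,
        [string]$PatchRoot = (Join-Path $env:ProgramFiles 'Microsoft VSMT\Patches\Source\5.2.3790')
    )
    $dest = Join-Path $PatchRoot 'sp1'
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Step 1a: loose driver files
    $drivers = 'atapi.sys', 'intelide.sys', 'pciide.sys', 'pciidex.sys'
    foreach ($f in $drivers) {
        Copy-Item (Join-Path $SourceRoot "system32\drivers\$f") $dest -ErrorAction Stop
    }

    # Steps 1b and 1c: extract single files from the cabinets with expand.exe
    $cabs = @{
        'driver.cab' = @('aic78xx.sys')
        'sp1.cab'    = @('hal.dll', 'halacpi.dll', 'ntkrnlpa.exe', 'ntoskrnl.exe')
    }
    foreach ($cab in $cabs.Keys) {
        $cabPath = Join-Path $SourceRoot "Driver Cache\i386\$cab"
        foreach ($f in $cabs[$cab]) { & expand.exe $cabPath "-F:$f" $dest | Out-Null }
    }

    # Step 2: XML files from the parent patch directory
    $xml = 'finish.xml', 'hal.xml', 'hal_nacpi.xml', 'start.xml',
           'storage.xml', 'storageSCSI.xml', 'UNIPROC.xml'
    foreach ($f in $xml) { Copy-Item (Join-Path $PatchRoot $f) $dest -ErrorAction Stop }

    # Verify every expected file arrived and record its hash for later comparison
    $expected = @($drivers) + @($cabs.Values | ForEach-Object { $_ }) + @($xml)
    foreach ($f in $expected) {
        $path = Join-Path $dest $f
        $present = Test-Path $path
        [pscustomobject]@{
            File    = $f
            Present = $present
            SHA256  = if ($present) { (Get-FileHash $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# Constructed sample path; replace with the real source location.
Copy-VsmtSp1Files -SourceRoot '\\sourcehost\c$\WINNT' | Format-Table -AutoSize
```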

    Important notes:

    • You should either run Windows Server 2003 SP1 under Virtual Server 2005 SP1 (now in beta), or at least install the Virtual Machine Additions that ship with Virtual Server 2005 SP1. Otherwise, you may be unhappy with your virtual machine's performance. For more information about the beta, see http://blogs.technet.com/megand/archive/2005/04/20/403950.aspx.
    • ADS 1.0 doesn't work with Windows Server 2003 SP1. If you installed ADS 1.0 and pointed it to the Server2003-SP1 SlipStream binaries, you'll get an error (Error Code: 81070303). To fix the problem, uninstall ADS and then reinstall it. When Setup asks for the location of the Windows files, point it to the Server2003 RTM binaries.

  • Tip: How an app can discover it's running in a virtual machine

    Here's a tip from Paul Adare (author of Paul's Digital Lounge and Cigar Bar). If you want an application to discover it's running in a virtual machine, you can do the following:

    You could query the registry for the existence of the HKLM\SOFTWARE\Microsoft\Virtual Machine key. Or you could use a WMI query, such as this:

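    ' Suppress run-time errors so a failed WMI call does not stop the script
    On Error Resume Next

    strComputer = "."

    ' Connect to the WMI service on the local computer
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    ' 48 = return immediately + forward-only enumerator
    Set colItems = objWMIService.ExecQuery("Select * from Win32_BaseBoard",,48)

    For Each objItem in colItems
        If objItem.Product = "Virtual Machine" Then
            ' Running in a virtual machine (the rest of the original script is not shown on the page)
        End If
    Next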

  • How Microsoft is using Virtual Server

    Many of you would like to know how Virtual Server is being used at Microsoft. Here's a response from Jeff Woolsey, Lead Program Manager for virtualization. Thanks Jeff!

    Virtual Server is being used in a variety of ways at Microsoft, including for test and development and online training, such as Microsoft Learning.

    Test and Development

    Virtual Server is used by test teams throughout Microsoft, including Exchange, SQL, SBS, MOM, and many others. This is because Virtual Server allows you to rapidly deploy test servers within virtual machines while minimizing hardware requirements. Also, Virtual Server makes debugging easier. Debugging typically requires that a test computer is attached to a developer’s computer via a serial cable. With Virtual Server there's no need for this. The process is as follows:

    1. Testers reproduce the issue in a virtual machine.
    2. The virtual machine is saved at the point the issue occurs.
    3. The virtual machine is copied to the developer’s computer.
    4. The developer connects the virtual machine to a debugger through a named pipe (a virtual serial port) and debugs the issue in the development environment.

    Production Use by Microsoft Learning

    In the past year, Microsoft Learning has converted the majority of their online training from scripted Flash-type demos to live interactive training using Virtual Server. They started off slowly and have been ramping up with the increase in demand. Users log in and perform step-by-step interactive training with Virtual Server. On the back end, this is all done using virtual machines and Undo disks. When the customer logs in, an Undo disk is created for the session. When the user finishes and logs out, the Undo disk is discarded and immediately the virtual machine is ready for the next user.

    Benefits

    Microsoft Learning is servicing more customers than ever. This is a production environment in use every day: 30,143 attendees in January (972 attendees daily) alone with a 206,390 YTD. Because of the huge success of this program, Microsoft Learning is adding more hardware to increase the number of available labs.

    Here are a few of the positive results they’ve seen…

    • The 90-minute lab sessions are the most popular.
    • Lab session use has gone up.
    • Time spent in the lab has gone up (averaging 75 minutes per lab now).
    • Customer satisfaction is up (way up!).

    Customer Comments

    • I think this is the way IT was meant to be all along.  Thank You Bill and company. 
    • The implementation is entirely innovative and gives administrators like me a chance to experiment away from production systems.
    • Awesome. This is the type of thing IT training has needed for ages.
    • Excellent. Very useful hands on training.  This module needs to be longer.
    • EXCELLENT!  This is extremely useful hands on training.
    • Great! This is what admins who need to implement your products need. What about providing other training on SMS site design configurations, clusters etc.? A virtual lab setup like that will again help admins who are looking to implement this product.
  • Tip: Speeding up application installation

    If you want your applications to install more quickly in a virtual machine, do this: After you install the guest operating system, install Virtual Machine Additions, restart the virtual machine, and then install the applications.