CHAPTER 10 Configuring Virtual Machine High Availability
Lesson 1: Working with VM High Availability

FIGURE 10-9 Guest application failover during a host failure

VLAN tagging is based on the Institute of Electrical and Electronics Engineers (IEEE) standard 802.1Q and is designed to control traffic flow by isolating traffic streams from one another. (See http://standards.ieee.org for more information.) Isolated streams cannot connect with each other unless a router is linked to each stream and the router includes a route that links both together. In this way, you can have a machine linked to VLAN_1 and another linked to VLAN_2, and if there is no route between the two, neither machine will be able to view the other’s traffic.

VLANs can be set up in two ways:

- Static VLANs  In a static VLAN, you assign static VLAN IDs to each port in a network switch. All traffic that flows through a specific port is then tagged with the VLAN attached to that port. This approach centralizes VLAN control; however, if you move a computer connection from one port to another, you must make sure the new port uses the same VLAN ID or the computer’s traffic will no longer be on the same VLAN.
- Dynamic VLANs  In a dynamic VLAN, you assign VLAN IDs at the device level. To do so, your devices must be 802.1Q aware; that is, they must support VLAN tagging at the device level.

Hyper-V supports dynamic VLAN tagging. This allows Hyper-V to support traffic isolation without requiring a multitude of physical adapters on the host server. Note, however, that the physical adapters on the host server must support 802.1Q even if you don’t assign a VLAN to the adapter itself.

VLANs can be assigned at three different levels in Hyper-V:

- You can assign a VLAN ID to the physical adapter itself.
  If the adapter supports 802.1Q, you can assign a VLAN ID as part of the driver configuration for the adapter. You do this by clicking the Configure button in the driver’s Properties dialog box and using the values available on the Advanced tab (see Figure 10-10). This isolates the traffic on the physical adapter.

  FIGURE 10-10 Configuring a VLAN ID on a physical adapter

- You can assign a VLAN ID to the parent partition when configuring either external or internal virtual network adapters (see Figure 10-11). You do this by setting the value as a property of the virtual adapter in the Virtual Network Manager. This isolates the traffic for the parent partition.

  FIGURE 10-11 Configuring a VLAN ID for the parent partition on an external adapter

- You can assign a VLAN ID to child partitions by setting the value as part of the configuration of the virtual network adapter the VM is attached to (see Figure 10-7, shown earlier in the chapter). You do this by setting the VLAN ID as part of the virtual machine’s attached network adapter settings. This isolates the traffic for the VM itself. Each virtual network adapter can be assigned to a different VLAN ID.

In all three cases, the switch ports that the physical adapters are attached to must support the VLAN ID you assigned; otherwise, the traffic will not route properly.

VLAN tagging is very useful in Hyper-V because it can be used to segregate traffic at multiple levels. If you want to segregate parent partition and utility domain traffic (as discussed in Chapter 8) and you do not have a separate physical adapter to assign to the process, you can use VLAN tagging for the parent partition and the virtual machines that are part of the resource pool.
If you want to create a guest failover cluster and you want to isolate the traffic for the private network, you can assign a VLAN ID to one of the virtual network adapters in the VM. Make sure, however, that your entire infrastructure can support the process.

Ideally, you will focus on only parent partition VLAN tagging and virtual machine VLAN tagging and omit using physical adapter VLAN tagging when you work with Hyper-V. This simplifies VLAN use and keeps all VLAN values within the Hyper-V configuration environment. In addition, all VLAN traffic is then managed by the Hyper-V virtual network switch.

More Info: VLAN TAGGING IN HYPER-V
For more information on VLAN tagging in Hyper-V, look up Microsoft Consulting Services Adam Fazio’s blog at http://blogs.msdn.com/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx.

Exam Tip: VLAN TAGGING IN HYPER-V
Remember that for a VLAN to work in Hyper-V, the physical adapter must support the 802.1Q standard; otherwise, the traffic will not flow even if you set all configurations properly at the VM level.

As a best practice, you should rely on the network address you assign to the adapters—physical or virtual—as the VLAN ID for the network. For example, if you assign IPv4 addresses in the 192.168.100.x range, use 100 as the VLAN ID; if you use addresses in the 192.168.192.x range, assign 192 as the VLAN ID, and so on. This will make it easier to manage addressing schemes in your virtual networks.

Configuring iSCSI Storage

When you work with iSCSI storage, you rely on standard network adapters to connect remote storage to a machine. All storage traffic moves through the network adapters. Storage is provisioned and offered for consumption to endpoint machines by an iSCSI target—a storage container running an iSCSI interpreter so that it can receive and understand iSCSI commands.
An iSCSI target can be either the actual device offering and managing the storage, or it can be a bridge device that converts IP traffic to Fibre Channel and then relies on Fibre Channel Host Bus Adapters (HBAs) to communicate with the storage container. iSCSI target storage devices can be SANs that manage storage at the hardware level or they can be software engines that run on server platforms to expose storage resources as iSCSI targets.

More Info: iSCSI TARGET EVALUATION SOFTWARE
You can use several products to evaluate iSCSI targets as you prepare to work with highly available VMs. Microsoft offers two products that support iSCSI targets: Windows Storage Server 2003 R2 and Windows Unified Data Storage Server 2003. Both can be obtained as evaluations for use as iSCSI targets from http://microsoft.download-ss.com/default.aspx?PromoCode=WSREG096&PromoName=elbacom&h=elbacom. A registration process is required for each evaluation product you select.
You can also obtain an evaluation version of StarWind Server from Rocket Division Software to create iSCSI targets for testing virtual machine clustering. Obtain the free version from http://rocketdivision.com/download_starwind.html. The retail version of StarWind Server lets you create iSCSI targets from either physical or virtual machines running Windows Server software and including multiple disks. This greatly simplifies cluster constructions in small environments because you do not require expensive storage hardware to support failover clustering.

iSCSI clients run iSCSI Initiator software to initiate requests and receive responses from the iSCSI target (see Figure 10-12). If the iSCSI target is running Windows Server 2003, you must download and install the iSCSI Initiator software from Microsoft. If the client is running Windows Server 2008, the iSCSI Initiator software is included within the operating system.
Because iSCSI storage traffic is transported over network adapters, you should try to install the fastest possible adapters in your host servers and reserve them for iSCSI traffic in VMs.

More Info: iSCSI INITIATOR SOFTWARE
You can also obtain the Windows Server 2003 iSCSI Initiator software from http://www.microsoft.com/downloads/details.aspx?familyid=12cb3c1a-15d6-4585-b385-befd1319f825&displaylang=en. Also, look up the iSCSI Initiator User’s Guide at http://download.microsoft.com/download/A/E/9/AE91DEA1-66D9-417C-ADE4-92D824B871AF/uGuide.doc.

FIGURE 10-12 iSCSI Clients initiate requests that are consumed by iSCSI targets.

Installing and configuring the iSCSI Initiator is very simple. If you are using Windows Server 2003, you must begin by downloading and installing the Microsoft iSCSI Initiator, but if you are working with Windows Server 2008, the iSCSI Initiator is already installed and ready to run. You can find the iSCSI Initiator shortcuts in two locations on Windows Server 2008: in Control Panel under Classic View or in Administrative Tools on the Start menu.

To configure a machine to work with iSCSI storage devices, begin by configuring an iSCSI target on the storage device and then use the following procedure on the client. Note that you need local administrator access rights to perform this operation.

1. Launch the iSCSI Initiator on the client computer. If this is the first time you are running the Initiator on this computer, you will be prompted to start the iSCSI service. Click Yes. This starts the service and sets it to start automatically.
2. You are prompted to unblock the iSCSI service (see Figure 10-13). Click Yes. This opens TCP port 3260 on the client computer to allow it to communicate with the iSCSI target.
   This launches the iSCSI Initiator Properties dialog box and displays the General tab.

   FIGURE 10-13 Unblocking the iSCSI Service on the client computer

3. Click the Discovery tab, click Add Portal, type in the IP address of the iSCSI target, make sure port 3260 is being used, and click OK.
4. Click the Targets tab. The iSCSI target you configured should be listed. Click Log On, select Automatically Restore This Connection When The Computer Starts, and then click OK. Note that you can also configure Multi-Path I/O (MPIO) in this dialog box (see Figure 10-14). MPIO is discussed later in the chapter. Leave it as is for now. Repeat the logon process for each disk you want to connect to. Each disk is now listed with a status of Connected.

   FIGURE 10-14 Logging on to the remote disk

5. Click the Volumes And Devices tab and then click Autoconfigure. All connected disks now appear as devices. Click OK to close the iSCSI Initiator Properties dialog box.
6. Reboot the cluster node to apply your changes. Repeat the procedure on the other node(s) of the cluster.
7. When the nodes are rebooted, expand the Storage node and then expand the Disk Management node of the Tree pane in Server Manager. The new disks appear offline. Right-click the volume names and click Online to bring the disks online.

You can now proceed to the creation of a cluster. Follow the steps outlined in Lesson 1 of Chapter 3.

More Info: CREATING iSCSI CLUSTERS IN HYPER-V
For a procedure outlining how to create an iSCSI cluster in Hyper-V, see the Ireland Premier Field Engineering blog at http://blogs.technet.com/pfe-ireland/archive/2008/05/16/how-to-create-a-windows-server-2008-cluster-within-hyper-v-using-simulated-iscsi-storage.aspx. For more information on iSCSI in general, see the Microsoft TechNet iSCSI landing page at http://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/default.mspx.
For a discussion on how to use the Windows Unified Data Storage Server evaluation as an iSCSI target for the creation of virtual machine clusters, see http://blogs.technet.com/josebda/archive/2008/01/07/installing-the-evaluation-version-of-wudss-2003-refresh-and-the-microsoft-iscsi-software-target-version-3-1-on-a-vm.aspx.

Exam Tip: THE iSCSI INITIATOR
Make sure you understand how to work with the iSCSI Initiator because it is an important part of the exam. If you do not have access to iSCSI target devices, you can always download the evaluation copy of StarWind Server from Rocket Division Software, as mentioned earlier.

More Info: USING THE INTERNET STORAGE NAME SERVICE (iSNS)
Windows Server also includes support for iSNS. This service is used to publish the names of iSCSI targets on a network. When you use an iSNS server, then the iSCSI Initiator will obtain target names from the list the iSNS server publishes instead of having them statically configured in each client once the address of the iSNS server has been added to the iSCSI Initiator configuration.

Understanding iSCSI Security

Transferring storage data over network interface cards (NICs) can be a risky proposition on some networks. This is one reason the iSCSI Initiator includes support for several security features that allow you to encrypt the data between the iSCSI client and the target. You can use three methods to secure client/target communications:

- CHAP  The Challenge-Handshake Authentication Protocol (CHAP) is a protocol that authenticates peers during connections. Peers share a password or secret. The secret must be entered in each peer of the connection along with a user name that must also be the same. Both the secret and the user name are shared when connections are initiated. Authentication can be one-way or mutual. CHAP is supported by all storage vendors supporting the Microsoft iSCSI implementation.
  If targets are made persistent, the shared secret is also made persistent and encrypted on client computers.
- IPsec  The IP Security Protocol (IPsec) provides authentication and data encryption at the IP packet layer. Peers use the Internet Key Exchange (IKE) protocol to negotiate the encryption and authentication mechanisms used in the connection. Note that not all storage vendors that support the Microsoft iSCSI implementation provide support for IPsec.
- RADIUS  The Remote Authentication Dial-In User Service (RADIUS) uses a server-based service to authenticate clients. Clients send user connection requests to the server during the iSCSI client/target connection. The server authenticates the connection and sends the client the information necessary to support the connection between the client and the target. Windows Server 2008 includes a RADIUS service and can provide this service in larger iSCSI configurations.

Because CHAP is supported by all vendors, it tends to be the security method of choice for several iSCSI implementations.

More Info: iSCSI SECURITY MODES
For more information on supported iSCSI security modes, go to http://technet.microsoft.com/en-us/library/cc754658.aspx.

In the case of CHAP and IPsec, however, the configuration of iSCSI security is performed on the General tab of the iSCSI Initiator Properties dialog box (see Figure 10-15). To enter the CHAP secret, click Secret. To configure IPsec settings, click Set Up. Make sure the same settings have been configured on the iSCSI target; otherwise, your iSCSI connections will fail.

Note that the General page of the iSCSI Properties dialog box also lets you change the name of the Initiator. In most cases, the default name is fine because it is based on a generic name followed by the server name that differentiates it from other iSCSI Initiator names. Note, however, that the Internet Qualified Name (IQN) used by initiators and targets must be unique in all instances.
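The CHAP exchange described in the list above, as an added Python example that is not from the book or from Microsoft's initiator: it computes the RFC 1994 MD5 response that iSCSI uses and runs one-way and mutual logins, recording what crosses the wire. Assumptions: the IQN and both secrets are constructed sample values, and a separate secret is used for each direction of mutual CHAP.

```python
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # RFC 3720: secrets under 96 bits are only allowed over IPsec

# Constructed sample values, not taken from any real system.
INITIATOR = "iqn.1991-05.com.microsoft:serverfull01.example.test"
INIT_SECRET = b"init-secret-0001"
TGT_SECRET = b"tgt-secret-00002"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994; iSCSI CHAP_A=5): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def _check(secret: bytes) -> bytes:
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("CHAP secret shorter than 12 bytes")
    return secret


def chap_login(name, initiator_secret, target_users, *,
               expected_target_secret=None, target_secret=None):
    """Simulate the login exchange; return (result, wire_messages).

    name, initiator_secret : values entered on the initiator
    target_users           : {user name: secret} configured on the target
    expected_target_secret : set on the initiator to require mutual CHAP
    target_secret          : secret the target uses to answer the initiator
    """
    wire = []
    _check(initiator_secret)

    # Target -> initiator: identifier and random challenge.
    t_id, t_chal = os.urandom(1)[0], os.urandom(16)
    wire.append({"CHAP_A": 5, "CHAP_I": t_id, "CHAP_C": t_chal})

    # Initiator -> target: user name and response, never the secret itself.
    msg = {"CHAP_N": name,
           "CHAP_R": chap_response(t_id, initiator_secret, t_chal)}
    mutual = expected_target_secret is not None
    if mutual:
        _check(expected_target_secret)
        i_id, i_chal = os.urandom(1)[0], os.urandom(16)
        msg.update({"CHAP_I": i_id, "CHAP_C": i_chal})
    wire.append(msg)

    # Target recomputes the response from its own copy of the secret.
    stored = target_users.get(name)
    if stored is None or not hmac.compare_digest(
            chap_response(t_id, stored, t_chal), msg["CHAP_R"]):
        return "target rejected initiator", wire
    if not mutual:
        return "one-way CHAP ok", wire

    # Target -> initiator: answer to the initiator's own challenge.
    reply = chap_response(i_id, target_secret or b"", i_chal)
    wire.append({"CHAP_N": "target", "CHAP_R": reply})
    if not hmac.compare_digest(
            chap_response(i_id, expected_target_secret, i_chal), reply):
        return "initiator rejected target", wire
    return "mutual CHAP ok", wire


if __name__ == "__main__":
    users = {INITIATOR: INIT_SECRET}
    print(chap_login(INITIATOR, INIT_SECRET, users)[0])
    print(chap_login(INITIATOR, INIT_SECRET, users,
                     expected_target_secret=TGT_SECRET,
                     target_secret=b"rogue-target-000")[0])
```

With one-way CHAP only the target checks the initiator; the second call shows what mutual CHAP adds, since a target that does not hold the expected secret is refused by the initiator.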
You can configure more advanced security settings on the Targets tab under the Log On button when you click Advanced (see Figure 10-16). Both CHAP and IPsec advanced settings are available in this dialog box. This is also where you can enable the use of RADIUS servers.

When you implement iSCSI storage for virtual machines, make sure you secure the traffic—these machines are running public end-user services and the storage traffic carries valuable information over the network. Also keep in mind that you can combine the security features of iSCSI for more complete protection. For example, you can use CHAP for authentication and IPsec for data encryption during transport.

FIGURE 10-15 The General page of the iSCSI Initiator properties

FIGURE 10-16 Using advanced CHAP or IPsec configurations

Important: ENABLING iSCSI ON SERVER CORE
When you work with Server Core, you do not have access to the graphical interface for iSCSI configuration. In this case, you must use the iscsicli.exe command to perform iSCSI configurations. You can type iscsicli /? at the command prompt to find out more about this command. In addition, you will need to enable iSCSI traffic through the Windows Firewall on client servers. Use the following command to do so:

    netsh advfirewall firewall set rule name="iSCSI Service (TCP-Out)" new enable=yes

Understanding Guest Network Load Balancing

Network Load Balancing is not a high-availability solution in the same way as failover clustering. In a failover cluster, only one node in the cluster runs a given service. When that node fails, the service is passed on to another node and at that time that node becomes the owner of the service. This is due to the shared-nothing cluster model that Windows Server Failover Clustering relies on.
Because of this model, only one node can access a given storage volume at a time and therefore the clustered application can only run on a single node at a time.

Update Alert: CLUSTER SHARED VOLUMES
It is precisely the shared-nothing model that is changed in Windows Server 2008 R2 to support live virtual machine migrations in Hyper-V. CSVs use a shared-everything model that allows all cluster nodes to “own” the shared storage volume. Note that this shared-everything model through CSVs is only available for clusters running Hyper-V. All other clustered applications will continue to use the shared-nothing model.

In NLB clusters, every single member of the cluster offers the same service. Users are directed to a single NLB IP address when connecting to a particular service. The NLB service then redirects users to the first available node in the cluster. Because each member in the cluster can provide the same services, services are usually in read-only mode and are considered stateless.

Important: CREATING GUEST NLB CLUSTERS
When you create a guest NLB cluster, you should apply a hotfix to the guest operating system; otherwise, the NLB.sys driver may stop working. Find out more on this issue at http://support.microsoft.com/kb/953828.

NLB clusters are fully supported in Hyper-V virtual machines because the Hyper-V network layer provides a full set of networking services, one of which is NLB redirection. This means that you can create multi-node NLB clusters (up to 32) to provide high availability for the services you make available in your production virtual machines. Note, however, that each computer participating in an NLB cluster should include at least two network adapters: one for management traffic and the other for public traffic. This is very simple to do in virtual machines—just add another virtual network adapter. Enlightened machines can [...]...
Table 10-3 outlines the different Microsoft products, applications, and server roles that are supported to run in virtual environments. Three environments are supported:

- Microsoft Hyper-V Server  Also runs 32-bit or 64-bit guest operating systems. However, Hyper-V Server does not support failover clustering.
- Windows Server with Hyper-V  Hyper-V supports 32-bit or 64-bit guest operating systems. Server...

Virtual Machine Characteristics | Host Server Clustering | Failover Clustering | NLB
Message queuing servers; Virtual Private Network (VPN) servers; File servers; Streaming Media servers; Print servers; Unified Communications servers; App-V servers

The guidelines in Table 10-2 will assist you in your selection of a high-availability solution for your production...

... role: Application servers (stateful); Application servers (stateless); File and print servers; Dedicated Web servers; Collaboration servers (storage); Collaboration servers (front end); Network infrastructure servers; Terminal servers (front end); SQL Server computers; Web Farms; Exchange mailbox servers; Exchange Client Access Servers; Message queuing servers; Internet Security and Acceleration Server (ISA); Internal...

In addition, Table 10-4 points you to online virtual labs if they exist for the same product.

More Info: Microsoft Applications Available in VHDs
Some of the information in Table 10-4 was compiled from the evaluation VHD landing page at http://technet.microsoft.com/en-us/bb738372.aspx. Watch this page to find more VHDs as they become available.

Table 10-4 Microsoft Evaluation...

... http://www.microsoft.com/downloads/details.aspx?FamilyID=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en  http://technet.microsoft.com/en-us/exchange/bb499043.aspx
Office SharePoint Server 2007  http://www.microsoft.com/downloads/details.aspx?FamilyID=67f93dcb-ada8-4db5-a47b-df17e14b2c74&displaylang=en  http://technet.microsoft.com/en-us/office/sharepointserver/bb512933.aspx
System Center Configuration Manager... details.aspx?FamilyID=4a27e89c-2d73-4f57-a62c-83afb4c953f0&displaylang=en  http://www.microsoft.com/systemcenter/virtualmachinemanager/en/us/default.aspx
Windows 2003 R2 Enterprise edition  http://www.microsoft.com/downloads/details.aspx?FamilyID=77f24c9d-b4b8-4f73-99e3-c66f80e415b6&displaylang=en  http://technet.microsoft.com/en-us/virtuallabs/bb539981.aspx
Windows Server 2008 Enterprise Server Core  http://www.microsoft.com/windowsserver2008/en/us/virtual-hard-drive.aspx  http://technet.microsoft.com/en-us/virtuallabs/bb512925.aspx
Windows Vista  http://www.microsoft.com/downloads/details.aspx?FamilyID=c2c27337-d4d1-4b9b-926d-86493c7da1aa&displaylang=en  http://technet.microsoft.com/en-us/virtuallabs/bb539979.aspx
... http://www.microsoft.com/downloads/details.aspx?FamilyID=e0fadab7-0620-481d-a8b6-070001727c56&displaylang=en  http://msevents.microsoft.com/cui/webcasteventdetails.aspx?eventid=1032343963&eventcategory=3&culture=en-us&countrycode=us
System Center Essentials 2007 SP1  http://www.microsoft.com/downloads/details.aspx?familyid=e6fc3117-48c5-4fd1-a3d2-927eab397373&displaylang=en
System Center Virtual Machine...
... each other

Exercise 1  Configure a Host Server VLAN

In this exercise you will use ServerFull01 and ServerCore01 to configure a VLAN. Perform this activity with domain administrator credentials.

1. Begin by logging on to ServerFull01 and launching the Hyper-V Manager. You can use either the standalone console or the Hyper-V Manager section of Server Manager.
2. Click ServerFull01 in the Tree pane and then ...