
Document: SQL Server MVP Deep Dives - P15 ppt


Document information

Pages: 40
File size: 1.34 MB

Content

CHAPTER 38 Successfully implementing Kerberos delegation

Resources to assist in more complex infrastructures

Table: Free tools for testing and implementing (continued)

| Title | URL |
|---|---|
| gssMonger—tool for verifying Kerberos authentication interoperability between Windows and other platforms | http://www.microsoft.com/downloads/details.aspx?FamilyID=986a0a97-cfa9-4a45-b738-535791f02460&DisplayLang=en |
| Kerberos/delegation worksheet | http://blogs.inetium.com/blogs/jdevries/archive/2006/06/26/245.aspx |

Table: Blog posts

| Title and author | URL |
|---|---|
| Ask the Directory Services Team (all articles tagged with Kerberos) | http://blogs.technet.com/askds/archive/tags/Kerberos/default.aspx |
| Kerberos Delegation to SQL Server - Darwin, Australian in UK—Delegation Guy | http://blogs.msdn.com/darwin/archive/2005/10/19/482593.aspx |
| The Problem with Kerberos Delegation - Brad Turner, ILM MVP (Gilbert, AZ, US) | http://www.identitychaos.com/2008/03/problem-with-kerberosdelegation.html |
| Spat’s Weblog: “Kerberos delegation end to end” - Steve Patrick (Spat), Critical Problem Resolution, Microsoft Corporation | Part I: http://blogs.msdn.com/spatdsg/archive/2007/11/14/kerberos-delegation-end-to-end-part-i.aspx Part 2: http://blogs.msdn.com/spatdsg/archive/2007/11/20/kerberos-delegation-end-to-end-part-ii.aspx Part 3: http://blogs.msdn.com/spatdsg/archive/2007/11/26/kerb-part-3.aspx |
| DelegConfig (Kerberos/delegation configuration reporting tool) - Brian Murphy-Booth, Support Escalation Engineer, Microsoft Corporation | http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx |
| Essential Tips on Kerberos for SharePoint Developers - James World, Microsoft Developer Consultant, Microsoft UK | http://blogs.msdn.com/james_world/archive/2007/08/20/essential-guide-to-kerberos-in-sharepoint.aspx |
| Microsoft BI with Constrained Kerberos Delegation - Rob Kerr, MCDBA, MCTS; Principal Consultant, BlueGranite | http://www.robkerr.com/post/2008/05/Microsoft-BI-withConstrained-Kerberos-Delegation.aspx |
| Enterprise Portal Kerberos Delegation for connecting to Reporting/Analysis Services on a different box - Microsoft's Enterprise Solutions blog | http://blogs.msdn.com/solutions/archive/2008/02/28/enterprise-portal-kerberos-delegation-for-connecting-to-reportinganalysis-services-on-a-different-box.aspx |
| Understanding Kerberos and NTLM authentication in SQL Server Connections - Microsoft SQL Server Protocols team | http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-serverconnections.aspx |
| SQL 2008, Kerberos and SPNs - Tomek Onyszko, Warsaw, Poland | http://blogs.dirteam.com/blogs/tomek/archive/2008/04/09/sql-2008-kerberos-and-spns.aspx |

Table: Microsoft TechNet articles

| Title | URL |
|---|---|
| Kerberos Authentication in Windows Server 2003: Technical Resources for IT Pros | http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx |
| Kerberos Explained | http://technet.microsoft.com/en-us/library/bb742516.aspx |
| How to: Configure Windows Authentication in Reporting Services | http://technet.microsoft.com/en-us/library/cc281253.aspx |
| Configure Kerberos authentication (Office SharePoint Server) | http://technet.microsoft.com/en-us/library/cc263449.aspx |

Table: Microsoft Help and Support articles pertaining to Kerberos delegation

| Title | URL |
|---|---|
| Unable to negotiate Kerberos authentication after upgrading to Internet Explorer | http://support.microsoft.com/default.aspx/kb/299838 |
| How to enable Kerberos event logging | http://support.microsoft.com/default.aspx/kb/262177 |
| How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication | http://support.microsoft.com/default.aspx/kb/215383 |
| How to configure IIS Web site authentication in Windows Server 2003 | http://support.microsoft.com/default.aspx/kb/324274 |
| How to use Kerberos authentication in SQL Server | http://support.microsoft.com/default.aspx/kb/319723 |
| How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005 | http://support.microsoft.com/default.aspx/kb/909801 |
| How to configure a Windows SharePoint Services virtual server to use Kerberos authentication | http://support.microsoft.com/default.aspx/kb/832769 |
| You receive an “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials” error message when you try to access a Web site that is part of an IIS 6.0 application pool | http://support.microsoft.com/default.aspx/kb/871179 |
| Authentication may fail with “401.3” Error if Web site’s “Host Header” differs from server’s NetBIOS name | http://support.microsoft.com/default.aspx/kb/294382 |
| How to troubleshoot the “Cannot generate SSPI context” error message | http://support.microsoft.com/default.aspx/kb/811889 |

Table: Microsoft white papers

| Title | URL |
|---|---|
| Troubleshooting Kerberos Delegation | http://www.microsoft.com/downloads/details.aspx?FamilyID=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en |
| Planning and Implementing Multitier Applications Using Windows Server 2003 Security Services | http://www.microsoft.com/downloads/details.aspx?FamilyID=edfb4607-fda9-4f9b-82e2-aea54197eb21&DisplayLang=en |
| Kerberos Protocol Transition and Constrained Delegation | Downloadable: http://www.microsoft.com/downloads/details.aspx?FamilyID=f856a492-ad87-4362-96d9-cbdf843e6634&DisplayLang=en Online: http://technet.microsoft.com/en-us/library/cc739587.aspx Samples: http://www.microsoft.com/downloads/details.aspx?FamilyID=0d066110-7c48-453a-a1af-d6a8b1944ce2&DisplayLang=en |
| Kerberos Authentication for Load Balanced Web Sites | http://www.microsoft.com/downloads/details.aspx?FamilyID=035465f0-5090-4f9c-ac44-fc0500769be9&DisplayLang=en |
| Troubleshooting Kerberos Errors | http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&DisplayLang=en |
| Windows 2000 Kerberos Authentication | http://technet.microsoft.com/en-us/library/bb742431.aspx |

Table: Microsoft webcasts

| Title | URL |
|---|---|
| Introduction to Kerberos | http://support.microsoft.com/kb/822248 |
| Troubleshooting Kerberos authentication with secure web applications & SQL Server | http://support.microsoft.com/kb/842861 |
| How to understand, implement, and troubleshoot Kerberos double-hop authentication | http://support.microsoft.com/kb/887682 |
| Configuring Microsoft SQL Server 2005 Analysis Services for Kerberos authentication | http://support.microsoft.com/kb/916962 |
| Understanding, implementing, and troubleshooting Kerberos double-hop authentication | http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.asp?url=/servicedesks/webcasts/en/WC102704/manifest.xml |

Summary

Kerberos delegation is a method of securely transferring a user’s credentials from the client’s PC to the middle application tier such as a web server, then on to a back-end database tier. In the chapter, I discussed what service principal names (SPNs) are and how to register them. I explained constrained and unconstrained Kerberos delegation and how to configure accounts to support these two methods. I stepped through requirements for Active Directory and the client, web, and data tiers. I then stepped through implementing and testing Kerberos delegation.

I hope you have a better understanding of Kerberos delegation, and why and when you need it. Most of all, I hope that you were able to successfully implement Kerberos in your
environment after reading this chapter.

About the author

Scott Stauffer is an independent consultant working out of the metro Vancouver area, assisting clients with data systems solutions to their business challenges. He has worked in IT for more than 13 years, and although Scott has managed systems with early version SQL Server on OS/2, he really started digging deep into SQL Server with the release of SQL Server 6.5. With a keen interest in continuous learning, sharing knowledge, and building community, Scott founded the Vancouver PASS chapter (http://www.Vancouver.SQLPASS.org) back in September 2004. More recently, he started the Vancouver BI PASS chapter (http://www.VancouverBI.SQLPASS.org) in order to dive deep into the business intelligence features that SQL Server has to offer.

39 Running SQL Server on Hyper-V

John Paul Cook

Virtualization is a popular term covering several technologies. In the server space, virtualization is beneficial for several reasons:

- Disaster recovery is simple. You merely copy a small number of files from your normal production environment to your disaster recovery environment. Your disaster recovery hardware doesn’t have to match your production hardware.
- Provisioning a virtual machine is simpler and faster than provisioning a physical machine. Virtualization tools make it simple to clone a production server and run it on different hardware. Development and test servers can be provisioned quickly, which can boost the efficiency of regression testing.
- With fewer physical servers needed, less rack space, cooling, and electricity are consumed, making for a greener and more affordable infrastructure.
- Microsoft offers savings on licenses. A single copy of Windows 2008 Server Standard Edition on a physical machine allows you to also run one virtual copy of Windows 2008 Server Standard Edition at no additional licensing cost. With Windows 2008 Server Enterprise Edition, up to four virtual copies of Windows 2008 Server can be run at no additional cost. One copy of Windows 2008 Server Datacenter Edition allows an unlimited number of Windows Server virtual machines to be run on the same physical machine, all covered by the one datacenter license. Licensing can be complicated by assignment and downgrade rights, which are explained here: http://blogs.technet.com/mattmcspirit/archive/2008/11/13/licensing-windowsserver-in-a-virtual-environment.aspx

In this chapter, we will begin with an overview of virtualization architecture before exploring a number of key issues such as configuration, clock drift, and backups.

Virtualization architecture

Virtualization technologies can be organized by technology type, as you can see in the following table.

Table: Types and examples of virtualization technologies

| Technology type | Examples |
|---|---|
| Server hardware virtualization (hypervisor) | Microsoft Hyper-V, VMware ESX, Xen Hypervisor |
| Server software virtualization | Microsoft Virtual Server 2005 R2, VMware Virtual Server (formerly GSX) |
| Presentation virtualization | Terminal Services, Citrix XenApp |
| Application virtualization | Microsoft App-V, VMware ThinApp, Citrix XenApp streaming |
| Desktop virtualization | Microsoft Virtual PC and MED-V, VMware Workstation, Parallels Desktop |

A hypervisor is a small software layer installed directly on physical hardware. It allows multiple and disparate operating systems to be installed on the hypervisor layer. Hypervisors introduce little overhead, allowing the performance of the virtual machines to be close to the performance of a physical machine. They are currently the enterprise standard in virtualization because they offer better performance and higher capacity than server virtualization applications such as Microsoft Virtual Server 2005 R2 Service Pack 1 (SP1) and VMware Server.

When the Hyper-V role is enabled on Windows 2008 Server, the original Windows 2008 operating system is transformed into a virtual machine, which is called the parent partition. The virtual machines are called child partitions. Each partition is isolated from the other. The figure highlights this relationship.

For supported operating systems, additional software may be installed into a virtual machine to facilitate interaction with the physical hardware devices. For Hyper-V, this software is called Integration Services. It provides special device drivers called synthetic drivers, which are optimized for the virtual world and which are necessary for achieving near native performance. With synthetic drivers, the overhead of hardware emulation is avoided.

Figure: A virtual machine running on Hyper-V only passes through a thin hypervisor layer to access the physical hardware. (Diagram labels: Windows 2008 x64 parent partition; two virtual machines as x32 or x64 child partitions; Microsoft Hyper-V; Intel VT or AMD-V x64 hardware.)

Figure: A virtual machine running on Virtual Server 2005 R2 passes its operating system calls to the host operating system for execution, which results in a longer, slower path to the hardware. (Diagram labels: two virtual machines as x32 guests; Microsoft Virtual Server 2005 R2; Windows 2003 or 2008 host operating system; x32 or x64 hardware.)

Server software virtualization products such as Microsoft Virtual Server 2005 R2 SP1, as shown in figure 2, incur more overhead than hypervisors and are slower. Virtual Server 2005 R2 SP1 is installed as an application running on the physical machine’s operating system. Virtual operating systems are installed into Virtual Server 2005 R2 SP1. The virtual operating system must pass all of its hardware calls to the virtualization application, which in turn passes them to the host operating system. For example, if
Windows 2003 Server is installed as a guest operating system in Virtual Server 2005 R2 SP1, which is installed on Windows Server 2008, operating system calls in 2003 Server are passed through Virtual Server 2005 SP1 to Windows Server 2008 to finally be executed. The path is less direct than that of a hypervisor and this adversely impacts performance.

Even with the inherent overhead of software virtualization, small volume SQL Servers with limited demands on the hardware can perform acceptably using server software virtualization such as Virtual Server 2005 R2. For more demanding database applications, hypervisor-based server hardware virtualization is needed. Hyper-V offers significantly improved disk I/O performance when compared to Microsoft Virtual Server 2005 R2.

Benefits of isolation

When a virtual machine crashes, it doesn’t affect the other virtual machines or the physical machine because each virtual machine is isolated from the others and the physical machine. Processes in one virtual machine (VM) can’t read, corrupt, or access processes running in other virtual machines. Because of this complete isolation, it is possible to have multiple default instances of SQL Server running on a single physical server by having each default instance in its own virtual machine. This is particularly important when trying to consolidate third-party applications which require default instances of SQL Server. Each application can run in its own virtual machine with each virtual machine running a default instance of SQL Server.

Configuring virtual machines

To obtain the best possible results from a virtual machine, it must be configured properly. Configuration of virtual disks, virtual processors, and virtual network adapters affects performance.

Configuring disks

Microsoft Hyper-V offers the following choices for its virtual disks:

- Passthrough disks
- Virtual hard disks (VHDs)
  - Dynamically expanding
  - Fixed size
  - Differencing

Passthrough disks are physical disks directly accessed by the virtual machine. Because they offer the most direct path, they provide the best performance and are well suited for large data volumes. They lack flexibility and portability.

A virtual hard disk is a file that resides on the parent partition’s file system or storage area network (SAN).

Dynamically expanding VHDs are best suited for development and test environments because they conserve disk space. Dynamically expanding VHDs grow as needed, which minimizes space usage but tends to cause fragmentation. Because the virtual machine’s operating system is isolated from the physical machine, it has no knowledge of the amount of physical disk space available. The virtual machine only knows the maximum allowable size of the dynamic VHD. This can create a disparity between what the virtual machine sees as free space and the reality of free space on the physical machine. In figure 3, the virtual machine running in the window on the right shows 117 GB of free space in its VHD. But because this dynamically expanding VHD resides on physical disk D, which has no free space left, the 117 GB of free space doesn’t actually exist. Hyper-V places the virtual machine into a paused state because it has no physical space to continue operating. SQL Server can be configured to provide you with low free disk space alerts, but if you are using dynamically expanding VHDs, you may not get the alert. The virtual machine doesn’t know when there isn’t room for a dynamically expanding disk to grow.

Fixed-size VHDs perform better than dynamically expanding VHDs because all of their space is preallocated, although the performance difference has been lessened with the R2 release of Hyper-V. When a fixed VHD is created and its size specified, it takes all of its space from the physical machine. If there isn’t enough space, an error occurs and it is not created.

Differencing VHDs also grow as needed, but they are linked to another VHD in a parent-child relationship. When a differencing VHD is used, all changes are written to the differencing VHD instead of the parent VHD. Although this causes an overall slight decrease in disk performance, it allows changes to be made without altering the parent VHD. Differencing VHDs are useful in test environments because extensive changes to a virtual machine can be made without changing the original VHD. When differencing VHDs are used, any changes to the parent VHD break the parent-child relationship, rendering the children differencing VHDs nonfunctional. To prevent this from happening accidentally, it is advisable to set a parent VHD to read only. You can create more than one differencing VHD from the same parent VHD. Doing this allows you to create different branches sharing a common ancestor. For example, you might have a parent VHD with a client application that accesses SQL Server. You could use two different differencing VHDs for testing two independent and different enhancements to the client application.

Figure: A dynamically expanding virtual hard disk is seen by the virtual machine as having 117 GB of free space when there is actually no disk space left on the physical file system. This forces the virtual machine into a paused state.

Hyper-V allows you to take a snapshot of a running virtual machine. After creating a snapshot, all changes to the virtual machine are written to a separate virtual disk file. This is similar to a differencing disk in that performance is reduced slightly because of the additional overhead of a file depending on another file.

Snapshots are particularly useful in testing service packs. Before applying a service pack, create a snapshot. After testing the service pack you can create another snapshot, revert to your snapshot made before the
service pack was applied, or merge the snapshot’s changes to the initial VHD. Although snapshots allow recovery of a virtual machine to a particular prior state, they are not substitutes for backup and should not be considered as such.

Although Windows 2008 Server is generally considered a server operating system, many developers and people who demonstrate software use Windows Server 2008 so that they can use Hyper-V. For these use cases, performance is usually less of an issue than minimizing physical disk space usage; therefore dynamically expanding virtual hard disks are a good compromise on minimizing space while maintaining good performance.

Virtual hard disks can be attached to either IDE or SCSI buses. Hyper-V virtual machines must boot from a VHD attached to an IDE bus. A virtual SCSI bus supports more devices than a virtual IDE bus. If you need more than four VHDs, you’ll have to use a virtual SCSI bus.

Virtual machines and physical machines are more alike than not. The same principles of maximizing disk performance that apply to physical machines also apply to virtual machines. When there is concurrent disk access, separate spindles or logical unit numbers (LUNs) should be used to avoid disk contention. On a physical machine, to maximize performance by minimizing contention, you might put tempdb on a spindle or LUN by itself. Translating this to the virtual world, tempdb would exist by itself in its own VHD. This VHD containing tempdb would in turn be placed on its own spindle or LUN to avoid I/O contention. If other VHDs were stored on the same physical device, I/O contention could occur.

CPU configuration

Hyper-V allows up to four processor cores to be allocated to a virtual machine and refers to them as logical processors. If your SQL Server workload requires more than four processors, it is not a suitable candidate for virtualization with Hyper-V.

If you have two SQL Server instances running on identical hardware, you might want to consolidate them onto one physical machine by migrating both of them into virtual machines. If they typically run at under 40 percent of the available CPU resources on the physical machines, having two of these running as virtual machines on the same hardware will not overtax the available physical resources. If a third SQL Server instance is added to the physical machine, and it uses as much CPU as the other virtual machines, the total CPU demand from all three virtual machines exceeds the physical CPU available. In this example, with three virtual machines each needing 40 percent of the available CPU, they will all perform suboptimally because there isn’t enough physical resource available.

Conventional approaches to performance monitoring are not adequate for identifying all performance problems in virtualized SQL Server instances. Task Manager shows the CPU usage within the virtual machine in isolation. An individual SQL Server may show only minimal CPU usage but actually be starved for CPU. If the running virtual machines collectively are overtaxing the physical machine, all virtual machines will suffer. In figure 4, Task Manager in the child partition (shown on the right side of the screen capture) gives the appearance of ample CPU resource availability, which is clearly not the case. The child partition has no visibility of the load in other partitions.

... of a virtual SQL Server instance as being like a physical SQL Server instance. The real value of SQL Server backups is the ability to do point-in-time recovery. This requires true SQL Server backup...

... and using SQL Server’s ability to correlate the tracing tool with Performance Monitor. I wish to thank all the SQL Server MVPs for their ongoing generosity in providing support to the SQL Server
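
The chapter's point that a guest cannot tell when a dynamically expanding or differencing VHD has no room left to grow means the check has to run on the parent partition; the following is an added example of such a check, not code from the book. It goes beyond the text by reading the disk type and maximum size from the 512-byte footer defined in the published VHD image format specification; the function names and the sample values (which mirror the 117 GB case in figure 3) are constructed for illustration.

```python
import os
import shutil
import struct
from collections import defaultdict

GIB = 1024 ** 3
FOOTER_SIZE = 512                        # every .vhd file ends with this footer
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
GROWABLE = {"dynamic", "differencing"}   # fixed VHDs are fully preallocated


def parse_vhd_footer(footer):
    """Return the disk type and maximum (guest-visible) size from a footer."""
    if len(footer) != FOOTER_SIZE or footer[:8] != b"conectix":
        raise ValueError("not a VHD footer")
    (max_bytes,) = struct.unpack(">Q", footer[48:56])        # "current size"
    disk_type, stored = struct.unpack(">II", footer[60:68])  # type, checksum
    # Checksum is the one's complement of the byte sum, checksum field excluded.
    expected = ~(sum(footer[:64]) + sum(footer[68:])) & 0xFFFFFFFF
    if expected != stored:
        raise ValueError("VHD footer checksum mismatch")
    return {"type": DISK_TYPES.get(disk_type, "unknown"), "max_bytes": max_bytes}


def growth_report(vhds, free_by_volume):
    """vhds: (volume, file_bytes, footer) tuples. Returns per-volume exposure."""
    may_grow = defaultdict(int)
    for volume, file_bytes, footer in vhds:
        info = parse_vhd_footer(footer)
        if info["type"] in GROWABLE:
            # Approximation: ignores the VHD's own metadata inside the file.
            may_grow[volume] += max(info["max_bytes"] - file_bytes, 0)
    return {
        volume: {"free": free, "may_grow": may_grow[volume],
                 "overcommitted": may_grow[volume] > free}
        for volume, free in free_by_volume.items()
    }


def inventory_from_files(paths):
    """Build growth_report() inputs from real .vhd files on the parent partition."""
    vhds, free = [], {}
    for path in paths:
        full = os.path.abspath(path)
        volume = os.path.splitdrive(full)[0] or "/"
        with open(full, "rb") as fh:
            fh.seek(-FOOTER_SIZE, os.SEEK_END)
            footer = fh.read(FOOTER_SIZE)
        vhds.append((volume, os.path.getsize(full), footer))
        free[volume] = shutil.disk_usage(os.path.dirname(full)).free
    return vhds, free


def make_footer(disk_type, max_bytes):
    """Constructed footer for the sample below (only the fields parsed above)."""
    body = bytearray(FOOTER_SIZE)
    body[0:8] = b"conectix"
    struct.pack_into(">Q", body, 48, max_bytes)
    struct.pack_into(">I", body, 60, disk_type)
    struct.pack_into(">I", body, 64, ~sum(body) & 0xFFFFFFFF)
    return bytes(body)


def constructed_sample():
    """Constructed data: a 127 GiB dynamic VHD using 10 GiB on a full D: volume."""
    vhds = [("D:", 10 * GIB, make_footer(3, 127 * GIB)),
            ("D:", 40 * GIB, make_footer(2, 40 * GIB)),
            ("E:", 5 * GIB, make_footer(4, 60 * GIB))]
    return vhds, {"D:": 0, "E:": 500 * GIB}


if __name__ == "__main__":
    for volume, row in growth_report(*constructed_sample()).items():
        state = "OVERCOMMITTED" if row["overcommitted"] else "ok"
        print(f"{volume} free={row['free'] // GIB} GiB "
              f"may_grow={row['may_grow'] // GIB} GiB {state}")
```

Alerting on `overcommitted` from the parent partition catches the condition before Hyper-V pauses the virtual machine, which a low-disk alert inside the guest cannot do.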

Posted: 15/12/2013, 13:15
