HyperV Deploy

8/20/2019 HyperV Deploy

http://slidepdf.com/reader/full/hyperv-deploy 1/58

Hyper-V Planning and Deployment Guide

Microsoft CorporationPublished: March 2009

AbstractThis guide describes the considerations you should take into account when planning to deploy

the Hyper-! technology" and pro#ides installation and configuration details that will help you

deploy Hyper-$



Copyright information

%nfor&ation in this docu&ent" including '() and other %nternet *eb site references" is sub+ect to

change without notice$ 'nless otherwise noted" the co&panies" organi,ations" products" do&ain

na&es" e-&ail addresses" logos" people" places" and e#ents depicted in ea&ples herein are

fictitious$ .o association with any real co&pany" organi,ation" product" do&ain na&e" e-&ail

address" logo" person" place" or e#ent is intended or should be inferred$ Co&plying with all

applicable copyright laws is the responsibility of the user$ *ithout li&iting the rights under

copyright" no part of this docu&ent &ay be reproduced" stored in or introduced into a retrie#al

syste&" or trans&itted in any for& or by any &eans /electronic" &echanical" photocopying"

recording" or otherwise" or for any purpose" without the epress written per&ission of Microsoft

Corporation$

Microsoft &ay ha#e patents" patent applications" trade&arks" copyrights" or other intellectual

property rights co#ering sub+ect &atter in this docu&ent$ 1cept as epressly pro#ided in any

written license agree&ent fro& Microsoft" the furnishing of this docu&ent does not gi#e you any

license to these patents" trade&arks" copyrights" or other intellectual property$

2009 Microsoft Corporation$ 3ll rights reser#ed$

3cti#e 4irectory" Hyper-" Microsoft" M5-465" isual 7asic" isual 5tudio" *indows"

*indows .T" *indows 5er#er" and *indows ista are trade&arks of the Microsoft group of

co&panies$

3ll other trade&arks are property of their respecti#e owners$

8202009 republished to fi content bug /restored &issing list of file eceptions fro& pages ;<-;8$



Contents

Hyper- Planning and 4eploy&ent =uide$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <

3bout this guide$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$<

6#er#iew of Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$<

*hat does Hyper- do>$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <

*ho will be interested in this role>$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$8

*hat are the key features of Hyper->$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8

7efore ?ou %nstall Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8

Hardware Considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$ 9

Hardware re@uire&ents$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9

Me&ory$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;0

Processors$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$ ;0

.etworking$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$ ;0

5torage$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;;

6ther hardware co&ponents$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;2

3bout irtual Machines and =uest 6perating 5yste&s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;A

(unning &ultiple #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;A

5upported guest operating syste&s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;A

%ntegration ser#ices$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;B

3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;

Planning for Hyper- 5ecurity$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$;

Hyper- security best practices$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$;<

3dditional resources$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 20

'sing 3uthori,ation Manager for Hyper- 5ecurity$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$20

Configure Hyper- for (ole-based 3ccess Control$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2;

Configuring role-based access control$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 22

3dditional resources$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2A

Planning for 7ackup$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2B

'nderstanding backup options and considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2B5torage considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$ 2D

'nderstanding online and offline backups$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2D

'nderstanding the restore process$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2

Considerations about clustered #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2<

%nstalling Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 28



3bout the Hyper- update packages$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$28

Hyper- role package$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$ 28

Hyper- (e&ote &anage&ent tools packages$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$29

Hyper- )anguage Pack for *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$A0

3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ A0

%nstall the Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$A0

3dditional references$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$ A2

%nstall the Hyper- (ole on a Eull %nstallation of *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$AA

3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ AB

%nstall and Configure Hyper- Tools for (e&ote 3d&inistration$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ AB

%nstalling the &anage&ent tools$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ AB

Configuring the &anage&ent tools$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$AD

Configuring the ser#er running Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$AD

Configuring *indows ista 5P;$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$A9

Configuring irtual .etworks$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$ B0

irtual network types$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ B;

irtual networking basics$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$B;

.etworking and #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$BB

Configuring #irtual local area networks /)3.s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$BB

%&ple&enting 4isks and 5torage$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ BD

4eter&ining your storage options on the &anage&ent operating syste&$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$B

4eter&ining your storage options on #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$B<

How to create #irtual hard disks$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$B9

How to configure physical disks that are directly attached to a #irtual &achine$$$$$$$$$$$$$$$$$$$$$ $$$D0

3ppendi 3: 1a&ple 3uthori,ation Manager Tasks and 6perations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D;

1a&ple tasks and operations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $D;

3dd eternal network to ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D;

3dd internal network to ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D2

3dd pri#ate network$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$ D2

3pply a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D2

3ttach internal network adapter to #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DA

Connect to a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DA

Create a #irtual floppy disk or #irtual hard disk$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DA

Create a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DA4elete a pri#ate network$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DA

4elete a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB

4elete a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB

1port #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB

%&port #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB

Modify #irtual &achine settings /reconfigure a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB



Pass CT() F 3)T F 41)1T1 /send control signals to a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB

Pause a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DD

(e&o#e eternal network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$DD

(e&o#e internal network adapter fro& a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DD

(e&o#e internal network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D(e&o#e pri#ate network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D

(ena&e a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D

(ena&e a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D

(esu&e a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D

5a#e a #irtual &achine and start a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<

5tart a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$ D<

Turn off a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<

iew Hyper- ser#er settings$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<

iew network &anage&ent$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D<

iew #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D<

3ppendi 7: 3uthori,ation Manager Ter&inology$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D8

Ter&inology$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D8



Hyper-V Planning and Deployment Guide

About this guideThe Hyper- Planning and 4eploy&ent =uide is intended to help you understand the

considerations you should take into account when planning to deploy Hyper-!" and to pro#ide

installation and configuration details that will help you deploy Hyper-$

• 6#er#iew of Hyper-

• 7efore ?ou %nstall Hyper-

• %nstalling Hyper-

• Configuring irtual .etworks

• %&ple&enting 4isks and 5torage

• 3ppendi 3: 1a&ple 3uthori,ation Manager Tasks and 6perations

• 3ppendi 7: 3uthori,ation Manager Ter&inology

Overview of Hyper-V

Hyper- enables you to create a #irtuali,ed ser#er co&puting en#iron&ent using a technology

that is part of *indows 5er#erG 2008$ ?ou can use a #irtuali,ed co&puting en#iron&ent to

i&pro#e the efficiency of your co&puting resources by utili,ing &ore of your hardware resources$

This is possible because you use Hyper- to create and &anage #irtual &achines and theirresources$ 1ach #irtual &achine is a #irtuali,ed co&puter syste& that operates in an isolated

eecution en#iron&ent$ This allows you to run &ultiple operating syste&s si&ultaneously on one

physical co&puter$

ote

Hyper- is a hyper#isor-based #irtuali,ation technology that re@uires specific hardware$

Eor &ore infor&ation about the re@uire&ents and other considerations about hardware"

see Hardware Considerations$

!hat does Hyper-V do"Hyper- pro#ides software infrastructure and basic &anage&ent tools in *indows 5er#er 2008

that you can use to create and &anage a #irtuali,ed ser#er co&puting en#iron&ent$ This

#irtuali,ed en#iron&ent can be used to address a #ariety of business goals ai&ed at i&pro#ing

efficiency and reducing costs$ Eor ea&ple" a #irtuali,ed ser#er en#iron&ent can help you:

• (educe the costs of operating and &aintaining physical ser#ers by increasing your hardware

utili,ation$ ?ou can reduce the a&ount of hardware needed to run your ser#er workloads$



• %ncrease de#elop&ent and test efficiency by reducing the a&ount of ti&e it takes to set up

hardware and software and reproduce test en#iron&ents$

• %&pro#e ser#er a#ailability without using as &any physical co&puters as you would need in a

failo#er configuration that uses only physical co&puters$

!ho will be interested in this role"Hyper- can be useful to you if you are:

• 3n %T ad&inistrator" planner" or designer$

• 3n %T architect responsible for co&puter &anage&ent and security throughout your

organi,ation$

• 3n %T operations &anager who is looking for ways to reduce the total cost of ownership of

their ser#er infrastructure" in ter&s of both power costs and &anage&ent costs$

• 3 software de#eloper or tester who is looking for ways to increase producti#ity by reducing

the ti&e it takes to build and configure a ser#er for de#elop&ent or test use$

!hat are the #ey features of Hyper-V"The key features of Hyper- are as follows:

• B-bit nati#e hyper#isor-based #irtuali,ation$

• 3bility to run A2-bit and B-bit #irtual &achines concurrently$

• 'niprocessor and &ultiprocessor #irtual &achines$

• irtual &achine snapshots" which capture the state" data" and hardware configuration of a

running #irtual &achine$ 7ecause snapshots record syste& states" you can re#ert the #irtual

&achine to a pre#ious state$• )arge #irtual &achine &e&ory support$

• irtual local area network /)3. support$

• Microsoft Manage&ent Console /MMC &anage&ent snap-in$

• 4ocu&ented *indows Manage&ent %nstru&entation /*M% interfaces for scripting and

&anage&ent$

Eor &ore infor&ation about the *M% interfaces" see irtuali,ation *M% Pro#ider

/http:go$&icrosoft$co&fwlink>)ink%4;08DB$

$efore %ou &nstall Hyper-VHyper- has specific hardware re@uire&ents and considerations that you should fa&iliari,e

yourself with when planning to deploy this technology$ Topics to re#iew include the following:

• Hardware Considerations

• 3bout irtual Machines and =uest 6perating 5yste&s

8

http://go.microsoft.com/fwlink/?LinkID=108564




• Planning for Hyper- 5ecurity

• Planning for 7ackup

Hardware ConsiderationsTo effecti#ely plan for and deploy Hyper-" you should understand the re@uire&ents and

&ai&u& configurations for the physical and #irtual hardware that will co&prise the #irtuali,ed

ser#er co&puting en#iron&ent$

Hardware re'uirementsHyper- re@uires specific hardware$ To install and use the Hyper- role" you will need the

following:

• An ()*-based processor+Hyper- is a#ailable in B-bit editions of *indows 5er#er 2008I

specifically" the B-bit editions of *indows 5er#er 2008 5tandard" *indows 5er#er 2008

1nterprise" and *indows 5er#er 2008 4atacenter$ Hyper- is not a#ailable for A2-bit /8

editions or *indows 5er#er 2008 for %taniu&-7ased 5yste&s$ Howe#er" the Hyper-

&anage&ent tools are a#ailable for A2-bit editions$ Eor &ore infor&ation about the tools" see

%nstalling Hyper-$

• Hardware-assisted virtuali,ation+ This is a#ailable in processors that include a #irtuali,ation

optionIspecifically processors with %ntel irtuali,ation Technology /%ntel T or 3M4

irtuali,ation /3M4- technology$

• Hardware-enforced Data (ecution Prevention .DP/ must be available and enabled+

5pecifically" you &ust enable %ntel J4 bit /eecute disable bit or 3M4 .J bit /no eecute bit$

?ou can identify syste&s that support the B architecture and Hyper- by searching the*indows 5er#er catalog for Hyper- as an additional @ualification /see

http:go$&icrosoft$co&fwlink>)ink%d;;;228 $

0ip

The settings for hardware-assisted #irtuali,ation and hardware-enforced 41P are

a#ailable in the 7%65$ Howe#er" the na&es of the settings &ay differ fro& the na&es

identified abo#e$ Eor &ore infor&ation about whether a specific processor &odel

supports Hyper-" check with the &anufacturer of the co&puter$ %f you &odify the settings

for hardware-assisted #irtuali,ation or hardware-enforced 41P" we reco&&end that you

turn off the power to the co&puter and then turn it back on$ (estarting the co&puter &ay

not apply the changes to the settings$

1emoryThe &ai&u& a&ount of &e&ory that can be used is deter&ined by the operating syste&" as

follows:

9

http://go.microsoft.com/fwlink/?LinkId=111228




• Eor *indows 5er#er 2008 1nterprise and *indows 5er#er 2008 4atacenter" the physical

co&puter can be configured with up to ; T7 of physical &e&ory" and #irtual &achines that

run either of those editions can be configured with up to B =7 of &e&ory per #irtual

&achine$

•Eor *indows 5er#er 2008 5tandard" the physical co&puter can be configured with up to A2=7 of physical &e&ory" and #irtual &achines that run that edition can be configured with up

to A; =7 of &e&ory per #irtual &achine$

ProcessorsThe release #ersion of Hyper- is supported on physical co&puters with up to ; logical

processors$ Howe#er" a hotfi /K79D<;0 is a#ailable that increases the &ai&u& nu&ber of

#irtual processors to 2B$ Eor &ore infor&ation and links to the updates" see Hyper- 'pdate )ist$

3 logical processor can be a single core or &ulti-core processor$ ?ou can configure up to B #irtual

processors on a #irtual &achine$ .ote that the nu&ber of #irtual processors supported by a guest

operating syste& &ight be lower$ Eor &ore infor&ation" see 3bout irtual Machines and =uest6perating 5yste&s$ The following are so&e ea&ples of supported syste&s and the nu&ber of

logical processors they pro#ide:

• 3 single-processordual-core syste& pro#ides 2 logical processors$

• 3 single-processor@uad-core syste& pro#ides B logical processors$

• 3 dual-processordual-core syste& pro#ides B logical processors$

• 3 dual-processor@uad-core syste& pro#ides 8 logical processors$

• 3 @uad-processordual-core syste& pro#ides 8 logical processors$

• 3 @uad-processordual-core" hyper-threaded syste& pro#ides ; logical processors$

•

3 @uad-processor@uad-core syste& pro#ides ; logical processors$

etwor#ingHyper- pro#ides a #ariety of networking options and configurations to &eet different networking

re@uire&ents$ Eor &ore infor&ation about different types of #irtual networks and #irtual network

adapters" see Configuring irtual .etworks$

Hyper- networking includes the following support:

• 1ach #irtual &achine can be configured with up to ;2 #irtual network adaptersI8 can be the

Lnetwork adapter type and B can be the Llegacy network adapter type$ The network adapter

type pro#ides better perfor&ance and re@uires a #irtual &achine dri#er that is included in the

integration ser#ices packages$

• 1ach #irtual network adapter can be configured with either a static or dyna&ic M3C address$

• 1ach #irtual network adapter offers integrated #irtual local area network /)3. support and

can be assigned a uni@ue )3. channel$

• ?ou can ha#e an unli&ited nu&ber of #irtual networks with up to D;2 #irtual &achines per

#irtual network$

;0






ote

?ou cannot connect a #irtual network to a wireless network adapter$ 3s a result" you

cannot pro#ide wireless networking capabilities to #irtual &achines$

2torageHyper- supports a #ariety of storage options$ Eor &ore infor&ation about the storage options"

see %&ple&enting 4isks and 5torage$

?ou can use the following types of physical storage with a ser#er that runs Hyper-:

• 4irect-attached storage: ?ou can use 5erial 3d#anced Technology 3ttach&ent /53T3"

eternal 5erial 3d#anced Technology 3ttach&ent /e53T3" Parallel 3d#anced Technology

3ttach&ent /P3T3" 5erial 3ttached 5C5% /535" 5C5%" '57" and Eirewire$

• 5torage area networks /53.s: ?ou can use %nternet 5C5% /i5C5%" Eibre Channel" and 535

technologies$

&mportant

Microsoft does not support network-attached storage /.35 for Hyper-$

?ou can configure a #irtual &achine to use the following types of storage:

• Virtual &D devices+ 1ach #irtual &achine supports up to B %41 de#ices$ The startup disk

/so&eti&es referred to as the boot disk &ust be attached to one of the %41 de#ices$ The

startup disk can be either a #irtual hard disk or a physical disk$ 3lthough a #irtual &achine

&ust use a #irtual %41 de#ice as the startup disk to start the guest operating syste&" you

ha#e &any options to choose fro& when selecting the physical de#ice that will pro#ide the

storage for the #irtual %41 de#ice$ Eor ea&ple" you can use any of the types of physical

storage identified in the preceding list$

• Virtual 2C2& devices+ 1ach #irtual &achine supports up to B #irtual 5C5% controllers" andeach controller supports up to B disks$ This &eans that each #irtual &achine can be

configured with as &any as 2D #irtual 5C5% disks$ 'se of #irtual 5C5% de#ices re@uires

integration ser#ices to be installed in the guest operating syste&$ Eor a list of the guest

operating syste&s for which integration ser#ices are a#ailable" see 3bout irtual Machines

and =uest 6perating 5yste&s

• Virtual hard dis#s of up to 34*4 G$+ ?ou can use fied #irtual hard disks" dyna&ically

epanding #irtual hard disks" and differencing disks$

• Physical dis#s+ Physical disks attached directly to a #irtual &achine ha#e no si,e li&itation

other than what is supported by the guest operating syste&$

•

Virtual machine storage capacity+ 'sing #irtual hard disks" each #irtual &achine supportsup to D;2 T7 of storage$ 'sing physical disks" this nu&ber is e#en greater depending on what

is supported by the guest operating syste&$

• Virtual machine snapshots+ Hyper- supports up to D0 snapshots per #irtual &achine$

;;



0ip

3lthough the %6 perfor&ance of physical 5C5% and %41 de#ices can differ significantly"

this is not true for the #irtuali,ed 5C5% and %41 de#ices in Hyper-$ Hyper- %41 and

5C5% storage de#ices both offer e@ually fast high %6 perfor&ance when integration

ser#ices are installed in the guest operating syste&$ Eor a list of the guest operatingsyste&s for which integration ser#ices are a#ailable" see 3bout irtual Machines and

=uest 6perating 5yste&s$

Other hardware componentsThe following is infor&ation about the other types of physical and #irtual hardware co&ponents

that you can use with Hyper-$

44 dri#e 3 #irtual &achine has ; #irtual 44 dri#e by

default when you create the #irtual &achine$

irtual &achines can be configured with up to A

44 dri#es" connected to an %41 controller$

/irtual &achines support up to B %41 de#ices"

but one de#ice &ust be the startup disk$

3 #irtual 44 dri#e can access C4s and 44s"

either $iso files or physical &edia$ Howe#er" only

one #irtual &achine can be configured to

access a physical C444 dri#e at a ti&e$

irtual C6M port 1ach #irtual &achine is configured with 2 #irtual

serial /C6M ports that can be attached to a

na&ed pipe to co&&unicate with a local orre&ote physical co&puter$

ote

.o access to a physical C6M port is

a#ailable fro& a #irtual &achine$

irtual floppy dri#e 1ach #irtual &achine is configured with ; #irtual

floppy dri#e" which can access #irtual floppy

disk /$#fd files$

ote

.o access to a physical floppy dri#e isa#ailable fro& a #irtual &achine$

;2



About Virtual 1achines and Guest Operating2ystems

5unning multiple virtual machines?ou can use Hyper- to configure and use &any #irtual &achines at the sa&e ti&e$ The specific

nu&ber depends on two factors$ 6ne factor is the a#ailable physical resources on the ser#er

running Hyper-$ Eor &ore infor&ation" see Hardware Considerations$ The other factor is the

&ai&u& capacity of Hyper-$ ?ou can configure as &any as D;2 #irtual &achines on a ser#er

running Hyper-$ *ith the appropriate physical resources" the release #ersion of Hyper-

supports up to ;28 #irtual &achines running at the sa&e ti&e$ 3 hotfi /K79D<;0 is a#ailable

that increases the &ai&u& nu&ber of running #irtual &achines to ;92$ Eor &ore infor&ation

and links to the updates" see Hyper- 'pdate )ist$

2upported guest operating systemsThe following operating syste&s are supported for use on a #irtual &achine as a guest operating

syste&$ ?ou can run A2-bit and B-bit guest operating syste&s at the sa&e ti&e on one ser#er

running Hyper-$

• ?ou can use the following A2-bit and B-bit editions of *indows 5er#er 2008 as a supported

guest operating syste& on a #irtual &achine configured with ;" 2" or B #irtual processors:

• *indows 5er#er 2008 5tandard and *indows 5er#er 2008 5tandard without Hyper-

• *indows 5er#er 2008 1nterprise and *indows 5er#er 2008 1nterprise without Hyper-

• *indows 5er#er 2008 4atacenter and *indows 5er#er 2008 4atacenter without Hyper-

• *indows *eb 5er#er 2008

• *indows 5er#er 2008 HPC 1dition

• ?ou can use the following editions of *indows 5er#er 200A as a supported guest operating

syste& on a #irtual &achine configured with ; or 2 #irtual processors:

• *indows 5er#er 200A (2 5tandard 1dition with 5er#ice Pack 2

• *indows 5er#er 200A (2 1nterprise 1dition with 5er#ice Pack 2

• *indows 5er#er 200A (2 4atacenter 1dition with 5er#ice Pack 2

• *indows 5er#er 200A 5tandard 1dition with 5er#ice Pack 2

• *indows 5er#er 200A 1nterprise 1dition with 5er#ice Pack 2

• *indows 5er#er 200A 4atacenter 1dition with 5er#ice Pack 2

• *indows 5er#er 200A *eb 1dition with 5er#ice Pack 2

• *indows 5er#er 200A (2 5tandard B 1dition with 5er#ice Pack 2

• *indows 5er#er 200A (2 1nterprise B 1dition with 5er#ice Pack 2

• *indows 5er#er 200A (2 4atacenter B 1dition with 5er#ice Pack 2

• *indows 5er#er 200A 5tandard B 1dition with 5er#ice Pack 2

;A





• *indows 5er#er 200A 1nterprise B 1dition with 5er#ice Pack 2

• *indows 5er#er 200A 4atacenter B 1dition with 5er#ice Pack 2

• ?ou can run the following #ersions of *indows 2000 on a #irtual &achine configured with ;

#irtual processor:

• *indows 2000 5er#er with 5er#ice Pack B

• *indows 2000 3d#anced 5er#er with 5er#ice Pack B

• ?ou can run the following )inu distributions on a #irtual &achine configured with ; #irtual

processor:

• 5use )inu 1nterprise 5er#er ;0 with 5er#ice Pack 2 /8 edition or B edition

• 5use )inu 1nterprise 5er#er ;0 with 5er#ice Pack ; /8 edition or B edition

• ?ou can run the following A2-bit and B-bit #ersions of *indows ista on a #irtual &achine

configured with ; or 2 #irtual processors:

• *indows ista 7usiness with 5er#ice Pack ;

•*indows ista 1nterprise with 5er#ice Pack ;

• *indows ista 'lti&ate with 5er#ice Pack ;

• ?ou can run the following #ersions of *indows JP on a #irtual &achine:

• *indows JP Professional with 5er#ice Pack A /configured with ; or 2 #irtual processors

• *indows JP Professional with 5er#ice Pack 2 /configured with ; #irtual processor

• *indows JP Professional B 1dition with 5er#ice Pack 2 /configured with ; or 2 #irtual

processors

&ntegration services

%ntegration ser#ices are a#ailable for supported guest operating syste&s as described in thefollowing table$

&mportant

*hen a ser#ice pack is listed" the ser#ice pack is re@uired and the guest operating

syste& is not supported without the listed ser#ice pack$

ote

5o&e guest operating syste&s do not support the olu&e 5hadow Copy 5er#ice$ 3s a

result" online backup ser#ice is not a#ailable and is not listed for those guest operating

syste&s$

Guest operating system Device and service support

*indows 5er#er 2008 /B-bit editions and 8

editions

4ri#ers: %41" 5C5%" networking" #ideo" and

&ouse

5er#ices: operating syste& shutdown" ti&e

synchroni,ation" data echange" heartbeat" and

online backup

;B



*indows 5er#er 200A /B editions with

5er#ice Pack 2


&ouse



online backup

ote

This operating syste& does not support

a legacy network adapter$ Eor &ore

infor&ation about #irtual networking and

network adapter types" see Configuring

irtual .etworks$

*indows 5er#er 200A /8 editions with

5er#ice Pack 2


&ouse



online backup

*indows 2000 5er#er with 5er#ice Pack B 4ri#ers: %41" networking" #ideo" and &ouse


synchroni,ation" data echange" and heartbeat

*indows 2000 3d#anced 5er#er with 5er#ice

Pack B

4ri#ers: %41" networking" #ideo" and &ouse



5use )inu 1nterprise 5er#er ;0 /B edition

with 5er#ice Pack ; or 2

4ri#ers only: %41" 5C5%" and networking

5use )inu 1nterprise 5er#er ;0 /8 edition

with 5er#ice Pack ; or 2

4ri#ers only: %41" 5C5%" and networking

*indows ista /B-bit editions with 5er#ice

Pack ;


&ouse



online backup

*indows ista /8 editions with 5er#ice Pack

;

4ri#ers: %41" networking" #ideo" and &ouse



online backup

*indows JP Professional /8 editions with

5er#ice Pack 2 or A


&ouse

;D





*indows JP Professional B 1dition with

5er#ice Pack 2


&ouse



Additional considerations• 6n *indows operating syste&s" you &ay need to close the Eound .ew Hardware *i,ard to

start the installation of integration ser#ices$

• %f you installed a prerelease #ersion of integration ser#ices on a guest operating syste&" we

reco&&end that you upgrade to the release #ersion$ Eor supported *indows operating

syste&s" the release #ersion of integration ser#ices is included in the update package for theHyper- role$ Eor &ore infor&ation about the role update package" see %nstalling Hyper-$

• %ntegration ser#ices for the supported #ersions of )inu distributions are distributed through

the Microsoft Connect *eb site and are identified as )inu %ntegration Co&ponents for

Microsoft Hyper-$ Eor &ore infor&ation" see http:go$&icrosoft$co&fwlink>)ink%4;0202B$

Planning for Hyper-V 2ecurity

?ou should secure your #irtuali,ation ser#er using the sa&e &easures you would take to

safeguard any ser#er running *indows 5er#er 2008$ 3dditionally" you should use a few etra

&easures to help secure the #irtual &achines" configuration files" and data$ Eor &ore infor&ation

about how to secure *indows 5er#er 2008 workloads" see the *indows 5er#er 2008 5ecurity

=uide /http:go$&icrosoft$co&fwlink>)ink%d;AB200$

3dditionally" see the following security-related topics in this guide:

• 'sing 3uthori,ation Manager for Hyper- 5ecurity

• Configure Hyper- for (ole-based 3ccess Control

?ou should secure the #irtual &achines running on the #irtuali,ation ser#er according to your

procedures for securing that kind of ser#er or workload$ There is nothing special or different you

need to do to secure the #irtual &achine +ust because it is a #irtual &achine$ Eor ea&ple" if your

policies and procedures re@uire that you run anti#irus software" run it on the #irtual &achine$ %f

you ha#e a policy re@uire&ent to seg&ent the physical ser#er to a particular network" follow the

policy for the #irtual &achine as well$

*e reco&&end the following best practices to i&pro#e the security of your ser#ers running

Hyper-$

;







ote

?ou can use 7it)ocker 4ri#e 1ncryption to help protect #irtual &achines and data" but it

re@uires careful deploy&ent and reco#ery planning$ Eor &ore infor&ation" re#iew the

*indows 7it)ocker 4ri#e 1ncryption 4esign and 4eploy&ent =uides

/http:go$&icrosoft$co&fwlink>)ink%d;AB20;$

Hyper-V security best practices• 6se a 2erver Core installation of !indows 2erver 3447 for the management operating

system+ 3 5er#er Core installation pro#ides the s&allest attack surface and reduces the

nu&ber of patches" updates" and restarts re@uired for &aintenance$ Eor detailed infor&ation

and installation guidance" see the 5er#er Core %nstallation 6ption of *indows 5er#er 2008

5tep-7y-5tep =uide /http:go$&icrosoft$co&fwlink>)ink%d;AB202$

Eor &ore infor&ation about enabling the Hyper- role on a ser#er running a 5er#er Core

installation" see %nstall the Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er

2008$

otes

• There is no way to upgrade fro& a 5er#er Core installation to a full installation of

*indows 5er#er 2008$ %f you need the *indows user interface or a ser#er role that is not

supported in a 5er#er Core installation" install a full installation of *indows 5er#er 2008$

• To re&otely &anage Hyper- on a 5er#er Core installation" use the Hyper-

&anage&ent tools for *indows 5er#er 2008 and *indows ista 5er#ice Pack ; /5P;$

Eor &ore infor&ation" see article 9D00D0 /http:go$&icrosoft$co&fwlink>)ink%d;22;88

and article 9D22< /http:go$&icrosoft$co&fwlink>)ink%4;22;89 in the Microsoft

Knowledge 7ase$ Eor &ore infor&ation about configuring tools for re&ote &anage&ent

of Hyper-" see %nstall and Configure Hyper- Tools for (e&ote 3d&inistration$

• Do not run any applications in the management operating system8run all applications

on virtual machines+ 7y keeping the &anage&ent operating syste& free of applications and

running a *indows 5er#er 2008 core installation" you will need fewer updates to the

&anage&ent operating syste& because nothing re@uires software updates ecept the 5er#er

Core installation" the Hyper- ser#ice co&ponents" and the hyper#isor$

otes

%f you run progra&s in the &anage&ent operating syste&" you should run your

anti#irus solution there and add the following to the anti#irus eclusions:

• irtual &achine configuration files directory$ 7y default" it is

C:NProgra&4ataNMicrosoftN*indowsNHyper-$

• irtual &achine #irtual hard disk files directory$ 7y default" it is

C:N'sersNPublicN4ocu&entsNHyper-Nirtual Hard 4isks$

• 5napshot files directory$ 7y default" it is Osyste&dri#e

ONProgra&4ataNMicrosoftN*indowsNHyper-N5napshots$

• &&s$ee

;<











• &wp$ee

%f you need to use the full #ersion of *indows 5er#er 2008 and run applications in the

&anage&ent operating syste&" then you should run an anti#irus progra& there$

• 6se the security level of your virtual machines to determine the security level of your

management operating system+ ?ou should deploy #irtual &achines onto #irtuali,ationser#ers that ha#e si&ilar security re@uire&ents$ Eor ea&ple" assu&e that you classify the

le#el of risk and effort to secure your ser#ers into three categories: Lsecure" L&ore secure"

and L&ost secure$ ?ou would put &ore co&pliance effort and control procedures into the

&ost secure ser#ers than on the secure ser#ers$ This would be true whether the ser#er is

physical or running on a #irtual &achine$ %f you deploy both secure and &ost secure #irtual

&achines on the &anage&ent operating syste&" then you should secure the #irtuali,ation

ser#er as a L&ost secure ser#er$ 4eploying #irtual &achines with si&ilar security le#els on a

#irtuali,ation ser#er can &ake &anage&ent and &o#e&ent of the #irtual &achines easier$

• Do not give virtual machine administrators permissions on the management operating

system+ 3ccording to the principle of least pri#ilege" you should gi#e ad&inistrators of a

#irtual &achine /so&eti&es called depart&ent ad&inistrators or delegated ad&inistrators the

&ini&u& per&issions re@uired$ Managing the re@uired per&issions on all the ob+ects

associated with a #irtual &achine can be co&ple" and can lead to potential security issues if

not handled properly$ (ole-based access control enables you to specify access control in

ter&s of the organi,ational structure of a co&panyIby creating a new ob+ect called a role$

?ou assign a user to a role to perfor& a +ob function$ Hyper- uses 3uthori,ation Manager

policies for role-based access control$

• nsure that virtual machines are fully updated before they are deployed in a

production environment+ 7ecause #irtual &achines are so &uch easier to &o#e around and

@uicker to deploy than physical &achines" there is a greater risk that a #irtual &achine that is

not fully updated or patched &ight be deployed$ To &anage this risk effecti#ely" use the sa&e&ethods and procedures to update #irtual &achines as you use to update physical ser#ers$

Eor ea&ple" if you allow the use of auto&atic updates using *indows 'pdate" Microsoft

5yste& Center Configuration Manager" or another software distribution &ethod" ensure that

#irtual &achines are updated andor patched before they are deployed$

?ou can use &aintenance hosts and @uick &igration in Hyper- to acco&plish this$ 3

&aintenance host is a host co&puter that you can dedicate for patching stored resources and

for staging #irtual &achines before you &o#e the& into your production en#iron&ent$ Eor

&ore infor&ation about &aintenance hosts" see Planning for Hosts

/http:go$&icrosoft$co&fwlink>)ink%d;ABB82$ Eor infor&ation about using @uick &igration

to &o#e #irtual &achines to a &aintenance host" see Hyper- 5tep-by-5tep =uide: Testing

Hyper- and Eailo#er Clustering /http:go$&icrosoft$co&fwlink>)ink%d;ABB8;$

• nsure integration services are installed on virtual machines+ The accuracy of

ti&esta&ps and audit log entries is i&portant for co&puter forensics and co&pliance$

%ntegration ser#ices ensure that ti&e is synchroni,ed between #irtual &achines and the

&anage&ent operating syste&$ This synchroni,ation &akes sure that ti&e is consistent with

the physical location of the #irtual &achine in the e#ent that #irtual &achines are &igrated

;8







between data centers in different ti&e ,ones or #irtual &achines are restored fro& pre#ious

snapshots$

• 6se a dedicated networ# adapter for the management operating system of the

virtuali,ation server+ 7y default" no #irtual networking is configured for the &anage&ent

operating syste&$ 'se a dedicated network adapter for &anaging the ser#er running Hyper-and do not epose it to untrusted network traffic$ 4o not allow #irtual &achines to use this

network adapter$ 'se one or &ore different dedicated network adapters for #irtual &achine

networking$ This allows you to apply different le#els of networking security policy and

configuration for your #irtual &achines$ Eor ea&ple" you can configure networking so that

the #irtual &achines ha#e different networking access than your &anage&ent operating

syste&" including the use of #irtual local area networks /)3.s" %nternet Protocol 5ecurity

/%Psec" .etwork 3ccess Protection /.3P and Microsoft Eorefront Threat Manage&ent

=ateway$ Eor &ore infor&ation about configuring networking" see Configuring irtual

.etworks$

Eor &ore infor&ation about .3P" see http:go$&icrosoft$co&fwlink>)ink%4;;<80B$ Eor

infor&ation about Microsoft Eorefront Threat Manage&ent =ateway and Microsoft EorefrontL5tirling" see http:go$&icrosoft$co&fwlink>)ink%d;ABBD2$

• 6se $it9oc#er Drive ncryption to protect resources+ 7it)ocker 4ri#e 1ncryption works

with features in ser#er hardware and fir&ware to pro#ide secure operating syste& boot and

disk dri#e encryption" e#en when the ser#er is not powered on$ This helps protect data if a

disk is stolen and &ounted on another co&puter for data &ining$ 7it)ocker 4ri#e 1ncryption

also helps protect data if an attacker uses a different operating syste& or runs a software

hacking tool to access a disk$

)osing a physical disk is a &ore significant risk in scenarios with s&all and &ediu&

businesses" as well as re&ote offices" where physical security of the ser#er &ay not be as

rigorous as in an enterprise data center$ Howe#er" using 7it)ocker 4ri#e 1ncryption &akessense for all co&ptuers$ ?ou should use 7it)ocker 4ri#e 1ncryption on all #olu&es that store

#irtual &achine files too$ This includes the #irtual hard disks" configuration files" snapshots"

and any #irtual &achine resources" such as %56 i&ages and #irtual floppy disks$ Eor a higher

le#el of security that includes secure startup" 7it)ocker 4ri#e 1ncryption re@uires Trusted

Platfor& Module /TPM hardware$ Eor &ore infor&ation about TPM &anage&ent" see the

*indows Trusted Platfor& Module Manage&ent 5tep-by-5tep =uide

/http:go$&icrosoft$co&fwlink>)ink%d;AB22<$

Eor &ore infor&ation on how to configure 7it)ocker 4ri#e 1ncryption to help protect your

ser#er and the #irtual &achines running on it" see *indows 5er#er 2008 Hyper- and

7it)ocker 4ri#e 1ncryption /http:go$&icrosoft$co&fwlink>)ink%4;2ADAB$

3lso see *indows 7it)ocker 4ri#e 1ncryption Ere@uently 3sked uestions

/http:go$&icrosoft$co&fwlink>)ink%d;AB228 and the 7it)ocker (epair Tool

/http:go$&icrosoft$co&fwlink>)ink%d;AB229$

&mportant

'se 7it)ocker 4ri#e 1ncryption in the Hyper- &anage&ent operating syste& and to

protect #olu&es that contain configuration files" #irtual hard disks" and snapshots$ 4o

;9















not run 7it)ocker 4ri#e 1ncryption within a #irtual &achine$ 7it)ocker 4ri#e

1ncryption is not supported within a #irtual &achine$

• Disable virtuali,ation $&O2 settings when they are not re'uired+ *hen you are no longer

using a ser#er for #irtuali,ation" for ea&ple in a test or de#elop&ent scenario" you should

turn off the hardware-assisted #irtuali,ation 7%65 settings that were re@uired for Hyper-$ Eorinstructions on disabling these settings" consult your hardware &anufacturer$

Additional resources• irtuali,ation 5ecurity 7est Practices Podcast /http:go$&icrosoft$co&fwlink>

)ink%d;AB22D

• *indows 5er#er irtuali,ation and the *indows Hyper#isor /http:go$&icrosoft$co&fwlink>

)ink%d;AB22

6sing Authori,ation 1anager for Hyper-V2ecurity

?ou use 3uthori,ation Manager to pro#ide role-based access control for Hyper-$ Eor instructions

on i&ple&enting role-based access control" see Configure Hyper- for (ole-based 3ccess

Control$ Eor &ore infor&ation about getting started with 3uthori,ation Manager" see 3ppendi 7:

3uthori,ation Manager Ter&inology and Checklist: 7efore you start using 3uthori,ation Manager

/http:go$&icrosoft$co&fwlink>)ink%d;AB;9<$

3uthori,ation Manager is co&prised of the following:

• Authori,ation 1anager snap-in .A,1an+msc/+ ?ou can use the Microsoft Manage&ent

Console /MMC snap-in to select operations" group the& into tasks" and then authori,e roles

to perfor& specific tasks$ ?ou also use it to &anage tasks" operations" user roles" and

per&issions$ To use the snap-in" you &ust first create an authori,ation store or open an

eisting store$ Eor &ore infor&ation" see http:go$&icrosoft$co&fwlink>)ink%d;AB08$

• Authori,ation 1anager AP&+ The 3P% pro#ides a si&plified de#elop&ent &odel in which to

&anage fleible groups and business rules and store authori,ation policies$ Eor &ore

infor&ation" see (ole-based 3ccess Control /http:go$&icrosoft$co&fwlink>)ink%d;AB0<9$

3uthori,ation Manager re@uires a data store for the policy that correlates roles" users" and access

rights$ This is called an authori,ation store$ %n Hyper-" this data store can be &aintained in an

3cti#e 4irectory database or in an JM) file on the local ser#er running the Hyper- role$ ?ou can

edit the store through the 3uthori,ation Manager snap-in or through the 3uthori,ation Manager 3P%" which are a#ailable to scripting languages such as 75cript$

%f an 3cti#e 4irectory database is used for the authori,ation store" 3cti#e 4irectory 4o&ain

5er#ices /34 45 &ust be at the *indows 5er#er 200A functional le#el$

The JM) store does not support delegation of applications" stores" or scopes because access to

the JM) file is controlled by the discretionary access control list /43C) on the file" which grants

or restricts access to the entire contents of the file$ /Eor &ore infor&ation about 3uthori,ation

20

















Manager delegation" see http:go$&icrosoft$co&fwlink>)ink%d;AB0<D$ 7ecause of this" if an

JM) file is used for the authori,ation store" it is i&portant that it is backed up regularly$ The .TE5

file syste& does not support applications issuing a se@uence of separate write operations as a

single logical write to a file when &ultiple applications write to the sa&e file$ This &eans an

3uthori,ation Manager policy file /JM) file could be edited si&ultaneously by two ad&inistrati#e

applications and could beco&e corrupted$ The Hyper- 55 writer will back up the authori,ation

store with the ser#er running the Hyper- role$

Configure Hyper-V for 5ole-based AccessControl

This topic describes how to configure role-based access control for #irtual &achines in Hyper-$

?ou use the 3uthori,ation Manager Microsoft Manage&ent Console /MMC snap-in /3,Man$&sc

to pro#ide role-based access control for Hyper-$ Eor &ore infor&ation" see the following topics in

this guide:


• 3ppendi 7: 3uthori,ation Manager Ter&inology

• Planning for Hyper- 5ecurity

To i&ple&ent role-based access control" you &ust first define scopes and then organi,e

operations into groups to acco&plish tasks$ ?ou assign tasks to roles" and then assign users or

groups to the role$ 3ny user assigned to a role can then perfor& all of the operations in all of the

tasks that are assigned to the role$

There are four general steps to setting up role-based access control for Hyper-:

;$ 4efine scope according to your organi,ational needs$ Eor ea&ple" you can define scopes bygeography" organi,ational structure" function /de#elopertest or production" or 3cti#e

4irectory 4o&ain 5er#ices$ Eor a sa&ple script to create the scopes" see

http:go$&icrosoft$co&fwlink>)ink%d;AB0<B$

2$ 4efine tasks$ %n 3uthori,ation Manager" you cannot change or create new operations$

Howe#er" you can create as &any tasks as you want and then co&bine these into role

definitions$ Eor ea&ple tasks that you can use in your role definitions" see 3ppendi 3:

1a&ple 3uthori,ation Manager Tasks and 6perations$

A$ Create roles$ Eor ea&ple" if you want to create an L%T Monitor role that you can use to #iew

properties of a #irtual &achine but not interact with the #irtual &achine" create a new task in

3uthori,ation Manager called LMonitor irtual Machine" with the following operations:

• (ead 5er#ice Configuration

• iew 1ternal 1thernet Ports

• iew %nternal 1thernet Ports

• iew )3. 1ndpoints

• iew 5witch Ports

2;







• iew 5witches

• iew irtual 5witch Manage&ent 5er#ice

• iew )3. 5ettings

B$ 3ssign users or groups to roles$

Eor ea&ple" assu&e you ha#e two sets of #irtual &achines where one set belongs to the Hu&an

(esources depart&ent and the other set belongs to the Einance depart&ent$ ?ou want the #irtual

&achine ad&inistrators for Hu&an (esources to ha#e full control o#er the #irtual &achines for

that depart&ent" but to ha#e no control o#er the #irtual &achines in Einance$ ?ou want the sa&e

arrange&ent for the #irtual &achine ad&inistrators for EinanceIno access to the #irtual

&achines in Hu&an (esources$ To acco&plish this" you would define one role called

L4epart&ental irtual Machine 3d&inistrator" define the appropriate tasks" and then assign each

ad&inistrator to the L4epart&ental irtual Machine 3d&inistrator role assign&ent in the specific

scope$ ?ou would scope the #irtual &achine ad&inistrators for Hu&an (esources to the #irtual

&achines in Hu&an (esources and the #irtual &achine ad&inistrators for Einance to the #irtual

&achines in Einance$ Then" you would assign the #irtual &achines to their respecti#e scopes$

Configuring role-based access control'se the following procedures to set up role-based access control for #irtual &achines in Hyper-$

&mportant

To co&plete these procedures" you &ust open 3uthori,ation Manager using an account

that is a &e&ber of the 3d&inistrators group$

0o create a scope

;$ 6pen 3uthori,ation Manager by running a,man+msc fro& a co&&and pro&pt$The default authori,ation policy is JM)-based and stored at

NProgra&4ataNMicrosoftN*indowsNHyper-N%nitial5tore$&l$

ote

.ote that NProgra&4ataN is in a hidden directory" you cannot browse to it$ Type

the location in 2tore ame in the Open Authori,ation 2tore dialog bo$

2$ %n the console tree" right-click Hyper-V services and then click ew 2cope$

A$ %n the ew 2cope dialog bo" in ame" type a na&e for the scope and then click O:$

B$ /6ptional %n Description" type a description for the scope and then click O:$

The description has a &ai&u& si,e li&it of ;02B bytes$ 1nter a description that will help

you apply the scope to achie#e your goal$ Eor ea&ple" you can use a description to

distinguish the Hu&an (esources scope fro& the Einance scope$

0o create a tas#

;$ 6pen 3uthori,ation Manager by running a,man+msc fro& a co&&and pro&pt$

2$ %n the console tree" right-click the scope" and then click Definitions$

22



A$ %n the console tree" right-click 0as# Definitions and then click ew 0as# Definition$

B$ %n the ew 0as# Definition dialog bo" in ame" type a na&e for the task$

D$ Click Add to bring up the Add Definition dialog bo and click the Operations tab$

$ %n Operations" select each operation in the task" and then click O:$

0o create a role


2$ 1pand the scope" click Definitions" right-click 5ole Definition" and then click ew 5ole

Definition$

The description has a &ai&u& si,e li&it of ;02B bytes$

A$ %n the ew 5ole Definition dialog bo" in ame" type a na&e for the role$

B$ %n Description" type a description for the role and then click O: twice$

D$ /6ptional Click Add to specify the operations" tasks" roles" and authori,ation rules that

you want to include" and then click O: twice$

0o assign a role


2$ 1pand the scope" right-click 5ole Assignments" and click ew 5ole Assignment$

A$ %n the Add 5ole dialog bo" check the role definitions to add and then click O:$

B$ (ight-click the role" click Assign 6sers and Groups" and then click ;rom !indows and

Active Directory or ;rom Authori,ation 1anager $

D$ %n the 2elect 6sers< Computers< or Groups dialog bo" enter ob+ect na&es to select"

and then click O:$

Additional resources• 5copes in 3uthori,ation Manager /http:go$&icrosoft$co&fwlink>)ink%d;AB;98

• *ork *ith 5copes /http:go$&icrosoft$co&fwlink>)ink%d;AB;99

• 3uthori,ation Manager How ToQ /http:go$&icrosoft$co&fwlink>)ink%4;AB08

Planning for $ac#up

*hen you plan a backup and reco#ery strategy for a #irtuali,ed ser#er en#iron&ent" there are

se#eral factors to consider$ ?ou &ust consider the different types of backups you can &ake" the

state of the #irtual &achine" and the type of storage being used by the #irtual &achines$ This

topic discusses the ad#antages" disad#antages" and considerations for these factors$

2A









ote

This topic discusses considerations for backup strategies that are i&ple&ented using

backup applications that support the Hyper- olu&e 5hadow Copy 5er#ice /55 writer$

55 snapshots are not the sa&e as #irtual &achine snapshots$ This topic does not co#er

the use of #irtual &achine snapshots because we do not reco&&end the& as aper&anent data or syste& reco#ery solution$ irtual &achine snapshots are intended

&ainly for use in de#elop&ent and test en#iron&ents because they pro#ide a con#enient

way to store different points of syste& state" data" and configuration$ Howe#er" there are

so&e inherent risks of unintended data loss if they are not &anaged appropriately$ Eor

&ore infor&ation about #irtual &achine snapshots" see http:go$&icrosoft$co&fwlink>

)ink%d;AAAB2$

6nderstanding bac#up options andconsiderations

The backup integration ser#ice /identifiable as Hyper- olu&e 5hadow Copy (e@uestor ser#ice

in the guest operating syste& and the Hyper- olu&e 5hadow Copy 5er#ice /55 writer

pro#ide the &echanis& for backing up #irtual &achines as well as syste&-wide settings that

apply to Hyper-$ To i&ple&ent the backup and reco#ery scenarios discussed in this section" you

&ust use a backup application that is co&patible with the Hyper- 55 writer$ %f you want to use

*indows 5er#er 7ackup" you &ust add a registry key to register the Hyper- 55 writer$ Eor

&ore infor&ation" see http:go$&icrosoft$co&fwlink>)ink%4;AAADB$

There are two basic &ethods you can use to perfor& a backup$ ?ou can:

• Perform a bac#up from the server running Hyper-V+ *e reco&&end that you use this

&ethod to perfor& a full ser#er backup because it captures &ore data than the other &ethod$

%f the backup application is co&patible with Hyper- and the Hyper- 55 writer" you canperfor& a full ser#er backup that helps protect all of the data re@uired to fully restore the

ser#er" ecept the #irtual networks$ The data included in such a backup includes the

configuration of #irtual &achines" snapshots associated with the #irtual &achines" and #irtual

hard disks used by the #irtual &achines$ 3s a result" using this &ethod can &ake it easier to

reco#er the ser#er if you need to" because you do not ha#e to recreate #irtual &achines or

reinstall Hyper-$ Howe#er" #irtual networks are not included in a full ser#er backup$ ?ou will

need to reconfigure the #irtual networking by recreating the #irtual networks and then

reattaching the #irtual network adapters in each #irtual &achine to the appropriate #irtual

network$ 3s part of your backup planning" &ake sure you docu&ent the configuration and all

rele#ant settings of your #irtual network if you want to be able to recreate it$

• Perform a bac#up from within the guest operating system of a virtual machine+ 'se this

&ethod when you need to back up data fro& storage that is not supported by the Hyper-

55 writer$ *hen you use this &ethod" you run a backup application fro& the guest

operating syste& of the #irtual &achine$ %f you need to use this &ethod" you should use it in

addition to a full ser#er backup and not as an alternati#e to a full ser#er backup$ Perfor& a

backup fro& within the guest operating syste& before you perfor& a full backup of the ser#er

2B












running Hyper-$ Eor &ore infor&ation about storage considerations" see the following

section$

2torage considerations 3s you plan your backup strategy" consider the co&patibility between the storage and backup

solutions:

• Virtual hard dis#s+ These offer the best co&patibility and can be stored on &any types of

physical &edia$ Eor &ore infor&ation about the types of storage you can use with Hyper-"

see Hardware Considerations$

• Physical dis#s that are directly attached to a virtual machine+ These disks cannot be

backed up by the Hyper- 55 writer$ 3s a result" this type of disk will not be included in any

backup perfor&ed by a backup progra& that uses the Hyper- 55 writer$ %n this situation"

you would need to use so&e other process to back up the physical disk" such as running a

backup application within the guest operating syste&$

• i2C2&-based storage+ This storage is supported for backup by the Hyper- 55 writer when

the storage is connected through the &anage&ent operating syste& and the storage is used

for #irtual hard disks$

• 2torage accessed from a virtual machine by using an &nternet 2C2& .i2C2&/ initiator

within the guest operating system+ This storage will not be included in a backup of the

physical co&puter$ %n this scenario" you &ust use another process to back up the data fro&

the i5C5%-based storage before you perfor& a full ser#er backup$ Eor ea&ple" you could run

a backup of the data on the i5C5% storage fro& a backup application running in the guest

operating syste&$

Eor &ore infor&ation about deploying storage for Hyper-" see %&ple&enting 4isks and 5torage$

6nderstanding online and offline bac#ups*hether a backup is perfor&ed online or offline depends on whether the backup can be

perfor&ed without downti&e$

?ou can perfor& an online backup with no downti&e on a running #irtual &achine when all of the

following conditions are &et:

• %ntegration ser#ices are installed and the backup integration ser#ice has not been disabled$

• 3ll disks being used by the #irtual &achine are configured within the guest operating syste&

as .TE5-for&atted basic disks$ irtual &achines that use storage on which the physical

partitions ha#e been for&atted as dyna&ic disks or the E3TA2 file syste& pre#ent an online

backup fro& being perfor&ed$ This is not the sa&e as dyna&ically epanding #irtual hard

disks" which are fully supported by backup and restore operations$

• olu&e 5hadow Copy 5er#ice &ust be enabled on all #olu&es used by the #irtual &achine

with a specific configuration$ 1ach #olu&e &ust also ser#e as the storage location for shadow

2D



copies of the #olu&e$ Eor ea&ple" the shadow copy storage for #olu&e C: &ust be located

on C:$

%f an online backup cannot be perfor&ed" then an offline backup is taken$ This type of backup

results in so&e degree of downti&e$ 3 #ariety of factors can affect the ti&e re@uired to take an

offline backup$ %f the #irtual &achine is running or paused" it is put into a sa#ed state as part ofthe offline backup process$ 3fter the backup is co&pleted" the #irtual &achine is returned to its

eisting state$

6nderstanding the restore processThe restore process is straightforward as long as the reco&&endations outlined in the pre#ious

sections were followed when the backups were created$ This includes taking the reco&&ended

steps to ensure that data which is not included in a full ser#er backup can be reco#ered or

recreated$

To restore when all co&ponents of your backup set are supported by the Hyper- 55 writer"

ha#e all the &edia and e@uip&ent a#ailable and then perfor& a restore of the entire syste& or the#irtual &achine" depending on your circu&stances$ The Hyper- 55 writer treats Hyper- as an

application that can be backed up$ This &eans that you can reco#er indi#idual #irtual &achines$

Howe#er" you cannot use this &ethod to reco#er only a portion of a #irtual &achine$

To restore when your backup set includes &edia that is not supported by the Hyper- 55 writer"

you &ust perfor& an additional step$ Eirst" perfor& a restore of the entire syste& or the #irtual

&achine" depending on your circu&stances$ Then" restore the unsupported &edia fro& within the

guest operating syste&$

ote

%f you atte&pt to restore a #irtual &achine while it is running" it is turned off and deleted

before the backed-up #ersion of the #irtual &achine is restored$

ote

%f you restore a #irtual &achine fro& an online backup" when you start the #irtual &achine

you &ay recei#e a &essage that the operating syste& was not shut down properly$ ?ou

can ignore this &essage$

Considerations about clustered virtual machines%f you plan to cluster #irtual &achines" there are additional factors that you need to consider when

planning to backup and restore those #irtual &achines$ 7efore you atte&pt to back up or restore

clustered #irtual &achines" consider the following:• 3pply a hotfi to pre#ent possible failure of a full ser#er backup on a node when a #irtual

&achine uses a #olu&e &ounted with a ='%4$ *hen the hotfi applied" a directory path that

cannot be resol#ed will pre#ent only the #irtual &achine that uses the directory path fro&

being backed up$ Howe#er" when the hotfi is not applied" a #olu&e &ounted with a ='%4

&ay cause the entire backup operation to fail$ Eor &ore infor&ation" see

http:go$&icrosoft$co&fwlink>)ink%d;AAAB8$

2





• ?ou &ay need to take the #irtual &achine offline before you run a backup or restore a #irtual

&achine$ Eor instructions on taking a clustered #irtual &achine offline" see

http:go$&icrosoft$co&fwlink>)ink%4;290A$

5e#eral factors can affect backup and reco#ery operations when a #irtual &achine is

clustered$ The following tables identify the factors you need to consider and the action youneed to take to perfor& the backup or reco#ery operation$ The infor&ation in both tables

assu&es that you will run the backup or reco#ery operation on node ;$

Considerations for bac#ing up clustered virtual machines

)ocation of

cluster

group

Cluster

resource

state

Configuration

resource state

5torage

resource

state

7ackup type 3ction

re@uired to

prepare for a

backup

.ode ; 6nline 6nline 6nline 6nline .one

.ode ; 6nline 6nline 6nline 6ffline /due to

storage

configuration of

the #irtual

&achine

'se the

Cluster

ser#ice to

take the

#irtual

&achine

cluster

resource

offline

.ode ; 6ffline 6ffline 6nline 6ffline .one

.ode ; 6ffline 6nline 6nline 6ffline .one

.ode 2 3ny state 3ny state 3ny state irtual &achine

not reported for

backup on node

;

Mo#e the

#irtual

&achine to

node ;

Considerations for restoring clustered virtual machines

)ocation Cluster

resource state

Configuration

resource state

5torage

resource state

3ction re@uired to

prepare for a

restore

.ode ; 6nline 6nline 6nline Take the cluster

resource and

configuration

resource offline$

.ode ; 6ffline 6nline 6nline Take the

2<





configuration

resource offline$

.ode ; 6ffline 6ffline 6ffline .one

.ode 2 3ny state 3ny state 3ny state The clusterresource and the

configuration

resource need to

be taken offline on

.ode 2 to a#oid a

conflict$

&nstalling Hyper-V

The release #ersion of the Hyper- technology in *indows 5er#er 2008 is distributed in update

packages that are a#ailable fro& the Microsoft *eb site$ To install the release #ersion of any of

the Hyper- co&ponents" you &ust obtain and install the appropriate update package$ This topic

describes the packages and pro#ides links to the installation procedures for each package$

About the Hyper-V update pac#ages5e#eral update packages are a#ailable$ 1ach update package is described below" including

infor&ation about how to obtain the package$

Hyper-V role pac#ageThe release #ersion of Hyper- is distributed in the package RHyper- 'pdate for *indows 5er#er

2008 B 1dition /K79D00D0S$ The package consists of the Hyper- role" including the B

#ersion of the re&ote &anage&ent tools" and integration ser#ices for the supported #ersions of

the *indows operating syste&$

This update is offered through *indows 'pdate as a reco&&ended update$ Howe#er" you also

can obtain the update through the Microsoft 4ownload Center$ To download this update" see

http:go$&icrosoft$co&fwlink>)ink%d;2ADA9$

&mportant

The Hyper- role update package is a per&anent package$ 6nce you install the updatepackage" you cannot re&o#e it$

Eor instructions about installing the role" see %nstall the Hyper- (ole on a 5er#er Core

%nstallation of *indows 5er#er 2008 or %nstall the Hyper- (ole on a Eull %nstallation of *indows

5er#er 2008$

%f you used a prerelease #ersion of Hyper- to create #irtual &achines and installed integration

ser#ices on the #irtual &achines" you &ust upgrade the integration ser#ices to the release

28





#ersion$ %ntegration ser#ices are specific to the build of Hyper-$ To install the integration ser#ices"

fro& the Action &enu of irtual Machine Connection" click &nsert &ntegration 2ervices 2etup

Dis#$ 6n *indows operating syste&s" if the .ew Hardware *i,ard appears" you &ust close the

wi,ard to start the installation$ %f 3utorun does not start the installation auto&atically" you can start

it &anually$ Click anywhere in the guest operating syste& window and na#igate to the C4 dri#e$

'se the &ethod that is appropriate for the guest operating syste& to start the installation package

fro& the C4 dri#e$

%f you are interested in &igrating fro& irtual 5er#er to Hyper-" a &igration guide is a#ailable$

Eor &ore infor&ation" see the irtual Machine Migration =uide$

Hyper-V 5emote management tools pac#agesThe Hyper- &anage&ent tools are a#ailable separately to allow re&ote &anage&ent of a ser#er

running Hyper-$ Packages are a#ailable to install the tools on *indows ista with 5er#ice

Pack ; /5P; and on A2-bit editions of *indows 5er#er 2008$ The following download packages

are a#ailable:

• Eor B-bit editions of *indows ista with 5P;" see http:go$&icrosoft$co&fwlink>

)ink%d;2ADB0$

• Eor A2-bit editions of *indows ista with 5P;" see http:go$&icrosoft$co&fwlink>

)ink%d;2ADB;$

• Eor A2-bit editions of *indows 5er#er 2008" see http:go$&icrosoft$co&fwlink>

)ink%d;2ADB2$

&mportant

The re&ote &anage&ent tools update package for the A2-bit editions of *indows

5er#er 2008 is a per&anent package$ 6nce you install the update package" you

cannot re&o#e it$

Eor instructions about installing the tools" see %nstall and Configure Hyper- Tools for (e&ote

3d&inistration$

Hyper-V 9anguage Pac# for !indows 2erver 3447The Hyper- )anguage Pack for *indows 5er#er 2008 installs the language pack for the release

#ersion of Hyper- and supports the following additional languages:

• Chinese /5i&plified

• Chinese /Traditional

• C,ech

• Hungarian

• Korean

• Polish

• Portuguese /7ra,il

• Portuguese /Portugal

29

















• (ussian

• 5wedish

• Turkish

Eor &ore infor&ation about the language pack and links to download the packs" see article

9D;A in the Microsoft Knowledge 7ase /http:go$&icrosoft$co&fwlink>)ink%4;2ADA$

Additional considerations• To find out whether an update has been applied to your co&puter" you can check the update

history:

• 6n a full installation of *indows 5er#er 2008" click 2tart" click !indows 6pdate" click

View update history" and then click &nstalled 6pdates$

• 6n a 5er#er Core installation" at the co&&and pro&pt" type:

wmic 'fe list

)ook for update nu&ber #bid=>?44?4" which indicates that the update for Hyper- has

been installed$

&nstall the Hyper-V 5ole on a 2erver Core&nstallation of !indows 2erver 3447

The 5er#er Core installation option of the *indows 5er#er 2008 operating syste& installs a

&ini&al ser#er installation of *indows 5er#er 2008 to run supported ser#er roles" including the

Hyper- role$ ?ou can use the 5er#er Core installation option to help secure the ser#er running

Hyper- and all the #irtual &achines running on it$ The benefits of using the 5er#er Core

installation option include a reduced attack surface and reduced &aintenance$ Eor infor&ation

about the &ini&u& hardware re@uire&ents for a ser#er running a 5er#er Core installation" see

%nstalling *indows 5er#er 2008 /http:go$&icrosoft$co&fwlink>)ink%d;2ADA8$

*hen you select the 5er#er Core installation option" 5etup installs only the files that are re@uired

for the supported ser#er roles$ Eor ea&ple" the 1plorer shell is not installed as part of a 5er#er

Core installation$ 3fter you ha#e enabled the Hyper- role" you can &anage the Hyper- role and

#irtual &achines re&otely using the Hyper- &anage&ent tools$ The &anage&ent tools are

a#ailable for *indows 5er#er 2008 and *indows ista 5er#ice Pack ; /5P;$ Eor &ore

infor&ation" see article 9D00D0 /http:go$&icrosoft$co&fwlink>)ink%d;22;88 and article

9D22< /http:go$&icrosoft$co&fwlink>)ink%d;2ADA< in the Microsoft Knowledge 7ase$ Eor

&ore infor&ation about configuring tools for the re&ote &anage&ent of Hyper-" see %nstall and

Configure Hyper- Tools for (e&ote 3d&inistration$

?ou can use unattended installation to configure a ser#er running a 5er#er Core installation and

Hyper-$ Eor &ore infor&ation about unattended installation settings" see the *indows

3uto&ated %nstallation Kit /http:go$&icrosoft$co&fwlink>)ink%d8;0A0$ ?ou can find &ore

infor&ation and a sa&ple 'nattend$&l file in the 5er#er Core %nstallation 6ption of *indows

A0














5er#er 2008 5tep-7y-5tep =uide /http:go$&icrosoft$co&fwlink>)ink%4;009D9$ This guide is

also a#ailable as a download /http:go$&icrosoft$co&fwlink>)ink%48DD$

&mportant

• 6nce you install these ser#er updates" you will not be able to re&o#e the&$ There is no

way to upgrade fro& a full installation of *indows 5er#er 2008 or a pre#ious #ersion of

*indows 5er#er to a 5er#er Core installation$ 6nly a clean installation is supported$

There is no way to upgrade fro& a 5er#er Core installation to a full installation of

*indows 5er#er 2008$ %f you need the *indows user interface or a ser#er role that is not

supported in a 5er#er Core installation" you should install a full installation of *indows

5er#er 2008$ Eor instructions about installing the Hyper- role on a full installation of

*indows 5er#er 2008" see %nstall the Hyper- (ole on a Eull %nstallation of *indows

5er#er 2008$

• %f you close all local co&&and pro&pts while installing the Hyper- role" you will ha#e no

way to &anage the 5er#er Core installation$ %f this happens" press CT()F3)TF41)1T1"

click 2tart 0as# 1anager " click ;ile" click 5un" and type cmd+e(e$ 3lternati#ely" you canlog off and log on again$

0o install Hyper-V on a 2erver Core installation

;$ ?ou &ust perfor& a 5er#er Core installation before you install the Hyper- role$ Eor

instructions" see the 5er#er Core %nstallation 6ption of *indows 5er#er 2008 5tep-7y-

5tep =uide /http:go$&icrosoft$co&fwlink>)ink%4;009D9$

2$ 3fter you ha#e installed *indows 5er#er 2008" you &ust apply the Hyper- update

packages for *indows 5er#er 2008 /K79D00D0$ Eor links and &ore infor&ation about

installing the update for the release #ersion of the Hyper- technology for *indows

5er#er 2008" see %nstalling Hyper-$ ?ou should also apply any other re@uired updates

before you install the Hyper- role$

To #iew the list of software updates and check if any are &issing" at the co&&and

pro&pt" type:

wmic 'fe list

%f you do not see L#bid=>?44?4" download the Hyper- updates and then type the

following co&&and at a co&&and pro&pt:

wusa+e(e !indows)+4-:$>?44?4-()*+msu @'uiet

There are three update packages$ 3fter you install the updates" you &ust restart the

ser#er$ The 'pdate for *indows 5er#er 2008 B 1dition /K7 9D00D0 and )anguage

Pack for Hyper- /K79D;A &ust be installed on the parent partition of the 5er#er Core

installation$

The 'pdate for *indows 5er#er 2008 /K79D22< is for re&ote &anage&ent of the

5er#er Core installation if you are &anaging the ser#er fro& a co&puter running

*indows ista 5er#ice Pack ; /5P;" and &ust be installed on the co&puter running

*indows ista 5P;$

&mportant

A;









7efore you enable the Hyper- role" ensure that you ha#e enabled the re@uired

hardware-assisted #irtuali,ation and hardware-enforced 4ata 1ecution

Pre#ention /41P 7%65 settings$ Checks for these settings are perfor&ed before

you enable the Hyper- role on a full installation" but not on a 5er#er Core

installation$ 3fter you &ake the 7%65 configuration changes to enable the re@uired hardware

features" you &ay need to turn off the power to the co&puter and then turn it back on

/restarting the co&puter &ay not apply the changes to the settings$ %f you enable the

Hyper- role without &odifying the 7%65 settings" the *indows hyper#isor &ay not work

as epected$ %f this happens" check the e#ent log for details" &odify the 7%65 settings

according to the ser#er hardware &anufacturer instructions" turn off and turn on the

co&puter running a 5er#er Core installation" and then install Hyper- again$

To check if your ser#er hardware is co&patible" see the *indows 5er#er catalog

/http:go$&icrosoft$co&fwlink>)ink%d;2ADAD$ Click the list of Certified 2ervers" and

then click $y additional 'ualifications Hyper-V$ Eor instructions about how to enable

the 7%65 settings" check with your hardware &anufacturer$

Additional references• 6C5etup Co&&and-)ine 6ptions /http:go$&icrosoft$co&fwlink>)ink%d;2ADA2

• Co&&and (eference /http:go$&icrosoft$co&fwlink>)ink%49;B<A

• 5er#er Core installation blog on Tech.et /http:go$&icrosoft$co&fwlink>)ink%d;2ADA;

&nstall the Hyper-V 5ole on a ;ull &nstallation

of !indows 2erver 3447%nstalling the Hyper- role on a full installation of *indows 5er#er 2008 installs all the

co&ponents of the Hyper- technology" including the re&ote &anage&ent tools$ The tools

consist of Hyper- Manager" which is a Microsoft Manage&ent Console /MMC snap-in" and

irtual Machine Connection" which pro#ides you with direct access to a #irtual &achine through a

network connection$

The release #ersion of this role is distributed in an update package$ *e reco&&end that you

obtain and apply the update package before you install and begin using the Hyper- role$ Eor

&ore infor&ation about the update packages for Hyper-" see %nstalling Hyper-$

&mportant

%f you ha#e installed an earlier #ersion of Hyper-" we strongly reco&&end that you

re#iew the infor&ation about &igrating to the release #ersion of Hyper- before you apply

the update package$ 5o&e co&ponents cannot be &igrated" as eplained in the support

article that describes the role update package$ Eor &ore infor&ation" see article 9D00D0

in the Microsoft Knowledge 7ase /http:go$&icrosoft$co&fwlink>)ink%d;22;88$

A2













&mportant

Me&bership in the local Administrators group" or e@ui#alent" is the &ini&u& re@uired to

co&plete this procedure$

0o install the Hyper-V role;$ %f you recently installed *indows 5er#er 2008" %nitial Configuration Tasks &ay be

displayed$ ?ou can install Hyper- fro& %nitial Configuration Tasks or fro& 5er#er

Manager:

• %n %nitial Configuration Tasks" under Customi,e 0his 2erver " click Add roles$

• %n 5er#er Manager" under 5oles 2ummary" click Add 5oles$ /%f 5er#er Manager is

not running" click 2tart" point to Administrative 0ools" click 2erver 1anager " and

then" if pro&pted for per&ission to continue" click Continue$

2$ 6n the 2elect 2erver 5oles page" click Hyper-V$

A$ 6n the Create Virtual etwor#s page" click one or &ore network adapters if you want to

&ake their connection to a physical network a#ailable to #irtual &achines$

B$ 6n the Confirm &nstallation 2elections page" click &nstall$

D$ The co&puter &ust be restarted to co&plete the installation$ Click Close to finish the

wi,ard" and then click %es to restart the co&puter$

$ 3fter you restart the co&puter" log on with the sa&e account you used to install the role$

3fter the (esu&e Configuration *i,ard co&pletes the installation" click Close to finish

the wi,ard$

Additional considerations• ?ou can create a #irtual network when you install the Hyper- role$ This action changes the

configuration of the physical network adapter you selected when you installed the role$ Eor

&ore infor&ation about how a physical network adapter operates after you associate it to a

#irtual network" see Configuring irtual .etworks$

• ?ou can install the &anage&ent tools on so&e #ersions of *indows without installing the

Hyper- role$ Eor &ore infor&ation about installing the tools without installing the Hyper-

role" see %nstall and Configure Hyper- Tools for (e&ote 3d&inistration$

• *hen the Hyper- role is installed" the use of irtual 5er#er or irtual PC on the co&puter is

not supported$

&nstall and Configure Hyper-V 0ools for5emote Administration

?ou can install the Hyper- &anage&ent tools on a full installation of *indows 5er#er 2008 and

on *indows ista 5er#ice Pack ; /5P;$ This topic describes how to install and configure the

tools$

AA



ote

Me&bership in the local Administrators group" or e@ui#alent" is the &ini&u& re@uired to

co&plete this procedure$

&nstalling the management tools%nstalling the tools consists of obtaining and applying the appropriate update to the operating

syste&$

0o install the management tools

;$ 6btain the appropriate update package for the operating syste& on which you want to

install the tools$ Eor &ore infor&ation" see %nstalling Hyper-$

2$ %nstall the update package using the &ethod appropriate for the way you obtained the

package:

•

%f you obtained the update fro& *indows 'pdate and the co&puter is not set up toinstall updates auto&atically" install the update &anually$

• %f you obtained the update fro& the Microsoft 4ownload Center" download the file to

the co&puter and then double-click the $&su file$

A$ %f you are installing the tools on *indows ista 5P;" no additional installation steps are

re@uired" so you can proceed to the configuration instructions$ %f you are installing the

tools on *indows 5er#er 2008" co&plete the re&aining steps$

B$ 6pen 5er#er Manager$ /%f 5er#er Manager is not running" click 2tart" point to

Administrative 0ools" click 2erver 1anager " and then" if pro&pted for per&ission to

continue" click Continue$

D$ %n 5er#er Manager" under ;eatures 2ummary" click Add ;eatures$$ 6n the 2elect ;eatures page" epand 5emote 2erver Administration 0ools" and then

epand 5emote Administration 0ools$

<$ Click Hyper-V 0ools" and then proceed through the rest of the wi,ard$

Configuring the management toolsThe configuration process consists of &odifying #arious co&ponents that control access and

co&&unications between the ser#er running Hyper- and the co&puter on which you will run the

Hyper- &anage&ent tools$

ote.o additional configuration is re@uired if you are using the &anage&ent tools on a

co&puter running *indows 5er#er 2008 and the sa&e user account is a &e&ber of the

3d&inistrators group on both co&puters$

AB



Configuring the server running Hyper-VThe following procedures describe how to configure the ser#er running Hyper-$ *hen do&ain-

le#el trust is not established" perfor& all the steps$ *hen do&ain-le#el trust eists but the re&ote

user is not a &e&ber of the 3d&inistrators group on the ser#er running Hyper-" you &ust &odify

the authori,ation policy" but you can skip the steps for &odifying the 4istributed C6M 'sersgroup and the *indows Manage&ent %nstru&entation /*M% na&espaces$

ote

The following procedures assu&e that you ha#e installed the Hyper- role on the ser#er$

Eor instructions about installing the Hyper- role" see %nstall the Hyper- (ole on a Eull

%nstallation of *indows 5er#er 2008 or %nstall the Hyper- (ole on a 5er#er Core

%nstallation of *indows 5er#er 2008$

0o configure the Hyper-V role for remote management on a full installation of !indows2erver 3447

;$ 1nable the firewall rules for *indows Manage&ent %nstru&entation$ Ero& an ele#atedco&&and pro&pt" type:

netsh advfirewall firewall set rule group=B!indows 1anagement &nstrumentation

.!1&/ new enable=yes

The co&&and has succeeded when it returns the following &essage: L'pdated B

rules/s$ 6k$

ote

To #erify that the co&&and succeeded" you can #iew the results in *indows

Eirewall with 3d#anced 5ecurity$ Click 2tart" click Control Panel" switch to

Classic iew if you are not using that #iew" click Administrative 0ools" and then

click !indows ;irewall with Advanced 2ecurity$ 5elect inbound rules oroutbound rules and then sort by the Group colu&n$ There should be three

inbound rules and one outbound rule enabled for *indows Manage&ent

%nstru&entation$

2$ The net steps configure the authori,ation policy for the ser#er running the Hyper- role$

%f the user who re@uires re&ote access to the ser#er running Hyper- belongs to the

3d&inistrators group on both co&puters" then it is not necessary to configure the

authori,ation policy$

ote

The instructions for configuring the authori,ation policy assu&e that the default

authori,ation policy has not been &odified" including the default location" and

that the account you are configuring for re&ote access re@uires full

ad&inistrati#e access to the Hyper- role$

A$ Click 2tart" click 2tart 2earch and type a,man+msc$ %f you are pro&pted to confir& the

action" click Continue$ The 3uthori,ation Manager Microsoft Manage&ent Console

/MMC snap-in opens$

AD



B$ %n the na#igation pane" right-click Authori,ation 1anager and click Open Authori,ation

2tore$ Make sure that 19 file is selected$ 7rowse to the Osyste& dri#eONProgra&

4ataNMicrosoftN*indowsNHyper- folder" select %nitial5tore$&l" click Open and then click

O:$

ote

The Progra& 4ata folder is a hidden folder by default$ %f the folder is not #isible"

type: EsystemFdriveProgramData1icrosoft!indowsHyper-

Vinitalstore+(ml

D$ %n the na#igation pane" click Hyper-V services" and then click 5ole Assignments$ (ight-

click Administrator " point to Assign 6sers and Groups" and then point to ;rom

!indows and Active Directory$ %n the 2elect 6sers< Computers< or Groups dialog

bo" type the do&ain na&e and user na&e of the user account" and then click O:$

$ Close 3uthori,ation Manager$

<$ .et" you add the re&ote user to the 4istributed C6M 'sers group to pro#ide access to

the re&ote user$ Click 2tart" point to Administrative tools" and click Computer

1anagement$ %f 'ser 3ccount Control is enabled" click Continue$ Co&ponent 5er#ices

opens$

8$ 1pand 9ocal 6sers and Groups" and then click Groups$ (ight-click Distributed CO1

6sers and click Add to Group$

9$ %n the Distributed CO1 6sers Properties dialog bo" click Add$

;0$ %n the 2elect 6sers< Computers< or Groups dialog bo" type the na&e of the user and

click O:$

;;$ Click O: again to close the Distributed CO1 6sers Properties dialog bo$ Close

Co&ponent 5er#ices$

;2$ The re&aining steps grant the re@uired *M% per&issions to the re&ote user for two

na&espaces: the C%M2 na&espace and the #irtuali,ation na&espace$ Click 2tart" click

Administrative 0ools" and then click Computer 1anagement$

;A$ %n the na#igation pane" click 2ervices and Applications" right-click !1& Control" and

then click Properties$

;B$ Click the 2ecurity tab" click 5oot" and then click C&1V3$ 7elow the na&espace list" click

2ecurity$

;D$ %n the 2ecurity for 5OO0C&1V3 dialog bo" check to see if the appropriate user is

listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo" type the

na&e of the user and click O:$

;$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or

group name" click Advanced$ 6n the Permissions tab" #erify that the user you want is

selected and then click dit$ %n the Permission ntry for C&1V3 dialog bo" &odify

three settings as follows:

• Eor Apply to" select 0his namespace and subnamespaces$

• %n the Permissions list" in the Allow colu&n" select the 5emote nable check bo$

A



• 7elow the Permissions list" select the Apply these permissions to obIects and@or

containers within this container only check bo$

;<$ Click O: in each dialog bo until you return to the !1& Control Properties dialog bo$

;8$ .et" you repeat the process for the #irtuali,ation na&espace$ 5croll down if necessary

until you can see the #irtuali,ation na&espace$ Click virtuali,ation$ 7elow the

na&espace list" click 2ecurity$

;9$ %n the 2ecurity for 5OO0virtuali,ation dialog bo" check to see if the appropriate user

is listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo" type

the na&e of the user and click O:$

20$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or


selected and then click dit$ %n the Permission ntry for virtuali,ation dialog bo"

&odify three settings as follows:





2;$ Click O: in each dialog bo and then close Co&puter Manage&ent$

22$ (estart the ser#er to apply the changes to the authori,ation policy$

0o configure the Hyper-V role for remote management on a 2erver Core installation of!indows 2erver 3447

;$ 1nable the firewall rules on the ser#er for *indows Manage&ent %nstru&entation$ Ero&

an ele#ated co&&and pro&pt" type:

netsh advfirewall firewall set rule group=B!indows 1anagement &nstrumentation

.!1&/ new enable=yes

The co&&and has succeeded when it returns the following &essage: L'pdated B

rules/s$ 6k$

2$ .et" you &odify the 4istributed C6M per&issions to pro#ide access to the re&ote user$

Type:

net localgroup BDistributed CO1 6sers @add EdomainFnameEuserFname

where do&ainUna&eV is the do&ain that the user account belongs to and

userUna&eV is the user account you want to grant re&ote access to$

A$ .et" you connect re&otely to the ser#er running the 5er#er Core installation so you can&odify the authori,ation policy and the two *M% na&espaces" using MMC snap-ins that

are not a#ailable on the 5er#er Core installation$

)og on to the co&puter on which you will run the Hyper- &anage&ent tools" using a

do&ain account that is a &e&ber of the 3d&inistrators group on the co&puter running a

5er#er Core installation$ /%f you need to add this user" see the instructions in %nstall the

Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er 2008$

A<



ote

The instructions for configuring the authori,ation policy assu&e that the default

authori,ation policy has not been &odified" including the default location" and

that the account you are configuring for re&ote access re@uires full

ad&inistrati#e access to the Hyper- role$

B$ Click 2tart" click 2tart 2earch and type a,man+msc$ %f you are pro&pted to confir& the

action" click Continue$ The 3uthori,ation Manager snap-in opens$

D$ %n the na#igation pane" right-click Authori,ation 1anager and click Open Authori,ation

2tore$ Make sure that 19 file is selected and type:

EremoteFcomputercJProgramData1icrosoft!indowsHyper-Vinitalstore+(ml

where re&oteUco&puterV is the na&e of the co&puter running the 5er#er Core

installation$

Click Open and then click O:$

$ %n the na#igation pane" click Hyper-V services" and then click 5ole Assignments$ (ight-click Administrator " point to Assign 6sers and Groups" and then point to ;rom

!indows and Active Directory$ %n the 2elect 6sers< Computers< or Groups dialog

bo" type the do&ain na&e and user na&e of the user account" and then click O:$

<$ Close 3uthori,ation Manager$

8$ The re&aining steps grant the re@uired *M% per&issions to the re&ote user for two

na&espaces: the C%M2 na&espace and the #irtuali,ation na&espace$ Click 2tart" click

Administrative 0ools" and then click Computer 1anagement$

9$ %n the na#igation pane" click 2ervices and Applications" right-click !1& Control" and

then click Properties$

;0$ Click the 2ecurity tab$ Click 5oot and then click C&1V3$ 7elow the na&espace list" click2ecurity$

;;$ %n the 2ecurity for 5OO0C&1V3 dialog bo" check to see if the appropriate user is

listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo" type the

na&e of the user and click O:$

;2$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or


selected and then click dit$ %n the Permission ntry for C&1V3 dialog bo" &odify

three settings as follows:





;A$ Click O: in each dialog bo until you return to the !1& Control Properties dialog bo$

;B$ .et" you repeat the process for the #irtuali,ation na&espace$ 5croll down if necessary

until you can see the #irtuali,ation na&espace$ Click virtuali,ation$ 7elow the

na&espace list" click 2ecurity$

A8



;D$ %n the 2ecurity for 5OO0virtuali,ation dialog bo" check to see if the appropriate user

is listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo" type

the na&e of the user and click O:$

;$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or

group name" click Advanced$ 6n the Permissions tab" #erify that the user you want isselected and then click dit$ %n the Permission ntry for virtuali,ation dialog bo"

&odify three settings as follows:





;<$ Click O: in each dialog bo and then close Co&puter Manage&ent$

;8$ (estart the co&puter running a 5er#er Core installation to apply the changes to the

authori,ation policy$

Configuring !indows Vista 2PKThe following procedure describes how to configure *indows ista 5P; when do&ain-le#el trust

is not established$

0o configure !indows Vista 2PK

;$ )og on to the co&puter running *indows ista 5P;$

2$ 1nable the firewall rules for *indows Manage&ent %nstru&entation$ Ero& an ele#ated

co&&and pro&pt" type:

netsh advfirewall firewall set rule group=!indows 1anagement &nstrumentation.!1&/ new enable=yes

The co&&and has succeeded when it returns the following &essage: L'pdated 8

rules/s$ 6k$

ote

To #erify that the co&&and succeeded" you can #iew the results in *indows

Eirewall with 3d#anced 5ecurity$ Click 2tart" click Control Panel" switch to

Classic iew if you are not using that #iew" click Administrative 0ools" and then

click !indows ;irewall with Advanced 2ecurity$ 5elect inbound rules or

outbound rules and then sort by the Group colu&n$ There should be si inbound

rules and two outbound rules enabled for *indows Manage&ent%nstru&entation$

A$ 1nable a firewall eception for the Microsoft Manage&ent Console$ Ero& an ele#ated

co&&and pro&pt" type:

etsh firewall add allowedprogram program=LwindirLsystemM3mmc+e(e

name=N1icrosoft 1anagement ConsoleN

A9



B$ 5tart Hyper- Manager to #erify that you can connect re&otely to the ser#er$ Click 2tart"

click the 2tart 2earch bo" type Hyper-V 1anager and press 1.T1($ %f you are

pro&pted to confir& the action" click Continue$ %n Hyper- Manager" under Actions"

click Connect to 2erver $ Type the na&e of the co&puter or browse to it" and click O:$ %f

Hyper- Manager can connect to the re&ote co&puter" the co&puter na&e will appear inthe na#igation pane and the results pane will list all the #irtual &achines configured on

the ser#er$

Configuring Virtual etwor#s

This section describes the basics of #irtual networking in Hyper- and the different types of #irtual

networks you can configure$ .etworking in Hyper- works differently than networking in

irtual 5er#er 200D" and these differences are also discussed$ 7efore configuring a #irtual

network" you should deter&ine the design and type of #irtual network you plan to use$ ?ou should

be aware that Hyper- does not support wireless networks$

Eor step-by-step instructions to configure a #irtual network" see 5tep-by-5tep =uide to =etting

5tarted with Hyper- /http:go$&icrosoft$co&fwlink>)ink%4;;920<$

Virtual networ# types?ou can create #irtual networks on the ser#er running Hyper- to define #arious networking

topologies for #irtual &achines and the #irtuali,ation ser#er$ 'sing irtual .etwork Manager

/accessed fro& Hyper- Manager" you ha#e three different types of #irtual networks to choose

fro&$• (ternal virtual networ#s$ 'se this type when you want to allow #irtual &achines to

co&&unicate with eternally located ser#ers and the &anage&ent operating syste&

/so&eti&es referred to as the parent partition$ This type also allows #irtual &achines on the

sa&e physical ser#er to co&&unicate with each other$

• &nternal virtual networ#s$ 'se this type when you want to allow co&&unication between

#irtual &achines on the sa&e physical ser#er and #irtual &achines and the &anage&ent

operating syste&$ 3n internal #irtual network is a #irtual network that is not bound to a

physical network adapter$ %t is co&&only used to build a test en#iron&ent where you need to

connect to the #irtual &achines fro& the &anage&ent operating syste&$

• Private virtual networ#s$ 'se this type when you want to allow co&&unication only between

#irtual &achines on the sa&e physical ser#er$ 3 pri#ate #irtual network is a #irtual network

without a #irtual network adapter in the &anage&ent operating syste&$ Pri#ate #irtual

networks are co&&only used when you want to isolate #irtual &achines fro& network traffic

in the &anage&ent operating syste& and in the eternal networks$

B0





Virtual networ#ing basics*hile Hyper- allows you to configure co&ple #irtual network en#iron&ents" the basic concept

of #irtual networking is straightforward$ Eor a si&ple #irtual network configuration" we reco&&end

that you ha#e at least two network adapters on the ser#er running Hyper-: one network adapter

dedicated to the physical &achine for re&ote &anage&ent" and one or &ore network adaptersdedicated to the #irtual &achines$ %f you are running an %nternet 5C5% /i5C5% initiator for #irtual

hard disk storage" we reco&&end that you use additional network adapters in the &anage&ent

operating syste&$ The &anage&ent operating syste& is a partition that calls the *indows

hyper#isor and re@uests that new partitions are created$ There can be only one &anage&ent

operating syste&$ Eor infor&ation on the backup and reco#ery strategy for a #irtuali,ed ser#er

en#iron&ent" see Planning for 7ackup$

*hen you add the Hyper- role during a full installation of *indows 5er#er 2008" you ha#e the

option to configure one or &ore eternal #irtual networks$

ote

This option is not a#ailable when perfor&ing a 5er#er Core installation of *indows5er#er 2008$ The #irtual network adapters can be rena&ed to reflect if they are assigned

to the physical &achine or the #irtual &achines$

*hen you install Hyper- and create an eternal #irtual network" the &anage&ent operating

syste& uses a new #irtual network adapter to connect to the physical network$ The network

connections consist of the original network adapter and the new #irtual network adapter$ The

original physical network adapter does not ha#e anything bound to it$ Howe#er" the #irtual

network adapter has all of the standard protocols and ser#ices bound to it$

Hyper- binds the irtual .etwork 5er#ice Protocol to a physical network adapter when an

eternal #irtual network is created$ ?ou should be aware that eternal network connecti#ity will be

te&porarily disrupted when an eternal #irtual network is created or deleted$

6nce it is created" a #irtual network works +ust like a physical network ecept that the switch is

software based and ports can be added or re&o#ed dyna&ically as they are needed$

6nce an eternal #irtual network is configured" all networking traffic is routed though the #irtual

switch$ Eor this reason" we reco&&end using at least one additional physical network adapter for

&anaging network traffic$ The #irtual switch functions as a physical switch would and routes

networking traffic through the #irtual network to its destination$ The following i&age is an ea&ple

of an eternal #irtual network$

B;



(ternal virtual networ#

Eor internal #irtual networks" only co&&unication between #irtual &achines on the sa&e physical

ser#er and between #irtual &achines and the &anage&ent operating syste& is allowed$ The

following i&age is an ea&ple of an internal #irtual network$

B2



&nternal virtual networ#

'se a pri#ate #irtual network when you want to allow co&&unication only between #irtual

&achines on the sa&e physical ser#er$ The following i&age is an ea&ple of a pri#ate #irtual

network$

Private virtual networ#

BA



etwor#ing and virtual machines%n Hyper-" when a #irtual &achine is created and attached to a #irtual network" it connects using

a #irtual network adapter$ There are two types of network adapters a#ailable for Hyper-: a

network adapter and a legacy network adapter$ Eor the network adapter to work" integration

ser#ices &ust be installed" which is part of the Hyper- installation$ %f integration ser#ices cannotbe installed because of the #ersion of the operating syste&" the network adapter cannot be used$

%nstead" you need to add a legacy network adapter that e&ulates an %ntel 2;;B0-based PC% East

1thernet 3dapter and works without installing a #irtual &achine dri#er$ 3 legacy network adapter

also supports network-based installations because it includes the ability to boot to the Pre-7oot

1ecution 1n#iron&ent /PJ1$ The legacy network adapter is also re@uired if a #irtual &achine

needs to boot fro& a network$ ?ou will need to disable the network adapter after the PJ1 boot$

The #irtual &achine is logically connected to a port on the #irtual network$ Eor a networking

application on the #irtual &achine to connect to so&ething eternally" it is first routed through the

#irtual network adapter to the #irtual port on the eternal #irtual network to which the #irtual

&achine is attached$ The networking packet is then directed to the physical network adapter and

out to an eternal physical network$

Eor the #irtual &achine to co&&unicate with the &anage&ent operating syste&" there are two

options$ 6ne option is to route the network packet through the physical network adapter and out

to the physical network" which then returns the packet back to the ser#er running Hyper- using

the second physical network adapter$ 3nother option is to route the network packet through the

#irtual network" which is &ore efficient$ The option selected is deter&ined by the #irtual network$

The #irtual network includes a learning algorith&" which deter&ines the &ost efficient port to

direct traffic to and will send the network packet to that port$ 'ntil that deter&ination is &ade by

the #irtual network" network packets are sent out to all #irtual ports$

Configuring virtual local area networ#s .V9As/Hyper- supports #irtual local area networks /)3.s" and because a )3. configuration is

software-based" co&puters can easily be &o#ed and still &aintain their network configurations$

Eor each #irtual network adapter you connect to a #irtual &achine" you can configure a )3. %4

for the #irtual &achine$ ?ou will need the following to configure )3.s:

• 3 physical network adapter that supports )3.s$

• 3 physical network adapter that supports network packets with )3. %4s that are already

applied$

6n the &anage&ent operating syste&" you will need to configure the #irtual network to allow

network traffic on the physical port$ This is for the )3. %4s that you want to use internally with

#irtual &achines$ .et" you configure the #irtual &achine to specify the #irtual )3. that the #irtual

&achine will use for all network co&&unications$

There are two &odes in which you can configure a )3.: access &ode and trunk &ode$ %n

access &ode" the eternal port of the #irtual network is restricted to a single )3. %4 in the '%$

?ou can ha#e &ultiple )3.s using *M%$ 'se access &ode when the physical network adapter

is connected to a port on the physical network switch that also is in access &ode$ To gi#e a #irtual

&achine eternal access on the #irtual network that is in access &ode" you &ust configure the

BB



#irtual &achine to use the sa&e )3. %4 that is configured in the access &ode of the #irtual

network$ Trunk &ode allows &ultiple )3. %4s to share the connection between the physical

network adapter and the physical network$ To gi#e #irtual &achines eternal access on the #irtual

network in &ultiple )3.s" you need to configure the port on the physical network to be in trunk

&ode$ ?ou will also need to know the specific )3.s that are used and all of the )3. %4s used

by the #irtual &achines that the #irtual network supports$

0o allow Hyper-V to use a V9A

;$ 6pen Hyper- Manager$

2$ Ero& the 3ctions &enu" click Virtual etwor# 1anager $

A$ 5elect the #irtual network you want to edit" and" in the right pane" check to select nable

virtual 9A identification$

B$ 1nter a nu&ber for the )3. %4$ 3ll traffic for the &anage&ent operating syste& that

goes through the network adapter will be tagged with the )3. %4 you set$

0o allow a virtual machine to use a V9A

;$ 6pen Hyper- Manager$

2$ %n the results pane" under Virtual 1achines" select the #irtual &achine that you want to

configure to use a )3.$

A$ %n the Action pane" under the #irtual &achine na&e" click 2ettings$

B$ 'nder Hardware" select the #irtual network adapter connected to the eternal #irtual

network$

D$ %n the right pane" select nable virtual 9A identification" and then enter the )3. %4

you plan to use$

%f you need the #irtual &achine to co&&unicate using additional )3.s" connect additional

network adapters to the appropriate #irtual network and assign the )3. %4$ Make sure to

configure the %P addresses correctly and that the traffic you want to &o#e across the )3. is also

using the correct %P address$

&mplementing Dis#s and 2torage

This section describes the #arious storage options that a ser#er running Hyper- supports$ %t also

generally discusses how to plan for storage" how to create a #irtual hard disk" and how to

configure storage$?ou can use the following types of physical storage with a ser#er that runs Hyper-:

• Direct-attached storage .storage attached to the management operating system/+ ?ou

can use 5erial 3d#anced Technology 3ttach&ent /53T3" eternal 5erial 3d#anced

Technology 3ttach&ent /e53T3" Parallel 3d#anced Technology 3ttach&ent /P3T3" 5erial

3ttached 5C5% /535" 5C5%" '57" and Eirewire$

BD



• 2torage area networ#s .2As/+ ?ou can use %nternet 5C5% /i5C5%" Eibre Channel" and

535 technologies$

ote

.etwork-attached storage /.35 is not supported for Hyper-$

Eor &ore infor&ation about the re@uire&ents and other considerations about hardware" see

Hardware Considerations$

Determining your storage options on themanagement operating system

6n the &anage&ent operating syste&" you can select to use either #irtual hard disks or physical

disks that are directly attached to a #irtual &achine$ irtual hard disks can ha#e a capacity of up

to 20B0 gigabytes and include the following types:

• ;i(ed$ 3 fied #irtual hard disk is a disk that occupies physical disk space on the

&anage&ent operating syste& e@ual to the &ai&u& si,e of the disk" regardless of whether

a #irtual &achine re@uires the disk space$ 3 fied #irtual hard disk takes longer to create than

other types of disks because the allocated si,e of the $#hd file is deter&ined when it is

created$ This type of #irtual hard disk pro#ides i&pro#ed perfor&ance co&pared to other

types because fied #irtual hard disks are stored in a contiguous block on the &anage&ent

operating syste&$

• Dynamically e(panding$ 3 dyna&ically epanding #irtual hard disk is a disk in which the si,e

of the $#hd file grows as data is written to the disk$ This type pro#ides the &ost efficient use of

disk space$ ?ou will need to &onitor the a#ailable disk space to a#oid running out of disk

space on the &anage&ent operating syste&$

•

Differencing$ 3 differencing #irtual hard disk stores the differences fro& the #irtual hard diskon the &anage&ent operating syste&$ This allows you to isolate changes to a #irtual

&achine and keep a #irtual hard disk in an unchanged state$ The differencing disk on the

&anage&ent operating syste& can be shared with #irtual &achines and" as a best practice"

&ust re&ain read-only$ %f it is not read-only" the #irtual &achineSs #irtual hard disk will be

in#alidated$

*ith #irtual hard disks" each #irtual &achine supports up to D;2 T7 of storage$ Physical disks that

are directly attached to a #irtual &achine ha#e no si,e li&it other than what is supported by the

guest operating syste&$ Physical disks are discussed in &ore detail later in this docu&ent in How

to configure physical disks that are directly attached to a #irtual &achine$

Determining your storage options on virtualmachines

?ou can select either integrated de#ice electronics /%41 or 5C5% de#ices on #irtual &achines:

• &D devices$ Hyper- uses e&ulated de#ices with %41 controllers$ ?ou can ha#e up to two

%41 controllers with two disks on each controller$ The startup disk /so&eti&es referred to as

B



the boot disk &ust be attached to one of the %41 de#ices$ The startup disk can be either a

#irtual hard disk or a physical disk$ 3lthough a #irtual &achine &ust use an %41 de#ice as the

startup disk to start the guest operating syste&" you ha#e &any options to choose fro& when

selecting the physical de#ice that will pro#ide the storage for the %41 de#ice$ Eor ea&ple"

you can use any of the types of physical storage identified in the introduction section$

• 2C2& devices$ 1ach #irtual &achine supports up to 2D 5C5% disks /four 5C5% controllers

with each controller supporting up to B disks$ 5C5% controllers use a type of de#ice

de#eloped specifically for use with #irtual &achines and use the #irtual &achine bus to

co&&unicate$ The #irtual &achine bus &ust be a#ailable when the guest operating syste& is

started$ Therefore" #irtual hard disks attached to 5C5% controllers cannot be used as startup

disks$

ote

3lthough the %6 perfor&ance of physical 5C5% and %41 de#ices can differ significantly"

this is not true for the #irtuali,ed 5C5% and %41 de#ices in Hyper-$ Hyper- %41 and

5C5% de#ices both offer e@ually fast %6 perfor&ance when integration ser#ices areinstalled in the guest operating syste&$

The following table describes the #arious storage options a#ailable with %41 de#ices:

2cenario 9ocal &D

virtual hard

dis#

9ocal directly

attached &D

5emote &D virtual

hard dis#

5emote directly

attached &D

5torage type 4irect-attached

storage

4irect-attached

storage

53." Eibre

Channeli5C5%

53." Eibre

Channeli5C5%

Type of disk that

is eposed to the&anage&ent

operating syste&

irtual hard

disk on .TE5

Physical disk

directlyattached to a

#irtual &achine

irtual hard disk on

.TE5

Physical disk

directly attached toa #irtual &achine

Mai&u&

supported disk

si,e on #irtual

&achine

2 terabytes .o si,e li&it

other than what

is supported by

the guest

operating

syste&

2 terabytes .o si,e li&it other

than what is

supported by the

guest operating

syste&

irtual hard disk

snapshots are

supported

?es .o ?es .o

4yna&ically

epanding #irtual

hard disk

?es .o ?es .o

4ifferencing ?es .o ?es .o

B<



2cenario 9ocal &D

virtual hard

dis#

9ocal directly

attached &D

5emote &D virtual

hard dis#

5emote directly

attached &D

#irtual hard disk

3bility of #irtual

&achines to

dyna&ically /hot

add access any

disk

.o .o .o .o

The following table describes the #arious storage options a#ailable with 5C5% de#ices:

2cenario 9ocal 2C2&

virtual hard

dis#

9ocal directly

attached 2C2&

5emote 2C2& virtual

hard dis#

5emote directly

attached 2C2&

5torage type 4irect-attached

storage

4irect-attached

storage

53." Eibre

Channeli5C5%

53." Eibre

Channeli5C5%

Type of disk that

is eposed to the

&anage&ent

operating syste&

irtual hard

disk on .TE5

Physical disk

directly

attached to a

#irtual &achine

irtual hard disk on

.TE5

Physical disk

directly attached to

a #irtual &achine

Mai&u&

supported disk

si,e on #irtual&achine

2 terabytes .o si,e li&it

other than what

is supported bythe guest

operating

syste&

2 terabytes .o si,e li&it other

than what is

supported by theguest operating

syste&

irtual hard disk

snapshots are

supported

?es .o ?es .o

4yna&ically

epanding #irtual

hard disk

?es .o ?es .o

4ifferencing

#irtual hard disk

?es .o ?es .o

3bility of #irtual

&achines to

dyna&ically /Lhot-

add access any

.o .o .o .o

B8



2cenario 9ocal 2C2&

virtual hard

dis#

9ocal directly

attached 2C2&

5emote 2C2& virtual

hard dis#

5emote directly

attached 2C2&

disk

How to create virtual hard dis#s?ou can use #irtual hard disks as a storage option on the &anage&ent operating syste&" and

then &ake the storage a#ailable to #irtual &achines$

?ou can create and &anage #irtual hard disks using the Hyper- Manager tool$ To create a new

#irtual hard disk" you would use either the .ew irtual Hard 4isk *i,ard or the .ew irtual

Machine *i,ard$ %f you are creating dyna&ically epanding disks" the .ew irtual Machine

*i,ard pro#ides a way to create storage for the new #irtual &achine without running the .ew

irtual Hard 4isk *i,ard$ This can be useful if you want to install a guest operating syste& in a#irtual &achine soon after you create it$

*hen creating a new #irtual hard disk" a na&e and storage location is re@uired$ The disks are

stored as $#hd files" which &akes the& portable but also poses a potential security risk$ ?ou

should &itigate this risk by taking precautions such as storing the $#hd files in a secure location$

4o not create the #irtual hard disk in a folder that is &arked for encryption$ Hyper- does not

support the use of storage &edia if 1ncrypting Eile 5yste& has been used to encrypt the $#hd file$

Howe#er" you can use files stored on a #olu&e that uses *indows 7itlocker 4ri#e 1ncryption$

0o create a virtual hard dis#

;$ 6pen Hyper- Manager$ Click 2tart" point to Administrative 0ools" and then click

Hyper-V 1anager $

2$ %n the 3ction pane" click ew" and then click Hard Dis#$

A$ Proceed through the pages of the wi,ard to custo&i,e the #irtual hard disk$ ?ou can click

e(t to &o#e through each page of the wi,ard" or you can click the na&e of a page in

the left pane to &o#e directly to that page$

B$ 3fter you ha#e finished configuring the #irtual hard disk" click ;inish$

How to configure physical dis#s that are directlyattached to a virtual machine

?ou can use physical disks that are directly attached to a #irtual &achine as a storage option on

the &anage&ent operating syste&$ This allows #irtual &achines to access storage that is

&apped directly to the ser#er running Hyper- without first configuring the #olu&e$ The storage

can be either a physical disk which is internal to the ser#er" or a 53. logical unit nu&ber /)'.

that is &apped to the ser#er /a )'. is a logical reference to a portion of a storage subsyste&$

The #irtual &achine &ust ha#e eclusi#e access to the storage" so the storage &ust be set in an

B9



6ffline state in 4isk Manage&ent$ The storage is not li&ited in si,e" so it can be a &ultiterabyte

)'.$

*hen using physical disks that are directly attached to a #irtual &achine" you should be aware of

the following:

• This type of disk cannot be dyna&ically epanded$

• ?ou cannot use differencing disks with the&$

• ?ou cannot take #irtual hard disk snapshots$

0o configure physical dis#s that are directly attached to a virtual machine

;$ Map the storage de#ice you plan to use to the ser#er running Hyper-$ %n 4isk

Manage&ent" the storage appears as a raw #olu&e and is in an 6ffline state$

2$ To initiali,e the raw #olu&e" in 4isk Manage&ent" right-click the disk you want to

initiali,e" and then click &nitiali,e Dis#$ .ote that before you can initiali,e the disk" it &ust

be in an 6nline state$

A$ %n the &nitiali,e Dis# dialog bo" select the disk to initiali,e$ ?ou can select whether to

use the &aster boot record /M7( or ='%4 partition table /=PT partition style$

B$ 3fter a disk is initiali,ed" return it to an 6ffline state$ %f the disk is not in an 6ffline state" it

will not be a#ailable when configuring storage for a #irtual &achine$

D$ Eollow the steps in LTo create a #irtual hard disk and &ake sure to select Attach a

virtual hard dis# later in the .ew irtual Machine *i,ard$

$ 6pen Hyper- Manager$ Click 2tart" point to Administrative 0ools" and then click

Hyper-V 1anager $

<$ 'nder Virtual 1achines" select the #irtual &achine that you want to configure$

8$ %n the Action pane" under the #irtual &achine na&e" click 2ettings$

9$ %n the na#igation pane /left pane" click the controller that you want to attach the disk to$ %f

you plan to use the disk as a startup disk" &ake sure you attach it to an %41 controller$

Click Add$

;0$ 6n the Hard Drive page" select the location on the controller to attach the disk$

;;$ 'nder 1edia" specify the physical hard disk$ %f the disk does not appear in the drop-down

list under Physical hard dis#s" &ake sure the disk is in an 6ffline state in 4isk

Manage&ent$

;2$ 6nce the physical disk is configured" you can start the #irtual &achine and store data on

the disk$ %f installing an operating syste&" the installation process auto&atically prepares

the disk for use$ %f you are using the physical disk to store data" it &ust first be prepared

by the #irtual &achine$

%f you are installing an operating syste& on the physical disk and it is in an 6nline state

before the #irtual &achine is started" the #irtual &achine will fail to start$ ?ou &ust store

the #irtual &achine configuration file in an alternate location because the physical disk is

used by the operating syste& installation$ Eor ea&ple" locate the configuration file on

another internal dri#e on the ser#er running Hyper-$

D0



Appendi( A (ample Authori,ation 1anager

0as#s and Operations?ou can use the ea&ple tasks and operations listed here to help create role definitions$ (ole

definitions" co&bined with scopes and role assign&ents" help you pro#ide security for your

#irtuali,ation en#iron&ent using role-based access control$ Eor &ore infor&ation about role-

based access control in Hyper-" see the following topics in this guide:


• Configure Hyper- for (ole-based 3ccess Control

ote

?ou &ust be a &e&ber of the 3d&inistrators group on the local co&puter to &odify thedefault 3uthori,ation Manager policy /an JM) file to create role definitions and

assign&ents$

(ample tas#s and operations?ou cannot create or change operations$ ?ou can create tasks and role definitions that include

different groups of operations to allow a user within that role to perfor& the task$ 5o&e tasks

re@uire a co&ple group of operations$ 5uggested task na&es that describe what the tasks do

are listed in alphabetical order$ The operations re@uired are listed underneath each task na&e$

Add e(ternal networ# to server • 7ind to 1ternal 1thernet Port

• Create %nternal 1thernet port

• Connect irtual Machine

• Create irtual 5witch

• Create irtual 5witch Port





• iew 5witches



D;



Add internal networ# to server • Create %nternal 1thernet Port


• Connect irtual 5witch Port





• iew 5witches



Add private networ#• Connect irtual 5witch Port



• iew 5witches


Apply a snapshot• 3llow 6utput fro& irtual Machine

• Pause and (estart irtual Machine


• (econfigure irtual Machine

• 5tart irtual Machine

• 5top irtual Machine

• iew irtual Machine Configuration

Attach internal networ# adapter to virtual machine• (ead 5er#ice Configuration


• Connect irtual 5witch Port




• iew 5witches

D2





• 3llow 6utput fro& irtual Machine



• Change )3. Configuration on Port

Connect to a virtual machine• 3llow 6utput fro& irtual Machine

• 3llow %nput to irtual Machine


Create a virtual floppy dis# or virtual hard dis#• (ead 5er#ice Configuration

Create a virtual machine• 3llow 6utput fro& a irtual Machine

• Change irtual Machine 3uthori,ation 5cope

• Create irtual Machine


• 6ptional: Connect irtual 5witch Port

ote

%f you do not need this #irtual &achine connected to a network" you can lea#e this

out$ %f you want to connect your #irtual &achine to a network" add this operation$

Delete a private networ#• 4elete irtual 5witch


• iew 5witches


Delete a snapshot• (ead 5er#ice Configuration

• 4elete irtual Machine

DA



Delete a virtual machine• 3llow 6utput fro& irtual Machine


• 4elete irtual Machine

(port virtual machine• (ead 5er#ice Configuration

• 3llow 6utput fro& irtual Machine

&mport virtual machine• 3llow 6utput fro& a irtual Machine

• Create irtual Machine

• Change irtual Machine 3uthori,ation 5cope



1odify virtual machine settings .reconfigure a virtual machine/• 3llow 6utput fro& a irtual Machine




Pass C059 A90 D90 .send control signals to a virtualmachine/

• 3llow %nput to a irtual Machine

• 3llow 6utput fro& a irtual Machine


Pause a virtual machine• 3llow 6utput fro& irtual Machine

• Pause and (estart irtual Machine


5emove e(ternal networ# from server • 4elete irtual 5witch

• 4elete irtual 5witch Port

DB



• 4elete %nternal 1thernet port

• 4isconnect irtual 5witch Port

• 'nbind 1ternal 1thernet Port






• iew 5witches


5emove internal networ# adapter from a virtual machine• 3llow 6utput fro& irtual Machine

• Create irtual 5witch Ports

• Change )3. Configuration on Port

• 4isconnect irtual 5witch Port

• (econfigure 5er#ice






• iew 5witches




5emove internal networ# from server • 4elete irtual 5witch

• 4elete irtual 5witch Ports

• 4elete %nternal 1thernet Ports

• 4isconnect irtual 5witch Ports




• iew 5witches

DD





5emove private networ# from server • 4elete irtual 5witch


• iew 5witches


5ename a snapshot• 3llow 6utput fro& irtual Machine




5ename a virtual machine• 3llow 6utput fro& irtual Machine




5esume a virtual machine• 3llow 6utput fro& irtual Machine


• Pause and (estart a irtual Machine

2ave a virtual machine and start a virtual machine• 3llow 6utput fro& irtual Machine




2tart a virtual machine• 3llow 6utput fro& irtual Machine



D



0urn off a virtual machine• 3llow 6utput fro& irtual Machine



View Hyper-V server settings• 3llow 6utput fro& irtual Machine


• (econfigure 5er#ice


View networ# management• iew 5witch Ports

• iew 5witches


View virtual machines• 3llow 6utput fro& irtual Machine



Appendi( $ Authori,ation 1anager0erminology

?ou use the 3uthori,ation Manager Microsoft Manage&ent Console /MMC snap-in /3,Man$&sc

to select operations" group the& into tasks" and then authori,e roles to perfor& specific tasks$

?ou also use the snap-in to &anage tasks" operations" and user roles and per&issions$ 5ee

'sing 3uthori,ation Manager for Hyper- 5ecurity and Configure Hyper- for (ole-based 3ccess

Control for &ore infor&ation about using role-based access control for #irtual &achines in Hyper-

$

0erminologyThe following ter&inology is used in the contet of 3uthori,ation Manager:

• Operation+ 3 low-le#el per&ission in an application$ 6perations are the building blocks of

your policy for role-based access control$ Eor ea&ple" in Hyper- W3llow %nput to a irtual

MachineW" W3llow 6utput fro& a irtual Machine"W and WCreate a irtual MachineW are

operations$

D<



• Policy+ The data that 3uthori,ation Manager uses for role-based access control$ This data"

configured by a #irtuali,ation ad&inistrator" describes the relationships between roles" tasks"

and operations$ The policy is an JM) file that you can edit using the 3uthori,ation Manager

snap-in or with scripting tools$ Eor &ore infor&ation about the ele&ents of a policy" see

Checklist: 7efore you start using 3uthori,ation Manager /http:go$&icrosoft$co&fwlink>

)ink%4;AB;9<$

• 5ole+ 3 set of users andor groups that define a category of user who can perfor& a set of

tasks or operations$ Eor ea&ple" the users assigned to the ad&inistrator role by default ha#e

the ability to perfor& any task or operation in Hyper-$ The ad&inistrator can create any

nu&ber of other roles$

• Authori,ation store+ The repository for the authori,ation policy$ ?ou &ust create a store to

control resource accessIyou can do this either progra&&atically or using the snap-in$ The

default store location in Hyper- is an JM) file located at

NProgra&4ataNMicrosoftN*indowsNHyper-N%nitial5tore$&l$ 7oth Hyper- and 3uthori,ation

Manager support JM) files and 3cti#e 4irectory 4o&ain 5er#ices for storing a policy$

Howe#er" 3uthori,ation Manager stores for other applications can be created in 3cti#e4irectory )ightweight 4irectory 5er#ices and Microsoft 5) 5er#er /new for *indows ista

and *indows 5er#er 2008$

• 2cope+ 3 collection of resources with a co&&on access control policy$ %n 3uthori,ation

Manager" the scope can be a folder" an 3cti#e 4irectory container" a file-&asked collection of

files /for ea&ple" X$doc" a '()" or any ob+ect that can be accessed by the application and

its underlying authori,ation store$ The ob+ect can be assigned to only one scope$ 3ny ob+ect

that is not assigned to a scope takes the access control policy that is defined in the

3uthori,ation Manager application /or root scope$ The default scope is LHyper-V 2ervices$

Hyper- ob+ects that you can use for scopes include #irtual &achines" #irtual switches" and

#irtual switch ports$

Eor ea&ple" to grant ad&inistrator access to a set of #irtual &achines to a specific user or

group" create a scope for those #irtual &achines$ Eor &ore infor&ation" see *ork with

5copes /http:go$&icrosoft$co&fwlink>)ink%4;AB;99$

• 0as#+ 3 logical group of operations for acco&plishing a task$ Tasks can be categori,ed by

ob+ects and used to control access to the ob+ect$

ote

.o checks are &ade for dependent operations when you add tasks to a role

definition$ Eor ea&ple" the LConnect to a #irtual &achine task re@uires the L(ead

5er#ice Configuration" L3llow 6utput fro& a irtual Machine" and L3llow %nput to a

irtual Machine operations$• Departmental administrator+ 3n ad&inistrator who only has per&issions to perfor& the

tasks that are outlined in the role description$ 3t a higher organi,ational le#el" the

#irtuali,ation ad&inistrator creates and &aintains the role definitions and scopes$ Eor

ea&ple" the #irtuali,ation ad&inistrator can create a LHu&an (esources 3d&inistrator

depart&ental ad&inistrator role that is scoped only to #irtual &achines owned by the Hu&an

(esources depart&ent" and can create a different role /with the sa&e operations and tasks

D8










called LEinance 3d&inistrator that is scoped only to the Einance depart&ent #irtual

&achines$

• 5ole definition+ The list of operations that a user can perfor& with the assigned role$

• 5ole assignment+ 3 list of users who can perfor& the operations that are listed in the role

definition$

Eor ea&ple" the default ad&inistrator role definition includes all operations and the default

role assign&ent is for all users in the 7'%)T%.N3d&inistrators group$ ?ou can create a L'ser

role that can only use the L5tart irtual Machine" L5top irtual Machine" L3llow %nput to

irtual Machine and L3llow 6utput fro& irtual Machine operations$ ?ou can also create

roles based on organi,ational structures$ Eor ea&ple" you can create a role called Lirtual

.etwork 3d&inistrator and assign only the operations for #irtual networking to that role$ Eor

&ore infor&ation" see Manage =roups" (oles" and Tasks /http:go$&icrosoft$co&fwlink>

)ink%d;ABD;<$

• Virtuali,ation administrator+ 3n ad&inistrator who has local ad&inistrator per&ission on the

#irtuali,ation ser#er &anage&ent operating syste& and controls all other delegated

ad&inistrator rights and per&issions$





Documents

HyperV Deploy