vijayjain347

A topnotch WordPress.com site



Top Windows Server 2012 R2 Hyper-V Virtualization Features


1. Hybrid Cloud

Windows Azure Infrastructure-as-a-Service (IaaS) is built on the same hypervisor as Windows Server. This means that there is complete virtual machine compatibility between the private cloud, partner public clouds, and the Microsoft-owned public cloud. Customers now have to ask themselves: “Where do I want my service to run today?”

2. Compressed Live Migration

A compression engine is built into Live Migration in Windows Server 2012 R2 Hyper-V. The processor in hosts is often underused, so this engine makes use of this spare resource to compress the memory of virtual machines that are being moved before the memory pages are copied across the Live Migration network. Hyper-V will monitor the utilization of CPU resources on the host and throttle compression to prioritize guest services. Enabling Live Migration compression on networks with 10 Gbps or less without Remote Direct Memory Access (RDMA/SMB Direct) support will greatly reduce the time it takes to move virtual machines (not including storage migration).

3. SMB Direct Live Migration

Live Migration can be configured to leverage SMB Direct (Remote Direct Memory Access, or RDMA) on hosts that have NICs with support for this feature. It provides hardware-offloaded, accelerated copying of memory pages using SMB 3.0 NICs, and it can take advantage of SMB Multichannel to span multiple networks. SMB Direct Live Migration is the fastest way to live migrate virtual machines (not including storage) from one host to another.
A crazy fact: memory speed will be the bottleneck on a host with PCI3 support and three RDMA NICs for Live Migration!

This feature allows very interesting new architectures, especially where organizations have decided to deploy SMB 3.0 storage with support for SMB Direct. Investments in RDMA can be leveraged to move virtual machines very rapidly over these physical networks (with QoS applied for SLA). For example, Cluster Aware Updating (CAU) will be performed much more rapidly.

4. Live Resizing of VHDX

Virtual hard disks of the VHDX format that are attached to the SCSI controllers of virtual machines can be resized without shutting down the virtual machine. VHDX files can be up- and down-sized. Downsizing can only occur if there is unpartitioned space within the VHDX. This feature supports both Windows and Linux guests.

Live Resizing of VHDX files will be of huge value to those running mission critical workloads. It will also offer a new self-service elasticity feature for clouds.

5. Storage Quality of Service (QoS)

New storage metrics for IOPS have been added to WS2012 R2. With these metrics, you can determine the IOPS requirements of virtual machines and put caps on storage activity. This will limit how much physical disk activity that virtual machines can create, and therefore limit the damage that activity spikes can cause to other virtual machines and their guest services.

One of the concerns with shared storage is the possibility of a race for storage throughput. Enabling Storage QoS will limit the damage that any virtual machine or tenant can do in a cloud.
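As an added example (not from the original post), the Storage QoS cap described above applied with the Hyper-V PowerShell module on a WS2012 R2 host: resource metering is switched on, the VM's normalized IOPS are sampled, and a per-VHDX cap is set so one tenant's spike cannot starve its neighbours. The VM name and the IOPS figures are made up, and the Measure-VM property name is an assumption to confirm with Get-Member on your host.

```powershell
# Added example: measure a VM's normalized IOPS, then cap it with Storage QoS.
# Requires the Hyper-V PowerShell module on a Windows Server 2012 R2 host.
# "WebFrontEnd01" and the IOPS numbers are made-up values for illustration.
$vmName = 'WebFrontEnd01'

# Resource metering must be enabled before Measure-VM reports anything.
Enable-VMResourceMetering -VMName $vmName

# Let the VM run a representative workload for a while, then sample the metrics.
# Storage QoS counts IOPS in normalized 8 KB units (a single 64 KB IO = 8 normalized IOPS).
# AggregatedAverageNormalizedIOPS is the 2012 R2 property name (assumption; check with Get-Member).
$usage = Measure-VM -VMName $vmName
'{0}: average normalized IOPS = {1}' -f $vmName, $usage.AggregatedAverageNormalizedIOPS

# Cap every VHDX on the SCSI controller. MaximumIOPS is a hard ceiling;
# MinimumIOPS is an alerting threshold (Hyper-V logs an event when it is not met), not a guarantee.
Get-VMHardDiskDrive -VMName $vmName -ControllerType SCSI |
    Set-VMHardDiskDrive -MaximumIOPS 500 -MinimumIOPS 100

# Verify the policy took effect on each disk.
Get-VMHardDiskDrive -VMName $vmName -ControllerType SCSI |
    Select-Object Path, MinimumIOPS, MaximumIOPS
```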

6. Live Virtual Machine Cloning

WS2012 R2 Hyper-V allows you to clone a running virtual machine. This will create an exact copy of the virtual machine that is stored in a saved state. This feature supports GenerationID. That means you can use Live Virtual Machine Cloning to create Active Directory supported clones of a virtual domain controller that is not the PDC Emulator.

This feature will be useful for situations where you need to debug a production system or you want to perform tests, such as guest OS upgrades.

7. Virtual Machine Export Improvements

You can export a virtual machine with a checkpoint (formerly known as a snapshot) and you can export a checkpoint of a virtual machine.

8. Linux Guest OS Support Enhancements

Dynamic Memory will be supported in Linux guest OSs on Windows Server 2012 R2 Hyper-V. This will give much better memory optimization for Linux virtual machines, and it will allow for much greater densities. Linux distributions with built-in Linux Integration Services for Hyper-V support are already available.

There will be support for online backup of Linux guest OSs. This is not Volume Shadow Copy Service (VSS) for Linux, and it does not give an application-consistent backup. Instead, a file-system-consistent backup is created by freezing the file system. This feature does require an upgrade of any already deployed Linux Integration Services.

9. Shared VHDX

You can configure up to 64 virtual machines to share a single VHDX file on some shared storage (such as CSV or SMB 3.0). The VM sees the shared VHDX as a shared SAS disk with SCSI-3 persistent reservations. This is for data volumes to create guest clusters, and not for shared boot volumes. It works with down-level guest OSs, such as W2008 R2 with the WS2012 R2 Hyper-V Integration Components installed. This feature is supported by Service Templates in VMM 2012 R2.
This will drastically simplify guest clustering, where virtual machines are used to create a highly available service at the application layer. This could eliminate the need for guest attachment to physical LUNs and will be accommodating to self-service deployment within a cloud.

10. Hyper-V Replica Improvements

The default period for asynchronous replication of the Hyper-V Replica Log is every 5 minutes, but this can be changed to every 30 seconds or every 15 minutes. This allows companies to choose the allowed recovery point objective (RPO) – the maximum allowed amount of data loss in time.

Hyper-V Replica can now be extended to a third site. This is an A-B-C extension, and not an A-B/A-C extension. For example, a company might replicate virtual machines from the primary site to a local secondary site. This might be configured to happen every 30 seconds. Replica virtual machines in the secondary site might be replicated to a distant third site (such as a hosting company) maybe every 15 minutes. In the event of an unplanned failover, this would give an RPO of 30 seconds in the secondary site and an RPO of 15 minutes and 30 seconds in the third site.

The performance and scalability of Hyper-V Replica has been improved. Maintaining historical copies of virtual machines in the secondary site is costly (IOPS). This has been reduced, so maintaining historical copies of your replica VMs will not punish your storage in the secondary site.

11. VM Connect

The crippled virtual machine connection of the past is being replaced by a Remote Desktop experience that is built into the virtualization stack. This has no dependency on the virtual machine’s networking. By default, this feature is disabled in WS2012 R2 Hyper-V and enabled in Windows 8.1 Client Hyper-V.
Things that Remote Desktop VM Connect allows you to do include:

  • Copy & paste text/images.
  • Copy files to/from the client desktop.
  • Do session-based USB redirection. This means you might use a USB stick to copy files. It is not a USB dongle solution.




What’s New in Certificate Services in Windows Server 2012?

Active Directory Certificate Services (AD CS) is an Identity and Access Control security technology that provides customization services for creating and managing public key certificates used in software security systems that employ public key technologies.


Role description

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The AD CS server role includes six role services:

  • Certification Authority (CA)
  • Web Enrollment
  • Online Responder
  • Network Device Enrollment Service
  • Certificate Enrollment Policy Web Service
  • Certificate Enrollment Web Service

New and changed functionality

The new and changed functionality in AD CS and PKI includes the following.

1) Integration with Server Manager

Server Manager provides a centralized graphical user interface for installing and managing the AD CS server role and its six role services.

What value does this change add?

AD CS server role and its role services are integrated into Server Manager, which allows you to install the AD CS role service from the Manage menu using Add Roles and Features. Once the server role is added, AD CS appears in the Server Manager dashboard as one of the roles that can be managed. This provides you a central location from which you can deploy and manage AD CS and its role services. Further, the new Server Manager allows you to manage multiple servers from one location and you can see the AD CS role services installed on each server, review related events, and perform management tasks on each server. For more information on how the new Server Manager works.

What works differently?

To add the AD CS Server Role, you can use the Add Roles and Features link on the Manage menu in Server Manager. The AD CS installation flow is similar to that in the previous version, except for the division of the binary installation process and the configuration process. Previously the installation and configuration was a single wizard. In the new installation experience, you first install the binary files and then you can launch the AD CS Configuration wizard to configure the role services that have already had their binary files installed. To remove the AD CS Server Role, you can use the Remove Roles and Features link on the Manage menu.

2) Deployment and management capabilities from Windows PowerShell

All AD CS role services can be configured or have their configurations removed by using the AD CS Deployment Windows PowerShell® cmdlets. These new deployment cmdlets are described in the AD CS Deployment cmdlets Overview topic. The AD CS Administration cmdlet allows you to manage the Certification Authority role service. The new administration cmdlets are described in the AD CS Administration cmdlets Overview topic.

What value does this change add?

You can use Windows PowerShell to script deployments of any AD CS role service as well as the ability to manage the CA role service.

What works differently?

You can use either Server Manager or Windows PowerShell cmdlets to deploy the AD CS role services.

3) All AD CS role services run on any version

All Windows Server 2012 and Windows Server 2012 R2 versions allow you to install all of the AD CS role services.

What value does this change add?

Unlike previous versions, you can install AD CS roles on any version of Windows Server 2012 or Windows Server 2012 R2.

What works differently?

In the Windows Server® 2008 R2 operating system the different role services (previously called components) had different operating system version requirements, as described in Active Directory Certificate Services Overview. In Windows Server 2012 or Windows Server 2012 R2, all six of the role services work as they would on any Windows Server 2012 or Windows Server 2012 R2 version. The only difference is that you will find AD CS with all six role services available for installation on any version of Windows Server 2012 or Windows Server 2012 R2.

4) All AD CS role services can be run on Server Core

All six of the Windows Server 2012 and Windows Server 2012 R2 AD CS role services can be installed and run using the Server Core or the Minimal Server Interface installation options.

What value does this change add?

Unlike previous versions, you can now run all AD CS role services on Server Core or the Minimal Server Interface installation options in Windows Server 2012 or Windows Server 2012 R2.

What works differently?

You can now easily deploy AD CS role services using Server Manager or Windows PowerShell cmdlets working locally at the computer or remotely over the network. In addition, Windows Server 2012 or Windows Server 2012 R2 provides multiple installation options that even allow you to install with a graphical user interface and later switch to a Server Core or Minimal Server Interface installation. For more information on installation options,

5) Support for key-based renewal

Certificate Enrollment Web Services is a feature that was added in Windows® 7 and Windows Server 2008 R2. This feature allows online certificate requests to come from untrusted Active Directory Domain Services (AD DS) domains or even from computers that are not joined to a domain. AD CS in Windows Server 2012 and Windows Server 2012 R2 builds on the Certificate Enrollment Web Services by adding the ability to automatically renew certificates for computers that are part of untrusted AD DS domains or not joined to a domain.

What value does this change add?

Administrators no longer need to manually renew certificates for computers that are members of workgroups or possibly joined to a different AD DS domain or forest.

What works differently?

Certificate Enrollment Web Services continues to function as it did before, but now computers that are outside of the domain can renew their certificates using their existing certificate for authentication.

6) Certificate Template Compatibility

AD CS in Windows Server 2012 and Windows Server 2012 R2 includes version 4 certificate templates. These templates have several differences from previous template versions. Version 4 certificate templates:

  • Support both cryptographic service providers (CSPs) and key service providers (KSPs).
  • Can be set to require renewal with the same key.
  • Are only available for use by Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
  • Specify the minimum certification authority and certificate client operating systems that can utilize the template.

To help administrators separate what features are supported by which operating system version, the Compatibility tab was added to the certificate template properties tab.

What value does this change add?

The new version 4 certificate templates provide additional capabilities, such as enforcing renewal with the same key (available to only Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients). The new Compatibility tab allows administrators to set different combinations of operating system versions for the certification authority and certificate clients and see only the settings that will work with those client versions.

What works differently?

The Compatibility tab appears in the Certificate Template properties user interface. This tab allows you to select the minimum certification authority and minimum certificate client operating system versions. The Compatibility tab configuration does a couple of things:

  • It marks options as unavailable in the certificate template properties depending upon the selected operating system versions of certificate client and certification authority.
  • For version 4 templates, it determines which operating system versions are able to use the template.

7) Support for certificate renewal with same key

AD CS in Windows Server 2012 and Windows Server 2012 R2 allows a certificate to be configured so that it will be renewed with the same key. This allows the assurance level of the original key to be maintained throughout its lifecycle. Windows Server 2012 and Windows Server 2012 R2 support generating Trusted Platform Module (TPM)-protected keys using TPM-based key storage providers (KSPs). The benefit of using a TPM-based KSP is true non-exportability of keys, backed by the anti-hammering mechanism of TPMs. Administrators can configure certificate templates so that Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 give higher priority to TPM-based KSPs for generating keys. Also, using renewal with the same key, administrators can remain assured that the key still remains on the TPM after renewal.

What value does this change add?

This feature allows an administrator to enforce renewal with the same key, which can reduce administrative costs (when keys are renewed automatically) and increase key security (when keys are stored using TPM-based KSPs).

What works differently?

Clients that receive certificates from templates that are configured for renewal with the same key must renew their certificates using the same key, or renewal will fail. Also, this option is available only for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients.

8) Support for Internationalized Domain Names

Internationalized names are names that contain characters that cannot be represented in ASCII. AD CS in Windows Server 2012 and Windows Server 2012 R2 supports Internationalized Domain Names (IDNs) in several scenarios.

What value does this change add?

The following IDN scenarios are now supported:

  • Certificate enrollment for computers using IDNs
  • Generating and submitting a certificate request with an IDN using the certreq.exe command line tool
  • Publishing Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) publishing to servers using IDNs
  • The Certificate user interface supports IDNs
  • The Certificate MMC snap-in also allows for IDNs in Certificate Properties

What works differently?

There is limited support for IDNs as previously described.

9) Increased security enabled by default on the CA role service

When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in MSDN article Authentication-Level Constants (http://msdn.microsoft.com/library/aa373553.aspx). On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 or Windows Server 2012 R2 CA, this enhanced security setting is enabled by default.

What value does this change add?

The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read. Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.

The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server® 2003, Windows Server® 2003 R2, Windows Server® 2008, or Windows Server 2008 R2 certification authorities are:

certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST

Then restart the certification authority:

net stop certsvc
net start certsvc

If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:

  1. Upgrade the Windows XP clients to a newer operating system.
  2. Lower the security of the CA by running the following commands:

To lower CA security for compatibility with Windows XP clients

  1. certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
  2. net stop certsvc
  3. net start certsvc

What works differently?

Windows XP clients will not be compatible with this higher security setting enabled by default on a Windows Server 2012 or Windows Server 2012 R2 CA. If necessary, you can lower the security setting as previously described.
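As an added example (not from the original post), a PowerShell check for this setting on a local Windows Server CA: it reads the same CA\InterfaceFlags value that the certutil commands above modify, reports whether IF_ENFORCEENCRYPTICERTREQUEST is set, and when run with -Enforce enables it using the post's own commands. The registry path under CertSvc\Configuration and the flag value 0x200 (the IF_ENFORCEENCRYPTICERTREQUEST constant from certadm.h) are assumptions not stated in the post.

```powershell
# Added example: audit (and optionally enforce) IF_ENFORCEENCRYPTICERTREQUEST on a local CA.
# Run on the CA itself with local administrator rights.
# Assumption: the CA configuration lives under CertSvc\Configuration\<CA name>, and
# IF_ENFORCEENCRYPTICERTREQUEST is 0x200 as defined in certadm.h.
[CmdletBinding()]
param([switch]$Enforce)

$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value names the CA whose settings certutil -setreg CA\... edits.
$caName = (Get-ItemProperty -Path $configRoot).Active
if (-not $caName) { throw 'No active CA found under CertSvc\Configuration.' }

$flags = (Get-ItemProperty -Path (Join-Path $configRoot $caName)).InterfaceFlags
$enforced = ($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0

[pscustomobject]@{
    CA                        = $caName
    InterfaceFlags            = ('0x{0:X}' -f $flags)
    EncryptedRequestsEnforced = $enforced
}

if (-not $enforced -and $Enforce) {
    # Same commands the post lists for older CAs; certsvc must restart to pick up the flag.
    certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST | Out-Null
    net stop certsvc
    net start certsvc
    Write-Output 'IF_ENFORCEENCRYPTICERTREQUEST enabled; Windows XP clients can no longer enroll against this CA.'
}
```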

10) AD DS Site Awareness for AD CS and PKI Clients

Certificate services in Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 can be configured to utilize Active Directory Domain Services (AD DS) sites to help optimize certificate services client requests. This functionality is not enabled by default on either certification authority (CA) or the public key infrastructure (PKI) client computers.

What value does this change add?

This change enables Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate clients to locate a CA in their local AD DS site.

What works differently?

When enrolling for a template-based certificate, the client queries AD DS for the template and the CA objects. The client then uses a DsGetSiteName function call to get its own site name. For CAs with the msPKI-Site-Name attribute already set, the certificate services client determines the AD DS site link cost from the client site to each target CA site. A DsQuerySitesByCost function call is used to make this determination. The certificate services client uses the returned site costs to prioritize the CAs that allow the client the Enroll permission and support the relevant certificate template. Higher-cost CAs are contacted last (only if the lower-cost CAs are unavailable).

11) Group-protected PFX format

Previously, a PKCS#12 standard (also known as PFX) format was only protected by a password that had the following limitations:

  • Difficult to automate
  • Not very secure, because usually an administrator used a weak password
  • Difficult to share among multiple users

Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 can protect certificates and associated private keys by combining an existing PFX format with a new data protection feature. This allows encrypting the contents of the PFX file with a key that belongs to a group or to an individual, instead of protecting it with a password.

What value does this change add?

By using this feature, administrators will be able to:

  • Deploy, manage, and troubleshoot certificates remotely and across server farms by using Windows PowerShell.
  • Share certificates and keys securely across server farms running Windows Server 2012 or Windows Server 2012 R2 by using Windows APIs.

Earlier versions of Windows can consume this PFX because internally the operating system assigns a strong random password. The password is included in the PFX, and it is protected by a set of security identifiers (SIDs) with data protection APIs. Any user that has access to the PFX can see that password and share it with previous Windows versions.

What works differently?

A PFX file can now be protected to a security principal instead of just a password. The user interface for certificate export has been updated to allow for the selection of a security principal during export.
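As an added example (not from the original post), the group-protected export described above done with the PKI PowerShell cmdlets: the PFX is protected to an AD group with -ProtectTo instead of a password, and a member of that group imports it on another farm member without any password. The group name, thumbprint placeholder and file paths are made up.

```powershell
# Added example: export a certificate and private key as a PFX protected to an AD group,
# then import it on another Windows Server 2012 / 2012 R2 farm member.
# "CONTOSO\Web Farm Admins", the thumbprint placeholder and the paths are made-up values.
$thumbprint = '<THUMBPRINT-OF-CERT-IN-LOCALMACHINE-MY>'
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"

# Protect the PFX to a security principal rather than a password. Windows generates a strong
# random password itself and seals it to the group's SID with the data protection APIs, so
# only members of that group (on a Windows 8 / 2012-era machine) can open the file.
Export-PfxCertificate -Cert $cert `
                      -FilePath 'C:\Temp\webfarm.pfx' `
                      -ProtectTo 'CONTOSO\Web Farm Admins' `
                      -ChainOption BuildChain

# On the other farm member, run as a member of the group: no -Password is needed.
# -Exportable is deliberately omitted so the imported private key stays non-exportable.
Import-PfxCertificate -FilePath 'C:\Temp\webfarm.pfx' `
                      -CertStoreLocation 'Cert:\LocalMachine\My'

# Confirm the key landed and is not marked exportable on the importing host.
Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" |
    Select-Object Subject, HasPrivateKey, NotAfter
```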

12) Certificate lifecycle notifications

In Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, certificates provide life cycle notifications in MY store from the certificate enrollment API and Windows PowerShell levels. The notifications include expiration, deletion, new, renewal, replacement, close to expiration, archive, and export. Administrators and developers can manage (view, install, copy, request, and delete) certificates and their associated private keys remotely by using Windows PowerShell. This feature allows a script or an executable to launch in response to a certificate lifecycle notification.

What value does this change add?

For application and server-workload developers who use certificates in their product, integrating with the certificate life cycle in Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 is easy and reliable, and it can be done remotely. Developers can develop applications that reconfigure themselves any time a certificate is renewed or replaced with another certificate, whether by autoenrollment or by a manual or scripted action by an administrator. The investment needed to integrate with the certificate management interfaces is very small.

For an administrator who manages applications that use certificates, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificates are used by those applications automatically. This occurs because applications integrate with Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 certificate notifications or when the administrator’s script is triggered by a certificate event.

What works differently?

Notifications can now be enabled to alert system administrators before certificates expire.

13) CA private keys are included in the System State Backup image

The Windows Server Backup feature can be installed on the certification authority (CA) to create a System State Backup that includes the CA private keys.

What value does this change add?

In Windows Server 2012 and Windows Server 2012 R2 the System State Backup feature automatically backs up the CA's private key when an administrator or backup operator uses the Windows Server Backup feature to perform a System State Backup.

What works differently?

The Windows Server Backup feature now includes the CA private keys.



Active Directory Federation Services Overview

AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

In Windows Server® 2012 R2, AD FS includes a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

The function of providing extranet access to applications and services that are secured by AD FS is now performed by a new Remote Access role service called Web Application Proxy. This is a departure from the prior versions of Windows Server in which this function was handled by an AD FS federation server proxy. Web Application Proxy is a server role designed to provide access for the AD FS-related extranet scenario and other extranet scenarios.


Practical applications

AD FS simplifies access to systems and applications by using a claims-based authentication and access authorization mechanism to maintain application security. Prior versions of AD FS were used for the following:

  • Providing your employees or customers with a web-based, SSO experience when accessing claims-based applications within your enterprise.
  • Providing your employees or customers with a web-based, SSO experience to access resources in any federation partner organization.
  • Providing your employees or customers with a Web-based, SSO experience when remote accessing internally hosted Web sites or services.
  • Providing your employees or customers with a web-based, SSO experience when accessing resources or services in the cloud.

AD FS in Windows Server® 2012 R2 adds additional practical applications for AD FS, including the following:

AD FS in Windows Server 2012

For Windows Server 2012, the AD FS server role includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following list of new functionality that was not available in AD FS 2.0:

  • Improved installation experience using Server Manager – With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure. However, in Windows Server 2012, you install the AD FS server role using Server Manager. Server Manager provides improved AD FS configuration wizard pages that perform server validation checks before you continue with the AD FS server role installation and will automatically list and install all the services that AD FS depends on during the AD FS server role installation.
  • Additional Windows PowerShell cmdlet tools – In addition to the Windows PowerShell based management capabilities provided in AD FS 2.0, AD FS in Windows Server 2012 and Windows Server® 2012 R2 includes new cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy.

AD FS in Windows Server 2012 R2

The following sections summarize numerous changes that were made to AD FS in Windows Server® 2012 R2 in order to support newer practical applications of AD FS as well as to enhance existing functionality.

Enable users to access resources on their personal devices from anywhere

  • Workplace join that enables users to join their personal devices to corporate Active Directory and as a result gain access and seamless experiences when accessing corporate resources from these devices.
  • Pre-authentication of resources inside the corporate network that are protected by the Web Application proxy and accessed from the internet.
  • Password change to enable users to change their password from any workplace joined device when their password has expired so that they can continue to access resources.

Enhanced access control risk management tools

Managing risk is an important aspect of governance and compliance in every IT organization. There are numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including the following:

  • Flexible controls based on network location to govern how a user authenticates to access an AD FS-secured application.
  • Flexible policy to determine if a user needs to perform multi-factor authentication based on the user’s data, device data, and network location.
  • Per-application control to ignore SSO and force the user to provide credentials every time they access a sensitive application.
  • Flexible per-application access policy based on user data, device data, or network location.
  • AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute force attacks from the internet.
  • Access revocation for any workplace joined device that is disabled or deleted in Active Directory.
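As an added example (not from the original post), two of the controls listed above configured with the ADFS PowerShell module on a Windows Server 2012 R2 federation server: Extranet Lockout, and a per-application rule that requires multi-factor authentication for requests that arrive from outside the corporate network. The relying party name, threshold and window are illustrative values.

```powershell
# Added example: AD FS 2012 R2 risk-management controls.
# "Claims Payroll App" is a made-up relying party trust name; 10 attempts / 30 minutes are illustrative.

# 1. Extranet Lockout. For requests coming through the Web Application Proxy, AD FS checks the
#    account's bad-password count on the PDC emulator; once it reaches the threshold inside the
#    observation window, AD FS rejects further extranet attempts without sending them to AD DS,
#    so an internet brute force cannot lock the real AD account. Keep the threshold below the
#    AD DS account lockout threshold, otherwise AD DS locks the account first.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Per-application MFA based on network location. The insidecorporatenetwork claim is set to
#    "false" for requests that reach AD FS via the proxy; this rule demands multipleauthn for them.
$mfaFromExtranet = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Claims Payroll App' `
                          -AdditionalAuthenticationRules $mfaFromExtranet

# Verify both settings.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
(Get-AdfsRelyingPartyTrust -Name 'Claims Payroll App').AdditionalAuthenticationRules
```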


Simplified deployment experience

Deploying AD FS in Windows Server® 2012 R2 is simplified by the following enhancements:

  • AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of services, especially when AD FS is installed on Active Directory domain controllers.
  • Remote installation and configuration through Server Manager. 
  • UI support for installing AD FS with SQL Server
  • Group Managed Service Account support. This enables AD FS to be run with service accounts without managing expiring service account passwords.
  • SQL Server merge replication support when deploying AD FS across globally dispersed datacenters. 

Enhanced sign-in with AD FS experience

The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize and enhance the sign-in experience:

  • Unified customization of the AD FS service, where the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm. 
  • Updated sign-in pages that look modern and cater to different form factors automatically.
  • Support for automatic fallback to forms-based authentication for devices that are not joined to the corporate domain but are still used to generate access requests from within the corporate network (intranet).
  • Simple controls to customize the company logo, illustration image, standard links for IT support, home page, privacy, etc. 
  • Customization of description messages in the sign-in pages.
  • Customization of web themes.
  • Home Realm Discovery (HRD) based on organizational suffix of the user for enhanced privacy of a company’s partners.
  • HRD filtering on a per-application basis to automatically pick a realm based on the application.
  • One-click error reporting for easier IT troubleshooting.
  • Customizable error messages. 
  • User authentication choice when more than one authentication provider is available.

Enable developers to build modern applications

AD FS in Windows Server 2012 now supports the OAuth Authorization Grant profile, including refresh tokens, to enable modern applications that use RESTful services. AD FS can also issue JWT tokens: compact tokens that are better suited to being transmitted to resources that follow the REST pattern.
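Two things an administrator touches when this feature is used: registering the OAuth client with AD FS, and reading the JWTs it issues while troubleshooting a relying party. The script below is an added example, not code from the original post or from Microsoft. The client name, redirect URI and the sample token are constructed placeholders; the sample token carries a dummy signature segment so the inspector has something to parse.

```powershell
# Added example (not from the original post): register an OAuth client in
# AD FS 2012 R2 and inspect a JWT's header and claims for troubleshooting.
Import-Module ADFS

# Part 1: a public (native) client using the authorization code grant.
# The client id is any unique string; a GUID is conventional.
Add-AdfsClient -Name 'Inventory Mobile App' `
    -ClientId ([guid]::NewGuid().ToString()) `
    -RedirectUri 'inventoryapp://auth/callback' `
    -Description 'Native client; receives access and refresh tokens'

# Part 2: decode a compact JWT (header.payload.signature, each base64url).
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Read-Jwt {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected header.payload.signature' }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $epoch   = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $nowSec  = [int64]((Get-Date).ToUniversalTime() - $epoch).TotalSeconds
    [pscustomobject]@{
        Algorithm  = $header.alg
        Issuer     = $payload.iss
        Audience   = $payload.aud
        Upn        = $payload.upn
        ExpiresUtc = $epoch.AddSeconds([int64]$payload.exp)
        Expired    = ([int64]$payload.exp -le $nowSec)
        # Decoding is not validation: 'alg' must be an expected signing
        # algorithm and the signature must verify against the AD FS
        # token-signing certificate before any claim here is trusted.
        SignedWithExpectedAlg = ($header.alg -eq 'RS256')
    }
}

# Constructed sample token (placeholder values, dummy signature segment).
$sampleHeader  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256","x5t":"placeholder-thumbprint"}'
$samplePayload = ConvertTo-Base64Url '{"aud":"urn:inventory:api","iss":"http://fs.contoso.example/adfs/services/trust","upn":"user@contoso.example","exp":1400000000}'
$sampleToken   = "$sampleHeader.$samplePayload.dummy-signature"

Read-Jwt -Token $sampleToken | Format-List
```

The inspector reports `Expired` as true for the constructed sample because its `exp` is in the past; in practice the same check explains most "token rejected" tickets. The `x5t` header value identifies which AD FS token-signing certificate signed the token, which is what to compare against `Get-AdfsCertificate -CertificateType Token-Signing` when a relying party starts rejecting tokens after a certificate rollover.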

Other improvements

  • Reduction of SSO cookie size with dynamic group SID hydration. This provides a more deterministic cookie size and reduces bloat when a user belongs to many security groups.
  • Access to claims that are encoded within user certificates when using certificate authentication. This can help administrators differentiate access based on what type of certificate is used.
  • Consistent client-request-id that is logged in all event logs and traces for easier troubleshooting.
  • Additional request claims, for example, IP addresses, endpoint addresses, or user agents that can be used to base policy decisions on.
  • Password expiry notification as claims that an administrator can configure to send to downstream applications to notify the user when their password is about to expire.



Top Windows Server 2012 R2 Hyper-V Virtualization Features

Windows Server 2012 R2 brings with it a host of new virtualization features, as well as improvements to existing features and capabilities. 

 

1. Hybrid Cloud

Windows Azure Infrastructure-as-a-Service (IaaS) is built on the same hypervisor as Windows Server. This means that there is complete virtual machine compatibility between the private cloud, partner public clouds, and the Microsoft-owned public cloud. Customers now have to ask themselves: “Where do I want my service to run today?”

2. Compressed Live Migration

A compression engine is built into Live Migration in Windows Server 2012 R2 Hyper-V. The processor in hosts is often underused, so this engine makes use of this spare resource to compress the memory of virtual machines that are being moved before the memory pages are copied across the Live Migration network. Hyper-V will monitor the utilization of CPU resources on the host and throttle compression to prioritize guest services. Enabling Live Migration compression on networks with 10 Gbps or less without Remote Direct Memory Access (RDMA/SMB Direct) support will greatly reduce the time it takes to move virtual machines (not including storage migration).

3. SMB Direct Live Migration

Live Migration can be configured to leverage SMB Direct (Remote Direct Memory Access, or RDMA) on hosts that have NICs with support for this feature. This provides a hardware-offloaded, accelerated copy of memory pages using SMB 3.0 NICs, and it can take advantage of SMB Multichannel to span multiple networks. SMB Direct Live Migration provides the fastest way to live migrate virtual machines (not including storage) from one host to another.
A crazy fact: memory speed will be the bottleneck on a host with PCI3 support and three RDMA NICs for Live Migration!

This feature allows very interesting new architectures, especially where organizations have decided to deploy SMB 3.0 storage with support for SMB Direct. Investments in RDMA can be leveraged to move virtual machines very rapidly over these physical networks (with QoS applied for SLA). For example, Cluster Aware Updating (CAU) will be performed much more rapidly.
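Sections 2 and 3 describe a choice of transport (TCP/IP, compression, or SMB with RDMA) that is set per host. As an added example, not from the original post, the following configures Live Migration on a Windows Server 2012 R2 Hyper-V host, picks the transport based on whether an RDMA-capable NIC is present, and pins migration traffic to a dedicated subnet so that memory pages never cross a general-purpose network. The subnet is a placeholder.

```powershell
# Added example (not from the original post): configure Live Migration on a
# Windows Server 2012 R2 Hyper-V host. The migration subnet is a placeholder.
Import-Module Hyper-V

Enable-VMMigration

# Kerberos (with constrained delegation configured on the host computer
# objects) avoids CredSSP's requirement to be logged on to the source host.
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

# Transport selection:
#   'SMB'         - RDMA/SMB Direct with SMB Multichannel, fastest when NICs support it
#   'Compression' - CPU-assisted compression for 10 Gbps or slower non-RDMA networks
#   'TCPIP'       - the pre-R2 behaviour
$hasRdma = @(Get-SmbClientNetworkInterface | Where-Object { $_.RdmaCapable }).Count -gt 0
$option  = if ($hasRdma) { 'SMB' } else { 'Compression' }
Set-VMHost -VirtualMachineMigrationPerformanceOption $option

# Confine migration traffic (unencrypted VM memory) to a dedicated network.
Set-VMHost -UseAnyNetworkForMigration $false
Add-VMMigrationNetwork -Subnet '10.10.20.0/24' -Priority 1

# Verify.
Get-VMHost | Select-Object VirtualMachineMigrationEnabled,
                           VirtualMachineMigrationAuthenticationType,
                           VirtualMachineMigrationPerformanceOption
Get-VMMigrationNetwork
```

Restricting the migration network matters as much as the transport choice: memory pages in flight contain whatever the guest holds, so the subnet carrying them should be isolated and, where SMB is used, protected by the SMB 3.0 signing or encryption policy you apply to the rest of the fabric.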

4. Live Resizing of VHDX

Virtual hard disks of the VHDX format that are attached to the SCSI controllers of virtual machines can be resized without shutting down the virtual machine. VHDX files can be up- and down-sized. Downsizing can only occur if there is unpartitioned space within the VHDX. This feature supports both Windows and Linux guests.

Live Resizing of VHDX files will be of huge value to those running mission critical workloads. It will also offer a new self-service elasticity feature for clouds.
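The paragraph above states the two conditions for a live resize (VHDX format, SCSI controller) and the one for shrinking (unpartitioned space inside the VHDX). This added example, not from the original post, checks all three before calling `Resize-VHD` so that the shrink case fails clearly instead of truncating data. VM name, path and sizes are placeholders.

```powershell
# Added example (not from the original post): grow, then shrink, a VHDX that
# is attached to a running VM's SCSI controller. Names and sizes are placeholders.
Import-Module Hyper-V

$vmName  = 'DATA01'
$vhdPath = 'C:\VMs\DATA01\data.vhdx'

# Live resize requires a VHDX on a SCSI controller (IDE-attached disks and
# VHD-format files must be resized with the VM off).
$drive = Get-VMHardDiskDrive -VMName $vmName | Where-Object { $_.Path -eq $vhdPath }
if (-not $drive) { throw "Disk $vhdPath is not attached to $vmName" }
if ($drive.ControllerType -ne 'SCSI') { throw 'Live resize requires a SCSI-attached disk' }
if ([IO.Path]::GetExtension($vhdPath) -ne '.vhdx') { throw 'Live resize requires the VHDX format' }

# Grow: the VM keeps running; afterwards extend the partition inside the guest.
Resize-VHD -Path $vhdPath -SizeBytes 200GB

# Shrink: only unpartitioned space at the end of the disk can be given back.
# MinimumSize reflects that, so shrink the guest partition first and never
# go below it.
$vhd    = Get-VHD -Path $vhdPath
$target = 120GB
if ($target -lt $vhd.MinimumSize) {
    throw ("Cannot shrink to {0:N0} bytes: in-use partitions end at {1:N0} bytes; " +
           "shrink the guest volume first" -f $target, $vhd.MinimumSize)
}
Resize-VHD -Path $vhdPath -SizeBytes $target
```

The `MinimumSize` check is the practitioner's safeguard here: `Resize-VHD` itself refuses to cut into partitioned space, but checking first turns an unexplained failure into an actionable message about which guest volume to shrink.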

5. Storage Quality of Service (QoS)

New storage metrics for IOPS have been added to WS2012 R2. With these metrics, you can determine the IOPS requirements of virtual machines and put caps on storage activity. This limits how much physical disk activity virtual machines can create, and therefore limits the damage that activity spikes can cause to other virtual machines and their guest services.

One of the concerns with shared storage is the possibility of a race for storage throughput. Enabling Storage QoS will limit the damage that any virtual machine or tenant can do in a cloud.
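Storage QoS in 2012 R2 is applied per virtual hard disk. The following added example, not from the original post, measures a VM's normalized IOPS first (so the cap is based on data rather than a guess) and then caps every disk of the tenant VMs whose names match a pattern. The VM naming pattern and the 1000 IOPS limit are placeholders; 2012 R2 counts IOPS in normalized 8 KB units.

```powershell
# Added example (not from the original post): measure, then cap, per-disk
# IOPS for tenant VMs on a Windows Server 2012 R2 Hyper-V host.
Import-Module Hyper-V

$tenantVMs = Get-VM | Where-Object { $_.Name -like 'TENANT-*' }   # placeholder pattern

# Step 1: baseline. Resource metering must be on for Measure-VM to report
# storage figures; let it run through a representative period first.
$tenantVMs | Enable-VMResourceMetering
$tenantVMs | Measure-VM | Select-Object VMName, AggregatedAverageNormalizedIOPS

# Step 2: cap. MaximumIOPS is the ceiling; MinimumIOPS is not a reservation,
# it only raises an event when a disk cannot reach that rate.
foreach ($vm in $tenantVMs) {
    Get-VMHardDiskDrive -VM $vm | Set-VMHardDiskDrive -MaximumIOPS 1000 -MinimumIOPS 0
}

# Step 3: verify the effective limits across all VMs.
Get-VM | Get-VMHardDiskDrive | Select-Object VMName, Path, MinimumIOPS, MaximumIOPS
```

The cap is what contains a noisy or compromised tenant: a VM that starts hammering its disks is throttled at the virtual disk, so the shared CSV or SMB share keeps serving its neighbours.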

6. Live Virtual Machine Cloning

WS2012 R2 Hyper-V allows you to clone a running virtual machine. This will create an exact copy of the virtual machine that is stored in a saved state. This feature supports GenerationID. That means you can use Live Virtual Machine Cloning to create Active Directory supported clones of a virtual domain controller that is not the PDC Emulator.

This feature will be useful for situations where you need to debug a production system or you want to perform tests, such as guest OS upgrades.

7. Virtual Machine Export Improvements

You can export a virtual machine with a checkpoint (formerly known as a snapshot) and you can export a checkpoint of a virtual machine.

8. Linux Guest OS Support Enhancements

Dynamic Memory will be supported in Linux guest OSs on Windows Server 2012 R2 Hyper-V. This will give much better memory optimization for Linux virtual machines, and it will allow for much greater densities. Linux distributions with this support built into their Linux Integration Services for Hyper-V are already available.

There will be support for online backup of Linux guest OSs. This is not Volume Shadow Copy Service (VSS) for Linux, and it does not give an application-consistent backup. Instead, a file-system-consistent backup is created by freezing the file system. This feature does require an upgrade of any already deployed Linux Integration Services.

9. Shared VHDX

You can configure up to 64 virtual machines to share a single VHDX file on some shared storage (such as CSV or SMB 3.0). The VM sees the shared VHDX as a shared SAS disk with SCSI-3 persistent reservations. This is for data volumes to create guest clusters, and not for shared boot volumes. It works with down-level guest OSs, such as W2008 R2 with the WS2012 R2 Hyper-V Integration Components installed. This feature is supported by Service Templates in VMM 2012 R2.
This will drastically simplify guest clustering, where virtual machines are used to create a highly available service at the application layer. This could eliminate the need for guest attachment to physical LUNs and will be accommodating to self-service deployment within a cloud.

10. Hyper-V Replica Improvements

The default period for asynchronous replication of the Hyper-V Replica Log is every 5 minutes, but this can be changed to every 30 seconds or every 15 minutes. This allows companies to choose the allowed recovery point objective (RPO) – the maximum allowed amount of data loss in time.

Hyper-V Replica can now be extended to a third site. This is an A-B-C extension, and not an A-B/A-C extension. For example, a company might replicate virtual machines from the primary site to a local secondary site. This might be configured to happen every 30 seconds. Replica virtual machines in the secondary site might be replicated to a distant third site (such as a hosting company) maybe every 15 minutes. In the event of an unplanned failover, this would give an RPO of 30 seconds in the secondary site and an RPO of 15 minutes and 30 seconds in the third site.

The performance and scalability of Hyper-V Replica has been improved. Maintaining historical copies of virtual machines in the secondary site is costly (IOPS). This has been reduced, so maintaining historical copies of your replica VMs will not punish your storage in the secondary site.
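The 30-second / 15-minute chain described above is set on each hop separately, and the RPO at any site is the sum of the frequencies upstream of it. As an added example, not from the original post, the script below changes the primary-to-secondary frequency of one VM, computes the worst-case RPO along an A-B-C chain, and reads replication health. The VM name is a placeholder, and the extended-replication command is shown as it is run on the secondary (replica) server.

```powershell
# Added example (not from the original post): set Hyper-V Replica frequency
# and compute worst-case RPO along an A-B-C chain. VM/host names are placeholders.
Import-Module Hyper-V

# Valid 2012 R2 frequencies are 30, 300 and 900 seconds.
$vmName = 'APP01'

# On the primary (site A): replicate to B every 30 seconds.
Set-VMReplication -VMName $vmName -ReplicationFrequencySec 30

# On the replica server (site B): extend the replica VM to site C every 15 min.
# Enable-VMReplication -VMName $vmName -ReplicaServerName 'dr.hoster.example' `
#     -ReplicaServerPort 443 -AuthenticationType Certificate `
#     -CertificateThumbprint '<replica-cert-thumbprint>' -ReplicationFrequencySec 900

# Worst-case RPO per site: the sum of replication intervals upstream of it.
function Get-ChainRpoSeconds {
    param([int[]]$FrequenciesSec)   # hop frequencies in order A->B, B->C, ...
    $running = 0
    foreach ($f in $FrequenciesSec) { $running += $f; $running }
}
# For the chain in the post (30 s, then 900 s) this yields 30 and 930 seconds,
# i.e. 30 seconds at site B and 15 minutes 30 seconds at site C.
Get-ChainRpoSeconds -FrequenciesSec 30, 900

# Health: ReplicationHealth of 'Warning' or 'Critical' means the configured
# RPO is not being met; this is worth alerting on.
Get-VMReplication -VMName $vmName
Measure-VMReplication -VMName $vmName
```

Certificate-based authentication over HTTPS is the right choice for the B-to-C hop when C is a hosting company outside the domain; Kerberos over HTTP suits the intra-domain A-to-B hop.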

11. VM Connect

The crippled virtual machine connection of the past is being replaced by a Remote Desktop experience that is built into the virtualization stack. This has no dependency on the virtual machine’s networking. By default, this feature is disabled in WS2012 R2 Hyper-V and enabled in Windows 8.1 Client Hyper-V.
Things that Remote Desktop VM Connect allows you to do include:
  • Copy and paste text/images.
  • Copy files to/from the client desktop.
  • Do session-based USB redirection. This means you might use a USB stick to copy files. It is not a USB dongle solution.



Windows Server 2012 – 10 key features

Windows Server 2012

1. New Server Manager – Create and manage server groups

One of the benefits of the new Server Manager interface is the capability to create server groups, which are collections of servers that already exist on your network and can be managed through the new user experience. Creating new server groups lets you manage tasks among each server with common attributes – a server group containing all machines running IIS, for example, a group of all database servers, and so on – and provide specific information on any of them as you wish. This is a big boon for organisations without dedicated monitoring software in place.

2. Better edition and SKU Selection

Kudos to Microsoft for cleaning up what was a muddy value proposition. The core OS is now the same, and the edition you buy – Standard or Datacenter – depends on whether you want to run up to two virtual machines as guests or if you’d like unlimited guest virtualisation. There’s no Enterprise edition gumming up the works. This is a big win for everyone.

3. A command-line first, GUI second mentality

The emphasis for Windows Server has changed from a GUI-first philosophy to a GUI-optional mindset. Indeed, when you first install the OS, you're asked to choose between a core and a full installation. Core is the preferred, and encouraged, option. Once you install a core version of Windows Server 2012, you can flip on a GUI simply by installing the GUI role, and you can then opt to take it off without a full reinstall.

This is a great feature when you first deploy a server. You can use the GUI to take care of all of the mundane configuration tasks, but when the machine is ready for production, you can flip the GUI off and deploy. This offers a number of benefits, including reducing the attack surface, resource load and energy requirements.
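The "configure with the GUI, then take it off before production" workflow above is two feature operations. This added example, not from the original post, removes the two GUI features (and their on-disk payload, so they cannot be re-added without install media) and shows the reverse step. The WIM path and image index used as the re-install source are placeholders.

```powershell
# Added example (not from the original post): switch a Windows Server 2012
# installation between Server Core and full GUI after deployment.
Import-Module ServerManager

# What is currently installed? Server-Gui-Shell is the desktop/Explorer shell;
# Server-Gui-Mgmt-Infra is the minimal management interface it depends on.
Get-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra |
    Select-Object Name, InstallState

# Production: drop to Server Core. -Remove also deletes the feature payload
# from the side-by-side store, shrinking the footprint and patch surface.
Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Remove -Restart

# Later, if the GUI is needed again for troubleshooting: because the payload
# was removed, point -Source at install media (placeholder path and index).
# Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart `
#     -Source 'wim:D:\sources\install.wim:4'
```

Omitting `-Remove` keeps the payload on disk so the GUI can be re-added without media; removing it is the stricter choice for hosts that should never grow a shell again.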

4. Hyper-V replication

The Hyper-V Replica feature allows you to replicate a virtual machine from one location to another with Hyper-V and a network connection – and without any shared storage required. This is a big deal in the Microsoft world for disaster recovery, high availability and more. VMware does this, too, but the vendor charges new licensees extra for the capability.

This makes standing up instances of services all around the world just a one- or two-click affair (assuming network connectivity exists). The new Hyper-V Replica interfaces within Hyper-V Manager include a much simpler interface for setting up a replication sequence and better monitoring of the process and the overall health of replication systems and partners.

5. Expanded PowerShell capabilities

There are hundreds more cmdlets in the latest version of Windows Server. This will make your life easier, since PowerShell is essentially the preferred method of managing all of the workloads you can run on the operating system.

6. Storage Spaces – Flipping complexity on its head

Storage Spaces is an innovative feature that takes commodity storage hardware (inexpensive drives and their controllers, like a JBOD, informal parlance for Just a Bunch of Disks) and turns it into a pool of storage that is divided into spaces that are in turn used just like regular disks.

Each of these pools can contain hot standby disks, and each of the Spaces in the pool can have availability policies such as mirroring and RAID-style redundancy. You can even perform thin provisioning, which is specifying a volume that’s bigger than you actually have space for. That way, when you do need the additional room, just pop in a few more drives; no reconfiguration is required. It takes the complexity and expense of network-attached storage and SANs and basically flips it on its head. You can just get a bunch of disks together and get really flexible in carving them up where you need additional space.

7. DirectAccess – A VPN without the pain of a VPN

DirectAccess allows VPN-like secure tunneling from any endpoint back to the corporate network without the overhead and performance hit of a true VPN. There is also no management agent on the client. When the technology is configured correctly, it just works – users have seamless connectivity to file shares, on-premises equipment and other resources just as if they were on the corporate campus. In addition, group policy objects get applied and administrators can manage machines wherever they are, not just when they come to headquarters or when they connect up to the VPN. This technology had previously been difficult to set up, but in Windows Server 2012, it very much just works.

8. Dynamic Access Control – New way of thinking

Dynamic Access Control (DAC) is a suite of facilities that really enhances the way you can control access to information. It’s no longer about taking files or folders and making decisions about “Yes, these people can” and “No, these people can’t.”

Instead, it’s about abstracting away the individual data and making larger assignments about the types of data that live on your system, as well as the types of users that should and should not have access to it. It’s a new way of thinking that very much complements the strong abilities of the file system to secure data. There are minimal schema additions to make to Active Directory, and you can begin using the lion’s share of the feature set of DAC with just a Windows Server 2012 file server and a domain controller.

9. Resilient File System – An evolution of NTFS

The Resilient File System (ReFS) was designed as an evolution of the New Technology File System (NTFS) with a focus on availability and integrity. ReFS writes to different locations on disk in an atomic fashion, which improves data resiliency in the event of a power failure during a write, and includes the new “integrity streams” feature that uses checksums and real-time allocations to protect the sequencing and access of both system and user data.

Problems identified by Windows Server 2012 on volumes protected with these features can be automatically repaired without bringing the disk or volume offline in most cases, and in many cases without any administrative intervention either. ReFS is also built to scale further than NTFS, which is an important point in the age of Big Data and private cloud operations.

10. Out-of-the-box IP address management

In the box with Windows Server 2012, you'll find a complete IPAM suite. This is something many medium-sized businesses simply don’t have access to. With the IPAM suite, you can allocate, group, issue, lease and renew IP addresses in an organized fashion, as well as integrate with the in-box DHCP and DNS servers to discover and manage devices already on your network. If you've not played with IPAM services from Nortel and others, this is a very interesting and worthwhile inclusion to the product and, as it’s free with the OS licence, it’s well worth the price.



What’s New in Windows Server 2012????

  • What’s New in AD CS and PKI?
    Active Directory Certificate Services (AD CS) in Windows Server 2012 provides multiple new features and capabilities over previous versions. This document describes new deployment, manageability, and capabilities added to AD CS in Windows Server 2012.
  • What’s New in Active Directory Domain Services (AD DS)
    Active Directory Domain Services (AD DS) in Windows Server 2012 includes new features that make it simpler and faster to deploy domain controllers (both on-premises and in the cloud), more flexible and easier to both audit and authorize access to files with Dynamic Access Control, and easier to perform administrative tasks at scale, either locally or remotely, through consistent graphical and scripted management experiences.
  • What’s New in Active Directory Rights Management Services (AD RMS)?
    Active Directory Rights Management Services (AD RMS) is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
  • What’s New in BitLocker for Windows 8 and Windows Server 2012
    BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen.
  • What’s New in BranchCache
    BranchCache in Windows Server 2012 and Windows 8 provides substantial performance, manageability, scalability, and availability improvements.
  • What’s New in DFS Namespaces and DFS Replication in Windows Server 2012
    DFS Namespaces and DFS Replication in Windows Server 2012 provide new management functionality as well as interoperability with DirectAccess and Data Deduplication.
  • What’s New in DHCP in Windows Server 2012
    Dynamic Host Configuration Protocol (DHCP) is an Internet Engineering Task Force (IETF) standard designed to reduce the administration burden and complexity of configuring hosts on a TCP/IP-based network, such as a private intranet.
  • What’s New in DNS
    Domain Name System (DNS) services in Windows Server 2012 and Windows 8 are used in TCP/IP networks for naming computers and network services. DNS naming locates computers and services through user-friendly names.
  • New and changed functionality in File and Storage Services
    File and Storage Services provides a number of new management, scalability, and functionality improvements in Windows Server 2012.
  • What’s New in Failover Clustering
    Failover clusters provide high availability and scalability to many server workloads. These include file share storage for server applications such as Hyper-V and Microsoft SQL Server, and server applications that run on physical servers or virtual machines.
  • What’s New in File Server Resource Manager
    File Server Resource Manager provides a set of features that allow you to manage and classify data that is stored on file servers.
  • What’s New in Group Policy in Windows Server 2012
    Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
  • What’s New in Hyper-V
    The Hyper-V role enables you to create and manage a virtualized computing environment by using virtualization technology that is built in to Windows Server 2012. Hyper-V virtualizes hardware to provide an environment in which you can run multiple operating systems at the same time on one physical computer, by running each operating system in its own virtual machine.
  • What’s New in IPAM in Windows Server 2012
    IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.
  • What’s New in Kerberos Authentication
    The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key and password-based authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI).
  • What’s New for Managed Service Accounts
    Standalone Managed Service Accounts, which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.
  • What’s New in Networking in Windows Server 2012
    Discover new networking technologies and new features for existing technologies in Windows Server 2012. Technologies covered include BranchCache, Data Center Bridging, NIC Teaming, and more.
  • What’s New in Remote Desktop Services in Windows Server 2012
    The Remote Desktop Services server role in Windows Server 2012 provides technologies that enable users to connect to virtual desktops, RemoteApp programs, and session-based desktops. With Remote Desktop Services, users can access remote connections from within a corporate network or from the Internet.
  • What’s new in Security Auditing
    Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is to verify regulatory compliance.
  • What’s new in Server Manager
    In this blog post, senior Server Manager program manager Wale Martins describes the innovations and value of the new Server Manager. Server Manager in Windows Server 2012 lets administrators manage multiple, remote servers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
  • What’s New in Smart Cards
    Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.
  • What’s New in TLS/SSL (Schannel SSP)
    Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. The Security Support Provider Interface (SSPI) is an API used by Windows systems to perform security-related functions including authentication.
  • What’s New for Windows Deployment Services for Windows Server 2012
    Windows Deployment Services is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.
  • What’s new in Windows PowerShell 3.0
    Windows PowerShell 3.0 includes many new features and improvements in the scripting and automation experience, such as Windows PowerShell Workflow, multiple new features in Windows PowerShell ISE to help make scripting and debugging faster and easier, updatable Help, Windows PowerShell Web Access, and over 2,200 new cmdlets and functions.



Windows Server 2012 Licensing – A Quick Reminder

This came up recently for a customer and while it’s not new news, I thought a quick reminder would be useful. There are a few key points to remember about licensing of Windows Server 2012 in server virtualization projects; these rules apply to XenServer, VMware, Hyper-V, Oracle VM, etc.:

  • Licenses are applied to physical servers, never to virtual machines. If you are thinking about how you need a license for the VM you are about to build, you’re probably doing something wrong.
  • There is feature parity between Standard and Datacenter editions; Enterprise Edition has been dropped.
    • The only difference between these 2 major editions is in the number of virtual OSE’s (operating system environments, aka a virtual machine) granted with the license
    • A license covers 2 processor sockets within 1 server, 1 license cannot be purchased to cover 2 servers each containing 1 populated processor
    • The license allows for one bare-metal install of the operating system, but doesn’t require it – as would be the case if your hypervisor is anything other than Hyper-V
    • Virtual OSE grants by edition:
      • Standard: 2 virtual OSE’s per license
      • Datacenter: unlimited OSE’s per license
  • More than 1 license of the same edition may be applied to a given physical server to cover additional CPU sockets or additional virtual machines
    • 2 Standard Edition licenses would cover 4 processor sockets and/or up to 4 VM’s
    • 2 Datacenter Edition licenses would cover 4 processor sockets and two times unlimited for the number of VM’s... that’s like beyond infinity, but 4 CPU sockets.
  • The license cannot be transferred more than once every 90 days – yeah, you read that right. This rule is to prevent a license from jumping from one host to another to follow live migration activities
    • This is where most people pause and say “oh..”. That tells me they were purchasing 1 license per VM and just thinking the license moves around with the VM
    • You need to cover the high water mark of virtual OSE’s for a given host
  • Licensing math:
    • Standard Ed. list pricing is $882
    • Datacenter Ed. list pricing is $4809
    • The break-even point for Datacenter is at 5.45 Standard licenses; in effect, for a density of more than 10 VM’s (5 std licenses each granting 2 OSE’s), you should use a Datacenter Edition license
  • A real world example: New virtualization customer deploying 3 VMware hosts
    • We generally size the environment for N+1, meaning we’re planning that 1 of the servers is a “spare” from the perspective of workload sizing – so all the workload can run on just 2 servers; we’re planning for this and so should you in your licensing.
    • If you plan to run more than 20 total VM’s in this environment, you need 3 Datacenter Edition licenses
      • 20 VM’s running on 2 servers = 10 VM’s/server
      • 10 VM’s requires 5 Standard Edition licenses to have enough OSE grants
      • More than 10 per server, and it’s now cheaper to have just bought a single Datacenter Edition license
        • 6 * $882 = $5292, which is greater than $4809 for datacenter
      • Since you don’t know which host (think of a rolling patching cycle) is going to carry the increase load, all the hosts in the environment should be licensed uniformly to this high water mark
    • Depending on the licensing model, an upgrade from 5 * Standard Edition licenses to a single Datacenter Edition license may not be possible – plan ahead!
    • If you have OEM licenses that came with your old physical server environment, these are likely not transferrable – they don’t follow the P2V action
  • With this understanding, while you might have some work to do upfront (or scrambling to get back into compliance now), the long term savings are very real for dense virtualization projects that can leverage the Datacenter Edition license. On a modern 2-socket server with 16 cores/32 threads, a density of 10 VMs or greater is easily achievable.
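The licensing math above (2 sockets and 2 virtual OSEs per Standard license, unlimited OSEs per Datacenter license, the N+1 high-water mark per host, the 90-day transfer rule) is a small decision procedure that is easy to get wrong by hand. The following added example, not from the original post, encodes it as a function using the list prices quoted in the post and runs it for the post's own 3-host, N+1 scenario. It is an illustration of the rules as the post states them, not a substitute for the Microsoft licensing briefs linked below.

```powershell
# Added example (not from the original post): Windows Server 2012 per-host
# licensing math using the rules and list prices stated in the post.

function Get-WS2012HostLicensing {
    param(
        [Parameter(Mandatory)][int]$Sockets,     # populated CPU sockets in this host
        [Parameter(Mandatory)][int]$PeakVMs,     # high-water mark of virtual OSEs on this host
        [decimal]$StandardPrice   = 882,         # list price quoted in the post
        [decimal]$DatacenterPrice = 4809         # list price quoted in the post
    )
    # Each license of either edition covers 2 sockets in one server.
    $forSockets = [int][math]::Ceiling([math]::Max($Sockets, 1) / 2)
    # Standard additionally grants only 2 virtual OSEs per license, so the
    # count is whichever requirement (sockets or VMs) is larger.
    $stdCount = [math]::Max($forSockets, [int][math]::Ceiling($PeakVMs / 2))
    # Datacenter is unlimited VMs; only the socket count matters.
    $dcCount  = $forSockets
    $stdCost  = $stdCount * $StandardPrice
    $dcCost   = $dcCount  * $DatacenterPrice
    [pscustomobject]@{
        Sockets          = $Sockets
        PeakVMs          = $PeakVMs
        StandardLicenses = $stdCount
        StandardCost     = $stdCost
        DatacenterLicenses = $dcCount
        DatacenterCost   = $dcCost
        Cheaper          = if ($dcCost -lt $stdCost) { 'Datacenter' } else { 'Standard' }
    }
}

function Get-WS2012ClusterLicensing {
    param(
        [Parameter(Mandatory)][int]$Hosts,
        [Parameter(Mandatory)][int]$SocketsPerHost,
        [Parameter(Mandatory)][int]$TotalVMs,
        [int]$SpareHosts = 1                     # N+1 sizing as in the post
    )
    # Licenses cannot follow VMs around (90-day transfer rule), so every host
    # is licensed for the VM count it would carry with the spare(s) down.
    $active  = [math]::Max($Hosts - $SpareHosts, 1)
    $peak    = [int][math]::Ceiling($TotalVMs / $active)
    $perHost = Get-WS2012HostLicensing -Sockets $SocketsPerHost -PeakVMs $peak
    [pscustomobject]@{
        PeakVMsPerHost    = $peak
        EditionPerHost    = $perHost.Cheaper
        LicensesPerHost   = if ($perHost.Cheaper -eq 'Datacenter') { $perHost.DatacenterLicenses } else { $perHost.StandardLicenses }
        ClusterCost       = $Hosts * [math]::Min($perHost.StandardCost, $perHost.DatacenterCost)
    }
}

# The post's example: 3 two-socket VMware hosts sized N+1.
# 20 VMs -> 10 per host -> 5 Standard ($4410) beats 1 Datacenter ($4809).
Get-WS2012ClusterLicensing -Hosts 3 -SocketsPerHost 2 -TotalVMs 20
# 22 VMs -> 11 per host -> 6 Standard ($5292) loses to 1 Datacenter ($4809).
Get-WS2012ClusterLicensing -Hosts 3 -SocketsPerHost 2 -TotalVMs 22
```

The break-even the post quotes (5.45 Standard licenses per Datacenter license, i.e. more than 10 VMs on a 2-socket host) falls out of the comparison in `Get-WS2012HostLicensing`; the cluster function only adds the N+1 high-water-mark step that people miss when they count licenses per VM.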

General licensing FAQ:
http://download.microsoft.com/download/4/D/B/4DB352D1-C610-466A-9AAF-EEF4F4CFFF27/WS2012_Licensing-Pricing_FAQ.pdf

Licensing brief for virtualized environments:

http://download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/WindowsServer2012VirtualTech_VLBrief.pdf