Thursday, September 24, 2009

Windows 2008 license saving with Hyper-V

A friend of mine (a Server Manager in a large MNC) shared with me that I can potentially save on Windows 2008 licenses by using Hyper-V. Before Hyper-V, you would need to purchase a server license for each VM. For example, if your host contains 4 VMs running Windows Server 2003 on VMware, you would need to purchase 4 copies of the 2003 server license.

With the introduction of Hyper-V, each edition of Windows Server 2008 comes with a certain number of free VMs (with server license included!).

Number of free Hyper-V VMs for each edition:
  • Standard Edition: 1 free VM
  • Enterprise Edition: 4 free VMs
  • Data Center Edition: Unlimited

For example, an Enterprise edition comes with 4 free VMs. That means you can have 4 instances of Windows 2008 Enterprise servers for the price of a single Enterprise server license, whereas you would have to purchase 3 additional Enterprise licenses if you used VMware ESXi instead.

Looks like Microsoft is "out" to kill VMware with this huge carrot dangling. Another business partner from Dell also shared with me that he can bundle a much cheaper OEM Data Center edition if I buy new hardware from him.

With a little planning, we can actually save more on licensing if we use Hyper-V. VMware does have wonderful features such as VMotion (live migration), bare-metal performance, etc. But I am not sure we really need them, especially when Windows Server 2008 also supports quick migration and R2 has improved performance significantly; and these additional features, I heard, are not cheap. To me, Hyper-V is probably good enough for most pure Microsoft shops. For environments mixed with non-Microsoft platforms, VMware has cool P2V and V2V tools for Linux/Unix migration, whereas Microsoft is still seriously lacking in this respect (only SUSE Linux is supported at this point). Conversely, one may argue that none of the Fortune 500 has deployed Hyper-V in production yet - but hey, Hyper-V is only available in Windows Server 2008, and most servers today are still running 2003.

What’s New in Windows Server 2008 R2?

Monday, September 21, 2009

Openfiler on Hyper-V

It's pretty cool to build a virtual iSCSI SAN on a RAID array of Virtual Hard Disks (VHDs) using Hyper-V. Download the ISO image of Openfiler and create a new VM to be installed from this image. Some things to note for the Openfiler + Hyper-V combo: (1) choose the text-based installation on Openfiler; (2) use only virtual IDE hard disks (Openfiler doesn't detect iSCSI on Hyper-V); (3) use the legacy network adapter in the Hyper-V settings. As for the rest, follow this installation guide (which used VMware ESX instead). After setting up an iSCSI target on Openfiler, use the iSCSI initiator on Windows 2008 to connect, then initialize the virtual storage in "Computer Management" as shown below.


Running Windows 2008 R2 on Home PC

Windows 2008 R2 (64-bit only) is now available for download. I downloaded it to get rid of my old WinXP and am trying out many new features. And it's free for 180 days, which means I could also further delay (or even skip) my Windows 7 upgrade. What's more, you can also experience new Windows 7 features by adding the "Desktop Experience" feature in Server Manager.

Add the Hyper-V role and build a "Contoso.com" domain at home, which is ideal for the new MCTS (Active Directory) and even MCITP (Server Admin/Enterprise) wannabes. My "Contoso.com" is built on several VMs with two domain controllers (one full + one Server Core), one file server, one terminal server (now renamed Remote Desktop Services), one Vista client and one Windows 7 client. Add another free Linux-based Openfiler VM for iSCSI SAN storage that is built on a RAID array of Virtual Hard Disks (VHDs). The outcome is a full-scale virtual enterprise infrastructure running on a single dual-core PC with just 4 GB RAM.

Monday, September 14, 2009

Group Policy Preferences

You may want to do these for all your corporate desktops: Want to modify the registry settings? Need to lock down all USB device storage? Want to copy or delete certain files? Want to do all these without writing logon scripts? All these are now possible with Group Policy Preferences. Preferences are a new feature that sits alongside policy settings in Group Policy Objects (GPOs).

Using Group Policy Preferences comes at no added cost but provides several advantages. It improves IT productivity. It reduces deployment costs by helping organizations reduce image count and the cost of maintaining images. It reduces configuration errors during and after deployment. It reduces, if not eliminates, the need for complex logon scripts. It allows you to fine-tune settings for users and computers throughout your organization.

Preferences have been available since the release of the new Group Policy Management Console (GPMC) on Windows Server 2008. Note: you need not raise the domain functional level to Windows 2008. New Client Side Extensions (CSEs - the enforcers on the clients) have to be installed on clients in order for the preferences to take effect.

1) Group Policy Preference Client Side Extensions for Windows XP (KB943729)
2) Group Policy Preference Client Side Extensions for Windows Vista (KB943729)

It is recommended that you modify or manage a GPO from a Windows Server 2008 or Vista SP1 machine with Remote Server Administration Tools (RSAT). If you try to modify the GPO from a Windows Server 2003 or XP workstation, you will not see the new Preferences capability.
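To confirm that a preference actually reached a client, the following added example (not part of the original post) checks one machine for the CSE update and for the result of a USB storage lockdown. It assumes the preference item is a Registry item that sets the `Start` value of the USBSTOR service to 4 (disabled); the function name is hypothetical.

```powershell
# Added example, not from the original post. Read-only; changes nothing on the client.
function Get-GppUsbLockdownStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Windows XP and Vista only process preferences after the CSE update is installed.
    $cse = @(Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
             Where-Object { $_.HotFixID -eq 'KB943729' }).Count -gt 0

    # Assumption: the preference item sets USBSTOR\Start to 4 (service disabled).
    # Reading a remote hive needs the Remote Registry service on the client.
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
    $start = $null
    if ($key) { $start = $key.GetValue('Start') }

    if ($null -eq $start) {
        # The service key may not exist until a USB storage device is first installed.
        $verdict = 'USBSTOR not installed yet; re-check after the first device is plugged in'
    }
    elseif ($start -eq 4) { $verdict = 'Locked down' }
    elseif (-not $cse)    { $verdict = 'Not applied; on XP/Vista install KB943729' }
    else                  { $verdict = 'Not applied; check GPO scope and refresh policy' }

    New-Object PSObject -Property @{
        Computer     = $ComputerName
        CseInstalled = $cse
        UsbStorStart = $start
        Verdict      = $verdict
    }
}

Get-GppUsbLockdownStatus | Format-List
```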

References: http://www.microsoft.com/grouppolicy/

Saturday, September 12, 2009

Microsoft Virtual Desktop Infrastructure (VDI)

Besides RemoteApp, Microsoft Virtual Desktop Infrastructure (VDI) is introduced as part of Remote Desktop Services (RDS) in Windows Server 2008 R2. User sessions are executed on the client VMs (i.e. Windows Vista or Win7) residing on backend infrastructure i.e. Hyper-V hosts.

MS VDI comes in 2 variants: (1) static, with 1 user assigned to 1 specific VM (Personal Virtual Desktop); or (2) many users sharing a pool of VMs with a common image (Virtual Desktop Pool).

For the former (personal virtual desktop), each user is assigned to a fixed client VM that the user can personalize and customize. These changes are available to users each time they log on to their personal virtual desktop. For the latter (virtual desktop pool), a single image is replicated across many virtual machines. As users connect to the shared virtual desktop pool, they are dynamically assigned to any of the client VMs. Because users may not always be assigned to the same client VM whenever they connect, any personalization and customization made by the users is not saved. If you choose a dynamic virtual desktop pool and users still need their personalization and customizations, you have to consider roaming profiles and folder redirection as well.



Present-V Smart Card & Printer Redirection

Present-V supports smart card & printer redirection, even though the application is running on the backend server and the smart card/printer is located at the client desktop.

The same device middleware (or drivers) must be installed on both the server and the client. If you use ActivClient smart cards, ActivIdentity must be installed on both server and client, so that the server can locate the matching device driver. Whenever the application requires smart card access, TS redirects the I/O to the client's local devices. Also, ensure that Device and Resource Redirection is enabled, which is allowed by default.

Overall, this is how device redirection works:

Present-V Single Sign On (SSO)

Recently, I worked with the interns to set up a cross-domain Present-V POC, with the Exchange infrastructure on one domain and the Windows clients and terminal server on another. Initially, Windows XP users had to keep logging in with a password to launch RemoteApp, while Windows 7/Vista users were able to launch RemoteApp with Single Sign On (SSO). A deeper search revealed that SSO to Terminal Services 2008 uses the Credential Security Service Provider (CredSSP). CredSSP delegates credentials to defined target servers and is native to Windows Vista. Windows XP SP3 includes CredSSP, but it is not enabled by default.

To enable SSO, here is the solution. Take note that SSO can only be used for password authentication (i.e. not smart card authentication).
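Because CredSSP hands the user's credentials to whatever servers the client is told to trust, the client settings are worth auditing once SSO works. This added example (not from the original post) reads the registry locations Microsoft documents for CredSSP on Windows XP SP3 and for the "Allow Delegating Default Credentials" policy; the sample SPN list is constructed and the function names are hypothetical.

```powershell
# Added example, not from the original post. Read-only audit of CredSSP SSO settings.
function Test-CredSspEnabled {
    # Meaningful on Windows XP SP3 only: CredSSP is off until 'tspkg' is listed as an
    # LSA security package and 'credssp.dll' as a security provider.
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prov = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $packages  = @($lsa.'Security Packages')
    $providers = @("$($prov.SecurityProviders)" -split '\s*,\s*')
    New-Object PSObject -Property @{
        TsPkgListed   = $packages  -contains 'tspkg'
        CredSspListed = $providers -contains 'credssp.dll'
    }
}

function Get-DelegatedTarget {
    # Servers the policy allows default (logon) credentials to be delegated to.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

function Get-DelegationFinding {
    param([string[]]$Spn)
    # Classify each entry by how many hosts it lets the client send credentials to.
    foreach ($s in @($Spn | Where-Object { $_ })) {
        if ($s -eq '*' -or $s -match '^[^/]+/\*$') { $scope = 'any host' }
        elseif ($s -match '\*')                     { $scope = 'wildcard' }
        else                                        { $scope = 'single host' }
        New-Object PSObject -Property @{ Target = $s; Scope = $scope }
    }
}

# Constructed sample entries, to show the three classifications.
$sample = 'TERMSRV/ts01.contoso.com', 'TERMSRV/*.contoso.com', 'TERMSRV/*'
Get-DelegationFinding -Spn $sample | Format-Table Target, Scope -AutoSize

# Live checks on the machine the script runs on.
Test-CredSspEnabled | Format-List
Get-DelegationFinding -Spn (Get-DelegatedTarget) | Format-Table Target, Scope -AutoSize
```

Entries reported as "any host" or "wildcard" are the ones to narrow to the specific terminal servers that need SSO.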