Cert Inf Seguridad Analisis Trafico Wireshark

Hyper-V Planning and Deployment Guide
Microsoft Corporation
Published: March 2009
Abstract
This guide describes the considerations you should take into account when planning to deploy
the Hyper-! technology" and pro#ides installation and configuration details that will help you
deploy Hyper-$
Copyright information
%nfor&ation in this docu&ent" including '() and other %nternet *eb site references" is sub+ect to
change without notice$ 'nless otherwise noted" the co&panies" organi,ations" products" do&ain
na&es" e-&ail addresses" logos" people" places" and e#ents depicted in e-a&ples herein are
fictitious$ .o association with any real co&pany" organi,ation" product" do&ain na&e" e-&ail
address" logo" person" place" or e#ent is intended or should be inferred$ Co&plying with all
applicable copyright laws is the responsibility of the user$ *ithout li&iting the rights under
copyright" no part of this docu&ent &ay be reproduced" stored in or introduced into a retrie#al
syste&" or trans&itted in any for& or by any &eans /electronic" &echanical" photocopying"
recording" or otherwise0" or for any purpose" without the e-press written per&ission of Microsoft
Corporation$
Microsoft &ay ha#e patents" patent applications" trade&arks" copyrights" or other intellectual
property rights co#ering sub+ect &atter in this docu&ent$ 1-cept as e-pressly pro#ided in any
written license agree&ent fro& Microsoft" the furnishing of this docu&ent does not gi#e you any
license to these patents" trade&arks" copyrights" or other intellectual property$
2 2009 Microsoft Corporation$ 3ll rights reser#ed$
3cti#e 4irectory" Hyper-" Microsoft" M5-465" isual 7asic" isual 5tudio" *indows"
*indows .T" *indows 5er#er" and *indows ista are trade&arks of the Microsoft group of
co&panies$
3ll other trade&arks are property of their respecti#e owners$
892092009 :republished to fi- content bug /restored &issing list of file e-ceptions fro& pages ;<-;80$
Contents
Hyper- Planning and 4eploy&ent =uide$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;
3bstract$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;
Copyright infor&ation$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2
Contents$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >
Hyper- Planning and 4eploy&ent =uide$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <
3bout this guide$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <
6#er#iew of Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <
*hat does Hyper- do?$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ <
*ho will be interested in this role?$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8
*hat are the key features of Hyper-?$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8
7efore @ou %nstall Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 8
Hardware Considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9
Hardware reAuire&ents$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9
Me&ory$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 9
Processors$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;0
.etworking$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;0
5torage$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;;
6ther hardware co&ponents$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;2
3bout irtual Machines and =uest 6perating 5yste&s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$;>
(unning &ultiple #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;>
5upported guest operating syste&s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;>
%ntegration ser#ices$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;B
3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;C
Planning for Hyper- 5ecurity$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;C
Hyper- security best practices $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ;<
3dditional resources$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 20
'sing 3uthori,ation Manager for Hyper- 5ecurity$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$20
Configure Hyper- for (ole-based 3ccess Control$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2;
Configuring role-based access control$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 22
3dditional resources$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2>
Planning for 7ackup$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2B
'nderstanding backup options and considerations $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2B
5torage considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2D
'nderstanding online and offline backups$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2D
'nderstanding the restore process$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 2C
Considerations about clustered #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$2C
%nstalling Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 28
3bout the Hyper- update packages$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 28
Hyper- role package$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 28
Hyper- (e&ote &anage&ent tools packages$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$29
Hyper- )anguage Pack for *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$29
3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >0
%nstall the Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$>0
3dditional references$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >2
%nstall the Hyper- (ole on a Eull %nstallation of *indows 5er#er 2008$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$>2
3dditional considerations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >>
%nstall and Configure Hyper- Tools for (e&ote 3d&inistration$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$>B
%nstalling the &anage&ent tools$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >B
Configuring the &anage&ent tools$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >D
Configuring the ser#er running Hyper-$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$>D
Configuring *indows ista 5P;$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ >9
Configuring irtual .etworks$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ B0
irtual network types$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ B0
irtual networking basics$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ B;
.etworking and #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ BB
Configuring #irtual local area networks /)3.s0$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BB
%&ple&enting 4isks and 5torage$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ BD
4eter&ining your storage options on the &anage&ent operating syste&$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BC
4eter&ining your storage options on #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$BC
How to create #irtual hard disks$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ B9
How to configure physical disks that are directly attached to a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$B9
3ppendi- 3: 1-a&ple 3uthori,ation Manager Tasks and 6perations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D;
1-a&ple tasks and operations$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D;
3dd e-ternal network to ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D;
3dd internal network to ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D2
3dd pri#ate network$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D2
3pply a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D2
3ttach internal network adapter to #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D2
Connect to a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D>
Create a #irtual floppy disk or #irtual hard disk$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D>
Create a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D>
4elete a pri#ate network$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D>
4elete a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D>
4elete a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB
1-port #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB
%&port #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB
Modify #irtual &achine settings /reconfigure a #irtual &achine0$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB
Pass CT() F 3)T F 41)1T1 /send control signals to a #irtual &achine0$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DB
Pause a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB
(e&o#e e-ternal network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DB
(e&o#e internal network adapter fro& a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DD
(e&o#e internal network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DD
(e&o#e pri#ate network fro& ser#er$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DC
(ena&e a snapshot$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DC
(ena&e a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DC
(esu&e a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DC
5a#e a #irtual &achine and start a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$DC
5tart a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ DC
Turn off a #irtual &achine$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<
iew Hyper- ser#er settings$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<
iew network &anage&ent$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<
iew #irtual &achines$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<
3ppendi- 7: 3uthori,ation Manager Ter&inology$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$D<
Ter&inology$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ D<
Hyper-V Planning and Deployment Guide
About this guide
The Hyper- Planning and 4eploy&ent =uide is intended to help you understand the
considerations you should take into account when planning to deploy Hyper-!" and to pro#ide
installation and configuration details that will help you deploy Hyper-$
6#er#iew of Hyper-
7efore @ou %nstall Hyper-
%nstalling Hyper-
Configuring irtual .etworks
%&ple&enting 4isks and 5torage
3ppendi- 3: 1-a&ple 3uthori,ation Manager Tasks and 6perations
3ppendi- 7: 3uthori,ation Manager Ter&inology
Overview of Hyper-V
Hyper- enables you to create a #irtuali,ed ser#er co&puting en#iron&ent using a technology
that is part of *indows 5er#erG 2008$ @ou can use a #irtuali,ed co&puting en#iron&ent to
i&pro#e the efficiency of your co&puting resources by utili,ing &ore of your hardware resources$
This is possible because you use Hyper- to create and &anage #irtual &achines and their
resources$ 1ach #irtual &achine is a #irtuali,ed co&puter syste& that operates in an isolated
e-ecution en#iron&ent$ This allows you to run &ultiple operating syste&s si&ultaneously on one
physical co&puter$
ote
Hyper- is a hyper#isor-based #irtuali,ation technology that reAuires specific hardware$
Eor &ore infor&ation about the reAuire&ents and other considerations about hardware"
see Hardware Considerations$
!hat does Hyper-V do"
Hyper- pro#ides software infrastructure and basic &anage&ent tools in *indows 5er#er 2008
that you can use to create and &anage a #irtuali,ed ser#er co&puting en#iron&ent$ This
#irtuali,ed en#iron&ent can be used to address a #ariety of business goals ai&ed at i&pro#ing
efficiency and reducing costs$ Eor e-a&ple" a #irtuali,ed ser#er en#iron&ent can help you:
(educe the costs of operating and &aintaining physical ser#ers by increasing your
hardware utili,ation$ @ou can reduce the a&ount of hardware needed to run your ser#er
workloads$
<
%ncrease de#elop&ent and test efficiency by reducing the a&ount of ti&e it takes to set
up hardware and software and reproduce test en#iron&ents$
%&pro#e ser#er a#ailability without using as &any physical co&puters as you would need
in a failo#er configuration that uses only physical co&puters$
!ho will be interested in this role"
Hyper- can be useful to you if you are:
3n %T ad&inistrator" planner" or designer$
3n %T architect responsible for co&puter &anage&ent and security throughout your
organi,ation$
3n %T operations &anager who is looking for ways to reduce the total cost of ownership of
their ser#er infrastructure" in ter&s of both power costs and &anage&ent costs$
3 software de#eloper or tester who is looking for ways to increase producti#ity by
reducing the ti&e it takes to build and configure a ser#er for de#elop&ent or test use$
!hat are the #ey features of Hyper-V"
The key features of Hyper- are as follows:
CB-bit nati#e hyper#isor-based #irtuali,ation$
3bility to run >2-bit and CB-bit #irtual &achines concurrently$
'niprocessor and &ultiprocessor #irtual &achines$
irtual &achine snapshots" which capture the state" data" and hardware configuration of
a running #irtual &achine$ 7ecause snapshots record syste& states" you can re#ert the
#irtual &achine to a pre#ious state$
)arge #irtual &achine &e&ory support$
irtual local area network /)3.0 support$
Microsoft Manage&ent Console /MMC0 &anage&ent snap-in$
4ocu&ented *indows Manage&ent %nstru&entation /*M%0 interfaces for scripting and
&anage&ent$
Eor &ore infor&ation about the *M% interfaces" see irtuali,ation *M% Pro#ider
/http:99go$&icrosoft$co&9fwlink9?)ink%4H;08DCB0$
$efore %ou &nstall Hyper-V
Hyper- has specific hardware reAuire&ents and considerations that you should fa&iliari,e
yourself with when planning to deploy this technology$ Topics to re#iew include the following:
Hardware Considerations
3bout irtual Machines and =uest 6perating 5yste&s
8
Planning for Hyper- 5ecurity
Planning for 7ackup
Hardware Considerations
To effecti#ely plan for and deploy Hyper-" you should understand the reAuire&ents and
&a-i&u& configurations for the physical and #irtual hardware that will co&prise the #irtuali,ed
ser#er co&puting en#iron&ent$
Hardware re'uirements
Hyper- reAuires specific hardware$ To install and use the Hyper- role" you will need the
following:
An ()*-based processor+Hyper- is a#ailable in CB-bit editions of *indows 5er#er 2008
Ispecifically" the CB-bit editions of *indows 5er#er 2008 5tandard" *indows 5er#er 2008
1nterprise" and *indows 5er#er 2008 4atacenter$ Hyper- is not a#ailable for >2-bit /-8C0
editions or *indows 5er#er 2008 for %taniu&-7ased 5yste&s$ Howe#er" the Hyper-
&anage&ent tools are a#ailable for >2-bit editions$ Eor &ore infor&ation about the tools" see
%nstalling Hyper-$
Hardware-assisted virtuali,ation+ This is a#ailable in processors that include a
#irtuali,ation optionIspecifically processors with %ntel irtuali,ation Technology /%ntel T0 or
3M4 irtuali,ation /3M4-0 technology$
Hardware-enforced Data -(ecution Prevention .D-P/ must be available and
enabled+ 5pecifically" you &ust enable %ntel J4 bit /e-ecute disable bit0 or 3M4 .J bit /no
e-ecute bit0$
@ou can identify syste&s that support the -CB architecture and Hyper- by searching the
*indows 5er#er catalog for Hyper- as an additional Aualification /see
http:99go$&icrosoft$co&9fwlink9?)ink%dH;;;2280$
0ip
The settings for hardware-assisted #irtuali,ation and hardware-enforced 41P are
a#ailable in the 7%65$ Howe#er" the na&es of the settings &ay differ fro& the na&es
identified abo#e$ Eor &ore infor&ation about whether a specific processor &odel
supports Hyper-" check with the &anufacturer of the co&puter$ %f you &odify the
settings for hardware-assisted #irtuali,ation or hardware-enforced 41P" we reco&&end
that you turn off the power to the co&puter and then turn it back on$ (estarting the
co&puter &ay not apply the changes to the settings$
1emory
The &a-i&u& a&ount of &e&ory that can be used is deter&ined by the operating syste&" as
follows:
9
Eor *indows 5er#er 2008 1nterprise and *indows 5er#er 2008 4atacenter" the physical
co&puter can be configured with up to ; T7 of physical &e&ory" and #irtual &achines that
run either of those editions can be configured with up to CB =7 of &e&ory per #irtual
&achine$
Eor *indows 5er#er 2008 5tandard" the physical co&puter can be configured with up to
>2 =7 of physical &e&ory" and #irtual &achines that run that edition can be configured with
up to >; =7 of &e&ory per #irtual &achine$
Processors
The release #ersion of Hyper- is supported on physical co&puters with up to ;C logical
processors$ Howe#er" a hotfi- /K79DC<;00 is a#ailable that increases the &a-i&u& nu&ber of
#irtual processors to 2B$ Eor &ore infor&ation and links to the updates" see Hyper- 'pdate )ist$
3 logical processor can be a single core or &ulti-core processor$ @ou can configure up to B #irtual
processors on a #irtual &achine$ .ote that the nu&ber of #irtual processors supported by a guest
operating syste& &ight be lower$ Eor &ore infor&ation" see 3bout irtual Machines and =uest
6perating 5yste&s$ The following are so&e e-a&ples of supported syste&s and the nu&ber of
logical processors they pro#ide:
3 single-processor9dual-core syste& pro#ides 2 logical processors$
3 single-processor9Auad-core syste& pro#ides B logical processors$
3 dual-processor9dual-core syste& pro#ides B logical processors$
3 dual-processor9Auad-core syste& pro#ides 8 logical processors$
3 Auad-processor9dual-core syste& pro#ides 8 logical processors$
3 Auad-processor9dual-core" hyper-threaded syste& pro#ides ;C logical processors$
3 Auad-processor9Auad-core syste& pro#ides ;C logical processors$
etwor#ing
Hyper- pro#ides a #ariety of networking options and configurations to &eet different networking
reAuire&ents$ Eor &ore infor&ation about different types of #irtual networks and #irtual network
adapters" see Configuring irtual .etworks$
Hyper- networking includes the following support:
1ach #irtual &achine can be configured with up to ;2 #irtual network adaptersI8 can be
the Lnetwork adapterM type and B can be the Llegacy network adapterM type$ The network
adapter type pro#ides better perfor&ance and reAuires a #irtual &achine dri#er that is
included in the integration ser#ices packages$
1ach #irtual network adapter can be configured with either a static or dyna&ic M3C
address$
1ach #irtual network adapter offers integrated #irtual local area network /)3.0 support
and can be assigned a uniAue )3. channel$
;0
@ou can ha#e an unli&ited nu&ber of #irtual networks with up to D;2 #irtual &achines per
#irtual network$
ote
@ou cannot connect a #irtual network to a wireless network adapter$ 3s a result" you
cannot pro#ide wireless networking capabilities to #irtual &achines$
2torage
Hyper- supports a #ariety of storage options$ Eor &ore infor&ation about the storage options"
see %&ple&enting 4isks and 5torage$
@ou can use the following types of physical storage with a ser#er that runs Hyper-:
4irect-attached storage: @ou can use 5erial 3d#anced Technology 3ttach&ent /53T30"
e-ternal 5erial 3d#anced Technology 3ttach&ent /e53T30" Parallel 3d#anced Technology
3ttach&ent /P3T30" 5erial 3ttached 5C5% /5350" 5C5%" '57" and Eirewire$
5torage area networks /53.s0: @ou can use %nternet 5C5% /i5C5%0" Eibre Channel" and
535 technologies$
&mportant
Microsoft does not support network-attached storage /.350 for Hyper-$
@ou can configure a #irtual &achine to use the following types of storage:
Virtual &D- devices+ 1ach #irtual &achine supports up to B %41 de#ices$ The startup disk
/so&eti&es referred to as the boot disk0 &ust be attached to one of the %41 de#ices$ The
startup disk can be either a #irtual hard disk or a physical disk$ 3lthough a #irtual &achine
&ust use a #irtual %41 de#ice as the startup disk to start the guest operating syste&" you
ha#e &any options to choose fro& when selecting the physical de#ice that will pro#ide the
storage for the #irtual %41 de#ice$ Eor e-a&ple" you can use any of the types of physical
storage identified in the preceding list$
Virtual 2C2& devices+ 1ach #irtual &achine supports up to B #irtual 5C5% controllers"
and each controller supports up to CB disks$ This &eans that each #irtual &achine can be
configured with as &any as 2DC #irtual 5C5% disks$ 'se of #irtual 5C5% de#ices reAuires
integration ser#ices to be installed in the guest operating syste&$ Eor a list of the guest
operating syste&s for which integration ser#ices are a#ailable" see 3bout irtual Machines
and =uest 6perating 5yste&s
Virtual hard dis#s of up to 34*4 G$+ @ou can use fi-ed #irtual hard disks" dyna&ically
e-panding #irtual hard disks" and differencing disks$
Physical dis#s+ Physical disks attached directly to a #irtual &achine ha#e no si,e
li&itation other than what is supported by the guest operating syste&$
Virtual machine storage capacity+ 'sing #irtual hard disks" each #irtual &achine
supports up to D;2 T7 of storage$ 'sing physical disks" this nu&ber is e#en greater
depending on what is supported by the guest operating syste&$
Virtual machine snapshots+ Hyper- supports up to D0 snapshots per #irtual &achine$
;;
0ip
3lthough the %96 perfor&ance of physical 5C5% and %41 de#ices can differ significantly"
this is not true for the #irtuali,ed 5C5% and %41 de#ices in Hyper-$ Hyper- %41 and
5C5% storage de#ices both offer eAually fast high %96 perfor&ance when integration
ser#ices are installed in the guest operating syste&$ Eor a list of the guest operating
syste&s for which integration ser#ices are a#ailable" see 3bout irtual Machines and
=uest 6perating 5yste&s$
Other hardware components
The following is infor&ation about the other types of physical and #irtual hardware co&ponents
that you can use with Hyper-$
44 dri#e 3 #irtual &achine has ; #irtual 44 dri#e by
default when you create the #irtual &achine$
irtual &achines can be configured with up to >
44 dri#es" connected to an %41 controller$
/irtual &achines support up to B %41 de#ices"
but one de#ice &ust be the startup disk$0
3 #irtual 44 dri#e can access C4s and 44s"
either $iso files or physical &edia$ Howe#er"
only one #irtual &achine can be configured to
access a physical C4944 dri#e at a ti&e$
irtual C6M port 1ach #irtual &achine is configured with 2 #irtual
serial /C6M0 ports that can be attached to a
na&ed pipe to co&&unicate with a local or
re&ote physical co&puter$
ote
.o access to a physical C6M port is
a#ailable fro& a #irtual &achine$
irtual floppy dri#e 1ach #irtual &achine is configured with ; #irtual
floppy dri#e" which can access #irtual floppy
disk /$#fd0 files$
ote
.o access to a physical floppy dri#e is
a#ailable fro& a #irtual &achine$
;2
About Virtual 1achines and Guest Operating
2ystems
5unning multiple virtual machines
@ou can use Hyper- to configure and use &any #irtual &achines at the sa&e ti&e$ The specific
nu&ber depends on two factors$ 6ne factor is the a#ailable physical resources on the ser#er
running Hyper-$ Eor &ore infor&ation" see Hardware Considerations$ The other factor is the
&a-i&u& capacity of Hyper-$ @ou can configure as &any as D;2 #irtual &achines on a ser#er
running Hyper-$ *ith the appropriate physical resources" the release #ersion of Hyper-
supports up to ;28 #irtual &achines running at the sa&e ti&e$ 3 hotfi- /K79DC<;00 is a#ailable
that increases the &a-i&u& nu&ber of running #irtual &achines to ;92$ Eor &ore infor&ation
and links to the updates" see Hyper- 'pdate )ist$
2upported guest operating systems
The following operating syste&s are supported for use on a #irtual &achine as a guest operating
syste&$ @ou can run >2-bit and CB-bit guest operating syste&s at the sa&e ti&e on one ser#er
running Hyper-$
@ou can use the following >2-bit and CB-bit editions of *indows 5er#er 2008 as a
supported guest operating syste& on a #irtual &achine configured with ;" 2" or B #irtual
processors:
*indows 5er#er 2008 5tandard and *indows 5er#er 2008 5tandard without Hyper-
*indows 5er#er 2008 1nterprise and *indows 5er#er 2008 1nterprise without
Hyper-
*indows 5er#er 2008 4atacenter and *indows 5er#er 2008 4atacenter without
Hyper-
*indows *eb 5er#er 2008
*indows 5er#er 2008 HPC 1dition
@ou can use the following editions of *indows 5er#er 200> as a supported guest
operating syste& on a #irtual &achine configured with ; or 2 #irtual processors:
*indows 5er#er 200> (2 5tandard 1dition with 5er#ice Pack 2
*indows 5er#er 200> (2 1nterprise 1dition with 5er#ice Pack 2
*indows 5er#er 200> (2 4atacenter 1dition with 5er#ice Pack 2
*indows 5er#er 200> 5tandard 1dition with 5er#ice Pack 2
*indows 5er#er 200> 1nterprise 1dition with 5er#ice Pack 2
*indows 5er#er 200> 4atacenter 1dition with 5er#ice Pack 2
*indows 5er#er 200> *eb 1dition with 5er#ice Pack 2
;>
*indows 5er#er 200> (2 5tandard -CB 1dition with 5er#ice Pack 2
*indows 5er#er 200> (2 1nterprise -CB 1dition with 5er#ice Pack 2
*indows 5er#er 200> (2 4atacenter -CB 1dition with 5er#ice Pack 2
*indows 5er#er 200> 5tandard -CB 1dition with 5er#ice Pack 2
*indows 5er#er 200> 1nterprise -CB 1dition with 5er#ice Pack 2
*indows 5er#er 200> 4atacenter -CB 1dition with 5er#ice Pack 2
@ou can run the following #ersions of *indows 2000 on a #irtual &achine configured with
; #irtual processor:
*indows 2000 5er#er with 5er#ice Pack B
*indows 2000 3d#anced 5er#er with 5er#ice Pack B
@ou can run the following )inu- distributions on a #irtual &achine configured with ; #irtual
processor:
5use )inu- 1nterprise 5er#er ;0 with 5er#ice Pack 2 /-8C edition or -CB edition0
5use )inu- 1nterprise 5er#er ;0 with 5er#ice Pack ; /-8C edition or -CB edition0
@ou can run the following >2-bit and CB-bit #ersions of *indows ista on a #irtual
&achine configured with ; or 2 #irtual processors:
*indows ista 7usiness with 5er#ice Pack ;
*indows ista 1nterprise with 5er#ice Pack ;
*indows ista 'lti&ate with 5er#ice Pack ;
@ou can run the following #ersions of *indows JP on a #irtual &achine:
*indows JP Professional with 5er#ice Pack > /configured with ; or 2 #irtual
processors0
*indows JP Professional with 5er#ice Pack 2 /configured with ; #irtual processor0
*indows JP Professional -CB 1dition with 5er#ice Pack 2 /configured with ; or 2
#irtual processors0
&ntegration services
%ntegration ser#ices are a#ailable for supported guest operating syste&s as described in the
following table$
&mportant
*hen a ser#ice pack is listed" the ser#ice pack is reAuired and the guest operating
syste& is not supported without the listed ser#ice pack$
ote
5o&e guest operating syste&s do not support the olu&e 5hadow Copy 5er#ice$ 3s a
result" online backup ser#ice is not a#ailable and is not listed for those guest operating
syste&s$
Guest operating system Device and service support
;B
*indows 5er#er 2008 /CB-bit editions and -8C
editions0
4ri#ers: %41" 5C5%" networking" #ideo" and
&ouse
5er#ices: operating syste& shutdown" ti&e
synchroni,ation" data e-change" heartbeat" and
online backup
*indows 5er#er 200> /-CB editions0 with
5er#ice Pack 2
&ouse
online backup
ote
This operating syste& does not support
a legacy network adapter$ Eor &ore
infor&ation about #irtual networking and
network adapter types" see Configuring
irtual .etworks$
*indows 5er#er 200> /-8C editions0 with
5er#ice Pack 2
&ouse
online backup
*indows 2000 5er#er with 5er#ice Pack B 4ri#ers: %41" networking" #ideo" and &ouse
synchroni,ation" data e-change" and heartbeat
*indows 2000 3d#anced 5er#er with 5er#ice
Pack B
4ri#ers: %41" networking" #ideo" and &ouse
5use )inu- 1nterprise 5er#er ;0 /-CB edition0
with 5er#ice Pack ; or 2
4ri#ers only: %41" 5C5%" and networking
5use )inu- 1nterprise 5er#er ;0 /-8C edition0
with 5er#ice Pack ; or 2
4ri#ers only: %41" 5C5%" and networking
*indows ista /CB-bit editions0 with 5er#ice
Pack ;
&ouse
online backup
*indows ista /-8C editions0 with 5er#ice Pack
;
4ri#ers: %41" networking" #ideo" and &ouse
;D
online backup
*indows JP Professional /-8C editions0 with
5er#ice Pack 2 or >
&ouse
*indows JP Professional -CB 1dition with
5er#ice Pack 2
&ouse
Additional considerations
6n *indows operating syste&s" you &ay need to close the Eound .ew Hardware
*i,ard to start the installation of integration ser#ices$
%f you installed a prerelease #ersion of integration ser#ices on a guest operating syste&"
we reco&&end that you upgrade to the release #ersion$ Eor supported *indows operating
syste&s" the release #ersion of integration ser#ices is included in the update package for the
Hyper- role$ Eor &ore infor&ation about the role update package" see %nstalling Hyper-$
%ntegration ser#ices for the supported #ersions of )inu- distributions are distributed
through the Microsoft Connect *eb site and are identified as )inu- %ntegration Co&ponents
for Microsoft Hyper-$ Eor &ore infor&ation" see http:99go$&icrosoft$co&9fwlink9?
)ink%4H;0202B$
Planning for Hyper-V 2ecurity
@ou should secure your #irtuali,ation ser#er using the sa&e &easures you would take to
safeguard any ser#er running *indows 5er#er 2008$ 3dditionally" you should use a few e-tra
&easures to help secure the #irtual &achines" configuration files" and data$ Eor &ore infor&ation
about how to secure *indows 5er#er 2008 workloads" see the *indows 5er#er 2008 5ecurity
=uide /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B2000$
3dditionally" see the following security-related topics in this guide:
'sing 3uthori,ation Manager for Hyper- 5ecurity
Configure Hyper- for (ole-based 3ccess Control
@ou should secure the #irtual &achines running on the #irtuali,ation ser#er according to your
procedures for securing that kind of ser#er or workload$ There is nothing special or different you
need to do to secure the #irtual &achine +ust because it is a #irtual &achine$ Eor e-a&ple" if your
policies and procedures reAuire that you run anti#irus software" run it on the #irtual &achine$ %f
;C
you ha#e a policy reAuire&ent to seg&ent the physical ser#er to a particular network" follow the
policy for the #irtual &achine as well$
*e reco&&end the following best practices to i&pro#e the security of your ser#ers running
Hyper-$
ote
@ou can use 7it)ocker 4ri#e 1ncryption to help protect #irtual &achines and data" but it
reAuires careful deploy&ent and reco#ery planning$ Eor &ore infor&ation" re#iew the
*indows 7it)ocker 4ri#e 1ncryption 4esign and 4eploy&ent =uides
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B20;0$
Hyper-V security best practices
6se a 2erver Core installation of !indows 2erver 3447 for the management
operating system+ 3 5er#er Core installation pro#ides the s&allest attack surface and
reduces the nu&ber of patches" updates" and restarts reAuired for &aintenance$ Eor detailed
infor&ation and installation guidance" see the 5er#er Core %nstallation 6ption of *indows
5er#er 2008 5tep-7y-5tep =uide /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B2020$
Eor &ore infor&ation about enabling the Hyper- role on a ser#er running a 5er#er Core
installation" see %nstall the Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er
2008$
otes
There is no way to upgrade fro& a 5er#er Core installation to a full installation of
*indows 5er#er 2008$ %f you need the *indows user interface or a ser#er role that is not
supported in a 5er#er Core installation" install a full installation of *indows 5er#er 2008$
To re&otely &anage Hyper- on a 5er#er Core installation" use the Hyper-
&anage&ent tools for *indows 5er#er 2008 and *indows ista 5er#ice Pack ; /5P;0$
Eor &ore infor&ation" see article 9D00D0 /http:99go$&icrosoft$co&9fwlink9?)ink%dH;22;880
and article 9D2C2< /http:99go$&icrosoft$co&9fwlink9?)ink%4H;22;890 in the Microsoft
Knowledge 7ase$ Eor &ore infor&ation about configuring tools for re&ote &anage&ent
of Hyper-" see %nstall and Configure Hyper- Tools for (e&ote 3d&inistration$
Do not run any applications in the management operating system8run all
applications on virtual machines+ 7y keeping the &anage&ent operating syste& free of
applications and running a *indows 5er#er 2008 core installation" you will need fewer
updates to the &anage&ent operating syste& because nothing reAuires software updates
e-cept the 5er#er Core installation" the Hyper- ser#ice co&ponents" and the hyper#isor$
otes
%f you run progra&s in the &anage&ent operating syste&" you should run your
anti#irus solution there and add the following to the anti#irus e-clusions:
irtual &achine configuration files directory$ 7y default" it is
C:NProgra&4ataNMicrosoftN*indowsNHyper-$
;<
irtual &achine #irtual hard disk files directory$ 7y default" it is
C:N'sersNPublicN4ocu&entsNHyper-Nirtual Hard 4isks$
5napshot files directory$ 7y default" it is Osyste&dri#e
ONProgra&4ataNMicrosoftN*indowsNHyper-N5napshots$
&&s$e-e
&wp$e-e
%f you need to use the full #ersion of *indows 5er#er 2008 and run applications in the
&anage&ent operating syste&" then you should run an anti#irus progra& there$
6se the security level of your virtual machines to determine the security level of
your management operating system+ @ou should deploy #irtual &achines onto
#irtuali,ation ser#ers that ha#e si&ilar security reAuire&ents$ Eor e-a&ple" assu&e that you
classify the le#el of risk and effort to secure your ser#ers into three categories: LsecureM"
L&ore secureM" and L&ost secureM$ @ou would put &ore co&pliance effort and control
procedures into the &ost secure ser#ers than on the secure ser#ers$ This would be true
whether the ser#er is physical or running on a #irtual &achine$ %f you deploy both secure and
&ost secure #irtual &achines on the &anage&ent operating syste&" then you should secure
the #irtuali,ation ser#er as a L&ost secureM ser#er$ 4eploying #irtual &achines with si&ilar
security le#els on a #irtuali,ation ser#er can &ake &anage&ent and &o#e&ent of the #irtual
&achines easier$
Do not give virtual machine administrators permissions on the management
operating system+ 3ccording to the principle of least pri#ilege" you should gi#e
ad&inistrators of a #irtual &achine /so&eti&es called depart&ent ad&inistrators or delegated
ad&inistrators0 the &ini&u& per&issions reAuired$ Managing the reAuired per&issions on all
the ob+ects associated with a #irtual &achine can be co&ple-" and can lead to potential
security issues if not handled properly$ (ole-based access control enables you to specify
access control in ter&s of the organi,ational structure of a co&panyIby creating a new
ob+ect called a role$ @ou assign a user to a role to perfor& a +ob function$ Hyper- uses
3uthori,ation Manager policies for role-based access control$
-nsure that virtual machines are fully updated before they are deployed in a
production environment+ 7ecause #irtual &achines are so &uch easier to &o#e around and
Auicker to deploy than physical &achines" there is a greater risk that a #irtual &achine that is
not fully updated or patched &ight be deployed$ To &anage this risk effecti#ely" use the sa&e
&ethods and procedures to update #irtual &achines as you use to update physical ser#ers$
Eor e-a&ple" if you allow the use of auto&atic updates using *indows 'pdate" Microsoft
5yste& Center Configuration Manager" or another software distribution &ethod" ensure that
#irtual &achines are updated and9or patched before they are deployed$
@ou can use &aintenance hosts and Auick &igration in Hyper- to acco&plish this$ 3
&aintenance host is a host co&puter that you can dedicate for patching stored resources and
for staging #irtual &achines before you &o#e the& into your production en#iron&ent$ Eor
&ore infor&ation about &aintenance hosts" see Planning for Hosts
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>BB820$ Eor infor&ation about using Auick &igration
;8
to &o#e #irtual &achines to a &aintenance host" see Hyper- 5tep-by-5tep =uide: Testing
Hyper- and Eailo#er Clustering /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>BB8;0$
-nsure integration services are installed on virtual machines+ The accuracy of
ti&esta&ps and audit log entries is i&portant for co&puter forensics and co&pliance$
%ntegration ser#ices ensure that ti&e is synchroni,ed between #irtual &achines and the
&anage&ent operating syste&$ This synchroni,ation &akes sure that ti&e is consistent with
the physical location of the #irtual &achine in the e#ent that #irtual &achines are &igrated
between data centers in different ti&e ,ones or #irtual &achines are restored fro& pre#ious
snapshots$
6se a dedicated networ# adapter for the management operating system of the
virtuali,ation server+ 7y default" no #irtual networking is configured for the &anage&ent
operating syste&$ 'se a dedicated network adapter for &anaging the ser#er running Hyper-
and do not e-pose it to untrusted network traffic$ 4o not allow #irtual &achines to use this
network adapter$ 'se one or &ore different dedicated network adapters for #irtual &achine
networking$ This allows you to apply different le#els of networking security policy and
configuration for your #irtual &achines$ Eor e-a&ple" you can configure networking so that
the #irtual &achines ha#e different networking access than your &anage&ent operating
syste&" including the use of #irtual local area networks /)3.s0" %nternet Protocol 5ecurity
/%Psec0" .etwork 3ccess Protection /.3P0 and Microsoft Eorefront Threat Manage&ent
=ateway$ Eor &ore infor&ation about configuring networking" see Configuring irtual
.etworks$
Eor &ore infor&ation about .3P" see http:99go$&icrosoft$co&9fwlink9?)ink%4H;;<80B$ Eor
infor&ation about Microsoft Eorefront Threat Manage&ent =ateway and Microsoft Eorefront
L5tirlingM" see http:99go$&icrosoft$co&9fwlink9?)ink%dH;>BBD2$
6se $it9oc#er Drive -ncryption to protect resources+ 7it)ocker 4ri#e 1ncryption
works with features in ser#er hardware and fir&ware to pro#ide secure operating syste& boot
and disk dri#e encryption" e#en when the ser#er is not powered on$ This helps protect data if
a disk is stolen and &ounted on another co&puter for data &ining$ 7it)ocker 4ri#e 1ncryption
also helps protect data if an attacker uses a different operating syste& or runs a software
hacking tool to access a disk$
)osing a physical disk is a &ore significant risk in scenarios with s&all and &ediu&
businesses" as well as re&ote offices" where physical security of the ser#er &ay not be as
rigorous as in an enterprise data center$ Howe#er" using 7it)ocker 4ri#e 1ncryption &akes
sense for all co&ptuers$ @ou should use 7it)ocker 4ri#e 1ncryption on all #olu&es that store
#irtual &achine files too$ This includes the #irtual hard disks" configuration files" snapshots"
and any #irtual &achine resources" such as %56 i&ages and #irtual floppy disks$ Eor a higher
le#el of security that includes secure startup" 7it)ocker 4ri#e 1ncryption reAuires Trusted
Platfor& Module /TPM0 hardware$ Eor &ore infor&ation about TPM &anage&ent" see the
*indows Trusted Platfor& Module Manage&ent 5tep-by-5tep =uide
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B22<0$
Eor &ore infor&ation on how to configure 7it)ocker 4ri#e 1ncryption to help protect your
ser#er and the #irtual &achines running on it" see *indows 5er#er 2008 Hyper- and
7it)ocker 4ri#e 1ncryption /http:99go$&icrosoft$co&9fwlink9?)ink%4H;2>D>B0$
;9
3lso see *indows 7it)ocker 4ri#e 1ncryption EreAuently 3sked Puestions
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B2280 and the 7it)ocker (epair Tool
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B2290$
&mportant
'se 7it)ocker 4ri#e 1ncryption in the Hyper- &anage&ent operating syste& and to
protect #olu&es that contain configuration files" #irtual hard disks" and snapshots$ 4o
not run 7it)ocker 4ri#e 1ncryption within a #irtual &achine$ 7it)ocker 4ri#e
1ncryption is not supported within a #irtual &achine$
Disable virtuali,ation $&O2 settings when they are not re'uired+ *hen you are no
longer using a ser#er for #irtuali,ation" for e-a&ple in a test or de#elop&ent scenario" you
should turn off the hardware-assisted #irtuali,ation 7%65 settings that were reAuired for
Hyper-$ Eor instructions on disabling these settings" consult your hardware &anufacturer$
Additional resources
irtuali,ation 5ecurity 7est Practices Podcast /http:99go$&icrosoft$co&9fwlink9?
)ink%dH;>B22D0
*indows 5er#er irtuali,ation and the *indows Hyper#isor
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B22C0
6sing Authori,ation 1anager for Hyper-V
2ecurity
@ou use 3uthori,ation Manager to pro#ide role-based access control for Hyper-$ Eor instructions
on i&ple&enting role-based access control" see Configure Hyper- for (ole-based 3ccess
Control$ Eor &ore infor&ation about getting started with 3uthori,ation Manager" see 3ppendi- 7:
3uthori,ation Manager Ter&inology and Checklist: 7efore you start using 3uthori,ation Manager
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B;9<0$
3uthori,ation Manager is co&prised of the following:
Authori,ation 1anager snap-in .A,1an+msc/+ @ou can use the Microsoft Manage&ent
Console /MMC0 snap-in to select operations" group the& into tasks" and then authori,e roles
to perfor& specific tasks$ @ou also use it to &anage tasks" operations" user roles" and
per&issions$ To use the snap-in" you &ust first create an authori,ation store or open an
e-isting store$ Eor &ore infor&ation" see http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B08C$
Authori,ation 1anager AP&+ The 3P% pro#ides a si&plified de#elop&ent &odel in which
to &anage fle-ible groups and business rules and store authori,ation policies$ Eor &ore
infor&ation" see (ole-based 3ccess Control /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B0<90$
3uthori,ation Manager reAuires a data store for the policy that correlates roles" users" and access
rights$ This is called an authori,ation store$ %n Hyper-" this data store can be &aintained in an
3cti#e 4irectory database or in an JM) file on the local ser#er running the Hyper- role$ @ou can
20
edit the store through the 3uthori,ation Manager snap-in or through the 3uthori,ation Manager
3P%" which are a#ailable to scripting languages such as 75cript$
%f an 3cti#e 4irectory database is used for the authori,ation store" 3cti#e 4irectory 4o&ain
5er#ices /34 450 &ust be at the *indows 5er#er 200> functional le#el$
The JM) store does not support delegation of applications" stores" or scopes because access to
the JM) file is controlled by the discretionary access control list /43C)0 on the file" which grants
or restricts access to the entire contents of the file$ /Eor &ore infor&ation about 3uthori,ation
Manager delegation" see http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B0<D0$ 7ecause of this" if an
JM) file is used for the authori,ation store" it is i&portant that it is backed up regularly$ The .TE5
file syste& does not support applications issuing a seAuence of separate write operations as a
single logical write to a file when &ultiple applications write to the sa&e file$ This &eans an
3uthori,ation Manager policy file /JM) file0 could be edited si&ultaneously by two ad&inistrati#e
applications and could beco&e corrupted$ The Hyper- 55 writer will back up the authori,ation
store with the ser#er running the Hyper- role$
Configure Hyper-V for 5ole-based Access
Control
This topic describes how to configure role-based access control for #irtual &achines in Hyper-$
@ou use the 3uthori,ation Manager Microsoft Manage&ent Console /MMC0 snap-in /3,Man$&sc0
to pro#ide role-based access control for Hyper-$ Eor &ore infor&ation" see the following topics
in this guide:
3ppendi- 7: 3uthori,ation Manager Ter&inology
Planning for Hyper- 5ecurity
To i&ple&ent role-based access control" you &ust first define scopes and then organi,e
operations into groups to acco&plish tasks$ @ou assign tasks to roles" and then assign users or
groups to the role$ 3ny user assigned to a role can then perfor& all of the operations in all of the
tasks that are assigned to the role$
There are four general steps to setting up role-based access control for Hyper-:
;$ 4efine scope according to your organi,ational needs$ Eor e-a&ple" you can define
scopes by geography" organi,ational structure" function /de#eloper9test or production0" or
3cti#e 4irectory 4o&ain 5er#ices$ Eor a sa&ple script to create the scopes" see
http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B0<B$
2$ 4efine tasks$ %n 3uthori,ation Manager" you cannot change or create new operations$
Howe#er" you can create as &any tasks as you want and then co&bine these into role
definitions$ Eor e-a&ple tasks that you can use in your role definitions" see 3ppendi- 3:
1-a&ple 3uthori,ation Manager Tasks and 6perations$
2;
>$ Create roles$ Eor e-a&ple" if you want to create an L%T MonitorM role that you can use to
#iew properties of a #irtual &achine but not interact with the #irtual &achine" create a new
task in 3uthori,ation Manager called LMonitor irtual MachineM" with the following operations:
(ead 5er#ice Configuration
iew 1-ternal 1thernet Ports
iew %nternal 1thernet Ports
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
iew irtual 5witch Manage&ent 5er#ice
iew )3. 5ettings
B$ 3ssign users or groups to roles$
Eor e-a&ple" assu&e you ha#e two sets of #irtual &achines where one set belongs to the Hu&an
(esources depart&ent and the other set belongs to the Einance depart&ent$ @ou want the #irtual
&achine ad&inistrators for Hu&an (esources to ha#e full control o#er the #irtual &achines for
that depart&ent" but to ha#e no control o#er the #irtual &achines in Einance$ @ou want the sa&e
arrange&ent for the #irtual &achine ad&inistrators for EinanceIno access to the #irtual
&achines in Hu&an (esources$ To acco&plish this" you would define one role called
L4epart&ental irtual Machine 3d&inistratorM" define the appropriate tasks" and then assign each
ad&inistrator to the L4epart&ental irtual Machine 3d&inistratorM role assign&ent in the specific
scope$ @ou would scope the #irtual &achine ad&inistrators for Hu&an (esources to the #irtual
&achines in Hu&an (esources and the #irtual &achine ad&inistrators for Einance to the #irtual
&achines in Einance$ Then" you would assign the #irtual &achines to their respecti#e scopes$
Configuring role-based access control
'se the following procedures to set up role-based access control for #irtual &achines in Hyper-$
&mportant
To co&plete these procedures" you &ust open 3uthori,ation Manager using an account
that is a &e&ber of the 3d&inistrators group$
0o create a scope
;$ 6pen 3uthori,ation Manager by running a,man+msc fro& a co&&and pro&pt$
The default authori,ation policy is JM)-based and stored at
NProgra&4ataNMicrosoftN*indowsNHyper-N%nitial5tore$-&l$
ote
.ote that NProgra&4ataN is in a hidden directory" you cannot browse to it$ Type
the location in 2tore ame in the Open Authori,ation 2tore dialog bo-$
2$ %n the console tree" right-click Hyper-V services and then click ew 2cope$
>$ %n the ew 2cope dialog bo-" in ame" type a na&e for the scope and then click
22
O:$
B$ /6ptional0 %n Description" type a description for the scope and then click O:$
The description has a &a-i&u& si,e li&it of ;02B bytes$ 1nter a description that will help
you apply the scope to achie#e your goal$ Eor e-a&ple" you can use a description to
distinguish the Hu&an (esources scope fro& the Einance scope$
0o create a tas#
2$ %n the console tree" right-click the scope" and then click Definitions$
>$ %n the console tree" right-click 0as# Definitions and then click ew 0as# Definition$
B$ %n the ew 0as# Definition dialog bo-" in ame" type a na&e for the task$
D$ Click Add to bring up the Add Definition dialog bo- and click the Operations tab$
C$ %n Operations" select each operation in the task" and then click O:$
0o create a role
2$ 1-pand the scope" click Definitions" right-click 5ole Definition" and then click ew
5ole Definition$
The description has a &a-i&u& si,e li&it of ;02B bytes$
>$ %n the ew 5ole Definition dialog bo-" in ame" type a na&e for the role$
B$ %n Description" type a description for the role and then click O: twice$
D$ /6ptional0 Click Add to specify the operations" tasks" roles" and authori,ation rules
that you want to include" and then click O: twice$
0o assign a role
2$ 1-pand the scope" right-click 5ole Assignments" and click ew 5ole Assignment$
>$ %n the Add 5ole dialog bo-" check the role definitions to add and then click O:$
B$ (ight-click the role" click Assign 6sers and Groups" and then click ;rom !indows
and Active Directory or ;rom Authori,ation 1anager$
D$ %n the 2elect 6sers< Computers< or Groups dialog bo-" enter ob+ect na&es to
select" and then click O:$
Additional resources
5copes in 3uthori,ation Manager /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B;980
*ork *ith 5copes /http:99go$&icrosoft$co&9fwlink9?)ink%dH;>B;990
3uthori,ation Manager How ToQ /http:99go$&icrosoft$co&9fwlink9?)ink%4H;>B08C0
2>
Planning for $ac#up
*hen you plan a backup and reco#ery strategy for a #irtuali,ed ser#er en#iron&ent" there are
se#eral factors to consider$ @ou &ust consider the different types of backups you can &ake" the
state of the #irtual &achine" and the type of storage being used by the #irtual &achines$ This
topic discusses the ad#antages" disad#antages" and considerations for these factors$
ote
This topic discusses considerations for backup strategies that are i&ple&ented using
backup applications that support the Hyper- olu&e 5hadow Copy 5er#ice /550
writer$ 55 snapshots are not the sa&e as #irtual &achine snapshots$ This topic does
not co#er the use of #irtual &achine snapshots because we do not reco&&end the& as a
per&anent data or syste& reco#ery solution$ irtual &achine snapshots are intended
&ainly for use in de#elop&ent and test en#iron&ents because they pro#ide a con#enient
way to store different points of syste& state" data" and configuration$ Howe#er" there are
so&e inherent risks of unintended data loss if they are not &anaged appropriately$ Eor
&ore infor&ation about #irtual &achine snapshots" see http:99go$&icrosoft$co&9fwlink9?
)ink%dH;>>>B2$
6nderstanding bac#up options and
considerations
The backup integration ser#ice /identifiable as Hyper- olu&e 5hadow Copy (eAuestor ser#ice
in the guest operating syste&0 and the Hyper- olu&e 5hadow Copy 5er#ice /550 writer
pro#ide the &echanis& for backing up #irtual &achines as well as syste&-wide settings that
apply to Hyper-$ To i&ple&ent the backup and reco#ery scenarios discussed in this section" you
&ust use a backup application that is co&patible with the Hyper- 55 writer$ %f you want to use
*indows 5er#er 7ackup" you &ust add a registry key to register the Hyper- 55 writer$ Eor
&ore infor&ation" see http:99go$&icrosoft$co&9fwlink9?)ink%4H;>>>DB$
There are two basic &ethods you can use to perfor& a backup$ @ou can:
Perform a bac#up from the server running Hyper-V+ *e reco&&end that you use this
&ethod to perfor& a full ser#er backup because it captures &ore data than the other &ethod$
%f the backup application is co&patible with Hyper- and the Hyper- 55 writer" you can
perfor& a full ser#er backup that helps protect all of the data reAuired to fully restore the
ser#er" e-cept the #irtual networks$ The data included in such a backup includes the
configuration of #irtual &achines" snapshots associated with the #irtual &achines" and #irtual
hard disks used by the #irtual &achines$ 3s a result" using this &ethod can &ake it easier to
reco#er the ser#er if you need to" because you do not ha#e to recreate #irtual &achines or
reinstall Hyper-$ Howe#er" #irtual networks are not included in a full ser#er backup$ @ou will
need to reconfigure the #irtual networking by recreating the #irtual networks and then
reattaching the #irtual network adapters in each #irtual &achine to the appropriate #irtual
network$ 3s part of your backup planning" &ake sure you docu&ent the configuration and all
rele#ant settings of your #irtual network if you want to be able to recreate it$
2B
Perform a bac#up from within the guest operating system of a virtual machine+ 'se
this &ethod when you need to back up data fro& storage that is not supported by the Hyper-
55 writer$ *hen you use this &ethod" you run a backup application fro& the guest
operating syste& of the #irtual &achine$ %f you need to use this &ethod" you should use it in
addition to a full ser#er backup and not as an alternati#e to a full ser#er backup$ Perfor& a
backup fro& within the guest operating syste& before you perfor& a full backup of the ser#er
running Hyper-$ Eor &ore infor&ation about storage considerations" see the following
section$
2torage considerations
3s you plan your backup strategy" consider the co&patibility between the storage and backup
solutions:
Virtual hard dis#s+ These offer the best co&patibility and can be stored on &any types
of physical &edia$ Eor &ore infor&ation about the types of storage you can use with Hyper-"
see Hardware Considerations$
Physical dis#s that are directly attached to a virtual machine+ These disks cannot be
backed up by the Hyper- 55 writer$ 3s a result" this type of disk will not be included in any
backup perfor&ed by a backup progra& that uses the Hyper- 55 writer$ %n this situation"
you would need to use so&e other process to back up the physical disk" such as running a
backup application within the guest operating syste&$
i2C2&-based storage+ This storage is supported for backup by the Hyper- 55 writer
when the storage is connected through the &anage&ent operating syste& and the storage is
used for #irtual hard disks$
2torage accessed from a virtual machine by using an &nternet 2C2& .i2C2&/ initiator
within the guest operating system+ This storage will not be included in a backup of the
physical co&puter$ %n this scenario" you &ust use another process to back up the data fro&
the i5C5%-based storage before you perfor& a full ser#er backup$ Eor e-a&ple" you could run
a backup of the data on the i5C5% storage fro& a backup application running in the guest
operating syste&$
Eor &ore infor&ation about deploying storage for Hyper-" see %&ple&enting 4isks and 5torage$
6nderstanding online and offline bac#ups
*hether a backup is perfor&ed online or offline depends on whether the backup can be
perfor&ed without downti&e$
@ou can perfor& an online backup with no downti&e on a running #irtual &achine when all of the
following conditions are &et:
%ntegration ser#ices are installed and the backup integration ser#ice has not been
disabled$
3ll disks being used by the #irtual &achine are configured within the guest operating
syste& as .TE5-for&atted basic disks$ irtual &achines that use storage on which the
2D
physical partitions ha#e been for&atted as dyna&ic disks or the E3T>2 file syste& pre#ent an
online backup fro& being perfor&ed$ This is not the sa&e as dyna&ically e-panding #irtual
hard disks" which are fully supported by backup and restore operations$
olu&e 5hadow Copy 5er#ice &ust be enabled on all #olu&es used by the #irtual
&achine with a specific configuration$ 1ach #olu&e &ust also ser#e as the storage location
for shadow copies of the #olu&e$ Eor e-a&ple" the shadow copy storage for #olu&e C: &ust
be located on C:$
%f an online backup cannot be perfor&ed" then an offline backup is taken$ This type of backup
results in so&e degree of downti&e$ 3 #ariety of factors can affect the ti&e reAuired to take an
offline backup$ %f the #irtual &achine is running or paused" it is put into a sa#ed state as part of
the offline backup process$ 3fter the backup is co&pleted" the #irtual &achine is returned to its
e-isting state$
6nderstanding the restore process
The restore process is straightforward as long as the reco&&endations outlined in the pre#ious
sections were followed when the backups were created$ This includes taking the reco&&ended
steps to ensure that data which is not included in a full ser#er backup can be reco#ered or
recreated$
To restore when all co&ponents of your backup set are supported by the Hyper- 55 writer"
ha#e all the &edia and eAuip&ent a#ailable and then perfor& a restore of the entire syste& or the
#irtual &achine" depending on your circu&stances$ The Hyper- 55 writer treats Hyper- as an
application that can be backed up$ This &eans that you can reco#er indi#idual #irtual &achines$
Howe#er" you cannot use this &ethod to reco#er only a portion of a #irtual &achine$
To restore when your backup set includes &edia that is not supported by the Hyper- 55 writer"
you &ust perfor& an additional step$ Eirst" perfor& a restore of the entire syste& or the #irtual
&achine" depending on your circu&stances$ Then" restore the unsupported &edia fro& within the
guest operating syste&$
ote
%f you atte&pt to restore a #irtual &achine while it is running" it is turned off and deleted
before the backed-up #ersion of the #irtual &achine is restored$
ote
%f you restore a #irtual &achine fro& an online backup" when you start the #irtual &achine
you &ay recei#e a &essage that the operating syste& was not shut down properly$ @ou
can ignore this &essage$
Considerations about clustered virtual machines
%f you plan to cluster #irtual &achines" there are additional factors that you need to consider when
planning to backup and restore those #irtual &achines$ 7efore you atte&pt to back up or restore
clustered #irtual &achines" consider the following:
2C
3pply a hotfi- to pre#ent possible failure of a full ser#er backup on a node when a #irtual
&achine uses a #olu&e &ounted with a ='%4$ *hen the hotfi- applied" a directory path that
cannot be resol#ed will pre#ent only the #irtual &achine that uses the directory path fro&
being backed up$ Howe#er" when the hotfi- is not applied" a #olu&e &ounted with a ='%4
&ay cause the entire backup operation to fail$ Eor &ore infor&ation" see
http:99go$&icrosoft$co&9fwlink9?)ink%dH;>>>B8$
@ou &ay need to take the #irtual &achine offline before you run a backup or restore a
#irtual &achine$ Eor instructions on taking a clustered #irtual &achine offline" see
http:99go$&icrosoft$co&9fwlink9?)ink%4H;290C>$
5e#eral factors can affect backup and reco#ery operations when a #irtual &achine is
clustered$ The following tables identify the factors you need to consider and the action you
need to take to perfor& the backup or reco#ery operation$ The infor&ation in both tables
assu&es that you will run the backup or reco#ery operation on node ;$
Considerations for bac#ing up clustered virtual machines
)ocation of
cluster
group
Cluster
resource
state
Configuration
resource state
5torage
resource
state
7ackup type 3ction
reAuired to
prepare for a
backup
.ode ; 6nline 6nline 6nline 6nline .one
.ode ; 6nline 6nline 6nline 6ffline /due to
storage
configuration of
the #irtual
&achine0
'se the
Cluster
ser#ice to
take the
#irtual
&achine
cluster
resource
offline
.ode ; 6ffline 6ffline 6nline 6ffline .one
.ode ; 6ffline 6nline 6nline 6ffline .one
.ode 2 3ny state 3ny state 3ny state irtual &achine
not reported for
backup on node
;
Mo#e the
#irtual
&achine to
node ;
Considerations for restoring clustered virtual machines
)ocation Cluster
resource state
Configuration
resource state
5torage
resource state
3ction reAuired to
prepare for a
2<
restore
.ode ; 6nline 6nline 6nline Take the cluster
resource and
configuration
resource offline$
.ode ; 6ffline 6nline 6nline Take the
configuration
resource offline$
.ode ; 6ffline 6ffline 6ffline .one
.ode 2 3ny state 3ny state 3ny state The cluster
resource and the
configuration
resource need to
be taken offline on
.ode 2 to a#oid a
conflict$
&nstalling Hyper-V
The release #ersion of the Hyper- technology in *indows 5er#er 2008 is distributed in update
packages that are a#ailable fro& the Microsoft *eb site$ To install the release #ersion of any of
the Hyper- co&ponents" you &ust obtain and install the appropriate update package$ This topic
describes the packages and pro#ides links to the installation procedures for each package$
About the Hyper-V update pac#ages
5e#eral update packages are a#ailable$ 1ach update package is described below" including
infor&ation about how to obtain the package$
Hyper-V role pac#age
The release #ersion of Hyper- is distributed in the package RHyper- 'pdate for *indows 5er#er
2008 -CB 1dition /K79D00D00S$ The package consists of the Hyper- role" including the -CB
#ersion of the re&ote &anage&ent tools" and integration ser#ices for the supported #ersions of
the *indows operating syste&$
This update is offered through *indows 'pdate as a reco&&ended update$ Howe#er" you also
can obtain the update through the Microsoft 4ownload Center$ To download this update" see
http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D>9$
28
&mportant
The Hyper- role update package is a per&anent package$ 6nce you install the update
package" you cannot re&o#e it$
Eor instructions about installing the role" see %nstall the Hyper- (ole on a 5er#er Core
%nstallation of *indows 5er#er 2008 or %nstall the Hyper- (ole on a Eull %nstallation of *indows
5er#er 2008$
%f you used a prerelease #ersion of Hyper- to create #irtual &achines and installed integration
ser#ices on the #irtual &achines" you &ust upgrade the integration ser#ices to the release
#ersion$ %ntegration ser#ices are specific to the build of Hyper-$ To install the integration
ser#ices" fro& the Action &enu of irtual Machine Connection" click &nsert &ntegration 2ervices
2etup Dis#$ 6n *indows operating syste&s" if the .ew Hardware *i,ard appears" you &ust
close the wi,ard to start the installation$ %f 3utorun does not start the installation auto&atically"
you can start it &anually$ Click anywhere in the guest operating syste& window and na#igate to
the C4 dri#e$ 'se the &ethod that is appropriate for the guest operating syste& to start the
installation package fro& the C4 dri#e$
%f you are interested in &igrating fro& irtual 5er#er to Hyper-" a &igration guide is a#ailable$
Eor &ore infor&ation" see the irtual Machine Migration =uide$
Hyper-V 5emote management tools pac#ages
The Hyper- &anage&ent tools are a#ailable separately to allow re&ote &anage&ent of a ser#er
running Hyper-$ Packages are a#ailable to install the tools on *indows ista with 5er#ice
Pack ; /5P;0 and on >2-bit editions of *indows 5er#er 2008$ The following download packages
are a#ailable:
Eor CB-bit editions of *indows ista with 5P;" see http:99go$&icrosoft$co&9fwlink9?
)ink%dH;2>DB0$
Eor >2-bit editions of *indows ista with 5P;" see http:99go$&icrosoft$co&9fwlink9?
)ink%dH;2>DB;$
Eor >2-bit editions of *indows 5er#er 2008" see http:99go$&icrosoft$co&9fwlink9?
)ink%dH;2>DB2$
&mportant
The re&ote &anage&ent tools update package for the >2-bit editions of *indows
5er#er 2008 is a per&anent package$ 6nce you install the update package" you
cannot re&o#e it$
Eor instructions about installing the tools" see %nstall and Configure Hyper- Tools for (e&ote
3d&inistration$
Hyper-V 9anguage Pac# for !indows 2erver 3447
The Hyper- )anguage Pack for *indows 5er#er 2008 installs the language pack for the release
#ersion of Hyper- and supports the following additional languages:
Chinese /5i&plified0
29
Chinese /Traditional0
C,ech
Hungarian
Korean
Polish
Portuguese /7ra,il0
Portuguese /Portugal0
(ussian
5wedish
Turkish
Eor &ore infor&ation about the language pack and links to download the packs" see article
9D;C>C in the Microsoft Knowledge 7ase /http:99go$&icrosoft$co&9fwlink9?)ink%4H;2>D>C0$
To find out whether an update has been applied to your co&puter" you can check the
update history:
6n a full installation of *indows 5er#er 2008" click 2tart" click !indows 6pdate"
click View update history" and then click &nstalled 6pdates$
6n a 5er#er Core installation" at the co&&and pro&pt" type:
wmic 'fe list
)ook for update nu&ber #bid=>?44?4" which indicates that the update for Hyper- has
been installed$
&nstall the Hyper-V 5ole on a 2erver Core
&nstallation of !indows 2erver 3447
The 5er#er Core installation option of the *indows 5er#er 2008 operating syste& installs a
&ini&al ser#er installation of *indows 5er#er 2008 to run supported ser#er roles" including the
Hyper- role$ @ou can use the 5er#er Core installation option to help secure the ser#er running
Hyper- and all the #irtual &achines running on it$ The benefits of using the 5er#er Core
installation option include a reduced attack surface and reduced &aintenance$ Eor infor&ation
about the &ini&u& hardware reAuire&ents for a ser#er running a 5er#er Core installation" see
%nstalling *indows 5er#er 2008 /http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D>80$
*hen you select the 5er#er Core installation option" 5etup installs only the files that are reAuired
for the supported ser#er roles$ Eor e-a&ple" the 1-plorer shell is not installed as part of a 5er#er
Core installation$ 3fter you ha#e enabled the Hyper- role" you can &anage the Hyper- role and
#irtual &achines re&otely using the Hyper- &anage&ent tools$ The &anage&ent tools are
a#ailable for *indows 5er#er 2008 and *indows ista 5er#ice Pack ; /5P;0$ Eor &ore
>0
infor&ation" see article 9D00D0 /http:99go$&icrosoft$co&9fwlink9?)ink%dH;22;880 and article
9D2C2< /http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D><0 in the Microsoft Knowledge 7ase$ Eor
&ore infor&ation about configuring tools for the re&ote &anage&ent of Hyper-" see %nstall and
Configure Hyper- Tools for (e&ote 3d&inistration$
@ou can use unattended installation to configure a ser#er running a 5er#er Core installation and
Hyper-$ Eor &ore infor&ation about unattended installation settings" see the *indows
3uto&ated %nstallation Kit /http:99go$&icrosoft$co&9fwlink9?)ink%dH8;0>00$ @ou can find &ore
infor&ation and a sa&ple 'nattend$-&l file in the 5er#er Core %nstallation 6ption of *indows
5er#er 2008 5tep-7y-5tep =uide /http:99go$&icrosoft$co&9fwlink9?)ink%4H;009D90$ This guide is
also a#ailable as a download /http:99go$&icrosoft$co&9fwlink9?)ink%4HC8DDC0$
&mportant
6nce you install these ser#er updates" you will not be able to re&o#e the&$ There is
no way to upgrade fro& a full installation of *indows 5er#er 2008 or a pre#ious #ersion
of *indows 5er#er to a 5er#er Core installation$ 6nly a clean installation is supported$
There is no way to upgrade fro& a 5er#er Core installation to a full installation of
*indows 5er#er 2008$ %f you need the *indows user interface or a ser#er role that is not
supported in a 5er#er Core installation" you should install a full installation of *indows
5er#er 2008$ Eor instructions about installing the Hyper- role on a full installation of
*indows 5er#er 2008" see %nstall the Hyper- (ole on a Eull %nstallation of *indows
5er#er 2008$
%f you close all local co&&and pro&pts while installing the Hyper- role" you will ha#e
no way to &anage the 5er#er Core installation$ %f this happens" press
CT()F3)TF41)1T1" click 2tart 0as# 1anager" click ;ile" click 5un" and type
cmd+e(e$ 3lternati#ely" you can log off and log on again$
0o install Hyper-V on a 2erver Core installation
;$ @ou &ust perfor& a 5er#er Core installation before you install the Hyper- role$ Eor
instructions" see the 5er#er Core %nstallation 6ption of *indows 5er#er 2008 5tep-7y-
5tep =uide /http:99go$&icrosoft$co&9fwlink9?)ink%4H;009D90$
2$ 3fter you ha#e installed *indows 5er#er 2008" you &ust apply the Hyper- update
packages for *indows 5er#er 2008 /K79D00D00$ Eor links and &ore infor&ation about
installing the update for the release #ersion of the Hyper- technology for *indows
5er#er 2008" see %nstalling Hyper-$ @ou should also apply any other reAuired updates
before you install the Hyper- role$
To #iew the list of software updates and check if any are &issing" at the co&&and
pro&pt" type:
wmic 'fe list
%f you do not see L#bid=>?44?4M" download the Hyper- updates and then type the
following co&&and at a co&&and pro&pt:
wusa+e(e !indows)+4-:$>?44?4-()*+msu @'uiet
There are three update packages$ 3fter you install the updates" you &ust restart the
>;
ser#er$ The 'pdate for *indows 5er#er 2008 -CB 1dition /K7 9D00D00 and )anguage
Pack for Hyper- /K79D;C>C0 &ust be installed on the parent partition of the 5er#er Core
installation$
The 'pdate for *indows 5er#er 2008 /K79D2C2<0 is for re&ote &anage&ent of the
5er#er Core installation if you are &anaging the ser#er fro& a co&puter running
*indows ista 5er#ice Pack ; /5P;0" and &ust be installed on the co&puter running
*indows ista 5P;$
&mportant
7efore you enable the Hyper- role" ensure that you ha#e enabled the reAuired
hardware-assisted #irtuali,ation and hardware-enforced 4ata 1-ecution
Pre#ention /41P0 7%65 settings$ Checks for these settings are perfor&ed before
you enable the Hyper- role on a full installation" but not on a 5er#er Core
installation$
3fter you &ake the 7%65 configuration changes to enable the reAuired hardware
features" you &ay need to turn off the power to the co&puter and then turn it back on
/restarting the co&puter &ay not apply the changes to the settings0$ %f you enable the
Hyper- role without &odifying the 7%65 settings" the *indows hyper#isor &ay not work
as e-pected$ %f this happens" check the e#ent log for details" &odify the 7%65 settings
according to the ser#er hardware &anufacturer instructions" turn off and turn on the
co&puter running a 5er#er Core installation" and then install Hyper- again$
To check if your ser#er hardware is co&patible" see the *indows 5er#er catalog
/http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D>D0$ Click the list of Certified 2ervers" and
then click $y additional 'ualifications A Hyper-V$ Eor instructions about how to enable
the 7%65 settings" check with your hardware &anufacturer$
Additional references
6C5etup Co&&and-)ine 6ptions /http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D>20
Co&&and (eference /http:99go$&icrosoft$co&9fwlink9?)ink%4H9;B<>0
5er#er Core installation blog on Tech.et /http:99go$&icrosoft$co&9fwlink9?)ink%dH;2>D>;0
&nstall the Hyper-V 5ole on a ;ull &nstallation
of !indows 2erver 3447
%nstalling the Hyper- role on a full installation of *indows 5er#er 2008 installs all the
co&ponents of the Hyper- technology" including the re&ote &anage&ent tools$ The tools
consist of Hyper- Manager" which is a Microsoft Manage&ent Console /MMC0 snap-in" and
irtual Machine Connection" which pro#ides you with direct access to a #irtual &achine through a
network connection$
>2
The release #ersion of this role is distributed in an update package$ *e reco&&end that you
obtain and apply the update package before you install and begin using the Hyper- role$ Eor
&ore infor&ation about the update packages for Hyper-" see %nstalling Hyper-$
&mportant
%f you ha#e installed an earlier #ersion of Hyper-" we strongly reco&&end that you
re#iew the infor&ation about &igrating to the release #ersion of Hyper- before you apply
the update package$ 5o&e co&ponents cannot be &igrated" as e-plained in the support
article that describes the role update package$ Eor &ore infor&ation" see article 9D00D0
in the Microsoft Knowledge 7ase /http:99go$&icrosoft$co&9fwlink9?)ink%dH;22;880$
&mportant
Me&bership in the local Administrators group" or eAui#alent" is the &ini&u& reAuired to
co&plete this procedure$
0o install the Hyper-V role
;$ %f you recently installed *indows 5er#er 2008" %nitial Configuration Tasks &ay be
displayed$ @ou can install Hyper- fro& %nitial Configuration Tasks or fro& 5er#er
Manager:
%n %nitial Configuration Tasks" under Customi,e 0his 2erver" click Add roles$
%n 5er#er Manager" under 5oles 2ummary" click Add 5oles$ /%f 5er#er Manager
is not running" click 2tart" point to Administrative 0ools" click 2erver 1anager" and
then" if pro&pted for per&ission to continue" click Continue$
2$ 6n the 2elect 2erver 5oles page" click Hyper-V$
>$ 6n the Create Virtual etwor#s page" click one or &ore network adapters if you
want to &ake their connection to a physical network a#ailable to #irtual &achines$
B$ 6n the Confirm &nstallation 2elections page" click &nstall$
D$ The co&puter &ust be restarted to co&plete the installation$ Click Close to finish the
wi,ard" and then click %es to restart the co&puter$
C$ 3fter you restart the co&puter" log on with the sa&e account you used to install the
role$ 3fter the (esu&e Configuration *i,ard co&pletes the installation" click Close to
finish the wi,ard$
@ou can create a #irtual network when you install the Hyper- role$ This action changes
the configuration of the physical network adapter you selected when you installed the role$
Eor &ore infor&ation about how a physical network adapter operates after you associate it to
a #irtual network" see Configuring irtual .etworks$
@ou can install the &anage&ent tools on so&e #ersions of *indows without installing the
Hyper- role$ Eor &ore infor&ation about installing the tools without installing the Hyper-
role" see %nstall and Configure Hyper- Tools for (e&ote 3d&inistration$
>>
*hen the Hyper- role is installed" the use of irtual 5er#er or irtual PC on the
co&puter is not supported$
&nstall and Configure Hyper-V 0ools for
5emote Administration
@ou can install the Hyper- &anage&ent tools on a full installation of *indows 5er#er 2008 and
on *indows ista 5er#ice Pack ; /5P;0$ This topic describes how to install and configure the
tools$
ote
Me&bership in the local Administrators group" or eAui#alent" is the &ini&u& reAuired to
co&plete this procedure$
&nstalling the management tools
%nstalling the tools consists of obtaining and applying the appropriate update to the operating
syste&$
0o install the management tools
;$ 6btain the appropriate update package for the operating syste& on which you want
to install the tools$ Eor &ore infor&ation" see %nstalling Hyper-$
2$ %nstall the update package using the &ethod appropriate for the way you obtained the
package:
%f you obtained the update fro& *indows 'pdate and the co&puter is not set up
to install updates auto&atically" install the update &anually$
%f you obtained the update fro& the Microsoft 4ownload Center" download the file
to the co&puter and then double-click the $&su file$
>$ %f you are installing the tools on *indows ista 5P;" no additional installation steps
are reAuired" so you can proceed to the configuration instructions$ %f you are installing the
tools on *indows 5er#er 2008" co&plete the re&aining steps$
B$ 6pen 5er#er Manager$ /%f 5er#er Manager is not running" click 2tart" point to
Administrative 0ools" click 2erver 1anager" and then" if pro&pted for per&ission to
continue" click Continue$0
D$ %n 5er#er Manager" under ;eatures 2ummary" click Add ;eatures$
C$ 6n the 2elect ;eatures page" e-pand 5emote 2erver Administration 0ools" and
then e-pand 5emote Administration 0ools$
<$ Click Hyper-V 0ools" and then proceed through the rest of the wi,ard$
>B
Configuring the management tools
The configuration process consists of &odifying #arious co&ponents that control access and
co&&unications between the ser#er running Hyper- and the co&puter on which you will run the
Hyper- &anage&ent tools$
ote
.o additional configuration is reAuired if you are using the &anage&ent tools on a
co&puter running *indows 5er#er 2008 and the sa&e user account is a &e&ber of the
3d&inistrators group on both co&puters$
Configuring the server running Hyper-V
The following procedures describe how to configure the ser#er running Hyper-$ *hen do&ain-
le#el trust is not established" perfor& all the steps$ *hen do&ain-le#el trust e-ists but the re&ote
user is not a &e&ber of the 3d&inistrators group on the ser#er running Hyper-" you &ust &odify
the authori,ation policy" but you can skip the steps for &odifying the 4istributed C6M 'sers
group and the *indows Manage&ent %nstru&entation /*M%0 na&espaces$
ote
The following procedures assu&e that you ha#e installed the Hyper- role on the ser#er$
Eor instructions about installing the Hyper- role" see %nstall the Hyper- (ole on a Eull
%nstallation of *indows 5er#er 2008 or %nstall the Hyper- (ole on a 5er#er Core
%nstallation of *indows 5er#er 2008$
0o configure the Hyper-V role for remote management on a full installation of !indows
2erver 3447
;$ 1nable the firewall rules for *indows Manage&ent %nstru&entation$ Ero& an
ele#ated co&&and pro&pt" type:
netsh advfirewall firewall set rule group=B!indows 1anagement &nstrumentation
.!1&/C new enable=yes
The co&&and has succeeded when it returns the following &essage: L'pdated B
rules/s0$ 6k$M
ote
To #erify that the co&&and succeeded" you can #iew the results in *indows
Eirewall with 3d#anced 5ecurity$ Click 2tart" click Control Panel" switch to
Classic iew if you are not using that #iew" click Administrative 0ools" and then
click !indows ;irewall with Advanced 2ecurity$ 5elect inbound rules or
outbound rules and then sort by the Group colu&n$ There should be three
inbound rules and one outbound rule enabled for *indows Manage&ent
%nstru&entation$
2$ The ne-t steps configure the authori,ation policy for the ser#er running the Hyper-
role$ %f the user who reAuires re&ote access to the ser#er running Hyper- belongs to the
3d&inistrators group on both co&puters" then it is not necessary to configure the
>D
authori,ation policy$
ote
The instructions for configuring the authori,ation policy assu&e that the default
authori,ation policy has not been &odified" including the default location" and
that the account you are configuring for re&ote access reAuires full
ad&inistrati#e access to the Hyper- role$
>$ Click 2tart" click 2tart 2earch and type a,man+msc$ %f you are pro&pted to confir&
the action" click Continue$ The 3uthori,ation Manager Microsoft Manage&ent Console
/MMC0 snap-in opens$
B$ %n the na#igation pane" right-click Authori,ation 1anager and click Open
Authori,ation 2tore$ Make sure that D19 file is selected$ 7rowse to the Osyste& dri#e
ONProgra& 4ataNMicrosoftN*indowsNHyper- folder" select %nitial5tore$-&l" click Open
and then click O:$
ote
The Progra& 4ata folder is a hidden folder by default$ %f the folder is not #isible"
type: EsystemFdriveGHProgramDataH1icrosoftH!indowsHHyper-
VHinitalstore+(ml
D$ %n the na#igation pane" click Hyper-V services" and then click 5ole Assignments$
(ight-click Administrator" point to Assign 6sers and Groups" and then point to ;rom
!indows and Active Directory$ %n the 2elect 6sers< Computers< or Groups dialog
bo-" type the do&ain na&e and user na&e of the user account" and then click O:$
C$ Close 3uthori,ation Manager$
<$ .e-t" you add the re&ote user to the 4istributed C6M 'sers group to pro#ide access
to the re&ote user$ Click 2tart" point to Administrative tools" and click Computer
1anagement$ %f 'ser 3ccount Control is enabled" click Continue$ Co&ponent 5er#ices
opens$
8$ 1-pand 9ocal 6sers and Groups" and then click Groups$ (ight-click Distributed
CO1 6sers and click Add to Group$
9$ %n the Distributed CO1 6sers Properties dialog bo-" click Add$
;0$ %n the 2elect 6sers< Computers< or Groups dialog bo-" type the na&e of the user
and click O:$
;;$ Click O: again to close the Distributed CO1 6sers Properties dialog bo-$ Close
Co&ponent 5er#ices$
;2$ The re&aining steps grant the reAuired *M% per&issions to the re&ote user for two
na&espaces: the C%M2 na&espace and the #irtuali,ation na&espace$ Click 2tart" click
Administrative 0ools" and then click Computer 1anagement$
;>$ %n the na#igation pane" click 2ervices and Applications" right-click !1& Control"
and then click Properties$
;B$ Click the 2ecurity tab" click 5oot" and then click C&1V3$ 7elow the na&espace list"
click 2ecurity$
>C
;D$ %n the 2ecurity for 5OO0HC&1V3 dialog bo-" check to see if the appropriate user is
listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo-" type the
na&e of the user and click O:$
;C$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or
group nameG" click Advanced$ 6n the Permissions tab" #erify that the user you want is
selected and then click -dit$ %n the Permission -ntry for C&1V3 dialog bo-" &odify
three settings as follows:
Eor Apply to" select 0his namespace and subnamespaces$
%n the Permissions list" in the Allow colu&n" select the 5emote -nable check
bo-$
7elow the Permissions list" select the Apply these permissions to obIects
and@or containers within this container only check bo-$
;<$ Click O: in each dialog bo- until you return to the !1& Control Properties dialog
bo-$
;8$ .e-t" you repeat the process for the #irtuali,ation na&espace$ 5croll down if
necessary until you can see the #irtuali,ation na&espace$ Click virtuali,ation$ 7elow the
na&espace list" click 2ecurity$
;9$ %n the 2ecurity for 5OO0Hvirtuali,ation dialog bo-" check to see if the appropriate
user is listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo-"
type the na&e of the user and click O:$
20$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or
selected and then click -dit$ %n the Permission -ntry for virtuali,ation dialog bo-"
&odify three settings as follows:
bo-$
2;$ Click O: in each dialog bo- and then close Co&puter Manage&ent$
22$ (estart the ser#er to apply the changes to the authori,ation policy$
0o configure the Hyper-V role for remote management on a 2erver Core installation of
!indows 2erver 3447
;$ 1nable the firewall rules on the ser#er for *indows Manage&ent %nstru&entation$
Ero& an ele#ated co&&and pro&pt" type:
netsh advfirewall firewall set rule group=B!indows 1anagement &nstrumentation
The co&&and has succeeded when it returns the following &essage: L'pdated B
rules/s0$ 6k$M
><
2$ .e-t" you &odify the 4istributed C6M per&issions to pro#ide access to the re&ote
user$ Type:
net localgroup BDistributed CO1 6sersC @add EdomainFnameGHEuserFnameG
where Tdo&ainUna&eV is the do&ain that the user account belongs to and
TuserUna&eV is the user account you want to grant re&ote access to$
>$ .e-t" you connect re&otely to the ser#er running the 5er#er Core installation so you
can &odify the authori,ation policy and the two *M% na&espaces" using MMC snap-ins
that are not a#ailable on the 5er#er Core installation$
)og on to the co&puter on which you will run the Hyper- &anage&ent tools" using a
do&ain account that is a &e&ber of the 3d&inistrators group on the co&puter running a
5er#er Core installation$ /%f you need to add this user" see the instructions in %nstall the
Hyper- (ole on a 5er#er Core %nstallation of *indows 5er#er 2008$0
ote
The instructions for configuring the authori,ation policy assu&e that the default
authori,ation policy has not been &odified" including the default location" and
that the account you are configuring for re&ote access reAuires full
ad&inistrati#e access to the Hyper- role$
B$ Click 2tart" click 2tart 2earch and type a,man+msc$ %f you are pro&pted to confir&
the action" click Continue$ The 3uthori,ation Manager snap-in opens$
D$ %n the na#igation pane" right-click Authori,ation 1anager and click Open
Authori,ation 2tore$ Make sure that D19 file is selected and type:
HHEremoteFcomputerGHcJHProgramDataH1icrosoftH!indowsHHyper-VHinitalstore+(ml
where Tre&oteUco&puterV is the na&e of the co&puter running the 5er#er Core
installation$
Click Open and then click O:$
C$ %n the na#igation pane" click Hyper-V services" and then click 5ole Assignments$
(ight-click Administrator" point to Assign 6sers and Groups" and then point to ;rom
!indows and Active Directory$ %n the 2elect 6sers< Computers< or Groups dialog
bo-" type the do&ain na&e and user na&e of the user account" and then click O:$
<$ Close 3uthori,ation Manager$
8$ The re&aining steps grant the reAuired *M% per&issions to the re&ote user for two
na&espaces: the C%M2 na&espace and the #irtuali,ation na&espace$ Click 2tart" click
Administrative 0ools" and then click Computer 1anagement$
9$ %n the na#igation pane" click 2ervices and Applications" right-click !1& Control"
and then click Properties$
;0$ Click the 2ecurity tab$ Click 5oot and then click C&1V3$ 7elow the na&espace list"
click 2ecurity$
;;$ %n the 2ecurity for 5OO0HC&1V3 dialog bo-" check to see if the appropriate user is
listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo-" type the
na&e of the user and click O:$
>8
;2$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or
selected and then click -dit$ %n the Permission -ntry for C&1V3 dialog bo-" &odify
three settings as follows:
bo-$
;>$ Click O: in each dialog bo- until you return to the !1& Control Properties dialog
bo-$
;B$ .e-t" you repeat the process for the #irtuali,ation na&espace$ 5croll down if
necessary until you can see the #irtuali,ation na&espace$ Click virtuali,ation$ 7elow the
na&espace list" click 2ecurity$
;D$ %n the 2ecurity for 5OO0Hvirtuali,ation dialog bo-" check to see if the appropriate
user is listed$ %f not" click Add$ %n the 2elect 6sers< Computers< or Groups dialog bo-"
type the na&e of the user and click O:$
;C$ 6n the 2ecurity tab" select the na&e of the user$ 'nder Permissions for Euser or
selected and then click -dit$ %n the Permission -ntry for virtuali,ation dialog bo-"
&odify three settings as follows:
bo-$
;<$ Click O: in each dialog bo- and then close Co&puter Manage&ent$
;8$ (estart the co&puter running a 5er#er Core installation to apply the changes to the
authori,ation policy$
Configuring !indows Vista 2PK
The following procedure describes how to configure *indows ista 5P; when do&ain-le#el trust
is not established$
0o configure !indows Vista 2PK
;$ )og on to the co&puter running *indows ista 5P;$
2$ 1nable the firewall rules for *indows Manage&ent %nstru&entation$ Ero& an
ele#ated co&&and pro&pt" type:
netsh advfirewall firewall set rule group=C!indows 1anagement &nstrumentation
>9
The co&&and has succeeded when it returns the following &essage: L'pdated 8
rules/s0$ 6k$M
ote
To #erify that the co&&and succeeded" you can #iew the results in *indows
Eirewall with 3d#anced 5ecurity$ Click 2tart" click Control Panel" switch to
Classic iew if you are not using that #iew" click Administrative 0ools" and then
click !indows ;irewall with Advanced 2ecurity$ 5elect inbound rules or
outbound rules and then sort by the Group colu&n$ There should be si- inbound
rules and two outbound rules enabled for *indows Manage&ent
%nstru&entation$
>$ 1nable a firewall e-ception for the Microsoft Manage&ent Console$ Ero& an ele#ated
co&&and pro&pt" type:
etsh firewall add allowedprogram program=LwindirLHsystemM3Hmmc+e(e
name=N1icrosoft 1anagement ConsoleN
B$ 5tart Hyper- Manager to #erify that you can connect re&otely to the ser#er$ Click
2tart" click the 2tart 2earch bo-" type Hyper-V 1anager and press 1.T1($ %f you are
pro&pted to confir& the action" click Continue$ %n Hyper- Manager" under Actions"
click Connect to 2erver$ Type the na&e of the co&puter or browse to it" and click O:$ %f
Hyper- Manager can connect to the re&ote co&puter" the co&puter na&e will appear in
the na#igation pane and the results pane will list all the #irtual &achines configured on
the ser#er$
Configuring Virtual etwor#s
This section describes the basics of #irtual networking in Hyper- and the different types of #irtual
networks you can configure$ .etworking in Hyper- works differently than networking in
irtual 5er#er 200D" and these differences are also discussed$ 7efore configuring a #irtual
network" you should deter&ine the design and type of #irtual network you plan to use$ @ou should
be aware that Hyper- does not support wireless networks$
Eor step-by-step instructions to configure a #irtual network" see 5tep-by-5tep =uide to =etting
5tarted with Hyper- /http:99go$&icrosoft$co&9fwlink9?)ink%4H;;920<0$
Virtual networ# types
@ou can create #irtual networks on the ser#er running Hyper- to define #arious networking
topologies for #irtual &achines and the #irtuali,ation ser#er$ 'sing irtual .etwork Manager
/accessed fro& Hyper- Manager0" you ha#e three different types of #irtual networks to choose
fro&$
B0
-(ternal virtual networ#s$ 'se this type when you want to allow #irtual &achines to
co&&unicate with e-ternally located ser#ers and the &anage&ent operating syste&
/so&eti&es referred to as the parent partition0$ This type also allows #irtual &achines on the
sa&e physical ser#er to co&&unicate with each other$
&nternal virtual networ#s$ 'se this type when you want to allow co&&unication between
#irtual &achines on the sa&e physical ser#er and #irtual &achines and the &anage&ent
operating syste&$ 3n internal #irtual network is a #irtual network that is not bound to a
physical network adapter$ %t is co&&only used to build a test en#iron&ent where you need to
connect to the #irtual &achines fro& the &anage&ent operating syste&$
Private virtual networ#s$ 'se this type when you want to allow co&&unication only
between #irtual &achines on the sa&e physical ser#er$ 3 pri#ate #irtual network is a #irtual
network without a #irtual network adapter in the &anage&ent operating syste&$ Pri#ate
#irtual networks are co&&only used when you want to isolate #irtual &achines fro& network
traffic in the &anage&ent operating syste& and in the e-ternal networks$
Virtual networ#ing basics
*hile Hyper- allows you to configure co&ple- #irtual network en#iron&ents" the basic concept
of #irtual networking is straightforward$ Eor a si&ple #irtual network configuration" we reco&&end
that you ha#e at least two network adapters on the ser#er running Hyper-: one network adapter
dedicated to the physical &achine for re&ote &anage&ent" and one or &ore network adapters
dedicated to the #irtual &achines$ %f you are running an %nternet 5C5% /i5C5%0 initiator for #irtual
hard disk storage" we reco&&end that you use additional network adapters in the &anage&ent
operating syste&$ The &anage&ent operating syste& is a partition that calls the *indows
hyper#isor and reAuests that new partitions are created$ There can be only one &anage&ent
operating syste&$ Eor infor&ation on the backup and reco#ery strategy for a #irtuali,ed ser#er
en#iron&ent" see Planning for 7ackup$
*hen you add the Hyper- role during a full installation of *indows 5er#er 2008" you ha#e the
option to configure one or &ore e-ternal #irtual networks$
ote
This option is not a#ailable when perfor&ing a 5er#er Core installation of *indows
5er#er 2008$ The #irtual network adapters can be rena&ed to reflect if they are assigned
to the physical &achine or the #irtual &achines$
*hen you install Hyper- and create an e-ternal #irtual network" the &anage&ent operating
syste& uses a new #irtual network adapter to connect to the physical network$ The network
connections consist of the original network adapter and the new #irtual network adapter$ The
original physical network adapter does not ha#e anything bound to it$ Howe#er" the #irtual
network adapter has all of the standard protocols and ser#ices bound to it$
Hyper- binds the irtual .etwork 5er#ice Protocol to a physical network adapter when an
e-ternal #irtual network is created$ @ou should be aware that e-ternal network connecti#ity will be
te&porarily disrupted when an e-ternal #irtual network is created or deleted$
B;
6nce it is created" a #irtual network works +ust like a physical network e-cept that the switch is
software based and ports can be added or re&o#ed dyna&ically as they are needed$
6nce an e-ternal #irtual network is configured" all networking traffic is routed though the #irtual
switch$ Eor this reason" we reco&&end using at least one additional physical network adapter for
&anaging network traffic$ The #irtual switch functions as a physical switch would and routes
networking traffic through the #irtual network to its destination$ The following i&age is an e-a&ple
of an e-ternal #irtual network$
-(ternal virtual networ#
Eor internal #irtual networks" only co&&unication between #irtual &achines on the sa&e physical
ser#er and between #irtual &achines and the &anage&ent operating syste& is allowed$ The
following i&age is an e-a&ple of an internal #irtual network$
B2
&nternal virtual networ#
'se a pri#ate #irtual network when you want to allow co&&unication only between #irtual
&achines on the sa&e physical ser#er$ The following i&age is an e-a&ple of a pri#ate #irtual
network$
Private virtual networ#
B>
etwor#ing and virtual machines
%n Hyper-" when a #irtual &achine is created and attached to a #irtual network" it connects using
a #irtual network adapter$ There are two types of network adapters a#ailable for Hyper-: a
network adapter and a legacy network adapter$ Eor the network adapter to work" integration
ser#ices &ust be installed" which is part of the Hyper- installation$ %f integration ser#ices cannot
be installed because of the #ersion of the operating syste&" the network adapter cannot be used$
%nstead" you need to add a legacy network adapter that e&ulates an %ntel 2;;B0-based PC% East
1thernet 3dapter and works without installing a #irtual &achine dri#er$ 3 legacy network adapter
also supports network-based installations because it includes the ability to boot to the Pre-7oot
1-ecution 1n#iron&ent /PJ10$ The legacy network adapter is also reAuired if a #irtual &achine
needs to boot fro& a network$ @ou will need to disable the network adapter after the PJ1 boot$
The #irtual &achine is logically connected to a port on the #irtual network$ Eor a networking
application on the #irtual &achine to connect to so&ething e-ternally" it is first routed through the
#irtual network adapter to the #irtual port on the e-ternal #irtual network to which the #irtual
&achine is attached$ The networking packet is then directed to the physical network adapter and
out to an e-ternal physical network$
Eor the #irtual &achine to co&&unicate with the &anage&ent operating syste&" there are two
options$ 6ne option is to route the network packet through the physical network adapter and out
to the physical network" which then returns the packet back to the ser#er running Hyper- using
the second physical network adapter$ 3nother option is to route the network packet through the
#irtual network" which is &ore efficient$ The option selected is deter&ined by the #irtual network$
The #irtual network includes a learning algorith&" which deter&ines the &ost efficient port to
direct traffic to and will send the network packet to that port$ 'ntil that deter&ination is &ade by
the #irtual network" network packets are sent out to all #irtual ports$
Configuring virtual local area networ#s .V9As/
Hyper- supports #irtual local area networks /)3.s0" and because a )3. configuration is
software-based" co&puters can easily be &o#ed and still &aintain their network configurations$
Eor each #irtual network adapter you connect to a #irtual &achine" you can configure a )3. %4
for the #irtual &achine$ @ou will need the following to configure )3.s:
3 physical network adapter that supports )3.s$
3 physical network adapter that supports network packets with )3. %4s that are already
applied$
6n the &anage&ent operating syste&" you will need to configure the #irtual network to allow
network traffic on the physical port$ This is for the )3. %4s that you want to use internally with
#irtual &achines$ .e-t" you configure the #irtual &achine to specify the #irtual )3. that the #irtual
&achine will use for all network co&&unications$
There are two &odes in which you can configure a )3.: access &ode and trunk &ode$ %n
access &ode" the e-ternal port of the #irtual network is restricted to a single )3. %4 in the '%$
@ou can ha#e &ultiple )3.s using *M%$ 'se access &ode when the physical network adapter
is connected to a port on the physical network switch that also is in access &ode$ To gi#e a
#irtual &achine e-ternal access on the #irtual network that is in access &ode" you &ust configure
BB
the #irtual &achine to use the sa&e )3. %4 that is configured in the access &ode of the #irtual
network$ Trunk &ode allows &ultiple )3. %4s to share the connection between the physical
network adapter and the physical network$ To gi#e #irtual &achines e-ternal access on the #irtual
network in &ultiple )3.s" you need to configure the port on the physical network to be in trunk
&ode$ @ou will also need to know the specific )3.s that are used and all of the )3. %4s used
by the #irtual &achines that the #irtual network supports$
0o allow Hyper-V to use a V9A
;$ 6pen Hyper- Manager$
2$ Ero& the 3ctions &enu" click Virtual etwor# 1anager$
>$ 5elect the #irtual network you want to edit" and" in the right pane" check to select
-nable virtual 9A identification$
B$ 1nter a nu&ber for the )3. %4$ 3ll traffic for the &anage&ent operating syste& that
goes through the network adapter will be tagged with the )3. %4 you set$
0o allow a virtual machine to use a V9A
;$ 6pen Hyper- Manager$
2$ %n the results pane" under Virtual 1achines" select the #irtual &achine that you want
to configure to use a )3.$
>$ %n the Action pane" under the #irtual &achine na&e" click 2ettings$
B$ 'nder Hardware" select the #irtual network adapter connected to the e-ternal #irtual
network$
D$ %n the right pane" select -nable virtual 9A identification" and then enter the )3.
%4 you plan to use$
%f you need the #irtual &achine to co&&unicate using additional )3.s" connect additional
network adapters to the appropriate #irtual network and assign the )3. %4$ Make sure to
configure the %P addresses correctly and that the traffic you want to &o#e across the )3. is
also using the correct %P address$
&mplementing Dis#s and 2torage
This section describes the #arious storage options that a ser#er running Hyper- supports$ %t also
generally discusses how to plan for storage" how to create a #irtual hard disk" and how to
configure storage$
@ou can use the following types of physical storage with a ser#er that runs Hyper-:
Direct-attached storage .storage attached to the management operating system/+
@ou can use 5erial 3d#anced Technology 3ttach&ent /53T30" e-ternal 5erial 3d#anced
Technology 3ttach&ent /e53T30" Parallel 3d#anced Technology 3ttach&ent /P3T30" 5erial
3ttached 5C5% /5350" 5C5%" '57" and Eirewire$
BD
2torage area networ#s .2As/+ @ou can use %nternet 5C5% /i5C5%0" Eibre Channel" and
535 technologies$
ote
.etwork-attached storage /.350 is not supported for Hyper-$
Eor &ore infor&ation about the reAuire&ents and other considerations about hardware" see
Hardware Considerations$
Determining your storage options on the
management operating system
6n the &anage&ent operating syste&" you can select to use either #irtual hard disks or physical
disks that are directly attached to a #irtual &achine$ irtual hard disks can ha#e a capacity of up
to 20B0 gigabytes and include the following types:
;i(ed$ 3 fi-ed #irtual hard disk is a disk that occupies physical disk space on the
&anage&ent operating syste& eAual to the &a-i&u& si,e of the disk" regardless of whether
a #irtual &achine reAuires the disk space$ 3 fi-ed #irtual hard disk takes longer to create than
other types of disks because the allocated si,e of the $#hd file is deter&ined when it is
created$ This type of #irtual hard disk pro#ides i&pro#ed perfor&ance co&pared to other
types because fi-ed #irtual hard disks are stored in a contiguous block on the &anage&ent
operating syste&$
Dynamically e(panding$ 3 dyna&ically e-panding #irtual hard disk is a disk in which the
si,e of the $#hd file grows as data is written to the disk$ This type pro#ides the &ost efficient
use of disk space$ @ou will need to &onitor the a#ailable disk space to a#oid running out of
disk space on the &anage&ent operating syste&$
Differencing$ 3 differencing #irtual hard disk stores the differences fro& the #irtual hard
disk on the &anage&ent operating syste&$ This allows you to isolate changes to a #irtual
&achine and keep a #irtual hard disk in an unchanged state$ The differencing disk on the
&anage&ent operating syste& can be shared with #irtual &achines and" as a best practice"
&ust re&ain read-only$ %f it is not read-only" the #irtual &achineSs #irtual hard disk will be
in#alidated$
*ith #irtual hard disks" each #irtual &achine supports up to D;2 T7 of storage$ Physical disks that
are directly attached to a #irtual &achine ha#e no si,e li&it other than what is supported by the
guest operating syste&$ Physical disks are discussed in &ore detail later in this docu&ent in How
to configure physical disks that are directly attached to a #irtual &achine$
Determining your storage options on virtual
machines
@ou can select either integrated de#ice electronics /%410 or 5C5% de#ices on #irtual &achines:
&D- devices$ Hyper- uses e&ulated de#ices with %41 controllers$ @ou can ha#e up to
two %41 controllers with two disks on each controller$ The startup disk /so&eti&es referred to
BC
as the boot disk0 &ust be attached to one of the %41 de#ices$ The startup disk can be either a
#irtual hard disk or a physical disk$ 3lthough a #irtual &achine &ust use an %41 de#ice as the
startup disk to start the guest operating syste&" you ha#e &any options to choose fro& when
selecting the physical de#ice that will pro#ide the storage for the %41 de#ice$ Eor e-a&ple"
you can use any of the types of physical storage identified in the introduction section$
2C2& devices$ 1ach #irtual &achine supports up to 2DC 5C5% disks /four 5C5%
controllers with each controller supporting up to CB disks0$ 5C5% controllers use a type of
de#ice de#eloped specifically for use with #irtual &achines and use the #irtual &achine bus to
co&&unicate$ The #irtual &achine bus &ust be a#ailable when the guest operating syste& is
started$ Therefore" #irtual hard disks attached to 5C5% controllers cannot be used as startup
disks$
ote
3lthough the %96 perfor&ance of physical 5C5% and %41 de#ices can differ significantly"
this is not true for the #irtuali,ed 5C5% and %41 de#ices in Hyper-$ Hyper- %41 and
5C5% de#ices both offer eAually fast %96 perfor&ance when integration ser#ices are
installed in the guest operating syste&$
The following table describes the #arious storage options a#ailable with %41 de#ices:
2cenario 9ocal &D-
virtual hard
dis#
9ocal directly
attached &D-
5emote &D- virtual
hard dis#
5emote directly
attached &D-
5torage type 4irect-attached
storage
4irect-attached
storage
53." Eibre
Channel9i5C5%
53." Eibre
Channel9i5C5%
Type of disk that
is e-posed to the
&anage&ent
operating syste&
irtual hard
disk on .TE5
Physical disk
directly
attached to a
#irtual &achine
irtual hard disk on
.TE5
Physical disk
directly attached to
a #irtual &achine
Ma-i&u&
supported disk
si,e on #irtual
&achine
2 terabytes .o si,e li&it
other than what
is supported by
the guest
operating
syste&
2 terabytes .o si,e li&it other
than what is
supported by the
guest operating
syste&
irtual hard disk
snapshots are
supported
@es .o @es .o
4yna&ically
e-panding #irtual
hard disk
@es .o @es .o
4ifferencing @es .o @es .o
B<
2cenario 9ocal &D-
virtual hard
dis#
9ocal directly
attached &D-
5emote &D- virtual
hard dis#
5emote directly
attached &D-
#irtual hard disk
3bility of #irtual
&achines to
dyna&ically /hot
add0 access any
disk
.o .o .o .o
The following table describes the #arious storage options a#ailable with 5C5% de#ices:
2cenario 9ocal 2C2&
virtual hard
dis#
9ocal directly
attached 2C2&
5emote 2C2& virtual
hard dis#
5emote directly
attached 2C2&
5torage type 4irect-attached
storage
4irect-attached
storage
53." Eibre
Channel9i5C5%
53." Eibre
Channel9i5C5%
Type of disk that
is e-posed to the
&anage&ent
operating syste&
irtual hard
disk on .TE5
Physical disk
directly
attached to a
#irtual &achine
irtual hard disk on
.TE5
Physical disk
directly attached to
a #irtual &achine
Ma-i&u&
supported disk
si,e on #irtual
&achine
2 terabytes .o si,e li&it
other than what
is supported by
the guest
operating
syste&
2 terabytes .o si,e li&it other
than what is
supported by the
guest operating
syste&
irtual hard disk
snapshots are
supported
@es .o @es .o
4yna&ically
e-panding #irtual
hard disk
@es .o @es .o
4ifferencing
#irtual hard disk
@es .o @es .o
3bility of #irtual
&achines to
dyna&ically /Lhot-
addM0 access any
.o .o .o .o
B8
2cenario 9ocal 2C2&
virtual hard
dis#
9ocal directly
attached 2C2&
5emote 2C2& virtual
hard dis#
5emote directly
attached 2C2&
disk
How to create virtual hard dis#s
@ou can use #irtual hard disks as a storage option on the &anage&ent operating syste&" and
then &ake the storage a#ailable to #irtual &achines$
@ou can create and &anage #irtual hard disks using the Hyper- Manager tool$ To create a new
#irtual hard disk" you would use either the .ew irtual Hard 4isk *i,ard or the .ew irtual
Machine *i,ard$ %f you are creating dyna&ically e-panding disks" the .ew irtual Machine
*i,ard pro#ides a way to create storage for the new #irtual &achine without running the .ew
irtual Hard 4isk *i,ard$ This can be useful if you want to install a guest operating syste& in a
#irtual &achine soon after you create it$
*hen creating a new #irtual hard disk" a na&e and storage location is reAuired$ The disks are
stored as $#hd files" which &akes the& portable but also poses a potential security risk$ @ou
should &itigate this risk by taking precautions such as storing the $#hd files in a secure location$
4o not create the #irtual hard disk in a folder that is &arked for encryption$ Hyper- does not
support the use of storage &edia if 1ncrypting Eile 5yste& has been used to encrypt the $#hd file$
Howe#er" you can use files stored on a #olu&e that uses *indows 7itlocker 4ri#e 1ncryption$
0o create a virtual hard dis#
;$ 6pen Hyper- Manager$ Click 2tart" point to Administrative 0ools" and then click
Hyper-V 1anager$
2$ %n the 3ction pane" click ew" and then click Hard Dis#$
>$ Proceed through the pages of the wi,ard to custo&i,e the #irtual hard disk$ @ou can
click e(t to &o#e through each page of the wi,ard" or you can click the na&e of a page
in the left pane to &o#e directly to that page$
B$ 3fter you ha#e finished configuring the #irtual hard disk" click ;inish$
How to configure physical dis#s that are directly
attached to a virtual machine
@ou can use physical disks that are directly attached to a #irtual &achine as a storage option on
the &anage&ent operating syste&$ This allows #irtual &achines to access storage that is
&apped directly to the ser#er running Hyper- without first configuring the #olu&e$ The storage
can be either a physical disk which is internal to the ser#er" or a 53. logical unit nu&ber /)'.0
that is &apped to the ser#er /a )'. is a logical reference to a portion of a storage subsyste&0$
The #irtual &achine &ust ha#e e-clusi#e access to the storage" so the storage &ust be set in an
B9
6ffline state in 4isk Manage&ent$ The storage is not li&ited in si,e" so it can be a &ultiterabyte
)'.$
*hen using physical disks that are directly attached to a #irtual &achine" you should be aware of
the following:
This type of disk cannot be dyna&ically e-panded$
@ou cannot use differencing disks with the&$
@ou cannot take #irtual hard disk snapshots$
0o configure physical dis#s that are directly attached to a virtual machine
;$ Map the storage de#ice you plan to use to the ser#er running Hyper-$ %n 4isk
Manage&ent" the storage appears as a raw #olu&e and is in an 6ffline state$
2$ To initiali,e the raw #olu&e" in 4isk Manage&ent" right-click the disk you want to
initiali,e" and then click &nitiali,e Dis#$ .ote that before you can initiali,e the disk" it &ust
be in an 6nline state$
>$ %n the &nitiali,e Dis# dialog bo-" select the disk to initiali,e$ @ou can select whether
to use the &aster boot record /M7(0 or ='%4 partition table /=PT0 partition style$
B$ 3fter a disk is initiali,ed" return it to an 6ffline state$ %f the disk is not in an 6ffline
state" it will not be a#ailable when configuring storage for a #irtual &achine$
D$ Eollow the steps in LTo create a #irtual hard diskM and &ake sure to select Attach a
virtual hard dis# later in the .ew irtual Machine *i,ard$
C$ 6pen Hyper- Manager$ Click 2tart" point to Administrative 0ools" and then click
Hyper-V 1anager$
<$ 'nder Virtual 1achines" select the #irtual &achine that you want to configure$
8$ %n the Action pane" under the #irtual &achine na&e" click 2ettings$
9$ %n the na#igation pane /left pane0" click the controller that you want to attach the disk
to$ %f you plan to use the disk as a startup disk" &ake sure you attach it to an %41
controller$ Click Add$
;0$ 6n the Hard Drive page" select the location on the controller to attach the disk$
;;$ 'nder 1edia" specify the physical hard disk$ %f the disk does not appear in the drop-
down list under Physical hard dis#s" &ake sure the disk is in an 6ffline state in 4isk
Manage&ent$
;2$ 6nce the physical disk is configured" you can start the #irtual &achine and store data
on the disk$ %f installing an operating syste&" the installation process auto&atically
prepares the disk for use$ %f you are using the physical disk to store data" it &ust first be
prepared by the #irtual &achine$
%f you are installing an operating syste& on the physical disk and it is in an 6nline state
before the #irtual &achine is started" the #irtual &achine will fail to start$ @ou &ust store
the #irtual &achine configuration file in an alternate location because the physical disk is
used by the operating syste& installation$ Eor e-a&ple" locate the configuration file on
another internal dri#e on the ser#er running Hyper-$
D0
Appendi( AO -(ample Authori,ation 1anager
0as#s and Operations
@ou can use the e-a&ple tasks and operations listed here to help create role definitions$ (ole
definitions" co&bined with scopes and role assign&ents" help you pro#ide security for your
#irtuali,ation en#iron&ent using role-based access control$ Eor &ore infor&ation about role-
based access control in Hyper-" see the following topics in this guide:
Configure Hyper- for (ole-based 3ccess Control
ote
@ou &ust be a &e&ber of the 3d&inistrators group on the local co&puter to &odify the
default 3uthori,ation Manager policy /an JM) file0 to create role definitions and
assign&ents$
-(ample tas#s and operations
@ou cannot create or change operations$ @ou can create tasks and role definitions that include
different groups of operations to allow a user within that role to perfor& the task$ 5o&e tasks
reAuire a co&ple- group of operations$ 5uggested task na&es that describe what the tasks do
are listed in alphabetical order$ The operations reAuired are listed underneath each task na&e$
Add e(ternal networ# to server
7ind to 1-ternal 1thernet Port
Create %nternal 1thernet port
Connect irtual Machine
Create irtual 5witch
Create irtual 5witch Port
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
iew )3. 5ettings
D;
Add internal networ# to server
Create %nternal 1thernet Port
Connect irtual 5witch Port
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
iew )3. 5ettings
Add private networ#
iew 5witch Ports
iew 5witches
Apply a snapshot
3llow 6utput fro& irtual Machine
Pause and (estart irtual Machine
(econfigure irtual Machine
5tart irtual Machine
5top irtual Machine
iew irtual Machine Configuration
Attach internal networ# adapter to virtual machine
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
D2
iew )3. 5ettings
Change )3. Configuration on Port
Connect to a virtual machine
3llow %nput to irtual Machine
Create a virtual floppy dis# or virtual hard dis#
Create a virtual machine
3llow 6utput fro& a irtual Machine
Change irtual Machine 3uthori,ation 5cope
Create irtual Machine
6ptional: Connect irtual 5witch Port
ote
%f you do not need this #irtual &achine connected to a network" you can lea#e this
out$ %f you want to connect your #irtual &achine to a network" add this operation$
Delete a private networ#
4elete irtual 5witch
iew 5witch Ports
iew 5witches
Delete a snapshot
4elete irtual Machine
D>
Delete a virtual machine
4elete irtual Machine
-(port virtual machine
&mport virtual machine
Create irtual Machine
Change irtual Machine 3uthori,ation 5cope
1odify virtual machine settings .reconfigure a virtual machine/
Pass C059 P A90 P D-9-0- .send control signals to a virtual
machine/
3llow %nput to a irtual Machine
Pause a virtual machine
Pause and (estart irtual Machine
5emove e(ternal networ# from server
4elete irtual 5witch Port
DB
4elete %nternal 1thernet port
4isconnect irtual 5witch Port
'nbind 1-ternal 1thernet Port
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
iew )3. 5ettings
5emove internal networ# adapter from a virtual machine
Create irtual 5witch Ports
Change )3. Configuration on Port
4isconnect irtual 5witch Port
(econfigure 5er#ice
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
iew )3. 5ettings
5emove internal networ# from server
4elete irtual 5witch Ports
4elete %nternal 1thernet Ports
4isconnect irtual 5witch Ports
iew )3. 1ndpoints
iew 5witch Ports
iew 5witches
DD
iew )3. 5ettings
5emove private networ# from server
iew 5witch Ports
iew 5witches
5ename a snapshot
5ename a virtual machine
5esume a virtual machine
Pause and (estart a irtual Machine
2ave a virtual machine and start a virtual machine
5top irtual Machine
2tart a virtual machine
DC
0urn off a virtual machine
5top irtual Machine
View Hyper-V server settings
(econfigure 5er#ice
View networ# management
iew 5witch Ports
iew 5witches
View virtual machines
Appendi( $O Authori,ation 1anager
0erminology
@ou use the 3uthori,ation Manager Microsoft Manage&ent Console /MMC0 snap-in /3,Man$&sc0
to select operations" group the& into tasks" and then authori,e roles to perfor& specific tasks$
@ou also use the snap-in to &anage tasks" operations" and user roles and per&issions$ 5ee
'sing 3uthori,ation Manager for Hyper- 5ecurity and Configure Hyper- for (ole-based 3ccess
Control for &ore infor&ation about using role-based access control for #irtual &achines in Hyper-
$
0erminology
The following ter&inology is used in the conte-t of 3uthori,ation Manager:
Operation+ 3 low-le#el per&ission in an application$ 6perations are the building blocks of
your policy for role-based access control$ Eor e-a&ple" in Hyper- W3llow %nput to a irtual
MachineW" W3llow 6utput fro& a irtual Machine"W and WCreate a irtual MachineW are
operations$
D<
Policy+ The data that 3uthori,ation Manager uses for role-based access control$ This
data" configured by a #irtuali,ation ad&inistrator" describes the relationships between roles"
tasks" and operations$ The policy is an JM) file that you can edit using the 3uthori,ation
Manager snap-in or with scripting tools$ Eor &ore infor&ation about the ele&ents of a policy"
see Checklist: 7efore you start using 3uthori,ation Manager /http:99go$&icrosoft$co&9fwlink9?
)ink%4H;>B;9<0$
5ole+ 3 set of users and9or groups that define a category of user who can perfor& a set
of tasks or operations$ Eor e-a&ple" the users assigned to the ad&inistrator role by default
ha#e the ability to perfor& any task or operation in Hyper-$ The ad&inistrator can create any
nu&ber of other roles$
Authori,ation store+ The repository for the authori,ation policy$ @ou &ust create a store
to control resource accessIyou can do this either progra&&atically or using the snap-in$ The
default store location in Hyper- is an JM) file located at
NProgra&4ataNMicrosoftN*indowsNHyper-N%nitial5tore$-&l$ 7oth Hyper- and 3uthori,ation
Manager support JM) files and 3cti#e 4irectory 4o&ain 5er#ices for storing a policy$
Howe#er" 3uthori,ation Manager stores for other applications can be created in 3cti#e
4irectory )ightweight 4irectory 5er#ices and Microsoft 5P) 5er#er /new for *indows ista
and *indows 5er#er 20080$
2cope+ 3 collection of resources with a co&&on access control policy$ %n 3uthori,ation
Manager" the scope can be a folder" an 3cti#e 4irectory container" a file-&asked collection of
files /for e-a&ple" X$doc0" a '()" or any ob+ect that can be accessed by the application and
its underlying authori,ation store$ The ob+ect can be assigned to only one scope$ 3ny ob+ect
that is not assigned to a scope takes the access control policy that is defined in the
3uthori,ation Manager application /or root0 scope$ The default scope is LHyper-V 2ervicesM$
Hyper- ob+ects that you can use for scopes include #irtual &achines" #irtual switches" and
#irtual switch ports$
Eor e-a&ple" to grant ad&inistrator access to a set of #irtual &achines to a specific user or
group" create a scope for those #irtual &achines$ Eor &ore infor&ation" see *ork with
5copes /http:99go$&icrosoft$co&9fwlink9?)ink%4H;>B;990$
0as#+ 3 logical group of operations for acco&plishing a task$ Tasks can be categori,ed
by ob+ects and used to control access to the ob+ect$
ote
.o checks are &ade for dependent operations when you add tasks to a role
definition$ Eor e-a&ple" the LConnect to a #irtual &achineM task reAuires the L(ead
5er#ice Configuration"M L3llow 6utput fro& a irtual Machine"M and L3llow %nput to a
irtual MachineM operations$
Departmental administrator+ 3n ad&inistrator who only has per&issions to perfor& the
tasks that are outlined in the role description$ 3t a higher organi,ational le#el" the
#irtuali,ation ad&inistrator creates and &aintains the role definitions and scopes$ Eor
e-a&ple" the #irtuali,ation ad&inistrator can create a LHu&an (esources 3d&inistratorM
depart&ental ad&inistrator role that is scoped only to #irtual &achines owned by the Hu&an
(esources depart&ent" and can create a different role /with the sa&e operations and tasks0
D8
called LEinance 3d&inistratorM that is scoped only to the Einance depart&ent #irtual
&achines$
5ole definition+ The list of operations that a user can perfor& with the assigned role$
5ole assignment+ 3 list of users who can perfor& the operations that are listed in the
role definition$
Eor e-a&ple" the default ad&inistrator role definition includes all operations and the default
role assign&ent is for all users in the 7'%)T%.N3d&inistrators group$ @ou can create a L'serM
role that can only use the L5tart irtual MachineM" L5top irtual MachineM" L3llow %nput to
irtual MachineM and L3llow 6utput fro& irtual MachineM operations$ @ou can also create
roles based on organi,ational structures$ Eor e-a&ple" you can create a role called Lirtual
.etwork 3d&inistratorM and assign only the operations for #irtual networking to that role$ Eor
&ore infor&ation" see Manage =roups" (oles" and Tasks /http:99go$&icrosoft$co&9fwlink9?
)ink%dH;>BD;<0$
Virtuali,ation administrator+ 3n ad&inistrator who has local ad&inistrator per&ission
on the #irtuali,ation ser#er &anage&ent operating syste& and controls all other delegated
ad&inistrator rights and per&issions$
D9

Cert Inf Seguridad Analisis Trafico Wireshark

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Cert Inf Seguridad Analisis Trafico Wireshark

Загружено:

Авторское право:

Доступные форматы

Hyper-V Planning and Deployment Guide

Вам также может понравиться