Module 1 - Live Migration Student Manual

7/30/2019 Module 1 - Live Migration Student Manual

1/43

Published: 4th September, 2012

Windows Server 2012: Server Virtualization

Module 1B: Live Migration.

Module ManualAuthor: David Coombes, Content Master


2/43

Microsoft Virtual Academy Student Manual ii

Information in this document, including URLs and other Internet Web site references, are subject to change

without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail

addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real

company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should

be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval

system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or

otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights

covering subject matter in this document. Except as expressly provided in any written license agreement from

Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,

or other intellectual property.

2012 Microsoft Corporation. All rights reserved.

Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or

other countries.

The names of actual companies and products mentioned herein may be the trademarks of theirrespective owners.


3/43

Microsoft Virtual Academy Student Manual iii

Contents

CONTENTS .................................................................................................................................................................................................................. III

MODULE 1: VM MOBILITY. .................................................................................................................................................................................... 5

Module Overview ................................................................................................................................................................................................ 5

LESSON 1: LIVE MIGRATION ................................................................................................................................................................................ 6

LIVE MIGRATION OVERVIEW ............................................................................................................................................................................... 7

LIVE MIGRATION WITHOUT INFRASTRUCTURE ........................................................................................................................................... 8

LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 1 .................................................................................................................. 9

LIVE MIGRATION WITHOUT INFRASTRUCTURE PROCESS: 2 ................................................................................................................ 10








LIVE MIGRATION WITHOUT INFRASTRUCTURE: POWERSHELL .......................................................................................................... 18

LIVE MIGRATION WITH SMB .............................................................................................................................................................................. 19

LIVE MIGRATION WITH SMB: SHARE PERMISSIONS................................................................................................................................ 20

LIVE MIGRATION WITH SMB: FILE PERMISSIONS ..................................................................................................................................... 21

LIVE MIGRATION WITH SMB: PERMISSIONS POWERSHELL ................................................................................................................. 23

LIVE MIGRATION WITH SMB ARCHITECTURE ............................................................................................................................................. 24

Setup ....................................................................................................................................................................................... 24Memory Page Transfer .......... ........... .......... .......... ........... .......... ........... .......... ........... .......... ........... .......... ........... .......... ......... 24Memory Page Copy Process ............. ........... .......... ........... .......... ........... .......... ........... .......... .......... ........... .......... ........... ....... 25Moving the Storage Handle from Source to Destination .......... .......... ........... .......... .......... ........... .......... ........... .......... ........... 25Bringing the VM Online on the Destination Server ........... .......... ........... .......... .......... ........... .......... ........... .......... ........... ....... 25Network Cleanup .......... ........... .......... .......... ........... ........... .......... ........... .......... .......... ........... .......... ........... .......... ........... ....... 25

LIVE MIGRATION WITH SMB: POWERSHELL ............................................................................................................................................... 27

LIVE MIGRATION BETWEEN CLUSTERS .......................................................................................................................................................... 28

LIVE MIGRATION SECURITY ................................................................................................................................................................................ 29

UNDERSTANDING CREDENTIAL SECURITY: 1 ............................................................................................................................................. 31



CREDENTIAL SECURITY AND HYPER-V: 1 ..................................................................................................................................................... 34



4/43

Microsoft Virtual Academy Student Manual

iv



ENABLING CONSTRAINED DELEGATION ...................................................................................................................................................... 39

POWERSHELL REMOTING WITH CREDSSP ................................................................................................................................................... 42

REMOTE DESKTOP ................................................................................................................................................................................................. 43


5/43


Microsoft Virtual Academy Student Manual 5

Module 1: VM Mobility.

Module Overview

This module describes the Hyper-V virtual machine (VM) mobility technologies, particularly the newand enhanced technologies introduced with Windows Server 2012. These include changes to Live

Migration, new Live Storage Migration, and improvements to the VM import process. This module

also includes a review of VM mobility and protection technologies.


6/43



Lesson 1: Live Migration

This lesson describes the new Live Migration technologies introduced with Windows Server 2012. Italso explains the best practices for enabling secure Live Migrations.


7/43



Live Migration Overview

In addition to performance enhancements to existing Live Migration tools, Hyper-V in WindowsServer 2012 includes several new Live Migration options, including:

Live Migration without shared infrastructure Live Migration using shared SMB storage

Live Migration between clusters

All Live Migration technologies and options in Windows Server 2012 are based on the sameunderlying principle: the VM will always be running somewhere. This principle means that, for

example, before a VM is shut down and removed from a source Hyper-V host at the end of a

migration, a range of checks are performed to ensure that the VM is running properly on the target

host. It also means that there is always a failback optionshould a migration fail for any reason, thesource VM will still be running and available.


8/43



Live Migration without Infrastructure

With "shared nothing" Live Migration, the only requirement is that there are (at least) two Hyper-Vservers that are both members of a domain. However, gigabit networking should be used to ensure

that users do not notice any downtime during the migration process.

There are no requirements for shared storagethere can be different types of storage on eitherHyper-V server.

The entire VMvirtual hard disks (VHDs) and running stateis moved with no downtime.

Note that when you perform a Live Migration of a VM between two computers that do not share aninfrastructure, Hyper-V first performs a partial migration of the VMs storage.


9/43



Live Migration without Infrastructure Process: 1

In the scenario described over the following pages, there are two Hyper-V servers, running the usermode VM management service (VMMS). On the first Hyper-V server, there is a VM with its VHDs,

ready to be migrated to the second Hyper-V server.

How it works: First, a network connection is established between the Hyper-V hosts. This is a TCP

connection and, in the initial negotiation phase, checks are made, including:

Does the user account have permission on both servers for this migration?

Has Live Migration been enabled on both servers?

After all of the checks are complete, Hyper-V establishes the Live Migration connection.


10/43



10


How it works: After all of the checks are complete, Hyper-V establishes the Live Migration connection.


11/43



11


How it works: Hyper-V does not start Live Migrating the VMs memory and CPU state at this stage;instead, the next step is to start a form of storage migration.


12/43



12


How it works: The storage migration uses a lot of the core engine from Live Storage Migration. Thekey modification from standard Live Storage Migration is that Hyper-V copies the VHDs while the VM

is still running and then forms a disk mirror. With this mirror, disk writes are sent to both disks, anddisk reads are made from whichever host the VM is currently running on.

This mirror is critical to the principle; the VM will always be running somewhere.


13/43



13


How it works: After the mirror is established, the Live Migration can start; memory pages are copiedover to the target host, and dirty memory pages are tracked and then sent across.


14/43



14


How it works: After the memory copy phase is complete, the VM is started on the destination host.

Note that the storage mirror is maintained throughout this operation so that if there is a failure atany point in time, Hyper-V can fail back to running the VM on the source host.


15/43



15


How it works: Only after Hyper-V has confirmed that the VM is up and running on the destinationhost is the disk mirror broken down.


16/43



16


How it works: After the disk mirror is taken down, Hyper-V then deletes the VHD on the source host.


17/43



17


How it works: Finally, the Live Migration connection is dropped.


18/43



18

Live Migration without Infrastructure: PowerShell

To use Windows PowerShell to initiate a Live Migration without infrastructure, use the Move-VMcmdlet:

Move-VM "File Server 1" "HostB" -IncludeStorage DestinationStoragePath "J:\Virtual

Machines\File Server 1"

In this example:

Name of VM: File Server 1 Name of target Hyper-V host: HostB

Destination folder for VM files: J:\Virtual Machines\File Server 1


19/43



19

Live Migration with SMB

Live Migration with Server Message Block (SMB) enables you to move VMs in environments whereyou need to move the VMs but do not need to move the VHDs. Live Migration with SMB is, therefore,

similar to cluster-based Live Migration, but without the high availability.

Live Migration with SMB requires SMB 3.0.

Both the user account that initiates the migration and the source and target computer accounts need

security access to the share. Permissions must be configured at file level on the folder, and at sharelevel. This does require several steps to be correctly performed; otherwise, the migration will fail.


20/43



20

Live Migration with SMB: Share Permissions

To set up the share permissions, complete the following steps:1. In the properties of the share, click Advanced Sharing.

2. In the Advanced Sharing dialog box, click Permissions.3. In the Permissions dialog box, add the computer accounts for the administrator user (who

will be initiating the migration) and for the source and target computer accounts. All theseaccounts need the Full Control permission.

In the screenshots, the administrator account is benarm, and the computer accounts are BENARM-

EPSILON and BENARM-ZETA.


21/43



21

Live Migration with SMB: File Permissions

To set up the file permissions, complete the following steps:1. In the properties of the folder, click Edit.

2. In the Permissions dialog box, add the computer accounts for the administrator user (whowill be initiating the migration) and for the source and target computer accounts. All theseaccounts need the Full Control permission.

In the screenshots, the administrator account is benarm, and the computer accounts are BENARM-EPSILON and BENARM-ZETA.

Note that, by default, computer accounts are not listed when browsing for Active Directory

directory service objects. You must, therefore, click Object Types when browsing for objects:


22/43



22

You must then select Computers:


23/43



23

Live Migration with SMB: Permissions PowerShell

As an alternative to the UI, you can use the following command-line code to create a new folder, addfile permissions for user and computer accounts to this folder, create a new share, and then share

permissions for user and computer accounts to this share:

MD X:\VMS

ICACLS.EXE X:\VMS --% /Grant Contoso\Admin1:(CI)(OI)F

ICACLS.EXE X:\VMS --% /Grant Contoso\HostA$:(CI)(OI)F

ICACLS.EXE X:\VMS --% /Grant Contoso\HostB$:(CI)(OI)F

ICACLS.EXE X:\VMS /Inheritance:R

New-SmbShare -Name VMS -Path X:\VMS FullAccess Contoso\Admin1, Contoso\HostA$,

Contoso\HostB$

In this code example:

Domain: Contoso

Name of administrator user account: Admin1

Name of source Hyper-V host: HostA Name of target Hyper-V host: HostB

Folder for VM files: X:\VMS

Share for VM files: VMS


24/43



24

Live Migration with SMB Architecture

There are six key steps in Live Migration based on an SMB share (the first four are shown in thefigure). The following sections describe these steps.

Setup

During the Live Migration setup stage, the source host creates a TCP connection with the destinationhost. This connection transfers the VMs configuration data to the destination host. A skeleton VM isset up on the destination host, and memory is allocated to the destination VM, as the figure shows.

Memo ry Page Trans ferIn the second stage of a Live Migration, shown in the figure, the memory assigned to the migratingVM is copied over the network to the destination host. This memory is referred to as the working set

of the migrating VM. A page of memory is 4 kilobytes (KB).

For example, suppose that a VM named Test VM,configured with 1,024 megabytes (MB) of RAM, ismigrating to another HyperV host. The entire 1,024 MB of RAM that is assigned to this VM is in the


25/43



25

working set of Test VM. The active pages within the Test VM working set are copied to the

destination HyperV host.

In addition to copying the working set of Test VM to the destination host, HyperV monitors the

pages in the working set for Test VMon the source host. As Test VM modifies the memory pages,

it tracks and marks the pages as they are modified. The list of modified pages is simply the list of

memory pages that Test VM modified after the copy of its working set began.

During this phase of the migration, the migrating VM continues to run. HyperV iterates the memory

copy process several times, and each iteration requires a smaller number of modified pages to becopied. After the working set is copied to the destination host, the next stage of the Live Migration

begins.

Memory Page Copy Process

This stage is a memory copy process that duplicates the remaining modified memory pages for Test

VM to the destination host. The source host transfers the CPU and device state of the VM to thedestination host.

During this stage, the available network bandwidth between the source and destination hosts is

critical to the speed of the Live Migration. Use of a onegigabit Ethernet (GbE) or faster connection is

important. The faster the source host transfers the modified pages from the migrating VMs workingset, the more quickly Live Migration is completed.

The number of pages transferred in this stage is determined by how actively the VM accesses andmodifies the memory pages. The more modified pages, the longer it takes to transfer all pages to thedestination host.

After the modified memory pages are copied to the destination host, the destination host has an up-to-date working set for Test VM. The working set for Test VM is present on the destination host in

the exact state it was in when Test VM began the migration. The memory page copy process isillustrated in the figure.

Note: You can cancel the Live Migration process at any time before this stage of the migration.

Movin g the Storage Handle from Sour ce to Dest ination

During this stage of a Live Migration, control of the storage associated with the Test VM, such asVHD files or physical storage attached through a Virtual Fibre Channel adapter, is transferred to the

destination host.

Brin ging the VM Onl ine on th e Dest inat ion ServerIn this stage of a Live Migration, the destination server has the up-to-date working set for Test VM

and access to any storage that Test VM uses. At this time, Test VM resumes operation.

Network Cleanup

In the final stage of a Live Migration, the migrated VM runs on the destination server. At this time, a

message is sent to the network switch, which causes it to obtain the new media access control (MAC)


26/43



26

addresses of the migrated VM so that network traffic to and from Test VM can use the correct

switch port.

The Live Migration process completes in less time than the TCP time-out interval for the VM that is

being migrated. TCP time-out intervals vary based on network topology and other factors.


27/43



27

Live Migration with SMB: PowerShell

After the file and share permissions have been set up, you can use Windows PowerShell to initiate aLive Migration with SMB, by using the Move-VM cmdlet:

Move-VM "File Server 2" "HostB"

In this example: Name of VM: File Server 2

Name of target Hyper-V host: HostB

Note that no other parameters are required, because the shared storage location for the VM files is

specified in the VM configuration.


28/43



28

Live Migration Between Clusters

As Windows Server 2012 now supports up to 64 nodes in a cluster, a lot more virtualizationdeployments are likely to use clustering. To make cluster-based deployments easier to configure and

manage, Windows Server 2012 now supports VM migrations both within clusters (as supported inWindows Server 2008 R2) and between clusters. You can also easily migrate VMs from a cluster to astand-alone host and from a stand-alone host into a cluster.

This enables administrators to respond to new requirements, make best use of existing and newhardware, and easily reconfigure high-availability solutions.

To move a VM between two clusters:

1. Remove the VM from the source cluster.2. Use Hyper-V Manager to Live Migrate the VM to a node in the destination cluster.

3. Join the VM to the destination cluster.

Note that the VM does not need to be turned off during the migration. However, it is not protectedfrom hardware failure during the course of the migration.


29/43



29

Live Migration Security

The first level of Live Migration security is that when you install Hyper-V, by default it is not enabledfor Live Migration; you must manually enable Live Migration by using the Hyper-V Windows

PowerShell cmdlets or by using Hyper-V Manager:


30/43



30

The next security consideration is to specify the networks that will be used for Live Migration.

There is the option to use any available network for Live Migration; however, this is not a good idea,

both from a performance and a security perspective. By specifying a separate network for Live

Migration, you can ensure that Live Migration traffic does not impact on regular productionnetworking, and you can also ensure that Live Migration occurs over a secure network.

In Hyper-V, there is no native encryption of the Live Migration traffic, and in some environments itmay be enough simply to ensure that the Live Migration network is physically secure and is a privatenetwork that other users cannot connect to.

However, there are also other optionssuch as using Internet Protocol Security (IPsec) or otherencryption methodsthat you can use to protect the migration packets on the wire. Performance

data collected within Microsoft has shown that using IPsec for Live Migration has no impact on

migration scale or performance.


31/43



31

Understanding Credential Security: 1

When you use a computer or laptop to connect to a server, your user credentials are sent to theserver, so that the server can check whether you have the required permissions for any actions you

attempt to perform on that server.


32/43



32


By design, Windows does not allow the server to then take your credentials and use them toconnect to anotherserver.


33/43



33


This prevention of credentials being used across a second hop is intentional and is designed toprevent an attacker from making use of these credentials. Even if the first server is compromised,

the attacker cannot take your credentials and use them on other computers.

However, this default configuration can affect the management of Hyper-V Live Migrations.


34/43



34

Credential Security and Hyper-V: 1

If you log on to the first Hyper-V server, you can initiate a Live Migration to the second server,without needing to make any changes to Windows security.


35/43



35


However, if you want to sit at your desktop or laptop, connect to your Hyper-V server, and then starta Live Migration, Windows will block that.


36/43



36


Similarly, if you log on to the first Hyper-V server, Live Migrate a VM to the second server, and thenusing the same console session, try to migrate the VM back, it will fail.

This security failure occurs because even though there are only two servers involved, as far as

Windows security is concerned, there is now asecond hop.Your credentials are trying to be passed

to a second server, and it does not matter that the second serveris actually the first server thatinitiated the communication; Windows still sees this as credentials being passedsomewhere else.


37/43



37


There are two options for getting around the challenge of credential security and Hyper-V.

The first option is to configure Windows security so that Hyper-V is trusted to re-use credentials. Thisis done by enabling constrained delegation in Active Directory.


38/43



38

When using constrained delegation, you must specify Use Kerberos when configuring Hyper-V for

Live Migration:

The second option is to be logged on to the server where you are initiating the migration, by usingeither Windows PowerShell Remoting or Remote Desktop.


39/43



39

Enabling Constrained Delegation

To enable constrained delegation, you must edit the properties of both the source and target Hyper-V servers, and on the Delegation tab, click Trust this computer for delegation to specified

services only, and then click either Use any authentication protocol or Use Kerberos only.


40/43



40

After adding the server, you then select the Microsoft Virtual System Migration Service andCIFS services:


41/43



41

Note that the Common Internet File System (CIFS) delegation is only required when the VMs you

want to migrate are hosted on SMB shares.


42/43



42

PowerShell Remoting with CredSSP

In Windows Server 2012, Windows PowerShell Remoting is enabled by default; however, WindowsPowerShell Remoting with CredSSP does require additional configuration before it can be used.

You first enable the Credential Security Support Provider (CredSSP) on the server and then enable it

on the client computer. Note that in addition to the fully qualified domain name (FQDN) of a specific

server, you can use a wildcard, such as *.dev.contoso.com, to configure your client to be able to useWindows PowerShell Remoting against any server in the dev.contoso.com sub-domain (as long as

the server is enabled for CredSSP).

After CredSSP has been enabled, there are two ways to run Windows PowerShell Remoting

commands: You can establish a session and then run any command on the remote computer within the

Windows PowerShell console window.

You can run commands one at a time using the invoke command (ICM) option.


43/43


Remote Desktop

Remote Desktop can be used as an alternative to using Windows PowerShell Remoting.

Next step watch the Live Migration, Live Migration SMB and Live Migration between clustersvideos.

Module 1 - Live Migration Student Manual

Documents

Transcript of Module 1 - Live Migration Student Manual