WS-011 Windows

Server 2019
Administration

© Copyright Microsoft Corporation. All rights reserved.

Module 5: Hyper-V virtualization and
containers in Windows Server
Module overview

In this module, you learn the key features of the Hyper-V server role in Windows Server. You learn how
to configure Hyper-V networking, storage, and how to manage the state of a virtual machine. You also
learn how to secure the Hyper-V host and associated virtual machines using security features
within a guarded fabric provided by Windows Server.
The final lessons of this module introduce you to the concept of using and managing containers

 Lessons:
o Lesson 1: Hyper-V in Windows Server
o Lesson 2: Configuring VMs
o Lesson 3: Securing virtualization in Windows Server
o Lesson 4: Containers in Windows Server
o Lesson 5: Overview of Kubernetes
Lesson 1: Hyper-V in Windows Server
Lesson 1 overview

In this lesson, you learn how to use Hyper-V to implement virtualization. You also learn best practices for
configuring Windows server hosts, and considerations related to deployment scenarios such as
nested virtualization.

Finally, you will learn considerations, requirements, and processes for migrating on-premises
Hyper-V virtual machines to Microsoft Azure

 Topics:
o Overview of Hyper-V
o Overview of Hyper-V Manager
o Best practices for configuring Hyper-V hosts
o Overview of nested virtualization
o Migration to Azure VMs
Overview of Hyper-V (1 of 2)

 Hyper-V is a hardware virtualization server role available for Windows Server

 Provides a software layer known as the Hypervisor, used to control access to physical hardware
 Supports many types of guest operating systems including:
o All supported Windows versions
o Linux
o FreeBSD
 General Hyper-V features can be grouped as follows:
o Management and connectivity

o Portability
o Disaster recovery and backup

o Security

o Optimization
Overview of Hyper-V (2 of 2)

 System requirements for installing the Hyper-V server role include:

o A 64-bit processor with second-level address translation (SLAT)
o A processor with VM Monitor Mode extensions

o Sufficient memory

o Intel Virtualization Technology (Intel VT) or Advanced Micro Dynamics (AMD) Virtualization
(AMD-V) enabled
o Hardware-enforced Data Execution Prevention (DEP) enabled (Intel Execute Disable (XD) bit,
AMD No Execute (NX) bit)
 Methods to install the Hyper-V server role include:
o Server Manager
o Install-WindowsFeature PowerShell cmdlet
Overview of Hyper-V Manager
 A graphical user interface used
to manage both local and
remote Hyper-V host machines
 Supports:
o Previous versions
o Web Services (WS)-
Management protocol
o Alternate credential
support
 Other management tools
include:
o Windows PowerShell

o PowerShell Direct
o Windows Admin Center
Best practices for configuring Hyper-V hosts

 Consider the following when provisioning Windows Server as a Hyper-V host:

o Provision the host with adequate hardware
o Deploy virtual machines on separate disks, solid state drives, or Cluster Shared Volumes (CSVs) if
using shared storage
o Do not collocate other server roles
o Manage Hyper-V remotely
o Run Hyper-V by using a Server Core configuration
o Run the Best Practices Analyzer and resource metering
o Use Generation 2 virtual machines if the guest operating system supports them
Overview of nested virtualization

 Provides the ability to install the Hyper-V role within a guest virtual machine
 Requirements:
o Both the Hyper-V host and the guest virtual machine must be Windows Server 2016 or later
o Sufficient amount of static RAM
o Virtual machines must have a configuration version of 8.0 or greater
o Physical host computer mush have an Intel processor with VT-x and Extended Page Tables (EPT)
technology
o MAC address spoofing enabled

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

Migration to Azure VMs

 Azure Migrate can be used to migrate on-premises workloads, apps, and virtual machines
 Azure Migrate provides the following benefits:
o A single migration platform
o Assessment and migration tools
• Azure Migrate: Server Assessment
• Azure Migrate: Server Migration
o Ability to assess and migrate multiple object types:
• Servers
• Databases
• Web applications
• Virtual desktops
• Data
Lesson 2: Configuring VMs
Lesson 2 overview

In this lesson, you learn the concepts related to virtual machine configurations and generation versions. You
also learn VM settings, storage options, and virtual disk types. Finally, you learn about the types of virtual
networks and how to create and manage a virtual machine.
 Topics:
o VM configuration and generation versions
o VM settings
o Storage options in Hyper-V
o Virtual hard disk formats and types
o Shared VHDX and VHD Set files
o Overview of Hyper-V networking
o Networking features for Hyper-V
o Manage VM states and checkpoints
o Import and export VMs
o Demonstration: Create and manage a VM
VM configuration and generation versions

 VM configuration version identifies:

o Compatibility of the VM components with the version of Hyper-V
installed on the host machine
o Windows Server 2019 host machines support configuration version 9.0
o To update a configuration version, use the following command:
• Update-VMVersion <vmname>
 Generation 1 VMs:
o Support 32 and 64-bit operating systems
o Only support boot volumes a maximum of 2 TB
o Supports legacy BIOS
 Generation 2 VMs:
o Support only 64-bit operating systems
o Support secure boot and shielded VMs
o Support boot volumes a maximum of 64 TB
o Supports Unified Extensible Firmware Interface (UEFI)
VM settings Generation 1 settings

 VM settings are grouped into

two main areas:
o Hardware
Generation 2 settings
o Management
 Available hardware components
depend on the generation
version of the VM
Storage options in Hyper-V

 Consider the following factors when planning storage for virtual hard disks:
o High-performance connection to storage
o Redundant storage
o High-performance storage
o Adequate growth space
 Supported storage types include:
o Fibre channel connections
o Server Message Block (SMB) 3.0 file shares
Virtual hard disk formats and types (1 of 2)

 Virtual hard disk formats include:

o VHD
• Up to 2040 GB in size
• Typically used to support older Hyper-V versions
o VHDX:
• Up to 64 TB in size
• Recovery from corruption issues
• Supports larger block size resulting in increased performance
 Use the Edit Virtual Hard Disk Wizard to convert between hard disk formats
 Various tools can be used to create and mange virtual hard disks:
o Hyper-V Manager
o Disk Management/Diskpart
o PowerShell (New-VHD)
o Windows Admin Center
Virtual hard disk formats and types (2 of 2)

Type of disc Description

Fixed Allocates all of the hard disk space immediately

Dynamic The disk only uses the amount of space that needs to be allocated, and
it grows as necessary

Associated with another virtual hard disk in a parent-child configuration.

Differencing Any changes made to the differencing disk does not affect the parent
disk.

Allows the virtual machine to connect directly to an Internet Small

Pass through Computer Systems Interface (iSCSI) (logical unit number) LUN or a
physical disk attached on the host machine
Shared VHDX and VHD Set Files

Virtual machine cluster node 1 Virtual machine cluster node 2

Shared VHDX or VHD Set (VHDS)

Overview of Hyper-V networking

 Hyper-V supports the following virtual network adapter types:

o Legacy network adapter
o Synthetic network adapter

 Hyper-V supports three types of virtual switches:

Virtual switch type Description

Used to map a network to a specific network adapter or network

External
adapter team. Provides external access outside of the host machine.

Internal Used to communicate between the virtual machines on a host server

and to communicate between the virtual machines and the host itself

Private Used to only communicate between virtual machines on a Hyper-V host

Networking features for Hyper-V (1 of 2)

NIC
VMQ teaming

Port mirroring
IPsec task
offloading

Hyper-V
Router
networking
guard
SR-IOV

DHCP guard
Network
virtualization Bandwidth
management
Networking features for Hyper-V (2 of 2)

Hyper-V
networking
Manage VM states and checkpoints

 A VM can be in one of the following  Checkpoints:

states: o Allows you to take a snapshot of a
o Off virtual machine at a specific point
o Starting in time
o Running o Two types of checkpoints
o Paused • Production checkpoints
o Saved • Standard checkpoints
o Maximum of 50 checkpoints per
virtual machine allowed
Import and export VMs

 When importing a VM you have three options:

o Register the virtual machine in-place (use the existing unique ID)
o Restore the virtual machine (use the existing unique ID)

o Copy the virtual machine (create a new unique ID)

 Export options:
o Export a specific checkpoint
o Export a virtual machine with all checkpoints
Lesson 3: Securing virtualization in
Windows Server
Lesson 3 Overview

Hyper-V supports the concept of a guarded fabric to provide a more secure environment for virtual
machines
In this lesson, you are introduced to the concept of implementing a guarded fabric, including the Host
Guardian Service, guarded host servers, and shielded virtual machines

 Topics:
o Guarded fabric
o Attestation modes for guarded fabric
o Host Guardian Service
o Types of protected VMs in a guarded fabric
o General process for creating shielded VMs
o Process for powering-on shielded VMs
Guarded fabric (1 of 2)

 A security solution used to protect virtual machines against:

o Inspection
o Theft

o Tampering from either malware or malicious intent

 Security benefits of a guarded fabric include:

o Secure and authorized Hyper-V hosts
o Verification that a host is in a heathy state
o Providing a secure method to release keys to healthy hosts
Guarded fabric (2 of 2)
 Guarded fabric is made up of the following components:
o Guarded Hyper-V hosts
o Host Guardian Service
o Shielded or encryption-supports virtual machines

 Tools used to automate and manage a guarded fabric:

o System Center Virtual Machine Manager (VMM)
o Windows Azure Pack
o PowerShell
Attestation modes for guarded fabric

 Guarded fabric attestation is the process of evaluating and validating the Hyper-V host

Attestation mode Description

• Hardware-based attestation method offering the strongest

protection but does require a more complex configuration and
higher host hardware requirements
Trusted Platform
• Requirements include TPM 2.0 and UEFI 2.3.1 with Secure Boot
Module (TPM)-
enabled
trusted attestation
• A guarded Hyper-V host is approved and validated based upon
its TPM identity, Measured Boot sequence, and code integrity
policies

• Based upon asymmetric key pairs

Host key • Used when existing Hyper-V host machines do not support TPM 2.0
attestation • A guarded Hyper-V host is approved and validated based upon
possession of the key
Host Guardian Service

 Host Guardian Service includes:

o Attestation service
o Key Protection Service (KPS)

 Helps to ensure:
o Protected VMs contain BitLocker encrypted
disks
o Shielded VMs are deployed from trusted
template disks and images
o Passwords and other secrets are protected
when a shielded VM is created
o Control of where the shielded VM can be
started
Types of protected VMs in a guarded fabric
Capability Encryption-supported Shielded
 A guarded fabric is
capable of running: Secure boot Yes, required but Yes, required and enforced
configurable
o Shielded VMs

o Encryption- Virtual TPM Yes, required but Yes, required and enforced
configurable
supported VMs
o Normal VMs
Encrypt VM state and Yes, required but Yes, required and enforced
live migration traffic configurable

Certain components blocked

Integration components Configurable by fabric such as PowerShell Direct
admin (enabled in Windows Server
v1803), and data exchange

Virtual machine Enabled for hosts starting at

connection, HID devices On, cannot be disabled Windows Server v1803;
(keyboard, mouse) Disabled on earlier hosts

COM/Serial ports Supported Disabled (cannot be enabled)

Attach a debugger to Supported Disabled (cannot be enabled)

the VM process
General process for creating shielded VMs

1. Create a shielded 2. Create a shielded 3. Deploy a

VM template disk data file shielded VM
• VHDX disk type • Also called a Deploy using:
provisioning data file
• Globally Unique Identifiers (PKD) • System Center Virtual
(GUID) partition table Machine Manager
• Shielding Data File (SCVMM)
• 2 partitions Wizard
• Windows Azure Pack
• NTFS file system
• PowerShell
• Support OS
• OS must be generalized
• BitLocker encrypted
• Shielded Template Disk
Creation Wizard
Process for powering-on shielded VMs
Lesson 4: Containers in
Windows Server
Lesson 4 overview

By using container technology, you can package, provision, and run applications across diverse
environments located on-premises or in the cloud
In this lesson, you are introduced to the concept of preparing and using Windows containers

 Topics:
o What are containers?
o Containers vs. virtual machines
o Overview of container isolation modes
o Manage containers using Docker
o Download container base images
o Run a Windows container
o Manage containers using Windows Admin Center
o Demonstration: Deploy containers by using Docker
What are containers?

 Benefits of using containers:

o Ability to run anywhere; local
workstation, servers, or provisioned in
the cloud
o Isolation
o Increased efficiency
o A consistent development
environment
Containers vs. virtual machines (1 of 2)
Containers vs. virtual machines (2 of 2)
Overview of container isolation modes

 Process Isolation:
o “Traditional” isolation mode
o Containers share the same kernel with each other and the host
o Each container has its own user mode
o Does not provide security-enhanced isolation
o Uses the following switch when starting a container using Docker:
–isolation=process

 Hyper-V Isolation:
o Each container runs inside of a highly optimized virtual machine
o Each container gains its own kernel and an enhanced level of stability and security
o Also provides hardware-level isolation between each container and the host
o Uses the following switch when starting a container using Docker:
–isolation=hyperv
Manage containers using Docker (1 of 2)

 Docker container:
o Application wrapped in a complete file system including:
• Code
• Runtime
• System tools
• Supporting files for the app
o Based upon open standards to run on all major operating systems
o Supports any runtime environment or infrastructure; on-premises or in the cloud
 Docker core platform includes:
o Docker Engine
• Runs on Linux, MacOS, or Windows-based operating systems
o Docker Client
• Command line interface to integrate with the engine
• Runs command to build and manage Docker containers
Manage containers using Docker (2 of 2)

 To install Docker on Windows Server:

1. Install the Docker-Microsoft PackageManagement Provider:
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
2. Install the latest version of Docker:
Install-Package -Name docker -ProviderName DockerMsftProvider
3. May require a restart if the Containers Windows Server feature is also installed
 To support Docker on Windows 10:
o Install the Docker Desktop

• Provides a toolset used to build and distribute containerized apps

 Docker Hub
• A web-based library server used to register, store, and manage Docker images
• A community resource with access to over 100,000 shared container images
Download container base images

 Container base image:

o Provides a foundational layer of operating system services for a container
o Includes user mode operating system files to support apps
o Includes runtime files and dependencies required by the app
o Use the Docker pull command to download images
docker pull mcr.microsoft.com/windows/nanoserver:1903
 Four primary container images are available:
o Window Server Core
• Subset of Windows Server APIs and support for traditional .NET framework apps
o Nano Server
• Support for the .NET Core APIs
o Windows
• Includes the full Windows API set
o Windows IoT Core
• Built to support IoT apps that run on ARM or x86/x64 processors
Run a Windows container

 Methods used to create, manage, and run containers include:

o Automation using a Dockerfile text file and the docker build process
o Manually using Docker commands. Examples illustrated as shown:

Command Description

Docker images • Lists the installed images on your container host

Docker run • Creates a container by using a container image

Docker commit • Commits the changes you made to a container to a new

container image

Docker stop • Stops a running container

Docker rm • Removes an existing container

Manage containers using Windows Admin Center

 Windows Admin Center:

o Browser-based GUI used
to manage Windows
servers, clusters, and
hyper-converged
infrastructure
o Requires the Containers
extension:
• Summary
• Containers
• Images
• Networks
• Volumes
Lesson 5: Overview of
Kubernetes
Lesson 5 overview

Kubernetes is open-source orchestration software used to efficiently deploy, manage, and scale containers
in a hosted environment
In this lesson, you are introduced to the concept of Kubernetes and its benefits for managing container
technology

 Topics:
o What is Windows container orchestration?
o Overview of Kubernetes on Windows
o Deploy Kubernetes resources
What is Windows container orchestration?

 Container orchestration involves the  Types of orchestration tools:

following tasks: o Kubernetes
o Scheduling
o Docker Swarm
o Affinity/Anti-affinity
o Apache Mesos
o Health monitoring
o Failover

o Scaling

o Networking

o Service discovery

o Coordinated application upgrades

Overview of Kubernetes on Windows (1 of 2)

 Based upon cluster technology where a centralized Master/Control plane is responsible for scheduling
and managing components located on multiple nodes within the cluster
Overview of Kubernetes on Windows (2 of 2)

 Kubernetes Pods:
o A workload consisting of one or more
containers disbursed throughout multiple
worker nodes within the cluster
 Includes information about the shared storage,
network configuration, and specification on how to
run its packaged containers
 Defined as Pod Templates
Deploy Kubernetes resources

1. Create a 2. Configure network 3. Join worker 4. Manage Kubernetes

Kubernetes master solution nodes resources
• Linux operating system • Used to create routable • Windows Server • Kubectl used to deploy
cluster subnets and manage Kubernetes
• Kubeadm used to initialize • Linux pods
the master and manage • Linux CNI plugin
cluster nodes
• Flannel, ToR, OvS, OVN

Cloud services such Azure Kubernetes Service (AKS) reduce many of the challenges of manually
configuring Kubernetes clusters by providing a hosted Kubernetes environment
Thank you.

© Copyright Microsoft Corporation. All rights reserved.