RE: Virtualization Questions
David Lum david@nwea.org wrote on 01/05/2009 09:14:08 AM:

> Until you see the price tag for a SAN HDD that needs replaced. At least for the SAN we have here as the price per GB is lousy compared to standard SAS drives.

Ouch - yeah, there is new technology out there - EMC, IBM, Hitachi - for quite a few workloads. Check out the performance numbers for iSCSI SAN's like Equallogic running SATA - there are articles with benchmarks out there - SATA gets a lot of badmouthing, but if you pay attention it's usually from vendors trying to sell higher priced SAS :) I mean for some loads there are legitimate needs for the big iron or SAS or FC drives, but I have a sneaking suspicion they are in the minority.

Eric Eskam
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The contents of this message are mine personally and do not reflect any position of the U.S. Government

The human mind treats a new idea the same way the body treats a strange protein; it rejects it. - P. B. Medawar

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Virtualization Questions
RM r...@richardmay.net wrote on 01/05/2009 10:58:42 AM:

> Seconded. Mgmt is hellbent on EMC. The storage (for tier 1) is over $10k/TB when you include the shelf and whatever else is needed. On the other hand, there are nice little 2U and 3U SAN's from companies like IBM which use SAS disk that mere mortals can afford. Less than $2k/TB for SAS and way less for SATA.

Like I told David, don't discount SATA. Equallogic used to be pretty liberal on their loaners - not sure if they still are from Dell, but it can't hurt to ask if you can get a loaner for a week to do some testing on. I think you will be pleasantly surprised. And as you add more shelves, it gets faster (more spindles, more cache, another controller, 3 more gig-e ports for I/O, etc.)...

Eric Eskam
RE: Virtualization Questions
On Wed, 7 Jan 2009 16:34:33 -0500, Eric E Eskam ees...@usgs.gov said:

> Like I told David, don't discount SATA. Equallogic used to be pretty liberal on their loaners - not sure if they still are from Dell, but it can't hurt to ask if you can get a loaner for a week to do some testing on. I think you will be pleasantly surprised. And as you add more shelves, it gets faster (more spindles, more cache, another controller, 3 more gig-e ports for I/O, etc.)...

There's also a new class of drives that EMC calls LC-FC for low cost fiber channel. They are larger in size and 7200rpm. It appears that these drives are positioned by EMC to replace SATA for near-line and archival applications.

RM
RE: Virtualization Questions
Seconded. Mgmt is hellbent on EMC. The storage (for tier 1) is over $10k/TB when you include the shelf and whatever else is needed. On the other hand, there are nice little 2U and 3U SAN's from companies like IBM which use SAS disk that mere mortals can afford. Less than $2k/TB for SAS and way less for SATA.

RM

On Mon, 5 Jan 2009 06:14:08 -0800, David Lum david@nwea.org said:

> > Once you have a SAN you will never go back to direct attached disk.
>
> Until you see the price tag for a SAN HDD that needs replaced. At least for the SAN we have here as the price per GB is lousy compared to standard SAS drives. Don't get me wrong, we use a decent size SAN here (a few TB's IIRC), but if we had to replace a HDD off warranty...ouch.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Virtualization Questions
Don't think SAN vendors haven't taken notice of that. That's why when evaluating, you need to look at the applications. Let's face it, ANYONE can sell you a bunch of cheap disk. The back pages of PCMagazine are full of players. But, look at what else they can offer you. Things like native snapshots, replication, dynamic resizing, deduplication, application hooks into things like SQL, VMWare, Exchange, etc. If those things are not important to you in a SAN, then by all means, look elsewhere.

From: RM [mailto:r...@richardmay.net]
Sent: Monday, January 05, 2009 7:59 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions

Seconded. Mgmt is hellbent on EMC. The storage (for tier 1) is over $10k/TB when you include the shelf and whatever else is needed. On the other hand, there are nice little 2U and 3U SAN's from companies like IBM which use SAS disk that mere mortals can afford. Less than $2k/TB for SAS and way less for SATA.

RM
RE: Virtualization Questions
> Once you have a SAN you will never go back to direct attached disk.

Until you see the price tag for a SAN HDD that needs replaced. At least for the SAN we have here as the price per GB is lousy compared to standard SAS drives. Don't get me wrong, we use a decent size SAN here (a few TB's IIRC), but if we had to replace a HDD off warranty...ouch.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: Eric E Eskam [mailto:ees...@usgs.gov]
Sent: Friday, January 02, 2009 4:32 PM
To: NT System Admin Issues
Subject: Re: Virtualization Questions

Roger Wright rwri...@evatone.com wrote on 12/29/2008 09:30:01 AM:

> Taking a look at the potential implementation of virtualization and have several questions:
>
> 1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?

SAN! Once you have a SAN you will never go back to direct attached disk. SANs don't have to be expensive or hard to use, either. We have an Equallogic PS series iSCSI SAN and it works great and is a breeze to set up and configure. No degree required :)

> 2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?

Depends on the vendor.

> 3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.

Depends on the application. There is very little that isn't a good candidate for virtualization.

> 4. Is clustering still possible with VMs?

Sure. Although with some solutions like VMware Site Recovery Manager, you may not need to do clustering any more. Depends on what you were trying to accomplish with clustering.

> 5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

Generally you want to balance out your load. That's where VMware gets the big bucks - they have management tools that simplify monitoring and performing load balancing of virtual hosts across your server farm. Microsoft is playing catch up with HyperV and Microsoft System Center Virtual Machine Manager but they have a ways to go.

Even if you don't virtualize, SAN's still rock!

Eric Eskam
RE: Virtualization Questions
I agree, if all you need is disk space and are going to use your other toolsets for replication, backups etc, then I would look at a jbod with an iscsi front end or nfs front end. You can get a fast adaptec sas pci-x controller and get a generic sas/sata hotswap 10 bay cage for under 1k unpopulated. The drives can be bought at street prices and grow and resize as you need.

However, like Martin is saying the san vendors have put some logic behind their products to maintain pricing. I still think datacore has one of the better products out there for straight san+replication. I guess because it runs within a windows shell I guess it's not seen as enterprise worthy. IBM uses/used it on their shark product line (iirc) and loved it and I think bundled it in.

From: Martin Blackstone [mailto:mblackst...@gmail.com]
Sent: Monday, January 05, 2009 11:08
To: NT System Admin Issues
Subject: RE: Virtualization Questions

Don't think SAN vendors haven't taken notice of that. That's why when evaluating, you need to look at the applications. Let's face it, ANYONE can sell you a bunch of cheap disk. The back pages of PCMagazine are full of players. But, look at what else they can offer you. Things like native snapshots, replication, dynamic resizing, deduplication, application hooks into things like SQL, VMWare, Exchange, etc. If those things are not important to you in a SAN, then by all means, look elsewhere.
RE: Virtualization Questions
You're right, but we're not doing any of that (as of today). The smaller players are also moving up the value chain lately. It'll be interesting to see what differentiates EMC 2-3 years from now.

RM

On Mon, 5 Jan 2009 08:08:29 -0800, Martin Blackstone mblackst...@gmail.com said:

> Don't think SAN vendors haven't taken notice of that. That's why when evaluating, you need to look at the applications. Let's face it, ANYONE can sell you a bunch of cheap disk. The back pages of PCMagazine are full of players. But, look at what else they can offer you. Things like native snapshots, replication, dynamic resizing, deduplication, application hooks into things like SQL, VMWare, Exchange, etc. If those things are not important to you in a SAN, then by all means, look elsewhere.
RE: Virtualization Questions
Dell as their primary reseller :)

From: RM [mailto:r...@richardmay.net]
Sent: Monday, January 05, 2009 19:25
To: NT System Admin Issues
Subject: RE: Virtualization Questions

You're right, but we're not doing any of that (as of today). The smaller players are also moving up the value chain lately. It'll be interesting to see what differentiates EMC 2-3 years from now.

RM
RE: Virtualization Questions - More Q's
There were several sessions on security at VMWorld this past year and the people leading those sessions would definitely say there are security issues that come about from using virtualization. In some ways the security picture gets better, in some ways worse. There are some new security appliances coming out that can run as a VM and watch over the other VMs. VMWare has created some special hooks into the hypervisor to allow this. Keep an eye on the issue.

At the very least there are additional privileges that must be tracked - it is never a good idea to have only one person who has the keys to the kingdom

-Brian

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 5:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process.

Cheers
Ken
RE: Virtualization Questions - More Q's
One thing about a VM vs a physical server - a LOT easier to walk out the building with one, since you can fit them on a USB device...(assuming said person has the security, but disgruntled employees do all sorts of crappy stuff...).

Look, I have a DC and SQL server in my pocket...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Webb, Brian (Corp) [mailto:brian.w...@teldta.com]
Sent: Friday, January 02, 2009 2:25 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

There were several sessions on security at VMWorld this past year and the people leading those sessions would definitely say there are security issues that come about from using virtualization. In some ways the security picture gets better, in some ways worse. There are some new security appliances coming out that can run as a VM and watch over the other VMs. VMWare has created some special hooks into the hypervisor to allow this. Keep an eye on the issue.

At the very least there are additional privileges that must be tracked - it is never a good idea to have only one person who has the keys to the kingdom

-Brian
RE: Virtualization Questions - More Q's
Oh, I just thought you were happy to see me

...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Friday, January 02, 2009 2:56 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

One thing about a VM vs a physical server - a LOT easier to walk out the building with one, since you can fit them on a USB device...(assuming said person has the security, but disgruntled employees do all sorts of crappy stuff...).

Look, I have a DC and SQL server in my pocket...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Virtualization Questions - More Q's
Webb, Brian (Corp) brian.w...@teldta.com wrote on 01/02/2009 05:25:25 PM:

> There were several sessions on security at VMWorld this past year and the people leading those sessions would definitely say there are security issues that come about from using virtualization. In some ways the security picture gets better, in some ways worse.

Christofer Hoff is a great source on security and virtualization. His latest article:

http://rationalsecurity.typepad.com/blog/2008/12/virtualization-so-last-tuesday.html

If you read through his virtualization posts ( http://rationalsecurity.typepad.com/blog/virtualization/ ), you will get a pretty good idea of what the fuss is about.

I dunno, virtualization is neither good nor bad. It's just another tool, and it will take us a while to understand and secure it, just like anything else. There are definitely issues, and it pays to read up on the potential pitfalls.

Eric Eskam
Re: Virtualization Questions
Roger Wright rwri...@evatone.com wrote on 12/29/2008 09:30:01 AM:

> Taking a look at the potential implementation of virtualization and have several questions:
>
> 1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?

SAN! Once you have a SAN you will never go back to direct attached disk. SANs don't have to be expensive or hard to use, either. We have an Equallogic PS series iSCSI SAN and it works great and is a breeze to set up and configure. No degree required :)

> 2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?

Depends on the vendor.

> 3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.

Depends on the application. There is very little that isn't a good candidate for virtualization.

> 4. Is clustering still possible with VMs?

Sure. Although with some solutions like VMware Site Recovery Manager, you may not need to do clustering any more. Depends on what you were trying to accomplish with clustering.

> 5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

Generally you want to balance out your load. That's where VMware gets the big bucks - they have management tools that simplify monitoring and performing load balancing of virtual hosts across your server farm. Microsoft is playing catch up with HyperV and Microsoft System Center Virtual Machine Manager but they have a ways to go.

Even if you don't virtualize, SAN's still rock!

Eric Eskam
RE: Virtualization Questions
1. San is better, if cost is something you are dealing with look at DRBD, IET or I just setup NFS Server on Windows (SFU) and connected 3 fast sas drives and the box is screaming. That cost me an XP Pro license, on a 399.00 dell box. Running in NFS (not iscsi) suffers a little performance but adds a lot of functionality for backups/snapshots.

2. Yes, I usually hide the vmware tools tray icon and let them work on it first :)

3. If you have enough hardware the overhead is minimal (2-4% in esx). If your server is under heavy load and very large you probably already have it on a san, how much overhead does the vmdk create? Vmware also has their own new Vmware scsi bus which is supposed to be screaming fast.

4. Yes, Shared access to a storage location in esx, or if you have the nas/san in place then it's just 2 boxes running the o/s pointing to the san

5. Because you can create vswitch which is a lot faster and never hits the physical link of a network card, I will address teamed guests with that method, and then separate them if required due to overhead. If you have a client app and a SQL box, keeping them together is probably a good idea (if network latency is your primary concern). However, if you have that SQL in a cluster, you obviously don't want SQL2 on the same box ever. This is all setup in vmotion/DRS ruleset (sql1 and sql2 cannot be together, sql1 and www must be together etc etc)

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 09:30
To: NT System Admin Issues
Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?

2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?

3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.

4. Is clustering still possible with VMs?

5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
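The rule set described in answer 5 above (sql1 and sql2 never on the same host, sql1 and www always together), as an added example that is not part of the original thread and not VMware's own tooling: a Python checker that reports which rules a given VM-to-host placement breaks. It goes one step beyond the message by also detecting rule sets that no placement can satisfy; the host names `esx1`/`esx2`, the rule names and all function names are assumptions.

```python
"""Check a VM-to-host placement against keep-together / keep-apart rules."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str              # hypothetical label, not a VMware identifier
    vms: frozenset         # VM names the rule covers
    keep_together: bool    # True = must share a host, False = must not


def make_rule(name, vms, keep_together):
    return Rule(name, frozenset(vms), keep_together)


def placement_violations(placement, rules):
    """Return (rule name, detail) for every rule the placement breaks.

    placement maps VM name -> host name; VMs missing from it are ignored.
    """
    found = []
    for rule in rules:
        hosts = {vm: placement[vm] for vm in sorted(rule.vms) if vm in placement}
        if rule.keep_together:
            if len(set(hosts.values())) > 1:
                spread = ", ".join(f"{vm}@{host}" for vm, host in hosts.items())
                found.append((rule.name, f"split across hosts: {spread}"))
        else:
            for a, b in combinations(hosts, 2):
                if hosts[a] == hosts[b]:
                    found.append((rule.name, f"{a} and {b} share {hosts[a]}"))
    return found


def conflicting_rules(rules):
    """Find keep-apart rules that no placement can satisfy.

    Keep-together rules are transitive (sql1+www and www+sql2 force all three
    onto one host), so VMs are merged into groups with union-find first.
    """
    parent = {}

    def find(vm):
        parent.setdefault(vm, vm)
        while parent[vm] != vm:
            parent[vm] = parent[parent[vm]]   # path halving
            vm = parent[vm]
        return vm

    for rule in rules:
        if rule.keep_together:
            members = sorted(rule.vms)
            for vm in members[1:]:
                parent[find(vm)] = find(members[0])

    conflicts = []
    for rule in rules:
        if not rule.keep_together:
            for a, b in combinations(sorted(rule.vms), 2):
                if find(a) == find(b):
                    conflicts.append((rule.name, a, b))
    return conflicts


# The two rules from the message; the rule names are constructed.
RULES = [
    make_rule("sql-cluster-apart", ["sql1", "sql2"], keep_together=False),
    make_rule("app-with-db", ["sql1", "www"], keep_together=True),
]

# Constructed placements on two hypothetical hosts.
GOOD = {"sql1": "esx1", "www": "esx1", "sql2": "esx2"}
BAD = {"sql1": "esx1", "sql2": "esx1", "www": "esx2"}

if __name__ == "__main__":
    print(placement_violations(GOOD, RULES))
    print(placement_violations(BAD, RULES))
    # One more keep-together rule makes the set unsatisfiable.
    extra = make_rule("www-with-sql2", ["www", "sql2"], keep_together=True)
    print(conflicting_rules(RULES + [extra]))
```

Running the conflict check before adding a rule catches the case where a later keep-together rule silently forces both cluster nodes onto one host.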
RE: Virtualization Questions - More Q's
Seth, I think we are in violent agreement here. I'm just saying that virtualising your infrastructure means that there is one more team of people who have privileged access to your infrastructure, and they need to be built into the whole change control/management process. For a physical DC, you need to worry about your AD team, and whoever your hardware team is (i.e. the people who have physical access to the racks that your DCs are in, and who probably also have access via DRAC/ILO/etc). If you virtualise your DC, you need to worry about the virtualisation team as well, as they, like the people who have physical access, now have privileged access to the infrastructure that hosts the DC and if the integrity of everything underneath the OS can't be guaranteed (physical environment, virtualisation software), then neither can the OS. Cheers Ken -Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Sent: Wednesday, 31 December 2008 7:28 AM To: NT System Admin Issues Subject: Re: Virtualization Questions - More Q's On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer k...@adopenstatic.com wrote: -Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Subject: Re: Virtualization Questions - More Q's I don't see a lot of difference here between virtual environment vs physical. Physical access can mean control - but you can control physical access. Not to mention detecting network changes and preventing/detecting BIOS changes (via passwords and ILO/DRAC etc) In a virtual environment, your virtualisation people control the BIOS, the boot sequence, the virtual networks that are exposed, and even the hard disks of the VMs themselves. And they can do that remotely. In a physical world, your virtualisation people wouldn't have access to the cabinets that store your physical domain controllers or other physical servers. Just the servers that host the VM hosts. 
Additionally, there are occasionally vulnerabilities in virtualisation software (a couple for VMWare and a more for other products). These can be used to gain access to VMs by holding privileges on the host. Cheers Ken VMware allows you to password protect the BIOS, just like a physical machine. As for network changes, a VMWare administrator can change only the virtual switches and virtual NICs, they can't affect the physical switches connecting the rest of the network. Basically you have to treat the virtual environment the same as a physical environment and treat the access program (such as VirtualCenter) just like physical access. Yes you can access it remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the same remote access for physical servers. Except, with virtual, you can delegate certain tasks a lot better than just giving a bunch of folks the key to the door of your server room or maintaining a ton of remote access products. You do have a good point with the software vulnerabilities. However, I'd have to argue that you have those with just about any other solution. I'm sure a clever hacker can figure out a remote PDU or DRAC card. Following best practices, such as putting your service consoles on non-production management networks, setting up isolation, patching, etc can help with these problems. Seth
RE: Virtualization Questions - More Q's
Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: Virtualization Questions - More Q's
Good point, Ken. Thanks for chiming in... Shook From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. 
OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: Virtualization Questions - More Q's
That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 _ From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. 
Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks! - This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
RE: Virtualization Questions - More Q's
I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.commailto:christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. 
For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks! This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. 
If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
Re: Virtualization Questions - More Q's
On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer k...@adopenstatic.com wrote: Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken I don't see a lot of difference here between virtual environment vs physical. A) The guest virtual machines have the same security as their physical counterparts. (ie you still need a login/password to get into the operating systems). Same in a physical environment. It's the same as walking up to a KVM or logging into an IP KVM. B) If you have access to the virtual environment, you could power off the machines (reboot, etc). It's the same if you have physical access to the data center/server room/etc or access to a remote PDU (aka walk up and press the off button on a machine). The only difference is that you could change resource allocation, but in a compliance/audit scenario, you're not accessing the actual data or the guest OS itself, just the box itself. Changing resources does affect change control, but so would someone removing RAM out of a physical box or adding a CPU. I'm only speaking for VMWare here (since that's what I know and run), but you can set up a lot of different levels of access in the virtual environment. You can group the machines, set administrators for those groups, or break it down to only allow certain groups to have access to certain machines. For example, I myself have full access to the entire network, but I only allow my programmers to have access to only a couple of machines, and only restart ability to those. When they log in, all they see are their machines only. 
Their only options are console or power on/off/reboot, the same access they've had when the servers were physical. It ties into Active Directory, and you can set groups to as much or as little access as you want. I do agree, there are some security concerns that you'll need to address, but virtualizing your servers won't give anyone any more additional access to the machines over walking into the server room IMO. Seth
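The delegation Seth describes above (console and power operations only, granted to an Active Directory group on a few machines), sketched in VMware PowerCLI as an added example that is not from the thread or from VMware. The server, group, VM and role names are placeholders, and the audit function is an assumption about how one might list who holds more than those four privileges on a given VM.

```powershell
# Added example, not from the thread. All names below are placeholders.
# Requires the VMware PowerCLI module and an account allowed to manage roles.
Import-Module VMware.VimAutomation.Core

$vCenter  = 'vcenter.example.test'        # placeholder vCenter Server
$devGroup = 'EXAMPLE\Programmers'         # placeholder Active Directory group
$devVMs   = 'dev-app01', 'dev-app02'      # placeholder VM names
$roleName = 'VM-Console-Power-Only'       # placeholder role name

# The four actions the post lists: console, power on, power off, reboot.
$allowedIds = @(
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset'
)

function Get-ExcessVmPrivilege {
    # For every permission returned for the VM, report principals whose role
    # carries VirtualMachine.* privileges outside the allowed list
    # (configuration, disks, snapshots and so on).
    param(
        [Parameter(Mandatory)] $VM,
        [Parameter(Mandatory)] [string[]] $AllowedIds
    )
    foreach ($perm in Get-VIPermission -Entity $VM) {
        $extra = (Get-VIRole -Name $perm.Role).PrivilegeList |
            Where-Object { $_ -like 'VirtualMachine.*' -and $_ -notin $AllowedIds }
        if ($extra) {
            [pscustomobject]@{
                VM         = $VM.Name
                Principal  = $perm.Principal
                Role       = $perm.Role
                DefinedOn  = $perm.Entity.Name
                ExtraCount = @($extra).Count
            }
        }
    }
}

Connect-VIServer -Server $vCenter | Out-Null

# Create the restricted role once.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $allowedIds)
}

$report = foreach ($vm in Get-VM -Name $devVMs) {
    # Grant the group the restricted role on this VM only, if not already set.
    $already = Get-VIPermission -Entity $vm -Principal $devGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.EntityId -eq $vm.Id }
    if (-not $already) {
        New-VIPermission -Entity $vm -Principal $devGroup -Role $role | Out-Null
    }
    # List everyone who can do more than console and power on this VM.
    Get-ExcessVmPrivilege -VM $vm -AllowedIds $allowedIds
}

$report | Sort-Object VM, Principal | Format-Table -AutoSize
```

The report is expected to list the virtualisation administrators themselves; run against domain controller VMs, it gives the set of accounts that Ken's replies argue have to be covered by change control.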
RE: Virtualization Questions - More Q's
Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc... Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:14 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. 
Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. 
Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: Virtualization Questions - More Q's
No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. Cheers Ken From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, 31 December 2008 2:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc... Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:14 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's That's an interesting point. Have you actually seen this in practice? 
What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.commailto:christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. 
Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks! This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender
RE: Virtualization Questions - More Q's
-Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Subject: Re: Virtualization Questions - More Q's On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer k...@adopenstatic.com wrote: Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. I don't see a lot of difference here between virtual environment vs physical. Physical access can mean control - but you can control physical access. Not to mention detecting network changes and preventing/detecting BIOS changes (via passwords and ILO/DRAC etc) In a virtual environment, your virtualisation people control the BIOS, the boot sequence, the virtual networks that are exposed, and even the hard disks of the VMs themselves. And they can do that remotely. In a physical world, your virtualisation people wouldn't have access to the cabinets that store your physical domain controllers or other physical servers. Just the servers that host the VM hosts. Additionally, there are occasionally vulnerabilities in virtualisation software (a couple for VMWare and a more for other products). These can be used to gain access to VMs by holding privileges on the host. Cheers Ken A) The guest virtual machines have the same security as their physical counterparts. (ie you still need a login/password to get into the operating systems). Same in a physical environment. It's the same as walking up to a KVM or logging into an IP KVM. B) If you have access to the virtual environment, you could power off the machines (reboot, etc). It's the same if you have physical access to the data center/server room/etc or access to a remote PDU (aka walk up and press the off button on a machine). 
The only difference is that you could change resource allocation, but in a compliance/audit scenario, you're not accessing the actual data or the guest OS itself, just the box itself. Changing resources does affect change control, but so would someone removing RAM out of a physical box or adding a CPU. I'm only speaking for VMWare here (since that's what I know and run), but you can set up a lot of different levels of access in the virtual environment. You can group the machines, set administrators for those groups, or break it down to only allow certain groups to have access to certain machines. For example, I myself have full access to the entire network, but I only allow my programmers to have access to only a couple of machines, and only restart ability to those. When they log in, all they see are their machines only. Their only options are console or power on/off/reboot, the same access they've had when the servers were physical. It ties into Active Directory, and you can set groups to as much or as little access as you want. I do agree, there are some security concerns that you'll need to address, but virtualizing your servers won't give anyone any more additional access to the machines over walking into the server room IMO. Seth
RE: Virtualization Questions - More Q's
From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes. Webster From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized. I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc. Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. 
As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken
RE: Virtualization Questions - More Q's
Wow, I've never worked for anything even close to that big. Where I'm at now is the largest IT department I've been in, and there's only 6 of us, 3 of which are developers, one is the manager, me on the server side, and one guy doing desktops. And I may be laid off soon, if the Governator has his way...

Joe Heaton
Employment Training Panel

From: Webster [mailto:carlwebs...@gmail.com] Sent: Tuesday, December 30, 2008 9:05 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes.

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's

Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc...

Joe Heaton
Employment Training Panel

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way.

Cheers
Ken
RE: Virtualization Questions - More Q's
Yes there are definitely shops out there of that size. And they are silo'd to use IBM terminology. I've been part of a Global Services outsourcing and experienced that. But keep in mind that there aren't that many companies out there with that scope. My last employer had 100,000 users globally and didn't have that sort of granularity.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003

From: Webster [mailto:carlwebs...@gmail.com] Sent: Tuesday, December 30, 2008 12:05 PM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes.

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc.

Joe Heaton
Employment Training Panel

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way.

Cheers
Ken
Re: Virtualization Questions - More Q's
On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer k...@adopenstatic.com wrote:

-Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Subject: Re: Virtualization Questions - More Q's

I don't see a lot of difference here between virtual environment vs physical. Physical access can mean control - but you can control physical access. Not to mention detecting network changes and preventing/detecting BIOS changes (via passwords and ILO/DRAC etc) In a virtual environment, your virtualisation people control the BIOS, the boot sequence, the virtual networks that are exposed, and even the hard disks of the VMs themselves. And they can do that remotely. In a physical world, your virtualisation people wouldn't have access to the cabinets that store your physical domain controllers or other physical servers. Just the servers that host the VM hosts. Additionally, there are occasionally vulnerabilities in virtualisation software (a couple for VMWare and a more for other products). These can be used to gain access to VMs by holding privileges on the host.

Cheers
Ken

VMware allows you to password protect the BIOS, just like a physical machine. As for network changes, a VMWare administrator can change only the virtual switches and virtual NICs, they can't affect the physical switches connecting the rest of the network. Basically you have to treat the virtual environment the same as a physical environment and treat the access program (such as VirtualCenter) just like physical access. Yes you can access it remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the same remote access for physical servers. Except, with virtual, you can delegate certain tasks a lot better than just giving a bunch of folks the key to the door of your server room or maintaining a ton of remote access products.

You do have a good point with the software vulnerabilities. However, I'd have to argue that you have those with just about any other solution. I'm sure a clever hacker can figure out a remote PDU or DRAC card. Following best practices, such as putting your service consoles on non-production management networks, setting up isolation, patching, etc can help with these problems.

Seth
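The exchange above turns on who holds the virtual equivalent of physical access to a domain controller. The following is an added example, not part of the original thread: a small audit that lists every principal outside an approved group whose effective role on a domain-controller VM includes console, power, boot-media or disk privileges. The inventory paths, principals, role contents and the simplified inheritance rule (the most specific permission for a principal wins; group membership is not expanded) are constructed assumptions; the privilege names follow vSphere naming.

```python
from dataclasses import dataclass

# Privileges that amount to hands-on access to a guest. The names follow
# vSphere privilege naming; the exact set is an assumption to tune per site.
PHYSICAL_EQUIVALENT = {
    "VirtualMachine.Interact.ConsoleInteract": "console (BIOS/boot sequence)",
    "VirtualMachine.Interact.PowerOff": "power",
    "VirtualMachine.Interact.SetCDMedia": "boot media",
    "VirtualMachine.Config.AddExistingDisk": "attach disk",
    "VirtualMachine.Provisioning.GetVmFiles": "copy virtual disks",
}


@dataclass(frozen=True)
class Permission:
    principal: str
    role: str
    entity: str      # inventory path the permission is set on
    propagate: bool  # inherited by child objects?


# Constructed sample data: role contents and assignments are illustrative.
ROLES = {
    "Administrator": set(PHYSICAL_EQUIVALENT),
    "VM Power User": {
        "VirtualMachine.Interact.ConsoleInteract",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.SetCDMedia",
    },
    "Backup Operator": {
        "VirtualMachine.Provisioning.GetVmFiles",
        "VirtualMachine.State.CreateSnapshot",
    },
    "Read-only": set(),
}

PERMISSIONS = [
    Permission(r"CORP\vmware-admins", "Administrator", "/DC1", True),
    Permission(r"CORP\auditors", "Read-only", "/DC1", True),
    Permission(r"CORP\backup-svc", "Backup Operator", "/DC1/vm", True),
    Permission(r"CORP\helpdesk", "VM Power User", "/DC1/vm", True),
    # Folder-level override that fences helpdesk off from infrastructure VMs.
    Permission(r"CORP\helpdesk", "Read-only", "/DC1/vm/Infrastructure", True),
    # Set on the folder without propagation: does not reach the VMs inside.
    Permission(r"CORP\app-team", "VM Power User", "/DC1/vm/Infrastructure", False),
    # Set directly on one domain controller VM.
    Permission(r"CORP\contractor", "VM Power User", "/DC1/vm/Infrastructure/dc01", False),
]

TIER0_VMS = ["/DC1/vm/Infrastructure/dc01", "/DC1/vm/Infrastructure/dc02"]
APPROVED = {r"CORP\ad-tier0-admins"}  # principals allowed this level of access


def applies(perm, vm_path):
    """A permission reaches a VM if set on it, or on an ancestor with propagation."""
    if perm.entity == vm_path:
        return True
    return perm.propagate and vm_path.startswith(perm.entity.rstrip("/") + "/")


def effective_role(principal, vm_path, permissions):
    """Most specific applicable permission wins (simplified inheritance model)."""
    candidates = [p for p in permissions
                  if p.principal == principal and applies(p, vm_path)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: len(p.entity)).role


def audit(tier0_vms, permissions, roles, approved):
    """Return (vm, principal, role, capabilities) for each unapproved holder."""
    findings = []
    principals = sorted({p.principal for p in permissions})
    for vm in tier0_vms:
        for principal in principals:
            if principal in approved:
                continue
            role = effective_role(principal, vm, permissions)
            if role is None:
                continue
            risky = sorted(PHYSICAL_EQUIVALENT[priv] for priv in roles[role]
                           if priv in PHYSICAL_EQUIVALENT)
            if risky:
                findings.append((vm, principal, role, risky))
    return findings


if __name__ == "__main__":
    for vm, principal, role, risky in audit(TIER0_VMS, PERMISSIONS, ROLES, APPROVED):
        print(f"{vm}: {principal} via '{role}' -> {', '.join(risky)}")
```

Each finding is a principal to either move into the approved group or fence off with a more specific, lower-privilege assignment on the folder that holds the domain controllers.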
RE: Virtualization Questions - More Q's
Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes.

Although I don't appreciate the 3 month process, from my experience on huge networks, using a structured methodology such as this provides more good than bad. If the VM is needed for testing a truly well thought out engineered solution probably would have thought that out from the beginning. Shooting from the hip is usually what causes the network outages, so no root cause analysis would be truly needed in that environment. Just my $0.02.

From: Webster [mailto:carlwebs...@gmail.com] Sent: Tuesday, December 30, 2008 12:05 PM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes.

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc.

Joe Heaton
Employment Training Panel

From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's

I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way.

Cheers
Ken
RE: Virtualization Questions
I've been working primarily with VMWare so keep that in mind, but here are my opinions:

1. It depends on the situation. For example if you are talking small office or SMB type of implementations a SAN may not be possible due to cost constraints. On the other hand if it's available, I would recommend it. Specifically for HA and DRS in VMWare for high availability, load balancing, fault tolerance.
2. Some do and some don't. Over the years, I have seen a shift from vendors to not supporting it at all, to totally embracing it. At this point I think the majority of vendors support it in some form, but not all. YMMV.
3. I think a lot of that depends on the situation. I think almost anything can fit well into a virtual environment if the hardware is scaled appropriately. Lots of disk, lots of memory, lots of IO (HBA, Network).
4. There are tools available for this type of initial evaluation. I know PlateSpin has tools and so does VMWare for making an evaluation of the current environment and creating an initial proposal (number of hosts needed, specific servers categorized into best candidate types, etc.).

Keep in mind this is a very dynamic area. Nothing is set in stone. The only thing you can be sure of is that once you go virtual you will need to expand it, just a matter of how much and over what period of time. Depending on how big your environment is, I'd suggest setting up a Development cluster and start by migrating some Dev boxes over or creating new test systems for different departments to evaluate. Once you have buy in from the business you can move forward.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
RE: Virtualization Questions
+1

As for the MS virtualization policy see: http://support.microsoft.com/kb/957006/

And remember, just because something isn't on here doesn't mean it can't be virtualized. It's just not officially supported. ESX falls under the SVVP program.

From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Monday, December 29, 2008 6:52 AM To: NT System Admin Issues Subject: RE: Virtualization Questions

Roger, Opinions on this will vary, however, my responses.

1. Yes. Centralized storage that all hosts can see and access is a must for Vmotion/HA/DRS as well as backups. Needs and budget will dictate, however, I would have local storage only for the host OS (ESX, etc.) and a SAN for all the VMs\vmdk files.
2. Acceptance of a dedicated VM is growing. I've personally run many, many (police academy joke, if you didn't get it) applications with no issues raised from the vendor, YMMV by vendor
3. Load and amount of data usually dictate this. I've seen every mainstream app virtualized and dedicated server, here in the datacenter.
4. I would say load and functionality. If you have ESX with HA/DRS, then I personally don't care where the VMs are just as long as they are up. I have seen where shops will specify that a DC\GC has to stay on the same host as an Exchange server, as an example.

Forget everything you know about server provisioning. In my experience, dedicated servers that were running with dual procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM environment. This is one of the many, many (see above reference :)) beautiful things that virtualization brings to the table. Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
Re: Virtualization Questions
Add to that list anything that requires specialized hardware. Under many circumstances VoIP systems fall under that category, as do RAS servers and fax servers. Martin Blackstone wrote: Additionally as for what does not virtualize well, IP Phone systems for one. -- Phil Brutsche p...@optimumdata.com
RE: Virtualization Questions
In my experience, most vendors don't want to support a system where another product could change the configuration. To me, with them, it's not about the hardware or the processing power - in most cases, it's about the internal configurations of the OS or software. They usually make perfect VM guests.

From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Monday, December 29, 2008 9:52 AM To: NT System Admin Issues Subject: Re: Virtualization Questions

Personally I am using local but wish I had a SAN.

I suspect if they wanted a dedicated server then a virtualized dedicated server would work. I did that to a server we had to run for our library for several years. I never told the vendor as they never asked but we never had any issues with that setup and that was using software ported over from NT4 to 2000. Ours actually ran smoother in the virtual environment than in the physical but that may have been a result of hardware issues.

I have SCE, DC/NAP/NDS/DHCP, File, Web/Print/FTP/SMTP, AV, and SQL all running virtual. The AV is on one machine the rest on another. I will also say that the SQL is not a high volume machine and except for running out of space is happy.

I don't do clusters so will leave that to smarter people than me.

My logic is best machine to do the work but I don't put Printing on the same machine as File services I try to get machines to do logically what is similar things on the same VM. I could have put the AV on my SCE but I am new to that technology and had the spare license so I split the two. It will make changing AV vendors easier at a later point. Some things just should be on their own whenever possible, like DC's and File should not share and File and Web app's should not share if you have the license and space to keep them separate. I am a bit old school about that.

I am under orders to decrease my heat/AC and electrical draws as well as the numbers of Physical machines we support. Some vendors like ESRI require access to dedicated hardware that cannot be done in a virtual environment but other than that I have been successful at virtualizing most things tried. One thing to keep in mind that you already know is nothing goes on the host but what you absolutely have to have on the host. That causes more issues than any I have had to this point.

Jon

On Mon, Dec 29, 2008 at 9:30 AM, Roger Wright rwri...@evatone.com wrote:

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
RE: Virtualization Questions
To piggy-back off of what Andy has stated - remember, even if you can't get multiple virtual systems on a physical box - you're getting other intangibles with it. For example, having an SQL app that simply won't allow (for any number of reasons) any other guest on the same physical box, you get to use VMotion/HA/DRS on it to make it much, much more valuable. In my experience, that is priceless. Almost everything can be virtualized.

From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Monday, December 29, 2008 9:52 AM To: NT System Admin Issues Subject: RE: Virtualization Questions

Roger, Opinions on this will vary, however, my responses.

1. Yes. Centralized storage that all hosts can see and access is a must for Vmotion/HA/DRS as well as backups. Needs and budget will dictate, however, I would have local storage only for the host OS (ESX, etc.) and a SAN for all the VMs\vmdk files.
2. Acceptance of a dedicated VM is growing. I've personally run many, many (police academy joke, if you didn't get it) applications with no issues raised from the vendor, YMMV by vendor
3. Load and amount of data usually dictate this. I've seen every mainstream app virtualized and dedicated server, here in the datacenter.
4. I would say load and functionality. If you have ESX with HA/DRS, then I personally don't care where the VMs are just as long as they are up. I have seen where shops will specify that a DC\GC has to stay on the same host as an Exchange server, as an example.

Forget everything you know about server provisioning. In my experience, dedicated servers that were running with dual procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM environment. This is one of the many, many (see above reference :)) beautiful things that virtualization brings to the table. Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
Re: Virtualization Questions - More Q's
1) With VMotion it's transparent and the VM doesn't miss a beat
2) Not that I've seen
3) That's not a simple question to answer, it depends on the network load of the VMs. If you're consolidating some infrequently-used machines then shared NICs aren't a big deal, but if you're going to virtualize a file server or an Exchange environment with a couple hundred people on it it will be a VERY big deal.
4) Generally no. One of the exceptions is Server 2003 Enterprise and Server 2008 Enterprise - if you use Hyper-V as your hypervisor each Enterprise server license allows you to run 4 VMs.

Roger Wright wrote:

1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent?
2. Does Virtualization impact your domain security requirements in any way?
3. NIC Utilization – Shared NICs or separate for each VM?
4. OS App licensing – can we expect any reduction in licensing requirements?

Thanks!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388

From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Monday, December 29, 2008 9:52 AM To: NT System Admin Issues Subject: RE: Virtualization Questions

Roger, Opinions on this will vary, however, my responses…

1. Yes. Centralized storage that all hosts can see and access is a must for Vmotion/HA/DRS as well as backups. Needs and budget will dictate, however, I would have local storage only for the host OS (ESX, etc.) and a SAN for all the VMs\vmdk files.
2. Acceptance of a dedicated VM is growing. I’ve personally run many, many (police academy joke, if you didn’t get it) applications with no issues raised from the vendor, YMMV by vendor
3. Load and amount of data usually dictate this. I’ve seen every mainstream app virtualized and dedicated server, here in the datacenter.
4. I would say load and functionality. If you have ESX with HA/DRS, then I personally don’t care where the VMs are just as long as they are up. I have seen where shops will specify that a DC\GC has to stay on the same host as an Exchange server, as an example.

Forget everything you know about server provisioning. In my experience, dedicated servers that were running with dual procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM environment. This is one of the many, many (see above reference :)) beautiful things that virtualization brings to the table. Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don’t make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388

-- Phil Brutsche p...@optimumdata.com
Re: Virtualization Questions - More Q's
That would depend on which of the host systems you choose and how much money you want to spend.

Not really but again it does depend on the host system. I would prefer to have the host outside the domain so that it is not looking for the domain on booting. VMware and Hyper-V support this.

Shared NIC's work but spend the money and get a dedicated NIC for each VM if you can, way way better!

If you use Hyper-V and purchase the Enterprise license you get one Physical machine license and 4 VM licenses, Data Center gets even better but with VMware you get no licenses.

Jon

On Mon, Dec 29, 2008 at 10:32 AM, Roger Wright rwri...@evatone.com wrote:

Great responses so far! You've all given me even more to think about. A few other questions:

1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent?
2. Does Virtualization impact your domain security requirements in any way?
3. NIC Utilization – Shared NICs or separate for each VM?
4. OS App licensing – can we expect any reduction in licensing requirements?

Thanks!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388

From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Monday, December 29, 2008 9:52 AM To: NT System Admin Issues Subject: RE: Virtualization Questions

Roger, Opinions on this will vary, however, my responses…

1. Yes. Centralized storage that all hosts can see and access is a must for Vmotion/HA/DRS as well as backups. Needs and budget will dictate, however, I would have local storage only for the host OS (ESX, etc.) and a SAN for all the VMs\vmdk files.
2. Acceptance of a dedicated VM is growing. I've personally run many, many (police academy joke, if you didn't get it) applications with no issues raised from the vendor, YMMV by vendor
3. Load and amount of data usually dictate this. I've seen every mainstream app virtualized and dedicated server, here in the datacenter.
4. I would say load and functionality. If you have ESX with HA/DRS, then I personally don't care where the VMs are just as long as they are up. I have seen where shops will specify that a DC\GC has to stay on the same host as an Exchange server, as an example.

Forget everything you know about server provisioning. In my experience, dedicated servers that were running with dual procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM environment. This is one of the many, many (see above reference :)) beautiful things that virtualization brings to the table. Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
RE: Virtualization Questions - More Q's
1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification.
2. No
3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.
4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's

Great responses so far! You've all given me even more to think about. A few other questions:

1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent?
2. Does Virtualization impact your domain security requirements in any way?
3. NIC Utilization - Shared NICs or separate for each VM?
4. OS App licensing - can we expect any reduction in licensing requirements?

Thanks!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388

From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Monday, December 29, 2008 9:52 AM To: NT System Admin Issues Subject: RE: Virtualization Questions

Roger, Opinions on this will vary, however, my responses...

1. Yes. Centralized storage that all hosts can see and access is a must for Vmotion/HA/DRS as well as backups. Needs and budget will dictate, however, I would have local storage only for the host OS (ESX, etc.) and a SAN for all the VMs\vmdk files.
2. Acceptance of a dedicated VM is growing. I've personally run many, many (police academy joke, if you didn't get it) applications with no issues raised from the vendor, YMMV by vendor
3. Load and amount of data usually dictate this. I've seen every mainstream app virtualized and dedicated server, here in the datacenter.
4. I would say load and functionality. If you have ESX with HA/DRS, then I personally don't care where the VMs are just as long as they are up. I have seen where shops will specify that a DC\GC has to stay on the same host as an Exchange server, as an example.

Forget everything you know about server provisioning. In my experience, dedicated servers that were running with dual procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM environment. This is one of the many, many (see above reference :)) beautiful things that virtualization brings to the table. Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 9:30 AM To: NT System Admin Issues Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?
2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?
3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.
4. Is clustering still possible with VMs?
5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
RE: Virtualization Questions - More Q's
1. Keep in mind there are some limitations with hardware in regards to VMotion. Specifically related to CPU. They need to be compatible. See this to get more info:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1991
2. None that I am aware of.
3. You will be sharing NIC's. If you are doing HA and DRS, there is no way to tie a specific VM to a NIC. I suggest as many NIC's in the host as possible. In my last job the host ESX servers had the following hardware:
   (4) Quad Core CPU's
   128G RAM
   (4) Quad Port NIC cards + the 2 onboard NICs
   (2) Dual Port HBA cards
4. I think you can save on licensing with Hyper-V if you get the Data Center version. Not sure about that. But in general licensing is not what you save on in my experience.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003
Re: Virtualization Questions - More Q's
for #3

With ESX server you can do both or whatever you want. If you have enough physical nic's you can dedicate a nic to each VM if you want or if your VM will have high utilization. Or you can share one nic across multiple VM's...

Phil
RE: Virtualization Questions - More Q's
If you use Hyper-V and purchase the Enterprise license you get one Physical machine license and 4 VM licenses, Data Center gets even better but with VMware you get no licenses.

That is not correct. MS doesn't differentiate between an MS hypervisor and any other when it comes to the virtualization licenses allotted with Enterprise or Datacenter.

http://www.microsoft.com/windowsserver2008/en/us/licensing-faq.aspx#virt

Q. Do the virtualization licensing rights of Windows Server 2008 apply when used with non-Microsoft software virtualization technologies?
A. Yes. The use rights apply regardless of the virtualization product being used. However, any non-Microsoft software virtualization technologies are not supported by Microsoft.

- Andy O.
RE: Virtualization Questions - More Q's
Also don't forget you can use Vlan tagging of the traffic on the NIC's to have more VLAN's go over 1 physical NIC in a Vswitch in VMware if you are running out of Physical slots in your switches. It might be easier to do, since you could always have failover (another Physical NIC with the same tagged Vlan's) in case you have a physical Nic failure.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +
RE: Virtualization Questions - More Q's
Also from a DR perspective, you might want to be looking into Site Recovery Manager, and balancing your farm across 2 or more separate sites in which you can fail the farm over to the other site and vice versa, but a lot of planning needs to go on with that before you will get to that point.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com]
Sent: Monday, December 29, 2008 10:38 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

1) With VMotion it's transparent and the VM doesn't miss a beat
2) Not that I've seen
3) That's not a simple question to answer, it depends on the network load of the VMs. If you're consolidating some infrequently-used machines then shared NICs aren't a big deal, but if you're going to virtualize a file server or an Exchange environment with a couple hundred people on it it will be a VERY big deal.
4) Generally no. One of the exceptions is Server 2003 Enterprise and Server 2008 Enterprise - if you use Hyper-V as your hypervisor each Enterprise server license allows you to run 4 VMs.

--
Phil Brutsche
p...@optimumdata.com
Re: Virtualization Questions - More Q's
On Mon, Dec 29, 2008 at 9:57 AM, Andy Shook andy.sh...@peak10.com wrote:

1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification.

According to my VCP study materials (version 3.5), the processors have to be the same brand (AMD vs Intel) and the same family. This is due to the (minor) differences in the instruction sets. Now, things like L2 cache, hyperthreading, number of cores, clock speeds, etc don't matter since the guest OS is seeing a virtual CPU. Vmotion only cares about the instructions. Now, there are a few caveats to this, such as non-execute and whatnot, but that's not default.

Vmotion is only for transferring running machines with minimum interruption. Of course you could do cold migration to any other ESX machine, where you turn off the guest before transferring. When the machine is off you can start it on other machines regardless of the CPU constraints.

There are other constraints, mainly with the set up of the individual ESX host. If the guest has an active connection with local resources, the internal networking is set up differently on the target host, etc it can't be moved. But most of that stuff is easy to overcome.

In my experience VMotion works extremely well, usually the most drastic interruption I've seen is one dropped ping. Users don't even notice it being moved.

Seth
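The constraints listed in the message above, written out as a migration pre-check. This is an added example, not part of the thread and not VMware code: the Host/Guest model, its field names and the sample inventory are constructed, and comparing instruction-set features in one direction only is a simplifying assumption.

```python
from dataclasses import dataclass

# Constructed inventory model; field names are illustrative, not VMware API names.
@dataclass(frozen=True)
class Host:
    name: str
    cpu_vendor: str            # "Intel" or "AMD"
    cpu_family: str            # constructed family label
    cpu_features: frozenset    # instruction-set features visible to guests
    cores: int                 # recorded but deliberately never compared
    clock_mhz: int             # recorded but deliberately never compared
    port_groups: frozenset     # virtual network labels defined on the host


@dataclass(frozen=True)
class Guest:
    name: str
    powered_on: bool
    port_groups: frozenset     # network labels the guest's vNICs attach to
    local_devices: tuple = ()  # connected host-local resources (CD-ROM, local disk)


def cpu_blockers(src, dst):
    """Reasons a running guest could not keep executing on dst's CPU."""
    reasons = []
    if src.cpu_vendor != dst.cpu_vendor:
        reasons.append(f"CPU brand differs: {src.cpu_vendor} vs {dst.cpu_vendor}")
    elif src.cpu_family != dst.cpu_family:
        reasons.append(f"CPU family differs: {src.cpu_family} vs {dst.cpu_family}")
    # Assumption: only instructions the guest may already be using matter,
    # so extra features on the target are not treated as a problem here.
    lost = sorted(src.cpu_features - dst.cpu_features)
    if lost:
        reasons.append("instructions missing on target: " + ", ".join(lost))
    return reasons


def setup_blockers(guest, dst):
    """Host set-up problems; these are fixed by reconfiguring, not by powering off."""
    reasons = []
    missing = sorted(guest.port_groups - dst.port_groups)
    if missing:
        reasons.append("network labels missing on target: " + ", ".join(missing))
    if guest.local_devices:
        reasons.append("connected to host-local resources: "
                       + ", ".join(guest.local_devices))
    return reasons


def plan_migration(guest, src, dst):
    """Return (mode, reasons): 'live', 'cold' or 'fix-setup'."""
    setup = setup_blockers(guest, dst)
    if setup:
        return "fix-setup", setup
    if not guest.powered_on:
        return "cold", []          # CPU constraints do not apply to a stopped guest
    cpu = cpu_blockers(src, dst)
    if cpu:
        return "cold", cpu         # must be powered off before it can move
    return "live", []


def demo():
    """Run the check over a small constructed inventory."""
    feats = frozenset({"sse2", "sse3", "nx"})
    nets = frozenset({"Prod", "DMZ"})
    esx1 = Host("esx1", "Intel", "fam-A", feats, 4, 2000, nets)
    esx2 = Host("esx2", "Intel", "fam-A", feats, 8, 3000, nets)
    esx3 = Host("esx3", "AMD", "fam-X", feats, 4, 2000, nets)
    web = Guest("web01", True, frozenset({"Prod"}))
    return {dst.name: plan_migration(web, esx1, dst) for dst in (esx2, esx3)}


if __name__ == "__main__":
    for target, (mode, reasons) in demo().items():
        print(target, mode, reasons)
```
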
RE: Virtualization Questions - More Q's
A. Yes. The use rights apply regardless of the virtualization product being used. However, any non-Microsoft software virtualization technologies are not supported by Microsoft.

And to clarify the support aspect of that statement, they are saying they will not support the actual 3rd party virtualization software itself but if it is a validated hypervisor, they will support the MS software running on it. See below for more info:

http://windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm
http://www.vmware.com/company/news/releases/svvp.html

- Andy O.
Re: Virtualization Questions
Taking a look at the potential implementation of virtualization and have several questions:

1. Does/should utilization of a SAN have a direct impact on virtualization decisions? Is it better to go with local or SAN storage?

1. Roger, if you use a SAN you will get more out of your virtualization infrastructure. Example. In VMware's case you cannot use vmotion if you do not have a SAN. Also, without a SAN vmware is unable to load balance your VMs between hosts automatically. SANs are expensive. There is free software (Open filer) that can be used to turn any server into a SAN. We have chosen to move to VMware and have implemented local storage on a pair of HP DL 380s. We will be moving to a SAN year two. It was just too hard to swing the new hardware and Vmware and a SAN in the same year.

2. Do vendors who normally require a dedicated server accept a virtualized server as equivalent?

2. Most vendors I have worked with are onboard with virtualization. I will say we have one vendor who does not give its blessing to virtualization at the moment. We have challenged the vendor to provide reasons why they do not support virtualization and a road map as to when their software will support it.

3. What type of servers (DB, Oracle, FP, etc.) don't make good candidates for virtualization? I would think that SQL/Oracle would probably be least recommended.

3. SQL 2008 is fully supported in Microsoft's hypervisor. I can tell you that I am running a couple of SQL 2005 databases on Vmware esx and have had no problems. Building a virtual server is not that much different than building a physical one. i.e. SQL likes spindles and ram. As long as the hardware available to the hypervisor is adequate you should be fine. Just like a physical server YMMV and you will want to test.

4. Is clustering still possible with VMs?

4. I think so but, I have not set it up.

5. What kind of logic determines the best combination of host/guests? IOW, is it recommended to put all FP servers together on one host, or should it be a combination of FP, DB, etc.?

5. The answer to that question will vary. If you put all of your FP on one host and that host dies, you lose access to all FP services. (If you have a SAN and vmotion the VMs would be directed to another host. If you have local storage and a product like replicator you could bring the VMs up on another host that was replicated to, it just would not happen automagically like with vmotion) Obviously, you do not want to put all of your DCs on one host. Think load balancing. If you have a database that has to serve 2000 clients maybe you put a couple low utilized servers with it.

I have only scratched the surface on what virtualization can do.

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076 x388
RE: Virtualization Questions - More Q's
As far as MS goes, you do get a break on licensing since they allow you to license by the socket.
Re: Virtualization Questions - More Q's
Correct but I was only thinking of the server licenses. I am in an EDU environment where CALs are free under our agreement with Microsoft so I frequently forget about this and you caught me in a senior moment.

Jon
RE: Virtualization Questions - More Q's
Correct but I was only thinking of the server licenses. I am in an EDU environment where CALs are free under our agreement with Microsoft so I frequently forget about this and you caught me in a senior moment.

:) No problem. I just wanted to clear that up because in our situation we actually did save money on OS licenses by virtualizing and we used VMware.

To the OP: Check out these calculators to figure out what might be best for your own environment:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/calculator.mspx

It says it's for 2003 but it applies to 2008 as well.

- Andy O.