RE: Virtualization Questions - More Q's

2009-01-02 Thread Eric E Eskam
"Webb, Brian (Corp)" wrote on 01/02/2009 05:25:25 PM:

> There were several sessions on security at VMWorld this past 
> year and the people leading those sessions would definitely say
> there are security issues that come about from using 
> virtualization.  In some ways the security picture gets better,
> in some ways worse.

Christofer Hoff is a great source on security and virtualization.  His 
latest article:

http://rationalsecurity.typepad.com/blog/2008/12/virtualization-so-last-tuesday.html

If you read through his virtualization posts
(http://rationalsecurity.typepad.com/blog/virtualization/), you will get a
pretty good idea of what the "fuss" is about.  I dunno, virtualization is 
neither good nor bad.  It's just another tool, and it will take us a while 
to understand and secure it, just like anything else.  There are 
definitely issues, and it pays to read up on the potential pitfalls.

Eric Eskam
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The contents of this message are mine personally and do not reflect any 
position of the U.S. Government
"The human mind treats a new idea the same way the body treats a strange 
protein; it rejects it."
-  P. B. Medawar

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


RE: Virtualization Questions - More Q's

2009-01-02 Thread Tim Evans
Oh, I just thought you were happy to see me


...Tim

From: David Lum [mailto:david@nwea.org]
Sent: Friday, January 02, 2009 2:56 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

One thing about a VM vs a physical server - a LOT easier to walk out the 
building with one, since you can fit them on a USB device...(assuming said 
person has the security, but disgruntled employees do all sorts of crappy 
stuff...).

"Look, I have a DC and SQL server in my pocket..."
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Webb, Brian (Corp) [mailto:brian.w...@teldta.com]
Sent: Friday, January 02, 2009 2:25 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

There were several sessions on security at VMWorld this past year and the 
people leading those sessions would definitely say there are security issues 
that come about from using virtualization.  In some ways the security picture 
gets better, in some ways worse.  There are some new security appliances coming 
out that can run as a VM and watch over the other VMs.  VMWare has created some 
special hooks into the hypervisor to allow this.  Keep an eye on the issue.

At the very least there are additional privileges that must be tracked - it is 
never a good idea to have only one person who has the "keys to the kingdom"

-Brian



From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 5:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's
Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2009-01-02 Thread David Lum
One thing about a VM vs a physical server - a LOT easier to walk out the 
building with one, since you can fit them on a USB device...(assuming said 
person has the security, but disgruntled employees do all sorts of crappy 
stuff...).

"Look, I have a DC and SQL server in my pocket..."
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


From: Webb, Brian (Corp) [mailto:brian.w...@teldta.com]
Sent: Friday, January 02, 2009 2:25 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

There were several sessions on security at VMWorld this past year and the 
people leading those sessions would definitely say there are security issues 
that come about from using virtualization.  In some ways the security picture 
gets better, in some ways worse.  There are some new security appliances coming 
out that can run as a VM and watch over the other VMs.  VMWare has created some 
special hooks into the hypervisor to allow this.  Keep an eye on the issue.

At the very least there are additional privileges that must be tracked - it is 
never a good idea to have only one person who has the "keys to the kingdom"

-Brian



From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 5:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's
Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2009-01-02 Thread Webb, Brian (Corp)
There were several sessions on security at VMWorld this past year and
the people leading those sessions would definitely say there are
security issues that come about from using virtualization.  In some ways
the security picture gets better, in some ways worse.  There are some
new security appliances coming out that can run as a VM and watch over
the other VMs.  VMWare has created some special hooks into the
hypervisor to allow this.  Keep an eye on the issue.
 
At the very least there are additional privileges that must be tracked -
it is never a good idea to have only one person who has the "keys to the
kingdom" 
 
-Brian

 



From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 5:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's



Most people have said "no" to question #2.

 

I would say that there is a definite impact. Your virtualisation team
are pretty much now an additional "god" in the organisation. For smaller
shops this isn't an issue. For bigger shops, or where
compliance/auditing/change control are important, then this is another
layer of people who have significant  privileges, who must be worked
into your change control process.

 

Cheers

Ken

 

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

1.   As long as the resources are available for the VM, then
transparent.  I know in the past that processors had to be in the same
family as well as the same brand for Vmotion but I heard that this has
changed with (ESX) update 3.  I don't know the details yet, so someone
please chime in here for clarification. 

2.   No

3.   Most environments will have both.  Shared for the lightweight
servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but
check with the vendors in question.  

 

Shook

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Great responses so far!  You've all given me even more to think about.

 

A few other questions:

 

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with
different HW impact the VM, or is it transparent?  

 

2.   Does Virtualization impact your domain security requirements in
any way?  

 

3.   NIC Utilization - Shared NICs or separate for each VM?

 

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

 

 

Thanks!

RE: Virtualization Questions - More Q's

2008-12-31 Thread Ken Schaefer
Seth,

I think we are in violent agreement here. I'm just saying that virtualising 
your infrastructure means that there is one more team of people who have 
privileged access to your infrastructure, and they need to be built into the 
whole change control/management process.

For a physical DC, you need to worry about your AD team, and whoever your 
hardware team is (i.e. the people who have physical access to the racks that 
your DCs are in, and who probably also have access via DRAC/ILO/etc). If you 
virtualise your DC, you need to worry about the virtualisation team as well, as 
they, like the people who have physical access, now have privileged access to 
the infrastructure that hosts the DC and if the integrity of everything 
underneath the OS can't be guaranteed (physical environment, virtualisation 
software), then neither can the OS.

Cheers
Ken

-Original Message-
From: S Conn. [mailto:sysadminli...@gmail.com] 
Sent: Wednesday, 31 December 2008 7:28 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer  wrote:
> -Original Message-
> From: S Conn. [mailto:sysadminli...@gmail.com]
> Subject: Re: Virtualization Questions - More Q's
>
>> I don't see a lot of difference here between virtual environment vs physical.
>
> Physical access can mean control - but you can control physical access. Not 
> to mention detecting network changes and preventing/detecting BIOS changes 
> (via passwords and ILO/DRAC etc)
>
> In a virtual environment, your virtualisation people control the BIOS, the 
> boot sequence, the virtual networks that are exposed, and even the hard disks 
> of the VMs themselves. And they can do that remotely. In a physical world, 
> your virtualisation people wouldn't have access to the cabinets that store 
> your physical domain controllers or other physical servers. Just the servers 
> that host the VM hosts.
>
> Additionally, there are occasionally vulnerabilities in virtualisation 
> software (a couple for VMWare and a more for other products). These can be 
> used to gain access to VMs by holding privileges on the host.
>
> Cheers
> Ken
>

VMware allows you to password protect the BIOS, just like a physical
machine.  As for network changes, a VMWare administrator can change
only the virtual switches and virtual NICs, they can't affect the
physical switches connecting the rest of the network.

Basically you have to treat the virtual environment the same as a
physical environment and treat the access program (such as
VirtualCenter) just like physical access.  Yes you can access it
remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the
same remote access for physical servers.  Except, with virtual, you
can delegate certain tasks a lot better than just giving a bunch of
folks the key to the door of your server room or maintaining a ton of
remote access products.

You do have a good point with the software vulnerabilities.  However,
I'd have to argue that you have those with just about any other
solution.  I'm sure a clever hacker can figure out a remote PDU or
DRAC card.  Following best practices, such as putting your service
consoles on non-production management networks, setting up isolation,
patching, etc can help with these problems.

Seth



RE: Virtualization Questions - More Q's

2008-12-30 Thread Fogarty, Richard R Mr CTR USA USASOC
"Extremely granular and an extreme PITA to do any work for.  Need a VM for
testing purposes?  A minimum 3 month process as it went thru all the change
control processes."

Although I don't appreciate the 3 month process, from my experience on huge
networks, using a structured methodology such as this provides more good
than bad. If the VM is needed for testing a truly well thought out
engineered solution probably would have thought that out from the beginning.
Shooting from the hip is usually what causes the network outages, so no root
cause analysis would be truly needed in that environment. 


Just my $0.02.

 

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 12:05 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who did
nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people who
handled Iron Mountain, etc.  Extremely granular and an extreme PITA to do
any work for.  Need a VM for testing purposes?  A minimum 3 month process as
it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere
that limits me that much as far as what I'm working with.  And yet, I'm sure
if you apply for one of those positions, you are still required to have 10+
years experience, and expertise with Windows, Unix, mainframes, every
desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500 type
companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is usually
limited to the Wintel area, and most large orgs have significant investment
in *nix, midrange/mainframe systems as well. The "source of truth" is
generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap, so
it's not really an  issue. In larger shops (once there isn't a predominance
of Windows), and AD isn't "king", it starts to become something that needs
to be dealt with in some way.


Cheers

Ken

 

 

 


Re: Virtualization Questions - More Q's

2008-12-30 Thread S Conn.
On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer  wrote:
> -Original Message-
> From: S Conn. [mailto:sysadminli...@gmail.com]
> Subject: Re: Virtualization Questions - More Q's
>
>> I don't see a lot of difference here between virtual environment vs physical.
>
> Physical access can mean control - but you can control physical access. Not 
> to mention detecting network changes and preventing/detecting BIOS changes 
> (via passwords and ILO/DRAC etc)
>
> In a virtual environment, your virtualisation people control the BIOS, the 
> boot sequence, the virtual networks that are exposed, and even the hard disks 
> of the VMs themselves. And they can do that remotely. In a physical world, 
> your virtualisation people wouldn't have access to the cabinets that store 
> your physical domain controllers or other physical servers. Just the servers 
> that host the VM hosts.
>
> Additionally, there are occasionally vulnerabilities in virtualisation 
> software (a couple for VMWare and a more for other products). These can be 
> used to gain access to VMs by holding privileges on the host.
>
> Cheers
> Ken
>

VMware allows you to password protect the BIOS, just like a physical
machine.  As for network changes, a VMWare administrator can change
only the virtual switches and virtual NICs, they can't affect the
physical switches connecting the rest of the network.

Basically you have to treat the virtual environment the same as a
physical environment and treat the access program (such as
VirtualCenter) just like physical access.  Yes you can access it
remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the
same remote access for physical servers.  Except, with virtual, you
can delegate certain tasks a lot better than just giving a bunch of
folks the key to the door of your server room or maintaining a ton of
remote access products.

You do have a good point with the software vulnerabilities.  However,
I'd have to argue that you have those with just about any other
solution.  I'm sure a clever hacker can figure out a remote PDU or
DRAC card.  Following best practices, such as putting your service
consoles on non-production management networks, setting up isolation,
patching, etc can help with these problems.

Seth



RE: Virtualization Questions - More Q's

2008-12-30 Thread Christopher Bodnar
Yes there are definitely shops out there of that size. And they are
"silo'd" to use IBM terminology. I've been part of a Global Services
outsourcing and experienced that. But keep in mind that there aren't that
many companies out there with that scope. My last employer had 100,000
users globally and didn't have that sort of granularity. 

 

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003


From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 12:05 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who
did nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people
who handled Iron Mountain, etc.  Extremely granular and an extreme PITA to
do any work for.  Need a VM for testing purposes?  A minimum 3 month
process as it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is
usually limited to the Wintel area, and most large orgs have significant
investment in *nix, midrange/mainframe systems as well. The "source of
truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap,
so it's not really an  issue. In larger shops (once there isn't a
predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

 

 




RE: Virtualization Questions - More Q's

2008-12-30 Thread Joe Heaton
Wow, I've never worked for anything even close to that big.  Where I'm
at now is the largest IT department I've been in, and there's only 6 of
us, 3 of which are developers, one is the manager, me on the server
side, and one guy doing desktops.

 

And I may be laid off soon, if the Governator has his way...

 

Joe Heaton

Employment Training Panel

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:05 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or
even domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global
Fortune 15.  For the one small segment of their network I worked on,
they had over 6,000 servers and over 35,000 PCs.  They had two dedicated
IT staff who did nothing but maintain the huge Excel SS of all their
DHCP scopes, reservations, server static IPs and server/scope options.
They had people who did nothing but monitor NetBackup, people who
changed tapes, people who handled Iron Mountain, etc.  Extremely
granular and an extreme PITA to do any work for.  Need a VM for testing
purposes?  A minimum 3 month process as it went thru all the change
control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized... I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc...

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from
Virtualisation (which is predominantly VMWare), which is again separate
from the hardware components (network, security, storage). Even as a
directory, AD is usually limited to the Wintel area, and most large orgs
have significant investment in *nix, midrange/mainframe systems as well.
The "source of truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant
overlap, so it's not really an  issue. In larger shops (once there isn't
a predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

 

 


RE: Virtualization Questions - More Q's

2008-12-30 Thread Webster
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who did
nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people who
handled Iron Mountain, etc.  Extremely granular and an extreme PITA to do
any work for.  Need a VM for testing purposes?  A minimum 3 month process as
it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere
that limits me that much as far as what I'm working with.  And yet, I'm sure
if you apply for one of those positions, you are still required to have 10+
years experience, and expertise with Windows, Unix, mainframes, every
desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500 type
companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is usually
limited to the Wintel area, and most large orgs have significant investment
in *nix, midrange/mainframe systems as well. The "source of truth" is
generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap, so
it's not really an  issue. In larger shops (once there isn't a predominance
of Windows), and AD isn't "king", it starts to become something that needs
to be dealt with in some way.


Cheers

Ken



RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
-Original Message-
From: S Conn. [mailto:sysadminli...@gmail.com] 
Subject: Re: Virtualization Questions - More Q's

On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer  wrote:
>> Most people have said "no" to question #2.
>>
>> I would say that there is a definite impact. Your virtualisation team are
>> pretty much now an additional "god" in the organisation. For smaller shops
>> this isn't an issue. For bigger shops, or where compliance/auditing/change
>> control are important, then this is another layer of people who have
>> significant  privileges, who must be worked into your change control
>> process.
>>
>
> I don't see a lot of difference here between virtual environment vs physical.

Physical access can mean control - but you can control physical access. Not to 
mention detecting network changes and preventing/detecting BIOS changes (via 
passwords and ILO/DRAC etc)

In a virtual environment, your virtualisation people control the BIOS, the boot 
sequence, the virtual networks that are exposed, and even the hard disks of the 
VMs themselves. And they can do that remotely. In a physical world, your 
virtualisation people wouldn't have access to the cabinets that store your 
physical domain controllers or other physical servers. Just the servers that 
host the VM hosts.

Additionally, there are occasionally vulnerabilities in virtualisation software 
(a couple for VMWare and a more for other products). These can be used to gain 
access to VMs by holding privileges on the host.

Cheers
Ken





A) The guest virtual machines have the same security as their physical
counterparts. (ie you still need a login/password to get into the
operating systems).  Same in a physical environment.  It's the same as
walking up to a KVM or logging into an IP KVM.
B) If you have access to the virtual environment, you could power off
the machines (reboot, etc).  It's the same if you have physical access
to the data center/server room/etc or access to a remote PDU (aka walk
up and press the off button on a machine).

The only difference is that you could change resource allocation, but
in a compliance/audit scenario, you're not accessing the actual data
or the guest OS itself, just the "box" itself.  Changing resources
does affect change control, but so would someone removing RAM out of a
physical box or adding a CPU.

I'm only speaking for VMWare here (since that's what I know and run),
but you can set up a lot of different levels of access in the virtual
environment.  You can group the machines, set administrators for those
groups, or break it down to only allow certain groups to have access
to certain machines.  For example, I myself have full access to the
entire network, but I only allow my programmers to have access to only
a couple of machines, and only restart ability to those.  When they
log in, all they see are their machines only.  Their only options are
console or power on/off/reboot, the same access they've had when the
servers were physical.  It ties into Active Directory, and you can
set groups to as much or as little access as you want.

I do agree, there are some security concerns that you'll need to
address, but virtualizing your servers won't give anyone any more
additional access to the machines over walking into the server room
IMO.


Seth
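
Added example (not part of the thread): Ken's point above, that the virtualisation team can change a VM's boot sequence, virtual networks and disks remotely and so has to be worked into change control, can be checked by reconciling hypervisor-level changes against approved change tickets. The record layout, action names, accounts and ticket numbers below are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample data in a made-up CSV layout (assumption: this is not
# any product's real audit-log or ticket format).
AUDIT_CSV = """\
timestamp,actor,vm,action
2008-12-30T09:05:00,virt-admin1,DC01,boot_order_changed
2008-12-30T09:40:00,virt-admin1,SQL02,disk_attached
2008-12-30T11:15:00,virt-admin2,DC01,network_changed
2008-12-30T13:00:00,dev-alice,WEB03,power_reset
2008-12-30T22:30:00,virt-admin2,SQL02,disk_copied
"""

CHANGES_CSV = """\
ticket,vm,action,window_start,window_end
CHG-1001,SQL02,disk_attached,2008-12-30T09:00:00,2008-12-30T10:00:00
CHG-1002,DC01,network_changed,2008-12-30T14:00:00,2008-12-30T15:00:00
"""

# Hypervisor-level actions of the kind listed in the thread: BIOS and boot
# sequence, virtual networks, and the VM's disks. Power operations are left
# out because they match pressing the button on a physical box.
SENSITIVE_ACTIONS = {
    "bios_changed", "boot_order_changed", "network_changed",
    "disk_attached", "disk_detached", "disk_copied",
}


def parse_rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def load_changes(text):
    """Index approved change windows by (vm, action)."""
    changes = {}
    for row in parse_rows(text):
        window = (
            datetime.fromisoformat(row["window_start"]),
            datetime.fromisoformat(row["window_end"]),
        )
        changes.setdefault((row["vm"], row["action"]), []).append(window)
    return changes


def find_unapproved(audit_text, changes_text):
    """Return sensitive changes that no approved change window covers."""
    changes = load_changes(changes_text)
    findings = []
    for row in parse_rows(audit_text):
        if row["action"] not in SENSITIVE_ACTIONS:
            continue
        when = datetime.fromisoformat(row["timestamp"])
        windows = changes.get((row["vm"], row["action"]), [])
        if any(start <= when <= end for start, end in windows):
            continue  # covered by an approved ticket
        findings.append({
            "timestamp": row["timestamp"],
            "actor": row["actor"],
            "vm": row["vm"],
            "action": row["action"],
            # A ticket exists but the change fell outside its window,
            # or there is no ticket for this VM and action at all.
            "reason": "outside_window" if windows else "no_ticket",
        })
    return findings


if __name__ == "__main__":
    for f in find_unapproved(AUDIT_CSV, CHANGES_CSV):
        print(f["timestamp"], f["actor"], f["vm"], f["action"], f["reason"])
```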



RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
No, you don't that type of experience.

But when you have 1000 IT personnel, they can't all be AD people, or even 
domain admins.

Cheers
Ken

From: Joe Heaton [mailto:jhea...@etp.ca.gov]
Sent: Wednesday, 31 December 2008 2:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Wow, that's really compartmentalized... I dunno if I'd want to work somewhere 
that limits me that much as far as what I'm working with.  And yet, I'm sure if 
you apply for one of those positions, you are still required to have 10+ years 
experience, and expertise with Windows, Unix, mainframes, every desktop OS 
known to man, etc...

Joe Heaton
Employment Training Panel

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:14 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

I work for Avanade - we deal mostly with large enterprises (Global 500 type 
companies).

In those types of orgs the AD team is usually separate from Virtualisation 
(which is predominantly VMWare), which is again separate from the hardware 
components (network, security, storage). Even as a directory, AD is usually 
limited to the Wintel area, and most large orgs have significant investment in 
*nix, midrange/mainframe systems as well. The "source of truth" is generally 
other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so 
it's not really an  issue. In larger shops (once there isn't a predominance of 
Windows), and AD isn't "king", it starts to become something that needs to be 
dealt with in some way.

Cheers
Ken

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, 31 December 2008 12:31 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

That's an interesting point. Have you actually seen this in practice? What I 
mean is, in every shop I've been in, the virtualization group is composed of 
the same people who "hold the keys to the kingdom" anyway (AD admins, or 
Linux/UNIX admins). I've never seen a group brought in to manage the virtual 
environment that didn't already have that type of access.

YMMV



Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003


From: k...@adopenstatic.com [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2008-12-30 Thread Joe Heaton
Wow, that's really compartmentalized... I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc...

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 6:14 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from
Virtualisation (which is predominantly VMWare), which is again separate
from the hardware components (network, security, storage). Even as a
directory, AD is usually limited to the Wintel area, and most large orgs
have significant investment in *nix, midrange/mainframe systems as well.
The "source of truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant
overlap, so it's not really an  issue. In larger shops (once there isn't
a predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Wednesday, 31 December 2008 12:31 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

That's an interesting point. Have you actually seen this in practice?
What I mean is, in every shop I've been in, the virtualization group is
composed of the same people who "hold the keys to the kingdom" anyway
(AD admins, or Linux/UNIX admins). I've never seen a group brought in to
manage the virtual environment that didn't already have that type of
access. 

 

YMMV

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Most people have said "no" to question #2.

 

I would say that there is a definite impact. Your virtualisation team
are pretty much now an additional "god" in the organisation. For smaller
shops this isn't an issue. For bigger shops, or where
compliance/auditing/change control are important, then this is another
layer of people who have significant  privileges, who must be worked
into your change control process.

 

Cheers

Ken

 

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

1.   As long as the resources are available for the VM, then
transparent.  I know in the past that processors had to be in the same
family as well as the same brand for Vmotion but I heard that this has
changed with (ESX) update 3.  I don't know the details yet, so someone
please chime in here for clarification. 

2.   No

3.   Most environments will have both.  Shared for the lightweight
servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but
check with the vendors in question.  

 

Shook

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Great responses so far!  You've all given me even more to think about.

 

A few other questions:

 

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with
different HW impact the VM, or is it transparent?  

 

2.   Does Virtualization impact your domain security requirements in
any way?  

 

3.   NIC Utilization - Shared NICs or separate for each VM?

 

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

 

 

Thanks!

Re: Virtualization Questions - More Q's

2008-12-30 Thread S Conn.
On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer  wrote:
> Most people have said "no" to question #2.
>
>
>
> I would say that there is a definite impact. Your virtualisation team are
> pretty much now an additional "god" in the organisation. For smaller shops
> this isn't an issue. For bigger shops, or where compliance/auditing/change
> control are important, then this is another layer of people who have
> significant  privileges, who must be worked into your change control
> process.
>
>
>
> Cheers
>
> Ken
>


I don't see a lot of difference here between virtual environment vs physical.

A) The guest virtual machines have the same security as their physical
counterparts. (ie you still need a login/password to get into the
operating systems).  Same in a physical environment.  It's the same as
walking up to a KVM or logging into an IP KVM.
B) If you have access to the virtual environment, you could power off
the machines (reboot, etc).  It's the same if you have physical access
to the data center/server room/etc or access to a remote PDU (aka walk
up and press the off button on a machine).

The only difference is that you could change resource allocation, but
in a compliance/audit scenario, you're not accessing the actual data
or the guest OS itself, just the "box" itself.  Changing resources
does affect change control, but so would someone removing RAM out of a
physical box or adding a CPU.

I'm only speaking for VMWare here (since that's what I know and run),
but you can set up a lot of different levels of access in the virtual
environment.  You can group the machines, set administrators for those
groups, or break it down to only allow certain groups to have access
to certain machines.  For example, I myself have full access to the
entire network, but I only allow my programmers to have access to only
a couple of machines, and only restart ability to those.  When they
log in, all they see are their machines only.  Their only options are
console or power on/off/reboot, the same access they've had when the
servers were physical.  It ties into Active Directory, and you can
set groups to as much or as little access as you want.

I do agree, there are some security concerns that you'll need to
address, but virtualizing your servers won't give anyone any more
additional access to the machines over walking into the server room
IMO.


Seth



RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
I work for Avanade - we deal mostly with large enterprises (Global 500 type 
companies).

In those types of orgs the AD team is usually separate from Virtualisation 
(which is predominantly VMWare), which is again separate from the hardware 
components (network, security, storage). Even as a directory, AD is usually 
limited to the Wintel area, and most large orgs have significant investment in 
*nix, midrange/mainframe systems as well. The "source of truth" is generally 
other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so 
it's not really an  issue. In larger shops (once there isn't a predominance of 
Windows), and AD isn't "king", it starts to become something that needs to be 
dealt with in some way.

Cheers
Ken

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, 31 December 2008 12:31 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

That's an interesting point. Have you actually seen this in practice? What I 
mean is, in every shop I've been in, the virtualization group is composed of 
the same people who "hold the keys to the kingdom" anyway (AD admins, or 
Linux/UNIX admins). I've never seen a group brought in to manage the virtual 
environment that didn't already have that type of access.

YMMV



Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003


From: k...@adopenstatic.com [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2008-12-30 Thread Christopher Bodnar
That's an interesting point. Have you actually seen this in practice? What
I mean is, in every shop I've been in, the virtualization group is
composed of the same people who "hold the keys to the kingdom" anyway (AD
admins, or Linux/UNIX admins). I've never seen a group brought in to
manage the virtual environment that didn't already have that type of
access. 

 

YMMV

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003


From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Most people have said "no" to question #2.

 

I would say that there is a definite impact. Your virtualisation team are
pretty much now an additional "god" in the organisation. For smaller shops
this isn't an issue. For bigger shops, or where compliance/auditing/change
control are important, then this is another layer of people who have
significant  privileges, who must be worked into your change control
process.

 

Cheers

Ken

 

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

1.   As long as the resources are available for the VM, then
transparent.  I know in the past that processors had to be in the same
family as well as the same brand for Vmotion but I heard that this has
changed with (ESX) update 3.  I don't know the details yet, so someone
please chime in here for clarification. 

2.   No

3.   Most environments will have both.  Shared for the lightweight
servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but
check with the vendors in question.  

 

Shook

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Great responses so far!  You've all given me even more to think about.

 

A few other questions:

 

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with different
HW impact the VM, or is it transparent?  

 

2.   Does Virtualization impact your domain security requirements in
any way?  

 

3.   NIC Utilization - Shared NICs or separate for each VM?

 

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

 

 

Thanks!

RE: Virtualization Questions - More Q's

2008-12-30 Thread Andy Shook
Good point, Ken.  Thanks for chiming in...

Shook

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!

RE: Virtualization Questions - More Q's

2008-12-29 Thread Andy Ognenoff
> Correct but I was only thinking of the server licenses.  I am in an EDU
> environment where CALs are "free" under our agreement with Microsoft so I
> frequently forget about this and you caught me in a senior moment.

 

:) No problem. I just wanted to clear that up because in our situation we
actually did save money on OS licenses by virtualizing and we used VMware.  

 

To the OP: Check out these calculators to figure out what might be best for
your own environment:

 

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/calculator.mspx

 

It says it's for 2003 but it applies to 2008 as well.

 

 - Andy O. 

 

 



Re: Virtualization Questions - More Q's

2008-12-29 Thread Jon Harris
Correct but I was only thinking of the server licenses.  I am in an EDU
environment where CALs are "free" under our agreement with Microsoft so I
frequently forget about this and you caught me in a senior moment.

Jon

On Mon, Dec 29, 2008 at 11:11 AM, Andy Ognenoff wrote:

> > If you use Hyper-V and purchase the Enterprise license you get one
> > Physical machine license and 4 VM licenses, Data Center gets even better
> > but with VMware you get no licenses.
>
> That is not correct.  MS doesn't differentiate between an MS hypervisor and
> any other when it comes to the virtualization licenses allotted with
> Enterprise or Datacenter.
>
> http://www.microsoft.com/windowsserver2008/en/us/licensing-faq.aspx#virt
>
>
> 
> "Q. Do the virtualization licensing rights of Windows Server 2008 apply
> when
> used with non-Microsoft software virtualization technologies?
>
> A. Yes. The use rights apply regardless of the virtualization product being
> used. However, any non-Microsoft software virtualization technologies are
> not supported by Microsoft.
>
>
> 
>
>  - Andy O.
>
>
>
>

RE: Virtualization Questions - More Q's

2008-12-29 Thread Chad Leeper
As far as MS goes, you do get a break on licensing since they allow you to 
license by the socket.

> Great responses so far!  You've all given me even more to think about.
> 
>  
> 
> A few other questions:
> 
>  
> 
> 1.   From a DR perspective, or perhaps just for rebalancing the load
> on a host machine, how does moving from one host to another with
> different HW impact the VM, or is it transparent?  
> 
>  
> 
> 2.   Does Virtualization impact your domain security requirements in
> any way?  
> 
>  
> 
> 3.   NIC Utilization - Shared NICs or separate for each VM?
> 
>  
> 
> 4.   OS & App licensing - can we expect any reduction in licensing
> requirements?
> 
>  
> 
>  
> 
> Thanks!
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>
> 
>  
> 
> Roger Wright
> 
> Network Administrator
> 
> Evatone, Inc.
> 
> 727.572.7076  x388
> 
> _  
> 
>  
> 
> From: Andy Shook [mailto:andy.sh...@peak10.com] 
> Sent: Monday, December 29, 2008 9:52 AM
> To: NT System Admin Issues
> Subject: RE: Virtualization Questions
> 
>  
> 
> Roger,
> 
> Opinions on this will vary, however, my responses...
> 
>  
> 
> 1.   Yes.  Centralized storage that all hosts can see and access is
> a must for Vmotion/HA/DRS as well as backups.  Needs and budget will
> dictate, however, I would have local storage only for the host OS (ESX,
> etc.) and a SAN for all the VMs\vmdk files. 
> 
> 2.   Acceptance of a dedicated VM is growing.  I've personally run
> many, many (police academy joke, if you didn't get it) applications
> with no issues raised from the vendor, YMMV by vendor
> 
> 3.   Load and amount of data usually dictate this.  I've seen every
> mainstream app virtualized and dedicated server, here in the datacenter.
> 
> 4.   I would say load and functionality.  If you have ESX with
> HA/DRS, then I personally don't care where the VMs are just as long as
> they are up.  I have seen where shops will specify that a DC\GC has to
> stay on the same host as an Exchange server, as an example.  Forget
> everything you know about server provisioning.  In my experience,
> dedicated servers that were running with dual procs and 4GB of RAM ran
> wonderfully with a single core and 512MB in a VM environment.  This is
> one of the many, many (see above reference :)) beautiful things that
> virtualization brings to the table.  
> 
>  
> 
> Feel free to ping me off-list if I can help in any way.   
> 
>  
> 
> Shook
> 
>  
> 
> From: Roger Wright [mailto:rwri...@evatone.com] 
> Sent: Monday, December 29, 2008 9:30 AM
> To: NT System Admin Issues
> Subject: Virtualization Questions
> 
>  
> 
> Taking a look at the potential implementation of virtualization and have
> several questions:
> 
>  
> 
> 1.   Does/should utilization of a SAN have a direct impact on
> virtualization  decisions?  Is it better to go with local or SAN
> storage?
> 
> 2.   Do vendors who normally require a dedicated server accept a
> virtualized server as equivalent?
> 
> 3.   What type of servers (DB, Oracle, F&P, etc.) don't make good
> candidates for virtualization?  I would think that SQL/Oracle would
> probably be least recommended.
> 
> 4.   Is clustering still possible with VMs?
> 
> 5.   What kind of logic determines the best combination of
> host/guests?  IOW, is it recommended to put all F&P servers together on
> one host, or should it be a combination of F&P, DB, etc.?
> 
>  
> 
> TIA!
> 
>  
> 
>  
> 
>  
> 
> Roger Wright
> 
> Network Administrator
> 
> Evatone, Inc.
> 
> 727.572.7076  x388
> 
>   
> 
>  
> 
> _
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 


RE: Virtualization Questions - More Q's

2008-12-29 Thread Andy Ognenoff
>A. Yes. The use rights apply regardless of the virtualization product being
>used. However, any non-Microsoft software virtualization technologies are
>not supported by Microsoft.

And to clarify the support aspect of that statement, they are saying they
will not support the actual 3rd party virtualization software itself but if
it is a validated hypervisor, they will support the MS software running on
it.

See below for more info:

http://windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm

http://www.vmware.com/company/news/releases/svvp.html

 - Andy O.





Re: Virtualization Questions - More Q's

2008-12-29 Thread S Conn.
On Mon, Dec 29, 2008 at 9:57 AM, Andy Shook  wrote:
> 1.   As long as the resources are available for the VM, then
> transparent.  I know in the past that processors had to be in the same
> family as well as the same brand for Vmotion but I heard that this has
> changed with (ESX) update 3.  I don't know the details yet, so someone
> please chime in here for clarification.
>

According to my VCP study materials (version 3.5), the processors have
to be the same brand (AMD vs Intel) and the same "family".  This is
due to the (minor) differences in the instruction sets.  Now, things
like L2 cache, hyperthreading, number of cores, clock speeds, etc
don't matter since the guest OS is seeing a virtual CPU.  Vmotion only
cares about the instructions.  Now, there are a few caveats to this,
such as non-execute and whatnot, but that's not default.

Vmotion is only for transferring running machines with minimum
interruption.  Of course you could do cold migration to any other ESX
machine, where you turn off the guest before transferring.  When the
machine is off you can start it on other machines regardless of the
CPU constraints.  There are other constraints, mainly with the set up
of the individual ESX host.  If the guest has an active connection
with local resources, the internal networking is set up differently on
the target host, etc it can't be moved.

But most of that stuff is easy to overcome.  In my experience VMotion
works extremely well, usually the most drastic interruption I've seen
is one dropped ping.  Users don't even notice it being moved.

Seth
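
The rule described in Seth's message above, modeled as an added example (not part of the thread and not VMware's own compatibility check): a running guest can move only between hosts with the same CPU vendor, family and instruction flags, while cache size, core count and clock speed are ignored. The Linux /proc/cpuinfo-style input, the host samples, the function names and the `masked` parameter (standing in for the non-execute caveat) are assumptions.

```python
from dataclasses import dataclass

# Constructed samples in Linux /proc/cpuinfo style (an assumption; not real ESX output).
HOST_A = """\
vendor_id   : GenuineIntel
cpu family  : 6
model name  : Constructed CPU A
cpu MHz     : 2333.000
cache size  : 4096 KB
cpu cores   : 4
flags       : fpu sse sse2 ssse3 nx lm
"""
# Same vendor, family and flags as A; differs only in clock, cache and cores.
HOST_B = """\
vendor_id   : GenuineIntel
cpu family  : 6
model name  : Constructed CPU B
cpu MHz     : 3000.000
cache size  : 6144 KB
cpu cores   : 2
flags       : fpu sse sse2 ssse3 nx lm
"""
# Like A, but the non-execute (nx) flag is absent.
HOST_C = """\
vendor_id   : GenuineIntel
cpu family  : 6
cpu MHz     : 2333.000
flags       : fpu sse sse2 ssse3 lm
"""
# Different vendor and family, and no ssse3.
HOST_D = """\
vendor_id   : AuthenticAMD
cpu family  : 16
cpu MHz     : 2300.000
flags       : fpu sse sse2 nx lm
"""


@dataclass(frozen=True)
class CpuProfile:
    vendor: str
    family: str
    flags: frozenset


def parse_cpuinfo(text):
    """Keep only the fields that matter to a running guest: vendor, family, flags."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            # setdefault keeps the first processor entry if several are listed
            fields.setdefault(key.strip(), value.strip())
    missing = [k for k in ("vendor_id", "cpu family", "flags") if k not in fields]
    if missing:
        raise ValueError(f"cpuinfo is missing fields: {missing}")
    return CpuProfile(fields["vendor_id"], fields["cpu family"],
                      frozenset(fields["flags"].split()))


def live_migration_blockers(src, dst, masked=frozenset()):
    """Return the reasons a running guest cannot move from src to dst.

    Flags in `masked` are treated as hidden from the guest on both hosts.
    Any remaining flag difference blocks the move (a strict assumption of
    this model, so the guest could also be moved back later).
    """
    reasons = []
    if src.vendor != dst.vendor:
        reasons.append(f"vendor differs: {src.vendor} vs {dst.vendor}")
    if src.family != dst.family:
        reasons.append(f"family differs: {src.family} vs {dst.family}")
    src_flags, dst_flags = src.flags - masked, dst.flags - masked
    only_src = sorted(src_flags - dst_flags)
    only_dst = sorted(dst_flags - src_flags)
    if only_src:
        reasons.append("instructions only on source: " + " ".join(only_src))
    if only_dst:
        reasons.append("instructions only on destination: " + " ".join(only_dst))
    return reasons


def plan_move(src_text, dst_text, masked=frozenset()):
    """'live' when nothing blocks a running move, otherwise 'cold' (power off first)."""
    blockers = live_migration_blockers(parse_cpuinfo(src_text),
                                       parse_cpuinfo(dst_text), masked)
    return ("cold", blockers) if blockers else ("live", [])


if __name__ == "__main__":
    for name, dst in (("B", HOST_B), ("C", HOST_C), ("D", HOST_D)):
        print("A ->", name, plan_move(HOST_A, dst))
    print("A -> C with nx masked", plan_move(HOST_A, HOST_C, frozenset({"nx"})))
```
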



RE: Virtualization Questions - More Q's

2008-12-29 Thread Ziots, Edward
Also from a DR perspective, you might want to be looking into Site
Recovery Manager, and balancing your farm across 2 or more separate
sites in which you can fail the farm over to the other site and vice
versa, but a lot of planning needs to go on with that before you will
get to that point. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Monday, December 29, 2008 10:38 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

1) With VMotion it's transparent and the VM doesn't miss a beat

2) Not that I've seen

3) That's not a simple question to answer, it depends on the network
load of the VMs. If you're consolidating some infrequently-used machines
then shared NICs aren't a big deal, but if you're going to virtualize a
file server or an Exchange environment with a couple hundred people on
it it will be a VERY big deal.

4) Generally no. One of the exceptions is Server 2003 Enterprise and
Server 2008 Enterprise - if you use Hyper-V as your hypervisor each
Enterprise server license allows you to run 4 VMs.

Roger Wright wrote:
> 1.   From a DR perspective, or perhaps just for rebalancing the load
> on a host machine, how does moving from one host to another with
> different HW impact the VM, or is it transparent?
>
> 2.   Does Virtualization impact your domain security requirements in
> any way?
>
> 3.   NIC Utilization - Shared NICs or separate for each VM?
>
> 4.   OS & App licensing - can we expect any reduction in licensing
> requirements?
>
> Thanks!

RE: Virtualization Questions - More Q's

2008-12-29 Thread Ziots, Edward
Also don't forget you can use Vlan tagging of the traffic on the NIC's
to have more VLAN's go over 1 physical NIC in a Vswitch in VMware if you
are running out of Physical slots in your switches. It might be easier
to do, since you could always have failover (another Physical NIC with
the same tagged Vlan's) in case you have a physical Nic failure. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Phil Labonte [mailto:philfromw...@gmail.com] 
Sent: Monday, December 29, 2008 11:04 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

for #3
With ESX server you can do both or whatever you want. If you have
enough physical nic's you can dedicate a nic to each VM if you want or
if your VM will have high utilization.
Or you can share one nic across multiple VM's...

Phil

On Mon, Dec 29, 2008 at 10:32 AM, Roger Wright wrote:
> Great responses so far!  You've all given me even more to think about.
>
> A few other questions:
>
> 1.   From a DR perspective, or perhaps just for rebalancing the load on
> a host machine, how does moving from one host to another with different HW
> impact the VM, or is it transparent?
>
> 2.   Does Virtualization impact your domain security requirements in any
> way?
>
> 3.   NIC Utilization - Shared NICs or separate for each VM?
>
> 4.   OS & App licensing - can we expect any reduction in licensing
> requirements?
>
> Thanks!


RE: Virtualization Questions - More Q's

2008-12-29 Thread Andy Ognenoff
> If you use Hyper-V and purchase the Enterprise license you get one
> Physical machine license and 4 VM licenses, Data Center gets even better 
> but with VMware you get no licenses.

That is not correct.  MS doesn’t differentiate between an MS hypervisor and
any other when it comes to the virtualization licenses allotted with
Enterprise or Datacenter.

http://www.microsoft.com/windowsserver2008/en/us/licensing-faq.aspx#virt


"Q. Do the virtualization licensing rights of Windows Server 2008 apply when
used with non-Microsoft software virtualization technologies?

A. Yes. The use rights apply regardless of the virtualization product being
used. However, any non-Microsoft software virtualization technologies are
not supported by Microsoft.



 - Andy O.
 
 




Re: Virtualization Questions - More Q's

2008-12-29 Thread Phil Labonte
for #3
With ESX server you can do both or whatever you want. If you have
enough physical nic's you can dedicate a nic to each VM if you want or
if your VM will have high utilization.
Or you can share one nic across multiple VM's...

Phil

On Mon, Dec 29, 2008 at 10:32 AM, Roger Wright  wrote:
> Great responses so far!  You've all given me even more to think about.
>
>
>
> A few other questions:
>
>
>
> 1.   From a DR perspective, or perhaps just for rebalancing the load on
> a host machine, how does moving from one host to another with different HW
> impact the VM, or is it transparent?
>
>
>
> 2.   Does Virtualization impact your domain security requirements in any
> way?
>
>
>
> 3.   NIC Utilization – Shared NICs or separate for each VM?
>
>
>
> 4.   OS & App licensing – can we expect any reduction in licensing
> requirements?
>
>
>
>
>
> Thanks!


RE: Virtualization Questions - More Q's

2008-12-29 Thread Christopher Bodnar
1. Keep in mind there are some limitations with hardware in regards to
VMotion. Specifically related to CPU. They need to be "compatible". See
this to get more info:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1991

2. None that I am aware of.

3. You will be sharing NIC's. If you are doing HA and DRS, there is no way
to tie a specific VM to a NIC. I suggest as many NIC's in the host as
possible. In my last job the host ESX servers had the following hardware:

(4) Quad Core CPU's
128G RAM
(4) Quad Port NIC cards + the 2 onboard NICs
(2) Dual Port HBA cards

4. I think you can save on licensing with Hyper-V if you get the Data
Center version. Not sure about that. But in general licensing is not what
you save on in my experience.

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with different
HW impact the VM, or is it transparent?

2.   Does Virtualization impact your domain security requirements in
any way?

3.   NIC Utilization - Shared NICs or separate for each VM?

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

Thanks!


RE: Virtualization Questions - More Q's

2008-12-29 Thread Andy Shook
1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!







Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388
_

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Monday, December 29, 2008 9:52 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions

Roger,
Opinions on this will vary, however, my responses...


1.   Yes.  Centralized storage that all hosts can see and access is a must 
for Vmotion/HA/DRS as well as backups.  Needs and budget will dictate, however, 
I would have local storage only for the host OS (ESX, etc.) and a SAN for all 
the VMs\vmdk files.

2.   Acceptance of a dedicated VM is growing.  I've personally run many, 
many (police academy joke, if you didn't get it) applications with no issues 
raised from the vendor, YMMV by vendor

3.   Load and amount of data usually dictate this.  I've seen every 
mainstream app virtualized and dedicated server, here in the datacenter.

4.   I would say load and functionality.  If you have ESX with HA/DRS, then 
I personally don't care where the VMs are just as long as they are up.  I have 
seen where shops will specify that a DC\GC has to stay on the same host as an 
Exchange server, as an example.  Forget everything you know about server 
provisioning.  In my experience, dedicated servers that were running with dual 
procs and 4GB of RAM ran wonderfully with a single core and 512MB in a VM 
environment.  This is one of the many, many (see above reference :)) beautiful 
things that virtualization brings to the table.

Feel free to ping me off-list if I can help in any way.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 9:30 AM
To: NT System Admin Issues
Subject: Virtualization Questions

Taking a look at the potential implementation of virtualization and have 
several questions:


1.   Does/should utilization of a SAN have a direct impact on 
virtualization decisions?  Is it better to go with local or SAN storage?

2.   Do vendors who normally require a dedicated server accept a 
virtualized server as equivalent?

3.   What type of servers (DB, Oracle, F&P, etc.) don't make good 
candidates for virtualization?  I would think that SQL/Oracle would probably 
be least recommended.

4.   Is clustering still possible with VMs?

5.   What kind of logic determines the best combination of host/guests?  
IOW, is it recommended to put all F&P servers together on one host, or should 
it be a combination of F&P, DB, etc.?

TIA!



Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Re: Virtualization Questions - More Q's

2008-12-29 Thread Jon Harris
That would depend on which of the host systems you choose and how much money
you want to spend.

Not really but again it does depend on the host system.  I would prefer to
have the host outside the domain so that it is not looking for the domain on
booting.  VMware and Hyper-V support this.

Shared NIC's work but spend the money and get a dedicated NIC for each VM if
you can, way way better!

If you use Hyper-V and purchase the Enterprise license you get one Physical
machine license and 4 VM licenses, Data Center gets even better but with
VMware you get no licenses.

Jon

On Mon, Dec 29, 2008 at 10:32 AM, Roger Wright  wrote:

>  Great responses so far!  You've all given me even more to think about.
>
>
>
> A few other questions:
>
>
>
> 1.   From a DR perspective, or perhaps just for rebalancing the load
> on a host machine, how does moving from one host to another with different
> HW impact the VM, or is it transparent?
>
>
>
> 2.   Does Virtualization impact your domain security requirements in
> any way?
>
>
>
> 3.   NIC Utilization – Shared NICs or separate for each VM?
>
>
>
> 4.   OS & App licensing – can we expect any reduction in licensing
> requirements?
>
>
>
>
>
> Thanks!

Re: Virtualization Questions - More Q's

2008-12-29 Thread Phil Brutsche
1) With VMotion it's transparent and the VM doesn't miss a beat

2) Not that I've seen

3) That's not a simple question to answer, it depends on the network
load of the VMs. If you're consolidating some infrequently-used machines
then shared NICs aren't a big deal, but if you're going to virtualize a
file server or an Exchange environment with a couple hundred people on
it it will be a VERY big deal.

4) Generally no. One of the exceptions is Server 2003 Enterprise and
Server 2008 Enterprise - if you use Hyper-V as your hypervisor each
Enterprise server license allows you to run 4 VMs.

Roger Wright wrote:
> 1.   From a DR perspective, or perhaps just for rebalancing the load
> on a host machine, how does moving from one host to another with
> different HW impact the VM, or is it transparent? 
> 
>  
> 
> 2.   Does Virtualization impact your domain security requirements in
> any way? 
> 
>  
> 
> 3.   NIC Utilization – Shared NICs or separate for each VM?
> 
>  
> 
> 4.   OS & App licensing – can we expect any reduction in licensing
> requirements?
> 
>  
> 
>  
> 
> Thanks!
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>   
> 
>  
> 
> Roger Wright
> 
> Network Administrator
> 
> Evatone, Inc.
> 
> 727.572.7076  x388
> 
> _ 
> 
>  
> 
> *From:* Andy Shook [mailto:andy.sh...@peak10.com]
> *Sent:* Monday, December 29, 2008 9:52 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Virtualization Questions
>
> Roger,
>
> Opinions on this will vary, however, my responses…
>
> 1.   Yes.  Centralized storage that all hosts can see and access is
> a must for Vmotion/HA/DRS as well as backups.  Needs and budget will
> dictate, however, I would have local storage only for the host OS (ESX,
> etc.) and a SAN for all the VMs\vmdk files.
>
> 2.   Acceptance of a dedicated VM is growing.  I’ve personally run
> many, many (police academy joke, if you didn’t get it) applications
> with no issues raised from the vendor, YMMV by vendor.
>
> 3.   Load and amount of data usually dictate this.  I’ve seen every
> mainstream app virtualized and dedicated server, here in the datacenter.
>
> 4.   I would say load and functionality.  If you have ESX with
> HA/DRS, then I personally don’t care where the VMs are just as long as
> they are up.  I have seen where shops will specify that a DC\GC has to
> stay on the same host as an Exchange server, as an example.  Forget
> everything you know about server provisioning.  In my experience,
> dedicated servers that were running with dual procs and 4GB of RAM ran
> wonderfully with a single core and 512MB in a VM environment.  This is
> one of the many, many (see above reference :-) ) beautiful things that
> virtualization brings to the table.
>
> Feel free to ping me off-list if I can help in any way.
>
> Shook
> 
> *From:* Roger Wright [mailto:rwri...@evatone.com]
> *Sent:* Monday, December 29, 2008 9:30 AM
> *To:* NT System Admin Issues
> *Subject:* Virtualization Questions
> 
> Taking a look at the potential implementation of virtualization and have
> several questions:
>
> 1.   Does/should utilization of a SAN have a direct impact on
> virtualization decisions?  Is it better to go with local or SAN storage?
>
> 2.   Do vendors who normally require a dedicated server accept a
> virtualized server as equivalent?
>
> 3.   What type of servers (DB, Oracle, F&P, etc.) don’t make good
> candidates for virtualization?  I would think that SQL/Oracle would
> probably be least recommended.
>
> 4.   Is clustering still possible with VMs?
>
> 5.   What kind of logic determines the best combination of
> host/guests?  IOW, is it recommended to put all F&P servers together on
> one host, or should it be a combination of F&P, DB, etc.?
>
> TIA!
>
> Roger Wright
> Network Administrator
> Evatone, Inc.
> 727.572.7076  x388



-- 

Phil Brutsche
p...@optimumdata.com



RE: Virtualization Questions - More Q's

2008-12-29 Thread Roger Wright
Great responses so far!  You've all given me even more to think about.

 

A few other questions:

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with
different HW impact the VM, or is it transparent?

2.   Does Virtualization impact your domain security requirements in
any way?

3.   NIC Utilization - Shared NICs or separate for each VM?

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

 

 

Thanks!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388

 

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Monday, December 29, 2008 9:52 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions

 

Roger,

Opinions on this will vary, however, my responses...

1.   Yes.  Centralized storage that all hosts can see and access is
a must for Vmotion/HA/DRS as well as backups.  Needs and budget will
dictate, however, I would have local storage only for the host OS (ESX,
etc.) and a SAN for all the VMs\vmdk files.

2.   Acceptance of a dedicated VM is growing.  I've personally run
many, many (police academy joke, if you didn't get it) applications
with no issues raised from the vendor, YMMV by vendor.

3.   Load and amount of data usually dictate this.  I've seen every
mainstream app virtualized and dedicated server, here in the datacenter.

4.   I would say load and functionality.  If you have ESX with
HA/DRS, then I personally don't care where the VMs are just as long as
they are up.  I have seen where shops will specify that a DC\GC has to
stay on the same host as an Exchange server, as an example.  Forget
everything you know about server provisioning.  In my experience,
dedicated servers that were running with dual procs and 4GB of RAM ran
wonderfully with a single core and 512MB in a VM environment.  This is
one of the many, many (see above reference :-) ) beautiful things that
virtualization brings to the table.

Feel free to ping me off-list if I can help in any way.

 

Shook

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Monday, December 29, 2008 9:30 AM
To: NT System Admin Issues
Subject: Virtualization Questions

 

Taking a look at the potential implementation of virtualization and have
several questions:

1.   Does/should utilization of a SAN have a direct impact on
virtualization decisions?  Is it better to go with local or SAN
storage?

2.   Do vendors who normally require a dedicated server accept a
virtualized server as equivalent?

3.   What type of servers (DB, Oracle, F&P, etc.) don't make good
candidates for virtualization?  I would think that SQL/Oracle would
probably be least recommended.

4.   Is clustering still possible with VMs?

5.   What kind of logic determines the best combination of
host/guests?  IOW, is it recommended to put all F&P servers together on
one host, or should it be a combination of F&P, DB, etc.?

 

TIA!

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388

  

 
