Windows Server 2012 R2 Jumpstart
Agenda: Virtualization, Storage, Networking, Identity and Access
Networking: scale, multitenancy, cost
What is Software Defined Networking? Hyper-V Network Virtualization
[Diagram: Blue Corp and Yellow Corp each run SQL (10.1.1.1) and Web (10.1.1.2) in their own Customer Address space; on Hyper-V Host 1 and Hyper-V Host 2 these map to the Provider Addresses 192.168.1.10 through 192.168.1.13 on the datacenter network, governed by policy settings.]
• How IP address rewrite works
  • Maps each Customer Address (CA) to a unique Provider Address (PA)
  • Sends information in regular TCP/IP packets on the wire
• Benefits
  • Requires no upgrade of network adapters, switches, or network appliances
  • Can be deployed today without sacrificing performance
Hyper-V Network Virtualization
• Tenants with overlapping IP address ranges share the same physical network
• Policies enforced at host level using PowerShell or System Center Virtual Machine Manager
• DHCP servers can be part of the virtualized network to enable locally assigned IP addresses
• Supports guest clustering
[Diagram: Blue and Orange each see their own SQL Server (10.1.1.1) and Web (10.1.1.2) in the Customer Address space; what is really happening is that the VMs live on Hyper-V 1 (192.168.1.10) and Hyper-V 2 (192.168.2.12) in the 192.168.n.n Provider Address space.]
Network Virtualization Packet Flow: where is 10.10.10.11?
[Diagram: Blue1 (10.10.10.10) and Blue2 (10.10.10.11) on VSID 5001; the Network Virtualization policy table maps 10.10.10.11 to MAC 34:29:af:c7:d9:12, with Provider Addresses 192.168.2.10 (MACPA1) and 192.168.5.12 (MACPA2).]
• Where is 10.10.10.11?
• Blue1 sends an ARP packet to locate 10.10.10.11
• Hyper-V Switch broadcasts the ARP on VSID 5001
• Hyper-V Switch then broadcasts the ARP to the rest of the network, but it is intercepted by the NV Filter
• Note: the ARP is not broadcast on the physical network
• NV Filter checks its policy table and responds with Blue2's MAC
• NV Filter sends the ARP response back into the Hyper-V Switch and on to Blue1
Network Virtualization Packet Flow: sending a packet
• Blue1 constructs its packet for Blue2 and sends it to the Hyper-V Switch
• Hyper-V Switch attaches the VSID (5001)
• NV Filter checks whether Blue1 is allowed to contact Blue2, then constructs the GRE packet and sends it across the physical network (from 192.168.2.10 / MACPA1 to 192.168.5.12 / MACPA2)
• On the receiving host the opposite process takes place: the NV Filter strips GRE, pulls out the VSID, and passes the packet to the Hyper-V Switch, where the VSID is removed and the packet is sent to the Blue2 VM
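The two packet-flow slides above, as an added toy model (not Microsoft's code): the NV filter answers the tenant ARP from its policy table instead of broadcasting on the physical network, refuses traffic between addresses that are not both in the VSID, and wraps the tenant frame in an NVGRE header (GRE with key present, protocol 0x6558, the 24-bit VSID in the key field) for transit between Provider Addresses. The VSID, CA, PA and Blue2 MAC values are the slides' own; Blue1's MAC is a constructed sample.

```python
import struct

# Policy table: (VSID, customer address) -> (provider address, customer MAC).
# Blue1's MAC is a constructed sample; the other values come from the slides.
POLICY = {
    (5001, "10.10.10.10"): ("192.168.2.10", "00:15:5d:00:00:01"),
    (5001, "10.10.10.11"): ("192.168.5.12", "34:29:af:c7:d9:12"),
}
GRE_KEY_PRESENT = 0x2000   # GRE flags word: K bit set, version 0
PROTO_TEB = 0x6558         # Transparent Ethernet Bridging, as used by NVGRE

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def nv_arp_reply(vsid, target_ca):
    """NV filter intercepts the tenant ARP and answers from policy; unknown -> no reply."""
    entry = POLICY.get((vsid, target_ca))
    return entry[1] if entry else None

def nvgre_encap(vsid, src_ca, dst_ca, payload, flow_id=0):
    """Policy check, then outer (PA -> PA) plus GRE header carrying the VSID."""
    src = POLICY.get((vsid, src_ca))
    dst = POLICY.get((vsid, dst_ca))
    if src is None or dst is None:     # both endpoints must belong to this VSID
        raise PermissionError(f"VSID {vsid}: {src_ca} may not reach {dst_ca}")
    # Inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, tenant payload.
    inner = mac_bytes(dst[1]) + mac_bytes(src[1]) + struct.pack("!H", 0x0800) + payload
    # GRE key field = 24-bit VSID followed by an 8-bit flow id.
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, PROTO_TEB, (vsid << 8) | flow_id)
    return {"outer_src": src[0], "outer_dst": dst[0], "data": gre + inner}

def nvgre_decap(pkt):
    """Receiving host: strip GRE, recover the VSID, hand the inner frame onward."""
    flags, proto, key = struct.unpack("!HHI", pkt["data"][:8])
    if flags != GRE_KEY_PRESENT or proto != PROTO_TEB:
        raise ValueError("not an NVGRE packet")
    vsid = key >> 8
    inner = pkt["data"][8:]
    dst_mac = ":".join(f"{b:02x}" for b in inner[:6])
    return vsid, dst_mac, inner[14:]   # VSID, destination VM MAC, tenant payload
```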
Multi-tenant VPN Gateway
• Challenges
  • Hoster wants to provide isolated networks for tenant VMs with integral S2S VPN and NAT
  • Enterprises have virtualized networks split across different datacenters, or virtualized networks (NVGRE aware) communicating with physical networks (NVGRE unaware)
• Solution
  • Multi-tenant VPN gateway in Windows Server 2012 R2 Preview
  • Integral multitenant edge gateway for seamless connectivity
  • Guest clustering for high availability
  • BGP for dynamic route updates
  • Encaps/decaps NVGRE packets
  • Multitenant-aware NAT for Internet access
[Diagram: the gateway bridges between VM networks and physical networks; Fabrikam and Contoso reach their tenant networks (DNS, SQL, DC, SPS) over the Internet through the Multi-tenant VPN Gateway host on the Network Virtualization fabric.]
NIC Teaming
• Provides network fault tolerance and continuous availability when network adapters fail by teaming multiple network interfaces
• Supports all vendors in-box
• Facilitates local or remote management through Windows PowerShell or UI
• Enables teams of up to 32 network adapters
• Aggregates bandwidth from multiple network adapters
• Includes multiple modes: switch dependent and switch independent
[Diagram: operating system with virtual adapters bound to a team network adapter; 8 x 1Gb NICs give 8Gb throughput.]
Network fault tolerance with SMB Multichannel
• Automatic detection and use of multiple network connections between SMB client and server
• Helps server applications be resilient to network failure
• Transparent failover with recovery from network failure when another connection is available
• Improved throughput
  • Bandwidth aggregation through NIC Teaming
  • Multiple nodes/CPUs for network processing with RSS-capable network adapters
• Automatic configuration with very little administrative overhead
[Diagram: SMB client and SMB server, each with two NICs, with a file copy continuing over the network.]
Improved network performance through SMB Direct (RDMA)
• Higher performance through offloading of network I/O processing onto the network adapter
• Higher throughput with low latency and the ability to take advantage of high-speed networks (such as InfiniBand and iWARP)
• Remote storage at the speed of direct storage
• Transfer rate of around 50 Gbps on a single NIC port
• Compatible with SMB Multichannel for load balancing and failover
[Diagram: file client and file server stacks without RDMA (application, SMB client/server, transport protocol driver, NIC driver, NIC, with copies through app, SMB, OS, driver and adapter buffers) and with RDMA (application, SMB client/server, rNIC over iWARP or InfiniBand, adapter buffer to adapter buffer).]
Dynamic Virtual Machine Queue
Increased efficiency of network processing on Hyper-V hosts
• Without VMQ
  • Hyper-V Virtual Switch is responsible for routing and sorting packets for VMs
  • This leads to increased CPU processing, all focused on CPU0
• With VMQ
  • Physical NIC creates virtual network queues for each VM to reduce host CPU
• With Dynamic VMQ
  • Processor cores are dynamically allocated for a better spread of network traffic processing
[Diagram: three Hyper-V hosts with CPU0 to CPU3, showing the load without VMQ, with VMQ, and with DVMQ.]
Single Root I/O Virtualization (SR-IOV)
• VM traffic bypasses the virtual switch and performs I/O directly to the NIC
• Ideal for high I/O workloads that do not require port policies, QoS, or network virtualization enforced at the end-host virtual switch
• Most 10Gbps and in-box NICs are SR-IOV capable
• Benefits
  • Maximizes use of host system processors and memory
  • Reduces host CPU overhead for processing network traffic (by up to 50%)
  • Reduces network latency (by up to 50%)
  • Provides higher network throughput (by up to 30%)
  • Full support for Live Migration
[Diagram: the VM network stack has a Virtual Function and a Synthetic NIC; traffic flows directly from the VF to the SR-IOV NIC, bypassing the Hyper-V Extensible Switch.]
Highly Available DHCP Service
• Hot standby DHCP failover in a hub-and-spoke deployment
• Automatic DHCP failover based on the DHCP failover IETF spec
• Provides multi-site IP address continuity to clients by helping eliminate single points of failure
• Provides in-box support for failover, without the need for clustering
• Uses a failover setup consisting of two servers located in different geographic locations
• Includes active/active or active/passive behavior
• Simple provisioning and configuration of the DHCP server using PowerShell
• Load-sharing DHCP failover in a single site with a single subnet
IP Address Management (IPAM)
• Manages virtual address space in addition to physical address space
• Imports and exports network configurations automatically through a plugin for System Center Virtual Machine Manager
• Enables synchronization of Active Directory Sites and subnets information with IPAM
• Supports large-scale enterprise deployments
• Uses SQL Server to store IP address information
• Lets admins define user roles, access scope and access policy through role-based access control
[Architecture diagram: the IPAM Client (Windows 8.1) talks over WCF to the IPAM Server (Windows Server 2012 R2), which stores data in MS SQL Server (SQL 2008 R2 or SQL 2012) and connects to the VMM Server (System Center 2012 R2) through an integration plugin over PowerShell/WS-Management. Data collection tasks: server discovery, server configuration, address utilization, event collection, server availability, server monitoring, address expiry. Managed servers: DHCP (WS2012), DNS (WS08 R2 and SPs), DC (WS2012), NPS (WS2012). Role-based access control security groups: IPAM Administrator, IPAM ASM Administrator, IPAM MSM Administrator, IPAM Users, IPAM Audit Administrator, serving the Network Administrator, Fabric Administrator, System Administrator and Forensics Investigator personas.]
Identity and Access
Enabling IT to empower users
[Diagram callouts:]
• Users can enroll devices for access to the Company Portal for easy access to corporate applications
• IT can publish Desktop Virtualization (VDI) for access to centralized resources (VDI, Session host, RD Gateway)
• Users can work from anywhere on their device with access to their corporate resources
• IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity (Web Apps, LOB Apps, Files)
• IT can provide seamless corporate access with DirectAccess and automatic VPN connections (Remote Access)
• Users can register devices for single sign-on and access to corporate data with Workplace Join (Active Directory)
Effective working with Remote Access
• Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources
  • Cannot originate an admin connection from the intranet
• An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources
• With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present
  • Connection to the intranet is always active
  • Can originate an admin connection from the intranet
[Diagram: VPN and DirectAccess through the firewall to Session host, VDI, Web Apps, Files and LOB Apps.]
Remote Access Solutions
• PPTP (user-based)
• L2TP (user-based)
• SSTP (user-based)
• DirectAccess (computer-based)
What does DirectAccess do?
• Connects you to your corporate office no matter where you are: if you have Internet, you have corporate network access
• No visible VPN client
How does it do it?
• Combines multiple networking technologies
  • IPsec
  • IPv6
  • IP-HTTPS
  • NAT64/DNS64
  • Domain member configuration
  • Tunnels
  • Kerberos proxy or certificates
DirectAccess Improvements
• Deploy without internal IPv6 connectivity
• PKI deployment is not needed (Windows 8 or higher)
• New Kerberos Proxy and IP-HTTPS improvements
• Support for external NAT for the DA edge
DirectAccess client flow
• Client attempts to locate the Network Location Service (NLS) server
  • DNS query for DirectAccess-NLS.corp.domain.com
  • If the NLS is not found, assume DirectAccess is required
  • HTTP probe to check for availability
• Resolve the external DA name with external DNS
  • IPv4 (A) DNS query for da.domain.com
• Establish an IPsec tunnel to the DA endpoint
  • Connect to the external IP address of the DirectAccess server, validate certificates
• Authenticate the client computer
  • Using either Kerberos or certificate-based authentication
Expanded domain join capabilities
• Not Joined: user-provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information.
• Workplace Joined: registered devices are "known" and device authentication allows IT to provide conditional access to corporate information.
• Domain Joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.
Capabilities shown, from least to most integrated: browser session single sign-on, seamless 2-factor auth for web apps, enterprise apps single sign-on, desktop single sign-on.
Registering and Enrolling Devices
[Diagram callouts:]
• Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications
• Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud
• Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device
• As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device
• IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication
(Components: Active Authentication, ADFS, Web Application Proxy, Active Directory)
Publish access to resources with the Web Application Proxy
[Diagram callouts:]
• Published applications: AD-integrated (Office Forms Based Access, claims and Kerberos web apps, RESTful OAuth apps) and reverse proxy pass-through (e.g. NTLM and Basic based apps)
• Use conditional access for granular control over how and where the application can be accessed
• Users can access corporate applications and data wherever they are
• Active Directory provides the central repository of user identity as well as the device registration information
• IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication
(Components: ADFS, devices, Web Application Proxy, Active Directory, apps and data)
Make corporate data available to users with Work Folders
[Diagram callouts:]
• Active Directory discoverability provides users with the Work Folders location
• IT can configure a file server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management
• IT can selectively wipe the corporate data from Windows 8.1 clients
• Users can sync their work data to their devices. Users can register their devices to be able to sync data when IT enforces conditional access
• IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy
(Components: reverse proxy, Active Directory, devices, access policy, File Services, Web Application Proxy, domain-joined devices, apps and data)
Get started: Download Windows Server 2012 R2. Learn and expand. Act.
Extra Content
• Dynamic Access Control
  • Granting permissions by means of a central policy
  • Two key elements
    • 1 The classification of files
    • 2 Creating claims
• Certifications for Windows Server 2012 R2
  • MCSA (and Upgrade)
  • MCSE Server Infrastructure
  • MCSE Desktop Infrastructure
Protect data with Dynamic Access Control
• Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents
• Automatically identify and classify data based on content. Classification applies as files are created or modified
• Centrally manage access control and audit policies from Windows Server Active Directory
• Integration with Active Directory Rights Management Services provides automated encryption of documents
• File classification, access policies and automated Rights Management work against client-distributed data through Work Folders
(Components: Active Directory, File Services)
1 Data Classification
Data classification: identifying data
• Manual classification
• Classify data based on location inheritance
• Classify data automatically
Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
2 Central Access Policy
Expression-based access control
• Manage fewer security groups by using conditional expressions
• Central Access Policy
• Compound identity
Expression-based access conditions: flexible access control lists based on document classification and multiple identities. Centralized access control lists using Central Access Policies.
How Access Check Works
[Diagram: the share security descriptor holds the share permissions; the file/folder security descriptor holds the NTFS permissions and a Central Access Policy reference; the Central Access Policy definition and its Central Access Rules come from Active Directory and are cached in the local registry.]
• Access control decision:
  • Access check: share permissions, if applicable
  • Access check: file permissions
  • Access check: every matching Central Access Rule in the Central Access Policy
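The three-stage decision above (share permissions, then file permissions, then every Central Access Rule that targets the file's classification), as an added model of the decision logic; it is not Windows' AccessCheck code. The users, device claims, resource properties and the Impact=High rule are constructed samples.

```python
READ, WRITE = "Read", "Write"

def acl_allows(acl, user, want):
    """Classic ACE list: `want` must be granted to one of the user's groups
    and not explicitly denied to any of them (deny wins, as in NTFS)."""
    mine = [(kind, rights) for g, kind, rights in acl if g in user["groups"]]
    grants = {r for kind, rights in mine if kind == "allow" for r in rights}
    denies = {r for kind, rights in mine if kind == "deny" for r in rights}
    return want in grants and want not in denies

def rule_applies(rule, resource):
    """A Central Access Rule targets resources by classification property."""
    return all(resource.get(k) == v for k, v in rule["target"].items())

def rule_allows(rule, user, device, want):
    """Conditional expression over user claims and device claims."""
    return want in rule["rights"] and rule["condition"](user, device)

def access_check(user, device, resource, want):
    """Share ACL (if any), then NTFS ACL, then every matching rule; all must pass."""
    share_acl = resource.get("share_acl")
    if share_acl is not None and not acl_allows(share_acl, user, want):
        return False                                   # stage 1: share permissions
    if not acl_allows(resource["ntfs_acl"], user, want):
        return False                                   # stage 2: file permissions
    for rule in resource["cap"]:                       # stage 3: matching CARs
        if rule_applies(rule, resource) and not rule_allows(rule, user, device, want):
            return False
    return True

# Constructed sample: a policy rule for Impact=High files that requires a
# Finance department user claim and a managed-device claim.
HIGH_IMPACT_RULE = {
    "target": {"Impact": "High"},
    "rights": {READ, WRITE},
    "condition": lambda u, d: (u["claims"].get("Department") == "Finance"
                               and d["claims"].get("Managed") is True),
}
FINANCE_DOC = {
    "Impact": "High",
    "share_acl": [("Everyone", "allow", {READ, WRITE})],
    "ntfs_acl": [("Finance", "allow", {READ, WRITE}), ("Contractors", "deny", {WRITE})],
    "cap": [HIGH_IMPACT_RULE],
}
```

A classic ACE grant is necessary but not sufficient: the same user who can write from a managed device is refused on an unmanaged one by the rule alone.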
MCSA: Windows Server 2012
• Exam 410 Installing and Configuring Windows Server 2012 (MOC 20410, 5 days)
• Exam 411 Administering Windows Server 2012 (MOC 20411, 5 days)
• Exam 412 Configuring Advanced Windows Server 2012 Services (MOC 20412, 5 days)
• 410 + 411 + 412 = MCSA: Windows Server 2012
• Find a Learning Partner
MCSE: Server Infrastructure
• MCSA: Windows Server 2012
• Exam 413 Designing and Implementing a Server Infrastructure (MOC 20413, 5 days)
• Exam 414 Implementing an Advanced Server Infrastructure (MOC 20414, 5 days)
• MCSA: Windows Server 2012 + 413 + 414 = MCSE: Server Infrastructure (* requires recertification)
• Find a Learning Partner
MCSE: Desktop Infrastructure
• MCSA: Windows Server 2012
• Exam 415 Implementing a Desktop Infrastructure (MOC 20415, 5 days)
• Exam 416 Implementing Desktop Application Environments (MOC 20416, 5 days)
• MCSA: Windows Server 2012 + 415 + 416 = MCSE: Desktop Infrastructure (* requires recertification)
• Find a Learning Partner
Upgrade paths
• Any of the following certifications qualify:
  • MCSA: Windows Server 2008*
  • MCITP: Virtualization Administrator
  • MCITP: Enterprise Messaging Administrator
  • MCITP: Lync Server Administrator
  • MCITP: SharePoint Administrator
  • MCITP: Enterprise Desktop Administrator
• Qualifying certification + Exam 417 Upgrading Your Skills to MCSA Windows Server 2012 = MCSA: Windows Server 2012
• Then either or both:
  • + 413 Designing and Implementing a Server Infrastructure + 414 Implementing an Advanced Server Infrastructure = MCSE: Server Infrastructure
  • + 415 Implementing a Desktop Infrastructure + 416 Implementing Desktop Application Environments = MCSE: Desktop Infrastructure