08 May 2005

Build a Windows Server Farm with Virtual Server 2005 (Observation)

Got a Dell PowerEdge 6350 Server with dual CPU (550 MHz/512), 4Gb RAM from eBay recently. The idea is to create a development/testing environment that simulates an online transaction environment using this server machine. I install Windows 2003 Server (W2K3) on the physical machine, then use Microsoft Virtual Server 2005 to host a number of guest server OSes.

A Windows 2000 server (W2K) acts as the domain controller (DC). I use a spare laptop for this to avoid the chicken-and-egg problem (I will come to this point later). I found Daniel Petri has a very useful step-by-step guide on how to configure a domain controller.

All went well until I accidentally tripped over the charger and knocked the laptop to the ground. Fortunately my boss ‘lent’ me another laptop (PII 550MHz, 192Mb RAM). So I could reinstall the DC and have the host and guest OSes removed from and rejoined to the domain.

In retrospect on the entire exercise, I have the following points.

1 CPU Consideration
Virtual Server 2005 masks the actual hardware and simulates an IDE desktop machine with a single CPU. So using this Dell machine gains a benefit by balancing the guest OS process load across the two CPUs. A specific guest OS always runs on a single CPU.

This becomes a problem if you install W2K3 as a guest OS. As far as the hardware is concerned, a single-CPU emulation environment does not meet the minimum hardware requirements for W2K3. In fact, the installation process took so long that I had to abort it.

Nevertheless, having W2K3 as host OS is fine, because it can fully exploit both CPUs’ capacity. (MS Virtual Server 2005 is compatible with W2K3 only).

2 Virtual Hard Drive
To preserve hard drive space, I use a ‘Differencing Virtual Hard Disk’. The first thing to do after starting a guest OS that is built on a child virtual hard disk is to use the Microsoft sysprep tool to give it a new system identity.

In retrospect, I should have made the parent virtual hard disk bigger. A child disk is sized based on the size of its parent. So if the parent disk is 3Gb, the child disk is also 3Gb. The W2K OS takes about 2Gb of space. After running sysprep on the child disk, its VHD file dynamically grows to 1.2Gb – not a lot of space remained.

In this situation you can attach a secondary virtual hard drive to the guest OS in question. It is just convenient to have a bigger primary drive so that Windows installations can go into the default ‘C:\Program Files’ folder.

3 Network Interface Card (NICs) and connections

The Dell server comes with two NICs and two onboard NICs (not used at the moment). To maximize performance throughput they are configured as follows:

Card 1/Connection 1 is dedicated to the guest virtual network, so all guest OSes use this NIC to participate in the domain network. On the host OS, all network protocols bound to this NIC are removed, leaving only Virtual Machine Network Services checked. On each guest OS, TCP/IP is bound and assigned a unique static IP address.

Card 2/Connection 2 is designed for handling the network traffic of the host server. It has TCP/IP enabled but Virtual Machine Network Services unbound.

Connection 3 is a loop-back adapter for handling file sharing and other network traffic between guest and host systems without having them travel externally.

Connections 1 and 3 need to be added to the virtual server to create two virtual networks (Note 1). Also check Note 2 on how to configure the loop-back adapter for file sharing or other host-guest network traffic.

Virtual Server emulates these NICs/connections in the guest systems. In my configuration, they are all called ‘Intel 21140 Based PCI Fast Ethernet Adapter’. Virtual Server generates a dynamic MAC address for each NIC on each guest OS (Note 3). This is of course different from the physical MAC address.

It is very easy to get confused about which NIC is for what purpose. So I would suggest making a note of the dynamic MAC addresses before configuring TCP/IP in the guest OS.

If more NICs are added via the Virtual Server Administration website, you can run a hardware scan/update on the guest OS to pick them up, as you would normally do on a real machine.

4 Domain Controllers
There are a few options available when it comes to where to place the domain controller in this garage network. Microsoft’s Running a Domain Controller in Virtual Server 2005 gives a step-by-step guide on network planning for a virtual server environment, with the following scenarios.
1) Domain controller on host OS, application servers on guest OS.
2) Domain controller on guest OS, application servers on host OS.
3) Both domain controller and application servers are on guest OS.

The article gives credit to solution 3. It creates a pure virtual network. It has a clearly defined network boundary, with performance taken into consideration.

In my opinion, solution 1 degrades the virtual server performance. Virtual Server requires IIS 6 to be running for administration via a web site. Having the domain controller and IIS running on the same server degrades IIS.

Solution 2 has application servers on the host OS. Excuse me, but having the guest OS run the application server is what you wanted originally, isn’t it?

There is also a chicken-and-egg problem. Solutions 2 and 3 require the domain controller to be installed on a guest OS. This is not a very good option for my situation. The Dell server is placed in the conservatory and accessed via a remote desktop (terminal services in admin mode) connection from the study room over a wireless connection.

If I install the DC in a virtual server, I must stay in the conservatory and wait for the host to boot up, then launch the guest OS (it can be set to launch automatically, though). The host server cannot participate in this domain, which may cause problems in the future: for instance, file sharing issues when more virtual machines need to be configured, or if the virtual network requires a W2K3 server, such as for Microsoft BizTalk Business Activity Service Monitoring. BAS requires SharePoint services, and SharePoint can only be deployed on W2K3.

So I decided to configure an old laptop as the DC and remove one guest OS from the virtual server. This helps to offload some CPU and memory load from the host as well. It looked like this:



5 Virtual Server Administration Website user authentication
The steps discussed here need to be re-applied if the host/guest OSes have their domain membership changed (Note 4).

On accessing the VS admin site, it is likely you will be challenged by an Internet security pop-up window, or the website will prompt you for valid credentials. If you are sure the username and password are correct and they are not accepted, it is likely that the user has not been granted access to the admin website.

There are two things here. First, we should allow IE to send the NT credentials automatically. Then we need to grant the user access to the Virtual Server admin site.

1) Add the admin site to the Local Intranet category via the Internet Options Security tab. Then click the ‘Custom Level…’ button on the Security tab. The Security Settings window pops up. Scroll to the bottom of the settings, where there is an option – ‘User Authentication Logon’. Make sure either ‘Automatically logon only in Intranet Zone’ or ‘automatically logon with current username and password’ is selected.

2) Browse to the admin site and log on as a local administrator. Click on Virtual Server Server Properties in the left navigation column, then click on ‘Virtual Server Security’. Then add domain users to the list.

6 Terminal Services and Remote Access
Normally you will access a guest OS via a remote desktop connection. This is supported by terminal services on W2K3 and W2K servers (Note 5).
Again, the steps discussed here need to be re-applied if the host/guest OSes have their domain membership changed.

The problem occurs when you remotely access a guest OS with a non-administrator NT account: on successful login it displays the error message ‘You Do Not Have Access to Logon to This Session’ and you are thrown out.

To get over this problem, you need to grant remote access permission to the users/groups via Terminal Services Configuration on each guest OS.

For details, see Microsoft knowledge base article 224395.

  • Note 1 This is done via the Virtual Server Administration website. There should be an existing one, ‘Internal Virtual Network’, which deploys DHCP and enables virtual machines to see each other.
  • Note 2 Loop-back adapter configuration (from vs.chm, the guide that accompanies Virtual Server 2005)

    1. On the host operating system, open Network Connections, right-click the local area connection for Microsoft Loopback Adapter, and then select Properties.
    2. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine Network services check box is selected.
    3. Click Internet Protocol (TCP/IP), and then click Properties.
    4. On the General tab, click Use the following IP address, and then type the IP address and subnet mask (such as 192.168.1.1 and 255.255.255.0).

    Important
    You can use any Transmission Control Protocol/Internet Protocol (TCP/IP) address, but it is best to choose one from a reserved range of non-routable TCP/IP addresses. For example, TCP/IP addresses of the form 192.168.x.y, where x is a value from 0 through 255 and y is a value from 1 through 254, are non-routable. The value you choose for x must be the same on the host operating system and each guest operating system that is to be part of this virtual network. If your primary Ethernet connection uses one of these non-routable addresses, you must choose a different value for x to assign to Microsoft Loopback Adapter.

    5. Click OK, and then click Close.

    Notes
    · To perform this procedure, you must be an administrator or a member of the Administrators group.
    · To set up multiple network connections using Microsoft Loopback Adapter, use different subnets.
    · Do not set a value for Default gateway.

  • Note 3 The dynamic MAC addresses for a guest OS can be found on its configuration page on the Virtual Server Administration website, by following the link ‘Network Adapters’.
  • Note 4 In my case, the domain controller was unrecoverable and had to be reinstalled and configured on a replacement laptop. Though I use the same domain name, the Active Directory is essentially different from the previous one. So all domain members need to drop their existing memberships and rejoin the domain.
  • Note 5 You need to obtain a license if you use terminal services in application mode. To use it in administration mode you don’t need a license and can have up to two concurrent connections.
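
The addressing rules in Note 2 (same x on host and guests, a different x from the primary Ethernet connection, a separate subnet per loopback network, no default gateway) can be checked before any adapter is configured. This is an added example, not part of the original post or the Virtual Server guide; the function names, the plan layout and the sample addresses are assumptions, and a 255.255.255.0 mask is assumed throughout.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def subnet24(ip):
    # Assumption: every adapter uses mask 255.255.255.0, as in Note 2's example.
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def check_loopback_plan(primary_ip, loopback_nets):
    """Return a list of rule violations; an empty list means the plan is OK."""
    problems = []
    primary = subnet24(primary_ip)   # subnet of the host's primary Ethernet NIC
    used = {}                        # subnet -> loopback network that claimed it
    for name, plan in loopback_nets.items():
        members = [plan["host"]] + plan["guests"]
        net = subnet24(plan["host"])
        for ip in members:
            addr = ipaddress.ip_address(ip)
            if not any(addr in r for r in RFC1918):
                problems.append(f"{name}: {ip} is not in a non-routable range")
            if (int(addr) & 0xFF) in (0, 255):
                problems.append(f"{name}: {ip} has a host part outside 1-254")
            if subnet24(ip) != net:
                problems.append(f"{name}: {ip} is not on the host's subnet {net}")
        if len(set(members)) != len(members):
            problems.append(f"{name}: duplicate address in plan")
        if net == primary:
            problems.append(f"{name}: {net} collides with the primary Ethernet subnet")
        if net in used:
            problems.append(f"{name}: {net} already used by {used[net]}")
        used.setdefault(net, name)
        if plan.get("gateway"):
            problems.append(f"{name}: default gateway must be left empty")
    return problems

# Constructed sample plans (not from the original post).
GOOD = {"host-guest": {"host": "192.168.10.1",
                       "guests": ["192.168.10.11", "192.168.10.12"],
                       "gateway": None}}
BAD = {"host-guest": {"host": "192.168.1.1",
                      "guests": ["192.168.2.11", "192.168.1.255"],
                      "gateway": "192.168.1.254"},
       "backup": {"host": "192.168.1.2", "guests": [], "gateway": None}}

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_loopback_plan("192.168.1.20", plan) or "OK")
```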