WS-011 Windows Server 2019 Administration

Uploaded by rafaladmin

WS-011 Windows Server 2019 Administration

© Copyright Microsoft Corporation. All rights reserved.

Module 5: Hyper-V virtualization and containers in Windows Server

Module overview

In this module, you learn the key features of the Hyper-V server role in Windows Server. You learn how to configure Hyper-V networking, storage, and how to manage the state of a virtual machine. You also learn how to secure the Hyper-V host and associated virtual machines using security features within a guarded fabric provided by Windows Server.
The final lessons of this module introduce you to the concept of using and managing containers.

▪ Lessons:
o Lesson 1: Hyper-V in Windows Server
o Lesson 2: Configuring VMs
o Lesson 3: Securing virtualization in Windows Server
o Lesson 4: Containers in Windows Server
o Lesson 5: Overview of Kubernetes
Lesson 1: Hyper-V in Windows Server

Hyper-V in Windows Server

In this lesson, you learn how to use Hyper-V to implement virtualization. You also learn best practices for configuring Windows Server hosts, and considerations related to deployment scenarios such as nested virtualization.

Finally, you will learn considerations, requirements, and processes for migrating on-premises Hyper-V virtual machines to Microsoft Azure.

▪ Topics:
o Overview of Hyper-V
o Overview of Hyper-V Manager
o Best practices for configuring Hyper-V hosts
o Overview of nested virtualization
o Migration to Azure VMs
Overview of Hyper-V (1 of 2)

▪ Hyper-V is a hardware virtualization server role available for Windows Server
▪ Provides a software layer known as the Hypervisor, used to control access to physical hardware
▪ Supports many types of guest operating systems including:
o All supported Windows versions
o Linux
o FreeBSD
▪ General Hyper-V features can be grouped as follows:
o Management and connectivity
o Portability
o Disaster recovery and backup
o Security
o Optimization
Overview of Hyper-V (2 of 2)

▪ System requirements for installing the Hyper-V server role include:
o A 64-bit processor with second-level address translation (SLAT)
o A processor with VM Monitor Mode extensions
o Sufficient memory
o Intel Virtualization Technology (Intel VT) or Advanced Micro Devices (AMD) Virtualization (AMD-V) enabled
o Hardware-enforced Data Execution Prevention (DEP) enabled (Intel Execute Disable (XD) bit, AMD No Execute (NX) bit)
▪ Methods to install the Hyper-V server role include:
o Server Manager
o Install-WindowsFeature PowerShell cmdlet

Overview of Hyper-V Manager

▪ A graphical user interface used to manage both local and remote Hyper-V host machines
▪ Supports:
o Previous versions
o Web Services (WS)-Management protocol
o Alternate credential support
▪ Other management tools include:
o Windows PowerShell
o PowerShell Direct
o Windows Admin Center

Best practices for configuring Hyper-V hosts

▪ Consider the following when provisioning Windows Server as a Hyper-V host:
o Provision the host with adequate hardware
o Deploy virtual machines on separate disks, solid state drives, or Cluster Shared Volumes (CSVs) if using shared storage
o Do not collocate other server roles
o Manage Hyper-V remotely
o Run Hyper-V by using a Server Core configuration
o Run the Best Practices Analyzer and resource metering
o Use Generation 2 virtual machines if the guest operating system supports them
Overview of nested virtualization

▪ Provides the ability to install the Hyper-V role within a guest virtual machine
▪ Requirements:
o Both the Hyper-V host and the guest virtual machine must be Windows Server 2016 or later
o Sufficient amount of static RAM
o Virtual machines must have a configuration version of 8.0 or greater
o Physical host computer must have an Intel processor with VT-x and Extended Page Tables (EPT) technology
o MAC address spoofing enabled

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
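
The requirements listed above, checked and applied in one pass for a single VM. This is an added example, not part of the course material; the function name Enable-NestedVirtualization and the VM name SEA-NESTED1 are assumptions.

```powershell
# Added example (not from the course). Run in an elevated session on the Hyper-V host.
function Enable-NestedVirtualization {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$VMName
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Requirement: configuration version 8.0 or greater.
    # Update-VMVersion is a one-way upgrade, so it is reported here, not run.
    if ([version]$vm.Version -lt [version]'8.0') {
        throw "VM '$VMName' is configuration version $($vm.Version); run Update-VMVersion first."
    }

    # Processor settings can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before changing processor settings."
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Enable nested virtualization')) {
        # Expose the processor virtualization extensions to the guest.
        Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

        # Requirement: static RAM, so dynamic memory is turned off.
        Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false

        # Requirement: MAC address spoofing, so frames from nested guests can leave
        # this VM's adapter. This relaxes an anti-spoofing control on the virtual
        # switch port, so set it only on VMs that will actually host nested guests.
        Get-VMNetworkAdapter -VMName $VMName |
            Set-VMNetworkAdapter -MacAddressSpoofing On
    }

    # Report the resulting state so the change can be reviewed or logged.
    [pscustomobject]@{
        VMName                         = $VMName
        ConfigurationVersion           = $vm.Version
        ExposeVirtualizationExtensions = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
        DynamicMemoryEnabled           = (Get-VMMemory -VMName $VMName).DynamicMemoryEnabled
        MacAddressSpoofing             = (Get-VMNetworkAdapter -VMName $VMName).MacAddressSpoofing -join ','
    }
}

# SEA-NESTED1 is a placeholder name. -WhatIf previews the change and still prints the current state.
Enable-NestedVirtualization -VMName 'SEA-NESTED1' -WhatIf
```
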
Migration to Azure VMs

▪ Azure Migrate can be used to migrate on-premises workloads, apps, and virtual machines
▪ Azure Migrate provides the following benefits:
o A single migration platform
o Assessment and migration tools
• Azure Migrate: Server Assessment
• Azure Migrate: Server Migration
o Ability to assess and migrate multiple object types:
• Servers
• Databases
• Web applications
• Virtual desktops
• Data
Lesson 1: Check your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 2: Configuring VMs

Configuring VMs

In this lesson, you learn the concepts related to virtual machine configurations and generation versions. You also learn VM settings, storage options, and virtual disk types. Finally, you learn about the types of virtual networks and how to create and manage a virtual machine.

▪ Topics:
o VM configuration and generation versions
o VM settings
o Storage options in Hyper-V
o Virtual hard disk formats and types
o Shared VHDX and VHD Set files
o Overview of Hyper-V networking
o Networking features for Hyper-V
o Manage VM states and checkpoints
o Import and export VMs
o Demonstration: Create and manage a VM
VM configuration and generation versions

▪ VM configuration version identifies:
o Compatibility of the VM components with the version of Hyper-V installed on the host machine
o Windows Server 2019 host machines support configuration version 9.0
o To update a configuration version, use the following command:
• Update-VMVersion <vmname>
▪ Generation 1 VMs:
o Support 32-bit and 64-bit operating systems
o Only support boot volumes up to a maximum of 2 TB
o Support legacy BIOS
▪ Generation 2 VMs:
o Support only 64-bit operating systems
o Support Secure Boot and shielded VMs
o Support boot volumes up to a maximum of 64 TB
o Support Unified Extensible Firmware Interface (UEFI)
VM settings

▪ VM settings are grouped into two main areas:
o Hardware
o Management
▪ Available hardware components depend on the generation version of the VM

[Figure: Generation 1 settings; Generation 2 settings]
Storage options in Hyper-V

▪ Consider the following factors when planning storage for virtual hard disks:
o High-performance connection to storage
o Redundant storage
o High-performance storage
o Adequate growth space
▪ Supported storage types include:
o Fibre channel connections
o Server Message Block (SMB) 3.0 file shares

Virtual hard disk formats and types (1 of 2)

▪ Virtual hard disk formats include:
o VHD
• Up to 2040 GB in size
• Typically used to support older Hyper-V versions
o VHDX:
• Up to 64 TB in size
• Recovery from corruption issues
• Supports larger block size resulting in increased performance
▪ Use the Edit Virtual Hard Disk Wizard to convert between hard disk formats
▪ Various tools can be used to create and manage virtual hard disks:
o Hyper-V Manager
o Disk Management/Diskpart
o PowerShell (New-VHD)
o Windows Admin Center

Virtual hard disk formats and types (2 of 2)

Type of disk | Description
Fixed | Allocates all of the hard disk space immediately
Dynamic | The disk only uses the amount of space that needs to be allocated, and it grows as necessary
Differencing | Associated with another virtual hard disk in a parent-child configuration. Any changes made to the differencing disk do not affect the parent disk.
Pass through | Allows the virtual machine to connect directly to an Internet Small Computer Systems Interface (iSCSI) logical unit number (LUN) or a physical disk attached on the host machine
Shared VHDX and VHD Set Files

[Figure: Virtual machine cluster node 1; Virtual machine cluster node 2; Shared VHDX or VHD Set (VHDS)]

Overview of Hyper-V networking

▪ Hyper-V supports the following virtual network adapter types:
o Legacy network adapter
o Synthetic network adapter
▪ Hyper-V supports three types of virtual switches:

Virtual switch type | Description
External | Used to map a network to a specific network adapter or network adapter team. Provides external access outside of the host machine.
Internal | Used to communicate between the virtual machines on a host server and to communicate between the virtual machines and the host itself
Private | Used to only communicate between virtual machines on a Hyper-V host
Networking features for Hyper-V (1 of 2)

[Diagram: Hyper-V networking features]
o VMQ
o NIC teaming
o Port mirroring
o IPsec task offloading
o Router guard
o SR-IOV
o DHCP guard
o Network virtualization
o Bandwidth management
Networking features for Hyper-V (2 of 2)

[Diagram: Hyper-V networking features]
o SET
o RDMA
o VMMQ
o Converged network adapters
o NAT virtual switch
Manage VM states and checkpoints

▪ A VM can be in one of the following states:
o Off
o Starting
o Running
o Paused
o Saved
▪ Checkpoints:
o Allows you to take a snapshot of a virtual machine at a specific point in time
o Two types of checkpoints
• Production checkpoints
• Standard checkpoints
o Maximum of 50 checkpoints per virtual machine allowed
Import and export VMs

▪ When importing a VM you have three options:
o Register the virtual machine in-place (use the existing unique ID)
o Restore the virtual machine (use the existing unique ID)
o Copy the virtual machine (create a new unique ID)
▪ Export options:
o Export a specific checkpoint
o Export a virtual machine with all checkpoints
Demonstration: Create and manage a VM

▪ Configure a Hyper-V virtual switch
▪ Create a virtual hard disk
▪ Create a virtual machine
▪ Manage Virtual Machines using Windows Admin Center
Lesson 2: Check your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 3: Securing virtualization in Windows Server

Securing virtualization in Windows Server

Hyper-V supports the concept of a guarded fabric to provide a more secure environment for virtual machines.
In this lesson, you are introduced to the concept of implementing a guarded fabric, including the Host Guardian Service, guarded host servers, and shielded virtual machines.

▪ Topics:
o Guarded fabric
o Attestation modes for guarded fabric
o Host Guardian Service
o Types of protected VMs in a guarded fabric
o General process for creating shielded VMs
o Process for powering on shielded VMs
Guarded fabric (1 of 2)

▪ A security solution used to protect virtual machines against:
o Inspection
o Theft
o Tampering from either malware or malicious intent
▪ Security benefits of a guarded fabric include:
o Secure and authorized Hyper-V hosts
o Verification that a host is in a healthy state
o Providing a secure method to release keys to healthy hosts
Guarded fabric (2 of 2)

▪ Guarded fabric is made up of the following components:
o Guarded Hyper-V hosts
o Host Guardian Service
o Shielded or encryption-supported virtual machines
▪ Tools used to automate and manage a guarded fabric:
o System Center Virtual Machine Manager (VMM)
o Windows Azure Pack
o PowerShell
Attestation modes for guarded fabric

▪ Guarded fabric attestation is the process of evaluating and validating the Hyper-V host

Attestation mode: Trusted Platform Module (TPM)-trusted attestation
• Hardware-based attestation method offering the strongest protection but does require a more complex configuration and higher host hardware requirements
• Requirements include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled
• A guarded Hyper-V host is approved and validated based upon its TPM identity, Measured Boot sequence, and code integrity policies

Attestation mode: Host key attestation
• Based upon asymmetric key pairs
• Used when existing Hyper-V host machines do not support TPM 2.0
• A guarded Hyper-V host is approved and validated based upon possession of the key
Host Guardian Service

▪ Host Guardian Service includes:
o Attestation service
o Key Protection Service (KPS)
▪ Helps to ensure:
o Protected VMs contain BitLocker encrypted disks
o Shielded VMs are deployed from trusted template disks and images
o Passwords and other secrets are protected when a shielded VM is created
o Control of where the shielded VM can be started
Types of protected VMs in a guarded fabric

▪ A guarded fabric is capable of running:
o Shielded VMs
o Encryption-supported VMs
o Normal VMs

Capability | Encryption-supported | Shielded
Secure boot | Yes, required but configurable | Yes, required and enforced
Virtual TPM | Yes, required but configurable | Yes, required and enforced
Encrypt VM state and live migration traffic | Yes, required but configurable | Yes, required and enforced
Integration components | Configurable by fabric admin | Certain components blocked such as PowerShell Direct (enabled in Windows Server v1803), and data exchange
Virtual machine connection, HID devices (keyboard, mouse) | On, cannot be disabled | Enabled for hosts starting at Windows Server v1803; Disabled on earlier hosts
COM/Serial ports | Supported | Disabled (cannot be enabled)
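
An audit of the capabilities in the table above, per VM, together with the host's attestation state. This is an added example, not part of the course material; the function names Get-VMProtectionReport and Get-HostAttestationSummary are assumptions, as is the rule used to label a VM "Encryption-supported" (virtual TPM on, shielding off).

```powershell
# Added example (not from the course). Run in an elevated session on a Hyper-V host.
function Get-VMProtectionReport {
    [CmdletBinding()]
    param()

    foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VM $vm -ErrorAction SilentlyContinue

        # Secure Boot is a Generation 2 (UEFI) setting; Get-VMFirmware fails on
        # Generation 1 VMs, so it is skipped for them.
        $secureBoot = if ($vm.Generation -eq 2) {
            [string](Get-VMFirmware -VM $vm).SecureBoot
        } else {
            'n/a (Generation 1)'
        }

        # Labelling rule assumed by this example:
        #   Shielded flag set            -> Shielded
        #   vTPM on, Shielded flag clear -> Encryption-supported
        #   otherwise                    -> Normal
        $type = if ($sec.Shielded) {
            'Shielded'
        } elseif ($sec.TpmEnabled) {
            'Encryption-supported'
        } else {
            'Normal'
        }

        [pscustomobject]@{
            VMName                   = $vm.Name
            Generation               = $vm.Generation
            ProtectionType           = $type
            SecureBoot               = $secureBoot
            VirtualTpm               = [bool]$sec.TpmEnabled
            EncryptStateAndMigration = [bool]$sec.EncryptStateAndVmMigrationTraffic
        }
    }
}

function Get-HostAttestationSummary {
    # Get-HgsClientConfiguration (HgsClient module) reports whether this host
    # has attested to the Host Guardian Service and in which mode.
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        IsHostGuarded          = $cfg.IsHostGuarded
        AttestationMode        = $cfg.AttestationOperationMode
        AttestationStatus      = $cfg.AttestationStatus
        AttestationServerUrl   = $cfg.AttestationServerUrl
        KeyProtectionServerUrl = $cfg.KeyProtectionServerUrl
    }
}

Get-HostAttestationSummary | Format-List

# VMs that carry none of the guarded-fabric protections are listed first.
Get-VMProtectionReport |
    Sort-Object { @('Normal', 'Encryption-supported', 'Shielded').IndexOf($_.ProtectionType) } |
    Format-Table -AutoSize
```
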
General process for creating shielded VMs

1. Create a shielded VM template disk
• VHDX disk type
• Globally Unique Identifiers (GUID) partition table
• 2 partitions
• NTFS file system
• Supported OS
• OS must be generalized
• BitLocker encrypted
• Shielded Template Disk

2. Create a shielded data file
• Also called a provisioning data file (PDK)
• Shielding Data File Wizard

3. Deploy a shielded VM
Deploy using:
• System Center Virtual Machine Manager (SCVMM)
• Windows Azure Pack
• PowerShell
Process for powering on shielded VMs
Lesson 3: Check your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 4: Containers in Windows Server

Containers in Windows Server

By using container technology, you can package, provision, and run applications across diverse environments located on-premises or in the cloud.
In this lesson, you are introduced to the concept of preparing and using Windows containers.

▪ Topics:
o What are containers?
o Containers vs. virtual machines
o Overview of container isolation modes
o Manage containers using Docker
o Download container base images
o Run a Windows container
o Manage containers using Windows Admin Center
o Demonstration: Deploy containers by using Docker
What are containers?

▪ Benefits of using containers:
o Ability to run anywhere; local workstation, servers, or provisioned in the cloud
o Isolation
o Increased efficiency
o A consistent development environment
Containers vs. virtual machines (1 of 2)
Containers vs. virtual machines (2 of 2)
Overview of container isolation modes

▪ Process Isolation:
o “Traditional” isolation mode
o Containers share the same kernel with each other and the host
o Each container has its own user mode
o Does not provide security-enhanced isolation
o Uses the following switch when starting a container using Docker:
--isolation=process

▪ Hyper-V Isolation:
o Each container runs inside of a highly optimized virtual machine
o Each container gains its own kernel and an enhanced level of stability and security
o Also provides hardware-level isolation between each container and the host
o Uses the following switch when starting a container using Docker:
--isolation=hyperv
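
A check of which running containers share the host kernel, using the two switches above. This is an added example, not part of the course material; the function name Get-ContainerIsolation and the container names iso-process and iso-hyperv are assumptions.

```powershell
# Added example (not from the course). Requires the docker CLI on the container host.
function Get-ContainerIsolation {
    [CmdletBinding()]
    param()

    # Daemon-wide default, used when a container was started without --isolation.
    $daemonDefault = docker info --format '{{.Isolation}}'

    foreach ($id in (docker ps --quiet)) {
        $line   = docker inspect --format '{{.Name}}|{{.Config.Image}}|{{.HostConfig.Isolation}}' $id
        $fields = $line -split '\|'

        # An empty value or "default" means the daemon default applies.
        $requested = $fields[2]
        $effective = if ([string]::IsNullOrEmpty($requested) -or $requested -eq 'default') {
            $daemonDefault
        } else {
            $requested
        }

        [pscustomobject]@{
            Container        = $fields[0].TrimStart('/')
            Image            = $fields[1]
            Requested        = $requested
            Effective        = $effective
            # Process isolation shares the host kernel; Hyper-V isolation does not.
            SharesHostKernel = ($effective -eq 'process')
        }
    }
}

# Image tag as used on this page. For process isolation the image version must
# match the host operating system version, so adjust the tag to the host build.
$image = 'mcr.microsoft.com/windows/nanoserver:1903'

# Start the same image under each isolation mode (container names are placeholders).
docker run -d --name iso-process --isolation=process $image ping -t localhost
docker run -d --name iso-hyperv  --isolation=hyperv  $image ping -t localhost

# Containers that share the host kernel are listed first.
Get-ContainerIsolation |
    Sort-Object SharesHostKernel -Descending |
    Format-Table -AutoSize
```
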
Manage containers using Docker (1 of 2)

▪ Docker container:
o Application wrapped in a complete file system including:
• Code
• Runtime
• System tools
• Supporting files for the app
o Based upon open standards to run on all major operating systems
o Supports any runtime environment or infrastructure; on-premises or in the cloud
▪ Docker core platform includes:
o Docker Engine
• Runs on Linux, macOS, or Windows-based operating systems
o Docker Client
• Command line interface to integrate with the engine
• Runs commands to build and manage Docker containers
Manage containers using Docker (2 of 2)

▪ To install Docker on Windows Server:
1. Install the Docker-Microsoft PackageManagement Provider:
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
2. Install the latest version of Docker:
Install-Package -Name docker -ProviderName DockerMsftProvider
3. May require a restart if the Containers Windows Server feature is also installed
▪ To support Docker on Windows 10:
o Install the Docker Desktop
• Provides a toolset used to build and distribute containerized apps
▪ Docker Hub
o A web-based library server used to register, store, and manage Docker images
o A community resource with access to over 100,000 shared container images
Download container base images

▪ Container base image:
o Provides a foundational layer of operating system services for a container
o Includes user mode operating system files to support apps
o Includes runtime files and dependencies required by the app
o Use the docker pull command to download images
docker pull mcr.microsoft.com/windows/nanoserver:1903
▪ Four primary container images are available:
o Windows Server Core
• Subset of Windows Server APIs and support for traditional .NET Framework apps
o Nano Server
• Support for the .NET Core APIs
o Windows
• Includes the full Windows API set
o Windows IoT Core
• Built to support IoT apps that run on ARM or x86/x64 processors
Run a Windows container

▪ Methods used to create, manage, and run containers include:
o Automation using a Dockerfile text file and the docker build process
o Manually using Docker commands. Examples:

Command | Description
docker images | Lists the installed images on your container host
docker run | Creates a container by using a container image
docker commit | Commits the changes you made to a container to a new container image
docker stop | Stops a running container
docker rm | Removes an existing container

Manage containers using Windows Admin Center

▪ Windows Admin Center:
o Browser-based GUI used to manage Windows servers, clusters, and hyper-converged infrastructure
o Requires the Containers extension:
• Summary
• Containers
• Images
• Networks
• Volumes
Demonstration: Deploy containers by using Docker

▪ Install Docker on Windows Server
▪ Download and run a Windows container
▪ Use Windows Admin Center to manage containers
Lesson 4: Check your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 5: Overview of Kubernetes

Overview of Kubernetes

Kubernetes is open-source orchestration software used to efficiently deploy, manage, and scale containers in a hosted environment.
In this lesson, you are introduced to the concept of Kubernetes and its benefits for managing container technology.

▪ Topics:
o What is Windows container orchestration?
o Overview of Kubernetes on Windows
o Deploy Kubernetes resources
What is Windows container orchestration?

▪ Container orchestration involves the following tasks:
o Scheduling
o Affinity/Anti-affinity
o Health monitoring
o Failover
o Scaling
o Networking
o Service discovery
o Coordinated application upgrades
▪ Types of orchestration tools:
o Kubernetes
o Docker Swarm
o Apache Mesos
Overview of Kubernetes (1 of 2)

▪ Based upon cluster technology where a centralized Master/Control plane is responsible for scheduling and managing components located on multiple nodes within the cluster
Overview of Kubernetes (2 of 2)

▪ Kubernetes Pods:
o A workload consisting of one or more containers dispersed throughout multiple worker nodes within the cluster
▪ Includes information about the shared storage, network configuration, and specification on how to run its packaged containers
▪ Defined as Pod Templates
Deploy Kubernetes resources

1. Create a Kubernetes master
• Linux operating system
• Kubeadm used to initialize the master and manage cluster nodes

2. Configure network solution
• Used to create routable cluster subnets
• Linux CNI plugin
• Flannel, ToR, OvS, OVN

3. Join worker nodes
• Windows Server
• Linux

4. Manage Kubernetes resources
• Kubectl used to deploy and manage Kubernetes pods

Cloud services such as Azure Kubernetes Service (AKS) reduce many of the challenges of manually configuring Kubernetes clusters by providing a hosted Kubernetes environment.
Lesson 5: Check your knowledge

Refer to the Student Guide for lesson-review questions


Instructor-led labs: Implementing and configuring virtualization in Windows Server

▪ Create and configure VMs
▪ Install and configure containers
Lab: Implementing and configuring virtualization in Windows Server

▪ Exercise 1: Create and Configure VMs
▪ Exercise 2: Install and configure containers

Sign-in information for the exercise(s):

▪ Virtual machines:
o WS-011T00A-SEA-DC1
o WS-011T00A-SEA-ADM1
o WS-011T00A-SEA-SVR1
▪ Username: Contoso\Administrator
▪ Password: Pa55w.rd
Lab scenario

Contoso is a global engineering and manufacturing company with its head office in Seattle,
USA. An IT office and data center are in Seattle to support the Seattle location and other
locations.
Contoso recently deployed a Windows Server 2019 server and client infrastructure.
Due to many physical servers being currently underutilized, the company plans to expand
virtualization to optimize the environment. Because of this, you decide to perform a proof of
concept to validate how Hyper-V can be used to manage a virtual machine environment.
Also, the Contoso DevOps team wants to explore container technology to determine whether
it can help reduce deployment times for new applications and simplify moving
applications to the cloud. You plan to work with the team to evaluate Windows Server
containers and to consider providing Internet Information Services (Web services) in a
container.
Lab-review questions

1. In Exercise 1, you created a Hyper-V virtual switch as a Private Network. Describe the
impact to your virtual network by using this type of virtual switch.
2. In Exercise 2, which command did you use to browse the Docker base images from the
online repository?
Lab-review answers

1. In Exercise 1, you created a Hyper-V virtual switch as a Private Network. Describe the
impact to your virtual network by using this type of virtual switch.
• Answer: The Private Network only allows communication between virtual machines
running on the host machine.
2. In Exercise 2, which command did you use to browse the docker base images from the
online repository?
• Answer: Docker search Microsoft
Module-review questions

1. Which of the following are requirements for installing the Hyper-V server role? Choose two.
2. You plan to enable nested virtualization on a Hyper-V host. What do you need to do to
ensure that the nested VM can route to external destinations?
3. Which of the following are true for considerations when implementing a Host Guardian
service? Choose two.
4. Which of the following are requirements for creating a shielded template disk? Choose
two.
5. You download a container base image. When you attempt to create and run a container
using the base image, you get an error message that relates to incompatibility with the
host machine. What should you do?
6. Which of the following can be used as worker nodes in a Kubernetes cluster? Choose two.
Module-review answers

1. Which of the following are requirements for installing the Hyper-V server role? Choose two.
• Answer: A 64-bit processor, Intel VT or AMD-V enabled
2. You plan to enable nested virtualization on a Hyper-V host. What do you need to do to ensure that the nested
VM can route to external destinations?
• Answer: Enable MAC address spoofing
3. Which of the following are true for considerations when implementing a Host Guardian service? Choose two.
• Answer: A new Active Directory forest is created dedicated to the Host Guardian Service; The Host Guardian
Service uses certificates for signing and encryption tasks
4. Which of the following are requirements for creating a shielded template disk? Choose two.
• Answer: A basic disk; Must be generalized
5. You download a container base image. When you attempt to create and run a container using the base image,
you get an error message that relates to incompatibility with the host machine. What should you do?
• Answer: Download a new container base image that matches the version of operating system installed on
the host machine
6. Which of the following can be used as worker nodes in a Kubernetes cluster? Choose two.
• Answer: Windows Server 2019; Linux
Thank you.

© Copyright Microsoft Corporation. All rights reserved.
