I am referring to the Microsoft white paper 'Running Domain Controllers in
Virtual Server 2005'
(http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en)
for guidance. I am especially concerned about security of the VPC domain
controllers, as other admins will have access to the host servers, and I
don't want them taking offline copies of the DC VHD files. This would be a
show-stopper security risk. The original v1.0 (April 2004) of the white
paper stated "Use Encrypting File service (EFS) to encrypt the .vhd image.
This encryption results in an approximately 5% decrease in performance for
the domain controller that is running in the virtual machine." I also saw a
TechEd 2005 presentation on Virtual Server solutions for branch offices,
which gave similiar advice. This would be a perfect solution to my problem.
However, the later version of the same WP (2.0, November 2004) does not
mention the EFS option. I can't find a single other reference anywhere for
or against this option. Is it still supported? Is it advisable? Why was
this advice dropped? I can imagine taking quite a hit in terms of host CPU
and VPC I/O performance. Do I have any other real alternatives?
--
Andre Keartland
Inobits Consulting
I've experimented with VHDs on EFS (and EFS in VHDs). I can agree with the
5% performance hit.
On consumer class hardware I've seen this as bad as 20%, but personally I
think this is because of poor disk subsystem.
I guess one thing you could try is SYSKey to store your accounts DB on
separate VHD/VFD media (KB 310105) and encrypt that?
Never really thought about it until now.
I've seen a recent reference to support and EFS for VHDs. I will have a
look around and see what I can find.
HTH
---- Original Clip ----
"Andre Keartland" <AndreKe...@discussions.microsoft.com> wrote in
message news:B735EE8F-149F-4AE1...@microsoft.com...
I think your idea of splitting out the EDB into a seperate EFS-encrypted VHD
while keeping the OS VHD unencrypted makes a lot of sense on a certain level.
Although someone will be able to steal the OS VHD, there's not much they can
do with it without Dir.edb. I think a significant portion of the VPC I/O
will be page file, boot disk, etc. - leaving this unencrypted should reduce
the strain. The only danger this may introduce, is that someone could take a
copy of the OS VHD, hack into it (e.g. logging on in Directory Services
Restore Mode) then happily copying the AD data out of the encrypted disk.
Harder than with no encryption, but still feasible.
I wonder why Microsoft pulled the EFS guidance? Was there some hidden
pitfall? It would be great if someone from MS could comment.
--
Andre Keartland
Inobits Consulting
---- Original Clip ----
"Andrew Dugdell" <andrew @virtualserver.tv> wrote in message
news:uer5bkdM...@TK2MSFTNGP12.phx.gbl...
I also couldn't find any KB articles stating the support status of this
configuration. However, I did come across this article (below) in the
Virtual Server Technical Reference. It seems to be current, as it references
Windows Server 2003 R2, and it clearly states that EFS for VHDs is a
deployment option for added security:
"Virtual Server security and other Windows technologies"
http://technet2.microsoft.com/WindowsServer/en/Library/99cffde7-11a5-4c01-9a03-2405c7ead7541033.mspx
Encrypting File System (EFS). For added security, you can implement EFS on
the host operating system as well as guest operating systems that are running
Windows Server 2003 operating systems. The most efficient way to implement
EFS on all of the guest operating systems is to implement it on the host
operating system instead. This requires fewer system resources, and conveys
the benefits to all resident guest operating systems.
Product(s): Windows Server 2003,Windows Server 2003 R2,Windows Server 2003
with SP1
Andre Keartland
Inobits Consulting
· The test system was a desktop class PC (P4 2.4 Hyperthreading, 2 GB
RAM, single IDE disk) so lower spec than what I am looking to run in
production (small server with dual P4, 2 GB RAM, SCSI disks). The host and
VPC ran Windows Server 2003 SP1 and we user Virtual Server 2005 R2. No
significant optimization was done on either host or guest, although we did
load the Virtual Server Additions in the guest. I used separate NICs for
host and virtual machine network connections.
· The virtual machine used a single VHD file connected to a virtual IDE
bus, although I would use virtual SCSI in production.
· We used scripts to simulate a workload of approx. 900 NTLM logons per
second, plus some object create/modify/delete operations and LDAP queries.
Simultaneously we ran some batch file copy jobs against shared folders on the
host, to simulate file server load. The cumulative load was far heavier than
will reasonably be experienced on the planned servers, where branch sites are
all < 150 users.
· Test results showed barely a 5% increase in host CPU utilization when
running at peak load, by comparison to the same load where the VPC was
unencrypted. Either way we couldn’t get the CPU load beyond 45-50% on
average. There was no discernable increase in CPU load on the guest VPC when
using EFS. Disk and memory utilization on the host increased negligibly
after the VHD was encrypted. There was no noticeable degradation of host or
guest performance/responsiveness after the VHD was encrypted.
· I did notice that host CPU utilization spiked when a VPC with EFS
encrypted VHD was started or shut down. I can only assume this was due to
the requirement to initially decrypt the file when it was first opened, then
encrypt information stored in memory back to the file when shutting down the
guest VPC. This made guest startup and shutdown take slightly longer,
although not significantly so.
· Disk utilization on the host system was heavy, as can be expected with
the load described. This was probably the biggest performance constraint on
performance. To optimize a system running Virtual Server, the first priority
must probably be to design an adequate disk sub-system. I recommend using
fast SCSI disks; stay away from RAID-5 (use RAID-1 or RAID-0+1 if you need
fault tolerance); place virtual machines VHDs on separate disks from the host
OS, apps and page-file; use virtual SCSI controllers for VHDs. After this
make sure the server has adequate RAM. CPU capacity is probably the least
important factor affecting Virtual Server performance. Having separate
network adapters for your virtual machine traffic is also a good idea.
· In order to get the VPC to start, I had to configure the Virtual
Server service to run using a service account. This account was then given
access to the EFS-encrypted file, under Advanced EFS options. The same
account was also configured to auto-start the VPC.
All in all, I think the performance impact was quite acceptable. Unless
something comes up, e.g. Microsoft telling me this scenario is now officially
unsupported, I plan to use EFS for all my DCs running on Virtual Server.
--
Andre Keartland
Inobits Consulting
---- Original Clip ----
"Andre Keartland" <AndreKe...@discussions.microsoft.com> wrote in
message news:0C6F1604-1D63-414B...@microsoft.com...
Was this crazy manual reg change every reboot/startup the only way to do
this? More details would be greatly appreciated. Thanks for the effort!
Scott
There is a little more info further down in the thread A copy of the
snippet is here:
http://blogs.virtualserver.tv/blogs/dugie/archive/2006/03/07/SUMMARY_EFS_encryption_of_VHD_files_for_virtual_Domain_Controllers.aspx
> In order to get the VPC to start, I had to configure the Virtual Server
> service to run using a service account.
> This account was then given access to the EFS-encrypted file, under
> Advanced EFS options.
> The same account was also configured to auto-start the VPC
Let me know if this helps, if not I have some notes from own experiences I
have been meaning to clean up and post
---- Original Clip ----
"Scott P." <Sco...@discussions.microsoft.com> wrote in message
news:64BF89CC-E700-4E87...@microsoft.com...
Thanks for your help though.
Any notes may be a good idea to help clarify for others.
Scott