One of the fantastic things about using a virtualized environment for your key servers is that you get Disaster Recovery, Ransomware resilience and Backup in one solution
I have used Hyper-V as the virtualization platform but VMware, Virtualbox, KVM and others can also be used.
Replication involves maintaining a live copy of the virtual machines on a second physical server. The capability is built into Windows Server. The replica server is updated at intervals as short as 30s. In the event of a physical failure of one server, failover to the replica server is quick and easy.
You can also run backups of the virtual machines on the main server so that you can restore a machine to a particular (last good) point in time in the event that the files are corrupted – for example by Ransomware. Veeam and Altaro and others provide good products for this.
The easiest way to use Microsoft Hyper-V is to purchase 2 licenses for Windows Server 2019 standard and deploy this on two computers – the primary server and the replica server. The replica server can be lower spec hardware and is to be used temporarily if there is a physical fault in the primary server. This also gives the right to have two virtual installations of windows 2019 for say domain controller and main medical software server.
This is a relatively expensive solution – the two licenses together are over AUD 3000. If you have an existing domain controller there is a cheaper but much more difficult way to do it.
Microsoft Hyper-V server is a free product which runs on the bare metal and it is possible to configure replication on the platform.
Computers have Network Interface Controllers (NICs) which are either cards or part of the motherboard. The NIC has a level 2 address (the MAC address which is hard coded from the manufacturer)
Used as a physical computer, we will assign to the NIC a layer 3 address – the IP address.
When we use the physical computer as a virtualization host it is a bit different. In this scenario, the NIC is assigned to a software program known as a virtual switch. This software program functions just like a physical layer 2 switch. The host will then have software based virtual NICs for itself and for each virtual guest machine with different MAC addresses. And it is these virtual NICs which will be assigned a layer 3 IP address.
It is possible to segment the network by having the virtual hosts on a different network subnet (layer 3) and/or broadcast domain (layer 2) to the guests. This provides very strong isolation of the host machines to malware running on the general computer network.
Best practice to achieve this isolation is to have the host machines connected with a separate physical NIC to their own broadcast domain and subnet and to have the virtual guests connected to the virtual switch (on the host) and to not have any host virtual NIC connected to the switch. This means a minimum of 2 physical NICs in the host computer
This seems at first a silly question. But to understand what a virtualized computer is, it is first necessary to understand what we are virtualizing.
A computer consists of
- Network adapter
- Hard drives
- Operating system – in this case Windows
- Drivers – little bits of code to connect the Hardware with the Operating system
- Applications that run within the operating system
The idea of virtualization is that a physical computer – the host which has all of these features has in addition software known as a hypervisor.
The hypervisor can be set up to emulate hardware – it can synthesize all of the hardware mentioned above so that an operating system can be installed to this synthesized (virtualized) computer known as the guest
In essence ,the guest is simply a configuration file, and a virtual hard drive file. The hardware is now just an xml file and the c drive is just a single file on the host. The host can have many guests – ultimately limited by the quality and quantity of host hardware and the load of each guest.
It should be obvious that a Windows 2016 server on physical hardware will be faster than a Windows 2016 virtual guest running on a Windows 2016 virtual host. The performance penalty for this scenario is however small but rapidly increases with increasing numbers of guests on a single host.
There are many advantages though of a virtualized environment – especially when considering disaster recovery.