Only IT geniuses can jump into the deployment of VMware Server on Microsoft Server 2003 without doing some homework. If they're that smart, however, they'll realize that installing this free virtualization platform correctly can be as complex as calculating pi.
Part one of this series offered basic guidelines and a brief look at how VMware Server works. Moving right along, this installment reveals the important components and services within VMware Server and how to prepare the host servers. Future segments cover Windows installation, VMware Server security and more.
Components of VMware Server
So, let's look at the most important components of VMware Server, which include user accounts and groups, services and executables.
User accounts and groups
VMware Server creates a user account on the server called "__vmware_user__" when it is installed. This account seems to be a holdover from the GSX days and appears to have been supplanted by the VMware Authorization Service.
VMware Server also creates a group on the server called "__vmware__". "__vmware_user__" is a member of this group. Members of this group have the "SE_INTERACTIVE_LOGON" user right that enables them to log on locally. This is a good group to use to grant non-administrative accounts the ability to remotely connect to the VMware Server.
VMware Server has the following service components:
The VMware Authorization Service is what listens for incoming connections from local and remote VMware Server Console applications. It listens on port 902 for these incoming connections. The service also authenticates users.
The VMware DHCP Service serves IP addresses to VMs on the server that are NAT'd or on private networks.
The VMware NAT Service is what allows VMs on the NAT'd networks to communicate with the public Internet.
The VMware Registration Service is used to stop and start VMs and manage their connections.
VMware-cmd.exe can be used to control VMware Server and the VMs from the command line. To learn more about this command, type the following at a command prompt: "%ProgramFiles%\VMware\VMware Server\vmware-cmd.exe". More information on this command can also be found at www.vmware.com/support/developer.
VMware-vmx.exe is the process that hosts the actual VMs. The security context in which this command is run is very important and will be discussed later.
Management user interface
Now deprecated in VMware VI3, the MUI is a way to interact with the VMware Server via a Web browser. It is accessible via HTTP at http://%HOSTNAME%:8222/ and HTTPS at https://%HOSTNAME%:8333/. SSL is enforced by default.
Preparing the host server
Before beginning, unplug the server's ethernet cables from their network ports. Most servers get hacked because they are installed in an unsecured state. Secure the server off the network and then restore its network connectivity at a later time.
If the server only has one network port, it helps to install a PCI ethernet card to provide an additional network port. This will allow for a private management network interface and a public network interface for the virtual machines.
Many of the steps to facilitate a private management network interface are discussed later in this document under the RDP, Firewall and VMware sections, but one step is possible at this time: choose one of the server's available NICs and patch its ethernet cable into a private network. The network does not even need to have access to the public Internet; its sole purpose is to provide the server administrator with access to the server.
If for some reason this cannot be accomplished, do not worry; it is still possible to create a private management network interface using the tools that Windows provides. A true, physical, private network is just a nice added layer of security.
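The listeners named earlier (port 902 for the VMware Authorization Service, 8222 and 8333 for the MUI) are what a private management interface is meant to keep off the public network. As an added example, not code from this article or from VMware, the following Python script parses `netstat -an` output and reports the address each of those ports is listening on; the management subnet 10.10.10.0/24 and the sample output are constructed assumptions.

```python
import ipaddress

# Ports named in this article: 902 (VMware Authorization Service),
# 8222 (MUI over HTTP), 8333 (MUI over HTTPS).
VMWARE_PORTS = {902: "VMware Authorization Service",
                8222: "MUI (HTTP)", 8333: "MUI (HTTPS)"}

# Assumption: the private management network; not a value from the article.
MGMT_NET = ipaddress.ip_network("10.10.10.0/24")

# Constructed sample of `netstat -an` output from a dual-homed host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    10.10.10.5:8333        0.0.0.0:0              LISTENING
  TCP    192.0.2.20:8222        0.0.0.0:0              LISTENING
  TCP    10.10.10.5:902         10.10.10.9:1067        ESTABLISHED
"""

def audit_listeners(netstat_text, mgmt_net=MGMT_NET):
    """Return (port, service, local_ip, verdict) for each VMware listener."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in the LISTENING state have exactly these four fields.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        ip_text, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit() or int(port_text) not in VMWARE_PORTS:
            continue
        port = int(port_text)
        ip = ipaddress.ip_address(ip_text.strip("[]"))  # tolerate [::] form
        if ip.is_unspecified:
            verdict = "all interfaces: restrict with a firewall rule"
        elif ip in mgmt_net:
            verdict = "management network only"
        else:
            verdict = "exposed on a non-management address"
        findings.append((port, VMWARE_PORTS[port], ip_text, verdict))
    return findings

if __name__ == "__main__":
    for port, service, ip, verdict in audit_listeners(SAMPLE):
        print(f"{port:<5} {service:<30} {ip:<15} {verdict}")
```

On a real host, save the output of `netstat -an` to a file and pass its contents to `audit_listeners` in place of the constructed sample.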
An oft-overlooked part of configuring an application is its disk I/O requirements. More often than not, slow disk access is the culprit when it comes to errors with VMs rather than the usual suspects of CPU and memory.
One way to ensure the best possible disk I/O is to properly configure the server's RAID containers. The number of disks available to the server should determine the RAID configuration. Here is a handy list that you can use:
- 2 disks - 1 container, RAID-1 (mirror)
- 3 disks - 1 container, RAID-1 with hotspare
- 4 disks - 1 container, RAID-10
- 5 disks - 1 container, RAID-10 -OR- 2 containers, RAID-1 (system), RAID-1 with hotspare (data)
RAID-5 was not used, because although it is popular, there is a performance penalty for computing parity on every write.
While everyone has their own RAID configuration preferences, the attempt was made to present a few configurations that will provide the best possible disk access times without sacrificing redundancy. The labels "system" and "data" indicate in which container the OS should be installed and the data (in this case, the VMs) should be stored, respectively.
In part three, we'll discuss how to install Windows and its components.