Virtualization Moves Data Center Functionality to the Branch Office
Published: October 2009
Do WAN latency, availability and cost keep you from offering branch offices the data center services your users need? This article describes how Microsoft IT uses Windows Server 2008 R2 and virtualization to deliver data center functionality to branch offices. Services delivered at the branch office include file and print management, offline folder redirection, operating system and application distribution, and patch management. The result has been significantly better service availability, lower management costs, and fewer physical servers in the branch.
Products & Technologies
Microsoft IT (MSIT) leverages Windows Server 2008 R2 and Hyper-V virtualization to provide core services to their branch offices. Service availability has improved, management costs have decreased, and the number of dedicated servers in branch offices has been reduced.
The Centralized Shared Services Model
MSIT uses a centralized shared services model. This means that IT services are delivered as a global service, designed and run out of the central services group, which is physically located at the Redmond headquarters. Local or Field IT support is delivered by regionally distributed IT managers in branch offices. At the branch office level, this means that one IT manager may support as many as 17 IT sites over a wide geographic area that may include different countries.
Branch Office Virtualization Goals
The branch office virtualization vision had three key goals:
- Drive operational efficiencies in Field IT support
- Improve the security as well as the manageability of the platform
- Provide the flexibility to change as business needs change
The Starting Point—One Box with Six Services
MSIT started with one box running Windows Server 2003. That box hosted six services that could not be served from the central data centers and had to remain in the branch office: Windows Deployment Services (WDS), Data Distribution, File, Print, Intellimirror®, and Systems Management Server (SMS). Running all six on one box created security problems: everyone who worked on any of those services needed administrative access to the shared server, so each service's administrators could reach the other services' data and configuration, and services overlapped and stepped on each other. Operationally, it was hard to coordinate work and difficult to schedule downtime. Testing a new release of one service was also a problem, because it had to be tested with all of the other services in place. All in all, it was a very confusing model.
The New Platform—Six Services on Four Virtual Machines
For the new Virtual Branch Office Server platform, MSIT uses a Windows Server 2008 R2 host installed with the Server Core option and running the Hyper-V role. MSIT segregated the six services into four virtual machines, grouping services whose security and operational-support requirements were compatible into the same virtual machine. The four new virtual machines host:
- File and Data Distribution services
- WDS services
- SMS services
- Intellimirror and Print services
MSIT opted to keep WDS separate from Data Distribution services because WDS is participating in First & Best (dogfood) efforts, testing out new software. As a separate service, WDS can make changes without impacting the production service. MSIT decided to isolate SMS in a separate virtual machine for the same reason.
Virtualizing the branch office offers travel, security, time, and flexibility advantages.
The Microsoft environment is a globally diverse environment, much like a retail store or bank with a lot of branch offices. But unlike a retail store or bank, Microsoft doesn't have IT managers at each location. Using the centralized features and automation that virtualization provides, especially with System Center Virtual Machine Manager, MSIT was able to reduce travel this fiscal year by 35 percent in North America alone. With automation, MSIT doesn't need to send people to the various sites to do configuration changes.
MSIT switched the host server to Windows Server 2008 R2 with the Server Core installation option. Server Core is a minimal installation that provides a low-maintenance environment with limited functionality: it has a smaller footprint, a smaller attack surface, and fewer security patches to apply. By segregating the services into their own virtual machines, MSIT can give each service its own security model. For example, a HelpDesk technician who administers the Print server no longer needs to be an administrator of the File server, which may store confidential or personal information. The Hyper-V host itself remains the trust boundary: anyone who administers the host can reach every virtual machine on it, so membership in the host's Administrators group has to be limited more tightly than any single service's admin group.
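The per-service security model above amounts to a simple rule: each guest VM has exactly one support group in its local Administrators group, and nothing else. The following script, an added example rather than MSIT's own tooling, applies that rule to the four branch VMs and reports any extra principal holding admin rights. It assumes Windows Server 2008 R2 guests reachable through the WinNT ADSI provider, PowerShell 2.0, and hypothetical VM, domain and group names; run it as an account that is already an administrator on the guests.

```powershell
# Added example, not MSIT's own tooling: give each branch VM exactly one
# support group in its local Administrators group and report anything else
# holding admin rights there. VM, domain and group names are hypothetical.
$domain = "CONTOSO"   # assumed NetBIOS domain name

# One support group per VM. A Print admin gets the print VM, not the file VM.
$adminMap = @{
    "BR01-FILE"  = "Branch-FileSvc-Admins"   # File and Data Distribution
    "BR01-WDS"   = "Branch-WDS-Admins"       # WDS (dogfood channel)
    "BR01-SMS"   = "Branch-SMS-Admins"       # SMS
    "BR01-PRINT" = "Branch-Helpdesk"         # Intellimirror and Print
}

function Get-LocalAdministrators([string]$Computer) {
    # Members of the guest's local Administrators group as WinNT ADsPaths,
    # e.g. WinNT://CONTOSO/Branch-Helpdesk or WinNT://CONTOSO/BR01-PRINT/Administrator
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    }
}

function Set-BranchVmAdmins([string]$Computer, [string]$Group) {
    $admins  = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @(Get-LocalAdministrators $Computer)
    $escaped = [regex]::Escape($Group)

    # Add the intended group if it is not already a member.
    if (@($members -match "/$escaped$").Count -eq 0) {
        $admins.Add("WinNT://$domain/$Group,group")
        Write-Host "$Computer : added $domain\$Group to Administrators"
    }

    # Everything else is unexpected, except the built-in local Administrator
    # and Domain Admins, which Windows adds to every domain-joined machine.
    $expected = "/(Administrator|Domain Admins|$escaped)$"
    $members | Where-Object { $_ -notmatch $expected } | ForEach-Object {
        Write-Warning "$Computer : unexpected local admin $_"
    }
}

foreach ($vm in $adminMap.Keys) { Set-BranchVmAdmins $vm $adminMap[$vm] }
```

Run it periodically rather than once: the warnings are the useful output, because local admin membership on a service VM drifts as technicians are added "temporarily" and never removed. The script deliberately does not remove anything; review the warnings and remove the extra principals through the same `[ADSI]` group object's `Remove` method once you know why they were added.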
Branch office virtualization saves time when deploying and upgrading services. For example, MSIT is currently engaged in a First & Best effort for a new feature of Windows Server 2008 R2 called "BranchCache®." In the past, MSIT would have needed six to nine months to deploy that service worldwide (order, ship, and install a server at each site). With the new platform, MSIT was able to do the pilot in a few days. It was so easy, in fact, that MSIT decided to expand the pilot from two to twelve sites. MSIT originally scheduled three weeks for the expansion but completed it in one week.
With the old platform, which was one OS instance hosting six services, if MSIT had to make a change to one service, all the services would go down when the box was rebooted. With segregated services, service managers have a holistic end-to-end view. If they have an outage or need to take an outage, they don't have to coordinate with the other services. The Mean Time to Repair (MTTR) has therefore decreased significantly. Since they're the only service affected, they can reboot and repair immediately instead of waiting until Friday night or another scheduled time. This is a big savings and the operational support and customer experience is greatly enhanced.
Previously, MSIT had an average of about five reboots per month. With the new platform the number of reboots has gone down, and each avoided host reboot is an outage avoided for every service running on the platform. For example, if MSIT wants to upgrade the file servers from Windows Server 2008 to Windows Server 2008 R2, they can build a new virtual machine in the background, preconfigure it as the new file server, and then move the data Virtual Hard Disks (VHDs) from the old virtual machine to the new one. For such an OS upgrade the users see a 15-minute outage instead of two or three hours, and the work can be automated and done remotely instead of sending someone to the site.
The Role of BranchCache
BranchCache is a new technology in Windows Server 2008 R2 that lets content from file and Web servers across the wide area network (WAN) be cached on computers in the local branch office. MSIT piloted BranchCache in two locations and saw a 58 percent reduction in WAN traffic. It was such a great savings that MSIT decided to expand the pilot to 12 sites and will use BranchCache on all of the Virtual Branch Office servers. MSIT has over 80 Virtual Branch Office Server platforms in production today, about 40 percent of its branch environment. The Field IT group added relevancy to Microsoft's business by participating in this First & Best effort: they are helping to uncover issues with BranchCache and to determine the optimum settings in a real-world environment.
MSIT designed the Branch Office Virtualization platform with additional services in mind, and the WAN bandwidth that BranchCache frees up makes room to add them. For example, in a BranchCache pilot in Brussels, Belgium, MSIT measured a 78.9 percent reduction in Server Message Block (SMB) traffic. That bandwidth saving creates an opportunity to add services, and service managers are asking for them: they want to be on the Virtual Branch Office Server platform for better control and a better view of their services. Hyper-V virtualization and BranchCache together make this possible. Caching does not weaken access control: a client receives the content hashes it needs to fetch blocks from a peer only after the file server has authorized its access in the normal way, so share and NTFS permissions still apply to cached content.
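For readers who want to reproduce the kind of measurement quoted above, the following script is an added example, not MSIT's pilot configuration. Part A runs on the branch file-server VM (Windows Server 2008 R2) and enables BranchCache for SMB; part B runs on each Windows 7 client in the branch and reads the cache-hit ratio that a "percent of WAN traffic saved" figure is derived from. The share name, the registry value semantics and the performance counter names are assumptions to verify on your build.

```powershell
# Added example, not MSIT's pilot configuration: the two halves of a
# BranchCache-for-SMB rollout plus a cache-hit ratio reader.
# Part A: branch file-server VM (Windows Server 2008 R2).
# Part B: each Windows 7 client in the branch.

# ---- A. Branch file-server VM ------------------------------------------
Import-Module ServerManager
# "BranchCache for Network Files" role service: lets the SMB server compute
# content hashes and hand them to clients it has already authorized.
Add-WindowsFeature FS-BranchCache

# Hash publication scope, i.e. the "Hash Publication for BranchCache" policy
# under Lanman Server. Assumed mapping: 0 = only shares with BranchCache
# enabled in their caching settings, 1 = disabled on all shares, 2 = every
# share. Limiting it to explicitly enabled shares keeps hashes off shares
# nobody meant to cache; confirm the values in the policy editor first.
$lanman = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer"
if (-not (Test-Path $lanman)) { New-Item $lanman -Force | Out-Null }
Set-ItemProperty $lanman -Name HashPublicationForPeerCaching -Value 0 -Type DWord
# Then tick "Enable BranchCache" under Advanced Sharing > Caching for each
# share that should be cacheable (e.g. the hypothetical \\BR01-FILE\Distribution).

# ---- B. Each branch client ---------------------------------------------
# Distributed mode: clients serve each other blocks over the branch LAN; no
# hosted-cache server is needed. netsh also creates the firewall rules for
# content retrieval (TCP 80) and peer discovery (WS-Discovery, UDP 3702).
netsh branchcache set service mode=distributed
netsh branchcache show status all

function Get-BranchCacheHitRatio {
    # Share of retrieved bytes that came from peers instead of the WAN, read
    # from the BranchCache performance object. Counter names are assumed;
    # list the real ones with (Get-Counter -ListSet BranchCache).Paths.
    $fromCache  = (Get-Counter '\BranchCache\Retrieval: Bytes from Cache').CounterSamples[0].CookedValue
    $fromServer = (Get-Counter '\BranchCache\Retrieval: Bytes from Server').CounterSamples[0].CookedValue
    $total = $fromCache + $fromServer
    if ($total -eq 0) { return 0 }
    [math]::Round(100 * $fromCache / $total, 1)
}
"{0}% of retrieved bytes served from the branch cache" -f (Get-BranchCacheHitRatio)
```

Because a Virtual Branch Office server is already present in the branch, hosted cache mode is the alternative to distributed mode: install the BranchCache feature on a VM, give it a server certificate, run `netsh branchcache set service mode=hostedserver` there, and point clients at it with `netsh branchcache set service mode=hostedclient location=<fqdn>`. Hosted cache mode keeps the cache available when the peer that fetched a file has gone home, at the cost of one more service to patch on the platform.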
Branch Office Virtualization Roadmap
Possible future branch office services include read-only domain controllers, private print servers, services for other operating systems, content caching, streaming media, and network monitoring. MSIT is looking at authentication right now. The Active Directory team previously pulled domain controllers out of the Field for security reasons; for example, they did not want a HelpDesk technician who administered the branch server to be, in effect, a domain admin. With its own virtual machine and a separate security model, MSIT is looking at using the read-only domain controller (RODC) feature of Windows Server 2008 to put authentication back in the local branch for a better user experience. An RODC holds a read-only copy of the directory, caches only the credentials its Password Replication Policy allows, and can be administered locally by a delegated group that has no rights elsewhere in the domain, so a compromised branch server exposes the cached branch accounts rather than the whole domain. MSIT is also looking at locating a Source Depot proxy and other tools in branch locations as possible services to improve the end user experience.
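The RODC option above only delivers its security benefit if the account is pre-staged with delegated administration and a tight Password Replication Policy, and if someone checks afterwards what the RODC has actually cached. The script below is an added example, not MSIT's deployment tooling, showing those steps. Step 1 needs a Domain Admin at headquarters; the rest needs only the Windows Server 2008 R2 ActiveDirectory module. The dcpromo answer-file option names follow the Windows Server 2008 unattend reference and should be checked against it; the domain, site, computer and group names are hypothetical.

```powershell
# Added example, not MSIT's deployment tooling: pre-create a branch RODC
# account, delegate its local administration to the branch helpdesk without
# making them domain admins, restrict which passwords it may cache, and
# audit what it has actually cached. All names below are hypothetical.
Import-Module ActiveDirectory

$domainDns    = "corp.contoso.com"
$domainNb     = "CONTOSO"
$rodc         = "BR01-RODC"
$site         = "Branch-01"
$branchUsers  = "Branch-01 Users"      # the only accounts this RODC may cache
$branchAdmins = "Branch-01 Helpdesk"   # admins of this RODC, nothing more

# 1. Pre-create the RODC computer account from headquarters (Domain Admin).
#    The branch technician later attaches the server to it with an answer
#    file containing "UseExistingAccount=Attach" and their own credentials,
#    so no Domain Admin password ever travels to the branch.
$answer = "$env:TEMP\precreate-$rodc.txt"
@"
[DCInstall]
CreateDCAccount=Yes
DCAccountName=$rodc
ReplicaDomainDNSName=$domainDns
SiteName=$site
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin=$domainNb\$branchAdmins
PasswordReplicationAllowed=$domainNb\$branchUsers
PasswordReplicationDenied=$domainNb\$branchAdmins
"@ | Set-Content $answer -Encoding ASCII
dcpromo /unattend:$answer

# 2. The delegation is also visible and adjustable through the AD module:
#    managedBy on the RODC object is what grants local admin on the RODC.
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADGroup $branchAdmins)

# 3. Password Replication Policy. Deny wins over allow, so denying the
#    helpdesk group guarantees their secrets are never cached at the branch
#    even if someone later adds them to an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchUsers
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  $branchAdmins

function Test-RodcPasswordPolicy([string]$Rodc) {
    # Privileged groups that must be covered by the denied list, directly or
    # through the built-in "Denied RODC Password Replication Group".
    $privileged = "Domain Admins", "Enterprise Admins", "Schema Admins",
                  "Administrators", "Account Operators", "Server Operators", "Backup Operators"

    $denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $effectiveDenied = foreach ($entry in $denied) {
        $entry.Name
        if ($entry.ObjectClass -eq "group") {
            Get-ADGroupMember -Identity $entry -Recursive | Select-Object -ExpandProperty Name
        }
    }
    $notDenied = $privileged | Where-Object { $effectiveDenied -notcontains $_ }

    # Accounts whose secrets are physically present on this RODC right now.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $privilegedCached = foreach ($acct in $revealed) {
        $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
        if ($groups | Where-Object { $privileged -contains $_ }) { $acct.SamAccountName }
    }

    New-Object PSObject -Property @{
        RODC                = $Rodc
        PrivilegedNotDenied = @($notDenied)         # should be empty
        PrivilegedCached    = @($privilegedCached)  # should be empty
        CachedAccounts      = $revealed.Count
    }
}

Test-RodcPasswordPolicy $rodc | Format-List
```

The last function is the one worth scheduling. A non-empty `PrivilegedCached` list means a privileged account authenticated at the branch and its secrets now live on hardware the helpdesk controls; the fix is to reset that account's password (which invalidates the cached copy) and find out why the policy allowed it.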
MSIT has already implemented virtualization at the server level and is adding Microsoft Application Virtualization (App-V) and Microsoft Enterprise Desktop Virtualization (MED-V) capabilities to the branch office. This technology could be very beneficial for Microsoft acquisitions. For example, several years ago Microsoft acquired a company of about 3,000 employees and MSIT needed to provide 3,000 new machines. This was a hardware constraint: MSIT was not able to acquire enough laptops quickly, so the new employees had no machines to work with. With a VDI or virtual machine farm, the new employees could have kept their existing non-Microsoft-standard machines and reached Microsoft resources through a virtual machine in the data center. MSIT could have set that up in a number of weeks and avoided shipping thousands of laptops around the world. Infrastructure is key to service delivery, and Microsoft Virtual Desktop Infrastructure (VDI), App-V, and MED-V are the technologies MSIT is looking at to provide it.
MSIT's new Virtual Branch Office Server platform has provided savings in a number of areas: travel costs, the cost of deploying new services, and the cost of upgrading existing ones. The platform is manageable and flexible, which also results in savings. Segregating services into separate virtual machines has significantly improved the security model. BranchCache, a new Windows Server 2008 R2 technology, plays an important role by freeing up network bandwidth so additional services can be provided. The future for virtualization in the branch office is very bright with the addition of new technologies such as App-V and MED-V.
For More Information
Please visit http://technet.microsoft.com/en-us/library/ee191522.aspx to see a multimedia presentation on the content of this article.
For additional IT Showcase Windows 7 content, please visit http://technet.microsoft.com/en-us/library/bb687804.aspx#7.
For more IT Showcase content, please visit http://www.microsoft.com/technet/itshowcase
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
© 2009 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, BranchCache, Intellimirror, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.