September 2010
To help ensure that the Microsoft IntelliMirror service continues to offer a security-enhanced end-user data backup solution that meets changing business needs, Microsoft Information Technology (MSIT) has implemented key technology changes in the Windows 7 and Windows Server 2008 R2 operating systems. This approach has enabled MSIT to add functionality to the IntelliMirror service while still operating on a limited budget.
Introduction
Intended Audience: IT managers; business decision makers; technical decision makers
Products & Technologies: Windows Server 2008 R2; Windows 7; Windows Vista SP1; Server Message Block; Folder Redirection; Offline Files; File Server Resource Manager; BitLocker Drive Encryption; Failover clusters; Volume Shadow Copy Service; Microsoft System Center Data Protection Manager 2007 SP1; File Server Capacity Tool
MSIT supplies services to more than 170,000 users located in more than 600 buildings worldwide. IntelliMirror, like all MSIT-supplied services, has a strong and measurable service level agreement (SLA) in place to help safeguard its users. A key deliverable for this service is for users to have access to their data 99.99 percent of the time from any client computer on the Microsoft corporate network. The IntelliMirror management technologies are a set of features that are built into Windows Server and form the basis of MSIT's backup and centralization solution for its mobile workforce. First introduced in Microsoft Windows 2000 Server, IntelliMirror enables users to redirect specific folders to centrally managed network servers for data security and recovery. At Microsoft, IntelliMirror offers a fast, cost-effective data security solution. The service enables users to have full access to a copy of their files when they are disconnected from the network, even though these files are centrally managed on a network server. The data is then synchronized as a background task when network connectivity is restored. This highly automated system was simple for MSIT to deploy and has low administration costs.
Business Requirements
When IntelliMirror was initially deployed at Microsoft, the IntelliMirror service management team wanted the service to fulfill four business requirements:
Data centralization and management: Data stored on client computers needed to be centralized for IT administrators to monitor and manage it. Users also needed to have access to their data from any corporate domain-joined computer at all times.
Data mobility and availability: User data needed to be mobile, without any additional IT administration or end-user requirements. The service had to give users fast access to their data, independent of their network connectivity or the quality of the connection to the centralized storage location.
Data protection and portability: Protecting the integrity of the data is another core requirement of the service. MSIT needed to help ensure that users' data was secure and could be recovered in case of accidental file changes, file deletion, laptop loss, or hardware failure.
Total cost of ownership (TCO): IntelliMirror had to add value for end users without increasing the TCO.
Any subsequent technologies that become available are benchmarked against these requirements to determine whether they can support and improve service delivery while maintaining the same underlying principles. The IntelliMirror service management team felt that the release of Windows Server 2008 R2 and Windows 7, plus the rollout of Hyper-V in branch offices, offered sufficient additional functionality to justify a major service improvement plan for the IntelliMirror service.
Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 2
Policy setting is then applied to the user's computer and sets the IntelliMirror path information.
This single multipurpose branch-office server model originated from an earlier project called the Model Enterprise Initiative (MEI). The aim of this project was to reduce server sprawl, to simplify the infrastructure at Microsoft, and to reduce the TCO. Although MEI was a great success, the single branch-office server model that it produced affected the IntelliMirror team's ability to adapt the service to meet changing business needs, along with the team's ability to adopt new technologies. With multiple services sharing the same operating system, the chance always existed that problems could occur in areas such as:
Service overlap: Having multiple services installed on one operating system created additional workload and complexity for service managers and regional IT staff. Any changes to one service had to be coordinated with all service managers who shared the same platform. Planning large changes, such as operating system upgrades, was a major undertaking because of the number of teams that had to be coordinated.
Security: Sharing a single operating system also had security implications. For example, the local resources that handled file share issues were directly logging on to a server that was delivering IntelliMirror Folder Redirection. Although rights are managed based on job roles, the potential to affect overall server performance or compromise confidential data was a possibility without true service segregation.
SLA and flexibility: The standard 99.99 percent service availability was hard to maintain and control in a scenario where other services could affect the availability of IntelliMirror. The only way around this was true segregation of services onto separate servers, which was not a viable or cost-effective option before Hyper-V.
Early adoption of technology: One of MSIT's core roles is to be the first and best customer of Microsoft, adopting new technology as early as possible so that the software can be thoroughly tested in an enterprise environment before general release to market. With virtualization, each service could now participate in different testing efforts and adopt new technology based on a timetable that suits its individual service requirements.
The limitations of a single server with multiple technology requirements were resolved with the introduction of Hyper-V on branch-office servers running Windows Server 2008 R2. This enabled MSIT to isolate services into separate virtual machines, size resources to meet the service managers' desired requirements, and give complete ownership of the virtual machines to the individual service management teams. Hyper-V was a key enabler in the service improvement plan to extend the range of user information that IntelliMirror helps secure. It also enabled MSIT to increase storage quotas. Desktop files and favorites were now added to the range of files that IntelliMirror helps secure, further improving disaster recovery capabilities. The lower cost of storage on the Hyper-V servers meant that minimum quotas could also be increased from 1.25 gigabytes (GB) per user to 3 GB per user, with the option for individuals to apply for quota increases on an as-needed basis up to 15 GB. A user warning system has also been established to alert users when their capacity utilization reaches 85 percent and 95 percent. The system provides a final alert when capacity utilization reaches 100 percent, at which point the ability to create additional content in the centralized data store is blocked. This helps users proactively manage their data and avoid problems related to managed folders. Although the rollout of branch-office virtualization was a separate project that brought a range of benefits to multiple services, it presented a good opportunity for the IntelliMirror service management team to take advantage of the new platform with little or no additional cost. Overall, virtualizing the service was a huge success for MSIT and mapped closely to the data centralization and management aspects of the IntelliMirror business requirements.
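The quota scheme described above (3 GB hard limit, alerts at 85, 95 and 100 percent, per-user increases up to 15 GB) can be expressed as a File Server Resource Manager quota template. This is an added example, not MSIT's configuration: it assumes the FileServerResourceManager PowerShell module that ships with Windows Server 2012 and later rather than the Windows Server 2008 R2 tooling of the paper, and the template name, share path, user folder and helper function are hypothetical.

```powershell
# Added example, not MSIT's configuration. Assumes the
# FileServerResourceManager module (Windows Server 2012 and later).
Import-Module FileServerResourceManager

# Hypothetical names, chosen for illustration only.
$templateName = 'Redirected-Folders-3GB-Hard'
$shareRoot    = 'D:\IntelliMirror\Users'

# Hypothetical helper: builds one threshold that e-mails the user and
# writes a warning to the event log so alerts can be audited centrally.
function New-QuotaWarning {
    param([Parameter(Mandatory)][int]$Percent)

    $message = 'Used [Quota Used MB] MB of [Quota Limit MB] MB on [Quota Path].'

    # The e-mail action needs an SMTP server configured via Set-FsrmSetting.
    $mail = New-FsrmAction -Type Email `
        -MailTo '[Source Io Owner Email]' `
        -Subject "Redirected folder quota at $Percent percent" `
        -Body $message

    $log = New-FsrmAction -Type Event -EventType Warning -Body $message

    New-FsrmQuotaThreshold -Percentage $Percent -Action $mail, $log
}

# Alerts at the three utilization levels the paper describes.
$thresholds = 85, 95, 100 | ForEach-Object { New-QuotaWarning -Percent $_ }

# Omitting -SoftLimit makes this a hard quota: writes are blocked at 100 percent.
New-FsrmQuotaTemplate -Name $templateName -Size 3GB -Threshold $thresholds

# An auto quota applies the template to every existing and future
# subfolder, so each user's redirected folder gets its own 3 GB limit.
New-FsrmAutoQuota -Path $shareRoot -Template $templateName

# Approved increase for one user, up to the 15 GB ceiling.
# 'someuser' is a placeholder; the folder must already exist.
Set-FsrmQuota -Path (Join-Path $shareRoot 'someuser') -Size 15GB
```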
Folder Redirection
New and improved features available with Windows 7, particularly in the Folder Redirection and Offline Files areas, also enhanced the IntelliMirror service at the same time that Hyper-V was being deployed. Folder Redirection is one of the main features of IntelliMirror. This feature offers many benefits to users and administrators, such as having a copy of user data stored on a managed server that can be easily backed up as part of routine system administration tasks. It also enables a user to log on to different physical computers on the corporate network and still maintain access to his or her data via the server copy, which will replicate to the user's current laptop or desktop computer. This is particularly useful in reducing the administration time and cost involved in upgrading a user's computer or in recovering a user's computer in the event of a disaster. A drawback of Folder Redirection before Windows 7 was a user's first logon experience after he or she had signed up for the IntelliMirror service. For example, with the Windows Vista operating system, the user would experience delays during the first logon while all his or her local data was copied over the network to the server. In Windows 7, a user who has Offline Files enabled during deployment of IntelliMirror Folder Redirection will see a significantly improved first logon experience. This is because the data is moved from the local hard disk drive into a local cache, rather than being sent over the network.
After the initial move to the cache is complete, the user can access his or her information normally, and locally cached data will be synchronized over the network to the server as a background task. This ability significantly improved end users' service experience.
Server 2008 R2. To enable Offline Files on Windows Server, an administrator must install and enable the Desktop Experience feature. Although it is possible to administratively enable Offline Files on server operating systems, MSIT did not consider this option for its implementation. Even though Microsoft has a large number of power users who choose to use a server operating system on their client computers, MSIT lets them decide whether to deploy this feature themselves.
All these changes combined have improved the end-user experience with IntelliMirror by making network usage faster and more reliable.
Windows Server 2008 R2 supports File Server Resource Manager on all server installation options, including Server Core, although at Microsoft, the IntelliMirror virtual machines sit on a full version of Windows Server 2008 R2 with the standard graphical user interface (GUI).
Recovery
A combination of Volume Shadow Copy Service (VSS) and Microsoft System Center Data Protection Manager (DPM) 2010 provides the recovery options for the IntelliMirror service. Although this was not specifically changed as part of this project, it is important to mention here to complete the service picture. VSS for shared folders is a feature in Windows Server that transparently maintains previous versions of files on selected volumes by producing shadow copies. It works by taking snapshots of an entire volume at particular points and making these snapshots available to the user in a simple-to-use interface. This helps reduce IT operational costs by eliminating the need for administrator intervention in the recovery process. VSS enables the users themselves to have complete control over the recovery process for deleted, modified, or corrupted files from a snapshot of the volume. At Microsoft, administrators use DPM in combination with VSS to provide a total recovery solution. DPM produces the backup copies of user data. It delivers continuous data protection for compatible applications and file servers by using seamlessly integrated disk, tape, or cloud storage as a backup target. To do this, DPM invokes VSS to create a one-time full replica of the data it will help protect, followed by incremental synchronizations (recovery points) that by default are scheduled to occur every 15 minutes. For IntelliMirror, DPM provides a near-continuous data protection (near CDP) model for file servers where content is backed up on a 15-minute schedule.
BitLocker
A big step toward rounding off security requirements for IntelliMirror was the introduction of BitLocker Drive Encryption in the Windows Vista and Windows 7 deployments. Like Hyper-V, the implementation of BitLocker was a separate but complementary project that added value to IntelliMirror. Enabling BitLocker protection on all mobile and desktop computers is a high priority for Microsoft. BitLocker helps keep everything from documents to passwords safer by encrypting the entire drive that the Windows operating system and user data reside on. A large portion of the Microsoft workforce is mobile, which makes technologies like IntelliMirror an attractive proposition because it provides security for user data on a centralized infrastructure while still being portable. However, the copy of confidential Microsoft and customer information available on client computers is particularly vulnerable to loss or theft. The adoption of data encryption strategies such as BitLocker is therefore critical to help protect the data on corporate portable and desktop computers. BitLocker is part of a defense-in-depth strategy that Microsoft enforces on all client computers. This strategy also includes the use of mandatory antivirus, firewall, and antispyware software. Although this technology is not specifically part of the core IntelliMirror service, its implementation helps address the data protection and portability aspects of the service.
Taking advantage of opportunities from technology deployments by other service teams, such as BitLocker, has improved the security for IntelliMirror users with no additional administration overhead for the IntelliMirror service management team.
Future Developments
The MSIT IntelliMirror service management team is now researching a storage reduction feature, known as "Dedup," After MSIT identifies the requirements and features that can add the most value to the IntelliMirror service, it will set up a test environment in the Microsoft infrastructure to validate the scenarios and establish a new service improvement plan. Also, in partnership with the branch-office services team, the IntelliMirror service management team is introducing failover clusters to large branch offices (those that have more than 3,000 users) to provide high availability in these locations. Part of Windows Server 2008 R2, failover clusters can scale to include 16 servers (nodes) in a single cluster by using a shared storage back end with support for Serial Attached SCSI (SAS), Internet SCSI (iSCSI), or Fiber Channel interconnects. Initially, MSIT plans to use two-node clusters in its large branch offices. The nodes maintain constant communication with each other to help ensure service availability. If one of the nodes in a cluster becomes unavailable because of an unscheduled or scheduled failure, another node immediately begins to provide service. Users who are accessing a service that has moved from one cluster node to another because of failure or another service-affecting outage will typically not notice any service impact and will continue to work without issue. Finally, the IntelliMirror service management team, like many commercial customers of Microsoft, is evaluating the Windows Azure cloud platform to establish whether it can offer an alternative solution for the DPM requirements in IntelliMirror. The IntelliMirror service management team sees the flexibility of Windows Azure as an opportunity to meet growing user demand for the service by making the right resources available when and where they are needed. The first stage of the move toward the cloud is already underway.
Initially, the IntelliMirror service management team plans to set up a pilot on selective IntelliMirror and DPM client servers by early 2011, to evaluate the benefits of on-premises versus the cloud for certain parts of the service.
Conclusion
The service improvement plan to adopt the new features available in the Windows 2008 R2 and Windows 7 operating systems surpassed the expectations of the IntelliMirror service management team. The project has enabled MSIT to add features to the service while continuing to reduce costs. By taking advantage of the existing Microsoft worldwide enterprise server infrastructure, MSIT has been able to increase the user base of the service while maintaining a low TCO. Depending on user counts, the monthly cost for each IntelliMirror user at Microsoft is approximately $2 US per month, which is considered a good return on investment for the benefits that it brings. This project, combined with the Hyper-V rollout in branch offices, has enabled the IntelliMirror service management team to produce a more dynamic product that can adapt easily to business needs. The IntelliMirror offering to the Microsoft internal user base has become a more valuable and attractive business resource as a result.