Windows Server 2012 Hyper-V:

Back in 2011 at the Build Conference in Anaheim, California, Microsoft promised a plethora of new features for the new version of Windows Server 2012 Hyper-V. I was very skeptical and doubted that the final release would have all the promised goodies, but I’ve been proven wrong before. When Windows Server 2008 Hyper-V came out, I thought Microsoft would never be a serious competitor in this market. The product was so crude that we avoided presenting it as an alternative to VMware to any of our customers. Period. Later, Windows Server 2008 R2 Hyper-V introduced substantial improvements that made it more competitive but it still trailed VMware.

Windows Server 2012 Hyper-V represents a significant leap forward. All the new features and functionalities that Microsoft promised in Anaheim came true.

This is the first of a series of articles on Windows Server 2012 Hyper-V. We will review Windows Server 2012 Hyper-V technical requirements, different installation options and initial virtual network configuration using the Microsoft Management Console (MMC) for Hyper-V. Other management tools available for working with Hyper-V include the System Center Virtual Machine Manager (SCVMM), the Failover Cluster Manager and Windows PowerShell. We will have a separate article on managing a group of Hyper-V servers using SCVMM, Failover Cluster Manager, and Windows PowerShell.

Windows Server 2012 Hyper-V Technical Requirements

  • * 64-Bit Processor – Hyper-V requires an x64 processor; Windows Server 2012 is only available on 64-bit processors. Once Hyper-V is up and running, it is possible to run virtual machines with either 32-bit or 64-bit operating systems installed.
  • * CPUAssisted Virtualization – The host computer must have a processor that supports assisted virtualization. In some cases it may be necessary to turn on this feature in the server BIOS settings. On Intel CPUs this is called VT-x. For AMD the name is AMD-V.
  • * Data Execution Prevention (DEP) – This is another BIOS configuration setting that must be enabled for Hyper-V to operate successfully. DEP is known as XD bit (Execute Disable bit) on Intel processors. On AMD processors it is referred to as the NX bit (No execute bit). This is really a security feature designed to protect against possible buffer overrun attacks. Memory with data is tagged to prevent the processor from running malicious code that a hacker may write as instruction into data memory.
  • * Second Level Address Translation (Optional) – This feature is NOT required to implement Windows Server 2012 Hyper-V. However processors with SLAT support boost the execution of memory intensive applications such as Microsoft Exchange, SQL, and Remote Desktop Services. Second Level Address Translation allows Hyper-V to offload the mapping of virtual machine memory to the server’s physical memory; this process lessens the burden on the host’s CPU and increases virtual machine memory performance. SLAT is a requirement to run Client Hyper-V on Windows 8 computers. Client Hyper-V is a desktop application with the look and feel of the Hyper-V server management console but without server functionality like Hyper-V replica, storage migration, live migration, clustering, etc.

Installing Hyper-V Role using DISM and Windows PowerShell:

It’s possible to install the Hyper-V role using the Deployment Image Servicing and Management (DISM) tool, Windows PowerShell or Server manager. On a server core installation you will need to use DISM or Windows PowerShell; you can also add the Hyper-V role remotely from another Windows Server 2012 computer or from a Windows 8 client using the Remote Server Administration tools (RSAT).

Using the Deployment Image Servicing and Management (DISM tool), we can verify that the Hyper-V role is not installed yet by typing the following line from the command prompt:

C:>dism /online /get-features /format:table | find /I “Hyper”

Microsoft-Hyper-V – This is the actual role that provides the services necessary to create and manage virtual machines and their resources. This allows you to run multiple virtual machines and their operating systems simultaneously.

RSAT-Hyper-V-Tools-Feature – This Management package includes GUI and command-line tools for managing Hyper-V.

Microsoft-Hyper-V-Management-Clients – Hyper-V GUI Management Tools will allow you to access the Hyper-V Manager snap-in and the Virtual Machine Connection tool.

Microsoft-Hyper-V-Management-PowerShell – It is possible to manage and automate many Hyper-V tasks by using this module. Many new cmdlets have been added to allow administrators to manage Hyper-V using PowerShell scripts.

On a server core installation of Windows Server 2012, the Hyper-V Management Tools and Snap-ins cannot be run, unless you change to the minimal-shell option.

To install just the Hyper-V role, you would type the following line from the command prompt:

C:>dism /online /enable-feature /Featurename:Microsoft-Hyper-V

After rebooting, you should be able to verify that the Hyper-V role has been installed by typing:

C:>dism /online /get-features /format:table | find /I “Hyper”

Using Windows PowerShell is another option to install the Hyper-V role.

First, let’s verify that the Hyper-V role and features have not been added to this server by typing the following command from the shell:

PS C:>Get-WindowsFeature *hyper* | ft –AutoSize (Note: the “ft –AutoSize” is to better format the command output, but it is not necessary to get the results.)

To install the role or any of the Hyper-V related features, you can use the PowerShell Install-Windows Feature cmdlet. Here is an example of installing the Hyper-V role and the management tools

PS C:>Install-WindowsFeature Hyper-V –IncludeManagementTools -restart

After rebooting, you can verify that the Hyper-V role and features have been installed.

Installing Windows the Server 2012 Hyper-V Role using Server Manager

Using Server Manager is our third option to add the Hyper-V role to a Windows Server 2012. The Server Manager console opens by default when logging on to a newly installed Windows server 2012. Let’s follow the process step by step:

  1. In the Server Manager console, on the Manage menu, click Add Roles and Features.

  1. In the Add Roles and Features Wizard, on the before you begin page, click Next.

  1. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  1. On the Select destination server page, ensure that the server name where you want to install the role is selected (in our case that is InfoSec-Win12), and then click Next.

  1. On the Select Server Roles page, select Hyper-V.

  1. In the Add Roles and Features Wizard dialog box, click Add Features.

  1. On the Select Server Roles page of the Add Roles and Features Wizard, click Next.

  1. On the Select features page, click Next.

  1. On the Hyper-V page, click Next.

  1. On the Create Virtual Switches page, select one or more network adapters that you want to make available for your virtual machines connections. If you do not select a network adapter here, you can always configure them later once the Hyper-V installation is complete. Click Next.

  1. On the Virtual Machine Migration page, click Next.

  1. On the Default Stores page, review the location of Default Stores, and then click Next. (In previous versions of Hyper-V, by default virtual machines were created on the system drive. Having the option to change the default stores for the virtual machines and the virtual hard disks during the installation process is a welcome addition to the process. As in previous versions, these settings can also be changed after the installation is complete by using the Hyper-V Manager console.)

  1. On the Confirm Installation Selections page, select Restart the destination server automatically if required.

  1. In the Add Roles and Features Wizard dialog box, review the message about automatic restarts, and then click Yes.

  1. On the Confirm Installation Selections page, click Install.

Once the installation completes, the server reboots and all the Hyper-V management tools are available to access and configure the server. Now that we have a Hyper-V host up and running, let’s start with the initial virtual networking infrastructure

There are numerous new networking features in Windows Server 2012 Hyper-V specially designed to improve the network performance and functionality of virtual machines. These new features include network virtualization, bandwidth management, Dynamic Host Configuration Protocol (DHCP) guard, router guard, virtual machine queue, IP Security (IPSec) offloading and single-root I/O virtualization (SR-IOV). We will dedicate one of our articles in this Hyper-V series to these new features.

Virtual Switches

You use the Virtual Switch Manager to create and manage virtual switches.

Virtual switches are used to control how network traffic flows between virtual machines running on the Hyper-V host and between virtual machines and the outside networks. Windows Server 2012 Hyper-V supports three types of virtual switches:


An external virtual switch maps to a physical network adapter on the Hyper-V server to allow the virtual machines to have access to a physical network. If you have installed the Wireless LAN service on the Hyper-V host, it is possible to map an external virtual switch to a wireless adapter.


An internal switch allows the virtual machines to communicate with each other and with the Hyper-V server but they cannot communicate with the physical network.


This type of virtual switch enables the virtual machines to communicate with each other, but there is no mapping to any physical network adapter in the parent partition. With these switches the virtual machines can communicate with each other but not with the host computer or with other computers on external networks.

Let’s proceed with the virtual networks configuration by creating these three different types of switches.

Configure an External Switch

  1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

  1. In the Virtual Switch Manager dialog box, click New virtual network switch. Ensure that External is selected, and then click Create Virtual Switch.

  1. In the Virtual Switch Properties area of the Virtual Switch Manager dialog box, specify the following information, and then click OK:
  • Name: InfoSec Network
  • External Network: Mapped to the host computer’s physical network adapter.

If you clear the option to allow management operating system to share this network adapter, the physical network adapter will be available only for virtual machines and will not be accessible by the Hyper-V server. This configuration would isolate virtual machine network traffic from the host network traffic.

In the Apply Networking Changes dialog box, review the warning, and then click Yes.

Configure a Private Switch

  1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

  1. Under Virtual Switches, select New virtual network switch. Then, under Create virtual switch, select Private, and then click Create Virtual Switch.

  1. In the Virtual Switch Properties section, configure the following settings, and then click OK:
  • Name: Private Network
  • Connection type: Private network

Configure an Internal Switch

  1. In Hyper-V Manager, on the Actions pane, click Virtual Switch Manager.

  1. Under Virtual Switches, select New virtual network switch. Then, under Create virtual switch, select Internal, and then click Create Virtual Switch.

  1. In the Virtual Switch Properties section, configure the following settings, and then click OK:
  • Name: Internal Network
  • Connection type: Internal network

Hyper-V Virtual Local Area network (VLAN) Integration:

You can configure VLAN identifiers for the virtual network adapters attached to a virtual machine. When you configure this setting, the virtual machine will only be able to communicate on the designated VLAN. Virtual machines with the same VLAN identifier can communicate with each other, but cannot communicate with any other virtual machine or physical computer that belongs to a different VLAN, unless a layer 3 device is configured to allow inter-VLAN routing traffic. Configuration of VLAN identifiers for the virtual machine network adapter is possible regardless of whether the network adapter is connected to a private, internal or external virtual switch.

Besides the virtual network adapter configuration, you can also configure a VLAN identifier for internal or external virtual switches. Virtual LAN identifiers are not supported for private virtual switches. When you configure a VLAN identifier for the virtual network, all communications sent on the network adapter will be available on the designated VLAN only. With this setting you isolate the network traffic that is sent to and from that virtual switch on the Hyper-V server to a restricted VLAN.

Hyper-V MAC address range

When Hyper-V is installed, a MAC address pool is created. By default, Hyper-V dynamically assigns MAC addresses from this pool to each virtual network adapter at the time new virtual machines are created or when a new virtual network adapter is added to the VM. To access the MAC Address Range, in Hyper-V Manager right-click the Hyper-V host name and choose Virtual Switch Manager from the shortcut menu. Then under Global Network Settings click on MAC Address Range (see Figure 1 below).

Let’s examine the address range in Figure 1.

  • * 00-15-5D: Represents theMicrosoft IEEE Organizationally Unique Identifier. You will use this portion of the MAC address in all Hyper-V hosts.
  • * 07-2F: These two bytes come from the first IPv4 Address of the host. The two lowest octets are converted to hexadecimal. 07-2F maps to 7.47. In this case, the first IP address of the host was
  • * 00 to FF: The last byte shows a minimum of 00 and FF as maximum. This indicates a pool of 256 possible MAC addresses in the following range:
  • * 00-15-5D-07-2F-00: First MAC address (minimum)
  • * 00-15-5D-07-2F-FF: Last MAC address (maximum)

The MAC Address range is also available in the Windows Registry on the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization

The Virtual Switch Manager, the Windows Registry or Windows PowerShell can be used to increase the number of MAC addresses. Let’s say that you need to boost the number of MAC addresses from the default of 256 to 1,024 using Windows PowerShell. Here is the command:

  • * Set-VMHost -MacAddressMinimum “00-15-5D-07-C0-00″ -MacAddressMaximum “00-15-5D-07-C3-FF”

The new valid MAC address range from C0-00 to C3-FF allows 210 = 1,024 possible values in the pool. This change will not affect the currently used Mac addresses on running virtual machines.

Bandwidth Management

This built-in quality of service (QoS) policy setting makes it possible to set bandwidth throttle per virtual adapter on each virtual machine. By setting up the minimum and maximum values in megabits per second (Mbps), you can limit the network usage, prioritize traffic, and enhance the performance of selected virtual machines running mission critical applications and services. When configured, like a traffic cop, this feature does not allow speeding and it prevents bandwidth utilization beyond the specified rate limit. The minimum setting works as a pledge to ensure that the virtual machine has a committed capacity on that network adapter in times of contention.

Using Windows PowerShell, the command below sets the maximum and minimum bandwidth values on a virtual machine named DC1:

  • * Set-VMNetworkAdapter -VMName DC1 -MaximumBandwidth 75MB -MinimumBandwidthAbsolute 25MB

You may want to gauge the workload of the virtual network adapters before and after enabling bandwidth management. Hyper-V has a built-in metering resource process that measures resource usage by one or multiple virtual machines. You can enable Hyper-V resource metering by running the following Windows PowerShell command:

  • * Enable-VMResourceMetering –VMName DC1

The above command instructs Hyper-V to start collecting resource utilization data for DC1. The collected data includes virtual network adapters’ incoming and outgoing network traffic.

Performance monitor also provides several important performance counters, among them:

  • * Hyper-V Virtual Network Adapter(*)\Bytes/sec:This counter tracks the total number of bytes per second sent and receive over a virtual NIC.
  • * Hyper-V Virtual Network Adapter(*)\Bytes Received/sec: This counter tracks the total number of bytes received per second on a virtual NIC.
  • * Hyper-V Virtual Network Adapter(*)\Bytes Sent/sec: This counter represents the total number of bytes sent per second on a virtual NIC.

Hardware Acceleration Features

Even though some of the hardware acceleration features are enabled by default in a virtual network adapter, that does not mean the virtual machine is actually implementing them. All the hardware acceleration settings require hardware support. To configure virtual machine network adapter hardware acceleration settings, open the Hyper-V Manager console, right-click on the VM and choose the “Settings” command from the shortcut menu. In the “Settings for the VM” box, select the network adapter that you want to manage and click on the plus icon (+) to access the hardware acceleration section.

Let’s review these brawny hardware acceleration features to see how they can improve Hyper-V’s performance:

Virtual Machine Queue

VMQ is enabled by default but, like other hardware acceleration settings, it must be supported by the underlying physical network adapters. This is a dynamic activity that improves virtual machine performance by spreading the network processing workload across all available CPUs in the Hyper-V host. VMQ allows the presence of multiple, separate queues on the physical network adapter. Each queue is mapped to a specific VM; every VM has its own dedicated NIC, since the physical adapter appears to the virtual machines as multiple network interface cards. VMQ abates some of the labor on the Hyper-V switch as the host network adapter passes DMA packets directly into the memory stack of individual virtual machines. The traffic still goes through the virtual switch. To disable virtual machine queue (VMQ), uncheck the “Enable Virtual machine” queue option.

The following Windows PowerShell command disables VMQ on a VM name DC1:

  • * Set-VMNetworkAdapter -VMName DC1 -VMQWeight 0

To re-enable it:

  • * Set-VMNetworkAdapter -VMName DC1 -VMQWeight 1

IPSec Task Offloading

Encrypting and decrypting IPsec packets is a CPU-intensive operation that may slow down a Hyper-V host running multiple VMs. Enabled by default, this feature alleviates CPU utilization by offloading the processing of IPSec traffic to the physical network adapter. Depending on the capabilities of the physical NIC, you can configure the maximum number of offloaded security associations in a range between 1 and 4,096.

The following command disables IPSec Task Offloading on a VM name DC1:

  • * Set-VMNetworkAdapter -VMName DC1 -IPsecOffloadMaximumSecurityAssociation 0

To re-enable the functionality:

  • * Set-VMNetworkAdapter -VMName DC1-IPsecOffloadMaximumSecurityAssociation 1024

Single-root I/O virtualization (SR-IOV)

SR-IOV allows the VM to bypass the virtual switch and directly access a physical network adapter. Implementing SR-IOV reduces network latency for virtualized workloads, increases network throughput, and takes pressure off CPU utilization. This feature demands a SR-IOV-capable PCI Express network adapter, system BIOS support and, even though Hyper-V server does not require Second Level Address Translation (SLAT) to run, SLAT is a requirement for SR-IOV to work. Before enabling it on the virtual network adapter, SR-IOV must be enabled on the external virtual switch. You can enable SR-IOV on an external switch only when you create the switch. To enable SR-IOV on a virtual NIC, select the check box labeled “Enable SR-IOV.”

Using Windows PowerShell, you can run the following command to enable SR-IOV on all virtual network adapters in a VM name DC1:

  • * Get-VM DC1| Set-VMNetworkAdapter –IovWeight 1

Virtual Network Adapter Advanced Features

To configure a virtual machine network adapter advanced features, open the Hyper-V Manager console, right-click on the VM, and choose the “Settings” command from the shortcut menu. When the “Settings for the VM box” appears, select the network adapter that you want to manage and click on the plus icon (+) to access Advanced Features.

Let’s take a closer look at these options.

MAC Address

The default setting is dynamic MAC address assignment, which means that the virtual machine gets a different MAC address every time you turn it on. This MAC address comes from the pool of MAC addresses described earlier. To change the default configuration to a static MAC address, the VM must be turned off first. The MAC address spoofing option allows virtual machines to change the source MAC address in outgoing packets from the one originally assigned to them. This may be needed when the virtual machine is participating in a network load balancing (NLB) cluster that requires that all cluster nodes use the same MAC address for outgoing traffic.

Using PowerShell, the following command configures a static MAC address and turns on MAC address spoofing in a virtual network adapter named Ethernet1:

  • * Set-VMNetworkAdapter –VMNetworkAdapter Ethernet1 -StaticMacAddress “00165D078A01″ -MacAddressSpoofing On

To enable dynamic MAC address allocation:

  • * Set-VMNetworkAdapter –VMNetworkAdapter Ethernet1 -DynamicMacAddress

DHCP Guard

DHCP guard is not enabled by default. This security setting is designed to protect other computers on the LAN from the possibility of a rogue DHCP server running in this virtual machine. With DHCP guard disabled, an unauthorized DHCP server could accidentally dole out conflicting or invalid IP addresses on the network. This is a potential security risk, as a DHCP server may dispense mischievous IP settings to redirect the DHCP client’s traffic to hurtful destinations. Enabling DHCP Guard prevents the virtual machine from answering DHCP clients’ requests; even if a DHCP server is running in the virtual machine, it will not be able to offer TCP/IP settings over this virtual network adapter.

The following PowerShell command enables DHCP guard on a virtual network adapter name Ethernet1:

  • * Set-VMNetworkAdapter – VMNetworkAdapter Ethernet1 – DhcpGuard On

To enable DHCP guard on all the network adapters on the virtual machine, run this command:

  • * Set-VMNetworkAdapter * -DhcpGuard On

Router Guard

This is another security feature that is disabled by default. As with DHCP guard, router guard aims to thwart rogue router advertisements and avert man-in-the-middle type attacks. Selecting the “Enable router advertisement guard” check box will prevent this virtual machine from sending router advertisements and redirection messages over this virtual network adapter to other devices in the network. When you enable router guard, you explicitly tell Hyper-V that this virtual machine is not allowed to provide routing advertisement services even if the routing and remote access service are configured for IP forwarding.

The following PowerShell command enables router guard on a virtual network adapter named Ethernet1:

  • * Set-VMNetworkAdapter – VMNetworkAdapter Ethernet1 – RouterGuard On

To enable DHCP guard on all the network adapters on the virtual machine:

  • * Set-VMNetworkAdapter * – RouterGuard On

Protected Network

Enabled by default, this option supports network health detection and recovery when the virtual machine is running on a server that is a member of a failover Hyper-V cluster. This setting allows a failover Hyper-V cluster to detect a network outage on a protected virtual network and initiate a live migration of the affected virtual machine to another Hyper-V host in the cluster on which that external virtual network is available.

This is really a cluster monitoring option. You may want to prevent non-critical virtual machines from live-migrating when this type of network outage occurs. To disable this feature, the virtual machine does not need to be turned off: Just uncheck the “Protected network” box. Using PowerShell, you can run the following command to disable “protected network” on all the virtual network adapters on a VM name DC1.

  • * Set-VMNetworkAdapter –VMName DC1 –VMNetworkAdapterName * -NotMonitoredInCluster $True

Port Mirroring

This feature facilitates monitoring of the incoming and outgoing traffic for virtual machines. Traffic sent to or from a Hyper-V virtual switch port is copied and directed to another port. This functionality can be very helpful in troubleshooting traffic, security evaluation, network diagnostics, and performance management. The port mirroring mode is set to “None” by default. You configure port mirroring by setting one virtual machine as the source and another VM as the destination. Both the source and destination virtual network adapters must be on the same virtual switch. The virtual switch copies all traffic from the source virtual network adapter to the destination adapter. Usually a network monitoring application or sniffer program is installed on the virtual machine that has the virtual network adapter configured as the destination.

Let’s say that we want to configure port mirroring using two virtual machines. The VM from which the traffic is going to be copied is named SourceVM and the VM to which traffic is going to be sent to is named SnifferVM. Using PowerShell, we can run the following commands:

  • * Set-VMNetworkAdapter SourceVM -PortMirroring Source
  • * Set-VMNetworkAdapter SnifferVM -PortMirroring Destination

To disable port mirroring in all the network adapters:

  • * Set-VMNetworkAdapter * -PortMirroring None

NIC Teaming

Windows NIC teaming is also known as load balancing and failover (LBFO). Enabling this setting allows you to group multiple virtual network cards on a virtual machine into a single virtual team network adapter. The virtual team adapter aggregates the bandwidth and provides redundancy, regardless of whether or not NIC teaming is configured on the Hyper-V host.

To enable NIC teaming on a virtual machine name DC1 using Windows PowerShell, run the following command:

  • * Set-VMNetworkAdapter DC1 -AllowTeaming On

Most of the configuration options that we reviewed in this article were not available before Windows Server 2012. Features like bandwidth management, dynamic VMQ, IPSec task offloading, SR-IOV, DHCP guard, router guard, protected network, port mirroring, and NIC teaming bestow levels of performance and security that make Windows Server 2012 R2 Hyper-V a stronger competitor to VMware in many data centers.