Monthly Archives: October 2012

70-687 Configuring Windows 8

Just recently passed this exam, and I didn’t find it particularly difficult.
You can find information about it here –>

And it measures the following:

This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam.
The information after “This objective may include but is not limited to” is intended to further define or scope the objective by describing the types of skills and topics that may be tested for the objective. However, it is not an exhaustive list of skills and topics that could be included on the exam for a given skill area. You may be tested on other skills and topics related to the objective that are not explicitly listed here.

Install and Upgrade to Windows 8 (14%)

  • Evaluate hardware readiness and compatibility.
    • This objective may include but is not limited to: determine whether 32 bit or 64 bit is appropriate; determine screen resolution; choose between an upgrade or a clean installation; determine which SKU to install
  • Install Windows 8.
    • This objective may include but is not limited to: install as Windows to Go; migrate from Windows XP or Windows Vista; upgrade from Windows 7 to Windows 8 or from one edition of Windows 8 to another edition of Windows 8; install VHD
  • Migrate and configure user data.
    • This objective may include but is not limited to: migrate user profiles; configure folder redirection; configure profiles

Configure Hardware and Applications (16%)

  • Configure devices and device drivers.
    • This objective may include but is not limited to: install, update, disable, and roll back drivers; resolve driver issues; configure driver settings
  • Install and configure desktop applications.
    • This objective may include but is not limited to: set compatibility mode; install and repair applications by using Windows Installer; configure default program settings; modify file associations; manage App-V applications
  • Install and configure Windows Store applications.
    • This objective may include but is not limited to: install, reinstall, and update Windows Store applications; restrict Windows Store content; add internal content (side loading); disable Windows Store
  • Control access to local hardware and applications.
    • This objective may include but is not limited to: configure AppLocker; configure access through Group Policy or local security policy; manage installation of removable devices
  • Configure Internet Explorer.
    • This objective may include but is not limited to: configure compatibility view; configure security settings; manage add-ons; configure websockets; configure Download Manager
  • Configure Hyper-V.
    • This objective may include but is not limited to: create and configure virtual machines; create and manage snapshots; create and configure virtual switches; create and configure virtual disks

Configure Network Connectivity (15%)

  • Configure IP settings.
    • This objective may include but is not limited to: configure name resolution; connect to a network; configure network locations; resolve connectivity issues
  • Configure networking settings.
    • This objective may include but is not limited to: connect to a wireless network; manage preferred wireless networks; configure network adapters; configure location-aware printing
  • Configure and maintain network security.
    • This objective may include but is not limited to: configure Windows Firewall; configure Windows Firewall with Advanced Security; configure connection security rules (IPSec); configure authenticated exceptions; configure network discovery; manage wireless security
  • Configure remote management.
    • This objective may include but is not limited to: choose the appropriate remote management tools; configure remote management settings; modify settings remotely by using MMCs or Windows PowerShell

Configure Access to Resources (14%)

  • Configure shared resources.
    • This objective may include but is not limited to: configure shared folder permissions; configure HomeGroup settings; configure file libraries; configure shared printers; set up and configure SkyDrive; configure Near Field Communication (NFC)
  • Configure file and folder access.
    • This objective may include but is not limited to: encrypt files and folders by using EFS; configure NTFS permissions; configure disk quotas; configure object access auditing
  • Configure local security settings.
    • This objective may include but is not limited to: configure local security policy; configure User Account Control (UAC) behavior; configure Secure Boot; configure SmartScreen filter
  • Configure authentication and authorization.
    • This objective may include but is not limited to: configure rights; manage credentials; manage certificates; configure smart cards; configure biometrics; configure picture password; configure PIN; set up and configure Windows Live ID

Configure Remote Access and Mobility (14%)

  • Configure remote connections.
    • This objective may include but is not limited to: configure remote authentication; configure Remote Desktop settings; establish VPN connections and authentication; enable VPN reconnect; manage broadband connections
  • Configure mobility options.
    • This objective may include but is not limited to: configure offline file policies; configure power policies; configure Windows to Go; configure sync options; configure WiFi direct
  • Configure security for mobile devices.
    • This objective may include but is not limited to: configure BitLocker and BitLocker To Go policies; configure startup key storage; configure remote wipe; configure location settings (GPS)

Monitor and Maintain Windows Clients (13%)

  • Configure and manage updates.
    • This objective may include but is not limited to: configure update settings; configure Windows Update policies; manage update history; roll back updates; update Windows Store applications
  • Manage local storage.
    • This objective may include but is not limited to: manage disk volumes; manage file system fragmentation; manage storage spaces
  • Monitor system performance.
    • This objective may include but is not limited to: configure and analyze event logs; configure event subscriptions; configure Task Manager; monitor system resources; optimize networking performance; optimize the desktop environment; configure indexing options

Configure Backup and Recovery Options (14%)

  • Configure backup.
    • This objective may include but is not limited to: create a system recovery disk; back up files, folders, and full system; schedule backups
  • Configure system recovery options.
    • This objective may include but is not limited to: configure system restore; determine when to choose last known good configuration; perform a complete restore; perform a driver rollback; perform a push button refresh or reset; configure startup settings
  • Configure file recovery options.
    • This objective may include but is not limited to: configure file restore points; restore previous versions of files and folders; configure File History

Now what I used for this exam wasn’t much. First off:
1: Use Windows 8 as your primary OS for a while (or use it as your primary OS as default!)
2: Know a bit about how OS deployment works
3: TechNet, TechNet and a bit more TechNet
The following URLs were very useful: Windows To Go, Windows 8 technologies, BitLocker, AppLocker, Windows 8 and ADK

This is not an in-depth exam; it is more about configuring the basics of each function within Windows 8. The depth will come with the next exam, which is the 688 (which is still in development).

Convert from CRT to PFX with openssl

In many cases where you need an SSL certificate for your web servers (or other secure services like Lync, Exchange etc.) you need to get a digital certificate from a third-party certificate authority.
Many third-party CAs will issue you a CRT file for the certificate and a CRT file for the certificate authority (most Windows clients already have most third-party CAs in their store; you can view them by opening mmc.exe and choosing Certificates), and they also provide you with the RSA private key of the certificate in a separate file.
Some CAs also let you download finished PFX files, depending on what kind of service you need to deploy.
So check with the CA you are buying your certificates from; in most cases they have their own certificates for web servers and for Lync, Exchange etc.

On Windows you need to merge these files into a PFX file.

Now before I tell you the secret I wish to explain what the difference is between the different files so you know how the certificate works.

  • A .csr file is a certificate signing request which initiates your certificate request with a certificate provider and contains administrative information about your organization.
  • A .key file is the private key used to encrypt your site’s SSL-enabled requests.
  • .pem and .crt extensions are often used interchangeably and are both base64 ASCII encoded files. The technical difference is that .pem files contain both the certificate and key whereas a .crt file only contains the certificate. In reality this distinction is often ignored.
  • The PFX extension is used on Windows servers for files containing both the public key files (your SSL certificate files, provided by for instance DigiCert) and the associated private key (generated by your server at the time the CSR was generated).

So in my case I had a crt file for the certificate itself, a crt file for the CA, and the private key within a .key file.
Now I had to “merge” these into a PFX file so I could import it for use with Lync.
Now this is where openssl comes in.

OpenSSL often comes by default with most Linux distros (Ubuntu, Fedora etc.); in my case I had the Netscaler VPX available.
Before you can use openssl on Netscaler you have to type the command shell to enter the regular FreeBSD shell.

So type the command
openssl pkcs12 -export -out certificate.pfx -inkey rsaprivate.key -in certificate.crt -certfile fileca.crt
After that you need to type a password to encrypt the PFX file.


Now after that is done you can copy the file from the share on either your unix share or Netscaler as in my case.
And you can try importing it in the certificate store.


Now when you import it you need to enter the password you used earlier, and after you have finished importing it, open it and check that you have the private key available.
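A scripted form of the merge above, as an added example that is not from the original post: it checks that the private key matches the certificate and that the certificate verifies against the CA file before exporting, then confirms that the PFX holds both certificates and the key. The function names, the PFX_PASS environment variable and the throwaway demo CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example: validate key, certificate and CA, then build the PFX.
# File names follow the command above; PFX_PASS and all function names are assumptions.

# SHA-256 over the PEM public key embedded in a certificate.
cert_pubkey_hash() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the PEM public key derived from a private key file.
key_pubkey_hash() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# make_pfx KEY CERT CA OUT: export only if the three inputs belong together.
# Returns 1 = unreadable input, 2 = key/certificate mismatch, 3 = wrong CA.
make_pfx() {
    key=$1; cert=$2; ca=$3; out=$4
    ch=$(cert_pubkey_hash "$cert") || { echo "cannot read certificate $cert" >&2; return 1; }
    kh=$(key_pubkey_hash "$key") || { echo "cannot read private key $key" >&2; return 1; }
    [ "$ch" = "$kh" ] || { echo "private key does not match certificate" >&2; return 2; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against $ca" >&2; return 3; }
    # umask 077 keeps the PFX (which contains the private key) readable by the owner only.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
          -certfile "$ca" -passout env:PFX_PASS )
}

# Number of certificates stored in the PFX (server certificate + CA = 2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Public key hash of the private key stored in the PFX.
pfx_key_hash() {
    pem=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
          openssl pkey -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed demo material: a throwaway CA, a server key and certificate,
# and an unrelated key used to show the mismatch check.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/fileca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lync.example.test" \
        -keyout "$dir/rsaprivate.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/fileca.crt" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -out "$dir/certificate.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Demo run in a temporary directory that is removed afterwards.
demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-passphrase'; export PFX_PASS
    make_demo_material "$d"
    make_pfx "$d/rsaprivate.key" "$d/certificate.crt" "$d/fileca.crt" "$d/certificate.pfx" &&
        echo "PFX holds $(pfx_cert_count "$d/certificate.pfx") certificates"
    make_pfx "$d/other.key" "$d/certificate.crt" "$d/fileca.crt" "$d/bad.pfx" ||
        echo "mismatched key rejected (status $?)"
    rm -rf "$d"
}
demo
```

Passing the password through the environment keeps it out of the process list and shell history; set PFX_PASS to the import password before calling make_pfx.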


Troubleshooting Netscaler

Netscaler is a complex device, and let’s face it, a lot of things can go wrong, either when setting it up or when someone does something weird with the config and saves it. So therefore I wrote this basic troubleshooting guide; hopefully it will be of some help.
This guide is primarily written with the CLI in mind; of course the appliance includes a pretty comprehensive GUI diagnostic menu as well.
Here you also have the “Call Home” option (you have to enable the feature first: enable feature ch).
Call Home requires that your Citrix NetScaler MPX appliance When the problem cannot be resolved using the old methods, you can decide to push “Call Home”, which will then upload all the data for troubleshooting to Citrix Tech Support and optionally create a support case. Of course you must have an active Technical Support Contract to make use of this feature. Not having an active Technical Support Contract will result in a registration failure.

Another useful tool is the “Revision history”, which allows you to roll back to a previous config file in case someone made a mistake in the config.

But! Let’s first start talking about troubleshooting the network. If you have some traffic issues that you want to debug closer we can start a or a (for more low level debugging)
Both of these store their output in cap (capture) files that you can analyze further via for instance Network Analyzer or Wireshark, and I’ll show you how.

If I run for instance the command nstrace -time 30

it will store trace data for 30 seconds in a new cap file.
I could also apply a filter to the trace in order to “filter out” stuff that I don’t need.

I could use -filter "SOURCEIP ==" -time 30
This would fetch out traffic where the source IP is from

There are some other filters that you can use, they are listed here –>

In order to kill a trace push CTRL + C

Now if you want to fetch these files you need an SCP client, for instance WinSCP.
After you have downloaded and installed the client you can establish a connection to the NSIP.

Now go to the root/var/nstrace directory and copy over some of the cap files. I suggest that you open these in, for instance, Wireshark.
If you open Wireshark, choose the import file option and choose one of the cap files.


Here is the cap file where I put the filter on source IP. You can also perform a raw dump on the Netscaler (this is pretty CPU intensive, so be careful) and then perform analysis in Wireshark.
Now that we’ve covered the networking part, we can move on to the event viewers.
If you are connected to the Netscaler console you can run the command nsconmsg; you have to run the command shell first.
After you start it the console might get spammed.

You can also open log files from –> /root/var/nslogs (and there are some useful logs there),

and you can use the same command to view archived logs, for instance if you have a newnslog.100 file.
cd /var/nslog
tar xvfz newnslog.100.tar.gz
/netscaler/nsconmsg -K /var/nslog/newnslog
(Remember to use K, not k, in the command; a small k is used to write logs, not read them.)

This will read archived logs.
You can also use the common unix command top to view utilization.
You can also use the Netscaler stat commands:

stat ns

stat cpu

stat interface

Common stat commands for vserver and service:

stat lb vserver

stat cs vserver

stat service

Other common stat commands:

stat dns

stat ssl

stat http

Also, when in doubt, double-check all the settings for a service. For instance, if you have a high-availability setup use the command
show node
There are also numerous show commands that you can use to check the status of each service.

show node

show info

show license

show lb vserver

show cs vserver

show service

show persistencesession

show connectiontable

show route

show ip

show dns addrec -type proxy

Another useful command for when you are looking at the config file:

sh run | grep XA
This will show the running config, but just the lines containing XA.

Hopefully this will get you along the way when troubleshooting a Netscaler device.
I would also recommend that you check the URL below for reference for logs and messages.

Other useful links: logs message reference

Error when starting a VM in Hyper-V 2012

Quick post!
Got an error after I’d upgraded my servers from 2008 R2 to 2012 and wanted to boot my VMs.
In the event viewer I got this error message: Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS. Please disable Secure Mode Extensions in the BIOS to launch Hyper-V.
In the Hyper-V Manager I got the message:

Virtual machine ‘VM_Name’ could not be started because the hypervisor is not running (Virtual machine ID <Virtual_Machine_ID>). The following actions may help you resolve the problem:

  1. Verify that the processor of the physical computer has a supported version of hardware-assisted virtualization.
  2. Verify that hardware-assisted virtualization and hardware-assisted data execution protection are enabled in the BIOS of the physical computer. (If you edit the BIOS to enable either setting, you must turn off the power to the physical computer and then turn it back on. Resetting the physical computer is not sufficient.)
  3. If you have made changes to the Boot Configuration Data store, review these changes to ensure that the hypervisor is configured to launch automatically.

This was a bit odd since it was working for 2008 R2, so I tried the basics.

First I ran systeminfo and looked under Hyper-V Requirements to see that it was fully supported.

Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes

I ran the command bcdedit /set hypervisorlaunchtype auto
since it stated that the hypervisor was not running.

Tried a reboot, but still nothing happened.
In my case it was because I had an old BIOS driver on my server, so when I updated my BIOS everything started working again. So remember to check that you have the latest BIOS driver; that is always a good best practice.

Boundaries and Boundary Groups

I see a lot of searches towards the blog regarding boundaries and boundary groups, so I thought that I should post a bit more about how these settings work and how they affect your site.

A boundary is a network location in your infrastructure that contains one or more devices that you want to manage. A boundary can be an IP subnet, an Active Directory site, an IPv6 prefix or an IP address range, and the hierarchy in ConfigMgr 2012 can include any combination of these boundary types. Remember that to use a boundary you need to put it into a boundary group. By using boundary groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images.

When clients are connecting from the internet, they do not use boundary group information. They either download from any distribution point of their site (when the distribution point is configured to allow client connections from the internet)

When you have created a boundary group, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment.


You can associate one or more distribution points with each boundary group. You can also add a single distribution point to multiple boundary groups. The default behavior is to choose the closest server from which to transfer the content. And remember that ConfigMgr 2012 supports a client being a member of multiple boundary groups for content location, but not for automatic site assignment.


Netscaler 101

The last couple of days I’ve seen a lot of traffic on my blog regarding the posts on Netscaler (and I don’t have so many of them!). And with the recent events regarding Cisco ACE and Microsoft Forefront TMG, I’m guessing that a lot of people are looking into the option to switch over to Citrix.
Cisco has always been huge in the networking market, but in the ADC (Application Delivery Controller) market they have never gotten the huge market share that they were hoping for; therefore a couple of weeks ago they decided to stop further development of their ACE product. Similarly, Microsoft decided to stop further development of their TMG product. TMG is not the same kind of product as Netscaler/ACE/BIG-IP, though it has a lot of the same functions and features.

So back to Netscaler what can it offer:
* Advanced load balancing
* Content and app caching
* Database load balancing
* Application Firewall
* Secure Remote Access
* Advanced server offload
* Application acceleration
* Integration with Citrix
      * Access Gateway features
      * Web interface
* Scale up and Scale Out features

You can read more about the different features here –>

Now the Netscaler product comes in 3 different versions.

MPX: The hardware appliance, which is again split up into different models.
As you can see most of the models here have a “pay-as-you-grow” option, so for instance if you buy an MPX 7500 and your company is growing and you need more throughput you can upgrade your 7500 to a 9500. It’s the same hardware as before; you just “unlock” more features.
You can see all the different models and features here –>

VPX: A software-based virtual appliance, which is available for Hyper-V, VMware and XenServer.
Here as well you have a “pay-as-you-grow” solution so you can upgrade it if you need more throughput. The downside to using a VPX is that it does not have hardware-based SSL acceleration (which the MPX has), which allows for a lot fewer SSL connections.

SDX: The best of both worlds. It is a hardware appliance like the MPX but it also has the capability of running VPX instances. So it’s a piece of hardware which basically runs a stripped-down XenServer, which allows it to run multiple VPXs inside. And since this piece of hardware has SSL acceleration capabilities it does not have the downside of a regular VPX. It allows for up to 40 VPXs, and that will allow for true multi-tenancy.
You also have the “pay-as-you-grow” option here.

Netscaler also comes in 3 different editions (like most Citrix products).
You can see the different editions and their limitations in this datasheet

A summary,
Standard = Use for Load-balancing (Web and DB) also has Citrix Web interface and TCP optimization
Enterprise = For more advanced features – cloud bridge, edgesight for netscaler, branch repeater client.
Platinum = Includes all the features.

So what do I need for my organization?
Well, first off you need to figure out what your needs are.
1: Do I need just the load balancing for my web servers?
2: SSL VPN solution and/or SSL offloading?
3: Advanced web load balancing, caching and optimization?
4: Multi-tenancy solution?
5: DDoS defenses? Or do I have a firewall in front which is fully capable?
6: Just for my Citrix pieces (Access Gateway and Web Interface)?
7: SQL load balancing?
8: How many users do I have?

You also need to calculate the bandwidth usage of the service you are going to load-balance; most of the products (for instance Lync) have well-documented traffic usage for each feature.
Let’s take an example: if I am a small business that just needs to load-balance my 2 web servers for my internal users (and I have 100 of them), the smallest VPX would suffice.
If I am an enterprise service provider and I offer a full multi-tenancy solution where customers can set up LB for all their services, I would recommend an SDX. (The best solution regarding version is to start with the lowest system you think you need and upgrade when you need to grow.)

So after you have chosen the model (remember that you always need two of them, since if you only have 1 you have a single point of failure), the next part is setting up the device.
Remember that the Netscaler operating system consists of two parts.
1: FreeBSD (the appliance uses this part for booting and for logging)
2: The core OS (NSOS, NetscalerOS), which controls the traffic in and out of the appliance.

When an appliance boots, it will get the system image from the flash, decompress it and put it into RAM. The config file is also fetched from the flash and put into RAM (which is known as the running-config).
(You can show the running-config from the CLI by running the command show ns runningconfig; if you want to see the saved config you can run the command show ns ns.conf)
You can access it either via a console (serial cable or console via the hypervisor)

And remember that you can save at any time by running the command save ns config; if you screwed up (and didn’t save your config) you can restart the Netscaler.

When you start the NS appliance the first thing you see is that it asks for an IP (known as the NSIP, Netscaler IP), which is used for management purposes and clustering. You also enter a subnet mask and a gateway.


After that you can save and quit the config menu, and you can now access the appliance via a web console. You can also see more info regarding the interface by running the command show ns ip


As you can see here it says that “Management Access is enabled” and that FTP, Telnet, SSH and GUI are enabled.
So we should disable the insecure access methods before we continue, by running the command set ns ip <NSIP> -telnet disabled and the same for FTP (-ftp disabled).

There are other things we should configure as well: change the default password for the user “nsroot”.
You can do this by running the command set system user nsroot PASSWORD (something very very safe)

Also you SHOULD enable NTP sync with an authorized NTP server.
add ntp server IP -minpoll integer -maxpoll integer
enable ntp sync
Now we can log onto the Web GUI. (I’m using version 10 of the Netscaler VPX; you can get a free trial for your hypervisor from and might add that the web GUI is much improved in V10)

The default username and password for the local system user on a Netscaler are nsroot and nsroot.
So after you have logged in you will come to the main menu.

It’s split up into 3 panes (Dashboard, Configuration and Reporting) and what you see here is the configuration pane.
If I go to the Dashboard, you see a lot of real-time information regarding well.. everything you want to see.
I can choose if I wish to view SSL connections, TCP handshakes, HTTP traffic etc.


The reporting pane is just that: you can create reports, and there are a bunch out of the box that we can view as well.
But most of the time we are going to be in the configuration pane.
Now what other things do we need to do in order to load-balance a service?
First off we have to design how the Netscaler should be placed in our infrastructure; most of the designs are based on
one-arm mode or two-arm mode.

In one-arm mode the Netscaler has ONE interface; external traffic comes in and the inside traffic goes out on the same interface (traffic is split by using VLANs).
In two-arm mode the Netscaler has TWO interfaces: one where external traffic comes in and goes out, and one for internal traffic. This is the much more common deployment.

Now in both scenarios the traffic to the back-end servers flows as follows.

When the client connects to the web service at the virtual IP, the Netscaler (depending on the LB rules) makes a connection to one of the servers which are bound to that virtual service, using the Netscaler SNIP (Subnet IP).
The Subnet IP is an address that connects the Netscaler to the servers in the backend, so you should have a SNIP address for each subnet you want to have services in.
So SOURCE IP –> VIRTUAL IP (NS) SNIP –> WEB SERVER (BASED ON LB), so for the web servers it will appear that the connections come from the same IP. And the same goes for the way back to the clients:
WEB SERVER –> SNIP (NS) VIRTUAL IP –> SOURCE IP, so for the clients all they see is that one IP address, which may house loads of web servers.

Now is there a problem with this?
Well yeah.. if you have a web server you probably want to have logging in place for the IP address of the client. For that you have the Netscaler option known as “Use Source IP mode” (USIP), which will allow clients to do a direct connection with the backend servers. But what is the downside of this?
1: TCP multiplexing, which allows the Netscaler appliance to have one connection to the web server, will be disabled when you use Source IP mode.
2: When backend servers see the source IP they will look at their default routing table instead of returning the traffic to the Netscaler, so the servers will go via the local gateway instead of the Netscaler. When the backend servers try to establish the TCP connection with the client, the client will drop the connection since it is awaiting its response from the Netscaler VIP.
So if you use Source IP mode you need to set the default GW on the backend servers to point to the NS.

You can set USIP mode under modes:
Configuration –> Settings –> Configure Modes –> Use Source IP
Alternatively, run enable ns mode usip
For logging we have another choice: the inject HTTP header option, which allows the Netscaler to inject the source IP as a header into the HTTP request, which again allows logs on the web server to contain the IP address of the client.
But in general I would recommend that you don’t use USIP.
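To illustrate the header-injection option from the web server's side, here is an added example (not from the original post): an awk filter, wrapped in a shell function, that takes the client IP from the injected header only when the connection really came from the Netscaler SNIP, so a header sent by a host that reaches the server without passing the Netscaler is ignored. The log layout, the addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: recover the real client IP from web server logs when the
# Netscaler connects from its SNIP and injects the client IP as a request header.
# Assumed (constructed) log layout, one request per line:
#   <peer-ip> <injected-client-ip-header or "-"> <method> <path> <status>

# effective_clients SNIP_LIST   (comma-separated SNIPs; log on stdin)
# Prints "<client-ip> <how-it-was-determined> <method> <path> <status>".
effective_clients() {
    awk -v snips="$1" '
    BEGIN {
        n = split(snips, list, ",")
        for (i = 1; i <= n; i++) trusted[list[i]] = 1
    }
    # Accept only dotted-quad values with octets 0-255 as a client address.
    function is_ipv4(s,    parts, k) {
        if (split(s, parts, ".") != 4) return 0
        for (k = 1; k <= 4; k++)
            if (parts[k] !~ /^[0-9]+$/ || parts[k] + 0 > 255) return 0
        return 1
    }
    {
        peer = $1; hdr = $2
        if (peer in trusted) {
            # Connection came from the Netscaler: the header is trustworthy.
            if (is_ipv4(hdr)) { client = hdr;  how = "from-header" }
            else              { client = peer; how = "snip-no-header" }
        } else {
            # Connection did not come from the Netscaler: never trust the header.
            client = peer
            how = (hdr == "-") ? "direct" : "direct-header-ignored"
        }
        print client, how, $3, $4, $5
    }'
}

# Number of distinct clients seen after applying the rule above.
distinct_clients() {
    effective_clients "$1" | awk '{ seen[$1] = 1 } END { n = 0; for (c in seen) n++; print n }'
}

# Constructed sample log: 192.0.2.10 plays the SNIP, 203.0.113.x are clients,
# 198.51.100.23 reaches the web server directly and sends its own header.
sample_log() {
    cat <<'EOF'
192.0.2.10 203.0.113.7 GET /index.html 200
192.0.2.10 203.0.113.99 GET /login 200
192.0.2.10 203.0.113.7 GET /logo.png 200
192.0.2.10 - HEAD / 200
198.51.100.23 203.0.113.7 GET /admin 403
EOF
}

sample_log | effective_clients 192.0.2.10
```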

Now let’s set up a load-balancing configuration.
Before we continue, remember that you need to set up at least 3 addresses on the NetScaler:
1: NSIP
2: VIP
3: SNIP or MIP

There are a few things we need to find out before we can set up LB: what kind of service do we need to load-balance, and which servers are hosting this service? We also need to set up a monitor towards that service. The monitor checks whether the service in the backend is responding on that server; if one server is not responding for a particular service it is taken out of the LB queue. So we need:
1: Servers (the list of servers that have a particular service running)
2: Service (what kind of service is it? Web hosting on port 80?)
3: Monitors (check if the service on the server is responding; if not, it is taken out of the LB queue until it starts responding again)
4: Virtual IP (a virtual IP address which the Netscaler will respond to)
All this is added together and it creates a load-balanced service on a virtual IP address which consists of the servers in the server list.

So let’s go ahead and create an LB service. First we add a VIP and a SNIP.
Go to the configuration pane –> IPs and add an IP address. Remember that a VIP is the IP address that the end users are going to connect to; the SNIP is an IP which the Netscaler uses to connect to the servers in the backend.
After that go to the load-balancing pane further down.
Go to servers and add the servers that have a service.
(Remember that this is just a list of servers; you don’t define the services here.)

After that go to monitors –>
As you can see, the HTTP monitor is enabled by default.
This does an HTTP HEAD request, and if it is working as it should you should get a code 200 response.
You can see this by opening the http monitor.
After that we add the service.
We add a service that runs on port 80 on one server and add the HTTP monitor. (Remember to add this for both servers, and give each service on each server a very descriptive name.)


Now that we have both services on both servers it should look like this.
(In my case I don’t have any hosts on these IP addresses yet, so they are shown as Down, because the monitor is trying to do HTTP requests against them.)


Now at last we will add the virtual server that will point to the HTTP service on these 2 servers in the backend. Go to Load balancing and virtual server –>

Remember to add both of the services on those servers. (If you wish to load-balance differently, for instance if you have more power on one of the servers, you can alter the weight on that server to 2; then this server will take twice the load.)
You can also go to method and persistence to change how the service is load-balanced. By default it is set to “least connection”: the server with the least connections will get the next connection, and this will happen until they are even. You can also specify persistence (this defines whether a client should talk with the same server it spoke with earlier); the most typical choice here is cookie insert for web services. But we will leave it at the default.


Now I’ve added an HTTP server which actually responds to HTTP.

You can see that it responds to HTTP requests if I open a browser to the IP.
And if you are like me and would like to do it via the CLI you can do this.
Run the command add service servername ip http portname


Next we need to add the services to a virtual IP (that will do the load balancing).
First we do an add lb vs servicename http ip 80
then we bind the services to that virtual IP:
bind lb vs servicename serviceserver


After that you can do a

sh lb vs v1 to show whether the load balancing is active.


Phew! Long post. The next one will be about setting up a cluster on Netscaler, since you always need 2 x Netscalers so you don’t have a single point of failure. And we are going to integrate authentication with LDAP.
I would also recommend that users look at the command reference sheet from Citrix eDocs.

Windows Server 2012 & System Center 2012 licensing

Even though Microsoft said that it would be easier, it was still a bit difficult for me to understand how it worked, but in the end I finally got a good grasp of how the licensing model works, so I would like to share it with you. Windows Server 2012 and System Center 2012 are licensed in the same manner, which makes it easier to combine them.

First off, System Center and Windows Server 2012 come in two editions: Standard and Datacenter.
The difference between the two is the right to virtualize.

Standard allows you to have 2 virtual server OSEs
Datacenter allows for unlimited virtual server OSEs

And also remember that each license covers two processors.
You also need to remember that there are no differences between Standard and Datacenter; they have all the same functions and they have no restrictions.
If you plan to implement both these solutions you might want to consider a Core Infrastructure license, which contains either Standard (Windows Server & System Center) or Datacenter (Windows Server & System Center) at a reduced price.

Some estimated prices on Server: Datacenter $4,809 Standard $882
and on System Center: Datacenter $3,607 Standard $1,323

Some examples of pricing.
1 physical server, 1 CPU, 1 VM = 1 Standard license
1 physical server, 4 CPU, 1 VM = 2 Standard licenses (or 2 Datacenter)
1 physical server, 4 CPU, 10 VM = 5 Standard licenses (or 2 Datacenter)
1 physical server, 4 CPU, 20 VM = 10 Standard licenses (or 2 Datacenter; it would be a lot cheaper to buy Datacenter here)
2 physical servers, 2 CPU each, 2 VM each = 2 Standard licenses (or 2 Datacenter; of course it would be a lot cheaper to buy Standard here)

So some other examples. (What if I have 1 Datacenter license on Server 2012 and System Center, I have 2 CPUs, and I have Operations Manager installed; what happens if I want to install Configuration Manager on some virtual machines on the server?) Nothing! Licensing is based on physical processors, not virtual.

So what is the catch, what else do I need to think of?
For Server you still need a CAL for each user that is accessing the server.
For System Center you still need a Client ML (Management License) for each managed device that runs a non-server OSE.
And for System Center you have 3 different Client MLs:
Configuration Manager Client ML (Configuration Manager and Virtual Machine Manager) (included in Core CAL)
Endpoint Protection Subscription (Endpoint Protection) (included in Core CAL)
Client Management Suite Client ML (Service Manager, Operations Manager, Data Protection Manager, Orchestrator) (included in Enterprise CAL)

So if you have 1 server with 2 physical CPUs (without virtual machines on that server) and you wish to manage 50 computers using ConfigMgr and have Endpoint Protection, you would need
1 Standard Server license, 1 System Center Standard license, 50 Configuration Manager Client ML + Endpoint Protection Subscription (unless you have a Core CAL in place)