
Windows Server 2008: Need to Know

After many months of waiting, Microsoft finally released the Beta 3 version of Windows Server 2008 (previously codenamed "Longhorn"), a major milestone pre-release version of the next version of Windows Server. (More recently, a CTP, or Community Technical Preview, version was distributed to beta testers in June 2008.) Windows Server 2008 has evolved quite a bit over time, and though the project hasn't suffered from the many feature drops and problems that dogged Windows Vista, there are certainly a few surprises in Beta 3 and the June CTP. Here's what you need to know about Windows Server 2008.

Windows Server 2008 basics

Windows Server 2008 will be a major Windows Server release with dramatically improved functionality when compared to its predecessors. Enhanced scripting and task automation via the new Windows PowerShell--a surprise addition to Beta 3, given that PowerShell was originally not going to ship as part of this product--and improved roles-based installation and management capabilities will give administrators more control than ever, Microsoft says. Indeed, the roles-based installation and management features now extend to Server Core, a new lightweight and safer version of the server.

Like Windows Vista, Longhorn also includes increased security prowess, thanks to a variety of tools and low-level changes. The Windows Firewall is now enabled by default, for example, and Windows Server 2008 can be installed in branch offices using technologies such as Read Only Domain Controller (RODC) and BitLocker, ensuring that physical server theft won't result in a major security disaster. Windows Server 2008 also includes the long-awaited Network Access Protection (NAP) feature, which finally brings policy-based network quarantining to the Windows platform.

On the flexibility front, Windows Server 2008 adds some intriguing new Terminal Services improvements that will allow organizations to deploy remote environments and even remote applications, both within their firewall and beyond. And eventually, the inclusion of the optional Windows Server Virtualization piece will provide Windows Server 2008 with a more performance-friendly and secure "bare metal" virtualization solution, though that's not present in Beta 3. (See below for more information.)

Beta 3 and beyond

In the gear up to Windows Server 2008 Beta 3, Microsoft has made a number of improvements. PowerShell is now included in the product, as previously noted. Windows Firewall is enabled by default and is configured to open and close only the required ports as roles and features are installed and removed, resulting in the most secure Windows Server version yet. And Server Manager, Microsoft's central console for daily server administration tasks, has been improved and augmented by a new command line tool called servermanagercmd.exe that provides admins with all of Server Manager's functionality from the command line. (Note that this tool runs within the standard command line environment and not PowerShell, however.)

Speaking of command lines, the Server Core install type has been augmented as well with a new command line tool called oclist.exe, which provides a way to examine which roles and features are installed in that environment. Microsoft has also increased the number of roles in Server Core from 7 with the addition of new Active Directory Lightweight Directory Services (AD LDS), Print, and Windows Media Services (WMS) roles. Additionally, the company says it is examining customer requests to add other roles to Server Core in the future, though it won't commit to any at this point.

Beta 3 also includes some Terminal Services improvements. A new feature called Easy Print makes it, well, easy to print from a Terminal Services-based environment or application to your default printer. Remote Programs has been rebranded as Terminal Services RemoteApp. You can seamlessly copy and paste between a Terminal Server session and the host OS, which is a huge improvement. And Terminal Services now supports 32-bit color sessions, up from 24-bit in previous versions.

Network Access Protection, Microsoft's network quarantine technology, has been updated so that you can remediate connecting clients via Windows Update or Microsoft Update if your local Windows Server Update Services (WSUS) box is unavailable. You can now integrate NAP with Cisco's Network Admission Control (NAC) quarantine solution as well, which was the ostensible reason for delaying NAP from Windows Server 2003 R2 to this release. And a new UI makes setting up and managing NAP easier than ever.

Drilling down

Looking over the long list of new and improved Windows Server 2008 functionality, a number of features stand out. The new Server Manager is turning into a true one-stop-shop for an admin's daily management needs. Here, you'll see nodes in the Microsoft Management Console (MMC) UI for all of the installed roles and features; troubleshooting tools such as the new XML-based Event Viewer, Services, and the new Vista-like Reliability and Performance tools; configuration tools such as Task Scheduler, Windows Firewall, WMI Control, and Device Manager; and storage and backup tools like Windows Server Backup (finally, a replacement for the miserable NT Backup) and Disk Management, which can now resize NTFS-based volumes on the fly.

Server Manager is the culmination of years of work on the management user interface. In the topmost "home page," you'll see a wide range of information about the currently connected server, along with task pads for editing server configuration information. Other commonly needed server attributes, like security, roles, and features, are also available from this home page, and this isn't a dashboard, but rather an interactive cockpit. That is, you can view installed features, for example, but you can also install and uninstall features from this home page and drill deeper into the functionality of installed features.

Windows Server Core, obviously, is one of the most intriguing things about Windows Server 2008. This stripped down install type lets you configure a GUI-less, headless server with one to seven roles, including Active Directory (AD), AD LDS, DNS, DHCP, WMS, File, and Print (and, eventually, Windows Server Virtualization). Server Core comes up with a blank desktop and a single command line window. There's no shell, Internet Explorer, Windows Media Player, or any other pointless graphical applications. Indeed, even Notepad--which is available in Server Core--had to be hacked so that it could present an ancient version of the Open Save dialog.

The point behind Server Core is to provide only core server features and to do so in the most secure way. Because of the roles-based installation and management aspects of Windows Server 2008, each of the Server Core roles is installed in the most secure way possible, reducing the attack surface of the server as much as possible. Note that Server Core-based servers are still Windows 2008 servers, of course: You can still manage them remotely using the GUI-based tools you already know and love, from another server or a desktop machine.

Windows Server 2008, like Vista, includes the useful BitLocker utility, which provides full volume disk encryption for the system disk. BitLocker is as useful on the server as it is on a traveling executive's laptop, since physical server theft--especially in less well-protected branch offices--is such a serious problem. But BitLocker is even more useful when used in tandem with other Windows Server 2008 technologies. For example, businesses looking for the most secure and easily managed branch office servers could install BitLocker on those systems alongside Server Core, RODC, and EFS for secondary partitions for the most secure possible configuration. If the server is stolen, no data can be taken and hackers won't be able to access the passwords for all domain users since only the passwords for the locally cached users--and not the administrators--are stored locally on the box. On the admin side, all you need to do is delete the RODC from the domain and reset the passwords for those users who logged on locally: Best of all, that's all handled automatically.

On the Terminal Services front, a new mode called Terminal Services Gateway tunnels remote sessions via HTTPS so that you don't need to configure a VPN and can still access Terminal Services from wireless locations that specifically block VPNs. Remote sessions connected in this fashion are marked with the same "secure lock" graphic users are familiar with from IE. And Terminal Services RemoteApp delivers individual applications, instead of separate remote sessions, to users' desktops. After logging on, the effect is pretty seamless and almost identical to running the application locally. However you're using Terminal Services, in Windows Server 2008 you can copy and paste between the local desktop and remote session. Finally.

What's missing?

One of the most eagerly awaited Windows Server 2008 technologies--Windows Server Virtualization, codenamed Viridian--is sadly missing in the current prerelease versions of Windows Server 2008. Indeed, in the weeks before shipping Beta 3, Microsoft warned that it would not be able to ship a public beta of Viridian until the second half of 2007; it was previously expected in the first half of the year. However, Microsoft still claims that it will be able to ship Windows Server Virtualization within 180 days of the release of Windows Server 2008, which is now set for late February 2008. The company still plans to make this technology available separately from Windows Server 2008, as a free but separate update.

Whenever it is released, Windows Server Virtualization will be made available as a new server role in both Server Core and the mainstream installations of Windows Server 2008.

Windows Server 2008 Beta 3 also doesn't support a Web Server or Application Server role in Server Core, though a basic Web Server role was added to the June CTP. The issue is the .NET Framework, which would be required in either scenario: Current versions of the .NET Framework include a variety of GUI-based libraries that wouldn't work properly in Server Core, and Microsoft is investigating whether it should create a Server Core-friendly .NET Framework subset for a future release. Meanwhile, Web admins looking to deploy non-dynamic sites can work with the new Web Server role.

One potential problem with Windows Server 2008 is its dual nature. While the roles-based management approach means the system will always configure things correctly when you use the GUI tools, it's still possible to go into other tools, change settings, and configure things incorrectly. Consider Windows Firewall: When you install or configure a role like Application Server, the firewall is automatically configured so that that role will function correctly. But you can still go into the Windows Firewall GUI and manually override those settings. There's no "secure for currently configured roles" fallback switch.

Recommendations

Microsoft says it is on track to finalize Windows Server 2008 by the end of 2007 and Windows Server Virtualization by late 2007 or early 2008. (The company will launch Windows Server 2008 in February 2008.) It's time for businesses of all sizes to begin evaluating this next generation Windows Server version. Beta 3 and the June CTP are near-feature-complete and are widely available, so this is the obvious time and place to begin your evaluation. The feature set of Windows Server 2008 is so vast, as are the install possibilities, so you're going to want to take the time to really understand how this release will impact your environment. This is the big one.

An edited version of this article originally appeared in the July 2008 issue of Windows IT Pro Magazine. --Paul
