Only hard-won experience can expose pitfalls that can cause frustration when you deploy a new OS. Before you implement Windows Server 2008, benefit from an expert’s lessons-learned about integration with AD, compatibility with Microsoft server applications, virtualization, backup, and antivirus and antispyware.
In a perfect world, you would start with a Windows Server 2008 infrastructure from scratch and build your network from the ground up. Of course, most of you must integrate Server 2008 into an existing network. When you deploy a new OS, you always run into unexpected challenges. Based on my experience, I thought I’d give you a some tips to save you frustration and help you with the integration process to ensure that your transition to Server 2008 is smooth. Server 2008 incorporates some great new features, including the Microsoft-developed Hyper-V virtualization technology, self-healing NTFS, read-only domain controllers (RODCs), Network Access Protection (NAP), Microsoft Internet Information Services (IIS) 7.0, much improved Terminal Services, and Server Core. The new features improve the day-to-day management of Windows servers.
Before you introduce Server 2008 into your network, you need to understand how to set up Server 2008 as a domain controller (DC), how to use its new functional level, and how to make sure it will work well with your Microsoft server applications. I’ve also learned some lessons about Server 2008 virtualization, backup, and antivirus and antispyware solutions. Along with overview coverage of key information with links to further resources, I offer some details about implementation preparation. (For insight into one factor that can affect performance, see the sidebar “Windows Server 2008: 32-Bit or 64-Bit?”) Let me jump right in.
The First Server 2008 DC
If you plan to introduce a Server 2008 server as a DC into an existing Active Directory (AD) forest, you must extend the forest schema by running adprep on the existing DC that holds the Schema Master role. Copy the contents of the \sources\adprep folder on the Server 2008 DVD to a folder on the existing DC that holds the Schema Master role. You must use an account that has membership in the following groups: Enterprise Admins, Schema Admins, and Domain Admins for the domain that contains the Schema Master role. Then run the command
If you plan to use any RODCs, you must also run the command
You must also prepare all domains in the AD forest in which you want to use Server 2008 as a DC. To do so, you need to use an account that has membership in the Domain Admins group and run the command
adprep /domainprep /gpprep
on the DC that holds the Infrastructure Master role for each domain that you want to upgrade.
Be sure to wait for replication to take place across all of your DCs before you run dcpromo on the first Server 2008 machine that will act as a DC. Double check the Event Viewer on each DC for any replication error messages. Make sure any replication issues are addressed before you introduce the first Server 2008 DC.
New Functional Level
Server 2008 introduces a new functional level for AD forests and domains. (For details on functional levels, see Guido Grillenmeier, “Active Directory Enhancements in Windows Server 2008,” InstantDoc 98294.) All DCs in AD must run Server 2008 before you upgrade to the new functional level. When you do upgrade to the Server 2008 functional level, the following features are available:
- DFS replication support for Windows Server 2003 SYSVOL. If you have intermittent WAN connections and have experienced previous SYSVOL corruption, DFS replication support can reduce corruption and minimize the size of SYSVOL.
- Advanced Encryption Standard (AES) 128 and 256 support for Kerberos.
- User logon information: The time of the last successful interactive logon for a user, the name of the workstation where the user logged in, and the number of failed logon attempts since the last logon.
- Fine control of password policies. You can specify password and account lockout policies for users and global security groups in AD.
Microsoft Server Applications
Before you introduce Server 2008 into your network, make sure all your server applications are properly configured for the transition. To ensure a smooth upgrade, you need to be aware of a few particulars, especially if you run Exchange. Upgrades to existing applications might be necessary for the best results.
Exchange. Exchange Server 2007 Service Pack 1 (SP1) is the only version of Exchange that will run on Server 2008. Exchange 2007 SP1 includes a full set of installation files, which you can download at http://go.microsoft.com/fwlink/?LinkId=104387. If you’re installing Exchange 2007 on Server 2008, make sure you install the version that already has SP1 integrated. Of course, because Exchange 2007 runs only on 64-bit hardware, you’ll have to run the x64 version of Server 2008. Although you can use Exchange 2003 with Windows Server 2008 DCs, you should use Exchange 2007 for the best compatibility.
Exchange and RODCs. Exchange 2007 is the only version of Exchange that’s RODC-aware; it is smart enough to ignore an RODC and use a “regular” DC only. Exchange relies heavily on DCs (and AD) for the Exchange configuration itself, and it updates DCs regularly. Pre-Exchange 2007 servers will blindly use an RDOC, assuming that updates are processed on it, but they won’t be because the DC is read-only. If Exchange 2003 (or an earlier version) uses an RODC, it can cause some unpredictable, even disastrous results. If you run Exchange and plan to deploy any RODCs with Server 2008, you’ll probably want to first upgrade to Exchange 2007.
With Exchange 2003, you can turn off the auto-discovery of new DCs and specify which DCs to use with the Exchange Server, but it isn’t recommended. If you select this option, you must maintain DCs on each Exchange server. And any new introduction of DCs must be updated on each Exchange server. The upshot? Your Exchange 2003 servers can co-exist with RODCs, but you would have to make sure that no Exchange 2003 servers use RODCs.
Exchange 2000 and Server 2008 DCs. You can use Exchange 2000 Server SP3 servers with Server 2008 DCs in the same forest, but not in any AD sites that contain Exchange 2000. If you plan to use Server 2008 DCs in the same site as Exchange 2000, upgrade to Exchange 2007 before introducing Server 2008 DCs into the AD Exchange site. For all practical purposes, you shouldn’t run any 2008 DCs with Exchange 2000.
SQL Server 2005. All versions of SQL Server 2005 are compatible with Server 2008, but you must install SQL Server 2005 SP2. You can download SQL Server 2005 SP2 at http://technet.microsoft.com/en-us/sqlserver/bb426877.aspx.
Microsoft Office SharePoint Server (MOSS) 2007. Server 2008 is compatible with MOSS 2007; however, you must select the proper roles in Server 2008 for a MOSS Front End Server. In particular, you must select the Web Server role with the following parameters:
- Common HTTP Features—static content, default document, directory browsing, HTTP errors
- Application Development—ASP.NET, .NET extensibility, Internet Server API (ISAPI) extensions, ISAPI filters
- Health and Diagnostics—HTTP logging, logging tools, request monitor, tracing
- Security—Basic authentication, Windows authentication, Digest authentication, request filtering
- Performance—static content compression, dynamic content compression.
- Management Tools—IIS management console
- IIS 6.0 management compatibility—IIS 6.0 metabase compatibility
Originally, Windows SharePoint Services (WSS) 3.0 was to be an integrated role in Server 2008, but it has been removed. You can download WSS 3.0 from www.microsoft.com/downloads/details.aspx?familyid=D51730B5-48FC-4CA2-B454-8DC2CAF93951&displaylang=en.
Virtualization continues to be a hot topic in IT, and Server 2008’s Hyper-V is designed to compete with VMware’s ESX. Hyper-V and ESX hypervisors are designed to provide an environment for virtual server guests and little else. Because hypervisors are specific to providing a virtual server environment, the performance, manageability, and consolidation rates of the virtual server guests are significantly better than with a nonhypervisor virtualization solution (e.g., Virtual Server 2005 or VMware Server) on a general purpose OS such as Server 2008. Based on what I’ve seen so far, Hyper-V compares most closely with the Foundation version of the Virtual Infrastructure (which includes ESX), because Hyper-V lacks the high availability, load balancing, and VMotion features of the Enterprise version of Virtual Infrastructure. Here’s a brief summary of the compatibility concerns for running Server 2008 on existing and new virtualization platforms.
Virtual Server 2005 R2 SP1. Although you can run Virtual Server 2005 on Server 2008, it’s not an officially supported configuration. For information about running Virtual Server 2005 on Server Core, go to blogs.msdn.com/virtual_pc_guy/archive/2007/06/28/running-virtual-server-2005-on-windows-server-2008-core-installations.aspx. Microsoft does provide a Virtual Hard Drive (VHD) version of Server 2008 that will run as a virtual guest using Virtual Server 2005 R2 SP1. You can download the VHD version for testing from www.microsoft.com/downloads/details.aspx?FamilyID=9aa65956-4a13-46a3-9711-82939a041792&DisplayLang=en. Best practices dictate that nothing else should run on virtual server host besides the hypervisor and virtual server guests. The Server Core installation is basically a stripped down version of Server 2008 without the Windows Shell and other overhead features.
Running Hyper-V on a full installation of Server 2008 really makes no sense because you have additional overhead that you will never need. You also create more security risk by using a general purpose OS such as Server 2008 on the same machine that is running a hypervisor; you have more exposure to threats because of the general purpose OS. If you need to run Server 2008, run it as a virtual server guest on the host, but don’t use the full version of Server 2008 as the host OS itself.
Hyper-V. The Server 2008 RTM with Hyper-V is available for download at www.microsoft.com/downloads/details.aspx?FamilyId=8F22F69E-D1AF-49F0-8236-2B742B354919&displaylang=en.
Virtual Server Guest on VMware ESX. Running Server 2008 as a guest is supported on ESX 3.5. Both the 32- and 64-bit versions of Server 2008 have experimental support on ESX 3.5. Like all Server 2008 installations, a Server 2008 virtual server guest must have at least 512MB of memory allocated to it. The 32-bit version of Server 2008 must be installed on a virtual disk that’s larger than 16GB; the 64-bit version of Server 2008 must be installed on a virtual disk that’s larger than 24GB.
VMware Server 2.0 Beta. VMware Server 2.0 beta supports Server 2008 RTM both as a host OS and a guest OS.
VMware Server 1.0. Although it’s not officially supported, you can run Server 2008 as a guest on VMware Server 1.0.3. For more information, go to www.gilkirkpatrick.com/Blog/post/Running-Windows-Server-2008-x64-RC0-on-VMWare-Server-103.aspx.
Server 2008 comes with Windows Server Backup, which can be installed using the Server Manager. If your third-party backup solution doesn’t offer support for Server 2008, you can use Windows Server Backup to protect your Server 2008 servers.
Antivirus and Antispyware
Microsoft Forefront Security SP1 supports Server 2008. You can download a trial version of Forefront from technet.microsoft.com/en-us/bb738109.aspx. As with your backup vendor, check with your antivirus and antispyware vendor to verify when your vendor’s product will support Server 2008.
A Smooth Path
I hope these implementation tips help you mark out a smooth path for integrating Server 2008 into your existing network environment. Of course, you’ll need specific additional information for your networking environment. Depending on your environment and applications, you might need to perform some additional upgrades before you can start using Server 2008 on your network. You might also have to wait until your backup and antivirus and antispyware vendor fully supports Server 2008 before you can place the new server OS in a production environment. Consider running Server 2008 in a virtual environment to get up to speed on the new interface and to test your company’s application compatibility.
In my personal experience, Server 2008 has some great features, but to really leverage the new server, you should be on the latest release of any application that you’re running. This recommendation of course includes Exchange, SQL Server, and Sharepoint, as well as any third-party applications. Even with the latest releases, you’ll probably have a few applications that won’t provide support for Server 2008 until it’s been out for a quarter or two. That’s why I like the idea of running Server 2008 in a virtual environment: It gives you the opportunity to get up to speed and test with the new OS without having to jeopardize your production environment.