After many months of delays, Microsoft finally released the Beta 3 version of Windows Server 2008—previously code-named "Longhorn"—a major milestone prerelease version of the next version of Windows Server. Windows 2008 has evolved quite a bit over time, and though the project hasn't suffered from the many feature drops and problems that dogged Windows Vista, Beta 3 certainly has a few surprises. Here's what you need to know about Windows 2008 Beta 3.
The Basics
Windows 2008 will boast enhanced scripting and task automation via the new Windows
PowerShell—a surprise addition to Beta 3, given that PowerShell was originally
not going to ship as part of this product. In addition, Windows 2008 will have
improved roles-based installation and management capabilities that extend to
Windows Server Core, a new lightweight and safer version of the OS that provides
only a subset of roles available in the mainstream server versions.
Like Windows Vista, Windows 2008 includes increased security prowess. The Windows Firewall is enabled now by default, for example, and in branch offices Windows 2008 can be installed using technologies such as Read Only Domain Controller (RODC) and BitLocker, which can help ensure that physical server theft won't result in a major security disaster. Windows 2008 also includes the long-awaited Network Access Protection (NAP) feature, which finally brings policy-based network quarantining to the Windows platform.
On the flexibility front, Windows 2008 adds some intriguing new Terminal Services improvements that will allow organizations to deploy remote environments and even remote applications, both within their firewall and beyond. And eventually, the inclusion of the Windows Server Virtualization piece (as an optional add-on) will provide Windows 2008 with a more performance-friendly and secure bare metal virtualization solution, though that piece isn't present in Beta 3.
Moving to Beta 3
In the gear-up to Windows 2008 Beta 3, Microsoft has made a number of improvements.
Windows Firewall is configured to open and close only the required ports as
roles and features are installed and removed, resulting in the most secure Windows
Server version yet. Server Manager, Microsoft's central console for daily server
administration tasks, has been improved and augmented by a new command-line
tool called servermanagercmd.exe that provides administrators with all of Server
Manager's functionality from the command line.
Speaking of command lines, the Server Core installation type has been augmented with a new command-line tool called oclist.exe, which provides a way to examine the roles and features that are installed in the Server Core environment. Microsoft has also increased the number of roles with the addition of new Active Directory Lightweight Directory Services (AD LDS), Print, and Windows Media Services (WMS) roles. (Other roles, such as Web Server and Virtualization, will be made available later.) The seven roles available in Beta 3 include AD, AD LDS, DNS, DHCP, WMS, File, and Print.
Beta 3 itself includes some Terminal Services improvements over past versions of Longhorn. A new feature called Easy Print makes it, well, easy to print from a Terminal Services-based environment or application to your default printer. Remote Programs has been rebranded as Terminal Services RemoteApp. You can seamlessly copy and paste between a Terminal Server session and the host OS, which is a huge improvement. And Terminal Services now supports 32-bit color sessions, increased from 24-bit in previous versions.
NAP has been updated so that you can remediate connecting clients via Windows Update or Microsoft Update if your local Windows Server Update Services (WSUS) box is unavailable. You can now integrate NAP with Cisco's Network Admission Control (NAC) quarantine solution as well, which was the ostensible reason for delaying NAP's release from Windows Server 2003 R2 to Windows 2008. And a new, simple, wizard-based UI makes setting up and managing NAP easier than ever.
Drilling Down
Looking over the long list of new and improved Windows 2008 features, a number
of them stand out. The new Server Manager is turning into a true one-stop shop
for an admin's daily management needs. Here, you'll see nodes in the Microsoft
Management Console (MMC) UI for all of the installed roles and features; troubleshooting
tools such as the new XML-based Event Viewer and the new Vista-like reliability
and performance tools; configuration tools such as Task Scheduler, Windows Firewall,
Windows Management Instrumentation (WMI) Control, and Device Manager; and storage
and backup tools such as Windows Server Backup (finally, a replacement for the
miserable NTBackup) and Disk Management, which can resize NTFSbased volumes
on the fly.
Server Manager is the culmination of years of work in management UIs. In the topmost "home page," you'll see a variety of information about the server that's currently connected, along with task pads for editing server configuration information. Other commonly needed server attributes (e.g., security, roles, features) are also available from this home page, which isn't a dashboard, but rather an interactive cockpit. That is, you can view installed features, for example, but you can also install and uninstall features from this home page and drill deeper into the functionality of installed features.
Server Core is one of the most intriguing things about Windows 2008. This stripped down installation type lets you configure a GUI-less, headless server with one to seven roles, including AD, AD LDS, DNS, DHCP, WMS, File, and Print (and it will eventually include Web Server and Windows Server Virtualization). Server Core opens into a blank desktop and a single command-line window. There's no shell, Microsoft Internet Explorer (IE) browser, Windows Media Player, or any other pointless graphical application.
The point behind Server Core is to provide only core server features and to do so in the most secure way. Because of the roles-based installation and management aspects of Windows 2008, each of the Server Core roles are installed in a manner that significantly reduces the attack surface of the server. Note that Server Core-based servers are still based on Windows 2008, and thus provide the same connection capabilities: You can still manage them remotely using the GUI-based tools you already know and love, from another server or a desktop machine.
Windows 2008, like Vista, includes the useful BitLocker utility, which I covered in "What you need to know about Vista's User Account Control and BitLocker Drive Encryption" (April 2007, InstantDoc ID 95153). BitLocker provides full volume disk encryption for all disks attached to the server; this is a new feature: In Vista, only the system disk was protected by default. BitLocker is even more useful when used in tandem with other Windows 2008 technologies. For example, businesses looking for the most secure and easily managed branch office servers could install BitLocker alongside Server Core and RODC for the most secure configuration possible. If the server is stolen, no data can be taken and hackers won't be able to access the passwords for all domain users since only the passwords for the locally cached users—and not the administrators—are stored locally on the box.
On the Terminal Services front, a new mode called Terminal Services Gateway tunnels remote sessions through HTTP Secure (HTTPS) so that you don't need to configure a VPN, but can still access Terminal Services from wireless locations that specifically block VPNs. Remote sessions connected in this fashion are marked with the same "secure lock" graphic that users are familiar with from IE 7.0. Terminal Services RemoteApp delivers individual applications, instead of separate remote sessions, to users' desktops. After users log on, the effect is seamless and almost identical to running the application locally.
What's Missing?
As I made reference to earlier, one of the most eagerly awaited Windows 2008
technologies—Windows Server Virtualization, code-named"Viridian"—is
missing in Windows 2008 Beta 3. Indeed, in the weeks before shipping Beta 3,
Microsoft warned that it would not be able to ship a public beta of Viridian
until the second half of 2007. The revolutionary technology was previously expected
in the first half of the year; however, Microsoft still claims that it will
be able to ship Windows Server Virtualization within 180 days of the release
of Windows 2008. The company plans to make this technology available separately
from Windows 2008, as a free update. Whenever it is released, Windows Server
Virtualization will be made available as a new server role in both Server Core
and the mainstream installations of Windows 2008. Sadly, even that version of
Virtualization will be scaled back from Microsoft's original promises: The company
recently announced that it will no longer include three critical features: live
migration support; the ability to hot-add storage, networking hardware, memory,
and processors; and support for up to 32 processor cores (the initial version
of Virtualization will support just 16 processor cores).
Another significant omission is that Windows 2008 Beta 3 doesn't support a Web server or application server role in Server Core. The issue is the Microsoft .NET Framework, which would be required in either scenario for either role. Current versions of the .NET Framework include a variety of GUI-based libraries, which wouldn't work properly in Server Core. Microsoft is investigating whether to create a Server Core-friendly .NET Framework subset for a future release. But I've been told that, post-Beta 3, the company will add a new Web Server role to Server Core that includes all Microsoft IIS 7.0 functionality except for ASP. NET, which does require .NET. This solution will give Microsoft an effective answer to low-end Linux/Apache Web servers.
One potential problem with Windows 2008 is its dual nature. Although the roles-based management approach means the system will always configure settings correctly when you use the GUI tools, it's still possible to go into other tools, change settings, and end up configuring options incorrectly. Consider Windows Firewall as a likely scenario: When you install or configure a role such as Application Server, the firewall is automatically configured so that the role will function correctly. But you can still go into the Windows Firewall GUI and manually override those settings. There's no "secure for currently configured roles" fallback switch.
Recommendations
Microsoft says it is on track to deliver Windows 2008 by the end of 2007 and
Windows Server Virtualization by late 2007 or early 2008. Those dates might
be a bit optimistic if the number of unexpected Beta 3 delays is any indication,
but no matter. Windows 2008 is on the way, and it's time for businesses of all
sizes to begin evaluating this next-generation Windows Server version. Beta
3 is near-feature-complete and will be widely available by the time you read
this, so now is the time to begin your evaluation. Windows 2008's feature set
is so vast, as are the installation possibilities, that you'll want to take
the time to really understand how this release will affect your environment.