Windows Server 2008 offers features that Microsoft hopes will make your server management and performance more powerful. Paul Thurrott tells you the features to watch for and those that will help you most, including componentization, Server Manager, Server Core, BitLocker Full-Drive Encryption, and read-only domain controllers (RODCs).
Windows Server 2008 is the most substantial upgrade to the Windows Server product line since Windows 2000, with a sweeping set of new capabilities and a reengineered core that will usher in a new era of 64-bit server computing. Like its Windows Vista stablemate, Server 2008 was in development an achingly long time, and some of its many features were originally slated for its predecessors, Windows Server 2003 and Windows 2003 R2. Unlike Vista’s schedule, however, Server 2008’s lengthy schedule hasn’t proven problematic. In fact, it’s arguably worked to the product’s advantage: This is a refined, mature, and stable OS that will no doubt power server systems of all kinds for years to come.
Though Server 2008 uses an evolved version of the Active Directory (AD) infrastructure that first debuted in Win2K, many of the features of this new OS are radical and revolutionary. Key among these major advances are Server Core, which provides a lightweight version of the server aimed at specific workloads, and Hyper-V, Microsoft’s hypervisor-based virtualization technology. As befits a major Windows Server upgrade, Server 2008 also includes a slew of smaller, functional advances as well as key gains in scalability, reliability, manageability, performance, and security.
Server 2008 is a feature-rich upgrade with numerous functional advantages over its predecessors. Here are some of the changes in this release that I feel will have the biggest customer impact. (For more information about the specific Server 2008 versions, see the sidebar, “Windows Server 2008 Availability and Licensing,” page 30.)
Microsoft has completely redesigned Windows Server to be functionally componentized, a major change that has wide-reaching ramifications. At a high level, componentization allows for a more easily serviceable system, both for Microsoft and its customers. It also provides a more secure and reliable system: only the components a role actually needs are installed, so code that isn’t on the box can’t be attacked and doesn’t need patching, and the dependencies between the components that are installed are minimized and explicit.
More specifically, componentization enables some of Server 2008’s most exciting new functionality, such as its image-based deployment facilities, roles-based management, and Server Core.
While previous versions of Windows Server featured separate management consoles for all of the various roles and features in the OS (although Windows 2003 did have a simple Manage Your Server dashboard), Server 2008 provides Server Manager, a true one-stop shop for daily management needs.
Microsoft Management Console (MMC)-based Server Manager provides a UI, which Figure 1 shows, for managing each installed role and feature on the system, including Active Directory Domain Services (AD DS), Application Server, DHCP Server, DNS Server, File Services, Terminal Services, Web Server, and many others. It also includes numerous valuable troubleshooting tools such as Event Viewer and Reliability and Performance Monitor; configuration tools such as Task Scheduler, Windows Firewall, Windows Management Instrumentation (WMI) Control, and Device Manager; and the new Windows Server Backup.
Thanks to deep componentization within the system, Server Manager also handles any required system security settings when you add a role or feature. There’s no longer any need to separately run the Security Configuration Wizard every time you add or change a system feature.
What makes Server Manager even more useful is that each section of the console’s UI gets its own dedicated home page, which Figure 2 shows. Each home page offers information pertinent to the role or feature at hand, along with links to fix problems, get more information, and access other tools. It’s a well-thought-out and well-designed application, both logical and useful.

Figure 1: Windows Server 2008 Server Manager UI
Figure 2: Windows Server 2008 console UI
Unlike previous Windows Server versions, most Server 2008 product editions can be installed in one of two modes: the traditional GUI-based server we’ve had since Windows NT 3.1 and a lightweight new command-line–based environment called Server Core. In this new installation mode, Microsoft has stripped out virtually all the GUI, so there’s no shell (Start Menu, taskbar, Explorer windows), and little in the way of end-user applications; such things as Windows Media Player (WMP), Microsoft Internet Explorer (IE), and Windows Mail are all missing, though a few GUI-based applications such as Notepad and Task Manager are still available. For the most part, the only UI you’ll see in Server Core is a single command-line window floating over an empty blue backdrop. It’s the ultimate anti-demo.
So what’s the point of stripping out the GUI? Server Core is designed to make the server’s attack surface as small as possible: fewer binaries on disk, fewer services running, fewer things to patch. As such, a Server Core installation is also more limited than a standard Server 2008 installation. It supports just nine roles (AD DS, Active Directory Lightweight Directory Services (AD LDS), DHCP, DNS, File, Print, Virtualization (Hyper-V), Web Server, and Windows Media Services (WMS)), compared to 18 roles in the full server.
Local management of Server Core is performed using command-line tools only. But because Server Core is still Server 2008, all of the familiar GUI-based management tools (Server Manager excepted) work remotely just fine against this server, as do WMI and Remote Desktop. What won’t work, in addition to the missing roles, is anything that requires a true GUI or the Microsoft .NET Framework. This cancels out some key Server 2008 functionality unfortunately, including ASP.NET. Server Core’s Web Server role is pretty much static, supporting only older, non–.NET technologies such as classic ASP.
Thanks to the reduced number of on-disk components, Server Core will need to be patched far less frequently than comparable full installations of Server 2008. Microsoft says that Server Core’s smaller footprint reduces patching by an average of 60 percent. My expectation is that Server Core will prove hugely popular as an infrastructure (AD, DNS, DHCP, file, print) server and as a low-cost, low-end Web server. It’s a product that should compete well with Linux-based solutions.
BitLocker Full-Drive Encryption
BitLocker is the full-volume encryption feature that first debuted in Vista as a way to protect data on easily lost and stolen executive notebooks. On Server 2008 it’s an optional feature you add through Server Manager rather than a default component, and it protects data volumes as well as the OS volume. By default it seals its keys in a Trusted Platform Module (TPM) 1.2 chip, which also lets it measure the boot components at startup and refuse to release the key if they’ve been tampered with; a server without a TPM can use a USB startup key instead if Group Policy permits it, and everything else about BitLocker is configurable via Group Policy too. What distinguishes it from folder- or file-level encryption is that the whole volume, paging file and system files included, is ciphertext on disk, so a drive pulled from the chassis or a machine booted from other media gives up nothing.
On the server, BitLocker is particularly valuable for machines in branch offices, because those servers are usually less well physically protected than the machines back in the home office. If a thief walks off with a BitLocker-protected server, or just its drives, the data is unreadable without the TPM and the recovery password. Be clear about what it does not do: once the server has booted and unlocked the volume, the OS enforces access as usual, so BitLocker adds nothing against an attacker who reaches the running system over the network. And keep the recovery password somewhere other than the server (Group Policy can escrow it to AD DS), or a failed motherboard locks you out for good. BitLocker also works really well with some of the other technologies discussed here, including the read-only domain controller (which follows), to create a branch office server that stays useful while limiting what a theft can expose.
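The checks a practitioner wants after enabling BitLocker on a branch-office server are whether the TPM is actually enabled and owned, whether the OS volume is protected, and whether a recovery password exists. The following PowerShell script, an added example rather than code from the article, reads that state from the same WMI providers that manage-bde.wsf drives (Win32_Tpm and Win32_EncryptableVolume). The registry value it consults for the no-TPM policy and the ServerManagerCmd feature name are real; the warning thresholds are this example’s own choices.

```powershell
# Added example (not from the original article): audit TPM and BitLocker state on a
# Windows Server 2008 host through WMI, the same providers manage-bde.wsf uses.
# Run in an elevated PowerShell session on the server itself.

$tpmNamespace = "root\cimv2\Security\MicrosoftTpm"
$fveNamespace = "root\cimv2\Security\MicrosoftVolumeEncryption"

# Codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorTypes = @{
    0 = "Unknown"; 1 = "TPM only"; 2 = "External key (USB startup key)";
    3 = "Numerical password (recovery password)"; 4 = "TPM + PIN";
    5 = "TPM + startup key"; 6 = "TPM + PIN + startup key"; 7 = "Public key"
}
# Codes returned by GetProtectionStatus and GetConversionStatus
$protectionStates = @{ 0 = "Protection OFF"; 1 = "Protection ON"; 2 = "Unknown" }
$conversionStates = @{
    0 = "Fully decrypted"; 1 = "Fully encrypted"; 2 = "Encryption in progress";
    3 = "Decryption in progress"; 4 = "Encryption paused"; 5 = "Decryption paused"
}

# --- TPM: present, enabled, activated, owned? ---
$tpm = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Write-Warning "No TPM visible to Windows: BitLocker can only run here with a USB startup key"
    # USB-only mode needs the Group Policy 'Enable advanced startup options' with
    # 'Allow BitLocker without a compatible TPM'; it lands in the registry as EnableBDEWithNoTPM.
    $fvePolicy = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -ErrorAction SilentlyContinue
    if ($fvePolicy -eq $null -or $fvePolicy.EnableBDEWithNoTPM -ne 1) {
        Write-Warning "EnableBDEWithNoTPM is not set, so BitLocker setup will refuse to run on this box"
    }
} else {
    "TPM spec {0}: enabled={1} activated={2} owned={3}" -f $tpm.SpecVersion,
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
}

# --- Volumes: protection state, encryption progress, key protectors ---
$systemDrive = $env:SystemDrive          # e.g. "C:"
$volumes = Get-WmiObject -Namespace $fveNamespace -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
if ($volumes -eq $null) {
    Write-Warning "BitLocker provider missing: run 'ServerManagerCmd -install BitLocker', reboot, and retry"
    return
}
foreach ($vol in $volumes) {
    # WMI returns UInt32; cast to [int] so the hashtable keys above match
    $prot = [int]$vol.GetProtectionStatus().ProtectionStatus
    $conv = $vol.GetConversionStatus()
    "{0}  {1}  {2} ({3}% encrypted)" -f $vol.DriveLetter, $protectionStates[$prot],
        $conversionStates[[int]$conv.ConversionStatus], $conv.EncryptionPercentage

    # Enumerate every key protector (type 0 = all) and decode its kind
    $kinds = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        if ($id -ne $null) {
            $kind = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $kinds += $kind
            "    protector {0}: {1}" -f $id, $protectorTypes[$kind]
        }
    }

    # The checks that matter for a server that may walk out of a branch office
    if ($vol.DriveLetter -eq $systemDrive -and $prot -ne 1) {
        Write-Warning "OS volume $systemDrive is NOT protected; a stolen drive reads as plaintext"
    }
    if ($prot -eq 1 -and -not ($kinds -contains 3)) {
        Write-Warning "$($vol.DriveLetter) has no recovery password: a TPM failure or board swap locks you out"
    }
    if ($prot -eq 1 -and $kinds.Count -eq 1 -and ($kinds -contains 1)) {
        "    note: TPM-only stops offline attacks but unlocks silently at boot; TPM + startup key needs a hand at the console"
    }
}
```

The script is read-only; it changes nothing. The TPM-only note at the end spells out the trade-off the text glosses over: with a bare TPM the volume unlocks on every clean boot, so an attacker who can boot the stolen box intact is only as far away as the logon screen, whereas a startup key or PIN means someone has to be present to bring the server up.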
Read-Only Domain Controller
RODC is new functionality that lets administrators deploy a domain controller holding a read-only replica of the AD database. No changes originate on an RODC, so replication is inbound-only from writable domain controllers rather than bidirectional, and by default the RODC stores no account passwords at all: a Password Replication Policy on its computer account decides which users’ and computers’ secrets may be cached locally after they authenticate through it, and the built-in administrative groups are denied by default.
So why would you want to do this? Today, many organizations are installing servers in branch offices and other remote locations, and these servers often connect back to the home office using slow or unreliable WAN links. That makes AD replication—and even authentication—an arduous and lengthy process. With RODC, the server is typically set up and configured in the home office, shipped to the remote location, and then switched on.
Like BitLocker, RODC is an excellent solution for physically insecure remote servers. Indeed, if you combine RODC with other new Server 2008 technologies such as BitLocker and Server Core, you can configure the most secure remote server Server 2008 allows. An attacker who gains physical control of the box still can’t use it to push changes into the directory, because nothing replicates outward, and the only credentials on its disk are the ones the Password Replication Policy let it cache. Removing the stolen RODC from your AD is a matter of deleting its computer account in Active Directory Users and Computers: the deletion dialog offers to reset the passwords of every user and computer account that was cached on that RODC and to export the list. Only those accounts need new passwords. You won’t have to institute an organization-wide emergency, because the domain’s other secrets were never on that machine.
RODC is somewhat limited in that it can only support a subset of the roles and applications that normally run alongside a domain controller. Applications that only read the directory, or that can follow a referral to a writable DC for their writes, work fine: RODC-based servers can support technologies such as Active Directory Federation Services (ADFS), DHCP, DNS, Group Policy, DFS, Microsoft Operations Manager (MOM), and Microsoft Systems Management Server (SMS). Applications that need a writable DC at their site, such as Microsoft Exchange, are not supported on an RODC.
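The question you want answered before, not after, an RODC goes missing is which accounts’ secrets it has cached, because those are exactly the passwords the deletion dialog will offer to reset. The following PowerShell script is an added example (not code from the article) that answers it from a domain-joined management host using System.DirectoryServices, which PowerShell 1.0 can reach through .NET: it finds every RODC by its primary group (521, Read-only Domain Controllers), prints the allow and deny lists of its Password Replication Policy, and decodes msDS-RevealedUsers, the attribute that records which secrets have actually been revealed to it. The assumption the script rests on is that DN-Binary values come back in the LDAP string form `B:<hex length>:<hex>:<DN>`, which is what the parser below handles; the two sample values fed to it are constructed for illustration. The built-in equivalent is `repadmin /prp view <RODC> reveal`.

```powershell
# Added example (not from the original article): enumerate RODCs, their Password
# Replication Policy, and the accounts whose secrets each one has actually cached.
# Runs on any domain-joined host with PowerShell 1.0 or later; read access to the
# Domain Controllers OU (the default for authenticated users) is enough.

# Object(DN-Binary) attributes arrive as "B:<hex length>:<hex>:<DN>". For
# msDS-RevealedUsers the hex part is the ID of the attribute that was revealed;
# only the DN is needed here. Plain DNs (the PRP group attributes) pass through.
# Assumption: the provider returns the LDAP string form shown above.
function ConvertFrom-DNBinary([string]$value) {
    $parts = $value.Split(":", 4)           # at most 4 pieces, so a ':' inside the DN survives
    if ($parts.Length -eq 4 -and $parts[0] -eq "B") { return $parts[3] }
    return $value
}

function Get-RodcReport {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    # RODC computer accounts have primaryGroupID 521 (Read-only Domain Controllers)
    $searcher.Filter = "(&(objectCategory=computer)(primaryGroupID=521))"
    foreach ($attr in "dNSHostName", "msDS-RevealOnDemandGroup",
                      "msDS-NeverRevealGroup", "msDS-RevealedUsers") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($rodc in $searcher.FindAll()) {
        $p = $rodc.Properties                # property names are lower-cased in the result
        "RODC: {0}" -f $p["dnshostname"][0]

        "  Allowed to cache (msDS-RevealOnDemandGroup):"
        foreach ($dn in $p["msds-revealondemandgroup"]) { "    $dn" }
        "  Never cached (msDS-NeverRevealGroup):"
        foreach ($dn in $p["msds-neverrevealgroup"]) { "    $dn" }

        # This is the list that matters if the box is stolen: these secrets are on its disk.
        # Several attributes of one account may be revealed, hence the de-duplication.
        $revealed = @()
        foreach ($v in $p["msds-revealedusers"]) { $revealed += ConvertFrom-DNBinary ([string]$v) }
        $revealed = @($revealed | Sort-Object -Unique)
        "  Secrets currently cached ({0} accounts):" -f $revealed.Count
        foreach ($dn in $revealed) { "    $dn" }
    }
}

# Constructed sample values (not from a real directory) exercising the parser offline:
ConvertFrom-DNBinary "B:8:0000009A:CN=Branch User,OU=Branch,DC=corp,DC=example"
ConvertFrom-DNBinary "CN=Allowed RODC Password Replication Group,CN=Users,DC=corp,DC=example"

if ($env:USERDNSDOMAIN) {
    Get-RodcReport
} else {
    Write-Warning "Not domain-joined; skipping the live RODC query"
}
```

Run it periodically and keep the output off the RODC itself. If the cached list contains an account you never meant to see at that site, the fix is the deny list (msDS-NeverRevealGroup, which wins over the allow list), after which the account’s password should be reset so the already-cached secret stops being valid.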
Microsoft Internet Information Services 7.0
The new Web server in Server 2008 is driven by a major new update to Microsoft Internet Information Services (IIS). Like the server itself, IIS 7.0 is completely componentized so that only those components needed for the desired configuration are installed and, thus, need to be serviced. It sports a drastically improved management console, supports Xcopy Web-application deployment and delegated administration, and is backed by a new XML-based configuration store, which replaces the previous monolithic configuration store.
Terminal Services
You’ll see some major changes in Terminal Services in Server 2008. The new Terminal Services RemoteApp (TS RemoteApp) functionality lets admins publish individual application windows to desktops instead of entire remote PC desktops, which can be confusing to users. The applications still execute on the terminal server; only their windows are remoted, so aside from the initial logon dialog box they function and look almost exactly as they would were they installed locally. This functionality requires the new Remote Desktop Connection client, which shipped in Vista and can be downloaded for Windows XP SP2 and above (for more information see the Microsoft download site at www.microsoft.com/downloads).
TS Gateway lets you tunnel Terminal Services sessions over HTTPS (RDP encapsulated in RPC over HTTPS, so a single TCP 443 listener at the corporate firewall), so that users on the road can reach their remote applications without having to configure a VPN client. This is particularly useful because VPN protocols are often blocked at wireless access points, whereas HTTPS rarely is. Who gets through is governed by the gateway’s connection authorization policies (which users, from which kinds of client) and resource authorization policies (which internal hosts), so define those deliberately rather than letting the gateway front every RDP listener on the network.
Terminal Services offers a few small but useful changes as well. These include TS Easy Print, which makes it easy to print to local printers from remote sessions, 32-bit color support in Terminal Services sessions, and seamless copy-and-paste operations between the host OS and remote sessions.
Network Access Protection
Microsoft first planned to ship simple and easily configurable network quarantining functionality in Windows 2003, and it’s here at last in Server 2008 with Network Access Protection (NAP). NAP lets you define health requirements for your network (current patches, firewall on, antivirus up to date, and so on): when a client connects, the NAP agent on it reports its health state, and the Network Policy Server (NPS) compares that report against your policy. Machines that comply are allowed online. Those that do not, typically machines that only connect infrequently to the network such as those used by travelling employees, are pushed aside into a restricted part of the network where they can be updated. How these updates happen depends on the configuration of your environment, but once remediation completes the client is re-evaluated and given full access again. NAP offers several enforcement methods, chosen per network: DHCP, IPsec, 802.1X, VPN, and TS Gateway. DHCP enforcement is the simplest to deploy and also the weakest, because a client configured with a static IP address never talks to the DHCP server and therefore never gets quarantined; use IPsec or 802.1X enforcement where the check needs to be hard to bypass.
NAP includes remediation fallback to Windows Update or Microsoft Update if the local Windows Server Update Services (WSUS) server is unavailable, and it’s compatible with Cisco’s Network Admission Control (NAC) quarantining technologies. This is important for corporations that have standardized on Cisco’s technologies and for those who need something more than the DHCP-based approach to quarantining.
For the first time, Windows Server ships with a firewall that’s enabled by default. The new Windows Firewall with Advanced Security filters both inbound and outbound traffic (inbound is blocked unless a rule permits it; outbound is allowed by default) and works seamlessly with all of the roles and features you can configure in Server 2008. In fact, Windows Firewall is part of the new roles-based management model: as you enable and disable various roles and features, the matching rule groups are switched on and off in the background so that only the ports those roles require are opened. This is a major change, and one that could hamper compatibility with third-party products that assume an open box, so testing will be crucial; before you start adding rules of your own, look at what the role groups have already opened.
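Because roles now open ports behind your back, the useful audit is “what can reach this box right now?” rather than “what did I configure?”. The following PowerShell script is an added example (not code from the article) that walks the firewall’s rule store through the HNetCfg.FwPolicy2 COM object, which is the same interface the Windows Firewall with Advanced Security console and `netsh advfirewall` use, keeps only the enabled inbound allow rules that apply to the currently active profile, and compares each opened protocol/port against an allow-list of what the server is supposed to expose. The allow-list (RDP, DNS, SMB) is an assumption for illustration; edit it to match the roles you actually deployed.

```powershell
# Added example (not from the original article): audit what Windows Firewall actually
# lets in after roles have been added, via the HNetCfg.FwPolicy2 COM object.
# Run elevated on the server. The allow-list below is an assumption: edit it per host.

$NET_FW_RULE_DIR_IN  = 1
$NET_FW_ACTION_ALLOW = 1
$protocolNames = @{ 1 = "ICMPv4"; 6 = "TCP"; 17 = "UDP"; 58 = "ICMPv6"; 256 = "Any" }

# What this server is meant to expose (assumption): RDP, DNS, SMB
$allowedEndpoints = @("TCP/3389", "TCP/53", "UDP/53", "TCP/445")

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# CurrentProfileTypes is a bitmask: 1 = domain, 2 = private, 4 = public
$active = $fw.CurrentProfileTypes
foreach ($profile in 1, 2, 4) {
    if ($active -band $profile) {
        "Profile {0} is active; firewall enabled = {1}" -f $profile, $fw.FirewallEnabled($profile)
    }
}

# Enabled inbound allow rules on an active profile are the reachable attack surface.
# Built-in rules report Grouping as a resource reference like "@FirewallAPI.dll,-25000";
# 'netsh advfirewall firewall show rule name=all' lists the same rules with localised names.
$findings = @()
foreach ($rule in $fw.Rules) {
    if (-not $rule.Enabled) { continue }
    if ($rule.Direction -ne $NET_FW_RULE_DIR_IN -or $rule.Action -ne $NET_FW_ACTION_ALLOW) { continue }
    if (-not ($rule.Profiles -band $active)) { continue }

    $proto = $protocolNames[[int]$rule.Protocol]
    if ($proto -eq $null) { $proto = [string]$rule.Protocol }

    # LocalPorts may be empty (ICMP), "*", one port, a range, a comma list, or a keyword
    # such as RPC or RPC-EPMap (dynamic RPC endpoints). Empty means "any" for this audit.
    $ports = [string]$rule.LocalPorts
    if ($ports -eq "") { $ports = "*" }

    foreach ($port in $ports.Split(",")) {
        $port = $port.Trim()
        $endpoint = "{0}/{1}" -f $proto, $port
        $verdict = "expected"
        if ($proto -eq "Any" -or $port -eq "*") {
            # Program- or service-scoped rule: reachable on whatever that binary listens on
            $verdict = "program-scoped ({0})" -f $rule.ApplicationName
        } elseif (-not ($allowedEndpoints -contains $endpoint)) {
            $verdict = "NOT IN ALLOW-LIST"
        }
        $findings += "{0,-16} {1,-28} {2}  remote={3}  [{4}]" -f $endpoint, $verdict,
            $rule.Name, $rule.RemoteAddresses, $rule.Grouping
    }
}

$findings | Sort-Object
"{0} inbound allow entries reviewed" -f $findings.Count
```

Two things to read closely in the output: entries flagged NOT IN ALLOW-LIST that arrived with a role you didn’t expect to be network-facing, and program-scoped rules whose RemoteAddresses is `*`, since those are as wide open as the program behind them. For a quick, human-readable sanity check without the script, `netsh advfirewall show allprofiles` reports the per-profile state and default actions.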
Command-Line and Scripting Goodness
Those who prefer to automate their servers will rejoice in the new command-line and scripting enhancements in Server 2008, though I’m a bit concerned by the haphazard and temporary nature of some of these changes. In this version of Windows Server, we’re seeing the beginning of the transition from the old DOS-like command line to the new .NET-based PowerShell environment.
For now, however, you’ll need to have a toe in both environments to best take advantage of the new capabilities. PowerShell 1.0 ships in the box as an optional feature you add through Server Manager, but Server Core can’t run it at all because it lacks the .NET Framework. To make this even more confusing, Microsoft continues to add Windows Shell commands to Windows Server, and Server 2008 has several new Windows Shell commands.
On the command-line side, we get two major additions: a Server Core management utility called oclist.exe and a command-line version of Server Manager called servermanagercmd.exe. Both are designed with the same premise, providing ways to list, install, and remove the roles that are possible under each environment: on Server Core, oclist shows every optional component and whether it’s installed, and start /w ocsetup <component> installs one; on a full installation, servermanagercmd -query does the listing and servermanagercmd -install or -remove followed by the role or feature ID makes the change (add -whatif to preview it).
PowerShell is a complex but technically impressive environment, with support for discoverable .NET-based objects, properties, and methods. It provides all of the power of UNIX command-line environments with none of the inconsistencies. (It can also run the existing Windows Shell commands and scripts, so nothing you have today stops working.) The issue is whether Windows-based administrators will quickly move to this new command-line interface. Server 2008 doesn’t ship with any role-specific PowerShell cmdlets (compiled, single-purpose commands that plug into the shell and can be chained on the command line) for common AD, IIS, or Terminal Services management tasks; the core cmdlets and .NET, WMI, and COM access are what you have. Microsoft tells me it will ship Server 2008 cmdlets on its Web site over time and expects a community to quickly evolve as well.
One of the most important and future-looking technologies in Server 2008 isn’t even available in final form in the initial shipping version of the product. Hyper-V is a hypervisor-based virtualization platform that Microsoft is shipping as a beta version with Server 2008 and will update to the release version automatically. There’s an advantage to this bundling: From a management perspective, Hyper-V is installed and managed as a role under Server 2008, just like DHCP, file and print services, and other standard roles.
Hyper-V ships only with x64-based versions of the product and relies on hardware virtualization extensions (Intel VT or AMD-V) plus hardware-enforced Data Execution Prevention, both of which are available only in recent AMD and Intel processors and must be enabled in the BIOS. It supports both 32-bit and 64-bit guest OSs, up to 64GB of RAM in each guest OS, and up to four virtual CPUs for each guest OS. The virtual hard disk (VHD) format Hyper-V uses is the same one Microsoft’s earlier virtualization products, Virtual PC and Virtual Server, create, so existing VM disks can be attached to Hyper-V machines rather than rebuilt.
Wrapping It All Up
I’ve only touched the surface of Server 2008, highlighting but a subset of the improvements Microsoft has shipped in this release. I’ll have more to say about this impressive update, and of course my Windows IT Pro compatriots will also, in the coming months. Though familiar on the surface, Server 2008 enables so much new functionality, and comes with so many changes, that you’ll need to dedicate some time to understanding how it will benefit your own requirements and needs. This effort is worthwhile: Server 2008 is a solid and impressive upgrade that should meet the needs of virtually any business customer. Highly recommended.