
Enhancing the Branch Office Experience with Windows Server 2008 R2

John Savill
Solutions Architect, EMC
Session Code: WSV403

Who am I?

- Technical Evangelist for EMC Consulting
- Ten-time Microsoft MVP
- Author of the Windows FAQ
- Written numerous books
- Latest book available: “Complete Guide to Windows Server 2008”
- Speaker at Tech Ed 2006-2009

Agenda

- Challenges with a branch office
- Overview of security solutions used with Windows 2008
- Virtualization in branch offices
- Enhancing user experience and productivity
- Branch Access
- Read-only Distributed File System Replicas

Branch Office Challenge Focus for Windows 2008

- Offices often require local servers for both performance and resiliency to unavailable links
- A local domain controller is one of the common services provided, and it contains a complete copy of the entire organization's domain
- Remote offices rarely have dedicated, secured server infrastructure areas, nor local support personnel to manage the systems
- Remote office hardware is susceptible to compromise
- A way is needed to protect the data on branch office servers, lower maintenance overhead and counteract risk

Protected Branch Office Server

(Diagram: a protected branch office server built from a Read-Only Domain Controller (RODC), BitLocker and Server Core.)

2008 R2 Improvements for Security

- Server Core had limitations in Windows Server 2008
- We had no virtualization “in-box” for Windows 2008 at RTM
- BitLocker only worked for internal fixed drives
- Management had limitations

So where are we now?

Server Core Enhancements

- Subset of the .NET 2.0, 3.0 and 3.5 Framework now available
- Enables more role services such as ASP.NET with IIS
- Enables PowerShell scripting
- Active Directory Certificate Services and File Server Resource Manager available
- WoW64 optionally installable for 32-bit application support

Management Changes

- Remotable Server Manager
- Enhancements in PowerShell (2.0), which combined with WS-Management gives us fan-out capability
- Best Practice wizards
- A new version of the Remote Server Administration Tools will be available for Windows 7 to manage 2008 R2

BitLocker to Go

- Allows USB storage devices to be protected with BitLocker
- Policy can be used to control the complexity and length of the passphrase required to unlock the drive
- Possible to configure a USB device to auto-unlock on specific servers through passphrase caching; however, this is risky if the server is compromised
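The slide above in practice, as an added example that is not part of the deck: enable BitLocker To Go on a removable volume with manage-bde (Windows 7 / Server 2008 R2), escrow the recovery password in AD DS, and make sure the server holds no cached auto-unlock key for it. The drive letter, and the Group Policy that allows AD DS backup of removable-drive recovery information, are assumptions.

```powershell
<#
 Added example, not from the slides: protect a USB volume with BitLocker To Go
 using manage-bde (Windows 7 / Server 2008 R2), back the recovery password up to
 AD DS, and make sure this server is not caching an auto-unlock key for the drive.
 The drive letter and the AD backup policy being in place are assumptions.
#>
param(
    [string]$Drive = 'E:'   # assumed removable volume
)

# 1. Passphrase protector (manage-bde prompts for it; the length and complexity
#    rules come from the BitLocker Group Policy the deck mentions) plus a 48-digit
#    numerical recovery password so a forgotten passphrase does not mean lost data.
manage-bde -on $Drive -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Enabling BitLocker on $Drive failed" }

# 2. Find the numerical password protector's ID and escrow it in AD DS rather than
#    leaving the only copy on paper or on the local disk.
$protectorText = (manage-bde -protectors -get $Drive) -join "`n"
if ($protectorText -match 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
    manage-bde -protectors -adbackup $Drive -id $Matches[1]
} else {
    Write-Warning "Could not locate the numerical password protector; record it from the listing that follows."
    $protectorText
}

# 3. Auto-unlock stores an unlock key in this server's profile; the deck warns this
#    is risky if the server is compromised, so keep it off and remove any keys
#    cached earlier (the -ClearAllKeys target is the OS volume, not the USB drive).
manage-bde -autounlock -disable $Drive
manage-bde -autounlock -ClearAllKeys $env:SystemDrive

# 4. Confirm protection status and the remaining protectors.
manage-bde -status $Drive
manage-bde -protectors -get $Drive
```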

Demo: Server Core and Manageability

Hyper-V 2008 R2

- Hyper-V is now included in-box
- Includes a number of new capabilities, including:
  - Support for 32 logical processors
  - Hot add/remove of VHD and pass-through disks on the SCSI controller (not IDE)
  - Second Level Address Translation (SLAT)
  - Live Migration and Cluster Shared Volumes
- Dynamic memory did not make this release

Boot from VHD

- Can now boot a Windows 7 or Windows 2008 R2 OS from a VHD file
- Best performance with a static VHD file; dynamic VHDs are supported
- A few extra steps during the OS install process create and mount the VHD file to allow installation:
  - Shift-F10 to open a command window
  - Create, Select and Attach the vdisk
  - Partition
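The Create, Select, Attach and Partition steps above, as an added example that is not from the deck: a diskpart script that prepares a fixed-size VHD from a running Windows 7 / 2008 R2 system; at the Shift-F10 prompt during setup the same diskpart lines are entered interactively. The VHD path, size and drive letter are assumptions.

```powershell
<#
 Added example, not from the slides: prepare a VHD for Boot from VHD with the
 Create / Select / Attach / Partition steps the deck lists, driven through a
 diskpart script. At the Shift-F10 setup prompt the same diskpart lines are
 entered interactively. Path, size and letter are assumptions.
#>
param(
    [string]$VhdPath = 'C:\VHD\Win2008R2.vhd',  # assumed location on the physical disk
    [int]$SizeMB     = 40960,                   # fixed-size (static) VHD for best performance
    [string]$Letter  = 'V'                      # letter setup will see for the new disk
)

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# diskpart reads its commands from a plain ASCII file passed with /s.
$script = @"
create vdisk file="$VhdPath" maximum=$SizeMB type=fixed
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label="BootVHD"
assign letter=$Letter
exit
"@
$scriptFile = Join-Path $env:TEMP 'bootvhd.dp'
$script | Set-Content -Path $scriptFile -Encoding Ascii

diskpart /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed while preparing $VhdPath" }

# The attached VHD now appears as a normal disk; Windows setup can install to it,
# and the running OS can see it until it is detached.
Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($Letter):'" |
    Select-Object DeviceID, Size, FileSystem
```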

Virtualization in the Branch Office

- Server hardware is often limited in branch offices
- Multiple roles are run under a single OS instance, which is generally not optimal
- With virtualization we can run the various roles in separate virtualized OS instances
- We still use BitLocker on the host OS to protect the drives containing the VHD files
- Can now also protect USB storage devices

2008 R2 Branch Office Server

(Diagram: the 2008 R2 branch office server, again combining RODC, BitLocker and Server Core.)

Improving the End User Experience

- All of the previous focus was around securing the branch office
- What about the actual users and their ability to work?
- Most branch locations have slow, high-latency links
- Users consume different types of data
- Data is typically stored in hub locations for easier management and central backup

Branch Cache

- Most branches have poor or high-latency connections
- Users download the same information from hub locations multiple times
- Branch Cache works in a peer-to-peer or hosted server model to cache information served over HTTP (including SharePoint) and SMB
- Branch computers can then retrieve the information from a peer or from the hosted server
- Works using a hash value for each file, so the data has to be stored on a 2008 R2 server

Branch Cache in Action: Peer to Peer

(Diagram: a branch client requests content from the hub server, receives the hash, and retrieves the cached data from a peer's cache.)

Branch Cache in Action: Hosted Cache

(Diagram: the same flow, with the cached data retrieved from the branch's hosted cache server.)

Branch Cache Requirements

- For peer to peer (distributed caching) clients must be in the same subnet
- Hosted cache does not require the same subnet
- One hosted cache per branch
- Windows 7 and Windows 2008 R2 only
- Both solutions require connectivity to the original server
- If you want resiliency against connectivity failure you should look at DFSR instead

So What Exactly is Cached and When?

- Any file that has a hash is cached on the client
- When the cache is full, the least recently accessed item is removed to make room
- Only files over 64KB are cached
- Designed for slow-changing files
- Hashing is configured on a per-share level on the server
- For web content a script is used to create hashes for files; it is not done automatically
- Does not care about transport (supports IPsec, HTTPS etc.)

Branch Cache Storage

- Cache files are stored in chunks under the Network Service profile
- The cached chunks are not encrypted but are protected by ACLs
- Only the Network Service has access

Monitoring and Controlling How Branch Cache is Used

- Performance counters
- Group Policy and commands to enable distributed cache and to point to the hosted cache
- Group Policy controls the cache's % use of the drive
- The entire cache can be cleared on the client through PowerShell and netsh commands
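The controls listed on this slide and the storage facts on the previous one, as an added example that is not from the deck: a PowerShell 2.0 script that drives the netsh branchcache commands of Windows 7 / Server 2008 R2 (no BranchCache cmdlets existed yet) to set the mode, cap the cache, optionally flush it, and then check the ACL on the cache store. The hosted cache server name, the percentage, the cache path and the set of identities treated as expected are assumptions.

```powershell
<#
 Added example, not from the slides: manage the BranchCache client on
 Windows 7 / Server 2008 R2 with the netsh commands the deck refers to
 (no BranchCache PowerShell cmdlets existed yet) and check the ACL on the
 cache store. Server name, cache path and expected identities are assumptions.
#>
param(
    [ValidateSet('distributed', 'hostedclient', 'disabled')]
    [string]$Mode = 'hostedclient',
    [string]$HostedCacheServer = 'BR1-CACHE01.corp.example',  # assumed hosted cache host
    [int]$CachePercent = 5,                                    # share of the client disk for the cache
    [switch]$Flush                                             # empty the local cache
)

# Default location of the client cache; netsh can relocate it, so compare with
# 'netsh branchcache show localcache' if this path does not exist.
$CachePath = Join-Path $env:windir 'ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub'

# 1. Select the caching mode. Hosted-cache mode needs the hosted cache server name;
#    distributed mode only works between peers on the same subnet.
switch ($Mode) {
    'distributed'  { netsh branchcache set service mode=distributed }
    'hostedclient' { netsh branchcache set service mode=hostedclient "location=$HostedCacheServer" }
    'disabled'     { netsh branchcache set service mode=disabled }
}
if ($LASTEXITCODE -ne 0) { throw "Setting BranchCache mode '$Mode' failed" }

# 2. Cap the cache at a percentage of the disk (the same setting Group Policy exposes).
if ($Mode -ne 'disabled') {
    netsh branchcache set cachesize "size=$CachePercent" percent=TRUE
}

# 3. Optionally discard every cached chunk, e.g. when a client must no longer
#    hold content it previously fetched.
if ($Flush) { netsh branchcache flush }

# 4. Report state, then confirm the cache store is reachable only by the expected
#    identities: the chunks are ACL-protected, not encrypted, so the ACL is the control.
netsh branchcache show status all
if (Test-Path $CachePath) {
    $expected = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    (Get-Acl -Path $CachePath).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            Write-Warning "Unexpected ACE on cache store: $($_.IdentityReference) $($_.FileSystemRights)"
        }
}
```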

Demo: Branch Cache in Action

Distributed File System Replication

- Branch Cache requires the network for users to obtain file hash values
- If access to information is required without network connectivity, Branch Cache does not work
- Distributed File System Replication is a good solution, using delta-based replication
- Available as part of 2003 R2 and above
- DFSR only replicates closed files
- In a multi-writer situation the last writer wins (no check-in/check-out; that is SharePoint functionality)

Traditional DFSR

(Diagram: four DFSR replicas, each holding the Documents, Legal, Presentations and Sales folders.)

Read-Only DFSR Replica

(Diagram: one DFSR replica and three read-only R-DFSR replicas, each holding the Documents, Legal, Presentations and Sales folders; a write attempt against a read-only replica returns ACCESS DENIED. PHEW!)

Making a Read-Only Replica

- Must have the 2008 RTM schema extensions
- Only one check box is different
- During the wizard to create a replication group, on a non-authoritative server check the read-only box
- This is per folder on the server
- Can switch between being read-write and read-only with a click

Read-Only DFSR Usage

- Must have Windows 2008 R2 at the branch only
- Other replication partners can be Windows 2008 or Windows 2008 R2
- An R/O replica can only replicate from an R/W replica; an R/O replica cannot replicate from another R/O replica
- Must use the 2008 R2 DFS Management MMC snap-in
- End-user experience is simply read-only access; acts like read-only media
- Users will get File Access Denied if they try to write
- If users need to write, they would need to access a writable replica directly via an SMB UNC path

Branch Cache vs. Read-Only DFSR

- Both technologies deal with publication-type data
- For personal data you should be looking at folder redirection with client-side caching
- For collaboration-type data we should be looking at SharePoint
- If you need data accessed without a network connection, you need Read-Only DFSR
- If you want to save bandwidth but not provide link resiliency, Branch Cache is a good solution
- Use hosted cache over distributed cache if you have a server at the branch
- Branch Cache requires Windows 7 clients

Summary

- Windows 2008 was great for securing branch office locations
- Windows 2008 R2 builds on this secure foundation and adds a great branch office user experience through various technologies
- Some of the major feature wins require Windows 7

Question & Answer

Windows Server Resources

Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter

Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2

Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies
- Over 15 booths and experts from Microsoft and our partners

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.