Enhancing the Branch Office Experience with Windows Server 2008 R2
John Savill, Solutions Architect, EMC
Session Code: WSV403
TRANSCRIPT
Who am I?
- Technical Evangelist for EMC Consulting
- Ten-time Microsoft MVP
- Author of the Windows FAQ
- Written numerous books; latest book available: "Complete Guide to Windows Server 2008"
- Speaker at Tech Ed 2006-2009
Agenda
- Challenges with a branch office
- Overview of security solutions used with Windows 2008
- Virtualization in branch offices
- Enhancing User Experience and Productivity
- Branch Access
- Read-only Distributed File System Replicas
Branch Office Challenge Focus for Windows 2008
- Offices often require local servers for both performance and resiliency against unavailable links
- A local domain controller is one of the most common services provided; it contains a complete copy of the entire organization's domain
- Remote offices rarely have dedicated, secured server infrastructure areas, nor local support personnel to manage the systems
- Remote office hardware is susceptible to compromise
- A way is needed to protect the data on branch office servers, lower maintenance overhead and counteract risk
2008 R2 Improvements for Security
- Server Core had limitations in Windows Server 2008
- We had no "in-box" virtualization in Windows 2008 at RTM
- BitLocker only worked for internal fixed drives
- Management had limitations
So where are we now?
Server Core Enhancements
- Subset of the .NET 2.0, 3.0 and 3.5 Framework now available
- Enables more role services, such as ASP.NET with IIS
- Enables PowerShell scripting
- Active Directory Certificate Services and File Server Resource Manager available
- WoW64 optionally installable for 32-bit application support
Management Changes
- Remotable Server Manager
- Enhancements in PowerShell 2.0 which, combined with WS-Management, give us fan-out capability
- Best Practice wizards
- A new version of the Remote Server Administration Tools will be available for Windows 7 to manage 2008 R2
BitLocker to Go
- Allows USB storage devices to be protected with BitLocker
- Policy can be used to control the complexity and length of the passphrase required to unlock the drive
- Possible to configure a USB device to auto-unlock on specific servers through passphrase caching; however, this is risky if the server is compromised
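As an added example (not from the slides), the following protects a removable drive with BitLocker To Go via manage-bde.exe and then audits the auto-unlock caching the slide warns about. It assumes the USB drive is E:, the OS drive is C:, and manage-bde switch names as shipped with Windows 7 / Windows Server 2008 R2.

```powershell
# Added example, not from the slides. Protect a removable drive with BitLocker To Go
# and audit the auto-unlock key caching on this machine.
# Assumptions: USB drive is E:, OS drive is C:, run from an elevated PowerShell prompt.
$usbDrive = 'E:'
$osDrive  = 'C:'

# Turn on BitLocker with a passphrase protector (-pw prompts for it interactively) and
# also add a numerical recovery password (-rp) so a forgotten passphrase is not data loss.
# Passphrase length/complexity is enforced by the Group Policy the slide mentions.
manage-bde -on $usbDrive -pw -rp

# Confirm the drive is encrypting/encrypted and review which key protectors exist.
manage-bde -status $usbDrive
manage-bde -protectors -get $usbDrive

# Auto-unlock stores an unlock key for the USB drive on this machine's OS drive. On a
# branch server with no physical security that cached key is exactly what someone who
# walks off with the box obtains, so keep it disabled for this drive...
manage-bde -autounlock -disable $usbDrive

# ...and, as a periodic defensive sweep, remove every cached auto-unlock key held on the OS drive.
manage-bde -autounlock -clearallkeys $osDrive
```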
Hyper-V 2008 R2
- Hyper-V is now included in-box
- Includes a number of new capabilities, including:
  - Support for 32 logical processors
  - Hot add/remove of VHD and pass-through disks on the SCSI controller (not IDE)
  - Second Level Address Translation (SLAT)
  - Live Migration and Cluster Shared Volumes
- Dynamic memory did not make this release
Boot from VHD
- Can now boot a Windows 7 or Windows 2008 R2 OS from a VHD file
- For best performance use a static (fixed) VHD file; dynamic VHDs are supported, however
- A few extra steps during the OS install process create and mount the VHD file to allow installation:
  - Shift-F10 to open a command window
  - Create, select and attach the vdisk
  - Partition
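As an added example (not from the slides), here is the "create, select, attach, partition" diskpart sequence for a Boot-from-VHD install, wrapped in PowerShell so it can be run from a full Windows 7 / 2008 R2 system. The commands inside the here-string are what you would type at the Shift-F10 prompt during Setup; the VHD path, size and drive letter V: are assumptions.

```powershell
# Added example, not from the slides. Create and attach a fixed-size VHD with diskpart
# so Windows Setup can install into it.
# Assumptions: path and size below, diskpart.exe on the PATH, elevated prompt.
$vhdPath = 'C:\VHD\Win2008R2.vhd'
$sizeMB  = 40960      # 40 GB; type=fixed allocates it up front (best performance per the slide)

New-Item -ItemType Directory -Path (Split-Path -Parent $vhdPath) -Force | Out-Null

# Same commands as typed interactively at the Setup command window.
$diskpartScript = @"
create vdisk file="$vhdPath" maximum=$sizeMB type=fixed
select vdisk file="$vhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label="BootVHD"
assign letter=V
exit
"@

# diskpart /s reads its commands from a plain ASCII text file.
$scriptFile = Join-Path $env:TEMP 'bootvhd.txt'
Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptFile

# The attached VHD is now an empty NTFS volume (V:) that Setup can be pointed at.
# 'select vdisk file=...' followed by 'detach vdisk' releases it again later.
```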
Virtualization in the Branch Office
- Server hardware is often limited in branch offices
- Multiple roles are run under a single OS instance, which is generally not optimal
- With virtualization we can run the various roles in separate virtualized OS instances
- We still use BitLocker on the host OS to protect the drives containing the VHD files
- Can now also protect USB storage devices
Improving the End User Experience
- All of the previous focus was around securing the branch office
- What about the actual users and their ability to work?
- Most branch locations have slow, high-latency links
- Users consume different types of data
- Data is typically stored in hub locations for easier management and central backup
Branch Cache
- Most branches have poor or high-latency connections
- Users download the same information from hub locations multiple times
- Branch Cache works in a peer-to-peer or hosted server model to cache information served over HTTP (including SharePoint) and SMB
- Branch computers can then retrieve the information from a peer or from the hosted server
- Works using a hash value for each file, so the data has to be stored on a 2008 R2 server
Branch Cache Requirements
- For peer-to-peer (distributed caching) clients must be in the same subnet
- Hosted cache does not require the same subnet
- One hosted cache per branch
- Windows 7 and Windows 2008 R2 only
- Both solutions require connectivity to the original server
- If you want resiliency against connectivity failure you should look at DFSR instead
So What Exactly is Cached and When?
- Any file that has a hash is cached on the client
- When the cache is full, the least recently accessed item is removed to make room
- Only files over 64KB are cached
- Designed for slow-changing files
- Hashing is configured on a per-share level on the server
- For web content a script is used to create hashes for files; this is not done automatically
- Does not care about transport (supports IPsec, HTTPS, etc.)
Branch Cache Storage
- Cache files are stored in chunks under the Network Service profile
- The cached chunks are not encrypted but are protected by ACLs
- Only the Network Service has access
Monitoring and Controlling How Branch Cache is Used
- Performance counters
- Group Policy and commands to enable the distributed cache and to point clients to a hosted cache
- Group Policy controls the cache's % use of the drive
- The entire cache can be cleared on the client through PowerShell and netsh commands
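As an added example (not from the slides), the following configures a Windows 7 client for Branch Cache with netsh, caps and inspects the cache, samples the performance counters, and clears the cache. The hosted cache server name BRANCH-SRV01, the 5% cache size and the 'BranchCache' counter-set name are assumptions.

```powershell
# Added example, not from the slides. Client-side Branch Cache setup, monitoring and cleanup.
# Assumptions: hosted cache server BRANCH-SRV01 (placeholder); set $hostedCache to ''
# for distributed (peer-to-peer) mode. Run from an elevated PowerShell prompt.
$hostedCache = 'BRANCH-SRV01'

if ($hostedCache) {
    # Hosted mode: clients fetch from the branch server (one hosted cache per branch).
    netsh branchcache set service mode=hostedclient location=$hostedCache
} else {
    # Distributed mode: peers on the same subnet serve each other; no branch server needed.
    netsh branchcache set service mode=distributed
}

# Cap the local cache at 5% of the drive (Group Policy can push the same setting centrally).
netsh branchcache set cachesize size=5 percent=TRUE

# Current mode, cache location/size and whether the firewall rules are in place.
netsh branchcache show status all

# Sample the Branch Cache performance counters once (counter-set name assumed) to see
# how much content is coming from cache versus across the WAN from the hub server.
$paths = (Get-Counter -ListSet 'BranchCache').Paths
Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 1 |
    Select-Object -ExpandProperty CounterSamples |
    Format-Table Path, CookedValue -AutoSize

# Empty the local cache, e.g. during incident cleanup. The chunks are unencrypted and
# protected only by ACLs under the Network Service profile, so this is the cleanup step.
netsh branchcache flush
```

On the 2008 R2 file server, hashing is switched on per share (for example in the share's caching settings) and is not covered by this client-side script.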
Distributed File System Replication
- Branch Cache requires the network for users to obtain file hash values
- If access to information is required without network connectivity, Branch Cache does not work
- Distributed File System Replication is a good solution, using delta-based replication
- Available as part of 2003 R2 and above
- DFSR only replicates closed files
- In a multi-writer situation, last writer wins (no check-in/check-out; that is SharePoint functionality)
[Diagram: Traditional DFSR. Four DFSR replicas, each holding the same Documents, Legal, Presentations and Sales folders; every replica is writable.]
[Diagram: Read-Only DFSR Replica. One read-write DFSR replica holding Documents, Legal, Presentations and Sales replicates to three R-DFSR (read-only) replicas; a write attempt at a read-only replica returns ACCESS DENIED. "PHEW!"]
Making a Read-Only Replica
- Must have the 2008 RTM schema extensions
- Only one check box is different
- During the wizard to create a replication group, check the read-only box on a non-authoritative server
- This is per folder on the server
- Can switch between read-write and read-only with a click
Read-Only DFSR Usage
- Must have Windows 2008 R2 at the branch only
- Other replication partners can be Windows 2008 or Windows 2008 R2
- An R/O replica can only replicate from an R/W replica; an R/O replica cannot replicate from another R/O replica
- Must use the 2008 R2 DFS Management MMC snap-in
- The end-user experience is simply read-only access; it acts like read-only media
- Users will get File Access Denied if they try to write
- If users need to write, they need to access a writable replica directly via an SMB UNC path
Branch Cache vs. Read-Only DFSR
- Both technologies deal with publication-type data
- For personal data you should be looking at folder redirection with client-side caching
- For collaboration-type data we should be looking at SharePoint
- If you need data accessed without a network connection you need Read-only DFSR
- If you want to save bandwidth but not provide link resiliency, Branch Cache is a good solution
- Use hosted cache over distributed cache if you have a server at the branch
- Branch Cache requires Windows 7 clients
Summary
- Windows 2008 was great for securing branch office locations
- Windows 2008 R2 builds on this secure foundation and adds a great branch office user experience through various technologies
- Some of the major feature wins require Windows 7
Windows Server Resources
- Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
- Learn More about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
- Technical Learning Center (Orange Section): Highlighting Windows Server 2008 and R2 technologies
  - Over 15 booths and experts from Microsoft and our partners
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.