Windows Server 2008 An Introductory Overview Lori M. Sanders Managing Senior Partner iSolve Consulting Group 1-800-843-8733 www.learningtree.ca © 2007 Learning Tree International. All Rights Reserved.

Upload: carl-sawatzky

Post on 18-Nov-2014


DESCRIPTION

This insightful introduction to Windows Server 2008 covers the subject from three perspectives: security, manageability and availability. Chapters include Security Enhancements, Identity and Access Control, Virtualization, Auditing Enhancements, plus helpful references and Web sites.

TRANSCRIPT



Table of Contents

I. Introduction (page 1)

II. Windows Server 2008 Family (page 2)

III. Security Enhancements (page 2)

• Identity and Access Control in 2008 (page 2)

– Active Directory Federation Services (ADFS) (page 2)

– Active Directory Rights Management Services (AD RMS) (page 3)

• Network Access Protection (NAP) (page 3)

• BitLocker Drive Encryption (page 4)

• Windows Server Core Deployments (page 4)

• Read-Only Domain Controllers (RODC) (page 5)

• Domain Password Policy Changes (page 5)

• Auditing Enhancements (page 5)

IV. Maintaining High Availability (page 5)

• Failover Clusters (page 5)

• Network Load Balancing (NLB) (page 6)

• Distributed File System (DFS) (page 6)

• Virtualization (page 7)

• Windows Server Backup (page 8)

• Restartable AD Services (page 8)

• Terminal Services (page 9)

V. Manageability (page 9)

• Server Manager (page 9)

• PowerShell (page 11)

• Windows Deployment Services (WDS) (page 11)

• Log and Event Consolidation (page 11)

VI. Conclusion (page 11)

Books and Web Sites (page 12)

About Learning Tree International (page 13)

About the Author (page 13)

I. Introduction

As the world awaits the launch of another Microsoft operating system, administrators, managers and professionals are asking, “Do we really need it?”

The answer to that question is: It depends on your organization’s needs and goals. One way to determine whether Windows Server 2008 is worth spending time, energy and corporate budget on is to learn what the new operating system can do for you. There are many interesting things to talk about in this product, and the purpose of this White Paper is to give you an overview of the most important new or improved features. When you finish reading the Paper, you will have a good idea of what Windows Server 2008 offers and how it can be used in your organization. You will also find additional resources and Web links at the end.

As a longtime server administrator, I see three areas of functional improvement in Windows Server 2008: security, manageability, and availability. Although some of the new tools and capabilities available offer benefit in more than one area, I will frame them within the context of these three boundaries.

Many of the components we will cover in the next pages are new to the product line; others first became available in Windows Server 2003 R2. Some are simply refinements and rebranding of existing Windows 2000, Windows Server 2003 or Windows Vista capabilities. In all cases though, I think you will find this generation of Microsoft Server easier to deploy, manage and maintain than any of its predecessors. So let’s get started!


Windows Server 2008 – An Introductory Overview, page 1

Learning Tree International White Paper

1-800-843-8733 • www.learningtree.ca © 2007 Learning Tree International. All Rights Reserved


II. Windows Server 2008 Family

Before diving into product improvements, let’s have a quick look at the entire product line. The Windows Server 2008 family looks much like the Windows Server 2003 collection of products. You have four major versions available for purchase. They are Web Server, Standard, Enterprise and DataCenter editions. Each of these editions is available for either 32- or 64-bit platforms. DataCenter will also be available for the IA-64 architecture.

As with Windows Server 2003, the product you choose depends on the size of your organization and the functionality that you want to employ. Below we have a comparison of some of the basic features included in each server edition. Naturally, until the product is actually released to manufacturing (RTM) early next year, nothing is written in stone. And, as mentioned earlier, if you are familiar with the Windows Server 2003 product line, you will see that the new server product line is marketed with similar organizational limits in mind.

• Standard Edition—Provides fundamental server functionality; intended for use in small to medium-sized organizations; includes key server roles and features; and supports full or server core only installations. Can be used as an Active Directory (AD) domain controller (DC).

• Enterprise Edition—Same functionality as the Standard Edition, plus technologies that are generally more important in larger enterprises such as Active Directory Federation Services (ADFS) and Failover Clustering.

• DataCenter Edition—Same functionality as the Enterprise edition, plus unlimited virtualization rights and support for robust servers with large amounts of RAM and a larger number of processors.

• Web Server 2008—Like Web Server 2003, a limited version of the operating system designed to be used as a Web and application server only; has a very limited set of server roles; cannot be used as an Active Directory server; does not have the option to install just the server core; and supports less RAM and fewer processors.

III. Security Enhancements

Let’s begin our discussion of new capabilities with a topic near and dear to every IT professional’s heart: keeping our servers secure and our corporate data private. Windows Server 2008 has implemented several new features and provided improvements to existing features that will assist in achieving this goal. Many of these features will someday end up as individual chapters in a security textbook, but we will discuss them at a higher level. Again, at the end of the Paper, you will find a list of hyperlinks and resources to deepen your knowledge of any of the security features mentioned here.

• Identity and Access Control in 2008

In any organization, one of the first security tasks we need to undertake is to establish and secure a perimeter around our network. In Active Directory, we do this by delineating domains and forest structures, and making sure that everyone who is allowed into our perimeter has a valid sign-on. This is a relatively simple process, as long as everyone who needs access to your data is within this perimeter. But what happens when you have customers, suppliers or partners that are outside your forest? In the past, that situation could be a management and security nightmare. Microsoft has implemented two technologies to assist with maintaining sign-on and resource security when using extranets:

– Active Directory Federation Services (ADFS)

ADFS was first introduced in Windows Server 2003 R2. In Windows Server 2008, ADFS is implemented as a server role that is capable of providing identity management for extranet customers that are called federation partners. ADFS allows browser-based clients to access Internet applications even when the user account and application are located in separate forests. ADFS allows a user to authenticate to multiple Web applications using a single sign-on. ADFS uses a new type of trust, called a federation trust, to securely share user identity and rights information between federation partners.

How is this different from simply creating an external or forest trust between the two organizations? If we create such a trust, the entire external domain is included in the trust model; however, if I employ ADFS, I can specify a trusted subset of individuals in that remote domain that will be allowed access inside my perimeter. In addition, using policies, I can set up additional conditions and rules for this federated trust.

– Active Directory Rights Management Services (AD RMS)

A second server role employed to protect information is AD RMS. This is Windows Server 2003 Rights Management Services, rebranded and improved. AD RMS is a technology aimed at controlling data access rather than user identity. To use AD RMS, you must install the server role, which handles certificates and licensing, and you must employ AD RMS clients as well as a database server. Currently, only Vista has a native AD RMS client. Once in place, data authors set persistent usage rules on information and data sources that will remain attached to the data no matter where it is moved—both inside and outside the organization.

This technology augments the traditional Access Control List (ACL) protection by allowing security masks such as “read only – no printing” to be configured on a resource and have that security enforced even when the document is e-mailed to recipients outside the organization. Applications, including custom and third-party ones, must be AD RMS enabled. Once done, any document, drawing, e-mail or other product of the application can have AD RMS security embedded in the information. Developers can create customized AD RMS applications using the AD RMS software development kit.

• Network Access Protection (NAP)

How secure is your server? The answer really is: only as secure as your network clients. For example, what if a client machine isn’t running a virus scanner? Do you want to allow such a highly vulnerable laptop to communicate with your corporate servers and pass on a virus or spyware? To combat this problem, Windows Server 2008 now offers Network Access Protection (NAP). NAP allows administrators to specify base “health” requirements, such as minimum software requirements, security update levels and other security settings that must be met before a client is allowed to fully access the corporate network. These NAP policies allow administrators to control, and even quarantine, machines that don’t meet the minimum requirements for the network. Non-compliant clients can be denied access to the network or directed to a remediation server’s network for immediate repair.

There are five enforcement mechanisms for NAP:

• DHCP

• IPSec

• VPN

• 802.1x

• TS Gateway

NAP requires components on both network clients and servers. The server components consist of the Network Policy Server (NPS), the System Health Validators (SHVs) and the Quarantine Server (QS). The NPS is the heart of the system, where administrators create policies that specify the organization’s health requirements for full network participation by clients. When a client attempts to access the network, the SHVs determine whether it meets the basic requirements specified in the policies. If a client is found non-compliant, it is sent to a remediation network where QSs will make it compliant, allowing full network access. The actual process may differ based on which enforcement methods are used and what exceptions have been created for machines that are not NAP client enabled or need to be exempted from NAP screening.

For a machine to be screened by NAP, it must have a NAP client installed. Currently, the only embedded NAP clients are in Windows Vista and Windows Server 2008. Microsoft is developing a NAP client for XP and expects it to be released about the same time as Windows Server 2008 RTM. The NAP client consists of three layers: the System Health Agents (SHAs), the Quarantine Agent (QA) and the Enforcement Clients (ECs). SHAs check for compliance with a particular requirement, such as a particular patch or a certain level of AV software. A client may have multiple SHAs present, as each one is directed at a particular health requirement. The QA takes the status from the SHAs and compiles a list of results, which it forwards to the EC. The ECs then determine whether the client is granted full or partial network access based on the SHA outcomes. There are embedded ECs for each of the enforcement mechanisms mentioned earlier, and ISVs are being encouraged to come up with their own custom ECs for installation.


• BitLocker Drive Encryption

Unlike file encryption (EFS), which can be used to encrypt folders and files, BitLocker encrypts the entire drive, including the swap and hibernation files. This technology foils the data thief who tries to boot the computer to an alternate operating system where NTFS permissions would not be enforced, use other tools to read the drive’s information, or attempt to access the data offline. BitLocker can be of value to organizations that are concerned about the security of their data traveling outside the company on laptops and for any organization required to maintain higher than usual data security due to regulatory requirements such as HIPAA or Sarbanes-Oxley compliance. It is especially useful in the server environment when servers are located outside the server room or in some unsecure location such as a branch office.

Although BitLocker first became available with certain versions of Windows Vista, the Windows Server 2008 implementation has a few key improvements that make it more usable in a server environment. First, the technology has been extended to include any locally created internal volume on the machine—not just the bootable volume. These non-bootable volumes are referred to as data volumes. Second, security has been improved by adding a new multifactor authentication mechanism combining a TPM protected key, which can be stored on a USB device, and a user-generated PIN, both of which must be used before access is granted to the volume. Finally, support for the Extensible Firmware Interface (EFI) has been included.
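The branch-office scenario above is only as good as the verification that every volume on the box is actually protected. The following PowerShell script is an added example, not code from the white paper or from Microsoft; it reads the TPM and BitLocker state through the WMI providers that ship with Windows Server 2008 and Vista (Win32_Tpm and Win32_EncryptableVolume) and lists the volumes, data volumes included, that are not yet protected. The function and variable names are my own.

```powershell
# Added example, not part of the white paper: inventory TPM state and BitLocker
# protection status on a Windows Server 2008 (or Vista) machine through the WMI
# providers that ship with the OS. Run from an elevated PowerShell session.

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-TpmState {
    # Win32_Tpm has one instance when a TPM is present; each Is* method returns
    # an object carrying a boolean property of the same name.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return $null }
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerVolumeStatus {
    # Win32_EncryptableVolume: one instance per volume BitLocker could protect,
    # which on Server 2008 includes the data volumes the paper describes.
    $volumes = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        $prot = $v.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
        $conv = $v.GetConversionStatus()
        $protText = 'Unknown'
        if ($prot -eq 0) { $protText = 'Off' } elseif ($prot -eq 1) { $protText = 'On' }
        New-Object PSObject -Property @{
            DriveLetter       = $v.DriveLetter
            Protection        = $protText
            ConversionStatus  = $conv.ConversionStatus       # 0 decrypted, 1 encrypted, 2/3 in progress, 4/5 paused
            EncryptionPercent = $conv.EncryptionPercentage
        }
    }
}

function Test-BitLockerBaseline {
    # Returns the drive letters that are NOT protected, so the result can feed a
    # compliance report or a NAP-style health check rather than just the console.
    $unprotected = @(Get-BitLockerVolumeStatus |
        Where-Object { $_.Protection -ne 'On' } |
        ForEach-Object { $_.DriveLetter })
    return $unprotected
}

$tpmState = Get-TpmState
if ($null -eq $tpmState) {
    Write-Warning 'No TPM found: only USB startup key or recovery password protectors are possible on this machine.'
} else {
    $tpmState | Format-List
}
Get-BitLockerVolumeStatus | Format-Table DriveLetter, Protection, ConversionStatus, EncryptionPercent -AutoSize
$missing = Test-BitLockerBaseline
if ($missing.Count -gt 0) {
    Write-Warning ('Volumes without BitLocker protection: ' + ($missing -join ', '))
}
```

A volume that reports Protection "Off" with ConversionStatus 1 is fully encrypted but has its key protectors suspended, which is the state an attacker with physical access wants to find; treat it the same as an unencrypted volume in any baseline check.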

• Windows Server Core Deployments

When you install Windows Server 2008, you will see that you have a new installation alternative called Server Core. Choosing this option means that only the absolutely essential OS components are deployed to the machine. Elements that are considered extraneous are not installed. The most obvious missing feature is the GUI. That’s right—Server Core is primarily a command-line-driven administrative interface. There are a few GUI-like tools that you can use (such as Task Manager, regedit.exe and Notepad) but, overall, the tools you are used to seeing in Windows are gone—no Server Manager, no Taskbar, no Start Menu, no Windows Explorer.

The question is, why did Microsoft include this installation option? What do you gain from doing a core-only install? There are several answers, but probably the most important is: increased security. By reducing the components installed and the services that are running, Microsoft has automatically reduced the attack surface of your server. There aren’t as many security holes to exploit because the elements that would allow attacks simply aren’t in place. Of course, the core architectural components of the OS are still there—the kernel, Hardware Abstraction Layer (HAL) and drivers.

Beyond security improvement, the Server Core install also gives the benefits of a smaller system footprint, reduced administration and decreased need for software patching because there are fewer OS components to install, configure or patch. Of course, given the command line interface, strong experience in commands and scripting will be an important skill for Server Core administrators.

When you perform a Server Core install, you lose the ability to install some of the roles and features available with a full installation. And naturally, the roles and features you choose to install must be managed using ServerManagerCmd.exe—the command line version of Server Manager.

The following is a list of server roles and features that are available for use on a Server Core machine:

Server Roles Available

• Active Directory Domain Services

• Active Directory Lightweight Directory Services

• DHCP Server

• DNS Server

• File Services (including NFS and DFSR)

• Print Services

• Streaming Media Services

• IIS 7.0 *

Features Available

• Failover Clustering

• Multipath I/O

• Network Load Balancing

• Quality of Service

• Removable Storage Management

• SNMP Services

• Subsystem for UNIX-based Applications

• Telnet Client

• Windows BitLocker Drive Encryption

• Windows Server Backup

• WINS Server

* Without .NET Framework; announced at TechEd June 2007


• Read-Only Domain Controllers (RODC)

Microsoft is marketing RODCs as a new category of domain controller that can be deployed in environments where a writable copy of the AD database may be a security liability, such as a branch office where physical security may be less than perfect. If you are familiar with the NT 4 concept of a backup domain controller (BDC), the idea here is similar. The RODC contains the same domain objects and attributes as a writable domain controller (except passwords); however, as the name implies, RODCs are not able to write any changes to the database. When changes are required, administrative tools are redirected to a writable DC elsewhere in the organization. Administration of a specific RODC can be delegated to any domain user without having to grant that user administrative rights on other domain controllers. This allows a local user at the branch office to perform administrative tasks on the RODC, such as configuring an application, but not have any permissions or rights on any other DC. This protects the integrity of the data on writable copies of the Active Directory database.

• Domain Password and Account Lockout Granularity

Although there have been several improvements in security policies, one of the most useful (and long overdue) is the change made to the domain password and account lockout functionality. In previous AD implementations, a single password policy applied to all domain accounts. If domain users required different levels of password enforcement, such as separate minimum password lengths or different expiration periods, the only option was to create two domains and then create different password policies in each domain to each group’s specifications. In Windows Server 2008, different password policies can be set within a single domain. A new password settings object (PSO) holds the password policies. A PSO can then be associated with any group in the Active Directory.
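What a PSO looks like on the wire is worth seeing once, because the attribute values are not the friendly numbers the GUI shows. The PowerShell below is an added example, not code from the white paper or from Microsoft: it builds a PSO as LDIF and imports it with ldifde.exe, which is how PSOs were created on a Windows Server 2008 DC (the AD cmdlets came later), then reads back which policy a given user actually gets. The domain DN, group DN, user DN, policy values and all function names are assumptions of mine, not values from the paper.

```powershell
# Added example, not part of the white paper: build a fine-grained password
# policy (a Password Settings Object) as LDIF and import it with ldifde.exe on
# a Windows Server 2008 DC. Domain, group and user DNs below are placeholders.

# AD stores PSO durations as negative 100-nanosecond intervals (LDAP I8).
# A .NET TimeSpan already counts in 100-ns ticks, so the value is just -Ticks.
function ConvertTo-PsoInterval([timespan]$Span) { return -($Span.Ticks) }

function New-PsoLdif {
    param(
        [string]$Name, [string]$DomainDn,
        [int]$Precedence,             # lower number wins when several PSOs apply to one user
        [int]$MinLength, [int]$HistoryLength,
        [timespan]$MinAge, [timespan]$MaxAge,
        [int]$LockoutThreshold, [timespan]$LockoutWindow, [timespan]$LockoutDuration,
        [string[]]$AppliesToDn        # DNs of global security groups or user objects
    )
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn"
        'changetype: add'
        'objectClass: msDS-PasswordSettings'
        "msDS-PasswordSettingsPrecedence: $Precedence"
        'msDS-PasswordReversibleEncryptionEnabled: FALSE'
        "msDS-PasswordHistoryLength: $HistoryLength"
        'msDS-PasswordComplexityEnabled: TRUE'
        "msDS-MinimumPasswordLength: $MinLength"
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinAge)"
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxAge)"
        "msDS-LockoutThreshold: $LockoutThreshold"
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)"
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)"
    )
    foreach ($dn in $AppliesToDn) { $lines += "msDS-PSOAppliesTo: $dn" }
    return ($lines -join "`r`n") + "`r`n"
}

# A stricter policy for privileged accounts than the domain default (placeholder values).
$domainDn = 'DC=corp,DC=example,DC=com'
$ldif = New-PsoLdif -Name 'PSO-Admins' -DomainDn $domainDn -Precedence 10 `
    -MinLength 15 -HistoryLength 24 `
    -MinAge ([timespan]::FromDays(1)) -MaxAge ([timespan]::FromDays(42)) `
    -LockoutThreshold 5 -LockoutWindow ([timespan]::FromMinutes(30)) `
    -LockoutDuration ([timespan]::FromMinutes(30)) `
    -AppliesToDn @("CN=Domain Admins,CN=Users,$domainDn")

$path = Join-Path $env:TEMP 'pso-admins.ldf'
Set-Content -Path $path -Value $ldif -Encoding ASCII
& ldifde.exe -i -f $path          # -i = import; run as a domain admin on a DC

# Which policy a user really gets is exposed through the constructed attribute
# msDS-ResultantPSO; an empty result means the domain default policy applies.
function Get-ResultantPso([string]$UserDn) {
    $user = [ADSI]"LDAP://$UserDn"
    $user.RefreshCache([string[]]@('msDS-ResultantPSO'))
    return [string]$user.Properties['msDS-ResultantPSO'].Value
}
Get-ResultantPso "CN=Administrator,CN=Users,$domainDn"
```

Because resolution is by precedence and then by group membership, always check msDS-ResultantPSO on a sample user after importing a new PSO; a PSO linked to a group that the user reaches only through a nested group is not applied.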

• Auditing Enhancements

Administrators have always been able to audit access to objects for file system and Active Directory objects, but with the dawn of Windows Server 2008, security tracking becomes more granular. A new policy category called Directory Service Changes will allow administrators to capture who made changes to an Active Directory object or attribute, when the change was made and what the old and new values are. The same ability to keep initial and changed values is available for any changes to the Registry as well. Administrators will also be able to audit permission changes, network share access and IPSec events.

Like other security events, this tracking is sent to the security logs and can be consolidated from several machine sources. These logs can be viewed with traditional Microsoft tools such as Event Viewer or accessed from third party toolsets. This new level of auditing detail will assist with AD change management tracking as well as maintaining regulatory compliance for organizations with HIPAA or SOX requirements.
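The "old and new value" detail the section describes does not arrive as one log entry: Directory Service Changes auditing writes Security event 5136 once for the value removed and once for the value added, tied together by an operation correlation ID. The PowerShell below is an added example, not code from the white paper or from Microsoft; it enables the subcategory with auditpol.exe and then reduces 5136 events to before/after records. The three event records it feeds in are constructed samples in the 5136 XML layout (field names from that event's schema, values invented), and the function names are my own.

```powershell
# Added example, not part of the white paper: enable Directory Service Changes
# auditing and reduce the resulting Security events (ID 5136) to
# "who changed what, from which value to which" records.

function Enable-DsChangeAuditing {
    # Subcategory-level audit setting introduced with Windows Server 2008. Objects
    # also need a SACL entry (Write property, Success) before they produce 5136.
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
}

function Get-DsChangeEventXml {
    # Live retrieval from the Security log on a DC, as [xml] documents.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } |
        ForEach-Object { [xml]$_.ToXml() }
}

function ConvertFrom-DsChangeEvents {
    # A modify shows up as two 5136 events with the same OpCorrelationID:
    # OperationType %%14675 (value deleted) carries the old value and %%14674
    # (value added) the new one. Setting a previously empty attribute yields only
    # the %%14674 event, so OldValue stays null. A replace on a multi-valued
    # attribute would need value-level pairing, which this simple keying omits.
    param([xml[]]$EventXml)
    $changes = @{}
    foreach ($x in $EventXml) {
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $key = $data['OpCorrelationID'] + '|' + $data['AttributeLDAPDisplayName']
        if (-not $changes.ContainsKey($key)) {
            $changes[$key] = New-Object PSObject -Property @{
                When      = [datetime]$x.Event.System.TimeCreated.SystemTime
                Who       = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
                Object    = $data['ObjectDN']
                Class     = $data['ObjectClass']
                Attribute = $data['AttributeLDAPDisplayName']
                OldValue  = $null
                NewValue  = $null
            }
        }
        if ($data['OperationType'] -eq '%%14675') { $changes[$key].OldValue = $data['AttributeValue'] }
        if ($data['OperationType'] -eq '%%14674') { $changes[$key].NewValue = $data['AttributeValue'] }
    }
    return $changes.Values
}

function New-SampleEvent([string]$Time, [string]$OpType, [string]$Attr, [string]$Value, [string]$CorrId) {
    # Constructed 5136-style record; only the fields the parser uses are filled in.
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="OpCorrelationID">$CorrId</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=svc-backup,OU=Service Accounts,DC=corp,DC=example,DC=com</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">$Attr</Data>
    <Data Name="AttributeValue">$Value</Data>
    <Data Name="OperationType">$OpType</Data>
  </EventData>
</Event>
"@
}

# Constructed samples: an account being re-enabled (userAccountControl 514 -> 512)
# and a description being set where none existed before.
$samples = @(
    (New-SampleEvent '2007-11-05T14:02:10.000Z' '%%14675' 'userAccountControl' '514' 'op-1')
    (New-SampleEvent '2007-11-05T14:02:10.000Z' '%%14674' 'userAccountControl' '512' 'op-1')
    (New-SampleEvent '2007-11-05T14:03:45.000Z' '%%14674' 'description' 'Nightly backup job' 'op-2')
)
ConvertFrom-DsChangeEvents -EventXml $samples |
    Format-Table When, Who, Object, Attribute, OldValue, NewValue -AutoSize
```

On a live DC, replace `$samples` with the output of `Get-DsChangeEventXml`. The userAccountControl pair is the kind of record worth alerting on: a disabled service account coming back to life is visible only because both the old and the new value were captured.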

IV. Maintaining High Availability

“Anytime…anywhere.” These two words have become the mantra for our industry. Even if the business needs are not 24/7/365, the user’s needs often are. Many of the technologies you will see deployed with Windows Server 2008 are aimed at meeting such requirements. In the next section, we will discuss the most prominent of these.

• Failover Clusters

One of the fundamental technologies used to create a high-availability or fault-tolerant environment is server clustering. Clustering refers to a set of independent servers that are configured to work together through physical cabling and cluster management software. If any cluster node (server participant) becomes unavailable, another node will automatically take over for the failed server. This allows always-on access to business critical applications and data, even through server crashes. In Windows Server 2008, cluster technology has been rebranded to Failover Clustering. In this generation of clustering, Microsoft has attempted to make the creation and management of clusters easier and improve cluster security and stability. This process begins with the use of the Cluster Validation Wizard, which lets administrators test node compatibility, check network configuration for the proposed cluster, and make sure that the storage access requirements are met for all the nodes in the cluster. Once set up, cluster management is simplified through a new administrative interface.

Additional clustering improvements include support for GUID Partition Table (GPT) disks which have built in redundancy, support for large partitions and more partitions per disk. A new quorum model, called the majority quorum model, allows you to be in control of the quorum configuration. You can configure your cluster to use the traditional shared quorum device or majority node models, or create a hybrid model. In the new model, even a simple two-node cluster can survive the loss of the quorum resource disk. Other important new storage features include the ability to use shares (rather than whole disks) as a resource, the capacity to add additional resources to the quorum while the cluster is running, SAN support, and storage connections that support persistent reservations (Fibre Channel, iSCSI, and SAS).

Improvements in the networking model for clusters include support for IPv6, removal of legacy dependencies on NetBIOS, DHCP support, and the ability to have cluster nodes exist on different logical IP subnets. The most important of these—especially to large, geographically distributed organizations—would be the last. This functionality change allows an enterprise to implement GeoClusters (Geographically Dispersed Clusters) without the creation of a VLAN as required in earlier generations of Microsoft clustering. To complement this change, cluster heartbeat timeouts are now configurable.

As with other components, Microsoft’s focus in 2008 is to simplify the management of servers. In clustering, we see this focus come to life with the addition of the new Failover Cluster Management interface, an MMC 3.0 console which lets administrators validate, create and manage clusters through a series of three-step wizards.

• Network Load Balancing (NLB)

Network Load Balancing (NLB) technology distributes the network load for applications across multiple servers arranged in an NLB cluster. As the name implies, NLB is useful for large organizations that want to balance their network traffic across multiple servers, but it also allows applications to “scale out” when the demand increases. By adding more servers to the NLB cluster as the workload increases, administrators can guarantee availability and responsiveness for users of networked applications.

Like other features, NLB is not new to Server in 2008, but it has had a facelift and now includes the following improvements:

I. IPv6 Support

II. NDIS 6.0 driver with backwards compatibility

III. Support for multiple IP addresses per node enabling administrators to have multiple applications hosted on the same NLB cluster even when each application requires a dedicated IP address

• Distributed File System (DFS)

Another availability technology that is not new but has certainly been improved in Windows Server 2008 is the Distributed File System (DFS). DFS has been around for decades in both the UNIX and Microsoft worlds, and most administrators of complex networks with many resource servers are big fans of the concept. The problem has been that although we love the concept, Microsoft’s implementation of that concept has had issues that made it somewhat difficult to use for highly volatile shares. With Server 2008, many of those issues have either been resolved or made significantly better. Two major areas of improvement are the removal of the 5000 folder limitation and the use of a new replication algorithm. But first let’s talk about the benefits of DFS in general.

DFS allows administrators to create a transparent network namespace for their users, grafting together shared resources from many servers into a single logical structure. From the user’s perspective, a DFS namespace appears in their interface as a single file structure with a top level folder and subfolders with subfolders (if needed). Users access the namespace root share just as they would any other network share and, once there, they are able to connect to any of the resources in the structure (as long as they have appropriate permissions, of course). This eliminates the need for mapping drives to each shared resource. Now they can simply map a drive to the namespace root share.

Administrators can also reallocate resources on the fly. Let’s say, for example, that a server is reaching the end of its useful life and needs to be retired, but it is a file server and hosts gigabytes of user data from all over the company. Moving this data to another server might require e-mails to many users telling them the new drive mappings or new logon scripts to perform the mapping for users. With DFS, administrators can use the Distributed File System Manager console and specify the new file server as an additional target folder in the DFS namespace. Then, through the magic of DFS Replication (DFSR), the data on the existing server can be replicated to the new server automatically. Changes between the two data sources will be synchronized, and administrators can even control the replication topology, schedule, and bandwidth utilization of these replication cycles.

One of the major benefits of DFS for geographically dispersed organizations becomes apparent when using site aware clients (Windows 2000 Professional, Windows XP and Windows Vista). Imagine that you have a software installation server in New York and branch offices in Boston and Miami. With only one server, all your installations for all sites would come through the New York server. So…you create two more installation servers, one at each branch. Now we are getting local installations, but what if the Boston install server goes down? Where will those clients get their installs from? Well, if they are AD clients and you are using DFS for your install shares, they will look for the next closest site as defined in your Active Directory replication topology. In addition, what if you need to add patches or new software to the install share? Without DFS, you would have to add it three times, once on each distributed server. With DFS, add it to one server and it automatically replicates the changes to the others.

The mechanism that accomplishes that replication between alternate targets is one of the most meaningful improvements in the DFS architecture. NTFRS (used in Windows 2000 and Windows Server 2003 DFS implementations) has been replaced by DFSR in the new architecture. What makes this more efficient and network friendly is the fact that DFSR uses remote differential compression. This engine breaks files down into smaller chunks which are then tracked for changes. When the system detects a change to a data block, only those blocks that have changed are replicated among alternate targets. With NTFRS, the entire file was replicated no matter how small the change to the file.

• Virtualization

Administrators love virtualization—and they should. Virtualization allows administrators to consolidate multiple roles on underutilized hardware, isolate functions into individual virtual environments, perform testing in a safe environment and remove hardware compatibility issues from the environment.

Unfortunately, as of this writing, sources have indicated that native virtualization will not be deployed when Windows Server 2008 is released to manufacturing. The current estimate is that the VM components will be available as a download 180 days after Server’s RTM date. We can look at the proposed VMM architecture, but since the release of product may be up to nine months after the date of this writing, be aware that this scenario may change. For this reason, we will not go into a great deal of detail about the planned implementation of this technology. You can count on the fact that the planned architecture is a Type 1 hypervisor. Type 1 hypervisors are those that run directly on the system hardware and offer a higher level of virtualization efficiency and security.


Some of the important advancements (over their current Virtual Server and Virtual PC products) are:

• 64-bit operating system support for both host and guests

• 64-bit hypervisor requires VM-aware hardware, such as Intel’s VT and AMD-V processors

• Automatic Network Address Translation (NAT), firewall, and Network Access Protection (NAP)

• Dynamic hardware swapping

• Assignment of minimum and maximum allocations of RAM to ensure minimum performance and limit system hogs

• Adaptable network support, including VLANs, NAT and firewall configuration

• Virtualization can be managed through GPOs

• Security with support for hardware technologies such as DEP

• Multicore support for up to eight processors

• Virtual servers can be managed with Microsoft System Center Operations Manager (SCOM) and System Center Virtual Machine Manager (SCVMM)

• Native management tool will be MMC 3.0 based

• Disk Access—Guest OS can access local or SAN storage

• Support for PowerShell scripting

• Virtualization role available on Server Core installations

• Windows Management Instrumentation (WMI) support

• Windows Server Backup

Microsoft is the first to admit that Windows Server Backup is not an enterprise solution to the backup and restore problems of large organizations. This product is deliberately targeted at single-server backup in smaller organizations. Microsoft’s logic is that large organizations usually employ third-party solutions to manage their backup processes. However, in the right environment, administrators will see that the changes made to the Windows Server Backup component provide a backup and recovery solution that is much more flexible and useful for maintaining availability than any previous version of this tool.

The key technological difference is that the new system uses the Volume Shadow Copy (VSC) service to perform backups. This means that VSC takes a snapshot of the resource(s) being backed up and then creates the backup from the snapshot. The benefit of this is that a server can be fully backed up while it is running, since VSC does not require the system to be idle when the snapshot is made. In addition, only one full backup is made. After that, only incrementals are initiated, thereby saving time and disk storage space. Backups can be made of the entire system, individual volumes, or a particular folder or file.

When the time comes to restore from backup, the Windows recovery environment supports a full or partial restore. The machine can be booted from DVD, and a bare metal restore (BMR) can be done from the backup source—which can be any disk media or network resource. The only backup media not supported is tape.
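The snapshot-based backup and the version list used for restores can both be driven from the command line. The following script is an added example, not code from the white paper or from Microsoft: it calls wbadmin.exe, the command-line front end of Windows Server Backup in Windows Server 2008. It assumes the Windows Server Backup feature is installed, that E: is a disk dedicated to backups and C:\BackupLogs is a log folder (both constructed values), and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the white paper): Windows Server Backup via wbadmin.exe.
# Assumptions: Windows Server Backup feature installed, E: dedicated to backups (constructed),
# elevated PowerShell session on Windows Server 2008.

$BackupTarget = 'E:'            # constructed: dedicated backup volume
$LogDir       = 'C:\BackupLogs' # constructed: where wbadmin output is kept
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

function Start-CriticalVolumeBackup {
    # -allCritical selects every volume needed for a bare metal restore (system and boot
    # volumes plus any volume holding server-role data). VSS snapshots the volumes first, so
    # the server keeps serving clients while the copy is taken. -vssFull updates each file's
    # backup history; use -vssCopy instead when another backup product owns that history.
    $log = Join-Path $LogDir ("backup-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
    wbadmin start backup "-backupTarget:$BackupTarget" -allCritical -vssFull -quiet |
        Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) { Write-Warning "wbadmin exited with code $LASTEXITCODE; see $log" }
    return $LASTEXITCODE
}

function Get-BackupVersions {
    # Every version identifier printed here is a restore point: it is the value passed to
    # "wbadmin start recovery -version:<id>" or chosen during a bare metal restore from the
    # Windows Recovery Environment booted from DVD.
    wbadmin get versions "-backupTarget:$BackupTarget"
}

function Enable-NightlyBackup {
    # Scheduled backups in Windows Server 2008 go to a dedicated disk named by the disk ID that
    # "wbadmin get disks" prints; that disk is reformatted and hidden from Explorer, so choose it
    # deliberately. $DiskId is a placeholder copied from that output.
    param([string]$DiskId)
    wbadmin enable backup "-addtarget:$DiskId" "-schedule:22:00" "-include:C:" -quiet
}

Start-CriticalVolumeBackup
Get-BackupVersions
```

Run Start-CriticalVolumeBackup on a schedule and keep the logs: a non-zero wbadmin exit code, or a version list that stops growing, is the earliest sign that the restore you are counting on does not exist.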

• Restartable AD Services

In the past, certain AD functions, such as authoritative restores and offline defrags, required that the DC be rebooted (sometimes more than once) while these offline functions were performed. If the DC played multiple roles in the organization, such as DNS, DHCP and print server, all these roles were also unavailable while AD maintenance was being performed through multiple reboot cycles.

Now in Windows Server 2008, the Active Directory runs as a service, called Active Directory Directory Service (AD DS). As such, this service can be stopped and started like any other service on the machine through MMC snap-ins, command line or WMIC. This allows other services to continue to run and service clients while the AD DS undergoes maintenance.
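Stopping the directory service is an ordinary service-control operation, but it takes its dependent services down with it, so a maintenance script should record what stops and restart it afterwards. The following is an added example, not code from the white paper or from Microsoft. It assumes an elevated PowerShell session on a Windows Server 2008 domain controller; NTDS is the name AD DS has in the service control manager, and C:\NtdsCompact is a constructed path for the offline defragmentation output.

```powershell
# Added example (not from the white paper): stop AD DS (service name NTDS) for offline
# maintenance, restart it and its dependents afterwards even if the task fails.
# Assumptions: elevated session on a Windows Server 2008 DC; C:\NtdsCompact is a constructed path.

function Get-AdDsDependents {
    # Services the SCM will stop together with AD DS. On a typical DC these include the
    # Kerberos Key Distribution Center and, where installed, DNS Server; DHCP, print spooler
    # and other unrelated roles keep running while AD DS is down.
    (Get-Service -Name NTDS).DependentServices | Select-Object Name, DisplayName, Status
}

function Invoke-AdDsOfflineMaintenance {
    param([scriptblock]$Maintenance)

    # Remember which dependents were running so exactly that set is restarted afterwards.
    $wasRunning = @((Get-Service -Name NTDS).DependentServices |
        Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })
    Write-Host "Stopping with AD DS: $([string]::Join(', ', $wasRunning))"

    # -Force stops the dependents first; without it Stop-Service refuses while they run.
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus(
        [System.ServiceProcess.ServiceControllerStatus]::Stopped, [TimeSpan]::FromMinutes(5))

    try {
        & $Maintenance
    }
    finally {
        # AD DS first, then the dependents, whether or not the task threw.
        Start-Service -Name NTDS
        foreach ($name in $wasRunning) { Start-Service -Name $name -ErrorAction SilentlyContinue }
    }
}

Get-AdDsDependents | Format-Table -AutoSize

# Offline defragmentation: ntdsutil writes a compacted copy of ntds.dit to C:\NtdsCompact and
# prints the copy-back and log-cleanup steps; those are deliberately left to the administrator
# after checking the new file, so nothing here overwrites the live database.
Invoke-AdDsOfflineMaintenance -Maintenance {
    ntdsutil "activate instance ntds" files "compact to C:\NtdsCompact" quit quit
}
```

The try/finally is the important part: if the maintenance step fails, the DC still comes back up as a DC rather than staying a member server until someone notices.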


• Terminal Services

This is definitely one of those topics that could be a whole chapter in a Windows Server 2008 book, or maybe even a book topic of its own, because there is so much new functionality embedded in Windows Server 2008’s “Terminal Services”. We will cover the highlights of the major new components here, and then point you to some very good additional resources at the end of this paper.

– Terminal Services RemoteApp

Terminal Services RemoteApp is a new way of presenting terminal services applications to the end user in Windows Server 2008. In previous versions of Terminal Services, when the user connected to a session, the entire desktop on the remote machine was presented to the user by default. With RemoteApp, only the application is presented to the user. The remote application launches and runs on the user’s desktop just as a locally installed application does. Local drives and printers are automatically redirected, and the window the application runs in is resizable, just like any other program window would be. This improves the user experience by integrating the remote application seamlessly with their local desktop.

– Terminal Services Gateway

TS Gateway allows users to connect to terminal servers and remote desktop workstations that are behind the firewall without having to configure a VPN connection. The embedded security model is actually more secure than a standard VPN because users of TS Gateway are allowed access to a selected subset of servers and workstations instead of the entire network like a VPN would allow.

– Terminal Services Web Access

With TS Web Access, TS RemoteApp applications can be served to the user in a browser. The user can choose from a list of programs in their browser and, when they select an application, a TS session is started transparently on the terminal server hosting the application. For the administrator, Web Access has the same benefits as a regular terminal service application: applications are centrally managed and secured on the server. Software does not have to be maintained on the client workstations.

– Remote Desktop Connection 6.0

Users will employ Remote Desktop Connection 6.0 to connect to Terminal Services in Windows Server 2008. This version is included in Windows Server 2008 and Windows Vista. It is also available for Windows XP users and Windows Server 2003 users as a free download from Microsoft.

– Single Sign-On (SSO)

With SSO, domain users of Terminal Services can log on to a terminal session using their username and password or a smartcard. They need to do so only once. If they initiate another terminal service session, they are not asked for credentials again. This eliminates the need for the user to repeatedly enter their authentication information and, therefore, increases their satisfaction with the system.
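The RemoteApp, TS Gateway and Remote Desktop Connection 6.0 pieces above meet in a single .rdp file: it names the published application, routes the connection through the gateway and fixes the client-side security settings. The script below is an added example, not code from the white paper or from Microsoft; it writes such a file the way TS RemoteApp Manager’s “create .rdp file” task does. The .rdp setting names are standard Remote Desktop Connection 6.0 keys; the server and gateway names and the application alias are constructed placeholders.

```powershell
# Added example (not from the white paper): generate a RemoteApp .rdp file that connects
# through TS Gateway. Host names and the application alias are constructed placeholders;
# the keys are Remote Desktop Connection 6.0 .rdp settings.

function New-RemoteAppRdp {
    param(
        [string]$TerminalServer,   # internal name of the terminal server hosting the application
        [string]$Gateway,          # externally reachable TS Gateway FQDN
        [string]$AppAlias,         # alias under which the application is published on the terminal server
        [string]$AppName,          # friendly name shown in the client
        [string]$Path,             # where to write the .rdp file
        [switch]$RedirectDrives    # opt in to local drive redirection (the RemoteApp default is all drives)
    )

    $drives = ''
    if ($RedirectDrives) { $drives = '*' }

    $lines = @(
        "full address:s:$TerminalServer",
        "remoteapplicationmode:i:1",               # show only the application window, not a desktop
        "remoteapplicationprogram:s:||$AppAlias",  # '||' marks a published alias rather than a file path
        "remoteapplicationname:s:$AppName",
        "alternate shell:s:rdpinit.exe",           # RemoteApp session launcher on Windows Server 2008
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",                  # 1 = always connect through the TS Gateway
        "gatewaycredentialssource:i:0",            # 0 = password (NTLM); 1 = smart card
        "gatewayprofileusagemethod:i:1",           # use the explicit gateway settings above
        "authentication level:i:1",                # 1 = fail the connection if server authentication fails
        "enablecredsspsupport:i:1",                # CredSSP: Network Level Authentication and SSO
        "drivestoredirect:s:$drives",
        "redirectprinters:i:1",
        "redirectclipboard:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    Get-Item $Path
}

New-RemoteAppRdp -TerminalServer 'ts01.corp.example' -Gateway 'gateway.example.com' `
    -AppAlias 'WordPad' -AppName 'WordPad' -Path "$env:USERPROFILE\Desktop\WordPad.rdp"
```

Two settings deserve attention when such files are handed to users: authentication level 1 refuses a connection to a server that cannot prove its identity (the gateway is reached over HTTPS, so its certificate must chain to a CA the client trusts), and drive redirection is left off unless the application needs it, because every redirected drive is reachable from the session.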

V. Manageability

One of the administrative trends Microsoft has been implementing in phases over the past several years is role-based administration of servers. The idea is that a server has roles to play, such as the DNS server, file server, DFS server, Web server or domain controller. Each of these roles requires certain services to be running, perhaps ports to be opened, and security to be configured. In Windows Server 2008, role-based administration has come of age. When a system is first installed, the server’s roles and features need to be installed and configured. This can be done by using the Initial Configuration Tool (ICT), which appears on the first boot of a newly installed server, or through a new console called Server Manager. No matter which tool you use, the system automatically installs and configures needed services, opens required ports and configures security settings for you. In addition to this role/feature configuration task, Server Manager is the central administrative console for many server management jobs, so we’ll take a deeper look at that new tool.

• Server Manager

Server Manager is a new MMC console that gives the administrator a one-stop tool for managing a server. In addition to the role and feature installation and configuration tasks mentioned above, Server Manager can be used to remove roles and features. Once you install a role or feature, the Server Manager interface automatically adds the management snap-ins for that role or feature.


As you can see in Figure 1 above, there is a lot more to Server Manager than just configuring roles. If you look closely at the expanded tree pane, you can see that this is where you will access the Event logs, use Windows System Resource Manager, perform backups, create performance and reliability reports, configure scheduled tasks, manage Windows Firewall…the list goes on and on. As I’ve said before, one stop shopping for the administrator!

At the time of this writing, Server Manager cannot be used remotely, and neither can its command-line counterpart, servermanagercmd.exe. In order to use Server Manager on a remote machine, you must use the Remote Desktop client to connect to the server you want to administer, then launch a local instance of the Server Manager program once you are connected to the remote server.

If you are unable to use Remote Desktop for some reason, you can still perform remote management of many installed server roles by employing the Remote Server Administration Tools (RSAT) from another server—or in the future (after Vista SP1 is released) from a Vista workstation. RSAT is the adminpak.msi for the next generation of operating systems. RSAT is a feature that can be installed on Windows Server 2008, but the current version will not work with Windows Vista or XP. Using the RSAT is one of the recommended approaches to easily manage a remote Server Core machine.
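Both the role installation described under Server Manager and the RSAT feature just mentioned can be handled with servermanagercmd.exe, which is what a Server Core box or an unattended build would use. The script below is an added example, not code from the white paper or from Microsoft. It assumes an elevated PowerShell session on Windows Server 2008; the identifiers it passes (RSAT-ADDS, RSAT-DNS-Server) are the feature IDs that servermanagercmd -query prints, and C:\ServerManagerLogs is a constructed path.

```powershell
# Added example (not from the white paper): roles and features from the command line with
# servermanagercmd.exe. Assumes an elevated session on Windows Server 2008; log path is constructed.

function Get-InstalledRolesAndFeatures {
    # -query lists every role, role service and feature and marks installed ones "[X]".
    servermanagercmd.exe -query | Where-Object { $_ -match '^\s*\[X\]' }
}

function Install-RoleWithReview {
    param(
        [string]$Id,                                            # role/feature ID from -query, e.g. RSAT-ADDS
        [string]$LogPath = 'C:\ServerManagerLogs\install.log'   # constructed
    )
    $dir = Split-Path $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Dry run first: -whatIf prints the role services and dependent features that would be
    # added (each of which may open ports and start services) without changing the server.
    servermanagercmd.exe -install $Id -whatIf

    $answer = Read-Host "Install $Id exactly as listed above? (y/n)"
    if ($answer -eq 'y') {
        servermanagercmd.exe -install $Id -logPath $LogPath
        # Documented return codes: 0 = success, 3010 = success but a restart is required.
        Write-Host "servermanagercmd exit code: $LASTEXITCODE"
        return $LASTEXITCODE
    }
}

Get-InstalledRolesAndFeatures
Install-RoleWithReview -Id 'RSAT-ADDS'
Install-RoleWithReview -Id 'RSAT-DNS-Server'
```

Keeping the -whatIf output beside the install log gives you a record of which dependent components (and therefore which listening services) each role pulled onto the server, which is the inventory you need later when hardening or decommissioning it.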


Figure 1


• PowerShell

PowerShell is an interactive command-line shell with an embedded administrative scripting language that employs consistent syntax and utilities. PowerShell lets administrators automate repetitive tasks and doesn’t require a college degree in programming to learn and use effectively. One of the secrets to this low learning curve is the use of more than 130 standard command-line tools, called cmdlets, that address common administrative tasks such as managing services, logs, processes and more. On a surprising note, PowerShell does not require migration of your existing scripts. PowerShell can understand and use data from all Microsoft administrative data access technologies, such as WMI, ADSI, XML, ADO, HTML and COM.
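The combination the paragraph describes (cmdlets for services and logs, plus WMI and ADSI for data the cmdlets do not cover) is easiest to see in a small audit script. The following is an added example, not code from the white paper or from Microsoft; it uses only cmdlets and .NET classes present in PowerShell 1.0 and assumes it runs as a domain user on a Windows Server 2008 machine that can reach a domain controller over LDAP.

```powershell
# Added example (not from the white paper): a service, account and logon audit built from
# cmdlets, WMI and ADSI. Assumes PowerShell 1.0 on Windows Server 2008 with LDAP access to a DC.

# 1. Services via WMI: automatic-start services that are not running. A stopped monitoring
#    agent or backup service is a silent gap until someone looks.
function Get-StoppedAutoServices {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, StartName, State
}

# 2. Accounts via ADSI: user objects whose password never expires. Bit 0x10000 (65536) of
#    userAccountControl, matched with the LDAP bitwise-AND rule 1.2.840.113556.1.4.803.
function Get-PasswordNeverExpiresUsers {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
    $searcher.PageSize = 1000   # paged results, so large domains do not hit the server-side limit
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Account ([string]$result.Properties['samaccountname'][0])
        $row | Add-Member NoteProperty DN      ([string]$result.Properties['distinguishedname'][0])
        $row
    }
}

# 3. Logs via a cmdlet: recent failed logons. Windows Server 2008 records these as Security
#    event 4625; -Newest bounds how far back the scan goes.
function Get-RecentFailedLogons {
    param([int]$Hours = 24, [int]$Newest = 5000)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 4625 -and $_.TimeGenerated -gt $since } |
        Select-Object TimeGenerated, EventID, Message
}

Get-StoppedAutoServices      | Format-Table -AutoSize
Get-PasswordNeverExpiresUsers | Format-Table -AutoSize
Get-RecentFailedLogons       | Select-Object -First 20
```

Each function returns objects rather than text, which is the point the paragraph makes about consistent syntax: the same Where-Object and Format-Table work on WMI rows, directory search results and event log entries alike.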

• Windows Deployment Services (WDS)

Windows Deployment Services (WDS) is the new and improved version of the Remote Installation Services (RIS) that came with Windows Server 2000 and 2003. WDS, like RIS, allows you to boot a client machine to the network, retrieve a boot image and then install an operating system on that machine—all without you having to be present at the client.

If you weren’t a big fan of RIS, you may want to take some time to re-evaluate this generation of WDS. This implementation overcomes several of the common complaints about the RIS architecture. For example, WDS supports multicasting. Not only can it multicast, but a client can join a multicast deployment that is already in progress and not lose any data. Next, in order to quiet the ACKs down on the network from the use of connectionless UDP, TFTP windowing is in place. WDS also supports network boots of x64-based computers with the Extensible Firmware Interface (EFI). The client uses the Windows PE (Pre-installation Environment) system to boot the machine, which gives us an environment with much more functionality than before. WDS supports WIM images. And finally, as you will see in the next section, some of the burdensome architectural elements needed for RIS to work are no longer required for WDS.

Like many technologies, WDS has server-side as well as client components. On the server side, you need a PXE server to answer client requests for boot images, as well as a TFTP server. You will need a shared folder for your image repository. The image repository holds your boot images, installation images, and the files required for network boots. There is also a server multicast component and a diagnostics module for enhanced logging. Finally, there is a set of management tools for administering images, the WDS server and client computer accounts. For those of you familiar with RIS, notice that I did not mention the Active Directory. No, I didn’t forget. This generation of deployment technology doesn’t require the AD. You have to install Transport Server to make it work, but it can be done. On the client, there will be a GUI that runs on the Windows PE. The GUI is used to select and install the client image.

• Log and Event Consolidation

This was mentioned a little earlier in our paper, but from the manageability standpoint, I think it is important enough to be given a section of its own. In Windows Server 2008, you can now combine and track events from several log sources even if the logs are on multiple physical systems. This greatly reduces the hassle historically associated with trying to monitor events on multiple geographically separated machines. Through the use of subscriptions, events can be consolidated into one management interface such as Event Viewer, or third-party tools can be utilized to see the events.
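A subscription is an XML document registered with the Windows Event Collector service; the script below builds one that pulls a handful of security-relevant events from several servers into the collector’s ForwardedEvents log. It is an added example, not code from the white paper or from Microsoft. It assumes an elevated PowerShell session on a Windows Server 2008 collector in the same domain as the sources; the source computer names are constructed, the event IDs are the Windows Server 2008 Security log IDs named in the comments, and the XML schema and wecutil.exe verbs are those of Windows Server 2008.

```powershell
# Added example (not from the white paper): collector-initiated event subscription via wecutil.exe.
# Assumes an elevated session on a Windows Server 2008 collector; source names are constructed.

$Sources = @('FS01.corp.example', 'DC01.corp.example')   # constructed source computers

# Preparation on EACH source (run there once, shown as comments):
#   winrm quickconfig                                         # WinRM listener + firewall exception
#   net localgroup "Event Log Readers" "CORP\COLLECTOR01$" /add   # let the collector's machine account read Security
# (Security log access is the step most often missed; without it only non-Security channels forward.)

# Collector: make sure the Windows Event Collector service is configured and running.
wecutil qc /q

# Events worth consolidating for a defender: 4625 failed logon, 4720 user account created,
# 1102 audit log cleared.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625 or EventID=4720 or EventID=1102)]]</Select>
  </Query>
</QueryList>
"@

$sourceXml = @()
foreach ($s in $Sources) {
    $sourceXml += "    <EventSource Enabled=`"true`"><Address>$s</Address></EventSource>"
}
$sourceXml = [string]::Join("`r`n", $sourceXml)

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEventsFromServers</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons, account creation and audit-log clearing from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$file = Join-Path $env:TEMP 'SecurityEventsFromServers.xml'
Set-Content -Path $file -Value $subscription -Encoding UTF8

# Register the subscription, then show per-source runtime status (last heartbeat, errors).
wecutil cs $file
wecutil gr SecurityEventsFromServers
```

After registration, wecutil gr is the check to repeat: a source listed as inactive or with an access-denied error means that machine’s events are not arriving, and a gap in forwarding is exactly what an audit-log clearing (event 1102) would look like from the collector’s side.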

VI. Conclusion

Windows Server 2008 is a powerful base to build your enterprise architecture on. Many of the new components are going to simplify management and lead to less downtime for your organization’s server architecture. But, now that you have seen just some of the more important improvements for Windows Server 2008, I think you can agree that there is a lot to learn as you move into this new environment. Although this article is a good start to your education, and a good product overview, you will need a deeper level of detail to successfully implement these new features. The following page lists books and Web sites that you can use to increase the depth of your knowledge.


Books:

Introducing Windows Server 2008 by Mitch Tulloch with the Microsoft Windows Server Team (ISBN: 9780735624214), Publisher: Microsoft Press.

Microsoft Windows PowerShell Step by Step by Ed Wilson (ISBN: 9780735623958), Publisher: Microsoft Press.

Web Sites:

Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008: http://go.microsoft.com/fwlink/?LinkID=90854

Windows Server 2008 TechNet Webcasts, Virtual Labs, Podcasts & Chats: http://go.microsoft.com/fwlink/?LinkID=90855

Windows Server 2008 Step-by-Step Guides (15 downloadable documents—varied topics): http://go.microsoft.com/fwlink/?LinkID=90856

Windows Server 2008 TechCenter: http://go.microsoft.com/fwlink/?LinkID=86041

Windows Server 2008 Troubleshooting: http://go.microsoft.com/fwlink/?LinkID=90857

Windows PowerShell: http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Microsoft Script Center Repository: Sample PowerShell Scripts: http://www.microsoft.com/technet/scriptcenter/scripts/msh/default.mspx?mfr=true

Microsoft System Center: http://www.microsoft.com/systemcenter/


About Learning Tree International

Learning Tree International is a leading worldwide provider of vendor-independent training to managers and IT professionals in business and government organizations. Since 1974, over 1,800,000 course participants from over 13,000 organizations worldwide have enhanced their skills and extended their knowledge under the guidance of expert instructors with real-world experience. Learning Tree develops, markets and delivers a broad, proprietary library of instructor-led courses focused on the latest information technologies, management practices and key business skills.

Learning Tree International annually trains over 87,000 professionals in its Education Centers around the world. Learning Tree also provides training in a number of additional cities and on site at customer locations in 26 countries. For more information about Learning Tree products and services, call 1-800-THE-TREE (1-800-843-8733), or visit our Web site at www.learningtree.ca

About the Author

Lori M. Sanders
Managing Senior Partner
iSolve Consulting Group
[email protected]

Lori Sanders is the head of iSolve Consulting Group, an independent firm offering project management and consulting services in Windows server-based network solutions, Active Directory planning, implementation and integration, group policy consulting and technical and process-oriented consulting in software engineering and configuration management.

Lori has 27 years of experience in the IT field and has supported Microsoft products since DOS 1.0. Her responsibilities have included desktop support, server administration, project management and technical management. Lori is also an instructor, author and technical editor for Learning Tree as well as a Certified Professional for both Windows Server 2000 and 2003.

Lori has written a book on group policies and desktop management, published by New Riders: Windows 2000 User Management, ©2000.
