Windows Server 2008 – An Introductory Overview
Lori M. Sanders
Managing Senior Partner, iSolve Consulting Group
1-800-843-8733 • www.learningtree.ca
Table of Contents

I. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
II. Windows Server 2008 Family . . . . . . . . . . . . . . . . . . . 2
III. Security Enhancements . . . . . . . . . . . . . . . . . . . . . . 2
   • Identity and Access Control in 2008 . . . . . . . . . . . . . . 2
     – Active Directory Federation Services (ADFS) . . . . . . . . . 2
     – Active Directory Rights Management Services (AD RMS) . . . . 3
   • Network Access Protection (NAP) . . . . . . . . . . . . . . . . 3
   • BitLocker Drive Encryption . . . . . . . . . . . . . . . . . . . 4
   • Windows Server Core Deployments . . . . . . . . . . . . . . . . 4
   • Read-Only Domain Controllers (RODC) . . . . . . . . . . . . . . 5
   • Domain Password Policy Changes . . . . . . . . . . . . . . . . . 5
   • Auditing Enhancements . . . . . . . . . . . . . . . . . . . . . 5
IV. Maintaining High Availability . . . . . . . . . . . . . . . . . . 5
   • Failover Clusters . . . . . . . . . . . . . . . . . . . . . . . 5
   • Network Load Balancing (NLB) . . . . . . . . . . . . . . . . . . 6
   • Distributed File System (DFS) . . . . . . . . . . . . . . . . . 6
   • Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . 7
   • Windows Server Backup . . . . . . . . . . . . . . . . . . . . . 8
   • Restartable AD Services . . . . . . . . . . . . . . . . . . . . 8
   • Terminal Services . . . . . . . . . . . . . . . . . . . . . . . 9
V. Manageability . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
   • Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . 9
   • PowerShell . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   • Windows Deployment Services (WDS) . . . . . . . . . . . . . . . 11
   • Log and Event Consolidation . . . . . . . . . . . . . . . . . . 11
VI. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Books and Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . 12
About Learning Tree International . . . . . . . . . . . . . . . . . . 13
About the Author . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

I. Introduction

As the world awaits the launch of another Microsoft operating system, administrators, managers and professionals are asking, "Do we really need it?"

The answer to that question is: it depends on your organization's needs and goals. One way to determine whether Windows Server 2008 is worth spending time, energy and corporate budget on is to learn what the new operating system can do for you. There are many interesting things to talk about in this product, and the purpose of this White Paper is to give you an overview of the most important new or improved features. When you finish reading the Paper, you will have a good idea of what Windows Server 2008 offers and how it can be used in your organization. You will also find additional resources and Web links at the end.

As a longtime server administrator, I see three areas of functional improvement in Windows Server 2008: security, manageability and availability. Although some of the new tools and capabilities offer benefits in more than one area, I will frame them within the context of these three boundaries.

Many of the components we will cover in the next pages are new to the product line; others first became available in Windows Server 2003 R2. Some are simply refinements and rebranding of existing Windows 2000, Windows Server 2003 or Windows Vista capabilities. In all cases, though, I think you will find this generation of Microsoft Server easier to deploy, manage and maintain than any of its predecessors. So let's get started!
© 2007 Learning Tree International. All Rights Reserved
Learning Tree International White Paper: Windows Server 2008 – An Introductory Overview
is included in the trust model; however, if I employ ADFS, I can specify a trusted subset of individuals in that remote domain who will be allowed access inside my perimeter. In addition, using policies, I can set up additional conditions and rules for this federated trust.

– Active Directory Rights Management Services (AD RMS)

A second server role employed to protect information is AD RMS. This is Windows Server 2003 Rights Management Services, rebranded and improved. AD RMS is a technology aimed at controlling data access rather than user identity. To use AD RMS, you must install the server role, which handles certificates and licensing, and you must deploy AD RMS clients as well as a database server. Currently, only Vista has a native AD RMS client. Once in place, data authors set persistent usage rules on information and data sources that remain attached to the data no matter where it is moved, both inside and outside the organization.

This technology augments traditional Access Control List (ACL) protection by allowing usage restrictions such as "read only, no printing" to be configured on a resource and enforced even when the document is e-mailed to recipients outside the organization. An ACL is enforced by the server that holds the file; an AD RMS restriction travels with the file and is enforced by the application that opens it, which is why applications, including custom and third-party ones, must be AD RMS enabled. Once they are, any document, drawing, e-mail or other product of the application can carry AD RMS protection embedded in the information. Developers can create customized AD RMS applications using the AD RMS software development kit.

• Network Access Protection (NAP)

How secure is your server? The answer really is: only as secure as your network clients. For example, what if a client machine isn't running a virus scanner? Do you want to allow such a highly vulnerable laptop to communicate with your corporate servers and pass on a virus or spyware? To combat this problem, Windows Server 2008 now offers Network Access Protection (NAP). NAP allows administrators to specify base "health" requirements, such as minimum software requirements, security update levels and other security settings, that must be met before a client is allowed full access to the corporate network. These NAP policies allow administrators to control, and even quarantine, machines that don't meet the minimum requirements for the network. Non-compliant clients can be denied access to the network or directed to a remediation server's network for immediate repair.

There are five enforcement mechanisms for NAP:
• DHCP
• IPsec
• VPN
• 802.1X
• TS Gateway

These mechanisms are not equally strong. DHCP enforcement only hands a non-compliant client a restricted lease and is defeated by configuring a static address, whereas IPsec and 802.1X enforcement control connectivity at the host and the switch port; choose one of those when NAP is meant to keep out a deliberately non-compliant machine rather than merely nudge an out-of-date one.

NAP requires components on both network clients and servers. The server components consist of the Network Policy Server (NPS), the System Health Validators (SHVs) and the Quarantine Server (QS). The NPS is the heart of the system, where administrators create policies that specify the organization's health requirements for full network participation by clients. When a client attempts to access the network, the SHVs determine whether it meets the basic requirements specified in the policies. If a client is found non-compliant, it is sent to a remediation network where the remediation servers (update and antivirus servers reachable from that restricted network) bring it into compliance, after which it is allowed full network access. The actual process differs based on which enforcement methods are used and what exceptions have been created for machines that are not NAP-client enabled or need to be exempted from NAP screening.

For a machine to be screened by NAP, it must have a NAP client installed. Currently, the only embedded NAP clients are in Windows Vista and Windows Server 2008. Microsoft is developing a NAP client for XP and expects to release it at about the same time as Windows Server 2008 RTM. The NAP client consists of three layers: the System Health Agents (SHAs), the Quarantine Agent (QA, which ships as the Network Access Protection Agent service) and the Enforcement Clients (ECs). SHAs check for compliance with a particular requirement, such as a particular patch or a certain level of AV software. A client may have multiple SHAs present, as each one is directed at a particular health requirement. The QA takes the status from the SHAs and compiles them into a statement of health, which it forwards to the EC. The EC passes that statement to the enforcement point, which relays it to the NPS for evaluation by the SHVs, and then applies whatever the NPS decides: full access, or restricted access until the client is remediated. There are embedded ECs for each of the enforcement mechanisms mentioned earlier, and ISVs are being encouraged to come up with their own custom ECs for installation.
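The client-side procedure that follows is an added example, not code from the white paper, for bringing up and checking the NAP client the section describes on a Windows Vista or Windows Server 2008 machine. It assumes an elevated command prompt and DHCP enforcement; the enforcement-client IDs come from the `netsh nap client` context, and everything else (service names, the NPS command at the end) is standard Windows tooling.

```batch
@echo off
rem Added example (not from the white paper): enable and check the NAP client on Vista /
rem Server 2008, then check the matching NPS side. Assumes an elevated prompt and DHCP
rem enforcement. Enforcement client IDs used by "netsh nap client": 79617 = DHCP,
rem 79618 = Remote Access (VPN), 79619 = IPsec Relying Party, 79621 = TS Gateway,
rem 79623 = EAP (802.1X).

rem 1. The NAP Agent service (the paper's "Quarantine Agent") is disabled by default.
sc config napagent start= auto
sc start napagent

rem 2. Enable the enforcement client that matches the enforcement point on the network.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

rem 3. Which ECs are enabled, which SHAs are present, and whether this client is
rem    currently in the restricted network.
netsh nap client show state
netsh nap client show configuration

rem 4. On a domain member whose NAP settings come from Group Policy the local settings
rem    above are ignored; this shows the policy-delivered configuration instead.
netsh nap client show grouppolicy

rem 5. Client-side tracing while troubleshooting a client stuck in quarantine
rem    (logs under %SystemRoot%\tracing\nap); disable it again afterwards.
netsh nap client set tracing state = enable level = verbose
rem netsh nap client set tracing state = disable

rem 6. On the NPS server: dump the health and network policies the client's statement
rem    of health is evaluated against.
rem netsh nps show config
```

Two checks worth making before blaming NPS when a client reports "restricted": `show state` must list the enforcement client as enabled and the NAP Agent as running, and on domain-joined clients the Windows Security Health Agent only reports firewall, antivirus and update status when the Group Policy setting "Turn on Security Center (Domain PCs only)" is enabled, otherwise every such client fails the health check.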
• BitLocker Drive Encryption

Unlike file encryption (EFS), which can be used to encrypt folders and files, BitLocker encrypts the entire volume, including the page file and the hibernation file. This technology foils the data thief who tries to boot the computer into an alternate operating system where NTFS permissions would not be enforced, use other tools to read the drive's information, or otherwise access the data offline. BitLocker can be of value to organizations that are concerned about the security of their data traveling outside the company on laptops, and to any organization required to maintain higher than usual data security due to regulatory requirements such as HIPAA or Sarbanes-Oxley compliance. It is especially useful in the server environment when servers are located outside the server room or in some unsecured location such as a branch office. Keep in mind that BitLocker protects data only while the machine is off or the volume is locked: once the operating system has booted and unlocked the volume, every process on the system reads it in the clear, so it is no defense against malware or an attacker who is already logged on.

Although BitLocker first became available with certain versions of Windows Vista, the Windows Server 2008 implementation has a few key improvements that make it more usable in a server environment. First, the technology has been extended to cover any locally created internal volume on the machine, not just the operating system volume. These non-bootable volumes are referred to as data volumes. Second, security has been improved by adding a new multifactor authentication mechanism that combines the TPM-protected key with a startup key stored on a USB device and a user-chosen PIN, all of which must be present before access is granted to the volume. Finally, support for the Extensible Firmware Interface (EFI) has been included.

• Windows Server Core Deployments

When you install Windows Server 2008, you will see that you have a new installation alternative called Server Core. Choosing this option means that only the absolutely essential OS components are deployed to the machine. Elements that are considered extraneous are not installed. The most obvious missing feature is the GUI. That's right: Server Core is primarily a command-line-driven administrative interface. There are a few GUI-like tools that you can use (such as Task Manager, regedit.exe and Notepad) but, overall, the tools you are used to seeing in Windows are gone: no Server Manager, no Taskbar, no Start Menu, no Windows Explorer.

The question is, why did Microsoft include this installation option? What do you gain from doing a core-only install? There are several answers, but probably the most important is increased security. By reducing the components installed and the services that are running, Microsoft has automatically reduced the attack surface of your server. There aren't as many security holes to exploit because the elements that would allow attacks simply aren't in place. Of course, the core architectural components of the OS are still there: the kernel, the Hardware Abstraction Layer (HAL) and drivers.

Beyond the security improvement, the Server Core install also gives the benefits of a smaller system footprint, reduced administration and a decreased need for software patching, because there are fewer OS components to install, configure or patch. Of course, given the command-line interface, strong experience in commands and scripting will be an important skill for Server Core administrators.

When you perform a Server Core install, you lose the ability to install some of the roles and features available with a full installation. And naturally, the roles and features you choose to install must be managed from the command line. On a full installation that command line is ServerManagerCmd.exe, the command-line version of Server Manager; Server Core does not include the .NET Framework that ServerManagerCmd.exe needs, so there the roles and features are listed with oclist.exe and installed with ocsetup.exe.

The following server roles and features are available on a Server Core machine:

Server Roles Available                             Features Available
Active Directory Domain Services                   Failover Clustering
Active Directory Lightweight Directory Services    Multipath I/O
DHCP Server                                        Network Load Balancing
DNS Server                                         Quality of Service
File Services (including NFS and DFSR)             Removable Storage Management
Print Services                                     SNMP Services
Streaming Media Services                           Subsystem for UNIX-based Applications
IIS 7.0 *                                          Telnet Client
                                                   Windows BitLocker Drive Encryption
                                                   Windows Server Backup
                                                   WINS Server
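As an added example for the BitLocker section above (not code from the white paper), here is the sequence for turning BitLocker on from the command line on a Windows Server 2008 machine and verifying the result. On Vista and Server 2008 the tool is the script manage-bde.wsf run under cscript (the manage-bde.exe binary arrived later). Assumptions: an elevated prompt, a TPM 1.2 enabled in firmware, C: as the operating system volume, D: as a data volume, F: as a USB stick for the startup key, and the separate unencrypted system partition BitLocker requires already present; the switch names are written from the manage-bde reference and the feature ID from Server Manager, so confirm both on your build with `cscript manage-bde.wsf -on -?` and `ServerManagerCmd -query` before relying on them.

```batch
@echo off
rem Added example (not from the white paper): BitLocker on Windows Server 2008 from the
rem command line. Assumes elevated prompt, TPM 1.2, C: = OS volume, D: = data volume,
rem F: = USB stick for the startup key. Switch names per the manage-bde reference;
rem check them with "cscript manage-bde.wsf -on -?" on the actual build.
set MBDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf

rem 1. Install the feature (full installation). On Server Core: start /w ocsetup BitLocker
ServerManagerCmd -install BitLocker -restart

rem --- after the reboot ---

rem 2. Take ownership of the TPM so the volume key can be sealed to it. TpmOwnerPassphrase
rem    is a placeholder; use a real one and escrow it, it is needed to clear the TPM later.
%MBDE% -tpm -TurnOn
%MBDE% -tpm -TakeOwnership TpmOwnerPassphrase

rem 3. Operating system volume: TPM + PIN + USB startup key (the multifactor option the
rem    paper describes; the PIN is prompted for) plus a 48-digit recovery password that is
rem    printed once. Store the recovery password off the machine. A hardware-test reboot
rem    follows and encryption of C: then runs in the background.
%MBDE% -on C: -RecoveryPassword -TPMAndPINAndStartupKey F:\

rem 4. Data volume: recovery password protector, then let the now-protected OS volume
rem    unlock it at boot so services that depend on D: start without manual intervention.
%MBDE% -on D: -RecoveryPassword
%MBDE% -autounlock -enable D:

rem 5. Checks: encryption progress, and which key protectors guard each volume. A volume
rem    whose only protector is a recovery password is protected only as well as that
rem    password is, so confirm the TPM/PIN/startup key protector is listed for C:.
%MBDE% -status
%MBDE% -protectors -get C:
%MBDE% -protectors -get D:
```

The auto-unlock step is the one that makes BitLocker workable on an unattended branch-office server: the data volume's key is stored, itself encrypted, on the operating system volume, so D: is only ever unlocked on a machine that already passed the TPM, PIN and startup-key check. Backing the recovery passwords up to Active Directory is done through Group Policy rather than from this script.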
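The following is an added example for the Server Core section above, not code from the white paper: the first-boot configuration of a Windows Server 2008 Server Core machine and the installation of roles with the tools Server Core actually ships (there is no Server Manager, no PowerShell and no .NET Framework on it, so everything is cmd.exe and scripts). CORE-DC1, corp.example, the IP addresses, the interface name and the join account are placeholders.

```batch
@echo off
rem Added example (not from the white paper): first-boot setup of a Server 2008 Server Core
rem box and role installation with oclist/ocsetup. Names and addresses are placeholders.

rem 1. Identity and network. Find the interface name first with:
rem    netsh interface ipv4 show interfaces
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.10 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 set dnsserver name="Local Area Connection" static 10.0.0.5 primary
netdom renamecomputer %COMPUTERNAME% /newname:CORE-DC1 /force /reboot:5

rem --- after the reboot ---

rem 2. Join the domain (the * makes netdom prompt for the password instead of logging it
rem    in the command history), then reboot again.
netdom join %COMPUTERNAME% /domain:corp.example /userd:corp\svc-join /passwordd:* /reboot:5

rem --- after the reboot ---

rem 3. Settings that Server Manager would normally make are done with scregedit.wsf:
rem    /ar 0 enables Remote Desktop, /au 4 sets Automatic Updates to install automatically.
cscript %SystemRoot%\System32\scregedit.wsf /ar 0
cscript %SystemRoot%\System32\scregedit.wsf /au 4

rem 4. Keep the firewall on and open only the rule groups the remote MMC/RSAT tools need.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

rem 5. Command-line management over WinRM, so that from another machine you can run
rem    winrs -r:CORE-DC1 oclist   without a Remote Desktop session.
winrm quickconfig -q

rem 6. Roles and features: list, install, verify. ocsetup returns immediately unless
rem    started with /w, and component names are case sensitive.
oclist
start /w ocsetup DNS-Server-Core-Role
start /w ocsetup DHCPServerCore
start /w ocsetup WindowsServerBackup
rem    The DHCP Server service is installed disabled; enable and start it explicitly.
sc config dhcpserver start= auto
net start dhcpserver
oclist | findstr /v /c:"Not Installed"

rem 7. The attack-surface claim is testable: what is listening and what is running.
netstat -ano -p tcp | findstr LISTENING
sc query state= all | findstr /i "SERVICE_NAME STATE"
```

Step 7 is the check to keep running after every role you add: each role brings its own listening ports and services, so the attack-surface benefit of Server Core is only as good as the restraint shown in step 6.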
the Cluster Validation Wizard, which lets administrators test node compatibility, check network configuration for the proposed cluster, and make sure that the storage access requirements are met for all the nodes in the cluster. Once set up, cluster management is simplified through a new administrative interface.

Additional clustering improvements include support for GUID Partition Table (GPT) disks, which keep a redundant copy of the partition table, support for large partitions and more partitions per disk. A new quorum model, called the majority quorum model, puts you in control of the quorum configuration. You can configure your cluster to use the traditional shared quorum device or majority node models, or create a hybrid model. In the new model, even a simple two-node cluster can survive the loss of the quorum resource disk. Other important new storage features include the ability to use a file share (rather than a whole disk) as the witness resource, the capacity to add additional resources to the quorum while the cluster is running, SAN support, and storage connections that support SCSI-3 persistent reservations (Fibre Channel, iSCSI and SAS).

Improvements in the networking model for clusters include support for IPv6, removal of legacy dependencies on NetBIOS, DHCP support, and the ability to have cluster nodes exist on different logical IP subnets. The most important of these, especially to large, geographically distributed organizations, is the last. This change allows an enterprise to implement GeoClusters (Geographically Dispersed Clusters) without the stretched VLAN that earlier generations of Microsoft clustering required. To complement this change, cluster heartbeat timeouts are now configurable.

As with other components, Microsoft's focus in 2008 is to simplify the management of servers. In clustering, we see this focus come to life with the addition of the new Failover Cluster Management interface, an MMC 3.0 console that lets administrators validate, create and manage clusters through a series of three-step wizards.

• Network Load Balancing (NLB)

Network Load Balancing (NLB) technology distributes the network load for applications across multiple servers arranged in an NLB cluster. As the name implies, NLB is useful for large organizations that want to balance their network traffic across multiple servers, but it also allows applications to "scale out" when demand increases. By adding more servers to the NLB cluster as the workload increases, administrators can maintain availability and responsiveness for users of networked applications.

Like other features, NLB is not new in Windows Server 2008, but it has had a facelift and now includes the following improvements:
I. IPv6 support
II. NDIS 6.0 driver with backwards compatibility
III. Support for multiple IP addresses per node, enabling administrators to host multiple applications on the same NLB cluster even when each application requires a dedicated IP address

• Distributed File System (DFS)

Another availability technology that is not new but has certainly been improved in Windows Server 2008 is the Distributed File System (DFS). DFS has been around for decades in both the UNIX and Microsoft worlds, and most administrators of complex networks with many resource servers are big fans of the concept. The problem has been that although we love the concept, Microsoft's implementation of it has had issues that made it somewhat difficult to use for highly volatile shares. With Server 2008, many of those issues have either been resolved or made significantly better. Two major areas of improvement are the removal of the 5,000-folder limitation on domain-based namespaces and the use of a new replication engine. But first let's talk about the benefits of DFS in general.

DFS allows administrators to create a transparent network namespace for their users, grafting together shared resources from many servers into a single logical structure. From the user's perspective, a DFS namespace appears as a single file structure with a top-level folder and subfolders (with further subfolders if needed). Users access the namespace root share just as they would any other network share and, once there, they are able to connect to any of the resources in the structure (as long as they have appropriate permissions, of course). This eliminates the need to map a drive to each shared resource; users can simply map a drive to the namespace root share. The namespace only redirects the client, though: access to a folder target is still governed by the share and NTFS permissions on the server that hosts it, so those must be kept identical across every target of a folder.

Administrators can also reallocate resources on the fly. Let's say, for example, that a server is reaching the end of its useful life and needs to be retired, but it is a file server that hosts gigabytes of user data from all over the company. Moving this data to another server might require e-mails to many users telling them the new drive mappings, or new logon scripts to perform the mapping for them. With DFS, administrators can use the DFS Management console to specify the new file server as an additional folder target in the DFS namespace. Then, through DFS Replication (DFSR), the data on the existing server can be replicated to the new server automatically. Changes between the two data sources will be synchronized, and administrators can even control the replication topology, schedule and bandwidth utilization of these replication cycles. Once the new target is in sync, the old server's target is removed from the folder and the server can be retired without users noticing.

One of the major benefits of DFS for geographically dispersed organizations becomes apparent when using site-aware clients (Windows 2000 Professional, Windows XP and Windows Vista). Imagine that you have a software installation server in New York and branch offices in Boston and Miami. With only one server, all your installations for all sites would come through the New York server. So you create two more installation servers, one at each branch. Now we are getting local installations, but what if the Boston install server goes down? Where will those clients get their installs from? Well, if they are AD clients and you are using DFS for your install shares, they will look for the next closest site as defined by your Active Directory site topology (site link costs). In addition, what if you need to add patches or new software to the install share? Without DFS, you would have to add it three times, once on each distributed server. With DFS, add it to one server and it automatically replicates the changes to the others.

The mechanism that accomplishes that replication between alternate targets is one of the most meaningful improvements in the DFS architecture. NTFRS (used in the Windows 2000 and Windows Server 2003 DFS implementations) has been replaced in the new architecture by DFSR, which first appeared in Windows Server 2003 R2. What makes this more efficient and network friendly is the fact that DFSR uses remote differential compression (RDC). RDC divides a file into chunks and compares chunk signatures between the sending and receiving members, so that when a file changes only the chunks whose contents differ cross the wire to the alternate targets. With NTFRS, the entire file was replicated no matter how small the change to it.

• Virtualization

Administrators love virtualization, and they should. Virtualization allows administrators to consolidate multiple roles on underutilized hardware, isolate functions into individual virtual environments, perform testing in a safe environment and remove hardware compatibility issues from the environment.

Unfortunately, as of this writing, sources have indicated that native virtualization will not be deployed when Windows Server 2008 is released to manufacturing. The current estimate is that the VM components will be available as a download 180 days after Server's RTM date. We can look at the proposed VMM architecture, but since the release of the product may be up to nine months after the date of this writing, be aware that this scenario may change. For this reason, we will not go into a great deal of detail about the planned implementation of this technology. You can count on the fact that the planned architecture is a Type 1 hypervisor. Type 1 hypervisors are those that run directly on the system hardware and offer a higher level of virtualization efficiency and security.
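The file-server retirement scenario from the DFS section above, carried out with the command-line tools that ship with the DFS roles on Windows Server 2008 (dfsutil.exe, dfsradmin.exe, dfsrdiag.exe), as an added example that is not code from the white paper. The domain corp.example, the namespace \\corp.example\Software, the folder Install, the old server NYC-FS1 and its replacement NYC-FS2 are placeholders. The dfsradmin and dfsutil switches are written from memory of the 2008 syntax and should be confirmed with `dfsradmin <object> <verb> /?` and `dfsutil /?` before use.

```batch
@echo off
rem Added example (not from the white paper): replacing file server NYC-FS1 with NYC-FS2
rem behind the DFS folder \\corp.example\Software\Install, with DFSR doing the data move.
rem Names are placeholders; confirm switch syntax with dfsradmin/dfsutil /? first.

rem 1. (One time) A domain-based namespace in Windows Server 2008 mode (V2), which lifts the
rem    5,000-folder limit; needs all namespace servers on 2008 and a 2008 domain level.
dfsutil root adddom \\NYC-FS1\Software V2
dfsutil link add \\corp.example\Software\Install \\NYC-FS1\Install
dfsutil property sitecosting enable \\corp.example\Software

rem 2. Replication group mirroring D:\Install from the old server to the new one.
rem    /isprimary must be the server that HOLDS the data: the primary member wins initial
rem    replication, so marking the empty new server primary would delete the data.
dfsradmin rg new /rgname:Install
dfsradmin mem new /rgname:Install /memname:NYC-FS1
dfsradmin mem new /rgname:Install /memname:NYC-FS2
dfsradmin rf new /rgname:Install /rfname:Install
dfsradmin conn new /rgname:Install /sendmem:NYC-FS1 /recvmem:NYC-FS2
dfsradmin conn new /rgname:Install /sendmem:NYC-FS2 /recvmem:NYC-FS1
dfsradmin membership set /rgname:Install /rfname:Install /memname:NYC-FS1 /localpath:D:\Install /isprimary:true /membershipenabled:true
dfsradmin membership set /rgname:Install /rfname:Install /memname:NYC-FS2 /localpath:D:\Install /membershipenabled:true

rem 3. Make both members read the new configuration from AD now instead of at the next poll.
dfsrdiag pollad /member:NYC-FS1
dfsrdiag pollad /member:NYC-FS2

rem 4. Do not go further until the backlog is 0 in BOTH directions; publishing a target
rem    that is still filling up gives users a half-empty share.
dfsrdiag backlog /rgname:Install /rfname:Install /smem:NYC-FS1 /rmem:NYC-FS2
dfsrdiag backlog /rgname:Install /rfname:Install /smem:NYC-FS2 /rmem:NYC-FS1

rem 5. Publish the new target, then retire the old one. Share and NTFS permissions on
rem    \\NYC-FS2\Install must already match \\NYC-FS1\Install; the namespace does not copy them.
dfsutil target add \\corp.example\Software\Install \\NYC-FS2\Install
dfsutil target remove \\corp.example\Software\Install \\NYC-FS1\Install

rem 6. From a client: drop the cached referral and look at the target list it will now get.
dfsutil cache referral flush
dfsutil diag viewdfspath \\corp.example\Software\Install
```

The order matters for the same reason the paper gives for DFS in the first place: users only ever see \\corp.example\Software\Install, so as long as step 5 happens after step 4 reports an empty backlog, the hardware swap is invisible to them.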
Some of the important advancements (over their current Virtual Server and Virtual PC products) are:

• 64-bit operating system support for both host and guests
• A 64-bit hypervisor that requires virtualization-aware hardware, such as Intel VT and AMD-V processors
• Automatic Network Address Translation (NAT), firewall, and Network Access Protection (NAP)
• Dynamic hardware swapping
• Assignment of minimum and maximum RAM allocations to ensure minimum performance and limit system hogs
• Adaptable network support, including VLANs, NAT and firewall configuration
• Virtualization can be managed through GPOs
• Security with support for hardware technologies such as DEP
• Multicore support for up to eight processors
• Virtual servers can be managed with Microsoft System Center Operations Manager (SCOM) and System Center Virtual Machine Manager (SCVMM)
• Native management tool will be MMC 3.0 based
• Disk access: the guest OS can access local or SAN storage
• Support for PowerShell scripting
• Virtualization role available on Server Core installations
• Windows Management Instrumentation (WMI) support

• Windows Server Backup

Microsoft is the first to admit that Windows Server Backup is not an enterprise solution to the backup and restore problems of large organizations. This product is deliberately targeted at single-server backup in smaller organizations. Microsoft's logic is that large organizations usually employ third-party solutions to manage their backup processes. However, in the right environment, administrators will see that the changes made to the Windows Server Backup component provide a backup and recovery solution that is much more flexible and useful for maintaining availability than any previous version of this tool. The key technological difference is that the new system uses the Volume Shadow Copy Service (VSS) to perform backups. This means that VSS takes a snapshot of the volume(s) being backed up, and the backup is then created from the snapshot. The benefit of this is that a server can be fully backed up while it is running, since VSS does not require the system to be idle when the snapshot is made. In addition, only one full backup is made; after that, only incrementals are taken (only the blocks that changed since the previous backup are written), thereby saving time and disk space. Backups are taken of the entire server or of individual volumes; individual files and folders are recovered from a volume backup rather than backed up on their own.

When the time comes to restore from backup, the Windows Recovery Environment supports a full or partial restore. The machine can be booted from the installation DVD, and a bare-metal restore (BMR) can be done from the backup source, which can be any disk media or network resource. The only backup medium not supported is tape. Because a volume backup is a complete copy of every file on the volume, including the SAM and, on a domain controller, the Active Directory database, the backup target needs the same physical and access protection as the server itself.

• Restartable AD Services

In the past, certain AD functions, such as authoritative restores and offline defragmentation, required that the DC be rebooted into Directory Services Restore Mode (sometimes more than once) while these offline functions were performed. If the DC played multiple roles in the organization, such as DNS, DHCP and print server, all these roles were also unavailable while AD maintenance was being performed through multiple reboot cycles.

Now, in Windows Server 2008, the Active Directory runs as a service, called Active Directory Domain Services (AD DS). As such, this service can be stopped and started like any other service on the machine through MMC snap-ins, the command line or WMIC. This allows other services to continue to run and service clients while AD DS undergoes maintenance. While AD DS is stopped, the DC cannot authenticate domain logons itself: if another DC is reachable, logons are forwarded to it; otherwise you log on with the Directory Services Restore Mode administrator account, so make sure that password is known before you stop the service.
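Windows Server Backup from the command line (wbadmin.exe), as an added example that is not code from the white paper: the cycle the Windows Server Backup section describes, from a scheduled volume backup through listing versions to a file-level and a volume-level recovery. It assumes an elevated prompt on a full installation, that \\BACKUP-NAS\WS2008 is a placeholder share the server's computer account can write to, that the disk identifier comes from the `get disks` output, and that the version timestamp shown is whatever `get versions` reports on your server; the Server Manager feature ID is also an assumption to confirm with `ServerManagerCmd -query`.

```batch
@echo off
rem Added example (not from the white paper): Windows Server Backup on Server 2008 with
rem wbadmin. The share, disk GUID and version timestamp are placeholders.

rem 1. Install the feature (GUI plus wbadmin). On Server Core: start /w ocsetup WindowsServerBackup
ServerManagerCmd -install Backup-Features

rem 2. Scheduled backups in Server 2008 need a dedicated, locally attached disk, which
rem    wbadmin reformats and hides from Explorer. Find its identifier, then schedule C:
rem    and D: nightly; after the first full pass only changed blocks are written.
wbadmin get disks
wbadmin enable backup -addtarget:{12345678-0000-0000-0000-000000000000} -schedule:23:00 -include:C:,D: -quiet

rem 3. One-time backup of every volume needed for a bare-metal restore to a network share.
rem    -vssFull marks the data as backed up (clears application logs, resets archive bits);
rem    use -vssCopy instead when another product owns the regular backups.
wbadmin start backup -backupTarget:\\BACKUP-NAS\WS2008 -include:C:,D: -allCritical -vssFull -quiet

rem 4. What is restorable, and from when.
wbadmin get versions -backupTarget:\\BACKUP-NAS\WS2008
wbadmin get items -version:11/20/2007-23:00 -backupTarget:\\BACKUP-NAS\WS2008

rem 5. Recover one file out of a volume backup to an alternate location (the live copy is
rem    left alone), then an entire volume in place.
wbadmin start recovery -version:11/20/2007-23:00 -itemType:File -items:D:\Users\alice\report.docx -backupTarget:\\BACKUP-NAS\WS2008 -recoveryTarget:D:\Restored -quiet
wbadmin start recovery -version:11/20/2007-23:00 -itemType:Volume -items:D: -backupTarget:\\BACKUP-NAS\WS2008 -quiet

rem 6. Bare-metal restore is run from the Windows Recovery Environment (boot the
rem    installation DVD, Repair your computer, Windows Complete PC Restore) pointed at the
rem    same share; its command-line form there is "wbadmin start sysrecovery".
```

The share in step 3 is where the caveat about protecting backups bites: anyone who can read \\BACKUP-NAS\WS2008 holds a copy of the server's SAM (and, for a domain controller, ntds.dit), so the share's permissions should be as tight as the server's own.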
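An offline defragmentation of the Active Directory database without a reboot, using the restartable AD DS described in the section above, as an added example that is not code from the white paper. It assumes an elevated prompt on a Windows Server 2008 DC, the database in the default %SystemRoot%\NTDS, D:\ntds-compact as scratch space with room for a second copy of ntds.dit, at least one other DC in the domain to carry the load, and that the Directory Services Restore Mode password is known in case no other DC is reachable for logon.

```batch
@echo off
rem Added example (not from the white paper): offline defragmentation of ntds.dit on a
rem Server 2008 DC with AD DS stopped instead of a reboot into DSRM. D:\ntds-compact is
rem placeholder scratch space.

rem 1. Stop AD DS. Its dependents (KDC, Intersite Messaging, DNS Server, DFSR, Netlogon)
rem    stop with it; /y answers the confirmation prompt. Other DCs keep serving clients.
net stop ntds /y
sc query ntds | findstr STATE

rem 2. Integrity check, then compaction into the scratch directory. "activate instance ntds"
rem    is required in Server 2008 because ntdsutil can also address AD LDS instances.
ntdsutil "activate instance ntds" files integrity quit quit
ntdsutil "activate instance ntds" files "compact to D:\ntds-compact" quit quit

rem 3. Keep the old database until the new one checks out, then swap it in. The transaction
rem    logs belong to the old file and must be removed after a compaction.
move /y %SystemRoot%\NTDS\ntds.dit D:\ntds-compact\ntds.dit.old
copy /y D:\ntds-compact\ntds.dit %SystemRoot%\NTDS\ntds.dit
del /q %SystemRoot%\NTDS\*.log
ntdsutil "activate instance ntds" files integrity quit quit

rem 4. Start AD DS and the services that were stopped with it, then confirm replication.
net start ntds
net start kdc
net start ismserv
net start dns
net start dfsr
net start netlogon
dcdiag /test:replications
repadmin /showrepl

rem 5. Remove the spare copy: ntds.dit holds every password hash in the domain.
del /q D:\ntds-compact\ntds.dit.old
```

If the integrity check in step 3 fails, move ntds.dit.old back before starting the service; with the old logs already deleted the service will refuse to start against a mismatched database, which is the safe outcome, but it does leave the DC down until the file is restored.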
Figure 1: the Server Manager console with its tree pane expanded

As you can see in Figure 1 above, there is a lot more to Server Manager than just configuring roles. If you look closely at the expanded tree pane, you can see that this is where you will access the Event logs, use Windows System Resource Manager, perform backups, create performance and reliability reports, configure scheduled tasks, manage Windows Firewall...the list goes on and on. As I've said before, one-stop shopping for the administrator!

At the time of this writing, Server Manager cannot be used remotely, nor can its command-line interface, servermanagercmd.exe. In order to use Server Manager on a remote machine, you must use the Remote Desktop client to connect to the server you want to administer, then launch a local instance of the Server Manager program once you are connected to the remote server.

If you are unable to use Remote Desktop for some reason, you can still perform remote management of many installed server roles by employing the Remote Server Administration Tools (RSAT) from another server, or in the future (after Vista SP1 is released) from a Vista workstation. RSAT is the adminpak.msi for the next generation of operating systems. RSAT is a feature that can be installed on Windows Server 2008, but the current version will not work with Windows Vista or XP. Using RSAT is one of the recommended approaches to easily manage a remote Server Core machine.
Books:
Introducing Windows Server 2008, by Mitch Tulloch with the Microsoft Windows Server Team (ISBN: 9780735624214), Microsoft Press.

Web Sites:
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008: http://go.microsoft.com/fwlink/?LinkID=90854
Windows PowerShell: http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx