Windows Server 2008

An Introductory Overview

Lori M. Sanders
Managing Senior Partner
iSolve Consulting Group

1-800-843-8733
www.learningtree.ca

© 2007 Learning Tree International. All Rights Reserved.


T A B L E O F C O N T E N T S
I. Introduction . . . . . . . . . . . . . . . . . . 1
II. Windows Server 2008 Family 2
III. Security Enhancements 2
• Identity and Access Control
in 2008 . . . . . . . . . . . . . . . . . . . . . . . . 2
– Active Directory Federation
Services (ADFS) . . . . . . . . . . . . . . . . 2
– Active Directory Rights
Management Services (AD RMS) . . . 3
• Network Access Protection (NAP) . . . . 3
• BitLocker Drive Encryption . . . . . . . . . 4
• Windows Server Core Deployments . . . 4
• Read-Only Domain Controllers
(RODC). . . . . . . . . . . . . . . . . . . . . . . . 5
• Domain Password Policy Changes. . . . 5
• Auditing Enhancements . . . . . . . . . . . 5
IV. Maintaining High Availability . . . . 5
• Failover Clusters . . . . . . . . . . . . . . . . . 5
• Network Load Balancing (NLB) . . . . . 6
• Distributed File System (DFS) . . . . . . 6
• Virtualization . . . . . . . . . . . . . . . . . . . 7
• Windows Server Backup . . . . . . . . . . . 8
• Restartable AD Services . . . . . . . . . . . 8
• Terminal Services . . . . . . . . . . . . . . . . 9
V. Manageability . . . . . . . . . . . . . . . . 9
• Server Manager . . . . . . . . . . . . . . . . . 9
• PowerShell . . . . . . . . . . . . . . . . . . . . 11
• Windows Deployment Services
(WDS) . . . . . . . . . . . . . . . . . . . . . . . . 11
• Log and Event Consolidation . . . . . . . 11
VI. Conclusion . . . . . . . . . . . . . . . . . . 11
Books and Web Sites . . . . . . . . . . . . . . 12
About Learning Tree International . . . . 13
About the Author . . . . . . . . . . . . . . . . . 13
1-800-843-8733 • www.learningtree.ca
© 2007 Learning Tree International. All Rights Reserved
LEARNING TREE INTERNATIONAL White Paper
I. Introduction
As the world awaits the launch of another Microsoft
operating system, administrators, managers and
professionals are asking, “Do we really need it?”
The answer to that question is: It depends on your
organization’s needs and goals. One way to determine
whether Windows Server 2008 is worth spending time,
energy and corporate budget on is to learn what the
new operating system can do for you. There are many
interesting things to talk about in this product, and the
purpose of this White Paper is to give you an overview
of the most important new or improved features. When
you finish reading the Paper, you will have a good idea
of what Windows Server 2008 offers and it can be used
in your organization. You will also find additional
resources and Web links at the end.
As a longtime server administrator, I see three areas
of functional improvement in Windows Server 2008—
security, manageability, and availability. Although
some of the new tools and capabilities available offer
benefit in more than one area, I will frame them within
the context of these three boundaries.
Many of the components we will cover in the next
pages are new to the product line, others first became
available in Windows Server 2003 R2. Some are simply
refinements and rebranding of existing Windows 2000,
Windows Server 2003 or Windows Vista capabilities. In
all cases though, I think you will find this generation of
Microsoft Server easier to deploy, manage and maintain
than any of its predecessors. So let’s get started!
Windows Server 2008 – An Introductory Overview 1
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
II. Windows Server 2008 Family
Before diving into product improvements, let’s have
a quick look at the entire product line. The Windows
Server 2008 family looks much like the Windows
Server 2003 collection of products. You have four
major versions available for purchase. They are Web
Server, Standard, Enterprise and DataCenter editions.
Each of these editions is available for either 32 or 64
bit platforms. DataCenter will also be available for
the IA-64 architecture.
As with Windows Server 2003, the product you choose
depends on the size of your organization and the
functionality that you want to employ. Below we have
a comparison of some of the basic features included in
each server edition. Naturally, until the product is actually
released to manufacturing (RTM) early next year, nothing
is written in stone. And, as mentioned earlier, if you are
familiar with the Windows Server 2003 product line, you
will see that the new server product line is marketed
with similar organizational limits in mind.
• Standard Edition—Provides fundamental server
functionality; intended for use in small to medium-
sized organizations; includes key server roles and
features; and supports full or server core only
installations. Can be used as an Active Directory
(AD) domain controller (DC).
• Enterprise Edition—Same functionality as
the Standard Edition, plus technologies that are
generally more important in larger enterprises such
as Active Directory Federation Services (ADFS)
and Failover Clustering.
• DataCenter Edition—Same functionality
as the Enterprise edition, plus unlimited
virtualization rights and support for robust servers
with large amounts of RAM and a larger number
of processors.
• Web Server 2008—Like Web Server 2003, a
limited version of the operating system designed to
be used as a Web and application server only; has a
very limited set of server roles; cannot be used as a
Active Directory server; does not have the option to
install just the server core; and supports less RAM
and fewer processors.
© 2007 Learning Tree International. All Rights Reserved
White Paper
III. Security Enhancements
Let’s begin our discussion of new capabilities with a
topic near and dear to every IT professional’s heart:
keeping our servers secure and our corporate data
private. Windows Server 2008 has implemented
several new features and provided improvements to
existing features that will assist in achieving this
goal. Many of these features will someday end up as
individual chapters in a security textbook, but we will
discuss them at a higher level. Again, at the end of the
Paper, you will find a list of hyperlinks and resources to
deepen your knowledge of any of the security features
mentioned here.
• Identity and Access Control in 2008
In any organization, one of the first security tasks we
need to undertake is to establish and secure a perimeter
around our network. In Active Directory, we do this by
delineating domains and forest structures, and making
sure that everyone who is allowed into our perimeter
has a valid sign-on. This is a relatively simple process,
as long as everyone who needs access to your data is
within this perimeter. But what happens when you
have customers, suppliers or partners that are outside
your forest? In the past, that situation could be a
management and security nightmare. Microsoft has
implemented two technologies to assist with maintaining
sign-on and resource security when using extranets:
– Active Directory Federation Services (ADFS)
ADFS was first introduced in Windows Server 2003
R2. In Windows Server 2008, ADFS is implemented
as a server role that is capable of providing identity
management for extranet customers that are called
federation partners. ADFS allows browser-based
clients to access Internet applications even when
the user account and application are located in
separate forests. ADFS allows a user to authenticate
to multiple Web applications using a single sign-on.
ADFS uses a new type of trust, called a federation
trust, to securely share user identity and rights
information between federation partners.
How is this different than simply creating an external
or forest trust between the two organizations? If
we create such a trust, the entire external domain
Windows Server 2008 – An Introductory Overview 2
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
is included in the trust model; however, if I employ
ADFS, I can specify a trusted subset of individuals in
that remote domain that will be allowed access inside
my perimeter. In addition, using policies, I can set up
additional conditions and rules for this federated trust.
– Active Directory Rights Management Services
(AD RMS)
A second server role employed to protect information
is AD RMS. This is Windows Server 2003 Rights
Management Services, rebranded and improved. AD
RMS is a technology aimed at controlling data access
rather than user identity. To use AD RMS, you must
install the server role, which handles certificates and
licensing, and you must employ AD RMS clients as
well as a database server. Currently, only Vista has a
native AD RMS client. Once in place, data authors set
persistent usage rules on information and data sources
that will remain attached to the data no matter where
it is moved—both inside and outside the organization.
This technology augments the traditional Access
Control List ACL protection by allowing security
masks such as “read only – no printing” to be config-
ured on a resource and have that security enforced
even when the document is e-mailed to recipients
outside the organization. Applications, including
custom and third party, must be AD RMS enabled.
Once done, any document, drawing, e-mail or other
product of the application can have AD RMS security
embedded in the information. Developers can create
customized AD RMS applications using the AD RMS
software development kit.
• Network Access Protection (NAP)
How secure is your server? The answer really is: only
as secure as your network clients. For example, what
if a client machine isn’t running a virus scanner? Do
you want to allow such a highly vulnerable laptop to
communicate with your corporate servers and pass on
a virus or spyware? To combat this problem, Windows
Server 2008 now offers Network Access Protection
(NAP). NAP allows administrators to specify base
“health” requirements, such as minimum software
requirements, security update levels and other security
settings that must be met before a client is allowed to
fully access the corporate network. These NAP policies
© 2007 Learning Tree International. All Rights Reserved
White Paper
allow administrators to control, and even quarantine,
machines that don’t meet the minimum requirements
for the network. Non-compliant clients can be denied
access to the network or directed to a remediation
server’s network for immediate repair.
There are five enforcement mechanisms for NAP:
• DHCP
• IPSec
• VPN
• 802.1x
• TS Gateway
NAP requires components on both network clients and
servers. The server components consist of the Network
Policy Server (NPS), the System Health Validators (SHVs)
and the Quarantine Server (QS). The NPS is the heart
of the system where administrators create policies that
specify the organization’s health requirements for full
network participation by clients. When a client attempts
to access the network, the SHVs determine whether
they meet the basic requirements specified in the
policies. If a client is found non-compliant, it is sent to a
remediation network where QSs will make it compliant
allowing for full network access. The actual process may
differ based on which enforcement methods are used
and what exceptions have been created for machines
that are not NAP client enabled or need to be exempted
from NAP screening.
For a machine to be screened by NAP, it must have a
NAP client installed. Currently, the only embedded NAP
clients are in Windows Vista and Windows Server 2008.
Microsoft is developing a NAP client for XP and expects
it to be released about the same time as Windows Server
2008 RTM. The NAP client consists of three layers: the
System Health Agents (SHAs), Quarantine Agent (QA)
and the Enforcement Clients (ECs). SHAs check for
compliance with a particular requirement, such as a
particular patch or a certain level of AV software. A client
may have multiple SHAs present as each one is directed
at a particular health requirement. The QA takes the
status from the SHAs and compiles a list of results which
it forwards to the EC. The ECs then determine whether
the client is granted full or partial network access based
on the SHA outcomes. There are embedded ECs for each
of the enforcement mechanisms mentioned earlier, and
ISVs are being encouraged to come up with their own
custom ECs for installation.
Windows Server 2008 – An Introductory Overview 3
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
• BitLocker Drive Encryption
Unlike file encryption (EFS), which can be used to
encrypt folders and files, BitLocker encrypts the entire
drive, including the swap and hibernation files. This
technology foils the data thief who tries to boot the
computer to an alternate operating system where
NTFS permissions would not be enforced, use other
tools to read the drive’s information, or attempt to
access the data offline. BitLocker can be of value to
organizations that are concerned about the security
of their data traveling outside the company on laptops
and for any organization required to maintain higher
than usual data security due to regulatory requirements
such as HIPAA or Sarbanes-Oxley compliance. It is
especially useful in the server environment when
servers are located outside the server room or in some
unsecure location such as a branch office.
Although BitLocker first became available with certain
versions of Windows Vista, the Windows Server 2008
implementation has a few key improvements that
make it more usable in a server environment. First,
the technology has been extended to include any
locally created internal volume on the machine—not
just the bootable volume. These non-bootable volumes
are referred to as data volumes. Second, security
has been improved by adding a new multifactor
authentication mechanism combining a TPM protected
key, which can be stored on a USB device, and a user-
generated PIN, both of which must be used before
access is granted to the volume. Finally, support for the
Extensible Firmware Interface (EFI) has been included.
• Windows Server Core Deployments
When you install Windows Server 2008, you will see
that you have a new installation alternative called
Server Core. Choosing this option means that only
the absolutely essential OS components are deployed
to the machine. Elements that are considered extraneous
are not installed. The most obvious missing feature is
the GUI. That’s right—Server Core is a primarily a
command line driven administrative interface. There
are a few GUI-like tools that you can use (such as Task
Manager, regedit.exe and Notepad) but, overall, the
tools you are used to seeing in Windows are gone—
no Server Manager, no Taskbar, no Start Menu, no
Windows Explorer.
© 2007 Learning Tree International. All Rights Reserved
White Paper
The question is, why did Microsoft include this installation
option? What do you gain from doing a core-only
install? There are several answers, but probably the
most important is: increased security. By reducing the
components installed and the services that are running,
Microsoft has automatically reduced the attack surface
of your server. There aren’t as many security holes to
exploit because the elements that would allow attacks
simply aren’t in place. Of course, the core architectural
components of the OS are still there—the kernel,
Hardware Abstraction Layer (HAL) and drivers.
Beyond security improvement, the Server Core install
also gives the benefits of a smaller system footprint,
reduced administration and decreased need for software
patching because there are fewer OS components to
install, configure or patch. Of course, given the command
line interface, strong experience in commands and
scripting will be an important skill for Server Core
administrators.
When you perform a Server Core install, you lose
the ability to install some of the roles and features
available with a full installation. And naturally, the roles
and features you choose to install must be managed
using ServerManagerCmd.exe—the command line
version of Server Manager.
The following is a list of server roles and features that
are available for use on a Server Core machine:
Server Roles Available Features Available
Active Directory Domain Services Failover Clustering
Active Directory Lightweight Multipath I/O
Directory Services
DHCP Server Network Load Balancing
DNS Server Quality of Service
File Services Removable Storage
(including NFS and DFSR) Management
Print Services SNMP Services
Streaming Media Services Subsystem for UNIX-based
Applications
IIS 7.0 * Telnet Client
Windows BitLocker Drive
Encryption
Windows Server Backup
WINS Server
*Without .NET framework—Announced at TechEd June 2007
Windows Server 2008 – An Introductory Overview 4
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
• Read-Only Domain Controllers (RODC)
Microsoft is marketing RODCs as a new category
of domain controller that can be deployed in environ-
ments where a writable copy of the AD database may
be a security liability, such as a branch office where
physical security may be less than perfect. If you are
familiar with the NT 4 concept of a backup domain
controller (BDC), the idea here is similar. The RODC
contains the same domain objects and attributes as
a writable domain controller (except passwords);
however, as the name implies, RODCs are not able
to write any changes to the database. When changes
are required, administrative tools are redirected to a
writable DC elsewhere in the organization. Administra-
tion of a specific RODC can be delegated to any domain
user without having to grant that user administrative
rights on other domain controllers. This allows a local
user at the branch office to perform administrative
tasks on the RODC, such as configuring an application,
but not have any permissions or rights on any other
DC. This protects the integrity of the data on writable
copies of the Active Directory database.
• Domain Password and Account Lockout
Granularity
Although there have been several improvements in
security policies, one of the most useful (and long
overdue) is the change made to the domain password
and account lockout functionality. In previous AD
implementations, a single password policy applied
to all domain accounts. If domain users required
different levels of password enforcement, such as
separate minimum password lengths or different
expiration periods, the only option was to create two
domains and then create different password policies
in each domain to each group’s specifications. In
Windows Server 2008, different password policies
can be set within a single domain. A new password
settings object (PSO) holds the password policies.
A PSO can then be associated with any group in
the Active Directory.
© 2007 Learning Tree International. All Rights Reserved
White Paper
• Auditing Enhancements
Administrators have always been able to audit access
to objects for file system and Active Directory objects,
but with the dawn of Windows Server 2008, security
tracking becomes more granular. A new policy
category called Directory Service Changes will allow
administrators to capture who made changes to an
Active Directory object or attribute, when the change
was made and what the old and new values are. The
same ability to keep initial and changed values is available
for any changes to the Registry as well. Administrators
will also be able to audit permission changes, network
share access and IPSec events.
Like other security events, this tracking is sent to the
security logs and can be consolidated from several
machine sources. These logs can be viewed with traditional
Microsoft tools such as Event Viewer or accessed from
third party toolsets. This new level of auditing detail will
assist with AD change management tracking as well as
maintaining regulatory compliance for organizations
with HIPPA or SOX requirements.
IV. Maintaining High Availability
“Anytime…anywhere.” These two words have become
the mantra for our industry. Even if the business needs
are not 24/7/365, the user’s needs often are. Many of the
technologies you will see deployed with Windows Server
2008 are addressed at meeting such requirements. In the
next section, we will discuss the most prominent of these.
• Failover Clusters
One of the fundamental technologies used to create a
high-availability or fault-tolerant environment is server
clustering. Clustering refers to a set of independent
servers that are configured to work together through
physical cabling and cluster management software. If any
cluster node (server participant) becomes unavailable,
another node will automatically take over for the failed
server. This allows always-on access to business critical
applications and data, even through server crashes.
In Windows Server 2008, cluster technology has been
rebranded to Failover Clustering. In this generation of
clustering, Microsoft has attempted to make the creation
and management of clusters easier and improve cluster
security and stability. This process begins with the use of
Windows Server 2008 – An Introductory Overview 5
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
the Cluster Validation Wizard, which lets administrators
test node compatibility, check network configuration
for the proposed cluster, and make sure that the storage
access requirements are met for all the nodes in the
cluster. Once set up, cluster management is simplified
through a new administrative interface.
Additional clustering improvements include support
for GUID Partition Table (GPT) disks which have built
in redundancy, support for large partitions and more
partitions per disk. A new quorum model, called the
majority quorum model, allows you to be in control
of the quorum configuration. You can configure your
cluster to use the traditional shared quorum device or
majority node models, or create a hybrid model. In
the new model, even a simple two-node cluster can
survive the loss of the quorum resource disk. Other
important new storage features include the ability to
use shares (rather than whole disks) as a resource, the
capacity to add additional resources to the quorum
while the cluster is running, SAN support, and storage
connections that support persistent reservations
(Fibre Channel, iSCSI, and SAS).
Improvements in the networking model for clusters
include support for IPv6, removal of legacy dependen-
cies on NetBIOS, DHCP support, and the ability to
have cluster nodes exist on different logical IP subnets.
The most important of these—especially to large,
geographically distributed organizations—would be
the last. This functionality change allows an enterprise
to implement GeoClusters (Geographically Dispersed
Clusters) without the creation of a VLAN as required
in earlier generations of Microsoft clustering. To
complement this change, cluster heartbeat timeouts
are now configurable.
As with other components, Microsoft’s focus in 2008
is to simplify the management of servers. In clustering,
we see this focus come to life with the addition of the
new Failover Cluster Management interface, an MMC
3.0 console which lets administrators validate, create and
manage clusters through a series of three-step wizards.
© 2007 Learning Tree International. All Rights Reserved
White Paper
• Network Load Balancing (NLB)
Network Load Balancing (NLB) technology distributes
the network load for applications across multiple
servers arranged in an NLB cluster. As the name
implies, NLB is useful for large organizations that want
to balance their network traffic across multiple servers,
but it also allows applications to “scale out” when the
demand increases. By adding more servers to the NLB
cluster as the workload increases, administrators can
guarantee availability and responsiveness for users of
networked applications.
Like other features, NLB is not new to Server in 2008,
but it has had a facelift and now includes the following
improvements:
I. IPv6 Support
II. NDIS 6.0 driver with backwards compatibility
III. Support for multiple IP addresses per node
enabling administrators to have multiple
applications hosted on the same NLB cluster
even when each application requires a
dedicated IP address
• Distributed File System (DFS)
Another availability technology that is not new but has
certainly been improved in Windows Server 2008 is the
Distributed File System (DFS). DFS has been around for
decades in both the UNIX and Microsoft worlds, and
most administrators of complex networks with many
resource servers are big fans of the concept. The problem
has been that although we love the concept, Microsoft’s
implementation of that concept has had issues that made
it somewhat difficult to use for highly volatile shares.
With Server 2008, many of those issues have either been
resolved or made significantly better. Two major areas of
improvement are the removal of the 5000 folder limitation
and the use of a new replication algorithm. But first let’s
talk about the benefits of DFS in general.
DFS allows administrators to create a transparent
network namespace for their users, grafting together
shared resources from many servers into a single logical
Windows Server 2008 – An Introductory Overview 6
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
structure. From the user’s perspective, a DFS namespace
appears in their interface as a single file structure with a
top level folder and subfolders with subfolders (if needed).
Users access the namespace root share just as they would
any other network share and, once there, they are able to
connect to any of the resources in the structure (as long
as they have appropriate permissions, of course). This
eliminates the need for mapping drives to each shared
resource. Now they can simply map a drive to the
namespace root share.
Administrators can also reallocate resources on the fly.
Let’s say, for example, that a server is reaching the end
of its useful life and needs to be retired, but it is a file
server and hosts gigabytes of user data from all over
the company. Moving this data to another server might
require e-mails to many users telling them the new
drive mappings or new logon scripts to perform the
mapping for users. With DFS, administrators can use
the Distributed File System Manager console and
specify the new file server as an additional target folder
in the DFS namespace. Then, through the magic of
DFS Replication (DFSR), the data on the existing server
can be replicated to the new server automatically.
Changes between the two data sources will be synchro-
nized and administrators can even control the replication
topology, schedule, and bandwidth utilization of these
replication cycles.
One of the major benefits of DFS for geographically
dispersed organizations becomes apparent when using
site aware clients (Windows 2000 Professional, Windows
XP and Windows Vista). Imagine that you have a software
installation server in New York and branch offices in
Boston and Miami. With only one server, all your
installations for all sites would come through the New
York server. So…you create two more installation servers,
one at each branch. Now we are getting local installations,
but what if the Boston install server goes down? Where
will those clients get their installs from? Well, if they are
AD clients and you are using DFS for your install shares,
they will look for the next closest site as defined in your
© 2007 Learning Tree International. All Rights Reserved
White Paper
Active Directory replication topology. In addition, what
if you need to add patches or new software to the install
share? Without DFS, you would have to add it three
times, once on each distributed server. With DFS, add it
to one server and it automatically replicates the changes
to the others.
The mechanism that accomplishes that replication
between alternate targets is one of the most meaningful
improvements in the DFS architecture. NTFRS (used
in Windows 2000 and Windows Server 2003 DFS imple-
mentations) has been replaced by DFSR in the new
architecture. What makes this more efficient and network
friendly is the fact that DFSR uses remote differential
compression. This engine breaks files down into smaller
chunks which are then tracked for changes. When the
system detects a change to a data block, only those blocks
that have changed are replicated among alternate targets.
With NTFRS, the entire file was replicated no matter how
small the change to the file.
• Virtualization
Administrators love virtualization—and they should.
Virtualization allows administrators to consolidate
multiple roles on underutilized hardware, isolate functions
into individual virtual environments, perform testing in
a safe environment and remove hardware compatibility
issues from the environment.
Unfortunately, as of this writing, sources have indicated
that native virtualization will not be deployed when
Windows Server 2008 is released to manufacturing.
The current estimate is that the VM components will be
available as a download 180 days after Server’s RTM date.
We can look at the proposed VMM architecture, but since
the release of product may be up to nine months after
the date of this writing, be aware that this scenario may
change. For this reason, we will not go into a great deal
of detail about the planned implementation of this
technology. You can count on the fact that the planned
architecture is a Type 1 hypervisor. Type 1 hypervisors are
those that run directly on the system hardware and offer
a higher level of virtualization efficiency and security.
Windows Server 2008 – An Introductory Overview 7
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
Some of the important advancements (over their current
Virtual Server and Virtual PC products) are:
• 64-bit operating system support for both
host and guests
• 64-bit hypervisor requires VM aware hardware—
such as Intel’s VT and AMD-V processors
• Automatic Network Address Translation (NAT),
firewall, and Network Access Protection (NAP)
• Dynamic hardware swapping
• Assignment of minimum and maximum
allocations of RAM to ensure minimum
performance and limit system hogs
• Adaptable network support, including VLANs,
NAT and firewall configuration
• Virtualization can be managed through GPOs
• Security with support for hardware technologies
such as DEP
• Multicore support for up to eight processors
• Virtual servers can be managed with Microsoft
System Center Operations Manager (SCOM)
and System Center Virtual Machine Manager bare metal restore (BMR) can be done from the backup
(SCVMM)
• Native management tool will be MMC 3.0 based
• Disk Access—Guest OS can access local or
SAN storage
• Support for PowerShell scripting
• Virtualization role available on Server Core
installations
• Windows Management Instrumentation
(WMI) support
© 2007 Learning Tree International. All Rights Reserved
White Paper
• Windows Server Backup
Microsoft is the first to admit that Windows Server
Backup is not an enterprise solution to the backup and
restore problems of large organizations. This product is
deliberately targeted at single server backup in smaller
organizations. Microsoft’s logic is that large organizations
usually employ third party solutions to manage their
backup processes. However, in the right environment,
administrators will see that the changes made to the
Windows Server Backup component provides a backup
and recovery solution that is much more flexible and
useful for maintaining availability than any previous
version of this tool. The key technological difference
is that the new system uses the Volume Shadow Copy
(VSC) service to perform backups. This means that VSC
take a snapshot of the resource(s) being backed up and
then creates the backup from the snapshot. The benefit
of this is that a server can be fully backed up while it is
running since VSC does not require the system to be
idle when the snapshot is made. In addition, only one
full backup is made. After that, only incrementals are
initiated, thereby saving time and disk storage space.
Backups can be made of the entire system, individual
volumes, or a particular folder or file.
When the time comes to restore from backup, the
Windows recovery environment supports a full or partial
restore. The machine can be booted from DVD, and a
source—which can be any disk media or network
resource. The only backup media not supported is tape.
• Restartable AD Services
In the past, certain AD functions, such as authoritative
restores and offline defrags required that the DC be
rebooted (sometimes more than once) while these
offline functions were performed. If the DC played
multiple roles in the organization, such as DNS, DHCP
and printer server, all these roles were also unavailable
while AD maintenance was being performed through
multiple reboot cycles.
Now in Windows Server 2008, the Active Directory runs
as a service, called Active Directory Directory Service
(AD DS). As such, this service can be stopped and started
like any other service on the machine through MMC
snap-ins, command line or WMIC. This allows other
services to continue to run and service clients while the
AD DS undergoes maintenance.
Windows Server 2008 – An Introductory Overview 8
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL White Paper

• Terminal Services – Remote Desktop Connection 6.0

This is definitely one of those topics that could be a whole Users will employ Remote Desktop Connection 6.0
chapter in a Windows Server 2008 book, or maybe even a to connect to Terminal Services in Windows Server
book topic of its own because there is so much new func- 2008. This version is included in Windows Server 2008
tionality embedded in Windows Server 2008’s “ Terminal and Windows Vista. It is also available for Windows
Services”. We will cover the highlights of the major new XP users and Windows Server 2003 users as a free
components here, and then point you to some very good download from Microsoft.
additional resources at the end of this paper.
– Single Sign-On (SSO)
– Terminal Services RemoteApp With SSO, domain users of Terminal Services can
Terminal Services RemoteApp is a new way of log on to a terminal session using their username
presenting terminal services applications to the end and password or a smartcard. They need to do so
user in Windows Server 2008. In previous versions only once. If they initiate another terminal service
of Terminal Services, when the user connected to a session, they are not asked for credentials again.
session, the entire desktop on the remote machine This eliminates the need for the user to repeatedly
was presented to the user by default. With Remote- enter their authentication information and, therefore,
App, only the application is presented to the user. increases their satisfaction with the system.
The remote application launches and runs on the
user’s desktop just as a locally installed application V. Manageability
does. Local drives and printers are automatically One of the administrative trends Microsoft has been
redirected, and the window the application runs in implementing in phases over the past several years is
is resizable, just like any other program window role-based administration of servers. The idea is that a
would be. This improves the user experience, by server has roles to play, such as the DNS server, file server,
integrating the remote application seamlessly with DFS server, Web server or domain controller. Each of
their local desktop. these roles requires certain services to be running, ports
– Terminal Services Gateway to be opened perhaps and security to be configured. In
TS Gateway allows users to connect to terminal Windows Server 2008, role-based administration has
servers and remote desktop workstations that are come of age. When a system is first installed, the server’s
behind the firewall without having to configure a roles and features need to be installed and configured.
VPN connection. The embedded security model is This can be done by using the Initial Configuration Tool
actually more secure than a standard VPN because (ICT) which appears on the first boot of a newly installed
users of TS Gateway are allowed access to a selected server or through a new console called Server Manager.
subset of servers and workstations instead of the No matter which tool you use, the system automatically
entire network like a VPN would allow. installs and configures needed services, opens required
ports and configures security settings for you. In addition
– Terminal Services Web Access to this role/feature configuration task, Server Manager
With TS Web Access, TS RemoteApp applications is the central administrative console for many server man-
can be served to the user in a browser. The user can agement jobs, so we’ll take a deeper look at that new tool.
choose from a list of programs in their browsers
and, when they select an application, a TS session is • Server Manager
started transparently on the terminal server hosting Server Manager is a new MMC console that gives the
the application. For the administrator, Web Access administrator a one-stop tool for managing a server. In
has the same benefits of a regular terminal service addition to the role and feature installation and configura-
application— applications are centrally managed and tion tasks mentioned above, Server Manager can be used
secured on the server. Software does not have to be to remove roles and features. Once you install a role or
maintained on the client workstations. feature, the Server Manager interface automatically adds
the management snap-ins for that role or feature.

© 2007 Learning Tree International. All Rights Reserved

Windows Server 2008 – An Introductory Overview 9
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
Figure 1
As you can see in Figure 1 above, there is a lot more to
Server Manager than just configuring roles. If you look
closely at the expanded tree pane, you can see that this
is where you will access the Event logs, use Windows
System Resource Manager, perform backups, create
performance and reliability reports, configure scheduled
tasks, manage Windows Firewall…the list goes on and
on. As I’ve said before, one stop shopping for the
administrator!
At the time of this writing, Server Manager cannot be
used remotely, nor can its command line interface with
servermanagercmd.exe. In order to use Server Manager
on a remote machine, you must use the Remote Desktop
client to connect to the sever you want to administer,
© 2007 Learning Tree International. All Rights Reserved
White Paper
then launch a local instance of the Server Manager
program once you are connected to the remote server.
If you are unable to use Remote Desktop for some
reason, you can still perform remote management of
many installed server roles by employing the Remote
Server Admin Tools (RSAT) from another server—or
in the future (after Vista SP1 is released) from a Vista
workstation. RSAT is the adminpak.msi for the next
generation of operating systems. RSAT is a feature that
can be installed on Windows Server 2008, but the current
version will not work with Windows Vista or XP. Using
the RSAT is one of the recommended approaches to
easily manage a remote server core machine.
Windows Server 2008 – An Introductory Overview 10
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
• PowerShell
PowerShell is an interactive command line shell with
an embedded administrative scripting language that
employs consistent syntax and utilities. PowerShell lets
administrators automate repetitive tasks and doesn’t
require a college degree in programming to learn and
use effectively. One of the secrets to this low learning
curve is the use of more than 130 standard command
line tools, called cmdlets, that address common admin-
istrative tasks such as managing services, logs, processes
and more. On a surprising note, PowerShell does not
require migration of your existing scripts. PowerShell
can understand and use data from all Microsoft admin-
istrative data access technologies, such as WMI, ADSI,
XML, ADO, HTML and COM.
• Windows Deployment Services (WDS)
Windows Deployment Services (WDS) is the new and
improved version of the Remote Installation Services
(RIS) that came with Windows Server 2000 and 2003.
WDS, like RIS, allows you to boot a client machine to
the network, retrieve a boot image and then install an
operating system on that machine—all without you
having to be present at the client.
If you weren’t a big fan of RIS, you may want to take
some time to re-evaluate this generation of WDS. This
implementation overcomes several of the common
complaints about the RIS architecture. For example,
WDS supports multicasting. Not only can it multicast,
a client can join a multicast deployment that is already
in progress and not lose any data. Next, in order to quiet
the ACKs down on the network from the use of con-
nectionless UDP, TFTP windowing is in place. WDS also
supports network boots of x64-based computers with the
Extensible Firmware Interface (EFI). The client uses the
Windows PE (Pre-installation Environment) system to
boot the machine, which gives us an environment with
much more functionality than before. WDS supports
WIM images. And finally, as you will see in the next
section, some of the burdensome architectural elements
needed for RIS to work are no longer required for WDS.
Like many technologies, WDS has server side as well as
client components. On the server side, you need a PXE
© 2007 Learning Tree International. All Rights Reserved.
White Paper
server to answer client requests for boot images, as well
as a TFTP server. You will need a shared folder for your
image repository. The image repository holds your boot
images, installation images, and the files required for
network boots. There is also a server multicast component
and a diagnostics module for enhanced logging. Finally,
there is a set of management tools for administering
images, the WDS server and client computer accounts.
For those of you familiar with RIS, notice that I did not
mention the Active Directory. No, I didn’t forget. This
generation of deployment technology doesn’t require the
AD. You have to install Transport Server to make it work,
but it can be done. On the client, there will be a GUI that
runs on the Windows PE. The GUI is used to select and
install the client image.
• Log and Event Consolidation
This was mentioned a little earlier in our paper, but
from the manageability standpoint, I think it is important
enough to be given a section of its own. In Windows
Server 2008, you can now combine and track events
from several logs sources even if the logs are on multiple
physical systems. This greatly reduces the hassle histori-
cally associated with trying to monitor events on multiple
geographically separated machines. Through the use
of subscriptions, events can be consolidated into one
management interface such as Event Viewer, or third
party tools can be utilized to see the events.
VI. Conclusion
Windows Server 2008 is a powerful base to build your
enterprise architecture on. Many of the new components
are going to simplify management and lead to less
downtime for your organization’s server architecture. But,
now that you have seen just some of the more important
improvements for Windows Server 2008, I think you can
agree that there is a lot to learn as you move into this new
environment. Although this article is a good start to your
education, and a good product overview, you will need a
deeper level of detail to successfully implement these new
features. The following page shows is a list of books and
Web sites that you can use to increase the depth of your
knowledge.
Windows Server 2008 – An Introductory Overview 11
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL White Paper

Books:
Introducing Windows Server 2008
by Mitch Tulloch with the Microsoft Windows
Server Team
(ISBN: 9780735624214),
Publisher: Microsoft Press.

Microsoft Windows PowerShell Step by Step

by Ed Wilson (ISBN: 9780735623958),
Publisher: Microsoft Press

Web Sites:
Changes in Functionality from Windows Server
2003 with SP1 to Windows Server 2008:
http://go.microsoft.com/fwlink/?LinkID=90854

Windows Server 2008 TechNet Webcasts, Virtual

Labs, Podcasts & Chats:
http://go.microsoft.com/fwlink/?LinkID=90855

Windows Server 2008 Step-by-Step Guides

(15 downloadable documents—varied topics):
http://go.microsoft.com/fwlink/?LinkID=90856

Windows Server 2008 TechCenter:

http://go.microsoft.com/fwlink/?LinkID=86041

Windows Server 2008 Troubleshooting:

http://go.microsoft.com/fwlink/?LinkID=90857

Windows PowerShell:
http://www.microsoft.com/windowsserver2003/
technologies/management/powershell/default.mspx

Microsoft Script Center Repository: Sample

PowerShell Scripts:
http://www.microsoft.com/technet/scriptcenter/
scripts/msh/default.mspx?mfr=true

Microsoft System Center:

http://www.microsoft.com/systemcenter/

© 2007 Learning Tree International. All Rights Reserved.

Windows Server 2008 – An Introductory Overview 12
 1-800-843-8733 • www.learningtree.ca LEARNING TREE INTERNATIONAL
About Learning Tree International
Learning Tree International is a leading worldwide
provider of vendor-independent training to managers
and IT professionals in business and government
organizations. Since 1974, over 1,800, 000 course
participants from over 13,000 organizations worldwide
have enhanced their skills and extended their knowledge
under the guidance of expert instructors with real-
world experience. Learning Tree develops, markets and
delivers a broad, proprietary library of instructor-led
courses focused on the latest information technologies,
management practices and key business skills.
Learning Tree International annually trains over
87,000 professionals in its Education Centers around
the world. Learning Tree also provides training in a
number of additional cities and on site at customer
locations in 26 countries. For more information
about Learning Tree products and services, call
1-800-THE-TREE (1-800-843-8733), or visit our
Web site at www.learningtree.ca
Atlanta Los Angeles Boston
Washington, DC New York City Toronto
Paris Ottawa Stockholm
© 2007 Learning Tree International. All Rights Reserved.
WPWinServer2008Final 0710CN
White Paper
About the Author
Lori M. Sanders
Managing Senior Partner
iSolve Consulting Group
lsanders@isolvegroup.com
www.isolvegroup.com
Lori Sanders is the head of iSolve Consulting Group,
an independent firm offering project management and
consulting services in Windows server-based network
solutions, Active Directory planning, implementation
and integration, group policy consulting and technical
and process-oriented consulting in software engineering
and configuration management.
Lori has 27 years of experience in the IT field and has
supported Microsoft products since DOS 1.0. Her
responsibilities have included desktop support, server
administration, project management and technical
management. Lori is also an instructor, author and
technical editor for Learning Tree as well as a Certified
Professional for both Windows Server 2000 and 2003.
Lori has written a book on group policies and desktop
management, published by New Riders: Windows 2000
User Management, ©2000.
Chicago
London
Tokyo
Windows Server 2008 – An Introductory Overview 13