Windows Server 2008 Technical Overview

Article
11/04/2010

Introduction

Overview
Microsoft Windows Server 2008, with built-in web and virtualization technologies, is designed to provide organizations with increased reliability and flexibility for their server infrastructure. New virtualization tools, web technologies, and security enhancements help save time, reduce costs, and provide a platform for a dynamic datacenter. Powerful new tools like Internet Information Server 7.0 (IIS7), Windows Server Manager, and Windows PowerShell, offer more control over servers and streamline web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller harden the operating system and protect the server environment to help create a solid foundation on which to build businesses.

Solid Foundation for Business Workloads
Windows Server 2008 is the most flexible and robust Windows Server operating system to date. With new technologies and features such as Server Core, PowerShell, Windows Deployment Services, and enhanced networking and clustering technologies, Windows Server 2008 provides the most versatile and reliable Windows platform for all workload and application requirements.

Server Manger integrates server role and feature addition, removal, and configuration into a single Microsoft Management Console (MMC). Windows Deployment Services (WDS) is a suite of components that work together on Windows Server 2008 to provide a simplified, secure and rapid Windows operating system deployment to clients and servers. WDS uses network-based installation, without the need for an administrator to work directly on each computer, or install Windows components from CD or DVD media. The Windows PowerShell command-line shell and scripting language helps IT Professionals automate common tasks and more easily control system administration and accelerates automation, even in remote locations such as branch offices. PowerShell leverages existing investments by retaining compatibility with existing scripting solutions. Server core is a new installation option for selected roles that includes only the necessary subsystems required for those roles. Server core can create a more reliable and secure server that requires less patching and servicing.

Windows Server 2008 includes a new implementation of the TCP/IP protocol stack known as the Next Generation TCP/IP stack. The Next Generation TCP/IP stack meets the connectivity and performance needs of today’s varied networking environments and technologies through a complete redesign of the TCP/IP stack.

A failover cluster (formerly known as server clusters) is a group of independent computers that work together to increase the availability of applications and services. In Windows Server 2008, the improvements to failover clusters simplify clusters, making them easier to secure, and more stable.

Web
Windows Server 2008 is a powerful Web Application and Services Platform that provides organizations with the ability to deliver rich web-based experiences efficiently and effectively.

The release of Internet Information Server 7.0 (IIS7) as part of Windows Server 2008 offers improved administration and diagnostics, better development and application tools and lower infrastructure costs. It is also a completely modular, extensible Web server with expanded application hosting, while retaining excellent compatibility and solving key customer challenges.

Windows Server 2008 includes Windows SharePoint® Services 3.0, a collaboration technology that helps organizations improve business processes and enhance team productivity. With a robust set of features and tools that give people browser-based access to workspaces and shared documents, Windows SharePoint Services helps people work with others across organizational and geographic boundaries.

Microsoft Windows Media Services is an industrial-strength platform for streaming live or on-demand audio and video content over the Internet or an intranet. Windows Media Services provide the ultimate fast-streaming experience and dynamic programming for on-the-fly and personalized content delivery, on a platform that offers ease-of-administration, customization, and scalability.

Virtualization
With its built-in server virtualization technology, Windows Server 2008 enables organizations to reduce costs, increase hardware utilization, optimize their infrastructure, and improve server availability. Windows Server virtualization (WSv) uses a 64-bit hypervisor-based platform for increased reliability and scalability. WSv helps organizations optimize their hardware resources through server consolidation. WSv also leverages components of the Windows Server 2008 platform like failover clustering to provide high availability and Network Access Protection (NAP) to quarantine unhealthy virtual machines.

Another form of virtualization is Presentation Virtualization, which is the ability to detach the application presentation layer, or the user interface, from the host operating system. In Windows Server 2008 Terminal Services Gateway and Terminal Services RemoteApp™ provide centralized application access with integration of remote applications on client computers and easy access to these same remote programs using a Web browser. Terminal Services also provide a means to access remote terminals and applications across firewalls. (See the section covering Centralized Application Access for detailed information about Terminal Services.)

Security
Windows Server 2008 is the most secure Windows Server ever. Its hardened operating system and security innovations, including Network Access Protection, Federated Rights Management, and Read-Only Domain Controller, provide unprecedented levels of protection for an organization’s data. Windows Server 2008 includes security and compliance enhancements, more advanced encryption, and tools that improve auditing and secure startup. It helps organizations to prevent data theft with Rights Management Services, BitLocker, and Group Policy technologies. Windows Service Hardening helps keep systems safer by preventing critical server services from being compromised by abnormal activity in the file system, registry, or network. Security is also enhanced in the Windows Server 2008 operating system by means of Network Access Protection (NAP), Read-Only Domain Controller (RODC), Public Key Infrastructure (PKI) enhancements, a new Windows Firewall with improved filtering, and next-generation cryptography support.

Windows Server 2008 delivers a fully-integrated Federated Rights Management Services solution. This allows organizations to easily extend their Rights Management framework, allowing critical information to be securely shared with partners without the overhead of maintaining additional user accounts for users outside the organization.

Top of Page

Virtualization

Introduction
The Windows Server 2008 includes Windows Server virtualization (WSv), a powerful virtualization technology with strong management and security features. WSv enables businesses to leverage their existing familiarity with Windows server management and take advantage of virtualization's flexibility and security benefits without buying third-party software. Microsoft and its partners provide comprehensive support for Windows and supported Linux guest operating systems. WSv is a highly flexible, high performance, cost-effective and well-supported virtualization platform.

Security
Security is a core challenge in every server implementation. A server hosting multiple Virtual Machines (VMs), also known as consolidated servers, is exposed to the same security risks as non-consolidated servers, but adds the challenge of administrator role separation. WSv helps increase security for consolidated servers and addresses the challenge of administrator role separation. WSv accomplishes this through the following features:

Strong partitioning: A Virtual Machine (VM) functions as an independent operating system container that is completely isolated from other Virtual Machines running on the same physical server.
Hardware-level security: features such as Data Execute Prevention (DEP) are available in newer server hardware, which helps prevent execution of the most prevalent viruses and worms.
Windows Server virtualization: WSv helps prevent exposure of VMs that contain sensitive information, and also protects the underlying host operating system from compromise by a guest operating system.
Network security features: enable automatic Network Address Translation (NAT), firewall, and Network Access Protection (NAP).
Minimal Trusted Computing Base**:** gives a reduced attack surface and streamlined, lightweight virtualization architecture. This feature enhances the reliability of Virtual Machines based on WSv.

Configuring a consolidated server that provides the best security and operating system environment for every application can present a difficult challenge in some cases. Because WSv creates an environment where it is possible to configure each workload with an ideal operating system environment and security profile, WSv addresses the challenge of role separation on a consolidated server. WSv protects VMs and the host operating system from each other by allowing VMs to run under a service account with only needed privileges. With WSv, the host operating system is protected and a compromised VM is limited in the damage it could cause to other VMs.

Strong Isolation
Server virtualization enables workloads with varying resource requirements to coexist on the same host server. WSv offers several features that facilitate effective usage of the host server’s physical resources:

Flexible memory assignment**:** Virtual Machines can be assigned a maximum amount and a guaranteed minimum amount of RAM. This feature allows administrators to create a WSv configuration that balances individual VM resource needs against overall WSv server performance.
Dynamic hardware addition: WSv can dynamically add logical processors, memory, network adapters, and storage to supported guest operating systems while they are running. This feature facilitates granular assignment of WSv host-processing capabilities to guest operating systems.
Flexible networking configuration: WSv provides advanced network features for VMs, including NAT, firewall, and VLAN assignment. This flexibility can be used to create a WSv configuration that better supports network security requirements.

The flexible memory assignment and flexible networking configuration features of WSv facilitate a more effective response to dynamic server loads.

Performance
Design advances and integration with virtualization-aware hardware enable WSv to virtualize much more demanding workloads than previous versions, and with greater flexibility in resource assignment.

Performance advancements include:

Lightweight, low-overhead virtualization architecture based on a 64-bit Hypervisor. Virtualization-aware hardware (Intel VT and AMD “Pacifica” technology) enables higher guest operating system performance.
Multi-core support. Each VM can be assigned up to eight logical processors. This enables virtualizing large, compute-intensive workloads that benefit from the parallel processing benefits of a multi-processor VM cores.
64-bit host and guest operating system support. WSv runs on the 64-bit version of Windows Server “Longhorn”2008 to provide access to large pools of memory for guest VMs. Memory intensive workloads that would suffer from extensive paging when executed on a 32-bit operating system can be successfully virtualized under WSv. WSv also supports 64-bit and 32-bit guest operating systems running on the same consolidated server.
Server Core support. WSv can use a Server Core installation of Windows Server “Longhorn”2008 as a host operating system. The minimal install footprint and low overhead of Server Core dedicate the greatest possible amount of host server processing capability to running VMs.
Pass-through disk access. Guest operating systems can be configured to directly access local or iSCSI Storage Area Network (SAN) storage, providing higher performance for I/O-intensive applications, such as SQL Server™ or Microsoft Exchange.

Many server workloads place heavy demands on server processing and I/O subsystems. Workloads like SQL Server and Microsoft Exchange are traditionally heavy users of memory and disk throughput, and there has been reluctance to virtualize these workloads. The 64-bit Hypervisor in WSv along with features like pass-through disk access make it possible and often desirable to virtualize large workloads.

Simplified Management
In the datacenters and remote branch office installations where WSv may be deployed, strong management and automation capabilities are required to fully realize the cost reducing potential of virtualization. WSv meets this challenge with the following management and automation capabilities

Extensible management: WSv is designed to work with Microsoft System Center Operations Manager (SCOM) and System Center Virtual Machine Manager (SCVMM). These management tools provide reporting, automation, deployment, and user self-service tools for WSv.
MMC 3.0 interface for VM management: The familiar Microsoft Management Console (MMC) interface is used to manage WSv configuration and VM settings, reducing the WSv learning curve significantly.
Windows Management Instrumentation (WMI) interface: WSv incorporates a WMI provider that provides system information and scriptable management access.
PowerShell scripting: WSv host and VM configuration is configurable through Windows PowerShell.
Group Policy Object (GPO) management: WSv uses the configuration management capabilities of GPO to manage WSv host virtualization and Virtual Machine configuration.

The management capabilities of SCOM and SCVMM make it possible to effectively manage both datacenter installations and highly distributed installations of WSv. For example, script access to the WMI provider in WSv could be used to automate maintenance windows on multiple WSv host servers by powering down guest VMs, powering them up on a standby server, performing host server maintenance, and then restoring the VMs to their original host. With the addition of System Center Virtual Machine Manager, this operation can be automated and performed with no perceptible downtime for many applications.

Summary
Microsoft Windows Server virtualization combines features that address many of the most difficult virtualization challenges, including: securing consolidated servers, responding to dynamic workloads, achieving high performance and scalability for virtualized workloads, and simplified management. The combination of security and strong VM isolation features in WSv make it possible to consolidate heterogeneous workloads on WSv host servers while maintaining flexibility and security. The 64-bit Hypervisor architecture that forms the foundation for WSv provides high performance for demanding workloads. And the strong, integrated management features in Windows Server 2008, System Center Operations Manager, and System Center Virtual Machine Manager allow automated and effective control in a wide variety of virtualized environments.

Top of Page

Web & Applications Platform

Introduction
Windows Server “Longhorn”2008 provides a secure, easy-to-manage platform for developing and reliably hosting applications and services that are delivered from the server or over the Web. New features include: simplified management, increased security, and both performance and extensibility improvements. In addition, enterprises will enjoy more efficient application and services management, quicker deployment and configuration of Web application and services, and a more secure, streamlined, customized Web platform. Windows Server “Longhorn”2008 provides Web applications and services greater performance and scalability, while allowing administrators fine control and visibility into how and when applications and services utilize key operating system resources.Windows Server 2008 also includes an industrial-strength platform for streaming live or on-demand audio and video content over the Internet or an intranet. It also provides collaboration technology designed to improve the business process and enhance team productivity

Internet Information Services 7.0 (IIS7)
Windows Server "Longhorn"2008 delivers a unified platform for Web publishing that integrates Internet Information Services 7.0 (IIS7), ASP.NET, Windows Communication Foundation, and Microsoft Windows SharePoint® Services. IIS7 is a major advancement to the existing IIS Web server, and plays a central role in integrating Web platform technologies. Key benefits of IIS7 include more efficient administration and management features, improved security, and reduced support costs. These features help create a unified platform that delivers a single, consistent development and administrative model for Web solutions.

Improved management tools
The new admin utility in IIS7, IIS Manager, is a more efficient tool for managing the Web server. It provides support for IIS and ASP.NET configuration settings, user data, and runtime diagnostic information. The new UI also enables those who host or administer Web sites to delegate administrative control to developers or content owners, thus reducing cost of ownership and administrative burden for the administrator. The new IIS Manager interface supports remote administration over HTTP, allowing for integrated local, remote, even cross-Internet administration, without requiring DCOM or other administrative ports be opened on the firewall.

A new command-line tool, appcmd.exe, is also included for managing and administering Web servers, Web sites and Web applications. The command-line interface simplifies common management Web server tasks for administrators. For example, appcmd.exe could be used to list Web server requests that have been forced to wait for more than 500 milliseconds. This information could be used to troubleshoot applications that are performing poorly. The output of appcmd.exe can be piped into other commands for further processing.

Modular feature-based installation
IIS7 is made up of more than 40 separate feature modules. Only half of the modules are installed by default, and administrators can selectively install or remove any feature modules they choose. This modular approach allows administrators to install only the options they need, and saves time by limiting the number of features that need to be managed and updated. In addition, because no unnecessary software is running, the attack surface of the Web server is reduced, improving security.

Distributed ConfigurationModel
IIS7 introduces major improvements to the way its configuration data is stored and accessed. One of the key goals of the IIS7 release is to enable distributed configuration of the IIS settings, allowing administrators to specify IIS configuration settings in files that are stored with the code and content.

Distributed configuration enables administrators to specify configuration settings for a Web site or application in the same directory where the code or content is stored. By specifying configuration settings in a single file, distributed configuration allows administrators to delegate administration of selected Web site features or Web applications to others. For example, a Web site might be delegated so that the application developer can configure the default document used for that Web site. Administrators can also lock specific configuration settings so that they cannot be changed by anyone else. This feature might be used to ensure that a security policy, which prevents script execution, is not overridden by a content developer who has been delegated administrative access to the Web site. By using distributed configuration, the configuration settings for a specific site or application can be copied from one computer to another as the application moves from development into test, and ultimately into production.

Diagnostics & Troubleshooting
IIS7 makes troubleshooting the Web server easier than ever with built-in diagnostics and tracing support, allowing the administrator to peer into the Web server and see detailed, real-time diagnostic information. Diagnostics and troubleshooting allow a developer or an administrator to see requests that are running on the server. IIS7 also includes new Runtime Status and Control objects, which provide real-time state information about application pools, worker processes, sites, application domains, and even running requests. This information can be used to determine, for example, which request in a worker process is consuming 100% of the CPU.

IIS7 also includes detailed trace events throughout the request and response path, allowing developers and administrators to trace a request as it makes its way through the IIS request processing pipeline, into any existing page level code, and back out to the response. These detailed trace events allow developers to understand not only the request path and any error information that was raised as a result of the request, but also elapsed time and other debugging information to assist in troubleshooting all types of errors.

IIS7 also simplifies troubleshooting by providing error messages that are much more detailed and actionable. The new custom errors module in IIS7 allows for detailed error information to be sent back to the browser (by default to localhost), and configurable to be sent to other remote clients. Instead of seeing a terse error code, administrators now can see detailed information about the request, what potential issues may have caused the error, and also suggestions about how to fix it.

One of the most important features which helps improve IIS7 troubleshooting support is the Runtime Status and Control API (RSCA), which is designed to give detailed runtime information about the server from deep within IIS7. With RSCA, it is possible to inspect and manage various entities including sites, application pools, and even .NET application domains. RSCA also surfaces, in real time, currently executing requests on the server. RSCA data is available from the WMI provider and managed API (Microsoft.Web.Administration). The IIS 7 admin GUI and command-line tool also reveals this data for administrators

Extensible modular architecture
In previous versions of IIS, all functionality was built-in by default, and there was no easy way to extend or replace any of that functionality. As stated earlier, in IIS7, the core is divided into more than 40 separate feature modules. The core also includes a new Win32® API for building core server modules. Core server modules are new and more powerful replacements for Internet Server Application Programming Interface (ISAPI) filters and extensions. ISAPI filters and extensions are still supported in IIS7. Because all IIS core server features were developed using the new IIS7 Win32 Module API as discrete feature modules, users can add, remove, or even replace IIS feature modules.

Flexible extensibility model for customization
IIS7 enables developers to extend IIS to provide custom functionality in new, more powerful ways. This is in part due to the all-new core server application programming interface (API) set that allows feature modules to be developed in both native code (C/C++) and managed code (languages such as C#, and Visual Basic® 2005, that use the .NET Framework). In fact, much of the IIS7 feature set for request and application processing has been implemented using these same APIs. IIS7 also enables extensibility for configuration, scripting, event logging, and administration tool feature-sets, providing software developers with a complete server platform on which to build Web server extensions.

True application xcopy deployment
IIS7 allows IIS configuration settings to be stored in web.config files, which makes it much easier to use xcopy to copy applications across multiple Web servers, and to avoid costly and error-prone replication, manual synchronization, and additional configuration tasks.

Windows SharePoint Services
Microsoft Windows SharePoint® Services 3.0 is a collaboration technology that helps organizations improve business processes and enhance team productivity. With a rich set of features and tools that give people browser-based access to workspaces and shared documents, Windows SharePoint Services helps people connect to and work with others across organizational and geographic boundaries.

Windows SharePoint Services also provides a foundation platform for building Web-based business applications that are flexible and scale easily to meet the changing and growing needs of businesses. In addition, robust administrative controls for managing storage and Web infrastructure give IT departments a cost-effective way to implement and manage a high-performance collaboration environment. Windows SharePoint Services 3.0 has many new features and enhancements that can help IT Professionals deploy and maintain Windows SharePoint Services solutions and provide better control over information resources.

Windows Media Services
Windows Media Services is an industrial-strength platform for streaming live or on-demand audio and video content over the Internet or an intranet. Windows Media Services can be configure and manage multiple Windows Media servers to deliver content to clients.

Windows Media Services provides the ultimate fast-streaming experience, dynamic programming for on-the-fly and personalized content delivery, and an industrial-strength platform that ensures ease-of-administration, customization, and scalability.

Fast Streaming capabilities in Windows Media Services effectively eliminate buffering time, and reduce the likelihood of playback interruptions due to network conditions. Features like Fast Start, Fast Cache, Fast Recovery, and Fast Reconnect provide an always-on viewing experience by streaming content with minimal buffering and down-time, even over high latency network connections such as wireless and satellite.

Windows Media Services enables dynamic content programming, so that organizations can instantly update and personalize content to provide the most compelling user experience. These programming capabilities include:

Automatically program and seamlessly update digital media content on-the-fly.
Make program changes during on-demand or live broadcasts, change the order of clips, insert an ad, insert a new clip, and more, without interruption to the viewer.
Generate revenue with a wide variety of advertising types, including lead-in or interstitial ads, which can easily be integrated with third-party advertising servers. Advanced reporting ensures tracking of how and when ads are viewed.
Make streaming content more relevant and useful to each user by automatically generating personalized playlists that are tailored to individual audience members.

With Windows Server 2008, administrators can now install the Windows Media Services services that are required to perform the Streaming Media Services role on a Server Core installation of Windows Server 2008.

Summary
The structural changes in IIS7 combine to create a very flexible Web application system. The ability to access IIS configuration through both a GUI interface and the appcmd.exe command-line tool provides effective tools for both novice Web server administrators with basic skills, and more advanced administrators who manage multiple servers using scripting tools. The tracing and troubleshooting components of IIS provide detailed, usable information that helps administrators and application developers isolate misbehaving pages and code. The modularized functionality and granular administration model of IIS7 make it easy for server administrators to create exactly the server they need, and allow only the required level of access to site and content managers.With Windows Media Services, Windows Server 2008 also provides a solid platform for delivering streaming media content

Top of Page

Server Management

Introduction
From streamlining the configuration of new servers to automating repetitive management tasks, simplifying the day-to-day complexities of server administration is a key theme in many of the enhancements included in Windows Server “Longhorn.”2008. Centralized management tools, intuitive interfaces, and automation features enable IT Professionals to more easily manage network servers, services, and printers, in both the central network and in remote locations like branch offices.

Initial Configuration Tasks
With Windows Server “Longhorn,”2008, the streamlined installation process isn’t interrupted by configuration tasks that require user intervention. Those tasks and dialog boxes now occur after the primary installation has completed, freeing the administrator from having to sit and interact with the installation sequence.

The Initial Configuration Tasks window is a new feature in Windows Server "Longhorn"2008 that helps an administrator provision and set up a new server. It includes tasks such as setting the Administrator password, changing the name of the Administrator account to improve the security of the server, joining the server to an existing domain, and enabling Windows Update and Windows Firewall.

Server Manager Console
Windows Server “Longhorn”2008 eases the task of managing and securing multiple server roles in an organization with the new Server Manager Console. The Server Manager Console provides a single, unified console for managing a server’s configuration and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.

The hierarchy pane of the Server Manager console contains expandable nodes that administrators can use to go directly to consoles for managing specific roles, troubleshooting tools, or finding backup and disaster recovery options.

Server Manager consolidates a variety of management interfaces and tools into a unified management console, enabling administrators to complete common management tasks without having to navigate between multiple interfaces, tools and dialog boxes.

Server Manager Wizards
Wizards in Server Manager streamline server deployment tasks in an enterprise by cutting deployment time, compared with earlier Windows Server versions. Most common configuration tasks, such as configuring or removing roles, defining multiple roles, and role services can now be completed in a single session using Server Manager Wizards.

Windows Server "Longhorn"2008 performs dependency checks as the user progresses through Server Manager wizards, ensuring that all of the prerequisite role services needed by a selected role are installed, and none are removed that remaining roles or role services might still require .

Windows PowerShell
Microsoft Windows PowerShell command-line shell and scripting language helps IT Professionals automate common tasks. Using a new admin-focused scripting language, more than 120 standard command-line tools, and consistent syntax and utilities, Windows PowerShell allows IT professionals to more easily control system administration and to accelerate automation. Windows PowerShell is easy to adopt and use, because it works with the existing IT infrastructure and existing script investments. It allows users to automate system administration of basic server management tasks as well as specific server roles, such as Terminal Server.

Windows PowerShell integrates the command-line shell and scripting language to allow administrators to more efficiently complete and automate bulk system administration tasks. Windows PowerShell improves upon the Windows Command Prompt and Windows Script Host (WSH) by providing cmdlets (command-line tools) that have the exact same syntax as the scripting language. The command that is typed in the Windows PowerShell command prompt is the same command that would be used in a script for automating the task across multiple servers.

PowerShell supports an organization’s existing scripts (for example, .vbs, .bat, .perl) so the organization does not need to migrate scripts to adopt Windows PowerShell. Existing Windows-based command-line tools will run from the Windows PowerShell command-line. By providing consistency of syntax and naming conventions and integration of scripting language with the interactive shell, Windows PowerShell reduces the complexity and time required to automate system administration tasks.

Windows Remote Management (WS-Management)
With the growing number of remote servers in branch offices and other locations, IT Professionals need better options for effectively managing off-site servers. Windows Remote Management provides a low-bandwidth, scriptable way to easily manage servers in remote locations.

The Windows Remote Manager is the Microsoft implementation of WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems to interoperate. Administrators can use Windows Remote Management scripting objects, the Windows Remote Management command-line tool, or the Windows Remote Shell command-line tool to obtain management data (information, for example, about objects such as disks, network adapters, services, or processes) from local and remote computers. If the computer runs a Windows operating system version that includes Windows Remote Management, the management data is supplied by Windows Management Instrumentation (WMI).

Server Core
Beginning with Windows Server "Longhorn,"2008, administrators can choose to install a minimal installation of Windows Server with specific functionality and without any unneeded features. Server Core provides an environment for running one or more of the following server roles:

Windows Server Virtualization
Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server
Active Directory® Directory Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Windows Media Services
Print Management

Server Core offers the following key benefits to organizations:

Reduced software maintenance**:** Because Server Core installs only what is required to have a manageable server running the supported server roles, the server requires less software maintenance. With a smaller Server Core installation, the number of updates and patches are reduced, saving both WAN bandwidth usage by servers, and administration time by the IT staff.
Reduced attack surface**:** Because there are fewer files installed and running on the server, there are fewer attack vectors exposed to the network; therefore, there is less of an attack surface. Administrators can install just the specific services needed for a given server, keeping the exposure risk to an absolute minimum.
Fewer restarts required and reduced disk space required: With a minimal Server Core installation, there are fewer installed components that will need to be updated or patched, and the number of required restarts will be reduced. A Server Core installation installs the minimal files needed to provide the required functionality, so less disk space will be used on the server. By choosing to use the Server Core installation option on a server, administrators can reduce the management and software update requirements for a server while also reducing security risks.

With the Server Core installation option in Windows Server "Longhorn,"2008, administrators can reduce the ongoing maintenance requirements for servers, and simplify their management. By running a minimal Server Core installation limited to just the required functionality, the IT staff will only need to install patches and updates for that server that directly impact the installed files.

Windows Server "Longhorn"2008 Print Management
The larger the organization is, the larger the number of printers within the network is, and more time is required by the IT staff to install and manage those printers; all of which translates to increased operating expenses. Windows Server “Longhorn”2008 includes Print Management, which is an MMC snap-in that enables administrators to manage, monitor, and troubleshoot all of the printers within the organization – even those in remote locations –from a single interface.

Print Management provides up-to-the-minute details about the status of all printers and print servers on the network from one console. Print Management can help find printers that have an error condition, and it can also send e-mail notifications, or run scripts when a printer or print server needs attention. On printer models that provide a Web interface, Print Management can access this additional data. This allows information, such as toner and paper levels, to be managed easily, even when printers are in remote locations. In addition, Print Management can automatically search for and install network printers on the local subnet of local print servers.

Print Management saves the print administrator a significant amount of time when installing printers on client computers and in managing and monitoring printers. Rather than having to install and configure printer connections on individual computers, Print Management can be used with Group Policy to automatically add printer connections to client computer’s Printers and Faxes folder. This is an effective and time-saving way of adding printers for a large number of users who require access to the same printer, such as users in the same department, or all users in a branch office location.

The automation options and centralized control interface provided included in Print Management for installing, sharing, and managing printers simplifies administration, and reduces the time required by the IT staff to deploy printers.

Windows Deployment Services
Windows Deployment Services (WDS) is a suite of components that work together on Windows Server 2008 to provide a simplified, secure means of rapidly deploying Windows operating systems to computers by using network-based installation. WDS eliminates the need for an administrator to work directly on each computer, or install Windows components from CD or DVD media. It contains a number of new or enhanced features that will save IT staff time. The three components in WDS are organized into the following three categories:

Server components: These components include a Pre-Boot Execution Environment (PXE) server and Trivial File Transfer Protocol (TFTP) server for network booting a client to load and install an operating system. Also included is a shared folder and image repository that contains boot images, installation images, and files that are needed specifically for network boot.
Client components: These components include a graphical user interface that runs within the Windows Pre-Installation Environment (Windows PE) and communicates with the server components to select and install an operating system image.
Management components: These components are a set of tools that are used to manage the server, operating system images, and client computer accounts.

Windows Deployment Services includes the Windows Deployment Services MMC snap-in, which provides rich management of all Windows Deployment Services features. WDS also provides several enhancements to the RIS feature set specifically designed to facilitate easy deployments of Windows Vista and Windows Server 2008. With Windows Deployment Services, IT staff can:

Use the Sysprep.exe and the Windows Deployment Services snap-in to create a "capture image" that can then be used to create a custom image
Use the Windows Deployment Services Capture Wizard to create and add an image prepared with Sysprep.exe
Use the Windows Deployment Services snap-in to associate unattended installation files with Windows images
Associate one or more language packs with an image, eliminating the need for unique images for each language an organization supports
Use the Windows Deployment Services snap-in to create a "discover image" for use with computers that do not support PXE boot

Top of Page

Security & Policy Enforcement

Introduction
Windows Server “Longhorn”2008 has many features that improve security and compliance. Some of the key enhancements include:

Enforced client health: Network Access Protection (NAP) enables administrators to configure and enforce health and security requirements before allowing clients access to the network
Monitor certificate authorities: Enterprise PKI improves the ability to monitor and troubleshoots multiple certification authorities (CAs)
Identity and Access: Platform technologies designed to help organizations manage user identities and associated access privileges
Firewall enhancements: The new Windows Firewall with Advanced Security provides a number of security enhancements
Encrypt and protect data: BitLocker protects sensitive data by encrypting the disk drive
Cryptographic tools: Next Generation Cryptology provides a flexible cryptographic development platform
Server and Domain Isolation: Server and domain resources can be isolated to limit access to authenticated and authorized computers
Read-Only Domain Controller (RODC): The RODC is new type of domain controller install option that can be installed in remote sites that may have lower levels of physical security
Secure Federated Collaboration: Active Directory Rights Management Services (AD RMS) enables a new way to protect sensitive information that is both more comprehensive and easier to secure

These improvements help administrators increase the security level of their organization, and simplify the management and deployment of security-related configurations and settings.

Identity and Access in Windows Server 2008
Managing user identities is a top priority for many businesses today. People need to access multiple systems and resources on the corporate network, using different types of devices. Because many of these systems don't communicate with each other, it's not uncommon to have multiple identities for the same person. As a result, managing these redundant identities is complex, wastes time, and increases security risks due to errors and poor user password management.

Microsoft Identity and Access (IDA) solutions are a set of platform technologies and products designed to help organizations manage user identities and associated access privileges. With a focus on security and ease of use, these solutions help businesses boost productivity, reduce IT costs, and eliminate the complexity of identity and access management. Microsoft Identity and Access solutions fall into five distinct areas:

Identity Management: Automates identity and access management.
Information Protection: Safeguards confidential data—no matter where it goes.
Federated Identities: Collaborates securely across organizational boundaries.
Directory Services: Simplifies management of users and devices.
Strong Authentication:** ** Extends secure access beyond user names and passwords by incorporating the latest cryptography standards and certificate management innovations.

Microsoft Windows Server 2008 provides the comprehensive and integrated identity and access platform. The Microsoft IDA platform is built on Active Directory and provides familiar interfaces for IT professionals, developers and information workers to ensure that an entire organization can participate in safeguarding sensitive information while easily collaborating with others inside and outside the organization. Integrated support on Windows environments can be extended to support heterogeneous environments with readily available partner solutions. These platform capabilities are grouped into the following three categories of services, with each featuring several key components:

Directory Services

Read-Only Domain Controller (RODC)
Active Directory Federation Services (AD FS)
Directory Service Auditing
Service-based Active Directory Domain Services (AD DS)

Information Protection

Federated collaboration
BitLocker
Federated Rights Management

Strong Authentication

Cryptography API
V3 certificate templates
Public Key Infrastructure (PKI)

Network Access Protection
Network Access Protection (NAP) prevents unhealthy computers from accessing and compromising an organization’s network. NAP is used to configure and enforce client health requirements and to update, or remediate, noncompliant client computers before they can connect to the corporate network. With NAP, administrators can configure health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to the organization’s network.

NAP enforces health requirements by assessing the health of client computers, and limiting network access when client computers are noncompliant. Both client and server-side components assist in the remediation of noncompliant client computers, so that they can obtain unlimited network access. If a client computer is determined to be noncompliant, it can be denied access to the network, or patched immediately to bring it into compliance.

NAP enforcement methods support four network access technologies that work in conjunction with NAP to enforce health policies: Internet Protocol security (IPsec) enforcement, 802.1X enforcement, virtual private network (VPN) enforcement for Routing and Remote Access, and Dynamic Host Configuration Protocol (DHCP) enforcement.

Windows Firewall Advanced Security Functionality
The Windows Firewall with Advanced Security in Windows Server “Longhorn”2008 is a stateful host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running to provide protect the network from malicious users and programs.

One new feature is the ability to support firewall interception of both incoming and outgoing traffic. A network administrator, for example, can configure the new Windows Firewall with a set of exceptions to block all traffic sent to specific ports, such as well-known ports used by virus software, or to specific addresses containing either sensitive or undesirable content. This protects the computer from viruses that might spread through the network, and protects the network from viruses that may try to spread from a compromised system.

Since the number of configuration options for Windows Firewall has increased, a new MMC snap-in named Windows Firewall with Advanced Security has been added to simplify administration. With the new snap-in, network administrators can remotely configure settings for Windows Firewall on client workstations and servers (something that is not possible on previous versions without a remote desktop connection), simplifying remote configuration and management.

In previous versions of Windows Server, Windows Firewall and IPsec were configured separately. Because both a host-based firewall and IPsec in Windows can block or allow incoming traffic, it is possible to create overlapping or contradictory firewall exceptions and IPsec rules. The new Windows Firewall in Windows Server “Longhorn”2008 has combined the configuration of both network services using the same GUI and command-line commands. This integration of firewall and IPsec settings simplifies firewall and IPsec configuration and helps prevent policy overlap and contradictory settings.

BitLocker DriveEncryption
BitLocker Drive Encryption is a key new security feature in Windows Server “Longhorn”2008 that helps protect servers, workstations, and mobile computers. It is also available in Windows Vista™ Enterprise and Windows Vista™ Ultimate editions for protecting client computers and mobile computers. BitLocker encrypts the contents of a disk drive. This prevents a thief who runs a parallel operating system, or runs other software tools, from breaking the file and system protections, or from performing offline viewing of the files stored on the protected drive.

BitLocker enhances data protection by bringing together two major sub-functions: system volume encryption and integrity-checking for early-boot components. The entire system volume is encrypted, including the swap and hibernation files, which increases the security of the remote servers in the branch office location. BitLocker addresses the threats of data theft or exposure from a lost, stolen, or inappropriately decommissioned PC. BitLocker also helps organizations comply with government regulations, such as Sarbanes-Oxley and HIPAA, which require the maintenance of extremely high standards for security and data protection.

Active Directory Federation Services

Active Directory Federation Services (AD FS) is server role in Windows Server 2008 that provides a highly extensible and secure identity access solution that can operate across multiple platforms. AD FS provides browser-based clients, both inside and outside the network, access to protected, Internet-facing applications, even when user accounts and applications are located in different networks or organizations.

In a typical scenario, an application is located in one network and a user account is in another network. Users are required to enter secondary credentials when they attempt to access the application. However, with AD FS secondary accounts are not necessary. Instead trust relationships can be used to project a user's digital identity and access rights to trusted partners. In a federated environment, each organization continues to manage its own identities, but each organization can securely project and accept identities from other organizations.

By deploying federation servers in multiple organizations business-to-business transactions can be facilitated between trusted partner organizations. Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS–enabled Web servers that manage access to the protected resources for trusted partners.

Service-based AD DS
In Windows Server 2008, Active Directory Domain Services (AD DS) is service-based, meaning it may now be stopped and started via Microsoft Management Console (MMC) snap-ins or from the command line. A service-based AD DS simplifies management by reducing the time required to perform offline operations, such as an offline defragmentation or authoritative restore. It also improves the availability of other services that are running on a domain controller by keeping them active while performing AD DS maintenance. Any clients that are specifically bound to a stopped domain controller would simply contact another domain controller through discovery.

Enterprise PKI (PKIView)
There are a number of enhancements to the public key infrastructure (PKI) in the Windows Server “Longhorn”2008 and Windows Vista operating systems. There have been increases in manageability throughout all aspects of Windows PKI, the revocations services have been redesigned, and there is a decreased attack surface for enrolment. PKI enhancements include:

Enterprise PKI (PKIView): Originally part of the Microsoft Windows Server™ 2003 Resource Kit and called the PKI Health tool, PKIView is now a Microsoft Management Console (MMC) snap-in for Windows Server “Longhorn.”2008. It is used to analyze the health state of CAs, and to view details for CA certificates published in AD CS.
Online Certificate Status Protocol (OCSP): An Online responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information in cases where the use of conventional CRLs is not an optimal solution. Online Responders can be configured on a single computer or in an Online Responder Array.
Network Device Enrollment Service (NDES): In Windows Server “Longhorn,”2008, the Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices, such as routers and switches that cannot otherwise be authenticated on the network, to enroll for x509 certificates from a certification authority (CA).
Web Enrollment**:**The new Web Enrollment control is more secure, easier to script, and easier to update than the previous version.
Group Policy and PKI**:**Certificate settings in Group Policy enable administrators to manage certificate settings from a central location for all of the computers in the domain.

V3 Certificate Templates
Certificate templates provide a practical way to implement certificate enrollment in a managed Active Directory environment with Enterprise Certificate Authority. The CA administrator can define the blueprint for certificates that are enrolled from Enterprise CAs. With Windows Server 2008, more certificate templates and certificate template properties became available. The new certificate template types in Windows Server 2008 are called V3 templates.

V3 templates can leverage the latest cryptographic algorithms introduced in Windows Server 2008. With V3 certificate templates, administrators can also ensure that CA related communications between clients and the CA occur in the most secure fashion. Windows Server 2008 also introduces a completely new default template that allows clients to validate the certificate source using Kerberos authentication.

Because of dependencies on the underlying operating system, Windows Server 2008 templates can only be assigned to CAs that are also running on Windows Server 2008. Additionally, only Windows Vista client computers and Windows Server 2008 computers can enroll for V3 certificate templates.

Template	Windows version required to modify a template	Windows version of the CA where the template can be assigned
V1 Template	n/a (Since V1 templates are static)	Windows 2000 Enterprise Edition Windows Server 2003 Enterprise Editiion Windows Server 2008
V2 Template	Windows Server 2003 Windows XP Windows Server 2008	Windows Server 2003 Enterprise Edition Windows Server 2008 Enterprise Edition
V3 Template	Windows Server 2008	Windows Server 2008

One important change in Windows Server 2008 and Windows Vista is the addition of Cryptography Next Generation (CNG). CNG supports Suite-B algorithms, making it possible to use alternate and customized cryptographic algorithms for encryption and signing certificates.
Federated Rights Management in Windows Server 2008

Collaboration, especially the sharing of information with colleagues and trusted business partners across organizational boundaries, is a vital part of conducting business today. Traditional perimeter security methods do not offer the granular protection needed to safeguard key data and information during inter-company collaboration. The Microsoft Identity and Access platform offers such comprehensive information protection, providing persistent protection from unauthorized use regardless of where that information travels. This helps to mitigate risks while enabling compliance and uninterrupted collaboration.

Windows Server 2008 Active Directory Rights Management Services (AD RMS) is a key to providing protection for sensitive information. Windows Server 2008 enables a new way to protect sensitive information that is both more comprehensive and easier to administer. As in Windows Server 2003, Active Directory Federation Services (AD FS) enables one organization to set up a federated trust with another organization. Users sign on once—to their local domain—and gain access to a partner domain through identity and access federation. Because AD RMS has been integrated with AD FS in Windows Server 2008, a federated trust now allows AD RMS to grant appropriate RMS permissions to an external user without requiring them to sign in locally or have their own AD RMS server.

This scenario is called “secure federated collaboration.” In essence, an administrator inside a company with a need to share RMS-protected information no longer needs to maintain separate usernames and passwords for external users. External users experience a single sign-on (SSO) that enables them to access RMS-protected content as appropriate without the need to keep track of multiple identities. In short, sharing confidential information securely—whether with partners, suppliers or customers—has become much easier.

AD RMS in Windows Server 2008 works with many applications and across platforms, providing tightly integrated usage rights and encryption that follow content wherever it goes. It can be used to protect documents, spreadsheets, intranet Web sites, and e-mail. It also provides the tools necessary for developers to integrate RMS functionality with non-RMS-enabled applications. Also, organizations can create custom usage rights templates that can be applied instantly.

Cryptography Next Generation(CNG)
Cryptography Next Generation (CNG) provides a flexible cryptographic development platform allowing IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications, such as Active Directory Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol security (IPsec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.

CNG provides a set of APIs that are used to perform basic cryptographic operations, such as creating, storing, and retrieving cryptographic keys. It also supports the installation and use of additional cryptographic providers. CNG enables organizations and developers to use either their own cryptographic algorithms, or implementations of standard cryptographic algorithms.

CNG supports the current set of CryptoAPI 1.0 algorithms and also provides support for elliptic curve cryptography (ECC) algorithms. A number of ECC algorithms are required by the United States government’s Suite B effort.

Read-Only Domain Controllers
A read-only domain controller (RODC) is a new type of domain controller available in the Windows Server "Longhorn"2008 operating system, designed primarily to be deployed in branch environments. An RODC can reduce the risks of deploying a domain controller in remote locations, such as branch offices, where physical security cannot be guaranteed.

Except for account passwords, an RODC holds all the Microsoft Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds. Clients, however, are not able to write changes directly to a RODC. Because changes are not written directly to the RODC and therefore do not originate locally, writable domain controllers that are replication partners do not have to pull changes from the RODC. Administrator role separation specifies that any domain user can be delegated to be the local administrator of an RODC without granting that user any user rights for the domain itself, or other domain controllers.

Server and domain isolation
In a Microsoft Windows-based network, administrators can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, a logical network can be created inside the existing physical network, where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network to establish connectivity.

This isolation prevents unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.

Two types of isolation can be used to protect a network:

Server isolation: In a server isolation scenario, specific servers are configured using IPsec policy to accept only authenticated communications from other computers. For example, the database server can be configured to accept connections from the Web application server only.
Domain isolation**:** To isolate a domain, administrators can use Active Directory domain membership to ensure that computers that are members of a domain accept only authenticated and secured communications from other computers that are domain members. The isolated network consists of only computers that are part of the domain. Domain isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.

Summary

With Windows Server "Longhorn,"2008, organizations can benefit from unprecedented security using the policy based security features such as Network Access Protection. Evaluating and controlling the health and security status of connecting computers will provide significant security improvements for organization. The new management interfaces in Windows Server “Longhorn”2008 simplify the administrative process of configuring and maintaining multiple servers within the organization, reducing the costs of managing the enterprise’s network security.

Top of Page

Centralized Application Access

Introduction
Windows Server “Longhorn”2008 provides improvements and innovations to Terminal Services that go beyond simply enabling access to applications, but improve the users experience by allowing them to run remote applications on their own desktop side-by-side with local applications. It also provides new options for accessing available applications centrally through Terminal Services Web Access.

The new Terminal Services components include:

Terminal Services RemoteApp**:** Terminal Services RemoteApp® lets users run remote-access Windows programs side-by-side on their desktop with local applications, by using the new Remote Desktop Connection 6.0 client.
Terminal Services Gateway**:** Terminal Services Gateway (TS Gateway) extends the reach of Terminal Services beyond the corporate firewall by providing secure access to Terminal Servers and shared desktops without the need for Virtual Private Network (VPN) infrastructure.
Terminal Services Web Access**:** Terminal Services Web Access (TS Web Access) provides a remote application solution that simplifies the process of publishing remote applications for the administrator, while also simplifying the process of finding and running remote applications for the user.
Single Sign-On**:** Single Sign-On improves the user experience for remote users by eliminating the need to repeatedly enter credentials.

Terminal Services
For Windows Server "Longhorn,"2008, Terminal Services includes new core functionality that enhances the end user experience when connecting to a Windows Server "Longhorn"2008 terminal server. This new core functionality includes:

Remote Desktop Connection 6.0: To access Terminal Services, users will need to use the Remote Desktop Connection 6.0. It is included with both Windows Server “Longhorn”2008 and Windows Vista™, and is available as free a download for Windows® XP users and Windows Server 2003.
Remote Desktop Connection Display Improvements: The Remote Desktop Connection 6.0 software adds support for using higher-resolution desktop computers (up to 4096 x 2048) and spanning multiple monitors horizontally to form a single large desktop. Remote Desktop Connection 6.0 users can take advantage of newer high resolution monitors and modern display formats (like 16:9 or 16:10 widescreen formats) that do not conform to the previous 4:3 standard.
Desktop Experience: Remote Desktop Connection 6.0 reproduces the desktop that exists on the remote computer on the user’s client computer. With Desktop Experience installed on the Windows Server “Longhorn,”2008, the user can use Windows Vista features, such as Windows Media® Player, desktop themes, and photo management within their remote connection. The Desktop Experience feature and the display data prioritization settings—designed to keep the keyboard and mouse in sync with what is displaying on the monitor even under heavy bandwidth usage—enhance the end user experience when connecting to a Windows Server "Longhorn"2008 terminal server.

Single sign-on
Single sign-on allows users with a domain account to log on to a Terminal Services session once, using a password or a smart card, and then gain access to remote servers and applications without being prompted for their credentials again. Single sign-on improves the user experience by eliminating the need for users to enter credentials every time they initiate a remote session.

Terminal Services RemoteApp
Terminal Services RemoteApp is a new remote application presentation method available in Windows Server “Longhorn.”2008. RemoteApp complements the Terminal Services presentation method, which presents the entire remote desktop to users who access applications within that window.

With Windows Sever “Longhorn,”2008, the user’s interaction with the remote application is significantly different. Now the remote application, not the entire remote desktop, launches, and runs in its own resizable window on the client computer’s desktop. If the program uses a notification area icon, that icon appears in the client’s notification area. Popup windows are redirected to the local desktop, and local drives and printers are redirected and made available within the remote program. Many users might be unaware that the remote program is any different than other local applications running side-by-side with the remote program on their desktop.

RemoteApp reduces administrative effort by only having one central application on the server to maintain, instead of having to maintain individual installations on multiple desktops throughout the organization. It also improves the user experience, providing smoother integration of the remote application with the client computer desktop.

Terminal Services Gateway (TS Gateway)
Terminal Services Gateway (TS Gateway) is a Terminal Services role that allows authorized remote users to connect through the Internet to terminal servers and workstations on a corporate network. This enables organizations to make selected servers and workstations easily and securely available to remote or traveling workers without using a VPN connection.

Some of the key benefits of TS Gateway:

Enables remote users to connect securely to resources on the corporate network from the Internet, without the complexity of Virtual Private Network (VPN) connections.
Leverages the security and availability of the HTTPS protocol to deliver Terminal Services with no client configuration.
Provides a comprehensive security configuration model that enables administrators to control access to specific resources on the network.
Enables users to connect remotely to terminal servers and remote workstations across firewalls and network address translators (NATs).
Provides a more secure model, allowing users to access only selected servers and workstations instead of the entire corporate network through a VPN.

Terminal Services Gateway provides a secure and easy way for organizations to provide remote users with access to servers and workstations within the network without having to install and configure a VPN connection. The comprehensive security features also enable the administrators to control access to specific resources.

Terminal Services Web Access
Terminal Services Web Access (TS Web Access) is a Terminal Services role that lets administrators make Terminal Services RemoteApp programs available to users from a Web browser without requiring any software installation by the user. With TS Web Access, users can visit Web site and access a list of all available applications. When the user starts one of the listed programs, a Terminal Services session is automatically started for that user on the Windows Server “Longhorn”-based2008-based terminal server hosting that application. For the user, this Web interface provides a centralized menu showing all remote applications that are currently available; and running a remote application is as simple as choosing a program from the menu.

By using TS Web Access, administrative overhead is reduced. Programs can be easily accessed from a central location. Programs are running on a terminal server and not on the client computer, so the IT staff has a single instance of the application to maintain and update.

Top of Page

Branch Office

Introduction
Businesses want to get closer to their customers, and are moving workers away from central locations and out to branch offices. With the growing number of branch offices, the IT management needs and security concerns for these remote locations also grows proportionally. Microsoft recognizes this rapidly-growing part of the workforce, and the need for new solutions to deal with the challenges specific to branch offices.

Because branch offices have little or no IT staff on-site, servers in these branch locations pose several concerns for IT managers. Software running on servers must utilize the lower-speed WAN connections effectively without consuming all bandwidth, slowing down mission-critical data transfer, or degrading application experiences for branch users. Security is a greater concern at branch offices because the physical security of the server cannot always be guaranteed. With the majority of the IT staff off site, server solutions that provide centralized management, as well as remote administration and deployment, are preferred for a branch office.

Microsoft began addressing the needs and challenges of the Branch Office scenario in Windows Server 2003 R2. The release of Windows Server “Longhorn”2008 includes many additional improvements that will give administrators greater control over branch offices and increase the level of protection of both the branch office and the organization’s central network and data. It also provides a greater degree of flexibility for IT Professionals needing to meet the unique needs of their organization.

For the branch office, the key benefits provided by Windows Server “Longhorn”2008 can be divided into three categories:

Improving the efficiency of branch office server deployment and administration
Reducing security risks in branch offices
Improving the efficiency of WAN communications and bandwidth utilization

Microsoft’s branch office solution and Windows Server “Longhorn”2008 address fundamental branch office needs with a variety of new features and enhancements by providing simplified deployment and effective management of key server roles, improved security, and an architecture that optimizes performance and provides for service continuity.

Deployment and Administration
Managing the servers, services, and security at remote locations is an on-going challenge for IT Professionals. Windows Server “Longhorn”2008 simplifies remote deployment and on-going administration of the servers located in branch offices.

Changes and enhancements of Active Directory directory service, the introduction of the Read-Only Domain Controller, BitLocker, role separation, and the Server Core installation option are specific Windows Server “Longhorn”2008 features that address the unique needs of the branch office, and increase the effectiveness of IT departments managing remote locations.

Read-Only Domain Controllers
A read-only domain controller (RODC) is a new type of domain controller available in the Windows Server "Longhorn"2008 operating system. RODC is designed primarily to be deployed in branch office environments. With an RODC, organizations can limit the risks of deploying a domain controller in locations, such as branch offices, where physical security cannot be guaranteed.

Except for account passwords, an RODC holds all of the Microsoft Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds. Clients, however, are not able to write changes directly to a RODC. Because no changes are written directly to the RODC and therefore do not originate locally, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.

Administrator role separation specifies that any domain user can be delegated to be the local administrator of an RODC without granting that user any user rights for the domain itself or other domain controllers. This creates a scenario where a local branch user can log on to an RODC to perform maintenance work on the server, such as upgrading a driver, without having access to domain resources outside the branch.

BitLocker DriveEncryption
BitLocker Drive Encryption is a key new security feature in Windows Server “Longhorn”2008 that helps protect servers in branch offices. It is also available in Windows Vista Enterprise and Windows Vista Ultimate editions for protecting client computers and mobile computers for roaming users. BitLocker encrypts the contents of a disk drive. This prevents a thief who runs another operating system, or runs other software tools, from breaking the file and system protections or performing offline viewing of the files stored on the protected drive.

BitLocker enhances data protection by bringing together two major sub-functions: system volume encryption, and integrity-checking for early-boot components. The entire system volume is encrypted, including the swap and hibernation files which increases the security of the remote servers in the branch office location. BitLocker addresses the threats of data theft or exposure from a lost, stolen, or inappropriately decommissioned PC. In the branch office scenario, this is important because the physical security of the server cannot always be guaranteed.

Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server
Active Directory Domain Service (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Windows Media Services
Print Management
Windows Server Virtualization

In the branch office scenario, Server Core offers the following key benefits:

Reduced software maintenance**:** With a smaller Server Core installation, the number of updates and patches are reduced, saving both WAN bandwidth usage by branch servers and administration time by the IT staff.
Reduced attack surface: Administrators can install just the specific services needed for their branch office setting, keeping the exposure risk to an absolute minimum.
Fewer restarts required and reduced disk space required: With a minimal Server Core installation, there are fewer installed components that will need to be updated or patched, and the number of required restarts will be reduced. A Server Core installation installs the minimal files needed to provide the required functionality, so less disk space will be used on the branch office server.

Enhanced Manageability of Active Directory
Windows Server “Longhorn”2008 includes improvements in Active Directory Domain Services that simplify the management of Domain Services and provide administrators with a greater degree of flexibility to address the needs of branch offices. Some key management enhancements include:

An updated Active Directory Domain Services (AD DS) Installation Wizard
Changes to the Microsoft Management Console used to manage AD DS
New installation options for domain controllers
Updated installation wizard that simplifies the AD DS installation
Improved interface and management options for AD DS
Improved tools to find domain controllers through the enterprise

With the new installation wizard, all related functionality is now grouped together, streamlining the process and saving time during deployment. Unattended installation in Windows Server “Longhorn”2008 never requires a response to any user interface prompt, further simplifying remote installations. This also enables the installation of AD DS on a Server Core installation. To ensure that a newly installed DNS server operates correctly, DNS is automatically configured for DNS client settings, forwarders, and root hints as necessary based on the installation options selected.

These AD DS interface improvements offered in Windows Server “Longhorn”2008 will reduce IT administration time by streamlining the initial deployment simplifying the management of servers in branch locations.

Top of Page

High Availability

Introduction
Ensuring that mission critical applications are always available is a key service provided by IT departments, and “High Availability” is a central theme in many of the enhancements in Windows Server “Longhorn.”2008. Failover Clustering, network load balancing, and new backup and restoration features in Windows Server “Longhorn”2008 combine to provide organizations with a “High Availability” solution to ensure that mission-critical applications, services and information remain available to all users.

Failover Clustering
A failover cluster, formerly known as a server cluster, is a group of independent computers that work together to increase the availability of applications and services. The clustered servers, called nodes, are connected by physical cables as well as by software. If one of the cluster nodes fails, through a process known as failover, another node in the cluster will take over for the failed node ensuring that users experience a minimal disruption in service. Failover clusters are used by IT professionals who need to provide high availability for mission critical services and applications.

In Windows Server "Longhorn,"2008, the improvements to failover clusters are aimed at simplifying clusters, making them more secure, and enhancing cluster stability.

Cluster setup and configuration has been simplified in Windows Server “Longhorn”2008 with a new validation wizard that lets users confirm that the system, storage, and network configuration are suitable for a cluster. Some of the tests performed by the new validation wizard include:

Node tests: Confirm that the servers are running the same operating system version and have the same software updates
Network tests: Determine whether the planned cluster network meets specific requirements such as having at least two separate subnets for network redundancy
Storage tests: Analyze whether the storage is correctly configured so that all cluster nodes have access to all shared disks and meet specified requirements.

Windows Server “Longhorn”2008 includes support for global unique identifier, or GUID Partition Table (GPT) disks in cluster storage. GPT disks can have partitions larger that two terabytes and have built-in redundancy, unlike master boot record (MBR) disks. GPT offers more advantages than master boot record (MBR) partitioning because it allows up to 128 partitions per disk, provides support for volumes up to 18 exabytes in size, allows primary and backup partition tables for redundancy, and supports unique disk and partition IDs.

To simplify cluster management, the management interfaces have been improved to allow administrators to focus on managing their applications and data, not their cluster. The new interface is task-based and more intuitive, and is supported by wizards that guide administrators through what were previously complex operations.

Windows Server “Longhorn”2008 failover clusters provide better functionality and reliability than in previous releases of server clusters. Key improvements include:

Dynamic addition of disk resources**:** Resource dependencies can be modified while resources are online, which means administrators can make additional disk storage available without interrupting the applications that will use it.
Improved performance and stability with data storage**:**When a failover cluster communicates with a Storage Area Network (SAN) or direct attached storage (DAS), it uses the least disruptive commands - there are fewer SCSI bus resets. Disks are never left in an unprotected state, meaning that the risk of volume corruption is reduced. Failover clusters also support improved methods for disk discovery and recovery. Failover clusters support three types of storage connections: Serial Attached SCSI (SAS), iSCSI, and Fibre Channel.
Easier disk maintenance**:**"Maintenance mode" is significantly improved, so that administrators can run tools to check, fix, back up, or restore disks more easily, and with less disruption to the cluster.

For administrators using clusters to deliver a high availability solution, Windows Server “Longhorn”2008 simplifies the deployment and management of clusters and improves the performance and reliability.

Network Load Balancing
Network Load Balancing (NLB) is a feature that distributes the load for networked client and server applications across multiple servers in an NLB cluster. NLB is important for organizations that need to distribute client requests across a set of servers. It is particularly useful for ensuring that stateless applications, such as a Web based applications running on Internet Information Services (IIS), can be scaled out by adding additional servers as the work load increases. NLB provides scalability by allowing additional servers to be added as load increases. NLB provides reliability by allowing users to easily replace a malfunctioning server. Enhancements to NLB in Windows Server “Longhorn”2008 include:

Support for IPv6: NLB fully supports IPv6 for all communication.
Support for NDIS 6.0: The NLB driver has been completely rewritten to use the new NDIS 6.0 lightweight filter model. NDIS 6.0 retains backward compatibility with earlier NDIS versions. Improvements in the design of NDIS 6.0 include enhanced driver performance and scalability and a simplified NDIS driver model.
WMI Enhancements: The WMI enhancements to the MicrosoftNLB namespace are for IPv6 and multiple dedicated IP address support.
Classes in the MicrosoftNLB namespace: support IPv6 addresses (in addition to IPv4 addresses).
The MicrosoftNLB_NodeSetting class: supports multiple dedicated IP addresses by specifying them in DedicatedIPAddresses and DedicatedNetMasks.
Enhanced functionality with ISA Server: ISA Server can configure multiple dedicated IP addresses for each NLB node for scenarios where clients consist of both IPv4 and IPv6 traffic. Both IPv4 and IPv6 clients need to access a particular ISA Server to manage the traffic. ISA can also provide NLB with SYN attack and timer starvation notifications (these scenarios typically occur when a computer is overloaded, or is being infected by an Internet virus).
Support for multiple dedicated IP addresses per node: NLB fully supports defining more than one dedicated IP address per node (previously, only one dedicated IP address per node was supported), allowing multiple applications to be hosted on the same NLB cluster in scenarios where separate applications require their own dedicated IP address.

These features provide support for new industry standards, increased performance, enhanced interoperability, better security, and more flexibility and for application deployment and consolidation.

Windows Backup
Backup is the third key component of Windows Server “Longhorn”2008 designed to provide high availability of services. The Backup feature provides a backup and recovery solution for the server on which it is installed. It introduces new backup and recovery technology, replacing the previous Backup feature that was available with earlier versions of the Windows operating system.

The Backup feature can be used to protect the entire server efficiently and reliably without worrying about the intricacies of backup and recovery technology. Simple wizards guide the user through setting up an automatic backup schedule, creating manual backups if necessary, and recovering items or entire volumes. Backup in Windows Server “Longhorn”2008 can be used to back up an entire server or selected volumes.

Backup uses Volume Shadow Copy Service and block-level backup technology to efficiently back up and recover the operating system, files and folders, and volumes. After the first full backup is created, Backup automatically runs incremental backups by saving only the data that has changed since the last backup occurred. Unlike previous versions, administrators no longer have to worry about manually scheduling full and incremental backups.

Restoration is improved and simplified with Windows Server “Longhorn.”2008. Items can now be restored by choosing a backup from which to recover, and then selecting items to restore. Specific files or all of the contents of a folder can be recovered. With regard to incremental backups, previously, if an item was stored on an incremental backup, it was necessary to manually restore from multiple backups. Now, the user can simply choose the date on which the version they want to restore was backed up.

Windows Server “Longhorn”2008 provides the backup and recovery solutions needed to complete a high-availability solution that protects both the organization’s data and the operating systems on the servers in the network, while easing the administrative burden of ensuring mission-critical data is properly backed up, and speeding data recovery.

Summary

Microsoft Windows Server “Longhorn”2008 represents the next generation of Windows Server. Windows Server "Longhorn"2008 gives IT Professionals more control over their server and network infrastructure, allowing them to focus on criticalproviding a solid foundation for their business needs.workloads. It increases security by hardening the operating system and protecting the network environment. It also provides IT Professionals with flexibility, speeding up deployment and maintenance of IT systems, making consolidation and virtualization of servers and applications easier, and providing intuitive administrative tools. Windows Server “Longhorn”Windows Server 2008 also enables organizations to deliver rich Web-based experiences efficiently and effectively, and is a powerful Web Application and Services Platform. Windows Server 2008 provides the best foundation for any organization’s server and network infrastructure.

Top of Page

Windows Server 2008 Technical Overview

On This Page

Introduction

Virtualization

Web & Applications Platform

Server Management

Security & Policy Enforcement

Centralized Application Access

Branch Office

High Availability

Summary

Additional resources