Microsoft's two new operating systems: A win-win

Microsoft released the Windows 7 and Windows 2008 Server R2 release candidates at the same time last month, with final versions of both products expected to ship by yearend. Undoubtedly, part of the message is that the desktop and server operating systems are supposed to work together and provide additional value when combined.

Slideshow: What we love and hate about Win 7/Windows 2008 Server R2

Blog: MDOP is the hidden gem of Microsoft's WS2008 R2 and W7 releases

In testing, we found that implementing Win 7, Win Server and Microsoft Desktop Optimization Pack (MDOP) requires careful planning and attention to detail. But this trifecta offers a significant payoff in terms of virtualization and administrative policy controls.

Let's start with Windows 2008 Server R2. The major updates in this 64-bit-only release are a new version of Microsoft's Hyper-V virtualization hypervisor, branch cache of files and folders, improved IPv6 connectivity, and DirectAccess remote connectivity ('VPN-less VPN'). In addition, a key ingredient for administrators (and those happy with command line control) is the rapid expansion of control offered by Microsoft's powershell.

Windows 7 comes in a confusing array of options, but for enterprise use, we recommend 64-bit versions of Windows 7 Ultimate and Enterprise. The third leg of the stool is Microsoft Desktop Optimization Pack (MDOP), which ships 90 days after the final production delivery date for Server R2 and Win 7.

Certainly you can use the W7/Server R2 combination without it, but the tools in the MDOP are fairly juicy and they're currently available for Vista use — although some of them tragically don't work with Vista 64-bit versions.

The current MDOP tools include application virtualization (called App-V), where apps are 'stubbed' onto the desktop but execute somewhere else, and Microsoft Enterprise Desktop Virtualization (called 'MED-V'), which includes deployment, policy administration, desktop recovery and remediation tools, as well as desktop error monitoring.

While MDOP is a separate product, enterprise deployment is likely to be popular and we wonder why it isn't included in the R2. There's potential danger in not using MDOP, too — especially when using a key feature of Win 7 — the hosting of Windows XP.

Win 7 will contain a Windows XP virtualized client mode, which on the surface looked to be troublesome to us. We understand that compatibility issues are one of the objections to the adoption of Windows Vista, but we reeled at the thought of supporting two operating systems per user and the additive requirements, let along rogue installations of XP that might ensue.

The way it works is that XP installs (via Windows VirtualPC Version 7) as a virtual machine guest of Windows 7 Professional, Ultimate or Enterprise editions. MED-V V2 would run the pre-loaded VM (Windows XP SP3 with pre-embedded Active Directory controls and policies where programmed), and provide control.

In our quick deployment test, we found there's a lot of work to make XP usable as a Win 7 hosted operating system, but the payoff is reasonable control (with the optional MDOP-based MEV-V2) and the fact that XP applications can be made to be look like normally appearing desktop applications on the Win 7 desktop and menus.

And all of this presumed that our desktop host computer uses a V or VT-compatible AMD or Intel CPU and a sufficient amount of memory to not impede the host or the guest operating system.

MDOP isn't required, however, to stop VirtualPC hosting or any other app that we tried, however. If you want to lock-out an application, AppLocker can do this for you. It's a method that prevents application launching (and installation, too, if it's part of a local policy) after a Win 7 machine joins an Active Directory domain. We found it effective to totally kill specific application execution — even specified malware executables.

Hyper-V V2 arrives

The release candidate for Server R2 contains a kind of Holy Grail for Microsoft, the first iteration of its competitive analog to VMware's Live Migration, which is the ability to take a virtual machine operating systems instance — while it's running and alive — and move it to a new hardware server target. Formerly, Hyper-V required that a virtualized operating system instance be shut down, moved, then restarted, which is rather inconvenient for production servers.

The idea behind Microsoft's Live Migration goes back to a concept that Microsoft first exposed years ago as Wolfpack, which was designed to 'cluster' two or more machines together so that if one machine failed, the remaining machine(s) would take over.

We found the process can work, but there are constraints compared with VMware.

Hyper-V V2 required us to first establish the systems as members of a Failover Cluster to make source and target servers designated for failover. Then we needed to setup a compatible (not any iSCSI driver link will do, we found) iSCSI 'quorum drive' that's used as cache between the migrating servers. This Clustered Shared Volume served as the quorum drive, and our first successful Live Migration went from there.

We were heartened that Microsoft can support Live Migration between machines using different CPUs — which frees us from having identical source and destination (for example captive vendor) hardware — except that it must be Intel-to-Intel or AMD-to-AMD.

VPN-less VPNs

Connecting external Win 7 clients to Internet-facing 'Server R2' servers can also be done in a 'VPN-less' connectivity called Direct Access. Based on the IPSec protocol, Direct Access still creates an encrypted connection, just not the tunneled protocol associated with Point-to-Point-Tunneling Protocol, and other IPSec-based VPNs.

We found that the formula requires two server Gigabit Ethernet interfaces that'll face the public side of the Internet, IPv6 (or 6-to-4 IPv6-IPv4 address translation), as well as a working firewall with admittance (System Health) control in place.

The client-side via Win 7 to this VPN-less VPN connects more simply as a Layer 2 connection. Our fears of this direct connection methodology might be unfounded, as it also requires using the second iteration of Microsoft's System Health Check for admittance control. System Health Check requires quite a bit of work to control access correctly — and remediate systems that fail health checks at logon.

In Win Server 2008 R2, administration of clients — especially Win 7 — are controlled by shiny new policy administration scripts delivered with Microsoft's CLI-based PowerShell 2.0 commandlets, some 300+ of them. Some have the capacity to 'push' policy directives based on Active Directory connection logons or states between a Win 7 client and a server. This also means that cracking an administrative logon and keeping administrative states alive must be controlled cautiously.

Win 7 improvements

Microsoft's sense of security and help desk support is improved in Win 7. As an example, the BitLocker encrypting technology can now (by policy) force encryption of not only internal drives, but portable drives (think flash dongles) and other media — but only in Enterprise and Ultimate editions.

The Problem Steps Recorder we first saw in the beta now works bug-free in our abbreviated testing. The idea behind the recorder is to allow users to very simply record what they're doing when an error occurs, then turn the steps into a Web page slideshow with the steps taken — all compressed into a file that can be sent to a support person.

An updated communications link (SMB 2+) connects Win 7 and Windows 2008 R2 that's supposed to be more efficient for client/server communications, and Microsoft touts much faster download times — but this is RC code and testing it for speed is speculative at best.

In our testing, we found that Win 7 and Server R2 release candidates are potentially worth the ticket of buying both. The upside is virtualization, improved management control, direct access, branch cache (repetitive downloads are cached at local servers), and mobility via application virtualization and Network Access Protection. But don't forget to deploy MDOP.

Henderson and Allen are researchers for ExtremeLabs. They can be reached at thenderson@extremelabs.com.

Henderson is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.