
Chapter 1: Windows Server 2008 R2 Technology Primer

Dec 22, 2009


Excerpt from Windows Server 2008 R2 Unleashed.

By Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry, Chris Amaris

Published by Sams

ISBN-10: 0-672-33092-X

ISBN-13: 978-0-672-33092-6


In This Chapter

  • Windows Server 2008 R2 Defined

  • When Is the Right Time to Migrate?

  • Versions of Windows Server 2008 R2

  • What’s New and What’s the Same About Windows Server 2008 R2?

  • Changes in Active Directory

  • Windows Server 2008 R2 Benefits for Administration

  • Improvements in Security in Windows Server 2008 R2

  • Improvements in Mobile Computing in Windows Server 2008 R2

  • Improvements in Windows Server 2008 R2 for Better Branch Office Support

  • Improvements for Thin Client Remote Desktop Services

  • Improvements in Clustering and Storage Area Network Support

  • Addition of Migration Tools

  • Improvements in Server Roles in Windows Server 2008 R2

  • Identifying Which Windows Server 2008 R2 Service to Install or Migrate to First

Windows Server 2008 R2 became available in the summer of 2009. In many ways, it is simply the next server operating system update to Windows Server 2008; in other ways, it is more than a service pack, with significant feature enhancements introduced in the release. The authors see in Windows Server 2008 R2 the same usability and common graphical user interface (GUI) conventions as previous versions of Windows Server, which makes it easy to jump in and start implementing the new technologies. However, after more than two years of early adopter experience with Windows Server 2008 R2 and the Windows 7 client operating system, we have also seen that, when properly implemented, the new features and technologies built in to Windows Server 2008 R2 address real shortcomings of previous versions of Windows Server and allow IT organizations to help the business meet its initiatives through the key technologies now included in the operating system.

This chapter provides an overview of what’s in Windows Server 2008 R2, explains how IT professionals have leveraged the technologies to improve IT services to their organization, and acts as a guide on where to find more information on these core technology solutions in the various chapters of this book.

Windows Server 2008 R2 Defined

Windows Server 2008 R2 is effectively the seventh generation of the Windows Server operating system. Upon initial boot, shown in Figure 1.1, Windows Server 2008 R2 looks like Windows 7 relative to icons, toolbars, and menus. However, because Windows Server 2008 R2 is more of a business functional operating system than a consumer or user operating system, things like the cute Windows Aero 3D interface are not installed by default, and the multimedia features found in the Windows 7 Home or Ultimate versions of the operating system are also not installed and enabled by default.

Figure 1.1

Windows Server 2008 R2 desktop screen.

Under the surface, though, and covered through the pages of this chapter are the new technologies and capabilities built in to Windows Server 2008 R2.

Windows Server 2008 and Windows Server 2008 R2 Under the Hood

Although there are a lot of new features and functions added in to Windows Server 2008 and Windows Server 2008 R2 that are covered in chapters throughout this book, one of the first places I like to start is around the things in Windows Server 2008/2008 R2 that you don’t see that make up some of the core capabilities of the new operating system. These are technologies that make the new operating system faster, more reliable, and do more things—but they aren’t features that you have to install or configure.

Self-Healing NTFS

One of the new embedded technologies in Windows Server 2008 and Windows Server 2008 R2 is self-healing NTFS. The operating system has a worker thread that runs in the background and corrects file system metadata when NTFS detects a corrupt file or directory, isolating only the affected files while the rest of the volume stays online. In the past, a file system problem typically meant rebooting the server so that chkdsk could run and clean up corrupt file and directory entries.

Self-healing is not something you will normally see running; it is an added capability under the hood of Windows Server 2008 R2 that keeps the operating system running reliably and with fewer system problems. It is enabled by default on every NTFS volume, and fsutil repair query <volume> shows its state. Corruption that cannot be repaired online is still recorded in the System event log, so NTFS events on a volume remain something to watch for and a prompt to schedule a full chkdsk.

Server Message Block 2.0

Introduced in Windows Vista and Windows Server 2008 is Server Message Block 2.0, more commonly called SMB2. SMB2 is the protocol that carries file and print traffic between Windows systems. SMB2 does not compress the data it carries; its gain comes from a redesigned, much smaller command set, larger read and write sizes, and the ability to pipeline and compound requests, so that far fewer round-trips are needed when transmitting data between systems.

For the old-timers reading this chapter, it is analogous to the difference between the copy command and the xcopy command in DOS. The copy command reads, writes, reads, writes information. The xcopy command reads, reads, reads information and then writes, writes, writes the information. Because more information is read into a buffer and transferred in bulk, the information is transmitted significantly faster.

Most users on a high-speed local area network (LAN) won't notice the improvement when opening and saving files from an application like Microsoft Office against a Windows Server 2008/2008 R2 server; however, users copying large image files or data sets between systems will find the information copying 10 to 30 times faster. The performance improvement is most noticeable in wide area network (WAN) situations on networks with high latency. Because a typical SMB 1.0 transfer requires many short read and write exchanges, each of which waits on a round-trip, a file that takes minutes to transfer across a WAN can transfer in seconds between SMB2-connected systems because the round-trip chatter is drastically reduced.

For SMB2 to be used, the systems on both ends need to be Windows Server 2008/2008 R2, Windows Vista, or Windows 7 systems, or a combination of these; Windows 7 and Windows Server 2008 R2 negotiate the slightly newer SMB 2.1 dialect between themselves. A Windows XP or Windows Server 2003 client connecting to a Windows Server 2008/2008 R2 server will communicate over SMB 1.0 for backward compatibility and will not gain from this new technology. Note that the server keeps the SMB 1.0 dialect enabled for exactly this reason, so the legacy protocol remains listening on file servers until an administrator turns it off once the last legacy clients are gone.

SMB2 and the benefits of this embedded technology are discussed in more detail in Chapter 32, “Optimizing Windows Server 2008 R2 for Branch Office Communications.”
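The backward-compatibility point above is where the security caveat lives: a Windows Server 2008 R2 file server answers SMB 1.0 as well as SMB2 unless told otherwise. The following PowerShell script is an added example (not from the book) that reports which server dialects are enabled and, with -DisableSmb1, turns SMB 1.0 off once no Windows XP/2003 clients remain. It assumes an elevated session on the file server and uses the LanmanServer\Parameters registry values (SMB1 and SMB2) that Microsoft documents for Windows 7 and Windows Server 2008 R2 in KB 2696547; a value that is absent means the dialect is enabled.

```powershell
# Added example (not from the book): report, and optionally disable, the SMB 1.0
# server dialect on Windows Server 2008 R2 so that legacy clients can no longer
# negotiate it. Assumptions: elevated session on the file server; the DWORD values
# SMB1 and SMB2 under LanmanServer\Parameters are the documented switches, and a
# missing value means "enabled".
param([switch]$DisableSmb1)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbDialectState {
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $smb1 = if ($null -eq $p.SMB1) { 1 } else { [int]$p.SMB1 }
    $smb2 = if ($null -eq $p.SMB2) { 1 } else { [int]$p.SMB2 }
    New-Object PSObject -Property @{
        'SMB1 server enabled' = ($smb1 -ne 0)
        'SMB2 server enabled' = ($smb2 -ne 0)
    }
}

"Before:"
Get-SmbDialectState | Format-List

if ($DisableSmb1) {
    # SMB2 must stay on; with both dialects off the server is unreachable over SMB.
    if (-not (Get-SmbDialectState).'SMB2 server enabled') {
        throw 'SMB2 is disabled on this server; refusing to disable SMB1 as well.'
    }
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    "After (restart the Server service, or reboot, for the change to take effect):"
    Get-SmbDialectState | Format-List
}
```

Restart the Server service (net stop server / net start server, which drops open sessions) or reboot for the registry change to take effect, and test a share from a Windows 7 client before declaring success. Disabling SMB 1.0 is only safe after confirming that every client, NAS device, and multifunction printer in the environment can speak SMB2.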


Hyper-V

Hyper-V is a hypervisor built in to the core of the operating system in Windows Server 2008 and expanded in Windows Server 2008 R2 that greatly enhances the performance and capabilities of server virtualization in a Windows environment. In the past, virtual server software sat on top of the host operating system, and each guest session was dependent on many shared components of that operating system.

Hyper-V is a thin layer that sits directly on the hardware, underneath both the host operating system (which becomes the parent partition) and the guest sessions (child partitions). The hypervisor, rather than the host, schedules processors and memory for the guests, so guest sessions no longer wait behind the host operating system's kernel and perform significantly faster than in the past, and a bottleneck in the host no longer stalls every guest. Guest I/O still passes through the parent partition's virtualization stack over the VMBus, which is why keeping the parent partition lean (a Server Core installation is a good choice for a Hyper-V host) matters for both performance and attack surface: a compromise of the parent partition is a compromise of every guest running on it.

Hyper-V and server virtualization is covered in more detail in Chapter 37, “Deploying and Using Windows Virtualization.”

Core Parking

A technology enhanced in the core Windows Server 2008 R2 operating system is a power-management feature called core parking. Normally, when a multicore server runs, every core on every processor stays powered and available regardless of whether the server is being utilized. For organizations that need high capacity during weekdays when employees are working, that means their systems are effectively idle during evenings and weekends, more than two thirds of the time, yet consuming power and generating heat. With core parking, the Windows scheduler consolidates work onto a subset of cores and places the idle cores into their deepest idle state when they are not needed. So, on a 16-core server, if only 2 cores are needed, the other 14 cores are parked automatically and unparked again as load rises. This improves power management and decreases the cost of operating server systems, although the extra latency of waking parked cores can hurt latency-sensitive workloads, which is why the behavior is tunable through the active power plan.
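To see whether parking is actually happening on a server and to adjust it, the following PowerShell snippet is an added example (not from the book). It assumes Windows Server 2008 R2 (or Windows 7) and an elevated prompt, and relies on the "Parking Status" counter of the Processor Information object and on the CPMINCORES alias of powercfg, both of which are the documented names for this generation of the operating system.

```powershell
# Added example (not from the book): show how many logical processors are parked right
# now and read/set the minimum number of unparked cores in the active power plan.
# Assumptions: Windows Server 2008 R2 / Windows 7, elevated prompt; the counter name
# and the CPMINCORES alias are the documented ones for this OS generation.
$samples = (Get-Counter -Counter '\Processor Information(*)\Parking Status').CounterSamples |
    Where-Object { $_.InstanceName -ne '_total' -and $_.InstanceName -notlike '*,_total' }

# Parking Status is 1 for a parked logical processor and 0 for an unparked one.
$parked = @($samples | Where-Object { $_.CookedValue -eq 1 }).Count
$total  = @($samples).Count
"Logical processors: $total   parked right now: $parked"

# Minimum percentage of cores that must stay unparked under the current plan.
powercfg -query SCHEME_CURRENT SUB_PROCESSOR CPMINCORES

# To keep every core available on AC power (for example, a Hyper-V host that is
# always busy and cannot afford the wake-up latency), set the minimum to 100%:
#   powercfg -setacvalueindex SCHEME_CURRENT SUB_PROCESSOR CPMINCORES 100
#   powercfg -setactive SCHEME_CURRENT
```

Run the counter query while the server is under its normal load; a count of zero parked cores on an idle box means parking is effectively off (either the processor does not support it or the plan minimum is already 100%).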

Windows Server 2008 R2 as an Application Server

As much as there have been significant improvements in Windows Server 2008 R2 under the hood that greatly enhance the performance, reliability, and scalability of Windows Server 2008 R2 in the enterprise, Windows servers have always been exceptional application servers hosting critical business applications for organizations. Windows Server 2008 R2 continues the tradition of the operating system being an application server with common server roles being included in the operating system. When installing Windows Server 2008 R2, the Server Manager Add Roles Wizard provides a list of server roles that can be added to a system, as shown in Figure 1.2.

Figure 1.2

Server roles in Windows Server 2008 R2.

The various server roles in Windows Server 2008 R2 typically fall into three categories, as follows:

  • File and print services—As a file and print server, Windows Server 2008 R2 provides the basic services leveraged by users in the storage of data and the printing of information off the network. Several improvements have been made in Windows Server 2008 R2 for file security (covered in Chapter 13, “Server-Level Security”) and file server fault tolerance (covered in Chapter 28, “File System Management and Fault Tolerance”).

  • Domain services—In enterprise environments running Windows networking, typically the organization is running Active Directory to provide centralized logon authentication. Active Directory continues to be a key component in Windows Server 2008 R2, with several extensions to the basic internal forest concept of an organization to expanded federated forests that allow Active Directories to interconnect with one another. There are several chapters in Part II, “Windows Server 2008 R2 Active Directory,” that address Active Directory, federated forests, lightweight directories, and so on.

  • Application services—Windows Server 2008 R2 provides the basis for the installation of business applications such as Microsoft Exchange, Microsoft Office SharePoint Server, SQL Server, and so on. These applications are initially made compatible with Windows Server 2008 R2 and later updated to take full advantage of the new technologies built in to the Windows Server 2008 R2 operating system. Some of the applications that come with Windows Server 2008 R2 include Remote Desktop Services for thin client computing access (covered in Chapter 25, “Remote Desktop Services”), Windows Media Services for video and audio hosting and broadcasting (covered in Chapter 36, “Windows Media Services”), utility server services such as DNS and DHCP (covered in Chapter 11, “DHCP/WINS/Domain Controllers,” and Chapter 10, “Domain Name System and IPv6”), SharePoint document sharing and collaboration technologies (covered in Chapter 35, “Windows SharePoint Services”), and virtual server hosting (covered in Chapter 37).

This book focuses on the Windows Server 2008 R2 operating system and the planning, migration, security, administration, and support of the operating system. Windows Server 2008 R2 is also the base network operating system on top of which all future Windows Server applications will be built.

Windows Server 2008 R2 Active Directory

Although Windows Server 2008 R2 provides a number of new server roles for application services, the release of Windows Server 2008 R2 also brings with it an update to Active Directory. Unlike the shift from Windows NT to Active Directory a decade ago that required a major restructuring of domain functions, Active Directory 2008 R2 is more evolutionary than revolutionary. AD 2008 R2 adds a handful of new features that organizations might or might not choose to upgrade to AD 2008 R2 immediately; however, many organizations have found that the new enhancements in Active Directory 2008 R2 were the primary reason for their migration.

The new features in Active Directory 2008 R2 are as follows:

  • Active Directory Recycle Bin—The AD Recycle Bin provides administrators an easy way to undelete objects in Active Directory. In the past, when an administrator inadvertently deleted an Active Directory object such as a user, group, or organizational unit, the object was effectively gone (at best, a tombstone stripped of most of its attributes), and re-creating it from scratch produced a new security identifier (SID), so every access control entry and group membership that referenced the old SID had to be rebuilt. With the AD Recycle Bin enabled, a deleted object keeps its SID, attributes, and group memberships for the deleted object lifetime (by default the same as the tombstone lifetime), and the administrator can simply restore it with the Active Directory module for PowerShell. Enabling the Recycle Bin requires the forest to be at the Windows Server 2008 R2 forest functional level and cannot be undone.

  • Managed Service Accounts—Applications on a network frequently run under service accounts that start a database, conduct data searches and indexing, or launch background tasks. Traditionally these are ordinary user accounts whose passwords never change, because changing one means updating every server and application that uses it, which is an administration nightmare and also a security risk (a static password known to several administrators). A managed service account (MSA) is a new object class in Active Directory 2008 R2 whose password is generated and rotated automatically by the computer it is installed on, much like a computer account password, and whose service principal names (SPNs) are kept in sync as well; no administrator ever knows or types the password. In Windows Server 2008 R2, an MSA is bound to a single computer, and using it requires the Active Directory 2008 R2 schema (automatic SPN management additionally requires the Windows Server 2008 R2 domain functional level).

  • Authentication Mechanism Assurance—Another Active Directory 2008 R2 feature, authentication mechanism assurance, makes the way a user logged on available for authorization decisions. When a user authenticates with a certificate (for example, a smart card), the domain controller adds a designated universal group to the user's Kerberos token based on the issuance policy of that certificate, so that resources and claims-aware applications, such as those behind Active Directory Federation Services, can grant different access to the same user depending on whether the session was established with a password or with a smart card. The feature requires the Windows Server 2008 R2 domain functional level and a mapping in the directory from the certificate issuance policy to the group.

  • Offline Domain Join—For desktop administrators who create system images, the challenge is that a system traditionally needs to be connected to the network and able to reach a domain controller before it can be joined to the domain. With Offline Domain Join, an administrator runs djoin.exe on a domain-joined machine to create the computer account in advance and export a provisioning blob to a file; the blob contains the new machine account's credentials, so the file must be protected in transit and destroyed after use. When a Windows 7 client or Windows Server 2008 R2 server later needs to be joined, djoin.exe applies that file to the offline system (or to an offline image), and the system comes up already a member of the Active Directory domain the first time it boots and reaches a domain controller.
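The four features above are all driven from the Active Directory module for PowerShell and from djoin.exe on Windows Server 2008 R2. The following script is an added example (not from the book) that enables and uses the Recycle Bin, creates and assigns a managed service account, and provisions an offline domain join. Every name in it is hypothetical: the forest corp.example.com, the deleted user jsmith, the application server APP01 with its service account svc_index, and the workstation WS-IMAGE01. It assumes an elevated session running as a member of Domain Admins and Enterprise Admins with the Active Directory module installed.

```powershell
# Added example (not from the book): Active Directory 2008 R2 features from PowerShell.
# Hypothetical names throughout: forest corp.example.com, user jsmith, host APP01,
# service account svc_index, workstation WS-IMAGE01. Run elevated as Domain Admin /
# Enterprise Admin on a machine with the Active Directory module.
Import-Module ActiveDirectory

# --- Active Directory Recycle Bin -------------------------------------------------
# Requires the Windows Server 2008 R2 forest functional level and is irreversible.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

# Locate the deleted user (it keeps its SID and group links while in Deleted Objects)
# and restore it to its last known parent container.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jsmith' } `
    -IncludeDeletedObjects -Properties lastKnownParent
Restore-ADObject -Identity $deleted.DistinguishedName
# If the parent OU was deleted in the same accident, restore the OU first, then the user.

# --- Managed Service Accounts -----------------------------------------------------
# Created once in the directory; the computer it is installed on sets and rotates the
# password, like a computer account. In 2008 R2 an MSA serves exactly one computer.
New-ADServiceAccount -Name 'svc_index' `
    -Path 'CN=Managed Service Accounts,DC=corp,DC=example,DC=com'
Add-ADComputerServiceAccount -Computer 'APP01' -ServiceAccount 'svc_index'
# Then, on APP01 itself (needs the Active Directory module, hence .NET Framework 3.5.1):
#   Install-ADServiceAccount -Identity 'svc_index'
# and configure the Windows service to log on as CORP\svc_index$ with a blank password.

# --- Offline Domain Join -----------------------------------------------------------
# djoin.exe creates the computer account now and writes a blob holding the machine
# account password: deliver the file out of band and delete it after it has been used.
djoin.exe /provision /domain corp.example.com /machine WS-IMAGE01 `
    /savefile C:\secure\WS-IMAGE01.txt
# On the offline machine, or against an offline image mounted under D:\, before first boot:
#   djoin.exe /requestodj /loadfile C:\secure\WS-IMAGE01.txt /windowspath %SystemRoot% /localos
#   djoin.exe /requestodj /loadfile C:\secure\WS-IMAGE01.txt /windowspath D:\Windows
```

Two operational cautions follow from the script: Enable-ADOptionalFeature has no matching "disable", so confirm the forest functional level and backups before running it, and the djoin blob is a credential that grants domain membership to whoever applies it, so it deserves the same handling as a password file.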

When Is the Right Time to Migrate?

When Windows Server 2008 R2 first shipped in the summer of 2009, many organizations wondered about the right time to migrate to the new operating system. It used to be that you waited until the first service pack shipped before installing any Microsoft product; however, Windows Server 2008 R2 is effectively an update to Windows Server 2008 that builds on the code base as it stood after Service Pack 2. Early adopter beta participants found Windows Server 2008 R2 (and Windows 7) to be extremely stable and reliable and, thus, began implementing the operating systems in production environments six or more months before they were released. So, the decision of when to implement Windows Server 2008 R2 comes down to the same decision as for any new technology: identify the value received by implementing Windows Server 2008 R2, test the solution in a limited environment, and roll out Windows Server 2008 R2 when you are comfortable that the product meets the needs of your organization.

This introductory chapter notes the many features and functions built in to Windows Server 2008 R2 that have helped other organizations make the decision that Windows Server 2008 R2 has significant value to plan a migration and new server implementation. Improvements in security, performance, and manageability provide benefits to organizations looking to minimize administration costs, while providing more functionality to users.

The cost and effort to migrate to Windows Server 2008 R2 vary based on the current state of an organization’s networking environment, as well as the Windows Server 2008 R2 features and functions the organization wants to implement. Some organizations begin their migration process to Windows Server 2008 R2 by adding a Windows Server 2008 R2 member server into an existing Windows 2000/2003/2008 network. Others choose to migrate their Active Directory to Windows Server 2008 R2 as their introduction to the new operating system.

Adding a Windows Server 2008 R2 System to a Windows 2003/2008 Environment

Many organizations want to add in a specific Windows Server 2008 R2 function such as Windows Server 2008 R2 Remote Desktop Services (previously called Terminal Services), Hyper-V R2 virtualization, DirectAccess, or BranchCache. Such functions can be installed on Windows Server 2008 R2 member servers in an existing Active Directory 2003 networking environment. This allows an organization to get Windows Server 2008 R2 application capabilities fairly quickly and easily without having to do a full migration to Active Directory 2008 R2. In many cases, a Windows Server 2008 R2 member server can simply be added to an existing network without ever affecting the existing network. This addition provides extremely low network impact but enables an organization to prototype and test the new technology, pilot it for a handful of users, and slowly roll out the technology to the client base as part of a regular system replacement or upgrade process.

Some organizations have replaced all their member servers with Windows Server 2008 R2 systems over a period of weeks or months as a preparatory step to eventually migrate to a Windows Server 2008 R2 Active Directory structure.

Migrating from Windows 2003 and Windows 2008 Active Directory to Windows Server 2008 R2 Active Directory

For organizations that already have a Windows 2003 or Windows 2008 Active Directory environment, migrating to Windows Server 2008 R2 for Active Directory functionality provides access to several additional capabilities that require Windows Server 2008 R2 domain controllers and, for some features, the Windows Server 2008 R2 domain or forest functional level. The most popular of these are the Active Directory Recycle Bin, Managed Service Accounts, Authentication Mechanism Assurance, and Offline Domain Join. The Active Directory module for PowerShell is a related case: it talks to the Active Directory Web Service, which ships on Windows Server 2008 R2 domain controllers and can be added to Windows Server 2003 and 2008 domain controllers as the Active Directory Management Gateway Service.

Fortunately, organizations that already have Windows 2003 or 2008 Active Directory in place have completed the hard part of the Active Directory implementation process. Windows Server 2008 R2 uses the same Active Directory organizational structure that was created with Windows 2003 or 2008, so forests, domain trees, domains, organizational units, sites, groups, and users all transfer directly into Windows Server 2008 R2 Active Directory. If the organizational structure in Windows 2003 or 2008 meets the needs of the organization, the migration to Windows Server 2008 R2 is predominantly a matter of extending the schema with adprep (/forestprep on the schema master, /domainprep /gpprep in each domain, and /rodcprep if read-only domain controllers are planned), promoting a Windows Server 2008 R2 domain controller (typically also a global catalog) into the existing domain, transferring the operations master roles, and retiring the older domain controllers once replication has been confirmed.

Of course, planning, system backup, and prototype testing—covered in Chapter 16, “Migrating from Windows 2003/2008 to Windows Server 2008 R2”—help minimize migration risks and errors and lead to a more successful migration process. However, the migration process from Windows 2003 and Windows Server 2008 to Windows Server 2008 R2 is a relatively easy migration path for organizations to follow.
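The preparation steps that precede the first Windows Server 2008 R2 domain controller are short enough to show end to end. The following is an added example (not from the book) with a check that the schema extension actually replicated before dcpromo is run. It assumes the Windows Server 2008 R2 media is mounted at D:\ (hypothetical drive letter), that the schema master is a 64-bit domain controller (adprep32.exe in the same folder is for 32-bit ones), and that the account used is a member of Schema Admins, Enterprise Admins, and Domain Admins.

```powershell
# Added example (not from the book): prepare a Windows 2003/2008 forest for its first
# Windows Server 2008 R2 domain controller and verify the schema version afterwards.
# Assumptions: R2 media at D:\ (hypothetical), 64-bit schema master, account in Schema
# Admins + Enterprise Admins + Domain Admins.

# 1. Extend the schema on the schema master (once per forest).
D:\support\adprep\adprep.exe /forestprep
# 2. Prepare each domain on its infrastructure master, including the Group Policy changes.
D:\support\adprep\adprep.exe /domainprep /gpprep
# 3. Only if read-only domain controllers are planned for this forest.
D:\support\adprep\adprep.exe /rodcprep

# 4. Verify: objectVersion on the schema container is 47 for Windows Server 2008 R2
#    (44 = Windows Server 2008, 31 = Windows Server 2003 R2, 30 = Windows Server 2003).
#    Plain ADSI is used so the check works against DCs without the AD Web Service.
function Get-ForestSchemaVersion {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"
    [int]$schema.objectVersion.Value
}

$version = Get-ForestSchemaVersion
if ($version -lt 47) {
    throw "Schema is at version $version; adprep /forestprep has not run or not replicated yet."
}
"Schema version $version: ready to promote a Windows Server 2008 R2 domain controller (dcprom)."
```

Run the version check against each domain controller (for example, by binding to LDAP://DC01/RootDSE instead of the serverless path) rather than once; the schema master will report 47 immediately, and the point is to wait until every partner has received the change before dcpromo adds the new domain controller.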

Versions of Windows Server 2008 R2

Windows Server 2008 R2 comes in the same editions as the more recent server releases from Microsoft, each with the option of a Server Core installation that provides a lighter, GUI-less version of Windows Server 2008 R2. The main editions of Windows Server 2008 R2 are Windows Server 2008 R2, Standard Edition; Windows Server 2008 R2, Enterprise Edition; Windows Server 2008 R2, Datacenter Edition; and Windows Web Server 2008 R2, with Server Core available as an installation option of each.

Windows Server 2008 R2, Standard Edition

The Windows Server 2008 R2, Standard Edition is the most common server version of the operating system. Unlike previous versions of Windows Server, where basic functions and the scalability of memory and processor support were limited to the Enterprise or Datacenter Editions, Windows Server 2008 R2, Standard Edition is now the default version deployed by organizations.

A basic Windows Server 2008 R2 x64 Standard Edition system supports up to four processor sockets and 32GB of memory and supports all of the server roles available in Windows Server 2008 R2, with the exception of failover clustering, cross-file Remote Differential Compression (RDC) for DFS Replication, and Active Directory Federation Services.

The Standard Edition is a good version of the operating system to support domain controllers, utility servers (such as DNS or DHCP), file servers, print servers, media servers, SharePoint servers, and so on. Most organizations, large and small, find the capabilities of the Standard Edition sufficient for most network services. See Chapter 34, “Capacity Analysis and Performance Optimization,” for recommendations on choosing and tuning a Windows Server 2008 R2 system that is right for its intended purpose.

Note – One of the first things an organization becomes aware of is that Windows Server 2008 R2 ONLY comes in 64-bit (x64 or IA64) versions. 32-bit hardware and a 32-bit installation is no longer supported. The last version of the Windows Server operating system that supported 32-bit is Windows Server 2008.

Windows Server 2008 R2, Enterprise Edition

With the Windows Server 2008 R2, Standard Edition taking on the bulk of network services, the Windows Server 2008 R2, Enterprise Edition is really focused on server systems that require extremely large-scale processing and memory capabilities as well as clustering or Active Directory Federation Services. From the basis of scalability of processing and memory capacity, applications like Windows virtualization or enterprise-class Exchange 2010 or SQL 2008 servers would benefit from the capabilities of the Enterprise Edition of Windows Server 2008 R2.

Any time an organization needs to add clustering to its environment, the Enterprise Edition (or the Datacenter Edition) is needed. The Enterprise Edition is the appropriate version of operating system for high availability and high-processing demands of core application servers such as SQL Servers or large e-commerce back-end transaction systems.

For organizations leveraging the capabilities of Windows Server 2008 R2 for Thin Client Remote Desktop Services that require access to large sets of RAM (up to 2TB) and multiple processors (up to eight sockets), the Enterprise Edition can handle hundreds of users on a single server. Remote Desktop Services are covered in more detail in Chapter 25.

The Enterprise Edition, with support for server clustering, can provide organizations with the nonstop networking demands of true 24/7, 99.999% uptime capabilities required in high-availability environments. Windows Server 2008 R2, Enterprise Edition supports a wide variety of regularly available server systems, thus allowing an organization its choice of hardware vendor systems to host its Windows Server 2008 R2 application needs.

Windows Server 2008 R2, Datacenter Edition

Windows Server 2008 R2, Datacenter Edition is a high-end, datacenter-class version of the operating system that supports very large-scale server operations. The Datacenter Edition supports organizations that need more than eight processor sockets (up to 64 sockets, with the same 2TB memory ceiling as the Enterprise Edition), and it is focused at organizations that need scale-up server technology to support a large centralized data warehouse on one or a limited number of server clusters.

As noted in Chapter 34 on performance and capacity analysis, an organization can scale-out or scale-up its server applications. Scale-out refers to an application that performs better when it is distributed across multiple servers, whereas scale-up refers to an application that performs better when more processors are added to a single system. Typical scale-out applications include web server services, electronic messaging systems, and file and print servers. In those cases, organizations are better off distributing the application server functions to multiple Windows Server 2008 R2, Standard Edition or Enterprise Edition systems, or even Windows Web Server 2008 R2 systems. However, applications that scale-up, such as e-commerce or data warehousing applications, benefit from having all the data and processing on a single server cluster. For these applications, Windows Server 2008 R2, Datacenter Edition provides better centralized scaled performance as well as the added benefit of fault tolerance and failover capabilities.

Note – The Windows Server 2008 R2, Datacenter Edition used to be sold only with proprietary hardware systems; however, Windows Server 2008 R2, Datacenter Edition can now be run on “off-the-shelf” servers with extensive core, processor, and memory expansion capabilities. This update now allows organizations to purchase nonproprietary servers and get the scalability of the Datacenter Edition of the operating system for enterprise-class performance, reliability, and supportability.

Windows Web Server 2008 R2 Edition

The Windows Web Server 2008 R2 Edition is a web front-end server version of the operating system focused on application server needs that are dedicated to web services requirements. Many organizations are setting up simple web servers as front ends to database servers, messaging servers, or data application server systems. Windows Web Server 2008 R2 Edition can be used as a simple web server to host application development environments or can be integrated as part of a more sophisticated web farm and web services environment that scales to multiple load-balanced systems. The Windows Server 2008 R2 operating system has significant improvements in scalability over previous versions of the Windows operating system, and an organization can license multiple web services systems at a lower cost per server to provide the scalability and redundancy desired in large web farm environments.

Note – For organizations looking to purchase a low-cost Windows Web Server Edition to set up a simple file and print server or utility server (DNS, DHCP, domain controller), the Web Server Edition does not provide traditional multiuser file or print access or utility services. You need to purchase the Windows Server 2008 R2, Standard Edition to get capabilities other than web services.

Windows Server 2008 R2 Server Core

New to Windows Server 2008 and continued in Windows Server 2008 R2 is a Server Core installation of the operating system. Windows Server 2008 R2 Server Core, shown in Figure 1.3, is a GUI-less version of the Windows Server 2008 R2 operating system. When a system boots up with Server Core installed on it, the system does not load the normal Windows graphical user interface. Instead, the Server Core system boots to a logon prompt, and from the logon prompt, the system drops to a Windows command prompt (cmd.exe). There is no Start button, no menu, no Explorer shell at all. New in Windows Server 2008 R2, Windows PowerShell can be enabled on Server Core as an optional feature, together with the subset of the .NET Framework that it requires.

Figure 1.3

Windows Server 2008 R2 Server Core.

Server Core is not sold as a separate edition, but rather as an install option that comes with the Standard, Enterprise, Datacenter, and Web Server Editions of the operating system. So, when you purchase a license of Windows Server 2008 R2, the DVD has both the normal GUI Edition code plus a Windows Server 2008 R2 Server Core version.

The operating system capabilities are limited to the edition of Server Core being installed, so a Windows Server 2008 R2, Enterprise Edition Server Core server has the same memory and processor limits as the regular Enterprise Edition of Windows Server 2008 R2.

Server Core has been a great version of Windows for utility servers such as domain controllers, DHCP servers, DNS servers, IIS web servers, or Windows virtualization servers: the limited overhead leaves more resources for the applications running on the server, and removing the GUI and its associated applications leaves a smaller attack surface on the Server Core system. Because most administrators don't play Solitaire or use Media Player on a domain controller, those are binaries that don't need to be present, patched, updated, or maintained on the GUI-less version of Windows. With fewer components to patch, the system requires less maintenance (and fewer reboots) to keep operational, although it still needs the monthly updates that apply to the components it does have.

Note – With the new remote administration capabilities of Windows Server 2008 R2, covered in Chapter 20, “Windows Server 2008 R2 Management and Maintenance Practices,” administrators can now remotely manage a Server Core system from the Server Manager GUI interface on another server. This greatly enhances the management of Server Core hosts so that administrators can use a GUI console to manage the otherwise GUI-less version of Windows Server.
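Getting a Server Core host to the point where the note above applies takes a handful of commands, because a fresh Server Core installation has neither PowerShell nor the remote-management listener enabled. The following is an added example (not from the book). It assumes the host is already domain-joined, so the WinRM listener authenticates with Kerberos and encrypts at the message level; a workgroup host would additionally need TrustedHosts entries on the management station and an HTTPS listener.

```powershell
# Added example (not from the book): make a fresh Windows Server 2008 R2 Server Core
# host manageable from Server Manager on another machine. The two dism lines are typed
# at cmd.exe (there is no PowerShell until they finish); the rest run in the PowerShell
# they install. Assumption: the host is domain-joined (Kerberos authentication on WinRM).

# 1. PowerShell and the ServerManager cmdlets are optional features on Server Core.
dism /online /enable-feature /featurename:NetFx2-ServerCore /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

# 2. In PowerShell (started by typing "powershell" at cmd.exe): allow signed scripts, then
#    run the script Microsoft ships in System32 that enables WinRM and opens the
#    firewall rules remote Server Manager needs.
Set-ExecutionPolicy RemoteSigned -Force
& "$env:SystemRoot\System32\Configure-SMRemoting.ps1" -force -enable

# 3. Confirm what is now listening: expect one HTTP listener on TCP 5985, with
#    AllowUnencrypted = false and Kerberos/Negotiate as the authentication methods.
winrm enumerate winrm/config/listener
winrm get winrm/config/service

# 4. Inventory the installed footprint before handing the host over; on a utility
#    server this list should be short.
Import-Module ServerManager
Get-WindowsFeature | Where-Object { $_.Installed } | Format-Table Name, DisplayName -AutoSize
```

After step 2, adding the host under "Connect to Another Computer" in Server Manager on a Windows Server 2008 R2 management station gives the GUI view the note describes; the same WinRM listener also serves PowerShell remoting (Invoke-Command, Enter-PSSession) for scripted administration.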

What’s New and What’s the Same About Windows Server 2008 R2?

From a Microsoft marketing perspective, Windows Server 2008 R2 could be said to be faster, more secure, more reliable, and easier to manage. And it is true that the Windows Server 2008 R2 operating system has all these capabilities. However, this section notes specifically which changes are cosmetic changes compared with previous Windows operating systems and which changes truly improve the overall administrative and end-user experience due to improvements in the operating system.

Visual Changes in Windows Server 2008 R2

The first thing you notice when Windows Server 2008 R2 boots up is the new Windows 7-like graphical user interface (GUI). This is obviously a simple cosmetic change to standardize the current look and feel of the Windows operating systems. Interestingly, with the release of Windows Server 2008 R2, Microsoft did away with the “Classic View” of the administrator Control Panel. For all the network administrators who always switched their server Control Panel to the Classic View, that is now gone, and you will need to figure out the “updated” Control Panel that was the standard starting with Windows XP.

Continuation of the Forest and Domain Model

Windows Server 2008 R2 also uses the exact same Active Directory forest, domain, site, organizational unit, group, and user model as Windows 2000/2003/2008. So if you liked how Active Directory was set up before, it doesn’t change with Windows Server 2008 R2 Active Directory. Even the Active Directory Sites and Services, Active Directory Users and Computers (shown in Figure 1.4), and Active Directory Domains and Trusts administrative tools work exactly the same.

Figure 1.4

Active Directory Users and Computers tool.

There are several changes to the names of the Active Directory services as well as significant improvements within Active Directory that are covered in the section “Changes in Active Directory” a little later in this chapter.

Changes That Simplify Tasks

Windows Server 2008 R2 has added several new capabilities that simplify tasks. These capabilities could appear to be simply cosmetic changes; however, they actually provide significant benefits for administrative management.

New Server Manager Tool

A tool that was added in Windows Server 2008 is the Server Manager console, shown in Figure 1.5. Server Manager consolidates all of the administrative management consoles from Windows 2000/2003 into a single management tool. Now instead of having to open up the Active Directory Users and Computers console, Control Panel system properties, the DNS management console, and so on, and then toggle to the appropriate console you want, all of the information is now available in one screen.

Figure 1.5

Server Manager.

Updated in Windows Server 2008 R2 is the ability for an administrator to use the Server Manager tool to access not only the server resources on the current server system, but also to remotely access server resources through the Server Manager tool on remote server systems. This remote capability of Server Manager minimizes the need of the administrator to remotely log on to systems to manage them; it allows the administrator to sit at a single Server Manager console and gain access to other servers in the organization.

Additionally, other tools like the Group Policy Management Console (GPMC) show up in Server Manager under the Features node and provide an administrator with the ability to edit group policies, change policies, and apply policies from the same console in which the administrator can make DNS changes, add users, change IP configuration, and adjust site configuration settings.

PowerShell for Administrative Tasks

Another updated server feature in Windows Server 2008 R2 is the extension of PowerShell for server administration and management. PowerShell has now been extended to be a full scripting language for administration tasks in Windows Server 2008 R2. PowerShell was first introduced in Exchange 2007 as the Exchange Management Shell (EMS) that underlies all functions of Exchange 2007 administration. PowerShell (version 2.0) is now installed by default in Windows Server 2008 R2, as opposed to being an add-in feature in Windows Server 2008. As a built-in component, all administrative tasks are now fully PowerShell enabled.

PowerShell in Windows Server 2008 R2 provides the ability for administrators to script processes, such as adding users, adding computers, or even more complicated tasks such as querying a database, extracting usernames, and then creating Active Directory users, and to provision Exchange mailboxes all from a PowerShell script. Additionally, PowerShell in Windows Server 2008 R2 allows an administrator to script installation processes so that if, for example, the administrator creates a Remote Desktop server or web server with specific settings, the administrator can use a PowerShell script and deploy additional servers all identically configured using the same script over and over.

And with PowerShell 2.0 built in to Windows Server 2008 R2, PowerShell scripts and commands can be run against remote servers. This enables an administrator to sit at one server and remotely execute scripts on other servers in the environment. Using secured server-to-server session communications, an administrator can configure a group of servers, manage a group of servers, and reboot a group of servers all from a series of PowerShell commands.

All future server products released from Microsoft will have the PowerShell foundation built in to the core Windows Server 2008 R2 operating system, thus making it easier for products running on Windows Server 2008 R2 to use the same administrative scripting language. PowerShell is covered in detail in Chapter 21, “Automating Tasks Using PowerShell Scripting.”
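The two capabilities described above, scripted user provisioning from a data source and remote execution against several servers, are shown together in the following PowerShell 2.0 script. This is an added example, not code from the book or from Microsoft; it assumes the Active Directory module (installed with the AD DS role or RSAT) is available on the management server, that PowerShell remoting has been enabled on the target servers, and the OU path, domain name and server names are placeholders. The CSV input is constructed inline to stand in for an HR export.

```powershell
# Added example (not from the book): bulk user creation from a constructed CSV,
# then remote administration of several servers from one console with PowerShell
# 2.0 remoting. OU path, domain and server names are placeholders.
Import-Module ActiveDirectory

# Constructed sample input; in practice this would come from an HR database export.
$csvText = @"
SamAccountName,GivenName,Surname,Department
jsmith,Jane,Smith,Finance
bwong,Bill,Wong,Sales
"@
$users = $csvText | ConvertFrom-Csv

$ou = "OU=Staff,DC=example,DC=com"   # placeholder OU

# One initial password per run, entered once and never written to disk or logs.
$initialPassword = Read-Host -AsSecureString "Initial password for new accounts"

foreach ($u in $users) {
    # Skip accounts that already exist instead of failing halfway through the list.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipping"
        continue
    }
    New-ADUser -SamAccountName $u.SamAccountName `
               -Name "$($u.GivenName) $($u.Surname)" `
               -GivenName $u.GivenName -Surname $u.Surname `
               -Department $u.Department `
               -UserPrincipalName "$($u.SamAccountName)@example.com" `
               -Path $ou `
               -AccountPassword $initialPassword `
               -ChangePasswordAtLogon $true `
               -Enabled $true
}

# Remote administration: run the same block on a group of servers from one console.
# Remoting uses an authenticated, encrypted WinRM session to each server.
$servers = "SRV01", "SRV02", "SRV03"   # placeholder names
Invoke-Command -ComputerName $servers -ScriptBlock {
    # Report automatic-start services that are not running on each server.
    Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object @{n='Server';e={$env:COMPUTERNAME}}, Name, State
}
```

Run the provisioning loop with `-WhatIf` appended to `New-ADUser` the first time to see what would be created without touching the directory, and run it under an account delegated only the rights to create users in that OU rather than a Domain Admin account.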

Active Directory Administrative Center

New to Windows Server 2008 R2 and built on PowerShell v2.0, the Active Directory Administrative Center is a customizable console that an organization can create for specific administrators in the organization. As an example, an organization might have an administrator who only needs to reset passwords, or another administrator who only needs to manage print queues. Rather than giving the administrator access to the full Active Directory Users and Computers or Print Management consoles, an Active Directory Administrative console can be created with just a task or two specific to the administrator’s responsibilities.

The console is built on PowerShell, so underlying the GUI are simple PowerShell scripts. Anything that can be done in PowerShell on a Windows Server 2008 R2 server can be front-ended by the administration console. An example of the console is shown in Figure 1.6, and the tool is covered in detail in Chapter 18, “Windows Server 2008 R2 Administration.”

Figure 1.6

Active Directory Administrative Center.

Increased Support for Standards

The release of Windows Server 2008 introduced several industry standards built in to the Windows operating system that have since been updated in Windows Server 2008 R2. These changes continue a trend of the Windows operating system supporting industry standards rather than proprietary Microsoft standards. One of the key standards built in to Windows Server 2008 and Windows Server 2008 R2 is IPv6.

Internet Protocol version 6 (or IPv6) is the future Internet standard for TCP/IP addressing. Most organizations support Internet Protocol version 4 (or IPv4). Because the current IPv4 numbering scheme is running out of address space, Internet communications of the future need to support IPv6, which provides a much larger address space.

Additionally, IPv6 supports new standards in dynamic addressing and Internet Protocol Security (IPSec). Part of IPv6 is to have support for the current IPv4 standards so that dual addressing is possible. With Windows Server 2008 R2 supporting IPv6, an organization can choose to implement a dual IPv6 and IPv4 standard to prepare for Internet communications support in the future. IPv6 is covered in detail in Chapter 10.

Changes in Active Directory

As noted earlier in this chapter, Active Directory in Windows Server 2008 R2 hasn’t changed to the point where organizations with solid Active Directory structures have to make changes to their directory environment. Forests, domains, sites, organizational units, groups, and users all remain the same. There are several improvements made in Active Directory and the breadth of functionality provided by directory services in Windows Server 2008 R2.

The changes made in Active Directory are captured in the name changes of directory services as well as the introduction of a Read-Only Domain Controller service introduced in Windows Server 2008.

Renaming Active Directory to Active Directory Domain Services

In Windows Server 2008, Active Directory was renamed to Active Directory Domain Services (AD DS), and Windows Server 2008 R2 continues with that new name. Active Directory Domain Services refers to what used to be just called Active Directory with the same tools, architectural design, and structure that Microsoft introduced with Windows 2000 and Windows 2003.

The designation of Domain Services identifies this directory as the service that provides authentication and policy management internal to an organization where an organization’s internal domain controls network services.

For the first time, AD DS can be stopped and started as any other true service. This facilitates AD DS maintenance without having to restart the domain controller in Directory Services Restore Mode.

Renaming Active Directory in Application Mode to Active Directory Lightweight Directory Service

Another name change in the directory services components with Windows Server 2008 from Microsoft is the renaming of Active Directory Application Mode (ADAM) to Active Directory Lightweight Directory Services (AD LDS). ADAM has been a downloadable add-in to Windows 2003 Active Directory that provides a directory typically used in organizations for nonemployees who need access to network services. Rather than putting nonemployees into the Active Directory, these individuals—such as contractors, temporary workers, or even external contacts, such as outside legal counsel, marketing firms, and so on—have been put in ADAM and given rights to access network resources such as SharePoint file libraries, extranet content, or web services.

AD LDS is identical to ADAM in its functionality, and provides an organization with options for enabling or sharing resources with individuals outside of the organizational structure. With the name change, organizations that didn’t quite know what ADAM was before have begun to leverage the Lightweight Directory Services function of Active Directory not only for resource sharing but also as a lookup directory for clients, patients, membership directories, and so on. Active Directory Lightweight Directory Services is covered in detail in Chapter 8, “Creating Federated Forests and Lightweight Directories.”

Expansion of the Active Directory Federation Services

That leads to the third Active Directory service called Active Directory Federation Services, or AD FS. Active Directory Federation Services was introduced with Windows 2003 R2 edition and continues to provide the linking, or federation, between multiple Active Directory forests, or now with Windows Server 2008 R2 Active Directory Federation Services, the ability to federate between multiple Active Directory Domain Services systems.

Effectively, for organizations that want to share information between Active Directory Domain Services environments, two or more AD DS systems can be connected together to share information. This has been used by organizations that have multiple subsidiaries with their own Active Directory implemented to exchange directory information between the two organizations. And AD FS has been used by business trading partners (suppliers and distributors) to interlink directories together to be able to have groups of users in both organizations easily share information, freely communicate, and easily collaborate between the two organizations.

Active Directory Federation Services is covered in detail in Chapter 8.

Introducing the Read-Only Domain Controller

Another change in Active Directory in Windows Server 2008 that was continued in Windows 2008 R2 was the addition of a Read-Only Domain Controller, or RODC. The RODC is just like a global catalog server in Active Directory used to authenticate users and as a resource to look up objects in the directory; however, instead of being a read/write copy of the directory, an RODC only maintains a read-only copy of Active Directory and forwards all write and authentication requests to a read/write domain controller.

RODCs can also be configured to cache specified logon credentials. Cached credentials speed up authentication requests for the specified users. Only the credentials of those specified users are stored in the cache on the RODC system, not every object in the entire global catalog. If the RODC is shut down or powered off, the cache on the RODC is flushed, and the cached objects are not available again until the RODC reconnects to a global catalog server on the network.

The RODC is a huge advancement in the area of security because an RODC cannot be compromised in the same manner that a global catalog server can be in the event of a physical theft of a domain server. Organizations that require the functionality of a global catalog server for user authentication but have that server in an area that is not completely secure, such as a remote office, a branch office location, or even a retail store outlet, can instead put an RODC in the remote location.

Windows Server 2008 R2 Benefits for Administration

Windows Server 2008 R2 provides several new benefits that help organizations better administer their networking environment. These new features provide better file and data management, better performance monitoring and reliability tracking tools to identify system problems and proactively address issues, a new image deployment tool, and a whole new set of Group Policy Objects that help administrators better manage users, computers, and other Active Directory objects.

Improvements in the Group Policy Management

Windows Server 2008 R2 introduces over 1,000 new Group Policy Objects specific to Windows Server 2008 R2 and Windows 7, along with several new components that expand on the core capabilities of Group Policy management that have been part of Windows 2000/2003 Active Directory. The basic functions of Group Policy haven’t changed, so the Group Policy Object Editor (gpedit) and the Group Policy Management Console (GPMC) are the same, but with more options and settings available.

As mentioned earlier, the Group Policy Management Console can either be run as a separate MMC tool, or it can be launched off the Features branch of the Server Manager console tree, as shown in Figure 1.7. Group policies in Windows Server 2008 R2 provide more granular management of local machines, specifically having policies that push down to a client that are different for administrator and non-administrator users.

Figure 1.7

Group Policy Management Console.

Additionally, applications can now query or register with a network location awareness service within Group Policy management, which provides the identity where a user or computer object resides. As an example, a policy can be written that allows users to have access to applications and files if they are on a local network segment, but blocks users from accessing the same content when they are on a remote segment for security and privacy reasons. This addition to group policies adds a third dimension to policies so that now administrators can not only define who and what someone has access to, but also limit their access based on where they are.

Group policies are covered in detail in Chapter 27, “Group Policy Management for Network Clients,” as well as in Chapter 19, “Windows Server 2008 R2 Group Policies and Policy Management.”

Note – When running the Group Policy Management Console to manage a Windows Server 2008 R2 Active Directory environment, run the GPMC tool from a Windows Server 2008 R2 server or a Windows 7 client system to have access to all the editable objects available. If you run the GPMC tool from a Windows 2003 server or Windows XP client, you will not see all the features nor have full access to edit all objects available.

This is because Windows Server 2008 R2 now supports new template file formats (ADMX and ADML) that are only accessible from Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 systems.
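Because GPMC on Windows Server 2008 R2 and Windows 7 reads ADMX/ADML templates, the usual way to make every administrator's console see the same set of templates is a central store in SYSVOL. The following script, added here as an example and not taken from the book, creates that store from the local `%SystemRoot%\PolicyDefinitions` folder and checks that every ADMX file has a matching language resource file. It assumes it runs as a domain member with write access to SYSVOL, takes the domain name from the `USERDNSDOMAIN` environment variable, and uses `en-US` as the only language; adjust the language folder for other locales.

```powershell
# Added example (not from the book): build the Group Policy central store so that
# all Windows Server 2008 R2 / Windows 7 GPMC consoles use one copy of the ADMX/ADML
# templates, then verify the ADMX and ADML sets line up.
$domain = $env:USERDNSDOMAIN
$source = Join-Path $env:SystemRoot "PolicyDefinitions"
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$lang   = "en-US"   # assumption: single-language environment

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}
$langDir = Join-Path $store $lang
if (-not (Test-Path $langDir)) {
    New-Item -Path $langDir -ItemType Directory | Out-Null
}

# Language-neutral ADMX files go in the root, ADML resource files in the language folder.
Copy-Item -Path (Join-Path $source "*.admx") -Destination $store -Force
Copy-Item -Path (Join-Path (Join-Path $source $lang) "*.adml") -Destination $langDir -Force

# Verify: an ADMX without its ADML makes GPMC report a resource error for that template.
$admx = Get-ChildItem $store   -Filter *.admx | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem $langDir -Filter *.adml | ForEach-Object { $_.BaseName }
$missing = Compare-Object -ReferenceObject $admx -DifferenceObject $adml |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject }

if ($missing) {
    Write-Warning ("ADMX files without a matching {0} ADML: {1}" -f $lang, ($missing -join ', '))
} else {
    Write-Host "Central store ready: $($admx.Count) templates in $store"
}
```

Once the store exists, GPMC on any Windows Server 2008 R2 or Windows 7 system prefers it over the local `PolicyDefinitions` folder, so new or updated templates only need to be copied to SYSVOL once. Because SYSVOL replicates to every domain controller, treat changes to the store as a controlled change, not an ad hoc copy.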

Introducing Performance and Reliability Monitoring Tools

Windows Server 2008 R2 introduces new and revised performance and reliability monitoring tools intended to help network administrators better understand the health and operations of Windows Server 2008 R2 systems. Just like with the Group Policy Management Console, the new Reliability and Performance Monitor shows up as a feature in the Server Manager console. By clicking on the Performance Diagnostic Console, the tool shows up in the right pane, as shown in Figure 1.8.

Figure 1.8

Windows Reliability and Performance Monitor.

The new tool keeps track of system activity and resource usage and displays key counters and system status on screen. The Reliability Monitor diagnoses potential causes of server instability by noting the last time a server was rebooted, what patches or updates were applied, and chronologically when services have failed on the system so that system faults can potentially be traced back to specific system updates or changes that occurred prior to the problem.

By combining what used to be three to four tools into a single console, administrators are able to look at system performance, operational tasks, and historical event information in their analysis of a server problem or system operations instability. You can find more details on performance and reliability monitoring in Chapter 34.

Leveraging File Server Resource Manager

File Server Resource Manager (FSRM) was a feature pack add-in to Windows 2003 R2 and has been significantly improved with the release of Windows Server 2008 R2. FSRM is a quota management system of files on network shares across an enterprise. Rather than allowing employees to copy the entire content of their laptop to a network, or potentially back up their MP3 audio files onto a network, FSRM provides the ability to not only limit the amount of content stored on network shares, but also to set quotas (or limit storage altogether) on certain file types. So, a user could be limited to store 200GB of files on a network share, but of that limit, only 2GB can be allocated to MP3 files.

FSRM, shown in Figure 1.9, in Windows Server 2008 R2 has been improved to allow the nesting of quotas to ensure the most restrictive policy is applied. Quotas can also transcend subfolders, so as new folders are created, or as policies are applied at different levels in a folder hierarchy, the policies still apply, and the rules are combined to provide varying levels of quota allocation to user data. Additionally, quotas are now based on actual storage, so if a file is compressed when stored, the user will be able to store more files within their allocated quota.

Figure 1.9

File Server Resource Manager.

File Server Resource Manager is covered in detail in Chapter 28.

Leveraging the Best Practice Analyzer

Included in Windows Server 2008 R2 is a built-in Best Practice Analyzer. Found in the Server Manager console tool, the Best Practice Analyzer runs a series of tests against Active Directory roles, such as the Hyper-V role, the DNS role, and the Remote Desktop Services role, to assess whether the role has been installed and configured properly and to compare the installation with tested best practices.

Some of the results from the Best Practice Analyzer could tell an administrator they need to add more memory to a server, to move a role to a separate server to improve role optimization, or to shift a database to a different drive on the server to distribute disk performance demands on the system. More details on the Best Practice Analyzer are covered in Chapter 20.
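The Best Practice Analyzer can also be driven from PowerShell, which is useful when the same checks should run on every server after it is built rather than being clicked through in Server Manager. The script below is an added example, not the book's or Microsoft's code; it assumes a Windows Server 2008 R2 system with the `BestPractices` module, enumerates the installed models with `Get-BpaModel` rather than hard-coding model IDs, and writes findings to a report folder whose path is a placeholder.

```powershell
# Added example (not from the book): run every installed Best Practices Analyzer
# model and collect the Error and Warning findings in one table and a dated CSV.
Import-Module BestPractices

$reportDir = "C:\BpaReports"   # placeholder
if (-not (Test-Path $reportDir)) { New-Item -Path $reportDir -ItemType Directory | Out-Null }

$findings = @()
foreach ($model in Get-BpaModel) {
    $id = $model.Id                      # e.g. the DNS or Directory Services model
    Write-Host "Scanning $id ..."
    # The model ID is passed positionally, which works in the 2008 R2 cmdlets.
    $null = Invoke-BpaModel $id
    $findings += Get-BpaResult $id |
        Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
        Select-Object @{n='Model';e={$id}}, Severity, Category, Title, Problem, Resolution
}

if ($findings.Count -eq 0) {
    Write-Host "No Error or Warning findings on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Severity, Model | Format-Table Model, Severity, Title -AutoSize
    # Keep a dated copy so that new findings after a change stand out.
    $csv = Join-Path $reportDir ("bpa-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
    $findings | Export-Csv -Path $csv -NoTypeInformation
    Write-Host "Findings written to $csv"
}
```

Results marked Error are the ones to act on first; the `Resolution` text of each finding is the same guidance Server Manager displays, and comparing successive CSV files shows whether a configuration change introduced a new deviation from the tested best practices.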

Introduction of Windows Deployment Services

Windows Server 2008 introduced a new tool called Windows Deployment Services (WDS), which was effectively an updated version of the Remote Installation Services (RIS) that has been available for the past several years. Unlike RIS, which was focused on primarily scripted installations and client images, WDS in Windows Server 2008 R2 can distribute images of Windows 7 clients or Windows Server 2008 R2 servers in a significantly more flexible and modifiable deployment process.

Like with RIS, Windows Deployment Services allows a client system to initiate a Preboot Execution Environment (PXE), effectively “booting” to the WDS server to see a list of images that can be deployed on the system. Alternately, an organization can create a Windows PE boot disc and have an image initiated from a CD or DVD.

With Windows Server 2008 R2 and Windows 7, the image can be created in Windows Imaging (WIM) format, which allows for the injection of patches, updates, or even new code to a WIM file without even booting the image file. This provides the organization with more than just static images that get pushed out like in RIS, but rather a tool that provides ongoing and manageable updates to image files.

WDS also supports the imaging of Windows 2003 servers and Windows XP client systems in the same manner that RIS did in terms of pushing out images or using an unattend script file to send images to systems.

Windows Deployment Services is covered in detail in Chapter 26, “Windows Server 2008 R2 Administration Tools for Desktops.”

Improvements in Security in Windows Server 2008 R2

Significantly more than just cosmetic updates are the security enhancements added to Windows Server 2008 R2. Organizations are struggling to ensure that their environments are secure, that employees can depend on information privacy, and that content is protected for regulatory compliance reasons; having the tools to secure the environment is therefore critical.

Enhancing the Windows Server 2008 R2 Security Subsystem

Part IV of this book, “Security,” is focused on security in the different core areas. Chapter 13 addresses core security subsystems of Windows Server 2008 R2 as it relates to server systems. This includes the basics of server hardening, patching, and updating but also extends into new server security areas added to Windows Server 2008 R2, such as device control level security, wireless access security, and Active Directory Rights Management Services (RMS). Windows Server 2008 R2 has continued the “secure by default” theme at Microsoft and no longer installs components like Internet Information Services (IIS) by default. The good part about it is that components that are not core to the operation of a server are not installed on the system; however, it means every time you install software, you need to add basic components and features. Remembering what has to be installed, configured, or made operational is important as servers are being built and added to a Windows Active Directory environment.
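A practical way to keep the "secure by default" footprint while still remembering what each server type needs is to record the installed roles and features of a reference build and compare new servers against it. The following script is an added example (not code from the book); it assumes the `ServerManager` module that ships with Windows Server 2008 R2, PowerShell remoting enabled on the servers being compared, and uses placeholder server names and a placeholder baseline path.

```powershell
# Added example (not from the book): capture the installed roles/features of a
# hardened reference server as a baseline, then report what is missing from or
# extra on a newly built server. Anything "extra" is surface area to review.
Import-Module ServerManager

function Get-InstalledFeatureNames {
    param([string]$ComputerName = $env:COMPUTERNAME)
    if ($ComputerName -eq $env:COMPUTERNAME) {
        $features = Get-WindowsFeature
    } else {
        # Remote query over WinRM; the ServerManager module is loaded on the far side.
        $features = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Import-Module ServerManager
            Get-WindowsFeature
        }
    }
    $features | Where-Object { $_.Installed } | ForEach-Object { $_.Name } | Sort-Object
}

$baselinePath = "C:\Baselines\webserver-features.txt"   # placeholder
$newServer    = "WEB02"                                   # placeholder

# Step 1 (run once on the reference build): save the feature list.
if (-not (Test-Path $baselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    Get-InstalledFeatureNames | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
}

# Step 2: compare the new server against the baseline.
$baseline = Get-Content -Path $baselinePath
$actual   = @(Get-InstalledFeatureNames -ComputerName $newServer)

$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $actual
foreach ($d in $diff) {
    switch ($d.SideIndicator) {
        '<=' { Write-Warning "Missing on $newServer (required by baseline): $($d.InputObject)" }
        '=>' { Write-Warning "Extra on $newServer (not in baseline, review or remove): $($d.InputObject)" }
    }
}
if (-not $diff) { Write-Host "$newServer matches the baseline." }
```

Missing entries can be installed with `Add-WindowsFeature`, and extras removed with `Remove-WindowsFeature`, once someone has confirmed they are not needed; keeping the baseline file under change control gives an auditable definition of what a given server role is supposed to run.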

Transport Security Using IPSec and Certificate Services

Chapter 14, “Transport-Level Security,” addresses site-to-site and server-to-server security, addressed through the implementation of IPSec encryption. Not new to Windows, IPSec has finally gotten several new Group Policy management components added to aid in the implementation and management of IPSec in the enterprise. Also not new to Windows, but something that has been greatly enhanced, is Microsoft’s offering around Public Key Infrastructure (PKI), specifically Certificate Services. It seems like everything security related is somehow connected to certificates, whether that is file encryption using Encrypting File System (EFS), email encryption using S/MIME, remote mobile device synchronization using certificate access, or transport security using IPSec. Everything needs a certificate, and the ability of an organization to easily create and manage certificates is the focus of Chapter 14.

Security Policies, Policy Management, and Supporting Tools for Policy Enforcement

Completely new to Windows Server 2008, updated in Windows Server 2008 R2, and a major focus for organizations are security policies and policy management around security systems. It used to be we would just lock down systems, make sure they were secure by default, and use our best judgment and best effort to secure a network. However, with laws and regulations, or even human resource departments getting involved in information security, the root of all IT security practices falls on having set security policies defined so that IT can implement technologies to address the organization’s policies around information security. This is covered in detail in Chapter 15, “Security Policies, Network Policy Server, and Network Access Protection.”

Chapter 15 goes beyond the policies and common best practices around policy management in an enterprise, and also digs into the underlying technologies that help organizations turn security policies into IT-managed technology services. Tools like the Network Policy Server in Windows Server 2008 R2 allow policies to be defined, and the Network Policy Server enforces those policies, specifically around remote logon access, access over wireless network connections, or the integration of Network Access Protection (NAP) in querying a device and making sure the device (desktop, laptop, or mobile device) has the latest patches, updates, and antivirus software dictated by management to ensure a device is secure.

Improvements in Mobile Computing in Windows Server 2008 R2

As organizations find their workforce becoming more and more mobile, Microsoft has made significant improvements to mobility in Windows Server 2008 R2. New technologies provide a more seamless experience for users with laptops to move from office, to home, to Internet Wi-Fi hot spots and maintain connectivity to network resources. These improvements do require mobile users to run the latest Windows 7 client operating system on their laptop system to gain access to these new services; however, once implemented, users find the functionality to greatly support easier access to network resources no matter where the user resides.

Windows Server 2008 R2 DirectAccess

One of the significant remote access enhancements in Windows Server 2008 R2 is the DirectAccess technology. DirectAccess provides a remote user the ability to access network resources such as file shares, SharePoint shares, and the like without having to launch a virtual private network (VPN) to gain access into the network.

DirectAccess is an amazing technology that combines sophisticated security technology and policy-based access technology to provide remote access to a network; however, organizations do find it challenging to get up to speed with all the technology components necessary to make DirectAccess work. So, although many organizations will seek to achieve DirectAccess capabilities, it might be months or a couple of years before all the technologies are in place for the organization to easily enable DirectAccess in their enterprise environment.

Some of the technologies required to make DirectAccess work include the following:

  • PKI certificates—DirectAccess leverages PKI certificates as a method of identification of the remote device as well as the basis for encrypted communications from the remote device and the network. Thus, an organization needs to have a good certificate infrastructure in place for server and client certificate-based encrypted communications.

  • Windows 7 clients—DirectAccess only works with clients that are running Windows 7. The client component for encryption, encapsulation, and policy control depend on Windows 7 to make all the components work together.

  • IPSec—The policy control used in DirectAccess leverages IPSec to identify the destination resources that a remote user should have access to. IPSec can be endpoint to endpoint (that is, from the client system all the way to the application server) or IPSec can be simplified from the client system to a DirectAccess proxy server where the actual endpoint application servers do not need to be IPSec enabled. In any case, IPSec is a part of the security and policy structure that ensures the remote client system is only accessing server resources that by policy the remote client should have access to as part of the DirectAccess session connection.

  • IPv6—Lastly, DirectAccess uses IPv6 as the IP session identifier. Although most organizations have not implemented IPv6 yet and most on-ramps to the Internet are still IPv4, tunneling of IPv6 is fully supported in Windows 7 and Windows Server 2008 R2 and can be used in the interim until IPv6 is fully adopted. For now, IPv6 is a requirement of DirectAccess and is used as part of the remote access solution.

More details on DirectAccess are provided in Chapter 24, “Server-to-Client Remote Access and DirectAccess.”
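The four prerequisites listed above can be checked on a candidate client before it is enrolled. The script below is an added example, not code from the book or from Microsoft's DirectAccess tooling; it runs locally on the client under PowerShell 2.0 and treats the issuing CA name as a placeholder for the organization's own enterprise CA. It checks the operating system version and domain membership, the presence of a valid machine certificate, that IPv6 is active on an adapter, and that the IPsec Policy Agent service is running.

```powershell
# Added example (not from the book): DirectAccess client readiness check against
# the prerequisites in the text: Windows 7 domain member, PKI machine certificate,
# IPv6 enabled, IPsec service running. The CA name is a placeholder.
$checks = @()

# 1. Windows 7 (NT 6.1, ProductType 1 = workstation) and joined to the domain.
$os = Get-WmiObject Win32_OperatingSystem
$cs = Get-WmiObject Win32_ComputerSystem
$checks += New-Object PSObject -Property @{
    Check  = "Windows 7 client"
    Pass   = ($os.Version -like "6.1*" -and $os.ProductType -eq 1)
    Detail = "$($os.Caption) $($os.Version)" }
$checks += New-Object PSObject -Property @{
    Check = "Domain joined"; Pass = [bool]$cs.PartOfDomain; Detail = $cs.Domain }

# 2. A currently valid machine certificate issued by the enterprise CA (placeholder).
$issuer = "CN=Example Issuing CA"   # placeholder
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$issuer*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certDetail = "none from $issuer"
if ($cert) { $certDetail = "Expires $($cert.NotAfter)" }
$checks += New-Object PSObject -Property @{
    Check = "Machine certificate"; Pass = [bool]$cert; Detail = $certDetail }

# 3. IPv6 present on at least one adapter (DirectAccess tunnels IPv6 over IPv4).
$v6 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    ForEach-Object { $_.IPAddress } | Where-Object { $_ -match ':' }
$checks += New-Object PSObject -Property @{
    Check = "IPv6 address present"; Pass = [bool]$v6; Detail = ($v6 -join ', ') }

# 4. IPsec Policy Agent running; IPsec carries DirectAccess policy and encryption.
$svc = Get-Service -Name PolicyAgent
$checks += New-Object PSObject -Property @{
    Check = "IPsec Policy Agent"; Pass = ($svc.Status -eq 'Running'); Detail = "$($svc.Status)" }

$checks | Format-Table Check, Pass, Detail -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning "This client does not yet meet the DirectAccess prerequisites."
}
```

A failed certificate check usually means autoenrollment has not been configured for computer certificates in Group Policy; a missing IPv6 address on a Windows 7 client usually means IPv6 has been disabled on the adapter, which breaks DirectAccess even though ordinary IPv4 access still works.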

Windows 7 VPN Reconnect

VPN Reconnect is not a Windows Server 2008 R2–specific feature but rather a Windows 7 client feature; however, with the simultaneous release of the Windows 7 client and Windows Server 2008 R2, it is worth noting this feature because Microsoft will be touting the technology and network administrators will want to know what they need to do to implement the technology. VPN Reconnect is simply an update to the VPN client in Windows 7 that reestablishes a VPN session on a client system in the event that the client system’s VPN session is disconnected.

VPN Reconnect effectively acknowledges that a client VPN session has been disconnected and reestablishes the session. Many longtime administrators might wonder why this is new because client systems in the past (Windows XP, Vista, and so forth) have always had the ability to retry a VPN session upon disconnect. However, the difference is that instead of simply retrying the VPN session and establishing a new VPN session, the VPN Reconnect feature of Windows 7 reestablishes a VPN session with the exact same session identification, effectively allowing a session to pick up exactly where it left off.

For example, a Windows 7 client user can be transferring a file on a wired VPN connected session and then switch midstream to a Wi-Fi VPN-connected session, and the file transfer will continue uninterrupted.

VPN Reconnect utilizes the IKE v2 protocol on the client and on the Windows Server 2008 R2 side with an established session identification so that upon reconnect, the session ID remains the same.

Chapter 24 provides more details on VPN Reconnect.

Windows 7 Mobile Broadband

Another Windows 7–specific technology for mobile users is Windows 7 Mobile Broadband. Again, something that has nothing to do specifically with Windows Server 2008 R2, Windows 7 Mobile Broadband is an update to the carrier-based (for example, AT&T, Sprint, Verizon) mobile connection devices and services in Windows 7.

In the past, a user plugged in a Mobile Broadband card to their Windows XP or Vista system and then had to launch an application such as the AT&T Connection Manager. With Windows 7 and the latest Mobile Broadband drivers for the device and for Windows 7, the insertion of the Mobile Broadband card into a mobile system automatically connects the user to the Internet. Just like if the user turns on a Wi-Fi adapter in a system and automatically establishes a connection to a Wi-Fi access point, Mobile Broadband automatically connects the user to the Internet.

When the Windows 7 Mobile Broadband adapter is disconnected from the user’s system, the Mobile Broadband session disconnects, and if the system has a Wi-Fi or wired Ethernet connection available, the user’s system automatically connects to an alternate connection point. Combine Mobile Broadband with VPN Reconnect or with DirectAccess and a mobile user has seamless connection access back into their organization’s network.

Improvements in Windows Server 2008 R2 for Better Branch Office Support

Windows Server 2008 R2 has greatly enhanced the technology offerings that provide better IT services to organizations with remote offices or branch offices. Typically, a remote or branch office has limited IT support, yet the site needs the same functionality and reliability as the main corporate or business office without the budget for lots of redundant hardware and devices for full operational support. With the new Windows Server 2008 R2 branch office resources, a remote location can now have high security, high performance, access to data without significant latency, and operational capabilities, even if the remote site is dropped off the network due to a WAN or Internet connection problem.

The tools and technologies new or improved in Windows Server 2008 R2 include Read-Only Domain Controllers, BitLocker Drive Encryption, distributed file server data replication, and distributed administration.

Details on the new technologies built in to Windows Server 2008 R2 that better support remote and branch offices are covered in Chapter 32.

Read-Only Domain Controllers for the Branch Office

As covered in the section “Introducing the Read-Only Domain Controller” earlier in this chapter, the RODC provides a copy of the Active Directory global catalog for logon authentication of select users and communications with the Active Directory tree without having the security exposure of a full global catalog server in the remote location. Many organizations concerned with distributed global catalog servers chose to not place a server in a remote location, but rather kept their global catalog and domain controllers centralized. What this meant for remote and branch offices is that all logon authentication had to go across the WAN or Internet connection, which could be very slow. And in the event of a WAN or Internet connection failure, the remote or branch office would be offline because users could not authenticate to the network and access network resources until the WAN or Internet connection was restored.

Read-Only Domain Controllers provide a way for organizations to distribute authentication and Active Directory access without increasing their security risk caused by the distribution of directory services.

BranchCache File Access

New to Windows Server 2008 R2 is a role called BranchCache. BranchCache is a technology that provides users with better access to files across a wide area network (WAN). Normally, if one user accesses a file, the file is transferred across the WAN for the user, and then when another user accesses the same file, the same file is again transferred across the WAN for the other user. BranchCache acknowledges that a file has been transferred across the WAN by a previous user, and instead of retrieving the file across the WAN, the file is accessed locally by the subsequent user.

BranchCache requires Windows 7 on the client side and can be set up so that the file is effectively retrieved in a peer-to-peer manner from another Windows 7 client that had previously accessed a file. Or, a Windows Server 2008 R2 server with the BranchCache server role can be set up in the remote location where remotely accessed files are temporarily cached for other Windows 7 client users to seamlessly access the files locally instead of being downloaded across the WAN.

BranchCache does not require the user to do anything differently. Users simply access files as they normally do (either off a Windows file system or from a SharePoint document library), and the combination of Windows 7 and Windows Server 2008 R2 does all the caching automatically. BranchCache has proven to improve access time on average 30%–45% for remote users, improving the user experience and potentially user productivity through faster access to information in remote locations.

BitLocker for Server Security

BitLocker is a technology first introduced with Windows Vista that provides an organization with the ability to do a full partition encryption of all files, documents, and information stored on the encrypted partition. When BitLocker was first introduced in Windows Server 2008 as a server tool, it was hard to understand why a server would need to have its drive volume encrypted. It made sense that a laptop would be encrypted in the event the laptop is stolen—so that no one could get access to the data on the laptop hard drive. However, servers holding sensitive data are prevalent in enterprise environments, and servers placed in remote locations are many times not in a locked server rack in a locked computer room, but rather sitting in a closet or even under a cash register in the situation of a retail store with a server acting as the point-of-sale system.

So, BitLocker provides encryption of the volume of a Windows Server 2008 R2 server; for organizations that are concerned that the server might be physically compromised by the theft of the server or physical attack of the system, BitLocker is a great component to implement on the server system.
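The following PowerShell script is an added example, not code from the book or from Microsoft; it shows how a branch office data volume would be protected with manage-bde.exe, the BitLocker command-line tool that ships with Windows Server 2008 R2 (the Enable-BitLocker cmdlets did not exist in that release). It assumes an elevated session on the server, that the BitLocker Drive Encryption feature is installed, that the operating system volume is already encrypted (auto-unlock depends on that), and that the data lives on drive D: (an assumed drive letter).

```powershell
# Added example (not from the book): protect a branch office data volume with BitLocker
# using manage-bde.exe on Windows Server 2008 R2. Run elevated on the server.
# Assumptions: BitLocker feature installed, OS volume already encrypted, data on D:.
param([string]$Volume = 'D:')

function Get-BitLockerStatusText([string]$vol) {
    # manage-bde -status prints a text block per volume; capture it as one string
    return (& manage-bde.exe -status $vol 2>&1 | Out-String)
}

$before = Get-BitLockerStatusText $Volume
if ($before -match 'Conversion Status:\s+Fully Encrypted') {
    Write-Host "$Volume is already fully encrypted; nothing to do."
    exit 0
}

# Turn encryption on with a numeric recovery password protector. manage-bde prints the
# 48-digit recovery password once: record it in a controlled location (or have Group
# Policy back it up to AD DS) before the server is shipped to the branch.
& manage-bde.exe -on $Volume -RecoveryPassword

# Let the data volume unlock automatically when the (already encrypted) OS volume unlocks,
# so an unattended reboot in the branch closet does not leave the data offline.
& manage-bde.exe -autounlock -enable $Volume

# Verification: a recovery password protector must exist, otherwise a lost TPM or a
# moved disk would make the data unrecoverable.
$protectors = (& manage-bde.exe -protectors -get $Volume | Out-String)
if ($protectors -notmatch 'Numerical Password') {
    throw "No recovery password protector found on $Volume; do not deploy this server."
}

# Encryption continues in the background; report progress and the protectors in place.
Get-BitLockerStatusText $Volume
$protectors
```

The check at the end matters more than the encryption command itself: a volume encrypted without a recorded recovery protector is a denial-of-service risk to the branch rather than a protection. Storing the recovery password in AD DS through Group Policy keeps it off the server that might be stolen.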

Distributed File System Replication

Introduced in Windows 2000, improved in Windows 2003, and now a core component of the branch office offerings in Windows Server 2008 R2, Distributed File System Replication (DFSR) allows files to be replicated between servers, effectively providing duplicate information in multiple locations. The Distributed File System in Windows Server 2008 R2 is much improved compared with what was available in Windows 2000/2003. In most organizations, files are distributed across multiple servers throughout the enterprise. Users access file shares that are geographically distributed, and also file shares sitting on several servers within a single site of the organization. In many organizations, when file shares were originally created years ago, server performance, server disk capacity, and the workgroup nature of file and print server distribution created environments in which those organizations had a file share for every department and every site. Thus, files have typically been distributed throughout an entire organization across multiple servers.

Windows Server 2008 R2 Distributed File System Replication enables an organization to combine file shares to fewer servers and create a file directory tree not based on a server-by-server or share-by-share basis, but rather an enterprisewide directory tree. This allows an organization to have a single directory spanning files from multiple servers throughout the enterprise.

Because the DFSR directory is a logical directory that spans the entire organization with links back to physical data, the actual physical data can be moved without having to make changes to the way the users see the logical DFS directory. This enables an organization to add or delete servers, or move and consolidate information, however it works best within the organization.

For branch office locations, DFSR allows for data stored on a file server in a remote location to be trickled back to the home office for nightly backup. Instead of having the remote location responsible for data backup, or the requirement of an organization to have tape drives in each of its branch offices, any data saved on the branch office can be trickle replicated back to a share at the main office for backup and recovery.

If the main office has data that it wants to push out to all remote offices, whether that is template files, company policy documents, standard company materials, or even shared data that a workgroup of users needs to access and collaborate on, DFSR provides the ability to push out data to other servers on the network. Users with access rights to the data no longer have to go across a WAN connection to access common data. The information is pushed out to a server that is more local to the user, and the user accesses the local copy of the information. If any changes are made to remote or centralized copies of data, those changes are automatically redistributed back to all volumes storing a copy of the data.

One of the enhancements made in Windows Server 2008 R2 specific to DFSR is the ability for an administrator to set a DFS replica to be read-only. In the past, DFS replicas were all read/write replicas, so a user in a remote location could accidentally overwrite files that would then replicate to all replicas in the environment. Administrators have compensated for this potential issue by setting file-level permissions across files and folders; however, for many remote branch offices, if the administrator could simply make the entire replica read-only, it would simplify the security task dramatically. Thus, read-only replicas can now be set so that an entire server or branch of a DFS tree replicates to a remote server on a read-only basis.

Distributed File System Replication is covered in detail in Chapter 28.

Improvements in Distributed Administration

Finally, for remote or branch offices that do have IT personnel in the remote locations, it has been challenging to distribute the proper security rights for administration and management tasks. Either remote IT personnel were given full domain administrator rights when they should have been limited to rights specific to their site, or they were not given any administrative rights because it was too difficult to apply a more limiting role.

Windows Server 2008 R2 Active Directory has now defined a set of rights specific to branch office and remote site administrators. Very similar to site administrators back in the old Exchange Server 5.5 days—where an administrator was able to add users, contacts, and administer local Exchange servers—now network administrators in Active Directory can be delegated rights based on a branch or remote site role. This provides those administrators with the ability to make changes specific to their branch location. This, along with all the other tools in Windows Server 2008 R2 specific to branch office and remote office locations, now provides better IT services to organizations with multiple offices in the enterprise.
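As an added illustration of the least-privilege delegation the section describes (this is not code from the book, and it uses standard Active Directory OU delegation with dsacls.exe rather than any branch-specific role), the script below grants a branch administrators group only the rights needed to service user accounts and group membership in its own OU. The domain name corp.example, the OU name Seattle, and the group name Seattle-Admins are assumptions; run it from an elevated session on a domain controller or a system with the AD DS tools installed.

```powershell
# Added example (not from the book): delegate branch-scoped administration with dsacls.exe.
# Assumptions: domain corp.example, branch OU "Seattle", security group CORP\Seattle-Admins.
$BranchOU = 'OU=Seattle,DC=corp,DC=example'
$Group    = 'CORP\Seattle-Admins'

function Grant-BranchRight([string]$ou, [string]$aceSpec) {
    # /I:S applies the ACE to child objects only, so the OU itself is not handed over.
    # The ACE format is "trustee:perms;attribute-or-right;object-class".
    $out = & dsacls.exe $ou /I:S /G "$aceSpec" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$aceSpec': $out" }
}

# Reset passwords and clear the "must change at next logon" flag on user objects in the branch OU.
Grant-BranchRight $BranchOU "$($Group):CA;Reset Password;user"
Grant-BranchRight $BranchOU "$($Group):RPWP;pwdLastSet;user"

# Unlock accounts and manage the membership of groups that live in the branch OU.
Grant-BranchRight $BranchOU "$($Group):RPWP;lockoutTime;user"
Grant-BranchRight $BranchOU "$($Group):WP;member;group"

# Verification: the group must appear in the branch OU's ACL and must NOT appear on the
# Domain Controllers OU, which is the usual sign that someone delegated at domain level.
$branchAcl = & dsacls.exe $BranchOU | Out-String
$dcAcl     = & dsacls.exe 'OU=Domain Controllers,DC=corp,DC=example' | Out-String
if ($branchAcl -notmatch [regex]::Escape($Group)) { throw "Delegation to $Group not found on $BranchOU" }
if ($dcAcl -match [regex]::Escape($Group)) { Write-Warning "$Group has rights on Domain Controllers OU; review this." }
Write-Host "Branch delegation for $Group applied and verified on $BranchOU."
```

Delegating to a group rather than to individual accounts keeps the ACL stable when branch staff change, and scoping the ACEs with /I:S to child objects prevents the branch group from modifying the OU object (and its delegation) itself.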

Improvements for Thin Client Remote Desktop Services

Windows Server 2008 R2 has seen significant improvements in the Terminal Services (now called Remote Desktop Services [RDS]) capabilities for thin client access for remote users and managed users in the enterprise. Technologies that used to require third-party add-ons to make the basic Windows 2000 or 2003 Terminal Services functional were included by Microsoft in Windows Server 2008 and further enhanced in Windows Server 2008 R2. These technologies include the ability to access Remote Desktop Services over the standard SSL Port 443 rather than the proprietary Port 3389, the ability to publish just specific programs instead of the entire desktop, and improvements that allow a client to have a larger remote access screen or multiple screens, or to print more easily to remote print devices.

These improvements in Windows Server 2008 R2 Remote Desktop Services have made RDS one of the easiest components to add to an existing Windows 2003 Active Directory to test out the new Windows Server 2008 R2 capabilities, especially because the installation of a Windows Server 2008 R2 Remote Desktop Services system is just the addition of a member server to the domain and can easily be removed at any time.

All of these new improvements in Windows Server 2008 R2 Remote Desktop Services are covered in Chapter 25.

Improvements in RDP v6.x for Better Client Capabilities

The first area of significant improvement in Windows Server 2008 Terminal Services was addressed in the update to the Remote Desktop Protocol (RDP) v6.x client, shown in Figure 1.10.

Figure 1.10 Remote Desktop Protocol client for Remote Desktop Services.

The RDP client with Windows Server 2008 provided the following:

  • Video support up to 4,096 x 2,048—Users can now use very large monitors across an RDP connection to view data off a Windows Server 2008 Terminal Services system. With Windows Server 2008 R2 Remote Desktop Services, support has been extended to DirectX 9, 10, and 11 redirection.

  • Multimonitor support—Users can also have multiple (up to 10) monitors supported off a single RDP connection. For applications like computer-aided design (CAD), graphical arts, or publishing, users can view graphical information on one screen and text information on another screen at the same time.

  • Secured connections—The new RDP client now provides a highly encrypted remote connection to a Remote Desktop Services system through the use of Windows Server 2008 R2 security. Organizations that need to ensure their data is protected and employee privacy is maintained can implement a highly secured, encrypted connection between a Windows Server 2008 R2 Remote Desktop Services system and the remote client.

Remote Desktop Services Web Access

Also new to Windows Server 2008 and extended in Windows Server 2008 R2 Remote Desktop Services is a role called Remote Desktop Services Web Access. Remote Desktop Services Web Access allows a remote client to access a Remote Desktop Services session without having to launch the RDP 6.x client; the user instead connects to a web page, logs on there, and accesses the session from that page. This simplifies the access method for users, who can simply set a browser favorite that links them to the web URL providing Terminal Services access.

Note – Remote Desktop Services Web Access still requires the client system to be a Windows XP, Windows Vista, Windows 7, Windows 2003, Windows Server 2008, or Windows Server 2008 R2 server system to connect to a Remote Desktop Services session. A browser user cannot be running from an Apple Macintosh or Linux system and access Remote Desktop Services Web Access. For non-Windows-based web clients, third-party vendors like Citrix Systems provide connector support for these types of devices.

Remote Desktop Services Gateway

Remote Desktop Services Gateway is an update to Windows Server 2008 R2 Remote Desktop Services and provides the connectivity to a Remote Desktop Services session over a standard Port 443 SSL connection. In the past, users could only connect to Windows Remote Desktop Services using a proprietary Port 3389 connection. Unfortunately, most organizations block nonstandard port connections for security purposes, and, thus, if a user was connected to an Internet connection at a hotel, airport, coffee shop, or other location that blocked nonstandard ports, the user could not access Terminal Services.

Now with Remote Desktop Services Gateway, the connection from the remote user to the Remote Desktop Services Gateway goes over Port 443, just like browsing a secured web page. Because Port 443 is the port used for SSL web access (anytime someone accesses a web page with https://), it is rarely blocked, so a user can now effectively access Windows Server 2008 R2 Remote Desktop Services from any location.

Remote Desktop Services RemoteApps

Another new server role added to Windows Server 2008 and updated in Windows Server 2008 R2 is called Remote Desktop Services RemoteApps. Remote Desktop Services RemoteApps allows administrators to “publish” certain applications for users to access. These applications could be things like Microsoft Outlook, Microsoft Word, the company’s time sheet tracking software, or a customer relationship management (CRM) program. Instead of giving users full access to a full desktop session complete with a Start button and access to all applications on the session, an organization can just publish a handful of applications that it allows for access.

Leveraging group policies and Network Policy Server, along with Remote Desktop Services RemoteApps, the administrators of a network can publish different groups of applications for different users. So, some users might get just Outlook and Word, whereas other users would get Outlook, Word, and the CRM application. When the policy component is combined with network location awareness (new to Windows Server 2008 R2 and covered in the earlier section “Improvements in the Group Policy Management”), the administrators of the network can make different applications available to users depending on whether the user is logging on to the network on the LAN or from a remote location.

Beyond just limiting users to only the programs they should have access to by policy, Remote Desktop Services RemoteApps minimizes the overhead for each user connection because the user no longer has a full desktop running, but only a handful of applications deemed necessary for the remote user’s access.

Remote Desktop Services Connection Broker

Formerly called the Session Broker in Windows Terminal Services, the Remote Desktop Services Connection Broker is a system that manages Remote Desktop sessions to ensure that if users are disconnected from a Remote Desktop server, the users can reestablish a connection to their session without loss of the session state. Without a Connection Broker, users who attempt to reconnect to Remote Desktop Services after a session disconnect might end up logging on to a completely different Remote Desktop server and have to go back to where they last saved data to pick up where they left off.

Other than the name change from Session Broker to Connection Broker, what is new to the Windows Server 2008 R2 Connection Broker is the ability to cluster this role. In the past, this role was a single server instance; if that server was down, connection states would not be preserved and the Session Broker could not do its job. By clustering the Connection Broker role, an organization can now add redundancy to a critical role for an organization that has several Remote Desktop servers and wants to provide users with the ability to reconnect to their session after a temporary disconnect.

Virtual Desktop Infrastructure (VDI)

Lastly, a completely new role added to Windows Server 2008 R2 is the Virtual Desktop Infrastructure, or VDI role. Instead of Remote Desktop Services that provides a one-to-many experience, where effectively a single server instance is shared across multiple users, VDI provides a one-to-one virtual guest session relationship between the server and remote client. When a VDI client user logs on to a guest session, a dedicated guest session is made available to the user with a separate client boot-up shell, separate memory pool allocated, and complete isolation of the guest session from other guest sessions on the host server.

Windows Server 2008 R2 VDI provides two different VDI modes. One mode is a personalized desktop and the other is a pooled desktop. The personalized desktop is a dedicated guest session that users have access to each and every time they log on to the VDI server. It is basically a dedicated guest session where the image the guest uses is the same every time. A pooled desktop is a guest session where the user settings (favorites, background, and application configuration settings) are saved and reloaded on logon to a standard template. Actual guest session resources are not permanently allocated but rather allocated and dedicated at the time of logon.

VDI is covered in more detail in Chapter 25.

Improvements in Clustering and Storage Area Network Support

Although clustering of servers has been around for a long time in Windows (dating back to Windows NT 4.0, when it was available, but really didn’t work), clustering in Windows Server 2008 R2 now not only works, but also provides a series of significant improvements that actually make clustering work a whole lot better.

As IT administrators are tasked with the responsibility of keeping the network operational 24 hours a day, 7 days a week, it becomes even more important that clustering works. Fortunately, the cost of hardware that supports clustering has dropped significantly; in fact, any server that meets the required specifications to run Windows Server 2008 R2, Enterprise Edition can typically support Windows clustering. The basic standard for a server used in enterprise networking has the technologies for high availability built in to the system. Windows Server 2008 R2, Enterprise Edition or Datacenter Edition is required to run Windows Server 2008 R2 clustering services.

Clustering is covered in detail in Chapter 29, “System-Level Fault Tolerance (Clustering/Network Load Balancing).”

No Single Point of Failure in Clustering

Clustering by definition should provide redundancy and high availability of server systems; however, in previous versions of Windows clustering, a “quorum drive” was required for the cluster systems to connect to as the point of validation for cluster operations. If at any point the quorum drive failed, the cluster would not be able to fail over from one system to another. Windows Server 2008 and Windows Server 2008 R2 clustering removed this requirement of a static quorum drive. Two major technologies eliminate this single or central point of failure: majority-based cluster membership verification and witness-based quorum validation.

The majority-based cluster membership enables the IT administrator to define which devices in the cluster get a vote to determine whether a cluster node is in a failed state and the cluster needs to fail over to another node. Rather than assuming that the disk will always be available, as in the previous quorum disk model, the nodes of the cluster and shared storage devices now participate in the enhanced quorum model in Windows Server 2008 R2. Effectively, Windows Server 2008 R2 server clusters have better information to determine whether it is appropriate to fail over a cluster in the event of a system or device failure.

The witness-based quorum eliminates the single quorum disk from the cluster operation validation model. Instead, a completely separate node or file share can be set as the file share witness. In the case of a GeoCluster, where cluster nodes are in completely different locations, the ability to place the file share in a third site, and even to have that file share serve as the witness for multiple clusters, benefits organizations with distributed data centers and provides more resiliency in the cluster operations components.
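To make the vote arithmetic behind the majority and witness models concrete, here is an added example (not from the book) consisting of a small PowerShell calculator followed by the FailoverClusters cmdlets that set and read the Node and File Share Majority model on Windows Server 2008 R2. The cluster name CLUSTER01 and the witness share path are assumptions; the calculator runs anywhere, while the Set-ClusterQuorum call needs the Failover Clustering feature and membership in the cluster's administrators.

```powershell
# Added example (not from the book): quorum vote arithmetic plus the cmdlets that configure it.
# Assumptions: cluster named CLUSTER01; witness share on a server in a third site.

function Test-ClusterQuorum {
    # Each node contributes one vote; a disk or file share witness adds one more.
    # A majority is needed to keep the cluster running: floor(total/2) + 1 votes.
    param([int]$NodeCount, [int]$FailedNodes, [switch]$Witness, [switch]$WitnessLost)
    $witnessVote = if ($Witness -and -not $WitnessLost) { 1 } else { 0 }
    $totalVotes  = $NodeCount + [int]$Witness.IsPresent
    $needed      = [math]::Floor($totalVotes / 2) + 1
    $remaining   = ($NodeCount - $FailedNodes) + $witnessVote
    [pscustomobject]@{
        Nodes = $NodeCount; Witness = $Witness.IsPresent; Failed = $FailedNodes
        TotalVotes = $totalVotes; VotesNeeded = $needed; VotesRemaining = $remaining
        HasQuorum = ($remaining -ge $needed)
    }
}

# Two-node cluster: with Node Majority alone, losing one node loses quorum (1 of 2 votes).
Test-ClusterQuorum -NodeCount 2 -FailedNodes 1
# The same cluster with a witness survives the loss of a node (2 of 3 votes).
Test-ClusterQuorum -NodeCount 2 -FailedNodes 1 -Witness
# Stretched four-node cluster split 2/2 by a WAN outage: only the half that still
# reaches the third-site witness has 3 of 5 votes and stays up; the other half stops.
Test-ClusterQuorum -NodeCount 4 -FailedNodes 2 -Witness
Test-ClusterQuorum -NodeCount 4 -FailedNodes 2 -Witness -WitnessLost
# Losing only the witness on a healthy cluster is harmless: 4 of 5 votes remain.
Test-ClusterQuorum -NodeCount 4 -FailedNodes 0 -Witness -WitnessLost

# Configure Node and File Share Majority on the cluster and read the result back.
Import-Module FailoverClusters
Set-ClusterQuorum -Cluster 'CLUSTER01' -NodeAndFileShareMajority '\\witness.corp.example\ClusterWitness$'
Get-ClusterQuorum -Cluster 'CLUSTER01' | Format-List QuorumType, QuorumResource
```

The last two calculator lines are the security-relevant ones for a GeoCluster: the witness decides which site keeps running during a partition, so the share must live in a site that both halves can reach independently, and only the cluster computer account should have write access to it.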

Stretched Clusters

Windows Server 2008 R2 also introduced the concept of stretched clusters to provide better server and site server redundancy. Effectively, Microsoft has eliminated the need to have cluster servers remain on the same subnet, as has been the case in Windows clustering in the past. Although organizations have used virtual local area networks (VLANs) to stretch a subnet across multiple locations, this was not always easy to do and, in many cases, technologically not the right thing to do in IP networking design.

By allowing cluster nodes to reside on different subnets, plus with the addition of a configurable heartbeat timeout, clusters can now be set up in ways that match an organization’s disaster failover and recovery strategy.

Improved Support for Storage Area Networks

Windows Server 2008 R2 also has improved support for storage area networks (SANs), providing enhanced mechanisms for connecting to SANs as well as for switching between SAN nodes. In the past, a connection to a SAN was a static connection, meaning that a server was connected to a SAN just as if it were physically connected to a direct attached storage system. However, the concept of a SAN is that if a SAN fails, the server should reconnect to a SAN device that is still online. This could not be easily done with Windows 2003 or prior; SCSI bus resets were required to move a server from one SAN device to another.

With Windows Server 2008 R2, a server can be associated with a SAN with a persistent reservation to access a specific shared disk; however, in the event that the SAN fails, the server session can be logically connected to another SAN target system without having to script device resets that have been complicated and disruptive in disaster recovery scenarios.

Addition of Migration Tools

Beyond the standard migration tools that help administrators migrate from one version of Active Directory to another, or to perform an in-place upgrade from one version of Windows to another, Windows Server 2008 R2 has migration tools to help administrators move entire server roles from one system to another. These new tools provide migration paths from physical servers to virtual servers, or from virtual servers to physical servers. Other tools allow for the migration of DHCP configuration and lease information from one server to another. These tools and the prescriptive guidance help administrators migrate servers more easily than ever before.

Operating System Migration Tools

Windows Server 2008 R2 provides tools that help administrators migrate from older versions of the Windows Server operating system to Windows Server 2008 R2. The supported migration paths are as follows:

  • Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2—These operating systems can be migrated to Windows Server 2008 R2 using the operating system migration tools and guidance documentation.

  • x86 and x64—Servers can be migrated from x86 to x64 and from x64 to x64 with limitations. Because Windows Server 2008 R2 is an x64 operating system only, there is no in-place upgrade support from x86 to x64, so the upgrade path is a server-to-server transition, not in-place. However, x64 to x64 in-place is supported as long as any applications sitting on the server can be upgraded from one x64 platform to the Windows Server 2008 R2 x64 platform.

  • Full Server and ServerCore—Operating system migration from Full Server to ServerCore and from ServerCore to Full Server is supported, typically as a server-to-server migration, because in-place migrations between Full Server and ServerCore have limitations. The GUI needs to be added or removed and, thus, applications are typically migrated rather than complete operating systems between the platforms.

  • Physical and virtual—Virtualization of guest sessions is the de facto standard in data centers these days and the implementation of applications on virtual guest sessions is the norm. As such, organizations wanting to migrate from physical server configurations to virtual guest sessions can leverage the migration tools and guidance available in performing server and application migrations to virtual server roles.

Server Role Migrations

Included in Windows Server 2008 R2 are tools and guidance that help administrators migrate server roles to Windows Server 2008 R2 server systems. The supported migration paths are as follows:

  • Active Directory Domain Services—The migration from Active Directory 2003 and Active Directory 2008 to Active Directory 2008 R2 is fully supported and covered in Chapter 16 of this book.

  • DNS and DHCP migrations—New migration tools are available that help administrators migrate their DNS and DHCP servers from running on previous versions of Windows to servers running Windows Server 2008 R2, and not only just the service configurations but also DNS and DHCP data. In the past, the migration of DHCP to a new server usually meant the loss of DHCP lease information. With the new migration tools in Windows Server 2008 R2, an administrator can now migrate the server configuration as well as the lease data, including lease expiration data, as part of the migration process. These migration tools are covered in Chapters 10 and 11 of this book.

  • File and print migrations—Included in the migration tools for Windows Server 2008 R2 are features that migrate file data, including file permissions, as well as print server configurations and settings from older servers to new Windows Server 2008 R2 configurations. These migration tools help simplify the process of updating from old server systems to new systems with the least amount of impact on the organization, and drastically simplify the process of migration for domain administrators.
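The DHCP migration described in the list above, as an added example that is not code from the book: it uses the Windows Server Migration Tools cmdlets (Export-SmigServerSetting and Import-SmigServerSetting, registered through the Microsoft.Windows.ServerManager.Migration snap-in) to carry the DHCP configuration and lease database from a source server to a Windows Server 2008 R2 destination. The migration store path, the server names DHCP-OLD and DHCP-NEW, and the address 10.1.1.20 are assumptions; the store is password-protected because it contains the full scope and lease data.

```powershell
# Added example (not from the book): migrate a DHCP server with Windows Server Migration Tools.
# Assumptions: tools installed on both servers, store copied via an admin share,
# source DHCP-OLD, destination DHCP-NEW (10.1.1.20), both domain members.

# ---- On the SOURCE server (Windows Server 2003/2008) ----
# Stop the service so the lease database is quiescent, then export settings and data.
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
Stop-Service -Name DHCPServer
$StorePassword = Read-Host -Prompt 'Password to protect the migration store' -AsSecureString
Export-SmigServerSetting -FeatureID DHCP -Path 'C:\Migration\DHCP' -Password $StorePassword -Verbose
# Remove the old server's authorization so two servers never answer for the same scopes.
& netsh.exe dhcp delete server DHCP-OLD.corp.example 10.1.1.10

# ---- On the DESTINATION server (Windows Server 2008 R2) ----
Import-Module ServerManager
Add-WindowsFeature DHCP               # install the role; leaves the service stopped and unauthorized
Add-PSSnapin Microsoft.Windows.ServerManager.Migration
$StorePassword = Read-Host -Prompt 'Migration store password' -AsSecureString
Import-SmigServerSetting -FeatureID DHCP -Path 'C:\Migration\DHCP' -Password $StorePassword -Force -Verbose
Start-Service -Name DHCPServer
# Authorize the new server in Active Directory; rogue-server detection blocks unauthorized ones.
& netsh.exe dhcp add server DHCP-NEW.corp.example 10.1.1.20

# Verification on the destination: every scope from the export should now be present,
# and the lease count should match what the old server held.
& netsh.exe dhcp server show scope
& netsh.exe dhcp server show mibinfo
```

The authorization steps are the part worth a second look from a security standpoint: leaving the old server authorized after the import produces duplicate offers and, later, conflicting leases, while a new server that is started before it is authorized is simply ignored by clients, so the order stop, export, deauthorize, import, start, authorize is deliberate.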

Improvements in Server Roles in Windows Server 2008 R2

The introduction of Windows Server 2008 R2 added new server roles to Windows as well as enhanced existing roles based on feedback Microsoft received from organizations on features and function wish lists. Server roles are no longer installed by default on a Windows Server 2008 R2 server and have to be selected for installation after the initial installation of the Windows operating system.

Some of the new or improved server roles in Windows Server 2008 R2 include Internet Information Services 7.5, SharePoint Services, Rights Management Service, and Windows virtualization.

Introducing Internet Information Services 7.5

Internet Information Services (IIS) 7.5 is the seventh-generation web server service from Microsoft. Microsoft completely redesigned IIS 7.0 in Windows Server 2008 rather than just adding more functions and capabilities to the exact same IIS infrastructure, as it had done for the past several years. The good part of the new IIS 7.x is that it now provides organizations with the ability to manage multiple web servers from a single console, rather than having to install components and configure each web server individually. This requires organizations to rethink and redesign their web management tasks, moving from pushing the same content to dozens of servers individually to a process where information is pushed to a Shared Configuration store, from which common information is posted and shared across all IIS 7.x servers. Organizations can continue to post information the old way by pushing it individually to each server; however, to gain the advantage of the new IIS 7.x services, the way information gets posted should be redesigned to fit the new model.

The advantage of the new model of content posting is that information is stored, edited, and managed in a single location. At a designated time, the information in the single location is posted to each of the servers in the shared application hosting farm. This is a significant improvement for organizations managing and administering a lot of IIS web servers. It ensures that all servers in a farm are using the same content, have been updated simultaneously, and that any changes are propagated to every server in the farm. Web administrators no longer have to worry that they forgot to update a server, or have to stage an update so that each individual server is updated in a sequence fast enough that all users see the change at around the same time.

IIS 7.5 is covered in detail in Chapter 12, “Internet Information Services.”

Windows SharePoint Services

A significant update provided as part of the Windows Server 2008 client access license (CAL) is the ability to load and run Windows SharePoint Services. Now in its third generation, Windows SharePoint Services (WSS) is a document-storage management application that provides organizations with the capability to better manage, organize, and share documents, as well as providing teams of users the ability to collaborate on information. Windows SharePoint Services sets the framework on which Microsoft Office SharePoint Server 2007 (MOSS) is built. MOSS leverages the core functionality of WSS and extends the capability into enterprise environments. WSS is the basis of document sharing and communications for organizations in the evolution of file and information communications.

Windows SharePoint Services is covered in detail in Chapter 35.

Windows Rights Management Services

Windows Rights Management Services (RMS) was available as a downloadable feature pack in Windows 2003 and is now included as an installable server role in Windows Server 2008 R2. Windows Rights Management Services sets the framework for secured information sharing of data by encrypting content and setting a policy on the content that protects the file and the information stored in the file.

Organizations have been shifting to RMS rather than the old secured file folder primarily because users who should be saving sensitive information into a file folder frequently forget to save files in the folder, and thus sensitive information becomes public information. By encrypting the content of the file itself, even if a file with sensitive information is stored in the wrong place, the file cannot be opened, and the information in the file cannot be accessed without proper security credentials to access the file.

Additionally, RMS allows the individual saving the file to set specific attributes regarding what the person would like to be secured about the file. As an example, a secured file in RMS can be set to not be edited, meaning that a person receiving the file can read the file, but he or she cannot select content in the file, copy the content, or edit the content. This prevents individuals from taking a secured file, cutting and pasting the content into a different file, and then saving the new file without encryption or security.

RMS also provides attributes to enable the person creating a file to prevent others from printing the file. The file itself can have an expiration date, so that after a given period of time, the contents of the file expire and the entire file is inaccessible.

Rights Management Services is covered in Chapter 13.

Windows Server Virtualization

A new technology that wasn’t quite available at the time Windows Server 2008 shipped in 2008, but has since been released and available on the original Windows Server 2008 R2 DVD, is Windows server virtualization known as Hyper-V. Hyper-V provides an organization with the ability to create guest operating system sessions, like those shown in Figure 1.11, on a Windows Server 2008 R2 server to get rid of physical servers, and instead make the servers available as virtual server sessions.

Figure 1.11 Windows virtualization guest sessions.

Instead of purchasing a new physical server every time a new server system needs to be placed on the network, a virtual server can be created that has all the same operations and functions as the physical server itself. Or, for organizations that are putting in place disaster recovery centers and server clustering for better server reliability and redundancy, virtualization allows the addition of these additional servers within the guest operating system space of a single server system.

Virtualization in Windows Server 2008 R2 supports 64-bit and 32-bit guest sessions; has a built-in snapshot tool so that a virtual session can be protected or rolled back in the event of a guest image failure or corruption; and supports virtual sessions that can span terabytes of disk storage and use 16GB, 32GB, or more of memory per guest session. Windows Server 2008 R2 Hyper-V also supports “live migration,” which allows faster failover and recovery of a virtual guest session across host servers.

More details on Windows Server 2008 R2 virtualization are covered in Chapter 37.

Identifying Which Windows Server 2008 R2 Service to Install or Migrate to First

With the release of Windows Server 2008 R2, organizations need a plan for installing or migrating to Windows Server 2008 R2 in a logical order. This chapter has so far covered the top features, functions, and technologies built in to Windows Server 2008 R2 that organizations have identified as the key technologies to implement to improve technology-driven business processes.

Because Windows Server 2008 R2 provides many different functions, each organization has to choose how to best implement Windows Server 2008 R2 and the various networking features that meet its own needs. In small network environments with fewer than 20 to 30 users, an organization might choose to implement all the Windows Server 2008 R2 features on a single server. However, in larger environments, multiple servers might be implemented to improve system performance, as well as provide fault tolerance and redundancy; thus, a more staged implementation of core services needs to be taken.

Windows Server 2008 R2 Core to an Active Directory Environment

For an organization that does not have Windows Active Directory already in place, that is one place to start because Active Directory Domain Services is key to application and user authentication. For organizations that already have a fully operational Active Directory running on Windows 2003 or Windows 2008, upgrading to Active Directory Domain Services on Windows Server 2008 R2 might be something that is addressed a little later in the upgrade cycle when AD DS 2008 R2 functionality is needed. To get a lot of the Windows Server 2008 R2 server functionality like 2008 R2 DFS, SharePoint Services, Hyper-V virtualization, and so on, an organization can still run on an older Active Directory environment (typically Active Directory 2003 native mode). However, the point is that Active Directory 2008 R2 is not a prerequisite to get Windows Server 2008 R2 server role functionality.

Active Directory is more than a simple list of users and passwords for authentication into a network; it is a directory that Microsoft has embedded into the policy-based security, remote access security, and certificate-based security enhancements in Windows Server 2008 R2. For that reason, AD DS 2008 R2 implementation does occur earlier in the migration cycle for organizations that want to implement many of the new Active Directory 2008 R2 technologies, such as Active Directory Recycle Bin, Offline Domain Join, Managed Service Accounts, and the ability to use PowerShell cmdlets within a Group Policy Object.

Windows Server 2008 R2 extends the capabilities of Active Directory with better management tools, more robust directory replication across a global enterprise, and better scalability and redundancy to improve directory operations. Windows Server 2008 R2 effectively adds more reliability, faster performance, and better management tools to a system that can be leveraged as a true enterprise directory provisioning, resource tracking, and resource management tool. Because of the importance of Active Directory to the Windows Server 2008 R2 operating system, plus the breadth of capabilities that Active Directory can facilitate, six chapters in Part II of this book are dedicated to Active Directory.

Windows Server 2008 R2 Running Built-in Application Server Functions

As much as many administrators think of Active Directory as one of the key areas to upgrade when a new release of the operating system becomes available, in reality, Active Directory tends to not be the first thing updated. Instead, the real business drivers for migrating to Windows Server 2008 R2 typically come from the built-in application server programs that are available on Windows Server 2008 R2.

Windows Server 2008 R2 comes with several programs and utilities to provide robust networking capabilities. In addition to the basic file and print capabilities covered earlier in this chapter, Windows Server 2008 R2 can provide name resolution for the network and enable high availability through clustering and fault tolerance, connectivity for mobile users, web services functions, and dozens of other application server functions.

When convincing management that an upgrade to Windows Server 2008 R2 is important, the IT professional needs to sift through the technologies built in to Windows Server 2008 R2 and pick those services that help an organization use technology to achieve its business initiatives. When planning the implementation of Windows Server 2008 R2, a network architect needs to consider which of the server services are desired, how they will be combined on servers, and how they will be made redundant across multiple servers for business continuity failover.

For a small organization, the choice to combine several server functions to a single system or to just a few systems is one of economics. However, an organization might distribute server services to multiple servers to improve performance (covered in Chapter 34), distribute administration (covered in Chapter 18), create server redundancy (covered in Chapter 29), create a disaster recovery strategy (covered in Chapter 31, “Recovering from a Disaster”), enable security (covered in Chapter 13), or to serve users in other remote site locations of the organization (covered in Chapter 32).

Some of the built-in application server functions in Windows Server 2008 R2 include the following:

  • Domain controller—Like in previous versions of the Windows operating system, the domain controller enables users to authenticate to the domain for access to network resources.

  • Global catalog server—The global catalog server is a domain controller that also stores a subset of AD DS objects from other domains in the forest. When an internal or external user with appropriate security rights wants to look at a list of Active Directory users in the forest, the global catalog server provides the list.

  • DNS server—The domain name system (DNS) maintains a list of network servers and systems and their associated IP addresses, so a DNS server provides information about the devices connected to the network.

  • DHCP server—The Dynamic Host Configuration Protocol (DHCP) assigns IPv4 and/or IPv6 network addresses to devices on the network. Windows Server 2008 R2 provides the service function to facilitate DHCP addresses to network devices.

  • Cluster server—When fault tolerance is important to an organization, clustering provides failover from one system to another. Windows Server 2008 R2 provides the ability to link systems together so that when one system fails, another system takes over.

  • Network Policy Server—NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. NPS routes authentication and accounting messages to other RADIUS servers. It also acts as a health evaluation server for Network Access Protection (NAP).

  • Remote Desktop server—Instead of having a full desktop or laptop computer for each user on the network, organizations have the option of setting up simple, low-cost thin terminals for users to gain access to network resources. Windows Server 2008 R2 Remote Desktop Services allows a single server to host network system access for dozens of users.

  • Remote access server—When a remote user has a desktop or laptop system and needs access to network services, Windows Server 2008 R2 provides remote access services that allow the remote systems to establish a secure remote connection.

  • Web server—As more and more technologies become web-aware and are hosted on web servers, Windows Server 2008 R2 provides the technology to host these applications for browser-based access.

  • Media server—With information extending beyond text-based word processing documents and spreadsheets into rich media such as video and audio, Windows Server 2008 R2 provides a source for hosting and publishing video and audio content.

  • Virtualization server—Windows Server 2008 R2 provides the core capabilities to do server virtualization, providing the capability for an organization to consolidate physical servers into fewer host server systems, thus decreasing the total cost of IT operations.

  • Distributed File System (DFS) server—For the past decade, data files have been stored on file servers all around an organization. Windows Server 2008 R2 provides Distributed File Systems that allow an organization to take control of distributed files into a common unified namespace.

These plus several other functions provide robust networking services that help organizations leverage the Windows Server 2008 R2 technologies into solutions that solve business needs.
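The chapter notes that a network architect has to decide how the server roles above are combined on servers and how they are made redundant across multiple servers. The following PowerShell script is an added example (not code from the book): it inventories which of those roles are installed on each server and flags any role hosted on only one machine. It assumes PowerShell remoting (WinRM) is enabled on every server, that the account running it is a local administrator there, and that the server names are constructed placeholders.

```powershell
# Added example, not from the book: inventory the Windows Server 2008 R2 roles
# installed on each server and flag roles with no redundancy for failover.
# Assumes WinRM is enabled on each server, the caller is a local administrator
# there, and the server names below are constructed placeholders.
Import-Module ServerManager

$servers = @('srv-dc01', 'srv-dc02', 'srv-app01')   # constructed names

# Roles the chapter names as candidates for multi-server redundancy, keyed by
# their Server Manager feature names on Windows Server 2008 R2. Verify the
# names on your own build with Get-WindowsFeature before relying on them.
$rolesOfInterest = @{
    'AD-Domain-Services'      = 'Domain controller / global catalog'
    'DNS'                     = 'DNS server'
    'DHCP'                    = 'DHCP server'
    'Failover-Clustering'     = 'Cluster server'
    'NPAS'                    = 'Network Policy Server'
    'Remote-Desktop-Services' = 'Remote Desktop server'
    'Web-Server'              = 'Web server (IIS)'
    'Hyper-V'                 = 'Virtualization server'
    'FS-DFS'                  = 'Distributed File System server'
}

# Query each server remotely; Get-WindowsFeature lives in the ServerManager
# module, which must be imported inside the remote session as well.
$installed = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module ServerManager
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Select-Object Name, @{ n = 'Server'; e = { $env:COMPUTERNAME } }
}

# Build a role -> list-of-servers map for the roles we care about
$hosts = @{}
foreach ($entry in $installed) {
    if ($rolesOfInterest.ContainsKey($entry.Name)) {
        if (-not $hosts.ContainsKey($entry.Name)) { $hosts[$entry.Name] = @() }
        $hosts[$entry.Name] += $entry.Server
    }
}

# Report: a role with a single host is a single point of failure; roles that
# share one box compete for resources and fail together.
foreach ($role in ($hosts.Keys | Sort-Object)) {
    $where  = @($hosts[$role] | Sort-Object -Unique)   # @() forces an array
    $status = if ($where.Count -lt 2) { 'NO REDUNDANCY' } else { 'redundant' }
    '{0,-36} {1,-14} {2}' -f $rolesOfInterest[$role], $status, ($where -join ', ')
}
```

Roles from the list that appear on no server at all are simply absent from the report, which is itself useful when deciding which service to deploy first.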

Windows Server 2008 R2 Running Add-in Application Server Functions

Although some of the newer, built-in server application functions in Windows Server 2008 R2—such as Network Policy Server, server virtualization, Remote Desktop Services Web Access, Media Server, and so on—provide key areas for organizations to select as initial areas to implement Windows Server 2008 R2 technologies, other organizations might find add-in applications as being the key areas that drive an initial implementation of Windows Server 2008 R2. Some of the add-in applications come from Microsoft, such as the Microsoft Exchange Server 2010 messaging system or Microsoft SQL Server 2008 database system. Other add-ins to Windows Server 2008 R2 are provided by companies that provide human resource management applications; accounting software; document management tools; fax or voicemail add-ins; or other business, industry, or user productivity capabilities.

In earlier Windows Server operating systems, the core operating system provided simple logon and network connectivity functions; however, with Windows Server 2008 R2, the operating system includes many core capabilities built in to the Windows Server 2008 R2 operating environment. With integrated fault tolerance, data recovery, server security, remote access connectivity, web access technologies, and similar capabilities, organizations creating add-ins to Windows Server 2008 R2 can focus on business functions and capabilities, not on core infrastructure reliability, security, and mobile access functionality. This off-loading of the requirement of third-party add-in organizations to implement basic networking technologies into their applications enables these developers to focus on improving the business productivity and functionality of their applications. Additionally, consolidating information routing, security, remote management, and so on into the core operating system provides a common method of communication, authentication, and access to users without having to load up special drivers, add-ins, or tools to support each and every new application.

Much of the shift from application-focused infrastructure components to core operating system-focused functionality was built in to Windows 2000 and then later enhanced in Windows 2003 and Windows Server 2008. Earlier versions of the Windows operating system presented many challenges; however, after many years on the market, add-ins for this platform have gone through several revisions to work out functionality and reliability issues between application and operating system. Fortunately, Windows Server 2008 R2 uses the same application/operating system technology used in Windows 2003 and Windows Server 2008, so applications written for Windows 2003 and Windows Server 2008 typically need only a simple service pack update to run on Windows Server 2008 R2, if anything at all.

This introductory chapter was intended to highlight the new features, functions, migration tools, and management utilities in Windows Server 2008 R2 that will help administrators take advantage of the capabilities of the new operating system. If Windows Server 2008 R2 is seen as just a simple upgrade to Windows 2000/2003/2008, an organization will not benefit from the operating system enhancements. However, when fully leveraged with the capabilities of the Windows Server 2008 R2 operating system, an organization can improve services to its employees through the use of new tools and technologies built in to the operating system.

Because Windows Server 2008 R2 is a relatively simple migration from existing Windows 2003 and Windows 2008 Active Directory environments, and Windows Server 2008 R2 application servers can be added to existing Active Directory 2000/2003/2008 domains, the migration process really is one where the IT administrators need to prioritize which Windows Server 2008 R2 services to install or migrate to first, and to then plan and test the new technologies to make sure they improve IT services to the organization.

Best Practices

The following are best practices from this chapter:

  • When implementing Windows Server 2008 R2 for the first time, or migrating to Windows Server 2008 R2 from a previous version of Windows, choose to implement the technologies in Windows Server 2008 R2 that will provide the organization with the most value in terms of employee productivity enhancements or regulatory compliance security improvements first.

  • When considering adding a Windows Server 2008 R2 server to an existing Windows 2000/2003/2008 Active Directory environment, consider implementing things like Remote Desktop Services Web Access, SharePoint Services, or Windows virtualization, which have proven to be pretty easy to implement and provide a lot of value to organizations.

  • To ultimately improve Windows security, tune and optimize Windows Server 2008 R2 for a secured networking environment.

  • Use Remote Desktop Services in Windows Server 2008 R2 to provide users with access to local hard drives, as well as to redirect the audio from a centralized Terminal Server to a remote system.

  • Use Windows Deployment Services (WDS) to create client system images that can be quickly and easily rolled back through Group Policy.

  • Windows Server 2008 R2 virtualization can help organizations deploy clustering and add in disaster recovery data centers without having to add additional physical servers to the network.

  • Remote and branch office locations greatly benefit from the use of Read-Only Domain Controllers, Distributed File System Replication, BitLocker security, and distributed administration tools built in to Windows Server 2008 R2.

  • Using the new Windows Server 2008 R2 Server Manager can simplify the task of a network administrator trying to access information residing on different servers and in different server roles in the environment.

  • It is best to run the Group Policy Management Console on a Windows Server 2008 R2 or Windows 7 system to have access to all the policy features available (compared with running GPMC on a Windows XP or Windows Server 2003 system).

© Copyright Pearson Education. All rights reserved.