What You Need to Know About Windows Server 2008 Beta 3

This is the big one

Paul Thurrott

June 27, 2007

9 Min Read
ITPro Today logo in a gray background | ITPro Today

After many months of delays, Microsoft finally released the Beta 3 version of Windows Server 2008—previously code-named "Longhorn"—a major milestone prerelease version of the next version of Windows Server. Windows 2008 has evolved quite a bit over time, and though the project hasn't suffered from the many feature drops and problems that dogged Windows Vista, Beta 3 certainly has a few surprises. Here's what you need to know about Windows 2008 Beta 3.

The Basics
Windows 2008 will boast enhanced scripting and task automation via the new Windows PowerShell—a surprise addition to Beta 3, given that PowerShell was originally not going to ship as part of this product. In addition, Windows 2008 will have improved roles-based installation and management capabilities that extend to Windows Server Core, a new lightweight and safer version of the OS that provides only a subset of roles available in the mainstream server versions.

Like Windows Vista, Windows 2008 includes increased security prowess. The Windows Firewall is enabled now by default, for example, and in branch offices Windows 2008 can be installed using technologies such as Read Only Domain Controller (RODC) and BitLocker, which can help ensure that physical server theft won't result in a major security disaster. Windows 2008 also includes the long-awaited Network Access Protection (NAP) feature, which finally brings policy-based network quarantining to the Windows platform.

On the flexibility front, Windows 2008 adds someintriguing new Terminal Services improvements that willallow organizations to deploy remote environments andeven remote applications, both within their firewall andbeyond. And eventually, the inclusion of the WindowsServer Virtualization piece (as an optional add-on) willprovide Windows 2008 with a more performance-friendlyand secure bare metal virtualization solution, though thatpiece isn't present in Beta 3.

Moving to Beta 3
In the gear-up to Windows 2008 Beta 3, Microsoft has made a number of improvements. Windows Firewall is configured to open and close only the required ports as roles and features are installed and removed, resulting in the most secure Windows Server version yet. Server Manager, Microsoft's central console for daily server administration tasks, has been improved and augmented by a new command-line tool called servermanagercmd.exe that provides administrators with all of Server Manager's functionality from the command line.

Speaking of command lines, the Server Core installation type has been augmented with a new command-line tool called oclist.exe, which provides a way to examine the roles and features that are installed in the Server Core environment. Microsoft has also increased the number of roles with the addition of new Active Directory Lightweight Directory Services (AD LDS), Print, and Windows Media Services (WMS) roles. (Other roles, such as Web Server and Virtualization, will be made available later.) The seven roles available in Beta 3 include AD, AD LDS, DNS, DHCP, WMS, File, and Print.

Beta 3 itself includes some Terminal Services improvements over past versions of Longhorn. A new feature called Easy Print makes it, well, easy to print from a Terminal Services-based environment or application to your default printer. Remote Programs has been rebranded as Terminal Services RemoteApp. You can seamlessly copy and paste between a Terminal Server session and the host OS, which is a huge improvement. And Terminal Services now supports 32-bit color sessions, increased from 24-bit in previous versions.

NAP has been updated so that you can remediate connecting clients via Windows Update or Microsoft Update if your local Windows Server Update Services (WSUS) box is unavailable. You can now integrate NAP with Cisco's Network Admission Control (NAC) quarantine solution as well, which was the ostensible reason for delaying NAP's release from Windows Server 2003 R2 to Windows 2008. And a new, simple, wizard-based UI makes setting up and managing NAP easier than ever.

Drilling Down
Looking over the long list of new and improved Windows 2008 features, a number of them stand out. The new Server Manager is turning into a true one-stop shop for an admin's daily management needs. Here, you'll see nodes in the Microsoft Management Console (MMC) UI for all of the installed roles and features; troubleshooting tools such as the new XML-based Event Viewer and the new Vista-like reliability and performance tools; configuration tools such as Task Scheduler, Windows Firewall, Windows Management Instrumentation (WMI) Control, and Device Manager; and storage and backup tools such as Windows Server Backup (finally, a replacement for the miserable NTBackup) and Disk Management, which can resize NTFSbased volumes on the fly.

Server Manager is the culmination of years of work in management UIs. In the topmost "home page," you'll see a variety of information about the server that's currently connected, along with task pads for editing server configuration information. Other commonly needed server attributes (e.g., security, roles, features) are also available from this home page, which isn't a dashboard, but rather an interactive cockpit. That is, you can view installed features, for example, but you can also install and uninstall features from this home page and drill deeper into the functionality of installed features.

Server Core is one of the most intriguingthings about Windows 2008. This strippeddown installation type lets you configure aGUI-less, headless server with one to sevenroles, including AD, AD LDS, DNS, DHCP,WMS, File, and Print (and it will eventuallyinclude Web Server and Windows Server Virtualization). Server Core opens into a blankdesktop and a single command-line window.There's no shell, Microsoft Internet Explorer(IE) browser, Windows Media Player, or anyother pointless graphical application.

The point behind Server Core is to provideonly core server features and to do so in themost secure way. Because of the roles-basedinstallation and management aspects of Windows 2008, each of the Server Core roles areinstalled in a manner that significantly reducesthe attack surface of the server. Note thatServer Core-based servers are still based onWindows 2008, and thus provide the sameconnection capabilities: You can still managethem remotely using the GUI-based tools youalready know and love, from another server ora desktop machine.

Windows 2008, like Vista, includes the useful BitLocker utility, which I covered in "What you need to know about Vista's User Account Control and BitLocker Drive Encryption" (April 2007, InstantDoc ID 95153). BitLocker provides full volume disk encryption for all disks attached to the server; this is a new feature: In Vista, only the system disk was protected by default. BitLocker is even more useful when used in tandem with other Windows 2008 technologies. For example, businesses looking for the most secure and easily managed branch office servers could install BitLocker alongside Server Core and RODC for the most secure configuration possible. If the server is stolen, no data can be taken and hackers won't be able to access the passwords for all domain users since only the passwords for the locally cached users—and not the administrators—are stored locally on the box.

On the Terminal Services front, a new mode called Terminal Services Gateway tunnels remote sessions through HTTP Secure (HTTPS) so that you don't need to configure a VPN, but can still access Terminal Services from wireless locations that specifically block VPNs. Remote sessions connected in this fashion are marked with the same "secure lock" graphic that users are familiar with from IE 7.0. Terminal Services RemoteApp delivers individual applications, instead of separate remote sessions, to users' desktops. After users log on, the effect is seamless and almost identical to running the application locally.

What's Missing?
As I made reference to earlier, one of the most eagerly awaited Windows 2008 technologies—Windows Server Virtualization, code-named"Viridian"—is missing in Windows 2008 Beta 3. Indeed, in the weeks before shipping Beta 3, Microsoft warned that it would not be able to ship a public beta of Viridian until the second half of 2007. The revolutionary technology was previously expected in the first half of the year; however, Microsoft still claims that it will be able to ship Windows Server Virtualization within 180 days of the release of Windows 2008. The company plans to make this technology available separately from Windows 2008, as a free update. Whenever it is released, Windows Server Virtualization will be made available as a new server role in both Server Core and the mainstream installations of Windows 2008. Sadly, even that version of Virtualization will be scaled back from Microsoft's original promises: The company recently announced that it will no longer include three critical features: live migration support; the ability to hot-add storage, networking hardware, memory, and processors; and support for up to 32 processor cores (the initial version of Virtualization will support just 16 processor cores).

Another significant omission is that Windows 2008 Beta 3 doesn't support a Web server or application server role in Server Core. The issue is the Microsoft .NET Framework, which would be required in either scenario for either role. Current versions of the .NET Framework include a variety of GUI-based libraries, which wouldn't work properly in Server Core. Microsoft is investigating whether to create a Server Core-friendly .NET Framework subset for a future release. But I've been told that, post-Beta 3, the company will add a new Web Server role to Server Core that includes all Microsoft IIS 7.0 functionality except for ASP. NET, which does require .NET. This solution will give Microsoft an effective answer to low-end Linux/Apache Web servers.

One potential problem with Windows 2008 is its dual nature. Although the roles-based management approach means the system will always configure settings correctly when you use the GUI tools, it's still possible to go into other tools, change settings, and end up configuring options incorrectly. Consider Windows Firewall as a likely scenario: When you install or configure a role such as Application Server, the firewall is automatically configured so that the role will function correctly. But you can still go into the Windows Firewall GUI and manually override those settings. There's no "secure for currently configured roles" fallback switch.

Recommendations
Microsoft says it is on track to deliver Windows 2008 by the end of 2007 and Windows Server Virtualization by late 2007 or early 2008. Those dates might be a bit optimistic if the number of unexpected Beta 3 delays is any indication, but no matter. Windows 2008 is on the way, and it's time for businesses of all sizes to begin evaluating this next-generation Windows Server version. Beta 3 is near-feature-complete and will be widely available by the time you read this, so now is the time to begin your evaluation. Windows 2008's feature set is so vast, as are the installation possibilities, that you'll want to take the time to really understand how this release will affect your environment.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like