Windows Server 2008 in Perspective

The latest server OS has evolved nicely

Mark Minasi

August 29, 2007



Sometime early next year, Microsoft will release Windows NT Server 6.0, once known as "Longhorn Server" and now as Windows Server 2008. Will you love it? Well, that depends: Are you looking for a revolution, or just a bit of evolution?

When it comes to Windows 2008, think more Darwin and Wallace, not Marx and Lenin. As with its two predecessors, Windows Server 2003 and Windows Server 2003 R2, Windows 2008 offers some nifty new tools and innovations, as well as fixes for some old irritations. However, Windows 2008 doesn't have the kind of paradigm-busters that we saw in Windows 2000 Server—which means that the new OS will be relatively easy to incorporate into an existing Windows server environment. Unfortunately, Windows 2008 lacks solutions for some of its earlier sibling's most significant annoyances (as did Windows 2003 and Windows 2003 R2). Although Windows 2008 offers many new technologies, I only have space to cover a few of its features.

Vista Benefits
Whether you love it or hate it, Vista—Microsoft's newest desktop OS—is the most secure version of Windows yet. Windows 2008 builds on Vista's code base, so it inherits Vista's security. In addition, Windows 2008 benefits from Vista's improved functionality.

64-Bit Is It!
Perhaps the most comprehensive change in Windows 2008 is an architectural one: 64 bits. The default processor architecture is now considered to be 64 bits; 32 bits is pure legacy. According to Microsoft, Windows 2008 is the last server OS that the company will offer for 32-bit processors.

Good or bad, you might ask? Wonderful, I'd say! Yes, 64-bit code is somewhat larger than the corresponding 32-bit code, but the AMD64/EM64T chip architecture makes for easier low-level coding for programs—which means that developers are more likely to produce solid code. And even better, 64-bit architecture frees us from the 4GB address space and lets Windows grow to 16TB. Because loading what is essentially the desktop version of Windows 2008—"64-bit Vista Ultimate"—on a desktop generates a Windows Task Manager report that Windows is using 1.08GB before you even start running applications, busting out of the 4GB limit seems like a very good idea. And since Exchange Server 2007 already requires 64 bits, perhaps Windows 2008's 64-bit centricity isn't such a shock.

Server Core
By far, the feature with the single biggest "wow" factor in Windows 2008 has to be Server Core. Working with various versions of UNIX and Linux over the years has made me wish for a Windows version that's only loosely connected to its GUI. On a UNIX/Linux server, you can fire up the GUI just long enough to run a graphical administration tool, configure the server, then turn off the GUI. This approach gives you a server that uses less RAM, needs less CPU power, and is more secure (simply because less software equals fewer places for exploitable bugs).

With Windows 2008, I got my wish, to a certain extent. The Windows 2008 beta gives you the option of installing either the full-blown version or Server Core. When I installed Server Core, the installation was lightning quick. I installed Server Core as a virtual machine (VM) on a system that was already fairly busy, and I was stunned that the entire installation took only 11 minutes, start to finish, and used just 200MB of RAM.

In addition, Server Core runs on some downright skinny hardware. Although I don't suggest that you run a production Server Core system on a 256MB system, it is possible. Considering that Vista won't even install on a system with less than 512MB of RAM and won't run worth a darn on a system with less than 1.5GB, I find it eye-opening for Server Core to show just how much we willingly give away in computing power in order to have a GUI.

But once you see the Server Core desktop, you might beg to trade that computing power to get your GUI back—Server Core's desktop is nothing more than a command prompt window. Server Core lacks about 80 percent of the Windows GUI and completely lacks .NET. Server Core also can't use Windows PowerShell, although it can use some PowerShell cmdlets.

Before you quit reading right here, using Server Core isn't as bad as it sounds. You can use several methods to administer a Server Core system. For example, you can hunker down and use the command prompt. Over the years, Microsoft has added more and more command-line administrative power to Windows. Server Core offers several new command-line interface (CLI) tools, making CLI-based administration more reasonable.

And GUI addicts, fear not—you can still click to your heart's content. Just fire up a Microsoft Management Console (MMC) remote-management snap-in on a full-blown Windows 2008 system to remotely control your Server Core system.

Server Core can't do everything that full-blown Windows 2008 can; for example, it can't host an Exchange server or a SQL Server machine. It can, however, be a DHCP, WINS, DNS, or Microsoft IIS server (although without ASP.NET support); a domain controller (DC); and a file and print server.

Why use Server Core? Two reasons. First, as I've said, Server Core runs on much lighter hardware than the full-blown version of Windows 2008 does. Thus, Server Core might make more sense as a VM in production than the complete version makes. Or, Server Core might fit on an inexpensive bit of computer hardware, making a server in a branch office more feasible than a server requiring more silicon and iron might be. Second, a smaller software base offers fewer places for bugs to crop up that would allow malicious users to attack and exploit a Server Core system—which Microsoft claims will prevent Server Core systems from needing patching as often as full-blown systems. All other things being equal, less software means better security (which, I think, is why Microsoft didn't include .NET in Server Core). And although some of you will disagree with me, I think Microsoft should keep .NET off Server Core. The .NET platform is a hefty bit of software with its own security subsystem—adding it to a "minimalist" version of Windows 2008 that's designed for sturdiness would defeat the purpose of Server Core.

The big question is: Will Server Core sell? And the answer depends on just one thing: price. Microsoft says that when you buy a copy of Windows Server 2008 Standard Edition, Enterprise Edition, or Datacenter Edition, you'll have the option of installing either the complete or Server Core version of the software. If so, Server Core is doomed. Why would someone pay thousands of dollars for a server OS, then install its reduced-function version? My prediction is that Server Core will die on the vine—which would be a shame. Microsoft should think seriously about making Server Core the Windows 2008 "low-price alternative."

Active Directory Changes
The first change that Windows 2008 brings to Active Directory (AD) is a new name, Active Directory Domain Services. ADDS alters Windows-based domains in several ways: read-only DCs (RODCs), fine-grained password policies, and AD snapshots.

Before I discuss what's new in Windows 2008 AD, let me point out what's not new: improvements to forest restructuring tools. Windows 2008 still offers no easy way to merge forests, pluck a domain from a forest and make it a new forest, merge two domains, or perform any of the other tasks that mergers, acquisitions, and reorganizations require.

Read-only DCs. Windows 2008 has a new sort of DC called a read-only domain controller (RODC), which might be the OS's second-biggest change after Server Core. Recall that prior to Win2K, domains had just one server with a read/write copy of the domain accounts—the server called the primary domain controller (PDC). All the other DCs had just read-only copies of the domain accounts; they were called backup domain controllers (BDCs). In Win2K, all DCs became equal, with every DC being a read/write DC.

Microsoft finally decided that neither of these approaches is optimal. Therefore, in Windows 2008 you can select the mix of read/write DCs and RODCs you want. Read/write DCs are useful because they can accept updates to domain accounts, whereas RODCs can't. So, you can't use an RODC to create a new user account or change a password.

Why use an RODC? First, RODCs generate less replication traffic. Second, RODCs have a feature that Windows NT 4.0 BDCs lack: fine-grained control of exactly how much domain data you share with a given RODC. For example, you could put an RODC into a small branch office with eight employees and tell the RODC only the passwords of those eight people. If the RODC were then stolen and its AD copy hacked, the only passwords at risk would be the ones on those eight accounts, rather than the passwords of every account in the domain. Or, you could be even more cautious and not tell the RODC any of the passwords, making the DC a nearly useless target.

A branch office RODC without any passwords would still be useful because although it couldn't provide initial logon services for a user, it could handle subsequent logons. A user's first-thing-in-the-morning workstation logon would require a WAN link, but the local RODC could handle any further logons (e.g., a Sysvol connection to read group policies, a logon to a local print server, a connection to the Exchange server). And if a branch office DC were stolen, Windows 2008's AD lets you run a wizard to change the stolen passwords or make the user accounts inactive. This wizard also makes removing a dead DC from AD far simpler than using the Ntdsutil tool.

Fine-grained password policies. The only reason for having more than one domain in an AD forest that still makes technological sense is if you want some of your users to have to change their passwords every X days and other users to have to change their passwords every Y days. Ever since Win2K, all members of an AD domain have been subject to the same password policies.

Windows 2008's AD changes this rule. You can now tell AD to show different password policies (i.e., Password Settings Objects—PSOs) to different groups or individuals. Creating PSOs is a bit arcane—the most user-friendly tool for doing so is adsiedit.msc. However, the under-the-hood features are quite well thought out. For example, have you ever created a new Group Policy Object (GPO) that failed to take effect because it was blocked by a permission or overridden by another policy? The obvious solution is to use a tool that computes Resultant Set of Policy (RSoP), which is the ultimate analysis of which policy triumphs over others. Windows 2008 has a simple built-in RSoP tool that runs automatically every time you create a PSO.
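The arcane part of creating a PSO is less the tool than the object itself: the durations are stored as negative 100-nanosecond intervals, and the precedence decides which PSO wins for a user. The following Python script is an added example, not code from the article or from Microsoft; it builds an LDIF record for one PSO that ldifde can import on a DC, and the domain, group, and PSO names in it are constructed placeholders.

```python
# Added example (not from the article): build an LDIF record that creates a
# Windows Server 2008 Password Settings Object (PSO), importable on a DC with
# "ldifde -i -f pso.ldf". All DNs and names below are constructed placeholders.
from datetime import timedelta

NEVER_EXPIRES = -(2 ** 63)  # value AD uses for "password never expires"


def ad_interval(delta):
    """AD stores PSO durations as negative 100-nanosecond intervals (I8 syntax)."""
    return -int(delta.total_seconds() * 10_000_000)


def build_pso_ldif(name, domain_dn, applies_to_dn, precedence, max_age, min_age,
                   lockout_window, lockout_duration, min_length=12, history=24,
                   lockout_threshold=5):
    """Return LDIF text for one msDS-PasswordSettings object. Lower precedence
    wins when several PSOs apply to a user; max_age=None means never expires."""
    if precedence < 1:
        raise ValueError("msDS-PasswordSettingsPrecedence must be >= 1")
    if max_age is not None and min_age > max_age:
        raise ValueError("minimum password age cannot exceed maximum age")
    max_val = NEVER_EXPIRES if max_age is None else ad_interval(max_age)
    pso_dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    attrs = [
        ("objectClass", "msDS-PasswordSettings"),
        ("msDS-PasswordSettingsPrecedence", precedence),
        ("msDS-PasswordReversibleEncryptionEnabled", "FALSE"),
        ("msDS-PasswordHistoryLength", history),
        ("msDS-PasswordComplexityEnabled", "TRUE"),
        ("msDS-MinimumPasswordLength", min_length),
        ("msDS-MinimumPasswordAge", ad_interval(min_age)),
        ("msDS-MaximumPasswordAge", max_val),
        ("msDS-LockoutThreshold", lockout_threshold),
        ("msDS-LockoutObservationWindow", ad_interval(lockout_window)),
        ("msDS-LockoutDuration", ad_interval(lockout_duration)),
        ("msDS-PSOAppliesTo", applies_to_dn),  # DN of the group or user it covers
    ]
    lines = [f"dn: {pso_dn}", "changetype: add"]
    lines += [f"{key}: {value}" for key, value in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: admins rotate passwords every 30 days, 30-minute lockouts.
    print(build_pso_ldif("AdminPSO", "DC=example,DC=test",
                         "CN=Domain Admins,CN=Users,DC=example,DC=test", 10,
                         timedelta(days=30), timedelta(days=1),
                         timedelta(minutes=30), timedelta(minutes=30)))
```

After importing the file, the resultant policy for any member of the group can be checked by reading the user's msDS-ResultantPSO attribute in adsiedit.msc or ldp.exe.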

AD snapshots. Wouldn't it be neat to look at an AD snapshot as if it were a live, working, running AD? Windows 2008 lets you do so—sort of. An AD snapshot is an image taken from a working copy of AD on a DC, like a backup. But an AD snapshot is more than just a backup; you can use the tool dsamain.exe to mount an AD snapshot and get a seemingly functional but nonactive AD installation. Then, you can use an LDAP editor to examine the backed-up AD's objects, object attributes, and so on.

A benefit of AD snapshots is that you can compare two different DCs' ADs, or you can compare the state of a DC's AD over time to see what changed in the DC's copy of AD. AD snapshots also let you easily browse your AD backups. The alternative method for examining an AD backup is to set up a DC that's disconnected from the enterprise network, then restore the backup—which is fairly time consuming.

The one fly in the AD snapshots ointment is a lack of LDAP viewers. You can't fire up the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to examine a snapshot; instead, you're stuck with adsiedit.msc or ldp.exe. Perhaps a future version of Windows Server will offer a tool that simplifies the process of exploring AD naming contexts. For example, a tool for sifting through a Global Catalog (GC) would certainly make Exchange troubleshooting a lot easier.

Group Policies
Although Windows 2008 brings a lot of Group Policy improvements, we've already seen most of them in Vista, which makes sense because the workhorse of group policies isn't the DC that holds the GPOs—instead, it's the Group Policy client software that runs on the desktop and server systems. Still, Microsoft saved a few Group Policy goodies for Vista's big brother, Windows 2008.

First, and long overdue, Group Policy Management Console (GPMC) gets a Find command. Although GPOs can contain any or all of more than 2,400 settings, no command currently exists for easily finding the setting you want. For example, you can't ask the Group Policy Object Editor to show you all the settings that refer to WPA.

Second, Windows 2008's GPMC will let you add comments to GPOs. As someone who's been running production ADs for more than seven years, I admit that sometimes I can't remember what I was thinking when I assembled a particular GPO. Just being able to add an explanatory paragraph to a GPO will be a welcome addition.

Finally, Windows 2008's GPMC introduces the notion of "starter GPOs." Although Group Policy can accomplish many tasks, performing some of them can seem a bit cryptic. For example, Windows systems have always had a quirky security weakness called an "anonymous logon" or "null session." This weakness lets people on your intranet access information about your computer without logging on. To reduce these anonymous users' power in Windows, you need to activate several Group Policy settings. And as anyone who's ever pored over the many Windows "hardening guides" can attest, figuring out those settings and how to enable them can take a lot of time. Windows 2008 offers some help in the form of a starter GPO document that anyone can create to collect the settings in one place, then distribute them to users. Microsoft promises a few built-in settings, including a desktop hardening starter GPO, but I'm sure that users will create some great ones as well.

Terminal Services
Terminal Services just continues to get better in Windows 2008. For example, you just have to love the Terminal Services Gateway (TSG). This new service lets users connect to a terminal server/remote desktop behind a firewall by first logging on to the TSG, then choosing the terminal server/remote desktop inside the firewall that they want to access. The beauty is that a TSG user doesn't need to connect to a draggy VPN in order to log on to the desired system. But TSGs are still secure because they employ a new sort of RDP over Secure Sockets Layer (SSL). The result is speed and security. And from what I hear, you don't need Windows 2008 (or even Vista) to use RDP over SSL; apparently the new RDP client for Windows XP that Microsoft released earlier this year extends RDP over SSL capabilities to XP and Windows 2003.

In addition, Terminal Services takes a leaf right out of Citrix's playbook, using "Remote Programs" (which resemble Citrix's "Seamless Windows" feature). With Remote Programs, you can use Terminal Services to deploy an application to a Windows desktop. In such a deployment, a user would see a new icon on the desktop and could click the icon to use the associated application, without the local hard disk having to store any of the application's code. The application would actually be nothing more than a Terminal Services window, but with a normal Windows frame.

Give It a Whirl!
Microsoft's upcoming Windows Server offering has many interesting new features. If you have access to the Windows 2008 beta, I strongly recommend that you fire it up and start playing. The last I heard, Windows 2008's release to manufacturing (RTM) date is early November, with general availability in February 2008. The more you can learn ahead of time, the better off you'll be.
