Just last week, Microsoft released beta 3 of its newest Windows Server revision to the general computing public. While Windows Vista and Office 2007 have stolen a lot of publicity thunder over the past few months with their recent final releases, Microsoft has been slowly but surely churning out its update to Windows on the server. Since Beta 2, released last year, the company has made great improvements in performance, usability and polish -- not to mention that the product is more or less on time according to the product's development schedule, and no features have been cut.
Indeed, features have been added, including the much-anticipated Windows Server Virtualisation code, previously called Hypervisor. Additionally, there are myriad incremental improvements to features that have been on Windows Server for a long time -- Terminal Services, clustering and server management, just to name a few -- as well as some revolutionary new capabilities, like Server Core and PowerShell.
Let's dig deep into the Beta 3 release and see what's happening with the next version of Windows on the server.
Windows Server Virtualisation
Unless you've been living under a rock for the past year or two, you know that virtualisation is a game-changing scenario. Server consolidation, energy efficiency, simpler management and deployment and increased capacity are all tangible benefits to be gained from a move to virtual servers and virtually hosted services. Microsoft has seen the light and is here to help with Windows Server Virtualisation which, according to the company, "is a next-generation hypervisor-based virtualisation platform integrated with the operating system that allows you to dynamically add physical and virtual resources."
Let's break that down a bit. Using servers with processors equipped with Intel VT or AMD-V enabled technology, Windows Server Virtualisation interacts with Hypervisor, which is a very small layer of software that is present directly on the processor. This software offers hooks into the management of processes and threads on the processor that the host operating system can use to efficiently manage multiple virtual machines, and multiple virtual operating systems, running on a single physical processor.
Since there are no third-party software products or drivers to install, you get nearly guaranteed compatibility without the difficult problems that software bugs can introduce into your system.
Along with efficient process management, you can hot-add resources to the machine hosting your virtualised services. From processors to memory to network cards to additional storage media, you can add these devices to the machine without needing to bring down any services and interrupt user sessions. You can also host 64-bit guest sessions, which is a big boon to organisations moving toward adoption of 64-bit software. You can virtualise your migration, save money on deployment costs, and then assess how many physical machines you'll need when you finish your migration.
Windows Server Virtualisation is the natural next step in Microsoft's virtualisation story. With properly equipped hardware, you stand ready to enjoy a number of benefits that weren't possible before.
One of the core premises held by the product team during the development of Windows Server Longhorn was that administrators should have more control over their machines and that they ought to be able to spend less time on routine administrative tasks -- if they had the right tools. Enter the Server Manager, a sort of one-stop shop for managing almost any facet of a machine running Windows Server Longhorn. From the Server Manager, an administrator gets a central view of the roles the server is operating in and the services that are running; he also has access to the respective configuration tools.
Server Manager is a quick way to get a machine set up -- no more clicking around many Microsoft Management Console windows trying to get services deployed.
Within the Server Manager, you can see the options to add roles and features to the server. Additionally, the Diagnostics menu (in the left pane) provides access to the Windows Event Viewer, the Services console and the Device Manager. You also get the Reliability and Performance Monitor, which has been tuned to work with Longhorn code but to the user works in the same way as the identically named feature in Windows Vista.
Perhaps the second-most-improved area of Windows Server Longhorn Beta 3, at least to the administrator's naked eye, is Terminal Services. TS has long been part of Windows on the server, but in this release it has taken on Citrix-like features that transform the functionality from a useful administration tool to an enterprise-calibre way to deploy applications to users. Let's take a look.
One new feature of Terminal Services in Longhorn Server is the Terminal Services Gateway. Useful for corporations where large numbers of remote users would still need to be able to take advantage of RDP-based application deployment, Terminal Services Gateway allows users to access hosted applications from a centralised Web portal accessible over Port 443 (or any other port you choose) via an encrypted HTTPS channel.
To further control access, there are connection authorisation policies, or CAPs, that administrators can create to define user groups that are permitted to access TS through the TS Gateway machine. So you can limit hosted application use to only those users that need it while still deploying full-client copies of your programs to users with desktops, laptops and other devices that can support them.
Going a little further, Terminal Services RemoteApp lets you define programs to be run directly from a TS-enabled server but appear totally integrated within the local copy of Windows. The integration is nearly perfect, showing off a seamless independent task bar button, resizable application window areas, Alt-Tab switching functionality, population of system tray icons where appropriate, and more.
Terminal Services RemoteApp is designed to remove from the user's mind the concept that he is using a hosted application; the only giveaways would be the ToolTip in the task bar that indicates Terminal Services is in use, plus occasional slow response because of network latency or server overload. To the user, it looks just as though the application were running locally.
It's very simple to deploy as well. You simply create .rdp files that act as simply formatted profiles of available hosted applications. You can deploy these RDP files however you like throughout the enterprise, through Group Policy or over a Web site, or through e-mail or a systems management tool and so on.
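As an added example (not from the article and not Microsoft's own tooling), this PowerShell writes a RemoteApp .rdp profile that is forced through the TS Gateway and then audits a folder of deployed .rdp files for settings that weaken server authentication or skip the gateway. The host names, folder and application alias are assumed.

```powershell
# Added example, not from the article. Host names, folder and app alias are assumed.
# An .rdp file is plain text: one "name:type:value" setting per line,
# where type is i (integer) or s (string).
function New-RemoteAppRdp {
    param(
        [string]$Path,
        [string]$TerminalServer,  # e.g. ts01.corp.example (assumed)
        [string]$Gateway,         # e.g. tsgw.corp.example (assumed)
        [string]$AppAlias,        # RemoteApp alias as published on the terminal server
        [string]$AppName
    )
    $lines = @(
        "full address:s:$TerminalServer",
        "remoteapplicationmode:i:1",              # RemoteApp window, not a full desktop
        "remoteapplicationprogram:s:||$AppAlias",
        "remoteapplicationname:s:$AppName",
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",                 # 1 = always connect through the gateway
        "authentication level:i:1",               # 1 = do not connect if server auth fails
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

# Parse an .rdp file into a hashtable keyed by (lower-cased) setting name.
function Read-RdpProfile {
    param([string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # split on the first two colons only; string values may themselves contain ':'
        $parts = $line.Split([char]':', 3)
        if ($parts.Length -eq 3) { $settings[$parts[0].ToLower()] = $parts[2] }
    }
    return $settings
}

# Flag profiles that Group Policy, e-mail or a Web page should not be handing out.
function Test-RdpProfile {
    param([string]$Path)
    $s = Read-RdpProfile $Path
    $findings = @()
    if ($s['authentication level'] -eq '0') {
        $findings += 'connects even when server authentication fails'
    }
    if ($s['remoteapplicationmode'] -eq '1' -and $s['gatewayusagemethod'] -eq '0') {
        $findings += 'RemoteApp profile does not use the TS Gateway'
    }
    if ($s['gatewayusagemethod'] -eq '1' -and -not $s['gatewayhostname']) {
        $findings += 'gateway required but no gateway host named'
    }
    "{0}: {1}" -f $Path, $(if ($findings) { $findings -join '; ' } else { 'OK' })
}

New-RemoteAppRdp -Path 'C:\RemoteApps\WordPad.rdp' -TerminalServer 'ts01.corp.example' `
    -Gateway 'tsgw.corp.example' -AppAlias 'wordpad' -AppName 'WordPad'
Get-ChildItem 'C:\RemoteApps' -Filter *.rdp | ForEach-Object { Test-RdpProfile $_.FullName }
```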
Rounding out the suite is the Terminal Services Web Access feature, which lets administrators make Terminal Services RemoteApp-hosted applications available on a Web page. Users can browse the list for the application they are looking for, select it and then be seamlessly connected to the application.
You can even integrate TS Web Access within SharePoint sites using an included Web part, so users have access from their collaboration portal to various hosted applications. One of the only missing parts of this feature that I've seen is the inability to control which programs are published on the Web Access menu on a per-user or per-group basis. This could be rectified before release.
Administration of the Terminal Services functionality is, of course, conveniently located within Server Manager.
All of this is not to mention some of the other improvements, like a more-efficient RDP client that supports a better user experience; this will be available for Windows Vista clients and, at a later time, Windows XP clients running the latest service pack. Other advances include better printing support, so printing over an RDP connection isn't as kludgy as it was in previous releases. All in all, I think the Terminal Services improvements make a compelling upgrade case for shops that have invested heavily in RDP-hosted applications.
I've written this before, and I will say it again: Server Core is the killer feature of Windows Server Longhorn. Imagine, if you will, the most fundamental part of Windows Server, finely tuned for performance, with all of the other stuff -- including, for the most part, the GUI -- completely removed. These headless machines can be deployed as infrastructure servers with few moving parts and, consequently, less to break. Welcome to Server Core.
Server Core only supports a limited number of roles in production. In Beta 3, there are seven supported roles for machines running the Server Core version of the product. With the exception of two new roles, this list remains as it was at the Beta 2 release:
- Active Directory
- Active Directory Lightweight Directory Service (new to Beta 3)
- File server
- Print server
- Windows Media Services (new to Beta 3)
The final release will add support for an eighth role, specifically to run Windows Server Virtualisation.
Server Core, as I see it, has three main advantages:
- It's extremely focused, which means it does what it does very well -- better performance, resilience and robustness.
- It has limited dependencies on other pieces of the Windows puzzle, in that the core operating system can generally work by itself.
- All of this translates into a far smaller attack surface than the standard Windows Server product.
It's a fantastic addition to the product and has been made a bit more capable with the Beta 3 release.
Internet Information Services 7.0
IIS 7 has come a long way from IIS 6. I first saw a demo of IIS 7 in early 2005 and was immediately enthusiastic about its possibilities, and I remain convinced it will become the Web server to beat once Windows Server Longhorn officially releases. Of course, security and integrity have been continually refined, but the three main areas of enhancement in IIS are as follows:
IIS is completely modular. Users have never really been able to pick and choose from its features and abilities, but now IIS features operate modularly. You can load them in any combination and with no dependencies and really create a lean, mean server that does what you want it to do very well -- and it does nothing else. You also gain the benefit of IIS 7's extensibility: It's easier than ever to write a custom module that plugs directly into the IIS core to enable special functionality for your operation.
IIS 7 can be configured from a text file. Each setting in any site configured within IIS can be edited directly from the web.config file. Aside from the obvious convenience, this is a boon for companies that host large numbers of Web sites. It's now trivial to deploy an identical configuration across thousands of sites in seconds; you can just copy web.config to each site and you are finished.
You can also delegate administration of certain sections of web.config to other people, so that a bit of control is available for, say, individual site owners while not necessarily requiring everyone to contact the IIS administrator for any changes to be made. Version control is equally simple -- just make several different versions of a text file, store them in some organised fashion and retrieve when necessary.
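As an added example (not from the article), the script below uses IIS 7's command-line tool appcmd.exe to trim the server-level module list and to lock the handler and module sections so that a delegated, site-level web.config cannot map new handlers or unload modules, while still letting site owners edit their own default documents. It assumes an elevated prompt on the IIS 7 host and that the removed modules are not needed by this server.

```powershell
# Added example, not from the article. Assumes an elevated prompt on the IIS 7
# host and that the modules removed in step 2 are unused by this server.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Inventory the native and managed modules currently loaded.
& $appcmd list modules

# 2. Unload what this server does not use. Each call deletes the named entry
#    from <system.webServer><modules> in applicationHost.config.
foreach ($module in 'DirectoryListingModule', 'CgiModule', 'IsapiFilterModule') {
    & $appcmd set config /section:system.webServer/modules "/-[name='$module']"
}

# 3. Delegation: site owners may change their default document list, but the
#    handler and module sections are locked so a site's web.config cannot
#    re-map extensions or remove a module. appcmd records this as
#    overrideMode="Allow"/"Deny" on the section in applicationHost.config.
& $appcmd unlock config /section:system.webServer/defaultDocument
& $appcmd lock config /section:system.webServer/handlers
& $appcmd lock config /section:system.webServer/modules

# 4. Verify the module list and the lock state directly in the text file.
& $appcmd list config /section:system.webServer/modules
Select-String -Path "$env:windir\system32\inetsrv\config\applicationHost.config" `
    -Pattern 'overrideMode=' | ForEach-Object { $_.Line.Trim() }
```

A site-level web.config that later tries to add a handler under the locked section fails with a configuration error instead of silently taking effect.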
There's a better management interface for IIS. The new UI is designed to expose more features in a sensible manner to the user while making rapid, large-scale administration across hundreds or thousands of sites quite simple. (See Figure 3 for a preview of the new management tools.) As with most everything else about IIS 7, the new interface is extensible as well, so you can create custom plug-ins that work directly within the IIS 7 Management Console.
Overall, IIS 7 provides a great overall Web platform, with better performance and manageability, and increased power to configure a server only as necessary. For more information about IIS 7 in Longhorn, check out my earlier story.
Branch office scenario enablement
Businesses are growing all the time and opening up new offices, and those offices, of course, require technology support. Perhaps your organisation is already teeming with satellite offices that not only need full integration with your Active Directory investment, but also require some security considerations. Possible threats to your branch office IT assets include the following:
- A thief physically stealing your branch office's domain controller and then attempting to crack the passwords contained in the replicated copy of the directory stored on the controller.
- Someone attempting to remove a hard drive from a file server and access sensitive information on an unauthorised basis.
Two new features of Windows Server Longhorn are designed to help mitigate these threats: the read-only domain controller and BitLocker drive encryption. Let's discuss each briefly.
A read-only domain controller (RODC) is just that -- it receives information replicated to it from full domain controllers, but it doesn't permit any changes to be made to its own copy of the directory database, and thus no information can be replicated back to the full DCs in the domain it's a member of.
The advantages of this structure include the following:
- You reduce the risk of someone attacking a branch office location and sending poisoned data throughout the entire Active Directory database.
- The RODC caches only the credentials of users and computers that have authenticated to the RODC and those whose credentials are allowed to be cached under the Password Replication Policy. This reduces the possibility that accounts can be cracked from a stolen branch office domain controller.
- By default, the RODC does not cache administrator credentials, so the keys to the kingdom are more fully protected.
- The Kerberos authentication tickets issued by the RODC will be valid only for systems within its scope, so it can't issue falsified tokens to get nefarious users onto the full network.
The RODC is a Server Core-designated role, which means there's hardly any need for administration locally. No GUI also means a smaller attack surface. Everyone wins with that.
Going along with the idea of securing sensitive information in an exposed location, BitLocker, the whole-drive encryption feature introduced with Windows Vista, comes to the server as well. BitLocker, when enabled, secures all of the data on a drive and, like any other encryption software, requires decryption keys to unlock the data. What is unique to BitLocker is that the keys are stored within either a Trusted Platform Module chip on board your system or a USB flash drive that you insert upon boot-up.
You get protection for the entire Windows volume including both user data and system files, the hibernation file, the page file and temporary files.
The boot process itself is also protected by BitLocker -- the feature creates a hash based on the properties of individual boot files, so if one is modified and replaced by, for example, a Trojan file, BitLocker will catch the problem and prevent the boot. It's a very useful feature not only for servers that don't have great physical security, but also for mobile users and laptops that have a pretty good chance of being lost or stolen at some point during their lifetimes.
Windows Server 2003 R2 made some incremental improvements to branch office support, but Windows Server Longhorn, at least in its current Beta 3 form, appears to take branch office support to a higher level. Those of you with vulnerability-plagued remote offices that need to be part of your domain should certainly take a look.
Other security enhancements
There is a laundry list of security enhancements to the Windows Server Longhorn product. A few of the most interesting or potentially most useful features include:
- Network Access Protection (NAP). NAP allows you to define policies that state a minimally acceptable level of client health for any device on your network. The criteria could include service pack level, update level, the presence of antivirus software, successful return of a quick security/malware scan and so on. NAP works with your network hardware -- Cisco gear in particular -- to enforce these policies. When a client doesn't meet the baseline requirements for machine health, it is kicked off the network and is only able to speak with certain machines that you designate, typically ones that contain software that enables the machine to heal itself. NAP is revolutionary and a fantastic security tool.
- Network Policy and Access Services. With NPAS, you have a one-stop service for all network security policies and access control services. You can deploy VPN servers, dial-up machines and routers. You can set up a RADIUS server and proxies and create remote access policies through the Connection Manager Administration Kit. NPAS also allows you to configure secure wired and wireless access as necessary to better protect communications on your network.
- New behaviours in the Windows firewall with advanced security. For one thing, the firewall is on by default now; that's a much-anticipated change that proved impossible during the Windows Server 2003 time frame. Additionally, all incoming traffic is blocked by default unless it is solicited traffic, or unless it is specifically allowed by a rule created to allow that traffic. The new interface combines the firewall tools with the controls you previously found in the IPsec snap-ins, IP Security Policies and IP Security Monitor, so management is a little bit easier with everything in one place.
There are numerous other security improvements within Windows Server Longhorn Beta 3, all of which are incremental and serve to further harden the base on which Windows on the server operates. Any security improvements are welcome.
Think of Windows PowerShell as the command line on steroids, with extensibility that touches a lot of applications running on the server as well as areas of the server itself. With PowerShell, you get a command-line environment built on top of the .Net runtime and the .Net framework, which allows for much greater customisation and flexibility of commands.
PowerShell uses "cmdlets," or simple utilities that perform a very specific task, as its base. Cmdlets are designed to be run, piped and otherwise used with other cmdlets to create powerful automated systems. PowerShell can integrate with your custom C# or VB code, and you can create new cmdlets that perform tasks specific to your deployment. Since PowerShell uses and consumes .Net objects, not text, the capabilities to configure applications, services, Web sites and other facilities are much extended over the traditional command line. But from within PowerShell, you retain the ability to run traditional and command-line utilities as well, so from one environment you can get the best of both worlds.
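As an added example (not from the article), the PowerShell below serves both the firewall section above and this one: it applies the default-deny inbound policy the firewall section describes using the classic netsh utility, opens only the TS Gateway listener, and then wraps netsh's text output in objects so the inbound allow list can be filtered and sorted like native cmdlet output. Port 443 and the domain profile are assumed.

```powershell
# Added example, not from the article. Port 443 for TS Gateway and the
# domain-only profile scope are assumptions.

# 1. Policy: firewall on, unsolicited inbound blocked, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. One explicit inbound exception, scoped to the domain profile only.
netsh advfirewall firewall add rule name="TS Gateway HTTPS" dir=in action=allow protocol=TCP localport=443 profile=domain

# 3. netsh prints "Label: value" blocks, one per rule. Turn each block into an
#    object so the inbound allow list can be reviewed with ordinary cmdlets.
function Get-InboundAllowRule {
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current -ne $null) { $rules += $current }
            $current = @{ Name = $matches[1].Trim() }
        } elseif ($current -ne $null -and $line -match '^([A-Za-z][^:]*):\s*(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current -ne $null) { $rules += $current }
    foreach ($r in $rules) {
        if ($r['Action'] -eq 'Allow') {
            $obj = New-Object PSObject
            $obj | Add-Member NoteProperty Name     $r['Name']
            $obj | Add-Member NoteProperty Port     $r['LocalPort']
            $obj | Add-Member NoteProperty Profiles $r['Profiles']
            $obj | Add-Member NoteProperty Enabled  $r['Enabled']
            $obj
        }
    }
}

# 4. Review: every rule that lets traffic in, as objects rather than text.
Get-InboundAllowRule | Sort-Object Port | Format-Table Name, Port, Profiles, Enabled -AutoSize
```

Any rule listed with Port "Any" or Profiles "Public" on a server that should only expose the gateway is worth a second look.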
The cluster story gets better with Windows Server Longhorn as well. Now called "fail-over clusters," server clusters allow multiple machines to be grouped together to perform a set of common tasks, such that loads are split, services are managed as a group, and failures on one machine don't bring the whole group down. Of course, constructing a server cluster takes some configuration work, but the new Validation Wizard makes it a bit easier to run tests on the most fundamental components of your proposed cluster to ensure that they pass muster. Three different types of tests are enabled:
- Node tests look at each of the machines that will make up the cluster and ensure their software meets the common configuration requirements of a cluster.
- Network tests examine specific requirements of the network components of the cluster, including numbering and addressing.
- Storage tests query disk components and ensure that they support some core SCSI commands and can react to cluster operations correctly.
Additionally, the Cluster Setup Wizard has been simplified and is scriptable, so setting up many fail-over clusters with a common, consistent configuration is much easier. And you can export a cluster configuration based on Windows Server 2003 and re-import it to a Windows Server Longhorn fail-over cluster. That's not to mention a streamlined interface for adding and managing new fail-over cluster members, integration with the Volume Shadow Copy Service for efficient backups and improvements to the stability and security of the cluster infrastructure itself.
The last word
There's been a notable difference in stability and refinement from Beta 2, which was released around this time last year, to Beta 3. Features work now. Services deploy properly. There are few configuration errors. Beta 3 is certainly a usable build for testing and development purposes, even if you're not brave enough to be part of the Rapid Deployment Program.
Windows Server Longhorn is a major upgrade, one that promises benefits and advantages for a wide swathe of shops across the world. Depending on where your heavy technology investments are, or how your company and its IT infrastructure are laid out, you'll find a lot to like -- and little to dislike.
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics.