OReilly Windows Server 2008 The Definitive Guide Mar 2008 ISBN 0596514115

Windows Server 2008: The Definitive Guide

by Jonathan Hassell
Publisher: O'Reilly
Pub Date: March 15, 2008
Print ISBN-13: 978-0-59-651411-2
Pages: 492

Overview

This practical guide has exactly what you need to work with Windows Server 2008. Inside, you'll find step-by-step procedures for using all of the major components, along with discussions on complex concepts such as Active Directory replication, DFS namespaces and replication, network access protection, the Server Core edition, Windows PowerShell, server clustering, and more. All of this with a more compact presentation and a tighter focus on tasks than you'll find in bulkier references. Windows Server 2008: The Definitive Guide takes a refreshing approach. You won't find the history of Windows NT, or discussions on the way things used to work. Instead, you get only the information you need to use this server. If you're a beginning or intermediate system administrator, you learn how the system works, and how to administer machines running it. The expert administrators among you discover new concepts and components outside of your realm of expertise. Simply put, this is the most thorough reference available for Windows Server 2008, with complete guides to:

Installing the server in a variety of different environments
File services and the Windows permission structure
How the domain name system (DNS) works
Active Directory, including its logical and physical structure, hierarchical components, scalability, and replication
Group Policy's structure and operation
Managing security policy with predefined templates and customized policy plans
Architectural improvements, new features, and daily administration of IIS 7
Terminal Services from both the administrator's and the user's point of view
Networking architecture including DNS, DHCP, VPN, RADIUS server, IAS, and IPSec
Windows clustering services: applications, grouping machines, capacity and network planning, user account management
Windows PowerShell scripting and command-line technology

With Windows Server 2008: The Definitive Guide, you'll come away with a firm understanding of what's happening under the hood, but without the sense that you're taking a graduate course in OS theory. If you intend to work with this server, this is the only book you need.


  Windows Server 2008: The Definitive Guide

  by Jonathan Hassell Copyright © 2008 Jonathan Hassell. All rights reserved.

  Printed in the United States of America. Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

  O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles ( . For more information, contact our corporate/institutional sales department: (800) 998-9938 or

   .

Editor: John Osborn
Production Editor: Rachel Monaghan
Copyeditor: Colleen Gorman
Proofreader: Rachel Monaghan
Indexer: Lucie Haskins
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Jessamyn Read

  Printing History: March 2008: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Windows Server 2008: The Definitive Guide, the image of an albatross, and related trade dress are trademarks of O'Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. This book uses RepKover™, a durable and flexible lay-flat binding.

  ISBN: 978-0-596-51411-2 [M]

  Preface

Microsoft's server-oriented Windows operating systems have grown by leaps and bounds in capabilities, complexities, and sheer number of features since the release of Windows NT Server in the early 1990s. With each release, system administrators have found themselves grappling with new concepts, from domains, directory services, and virtual private networks, to client quarantining, disk quota, and universal groups. Just when you've mastered one set of changes, another comes along and suddenly you're scrambling once again to get up to speed. A vicious cycle this IT business is.

One source of help for the beleaguered administrator has always been the technical book market and its communities of authors, publishers, and user groups. Major releases of popular operating systems have always been accompanied by the publication of books written to support them, often encouraged by the software manufacturers. Some tout themselves as complete guides to their software compadres, while others approach their subject gingerly, as though their readers were of a questionable intellectual capacity. But over the years, many of these books have become as complex, and have accumulated as much detritus, as the operating systems they explain. You now see on the shelves of your friendly local bookstores 1,200-plus-page monstrosities that you might find useful, but only if you enjoy dealing with 30 pounds of paper in your lap or on your desk, and only if you find it productive to wade through references to "how things worked" four versions of Windows NT ago. After all, there's a limit to how many times you can revise something before it's best to simply start from scratch.

Do you need all of that obsolete information to do your job efficiently? I'm wagering that you don't (my luck in Las Vegas notwithstanding), and it was in that spirit that I set out to write Windows Server 2008: The Definitive Guide. I have trimmed the content of this volume to include just enough background on how systems work in this version of Windows. I want you to come away from reading sections with a firm understanding of what's happening under the hood of the system, but without the sense that you're taking a graduate course in OS theory. Most of all, I want this book to be a practical guide that helps you get your work done—"here's how it works; here's how to do it." The book you're either holding in your hands right now or reading online provides a more compact presentation, a lower price, and a tighter focus on tasks than other books on the market.

  I hope that this work meets your expectations, and I hope you turn to it again and again when you need to understand the massive product that is Windows Server 2008.

  P2.1. Audience

Beginning-to-intermediate system administrators will find this book a very helpful reference to learning how Windows Server 2008 works and the different ways to administer machines running that operating system. This book has step-by-step procedures, discussions of complex concepts such as Active Directory replication, DFS namespaces and replication, network access protection, the Server Core edition, Windows PowerShell, and server clustering. Although I've eliminated material that isn't relevant to day-to-day administration, you will still find the chapters full of useful information.

Advanced system administrators will also find this book useful for discovering new concepts and components outside of their realm of expertise. I've found that senior system administrators often focus on one or two specific areas of a product and are less familiar with other areas of the OS. This book provides a stepping-stone for further exploration and study of secondary parts of the operating system.

One other item to mention: throughout the book I've tried to highlight the use of the command line in addition to (or in some cases, as opposed to) graphical ways to accomplish tasks. Command lines, in my opinion, are fabulous for quickly and efficiently getting things done, and they provide a great basis for launching into scripting repetitive tasks. Microsoft has done an excellent job of integrating command-line functions into this revision of Windows, and I've attempted to do the effort justice within the text. But none of this should make you shy away from this book if you are a GUI aficionado: you'll still find everything you're accustomed to within this volume.

  P2.2. Organization and Structure

  In structuring the contents of this book I have tried to make a logical progression through the product, from a high-level overview through complete discussions and treatments of all its major components. Here's how this book is organized:

Chapter 1 covers the product on a very general basis, from Microsoft's philosophy behind the product itself and the different versions of the product that are available, to an overview of the features in this release that are new or otherwise improved and a complete overview of the system design. This chapter is designed to give the administrator a complete and systematic overview of the product.

Chapter 2 provides a detailed guide to installing the product in a variety of environments. I also include information on mass deployments using Windows Deployment Services, a vast improvement over previous image installation options offered in the box.

Chapter 3 discusses the file services built into Windows Server 2008. The chapter begins with an overview of sharing and a guide to creating shares, publishing them to Active Directory, mapping drives, using the My Network Places applet, and accessing shares from the Start Run command and from within Internet Explorer. Then I dive into a detailed discussion of the Windows permission structure, including permission levels, "special" permissions, inheritance, and ownership. Here, you'll also find a guide to setting permissions. Also covered in this chapter is an overview of the Distributed File System (DFS), and how to set it up and manage it.

Chapter 4 covers the domain name system, or DNS. Because DNS is such a fundamental component of Active Directory, I wanted to include a separate treatment of how it works, including a discussion of the different types of resource records and zone files supported, integration with Active Directory, the split DNS architecture, and backup and recovery of DNS data.

Most installations of Windows Server 2008 will include installation of the Active Directory technology because so many products that require the server OS are tightly integrated with Active Directory. Chapter 5 provides a complete guide to the technical portion of Active Directory, including its logical and physical structure, hierarchical components (domains, trees, forests, and organizational units), scalability, and replication. Coverage of the LDAP standards is included, as well as a discussion of migration and security considerations. Then I move into planning strategies, installing Active Directory onto Windows Server, and the day-to-day administrative tools.

Chapter 6 discusses Group Policy (GP), one of the most underappreciated management technologies in any server product. Chapter 6 is dedicated to introducing GP and its structure and operation. I begin with a survey of GP and Active Directory interaction, objects, and inheritance. Then I provide a practical guide to implementing GP through user and computer policies and administrative templates, installing software through GP, administration through scripting, and redirecting folders and other user interface elements. I also discuss IntelliMirror, a cool technology for application distribution (similar to ZENworks from Novell).

Chapter 7 helps ensure that you are well versed in locking down your systems to protect both your own computers and the Internet community as a whole. I cover security policy, including ways to manage it using predefined templates and customized policy plans, and an overview of the Security Configuration and Analysis Tool, or SCAT. Then I provide a complete procedural guide to locking down both a Windows network server and a standard Windows client system (despite the fact that this is a server book, administrators often are responsible for the entire network, and client and server security go hand in hand).

Chapter 8 covers the details of the major IIS revamp in this release. In version 7, IIS is arguably the best web server software available. I cover the architectural improvements and new features in this release, and then move on to a practical discussion of daily IIS administration.

Chapter 9 covers the new Server Core editions of Windows Server 2008, including deployment, activation, and using these new GUI-less versions of the operating system.

Chapter 10 provides a guide to Terminal Services, including an overview from the server administrator's perspective and a similar overview from a typical user's point of view. Then I cover how to install both Terminal Services itself and applications such as Microsoft Office and other tools inside the Terminal Services environment. A guide to configuring Terminal Services follows, including procedures for general configuration, remote control options, environment settings, logons, sessions, and permission control. Concluding the chapter is a guide to daily administration using Terminal Services Manager, the Active Directory user tools, Task Manager, and command-line utilities.

Chapter 11 covers the standard networking architecture of the operating system, including addressing and routing issues. Then I move into a discussion of the various network subsystems: the Domain Name System (DNS), the Dynamic Host Configuration Protocol (DHCP), and a discussion of VPN connectivity, the different phases of VPN, tunneling and encryption, and the RADIUS server bundled with .NET Server, the Internet Authentication Service (IAS). Finishing up the chapter, I discuss IPSec, its support from within the OS, and how to install, configure, use, and administer it. Coverage of client quarantining is also included.

Chapter 12 covers Windows clustering services. First, a discussion of the different types of clustering services is provided, and then I cover successfully planning a basic cluster and its different elements: the applications, how to group the machines, capacity and network planning, user account management, and the possible points of failure. A treatment of Network Load Balancing clusters follows, and I round out the chapter with a guide to creating and managing server clusters, as well as an overview of the administrative tools bundled with the OS.

Chapter 13 discusses Windows PowerShell, the powerful object-based scripting and command-line technology now bundled with Windows Server 2008.

Chapter 14 covers the fundamentals of Microsoft's currently prerelease virtualization solution called Hyper-V, including its structure, operation, and setup on Windows Server 2008. We'll also look at creating virtual machines, and we'll wrap up with what to expect upon Hyper-V's official release.

  P2.3. Conventions Used in This Book

  The following typographical conventions are used in this book.

  Plain text

  Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

  Italic

  Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and command-line utilities.

  Constant width

  Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

  Constant width bold

  Shows commands or other text that should be typed literally by the user.

  Constant width italic

  Shows text that should be replaced with user-supplied values.

  This icon signifies a tip, suggestion, or general note.

  This icon indicates a warning or caution.

  P2.4. Using Code Examples

This book is here to help you get your job done. In general, you can use the code in this book in your programs and documentation. You do not need to contact O'Reilly for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission. O'Reilly appreciates, but does not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "Windows Server 2008: The Definitive Guide by Jonathan Hassell. Copyright 2008 Jonathan Hassell, 978-0-596-51411-2." If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact O'Reilly at

   .

  P2.5. We'd Like to Hear from You

  Please address comments and questions concerning this book to the publisher: O'Reilly Media, Inc.

  1005 Gravenstein Highway North Sebastopol, CA 95472 800-998-9938 (in the United States or Canada) 707-829-0515 (international or local) 707-829-0104 (fax)

  O'Reilly has a web page for this book, where it lists errata, examples, and any additional information. You can access this page at:

  

  To comment or ask technical questions about this book, send email to:

  

  For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see the O'Reilly web site at:

   P2.6. Safari® Books Online

  When you see a Safari® Books Online icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf. Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at

  P2.7. Acknowledgments

  I've always liked the fact that the acknowledgments in technical books are typically in the front. That way, when you read the remainder of the book, you already know who to thank for it, unlike in a movie. So, without further ado: John Osborn at O'Reilly was instrumental in getting this process organized and off the ground and provided very welcome guidance and feedback during the initial stages of writing this book.

Errors and shortcomings were dutifully found by the technical review team, which consisted of IT professionals Dan Green, Eric Rezabek, and Debbie Timmons. Special thanks to the many folks at Microsoft and Waggener-Edstrom with whom I worked during the development of the book—their assistance and timely information was quite helpful in putting together this project. Of course, my family is also to thank: particularly my wife, Lisa, who patiently accepted the insufficient answer of "not yet" repeatedly to her reasonable question of "Aren't you done with that book?"

Chapter 1. Introducing Windows Server 2008

It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.

  After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities. However, something was still lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.

From stage left, enter Windows Server 2003. What distinguished the release other than a longer name and a three-year difference in release dates? Security, primarily. Windows Server 2003 came more secure out of the box and was heavily influenced by the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code. Performance was also improved in the Windows Server 2003 release, focus was put on making the operating system scalable, and in general enterprise administration was made more efficient and easier to automate. Microsoft also updated some bundled software via the Windows Server 2003 R2 release, making it more straightforward to manage identities over different directory services and security boundaries, distribute files and replicate directory structures among many servers, and more.

  But as always, no software is perfect, and there's always room for improvement. As business requirements have changed, Microsoft developers worked in tandem on Windows Vista and the next release of Windows on the server. When Windows Vista was released to manufacturing, the teams split again, and the Windows Server 2008 group added a few new features and then focused on performance and reliability until the release.

1.1. The Biggest Changes

Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision to the core code base that makes up the Windows Server product. Windows Server 2008 shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the secure development model (SDM)—a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, a lot of new features and enhancements you will see in the product are a result of a more secure code base and an increased focus on system integrity and reliability.

  The most radical changes to Windows Server 2008 include Server Core and the new Internet Information Services 7.0.

1.1.1. Server Core

  Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of executable files and server roles. Management is done through the command line or through an unattended configuration file. According to Microsoft:

  Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server. Accordingly, there are limited roles that Core servers can perform. They are:

Dynamic Host Configuration Protocol (DHCP) server
Domain Name System (DNS) server
File server, including the file replication service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the network filesystem, and single instance storage (SIS)
Print services
Domain controller, including a read-only domain controller
Active Directory Lightweight Directory Services (AD LDS) server
Windows Server Virtualization
IIS, although only with a portion of its normal abilities—namely only static HTML hosting, and no dynamic web application support
Windows Media Services (WMS)

Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker, be remotely managed using Windows PowerShell on a client machine, and be monitored through Simple Network Management Protocol, or SNMP.

  Most administrators will find placing Server Core machines in branch offices to perform domain controller functions is an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the OS to do more with fewer system resources, and the reduced attack surface and stability make it an excellent choice for an appliance-like machine. Plus, with a branch office, you can combine Server Core with the ability to deploy a read-only domain controller and encrypt everything with BitLocker, giving you a great, lightweight, and secure solution.

1.1.2. IIS Improvements

  The venerable Microsoft web server has undergone quite a bit of revision in Windows Server 2008. IIS 7 is, for the first time, fully extensible and fully componentized—you only install what you want, so the service is lighter, more responsive, and less vulnerable to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include:

  Newly rearchitected componentized structure

  For the first time in IIS history, administrators exercise complete control over exactly what pieces of IIS are installed and running at any given time. You can run the exact services you require—no more, no less. This is of course more secure, not to mention easier to manage and better performing.

  Flexible extensibility model

  IIS 7 allows developers to access a brand-new set of APIs that can interact with the IIS core directly, making module development and customization much easier than it ever has been. Developers can even hook into the configuration, scripting, event logging, and administration areas of IIS, which opens a lot of doors for enterprising administrators and third-party software vendors to extend IIS' capabilities sooner rather than later.

  Simplified configuration and application deployment

  Configuration can be accomplished entirely through XML files. Central IIS configuration can be spread across multiple files, allowing many sites and applications hosted by the same server to have independent but still easily managed configurations. One of Microsoft's favorite demos of IIS 7 is setting up a web farm with identically configured machines; as new members of the farm are brought online, the administrator simply uses XCOPY and moves existing configuration files over to the new server, and in a matter of seconds, the IIS setup on the new machine is identical to that on the existing machines. This is perhaps the most meaningful, and most welcome, change in IIS 7.

  Delegated management

  Much like Active Directory allows administrators to assign permissions to perform certain administrative functions to other users, IIS administrators can delegate control of some functions to other people, like site owners.

  Efficient administration

  IIS Manager has been completely redesigned and is joined by a new command-line administration utility, appcmd.exe.

Chapter 1. Introducing Windows Server 2008 It all started with Windows NT, Microsoft's first serious entry

  into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare- dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.

  After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities. However, something was still lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.

  From stage left, enter Windows Server 2003. What distinguished the release other than a longer name and a three- year difference in release dates? Security, primarily. Windows Server 2003 came more secure out of the box and was heavily influenced by the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code. Performance was also improved in the Windows Server 2003 release, focus was put on making the operating system scalable, and in general enterprise administration was made more efficient and easier to automate. Microsoft also updated some bundled software via the Windows Server 2003 R2 release, making it more straightforward to manage identities over different directory services and security boundaries, distribute files and replicate directory structures among many servers, and more.

  But as always, no software is perfect, and there's always room for improvement. As business requirements have changed, Microsoft developers worked in tandem on Windows Vista and the next release of Windows on the server. When Windows Vista was released to manufacturing, the teams split again, and the Windows Server 2008 group added a few new features and then focused on performance and reliability until the release.

1.1. The Biggest Changes

  Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision to the core code base that makes up the Windows Server product. Windows Server 2008 shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the secure development model (SDM)—a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, a lot of the new features and enhancements you will see in the product are a result of a more secure code base and an increased focus on system integrity and reliability.

  The most radical changes to Windows Server 2008 include Server Core and the new Internet Information Services 7.0.

1.1.1. Server Core

  Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of executable files and server roles. Management is done through the command line or through an unattended configuration file. According to Microsoft:

  Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server. Accordingly, there are limited roles that Core servers can perform. They are:

  Dynamic Host Configuration Protocol (DHCP) server

  Domain Name System (DNS) server

  File server, including the file replication service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the network filesystem, and single instance storage (SIS)

  Print services

  Domain controller, including a read-only domain controller

  Active Directory Lightweight Directory Services (AD LDS) server

  Windows Server Virtualization

  IIS, although only with a portion of its normal abilities—namely only static HTML hosting, and no dynamic web application support

  Windows Media Services (WMS)

  Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker, be remotely managed using Windows PowerShell on a client machine, and be monitored through Simple Network Management Protocol, or SNMP.

  Most administrators will find placing Server Core machines in branch offices to perform domain controller functions is an excellent use of slightly older hardware that might otherwise be discarded. The smaller footprint of Server Core allows the OS to do more with fewer system resources, and the reduced attack surface and stability make it an excellent choice for an appliance-like machine. Plus, with a branch office, you can combine Server Core with the ability to deploy a read-only domain controller and encrypt everything with BitLocker, giving you a great, lightweight, and secure solution.

1.1.2. IIS Improvements

  The venerable Microsoft web server has undergone quite a bit of revision in Windows Server 2008. IIS 7 is, for the first time, fully extensible and fully componentized—you only install what you want, so the service is lighter, more responsive, and less vulnerable to attack. The administrative interface for IIS has also been completely redesigned. Key improvements include:

  Newly rearchitected componentized structure

  For the first time in IIS history, administrators exercise complete control over exactly what pieces of IIS are installed and running at any given time. You can run the exact services you require—no more, no less. This is of course more secure, not to mention easier to manage and better performing.

  Flexible extensibility model

  IIS 7 allows developers to access a brand-new set of APIs that can interact with the IIS core directly, making module development and customization much easier than it ever has been. Developers can even hook into the configuration, scripting, event logging, and administration areas of IIS, which opens a lot of doors for enterprising administrators and third-party software vendors to extend IIS' capabilities sooner rather than later.

  Simplified configuration and application deployment

  Configuration can be accomplished entirely through XML files. Central IIS configuration can be spread across multiple files, allowing many sites and applications hosted by the same server to have independent but still easily managed configurations. One of Microsoft's favorite demos of IIS 7 is setting up a web farm with identically configured machines; as new members of the farm are brought online, the administrator simply uses XCOPY and moves existing configuration files over to the new server, and in a matter of seconds, the IIS setup on the new machine is identical to that on the existing machines. This is perhaps the most meaningful, and most welcome, change in IIS 7.

  Delegated management

  Much like Active Directory allows administrators to assign permissions to perform certain administrative functions to other users, IIS administrators can delegate control of some functions to other people, like site owners.

  Efficient administration

  IIS Manager has been completely redesigned and is joined by a new command-line administration utility, appcmd.exe.

1.2. Networking Improvements

  The Windows Server 2008 team has made a special effort at improving network performance and efficiency. For the first time, there is a dual-IP layer architecture for native IPv4 and IPv6 support together, simultaneously. (If you've ever configured IPv4 and IPv6 on a Windows Server 2003 machine, you'll know what a pain it is to get them to interoperate without falling all over each other.) Communications security is enhanced through better IPsec integration throughout the various pieces of the TCP/IP stack. Hardware is used more efficiently and robustly to speed up performance of network transmissions, intelligent tuning and optimization algorithms run regularly to ensure efficient communication, and APIs to the network stack are more directly exposed, making it easier for developers to interact with the stack. Let's take a look at some of the improvements in what the team is calling Next Generation Networking.

1.2.1. TCP/IP Stack Enhancements

  As I alluded to earlier, many changes in Windows Server 2008 were made to the TCP/IP stack itself. One such improvement is the auto-tuning TCP window size: Windows Server 2008 can automatically tune the size of the receive window for each individual connection, increasing the efficiency of large data transfers between machines on the same network. Microsoft quotes the following example: " ... on a 10 Gigabit Ethernet network, packet size can be negotiated up to 6 Megabytes in size."

  The dead gateway detection algorithm present in Windows Server 2003 has been slightly improved: Windows Server 2008 now periodically tries to send TCP traffic through what it thinks is a dead gateway. If the transmission doesn't error out, Windows automatically switches the default gateway back to the previously detected dead gateway, which is now live.

  Windows Server 2008 also supports offloading network processing functions from the CPU to the processing circuitry on the network interface card, freeing up the CPU to manage other processes.

  There are also improvements to network scaling. For example, in previous versions of Windows Server, one NIC was associated with one single, physical processor. However, with the right network card, Windows Server 2008 can spread a NIC's traffic among multiple CPUs (a feature called receive-side scaling), permitting much higher amounts of traffic to be received by one NIC on a highly loaded server. This particularly benefits multiprocessor servers, since more scale can be added simply by adding processors or NICs rather than entirely new servers.

1.2.2. Changes to Terminal Services

  Network applications are growing in popularity with each passing week. Windows Server 2008 sees more work in the Terminal Services/Remote Desktop area than might have been expected, and some of the new capabilities are very welcome improvements. Aside from the three new features, the team worked on improving the core processes that make TS tick, including single sign-on to Terminal Services sessions, monitor spanning and high-resolution support for sessions, integration with the Windows System Resource Manager to better monitor performance and resource usage, and themes that make TS sessions seamless to the client.

  There are three key new features added in the Windows Server 2008 release. The first is Terminal Services RemoteApp. Like the functionality offered by Citrix MetaFrame years ago, Windows Server 2008 will support—out of the box—the ability to define programs to be run directly from a TS-enabled server but be integrated within the local copy of Windows, adding independent taskbar buttons, resizable application window areas, Alt-Tab switching functionality, remote population of system tray icons, and more. Users will have no idea that their application is hosted elsewhere, except for the occasional slow response because of network latency or server overload. It's also simple to enable this functionality: administrators create .RDP files, which are essentially text-based profiles of a Terminal Services connection that the client reads and uses to configure an RDP session for that particular program. They can also create .MSI files that can populate profiles; the main advantage here is that .MSI files are traditionally very easy to deploy via automated system management methods like Systems Management Server, Group Policy and IntelliMirror, and so on.

  Next, there's the Terminal Services Gateway. This feature allows users to access Terminal Services-hosted applications from a web portal anywhere on the Internet, secured via an encrypted HTTPS channel. The gateway can send connections through firewalls and correctly navigate NAT translation situations that stymied the use of this technology before. This saves corporations from having to deploy VPN access to remote users for the sole purpose of accessing a Terminal Services machine; plus, since the data is sent over HTTPS, almost anyone can access the sessions, even at locations where the RDP protocol is blocked by the firewall. Administrators can set connection authorization policies, or CAPs, that define user groups that are permitted to access TS through the TS Gateway machine.

  Finally, in conjunction with the Terminal Services RemoteApp feature, there is also in Windows Server 2008 the TS Web Access feature, which lets administrators publicly display available TS Remote Programs on a web page. Users can browse the list for the application they want to run, click on it, and then be seamlessly embedded in the application—using all the features of TS Remote Programs—while retaining the ability to launch other programs from the same Web Access site. The service is smart enough to know that multiple programs launched by the same user should reside in the same Terminal Services session, making resource management a bit simpler. And, you can even integrate TS Web Access within SharePoint sites using an included web part.
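  Because RemoteApp .RDP profiles and TS Gateway settings are handed out to users as plain text files, it is worth checking what they actually ask the client to do. The following PowerShell audit is an added example, not code from the book or from Microsoft: it parses a constructed sample profile (the hostnames and program alias are placeholders) and flags settings that would let a session skip server authentication or bypass the gateway; it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the book): audit a RemoteApp .rdp profile for
# settings that weaken the connection. The profile below is constructed;
# the hostnames and the program alias are placeholders.

$SampleRdp = @"
full address:s:ts01.corp.example.com
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WordPad
remoteapplicationname:s:WordPad
alternate shell:s:rdpinit.exe
gatewayhostname:s:tsgw.corp.example.com
gatewayusagemethod:i:1
authentication level:i:2
prompt for credentials:i:1
"@

function ConvertFrom-RdpProfile {
    param([string]$Text)
    # Each line is name:type:value with type s (string), i (integer) or
    # b (binary). Values may contain colons, so only the first two split.
    $settings = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $settings[$matches[1]] = $matches[3]
        }
    }
    $settings
}

function Test-RdpProfile {
    param([hashtable]$Settings)
    $findings = @()
    # authentication level: 0 connects even if server authentication fails,
    # 2 only warns; 1 refuses the connection and is what a published profile
    # should carry.
    if ($Settings['authentication level'] -ne '1') {
        $findings += 'authentication level is not 1: server identity is not enforced'
    }
    # gatewayusagemethod 1 always uses the TS Gateway, 2 bypasses it only for
    # local addresses; anything else lets the client try RDP directly.
    if (-not $Settings.ContainsKey('gatewayhostname') -or
        $Settings['gatewayusagemethod'] -notmatch '^[12]$') {
        $findings += 'TS Gateway is not enforced for this connection'
    }
    # RemoteApp sessions launch through rdpinit.exe rather than a full desktop.
    if ($Settings['remoteapplicationmode'] -eq '1' -and
        $Settings['alternate shell'] -ne 'rdpinit.exe') {
        $findings += 'RemoteApp mode set but alternate shell is not rdpinit.exe'
    }
    # "password 51" stores a saved credential inside the profile itself.
    if ($Settings.ContainsKey('password 51')) {
        $findings += 'profile embeds a saved credential'
    }
    $findings
}

Test-RdpProfile (ConvertFrom-RdpProfile $SampleRdp)
```

  Run against the sample, the audit reports only the authentication-level finding; point `ConvertFrom-RdpProfile` at `Get-Content -Raw` of a real profile to check the files you distribute.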

1.2.3. Active Directory: Read-Only Domain Controllers

  Windows Server 2008 introduces the concept of a read-only domain controller (RODC), which is great for branch offices and other locations where the machines hosting the domain controller role can't be physically protected in the same way as a machine in a datacenter might be. RODCs hold a read-only copy of Active Directory, which allows for the immediate benefits of faster logons and quicker authentication turnaround times for other network resources, but also for the long-term security benefits. No attacker can create changes in an easily accessible DC in a branch office that will then replicate up to the main tree at the corporate office, since the DC is read-only. The RODC can also cache the credentials of branch office users and, with just one contact to a regular, writeable domain controller up the tree, can directly service users' logon requests. However, this caching is left off by default in the Password Replication Policy for security reasons.
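  A way to confirm that default on a given RODC, as an added example that is not from the book: the PowerShell function below reads the Password Replication Policy attributes directly from the RODC's computer object over ADSI. It assumes PowerShell 2.0 or later on a domain-joined management host, and the distinguished name it is called with is a placeholder for your own RODC.

```powershell
# Added example (not from the book): read a read-only domain controller's
# Password Replication Policy from its computer object via ADSI and show
# which accounts it is actually caching. Assumes PowerShell 2.0 or later on
# a domain-joined host; the DN passed at the bottom is a placeholder.

function Get-RodcPasswordReplicationPolicy {
    param([string]$RodcDistinguishedName)

    $rodc = [ADSI]("LDAP://" + $RodcDistinguishedName)

    # msDS-RevealOnDemandGroup is the Allowed list, msDS-NeverRevealGroup the
    # Denied list, and msDS-RevealedUsers the accounts whose secrets the RODC
    # currently holds. Drop nulls so an unset attribute counts as empty.
    $allowed = @($rodc.'msDS-RevealOnDemandGroup' | Where-Object { $_ })
    $denied  = @($rodc.'msDS-NeverRevealGroup'    | Where-Object { $_ })
    $cached  = @($rodc.'msDS-RevealedUsers'       | Where-Object { $_ })

    # Denied always wins over Allowed, so an entry on both lists is never
    # cached; surface it because it usually signals a misconfigured policy.
    $shadowed = @($allowed | Where-Object { $denied -contains $_ })

    New-Object PSObject -Property @{
        Rodc             = $RodcDistinguishedName
        # Out of the box the Allowed list holds only the (empty) Allowed RODC
        # Password Replication Group, so review every other entry listed here.
        AllowedEntries   = $allowed
        DeniedEntries    = $denied
        AllowedButDenied = $shadowed
        CachedAccounts   = $cached.Count
        CachingInUse     = ($cached.Count -gt 0)
    }
}

Get-RodcPasswordReplicationPolicy 'CN=BRANCH-RODC01,OU=Domain Controllers,DC=corp,DC=example,DC=com' |
    Format-List
```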

1.3. Security Improvements

  Security problems have plagued Microsoft since Windows' inception, but only in the last few years, as more people have become connected, have those flaws been exploited by malcontents. Indeed, some of the vulnerabilities in products that we see patches for on "Patch Tuesdays" are the results of poor design decisions. These types of flaws are the ones Microsoft is hoping to stamp out in the release of Windows Server 2008. You'll see quite a bit of change to the architecture of services in Windows Server 2008, including increasing the number of layers required to get to the kernel, segmenting services to reduce buffer overflows, and reducing the size of the high-risk, privileged layers to make the attack surface smaller. While fundamentally changing the design of the operating system, the Windows Server 2008 team has also included several features designed to eliminate security breaches and malware infestations, as well as capabilities meant to protect corporate data from leakage and interception. Let's take a look at some of the improvements.

1.3.1. Operating System File Protection

  A new feature currently known as operating system file protection ensures the integrity of the boot process for your