Windows Server 2008

June 11, 2007

Windows Server 2008 release date and other news

Filed under: Windows Server — admin @ 6:30 pm

Update: I am currently testing Windows Server 2008 in detail. Please, check out the complete list of my Windows Server 2008 reviews. Also read about the latest rumors concerning the release date for Windows Server 2008.

Windows Server 2008 gets more and more media coverage these days since its release date is getting closer. This post summarizes some interesting information I found today.

Windows Server Roadmap
An article at Redmondmag.com unveils the Windows Server roadmap. Most interesting is that Windows Server 2008 is scheduled for release in January 2008 and a release candidate might already be available in November or December this year. Well, Microsoft seldom sticks to its own schedules, but at least we have a concrete date now.

Windows Server 2008 is Microsoft's last 32-bit server OS
Several news sites are discussing this issue. Bill Laing, general manager of the Windows Server division, said that after 2008 Microsoft would only produce 64-bit operating systems. This has led to speculation that Vista would be Microsoft's last 32-bit desktop OS. However, this was just jumping to conclusions, as the Vista blog clarified.

New Server Core Step by Step guide
Some days ago, I posted an article on how to get started with Windows 2008 Server Core. Microsoft has just published a new Step by Step guide covering more or less the same instructions as my post. However, Microsoft's document is much more detailed than my introduction. So, if the sore muscles in your fingers are already better, you can continue now with your exploration of Server Core. There is a Word document on Microsoft's Download Center and there should be an HTML version on TechNet. I wasn't able to find the latter, though. But the link leads to a list of other interesting documentation about Windows Server 2008.

Windows Server 2008: Dynamic Partitioning

Filed under: Windows Server — admin @ 6:29 pm

Computerworld has an interesting article about a new feature of Windows Server 2008: Dynamic Partitioning. A hardware-partitionable server can have isolated hardware partitions comprising CPU, memory and I/O. Each of these partitions runs its own Windows instance. Dynamic Partitioning allows you to add, replace and remove hardware without rebooting Windows. This improves not only fault tolerance but also scalability.

In a way, it is RAID for CPU, memory and I/O. This certainly important feature is not revolutionary, though; mainframe systems have always had similar capabilities. Therefore, it will be one further step for Microsoft in pushing Windows into the datacenter. Unfortunately, this feature will only be supported by the Datacenter and Itanium editions of Windows Server 2008. By the way, Windows Server 2003 already supports hot-add memory.

It is interesting to note that the white paper about the new features of Windows Server 2008 that I linked to earlier doesn't mention this new capability. If you want to know more technical details about Dynamic Partitioning, or about the "hot swap feature" as some call it, I recommend this PowerPoint presentation.

Windows Server 2008: Server roles and Server Manager

Filed under: Windows Server — admin @ 6:29 pm

Whenever you read about the new features of Windows Server 2008, Server Manager is often at the beginning of the list. At first, I thought it was only a collection of administration tools, but when I played with Server Manager today, I found out that it is more than that.

You might have heard that server roles play a more important role in Windows 2008 than in Windows 2003. I think we have never really worked with server roles until now, but this will definitely change once we deploy Windows 2008. The advantage of working with server roles is that you only have to install the services that are really necessary for the task of a server. This improves security by reducing the attack surface, and it makes server management easier, e.g. when it comes to patch management or troubleshooting.

First of all, Server Manager is the tool you use to install a new server role. The "Add Roles Wizard" guides you through the installation of a new server role. There are server roles that come with more than one role service. For example, if you add the file server role, the wizard allows you to select several additional services like the file replication service or the Windows Search service.

The wizard also knows which Windows features are required for a certain role. For example, if you add the server role "Application Server", the wizard asks for your confirmation to install the .NET Framework 3.0 and the Windows Process Activation Service. You also have to use Server Manager to add Windows features. If you try to add a Windows feature through the Programs and Features tool in the Control Panel, Windows will start Server Manager.

The server role setup routine automatically adds all management tools needed to administer this role. This also includes the corresponding event logs in the Event Viewer. Those tools can still be accessed through the Administrative Tools menu. However, I doubt you will need this menu often in the future, because you can find everything you need more easily in Server Manager.

I think Server Manager greatly simplifies server administration. It seems as if Microsoft learned something from popular Linux distributions. SuSE's YaST, for example, has capabilities similar to Server Manager. I think the main reason why Microsoft introduced Server Manager is that they plan to push modularity even more in future Windows versions. Modularity has always been an advantage of Linux. Since there is more modularity in Windows now, you need a central tool that allows you to manage the dependencies of the different services and tools. I wonder if third-party software vendors will also be able to integrate their management tools into Server Manager.

Be prepared that Server Manager will play an even more important role in the future. So don't click it away when it starts automatically after you have finished with the Initial Configuration Tasks tool. This is the place where you should start to explore Windows Server 2008.

The only thing I don't like about Server Manager is that you have to launch it on the server you want to administer. This means you can't use Server Manager to connect to another server, and there is no version you can install on Windows Vista or XP. However, Keith Combs writes that Microsoft is working on a remote version of Server Manager.

If you don't have the time to play with it now, I recommend the introduction to Server Manager at WindowsNetworking.com. Brian M. Posey discusses the most important tools of Server Manager in detail. If you prefer watching over reading, you can also check out Keith Combs's screencast. It will give you a great overview of Server Manager.

Windows Server 2008: Windows Firewall with Advanced Security

Filed under: Windows Server — admin @ 6:28 pm

Today, I played a little with the new features of Windows Firewall. If you are familiar with the desktop firewall in Windows Vista, you already know the most important new features. There are, however, some server-related peculiarities.

First of all, you might ask why a server needs a personal firewall if all your servers are behind a gateway firewall anyway. It seems superfluous to have another firewall running on the servers.

It is interesting to note that the firewall in Windows Server 2008 is activated by default. Only an upgraded Windows Server 2003 will keep the state it had before the upgrade. It seems that Microsoft's software engineers think that Windows Firewall brings some extra security on servers, too.

I fully agree! Think of it as another line of defense. The more barriers you have, the more secure your network is. This corresponds to the general trend to enforce security inside the perimeter network. Please, check out a former discussion on 4sysops about the pro and contra for personal firewalls.

A disadvantage is certainly when one of your applications fails to work due to an incorrectly configured Windows Firewall. However, this applies to all security measures: they make your network more complicated and therefore more prone to errors.

The Windows Server 2008 firewall has a nice feature which alleviates this problem. Whenever you add a new role to your server, the firewall is automatically configured accordingly. For instance, if you configure your Windows server as a domain controller, the corresponding ports are opened automatically.

If you run third-party applications on your servers, you have to configure the firewall yourself. For this, you have to use the "Windows Firewall with Advanced Security" MMC snap-in. You can launch it by typing "firewall" at the Start search prompt. You'll also see the "simple" Windows Firewall tool from the Control Panel. This tool can only be used to disable the firewall and to enable exceptions for Windows programs.

It is also possible to manage the firewall settings remotely using the MMC snap-in on a Vista machine. But if you try to connect remotely to change the firewall settings, you'll get the message "The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0X6D9". Well, restarting the firewall service won't help. What you really have to do is enable remote management:

Open a command prompt with admin privileges and enter: netsh advfirewall set allprofiles settings remotemanagement enable. This should also work on a Server Core system, and remote management with the snap-in is much more comfortable than working from the command shell.

Like in Vista, the Windows Server 2008 firewall offers three different profiles: Domain, Private and Public. If a computer is a domain member, the location type is set automatically to Domain. It is not possible to change this setting. Only the firewall rules for the Domain profile apply then. If a computer is not in any domain, you can choose between the Private and the Public location types. You can change the location type in the Network and Sharing Center by clicking "Customize" beside the network connection.

The default setting for a Windows 2008 domain controller is "Public", and domain members can only use the Domain location type. Thus, on the domain controller you will usually configure Public rules for third-party applications, and on domain members you will work with Domain rules. The difference between Private and Public doesn't matter for servers in my view. I doubt that you will grab one of your servers and connect it at Starbucks to download some patches during your coffee break. You'll find more information about the differences between the location types in the help file of Windows Firewall.

To disable the firewall or change other general settings for a certain profile, right-click "Windows Firewall with Advanced Security on Local Computer" and then choose "Properties". Of course, you can also use Group Policy to configure Windows Firewall.

Like Vista, Windows Server 2008 also supports outbound filtering. By default, outbound connections are allowed, though. It is probably too much hassle to configure outbound filtering manually on server systems. Another change compared to the firewall in Windows Server 2003 SP1 is that IPsec rules can now be configured with the same snap-in. This certainly makes sense, because it reduces the risk of conflicting settings.
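The third-party rule and the remote-management switch described above, as an added PowerShell example that is not code from the original post. The rule name, program path, port and management subnet are assumptions; the netsh commands are the ones the snap-in drives underneath.

```powershell
# Added example (not from the original post): open one port for a third-party
# service with netsh advfirewall, enable remote management, and verify.
# Run in an elevated PowerShell on the Windows Server 2008 machine.

$ruleName = "Acme Backup Agent TCP 8443"          # assumed rule name
$exe      = "C:\Program Files\Acme\agent.exe"     # assumed program path
$mgmtNet  = "10.0.0.0/24"                         # assumed management subnet

# Scope the rule to the program, the Domain profile and the management subnet
# instead of opening the port to every remote address in every profile.
# On a domain controller, where the post reports the Public location type,
# use profile=public instead.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=8443 program="$exe" profile=domain remoteip=$mgmtNet

# Let the MMC snap-in on a Vista workstation connect; error 0X6D9 from the
# post means this switch is still off.
netsh advfirewall set allprofiles settings remotemanagement enable

# Verify: the rule as stored, then the per-profile state and default actions.
netsh advfirewall firewall show rule name="$ruleName" verbose
netsh advfirewall show allprofiles
```

Re-running the add command creates a second rule with the same name rather than updating the first, so delete with netsh advfirewall firewall delete rule name="..." before changing a rule.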

Windows Server 2008: Fine-grained password policies

Filed under: Windows Server — admin @ 6:28 pm

Password policies are an essential part of any security strategy. Most users tend to use passwords that are too weak because they are easier to memorize, thereby endangering your whole network. In a Windows 2000/2003 domain you can only enforce one password and lockout policy for all users. Windows Server 2008 now enables you to use multiple password policies. In my view, this is a very interesting new feature.

Different security groups in your domain have different rights. The more rights they have, the stronger their passwords should be. Of course, you could work with just one policy enforcing very strong passwords for all users. However, this might stress your helpdesk, because users will forget their passwords more often as a result.

This is especially true if you are working with a short maximum password age. It makes sense to commit administrators to changing their password every month or so. But if you do this with standard users, it will certainly mean a lot of extra work for your helpdesk staff. This time might be better invested somewhere else.

So, I really like this new feature of Windows 2008. However, I don't like how one has to configure multiple password policies. As in Win2k/Win2k3, you can set up only one password policy for the whole domain using the Group Policy Editor. If you want to use more than one policy, you have to mess around with ADSIedit.msc.

First, you have to create a so-called Password Settings Object (PSO) underneath the Password Settings Container, which you find under System. A wizard guides you through the creation of the PSO, asking you to set the values for attributes like password complexity, minimum password length or lockout threshold. Simon Weidner has a complete list of all password policy attributes with a detailed description of each. Note that the wizard expects negative integers for some attributes.

Next, you have to link this PSO to a global group. If you enable "Advanced Features" in the Active Directory Users and Computers snap-in, you'll see the System container and underneath it the Password Settings Container. There, you can access the properties of the PSO you just created. You link this PSO to a global group or user by adding its name to the msDS-PSOAppliesTo attribute. Note that you have to use the distinguished name in the form "cn=group name, ou=group container, dc=domain name, dc=com". It is also possible to link a PSO to multiple groups.

It could happen that you create conflicting password policies where a user belongs to multiple groups. However, only one PSO can be effective for a certain user object. There are several rules used to calculate the so-called Resultant Set of Policy (RSOP). You can check out this TechNet article for more information. The best way is certainly to specify in advance which PSO is effective. For this you can use the msDS-PasswordSettingsPrecedence attribute. A lower value for this attribute indicates that the PSO has a higher priority. If you assign a unique precedence value to each PSO, it will always be easy to determine the effective password policy for a certain user object.
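The PSO procedure above, as an added PowerShell example that is not code from the original post: it creates the PSO through an LDIF import instead of the ADSI Edit wizard (same attributes), links it to a group with msDS-PSOAppliesTo, gives it a precedence, and then checks which PSO a user actually resolves to. The PSO name, the group and the test account are assumptions.

```powershell
# Added example (not from the original post): create a PSO for administrators
# and verify the effective policy on one user. Run on a Windows Server 2008
# domain controller as a Domain Admin.

$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$psoName  = "PSO-Admins"                               # assumed PSO name
$groupDN  = "CN=Domain Admins,CN=Users,$domainDN"      # assumed target group
$userDN   = "CN=Admin User,CN=Users,$domainDN"         # assumed test account

# Time-based PSO attributes are large integers in negative 100-nanosecond
# intervals; this is why the wizard wants "negative integers". .NET ticks are
# 100 ns as well, so negate TimeSpan.Ticks instead of counting zeros by hand.
$maxAge  = -1 * [TimeSpan]::FromDays(30).Ticks        # -25920000000000
$minAge  = -1 * [TimeSpan]::FromDays(1).Ticks
$lockout = -1 * [TimeSpan]::FromMinutes(30).Ticks

# All ten mandatory attributes of msDS-PasswordSettings plus the link.
# Precedence 10: lower wins if the user is also covered by another PSO.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $lockout
msDS-LockoutDuration: $lockout
msDS-PSOAppliesTo: $groupDN
"@

$ldifPath = Join-Path $env:TEMP "$psoName.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath                                # -i import, -f input file

# Verify: msDS-ResultantPSO is a constructed attribute, so it has to be
# requested explicitly. A member of the group should now resolve to the PSO.
$user = [ADSI]"LDAP://$userDN"
$user.psbase.RefreshCache([string[]]@("msDS-ResultantPSO"))
"Effective PSO for ${userDN}: " + $user.psbase.Properties["msDS-ResultantPSO"].Value
```

An empty msDS-ResultantPSO means the domain's default Group Policy password settings apply to that user.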

Even though my short article only covered the essentials of the new fine-grained password policy feature, you've probably realized that things can get quite complicated. I certainly would prefer using Group Policy for this.

Windows Server 2008: Active Directory Auditing

Filed under: Windows Server — admin @ 6:27 pm

Active Directory auditing, i.e. the logging of directory service accesses, is already possible with Windows 2000/2003. Windows Server 2008 extends the auditing capabilities of Windows Server 2003 in several interesting ways. You can use this feature if you have to track down errors or security issues.

The most interesting extension is that you can now log the current and the previous value of a changed attribute, and not just the fact that it has been changed. The previous value can be quite useful if unwanted changes have to be reverted.

Win2k/Win2k3 has only one audit policy (Audit Directory Service Access); now there are four different policies available: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. The second one introduces the feature mentioned above.

If you enable it, then the security log will also store the values of modified attributes. If you create a new object, then all attributes of this object are logged. If an object is moved, the new and the old location will appear in the security log and if an object is undeleted, its new location is logged, too.

It is a bit strange in my view that you can't enable, disable or view the new policies with the Group Policy Editor. You have to do this at the command prompt! Were Microsoft's programmers too lazy to add these new policies to GPedit.msc?

However, if you enable the Audit Directory Service Access global audit policy with GPedit.msc, all new policies are enabled too, by default. You can find the global audit policy under Windows Settings\Security Settings\Local Policies\Audit Policy\ in GPedit.msc.

If you want to disable the new Directory Service Changes policy, you can do it with this command: auditpol /set /subcategory:"directory service changes" /success:disable. To view the current setting, type: auditpol /get /subcategory:"directory service changes". There might be circumstances where it makes sense to disable this feature, for example when you modify many Active Directory objects with a script.

Like in former Windows versions, you can still control which objects are audited by modifying their SACL (System Access Control List). For instance, if you want to disable auditing for all objects in a certain container, right-click it in the Active Directory Users and Computers snap-in, navigate to Properties\Security\Advanced\Auditing and remove the entries there. Make sure that "Advanced Features" under "View" is enabled in the snap-in. Otherwise, you won't see the Security tab.

It is also possible to disable auditing only for certain attributes by editing the schema with the ADSI Edit snap-in. After you have added the snap-in to the MMC, right-click ADSI Edit and select "Connect to". Then choose "Schema" as the naming context. Now select one of the attributes, e.g. Given-Name, and change searchFlags to 256. This sets bit 9 of the searchFlags property, which disables auditing of the Given-Name attribute of all user objects in the domain. Note that it usually takes some minutes until schema changes are active. I recommend trying schema changes first in a test environment.

All audits are logged in the security log, which you can access with the new Event Viewer. You'll find the security log under Windows Logs. The new Event IDs for attribute changes are 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move). The Event ID 566 for a mere directory service access, which you might know from Windows Server 2003, has been changed to 4662 in Windows Server 2008.
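Three of the steps above in one added PowerShell example (not code from the original post): enable the Directory Service Changes subcategory with auditpol, set the searchFlags bit on Given-Name without wiping the bits the attribute already has, and pull the new 5136 to 5139 events with wevtutil. It assumes you run it on the schema master as a Schema Admin; the attribute name is the one the post uses.

```powershell
# Added example (not from the original post). Run elevated on the domain
# controller that holds the schema master role, as a Schema Admin.

# 1. Enable value auditing (success events) and show the resulting setting.
auditpol /set /subcategory:"directory service changes" /success:enable
auditpol /get /subcategory:"directory service changes"

# 2. searchFlags is a bit mask. 256 is the NEVER_AUDIT_VALUE bit the post
#    describes, but Given-Name already has other bits set (it is indexed), and
#    assigning a plain 256 would clear them. OR the bit in instead.
$schemaNC = [string]([ADSI]"LDAP://RootDSE").schemaNamingContext
$attr     = [ADSI]"LDAP://CN=Given-Name,$schemaNC"
$old      = [int]$attr.psbase.Properties["searchFlags"].Value
$new      = $old -bor 256
"Given-Name searchFlags: $old -> $new"
if ($new -ne $old) {
    $attr.psbase.Properties["searchFlags"].Value = $new
    $attr.psbase.CommitChanges()        # fails unless this DC is the schema master
}

# 3. Read the 20 newest change events from the Security log:
#    5136 modify, 5137 create, 5138 undelete, 5139 move.
$xpath = "*[System[(EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139)]]"
wevtutil qe Security /q:$xpath /c:20 /rd:true /f:text
```

The schema change takes effect only after the schema cache reloads, so the first minutes of events after step 2 may still carry Given-Name values.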

IIS7 will be a server role in Server Core

Filed under: Windows Server — admin @ 6:27 pm

Microsoft just announced that Windows Server 2008 Server Core will be able to run IIS7 (Internet Information Server 7.0) as a server role. This isn't yet possible with Server Core Beta 3, which I am currently testing. It only supports typical intranet roles like file server, DHCP, and Active Directory Services. Interestingly, Microsoft added this new role due to customers' demand.

I raised doubts before that many sysops will embrace Server Core just for security reasons. Since the roles that were originally planned are not really security sensitive, it is not clear how much Server Core can improve security. The roles supported in Beta 3 are usually only accessed from the company network. Why should you give up the comfort of GUI administration on a system that isn't really endangered because it is behind your firewall anyway?

I believe this announcement changes everything. It makes Server Core a very interesting product. The web server is certainly the most endangered system. It usually can be accessed from the Internet and it is the most visible server. You probably remember the countless security issues of IIS5. The security of IIS6 was greatly improved, and IIS7 will most likely be even more secure.

However, secure web server software isn't enough. The underlying OS is certainly important, too. I think that many prefer Apache over IIS just because they can run it on a Linux box where they can remove all unnecessary services. That's why I think this move might indeed increase the market share of IIS.

New rumors about the Windows Server 2008 release date

Filed under: Windows Server — admin @ 6:26 pm

Some news sites are speculating that the release of Windows Server 2008 might be delayed. The Windows Server Division Weblog meanwhile denied these claims. Microsoft is still planning to release Windows Server 2008 to manufacturing in the second half of 2007.

Joe Wilcox from Microsoft Watch has an impressive list of arguments supporting his claim that Windows 2008 will not be released this year. It all sounds quite reasonable to me. This argument is most convincing in my view:

Beta 3, the first public release of Windows Server 2008, has been available for nearly six weeks. Time between Beta 2 and Beta 3 was about 11 months.

After Beta 3 there probably will be a release candidate and then maybe a second release candidate like it was with Vista. Considering that it took MS 11 months to release Beta 3, it is hard to believe that we will see the final product this year. I mean, it is June already and they are still adding features, like the IIS7 support in Server Core.

Anyway, even though it might take quite some time until you deploy this new server OS, I recommend you start learning about its new features now. Together with Vista, Windows Server 2008 will change a lot in your network. So you'd better get acquainted with their new tools and features as soon as possible. This way, you can learn about them step by step, and you won't be in a hurry later. I'll continue blogging about the new functionality of Windows Server 2008 in detail. So stay tuned!

Windows Server 2008 screencast - Core installation and initial configuration

Filed under: Windows Server — admin @ 6:25 pm

Core to any server is the ability to service network requests.

Another top 10 list of Windows Server 2008 features

Filed under: Windows Server — admin @ 6:24 pm

Some weeks ago, I summarized an article from Paul Thurrott discussing the ten most important features of Windows Server 2008. Today, I found an article at BetaNews also listing the top 10 WS2K8 features. However, both lists only share two features. One is Server Core and the other is Windows PowerShell.

This confirms what I've said before: Windows Server 2008 doesn't really have killer features. You could also say that everyone can create a personal top 10 list choosing among the myriad new features. I personally prefer other features over the ones listed in the BetaNews article, but some of them are quite interesting.

#10: The self-healing NTFS file system
This term is certainly an exaggeration. We won't see any self-healing computer systems in the near future, even though the marketing guys keep saying so. "Self-healing NTFS file system" only means that low-level file system repair operations can now run while the system is online. So you don't have to run CHKDSK offline anymore.

#9: Parallel session creation
This is a new Terminal Server feature. If users log on at the same time, a WS2K8 Terminal Server can distribute the creation of the corresponding sessions to different processors. So if you have four processors in your machine, Terminal Server can create four sessions in parallel. This reduces the logon time when users connect to the server at the same time in the morning.

#8: Clean service shutdown
In Windows XP/2003 the OS gives applications 20 seconds to end if you initiate a shutdown. If the application doesn't respond during this time period, you get a message allowing you to end the application manually. Windows 2008 waits for applications as long as they keep signaling that they still need time to shut down properly.

#7: Kernel Transaction Manager
This new Transaction Resource Manager can make sure that certain file or registry operations are finished before another process is allowed to modify the same object. Like with database transactions this can prevent inconsistencies. Third-party plug-ins can use the Transaction Manager to initiate transactions for different managed resources.

#6: SMB2 network file system
SMB (Server Message Block) is Microsoft's network protocol that is mainly used for file and printer sharing. Microsoft says that SMB2 is thirty to forty times faster. Well, that remains to be seen. I suppose this performance boost only applies to certain scenarios.

#5: Address Space Layout Randomization (ASLR)
This feature was widely discussed before Vista came out. In Vista and Windows 2008 a system service randomly occupies one of 256 locations. In WinXP/2003 services could always be found at the same location, which made it easy for malware programmers to manipulate them.

#4: Windows Hardware Error Architecture (WHEA)
Microsoft has now standardized the way devices report errors. This will make it easier for third-party applications to identify problems.

#3: Windows Server Virtualization
I wouldn't call this a WS2K8 feature, as Microsoft plans to ship the hypervisor-based virtualization only six months after the release of Windows 2008. Since so many important features have been cut (live migration capabilities, hot-adding of storage, networking hardware, memory, and processors, and support for up to 32 processor cores), VMware probably doesn't have to fear Microsoft's new server OS.

#2: PowerShell
It is nice that Microsoft's new scripting language and command interface eventually got the blessing for Windows 2008, too. However, it is a bit far-fetched to call this a WS2K8 feature, since it is already available for Windows Vista/XP/2003.

#1: Server Core
Isn't it a bit ironic that BetaNews' number 1 feature is just a special edition of Windows 2008 lacking many features of the standard version? Anyway, Server Core is certainly an interesting product. However, I have some doubts that many Windows admins will give up the graphical interface just to improve security and patch management.
