Special Fall 2007 Issue:
"Livin' the Longhorn Life"
What it is
Latest version of Windows NT Server: NT Server 6.0
Available in Standard, Enterprise, Datacenter, even Web Edition
Also offers a reduced-function version called "Server Core" in Standard, Enterprise, Datacenter and even Web Edition
Ultimately named "Windows Server 2008"
Shipping 27 February…
You remember this (Vista), of course?
It's where a goodly piece of Server 2008 comes from; more specifically…
First-In-Vista Server 2008 Technologies
New setup engine
Deployment tools
slmgr, KMS server and other licensing tools
Folder renames ("Users")
Heavy XML use
New search engine
More metadata
"Previous versions"
Transaction-based NTFS
User Account Control
Windows Integrity Levels
BitLocker drive encryption
First-In-Vista Server 2008 Technologies
More secure services architecture
PatchGuard anti-rootkit technology (x64 only)
Tighter security defaults
IPv6 included, installed and enabled by default
Windows Meeting Space
Remote Desktop changes
700+ new group policy settings
Revised file sharing
Hardware installation policies
New Windows Event Viewer
First-In-Vista Server 2008 Technologies
New WinRM protocol (eventual RPC replacement)
Improved Task Scheduler
New boot manager controlled by bcdedit, not boot.ini
Reliability Monitor
64-Bit Is the Default
As you may know, Exchange 2007 only shipped in a 64-bit version for production use
The current point of view at MS is that "32-bit server hardware is legacy hardware"
Keep that in mind when buying hardware
And don't worry about the "there are no 64-bit drivers" stuff -- server hardware's got drivers
Management Tools
Tools to herd them dogies
Server Manager
Folds together Add/Remove Windows Components, Manage Your Server, Server Configuration Manager… and a bunch of other stuff
Intended to be "one-stop shopping" for server management
Server Manager
Comes up automatically, or run Administrative Tools / Server Manager
Format is to show current state, and offer changes on the upper-right-hand side
Differentiates "features" and "roles"
Think of it as the old Manage Your Server wizard combined with the Security Configuration Wizard
Also ties together other MMCs
What's New In Monitoring
Data Collector Sets (find them in Server Manager) monitor a suite of related items
But it's more than Perfmon -- it's got rules for warning you about things needing attention
Help includes prescriptive advice and links to KB articles
Sort of a "MOM lite"
Group Policies
All the Vista stuff, and…
GPMC built in
GP effect on Sysvol greatly reduced (ADMX templates and the central store, instead of a copy of every ADM file in every GPO)
"Find" finally comes to GPMC
You can amalgamate a number of like GP settings to get a single task done with a "Starter GPO"
You can add comments to GP objects and Starter GPOs
We even get PolicyMaker (now "Group Policy Preferences"), yay!
Rollouts
Still Windows Deployment Services
But… this'll make Ghost fans happy
You'll be able to multicast Windows Image (.wim) files
Image multicasting does not require IPv6
Virtual Machine Technology
The Hypervisor
It's virtually impossible to ignore virtual machines
An option for Longhorn and Server Core
Similar notion to VMware's ESX
Lighter-weight hypervisor, however
Built to exploit the new virtualization opcodes in AMD-V (Pacifica) and Intel VT (Vanderpool)
(Separate AMD support is in it)
Theory: a smaller base "hypervisor" means faster virtual machines
Arrives about six months post-Longhorn
Ends up without Live Migration, the VMotion competitor (bummer!)
Hypervisor Structure
Hypervisor is sort of the base OS, although it doesn't do much
First VM (the "parent") acts very much like the "host" OS: it holds the virtualization stack and the device drivers
[Diagram: Hardware at the bottom, Hypervisor directly above it. On top of the hypervisor sit VM 1 ("Parent"), which holds the virtualization stack and the drivers, and VM 2 ("Child") and VM 3 ("Child"), each with its own drivers.]
Virtual Tech and Licenses
Buy a copy of Standard server and you can create one VM
Buy a copy of Enterprise server and you can create four VMs
Buy a copy of Datacenter server and you can create as many VMs as you like
(These are the virtual instances you may run on top of the licensed physical installation; once the physical copy does anything beyond hosting VMs, it counts against the number)
Networking
Network Access Protection
Problem: people bring computers into your intranet, computers that may carry malware
Solution: some kind of quarantine system
Covers DHCP, VPN, IPsec, and wireless/wired 802.1X
Two modes: "monitoring" (log non-compliance, let the client on) and "isolating" (restrict the client to the quarantine network)
This is not Network Access Quarantine Control, the 2003 thing that required a PhD to make work
NAP Ingredients
Network policy: "no XP box gets on the network unless it's got SP2 and patches X, Y, and Z"
NAP-smart network components (enforcement points)
A "quarantine" network
A certificate infrastructure (needed for the IPsec flavor, where clients get health certificates)
A policy server (Network Policy Server, the RADIUS server that replaces IAS)
Clients with System Health Agents (none for 2000, Mac or Linux yet)
NAP Approach (VPN example)
Remote user contacts the VPN server
The VPN server passes the request to the policy server
The policy server examines the statement of health produced by the client's System Health Agents
Compares it to the network policy, sees if pass or fail
If "isolate," leave the remote user on the quarantine network; if "monitor," record the failure but let 'em on the network
What if you fail?
Isolated system can be sent to a "remediation server" that supplies patches, service packs, etc.
It's not just VPN; replace "VPN server" with:
DHCP server
802.1X network devices
RADIUS server
TS Gateway (later)
All work in the same way
SMB Gets Cooler
SMB 2.0 offers:
Larger dynamic block sizing -- significantly better file transfer speed
Support on Vista and Longhorn (older clients and servers fall back to SMB 1)
Transfers encrypted files in encrypted form
Less chatty, quicker setup
More robust, handles short network glitches better
Mutual authentication
SMB signing, now HMAC-SHA256 rather than MD5
How much faster?
A white paper on Microsoft's site says that moving from XP/2003 to Vista/2008 can produce start-to-finish speed changes in file transfers of 2.5x to 3.3x.
I was not, however, able to duplicate those results, so I guess your mileage may vary.
IIS 7.0
No more metabase; sites are configured in a plain-text XML file, applicationHost.config
Very nice and much simpler to pare a site down to its basics, which makes for faster code and more security (a module you never load is a module nobody can attack)
Modularity is amazing – they're trying for the best of Apache
Terminal Services Gets Better
SSL connections: Terminal Services Gateway tunnels RDP over RPC over HTTPS and lets you get past firewalls
WinFX apps will "remote" graphical calls
Will let you deploy an app so that the app by itself is a TS session… but it looks to the user like a standard window ("remote applications", a.k.a. RemoteApp)
Can redirect many PnP devices
Command-Line Remote Management
Wouldn't it be great to have ssh?
We've got WinRS, "Windows Remote Shell" (traffic is encrypted at the message level even over plain HTTP when Kerberos/Negotiate authentication is used)
Built atop WinRM, "Windows Remote Management", which is an implementation of the WS-Management standard
Runs on port 80 by default (443 if you set up an HTTPS listener)
Harder to do outside a domain (no Kerberos, so you need HTTPS or a TrustedHosts list) but simple inside a domain
ex: winrs -r:otherpc ipconfig
A SQL Server In Every Box
Longhorn has an optional feature called "Windows Internal Database"
It's basically SQL Server 2005 Express (Embedded Edition), reachable only through a local named pipe
Download the SQL 2005 command-line client, sqlcmd
Start it with: NET START MSSQL$MICROSOFT##SSEE
Connect with: sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
Name Resolution Changes
(or lack of changes)
What's up with WINS?
Well, it's like this:
WINS, your days are numbered.
Unfortunately that number appears to be pretty large.
Supposedly NetBT was going to be disabled by default on LH, but it isn't yet
DNS Changes
Several new RR types and features
Here are just the top two
(Join me tomorrow to see more on these and other name resolution changes!)
DNS Changes: DNAMEs
Migrating domain names?
It can be a pain to find all of the things referring to somename.old.com and change them to somename.new.com
A new DNAME record on old.com tells DNS, "whenever someone asks for anything below old.com (www.old.com, mail.old.com…), substitute new.com and answer from there"
The server synthesizes a CNAME (www.old.com -> www.new.com) for each such query; note that the DNAME's own name, old.com itself, is not redirected, only the names beneath it
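Since the DNAME semantics are easy to get subtly wrong, here is the substitution rule worked through in code. This is an added example, not code from the slides or from the Windows DNS server; the zone contents and the names old.com / new.com are constructed sample data.

```python
"""DNAME substitution (RFC 2672 / RFC 6672) worked through in code.

Added example, not from the slides or from the Windows DNS server. The zone
below is constructed sample data with hypothetical names old.com / new.com.
"""


def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dname_rewrite(qname, dname_owner, dname_target):
    """Apply one DNAME to a queried name, or return None if it doesn't apply.

    Two things people get wrong: the DNAME owner itself is never rewritten
    (only names strictly below it are), and the match is label-wise, so a
    DNAME at old.com does not catch notold.com.
    """
    q, owner, target = labels(qname), labels(dname_owner), labels(dname_target)
    if len(q) <= len(owner) or q[-len(owner):] != owner:
        return None
    new_name = ".".join(q[:-len(owner)] + target)
    if len(new_name) > 253:  # 255-octet wire limit; the RFC says answer YXDOMAIN
        raise ValueError("YXDOMAIN: substituted name too long")
    return new_name


def answer(qname, zone, _depth=0):
    """Resolve qname from an in-memory zone {name: [(rtype, rdata), ...]}.

    Exact matches win. Otherwise walk up the proper ancestors; the closest
    one holding a DNAME rewrites the query, a CNAME is synthesized for the
    client, and the rewritten name is resolved in turn. Empty list = NXDOMAIN.
    (Zone data underneath a DNAME owner is invalid and is not modelled.)
    """
    if _depth > 8:
        raise RuntimeError("DNAME/CNAME chain too long")
    q = labels(qname)
    key = ".".join(q)
    if key in zone:
        return list(zone[key])
    for i in range(1, len(q)):
        ancestor = ".".join(q[i:])
        for rtype, rdata in zone.get(ancestor, ()):
            if rtype == "DNAME":
                target = dname_rewrite(qname, ancestor, rdata)
                # The synthesized CNAME is what the client asking for the
                # old name actually sees in the answer section.
                return [("CNAME", target)] + answer(target, zone, _depth + 1)
    return []


# Constructed sample zone: old.com has been renamed to new.com.
SAMPLE_ZONE = {
    "old.com": [("DNAME", "new.com"), ("A", "192.0.2.1")],
    "new.com": [("A", "192.0.2.1")],
    "www.new.com": [("A", "192.0.2.10")],
    "mail.new.com": [("A", "192.0.2.25")],
}

if __name__ == "__main__":
    print(answer("www.old.com", SAMPLE_ZONE))   # synthesized CNAME, then the A
    print(answer("old.com", SAMPLE_ZONE))       # the owner name is NOT redirected
    print(answer("notold.com", SAMPLE_ZONE))    # NXDOMAIN: no label-wise match
```

The label-wise suffix comparison is the part worth copying: a naive `endswith("old.com")` would also catch `notold.com`, which is exactly the kind of mistake that turns a rename into a hijack of unrelated names.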
DNS Changes: next nearest site
Right now, computers try to find a local DC and if that fails they just look at the global list of DCs
With Vista and Longhorn clients, you can enable a feature whereby the client will try the "next nearest site" if the nearest fails
Lots more on DNS, but those are the biggies
Join me for the "Changes in Name Resolution in Server 2008" talk for more!
Server Core
What it is
Reduced-function version of Server
Can be a DC, RODC, DNS, DHCP server, web or file server
No .NET, no MMC, no IE
Administer locally with the command prompt
Most GUI stuff will not run
Remote: TS, MMC, WinRS
Will host a hypervisor when Viridian (Hyper-V) arrives
Why Run Server Core?
The answer to a prayer!
Runs a limited set of roles/features, so all kinds of services are off
Installs to a VM in 11 minutes flat
Needs far less RAM and CPU; I run one in 183 MB RAM
Make it an RODC/DNS/file server and you've got one interesting appliance server
Okay, so the user interface isn't glitzy…
Here's Server Core…
Tools That Work on SC
Notepad
Task Manager
TM's new Services tab
Regedit
VBScript (cscript)
Driver Verifier
Pnputil (installs drivers)
Chewable cud
Plus the usual command-line stuff, and some new stuff:
dnscmd
wevtutil
ocsetup (installs roles)
Heck, it's even got edlin
Active Directory
What's NOT Fixed
MS discovered a while back that any domain admin in any domain in a forest can elevate him/herself to enterprise admin
New advice: "the forest is the security boundary"
In other words, there's not that much point to multi-domain forests
Result: many firms need quite a number of forests
Not addressed in Longhorn. Bummer.
Fine-Grained Password Policies
Want the people in the Sales group to change their passwords every three months, but the folks in the Administrators group every six?
Roll out Longhorn DCs (all of them: this needs the Windows Server 2008 domain functional level)
You can then apply different password policies, as Password Settings Objects (PSOs), to different global security groups or to individual users
If more than one PSO applies to a user, one linked directly to the user beats any linked through a group, and otherwise the lowest precedence value wins
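The two policies from the slide, built as importable PSOs. This is an added example, not from the slides; the attribute names and the time encoding are the real msDS-PasswordSettings schema, while the domain DC=bigfirm,DC=com and the group names are hypothetical, and the precedence logic is a simplified model (ties on equal precedence, which AD breaks by objectGUID, are not handled).

```python
"""Fine-grained password policy: build PSOs and work out which one wins.

Added example, not from the slides. The attribute names and the I8 time
encoding are the real msDS-PasswordSettings schema; the domain
DC=bigfirm,DC=com and the groups Sales / Administrators are hypothetical.
"""

TICKS_PER_SECOND = 10_000_000  # AD durations are counted in 100-ns ticks


def ad_interval(days=0, hours=0, minutes=0):
    """Encode a duration the way PSO age and lockout attributes expect.

    They are I8 values holding a NEGATIVE number of 100-nanosecond ticks,
    so 90 days is "-77760000000000". A positive value, or a value in
    seconds, makes ldifde reject the import or produces an absurd policy.
    """
    seconds = days * 86400 + hours * 3600 + minutes * 60
    if seconds <= 0:
        raise ValueError("duration must be positive")
    return f"-{seconds * TICKS_PER_SECOND}"


def pso_ldif(name, precedence, max_age_days, applies_to,
             domain_dn="DC=bigfirm,DC=com", min_age_days=1, min_length=8,
             history=24, lockout_threshold=10, lockout_minutes=30):
    """Return one LDIF add record, importable with: ldifde -i -f file.ldf

    applies_to: DNs of global security groups (or users) the PSO targets.
    """
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        "msDS-PasswordComplexityEnabled: TRUE",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {ad_interval(days=min_age_days)}",
        f"msDS-MaximumPasswordAge: {ad_interval(days=max_age_days)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {ad_interval(minutes=lockout_minutes)}",
        f"msDS-LockoutDuration: {ad_interval(minutes=lockout_minutes)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {target}" for target in applies_to]
    return "\n".join(lines) + "\n"


def winning_pso(user_linked, group_linked):
    """Pick the PSO a user ends up with (AD exposes it as msDS-ResultantPSO).

    A PSO linked directly to the user beats any linked via a group; within
    each set the LOWEST precedence value wins. Simplification for this
    example: equal precedence values (which AD resolves by objectGUID) are
    assumed not to occur. None means the Default Domain Policy applies.
    """
    for candidates in (user_linked, group_linked):
        if candidates:
            return min(candidates, key=lambda pso: pso["precedence"])
    return None


# Constructed sample: the two policies from the slide.
SALES_PSO = {"name": "PSO-Sales", "precedence": 20, "max_age_days": 90}
ADMINS_PSO = {"name": "PSO-Admins", "precedence": 10, "max_age_days": 180}

if __name__ == "__main__":
    print(pso_ldif("PSO-Sales", 20, 90, ["CN=Sales,CN=Users,DC=bigfirm,DC=com"]))
    # A user who is in both groups gets the lower precedence value: PSO-Admins.
    print(winning_pso([], [SALES_PSO, ADMINS_PSO])["name"])
```

The precedence number is the setting to think hardest about: give the administrators' PSO the lowest number, or a sales rep who is also in a privileged group quietly inherits the laxer policy.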
Read-Only DCs
In the old days, we had one read/write DC (the PDC) and a bunch of read-only DCs (BDCs)
That was bad.
So then we had only read/write DCs
That was bad also.
With Longhorn, you can make any DC an "RODC," a read-only domain controller
RODC authentication
Default: RODCs cache no account passwords
All authentication requests go to the nearest RWDC*
You can choose which accounts' passwords an RODC may cache (its Password Replication Policy), perhaps just the local ones
Think of them as the "arm's length" DCs
* RWDC = "read/write DC." Official MR&D acronym, copyright 2007
RODC Updates
Like the old BDC model:
Find a RWDC
Refer account changes there
Accept updates from the RWDCs
Sysvol is read-only on a RODC as well
As RODCs are lower-power, it's possible to create "subdomain admins" who can do local administration of an RODC without being a herd domain admin
Hardening RODCs
Design assumes that an RODC may be stolen; only the passwords its Password Replication Policy let it cache are exposed
When decommissioning a stolen RODC, ADUC offers a list of the accounts cached on that RODC to make for quick disabling/password changing
BitLocker and RODC are an obvious pairing
New Sysvol
Sysvol holds default profiles, logon scripts and the bulk of each group policy
It has turned out to be the weak link on DCs
R2 introduced a better file replication system, DFS-R
Sysvol on Longhorn will shift from the old FRS replication system to DFS-R
Activated in "2008 domain functional level" with a wizard
AD Snapshots
Neat new backup
Backs up to a network share or DVD
Snapshot Viewer lets you examine older backups… but not copy/recover from them
Meanwhile, normal AD backups go away and are replaced with a "disaster recovery-friendly" backup tool, CompletePC Backup
Miscellaneous
Kerberos can now use AES instead of RC4, when in Longhorn FL (and only between principals that both advertise AES; anything older in the mix keeps RC4 in play)
Freshly-created Longhorn forests shift to Longhorn FL automatically
Active Directory can now be restarted without having to reboot into Directory Services Restore Mode
Restores still need DSRM, though
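Whether a ticket actually ends up AES-encrypted depends on what each principal advertises in msDS-SupportedEncryptionTypes. Here is that negotiation and an audit of which accounts keep RC4 alive, as an added example that is not from the slides: the attribute and its bit values are the real ones (MS-KILE, "Supported Encryption Types Bit Flags"), while the account names and masks are constructed sample data, and the rule of treating an absent value as RC4-only is a simplifying assumption stated in the code.

```python
"""Kerberos encryption-type negotiation and RC4 audit for an AD domain.

Added example, not from the slides. Decodes msDS-SupportedEncryptionTypes
(the real AD attribute and bit values) and flags which principals still
pin a domain to RC4. The account names and masks below are constructed
sample data, not from any real directory.
"""

# Bit values of msDS-SupportedEncryptionTypes.
ETYPE_BITS = {
    "DES-CBC-CRC": 0x01,
    "DES-CBC-MD5": 0x02,
    "RC4-HMAC": 0x04,
    "AES128-CTS-HMAC-SHA1-96": 0x08,
    "AES256-CTS-HMAC-SHA1-96": 0x10,
}
# Strongest first: the order the KDC's selection should prefer.
PREFERENCE = [
    "AES256-CTS-HMAC-SHA1-96",
    "AES128-CTS-HMAC-SHA1-96",
    "RC4-HMAC",
    "DES-CBC-MD5",
    "DES-CBC-CRC",
]
RC4_ONLY = ETYPE_BITS["RC4-HMAC"]
AES_ANY = ETYPE_BITS["AES128-CTS-HMAC-SHA1-96"] | ETYPE_BITS["AES256-CTS-HMAC-SHA1-96"]


def decode_etypes(mask):
    """Return the enctype names set in a msDS-SupportedEncryptionTypes value."""
    return [name for name in PREFERENCE if mask & ETYPE_BITS[name]]


def effective_mask(mask):
    """Treat an absent or zero attribute as RC4-only.

    Simplifying assumption for this example: pre-2008 accounts carry no
    value, and with DES off by default the KDC then behaves as if only
    RC4-HMAC were supported.
    """
    return mask if mask else RC4_ONLY


def pick_etype(client_mask, service_mask):
    """Strongest enctype both sides advertise, or None if there is no overlap.

    None is what shows up on the wire as KDC_ERR_ETYPE_NOSUPP.
    """
    common = effective_mask(client_mask) & effective_mask(service_mask)
    for name in PREFERENCE:
        if common & ETYPE_BITS[name]:
            return name
    return None


def rc4_holdouts(principals):
    """Names of principals that would break if RC4 were disabled domain-wide.

    principals: {sAMAccountName: msDS-SupportedEncryptionTypes value or None}
    """
    return sorted(name for name, mask in principals.items()
                  if not effective_mask(mask) & AES_ANY)


# Constructed sample directory: a 2008 DC, a 2008 member server, an old
# 2003 box with no attribute, and a service account someone set to RC4.
SAMPLE_PRINCIPALS = {
    "DC1$": 0x1C,          # RC4 + AES128 + AES256
    "WEB1$": 0x18,         # AES only
    "OLDSQL$": None,       # attribute absent (pre-2008 OS)
    "svc-backup": 0x04,    # explicitly RC4-only
}

if __name__ == "__main__":
    print(decode_etypes(SAMPLE_PRINCIPALS["DC1$"]))
    print(pick_etype(SAMPLE_PRINCIPALS["DC1$"], SAMPLE_PRINCIPALS["WEB1$"]))
    print(pick_etype(SAMPLE_PRINCIPALS["OLDSQL$"], SAMPLE_PRINCIPALS["WEB1$"]))
    print(rc4_holdouts(SAMPLE_PRINCIPALS))
```

The last two calls are the point: an AES-only service and an old client with no attribute have no common enctype at all, and `rc4_holdouts` is the list you need to empty before turning RC4 off.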
Remember… this thing ain't shipped yet!
Don't believe me…
Get on the beta program
The technical people at MS are listening very hard
Thanks!
I'm at [email protected]
FILL OUT AN EVAL!
Tech newsletter, forum at www.minasi.com
Other sessions, all tomorrow (Tuesday):
10:45 AM: SVR318 Name Resolution 2008 Style: DNS, WINS and NetBIOS in 2008 (Auditorium)
3:15 PM: This talk repeated (Rm 116)
5:00 PM: Chalk Talk on Name Resolution (Rm 131)
New, as a pilot for 2007, the Breakout sessions will be available post-event in the TechEd Video Library, via the My Event page of the website.
© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.