The next step
By Kay Ewbank
Should you upgrade? Kay Ewbank finds out what Windows Server 2008 has to offer.
HardCopy Issue: 39 | Found In: Development | Published: 01/02/2008 | Last Revision: 06/07/2010
In some ways, Microsoft is a victim of its own success: the current versions of its software fulfil users’ needs so well that it can be difficult to see how a new version can be better. If you can do more or less everything you need using the current release, why go to the expense and trouble of upgrading? This is an attractive argument, but with Windows Server 2008 Microsoft hasn’t just been tinkering at the edges. It really does have benefits that should make your life easier, let you make better use of your hardware, and generally make you more effective at providing an IT infrastructure that works.
The benefits promised by Microsoft are that it will help maximise the control you have over your infrastructure and lead to a significantly more secure, reliable and robust server environment than ever before. A less obvious benefit is the sharing of features with Windows Vista. Because Windows Vista and Windows Server 2008 originally started as part of a single development project, there are common technologies and you’ll see similar enhancements in areas such as networking, storage, security, and management.
Administration
Built-in virtualisation
One key benefit of Windows Server 2008 will be the built-in server virtualisation. Microsoft’s previous virtualisation product, Virtual Server, is being replaced by a technology called Hyper-V. This is a software hypervisor that will be integrated into three of the eight versions of Windows Server 2008, though not until later in the year (180 days after the US launch of Windows Server on 27 February). The versions differ in the number of Hyper-V instances you can run per server licence – a single instance with the Standard edition, four with the Enterprise edition and unlimited numbers if you’ve got Windows Server Datacenter edition.
You may well think virtualisation is not a mainstream business activity but it opens up a range of possibilities. You can make more efficient use of your existing servers, for a start. Most organisations, when faced with the need for a new server – perhaps an extra database server – automatically install a completely new machine, even if they have existing servers that are under-utilised. One reason for this is the risk of upsetting an existing working system – it’s just easier and cheaper in the long run to buy a new machine complete with extra licences.
However, if you put that new server onto one of your existing under-used servers in its own virtual environment, there is no risk of cross contamination. Your existing applications can sit in their own virtual environments, the new application can also get a clean environment, and you make more use of the hardware and existing licences. Virtualisation also offers a great way to bring legacy servers onto modern hardware as you can migrate old servers complete with their applications and if necessary run their existing operating systems in a virtual environment. If you’re testing new applications, or developing custom applications, you can have safe test environments in a number of different configurations without needing masses of hardware. There are drawbacks but virtualisation offers sufficient benefits to make it well worth trying.
The current market leader for virtualisation is of course VMware, but one attraction of Hyper-V is the fact that it can be managed like any other Microsoft server using Microsoft System Center, the management suite that evolved from Systems Management Server and Microsoft Operations Manager.
Much of the work of server administration is carried out using Server Manager. This is a new feature that provides you with a single place to do everything - installing, configuring and managing server roles and features. Server Manager takes over from Windows Server 2003 features such as Manage Your Server, Configure Your Server and Add or Remove Windows Components, and makes overall administration easier.
This new version gives you much finer control over what software and services you’d actually like to have on your server. You can have anything from a full installation down to only the core components, and can even choose to not install the standard user interface. If you choose this latter option you then have to configure the server using command line scripts, which might take you back to old style system administration but is probably a step too far for normal mortals.
The ability to install just the Server Core might well be the one feature that persuades you to upgrade to Windows Server 2008. It may seem strange, but taking away the majority of the GUI and all those services you don’t particularly want gives you a much more secure and smaller operating system with a lot less to go wrong, be patched, and generally cause problems. Here, less definitely is more.
Windows Server 2008 is also easier to configure. You can choose from a wide variety of server roles such as Web Server, File Server, Print Server, SharePoint Services, Application Server, and a variety of Active Directory roles. Whatever the role, only the services necessary to fulfil it are installed. This should ensure your servers aren’t overloaded running unnecessary services, and that the potential attack surface is minimised.
[Figure: Step-by-step configuration of a new Windows Server 2008 installation.]
You may already have heard of Windows PowerShell as it can be used not only with Windows Server 2008 but also with Windows Server 2003, Windows Vista and Windows XP SP2 or above. However, it is closely integrated with Windows Server 2008 and offers a great scripting environment for administrators.
Adding a command-line shell seems at first to be counter to the idea of an ever-easier administrative environment, but the fact is that it’s easier to write a script once and run it automatically from then onwards than it is to select the same menu options day in, day out. PowerShell is a command-line shell that can be used to automate tasks over multiple servers, and anyone who’s tried it becomes a fan. You can use it across most administration tasks, including features such as Active Directory or even Internet Information Services (IIS).
Security
For most system administrators, security is the number one priority and Microsoft has put a lot of thought into making Windows Server 2008 more secure. This starts with the closer control over which elements you install and which services you run, but other specific security improvements include Network Access Protection, better identity management and the ability to create a Read-Only Domain Controller.
Network Access Protection (NAP) means you can set a security policy for the machines on your network and be sure it’s actually followed. If a computer isn’t compliant then you can have it isolated from the network until it does meet the requirements of your security policy. NAP is also built into Windows Vista and Windows XP once you install Service Pack 3. The way it works is that you create your own ‘health policies’ that are used to validate computers before they are allowed access or communication with your network. Compliant computers are automatically updated with security patches so they remain compliant.
The notion of a Read-Only Domain Controller (RODC) is another feature you’ll hear quite a lot about with Windows Server 2008. If you need to have a domain controller somewhere that isn’t physically secure, such as a branch office, then an RODC hosts a read-only replica of the Active Directory services database. Having a local controller is obviously more efficient than authenticating over a WAN, while making it read-only means no-one can make changes to gain access to your network.
[Figure: Using the new Server Manager to add a virtual machine to a Windows Server 2008 installation.]
Other improvements are aimed at making information more secure. Federated collaboration is a technology based on Active Directory Federation Services and Rights Management Services that is designed to let you share data securely with users outside your own infrastructure. External users are first authenticated by their own domain controller. This authentication is then shared with your own domain and your own Rights Management policies are enforced, at which point the external users will be given whatever access you’ve set to your own protected data.
A more familiar method of protection is provided by Windows BitLocker Drive Encryption, which you’ll also find in some versions of Windows Vista. It encrypts the complete drive and is designed to prevent the data being available if the drive is stolen and attempts are made to access the information by booting using another operating system or a data hacking tool. We can think of several government departments that might benefit.
You’ll also see more protection of user accounts. The User Account Control has a new authentication architecture and the administration model means you have closer control over who can install security certificates, how they’re used and who the certificates can be issued to.
Upgrade options
Upgrade options had not been finalised at the time of writing; however, it does look as though Windows Server 2008 will be available in Web Server, Standard, Datacenter and Enterprise editions, as well as a version for Itanium-based systems which can work with up to 64 processors. The Standard, Enterprise and Datacenter editions will be available both with and without Hyper-V. We also understand that those who have Software Assurance on their Windows Server 2003 licences will be able to upgrade free of charge. Keep an eye on www.greymatter.com/microsoft for the latest details.
One area where Microsoft is keen to increase the use of Windows Server 2008 is that of Web servers. To counter the popularity of rivals such as Apache, Windows Server 2008 comes with a new version of Internet Information Services, namely IIS 7.0. Used alongside other Microsoft technologies including ASP.NET, Windows Communication Foundation and Windows SharePoint Services, this provides an integrated (if Microsoft-centric) way of running a Web server.
Improvements to IIS 7.0 include delegated administration, enhanced security and better administration tools. You get delegated administration of sites and the applications running on them which means local administrators can be responsible for their own projects, and you can limit the settings that individual users can alter. The administration tool now communicates securely so you can manage your Web servers remotely without the need to open ports on your firewall.
Clustering support
The history of clustered servers in Microsoft has been patchy to say the least, but Windows Server 2008 definitely does it better. Fail-over clusters let you group multiple servers, manage their services as the group, split loads across the group, and best of all, if one server fails, the rest keep running. Setting up clusters is a lot easier thanks to an improved Cluster Setup Wizard, and there’s a better interface for tasks such as adding and managing new members of the cluster.
So Windows Server 2008 is easier to install, configure and manage than Windows Server 2003, and Microsoft has clearly put a lot of thought and work into how to make it more secure and just better overall. The virtualisation features look very appealing, and across the board it feels good and works well. Whether this will be enough to persuade administrators happily working with Windows Server 2003 to upgrade is a different matter. However, if they do, they’ll be happy with what they find.