Windows Server 2008 R2: A Primer
At a glance:
- Windows Server Editions
- The $5 Tour
- Windows PowerShell 2.0 and WinRM 2.0
- Road Map for Active Directory Changes
By now you've heard about, and might even have installed, Windows Server 2008 R2, which I'll typically refer to simply as R2 in this article. Because R2 is an incremental release, you can apply to it much of what you already know about both Windows Server 2008 and Windows 7. Windows Server 2008 R2 builds on the enhancements Microsoft provided in Windows Server 2008 and also shares a common core with Windows 7. Because of this common core, R2 and Windows 7 share a number of common features and components, which you manage in much the same way whether you're working with Windows 7 or R2.
Like Windows Server 2008, R2 continues to use modularization for language independence and disk imaging. Microsoft distributes Windows Server 2008 R2 on media with Windows Imaging Format (WIM) disk images. Like Windows 7, R2 uses the Windows Preinstallation Environment 3.0 (Windows PE 3.0) to provide preinstallation and preboot services with a boot manager that lets you choose which boot application to run to load the operating system. On systems with multiple operating systems, you access pre-Windows Vista operating systems in the boot environment using the legacy OS entry.
The Setup program for Windows Server 2008 R2 installs a Windows Recovery Environment (Windows RE) partition on your server as well. Windows RE allows you to access a command line for troubleshooting, reinstalling from a system image and performing memory diagnostics.
Unlike Windows 7, Windows Server 2008 R2 doesn't include the Windows Aero enhancements (Aero Glass, Flip, 3D Flip and so on), Windows Sidebar, Windows Gadgets or other appearance enhancements. You can, however, install the Desktop Experience feature to add Windows 7 desktop functionality to a server. Windows 7 features added include Character Map, desktop themes, Disk Cleanup, Snipping Tool, Sound Recorder, Sync Center, Video for Windows (AVI support), Windows Defender and Windows Media Player. While these features allow a server to be used like a desktop computer, they can reduce the server's overall performance.
Getting to Know R2 Editions
Beyond the common core, Windows R2 differs significantly from Windows 7. For starters, R2 is the first 64-bit-only OS Microsoft has released. Specifically, R2 supports 64-bit systems designed for x64 architecture. Support for Itanium 64-bit (IA-64) processors is no longer standard in Windows operating systems. Microsoft has developed a separate edition of R2 for Itanium-based computers.
Figure 1 - Using Action Center
The R2 family of operating systems includes the following editions:
- Windows Server 2008 R2, Foundation Edition, provides a cost-effective, entry-level foundation for small businesses. This edition doesn't support Active Directory Federation Services (ADFS) or Hyper-V. It can be used to deploy certificate authorities, but can't host other related services. This edition supports all other roles, with some limitations. Also not supported are the DirectAccess Management and Failover Clustering features. Foundation Edition supports up to 8GB RAM and one discrete-socketed processor.
- Windows Server 2008 R2, Standard Edition, provides essential services and resources to other systems on a network. This edition supports Hyper-V and has some limitations with other services, but it doesn't support ADFS. It can be used to deploy certificate authorities but can't host other related services. Also not supported is the Failover Clustering feature. Standard Edition supports up to 32GB RAM and up to four discrete-socketed processors.
- Windows Server 2008 R2, Enterprise Edition, provides enterprise-class scalability and availability. This edition supports all server roles without the limitations of the Foundation or Standard editions, and it adds support for additional features, including Failover Clustering. Enterprise Edition supports up to 2TB RAM and up to eight discrete-socketed processors.
- Windows Server 2008 R2, Datacenter Edition, provides global datacenter-class scalability and availability and has enhanced features for hot add memory, hot add processors, hot replace memory and hot replace processors. Datacenter Edition supports up to 2TB RAM and up to 64 discrete-socketed processors.
- Windows Server 2008 R2 for Itanium-based Systems provides an enterprise-class platform for hosting business-critical applications and implementing large-scale virtualization solutions. This edition isn't designed to provide core services, and it supports only the Application Server and Web Server (IIS) roles and the Failover Clustering feature. No other roles are supported at the time of this writing. This edition supports up to 2TB RAM and up to 64 discrete-socketed processors.
- Windows Web Server 2008 provides Web services for deploying Web sites and Web-based applications. This edition includes only the Microsoft .NET Framework, IIS, ASP.NET, application server and network load-balancing features, as well as DNS server, Windows Server Update Services and Media Services. This edition supports 32GB RAM and up to four discrete-socketed processors.
Now that I've introduced the family, let's take a look at how R2 works and what new features are available.
Figure 2 - Getting Solutions to Problems
Taking the $5 Tour
Action Center, shown in Figure 1, is home base for all things related to security and maintenance. If built-in diagnostics has detected problems, you'll find information about these problems in Action Center and will have an option for getting more information about each problem. Often, when you get more information about a problem, you'll be offered a possible solution as well. In the example shown in Figure 1, the server has a problem with its sound card and Intel Active Management device. Clicking the View Message Details button displays a detailed message and provides a link to download the updated driver, as shown in Figure 2.
Built-in diagnostics won't always find problems or be able to provide solutions, but the related processes have improved as compared to earlier implementations. On the Maintenance panel, you can also click the "Check for solutions" link to check for problems that haven't yet been identified automatically.
Network and Sharing Center, shown in Figure 3, continues to be the hub for configuring networking. With Windows Server 2008 R2, networks are identified as being in one of the following categories:
- Domain network
- Work network
- Public network
Figure 3 - Using Network and Sharing Center
Each network category has an associated network profile. R2 saves network discovery, sharing and firewall settings separately for each network category, which allows a server to have different network discovery and sharing settings for each network category. Windows Firewall handles inbound rules, outbound rules and security rules separately for each network profile as well, and R2 can have multiple active firewall profiles, depending on the networks to which a server is connected.
Like Windows Server 2008, R2 supports the TCP Chimney Offload feature, which enables the networking subsystem to offload the processing of a TCP/IP connection from a server's processors to its network adapters as long as the network adapters support TCP/IP offload processing. Both TCP/IPv4 connections and TCP/IPv6 connections can be offloaded. By default, TCP connections are offloaded on 10Gbps network adapters but are not offloaded on 1Gbps network adapters. You can adjust the related settings using Netsh.
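The per-profile firewall state and the TCP Chimney Offload setting described above can both be read from an elevated Windows PowerShell console. The following is an added example, not code from the article; it uses only netsh and the HNetCfg.FwPolicy2 COM interface, and the profile bitmask values (1 = Domain, 2 = Private, 4 = Public) are those of the INetFwPolicy2 interface.

```powershell
# Added example (not from the article): shows which network categories the server is
# attached to, the firewall state of every profile, and the current Chimney Offload setting.

# One firewall profile per network category; several can be active at once.
netsh advfirewall show allprofiles state

# Decode the currently active profile types from the firewall policy object.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$types  = $policy.CurrentProfileTypes            # bitmask: 1 = Domain, 2 = Private (Work), 4 = Public
$names  = @{ 1 = 'Domain'; 2 = 'Private (Work)'; 4 = 'Public' }
$active = $names.Keys | Where-Object { $types -band $_ } | ForEach-Object { $names[$_] }
"Active firewall profiles: $($active -join ', ')"

# TCP Chimney Offload: 'automatic' (the default) offloads connections on 10Gbps adapters only.
netsh interface tcp show global

# Adapter link speeds, to see which fall under the 10Gbps default and which do not.
Get-WmiObject Win32_NetworkAdapter -Filter "NetEnabled=TRUE" |
    Select-Object Name, @{ Name = 'Gbps'; Expression = { [math]::Round($_.Speed / 1e9, 1) } }

# Force offload on or off for all adapters (uncomment one line):
# netsh interface tcp set global chimney=enabled
# netsh interface tcp set global chimney=disabled
```

Knowing which profiles are active matters because a rule you added to the Domain profile does nothing for traffic arriving on an interface Windows classified as Public.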
Windows Server 2008 R2 adds support for DNS Security Extensions (DNSSEC). The DNS client for both Windows 7 and R2 can send queries that indicate support for DNSSEC, process related records and determine whether a DNS server has validated records on its behalf. DNSSEC support allows your DNS servers to securely sign zones and to host DNSSEC-signed zones. It also allows DNS servers to process related records and to both validate and authenticate records.
R2 replaces Terminal Services and all related components with an updated and enhanced offering called Remote Desktop Services. Remote Desktop Services makes it possible for users to access session-based desktops, virtual machine-based desktops and applications hosted by remote servers. In R2, all Remote Desktop Services role services have been renamed, as have the related management tools. Figure 4 provides the former name and the new name of each role service. Figure 5 provides the former name and the new name of each management tool.
Figure 4 - Names for Role Services
For R2, Active Directory Certificate Services (AD CS) adds several features and services that make it easier to deploy public key infrastructure (PKI) and provide better support for Network Access Protection (NAP). The Certificate Enrollment Web and Certificate Enrollment Policy Web services enable certificate enrollment over HTTP and across forests. This enables certification authority (CA) consolidation in multiple-forest deployments and reduces CA database sizes for some NAP deployments.
Windows AppLocker replaces the Software Restriction Policies feature. AppLocker helps administrators control how users can access and use files, such as executables, DLLs, scripts and Windows Installer files. AppLocker does this by allowing you to define rules that specify which files are allowed to run. Files that aren't included in rules aren't allowed to run.
Figure 5 - Names for Management Tools
R2 Enterprise Edition, Datacenter Edition and the edition for Itanium support failover clusters. A failover cluster is a group of independent servers that work together to increase the availability of applications and services. Each server in the cluster, called a node, can be configured to take over the failed applications or services of another server in the cluster. R2 adds Windows PowerShell cmdlets for failover clusters, improves the validation process for clusters and improves the management of clustered virtual machines (supported by Hyper-V), which can now use cluster shared volumes.
In addition to the services and applications you could previously configure in a failover cluster, you can now configure Remote Desktop Connection Broker for load balancing and session reconnection in a load-balanced remote desktop server farm. You can also configure DFS Replication to keep folders synchronized between servers across limited-bandwidth network connections. You can cluster any member server in the replication group.
While I'm talking about clusters, R2 adds some new features for your heavy-duty hardware and datacenter solutions, including the iSCSI Software Initiator and Multipath I/O (MPIO). Microsoft iSCSI Software Initiator enables you to connect a Windows server to an external iSCSI-based storage array via an Ethernet network adapter. For R2, the iSCSI Initiator user interface has been redesigned to allow easier access to the most commonly used settings, and several new features have been added, including Quick Connect, which allows one-click connections to basic storage devices. iSCSI boot support for up to 32 paths at boot time and cyclic redundancy check header and data digest offloading are now supported as well.
MPIO supports multiple data paths to storage and improves the fault tolerance of storage connections. R2 includes improved MPIO health reporting and now provides configuration reporting. Both changes make it easier to get path data. You can also configure load-balance policies using the MPClaim command-line utility.
Figure 6 - Using Active Directory Administrative Center
Hyper-V has been improved considerably as well. Improvements to Hyper-V include new live migration functionality, support for dynamic virtual machine storage, and enhancements to processor and networking support.
As the final stop in our whirlwind tour, I want to focus on Active Directory Administrative Center, shown in Figure 6. This new tool provides a task-oriented interface for managing Active Directory. You can use this tool for the following tasks:
- Connect to one or more domains
- Create and manage user accounts
- Create and manage groups
- Create and manage organizational units
- Perform global searches of Active Directory
Active Directory Administrative Center uses Windows PowerShell to perform administration tasks and relies on the Microsoft .NET Framework 3.5.1. Because of this, both features must be installed and properly configured for you to use Active Directory Administrative Center for administration. Additionally, Active Directory Administrative Center makes use of the Web services provided by Active Directory Web Services (ADWS). At least one domain controller in each Active Directory domain you want to manage must have ADWS installed and have the related services running. Connections are made over TCP port 9389 by default, and firewall policies must enable an exception on this port for ADWS.
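Before blaming Active Directory Administrative Center itself when it cannot connect, it is worth checking the three prerequisites just listed. The script below is an added example, not code from the article: it queries the ADWS service on one domain controller, tests TCP port 9389 with a raw TcpClient (Windows PowerShell 2.0 has no Test-NetConnection), and confirms the local features. The domain controller name is a placeholder.

```powershell
# Added example (not from the article): checks the ADWS prerequisites for
# Active Directory Administrative Center. Replace the placeholder DC name.
$dc = 'DC01.corp.example'   # placeholder domain controller

# Raw TCP connect with a timeout, since PowerShell 2.0 lacks Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Is the ADWS service installed and running on the DC?
$adws = Get-Service -Name ADWS -ComputerName $dc -ErrorAction SilentlyContinue
if ($adws -eq $null) { Write-Warning "ADWS is not installed on $dc" }
else { "ADWS on $dc is $($adws.Status)" }

# 2. Can this management computer reach TCP 9389 on the DC?
if (Test-TcpPort -ComputerName $dc -Port 9389) { "TCP 9389 on $dc is reachable" }
else { Write-Warning "TCP 9389 on $dc is blocked or not listening; check the firewall exception for ADWS" }

# 3. Are the console, the AD module and .NET Framework 3.5.1 installed here?
Import-Module ServerManager
Get-WindowsFeature RSAT-AD-AdminCenter, RSAT-AD-PowerShell, NET-Framework-Core |
    Select-Object Name, Installed
```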
Windows PowerShell 2.0 and WinRM 2.0
Wondering how you can get at all those juicy, delicious Windows PowerShell cmdlets? Well, Windows PowerShell 2.0 is installed by default in most R2 configurations. On full server installations, the Windows PowerShell console is available on the Quick Launch toolbar and you can install the graphical scripting environment using the Add Features wizard. On core server installations, you now have the option of installing Windows PowerShell as well.
After starting Windows PowerShell, you can enter the name of a cmdlet at the prompt and it will run in much the same way as a command-line command. You can also execute cmdlets from within scripts. Cmdlets are named using verb-noun pairs. The verb tells you what the cmdlet does in general. The noun tells you what the cmdlet works with specifically. For example, the start-service cmdlet starts a Windows service, and the stop-service cmdlet stops a Windows service.
The yummy cmdlets that power Active Directory Administrative Center are also available. To use them, you must import the Active Directory module by entering Import-Module ActiveDirectory at the Windows PowerShell prompt. Once the module is imported, you can use it with the currently running instance of Windows PowerShell. The next time you start Windows PowerShell, you'll need to import the module again if you want to use its features. Alternatively, you can select the Active Directory Module for Windows PowerShell option on the Administrative Tools menu, which imports the module for you when starting Windows PowerShell, as shown in Figure 7.
Figure 7 - Using the Active Directory Module for Windows PowerShell
You can also use Windows PowerShell for remote management. Remoting features are supported by the WS-Management protocol and the Windows Remote Management (WinRM) service that implements WS-Management in Windows. R2 includes WinRM 2.0. Both Windows 7 and Windows Server 2008 R2 have built-in support for remote management using WinRM. For earlier releases of Windows, you may be able to install the Windows Management Framework, which includes Windows PowerShell 2.0 and WinRM 2.0.
Whenever you use Windows PowerShell for remote management, you must start it as an administrator. You'll also need to ensure WinRM is configured properly on both your management computer and the target server or servers. You can check and update the WinRM configuration by entering winrm quickconfig.
You can use Server Manager (and other Microsoft Management Consoles) to perform some management tasks on remote computers as long as the computers are in the same domain or, if you're working in a workgroup, you have added the remote computers as trusted hosts. You can connect to servers running both full server and core server installations.
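Once winrm quickconfig has run on the targets, a management console can verify each listener and fan one command out to several servers. The following is an added example, not code from the article; the server names are placeholders. It also shows the TrustedHosts step for a workgroup machine, naming the host explicitly rather than using a wildcard, because the client sends credentials to whatever it trusts and domain members already authenticate with Kerberos without any TrustedHosts entry.

```powershell
# Added example (not from the article): run from an elevated Windows PowerShell 2.0
# console on the management computer. Server names are placeholders.
$servers = 'SRV01.corp.example', 'SRV02.corp.example'

# Confirm each WinRM listener answers before trying to run anything on it.
foreach ($s in $servers) {
    try {
        $id = Test-WSMan -ComputerName $s -ErrorAction Stop
        "$s : WS-Management stack $($id.ProductVersion)"
    } catch {
        Write-Warning "$s : WinRM not reachable ($($_.Exception.Message))"
    }
}

# Domain members use Kerberos, so they need no TrustedHosts entry. For a workgroup host,
# add that one name; a '*' entry would let this console hand credentials to any host.
$workgroupHost = 'WG-SRV01'   # placeholder workgroup server
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $workgroupHost -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Value

# Run one inventory on every server in a single call; each result carries PSComputerName.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Service -Name WinRM, ADWS -ErrorAction SilentlyContinue | Select-Object Name, Status
} | Format-Table PSComputerName, Name, Status -AutoSize
```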
Once you've enabled remote management for Server Manager, you can use Server Manager to perform remote management tasks, including these:
- View and manage roles, role services and features (but not add or remove)
- View and manage Advanced Windows Firewall
- View and manage Windows events and services
- View and manage performance monitoring
- View and manage scheduled tasks
- View and manage disks
- Configure error reporting and customer experience status
- View automatic updates status
Remote management uses Windows PowerShell and depends on WinRM being properly configured. On both full server and core server installations, you must specifically enable remote management via Server Manager.
Figure 8 - Using Windows PowerShell Scripts in Group Policy
On full server installations, you can use the Configure Server Manager Remote Management option when logged on locally or the Configure-SMRemoting.ps1 script. On core server installations, you can use the Server Configuration (Sconfig.exe) utility.
R2 includes cmdlets that allow you to manage Group Policy from the Windows PowerShell as well. Simply import the Group Policy module by entering Import-Module GroupPolicy at the Windows PowerShell prompt. Once the module is imported, you can use Group Policy cmdlets with the currently running instance of Windows PowerShell.
You can also run Windows PowerShell scripts during logon, logoff, startup and shutdown. As Figure 8 shows, you can configure Windows PowerShell scripts to run before other types of scripts. There's also an option to run Windows PowerShell scripts after other types of scripts. In your scripts, don't forget to set the working environment by importing any required modules.
Introducing Core Parking
Core Parking is a feature of R2 you've likely heard about. What you might not know is where the feature comes from and how it works. Core Parking is designed to reduce power consumption by throttling or idling processor cores based on server load. The feature is possible because Windows 7 and Windows Server 2008 R2 support the Advanced Configuration and Power Interface (ACPI) 4.0 specification, which was finalized in June 2009. Because it's unlikely you'll ever want to read all 700-plus pages of the official specification, I'll give you some of the highlights related to power management.
Windows uses ACPI to control system and device power-state transitions. Windows puts devices in and out of full-power (working), low-power and off states to reduce power consumption. A low-power, or throttled, state involves reducing the operating frequency of the processor. An off, or idled, state involves putting the processor in an idle sleep state.
The power settings for a server come from the active power plan. The default, active power plan in Windows Server 2008 R2 is called Balanced, and it takes advantage of ACPI enhancements to reduce power consumption. While the ACPI 3.0 specification defined minimum and maximum processor states as a way to throttle processors, the specification was designed to work with discrete-socketed processors and not logical processor cores. A solution for throttling and idling logical processor cores is exactly what ACPI 4.0 delivers (as well as some other stuff, though not as interesting).
Thanks to ACPI 4.0, when you specify maximum and minimum limits for the processor state in a power policy, Windows knows to apply these states to logical processor cores as well as to discrete-socketed processors. The maximum and minimum values define the bounds for the allowed performance states. For example, if the upper bound is 100 percent and the lower bound is 5 percent, Windows can throttle the processors in this range, as workloads permit, to reduce power consumption. In a computer with multiple 4GHz processors, Windows would adjust the operating frequency of the processors between .25GHz and 4GHz.
Figure 9 shows an example, for illustrative purposes only, of processor throttling and idling. Here, the computer has four discrete-socketed processors, each with four logical processors. Processor cores that aren't needed for the current workload are idled, and processor cores that are only partially needed are throttled. For example, processor 1's logical core 1 is running at 90 percent while its logical cores 2, 3 and 4 are running at 80 percent. In a 4GHz processor, this would mean logical core 1 is operating at 3.6GHz while logical cores 2, 3 and 4 are operating at 3.2GHz. You also see that processors 3 and 4 have cores that are fully idled and are in a sleep state.
Figure 9 - Understanding Processor States
To force Windows to remain in a specific performance state, you can use the same maximum and minimum values. In this case, Windows doesn't adjust the operating frequency of the processor. It's important to point out that processor-affinitized work reduces the effectiveness of this feature, so you'll want to plan carefully prior to configuring processor affinity settings for applications.
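The minimum and maximum processor-state values live in the active power plan and can be read and set with powercfg. The script below is an added example, not code from the article: it uses the aliases powercfg /aliases reports (SCHEME_CURRENT, SUB_PROCESSOR, PROCTHROTTLEMIN, PROCTHROTTLEMAX), applies the 5 and 100 percent bounds from the example above, and then lists processes that have been given a restricted affinity mask, since those are the ones that will undercut parking. It assumes a single processor group (64 logical processors or fewer).

```powershell
# Added example (not from the article): inspect and set processor-state bounds, then
# find affinitized processes. Run in an elevated Windows PowerShell console.

powercfg -getactivescheme                                   # normally "Balanced" on R2

# Current minimum/maximum processor state for the active plan (indexes print in hex).
powercfg -query SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMIN
powercfg -query SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX

# Let Windows throttle between 5 and 100 percent while on AC power.
powercfg -setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMIN 5
powercfg -setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX 100
# Giving both the same value instead locks the processors in that performance state.
powercfg -setactive SCHEME_CURRENT                          # apply the changed indexes

# Affinitized work defeats parking: list processes whose mask excludes some logical CPUs.
$cpuCount = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors
$allCpus  = if ($cpuCount -ge 64) { [int64]-1 } else { [int64]([math]::Pow(2, $cpuCount)) - 1 }
Get-Process | ForEach-Object {
    try { $mask = $_.ProcessorAffinity.ToInt64() } catch { return }   # protected processes deny access
    if ($mask -ne $allCpus) {
        New-Object PSObject -Property @{
            Name = $_.Name; Id = $_.Id; AffinityMask = ('0x{0:X}' -f $mask)
        }
    }
} | Format-Table Name, Id, AffinityMask -AutoSize
```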
Road Map for Active Directory Changes
Active Directory Domain Services (AD DS) in R2 has many new features. When you're using R2 and have deployed the OS on all domain controllers throughout all domains in your Active Directory forest, your domains can operate at the R2 domain functional level and the forest can operate at the R2 forest functional level. These new operating levels allow you to take advantage of Active Directory enhancements that improve manageability, performance and supportability.
One of the most important enhancements is the Active Directory Recycle Bin. This feature allows administrators to undo the accidental deletion of Active Directory objects. When you enable the recycle bin, all link-valued and non-link-valued attributes of a deleted object are preserved, allowing you to restore the object in the exact same state it was in prior to being deleted and without having to initiate an authoritative restore. This approach differs substantially from earlier implementations, which used an authoritative restore to recover deleted objects. Previously, when you deleted an object, most of its non-link-valued attributes were cleared and all of its link-valued attributes were removed, which meant that although you could recover a deleted object, it wasn't restored fully to its previous state.
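The Recycle Bin is enabled and used entirely from the Active Directory module. The script below is an added example, not code from the article: it checks the forest functional level first (enabling is forest-wide and cannot be undone), enables the feature if it is not already on, then finds and restores a deleted user, restoring the parent OU first if that was deleted too. The user and OU names are placeholders.

```powershell
# Added example (not from the article): enable the Active Directory Recycle Bin and
# restore a deleted user. Requires Enterprise Admins rights for the enable step.
Import-Module ActiveDirectory

$forest = Get-ADForest
$r2 = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$r2) {
    throw "Forest functional level is $($forest.ForestMode); the Recycle Bin needs Windows2008R2Forest"
}

# Enable once per forest. The cmdlet prompts for confirmation because it is irreversible.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# Deleted objects sit in the Deleted Objects container and are hidden unless asked for.
# A deleted object's name becomes "<name>\0ADEL:<guid>", so match on the prefix.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "jsmith*"' `
    -IncludeDeletedObjects -Properties LastKnownParent, whenChanged, isDeleted
$deleted | Select-Object Name, LastKnownParent, whenChanged

# Restore parents before children: if the OU was deleted as well, bring it back first.
foreach ($obj in $deleted) {
    try {
        $parent = Get-ADObject -Identity $obj.LastKnownParent -IncludeDeletedObjects -Properties isDeleted
        if ($parent.isDeleted) { Restore-ADObject -Identity $parent.ObjectGUID }
    } catch { }   # parent still exists or is not resolvable as a deleted object
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Link-valued attributes such as group membership come back with the object.
Get-ADUser -Identity jsmith -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```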
Managed accounts are another important enhancement. Mission-critical applications often use service accounts. On a local computer, you can configure applications to run as built-in user accounts, such as Local Service or Local System. However, these accounts are shared among multiple applications and services and can't be managed on a domain level. If you configure applications to use domain accounts, you can isolate the privileges for the application, but you then must manually manage the account passwords and any service principal names (SPNs) required for Kerberos authentication.
To reduce the overhead required to maintain service accounts, R2 supports two new types of managed accounts:
- Managed Service Accounts
- Managed Virtual Accounts
Managed Service Accounts are a special type of domain user account for managed services that reduce service outages and other issues by having Windows manage the account password and related SPNs automatically. Managed Virtual Accounts are a special type of local computer account for managed services that provide the ability to access the network with a computer identity in a domain environment.
With managed service accounts, you create an actual account, which is stored by default in the Managed Service Accounts OU in Active Directory. Next, you install the managed service account on a local server to add it to the account as a local user. Finally, you configure the local service to use the account.
With virtual accounts, you configure a local service to access the network with a computer identity in a domain environment. Because the computer identity is used, no account needs to be created and no password management is required.
R2 doesn't have a user interface for creating and managing these accounts. You'll need to use the Active Directory module for Windows PowerShell to manage them.
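The three steps for a managed service account (create it in the domain, install it on the host, point the service at it) map to a handful of cmdlets plus one WMI call. The script below is an added example, not code from the article; account, host and service names are placeholders. It uses Win32_Service.Change for the last step because Set-Service in Windows PowerShell 2.0 cannot change a service's logon identity, and it passes an empty password because Windows manages the real one.

```powershell
# Added example (not from the article): managed service account lifecycle.
Import-Module ActiveDirectory
$accountName = 'svc-webapp'     # placeholder; AD appends '$' to the SAM account name
$hostName    = 'APP01'          # placeholder member server that will run the service
$serviceName = 'MyAppService'   # placeholder Windows service already installed on APP01

# --- Step 1, on a management computer: create the account in the domain ---
# It lands in CN=Managed Service Accounts by default.
New-ADServiceAccount -Name $accountName -Enabled $true
# Bind it to the one computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $accountName
# Register the SPN the service will present to Kerberos clients (Windows keeps it current).
Set-ADServiceAccount -Identity $accountName -ServicePrincipalNames @{ Add = "HTTP/$hostName.corp.example" }

# --- Step 2, on APP01: install the account locally ---
Install-ADServiceAccount -Identity $accountName
Test-ADServiceAccount -Identity $accountName    # True when this host can fetch the password

# --- Step 3, on APP01: configure the service to log on as the account ---
$netbios = (Get-ADDomain).NetBIOSName
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, "$netbios\$accountName`$", "")
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($rc.ReturnValue)" }
# The account also needs the "Log on as a service" right; grant it through Group Policy or
# Local Security Policy if the restart below fails with a logon failure.
Restart-Service -Name $serviceName
Get-WmiObject Win32_Service -Filter "Name='$serviceName'" | Select-Object Name, StartName, State
```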
With R2, you can also take advantage of new authentication controls. Authentication Mechanism Assurance improves the authentication process by allowing administrators to control resource access based on whether a user logs on using a certificate-based logon method. A user could then be assigned one set of access permissions when logged on using a smart card and a different set when not logged on with a smart card.
Finally, R2 makes it possible to perform offline domain joins, though this feature doesn't require raising the domain or forest functional level. With an offline domain join, administrators can preprovision computer accounts in the domain to prepare operating systems for deployment. Preprovisioned computers can then join the domain without having to contact a domain controller. The command-line utility for preprovisioning accounts is called Djoin.exe.
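An offline domain join is two Djoin.exe invocations on two different machines. The script below is an added example, not code from the article; the domain, computer and path names are placeholders. It also restricts and then deletes the provisioning file, because that file contains the machine account credential and anyone who can read it can complete the join.

```powershell
# Added example (not from the article): offline domain join with Djoin.exe.
$domain   = 'corp.example'      # placeholder domain
$computer = 'BRANCH-PC01'       # placeholder computer to preprovision
$blob     = "C:\Provision\$computer.txt"

# --- On a domain-joined computer with rights to create computer objects ---
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null
djoin.exe /provision /domain $domain /machine $computer /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
# The blob carries the machine account password: limit it to administrators while on disk.
icacls.exe $blob /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null

# --- On the target computer (no domain controller reachable needed) ---
# Against the running OS; for an offline image point /windowspath at the mounted image
# and drop /localos.
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
Remove-Item -Path $blob -Force    # the credential is now in the local machine state
# The join takes effect at the next restart: Restart-Computer
```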
Introducing Branch Caching
Windows BranchCache is a file-caching feature that works in conjunction with Background Intelligent Transfer Service (BITS). In a domain environment where desktop computers are running Windows 7 and servers are running R2, administrators can enable branch caching to allow desktop computers to retrieve documents and other types of files from the local cache rather than having to retrieve files from remote servers.
Because branch caching works with files transferred using HTTP and Server Message Block (SMB), files transferred from either intranet Web servers or internal file servers can be cached. At a basic level, branch caching works like this:
- When you enable branch caching, the first time a file is accessed from an intranet Web site or file server, Windows transfers the file from the originating server and then caches the file locally within the branch office.
- When the same user or a different user at the branch office accesses the file later, Windows looks for the file in the local cache. If it finds the file, Windows queries the originating server to see whether the file has changed since it was cached.
- If the file hasn't changed, Windows retrieves the file from the local cache, eliminating the need to transfer the file over the wide area network. If the file has changed, Windows retrieves the file from the originating server and updates the copy of the file in the cache.
You can configure branch caching using either a distributed cache mode or a host cache mode. With the distributed cache mode, desktop computers running Windows 7 host distributed file caches. A branch server isn't needed because each local computer caches and sends out files. With the host cache mode, a server running R2 and located in the branch offices hosts the local file cache. The server caches files and sends them to clients. As you might expect, branch caching can dramatically improve the response times and dramatically reduce transfer times for documents, Web pages and multimedia content.
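Both cache modes are switched on with the netsh branchcache context on the client and the BranchCache features on the servers. The following is an added example, not code from the article; host names are placeholders, and the Group Policy hash-publication step is noted rather than scripted. The performance counter queried at the end is the standard BranchCache counter set, which is the quickest way to confirm that content is really coming from the cache rather than over the WAN.

```powershell
# Added example (not from the article): BranchCache setup for both modes, plus a check.

# --- On the R2 content server in the main office ---
Import-Module ServerManager
Add-WindowsFeature FS-BranchCache        # "BranchCache for network files" (SMB shares)
# Hash publication for the shares is enabled by Group Policy:
# Computer Configuration > Policies > Administrative Templates > Network > Lanman Server
# > Hash Publication for BranchCache. Intranet Web servers need the BranchCache feature instead.

# --- On a Windows 7 client, distributed cache mode (no branch server) ---
netsh branchcache set service mode=DISTRIBUTED
netsh branchcache set cachesize size=10 percent=TRUE     # cap the local cache at 10% of the disk

# --- Hosted cache mode instead: an R2 server in the branch holds the cache ---
# On the branch server (needs a server certificate the clients trust, since they fetch over HTTPS):
#   Add-WindowsFeature BranchCache
#   netsh branchcache set service mode=HOSTEDSERVER clientauthentication=DOMAIN
# On each client, naming that server:
#   netsh branchcache set service mode=HOSTEDCLIENT location=BRANCH-CACHE01.corp.example

# --- Either mode: confirm the state and whether requests are served from cache ---
netsh branchcache show status all
Get-Counter -Counter '\BranchCache\Retrieval: Bytes from cache', '\BranchCache\Retrieval: Bytes from server' -MaxSamples 1
```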
Well, there you have it -- the overview of Windows Server 2008 R2 from available editions to the $5 tour to new features and beyond. I hope you find this introduction useful and you'll look for my new books, "Windows PowerShell 2.0 Administrator's Pocket Consultant," "Windows 7 Administrator's Pocket Consultant" and "Windows Server 2008 Administrator's Pocket Consultant, 2nd Edition."
William R. Stanek (williamstanek.com) is a leading technology expert, a pretty-darn-good instructional trainer and the award-winning author of more than 100 books. Current and forthcoming books include: "Active Directory Administrator's Pocket Consultant," "Group Policy Administrator's Pocket Consultant," "Windows 7 Administrator's Pocket Consultant," "Windows PowerShell 2.0 Administrator's Pocket Consultant" and "Windows Server 2008 Inside Out." Follow Stanek on Twitter at WilliamStanek.