
Windows Server 2008 & the branch office

Are you responsible for managing IT in an organisation with servers scattered throughout the country / world? Looking after branch offices that are equipped with a server, a UPS and a wing and a prayer can be a challenge. Especially if there is no onsite support. Often the server is locked in a cupboard or perched on a filing cabinet. Is there anything in Windows Server 2008 that can make your life a little less stressed?

The branch office is well catered for in Windows Server 2008. Let’s start with what I think is the most revolutionary: Windows without a GUI (Graphical User Interface). A server without a GUI: wasn’t that called NetWare 3.12 in the old days?

Server Core Installation:

Why lose valuable CPU time and RAM keeping services running that, frankly, are irrelevant to a server locked in a cupboard? Server Core mode installs a minimum set of services and no GUI. For the branch office this has five big advantages.

  • Improved performance (no GUI, no audio...)
  • Nothing for the semi-expert branch office know-it-all to click and break
  • Fewer services means a “reduced attack surface”
  • Fewer services = less to patch = easier to own
  • Security

Server Core reduces administration to a command-line interface on the box, or the MMC remotely. Server Core does not support every Server 2008 role; you are limited to:

  • Dynamic Host Configuration Protocol (DHCP)
  • File and Print
  • Active Directory Domain Services (AD DS)
  • Read-Only Domain Controller (RODC)
  • Active Directory Lightweight Directory Services (AD LDS)
  • Windows Media Services (WMS)
  • Internet Information Server 7.0 (IIS 7.0)
  • Domain Name System (DNS)

No .NET, you’ll notice.

No, I’ve not used the crop tip from my last blog; the image below is Server Core. There is no taskbar and, wait for it, no clock!

Server Core

BitLocker Drive Encryption

BitLocker arrived with Vista and was roundly ignored, which is a shame, as on suitable hardware it goes way beyond the right-click encrypt capabilities of XP. When I first played with Longhorn (AKA Server 2008) I wondered why BitLocker was included. I mean, when was the last time you saw someone legging it down the street clutching a red hot ProLiant rack? Of course, in the branch office we may have less control over the physical security of our server. BitLocker provides drive-level (not file-level) encryption. Obviously the trade-off is that encryption adds CPU overhead; it’s a case of risk mitigation. If you had to tell your MD that your branch office data was missing, possibly accessed, how would he take it?

Think about our prospective thief. She/he has the server at home. Server Core would confuse them, so they try to install Linux alongside the OS to crowbar access to your precious data… BitLocker would make the partition look like goo. I think the server would quickly be passed on in the pub or have a cracked copy of Windows ME installed on it.

The Backup Domain Controller, sorry I mean the Read-Only Domain Controller

Do you remember that with Windows NT4 Server we had PDCs and BDCs? Then with Windows Server 2000 we were told that BDCs were bad. Well, now they are back, improved and, well, good again. They are ideal in a branch office where the physical security of the domain controller cannot be guaranteed. As its name implies, an RODC is read-only. Changes must be made on a writable domain controller and then replicated back to the RODC – sound familiar? This time, however, the writable domain controller replicates the relevant credentials to the RODC, and the RODC caches them, only if the Password Replication Policy allows it. After the credentials are cached on the RODC, the RODC can directly service that user’s logon requests until the credentials change. It sort of populates organically. Benefits of all this gobbledegook to the branch office include:

  • Improved security
  • Faster logon times
  • Improved allocation of domain admin rights
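
The caching behaviour described above, modelled as an added Python example (not from the original post). The user names and the "Leeds Branch Users" group are constructed, and the model is a simplification covering only the allow/deny decision and the cache.

```python
# Simplified model of RODC credential caching under a Password Replication
# Policy (PRP). Directory contents below are constructed sample data.

# group -> direct members (users or nested groups)
GROUPS = {
    "Allowed RODC Password Replication Group": {"Leeds Branch Users"},
    "Leeds Branch Users": {"alice", "bob", "svc-backup"},
    "Denied RODC Password Replication Group": {"Domain Admins"},
    "Domain Admins": {"dana", "svc-backup"},
}
# On a real RODC these lists live on its computer object as
# msDS-RevealOnDemandGroup (allow) and msDS-NeverRevealGroup (deny).
ALLOWED = ["Allowed RODC Password Replication Group"]
DENIED = ["Denied RODC Password Replication Group"]


def members(group, seen=None):
    """All users reachable from a group, following nested groups once each."""
    seen = {group} if seen is None else seen
    users = set()
    for m in GROUPS.get(group, ()):
        if m not in GROUPS:
            users.add(m)
        elif m not in seen:
            seen.add(m)
            users |= members(m, seen)
    return users


def may_cache(user):
    """Deny always wins; an account on neither list is never cached."""
    if any(user in members(g) for g in DENIED):
        return False
    return any(user in members(g) for g in ALLOWED)


def logon(user, cache):
    """Branch logon: serve from the RODC cache, else forward to a writable DC."""
    if user in cache:
        return "served-by-rodc"
    if may_cache(user):
        cache.add(user)  # writable DC replicates the credential to the RODC
    return "forwarded-to-writable-dc"


def password_changed(user, cache):
    """A credential change invalidates the cached copy on the RODC."""
    cache.discard(user)
```

Whatever ends up in `cache` is the set of accounts that need a password reset if the RODC walks out of the cupboard; a service account that sits in both an allowed and a denied group, like `svc-backup` here, never lands in it.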

Hyper-V

Install Server Core, add Hyper-V and host a virtual server to meet the needs of the branch office. Why? If you use virtual images, it’s very easy to provision the server, make major changes and provide disaster recovery. Add System Center Virtual Machine Manager to the mix and you can manage your virtual estate from the comfort of your armchair. Remember that you get virtual image rights with the “with Hyper-V” versions of Windows Server 2008.

Of course there are other features, some I like (NAP), some I don’t understand (IPv6) and some I hate (IPSec Host-to-Host Authentication), but I think we’ve had a good starter for ten.

 

Where next?

If you want to get hands on with RODC or Server Core, give sales a call and book yourself on to Paul Thomas’s one day Windows Server 2008 course. Tell sales I sent you and I’m sure they’ll give you a cheeky discount.

 

Till next time


 

Gary