Let’s face facts: The Windows Server 2008 Los Angeles
launch gala will be a requiem for 32-bit computing.
Microsoft’s claim that more than half of server downloads are
now of the 64-bit variety confirms that IT is looking to wring full
advantage of the 64-bit-capable processors pervasively deployed in
enterprise data centers. But is smashing through the 4-Gbyte RAM
barrier all we have to look forward to, or will additions and
improvements—including Network Access Protection, high
availability, virtualization, Server Core, PowerShell, SMB 2.0,
IIS7, a completely rewritten IP stack, and an updated version of
Terminal Services—live up to their billing?
To find out, we’re launching a new breed of Rolling Review,
bringing Windows Server 2008 into our Boston Real-World Partner
Labs and analyzing the most intriguing new features, one by one.
Where competition exists, we’ll invite other vendors for
bake-offs. When a capability is unique, we’ll put it through
its paces and tell you what we find.
Microsoft is surely hoping Windows 2008 avoids the, shall we say,
lack of enterprise enthusiasm that met Vista. Of course,
there’s good reason IT held off on Vista, but given the
number of new features in Windows Server 2008, does it make sense
to do a limited deployment sooner rather than later? Many shops
will sit tight no matter what Redmond does. Ask any CIO for rules
to live by, and the No. 1 response might well be, “Thou shalt
not deploy before SP1.” Still, Microsoft seems more focused
on bringing enterprise customers into the development and testing
process this time around. Since the Beta 2 release of Longhorn, 30
Microsoft Technology Adoption Program partners have been running
Windows Server 2008 in production across 779 role-based servers.
Bill Laing, general manager of the Windows Server development team,
emphasized that Longhorn development has been highly customer
focused compared with previous rollouts. Microsoft is clearly
betting on its Technology Adoption Program to jump-start that
early-adopter base and generate buzz around Windows Server 2008.
And as usual, there’s no more aggressive—or
earlier—adopter than the company’s internal IT
organization. Jim DuBois, general manager of Microsoft’s
infrastructure and security team, says the company’s Web site
has been running entirely on Win2k8/IIS7 since Beta 3. That’s
84 servers running the sixth-most-visited Web site in the world,
with an average of 15,000 hits per second.
While we’re sure this “dog fooding” policy, as
DuBois describes it, has shaken out a few bugs, most CIOs
can’t grab a Windows Server developer by the ear when
something goes wrong. The rest of us will download, test, and
dissect Windows Server 2008 over at least a 12- to 24-month period.
To get you started, here’s a preview of what we’ll
cover in this Rolling Review.
Hyper-V
On Feb. 19, 2003, Microsoft started its foray into virtualization
by acquiring a privately held company called Connectix. Even then,
customers were asking for a virtual machine that would allow for
server OS upgrades while simultaneously maintaining support for
legacy applications. But while VM technology was, theoretically, a
great answer to a difficult problem, early success was rare.
“We had to optimize code to the nth degree just to get it to
work,” says Jeff Woolsey of the Microsoft virtualization
team. “Today, with 64-bit operating systems and
virtualization-optimized processors like the Intel VT and AMD-V, a
new level of performance and scalability has arrived.”
Still, enterprises have always been leery of host-based
virtualization, which requires all guest VMs to run inside a master
operating system. If the master OS is lost or corrupted,
you’re toast. While Microsoft was late to the game, it
realized that hypervisors, which negate the need for VMs to run
inside a core operating system, were the future.
The result is Microsoft Hyper-V Server, formerly code-named
Viridian. A preview of Hyper-V is available now for download with
Windows Server 2008 RC1, and Microsoft says a beta version will
ship with Windows Server 2008, with a general release target of 180
days after Win2k8 hits the shelves.
VMware and Xen have a big head start, and most will wait to see how
well-built Microsoft’s hypervisor is before switching. As for
cost, while the Datacenter edition of Windows Server 2008 allows
enterprises to deploy unlimited VMs on a physical server for $2,999
per processor, VMware’s Infrastructure Standard allows IT to
do the same for $2,995 and includes support for two processors.
However, if you’re tempted by the extras that come with
VMware Infrastructure Enterprise, your cost will exceed that of a
dual-processor Hyper-V server license, and you might consider
Microsoft Windows Enterprise Server with Hyper-V, at $3,999. For
that you’ll get the OS license, 25 client access licenses,
and four virtual instances per license. Microsoft says it’s
realized a physical server consolidation ratio of 8-to-1 in
production data centers, so potential hardware, power, licensing,
and space savings are considerable. In fact, an analysis conducted
by Microsoft IT showed that power used in a full test lab server
rack went from 525 amps to 8 amps, and rack space was consolidated
from 32U to 2U. These stats speak to the advantages of
virtualization, regardless of vendor choice. Typical results? Maybe
not, but we’ll take even half those savings.
Get To The Core
Microsoft’s development team is touting a new installation
option for Windows Server 2008, called “Server Core.”
Andrew Mason, principal program manager in the Windows Server team,
says the genesis of Server Core is the role-based fashion in which
customers deploy Windows Server. It’s been years, Mason says,
since he’s heard a customer say, “This is my Windows
server.” Instead, machines might be DNS servers, say, or
domain controllers. As a result, Server Core was designed to be a
modular, role-based system that addresses the need for a reduced
attack surface and footprint.
So what does Server Core look like? Fans of MS-DOS rejoice, because
for the first time in a long time, when you boot a Microsoft server
OS, your screen will look something like this: C:\>
Server Core is a nongraphical, completely command-line-driven
version of Windows Server 2008. What this means: To start, a server
installation footprint of 1 Gbyte versus 6 Gbytes and elimination
of many client-based apps, such as IE, that have created security
threats. Because of the reduced attack surface, Microsoft says the
number of server updates should be cut by around 40 percent.
For those more comfortable in a GUI environment, a Server Core box
can be managed via MMC snap-ins running on remote servers. In
addition, a limited number of graphical tools can be run on a
Server Core build, including Task Manager, Notepad, and Regedit. If
you have grand virtualization plans, you should be able to pack
plenty of Server Core VMs onto your favorite VMware or Xen machine,
and Hyper-V later this year. Roles that can be run on a Server Core
build are limited to core Microsoft networking services.
The Power’s In The Shell
Server Core isn’t the only “Linux-like” new
feature. Server and database admins and developers will also gain a
powerful new scripting environment, called Windows PowerShell, or
Microsoft Command Shell.
We saw an anonymous Unix blog post saying, “I didn’t
think the day would ever come that I would be saying this, but it
seems like Microsoft actually invented a decent shell.”
Sentiments like these from Unix gurus stem from the fact that this
is an object-based, .Net Framework-oriented shell. This differs
from standard Unix shell environments, which are text and command
driven, and the result is usually comparatively less code to
execute the same task.

With PowerShell, IT should be able to create and store powerful
scripts that can be executed locally or remotely, in a variety of
languages. Using what Microsoft terms “Command-lets,”
IT can accomplish many administrative tasks with less programmatic
difficulty. For example, you can query a server for a list of all
inactive services with one line of code. The same task in VBScript
would take at least six lines—a lot more if you’re as
proficient at VBScript as we are.
The data returned can be easily manipulated, formatted, and fed to
the console, a file, or a different utility. For server admins,
PowerShell’s ADSI and WMI support will open up Active
Directory and Windows in a way only third-party, graphical-based
utilities could do previously. Wassim Fayed of the PowerShell team
demonstrated performing complex queries against an Active
Directory; results were automatically exported to a spreadsheet by
exposing the Office Shell through COM. PowerShell won’t turn
a point-and-click type into a scripting guru overnight, but it
should help us accomplish tasks more quickly and
efficiently.
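The one-line service query mentioned above, followed by a WMI-based version that feeds the same objects to the console and a file, is sketched here as an added example that is not from the original article. The function name Get-StoppedAutoService and the output file name are hypothetical, and the code assumes Windows PowerShell, which ships Get-WmiObject.

```powershell
# Added example, not from the original article.
# The one-line query the article describes: every service that is not running.
Get-Service | Where-Object { $_.Status -eq 'Stopped' }

# The same idea through WMI, which also exposes the start mode and the
# account each service runs as. Services set to start automatically that
# are not running are the ones worth a second look, for example a
# monitoring or antivirus agent that should be up but is not.
# Get-StoppedAutoService is a hypothetical name chosen for this sketch.
function Get-StoppedAutoService {
    param(
        [string]$ComputerName = '.'   # '.' means the local machine
    )
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object @{ Name = 'Computer'; Expression = { $_.__SERVER } },
                      Name, DisplayName, State, StartMode, StartName
}

# Objects, not text, travel down the pipeline, so the result can be sorted,
# shown as a table, and written to a file without any string parsing.
# @( ) keeps the result an array even when nothing matches.
$report = @(Get-StoppedAutoService | Sort-Object Name)
$report | Format-Table Name, State, StartName -AutoSize
$report | Export-Csv -Path .\stopped-auto-services.csv -NoTypeInformation
```

Passing a remote machine name to -ComputerName runs the same query against that server, provided the caller has administrative rights there and WMI traffic is allowed through its firewall.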
Terminal Services
No. 4 on our hit list of interesting new features is the
improved Windows 2008 Terminal Services, which is now downright
Citrix-like. For example, with TS RemoteApp and TS Web Access,
individual applications now can be exposed to users via a desktop
shortcut or Web page. As a result, it’s no longer necessary
to launch an entire Terminal Services environment to access and run
internal corporate applications. With TS Gateway, a user outside
the corporate boundary can execute an RDP session on any personal
computer via HTTPS. And because the TS Gateway is really an SSL VPN
that runs over port 443, not the RDP port of 3389, many firewalls
will pass this traffic without problems.
The ability to centrally control access to network resources and
apps at the TS Gateway level will be another strong sell. While TS
Gateway still needs to be thoroughly tested in our labs, in some
shops it could negate the need for enterprise VPN appliances to
provide secure, remote access to corporate resources. Microsoft
states up front that Windows 2008 Terminal Services isn’t
positioned for enterprise-scale deployments; it still lacks
maturity when compared with Citrix for large-scale load-balancing,
compression, and management of client connections. We hope to put
Windows Server 2008 TS in a head-to-head comparison with Citrix
later this year.
Nap Time
Network Access Protection provides for client patching and
antivirus compliance. NAP is not meant to replace a firewall, and
it’s not a software distribution tool, but it is positioned
as a pervasive enforcement point for clients attempting to connect
to a network.

To ensure that non-domain-joined and remote clients are scanned for
compliance, Microsoft is focusing on enforcing security policies at
the DHCP, VPN, 802.1X, IPsec, and TS Gateway levels. DHCP will
likely be the enforcement point of choice, given that most clients
will need to consult a DHCP server before accessing network
resources. Clients that fail a defined policy check (for the
presence of certain Windows updates, for example, or up-to-date
antivirus client software) can be automatically placed into a
quarantine area where patches and updates may be downloaded and
installed. The NAP policy server can then revalidate.
We recommend a phased implementation, where a reporting-only period
is followed by a delayed enforcement phase, where clients are given
time to update before being quarantined. Or you can go for
immediate enforcement, even for clients not under direct control.
There is one rather large caveat: You must be using a client that
can be natively checked by a NAP Server, and as of now that list
has only Vista, Win2k8, XP with the upcoming release of SP3, and
certain Windows Mobile devices. Windows 2000 will reach end of
support soon, so don’t count on it to ever get native NAP
support.
Microsoft is working on integration with Cisco Systems’
Network Access Control. But can NAP compete with a more mature
offering like Cisco’s NAC from the get-go? We’ll put
that to the test. Microsoft has said it will release a set of APIs
that will allow patch management, antivirus, security, and terminal
services vendors to develop software using NAP as a base.
NAP is a role of Windows Server 2008 and doesn’t require an
additional license, but we’ll have to depend on third parties
for NAP components to provide enforcement for Linux and the Mac
OS.
Finally, Microsoft appears to have made solid advancements in
clustering and high availability. Windows Server 2003 provided high
availability in two ways: through server failover clustering and
network load balancing. The quorum model has been improved in
failover clustering to eliminate the single point of failure that
was present in the past when the quorum disk was lost. Using a
voting methodology in what Microsoft calls the “majority
quorum model,” clustered servers and shared storage each get
a vote in determining the availability of the clustered resource.
As a result, a two-node cluster with shared storage can now survive
the loss of a quorum because the shared storage now also gets a
vote. Cluster configuration is easier thanks to an improved
management UI with wizard-based setup options.

IT can also now disperse clustered resources geographically because
Microsoft has eliminated the single subnet requirement for cluster
setup. Configurable heartbeats account for network latency when
configuring clusters over a WAN. Network load-balancing
enhancements include improved DoS protection, additional health
monitoring, and the ability to use a Server Core build as part of a
network load-balancing cluster.
Let the Testing Begin
Even Microsoft detractors have to agree that Windows Server 2008
represents a significant advancement of the platform when compared
with the Windows 2000 to Windows 2003 upgrade path. In addition,
the shared code base of Vista and Windows Server 2008 should
provide tangible benefits to those running Vista Pro in the
enterprise in the way of NAP, faster IP networking, event log
forwarding, and better client management.
But will Windows Server 2008’s security, client management,
virtualization, terminal services, and high-availability advances
top best-of-breed third-party systems? Should small and midsize
enterprises become early adopters to gain the wide range of
role-based services that Windows Server 2008 provides? While we
wait for the final version of Windows Server 2008, we’ll prep
our labs to put these new features to the test.