August 2006 - Posts
OK - amazon.de does not have their database under control lately - they are fairly unable to update book descriptions and authors, and the statistics are going up and down. However, we got word from our publisher that the Windows Server 2003 - Die Expertentipps book is selling very well, and yesterday we were in 8th place in the top IT-Bestsellers. We also had some comments. Fairly positive about the content, however a couple of typos. While I'm really sorry about this, I'm also a bit concerned since we figured that many of those went in after our last review. However - the publisher is taking care of this and nobody is blaming us (so far).
The planning of the Directory Experts Conference started and I've found something very funny related to it today. If you just pretend to be an Active Directory expert (and can't make it to DEC), you are able to get your own Rubber Chicken (actually a cheap copy) at the animal toys department of some stores.
I found the rubber chicken on the shelves of a German department store today, so you are free to pretend being at DEC.
 Careful - real Directory Experts know the difference.
I just recognized - I didn't post anything for a month. This is awful! Currently I'm very busy at my daytime job (turns out it's not just daytime lately - just too much work). And currently defines as this year (almost). However - I do a lot of interesting work - so that's fine. There are also a couple of other things which suck up my spare time.
And I also got the word from the organizers of TechEd EU that I'll be speaking there - look forward to my session:
IAM402: A Directory Services Geek's View On Access Control Entries (ACE)
You have already deployed Active Directory, but still a lot of domain administrators? You want to increase security, decrease the risk of administration gone awry and offload daily tasks to delegated admins? In this session you will learn how Access Control works in Active Directory, notes from the field about implementing role based administration and how to figure out what to delegate. Additionally we will drill down on implementing delegation using scripts and share details on what to delegate. After this session you'll be able to design and implement role-based administration in your infrastructure.
TechEd EU will be in Barcelona this year in November - Microsoft has joined their major European Conferences TechEd and IT-Forum into one Conference with two parts - for IT-Pros and for Developers. Both of them will be in November. And I haven't updated the session description yet - but I plan on including some changes in Longhorn. This session is pretty interesting - after delivering it at the Directory Experts Conference in Las Vegas earlier this year where about 500 Directory Experts were attending I had a lot of interesting conversations with attendees afterwards. Now I'm able to deliver this session in Europe as well - I'm looking forward to it.
Thanks to ~eric (again - I owe you buddy) for his input on this post
There is more and more information out on the Web about the next generation of Windows Server Codename »Longhorn« (the Server release which will arrive after Windows Vista) and I've mentioned earlier that we had a lot of questions at the Ask the Experts Area and Longhorn Server Booth at TechEd Boston in July, so it's time to talk here as well about what to expect.
One of the very new things is that during installation, right after entering your Product key, you get to select which »Version« of Longhorn Server you want to install (remember NT where you had to decide whether to install a P/BDC or Member Server? - just kidding). In Longhorn you get the choice to either install the full version with all features or a new version called »Server Core« which will only provide a limited set of features and provides local administration via command line only. But I'll focus on the full version of Longhorn Server right now, and will write about Server Core in a later post.
So let's take a look at the
New features of Longhorn Server (full version):
- Server manager:
The new Server manager is not just a collection of MMCs plus links to help files (as the Configure Your Server-Wizard in Windows Server 2003), but provides a consolidated, portal-like view of the status of each role. It's built on top of MMC 3.0, which was introduced in Windows Server 2003 R2 and which provides many more possibilities than the old MMC.
- IIS 7:
Besides increased security, xcopy-deployment and improved tools to diagnose, troubleshoot and manage the system, IIS 7 also enables you to implement delegated administration (finally) and is the new base for other services such as the new version of Sharepoint or the Windows Communication Foundation.
- Read-Only Domain Controller (RODC):
Now that's one of my favorite new features! Back to the BDC? Not really. (Actually a lot of customers asked us that at TechEd)
The RODC is designed especially for Branch Office scenarios, where you are not always able to assure physical security. I already wrote about those issues in a prior blog entry »What do to if a Branch Office DC is not physically secured?«.
The RODC holds a non-writeable copy of Active Directory, and will redirect all write attempts to a Full-DC. It will replicate everything but sensitive accounts. By default, accounts like Domain Admins, Schema Admins, Enterprise Admins and so on are excluded and will not be replicated to the RODC. The big advantage is that if someone is able to physically access the server (or steal it), he might be able to crack the passwords of the regular user accounts, but not of the sensitive accounts. Downside: those accounts are unable to log onto the RODC if the WAN is not available. However, for the first time ever, a local administrator account will be able to log onto the DC and perform maintenance without having rights on the AD.
To implement RODC in your environment you do not need all DCs on Longhorn. You need to have your domain and forest at the Windows Server 2003 mode, and the DC running the PDC-Emulator needs to run on a full version of Longhorn. As far as currently known, there's no support for multiple RODCs in a single location (they are unable to replicate between each other; each of them would replicate with the hub office).
- Local administration of a RODC:
On a RODC there's a local administrator who is able to log onto the machine to perform maintenance tasks - you don't have to grant those local site admins domain admin rights to do this.
- Restartable Active Directory:
In Longhorn, »Active Directory Domain Services« (formerly just known as Active Directory) are stoppable and restartable now. When it's stopped you can perform certain tasks which required a reboot into Directory Services Restore Mode (DSRM) in prior versions of Windows Server. This also eases writing scripts for those tasks.
- Windows Backup:
The new version provides admins with a simple backup and recovery solution. It's easy to handle, you don't need to think about full, differential or incremental backups, and don't need to keep the different schedules in mind when performing a recovery. The new Backup also supports Windows Recovery and therefore enables you to recover a server without an installed OS.
You are able to store the backup on DVDs, external or internal hard disks or on network shares. Tape drives are not supported anymore by Windows Backup.
- Windows Reliability and Performance Monitor:
Combines different snap-ins like the Performance Logs and Alerts, Server Performance Advisor and System Monitor, and provides you with a graphical interface to configure the collection of performance data and event traces. You also get a new snap-in, the »Reliability Monitor«, which monitors the system to detect changes which influence reliability. All diagnoses are provided in nice reports.
- Network Access Protection (NAP):
NAP is not the same as the quarantine introduced with Windows Server 2003 (useable with VPNs), however it's easier to imagine if you think of it. You are able to configure your network so that all machines which want to be part of that network must perform a health-check first (for example, whether their virus signatures and patch-level are up-to-date). If they are not successful they will be put in a quarantine network (where they might install patches and signatures); if they are successful they are connected to the production network. This is now possible on dial-up networks, VPNs or even with direct LAN connections. The health-check is enforced either via IPSec, 802.1x, DHCP, VPN, NPS/Radius or combined. The current version of NAP requires you to run only Longhorn and Vista in your network, but there will most likely be a client available on XP SP2.
- Terminal Services Gateway:
Now authorized computers are able to connect securely to a Terminal Server or Remote Desktop from the Internet using RDP via HTTPS without establishing a VPN session first. You do not need to open up additional ports in your firewall - RDP will be tunneled through HTTPS. The admin has different ways of controlling access, such as selected user or computer accounts which have to be members of the domain, and he's able to configure which resources are available.
- Terminal Services Remote Programs:
This feature was first planned for Windows Server 2003 R2 and was codenamed »Bearpaw« at that point, but has been postponed to Longhorn. Finally you are able to publish single applications instead of the whole desktop to clients. TSRP is totally transparent to the user, e.g. applications like Word 2007 appear with icons in the Start menu, the corners of the application appear rounded as if Word were running directly on the machine, and even the associations with the document types do work: if you double-click a Word file, Word will open up with the file loaded - the user does not see that the application doesn't start locally but on a terminal server.
- Terminal Services Web Access:
Enables administrators to provide access to the Terminal Services sessions via a web interface. Using TS Gateway and TS Remote Programs, the whole communication is via HTTP(S) and the remote applications appear transparent to the user as if they are running locally. And if the user is starting multiple applications, they'll run via the same session to ensure that there's no need for additional licenses per user. TS Web Access comes with an adjustable Webpart for IIS and Sharepoint, which advertises the possible applications and connections to the user. You can use access control rights to adjust which applications appear for which users or groups. TS Web Access requires IIS7 and .
- Windows Deployment Services:
WDS supports the image-based deployment of operating systems via network - initiated by a network boot request. It appears as the joint product of RIS (Remote Installation Services, which first appeared with Windows 2000 Server) and ADS (Automatic Deployment Services, a free download bound to a Windows Server 2003 Enterprise Edition licence) - however that's not the official word (or at least as far as I know).
 relies on the clientside to the new Remote Desktop Connection Client 6.0, which is part of Windows Server Codename »Longhorn« and which will be available as download for Windows XP SP2 and Windows Server 2003 SP1 (as far as currently known).
Additionally, there are a lot of further features in Longhorn (most of them are also part of Windows Vista):
- The new rule-based Windows Firewall, which is able to control incoming and outgoing network traffic and which is configurable via Group Policies.
- Bitlocker Encryption for hard drives:
Not only in Vista but also in Longhorn you are able to encrypt whole hard drives using Bitlocker.
- Desktop Experience:
A new feature which enables a desktop look and feel on the server - targeted at users who are using a server OS as desktop or laptop.
- Internet Storage Naming Server (iSNS):
Enables central registration, deregistration and queries for iSCSI hard drives.
- Multipath I/O for Storage Devices
plus the features which have been part of Windows Server 2003 R2.
I'm very excited about the new major release of the Server-OS! And way cool is the Server Core Version - but more about that later. Stay tuned.