The Definitive Guide to Building a Windows Server 2008 Infrastructure

by Greg Shields


Windows Server 2008 is Microsoft's first new server operating system in five years. Some of its new features will change Windows administration as we know it. Others may see a lot of hype in the market, but aren't as compelling as they may seem. The Definitive Guide to Building Windows Server 2008 Infrastructure will assist you in learning the parts of Server 2008 that are important to building the best possible Windows backbone for your business. You'll learn about the features of Server 2008 that should be implemented as soon as possible. At the same time, you'll come away with an understanding of those where you might want to steer clear, or merely put on the back-burner for a little while.

Whether you are interested in Server Manager, Active Directory, Storage Management, Server Core, Group Policy, Terminal Services, Security, or High Availability and Clustering, The Definitive Guide to Building Windows Server 2008 Infrastructure is your resource for understanding the value of Server 2008 and getting it implemented into your infrastructure in the best way possible. This guide uses plain English and plenty of real-world examples to show you the steps necessary to get it up and running as well as the best ways to manage it over the long term.


Chapter 1: Introduction to Windows Server 2008

As the title of this guide suggests, the intent is to provide you with the knowledge you need to build a Windows Server 2008 infrastructure. That means my target as author is to assist you in learning the parts of Server 2008 that are important to accomplishing that goal. At the same time, I hope to illustrate the features from which you might want to steer clear or merely put on the back-burner for a little while. As you can see in the introduction to this chapter, there's a lot in Server 2008 to digest. Figuring out which pieces will integrate best is critical to successfully deploying it within your computing environment.

Another of my intents with this guide is to revisit topics that have become established dogma within Windows administrator circles. Due to the feature sets and capabilities we've been using over the past 5 years, some topics—such as domain design, application delivery, and vulnerability management—have become established standard operating procedure for IT everywhere. With the introduction of Server 2008, some of those “known facts” change a little. Some get completely thrown out the window. Some of them remain mostly the same, but with a few changes to your operating procedure. My goal with this guide is to help you understand where you might want to update your thinking when building and administering your Windows infrastructure.

Throughout all of this, we'll be taking a look at some of the biggest new and improved elements that make up Server 2008. We'll peel back the layers of this new OS to expose some of the most exciting new capabilities you'll want to implement immediately within your infrastructure. Most importantly, we'll learn the steps necessary to get it up and running as well as manage it over the long term.

Chapter 2: Server Manager

Getting an OS installed onto a piece of hardware is only the first step in building your Windows Server 2008 infrastructure. With Server 2008's improvements to the installation process, the experience is shorter and less painful than ever before. Though this guide is all about building your infrastructure, the actual building part is really the easiest part. Faithfully managing and maintaining that infrastructure is where the real complexities arise.

In this guide, it's my job to help you, the budding Server 2008 administrator, understand the needs and expectations associated with not only building but also properly supporting that environment. In this chapter, we'll focus on one specific element new to Server 2008 that I suspect you'll come to appreciate—Server Manager.

Server Manager represents a unification of a number of previously segregated administrative consoles used in Server 2003 and earlier. Consoles for DHCP, DNS, Active Directory, Group Policy, and many others that formerly had their own elements have now been combined into a single location for centralized management. I think you'll find the result quite handy.

But with any change to an operating procedure, there are also a few limitations of which you'll need to be aware. Though Server Manager goes far in unifying much of our administrative experience, it doesn't do so completely. There are still some administrative consoles that haven't made their way into Server Manager. Some are missing for specific reasons. Some at first blush seem to be obvious omissions. If you're used to administration with Server 2003, one of the hardest parts of getting used to Server 2008—as with every new version of a Microsoft OS—is likely just learning where the new controls are.

Chapter 3: Active Directory Design & Domain Controller Management

In our first two chapters, we've discussed the topics of server installation and management from the perspective of a single server. Chapter 1 dealt with the needs of installing an operating system (OS) onto a particular set of server hardware. Chapter 2 discussed the management needs of individual servers, specifically using the new Server Manager tool that arrives with the release of Server 2008.

But in order to fully realize your Windows Server 2008 infrastructure, it is likely that you'll be installing multiple servers in your environment. When the number of computers in an environment grows much beyond one or two, a centralized mechanism for security, authentication, and authorization becomes necessary. With Windows systems, that centralized mechanism is Active Directory (AD).

AD is at its core a directory of objects, much like a phone book directory. The directory contains information about the computers, users, and other configuration objects that are useful for its users. AD is also a source of information control and security. As AD becomes the database of record associated with these objects, it also serves as a location where these objects can identify themselves (identification), provide information that proves who they are (authentication), and request use of resources managed by AD (authorization). Thus, one of AD's major tasks is to provide the structure whereby resources such as files, folders, and registry keys among others are accessed in a controlled manner. AD provides a central location where security principals such as users and computers are assigned rights and privileges to access resources.

In this chapter, we'll be taking a high-level and introductory approach to describing the structure and function of AD as well as the process for installing AD into your computing environment. We'll discuss some best practices associated with the design of AD, and we'll conclude with one critical topic associated with the management of AD's Domain Controllers—ensuring proper backups and successful restores.

Chapter 4: File Servers & Storage Management

This guide is designed to give you an overview of the topics and technologies you need to know to properly deploy a Windows Server 2008 infrastructure. Along those lines, the order of topics I’ve chosen to present here should align with how you’ll likely be bringing these services into your existing Windows environment. We have spent time talking about the prerequisites and installation processes associated with getting servers onto hardware. We then focused on the centralized management tool Server Manager where you’re likely to initially be spending a lot of time. In Chapter 3, we discussed Active Directory (AD) in-depth and its installation to candidate Domain Controllers.

Now that we have a domain in place running atop Server 2008, the next likely place where Server 2008 will make its way into your environment is within your file servers. Why here? As with Domain Controllers, owing to their composition and requirements, file servers make excellent candidates for early Server 2008 adoption:

  • They are typically not installed with large numbers of third-party applications other than the somewhat-common antivirus and backup software.
  • The process of serving file shares is an inherent part of the Windows OS and does not require a large number of add-on components.
  • File servers—though highly critical to business operations—are not highly complex.
  • The files stored on file servers are often fully segregated from the OS. Thus, the wholesale OS replacement is easy because it has virtually no impact on data files.

Because of each of these, the risk associated with migrating file servers to Server 2008 is low. Cutting your teeth with these servers as a first penetration of Server 2008 into your environment will give you the skills and experience you need for future upgrades.

Chapter 5: Server Core

At times throughout the career of every IT administrator comes the thought, “There’s got to be a different way to do this.” Administering servers in the data center, out in the field, and within branch offices across the network involves different sets of skills and experience. The processes that work well for daily administration on a Windows server physically residing down the hall are quite different for those that sit down the street or on the other side of the world.

In addition to handling the common tasks associated with the daily care and feeding of Windows servers, administrators are required to possess another suite of skills to keep those servers secure. Windows has long held a stigma—most often directed from the UNIX world—that it is an easily hackable operating system (OS). This stigma in many ways originates from Windows’ design goals. Windows Server has always tried to be “everything to everyone.” This monolithic structure of the Windows OS makes it highly flexible. The same Windows OS that runs a Web server can also be used as a file server or an email server. Applications are virtually guaranteed to function across all instances of the same OS version. But at the same time, this flexibility introduces numerous additional touch points for a would-be attacker, each of which is a vector for potential compromise.

With Windows Server 2008, Microsoft takes a hard look at that critical thought. In developing Windows Server 2008, Microsoft has realized that in a few special circumstances there is another way to do Windows administration. There are situations where administrators want to sacrifice flexibility in exchange for greater security, a lower profile, and easier remote administration. Server hardware that would otherwise be seeing its end of life can be repurposed for special needs. Enlightened administrators who are willing to change their processes just a little for these special circumstances stand to gain from a streamlined OS that sports minimal interfaces and limited configuration options. That “new and different way” is Windows Server Core.

Chapter 6: Managing & Customizing Group Policy

The advent of client/server computing brought about many changes to the tasks commonly associated with IT. In the mainframe days, actual computers were few in number, with terminals being the mechanism for connecting users to their applications. This centralization was a boon to systems management, as relatively few touch points were in need of control and all were centralized onto just a few computers.

But times change and so do computer architectures. The mainframe computing model eventually gave way to the client/server approach, where processing was distributed between the server and the clients connecting to that server. This new way of computing reduced the reliance on massive computers in the data center, but at the same time, significantly increased the total count of computers under management. With more individual computers to manage, IT found itself with a new problem: How to control the configuration of the machines across the network.

Early on, Microsoft recognized this growing management problem. Upon the initial release of Active Directory (AD) for Windows 2000 Server, Microsoft attempted to solve the problem with a centralized control mechanism called Group Policy. This mechanism for centralized control of individual desktops was made possible through integration with AD. Since every computer was a member of AD, each could be forced to follow “the rules” as laid down through Group Policy configurations. Using Group Policy, it became possible to create a single policy that mandated the configuration of multiple systems.

This mechanism for centralized control has been hugely successful within Windows environments and has been continually augmented and improved with each successive OS upgrade. The release of Windows Server 2008 is no different. With Windows Server 2008, Group Policy gains new policy settings, deployment abilities, and troubleshooting toolsets that add to its already rich set of capabilities as a powerful tool in centrally managing desktop configurations in any AD environment.

Chapter 7: Introduction to Terminal Services

At the beginning of the previous chapter on Group Policy, we talked about how the world of computing has evolved from its early focus on relatively “dumb” consoles connecting to mainframe computers back in the data center. These days, a large percentage of business computing is done using the client/server model, where clients and servers both handle some component of workload processing. Servers sit back in the data center and typically handle the processing of a single function or service, while powerful desktops are used in concert to locally accomplish much of the workload processing.

There is great power in this division of processing between client and server. The actual work involved in processing users’ data needs is distributed among dozens to hundreds of processors within many machines, rather than consuming the resources of a smaller number of total processors within a much smaller collection of computing platforms. Users are given greater freedom in the types of workloads they can accomplish. And adding new applications or services imposes a comparatively smaller impact on the broader user environment.

But with this greater distribution of workload processing comes a related explosion of touch points for administration and security. With the client/server computing model, each server and client runs an OS all its own, with all the associated management requirements. Administering such an IT environment today means controlling the configuration of computers in both the data center and at the desktop, which is a bigger scope to wrap your arms around. Also problematic are applications that require “chatty” network conversations between the client and server halves. The volume of traffic these conversations generate increases the level of network connectivity required between client and server. As clients that use such applications move farther away from their respective servers, overall performance declines, particularly as the number of WAN links involved increases.

Chapter 8: Advanced Topics in Terminal Services

Terminal Services and Terminal Server aren’t new technologies. Originally available with the release of Windows NT as Windows NT Terminal Server Edition, the bits that make up Terminal Server have been around since 1998, making this most recent operating system (OS) release a 10-year celebration of Windows’ remote application support. But Terminal Server has always had a complex history in relation to its related product Citrix XenApp (also previously called Citrix Presentation Server and Citrix MetaFrame).

Due to long-standing agreements between Microsoft and Citrix, the two applications have been tied to each other throughout their history. Citrix’s product and its features have traditionally been targeted for environments with higher-end requirements, with the Citrix product including extra management features like Published Applications, transport level security, a customizable web front-end, multiple mechanisms for deploying applications, and a rich load balancing engine for distributing incoming client session requests. These and other feature sets have historically only been available in the higher-end and higher-cost Citrix product.

Contrast this to Terminal Services, which over its history has usually been relegated to uses within smaller environments, those that cannot afford the added features of Citrix, or have no needs for them. A major factor in this decision is that Terminal Services is significantly less expensive than the Citrix solution, owing to the fact that no extra license costs are required other than for the TS CALs discussed in our last chapter. In contrast, using Citrix in the environment requires additional per concurrent user licenses along with their accompanying maintenance costs over and above Terminal Services’ TS CALs, Windows licenses, and maintenance. This makes Citrix’s features a natural up-sell for those that find themselves needing its extra functionality.

Chapter 9: Securing Servers & the Domain

Throughout this guide, I’ve attempted to show you the features and functionality now available with Windows Server 2008 that are designed to help build and manage your Windows infrastructure. Some of these capabilities are new to this OS version, while others have minor upgrades or remain relatively unchanged.

Yet all these great technologies found in Windows Server 2008 amount to exactly nothing if you can’t properly secure them against external attack. This idea is central to much of what’s different about Windows Server 2008. Beneath the covers and the systems administrator’s radar are a host of changes to the core OS itself that improve its security, enable better resistance against external attack, and ultimately improve its reliability. But those kernel-level improvements are only one part of the story. Layering atop the core enhancements are a set of features that make the management of security easier and more reliable.

In this chapter, we’ll talk about those features that enhance your data center’s security posture. By making the upgrade to Windows Server 2008, the workloads you run in your organization stand to gain a higher level of uptime.

Chapter 10: Windows Failover Clustering

The dream of every IT administrator is an environment of servers and services that never go down. With servers that never go down, the pager never goes off, sleep is never interrupted, and vacations are never put on hold due to data center emergencies. Although the “never” in that dream is likely to remain just a dream for a long time to come, there are technologies available today that can bring it a little closer to realization.

One of those technologies is Windows Server Failover Clustering (WSFC), available with Windows Server 2008. Although WSFC isn’t new to Windows, the updates it sees with the upgrade to Microsoft’s newest server operating system (OS) make it a technology that is now eminently usable by a wide range of IT organizations.

The central problem with Windows clustering in previous versions was its significant complexity. The Windows clusters of yesterday were complex to set up and arrived with little assistance to the installing administrator. If you weren’t a specialist in Windows clustering, you were likely to have a problematic experience getting your first few set up. Another issue with some of its earlier versions was clustering’s reliance on expensive Fibre Channel SCSI for its shared data storage. Although Fibre Channel is an excellent medium for high-speed access to remote LUNs, it can be difficult to work with and requires a set of skills all its own.

Although iSCSI support was first available in Windows Server 2003 SP1, Windows Server 2008 includes expanded support for iSCSI as the medium for shared storage. This version also improves the underlying low-level mechanisms that cluster nodes use to communicate with their shared storage, greatly improving the reliability of the storage subsystem itself.