I was recently asked to speak at a Penton road show event in Denver. The topic was Longhorn Server, and there would be three presentations. Two had been previously made for the speakers who were appearing in other cities during the road show, but there was a problem with the third: Since Microsoft had recently delayed Windows Server Virtualization (codenamed Viridian) and was running late delivering Longhorn Server Beta 3, we wouldn't have any demos for the planned third presentation. Thus, I was asked to come up with something of my own for the third session. It could be about anything I wanted, I was told.
Since I had just been briefed about Longhorn Server Beta 3 and knew that that release would ship to the public on April 25, a day after the event, I decided to focus on the features that were new or significantly improved in Beta 3. There are several, so I put it in a Top 10 format and pushed the content into one of Penton's patently terrible PowerPoint templates. And you can download that slide deck if you want (see the link to the right). But I thought SuperSite readers would enjoy and benefit from a more traditional article describing these features. This is it. With apologies to David Letterman...
10. Roles-based install and management
As is the case with Windows Vista, Longhorn Server has been completely rearchitected to be more componentized and modular. This has numerous implications for both products and those who use them. But on the server side, the biggest change wrought by this new architecture is Longhorn Server's new and improved roles install and management model.
Now, roles have been around in Windows Server for quite some time. In the initial release of Windows Server 2003 (see my review), you could configure 7 server roles via the Manage Your Server dashboard (Figure), and you could then trigger individual management consoles to administer those roles in the future. The only problem with this approach was that the roles were essentially isolated from the tools that configured them in the first place. They weren't intelligent about each other and could easily be misconfigured by mucking around in various management consoles.
Windows Server 2003 Service Pack 1 (SP1, see my review) takes this approach to the next level with the new Security Configuration Wizard (SCW). This useful tool examines your system and then shuts down unnecessary services, blocks unneeded ports and secures protocols to ensure that the server is configured as securely as possible given the roles it must perform. The problem with SCW, of course, is that it must be run manually after you've configured your system for whatever roles it will perform. And if you later go and make any changes to these roles, you should run SCW again, to ensure that it's still secured properly.
You can probably see where this is headed. In Longhorn Server, Microsoft has made the roles-based installation and management approach more granular, thanks to the new modular architecture of the product. But these roles are now intelligent: As you configure roles on the server, they are installed in the most secure possible fashion, automatically. And if you make role configuration changes later, no problem: These changes will be configured as securely as possible too.
Here are the 18 roles that Longhorn Server now supports:
Active Directory Certificate Services. Formerly called Windows Certificate Services, ADCS provides X.509 certificate management features. It is backed by a new cryptography API (literally called Cryptography Next Generation, or CNG) and consists of four role services: Certification Authority, Certification Authority Web Enrollment, Online Certificate Status Protocol, and Microsoft Simple Certificate Enrollment Protocol.
Active Directory Domain Services. Formerly known simply as Active Directory, Active Directory Domain Services (AD) is the foundation on which virtually all of Windows Server's management features are built. AD is a directory service that can store data for users, computers, hardware, applications, network services, and other objects.
Active Directory Federation Services. ADFS provides cross-company, federated identity management services, allowing large corporations to selectively open their infrastructures to trusted partners and customers. (i.e. it is cross-forest trust across the Internet divide.) ADFS provides three core capabilities: extranet authentication, Web single sign-on, and identity federation services for IIS-based Web applications.
Active Directory Lightweight Directory Services. Formerly called AD Application Mode, or ADAM, AD LDS is a special mode of AD in which the directory services are configured solely for applications. This lightweight AD mode provides both storage for and access to applications, using the same interfaces administrators and developers already understand.
Active Directory Rights Management Services. Formerly called Windows Rights Management Services, AD RMS is a centrally managed digital rights management (DRM) infrastructure for email and other documents created within an organization.
Application Server. New to Longhorn Server Beta 3, the Application Server role is now separated from the Web Server role. This role configures a server with the technologies needed for deploying and running server-based business applications. These technologies include .NET Framework 3.5, COM+, Message Queuing, and various Windows Communication Foundation (WCF) Web services.
DHCP Server. This role provides Dynamic Host Configuration Protocol (DHCP) services, allowing the server to manage and allocate IP addresses to clients dynamically.
DNS Server. This role provides Domain Name System (DNS) services, allowing the server to process and resolve TCP/IP network-based DNS queries that translate user-friendly domain names into IP addresses. In Longhorn Server, DNS Server now supports IP version 6 (IPv6) in addition to the more commonly used IPv4.
Fax Server. The Fax Server role manages and sends faxes, fax queues, and fax clients.
File Services. Longhorn Server's File Services role allows the server to perform as a file server. This involves a number of storage-related technologies and tools, including DFS (Distributed File System), Storage Area Networks (SANs), the File Server Resource Monitor (FSRM), and so on.
Network Policy and Access Services. Formerly named Network Access Server, this role serves as the foundation for compliance- and security-based remote network access and is a requirement for Longhorn's new Network Access Protection (NAP) network quarantining feature.
Print Server. Longhorn Server's Print Server role allows you to install, view, and manage printers in an organization. This includes a new Print Management console as well.
Terminal Services. Significantly enhanced in Windows Server Longhorn, Terminal Services (TS) is an application virtualization technology that allows administrators to provide remote clients with entire Windows environments or individual applications that are running on the server. New features in this version include TS Gateway, for delivering Terminal Services securely over HTTPS connections, TS RemoteApp, for delivering individual remote applications, and TS EasyPrint. (See below for more information about Terminal Services.)
UDDI Services. This role allows an organization to configure a Universal Description, Discovery, and Integration server for categorizing and managing XML-based Web services. UDDI is a core component of the Windows Server Web services infrastructure as it provides a way for discovering, sharing, and reusing Web services across a network.
Web Server. Newly split from Application Server in Longhorn Server, the Web Server role provides access to the IIS 7 Web server and a host of related technologies, including ASP .NET and Windows Communication Foundation (WCF) Web services. As with Longhorn Server itself, IIS has been thoroughly rearchitected to be highly componentized and configurable in a far more granular manner than previous versions.
Windows Deployment Services. New to Longhorn Server, Windows Deployment Services (WDS) replaces Remote Installation Services (RIS) and other deployment tools from previous Windows versions. WDS works with both the new image-based installs used by Windows Vista and Longhorn and the technologies used by older Windows versions. It can be used to deploy both client and server-based systems on the network.
Windows Media Services. This role configures the server as a media server, able to distribute audio and video content throughout your organization.
Windows SharePoint Services. This role, which works in tandem with Web Server, allows for the creation of SharePoint-based intranet Web sites, which are used for document-based collaboration.
Windows Server Virtualization. Though not included in Beta 3--indeed, the technology won't ship until after Longhorn Server is made available late in 2007--Windows Server Virtualization will allow you to configure a server as a host for virtualized computer environments. In this scenario, the host OS is installed to a parent partition, while guest OSes are installed to child partitions, side-by-side on the disk. Each environment gets configurable access to the underlying hardware resources, and you can manage the server remotely using standard Windows Server management tools.
9. Windows PowerShell
Originally scheduled to ship separately from Longhorn Server, Microsoft's new command line and scripting environment is included in Beta 3 and will ship in the final product. (Users of Windows XP, Vista, and 2003 can download PowerShell for free from the Microsoft Web site.) PowerShell is a complex but technically impressive environment, with support for discoverable .NET-based objects, properties, and methods. It provides all of the power of UNIX command line environments with none of the inconsistencies. The issue, of course, is whether Windows-based administrators will flock to a high-end command line interface. Though Beta 3 doesn't ship with any Longhorn-specific PowerShell commandlets--fully contained scripts that can be executed from the command line--it does include thorough documentation. Microsoft tells me it will ship Longhorn commandlets over time, and it expects a healthy community to quickly evolve as well.
8. Windows Firewall
Three years ago, when Microsoft had shut down active OS development to shore up its security and start the Trustworthy Computing program, I spoke with folks on the Windows Server team about some of the changes they had considered. At the time, simply turning on the firewall wasn't much of an option: It broke a lot of things on the client, but it was a complete disaster on the server. So ultimately, Windows XP Service Pack 2 (SP2) did include an improved firewall that was on by default, but with server, they had to leave it off.
That's all changing in Longhorn Server. The new Windows Firewall, based on the version in Windows Vista, is bidirectional and on by default, regardless of which roles you've configured. In fact, the Firewall is part of the new roles-based management model: As you enable and disable various roles and features, Windows Firewall is automatically configured in the background so that only the required ports are opened. On the other hand, yes, it's still possible to go into the Windows Firewall management console and mess around with individual settings. And if you muck up security there, Microsoft doesn't provide a "go back to previous known safe configuration" button. Maybe next time.
7. Server Manager
In previous versions of Windows Server, Microsoft provided separate management consoles for all of the various roles and features in the OS and, in Windows Server 2003, a simple Manage Your Server dashboard that was more front end than full-featured console. In Longhorn Server, that's all changed. Yes, you can still open individual consoles if you want, but the new Server Manager is your one-stop shop for daily management needs. For the average Windows admin, this will be the only tool you use on a regular basis. And thank goodness, it's a good one.
Server Manager, in many ways, is Manage Your Server all grown up. It's a full MMC 3.0-based management console, and not just a weird HTML-like dashboard. And it's chock full of goodness: You'll see sections for managing each installed role and feature, troubleshooting tools such as Event Viewer, Services, and Reliability and Performance utilities, configuration tools like Task Scheduler, Windows Firewall, WMI Control, and Device Manager, and Windows Server Backup (new to Longhorn) and Disk Management. Sure, in the past, admins would roll their own management consoles, filling them with the exact tools they needed. This time around, you may not need to do so.
What makes Server Manager so useful, aside from its collection of useful tools in a single place, is that each section of the UI gets its own home page. These home pages include information that is pertinent to the role or feature at hand, but there are also links to fix problems, get more information, and access other tools. It's just a thoughtful, well-designed application.
In Beta 3, Server Manager has been improved to offer access to more tools and sports a nicer UI. But the big change this time around is the addition of the new servermanagercmd.exe command line utility, which runs in the standard Command Prompt environment, not the PowerShell. This tool completely duplicates all of the functionality from Server Manager, but within a command line, so you can script and automate. If you can do it in Server Manager, you can do it in servermanagercmd.exe.
6. Server Core
The new Server Core mode of Longhorn Server--which Microsoft tells me will be packaged as separate product editions in the final shipping version of the product--is something Windows administrators have been requesting for years. Server Core is a subset of the full Longhorn Server product. Microsoft has stripped out virtually all the GUI, so there's no shell (Start Menu, taskbar, Explorer windows, etc.), along with most end user applications like Windows Media Player, Internet Explorer, and Windows Mail. Indeed, the only interface you'll get sitting down in front of a Server Core-based server is a single command line window floating over an empty blue backdrop. That, and access to a couple of GUI-type applications like Notepad and Task Manager.
Server Core is designed to reduce the attack surface of the server to be as small as possible. As such, the server is more limited than a standard Longhorn installation. In Beta 3, Server Core supports just seven roles (up from five in Beta 2): AD, AD LDS, DHCP, DNS, File, Print, and WMS (AD LDS and WMS are new to Beta 3). In the final version, it will support eight. (Or, it will support 8 when Windows Server Virtualization is finally released.)
Because of the Spartan UI, you're going to want to do most Server Core administration remotely. And that's just fine, since all the regular GUI-based management tools will work just fine with Server Core over the network. After all, it is still Longhorn Server. But one of the new features in Beta 3 will prove interesting to command line fans: A new command line utility called oclist.exe will allow you to completely configure all of the roles supported under Server Core. And yes, that's for the normal Command Prompt, not PowerShell: You can't run PowerShell under Server Core because it requires the .NET Framework, which isn't supported under Server Core (because the .NET Framework includes GUI code). Microsoft is working on a subset of the .NET Framework that targets Server Core. This won't happen in time for Longhorn Server, but it could allow additional roles in the future--think Web Server--as well as .NET-based tools like PowerShell.
5. BitLocker
Microsoft's BitLocker full drive encryption technology debuted in Windows Vista as a way to protect the system volume on notebook computers. The idea was that, while a notebook loss or theft was inherently expensive, the real expense often came when the data on the drive was exploited by thieves. With full-drive encryption, you can't simply pop out a hard drive and access the data using a different computer.
As it turns out, BitLocker is just as valuable for servers, if for slightly different reasons. Technologically, Longhorn's version of BitLocker is just about identical to what appeared in Vista. It requires TPM 1.2-based hardware or, alternatively, a USB key, to store encryption keys. (USB keys are less viable in server rooms, however.) And it can be configured via Group Policy.
On the server, BitLocker is particularly valuable for machines stored in branch offices, because those servers are often less well physically protected than the machines back in the home office. If a thief walks off with a BitLocker-protected server, they won't be able to access any of the data on the system disk. (You can still use EFS on other partitions, of course.) And BitLocker works really well with some of the other technologies I'm discussing here to create a truly secure and useful branch office solution. (See below.)
4. Read-Only Domain Controller
Also new to Longhorn is Read-Only Domain Controller (RODC) functionality, which allows administrators to optionally configure the AD database as read-only, where only locally cached user passwords are stored on the machine and AD replication is unidirectional, rather than bidirectional.
So why would you want to do this? Well, many organizations are installing servers in branch offices and other remote locations, and these servers often connect back to the home office using slow or unreliable WAN links. That makes AD replication--and even authentication--an arduous and lengthy process. With RODC, the server is set up and configured in the home office, shipped to the remote location, and switched on. From then on, only the user names and passwords of users who hit the server locally--and not the administrator account--are cached on the server.
Like BitLocker, RODC is an excellent solution for physically insecure remote servers. Indeed, if you combine RODC with technologies like BitLocker, Server Core, and EFS, you can configure the most secure remote server possible. That way, even hackers who gain physical control of the server can't take over your network. And removing the stolen RODC from your AD is as simple as checking a switch: Only those users who logged on to that machine will need to change their passwords. You won't have to institute an organization-wide emergency, because most users' accounts will not have been cached on that machine.
RODC is somewhat limited in that it can only support a subset of the roles and functionality normally supported on Longhorn Server. For example, RODC-based servers can support technologies such as ADFS, DHCP, DNS, Group Policy (GP), DFS, MOM (Microsoft Operations Manager), and SMS (System Management Server).
3. Terminal Services
While Terminal Services (TS) is still playing catch-up in many ways with Citrix, the Longhorn Server version of this technology does include a number of long-awaited improvements that should have administrators smiling. Much of this is new to Beta 3 as well. Some of the small but useful changes include TS Easy Print, which makes it easy to print to local printers from remote sessions, 32-bit color support in TS sessions, and, finally, seamless copy and paste operations between the host OS and remote sessions.
But there are big changes this time around too. The new TS RemoteApp functionality allows admins to remotely deploy individual applications to desktops, instead of entire PC environments, which can be confusing to users. These applications download and run on user desktops and, aside from the initial logon dialog box, function and look almost exactly as they would were they installed locally. This functionality requires the new Remote Desktop client, which shipped in Windows Vista and can be downloaded for Windows XP with SP2.
Another new feature, TS Gateway, lets you tunnel TS sessions over HTTPS outside the corporate firewall, so that users can access their remote applications on the road without having to configure a VPN client. This is particularly useful because VPN connections are often blocked at wireless access points, whereas HTTPS rarely is.
2. Network Access Protection
Microsoft has been planning to add simple and easily configurable network quarantining functionality to Windows Server for years, but it's finally happening in Longhorn Server with the addition of Network Access Protection (NAP). Basically, this feature allows you to set up security policies for your network. When a system connects to the network, NAP examines the device to make sure it meets the requirements of your security policies. Those that do are allowed online. Those that do not--typically machines that only connect infrequently to the network, such as those used by travelling employees--are pushed aside into a quarantined part of the network, where they can be updated. How these updates happen depends on the configuration of your environment, but once that's complete, the system is given full access again and allowed back on the network.
New to Beta 3, NAP now features simple installation and management interfaces, remediation failback to Windows Update or Microsoft Update if the local Windows Server Update Services server is unavailable, and compatibility with Cisco's Network Admission Control (NAC) quarantining technologies.
1. No more babysitting Setup
While you can of course install servers automatically using automated installation technologies, the truth is, admins often install servers interactively. The reason for this is simple: While desktop clients are often identical and thus ideal for automated installs, most servers are unique and important to employers and thus need to be configured in a more hands-on manner. So this means that, more often than not, you'll sit down with an install disk, or perhaps trigger a network install, and then sit there answering questions and waiting as Setup moves ahead.
In Longhorn Server, this is no longer required. Now, you simply boot the new server with the Setup DVD and optionally plug in the product key when prompted. At that point, you can step away from the machine: Setup will install the operating system without requiring any input, and it won't halt somewhere in the middle like previous versions so you can enter important information. Instead, everything that Setup needs to know is inputted at the end of the process, and during the Initial Configuration Tasks phase, where you configure the roles and features that will be installed on that system. That's right: You don't need to babysit Setup any more.
In case it's not obvious, this nicety is yet another result of Microsoft's decision to componentize Longhorn Server. And because of the new image-based Setup tools, Server can now be installed in about half the time it used to take. Not too shabby.
But wait, there's more
There's a lot more to get excited about in Longhorn Server, but I wanted to focus mainly on the new stuff here. And of course, I'll be reviewing Longhorn Server Beta 3 shortly, so I can focus on how things have evolved and the wider feature set that isn't mentioned in this article. Looking at Longhorn Server, I can already point out a few really big areas that aren't new or improved in Beta 3 per se, but are nonetheless important and interesting. A few of these include:
Windows Server Virtualization coming later this year. Windows Server Virtualization, codenamed Viridian, is an exciting addition to Longhorn Server. Unfortunately, you're going to have to wait a while to see why this is so: Microsoft recently delayed the public beta of Viridian from the first half of 2007 to the second half of 2007. However, the company tells me it will still ship this technology on time, 180 days after Longhorn Server is finalized.
Active Directory service can now be stopped and restarted. In previous Windows Server versions, you'd have to take a domain controller offline to perform maintenance or back up the AD database. With Longhorn Server, this is no longer an issue, as you can now simply stop the AD service, perform the needed maintenance, and then bring the service back online. Simple and logical.
XML-based Event Logs. The event logs in Longhorn Server are now in an XML format, which makes them easier to use and will also expand the number of tools admins can use to access these crucial troubleshooting data sets.
Reliability and Performance Monitor. The incredible Reliability and Performance Monitor from Windows Vista comes to Longhorn Server as well, giving you all the information you need to discover what's going wrong on the server.
Windows Server Backup. NT Backup, finally, is dead. Now, Microsoft provides a usable disk-based backup solution that doesn't require a tape backup that hasn't been manufactured since 1999.
Windows Service Hardening. In keeping with Microsoft's philosophy that servers should run as securely as possible regardless of the configuration, the default set of running Windows Services has been reduced as much as possible and those services that are running are now doing so with the least dangerous authentication level possible.
Removable Device Installation Control. Microsoft now provides a policy-based framework for preventing users from installing USB-based storage devices to their PCs, downloading critical corporate data, and walking out the front door. This eliminates theft, of course, and also prevents you from having to manually super-glue all those USB ports.
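As an added illustration of the XML-based event log point above (this is example code, not something from the original article or from Microsoft), here is a small Python parser for the Windows XML event-record layout (Event/System/EventData) that filters records by provider, event ID and data fields. The records embedded below are constructed samples, not captured from a real server.

```python
"""Parse Windows XML event-log records and filter them.

The records in SAMPLE_RECORDS are constructed for this example; the layout
(Event > System > Provider/EventID/TimeCreated/Computer, then EventData > Data)
follows the Windows Event XML schema namespace declared in NS.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_RECORDS = [
    # Constructed: successful network logon (Security log).
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>4624</EventID>
  <TimeCreated SystemTime="2007-04-24T10:15:30.000Z" /><Channel>Security</Channel>
  <Computer>BRANCH-RODC01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">EXAMPLE</Data>
  <Data Name="LogonType">3</Data><Data Name="IpAddress">192.0.2.25</Data></EventData>
</Event>""",
    # Constructed: failed logon from another address.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>4625</EventID>
  <TimeCreated SystemTime="2007-04-24T10:16:02.000Z" /><Channel>Security</Channel>
  <Computer>BRANCH-RODC01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">admin</Data><Data Name="TargetDomainName">EXAMPLE</Data>
  <Data Name="LogonType">3</Data><Data Name="IpAddress">198.51.100.7</Data></EventData>
</Event>""",
    # Constructed: service state change (System log).
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager" /><EventID>7036</EventID>
  <TimeCreated SystemTime="2007-04-24T10:20:00.000Z" /><Channel>System</Channel>
  <Computer>BRANCH-RODC01.example.test</Computer></System>
  <EventData><Data Name="param1">Windows Firewall</Data><Data Name="param2">running</Data></EventData>
</Event>""",
    # Constructed: truncated record, to show that malformed input is skipped.
    "<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><System>",
]


def parse_event(xml_text):
    """Turn one XML event record into a flat dict; EventData becomes a name->value map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("record has no System element")
    provider = system.find("e:Provider", NS)
    created = system.find("e:TimeCreated", NS)
    record = {
        "provider": provider.get("Name") if provider is not None else None,
        "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "time": created.get("SystemTime") if created is not None else None,
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {},
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name:  # unnamed Data elements carry no key, so they are ignored here
            record["data"][name] = (data.text or "").strip()
    return record


def parse_events(xml_texts):
    """Parse many records, silently dropping any that are not well-formed XML."""
    parsed = []
    for text in xml_texts:
        try:
            parsed.append(parse_event(text))
        except (ET.ParseError, ValueError):
            continue
    return parsed


def select_events(records, event_id=None, provider=None, **data_filters):
    """Filter by event ID, provider name and exact matches on EventData fields."""
    out = []
    for rec in records:
        if event_id is not None and rec["event_id"] != event_id:
            continue
        if provider is not None and rec["provider"] != provider:
            continue
        if any(rec["data"].get(k) != v for k, v in data_filters.items()):
            continue
        out.append(rec)
    return out


def count_by_event_id(records):
    """Per-event-ID tally, the first thing a troubleshooter wants from a log dump."""
    return Counter(rec["event_id"] for rec in records)


def network_logons(records):
    """(DOMAIN\\user, source IP) pairs for successful network logons (4624, LogonType 3)."""
    hits = select_events(records, event_id=4624, LogonType="3")
    return [(f'{r["data"].get("TargetDomainName", "")}\\{r["data"].get("TargetUserName", "")}',
             r["data"].get("IpAddress", "")) for r in hits]


if __name__ == "__main__":
    events = parse_events(SAMPLE_RECORDS)
    print(count_by_event_id(events))
    print(network_logons(events))
```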
And then there are, of course, the questions. Though Longhorn Server is an amazing product, and, in Beta 3 form, quite mature and stable, not everything about this next Windows Server version is a net gain. I'm concerned about a number of areas.
Branding. Not a big deal, but what will Longhorn Server be called? My money is on Windows Server 2008, given the schedule (see below), but Microsoft might opt to call it Windows Server 2007 to keep it in line with previous version names and the promised four year gap between major product versions.
Schedule. Microsoft tells me that Longhorn Server is still on track for late 2007, but given how Beta 3 slipped a bit, I'm beginning to wonder. The good news, however, is that Beta 3 looks very good. And that makes a late 2007 release more probable, unless of course, the company decides to delay Longhorn for Windows Server Virtualization. Due 180 days after Longhorn Server, this free add-on was supposed to be available in beta form around the same time as Longhorn Beta 3. But the Windows Server Virtualization beta was recently delayed 6 months to late 2007. Microsoft says everything is still on track for the final release.
Pricing. While Microsoft has told me that Longhorn Server will utilize roughly the same product editions lineup found today in Windows Server 2003 R2 (Web Server, Standard, Enterprise, Datacenter, IA64), and will split off some of these versions into Server Core and "normal" variants, what will the pricing look like? It seems like the Server Core versions should be significantly less expensive.
Windows Vista SP1. While Microsoft has been unusually cagey about Windows Vista Service Pack 1, the truth is, this important release is tied to Longhorn Server. When Longhorn ships, Microsoft will update the kernel in Vista so that it matches the Longhorn kernel version. This will happen, I'm told, in Vista SP1.
PowerShell. Will admins grok PowerShell? While it's admittedly a powerful and capable solution, I'm concerned that PowerShell requires a bit too much programming skill for the average admin to master. Time will tell, of course, and Microsoft's ability to create a global PowerShell community might help. Furthermore, while I'm happy that Microsoft is including PowerShell in Longhorn, when will the company truly integrate PowerShell into the OS as it's done in Exchange Server 2007? That won't happen until a future server release, probably the next major release (currently due in 2011).
No matter how you slice it, Windows Server Longhorn is a major Windows Server release and the most exciting server OS release to ever come out of Redmond. Beta 3, though not final in any way, is a much more mature product than was the Beta 2 version, and because it's publicly available, anyone who wants to evaluate this system can now do so. My advice is to begin that evaluation as soon as possible: Longhorn offers enormous benefits over Windows Server 2003 R2 (see my review)--itself an excellent and full-featured product--and it won't take much experience with the new version before you begin imagining the many ways this product can make your life easier. See the future today, and download Longhorn Server Beta 3 to see what all the fuss is about.