TechNet Evening Session 20070307 – Windows Server Codename “Longhorn”
I was in the room and thought it would be interesting to share with you the highlights of the session.
Though we were shown a lot of new features, we did not see all of them, due to the short length of the session (2 hours).
In summary, Longhorn will offer
- more control: through enhanced task automation (PowerShell) and role-based installation and management
- increased protection: with the help of OS hardening and policy-based management (NAP)
- greater flexibility: thanks to integrated server virtualization (Hypervisor), anywhere application access, extensible Web solutions or improved deployment
Let’s now go more in-depth for some new cool stuff.
The installation process has been greatly improved. In short, the installation of a Longhorn machine goes like this:
- Insert the DVD and start the installation. Select the country and the language, enter the product key (can be done at a later stage), select the partition and boom…
- After the reboot, the Initial Configuration Wizard shows up to help you set the admin password, the server name and domain, configure Windows Update etc…
- Last, the Server Management console shows up to select additional server roles or features.
The out-of-the-box experience (OOBE) is here maximized.
The Server Management console allows you to add roles together with their required dependencies. Also, when a new role is added, all the MMC snap-ins needed to manage the role are installed and made accessible through the Server Management tool.
It also seems that the backup tools have been improved as well.
Nothing really new in this area.
More on PowerShell can be read on Microsoft's website.
It is worth mentioning that the PowerShell ecosystem is growing with more and more partners, like Quest, PowerGadgets or PrimalScript.
Guess what… it is a full redesign with
- modular architecture (40 different modules, to date)
- comprehensive extensible APIs (public APIs)
- deeper integration with ASP.NET
- unified configuration model, with XML config files
- administrative tool based on MMC 3.0
- powerful diagnostic capabilities
- delegated administration (granular level is possible)
- scripting language (appcmd)
A few extra words on the configuration. There is no metabase anymore!! IIS and ASP.NET properties can be defined in the same file. XCOPY is then the key command when copying or replicating sites across production, non-production and development environments.
The IIS configuration can also be stored centrally (on DFS-R) or on the client cache side.
More info on IIS7 can be read here.
Defense in Depth service model with layers.
The size of the layers is being reduced while the services are being segmented. For example, RPC does not need access to the registry, but does require access to network port 135.
Also, the number of layers is greater than before and the number of drivers in the kernel is reduced.
The integrity of the boot process is also verified. Validation occurs on the HAL, boot files, etc.
Furthermore, the integrity of all Windows binaries is validated through hashing, to make sure that they have not been tampered with.
Still on the protection side, Longhorn offers the ability to block the installation of new devices. It is granular enough to allow exceptions, based on hardware ID. Enterprises can then let users install USB sticks, on the condition that they are from a specific vendor or model. This can all be controlled at the computer level with Group Policy Objects.
The integrated firewall is also improved, with inbound/outbound rules and domain isolation with IPsec.
More info on OS hardening can be read here.
This is a minimal installation option for Longhorn with a low footprint on the server.
The option will be available on the Standard, Enterprise and Datacenter editions, in both 32-bit and 64-bit versions.
It will let the server boot in a headless (no keyboard, no screen) scenario.
The UI is rather spartan, as you only have a command prompt available. Management can be done through local or remote commands, via a remote MMC or an RDP client.
In fact, no .NET CLR components are included. An immediate drawback of this is the lack of PowerShell. Microsoft does not intend to release PowerShell on Server Core before Longhorn R2, due to the complexity of dissociating the CLR components the right way. For the moment, it is an all-or-nothing scenario.
There is a major benefit in the patching area. Microsoft thinks that the number of patches to apply on Server Core should be reduced by 60%.
By RTM time, Windows Server Core should be able to run the following roles: DNS, DHCP, File, Print, AD, Virtualization (as parent partition), Media Server and more to come.
Important to note: there is no Server Core upgrade path. When you want to switch from 2003 to Server Core, from Longhorn “standard” to Server Core, from Server Core to “standard”, it will always mean a full re-installation of the server.
Needless to say, good scripting knowledge will be required to operate Windows Server Core servers:
- to change admin password (net user)
- to activate the OS (slmgr.vbs)
- to configure static IP address (netsh)
- to join the domain (netdom)
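Put together, the four commands above form the first-boot script of a Server Core box (with the firewall opened for the remote MMC management path mentioned earlier). This is an added example, not the session's or Microsoft's own script: the adapter name, IP addresses, computer and domain names and the join account are constructed placeholders, and the firewall rule-group name is an assumption.

```batch
@echo off
rem First-boot configuration of a Windows Server Core box, run from the local
rem console as the built-in Administrator. Added example, not from the session:
rem the interface name, addresses, domain name and account are constructed
rem placeholders; adjust them before use.
setlocal

rem 1. Local admin password (net user): "*" makes the command prompt for it, so
rem    the password never lands on the command line, in the script or in logs.
net user Administrator * || goto :fail

rem 2. Static IPv4 address and DNS server (netsh). The adapter name comes from
rem    "netsh interface ipv4 show interfaces".
set NIC=Local Area Connection
netsh interface ipv4 set address name="%NIC%" source=static address=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1 || goto :fail
netsh interface ipv4 add dnsserver name="%NIC%" address=192.0.2.2 index=1 || goto :fail

rem 3. Enable only the inbound rule group needed for remote MMC management;
rem    everything else stays closed. (Rule-group name is an assumption.)
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes || goto :fail

rem 4. Activate the OS (slmgr.vbs) now that the box has network access.
cscript //nologo %windir%\system32\slmgr.vbs -ato

rem 5. Join the domain (netdom). /passwordd:* prompts for the join account's
rem    password; the join needs a reboot, scheduled here 30 seconds later.
netdom join %COMPUTERNAME% /domain:corp.example.com /userd:CORP\svc-join /passwordd:* /reboot:30 || goto :fail

rem After the reboot, "oclist" shows which roles and features are installed.
echo Configuration done, rebooting in 30 seconds.
exit /b 0

:fail
echo Step failed with error %errorlevel%. Fix the input and re-run.
exit /b 1
```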
During the demo, a “blank” Windows Server Core had a footprint of 178 MB in the memory with 27 processes, while a “standard” Longhorn was at 462 MB with 45 processes.
Network Access Protection (NAP)
The Windows client computer (Vista or XP) will have a certificate of health, which will be presented to the Network Policy Server. The latter will validate the health of the client.
If the health is OK, the client is granted access to the corporate network.
If not, the client will be connected to the remediation network, where SMS, WSUS or FTP servers will help the client to reach the required level of conformity.
Good to know: NAP is active not only at boot time but also during the session.
New name: Windows Server Failover Clustering.
- complexity is reduced
- no need anymore for domain account; the service can run on each cluster member in the LocalSystem context
- stability: no quorum model, so no SPOF anymore
- cluster validation before the installation: network, server version and storage are checked before the installation
- enhanced management capabilities through MMC 3.0 support
- majority quorum model
- for geographically dispersed clusters, the witness can be put on a file share in a 3rd site, for instance
- no more single-subnet limitation
- configurable heartbeat timeouts
Branch Offices Deployment
- read-only domain controller
- unidirectional replication
- no secrets caching (can be changed through GPO)
- not a member of the Enterprise Domain Controllers or Domain Domain Controllers groups
- the local admin of the server is not administrator of the domain
- 2003 forest functional mode
- PDC role must be on a Longhorn server (should no longer be the case with RTM)
- having multiple Longhorn DCs per domain is recommended
- BitLocker for encryption: requires TPM 1.2 or a USB flash drive
Restartable Active Directory
Active Directory Domain Services can be stopped for maintenance purposes, without bringing the full server offline.
Very useful for restoring the AD, defragmenting the DB, etc., while keeping the other services available to the users.
This is to me, based on past experiences, a very cool feature.
Windows Server Virtualisation
The hypervisor is a layer between the operating system and the hardware. Note that the hardware must be based on Intel VT or AMD-V.
The host must run on 64 bits and allows parent partitions (VHD) running on either 32 or 64 bits.
Live migration of a running virtual machine to another physical system will be possible.
New Terminal Services capabilities
- single sign-on for managed clients
- TS Gateway will allow remote access to internal server resources (RDP over RPC over HTTPS), with end-to-end SSL encryption and granular access control at the perimeter (who can connect to which computers)
- Remote Programs: seamless window integration (à la Citrix) based on MSI or RDP packages. It will also be possible to use Flip3D within a TS session (even though I don’t see the advantage of it, considering the impact on the bandwidth)
- Active Directory has been renamed to Active Directory Domain Services.
- There will be a command, “oclist”, to list, install and uninstall roles and features on Longhorn servers.
- The final name is not yet known.
- Initial planning is: RTM should reach the market in H2 2007.
- A new feature should come in the area of load balancing.