Windows Server 2008: The Definitive Guide
By Jonathan Hassell
March 2008
Pages: 492



Table of Contents

Chapter 1: Introducing Windows Server 2008
It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified that Microsoft considered enterprise computing an important part of Windows.
After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities.
However, something was still lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that Microsoft save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
The Biggest Changes
Unlike the transition from Windows 2000 Server to Windows Server 2003, which was a fairly minor "point"-style update, Windows Server 2008 is a radical revision to the core code base that makes up the Windows Server product. Windows Server 2008 shares quite a bit of fundamental code with Windows Vista, which was a product derived directly from the techniques of the secure development model (SDM)—a sea change in programming methodologies at Microsoft that puts secure code at the forefront of all activity. Thus, many of the new features and enhancements you will see in the product are the result of a more secure code base and an increased focus on system integrity and reliability.
The most radical changes to Windows Server 2008 include Server Core and the new Internet Information Services 7.0.
Server Core is a minimal installation option for Windows Server 2008 that contains only a subset of executable files and server roles. Management is done through the command line or through an unattended configuration file. According to Microsoft:
Server Core is designed for use in organizations that either have many servers, some of which need only to perform dedicated tasks but with outstanding stability, or in environments where high security requirements require a minimal attack surface on the server.
Accordingly, there are limited roles that Core servers can perform. They are:
  • Dynamic Host Configuration Protocol (DHCP) server
  • Domain Name System (DNS) server
  • File server, including the file replication service, the Distributed File System (DFS), Distributed File System Replication (DFSR), the network filesystem, and single instance storage (SIS)
  • Print services
  • Domain controller, including a read-only domain controller
  • Active Directory Lightweight Directory Services (AD LDS) server
  • Windows Server Virtualization
  • IIS, although only with a portion of its normal abilities—namely only static HTML hosting, and no dynamic web application support
  • Windows Media Services (WMS)
Additionally, Server Core machines can participate in Microsoft clusters, use network load balancing, host Unix applications, encrypt their drives with BitLocker, be remotely managed using Windows PowerShell on a client machine, and be monitored through Simple Network Management Protocol, or SNMP.
Additional content appearing in this section has been removed.
Networking Improvements
The Windows Server 2008 team has made a special effort at improving network performance and efficiency. For the first time, there is a dual-IP layer architecture for native IPv4 and IPv6 support together, simultaneously. (If you've ever configured IPv4 and IPv6 on a Windows Server 2003 machine, you'll know what a pain it is to get them to interoperate without falling all over each other.) Communications security is enhanced through better IPsec integration throughout the various pieces of the TCP/IP stack. Hardware is used more efficiently and robustly to speed up performance of network transmissions, intelligent tuning and optimization algorithms run regularly to ensure efficient communication, and APIs to the network stack are more directly exposed, making it easier for developers to interact with the stack. Let's take a look at some of the improvements in what the team is calling Next Generation Networking.
As I alluded to earlier, many changes in Windows Server 2008 were made to the TCP/IP stack itself. One such improvement is the auto-tuning TCP window size: Windows Server 2008 can automatically tune the size of the receive window for each individual connection, increasing the efficiency of large data transfers between machines on the same network. Microsoft quotes the following example: " ... on a 10 Gigabit Ethernet network, packet size can be negotiated up to 6 Megabytes in size."
The dead gateway detection algorithm present in Windows Server 2003 has been slightly improved: Windows Server 2008 now tries every so often to send TCP traffic through what it thinks to be a dead gateway. If the transmission doesn't error out, then Windows automatically changes the default gateway to the previously detected dead gateway, which is now live. And Windows Server 2008 supports offloading network processing functions from the CPU itself to the processing circuitry on the network interface card, freeing up the CPU to manage other processes.
There are also improvements to network scaling. For example, in previous versions of Windows Server, one NIC was associated with one single, physical processor. However, with the right network card, Windows Server 2008 supports scaling NICs and their associated traffic among multiple CPUs (a feature called r
Additional content appearing in this section has been removed.
Security Improvements
Security problems have plagued Microsoft since Windows' inception, but only in the last few years, as more people have become connected, have those flaws been exploited by malcontents. Indeed, some of the vulnerabilities in products that we see patches for on "Patch Tuesdays" are the results of poor design decisions. These types of flaws are the ones Microsoft is hoping to stamp out in the release of Windows Server 2008. You'll see quite a bit of change to the architecture of services in Windows Server 2008, including increasing the number of layers required to get to the kernel, segmenting services to reduce the impact of buffer overflows, and reducing the size of the high-risk, privileged layers to make the attack surface smaller.
While fundamentally changing the design of the operating system, the Windows Server 2008 team has also included several features designed to eliminate security breaches and malware infestations, as well as capabilities meant to protect corporate data from leakage and interception. Let's take a look at some of the improvements.
A new feature currently known as operating system file protection ensures the integrity of the boot process for your servers. Windows Server 2008 creates a validation key based on the kernel file in use, a specific hardware abstraction layer (HAL) for your system, and drivers that start at boot time. If, at any subsequent boot after this key is created, these files change, the operating system will know and halt the boot process so you can repair the problem.
Operating system file protection also extends to each binary image that resides on the disk drive. OS file protection in this mode consists of a filesystem filter driver that reads every page that is loaded into memory, checking its hashes, and validating any image that attempts to load itself into a protected process (processes that are often the most sensitive to elevation attacks). These hashes are stored in a specific system catalog, or in an X.509 certificate embedded within a secure file on the drive. If any of these tests result in failure, OS file protection will halt the process to keep your machine secure. This is active protection against problematic malware.
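The two paragraphs above describe an integrity baseline (a key derived from the kernel, HAL and boot-start drivers) that is checked on every later boot, with the boot halted on any mismatch. The following Python script is an added illustration of that pattern and is not code from the book or from Windows: it records SHA-256 hashes of a constructed set of stand-in "boot-critical" files, then re-verifies them and reports a halt when one is modified or missing. The file names, contents and the `simulate_boot` helper are all assumptions made for the example; the real mechanism's hash construction, catalog format and page-level checks are not reproduced here.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the kernel image, HAL and a boot-start driver.
# Names and contents are invented for this example only.
SAMPLE_FILES = {
    "ntoskrnl.exe": b"kernel image v1",
    "hal.dll": b"hardware abstraction layer",
    "disk.sys": b"boot-start driver",
}


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Record the hash of every protected file: the analogue of the validation key."""
    return {name: file_hash(root / name) for name in names}


def verify_boot_set(root: Path, baseline: dict) -> list:
    """Return (name, reason) for each protected file that fails validation."""
    failures = []
    for name, expected in baseline.items():
        p = root / name
        if not p.exists():
            failures.append((name, "missing"))
        elif file_hash(p) != expected:
            failures.append((name, "hash mismatch"))
    return failures


def simulate_boot(root: Path, baseline: dict) -> str:
    """Halt when any protected file deviates from the baseline, otherwise continue."""
    return "halt" if verify_boot_set(root, baseline) else "continue"


def demo():
    """Build a baseline, boot once cleanly, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in SAMPLE_FILES.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root, SAMPLE_FILES)
        first = simulate_boot(root, baseline)              # clean boot: "continue"
        (root / "hal.dll").write_bytes(b"tampered hal")    # constructed modification
        (root / "disk.sys").unlink()                       # constructed removal
        second = simulate_boot(root, baseline)             # now "halt"
        return first, second, sorted(verify_boot_set(root, baseline))


if __name__ == "__main__":
    print(demo())
```

The baseline here lives in an ordinary dictionary; in practice its storage matters as much as the check itself, which is why the text places the real hashes in a system catalog or a signed certificate rather than in a file the same code path could rewrite.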
Additional content appearing in this section has been removed.
Manageability Improvements
Servers are only effective if the administrator configures them properly. Windows Server products have traditionally been fairly simple to operate, but in Windows Server 2008 there are many improvements to the initial setup and configuration experience. Much of these details are still being worked out, and these elements may change as we draw nearer to the anticipated release date, but let's take a look anyway and see what Windows Server 2008 has to offer in terms of manageability enhancements.
Server Manager is a one-stop shop for viewing information on a server, looking at its stability and integrity, managing installed roles, and troubleshooting configuration issues that may arise. Server Manager replaces the Configure Your Server, Manage Your Server, and Security Configuration Wizard interfaces. It centralizes a variety of MMC 3.0 snap-ins, allowing you to see at a glance what roles and features are installed on any given machine, and giving you an easy jumping-off point to begin management of those pieces.
Many an administrator has come to love Remote Installation Services (RIS), the add-on to Windows 2000 Server and Windows Server 2003 that streamed an installation of client and server operating systems over the network and provided the ability to customize installations and set them off with just a few keystrokes. In Windows Server 2008, Microsoft has radically revised RIS and renamed it Windows Deployment Services (WDS). WDS still uses the Preboot Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP) to deliver an OS over the network, but it includes Windows PE, a graphical frontend to the installation process that replaces the ugly, less functional text-based blue screen setup phase that's plagued corporate Windows since NT 3.0.
Additional content appearing in this section has been removed.
Performance and Reliability Upgrades
Among the other enhancements in Windows Server 2008, work was done to improve overall system reliability and performance. For example, to view processes in previous versions of Windows Server, you had two basic tools, both of which were virtually unchanged from release to release—the Task Manager and the Performance Monitor. In Windows Server 2008, these tools have been combined into a single interface, called the Performance Diagnostics Console (which is also integrated into the aforementioned Server Manager), to make it easier to view statistics and alerts about how well your machine is handling its duties.
The Resource View is a simpler, but more powerful, view of how certain processes and services, among other metrics, are using the available resources on your machine. The Reliability Monitor shows a detailed view of exactly what events are occurring on a regular or intermittent basis to degrade the stability of your server. For example, you can see problems and degradations based on software installation activity, application failures, hardware missteps, Windows failures, and other, uncategorized problems. The Reliability Monitor generates a "stability index," which is a painfully arbitrary number supposedly representing, on a scale of 1 to 10, how pristine your system is.
Additional content appearing in this section has been removed.
Windows Server 2008 Editions
As always, Microsoft has split up the various editions of Windows Server 2008 so that, in theory, each customer segment is served by the right product with the right feature set at the right price. Windows Server 2008 is available in the following editions:
Windows Web Server 2008
This version of Windows Server 2008 is optimized to host web sites using IIS and is therefore limited in its support of hardware and in its feature set. It's designed specifically as a web server, so you won't find many features enabled other than IIS, ASP.NET, and some other web hosting-specific capabilities. Avoid this edition unless you have machines whose sole purpose is serving web and other Internet content.
Standard Edition (SE)
This is the plain-vanilla version of Windows that most corporations likely will deploy. Included with it is support for up to two processors and 4 GB of memory. SE includes most of the features and support of the other editions, including the .NET Framework, IIS 7, Active Directory, the distributed and encrypting filesystems, and various management tools. You also receive Network Load Balancing (a feature previously reserved for the "premium editions" of the NT server product) and a simple Post Office Protocol 3 (POP3) server which, coupled with the existing Simple Mail Transfer Protocol (SMTP) server bundled with IIS, can turn your Windows Server 2003 machine into an Internet mail server.
Enterprise Edition (EE)
Aimed squarely at more demanding environments, EE adds clustering support, support for eight processors, 64 GB of RAM for x86-based systems and up to 2 TB of RAM for x64 systems, the ability to hot-add memory to a running server, and unlimited network connections, among other things.
Datacenter Edition (DE)
This performance- and scalability-enhanced Windows Server 2008 edition supports from 8 to 32 processors, hot-adding of processors and their replacement, and features the same memory support of the Enterprise Edition. With the exception of more extensive firewalling features and some increase in virtual machine licensing, DE is identical to EE.
For more information, visit the Microsoft web site at
Additional content appearing in this section has been removed.
Hardware Requirements
lists Microsoft's minimum and recommended system requirements for running Windows Server 2008.
However, anyone with prior experience with Windows operating systems is likely familiar with the simple fact that Microsoft's minimum system requirements (and often, the recommended requirements as well) are woefully inadequate for all but the most casual serving duties. Based on price and performance considerations as of this writing, I recommend the following specifications for any Windows Server 2008 version available through traditional channels. I'll refer to these as the "realistic minimums" from this point on in the book.
  • A Pentium III 1GHz processor
  • A server machine capable of using dual processors
  • At least 512 MB of RAM
  • At least 9 GB of disk space
In this day and age, PC hardware changes in value, speed, and availability on what seems like a daily basis. Unless your sole job is to continually specify the hardware platforms and configurations on which your client and server computers will run, it only takes missing a week's worth of developments to miss out on new processor speeds, chipset replacements or introductions, and hard-drive enhancements.
Of course, the methodology for selecting hardware for your servers remains true regardless of the operating system—disk speed is the single most prominent bottleneck in a fileserver, whereas an application server has performance obstacles in the processor and memory.
Additional content appearing in this section has been removed.
The Last Word
Windows Server 2008 presents an interesting set of features that result in tangible benefits for many administrators. The Server Core version of the product is perhaps the most useful new installation option of Windows on the server in quite a while, and it's appropriate for use in many situations where rock-solid servers are required. If your server farm hosts network-intensive applications, you'll find the changes to the TCP/IP stack and other network performance improvements tantalizing, and hardware assistance now makes network scaling much more cost effective by requiring fewer physical servers than before. Security is of course of paramount importance, and NAP alone is worth investing in Windows Server 2008. Management capabilities are improved as well.
Two general camps of people and their organizations will find compelling reasons to immediately upgrade to Windows Server 2008:
Those still running a version of Windows NT or Windows 2000 Server
NT Server 4.0 reached the end of its supportable life on December 31, 2004. Windows 2000 Server's mainstream support ended June 30, 2005, and while extended support will be available until July 13, 2010, it's smart to consider a move. Windows Server 2008, a fundamentally major release, provides a good jump up to new features, although it will likely require a hardware refresh if you are still running Windows NT or Windows 2000 in production.
Those with current Microsoft Select, Software Assurance, or Open License agreements that allow them to upgrade to the latest release at no additional cost
If there's no fee or additional monetary outlay for your upgrade, you can get the benefit of Windows Server 2008 for little overall monetary cost.
If you are not a member of either group, the value of upgrading to Windows Server 2008 is less clear, though a strong case could be made for moving up. If you're happily chugging away with Windows Server 2003 or R2, have read this chapter and don't see any features you absolutely must have now, and don't have an update agreement with Microsoft, you might want to skip this release and wait for Windows Server 2009 (or whatever the appropriate year might be).
Additional content appearing in this section has been removed.
Chapter 2: Installation and Deployment
Now that you've been thoroughly introduced to what's new, what's hot, and what's not in Windows Server 2008, the time has come to install the operating system on your machines. Installing Windows Server 2008 is easy: the fun comes in configuring and customizing the operating system. I'll begin by covering the installation process. Then I devote a large part of this chapter to unattended installations, automated deployment, and batch machine imaging, because you can gain a significant time savings by letting your computer handle as many of the tedious installation tasks as possible. So, let's jump in and get started.
Additional content appearing in this section has been removed.
Installing Windows Server 2008
It's a fairly effortless procedure to install Windows Server 2008 onto new systems. Here are the steps:
  1. Turn the system power on and insert the Windows Server 2008 DVD into the drive. If you receive a prompt asking you to select from what location to boot, choose the option to boot from the CD. The system will boot and begin the initial installation procedure. shows the beginning of this phase from the Install Windows screen. Choose the correct language, time and currency format, and keyboard input method, and then click Next.
    Figure : Beginning the Windows installation process
  2. Click the "Install now" button in the middle of the screen.
  3. When you click the next screen, shown in , you are prompted for your product key. You do not have to enter the key now, but you will be required within a certain amount of time to enter a valid key once installation is complete. Enter your key if you wish and then click Next. Note that if you don't enter a key now, make sure that when you choose an edition to install (on the next screen), you choose the edition that corresponds to the key you will enter later; otherwise, you may need to reinstall.
    Figure : Entering the product key
  4. If you did not enter a key, the screen shown in will appear, asking you to select the edition of Windows that you purchased. (If you had entered a key, Windows would have automatically chosen the correct edition based on the contents of your key.) Choose which edition of the product—including the standard installation or the Server Core flavor—to install. Then, click Next.
    Figure : Selecting the edition of Windows Server 2008 to install
  5. Read the terms of the license agreement. If you accept (which, of course, you have to do to continue installation), check the box and click to continue.
  6. The "Which type of installation do you want?" screen appears, depicted in . If you were running this installation from within Windows, the Upgrade selection would be enabled, allowing you to move to Windows Server 2008 with most of your programs, files, and settings intact. This is not the recommended path; here, in this example, we are completing a clean installation onto a formatted, blank disk. In this case, the only available option is Custom. Click "Custom (advanced)" to continue.
Additional content appearing in this section has been removed.
Initial Configuration Tasks
After your password is changed, Windows Server 2008 logs you in as an administrator, and the Initial Configuration Tasks screen appears, as shown in . On this screen, you can complete the numerous but sometimes tedious steps to configure a newly installed machine for daily use, like setting the time zone, adding IP addresses and configuring them, naming the computer and joining it to a workgroup or domain, updating, and so on.
Figure : The Initial Configuration Tasks screen
I strongly recommend that the first step you complete on this screen is to immediately click the "Download and install updates" link (assuming you have an active network connection that can route to the Internet) to apply the latest security fixes and service packs before placing the machine into production.
In today's hostile Internet environment, I strongly encourage you to perform your installation on a machine that is at least protected by a hardware firewall, and preferably on a machine that is completely disconnected from the network, unless you are using a network-based deployment method (more on this later in the chapter). While the Windows Server 2008 firewall is initially on upon first boot, I have never heard of a virus, worm, or Trojan entering a system from the network without that system having network access. And Linksys, D-Link, and other hardware firewalls are cheap, reusable, and can come in handy in a variety of scenarios. It's a simple step to take to prevent hours of headaches.
Retail copies of Windows Server 2008 have a feature known as activation, which is an antipiracy measure instituted by Microsoft. In essence, when you install Windows with a specific license key on a computer, a hash is created using the key and several attributes of hardware on the computer, including the network card's MAC address. (The exact way this hash is created is, of course, secret.) This hash can't uniquely identify a computer, but it identifies a specific installation of Windows. This hash is sent to Microsoft during the activation procedure. The theory is that if you later try to use the same product key for an installation on different hardware (for example, on another computer), the hash created would be different, and activation would fail because it's likely you are trying to use more than one copy of Windows when you're licensed for only a single installation.
Additional content appearing in this section has been removed.
Deployment
The deployment story in Windows Server 2008 (and Windows Vista, for that matter) has radically changed. Windows Deployment Services (WDS) replaces the old Remote Installation Services (RIS) product that was included with Windows 2000 and Windows Server 2003. It has a number of enhancements, improvements, and new features, but perhaps the most important and the most useful of them is the ability for WDS to read, manage, and stream the new Windows Imaging Format (WIM). WIM support was first baked into Windows Vista and solves a number of problems that you may have stumbled on if you've worked with imaging products for Windows in the past. While WDS can still deploy what it calls "legacy" images—for example, Windows XP installations in the format you used to use in conjunction with Remote Installation Services—WDS shines when you set up different WIM files with boot and install images for different architectures and systems.
With some upfront grunt work (and that may be putting it mildly), you can significantly reduce the time it takes to achieve a complete deployment on machines that are of different types, architectures, and configurations. Let's take a look at some critical components of the deployment infrastructure under Windows Server 2008.
Windows Vista introduced the Windows Imaging Format, a hardware-independent format that stores images of the operating system. The premise of WIM is to make images many-to-one in nature; in other words, multiple images can be contained within one WIM file. Since Windows Vista was architected to be so modular, 95% of the base operating system can be replicated among any number of images; as a result, Microsoft itself can ship just one binary image for each processor architecture—x86 and x64—to everyone in the channel. Additionally, the sizes of each of the image files are reduced using single-instance storage techniques and enhanced compression. Further, you can create WIM files very easily for your own uses and modify them as well.
Perhaps the best usability improvement of the WIM format is the ability to edit images offline using standard file management tools like Windows Explorer. You can add files and folders to an image; for instance, instead of the painful driver addition process in Remote Installation Services, you can simply drop drivers directly into a WIM-based image and have them automatically present for future deployments. Best of all, you don't need to create independent images for each edit you make—the additions, modifications, and deletions you make can coexist in one image, reducing management burden.
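The preceding paragraphs explain why one WIM file can hold several images cheaply: the images share most of their files, and single-instance storage keeps each distinct file body once. The Python below is an added illustration of that single-instance idea, not the book's code and not the actual WIM on-disk format (which also compresses, and which this toy does not model). It stores three constructed images that share a common base in a content-addressed store, then compares the stored size with the size of keeping each image whole. All image names, paths and file contents are invented for the example.

```python
import hashlib

# Constructed base shared by every image, standing in for the common 95% of the OS.
BASE = {
    "Windows/System32/ntoskrnl.exe": b"kernel" * 100,   # 600 bytes
    "Windows/System32/hal.dll": b"hal" * 50,            # 150 bytes
    "Windows/explorer.exe": b"shell" * 40,              # 200 bytes
}

# Three constructed images: each adds an edition marker, two add a shared extra component.
IMAGES = {
    "Standard": {**BASE, "Windows/edition.txt": b"Standard"},
    "Enterprise": {**BASE, "Windows/edition.txt": b"Enterprise",
                   "Windows/System32/clussvc.exe": b"cluster" * 30},
    "Datacenter": {**BASE, "Windows/edition.txt": b"Datacenter",
                   "Windows/System32/clussvc.exe": b"cluster" * 30},
}


class SingleInstanceStore:
    """Content-addressed store: each distinct file body is kept once, keyed by SHA-256.

    Every image is just a manifest mapping paths to digests, so adding an image that
    shares files with an existing one costs only the files that are actually new.
    """

    def __init__(self):
        self.blobs = {}    # digest -> bytes
        self.images = {}   # image name -> {path: digest}

    def add_image(self, name, files):
        manifest = {}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)   # identical content is stored once
            manifest[path] = digest
        self.images[name] = manifest

    def extract(self, name):
        """Rebuild a full image from its manifest; this is what a deployment would stream."""
        return {path: self.blobs[digest] for path, digest in self.images[name].items()}

    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())


def naive_bytes(images):
    """Size if every image were stored independently, as separate monolithic images."""
    return sum(len(data) for files in images.values() for data in files.values())


def build_store(images=IMAGES):
    store = SingleInstanceStore()
    for name, files in images.items():
        store.add_image(name, files)
    return store


if __name__ == "__main__":
    s = build_store()
    print("separate images:", naive_bytes(IMAGES), "bytes")
    print("single-instance :", s.stored_bytes(), "bytes")
```

Because a manifest entry is only a digest, editing one image (adding a driver, say) adds a blob and a manifest line without touching the other images, which is the property the text describes as additions and deletions coexisting in one image.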
Additional content appearing in this section has been removed.
The Last Word
In this chapter, I've covered quite a bit about the various methods to install Windows, how activation works, ways to recover from a bungled Setup, and what to do when Windows Server 2008 just won't boot. I've also looked at automated rollouts of the product and its client brethren.
In the next chapter, we'll step through in detail the file and print service functionality of Windows Server 2008.
Additional content appearing in this section has been removed.
Chapter 3: File Services
One of Windows Server 2008's primary functions within a typical organization is to serve files and connect multiple machines to a smaller number of printers. Windows Server 2008 enables you to create any number of shared folders that contain documents and programs that your users can access via such methods as Windows Explorer, Network Neighborhood, or mapped drives. The operating system also enables you to create a hierarchy of shared folders stored across multiple machines that can appear to end users as though they're stored on a single server.
Print services are simple to configure and manage. Windows Server 2008 enables you to share a printer connected either physically to the server, or to a print server device that is attached directly to the network. It can also host drivers for multiple operating systems and automatically distribute the correct drivers to client systems.
You'll need to be familiar with the following terminology to get the most from this chapter. Feel free to skip to the next section if you've been working with Windows for a while.
Disk
A disk is the actual, physical hard disk within the machine.
Drive
A drive is a logical object formatted for use with Windows. This can be either an entire physical disk or a partition.
Partition
A partition is a portion of a physical disk that can be used with volumes.
Volume
A volume is either a drive or a partition within Windows—it's a common term for both.
In this chapter, I'll discuss in depth all the file and print services Windows Server 2008 provides.
File and Print Server Features
Several features are present in Windows Server 2008 to enable faster, more seamless access to file and print services on your network. Although the infrastructure of the file and print systems has not been completely redesigned, it certainly has been modified to provide for ease-of-use enhancements, increased data integrity, automatic and assisted backup, and other key features, including the following:
Distributed File System (DFS)
DFS is a feature in Windows Server 2008 that permits an administrator to create one logical filesystem layout despite the fact that shares can be scattered across the network on different servers. This makes it easier for clients to find and store files consistently, and it allows for better equipment utilization. One server can host multiple DFS roots, which are "starting" points for a hierarchy of shared folders. In addition, a Windows Server 2008 server can use Active Directory site topology to route DFS requests from clients to the closest available server, increasing response time.
Encrypting File System (EFS)
Native encryption abilities are built into the NTFS filesystem used in Windows Server 2008. By simply checking a checkbox in the Properties sheet for a file, you can easily encrypt and decrypt files and folders to protect their integrity. This feature is particularly useful for mobile computers, which have a greater risk of data loss and capture than traditional corporate desktop machines.
Volume shadow copy
The volume shadow copy feature is perhaps one of the most useful features of Windows Server 2008. The server will take snapshots of files at specific periods during the day, thereby making available a library of previous versions of a file. If a user accidentally overwrites a file, saves an incorrect version, or somehow destroys the primary copy, he can simply click Previous Versions in the Explorer view of the folder and access a shadow copy version.
Windows Search Service
The Windows Search Service, new to Windows Server 2008, catalogs and indexes the contents of server hard disks, enabling users to search in files in different formats and languages for the data they need. The engine has been enhanced over several revisions of the product to accelerate the search process and to use less processor time when cataloging and indexing files.
Setting Up File Sharing Services
Adding a file server role to a machine involves the following:
Configuring the machine as a file server
This process involves turning on file sharing and creating the first shared folder. Windows also creates a few of its own shares by default, which I'll discuss in more detail as the chapter progresses.
Establishing disk space limits by enabling disk quotas, if necessary
Disk quotas are a simple way to limit and control the amount of disk space your users take up with their data. Quotas monitor and limit a user's disk space on a per-partition or per-volume basis; quotas do not stretch across multiple disks. The wizard can configure Windows to apply default quota settings that you select to any new users of any NTFS filesystem. This step is not required to set up file sharing services, but you might find the feature useful. And there is another way of managing quotas—through the File Server Resource Manager, where you can enable per-folder quotas and further limiting by file-type filters.
Setting up Storage Utilization Monitoring
With Storage Utilization Monitoring, you can instruct Windows Server 2008 to keep tabs on how much disk capacity is being used on volumes and to generate reports to the administrator based on predefined thresholds. These reports can be simple alerts, or they can detail large files in order by owner, group, and so on, helping you pinpoint potential targets for archival or deletion in order to free up disk space.
Turning on the Windows Search Service
The Windows Search Service reads the contents of most files on the server and makes a catalog of their contents for easy search and retrieval at later points in time. Because the user interface for the Add Roles Wizard presents this option, I mention it here, but I cover it in detail in .
Installing management tools
The Add Roles Wizard will, when you first set up the file server role on each Windows Server 2008 machine, add the File Services component to Server Manager, allowing you easy access to share and storage management features and the classic Disk Management console.
Creating shared folders and setting share permissions for each folder
NTFS File and Folder Permissions
File- and folder-level permissions are one of the most dreaded and tedious, but necessary, tasks of system administration. They are, however, essential for protecting data from unauthorized use on your network. If you have ever worked with Unix permissions, you know how difficult they are to understand and set: complex chmod-based commands, with numbers that represent bits of permission signatures—it's so easy to get lost in the confusion. Windows Server 2008, on the other hand, provides a remarkably robust and complete set of permissions, more than any common Unix or Linux variety available today. Few would argue that setting permissions in Windows is not easier than setting them in any other operating system. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.
Windows supports two different views of permissions: standard and special. Standard permissions are usually sufficient for files and folders on a disk, whereas special permissions break standard permissions down into finer combinations and give you more control over which operations a user is allowed to perform on files and folders (called objects) on a disk. Coupled with Active Directory groups, Windows Server 2008 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator—for example, in the case of changing group membership. (You'll meet this feature of Active Directory, called delegation, in .)
describes the standard permissions available in Windows.
Table : Windows Server 2008 standard permissions
Read (R)
Allows a user or group to read the file.
Write (W)
Allows a user or group to write to the contents of a file or folder and to create new files and folders. It is possible to have write permission without read permission.
Read and Execute (RX)
Allows a user or group to read the attributes of a file or folder, view its contents, and read files within a folder. Files inside folders with RX rights inherit those rights.
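The following PowerShell script is an added example, not code from the book: it grants two of the standard permissions from the table with Set-Acl, including the write-without-read case the table mentions, and reads the resulting ACL back. The folder path and the principals CORP\ContractReaders and CORP\ScanDropWriter are placeholders; run it as an administrator on the file server.

```powershell
# Added example (not from the book): apply standard NTFS permissions from the
# table with Set-Acl and inspect the result.
# Placeholder names: C:\Shares\Contracts, CORP\ContractReaders, CORP\ScanDropWriter.

$path = 'C:\Shares\Contracts'
New-Item -ItemType Directory -Path $path -Force | Out-Null

function New-NtfsAllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # ContainerInherit + ObjectInherit make the rule flow to subfolders and files,
    # which is why files inside an RX folder end up with RX themselves.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, 'Allow'
}

$acl = Get-Acl -Path $path

# Read and Execute (RX) for the group that only needs to open the contracts
$acl.AddAccessRule((New-NtfsAllowRule -Identity 'CORP\ContractReaders' -Rights 'ReadAndExecute'))

# Write (W) without Read: this account can drop new files in and modify them,
# but cannot list the folder or read what others have stored there
$acl.AddAccessRule((New-NtfsAllowRule -Identity 'CORP\ScanDropWriter' -Rights 'Write'))

Set-Acl -Path $path -AclObject $acl

# Read the ACL back; FileSystemRights shows what each standard permission expands to
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags |
    Format-Table -AutoSize
```

If a placeholder principal does not exist in your domain, Set-Acl fails with an identity-mapping error rather than applying a partial ACL.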
The File Server Resource Manager
Windows Server 2008 includes the File Server Resource Manager, an integrated console that contains various tools and reporting functions so that you can determine, control, and administer the amount and kind of data stored on your file servers. FSRM provides a single and convenient place for you to configure quotas on folders and volumes, screen for unacceptable types of files, and generate comprehensive reports on exactly where your disk space is going.
To access the FSRM, open Server Manager, expand the File Services role in the left pane, expand Share and Storage Management, and click File Server Resource Manager. The default screen is shown in .
Figure : The File Server Resource Manager console
The first step in using the FSRM is configuring some options that will be used by the console. In the Actions pane, click the Configure Options link, and you'll see a screen like .
Figure : Configuring FSRM options
The FSRM is designed to send alerts and reports via email; on the Email Notifications tab, enter the outgoing SMTP server (either an SMTP service installed on the local machine or another mail server provided by your organization or your ISP) and the To and From addresses. You can also send a test email by clicking the corresponding button.
shows the Notification Limits tab.
Figure : The Notification Limits tab
On this screen, you can set limits on how often the FSRM and Windows Server 2008 send notifications for repeated similar events. If the FSRM detects, say, a quota-exceeded event, and the user continues to try to exceed the quota, these notification limits make the FSRM wait a set amount of time before sending another email notification, writing another event log entry, or running command and report notifications again. Configure your limit, in minutes, for each of these notification types.
shows the Storage Reports tab.
Figure : The Storage Reports tab
On this tab, you can specify your preferences for each report that can be generated by the FSRM. For example, if you highlight the File Screening Audit report and click the Edit Parameters button, you'll be able to select which users are included in the report. To take a look at all of the parameters for the reports, click the Review Reports button. The defaults work pretty well here, but as you'll see as we dig further into the FSRM, you may want to alter them slightly to customize the reports for your environment.
Disk-Based Quotas
Windows 2000 first introduced the disk-based quota feature, allowing an administrator to define a limit or set of limits on the consumption of disk space by individual users. Windows Server 2008's quota management features some interesting properties:
  • Windows Server 2008 can distinguish between volumes, so you can set different quotas on different volumes to perhaps segregate types of data, or to offer a disk exclusively to a set of users for their daily work.
  • You can assign disk-based quotas on mapped drives as long as the physical volumes to which the mapped drives point were created with Windows 2000 Server or Windows Server 2003 or were upgraded to either of the later versions from Windows NT 4.0.
  • Unlike some third-party software programs, Windows Server 2008 does not allow grace writes. That is, some software allows a user to continue an operation—say, a file copy process—even if during the middle of that operation the disk-based quota is reached. Windows Server 2008 does not allow this; it will cut off the operation when the quota is reached.
As usual, though, neat features always contain weak points. First, quotas are supported only on disks formatted with the NTFS filesystem. This isn't too surprising because most progressive filesystem features aren't available under the various flavors of FAT. Second, and perhaps more disturbing, is that, due to an architectural limitation, disk-based quotas (those assigned at the volume level, that is) can be assigned only to individual users. This creates quite a headache, as most other network operating systems allow you to set a default quota based on group membership. In this manner, all normal users could have 500 MB, power users and executives could have 1.5 GB, and administrators could have unrestricted space. Alternatively, payroll users could have 250 MB, while the sales team with their myriad PowerPoint presentations might need 1 GB apiece. Alas, Windows Server 2008 doesn't support this out of the box at the disk level, but later in this section I'll show you a problematic but workable way around this limitation.
Using Offline Files and Folders
Offline Files and Folders is a neat feature, offered for the first time in Windows 2000 Professional, which synchronizes files and folders when you connect to and disconnect from the network. Similar to the Windows 95 Briefcase, except much more versatile and automated, Offline Files and Folders caches a copy of selected files and folders on a computer's hard drive. When that computer becomes disconnected from the network for any reason, Windows reads the cache on the machine and intercepts requests for files and folders inside the cache. The end user can still open, save, delete, and rename files on network shares because Windows is fooling him into thinking that everything is still on the network and not in the cache. Windows records all changes, and the next time an appropriate network connection is detected, the changes are uploaded to the network and the cache, and the actual network file stores are synchronized.
What happens when a common network share—call it Contracts—is modified by two different users while they're offline? In this instance, it's really a case of who gets connected first. User A will synchronize with the network, and his modified version of the file will be the one now stored live on the network volume. When User B attempts to synchronize, Windows will prompt him to choose whether to keep the existing version (the one that User A modified) or to overwrite it with the one that User B has worked on.
This has obvious advantages for mobile users. In fact, as I write this, I am sitting at a rest stop on Interstate 20 outside Augusta, Georgia, taking an extended break from a road trip. To open this file, I navigated through Windows Explorer to my regular network storage location for this book and its assorted files. I noticed no difference between my office and this car, at least as far as Windows' interface to the network was concerned. However, tomorrow, when I am back in my office, I will plug the Ethernet cable into my laptop, and Windows will synchronize any files I modified in that folder with the files on my servers in the office. Using this feature, I always have the latest file with me wherever I am, be it in the office or on the road, and I don't really have to consciously think about it. But there's also a plus side that you might not have considered: if you enable Offline Files on regular desktop machines, not just mobile laptops, you create a poor man's fault-tolerant network. (The price you pay for such fault tolerance is bandwidth.) That is, when the network connection disappears, Windows doesn't care if you are using a big mini-tower system or an ultra-thin notebook. So, your desktop users still can safely and happily use network resources, even if the network has disappeared, and you as the administrator can rest assured in knowing whatever the users do will be updated safely on the network when it reappears. Now, of course, this is no substitute for a well-planned network with quality components, but in a pinch, offline folders do well to reduce user panic and wasted help-desk calls.
Using Previous Versions
Previous versions (née shadow copies) are a relatively new technology within Windows products that enable a server to take snapshots of documents on a disk to record their states at certain points in time. If a user accidentally deletes or otherwise overwrites a file, she can open a version the server saved earlier in time, thereby eliminating the need to either re-create her work or contact the help desk to get them to restore the file from the most recent backup. When the previous versions feature is enabled on a disk, clients connecting to a share on that disk will be able to view and access previous point-in-time copies of either individual files or entire directories.
Further benefits lurk beneath the surface of this feature, however. The service behind shadow copies, called the Volume Shadow Copy Service (VSS), is actually responsible for a newly developed application programming interface (API) that allows server-based applications such as Exchange, SQL, and backup programs to take advantage of the benefits of shadow copies. Perhaps the most famous example is a backup that skips open files, either because they are currently open by a user or because they are locked by another process. In the past, this resulted in incomplete backups, either because the backup process halted in midstream because of this unrecoverable error, or because the process skipped the open file. If the open file is, say, your Exchange email database, that's not necessarily a good thing. But now, with volume shadow copies, the backup application can simply use an API to take a snapshot of any open files and back up that snapshot. Now you have an instant backup of a database at any point in time, with no interruption in availability to the user. This is a very nice feature.
You definitely can take advantage of previous versions in the user realm as well. Part of the volume shadow copy service is a piece of client software that Windows Vista and Windows XP Service Pack 2 clients have integrated into the product; no separate installation is needed. Windows 2000 clients can access the software at
The Distributed File System
The Distributed File System (DFS) is a technology that allows several distinct filesystems, potentially on multiple servers, to be mounted from one place and appear in one logical representation. The different shared folders, which likely reside on different drives in different server machines, can all be accessed from one folder, known as the namespace. Folder targets serve to point from shared folder to shared folder to mimic a directory tree structure, which can be rearranged and altered according to a particular implementation's needs. DFS also allows the clients to know only the name of the share point and not the name of the server on which it resides, a big boon when you field help-desk calls asking, "What server is my last budget proposal located on?"
DFS namespaces come in two basic flavors: standalone namespaces, which store the folder topology information locally, and domain-based namespaces, which store the topology structure in Active Directory and thereby replicate that information to other domain controllers. In this case, if you have multiple namespaces, you might have multiple connections to the same data—it just so happens that they appear in different shared folders. You even can set up two different share points to the same data on two different physical servers, because DFS is intelligent enough to select the folder set that is geographically closest to the requesting client, saving network traffic and packet travel time.
DFS in Windows Server 2008 is, essentially, made of two components:
DFS namespaces
These allow you to group shared folders stored on different servers and present them to users in one coherent tree, making the actual location of the files and folders irrelevant to the end user.
DFS replication
This is a multimaster replication engine that supports scheduling, bandwidth throttling, and compression. Most notably, DFS Replication now uses an algorithm known as Remote Differential Compression (RDC), which efficiently updates files over a limited-bandwidth network by looking at insertions, removals, and rearrangements of data in files, and then replicating only the changed file blocks. There are substantial savings with this method.
Command-Line Utilities
In this section, I'll look at several ways you can manage file, print, and user services from the command line.
Sometimes it's inconvenient to use the Windows GUI to map a drive—this is a problem particularly in logon scripts. How do you use a batch file to tell the mouse pointer to move over to My Network Places? There's a better way. The net use command enables you to map any drive to any server on your network, and in some cases, outside networks, too. The syntax is:
net use drive: \\server\share
Here are some common examples that you should find useful.
To map drive H: to Lisa Johnson's home directory on server MERCURY:
net use H: \\mercury\users\lmjohnson
To map the first available drive letter to the same directory:
net use * \\mercury\users\lmjohnson
Sometimes you might need to connect to a share on a domain that isn't trusted by your home domain. If you have an account on that domain, you can use it to connect, like so:
net use H: \\foreignmachine\sharename /user:foreigndomain\username
(If you need to use a password, you'll be prompted for it.)
If you need to terminate a connection or mapping to a server, use the /d switch:
net use \\mercury\users\lmjohnson /d
To disconnect all drive mappings on the local machine:
net use * /d
To connect to a foreign machine (152.1.171.133, in this example) over the Internet or an intranet without relying on name resolution:
net use H: \\152.1.171.133\c$
You also can use a different account with the IP address:
net use H: \\152.1.171.133\c$ /user:hasselltech\hassell
By default, mappings are restored at each logon, a behavior I call map persistency: keeping the same mappings across logon sessions is a big timesaver for your users. You can also specify that a mapping is for the current session only and should not be restored upon logon. To do so:
net use H: \\152.1.171.133\c$ /persistent:no
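As an added example that is not part of the book, here is a logon-script function built around the net use commands above: it maps the user's home directory, replaces a stale mapping left by an earlier session, and reports failure instead of silently leaving the user without a drive. The server name MERCURY, the share name users, the drive letter H:, and home folders named after the logon name are assumptions.

```powershell
# Added example (not from the book): map a home drive from a logon script
# with net use, handling an existing or stale mapping.
# Assumed: server MERCURY, share users, drive H:, home folder = logon name.

function Connect-HomeDrive {
    param(
        [string]$Drive  = 'H:',
        [string]$Server = 'mercury',
        [string]$Share  = 'users',
        [string]$User   = $env:USERNAME
    )
    $target = "\\$Server\$Share\$User"

    # Win32_NetworkConnection lists the current drive mappings (LocalName / RemoteName)
    $current = Get-WmiObject -Class Win32_NetworkConnection |
        Where-Object { $_.LocalName -ieq $Drive }

    if ($current) {
        if ($current.RemoteName -ieq $target) {
            return $true                       # already mapped where we want it
        }
        net use $Drive /delete | Out-Null      # stale mapping from an earlier session
    }

    # /persistent:no because the logon script runs every time; nothing needs restoring
    net use $Drive $target /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not map $Drive to $target (net use exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

if (-not (Connect-HomeDrive)) { exit 1 }
```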
To set up default quotas and modify them using the command line, type the following at the prompt:
fsutil quota modify [VolumeOrDrive] [warninglevel] [hardquota] [<
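Because volume-level quotas accept only individual users, one way to approximate the per-group tiers described earlier is to script fsutil quota modify over a list of users. The script below is an added example, not the book's own workaround; it assumes the fsutil quota modify argument order is volume, warning threshold, hard limit, user (sizes in bytes), uses a placeholder domain CORP, and leaves the lookup of group members to you.

```powershell
# Added example (not from the book): apply per-user NTFS quotas in tiers with
# fsutil, since the volume-level quota feature only takes individual users.
# Assumed argument order: fsutil quota modify <volume> <threshold> <limit> <user>.
# Placeholder accounts in the CORP domain; sizes follow the tiers in the text.

$volume = 'D:'
$tiers = @{
    'CORP\lmjohnson' = 500MB     # normal user
    'CORP\rsmith'    = 1.5GB     # power user / executive
    'CORP\pwalker'   = 250MB     # payroll
}

function Set-UserVolumeQuota {
    param([string]$Volume, [string]$User, [long]$Limit)
    # Warn at 90% of the hard limit so the user hears about it before writes fail
    $threshold = [long]($Limit * 0.9)
    & fsutil quota modify $Volume $threshold $Limit $User | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Per-user limits only take effect once tracking and enforcement are on for the volume
& fsutil quota track $volume | Out-Null
& fsutil quota enforce $volume | Out-Null

foreach ($user in $tiers.Keys) {
    if (-not (Set-UserVolumeQuota -Volume $volume -User $user -Limit $tiers[$user])) {
        Write-Warning "Quota for $user on $volume was not applied"
    }
}

# Show the resulting quota entries for the volume
& fsutil quota query $volume
```

Remember the caveat from the text: Windows cuts an operation off the moment the hard limit is reached, so leave the warning threshold enough headroom for users to react.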