Managing Branch and Global Offices with Windows Server 2008
For organizations that have expanded their office boundaries to include geographically dispersed branch office locations, the administration of distributed infrastructure resources and the optimization of communications channels can present serious challenges. With Windows Server 2008, you can maintain the performance, availability, and productivity benefits of local branch office services while overcoming several of the challenges associated with managing a mixed branch and global office environment.
Windows Server 2008 can help you streamline deployment, ensure highly secure and reliable connectivity, and lower management overhead when working with branch and global offices:
Windows Deployment Services
Windows Deployment Services (WDS) can be used to automate the deployment of operating systems in branch office environments where limited or no administrative staff exists. Using Windows Deployment Services, new systems can be brought online quickly, even those systems that are delivered without any operating system. Minimal user intervention is required to install the operating system, usually consisting of simply logging on to the network and choosing the operating system image that should be deployed.
Network Access Protection
Network Access Protection (NAP) is a policy enforcement platform that can be used to validate system health requirements. When a client connects to your network, the NAP components can verify that all of the required updates and system configuration settings are met before allowing the system to connect. Used in conjunction with System Center Configuration Manager 2007, any system that does not meet the policy requirements set forth by your organization can be automatically provisioned to become compliant. NAP can be used to check the health and status of your mobile workforce’s laptops, help ensure the ongoing health of desktop computers, determine the health of visiting systems, such as those of your partners, and verify the compliance and health of unmanaged home computers.
BitLocker Drive Encryption
In a branch office environment, you may not be able to physically secure your servers. In cases where you want to ensure the integrity of sensitive information, you may need to provide another security option besides controlling permissions to the data and rights to perform actions on the server. BitLocker Drive Encryption can be used to encrypt all of the data on the storage media. BitLocker is the combination of two major data-protection procedures: encrypting the entire Windows operating system volume on a hard disk and verifying the integrity of early boot components and boot configuration data.
Server Core Installation for Windows Server 2008
Server Core, an installation option of Windows Server 2008, provides a minimal operating system environment consisting of specific services and a limited administrative interface. Reducing the functionality to a command-line interface for administration and limiting the services that are allowed to run on the server reduce the overall attack surface of the system. Windows Server Core supports the following roles:
- Dynamic Host Configuration Protocol (DHCP)
- Active Directory Domain Services (AD DS)
- Read-Only Domain Controller (RODC)
- Active Directory Lightweight Directory Services (AD LDS)
- Windows Media Services (WMS)
- Internet Information Server 7.0 (IIS 7.0)
Read-Only Domain Controllers
A Read-Only Domain Controller (RODC) is a domain controller with a read-only version of the Active Directory database that can be deployed in environments where the security of the domain controller cannot be guaranteed. This includes branch offices where the physical security of the domain controller is in question, or domain controllers that host additional roles that require other users to log on and maintain the server. The use of RODCs provides several benefits:
- RODCs prevent changes made at branch locations from potentially polluting or corrupting your AD forest via replication.
- RODCs eliminate the need to use a staging site for branch office domain controllers, or to send installation media and a domain administrator to the branch location.
- Deploying an RODC can also benefit users in a branch office by allowing them to authenticate locally instead of relying on authentication across an inconsistent network link.
To learn more, please visit the Active Directory page.
IPSec Host-to-Host Authentication
Using Windows Server 2008 and Windows Vista, IPSec now supports user-level authentication known as AuthIP. AuthIP includes several benefits over the original IPSec that was included with previous versions of Windows Operating systems.
- User credentials can be used to enforce authentication. User-level authentication can be based on Kerberos, NT/LAN Manager version 2 (NTLM v2), user certificates, or a computer health certificate.
- Multiple credentials can be used to validate the computer when it connects, and then user credentials can be used to control access to resources.
- Improved authentication method negotiation allows systems to better negotiate the connection between the client and server. Multiple authentication methods can be configured, and the systems will negotiate which to use instead of failing after the first negotiation fails.
- Asymmetric Authentication allows you to specify different authentication methods depending upon where the communication was initiated. Using Asymmetric Authentication, you can now configure a one-way trust between the internal network’s domain and a perimeter domain. Asymmetric Authentication allows you to configure Kerberos authentication when communication is initiated by the intranet computers and certificate authentication when communication is initiated by computers in the perimeter.
Active Directory Replication Enhancements
Active Directory replication is more efficient with Windows Server 2008. After upgrading domain controllers to Windows Server 2008, Active Directory uses the Distributed Files System Replication (DFS-R) to replicate changes. DFS-R only replicates changes to attributes. This granular delta-replication reduces the amount of data that needs to be distributed across communication channels.
Next-Generation TCP/IP
The TCP/IP protocol suite has been completely redesigned for Windows Server 2008. Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) are both supported natively by Windows Server 2008. The design goals behind many of the new features in the Next-Generation TCP/IP stack keep the needs of today’s remote environments in mind, particularly for remote locations working over slower, less reliable network links.
Server Message Block 2.0
Server Message Block (SMB) 2.0 has been redesigned for today’s complex networking environments and next-generation file servers. The SMB 2.0 protocol provides a number of communication enhancements, including greater performance over a high-latency link, and better security through the use of mutual authentication and message signing.
Server Virtualization
Server consolidation through virtualization is an important consideration for organizations that have constrained budgets and limited administrative resources in remote branch office locations. Windows Server 2008 is available with Hyper-V, the next-generation hypervisor-based virtualization technology from Microsoft. Hyper-V helps address several business challenges and provides the following benefits for branch and global offices:
- Virtualization and consolidation of server roles as separate virtual machines (VMs) running on a single physical machine, without the need to buy third-party software
- Support for different operating systems, such as Windows, Linux, and others
- Simple virtual system migration from one physical host server to another
- Clustering of Windows Server virtualization (WSv) hosts or VMs running on WSv hosts, and backup of VMs while they are running, to keep your virtualized servers highly available
- New management tools and performance counters make virtualized environments easier to manage and monitor
- Virtual Machine Snapshot to easily revert back to a previous state
- Improved performance and security
- Improved storage access with support for storage area networks (SANs) and internal disk access
To learn more, please visit the Server Virtualization and Consolidation page.
Presentation Virtualization with Terminal Services
Terminal Services in Windows Server 2008 can provide centralized access to applications without the need to provide the whole remote desktop: To the end user, the application appears to be running on the local desktop while, in fact, the user is only experiencing the presentation of the application which is running remotely. With Terminal Services in Windows Server 2008, organizations can provide more secure access to centralized applications without a Virtual Private Network (VPN) and without opening up unwanted ports on firewalls. This reduces the complexity needed to provide secure remote access to applications and data. For deployments with several servers, new load-balancing features provide a simple way to ensure optimal performance by spreading sessions among the least-loaded available resources.
To learn more, please visit the Presentation Virtualization with Terminal Services page. |
