Windows Server 2008 Migration Considerations

Chia sẻ: Nguyễn Thị Tú Uyên | Ngày: | Loại File: PDF | Số trang:7

Thêm vào BST

Báo xấu

230
lượt xem 95
download

Windows Server 2008 Migration Considerations

Mô tả tài liệu

Download Vui lòng tải xuống để xem tài liệu đầy đủ

Windows Server 2008 is a big change from Windows Server 2003, as the 5-year gap in the names would sug- gest. Microsoft is providing role-based management, major new product variations (Server Core, Read-Only Domain Controllers), support for hardware-based virtualization, Network Access Protection, BitLocker drive encryption, an overhauled Terminal Services architecture, and a raft of less exciting but nonetheless useful evo- lutionary improvements.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Windows Server 2008 Migration Considerations

Expert Reference Series of White Papers Windows Server 2008 Migration Considerations 1-800-COURSES www.globalknowledge.com
Windows Server 2008 Migration Considerations Glenn Weadock, Global Knowledge Instructor, MCSE, MCT, A+ Introduction Windows Server 2008 is a big change from Windows Server 2003, as the 5-year gap in the names would sug- gest. Microsoft is providing role-based management, major new product variations (Server Core, Read-Only Domain Controllers), support for hardware-based virtualization, Network Access Protection, BitLocker drive encryption, an overhauled Terminal Services architecture, and a raft of less exciting but nonetheless useful evo- lutionary improvements. What are some of the primary migration considerations that you should review when evaluating or planning a move to the new product? I identified several of these in a presentation I gave in Raleigh and Chicago to cele- brate the impending launch of this gargantuan product. It’s not an exhaustive list (we only had two hours!) but it’s a good start, and we’ve repackaged that presentation into this white paper: Key new features (or: “Why should I upgrade?”) • Product versions • Hardware requirements • Focus: Server Core • Focus: Read-Only Domain Controllers • Focus: Server Manager • Focus: Group Policy • Migration and deployment tools Key New Features First, there is a “laundry list” of key new features to be aware of. We can’t cover each of them here, but rec- ommend exploring the ones that may be unfamiliar to you, either on the broad Web or on the Microsoft TechNet Windows Server 2008 Technical Library: • New deployment option with Server Core • Server Manager integrated administrative console • Better security with Read-Only Domain Controllers (RODCs) • Group Policy improvements (architecture, settings) • Improved administration with Server Manager • Better deployment architecture (WDS, WIM) • Synergies with Vista (look/feel; shared code base) • Improved event logging and collection • IPv6 installed by default • Network Access Protection (NAP) • BitLocker full volume encryption Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 2
• Service hardening • PowerShell scripting interface • Server virtualization (Hyper-V) • User Account Control • Windows Firewall with Advanced Security • Reliability and Performance Monitor • Server Manager Product Versions Note that most of the following list of products is available either with or without Hyper-V, the hardware- based virtualization technology, although at this writing, the cost savings of the non-Hyper-V SKUs is negligi- ble: • Windows Web Server 2008 (no DNS, DHCP, VPN services) • Windows Server 2008 Standard Edition (no clustering) • Windows Server 2008 Enterprise Edition • Windows Server 2008 Datacenter Edition (unlimited VMs) • Windows Server 2008 for Itanium-Based Systems Hardware Requirements The minimum requirement for Standard Edition is specified as 1GHz CPU, 512MB RAM, and 8GB disk space, but the recommended spec doubles those figures. As usual with a server operating system, the actual hard- ware requirements will depend on what you ask the machine to do – how many simultaneous roles and serv- ices, the size of the client population, and so on. In terms of the ceiling rather than the floor, you can go up to 4 CPU sockets with the Web and Standard edi- tions, 8 sockets for Enterprise, and 32 for Datacenter. If that’s just not enough horsepower, Itanium edition sup- ports 64 CPU sockets. Maximum RAM varies from 4GB on the 32-bit versions of Web and Standard Edition up to 2TB on the Itanium edition and the 64-bit Enterprise product (wow!). The 32-bit Enterprise edition supports a maximum of 64GB. Focus: Server Core Server Core is a “minimalist” installation of Server 2008 – it doesn’t even come with a graphical user interface! The idea is that you only install the services you need. The benefits of a Server Core installation are reduced attack surface and reduced patch surface. Troubleshooting should be easier, as well, and we would expect increased sta- bility because of the smaller code footprint. Finally, Server Core is not as demanding as “regular” Server 2008 versions when it comes to hardware requirements. Server Core does require a clean install. It supports many, but not all, of the important server roles, including Active Directory Domain Services, AD Lightweight Domain Services, DHCP, DNS, file services, print services, and streaming media services. It does not support Certificate Services, Federation Services, or Rights Management Services. (Betas did not support IIS, but support for IIS on Server Core was added before the release of final code.) Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 3
The other point to note when considering Server Core for your migration is that there is no managed code sup- port. The .NET framework is not present, and PowerShell is not available. You’ll need to use some command-line tools to configure and maintain Server Core, although the remoteable MMC snap-ins (which is most of them) can be run from other servers, or from workstations running Vista SP1, to manage Server Core systems. Microsoft provides a special built-in script, SCREGEDIT.WSF, to handle tasks such as enabling automatic updates, allowing Remote Administration connections, and setting Windows Error Reporting options. In addition to all of the above, you can access Server Core systems via a remote command line using Windows Remote Management (WinRM) and Windows Remote Shell (WinRS). Focus: Read-Only Domain Controllers It’s back to the future – remember the Windows NT Backup Domain Controller (BDC)? It could log you on, but you couldn’t make any changes to it. The 2008 version of the BDC goes by the new name of Read-Only Domain Controller. It is intended for deployment in branch offices that have low physical security and/or limited local IT management. The RODC receives all Active Directory database changes from a writeable domain controller. It has the ability to cache requested credentials (but not for administrators); however, it does not contain a full copy of the AD database. The idea is that if an RODC gets stolen, it’s a lot easier to reset the passwords that might have been cached on the RODC – that is, users at the branch office – than it would be to reset the passwords of every user in the forest! You’ll set up an RODC with new options when you run DCPROMO to promote a member server to a domain controller. The setup wizard also gives you the opportunity to pre-designate a group that can manage the RODC. The benefit of doing this is that you don’t have to have a Domain Admin at the branch office; the dele- gated RODC admin can log on to the RODC but doesn’t have the broad directory access that a Domain Admin has. Most of you reading this white paper know that Active Directory and DNS go together like the peanut butter and chocolate in a Reese’s peanut-butter cup. So it comes as no surprise that you can set up DNS on an RODC. If you do this, Microsoft recommends that branch office clients should point to the RODC’s DNS as the pre- ferred DNS server, with an alternate at the hub site running writeable DNS. Focus: Server Manager If you’re like me, you occasionally wish that your virtual desktop didn’t need to be as cluttered as your physical desktop. (The desktop metaphor that the folks over at Xerox developed a couple of decades ago is a little more accu- rate than I’d like!) In an attempt to ease some of that clutter, Microsoft has given us Server Manager, a new console that combines elements of several Server 2003 administrative tools. The idea is that Server Manager is a one- stop shop for server administration. Although it doesn’t quite succeed in that regard, its improvements are welcome. Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 4
For one thing, Server Manager provides simultaneous access to multiple administrative tools, such as roles, features, Windows Reliability and Performance Monitor, Scheduled Tasks, and Event Viewer. In some cases it includes help data on tools and some links to documents dealing with best practices. Server Manager’s Achilles heel (and an area in which it represents a step backwards from the Computer Management console in Server 2003) is that it is not remoteable. However, you can always run it from within a Remote Desktop session. A command-line version provides opportunities for scripting (and showing off). Some of the Server Manager lingo may be a little bit new. “Roles” are collections of related functionality, much as you used to find in the Add/Remove Windows Components wizard (now defunct). Active Directory Domain Services is a role; so is DNS, Terminal Services, and Web Server (to mention a few). Through a new architecture called Component-Based Servicing, installing a role automatically installs required services and features. Server Manager also automatically secures roles during the installation, bringing the old Security Configuration Wizard one step closer to obsolescence. Finally, several wizards have been beefed up to guide administrators through necessary configuration steps. “Features” in Server Manager are ancillary support functions not tied to specific roles: things like BitLocker, failover clustering, Remote Assistance, and telnet. To round out the vocabulary lesson, “role services” are optional services that augment the capabilities of a role. Focus: Group Policy Group Policy (surely Microsoft regrets that name every time someone like me points out that it doesn’t normally have anything to do with groups) keeps evolving in inter- esting ways with every new operating system. Vista gave us a thorough preview of the changes in Group Policy that find their fruition in Server 2008; here’s a quick run- through of the changes you should know about when planning your migration. First off, the Group Policy Management Console, or GPMC, is now included with Server 2008. (It was also bundled with Vista, but it has been “un-bundled” from Vista as of Service Pack 1, nominally so that the product can be updated separately from the workstation operating system.) This console is where you can manage links, back up Group Policy Objects, product reports, create WMI filters, and perform security group filtering. But the Server 2008 GPMC goes further. It provides the ability to comment your GPOs, and even comment individual policy settings, as long as they fall in the Administrative Templates hierarchy. It also has improved search capabilities (although it’s called “filtering”). You can even create base GPOs that can act as templates for other GPOs; Microsoft calls these “starter GPOs.” These are all welcome changes. Another benefit to those of us who have to manage Group Policy is that you can create a central storage area on the network for the Group Policy “source code” files, formerly *.ADM and now *.ADMX to reflect their XML structure. These files are modular and topically organized; they load automatically if the GPO administra- tor is running Server 2008 or Vista (no more manual loading of ADM files!). Troubleshooting Group Policy is now easier in that there’s a dedicated event log just for Group Policy events. Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 5
Server 2008 introduces the concept of “preferences,” which you can use when you want to make settings that don’t need to be enforced. These are like suggestions, in that the settings take effect initially but users can change them – unlike “real” policies, which are not modifiable by users. Of course there are a bunch of new categories of Group Policy settings to think about when you plan your migration. Most of these apply only to Vista and Server 2008 systems. These include things like restricting device driver installation, managing power settings, User Account Control policies, pre-configuring wireless networking settings, and so on. But one of the most interesting new policy categories may shake the very foundations of your Active Directory domain plan: fine-grained password policies. In Server 2003 and 2000, all Organizational Units (OUs) in the same domain shared the same password and account lockout policies. In Server 2008, you can create Password Settings Objects that you can apply to security groups, so that you can have different user sub-popu- lations within a domain that have their own unique password policy settings. This could be a huge change for some organizations in the sense that they could potentially do some domain collapsing and simplify their AD design; unfortunately, the new system isn’t perfect, because the Password Settings Objects don’t apply directly to OUs. Microsoft suggests you make “shadow groups” that mirror your OU membership. Hmm, one more thing to manage… well, it might be worth it if you can get away with fewer domains in your forest. Migration and Deployment Tools The new tools that Microsoft released in 2007 for use with Vista migrations work with Server 2008 also. There’s the Windows Automated Installation Kit, or WAIK, consisting of the answer-file tool System Image Manager (SIM); the mini-Windows operating system WinPE; and the image capture tool ImageX. Whether you use these tools to deploy Server 2008 depends largely on how many systems you have to roll out, and how consistent their configurations need to be. The Windows Deployment Services (WDS) product, successor to RIS, permits deployment over the network from either Server 2008 or Server 2003, and is free (that is, you’ve paid for it in your server license). It uses the new and improved Windows Imaging format (.WIM) and permits multicasting, but watch out for those bandwidth requirements. Server 2008 is one big product. If you want to know more about these tools, you may have seen something called the Business Desktop Deployment 2007 “solution accelerator.” Now there’s a successor to BDD 2007 called “Microsoft Deployment.” Of course, you SMS shops can perform scheduled deployment of Server 2008 with full reporting and inventory management. Sorry, did I say SMS? I meant “System Center Configuration Manager.” There sure is a lot to keep up with in the Microsoft world these days. To end this section, here are a few miscellaneous tips when it comes time to roll out Server 2008: You may want to start with a member server and upgrade your domain controllers a little later. Adding a Server 2008 DC involves a bit more work, such as running ADPREP on your existing forest. If you want to avail yourself of the BitLocker full volume encryption technology, you’ll need to spend some time planning out your disk partitions; 2 are required at minimum. Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 6
One nice thing about Server 2008 compared to Vista is that the server product lets you encrypt non-system volumes. You can use your Server 2003 printer drivers with Server 2008, but that’s just about the only category of driv- ers that is likely to be compatible with the new OS. User Account Control is likely to be a major area of application compatibility headaches, but remember that you can turn it on or off via Group Policy for specific OUs. Conclusion Windows Server 2008 is easily the broadest and deepest product I’ve ever seen from Microsoft, and this little white paper is just designed to flag some of the areas that you may want to know about when deciding whether and when to move to the new platform. We’ll be writing a lot more about this product as we all get to know it better in the coming months and years. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses: Migrating to Server 2008 Managing and Maintaining Serer 2008 For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs. About the Author Glenn Weadock is a longtime instructor for Global Knowledge and co-developer with Mark Wilkins of two advanced Server 2008 courses in the Microsoft Official Curriculum (MOC) series. He also consults through his Colorado-based company Independent Software, Inc. and is the author of 18 computer books. Copyright ©2008 Global Knowledge Training LLC. All rights reserved. Page 7

CÓ THỂ BẠN MUỐN DOWNLOAD