10 things to consider when making a Windows Server 2008 upgrade decision

Windows Server 2008 is expected to officially launch in February of next year, but many companies are already preparing for the next generation of Windows server software and trying to decide whether, and when, to upgrade. Release candidate evaluations are available from the Microsoft Web site and many IT departments are already trying it out in their testbed labs. Exciting-sounding new features and promised improvements on the old ones make the upgrade tempting.

In this article, we'll look at 10 things you should consider in making the upgrade decision, including eight good reasons to upgrade as soon as possible and two equally good reasons you might just want to hold off for a while.

Reasons to upgrade

First, let's take a look at some reasons to upgrade your network infrastructure and/or individual servers to Windows Server 2008.

Reason #1 to upgrade: Security, security, security

The most compelling reason to upgrade to Windows 2008 sooner rather than later is really at least half a dozen reasons, but they all add up to one thing: improved security. And just as the most important factor in buying real estate is location, in today's interconnected IT world, the most important factor for most of us in selecting an operating system is security.

Here are some of Windows Server 2008's new or improved security mechanisms:

  • Network Access Protection (NAP) provides a way for administrators to exert more control over which computers connect to the network by checking for compliance with security policies and isolating those that don't have the proper service packs and updates installed, antivirus and firewall software installed and enabled, proper configuration settings, and so forth.
  • Read-only Domain Controller gives you a way to restrict the replication of the complete Active Directory database when deploying AD. This is useful when you need to run additional applications on a DC or it's in a place that's not physically secure, because changes can't be made to the AD database through it.
  • Federated Rights Management Services allows for better protection of sensitive data by integrating RMS with AD FS so companies with federated relationships can exchange protected files.
  • BitLocker full disk encryption (also supported by Vista Enterprise and Ultimate editions) enables you to prevent unauthorized persons from booting into the server even if they have physical access.
  • Secure Socket Tunneling Protocol (SSTP) remote access VPN allows you to create an SSL VPN with strong authentication and transport-level security that will pass through firewalls that block PPTP and L2TP traffic.
  • Improved certificate services offer enhancements such as support for enrolling routers and other network devices for certificates, health monitoring of CAs with PKIView, support for Online Certificate Status Protocol for better management of revocation information, and improvements to Web enrollment.

These are only a few of the specific security mechanisms in Server 2008, which also includes the new Windows firewall first introduced in Vista, Windows Defender, service hardening, User Account Control (UAC), and more.

Reason #2 to upgrade: Virtualization

Virtualization is all the rage for businesses from enterprises down to small businesses. Running servers in virtual machines (VMs) allows you to have the logical separation you need so that your Exchange mail server, your Web server(s), your file server(s), etc., have the security benefits of running on separate operating systems. But you also get the cost savings of running all those separate computers on a single physical machine.

Server consolidation is one of the biggest uses for virtualization technology, but it's not the only one. VMs also make it much easier to test new operating systems or applications or to run multiple operating systems (such as XP and Vista) simultaneously.

Microsoft's hypervisor virtualization technology has been in the works for quite some time. Code named "Viridian," it has been announced as Hyper-V and will be available both as an add-on for Server 2008 and a stand-alone server product. Hyper-V can run a variety of operating systems in virtual machines, including 32- and 64-bit Windows and Linux.

Reason #3 to upgrade: Performance

Server 2008 includes numerous enhancements to increase server and networking performance. The "next generation" TCP/IP stack in Server 2008 (and Vista) includes TCP receive window auto-tuning and compound TCP (CTCP), which maximizes the throughput on connections with large receive windows. Wireless networking performance has also been greatly increased.

Windows System Resource Manager (WSRM) is integrated in Server 2008 and can enhance performance by allocating resources according to your needs. Other gains include increased performance for Storage Area Networks (SAN) and Direct Attached Storage (DAS) in clustering, better virtualization performance with Hyper-V, performance enhancements to IIS, better PKI performance in checking for revoked certificates, and better performance for remote terminal services users with TS Gateway, among other performance enhancements. Taken together, these improvements are a good reason to upgrade to Server 2008.

Reason #4 to upgrade: Server Core

Server 2008 gives you two installation options: You can install the full operating system with the familiar graphical interface and built-in applications, such as Internet Explorer, or you can install just the Server Core, a more minimalist environment for command-line administration. Server Core includes the important subsystems -- networking, file system, security subsystem, RDP, WMI, etc. -- but doesn't include the desktop shell, most applications (IE, mail, WordPad, etc.) or the .NET framework. You do get a few GUI utilities, such as Task Manager, Regedit, and Notepad (for editing scripts, viewing log files, etc.). Server Core provides a more secure environment (fewer applications and services to exploit), easier management, and better performance.

Reason #5 to upgrade: Server Manager

Server Manager is a new administrative tool in Server 2008 that's like a much more sophisticated version of the familiar Computer Manager MMC. You can use it to assign roles to the server (Web server, file server, etc.), configure settings, and so forth. It provides a centralized place for managing most aspects of your server. Server Manager is exclusive to Windows Server 2008 and won't run on previous versions of Windows, not even Vista. For those who prefer to work in the "dark place," there's a command-line version of Server Manager, ServerManagerCmd.exe. It's especially useful for automating the deployment of multiple servers that are configured alike.

Reason #6 to upgrade: IIS 7.0

The latest version of Internet Information Services (IIS) provides many improvements over its predecessor. This application is now modular, and you can install only the components you need. That makes it more secure, increases performance, and makes it easier to manage. For example, if you don't need FTP services, don't install them.

IIS has been designed to be as secure as possible out of the box. That is, most components are not installed unless you explicitly choose to install them. ASP, ASP.NET, and similar services are not installed by default. Other security enhancements include built-in URL filtering, a new and more secure account for anonymous users, automatic sandboxing (isolation) of applications on the server, and more.

The IIS management tool has gotten a makeover, too. It's more intuitive and more task-oriented. And a new command-line tool, AppCmd.exe, replaces numerous administration scripts that were used in IIS 6. IIS 7 can also be managed with Windows PowerShell. PowerShell is the command-line interface and scripting language that was code named Monad, and it provides a more UNIX-like environment for IT pros who are comfortable with the command line. Many tasks can be performed more quickly at the command line, and can be automated through scripting.

PowerShell can be downloaded from the Microsoft Web site and run on Windows XP SP2, Server 2003 SP 1, Server 2003 R2, and Vista, as well as Server 2008, but it is especially designed to administer Server 2008 roles, such as Terminal Services and IIS 7.

Reason #7 to upgrade: Terminal Services enhancements

If your business relies on a thin client model based on Windows Terminal Services, you'll find plenty of improvements in Server 2008. It starts with version 6.0 of the Remote Desktop Connection (RDC) client software, which is included in both Vista and Server 2008. This client lets you use network-level authentication (NLA), which authenticates clients before the user logs on. This provides better security by eliminating the window of opportunity during which attackers might intercept credentials or do other dirty deeds. Another security enhancement is server authentication, which prevents clients from connecting to a malicious terminal server that's spoofing the real one.

There are also improvements to the user experience. Higher resolution (up to 4096 x 2048) is supported and you can configure customized widescreen aspects such as 16:10. A welcome improvement is the ability to spread the terminal session display across multiple monitors (so long as they all have the same resolution settings). 32-bit color depth is also supported, and you can now use ClearType font smoothing in terminal sessions. Things are looking good.

Other improvements to Terminal Services include Display Data Prioritization (which provides better network utilization) and the ability to use desktop themes and even the Aero interface in terminal sessions. Printing is easier, too.

Server 2008 Terminal Services users with domain accounts can log on once (single sign-on) if they're using Windows Vista as the client OS. And there are many other under-the-hood improvements that make Terminal Services better for both users and administrators.

Reason #8 to upgrade: Active Directory enhancements

With Server 2008, Microsoft has consolidated services that were separate in previous versions of the operating system. Active Directory is now integrated with the following:

  • Certificate Services (which is now called Active Directory Certificate Services, or AD CS, and offers many improvements)
  • Active Directory Rights Management Services (AD RMS), which provides control over what recipients of documents and e-mail messages can do with those files
  • Active Directory Federation Services (AD FS), which provides for identity management across a federation

Improvements to Active Directory itself include enhancements to the auditing service, granular password and account lockout policies, and the ability to restart the directory services without rebooting the domain controller in Restore mode. Last but not least, Server 2008 gives us the Read Only Domain Controller (RODC), which can be deployed in locations without the best physical security.

Reasons to wait

All of the above are reasons you may be chomping at the bit to roll out Server 2008. On the other hand, there are also a few good reasons you might want to wait before upgrading.

Reason #1 to wait: Compatibility issues

As with Vista, because of the new security architecture in Server 2008 there are likely to be some applications that won't run on it. These include many antivirus and other security applications that access the kernel, backup programs, and applications that check the operating system version prior to installation. Programs that interact with IIS may also have problems, since it has so many changes.

You'll want to check out all your mission-critical applications in a testbed environment before making the decision to deploy Server 2008. Don't just test whether they'll install; some apps may appear to install with no problem but then have problems working properly. If your important business applications won't run stably on Server 2008, you'll have to wait until the application vendor makes upgrades or patches available or switch to different applications before you can make the operating system upgrade.

Reason #2 to wait: Cost factors

If you have many servers, the licensing cost of upgrading to Server 2008 could be significant. You'll want to take an inventory and determine just what that cost will be and whether the benefits are worth it, given your specific needs. And don't forget that the cost of the software isn't the only consideration here.

Let's face it: There's a price for increased functionality with every new operating system, and part of that price almost always comes in increased hardware requirements. Just as Windows Vista requires more powerful computers than XP to run properly, Server 2008 makes greater hardware demands than Server 2003. Microsoft specifies a minimum 1GHz processor (1.4 GHz for the 64-bit version) and recommends a 2GHz or better machine. For Itanium, an Itanium 2 processor is required. Although 512 MB of RAM is specified as the minimum, a more realistic recommendation is 2 GB or more, and you'll need from 10 to 40 GB of available disk space.

Many servers currently running Server 2003 don't meet those criteria, so you may have to factor in the cost of buying new server systems or performing hardware upgrades to your existing servers to run Server 2008.
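
The inventory step described above can be scripted. The following is an added example, not part of the original article: it queries each server over WMI and compares the results with the processor, memory, and disk figures quoted in this section. The function name, output fields, and server names are hypothetical, and it assumes you have administrative WMI access to the servers; Itanium systems are not handled.

```powershell
# Added example. Thresholds are the figures quoted in the article above;
# the function name and output shape are hypothetical.
function Get-Server2008Readiness {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Target64Bit             # planning to install the 64-bit version
    )
    $minMHz = 1000                       # 1 GHz minimum
    if ($Target64Bit) { $minMHz = 1400 } # 1.4 GHz for the 64-bit version

    foreach ($name in $ComputerName) {
        $cpu = Get-WmiObject Win32_Processor -ComputerName $name | Select-Object -First 1
        $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $name
        # Sum the installed memory modules; Capacity is reported in bytes.
        $ramBytes = (Get-WmiObject Win32_PhysicalMemory -ComputerName $name |
                     Measure-Object -Property Capacity -Sum).Sum
        # Free space on the volume that holds the Windows directory.
        $drive = $os.WindowsDirectory.Substring(0, 2)
        $disk  = Get-WmiObject Win32_LogicalDisk -ComputerName $name -Filter "DeviceID='$drive'"

        $mhz    = [int]$cpu.MaxClockSpeed              # reported in MHz
        $ramMB  = [math]::Round($ramBytes / 1MB)
        $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

        $shortfalls = @()
        if ($mhz -lt $minMHz) { $shortfalls += "CPU $mhz MHz (minimum $minMHz)" }
        if ($ramMB -lt 512)   { $shortfalls += "RAM $ramMB MB (minimum 512)" }
        if ($freeGB -lt 10)   { $shortfalls += "Free disk $freeGB GB (minimum 10)" }

        if ($shortfalls.Count -gt 0) {
            $verdict = 'BelowMinimum'
        } elseif ($mhz -ge 2000 -and $ramMB -ge 2048 -and $freeGB -ge 40) {
            # Assumption: 2 GHz, 2 GB and the top of the 10-40 GB range count as "recommended".
            $verdict = 'MeetsRecommended'
        } else {
            $verdict = 'MinimumOnly'     # meets the minimum, short of the recommendation
        }

        New-Object PSObject -Property @{
            Server = $name; CpuMHz = $mhz; RamMB = $ramMB; FreeGB = $freeGB
            Verdict = $verdict; Shortfalls = ($shortfalls -join '; ')
        } | Select-Object Server, Verdict, CpuMHz, RamMB, FreeGB, Shortfalls
    }
}

# Constructed server names; replace with your own inventory list.
Get-Server2008Readiness -ComputerName 'FS01', 'WEB01' | Format-Table -AutoSize
```

Servers reported as BelowMinimum or MinimumOnly are the ones to include in the hardware part of the upgrade budget.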


Debra Littlejohn Shinder is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. These include Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress, and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband, Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP, the best-selling Configuring ISA Server 2000, and ISA Server and Beyond.

5 comments
footlessRabbit

...then this may be the reason to switch to SUSE or others. If you get down to it - Windows is still many years behind the alternative OS's in administration and security. For example - AD(LDAP) integration (#8), IIS 7.0(Apache) being modular (finally!)(#6), and SSL VPN have been available for a while on other OS's. Looks like they are making use of the 277(?) patent infringements and the Open Source Integration branch they built a few years ago. If they drop support for 2003, which they will threaten to do so that people get on the wagon, then I switch to something that has had support for the past 15+ years and is only on its 2.6 version.

Autoyork162

I never update any production systems until the first service pack is available. This gives time for hardware vendors to update device drivers and Microsoft time to fix the new security holes they created as well as any other major bugs.

s31064

God forbid you would just post them here, where the original article is.