Scott Lowe shares 10 items that Windows server administrators need to know in order to adequately support Windows 7 clients.
You might think that Windows 7 is the sole purview of the desktop team, but there are features in the new desktop release that will significantly affect your work. Bear in mind that the Windows 7/Windows Server 2008 R2 release is the first joint Windows desktop/Windows Server release since Windows 2000, so there are considerable synergies between the products.
Here are 10 items that Windows server administrators need to know in order to adequately support Windows 7 clients.
1. New Remote Server Administration Tools
With the release of a new Windows client comes a new set of Remote Server Administration Tools; after all, you need to be able to manage your infrastructure without constantly connecting to a server console.
The downloadable Remote Server Administration Tools for Windows 7 can be installed on Windows 7 Enterprise, Professional, and Ultimate systems and can manage Windows Server 2003, 2008, and 2008 R2. The tools support both Full and Server Core installations of Windows Server, and there are 32-bit and 64-bit packages to match the Windows 7 client. Note that after the package is installed, each snap-in and command-line tool still has to be switched on individually under Control Panel > Programs > Turn Windows features on or off; nothing is enabled by default.
My take: This is pretty much par for the course each time a new version of Windows Server is released.
2. DirectAccess
With Windows 7 and Windows Server 2008 R2, Microsoft has introduced a new feature called DirectAccess. Available on domain-joined Windows 7 Enterprise and Ultimate clients, DirectAccess gives the client direct, always-on access to network resources from any Internet connection, as if the computer were sitting on the corporate network, without the user starting a VPN session. Moreover, because the connection is established by the machine before anyone logs on, mobile clients stay in reach of Group Policy and software update servers just like their non-mobile counterparts.
Because DirectAccess depends on a Windows Server 2008 R2 DirectAccess server, you'll be deeply involved in supporting this Windows 7 feature. DirectAccess is IPv6 end to end: clients on the IPv4 Internet reach the DirectAccess server through IPv6 transition technologies (6to4, Teredo, or IP-HTTPS over TCP 443 as the fallback), and IPv4-only servers on the intranet need ISATAP or a NAT-PT device in front of them, so break out the IPv6 books before you deploy this feature. Traffic is protected by IPsec tunnels authenticated with computer certificates (and the user's Kerberos ticket for the intranet tunnel), which means a PKI that can issue certificates to every client and to the DirectAccess server, plus an internal "network location server" that clients probe to decide whether they are inside or outside the corporate network.
My take: DirectAccess could make the traditional VPN obsolete in many companies, and the technology deserves a thorough analysis. New remote access capabilities often raise red flags with the security group, so make sure that all of the stakeholders have a clear view of how the technology works so the organization can perform a proper risk analysis. Related TechRepublic resources
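Because most DirectAccess support calls boil down to "which transition technology is the client using, and did the IPsec tunnels come up?", here is a client-side health check as an added example (not from the original article). It uses only the built-in netsh contexts on a DirectAccess-enabled Windows 7 client; the interpretation comments are assumptions about a typical deployment, and no hostnames are required.

```powershell
# Added example: DirectAccess client health check on Windows 7 (run elevated).
# Nothing here changes configuration; every command only displays state.

# 1. Which IPv6 transition technology is carrying the tunnel? Exactly one of
#    these should report an active interface on a working client:
netsh interface teredo show state            # Teredo: client behind a NAT
netsh interface 6to4 show state              # 6to4: client has a public IPv4 address
netsh interface httpstunnel show interfaces  # IP-HTTPS: last resort over TCP 443
                                             # (works through hotel/guest proxies)

# 2. Name resolution: DirectAccess pushes a Name Resolution Policy Table (NRPT)
#    via Group Policy so corporate names resolve over the tunnel against the
#    internal DNS servers. The dnsclient state shows whether the client thinks
#    it is inside or outside the corporate network (the network location server
#    probe) and whether DirectAccess settings are configured and enabled.
netsh namespace show effectivepolicy
netsh dnsclient show state

# 3. IPsec: DirectAccess builds an infrastructure tunnel (computer certificate)
#    and an intranet tunnel (computer certificate plus user Kerberos). Main-mode
#    and quick-mode security associations to the DirectAccess server's IPv6
#    address should be present; an empty list means the tunnels never came up,
#    usually a certificate or firewall problem rather than a routing one.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

When handing this to the desktop team, have them capture the output before and after the user reports the problem; a client that shows "Inside corporate network" while it is actually on the Internet has a reachable network location server it should not have, which is a security finding, not just a connectivity one.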
- Windows Server 2008 R2 and Windows 7 provide DirectAccess to resources
- Windows 7 and Windows Server 2008 R2 DirectAccess Executive Overview
- Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2
- IT Manager Webcast: How Microsoft IT Deployed DirectAccess to Provide Secure Access to Corporate Resources From Anywhere (Level 200)
3. VPN Reconnect
Even though Windows 7 supports the new DirectAccess method, Microsoft hasn't abandoned traditional remote access. The VPN is enhanced through the introduction of the VPN Reconnect feature in the Windows Server 2008 R2 Routing and Remote Access Services (RRAS) component.
VPN Reconnect provides users with a consistent VPN experience and automatically re-establishes the VPN connection after a temporary loss of Internet connectivity, for example when a laptop moves from a wired connection to Wi-Fi or from one hotspot to another. It is built on IKEv2 with the MOBIKE extension: the IPsec security association survives the client's address change, so the tunnel resumes without the user re-authenticating. The feature requires Windows 7 clients, an RRAS server running Windows Server 2008 R2, and a server certificate (with the Server Authentication purpose) that the clients trust. Microsoft has made available a step-by-step guide to deploying the RRAS service with VPN Reconnect; it's a relatively involved process that requires the Windows server administrator to implement and configure a number of components.
My take: While it's not a revolutionary enhancement, automatically reconnecting to a failed VPN connection is pretty nice from a user experience perspective, but this isn't the first feature I would deploy. DirectAccess deserves a look first.
4. Offline Domain Join
Offline Domain Join (implemented by the djoin.exe tool) is a feature whereby Windows 7 and Windows Server 2008 R2 computers can join an Active Directory domain without the joining computer having any connectivity to a domain controller. In many organizations, the Windows server administrator is responsible for Active Directory, and the provisioning half of the process does need a connection to a Windows Server 2008 R2 domain controller.
Offline Domain Join replaces the normal network-centric process of joining a domain with a pre-provisioning process: an administrator on a connected machine creates the computer account and writes its details to a small file, a base64-encoded blob that contains the new computer's account password along with domain and domain controller information. From there, the target client imports the file (or an unattend.xml references it during setup) and is joined to the domain without any network traffic having to be exchanged; the join completes on the next reboot. Because the blob is effectively the machine account's credential, treat it like a password: don't leave it on shared drives or in images, and delete it once the join has completed.
My take: I have been in situations in which Offline Domain Join would have been really useful. Although the capability isn't exactly revolutionary, and some admins will probably overlook this feature, it can certainly reduce frustrations when you can't directly establish network connectivity.
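The two halves of the procedure above, as an added example that is not part of the original article. The domain name contoso.com, the computer name WS7-LAPTOP01, the OU path, and the file path C:\odj\WS7-LAPTOP01.txt are placeholders; the djoin.exe switches are the real ones.

```powershell
# Added example: Offline Domain Join with djoin.exe (run from an elevated prompt).

# --- Step 1: on a provisioning machine that CAN reach a Windows Server 2008 R2 DC ---
# Creates the computer account in the target OU and writes the provisioning blob.
# The account used must have rights to create computer objects in that OU.
djoin.exe /provision /domain contoso.com /machine WS7-LAPTOP01 `
    /machineou "OU=Laptops,DC=contoso,DC=com" `
    /savefile C:\odj\WS7-LAPTOP01.txt
# Add /reuse to re-provision an account that already exists, or /dcname <DC>
# to pin the provisioning to a specific domain controller.

# --- Step 2: on the target Windows 7 machine, no domain connectivity required ---
# Imports the blob into the running OS (/localos) and schedules the join.
djoin.exe /requestODJ /loadfile C:\odj\WS7-LAPTOP01.txt `
    /windowspath $env:SystemRoot /localos
Restart-Computer

# --- Alternative to step 2 for imaging: reference the blob from unattend.xml ---
# Paste the file's contents into the Microsoft-Windows-UnattendedJoin component:
#   <Identification><Provisioning><AccountData>...base64 blob...</AccountData>
#   </Provisioning></Identification>
# and Windows Setup performs the join during the specialize pass.

# --- Cleanup: the blob is equivalent to the machine password ---
Remove-Item C:\odj\WS7-LAPTOP01.txt -Force
```

If the join fails after reboot, the usual cause is that the computer clock or the name in the blob does not match what the domain controller expects; the provisioning step can simply be repeated with /reuse.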
5. BranchCache
BranchCache is another new feature added to Windows 7 and Windows Server 2008 R2. BranchCache is typically used by Windows 7 clients relying on a Windows Server 2008 R2 server, so you'll play a large role in supporting this new service.
BranchCache helps alleviate WAN congestion, reduces communications costs, and increases productivity by caching content to a local computer in a branch office. In short, the first Windows 7 client that downloads information from a content server caches that content locally or to a hosted Windows Server 2008 R2 server in the branch office. When other clients access the same content, those clients are directed to the locally cached copy of the content rather than being routed over the WAN.
There are two modes in which BranchCache can operate: distributed cache and hosted cache. Distributed cache uses a peer-to-peer model and allows, for example, Windows 7 computers at a serverless branch office to serve each other content first retrieved from an upstream Windows Server 2008 R2 content server. Hosted cache keeps the branch copy on a local Windows Server 2008 R2 computer, which survives laptops leaving the office and is the better fit once a branch has a server anyway. Either way, the content server still performs the access check on every request: a client receives only content identifiers (hashes) from the server, then uses those to fetch the data from a peer or the hosted cache, and the cached data is encrypted with keys derived from those identifiers. A client that was never authorized for the file therefore cannot read it out of a peer's cache, which is worth explaining to the security group when they hear "peer-to-peer". Only HTTP, BITS, and SMB traffic from BranchCache-enabled servers is cached; nothing else on the WAN changes.
My take: WAN costs can still rack up big bills and congested links can sap productivity; BranchCache makes it possible to address both of these issues, as long as everyone is running Windows 7. BranchCache is worth a look, but it wouldn't necessarily be at the top of my to-do list yet.
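Configuring the two modes above, as an added example that is not from the original article. The hosted cache server name BRANCH-HC01.contoso.com, the cache size, and the data-center server role are assumptions; the netsh branchcache syntax and the ServerManager cmdlet are the real Windows Server 2008 R2 and Windows 7 commands.

```powershell
# Added example: BranchCache setup, all commands run from an elevated prompt.

# --- Data center: the content server (Windows Server 2008 R2) ---
# The BranchCache feature covers HTTP/BITS content (web servers, WSUS).
# For file shares, the "BranchCache for network files" role service of
# File Services is needed as well, and sharing must be enabled per share.
Import-Module ServerManager
Add-WindowsFeature BranchCache

# --- Branch office WITHOUT a server: Windows 7 clients in distributed mode ---
# This also creates the inbound firewall rules the peers need
# (HTTP on TCP 80 for content retrieval, WS-Discovery on UDP 3702 for peer lookup).
netsh branchcache set service mode=distributed

# --- Branch office WITH a server: Windows 7 clients in hosted-cache mode ---
# 'location' must match the subject of the hosted cache server's certificate,
# because clients retrieve from it over HTTPS and verify that certificate.
netsh branchcache set service mode=hostedclient location=BRANCH-HC01.contoso.com

# --- The hosted cache server itself (Windows Server 2008 R2 in the branch) ---
# Requires a server certificate from a CA the clients trust, bound to TCP 443
# with 'netsh http add sslcert' as described in the BranchCache deployment guide.
# netsh branchcache set service mode=hostedserver

# --- Housekeeping on any BranchCache computer ---
netsh branchcache set cachesize size=5 percent=TRUE  # cap the cache at 5% of the disk
netsh branchcache show status all                    # mode, cache location, firewall rules
netsh branchcache flush                              # empty the local cache
```

In practice the mode is pushed by Group Policy (Computer Configuration > Policies > Administrative Templates > Network > BranchCache) rather than typed on each client; the netsh commands are still the quickest way to confirm what a given client ended up with.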
6. New Group Policy capabilities
With each new release of Windows and Windows Server, Microsoft enhances the capability for the IT group to enforce policies and settings through additions to Group Policy. With Group Policy being a service often managed by the networking or server administration group, you should begin familiarizing yourself with the new management capabilities offered in the latest version of Group Policy. With Windows 7 and Windows Server 2008 R2, Group Policy administrators can now centrally configure BranchCache behavior, display brightness (among other power settings), AppLocker rules, the new Windows 7 Taskbar behavior, and a lot more. One practical prerequisite: those new settings only show up in the Group Policy editor if it is reading the Windows 7/Windows Server 2008 R2 ADMX files, so either edit policies from a 2008 R2 server or Windows 7 RSAT machine, or copy the new PolicyDefinitions folder into the domain's central store in SYSVOL. Microsoft publishes a complete spreadsheet of settings entitled Group Policy Settings Reference for Windows and Windows Server.
Serious Group Policy enthusiasts should also check out the Advanced Group Policy Management (AGPM) tool. In addition to many other features, AGPM allows Group Policy administrators to more easily test new group policy objects (GPOs) before deploying them to a production environment; AGPM also makes it possible to maintain historical versions of GPOs.
With Windows Server 2008 R2 and Windows 7, Microsoft has released version 4 of AGPM, which adds support for these new OSs and allows searching and filtering of GPOs and exporting and importing GPOs between forests.
My take: All Windows server administrators should definitely check out the new Group Policy capabilities. When you use Group Policy correctly, it can save your organization thousands of employee hours and keep it secure. Related TechRepublic resources
- MDOP Advanced Group Policy Management
- TechNet Webcast: Microsoft Advanced Group Policy Management (Level 200)
- Build Your Skills: Understanding Windows Server 2003's Group Policy Management Console
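Two of the AGPM capabilities mentioned above, keeping a history of GPOs and reviewing a policy before it reaches production, can be approximated with the GroupPolicy PowerShell module that ships with Windows Server 2008 R2 (and with RSAT for Windows 7). The following is an added example, not from the original article or from AGPM; the backup share, GPO name, and pilot OU are placeholders.

```powershell
# Added example: GPO history and staged rollout with the GroupPolicy module.
Import-Module GroupPolicy

# A dated folder per run gives you a restorable history of every GPO,
# which is the poor man's version of AGPM's versioning.
$backupRoot = "\\fs01\GPOBackups\$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $backupRoot | Out-Null
Backup-GPO -All -Path $backupRoot -Comment "Baseline before Windows 7 policy changes"

# Stage the new policy UNLINKED. A GPO that is not linked anywhere affects nobody,
# so it can be reviewed and edited safely.
$gpo = New-GPO -Name "Win7 - BranchCache and power settings" -Comment "Staged; review before linking"

# Produce a human-readable report of exactly what the GPO sets; this is what the
# change-control ticket should attach.
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$backupRoot\$($gpo.DisplayName).html"

# Link to a pilot OU first; widen the scope only after the pilot machines behave.
New-GPLink -Name $gpo.DisplayName -Target "OU=Win7Pilot,DC=contoso,DC=com" -LinkEnabled Yes

# Rollback path if something in a later edit goes wrong: restore from the dated backup.
# Restore-GPO -Name $gpo.DisplayName -Path $backupRoot
```

Unlike AGPM, this gives you no check-in/check-out workflow or approval step, but it does give you the two things auditors ask for first: a record of what each GPO looked like on a given date, and a way back.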
7. AppLocker
Like DirectAccess, BranchCache, and VPN Reconnect, AppLocker is new in Windows 7 and Windows Server 2008 R2; it allows administrators to control which executables, Windows Installer packages, scripts, and DLLs may run, using rules delivered through Group Policy objects.
If you used Software Restriction Policies (SRP) in older versions of Windows, you'll recall that SRP is usually run as a blocklist: the default security level is left at Unrestricted and administrators add hash, path, or certificate rules for the programs they want to stop, regenerating hash rules every time a blocked program is updated. SRP still exists in Windows Server 2008 R2 and Windows 7, but the new AppLocker service provides a much more manageable environment. AppLocker works the other way around: as soon as any rule exists for a rule collection (say, executables), everything in that collection is blocked except what is explicitly allowed, and rules can be targeted at specific users or groups. Its publisher rules, which match on the signer, product, file name, and a minimum version from a file's digital signature, are why AppLocker-controlled applications don't break with each successive update: a new build signed by the same vendor still satisfies the rule, so there is far less babysitting than under the sometimes painful-to-administer SRP. Two caveats every AppLocker deployment shares: rules are only enforced while the Application Identity service is running, and a policy without the default rules (which allow everything under the Windows and Program Files folders) will lock users out of Windows itself, so start with the default rules and run in audit-only mode before switching to enforcement.
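Building and testing an allowlist the way described above, as an added example that is not code from the original article. The AppLocker PowerShell module cmdlets are the real ones that ship with Windows 7 and Windows Server 2008 R2; the file paths, the output folder C:\AppLocker, and the LDAP path to the pilot GPO (including the {GUID} placeholder) are assumptions.

```powershell
# Added example: AppLocker allowlist from a reference machine (run elevated on
# Windows 7 Enterprise/Ultimate or Windows Server 2008 R2).
Import-Module AppLocker

# 0. No enforcement happens without the Application Identity service. In
#    production set this via Group Policy (System Services); shown locally here.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory a clean reference build. Publisher rules are generated for signed
#    files and survive vendor updates; hash rules are the fallback for unsigned
#    binaries and must be regenerated when those files change.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
             -FileType Exe, Dll, Script, WindowsInstaller
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 C:\AppLocker\allowlist.xml

# 2. Dry run before touching any GPO: would Windows' own binaries still run, and
#    would an executable dropped in a user-writable folder be blocked?
Test-AppLockerPolicy -XmlPolicy C:\AppLocker\allowlist.xml -User Everyone `
    -Path 'C:\Windows\System32\cmd.exe', 'C:\Windows\explorer.exe', "$env:TEMP\dropper.exe"

# 3. Merge (not replace) into a pilot GPO that already contains the default rules
#    and whose executable collection is set to "Audit only" in the GPO editor.
Set-AppLockerPolicy -XmlPolicy C:\AppLocker\allowlist.xml -Merge `
    -Ldap 'LDAP://DC01.contoso.com/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'

# 4. After a few weeks in audit mode, turn what users actually ran (and would have
#    been blocked) into additional rules, then flip the collection to "Enforce rules".
Get-AppLockerFileInformation -EventLog -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 C:\AppLocker\from-audit.xml

# What is this machine really enforcing right now (local + domain, merged)?
Get-AppLockerPolicy -Effective -Xml
```

The Test-AppLockerPolicy step is the one to insist on: it answers "will this policy brick the build?" offline, and the dropper.exe line documents the control the policy is meant to provide when the security group asks what AppLocker actually buys you.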
AppLocker policies can be enforced on computers running Windows 7 Ultimate or Enterprise or any edition of Windows Server 2008 R2 except Web Server and Foundation.
Because of AppLocker's reliance on Group Policy, AppLocker deployments require coordination between desktop support groups and Windows server administrators.
My take: Like DirectAccess, AppLocker deserves a close look sooner rather than later. The ability to allow a specific set of applications — and just those applications — can be quite compelling in environments demanding software restrictions. Related TechRepublic resources
- Configuring AppLocker in Windows Server 2008 R2 and Windows 7
- Video: Microsoft exec outlines Windows 7 security
8. Windows XP Mode adds patching challenges
Just when you thought that, at long last, Windows XP and its patching needs were being migrated out of the environment, your applications team uncovers a critical compatibility issue that could stop a Windows 7 deployment dead in its tracks. Instead of giving up all of the other Windows 7 benefits, the applications team decides that the application can continue to be supported by running it under Windows XP Mode, the Windows Virtual PC-based Windows XP SP3 virtual machine available for Windows 7 Professional, Enterprise, and Ultimate.
Your dream of a Windows XP-free world has turned into increased patching complexity: every such desktop now carries two Windows instances, the Windows 7 host and the Windows XP virtual machine, and the VM is a full Windows XP installation with its own patch, antivirus, and firewall requirements. Plus, you have to make sure that your WSUS or third-party patching system can continue to support Windows XP patching as well as serve Windows 7's patching needs, and that the XP VMs are actually reporting in, which usually means joining them to the domain or at least pointing them at WSUS by policy. An unpatched XP Mode VM has the host's network access and is exactly the kind of machine that gets forgotten.
My take: You're already patching Windows XP machines anyway, and you'll have the Windows XP/Windows 7 patch overlap during Windows 7 deployment, so this isn't a big deal. Related TechRepublic resources
- Determine if your hardware can support Windows XP Mode in Windows 7
- Hands on: Windows 7 XP Mode
- 10 reasons why Windows 7's XP Mode is a big deal
- Windows XP Mode for Windows 7 (Part 1)
9. Domain Name System Security Extensions (DNSSEC)
As DNS attacks become more common, the security of this foundational service gets called into question. The scary part about DNS attacks such as cache poisoning is that someone can be affected without ever knowing about the problem, since DNS operates behind the scenes for most users. This is part of the thinking behind DNSSEC, a set of extensions to today's DNS that lets resolvers verify the origin and integrity of data they receive. As stated by TechRepublic contributor Justin Fielding, "DNSSEC protects resolvers (clients) from being fed forged data by digitally signing DNS records. Clients can use this digital signature to check whether or not the supplied DNS information is identical to that held on the authoritative DNS server."
DNSSEC has its critics, mostly over operational complexity and key management. Regardless, DNSSEC is a requirement for administrators of U.S. federal computer systems: OMB Memorandum M-08-23 required .gov domains to be signed, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 (the SC-20 and SC-21 secure name resolution controls) calls for authenticated, integrity-checked name resolution in federal agencies.
Windows 7, when used in conjunction with a Windows Server 2008 R2-based DNS server, brings DNSSEC to the Windows masses and can help organizations rest a little easier when it comes to trusting DNS data. The Windows 7 DNS client is what's called a "non-validating security-aware stub resolver," which is a cryptic way of saying that, by itself, Windows 7 can't do DNSSEC validation: it can ask for DNSSEC data and read the server's "authenticated data" flag, but it trusts the server to have done the cryptographic checking. For DNSSEC to operate, Windows 7 relies on a Windows Server 2008 R2 DNS server (with the appropriate trust anchors configured) to validate the DNS data before sending it to the Windows 7 client. That trust relationship has a consequence practitioners should not skip: the "last mile" between client and DNS server is unprotected unless you also use the Name Resolution Policy Table to require DNSSEC for the relevant namespace and protect the client-to-server traffic with IPsec, otherwise an attacker on the local segment can simply set the flag himself. Be aware, too, that the 2008 R2 implementation is a first cut: zones are signed offline with dnscmd, there is no automatic re-signing or key rollover, and only NSEC (not NSEC3) is supported, so it is best suited to static internal zones. When it comes to deploying DNSSEC throughout an organization, the duties of the desktop administrator, the security administrator, and the Windows DNS server administrator intertwine.
My take: DNSSEC is far from a security panacea, and full support for DNSSEC remains a contentious issue in some circles. Unless you have a compelling or mandated need, look at other Windows 7 features before you tackle this one. Related TechRepublic resources
- DNSSEC: What's the fuss all about (and what does U.S. Homeland Security have to do with it)?
- You don't have to wait to deploy DNSSEC
10. Windows Deployment Services supports Windows 7 deployments
One of the most exciting new features in the Windows Server 2008 R2-based Windows Deployment Services (WDS) is the ability to deploy Virtual Hard Disk (.vhd) images in addition to the Windows Imaging Format (.wim) images WDS already supported, so the same VHD you boot natively or in Hyper-V can be pushed to bare metal. The new WDS also improves multicasting: it can split a transmission into multiple streams so slow clients no longer drag everyone else down, can automatically disconnect clients that fall below a configured transfer rate, supports multicast over IPv6, and adds network boot for x64 EFI systems.
Further, WDS includes new driver provisioning features, including the ability to store driver packages on the server and deploy them to clients based on their hardware configurations (driver groups with filters on manufacturer, model, or other hardware properties), so images no longer have to be rebuilt to add a driver. With WDS being a very commonly used Windows server role, and some of its new capabilities requiring partnerships between server, networking, and desktop teams, even the Windows 7 deployment features require new skill sets for the Windows server administrator.
My take: Anything that Microsoft can do to make the deployment process easier is a good thing in my book. The new WDS capabilities deserve must-look status from any deployment specialist and from Windows server administrators who need to support the deployment infrastructure. Related TechRepublic resource
- TechNet Webcast: 24 Hours of Windows Server 2008 (Part 15 of 24): Windows Deployment Services and Microsoft Deployment (Level 300)
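The VHD image, driver-group, and multicast capabilities discussed in item 10, as an added example that is not from the original article. WDSUTIL is the built-in command-line tool on a Windows Server 2008 R2 WDS server; the image file names, image group names, driver folder, and the Dell hardware filter are placeholders, and the driver-group and multicast switches are quoted from memory of the 2008 R2 WDSUTIL reference, so confirm them with `wdsutil /?` on your server before scripting a rollout.

```powershell
# Added example: Windows Server 2008 R2 WDS tasks with WDSUTIL (run elevated on the WDS server).

# 1. Add install images. A .vhd can only be added from the command line (the
#    MMC accepts .wim only) and should live in its own image group.
wdsutil /Verbose /Progress /Add-Image /ImageFile:"D:\Images\Win7-Ent-x64.wim" /ImageType:Install /ImageGroup:"Windows 7"
wdsutil /Verbose /Progress /Add-Image /ImageFile:"D:\Images\Win7-Ent-x64.vhd" /ImageType:Install /ImageGroup:"VHD Images"

# 2. Driver provisioning: a driver group that only applies to one hardware model,
#    so a client never receives drivers meant for another vendor's machines.
wdsutil /Add-DriverGroup /DriverGroup:"Latitude-E6400"
wdsutil /Add-DriverGroupFilter /DriverGroup:"Latitude-E6400" /FilterType:Manufacturer /Policy:Include /Value:"Dell Inc."
Get-ChildItem -Path D:\Drivers\E6400 -Recurse -Filter *.inf | ForEach-Object {
    wdsutil /Verbose /Add-DriverPackage /InfFile:"$($_.FullName)" /DriverGroups:"Latitude-E6400"
}

# 3. Multicast: an Auto-Cast transmission starts as soon as the first client asks
#    for the image and later clients join the stream in progress.
wdsutil /New-MulticastTransmission /FriendlyName:"Win7 x64 rollout" /Image:"Win7-Ent-x64" /ImageType:Install /ImageGroup:"Windows 7" /TransmissionType:AutoCast

# 4. Watch who is on the stream; slow-client handling is configured on the
#    transport server and is visible in the same output.
wdsutil /Get-AllMulticastTransmissions /Show:Clients
```

Keep the driver store and image groups on an NTFS volume with restrictive ACLs: anyone who can write to the image repository can plant code that will run as SYSTEM on every machine you deploy, which makes the WDS server a supply-chain asset rather than just a convenience.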