In this tip, I'm going to depart from my series on LDAP and LDIFDE and give you a report on some very cool features for Longhorn and Vista that I learned about at Microsoft TechEd a couple of weeks ago. TechEd, of course, is Microsoft's flagship conference, and each year it entices thousands to its technological Mecca to hear wisdom from Redmond. This year, with Exchange 2007 and Longhorn and Vista releases on the near horizon, many attendees were anxious to get a peek at the new features and to find the hands-on labs to play in a little.
I'm doing a quick overview of some features here. In weeks to come, I'll drill down into the details and discuss more of them at length. In the meantime, here are the five features I found most impressive:
1. Longhorn Server Core (server roles)
I was introduced to this functionality in one of the hands-on labs and it took a little time to get used to it. I logged in as administrator and the server came up in a very unusual presentation. The only thing on the screen was a blue wallpaper background and two command windows -- no task bar, no start menu, no notification area (a.k.a. systray) and no desktop icons. Nothing to view but two command windows.
One presenter later said they put two command windows there for a reason -- in case you accidentally closed one of them, you'd have another to work in. It is intended to satisfy those who have remote servers or domain controllers (DCs) and centrally manage them, and who have complained to Microsoft that they need something that has a minimal user interface. I looked for the *.msc files for the snap-ins but didn't find any. There were some examples in the lab that led me through installing DNS, Dynamic Host Configuration Protocol and other server-related services using some rather cryptic commands. In fact, the MCT lab assistant had to contact Microsoft engineers to find out exactly how these commands are used. I did notice that you can install a DC using DCpromo, but you have to use an unattended answer file because there is no UI. It was also explained that these servers can be managed from a fully functional Longhorn server via the snap-ins and other tools just as we did in previous Windows versions.
It is indeed an interesting concept -- we'll see how many admins take advantage of it.
2. Vista Group Policy
As of Windows 2003, Microsoft indicated that there are about 1,800 Registry-based settings, plus more in security, IE and other extensions. They expect Vista to add about 700 more settings, and I would guess Longhorn Server will add even more. So, there will be about 2,500 settings when the dust settles -- minimum. It is kind of hard to imagine that Windows NT 4.0 had about 79 settings. Some very cool things are happening to Group Policy that will help administrators tame this growing monster.
Microsoft announced that the Group Policy Management Console (GPMC) tool will be included in the operating system as a native tool in Vista and Longhorn Server. The presenter indicated that many administrators still regard GPMC as "a neat utility," but many don't use it since it is an additional download. My job is to work with customers with Group Policy problems, and I insist they install GPMC or I won't help them. Including GPMC will make life much easier.
Anyone who has had to write custom ADM files will be glad to know that the old ADM syntax is going away in favor of ADMX, an XML-based format for creating custom ADM files. ADMX files will be significantly smaller than 4MB+ ADM files, reducing "sysvol bloat." Vista will ship with ADMX files, which are supersets of the old ADM files. No ADM files will be shipped. ADM and ADMX files will coexist and ADMX files can be controlled in a central store on the individual client or in a new directory on the server,
3. Read-Only Domain Controller (RODC)
At first blush, it seems like Microsoft has come full circle and re-invented the Backup Domain Controller (BDC). The idea behind the RODC is similar to that of the Server Core, to create a limited-function DC in remote sites that is easier to manage and restore in case of a failure. The RODC has a significantly smaller NTDS.DIT file that will help you justify putting a DC at those slow-link remote sites. Users are logged on with cached credentials. Security secrets are replicated for the users from a fully functional Longhorn DC and stored at the RODC in a fashion similar to the way the Universal Group Membership Caching feature works in Windows Server 2003.
The RODC will certainly be a great addition to the branch office deployment arsenal. Microsoft has promised a complete white paper on Read-Only DCs by the Longhorn Beta 2 timeframe.
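As an added illustration of the two features above, Server Core's UI-less DCpromo and the RODC (this is not the article's or Microsoft's lab material), here is a batch script that promotes a Server Core box to an RODC from a DCpromo answer file. The [DCINSTALL] key names follow the shipping Windows Server 2008 unattend syntax, which is assumed here; the domain, site and path values are constructed placeholders.

```batch
@echo off
REM Added example: unattended RODC promotion on Server Core (no UI).
REM Key names assume the Windows Server 2008 dcpromo unattend syntax;
REM domain, site, account and paths below are constructed placeholders.
set ANSWER=%SystemDrive%\rodc-unattend.txt

REM Build the answer file. Password=* makes dcpromo prompt at the console
REM instead of leaving a privileged password on disk in clear text.
(
  echo [DCINSTALL]
  echo ReplicaOrNewDomain=ReadOnlyReplica
  echo ReplicaDomainDNSName=corp.example.com
  echo SiteName=Branch01
  echo InstallDNS=Yes
  echo ConfirmGc=Yes
  echo UserName=dcadmin
  echo UserDomain=corp.example.com
  echo Password=*
  echo SafeModeAdminPassword=*
  echo DatabasePath=%SystemRoot%\NTDS
  echo LogPath=%SystemRoot%\NTDS
  echo SYSVOLPath=%SystemRoot%\SYSVOL
  echo RebootOnCompletion=No
) > "%ANSWER%"

REM Run the promotion; dcpromo reads the answer file and never shows a wizard.
dcpromo /unattend:"%ANSWER%"
if errorlevel 1 (
  echo Promotion failed; review %SystemRoot%\debug\dcpromo.log
  del /q "%ANSWER%"
  goto :eof
)

REM Remove the answer file before rebooting so no promotion details remain on disk.
del /q "%ANSWER%"
shutdown /r /t 0
```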
4. BitLocker drive encryption
BitLocker drive encryption has the potential to be a huge security feature. Often, one of the arguments against deploying DCs or servers in remote locations is the inability to guarantee physical security. Not long ago, I read a news article about some high-tech thieves who broke into a bank and left the money in the vault untouched but stole the disk drive from a Global Catalog Server. Of course, recent events where laptops containing damaging personal data have been lost or stolen perpetuate the need for some kind of mechanism to protect data from thieves.
The BitLocker feature locks a disk drive to the system board in a computer, very similar to the way a public key/private key works for file security -- without the keys or PIN, the drive is useless. In addition to preventing a disk from being mounted in another system to steal the data, BitLocker prevents access to the data without proper credentials even if booting via another OS or using a hacking tool to break Windows file and system security.
5. Restartable Active Directory
This is quite a cool concept. Restartable Active Directory allows AD to be restarted without rebooting the server. You can accomplish this via the command line and MMC snap-ins. It saves you time on offline operations like an offline defrag of AD without taking the server offline and shutting down other services and applications. This will be especially important to many of you who are prevented by budgetary constraints from deploying multiple servers at remote sites. For instance, you may have an Exchange Server, Global Catalog, File and Print services and applications on a single server that is also a DC. Performing DC troubleshooting, repair and offline operations could be accomplished with the server and the applications up and running, yet AD would be offline. It will be interesting to see if Restartable AD will help prevent AD failures from affecting Exchange -- for example, by allowing an AD rebuild without affecting Exchange.
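As an added example of the offline defrag just mentioned (not from the article), here is a batch script that stops only the directory service, compacts NTDS.DIT with ntdsutil, checks the result and starts the service again, while the rest of the server stays up. It assumes the shipping Windows Server 2008 command syntax (net, ntdsutil) and the default database location; the staging path is a constructed placeholder.

```batch
@echo off
REM Added example: offline defrag of NTDS.DIT using Restartable AD.
REM Assumes Windows Server 2008 net/ntdsutil syntax and default paths;
REM the staging folder is a constructed placeholder. Take a system state
REM backup with your backup tool before running this.
set NTDSDIR=%SystemRoot%\NTDS
set COMPACT=%SystemDrive%\NTDS_Compact

REM 1. Stop AD DS only. /y also stops its dependents (KDC, DNS, replication)
REM    without prompting. Exchange, file and print keep running, but this DC
REM    answers no logons until NTDS is started again, so do this off-hours.
net stop ntds /y
if errorlevel 1 goto :fail

REM 2. Compact into a new file while the service is stopped. ntdsutil's
REM    exit code is not relied on; read its console output for "successful".
if not exist "%COMPACT%" mkdir "%COMPACT%"
ntdsutil "activate instance ntds" files "compact to %COMPACT%" quit quit

REM 3. Keep the old file, swap in the compacted one, drop stale logs,
REM    then run an integrity check before trusting the new database.
copy /y "%NTDSDIR%\ntds.dit" "%COMPACT%\ntds.dit.old" >nul
copy /y "%COMPACT%\ntds.dit" "%NTDSDIR%\ntds.dit" >nul
del /q "%NTDSDIR%\*.log"
ntdsutil "activate instance ntds" files integrity quit quit

REM 4. Bring AD DS back, then the dependents that net stop /y took down.
net start ntds
if errorlevel 1 goto :fail
net start kdc
net start dns
goto :eof

:fail
echo Offline defrag failed; NTDS left stopped for investigation.
echo The pre-defrag copy is in %COMPACT%\ntds.dit.old
```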
Gary Olsen is a systems software engineer for Hewlett-Packard Co., in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.