Mark Minasi's Windows Networking Tech Page
Issue #73 September 2008

Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Our Two-Day Vista Support and Server 2008 seminars coming to Seattle and Dallas in September, and Parsippany in December
    • The Server 2008 Seminar is Now a 15-CD Audio Set
    • Mastering Windows Server 2008: Networking Fundamentals is out
    • We're Podcasting:  Listen to This Newsletter
  • Tech Section
    • Should You Upgrade to Windows Server 2008?  (Part 1)
  • Conferences
  • Bring a Seminar to Your Site
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

Since Windows Server 2008 appeared at the end of February, I've heard the same question over and over again:  should I upgrade?  That's a big question or, rather, a little question with a big answer, and I'd like to offer that answer in this and upcoming newsletters.  This month, I cover the two big "political/economic" considerations when deciding whether or not to upgrade, and then offer three technical reasons why you might find 2008 uniquely appealing.

You'll see that it's been an audio-rich month for me because my producer Gary Masters and I spent a few weeks converting my Server 2008 two-day seminar to a 15-CD audio learning series (which, of course, costs money), and an audio version of this newsletter (which doesn't).  I know you'll find the 2008 upgrade pro/con discussion useful but, first, a word from our sponsor...

2008 Server and Vista Classes Coming to Seattle and Dallas in September and Parsippany in December

As you know, in the past year and a half Microsoft has released the Workstation and Server versions of Windows 6 — Vista and Server 2008 — and even if you've not implemented them yet, we all know that Resistance Is Futile and so you'll need to know how to plan to fit them into your IT structure, get 'em rolled out, and then maintain and troubleshoot them... so why not learn now?  (Okay, actually, you might not decide to upgrade, as I discuss later in this newsletter, but that's another story, right?)

Of course, you could download a small mountain of white papers (mostly written based on late betas and thus only partially correct), and spend a few weeks testing it to discover the hundreds of changes that 2008 and Vista bring... or you could come spend a couple of days with me. In my Vista Support and Server 2008 classes, I'll tell you and show you what's changed in Windows — the good, the bad, the wonderful and the awful ... with a chuckle or two thrown in. Please consider joining me for the two-day Vista class, the two-day Server 2008 class, or both. I'll be in Seattle September 15/16 to do the Server 2008 class, Dallas on the week of September 22 to do the Vista and then 2008 class, and Parsippany, NJ the week of December 8th to do the Vista and Server 2008 classes. Find out more about the Server class here, the Vista class here, and the schedule information here. Thanks!

The Server 2008 Seminar is Now a 15-CD Audio Set

I'll keep it short and sweet:  at this point I've taught the Server 2008 seminar in a few dozen locations and three countries, so it's time to offer it as a far-less-expensive-than-hiring-me-to-present-it audio learning series.  I want everyone to be able to afford this set, so I've priced it the same as I did our Server 2000 audio set eight years ago.  I've also posted online a free 18 minute sample from the Hyper-V coverage that I hope you'll like whether you buy the set or not.  More info is at http://www.minasi.com/2008class/audio/; I hope you find it a convenient and entertaining way to get the ins and outs of 2008!

Mastering Windows Server 2008: Networking Fundamentals is out

The first of my three Windows Server 2008 books is out finally!  Mastering Windows Server 2008: Networking Fundamentals is now on the shelf at bookstores near you.  You can find out more about it at my page at http://www.minasi.com/2008class/2008books.htm explaining The Master Plan for my three-book series on Server 2008.  Wiley has also put up a sample chapter for this book, which is intended for those just entering the Windows Server field, at http://media.wiley.com/product_data/excerpt/46/04702498/0470249846.pdf.  If you've read my old books then you'll already know most of what's in this first volume, but if you know someone who needs to get started in networking, then please consider suggesting this to him or her.

We're Podcasting:  Listen to This Newsletter

I surrender, you guys win.  When the 114th person asked me why there wasn't an audio version of my newsletters, I had an epiphany:  why don't I offer my newsletters in a free audio format that you can download and stuff into your MP3 player?  Seriously, if you'd like to listen to this newsletter, just download from http://www.minasi.com/newsletters/nws0809.mp3.  (It's a 15 MB file.) And if you do, then drop me a line at help@minasi.com and let me know if it's worthwhile doing future ones in MP3 format as well.

Tech Section

Should You Upgrade to Windows Server 2008?  (Part 1)

The world of server software has changed a lot in the past eight years.  Back in the year 2000, Windows 2000 Server arrived, and virtually no one running NT Server 4.0 systems seriously questioned whether they'd go to 2000 or not — the only question was, when to upgrade?

Nowadays, I'm hearing that people don't feel quite that way about Server 2008.  Sure, they say, it's got some nice new features, but they wonder whether those features are really so much better than Server 2003 that it's worth uprooting their systems and making the move to "NT 6.1 Server."  I've been working with Server 2008 since the year 2006, both in beta and now with the final production code, and here's what I've found that many clients consider useful enough about Windows Server 2008 that they're either considering it or are in the process of migrating to it.

Please understand that as always, I'm not selling 2008 — I don't work for Microsoft and I don't care what version of Server you're running — I mean, no matter what version of Server you're running, I've got stuff I can sell you!  It's just that if you go to the Microsoft site and, sadly, many other places on the Web to find out what's new in 2008, then you'll find that the lists of "new stuff" have been, well, enhanced a bit, if you know what I mean.  Some of the cool new stuff is really only of interest to a small number of really large companies, and some of the new stuff isn't new at all.  For example, Microsoft would have you believe that Server 2008 offers something completely new called "Rights Management Services" which lets users control what others can do with their Microsoft Office documents, and the notion that it's new is silly, as RMS has been a free download that works with Windows Server 2003 since, if memory serves, about May of 2003.  What I'd like to do here is to give you "the short version" to save you time in making your upgrade decision.

As I've been asked the "upgrade or not?" question from a number of clients and readers, I thought I'd summarize 2008's big pros and cons in a few newsletters; here's the first.  Before getting into the nitty-gritty of 2008's best side, however, let me first get a couple of Big Issues out of the way.

Vista!

And speaking of being aware of what's old and what isn't in Server 2008, let me point out something pretty neat about 2008... it's got a heart... of Vista!  But, wait, don't run away... I know, I know, some of you hate Vista, but give me a second here.  Put aside any concerns about disliking the Aero Glass user interface, or that Vista needs more RAM, CPU and disk than XP does, or how it can't run some desktop application — that stuff doesn't apply to Server 2008 because the UI's basically the 2003 UI, the disk and RAM needs are inconsequential when we consider the sort of hardware that we buy for servers, and we don't run desktop applications on servers.

So where does that leave Server 2008?  With the good parts of Vista which, as you've probably already guessed, are all incorporated into Server 2008.  Things like a far more secure architecture for services, a more foolproof patching infrastructure, rootkit-sensing and -resistive behavior in the kernel, a far superior setup and imaging engine, a faster TCP stack, a volume encryption feature that'll secure branch office servers and a lot more.  So, unlikely as it seems, Reason Number One to like Server 2008 is that its kernel is a 99% match to the one in Vista SP1.

Resistance is ... Preferable?

In case it's not yet clear, let me state my heartfelt feelings about Server 2008 right upfront:  it's neat, I love a couple dozen of the new features, and I'm glad it's here.  But honestly, there is nothing in Server 2008 that will grab most of us by the throat and say, "you must have me!"  (Remember, I said "most" — for example, some folks will find its branch office-friendly technologies compelling.)  If all we ever got in the way of server technology from Microsoft from now to the end of time was 64-bit Server 2003 R2 SP2, then, well, the world would keep on turning, our enterprises would continue running, and things wouldn't be all that bad.  Server 2008 won't cure cancer, bring the price of gasoline in the US down below two dollars, or help you lose weight.  (Heck, it still won't let you smoosh two Active Directory forests into one.)

As a result, many enterprises may then end up saying, "well, then, why upgrade, why not just wait until the next version of Server?"  After all, the perceived PR failure of Vista has Microsoft in such a panic that they've decided to crank up the C# compilers and get something, anything, named "Windows 7" out the door as fast as humanly possible so that people will forget Vista and focus on "Seven."  As goes the desktop, so goes the server, and so — I'm guessing, I don't have any inside information — we'll probably see a Windows Seven for the Desktop as early as 20 months from now, with a corresponding new version of Server at about the same time.  (I know the rumors, and I know that there are journalists out there who make their livings trying to create "news, exposés and scoops" out of breaking the news that the next version of Server will be Windows Server SEVEN, rather than Windows Server 2008 R2, but I mean does anyone really, truly care what the silly thing's called?  The point is that if Microsoft continues to panic about Vista — and they may not, as people's opposition to it seems to be slowly waning — then I feel that the people currently in charge of the Windows product will get something out the door in the next couple of years, whether it's a big upgrade or not.)  As a result, I'm sure that some of you will decide to "do the version hop" and wait for Server Seven.

All of that aside, let's talk for a moment about a very common, if somewhat distasteful, reason to upgrade:  you have (or perceive that you have) no choice.  Microsoft only supports their operating systems for a limited number of years, and http://support.microsoft.com/lifecycle/?p1=3198 on their site seems to say that Server 2003 SP2 will not be supported after 13 March 2009 (which is, predictably, a Friday the Thirteenth).  That'd be extended if there's ever a Service Pack 3 for Server 2003 to twenty-four months after that imaginary service pack's release, but I'm guessing that we won't see an SP3.  Thus, as I write this in August 2008, Server 2003 — a high-quality, mature product used by millions — has a scant eight months or so to live, assuming that you want support.  Even if Microsoft extends that support to, say, 2021, the result remains the same:  upgrade or you're out in the cold.

That's why many organizations say, "what the heck, we have to upgrade anyway, let's do it now rather than later," and that logic often makes sense.  As I've said, however, (1) I suspect that we'll see something named "Windows Server 2010" or the like within the next year and a half, and (2) it's a bit hard to believe that Microsoft thinks that they can abandon a product in under ten years, and it's a near certainty that there will be SOME new Server product by 2003's tenth birthday in 2013.  (I realize that the math works differently for those folks who've opted for Software Assurance.) So perhaps Mandatory Reason Number One to upgrade doesn't really count here; perhaps version skipping makes some sense in this case. (Again, however, there are lots of perfectly good reasons to upgrade. I'd just hate for people to feel that they're upgrading at gunpoint, so to speak.)

A Dark Horse Favorite:  DFS-R Sysvol

With the two "big policy" reasons out of the way, let's get down to some techie specifics about why you would or wouldn't upgrade.  I know that you've heard of Server Core and Read-Only Domain Controllers (RODCs), the new quarantine thingie and the like and I promise I'll talk about them a bit later, but first I wanted to start out my list of "nifty 2008 stuff" with an answer to an old problem:  Sysvol replication.  Sysvol is, as you may know, a file share on every domain controller in an Active Directory domain.  It contains default profiles, logon/logoff/shutdown/startup scripts, and — most important — a big piece of every group policy object (GPO) in your domain, a part called the Group Policy Template (GPT).  Sysvol's useful because whenever you change the contents of Sysvol on one DC (that is, whenever you modify a group policy on ONE DC), then in short order those changes should appear in all Sysvols on all other DCs.  Unfortunately, however, the thing that keeps the Sysvols in sync, the "replication engine," is called the File Replication Service (FRS) and while it's good at its job, it's not great at it.  Worse yet, when consistency amongst the Sysvols starts to fall apart, FRS tends to make things go from bad to worse, and sometimes rather rapidly.  Fixing it involves a bit of prayer and some Registry hacking of a value named Burflags ("backup and restore flags") that ain't no fun, trust me.

Server 2008 offers a complete replacement of the replication engine, a new tool called DFS-R (no, it doesn't stand for anything) and it's wonderful because it's fairly good at self-healing the little problems that gave FRS fits, and it uses a lot less bandwidth in synchronizing Sysvols across WAN links than FRS did.  To exploit DFS-R-powered Sysvol, however, you've got to first be at "2008 domain functional level," meaning that all domain controllers in your domain must be running Server 2008.  Note that you do not have to be at 2008 forest functional level, as Sysvol replication is an entirely intra-domain feature.

Sysvol's new replication engine's nice but, even better, it's got a brand-new wipe-and-reload capability.  If things do fall apart and you want to essentially wipe all of the Sysvols and rebuild them from scratch, then 2008 lets you do that with the "-authsysvol" switch of wbadmin (the new backup tool), without having to blow up your whole AD domain and rebuild it from scratch.  Sigh... all of those consulting hours of Burflagging reduced to just one or two!  Additionally, "-authsysvol" works in an AD that isn't yet at 2008 domain functional level — in that case wbadmin just sets up the Burflags automatically.

An Easy Favorite:  Flexible Password Policies

With my favorite obscure-but-important feature (the new Sysvol engine and restores) out of the way, let's look at what some will consider 2008's most appealing new feature:  the ability to give different password policies to different groups or even different users.  One of Active Directory's less attractive features prior to 2008 has been its inflexibility in password policies —  that is, how often you must change your password, its minimum length, whether or not you're locked out for too many bad logon attempts, whether or not your password must be complex and so on.

Suppose, for example, you've locked down your users' accounts so tightly that even if a bad guy were to get one of those users' passwords then he wouldn't be able to do much with it (yes, I'm ignoring the possibility of an elevation-of-privilege attack for this example), and suppose those same users chafe constantly under your current password-change policy that requires a new password every six weeks.  You'd like to loosen it up a bit and let them change their passwords instead every 24 weeks as sort of a quid pro quo for having to put up with the extreme lockdown regime that they work under... but you can't, because that would mean that people with domain admin accounts — who of necessity have not been locked down — could also change their passwords that infrequently, and that seems like a bad thing.  The password policies of the users and the admins have to travel in lockstep because 2000 and 2003 require identical password policies for everyone.  Or suppose that on the one hand you really don't like the idea of account lockouts because of their concomitant possibility of letting any internal bad guy lock everyone out in a few moments with a simple vbscript, but on the other hand management really wants you to enable account lockouts because some external security consultant said that they'd be fools not to have an account lockout policy, and so you think, "aha, why not enforce account lockouts on most of the users, but not on some small group of admins?  That way, there would be people who could unlock everyone else's account in the event of an internal mass-lockout attack!"  Good answer, but, again, not possible under 2000 or 2003.

With a Server 2008-based AD domain, in contrast, you could apply one set of password policies to, say, the Domain Admins group, and a different set to the larger Domain Users group.  But wait:  those domain administrators would also be members of the Domain Users group, causing a conflict, right?  Nope; when you create a password policy in 2008, you give it a priority value, a positive integer.  When there's a conflict, the lower value wins, so we could give the Domain Admins policy a priority of, say, 10, and then give the Domain Users policy a priority of 20, and so in the event of a conflict, Domain Admins would win.  Quite convenient, but there's more:  you can also create user-specific password policies.  The only down-side is that your domain must be in Server 2008 domain functional level for these "fine-grained password policies" to work.
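To make the precedence rule concrete, here is an added Python model of how AD picks a user's resultant password settings object (PSO); it is not AD's code or anything from the newsletter, and the user, group and policy names are constructed. It also covers two rules the text doesn't spell out: a PSO linked directly to a user account beats any group-linked PSO regardless of precedence, and an exact precedence tie between group-linked PSOs is broken by the smallest objectGUID.

```python
"""Model of resultant-PSO selection for fine-grained password policies.
Constructed example: names, GUIDs and group memberships are made up."""
from dataclasses import dataclass, field
import uuid

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"


@dataclass
class PSO:
    name: str
    precedence: int                                 # lower value wins
    applies_to: set = field(default_factory=set)    # user or group names
    guid: uuid.UUID = field(default_factory=uuid.uuid4)


@dataclass
class Directory:
    group_members: dict     # group name -> direct members (users or groups)
    psos: list

    def groups_of(self, user: str) -> set:
        """All groups the user belongs to, following nested membership."""
        result, stack = set(), [user]
        while stack:
            member = stack.pop()
            for group, members in self.group_members.items():
                if member in members and group not in result:
                    result.add(group)
                    stack.append(group)
        return result

    def resultant_pso(self, user: str) -> str:
        """PSOs linked straight to the user are considered first; only if
        there are none do group-linked PSOs count.  Among the candidates the
        lowest precedence wins, a tie goes to the smallest GUID, and with no
        candidate at all the Default Domain Policy applies."""
        candidates = [p for p in self.psos if user in p.applies_to]
        if not candidates:
            groups = self.groups_of(user)
            candidates = [p for p in self.psos if p.applies_to & groups]
        if not candidates:
            return DEFAULT_DOMAIN_POLICY
        return min(candidates, key=lambda p: (p.precedence, p.guid.int)).name


def sample_directory() -> Directory:
    """Constructed sample: the newsletter's admins-vs-users scenario plus a
    nested group, a user-linked PSO and a precedence tie."""
    def g(n):                       # fixed GUIDs so the tie-break is repeatable
        return uuid.UUID(int=n)
    return Directory(
        group_members={
            "Domain Users": {"alice", "bob", "carol", "svc-backup"},
            "Domain Admins": {"alice", "Tier0 Ops"},
            "Tier0 Ops": {"carol"},             # nested inside Domain Admins
            "Contractors": {"bob"},
        },
        psos=[
            PSO("Admins-6wk", 10, {"Domain Admins"}, g(1)),
            PSO("Users-24wk", 20, {"Domain Users"}, g(2)),
            PSO("Contractors-strict", 20, {"Contractors"}, g(3)),  # tie with 20
            PSO("ServiceAcct-NoExpire", 50, {"svc-backup"}, g(4)), # user-linked
        ],
    )


if __name__ == "__main__":
    d = sample_directory()
    for who in ("alice", "carol", "bob", "svc-backup", "dave"):
        print(f"{who:11s} -> {d.resultant_pso(who)}")
```

Bob's case is the one to watch: two group-linked PSOs with the same precedence are resolved by GUID, not by which one you meant to be stricter, so give every PSO a unique precedence value.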

The Come-From-Behind Possibility:  A New VPN

We've got time in this issue for just one more reason to upgrade to 2008.  So okay, quick now, how many of you use a VPN in your organization?  Ah, I see a lot of hands.  Hey, how many of you use a Microsoft-based one, like PPTP or some sort of IPsec/L2TP combination?  Oh... not so many hands.

Yup, Microsoft's had a rough go of it when it comes to VPNs.  On the plus side, it's convenient to have a VPN that's well-integrated with your operating system.  On the minus side, it's a really bad idea to cook up a home-brew encryption scheme to back up that VPN, and that was PPTP's downfall.  But that was a long time ago; ready to give Microsoft another chance?  If so, then take a look at their new "Secure Socket Tunneling Protocol" (SSTP), an SSL-based VPN technology that seems fairly useful, at least based on a bit of experimentation with it.  It does have one little wrinkle, however... currently your VPN server must be a Server 2008 system, and the only clients that can use it are Vista SP1 systems.  Of course, those Vista SP1 clients can access systems of any kind inside your intranet when those clients connect from the outside.  And if you ever struggled with getting your firewall to enable Protocol 47 (which has always sounded to me like some sort of tool for establishing world domination wielded by a villain in a James Bond movie), then you'll like SSTP, as it just needs li'l old TCP port 443.

I sort of doubt that it'll get a lot of use (which is why if it turned out to be popular then it'd be a real come-from-behind feature), not for a technical reason, but because no one seems to take Microsoft seriously when Redmond offers layer 2/3-ish stuff.  Remember the Microsoft wireless access points?  The Microsoft Ethernet switches?  Or how about the 802.1x wireless security stuff that you can do with a Server 2003 SP1-based infrastructure?  If your answer is "no," then you're in large company.  Most folks seem to use Cisco VPNs, which is a bit difficult to understand given that Cisco has actually refused to write a 64-bit Windows client for their VPN, instead forcing you to purchase their newer and SSL-based VPN solution if you want 64-bit support.  In any case, give SSTP a chance if you can; it seems fairly simple to set up and work with.

That's about all I've got space for this time — gotta get back to work on the two remaining Mastering Server 2008 books — but if you want to know more about these or any other 2008 technologies, then either attend my Server 2008 seminar, pick up a copy of our 15-CD audio version of the seminar, or get ahold of my Mastering Server 2008 books when I get them done.  Join me next newsletter for more 2008 things to like or dislike, and thanks for joining me!

Conferences

Besides my public classes, I'm presenting at

  • TechTarget's Vista Roadshow in DC, Atlanta and Minneapolis -- info at http://events.techtarget.com/vista/.  Free to all who qualify!
  • TechMentor in New York September 7-10.  Note that 1105 is running two events in the fall, the New York event and a show in Las Vegas.  I will be speaking in New York but not in Vegas — so if you're planning to attend TechMentor in the fall and would like to see me speak then please plan for the New York show!  http://techmentorevents.com/2008/newyork/ for info.
  • Windows Connections Vegas November 10-13:  can't avoid Vegas in the fall, it seems!  Back to the Mandalay Bay — how can you not love a hotel with its own aquarium? — to keynote and more.   http://www.devconnections.com/shows/FALL2008WIN/default.asp?s=125 for more info.

Bring Mark to Your Site to Teach

I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory or 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 1-5 Eastern time, weekdays, please).

Special European Discount for On-Site Clients!

Well, sort of.  Since the dollar's currently so weak against the euro, why not hire me now, before things change?<g>

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I hope that it is a useful source of Windows technical information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 45,000 subscribers and I hope to use this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum.  Thanks for letting me visit with you, and take care. 

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.