John Savill Solutions Architect EMC Session Code: WSV403.


Who am I?
- Technical Evangelist for EMC Consulting
- Ten-time Microsoft MVP
- Author of the Windows FAQ
- Written numerous books
- Latest book available: “Complete Guide to Windows Server 2008”
- Speaker at Tech Ed

Agenda
- Challenges with a branch office
- Overview of security solutions used with Windows 2008
- Virtualization in branch offices
- Enhancing User Experience and Productivity
- Branch Access
- Read-only Distributed File System Replicas

Branch Office Challenge Focus for Windows 2008
- Offices often require local servers for both performance and resiliency to unavailable links
- A local domain controller is one of the common services provided, and it contains a complete copy of the entire organization's domain
- Remote offices rarely have dedicated, secured server infrastructure areas or local support personnel to manage the systems
- Remote office hardware is susceptible to compromise
- A way is needed to protect the data on branch office servers, lower maintenance overhead and counteract risk

Protected Branch Office Server: RODC, BitLocker, Server Core

2008 R2 Improvements for Security
- Server Core had limitations in Windows Server 2008
- We had no virtualization “in-box” for Windows 2008 that was RTM
- BitLocker only worked for internal fixed drives
- Management had limitations
- So where are we now?

Server Core Enhancements
- Subset of .NET 2.0, 3.0 and 3.5 Framework now available
- Enables more role services such as ASP.NET with IIS
- Enables PowerShell scripting
- Active Directory Certificate Services and File Server Resource Manager available
- WoW64 optionally installable for 32-bit application support

Management Changes
- Remotable Server Manager
- Enhancements in PowerShell (2.0), which combined with WS-Mgmt gives us fan-out capability
- Best Practice wizards
- New version of the Remote Server Administration Tools will be available for Windows 7 to manage 2008 R2

BitLocker to Go
- Allows USB storage devices to be protected with BitLocker
- Policy can be used to control complexity and length of passphrase required to unlock drive
- Possible to configure USB device to auto-unlock on specific servers through passphrase caching; however, this is risky if the server is compromised

Server Core and Manageability

Hyper-V 2008 R2
- Hyper-V is now included in-box
- Includes a number of new capabilities including:
  - Support for 32 logical processors
  - Hot add/remove of VHD and pass-through disks on SCSI controller (not IDE)
  - Second Level Address Translation (SLAT)
  - Live Migration and Cluster Shared Volumes
- Dynamic memory did not make this release

Boot from VHD
- Can now boot a Windows 7 or Windows 2008 R2 OS from a VHD file
- For best performance use a static VHD file; however, dynamic VHD is supported
- Few extra steps during the OS install process to create and mount the VHD file to allow installation:
  - Shift-F10 to open command window
  - Create, Select and Attach vdisk
  - Partition

Virtualization in the Branch Office
- Server hardware is often limited in branch offices
- Multiple roles are run under a single OS instance, which is generally not optimal
- With virtualization we can run the various roles in separate virtualized OS instances
- We still use BitLocker on the host OS to protect the drives containing the VHD files
- Can now also protect USB storage devices

2008 R2 Branch Office Server: RODC, BitLocker, Server Core

Improving the End User Experience
- All of the previous focus was around securing the branch office
- What about the actual users and their ability to work?
- Most branch locations have slow, high-latency links
- Users consume different types of data
- Data is typically stored in hub locations for easier management and central backup

Branch Cache
- Most branches have poor or high-latency connections
- Users download the same information from hub locations multiple times
- Branch Cache works in a peer-to-peer or hosted server model to cache information over HTTP (including SharePoint) and SMB
- Branch computers can then retrieve information from a peer or the hosted server
- Works using a hash value for each file, so data has to be stored on a 2008 R2 server

Branch Cache in Action: Peer to peer (diagram; labels: Cache, Hash)

Branch Cache in Action: Hosted cache (diagram; labels: Cache, Hash)

Branch Cache Requirements
- For peer to peer (distributed caching) clients must be in the same subnet
- Hosted cache does not require same subnet
- 1 hosted cache per branch
- Windows 7 and Windows 2008 R2 only
- Both solutions require connectivity to the original server
- If you want resiliency against connectivity failure you should look at DFSR instead

So What Exactly is Cached and When?
- Any file that has a hash is cached on the client
- When the cache is full the least recently accessed item is removed to make room
- Only files over 64KB are cached
- Designed for slow-changing files
- Hashing is configured on a per-share level on the server
- For web content a script is used to create hashes for files; this is not done automatically
- Does not care about transport (supports IPsec, HTTPS etc.)

Branch Cache Storage
- Cache files are stored in chunks under the Network Service profile
- The cached chunks are not encrypted but protected by ACLs
- Only the Network Service has access

Monitoring and Controlling How Branch Cache is Used
- Performance Counters
- Group Policy and commands to enable distributed cache and to point to hosted cache
- Group Policy control cache % use of drive
- Entire cache can be cleared on client through PowerShell and netsh commands
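
The netsh commands behind this slide, wrapped in a PowerShell helper as an added example that is not part of the original deck: it selects hosted-cache mode when a branch server is named and distributed mode otherwise, caps the cache as a percentage of the drive, optionally flushes it, and returns the resulting status. The function name, parameter names and the server name in the usage comment are hypothetical; it assumes an elevated prompt on Windows 7 or Windows Server 2008 R2.

```powershell
# Added example, not from the original deck. Names below are hypothetical.
function Set-BranchCacheClient {
    [CmdletBinding()]
    param(
        # FQDN of the branch's hosted cache server; omit for distributed (peer-to-peer) mode.
        [string]$HostedCacheServer,
        # Maximum share of the drive the local cache may use, in percent.
        [ValidateRange(1, 100)]
        [int]$CachePercent = 5,
        # Clear the local cache after reconfiguring.
        [switch]$Flush
    )

    # Run one "netsh branchcache" command and stop on the first failure.
    function Invoke-BranchCacheNetsh {
        param([string[]]$Arguments)
        $output = & netsh.exe branchcache @Arguments 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "netsh branchcache $($Arguments -join ' ') failed: $output"
        }
        $output
    }

    if ($HostedCacheServer) {
        # Hosted cache: the client retrieves and offers content via the branch server.
        Invoke-BranchCacheNetsh 'set', 'service', 'mode=HOSTEDCLIENT', "location=$HostedCacheServer" | Out-Null
    } else {
        # Distributed cache: peers on the same subnet serve each other.
        Invoke-BranchCacheNetsh 'set', 'service', 'mode=DISTRIBUTED' | Out-Null
    }

    # Limit the cache to a percentage of the drive.
    Invoke-BranchCacheNetsh 'set', 'cachesize', "size=$CachePercent", 'percent=TRUE' | Out-Null

    if ($Flush) {
        # Remove everything currently held in the local cache.
        Invoke-BranchCacheNetsh 'flush' | Out-Null
    }

    # Return service mode, cache and firewall status for review.
    Invoke-BranchCacheNetsh 'show', 'status', 'all'
}

# Constructed usage (hypothetical server name):
# Set-BranchCacheClient -HostedCacheServer 'branch-hc01.example.com' -CachePercent 10 -Flush
```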

Branch Cache in Action

Distributed File System Replication
- Branch Cache requires the network for users to obtain file hash values
- If access to information is required without network connectivity, Branch Cache does not work
- Distributed File System Replication is a good solution, using delta-based replication
- Available as part of 2003 R2 and above
- DFSR only replicates closed files
- In a multi-writer situation last writer wins (no check-in/check-out; this is SharePoint functionality)

Traditional DFSR (diagram): four DFSR Replicas, each with Documents, Legal, Presentations; Sales

Read-Only DFSR Replica (diagram): one DFSR Replica and three R-DFSR Replicas, each with Documents, Legal, Presentations; Sales; ACCESS DENIED

Making a Read-Only Replica
- Must have 2008 RTM schema extensions
- Only one check box different
- During the wizard to create a replication group, on a non-authoritative server check the read-only box
- This is per folder on the server
- Can switch between being read-write and read-only with a click

Read-Only DFSR Usage
- Must have Windows 2008 R2 at the branch only
- Other replication partners can be Windows 2008 or Windows 2008 R2
- R/O Replica can only replicate from a R/W Replica; R/O Replica cannot replicate from another R/O Replica
- Must use 2008 R2 DFS Management MMC snap-in
- End-user experience is to simply have read-only access. Acts like read-only media
- User will get File Access Denied if they try and write
- If users need to write then they would need to access a writable replica directly via SMB UNC path

Branch Cache vs. Read-Only DFSR
- So both technologies deal with publication type data
- For personal data you should be looking at folder redirection with client-side caching
- For collaboration type data we should be looking at SharePoint
- If you need data accessed without network connection you need Read-only DFSR
- If you want to save bandwidth but not provide link resiliency, Branch Cache is a good solution
- Use hosted cache over distributed cache if you have a server at the branch
- Branch Cache requires Windows 7 clients

Summary
- Windows 2008 was great for securing branch office locations
- Windows 2008 R2 builds on this secure foundation and adds a great branch office user experience through various technologies
- Some of the major feature wins require Windows 7

Windows Server Resources
- Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
- Learn more about Windows Server 2008 R2: Technical Learning Center (Orange Section)
  - Highlighting Windows Server 2008 and R2 technologies
  - Over 15 booths and experts from Microsoft and our partners


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.