branch office solutions in windows server 2008
DESCRIPTION
SVR304. Branch Office Solutions in Windows Server 2008. Julius Sinkevicius Group Product Manager Windows Server – Microsoft Corporation [email protected]. Session Agenda. Windows Server 2008 and Branch Office Benefits. Server Core. BitLocker Drive Encryption. - PowerPoint PPT PresentationTRANSCRIPT
SVR304
Branch Office Solutions in Windows Server 2008
Julius SinkeviciusGroup Product ManagerWindows Server – Microsoft [email protected]
Server Core
BitLocker Drive Encryption
Next generation TCP stack
Active Directory Domain Services enhancements
Improving file access in the branch
Session Agenda
Windows Server 2008 and Branch Office Benefits
WS2008 Branch Office Benefits
Optimization: Replication and Protocols
Security: Enhanced Data and Domain Controller protection
Administration: Improved Remote Management
Server Core
Reduced footprint serverAvailable as an option at initial install
Boot and operate stand-alone in headless/embedded scenarios
Less to install, manage, patch, attack
No GUI – all management through command line and remote MMC
Supported server rolesAD Domain Services, AD Lightweight Directory Services, DHCP, DNS, File, Print, Streaming Media Services
Optional Windows featuresFailover Clustering, Network Load Balancing, Subsystem for UNIX-based Applications, Backup, Multipath IO, Removable Storage, BitLocker Drive Encryption, SNMP, WINS, Telnet Client
System System Volume Contains:
MBR
Boot Manager
Boot Utilities
FVEK
3
4
Operating System Volume
SRK
1
VMK
2
BitLocker Drive Encryption
Operating System Volume Contains:
Encrypted OS
Encrypted Page File
Encrypted Temp Files
Encrypted Data
Encrypted Hibernation File
Where’s the Encryption Key?
SRK (Storage Root Key) contained in TPM
SRK encrypts the VMK (Volume Master Key)
VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryption
FVEK and VMK are stored encrypted on the Operating System Volume
Next Generation TCP Stack
Optimized performance without loss
Intelligent, automated tuning of TCP receive window size
Advanced congestion control for better throughput (CTCP)
Better packet loss resiliency (e.g. wireless connectivity)
Automatically adjusts for maximum efficiency
Faster network transfers, especially across WAN links
Optimized use of available network bandwidth
Reduced packet loss resulting in fewer retransmits
The Receive Window LimitationM
axim
um T
hrou
ghpu
t (M
pbs)
RTT ms
North America
IntercontinentalFiber
Satellite 64 KB
128 KB256 KB
512 KB
Active Directory Domain Services
Full Active Directory (AD) database excluding credentials
Caches allowed credentials (default is none)
Supports only read operationsInbound replication for both AD database and SYSVOLRead-Only Partial Attribute Set to further restrict inbound replicationDedicated cryptographic keyDeploy in existing AD environment with no changes
Read-Only Domain Controller (RODC)
BranchHub
Read Only DC
How RODC Works
Windows Server 2008 DC
1
2
3
4
56
6
123456 User logs on and authenticatesRODC: Looks in DB: "I don't have the users secrets"Forwards Request to Windows Server 2008 DCWindows Server 2008 DC authenticates requestReturns authentication response and TGT back to the RODCRODC gives TGT to User and RODC will cache credentials
RODC
Active Directory Domain ServicesThreat mitigation - compromised RODC
Admin perspectiveAttacker perspective
Active Directory Domain Services
Delegated administrationAdmin role separationTwo-stage DC promo
RestartableSYSVOL replication using DFS-R
Additional branch improvements
Improving File Access In The Branch
End User Wait TimeFirst time accessSubsequent access
Efficient use of bandwidthBytes transmittedTime of day
Metrics for measuring improvement
Types Of Data
Single User Data
Shared Data
Published Data
Files accessed by a single user
Server copy used mostly for backup purposes
Files accessed by multiple users from multiple machines
Server allows sharing and collaboration across users
Files accessed by many users from many machines
Data updates are rare
Large file set
Sync
Single User Data
Client operates off local cache when in branch network conditions (high latency and/or low bandwidth)Changes synchronized transparentlyOffline access when network is unavailableSeamless transitions between online and offline states
Client caching
Single User Data
Move user data from local drive to central server, while preserving access speedProvides central backup of user dataEasy data migration to new machinesData synchronization can be scheduled when bandwidth is cheap
Benefits of cached access
Shared Data – Streaming ImprovementParallel requests greatly increase read/write speed
16 MB file 1 GB file0
2000
4000
6000
8000
10000
309 312703
22472203
9383
XP-SMB1 Vista-SMB1 Vista-SMB2
Download speed (kb/sec), 100 ms RTTRequest
Response
SMB1 SMB2
Shared Data – Chattiness ImprovementCompounding reduces roundtrips
Open Dir
Query Dir
Query Volume
Response
Response
Response
Open Dir
Query DirQuery
Volume ResponseClose Dir
Traffic reduction for shel...0%
50%
7%
44%
Vista SMB2
2008 SMB2
Close DirRespons
e
Query Dir
Query Volume
Satisfied from cache
Published Data
Client caching of data set is impracticalImprovements in data access (streaming, compounding) improve accessHowever, high cost of data transfer since every access is a first access
Published Data
Windows Server 2003 R2DFS Replication to pre-stage data in the branchDFS Namespaces for location and fault toleranceRDC differencing engine for delta replication
Windows Server 2008Improved scalability and performance
Windows-based branch appliances offer caching of data in the branch
Improving File Access In The Branch
Windows Vista Client + Windows Server 2003 R2 (or earlier)
Improved offline experience offers user fast response times while keeping data synchronized between client and server
Windows Vista Client + Windows Server 2008Data streaming improves file transfer timesOperation compounding reduces chattiness
Client and server improvements
Hub Site
Branch Office
Branch Office Benefits
OptimizationSysVol ReplicationDFS ReplicationProtocols
SecurityBitLockerServer CoreRead-Only Domain ControllerRole Separation
AdministrationPrint Management ConsolePowerShell, WinRS, WinRMVirtualizationRestartable Active Directory
Resources
Technical Communities, Webcasts, Blogs, Chats & User Groupshttp://www.microsoft.com/communities/default.mspx
Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet
Trial Software and Virtual Labshttp://www.microsoft.com/technet/downloads/trials/default.mspx
Microsoft Learning and Certificationhttp://www.microsoft.com/learning/default.mspx
Windows Server 2008http://www.microsoft.com/windowsserver2008/default.mspx
Branch Officehttp://www.microsoft.com/technet/branchoffice/default.mspx
Q&A
Complete an evaluation on
CommNet and enter to win!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.