Windows Server 2008 R2 Unleashed (13 page)
Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
virtual private network (VPN) to gain access into the network.
DirectAccess is an amazing technology that combines sophisticated security technology
ptg
and policy-based access technology to provide remote access to a network; however, orga-
nizations do find it challenging to get up to speed with all the technology components
necessary to make DirectAccess work. So, although many organizations will seek to
achieve DirectAccess capabilities, it might be months or a couple of years before all the
technologies are in place for the organization to easily enable DirectAccess in their enter-
prise environment.
Some of the technologies required to make DirectAccess work include the following:
.
PKI certificates—
DirectAccess leverages PKI certificates as a method of identifica-
tion of the remote device as well as the basis for encrypted communications from
the remote device and the network. Thus, an organization needs to have a good
certificate infrastructure in place for server and client certificate-based encrypted
communications.
.
Windows 7 clients—
DirectAccess only works with clients that are running
Windows 7. The client component for encryption, encapsulation, and policy control
depend on Windows 7 to make all the components work together.
.
IPSec—
The policy control used in DirectAccess leverages IPSec to identify the desti-
nation resources that a remote user should have access to. IPSec can be endpoint to
endpoint (that is, from the client system all the way to the application server) or
IPSec can be simplified from the client system to a DirectAccess proxy server where
the actual endpoint application servers do not need to be IPSec enabled. In any case,
IPSec is a part of the security and policy structure that ensures the remote client
system is only accessing server resources that by policy the remote client should
have access to as part of the DirectAccess session connection.
Improvements in Mobile Computing in Windows Server 2008 R2
29
.
IPv6—
Lastly, DirectAccess uses IPv6 as the IP session identifier. Although most orga-
nizations have not implemented IPv6 yet and most on-ramps to the Internet are still
1
IPv6, tunneling of IPv6 is fully supported in Windows 7 and Windows Server 2008
R2 and can be used in the interim until IPv6 is fully adopted. For now, IPv6 is a
requirement of DirectAccess and is used as part of the remote access solution.
More details on DirectAccess are provided in Chapter 24, “Server-to-Client Remote Access
and DirectAccess.”
Windows 7 VPN Reconnect
VPN Reconnect is not a Windows Server 2008 R2–specific feature but rather a Windows 7
client feature; however, with the simultaneous release of the Windows 7 client and
Windows Server 2008 R2, it is worth noting this feature because Microsoft will be touting
the technology and network administrators will want to know what they need to do to
implement the technology. VPN Reconnect is simply an update to the VPN client in
Windows 7 that reestablishes a VPN session on a client system in the event that the client
system’s VPN session is disconnected.
VPN Reconnect effectively acknowledges that a client VPN session has been disconnected
and reestablishes the session. Many longtime administrators might wonder why this is
ptg
new because client systems in the past (Windows XP, Vista, and so forth) have always had
the ability to retry a VPN session upon disconnect. However, the difference is that instead
of simply retrying the VPN session and establishing a new VPN session, the VPN
Reconnect feature of Windows 7 reestablishes a VPN session with the exact same session
identification, effectively allowing a session to pick up exactly where it left off.
For example, a Windows 7 client user can be transferring a file on a wired VPN connected
session and then switch midstream to a Wi-Fi VPN-connected session, and the file transfer
will continue uninterrupted.
VPN Reconnect utilizes the IKE v2 protocol on the client and on the Windows Server 2008
R2 side with an established session identification so that upon reconnect, the session ID
remains the same.
Chapter 24 provides more details on VPN Reconnect.
Windows 7 Mobile Broadband
Another Windows 7–specific technology for mobile users is Windows 7 Mobile Broadband.
Again, something that has nothing to do specifically with Windows Server 2008 R2,
Windows 7 Mobile Broadband is an update to the carrier-based (for example, AT&T,
Sprint, Verizon) mobile connection devices and services in Windows 7.
In the past, a user plugged in a Mobile Broadband card to their Windows XP or Vista
system and then had to launch an application such as the AT&T Connection Manager.
With Windows 7 and the latest Mobile Broadband drivers for the device and for Windows
7, the insertion of the Mobile Broadband card into a mobile system automatically
connects the user to the Internet. Just like if the user turns on a Wi-Fi adapter in a system
30
CHAPTER 1
Windows Server 2008 R2 Technology Primer
and automatically establishes a connection to a Wi-Fi access point, Mobile Broadband
automatically connects the user to the Internet.
When the Windows 7 Mobile Broadband adapter is disconnected from the user’s system,
the Mobile Broadband session disconnects, and if the system has a Wi-Fi or wired Ethernet
connection available, the user’s system automatically connects to an alternate connection
point. Combine Mobile Broadband with VPN Reconnect or with DirectAccess and a
mobile user has seamless connection access back into their organization’s network.
Improvements in Windows Server 2008 R2 for
Windows Server 2008 R2 has greatly enhanced the technology offerings that provide
better IT services to organizations with remote offices or branch offices. Typically, a
remote or branch office has limited IT support or at least the site needs to have the same
functionality and reliability as the main corporate or business office, but without the
budget, to have lots of redundant hardware and devices for full operational support. With
the new Windows Server 2008 R2 branch office resources, a remote location can now have
high security, high performance, access to data without significant latency, and opera-
ptg
tional capabilities, even if the remote site is dropped off the network due to a WAN or
Internet connection problem.
The tools and technologies new or improved in Windows Server 2008 R2 include Read-
Only Domain Controllers, BitLocker Drive Encryption, distributed file server data replica-
tion, and distributed administration.
Details on the new technologies built in to Windows Server 2008 R2 that better support
remote and branch offices are covered in Chapter 32.
Read-Only Domain Controllers for the Branch Office
As covered in the section “Introducing the Read-Only Domain Controller” earlier in this
chapter, the RODC provides a copy of the Active Directory global catalog for logon
authentication of select users and communications with the Active Directory tree without
having the security exposure of a full global catalog server in the remote location. Many
organizations concerned with distributed global catalog servers chose to not place a server
in a remote location, but rather kept their global catalog and domain controllers central-
ized. What this meant for remote and branch offices is that all logon authentication had
to go across the WAN or Internet connection, which could be very slow. And in the event
of a WAN or Internet connection failure, the remote or branch office would be offline
because users could not authenticate to the network and access network resources until
the WAN or Internet connection was restored.
Read-Only Domain Controllers provide a way for organizations to distribute authentica-
tion and Active Directory access without increasing their security risk caused by the distri-
bution of directory services.
Improvements in Windows Server 2008 R2 for Better Branch Office Support
31
BranchCache File Access
New to Windows Server 2008 R2 is a role called BranchCache. BranchCache is a technol-
1
ogy that provides users with better access to files across a wide area network (WAN).
Normally, if one user accesses a file, the file is transferred across the WAN for the user, and
then when another user accesses the same file, the same file is again transferred across the
WAN for the other user. BranchCache acknowledges that a file has been transferred across
the WAN by a previous user, and instead of retrieving the file across the WAN, the file is
accessed locally by the subsequent user.
BranchCache requires Windows 7 on the client side and can be set up so that the file is
effectively retrieved in a peer-to-peer manner from another Windows 7 client that had
previously accessed a file. Or, a Windows Server 2008 R2 server with the BranchCache
server role can be set up in the remote location where remotely accessed files are
temporarily cached for other Windows 7 client users to seamlessly access the files locally
instead of being downloaded across the WAN.
BranchCache does not require the user to do anything differently. Users simply accesses
files as they normally do (either off a Windows file system or from a SharePoint document
library), and the combination of Windows 7 and Windows Server 2008 R2 does all the
caching automatically. BranchCache has proven to improve access time on average
30%–45% for remote users, thus increasing user experience and potentially user productiv-
ptg
ity by having faster access to information in remote locations.
BitLocker for Server Security
BitLocker is a technology first introduced with Windows Vista that provides an organiza-
tion with the ability to do a full partition encryption of all files, documents, and informa-
tion stored on the encrypted partition. When BitLocker was first introduced in Windows
Server 2008 as a server tool, it was hard to understand why a server would need to have its
drive volume encrypted. It made sense that a laptop would be encrypted in the event the
laptop is stolen—so that no one could get access to the data on the laptop hard drive.
However, when considering that servers are placed in remote locations—many times not
in a locked server rack in a locked computer room but rather sitting in a closet or even
under a cash register in the situation of a retail store with a server acting as the point-of-
sale system—servers with sensitive data are prevalent in enterprise environments.
So, BitLocker provides encryption of the volume of a Windows Server 2008 R2 server; for
organizations that are concerned that the server might be physically compromised by the
theft of the server or physical attack of the system, BitLocker is a great component to
implement on the server system.
Distributed File System Replication
Introduced in Windows 2000, improved in Windows 2003, and now a core component of
the branch office offerings in Windows Server 2008 R2, Distributed File System Replication
(DFSR) allows files to be replicated between servers, effectively providing duplicate infor-
mation in multiple locations. Windows Server 2008 R2 has a much improved Distributed
File System than what was available in Windows 2000/2003. In most organizations, files
32
CHAPTER 1
Windows Server 2008 R2 Technology Primer
are distributed across multiple servers throughout the enterprise. Users access file shares
that are geographically distributed but also can access file shares sitting on several servers
in a site within the organization. In many organizations, when file shares were originally
created years ago, server performance, server disk capacity, and the workgroup nature of
file and print server distribution created environments in which those organizations had a
file share for every department and every site. Thus, files have typically been distributed
throughout an entire organization across multiple servers.
Windows Server 2008 R2 Distributed File System Replication enables an organization to
combine file shares to fewer servers and create a file directory tree not based on a server-
by-server or share-by-share basis, but rather an enterprisewide directory tree. This allows
an organization to have a single directory spanning files from multiple servers throughout
the enterprise.
Because the DFSR directory is a logical directory that spans the entire organization with
links back to physical data, the actual physical data can be moved without having to make
changes to the way the users see the logical DFS directory. This enables an organization to
add or delete servers, or move and consolidate information, however it works best within
the organization.
For branch office locations, DFSR allows for data stored on a file server in a remote loca-
tion to be trickled back to the home office for nightly backup. Instead of having the
ptg
remote location responsible for data backup, or the requirement of an organization to
have tape drives in each of its branch offices, any data saved on the branch office can be
