Chances are very good you're still using XP on the desktop and Server 2003 in the closet, because you're used to it, you're comfortable with it, your users understand it, and nobody's paying you to be disruptive. Plus, you're busy! So when you hear the name "Windows Server 2008 R2," what's your first thought? You're likely to believe that it's little more than a warmed-over service pack for Windows Server 2008, which is the server version of the much-maligned Windows Vista. That alone is enough of a condemnation to keep plenty of people away, even before we get to the learning curve.

But when you start to take a closer look, you realize that something much bigger is going on here than the name suggests. This "R2" moniker has gained favor in Redmond in the last few years as a way of saying, "It's the same software, honest! We've nailed on some bits to the side." It's supposed to appeal to IT departments that are allergic to disruptive changes. Maybe it's supposed to appeal to the inner Star Wars fan and make you think it's an adorable sidekick that can solve difficult problems with a simple tool. Windows Server 2003 R2 certainly fit that description—the kernel, core operating system and feature set of Server 2003 were 100 percent retained for 2003 R2, and some useful tools were added on. Server 2008 R2, on the other hand, is a much different story. It has a revised kernel, it has a new user interface, and it isn't a drop-in upgrade for that entry-level server you bought six years ago. But it presents some new and genuinely interesting ways of solving a lot of the day-to-day issues, big and small, that the busy IT person deals with.

We will take a closer look at two of those new features, Remote Desktop Services and DirectAccess, in the coming weeks. But for now, let's start with the basics.

The Boring Stuff

Let's get the (frankly boring) marketing & accounting details out of the way first. The core editions of Server 2008 R2 are Foundation, Standard, Enterprise, and Datacenter. The relative newcomer here is the "Foundation" edition. It's functionally the same as Standard Edition and contains almost all of the same features, but at about one third the price—about $270 USD.  It is limited to 15 network accounts, 8GB of memory and 1 physical CPU, does not support Server Core, and can only be obtained as part of a server purchase from OEMs like Dell, HP, and others. Other editions offered by Microsoft include a Web edition (branded as "Windows Web Server 2008 R2") for dedicated large-scale Web hosting environments, an edition for Intel's Itanium 2 processors that is roughly analogous to the Datacenter edition (but does not support Server Core), and an edition for large-scale distributed computing called HPC Server. The Small Business Server and Essential Business Server editions of Server 2008 R2 are due out later in 2010.

A few quick points about licensing. Companies that have already purchased Client Access Licenses or Terminal Services CALs for Windows Server 2008 can continue to use those CALs with Server 2008 R2. Client machines that connect to a Windows Server Foundation machine don't require CALs at all. A license for Server 2008 R2 Enterprise qualifies it to be run in up to four separate virtual machines on a single server (regardless of whether you're using Microsoft's Hyper-V, VMWare, or some other virtualization software), and a license for Server 2008 R2 Datacenter can be used to run an unlimited number of instances on a single server, though it is licensed on a per-CPU basis.

In terms of hardware requirements, 2008 R2 generally has lower "real-world" requirements than Server 2008, but higher requirements than Server 2003. The main issue that most administrators are going to need to pay attention is the new 64-bit CPU requirement. There are a number of scalability and optimization benefits that come from this, and it has some positive implications for security, but it comes at a cost. Most pre-2006 hardware cannot run it at all, and any software that needs to operate in kernel mode (e.g. drivers and anti-virus software) needs to be 64-bit as well. 2008 R2 can still run user-mode applications designed for 32-bit versions of Windows by utilizing a feature called "Windows on Windows 64-bit" (WOW64 for short). WOW64 makes it possible for those applications to run as 32-bit, by intercepting any system function calls, file system access, registry access, print jobs, and interactions with the kernel, translating them to a 64-bit equivalent. It's all done in a way that's almost completely transparent to the application. This technology isn't new, but it's becoming pretty widely used as more people use 64-bit versions of Windows.

One feature of WOW64 that's new to 2008 R2 in a Server Core install is that it can be removed altogether. Microsoft had originally intended to make WOW64 an installable option, and did all the refactoring work to untangle it from the rest of Windows, but had to back off after a rash of negative feedback from beta testers. It turns out that many software packages, even 64-bit ones, use 32-bit installer code—even if all that 32-bit code does is say, "Hey, you need a 64-bit version of Windows!" If you want to remove WOW64 from a Server Core install, it's easy: type "ocsetup ServerCore-WOW64 /uninstall" at a command prompt. Reinstalling it is just as straightforward: "ocsetup ServerCore-WOW64."

The Pretty Stuff

As you already know from our extensive review of Windows 7, the user interface has received a pretty significant update. 2008 R2 includes this new interface as well, including the new taskbar, the litany of new keyboard & mouse shortcuts, the new Explorer with the vastly improved left-hand navigation pane, and the various toys and tidbits such as the Ribbon-based Paint and WordPad. Unlike its desktop counterpart, none of the advanced graphics or multimedia features are installed by default. Installing the "Desktop Experience" optional component adds Windows Aero graphics and effects, Windows Media Player, a bevy of desktop backgrounds, Windows Defender, Sound Recorder, and other desktop tools to a Server 2008 R2 installation, making it look and feel more like Windows 7.

By and large, most people won't do this on their Server 2008 R2 installs. But there are two groups of people who will want to: enthusiasts that plan to run Server 2008 R2 as their desktop operating system, and administrators of Remote Desktop Session Host server. While the first scenario is obvious enough, the second will come as a massive surprise: yes, you can use Windows Media Player to play audio and video at full speed over a Remote Desktop connection. Yes, you can record audio over a Remote Desktop connection. And, perhaps most surprising of all, yes, you can have a fully Aero-enabled desktop, with translucent effects, animations, full-fidelity audio and all, over a Remote Desktop connection.

No, I'm really not making this up:

HD Video over Remote Desktop say whaaaat?

Windows Media Player (and, in theory, DirectShow or Media Foundation-based multimedia application) is able to recognize when it is being run in a Remote Desktop session, and will stream the contents of the file being played through the Remote Desktop connection. Your local desktop decodes the file and displays it on your own screen. It's much the same with the Windows Aero graphics and effects; the remote machine instructs the local machine to draw the windows and do all the Aero effects. Bitmap acceleration is also supported; this allows any application running on the server that uses DirectX (including Flash and Silverlight) to run on the server, utilizing a GPU if available, or the CPU if necessary, to render the graphics, then capture the output and send it to the client. While this sounds great in theory, in practice it is not really all that scalable.

Remote server management

Windows Server 2008 introduced "Server Manager;" this is a single console that rounds up a pretty wide variety of tasks and administration tools and puts them in one place. If you're already familiar with the Computer Management console from prior versions of Windows, consider this its replacement when working with a server.

Server Manager console

The Server Manager is the tool you use when you want to add functionality to a Server 2008 system. There are two types of functionality:

• Roles: Think of roles as being the overall purpose of the machine. There are roles for being an Active Directory domain controller, a printer & scanner server, a Remote Desktop server, a web server, a file server, a virtual machine server, and so on.
• Features: A feature is a more specific set of functionality, such as the tools that are required to manage roles on other servers, and optional components like BitLocker, wireless networking support, server backup tools, telnet and TFTP support, and so on.

The available roles and features vary by edition of Windows Server. Most roles require some features to be installed. For example, Windows Server Update Services (which is included with Windows for the first time in Server 2008 R2) requires the Background Intelligent Transfer Services (aka BITS) feature installed, because BITS is what's actually used to transfer Windows Updates between computers.

The Server 2008 R2 version of Server Manager adds one very (very, very) useful feature—the ability to connect Server Manager to remote servers. It sounds like nothing at first, but once you realize that this means that you can manage Server Core installs with a remotely connected GUI, it suddenly makes the whole Server Core proposition a lot more palatable to people who'd rather use GUI tools than the command-line. The only caveat is that Roles and Features on a Server Core system cannot be added or removed through this tool... this still must be done through the command-line.

Server Manager is also included with the Remote Server Administration Tools package that has been released for Windows 7. As long as a server is configured to allow remote administration (which is done locally via Server Manager—look for the "Configure Server Manager Remote Management" link), it should finally be possible to fully maintain your servers without ever having to resort to Remote Desktop connections.

Speaking of the command-line...

For the last several years, there has been all kinds of hoopla over PowerShell, which is billed as the replacement for the traditional Windows command line. We did an in-depth review back in 2005 (back when it was still known as the Microsoft Command Shell, before Microsoft's crack team of marketers—presumably led by Jeremy Clarkson—renamed it) and concluded that was a pretty fantastic scripting environment, and represented a major advancement over not only traditional DOS batch files and Windows Scripting Host, but also on Unix shells like bash. The idea that Microsoft has been pursuing with PowerShell is that any kind of server management tasks would be done through PowerShell "cmdlets" (pronounced commandlets), which are .NET Framework components that contain the actual functionality. GUI administration tools and command-line interfaces would use the same PowerShell cmdlet. The benefit here is that it forces Microsoft to make all the management functionality available through the same architecture.

Version 2.0 of PowerShell is included with Windows 7 and 2008 R2; the list of improvements it brings over the 1.0 release is lengthy and mostly interesting only to people who write PowerShell scripts. There is one area that really matters: PowerShell 2.0 can run commands on remote machines, and, just as importantly, retrieve the results from those commands in a structured way. This closes a gap that administrators would have typically filled with a combination of the Sysinternals "psexec" tool and some clever scripting.

Here's a quick example to give you a bit of flavor. The two commands here show the list of processes whose executable files are not Microsoft software, both on the local machine, and on a remote machine named "win7-vm":

PowerShell

You will note in the screenshot here that PowerShell has been given prominent placing on the taskbar, right alongside Server Manager and Windows Explorer.

Another area that has seen some major improvements is in the command-line help facility. When you open a PowerShell prompt, you can type "help" and learn pretty much everything you're ever going to want to know about how to use PowerShell, and what commands are available. Extensive examples and parameter descriptions are included. Oh, and for the Unix administrators out there, yes, you can type "man" instead of "help."

Microsoft has also made a lot of noise about the fact that the .NET Framework can run inside Server Core. But it isn't installed by default, so PowerShell won't be available until it's been installed. This can be done through the sconfig tool.

Active Directory

First conceived in the mid-1990s (at a time when new technology coming from Microsoft apparently had to be "Active" or "Direct"), and first included with Windows 2000, Active Directory is the glue that holds a network of Windows PCs together. Unlike the NT Domain model that came before it, Active Directory is built mostly on established networking standards such as DNS, LDAP and Kerberos. A vast number of organizations, from sole proprietorships all the way to some of the largest military and corporate networks in the world, rely on Active Directory to keep the technology side of their business running.

When Windows Server 2008 was released, a number of pretty useful changes were introduced:

• Read-only domain controllers: A solution for companies that want to deploy domain controllers to remote offices, but don't want those domain controllers to be able to make changes to the domain
• Auditing policies: Monitoring of all changes made to Active Directory, and by who; previously only directory access auditing was available
• Last Interactive Login information: It's possible to see the last login date/time for a user, as well as the last time they failed to log in, and how many failed login attempts were made.
• Fine-grained password policies: Password complexity and lockout policies can be applied to individual users and groups, instead of being domain-wide

2008 R2 adds even more:

• Offline domain join: Allows the server and client sides of joining a computer to a domain to be done at different times
• Recycle Bin: Allows recovering deleted items in Active Directory without needing to rely on backups
• Authentication Mechanism Assurance: Users who log in to the domain with certificate-based methods (such as a smart card) instead of using a name/password combination can be assigned extra group membership, leading to possibilities where access to certain files could be restricted to people who use in-office company hardware to authenticate
• Active Directory Web Services: Access to Active Directory administration via standardized web services instead of the traditional (and proprietary) RPC-based communication methods

We should have a closer look at that last one, because on the face of it, it sounds really boring, especially if you've never been too concerned with how your management tools talk to Active Directory. Prior to 2008 R2, you were in for a bit of a struggle if you weren't on the same network as the domain controller. Because of the way RPC works, AD management activities could occur on a number of different TCP ports, none of which you could say, "Yup, that's Active Directory management." With 2008 R2, you'll see a new process called Microsoft.ActiveDirectory.WebServices.exe. This is a .NET Windows Communication Framework application that listens on port 9389 and provides a bunch of SOAP-based Web services. If that sounds a bit opaque, don't worry—it's just a miniature Web server that can read from and write to an Active Directory domain controller. It's also a sign that Microsoft is taking seriously the demand (from the European Commission and customers alike) for better interoperability with non-Microsoft protocols and systems.

Two other new components of 2008 R2 use this Web service, the PowerShell module for Active Directory and this:

Active Directory Administration Center

This is the Active Directory Administrative Center. While at first glance it looks pretty similar to Active Directory Users and Computers, there are a few major differences. First and foremost, it's built on top of the PowerShell Active Directory module, so there is that assurance that anything that can be done via the GUI can also be done without it. Second, it puts two of the most common tasks front and center—finding users, and resetting passwords. Third, this tool vastly improves on directory search capabilities; building common queries is straightforward, and you can save common queries and re-run them.

Group Policy

The main purpose of Group Policy is to define and enforce the configuration of a computer.  Across the entirety of Windows, there are thousands of distinct "Group Policy Settings," affecting everything from the configuration of the firewall to whether or not the user is allowed to change the skin in Windows Media Player. Group Policy settings are broadly grouped into two categories: per-computer and per-user. A collection of Group Policy settings is called a "Group Policy Object" or GPO for short. A GPO is then applied to a selected group of users and computers. (By default, GPO settings are applied when the computer is booted, a user logs in, and every 90 minutes, give or take 20%.) A domain can contain many GPOs; it is fairly typical for administrators to create different GPOs for different groups of people and computers. A few examples: accessing Windows Update could be denied for everyone in the company except for IT staff; computers used in receptionist and help desk environments (i.e. where customer interaction takes place) could have their sound disabled; computers in different parts of the office can be instructed to have their default printer be something physically nearby.

With Windows Server 2008 came a pretty significant revision to Group Policy. It adds something called "Group Policy Preferences," which allow an administrator to change settings and create items on client computers, but then allow the user to change it later on. GP Preferences can work with VPN connections, mapped drive connections, files, folders, shortcuts, printers, local users and groups, scheduled tasks, registry settings, and environment variables. They can also configure a pretty wide variety of Internet Explorer and Window Explorer settings. In other words, they're already things that are user-configurable. I think System Administrators will really dig this; before Server 2008, the only way to set up these things was through building a predefined system image with the preferences already in place, or with complex registry manipulation, or with logon scripts.

The process of actually handling preferences is more involved than simply pushing out some predefined settings. Group Policy Settings answer the question of whether the user can do something, but Group Policy Preferences deal with whether the user (or computer) has something. It's a subtle but significant difference, that is probably best explained with an example. Here's a screenshot of the Group Policy Preferences configuration dialog for the Start Menu:

Group Policy Preferences - Start Menu

The first thing to note here is that this dialog looks very similar to the Start Menu properties dialog box in Windows Explorer itself. This should make it easy for administrators to understand what settings they're changing without having to do a lot of reading.  See those colored underlines? When a preference has a green underline, this tells Group Policy that you want that setting to be applied, i.e., the state of the check box on the client machines will be updated to match the state of the check box here. If the underline is red, then that setting will not be set on the client machine. The underline color is changed with the F6 key for green and F7 for red. 

Because these settings are applied every 90-ish minutes, regardless of whether a user is logged in or not, it is possible to roll out, for instance, a new network printer (or remove it, or change the settings of one that's already configured) without the user needing to log out or even be aware that it's happening. Forcing the Group Policy update to happen sooner is easy—just run "gpupdate" on the client machine. 

GP Preferences has the ability to use "targeting" to define conditions that have to be met before any given preference is applied. Some of the available conditions include day of week, time of day, whether the computer is a laptop, whether a particular piece of software is installed, whether a certain file exists on the computer, and so on. 

Here's an interesting possibility:

Apply the "Power Saver" power plan....

... during these days and times.

The screenshots say it all—any Vista or later machine will have its power plan automatically adjusted to "Power saver" between 8PM on Friday and 7AM on Monday. Add to this a second set of preferences to reset the power plan to "Balanced" during the week, and now you've got a fleet of computers that will perform better during the week and use less power on the weekend.

Network Locations

A recurring theme in the changes that have been introduced with Windows 7 and 2008 R2 is improving how notebook computers fit into an Active Directory domain. The original design architecture of a Windows domain didn't accommodate machines that are only "sometimes" connected to the corporate network. As a result, laptop users and IT departments have spent much of this decade grumbling over various problems with keeping the company's road warriors connected to the network, keeping those laptops safe from malware infections and other unwanted software, and keeping them updated with the latest fixes to Windows and other installed software... all while keeping the computer usable.

Windows Vista first introduced the concept of "network locations." There are two system services, "Network Location Awareness" and "Network List Service," that take collective responsibility for identifying the available networks across all network adapters, giving each of them a unique identifier, and determining whether a connection to the Internet or a local Intranet is available through that connection. Each network location also has a type: Private, Public, and Domain. The network location type has two main purposes: to help the user identify which connections are "trustworthy" and which aren't, and to inform the Windows Firewall what rules should be applied to that connection. The Private and Public location types are chosen on a per-connection basis by the user. The Domain location is automatically selected by the NLA service for a connection when the computer is joined to an Active Directory domain, and that domain is reachable through the connection. You can't choose this yourself.

Windows Vista's "Set Network Location" screen.

This screen should be familiar to anyone who has used Vista. Note that the "Home" and "Work" locations are actually the same "Private" network location type, and have the same set of firewall rules. 

One major area where Vista/2008 and 7/2008 R2 differ is in how the network location is actually chosen. On Vista and 2008, a single location (and therefore, firewall settings) is applied to all connections. It works like this: 1) If any connection is "Public," then all connections will be considered Public; 2) if there are no Public connections, but there are Private connections, then all connections will be considered Private; and 3) if there are no Public or Private connections, but there is a connection to the domain, then the Domain location is used. The problem here is obvious enough—plenty of people want to be able to connect to their workplace network through a VPN, but networking behaves differently because the Public or Private firewall profile will be in use for that VPN connection instead of the Domain firewall profile.

Windows 7/2008 R2, on the other hand, allows for different firewall profiles to be applied to different connections. It also allows the firewall to be disabled completely for connections to a particular network location type. It's a simple and sensible change that will be especially noticeable when a domain-joined laptop is connected to a Public network (thus blocking inbound connections), and the VPN connection back to the office is a Domain connection, thereby using the less restrictive Domain firewall rules.

Another area that Windows 7 improves on its predecessor is that when a network is designed as your "Home" network, it will enable the necessary components for HomeGroup for that connection. This is great for people with laptops who want to share files on their home network, but want those features turned off when they go to work. The Computer Browser service, which searches local networks for other computers, will be turned off altogether when the computer is only connected to Public networks—this makes it less likely for a Windows 7 computer to expose itself to other machines.

Miscellany

Before we finish up, let's quickly cover a few other topics.

Hyper-V is Microsoft's hardware virtualization platform. The version included with Server 2008 R2 adds the ability to do live migrations of virtual machines between physical computers, and improves networking performance pretty significantly. It also integrates with Remote Desktop Services; if you've ever wanted Remote Desktop connections to connect to a pool of dedicated virtual machines instead of a pool of sessions on a single copy of Windows Server, you're going to really like this. For the most part, though, Hyper-V is playing catch-up to VMWare's vSphere line of products, and while it's now good enough for people to use it in production deployments, there's little reason to switch to Hyper-V from VMWare. Administrators looking to manage Hyper-V through PowerShell can download the PowerShell Management Library, which is written and maintained by a Microsoft employee but isn't really an official part of the company's Windows Server offering.

Internet Information Services has been updated to version 7.5. For the most part, the new features in this version were previously released as extensions to IIS 7.0. One major change in the security model is the introduction of "Application pool identity accounts," which are virtual local user accounts that are only used to run Web applications. This differs from IIS 6.0 and 7.0, which both used the more generic NETWORK SERVICE account by default.  This account is also used by a pretty wide range of other system services that communicate over the network (Network Location Awareness, the DNS client, RPC, etc.), so sharing the account with IIS applications made little sense.  The virtual account names are prefixed with "IIS APPPOOL\", so they don't overlap with local or domain account names. All of IIS 7.5 can be controlled through PowerShell cmdlets.

Windows Server Update Services, previously a downloadable add-on for Server 2003 and 2008, is now included. The only really significant new feature of WSUS is its integration with BranchCache, which makes it possible to have desktop machines in branch offices share WSUS updates with each other using P2P technology, rather than having all of those machines be forced to connect to the central WSUS server or Microsoft's Windows Update servers to collect the latest updates. Keeping your desktops and servers updated with the latest patches is really important, so make sure you check out Brian Hill's article on building and maintaining a tiered WSUS infrastructure.

Windows Server Backup was introduced with Server 2008 as the replacement for the venerable NTBACKUP tool. It wasn't well-received in some IT departments, due to its dropping support for tape backup systems, the inability to back up and restore system state separately from user data, and the inability to limit backups to individual folders. It felt like a frustratingly incomplete and unusable product unless you were willing to reinvent your entire backup strategy. Because of these criticisms, Microsoft added support for doing system state backups, per-folder backups, and file type filters. A new "bare metal recovery" option is available as well, which will back up every partition and drive in the system into a single backup. This is a big improvement. And, as with many other things in 2008 R2, Windows Server Backup can be fully controlled through PowerShell cmdlets.

Windows Memory Diagnostic is now included with Server 2008 R2, and is available from the Administrative Tools folder. This tool has been floating around on Microsoft's website for a few years now, and to be honest I don't really see the point of including it with Windows Server, as it still doesn't support testing more than 4GB of physical memory.

Conclusion

Microsoft had to spend a lot of time this past decade trying to get its house in order with security, architecture, and development processes. Steven Sinofsky, whose track record of shipping successive releases Microsoft Office on time, was moved to the Windows team to bring some badly needed discipline and shipping focus. It's a telling sign that Microsoft has managed to get Windows Server development firmly on track, to the point where they can ship two high-quality releases in as many years. Think about it like this—the scope of changes from 2008 to 2008 R2 is broadly the same as the changes from 2000 to 2003, but they were done in half the time. Sinofsky imposed a new organizational structure on the Windows development team, and he enacted a philosophy of making all decisions based on real-world data, not guesswork. This may have rankled some old hands who were used to the long-established practice of "testosterone-based engineering" (Sinofsky's own description), wherein features were added and bugs were fixed based on whoever had the loudest voice at meetings, but the new approach clearly works—Windows 7 and Server 2008 R2 are both very good operating systems.

You've probably noticed that PowerShell is a recurring theme here. While the traditional command prompt (cmd.exe) and the Scripting Host (cscript and wscript) won't be going away anytime soon, PowerShell is clearly their replacement. Microsoft wants administrators to feel comfortable using the command line to perform tasks, and it wants 100% of the functionality of Windows Server to be scriptable using this single, consistent interface. It also, finally, brings the .NET Framework in from the sidelines and positions it smack dab in the middle of Windows Server. Hey, isn't this what Redmond was promising eight years ago?

You really have to start wondering if "Windows Server 2010" may actually have been the better name for this product. Consider its ancestor, Windows 2000. The reason that operating system stuck so well, and why it felt like such an arrival point for Windows, was that nice round number. Okay, I'm kidding—the real reason is because it was a release where Microsoft presented a complete vision of what a Windows-based business would look like, both on the desktop and in the server room—even if your idea of a "server room" is a little more than a closet with a computer labeled "Do Not Turn Off!" It was Windows 2000's completeness that attracted attention from IT people. Heck, it was this release of Windows that got a lot of people into IT in the first place! But as the 2000s carried on, that vision was lost with the game of leapfrog, where client operating system releases (Windows XP, XP SP2, Vista) predated their server counterparts (Server 2003, 2003 SP1, 2008). That one really big leap, Windows Vista, was not widely adopted at businesses in the first year after its release, due in no small part to the absence of a strong server product to go along with it. By the time Server 2008 did arrive some 15 months later, the groundswell of negativity towards Vista (justified or not) in the home user market had grown to a point that it gave a lot of IT staffers pause. Worse still, many of its best features were not easily discoverable, the Server Core variant was almost completely inscrutable, and software/hardware compatibility was a problem.

Thankfully, those days are almost behind us.

So, will Windows 7 and Server 2008 R2 be a convincing enough upgrade for the eternally busy and professionally cynical administrators of XP & Server 2003 environments? There's another five years until Microsoft stops supporting these older operating systems, and another major release of Windows is likely to come out before then, so the pressure isn't on just yet.